
Use auditing to track reads and writes in a file

Ashish Nainwal (nainwal@in.ibm.com), System Administrator, IBM
Ashish Nainwal is an AIX security support specialist and system administrator at IBM India Systems and Technology Lab. He has been one of the focal points in AIX security in his two years with AIX. Ashish has also been involved in various System p™ administration activities and has diverse experience with customers. You can contact him at anainwal@in.ibm.com.

Summary:  In this article, discover how to track several events on AIX(R) with auditing, a major feature of AIX security, and learn how to use auditing to keep track of the read and write operations on a file. Also examine commands, such as ls or istat, to check a file's time stamp.

Date:  07 Aug 2007
Level:  Intermediate

Introduction

AIX® provides easy ways to find out when a file was last accessed; ls -lu, which lists the last access time, is one example. But a time stamp does not tell you who, or which process, accessed the file, and it is overwritten by the next access. You might need that information for debugging or for keeping track of important files. Auditing lets you record the read and write operations on a file together with the user and the command that performed them.

In AIX, the auditing subsystem records security-related information and lets administrators detect security breaches. You can customize the config and objects files that the subsystem uses so that it keeps track of any file you want, and you can use its real-time (STREAM) mode to watch files that are being modified unexpectedly by processes you cannot identify.

Tracking

There are no special requirements to track files; all you need is a normal AIX system with root access. The audit command is executable by root and by members of the audit group, so a non-root user who is to run it must be a member of that group; editing the files under /etc/security/audit still requires root.

The high-level steps for tracking files are:

  1. Configuring the audit subsystem
  2. Monitoring output

Configuring the audit subsystem

Configuring the audit subsystem requires making specific entries in the objects and configuration files that the audit subsystem uses to generate the results.

In this scenario, you're tracking the /home/test.txt file. To configure the audit subsystem, try the following:

  1. In the /etc/security/audit/objects file, add a stanza for /home/test.txt in the following format:

    /home/test.txt:
    	r = "S_NOTAUTH_READ"
    	w = "S_NOTAUTH_WRITE"

    The r and w lines name the event that is recorded on a read and on a write, respectively (an x line does the same for execute). S_NOTAUTH_READ and S_NOTAUTH_WRITE are names chosen for this article; you can use any names you like, as long as you use the same ones in the config file and, so that auditpr can print the records fully, give each one a format line in /etc/security/audit/events. The names are labels only: the subsystem records every read or write by an audited user, whether or not that user was authorized.

    You can track more than one file with the same event names by adding a stanza in the same format for each file to be tracked.

  2. In the classes stanza of the /etc/security/audit/config file, define a class that contains the two events. The class name, abusers here, is arbitrary:

    classes:
    	abusers = S_NOTAUTH_READ, S_NOTAUTH_WRITE

  3. In the users stanza of the same file, assign the class to every user whose accesses you want recorded:

    users:
    	root = general, abusers
    	user1 = abusers
    	user2 = abusers
    	.
    	.
    	.
    	userN = abusers

    This ensures that any read or write operation on /home/test.txt by any of the users in this list is reported by audit. If an entry for a user already exists, append abusers to it, separated from the previous class by a comma. A user who is not listed (and not covered by a default entry in the stanza, if there is one) is not audited at all, so an access by such a user leaves no record.

  4. Auditing collects data in two modes:
    • BIN mode: Records the audit events to two alternating bin files, which are then appended to a single audit trail file.
    • STREAM mode: Writes the audit records to a circular buffer that is read through the /dev/audit device file (the auditstream command does this).

    For this scenario the records are the same in both modes; what differs is how you get at them. STREAM mode lets you watch the file in real time, BIN mode gives you a persistent trail you can format later. You can switch on either or both in the start stanza of /etc/security/audit/config; the keywords are binmode and streammode. The example below switches on STREAM mode only.

    start:
            binmode = off
            streammode = on

The above steps put the /home/test.txt file under the auditing subsystem's observation. The subsystem reads these files when it starts, so if auditing is already running, stop it with audit shutdown and start it again for the changes to take effect.
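Before starting auditing it is worth checking the three files against each other, because a mismatch fails silently: an event that is bound in objects but not in a class is never recorded, a class assigned to nobody records nothing, and an event without a format line prints an empty tail. The following shell functions do that check. They are an added example, not from the article or from IBM; the function names and the scratch copy of the files that audit_demo_tree builds from this article's stanzas are this example's own, and the default directory is assumed to be /etc/security/audit.

```shell
#!/bin/sh
# Added example, not from the article: cross-check the files that the
# procedure above edits.  AUDIT_DIR defaults to /etc/security/audit; pass a
# scratch directory (audit_demo_tree builds one) to dry-run it elsewhere.
# Function names are this example's own.

# audit_object_events OBJECTS_FILE: every event name bound to r/w/x, one per line.
audit_object_events() {
    awk -F'"' '/^[ \t]*[rwx][ \t]*=[ \t]*"/ { print $2 }' "$1" | LC_ALL=C sort -u
}

# audit_check_config [AUDIT_DIR]: print each problem found; return 1 if any.
audit_check_config() {
    dir="${1:-/etc/security/audit}"
    rc=0
    for ev in $(audit_object_events "$dir/objects"); do
        # (a) which classes list this event, and is each one assigned to a user?
        classes=$(awk -F'=' -v ev="$ev" \
            '$2 ~ ("(^|[ \t,])" ev "([ \t,]|$)") { gsub(/[ \t]/, "", $1); print $1 }' \
            "$dir/config")
        [ -n "$classes" ] || { echo "$ev: bound in objects but in no class in config"; rc=1; }
        for cls in $classes; do
            grep -Eq "(=|,)[[:space:]]*$cls[[:space:]]*(,|\$)" "$dir/config" ||
                { echo "$ev: class $cls is assigned to no user in config"; rc=1; }
        done
        # (b) a print format, otherwise auditpr shows "<tail format undefined>"
        grep -Eq "^[[:space:]]*$ev[[:space:]]*=" "$dir/events" ||
            { echo "$ev: no format line in events"; rc=1; }
    done
    # (c) at least one collection mode switched on in the start stanza
    grep -Eq '^[[:space:]]*(binmode|streammode)[[:space:]]*=[[:space:]]*on' "$dir/config" ||
        { echo "config: neither binmode nor streammode is on"; rc=1; }
    return $rc
}

# audit_demo_tree [noformat]: write a scratch copy of the three files holding
# the stanzas from this article (constructed sample) and print its path.
# With "noformat" the events file lacks the S_NOTAUTH_* lines, so the check fails.
audit_demo_tree() {
    d=$(mktemp -d)
    cat >"$d/objects" <<'EOF'
/home/test.txt:
        r = "S_NOTAUTH_READ"
        w = "S_NOTAUTH_WRITE"
EOF
    cat >"$d/config" <<'EOF'
start:
        binmode = off
        streammode = on

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
        abusers = S_NOTAUTH_READ, S_NOTAUTH_WRITE

users:
        root = general, abusers
        ash = abusers
EOF
    {
        echo 'auditpr:'
        echo '        FILE_Unlink = printf "filename %s"'
        [ "$1" = noformat ] || printf '        %s = printf "%%s"\n' S_NOTAUTH_READ S_NOTAUTH_WRITE
    } >"$d/events"
    echo "$d"
}

# Dry run: the tree built from the article's stanzas passes; the copy without
# format lines fails and names the two events that would print no tail.
audit_check_config "$(audit_demo_tree)" && echo "sample tree: OK"
audit_check_config "$(audit_demo_tree noformat)" || echo "sample tree without formats: FAIL"
```

On a real host, run audit_check_config with no argument (or with /etc/security/audit) as root before audit start; the checks are textual, so they catch a misspelled event name or a forgotten users entry but not a stanza that AIX itself would reject.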

Monitoring output

To monitor the output, first start the auditing subsystem using the following command:

# audit start

Data collection in STREAM mode

Because streammode is on, audit start itself runs the commands listed in /etc/security/audit/streamcmds; there is nothing else to start. To see what it runs:

# cat /etc/security/audit/streamcmds

On a default installation, this shows:

/usr/sbin/auditstream | auditpr > /audit/stream.out &

auditstream reads the records through /dev/audit and auditpr formats them, so the auditing results are written to /audit/stream.out as they happen and the file can be followed in real time to keep track of the read and write operations. If you also want the tail information of each record (such as the file name in a FILE_Unlink record) in the stream output, add the -v option to auditpr in streamcmds before starting auditing.

A typical output would look like Listing 1 below.


Listing 1. Output file—Data collection in STREAM mode

# tail -f /audit/stream.out

event            login    status   time                       command
---------------  -------- -------- -------------------------- ---------
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
FILE_Unlink      root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi
FILE_Unlink      root     OK       Thu May 24 14:07:13 2007   vi
FILE_Unlink      root     OK       Thu May 24 14:07:20 2007   vi
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat

The interpretation of the output file is simple. For example, the following line:

S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi

shows that root wrote to the file, using vi, on Thursday, May 24th, at 14:07:13. The status column tells you whether the operation succeeded (OK) or failed. The FILE_Unlink lines appear for root only because root is also in the general class, which includes FILE_Unlink; they are vi removing its own scratch file (Listing 2 shows its name, /var/tmp/Ex21778), not /home/test.txt. The user ash is in the abusers class only, so just the S_NOTAUTH_* records appear for that user.

Data collection in BIN mode

If data collection in BIN mode is enabled, the kernel writes the records to the two bin files named in the bin stanza of the config file, and the commands in /etc/security/audit/bincmds (auditcat, by default) append each completed bin to the audit trail, /audit/trail by default. The trail is a binary file; to read it, format it with auditpr:

# /usr/sbin/auditpr -v < /audit/trail > /audit.out

This command writes the formatted results to the /audit.out file. Unlike STREAM mode, this is not real time: records reach the trail when a bin fills (the binsize setting in the config file) or when auditing is shut down, so re-run the command after those points to see the latest records. The -v option adds the tail line of each record below it.

A typical output would look like Listing 2 below.


Listing 2. Output file—Data collection in BIN mode

# vi /audit.out
"/audit.out" 30 lines, 2012 characters
event            login    status   time                       command
---------------  -------- -------- -------------------------- ---------
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:27 2007   cat
        <tail format undefined>
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:27 2007   cat
        <tail format undefined>
FILE_Unlink      root     OK       Thu May 24 15:07:32 2007   vi
        filename /var/tmp/Ex21778
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
        <tail format undefined>
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
        <tail format undefined>
S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
        <tail format undefined>
S_NOTAUTH_WRITE  root     OK       Thu May 24 15:07:37 2007   vi
        <tail format undefined>
FILE_Unlink      root     OK       Thu May 24 15:07:37 2007   vi

The <tail format undefined> lines below the S_NOTAUTH_* records mean that auditpr found no print format for those event names in /etc/security/audit/events; the built-in FILE_Unlink event has one, which is why its file name is printed. To get rid of the message, add a printf format line for each of your event names to the auditpr stanza of that file, in the same form as the entries already there.

You can monitor the output files to keep track of the read and write operations on your files.
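Reading the listings by hand is fine for a dozen records, not for a trail that has been collecting for a week. The following shell functions do the reading for either listing: they pick out the records for the events you defined, count reads and writes per user, and flag any user who wrote the file but is not on an allowed list, which is the "who, or which process" question from the introduction. This is an added example, not from the article or from IBM. The sample output embedded in it is constructed from Listing 1, with one BIN-style tail line added to show that such lines are skipped; the function names and the S_NOTAUTH_ prefix convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: read auditpr output (STREAM stream.out
# or BIN "auditpr -v" output; the record lines are the same) and answer who
# read or wrote the tracked file.  Function names are this example's own.

# Constructed sample, copied from Listing 1 with one BIN-style tail line added.
AUDIT_SAMPLE='event            login    status   time                       command
---------------  -------- -------- -------------------------- ---------
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
FILE_Unlink      root     OK       Thu May 24 14:07:09 2007   vi
        filename /var/tmp/Ex21778
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi
FILE_Unlink      root     OK       Thu May 24 14:07:13 2007   vi
FILE_Unlink      root     OK       Thu May 24 14:07:20 2007   vi
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat'

# audit_file_ops [EVENT_PREFIX]: stdin is auditpr output; print one
# "login<TAB>op<TAB>status<TAB>time<TAB>command" line per record whose event
# starts with EVENT_PREFIX (default S_NOTAUTH_).  op is the rest of the event
# name (READ or WRITE), so it follows whatever names you chose in objects.
audit_file_ops() {
    awk -v pfx="${1:-S_NOTAUTH_}" '
        /^[ \t]/ || $1 == "event" || $1 ~ /^-/ { next }   # tail lines, header, rule
        NF < 9 || index($1, pfx) != 1            { next }   # not one of our events
        {
            op = substr($1, length(pfx) + 1)
            printf "%s\t%s\t%s\t%s %s %s %s %s\t%s\n", $2, op, $3, $4, $5, $6, $7, $8, $9
        }'
}

# audit_summary [EVENT_PREFIX]: number of records per login and operation, sorted.
audit_summary() {
    audit_file_ops "$@" |
        awk -F'\t' '{ n[$1 "\t" $2]++ } END { for (k in n) printf "%s\t%d\n", k, n[k] }' |
        LC_ALL=C sort
}

# audit_unexpected_writers ALLOWED: print every login that wrote the file and
# is not in the comma-separated ALLOWED list; return 1 if there was one.
audit_unexpected_writers() {
    audit_file_ops | awk -F'\t' -v allowed=",$1," '
        $2 == "WRITE" && index(allowed, "," $1 ",") == 0 && !seen[$1]++ { print $1; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Run on the constructed sample; on a live system replace the printf with
# "tail -f /audit/stream.out" (STREAM) or "auditpr -v < /audit/trail" (BIN).
printf '%s\n' "$AUDIT_SAMPLE" | audit_summary
printf '%s\n' "$AUDIT_SAMPLE" | audit_unexpected_writers root && echo "writers: only allowed users"
```

The filter keys on the event name only, so the FILE_Unlink records that root's general class adds to the listing are ignored, and a record is counted whether its status is OK or a failure; a failed write attempt by an unexpected user is exactly the kind of line you want to keep. The same selection can be made on the raw records before formatting with the auditselect command, but a text-level filter works on output files you already have.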



