AIX® provides easy ways to track the last time a file was accessed; the ls command is one example. But sometimes you want to know who, or which process, accessed the file. You might need such information for debugging or for keeping track of important files. You can track information related to read and write operations on a file with the help of auditing.
In AIX, auditing systems are intended to record security-related information and to alert administrators about security breaches. You can customize the configuration and objects files, which are used by the auditing subsystem to keep track of any file you want. You can also use the real-time monitoring feature of auditing to keep track of some processes and files that are being modified randomly by unidentified processes.
There are no special requirements to track files; all you need is a normal AIX system with root access. The audit command grants execute access to the root user and to members of the audit group, so a non-root user must be a member of the audit group to run auditing on a system.
The high-level steps for tracking files are:
Configuring the audit subsystem
Configuring the audit subsystem requires making specific entries in the objects and configuration files that the audit subsystem uses to generate the results.
In this scenario, you're tracking the /home/test.txt file. To configure the audit subsystem, try the following:
- In the /etc/security/audit/objects file, make an entry for /home/test.txt, using the following format:
/home/test.txt:
        r = "S_NOTAUTH_READ"
        w = "S_NOTAUTH_WRITE"
S_NOTAUTH_READ and S_NOTAUTH_WRITE are keywords that track the read and the write, respectively. You can replace them with keywords of your own choosing, depending on your requirements, provided you use the same names in the config file's classes entry. You can also track more than one file with the same keywords by making an individual entry, in the same format, for each file to be tracked in the /etc/security/audit/objects file.
- In the /etc/security/audit/config file, make the following entry under the classes subsection:
classes:
        abusers = S_NOTAUTH_READ,S_NOTAUTH_WRITE
- In the /etc/security/audit/config file, add entries for all your users under the users subsection, as follows:
users:
        root = general,abusers
        user1 = abusers
        user2 = abusers
        . . .
        userN = abusers
This set of entries ensures that any read or write operation being done on the /home/test.txt file by any of the users in this list is reported by audit. If an entry for a user already exists, you can append the entry for abusers by separating it from the previous one using a comma.
- Auditing provides data monitoring in two modes:
- BIN mode: Records the audit events to two alternating temporary BIN files, and then appends them to a single audit trail file.
- STREAM mode: Writes the audit records to a circular buffer that can be read through the /dev/audit device file.
In this scenario, there is no major difference between the two except the format of the output. You can switch on either or both modes to collect the data. They are switched on or off by making the appropriate entry in the start stanza of the /etc/security/audit/config file. The example below switches on STREAM mode only:
start:
        binmode = off
        streammode = on
The above steps ensure that the /home/test.txt file is under the auditing subsystem's observation.
To monitor the output, first start the auditing subsystem using the following command:
# audit start
Data collection in STREAM mode
Because data collection is enabled in STREAM mode, the commands that collect the stream data are listed in /etc/security/audit/streamcmds. Display that file with the following command:
# cat /etc/security/audit/streamcmds
This command provides the following information:
/usr/sbin/auditstream | auditpr > /audit/stream.out &
The auditing results are written in the /audit/stream.out file, which can be monitored in real time to keep track of the read and write operations.
A typical output would look like Listing 1 below.
Listing 1. Output file—Data collection in STREAM mode
# tail -f /audit/stream.out
event           login    status   time                      command
--------------- -------- -------- ------------------------- ---------
S_NOTAUTH_READ  root     OK       Thu May 24 14:07:05 2007  cat
S_NOTAUTH_READ  root     OK       Thu May 24 14:07:05 2007  cat
FILE_Unlink     root     OK       Thu May 24 14:07:09 2007  vi
S_NOTAUTH_READ  root     OK       Thu May 24 14:07:09 2007  vi
S_NOTAUTH_READ  root     OK       Thu May 24 14:07:09 2007  vi
S_NOTAUTH_READ  root     OK       Thu May 24 14:07:09 2007  vi
S_NOTAUTH_WRITE root     OK       Thu May 24 14:07:13 2007  vi
FILE_Unlink     root     OK       Thu May 24 14:07:13 2007  vi
FILE_Unlink     root     OK       Thu May 24 14:07:20 2007  vi
S_NOTAUTH_READ  ash      OK       Thu May 24 14:09:39 2007  cat
S_NOTAUTH_READ  ash      OK       Thu May 24 14:09:39 2007  cat
The interpretation of the output file is simple. For example, the following line:
S_NOTAUTH_WRITE root     OK       Thu May 24 14:07:13 2007  vi
shows that a write operation was performed by root on the file on Thursday, May 24th, at 14:07:13.
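Reading a few lines by eye is easy, but a file that is watched for days fills up quickly. The following POSIX shell script is an added example, not part of the original article: it reads auditpr output in the column layout shown above, counts the S_NOTAUTH_READ and S_NOTAUTH_WRITE events per login and command, and lists any login that wrote the tracked file without being on an allow-list you pass in. The sample records are constructed for the example and include a write by the login ash that does not appear in Listing 1.

```shell
#!/bin/sh
# Added example: summarize auditpr output produced for the objects entry
# in this article. Reads the stream output (or a formatted BIN trail) on
# stdin; the header and dashed separator lines are skipped because they
# never begin with an S_NOTAUTH_ event name.

# Count S_NOTAUTH_READ / S_NOTAUTH_WRITE events per login and command.
# Fields used: $1 = event, $2 = login, $NF = command. The timestamp in
# between contains spaces, so the command is taken as the last field.
audit_summary() {
    awk '
        $1 ~ /^S_NOTAUTH_(READ|WRITE)$/ { n[$1 " " $2 " " $NF]++ }
        END { for (k in n) print k, n[k] }
    ' | sort
}

# Print each login that performed S_NOTAUTH_WRITE and is not in the
# space-separated allow-list given as $1. Exit status 1 if any were found,
# so the function can drive a cron job or an alert.
unexpected_writers() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "S_NOTAUTH_WRITE" && !($2 in ok) && !seen[$2]++ { print $2; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample in the layout auditpr prints (not real audit data).
SAMPLE='event           login    status   time                      command
--------------- -------- -------- ------------------------- ---------
S_NOTAUTH_READ  root     OK       Thu May 24 14:07:05 2007  cat
S_NOTAUTH_WRITE root     OK       Thu May 24 14:07:13 2007  vi
FILE_Unlink     root     OK       Thu May 24 14:07:13 2007  vi
S_NOTAUTH_READ  ash      OK       Thu May 24 14:09:39 2007  cat
S_NOTAUTH_WRITE ash      OK       Thu May 24 14:10:02 2007  vi'

# Stand-alone demo: summary, then writers other than root.
printf '%s\n' "$SAMPLE" | audit_summary
printf '%s\n' "$SAMPLE" | unexpected_writers "root" || echo "unexpected writer(s) found"
```

On a live system, replace the sample with `tail -f /audit/stream.out | unexpected_writers root` to watch for writes as they happen, or feed the file produced from the BIN trail to audit_summary for a daily count.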
If data collection in BIN mode is enabled, the records accumulate in the /audit/trail file; format them into readable output by executing the following command:
# /usr/sbin/auditpr -v < /audit/trail > /audit.out
This command writes the results of auditing to the /audit.out file, which can be monitored in real time as well.
A typical output would look like Listing 2 below.
Listing 2. Output file—Data collection in BIN mode
# vi /audit.out
"/audit.out" 30 lines, 2012 characters
event           login    status   time                      command
--------------- -------- -------- ------------------------- ---------
S_NOTAUTH_READ  root     OK       Thu May 24 15:07:27 2007  cat
<tail format undefined>
S_NOTAUTH_READ  root     OK       Thu May 24 15:07:27 2007  cat
<tail format undefined>
FILE_Unlink     root     OK       Thu May 24 15:07:32 2007  vi
filename /var/tmp/Ex21778
S_NOTAUTH_READ  root     OK       Thu May 24 15:07:32 2007  vi
<tail format undefined>
S_NOTAUTH_READ  root     OK       Thu May 24 15:07:32 2007  vi
<tail format undefined>
S_NOTAUTH_READ  root     OK       Thu May 24 15:07:32 2007  vi
<tail format undefined>
S_NOTAUTH_WRITE root     OK       Thu May 24 15:07:37 2007  vi
<tail format undefined>
FILE_Unlink     root     OK       Thu May 24 15:07:37 2007  vi
You can monitor the output files to keep track of the read and write operations on your files.
Ashish Nainwal is an AIX security support specialist and system administrator at IBM India Systems and Technology Lab. He has been one of the focal points in AIX security in his two years with AIX. Ashish has also been involved in various System p™ administration activities and has diverse experience with customers. You can contact him at anainwal@in.ibm.com.