  • Latest Post - ‏2011-03-02T19:41:10Z by blanckea
ilya_b

AIX Audit - Sudo failure audits

2011-03-02T19:05:31Z
Hello,
I am running AIX 5.3 and sudo 1.6.9 and have issues auditing failed sudo attempts using the AIX audit subsystem. The funny thing is that I am getting successful sudo logs just fine.

Here is my audit config file:

start:
binmode = on
streammode = off

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds

stream:
cmds = /etc/security/audit/streamcmds

classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,
FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,
FS_Mkdir,FS_Rmdir

objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,
S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR

SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,
SRC_Addserver,SRC_Chserver,SRC_Delserver

* PROC_Limits was mistyped as ROC_Limits, which is not an audit event name
kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,
PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,
PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer

files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,
FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,
FILE_Privilege,DEV_Create

svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,
SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,
SHM_Open,SHM_Close,SHM_Owner,SHM_Mode

mail = SENDMAIL_Config,SENDMAIL_ToFile

cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,
CRON_Start,CRON_Finish

tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,
TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,
TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,
TCPIP_kdata_in,TCPIP_kcreate

eprise = PROC_Delete, PROC_Execute, PROC_RealUID, PROC_AuditID,
PROC_RealGID, PROC_Environ, PROC_Privilege, PROC_Settimer, FILE_Link,
FILE_Unlink, FILE_Rename, FILE_Owner, FILE_Mode, FS_Mount, FS_Umount,
FILE_Acl, FILE_Privilege, FS_Chroot, TCPIP_config, TCPIP_host_id,
TCPIP_route, TCPIP_connect, TCPIP_access, TCPIP_set_time,
TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kcreate, USER_Login,
PORT_Locked, SYSCK_Check, SYSCK_Update, SYSCK_Install, USER_Check,
USER_Logout, PORT_Change, USER_Change, USER_Remove, USER_Create,
USER_SetGroups, USER_SetEnv, USER_SU, GROUP_User, GROUP_Adms,
GROUP_Change, GROUP_Create,GROUP_Remove, PASSWORD_Change,
PASSWORD_Flags, PASSWORD_Check, PASSWORD_Ckerr, SRC_Start, SRC_Stop,
SRC_Addssys, SRC_Chssys, SRC_Addserver, SRC_Chserver, SRC_Delssys,
SRC_Delserver, ENQUE_admin, ENQUE_exec, SENDMAIL_Config,
SENDMAIL_ToFile, AT_JobAdd, AT_JobRemove, CRON_JobRemove,
CRON_JobAdd, CRON_Start, CRON_Finish,NVRAM_Config, DEV_Configure,
DEV_Change, DEV_Create, DEV_Start, INSTALLP_Inst, INSTALLP_Exec,
UPDATEP_Name, DEV_Stop, DEV_UnConfigure, DEV_Remove, LVM_ChangeLV,
LVM_ChangeVG, LVM_CreateLV, LVM_CreateVG, LVM_DeleteVG, LVM_DeleteLV,
LVM_VaryoffVG, LVM_VaryonVG, BACKUP_Export, BACKUP_Priv,
RESTORE_Import, USER_Shell, TCBCK_Check, TCBCK_Update, PROC_SetGroups,
FS_Fchdir, PROC_Settimer, MAIL_ToUser, EFS_WriteKS, KST_Change,
RFM_SetObj, RFM_SetIpc, AUTH_Create, AUTH_Change,
AUTH_Remove, CMD_Change, CMD_Remove, DEV_Change, DEV_Remove,
PFILE_Change, PFILE_Remove, PROC_Change, WM_CreateWPAR,
WM_RemoveWPAR, WM_StartWPAR, WM_StopWPAR, WM_RebootWPAR,
WM_ResumeWPAR, WM_ModifyWPAR, WM_SyncWPAR, WM_CheckptWPAR,
WM_SetInitConf, WM_ResetConfig, WM_ModifyConfig, SEC_ChkAuth,
SEC_ChkAuthId, SEC_SetWpsCid, SEC_SetKst, MLS_SetPPV

users:
default = eprise
Please help. Thanks.
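To see which events the users: stanza actually enables for a given user, here is an added Python parser for the stanza format of the config above (example code written for this page, not from the post or from AIX): it resolves a user's classes to the union of their events and flags duplicated or mistyped event names, such as an entry whose prefix matches no event family. The embedded config is a constructed, abbreviated sample, and the KNOWN_PREFIXES set is an assumption drawn from the prefixes that appear in the post.

```python
import re
# Constructed, abbreviated config in the post's stanza format, with one typo and one duplicate.
SAMPLE_CONFIG = """\
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,
FILE_Link,FILE_Rename
kernel = PROC_Create,PROC_Delete,ROC_Limits
eprise = PROC_Execute, PROC_RealUID, USER_SU, PASSWORD_Check,
USER_Check, PASSWORD_Ckerr, PROC_Settimer, PROC_Settimer
users:
default = eprise
"""
# Event-name prefixes taken from the post's config (assumed list); anything else is suspect.
KNOWN_PREFIXES = {"USER", "PASSWORD", "FILE", "FS", "PROC", "PORT", "SRC", "DEV"}

def parse_stanzas(text):
    """Return {stanza: {key: value}}; a line without '=' continues the previous value."""
    stanzas, current, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):        # blank line or '*' comment
            continue
        if line.endswith(":") and "=" not in line:  # new stanza header
            current, key = line[:-1], None
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
        elif key is not None:                       # wrapped class definition
            stanzas[current][key] += line
    return stanzas

def split_events(value):
    return [e for e in re.split(r"\s*,\s*", value) if e]

def effective_events(stanzas, user="default"):
    # Events actually audited for `user`: the union of the classes assigned to them.
    names = split_events(stanzas.get("users", {}).get(user, ""))
    return {e for n in names for e in split_events(stanzas["classes"].get(n, ""))}

def lint_classes(stanzas):
    """(class, event, problem) for duplicated entries and unknown prefixes."""
    out, seen = [], set()
    for cls, value in stanzas.get("classes", {}).items():
        for ev in split_events(value):
            if (cls, ev) in seen:
                out.append((cls, ev, "duplicate"))
            elif ev.split("_", 1)[0] not in KNOWN_PREFIXES:
                out.append((cls, ev, "unknown prefix"))
            seen.add((cls, ev))
    return out
```

Point it at a real /etc/security/audit/config and check that the events you expect a failed authentication to raise are in the effective set for the user in question.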
  • blanckea

    Re: AIX Audit - Sudo failure audits

    2011-03-02T19:41:10Z
    Hello, can you please specify what exact error message you get, and in which log file?
    And what exact command are you using to get this message?
    Regards