Generating a generic audit log

The following are examples of generating a generic audit log.

In this example, assume that a system administrator wants to use the audit subsystem to monitor a large multi-user server system. No direct integration into an IDS is performed, all audit records will be inspected manually for irregularities. Only a few essential audit events are recorded, to keep the amount of generated data to a manageable size.

The audit events that are considered for event detection are the following:

FILE_Write
    We want to know about file writes to configuration files, so this event is used with all files in the /etc tree.
PROC_SetUserIDs
    All changes of user IDs.
AUD_Bin_Def
    Audit bin configuration.
USER_SU
    The su command.
PASSWORD_Change
    The passwd command.
AUD_Lost_Rec
    Notification in case there were lost records.
CRON_JobAdd
    New cron jobs.
AT_JobAdd
    New at jobs.
USER_Login
    All logins.
PORT_Locked
    All locks on terminals because of too many invalid attempts.

The following is an example of how to generate a generic audit log:

  1. Set up a list of critical files to be monitored for changes, such as all files in /etc, and configure them for FILE_Write events in the objects file as follows:
    find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects
  2. Use the auditcat command to set up BIN mode auditing. The /etc/security/audit/bincmds file is similar to the following:
    /usr/sbin/auditcat -p -o $trail $bin
  3. Edit the /etc/security/audit/config file and add a class for the events of interest. List all existing users and specify the custom class for them. (The class must name the events exactly as they appear in the events list above, so the user ID change event is PROC_SetUserIDs.)
    start:
            binmode = on
            streammode = off
    
    bin:
            cmds = /etc/security/audit/bincmds
            trail = /audit/trail
            bin1 = /audit/bin1
            bin2 = /audit/bin2
            binsize = 100000
            freespace = 100000
    
    classes:
            custom = FILE_Write,PROC_SetUserIDs,AUD_Bin_Def,AUD_Lost_Rec,USER_SU, \
                     PASSWORD_Change,CRON_JobAdd,AT_JobAdd,USER_Login,PORT_Locked
    
    users:
            root = custom
            afx = custom
            ...
  4. Add the custom audit class to the /usr/lib/security/mkuser.default file, so that new IDs will automatically have the correct audit class associated:
    user:
        auditclasses = custom
        pgrp = staff
        groups = staff
        shell = /usr/bin/ksh
        home = /home/$USER
  5. Create a new file system named /audit by using SMIT or the crfs command. The file system should be large enough to hold the two bins and a large audit trail.
  6. Run the audit start command and examine the /audit file system. You should see the two bin files and an empty trail file initially. After you have used the system for a while, you should have audit records in the trail file. auditpr reads the trail from standard input, so the records can be read with:
    auditpr -hhelpPRtTc -v < /audit/trail | more
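The following script is an added example, not part of the original AIX documentation. It generates the objects, bincmds and config stanzas from the procedure above into a staging directory, so an administrator can review the generated files (and confirm that the custom class names exactly the intended events and that every listed user is assigned to it) before copying them under /etc/security/audit. The staging directory, the two-argument usage, and the sample file tree used in testing are assumptions; the stanza formats and paths are those shown in the steps above.

```shell
#!/bin/sh
# Added example (not part of the original AIX documentation). Stages the
# audit subsystem files from the procedure above for review; nothing here
# touches /etc/security/audit or starts auditing.

# Events of the custom class, as listed in the text above.
AUDIT_EVENTS='FILE_Write PROC_SetUserIDs AUD_Bin_Def AUD_Lost_Rec USER_SU PASSWORD_Change CRON_JobAdd AT_JobAdd USER_Login PORT_Locked'

# Print one objects-file stanza: the path, then "w = FILE_Write", which audits
# every write to that file. Same shape as the find|awk one-liner in step 1.
objects_stanza() {
    printf '%s:\n\tw = FILE_Write\n\n' "$1"
}

# Walk a directory tree (normally /etc) and emit one stanza per regular file.
build_objects() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        objects_stanza "$f"
    done
}

# Count stanzas in an objects file (a stanza header is a line ending in ':').
count_stanzas() {
    grep -c ':$' "$1"
}

# Write the bincmds file from step 2: auditcat appends each full bin to the trail.
write_bincmds() {
    printf '/usr/sbin/auditcat -p -o $trail $bin\n' > "$1"
}

# Write the config file from step 3: binmode on, the bin paths, the custom
# class, and one "user = custom" line per user given as an argument.
write_config() {
    out=$1; shift
    {
        printf 'start:\n\tbinmode = on\n\tstreammode = off\n\n'
        printf 'bin:\n\tcmds = /etc/security/audit/bincmds\n\ttrail = /audit/trail\n'
        printf '\tbin1 = /audit/bin1\n\tbin2 = /audit/bin2\n\tbinsize = 100000\n\tfreespace = 100000\n\n'
        printf 'classes:\n\tcustom = %s\n\n' "$(printf '%s' "$AUDIT_EVENTS" | tr ' ' ',')"
        printf 'users:\n'
        for u in "$@"; do printf '\t%s = custom\n' "$u"; done
    } > "$out"
}

# Review check: the custom class must name exactly AUDIT_EVENTS (a misspelled
# event name silently audits nothing), and every entry in the users stanza
# must be assigned the custom class. Returns 0 when both hold.
check_config() {
    expected=$(printf '%s' "$AUDIT_EVENTS" | tr ' ' ',')
    actual=$(sed -n 's/^[[:space:]]*custom = //p' "$1")
    [ "$actual" = "$expected" ] || return 1
    sed -n '/^users:/,$p' "$1" | awk -F' = ' 'NF == 2 && $2 != "custom" { bad = 1 } END { exit bad }'
}

# Usage (arguments are assumptions): sh stage_audit.sh /etc ./audit-stage
if [ $# -eq 2 ]; then
    mkdir -p "$2"
    build_objects "$1" > "$2/objects"
    write_bincmds "$2/bincmds"
    write_config "$2/config" root afx
    check_config "$2/config" && echo "staged $(count_stanzas "$2/objects") object stanzas in $2"
fi
```

Run it against a copy of the /etc tree first and diff the staged files against the live ones; the check_config step is the one worth keeping even if the rest is done by hand, because the config file is parsed without complaint when a class lists an event name that does not exist.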
This example uses only a few events. To see all events, you could specify the classname ALL for all users. This action will generate large amounts of data. You might want to add all events related to user changes and privilege changes to your custom class.