How To
Summary
You can use AIX Auditing to monitor file system operations.
Steps
The test example logs the following predefined file system events:
- FS_Chdir,FS_Chroot,FS_Extend,FS_Fchdir,FS_Mkdir,FS_Mkdirat,FS_Mount,FS_Rmdir,FS_Umount
- Read IBM Documentation about AIX Audit events:
1) Modify config: start options

# vi /etc/security/audit/config
start:
        binmode = off
        streammode = on
        ignorenonexistentity = no

2) Modify config: classes

classes:
        fsclass=FS_Chdir,FS_Chroot,FS_Extend,FS_Fchdir,FS_Mkdir,FS_Mkdirat,FS_Mount,FS_Rmdir,FS_Umount

3) Modify config: users

users:
        default = fsclass

** You can specify a user ID if you only want to audit a specific user, or enter 'default' to log these events for all users.

4) Modify streamcmds

# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -htpPrceR -w > /audit/stream.out &

5) Stop and restart audit:

# audit shutdown
# audit start
# Test steps:
# crfs -v jfs2 -g rootvg -m /testFS -a size=10M
# mount /testFS
# chroot /testFS ls
# mkdir /testFS/testDir
# cd /testFS
# chfs -a size=+2M /testFS
# rm -r testDir
# cd ..
# unmount /testFS
# rmfs /testFS

# cat /audit/stream.out
(Note: The "time" column was removed from this example)
process  parent   real command event     status
-------- -------- ---- ------- --------- ------ ---------------------------------------
16187742 9306446  root crfs    FS_Mkdir  OK     mode:755 dir: /testFS
7078230  16187744 root mount   FS_Mount  OK     mount:object /dev/fslv05 stub /testFS
16187750 9306446  root chroot  FS_Chroot OK     change root directory to: /testFS
16187764 9306446  root mkdir   FS_Mkdir  OK     mode:755 dir: /testFS/testDir
9306446  14877002 root ksh     FS_Chdir  OK     change current directory to: /testFS
13893944 9306446  root chfs    FS_Extend OK     vfs:8285, cmd: 5
13893950 9306446  root rm      FS_Rmdir  OK     remove of directory: testDir
9306446  14877002 root ksh     FS_Chdir  OK     change current directory to: /
7537052  13893954 root mount   FS_Umount OK     umount:object /dev/fslv05 stub /testFS
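The stream.out records above, parsed and triaged by an added Python example that is not part of the IBM page: it reads auditpr -htpPrceR -w records of the shape shown (time column removed), counts records per event, and lists the FS_Chroot, FS_Mount and FS_Umount records for individual review. The sample input is constructed from the example output, and the ALERT_EVENTS review policy is an assumption, not an IBM recommendation.

```python
import re
from collections import Counter

# Constructed sample: the stream.out records from the example above, time column removed.
SAMPLE_STREAM = """\
process parent real command event status
-------- -------- ---- --------- ------- --------------- -----------
16187742 9306446 root crfs FS_Mkdir OK mode:755 dir: /testFS
7078230 16187744 root mount FS_Mount OK mount:object /dev/fslv05 stub /testFS
16187750 9306446 root chroot FS_Chroot OK change root directory to: /testFS
16187764 9306446 root mkdir FS_Mkdir OK mode:755 dir: /testFS/testDir
9306446 14877002 root ksh FS_Chdir OK change current directory to: /testFS
13893944 9306446 root chfs FS_Extend OK vfs:8285, cmd: 5
13893950 9306446 root rm FS_Rmdir OK remove of directory: testDir
9306446 14877002 root ksh FS_Chdir OK change current directory to: /
7537052 13893954 root mount FS_Umount OK umount:object /dev/fslv05 stub /testFS
"""

# Hypothetical review policy: events that change a process's file system root
# or attach/detach storage are reviewed individually rather than only counted.
ALERT_EVENTS = {"FS_Chroot", "FS_Mount", "FS_Umount"}

# One auditpr -htpPrceR -w record with the time column dropped:
# process parent real command event status <free-text trail>
RECORD_RE = re.compile(
    r"^(?P<process>\d+)\s+(?P<parent>\d+)\s+(?P<real>\S+)\s+(?P<command>\S+)\s+"
    r"(?P<event>FS_\w+)\s+(?P<status>\S+)\s*(?P<trail>.*)$"
)

def parse_stream(text):
    """Return one dict per record; the header, dash rule and blank lines do not match."""
    return [m.groupdict() for line in text.splitlines()
            if (m := RECORD_RE.match(line.strip()))]

def summarize(records):
    """Count records per event name, e.g. {'FS_Mkdir': 2, 'FS_Chdir': 2, ...}."""
    return Counter(r["event"] for r in records)

def alerts(records):
    """(real user, command, event, trail) for every record in ALERT_EVENTS, in order."""
    return [(r["real"], r["command"], r["event"], r["trail"])
            for r in records if r["event"] in ALERT_EVENTS]

if __name__ == "__main__":
    recs = parse_stream(SAMPLE_STREAM)
    for event, count in sorted(summarize(recs).items()):
        print(f"{event:<10} {count}")
    for real, cmd, event, trail in alerts(recs):
        print(f"REVIEW {event} by {real} via {cmd}: {trail}")
```

On a live system the same functions can be fed the contents of /audit/stream.out instead of SAMPLE_STREAM; if the time column is kept in auditpr output, the pattern needs an extra leading field.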
Additional Information
SUPPORT
Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.
You can learn more about the audit functionality on AIX and best practices through the following resources:
If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist. If you require consulting services, there are more fee-based services available.
If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.
2. Capture any logs or data relevant to the situation.
3. Contact IBM to open a case:
   - For electronic support, see the IBM Support Community:
4. Provide a clear, concise description of the issue.
   - For guidance, see: Working with IBM AIX Support: Describing the problem
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.
   - For guidance, see: Working with IBM AIX Support: Collecting snap data
Related Information
Document Information
Modified date:
25 May 2023
UID
ibm16616715