IBM Support

AIX AUDIT: How can I monitor user logins and logouts?

How To


Summary

You can use AIX Auditing to monitor user login and logout activities.

Steps

The following example logs user logins, logouts, exits, and su by monitoring the USER_Login, USER_Logout, USER_Exit, and USER_SU events and related events. There is an option to monitor SSH login events as well. This example does not cover log management or other audit configuration details. The example assumes that the "/audit" file system exists. See the "Support" section in this note for references.

1) Modify events: (append to the file)
** THIS STEP IS OPTIONAL: If users log in through SSH (provided by the AIX openssh.base file set), you need to add some events to track user logouts.

SSH Background:
USER_Exit is not logged for ssh logins because it is an rlogind or telnetd call.
  - See the AIX Audit System "Events" section.
USER_Logout is not applicable unless sshd has UserLogin=true, and that option was disabled in later OpenSSH.

# vi /etc/security/audit/events
* # SSH Audit Hooks #
*  SSH_AUDIT_UNKNOWN
         SSH_auditknwn  = printf "%s"
*  SSH_AUTH_FAIL_GSSAPI
         SSH_failgssapi  = printf "%s"
*  SSH_AUTH_FAIL_HOSTBASED
         SSH_failhstbsd  = printf "%s"
*  SSH_AUTH_FAIL_KBDINT
         SSH_failkbdint  = printf "%s"
*  SSH_AUTH_FAIL_NONE
         SSH_failnone  = printf "%s"
*  SSH_AUTH_FAIL_PASSWD
         SSH_failpasswd  = printf "%s"
*  SSH_AUTH_FAIL_PUBKEY
         SSH_failpubkey  = printf "%s"
*  SSH_AUTH_SUCCESS
         SSH_authsuccess  = printf "%s"
*  SSH_CONNECTION_ABANDON
         SSH_connabndn  = printf "%s"
*  SSH_CONNECTION_CLOSE
         SSH_connclose  = printf "%s"
*  SSH_INVALID_USER
         SSH_invldusr  = printf "%s"
*  SSH_LOGIN_EXCEED_MAXTRIES
         SSH_exceedmtrix  = printf "%s"
*  SSH_LOGIN_ROOT_DENIED
         SSH_rootdned  = printf "%s"
*  SSH_NOLOGIN
         SSH_nologin  = printf "%s"
2) Modify config:start options: (the start stanza)
# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
3) Modify config:classes: (add the userLogin and sshClass classes)
classes:
     userLogin = USER_Login,USER_Logout,USER_Exit,USER_SU
     sshClass = SSH_auditknwn,SSH_failgssapi,SSH_failhstbsd,SSH_failkbdint,SSH_failnone,SSH_failpasswd,SSH_failpubkey,SSH_authsuccess,SSH_connabndn,SSH_connclose,SSH_invldusr,SSH_exceedmtrix,SSH_rootdned,SSH_nologin
4) Add 'userLogin' and 'sshClass' to config:users: (If root is assigned classes, you must specify these new classes for root, since tsm, sshd and telnetd run as root. Otherwise, you can assign the classes to 'default')
users:
    root = general,userLogin,sshClass 
    default = userLogin,sshClass
   
5) Configure the stream mode commands:
# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -htpPrceR -w > /audit/stream.out &

6) Stop and restart audit:
# audit shutdown
# audit start
7) Now test some user logins, logouts, and su.
8) Check the audit stream log:
# cat /audit/stream.out
time                     process  parent   real     command  event           status
------------------------ -------- -------- -------- -------- -------------   ------------

TEST SSH INVALID PASSWORD:
Wed Jul 08 14:04:13 2020 11796656 19988734 root     sshd     USER_Login      FAIL_AUTH
        user: shelltester tty: ssh
Wed Jul 08 14:04:18 2020 11796656 19988734 root     sshd     SSH_failpasswd  OK
        audit event euid 0 user shelltester event 4 (SSH_failpasswd) remote ip (10.99.0.141)
TEST SSH VALID PASSWORD:
Wed Jul 08 14:04:23 2020 11796656 19988734 root     sshd     USER_Login      OK
        user: shelltester tty: ssh
Wed Jul 08 14:04:23 2020 11796656 19988734 root     sshd     SSH_authsuccess OK
        audit event euid 0 user shelltester event 2 (SSH_authsuccess) remote ip (10.99.0.141)
Wed Jul 08 14:04:29 2020 11796656 19988734 root     sshd     USER_Login      OK
        user: shelltester tty: /dev/pts/1
Wed Jul 08 14:04:29 2020 11796656 19988734 root     sshd     USER_Login      OK
        user: shelltester tty: ssh
TEST SSH INVALID SU PASSWORD:
Wed Jul 08 14:04:33 2020 19071208 19398876 shelltes su       USER_SU         FAIL
        root
EXIT SSH:    
Wed Jul 08 14:04:38 2020 11796656 19988734 root     sshd     SSH_connabndn   OK
        audit event euid 0 user shelltester event 12 (SSH_connabndn) remote ip (nnn.nnn.nnn.nnn)
TEST TELNET INVALID PASSWORD: 
Wed Jul 08 14:08:17 2020 11796660 20185154 root     tsm      USER_Login      FAIL_AUTH
        user: shelltester tty: /dev/pts/1
TEST TELNET INVALID PASSWORD:
Wed Jul 08 14:08:30 2020 11796660 20185154 root     tsm      USER_Login      OK
        user: shelltester tty: /dev/pts/1
EXIT TELNET:
Wed Jul 08 14:08:33 2020 20185154 4260048  root     telnetd  USER_Exit       OK
        tty: User shelltester logged out on /dev/pts/1
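As an added example (not part of the IBM note), the following POSIX shell script summarises the two-line records in the stream.out format shown above: it counts USER_Login results per user, SSH_failpasswd events per remote IP, and USER_SU attempts per calling and target account. The sample log is constructed to match that layout, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM note): summarise login activity from the
# stream log written by "auditpr -htpPrceR -w". Each record is a header
# line followed by one indented detail line, as in stream.out above.

# Constructed sample in that layout; the user name and IP are made up.
SAMPLE_LOG='Wed Jul 08 14:04:13 2020 11796656 19988734 root     sshd     USER_Login      FAIL_AUTH
        user: shelltester tty: ssh
Wed Jul 08 14:04:18 2020 11796656 19988734 root     sshd     SSH_failpasswd  OK
        audit event euid 0 user shelltester event 4 (SSH_failpasswd) remote ip (10.99.0.141)
Wed Jul 08 14:04:23 2020 11796656 19988734 root     sshd     USER_Login      OK
        user: shelltester tty: ssh
Wed Jul 08 14:04:33 2020 19071208 19398876 shelltes su       USER_SU         FAIL
        root
Wed Jul 08 14:08:17 2020 11796660 20185154 root     tsm      USER_Login      FAIL_AUTH
        user: shelltester tty: /dev/pts/1'

# Usage: audit_login_summary [/audit/stream.out]   (reads stdin if no file)
# Prints one line per distinct (event, status, user or IP) with its count.
audit_login_summary() {
    awk '
    # Header line: fields 1-5 timestamp, 6 pid, 7 ppid, 8 real user (an
    # 8-character column, so long names are truncated), 9 command, 10 event,
    # 11 status. Remember the record and wait for its detail line.
    /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z][a-z] [0-9]/ {
        event = $10; status = $11; real = $8; next
    }
    NF == 0 { next }                       # blank lines
    event == "USER_Login" {                # detail: "user: <name> tty: <tty>"
        user = "?"; for (i = 1; i < NF; i++) if ($i == "user:") user = $(i + 1)
        n["LOGIN " status " " user]++; event = ""; next
    }
    event == "SSH_failpasswd" {            # detail ends with "remote ip (<addr>)"
        ip = $NF; gsub(/[()]/, "", ip)
        n["SSHFAIL " ip]++; event = ""; next
    }
    event == "USER_SU" {                   # detail: the target account
        n["SU " status " " real "->" $1]++; event = ""; next
    }
    { event = "" }    # detail of an ignored event, column header, or test label
    END { for (k in n) print k, n[k] }
    ' "$@" | LC_ALL=C sort
}

# Only the failed password logins per account, e.g. to feed a threshold alert.
failed_logins() { audit_login_summary "$@" | awk '$1 == "LOGIN" && $2 == "FAIL_AUTH"'; }

printf '%s\n' "$SAMPLE_LOG" | audit_login_summary
```

Run it against the live file with `audit_login_summary /audit/stream.out`; the labels inserted by hand into the note's output (TEST SSH ..., EXIT SSH:) are skipped.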

 

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community: https://www.ibm.com/mysupport
   - If you require telephone support, see the web page: https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
25 May 2023

UID

ibm16194127