IBM Support

AIX: How to get the proctree of an audit event in stream mode

How To


Summary

With auditing enabled on AIX, it is possible to record the PID and PPID of a process that triggered an audited event. Sometimes this will not provide enough information for you, and it could be helpful to record the entire process tree of the process.

Steps

This can be accomplished by incorporating a custom script into your /etc/security/audit/streamcmds configuration. Please note that this is not foolproof: if the process that you are auditing is very short-lived, it may have exited before the script runs, and this method cannot capture the process tree in time.
This requires making a series of modifications to the /etc/security/audit/config file. First, turn on stream mode:
start:
        ignorenonexistentity = no
        binmode = off
        streammode = on
        fullpath = on
The 'stream' stanza, by default, points to the /etc/security/audit/streamcmds file as the file that will process the audit stream data:
 
stream:
        streamcompact = off
        cmds = /etc/security/audit/streamcmds
You can change that if you like, but for this example we leave it as it is.

Next, you need to know what you want to audit. You can configure object auditing by making changes to the /etc/security/audit/objects file, or you can choose to perform event auditing and either use an existing audit class, or define a custom audit class. In this example, I define a custom audit class that records TCPIP_connect and TCP_kconnect events:
 
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,etc....
        objects = ...etc...
...etc...
        lvm = LVM_AddLV,LVM_KDeleteLV...etc...
        tcpk = TCP_kconnect,TCPIP_connect
I chose to call this class 'tcpk', and added only those two events to it. This allows me to audit what is initiating TCP connections - for example, if I want to find which process is contacting a certain external host.

Now, define what users you want to audit this class for. You can set it as the default audit class:
 
users:
        default = tcpk

You can add more users manually in this section of the config file, or you can use the chuser command to set the auditclasses attribute for any users you want.
Next, it is time to create your custom script that will run proctree against the process that is being audited. In this example, I have written it so that it not only records the date that the proctree is gathered - which is necessary to match it up to an entry in the audit log - but also avoids running proctree multiple times in succession against the same process:
#!/usr/bin/ksh
# Reads one PID per line from the auditpr pipeline in streamcmds and records
# the process tree. The date line lets you match each tree to its entry in
# /audit/stream.out.
oldline=""
while read line
do
        # skip repeated PIDs so proctree is not run again for the same process
        if [[ $oldline != $line ]]; then
                date
                proctree $line 2> /dev/null
        fi
        oldline=$line
done
For this example, I will refer to this script as /audit/get_tree.sh.
After saving this script, set the ownership and give it execute permissions:
chown root:audit /audit/get_tree.sh
chmod 755 /audit/get_tree.sh
Next, modify your /etc/security/audit/streamcmds file to have these lines. You can have more lines than what I show in the streamcmds file, if you like. For this example, if you only want to audit the TCP connect events, remove any existing lines in streamcmds and replace them with these two lines:
 
/usr/sbin/auditstream | auditselect -e "(event == TCP_kconnect || event == TCPIP_connect)" | auditpr -v -helRtcrpP >> /audit/stream.out &

/usr/sbin/auditstream | auditselect -e "(event == TCP_kconnect || event == TCPIP_connect)" | auditpr -t0 -hP  | /audit/get_tree.sh >> /audit/tree.out &
If you find that there are certain processes that you want to exclude from auditing, you can modify the lines to exclude them. For this example, I am excluding logger and snmpmibd from being audited:
/usr/sbin/auditstream | auditselect -e "(event == TCP_kconnect || event == TCPIP_connect) && command != logger && command != snmpmibd" | auditpr -v -helRtcrpP >> /audit/stream.out &

/usr/sbin/auditstream | auditselect -e "(event == TCP_kconnect || event == TCPIP_connect) && command != logger && command != snmpmibd" | auditpr -t0 -hP  | /audit/get_tree.sh >> /audit/tree.out &
Now, run 'audit start'. Checking 'ps -ef' output should show two instances of auditpr running, two of auditstream, two of auditselect, and one of the get_tree.sh script. If you were to run 'audit shutdown', you'll see them all disappear. For our purposes, you'll want to run 'audit start' and leave it running.

You can make sure audit starts on reboot by adding an entry to inittab:
mkitab "audit:2:once:/usr/sbin/audit start > /dev/null 2>&1"

The audit output will be written to the /audit/stream.out and /audit/tree.out files if you use the same streamcmds entries that I show above.

Once audit is started, someone executing an 'ssh testlab179' would cause this to show up in /audit/stream.out:
TCP_kconnect    root     OK          Tue Oct 26 12:47:16 2021 ssh                             root     15007926 8454350
        fd3 testlab179 ssh

The /audit/tree.out file would show a corresponding process tree entry like this to let you know the chain of processes that led to this ssh attempt:
Tue Oct 26 12:47:16 CDT 2021
4194452    /usr/sbin/srcmstr
   8913038    /usr/sbin/sshd
      9699426    sshd: root@pts/2
         8454350    -ksh
            15007926    ssh testlab179
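
Matching a stream.out event to its tree.out snapshot by hand gets tedious once the files grow. The following script is an added example, not part of the IBM article: it assumes the streamcmds lines shown above (so an event line ends in the PID and PPID, and each tree snapshot begins with a `date` line), and falls back to the parent PID when the audited process had already exited before proctree ran. The SAMPLE_EVENT and SAMPLE_TREE data are constructed from the article's example output.

```shell
#!/bin/sh
# Added example, not from the IBM article: correlate a /audit/stream.out event
# line with the proctree snapshot get_tree.sh appended to /audit/tree.out.
# Assumes the article's streamcmds lines, so an event line reads
# "event login status Www Mmm dd HH:MM:SS yyyy command ruser pid ppid" and
# each snapshot starts with a `date` line such as "Tue Oct 26 12:47:16 CDT 2021".
# find_tree PID 'Www Mmm dd HH:MM:SS yyyy' TREEFILE: prints each snapshot whose
# date line equals the event time (time zone dropped) and lists PID in column 1.
find_tree() {
    awk -v pid="$1" -v when="$2" '
        function flush() {
            if (block != "" && hdr == when && hit) print block
            block = ""; hit = 0
        }
        /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun) / {    # date line: a new snapshot begins
            flush()
            hdr = $1 " " $2 " " $3 " " $4 " " $6  # drop the time-zone field
            block = $0
            next
        }
        { block = block "\n" $0; if ($1 == pid) hit = 1 }
        END { flush() }
    ' "$3"
}
# locate_event EVENT_LINE TREEFILE: get_tree.sh runs proctree against the parent
# PID (auditpr -hP), so the audited process is listed only if it was still alive;
# when it is missing, fall back to searching for its parent PID instead.
locate_event() {
    when=$(printf '%s\n' "$1" | awk '{print $4, $5, $6, $7, $8}')
    pid=$(printf '%s\n' "$1" | awk '{print $(NF-1)}')
    ppid=$(printf '%s\n' "$1" | awk '{print $NF}')
    out=$(find_tree "$pid" "$when" "$2")
    [ -n "$out" ] || out=$(find_tree "$ppid" "$when" "$2")
    printf '%s\n' "$out"
}
# Constructed sample data modelled on the article's example output.
SAMPLE_EVENT='TCP_kconnect    root     OK          Tue Oct 26 12:47:16 2021 ssh    root     15007926 8454350'
SAMPLE_TREE='Tue Oct 26 12:40:02 CDT 2021
4194452    /usr/sbin/srcmstr
   8913038    /usr/sbin/sshd
         8454350    -ksh
            15007900    ssh testlab100
Tue Oct 26 12:47:16 CDT 2021
4194452    /usr/sbin/srcmstr
   8913038    /usr/sbin/sshd
      9699426    sshd: root@pts/2
         8454350    -ksh
            15007926    ssh testlab179'
```

To try it, write SAMPLE_TREE to a file and run locate_event "$SAMPLE_EVENT" on that file; on a live system pass a line from /audit/stream.out and /audit/tree.out instead.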


Document Information

Modified date:
05 April 2022

UID

ibm16519912