IBM Support

Auditing Script to Gather Process Information

Question & Answer


Question

How can I run the ps or proctree command when auditing finds an event occurred?

Answer

There are times when it is useful to use auditing to catch a process performing an unwanted action.  Auditing events and file objects can show you which process is doing it, but you may also need to find out how that process is being invoked.  For that, the audit record gives you the PID and PPID, which tell you what parent process started things off.

However, sometimes you need a snapshot taken at the moment of the event so you can see all the way up the process chain.  For those times you can invoke a small shell script from stream auditing.  You set up stream auditing to gather only the events you are interested in, and then run proctree or ps to record the processes that exist at the time of the event.


To use this, put the script on the system in the /etc/security/audit directory.  Make sure it is executable and has the correct permissions: because the audit subsystem runs the streamcmds entries as root, the script should be owned by root and not be writable by anyone else.

Here is an example proc.sh:

    #!/usr/bin/ksh
    # Each line on stdin is one process ID field from "auditpr -hp".
    while read line
    do
        # Skip the column title and anything else that is not a PID.
        case "$line" in
            ''|*[!0-9]*) continue ;;
        esac
        echo "--- `date` --- PID $line"
        echo " "
        /usr/bin/proctree "$line"
        echo " "
    done

    exit 0


Make it executable:
    # chmod +x proc.sh

Now modify the streamcmds file to add a second line after the existing one.  Have this line use auditselect to filter for the events you wish to trigger on, and then pipe the result into the shell script.

    # cat streamcmds
    /usr/sbin/auditstream | auditpr -v -t1 -herlRtcpP >> /audit/stream.out &
    /usr/sbin/auditstream | auditselect -e "event==ODM_READ || event==ODM_WRITE" | auditpr -hp | /etc/security/audit/proc.sh >> /audit/proc.out 2>/dev/null &


Each entry in streamcmds must be a single unbroken line, even though the lines wrap in the output shown here.  Note that the auditselect field name is lowercase (event), as are the others it accepts.

The first line is a regular auditpr that captures full records into /audit/stream.out.
The second line uses auditselect to filter for two events, ODM_READ and ODM_WRITE.  Whenever either event occurs, auditpr -hp prints only the process ID of that record, which is piped into the proc.sh script, and the output of the script is appended to a separate file, /audit/proc.out.

After the event is caught, find the event record in the stream.out file, take its PID and time stamp, and locate the matching proctree or ps output in proc.out.  Because the script runs only when the record reaches it, a very short-lived process may already have exited by then; in that case proctree shows nothing and the PID and PPID recorded in stream.out are what you have to work from.
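As an added example (not part of the IBM technote), here is a POSIX sh version of the same idea that can be exercised offline.  It does two things the proc.sh loop relies on: it reduces the input to genuine PIDs, rejecting a column title or blank line, and it walks the parent chain from a ps snapshot, which is what proctree prints from the live process table.  The ps snapshot and the audit lines below are constructed sample data; on a live AIX system you would take the snapshot at the moment the record arrives with ps -ef, or ps -eo pid,ppid,comm if that form is available (assumed here), and read the PIDs from auditpr -hp as in the streamcmds entry above.

```shell
#!/bin/sh
# Added example, not IBM's code: rebuild a process's ancestry (PID, parent,
# grandparent, ... down to init) from a ps snapshot, as proctree does live.

# Constructed sample in the shape of `ps -eo pid,ppid,comm` output.
# On a live system you would capture the real thing at event time:
#   PS_SNAPSHOT=$(ps -eo pid,ppid,comm)
PS_SNAPSHOT='  PID  PPID COMM
    1     0 init
 2100     1 cron
 4700  2100 sh
 4711  4700 odmget
 5300     1 sshd
 5310  5300 ksh'

# Print the argument if it is a bare decimal PID (surrounding whitespace
# allowed), otherwise print nothing and return non-zero.  This is the
# check that keeps a column title or an empty line away from proctree.
pid_from_line() {
    set -- $1                      # word-split to drop surrounding whitespace
    case "${1-}" in
        ''|*[!0-9]*) return 1 ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Print the ancestry of PID $1 as "pid ppid ... 1", looked up in the
# snapshot passed as $2.  Stops at PID 0 or at a PID that is not in the
# snapshot (for example a parent that has already exited).
ancestry() {
    pid=$1
    snapshot=$2
    chain=""
    while [ "$pid" -gt 0 ] 2>/dev/null; do
        chain="${chain:+$chain }$pid"
        ppid=$(printf '%s\n' "$snapshot" | awk -v p="$pid" '$1 == p { print $2; exit }')
        [ -n "$ppid" ] || break
        pid=$ppid
    done
    printf '%s\n' "$chain"
}

# Equivalent of the proc.sh loop: read PID fields on stdin, skip anything
# that is not a PID, and print each process in the chain with its parent
# and command name.
report_chain() {
    snapshot=$1
    while read -r line; do
        pid=$(pid_from_line "$line") || continue
        echo "--- $(date) --- PID $pid"
        for p in $(ancestry "$pid" "$snapshot"); do
            printf '%s\n' "$snapshot" |
                awk -v p="$p" '$1 == p { printf "  %s (parent %s) %s\n", $1, $2, $3 }'
        done
        echo " "
    done
}

# Stand-alone demo with constructed input: a title line, a blank line and
# two PIDs, the kind of stream proc.sh receives from auditpr -hp.
printf 'process\n\n4711\n5310\n' | report_chain "$PS_SNAPSHOT"
```

The lookup stops as soon as a parent is missing from the snapshot, so a chain that ends above PID 1 is itself a signal that part of the ancestry had exited before the snapshot was taken; that is the same gap you see when proctree is run too late.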


Document Information

Modified date:
17 June 2018

UID

isg3T1023892