IBM Support

AIX AUDIT: How can I monitor file deletions?

How To


Summary

You can use AIX Auditing to monitor file operations. This example monitors only removals and renames of files or directories.

Steps

The following example logs FILE_Unlink, FILE_Rename, and FS_Rmdir events. This example does not cover log management or other audit configuration details. The example assumes the "/audit" file system exists. The example uses streamcmds for short-term data collection. You can use binmode if you prefer. See the "Support" section in this note for references.


1) Modify config:start options.
# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
2) Modify config:class:
classes:
      myFiles = FILE_Unlink,FILE_Rename,FS_Rmdir
3) Add 'myFiles' class to config:users.
users:
     default = myFiles
** You can specify a user ID if you only want to audit a specific user, or enter 'default' to log these events for all users.
   
4) Configure the stream mode commands.
# vi /etc/security/audit/streamcmds
# Default audit text output
# /usr/sbin/auditstream | auditpr > /audit/stream.out &

# Detailed audit text output
#/usr/sbin/auditstream |/usr/sbin/auditselect -e "command != audit "|  auditpr -htpPlrceR -w > /audit/stream.out &

# Detailed text to logger format (***used in this example***)
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t1 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' > /audit/stream.out.log &

# Redirect to syslog (local7 must be defined in /etc/syslog.conf)
#/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local7.notice -r &

5) Stop and restart audit.
# audit shutdown
# audit start
6) Now test a simple file move and delete operation.
Test command line file renaming and deletions:
# mkdir /tmp/myDirA
# touch /tmp/myDirA/fileA
# mv /tmp/myDirA /tmp/myDirB
# mv /tmp/myDirB/fileA /tmp/myDirB/fileB
# rm /tmp/myDirB/fileB
# rmdir /tmp/myDirB
Test sftp file renaming and deletions:
# mkdir /tmp/myDirC
# touch /tmp/myDirC/fileC
Establish an sftp connection and perform the following:
sftp> rename /tmp/myDirC /tmp/myDirD
sftp> rename /tmp/myDirD/fileC /tmp/myDirD/fileD
sftp> rm /tmp/myDirD/fileD
sftp> rmdir /tmp/myDirD
7) Check the audit stream log.
* Note: some columns were omitted for demonstration purposes.
# cat /audit/stream.out.log
event           command     login real status time of day
================================================================================================================
FILE_Rename     mv          root root OK 22 Apr 2024 19:25:17.709268 frompath: /tmp/myDirA topath: /tmp/myDirB
FILE_Rename     mv          root root OK 22 Apr 2024 19:25:17.719272 frompath: /tmp/myDirB/fileA topath: /tmp/myDirB/fileB
FILE_Unlink     rm          root root OK 22 Apr 2024 19:25:17.719272 filename /tmp/myDirB/fileB
FS_Rmdir        rmdir       root root OK 22 Apr 2024 19:25:17.729276 remove of directory: /tmp/myDirB
FILE_Rename     sftp-server root root OK 22 Apr 2024 19:26:39.514258 frompath: /tmp/myDirC topath: /tmp/myDirD
FILE_Rename     sftp-server root root OK 22 Apr 2024 19:27:23.746907 frompath: /tmp/myDirD/fileC topath: /tmp/myDirD/fileD
FILE_Unlink     sftp-server root root OK 22 Apr 2024 19:28:56.864628 filename /tmp/myDirD/fileD
FS_Rmdir        sftp-server root root OK 22 Apr 2024 19:29:23.426605 remove of directory: /tmp/myDirD
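Once events are flowing into /audit/stream.out.log, a short script can turn the stream into a per-directory deletion report. The following is an added example, not part of the IBM technote: it runs awk over a constructed sample in the column layout shown in step 7 (the watched directory /tmp/myDirB, the user jdoe and the FAIL line are constructed) and reports unlinks, directory removals and any rename whose source is inside the watched tree but whose destination is outside it, because an object moved out of a directory shows up as FILE_Rename rather than FILE_Unlink.

```shell
#!/bin/sh
# Added example (not IBM's code): summarize deletions from an AIX audit
# stream log in the column layout shown in step 7 of this note.
# Assumption: the watched directory is passed without a trailing slash.

# Constructed sample log in the layout of /audit/stream.out.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
event           command     login real status time of day
================================================================================================================
FILE_Rename     mv          root root OK 22 Apr 2024 19:25:17.709268 frompath: /tmp/myDirA topath: /tmp/myDirB
FILE_Unlink     rm          root root OK 22 Apr 2024 19:25:17.719272 filename /tmp/myDirB/fileB
FS_Rmdir        rmdir       root root OK 22 Apr 2024 19:25:17.729276 remove of directory: /tmp/myDirB
FILE_Unlink     sftp-server root root OK 22 Apr 2024 19:28:56.864628 filename /tmp/myDirD/fileD
FILE_Rename     mv          jdoe jdoe OK 22 Apr 2024 19:31:00.000000 frompath: /tmp/myDirB/keep topath: /home/jdoe/keep
FILE_Unlink     rm          jdoe jdoe FAIL 22 Apr 2024 19:32:00.000000 filename /tmp/myDirB/locked
EOF

# audit_deletions LOG DIR: one line per event that removes an object from DIR.
#   FILE_Unlink / FS_Rmdir : "status event command login path"
#   FILE_Rename            : "status event command login from -> to", only when
#                            the source is inside DIR and the destination is not
audit_deletions() {
    awk -v dir="$2" '
        # true when path p is DIR itself or lies below DIR (no prefix clashes)
        function under(p) { return p == dir || index(p, dir "/") == 1 }
        $1 == "FILE_Unlink" || $1 == "FS_Rmdir" {
            # for these two events the path is the last field on the line
            if (under($NF)) printf "%s %s %s %s %s\n", $5, $1, $2, $3, $NF
        }
        $1 == "FILE_Rename" {
            from = ""; to = ""
            for (i = 6; i <= NF; i++) {
                if ($i == "frompath:") from = $(i + 1)
                if ($i == "topath:")   to   = $(i + 1)
            }
            if (under(from) && !under(to))
                printf "%s %s %s %s %s -> %s\n", $5, $1, $2, $3, from, to
        }' "$1"
}

# count_deletions LOG DIR: number of lines reported by audit_deletions
count_deletions() { audit_deletions "$1" "$2" | wc -l | tr -d ' '; }

audit_deletions "$SAMPLE_LOG" /tmp/myDirB
```

The status column is kept in the output, so failed attempts (status FAIL) are reported next to successful ones rather than dropped.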

 

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
22 April 2024

UID

ibm13245499