How To
Summary
You can use AIX Auditing to monitor file operations. This example monitors only removals or renaming of file or directories.
Steps
The following example logs FILE_Unlink, FILE_Rename, and FS_Rmdir events. This example does not cover log management, or other audit configuration details. The example assumes the "/audit" file system exists. The example uses streamcmds for short term data collection. You can use binmode if you prefer. See the "Support" section in this note for references.
- This example applies to all FILE_Unlink, FILE_Rename and FS_Rmdir events.
1) Modify config:start options.
# vi /etc/security/audit/config
start:
binmode = off streammode = on ignorenonexistentity = no |
classes:
myFiles = FILE_Unlink,FILE_Rename,FS_Rmdir |
users:
default = myFiles ** You can specify a user ID if you only want to audit a specific user, or enter 'default' to log these events for all users.
|
# vi /etc/security/audit/streamcmds:
#Default audit text output
# /usr/sbin/auditstream | auditpr > /audit/stream.out & # Detailed audit text output
#/usr/sbin/auditstream |/usr/sbin/auditselect -e "command != audit "| auditpr -htpPlrceR -w > /audit/stream.out & # Detailed text to logger format (***used in this example***)
/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t1 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' > /audit/stream.out.log & # Redirect to syslog (local7 must be defined in /etc/syslog.conf
#/usr/sbin/auditstream | /usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != auditpr && command != auditselect"|auditpr -t0 -h eclrRdi -v |awk -u 'NR%2{printf "%s ",$0;next}{print;}' | /usr/bin/logger -p local7.notice -r & |
5) Stop and restart audit.
# audit shutdown
# audit start |
Test command line file renaming and deletions:
# mkdir /tmp/myDirA
# touch /tmp/myDirA/fileA # mv /tmp/myDirA /tmp/myDirB # mv /tmp/myDirB/fileA /tmp/myDirB/fileB # rm /tmp/myDirB/fileB # rmdir /tmp/myDirB Test sftp file renaming and deletions:
# mkdir /tmp/myDirC
# touch /tmp/myDirC/fileC
Establish an sftp connection and perform the following:
sftp> rename /tmp/myDirC /tmp/myDirD
sftp> rename /tmp/myDirD/fileC /tmp/myDirD/fileD
sftp> rm /tmp/myDirD/fileD
sftp> rmdir /tmp/myDirD
|
# cat /audit/stream.out.log
event command login real status time of day
================================================================================================================ FILE_Rename mv root root OK 22 Apr 2024 19:25:17.709268 frompath: /tmp/myDirA topath: /tmp/myDirB FILE_Rename mv root root OK 22 Apr 2024 19:25:17.719272 frompath: /tmp/myDirB/fileA topath: /tmp/myDirB/fileB FILE_Unlink rm root root OK 22 Apr 2024 19:25:17.719272 filename /tmp/myDirB/fileB FS_Rmdir rmdir root root OK 22 Apr 2024 19:25:17.729276 remove of directory: /tmp/myDirB FILE_Rename sftp-server root root OK 22 Apr 2024 19:26:39.514258 frompath: /tmp/myDirC topath: /tmp/myDirD FILE_Rename sftp-server root root OK 22 Apr 2024 19:27:23.746907 frompath: /tmp/myDirD/fileC topath: /tmp/myDirD/fileD FILE_Unlink sftp-server root root OK 22 Apr 2024 19:28:56.864628 filename /tmp/myDirD/fileD FS_Rmdir sftp-server root root OK 22 Apr 2024 19:29:23.426605 remove of directory: /tmp/myDirD |
Additional Information
SUPPORT |
---|
Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.
You can learn more about the audit functionality on AIX and best practices through the following resources:
If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist. If you require consulting services, there are more fee-based services available.
If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue. 2. Capture any logs or data relevant to the situation. 3. Contact IBM to open a case: -For electronic support, see the IBM Support Community: 4. Provide a clear, concise description of the issue. - For guidance, see: Working with IBM AIX Support: Describing the problem
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case. - For guidance, see: Working with IBM AIX Support: Collecting snap data |
Related Information
Was this topic helpful?
Document Information
Modified date:
22 April 2024
UID
ibm13245499