IBM Support

AIX AUDIT: Examining an audit log for user actions

Question & Answer


Question

PROBLEM: I need to track when userA opens a file, as root. I assigned the "files" class to userA; however, I never see the FILE_Open for the file, although the user calls su to edit the file.

Why don't I see FILE_Open events for some users?

Answer

Audit records an event under the real user, and audit classes are selected by the real user, not the login user. When the login user userA calls su, the real user becomes the new user ID:
  • Login user:  userA
  • Real user:  root
For example, the following settings are included in /etc/security/audit/config (the user-to-class assignments belong in the users: stanza):
streammode = on

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,File_copy

users:
        root = general
        userA = files

The auditpr command in /etc/security/audit/streamcmds prints both the real user and the login user: the -h field letters t p P r l c e R select the time, process ID, parent process ID, real user, login user, command, event and status columns, in that order:
cat /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -htpPrlceR -w > /audit/stream.out &

As root:
su userA -c cat /tmp/opentest
/audit/stream.out log:
time process parent real login command event status

Wed Aug 05 20:08:16 2020 12845166 12255360 userA root cat FILE_Open OK

flags: 67108864 mode: 0 fd: 3 filename /tmp/opentest
Now log in as userA:
cat /tmp/opentest
/audit/stream.out log:
Wed Aug 05 20:12:54 2020 8782058 12255360 userA userA cat FILE_Open OK

flags: 67108864 mode: 0 fd: 3 filename /tmp/opentest
As userA:
su "-c cat /tmp/opentest"
There are some FILE_Open records for userA, related to su reading /etc/security/user during authentication. There is no FILE_Open logged for the 'cat /tmp/opentest' command, because root (the real user after su) performed the open and the files class is not assigned to root. Since the general class is assigned to root, the USER_SU event is logged, with the target user root in its tail:
/audit/stream.out log:
Wed Aug 05 20:14:35 2020 8782064 12255360 userA userA su FILE_Open OK

flags: 0 mode: 0 fd: 5 filename /etc/security/user

Wed Aug 05 20:14:35 2020 8782064 12255360 userA userA su FILE_Open OK

flags: 0 mode: 0 fd: 5 filename /etc/security/user

Wed Aug 05 20:14:35 2020 8782064 12255360 root userA su USER_SU OK

root
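To act on that distinction, the following added example (not from this page or from IBM) parses auditpr stream output with the column order shown above, reports file opens keyed by the login user, and lists the accounts reached through su, since the audit class assigned to those real users decides what is recorded after the switch. It assumes the constructed sample records below.

```python
import re

# Column order produced by auditpr -htpPrlceR (t p P r l c e R), as shown above:
# time process parent real login command event status
HEADER_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) (?P<pid>\d+) (?P<ppid>\d+) "
    r"(?P<real>\S+) (?P<login>\S+) (?P<cmd>\S+) (?P<event>\S+) (?P<status>\S+)$")
FILENAME_RE = re.compile(r"\bfilename (?P<path>\S+)")

# Constructed sample of /audit/stream.out, built from the records shown on this page.
SAMPLE_LOG = """\
Wed Aug 05 20:08:16 2020 12845166 12255360 userA root cat FILE_Open OK
flags: 67108864 mode: 0 fd: 3 filename /tmp/opentest
Wed Aug 05 20:12:54 2020 8782058 12255360 userA userA cat FILE_Open OK
flags: 67108864 mode: 0 fd: 3 filename /tmp/opentest
Wed Aug 05 20:14:35 2020 8782064 12255360 userA userA su FILE_Open OK
flags: 0 mode: 0 fd: 5 filename /etc/security/user
Wed Aug 05 20:14:35 2020 8782064 12255360 root userA su USER_SU OK
root
"""

def parse_stream(text):
    """Group each auditpr header line with the tail lines that follow it."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append({**m.groupdict(), "tail": []})
        elif records:
            records[-1]["tail"].append(line.strip())
    return records

def file_opens(records, path):
    """FILE_Open records for path: login user -> real users that did the open.
    A mismatch means the open happened after su, under the real user's class."""
    result = {}
    for r in records:
        if r["event"] != "FILE_Open":
            continue
        m = FILENAME_RE.search(" ".join(r["tail"]))
        if m and m.group("path") == path:
            result.setdefault(r["login"], []).append(r["real"])
    return result

def su_targets(records):
    """Accounts reached via su (USER_SU tail). Classes are selected by real
    user, so these accounts need the class if post-su activity is wanted."""
    return {r["tail"][0] for r in records if r["event"] == "USER_SU" and r["tail"]}
```

Running file_opens on the sample attributes the first open to login user root acting as userA, and su_targets reports root as the account that would also need the files class for userA's post-su opens to appear.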
SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.


5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
25 May 2023

UID

ibm16323281