IBM Support

AIX AUDIT: How can I monitor a specific command?

How To


Summary

You can use AIX Auditing to monitor file operations. This example monitors a command.

Steps

The following example logs /usr/bin/csh events. This example does not cover log management, or other audit configuration details. The example assumes the "/audit" file system exists.  See the "Support" section in this note for references.


1) Modify config:start options 
# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
2) Modify  /etc/security/audit/objects file to add an entry for the object/file you want to audit.
# vi /etc/security/audit/objects
/usr/bin/csh:
x = "CSHELL_EXEC"

 
Format: 
/path/to/file:
access_mode = "audit_event "

An audit-event name can be up to 15 bytes long; longer names are rejected. Valid access modes are read (r), write (w), and execute (x) modes. For directories, search mode is substituted for execute mode.

3) Edit the /etc/security/audit/events file to include the event and print format for the audit log.
* /usr/bin/csh
CSHELL_EXEC = printf " %s "
Format:
* Is a comment character
AuditEvent FormatCommand
   
4) Configure the stream mode commands
# vi /etc/security/audit/streamcmds:
/usr/sbin/auditstream | auditpr -htpPrceR -w > /audit/stream.out &

5) Stop and restart audit:
# audit shutdown
# audit start
6) Now invoke the command:
# /usr/bin/csh
7) Check the audit stream log:
# cat /audit/stream.out
time                     process  parent   real    command event        status
------------------- ---------------------------------------------------------
Thu Oct 22 15:41:35 2020 16777336 17039590 root csh     CSHELL_EXEC     OK
         audit object exec event detected /usr/bin/csh

 

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data

[{"Line of Business":{"code":"LOB08","label":"Cognitive Systems"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG10","label":"AIX"},"ARM Category":[{"code":"a8m0z000000cw2BAAQ","label":"Security-\u003EAudit"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]

Document Information

Modified date:
25 May 2023

UID

ibm16351647