IBM Support

AIX AUDIT: Auditing specific files or commands

Question & Answer


Question

How can I audit a specific command or file on AIX?

Answer

The following steps can be used to configure AIX Auditing to audit individual files (including commands) for READ, WRITE and/or EXEC access.

1) Edit the audit config file to enable stream-mode auditing:

# vi /etc/security/audit/config

start:
binmode = off
streammode = on


With streammode, you will immediately get the output in text format. If you choose binmode, you will have to convert the data from binary to text before reading it (see technote: AIX System Security Audit for more details -
http://www.ibm.com/support/docview.wss?uid=isg3T1000212 )


2) Confirm the following line is in /etc/security/audit/streamcmds file

/usr/sbin/auditstream | auditpr -v -t1 -h tpPrceR > /audit/stream.out &

-v also prints the tail of each record (the event-specific data, formatted as defined in the events file) on an additional line.
-t1 prints a column-header line once at the start of the output, for ease of analysis.
-h tpPrceR selects the header fields to print: t (time), p (process ID), P (parent process ID), r (real user name), c (command name), e (audit event), R (audit status / result).


* See the auditpr man page for further information on the available arguments.

If you want to limit what events will be monitored you can also modify this file to use the auditselect command, eg...

# vi /etc/security/audit/streamcmds

/usr/sbin/auditstream | /usr/sbin/auditselect -e "command!=cron && command!=at" | auditpr -v -t1 -h tpPrceR > auditstream.out &


This command would exclude from the auditstream.out file the records that would otherwise be gathered from cron and at. Excluding them is probably not what you want when tracking down access to a specific file; the line only shows the auditselect syntax. In practice, write to an absolute path such as /audit/stream.out (as in the line above) so the output does not depend on the working directory of the process that runs streamcmds.

* See the AIX System Security Audit technote for more information on using auditselect.


3) Edit the /etc/security/audit/objects file to add an entry for the object/file you want to audit.
The format of an entry in the objects file is:

/path/to/file:
access_mode = "audit_event"

An audit-event name can be up to 15 bytes long; longer names are rejected. Valid access modes are read (r), write (w), and execute (x) modes. For directories, search mode is substituted for execute mode.



eg:

/path/to/filename:
w = "S_FILE_WRITE"


The above line will audit writes to the file, but you can also audit reads or execute (for commands) with the following:

r = "S_FILE_READ"
and/or
x = "S_FILE_EXEC"



NOTE: audit start fails if an object in the objects file is a symbolic link...

# ls -ld /bin
lrwxrwxrwx 1 bin bin 8 Jul 28 2015 /bin -> /usr/bin

In the objects file:
/bin:
w = "BIN_W"
r = "BIN_R"

# audit start
** failed setting kernel audit objects

You must point to the actual file, that is, the link target, eg /usr/bin.
TIP: Check the objects file for stanza paths that are symbolic links with the following syntax (the grep is anchored to lines that start with "/", so comments that happen to contain a slash are skipped):
# grep "^/" /etc/security/audit/objects | tr -d ":" | xargs -I {} sh -c 'if [ -L "{}" ]; then echo "{} is a SYMLINK"; fi'




4) Edit the /etc/security/audit/events file to include your events and a print format to record them in the audit log.

Entries go in the auditpr: stanza of the events file. Each attribute in that stanza is the name of an audit event, with the following format:

AuditEvent = FormatCommand



Normally the path to the object being audited is included as a comment before the event. Comments in the events file are preceded with an asterisk (*).

* /path/to/filename
S_FILE_WRITE = printf " %s "


If you included READ and/or EXECUTE entries in step 3, you will also need to add the corresponding entries to the events file. The name on the left must match the name used in the objects file exactly (S_FILE_EXEC here, not S_FILE_EXECUTE); an event that is defined in one file but not the other is the usual reason a file audit produces no records.

S_FILE_READ = printf " %s "
and/or
S_FILE_EXEC = printf " %s "



5) Start auditing by running the following command:

# audit start

If you need to reset auditing for any reason (for example after editing the objects or events file), run the following commands:

# audit shutdown; audit start


6) Wait for the issue to occur, or perform the steps that reproduce the problem being audited.

7) Stop auditing and check the output file for the FILE entries:

# audit shutdown
# cd /audit
# cat stream.out


The audit record is displayed as follows (the example is for auditing a WRITE to a file; the second line is the record tail printed because of -v)...

S_FILE_WRITE root OK Wed Mar 06 2012 <application_name>
audit object write event detected /path/to/filename
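The following script is an added example, not part of this technote and not AIX code: a preflight check, written for POSIX sh and awk, that parses the objects and events files from steps 3 and 4 and reports the problems that otherwise only show up at audit start or as a silent lack of records: object paths that are symbolic links, event names longer than 15 bytes, access modes other than r, w or x, and events named in the objects file that have no entry in the events file (S_FILE_EXEC in objects against S_FILE_EXECUTE in events, for instance). The file name audit_preflight.sh, the sample object paths and the sample event names are assumptions for the demonstration; the sample files it writes are constructed and do not come from any real system. Run with no arguments it demonstrates a broken pair and a corrected pair in a temporary directory; run with two arguments it checks the given objects and events files.

```shell
#!/bin/sh
# audit_preflight.sh: check the objects/events files from steps 3 and 4 before
# "audit start". Added example, not IBM's code. It reports the mistakes those
# steps warn about: an object path that is a symbolic link, an event name over
# 15 bytes, an access mode other than r/w/x, and an event named in the objects
# file with no entry in the events file (e.g. S_FILE_EXEC vs S_FILE_EXECUTE).
# Assumptions: POSIX sh plus awk; stanza headers start in column 0 and end in
# ":"; object paths contain no whitespace. The sample files are constructed.

# list_object_events OBJECTS: print one "path mode event" line per mode line.
list_object_events() {
    awk '
        /^\*/ { next }                                  # comment line
        /^\/[^ \t]*:[ \t]*$/ {                          # stanza header "/path:"
            path = $0; sub(/:[ \t]*$/, "", path); next
        }
        path != "" && index($0, "=") > 0 {              # mode = "EVENT"
            mode = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", mode)
            ev = $0; sub(/^[^"]*"/, "", ev); sub(/"[ \t]*$/, "", ev)
            sub(/[ \t]+$/, "", ev)                      # tolerate "EVENT " typo
            print path, mode, ev
        }' "$1"
}

# list_defined_events EVENTS: print the event names in the auditpr: stanza.
list_defined_events() {
    awk '
        /^\*/ { next }
        /^[^ \t*][^ \t]*:[ \t]*$/ { stanza = $0; sub(/:[ \t]*$/, "", stanza); next }
        stanza == "auditpr" && index($0, "=") > 0 {
            name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name)
            if (name != "") print name
        }' "$1"
}

# preflight_report OBJECTS EVENTS: one line per problem found (nothing if clean).
preflight_report() {
    list_object_events "$1" | while read -r path mode ev; do
        [ -L "$path" ] && echo "$path: is a symbolic link; audit the link target instead"
        [ -e "$path" ] || echo "$path: does not exist on this host"
        case "$mode" in
            r|w|x) ;;
            *) echo "$path: access mode '$mode' is not r, w or x" ;;
        esac
        [ ${#ev} -le 15 ] || echo "$path: event name '$ev' is ${#ev} bytes, limit is 15"
        list_defined_events "$2" | grep -qxF -- "$ev" \
            || echo "$path: event '$ev' has no entry in the events file"
    done
}

# preflight OBJECTS EVENTS: print the report; exit status 1 if anything was found.
preflight() {
    _out=$(preflight_report "$1" "$2") || true
    if [ -n "$_out" ]; then
        printf '%s\n' "$_out"
        return 1
    fi
    echo "OK: $1 and $2 are consistent"
}

# write_sample_config DIR: constructed sample files (not from a real system).
# DIR/link is a symlink to DIR/target, so the symlink check has something to catch.
write_sample_config() {
    : > "$1/target"; ln -s "$1/target" "$1/link"
    cat > "$1/objects" <<EOF
* constructed sample: the link stanza and S_FILE_EXEC are the mistakes
$1/target:
w = "S_FILE_WRITE"
r = "S_FILE_READ"
x = "S_FILE_EXEC"
$1/link:
w = "LINK_WRITE_EVENT_1"
EOF
    cat > "$1/events" <<'EOF'
auditpr:
* sample object entries
        S_FILE_WRITE = printf " %s "
        S_FILE_READ = printf " %s "
        S_FILE_EXECUTE = printf " %s "
        LINK_WRITE_EVENT_1 = printf " %s "
EOF
    # Corrected pair: keep only the target stanza, and make the EXEC names match.
    awk '/\/link:/ { exit } { print }' "$1/objects" > "$1/objects.fixed"
    sed 's/S_FILE_EXECUTE /S_FILE_EXEC /' "$1/events" > "$1/events.fixed"
}

# demo: run the check on the constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    write_sample_config "$d"
    echo "== sample with deliberate mistakes =="
    preflight "$d/objects" "$d/events" || echo "(fix these before: audit start)"
    echo "== corrected sample =="
    preflight "$d/objects.fixed" "$d/events.fixed"
    rm -rf "$d"
}

# Usage: sh audit_preflight.sh /etc/security/audit/objects /etc/security/audit/events
if [ $# -eq 2 ]; then preflight "$1" "$2"; else demo; fi
```

Run it after editing the objects or events file and before audit start (or before the audit shutdown; audit start reset in step 5). A non-zero exit status means the report lists something to fix; the script only reads the two files and never modifies them, and the existence check is a warning for the host it runs on, not a statement about how the kernel treats a missing object.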
SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:

IBM Documentation Audit section:
https://www.ibm.com/docs/en/aix/7.1?topic=system-auditing-overview

AIX Redbooks, "Auditing and Accounting"
http://www.redbooks.ibm.com/redbooks/pdfs/sg246396.pdf

And the following Technotes:

The Audit Subsystem in AIX:
https://www-01.ibm.com/support/docview.wss?uid=isg3T1000212

AIX Auditing Best Practices
https://www.ibm.com/support/pages/aix-auditing-best-practices

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
12 March 2024

UID

isg3T1013098