
AIX AUDIT: Enabling full path file names

Question & Answer


Question

How can I get the full path to a file in an audit trail or audit stream output file?

Answer

Full file paths are a feature added to AIX auditing in AIX 5300-11 and 6100-04.
From the audit man page:

on [panic | fullpath]
Restarts the auditing system after a suspension, if the system is properly configured (for example, if the audit start command was used initially and the configuration is still valid). If auditing has already started when the command is given, only bin data collection can be changed.

If you specify the fullpath option, the FILE_Open, FILE_Read and FILE_Write auditing events capture the full path name of a file.

The "fullpath" argument is only an option to the "audit on" command, so to start auditing and enable full path names you will need to run these commands:

# audit start
# audit off
# audit on fullpath

Example output with fullpath enabled

FILE_Open       root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       flags: 258 mode: 644 fd: 8
filename /etc/utmp
FILE_Read       root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       file descriptor = 8
filename = /etc/utmp
FILE_Write      root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       file descriptor = 8
filename = /etc/utmp
FILE_Close      root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       file descriptor = 8

Example without fullpath (only FILE_Open carries the name passed to the open call; the FILE_Read and FILE_Write records have an empty filename field)

FILE_Open       root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       flags: 258 mode: 644 fd: 8 filename /etc/utmp
FILE_Read       root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       file descriptor = 8 filename =
FILE_Write      root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       file descriptor = 8 filename =
FILE_Close      root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       file descriptor = 8

Verifying that fullpath is enabled

You can see the status of fullpath using the audit query command. It should show up in the first line of output:

# audit query
auditing on[fullpath]
bin processing off
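The two checks above (the "audit query" first line, and whether FILE_Read / FILE_Write records actually carry a path) can be scripted. The following is an added example and is not part of the IBM page or of AIX itself. It assumes the "audit query" output and the record layout match the examples shown above (event name in column 1, fields on indented continuation lines); the sample records embedded in it are constructed from those examples so the script runs off-box, and the "auditpr" usage mentioned in the comments is an assumption about how a trail would be rendered to text on a live system.

```shell
#!/bin/sh
# Added example, not from the IBM page: two offline checks for the AIX audit
# "fullpath" setting. Both read text on stdin so they can be run against
# saved output; on a live system you would pipe "audit query" or an
# auditpr-rendered stream/trail file into them (assumption: that rendering
# matches the page's record layout).

# Exit 0 if the first line of "audit query" output reports on[fullpath].
audit_fullpath_enabled() {
    head -n 1 | grep -q '^auditing on\[fullpath\]'
}

# Print the number of FILE_Read / FILE_Write records whose "filename ="
# field is empty. A non-zero count means the trail was written without
# fullpath, so those reads and writes cannot be tied back to a path.
count_missing_filenames() {
    awk '
        /^FILE_(Read|Write)[ \t]/ { ev = $1; next }   # record header
        ev != "" && /filename *=/ {                    # field of that record
            sub(/.*filename *=[ \t]*/, "")
            if ($0 == "") missing++
            ev = ""
            next
        }
        /^[A-Z_]+[ \t]/ { ev = "" }                    # any other header
        END { print missing + 0 }
    '
}

# Constructed sample: stream written with fullpath on (paths present).
SAMPLE_FULLPATH=$(cat <<'EOF'
FILE_Read       root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       file descriptor = 8
filename = /etc/utmp
FILE_Write      root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       file descriptor = 8
filename = /etc/utmp
FILE_Close      root     root     OK          Wed May 27 09:15:25 2015 sshd                            6946924  4063418
       file descriptor = 8
EOF
)

# Constructed sample: same events written with fullpath off (paths empty).
SAMPLE_NOFULLPATH=$(cat <<'EOF'
FILE_Read       root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       file descriptor = 8 filename =
FILE_Write      root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       file descriptor = 8 filename =
FILE_Close      root     root     OK          Wed May 27 09:14:55 2015 sshd                            6946918  4063418
       file descriptor = 8
EOF
)

# Usage on the constructed samples. On a live system replace the printf with
# "audit query", and feed the rendered trail instead of the sample text.
if printf 'auditing on[fullpath]\nbin processing off\n' | audit_fullpath_enabled; then
    echo "fullpath: enabled"
else
    echo "fullpath: NOT enabled - run: audit off; audit on fullpath"
fi
echo "missing filenames (fullpath on):  $(printf '%s\n' "$SAMPLE_FULLPATH" | count_missing_filenames)"
echo "missing filenames (fullpath off): $(printf '%s\n' "$SAMPLE_NOFULLPATH" | count_missing_filenames)"
```

The second check is the one worth scheduling: "audit query" tells you the current setting, but a trail collected before "audit on fullpath" was issued still has empty filename fields, and counting them is the quickest way to see how much of an existing trail is unusable for file-level attribution.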

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
15 February 2023

UID

isg3T1022298