Question & Answer
Question
Answer
Auditing and other security configurations involve comprehensive features that require advanced review and planning.
- Read example steps for setting up an auditing subsystem in "Setting Up Auditing" in the IBM AIX Documentation.
- See more details, including diagrams, in the IBM AIX Documentation Security PDF (Auditing overview, page 129).
- What to audit
  - Are there defined requirements?
    - Government regulations
    - Industry standards
    - Enterprise hardening requirements
    - Product recommendations or requirements
  - Event selection must strike a balance between too little and too much detail.
- How to audit (data collection mode)
  - Long term?
    - Select BIN mode.
  - Short term?
    - Select STREAM mode.
  - Select both BIN and STREAM for storage plus immediate processing.
  - Read details about audit record processing in the IBM AIX Documentation "Audit logger configuration".
- When to audit
  - Plan when to start the audit subsystem:
    - At boot
    - At scheduled times
    - When particular users log in
    - When a specific command is invoked
- Who to audit
  - All users?
    - The default stanza in config applies selected classes (groups of events) to all users.
  - Specific users?
  - Specific roles?
- Storage space for the records
  - Audit records can produce large amounts of data.
  - Consider the amount of data you will collect, and where you will store it.
    - The AIX audit subsystem uses /audit by default.
    - It is recommended to create a separate file system for /audit to avoid filling root (/).
    - This directory should be secure.
- How to store the records
  - Back up and send the trail to a centralized server?
  - Send records to a centralized server through syslogd?
- Audit configuration files
  - /etc/security/audit/config: contains audit system configuration information.
  - /etc/security/audit/objects: contains audit events for audited objects.
  - /etc/security/audit/events: contains the audit events of the system.
  - /etc/security/audit/bincmds: contains auditbin backend commands.
  - /etc/security/audit/streamcmds: contains auditstream commands.
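To turn the planning points above into a repeatable check, here is an added example (not from IBM or the AIX documentation) that parses a file in the /etc/security/audit/config stanza format and checks it against those points: the collection mode selected in the start stanza, the trail location under /audit, a default entry under users that applies classes to all users, and whether every class a user references is defined. The sample config, the continuation rule (a value ending in a comma continues on the next line) and the finding messages are assumptions made for this example.

```python
# Constructed sample config (not from a live system): BIN mode, one class applied to every user.
SAMPLE_CONFIG = """\
start:
        binmode = on
        streammode = off
bin:
        trail = /audit/trail
        cmds = /etc/security/audit/bincmds
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,
                FILE_Rename
users:
        root = general
        default = general
"""

def parse_stanzas(text):
    """Return {stanza: {key: value}}; a value ending in ',' continues on the next line."""
    stanzas, current, key = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):          # blank line or '*' comment
            continue
        if line.endswith(":") and line[:-1].isalpha():   # stanza header such as 'users:'
            current, key = line[:-1], None
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas.setdefault(current, {})[key] = value
        elif key is not None and stanzas[current][key].endswith(","):
            stanzas[current][key] += line             # continuation of a class list
    return stanzas

def check_config(text, audit_dir="/audit"):
    """Return findings as strings; an empty list means the plan is self-consistent."""
    cfg, findings = parse_stanzas(text), []
    start, bin_, users = cfg.get("start", {}), cfg.get("bin", {}), cfg.get("users", {})
    if start.get("binmode") == "on" and "trail" not in bin_:
        findings.append("binmode is on but the bin stanza has no trail")
    if start.get("streammode") == "on" and "cmds" not in cfg.get("stream", {}):
        findings.append("streammode is on but the stream stanza has no cmds")
    for k, path in bin_.items():                      # trail and bin files belong under /audit
        if k != "cmds" and path.startswith("/") and not path.startswith(audit_dir + "/"):
            findings.append(f"bin.{k} is outside {audit_dir}: {path}")
    if "default" not in users:                        # default applies classes to all users
        findings.append("users stanza has no default entry (default applies classes to all users)")
    for user, spec in users.items():                  # every class used must be defined
        for cls in (c.strip() for c in spec.split(",")):
            if cls not in cfg.get("classes", {}):
                findings.append(f"user {user} uses undefined class {cls}")
    return findings
```

Run `check_config(open("/etc/security/audit/config").read())` on a host to list the inconsistencies before starting the subsystem; the /audit directory being its own secured file system is an operating-system check outside this script.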
SUPPORT
Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of scope for AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.
You can learn more about the audit functionality on AIX and best practices through the following resources:
If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist. If you require consulting services, additional fee-based services are available.
If you require usage assistance, use the following step-by-step instructions to contact IBM and open a case for software with an active and valid support contract.
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.
2. Capture any logs or data relevant to the situation.
3. Contact IBM to open a case:
   - For electronic support, see the IBM Support Community:
4. Provide a clear, concise description of the issue.
   - For guidance, see: Working with IBM AIX Support: Describing the problem
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case.
   - For guidance, see: Working with IBM AIX Support: Collecting snap data
Document Information
Modified date: 08 July 2024
UID: ibm16825071