IBM Support

AIX AUDIT: What is writing to the console log?

How To


Summary

You can use AIX Auditing to monitor file operations. This example monitors the console log file to identify the process that is repeating output to the console.

Steps

The following example logs updates to the default console log file, /var/adm/ras/conslog. It does not cover log management or other audit configuration details. The example assumes that the "/audit" file system exists, and uses stream mode for the logging demonstration.

See the "Support" section in this note for technical references.


1) Modify the start stanza options in the audit config file:
# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
2) Modify the /etc/security/audit/objects file to add an entry for the object or file that you want to audit:
# vi /etc/security/audit/objects
/var/adm/ras/conslog:
w = "CONS_LOG_W"
Format:
/path/to/file:
access_mode = "audit_event"

An audit-event name can be up to 15 bytes long; longer names are rejected. Valid access modes are read (r), write (w), and execute (x) modes. For directories, search mode is substituted for execute mode.

3) Edit the /etc/security/audit/events file to include the event and the print format for the audit log:
* /var/adm/ras/conslog
CONS_LOG_W = printf " %s "
Format:
* is the comment character
AuditEvent FormatCommand

4) Configure the stream mode commands:
# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -w -t1 -h etpPlrcR > /audit/stream.out &

5) Stop and restart audit:
# audit shutdown
# audit start
6) Generate a test message to the console log:
# echo "Console Log Test" > /var/adm/ras/conslog
7) Check the audit stream log:
# cat /audit/stream.out
event      time                         process  parent   login    real     command        status
---------- ---------------------------- -------- -------- -------- -------- -------------- -----------

CONS_LOG_W Fri Nov 11 19:19:04 2022     17563914 15073664 root     root     ksh            OK          audit object write event detected /var/adm/ras/conslog
CONS_LOG_W Fri Nov 11 19:24:30 2022     18809228 4325820  root     root     rtcd           OK          audit object write event detected /var/adm/ras/conslog
The first entry is the 'echo' test from the ksh shell. The second entry is a message from the PowerSC RTCD daemon. The process and parent columns are the PIDs of the writer and its parent, so a process that repeatedly writes to the console shows up as the same PID recurring with the same command name.
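As an added example (not part of the IBM note), the POSIX shell script below summarises the stream output to answer the note's question directly: it counts CONS_LOG_W records per command and PID and reports the busiest writer. It assumes the stream file uses the "-h etpPlrcR" field order shown above (event, time, process, parent, login, real, command, status) and reads a constructed sample in that format.

```shell
#!/bin/sh
# Added example: summarise auditpr stream output (field order from -h etpPlrcR:
# event, time, process, parent, login, real, command, status) to find which
# command and PID write to /var/adm/ras/conslog most often.

# Constructed sample of /audit/stream.out, in the format the note shows.
SAMPLE_STREAM_OUT="${TMPDIR:-/tmp}/stream.out.sample.$$"
trap 'rm -f "$SAMPLE_STREAM_OUT"' EXIT
cat > "$SAMPLE_STREAM_OUT" <<'EOF'
event      time                         process  parent   login    real     command        status
---------- ---------------------------- -------- -------- -------- -------- -------------- -----------

CONS_LOG_W Fri Nov 11 19:19:04 2022     17563914 15073664 root     root     ksh            OK          audit object write event detected /var/adm/ras/conslog
CONS_LOG_W Fri Nov 11 19:24:30 2022     18809228 4325820  root     root     rtcd           OK          audit object write event detected /var/adm/ras/conslog
CONS_LOG_W Fri Nov 11 19:25:02 2022     18809228 4325820  root     root     rtcd           OK          audit object write event detected /var/adm/ras/conslog
EOF

# cons_log_writers FILE [EVENT]
# Prints "count command pid real_user" lines, most frequent writer first.
# The event name defaults to CONS_LOG_W, the name used in the objects file above.
cons_log_writers() {
    file=$1
    event=${2:-CONS_LOG_W}
    # Header, separator and blank lines never start with the event name, so the
    # $1 == ev test skips them. The time occupies $2..$6 ("Fri Nov 11 19:19:04 2022"),
    # so process is $7, parent $8, login $9, real $10, command $11, status $12.
    awk -v ev="$event" '
        $1 == ev {
            pid = $7; real = $10; cmd = $11
            key = cmd " " pid " " real
            count[key]++
        }
        END {
            for (k in count) print count[k], k
        }' "$file" | sort -rn
}

# top_cons_log_writer FILE
# Prints only the command name of the busiest writer.
top_cons_log_writer() {
    cons_log_writers "$1" | head -n 1 | awk '{print $2}'
}

# Report for the sample: rtcd (PID 18809228) wrote twice, ksh once.
cons_log_writers "$SAMPLE_STREAM_OUT"
```

Against a live /audit/stream.out, run cons_log_writers on that path instead of the sample; a process that floods the console stands out as a high count for one PID.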

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community: https://www.ibm.com/mysupport
   - If you require telephone support, see the web page: https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
25 May 2023

UID

ibm16838969