IBM Support

AIX AUDIT: Using PROC_Execute to identify failed login sources

How To


Summary

A user ID shows repeated failed logins after a password change. The who command does not identify the originating device, but the administrator suspects a database connection that is still using the old password. This document demonstrates how to audit PROC_Execute events so that the command line behind the failed login is recorded alongside the USER_Login failure.

Steps

The test example:
  • Logs two predefined events: PROC_Execute (process execution, including the argument list) and USER_Login (login attempts and their status)
  • Adds /etc/security/failedlogin to the objects file, so each write to the failed-login record is audited as a custom event
     
Note: The example does not cover log management or other audit configuration details. It assumes the "/audit" file system exists and uses stream mode so that events can be read as they arrive. Read the "Support" section in this note for further technical references.
1) Go to the audit configuration directory:
# cd /etc/security/audit

2) Modify config:start options:
# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
3) Modify config:class: (Add new failCheck stanza to classes)
classes: <...>    
failCheck = USER_Login,PROC_Execute
4) Add 'failCheck' class to config:users:
users:
     default = failCheck
Note: To audit only a specific user, replace 'default' with that user ID (for example, ldapdb2 = failCheck). 'default' applies the class to every user on the system.
   
5) Add the 'failedlogin' file to objects:
/etc/security/failedlogin:
        w = "S_FAILED_WRITE"
 
6) Add the "S_FAILED_WRITE" event to the events file:
S_FAILED_WRITE = printf "%s"
 
7) Configure the stream mode commands:
# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -htpPrceR -w > /audit/stream.out &

8) Stop and restart audit:
# audit shutdown
# audit start
9) Reproduce the failed logins:

9.1 Attempt an ssh login as the user with an incorrect password.
9.2 Attempt a db2 connection with an incorrect password:
. /home/ldapdb2/sqllib/db2profile
db2 connect to ldapdb2 user ldapdb2 using badPassword


 
10) Check the audit stream log:
# cat /audit/stream.out
(Note: The "time" column was removed from this example.)
process  parent   real  command  event           status
-------- -------- ----- -------- --------------- ------------ -----------------------------------
11993496 14090580 root  sshd     USER_Login      FAIL_AUTH    user: ldapdb2 tty: ssh
 
11993496 14090580 root  sshd     S_FAILED_WRITE  OK           audit object write event detected
                  /etc/security/failedlogin

11993500 13959552 root  db2      PROC_Execute    OK           euid: 0 egid: 0 epriv:
                  ffffffff:ffffffff name db2 connect to ldapdb2 user ldapdb2 using badPassword

7078192  8519956  root  db2sysc  S_PASSWD_READ   OK           audit object read event detected
                  /etc/security/passwd
 
7078192  8519956  root  db2sysc  USER_Login      FAIL_AUTH    user: ldapdb2 tty:
 
7078192  8519956  root  db2sysc  S_FAILED_WRITE  OK           audit object write event detected
                  /etc/security/failedlogin
The sshd and db2sysc daemons each log a FAIL_AUTH entry for USER_Login. The sshd entry carries "tty: ssh", while the db2sysc entry has no tty at all, which is why the who command shows no device for it. The PROC_Execute event records the db2 connect command line, including the user name, and so identifies the source of the failed logins.

Two points to keep in mind before enabling this on a production system. First, PROC_Execute captures the full argument list, so the incorrect password ("badPassword") is written to the audit trail in cleartext; the stream output in /audit must be protected as sensitive data, and passwords are better supplied through the application's own prompt than on the command line. Second, with "default = failCheck" every process execution by every user is audited, which produces a large volume of events; limit the users stanza to the ID under investigation where possible.
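To turn a stream log like the one above into a short report, the following POSIX shell script is offered as an added example; it is not part of the IBM note and not an IBM tool. It re-joins wrapped trail lines, lists every FAIL_AUTH USER_Login with the daemon that recorded it and its tty, and, for failures that carry no tty (the case where who shows nothing), prints the PROC_Execute command lines that name the same user. The sample log lines are constructed from the listing above with one extra unrelated PROC_Execute record; the awk field positions assume the time column is absent, as in that listing, so adjust them to the -h field order in your own streamcmds. The masking rule assumes the db2 CLP "using <password>" syntax used in step 9.2 and exists so the cleartext password is not copied out of the audit log into the report.

```shell
#!/bin/sh
# Added example (not from the IBM page): summarize failed USER_Login events in
# an auditpr stream log and show PROC_Execute command lines naming the user.
# Field layout follows the article's listing (time column omitted):
#   process parent real command event status trail...

# Constructed sample in the article's layout; wrapped trail text continues on
# lines that begin with whitespace, as in the listing on the page.
SAMPLE_LOG='11993496 14090580 root  sshd    USER_Login      FAIL_AUTH    user: ldapdb2 tty: ssh
11993496 14090580 root  sshd    S_FAILED_WRITE  OK           audit object write event detected
                  /etc/security/failedlogin
11993500 13959552 root  db2     PROC_Execute    OK           euid: 0 egid: 0 epriv:
                 ffffffff:ffffffff name db2 connect to ldapdb2 user ldapdb2 using badPassword
7078192  8519956  root  db2sysc S_PASSWD_READ   OK           audit object read event detected
                 /etc/security/passwd
7078192  8519956  root  db2sysc USER_Login      FAIL_AUTH    user: ldapdb2 tty:
7078192  8519956  root  db2sysc S_FAILED_WRITE  OK           audit object write event detected
                /etc/security/failedlogin
9000001  9000000  root  ksh     PROC_Execute    OK           euid: 0 egid: 0 epriv:
                 ffffffff:ffffffff name ls -l /audit'

# Re-join wrapped trail lines (leading whitespace) onto the record they belong to.
join_records() {
  awk '
    /^[ \t]/ { sub(/^[ \t]+/, " "); rec = rec $0; next }
             { if (rec != "") print rec; rec = $0 }
    END      { if (rec != "") print rec }
  '
}

# One line per failed login: user, the daemon that recorded it, and the tty
# ("-" when the daemon left it empty, as db2sysc does for a local connect).
failed_logins() {
  join_records | awk '
    $5 == "USER_Login" && $6 == "FAIL_AUTH" {
      user = "?"; tty = "-"
      for (i = 7; i <= NF; i++) {
        if ($i == "user:" && i < NF) user = $(i + 1)
        if ($i == "tty:"  && i < NF) tty  = $(i + 1)
      }
      printf "user=%s via=%s tty=%s\n", user, $4, tty
    }
  '
}

# PROC_Execute command lines whose argument list contains the user as a whole
# word (exact token match, no regex built from user input). The token after
# "using" (db2 CLP password syntax) is masked before anything is printed.
exec_sources_for() {
  join_records | awk -v u="$1" '
    $5 == "PROC_Execute" {
      at = index($0, " name ")
      if (at == 0) next
      cmd = substr($0, at + 6)
      n = split(cmd, w, /[ \t]+/); hit = 0
      for (i = 1; i <= n; i++) if (w[i] == u) hit = 1
      if (!hit) next
      gsub(/using [^ \t]+/, "using ****", cmd)
      print cmd
    }
  '
}

# Full report over the sample: every failure, plus candidate command lines for
# failures that have no tty (the situation where who(1) shows no device).
report() {
  printf '%s\n' "$SAMPLE_LOG" | failed_logins | while IFS= read -r line; do
    printf '%s\n' "$line"
    case "$line" in
      *" tty=-")
        u=${line#user=}; u=${u%% *}
        printf '%s\n' "$SAMPLE_LOG" | exec_sources_for "$u" | sed 's/^/  source: /'
        ;;
    esac
  done
}

report
```

On a live system, replace the embedded sample with "cat /audit/stream.out | failed_logins" and the matching exec_sources_for call; the functions read standard input, so they also work on a file saved from the stream.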

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functions on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
18 September 2023

UID

ibm17034043