IBM Support

AIX AUDIT: How to monitor file events

How To


Summary

You can use AIX Auditing to monitor file operations.

Objective

Demonstrate the file events used by audit.

Note: This example:

  1. Does not cover log management or other audit configuration details.
  2. Assumes the "/audit" file system exists. See the "Support" section in this note for references.
  3. Uses the "stream" mode for demonstration. The bin mode is recommended for long-term audit collection.
  4. Logs events from the /etc/security/audit/config "file" class:

  User or system call   Audit event   Description
  -------------------   -----------   -----------------------------------------------------------------
  read                  FILE_Read     Reads data from the file descriptor. (This will NOT report the file name.)
  write                 FILE_Write    Writes data to the file descriptor. (This will NOT report the file name.)
  close                 FILE_Close    Closes the open file descriptor. (This will NOT report the file name.)
  link                  FILE_Link     Creates a new directory entry for a file system object.
  unlink                FILE_Unlink   Removes a file system object.
  rename                FILE_Rename   Changes the name of a file system object.
  chown                 FILE_Owner    Changes file ownership.
  chmod                 FILE_Mode     Changes file mode.

Steps

1) Modify config:start options 

# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
2) Add 'files' class to config:users:
users:
     default = myfiles
** You can specify a user ID, or enter 'default' to log these events for all users.
   
3) Configure the stream mode commands:
# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -htpPrceR -w > /audit/stream.out &

4) Stop and restart audit:
# audit shutdown
# audit start
5) Now test some file operations:
cd /tmp
echo hello > /tmp/a.out
perl -pi.bak -e 's/hello/goodbye/g' /tmp/a.out
mv /tmp/a.out /tmp/b.out
ln -sf /tmp/b.out /tmp/a.out
unlink /tmp/a.out
chown bin.bin /tmp/b.out
chmod 700 /tmp/b.out
rm /tmp/b.out
rm a.out.bak
6) Check the audit stream log:
# cat /audit/stream.out
time                     process  parent   real     command          event           status
------------------------ -------- -------- -------- ------------------------------- -------- -----------
Wed Nov 22 13:50:14 2023 18743714 13762900 root     ksh              FILE_Open       OK      flags: 67109633 mode: 640 fd: 3 filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760662 18743714 root     perl5.34.1       FILE_Open       OK      flags: 67108864 mode: 0 fd: 3 filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760664 18743714 root     mv               FILE_Rename     OK      frompath: /tmp/a.out topath: /tmp/b.out
Wed Nov 22 13:50:14 2023 17760668 18743714 root     unlink           FILE_Unlink     OK      filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760670 18743714 root     chown            FILE_Owner      OK      owner: 2 group: 2 filename /tmp/b.out
Wed Nov 22 13:50:14 2023 15532324 18743714 root     chmod            FILE_Mode       OK      mode: 700 filename /tmp/b.out
Wed Nov 22 13:50:14 2023 15532326 18743714 root     rm               FILE_Unlink     OK      filename /tmp/b.out
Wed Nov 22 13:50:15 2023 15991160 18743714 root     rm               FILE_Unlink     OK      filename a.out.bak

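The stream log above is easy to read by eye for a handful of records, but in practice /audit/stream.out is reviewed by a script. The following POSIX sh script is an added example (not part of this IBM note and not an IBM tool): it normalizes auditpr records in the column layout shown above (time, process, parent, real user, command, event, status, then the event-specific tail) into tab-separated lines, and then flags the events that change or remove a file under a watched path prefix (FILE_Owner, FILE_Mode, FILE_Unlink, FILE_Rename). FILE_Open is reported but not flagged, and FILE_Read/FILE_Write/FILE_Close are not handled at all because, as the table notes, they carry only a file descriptor and no file name. The sample records are constructed here from the page's output; the final record with status FAIL is a constructed failed unlink, and the literal FAIL token is an assumption about how auditpr prints a failed event.

```shell
#!/bin/sh
# Constructed sample of auditpr stream output (header lines plus one record
# per line), modelled on the records shown in the note. The last record
# (status FAIL, path /tmp/missing) is constructed and not from a live system.
SAMPLE_STREAM='time                     process  parent   real     command          event           status
------------------------ -------- -------- -------- ------------------------------- -------- -----------
Wed Nov 22 13:50:14 2023 18743714 13762900 root     ksh              FILE_Open       OK      flags: 67109633 mode: 640 fd: 3 filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760664 18743714 root     mv               FILE_Rename     OK      frompath: /tmp/a.out topath: /tmp/b.out
Wed Nov 22 13:50:14 2023 17760668 18743714 root     unlink           FILE_Unlink     OK      filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760670 18743714 root     chown            FILE_Owner      OK      owner: 2 group: 2 filename /tmp/b.out
Wed Nov 22 13:50:14 2023 15532324 18743714 root     chmod            FILE_Mode       OK      mode: 700 filename /tmp/b.out
Wed Nov 22 13:50:14 2023 15532326 18743714 root     rm               FILE_Unlink     OK      filename /tmp/b.out
Wed Nov 22 13:50:15 2023 15991160 18743714 root     rm               FILE_Unlink     FAIL    filename /tmp/missing'

# audit_file_events: read auditpr stream records on stdin, emit one
# tab-separated line per record: time, pid, real user, command, event,
# status, path. Header and separator lines are skipped because every real
# record starts with a weekday name. A rename is emitted as "from -> to";
# records without a file name (FILE_Read/Write/Close) would get "-".
audit_file_events() {
    awk '
    $1 !~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/ { next }
    {
        ts  = $1 " " $2 " " $3 " " $4 " " $5
        pid = $6; real = $8; cmd = $9; ev = $10; st = $11
        path = "-"
        for (i = 12; i <= NF; i++) {
            if ($i == "filename")  path = $(i + 1)
            if ($i == "frompath:") path = $(i + 1) " -> " $(i + 3)
        }
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", ts, pid, real, cmd, ev, st, path
    }'
}

# audit_file_alerts PREFIX: read normalized lines on stdin and print an ALERT
# for each ownership, mode, unlink or rename event whose path (either side
# of a rename) starts with PREFIX. Failed attempts are reported too, with
# their status, since a denied change is still worth a look.
audit_file_alerts() {
    awk -F'\t' -v prefix="$1" '
    $5 == "FILE_Owner" || $5 == "FILE_Mode" || $5 == "FILE_Unlink" || $5 == "FILE_Rename" {
        n = split($7, parts, " -> ")
        for (i = 1; i <= n; i++) {
            if (index(parts[i], prefix) == 1) {
                printf "ALERT %s by %s (%s) status=%s %s\n", $5, $3, $4, $6, $7
                break
            }
        }
    }'
}

# Stand-alone run: show every change under /tmp from the constructed sample.
printf '%s\n' "$SAMPLE_STREAM" | audit_file_events | audit_file_alerts /tmp
```

On a live system the same functions read the stream directly, for example `tail -f /audit/stream.out | audit_file_events | audit_file_alerts /etc/security`, so that ownership or mode changes under a sensitive tree surface as they happen rather than at the next log review.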

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, fee-based services are available.

If you require usage assistance, use the following step-by-step instructions to contact IBM and open a case for software with an active and valid support contract.
 

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

 

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
30 November 2023

UID

ibm17081882