How To
Summary
You can use AIX Auditing to monitor file operations.
Objective
Demonstrate the file events used by audit.
Note: This example:
- Does not cover log management, or other audit configuration details.
- Assumes the "/audit" file system exists. See the "Support" section in this note for references.
- Uses the "stream" mode for demonstration. The bin mode is recommended for long-term audit collection.
- Logs events from the /etc/security/audit/config "file" class
- Reference: IBM Documentation Audit events
User or system call | Audit event | Description |
---|---|---|
read | FILE_Read | Reads data from the file descriptor. (This will NOT report the file name) |
write | FILE_Write | Writes data to the file descriptor. (This will NOT report the file name) |
close | FILE_Close | Closes the open file descriptor. (This will NOT report the file name) |
link | FILE_Link | Creates new directory entry for a file system object. |
unlink | FILE_Unlink | Removes a file system object. |
rename | FILE_Rename | Changes the name of a file system object. |
chown | FILE_Owner | Changes file ownership. |
chmod | FILE_Mode | Changes file mode. |
Steps
1) Modify config:start options
# vi /etc/security/audit/config
start:
binmode = off streammode = on ignorenonexistentity = no |
users:
default = myfiles ** You can specify a user ID, or enter 'default' to log these events for all users.
|
# vi /etc/security/audit/streamcmds:
/usr/sbin/auditstream | auditpr -htpPrceR -w > /audit/stream.out &
|
4) Stop and restart audit:
# audit shutdown
# audit start |
cd /tmp
echo hello > /tmp/a.out perl -pi.bak -e 's/hello/goodbye/g' /tmp/a.out mv /tmp/a.out /tmp/b.out ln -sf /tmp/b.out /tmp/a.out unlink /tmp/a.out chown bin.bin /tmp/b.out chmod 700 /tmp/b.out rm /tmp/b.out rm a.out.bak |
# cat /audit/stream.out
time process parent real command event status
------------------------ -------- -------- -------- ------------------------------- -------- ----------- Wed Nov 22 13:50:14 2023 18743714 13762900 root ksh FILE_Open OK flags: 67109633 mode: 640 fd: 3 filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760662 18743714 root perl5.34.1 FILE_Open OK flags: 67108864 mode: 0 fd: 3 filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760664 18743714 root mv FILE_Rename OK frompath: /tmp/a.out topath: /tmp/b.out
Wed Nov 22 13:50:14 2023 17760668 18743714 root unlink FILE_Unlink OK filename /tmp/a.out
Wed Nov 22 13:50:14 2023 17760670 18743714 root chown FILE_Owner OK owner: 2 group: 2 filename /tmp/b.out
Wed Nov 22 13:50:14 2023 15532324 18743714 root chmod FILE_Mode OK mode: 700 filename /tmp/b.out
Wed Nov 22 13:50:14 2023 15532326 18743714 root rm FILE_Unlink OK filename /tmp/b.out
Wed Nov 22 13:50:15 2023 15991160 18743714 root rm FILE_Unlink OK filename a.out.bak
|
Additional Information
SUPPORT |
---|
Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.
You can learn more about the audit functionality on AIX and best practices through the following resources:
If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist. If you require consulting services, there are more fee-based services available.
If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.
1. Document (or collect screen captures of) all symptoms, errors, and messages related to your issue. 2. Capture any logs or data relevant to the situation. 3. Contact IBM to open a case: -For electronic support, see the IBM Support Community: 4. Provide a clear, concise description of the issue. - For guidance, see: Working with IBM AIX Support: Describing the problem
5. If the system is accessible, collect a system snap, and upload all of the details and data for your case. - For guidance, see: Working with IBM AIX Support: Collecting snap data |
Related Information
Was this topic helpful?
Document Information
Modified date:
30 November 2023
UID
ibm17081882