IBM Support

AIX AUDIT: How to monitor permission changes

How To


Summary

You can use AIX Auditing to monitor permission changes.

Objective

Demonstrate a method to quickly check for permission changes, by monitoring the FILE_Mode event.

See AIX AUDIT: How to monitor file events to learn about other file events.

Note: This example:

  1. Does not cover log management, or other audit configuration details.
  2. Assumes the "/audit" file system exists.  See the "Support" section in this note for references.
  3. Uses the "stream" mode for demonstration. The bin mode is recommended for long-term audit collection.
  4. Only tracks the FILE_Mode and FILE_Owner events created by the chmod and chown commands. If file permissions are changed by file replacements (for example, tar extraction, or file moving methods), you need to extend auditing to capture other events.
  5. Uses auditselect to filter for the chown and chmod events.

User or system call   Audit event   Description
chmod                 FILE_Mode     Changes file mode.
chown                 FILE_Owner    Changes file ownership.

Steps

1) Modify config:start options.
# vi /etc/security/audit/config
start:
    binmode = off
    streammode = on
    ignorenonexistentity = no
2) Define the 'myMode' class in config:classes.
classes:
     myMode = FILE_Mode,FILE_Owner
3) Add 'myMode' class to config:users.
users:
     default = myMode
** You can specify a user ID, or enter 'default' to log these events for all users. However, if a user has an assigned class, the default class will not be applied to that user.
users:
     root=general (myMode is NOT applied for root)
     default = myMode
   
4) Configure the stream mode commands.
   - The auditselect command is used to filter for the chown or chmod commands. Customize or remove the filter to suit your requirements.
# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream |  /usr/sbin/auditselect -e "command==chown || command==chmod" |auditpr -htpPlrceR -w > /audit/stream.out &

5) Stop and restart audit.
# audit shutdown
# audit start
6) Now test the chmod and chown commands.
   - In this example, we use the default permissions and ownership for /dev/null. Permissions should not change, but the commands will still be logged by audit.
chmod 666 /dev/null; chown root.system /dev/null; su - userA -c "chown root.system /dev/null; chmod 666 /dev/null; "
7) Check the audit stream log.
# cat /audit/stream.out
time                     process  parent   login    real     command      event       status
------------------------ -------- -------- -------- -------- ---------------- ------- -----------
Mon Aug 26 12:47:50 2024 13631878 10682708 root     root     chmod        FILE_Mode       OK                  mode: 666 filename /dev/null
Mon Aug 26 12:47:50 2024 13631880 10682708 root     root     chown        FILE_Owner      OK                  owner: 0 group: 0 filename /dev/null
Mon Aug 26 12:47:51 2024 13304100 13631882 root     userA    chown        FILE_Owner      FAIL_PRIV           owner: 0 group: 0 filename /dev/null
Mon Aug 26 12:47:51 2024 13304102 13631882 root     userA    chmod        FILE_Mode       FAIL_PRIV           mode: 666 filename /dev/null
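The stream log above is easy to triage with POSIX sh and awk. The script below is an added example, not part of the IBM note: it assumes the one-record-per-line layout produced by the streamcmds entry in step 4 (five date words, process, parent, login, real user, command, event, status, then the detail), and it flags any FILE_Mode or FILE_Owner record that failed (for example FAIL_PRIV) or that left a file world-writable. The sample records are constructed, modelled on the output in step 7.

```shell
#!/bin/sh
# Added example (not from the IBM note): triage an auditpr stream log for
# permission and ownership changes worth a second look.

# audit_alerts LOGFILE: print one ALERT line per FILE_Mode/FILE_Owner record
# that did not succeed (e.g. FAIL_PRIV: a user tried to change a file it does
# not own) or that succeeded and left the file world-writable.
audit_alerts() {
    awk '$11 ~ /^FILE_(Mode|Owner)$/ {
        when = $1 " " $2 " " $3 " " $4 " " $5
        i = index($0, "filename ")
        path = (i > 0) ? substr($0, i + 9) : "?"
        reason = ""
        if ($12 != "OK") {
            reason = $12
        } else if ($11 == "FILE_Mode" && $13 == "mode:") {
            # "mode: NNN": world-writable if the last octal digit has bit 2 set
            o = substr($14, length($14), 1) + 0
            if (int(o / 2) % 2 == 1) reason = "WORLD_WRITABLE " $14
        }
        if (reason != "")
            printf "ALERT %s real=%s login=%s cmd=%s file=%s time=%s\n",
                   reason, $9, $8, $10, path, when
    }' "$1"
}

# audit_alert_count LOGFILE: number of ALERT lines (useful as a threshold).
audit_alert_count() {
    audit_alerts "$1" | wc -l | tr -d ' '
}

# write_sample_log PATH: constructed records in the step 7 layout (not real
# audit data) so the functions can be exercised offline.
write_sample_log() {
    cat > "$1" <<'EOF'
time                     process  parent   login    real     command      event       status
------------------------ -------- -------- -------- -------- ---------------- ------- -----------
Mon Aug 26 12:47:50 2024 13631878 10682708 root     root     chmod        FILE_Mode       OK                  mode: 666 filename /dev/null
Mon Aug 26 12:47:50 2024 13631880 10682708 root     root     chown        FILE_Owner      OK                  owner: 0 group: 0 filename /dev/null
Mon Aug 26 12:47:51 2024 13304100 13631882 root     userA    chown        FILE_Owner      FAIL_PRIV           owner: 0 group: 0 filename /dev/null
Mon Aug 26 12:47:51 2024 13304102 13631882 root     userA    chmod        FILE_Mode       FAIL_PRIV           mode: 666 filename /dev/null
Mon Aug 26 12:48:02 2024 13304110 13631882 root     userA    chmod        FILE_Mode       OK                  mode: 777 filename /home/userA/script.sh
Mon Aug 26 12:48:05 2024 13304112 13631882 root     userA    chmod        FILE_Mode       OK                  mode: 2775 filename /home/userA/bin
EOF
}
```

On a live system point audit_alerts at /audit/stream.out; the chmod 666 on /dev/null that the note's own test issues is reported as WORLD_WRITABLE, which is expected for that device.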
Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   -For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   -If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.


5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
26 August 2024

UID

ibm17086054