AIX AUDIT: How can I monitor who killed a process?

How To


Summary

You can use AIX Auditing to monitor when processes are killed with the PROC_Kill or SRC_Stop events.

Objective

In this example, a sleep process and the sshd daemon were killed on Friday May 17, 2024, between 07:00:00 and 08:00:00. The example shows how to configure the audit daemon so that the audit trail identifies who killed the processes.

Environment

The following class is defined in /etc/security/audit/config (class definitions belong in the classes: stanza):

start:
        binmode = on

classes:
myProc = USER_Login,PROC_Execute,PROC_Kill,SRC_Stop,SRC_Start

The class is assigned to all users:

users:
        default = myProc

The audit daemon is running:

audit query | grep auditing
--> auditing on
ps -ef | grep audit | egrep "auditbin|auditstream"
--> root 15008120        1   0 18:07:27      -  0:00 auditbin
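As an added check that is not part of the IBM article, the following shell function parses a config file written in the stanza layout above and confirms that the class named in the users: default entry includes both PROC_Kill and SRC_Stop, so that kills and SRC stops are captured for every user. SAMPLE_CONFIG and WEAK_CONFIG are constructed samples, and the function name is my own; on a live system run it as kill_events_audited < /etc/security/audit/config.

```shell
#!/bin/sh
# Added example, not code from the IBM page: verify that an
# /etc/security/audit/config stanza file (a) defines a class containing the
# events needed to see process kills (PROC_Kill and SRC_Stop) and (b) assigns
# that class as the users: default, so every user is covered.

# Constructed sample in the stanza layout shown above.
SAMPLE_CONFIG='start:
        binmode = on

classes:
myProc = USER_Login,PROC_Execute,PROC_Kill,SRC_Stop,SRC_Start

users:
        default = myProc'

# Constructed sample with the kill events left out of the class.
WEAK_CONFIG='classes:
myProc = USER_Login,PROC_Execute

users:
        default = myProc'

# kill_events_audited < config
# Prints "ok: <class>" and exits 0 when the default class audits both events;
# otherwise prints what is missing and exits 1.
kill_events_audited() {
    awk '
    # A line such as "classes:" or "users:" opens a new stanza.
    /^[A-Za-z]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
    # Inside classes:, "name = ev1,ev2,..." defines a class.
    stanza == "classes" && /=/ {
        val = $0; sub(/^[ \t]*[^ \t=]+[ \t]*=[ \t]*/, "", val)
        classes[$1] = "," val ","    # pad so ",PROC_Kill," only matches whole names
    }
    # Inside users:, "default = class[,class...]" applies to everyone not listed.
    stanza == "users" && $1 == "default" { def = $3 }
    END {
        if (def == "") { print "missing: users default entry"; exit 1 }
        n = split(def, dl, ",")
        have_kill = 0; have_stop = 0
        for (i = 1; i <= n; i++) {
            if (!(dl[i] in classes)) { print "missing: class " dl[i] " is not defined"; exit 1 }
            if (index(classes[dl[i]], ",PROC_Kill,")) have_kill = 1
            if (index(classes[dl[i]], ",SRC_Stop,")) have_stop = 1
        }
        if (!have_kill) { print "missing: PROC_Kill not in default class " def; exit 1 }
        if (!have_stop) { print "missing: SRC_Stop not in default class " def; exit 1 }
        print "ok: " def
    }'
}

# Run both constructed samples when executed directly.
printf '%s\n' "$SAMPLE_CONFIG" | kill_events_audited
printf '%s\n' "$WEAK_CONFIG" | kill_events_audited || echo "(the weak config fails the check, as intended)"
```

The check only reads the users: default entry; a per-user line in users: that names a different class would override the default for that user, so on a real system review those entries too.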

Steps

1) As root, start the sleep command in the background:
sleep 9999 &
2) Log in as the non-root user userA, switch to root, and kill the processes:
su - root
kill -9 <PID of sleep>
stopsrc -s sshd
startsrc -s sshd
3) Log in as root in a new terminal session and repeat the same actions:
stopsrc -s sshd
startsrc -s sshd
sleep 9999 &
kill -9 <PID of sleep>
4) This example uses bin mode, so the audit daemon must be stopped before the bin1 and bin2 files are written to /audit/trail:
audit shutdown
# Restart the audit daemon if required
audit start
5) Use auditselect to filter the trail by date, time, command, and other fields, and auditpr to format the selected records:
/usr/sbin/auditselect -m -e "date == 05/17/24 && time >= 07:00:00 && time <= 08:00:00 && command != logger && command != auditstream && command != audit && command != auditpr && command != auditselect && command != auditcat" /audit/trail | auditpr -htpPlrceR -w
TIP: If you use stream mode, use the following in /etc/security/audit/streamcmds:
/usr/sbin/auditselect -m -e "command != logger && command != auditstream && command != audit && command != auditpr && command != auditselect && command != auditcat" /audit/trail | auditpr -htpPlrceR -w > /audit/stream.out &
# Then examine /audit/stream.out, searching for the date and time range.
grep "May 17" /audit/stream.out | awk -v year="2024" -v start="07:00:00" -v end="08:00:00" '$5 == year && $4 >= start && $4 <= end'
The following related calls are reported:
time                     process  parent   login    real     command    event           status
------------------------ -------- -------- -------- -------- ---------- --------------- -----------
Fri May 17 07:47:41 2024 17105234 15925754 root     root     sleep      PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sleep 9999

userA logs in here:
Fri May 17 07:47:48 2024 15008040 16777514 userA    userA    ksh        PROC_Execute    OK   euid: 88 egid: 1 epriv: 0:0 name -ksh
Fri May 17 07:47:48 2024 16974266 9372022  root     root     sshd       USER_Login      OK   user: userA tty: /dev/pts/0
Fri May 17 07:47:48 2024 16974266 9372022  root     root     sshd       USER_Login      OK   user: userA tty: ssh

userA switches to root (su) here:
Fri May 17 07:47:54 2024 17170924 15008040 userA    userA    su         PROC_Execute    OK   euid: 88 egid: 1 epriv: 0:0 name su -

The root shell is invoked, but the login user is still "userA" (the login column records the user who authenticated, the real column the identity the process is now running under):
Fri May 17 07:47:57 2024 17170924 15008040 userA    root     ksh        PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name -ksh
Fri May 17 07:47:58 2024 13697310 14942528 root     root     sh         PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sh -c

As root via su, userA kills the sleep process here; the login column still identifies userA as the actor:
Fri May 17 07:48:05 2024 17170924 15008040 userA    root     ksh        PROC_Kill       OK   pid: 17105234, sig: 9

As root via su, userA runs stopsrc to stop the sshd daemon:
Fri May 17 07:48:11 2024 13959464 17170924 userA    root     stopsrc    PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name stopsrc -s sshd

The PROC_Kill is sent by root: srcmstr, not userA's shell, delivers the signal, so this record carries login root. To attribute the stop to userA, correlate it with the stopsrc PROC_Execute record at the same timestamp:
Fri May 17 07:48:11 2024 3932630  1        root     root     srcmstr    PROC_Kill       OK   pid: 9372022, sig: 15

The SRC_Stop is likewise recorded by srcmstr as root:
Fri May 17 07:48:11 2024 3932630  1        root     root     srcmstr    SRC_Stop        OK   sshd

sshd is restarted:
Fri May 17 07:48:14 2024 13959466 3932630  root     root     sshd       PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/sbin/sshd -D
Fri May 17 07:48:14 2024 14090718 14942528 root     root     sh         PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sh -c
Fri May 17 07:48:14 2024 3932630  1        root     root     srcmstr    SRC_Start       OK   sshd
Fri May 17 07:48:14 2024 9372024  17170924 userA    root     startsrc   PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name startsrc -s sshd
Fri May 17 07:48:33 2024 9372030  13959466 root     root     sshd       PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/sbin/sshd -D -R

The root user logs in here:
Fri May 17 07:48:38 2024 9372030  13959466 root     root     sshd       USER_Login      OK   user: root tty: ssh
Fri May 17 07:48:39 2024 14156280 14942528 root     root     sh         PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sh -c

The root shell is started:
Fri May 17 07:48:39 2024 17039740 9372030  root     root     ksh        PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name -ksh
Fri May 17 07:48:39 2024 17039740 9372030  root     root     sshd       USER_Login      OK   user: root tty: /dev/pts/1
Fri May 17 07:48:39 2024 9372030  13959466 root     root     sshd       USER_Login      OK   user: root tty: ssh

The root user stops sshd:
Fri May 17 07:48:44 2024 17432952 17039740 root     root     stopsrc    PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name stopsrc -s sshd
Fri May 17 07:48:44 2024 3932630  1        root     root     srcmstr    PROC_Kill       OK   pid: 13959466, sig: 15
Fri May 17 07:48:44 2024 3932630  1        root     root     srcmstr    SRC_Stop        OK   sshd
Fri May 17 07:48:47 2024 13959468 3932630  root     root     sshd       PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name /usr/sbin/sshd -D
Fri May 17 07:48:47 2024 14549360 14942528 root     root     sh         PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sh -c

The root user restarts sshd:
Fri May 17 07:48:47 2024 17432954 17039740 root     root     startsrc   PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name startsrc -s sshd
Fri May 17 07:48:47 2024 3932630  1        root     root     srcmstr    SRC_Start       OK   sshd

The root user starts a sleep process:
Fri May 17 07:49:06 2024 15401352 17039740 root     root     sleep      PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sleep 9999

The root user kills the sleep process:
Fri May 17 07:49:11 2024 17039740 9372030  root     root     ksh        PROC_Kill       OK   pid: 15401352, sig: 9

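Added example, not part of the IBM article: a shell function that reads an auditpr report in the column layout shown above and, for every PROC_Kill inside a time window, prints the login and real user who sent the signal, the command it was sent from, and what the killed PID was running, taken from that PID's earlier PROC_Execute record. The SAMPLE_REPORT lines are copied from the report above; the function name and output format are my own. A kill performed by srcmstr is still reported with login root, so attributing an SRC stop to a user means looking at the stopsrc PROC_Execute record just before it, as the report above shows.

```shell
#!/bin/sh
# Added example (not from the IBM page): attribute PROC_Kill events in an
# auditpr report to the login user who sent the signal and to the command the
# killed PID was running, using only the report text.
# Assumes the auditpr -h tpPlrceR column order used on the page: a 5-field
# timestamp, process, parent, login, real, command, event, status, then the
# event-specific detail.

# Constructed sample: records copied from the report above.
SAMPLE_REPORT='Fri May 17 07:47:41 2024 17105234 15925754 root     root     sleep      PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sleep 9999
Fri May 17 07:47:57 2024 17170924 15008040 userA    root     ksh        PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name -ksh
Fri May 17 07:48:05 2024 17170924 15008040 userA    root     ksh        PROC_Kill       OK   pid: 17105234, sig: 9
Fri May 17 07:48:11 2024 3932630  1        root     root     srcmstr    PROC_Kill       OK   pid: 9372022, sig: 15
Fri May 17 07:49:06 2024 15401352 17039740 root     root     sleep      PROC_Execute    OK   euid: 0 egid: 0 epriv: ffffffff:ffffffff name sleep 9999
Fri May 17 07:49:11 2024 17039740 9372030  root     root     ksh        PROC_Kill       OK   pid: 15401352, sig: 9'

# who_killed START END < report
# Prints one line per PROC_Kill whose time falls within [START, END]:
#   <time> login=<login> real=<real> via=<command> killed pid=<pid> (<what it ran>) sig=<n>
who_killed() {
    awk -v start="$1" -v end="$2" '
    # Field map: $1-$5 timestamp, $6 process, $7 parent, $8 login, $9 real,
    # $10 command, $11 event, $12 status, $13.. event-specific detail.
    $11 == "PROC_Execute" {
        # Remember what this PID executed so a later PROC_Kill naming the
        # PID can be described by the command it was running.
        detail = ""
        for (i = 13; i <= NF; i++) detail = detail (i > 13 ? " " : "") $i
        sub(/^.* name /, "", detail)   # keep only the argv shown after "name"
        cmd_of[$6] = detail
    }
    $11 == "PROC_Kill" && $4 >= start && $4 <= end {
        pid = $14; sub(/,$/, "", pid)  # "pid: 17105234," -> "17105234"
        sig = $16
        target = (pid in cmd_of) ? cmd_of[pid] : "unknown: no PROC_Execute record for this pid"
        printf "%s login=%s real=%s via=%s killed pid=%s (%s) sig=%s\n",
               $4, $8, $9, $10, pid, target, sig
    }'
}

# Run against the constructed sample when executed directly. On a live system:
#   auditpr -htpPlrceR -w < /audit/trail | who_killed 07:00:00 08:00:00
printf '%s\n' "$SAMPLE_REPORT" | who_killed 07:00:00 08:00:00
```

The time window is compared as a string, which works because auditpr prints zero-padded HH:MM:SS; if the report spans more than one day, filter on the date first, as the grep in step 5 does.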

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:
 

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

    - For electronic support, see the IBM Support Community:
      https://www.ibm.com/mysupport
    - If you require telephone support, see the web page:
      https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.

5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

    - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
22 May 2024

UID

ibm17153635