Education
Abstract
AHA Event Monitoring does not accommodate file modification monitoring when a file's i-nodes are not preserved
Content
File modification monitoring in AHA is bound to the file's i-node number. Some tools do not rewrite a file in place: they create a temporary file, write the changes there, and then replace the original file with it, so the new file has a different i-node number from the original. From an AHA monitoring perspective the monitored file has been deleted; from an administrative perspective it has merely been edited.
One example is editing a file with the visudo tool. Suppose an AHAFS event is in place to monitor changes to the /etc/sudoers file.
Using the vi editor to modify the file generates the expected log entry:
------------------------------------------------------------------------------------
BEGIN_EVENT_INFO
Time : TIME
Sequence Num : SEQ_NUM
Process ID : PID
User Info : userName=user, loginName=login, groupName=group
Program Name : vi
RC_FROM_EVPROD=1006
END_EVENT_INFO
Email is sent to admin@email
AHAFS event: /aha/fs/modFile.monFactory/etc/sudoers.mon
------------------------------------------------------------------------------------
Now we modify /etc/sudoers using the visudo tool, which creates a temporary file and replaces the original file with it.
The log entry generated is:
------------------------------------------------------------------------------------
BEGIN_EVENT_INFO
Time : TIME
Sequence Num : SEQ_NUM
Process ID : PID
User Info : userName=user, loginName=login, groupName=group
Program Name : visudo
RC_FROM_EVPROD=1003
END_EVENT_INFO
Email is sent to admin@email
The select() returned -1.
The event file "/aha/fs/modFile.monFactory/etc/sudoers.mon" no longer exists! The event object might have been deleted.
------------------------------------------------------------------------------------
In summary, AHAFS event monitoring cannot accommodate file modification monitoring when a tool creates a temporary file and replaces the original: the monitored i-node is gone, so the event file for that path no longer exists and the consumer's select() fails instead of reporting a modification.
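To make the distinction above reproducible outside AIX, here is an added Python example (not from the IBM page, and not an AHAFS consumer): it records a file's i-node the way an i-node based monitor does, then shows that an in-place rewrite (the vi case) keeps the i-node while a write-to-temporary-and-rename (the visudo pattern) yields a new i-node that the original monitor can only report as replaced. The sudoers-like file, its directory and the rearm() step are constructed for this illustration.

```python
import os
import tempfile


def edit_in_place(path, text):
    """Rewrite the file through its existing i-node, as vi does in the first log above."""
    with open(path, "w") as f:
        f.write(text)


def replace_via_temp(path, text):
    """Write a temporary file and rename it over the original, as visudo does.
    The path name is unchanged, but it now refers to a brand-new i-node."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.replace(tmp, path)  # atomic rename; the original i-node is unlinked


class InodeMonitor:
    """Hypothetical stand-in for an i-node bound monitor such as AHAFS modFile."""

    def __init__(self, path):
        self.path = path
        self.rearm()

    def rearm(self):
        """(Re)bind the monitor to whatever i-node the path currently names."""
        st = os.stat(self.path)
        self.inode, self.size, self.mtime = st.st_ino, st.st_size, st.st_mtime_ns

    def check(self):
        """'modified' = same i-node with new content; 'replaced' = the i-node the
        monitor was bound to is gone, which AHAFS reports as a deleted event object."""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return "deleted"
        if st.st_ino != self.inode:
            return "replaced"
        if (st.st_size, st.st_mtime_ns) != (self.size, self.mtime):
            return "modified"
        return "unchanged"


def demo():
    """Run vi-style edit, visudo-style replace, then rearm and edit again."""
    path = os.path.join(tempfile.mkdtemp(), "sudoers")  # constructed sample file
    edit_in_place(path, "root ALL=(ALL) ALL\n")
    mon = InodeMonitor(path)
    results = []
    edit_in_place(path, "root ALL=(ALL) ALL\nadmin ALL=(ALL) ALL\n")
    results.append(mon.check())            # same i-node, new content
    replace_via_temp(path, "root ALL=(ALL) ALL\n")
    results.append(mon.check())            # new i-node: monitor lost the file
    mon.rearm()                            # rebind to the new i-node
    edit_in_place(path, "root ALL=(ALL) ALL\nops ALL=(ALL) ALL\n")
    results.append(mon.check())            # visible again after rearming
    return results
```

Running demo() returns ["modified", "replaced", "modified"]; the middle result is the situation the visudo log above shows, and rearming is the only way the monitor sees the third edit.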
Document Information
Modified date: 25 April 2019
UID: ibm10882442