AIX Security Audit Configuration

To ensure that the Event Manager AIX "out-of-the-box" template can retrieve information from the AIX security audit, you must configure the following files on the AIX server to be monitored.

  • streamcmds
  • config
  • events
  • objects

The specific configuration for each file is shown in the following sections:

  1. Set the streamcmds file:
By default, AIX security audit information is written to a binary file. However, ThinkServer needs the information in a different format. To change the format, process the audit information with the following script:

send_syslog

Create a file named send_syslog in the folder /etc/helpsystems.

Then copy in the following AWK script. It accumulates the output lines of one audit record until it sees the marker word helpsystems, then hands the completed record to logger at priority info:

#!/bin/sh
awk '{
    # Look for the end-of-record marker added to each format string in the events file
    u = match($0, /helpsystems/)
    if (u == 0) {
        # No marker yet: keep accumulating the lines of the current record
        if (vari == "")
            vari = $0
        else
            vari = vari $0
    } else {
        # Marker found: the record is complete, send it to syslog and reset
        vari = vari $0
        print vari | "logger -p info"
        close("logger -p info")
        vari = ""
    }
}'

Give the script file send_syslog sufficient permissions to run.

Finally, replace the contents of the streamcmds file, located at /etc/security/audit/streamcmds, with the following line:

/usr/sbin/auditstream | auditpr -helRtcr -v | /etc/helpsystems/send_syslog &
  2. Set the config file:
This is the configuration file that details which users are audited and to what extent:

/etc/security/audit/config

We recommend auditing the following:

Creation, deletion and modification of users, roles and groups

Password changes

Use of privileges

Operations (creating, deleting, renaming, etc.) on files and directories

Changes to permissions

Changes to system settings (time, audit settings, communications, etc.)

Example audit class named Audited, defined in the classes stanza of the config file:

classes:
        Audited = USER_Create, USER_Remove, USER_Change, USER_SU, USER_Logout,
                  USER_Login, USER_Shell, ROLE_Create, ROLE_Change, ROLE_Remove,
                  FILE_Unlink, FILE_Owner, FILE_Mode, FILE_Rename, FS_Rmdir,
                  FS_Mkdir, PASSWORD_Change, GROUP_Remove, GROUP_Change,
                  GROUP_Create, AUD_It, AUD_Events, AUD_Objects, AUD_Proc,
                  AUD_Bin_Def

The config file also needs to define, in its users stanza, which audit class applies to each audited user. For example:

users:
        root = Audited

This indicates that the root user is audited as defined in the class Audited. You can add more users to this stanza if required.
  3. Events configuration file:
The events file contains the definitions of the audit record formats that auditpr prints:

/etc/security/audit/events

For each audited event that occurs on the AIX system, several lines are written to the AIX syslog. As a result, ThinkServer receives multiple messages for a single audit event. Further configuration is needed to reduce this to a single message per event.

This is done by the AWK script send_syslog defined in the streamcmds file (see Step 1). The script concatenates the lines it receives until it finds the text string helpsystems. At that point it knows the end of the message has been reached and sends the concatenated message to ThinkServer.

For the script to work as intended, the word helpsystems must be added to the end of each format string in the events file.
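The record-joining behaviour described above (the send_syslog script from Step 1 together with the helpsystems marker), as an added example that is not part of the original page or of the HelpSystems product. The function and variable names are my own, the auditpr output lines are constructed, and "logger -p info" is replaced by plain output so the joined records can be inspected:

```shell
#!/bin/sh
# Added example, not part of the original page: the record-joining logic of the
# send_syslog AWK script, with "logger -p info" replaced by plain output so the
# joined records can be inspected. Lines are joined with a single space here;
# the page's script concatenates them with no separator.

# Reads auditpr output on stdin and prints one line per audit record: lines are
# accumulated until one carries the helpsystems marker, which ends the record.
join_audit_records() {
    awk '{
        if (vari == "")
            vari = $0
        else
            vari = vari " " $0
        # The marker added to every events-file format string closes the record
        if (match($0, /helpsystems/) != 0) {
            print vari
            vari = ""
        }
    }'
}

# Constructed sample of what auditpr -helRtcr -v might print for two events
# once the events file carries the helpsystems marker (illustrative only).
SAMPLE_INPUT='USER_Create root OK Mon Jan 01 10:00:00 2024 mkuser
test helpsystems
PROC_Create root OK Mon Jan 01 10:00:01 2024 ksh
forked child process 1234 helpsystems'

# Number of records the sample produces: one per marker line.
count_records() {
    printf '%s\n' "$SAMPLE_INPUT" | join_audit_records | wc -l | tr -d ' '
}

# The first joined record, as it would reach syslog.
first_record() {
    printf '%s\n' "$SAMPLE_INPUT" | join_audit_records | sed -n '1p'
}

# A line without the marker is held back until a marked line arrives. This is
# why a format string that lacks the marker makes records merge or stall.
unterminated_count() {
    printf 'PROC_Delete root OK Mon Jan 01 10:00:02 2024 ksh\n' \
        | join_audit_records | wc -l | tr -d ' '
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INPUT" | join_audit_records
    printf 'records: %s\n' "$(count_records)"
fi
```

Run with --demo to see the two joined records. The unterminated_count case is the one to keep in mind when editing the events file: any format string left without the marker produces a record that is silently glued onto the next one.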
 
Section of the events file with the changes applied (the helpsystems marker added at the end of each format string):

auditpr:
* proc kernel events

* fork()
        PROC_Create = printf "forked child process %d helpsystems"

* exit()
        PROC_Delete = printf "child process exited %d helpsystems"

* exec()
        PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s helpsystems"

* setuidx()
        PROC_RealUID = printf "real uid: %d helpsystems"
        PROC_AuditID = printf "login uid: %d helpsystems"

Most entries in the events file correspond to system functions, such as fork() or exec(). The events file also defines events that are triggered by a particular command. For example, the USER_Create event is associated with the mkuser command, as shown below:

Events file section showing the link between the mkuser command and the USER_Create event:

* mkuser
        USER_Create = printf "%s %s helpsystems"


  4. Objects configuration file:
By default, the AIX security audit records system-level actions, such as login failures or other actions not related to a specific object. It can also audit at the object level. To do this, edit the objects file. This file details which files are audited and whether they are audited for:

Writes only

Reads only

Read and write to any file in the directory.

/etc/security/audit/objects

Add any files you want to audit at the object level and indicate which access you want to audit. See the following examples:

Example of a file audited at the object level for writes

To audit each time a user writes to the user file located in /etc/security/user, create the following entry:

/etc/security/user:
        w = "S_USER_WRITE"

Example of a file audited at the object level for reads

To audit each time a user reads the group file located in /etc/security/group, create the following entry:

/etc/security/group:
        r = "S_GROUP_READ"
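A check worth running after editing the config file (Step 2) and the objects file (Step 4): every event named in the Audited class and every event referenced by an object must be defined in the events file (Step 3), because a misspelled event name is accepted but audits nothing. The following script is an added example, not part of the original page or of the HelpSystems product; the function names are my own and the three file contents are constructed samples, one of which contains a deliberate typo:

```shell
#!/bin/sh
# Added example, not part of the original page: a consistency check for the
# three audit files. Every event named in the Audited class of the config file
# and every event named in the objects file must be defined in the events
# file. The file contents below are constructed samples (note the deliberate
# typo FILE_Unilnk and the undefined S_GROUP_WRITE); on a server, feed the
# real files as shown in the usage note.

# Prints the event names defined in an events file (one per line).
defined_events() {
    awk -F'=' '/^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        name = $1; gsub(/[ \t]/, "", name); print name
    }'
}

# Prints the events listed for class $1 in the classes stanza of a config file.
# Continuation lines (no "=") are treated as part of the preceding class.
class_events() {
    awk -v cls="$1" '
        /^[A-Za-z_]+:/ { stanza = $1; sub(/:$/, "", stanza); inclass = 0; next }
        stanza == "classes" {
            line = $0
            if (index(line, "=") > 0) {
                split(line, kv, "=")
                name = kv[1]; gsub(/[ \t]/, "", name)
                inclass = (name == cls)
                line = kv[2]
            }
            if (inclass) {
                n = split(line, parts, ",")
                for (i = 1; i <= n; i++) {
                    e = parts[i]; gsub(/[ \t]/, "", e)
                    if (e != "") print e
                }
            }
        }'
}

# Prints the event names referenced on the right-hand side of an objects file.
objects_events() {
    awk -F'=' '/=/ { v = $2; gsub(/[ \t"]/, "", v); if (v != "") print v }'
}

# Filters stdin, keeping only names that are not defined in events content $1.
undefined_events() {
    defined=$(printf '%s\n' "$1" | defined_events | tr '\n' ' ')
    awk -v defined="$defined" '
        BEGIN { n = split(defined, d, " "); for (i = 1; i <= n; i++) seen[d[i]] = 1 }
        NF && !($1 in seen) { print $1 }'
}

# check_config CONFIG CLASS EVENTS: members of CLASS missing from EVENTS
check_config() {
    printf '%s\n' "$1" | class_events "$2" | undefined_events "$3"
}

# check_objects OBJECTS EVENTS: object events missing from EVENTS
check_objects() {
    printf '%s\n' "$1" | objects_events | undefined_events "$2"
}

EVENTS_SAMPLE='auditpr:
* mkuser
        USER_Create = printf "%s %s helpsystems"
* rmuser
        USER_Remove = printf "%s %s helpsystems"
* fork()
        PROC_Create = printf "forked child process %d helpsystems"
* object events
        S_USER_WRITE = printf "%s helpsystems"
        S_GROUP_READ = printf "%s helpsystems"'

CONFIG_SAMPLE='classes:
        Audited = USER_Create, USER_Remove, FILE_Unilnk,
                  PROC_Create

users:
        root = Audited'

OBJECTS_SAMPLE='/etc/security/user:
        w = "S_USER_WRITE"
/etc/security/group:
        r = "S_GROUP_READ"
        w = "S_GROUP_WRITE"'

if [ "${1:-}" = "--demo" ]; then
    echo "config: undefined events in class Audited:"
    check_config "$CONFIG_SAMPLE" Audited "$EVENTS_SAMPLE"
    echo "objects: undefined events:"
    check_objects "$OBJECTS_SAMPLE" "$EVENTS_SAMPLE"
fi
```

On the server itself, the same functions can be pointed at the live files, for example check_config "$(cat /etc/security/audit/config)" Audited "$(cat /etc/security/audit/events)"; an empty result means every name resolves to a defined event.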
 
  5. Start the audit:
Once setup is complete, run the following command to start the audit:
 
audit start
 
  6. Check the audit:
To verify that the audit is working properly, run the following command from the command line:

/usr/sbin/auditstream | auditpr -helRtcr -v

The terminal enters Wait mode: the command blocks and prints audit records as they arrive.
 
Open another terminal window with an audited user and run the command:
 
mkuser test
 
If the audit is functioning properly, the Wait mode screen displays the command executed:
 
mkuser test
 
If the command does not appear, you can turn off the audit and verify the configuration.
  7. Turn off the audit:
If you need to stop auditing, run the command:
 
audit shutdown