In order to monitor the auditing events on AIX 7.1, perform the following procedure:
- Configure the Audit module.
  - Stop and shut down the audit service using the commands below:
    # audit off
    # audit shutdown
  - Switch the path to the audit configuration folder:
    # cd /etc/security/audit
  - Modify the config file to add the monitored events and change the event output mode.
    - In the "start" section, set the following:
      binmode = off
      streammode = on
    - In the "classes" section, add the "system" and "init" classes with the corresponding commands:
      system = USER_Remove,USER_Create,GROUP_Create,GROUP_Remove
      init = USER_Login
    - Add the two (2) classes from the previous step under the "users" section to include them in the audit scope.
  - Modify the event output format in the events file:
    - tsm
      USER_Login = printf "User: %s tty: %s"
    - rmuser
      USER_Remove = printf " delete user %s"
    - mkuser
      USER_Create = printf " new user %s %s %P %A"
    - mkgroup
      GROUP_Create = printf " new group %s %s"
    - rmgroup
      GROUP_Remove = printf " remove group %s"
  - Comment out the other entries in the streamcmds file and add the line below:
    /usr/sbin/auditstream | auditpr -v > /var/log/user.log &
- Configure the Syslog module.
  - Run the command below to stop the syslog daemon:
    # stopsrc -s syslogd
  - Add the audit log entry below to the /etc/syslog.conf file:
    User.debug /var/log/user.log rotate size 5m files 5
  - Run the command below to start the syslog daemon:
    # startsrc -s syslogd
  - Start the audit module using the following command:
    # audit start
  - Confirm that audit is running using the following command:
    # audit query
  - Check that the audit output events are being written properly to /var/log/user.log.
  - Check the /etc/rc file and ensure that there is no entry like the one below:
    /usr/sbin/audit start
  - If the above line exists, modify it similar to the following:
    /usr/sbin/audit start 1>&- 2>&-
  - Next, verify that there is no audit start entry in /etc/inittab.
- Customize a Log Inspection rule for AIX.
  - Right-click the Log Inspection rule 1002831 – Unix Syslog and select Duplicate.
  - Rename the duplicated Log Inspection rule to "Unix - Syslog for HG".
  - Under the Content tab, remove all the content of the Unix – Syslog for HG rule and paste the following content to meet the specific request for monitoring the actions:
    <group name="syslog,access_control,">
      <rule id="2505" level="6">
        <match>User: root|ROOT LOGIN|login from|session opened for user root by (uid</match>
        <description>Physical root login</description>
      </rule>
    </group>
    <group name="syslog,adduser">
      <rule id="5901" level="6">
        <match> new group</match>
        <description>New group added to the system</description>
      </rule>
      <rule id="5902" level="6">
        <match> new user| new account added</match>
        <description>New user added to the system</description>
      </rule>
      <rule id="5903" level="6">
        <regex> delete user| account deleted| removed group| remove group| group '\S+' removed$</regex>
        <description>Group (or user) deleted from the system</description>
      </rule>
    </group>
  - Under the Files tab, change the monitored file to /var/log/user.log with the syslog type.
  - Assign both the default and the customized Log Inspection rules below to the target AIX server:
    - Unix - Syslog for HG
    - 1002792 - Default Rules Configuration
- Perform the following request actions from the AIX server:
  - Add User command: mkuser xxx
  - Remove User command: rmuser xxx
  - Add Group command: mkgroup yyy
  - Remove Group command: rmgroup yyy
  - Login as root: log in as root from another session
- On the Log Inspection page, verify that the events were logged for the actions mentioned above.
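As an added illustration that is not part of the original article, the Python below replays the four rule patterns from the customized rule content above over constructed sample lines shaped like the printf tails configured in the events file, so you can see which rule each audited action triggers before assigning the rule. It assumes that <match> is a plain substring test with "|" as OR and that <regex> can be approximated with Python's re module; the sample lines and auditpr column layout are constructed, not captured output.

```python
import re

# Rules transcribed from the customized "Unix - Syslog for HG" content above.
# Assumptions: <match> is a plain substring test with '|' as OR, and <regex>
# is approximated with Python's re module (the Log Inspection regex dialect
# is smaller than Python's, but these particular patterns behave the same).
RULES = [
    (2505, "match", "User: root|ROOT LOGIN|login from|session opened for user root by (uid"),
    (5901, "match", " new group"),
    (5902, "match", " new user| new account added"),
    (5903, "regex", r" delete user| account deleted| removed group| remove group| group '\S+' removed$"),
]


def classify(line):
    """Return the id of the first rule that fires on one log line, or None."""
    for rule_id, kind, pattern in RULES:
        if kind == "match" and any(alt in line for alt in pattern.split("|")):
            return rule_id
        if kind == "regex" and re.search(pattern, line):
            return rule_id
    return None


# Constructed sample lines (not captured output): each tail is what the
# printf format configured in the events file produces for that command;
# the leading auditpr columns are illustrative only.
SAMPLE_LOG = [
    "USER_Create  root  OK  Mon Jun  3 10:12:01 2024  mkuser   new user jdoe 208 /home/jdoe /usr/bin/ksh",
    "GROUP_Create root  OK  Mon Jun  3 10:13:05 2024  mkgroup  new group devops 301",
    "USER_Remove  root  OK  Mon Jun  3 10:14:22 2024  rmuser   delete user jdoe",
    "GROUP_Remove root  OK  Mon Jun  3 10:15:40 2024  rmgroup  remove group devops",
    "USER_Login   root  OK  Mon Jun  3 10:16:02 2024  tsm      User: root tty: /dev/pts/1",
    "USER_Login   jdoe  OK  Mon Jun  3 10:17:30 2024  tsm      User: jdoe tty: /dev/pts/2",
    # 'User: root' is an unanchored substring, so a login by a user whose
    # name merely starts with "root" also triggers rule 2505.
    "USER_Login   rootadmin  OK  Mon Jun  3 10:18:11 2024  tsm  User: rootadmin tty: /dev/pts/3",
]


def classify_all(lines):
    """Map each line to the rule id it triggers (None means no alert)."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for rule_id, line in zip(classify_all(SAMPLE_LOG), SAMPLE_LOG):
        print(rule_id, line)
```

The last sample line shows that the unanchored "User: root" substring also fires for the constructed "rootadmin" login; if that is not wanted, tighten the pattern in the duplicated rule (for example to "User: root tty:") before assigning it.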