Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Configuring a Log Inspection rule to monitor auditing events on AIX 7.1

    • Updated:
    • 14 Aug 2020
    • Product/Version:
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 10.2
    • Deep Security 10.3
    • Deep Security 9.6
    • Platform:
    • IBM AIX 7.1

Track these auditing events on AIX 7.1 by customizing a Log Inspection rule:

  • Add user
  • Remove user
  • Add group
  • Remove group
  • Login as root

In order to monitor the auditing events on AIX 7.1, perform the following procedure:

  1. Configure the Audit module.
    1. Stop and shut down the audit service using the commands below:

      # audit off
      # audit shutdown

    2. Switch the path to the audit configuration folder:

      # cd /etc/security/audit

    3. Modify the config file to add monitor event and change the event output mode.
      1. In the "start" section, set the following:

        set binmode = off
        streammode = on

        Add binmode and streammode

      2. In the "classes" section, add "system" and "init" classes with the corresponding command:

        system = USER_Remove,USER_Create,GROUP_Create,GROUP_Remove
        init = User_Login

        Add system and init

      3. Add the two (2) classes from the previous step under the "users" section to include them in the audit scope.

        Add classes under users

    4. Modify the event output format on the events file:
      • tsm
        USER_Login = printf "User: %s tty: %s"
      • rmuser
        USER_Remove = printf " delete user %s"
      • mkuser
        USER_Create = printf " new user %s %s %P %A"
      • mkgroup
        GROUP_Create = printf " new group %s %s"
      • rmgroup
        GROUP_Remove = printf " remove group %s"
    5. Comment out the other entries and add the line below from the streamcmds file:

      /usr/sbin/auditstream |auditpr -v > /var/log/user.log &

      Modify audit log

  2. Configure the Syslog module.
    1. Run the command below to stop the syslog daemon:

      # stopsrc -s syslogd

    2. Add the audit log below to the /etc/syslog.conf file:

      User.debug /var/log/user.log rotate size 5m files 5

      Audit log

    3. Run the command below to start the syslog daemon:

      # startsrc -s syslogd

    4. Start audit module using the following command:

      # audit start

    5. Confirm that audit is running using the following command:

      #audit query

    6. Check the audit log output event located under /var/log/user.log propriety.
    7. Check the /etc/rc file and ensure that there is no entry like below.

      /usr/sbin/audit start

    8. If the above line exists, modify it similar to the following:

      /usr/sbin/audit start 1>&- 2>&-

    9. Verify next that there is no audit start in /etc/inittab.
  3. Customize a Log Inspection rule for AIX.
    1. Right-click the Log Inspection rule 1002831 – Unix Syslog and select Duplicate.

      Duplicate 1002831 – Unix Syslog

    2. Rename the duplicated Log Inspection rule to "Unix - Syslog for HG".
    3. Under Content tab, remove all the content of Unix – Syslog for HG rule and paste the following content to meet the specific request for monitor action:

      <group name="syslog,access_control,">
      <rule id="2505" level="6">
      <match>User: root|ROOT LOGIN|login from|session opened for user root by (uid</match>
      <description>Physical root login</description>

      <group name="syslog,adduser">
      <rule id="5901" level="6">
      <match> new group</match>
      <description>New group added to the system</description>

      <rule id="5902" level="6">
      <match> new user| new account added</match>
      <description>New user added to the system</description>

      <rule id="5903" level="6">
      <regex> delete user| account deleted| removed group| remove group| group '\S+' removed$</regex>
      <description>Group (or user) deleted from the system</description>

      Replace the content of the default Log Inspection rule

    4. Under Files tab, change the monitor file to /var/log/user.log with syslog type.

      Change monitor file

  4. Assign both the default and customized Log Inspection rules below to the target AIX server:
    • Unix -Syslog for HG
    • 1002792- Default Rules Configuration

    Apply custom and default Log Inspection rule

  5. Perform the following request actions from the AIX server:
    • Add User command: mkuser xxx
    • Remove User command: rmuser xxx
    • Add Group command: mkgroup yyy
    • Remove Group command: rmgroup yyy
    • Login as root: Login root from the other session
  6. On the Log Inspection, verify that the events were logged for the actions mentioned above.

    Check the Log Inspection events

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.