Monitoring Events with AIX Audit
The AIX* built-in audit subsystem allows system administrators to monitor and record security-related events on the system. This utility provides a good footing for identifying security exposures related to user profile attribute changes and to the security settings on your system files. You can also use the audit reports to make security decisions based on the Sarbanes-Oxley Act of 2002 (SOX) recommendations for UNIX systems and on your internal policy. In this article, I’ll describe how to configure AIX’s built-in audit system to monitor events.
AIX Audit works by defining an audit class, which can have any name. Within this class, audit events, such as logins and file changes, are defined. Once audit is running, every defined event is monitored and can be tracked in the audit log. Events can be recorded on a per-user basis or for groups of users. Individual files can also be monitored. The IBM Redbooks* publication, “Accounting and Auditing on AIX 5L” (SG24-6396-00, http://www.redbooks.ibm.com/abstracts/sg246396.html?Open), contains the full list of audit events, their meanings and an explanation of how audit works.
The list of system or ad-hoc files to monitor can be extensive, so I’ll focus on just a few. Looking at a typical framework for a daily security audit, I would recommend that it contain at least user account attribute changes, user account password changes and user su attempts. I’ll leave it up to you to address the other system events you wish to monitor. As is always the case, what needs to be audited will depend on your security policy.
One thing to note is that audit is applied to the user ID that triggers an audit event, not to the audit event itself. When data is written to the audit log, it’s written as a record that includes a header and a tail. The header contains the user, the time, the type of event and whether or not it was successful. The tail consists of other available information, such as the parsed attributes of the event. Auditing data can be collected in two modes, bin or stream. This article will only describe the stream mode. The stream mode writes to a circular buffer file, so when the file becomes full it starts rewriting at the beginning of the file. This gives the stream mode a clear advantage: if the file system containing the audit log file becomes full, events are still logged.
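The three checks recommended above (su attempts, password changes and account attribute changes) can be pulled out of the audit log with ordinary shell tools. The following is an added example, not from the original article or from IBM; the sample records are constructed in the shape of the header fields described above (event, login user, status, time, command) and the column layout is an assumption, so adjust the field numbers to match the format your `auditpr` invocation actually prints.

```shell
#!/bin/sh
# Added example: summarise AIX audit records by user, event and status.
# SAMPLE_RECORDS is CONSTRUCTED test data laid out as
#   event  login  status  time  command
# and stands in for the output of auditpr on a real system.
SAMPLE_RECORDS='USER_SU           bob      FAIL   Mon Mar 04 09:12:31 2013   su
USER_SU           bob      FAIL   Mon Mar 04 09:12:40 2013   su
USER_SU           alice    OK     Mon Mar 04 09:15:02 2013   su
PASSWORD_Change   alice    OK     Mon Mar 04 09:20:11 2013   passwd
USER_Change       root     OK     Mon Mar 04 10:01:45 2013   chuser'

# count_events EVENT STATUS
# Number of records whose event name ($1) and status ($3) both match.
count_events() {
    printf '%s\n' "$SAMPLE_RECORDS" |
        awk -v ev="$1" -v st="$2" '$1 == ev && $3 == st { n++ } END { print n+0 }'
}

# failed_su_users THRESHOLD
# Login names with at least THRESHOLD failed su attempts, one per line.
# Repeated USER_SU failures from one account are the su-attempt signal
# the daily review is after.
failed_su_users() {
    printf '%s\n' "$SAMPLE_RECORDS" |
        awk -v th="$1" '$1 == "USER_SU" && $3 == "FAIL" { c[$2]++ }
                        END { for (u in c) if (c[u] >= th) print u }' | sort
}

# report
# One line per event/status pair with its count, sorted for a daily summary.
report() {
    printf '%s\n' "$SAMPLE_RECORDS" |
        awk '{ k[$1 " " $3]++ } END { for (i in k) print i, k[i] }' | sort
}

# Daily summary: overall counts, then accounts with two or more failed su.
report
echo "accounts with repeated failed su:"
failed_su_users 2
```

On a live system, replace the constructed variable with the records read from the stream output file (or the auditpr pipeline) you configured, keeping the functions as they are.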