AIX Audit PR connector configuration tips and tricks.

Document created by ron.beck on Aug 24, 2009

Here is a configuration for AIX Audit that one of our customers has created to work with our AIX Audit PR connector.


There are a few files in /etc/security/audit that lay out the events and control what the audit subsystem does.  I'll just paste them in below:

/etc/security/audit/config

   The syntax of this file is exact.  For instance, there cannot be a line feed between the stanza name with its ":" and the first config parameter that follows it, and so forth; a misplaced break silently breaks the stanza.

start:
        binmode = on
        streammode = off
bin:
        trail = /audit/bkup/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 524288
        cmds = /etc/security/audit/bincmds
        freespace = 0
stream:
        cmds = /etc/security/audit/streamcmds
classes:
        tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate
        ipsec = IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,IKE_activat_cmd,IKE_remove_cmd
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
        eprise = GROUP_Adms,GROUP_Create,GROUP_Remove,PASSWORD_Flags,USER_Change,USER_Create,USER_Remove,PROC_Reboot,AUD_Bin_Def,AUD_Events,AUD_It,AUD_Objects,FS_Chroot,INSTALLP_Inst,PORT_Locked,FILE_Owner,MAIL_ToUser
        std = GROUP_Change,GROUP_User,PASSWORD_Check,User_SetGroups,USER_Reboot,TERM_Logout,USER_Login,USER_Logout,USER_SU,PASSWORD_Ckerr,USER_Check,USRCK_Error,USER_Exit,PASSWORD_Change
        net = TCPIP_config,TCPIP_host_id,TCPIP_connect,TCPIP_access
users:
        root = eprise,std,cron,net
        default = std,cron
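
Because the stanza syntax is unforgiving and a user line can quietly name a class that was never defined, a small sanity checker is handy before restarting audit. The following is an added example, not code from the original post or from the connector: it parses the stanza layout shown above into a dict and flags a mode that is switched on without a cmds entry, and any users entry that refers to an undefined class. The sample config is constructed and abridged from the one above, with an undefined class deliberately left in.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the page's /etc/security/audit/config (abridged);
# the 'default' user line refers to a class ('net') that is deliberately left undefined.
SAMPLE_CONFIG = """start:
        binmode = on
        streammode = off
bin:
        trail = /audit/bkup/trail
        cmds = /etc/security/audit/bincmds
classes:
        std = USER_Login,USER_Logout,USER_SU,PASSWORD_Change
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove
users:
        root = std,cron
        default = std,net
"""

STANZA_RE = re.compile(r"^(\w+):\s*$")  # 'start:', 'bin:', ... with nothing after the colon

def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    # Each 'name:' header opens a stanza; its 'key = value' parameters follow on their own lines.
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STANZA_RE.match(line)
        if m:  # new stanza header
            current = m.group(1)
            stanzas[current] = {}
        elif current is None or "=" not in line:
            raise ValueError(f"parameter outside a stanza or not 'key = value': {line!r}")
        else:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def check_config(text: str) -> List[str]:
    # Returns the consistency problems found; an empty list means none were found.
    s = parse_stanzas(text)
    problems: List[str] = []
    for mode, stanza in (("binmode", "bin"), ("streammode", "stream")):
        if s.get("start", {}).get(mode) == "on" and "cmds" not in s.get(stanza, {}):
            problems.append(f"{mode} is on but the {stanza} stanza has no cmds entry")
    classes = s.get("classes", {})
    for user, spec in s.get("users", {}).items():
        for cls in (c.strip() for c in spec.split(",")):
            if cls not in classes:
                problems.append(f"users.{user} refers to undefined class {cls!r}")
    return problems
```

Run check_config on the text of the real file; a class name that appears only in the users stanza is reported as undefined, which is what you want to catch before the audit subsystem drops those events without comment.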

/etc/security/audit/events:  Be sure to use the events file that matches the version of the audit subsystem that is installed.  I've seen problems when using an events file from another revision.  Also, if you want to audit more objects, such as files in /etc, this is the file that holds the action information for the entries in /etc/security/audit/objects.

/etc/security/audit/objects:  Defines the objects and their paths, and whether an event is reported on reads of that object, on writes, or on both.  To get yourself going, you will probably want to start with the original objects and events files and then modify them once the basics are working.

/etc/security/audit/streamcmds:  Here is what I use, a single line:

/usr/sbin/auditstream | auditpr > /audit/stream.out &

/etc/security/audit/bincmds:  The auditbin process is not needed for the Real Time AIX ArcSight connector.  I use it to log the audit data for archiving purposes.  Here are the contents, just in case you want to see them:

/usr/sbin/auditcat -p -o "/audit/bkup/trail.`/usr/bin/date +%m%d%Y%H%M`" $bin
/usr/bin/find /audit/bkup -type f -user root -exec /usr/bin/chown arcsight {} \;
/usr/bin/find /audit/bkup -mtime +30 -exec /usr/bin/mv {} /audit/7yr \;
/usr/bin/find /audit/7yr -type f -user root -exec /usr/bin/chown arcsight {} \;
/usr/bin/chown arcsight:audit /audit/bkup /audit/7yr
