
AIX Agent Install and Auditing


Updated March 11th, 2016

Overview

This article provides brief background information and the steps to install the AIX Agent and enable auditing on the AIX system.

Environment

All LEM versions

Steps

AIX Audit Information (Pre-install/configuration)

 

A list of audit events built into AIX, along with a list of predefined audit objects, can be found in the file /etc/security/audit/events.

In general, auditing events are defined at the system call level, so a single operation at the command line results in records for several events in the audit trail. For example, when viewing a file with the cat or more command, the following records are logged to the audit trail:

 

FILE_Open (file is opened)
FILE_Read (file is read)
FILE_Write (file is written to standard output)
PROC_Create (process creation for more OR cat)
PROC_Execute (command execution)
PROC_Delete (process completion)

 

To add further audit objects, extend the /etc/security/audit/objects file.

Auditing can run in one or both of two modes, BIN mode and STREAM mode; STREAM mode is the preferred choice for the LEM Agent.

 

In STREAM mode, the default AIX configuration provides a program that reads the STREAM buffer and processes each record with the commands found in /etc/security/audit/streamcmds. These commands format the output into human-readable form and write it to /audit/stream.out. This file is NOT cumulative; it is restarted every time auditing is restarted. The STREAM audit trail can be read in real time from /audit/stream.out, or by sending the output directly to a terminal or printer.
 

There are five audit subcommands for invoking auditing:

  • /usr/sbin/audit start - Activates the audit subsystem (this is the only correct way to start auditing).
  • /usr/sbin/audit shutdown - Stops the audit subsystem, processes the final BIN records, and removes the /audit/auditb file that the audit modules use as an "active" indicator.
  • /usr/sbin/audit off - Suspends auditing temporarily.
  • /usr/sbin/audit on - Resumes auditing after audit off.
  • /usr/sbin/audit query - Displays the status of auditing.

 

All auditing related configuration files reside in /etc/security/audit.

The /etc/security/audit/config file contains the key audit controls.

 

more /etc/security/audit/config

classes:
general = USER_SU,PASSWORD_Change,USER_Login,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,...
objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,...
SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,...
kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,...
files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,...
svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,...
mail = SENDMAIL_Config,SENDMAIL_ToFile
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,...
lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,...
users:
root = general
joe = general,files

 

For additional information, see the IBM document The Audit Subsystem in AIX.

 

Steps to install the Agent and enable auditing:

 

Agent Install:

  1. Download the AIX agent from the SolarWinds Customer Portal.
  2. Unzip the package on a Windows system and copy setup.bin to the AIX system (WinSCP is recommended).
  3. Run chmod 777 setup.bin to set permissions that allow execution.
  4. The installer asks to create /usr/local/contego/ContegoSPOP/; let it install there whenever possible.
  5. spop.conf can be edited to point to either the IP address or the hostname of the LEM.
    Note: After changing spop.conf, restart the agent service.

 

Another feature of the Unix agents is that the agent directory can be copied to other Unix servers (after removing the spop directory); the agent startup script can then be added to the operating system startup scripts so the agent starts automatically.

 

Configure auditing on the AIX server:

  1. vi /etc/security/audit/config - Verify that the file contains the following (binmode off, streammode on):

         start:
               binmode = off
               streammode = on

         bin:
               trail = /audit/trail
               bin1 = /audit/bin1
               bin2 = /audit/bin2
               binsize = 10240
               cmds = /etc/security/audit/bincmds

         stream:
               cmds = /etc/security/audit/streamcmds

  2. /usr/sbin/audit shutdown

  3. vi /etc/security/audit/streamcmds - Insert the following line:
         /usr/sbin/auditstream | auditpr -v > /audit/stream.out &

  4. /usr/sbin/audit start

 

Verify logging:

  1. cat /audit/stream.out - Shows the audit records collected in the AIX file.

  2. tail -f /audit/stream.out - Monitors the log file in real time on the AIX server.

  3. If nothing is received:
         /usr/sbin/audit on
         /usr/sbin/audit start
              (the audit command also accepts the off, shutdown, and query subcommands listed above)
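The configuration the steps above put in place (the start: and stream: stanzas of /etc/security/audit/config and the auditstream line in streamcmds) checked by a small pre-flight script, as an added example that is not part of the SolarWinds article. It assumes only sh, awk and grep; the file paths are parameters that default to the real AIX locations, so it can also be run against copies of the files before /usr/sbin/audit start.

```shell
#!/bin/sh
# Added example, not from the SolarWinds article: pre-flight check of the AIX
# audit files the steps above edit, meant to run before "audit start".
# File paths are parameters so the check can be exercised on copies.

# Print the value of KEY inside stanza NAME of an AIX stanza file.
# A line "name:" opens a stanza; "key = value" lines belong to it.
# Usage: stanza_get FILE STANZA KEY
stanza_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*[A-Za-z_]+:[ \t]*$/ {
            s = $0; sub(/^[ \t]*/, "", s); sub(/:.*$/, "", s)
            in_stanza = (s == want); next
        }
        in_stanza && $1 == key && $2 == "=" {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$1"
}

# Return 0 when the files match the article: binmode off, streammode on,
# stream cmds naming a streamcmds file, and that file piping auditstream
# into auditpr and writing /audit/stream.out.
# Usage: audit_preflight [CONFIG] [STREAMCMDS]
audit_preflight() {
    cfg="${1:-/etc/security/audit/config}"
    binmode=$(stanza_get "$cfg" start binmode)
    streammode=$(stanza_get "$cfg" start streammode)
    cmds=$(stanza_get "$cfg" stream cmds)
    streamcmds="${2:-$cmds}"          # override lets tests point at a copy
    [ "$binmode" = "off" ] ||
        { echo "start: binmode is '$binmode', expected off"; return 1; }
    [ "$streammode" = "on" ] ||
        { echo "start: streammode is '$streammode', expected on"; return 1; }
    case "$cmds" in
        */streamcmds) ;;              # catches the easy "streamcmd" typo
        *) echo "stream: cmds is '$cmds', expected .../streamcmds"; return 1 ;;
    esac
    [ -r "$streamcmds" ] ||
        { echo "cannot read $streamcmds"; return 1; }
    grep -q 'auditstream.*|.*auditpr.*/audit/stream\.out' "$streamcmds" ||
        { echo "$streamcmds lacks the auditstream | auditpr > /audit/stream.out line"; return 1; }
    echo "audit configuration matches the expected STREAM setup"
}
```

Run it as root on the AIX host with no arguments after step 3 and before step 4; a non-zero exit names the first stanza value or line that does not match.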

 

 

Last modified
20:37, 25 Apr 2017
