Updated March 11th, 2016
This article provides brief information and the steps to install the AIX Agent and enable auditing on the AIX server.
All LEM versions
AIX Audit Information (Pre-install/configuration)
A list of audit events built into AIX, along with a list of predefined audit objects, can be found in the file /etc/security/audit/events.
In general, audit events are defined at the system call level, so a single operation at the command line produces records for several events in the audit trail. For example, when a file is viewed with the cat or more command, the following records are logged to the audit trail:
FILE_Open (file is opened)
FILE_Read (file is read)
FILE_Write (file is written to standard output)
PROC_Create (process creation for more OR cat)
PROC_Execute (command execution)
PROC_Delete (process completion)
To add further audit objects, extend the /etc/security/audit/objects file.
An audit can be started in one or both of these modes (BIN mode or STREAM mode); STREAM mode is the preferred choice.
In STREAM mode, the default AIX configuration provides a program that reads the STREAM buffer and processes each record with the commands found in /etc/security/audit/streamcmds. These commands format the output into human-readable form and write it to /audit/stream.out. This file is NOT cumulative; it is restarted every time the audit is restarted. The STREAM audit trail can be read in real time by reading /audit/stream.out, or by sending the output directly to a terminal or printer.
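Because /audit/stream.out is rewritten on every audit restart, anything worth keeping has to be pulled out of it while it exists. The following POSIX shell functions, added here as an example and not part of the original article, summarise a STREAM-mode trail: they count records per event, list records whose status is not OK, and select records for one login. The record layout they expect (event, login, status, time, command) is the default auditpr column order as assumed here; confirm it against the header line your auditpr actually prints. The sample trail is constructed for the example and contains the six records the article lists for a cat command, plus one failed FILE_Open.

```shell
#!/bin/sh
# Added example, not from the original article: summarise an AIX STREAM-mode
# audit trail as written to /audit/stream.out by auditstream | auditpr.
# Assumed column order: event login status time command (default auditpr).

# Constructed sample of /audit/stream.out: user alice runs "cat", which
# produces the six records named in the article; bob's open fails.
SAMPLE_TRAIL='event           login    status      time                     command
--------------- -------- ----------- ------------------------ --------
PROC_Create     alice    OK          Fri Mar 11 09:15:01 2016 ksh
PROC_Execute    alice    OK          Fri Mar 11 09:15:01 2016 cat
FILE_Open       alice    OK          Fri Mar 11 09:15:01 2016 cat
FILE_Read       alice    OK          Fri Mar 11 09:15:01 2016 cat
FILE_Write      alice    OK          Fri Mar 11 09:15:01 2016 cat
PROC_Delete     alice    OK          Fri Mar 11 09:15:01 2016 cat
FILE_Open       bob      FAIL        Fri Mar 11 09:16:40 2016 cat'

# A record line starts with an event name such as FILE_Open or PROC_Create.
# The header, the dashed separator and any indented "auditpr -v" tail lines
# do not match this pattern and are skipped.
IS_RECORD='$1 ~ /^[A-Z]+_[A-Za-z_]+$/'

# Count records per event name.  Reads the trail on stdin and prints
# "EVENT COUNT" lines sorted by event name.
count_events() {
    awk "$IS_RECORD"' { n[$1]++ } END { for (e in n) print e, n[e] }' | sort
}

# Print every record whose status field is not OK (failed system calls are
# usually the first thing a reviewer wants to see).
failed_records() {
    awk "$IS_RECORD"' && $3 != "OK"'
}

# Print the records attributed to one login name, in trail order.
# Usage: records_for_login alice < /audit/stream.out
records_for_login() {
    awk -v who="$1" "$IS_RECORD"' && $2 == who'
}

# Demonstration on the constructed sample (on a real host, replace the
# printf with: cat /audit/stream.out | ... or tail -f /audit/stream.out | ...).
printf '%s\n' "$SAMPLE_TRAIL" | count_events
printf '%s\n' "$SAMPLE_TRAIL" | failed_records
```

The functions read standard input, so they also work on a live trail with tail -f /audit/stream.out | failed_records, which is the real-time reading the article describes.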
There are five audit subcommands for invoking auditing:
and removing the /audit/auditb file that is used as an "active" indicator by the audit modules
All auditing related configuration files reside in /etc/security/audit.
The /etc/security/audit/config file contains the key audit controls.
For additional information, see The Audit Subsystem in AIX from the IBM website.
Agent Install and Enable Auditing steps:
Another feature of the Unix Agents is that the agent directory can be copied to other Unix servers (after removing the spop directory); the agent startup script can then be added to the operating system startup scripts so the agent starts automatically.
Configure auditing on the AIX server. In /etc/security/audit/config, the mode switches live in the start: stanza and the command files in the bin: and stream: stanzas; set them as follows (BIN mode off, STREAM mode on):
start:
        binmode = off
        streammode = on
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
stream:
        cmds = /etc/security/audit/streamcmds
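After editing the file it is worth checking that the intended settings are the ones in effect before restarting the audit. The shell functions below are added here as an example (not the article's or SolarWinds' own code): they parse the stanza format of /etc/security/audit/config, report the two mode switches from the start: stanza, report which command file a stanza points at, and return success only when STREAM mode is on and BIN mode is off. The two config texts are constructed for the example and are written to temporary files so the functions can be exercised offline; on a real host pass /etc/security/audit/config instead.

```shell
#!/bin/sh
# Added example, not from the original article: check the mode switches in
# an AIX /etc/security/audit/config file.  Stanza format assumed:
#   name:
#           key = value
# which is the layout of that file; both "key = value" and "key=value" are
# accepted.

# Print "binmode=X streammode=Y" from the start: stanza of the file in $1.
audit_modes() {
    awk '
        /^[A-Za-z_]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        { gsub(/[ \t]*=[ \t]*/, " = ") }          # normalise spacing around =
        stanza == "start" && NF == 3 && $2 == "=" { v[$1] = $3 }
        END { printf "binmode=%s streammode=%s\n", v["binmode"], v["streammode"] }
    ' "$1"
}

# Print the cmds file configured for stanza $2 (bin or stream) in file $1.
audit_cmds_file() {
    awk -v want="$2" '
        /^[A-Za-z_]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        { gsub(/[ \t]*=[ \t]*/, " = ") }
        stanza == want && NF == 3 && $1 == "cmds" { print $3 }
    ' "$1"
}

# Succeed (exit 0) only when the file selects STREAM mode and not BIN mode.
check_stream_only() {
    [ "$(audit_modes "$1")" = "binmode=off streammode=on" ]
}

# Constructed config matching the settings given in the article.
GOOD_CONFIG='start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds
'

# Constructed config in which BIN mode was left switched on.
BOTH_ON_CONFIG='start:
        binmode=on
        streammode=on
'

# Write $1 to a temporary file and print its path.
write_tmp() {
    f=$(mktemp) && printf '%s' "$1" > "$f" && echo "$f"
}

# Demonstration on the constructed files.
good=$(write_tmp "$GOOD_CONFIG")
audit_modes "$good"
check_stream_only "$good" && echo "STREAM mode only: ok"
echo "stream cmds file: $(audit_cmds_file "$good" stream)"
rm -f "$good"
```

Run check_stream_only /etc/security/audit/config on the host after the edit; a non-zero exit means the start: stanza still enables BIN mode or does not enable STREAM mode.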