Administering AIX Auditing

The AIX auditing subsystem lets an administrator record security-relevant events, such as user logins, logouts, and file changes, so that they can be analysed against existing security policies and used to detect security violations.

Setting up auditing involves modifying the existing auditing configuration files. To set up auditing, follow these steps:

  1. Log in to the AIX machine as the root user.
  2. Open a terminal window and change directory to /etc/security/audit.
  3. Open the config file in vi.
  4. Locate the following sections, and update or add the listed values:
    start:
       binmode = off
       streammode = on
    
    
    stream:
      cmds = /etc/security/audit/cccstream
    
    
    classes:
    …
       filewatch = PROC_Create,PROC_Delete,FILE_Open,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Fchmod,FILE_Fchown,FS_Chdir,FS_Fchdir,FS_Chroot,FS_Mkdir,FS_Rmdir,FILE_Symlink,FILE_Dupfd,FILE_Mknod,FILE_Utimes
    
    users:
       root = filewatch
       default = filewatch

    Note:

    • In this case, default refers to every user that has no explicit entry in the users stanza, which here means all users other than root. Also note that the last line of the config file must be a blank line.

    • Each parameter line (binmode, streammode, filewatch, root, and default) must begin with a tab character, not spaces. After the restart in step 10 you can verify that the audit subsystem has picked up all the values by running audit query; make sure the filewatch class appears in its output.

  5. Save your modifications and exit vi.
  6. In the same directory (/etc/security/audit/) open the file streamcmds in vi.
  7. Clear all text from the file. The default contents of this file are not needed, because the File Monitoring agent module (the nmxcf process) reads the audit stream directly. Clearing the file reduces CPU usage and improves overall auditing performance.
  8. Save the file and exit vi.
  9. At the terminal prompt, enter the following command so that auditing is started at system startup (run lsitab audit first to confirm that /etc/inittab does not already carry an audit entry):

    mkitab "audit:2:once:/usr/sbin/audit start"

  10. At the prompt, restart auditing by running /usr/sbin/audit shutdown followed by /usr/sbin/audit start, or reboot the host, so that the new configuration takes effect.
  11. At the prompt, run audit query to display the configuration the audit subsystem is actually using. Confirm that the properties are set correctly and that the filewatch class and its assignment to root and default appear in the output.
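The checks that steps 4 and 11 ask for, as an added example that is not part of the original page or of the File Monitoring agent: a POSIX shell script that parses an AIX /etc/security/audit/config file and confirms that the start, stream, classes and users settings listed in step 4 are present, that the filewatch class carries every required event, that parameter lines are tab-indented rather than space-indented, and that the file ends with a blank line. The script name audit_config_check.sh, the function names and the REQUIRED_EVENTS list (copied from step 4) are assumptions of this example. It is a static check of the file, which is useful before the restart in step 10, but it does not replace audit query, which reports what the running subsystem actually loaded.

```sh
#!/bin/sh
# audit_config_check.sh (added example, not from the original page):
# static check of an AIX /etc/security/audit/config for the filewatch setup.
# Usage: audit_config_check.sh [config-file]   (no argument: only define functions)

# Events the filewatch class must list (the list from step 4 of the procedure).
REQUIRED_EVENTS="PROC_Create PROC_Delete FILE_Open FILE_Write FILE_Close FILE_Link \
FILE_Unlink FILE_Rename FILE_Owner FILE_Mode FILE_Fchmod FILE_Fchown FS_Chdir FS_Fchdir \
FS_Chroot FS_Mkdir FS_Rmdir FILE_Symlink FILE_Dupfd FILE_Mknod FILE_Utimes"

# stanza_value STANZA KEY FILE: print the value of "KEY = value" inside the
# stanza introduced by a "STANZA:" line in column 0; print nothing if absent.
stanza_value() {
    awk -v stanza="$1:" -v key="$2" '
        /^[A-Za-z_]+:/ { in_stanza = ($1 == stanza); next }
        in_stanza && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$3"
}

# expect_value STANZA KEY WANTED FILE: return 1 and report when the value differs.
expect_value() {
    got="$(stanza_value "$1" "$2" "$4")"
    if [ "$got" != "$3" ]; then
        echo "$1: $2 is '$got', expected '$3'" >&2
        return 1
    fi
}

# check_audit_config FILE: run every check, report each failure on stderr,
# return 0 only when all of them pass.
check_audit_config() {
    cfg="$1"; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }

    expect_value start binmode off "$cfg"       || rc=1
    expect_value start streammode on "$cfg"     || rc=1
    expect_value users root filewatch "$cfg"    || rc=1
    expect_value users default filewatch "$cfg" || rc=1

    # stream: cmds must name a stream command file (the page uses cccstream)
    [ -n "$(stanza_value stream cmds "$cfg")" ] || { echo "stream: cmds is not set" >&2; rc=1; }

    # classes: every required event must appear in the filewatch list
    events="$(stanza_value classes filewatch "$cfg")"
    if [ -z "$events" ]; then
        echo "classes: no filewatch class defined" >&2; rc=1
    else
        for ev in $REQUIRED_EVENTS; do
            case ",$events," in
                *",$ev,"*) ;;
                *) echo "classes: filewatch lacks $ev" >&2; rc=1 ;;
            esac
        done
    fi

    # parameter lines must be indented with a tab, never with spaces
    bad="$(grep -n '^ [ ]*[A-Za-z_]' "$cfg")"
    if [ -n "$bad" ]; then
        echo "space-indented parameter lines (use a tab):" >&2
        echo "$bad" >&2; rc=1
    fi

    # the file must end with a blank line
    [ -z "$(tail -n 1 "$cfg")" ] || { echo "last line of $cfg is not blank" >&2; rc=1; }

    return $rc
}

if [ $# -gt 0 ]; then
    check_audit_config "$1" && echo "$1: OK"
    exit $?
fi
```

Run it against a copy of the edited file (for example audit_config_check.sh /tmp/config.new) before step 10; a non-zero exit status lists every deviation on stderr. Because it reads the file rather than the live subsystem, the stream: cmds check only confirms that a command file is named, not that it exists or has been emptied as step 7 requires.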