
Restricting audit events

Status
Not open for further replies.

trifo

MIS
May 9, 2002
269
HU
Hi All,

I am requested to set up auditing on some of our AIX boxes. I would need to audit user login-logout events, and everything that was run interactively (commands and scripts).

Now, I have at least 2 problems:
1) I have set up a new event class in the /etc/security/audit/config file as follows:
Code:
   proc_events = PROC_Create,PROC_Delete,PROC_Execute,PROC_LPExecute,PROC_Environ,PROC_SetSignal,PROC_Kill,PROC_LoadError,PROC_Sysconfig,PROC_SysParm,PROC_Reboot

and assigned the above class to my user for testing purposes:
Code:
   trifo = proc_events

I have also set stream mode on, to watch events in real time (later, for prod purposes I plan to use binary mode).

After all this, I started auditing and watched events. Surprisingly there are a lot of events which were not configured to be collected:
FILE_Accessx
FILE_Close
FILE_Dupfd
FILE_Open
FILE_Pipe
FILE_Read
FILE_Stat
FILE_Unlink
FILE_Write
FS_Chdir
PROC_Create
PROC_Delete
PROC_Execute
PROC_Load
PROC_LoadMember
PROC_Setpgid
S_PASSWD_READ

PROC events are OK, but as far as I know, FILE events should not appear.

Can you tell me where I fail?



2) I do not see a straightforward possibility to audit script runs. They just appear as a file open by ksh and then a heap of executes, but it seems quite hard to follow. Is there a workaround to this?


Thanks in advance,

--Trifo
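A check that helps with problem 1 is to compare what the trail actually contains against what /etc/security/audit/config says should be collected for each login. The script below is an added example for this thread, not code from the poster or from AIX: it parses the stanza layout shown in the post (a `classes:` stanza of `name = EVENT,EVENT,...` lines and a `users:` stanza of `login = class,...` lines) and reports, per login, every event in the trail that is not covered by that login's classes. The config fragment and the trail lines are constructed for the example; the trail format (`EVENT login status command`, one record per line) is a simplification and not the exact column layout of `auditpr`. Joining a value that ends in a comma with the next line is an assumption about how continuation lines are written.

```python
"""Compare an AIX audit trail against the classes configured per user.

Added example for this thread; not code from the original post or from AIX.
Assumptions: the stanza layout of /etc/security/audit/config shown in the
post, and that a value ending in a comma continues on the next line.
SAMPLE_CONFIG and SAMPLE_TRAIL are constructed inputs, not real system output.
"""
from collections import defaultdict

# Constructed config fragment, modelled on the stanzas quoted in the post.
SAMPLE_CONFIG = """\
start:
        binmode = off
        streammode = on

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename
        proc_events = PROC_Create,PROC_Delete,PROC_Execute,PROC_LPExecute,
        PROC_Environ,PROC_SetSignal,PROC_Kill,PROC_LoadError,PROC_Sysconfig,
        PROC_SysParm,PROC_Reboot

users:
        root = general
        trifo = proc_events
"""

# Constructed trail records, simplified to "EVENT login status command".
SAMPLE_TRAIL = """\
PROC_Create   trifo  OK  ksh
PROC_Execute  trifo  OK  ls
FILE_Open     trifo  OK  ls
FILE_Read     trifo  OK  ls
FILE_Close    trifo  OK  ls
PROC_Delete   trifo  OK  ls
S_PASSWD_READ trifo  OK  ls
USER_SU       root   OK  su
FILE_Write    root   OK  vi
"""


def _logical_lines(text):
    """Strip blanks and '*' comments; join lines whose value ends in a comma (assumed continuation)."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        buf += line
        if buf.endswith(","):
            continue
        out.append(buf)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_audit_config(text):
    """Return ({class_name: set(events)}, {login: [class_names]}) from stanza text."""
    classes, users = {}, {}
    stanza = None
    for line in _logical_lines(text):
        if line.endswith(":"):          # "classes:", "users:", "start:" ...
            stanza = line[:-1]
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        items = [v.strip() for v in value.split(",") if v.strip()]
        if stanza == "classes":
            classes[key.strip()] = set(items)
        elif stanza == "users":
            users[key.strip()] = items
    return classes, users


def configured_events(classes, users, login):
    """Union of the events in every class assigned to this login."""
    events = set()
    for cls in users.get(login, []):
        events |= classes.get(cls, set())
    return events


def parse_trail(text):
    """Constructed trail lines: first field is the event, second the login."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) >= 2:
            records.append((parts[0], parts[1]))
    return records


def unexpected_events(records, classes, users):
    """Map login -> sorted events seen in the trail but not in that login's classes."""
    expected = {login: configured_events(classes, users, login) for login in users}
    unexpected = defaultdict(set)
    for event, login in records:
        if event not in expected.get(login, set()):
            unexpected[login].add(event)
    return {login: sorted(evs) for login, evs in unexpected.items()}


if __name__ == "__main__":
    cls, usr = parse_audit_config(SAMPLE_CONFIG)
    for login, evs in unexpected_events(parse_trail(SAMPLE_TRAIL), cls, usr).items():
        print(f"{login}: in trail but not in configured classes: {', '.join(evs)}")
```

Run against a real box, the config would be read from /etc/security/audit/config and the records built from the formatted trail (adjust `parse_trail` to the actual column layout you get). Events the script flags for a login are the ones to account for: either another class assigned to that login contains them, or they are being recorded for a reason other than the `users:` stanza, which narrows down where to look next.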