Unix Logging

Status
Not open for further replies.

jmcclain

Programmer
Aug 14, 2002
27
US
I've been asked to help get a Unix based application through a Sarbanes-Oxley review.

The auditors are requiring that privileged access (e.g. root level accounts) must be logged. The logs must then be reviewed to ensure that any actions taken by these accounts are appropriate.

My specific question is if anyone has any experience with:
- Developing a script to log actions by particular accounts
- Using a third party tool to perform logging

Any suggestions would be appreciated, as we are stuck!
 
Auditors love sudo.

It not only logs all privileged access, it allows highly granular control of privilege. You can be as specific as only allowing a certain user to run a certain command with certain arguments on a certain machine. The log isn't formatted with automated parsing in mind, but it sounds like you'll need to be manually reviewing them anyway.

AIX versions are available from Bull Freeware, and the AIX Toolbox for Linux Applications.

Rod Knowlton
IBM Certified Advanced Technical Expert pSeries and AIX 5L

 
You might also want to disable remote login for the "root" user and then set up syslogd to log the "auth" and "info" messages, which will log the "su -" into the syslog file.
 
If you only allow "su -" to root level accounts then you can run a variation of the following command to monitor who is using "su -":

tail -20 /var/adm/sulog
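
For a review that needs more than the last 20 lines, the following added example (not part of the original post) summarises su attempts per source account. The function names and sample records are constructed, and it assumes the usual sulog record layout `SU MM/DD HH:MM +|- tty from-to`.

```shell
#!/bin/sh
# Added example: per-account summary of su attempts from sulog-format records.
# Assumed record layout: SU MM/DD HH:MM +|- tty from-to   (+ success, - failure)

# Constructed sample records (not from a real system).
sample_sulog() {
cat <<'EOF'
SU 08/14 09:02 + pts/1 jsmith-root
SU 08/14 09:40 - pts/3 guest-root
SU 08/14 10:15 + pts/1 jsmith-oracle
SU 08/14 11:07 - pts/3 guest-root
SU 08/15 02:31 + pts/0 opsuser-root
EOF
}

# su_report [TARGET]: read sulog records on stdin and print, for each source
# account that tried to become TARGET (default root):
#   <from> ok=<n> failed=<n> last=<MM/DD HH:MM>
su_report() {
    awk -v target="${1:-root}" '
        $1 == "SU" && NF >= 6 {
            # Split "from-to" on the last hyphen; assumes TARGET has no hyphen.
            pair = $6
            i = length(pair)
            while (i > 0 && substr(pair, i, 1) != "-") i--
            if (i == 0) next
            from = substr(pair, 1, i - 1)
            to = substr(pair, i + 1)
            if (to != target) next
            if ($4 == "+") ok[from]++
            else if ($4 == "-") bad[from]++
            else next
            last[from] = $2 " " $3
        }
        END {
            for (u in last)
                printf "%s ok=%d failed=%d last=%s\n", u, ok[u], bad[u], last[u]
        }' | sort
}

# Demo on the constructed sample; on a live system: su_report root < /var/adm/sulog
sample_sulog | su_report root
```

Accounts with failed attempts and no successes, such as `guest` in the sample, are the lines a reviewer would look at first.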
 
You may also consider turning on AIX audit and configuring it to your specific needs. That was one of my requests from SOX.

 