User AIX Audit

[isifer]

Hi all

I should configure the AUDIT on a AIX 5.1 machine.
the only thing that I should set is the control of login o logout of the users.

I have read but I could't understand "what" to change in relation to what I should do.
the rest of the audit is useless for my work

i see /etc/security/audit/config
and i see /etc/security/audit/event

Can you help me step by step? or if someone can post the file that is useful to me

thanks guys

 

[MoreFeo]

To configure the audit process you must edit /etc/security/audit/config

It has a structure similar to:

start:
   binmode = on
   streammode = off

bin:
   trail = /var/log/auditoria/<hostname>
   bin1 = /audit/bin1
   bin2 = /audit/bin2
   binsize = 10240
   cmds = /etc/security/audit/bincmds
   freespace = 65536

stream:
   cmds = /etc/security/audit/streamcmds

classes:
   general =
USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_
Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir

   objects =
S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_RE
AD,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR

   SRC =
SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SR
C_Chserver,SRC_Delserver

   kernel =
PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_Re
alGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,
P
ROC_Privilege,PROC_Settimer

   files =
FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_R
ename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create

   svipc =
MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,SEM_Create
,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,SHM_Close,SH
M_
Owner,SHM_Mode

   mail = SENDMAIL_Config,SENDMAIL_ToFile

   cron =
AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Fini
sh

   tcpip =
TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TC
PIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCP
IP
_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate

   ipsec =
IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_m
ktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf
,I
PSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC
_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_
nego,IKE_activat_c
md,IKE_remove_cmd

   lvm =
LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_Av
oidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,
LVM_
AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQ
uorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeV
G,LVM_CreateLV,LVM
_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG

   ldapserver =
LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,L
DAP_Search,LDAP_Compare

   aacct =
AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_Sw
tchFile,AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AAC
CT_P
rIntOff,AACCT_PrIntSet,AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACC
T_PolLoad,AACCT_PolUnload,AACCT_NotChange,AACCT_NotifyOff

start: binmode and streammode. The audit process can store the logs in binary (binmode) and/or text format (streammode). With these 2 parameters you specify if you want binary, text, or both.

bin: the trail parameter indicates the log file for binmode.

classes: the events to be audited, separated by their class (for login auditing I think you will only need the general section).

Once you've edited the config file there are several commands to start/stop and pause the audit process:

- audit start: used when audit process is not running. Reads the config file and starts the process.
- audit shutdown: stops the audit process.
- audit off: pauses the audit process, but doesn't close it. This closes the log file, so you can rename or move it.
- audit on: used when audit process is running but paused. It re-activates the audit process, without re-reading the config file.
- audit query: queries the audit process status.