AIX Audit Series of Articles

• AIX: Configure AIX Audit in BIN Mode
• AIX: Configure AIX Audit in Stream Mode
• AIX: Filtering content in AIX Audit

Configure Audit

Step 1: Create a Backup of the Files

To ensure safety, create backups of the audit configuration files:

cd /etc/security/audit

cp config config_original

cp streamcmds streamcmds_original

Modify the File /etc/security/audit/config

start:
       ignorenonexistentity = no
       binmode = on
       streammode = off
       fullpath = on
bin:
       trail = /audit/trail
       bin1 = /audit/bin1
       bin2 = /audit/bin2
       binsize = 10240
       cmds = /etc/security/audit/bincmds
       freespace = 65536
...
custom_audit =FILE_Open,FILE_Read,FILE_Write,FILE_Rename,...,PROC_Execute,USER_Shell

users:
   default = custom_audit

Save and close

Modify the File /etc/security/audit/bincmds

/usr/sbin/auditpr -t0 -h eclrRpPd -w -i $bin > $bin.out

Save and close

Auditbin will alternate the value of $bin, to the value of bin1 and bin2 from config file.

Run audit

1) Stop Audit

audit shutdown

2) Start Audit

audit start

Sample output

Thu Jul 25 19:56:22 2024 FILE_Open       cecuser  cecuser  OK          ls                              7471614  7274804          flags: 67108864 mode: 0 fd: 3 filename /home/SW/dir1
Thu Jul 25 19:56:22 2024 FILE_Close      cecuser  cecuser  OK          ls                              7471614  7274804          file descriptor = 3

Ver também

• Linux:Comando Find
• Linux: Identificando qual processo esta escutando uma porta tcpip

• Mais Artigos sobre Linux / UNIX / AIX