Friday, January 21, 2011

Setting up and configuring the AIX audit subsystem

BIN mode collection is the recommended method when auditing a
production system.
BIN mode
The BIN mode collection method is batch oriented and is used for long-term storage of large
amounts of audit data. In BIN mode, audit records are alternately collected in two temporary files
called bin files. When one bin file is full (size is specified in /etc/security/audit/config) the audit
logger switches to the other bin file. The auditbin daemon is responsible for flushing the full bin to
an audit trail. The data in the bin is flushed to the trail according to the backend commands that
reside in the /etc/security/audit/bincmds file.
Audit subsystem commands
Audit subsystem commands control the AIX® audit subsystem and its output. The
/usr/sbin/audit command enables you to start, shut down, suspend, and query the audit
subsystem. This command has the following variations:
audit start
Starts the audit subsystem.
audit shutdown
Ends the audit subsystem; when BIN mode collection is used the bin files are
flushed.
audit off
Suspends the audit subsystem temporarily.
audit on
Restarts the audit subsystem when it has been suspended.
audit query
Displays the current status of the auditing system, and lists all audit classes and
selected objects.
Important:
To enable the audit subsystem to start each time the system is started, the following line must be
added to the /etc/rc file:
/usr/sbin/audit start
The Control Files
The following files control the auditing subsystem:
/etc/security/audit/config
/etc/security/audit/bincmds
/etc/security/audit/events
/etc/security/audit/objects
/etc/security/audit/streamcmds
Audit Configuration Requirements
Please refer to chapter 2.1.1, AIX Platforms, section 6, Activity Auditing, of ITCS104 for
configuration requirements. Chapter 2.1.1, AIX Platforms, can be found at the following URL:
http://w3-03.ibm.com/transform/sas/as-web.nsf/ContentDocsByTitle/AIX+Platforms
In addition to requirements specified in ITCS104, the following
configuration settings must be in place.
The security administrator must add the following lines at the end of the /etc/security/audit/events
file:
* Object Audit Event definitions needed
* for Tivoli Compliance Insight Manager
Obj_READ = printf "%s"
Obj_WRITE = printf "%s"
Obj_EXECUTE = printf "%s"
The objects that need to be monitored for auditing must be present in the
/etc/security/audit/objects file. Each object has a stanza that defines one or more access modes
(read, write, or execute). The access modes are associated with the object audit event types that
were defined earlier in the /etc/security/audit/events file. The following stanzas must be included
in the /etc/security/audit/objects file.
/etc/sudoers:
r = "Obj_READ"
w = "Obj_WRITE"
/usr/local/bin/pbrun:
x = "Obj_EXECUTE"
/var/adm/syslog-00-00-00.log:
r = "Obj_READ"
w = "Obj_WRITE"
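Before restarting the audit subsystem it is worth checking that the events and objects files actually carry the entries above. The following script is an added example, not part of the original post or of IBM's TCIM documentation; the file paths are parameters, and the sample files it builds at the end are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM/TCIM documentation.
# Verifies that the events file defines Obj_READ/Obj_WRITE/Obj_EXECUTE and that the
# objects file carries the required stanzas, so the check can run before
# "audit shutdown; audit start". File paths are parameters; the sample files
# below are constructed for the demo and are not a system's real files.

# Usage: check_audit_events EVENTS_FILE -> 0 if all three object events are defined
check_audit_events() {
    rc=0
    for ev in Obj_READ Obj_WRITE Obj_EXECUTE; do
        grep -q "^$ev *= *printf \"%s\"" "$1" || { echo "MISSING event: $ev" >&2; rc=1; }
    done
    return $rc
}

# Usage: check_audit_object OBJECTS_FILE PATH MODE EVENT
# 0 if the stanza for PATH contains  MODE = EVENT  (quotes around EVENT optional)
check_audit_object() {
    awk -v path="$2" -v mode="$3" -v event="$4" '
        # a stanza header is an unindented line ending in ":" (e.g. /etc/sudoers:)
        /^[^ \t].*:[ \t]*$/ { cur = $0; sub(/:[ \t]*$/, "", cur); next }
        cur == path {
            gsub(/"/, ""); gsub(/=/, " = ")     # normalise  r="Obj_READ"  to  r = Obj_READ
            if ($1 == mode && $2 == "=" && $3 == event) found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# Usage: check_required_objects OBJECTS_FILE -> 0 only if every required entry exists
check_required_objects() {
    rc=0
    while read -r path mode event; do
        check_audit_object "$1" "$path" "$mode" "$event" ||
            { echo "MISSING object entry: $path $mode = $event" >&2; rc=1; }
    done <<EOF
/etc/sudoers r Obj_READ
/etc/sudoers w Obj_WRITE
/usr/local/bin/pbrun x Obj_EXECUTE
/var/adm/syslog-00-00-00.log r Obj_READ
/var/adm/syslog-00-00-00.log w Obj_WRITE
EOF
    return $rc
}

# Constructed demo files: the syslog stanza is deliberately left out
demo=$(mktemp -d)
printf '%s\n' '* Object Audit Event definitions' 'Obj_READ = printf "%s"' \
    'Obj_WRITE = printf "%s"' 'Obj_EXECUTE = printf "%s"' >"$demo/events"
printf '%s\n' '/etc/security/passwd:' '        r = "S_PASSWD_READ"' '/etc/sudoers:' \
    '        r = "Obj_READ"' '        w = "Obj_WRITE"' '/usr/local/bin/pbrun:' \
    '        x = "Obj_EXECUTE"' >"$demo/objects"
check_audit_events "$demo/events" && echo "events file OK"
check_required_objects "$demo/objects" || echo "objects file incomplete"
```

Run it against copies of /etc/security/audit/events and /etc/security/audit/objects; a non-zero return with a MISSING line names the entry that still has to be added.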
Instructions for adding sudo logs to syslog for collection by TCIM:
1. Edit the sudoers file to add the following line under #Defaults. Example
# Defaults specification
Defaults syslog=local2
2. If there is already a Defaults entry in the file you can merge the two settings like this:
# Defaults specification
Defaults syslog=local2,log_year,logfile=/var/log/sudo.log
3. Create the log file by using touch:
$ touch /var/adm/syslog-00-00-00.log
4. Edit the syslog.conf file and add the following at the bottom:
local2.debug /var/adm/syslog-00-00-00.log rotate files 3 time 1m
5. Restart the syslog daemon:
# stopsrc -s syslogd
0513-044 The syslogd Subsystem was requested to stop.
# startsrc -s syslogd
0513-059 The syslogd Subsystem has been started. Subsystem PID is 168102.
Run the following two commands in sequence to restart the auditing subsystem:
# audit shutdown
# audit start
You may use the following command to query the audit subsystem for the list of defined objects:
# audit query
You should see something like the following:
auditing on
audit bin manager is process 10114
audit events:
objects
S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,
S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
itcs104
USER_SU,PASSWORD_Change,PROC_Reboot,USER_Reboot,DEV_Change,
DEV_Configure,DEV_Create,DEV_Remove,DEV_Start,DEV_Stop,
DEV_UnConfigure,ACCT_Disable,ACCT_Enable,PORT_Change,
PORT_Locked,TCPIP_config,TCPIP_kconfig,TCPIP_kroute,TCPIP_route,
ENQUE_exec,FS_Extend,FS_Mount,FS_Umount,FS_Chroot,
RESTORE_Import,AUD_Events,AUD_Objects,AUD_Proc,AUD_It,
INSTALLP_Inst,TCPIP_set_time,PROC_Adjtime,PROC_Sysconfig,
PROC_LoadError,TCPIP_host_id
audit objects:
/etc/security/audit/config:
w = AUD_CONFIG_WR
/etc/security/environ:
w = S_ENVIRON_WRITE
/etc/security/group:
w = S_GROUP_WRITE
/etc/security/limits:
w = S_LIMITS_WRITE
/etc/security/login.cfg:
w = S_LOGIN_WRITE
/etc/security/passwd:
r = S_PASSWD_READ
w = S_PASSWD_WRITE
/etc/security/user:
w = S_USER_WRITE
/etc/sudoers:
r = Obj_READ
w = Obj_WRITE
/usr/local/bin/pbrun:
x = Obj_EXECUTE
/var/adm/syslog-00-00-00.log:
r = Obj_READ
w = Obj_WRITE
The object audit events are written to the audit bins in the same manner as the events generated
from the standard event auditing. The following are two commands that can be used together to
view the object audit events. The auditpr command is used to convert the binary audit records
into a readable format. It is assumed that the audit bins are defined in the /audit folder and bin1
is the current active bin.
# auditcat /audit/bin1 | auditpr -v
event login status time command
--------------- -------- ----------- ------------------------ --------
Obj_READ root OK Tue Dec 06 17:08:21 2005 vi
audit object read event detected /etc/sudoers
Obj_WRITE root OK Tue Dec 06 17:08:26 2005 vi
audit object write event detected /etc/sudoers
Obj_EXECUTE root OK Tue Dec 06 17:09:09 2005 pbrun
audit object exec event detected /usr/local/bin/pbrun
The Event column shows the AIX® event name as defined in the /etc/security/audit/events file.
The Login column displays the user ID that performed the action. The Status column indicates a
success or failure of the action. The Command column shows the command or the program
name that wrote the audit event. The three object audit events shown in the example indicate
read and write actions on the /etc/sudoers file and an execute action on the /usr/local/bin/pbrun file.
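The two-line records that auditpr -v prints are awkward to grep, so a collector usually pairs each header record with the trail record that names the object. The script below is an added example, not from the original post or from IBM: it turns the output into one delimited line per object event and flags writes to the monitored files. Its sample is the listing above plus one constructed FAIL record; it is not output captured from a live system.

```shell
#!/bin/sh
# Added example, not from the original post: parses "auditcat /audit/bin1 | auditpr -v"
# output into one delimited line per object audit event, pairing each header record
# with the "audit object ... detected <path>" trail record that follows it, and
# flags writes to the monitored files. The sample below is taken from the listing
# above plus one constructed FAIL record; it is not output captured from a live system.

# Usage: object_events < auditpr-output
# Emits  event|login|status|timestamp|command|object  per Obj_* record
object_events() {
    awk '
        # header record: event login status <5 time fields> command
        $1 ~ /^Obj_/ && NF >= 9 {
            event = $1; login = $2; status = $3
            ts = $4 " " $5 " " $6 " " $7 " " $8; cmd = $9
            pending = 1; next
        }
        # trail record names the object; its last field is the path
        pending && /^audit object .* event detected / {
            printf "%s|%s|%s|%s|%s|%s\n", event, login, status, ts, cmd, $NF
            pending = 0
        }'
}

# Usage: count_events EVENT < auditpr-output -> prints how many records carry EVENT
count_events() { object_events | grep -c "^$1|" || true; }

# Usage: flag_writes < auditpr-output
# One ALERT line per Obj_WRITE record, successful or not, so failed edits are seen too
flag_writes() {
    object_events | awk -F'|' '$1 == "Obj_WRITE" {
        print "ALERT: " $2 " write (" $3 ") to " $6 " via " $5 " at " $4 }'
}

# Sample input: the listing from the post plus one constructed failed write by "jsmith"
SAMPLE='event login status time command
--------------- -------- ----------- ------------------------ --------
Obj_READ root OK Tue Dec 06 17:08:21 2005 vi
audit object read event detected /etc/sudoers
Obj_WRITE root OK Tue Dec 06 17:08:26 2005 vi
audit object write event detected /etc/sudoers
Obj_EXECUTE root OK Tue Dec 06 17:09:09 2005 pbrun
audit object exec event detected /usr/local/bin/pbrun
Obj_WRITE jsmith FAIL Tue Dec 06 17:12:40 2005 vi
audit object write event detected /etc/sudoers'

printf '%s\n' "$SAMPLE" | flag_writes
```

On a live system the same functions take the pipeline directly: auditcat /audit/bin1 | auditpr -v | flag_writes.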
Create an ID “insight” on the audited system that has permission to the following:
The SSH collect process does not require Actuator installation on an audited system. However,
the correct Tivoli Compliance Insight Manager user must be created on the audited system and
included in the following standard groups: security, system, and audit. You must also add group
write permission for the /var/log/eprise directory. The Tivoli Compliance Insight Manager user
must have the following rights:
• Read permissions for the failedlogin file (/etc/security/failedlogin), and rx permissions on
the /etc and /etc/security directories.
• Read permissions for the wtmp file (/var/adm/wtmp), and rx permissions on the /var and
/var/adm directories.
• Full access (rwx) to /var/log/eprise, and rx permissions on /var and /var/log.
• Read and write access to the files created in /var/log/eprise.
• Read permissions for the /var/adm/syslog-00-00-00.log file.
Setting up the SSH user on AIX systems
Use this procedure to create a user account on a to-be-audited AIX® system and to set it up so
that it can be used by Tivoli Compliance Insight Manager to remotely collect log data:
1. Log in to the audited system as the root user.
2. To create a Tivoli Compliance Insight Manager user, type the following command: mkuser
username
where username is the user ID you want to use. Your system might have requirements
for valid passwords. If the mkuser utility returns a message saying the username is not
valid, try another combination until the value is accepted.
3. To set the user password:
a. At the command prompt, type passwd username, where username is the user
ID you just created.
b. When prompted, enter the new password. Then, enter it again to confirm.
4. Change the login shell to /bin/sh:
a. Type passwd -s username.
b. At the prompt, type Y to change the login shell.
c. Type the shell you want to change to, as illustrated in the following example:
Change (yes) or (no)? >y
To ?>/bin/sh
crme 12:/#
5. After you change the login shell, the Tivoli Compliance Insight Manager user should be
able to run the tar and gzip utilities without specifying the full path to them.
6. To verify that the tar and gzip utilities are accessible to the Tivoli Compliance Insight
Manager user from the shell:
a. Log in as the root user.
b. To locate the utilities, run the following command: which tar gzip
7. Edit the SSH user group file to add the Tivoli Compliance Insight Manager user (Figure 4
of the original procedure: Editing the SSH user group file to add the Tivoli Compliance Insight
Manager user).
a. Save the edited file. If you are using the vi text editor, press Esc, then type :wq to
exit. You should see the command output shown in Figure 5 of the original procedure
(Command output after adding the Tivoli Compliance Insight Manager user to the SSH
user group). Press Enter to save the file.
b. Then remove write access to the group file for the owner:
chmod u-w group
Attention:
The AIX system might have a specific configuration where these steps do not apply. In that case,
check the group ownership and group permissions of the files that are collected, and verify that
the Tivoli Compliance Insight Manager has the required authorizations to access the files for
collection.
POST
These steps are to be completed after the machine has been set up and configured on the TCIM server.
The public key is sent to the admin, who then needs to follow these steps:
Installing the public key using OpenSSH
1. Create a hidden .ssh directory in the home directory of the Tivoli Compliance Insight
Manager user if it does not already exist. Type the following command, for example:
mkdir $HOME/.ssh
2. In the .ssh directory, create or edit a file called authorized_keys. Then, paste the contents
of the temporary public key file, which was created on the point of presence and
transferred to the audited system, into the file as a single line. Delete the temporary key
file when done. Use any text editor, or use the following commands on the command line:
touch $HOME/.ssh/authorized_keys
cat tempkey >> $HOME/.ssh/authorized_keys
rm tempkey
3. Set the permissions on the .ssh directory and the authorized_keys file so that the insight
user is the owner with read access. Type the following commands to set the ownership
and permissions correctly:
cd $HOME
chown insight .ssh .ssh/*
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
4. After you set the permissions, review the .ssh directory listing. The listing should be
similar to the following:
total 56
drwx------ 2 insight users 4096 Dec 18 02:51 .
drwx------ 47 insight users 4096 Jan 4 17:24 ..
-rw------- 1 insight users 452 Apr 8 2005 authorized_keys
Note:
After the connection between the point of presence and the audited system has been
established for the first time, the SSH daemon creates and stores additional files, which
are required for normal functioning of the SSH connection, in the .ssh directory.
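A quick way to confirm that the collection user ends up with the listing shown in step 4, and with the group memberships required earlier, is a small check script. The following is an added example, not from the original post or from IBM; the user name and directory are parameters, and the demo at the end runs on a constructed temporary directory rather than a real $HOME/.ssh.

```shell
#!/bin/sh
# Added example, not from the original post or from IBM: checks that the collection
# user's .ssh directory matches the listing the procedure expects (owned by the user,
# .ssh mode 700, authorized_keys mode 600) and that the user is in the groups named
# earlier (security, system, audit). User name and directory are parameters; the
# demo at the end runs on a constructed temporary directory, not a real $HOME/.ssh.

# Usage: check_mode PATH OCTAL -> 0 if PATH's permission bits are exactly OCTAL
check_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Usage: file_owner PATH -> prints the owner name (third column of ls -ld)
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Usage: check_ssh_dir USER SSHDIR -> 0 when ownership and modes are all correct
check_ssh_dir() {
    rc=0
    check_mode "$2" 700 || { echo "BAD: $2 must be mode 700" >&2; rc=1; }
    check_mode "$2/authorized_keys" 600 || { echo "BAD: $2/authorized_keys must be mode 600" >&2; rc=1; }
    for f in "$2" "$2/authorized_keys"; do
        [ "$(file_owner "$f")" = "$1" ] || { echo "BAD: $f is not owned by $1" >&2; rc=1; }
    done
    return $rc
}

# Usage: check_groups USER -> 0 when USER belongs to security, system and audit
check_groups() {
    groups=$(id -Gn "$1" 2>/dev/null) || { echo "BAD: no such user $1" >&2; return 1; }
    rc=0
    for g in security system audit; do
        case " $groups " in
            *" $g "*) ;;
            *) echo "BAD: $1 is not in group $g" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed directory, owned by whoever runs the script
demo=$(mktemp -d); touch "$demo/authorized_keys"
chmod 700 "$demo"; chmod 600 "$demo/authorized_keys"
check_ssh_dir "$(id -un)" "$demo" && echo "ssh directory layout OK"
rm -rf "$demo"
```

On the audited system the real calls are check_ssh_dir insight /home/insight/.ssh and check_groups insight, adjusting the home directory to where mkuser placed it.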

Tuesday, January 18, 2011

AIX COMMAND

Commands for AIX System Administrators
------------------------------------------
The following is a list of commands that are used specifically for administering AIX:


bosboot- Initializes a boot device.

bootlist- Alters the list of boot devices (or the ordering of these
devices in the list) available to the system.

cfgmgr- Configures devices by running the programs in
/etc/methods directory.

chcons- Redirects the system console to device or file, effective
next startup

chdev- Changes a device’s characteristics.

chdisp- Changes the display used by the low-function terminal
(LFT) subsystem.

checkcw- Prepares constant-width text for the troff command.

checkeq or checkmm- Checks documents formatted with memorandum macros.

checknr- Checks nroff and troff files.

chfont- Changes the default font selected at boot time.

chfs- Changes attributes of a file system.

chgroup- Changes attributes for groups.

chgrpmem- Changes the administrators or members of a group.

chhwkbd- Changes the low-function terminal (LFT) keyboard
attributes stored in the Object Data Manager (ODM)
database.

chitab- Changes records in the /etc/inittab file.

chkbd- Changes the default keyboard map used by the
low-function terminal (LFT) at system startup.

chkey- Changes your encryption key.

chlang- Sets LANG environment variable in /etc/environment
file for next login.

AIX Benefits for System Administrators 5
------------------------------------------
chlicense- There are two types of user licensing, fixed and floating.
Fixed licensing is always enabled, and the number of
licenses can be changed through the -u option. Floating
licensing can be enabled or disabled (on or off) through
the -f option.

chlv- Changes the characteristics of a logical volume.

chnamsv- Changes TCP/IP-based name service configuration on a
host.

chprtsv- Changes a print service configuration on a client or
server machine.

chps- Changes attributes of a paging space.

chpv- Changes the characteristics of a physical volume in a
volume group.

chque- Changes the queue name.

chquedev- Changes the printer or plotter queue device names.

chssys- Changes a subsystem definition in the subsystem object
class.

chtcb- Changes or queries the trusted computing base attribute
of a file.

chtz- Changes the system time zone information.

chuser- Changes attributes for the specified user.

chvfs- Changes entries in the /etc/vfs file.

chvg- Sets the characteristics of a volume group.

chvirprt- Changes the attribute values of a virtual printer.

crfs- Adds a file system.

crvfs- Creates entries in the /etc/vfs file.

exportvg- Exports the definition of a volume group from a set of
physical volumes.

extendvg- Adds physical volumes to a volume group.

grpck- Verifies the correctness of a group definition.

importvg- Imports a new volume group definition from a set of
physical volumes.

lsallq- Lists the names of all configured queues.

lsallqdev- Lists all configured printer and plotter queue device
names within a specified queue.

lsattr- Displays attribute characteristics and possible values of
attributes for devices in the system.

lsdev- Displays devices in the system and their characteristics.

lsdisp- Lists the displays currently available on the system.

lsfont- Lists the fonts available for use by the display.

lsfs- Displays the characteristics of file systems.

lsgroup- Displays the attributes of groups.

lsitab- Lists the records in the /etc/inittab file.

lskbd- Lists the keyboard maps currently available to the
low-function terminal (LFT) subsystem.


lslicense- Displays the number of fixed licenses and the status of
floating licensing.

lslpp- Lists optional program products.

lsnamsv- Shows name service information stored in the database.

lsprtsv- Shows print service information stored in the database.

lsps- Lists paging space and attributes.

lsque- Displays the queue stanza name.

lsquedev- Displays the device stanza name.

lssrc- Gets the status of a subsystem, a group of subsystems, or
a subserver.

lsuser- Displays attributes of user accounts.

lsvfs- Lists entries in the /etc/vfs file.

mkcatdefs- Preprocesses a message source file.

runcat- Pipes the output data from the mkcatdefs command to
the gencat command.

mkdev- Adds a device to the system.

mkfont- Adds the font code associated with a display to the
system.

mkfontdir- Creates a fonts.dir file from a directory of font files.

mkgroup- Creates a new group.

mkitab- Makes records in the /etc/inittab file.

mklv- Creates a logical volume.

mklvcopy- Adds copies to a logical volume.

mknamsv- Configures TCP/IP-based name service on a host for a
client.

mknotify- Adds a notify-method definition to the notify-object
class.

mkprtsv- Configures TCP/IP-based print service on a host.

mkps- Adds an additional paging space to the system.

mkque- Adds a printer queue to the system.

mkquedev- Adds a printer queue device to the system.

mkserver- Adds a subserver definition to the subserver object class.

mkssys- Adds a subsystem definition to the subsystem object
class.

mksysb- Backs up mounted file systems in the rootvg volume
group for subsequent reinstallation.

mkszfile- Records size of mounted file systems in the rootvg
volume group for reinstallation.

mktcpip- Sets the required values for starting TCP/IP on a host.

mkuser- Creates a new user account.

mkuser.sys- Customizes a new user account.

mkvg- Creates a volume group.

mkvirprt- Makes a virtual printer.

odmadd- Adds objects to created object classes.



odmchange- Changes the contents of a selected object in the specified
object class.

odmcreate- Produces the .c (source) and .h (include) files necessary
for ODM application development and creates empty
object classes.

odmdelete- Deletes selected objects from a specified object class.

odmdrop- Removes an object class.

odmget- Retrieves objects from the specified object classes and
places them into an odmadd input file.

odmshow- Displays an object class definition on the screen.

pwdck- Verifies the correctness of local authentication
information.

redefinevg- Redefines the set of physical volumes of the given
volume group in the device configuration database.

reducevg- Removes physical volumes from a volume group. When
all physical volumes are removed from the volume
group, the volume group is deleted.

reorgvg- Reorganizes the physical partition allocation for a
volume group.

restbase- Restores customized information from the boot image.

rmdel- Removes a delta from a Source Code Control System
(SCCS) file.

rmdev- Removes a device from the system.

rmf- Removes folders and the messages they contain.

rmfs- Removes a file system.

rmgroup- Removes a group.

rmitab- Removes records in the /etc/inittab file.

rmlv- Removes logical volumes from a volume group.

rmlvcopy- Removes copies from a logical volume.

rmm- Removes messages.

rmnamsv- Unconfigures TCP/IP-based name service on a host.

rmnotify- Removes a notify-method definition from the
notify-object class.

rmprtsv- Unconfigures a print service on a client or server
machine.

rmps- Removes a paging space from the system.

rmque- Removes a printer queue from the system.

rmquedev- Removes a printer or plotter queue device from the
system.

rmserver- Removes a subserver definition from the subserver object
class.

rmssys- Removes a subsystem definition from the subsystem
object class.

rmuser- Removes a user account.

rmvfs- Removes entries in the /etc/vfs file.

rmvirprt- Removes a virtual printer.



savebase- Saves base customized device data in the ODM onto the
boot device.

swapoff- Deactivates one or more paging spaces.

swapon- Specifies additional devices for paging and swapping.

syncvg- Synchronizes logical volume copies that are not current.

usrck- Verifies the correctness of a user definition.

varyoffvg- Deactivates a volume group.

varyonvg- Activates a volume group.
--------------------------------------------------------------------------------