Question

AIX Audit Events - AIX adding its own?

Asked by: SMcP

Hi there,

AIX 5.3 Auditing: we have a very simple AIX Audit Config as noted below. However, when we do an Audit Query Config we get the output as per (again) below.

This is generating a lot of data which we don't actually want.

I think it's because AIX Auditing is adding the "ALL=..." parameter (go figure - see the query results)

The question I suppose is "where does this "ALL=..." come from?"  Shown at <<AIX IS ADDING THIS LINE AUTOMATICALLY>> in the code below.  It shouldn't inject itself into the Config stream at all.

Is there an overall setting that determines if this can happen or what?

Many thanks in advance,

Kindest regards

CONFIG FILE:
start:
        binmode = on
        streammode = off
 
bin:
        freespace = 65536
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
 
classes:
        general = PASSWORD_Change,INSTALLP_Inst
        SRC = No_Events            
        USR = USER_Create,USER_Change,USER_Login,USER_Reboot
        GRP = GROUP_Create,GROUP_Change,GROUP_Remove
        cron = AT_JobAdd,CRON_Start
        tcpip = No_Events     
        kernel = No_Events  
        files = No_Events
        svipc = No_Events
        mail = No_Events
        objects = No_Events
        lvm = No_Events
        ldapserver = No_Events
        ipsec = No_Events
        aacct = No_Events
        ALL = PASSWORD_Change
 
users:
        root = general
 
 
<serverName@/audit>audit query
 
auditing on
audit bin manager is process 380994
audit events:
        general = PASSWORD_Change,INSTALLP_Inst
        SRC = No_Events
        USR = USER_Login,USER_Create,USER_Change,USER_Reboot
        GRP = GROUP_Create,GROUP_Change,GROUP_Remove
        cron = AT_JobAdd,CRON_Start
        tcpip = No_Events
        kernel = No_Events
        files = No_Events
        svipc = No_Events
        mail = No_Events
        objects = No_Events
        lvm = No_Events
        ldapserver = No_Events
        ipsec = No_Events
        aacct = No_Events
        ALL = PASSWORD_Change
 
<<AIX IS ADDING THIS LINE AUTOMATICALLY>>
 
        ALL = AUD_CONFIG_WR,S_USER_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_LOGIN_WRITE,
S_LIMITS_WRITE,S_GROUP_WRITE,S_ENVIRON_WRITE,USER_SU,PASSWORD_Change,FILE_Unlink,
FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,
SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,
SRC_Delserver,PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,
PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,
PROC_Privilege,PROC_Settimer,FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Owner,FILE_Mode,
FILE_Acl,FILE_Privilege,DEV_Create,MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,
MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,
SHM_Close,SHM_Owner,SHM_Mode,SENDMAIL_Config,SENDMAIL_ToFile,AT_JobAdd,AT_JobRemove,
CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish,TCPIP_config,TCPIP_host_id,TCPIP_route,
TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,
TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate,IPSEC_chtun,
IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,
IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,
IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,
IKE_activat_cmd,IKE_remove_cmd,LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,
LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,
LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,
LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,
LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG,LDAP_Bind,
LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare,
AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,
AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,
AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,
AACCT_NotChange,AACCT_NotifyOff,AUD_It,PROC_Kill,WLM_set,PROC_Sysconfig,TCP_ksocket,
TCP_kconnect,TCP_kclose,TCP_kbind,TCP_ksetopt,PROC_Adjtime,FILE_Stat,FILE_Accessx,FILE_Dupfd,
PROC_Setpgid,TCB_Exec,PROC_Load,PROC_LoadMember,SHM_Detach,FILE_Pipe,PROC_LoadError,
FILE_FReadXacl,FILE_FWriteXacl,FILE_Fchown,PROC_SetGroups,PROC_SetUserIDs,AUD_Proc,
FILE_ReadXacl,FILE_WriteXacl,FILE_Utimes,AUD_Bin_Def,TCP_klisten,TCP_kaccept,FILE_Mknod,
FILE_StatAcl,TCP_kshutdown,TCP_ksocketpair,PROC_SetPAGVal,USER_Login,INSTALLP_Inst,
USER_Create,USER_Change,USER_Reboot,GROUP_Create,GROUP_Change,GROUP_Remove,
FILE_Fchmod,FILE_Frevoke,FILE_Facl,USER_Exit,FS_Mount,FS_Umount,INIT_End,INIT_Start,
No_Events,USER_Chpass,PASSWORD_Flags
 
audit objects:
        /etc/security/passwd:
                 r = S_PASSWD_READ
                 w = S_PASSWD_WRITE

                                  

This Question has been solved and asker verified.
Asked On: 2009-07-27 at 01:44:48 (ID 24602207)

Tags: AIX Audit Events

Topic: IBM AIX Unix

Participating Experts: 1

Points: 500

Comments: 3
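
One way to pin down which class definitions in the `audit query` output do not come from the config file, as an added example that is not part of the original question or its answers. `CONFIG` and `QUERY` are constructed, shortened copies of the two listings in the question, and the function names are hypothetical.

```python
import re

# Constructed samples, shortened from the question's config and `audit query` output.
CONFIG = """\
classes:
        general = PASSWORD_Change,INSTALLP_Inst
        USR = USER_Create,USER_Change,USER_Login,USER_Reboot
        kernel = No_Events
        ALL = PASSWORD_Change

users:
        root = general
"""

QUERY = """\
auditing on
audit events:
        general = PASSWORD_Change,INSTALLP_Inst
        USR = USER_Login,USER_Create,USER_Change,USER_Reboot
        kernel = No_Events
        ALL = PASSWORD_Change
        ALL = AUD_CONFIG_WR,S_USER_WRITE,USER_SU,PASSWORD_Change,
FILE_Unlink,PROC_Execute,USER_Login,INSTALLP_Inst,No_Events

audit objects:
        /etc/security/passwd:
                 r = S_PASSWD_READ
"""

def parse_classes(text, header):
    """Return [(class_name, frozenset(events))] for the stanza named `header`."""
    classes, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if re.fullmatch(r"[\w /]+:", stripped) and not line[:1].isspace():
            inside = (stripped == header)      # a new top-level stanza starts
        elif inside and "=" in stripped:
            name, events = (p.strip() for p in stripped.split("=", 1))
            classes.append([name, events])     # duplicate class names are kept
        elif inside and stripped and classes:
            classes[-1][1] += stripped         # continuation of a wrapped event list
    return [(n, frozenset(e for e in ev.split(",") if e)) for n, ev in classes]

def unexpected_classes(config_text, query_text):
    """Class definitions reported as active that the config file does not declare."""
    declared = set(parse_classes(config_text, "classes:"))
    active = parse_classes(query_text, "audit events:")
    # Event sets are compared, so reordering (as in the USR line) is not a difference.
    return [(n, sorted(ev)) for n, ev in active if (n, ev) not in declared]
```

Run against the real `/etc/security/audit/config` and a saved copy of the `audit query` output, this isolates the second `ALL` definition and the events it carries that no declared class lists.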


Answers

 

Accepted Solution

by: dfke, posted on 2009-07-27 at 02:13:20 (ID: 24949775)

Rank: Guru


 

Expert Comment

by: SMcP, posted on 2009-07-27 at 02:26:19 (ID: 24949824)


 

Expert Comment

by: SMcP, posted on 2009-09-07 at 03:36:08 (ID: 31608121)

