	[x] Posted via EE Mobile
	Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.

Question

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.0

AIX Audit Events - AIX adding its own?

Asked by SMcP in IBM AIX Unix

Tags: AIX Audit Events

Hi there,

AIX 5.3 Auditing we have a very simple AIX Audit Config as noted below. However when we do a Audit Query Config we get the out put as per (again below).

This is generating a lot of data which we don't actually want.

I think it's because AIX Auditing is adding the "ALL=..." parameter (go figure - see the query results)

The question I suppose is "where does this "ALL=..." come from?" Shown at <<AIX IS ADDING THIS LINE AUTOMATICALLY>> in the code below. It shouldn't inject itself into the Config stream at all.

Is there an overall setting that determines if this can happen or what?

Many thanks in advance,

Kindest regards

View the Solution FREE for 30 Days

         
           
             1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:
12:
13:
14:
15:
16:
17:
18:
19:
20:
21:
22:
23:
24:
25:
26:
27:
28:
29:
30:
31:
32:
33:
34:
35:
36:
37:
38:
39:
40:
41:
42:
43:
44:
45:
46:
47:
48:
49:
50:
51:
52:
53:
54:
55:
56:
57:
58:
59:
60:
61:
62:
63:
64:
65:
66:
67:
68:
69:
70:
71:
72:
73:
74:
75:
76:
77:
78:
79:
80:
81:
82:
83:
84:
85:
86:
87:
88:
89:
90:
91:
92:
93:
94:
95:
96:
97:
98:

           
           
             CONFIG FILE:
start:
        binmode = on
        streammode = off
 
bin:
        freespace = 65536
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
 
classes:
        general = PASSWORD_Change,INSTALLP_Inst
        SRC = No_Events            
        USR = USER_Create,USER_Change,USER_Login,USER_Reboot
        GRP = GROUP_Create,GROUP_Change,GROUP_Remove
        cron = AT_JobAdd,CRON_Start
        tcpip = No_Events     
        kernel = No_Events  
        files = No_Events
        svipc = No_Events
        mail = No_Events
        objects = No_Events
        lvm = No_Events
        ldapserver = No_Events
        ipsec = No_Events
        aacct = No_Events
        ALL = PASSWORD_Change
 
users:
        root = general
 
 
<serverName@/audit>audit query
 
auditing on
audit bin manager is process 380994
audit events:
        general = PASSWORD_Change,INSTALLP_Inst
        SRC = No_Events
        USR = USER_Login,USER_Create,USER_Change,USER_Reboot
        GRP = GROUP_Create,GROUP_Change,GROUP_Remove
        cron = AT_JobAdd,CRON_Start
        tcpip = No_Events
        kernel = No_Events
        files = No_Events
        svipc = No_Events
        mail = No_Events
        objects = No_Events
        lvm = No_Events
        ldapserver = No_Events
        ipsec = No_Events
        aacct = No_Events
        ALL = PASSWORD_Change
 
<<AIX IS ADDING THIS LINE AUTOMATICALLY>>
 
        ALL = AUD_CONFIG_WR,S_USER_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_LOGIN_WRITE,
S_LIMITS_WRITE,S_GROUP_WRITE,S_ENVIRON_WRITE,USER_SU,PASSWORD_Change,FILE_Unlink,
FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,
SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,
SRC_Delserver,PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,
PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,
PROC_Privilege,PROC_Settimer,FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Owner,FILE_Mode,
FILE_Acl,FILE_Privilege,DEV_Create,MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,
MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,
SHM_Close,SHM_Owner,SHM_Mode,SENDMAIL_Config,SENDMAIL_ToFile,AT_JobAdd,AT_JobRemove,
CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish,TCPIP_config,TCPIP_host_id,TCPIP_route,
TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,
TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate,IPSEC_chtun,
IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,
IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,
IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,
IKE_activat_cmd,IKE_remove_cmd,LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,
LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,
LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,
LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,
LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG,LDAP_Bind,
LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare,
AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,
AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,
AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,
AACCT_NotChange,AACCT_NotifyOff,AUD_It,PROC_Kill,WLM_set,PROC_Sysconfig,TCP_ksocket,
TCP_kconnect,TCP_kclose,TCP_kbind,TCP_ksetopt,PROC_Adjtime,FILE_Stat,FILE_Accessx,FILE_Dupfd,
PROC_Setpgid,TCB_Exec,PROC_Load,PROC_LoadMember,SHM_Detach,FILE_Pipe,PROC_LoadError,
FILE_FReadXacl,FILE_FWriteXacl,FILE_Fchown,PROC_SetGroups,PROC_SetUserIDs,AUD_Proc,
FILE_ReadXacl,FILE_WriteXacl,FILE_Utimes,AUD_Bin_Def,TCP_klisten,TCP_kaccept,FILE_Mknod,
FILE_StatAcl,TCP_kshutdown,TCP_ksocketpair,PROC_SetPAGVal,USER_Login,INSTALLP_Inst,
USER_Create,USER_Change,USER_Reboot,GROUP_Create,GROUP_Change,GROUP_Remove,
FILE_Fchmod,FILE_Frevoke,FILE_Facl,USER_Exit,FS_Mount,FS_Umount,INIT_End,INIT_Start,
No_Events,USER_Chpass,PASSWORD_Flags
 
audit objects:
        /etc/security/passwd:
                 r = S_PASSWD_READ
                 w = S_PASSWD_WRITE

           
         

20091021-EE-VQP-81 - Hierarchy / EE_QW_3_20080625

Hall of Fame

1. woolmilkp...555,288
2. gheist53,917
3. KeremE31,716
4. omarfarid29,955
5. dfke15,589
6. sjm_ee13,445
7. Tintin12,000
8. ozo8,700
9. sdstuber7,220
10. amit_g5,900
11. Kdo5,250
12. dolomiti5,000
13. uayneb4,584
14. mrjoltcola4,400
15. robertfwo...4,000
16. Adam3143,950
17. rammaghe...3,320
18. liddler3,000
18. askb3,000
20. angelIII2,800
21. JIEXA2,750
22. kishored...2,600
23. blu2,000
23. yuzh2,000
23. pauloaguia2,000
23. FishMonger2,000
23. LindaC2,000
23. GRayL2,000
23. EmpKent2,000
23. murugesa...2,000
23. dineesh2,000
23. Nopius2,000
23. flow012,000
23. arober112,000
23. nemws12,000
23. erudans2,000
23. leakim9712,000
23. mnh2,000
23. oocyte2,000

1. woolmilkp...626,158
2. gheist360,801
3. sjm_ee326,380
4. omarfarid116,105
5. Kdo83,841
6. dfke75,279
7. tfewster60,515
8. cpc200450,485
9. Sandy_it47,477
10. Tintin45,526
11. yuzh32,970
12. Gns32,313
13. KeremE31,716
14. giltjr30,400
15. amit_g28,690
16. sdstuber27,650
17. ozo25,898
18. robertfwo...23,830
19. JustUNIX21,715
20. Lhotch21,350
21. sppalser18,648
22. iskhan16,860
23. sunnycoder16,275
24. JulieBouillon14,370
25. MikeOM_...13,300

AIX Audit Events - AIX adding its own?

Asked by SMcP in IBM AIX Unix

Tags: AIX Audit Events

About this solution