Edit AIX Audit events

Posted on 2009-07-08
Last Modified: 2013-11-17
Hi,

These are the parameters when I do "audit query" and it's giving me a lot of logs.

auditing on
audit bin manager is process 23962
audit events:
        loginout - USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute
        ALL - AUD_CONFIG_WR,S_USER_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_LOGIN_WRITE,S_LIMITS_WRITE,S_GROUP_WRITE,S_ENVIRON_WRITE,USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute,AUD_It,FILE_Open,PROC_Delete,FILE_Write,FILE_Close,AUD_Bin_Def,FILE_Stat,FILE_Read,PROC_Adjtime,TCP_ksocket,TCP_kconnect,TCP_kclose,PROC_Create,FILE_Fchown,FILE_Dupfd,PROC_Privilege,PROC_SetPri,FILE_Accessx,PROC_LoadError,FILE_Pipe,PROC_SetUserIDs,PROC_RealGID,CRON_Start,CRON_Finish,FILE_Unlink,TCB_Exec,AUD_Proc,SENDMAIL_Config,PROC_SetGroups,MAIL_ToUser,WLM_set,FILE_Fchmod,FILE_Rename,FILE_Mode,PROC_Setpgid,PROC_Limits,INIT_End,MSG_Read,FS_Chdir,SHM_Open,SHM_Detach,INIT_Start,FILE_ReadXacl,FILE_WriteXacl,FILE_Owner,FILE_Utimes,PROC_LoadMember,PROC_Load,TCP_ksetopt,TCP_kbind,PROC_Environ,TCP_kshutdown,FS_Fchdir,FILE_Link,FILE_FReadXacl,FILE_FWriteXacl

audit objects:
        /etc/security/audit/config:
                 w = AUD_CONFIG_WR
        /etc/security/limits:
                 w = S_LIMITS_WRITE
        /etc/security/group:
                 w = S_GROUP_WRITE
        /etc/security/environ:
                 w = S_ENVIRON_WRITE
        /etc/security/login.cfg:
                 w = S_LOGIN_WRITE
        /etc/security/passwd:
                 r = S_PASSWD_READ
                 w = S_PASSWD_WRITE
        /etc/security/user:
                 w = S_USER_WRITE


Here also is my audit config file

start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        loginout = USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute

users:
        default = loginout


My question now is how can I remove the parameter "ALL" on the audit event. I only want to audit on those with "loginout".

Thank you.
Question by:mkuser01
3 Comments
Expert Comment

by:woolmilkporc
ID: 24803345
Hi,
the 'ALL' class is implicitly defined and always there.
If you don't use it, it should do no harm. It is not active unless explicitly configured in the config file.
wmp

Author Comment

by:mkuser01
ID: 24829250
Hi,

I've isolated my problem by removing all the parameters under "classes" in the /etc/security/audit/config file, but I'm still getting a bunch of logs. Based on my configuration, there should be no logs, right?

Thank you in advance.


Accepted Solution

by:woolmilkporc (earned 1500 total points)
ID: 24829779
Well,

it seems that the 'users:  default ...' stanza doesn't do what we want in your case, for whichever reason.

Please re-add your 'classes: ...' stanza
and add every concerned user under 'users: ...', either by editing the file directly or by issuing

chuser "auditclasses=loginout" [userid]

Should there be too many users to change manually, use this little script:

lsuser -a id ALL | while read name rest ; do chuser "auditclasses=loginout" "$name" ; done

Take care to issue 'audit shutdown' and 'audit start' after making changes to reset the configuration in the kernel tables.

HTH

wmp
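The following is an added example, not code from the thread: a small POSIX shell parser for the stanza layout of /etc/security/audit/config that reports which events a given user will actually be audited for (expanding the classes named in the users: stanza, falling back to "default") and which users have the built-in ALL class assigned. It assumes the stanza format shown in the question (stanza name ending in ':', attribute lines as "key = value") and uses a constructed sample config rather than the asker's file.

```sh
# Added example: check the effect of the classes:/users: stanzas of an AIX
# audit config offline, before running 'audit shutdown' / 'audit start'.
# Assumes stanza names end in ':' and attributes are "key = value" lines.

# Constructed sample config for this example; not the asker's file.
SAMPLE_CFG="${TMPDIR:-/tmp}/audit_config_sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
classes:
        loginout = USER_Login,TERM_Logout,USER_Exit,USER_Logout,PROC_Execute
        files = FILE_Open,FILE_Write

users:
        default = loginout
        auditor = loginout,files
        root = ALL
EOF

# Print one "stanza key value" line per attribute in the config file.
audit_stanzas() {   # $1 = config file
    awk '
        /^[A-Za-z_]+:[ \t]*$/ { sub(/:.*/, ""); stanza = $0; next }
        /^[ \t]+[A-Za-z_0-9]+[ \t]*=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            print stanza, kv[1], kv[2]
        }' "$1"
}

# Comma-separated, sorted list of events the user is audited for, expanding
# each class in the user's auditclasses list (falling back to "default").
# The built-in class ALL selects every event and is reported as-is.
audit_events_for_user() {   # $1 = config file, $2 = user name
    classes=$(audit_stanzas "$1" | awk -v u="$2" '$1=="users" && $2==u {print $3}')
    if [ -z "$classes" ]; then
        classes=$(audit_stanzas "$1" | awk '$1=="users" && $2=="default" {print $3}')
    fi
    for c in $(printf '%s' "$classes" | tr ',' ' '); do
        if [ "$c" = ALL ]; then echo ALL
        else audit_stanzas "$1" | awk -v c="$c" '$1=="classes" && $2==c {print $3}'
        fi
    done | tr ',' '\n' | LC_ALL=C sort -u | paste -s -d ','
}

# Users whose auditclasses include ALL: these produce the flood of
# records the question describes.
audit_users_with_all() {   # $1 = config file
    audit_stanzas "$1" | awk '$1=="users" && $3 ~ /(^|,)ALL(,|$)/ {print $2}'
}
```

Run it against the real file with `audit_events_for_user /etc/security/audit/config <user>` to see the effective event set for a user before restarting auditing.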