Solved

Setting Up AIX Audit

Posted on 2013-06-16
3
511 Views
Last Modified: 2013-06-28
I have a server that a set of of files are deleted each week in a specific directory. The fact it's occurring around the same time each weekend, I suspect that it's a cron process running. There are too many scripts in cron to go through so I was wondering if it's possible to enable the AIX auditing subsystem to detect when a file in a specific directory is deleted and to report who or what process removed it. If this can be done with the audit subsystem, I need help in configuring this.
0
Comment
Question by:abgtemp
  • 2
3 Comments
 
LVL 1

Accepted Solution

by:
Ponmaniraja earned 300 total points
Comment Utility
Hi below is the file to configure audit subsystem to detect when a file is deleted in the specific directory.

#more /etc/security/audit/config
-----------------------------------------------------------------------------------------------------------
start:
binmode = off
streammode=on
bin:
trail = /auditfs/trail
bin1 = /auditfs/bin1
bin2 = /auditfs/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
stream:
cmds = /etc/security/audit/streamcmds
classes:
genuser=USER_SU,PASSWORD_Change

objects=S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
users:
root = general
0
 

Author Comment

by:abgtemp
Comment Utility
Thanks. Where do you specify the directory or file?
0
 
LVL 1

Expert Comment

by:Ponmaniraja
Comment Utility
In objects you have to give.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Installing FreeBSD… FreeBSD is a darling of an operating system. The stability and usability make it a clear choice for servers and desktops (for the cunning). Savvy?  The Ports collection makes available every popular FOSS application and packag…
Using libpcap/Jpcap to capture and send packets on Solaris version (10/11) Library used: 1.      Libpcap (http://www.tcpdump.org) Version 1.2 2.      Jpcap(http://netresearch.ics.uci.edu/kfujii/Jpcap/doc/index.html) Version 0.6 Prerequisite: 1.      GCC …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now