Solved

Using auditd on AIX 6.1

Posted on 2013-10-22
2
799 Views
Last Modified: 2014-02-09
Is there any experience out there in using the auditd (as known from Linux) on AIX (rather than using the AIX' built-in audit subsystem)?

Might auditd eventually be more sensible when it comes to
- sensible amount of data
- satisfying PCI DSS requirements

E.g. we'd like to restrict logging to activities on interactive shells by users w/ admin rights. This seems to be a problem w/ AIX audit.
0
Comment
Question by:jmeesenburg
2 Comments
 
LVL 9

Accepted Solution

by:
jfer0x01 earned 300 total points
Comment Utility
Auditd will log when users login and out physically and over telnet ssh and when users su, among other things like cron execution.

Might auditd eventually be more sensible when it comes to
- sensible amount of data - Lots of logs, kinda hard to read though.
- satisfying PCI DSS requirements - I take it the AIX box has client or financial information, so yes. Log are also sequential and and running off of epoch time and thus generates legitimate log entries.

E.g. we'd like to restrict logging to activities on interactive shells by users w/ admin rights.

Auditd, logs. Restriction or alerting of login events has to be accomplished by.

1. Custom script that parses logs, sends an email or generates syslog entry to alert you.
2. 3rd party solution that parses logs. (logwatch, Logstash, Splunk).

Hope this helps.

Jfer
0
 

Author Closing Comment

by:jmeesenburg
Comment Utility
Thanks jfer - good hints in the right direction!

In the meantime we've figured out to do that properly.
As you wrote, a bit of scripting is required, but the right configuration using the tools AIX and the audit subsystem provide are key.
Fortunately, there's no 3rd party software required.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

PRTG Network Monitor lets you monitor your bandwidth usage, so you know who is using up your bandwidth, and what they're using it for.
OfficeMate Freezes on login or does not load after login credentials are input.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now