===== Audit AIX server =====
http://www.redbooks.ibm.com/abstracts/sg246396.html?Open
https://www-01.ibm.com/support/docview.wss?uid=isg3T1000212
https://www.ibm.com/developerworks/aix/library/au-audit_filter/index.html
==== Combining audit and syslog ====
https://www.ibm.com/developerworks/community/forums/html/topic?id=9c719228-b1b9-4d7a-9b7a-d455e74c2807
First create a dedicated filesystem for the audit data (for example /audit with 2 GB) so that a growing trail cannot fill /.
The basic step is to edit /etc/security/audit/config, set streammode = on and point the stream stanza at an improved streamcmds file. As an example, an excerpt of my config file looks like this:
start:
binmode = on
streammode = on
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 102400
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off
stream:
cmds = /etc/security/audit/streams.004
The streams.004 file then looks like this:
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &
auditstream -m -c files >>/audit/files.bin &
auditstream -m -c tcpip >>/audit/tcpip.bin &
You can also use:
/usr/sbin/auditstream | auditpr -h eclrRdi -v | /usr/bin/logger -p local0.debug &
Note that every command in streamcmds starts with auditstream and must be backgrounded with a trailing &. If one of them is not, audit start blocks waiting on that foreground command and auditing never comes up.
In addition, each auditstream command must be written on a single line (no \ continuation at the end of a line for formatting). Otherwise audit start hangs or returns with an error.
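As an added example (not from the page or from IBM), the following POSIX sh lint applies the two rules above to a streamcmds file before you run audit start. The function name is my own; the good and bad sample files are constructed here from the lines shown above.

```shell
#!/bin/sh
# Added example: lint a streamcmds file against the two rules stated above
# before running "audit start":
#   1. every active line starts with auditstream (bare or /usr/sbin/auditstream)
#      and ends with '&', so audit start is not blocked by a foreground command;
#   2. no line is continued with a trailing backslash.
# Reads the file on stdin, prints one diagnostic per offending line and
# returns 1 if anything was flagged, 0 if the file is clean.
lint_streamcmds() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }                      # blank or comment line
        /\\[ \t]*$/ {                                           # rule 2
            printf "line %d: trailing backslash continuation\n", NR; bad = 1; next
        }
        $0 !~ "^[ \t]*(/usr/sbin/)?auditstream([ \t]|$)" {      # rule 1a
            printf "line %d: does not start with auditstream\n", NR; bad = 1
        }
        $0 !~ /&[ \t]*$/ {                                      # rule 1b
            printf "line %d: not backgrounded (no trailing &)\n", NR; bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample 1: the stream commands shown above, which must pass.
GOOD_STREAMCMDS='auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &
auditstream -m -c files >>/audit/files.bin &
auditstream -m -c tcpip >>/audit/tcpip.bin &
/usr/sbin/auditstream | auditpr -h eclrRdi -v | /usr/bin/logger -p local0.debug &'

# Constructed sample 2: a continued line, a foreground command and a line
# that does not start with auditstream; expected to produce four diagnostics.
BAD_STREAMCMDS='auditstream -m -c files \
  >>/audit/files.bin &
auditstream -m -c tcpip >>/audit/tcpip.bin
auditselect -e "result==FAIL" < /audit/trail | auditpr -v &'

printf '%s\n' "$GOOD_STREAMCMDS" | lint_streamcmds && echo "good sample: clean"
printf '%s\n' "$BAD_STREAMCMDS" | lint_streamcmds || echo "bad sample: rejected, as expected"
```

Run it against the real file with `lint_streamcmds < /etc/security/audit/streams.004` before each audit start; a non-zero exit means the file would hang or fail the start.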
A sample output in syslog file is:
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Open root FAIL Wed Jan 30 23:07:03 2013 date
Jan 30 23:07:03 x054 local1:warn|warning audit: flags: 0 mode: 0 fd: 3 filename /usr/share/lib/zoneinfo//posixrules
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat root FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 10 filename: /var/log/blockip/noact.log
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /usr/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /opt/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /etc/audit
Jan 30 23:13:17 x054 auth|security:info sshd[8323294]: Bad protocol version identification 'abcd' from 192.168.129.121
The last entry comes from sshd itself, logging to the auth facility, rather than from the audit pipeline on local1.
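An added example, not part of the original page: three POSIX sh/awk functions that turn syslog lines in the format above into a failure report. Each audit record arrives as two lines tagged "audit:" (a header with event, user, status, date and command, then a detail line with the arguments), so the first function pairs them; the others count FAIL records per user and event and flag users above a threshold. The function names are mine; the sample input is the syslog excerpt above, embedded as a constructed string.

```shell
#!/bin/sh
# Added example: detection logic over the syslog output of the audit pipeline.
# Header line:  ... audit: EVENT USER STATUS DATE COMMAND
# Detail line:  ... audit: <arguments, e.g. "cmd: 0 filename: /etc/audit">
# All functions read syslog text on stdin.

# One line per FAIL record: USER EVENT COMMAND FILENAME. Joins each header
# with the detail line that follows it; FILENAME is '-' when absent.
audit_fail_records() {
    awk '
        $6 == "audit:" && $9 == "FAIL" { ev = $7; user = $8; cmd = $NF; pending = 1; next }
        $6 == "audit:" && pending {
            file = "-"
            if (match($0, /filename:? +[^ ]+/)) {
                file = substr($0, RSTART, RLENGTH); sub(/^filename:? +/, "", file)
            }
            print user, ev, cmd, file; pending = 0; next
        }
        { pending = 0 }                 # any other line breaks the header/detail pair
    '
}

# COUNT USER EVENT for every FAIL combination, most frequent first.
audit_fail_summary() {
    awk '$6 == "audit:" && $9 == "FAIL" { n[$8 " " $7]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# USER COUNT for every user with at least $1 FAIL records, sorted by user.
audit_fail_alert() {
    awk -v thr="$1" '$6 == "audit:" && $9 == "FAIL" { n[$8]++ }
         END { for (u in n) if (n[u] >= thr) print u, n[u] }' | sort
}

# Constructed sample: the syslog excerpt shown above.
SAMPLE_SYSLOG='Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Open root FAIL Wed Jan 30 23:07:03 2013 date
Jan 30 23:07:03 x054 local1:warn|warning audit: flags: 0 mode: 0 fd: 3 filename /usr/share/lib/zoneinfo//posixrules
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat root FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 10 filename: /var/log/blockip/noact.log
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /usr/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /opt/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /etc/audit
Jan 30 23:13:17 x054 auth|security:info sshd[8323294]: Bad protocol version identification '"'"'abcd'"'"' from 192.168.129.121'

printf '%s\n' "$SAMPLE_SYSLOG" | audit_fail_records      # five USER EVENT COMMAND FILENAME lines
printf '%s\n' "$SAMPLE_SYSLOG" | audit_fail_summary      # first line: 3 michael FILE_Stat
printf '%s\n' "$SAMPLE_SYSLOG" | audit_fail_alert 3      # michael 3
```

On a live system feed the syslog file instead of the sample, for example `audit_fail_alert 20 < /var/log/audit.log`; the three michael FILE_Stat failures above are a user probing for the audit binary, which is exactly the pattern the alert threshold is meant to surface.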
==== Print audit report ====
To check that auditing is configured correctly, perform a few audited actions (for example the SSH logins covered below) and then print the binary trail with auditpr:
auditpr -v < /audit/trail
==== Start/Stop audit process ====
To start auditing at boot, add the following line to the system initialization file (/etc/rc):
/usr/sbin/audit start 1>&- 2>&-
Stop audit process:
/usr/sbin/audit shutdown
Also add an audit shutdown call to /etc/rc.shutdown, and keep an **exit 0** as the last line of that file: if /etc/rc.shutdown exits with a non-zero status, the shutdown command aborts.
===== Auditing in OpenSSH =====
Add the following new class to the classes stanza of the /etc/security/audit/config file, on a single line:
sshclass = SSH_failnone,SSH_failpasswd,SSH_failkbdint,SSH_failpubkey,SSH_failhstbsd,SSH_failgssapi,SSH_invldusr,SSH_nologin,SSH_connclose,SSH_auditknwn,SSH_rootdned,SSH_exceedmtrix,SSH_connabndn,SSH_authsuccess
In the /etc/security/audit/events file, append the following events:
SSH_failnone = printf "%s"
SSH_failpasswd = printf "%s"
SSH_failkbdint = printf "%s"
SSH_failpubkey = printf "%s"
SSH_failhstbsd = printf "%s"
SSH_failgssapi = printf "%s"
SSH_invldusr = printf "%s"
SSH_nologin = printf "%s"
SSH_connclose = printf "%s"
SSH_auditknwn = printf "%s"
SSH_authsuccess = printf "%s"
SSH_rootdned = printf "%s"
SSH_exceedmtrix = printf "%s"
SSH_connabndn = printf "%s"
Add the new class (sshclass) to the auditclasses attribute of each user you want to audit.
If the user already has classes to audit, append sshclass to that list rather than replacing it. For example, the root user already has the following:
[root@prnim01]/etc/security/audit# lsuser -a auditclasses root
auditclasses=general,tcpip
[root@prnim01]/etc/security/audit# chuser auditclasses=general,tcpip,sshclass root
[root@prnim01]/etc/security/audit# lsuser -a auditclasses ALL
root auditclasses=general,tcpip,sshclass
daemon
bin
You can also change the default settings for user creation in **/usr/lib/security/mkuser.default**, and/or set the default audit classes in the users stanza of **/etc/security/audit/config** (class names are case-sensitive and must match the classes stanza):
users:
root = general
joe = general, files, tcpip
default = general
Restart the audit processes:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start
Now open an ssh connection and read the audit log with:
auditpr -v < /audit/trail
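The OpenSSH procedure as a whole, as an added example that is not from the page: a POSIX sh script with the two checks a practitioner wants before restarting audit. It lists every event named in sshclass that has no entry in the events file (the entries appended above are what give auditpr a format for each event), and it appends sshclass to a user's existing auditclasses value without duplicating it. The config and events fragments are constructed samples written to temporary files; function names and paths are mine, and the lsuser/chuser lines are shown as comments because they only exist on the AIX host.

```shell
#!/bin/sh
# Added example: verify the sshclass setup before "audit shutdown; audit start".
# The config/events fragments below are constructed samples in temp files,
# not the live /etc/security/audit/config and events files.

# Events listed for class $2 in config file $1, one per line.
class_events() {
    awk -F'=' -v cls="$2" '
        $1 ~ ("^[ \t]*" cls "[ \t]*$") {
            gsub(/[ \t]/, "", $2)
            n = split($2, ev, ",")
            for (i = 1; i <= n; i++) if (ev[i] != "") print ev[i]
        }' "$1"
}

# Event names that have a "NAME = format" entry in events file $1.
defined_events() {
    awk -F'=' '/^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { gsub(/[ \t]/, "", $1); print $1 }' "$1"
}

# Events of class $3 (from config $1) that have no entry in events file $2.
missing_events() {
    defs=$(defined_events "$2")
    for ev in $(class_events "$1" "$3"); do
        printf '%s\n' "$defs" | grep -qx -- "$ev" || printf '%s\n' "$ev"
    done
}

# $1: current auditclasses value as lsuser prints it (comma-separated, no spaces,
# may be empty); $2: class to add. Prints the merged list, idempotently.
merge_auditclasses() {
    case ",$1," in
        *",$2,"*) printf '%s\n' "$1" ;;
        *) if [ -z "$1" ]; then printf '%s\n' "$2"; else printf '%s,%s\n' "$1" "$2"; fi ;;
    esac
}

CFG=${TMPDIR:-/tmp}/audit_config.$$     # constructed sample, placeholder path
EVT=${TMPDIR:-/tmp}/audit_events.$$     # constructed sample, placeholder path
trap 'rm -f "$CFG" "$EVT"' EXIT
cat > "$CFG" <<'EOF'
classes:
    general = USER_SU,PASSWORD_Change,FILE_Unlink
    sshclass = SSH_failnone,SSH_failpasswd,SSH_connabndn,SSH_authsuccess
users:
    root = general
EOF
cat > "$EVT" <<'EOF'
auditpr:
    SSH_failnone = printf "%s"
    SSH_failpasswd = printf "%s"
    SSH_authsuccess = printf "%s"
EOF

echo "sshclass events with no entry in the events file:"
missing_events "$CFG" "$EVT" sshclass                 # SSH_connabndn
merge_auditclasses general,tcpip sshclass             # general,tcpip,sshclass
merge_auditclasses general,tcpip,sshclass sshclass    # general,tcpip,sshclass (unchanged)
merge_auditclasses "" sshclass                        # sshclass

# On the AIX host the same merge feeds chuser (not run here):
#   cur=$(lsuser -a auditclasses root | sed -n 's/^root auditclasses=//p')
#   chuser auditclasses="$(merge_auditclasses "$cur" sshclass)" root
```

Point missing_events at the real files (`missing_events /etc/security/audit/config /etc/security/audit/events sshclass`) after editing them; an empty result means every event in the class has a format entry, and only then restart audit.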