http://www.redbooks.ibm.com/abstracts/sg246396.html?Open
https://www-01.ibm.com/support/docview.wss?uid=isg3T1000212
https://www.ibm.com/developerworks/aix/library/au-audit_filter/index.html
First create a separate filesystem, /audit, of for example 2 GB, so that the audit trail cannot fill up /.
The basic step is to edit /etc/security/audit/config, set streammode = on, and point it at an improved streamcmds file. As an example, an excerpt of my config file looks like this:
start:
        binmode = on
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 102400
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

stream:
        cmds = /etc/security/audit/streams.004
The streams.004 file then looks like this:
auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &
auditstream -m -c files >>/audit/files.bin &
auditstream -m -c tcpip >>/audit/tcpip.bin &
You can also use:
/usr/sbin/auditstream | auditpr -h eclrRdi -v | /usr/bin/logger -p local0.debug &
Note that every command in streamcmds starts with auditstream, and all of them run in the background (trailing &). If they do not, audit start fails.
In addition, each auditstream command must be on a single line (no trailing \ escapes to break a line for readability). Otherwise the audit start command hangs or returns an error.
A sample of the output in the syslog file is:
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Open root FAIL Wed Jan 30 23:07:03 2013 date
Jan 30 23:07:03 x054 local1:warn|warning audit: flags: 0 mode: 0 fd: 3 filename /usr/share/lib/zoneinfo//posixrules
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat root FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 10 filename: /var/log/blockip/noact.log
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /usr/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /opt/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /etc/audit
Jan 30 23:13:17 x054 auth|security:info sshd[8323294]: Bad protocol version identification 'abcd' from 192.168.129.121
The last entry is from the application sshd writing to the auth syslog rather than local1.
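Once the records land in syslog this way, the verbose auditpr output is split over two lines per event (the header with event, user, status, time and command, then the detail line), which a log collector has to stitch back together. The following is an added example, not code from the page or from IBM, that parses the syslog format shown above on a constructed sample and counts FAIL events per user; the header layout it assumes is the one auditpr -v produces in the sample.

```python
import re
from collections import Counter

# Constructed sample: audit records relayed by the streams.004 pipeline
# (auditpr -v | logger -t audit) plus one unrelated sshd line on auth.
SAMPLE_SYSLOG = """\
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Open root FAIL Wed Jan 30 23:07:03 2013 date
Jan 30 23:07:03 x054 local1:warn|warning audit: flags: 0 mode: 0 fd: 3 filename /usr/share/lib/zoneinfo//posixrules
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /usr/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat michael FAIL Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit: cmd: 0 filename: /etc/audit
Jan 30 23:13:17 x054 auth|security:info sshd[8323294]: Bad protocol version identification 'abcd' from 192.168.129.121
"""

# Header line as written by auditpr -v: event, login name, status, time, command.
HEADER_RE = re.compile(
    r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ audit: "
    r"(?P<event>[A-Za-z_]+) (?P<user>\S+) (?P<status>OK|FAIL) "
    r"\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} (?P<cmd>\S+)$"
)
# Any other line tagged "audit:" is verbose detail belonging to the last header.
TAIL_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ \S+ audit: (?P<detail>.*)$")


def parse_audit_syslog(text):
    """Return one dict per audit event, with its detail lines attached."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["detail"] = []
            records.append(rec)
            continue
        m = TAIL_RE.match(line)
        if m and records:  # detail line: attach to the open record
            records[-1]["detail"].append(m.group("detail"))
        # lines from other facilities (e.g. sshd on auth) are ignored here
    return records


def failures_by_user(records):
    """Count FAIL events per login name (what the auditselect filter let through)."""
    return Counter(r["user"] for r in records if r["status"] == "FAIL")
```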
To check that auditing is configured correctly, run some SSH commands and then run auditpr to read the audit trail:
auditpr -v < /audit/trail
To start the audit process add the following line to the system initialization file (the /etc/rc file):
/usr/sbin/audit start 1>&- 2>&-
To stop the audit process:
/usr/sbin/audit shutdown
You also have to add the stop command to /etc/rc.shutdown, but always put an exit 0 at the end of that file so that the shutdown process succeeds.
Add the following new class to the /etc/security/audit/config file:
sshclass = SSH_failnone,SSH_failpasswd,SSH_failkbdint,SSH_failpubkey,SSH_failhstbsd,SSH_failgssapi,SSH_invldusr,SSH_nologin,SSH_connclose,SSH_auditknwn,SSH_rootdned,SSH_exceedmtrix,SSH_connabndn,SSH_authsuccess
In the /etc/security/audit/events file, append the following events:
SSH_failnone = printf "%s"
SSH_failpasswd = printf "%s"
SSH_failkbdint = printf "%s"
SSH_failpubkey = printf "%s"
SSH_failhstbsd = printf "%s"
SSH_failgssapi = printf "%s"
SSH_invldusr = printf "%s"
SSH_nologin = printf "%s"
SSH_connclose = printf "%s"
SSH_auditknwn = printf "%s"
SSH_authsuccess = printf "%s"
SSH_rootdned = printf "%s"
SSH_exceedmtrix = printf "%s"
SSH_connabndn = printf "%s"
Add the new class name (sshclass) to the audit classes of each user you want to audit.
If the root user already has a set of audit classes, append sshclass to that list. For example, root already has the following:
[root@prnim01]/etc/security/audit# lsuser -a auditclasses root
root auditclasses=general,tcpip
[root@prnim01]/etc/security/audit# chuser auditclasses=general,tcpip,sshclass root
[root@prnim01]/etc/security/audit# lsuser -a auditclasses ALL
root auditclasses=general,tcpip,sshclass
daemon
bin
You can also change the default settings used at user creation in /usr/lib/security/mkuser.default
and/or set the default audit classes in the users stanza of /etc/security/audit/config:
users:
        root = general
        joe = general,files,TCPIP
        default = general
Restart the audit processes:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start
Now try an ssh connection and read the audit log using
auditpr -v < /audit/trail