AIX Audit API Enhancements

By Manjunath A Pattanshetti posted Wed December 11, 2024 05:57 AM

The audit subsystem captures security-relevant information that can be analyzed to detect potential and actual violations of the system security policy. Endpoint detection and response (EDR) solutions help organizations find suspicious activity and respond to it quickly to minimize damage to production systems. On AIX, such EDR solutions can use the audit APIs to fetch audit event records.

Starting with AIX Version 7.3 TL3, the audit() API was enhanced with two new flags that improve the AIX audit subsystem's capability and ease of use.

Control the default user audit configuration:

The audit subsystem provides system calls such as auditevents(), auditproc() and audit() to configure and manage auditing on AIX. These calls register audit classes and audit events, enable auditing on currently running processes, and manage the audit lifecycle. To establish the audit activities for a user, the chuser command can be used with the 'auditclasses' attribute. These classes must be registered in the classes stanza of the "/etc/security/audit/config" file. The users stanza in "/etc/security/audit/config" defines the audit classes (sets of events) for each user. Each UserName attribute must be the login name of a system user or the string "default". The "default" entry covers auditing for any user, including any new users created later.

The auditevents() subroutine sets the audit class definitions that control event auditing; each audit class is a set of one or more audit events. The auditproc() subroutine queries or sets the auditing state of a process. Using only the audit() system call, it was not possible to mimic the behavior of the "default" entry in the users stanza described above. A new flag, AUDIT_SET_DEFAULT_USER_CLASS, is therefore added to the audit() system call. It is specified as follows:

audit(AUDIT_ON, AUDIT_FULLPATH | AUDIT_SET_DEFAULT_USER_CLASS);

When this flag is set, it mimics the behavior of the "default" entry in the users stanza: whenever any user, including a newly created user, logs in, the classes/events registered with auditevents() are applied to all processes in that user's session.

The following example program enables auditing with the new flag.

#include <sys/audit.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* bzero(), bcopy() */
#include <unistd.h>     /* pause() */
#include <signal.h>
#include <sys/signal.h>

/* SIGINT handler: turn auditing off and clear the audit configuration */
void sigquit(int signo) {
  printf("Audit Reset\n");
  if(audit(AUDIT_RESET, 0) < 0){
    printf("audit reset failed %d\n",errno);
    exit(1);
  }
  exit(0);
}

int main() {
  struct audit_class ae;
  /* One audit class is registered; you can register multiple classes as well */
  char TmpClass[] = "TEMP1\0";
  /* Events are NUL-separated and the list ends with an empty string;
   * the total length includes those NUL characters */
  char Events[] = "FILE_Open\0File_Close\0\0";
  int len;
  static struct sigaction mysig;

  mysig.sa_handler = (void (*)(int))sigquit;
  SIGINITSET(mysig.sa_mask);
  mysig.sa_flags = 0;
  sigaction(SIGINT,&mysig,(struct sigaction *)NULL);

  printf("Init the audit ...\n");

  /* Build the class definition handed to auditevents() */
  len = sizeof(Events);
  ae.ae_name = TmpClass;
  ae.ae_list = (char *)malloc(len);
  if(ae.ae_list == NULL){
    perror("malloc failed");
    exit(1);
  }
  bzero(ae.ae_list, len);
  bcopy(Events, ae.ae_list, len);
  ae.ae_len = len;

  printf("Registering audit classes/events ...\n");
  if(auditevents(AUDIT_SET, &ae, 1) < 0){
    printf("auditevents failed %d\n",errno);
    exit(1);
  }
  free(ae.ae_list);

  printf("Start the audit ...\n");
  if((audit(AUDIT_ON, AUDIT_FULLPATH|AUDIT_SET_DEFAULT_USER_CLASS)) < 0){
    perror("audit failed");
    printf("Audit cannot be turned on\n");
    exit(1);
  }

  printf("Set audit to all current procs ...\n");
  /* Set audit to process of interest using auditproc() syscall
   * Ex: auditproc (pi_pid, AUDIT_EVENTS, TmpClass, 7)
   */
  printf("Auditing Started ...\n");

  /* Keep the process alive; auditing stays on until SIGINT triggers the reset */
  for(;;)
    pause();

  return 0;
}
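The Events buffer in the program above uses a format that is easy to get wrong: every name is followed by its own NUL, and the whole list is closed by an empty string (a second NUL), with ae_len counting all of those bytes. The same encoding is used for the class list that the auditproc() comment passes with length 7 ("TEMP1" plus two NULs). The following added example is not part of the original post; it is plain ISO C that builds such a list from an ordinary array of strings and validates that a buffer of a given length really carries its terminator, which is the check to make before handing ae_list and ae_len to the kernel. The function names build_event_list and count_event_list are this example's own, and the input list is constructed here. It also shows that sizeof() on the literal in the program above yields 23, one NUL more than the 22 bytes the list needs, which is harmless but worth understanding.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not part of the original post: builds and validates the
 * NUL-separated, double-NUL-terminated list that the program above stores
 * in struct audit_class.ae_list ("FILE_Open\0File_Close\0\0").
 * Plain ISO C; it does not call any AIX audit routine. */

/* Build "name1\0name2\0...\0\0" from an array of event (or class) names.
 * Returns a malloc'd buffer and stores its total byte length, including the
 * terminating double NUL, in *out_len; returns NULL if n is zero, a name is
 * empty (an empty string would end the list early) or malloc fails. */
char *build_event_list(const char *const *names, size_t n, size_t *out_len)
{
    size_t total = 1;                     /* the final, empty-string NUL */
    if (n == 0) return NULL;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(names[i]);
        if (l == 0) return NULL;
        total += l + 1;                   /* name plus its own NUL */
    }
    char *buf = malloc(total);
    if (buf == NULL) return NULL;
    char *p = buf;
    for (size_t i = 0; i < n; i++) {
        size_t l = strlen(names[i]) + 1;
        memcpy(p, names[i], l);           /* copies the NUL as well */
        p += l;
    }
    *p = '\0';                            /* second NUL closes the list */
    *out_len = total;
    return buf;
}

/* Count the entries in a list of at most len bytes.  Returns -1 when no
 * terminating double NUL is found within len bytes, i.e. when ae_len is
 * too small for the list or the list lacks its terminator. */
int count_event_list(const char *buf, size_t len)
{
    int count = 0;
    size_t i = 0;
    while (i < len) {
        if (buf[i] == '\0')               /* empty entry: end of list */
            return count;
        size_t l = 0;
        while (i + l < len && buf[i + l] != '\0')
            l++;
        if (i + l >= len)                 /* name not NUL-terminated in range */
            return -1;
        count++;
        i += l + 1;
    }
    return -1;                            /* bytes ran out before the terminator */
}

int main(void)
{
    /* constructed input: the two events used by the program above */
    const char *events[] = { "FILE_Open", "File_Close" };
    size_t len = 0;
    char *list = build_event_list(events, 2, &len);
    if (list == NULL) {
        perror("build_event_list");
        return 1;
    }
    printf("ae_len = %zu, entries = %d\n", len, count_event_list(list, len));
    /* the literal in the program above carries one extra NUL from sizeof() */
    printf("sizeof literal = %zu\n", sizeof("FILE_Open\0File_Close\0\0"));
    free(list);
    return 0;
}
```

Run stand-alone it reports ae_len = 22 with 2 entries and a literal size of 23. Passing count_event_list a length one byte short (21) returns -1, because a single trailing NUL is not a terminated list; that is the case to reject before calling auditevents().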

Control TCPIP audit event monitoring:

The following TCPIP audit events are monitored only under a specific condition:

TCP_kbind, TCP_klisten, TCP_kaccept, TCP_kconnect, TCP_ksend, TCP_kreceive, TCP_kshutdown, TCP_ksetopt and TCP_kclose

When a socket descriptor is created by the socket or socketpair system call and auditing is enabled at that time, audit records are logged for the above events on that socket.

If auditing is enabled only after the socket descriptor has been created, none of the above events are audited for that socket. For EDR-style solutions this means a loss of critical TCPIP audit events. To overcome this limitation, a new flag, AUDIT_ENABLE_ALL_TCPK_EVENTS, is added to the audit() system call. It is specified as follows:

audit(AUDIT_ON, AUDIT_FULLPATH | AUDIT_ENABLE_ALL_TCPK_EVENTS);

A new parameter, tcp_enable_all_kevents, is also added so that users can configure this flag in the "/etc/security/audit/config" file; it is disabled by default. When the flag is set, it overrides the behavior above and captures the listed audit events regardless of when the socket descriptor was created.

When auditing is enabled on AIX for the above events with this new flag, audit query will display as below:
