AIX

AIX Audit Service Best Practices Recommendation for Config File

  • 1.  AIX Audit Service Best Practices Recommendation for Config File

    Posted Thu May 17, 2012 04:45 PM

    Originally posted by: Paulrichard10


    I am configuring AIX Audit Service on an initial AIX lpar and plan on implementing on all our AIX lpars. I have taken the default config in the /etc/security/audit directory and made some modifications to it (e.g. adding user names and associating the users with a class).

    The question is: are there any recommendations available for the config file beyond what is specified in the default config file - as to best practices? Any help will be appreciated. THX.

    Regards, Paul


  • 2.  Re: AIX Audit Service Best Practices Recommendation for Config File

    Posted Mon March 14, 2016 01:40 AM

    Originally posted by: yseo


    Hi Paul, 

    Did you receive any answers on this? Looking through the audit conf, there are a lot of options and I didn't find really good documentation on it, especially for AD users on the system.
    Also, I am looking for some examples to balance between system performance and audit requirements (PCI-DSS).




  • 3.  Re: AIX Audit Service Best Practices Recommendation for Config File

    Posted Fri March 18, 2016 07:50 AM

    Originally posted by: amitag


    When you say audit config, I assume that you are looking for the events which can be configured. This varies from company to company as per their organization policies and requirements. Some recommendations are:

    1.  In the AIX Security PDF (http://public.dhe.ibm.com/systems/power/docs/aix/72/security_pdf.pdf), on page 136 under the section "Event selection", general recommendations are given, which can be referred to. You can refer to the "audit system" section for more detail.

    2.  The Redbook (http://www.redbooks.ibm.com/redbooks/pdfs/sg246020.pdf), on page 143 under the section "Appendix A. Audit events", contains the descriptions of the events, which can be selected as per the organization's needs. You can refer to chapter 2 for more detail.

    3.  These are some recommendations, mostly based on security events generated on the system. This list can be evaluated and further modified as per the organization's needs. These events are a subset of the events shipped with AIX, and they are classified into two groups: "MUST have" and "Good to have" (shown as empty in the table).


    | Events | Information capture | Required? |
    |---|---|---|
    | PROC_Execute | printf "euid: %d egid: %d epriv: %x:%x name %s" | MUST |
    | FILE_WriteXacl | printf "path: %s, ACL: %C" | |
    | PROC_Privilege | printf "cmd: %x privset: %x:%x" | |
    | PROC_Kill | printf "pid: %d, sig: %d" | MUST |
    | PROC_SetGroups | printf "group set: %G" | |
    | PROC_Sysconfig | printf "%x" | |
    | PROC_SetRoles | printf "rc: %d numroles: %d roleset: %d,%d,%d,%d,%d,%d,%d,%d" | MUST |
    | AUD_It | printf "cmd: %d arg: %d" | MUST |
    | FILE_Write | printf "file descriptor = %d filename = %s" | |
    | FILE_Link | printf "linkname %s filename %s" | |
    | FILE_Unlink | printf "filename %s" | MUST |
    | FILE_Rename | printf "frompath: %s topath: %s" | MUST |
    | FILE_Owner | printf "owner: %d group: %d filename %s" | MUST |
    | FILE_Mode | printf "mode: %o filename %s" | MUST |
    | FILE_Fchmod | printf "mode: %o file descriptor %d" | |
    | FILE_Fchown | printf "owner: %d group: %d file descriptor %d" | |
    | FS_Mount | printf "mount: object %s stub %s" | |
    | FS_Umount | printf "umount: object %s stub %s" | MUST |
    | FILE_Acl | printf "filename: %s, ACL: %A" | |
    | FILE_Privilege | printf "pcl: %d" | |
    | FILE_Chpriv | printf "file: %s, pcl: %P" | |
    | FS_Chroot | printf "change root directory to: %s" | |
    | FS_Rmdir | printf "remove of directory: %s" | MUST |
    | FS_Mkdir | printf "mode: %o dir: %s" | |
    | USER_Login | printf "user: %s tty: %s" | MUST |
    | PORT_Locked | printf "Port %s locked due to invalid login attempts" | MUST |
    | TERM_Logout | printf "%s" | MUST |
    | USER_Exit | printf "tty: %s" | MUST |
    | USRCK_Error | printf "%s %s" | |
    | USER_Logout | printf "%s" | MUST |
    | PORT_Change | printf "Changed attributes of port %s; new values: %s" | |
    | USER_Change | printf "%s %s" | MUST |
    | USER_Remove | printf "%s" | MUST |
    | USER_Create | printf "%s %s" | MUST |
    | USER_SetGroups | printf "%s %s" | |
    | USER_SetEnv | printf "environment %s" | |
    | USER_SU | printf "%s" | MUST |
    | USER_Chpass | printf "user: %s, msg: %s" | MUST |
    | USER_Locked | printf "user %s has been locked" | MUST |
    | USER_Unlocked | printf "user %s has been unlocked" | MUST |
    | GROUP_User | printf "grpck: removed user %s from %s in /etc/group" | MUST |
    | GROUP_Adms | printf "grpck: removed admin user %s from %s in /etc/security/group" | MUST |
    | GROUP_Change | printf "%s %s" | MUST |
    | GROUP_Create | printf "%s %s" | MUST |
    | GROUP_Remove | printf "%s" | MUST |
    | PASSWORD_Change | printf "%s" | MUST |
    | PASSWORD_Flags | printf "%s %s" | MUST |
    | PASSWORD_Check | printf "User = %s Error/Fix = %s Status = %s" | |
    | PASSWORD_Ckerr | printf "User/File = %s Error = %s" | |
    | SRC_Start | printf "%s" | MUST |
    | SRC_Stop | printf "%s" | MUST |
    | AT_JobAdd | printf "file name = %s User = %s time = %s" | MUST |
    | AT_JobRemove | printf "file name = %s User = %s" | MUST |
    | CRON_JobRemove | printf "file name = %s User = %s time = %s" | MUST |
    | CRON_JobAdd | printf "file name = %s User = %s time = %s" | MUST |
    | CRON_Start | printf "event = %s cmd = %s time = %s" | MUST |
    | CRON_Finish | printf "user = %s pid = %s time = %s" | MUST |
    | DEV_Configure | printf " device %s" | |
    | DEV_Change | printf " params = %s" | |
    | DEV_Create | printf "mode: %o dev: %d filename %s" | |
    | INSTALLP_Inst | printf "Option Name: %s Level: %s  Installation %s" | MUST |
    | INSTALLP_Exec | printf "Option Name: %s Level: %s  Executed Program %s" | MUST |
    | DEV_Stop | printf " device %s" | MUST |
    | DEV_UnConfigure | printf " device %s" | MUST |
    | DEV_Remove | printf " device %s" | MUST |
    | DSMIT_start | printf "%s" | MUST |
    | DSMIT_end | printf "%s" | MUST |
    | BACKUP_Export | printf " %s " | |
    | BACKUP_Priv | printf " %s " | |
    | RESTORE_Import | printf " %s " | MUST |
    | USER_Shell | printf "tty: %s " | |
    | USER_Reboot | printf " %s " | MUST |
    | PROC_Reboot | printf "cmd: %d  time: %T" | MUST |
    | LDAP_Bind | printf "ConnectID: %d Host: %s Port: %d BindDN: %s" | MUST |
    | LDAP_Unbind | printf "ConnectID: %d" | MUST |
    | LDAP_Add | printf "ConnectID: %d Entry: %s" | MUST |
    | LDAP_Delete | printf "ConnectID: %d Entry: %s" | MUST |
    | LDAP_Modify | printf "ConnectID: %d Entry: %s" | MUST |
    | LDAP_Modifydn | printf "ConnectID: %d NewEntry: %s OldEntry: %s" | MUST |
    | SEC_SetKst | printf "dauths=%d, droles=%d, dpcmds=%d, dpdevs=%d, rc=%d, status=%d" | MUST |
    | PROC_SetPDom | printf "pid = %d rc= %d" | |
    | LVM_ChangeLV | printf " %s " | MUST |
    | LVM_ChangeVG | printf " %s " | MUST |
    | LVM_CreateLV | printf " %s " | MUST |
    | LVM_CreateVG | printf " %s " | MUST |
    | LVM_DeleteVG | printf " %s " | MUST |
    | LVM_DeleteLV | printf " %s " | MUST |
    | LVM_VaryoffVG | printf " %s " | MUST |
    | LVM_VaryonVG | printf " %s " | MUST |
    | LVM_AddLV | printf "Logical Volume ID: %08x%08x%08x%08x.%d" | MUST |
    | LVM_KDeleteLV | printf "Logical Volume ID: %08x%08x%08x%08x.%d" | MUST |
    | LVM_ExtendLV | printf "Logical Volume ID: %08x%08x%08x%08x.%d %s" | MUST |
    | LVM_ReduceLV | printf "Logical Volume ID: %08x%08x%08x%08x.%d %s" | MUST |
    | LVM_KChangeLV | printf "Logical Volume ID: %08x%08x%08x%08x.%d %s" | MUST |
    | LVM_AvoidLV | printf "Logical Volume ID: %08x%08x%08x%08x.%d %s" | MUST |
    | LVM_MissingPV | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume Index: %d" | MUST |
    | LVM_AddPV | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume device(major,minor): %X" | MUST |
    | LVM_AddMissPV | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume Index: %d" | MUST |
    | LVM_DeletePV | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume Index: %d" | MUST |
    | LVM_RemovePV | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume Index: %d" | MUST |
    | LVM_AddVGSA | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume Index: %d" | MUST |
    | LVM_DeleteVGSA | printf "Volume Group ID: %08x%08x%08x%08x Physical Volume Index: %d" | MUST |
    | LVM_SetupVG | printf "Volume Group ID: %08x%08x%08x%08x" | MUST |
    | LVM_DefineVG | printf "Volume Group ID: %08x%08x%08x%08x" | MUST |
    | LVM_KDeleteVG | printf "Volume Group ID: %08x%08x%08x%08x" | MUST |
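As an added example (not code from any post in this thread), a small Python check for the kind of edits Paul describes to /etc/security/audit/config: it parses the stanza layout (a `name:` line opens a stanza, `key = value` lines belong to it) of copies of the config and events files, and reports class entries that are not defined events, MUST events from the table above that no user is audited for, and classes assigned to users that were never defined. The stanza text, the class grouping and the deliberate typo are constructed for this example; the event names are the stock AIX names from the table.

```python
# A few of the MUST events from the table above.
MUST_EVENTS = {"PROC_Execute", "PROC_Kill", "FILE_Unlink", "FILE_Rename",
               "USER_Login", "USER_Chpass", "CRON_JobAdd"}

# Constructed classes/users stanzas in /etc/security/audit/config layout (the grouping
# is this example's own). 'PROC_Kil' is a deliberate typo and CRON_JobAdd is left out
# of every class, so the checker has findings to report.
SAMPLE_CONFIG = """\
classes:
        accounts = USER_Chpass
        logins = USER_Login
        procs = PROC_Execute,PROC_Kil
        files = FILE_Unlink,FILE_Rename
users:
        root = accounts,logins,procs,files
        default = logins
"""

# Constructed excerpt of /etc/security/audit/events (stock AIX event names).
SAMPLE_EVENTS = """\
auditpr:
        PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s"
        PROC_Kill = printf "pid: %d, sig: %d"
        FILE_Unlink = printf "filename %s"
        FILE_Rename = printf "frompath: %s topath: %s"
        USER_Login = printf "user: %s tty: %s"
        USER_Chpass = printf "user: %s, msg: %s"
"""

def parse_stanzas(text):
    # 'name:' opens a stanza; 'key = value' lines belong to the open stanza.
    stanzas, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") and s[:-1].isidentifier():
            current, stanzas[s[:-1]] = s[:-1], {}
        elif current is not None and "=" in s:
            key, _, value = s.partition("=")  # first '=' only; values may contain '='
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def check_config(config_text, events_text, must=MUST_EVENTS):
    # Undefined class events, MUST events no user is audited for, unknown classes.
    cfg = parse_stanzas(config_text)
    defined = set(parse_stanzas(events_text).get("auditpr", {}))
    split = lambda v: [x.strip() for x in v.split(",") if x.strip()]
    classes = {n: split(v) for n, v in cfg.get("classes", {}).items()}
    assigned = {c for v in cfg.get("users", {}).values() for c in split(v)}
    covered = {e for c in assigned for e in classes.get(c, [])}
    return {"undefined": sorted({e for v in classes.values() for e in v} - defined),
            "missing_must": sorted(must - covered),
            "unknown_classes": sorted(assigned - set(classes))}
```

On the constructed input this reports `PROC_Kil` as undefined and `CRON_JobAdd` and `PROC_Kill` as MUST events nobody is audited for; run it against the real files before `audit start` so a typo does not silently drop an event from the trail.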