AIX


AIX auditing / CPU starvation due to ssh FILE_CLOSE messages flooding syslog

  • 1.  AIX auditing / CPU starvation due to ssh FILE_CLOSE messages flooding syslog

    Posted Fri August 16, 2024 03:04 AM

    Hello,

    We changed our AIX auditing from BIN mode to STREAM mode to be able to capture audit data to syslog and forward also that data to our rsyslog/SIEM server.

    But on one AIX server, which has a huge amount of scp / sftp / ssh activity, we ended up with the audit process eating ALL available CPU; and checking syslog, it was being flooded with the following lines:

    Aug 14 08:09:46 <hostname> user:notice <user> :         file descriptor = 34789 FILE_Close      ssh-user-exec                   root     root     FAIL        14 Aug 2024 08:03:49.065145  No associated roles              

     + similar  FILE_Open,  FILE_Close

    I haven't been digging much on AIX auditing especially, so asking advice how to treat this:

    1) Should I be concerned about those lines = Do we have some basic settings (on AIX / ssh level etc)  undefined, which should be on place?

    or 

    2) Are these like "normal" lines, which could be filtered out / excluded from Auditing ?

    Any experience, anyone? 

    Br,

    tommi



    ------------------------------
    Tommi Sihvo, Lead Service Architect
    Tietoevry Tech Services
    email tommi.sihvo@tietoevry.com mobile +358 (0)40 5180 Finland
    ------------------------------


  • 2.  RE: AIX auditing / CPU starvation due to ssh FILE_CLOSE messages flooding syslog

    Posted Mon August 19, 2024 05:03 AM

    Hi Tommi,

    I can't say anything about how you get the event into your logs, but:

    • I hope you DON'T use standard AIX syslog for this task ;-) Install rsyslog on AIX. It should be more performant and will give you encryption between your AIX rsyslog and the rsyslog server. You can also forward your audit messages directly to the rsyslog server without saving them on AIX.
    • You can configure the event classes you want to monitor in /etc/security/audit/config. Don't audit everything possible, only the events your security department really needs. Ask them what they need (and why they need it ;-) If they want to know when users log in and out, they don't need audit for this. They can use standard SSH logs.
    • After you have configured audit classes, you can assign them to users. You define one set of classes as the default, and another set for specific users.

    Regarding the FILE_Open and FILE_Close messages: if you look into /etc/security/audit/events, you'll see that they produce additional text. FILE_Open writes the path to the file and its descriptor into the auditing information. FILE_Close writes which file descriptor was closed. Generally I'd never look at FILE_Close problems ;-) But FILE_Open will give more of a clue about which file ssh tried to open and failed.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
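The two practical steps in the reply above, finding out which event class is generating the flood and checking which classes a user actually gets from /etc/security/audit/config, can be scripted. The following is an added example, not code from the thread or from IBM: the stream lines and the config stanzas are constructed here to mirror the line quoted in the question and the stanza layout of the AIX config file; the class names `general` and `files` are this example's own choice, and the event names other than FILE_Open/FILE_Close (USER_SU, USER_Login, PASSWORD_Change, ...) should be checked against /etc/security/audit/events on your system before reuse.

```shell
#!/bin/sh
# Added example (not from the thread): tally streamed audit lines by event,
# and resolve which events a login actually gets audited for under a config.
# SAMPLE_STREAM and SAMPLE_CONFIG are constructed sample data.

# Constructed stream lines, shaped like the quoted one: free text, then the
# event name, command, login user, real user, status, timestamp.
SAMPLE_STREAM='Aug 14 08:09:46 host user:notice root :         file descriptor = 34789 FILE_Close      ssh-user-exec   root     root     FAIL   14 Aug 2024 08:03:49.065145  No associated roles
Aug 14 08:09:46 host user:notice root :         file descriptor = 34790 FILE_Close      ssh-user-exec   root     root     FAIL   14 Aug 2024 08:03:49.065201  No associated roles
Aug 14 08:09:46 host user:notice root :         /etc/ssh/sshd_config FILE_Open      ssh-user-exec   root     root     FAIL   14 Aug 2024 08:03:49.065300  No associated roles
Aug 14 08:09:47 host user:notice alice :        USER_Login      sshd   alice     alice     OK   14 Aug 2024 08:03:50.000001  No associated roles
Aug 14 08:09:48 host user:notice root :         file descriptor = 34791 FILE_Close      ssh-user-exec   root     root     FAIL   14 Aug 2024 08:03:51.000001  No associated roles'

# Constructed config: a narrow "general" class as the default, and a
# separate "files" class that is deliberately assigned to nobody.
SAMPLE_CONFIG='start:
        binmode = off
        streammode = on

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,USER_Change,GROUP_Change
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close

users:
        root = general
        default = general'

# Count lines per (event, command, status), busiest first. The event name is
# the first token of the form WORD_Word; command and status follow it.
audit_event_tally() {
    printf '%s\n' "$SAMPLE_STREAM" | awk '
    {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Z][A-Z]*_[A-Za-z]+$/) {
                key = $i " " $(i+1) " " $(i+4)   # event command status
                count[key]++
                break
            }
        }
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Name of the single noisiest event in the sample.
noisiest_event() {
    audit_event_tally | head -n 1 | awk '{ print $2 }'
}

# Events listed for a class in the classes: stanza.
class_events() {
    printf '%s\n' "$SAMPLE_CONFIG" | awk -v cls="$1" '
    /^[a-z]+:$/ { stanza = $1; next }
    stanza == "classes:" && $1 == cls { print $3 }'
}

# Classes assigned to a login in the users: stanza, falling back to "default".
audit_classes_for_user() {
    printf '%s\n' "$SAMPLE_CONFIG" | awk -v user="$1" '
    /^[a-z]+:$/ { stanza = $1; next }
    stanza == "users:" && $1 == user      { found = $3 }
    stanza == "users:" && $1 == "default" { dflt = $3 }
    END { print (found != "" ? found : dflt) }'
}

# usage: user_audits_event <login> <event>; exit 0 if that login is audited
# for the event under SAMPLE_CONFIG, 1 otherwise.
user_audits_event() {
    classes=$(audit_classes_for_user "$1")
    for cls in $(printf '%s\n' "$classes" | tr ',' ' '); do
        case ",$(class_events "$cls")," in
            *",$2,"*) return 0 ;;
        esac
    done
    return 1
}

# Run stand-alone: show the tally and whether root would emit FILE_Close.
audit_event_tally
if user_audits_event root FILE_Close; then
    echo "root is audited for FILE_Close"
else
    echo "root is NOT audited for FILE_Close"
fi
```

On a real host, replace `SAMPLE_STREAM` with the lines pulled from syslog and `SAMPLE_CONFIG` with `cat /etc/security/audit/config`; the tally shows at a glance which (event, command) pair is responsible for the volume, and `user_audits_event` confirms that the narrowed class assignment really drops it before you restart auditing.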



  • 3.  RE: AIX auditing / CPU starvation due to ssh FILE_CLOSE messages flooding syslog

    Posted Tue August 20, 2024 11:35 PM

    Ciao Andrey,

    Never crossed my mind to go with standard syslog here.. ;-)  :D :D :D 

    Thanks for the help once again; I will dig into the rsyslog setup, it looks pretty much like configuring that properly will tackle our issues  :)

    Br,

    tommi



    ------------------------------
    Tommi Sihvo, Lead Service Architect
    Tietoevry Tech Services
    email tommi.sihvo@tietoevry.com mobile +358 (0)40 5180 Finland
    ------------------------------