AIX

  • 1.  Audit bin mode trail config

    Posted Tue December 09, 2008 06:51 AM

    Originally posted by: usrb


    Hi all,

    does anyone have experience with setting up auditing on AIX 6.1?
    I have a problem with turning off ALL class. I do not specify it in /etc/security/audit/config, but when I start audit, and hit audit query command, it audits ALL class with classes I define. It is very important to disable it because there is huge amount of logs generated.


  • 2.  Re: Audit bin mode trail config

    Posted Fri December 12, 2008 06:00 AM

    Originally posted by: usrb


    Nobody has any clue?

    To quote Auditing and Accounting on AIX redbook (2.4 Recommendations for auditing):

    "On systems with little memory or CPU power, we do not recommend starting the
    audit subsystem automatically; instead, have it ready to be launched, especially
    if you plan to audit the ALL class. Also, we recommend configuring the auditing to
    avoid the use of the ALL class, because this may make it even more difficult to
    detect an intruder or a security breach in the large amount of data generated by
    auditing the ALL class."

    Nowhere is it written how and where to turn it off! I'm pissed at IBM :-)


  • 3.  Re: Audit bin mode trail config

    Posted Fri December 12, 2008 12:44 PM

    Originally posted by: CRM


    I feel that your last comment is not the most constructive. This forum is strictly people spending their own time to try and help others.

    If you need urgent help then your first port of call should always be to raise a PMR with IBM support.

    I have set up auditing before and it worked fine; the most obvious cause for this would be misconfiguration. If you post your config file there may be something that jumps out.

    regards

    Chris


  • 4.  Re: Audit bin mode trail config

    Posted Fri December 19, 2008 10:44 AM

    Originally posted by: usrb


    Sorry for my unconstructive comment, but I'm a little bit crazy with this unsolved situation.
    Here is my conf, so if anybody can help, please do.

    start:
    binmode = on
    streammode = off

    bin:
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 10240
    cmds = /etc/security/audit/bincmds
    freespace = 4194303

    # stream:
    # cmds = /etc/security/audit/streamcmds

    classes:
    general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
    files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create
    tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate,TCPWrapper
    lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG

    users:
    root = general,files,tcpip,lvm


  • 5.  Re: Audit bin mode trail config

    Posted Mon December 29, 2008 04:02 AM

    Originally posted by: CRM


    OK,

    The last line here:

    root = general,files,tcpip,lvm

    should be turning on auditing for the general, files, tcpip and lvm classes for the ROOT user:

    To establish the audit activities for each user, use the chuser
    command with the auditclasses attribute for each user for whom you
    want to define audit classes (sets of audit events):

    chuser "auditclasses=general,init,system" dave
    chuser "auditclasses=general,init" mary

    These chuser commands create the following lines in the users
    stanza of the /etc/security/audit/config file:

    users:
    dave=general,init,system
    mary=general,init

    This configuration includes dave, the administrator of the system,
    and mary, an employee who updates information.

    If you are getting a deluge of auditing events, this is because the root user has all of these classes active.

    See the chuser command above to turn auditing on and off for the users you are interested in.

    regards

    Chris


  • 6.  Re: Audit bin mode trail config

    Posted Mon December 29, 2008 05:52 AM

    Originally posted by: usrb


    Under the line "root = general,files,tcpip,lvm" I have a few more human users who are added with the classes general, files and tcpip, and now ALL class.

    This is the output of audit query command when audit is running:

    auditing on
    audit bin manager is process 229506
    audit events:
    general - USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
    files - FILE_Unlink,FILE_Link,FILE_Rename,FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create
    tcpip - TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate,TCPWrapper
    lvm - LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG
    ALL - S_DENY_WRITE,S_ALLOW_WRITE,AUD_CONFIG_WR,S_USER_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_LOGIN_WRITE,S_LIMITS_WRITE,S_GROUP_WRITE,S_ENVIRON_WRITE,USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver,PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer,FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,SHM_Close,SHM_Owner,SHM_Mode,SENDMAIL_Config,SENDMAIL_ToFile,AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish,TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate,TCPWrapper,IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,IKE_activat_cmd,IKE_remove_cmd,LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG,LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare,AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,AACCT_NotChange,AACCT_NotifyOff,AUD_It,PROC_Adjtime,FILE_Stat,FILE_Pipe,FILE_Accessx,FILE_Dupfd,PROC_Load,PROC_LoadMember,TCP_ksocket,TCP_kconnect,TCP_kclose,SHM_Detach,WLM_set,TCB_Exec,PROC_Sysconfig,FILE_Mknod,PROC_LoadError,MLS_SetPPV,FILE_Fchown,PROC_SetGroups,PROC_SetUserIDs,AUD_Proc,PROC_Environx,MLS_GetSecconf,TCP_ksocketpair,TCP_kshutdown,PROC_Setpgid,FILE_ReadXacl,FILE_WriteXacl,FILE_Utimes,AUD_Bin_Def,TCP_ksetopt,TCP_kbind,SEC_ChkAuth,FS_Mount,FS_Umount,PROC_Kill,USER_Login,FS_Fchdir,FILE_StatAcl,GROUP_Create,USER_Create,USER_Change,FILE_FReadXacl,FILE_FWriteXacl,FILE_Fchmod,USER_Chpass,GROUP_Change,TCP_klisten,TCP_kaccept,RTSEM_Init,RTSEM_Destroy,RTSEM_Wait,RTSEM_Post,SEC_aclxcntl,FILE_StatPriv

    audit objects:
    /etc/security/audit/config:
    w = AUD_CONFIG_WR
    /etc/security/environ:
    w = S_ENVIRON_WRITE
    /etc/security/group:
    w = S_GROUP_WRITE
    /etc/security/login.cfg:
    w = S_LOGIN_WRITE
    /etc/security/limits:
    w = S_LIMITS_WRITE
    /etc/security/passwd:
    r = S_PASSWD_READ
    w = S_PASSWD_WRITE
    /etc/security/user:
    w = S_USER_WRITE
    /etc/hosts.allow:
    w = S_ALLOW_WRITE
    /etc/hosts.deny:
    w = S_DENY_WRITE
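The thread turns on what the users: stanza of /etc/security/audit/config actually assigns to each user, and post 6 mentions that the additional human users now carry the ALL class. The script below is an added example, not code from the thread or from IBM: it parses the stanza format that file uses (a bare `name:` header at column 0, then `key = value` lines) and prints every user assigned the ALL class and every class a user references that the classes: stanza does not define. The user names and the shortened class lists in the embedded sample are constructed data, not the poster's configuration; the function name `audit_config_check` is the example's own.

```sh
#!/bin/sh
# Added example (not from the thread): a checker for the stanza-format
# /etc/security/audit/config. It reports every user in the "users:" stanza
# assigned the catch-all ALL class, and every class a user references that
# the "classes:" stanza never defines (a typo there silently audits nothing).

# Constructed sample config that mirrors the layout posted in the thread.
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 4194303

# stream:
#       cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close
        tcpip = TCPIP_config,TCPIP_connect,TCPIP_access

users:
        root = general,files,tcpip
        alice = general,files,ALL
        bob = general,nosuchclass
EOF

# audit_config_check FILE
# Prints one line per finding:
#   "<user> ALL"                  the user is assigned the ALL class
#   "<user> undefined:<class>"    the user references a class not in classes:
audit_config_check() {
    awk '
    # A stanza header is a bare word followed by a colon, at column 0.
    /^[A-Za-z_]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
    # Comments and blank lines carry no configuration.
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    stanza == "classes" {
        # Remember each defined class name (the part before "=").
        name = $1; sub(/[ \t]*=.*/, "", name); defined[name] = 1; next
    }
    stanza == "users" {
        line = $0; sub(/^[ \t]*/, "", line)
        eq = index(line, "=")
        if (eq == 0) next
        user = substr(line, 1, eq - 1); gsub(/[ \t]/, "", user)
        n = split(substr(line, eq + 1), cls, ",")
        for (i = 1; i <= n; i++) {
            c = cls[i]; gsub(/[ \t]/, "", c)
            if (c == "ALL") print user, "ALL"
            else if (!(c in defined)) print user, "undefined:" c
        }
    }' "$1"
}

# Stand-alone run against the constructed sample.
audit_config_check "$SAMPLE_CONFIG"
```

On a live system the same function is run as `audit_config_check /etc/security/audit/config`; its output is then compared against the per-class list that `audit query` prints, so that any class the running subsystem reports (such as ALL) can be traced back to the user entry that requested it.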