How can one identify a TL with ssh support for auditing

    Posted Fri June 29, 2012 02:33 AM

    Originally posted by: SystemAdmin


    I have been setting up auditing on AIX 6100-03-02-0939 and found that file transfers using sftp are not showing in the audit trail as might be expected, and are only showing in the system log.

    The system being audited is using AIX 6.1 TL 3, and the auditing has been set up with bin auditing, a class eprise, and a default user; e.g.
    
    classes:
        eprise = PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_Privilege,PROC_Settimer,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FS_Mount,FS_Umount,FILE_Acl,FILE_Privilege,FS_Chroot,TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kcreate,USER_Login,PORT_Locked,SYSCK_Check,SYSCK_Update,SYSCK_Install,USER_Check,USER_Logout,PORT_Change,USER_Change,USER_Remove,USER_Create,USER_SetGroups,USER_SetEnv,USER_SU,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,PASSWORD_Change,PASSWORD_Flags,PASSWORD_Check,PASSWORD_Ckerr,SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Addserver,SRC_Chserver,SRC_Delssys,SRC_Delserver,ENQUE_admin,ENQUE_exec,SENDMAIL_Config,SENDMAIL_ToFile,AT_JobAdd,AT_JobRemove,CRON_JobRemove,CRON_JobAdd,CRON_Start,CRON_Finish,NVRAM_Config,DEV_Configure,DEV_Change,DEV_Create,DEV_Start,INSTALLP_Inst,INSTALLP_Exec,UPDATEP_Name,DEV_Stop,DEV_UnConfigure,DEV_Remove,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG,BACKUP_Export,BACKUP_Priv,RESTORE_Import,USER_Shell,TCBCK_Check,TCBCK_Update,PROC_SetGroups,FS_Fchdir,PROC_Settimer,MAIL_ToUser,EFS_WriteKS,KST_Change,RFM_SetObj,RFM_SetIpc,AUTH_Create,AUTH_Change,AUTH_Remove,CMD_Change,CMD_Remove,DEV_Change,DEV_Remove,PFILE_Change,PFILE_Remove,PROC_Change,WM_CreateWPAR,WM_RemoveWPAR,WM_StartWPAR,WM_StopWPAR,WM_RebootWPAR,WM_ResumeWPAR,WM_ModifyWPAR,WM_SyncWPAR,WM_CheckptWPAR,WM_SetInitConf,WM_ResetConfig,WM_ModifyConfig,SEC_ChkAuth,SEC_ChkAuthId,SEC_SetWpsCid,SEC_SetKst
    
    users:
        root = general,SRC,tcpip,cron,eprise
        default = general,tcpip,cron,eprise
    


    With this setting and "OpenSSH_5.0p1, OpenSSL 0.9.8k-fips 25 Mar 2009" there is no connection entry in the audit log for sftp, and the overwriting of an existing file does not leave an entry.

    The file I am using for testing is in a directory that has been added to the "object" file with an entry similar to:
    
    /sap_ifc/PI/Banks/XXXXX/new/archive/:
        r = "Obj_READ"
        w = "Obj_WRITE"
    

    I believe that some versions of ssh have been modified by IBM to generate entries in the audit log. Does anyone know which TL or Service Packs could be used to gain auditing of ssh, scp and sftp?

    P.S. I have since added "files" to the user entries in the audit config. This is an improvement, in that it generates a FILE_Open entry in the audit log when a file is overwritten using sftp; but I doubt that it will be enough to placate the auditors.

    P.S. I also attempted to add each file that needs to be protected to the "object" configuration file; but the 20,000 files were too many, and audit runs out of memory.
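The config stanzas quoted in the post are the kind of thing worth linting before an auditor reads them: a users: entry that names a class nobody defined, or a class whose event list was assembled by hand and repeats events (the eprise list above repeats PROC_Settimer, DEV_Change and DEV_Remove). The script below is an added example, not code from the post or from IBM; it assumes the layout of /etc/security/audit/config (a stanza header such as "classes:" or "users:" alone on a line, entries of the form "name = a,b,c", long lines continued with a trailing backslash) and runs over a constructed sample that mimics the post's config, with one deliberately undefined class (sftpxfer) and two repeated events so both checks fire.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the classes: and
# users: stanzas of an AIX /etc/security/audit/config before relying on them.
# It reports every class a users: entry names that no classes: entry defines,
# and every event that appears more than once inside a single class.
# Assumptions: stanza headers sit alone on a line ("classes:", "users:"),
# entries are "name = a,b,c", and long lines are continued with a trailing "\".

# Constructed sample modelled on the post's config; the class sftpxfer is
# deliberately referenced without being defined, and the eprise class repeats
# two events, so both checks have something to find.
SAMPLE_CONFIG='start:
    binmode = on
    streammode = off

classes:
    general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chroot
    SRC = SRC_Start,SRC_Stop
    tcpip = TCPIP_connect,TCPIP_access
    cron = CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
    files = FILE_Open,FILE_Read,FILE_Write,FILE_Close
    eprise = PROC_Delete,PROC_Execute,PROC_Settimer,FILE_Link,\
             PROC_Settimer,DEV_Change,DEV_Remove,DEV_Change

users:
    root = general,SRC,tcpip,cron,eprise
    default = general,tcpip,cron,eprise,files,sftpxfer
'

# check_audit_config FILE
# Prints one line per finding: "DUP <class> <event>" or "UNDEF <user> <class>".
check_audit_config() {
    awk '
    # Join backslash-continued lines before any other rule sees them.
    {
        if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next }
        $0 = buf $0; buf = ""
    }
    # A bare "name:" line starts a new stanza.
    /^[A-Za-z]+:[ \t]*$/ { stanza = $1; sub(/:.*/, "", stanza); next }
    # classes: stanza - remember each class and flag repeated events in it.
    stanza == "classes" && /=/ {
        split($0, kv, "=")
        cls = kv[1]; gsub(/[ \t]/, "", cls)
        defined[cls] = 1
        for (k in seen) delete seen[k]
        n = split(kv[2], ev, ",")
        for (i = 1; i <= n; i++) {
            e = ev[i]; gsub(/[ \t]/, "", e)
            if (e == "") continue
            if (e in seen) printf "DUP %s %s\n", cls, e
            seen[e] = 1
        }
        next
    }
    # users: stanza - every class named here must exist in classes:.
    stanza == "users" && /=/ {
        split($0, kv, "=")
        user = kv[1]; gsub(/[ \t]/, "", user)
        n = split(kv[2], cl, ",")
        for (i = 1; i <= n; i++) {
            c = cl[i]; gsub(/[ \t]/, "", c)
            if (c != "" && !(c in defined)) printf "UNDEF %s %s\n", user, c
        }
    }' "$1"
}

# Write the embedded sample to a scratch file, run the checker over it and
# print the findings; the real use is check_audit_config /etc/security/audit/config.
run_sample_check() {
    tmp="${TMPDIR:-/tmp}/auditcfg.$$"
    printf '%s' "$SAMPLE_CONFIG" > "$tmp"
    check_audit_config "$tmp"
    rm -f "$tmp"
}

run_sample_check
```

On the sample it prints the two repeated eprise events and the undefined sftpxfer class. Findings come out in file order, so a long classes: stanza can be reviewed top to bottom; the objects file has a different layout (a path line followed by indented r/w/x lines) and is not covered by this checker.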