AIX Security: Audit Tips, Tricks and Technotes

By Jan Harris posted 2 days ago


Many administrators open support cases seeking guidance for AIX audit configuration. Audit customization and analysis is out of the scope of AIX Support, but I have published several technical notes that demonstrate audit configuration. I will add related technotes and references to this blog so readers have a common reference.

AIX AUDIT: Resolving auditbin failed backend command bin file errors
AIX AUDIT: Auditing commands run by switched users (su, sudo)
AIX AUDIT: Examining an audit log for user actions
AIX AUDIT: How can I monitor a specific command?
AIX AUDIT: How can I monitor all user activities on a system?
AIX AUDIT: How can I monitor file deletions?
AIX AUDIT: How can I monitor file system operations?
AIX AUDIT: How can I monitor system time changes?
AIX AUDIT: How can I monitor user logins and logouts?
AIX AUDIT: How to rotate the audit BIN trail file
AIX AUDIT: What is writing to the console log?
AIX AUDIT: Cannot find "role" stanza in /etc/security/audit/config

You can learn more about the audit functionality on AIX and best practices through the following resources:


IBM Documentation Audit section:

AIX Redbooks, "Auditing and Accounting"

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, there are more fee-based services available.

  • Read more about IBM Technology Services (Formerly Systems Lab Services)




2 days ago

Hello, José
Yes, I agree this book is rather old. We have had some internal discussions, and I agree it should at least get some "modernization", and will continue to try to get some updates. This is one of the reasons I created this blog, so users would have a consistent list of how-tos and be able to communicate concerns about documentation. THANKS for your feedback!

2 days ago

Hi Jan,

Thanks for the comprehensive collection, it's good to have a starting point.

I've noticed that the auditing redbook is getting a bit long in the tooth (AIX 5.3). Any way to get a book update in the pipeline?

I know that by 5.3 audit was already quite complete, but it would still be a good option to add all the new stuff up to 7.3, adding a chapter on VIOS auditing and merging information from all those links into a coherent whole.