AIX Security: Audit Tips, Tricks and Technotes

By Jan Harris posted Thu May 25, 2023 06:23 PM

  

Many administrators open support cases seeking guidance on AIX audit configuration. Audit customization and analysis are outside the scope of AIX Support, but I have published several technical notes that demonstrate audit configuration. I will add related technotes and references to this blog so readers have a common reference.

AIX AUDIT: Resolving auditbin failed backend command bin file errors
AIX AUDIT: Auditing commands run by switched users (su, sudo)
AIX AUDIT: Examining an audit log for user actions
AIX AUDIT: How can I monitor a specific command?
AIX AUDIT: How can I monitor all user activities on a system?
AIX AUDIT: How to monitor file events
AIX AUDIT: How can I monitor file deletions?
AIX AUDIT: How can I monitor file system operations?
AIX AUDIT: How to monitor permission changes
AIX AUDIT: How can I monitor system time changes?
AIX AUDIT: How can I monitor user logins and logouts?
AIX AUDIT: How to rotate the audit BIN trail file
AIX AUDIT: What is writing to the console log?
AIX AUDIT: Cannot find "role" stanza in /etc/security/audit/config
AIX AUDIT: Enabling full path file names
AIX AUDIT: Using PROC_Execute to identify failed login sources

Related Technotes:

Redirecting AIX audit events to the syslogd subsystem

You can learn more about the audit functionality on AIX and best practices through the following resources:

 

IBM Documentation Audit section:
https://www.ibm.com/docs/en/aix/7.2?topic=system-auditing-overview

AIX Redbooks, "Auditing and Accounting"
http://www.redbooks.ibm.com/redbooks/pdfs/sg246396.pdf

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, additional fee-based services are available.

  • Read more about IBM Technology Services (Formerly Systems Lab Services)




Comments

Fri May 26, 2023 10:53 AM

Hello, José
Yes, I agree this book is rather old. We have had some internal discussions, and I agree it should at least get some "modernization", and will continue to try to get some updates. This is one of the reasons I created this blog, so users would have a consistent list of how-tos and be able to communicate concerns about documentation. THANKS for your feedback!

Fri May 26, 2023 05:19 AM

Hi Jan,

Thanks for the comprehensive collection, it's good to have a starting point.

I've noticed that the auditing redbook is getting a bit long in the tooth (AIX 5.3). Any way to get a book update on the pipeline?

I know that by 5.3 audit was already quite complete, but it would still be a good option to add all the new stuff up to 7.3, adding a chapter on VIOS auditing and merging information from all those links into a coherent whole.