AIX 7.2 auditing question

  • 1.  AIX 7.2 auditing question

    Posted Wed September 01, 2021 01:42 PM
    Edited by Irfan Khairi Wed September 08, 2021 03:38 PM
    Hello All,

    I have a requirement on AIX 7.2 TL3 SP3 servers to setup auditing so that TTY commands run by ldap users after sudo to any service accounts on the server should be written to audit log. Also, commands run by root user should be written to audit log. This is to track commands manually run by users after sudo to service accounts such as oracle, apps etc on each server. I tried using PROC_Create, PROC_Execute, USER_Shell audit events but it didn't help much. These audit events also capture all system calls, forked child processes running in the background by that service account which create a huge audit log everyday which doesn't serve the actual purpose. Please let me know if you have any suggestions to setup auditing only to capture tty commands run by users. 

    cat /etc/security/audit/config
    ignorenonexistentity = no
    binmode = off
    streammode = on

    bincompact = off
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 10240
    cmds = /etc/security/audit/bincmds
    freespace = 65536
    backuppath = /audit
    backupsize = 0

    streamcompact = off
    cmds = /etc/security/audit/streamcmds

    testAudit = USER_Shell, PROC_Execute

    default = testAudit


    cat /etc/security/audit/streamcmds
    /usr/sbin/auditstream | auditpr -v -t1 -h tpPrceR > /audit/stream.out &

    Please let me know if you need any additional information. Thank you.