Hello All,
I have a requirement on AIX 7.2 TL3 SP3 servers to set up auditing so that TTY commands run by LDAP users after sudo to any service accounts on the server are written to the audit log. Also, commands run by the root user should be written to the audit log. This is to track commands manually run by users after sudo to service accounts such as oracle, apps, etc. on each server. I tried using the PROC_Create, PROC_Execute, and USER_Shell audit events, but they didn't help much. These audit events also capture all system calls and forked child processes running in the background under that service account, which creates a huge audit log every day that doesn't serve the actual purpose. Please let me know if you have any suggestions to set up auditing that only captures TTY commands run by users.
Configuration:
cat /etc/security/audit/config
start:
ignorenonexistentity = no
binmode = off
streammode = on
bin:
bincompact = off
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
stream:
streamcompact = off
cmds = /etc/security/audit/streamcmds
classes:
testAudit = USER_Shell, PROC_Execute
users:
default = testAudit
role:
cat /etc/security/audit/streamcmds
/usr/sbin/auditstream | auditpr -v -t1 -h tpPrceR > /audit/stream.out &
Please let me know if you need any additional information. Thank you.
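An added example, not part of the original post: the config above assigns the testAudit class to every user through `default = testAudit`, so every PROC_Execute on the box is recorded. One way to shrink the trail is to drop the default entry and assign classes only to the accounts that matter (root and the service accounts). The class names svc_cmds and root_cmds are assumptions chosen here; PROC_Execute and USER_Shell are the events already named in the post. Comment lines in AIX stanza files start with `*`.

```text
* /etc/security/audit/config (assumed rewrite of the stanzas shown above)
start:
        ignorenonexistentity = no
        binmode = off
        streammode = on

stream:
        streamcompact = off
        cmds = /etc/security/audit/streamcmds

classes:
* Commands executed under a service account (class name is an assumption).
        svc_cmds = PROC_Execute
* Root gets the shell-start event too, so the start of an interactive session is visible.
        root_cmds = PROC_Execute,USER_Shell

users:
* No "default" line: accounts not listed here generate no records at all,
* so ordinary LDAP logins add nothing until they land on an audited account.
        root = root_cmds
        oracle = svc_cmds
        apps = svc_cmds
```

Two checks before relying on this. First, audit classes are attached to a process when the user's classes are loaded (at login, and when su switches identity), so confirm that the sudo build in use actually reloads the target account's classes; if it does not, a process that started as an unaudited LDAP user stays unaudited after sudo and this per-user layout records nothing. Second, to tie a record back to the LDAP user who ran sudo, add `l` (login name) to the auditpr field list in streamcmds, for example `-h tlpPrceR`, since the real-user column `r` will show the service account after the switch. This narrows the trail to the listed accounts; background processes forked by those accounts are still PROC_Execute events and still appear, so separating interactive commands from daemon activity remains a post-processing step on the stream output.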