AIX


 AIX audit - user login name not showing in log

Glenn Robinson posted Wed April 16, 2025 09:25 AM

AIX 7.2

I have added the following to /etc/security/audit/config:

classes:

        auth = USER_Login,USER_Logout,USER_Exit

users:
        default = auth

From this I want to capture a log in, log out and exit for every user.

I have a test user (test_sys) and this user has auth set as the audit class:

auditclasses=auth

When I log in as the user I see the following in the audit log:

# auditstream | auditpr -helrtR
event           login    real     time                     status
--------------- -------- -------- ------------------------ -----------
S_PASSWD_READ   root     root     Wed Apr 16 14:29:27 2025 OK
S_PASSWD_READ   root     root     Wed Apr 16 14:29:27 2025 OK
S_PASSWD_READ   root     root     Wed Apr 16 14:29:27 2025 OK
USER_Login      root     root     Wed Apr 16 14:29:27 2025 OK
USER_Login      root     root     Wed Apr 16 14:29:28 2025 OK
USER_Login      root     root     Wed Apr 16 14:29:28 2025 OK
S_PASSWD_READ   root     root     Wed Apr 16 14:29:28 2025 OK
S_PASSWD_READ   root     root     Wed Apr 16 14:29:28 2025 OK
S_PASSWD_READ   root     root     Wed Apr 16 14:29:28 2025 OK
USER_Login      root     root     Wed Apr 16 14:29:28 2025 OK
USER_Login      root     root     Wed Apr 16 14:29:28 2025 OK

I was expecting either login or real to show test_sys instead of root.

How do I get the actual name of the user logging in?

Also, why aren't there entries for when that user logs out?

I'm suspecting I'm missing something here which might fix both.

Thorsten Burghardt IBM Champion

Hi, it should work as you tested, but since the login daemons are running as root, it is logged as root. If you would like to see what a user did in a sudo su - environment, add extra classes or events to the user. This will print the different users (login and real).

Have a look also at: https://www.ibm.com/support/pages/aix-audit-how-can-i-monitor-user-logins-and-logouts

Andrey Klyachkin IBM Champion

The USER_Login is generated by tsm and the USER_Logout is generated by the logout command. Depending on how you log in and out, you may execute these or other commands.

E.g.:

  • if you use bash, logout is a shell builtin and will not generate USER_Logout event because you don't use the logout program.
  • if you use sshd and don't configure it to use login (UseLogin yes), it will not generate USER_Login, because tsm is not executed.

If you want to audit SSH logins (not only terminal or telnet logins), add SSH-specific events into /etc/security/audit/events. See the article on IBM's site about auditing login and logout events.

Regarding the user information in the event output: for some of the events you may need to print additional information.
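To check the point above about missing USER_Logout records, here is an added example (not code from this thread or from IBM) that parses the column layout auditpr -helrtR prints, as shown in the question, and reports login names with a successful USER_Login that was never followed by a USER_Logout. The audit records in SAMPLE are constructed for the example, not real audit data.

```python
"""Parse auditpr -helrtR output and pair USER_Login with USER_Logout per
login name. Column offsets are derived from the dashed rule line that
auditpr -h prints, so the parser does not hard-code field widths."""
import re

# Constructed sample in the auditpr -helrtR layout (not real audit output).
SAMPLE = """\
event           login    real     time                     status
--------------- -------- -------- ------------------------ -----------
S_PASSWD_READ   root     root     Wed Apr 16 14:29:27 2025 OK
USER_Login      root     root     Wed Apr 16 14:29:27 2025 OK
USER_Login      test_sys test_sys Wed Apr 16 14:30:02 2025 OK
USER_Logout     test_sys test_sys Wed Apr 16 14:35:10 2025 OK
USER_Login      test_sys test_sys Wed Apr 16 14:40:00 2025 OK
USER_Login      admin    admin    Wed Apr 16 14:41:00 2025 FAIL
"""


def column_spans(dash_line):
    """Return (start, end) offsets of each column from the dashed rule line."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", dash_line)]


def parse_auditpr(text):
    """Return one dict per record, keyed by the header names (event, login, ...)."""
    lines = text.splitlines()
    header, dashes, body = lines[0], lines[1], lines[2:]
    spans = column_spans(dashes)
    names = [header[s:e].strip() for s, e in spans]
    records = []
    for line in body:
        if not line.strip():
            continue
        fields = []
        for i, (s, e) in enumerate(spans):
            # the last column may extend past its dashes, so take the rest of the line
            end = e if i < len(spans) - 1 else None
            fields.append(line[s:end].strip())
        records.append(dict(zip(names, fields)))
    return records


def unmatched_logins(records):
    """Count successful USER_Login events per login name that have no later
    USER_Logout. A FAIL status opens no session and is not counted."""
    open_sessions = {}
    for r in records:
        user = r["login"]
        if r["event"] == "USER_Login" and r["status"] == "OK":
            open_sessions[user] = open_sessions.get(user, 0) + 1
        elif r["event"] == "USER_Logout" and open_sessions.get(user, 0) > 0:
            open_sessions[user] -= 1
    return {u: n for u, n in open_sessions.items() if n > 0}
```

On a live system, feed the parser the text of auditstream | auditpr -helrtR (or a saved trail) instead of SAMPLE; a login name that keeps accumulating open sessions usually means its logout path (shell builtin, sshd without UseLogin) never runs the logout program.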