AIX

  • 1.  Question on Auditing

    Posted Mon September 29, 2008 10:58 AM

    Originally posted by: SystemAdmin


    Hi,

    Suppose I have 1000 files under a particular directory, and I want to monitor (unauthorized) reads/writes on all the files in the directory. How do I add them to the /etc/security/audit/objects file?
    Should I make an entry for each of the files in the directory, or is there an easier way to do it? Any help would be greatly appreciated.
    Thanks in advance

    G


  • 2.  Re: Question on Auditing

    Posted Mon September 29, 2008 11:04 AM

    Originally posted by: orphy


    Check out some examples in http://www.redbooks.ibm.com/abstracts/sg246396.html
    Orphy


  • 3.  Re: Question on Auditing

    Posted Mon September 29, 2008 11:18 AM

    Originally posted by: SystemAdmin


    Hi,

    I do not find any relevant example to answer my question.
    Simplifying my question with an example-
    Suppose I have a1.txt ... a1000.txt under /home/test/sample_a.
    How do I add the objects a1.txt to a1000.txt for auditing? If I have to enter all 1000 paths in the objects file, it will be a cumbersome task.
    Is there an easier way?

    G


  • 4.  Re: Question on Auditing

    Posted Mon September 29, 2008 11:23 AM

    Originally posted by: orphy


    Have a look at the find command on page 31. You can make adjustments to fit your need. You don't have to manually enter those thousand files.
    Orphy

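A concrete way to do what Orphy suggests, generating the objects-file stanzas with find instead of typing a thousand paths. This is an added example, not code from the thread or from the Redbook. The event names are assumptions (the thread only names S_NOTAUTH_READ, and S_NOTAUTH_WRITE is invented here for the write side); each event still needs a format line in /etc/security/audit/events for auditpr to print it, and the sample directory is constructed to stand in for /home/test/sample_a.

```shell
#!/bin/sh
# Added example, not from the thread or the Redbook: build objects-file stanzas
# for every regular file under a directory with find, instead of typing them.
# The event names passed in are assumptions; the thread only names
# S_NOTAUTH_READ. Each event still needs a format line in
# /etc/security/audit/events for auditpr to print it.

# gen_audit_objects DIR READ_EVENT WRITE_EVENT
# Prints one stanza per regular file found under DIR, in the form
#   /path/to/file:
#           r = "READ_EVENT"
#           w = "WRITE_EVENT"
# Assumes file names contain no newline, since the read loop splits on them.
gen_audit_objects() {
    dir=$1
    r_event=$2
    w_event=$3
    # -type f skips directories, symlinks and device nodes; sort keeps the
    # output stable so a regenerated list can be diffed against the old one.
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r path; do
        printf '%s:\n' "$path"
        printf '\tr = "%s"\n' "$r_event"
        printf '\tw = "%s"\n\n' "$w_event"
    done
}

# count_object_stanzas FILE
# Number of object paths (lines of the form "/path:") in an objects file;
# use it to confirm the generated list covers every file before installing it.
count_object_stanzas() {
    grep -c '^/.*:$' "$1"
}

# make_sample_dir DIR
# Constructed sample tree (a1.txt .. a3.txt plus one file in a subdirectory)
# standing in for the thread's /home/test/sample_a.
make_sample_dir() {
    mkdir -p "$1/sub"
    for i in 1 2 3; do : > "$1/a$i.txt"; done
    : > "$1/sub/a4.txt"
}

# Usage on the AIX host (paths assumed):
#   gen_audit_objects /home/test/sample_a S_NOTAUTH_READ S_NOTAUTH_WRITE > /tmp/objects.add
#   count_object_stanzas /tmp/objects.add      # should equal the number of files
#   cat /tmp/objects.add >> /etc/security/audit/objects
#   audit shutdown && audit start              # reload the objects list
```

Review the generated file before appending it: every stanza is a separate watched object, so a thousand of them on a busy directory produces a correspondingly large volume of records, and files created after the list was generated are not covered until you regenerate it and restart auditing.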

  • 5.  Re: Question on Auditing

    Posted Wed October 01, 2008 12:45 PM

    Originally posted by: SystemAdmin


    Further to my earlier question on auditing, is there a way to find out which files were written to as well? When I look at the audit log, I only see the command as cat or vi. The file on which the cat or vi command was used is not mentioned.
    Any idea how this can be incorporated?

    G


  • 6.  Re: Question on Auditing

    Posted Thu October 02, 2008 04:53 AM

    Originally posted by: CRM


    Can you be a bit more specific, how are you running audit?

    Can you paste in the command you used and some sample output.

    If you are using auditpr, are you using the -v flag for the verbose output, as a starter for ten?

    regards

    Chris


  • 7.  Re: Question on Auditing

    Posted Thu October 02, 2008 01:08 PM

    Originally posted by: SystemAdmin


    I check for the stream.out file using the command
    tail -f /audit/stream.out

    And I get output something like:

    S_NOTAUTH_READ root OK Thu May 24 14:07:05 2007 cat
    S_NOTAUTH_READ root OK Thu May 24 14:07:05 2007 cat

    Now, the file on which cat was used is not mentioned.
    Is there any way to get that?

    Gayathri


  • 8.  Re: Question on Auditing

    Posted Fri October 03, 2008 04:05 AM

    Originally posted by: CRM


    Ok - paste in the output of your:

    /etc/security/audit/streamcmds

    file

    I expect it will be similar to:

    /usr/sbin/auditstream | auditpr > /audit/stream.out &

    Now try putting a -v flag onto auditpr and see what the output is.

    This should print the file descriptor (as it uses the events file formatting).

    regards

    Chris


  • 9.  Re: Question on Auditing

    Posted Fri October 03, 2008 01:37 PM

    Originally posted by: SystemAdmin


    Hi,

    When I tried the -v flag for auditpr, I get the output as follows:

    S_NOTAUTH_READ gayathri OK Fri Oct 03 12:56:32 2008 vi

    <tail format undefined>
    S_NOTAUTH_READ gayathri OK Fri Oct 03 12:56:32 2008 vi

    <tail format undefined>
    S_NOTAUTH_READ gayathri OK Fri Oct 03 12:56:32 2008 vi

    <tail format undefined>


  • 10.  Re: Question on Auditing

    Posted Mon October 06, 2008 04:57 AM

    Originally posted by: CRM


    So the line reads:

    /usr/sbin/auditstream | /usr/sbin/auditpr -v > /dev/console
    This should work; I will have to try this out on a system here when I get a moment.

    regards

    Chris