Suppose you use a finely tuned Syslog audit policy in your environment. The audit configuration has proven efficient and reliable, and you do not want anyone but a few trusted administrators to be able to change it. Even so, you want to know immediately if the audit policy is modified in any way.
Use the InTrust real-time monitoring capabilities to get immediate notification. The Syslog audit configuration is defined in the syslog.conf file (normally /etc/syslog.conf), so the solution is to have InTrust monitor this file and raise an alert whenever it is modified.
Enable the "Syslog.conf file modified" rule and supply the path of each syslog.conf file to be watched as the rule's parameter.
You want to receive daily information about possible security issues in your environment, such as brute-force attack attempts.
You can achieve this by scheduling gathering and reporting jobs with InTrust.
Take the following steps:
This section describes the format to which the InTrust agent converts the Audit log trails it receives. A typical Audit log trail is like this:
Wed Jun 20 15:37:16 2007 FS_Mkdir jsmith OK smbd root 450648 245934 819443 00C8967E4C000000
mode: 755 dir: tmp/data
From these trails, the agent produces event records for the audit database. Each event record has a fixed number of fields, which are described in the following table. These fields are always present, even if their values are empty.
Field | Details
---|---
ProviderName | For all events, the value of this field is empty.
Priority | For all events, the value of this field is 2, meaning Normal.
LocalTime | The local time of the event on the AIX host.
GMT | The time of the event in GMT.
DataSourceName | For all events, the value of this field is "AIX 5L Audit Log".
HostName | The name of the AIX host where the InTrust agent captured the event.
DataSourceId | InTrust's internal ID of the agent's AIX auditing engine. For all events, the value of this field is "{B0CAB4B0-F676-4E2A-A345-A6071279D8FC}".
Insertion String 1 | Event name, such as FS_Rmdir or FILE_Unlink.
Insertion String 2 | User account under which the program ran. This may differ from the account that opened the login session.
Insertion String 3 | Auditing status as reported by the system audit (for example, OK).
Insertion String 4 | Name of the program that caused the event. For events 60000 and 60001, the value is "InTrust collector for AIX audit log".
Insertion String 5 | User account that first opened the login session. The account may have been substituted (for example, after su) in the course of the session.
Insertion String 6 | Process ID of the program that caused the event.
Insertion String 7 | Process ID of the program's parent process.
Insertion String 8 | Thread ID of the program that caused the event.
Insertion String 9 | ID of the CPU the program ran on.
Insertion String 10 | Same as Insertion String 2.
Insertion String 11 | Same as Insertion String 5.
Insertion String 12 | The formatted but otherwise unmodified contents of the audit trail.
Description | Events 60000 and 60001 carry their own descriptions. For all other events, the value is the same as Insertion String 12.
UserName | Same as Insertion String 5.
Category | Same as Insertion String 1.
Source | Same as Insertion String 4.
TimeGenerated | Event generation time in GMT.
TimeWritten | Time the event record was written, in GMT.
EventType | For event 60000, the value of this field is 2, meaning Warning. For all other events, the value is 4, meaning Information.
EventID | 0, 60000 or 60001. All native Audit log events have the value 0. Events 60000 and 60001 are not native: the agent generates them when it detects that the system audit has stopped (60000) or started (60001).
PlatformID | The ID of the AIX platform; 640 for all events.