The related topics explain the steps you need to take to set up AIX auditing and monitoring, as follows:
For detailed instructions, see Installing Agents Manually.
Syslog is an important logging facility in AIX. Syslog functionality is provided by the syslogd daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network.
The syslog.conf file specifies where syslogd sends a message depending on the parameters of the message. For a detailed description of this file's format, see the syslog.conf man page.
When you install the InTrust agent on the AIX host, the entries it needs are added to syslog.conf automatically; you do not have to edit message redirection settings by hand. You can still configure redirection of messages to other destinations as you see fit, as long as you leave the InTrust-related entries intact.
The AIX audit system provides logging capability and handles system events in two ways: in bin mode, where audit records are written to bin files on disk, and in stream mode, where records are written to a buffer that can be read in real time.
The InTrust agent on the AIX computer relies on stream mode for event records.
Auditing starts according to audit system settings, including the following:
If auditing is already configured the way you need, no further configuration is required. Otherwise, configure or adjust the audit settings as described in the related topics; in that case you primarily need to edit the two settings listed above.
AIX audit uses the settings in the following files:
This section briefly describes only the settings that specify auditable accounts and events. For detailed information about these and other settings, refer to the audit system man pages (man audit) and the IBM Redbook Accounting and Auditing on AIX 5L.
The settings in question are configured in the /etc/security/audit/config file.
If you did not enable system audit compatibility with the agent during setup, take the following additional steps to enable the InTrust agent to capture Audit log events:
The /etc/security/audit/config file also includes definitions of audit classes and assignments of those classes to individual user accounts.
This part of the file looks similar to the following:
...
classes:
general=USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
objects=S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
...
users:
root = general,objects,kernel,files
...
Auditing is configured on a per-user basis. Each audited account is assigned one or more audit classes, where an audit class is a named grouping of auditable event types. Audit classes are defined in the classes stanza and associated with individual users in the users stanza; a user's effective set of audited events is the union of the events in all classes assigned to that user.
You can use default AIX audit class presets, or define your own classes, and associate them with the users whose activity you want to audit. For details on event syntax and any other configuration options, refer to AIX documentation.
After editing the /etc/security/audit/config file, restart system audit (audit shutdown followed by audit start) so that the new settings take effect, and confirm with audit query that auditing is running again. A class name that is assigned in the users stanza but never defined in the classes stanza is an easy mistake to make when editing by hand, so check the file before restarting.
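A way to sanity-check the classes and users stanzas before restarting, as an added example that is not code from the InTrust or AIX documentation: it parses a config file in the stanza syntax shown above, reports any class that a user is assigned but the file never defines, and expands the full list of events a given user will be audited for. The configuration it writes is constructed for the demonstration (its root entry deliberately references a kernel class that the sample never defines), and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from InTrust or IBM: parse the classes: and
# users: stanzas of an AIX /etc/security/audit/config file, expand the
# events a user will actually be audited for, and reject a config that
# assigns a class it never defines, before the audit subsystem is restarted.
# Only POSIX sh and awk are used, so it runs under AIX ksh as well as Linux.

# Emit one tab-separated record per "name = value" line: stanza, name, value.
# AIX stanza files use "*" for comment lines and a trailing backslash to
# continue a long class definition on the next line; both are handled.
audit_stanzas() {
    awk '
        /^[ \t]*\*/ { next }                               # comment line
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }   # continuation
        { line = buf $0; buf = "" }
        line ~ /^[A-Za-z_]+:[ \t]*$/ {                     # stanza header, e.g. "users:"
            stanza = line; sub(/:.*/, "", stanza); next
        }
        line ~ /=/ && (stanza == "classes" || stanza == "users") {
            name = line;  sub(/[ \t]*=.*/, "", name);      sub(/^[ \t]+/, "", name)
            value = line; sub(/^[^=]*=[ \t]*/, "", value); gsub(/[ \t]/, "", value)
            printf "%s\t%s\t%s\n", stanza, name, value
        }
    ' "$1"
}

# Exit 0 when every class assigned in users: is defined in classes:
# (ALL is a keyword AIX understands without a definition); otherwise print
# each dangling reference and exit 1.
audit_config_check() {
    audit_stanzas "$1" | awk -F '\t' '
        $1 == "classes" { defined[$2] = 1 }
        $1 == "users"   { assigned[$2] = $3 }
        END {
            bad = 0
            for (u in assigned) {
                n = split(assigned[u], cls, ",")
                for (i = 1; i <= n; i++) {
                    if (cls[i] == "" || cls[i] == "ALL" || (cls[i] in defined)) continue
                    printf "user %s references undefined class %s\n", u, cls[i]
                    bad = 1
                }
            }
            exit bad
        }
    '
}

# Print the sorted, de-duplicated events user $2 will be audited for under
# config $1: the union of every class assigned to that user.
audit_user_events() {
    audit_stanzas "$1" | awk -F '\t' -v user="$2" '
        $1 == "classes" { class[$2] = $3 }
        $1 == "users" && $2 == user { want = $3 }
        END {
            n = split(want, cls, ",")
            for (i = 1; i <= n; i++) {
                m = split(class[cls[i]], ev, ",")
                for (j = 1; j <= m; j++) if (ev[j] != "") print ev[j]
            }
        }
    ' | LC_ALL=C sort -u
}

# Write a constructed sample config, modelled on the fragment above, to $1.
# The root line deliberately assigns "kernel", which this sample never
# defines, so audit_config_check rejects it.
write_sample_config() {
    cat > "$1" <<'EOF'
* constructed sample for the example, not a real /etc/security/audit/config
start:
        binmode = off
        streammode = on

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,\
                  FILE_Rename,FS_Chdir,FS_Chroot
        objects = S_PASSWD_READ,S_PASSWD_WRITE,AUD_CONFIG_WR

users:
        root = general,objects,kernel
        auditor = objects
EOF
}

# Typical use on the real file, then restart only if the check passes:
#   audit_config_check /etc/security/audit/config &&
#       audit_user_events /etc/security/audit/config root &&
#       audit shutdown && audit start && audit query
```

Run audit_config_check against the real file before the restart; a non-zero exit means at least one user is assigned a class that does not exist, and audit_user_events shows what root (or any other account) will actually generate records for once stream mode is active.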