The auditing subsystem on AIX computers stores its files in the /etc/security/audit folder. Change Guardian requires audit streaming to be enabled; streaming every event, however, can consume excessive disk space or processor time.
The following steps describe the minimum auditing activity that Change Guardian requires.
Add the following line to the /etc/security/audit/config and /etc/security/audit/streamcmds files:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/stream.out&
Ensure the /etc/security/audit/config file includes the following stanzas:
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/bincmds
Add the following events to all Change Guardian users:
FS_Mount
FILE_Unlinkat
CRON_Finish
FILE_Linkat
CRON_JobRemove
PROC_Kill
PROC_Execute
FILE_Unlink
FILE_Rename
FILE_Fchown
FILE_Owner
FILE_Close
USER_Chpass
FILE_Symlinkat
USER_Change
FILE_Symlink
PROC_LPExecute
FILE_Open
FILE_Mknodat
FILE_Dupfd
FILE_Chmod
FILE_Renameat
USER_Create
GROUP_Create
FS_Chdir
FS_Umount
FILE_Chown
FILE_Fchownat
GROUP_Change
PROC_Create
USER_Remove
FILE_Fchmod
PROC_Adjtime
CRON_JobAdd
FILE_Utimes
PROC_Delete
FILE_Openxat
GROUP_Remove
FILE_Fchmodat
FILE_Mode
PROC_Settimer
FILE_Mknod
CRON_Start
FILE_Link
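To verify that an audit config file carries the stanza settings and the full event list above before Change Guardian is pointed at the host, here is an added Python example; it is not Change Guardian's or IBM's code. It assumes the standard AIX stanza layout (a "name:" header followed by "key = value" lines, with "*" starting a comment) and that events reach users through a class defined in the classes: stanza, which this page does not describe; the embedded sample config is constructed.

```python
"""Check an AIX /etc/security/audit/config for the settings above. Added example, not
Change Guardian code; assumes events reach users via a class in the classes: stanza."""
import re

REQUIRED_EVENTS = set("""FS_Mount FILE_Unlinkat CRON_Finish FILE_Linkat CRON_JobRemove PROC_Kill
PROC_Execute FILE_Unlink FILE_Rename FILE_Fchown FILE_Owner FILE_Close USER_Chpass FILE_Symlinkat
USER_Change FILE_Symlink PROC_LPExecute FILE_Open FILE_Mknodat FILE_Dupfd FILE_Chmod FILE_Renameat
USER_Create GROUP_Create FS_Chdir FS_Umount FILE_Chown FILE_Fchownat GROUP_Change PROC_Create
USER_Remove FILE_Fchmod PROC_Adjtime CRON_JobAdd FILE_Utimes PROC_Delete FILE_Openxat GROUP_Remove
FILE_Fchmodat FILE_Mode PROC_Settimer FILE_Mknod CRON_Start FILE_Link""".split())

def parse_stanzas(text):
    """Return {stanza: {key: value}} for an AIX stanza-style file ('*' starts a comment)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.split("*", 1)[0].rstrip()
        header = re.match(r"^(\w+):\s*$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_config(text):
    """Return a list of problems; an empty list means every required setting and event is present."""
    stanzas, problems = parse_stanzas(text), []
    start = stanzas.get("start", {})
    for key, want in (("binmode", "off"), ("streammode", "on")):  # streaming on, binning off
        if start.get(key) != want:
            problems.append(f"start: {key} = {start.get(key)!r}, expected {want!r}")
    for name in ("bin", "stream"):                                 # both stanzas must name a cmds file
        if "cmds" not in stanzas.get(name, {}):
            problems.append(f"{name}: missing cmds")
    assigned = {e.strip() for events in stanzas.get("classes", {}).values()  # comma-separated
                for e in events.split(",")}
    problems += [f"classes: {ev} not in any audit class" for ev in sorted(REQUIRED_EVENTS - assigned)]
    return problems

SAMPLE_CONFIG = """* constructed sample, not a real system file
start:
        binmode = off
        streammode = on
bin:
        cmds = /etc/security/audit/bincmds
stream:
        cmds = /etc/security/audit/bincmds
classes:
        cgdemo = FS_Mount,FILE_Unlink,PROC_Execute
"""
```

Running check_config on the sample lists the 41 events that the cgdemo class still lacks; a clean run returns an empty list.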
If a previous attempt to set up auditing on your AIX computer was unsuccessful, remove all files in the /etc/security/audit folder except the trail, stream.out, and bin files.