C.1 Configuring the AIX Audit Subsystem

The auditing subsystem on AIX computers stores files in the /etc/security/audit folder. You must have audit streaming enabled. However, streaming all events might consume too much space or processor time.

The following steps describe the minimum auditing activity Change Guardian requires.

  1. Add the following line to the /etc/security/audit/config and /etc/security/audit/streamcmds files:

    /usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/stream.out&
    
  2. Ensure the /etc/security/audit/config file includes the following stanzas (the stream: stanza must point at streamcmds, the file that step 1 edits):

    start:
         binmode = off
         streammode = on

    bin:
         trail = /audit/trail
         bin1 = /audit/bin1
         bin2 = /audit/bin2
         binsize = 10240
         cmds = /etc/security/audit/bincmds

    stream:
         cmds = /etc/security/audit/streamcmds
    
  3. Add the following events to all Change Guardian users:

    • FS_Mount
    • FILE_Unlinkat
    • CRON_Finish
    • FILE_Linkat
    • CRON_JobRemove
    • PROC_Kill
    • PROC_Execute
    • FILE_Unlink
    • FILE_Rename
    • FILE_Fchown
    • FILE_Owner
    • FILE_Close
    • USER_Chpass
    • FILE_Symlinkat
    • USER_Change
    • FILE_Symlink
    • PROC_LPExecute
    • FILE_Open
    • FILE_Mknodat
    • FILE_Dupfd
    • FILE_Chmod
    • FILE_Renameat
    • USER_Create
    • GROUP_Create
    • FS_Chdir
    • FS_Umount
    • FILE_Chown
    • FILE_Fchownat
    • GROUP_Change
    • PROC_Create
    • USER_Remove
    • FILE_Fchmod
    • PROC_Adjtime
    • CRON_JobAdd
    • FILE_Utimes
    • PROC_Delete
    • FILE_Openxat
    • GROUP_Remove
    • FILE_Fchmodat
    • FILE_Mode
    • PROC_Settimer
    • FILE_Mknod
    • CRON_Start
    • FILE_Link
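The following POSIX sh script is an added example and is not part of the Change Guardian documentation or product. It generates the classes: and users: stanzas that make the events listed in step 3 auditable for the users you name, and checks an existing /etc/security/audit/config for the settings steps 1 and 2 require. The class name cgaudit and the function names are assumptions; the config file is passed in as a parameter so the checks can be run against a copy before it is installed.

```shell
#!/bin/sh
# Added example (not Change Guardian's own code). Assumed class name: cgaudit.

# Events Change Guardian requires, copied from the list in step 3.
CG_EVENTS="FS_Mount FILE_Unlinkat CRON_Finish FILE_Linkat CRON_JobRemove PROC_Kill \
PROC_Execute FILE_Unlink FILE_Rename FILE_Fchown FILE_Owner FILE_Close USER_Chpass \
FILE_Symlinkat USER_Change FILE_Symlink PROC_LPExecute FILE_Open FILE_Mknodat \
FILE_Dupfd FILE_Chmod FILE_Renameat USER_Create GROUP_Create FS_Chdir FS_Umount \
FILE_Chown FILE_Fchownat GROUP_Change PROC_Create USER_Remove FILE_Fchmod \
PROC_Adjtime CRON_JobAdd FILE_Utimes PROC_Delete FILE_Openxat GROUP_Remove \
FILE_Fchmodat FILE_Mode PROC_Settimer FILE_Mknod CRON_Start FILE_Link"

# Number of required events (44 for the list above).
cg_event_count() {
  set -- $CG_EVENTS
  echo "$#"
}

# Print a classes: stanza defining one audit class that holds every required
# event, comma-separated on one line as AIX stanza files expect.
cg_classes_stanza() {
  class="${1:-cgaudit}"
  printf 'classes:\n\t%s = %s\n' "$class" "$(echo "$CG_EVENTS" | tr ' ' ',')"
}

# Print a users: stanza assigning that class to each user named after it,
# e.g. cg_users_stanza cgaudit root cguser
cg_users_stanza() {
  class="$1"; shift
  printf 'users:\n'
  for u in "$@"; do
    printf '\t%s = %s\n' "$u" "$class"
  done
}

# Check a config file for the settings steps 1 and 2 require: binmode off,
# streammode on, a stream: stanza, and a cmds line pointing at streamcmds.
# Returns 0 when all are present; otherwise prints each missing item and
# returns 1. Whitespace around "=" is tolerated because stanza files are
# indented with tabs or spaces. (It does not verify that the cmds line sits
# under stream: rather than bin:; read the file if this check reports it ok.)
cg_check_config() {
  f="$1"; rc=0
  for want in 'binmode *= *off' 'streammode *= *on' 'stream:' \
              'cmds *= */etc/security/audit/streamcmds'; do
    if ! grep -Eq "^[[:space:]]*$want" "$f"; then
      echo "missing: $want"; rc=1
    fi
  done
  return $rc
}

# Print every required event that no class line in the config lists.
# The pattern anchors on the separators so FILE_Open does not match FILE_Openxat.
cg_missing_events() {
  f="$1"
  for ev in $CG_EVENTS; do
    grep -Eq "(=|,)[[:space:]]*$ev"'([[:space:]]*,|[[:space:]]*$)' "$f" || echo "$ev"
  done
}
```

Typical use is to append the output of cg_classes_stanza and cg_users_stanza to a copy of /etc/security/audit/config, run cg_check_config and cg_missing_events against that copy, and only then install it and restart auditing with audit shutdown followed by audit start so the new class takes effect.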

If a previous attempt to set up auditing on your AIX computer failed, remove all files in the /etc/security/audit folder except the trail, stream.out, and bin files before trying again.