9.1 Configuring a UNIX Auditing Subsystem

This section provides information about auditing on UNIX computers.

9.1.1 Configuring the AIX Audit Subsystem

The AIX auditing subsystem keeps its configuration in the /etc/security/audit directory. Change Guardian reads events from the audit stream, so enable stream mode. Streaming every event can consume excessive memory and processor time, so switch on only the minimum auditing required.

The minimum auditing configuration Change Guardian requires is as follows:

  1. Add the following line to the /etc/security/audit/streamcmds file (the stream: stanza of /etc/security/audit/config points to this file). The path after >> is where the formatted stream is written; keep it consistent wherever you refer to stream.out:

    /usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/stream.out&
  2. Ensure that the /etc/security/audit/config file contains the following stanzas. Class names are matched exactly, so the names listed under users: must be spelled the same as the names defined under classes:. Note that the files class includes FILE_Read and FILE_Write, which are the highest-volume events on a busy system:

    start:
         binmode = off
         streammode = on
    bin:
         trail = /audit/trail
         bin1 = /audit/bin1
         bin2 = /audit/bin2
         binsize = 10240
         cmds = /etc/security/audit/bincmds
    stream:
         cmds = /etc/security/audit/streamcmds
    classes:
         general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Fchdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,FILE_Symlink,USER_Exit,PROC_Create,PROC_Delete,FILE_Fchmod,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,USER_Remove,USER_Create,USER_Chpass,USER_Change,FS_Mount,FS_Umount,FILE_Unlinkat,FILE_Symlinkat
         kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer,PROC_LPExecute,PROC_Adjtime,PROC_Kill
         files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,FILE_Dupfd,FILE_Chmod,FILE_Chown,FILE_Utimes,FILE_Truncate,FILE_Mknod,FILE_Symlink,FILE_Unlinkat,FILE_Fchownat,FILE_Linkat,FILE_Fchown,FILE_Symlinkat,FILE_Openxat,FILE_Mknodat,FILE_Renameat,FILE_Fchmod,FILE_Fchmodat
         cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
    users:
         root = general,kernel,files,cron
         default = general,kernel,files,cron
    role:
  3. Ensure that the /etc/security/audit/events file defines each of the following events. The file has a single auditpr: stanza with one entry of the form EVENT = printf "..." per event, which auditpr uses to format the tail of each record:

    • FS_Mount

    • FILE_Unlinkat

    • CRON_Finish

    • FILE_Linkat

    • CRON_JobRemove

    • PROC_Kill

    • PROC_Execute

    • FILE_Unlink

    • FILE_Rename

    • FILE_Fchown

    • FILE_Owner

    • FILE_Close

    • USER_Chpass

    • FILE_Symlinkat

    • USER_Change

    • FILE_Symlink

    • PROC_LPExecute

    • FILE_Open

    • FILE_Mknodat

    • FILE_Dupfd

    • FILE_Chmod

    • FILE_Renameat

    • USER_Create

    • GROUP_Create

    • FS_Chdir

    • FS_Umount

    • FILE_Chown

    • FILE_Fchownat

    • GROUP_Change

    • PROC_Create

    • USER_Remove

    • FILE_Fchmod

    • PROC_Adjtime

    • CRON_JobAdd

    • FILE_Utimes

    • PROC_Delete

    • FILE_Openxat

    • GROUP_Remove

    • FILE_Fchmodat

    • FILE_Mode

    • PROC_Settimer

    • FILE_Mknod

    • CRON_Start

    • FILE_Link

NOTE: If setting up auditing on the AIX computer fails, remove all files in the /etc/security/audit directory except the trail and stream.out files and the bin directory, then repeat the configuration.
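The config and events files above are plain stanza files, and the audit subsystem does not warn you when they disagree with each other. The following script is an added example (not part of the Change Guardian documentation or product) that cross-checks a config file against an events file before you run audit start. It parses the stanzas with awk and reports three mistakes that are easy to make while editing: streammode left off, a users: entry naming a class that is not defined under classes: (names must match exactly, so a class defined as Kernel is not found for a user assigned kernel), and a class member that has no entry in the events file. All file contents are constructed fixtures, and FILE_Frobnicate is a made-up event name used only to make the third check fire.

```shell
#!/bin/sh
# Added example, not part of the Change Guardian documentation or the product:
# cross-check an AIX /etc/security/audit/config against the events file before
# running "audit start". It flags streammode left off, a users: entry that names
# a class not defined under classes: (names must match exactly, so "Kernel" is
# not "kernel"), and a class member with no entry in the events file.
# All file contents below are constructed fixtures; "FILE_Frobnicate" is a
# made-up event name used to show the third check firing.

# Print "key value" for every "key = value" line inside stanza $2 of file $1.
# Stanza headers are lines of the form "name:" (start:, classes:, users:, ...).
stanza_pairs() {
  awk -v want="$2" '
    /^[ \t]*[A-Za-z_]+:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
    cur == want && index($0, "=") {
      n = index($0, "=")
      key = substr($0, 1, n - 1); val = substr($0, n + 1)
      gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
      if (key != "") print key, val
    }' "$1"
}

# Print one line per problem found in config $1 / events file $2.
# Returns 0 when the configuration is consistent, 1 otherwise.
check_aix_audit_config() {
  findings=$(
    stanza_pairs "$1" start | grep -qx 'streammode on' ||
      echo "start: streammode is not on, streamcmds will never run"
    defined=$(stanza_pairs "$1" classes | awk '{ print $1 }')
    stanza_pairs "$1" users | while read -r user list; do
      for cls in $(printf '%s' "$list" | tr ',' ' '); do
        printf '%s\n' "$defined" | grep -qx "$cls" ||
          echo "users: $user references undefined class $cls"
      done
    done
    known=$(stanza_pairs "$2" auditpr | awk '{ print $1 }')
    stanza_pairs "$1" classes | while read -r cls list; do
      for ev in $(printf '%s' "$list" | tr ',' ' '); do
        printf '%s\n' "$known" | grep -qx "$ev" ||
          echo "classes: $cls lists $ev, which the events file does not define"
      done
    done
  )
  [ -n "$findings" ] && printf '%s\n' "$findings"
  [ -z "$findings" ]
}

# Constructed fixtures (abridged versions of the files shown in this section).
demo_dir=${TMPDIR:-/tmp}/aix-audit-check.$$
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/events" <<'EOF'
* constructed, abridged /etc/security/audit/events fixture
auditpr:
USER_SU = printf "%s"
FILE_Unlink = printf "filename %s"
FS_Mkdir = printf "mode: %o dir: %s"
PROC_Create = printf "forked child process %d"
PROC_Execute = printf "euid: %d egid: %d epriv: %x:%x name %s"
EOF

cat > "$demo_dir/config.good" <<'EOF'
start:
        binmode = off
        streammode = on
stream:
        cmds = /etc/security/audit/streamcmds
classes:
        general = USER_SU,FILE_Unlink,FS_Mkdir
        kernel = PROC_Create,PROC_Execute
users:
        root = general,kernel
        default = general,kernel
EOF

# The same file with the three mistakes described above.
sed -e 's/streammode = on/streammode = off/' \
    -e 's/^\( *\)kernel = /\1Kernel = /' \
    -e 's/FS_Mkdir/FILE_Frobnicate/' "$demo_dir/config.good" > "$demo_dir/config.bad"

echo "== config.good"; check_aix_audit_config "$demo_dir/config.good" "$demo_dir/events" && echo "consistent"
echo "== config.bad";  check_aix_audit_config "$demo_dir/config.bad"  "$demo_dir/events" || echo "fix these before audit start"
```

Run it against the real files with check_aix_audit_config /etc/security/audit/config /etc/security/audit/events; a non-zero exit means at least one finding was printed. The parser only understands the one-line "key = value" layout used in this section, which is also the layout the shipped AIX files use.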

9.1.2 Configuring the HP-UX Audit Subsystem

The HP-UX auditing subsystem is configured through the /etc/rc.config.d/auditing file, and Change Guardian processes the audit trail events it produces. Ensure that /etc/rc.config.d/auditing contains the following settings (AUDEVENT_ARGS1 is a single line; the -s options select the system calls to audit):

AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e admin -s exit -s kill -s vfsmount -s rename -s unlink -s creat -s symlink -s fchown -s execv -s stime -s link -s settimeofday -s mount -s clock_settime -s fchmod -s lchown -s umount2 -s chmod -s execve -s chown -s open -s umount -s fork -s mknod -s vfork -s chdir -s adjtime -s mkdir -s rmdir "
AUDEVENT_ARGS2=" "
AUDEVENT_ARGS3=" "
AUDEVENT_ARGS4=" "
AUDOMON_ARGS=" -p 20 -t 1 -w 90"

9.1.3 Configuring the Solaris Auditing Subsystem

Solaris 10 and Solaris 11 use different auditing subsystems, so the configuration steps differ.

On computers running Solaris 10, perform the following steps:

  1. Enable the Basic Security Module (BSM), so that auditing is active after every reboot, by running ./bsmconv from the /etc/security directory, then reboot the computer.

  2. Ensure that the /etc/security/audit_control file contains the following lines:

    flags: ua,fm,cl,pc,fw,fr,ad,as,fc,ps,fd,nf
    naflags: fm,cl,pc,fw,fr,as,ad,fc,ps,fd,nf
    minfree:20
    dir:/var/audit

On computers running Solaris 11, set the audit flags by running the following commands. The -setflags value applies to attributable events (those tied to a user), and the -setnaflags value to non-attributable events:

auditconfig -setflags pm,ps,ua,as,fd,fc,fm,fw,fr
auditconfig -setnaflags pm,ps,ua,as,fd,fc,fm,fw,fr
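Both the HP-UX settings and the Solaris flags are lists that must contain everything this section asks for, and a single missing syscall or class silently leaves a gap in the trail. The following script is an added example (not part of the Change Guardian documentation or product) that checks an HP-UX /etc/rc.config.d/auditing file and the output of a Solaris 11 auditconfig -getflags run against the required lists. The file contents are constructed fixtures. The Solaris output layout ("active user default audit flags = <flags>(<mask>,<mask>)") is assumed from what auditconfig prints, and the masks shown are placeholders rather than real values.

```shell
#!/bin/sh
# Added example, not part of the Change Guardian documentation or the product:
# verify that an HP-UX /etc/rc.config.d/auditing file and a Solaris 11
# "auditconfig -getflags" listing select everything the section above asks for.
# The file contents are constructed fixtures. The Solaris output layout
# ("active user default audit flags = <flags>(<mask>,<mask>)") is assumed from
# what auditconfig prints; the masks here are placeholders, not real values.

# Print every item in $1 that is absent from $2 (both space-separated lists).
missing_items() {
  for want in $1; do
    found=0
    for have in $2; do [ "$have" = "$want" ] && found=1; done
    [ "$found" -eq 1 ] || echo "$want"
  done
}

# HP-UX: is AUDITING=1 set in the file?
hpux_enabled() { grep -qx 'AUDITING=1' "$1"; }

# HP-UX: the system calls selected with "-s" in AUDEVENT_ARGS1.
hpux_selected_syscalls() {
  sed -n 's/^AUDEVENT_ARGS1=//p' "$1" | tr -d '"' |
    awk '{ for (i = 1; i < NF; i++) if ($i == "-s") printf "%s ", $(i + 1); print "" }'
}

# Solaris 11: the active user default flags from "auditconfig -getflags" output.
solaris_active_flags() {
  sed -n 's/^active user default audit flags = //p' "$1" | sed 's/(.*//' | tr ',' ' '
}

# What the section above requires.
HPUX_REQUIRED="exit kill vfsmount rename unlink creat symlink fchown execv stime link settimeofday mount clock_settime fchmod lchown umount2 chmod execve chown open umount fork mknod vfork chdir adjtime mkdir rmdir"
SOLARIS_REQUIRED="pm ps ua as fd fc fm fw fr"

demo_dir=${TMPDIR:-/tmp}/audit-flags-check.$$
mkdir -p "$demo_dir"
trap 'rm -rf "$demo_dir"' EXIT

# HP-UX fixture as documented, plus a variant with auditing off and execve dropped.
cat > "$demo_dir/auditing.good" <<'EOF'
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e admin -s exit -s kill -s vfsmount -s rename -s unlink -s creat -s symlink -s fchown -s execv -s stime -s link -s settimeofday -s mount -s clock_settime -s fchmod -s lchown -s umount2 -s chmod -s execve -s chown -s open -s umount -s fork -s mknod -s vfork -s chdir -s adjtime -s mkdir -s rmdir "
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
EOF
sed -e 's/^AUDITING=1/AUDITING=0/' -e 's/ -s execve//' "$demo_dir/auditing.good" > "$demo_dir/auditing.bad"

# Solaris fixture: a host where "pm" was never added to the flags.
cat > "$demo_dir/getflags.out" <<'EOF'
active user default audit flags = lo,ps,ua,as,fd,fc,fm,fw,fr(0x0,0x0)
configured user default audit flags = lo,ps,ua,as,fd,fc,fm,fw,fr(0x0,0x0)
EOF

for f in auditing.good auditing.bad; do
  hpux_enabled "$demo_dir/$f" && state=on || state=off
  echo "$f: AUDITING $state; missing syscalls: $(missing_items "$HPUX_REQUIRED" "$(hpux_selected_syscalls "$demo_dir/$f")")"
done
echo "getflags.out: missing flags: $(missing_items "$SOLARIS_REQUIRED" "$(solaris_active_flags "$demo_dir/getflags.out")")"
```

On a live Solaris 11 host, feed the checker with auditconfig -getflags > /tmp/getflags.out; on HP-UX point hpux_selected_syscalls at /etc/rc.config.d/auditing. The comparison is exact, so execv and execve are treated as the two distinct syscalls they are.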