This section provides information about auditing on UNIX computers.
The auditing subsystem on AIX computers stores its files in the /etc/security/audit directory. Enable audit streaming, but because streaming all events can consume too much memory or processor time, switch on only the minimum required auditing.
The minimum auditing that Change Guardian requires is as follows:
Add the following line to the /etc/security/audit/config and /etc/security/audit/streamcmds files:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /audit/stream.out&
Ensure that the /etc/security/audit/config file includes the following stanzas (the class names under classes: are case-sensitive and must match the names referenced under users:):
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Fchdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir,FILE_Symlink,USER_Exit,PROC_Create,PROC_Delete,FILE_Fchmod,FS_Rmdir,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,USER_Remove,USER_Create,USER_Chpass,USER_Change,FS_Mount,FS_Umount,FILE_Unlinkat,FILE_Symlinkat
        kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri,PROC_Setpri,PROC_Privilege,PROC_Settimer,PROC_LPExecute,PROC_Adjtime,PROC_Kill
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename,FILE_Owner,FILE_Mode,FILE_Acl,FILE_Privilege,DEV_Create,FILE_Dupfd,FILE_Chmod,FILE_Chown,FILE_Utimes,FILE_Truncate,FILE_Mknod,FILE_Symlink,FILE_Unlinkat,FILE_Fchownat,FILE_Linkat,FILE_Fchown,FILE_Symlinkat,FILE_Openxat,FILE_Mknodat,FILE_Renameat,FILE_Fchownat,FILE_Fchmod,FILE_Fchown,FILE_Fchmodat
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish

users:
        root = general,kernel,files,cron
        default = general,kernel,files,cron

role:

The /etc/security/audit/streamcmds file contains the auditstream command line:
/usr/sbin/auditstream | /usr/sbin/auditpr -t 0 -r -v -helRtcrpPTh >> /usr/audit/stream.out&
Ensure that the /etc/security/audit/events file contains the following:
FS_Mount
FILE_Unlinkat
CRON_Finish
FILE_Linkat
CRON_JobRemove
PROC_Kill
PROC_Execute
FILE_Unlink
FILE_Rename
FILE_Fchown
FILE_Owner
FILE_Close
USER_Chpass
FILE_Symlinkat
USER_Change
FILE_Symlink
PROC_LPExecute
FILE_Open
FILE_Mknodat
FILE_Dupfd
FILE_Chmod
FILE_Renameat
USER_Create
GROUP_Create
FS_Chdir
FS_Umount
FILE_Chown
FILE_Fchownat
GROUP_Change
PROC_Create
USER_Remove
FILE_Fchmod
PROC_Adjtime
CRON_JobAdd
FILE_Utimes
PROC_Delete
FILE_Openxat
GROUP_Remove
FILE_Fchmodat
FILE_Mode
PROC_Settimer
FILE_Mknod
CRON_Start
FILE_Link
NOTE: If your attempt to set up auditing on your AIX computer is not successful, remove all files in the /etc/security/audit directory except the trail file, the stream.out file, and the bin directory, and then repeat the setup.
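Before starting the AIX audit subsystem it is worth confirming that the config and events files actually match the minimum above: a class referenced under users: that is not defined under classes: (for example a case mismatch) silently audits nothing for that user, and an event with no entry in the events file cannot be formatted by auditpr. The POSIX shell script below is an added example, not part of the Change Guardian documentation or of AIX; it checks both conditions against constructed sample files in a temporary directory rather than the live /etc/security/audit, and the event list it uses is exactly the one the page requires.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): sanity-check an
# AIX audit configuration against the minimum the page asks for.
#   undefined_classes CONFIG  - classes named under users: with no definition
#                               under classes: (stanza names are case-sensitive)
#   missing_events EVENTS     - required event names with no "NAME = ..." entry
# Each prints one problem per line and returns 1 if it found any.

# Event names the page requires in /etc/security/audit/events.
REQUIRED_EVENTS="FS_Mount FILE_Unlinkat CRON_Finish FILE_Linkat CRON_JobRemove \
PROC_Kill PROC_Execute FILE_Unlink FILE_Rename FILE_Fchown FILE_Owner FILE_Close \
USER_Chpass FILE_Symlinkat USER_Change FILE_Symlink PROC_LPExecute FILE_Open \
FILE_Mknodat FILE_Dupfd FILE_Chmod FILE_Renameat USER_Create GROUP_Create FS_Chdir \
FS_Umount FILE_Chown FILE_Fchownat GROUP_Change PROC_Create USER_Remove FILE_Fchmod \
PROC_Adjtime CRON_JobAdd FILE_Utimes PROC_Delete FILE_Openxat GROUP_Remove \
FILE_Fchmodat FILE_Mode PROC_Settimer FILE_Mknod CRON_Start FILE_Link"

undefined_classes() {
    awk '
        # A line of the form "name:" opens a new stanza.
        /^[ \t]*[A-Za-z_]+:[ \t]*$/ { s = $0; gsub(/[ \t:]/, "", s); section = s; next }
        # classes: stanza -> record each defined class name.
        section == "classes" && /=/ { k = $0; sub(/[ \t]*=.*/, "", k); gsub(/[ \t]/, "", k); defined[k] = 1 }
        # users: stanza -> record every class that any user references.
        section == "users" && /=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[ \t]/, "", v)
            n = split(v, cls, ",")
            for (i = 1; i <= n; i++) if (cls[i] != "") referenced[cls[i]] = 1
        }
        END {
            for (c in referenced) if (!(c in defined)) { print c; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

missing_events() {
    awk -v want="$REQUIRED_EVENTS" '
        # Event entries look like:  FILE_Open = printf "..."
        /^[ \t]*[A-Za-z_]+[ \t]*=/ { e = $0; sub(/[ \t]*=.*/, "", e); gsub(/[ \t]/, "", e); present[e] = 1 }
        END {
            n = split(want, ev)
            for (i = 1; i <= n; i++) if (!(ev[i] in present)) { print ev[i]; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# Demonstration on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    # Constructed config: the class is defined as "Kernel" but referenced as "kernel".
    printf 'start:\n\tbinmode = off\n\tstreammode = on\nclasses:\n\tgeneral = USER_SU,FS_Mount\n\tKernel = PROC_Create,PROC_Kill\nusers:\n\troot = general,kernel\n' > "$d/config"
    # Constructed events file carrying only two of the required entries.
    printf 'auditpr:\n\tFS_Mount = printf "%%s"\n\tPROC_Kill = printf "%%s"\n' > "$d/events"
    echo "classes referenced but not defined:"; undefined_classes "$d/config"
    echo "required events not in events file (first 3):"; missing_events "$d/events" | head -n 3
    rm -rf "$d"
}
demo
```

Run it with the real paths (`undefined_classes /etc/security/audit/config; missing_events /etc/security/audit/events`) on the AIX host after editing the files; a clean run prints nothing and returns 0.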
The auditing subsystem on HP-UX computers stores its configuration in the /etc/rc.config.d directory. You must process audit trail events. Ensure that the /etc/rc.config.d/auditing file contains the following lines:
AUDITING=1
PRI_AUDFILE=/.secure/etc/audfile1
PRI_SWITCH=1000
SEC_AUDFILE=/.secure/etc/audfile2
SEC_SWITCH=1000
AUDEVENT_ARGS1=" -P -F -e admin -s exit -s kill -s vfsmount -s rename -s unlink -s creat -s symlink -s fchown -s execv -s stime -s link -s settimeofday -s mount -s clock_settime -s fchmod -s lchown -s umount2 -s chmod -s execve -s chown -s open -s umount -s fork -s mknod -s vfork -s chdir -s adjtime -s mkdir -s rmdir "
AUDEVENT_ARGS2=" "
AUDEVENT_ARGS3=" "
AUDEVENT_ARGS4=" "
AUDOMON_ARGS=" -p 20 -t 1 -w 90"
The Solaris 10 operating system has a different auditing subsystem than Solaris 11.
On computers running Solaris 10, perform the following steps:
Enable the Basic Security Module so that it starts after a reboot by running ./bsmconv from the /etc/security directory.
Ensure that the /etc/security/audit_control file contains the following lines:
flags: ua,fm,cl,pc,fw,fr,ad,as,fc,ps,fd,nf
naflags: fm,cl,pc,fw,fr,as,ad,fc,ps,fd,nf
minfree:20
dir:/var/audit
For Solaris 11, set the auditing flags by running the following commands:
auditconfig -setflags pm,ps,ua,as,fd,fc,fm,fw,fr
auditconfig -setnaflags pm,ps,ua,as,fd,fc,fm,fw,fr
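The Solaris 10 step above depends on the flags: and naflags: lines of audit_control carrying every class in the required sets, and a class written with a "+" (success only) or "-" (failure only) prefix audits only half of what is needed. The POSIX shell script below is an added example, not part of the Change Guardian documentation or of Solaris; it parses an audit_control file, reports required classes that are missing from each line, and runs on a constructed sample file in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the Change Guardian documentation): check a Solaris 10
# /etc/security/audit_control file for the audit classes the page requires.
#   missing_classes FILE KEY REQUIRED
# prints each class from REQUIRED absent from the comma-separated "KEY:" line
# (KEY is flags or naflags) and returns 1 if any were missing. A class carrying a
# "+" or "-" prefix is recorded with the prefix, so it does not satisfy the
# unprefixed requirement: the page asks for both success and failure auditing.

# The sets the page requires for Solaris 10.
REQUIRED_FLAGS="ua fm cl pc fw fr ad as fc ps fd nf"
REQUIRED_NAFLAGS="fm cl pc fw fr as ad fc ps fd nf"

missing_classes() {
    awk -v key="$2" -v want="$3" '
        # Match "KEY:" at the start of the line, then split its value on commas.
        index($0, key ":") == 1 {
            v = substr($0, length(key) + 2); gsub(/[ \t]/, "", v)
            n = split(v, cls, ",")
            for (i = 1; i <= n; i++) present[cls[i]] = 1
        }
        END {
            n = split(want, req)
            for (i = 1; i <= n; i++) if (!(req[i] in present)) { print req[i]; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# check_audit_control FILE: run both checks; returns 0 only when both pass.
check_audit_control() {
    rc=0
    missing_classes "$1" flags "$REQUIRED_FLAGS" || rc=1
    missing_classes "$1" naflags "$REQUIRED_NAFLAGS" || rc=1
    return $rc
}

# Demonstration on a constructed audit_control: flags lacks cl, naflags has pc
# restricted to failures only.
demo() {
    d=$(mktemp -d)
    printf 'flags: ua,fm,pc,fw,fr,ad,as,fc,ps,fd,nf\nnaflags: fm,cl,-pc,fw,fr,as,ad,fc,ps,fd,nf\nminfree:20\ndir:/var/audit\n' > "$d/audit_control"
    echo "missing from flags:";   missing_classes "$d/audit_control" flags "$REQUIRED_FLAGS"
    echo "missing from naflags:"; missing_classes "$d/audit_control" naflags "$REQUIRED_NAFLAGS"
    rm -rf "$d"
}
demo
```

On a Solaris 10 host, `check_audit_control /etc/security/audit_control` returns 0 and prints nothing when both lines carry the required classes; any other result names the classes still to be added before the file matches the lines shown above.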