Please consider this configuration:
1. On /etc/security/audit/config file:
we have switched off binmode and activated streammode
start:
binmode = off
streammode = on
and we have defined soa class with:
soa = TCPIP_connect,USER_Login,PORT_Locked,TERM_Logout,USER_Exit,USER_Logout,PORT_Change,USER_Change,USER_Remove,USER_Create,USER_SetGroups,USER_SU,GROUP_User,GROUP_Adms,GROUP_Change,GROUP_Create,GROUP_Remove,PASSWORD_Change,PASSWORD_Flags,AT_JobAdd,AT_JobRemove,CRON_Start,CRON_Finish,CRON_JobAdd,CRON_JobRemove,USER_Reboot,PROC_Reboot
2. On /etc/security/audit/streamcmds file we have inserted:
/usr/sbin/auditstream |auditpr -v -t0 -helRcrpP| perl -ne 'BEGIN{$|=1;}chomp;$S=$_;$_=<>;print $S,$_;' | logger -pauth.info -t "AIX" &
we have used perl to aggregate the logs, because AIX awk does not have a flush function
3. On /etc/syslog.conf we have inserted:
auth.info @x.x.x.x
After all that, run:
# audit shutdown
# audit start
and this script, which associates all defined system users with the class 'soa':
#!/usr/bin/ksh
#
# Author: Amedeo Salvati <[EMAIL PROTECTED]>
# Date: 26/07/2006 dd/mm/yyyy
#
# Parse the /etc/passwd file, read all users defined on the
# system and then launch, for each of them:
# chuser auditclasses=$CLASS $USER
#
CHUSER=/usr/bin/chuser
PASSWD=/etc/passwd
CLASS="soa"
# the first colon-separated field of each /etc/passwd line is the user name
USERS=`awk ' BEGIN { FS=":" } { print $1 } ' $PASSWD`
# loop over the users and assign the audit class to each one
if [ -n "$USERS" ] ; then
    for USER in $USERS; do
        $CHUSER auditclasses=$CLASS $USER > /dev/null 2>&1
    done
fi
#
# EOF
- Workaround:
1. Events from sshd don't log TCPIP_connect, user exit and others (the audit module logs this information only from inetd)
2. we receive events from the tcpip class in the special case TCPIP_data_out, but we have not defined it!
If somebody knows any solution, please let me know.
best regards
amedeo
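An added example (not part of the original post) for the receiving side: a small Python triage script for the lines this pipeline forwards to the central syslog host. It assumes the joined auditpr -helRcrpP fields arrive whitespace-separated in option order (event, login, status, command, real user, pid, ppid, then the -v detail) after the syslog prefix and the "AIX" logger tag; the sample lines are constructed, and the class list is the one from the config above.

```python
import re
from collections import Counter

# Events the post's "soa" class is defined with (from /etc/security/audit/config).
SOA_EVENTS = set("""TCPIP_connect USER_Login PORT_Locked TERM_Logout USER_Exit USER_Logout
PORT_Change USER_Change USER_Remove USER_Create USER_SetGroups USER_SU GROUP_User GROUP_Adms
GROUP_Change GROUP_Create GROUP_Remove PASSWORD_Change PASSWORD_Flags AT_JobAdd AT_JobRemove
CRON_Start CRON_Finish CRON_JobAdd CRON_JobRemove USER_Reboot PROC_Reboot""".split())

WATCHED = {"USER_SU", "PASSWORD_Change", "USER_Create", "USER_Remove", "USER_SetGroups", "GROUP_Adms"}  # successful ones still worth review

# Constructed sample of what the syslog host receives: syslog prefix, the "AIX" tag from logger,
# then the auditpr header fields in -helRcrpP order and the -v detail (assumed layout).
SAMPLE_LOG = """\
Aug 23 11:42:01 aixhost AIX: USER_SU alice OK su alice 123456 123400 root
Aug 23 11:42:05 aixhost AIX: USER_SU bob FAIL su bob 123457 123401 root
Aug 23 11:42:09 aixhost AIX: PASSWORD_Change root OK passwd root 123458 123402 bob
Aug 23 11:42:12 aixhost AIX: USER_Login carol FAIL tsm carol 123459 123403 /dev/pts/3
Aug 23 11:42:15 aixhost AIX: TCPIP_data_out nobody OK telnetd nobody 123460 123404 unexpected
"""

SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+AIX:\s+(.*)$")
FIELDS = ("event", "login", "status", "command", "real", "pid", "ppid")

def parse_line(line):
    """Return a dict for one forwarded audit record, or None if the line is not one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, body = m.groups()
    parts = body.split(None, len(FIELDS))        # keep the detail tail as one string
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["host"] = host
    rec["detail"] = parts[len(FIELDS)] if len(parts) > len(FIELDS) else ""
    return rec

def triage(log_text):
    """Flag events outside the configured class and successful privileged changes; count failures."""
    alerts, failures = [], Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] not in SOA_EVENTS:        # the TCPIP_data_out surprise described above
            alerts.append(("unexpected-event", rec["event"], rec["login"]))
        if rec["status"] != "OK":
            failures[(rec["event"], rec["login"])] += 1
        elif rec["event"] in WATCHED:
            alerts.append(("privileged-change", rec["event"], rec["login"]))
    return alerts, failures
```

Running triage(SAMPLE_LOG) returns three alerts (the two successful privileged changes and the undefined TCPIP_data_out event) plus one failure each for bob's su and carol's login.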
Date: Wed, Aug 23 2006 11:42 am
From: "Meir Michanie"
I am interested in the IBM/AIX
> If anyone wants it, I have made the same configuration/scripts for IBM AIX,
> please let me know if someone is interested in it...
>
> amedeo
>
>
