Combining audit and syslog

February 4, 2013

Hello all. It has been much too long since I last wrote on SecuringAIX. My apologies. This has not been for lack of something to write about—I have been hoping to have a bit more to say.

So, a short blog to get me started again in 2013!

While visiting a customer, I was asked about combining audit with syslog. The basic steps are easy, and I’ll show them here. The harder part is getting the classes defined properly so you don’t get swamped by too many messages.

The basic steps are to edit /etc/security/audit/config, set streammode = on, and point the stream stanza at an improved streamcmds file. As an example, an excerpt of my config file looks like this:

start:
        binmode = on
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 102400
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

stream:
        cmds = /etc/security/audit/streams.004

The streams.004 file then looks like this:

auditstream -m -c general | tee -a /audit/general.bin | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &
auditstream -m -c files      >>/audit/files.bin &
auditstream -m -c tcpip      >>/audit/tcpip.bin &

Note that every command in the streamcmds file starts with auditstream, and every one ends with & so that it runs in the background. If they do not, audit start does not complete.

In addition, each auditstream command must be written on a single line (no \ escapes at the end of a line for formatting). Otherwise the command audit start hangs or returns with an error.
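As an added check that is not part of the original post or of AIX, here is a small POSIX shell function that enforces those two rules (every non-blank line starts with auditstream, is a single physical line, and ends with &) on a streamcmds file before you run audit start. The two sample files it writes are constructed for the demonstration; the "good" one mirrors the streams.004 shown above.

```shell
#!/bin/sh
# Validate an AIX audit streamcmds file against the constraints described in
# the post: each non-blank line must start with auditstream, must not be wrapped
# with a trailing backslash, and must end with & so it runs in the background.
# Prints one diagnostic per problem; returns 0 if the file is clean, 1 otherwise.
check_streamcmds() {
    file=$1 rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$trimmed" ] && continue        # blank lines are harmless
        case $trimmed in
            auditstream*) ;;
            *) echo "$file:$n: command does not start with auditstream"; rc=1 ;;
        esac
        case $trimmed in
            *\\) echo "$file:$n: trailing backslash; each command must be a single line"; rc=1 ;;
            *\&) ;;
            *) echo "$file:$n: missing trailing &; command would not run in the background"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Constructed sample files (not taken from a real system) for the demonstration.
write_samples() {
    dir=$1
    # Same shape as the streams.004 file above: every line is well formed.
    cat > "$dir/good" <<'EOF'
auditstream -m -c general | auditselect -e "result==FAIL && command!=java" | auditpr -v | logger -p local1.warn -t audit &
auditstream -m -c files      >>/audit/files.bin &
auditstream -m -c tcpip      >>/audit/tcpip.bin &
EOF
    # The two mistakes the post warns about: a wrapped command and a missing &.
    cat > "$dir/bad" <<'EOF'
auditstream -m -c general | auditselect -e "result==FAIL" | \
    auditpr -v | logger -p local1.warn -t audit &
auditstream -m -c files >>/audit/files.bin
EOF
}

dir=${TMPDIR:-/tmp}/streamcmds-check.$$
mkdir -p "$dir" && write_samples "$dir"
check_streamcmds "$dir/good" && echo "good: OK"
check_streamcmds "$dir/bad" || echo "bad: problems found, fix before running audit start"
```

The wrapped command in the "bad" file produces two diagnostics (the backslash on the first line and a second line that does not start with auditstream), and the last line a third.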

Sample output in the syslog file looks like this:

Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Open       root     FAIL        Wed Jan 30 23:07:03 2013 date
Jan 30 23:07:03 x054 local1:warn|warning audit:         flags: 0 mode: 0 fd: 3 filename /usr/share/lib/zoneinfo//posixrules
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat       root     FAIL        Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit:         cmd: 10 filename: /var/log/blockip/noact.log
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat       michael  FAIL        Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit:         cmd: 0 filename: /usr/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat       michael  FAIL        Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit:         cmd: 0 filename: /opt/bin/audit
Jan 30 23:07:03 x054 local1:warn|warning audit: FILE_Stat       michael  FAIL        Wed Jan 30 23:07:03 2013 ksh
Jan 30 23:07:03 x054 local1:warn|warning audit:         cmd: 0 filename: /etc/audit
Jan 30 23:13:17 x054 auth|security:info sshd[8323294]: Bad protocol version identification 'abcd' from 192.168.129.121

The last entry is from the application sshd writing to the auth syslog facility rather than to local1, which the audit pipeline uses.
