Archive for June 17th, 2012

...

Auditing an Object


Question

How can I audit a specific command or file on AIX?

Cause

Need to know which user or process is executing a command or opening a file for READ or WRITE.

Answer

The following steps can be used to configure AIX Auditing to audit individual files (including commands) for READ, WRITE and/or EXEC access.

1) Make changes to the audit config file to enable streammode auditing…

# vi /etc/security/audit/config

start:
binmode = off
streammode = on

With streammode, you will immediately get the output in text format. If you choose binmode, you will have to convert the data from binary to text before reading it (see the Technote "AIX System Security Audit" for more details: http://www.aixmind.com/?p=2429 ).

2) Confirm the following line is in /etc/security/audit/streamcmds file

/usr/sbin/auditstream | auditpr -v > /audit/stream.out &

Note that there is a "-v" after auditpr. The -v is not set by default, but it gives you more information. If you want to limit which events will be monitored, you can also modify this file to use the auditselect command, eg…

# vi /etc/security/audit/streamcmds

/usr/sbin/auditstream | /usr/sbin/auditselect -e "command!=cron && command!=at" | auditpr -v > auditstream.out &

This command would exclude from the auditstream.out file the information that would otherwise be gathered from cron and at. This is probably not something you would want to do in your circumstance.

* See the AIX System Security Audit technote for more information on using auditselect.

3) Edit the /etc/security/audit/objects file to add an entry for the object/file you want to audit (replace /path/to/filename and FILENAME with the actual path and filename to be audited)

eg:

/path/to/filename:
w = "S_FILENAME_WRITE"

The above line will audit writes to the file, but you can also audit reads and/or execute (for commands) with…

r = "S_FILENAME_READ"
and/or
x = "S_FILENAME_EXECUTE"

4) Edit the /etc/security/audit/events file to include the following:

* /path/to/filename
S_FILENAME_WRITE = printf " %s "

If you included READ and/or EXECUTE entries in step 3, you will also need to add the following entries to the events file…

S_FILENAME_READ = printf " %s "
and/or
S_FILENAME_EXECUTE = printf " %s "

5) Start auditing. On the command line type:

# audit start

If you need to reset auditing for any reason, simply run…

# audit shutdown; audit start

6) Wait for the issue to occur, or perform the steps that duplicate the problem being audited.

7) Stop auditing and check the output file for FILENAME entries:

# audit shutdown
# cd /audit
# cat stream.out

The audit record is displayed as follows (example is for auditing a WRITE to a file)…

S_FILENAME_WRITE root OK Wed mar 06 2012 <application_name>
audit object write event detected /path/to/filename
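As an added helper (not part of the IBM technote or this page), the following POSIX shell functions write the objects and events stanzas of steps 3 and 4 from a path and an access-mode string, and check that every event name referenced in the objects file is defined in the events file before "audit start" is issued. The function names are hypothetical, and the demo writes to a constructed temporary directory rather than the live /etc/security/audit files.

```sh
#!/bin/sh
# Added helper (not from the technote): build the objects/events stanzas of
# steps 3 and 4 for one file, and check that every event the objects file
# references is defined in the events file before running "audit start".
# Event names follow the page's S_<NAME>_<ACCESS> convention; the function
# names are hypothetical.

# $1 = path, $2 = access word (READ, WRITE or EXECUTE)
audit_event_name() {
    # basename upper-cased, anything but A-Z/0-9 becomes "_"
    tag=$(basename "$1" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9\n' '_')
    printf 'S_%s_%s\n' "$tag" "$2"
}

# $1 = path, $2 = modes, any subset of r, w, x (e.g. "rw")
audit_objects_stanza() {
    printf '%s:\n' "$1"
    case $2 in *r*) printf '\tr = "%s"\n' "$(audit_event_name "$1" READ)" ;; esac
    case $2 in *w*) printf '\tw = "%s"\n' "$(audit_event_name "$1" WRITE)" ;; esac
    case $2 in *x*) printf '\tx = "%s"\n' "$(audit_event_name "$1" EXECUTE)" ;; esac
}

# Same arguments; emits the matching /etc/security/audit/events entries
audit_events_stanza() {
    printf '* %s\n' "$1"
    case $2 in *r*) printf '%s = printf " %%s "\n' "$(audit_event_name "$1" READ)" ;; esac
    case $2 in *w*) printf '%s = printf " %%s "\n' "$(audit_event_name "$1" WRITE)" ;; esac
    case $2 in *x*) printf '%s = printf " %%s "\n' "$(audit_event_name "$1" EXECUTE)" ;; esac
}

# $1 = objects file, $2 = events file. Prints every event name that the
# objects file references but the events file never defines; returns 1 if
# any is missing, 0 otherwise.
audit_check_events() {
    missing=0
    for ev in $(sed -n 's/^[[:space:]]*[rwx][[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"); do
        grep -q "^[[:space:]]*$ev[[:space:]]*=" "$2" || { echo "$ev"; missing=1; }
    done
    return $missing
}

# Demo on constructed temporary files, not the live /etc/security/audit ones
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    audit_objects_stanza /etc/security/passwd rw > "$d/objects"
    audit_events_stanza /etc/security/passwd w > "$d/events"   # READ entry left out
    audit_check_events "$d/objects" "$d/events" || echo "missing events entries listed above"
    rm -r "$d"
fi
```

Run with --demo to see the mismatch check flag S_PASSWD_READ; redirect the two stanza functions into the real objects and events files only after reviewing the output.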


Source:  http://www-304.ibm.com/support/docview.wss?uid=isg3T1013098


Director Agent 6.3 on AIX is Logging Too Many Messages in the Console


Description

When the cas_agent subsystem is running on an AIX agent, it logs messages similar to the following:

bin/nonstop_aix @/var/opt/tivoli/ep/runtime/nonstop/config/nonstop.properties

They can be seen with the alog -o -f /var/adm/ras/conslog command, or on the vterm to this system opened through the HMC.

This occurs with agents that have the following cas.agent fileset version:

cas.agent 1.4.2.40


Fix

A fix will be available in a later version.

Work-around

To disable the messages, you should perform the following steps:

1. Stop the subsystem by issuing the following command:

stopsrc -s cas_agent

2. Wait, using the following command, until the subsystem is inoperative:

lssrc -s cas_agent

3. Save a copy of /var/opt/tivoli/ep/runtime/nonstop/bin/cas_src.sh:

cp /var/opt/tivoli/ep/runtime/nonstop/bin/cas_src.sh /var/opt/tivoli/ep/runtime/nonstop/bin/cas_src.sh.org

4. Edit /var/opt/tivoli/ep/runtime/nonstop/bin/cas_src.sh as follows:

Replace the following code snippet:

do
/usr/bin/sleep 10
/usr/bin/ps -ef | grep nonstop_aix

# if nonstop_aix is not found, then exit
[ "$?" -ne 0 ] && break

done

with the following code:

do
/usr/bin/sleep 10
NONSTOP_PID1=`/usr/bin/ps -ef|/usr/bin/grep '\/var\/opt\/tivoli\/ep'|/usr/bin/grep nonstop_aix|/usr/bin/grep -v grep|/usr/bin/awk '{print $2}'`
NONSTOP_PID2=`/usr/bin/ps -ef|/usr/bin/grep '\/opt\/ibm\/director\/agent'|/usr/bin/grep nonstop_aix|/usr/bin/grep -v grep|/usr/bin/awk '{print $2}'`

# if nonstop_aix is not found then exit
if [[ "$NONSTOP_PID1" == "" && "$NONSTOP_PID2" == "" ]]; then
break
fi

done

5. Start the subsystem by issuing the following command:

startsrc -s cas_agent

How to fake your name and sender email address when sending email on UNIX


You can use the sendmail command:

sendmail -F "Fake Name" -f fake_sender_email@host.com recipient@sth.com < your-email-content.txt