How can I audit a specific command or file on AIX?
Need to know which user or process is executing a command or opening a file for READ or WRITE.
The following steps can be used to configure AIX Auditing to audit individual files (including commands) for READ, WRITE and/or EXEC access.
1) Make the following changes in the audit config file to enable streammode auditing:
binmode = off
streammode = on
With streammode, the output is written immediately in text format. If you choose binmode, you must convert the data from binary to text before reading it (see the Technote "AIX System Security Audit" for more details -
2) Confirm that the following line is in the /etc/security/audit/streamcmds file:
/usr/sbin/auditstream | auditpr -v > /audit/stream.out &
Note the "-v" after auditpr. It is not set by default, but it gives you more information. If you want to limit which events are monitored, you can also modify this file to use the auditselect command, e.g.:
# vi /etc/security/audit/streamcmds
/usr/sbin/auditstream | /usr/sbin/auditselect -e "command!=cron && command!=at" | auditpr -v > auditstream.out &
This command would exclude from the auditstream.out file the records that would otherwise be gathered from cron and at. This is probably not something you would want to do in your circumstance.
* See the AIX System Security Audit technote for more information on using auditselect.
3) Edit the /etc/security/audit/objects file to add an entry for the object/file you want to audit (replace path/to/filename and FILENAME with the actual path and filename to be audited):
w = "S_FILENAME_WRITE"
The above line audits writes to the file; you can also audit reads and/or execution (for commands) with:
r = "S_FILENAME_READ"
x = "S_FILENAME_EXECUTE"
4) Edit the /etc/security/audit/events file to include the following:
S_FILENAME_WRITE = printf " %s "
If you included READ and/or EXECUTE entries in step 3, you also need to add the corresponding entries to the events file:
S_FILENAME_READ = printf " %s "
S_FILENAME_EXECUTE = printf " %s "
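As an added example (not part of the technote), the POSIX shell helper below generates the objects and events entries that steps 3 and 4 describe for one audited file, so the label and the two files stay consistent. It assumes the stanza layout of the objects file (the object path followed by a colon, then indented r/w/x attributes), derives the S_NAME_MODE label from the file's basename (a convention chosen here, which yields S_FILENAME_WRITE for /path/to/filename as in the text), and uses OBJECTS_FILE and EVENTS_FILE as variable names of its own, defaulting to the files the steps edit.

```shell
#!/bin/sh
# Added example, not from the technote: generate the entries that steps 3 and 4
# put into the objects and events files for one audited file.
# OBJECTS_FILE / EVENTS_FILE are names chosen for this script; they default to
# the files the technote edits and can be overridden (e.g. for testing).
OBJECTS_FILE=${OBJECTS_FILE:-/etc/security/audit/objects}
EVENTS_FILE=${EVENTS_FILE:-/etc/security/audit/events}

# Map an access letter to the suffix used in the event label.
mode_name() {
    case $1 in
        r) echo READ ;;
        w) echo WRITE ;;
        x) echo EXECUTE ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Build the S_<NAME>_<MODE> label from the file's basename: upper-cased, with
# anything that is not A-Z/0-9 replaced by '_' (a convention assumed here; it
# yields S_FILENAME_WRITE for /path/to/filename as in the technote).
audit_label() {
    base=$(basename "$1" | tr 'a-z' 'A-Z' | tr -c 'A-Z0-9\n' '_')
    printf 'S_%s_%s\n' "$base" "$2"
}

# Print the stanza for the objects file (assumed layout: the object path
# followed by ':', then indented r/w/x attributes).
# $1 = path to audit, $2 = access letters to audit, e.g. "w" or "rwx"
objects_stanza() {
    printf '%s:\n' "$1"
    for m in r w x; do
        case $2 in
            *$m*) printf '\t%s = "%s"\n' "$m" "$(audit_label "$1" "$(mode_name "$m")")" ;;
        esac
    done
}

# Print the matching lines for the events file.
events_lines() {
    for m in r w x; do
        case $2 in
            *$m*) printf '%s = printf " %%s "\n' "$(audit_label "$1" "$(mode_name "$m")")" ;;
        esac
    done
}

# Append both pieces; run "audit shutdown; audit start" afterwards so the
# audit subsystem re-reads the files.
install_audit_object() {
    objects_stanza "$1" "$2" >> "$OBJECTS_FILE"
    events_lines "$1" "$2" >> "$EVENTS_FILE"
}

# Usage: sh audit_object.sh /path/to/filename rwx
if [ $# -eq 2 ]; then
    install_audit_object "$1" "$2"
fi
```

Run it once per file you want watched; auditing only a few objects keeps stream.out small enough to read by hand, which is usually what you want when tracking down a single writer.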
5) Start auditing. On the command line type:
# audit start
If you need to restart auditing for any reason, run:
# audit shutdown; audit start
6) Wait for the issue to occur, or perform the steps that reproduce the problem being audited.
7) Stop auditing and check the output file for FILENAME entries:
# audit shutdown
# cd /audit
# cat stream.out
The audit record is displayed as follows (this example is for auditing a WRITE to a file):
S_FILENAME_WRITE root OK Wed mar 06 2012 <application_name>
audit object write event detected /path/to/filename
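Once stream.out has a few hundred lines, reading it by hand stops being practical. As an added example (not part of the technote), the shell function below condenses the output into one line per user/command/event/path combination with a count, which answers the original question directly. It assumes the two-line record layout shown above (event label, login, status, date and command on the first line; "audit object ... event detected" and the path on the second); the sample records are constructed for the example, not real audit output.

```shell
#!/bin/sh
# Added example, not from the technote: condense the streammode output into
# "who did what to which file" lines. It assumes the two-line record layout
# shown in step 7: "<event> <login> <status> <date> <command>" followed by
# "audit object <access> event detected <path>".
summarize_stream() {
    awk '
        # First line of a record: remember event label, login, status, command.
        $1 ~ /^S_[A-Z0-9_]+_(READ|WRITE|EXECUTE)$/ {
            ev = $1; user = $2; status = $3; cmd = $NF; next
        }
        # Second line: the audited path is the last field; count the tuple.
        ev != "" && /audit object .* event detected/ {
            key = user " " cmd " " ev " " status " " $NF
            count[key]++
            ev = ""
        }
        # Any other line (auditpr headers, unrelated events) is ignored.
        END { for (k in count) print count[k], k }
    ' "$@" | sort -k2
}

# Constructed sample in the layout above (not real audit output).
SAMPLE_STREAM='S_FILENAME_WRITE root OK Wed Mar 06 2012 vi
audit object write event detected /path/to/filename
S_FILENAME_READ bob OK Wed Mar 06 2012 cat
audit object read event detected /path/to/filename
S_FILENAME_WRITE root OK Wed Mar 06 2012 vi
audit object write event detected /path/to/filename
S_FILENAME_EXECUTE bob FAIL Wed Mar 06 2012 ksh
audit object execute event detected /path/to/filename'

# Usage on a real capture:   summarize_stream /audit/stream.out
# Usage on the sample:       printf '%s\n' "$SAMPLE_STREAM" | summarize_stream
```

Each output line reads "count login command event status path", so a line such as "2 root vi S_FILENAME_WRITE OK /path/to/filename" tells you root wrote the file twice with vi. A FAIL status is worth a second look: it is an access the audited user attempted but was not permitted.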