Monitoring AIX Users
Audience: AIX Administrators and End Users
Date: July 16, 1999Monitoring user activity is an important system administration task. Here are a few usefulAIX commands for monitoring user activity.
CommandDescription
lastDisplay information about previous logins, including logindate/time, logout time, originating remote host.who List users who are currently logged on. ps -fu "userid" List processes being run by "userid"..sh_historyText file located in the home directory of each Korn shell user.The file contains the last 50 commands issued by the user./var/adm/sulog Text file containing all "su" activity./etc/security/failedloginBinary file containing a listing of all failed login attempts. Thefile can be read by only root, using "who failedlogin"AIX has two other facilities for monitoring user activity on a more granular level. Thefirst is "Accounting" which monitors user's connect time and system usage (cpu bycommand, diskstorage and printer usage). The second is "Auditing", a security relatedfunction, which provides a detailed audit trail of each user's activity, including priviledgefailures, commands run, files they view/create/delete, and more. Both Accounting andAuditing are part of the base AIX operating system. However, both must be configured torun. The attachment HTML files discuss how to set up accounting and auditing. See your AIX documentation for more information.
AIX System Security Audit [audit.all.cmd]
AIX System Security Audit-------------------------------------------------------------------------------ContentsAbout This DocumentRelated DocumentationOverviewAuditing Events and ObjectsAuditing Mode: BIN and STREAMStarting and Stopping AuditAuditing ConfigurationAuditing a UserAuditing an ObjectDisk Space ConsiderationUnderstanding the OutputCommon Problems with Auditing
Data OverloadFixes for Auditing Subsystem-------------------------------------------------------------------------------About This DocumentThis document is intended to simplify the use of the auditing systemprovidedin AIX and applies to all versions of AIX. It includes information onwhatauditing offers, what its requirements are, and what common problemsmay beencountered. The intention is not to answer every question aboutauditing, butto provide a starting point for understanding and setting up auditing.Related DocumentationDocumentation for System Auditing can be found in Chapter 5 of the"SystemManagement Guide" for AIX version 3.2, Chapter 3 of the "SystemManagementGuide: Operating System and Devices" for AIX version 4, and Chapter 8in theIBM Redbook "Elements of Security: AIX 4.1" (GG24-4433-00).The AIX and RS/6000 product documentation library is also available:http://www.rs6000.ibm.com/resource/-------------------------------------------------------------------------------OverviewThe auditing subsystem provides the means to record security-relatedinformation and to alert system administrators of potential and actualviolations of the system security policy. The information collected byauditingincludes: the name of the auditable event, the status (success orfailure) ofthe event, and any additional event-specific information related tosecurityauditing.-------------------------------------------------------------------------------Auditing Events and ObjectsA list of audit events built into AIX, along with a list of predefinedauditobjects, can be found in the file /etc/security/audit/events.In general, auditing events are defined at the system call level. Asingleoperation at the command line would result in records of several eventsin the
audit trail. For example, when viewing a file using the cat or morecommand,you would see the following records logged into the audit trail:FILE_Open (file is opened)FILE_Read (file is read)FILE_Write (file is written to standard output)PROC_Create (process creation for more OR cat)PROC_Execute (command execution)PROC_Delete (process completion)Auditing all possible events can produce a huge amount of data. Throughauditcontrols (that is, modifying the configuration files), you can selectevents tobe recorded.Audit events are grouped into classes. The events can be defined bywhichevents are in a class. While the class names are arbitrary, they,rather thanindividual event names, are associated with user IDs when the auditsubsystemis active.Auditing objects are just individual files that will be monitored. Threeoperations can be audited: read, write, and execute. Objects are notassociatedwith user IDs. Audit records are generated whenever an audited object isreferenced by any user (including root).To add further audit objects, extend the /etc/security/audit/objectsfile.-------------------------------------------------------------------------------Auditing Mode: BIN and STREAMThere are two modes of operation for auditing: BIN and STREAM. BIN modewritesthe audit trail to alternating temporary files (bins), then to a singletrailfile. STREAM mode writes to a circular buffer that is read synchronouslythrough an audit pseudo-device (/dev/audit).An audit can be started in one OR both of these modes.Using the audit configuration setup shipped with AIX,/etc/security/audit/config, the BIN mode alternates between /audit/bin1and/audit/bin2. When one BIN is full (the binsize parameter determines thesize ofthe bin), the audit switches to the other BIN file while adding theaccumulateddata in the first file to the audit trail (defined in/etc/security/audit/bincmds), /audit/trail. Use "audit shutdown" to becertain
of 00
AIX Monitor Users
866 Reads
Info and Rating
| Category: | Uncategorized. |
| Rating: | |
| Upload Date: | 11/18/2009 |
| Copyright: | Attribution Non-commercial |
| Tags: |
Leave a Comment