AIX Auditing (im_aixaudit)

This module reads directly from the kernel, provided the AIX Audit subsystem has STREAM mode enabled, which is disabled by default. The xm_aixaudit module parses events from AIX Audit logs when BIN mode is enabled, which is the default setting. Both modes can be enabled and collect logs concurrently. For additional details, see Auditing mode: BIN and STREAM.

Prerequisites

The AIX audit subsystem and NXLog Agent have default settings that are incompatible with each other.

Changing the directives User nxlog and Group nxlog to User root and Group system in the NXLog Agent configuration will allow the module to read the required pseudo device and file. Otherwise, an error and warning will be logged:

ERROR [im_aixaudit|aixaudit] Couldn't open /dev/audit;Permission denied
WARNING [im_aixaudit|aixaudit] Couldn't read event config /etc/security/audit/events

By default, the AIX audit files located under /etc/security/audit/* are owned by user root, group system.Changing their ownership or permissions could raise security flags (STIG finding V-91271).

Any reconfiguration of the AIX Audit subsystem requires it to be shut down and restarted for the changes to take effect.

Stop the AIX Audit subsystem
# audit shutdown
auditing reset

The AIX Audit subsystem defaults to BIN mode with STREAM mode disabled. For NXLog Agent to read from the default event stream /dev/audit as shown in the configuration example below, set streammode to on and streamcompact to off.

/etc/security/audit/config
start:
        binmode = on
        streammode = on
        ignorenonexistentity = no

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

stream:
        cmds = /etc/security/audit/streamcmds
        streamcompact = off

After the configuration changes have been saved, the subsystem can be started.

Start the AIX Audit subsystem
# audit start

Configuration

The im_aixaudit module accepts the following directives in addition to the common module directives.

Optional directives

DeviceFile

This optional directive specifies the device file from which to read audit events. If this is not specified, it defaults to /dev/audit.

EventsConfigFile

This optional directive contains the path to the file with a list of audit events. This file should contain events in AuditEvent = FormatCommand format. The AuditEvent is a reference to the audit object which is defined under the /etc/security/audit/objects path. The FormatCommand defines the auditpr output for the object. For more information, see the The AIX Auditing subsystem resources on the IBM Documentation website.

Fields

See the xm_aixaudit Fields.

Examples

Example 1. Reading AIX Audit events from the kernel

This configuration reads AIX audit events directly from the kernel via the(default) /dev/audit device file.

nxlog.conf
<Input in>
    Module      im_aixaudit
    DeviceFile  /dev/audit
</Input>