AIX Auditing (im_aixaudit)
This module reads audit events directly from the kernel through the /dev/audit pseudo device, which requires the AIX Audit subsystem to have STREAM mode enabled (it is disabled by default). The xm_aixaudit module instead parses the audit trail files that AIX writes in BIN mode, which is the default setting. Both modes can be enabled at the same time, so the two modules can collect logs concurrently. For additional details, see Auditing mode: BIN and STREAM.
Prerequisites
The AIX audit subsystem and NXLog Agent have default settings that are incompatible with each other: the audit pseudo device and the audit configuration files are owned by root, while NXLog Agent runs as the nxlog user by default. Changing the directives User nxlog and Group nxlog to User root and Group system in the NXLog Agent configuration allows the module to read the required pseudo device and file. Note that this runs the whole agent as root, so keep the rest of the agent configuration to the minimum the host needs. Without this change, an error and a warning are logged:
ERROR [im_aixaudit|aixaudit] Couldn't open /dev/audit;Permission denied
WARNING [im_aixaudit|aixaudit] Couldn't read event config /etc/security/audit/events
By default, the AIX audit files located under /etc/security/audit/* are owned by user root, group system. Changing their ownership or permissions so that the nxlog user can read them could raise security flags (STIG finding V-91271), which is why the agent's User and Group directives are changed instead.
Any reconfiguration of the AIX Audit subsystem requires it to be shut down and restarted for the changes to take effect. Shut it down first:
# audit shutdown
auditing reset
The AIX Audit subsystem defaults to BIN mode with STREAM mode disabled. For NXLog Agent to read from the default event stream /dev/audit, edit /etc/security/audit/config as shown in the example below: set streammode to on in the start stanza and streamcompact to off in the stream stanza. STREAM mode must be uncompacted because im_aixaudit reads the raw records from the device; binmode may stay on if xm_aixaudit or another consumer still needs the BIN trail.
start:
        binmode = on
        streammode = on
        ignorenonexistentity = no

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off

stream:
        cmds = /etc/security/audit/streamcmds
        streamcompact = off
After the configuration changes have been saved, start the subsystem again:
# audit start
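The steps above (fix the agent's identity, stop auditing, edit the stanzas, verify, restart) are easy to get subtly wrong by hand, for instance by setting streamcompact in the wrong stanza or by replacing the config file with mv and losing its root:system ownership. The following POSIX shell script is an added example written for this page; it is not NXLog's or IBM's own code. It assumes the stanza layout shown above, the stock path /etc/security/audit/config, and the AIX audit command; the sample config it writes is constructed for the dry run and is not a real host's file.

```shell
#!/bin/sh
# Added example (not NXLog or IBM code): stanza-aware edit of the AIX audit
# config for im_aixaudit, plus the checks to run before and after.
# Assumes "stanza:" headers at column 0 with indented "key = value" lines.

# Set "key = value" inside one stanza, appending the key if the stanza lacks
# it. The file is rewritten through cat, not mv, so the root:system ownership
# and mode of /etc/security/audit/config survive (a chown would be a STIG hit).
set_audit_stanza_value() {
    file=$1; stanza=$2; key=$3; value=$4
    tmp="$file.tmp.$$"
    awk -v stanza="$stanza" -v key="$key" -v value="$value" '
        BEGIN { hdr = stanza ":"; keyre = "^[ \t]*" key "[ \t]*=" }
        function finish_stanza() {        # called when a stanza ends
            if (in_target && !seen) print "        " key " = " value
            seen = 0
        }
        /^[A-Za-z0-9_]+:/ {               # stanza header at column 0
            finish_stanza(); in_target = ($1 == hdr); print; next
        }
        in_target && $0 ~ keyre {         # existing key: rewrite in place
            print "        " key " = " value; seen = 1; next
        }
        { print }
        END { finish_stanza() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Print the value of "key" in "stanza", or nothing if it is not set.
get_audit_stanza_value() {
    awk -v stanza="$2" -v key="$3" '
        BEGIN { hdr = stanza ":"; keyre = "^[ \t]*" key "[ \t]*=[ \t]*" }
        /^[A-Za-z0-9_]+:/ { in_target = ($1 == hdr); next }
        in_target && $0 ~ keyre { sub(keyre, ""); sub("[ \t]*$", ""); print; exit }
    ' "$1"
}

# True when the config feeds /dev/audit the way im_aixaudit expects:
# streammode on in "start" and streamcompact off in "stream".
stream_mode_ready() {
    [ "$(get_audit_stanza_value "$1" start streammode)" = on ] &&
    [ "$(get_audit_stanza_value "$1" stream streamcompact)" = off ]
}

# True when nxlog.conf runs the agent as root:system, the identity that can
# open /dev/audit and read /etc/security/audit/events.
nxlog_runs_as_root_system() {
    grep -Eq '^[[:space:]]*User[[:space:]]+root[[:space:]]*$' "$1" &&
    grep -Eq '^[[:space:]]*Group[[:space:]]+system[[:space:]]*$' "$1"
}

# The live procedure (run as root on AIX): stop, edit, verify, restart.
enable_aix_stream_mode() {
    cfg=${1:-/etc/security/audit/config}
    audit shutdown || return 1
    set_audit_stanza_value "$cfg" start streammode on
    set_audit_stanza_value "$cfg" stream streamcompact off
    stream_mode_ready "$cfg" || { echo "edit of $cfg failed" >&2; return 1; }
    audit start
}

# Constructed sample (BIN only, streamcompact wrong) for an offline dry run.
write_sample_audit_config() {
    cat > "$1" <<'EOF'
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds
        streamcompact = on
EOF
}

# Dry run on a temp copy, no audit restart: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_audit_config "$f"
    set_audit_stanza_value "$f" start streammode on
    set_audit_stanza_value "$f" stream streamcompact off
    stream_mode_ready "$f" && echo "sample config is ready for im_aixaudit"
    cat "$f"; rm -f "$f"
fi
```

Run nxlog_runs_as_root_system against nxlog.conf before starting the agent; if it fails, the agent will log the Permission denied error shown earlier no matter how the audit subsystem is configured. enable_aix_stream_mode does the audit shutdown and audit start itself because an edit made while auditing runs is not picked up, as noted above.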
Configuration
The im_aixaudit module accepts the following directives in addition to the common module directives.
Optional directives
This optional directive specifies the device file from which to read audit events. If this is not specified, it defaults to the /dev/audit pseudo device described in the prerequisites above.
This optional directive contains the path to the file with a list of audit events. This file should contain events in
Fields
See the xm_aixaudit Fields.