AIX Auditing (im_aixaudit)
This module reads directly from the kernel, provided the AIX Audit subsystem has STREAM mode enabled, which is disabled by default. The xm_aixaudit module parses events from AIX Audit logs when BIN mode is enabled, which is the default setting. Both modes can be enabled and collect logs concurrently. For additional details, see Auditing mode: BIN and STREAM.
Prerequisites
The AIX audit subsystem and the NXLog agent have default settings that are incompatible with each other.
Changing the directives User nxlog and Group nxlog to User root and Group system in the NXLog configuration will allow the module to read the required pseudo device and file; otherwise, the following error and warning will occur:
ERROR [im_aixaudit|aixaudit] Couldn't open /dev/audit;Permission denied
WARNING [im_aixaudit|aixaudit] Couldn't read event config /etc/security/audit/events
By default, the AIX audit files located under /etc/security/audit/* are owned by user root, group system. Changing their ownership or permissions could raise security flags (STIG finding V-91271).
Any reconfiguration of the AIX Audit subsystem requires it to be shut down and restarted for the changes to take effect.
# audit shutdown
auditing reset
The AIX Audit subsystem defaults to BIN mode with STREAM mode disabled.
In order for NXLog to read from the default event stream /dev/audit as shown in the configuration example below, set streammode to on and streamcompact to off.
start:
        binmode = on
        streammode = on
        ignorenonexistentity = no
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
stream:
        cmds = /etc/security/audit/streamcmds
        streamcompact = off
After the configuration changes have been saved, the subsystem can be started.
# audit start
To examine the supported platforms, see the list of installer packages in the Available Modules chapter.
Configuration
The im_aixaudit module accepts the following directives in addition to the common module directives.
- DeviceFile: This optional directive specifies the device file from which to read audit events. If this is not specified, it defaults to /dev/audit.
- EventsConfigFile: This optional directive contains the path to the file with a list of audit events. This file should contain events in AuditEvent = FormatCommand format. The AuditEvent is a reference to the audit object which is defined under the /etc/security/audit/objects path. The FormatCommand defines the auditpr output for the object. For more information, see the AIX Auditing subsystem resources on the IBM Documentation website.
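The following NXLog configuration is an added example, not taken from the NXLog documentation or product, that ties together the prerequisites above (running the agent as root:system) with the two module directives just described. The instance names, the om_file output and its log path are assumptions chosen for the example; both im_aixaudit directives are shown at the default values the page states, so they could be omitted.

```nxlog
# Run the agent as root:system so im_aixaudit can open /dev/audit and
# read /etc/security/audit/events, both of which are root-owned by default.
# Leaving the default User nxlog / Group nxlog produces the
# "Couldn't open /dev/audit; Permission denied" error quoted above.
User  root
Group system

<Input aixaudit>
    Module           im_aixaudit
    # Both directives are at their documented defaults and could be omitted.
    DeviceFile       /dev/audit
    EventsConfigFile /etc/security/audit/events
</Input>

<Output out>
    Module  om_file
    # Destination path is an assumption for this example.
    File    "/var/log/nxlog/aixaudit.log"
</Output>

<Route aixaudit_to_file>
    Path    aixaudit => out
</Route>
```

This configuration only yields events once the AIX audit subsystem has been reconfigured with streammode = on and streamcompact = off and restarted with audit shutdown followed by audit start, as described in the Prerequisites section; with STREAM mode still disabled the input opens /dev/audit but receives nothing.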
Fields
See the xm_aixaudit Fields.