Re: advice on AIX auditing

From: Green, Simon (SGreen@KRAFTEUROPE.COM)
Date: Thu Jun 27 2002 - 12:21:12 EDT


I've done some work with the audit system.

There is an auditing Redbook; get a copy if you haven't already.

I reduced the number of events audited considerably from the default.
I kept SRC, cron and the objects classes. Objects only checked for write
access, though.
I also set up my own class of general stuff. This contained TCPIP login
related stuff and SU, plus the LVM events, filesystem mounts and security
changes (GROUP_Create, PASSWORD_Change and the like). Most of that was for
my benefit, so that I could see who'd messed up my system by removing
/dev/hd1 and the like.
I specifically did NOT audit file creation, links etc. That can produce
quite a lot of data as there's no way of refining it: it's all files, or
none. (The load does depend on the nature of the applications running, of
course.)

Every user in the system gets audited for all classes; I added the audit
classes to the user defaults.

With those, the total volume of data created is quite small, so it's
realistic to keep an extensive history. My control workstation, for
example, has at least five years of data, taking up about 10MB.

It's worth recycling the audit system periodically. I do it weekly, but
monthly would probably suffice. Also, don't have a single, large audit
trail file: it makes querying it very difficult. Archive it off
periodically.

Reporting is fairly rudimentary. It'll extract data from the audit system
and select the particular fields that you want, but it has no way of
consolidating entries. So if you've got 100 similar USER_SU events, you'll
get 100 report lines. It might be worth extracting data and using some sort
of report generator to process it.

Provided you don't get carried away, the system overhead is fairly low.

Simon Green
Philip Morris ITSC Europe

AIX-L Archive at http://marc.theaimsgroup.com/?l=aix-l&r=1&w=2
AIX FAQ at http://www.faqs.org/faqs/aix-faq/

N.B. Unsolicited email from vendors will seldom be appreciated.

> -----Original Message-----
> From: Jim Lane [mailto:JLane@TORONTOHYDRO.COM]
> Sent: 27 June 2002 16:54
> To: aix-l@Princeton.EDU
> Subject: advice on AIX auditing
>
>
> Hi, All
>
> As part of a general onslaught re security I've started tinkering with
> the AIX audit system. There doesn't seem to be much information that I
> can find by way of high level "how to" guidance on using this thing. I'm
> especially interested in how to figure out what events, classes etc. I
> should be auditing. I'm still not sure of the scope of information that
> this thing can give me as against what I should be looking for. Thus far
> it seems to be able to generate a lot of information of the "so what"
> variety. Has anybody out there worked with AIX auditing? If so, would
> you be willing to share experiences, especially regarding how you
> customized it? Also, what about report formats and data retention
> volumes? Any help or references would be greatly appreciated.
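Simon's remark that the report tool prints one line per record (100 USER_SU events give 100 report lines) is the kind of thing a short post-processing script fixes. The following is an added example, not code from either poster: it consolidates report lines by event, login and status and prints a count per combination. The input lines are a constructed sample in the column layout assumed for `auditpr -h elRtc` (event, login, status, time, command, with a one-line header); the field-letter layout is an assumption, so check it against your own `auditpr` output before piping the real trail through it.

```sh
#!/bin/sh
# Constructed sample in the column layout assumed for `auditpr -h elRtc`
# (event, login, status, time, command). Not real audit data.
SAMPLE='event           login   status   time                     command
USER_SU         jlane   OK       Thu Jun 27 09:02:11 2002 su
USER_SU         jlane   OK       Thu Jun 27 09:40:55 2002 su
USER_SU         sgreen  FAIL     Thu Jun 27 10:15:03 2002 su
PASSWORD_Change root    OK       Thu Jun 27 10:20:40 2002 passwd
USER_SU         jlane   OK       Thu Jun 27 11:01:17 2002 su
GROUP_Create    root    OK       Thu Jun 27 11:30:00 2002 mkgroup'

# consolidate: read report lines on stdin, skip the header, and emit
# one line per (event, login, status) with a record count in column 1,
# highest counts first. The time and command columns are ignored on
# purpose: they are what makes every record unique.
consolidate() {
    awk 'NR > 1 && NF >= 3 { key = $1 "\t" $2 "\t" $3; n[key]++ }
         END { for (k in n) printf "%d\t%s\n", n[k], k }' \
    | sort -k1,1nr -k2,2
}

# count_event EVENT LOGIN: total records for one event/login pair in
# the sample, summed across statuses (OK and FAIL).
count_event() {
    printf '%s\n' "$SAMPLE" | consolidate \
    | awk -v e="$1" -v l="$2" '$2 == e && $3 == l { s += $1 } END { print s + 0 }'
}

# Against a real trail the pipeline would be:
#   auditpr -h elRtc < /audit/trail | consolidate
printf '%s\n' "$SAMPLE" | consolidate
```

The sample collapses six records to four lines, with `3 USER_SU jlane OK` at the top; a failed su by a different user stays visible as its own line rather than being lost among the successes.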



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 22:16:01 EDT