  • Use auditing to track reads and writes in a file

    Published: 2007-09-07 11:00:37

    In this article, discover how to track several events on AIX(R) with auditing, a major feature of AIX security, and learn how to use auditing to keep track of the read and write operations on a file. Also examine commands, such as ls or istat, to check a file's time stamp.

    Introduction

    AIX® provides easy ways to track the last time a file was accessed. The ls command is one example. But sometimes you want to know who, or which process, accessed the file. You might need such information for debugging or keeping track of important files. You can track information related to read and write operations on a file with the help of auditing.

    In AIX, the auditing subsystem is intended to record security-related information and to alert administrators about security breaches. You can customize the configuration and objects files that the auditing subsystem uses so that it keeps track of any file you want. You can also use the real-time monitoring feature of auditing to keep track of processes and files that are being modified unexpectedly by unidentified processes.

    Tracking

    There are no special requirements to track files; all you need is a normal AIX system with root access. The audit command grants execute access to the root user and to members of the audit group, so a non-root user must be a member of the audit group to run auditing on a system.

    The high-level steps for tracking files are:

    1. Configuring the audit subsystem
    2. Monitoring output

    Configuring the audit subsystem

    Configuring the audit subsystem requires making specific entries in the objects and configuration files that the audit subsystem uses to generate the results.

    In this scenario, you're tracking the /home/test.txt file. To configure the audit subsystem, try the following:

    1. In the /etc/security/audit/objects file, make an entry for /home/test.txt. Use the following format:

      /home/test.txt:
      	r = "S_NOTAUTH_READ"
      	w = "S_NOTAUTH_WRITE"
      	

      S_NOTAUTH_READ and S_NOTAUTH_WRITE are keywords to track the read and the write, respectively. These keywords can be replaced by any keyword, depending on your requirements.

      You can also track more than one file using the same keyword by making individual entries for each file to be tracked in the /etc/security/audit/objects file, in the same format.

    2. In the /etc/security/audit/config file, add the following entry under the classes stanza:

      classes:
      	abusers = S_NOTAUTH_READ, S_NOTAUTH_WRITE
      	

    3. In the /etc/security/audit/config file, add entries for all your users, as follows:

      users:
      	root = general, abusers
      	user1=abusers
      	user2=abusers
      	.
      	.
      	.
      	userN=abusers
      	
      	

      This set of entries ensures that any read or write operation performed on the /home/test.txt file by any of the users in this list is reported by audit. Audit classes are assigned per user, so a user who is not given the abusers class generates no S_NOTAUTH_READ or S_NOTAUTH_WRITE records at all; the list must include every account whose access you want to see. If an entry for a user already exists, append abusers to it, separated from the previous class by a comma.

    4. Auditing provides data monitoring in two modes:
      • BIN mode: Records the audit events to two alternating temporary BIN files, and then appends them to a single audit trail file.

      • STREAM mode: Writes the audit records to a circular buffer that can be read by the /dev/audit device file.

      In this scenario, there is no major difference between the two except the format of the output produced. You can switch on either or both modes to collect the data. They are switched on or off by making the appropriate entry in the /etc/security/audit/config file. The example below switches on STREAM mode.

      start:
              binmode = off
              streammode = on

    The above steps ensure that the /home/test.txt file is under the auditing subsystem's observation.
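    The four configuration steps above, carried through for several files and users at once, as an added shell example that is not from the original article: it generates an objects entry per file with the same keywords, emits the classes stanza, and merges the abusers class into an existing users stanza, appending with a comma where a user already has a class (the behaviour step 3 describes). The class name and event keywords are the article's; the file names, user names and the sample users stanza are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the audit stanzas
# from steps 1-3 for several files and users at once. The class name
# "abusers" and the S_NOTAUTH_READ/S_NOTAUTH_WRITE keywords are the ones the
# article uses; the file and user names passed in below are constructed.

# Step 1: one objects entry per tracked file, same r/w keywords for each.
gen_objects() {
    for f in "$@"; do
        printf '%s:\n\tr = "S_NOTAUTH_READ"\n\tw = "S_NOTAUTH_WRITE"\n\n' "$f"
    done
}

# Step 2: the class that groups both keywords.
gen_classes() {
    printf 'classes:\n\tabusers = S_NOTAUTH_READ,S_NOTAUTH_WRITE\n\n'
}

# Step 3: merge the abusers class into an existing users stanza read on stdin.
# Users already present get ",abusers" appended (unless they already have it);
# users not present get a fresh "name = abusers" line at the end.
merge_users() {
    awk -v want="$*" '
        BEGIN { n = split(want, u, " "); for (i = 1; i <= n; i++) need[u[i]] = 1 }
        /^[ \t]*[^ \t*:]+[ \t]*=/ {
            name = $1; sub(/[ \t]*=.*/, "", name)
            if (name in need) {
                if ($0 !~ /(^|[ ,=])abusers([ ,]|$)/) $0 = $0 ",abusers"
                delete need[name]
            }
        }
        { print }
        END { for (x in need) printf "\t%s = abusers\n", x }'
}

# Stand-alone run with constructed input (two files, an existing users stanza).
gen_objects /home/test.txt /home/payroll.csv
gen_classes
printf 'users:\n\troot = general\n\tuser1 = abusers\n' | merge_users root user1 user2
```

The generated text is meant to be reviewed and pasted into the objects and config files rather than written there blindly; the merge step only edits lines of the form `name = classes`, so the `users:` header and any `*` comment lines pass through untouched.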

    Monitoring output

    To monitor the output, first start the auditing subsystem using the following command:

    # audit start
    

    Data collection in STREAM mode

    Because data collection is enabled in STREAM mode, the command that collects the records is the one listed in /etc/security/audit/streamcmds, which audit start runs. Display it with:

    # cat /etc/security/audit/streamcmds
    

    The file contains the following command line:

    /usr/sbin/auditstream | auditpr > /audit/stream.out &
    

    The auditing results are written in the /audit/stream.out file, which can be monitored in real time to keep track of the read and write operations.

    A typical output would look like Listing 1 below.


    Listing 1. Output file: data collection in STREAM mode

                        
    # tail -f /audit/stream.out

    event            login    status   time                       command
    ---------------  -------- -------- -------------------------- ---------
    S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
    S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
    FILE_Unlink      root     OK       Thu May 24 14:07:09 2007   vi
    S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
    S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
    S_NOTAUTH_READ   root     OK       Thu May 24 14:07:09 2007   vi
    S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi
    FILE_Unlink      root     OK       Thu May 24 14:07:13 2007   vi
    FILE_Unlink      root     OK       Thu May 24 14:07:20 2007   vi
    S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat
    S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat


    The interpretation of the output file is simple. For example, the following line:

    S_NOTAUTH_WRITE 	root     OK          Thu May 24 14:07:13 2007 	vi
    

    shows that a write operation was performed by root on the file on Thursday, May 24th, at 14:07:13.
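    Reading this output programmatically, as an added shell example that is not from the original article: the script counts successful reads and writes per login from auditpr output in the Listing 1 layout, and lists successful writes by logins outside an allow list, which is the check most people set auditing up for. The sample lines and the allow list are constructed for the example; the column layout and event names follow Listing 1. Lines that do not start with an event name (headers, and the indented continuation lines that verbose auditpr output adds) are ignored.

```shell
#!/bin/sh
# Added example, not from the original article. Summarises auditpr output in
# the Listing 1 layout (event login status time command) and flags writes by
# logins that are not expected to modify the tracked file. SAMPLE and the
# allow list are constructed; the event names are the article's.

# Constructed sample in the Listing 1 layout.
SAMPLE='event            login    status   time                       command
---------------  -------- -------- -------------------------- -------
S_NOTAUTH_READ   root     OK       Thu May 24 14:07:05 2007   cat
S_NOTAUTH_WRITE  root     OK       Thu May 24 14:07:13 2007   vi
S_NOTAUTH_READ   ash      OK       Thu May 24 14:09:39 2007   cat
S_NOTAUTH_WRITE  ash      OK       Thu May 24 14:09:41 2007   cp
S_NOTAUTH_WRITE  ash      FAIL     Thu May 24 14:09:42 2007   cp
FILE_Unlink      root     OK       Thu May 24 14:07:20 2007   vi'

# Per-login counts of successful reads and writes (stdin), one line each:
#   login reads writes
# Only S_NOTAUTH_* events with status OK are counted; FAIL records and
# unrelated events such as FILE_Unlink are skipped.
audit_summary() {
    awk '$1 ~ /^S_NOTAUTH_/ && $3 == "OK" {
            if ($1 == "S_NOTAUTH_READ") r[$2]++; else w[$2]++
            seen[$2] = 1
         }
         END { for (u in seen) printf "%s %d %d\n", u, r[u] + 0, w[u] + 0 }' | sort
}

# Successful writes by logins not in the allow list ("$@"), printed as:
#   login command time
# The time occupies fields 4-8 (weekday month day hh:mm:ss year).
unexpected_writes() {
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "S_NOTAUTH_WRITE" && $3 == "OK" && !($2 in ok) {
            printf "%s %s %s %s %s %s %s\n", $2, $9, $4, $5, $6, $7, $8
        }'
}

# Stand-alone run over the constructed sample; on a live system replace the
# printf with: tail -f /audit/stream.out | unexpected_writes root
printf '%s\n' "$SAMPLE" | audit_summary
printf '%s\n' "$SAMPLE" | unexpected_writes root
```

For the sample above the summary reports one read and one successful write each for ash and root, and the allow-list check reports only the cp write by ash; the failed cp attempt is not listed because its status is FAIL, which is worth remembering when a write you expected to see does not appear.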

    Data collection in BIN mode

    If data collection in BIN mode is enabled, you can format the records collected in the audit trail by executing the following command:

    # /usr/sbin/auditpr -v < /audit/trail > /audit.out
    

    This command writes the results of auditing to the /audit.out file, which can be monitored in real time as well.

    A typical output would look like Listing 2 below.


    Listing 2. Output file: data collection in BIN mode

                        
    # vi /audit.out
    "/audit.out" 30 lines, 2012 characters
    event            login    status   time                       command
    ---------------  -------- -------- -------------------------- ---------
    S_NOTAUTH_READ   root     OK       Thu May 24 15:07:27 2007   cat
            <tail format undefined>
    S_NOTAUTH_READ   root     OK       Thu May 24 15:07:27 2007   cat
            <tail format undefined>
    FILE_Unlink      root     OK       Thu May 24 15:07:32 2007   vi
            filename /var/tmp/Ex21778
    S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
            <tail format undefined>
    S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
            <tail format undefined>
    S_NOTAUTH_READ   root     OK       Thu May 24 15:07:32 2007   vi
            <tail format undefined>
    S_NOTAUTH_WRITE  root     OK       Thu May 24 15:07:37 2007   vi
            <tail format undefined>
    FILE_Unlink      root     OK       Thu May 24 15:07:37 2007   vi


    You can monitor the output files to keep track of the read and write operations on your files.
