AIX System Security:4.Logging

jiazf82

System tools:logcheck,logwatch

http://sourceforge.net/projects/swatchlog/

http://sourceforge.net/projects/sentrytools

1.Capture mesg send to syslog.

printf "### Following lines added by CISecurity \
AIX Benchmark Section 5.1\n\
auth.info\t\t/var/adm/authlog\n\
*.info;auth.none\t\t/var/adm/syslog\n" \
>> /etc/syslog.conf
touch /var/adm/authlog /var/adm/syslog
chown root:system /var/adm/authlog
chmod 600 /var/adm/authlog
chmod 640 /var/adm/syslog
stopsrc -s syslogd
startsrc -s syslogd

2.Configure syslogd to send logs to a remote loghost

printf "### Following lines added by CISecurity \
AIX Benchmark Section 5.2\n\
auth.info\t\t@loghost
*.info;auth.none\t\t@loghost
*.emerg\t\t@loghost\n\
local7.*\t\t@loghost\n" >> /etc/syslog.conf
stopsrc -s syslogd
startsrc -s syslogd

make sure the syslog system accept the mesg from other system:

chssys -s syslogd -a "-r"
stopsrc -s syslogd
startsrc -s syslogd

3.Enable sar accounting

4.Enable kernel-level auditing

audit on

To start auditing automatically at next boot:

mkitab -i cron "audit:2:once:/usr/sbin/audit start 2>&1 >
/dev/console"
telinit q
echo "audit shutdown" >> /usr/sbin/shutdown

5.Confirm Permissions On system log Files

for FILE in \
/smit.log \
/var/adm/cron/log \
/var/tmp/dpid2.log \
/var/tmp/hostmibd.log \
/var/tmp/snmpd.log \
/var/adm/ras/*
/var/ct/RMstart.log
do
if [ -f $FILE ]; then
echo "Fixing log file permissions on $FILE"
chmod o-rw $FILE
fi
done







本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/4031/showart_196566.html