Monitoring Aix Users
Monitoring user activity is an important system administration task. Here are a few useful AIX commands
for monitoring user activity.
Command            Description
                   Display information about previous logins, including login
                   date/time, logout time, and originating remote host.
who                List users who are currently logged on.
ps -fu "userid"    List processes being run by "userid".
                   Text file located in the home directory of each Korn shell
                   user. The file contains the last 50 commands issued by the
                   user.
/var/adm/sulog     Text file containing all "su" activity.
                   Binary file containing a listing of all failed login
                   attempts. The file can be read only by root, using
                   "who failedlogin".
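The /var/adm/sulog file is the one entry in the table above that is plain text, so it can be checked without the audit subsystem. The script below is an added example, not part of this document or of AIX; it assumes the sulog record layout "SU mm/dd hh:mm +|- tty from-to" (a "-" marking a failed su) and runs over a constructed sample rather than a real log.

```shell
#!/bin/sh
# Added example (not from this document): summarise su activity recorded in a
# /var/adm/sulog-style file. Assumed record layout, one entry per line:
#   SU mm/dd hh:mm +|- tty from-to
# where '+' marks a successful su and '-' a failed one.

# Constructed sample log; on a real system pass /var/adm/sulog instead.
SAMPLE_SULOG=$(mktemp)
trap 'rm -f "$SAMPLE_SULOG"' EXIT
cat > "$SAMPLE_SULOG" <<'EOF'
SU 03/25 09:03 + pts/2 joe-root
SU 03/25 09:05 - pts/2 joe-root
SU 03/25 09:06 - pts/2 joe-root
SU 03/25 11:40 + pts/0 root-adm
SU 03/26 02:15 - pts/3 guest-root
SU 03/26 23:50 + pts/3 ops-root
EOF

# failed_su_attempts LOGFILE
# Prints "from-to count" for every failed su pair, most frequent first.
failed_su_attempts() {
    awk '$1 == "SU" && $4 == "-" { n[$6]++ }
         END { for (k in n) print k, n[k] }' "$1" | sort -k2,2nr -k1,1
}

# failed_su_to LOGFILE [TARGET]
# Counts failed attempts to become TARGET (default root), whoever tried.
failed_su_to() {
    awk -v target="${2:-root}" '
        $1 == "SU" && $4 == "-" { split($6, p, "-"); if (p[2] == target) c++ }
        END { print c + 0 }' "$1"
}

# successful_su_outside_hours LOGFILE START_HH END_HH
# Lists successful su entries whose hour falls outside [START_HH, END_HH).
successful_su_outside_hours() {
    awk -v s="$2" -v e="$3" '$1 == "SU" && $4 == "+" {
            h = substr($3, 1, 2) + 0; if (h < s || h >= e) print }' "$1"
}

echo "Failed su attempts by from-to:"
failed_su_attempts "$SAMPLE_SULOG"
echo "Failed attempts to become root: $(failed_su_to "$SAMPLE_SULOG" root)"
echo "Successful su outside 08:00-17:00:"
successful_su_outside_hours "$SAMPLE_SULOG" 8 17
```

Run it as-is to see the summary for the sample; replace the sample file with /var/adm/sulog to report on a real system. The functions only count and list; deciding what is suspicious (repeated failures from one user, a successful su to root in the middle of the night) is left to the reader of the output.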
AIX has two other facilities for monitoring user activity at a more granular level. The first is
"Accounting", which monitors users' connect time and system usage (CPU by command, disk storage, and
printer usage). The second is "Auditing", a security-related function that provides a detailed audit trail
of each user's activity, including privilege failures, commands run, files they view/create/delete, and
more. Both Accounting and Auditing are part of the base AIX operating system; however, both must be
configured to run. The attached HTML files discuss how to set up accounting and auditing. See your
AIX documentation for more information.
This document is intended to simplify the use of the auditing system provided
in AIX and applies to all versions of AIX. It includes information on what
auditing offers, what its requirements are, and what common problems may be
encountered. The intention is not to answer every question about auditing, but
to provide a starting point for understanding and setting up auditing.
Related Documentation
A list of audit events built into AIX, along with a list of predefined audit
objects, can be found in the file /etc/security/audit/events.
In general, auditing events are defined at the system call level. A single
operation at the command line would result in records of several events in the
audit trail. For example, when viewing a file using the cat or more command,
you would see the following records logged into the audit trail:
Auditing all possible events can produce a huge amount of data. Through audit
controls (that is, modifying the configuration files), you can select events to
be recorded.
Audit events are grouped into classes; a class is defined by the list of events
it contains. While the class names are arbitrary, it is the classes, rather than
individual event names, that are associated with user IDs when the audit subsystem
is active.
Auditing objects are just individual files that will be monitored. Three
operations can be audited: read, write, and execute. Objects are not associated
with user IDs. Audit records are generated whenever an audited object is
referenced by any user (including root).
There are two modes of operation for auditing: BIN and STREAM. BIN mode writes
the audit trail to alternating temporary files (bins), then to a single trail
file. STREAM mode writes to a circular buffer that is read synchronously
through an audit pseudo-device (/dev/audit).
In STREAM mode, the default AIX configuration provides a program that reads the
STREAM buffer and processes each record with the commands found in
/etc/security/audit/streamcmds. These commands format the output into
human-readable form and write it to /audit/stream.out. This file is NOT
cumulative; it is restarted every time auditing is restarted. The STREAM audit
trail can be read in real time by reading /audit/stream.out, or by sending the
output directly to a terminal or printer.
There are five audit subcommands for invoking auditing. They are as follows:
NOTE: Using audit commands in the wrong order can confuse the auditing
subsystem. If the auditing subsystem gets confused, reset everything by
deleting all files in the /audit directory (except trail, stream.out and bin
To start auditing at system startup, add the following line to the /etc/rc
file, just prior to the line reading dspmsg 5 'Multi-user initialization
/usr/sbin/audit start
If auditing runs at all times, run the following command before shutting down, or
add it to the /usr/sbin/shutdown script, so that auditing is shut down properly:
/usr/sbin/audit shutdown
Auditing Configuration
The predefined classes are: general, objects, SRC, kernel, files, SVIPC, mail,
cron, and TCPIP. New classes can be defined using the auditing events in the
/etc/security/audit/events file. All audit classes except the objects class are
associated with user IDs. For example, the following entries audit the events in
the "general" class for user root and in "general", "files", and "TCPIP" for user
joe, with "general" as the default for all other users:
root = general
joe = general, files, TCPIP
default = general
When auditing starts, it ALWAYS audits the events specified for every user ID
defined in the config file and ALL the objects defined in
/etc/security/audit/objects. If the objects' audit records are not wanted,
remove or comment out (using an *) the objects defined in the objects file.
If there are specific classes of events that are not wanted as audit records,
specify No_Events for that specific class in the config file.
For example:
files = No_Events
tcpip = No_Events
The objects file contains all objects to be audited when auditing is active. A
user defined object is displayed as:
r = "JOE_READ"
NOTE: There is no need to add the newly added objects to the objects stanza in
the /etc/security/audit/config file, since the objects line is not referenced.
Only the objects file is referenced.
The streamcmds file has commands that are entered for STREAM audit records. The
default file contains one command.
Adding the -v flag to the auditpr command makes its output more useful, at the
expense of producing more data. Without -v, full path names for files are not shown
in the audit output; only file descriptors are recorded.
To limit the amount of data collected during the auditing operation, use the -c
option on the auditstream command to select a specific class of events as
defined in the config file, or use the auditselect command to select specific
For example:
NOTE: This command must be all on one line in the streamcmds file. This command
will collect only FILE_Open event records.
NOTE: The following command will limit data collection to only the TCPIP class
of events as defined in the config file.
The bincmds file contains commands that are entered whenever a BIN file fills
or when auditing is shut down. The file distributed reads like the following:
The environment variables in the preceding command are defined while auditing
is active. The auditselect command can be added to select specific events,
reducing the amount of audit records.
The bincmds file will only collect audit records that match USER_SU or
USER_Login audit events. Enter:
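The files below, constructed for this page as an added example rather than IBM's shipped defaults, show how the pieces described in this section fit together: a config file with its stanzas, an objects file with one user-defined object, the matching events entries, and a streamcmds and a bincmds command that use auditselect. The start/bin/stream stanza keys (binmode, streammode, trail, bin1, bin2, binsize, cmds), the PROC_* event names used in the local procmon class, the auditpr stanza in the events file, the auditselect -e expression form, and the auditcat -p -o invocation are standard AIX names that this page does not itself list, and placing No_Events under the classes stanza is likewise an assumption; compare all of them with the files shipped on your system before use.

```text
* /etc/security/audit/config  (constructed example; lines starting with * are comments)
start:
        binmode = on
        streammode = off

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds

classes:
* keep the shipped definitions of general, objects, SRC, kernel, files, SVIPC,
* cron and TCPIP here, then add local classes after them
        procmon = PROC_Create,PROC_Delete,PROC_Execute
* to drop a predefined class entirely, replace its shipped line with No_Events
        mail = No_Events

users:
        root = general
        joe = general,procmon
        default = general

* /etc/security/audit/objects  (every object here is audited whenever auditing is active)
/etc/utmp:
        w = "UTMP_WRITE"

/home/joe/private.txt:
        r = "JOE_READ"

* /etc/security/audit/events  (additions to the auditpr stanza; names are 15 characters at most)
auditpr:
        UTMP_WRITE = printf " %s "
        JOE_READ = printf " %s "

* /etc/security/audit/streamcmds  (must be one line; keeps only FILE_Open records)
/usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Open" | /usr/sbin/auditpr -v > /audit/stream.out &

* /etc/security/audit/bincmds  ($trail and $bin are set by the audit subsystem; keeps USER_SU and USER_Login only)
/usr/sbin/auditselect -e "event == USER_SU || event == USER_Login" $bin | /usr/sbin/auditcat -p -o $trail
```

Note that joe's procmon class takes effect at his next login, while the two objects are audited for every user as soon as auditing starts, which is why the objects file is the place to trim when object records are not wanted.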
Auditing a User
For example:
joe = procmon
The newly assigned audit classes will take effect at the next login for
user joe.
3. The BIN mode audit trail can be read with the following:
The STREAM mode audit file /audit/stream.out can be viewed directly. Remember
that the /audit/stream.out file is rewritten each time the auditing subsystem
is started. Save the old stream.out before starting auditing.
If you do not want the objects audit records when auditing a user ID, comment
out the objects defined in the /etc/security/audit/objects file or rename this
Auditing an Object
In the following example, all processes writing to the /etc/utmp file will be
* /etc/utmp
UTMP_WRITE = printf " %s "
In this case, the init process owned by root wrote to the file.
NOTE: The length of an audit event or object name cannot exceed 15 characters.
This limit is defined in the header file /usr/include/sys/audit.h, ah_event
[16]. The following error message usually indicates an invalid event or object
Each record in the audit trail takes about 50 to 150 bytes depending on what
mode is used and whether the verbose mode flag is specified. This means that
1MB of data could contain about 6800 entries.
For example:
/usr/sbin/auditselect -f /audit/pick \
/audit/trail | /usr/sbin/auditpr -v
This command reports the use of the rlogin command within the specific time
interval (8AM-5PM between April 1 and April 12).
The compressed trail data from BIN mode auditing is not in the same format in AIX
version 3.2 as in 4.1 or later. A utility, auditconv, converts data from the
pre-AIX Version 4 format to the Version 4 format.
o There are certain errors that appear when running audit start.
Error Message:
o Error Message:
If it is not obvious that the user stanza is missing, verify that each class is
defined on a single continuous line.
Data Overload
Because of the way the cron and TCPIP code are written, each sets up its own set
of audit events, and these events are written into the audit trail regardless
of how the config files are set up. The TCPIP daemons ftpd, rexecd, and telnetd
all call auditproc() to set up process auditing using the class tcpip in
/etc/security/audit/config, and the cron code (at, cron, and cronadm) does the
same for the cron class. The workaround is to use auditselect to exclude these
events when generating the audit report.
For example:
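Two auditselect selection files, added here as an illustration and not taken from this document: the first reproduces the rlogin report described above (the file read with "auditselect -f /audit/pick"), the second drops the records that the cron and TCPIP daemons generate on their own. The expression syntax (field == value, &&, ||, date as mm/dd/yy and time as hh:mm:ss) is the standard auditselect form but is assumed rather than stated on this page; "yy" is a placeholder for the two-digit year, and /audit/pick.nonet is a name chosen for this example.

```text
/audit/pick  (rlogin use between 8AM and 5PM, April 1 through April 12; replace yy with the year):
command == rlogin && time >= 08:00:00 && time <= 17:00:00 && date >= 04/01/yy && date <= 04/12/yy

/audit/pick.nonet  (exclude records produced by the cron and TCPIP code itself):
command != cron && command != at && command != cronadm && command != telnetd && command != ftpd && command != rexecd
```

Both files are used exactly like the /audit/pick example above: auditselect -f selection-file /audit/trail | auditpr -v. Filtering by command name removes everything those daemons logged, so keep the second file for day-to-day reports and go back to the unfiltered trail when an incident involves those services.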
This document describes the accounting setup procedures for AIX Version 3.2.
The setup of system accounting as documented in the 3.2 AIX InfoExplorer has
some errors. This document describes the Version 3.2 setup procedures and
provides the corrections to enable system accounting under AIX version 3.2.
Access to the InfoExplorer and system documentation for AIX Version 3.2 requires
the setup person to be root. In this document, the root user will be used for
setting up system accounting and the user adm for running the reports.
Modify the root user .profile to provide access to the required executables.
Modification of the root profile is optional, but will probably help with
Related Documentation
This command should report the state as COMMITTED or APPLIED if the fileset is
installed. To get the latest level accounting software, refer to the section
"Fixes and Problems" later in this document.
1. Log in as root.
2. Edit the .profile file with your favorite text editor.
3. Locate the PATH statement in the .profile file. It must include the
/usr/sbin/acct and /var/adm/acct directories as shown in the following
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:/usr/bin/X11:/sbin:/usr/sbin/acct:/var/adm/acct; export PATH
4. Locate the export statement in the .profile. If the PATH statement given
above was not used, the PATH variable must be included.
2. Enter:
This command ensures correct permissions and provides access to the wtmp
and pacct files.
3. Update the /etc/acct/holidays file for the current year using a favorite
text editor. The following notes will help clarify the format of this
o An asterisk (*) in column 1 denotes a comment.
o Define prime time on the first data line (the first line that is not a
comment) using a 24-hour clock. The line will consist of three 4-digit
fields, in the following order:
- current year
- when (hhmm) prime time begins
- when (hhmm) prime time ends
For example, to specify the year 1992 with prime time beginning at
8:00 a.m. and ending at 5:00 p.m., specify:
o Define the company holidays for the year on the next data line. Each
line contains four fields in the following order:
- day of the year
- month
- day of the month
- description of the holiday
The day-of-the-year field contains the number of the day of the year
in which the holiday falls. It must be a number from 1 through 365
(366 on a leap year like 1992).
4. The file systems that will be included for accounting information need to
be configured in the /etc/filesystems file. For each file system that will
be included, add the following information to its stanza:
account = true
5. Indicate the data file that will be used for printer data by adding the
following line to the /etc/qconfig stanza for that printer:
acctfile = /var/adm/qacct
This entry must be added to the queue stanza and not the device stanza. If
the entry is added by editing the /etc/qconfig file, enter the following
command to re-digest the qconfig file:
enq -d
Another method of adding this entry to the qconfig file would be to enter
These steps will update the appropriate stanza in /etc/qconfig file and
will re-digest the qconfig file.
NOTE: The printer accounting will not record usage for network printers,
transparent printers, or PostScript printers. In addition, all print
queues must use the same accounting file:
su - adm
cd /var/adm/acct
mkdir nite fiscal sum
chown adm:adm nite fiscal sum
chmod 755 nite fiscal sum
7. Modify the crontabs file for the adm user for automated accumulation of
accounting data. The crontabs file for the adm user is in
su - adm -c "crontab -e"
This will bring up the adm crontabfile in a vi session. You may need to
uncomment or add some entries, and times may need to be modified to suit
the installation's time requirements. An example of the entries needed is
as follows:
o The first line starts runacct at 11:10 pm (10 23), each Sunday through
Saturday (0-6). runacct runs the daily reporting.
o The second line starts disk accounting at 11:00 pm (0 23), each Sunday
through Saturday (0-6), before starting runacct.
o The third line checks the /var/adm/pacct file to ensure that it does
not get too large at 0 minutes past each hour (0 *) every day (*).
If the free space in /var falls below 500 blocks, then ckpacct turns
off accounting until space is made available. A loss of accounting
data will result during the period that accounting is turned off.
ckpacct will turn accounting on again when more space is available.
THERE IS NO NOTIFICATION unless the MAILCOM variable is set as
The variable can be set in the ckpacct and runacct scripts or in the
/etc/environment file. If MAILCOM is set in both places the setting in
ckpacct and runacct will be used.
o The fourth line runs the monthly accounting reports at 4:15 am on the
first of every month.
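A crontab for adm matching the four lines described above, written out here as an added illustration rather than the entries distributed with AIX. The stderr redirection to /var/adm/acct/nite/accterr and the name monacct for the monthly report command are assumptions not stated on this page; check the fourth line against the crontab file shipped with your release.

```crontab
# adm crontab (constructed example)
# fields: minute hour day-of-month month day-of-week command
10 23 * * 0-6 /usr/sbin/acct/runacct 2>/var/adm/acct/nite/accterr >/dev/null
0 23 * * 0-6 /usr/sbin/acct/dodisk >/dev/null 2>&1
0 * * * * /usr/sbin/acct/ckpacct
15 4 1 * * /usr/sbin/acct/monacct
```

dodisk runs ten minutes before runacct so the disk figures are ready for the daily run; if the hourly ckpacct ever disables accounting for lack of space in /var, the gap shows up as missing daily data, which is why setting MAILCOM is worth doing.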
The startup command records the time that accounting was turned on and
cleans up the previous day's accounting files.
If the system is not going to be rebooted at this time, run the preceding
startup command from the root command line to start process accounting.
The meaning of the fields in the accounting Daily Usage Report, in column order, is as follows:
o User ID number
o Login name of user
o Cumulative CPU minutes during prime hours
o Cumulative CPU minutes during non-prime hours
o Cumulative minutes spent in the kernel during prime hours
o Cumulative minutes spent in the kernel during non-prime hours
o Cumulative blocks transferred during prime hours
o Cumulative blocks transferred during non-prime hours
o Cumulative blocks read/written during prime hours
o Cumulative blocks read/written during non-prime hours
o Cumulative connect time (minutes) during prime hours
o Cumulative connect time (minutes) during non-prime hours
o Cumulative disk usage
o Queuing system charges (pages)
o Fee for special services
o Count of processes
o Count of login sessions
o Count of disk samples
Fixes for AIX Version 3.2.5 and later can be downloaded via the Internet with
the FixDist service.
On very large systems, if there are over 1000 users in the /etc/passwd file,
the /usr/sbin/acct/dodisk script must be changed. At line 136 in dodisk, the
diskusg command must be changed to read as follows:
nnnnn is the new maximum number of users for which disk accounting should be
done. (When the maximum number is too small, the dodisk script will return an
error message that tells the user to use -uxxxx. It should say -Uxxxx.)
o IX38748 corrects the problem of a user missing the output from individual
users for the CPU and DASD output.
o IX39408 corrects the problem of process accounting failing on a diskless
o IX42292 corrects the problem of the runacct account command truncating the
wtmp file during its nightly run, causing connection accounting to be lost
for users who do not log off.
o IX40232 corrects the problem of daily and monthly per-user memory
accounting being off by a factor of exactly 200.
o IX42322 corrects the problem of a 64MB limit on system process accounting.
With this problem, any process that used more than 64MB of memory caused an
overflow, and the process size reported by the ac_mem field was inaccurate.
o IX43161 corrects the problem of acctprc2 core dumping with more than 500
o IX41228 corrects the problem of acctdisk entering into an infinite loop if
the input file is corrupted.
o IX40305 corrects the problem of the /var/adm/acct/sum/login log file not
being updated in 3.2.5.
Diagnosing Problems
acctcms    acctmerg
acctcom    acctprc
acctcon    acctprc1
acctdisk   acctprc2
All of these accounting commands read from standard input (as in
acctcms < /usr/adm/pacct) and write to standard output (as in acctcmd <
/usr/adm/pacct > /tmp/report). Find out which accounting file is being used
as standard input and where the output is being directed by entering:
o Defaults are standard in and standard out. Exact syntax is very important.