Using PowerSC RTC to monitor for the deletion of a specific file.
One of my customers was concerned that someone or something
was randomly deleting the /etc/niminfo file on several of his AIX hosts. We
discussed several ways in which he could track down who or what was
removing this file. Obviously, the AIX audit subsystem would be an ideal
method of capturing this event. However, PowerSC Real Time Compliance
(RTC) can also monitor and capture this type of event.
“The PowerSC™ Real Time Compliance feature continuously
monitors enabled AIX® systems to ensure that they are configured
consistently and securely.
The PowerSC Real Time Compliance feature works with the
PowerSC Compliance Automation and AIX Security Expert policies to
provide notification when compliance violations occur or when a
monitored file is changed. When the security configuration policy of a
system is violated, the PowerSC Real Time Compliance feature sends an
email or a text message to alert the system administrator.”
Here’s a quick start guide on configuring PowerSC RTC on AIX.
1. PowerSC is included with the AIX Enterprise
Edition offering. Download the PowerSC software from IBM Entitled
Systems Support (ESS) website.
The package name is ESD_-_PowerSC_Standard_Edition_v1.1.5_122016.tar.gz.
2. Install the following filesets on the AIX host.
# lslpp -L powerscStd\*
  Fileset                    Level    State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  powerscStd.license         7.1.1.5    C     F    PowerSC Standard Edition
  powerscStd.rtc.rte         1.1.5.0    C     F    Real-Time Compliance
# oslevel -s
7100-04-04-1717
3. Configure RTC.
# smit RTC
>Configure Real-Time Compliance Subsystem
Configure Real-Time Compliance subsystem
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
* Email Address (comma separated) [root@lpar9]
Alert Information Level [1] +#
Alert Style [once] +
Alert Email Subject []
Debug [off] +
Or you can use /usr/sbin/mkrtc.
# lssrc -s rtcd
Subsystem         Group            PID          Status
 rtcd                              11075602     active
4. Configure the /etc/security/rtc/rtcd.conf and rtcd_policy.conf files.
/etc/security/rtc/rtcd.conf:
infolevel: 3
alertStyle: event
locallogfile: /var/log/rtc.log
Add an entry for /etc/niminfo to the rtcd_policy.conf file.
# tail -2 /etc/security/rtc/rtcd_policy.conf
/etc/niminfo:
eventtype = modFile,modFileAttr
Restart RTC.
# stopsrc -s rtcd
# startsrc -s rtcd
5. Test RTC monitoring, e.g. if someone deletes the niminfo file, a report is sent via email to root.
# rm /etc/niminfo
# mail
Mail [5.2 UCB] [AIX 5.X] Type ? for help.
"/var/spool/mail/root": 2 messages 2 new
>N 1 RTC@lpar9.mel Thu Aug 3 12:46 35/880 "PowerSC Real-Time Alert - 75"
?
Message 1:
From root Thu Aug 3 12:46:25 2017
Date: Thu, 3 Aug 2017 12:46:25 GMT
To: root@lpar9.meldemo.au.ibm.com
From: RTC@lpar9.meldemo.au.ibm.com
Subject: PowerSC Real-Time Alert - lpar9
The following event(s) has occurred:
BEGIN_EVENT_INFO
Hostname : lpar9
Filename : /etc/niminfo
Time : Thu Aug 3 12:46:25 2017
Sequence Num : 2
Process ID : 15991252
User Info : userName=root, loginName=root, groupName=system
Program Name : rm
Event : AHAFS_MODFILE_REMOVE
STACK_TRACE
[14D70]
ahafs_evprods+970
aha_process_vnop+194
vnop_remove+3A4
kunlinkat+530
.svc_instr
IPRA.$rm+800
IPRA.$rm_main+100
main+C4
__start+68
END_EVENT_INFO
The event information is also captured in the RTC log file (/var/log/rtc.log) on the host.
# grep -p REMOVE /var/log/rtc.log | head -50
The following event(s) has occurred:
BEGIN_EVENT_INFO
Hostname : lpar9
Filename : /etc/niminfo
Time : Thu Aug 3 12:46:25 2017
Sequence Num : 2
Process ID : 15991252
User Info : userName=root, loginName=root, groupName=system
Program Name : rm
Event : AHAFS_MODFILE_REMOVE
STACK_TRACE
[14D70]
ahafs_evprods+970
aha_process_vnop+194
vnop_remove+3A4
kunlinkat+530
.svc_instr
IPRA.$rm+800
IPRA.$rm_main+100
main+C4
__start+68
END_EVENT_INFO
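The rtc.log shown above is easy to read by eye but awkward to count or forward once many events accumulate. The following script is an added example, not part of the original post or of PowerSC: it parses the BEGIN_EVENT_INFO/END_EVENT_INFO blocks into one line per event and filters for removals of a given file. The sample log it reads is constructed here; the function names rtc_events and rtc_removals are my own.

```shell
# Added example, not from the original post or from PowerSC: turns the
# BEGIN_EVENT_INFO/END_EVENT_INFO blocks rtcd writes to /var/log/rtc.log
# into one "time|host|file|user|program|pid|event" line per event ($1 = log).
rtc_events() {
    awk '
        /^BEGIN_EVENT_INFO/ { inblk = 1; split("", f); next }
        /^END_EVENT_INFO/ {
            inblk = 0
            printf "%s|%s|%s|%s|%s|%s|%s\n", f["Time"], f["Hostname"],
                f["Filename"], f["User Info"], f["Program Name"],
                f["Process ID"], f["Event"]
            next
        }
        # "Key : value" lines inside a block are fields; STACK_TRACE frames are not.
        inblk && /^[A-Za-z ]+ : / {
            key = $0; sub(/ *: .*/, "", key)
            val = $0; sub(/^[^:]*: /, "", val)
            f[key] = val
        }
    ' "$1"
}
# Print only AHAFS_MODFILE_REMOVE events for the file named in $2.
rtc_removals() {
    rtc_events "$1" | awk -F'|' -v file="$2" '$3 == file && $7 == "AHAFS_MODFILE_REMOVE"'
}

# Constructed sample log: one removal of /etc/niminfo, one write to /etc/hosts.
SAMPLE_LOG="${TMPDIR:-/tmp}/rtc_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
BEGIN_EVENT_INFO
Hostname : lpar9
Filename : /etc/niminfo
Time : Thu Aug 3 12:46:25 2017
Process ID : 15991252
User Info : userName=root, loginName=root, groupName=system
Program Name : rm
Event : AHAFS_MODFILE_REMOVE
vnop_remove+3A4
END_EVENT_INFO
BEGIN_EVENT_INFO
Hostname : lpar9
Filename : /etc/hosts
Time : Thu Aug 3 13:02:10 2017
Program Name : vi
Event : AHAFS_MODFILE_WRITE
END_EVENT_INFO
EOF
rtc_removals "$SAMPLE_LOG" /etc/niminfo
```

Point rtc_removals at /var/log/rtc.log on the host to list every recorded removal of /etc/niminfo with the user, program and PID responsible.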
Reference: IBM Knowledge Center, PowerSC Real Time Compliance
https://www.ibm.com/support/knowledgecenter/en/SSTQK9_1.1.5/com.ibm.powersc.se/realtimecompliance.htm