Using PowerSC RTC to monitor for the deletion of a specific file.

 

One of my customers was concerned that someone or something was randomly deleting the /etc/niminfo on several of his AIX hosts. We discussed several ways in which he could track down who or what was removing this file. Obviously, the AIX audit subsystem would be an ideal method of capturing this event. However, PowerSC Real Time Compliance (RTC) can also monitor and capture this type of event.

 

“The PowerSC™ Real Time Compliance feature continuously monitors enabled AIX® systems to ensure that they are configured consistently and securely.

 

The PowerSC Real Time Compliance feature works with the PowerSC Compliance Automation and AIX Security Expert policies to provide notification when compliance violations occur or when a monitored file is changed. When the security configuration policy of a system is violated, the PowerSC Real Time Compliance feature sends an email or a text message to alert the system administrator.”

 

Here’s a quick start guide on configuring PowerSC RTC on AIX.

 

1. PowerSC is included with the AIX Enterprise Edition offering. Download the PowerSC software from IBM Entitled Systems Support (ESS) website.

 

 

The package name is ESD_-_PowerSC_Standard_Edition_v1.1.5_122016.tar.gz.

 

2. Install the following filesets on the AIX host.

 

# lslpp -L powerscStd\*

  Fileset                      Level  State  Type  Description (Uninstaller)

  ----------------------------------------------------------------------------

  powerscStd.license         7.1.1.5    C     F    PowerSC Standard Edition

  powerscStd.rtc.rte         1.1.5.0    C     F    Real-Time Compliance

 

# oslevel -s

7100-04-04-1717

 

3. Configure RTC.

 

# smit RTC

>Configure Real-Time Compliance Subsystem

 

                  Configure Real-Time Compliance subsystem

 

Type or select values in entry fields.

Press Enter AFTER making all desired changes.

 

                                                        [Entry Fields]

* Email Address (comma separated)                    [root@lpar9]

  Alert Information Level                            [1]            +#

  Alert Style                                        [once]         +

  Alert Email Subject                                []

  Debug                                              [off]          +

 

Or you can use /usr/sbin/mkrtc.

 

# lssrc -s rtcd

Subsystem         Group            PID          Status

 rtcd                              11075602     active

 

4. Configure the /etc/security/rtc/rtcd.conf and rtcd_policy.conf files.

 

/etc/security/rtc/rtcd.conf:

 

infolevel: 3

alertStyle: event

locallogfile: /var/log/rtc.log

 

Add /etc/niminfo to rtcd_policy.conf file.

 

# tail -2 /etc/security/rtc/rtcd_policy.conf

 

/etc/niminfo:

        eventtype = modFile,modFileAttr

 

Restart RTC.

 

# stopsrc -s rtcd

 

# startsrc -s rtcd

 

5. Test RTC monitoring. e.g If someone deletes the niminfo file, a report is sent via email to root.

 

# rm /etc/niminfo

 

# mail

Mail [5.2 UCB] [AIX 5.X]  Type ? for help.

"/var/spool/mail/root": 2 messages 2 new

>N  1 RTC@lpar9.mel  Thu Aug  3 12:46  35/880  "PowerSC Real-Time Alert - 75"

?

Message  1:

From root Thu Aug  3 12:46:25 2017

Date: Thu, 3 Aug 2017 12:46:25 GMT

To: root@lpar9.meldemo.au.ibm.com

From: RTC@lpar9.meldemo.au.ibm.com

Subject: PowerSC Real-Time Alert - lpar9

 

The following event(s) has occurred:

BEGIN_EVENT_INFO

Hostname      : lpar9

Filename      : /etc/niminfo

Time          : Thu Aug  3 12:46:25 2017

Sequence Num  : 2

Process ID    : 15991252

User Info     : userName=root, loginName=root, groupName=system

Program Name  : rm

Event         : AHAFS_MODFILE_REMOVE

STACK_TRACE

[14D70]

ahafs_evprods+970

aha_process_vnop+194

vnop_remove+3A4

kunlinkat+530

.svc_instr

IPRA.$rm+800

IPRA.$rm_main+100

main+C4

__start+68

END_EVENT_INFO

 

The event information is also captured in the RTC log file (/var/log/rtc.log) on the host.

 

# grep -p REMOVE /var/log/rtc.log | head -50

The following event(s) has occurred:

BEGIN_EVENT_INFO

Hostname      : lpar9

Filename      : /etc/niminfo

Time          : Thu Aug  3 12:46:25 2017

Sequence Num  : 2

Process ID    : 15991252

User Info     : userName=root, loginName=root, groupName=system

Program Name  : rm

Event         : AHAFS_MODFILE_REMOVE

STACK_TRACE

[14D70]

ahafs_evprods+970

aha_process_vnop+194

vnop_remove+3A4

kunlinkat+530

.svc_instr

IPRA.$rm+800

IPRA.$rm_main+100

main+C4

__start+68

END_EVENT_INFO

 

 

IBM Knowledge Center PowerSC Real Time Compliance

https://www.ibm.com/support/knowledgecenter/en/SSTQK9_1.1.5/com.ibm.powersc.se/realtimecompliance.htm

 

 

Tags:  chris gibson deletion rtcd start aix file guide audit configuring deleted to quick rtc powersc blog on