# Audit Configuration Guide

### 1. Configure Remote Logging on AIX <a href="#id-1" id="id-1"></a>

In PLURA, open the Install Agents page (top right) and select the OS from the top menu.

UNIX > AIX tab

### 2. File Audit Configuration <a href="#id-2" id="id-2"></a>

**Audit > Change config settings**

Stop the audit service

`# audit off`

`# audit shutdown`

Edit config

`# vi /etc/security/audit/config`

{% hint style="info" %}

```
  // change values (in the start: stanza)
  binmode = off
  streammode = on

  // add entries (class section, users section)
  class:
  system = USER_Remove,USER_Create,GROUP_Create,GROUP_Remove
  init = USER_Login
  …

  users:
  root = general
  default = general, system, init
```

{% endhint %}

Edit /etc/security/audit/streamcmds

{% hint style="info" %}

```
  // add entries
  /usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info &

  // one-off command: appends a "w = FILE_Write" stanza for every regular file under /etc to objects
  find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects

  /usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" | auditpr -hhelpPRtTc -v > /dev/console &
```

{% endhint %}

Edit /etc/security/audit/objects

{% hint style="info" %}

```
  /etc/hosts:
      w = FILE_Write
```

{% endhint %}

Configure the Audit Tag Name

`# vi /etc/security/audit/objects`

{% hint style="info" %}

```
  // TAG_NAME is a placeholder for the tag name you choose
  /etc/hosts:
      w = W_@TAG_NAME
```

{% endhint %}

Edit /etc/security/audit/events

{% hint style="info" %}

```
  // define the custom event named in objects (same TAG_NAME as above)
  W_@TAG_NAME = printf "%s_qubit"
```

{% endhint %}

### 3. Syslog Module Configuration <a href="#id-3" id="id-3"></a>

Edit config

`# vi /etc/syslog.conf`

{% hint style="info" %}

```
  // add entries (LOG_SERVER_IP is a placeholder for the log collection server IP address)
  *.info @LOG_SERVER_IP
  *.debug @LOG_SERVER_IP
  …
  *.debug;*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;mail.none;auth.none  /var/adm/syslog/syslog.log
  #User.debug /var/adm/syslog/syslog.log rotate size 5m files 5
```

{% endhint %}

Restart syslogd via SRC

`# refresh -s syslogd`

Start audit

`# audit off`

`# audit start`
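Before restarting the audit subsystem it is worth confirming that the four files edited above agree with each other, since a stream mode left off or a tag event that exists in objects but not in events silently breaks the forwarding chain. The POSIX shell function below is an added example (not part of PLURA or AIX); it assumes the file names used on this page and takes the audit directory and syslog.conf path as arguments.

```shell
#!/bin/sh
# Consistency check for the AIX audit -> syslog -> remote collector setup.
# Usage: check_audit_config /etc/security/audit /etc/syslog.conf
# Added example code; the file names (config, objects, events, streamcmds) are assumed.

# Report one problem and count it.
problem() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

# check_audit_config AUDIT_DIR SYSLOG_CONF -> exit status 0 only if every check passes.
check_audit_config() {
    audit_dir=$1; syslog_conf=$2; problems=0

    # 1. config: streammode must be on and binmode off, otherwise no record
    #    ever reaches streamcmds (and therefore logger/syslog).
    grep -Eq '^[[:space:]]*streammode[[:space:]]*=[[:space:]]*on' "$audit_dir/config" \
        || problem "config: streammode is not 'on'"
    grep -Eq '^[[:space:]]*binmode[[:space:]]*=[[:space:]]*off' "$audit_dir/config" \
        || problem "config: binmode is not 'off'"

    # 2. objects: every event assigned to a file (r/w/x = EVENT) must be a
    #    built-in FILE_* event or be defined in events, or it cannot be formatted.
    for ev in $(sed -n 's/^[[:space:]]*[rwx][[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' \
                    "$audit_dir/objects" | sort -u); do
        case $ev in
            FILE_*) ;;
            *) grep -q "^[[:space:]]*$ev[[:space:]]*=" "$audit_dir/events" \
                   || problem "objects: event $ev is not defined in events" ;;
        esac
    done

    # 3. streamcmds: the auditstream output must be piped into logger.
    grep -q 'auditstream.*logger' "$audit_dir/streamcmds" \
        || problem "streamcmds: no auditstream -> logger pipeline"

    # 4. syslog.conf: *.info must be forwarded to a remote host (@host).
    grep -Eq '^\*\.info[[:space:]]+@[^[:space:]]+' "$syslog_conf" \
        || problem "syslog.conf: *.info is not forwarded to a remote host"

    [ "$problems" -eq 0 ]
}
```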

### 4. Register Audit Filters in the PLURA Web Console <a href="#id-4" id="id-4"></a>

Register Audit filters in the PLURA V5 web console. [(Shortcut)](https://qubitsec.github.io/ja_f_regi_audit.html)

### 5. Using Audit Filter Detection in PLURA <a href="#id-5" id="id-5"></a>

[(Shortcut)](https://qubitsec.github.io/ja_aix_hack_using_audit.html)

### References <a href="#id-6" id="id-6"></a>

<https://developer.ibm.com/technologies/systems/articles/au-audit_filter/>
