
# Audit Configuration Guide

### 1. Configure Remote Logging on AIX <a href="#id-1" id="id-1"></a>

* In the PLURA top menu, select `Install Agents`
* Under the OS selection, click the `UNIX > AIX` tab

### 2. Configure File Auditing <a href="#id-2" id="id-2"></a>

* Change the values in the audit `config` file
* Stop the audit service first; the edited files are only read on the next `audit start`

```bash
audit off
```

```bash
audit shutdown
```

* Edit the `config` file

```bash
vi /etc/security/audit/config
```

```
* change these two values in the start: stanza
start:
        binmode = off
        streammode = on

* add entries to the classes: and users: stanzas
classes:
        system = USER_Remove,USER_Create,GROUP_Create,GROUP_Remove
        init = USER_Login
        …

users:
        root = general
        default = general,system,init
```

`binmode = off` with `streammode = on` stops writing the binary trail and instead feeds each record to the commands listed in `streamcmds`. The `system` class collects account and group lifecycle events and `init` collects logins; `general` is the class predefined in the stock file. The `default` entry in the `users:` stanza applies those classes to every user without an explicit stanza of their own.

* Edit the `streamcmds` file

```bash
vi /etc/security/audit/streamcmds
```

Add the following line. Every audit record is formatted by `auditpr` and handed to syslog by `logger` with facility `local7` and priority `info`; this is the line that actually delivers the records to the log collection server.

```
/usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info &
```

To additionally print `FILE_Write` events on the console, a second stream command can be added:

```
/usr/sbin/auditstream | /usr/sbin/auditselect -e "event == FILE_Write" | auditpr -hhelpPRtTc -v > /dev/console &
```

The `find` one-liner below generates an `objects` stanza for every regular file under `/etc`. It is a one-off shell command, not a `streamcmds` entry: placed in `streamcmds` it would run on every `audit start` and append a duplicate set of stanzas each time. Paths containing whitespace are truncated at the first space by `$1`.

```bash
find /etc -type f | awk '{printf("%s:\n\tw = FILE_Write\n\n",$1)}' >> /etc/security/audit/objects
```

* Edit the `objects` file

```bash
vi /etc/security/audit/objects
```

```
/etc/hosts:
        w = FILE_Write
```

* **Setting an Audit Tag Name**

Instead of the built-in `FILE_Write` event, the object can be watched under a custom event name (`W_@TagName` here, where `TagName` is the tag you choose), so that the forwarded records carry a name you can recognise when building a filter in PLURA.

```bash
vi /etc/security/audit/objects
```

```
/etc/hosts:
        w = W_@TagName
```

* Edit the `events` file so that `auditpr` knows how to print the custom event

```bash
vi /etc/security/audit/events
```

```
W_@TagName = printf "%s_qubit"
```

### 3. Configure the Syslog Module <a href="#id-3" id="id-3"></a>

* Edit `syslog.conf`

```bash
vi /etc/syslog.conf
```

```
# add the following, replacing the address with the IP of the log collection server
*.info @<log collection server IP>
*.debug @<log collection server IP>
…
*.debug;*.emerg;*.alert;*.crit;*.err;*.warning;*.notice;*.info;mail.none;auth.none  /var/adm/syslog/syslog.log
#User.debug /var/adm/syslog/syslog.log rotate size 5m files 5
```

A selector matches its own priority and everything more severe, so `*.debug` already includes everything `*.info` matches; syslogd applies every matching line, so with both present each message is forwarded to the collector twice. The audit records arrive tagged `local7.info` by `logger`, so a `local7.info @<log collection server IP>` line forwards just the audit stream if the rest of the host's syslog traffic should stay local.

* Restart `syslog`

```bash
refresh -s syslogd
```

* Start `audit`. `audit off` only matters if the subsystem is still running; `audit start` then loads the edited `config`, `objects`, `events` and `streamcmds` files

```bash
audit off
```

```bash
audit start
```
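The edits in sections 2 and 3, as an added example that is not code from the PLURA documentation or from the IBM article it references: a POSIX shell script that applies them so that a second run changes nothing, and that can be rehearsed on scratch copies of the files before it is pointed at `/etc/security/audit`. The watch list, the `local7.info`-only syslog selector and the collector address `192.0.2.10` (a documentation address) are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the PLURA docs or IBM: applies the section 2-3 edits
# idempotently. Every function takes the file it edits as an argument, so the logic
# can be exercised on scratch copies before it touches /etc/security/audit.
# Assumes the stock AIX config layout (binmode/streammode lines inside the start:
# stanza) and tab-indented stanza values.

# Switch the audit subsystem from the binary trail to stream mode.
set_stream_mode() {                     # $1 = config file
    cfg=$1
    sed -e 's/^\([[:space:]]*\)binmode[[:space:]]*=.*/\1binmode = off/' \
        -e 's/^\([[:space:]]*\)streammode[[:space:]]*=.*/\1streammode = on/' \
        "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Append a write watch for one path to objects unless that stanza is already there.
# The page's "find ... >> objects" one-liner has no such check and duplicates
# stanzas on every run. Returns 1 when the stanza was already present.
add_object_watch() {                    # $1 = objects file, $2 = path, $3 = event name
    obj=$1 path=$2 event=${3:-FILE_Write}
    if grep -Fxq -- "$path:" "$obj" 2>/dev/null; then
        return 1
    fi
    printf '%s:\n\tw = %s\n\n' "$path" "$event" >> "$obj"
}

# Ensure an exact line is present once (used for streamcmds and syslog.conf).
ensure_line() {                         # $1 = file, $2 = line
    grep -Fxq -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Number of object stanzas in an objects file; lets a caller verify idempotence.
count_object_stanzas() {                # $1 = objects file
    grep -c '^/.*:$' "$1" 2>/dev/null || true
}

# Apply everything. $2/$3 default to the live files; pass scratch paths for a dry run.
apply_audit_config() {                  # $1 = collector IP, $2 = audit dir, $3 = syslog.conf
    collector=$1 root=${2:-/etc/security/audit} syslog=${3:-/etc/syslog.conf}
    set_stream_mode "$root/config"
    # Hand every record to syslog with facility local7, as on the page.
    ensure_line "$root/streamcmds" \
        '/usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info &'
    # Watch list is an assumption made for the example; extend it as needed.
    for f in /etc/hosts /etc/passwd /etc/security/passwd; do
        add_object_watch "$root/objects" "$f" FILE_Write || :
    done
    # Forward only the audit stream (local7) instead of the *.info/*.debug catch-alls.
    ensure_line "$syslog" "local7.info @$collector"
}

# Restart sequence from the page. Only meaningful on AIX; skipped elsewhere.
restart_audit() {
    if ! command -v audit >/dev/null 2>&1; then
        echo "audit command not found; nothing restarted" >&2
        return 0
    fi
    audit shutdown
    refresh -s syslogd
    audit start
    audit query        # confirm auditing is on and which classes are active
}

# Usage on an AIX host (substitute the collector address):
#   apply_audit_config 192.0.2.10 && restart_audit
```

Rehearse first against copies (`apply_audit_config 192.0.2.10 /tmp/auditcopy /tmp/syslog.conf`), diff the results against the live files, then run with the defaults and `restart_audit`. `audit query` at the end reports whether auditing is on and which classes are active, which is the quickest check that the new `config` was actually loaded.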

### 4. Register an Audit Filter <a href="#id-4" id="id-4"></a>

* Register the Audit filter in the PLURA web UI. [(link)](https://docs.plura.io/ko/function/common/filter/audit)

### 5. Using Audit Filters for Detection <a href="#id-5" id="id-5"></a>

* [(link)](https://docs.plura.io/ko/faq/siem/ibm-aix/audit-1)

### Reference <a href="#id-6" id="id-6"></a>

> <https://developer.ibm.com/technologies/systems/articles/au-audit_filter/>

