You can audit AFS events on AIX File Servers using an AFS mechanism that transfers audit information from AFS to the AIX auditing system. For a complete list of specific AFS audit events, see Appendix D, AIX Audit Events. The following general classes of AFS events can be audited:
Authentication and Identification Events
Security Events
Privilege Required Events
Object Creation and Deletion Events
Attribute Modification Events
Process Control Events
This section assumes familiarity with the AIX auditing system. For more information, see the AIX System Management Guide for the version of AIX you are using.
The directory /usr/afs/local/audit contains three files that contain the information needed to configure AIX File Servers to audit AFS events:
The events.sample file contains information on auditable AFS events. The contents of this file are integrated into the corresponding AIX events file (/etc/security/audit/events).
The config.sample file defines the six classes of AFS audit events and the events that make up each class. It also defines the classes of AFS audit events to audit for the File Server, which runs as the local superuser root. The contents of this file must be integrated into the corresponding AIX config file (/etc/security/audit/config).
The objects.sample file lists information about audited files. Audit only files in the local file space. The contents of this file must be integrated into the corresponding AIX objects file (/etc/security/audit/objects).
Once you have properly configured these files to include the AFS-relevant information, use the AIX auditing system to start and stop auditing.
To enable AFS auditing, create the following string in the file /usr/afs/local/Audit on each File Server on which you plan to audit AFS events:
AFS_AUDIT_AllEvents
Issue the bos restart command (with the -all flag) to stop and restart all server processes on each File Server. For instructions on using this command, see Stopping and Immediately Restarting Processes.
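A check worth running before the bos restart step above, given here as an added example that is not part of the AFS documentation: it reports any line of the three sample files that is absent from the corresponding AIX audit file and confirms that the enabling string is in place. The function names and the environment-variable overrides are assumptions; the paths are the ones named on this page.

```shell
#!/bin/sh
# Added example, not AFS-supplied code. Default paths are those named on this
# page; the environment overrides exist only so the check can be tested.
AFS_SAMPLE_DIR=${AFS_SAMPLE_DIR:-/usr/afs/local/audit}
AIX_AUDIT_DIR=${AIX_AUDIT_DIR:-/etc/security/audit}
AFS_AUDIT_FILE=${AFS_AUDIT_FILE:-/usr/afs/local/Audit}

# Print every non-blank, non-comment line of sample file $1 that has no
# whitespace-normalized match in live file $2.
# Returns 0 if nothing is missing, 1 if lines are missing, 2 if unreadable.
# A line merged by hand into an existing entry (for example, classes appended
# to an existing root entry) is reported as well and needs manual review.
missing_lines() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "cannot read $1 or $2" >&2; return 2; }
    awk '
        function norm(s) { gsub(/[ \t]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); return s }
        FILENAME == ARGV[1] { live[norm($0)] = 1; next }   # first file: live AIX file
        { l = norm($0)
          if (l == "" || substr(l, 1, 1) == "*") next      # "*" starts a comment line
          if (!(l in live)) { print l; miss = 1 } }
        END { exit miss }
    ' "$2" "$1"
}

# Succeeds only if the Audit file contains the enabling string.
audit_string_present() {
    [ -r "$AFS_AUDIT_FILE" ] && grep -F AFS_AUDIT_AllEvents "$AFS_AUDIT_FILE" >/dev/null
}

# Returns 0 only when all three sample files are integrated and the
# enabling string is present; otherwise explains what is missing on stderr.
afs_audit_ready() {
    rc=0
    for f in events config objects; do
        if ! out=$(missing_lines "$AFS_SAMPLE_DIR/$f.sample" "$AIX_AUDIT_DIR/$f"); then
            echo "$f.sample is not fully integrated into $AIX_AUDIT_DIR/$f" >&2
            if [ -n "$out" ]; then echo "$out" | sed 's/^/  missing: /' >&2; fi
            rc=1
        fi
    done
    audit_string_present || { echo "AFS_AUDIT_AllEvents not in $AFS_AUDIT_FILE" >&2; rc=1; }
    return $rc
}
```

Source the file as root on each File Server and call afs_audit_ready; a non-zero status means the restart would not produce the expected AFS audit records.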
To disable AFS auditing, remove the contents of the file /usr/afs/local/Audit on each File Server on which you no longer want to audit AFS events.
Issue the bos restart command (with the -all flag) to stop and restart all server processes on each File Server. For instructions on using this command, see Stopping and Immediately Restarting Processes.