This IBM® Redpaper looks at auditing UNIX/Linux® system use with the Tivoli® Access™ Manager for Operating Systems and Tivoli Compliance Insight Manager products, and focuses only on UNIX/Linux system auditing.

Any site that has deployed a large number of UNIX® or Linux systems will be familiar with the security concerns that are entrenched in these operating systems. One of the most significant is the concern over the use of the superuser account, root, or any account with UID=0. The root user has access to any resource in the system, and where this activity is logged through system accounting or auditing, the root user has access rights to modify the audit files. The user could perform malicious changes to the system and then wipe their tracks. As many activities on a UNIX/Linux system require root authority, many sites find that the number of users who know the root password is out of control and impossible to track.

Tivoli Access Manager for Operating Systems provides operating system level access control for UNIX/Linux systems. One of the key features is the ability to control root account use. Another strength of the product is its ability to audit system use and secure the audit trail from tampering. Tivoli Compliance Insight Manager provides enterprise-wide audit and compliance reporting. Use of Tivoli Access Manager for Operating Systems with Tivoli Compliance Insight Manager can provide an effective UNIX/Linux activity auditing solution.

This paper is an introduction to Tivoli Access Manager for Operating Systems and how it provides for UNIX/Linux activity auditing. A number of privileged user use cases are performed, and the native Tivoli Access Manager for Operating Systems auditing mechanism is used to report on the use cases. Finally, this audit data is sent to the Tivoli Compliance Insight Manager and viewed using standard and custom reporting.