audit Command

AIX Version 4.3 Commands Reference, Volume 1

audit Command

Purpose

Controls system auditing.

Syntax

audit { start | shutdown }

audit { off | on [ panic ] }

audit query

Description

The audit command controls system auditing through its several keywords. One keyword must be included each time the command is given. The start keyword and the shutdown keyword start and stop the auditing system and reset the system configuration. The off keyword and the on keyword suspend and restart the audit system without affecting the system configuration. The query keyword lets you query the current status.

The auditing system follows the instructions established in the following configuration files:

/etc/security/audit/config
/etc/security/audit/events
/etc/security/audit/objects
/etc/security/audit/bincmds
/etc/security/audit/streamcmds

Each of these files is described in "Files" section. For information on configuring the audit system, see "Setting up Auditing" in AIX Version 4.3 System Management Guide: Operating System and Devices.

Keywords

start	Starts the audit subsystem. The command reads the instructions in the configuration files and does the following: object auditing Writes the audit event definitions in the /etc/security/audit/objects file into the kernel to define the object auditing events. event auditing Writes the audit class definitions in the /etc/security/audit/config file into the kernel to define the audit classes. bin auditing Starts the auditbin daemon according to the configuration information in the bin stanza in the /etc/security/audit/config file, if the start stanza contains `binmode=on` . stream auditing Invokes the audit stream commands as defined in the stream stanza in the /etc/security/audit/config file, if the start stanza contains `streammode=on` . Attention: Invocation of stream auditing from /etc/inittab should be avoided. user auditing Audits all users currently logged in to the system, if they are configured in the users stanza of the /etc/security/audit/config file. audit logging Enables the audit logging component as defined in the start stanza in the /etc/security/audit/config file.
shutdown	Terminates the collection of audit records and resets the configuration information by removing the definition of classes from the kernel tables. All the audit records are flushed from the kernel buffers into the bin files or audit streams, according to the specifications for the backend commands, which are contained in the /etc/security/audit/bincmds file for binmode auditing, and in the /etc/security/audit/streamcmds file for streammode auditing. The collection of audit data stops until the next audit start command is given.
off	Suspends the auditing system, but leaves the configuration valid. Data collection pauses until the audit on command is given.
on [panic]	Restarts the auditing system after a suspension, if the system is properly configured (for example, if the audit start command was used initially and the configuration is still valid). If auditing is already started when the command is given, only bin data collection can be changed. If you specify the panic option, the system will shut down if bin data collection is enabled but cannot be written to a bin file. If binmode is not enabled, the system will shut down.
query	Displays the current status of the audit subsystem, in the following format: auditing on {panic} \| auditing off bin manager off \| is process number pid audit events: audit class: audit event, audit event... audit objects: object name: object mode: audit event

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode	File
r	/etc/security/audit/config
r	/etc/security/audit/objects
x	/usr/sbin/auditbin
x	/usr/sbin/auditstream

Examples

To start the audit process, configure the audit system as described in "Setting up Auditing" in AIX Version 4.3 System Management Guide: Operating System and Devices, and add the following line to the system initialization file (the /etc/rc file):
```
/usr/sbin/audit start
```
The audit process starts, as configured, each time the system is initialized.
To terminate the operation of the auditing process, enter:
```
/usr/sbin/audit shutdown
```
Data collection stops until the audit start command is given again. The configuration of classes in the operating system kernel is lost.
Note: The audit shutdown command should be in the /etc/shutdown file as well.
To suspend the audit subsystem, enter:
```
/usr/sbin/audit off
```
To restart an audit process that was suspended by the audit off command, enter:
```
/usr/sbin/audit on
```
The suspended state ends and audit records are generated again, as long as the system is configured correctly.
To display the current status of the auditing system, enter:
```
/usr/sbin/audit query
```
An example of an audit query status message follows:
```
auditing on
 
bin manager is process number 123
 
audit events:
    authentication- USER_Login, USER_Logout
    administration- USER_Create, GROUP_Create
 
audit objects:
    /etc/security/passwd :
      r = AUTH_Read
    /etc/security/passwd : 
      w = AUTH_Write 
```
The query tells you that audit records will be written when the specified users log in or log out, when the specified administrators create a user or a group, and when the system receives an authorized read or write instruction for the /etc/security/passwd file.

Files

/usr/sbin/audit	Contains the path of the audit command.
/etc/rc	Contains the system initialization commands.
/etc/security/audit/config
	Contains audit configuration information.
/etc/security/audit/events
	Lists the audit events and their tail format specifications.
/etc/security/audit/objects
	Lists the audit events for each file (object).
/etc/security/audit/bincmds
	Contains shell commands for processing audit bin data.
/etc/security/audit/streamcmds
	Contains auditstream commands.

Related Information

The auditbin daemon, auditcat command, auditconv command, auditpr command, auditselect command, auditstream command, login command, logout command, su command.

The audit subroutine, auditbin subroutine, auditevents subroutine, auditlog subroutine, auditproc subroutine.

For general information on auditing, refer to Auditing Overview in AIX Version 4.3 System Management Guide: Operating System and Devices.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX Version 4.3 System Management Guide: Operating System and Devices.

To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX Version 4.3 System Management Guide: Operating System and Devices.