events File

AIX Version 4 Files Reference

events File

Purpose

Contains information about system audit events.

Description

The /etc/security/audit/events file is an ASCII stanza file that contains information about audit events. The file contains just one stanza, auditpr, which lists all the audit events in the system. The stanza also contains formatting information that the auditpr command needs to write an audit tail for each event.

Each attribute in the stanza is the name of an audit event, with the following format:

AuditEvent = FormatCommand

The format command can have the following parameters:

(empty)	The event has no tail.
printf Format	The tail is formatted according to the string supplied for the Format parameter. The %x symbols within the string indicate places for the audit trail to supply data.
Program -i n Arg ...	The tail is formatted by the program specified by the Program parameter. The -i n parameter is passed to the program as its first parameter, indicating that the output is to be indented by n spaces. Other formatting information can be specified with the Arg parameter. The audit event name is passed as the last parameter. The tail is written to the standard input of the program.

Audit Event Formatting Information

Format	Description
%A	Formatted output is similar to the aclget command.
%d	Formatted as a 32-bit signed decimal integer
%G	Formatted as a comma-separated list of group names or numerical identifiers.
%o	Formatted as 32-bit octal integer.
%P	Formatted output is similar to the pclget command.
%s	Formatted as a text string.
%T	Formatted as a text string giving include date and time with 6 significant digits for the seconds `DD Mmm YYYY HH:MM:SS:mmmuuu` ).
%u	Formatted as a 32-bit unsigned integer.
%x	Formatted as a 32-bit hexidecimal integer.
%X	Formatted as a 32-bit hexidecimal integer with upper case letters.

Security

Access Control: This file should grant read (r) access to the root user and members of the audit group, and grant write (w) access only to the root user.

Examples

To format the tail of an audit record for new audit events, such as FILE_Open and PROC_Create , add format specifications like the following to the auditpr stanza in the /etc/security/audit/events file:

auditpr:
  FILE_Open = printf "flags: %d mode: %o \
   fd: %d filename: %s"
  PROC_Create = printf "forked child process %d"

Implementation Specifics

This file is part of Base Operating System (BOS) Runtime.

Files

/etc/security/audit/events	Specifies the path to the file.
/etc/security/audit/config	Contains audit system configuration information.
/etc/security/audit/objects	Contains information about audited objects.
/etc/security/audit/bincmds	Contains auditbin backend commands.
/etc/security/audit/streamcmds	Contains auditstream commands.

Related Information

The audit command, auditpr command.

Auditing Overview, Setting Up Auditing, and Security Administration in AIX Version 4.3 System Management Guide: Operating System and Devices.