This document describes a procedure intended only for configuring auditing in stream mode and for tracking the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to AIX Version 3.2.
Two files in the /etc/security/audit directory must be modified in order to monitor cron events. They are:
The default settings of the bin and stream stanzas are:
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds
NOTE: The following is on one line, with no spaces between commas.
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
<user> = <audit class>, <audit class>
For example, to enable tracking of cron events from root's crontab table, enter:
root = cron
CRON_Start = printf "event = %s cmd = %s time = %s"
CRON_Finish = printf "user = %s pid = %s time = %s"
The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.
NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.
/etc/auditstream | auditpr -v > /audit/stream.out &
audit shutdown
audit start
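
The following POSIX shell script is an added example, not part of the original procedure. It checks the entries described above before auditing is restarted: the cron class line (no blanks in the list, CRON_Start and CRON_Finish capitalised as in the IX34755 note), the user's class assignment, and the two printf formats. The function names, the sample files and their "classes:"/"users:" stanza layout are constructed for the example; the real configuration and events files are passed as arguments.

```sh
#!/bin/sh
# Added example (not from the original document). Paths are passed as arguments.

# check_cron_class CONFIG: the "cron = ..." line must have no blanks in its
# list and must name CRON_Start and CRON_Finish exactly (see the IX34755 note).
check_cron_class() {
    events=$(sed -n 's/^[[:space:]]*cron[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$events" ] || { echo "no cron class line in $1"; return 1; }
    if printf '%s\n' "$events" | grep -q '[[:space:]]'; then
        echo "blank inside the cron class list"; return 1
    fi
    rc=0
    for want in CRON_Start CRON_Finish; do
        case ",$events," in
            *",$want,"*) ;;
            *) echo "cron class lacks $want"; rc=1 ;;
        esac
    done
    return $rc
}

# check_user_class CONFIG USER: USER's class list must include "cron".
check_user_class() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | head -n 1 |
        tr ',' '\n' | sed 's/[[:space:]]//g' | grep -qx cron
}

# check_event_formats EVENTS: both events need a printf format for auditpr.
check_event_formats() {
    rc=0
    for ev in CRON_Start CRON_Finish; do
        grep -Eq "^[[:space:]]*$ev[[:space:]]*=[[:space:]]*printf " "$1" ||
            { echo "no printf format for $ev in $1"; rc=1; }
    done
    return $rc
}

# Constructed sample files, so the script runs anywhere.
demo=${TMPDIR:-/tmp}/auditdemo.$$
mkdir -p "$demo"
printf 'classes:\n\tcron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish\nusers:\n\troot = cron\n' > "$demo/config"
printf '\tCRON_Start = printf "event = %%s cmd = %%s time = %%s"\n\tCRON_Finish = printf "user = %%s pid = %%s time = %%s"\n' > "$demo/events"
# Same class line with the misdocumented names CRON_start / CRON_finish.
sed 's/CRON_Start,CRON_Finish/CRON_start,CRON_finish/' "$demo/config" > "$demo/config.bad"

check_cron_class "$demo/config" && check_user_class "$demo/config" root &&
    check_event_formats "$demo/events" && echo "sample configuration OK"
check_cron_class "$demo/config.bad" || echo "misnamed events rejected"
rm -rf "$demo"
```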