Setting Up Auditing to Monitor cron Events in AIX 3.2


Contents

About This Document
Procedure

About This Document

This document describes a procedure that is intended only for configuration of auditing in stream mode and for configuration of tracking of the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to AIX Version 3.2.


Procedure

Two files in the /etc/security/audit directory must be modified in order to monitor cron events. They are:

  1. In the start stanza in the /etc/security/audit/config file, streammode should be set to ON and binmode should be set to OFF.

    The default setting of the bin and stream stanzas are:

    NOTE: The following is on one line, with no spaces between commas.

     
       bin: 
                 trail = /audit/trail 
                 bin1 = /audit/bin1 
                 bin2 = /audit/bin2 
                 binsize = 10240 
                 cmds = /etc/security/audit/bincmds 
       stream: 
                 cmds = /etc/security/audit/streamcmds 
    
  2. Group cron audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file. The CRON_Start and CRON_Finish events monitor cron-job "start" and "finish" events. Below is the cron audit class with every event that audit can track.

    NOTE: The following is on one line, with no spaces between commas.

     
    cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove, 
    CRON_Start,CRON_Finish 
    
  3. To assign audit classes to an individual user, add a line to the users stanza of the /etc/security/audit/config file. Each line is in the form
     
       <user> = <audit class>, <audit class> 
    

    For example, to enable tracking of cron events from root's crontab table, enter:

     
       root = cron 
    
  4. Events need to be added to /etc/security/audit/events file. The following is an example of the "CRON_Start" and "CRON_Finish" events:
     
       CRON_Start = printf "event = %s cmd = %s time = %s" 
       CRON_Finish = printf "user = %s pid = %s time = %s" 
    

    The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.

    NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.

  5. The output file for the cron report is specified in the /etc/security/audit/streamcmds file. The default setting for streamcmds is:
     
       /etc/auditstream | auditpr -v > /audit/stream.out & 
    
  6. After the config and events files have been changed, auditing must be restarted so that it will be reinitialized with the new parameters. To restart auditing, enter the following commands:
     
       audit shutdown 
       audit start 
    

Setting Up Auditing to Monitor cron Events in AIX 32: cron.auditing.32.cmd ITEM: FAX
Dated: 99/05/05~00:00 Category: cmd
This HTML file was generated 99/06/24~12:41:57
Comments or suggestions? Contact us