audit query
The audit command controls system auditing through its several keywords. One keyword must be included each time the command is given. The start keyword and the shutdown keyword start and stop the auditing system and reset the system configuration. The off keyword and the on keyword suspend and restart the audit system without affecting the system configuration. The query keyword lets you query the current status.
The auditing system follows the instructions established in the configuration files under /etc/security/audit (config, events, objects, bincmds and streamcmds). Each of these files is described in the "Files" section below. For information on configuring the audit system, see "Setting up Auditing" in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.
Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
Files accessed by the command:

| Mode | File |
|---|---|
| r | /etc/security/audit/config |
| r | /etc/security/audit/objects |
| x | /usr/sbin/auditbin |
| x | /usr/sbin/auditstream |
To start the audit system, enter:

```
/usr/sbin/audit start
```

The audit process starts, as configured, each time the system is initialized.

To stop the audit system, enter:

```
/usr/sbin/audit shutdown
```

Data collection stops until the audit start command is given again. The configuration of classes in the operating system kernel is lost.

Note: The audit shutdown command should be in the /etc/shutdown file as well.

To suspend the audit system without losing its configuration, enter:

```
/usr/sbin/audit off
```

To restart a suspended audit system, enter:

```
/usr/sbin/audit on
```

The suspended state ends and audit records are generated again, as long as the system is configured correctly.

To display the current status of the audit system, enter:

```
/usr/sbin/audit query
```
An example of an audit query status message follows:

```
auditing on
bin manager is process number 123
audit events:
   authentication-
       USER_Login, USER_Logout
   administration-
       USER_Create, GROUP_Create
audit objects:
   /etc/security/passwd :
       r = AUTH_Read
   /etc/security/passwd :
       w = AUTH_Write
```
The query tells you that audit records will be written when the specified users log in or log out, when the specified administrators create a user or a group, and when the system receives an authorized read or write instruction for the /etc/security/passwd file.
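The status report above has a fixed shape (a state line, a bin manager line, then indented event classes and object watches), so it can be parsed and checked from a script. The following is an added example, not part of the AIX documentation: it parses a constructed copy of the page's sample output into a structure and then flags the conditions an administrator would want to notice, such as auditing being off or a required event or file watch missing. The required-events and required-objects policy is hypothetical, chosen only to illustrate the check.

```python
"""Parse and sanity-check the status report printed by `audit query` (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of `audit query` output, laid out as on the page.
SAMPLE_QUERY = """\
auditing on
bin manager is process number 123
audit events:
   authentication-
       USER_Login, USER_Logout
   administration-
       USER_Create, GROUP_Create
audit objects:
   /etc/security/passwd :
       r = AUTH_Read
   /etc/security/passwd :
       w = AUTH_Write
"""

# Hypothetical site policy: events and object watches that must be configured.
REQUIRED_EVENTS = {"USER_Login", "USER_Logout"}
REQUIRED_OBJECT_MODES = {"/etc/security/passwd": {"r", "w"}}


@dataclass
class AuditStatus:
    state: str                                   # "on", "off" or "unknown"
    bin_manager_pid: Optional[int] = None        # None if no bin manager line is present
    events: Dict[str, List[str]] = field(default_factory=dict)        # class -> event names
    objects: Dict[str, Dict[str, str]] = field(default_factory=dict)  # path -> {mode: event}


def parse_audit_query(text: str) -> AuditStatus:
    """Turn the text of `audit query` into an AuditStatus."""
    status = AuditStatus(state="unknown")
    section = None   # "events" or "objects" once the matching header is seen
    current = None   # current event class or object path within the section
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("auditing "):
            status.state = line.split(None, 1)[1]
            continue
        m = re.match(r"bin manager is process number (\d+)$", line)
        if m:
            status.bin_manager_pid = int(m.group(1))
            continue
        if line == "audit events:":
            section, current = "events", None
            continue
        if line == "audit objects:":
            section, current = "objects", None
            continue
        if section == "events":
            if line.endswith("-"):               # class header such as "authentication-"
                current = line[:-1]
                status.events.setdefault(current, [])
            elif current is not None:            # comma-separated event names
                status.events[current].extend(
                    e.strip() for e in line.split(",") if e.strip())
        elif section == "objects":
            if line.endswith(":"):               # object path header such as "/etc/security/passwd :"
                current = line[:-1].strip()
                status.objects.setdefault(current, {})
            elif current is not None and "=" in line:
                mode, event = (p.strip() for p in line.split("=", 1))
                status.objects[current][mode] = event
    return status


def check_audit_status(status: AuditStatus) -> List[str]:
    """Return findings against the policy above; an empty list means nothing to report."""
    findings = []
    if status.state != "on":
        findings.append(f"auditing is {status.state}, not on")
    if status.bin_manager_pid is None:
        findings.append("no bin manager process reported")
    configured = {e for names in status.events.values() for e in names}
    for ev in sorted(REQUIRED_EVENTS - configured):
        findings.append(f"required event not configured: {ev}")
    for path, modes in REQUIRED_OBJECT_MODES.items():
        present = set(status.objects.get(path, {}))
        for mode in sorted(modes - present):
            findings.append(f"no {mode} watch on {path}")
    return findings


if __name__ == "__main__":
    # On a real system the text would come from running `/usr/sbin/audit query`.
    report = parse_audit_query(SAMPLE_QUERY)
    print(report)
    print(check_audit_status(report) or "audit status looks healthy")
```

On a live system the sample text would be replaced by the captured output of `/usr/sbin/audit query`; the parser stops at unexpected lines rather than guessing, so a format change shows up as missing fields and is reported by the check.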
| File | Description |
|---|---|
| /usr/sbin/audit | Contains the path of the audit command. |
| /etc/rc | Contains the system initialization commands. |
| /etc/security/audit/config | Contains audit configuration information. |
| /etc/security/audit/events | Lists the audit events and their tail format specifications. |
| /etc/security/audit/objects | Lists the audit events for each file (object). |
| /etc/security/audit/bincmds | Contains shell commands for processing audit bin data. |
| /etc/security/audit/streamcmds | Contains auditstream commands. |
Related commands and daemons: the auditbin daemon, auditcat command, auditconv command, auditpr command, auditselect command, auditstream command, login command, logout command, su command.
Related subroutines: the audit subroutine, auditbin subroutine, auditevents subroutine, auditlog subroutine, auditproc subroutine.
For general information on auditing, refer to Auditing Overview in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.
To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.