[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 1

auditbin Daemon


Manages bins of audit information.




The auditbin daemon in the audit subsystem manages bin1 and bin2, temporary bin files that alternately collect audit event data. The command also delivers bins of data records to backend commands for processing.

As audit events occur, the operating system kernel writes a record to a bin file. When a bin file is full, the auditbin daemon reads the /etc/security/audit/bincmds file and delivers the bin records to the backend commands defined in the file. Each line of the /etc/security/audit/bincmds file contains one or more commands with input and output that can be piped together or redirected. The auditbin daemon searches each command for the $bin string and the $trail string and substitutes the path names of the current bin file and the system trail file for these strings.

The auditbin daemon ensures that each command encounters each bin at least once, but does not synchronize access to the bins. When all the commands have run, the bin file is ready to collect more audit records.

If a command is unsuccessful, the auditbin daemon stops delivering data records and sends a message to the /dev/tty device every 60 seconds until the root user or a member of the audit group stops the command.


Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode File
r /etc/security/audit/config
r /etc/security/audit/bincmds
rw Defined audit bins and trail file
x All audit bin processing commands


  1. To configure the auditbin daemon, edit the start and bin stanzas of the /etc/security/audit/config file to include the following attribute definitions:

             binmode = on
             trail = /audit/trail
             bin1 = /audit/bin1
             bin2 = /audit/bin2
             binsize = 25000
             cmds = /etc/security/audit/bincmds
  2. To define the commands that process the audit trail, edit the /etc/security/audit/bincmds file to include one or more command lines, such as the following:

    /usr/sbin/auditcat -p -o $trail $bin
    /usr/sbin/auditselect -e "event == USER_Login" \
    $bin | /usr/sbin/auditpr >> /etc/log 

    The first command line appends compressed audit bins to the audit trail file. The second line selects USER_Login records from each bin file, passes them to the auditpr command for formatting, and appends the records to the /etc/log file.


/usr/sbin/auditbin Specifies the path to the auditbin daemon.
/audit/binx Specifies the path to the default bin collection files, with x indicating the bin number.
                          Contains audit system configuration information.
                          Contains the audit events of the system.
                          Contains audit events for audited objects (files).
                          Contains the auditbin backend commands.
                          Contains the auditstream commands.

Related Information

The audit command, auditcat command, auditconv command,auditpr command, auditselect command, auditstream command.

The audit subroutine, auditbin subroutine.

Auditing Overview in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

[ Previous | Next | Table of Contents | Index | Library Home | Legal | Search ]