Manages bins of audit information.
auditbin
The auditbin daemon in the audit subsystem manages bin1 and bin2, temporary bin files that alternately collect audit event data. The command also delivers bins of data records to backend commands for processing.
As audit events occur, the operating system kernel writes a record to a bin file. When a bin file is full, the auditbin daemon reads the /etc/security/audit/bincmds file and delivers the bin records to the backend commands defined in the file. Each line of the /etc/security/audit/bincmds file contains one or more commands with input and output that can be piped together or redirected. The auditbin daemon searches each command for the $bin string and the $trail string and substitutes the path names of the current bin file and the system trail file for these strings.
The auditbin daemon ensures that each command encounters each bin at least once, but does not synchronize access to the bins. When all the commands have run, the bin file is ready to collect more audit records.
If a command is unsuccessful, the auditbin daemon stops delivering data records and sends a message to the /dev/tty device every 60 seconds until the root user or a member of the audit group stops the command.
Access Control: Execute (x) access to this command should be granted only to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base (TCB) attribute, because every backend command listed in /etc/security/audit/bincmds runs with the daemon's privileges.
Files Accessed:
Mode | File |
---|---|
r | /etc/security/audit/config |
r | /etc/security/audit/bincmds |
rw | Defined audit bins and trail file |
x | All audit bin processing commands |
Example /etc/security/audit/config stanzas for bin-mode collection, naming the bin files, the trail file, the bin size and the backend command file:

    start:
            binmode = on

    bin:
            trail = /audit/trail
            bin1 = /audit/bin1
            bin2 = /audit/bin2
            binsize = 25000
            cmds = /etc/security/audit/bincmds

Example /etc/security/audit/bincmds file (two command lines; the second is continued with a backslash):

    /usr/sbin/auditcat -p -o $trail $bin
    /usr/sbin/auditselect -e "event == USER_Login" \
    $bin | /usr/sbin/auditpr >> /etc/log

The first command line appends each bin, compressed by auditcat -p, to the audit trail file substituted for $trail. The second line selects the USER_Login records from each bin file, pipes them to the auditpr command for formatting, and appends the formatted records to the /etc/log file.
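The delivery loop described above, as an added example: a POSIX sh model that reads a bincmds-style file, joins backslash-continued lines, substitutes $bin and $trail textually, runs each logical line with the shell, and stops at the first failing backend. It is not AIX's auditbin source and it does not run the real auditcat, auditselect or auditpr backends; the helper names (subst, read_bincmds, deliver_bin, the run_*_demo functions), the three sample bin records, and the refusal of a group- or world-writable bincmds file are all assumptions of this example, not behaviour the page attributes to the daemon.

```shell
#!/bin/sh
# Added example: a POSIX sh model of the auditbin delivery loop described above.
# It is NOT the AIX auditbin source and does not run the real auditcat/auditselect/
# auditpr backends; the commands it runs come from a constructed bincmds-style file.

# subst STRING PATTERN REPLACEMENT
# Pure textual replacement of every occurrence of PATTERN (e.g. '$bin') in STRING,
# the way the daemon substitutes the bin and trail path names. No shell expansion
# happens here, so a path containing '&' or '|' is handled safely.
subst() {
    subst_s=$1 subst_out=
    while case $subst_s in *"$2"*) true ;; *) false ;; esac; do
        subst_out="$subst_out${subst_s%%"$2"*}$3"
        subst_s=${subst_s#*"$2"}
    done
    printf '%s\n' "$subst_out$subst_s"
}

# read_bincmds FILE
# Prints one logical command line per output line, joining lines that end in a
# backslash (as the auditselect line in the example above is continued).
read_bincmds() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next }
           print buf $0; buf = "" }
         END { if (buf != "") print buf }' "$1"
}

# bincmds_is_private FILE
# Added hardening check (an assumption of this example, not something the page
# states auditbin does): every line in bincmds runs with the daemon's root
# privileges, so refuse a file that group or others can modify.
bincmds_is_private() {
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# deliver_bin BINCMDS BIN TRAIL
# Runs each backend command line with $bin and $trail replaced. Returns 0 when every
# command succeeded; otherwise reports once and returns the first failing command's
# status without running the remaining lines (the real daemon keeps reporting on
# /dev/tty every 60 seconds; this model just stops).
deliver_bin() {
    bincmds_is_private "$1" || { echo "auditbin: refusing $1: writable by group or others" >&2; return 1; }
    read_bincmds "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        cmd=$(subst "$line" '$bin' "$2")
        cmd=$(subst "$cmd" '$trail' "$3")
        sh -c "$cmd" || { rc=$?; echo "auditbin: backend failed (rc=$rc): $cmd" >&2; exit "$rc"; }
    done
}

# run_demo DIR
# Normal case: a constructed bin of three fake records and a two-line bincmds file
# modelled on the one above (cat stands in for auditcat, grep for auditselect).
# Prints "<rc> <records in trail> <USER_Login records in login.log>".
run_demo() {
    d=$1; mkdir -p "$d"
    printf 'USER_Login root ok\nFILE_Open /etc/passwd\nUSER_Login alice fail\n' > "$d/bin1"
    : > "$d/trail"
    cat > "$d/bincmds" <<EOF
cat \$bin >> \$trail
grep USER_Login \\
\$bin >> $d/login.log
EOF
    chmod 644 "$d/bincmds"
    deliver_bin "$d/bincmds" "$d/bin1" "$d/trail" && rc=0 || rc=$?
    printf '%s %s %s\n' "$rc" "$(awk 'END { print NR }' "$d/trail")" \
        "$(awk 'END { print NR }' "$d/login.log")"
}

# run_failure_demo DIR
# Failure case: the first backend fails, so the second (a touch) must never run.
# Prints "<rc> <1 if the second command ran, else 0>".
run_failure_demo() {
    d=$1; mkdir -p "$d"
    : > "$d/bin1"; : > "$d/trail"
    printf 'false\ntouch %s/should_not_exist\n' "$d" > "$d/bincmds"
    chmod 644 "$d/bincmds"
    deliver_bin "$d/bincmds" "$d/bin1" "$d/trail" 2>/dev/null && rc=0 || rc=$?
    [ -e "$d/should_not_exist" ] && ran=1 || ran=0
    printf '%s %s\n' "$rc" "$ran"
}

# run_perm_demo DIR
# A world-writable bincmds is refused before anything in it runs; prints the verdict.
run_perm_demo() {
    d=$1; mkdir -p "$d"
    : > "$d/bin1"; : > "$d/trail"
    echo 'touch '"$d"'/ran_anyway' > "$d/bincmds"
    chmod 666 "$d/bincmds"
    if deliver_bin "$d/bincmds" "$d/bin1" "$d/trail" 2>/dev/null; then echo accepted
    elif [ -e "$d/ran_anyway" ]; then echo rejected-but-ran
    else echo rejected; fi
}

# Stand-alone run: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    run_demo "$t/ok"; run_failure_demo "$t/bad"; run_perm_demo "$t/perm"
    rm -rf "$t"
fi
```

Two points the model makes visible: substitution is textual, so the bin and trail paths are pasted into whatever command text sits in bincmds and then handed to a shell, which is why the file's ownership and mode matter as much as the daemon's own setuid bit; and a non-zero exit from any backend halts delivery of that bin, so a broken backend line silently stalls the audit trail until an operator notices the /dev/tty message.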
Files:
File | Description |
---|---|
/usr/sbin/auditbin | Specifies the path to the auditbin daemon. |
/audit/binx | Specifies the path to the default bin collection files, with x indicating the bin number. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/objects | Contains audit events for audited objects (files). |
/etc/security/audit/bincmds | Contains the auditbin backend commands. |
/etc/security/audit/streamcmds | Contains the auditstream commands. |
The audit command, auditcat command, auditconv command, auditpr command, auditselect command, auditstream command.
The audit subroutine, auditbin subroutine.
Auditing Overview in AIX 5L Version 5.2 Security Guide.
To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.2 Security Guide.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Standalone System Security in AIX 5L Version 5.2 Security Guide.