[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Commands Reference, Volume 1

auditstream Command

Purpose

Creates a channel for reading audit records.

Syntax

auditstream [ -m ] [ -c Class ...]

Description

The auditstream command is part of the audit subsystem. This command reads audit records from the /dev/audit file (the audit device) and copies the records to standard output in binary format. You can select a subset of the audit records by specifying audit classes (defined in the /etc/security/audit/config file) with the -c flag; otherwise, all currently enabled audit classes are copied.

Audit stream data can be displayed and processed as it is generated. For example, the command output can be piped to an audit backend command for further processing or redirected to a file. Both the auditselect command, which selects data records according to defined criteria, and the auditpr command, which formats the records for viewing or for printing, are examples of backend commands.

The auditstream command can be called from the command line or be configured to run multiple times as part of the audit system configuration. For information on configuring the auditstream command, refer to "Setting up Auditing" in AIX 5L Version 5.2 Security Guide and to the /etc/security/audit/config file.

Note: The auditstream command should be run in the background.

Flags

-c Class Specifies the audit classes to be copied. Each class must be configured in the etc/security/audit/config file as a list of comma-separated audit events. The default value is all the currently enabled audit events.
-m Includes the CPU ID in each audit record.

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode File
r /dev/audit

Examples

  1. To configure the stream collection of audit data when the audit system is initialized, add the following to the stream stanza of the /etc/security/audit/config file:

    cmds  =  /etc/security/audit/streamcmds

    Then add the following to the start stanza:

    streammode=on

    Next, add to the /etc/security/audit/streamcmds file all the stream commands that should be executed when the auditing system is initialized. For example:

    /usr/sbin/auditstream  -c  authentication  |  \
    /usr/sbin/auditpr  -v  >  /dev/console
     
    /usr/sbin/auditstream  |  /usr/sbin/auditselect  -e  \
    "result  ==  FAIL_ACCESS"  |  \
    /usr/sbin/auditpr  -t  2  -v  >  /dev/lpr2 

    The first command formats all records for events in the authentication class and writes them to the system console. The second command formats all records that resulted in an access denial and prints them on the printer /dev/lp2.

  2. To record audit stream events on a line printer, enter:

    /usr/sbin/auditstream  |  /usr/sbin/auditselect  -e  "event  ==  \
    USER_Login  ||  event  ==  USER_SU"    |  \
    /usr/sbin/auditpr  -v  >  /dev/lp0  &

    This command formats and writes all user login and su events to the line printer.

Files

/usr/sbin/auditstream Specifies the path of the auditstream command.
/etc/rc Contains the system startup routines.
/dev/audit Specifies the audit device.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.
/etc/security/audit/streamcmds Contains auditstream commands.
/etc/security/audit/hosts Contains host and CPU IDs.

Related Information

The audit command, auditcat command, auditconv command, auditpr command, auditselect command.

The auditbin daemon.

For general information on auditing, refer to Auditing Overview in AIX 5L Version 5.2 Security Guide.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Standalone System Security in AIX 5L Version 5.2 Security Guide.

To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.2 Security Guide.

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]