Creates a channel for reading audit records.
auditstream [ -m ] [ -c Class ...]
The auditstream command is part of the audit subsystem. This command reads audit records from the /dev/audit file (the audit device) and copies the records to standard output in binary format. You can select a subset of the audit records by specifying audit classes (defined in the /etc/security/audit/config file) with the -c flag; otherwise, all currently enabled audit classes are copied.
Audit stream data can be displayed and processed as it is generated. For example, the command output can be piped to an audit backend command for further processing or redirected to a file. Both the auditselect command, which selects data records according to defined criteria, and the auditpr command, which formats the records for viewing or for printing, are examples of backend commands.
The auditstream command can be called from the command line or be configured to run multiple times as part of the audit system configuration. For information on configuring the auditstream command, refer to "Setting up Auditing" in AIX 5L Version 5.2 Security Guide and to the /etc/security/audit/config file.
Note: The auditstream command should be run in the background.
Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
Files Accessed:
Mode | File
---|---
r | /dev/audit
To configure the auditing system to run stream commands, add the following to the stream stanza of the /etc/security/audit/config file:
```
cmds = /etc/security/audit/streamcmds
```
Then add the following to the start stanza:
```
streammode=on
```
Next, add to the /etc/security/audit/streamcmds file all the stream commands that should be executed when the auditing system is initialized. For example:
```
/usr/sbin/auditstream -c authentication | \
/usr/sbin/auditpr -v > /dev/console
/usr/sbin/auditstream | /usr/sbin/auditselect -e \
"result == FAIL_ACCESS" | \
/usr/sbin/auditpr -t 2 -v > /dev/lpr2
```
The first command formats all records for events in the authentication class and writes them to the system console. The second command formats all records that resulted in an access denial and prints them on the printer /dev/lp2.
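The following script is an added example and is not part of the AIX manual page or of the audit subsystem itself. It builds the stream-mode configuration described in the steps above (a start stanza with streammode on, a stream stanza whose cmds attribute names the streamcmds file, and a streamcmds file holding the two pipelines shown) in a scratch directory, then checks it before it would be put in place. The AUDIT_ROOT directory (a stand-in for /etc/security/audit), the stanza parser and the check function are this example's own assumptions; nothing here touches /etc or reads /dev/audit.

```shell
#!/bin/sh
# Added example, not AIX code: assemble and verify a stream-mode audit
# configuration in a scratch directory. AUDIT_ROOT stands in for
# /etc/security/audit (assumption); nothing below touches the real files.

AUDIT_ROOT="${AUDIT_ROOT:-$(mktemp -d)}"

# write_stream_config: create a config with streammode on in the start stanza
# and a stream stanza whose cmds attribute names the streamcmds file, then
# write the two pipelines from the manual page's example into streamcmds.
write_stream_config() {
    mkdir -p "$AUDIT_ROOT"
    cat > "$AUDIT_ROOT/config" <<EOF
start:
        streammode = on

stream:
        cmds = $AUDIT_ROOT/streamcmds
EOF
    # quoted delimiter so the trailing backslashes are written literally
    cat > "$AUDIT_ROOT/streamcmds" <<'EOF'
/usr/sbin/auditstream -c authentication | \
/usr/sbin/auditpr -v > /dev/console
/usr/sbin/auditstream | /usr/sbin/auditselect -e \
"result == FAIL_ACCESS" | \
/usr/sbin/auditpr -t 2 -v > /dev/lpr2
EOF
}

# stanza_attr STANZA ATTR: print the value of ATTR inside STANZA of the config
# file, accepting both "attr = value" and "attr=value" spellings.
stanza_attr() {
    awk -v st="$1:" -v at="$2" '
        $1 == st    { in_st = 1; next }          # entering the wanted stanza
        /^[^ \t]/   { in_st = 0 }                # any other unindented line ends it
        in_st       { line = $0; gsub(/[ \t]/, "", line)
                      if (index(line, at "=") == 1) print substr(line, length(at) + 2) }
    ' "$AUDIT_ROOT/config"
}

# join_continuations FILE: print logical lines, joining lines that end in "\"
# so that each pipeline in streamcmds becomes a single line.
join_continuations() {
    awk '{ if (sub(/\\$/, "")) { buf = buf $0; next } print buf $0; buf = "" }' "$1"
}

# count_stream_cmds: number of logical commands in the streamcmds file.
count_stream_cmds() {
    join_continuations "$AUDIT_ROOT/streamcmds" | awk 'END { print NR }'
}

# check_stream_config: return 0 only when stream mode is on, the stream stanza
# names an existing streamcmds file, and every non-blank logical line in it
# starts with /usr/sbin/auditstream (so each pipeline reads the audit device).
check_stream_config() {
    [ "$(stanza_attr start streammode)" = "on" ] \
        || { echo "streammode is not on in the start stanza" >&2; return 1; }
    cmds=$(stanza_attr stream cmds)
    [ -n "$cmds" ] && [ -f "$cmds" ] \
        || { echo "stream stanza does not name an existing cmds file" >&2; return 1; }
    bad=$(join_continuations "$cmds" \
          | awk 'NF && !/^\/usr\/sbin\/auditstream/ { n++ } END { print n + 0 }')
    [ "$bad" -eq 0 ] \
        || { echo "$bad stream command(s) do not start with auditstream" >&2; return 1; }
    return 0
}

write_stream_config
check_stream_config \
    && echo "stream configuration OK: $(count_stream_cmds) command(s) in $AUDIT_ROOT/streamcmds"
```

Run it as-is to see the two example pipelines accepted; point AUDIT_ROOT at a copy of a real configuration to check that copy the same way. The last check is the one worth keeping in a deployment script: a line in streamcmds that does not begin with auditstream is started by the audit subsystem just like the others, so it is easy to miss a stray command there.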
```
/usr/sbin/auditstream | /usr/sbin/auditselect -e "event == \
USER_Login || event == USER_SU" | \
/usr/sbin/auditpr -v > /dev/lp0 &
```
This command formats and writes all user login and su events to the line printer.
File | Description
---|---
/usr/sbin/auditstream | Specifies the path of the auditstream command.
/etc/rc | Contains the system startup routines.
/dev/audit | Specifies the audit device.
/etc/security/audit/config | Contains audit system configuration information.
/etc/security/audit/events | Contains the audit events of the system.
/etc/security/audit/objects | Contains audit events for audited objects (files).
/etc/security/audit/bincmds | Contains auditbin backend commands.
/etc/security/audit/streamcmds | Contains auditstream commands.
/etc/security/audit/hosts | Contains host and CPU IDs.
The audit command, auditcat command, auditconv command, auditpr command, auditselect command.
The auditbin daemon.
For general information on auditing, refer to Auditing Overview in AIX 5L Version 5.2 Security Guide.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Standalone System Security in AIX 5L Version 5.2 Security Guide.
To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.2 Security Guide.