
Files Reference

config File

Purpose

Contains audit system configuration information.

Description

The /etc/security/audit/config file is an ASCII stanza file that contains audit system configuration information. This file contains five stanzas: start, bin, stream, classes, and users.

start Stanza

The start stanza contains the attributes used by the audit start command to initialize the audit system. The format follows:

start:
 binmode = off | on | panic
 streammode = off | on

The attributes are defined as follows:

binmode
    Controls whether bin collection, as defined in the bin stanza, is used.

    off    Bin collection is not used. This is the default value.
    on     Bin collection is used. This value starts the auditbin daemon.
    panic  Bin collection is used. This value starts the auditbin daemon. If an
           audit record cannot be written to a bin, the kernel shuts down the
           operating system. Specify this mode for conditions during which the
           audit system must be working properly.

streammode
    Controls whether stream data collection, as defined in the file specified in the stream stanza (normally the /etc/security/audit/streamcmds file), is configured at the startup of the audit system.

    off    Stream data collection is not enabled. This is the default value.
    on     Stream data collection is enabled.

Note: If neither collection mode is defined, or if both modes are in the off state, only subsystem configuration is done.

bin Stanza

The bin stanza contains the attributes used by the auditbin daemon to set up bin mode auditing. The format follows:

bin:
  trail = PathName
  bin1 = PathName
  bin2 = PathName
  binsize = DecimalString
  cmds = PathName
  bytethreshold = DecimalString
  eventthreshold = DecimalString
  freespace = DecimalString

Bin mode parameters are defined as follows:

trail
    Specifies the path name of the audit trail file. When this is defined, the auditbin daemon can substitute the path name of the audit trail file for the $trail string in the backend commands that it calls.

bin1
    Specifies the path name that the auditbin daemon uses for its primary bin file. If the $bin string is the parameter value, the auditbin daemon substitutes the name of the current bin file.

bin2
    Specifies the path name that the auditbin daemon uses for its secondary bin file. If the $bin string is the parameter value, the auditbin daemon substitutes the name of the current bin file.

binsize
    Specifies a decimal integer string that defines the threshold size (in bytes) of each audit bin. If the binsize parameter is set to 0, no bin switching occurs, and all bin collection goes to bin1.

cmds
    Specifies the path name of the file that contains the audit backend commands called by the auditbin daemon. The file contains command lines, each composed of one or more backend commands whose input and output can be piped together or redirected. See the description of the /etc/security/audit/bincmds file for more information.

bytethreshold
    Specifies a decimal integer string that defines the approximate number of bytes written to an audit bin before a synchronous update is performed. If bytethreshold is set to 0, this function is disabled. bytethreshold and eventthreshold can be used simultaneously.

eventthreshold
    Specifies a decimal integer string that defines the maximum number of events written to an audit bin before a synchronous update is performed. If eventthreshold is set to 0, this function is disabled. eventthreshold and bytethreshold can be used simultaneously.

freespace
    Specifies a decimal integer string that defines the recommended number of 512-byte free blocks in the file system where the audit trail file is located. If the free space of the file system is below this value, audit generates a warning message through the syslog subsystem every time the audit bin is switched. The default value is 65536 blocks (64 megabytes). The maximum possible value is 4194303 (about 2GB of free disk space). If this value is set to 0, no warning message is generated.

stream Stanza

The stream stanza contains the attributes that the audit start command uses to set up initial stream mode auditing. The format follows:

stream:
  cmds = PathName

The PathName parameter identifies the file that contains the stream commands that are executed at the initialization of the audit system. These commands can use shell piping and redirection, but no substitution of path names is performed on $trail or $bin strings.

classes Stanza

The classes stanza defines audit classes (sets of audit events) to the system.

Each audit class name must be less than 16 characters and be unique on the system. Each class definition must be contained in a single line, with a new line acting as a delimiter between classes. The system supports up to 32 audit classes, with ALL as the last class. The audit events in the class must be defined in the /etc/security/audit/events file.

classes:
  auditclass = auditevent, ...auditevent

users Stanza

The users stanza defines audit classes (sets of events) for each user. The classes are defined to the operating system kernel.

The format is as follows:

users:
  UserName = auditclass, ... auditclass

Each UserName attribute must be the login name of a system user or the string default, and each auditclass parameter should be defined in the classes stanza.

To establish the audit activities for a user, use the chuser command with the auditclasses attribute.
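The stanza layout and the constraints stated above (binmode and streammode values, the freespace maximum, class-name length, the 32-class limit with ALL last, and users referring only to classes defined in the classes stanza) can be checked offline before a config file is put in place. The following validator is an added example, not IBM's code. It assumes the layout of the examples on this page: a line of the form `name:` opens a stanza, indented `attr = value` lines belong to it, a value ending in a comma continues on the next line, and lines beginning with `*` are comments. Treating bin1, bin2 and cmds as required when bin collection is on is also this example's assumption; the page does not list required attributes. The two sample configurations are constructed from Examples 1 to 4.

```python
"""Parse and sanity-check an AIX-style /etc/security/audit/config stanza file.
Added example, not IBM's code; layout and 'required attribute' rules are assumptions."""
import re

STANZA_RE = re.compile(r"^(\w+):\s*$")
MAX_CLASSES, MAX_CLASS_NAME, MAX_FREESPACE = 32, 16, 4194303

# Constructed sample assembled from Examples 1 to 4 on this page.
SAMPLE_CONFIG = """\
* audit configuration (constructed sample)
start:
        binmode = on
        streammode = off
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,
                FILE_Link,FILE_Remove
        system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
        init = USER_Login, USER_Logout
users:
        dave = general,init,system
        mary = general,init
"""

# Constructed sample that violates several rules stated on this page.
BAD_CONFIG = """\
start:
        binmode = panic
        streammode = yes
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        binsize = 0
        freespace = 9999999
classes:
        administrative_ops = USER_Change,GROUP_Change
        init = USER_Login
users:
        dave = general,init
"""


def parse_config(text):
    """Return {stanza: {attribute: value}}. Duplicate attributes (for example two
    classes with the same name) are rejected, which enforces class uniqueness."""
    stanzas, current, last_attr = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                                   # blank or comment line
        match = STANZA_RE.match(line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
            last_attr = None
        elif current is None:
            raise ValueError(f"attribute outside any stanza: {raw!r}")
        elif "=" in line:
            attr, value = (part.strip() for part in line.split("=", 1))
            if attr in current:
                raise ValueError(f"duplicate attribute {attr!r}")
            current[attr] = value
            last_attr = attr
        elif last_attr is not None and current[last_attr].endswith(","):
            current[last_attr] += line                 # continuation of a comma list
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return stanzas


def split_list(value):
    """Split 'a, b,c' into ['a', 'b', 'c'], ignoring empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_config(cfg):
    """Return (severity, message) findings for the rules described on this page."""
    out = []
    start, bin_, classes, users = (cfg.get(s, {}) for s in ("start", "bin", "classes", "users"))
    binmode, streammode = start.get("binmode", "off"), start.get("streammode", "off")
    if binmode not in ("off", "on", "panic"):
        out.append(("error", f"start: binmode must be off, on or panic, got {binmode!r}"))
    if streammode not in ("off", "on"):
        out.append(("error", f"start: streammode must be off or on, got {streammode!r}"))
    if binmode == "off" and streammode == "off":
        out.append(("warn", "start: both modes off, only subsystem configuration is done; no records are collected"))
    if binmode in ("on", "panic"):
        for attr in ("bin1", "bin2", "cmds"):          # assumed required for auditbin
            if attr not in bin_:
                out.append(("error", f"bin: {attr} is required when binmode = {binmode}"))
        if bin_.get("binsize") == "0":
            out.append(("warn", "bin: binsize = 0 disables bin switching; all collection goes to bin1"))
        freespace = bin_.get("freespace")
        if freespace is not None and (not freespace.isdigit() or int(freespace) > MAX_FREESPACE):
            out.append(("error", f"bin: freespace must be a decimal 0..{MAX_FREESPACE}"))
        elif freespace == "0":
            out.append(("warn", "bin: freespace = 0 suppresses low free-space warnings"))
    names = list(classes)
    if len(names) > MAX_CLASSES:
        out.append(("error", f"classes: {len(names)} classes defined, maximum is {MAX_CLASSES}"))
    if "ALL" in names and names[-1] != "ALL":
        out.append(("error", "classes: ALL must be the last class"))
    for name in names:
        if len(name) >= MAX_CLASS_NAME:
            out.append(("error", f"classes: {name!r} is not less than {MAX_CLASS_NAME} characters"))
    for user, value in users.items():
        for cls in split_list(value):
            if cls not in classes and cls != "ALL":
                out.append(("error", f"users: {user} references undefined class {cls!r}"))
    return out
```

Running `check_config(parse_config(SAMPLE_CONFIG))` yields no findings; the same call on `BAD_CONFIG` reports the invalid streammode value, the missing bin2 and cmds attributes, the out-of-range freespace, the over-long class name and dave's reference to the undefined class general, plus a warning that binsize = 0 sends everything to bin1. Whether an event named in a class actually exists is not checked here, since that requires the /etc/security/audit/events file.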

Security

Access Control: This file should grant read (r) access to the root user and members of the audit group and write (w) access only to the root user.
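A quick way to verify that an installed config file matches this access-control rule is to compare its owner, group and permission bits against it. The following check is an added example, not part of the AIX documentation; the group name `audit` is taken from this page, while the use of pwd/grp lookups and the specific messages are this example's assumptions.

```python
"""Check the owner, group and mode of the audit config file against the rule on
this page: read for root and the audit group, write for root only.
Added example, not part of the AIX documentation."""
import os
import stat


def check_config_access(mode, owner, group, audit_group="audit"):
    """Return a list of findings for the given permission bits and owner/group names."""
    findings = []
    if owner != "root":
        findings.append(f"owned by {owner}, expected root")
    if group != audit_group:
        findings.append(f"group is {group}, expected {audit_group}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others; only root should have write access")
    if not mode & stat.S_IRGRP:
        findings.append("group read bit not set; audit group members cannot read the file")
    if mode & stat.S_IROTH:
        findings.append("readable by others; read access should be limited to root and the audit group")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bits set on a configuration file")
    return findings


def check_config_file(path="/etc/security/audit/config", audit_group="audit"):
    """Live check of a file on the local host (needs a POSIX system with pwd/grp)."""
    import grp
    import pwd
    st = os.stat(path)
    return check_config_access(
        stat.S_IMODE(st.st_mode),
        pwd.getpwuid(st.st_uid).pw_name,
        grp.getgrgid(st.st_gid).gr_name,
        audit_group,
    )
```

A file with mode 640, owner root and group audit produces no findings; 644 is flagged as readable by others, and 600 owned by root:root is flagged twice (wrong group and no group read bit), since the audit group could not read it.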

Event Information

AUD_CONFIG_WR    file name

Examples

  1. To define audit classes, add a line to the classes stanza of the /etc/security/audit/config file for each set of events that you want to assign to a class:
    classes:
      general = USER_SU,PASSWORD_Change,FILE_Unlink,
        FILE_Link,FILE_Remove
      system = USER_Change,GROUP_Change,USER_Create,
        GROUP_Create
      init = USER_Login, USER_Logout

    These specific audit events and audit classes are described in "Setting Up Auditing" in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.

  2. To establish the audit activities for each user, use the chuser command with the auditclasses attribute for each user for whom you want to define audit classes (sets of audit events):

    chuser "auditclasses=general,init,system" dave
    chuser "auditclasses=general,init" mary

    These chuser commands create the following lines in the users stanza of the /etc/security/audit/config file:

    users:
     dave=general,init,system
     mary=general,init  

    This configuration includes dave, the administrator of the system, and mary, an employee who updates information.

  3. To enable the auditing system, turn on bin data collection, and turn off initial stream data collection, add the following to the start stanza of the /etc/security/audit/config file:

    start:
      binmode = on
      streammode = off

  4. To enable the auditbin daemon to set up bin collection, add attributes to the bin stanza of the /etc/security/audit/config file:

    bin:
      trail = /audit/trail
      bin1 = /audit/bin1
      bin2 = /audit/bin2
      binsize = 25000
      cmds = /etc/security/audit/bincmds

    The attribute values in the preceding stanza enable the audit system to collect bin files of data and store the records in a long-term audit trail.

  5. To enable the auditbin daemon to set up stream collection, add lines to the start and stream stanzas of the /etc/security/audit/config file:

    start:
      streammode = on
    stream:
      cmds = /etc/security/audit/streamcmds

Files

/etc/security/audit/config Specifies the path to the file.
/etc/security/audit/objects Contains audit events for audited objects.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/bincmds Contains auditbin backend commands.
/etc/security/audit/streamcmds Contains auditstream commands.

Related Information

The audit command, auditbin daemon, chuser command.

The auditproc subroutine.

Setting Up Auditing in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.

Security Administration, Auditing Overview in AIX 5L Version 5.2 System Management Concepts: Operating System and Devices.
