Contains audit system configuration information.
The /etc/security/audit/config file is an ASCII stanza file that contains audit system configuration information. This file contains five stanzas: start, bin, stream, classes, and users.
The start stanza contains the attributes used by the audit start command to initialize the audit system. The format follows:
    start:
        binmode = off | on | panic
        streammode = off | on
The attributes are defined as follows:
The bin stanza contains the attributes used by the auditbin daemon to set up bin mode auditing. The format follows:
    bin:
        trail = PathName
        bin1 = PathName
        bin2 = PathName
        binsize = DecimalString
        cmds = PathName
        bytethreshold = DecimalString
        eventthreshold = DecimalString
        freespace = DecimalString
Bin mode parameters are defined as follows:
The stream stanza contains the attributes that the audit start command uses to set up initial stream mode auditing. The format follows:
    stream:
        cmds = PathName
The PathName parameter identifies the file that contains the stream commands that are executed at the initialization of the audit system. These commands can use shell piping and redirection, but no substitution of path names is performed on $trail or $bin strings.
The classes stanza defines audit classes (sets of audit events) to the system.
Each audit class name must be less than 16 characters and be unique on the system. Each class definition must be contained in a single line, with a new line acting as a delimiter between classes. The system supports up to 32 audit classes, with ALL as the last class. The audit events in the class must be defined in the /etc/security/audit/events file.
    classes:
        auditclass = auditevent, ...auditevent
The users stanza defines audit classes (sets of events) for each user. The classes are defined to the operating system kernel.
The format is as follows:
    users:
        UserName = auditclass, ... auditclass
Each UserName attribute must be the login name of a system user or the string default, and each auditclass parameter should be defined in the classes stanza.
To establish the audit activities for a user, use the chuser command with the auditclasses attribute.
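The classes and users rules above can be checked mechanically before the audit system is restarted. The following is an added example, not part of the AIX documentation: the names parse_stanzas and lint are hypothetical, the sample text is constructed from this page's example stanzas with three deliberate mistakes, and it assumes that the built-in ALL class counts toward the limit of 32 and that a leading * marks a comment line.

```python
# Constructed sample: this page's example stanzas plus three deliberate mistakes.
SAMPLE = """\
classes:
    general = USER_SU,PASSWORD_Change,FILE_Unlink,
        FILE_Link,FILE_Remove
    system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
    init = USER_Login,USER_Logout
    privileged_events = USER_SU
users:
    dave = general,init,system
    mary = general,network
"""

def parse_stanzas(text):
    """Return {stanza: [(attr, value)]}; attr is None for a line with no '='."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # assumed comment marker
            continue
        if line.endswith(":") and "=" not in line:
            current = stanzas.setdefault(line[:-1], [])
        elif current is not None:
            attr, sep, value = line.partition("=")
            current.append((attr.strip(), value.strip()) if sep else (None, line))
    return stanzas

def lint(text):
    """Apply the classes and users rules from the text; return a list of findings."""
    stanzas, findings = parse_stanzas(text), []
    classes = stanzas.get("classes", [])
    names = [name for name, _ in classes if name is not None]
    for name, value in classes:
        if name is None:
            findings.append(f"class definition wraps onto a second line: {value}")
        elif len(name) >= 16:
            findings.append(f"class name is not under 16 characters: {name}")
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"class defined more than once: {name}")
    # Assumption: ALL is built in and counts toward the limit of 32 classes.
    if len(set(names) - {"ALL"}) + 1 > 32:
        findings.append("more than 32 audit classes including ALL")
    for user, value in stanzas.get("users", []):
        for cls in filter(None, (c.strip() for c in value.split(","))):
            if user and cls != "ALL" and cls not in names:
                findings.append(f"user {user} references undefined class: {cls}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

On a real system, pass the contents of /etc/security/audit/config to lint; an empty list means none of the checked rules is violated.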
Access Control: This file should grant read (r) access to the root user and members of the audit group and write (w) access only to the root user.
Event | Information |
---|---|
AUD_CONFIG_WR | file name |
    classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Remove
        system = USER_Change,GROUP_Change,USER_Create,GROUP_Create
        init = USER_Login, USER_Logout
These specific audit events and audit classes are described in "Setting Up Auditing" in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.
    chuser "auditclasses=general,init,system" dave
    chuser "auditclasses=general,init" mary
These chuser commands create the following lines in the users stanza of the /etc/security/audit/config file:
    users:
        dave=general,init,system
        mary=general,init
This configuration includes dave, the administrator of the system, and mary, an employee who updates information.
    start:
        binmode = on
        streammode = off
    bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
The attribute values in the preceding stanza enable the audit system to collect bin files of data and store the records in a long-term audit trail.
    start:
        streammode = on
    stream:
        cmds = /etc/security/audit/streamcmds
/etc/security/audit/config | Specifies the path to the file. |
/etc/security/audit/objects | Contains audit events for audited objects. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/bincmds | Contains auditbin backend commands. |
/etc/security/audit/streamcmds | Contains auditstream commands. |
The audit command, auditbin daemon, chuser command.
The auditproc subroutine.
Setting Up Auditing in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.
Security Administration, Auditing Overview in AIX 5L Version 5.2 System Management Concepts: Operating System and Devices.