Contains information about system audit events.
The /etc/security/audit/events file is an ASCII stanza file that contains information about audit events. The file contains just one stanza, auditpr, which lists all the audit events in the system. The stanza also contains formatting information that the auditpr command needs to write an audit tail for each event.
Each attribute in the stanza is the name of an audit event, with the following format:
AuditEvent = FormatCommand
The format command can have the following parameters:
| Parameter | Description |
|---|---|
| (empty) | The event has no tail. |
| printf Format | The tail is formatted according to the string supplied for the Format parameter. The %x symbols within the string indicate places for the audit trail to supply data. |
| Program -i n Arg ... | The tail is formatted by the program specified by the Program parameter. The -i n parameter is passed to the program as its first parameter, indicating that the output is to be indented by n spaces. Other formatting information can be specified with the Arg parameter. The audit event name is passed as the last parameter. The tail is written to the standard input of the program. |
| Format | Description |
|---|---|
| %A | Formatted output is similar to the aclget command. |
| %d | Formatted as a 32-bit signed decimal integer |
| %G | Formatted as a comma-separated list of group names or numerical identifiers. |
| %o | Formatted as 32-bit octal integer. |
| %P | Formatted output is similar to the pclget command. |
| %s | Formatted as a text string. |
| %T | Formatted as a text string giving include date and time with 6 significant digits for the seconds DD Mmm YYYY HH:MM:SS:mmmuuu). |
| %u | Formatted as a 32-bit unsigned integer. |
| %x | Formatted as a 32-bit hexidecimal integer. |
| %X | Formatted as a 32-bit hexidecimal integer with upper case letters. |
Access Control: This file should grant read (r) access to the root user and members of the audit group, and grant write (w) access only to the root user.
To format the tail of an audit record for new audit events, such as FILE_Open and PROC_Create, add format specifications like the following to the auditpr stanza in the /etc/security/audit/events file:
auditpr: FILE_Open = printf "flags: %d mode: %o \ fd: %d filename: %s" PROC_Create = printf "forked child process %d"
| /etc/security/audit/events | Specifies the path to the file. |
| /etc/security/audit/config | Contains audit system configuration information. |
| /etc/security/audit/objects | Contains information about audited objects. |
| /etc/security/audit/bincmds | Contains auditbin backend commands. |
| /etc/security/audit/streamcmds | Contains auditstream commands. |
The audit command, auditpr command.
Setting Up Auditing in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.
Auditing Overview and Security Administration in AIX 5L Version 5.2 System Management Concepts: Operating System and Devices.