Setting Up Auditing to Monitor cron Events in AIX 4.x

Contents

This procedure is intended only for the configuration of auditing in stream mode and for the configuration of tracking the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to all levels of AIX Version 4.

Related documentation

Two files in the /etc/security/audit directory must be modified in order to monitor cron events. They are:

• /etc/security/audit/config: This ASCII stanza file contains audit system configuration information. It has five stanzas: start, bin, stream, classes, and users.
• /etc/security/audit/events: This ASCII stanza file contains information about audit events. It has just one stanza, auditpr, which lists all the audit events in the system. The stanza also contains formatting information that the auditpr command needs to write an audit trail for each event.

1. In the start stanza in the /etc/security/audit/config file, streammode should be set to ON and binmode should be set to OFF.

   The default setting of the bin and stream stanzas are:

       bin: 
                 trail = /audit/trail 
                 bin1 = /audit/bin1 
                 bin2 = /audit/bin2 
                 binsize = 10240 
                 cmds = /etc/security/audit/bincmds 
   stream: 
                 cmds = /etc/security/audit/streamcmds 
   

2. Group cron audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file. The CRON_Start and CRON_Finish events monitor cron job start and finish events. The following shows the cron audit class with every event that auditing can track.

   NOTE: The following is on one line, with no spaces between commas. This line or one similar may already be present in AIX Version 4.

   cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove, 
   CRON_Start,CRON_Finish 
   

3. To assign audit classes to an individual user, add a line to the users stanza of the /etc/security/audit/config file. Each line is in the form

       <user> = <audit class>, <audit class> 
   

   For example, to enable tracking of cron events from root's crontab table, enter:

       root = cron 
   

4. From the list in the /etc/security/audit/events file, select or add system activities (events) to be audited. The following is an example of the CRON_Start and CRON_Finish events:

   NOTE: These lines or something similar may already be present in AIX Version 4.

       CRON_Start = printf "event = %s cmd = %s time = %s" 
       CRON_Finish = printf "user = %s pid = %s time = %s" 
   

   The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.

   NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.

5. The output file for the cron report is specified in /etc/security/audit/streamcmds. The default setting for streamcmds is:

       /etc/auditstream | auditpr -v > /audit/stream.out & 
   

6. After the config and events files have been changed, auditing must be restarted so that it will be reinitialized with the new parameters. To restart auditing, enter:

       audit shutdown 
       audit start 
   

Recommended fixes

   APAR        AIX LEVEL
 IY08644        4.3.3