Controls system auditing.
The audit command controls system auditing through several keywords. You must include one keyword each time you enter the command. The start keyword and the shutdown keyword start and stop the auditing system and reset the system configuration. The off keyword and the on keyword suspend and restart the audit system without affecting the system configuration. The query keyword lets you query the current status.
The auditing system follows the instructions established in the following configuration files:
The -@ option is not supported when you run it in a WPAR.
Item | Description |
---|---|
start | Starts the audit subsystem. This keyword reads the instructions in the configuration files and performs the following tasks: |
shutdown | Terminates the collection of audit records and resets the configuration information by removing the definition of classes from the kernel tables. All the audit records are flushed from the kernel buffers into the bin files or audit streams, according to the specifications for the backend commands, which are contained in the /etc/security/audit/bincmds file for binmode auditing, and in the /etc/security/audit/streamcmds file for streammode auditing. The collection of audit data stops until you give the next audit start command. When you use the -@ wparname parameter with this keyword, auditing is disabled for the specified WPAR. |
off | Suspends the auditing system, but leaves the configuration valid. Data collection pauses until you give the audit on command. The -@ option is not supported with this keyword. |
on [panic \| fullpath] | Restarts the auditing system after a suspension, if the system is properly configured (for example, if the audit start command was used initially and the configuration is still valid). If auditing has already started when the command is given, only bin data collection can be changed. The -@ option is not supported with this keyword. If you specify the panic option, the system halts abruptly if bin data collection is enabled but cannot be written to a bin file. The panic option is not supported when you run it in a WPAR. If you specify the fullpath option, the FILE_Open, FILE_Read and FILE_Write auditing events capture the full path name of a file. |
query | Queries the auditing status of the audit subsystem. If you specify the -@ option, this keyword queries the auditing status of a WPAR started from the global WPAR. This keyword displays the current status of the audit subsystem in the following format: |
Access Control
This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
Files Accessed
Mode | File |
---|---|
r | /etc/security/audit/config |
r | /etc/security/audit/objects |
x | /usr/sbin/auditbin |
x | /usr/sbin/auditstream |
Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
/usr/sbin/audit start 1>&- 2>&-

The audit process starts, as configured, each time the system is initialized.

/usr/sbin/audit start -@ wpar1

/usr/sbin/audit shutdown

Data collection stops until the audit start command is specified again. The configuration of classes in the operating system kernel is lost.

Note: The audit shutdown command should be in the /etc/shutdown file as well.

/usr/sbin/audit shutdown -@ wpar1

Data collection stops until the audit start -@ wpar1 command is specified again. The configuration of classes in the operating system kernel is lost.

Remember: The audit shutdown command, without any options, shuts down the auditing process of all WPARs started from the global WPAR.

/usr/sbin/audit off

/usr/sbin/audit on

The suspended state ends and audit records are generated again, as long as the system is configured correctly.

/usr/sbin/audit query

The following is an example of an audit query status message:

auditing on
bin manager is process number 123
audit events:
authentication- USER_Login, USER_Logout
administration- USER_Create, GROUP_Create
audit objects:
/etc/security/passwd :
r = AUTH_Read
/etc/security/passwd :
w = AUTH_Write

The query informs you that audit records are written when the specified users log in or log out, when the specified administrators create a user or a group, and when the system receives an authorized read or write instruction for the /etc/security/passwd file.

Item | Description |
---|---|
/etc/security/audit/bincmds | Contains shell commands for processing audit bin data. |
/etc/security/audit/config | Contains audit configuration information. |
/etc/security/audit/events | Lists the audit events and their tail format specifications. |
/etc/security/audit/objects | Lists the audit events for each file (object). |
/etc/security/audit/streamcmds | Contains auditstream commands. |
/etc/rc | Contains the system initialization commands. |
/usr/sbin/audit | Contains the path of the audit command. |
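The status message shown in the audit query example above can be checked by a script rather than by eye. The following is an added example, not from the AIX documentation: it parses a constructed sample of audit query output with awk and confirms that auditing is on and that an assumed baseline (the USER_Login event and writes to /etc/security/passwd) is being audited.

```shell
#!/bin/sh
# Added example, not part of the AIX documentation: check "audit query" output
# against an expected baseline. SAMPLE_QUERY is a constructed sample in the
# format shown above; on a real host feed it "$(/usr/sbin/audit query)" instead.

SAMPLE_QUERY='auditing on
bin manager is process number 123
audit events:
authentication- USER_Login, USER_Logout
administration- USER_Create, GROUP_Create
audit objects:
/etc/security/passwd :
r = AUTH_Read
/etc/security/passwd :
w = AUTH_Write'

# audit_state OUTPUT: prints "on", "off" or "unknown" from the first status line.
audit_state() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "auditing" { print $2; found = 1 }
                              END { if (!found) print "unknown" }'
}

# has_event OUTPUT EVENT: exit 0 if EVENT is listed under "audit events:".
has_event() {
    printf '%s\n' "$1" | awk -v ev="$2" '
        /^audit events:/  { in_ev = 1; next }
        /^audit objects:/ { in_ev = 0 }
        in_ev { sub(/^[^-]*- */, ""); n = split($0, names, /, */)
                for (i = 1; i <= n; i++) if (names[i] == ev) found = 1 }
        END { exit(found ? 0 : 1) }'
}

# has_object_mode OUTPUT OBJECT MODE: exit 0 if OBJECT is audited for MODE (r/w/x).
has_object_mode() {
    printf '%s\n' "$1" | awk -v obj="$2" -v mode="$3" '
        /^audit objects:/ { in_obj = 1; next }
        in_obj && / :$/   { cur = $1; next }
        in_obj && $1 == mode && cur == obj { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# audit_baseline_ok OUTPUT: auditing on, logins audited, passwd writes audited.
audit_baseline_ok() {
    [ "$(audit_state "$1")" = "on" ] || return 1
    has_event "$1" USER_Login || return 1
    has_object_mode "$1" /etc/security/passwd w || return 1
}

audit_baseline_ok "$SAMPLE_QUERY" && echo "sample: baseline met" || echo "sample: baseline NOT met"
```

For a WPAR, pass the output of audit query -@ wparname instead of the global query.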