auditstream Command

Purpose

Creates a channel for reading audit records.

Syntax

auditstream [ -m ] [ -c Class ...]

Description

The auditstream command is part of the audit subsystem. This command reads audit records from the /dev/audit file (the audit device) and copies the records to standard output in binary format. You can select a subset of the audit records by specifying audit classes (defined in the /etc/security/audit/config file) with the -c flag; otherwise, all currently enabled audit classes are copied.

Audit stream data can be displayed and processed as it is generated. For example, the command output can be piped to an audit backend command for further processing or redirected to a file. Both the auditselect command, which selects data records according to defined criteria, and the auditpr command, which formats the records for viewing or for printing, are examples of backend commands.

The auditstream command can be called from the command line or be configured to run multiple times as part of the audit system configuration. For information on configuring the auditstream command, refer to "Setting up Auditing" in AIX® Version 7.1 Security and to the /etc/security/audit/config file.

Note: The auditstream command should be run in the background.

Flags

Item Description
-c Class Specifies the audit classes to be copied. Each class must be configured in the etc/security/audit/config file as a list of comma-separated audit events. The default value is all the currently enabled audit events.
-m Includes the processor ID, roles and privileges in each audit record.

Security

Access Control

This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed

Mode File
r /dev/audit

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To configure the stream collection of audit data when the audit system is initialized, add the following to the stream stanza of the /etc/security/audit/config file:
    cmds  =  /etc/security/audit/streamcmds
    Then add the following to the start stanza:
    streammode=on
    Next, add to the /etc/security/audit/streamcmds file all the stream commands that should be executed when the auditing system is initialized. For example:
    /usr/sbin/auditstream  -c  authentication  |  \
    /usr/sbin/auditpr  -v  >  /dev/console
     
    /usr/sbin/auditstream  |  /usr/sbin/auditselect  -e  \
    "result  ==  FAIL_ACCESS"  |  \
    /usr/sbin/auditpr  -t  2  -v  >  /dev/lpr2 
    The first command formats all records for events in the authentication class and writes them to the system console. The second command formats all records that resulted in an access denial and prints them on the printer /dev/lp2.
  2. To record audit stream events on a line printer, enter:
    /usr/sbin/auditstream  |  /usr/sbin/auditselect  -e  "event  ==  \
    USER_Login  ||  event  ==  USER_SU"    |  \
    /usr/sbin/auditpr  -v  >  /dev/lp0  &
    This command formats and writes all user login and su events to the line printer.

Files

Item Description
/usr/sbin/auditstream Specifies the path of the auditstream command.
/etc/rc Contains the system startup routines.
/dev/audit Specifies the audit device.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.
/etc/security/audit/streamcmds Contains auditstream commands.
/etc/security/audit/hosts Contains host and processor IDs.