Contains audit system configuration information.
The /etc/security/audit/config file is an ASCII stanza file that contains audit system configuration information. This file contains five stanzas: start, bin, stream, classes, and users.
start Stanza
The start stanza contains the attributes used by the audit start command to initialize the audit system. The format follows:
start:
binmode = off | on | panic
streammode = off | on
The attributes are defined as follows:
Attribute | Definition |
---|---|
binmode | Controls whether bin collection, as defined in the bin stanza,
is used.
|
streammode | Controls whether stream data collection, as defined in the
file specified in the stream stanza (normally the /etc/security/audit/streamcmds file),
is configured at the start up of the audit system.
|
bin Stanza
bin:
trail = PathName
bin1 = PathName
bin2 = PathName
binsize = DecimalString
cmds = PathName
bytethreshold = DecimalString
eventthreshold = DecimalString
freespace = DecimalString
backuppath = DirectoryPath
backupsize = DecimalString
virtual_log = PathName
bincompact = off | on
Bin mode parameters are defined as follows:
Parameter | Definition |
---|---|
trail | Specifies the path name of the audit trail file. When this is defined, the auditbin daemon can substitute the path name of the audit trail file for the $trail string in the backend commands that it calls. |
bin1 | Specifies the path name that the auditbin daemon uses for its primary bin file. If the $bin string is the parameter value, the auditbin daemon substitutes the name of the current bin file. |
bin2 | Specifies the path name that the auditbin daemon uses for its secondary bin file. If the $bin string is the parameter value, the auditbin daemon substitutes the name of the current bin file. |
bincompact | Specifies if compact audit log mode should be enabled for the bin mode auditing. The two possible values are on and off. The default value is off. |
binsize | Specifies a decimal integer string that defines the threshold size (in bytes) of each audit bin. If the binsize parameter is set to 0, no bin switching will occur, and all bin collection will go to bin1. |
cmds | Specifies the path name of the file that contains the audit backend commands called by the auditbin daemon. The file contains command lines, each composed of one or more backend commands with input and output that can be piped together or redirected. See the description of the /etc/security/audit/bincmds file for more information. |
bytethreshold | Specifies the decimal integer string that defines the approximate number of bytes written to an audit bin before a synchronous update is performed. If the bytethreshold is set to 0, this function is disabled. Both bytethreshold and eventthreshold can be used simultaneously. |
eventthreshold | Specifies a decimal integer string that defines the maximum number of events written to an audit bin before a synchronous update is performed. If the eventthreshold is set to 0, this function is disabled. Both eventthreshold and bytethreshold can be used simultaneously. |
freespace | Specifies a decimal integer string that defines the recommended number of 512-byte free blocks in the file system where the audit trail file is located. If the free space of file system is below this value, audit generates a warning message through the syslog subsystem every time that the audit bin is switched. The default value is 65536 blocks (64 megabytes). The maximum possible value is 4194303 (about 2GB of free disk space). If this value is set to 0, no warning message is generated. If the valid backuppath is mentioned and free space of file system is below this value, auditcat will take the backup of the trail file in this path every time auditbin invokes the auditcat. |
backuppath | Specifies the absolute path name of the directory, where the backup of the trail file is need to be copied, when it reaches to backupsize. See the description of the auditcat command for more information. |
backupsize | Specifies a decimal integer string that defines the recommended number of 512-byte blocks in the trail file. If the trail file size is equal to or greater than this value, backup of the trail is taken. The default value is empty (backup is disable). The maximum possible value is 4194303 (about 2GB of free disk space). If this value is set to <=0 or any invalid value this parameter will be ignored. See the description of the auditcat command for more information. |
virtual_log | Specifies the path name for a virtual_log device. The virtual log facility can be used by the auditbin daemon to write audit records into an attached VIOS system. To enable the virtual_log device on a client LPAR, first configure the corresponding vlog device on attached VIOS system, and then specify a newly created device on a client (for example, /dev/vlog0 device can be specified). |
stream Stanza
The stream stanza contains the attributes that the audit start command uses to set up initial stream mode auditing. The format follows:
cmds = PathName
The PathName parameter identifies the file that contains the stream commands that are executed at the initialization of the audit system. These commands can use shell piping and redirection, but no substitution of path names is performed on $trail or $bin strings.
classes Stanza
The classes stanza defines audit classes (sets of audit events) to the system.
Each audit class name must be less than 16 characters and be unique on the system. Each class definition must be contained in a single line, with a new line acting as a delimiter between classes. The system supports up to 32 audit classes, with ALL as the last class. The audit events in the class must be defined in the /etc/security/audit/events file.
classes:
auditclass = auditevent, ...auditevent
users Stanza
The users stanza defines audit classes (sets of events) for each user. The classes are defined to the operating system kernel.
The format is as follows:
users:
UserName = auditclass, ... auditclass
Each UserName attribute must be the login name of a system user or the string default, and each auditclass parameter should be defined in the classes stanza.
To establish the audit activities for a user, use the chuser command with the auditclasses attribute.
WPARS Stanza
The WPARS stanza defines audit classes (sets of events) for each workload partition (WPAR). The classes are defined to the operating system kernel.
WPARS:
wpar_name = auditclass, ... auditclass
Access Control: This file should grant read (r) access to the root user and members of the audit group and write (w) access only to the root user.
Event | Information |
---|---|
AUD_CONFIG_WR | file name |
classes:
general = USER_SU,PASSWORD_Change,FILE_Unlink,
FILE_Link,FILE_Remove
system = USER_Change,GROUP_Change,USER_Create,
GROUP_Create
init = USER_Login, USER_Logout
These specific audit events and audit classes are described in "Setting Up Auditing" in AIX® Version 7.1 Operating system and device management.
chuser "auditclasses=general,init,system" dave
chuser "auditclasses=general,init" mary
These chuser commands
create the following lines in the users stanza of the /etc/security/audit/config file:
users:
dave=general,init,system
mary=general,init
This configuration includes dave,
the administrator of the system, and mary, an employee who updates
information. start:
binmode = on
streammode = off
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
The attribute values in the preceding stanza enable the audit system to collect bin files of data and store the records in a long-term audit trail.
start:
streammode = on
stream:
cmds = /etc/security/audit/streamcmds
WPARS:
wpar1 = general,tcpip,lvm
bin:
virtual_log = /dev/vlog0
Item | Description |
---|---|
/etc/security/audit/config | Specifies the path to the file. |
/etc/security/audit/objects | Contains audit events for audited objects. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/bincmds | Contains auditbin backend commands. |
/etc/security/audit/streamcmds | Contains auditstream commands. |