Contains auditstream commands.
The /etc/security/audit/streamcmds file is an ASCII template file that contains the stream mode commands that are invoked when the audit system is initialized. The path name of this file is defined in the stream stanza of the /etc/security/audit/config file.
This file contains command lines, each of which is composed of one or more commands with input and output that may be piped together or redirected. Although the commands usually are one or more of the audit system commands (auditcat, auditpr, and auditselect), this is not a requirement. The first command, however, should be the auditstream command.
When the audit system is initialized, the audit start command runs each command. No path name substitution is performed on $trail or $bin strings in the commands.
Access Control: This file should grant read (r) access to the root user and members of the audit group, and write (w) access to the root user only.
/usr/sbin/auditstream | /usr/sbin/auditselect -e \
"result == FAIL" | /usr/sbin/auditpr -v > /dev/lpr0
This command is useful for creating a hard-copy trail of system security violations.
/usr/sbin/auditstream -c authentication | \
/usr/sbin/auditpr -t0 -v > /dev/console
This command allows timely auditing of user authentication events.
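A lint for the rules stated above (each command line starts with auditstream, no $trail or $bin strings, write access for root only), as an added example that is not part of the AIX documentation. The function names are hypothetical, the sample file is constructed, and mode_ok assumes the access rule is realised as owner root, group audit, mode rw-r----- or stricter.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): lint a streamcmds file.
# Function names and the sample file contents are constructed for illustration.

# lint_streamcmds FILE: print one finding per line; succeed only if there are none.
lint_streamcmds() {
    n=0 findings=0
    # Plain `read` (no -r) joins backslash-continued lines like the shell does.
    while IFS= read line || [ -n "$line" ]; do
        cmd=${line#"${line%%[![:space:]]*}"}      # strip leading blanks
        [ -z "$cmd" ] && continue
        n=$((n + 1))
        first=${cmd%%[[:space:]|]*}               # first word of the pipeline
        if [ "${first##*/}" != auditstream ]; then
            echo "command $n: first command is '$first', not auditstream"
            findings=$((findings + 1))
        fi
        case $cmd in
            *'$trail'*|*'$bin'*)
                echo "command $n: \$trail/\$bin is not substituted in stream mode"
                findings=$((findings + 1)) ;;
        esac
    done < "$1"
    [ "$findings" -eq 0 ]
}

# mode_ok MODE OWNER GROUP: fields 1, 3 and 4 of `ls -l` output, e.g.
#   set -- $(ls -ld /etc/security/audit/streamcmds); mode_ok "$1" "$3" "$4"
# Assumption: the access rule means owner root, group audit, rw-r----- or stricter.
mode_ok() {
    case $1 in
        -r[w-]-[r-]-----*) ;;
        *) return 1 ;;
    esac
    [ "$2" = root ] && [ "$3" = audit ]
}

# Constructed sample: the page's two commands plus a bincmds-style line pasted by mistake.
sample=$(mktemp)
cat > "$sample" <<'EOF'
/usr/sbin/auditstream | /usr/sbin/auditselect -e \
"result == FAIL" | /usr/sbin/auditpr -v > /dev/lpr0
/usr/sbin/auditstream -c authentication | \
/usr/sbin/auditpr -t0 -v > /dev/console
/usr/sbin/auditcat -p -o $trail $bin
EOF
lint_streamcmds "$sample" || true
rm -f "$sample"
```

The last sample line produces two findings for command 3; the two commands taken from the page pass.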
Item | Description |
---|---|
/etc/security/audit/streamcmds | Specifies the path to the file. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/objects | Contains audit events for audited objects (files). |
/etc/security/audit/bincmds | Contains auditbin backend commands. |