Contains the audit events for audited objects (files).
The /etc/security/audit/objects file is an ASCII stanza file that contains information about audited objects (files). This file contains one stanza for each audited file. The stanza has a name equal to the path name of the file.
Each file attribute has the following format:
access_mode = "audit_event"
An audit-event name can be up to 15 bytes long; longer names are rejected. Valid access modes are read (r), write (w), and execute (x) modes. For directories, search mode is substituted for execute mode.
The objects (files) in the /etc/security/audit/objects file cannot be symbolic links.
If you are using bin mode auditing, the objects designated as bin1 and bin2 in the /etc/security/audit/config file cannot be listed in the /etc/security/audit/objects file.
Access Control: This file should grant read (r) access to the root user and members of the audit group and grant write (w) access only to the root user.
/etc/security/passwd:
r = "S_PASSWD_READ"
w = "S_PASSWD_WRITE"
These attributes generate an S_PASSWD_READ audit event each time the passwd file is read, and an S_PASSWD_WRITE audit event each time the file is opened for writing.
/wpars/wpar1/etc/security/passwd:
r = "WPAR1_PASSWD_RD"
w = "WPAR1_PASSWD_WR"
This stanza is parsed at audit start -@ <wpar1> time to enable object auditing for the /etc/security/passwd object of wpar1. These attributes generate a WPAR1_PASSWD_RD audit event each time the /wpars/wpar1/etc/security/passwd file is read, and generate a WPAR1_PASSWD_WR audit event each time the file is opened for writing.
Item | Description |
---|---|
/etc/security/audit/objects | Specifies the path to the file. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/bincmds | Contains auditbin backend commands. |
/etc/security/audit/streamcmds | Contains auditstream commands. |
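The rules stated above (access modes limited to r, w and x, event names of at most 15 bytes, no symbolic links, no bin1/bin2 files) can be checked before the file is put in place. The following Python linter is an added example, not part of the original documentation; the function name `lint_objects`, the `/home/demo/app.conf` stanza, the `/audit/bin1` and `/audit/bin2` paths standing in for the bin1/bin2 values from the config file, and the treatment of lines starting with `*` as comments are assumptions made for illustration.

```python
import os
import re

MAX_EVENT_BYTES = 15            # the page: longer event names are rejected
VALID_MODES = {"r", "w", "x"}   # x is search mode for directories
ATTR_RE = re.compile(r'^(\S+)\s*=\s*"([^"]*)"$')

def lint_objects(text, bin_files=(), islink=os.path.islink):
    """Return (line_no, message) findings for the text of an objects file."""
    findings, stanza = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):    # assumption: '*' marks a comment
            continue
        if line.endswith(":") and "=" not in line:
            stanza = line[:-1]                  # stanza name is the object path
            if stanza in bin_files:
                findings.append((no, f"{stanza}: bin1/bin2 file cannot be listed"))
            if islink(stanza):
                findings.append((no, f"{stanza}: object is a symbolic link"))
            continue
        m = ATTR_RE.match(line)
        if stanza is None or m is None:
            findings.append((no, f"unparseable line: {line!r}"))
            continue
        mode, event = m.group(1), m.group(2).strip()
        if mode not in VALID_MODES:
            findings.append((no, f"{stanza}: invalid access mode {mode!r}"))
        size = len(event.encode())
        if size > MAX_EVENT_BYTES:
            findings.append((no, f"{stanza}: event {event!r} is {size} bytes"))
    return findings

# Constructed input: the page's two stanzas, then two deliberately bad ones.
SAMPLE = '''\
/etc/security/passwd:
    r = "S_PASSWD_READ"
    w = "S_PASSWD_WRITE"
/wpars/wpar1/etc/security/passwd:
    r = "WPAR1_PASSWD_RD"
    w = "WPAR1_PASSWD_WR"
/home/demo/app.conf:
    w = "DEMO_USER_FILE_WR"
    a = "DEMO_APPEND"
/audit/bin1:
    w = "DEMO_BIN_WRITE"
'''

if __name__ == "__main__":
    print(*lint_objects(SAMPLE, {"/audit/bin1", "/audit/bin2"}), sep="\n")
```

The WPAR1_PASSWD_RD and WPAR1_PASSWD_WR names from the page are exactly 15 bytes, so they pass; the symbolic-link check only gives a meaningful answer when run on the host that holds the audited files.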