objects File
Purpose
Contains the audit events for audited objects (files).
Description
The /etc/security/audit/objects file is an ASCII stanza file that contains information about audited objects (files). This file contains one stanza for each audited file. The stanza has a name equal to the path name of the file.
Each file attribute has the following format:
access_mode = "audit_event"
An audit-event name can be up to 15 bytes long; longer names are rejected. Valid access modes are read (r), write (w), and execute (x) modes. For directories, search mode is substituted for execute mode.
The objects (files) in the /etc/security/audit/objects file cannot be symbolic links.
If you are using bin mode auditing, the objects designated as bin1 and bin2 in the /etc/security/audit/config file cannot be listed in the /etc/security/audit/objects file.
Security
Access Control: This file should grant read (r) access to the root user and members of the audit group and grant write (w) access only to the root user.
Examples
- To define the audit events for the /etc/security/passwd file, add a stanza to the /etc/security/audit/objects file.
  For example:

      /etc/security/passwd:
              r = "S_PASSWD_READ"
              w = "S_PASSWD_WRITE"

  These attributes generate a S_PASSWD_READ audit event each time the passwd file is read, and a S_PASSWD_WRITE audit event each time the file is opened for writing.
- To define the audit events for the /wpars/wpar1/etc/security/passwd file, add a stanza to the /etc/security/audit/objects file in the AIX® system that is hosting the WPAR.
  For example:

      /wpars/wpar1/etc/security/passwd:
              r = "WPAR1_PASSWD_RD"
              w = "WPAR1_PASSWD_WR"

  This stanza is parsed at audit start -@ <wpar1> time to enable object auditing for the /etc/security/passwd object of wpar1. These attributes generate a WPAR1_PASSWD_RD audit event each time the /wpars/wpar1/etc/security/passwd file is read, and generate a WPAR1_PASSWD_WR audit event each time the file is opened for writing.
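The rules in the Description (access modes limited to r, w and x, event names of at most 15 bytes, no symbolic links, no bin1/bin2 files) can be checked before the file is put in place. The following Python linter is an added example, not part of the AIX documentation or tooling; the name lint_objects, the treatment of lines starting with * as comments, and the bin paths passed in are assumptions, and the sample stanzas are constructed.

```python
import os
import re

STANZA = re.compile(r'^(\S+):\s*$')                  # "/path/to/file:"
ATTR = re.compile(r'^\s*(\S+)\s*=\s*"([^"]*)"\s*$')  # mode = "EVENT"
MAX_EVENT_BYTES = 15           # limit stated on this page
VALID_MODES = {"r", "w", "x"}  # x stands for search on directories

def lint_objects(text, bin_paths=(), is_symlink=os.path.islink):
    """Return (line_number, message) findings for an objects file."""
    findings, current = [], None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("*"):
            continue  # blank line or '*' comment (assumed comment syntax)
        m = STANZA.match(line)
        if m:
            current = m.group(1)
            if is_symlink(current):
                findings.append((n, f"{current}: object is a symbolic link"))
            if current in bin_paths:
                findings.append((n, f"{current}: bin1/bin2 file cannot be listed"))
            continue
        m = ATTR.match(line)
        if not m:
            findings.append((n, "unparseable line"))
        elif current is None:
            findings.append((n, "attribute outside any stanza"))
        else:
            mode, event = m.groups()
            if mode not in VALID_MODES:
                findings.append((n, f"{current}: invalid access mode {mode!r}"))
            if len(event.encode()) > MAX_EVENT_BYTES:
                findings.append((n, f"{current}: event {event!r} exceeds 15 bytes"))
    return findings

# Constructed sample, not taken from a real system.
SAMPLE = '''\
/etc/security/passwd:
        r = "S_PASSWD_READ"
        w = "S_PASSWD_WRITE"
/etc/security/group:
        w = "S_GROUP_WRITE_EVENT"
        a = "S_GROUP_APPEND"
/audit/bin1:
        w = "BIN1_WRITE"
'''

if __name__ == "__main__":
    print(lint_objects(SAMPLE, bin_paths={"/audit/bin1"}))
```

The caller supplies bin_paths from the bin1 and bin2 values in /etc/security/audit/config; the symbolic-link check uses the local file system unless is_symlink is overridden.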
Files
Item | Description |
---|---|
/etc/security/audit/objects | Specifies the path to the file. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/bincmds | Contains auditbin backend commands. |
/etc/security/audit/streamcmds | Contains auditstream commands. |