auditbin
Purpose
Manages bins of audit information.
Syntax
auditbin
Description
The auditbin daemon in the audit subsystem manages bin1 and bin2, temporary bin files that alternately collect audit event data. The command also delivers bins of data records to backend commands for processing.
As audit events occur, the operating system kernel writes a record to a bin file. When a bin file is full, the auditbin daemon reads the /etc/security/audit/bincmds file and delivers the bin records to the backend commands defined in the file. Each line of the /etc/security/audit/bincmds file contains one or more commands with input and output that can be piped together or redirected. The auditbin daemon searches each command for the $bin string and the $trail string and substitutes the path names of the current bin file and the system trail file for these strings.
The auditbin daemon ensures that each command encounters each bin at least once, but does not synchronize access to the bins. When all the commands have run, the bin file is ready to collect more audit records.
If a command is unsuccessful, the auditbin daemon stops delivering data records and sends a message to the /dev/tty device every 60 seconds until the root user or a member of the audit group stops the command.
Access Control
This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
Files Accessed
Mode | File |
---|---|
r | /etc/security/audit/config |
r | /etc/security/audit/bincmds |
rw | Defined audit bins and trail file |
x | All audit bin processing commands |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
The following /etc/security/audit/config stanzas turn on bin mode and define the trail file, the two bin files, the bin size and the backend command file:
```
start:
   binmode = on
bin:
   trail = /audit/trail
   bin1 = /audit/bin1
   bin2 = /audit/bin2
   binsize = 25000
   cmds = /etc/security/audit/bincmds
```
The following /etc/security/audit/bincmds file defines two backend command lines:
```
/usr/sbin/auditcat -p -o $trail $bin
/usr/sbin/auditselect -e "event == USER_Login" \
$bin | /usr/sbin/auditpr >> /etc/log
```
The first command line appends compressed audit bins to the audit trail file. The second line selects USER_Login records from each bin file, passes them to the auditpr command for formatting, and appends the records to the /etc/log file.
A bin stanza can also name a virtual log device:
```
bin:
   virtual_log = /dev/vlog0
```
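As an added example (not IBM code), the following Python parses the config bin stanza and the bincmds file shown above and applies the $bin/$trail substitution that the daemon description says auditbin performs before running each backend command. The file contents are constructed samples copied from the page's example; a command line that never mentions $bin is flagged, since the daemon would otherwise run it without ever handing it a bin.

```python
# Added example (not AIX code): parse the config 'bin' stanza and the bincmds
# file described above and apply the $bin/$trail substitution auditbin performs.
CONFIG = """start:
   binmode = on
bin:
   trail = /audit/trail
   bin1 = /audit/bin1
   bin2 = /audit/bin2
   binsize = 25000
   cmds = /etc/security/audit/bincmds
"""
BINCMDS = """/usr/sbin/auditcat -p -o $trail $bin
/usr/sbin/auditselect -e "event == USER_Login" \\
$bin | /usr/sbin/auditpr >> /etc/log
"""
def parse_config(text):
    """Return {stanza: {key: value}} from 'name:' stanzas of 'key = value' lines."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(":"):            # start of a stanza such as 'bin:'
            current = line[:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def parse_bincmds(text):
    """Join backslash-continued lines; each result is one backend command line."""
    cmds, buf = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):   # shell continuation: drop the backslash, keep going
            buf += raw.rstrip()[:-1]
        else:
            cmd, buf = (buf + raw).strip(), ""
            if cmd:
                cmds.append(cmd)
    return cmds

def expand(cmd, bin_path, trail_path):
    """Substitute $bin and $trail; a command that never names $bin would not see any bin."""
    if "$bin" not in cmd:
        raise ValueError("backend command does not reference $bin: " + cmd)
    return cmd.replace("$bin", bin_path).replace("$trail", trail_path)

def commands_for_bin(config_text, bincmds_text, which):
    """Expanded command lines auditbin would run once bin1 or bin2 ('which') is full."""
    b = parse_config(config_text)["bin"]
    return [expand(c, b[which], b["trail"]) for c in parse_bincmds(bincmds_text)]
```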
Files
Item | Description |
---|---|
/usr/sbin/auditbin | Specifies the path to the auditbin daemon. |
/audit/binx | Specifies the path to the default bin collection files, with x indicating the bin number. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/objects | Contains audit events for audited objects (files). |
/etc/security/audit/bincmds | Contains the auditbin backend commands. |
/etc/security/audit/streamcmds | Contains the auditstream commands. |