auditbin Daemon
Purpose
Manages bins of audit information.
Syntax
auditbin
Description
The auditbin daemon in the audit subsystem manages bin1 and bin2, temporary bin files that alternately collect audit event data. The command also delivers bins of data records to backend commands for processing.
As audit events occur, the operating system kernel writes a record to a bin file. When a bin file is full, the auditbin daemon reads the /etc/security/audit/bincmds file and delivers the bin records to the backend commands defined in the file. Each line of the /etc/security/audit/bincmds file contains one or more commands with input and output that can be piped together or redirected. The auditbin daemon searches each command for the $bin string and the $trail string and substitutes the path names of the current bin file and the system trail file for these strings.
The auditbin daemon ensures that each command encounters each bin at least once, but does not synchronize access to the bins. When all the commands have run, the bin file is ready to collect more audit records.
If a command is unsuccessful, the auditbin daemon stops delivering data records and sends a message to the /dev/tty device every 60 seconds until the root user or a member of the audit group stops the command.
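The delivery loop described above, as an added shell example that is not part of this manual page or of the AIX auditbin source: it emulates the contract auditbin imposes on /etc/security/audit/bincmds (one backend command per line, a trailing backslash continuing a command on the next line, $bin and $trail replaced by the current bin and trail paths, delivery stopping at the first command that fails) so a backend command line can be exercised outside the audit subsystem. Because every line of bincmds runs with the daemon's root privileges, the example also refuses a bincmds file that is group- or world-writable. The function names, the constructed sample records, and the use of cat and grep in place of auditcat and auditselect (which exist only on AIX) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: emulates how auditbin consumes /etc/security/audit/bincmds.
# Not the auditbin source. Function names are hypothetical; $bin and $trail
# are passed in the child shell's environment, which for plain path names
# gives the same result as auditbin's literal string substitution.

# Return 0 if the bincmds file exists and is neither group- nor
# world-writable. Each line in it runs as root, so a writable bincmds is
# arbitrary code execution as root, whatever the audit policy says.
bincmds_is_safe() {
    f=$1
    [ -f "$f" ] || return 1
    bad=$(find "$f" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    [ -z "$bad" ]
}

# Deliver one bin to every backend command line in a bincmds file.
# A trailing backslash continues a command on the next line, blank lines
# and '#' comments are skipped, and processing stops at the first command
# that exits non-zero (auditbin likewise stops delivering bins).
# Returns 0 if every command succeeded, otherwise 1.
run_bincmds() {
    cmds=$1 binfile=$2 trailfile=$3
    cmd='' n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *\\) cmd="$cmd${line%\\} "; continue ;;   # continued on next line
        esac
        cmd="$cmd$line"
        case $cmd in
            ''|'#'*) cmd=''; continue ;;
        esac
        # stdin is /dev/null so a backend that reads stdin cannot swallow
        # the rest of the bincmds file this loop is reading.
        if ! bin="$binfile" trail="$trailfile" sh -c "$cmd" </dev/null; then
            echo "bincmds: command ending at line $n failed: $cmd" >&2
            return 1
        fi
        cmd=''
    done < "$cmds"
    if [ -n "$cmd" ]; then
        echo "bincmds: unterminated line continuation at end of file" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration on constructed records (not real audit data).
# cat and grep stand in for auditcat and auditselect.
demo() {
    work=$(mktemp -d) || return 1
    printf '%s\n' \
        'USER_Login root pts/0 OK' \
        'FILE_Open root /etc/passwd OK' \
        'USER_Login alice pts/1 FAIL' > "$work/bin1"
    : > "$work/trail"
    cat > "$work/bincmds" <<EOF
# append the bin to the trail, then extract login events
cat \$bin >> \$trail
grep USER_Login \\
    \$bin >> $work/login.log
EOF
    chmod 640 "$work/bincmds"
    bincmds_is_safe "$work/bincmds" || { echo "refusing unsafe bincmds" >&2; return 1; }
    run_bincmds "$work/bincmds" "$work/bin1" "$work/trail" || return 1
    echo "trail now holds $(wc -l < "$work/trail" | tr -d ' ') records,"
    echo "login.log holds $(wc -l < "$work/login.log" | tr -d ' ') USER_Login records"
    rm -rf "$work"
}

demo
```

Running the script prints 3 trail records and 2 USER_Login records. The same two functions can be pointed at a real /etc/security/audit/bincmds and a copy of a bin file to check that a new backend line behaves before it is put in front of the daemon, which would otherwise stop delivering bins on the first failure.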
Security
Access Control
This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
Files Accessed
Mode | File |
---|---|
r | /etc/security/audit/config |
r | /etc/security/audit/bincmds |
rw | Defined audit bins and trail file |
x | All audit bin processing commands |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
- To configure the auditbin daemon, edit the start and bin stanzas of the /etc/security/audit/config file to include the following attribute definitions:

        start:
                binmode = on

        bin:
                trail = /audit/trail
                bin1 = /audit/bin1
                bin2 = /audit/bin2
                binsize = 25000
                cmds = /etc/security/audit/bincmds
- To define the commands that process the audit trail, edit the /etc/security/audit/bincmds file to include one or more command lines, such as the following:

        /usr/sbin/auditcat -p -o $trail $bin
        /usr/sbin/auditselect -e "event == USER_Login" \
                $bin | /usr/sbin/auditpr >> /etc/log

The first command line appends compressed audit bins to the audit trail file. The second line selects USER_Login records from each bin file, passes them to the auditpr command for formatting, and appends the records to the /etc/log file.
- To enable virtual logs in the auditbin daemon for capturing audit records in a centralized place, such as a Virtual I/O Server (VIOS) system, add the following attribute to the bin stanza of the /etc/security/audit/config file:

        bin:
                virtual_log = /dev/vlog0
Note: The /dev/vlog0 device path is an example. The real device name might be different on each client logical partition (LPAR), based on how the virtual logs are configured from an attached VIOS system.
Files
Item | Description |
---|---|
/usr/sbin/auditbin | Specifies the path to the auditbin daemon. |
/audit/binx | Specifies the path to the default bin collection files, with x indicating the bin number. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/objects | Contains audit events for audited objects (files). |
/etc/security/audit/bincmds | Contains the auditbin backend commands. |
/etc/security/audit/streamcmds | Contains the auditstream commands. |