auditcat Command

Purpose

Writes bins of audit records.

Syntax

auditcat [ -p | -u ] [ -s size ] [ -d pathname ] [ -o OutFile ] [ -r ] [ InFile ]

Description

The auditcat command is part of the audit subsystem, and is one of several backend commands that process the audit data records.

The auditcat command reads bin files of audit records from standard input or from the file specified by the InFile parameter. The command then processes the records and writes its output to standard output or to the file specified by the OutFile parameter. The output can be compressed or not, depending on the flag selected.

One major use of the command is appending compressed bin files to the end of the system audit trail file.

If the /etc/security/audit/bincmds file includes $bin as the input file, input comes from the current bin file, bin1 or bin2. If the /etc/security/audit/bincmds file includes $trail as the output file, the records are written to the end of the system audit trail file.

If a bin file is not properly formed with a valid header and tail, an error is returned. See the auditpr command for information about audit headers and tails and the auditbin command for information on error recovery.

If the -s flag is specified with a valid value, auditcat takes a backup of the trail file once the trail exceeds that size and reduces the trail file to zero size. If a pathname is provided with the -d flag, the backup file is copied into that directory. The backup file name has the format trail.YYYYMMDDThhmmss.<random number>. If the space available in the /audit file system is less than the freespace value set in /etc/security/audit/config, and the -d flag is specified with a valid path parameter, auditcat also takes a backup of the trail file to that path. To see the output of the different trail files, use the auditmerge command.

Flags

Item Description
-o OutFile Specifies the audit trail file to which the auditcat command writes records. If you specify $trail as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system audit trail file.
-p Specifies that the bin files be compressed (packed) upon output. The default value specifies that the bins not be compressed.
-r Requests recovery procedures. File names for both the InFile and OutFile parameters must be specified for recovery to occur, so the command syntax must be auditcat -o OutFile -r InFile. The command checks to see if the bin file specified for the InFile parameter is appended and if not, appends the bin file to the file specified by the OutFile parameter. If the bin file is incomplete, the auditcat command adds a valid tail and then appends the bin file to the file specified by the OutFile parameter.
-u Specifies that compressed trail files be uncompressed upon output.
-s size Specifies the size limit of the trail file, after which a backup of the trail file is taken. The size is specified in units of 512-byte blocks. If the size value is negative, zero, or otherwise invalid, auditcat ignores the flag and its value. The maximum possible value is 4194303 (about 2 GB of free disk space).
-d pathname Specifies the full path of a valid directory in which the backup of the trail file is placed. If the pathname value is invalid, auditcat ignores the flag and its value.
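The following POSIX sh helpers are an added example and are not part of the AIX documentation or the audit subsystem. They show the constraints a practitioner runs into when wiring trail rotation into /etc/security/audit/bincmds: the -s value must be expressed in 512-byte blocks and stay within 1..4194303 (values outside that range are silently ignored by auditcat), the -d value must be a full directory path, and rotated backups follow the trail.YYYYMMDDThhmmss.<random number> naming format. The flag order follows the syntax line on this page; the function names, the backup directory /var/audit/backup and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the AIX auditcat documentation. Helpers for
# building a trail-rotation line for /etc/security/audit/bincmds and for
# recognising the backup files auditcat produces when -s/-d are in effect.

# Convert a size in megabytes to 512-byte blocks (the unit -s expects) and
# reject values auditcat would silently ignore (zero, negative, non-numeric)
# or that exceed the documented maximum of 4194303 blocks.
blocks_for_mb() {
    mb=$1
    case "$mb" in
        ''|*[!0-9]*) echo "blocks_for_mb: not a positive integer: '$mb'" >&2; return 1 ;;
    esac
    blocks=$((mb * 2048))          # 1 MB = 2048 blocks of 512 bytes
    if [ "$blocks" -lt 1 ] || [ "$blocks" -gt 4194303 ]; then
        echo "blocks_for_mb: $blocks blocks is outside 1..4194303" >&2
        return 1
    fi
    echo "$blocks"
}

# Build the bincmds line: append the current bin ($bin) to the system trail
# ($trail) and, once the trail exceeds the size limit, back it up into
# backup_dir. auditcat ignores -d unless the path is a valid full directory
# path, so an absolute path is required here; the directory's existence on
# the target host is not checked by this helper.
bincmds_line() {
    mb=$1
    backup_dir=$2
    blocks=$(blocks_for_mb "$mb") || return 1
    case "$backup_dir" in
        /*) ;;
        *) echo "bincmds_line: backup path must be absolute: '$backup_dir'" >&2; return 1 ;;
    esac
    # Single quotes keep $trail and $bin literal; auditbin substitutes them at run time.
    printf '/usr/sbin/auditcat -s %s -d %s -o $trail $bin\n' "$blocks" "$backup_dir"
}

# True when a file name follows the backup format trail.YYYYMMDDThhmmss.<random number>.
is_trail_backup() {
    expr "x$1" : 'xtrail\.[0-9]\{8\}T[0-9]\{6\}\.[0-9]\{1,\}$' >/dev/null
}

# Count backup files among the names given (for example the output of ls on
# the backup directory), ignoring the live trail and unrelated files.
count_trail_backups() {
    n=0
    for name in "$@"; do
        if is_trail_backup "$name"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Demonstration on constructed names (not real audit data): a 100 MB limit
# and a listing containing two rotated backups, the live trail and a stray file.
bincmds_line 100 /var/audit/backup
count_trail_backups trail.20240105T231500.12345 trail trail.2024-01-05.1 trail.20240106T000001.7
```

The generated line is `/usr/sbin/auditcat -s 204800 -d /var/audit/backup -o $trail $bin`; once it is in bincmds, the rotated backups in /var/audit/backup can be examined together with the auditmerge command as the page describes.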

Security

Access Control

This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

To configure the system to append audit bin data to the system audit trail file, add the following line to the /etc/security/audit/bincmds file:

/usr/sbin/auditcat  -o $trail $bin

When the auditbin daemon calls the auditcat command, the daemon replaces the $bin string with the path name of the current bin file, and replaces the $trail string with the name of the default audit trail file.

Files

Item Description
/usr/sbin/auditcat Specifies the path to the auditcat command.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.