auditstream Command

Purpose

Creates a channel for reading audit records.

Syntax

auditstream [ -m ] [ -c Class ...]

Description

The auditstream command is part of the audit subsystem. This command reads audit records from the /dev/audit file (the audit device) and copies the records to standard output in binary format. You can select a subset of the audit records by specifying audit classes (defined in the /etc/security/audit/config file) with the -c flag; otherwise, all currently enabled audit classes are copied.

Audit stream data can be displayed and processed as it is generated. For example, the command output can be piped to an audit backend command for further processing or redirected to a file. Both the auditselect command, which selects data records according to defined criteria, and the auditpr command, which formats the records for viewing or for printing, are examples of backend commands.

The auditstream command can be called from the command line or be configured to run multiple times as part of the audit system configuration. For information on configuring the auditstream command, refer to "Setting up Auditing" in Security and to the /etc/security/audit/config file.

Note: The auditstream command must be run in the background.

The AIX_AUDITBUFSZ environment variable enables buffered writes of the auditstream audit records. The buffered write option is useful for high-performance applications that generate many audit records.

The AIX_AUDITBUFSZ environment variable accepts decimal and hexadecimal values in the range 8192 bytes to 67 MB. Any other positive value outside this range is rounded to the nearer end of the range (the lower bound for values below it, the upper bound for values above it). If the variable is not set, or is assigned a negative or non-numeric value, it is ignored.
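The following shell function is an added example, not part of the AIX documentation: it predicts the buffer size the audit subsystem would use for a candidate AIX_AUDITBUFSZ value by applying the rules just described, so the value can be checked before the subsystem is started in stream mode. It assumes "67 MB" means 67*1024*1024 bytes and treats a value of 0 (neither positive nor negative) as ignored; both are assumptions, not statements from this page.

```shell
# Added example (not from the AIX documentation). Assumptions: "67 MB" is
# taken as 67*1024*1024 bytes, and a value of 0 is treated as ignored.
AUDITBUF_MIN=8192
AUDITBUF_MAX=$((67 * 1024 * 1024))

# Prints the effective size in bytes, or "ignored" when the audit subsystem
# would disregard the variable (unset/empty, negative, or non-numeric).
effective_auditbufsz() {
    v=$1
    case "$v" in
        0[xX]*)                                  # hexadecimal, e.g. 0x80000
            h=${v#0[xX]}
            case "$h" in ""|*[!0-9a-fA-F]*) echo ignored; return 0 ;; esac
            n=$((0x$h)) ;;
        ""|*[!0-9]*)                             # empty, negative, or non-numeric
            echo ignored; return 0 ;;
        *)                                       # decimal; strip leading zeros
            d=$(printf '%s' "$v" | sed 's/^0*//')
            n=${d:-0} ;;
    esac
    if [ "$n" -eq 0 ]; then
        echo ignored
    elif [ "$n" -lt "$AUDITBUF_MIN" ]; then      # below range: rounded up to 8192
        echo "$AUDITBUF_MIN"
    elif [ "$n" -gt "$AUDITBUF_MAX" ]; then      # above range: rounded down to 67 MB
        echo "$AUDITBUF_MAX"
    else
        echo "$n"
    fi
}

# Usage: report what the current environment value would give, which is worth
# checking before "audit start" in stream mode (the variable must be set first).
echo "AIX_AUDITBUFSZ=${AIX_AUDITBUFSZ:-<unset>} -> $(effective_auditbufsz "${AIX_AUDITBUFSZ:-}")"
```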

Flags

Item Description
-c Class Specifies the audit classes to be copied. Each class must be configured in the /etc/security/audit/config file as a list of comma-separated audit events. The default value is all the currently enabled audit events.
-m Includes the processor ID, roles and privileges in each audit record.

Security

Access Control

This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed

Mode File
r /dev/audit

Attention, RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To configure the stream collection of audit data when the audit system is initialized, add the following to the stream stanza of the /etc/security/audit/config file:
    cmds = /etc/security/audit/streamcmds
    Then add the following to the start stanza:
    streammode=on
    Next, add to the /etc/security/audit/streamcmds file all the stream commands that should be executed when the auditing system is initialized. For example:
    /usr/sbin/auditstream -c authentication | \
    /usr/sbin/auditpr -v > /dev/console

    /usr/sbin/auditstream | /usr/sbin/auditselect -e \
    "result == FAIL_ACCESS" | \
    /usr/sbin/auditpr -t 2 -v > /dev/lp2
    The first command formats all records for events in the authentication class and writes them to the system console. The second command formats all records that resulted in an access denial and prints them on the printer /dev/lp2.
  2. To record audit stream events on a line printer, enter:
    /usr/sbin/auditstream | /usr/sbin/auditselect -e "event == \
    USER_Login || event == USER_SU" | \
    /usr/sbin/auditpr -v > /dev/lp0 &
    This command formats and writes all user login and su events to the line printer.
  3. To use the buffered write option for the audit records with a buffer size of 520000 bytes for an auditing subsystem that is started in stream mode, enter the following commands:
    export AIX_AUDITBUFSZ=520000
    /usr/sbin/audit start
    Note: In stream mode, the AIX_AUDITBUFSZ environment variable must be set before the audit subsystem is started.

Files

Item Description
/usr/sbin/auditstream Specifies the path of the auditstream command.
/etc/rc Contains the system startup routines.
/dev/audit Specifies the audit device.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.
/etc/security/audit/streamcmds Contains auditstream commands.
/etc/security/audit/hosts Contains host and processor IDs.