bincmds File

Purpose

Contains the shell commands that process audit bin data.

Description

The /etc/security/audit/bincmds file is an ASCII template file that contains the backend commands that process audit binfile records. The path name of this file is defined in the bin stanza of the /etc/security/audit/config file.

This file contains command lines, each composed of one or more commands whose input and output can be piped together or redirected. Although the commands usually are one or more of the audit system commands (the auditcat command, the auditpr command, the auditselect command), this is not a requirement.

As each bin file is filled by the kernel, the auditbin daemon invokes each command to process the bin records, substituting the names of the current bin file and the audit trail file for any $trail and $bin strings in the commands. Upon startup, if the auditbin daemon detects that the bin files require a recovery procedure, the daemon prepends -r to the bin file's name when it substitutes $bin.
Note: The commands are executed by the trusted shell (TSH) when on the trusted path. This means that the path names in the commands must be absolute, and that environment variable substitution may be limited. See the discussion of the tsh command for more information.

Security

Access Control: This file should grant read (r) access to the root user and members of the audit group and grant write (w) access only to the root user.
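The following shell script is an added example; it is not part of the AIX documentation. It checks the ownership and mode of the bincmds file against the access control stated above, parsing ls -l output rather than stat so that it runs on AIX as well as Linux. The expected mode -rw-r----- (root read/write, audit group read, nothing for others) is this example's reading of the text, and the wrapper audit_bincmds_ok is a hypothetical helper that defaults to the real path.

```shell
#!/bin/sh
# Added example: verify that the bincmds file grants read access only to
# root and the audit group and write access only to root.

# check_audit_file_perms MODESTR OWNER GROUP
# MODESTR is the 10-character permission field printed by ls -l.
# Prints one line per problem and returns 1 if any problem was found.
check_audit_file_perms() {
    mode=$1
    owner=$2
    group=$3
    status=0
    [ "$owner" = root ] || { echo "owner is '$owner', expected root"; status=1; }
    [ "$group" = audit ] || { echo "group is '$group', expected audit"; status=1; }
    case $mode in
        # regular file, root rw (or r), audit group r, no access for others
        -r[w-]-r-----) ;;
        *) echo "mode is '$mode', expected -rw-r-----"; status=1 ;;
    esac
    return $status
}

# audit_bincmds_ok [PATH]  (hypothetical wrapper)
# Runs the check against a live file; defaults to /etc/security/audit/bincmds.
# ls -ld prints: mode, link count, owner, group, ... so fields 1, 3 and 4 are used.
audit_bincmds_ok() {
    f=${1:-/etc/security/audit/bincmds}
    [ -e "$f" ] || { echo "$f: no such file"; return 1; }
    set -- $(ls -ld "$f")
    check_audit_file_perms "$1" "$3" "$4"
}

# Only inspect the live file when it exists on this system.
if [ -e /etc/security/audit/bincmds ]; then
    audit_bincmds_ok && echo "bincmds permissions OK"
fi
```

Run it as root during a configuration review; any line it prints names a deviation from the recommended ownership or mode.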

Examples

  1. To compress audit bin records and append them to the system audit trail file, include the following line in the /etc/security/audit/bincmds file:
    /usr/sbin/auditcat -p -o $trail $bin

    When the command runs, the names of the current bin file and the system audit-trail file are substituted for the $bin and $trail strings. Records are compressed and appended to the /audit/trail file.

  2. To select the audit events from each bin file that are unsuccessful because of authentication or privilege reasons and append the events to the /audit/trail.violations file, include the following line in the /etc/security/audit/bincmds file:
    /usr/sbin/auditselect -e "result == FAIL_AUTH || \
    result == FAIL_PRIV" $bin >> /audit/trail.violations

  3. To create a hard-copy audit log of all local user authentication audit events, include the following line in the /etc/security/audit/bincmds file:
    /usr/sbin/auditselect -e "event == USER_Login || \
    event == USER_SU" $bin | \
    /usr/sbin/auditpr -t2 -v >/dev/lpr3

    Adjust the printer name to fit your requirements.

Note: The auditselect command does not support the -r flag (recovery). To process the $bin string, use the auditcat command before using the auditselect command.
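To make the substitution described under Description and the recovery caveat in the note above concrete, here is an added shell example. It is not part of the AIX documentation and is not the auditbin daemon's own code: it applies the $bin and $trail substitution to a single-line bincmds template, prepends -r in recovery mode, and flags templates that hand $bin straight to auditselect. The templates are constructed; the third one, which places auditcat in front of auditselect, is hypothetical and should be checked against the auditcat and auditselect options on your release before use.

```shell
#!/bin/sh
# Added example: emulate auditbin's $bin / $trail substitution and flag
# bincmds lines that would pass a recovery-mode "-r" name to auditselect.

# expand_bincmd TEMPLATE BIN TRAIL [RECOVERY]
# Prints TEMPLATE with $bin and $trail replaced. When RECOVERY is "1",
# "-r " is prepended to the bin file name, as auditbin does on a restart
# that requires bin recovery.
expand_bincmd() {
    template=$1
    bin=$2
    trail=$3
    recovery=${4:-0}
    if [ "$recovery" = 1 ]; then
        bin="-r $bin"
    fi
    # "[$]" matches a literal dollar sign in a basic regular expression.
    printf '%s\n' "$template" | sed -e "s|[\$]bin|$bin|g" -e "s|[\$]trail|$trail|g"
}

# selects_bin_directly TEMPLATE
# Returns 0 (true) when some pipeline stage of TEMPLATE runs auditselect
# with $bin as an argument. Double-quoted strings are removed first so the
# "||" operator inside an -e expression is not mistaken for a pipe.
selects_bin_directly() {
    printf '%s\n' "$1" \
        | sed 's/"[^"]*"//g' \
        | tr '|' '\n' \
        | grep 'auditselect' | grep -q '[$]bin'
}

# Constructed templates. The first two are the bincmds examples above joined
# onto one line; the third is a hypothetical rewrite in which auditcat reads
# $bin and auditselect filters its output.
CAT_TEMPLATE='/usr/sbin/auditcat -p -o $trail $bin'
SELECT_TEMPLATE='/usr/sbin/auditselect -e "result == FAIL_AUTH || result == FAIL_PRIV" $bin >> /audit/trail.violations'
SAFE_TEMPLATE='/usr/sbin/auditcat $bin | /usr/sbin/auditselect -e "result == FAIL_AUTH || result == FAIL_PRIV" >> /audit/trail.violations'

for t in "$CAT_TEMPLATE" "$SELECT_TEMPLATE" "$SAFE_TEMPLATE"; do
    echo "normal:   $(expand_bincmd "$t" /audit/bin1 /audit/trail)"
    echo "recovery: $(expand_bincmd "$t" /audit/bin1 /audit/trail 1)"
    if selects_bin_directly "$t"; then
        echo "WARNING: auditselect reads \$bin directly; this fails in recovery mode"
    fi
    echo
done
```

Running the script shows the second template expanding to `auditselect ... -r /audit/bin1 ...` in recovery mode, which is exactly the flag auditselect rejects; the first and third templates route the -r name to auditcat instead.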

Files

Item                            Description
/etc/security/audit/bincmds     Specifies the path to the file.
/etc/security/audit/config      Contains audit-system configuration information.
/etc/security/audit/events      Contains the audit events of the system.
/etc/security/audit/objects     Contains audit events for audited objects (files).
/etc/security/audit/streamcmds  Contains auditstream commands.