streamcmds File

Purpose

Contains auditstream commands.

Description

The /etc/security/audit/streamcmds file is an ASCII template file that contains the stream mode commands that are invoked when the audit system is initialized. The path name of this file is defined in the stream stanza of the /etc/security/audit/config file.

This file contains command lines, each of which is composed of one or more commands whose input and output may be piped together or redirected. Although the commands are usually one or more of the audit system commands (auditcat, auditpr, and auditselect), this is not a requirement. The first command, however, should be the auditstream command.

When the audit system is initialized, the audit start command runs each command. No path name substitution is performed on $trail or $bin strings in the commands.

Security

Access Control: This file should grant read (r) access to the root user and members of the audit group, and write (w) access to the root user only.

Examples

  1. To read all records from the audit device, select and format those that involve unsuccessful events, and print them on a line printer, include the following in the /etc/security/audit/streamcmds file:
    /usr/sbin/auditstream | /usr/sbin/auditselect -e \
     "result == FAIL" | /usr/sbin/auditpr -v > /dev/lpr0

    This command is useful for creating a hard-copy trail of system security violations.

  2. To read all records from the audit device that have audit events in the authentication class, format them, and display them on the system console, include the following in the /etc/security/audit/streamcmds file:
    /usr/sbin/auditstream -c authentication | \
    /usr/sbin/auditpr -t0 -v > /dev/console

    This command allows timely auditing of user authentication events.
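    The following script is an added example, not part of the AIX documentation. It lints a streamcmds file against the two rules stated above (every command line starts with auditstream, and $trail/$bin are not substituted in this file) before the audit subsystem is restarted; it assumes only POSIX sh and awk, and the file it checks in the demo is a constructed stand-in for /etc/security/audit/streamcmds.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: lint a streamcmds file
# before audit start re-reads it. Two rules, both stated in the man page:
#   1. the first command on every line must be auditstream
#   2. $trail and $bin are not substituted here, so a line containing
#      them was most likely copied from bincmds by mistake
# Continuation lines ending in a backslash are joined first.
# Returns 0 if every command line passes, 1 otherwise.
check_streamcmds() {
    file=$1 rc=0 lineno=0 pending=''
    while IFS= read -r raw || [ -n "$raw" ]; do
        lineno=$((lineno + 1))
        case $raw in
            *\\) pending="$pending${raw%\\}"; continue ;;   # line continues
        esac
        line="$pending$raw"; pending=''
        # first word of the first pipeline stage (awk trims leading blanks)
        first=$(printf '%s\n' "${line%%|*}" | awk '{ print $1; exit }')
        case $first in
            ''|'#'*) continue ;;                            # blank or comment
        esac
        if [ "${first##*/}" != auditstream ]; then
            printf '%s: line %d: first command is %s, expected auditstream\n' \
                "$file" "$lineno" "$first" >&2
            rc=1
        fi
        case $line in
            *'$trail'*|*'$bin'*)
                printf '%s: line %d: $trail/$bin are not substituted in streamcmds\n' \
                    "$file" "$lineno" >&2
                rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Demo on a constructed file standing in for /etc/security/audit/streamcmds:
# the first entry is the man page's line-printer example, the second is a
# bincmds-style line that does not belong here.
demo=${TMPDIR:-/tmp}/streamcmds.demo.$$
printf '%s\n' \
    '/usr/sbin/auditstream | /usr/sbin/auditselect -e \' \
    '  "result == FAIL" | /usr/sbin/auditpr -v > /dev/lpr0' \
    '/usr/sbin/auditcat -p -o $trail $bin' > "$demo"
check_streamcmds "$demo" && echo "$demo: OK" || echo "$demo: problems found"
rm -f "$demo"
```

    Reported line numbers refer to the last physical line of a backslash-continued command.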

Files

Item Description
/etc/security/audit/streamcmds Specifies the path to the file.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.