Setting Up Auditing to Monitor cron Events in AIX 4.x
About this document
This procedure is intended only for the configuration of auditing in stream mode
and for the configuration of tracking the cron events CRON_Start and
CRON_Finish. (In stream mode, the report is written in ASCII.) This document
applies to all levels of AIX Version 4.
Two files in the /etc/security/audit directory must be modified in order
to monitor cron events. They are:
- /etc/security/audit/config: This ASCII stanza file contains audit system
configuration information. It has five stanzas: start, bin, stream,
classes, and users.
- /etc/security/audit/events: This ASCII stanza file contains information
about audit events. It has just one stanza, auditpr, which lists all the
audit events in the system. The stanza also contains formatting information
that the auditpr command needs to write an audit trail for each event.
- In the start stanza in the /etc/security/audit/config file,
streammode should be set to ON and binmode should be set to OFF.
The default settings of the bin and stream stanzas are:
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds
- Group cron audit events into sets of similar items called audit classes.
Define these audit classes in the classes stanza of the
/etc/security/audit/config file. The CRON_Start and CRON_Finish events
monitor cron job start and finish events. The following shows the cron audit
class with every event that auditing can track.
NOTE: The following is on one line, with no spaces after the commas.
This line, or one similar, may already be present in AIX Version 4.
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,
- To assign audit classes to an individual user, add a line to the users
stanza of the /etc/security/audit/config file. Each line is in the form
<user> = <audit class>, <audit class>
For example, to enable tracking of cron events from root's crontab:
root = cron
- From the list in the /etc/security/audit/events file, select or add
system activities (events) to be audited. The following is an example of the
CRON_Start and CRON_Finish events:
NOTE: These lines or something similar may already be present in AIX
CRON_Start = printf "event = %s cmd = %s time = %s"
CRON_Finish = printf "user = %s pid = %s time = %s"
The purpose of these formatting instructions is to enable the auditpr
command to write customized data in the audit record for the event.
NOTE: There was a defect in the documentation related to cron
events (IX34755). The names for the cron start and stop events were
documented as CRON_start and CRON_finish; they should have been CRON_Start and
- The output file for the cron report is specified in
/etc/security/audit/streamcmds. The default setting for streamcmds is:
/etc/auditstream | auditpr -v > /audit/stream.out &
- After the config and events files have been changed, auditing must be
restarted so that it will be reinitialized with the new parameters. To restart
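As an added check, not part of the IBM document: a POSIX shell script that flattens an /etc/security/audit/config stanza file and verifies the settings the steps above require (streammode on, binmode off, CRON_Start and CRON_Finish in the cron class, root assigned the cron class). The sample config it writes is constructed for offline use, and the function names are my own.

```shell
# Added example, not from the IBM document: verify the cron-auditing
# settings in an AIX audit config file. Run as: check_cron_audit_config [file]

# Constructed sample config so the check can be exercised offline.
make_sample_config() {
  cat > "$1" <<'EOF'
start:
        binmode = off
        streammode = on

classes:
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish

users:
        root = cron
EOF
}

# Flatten a stanza file to "stanza key value" lines (whitespace removed
# from key and value; a stanza header is a word followed by ':').
stanza_attrs() {
  awk '/^[A-Za-z_]+:[ \t]*$/ { st = $0; sub(/:.*/, "", st); next }
       /^[ \t]*[A-Za-z_][A-Za-z_0-9]*[ \t]*=/ {
         key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
         val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
         print st, key, val }' "$1"
}

# Returns 0 when every required setting is present, 1 otherwise;
# each missing setting is reported on stderr.
check_cron_audit_config() {
  file=${1:-/etc/security/audit/config}
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  rc=0
  attrs=$(stanza_attrs "$file")
  echo "$attrs" | grep -iq '^start streammode on$' ||
    { echo "start: streammode is not on" >&2; rc=1; }
  echo "$attrs" | grep -iq '^start binmode off$' ||
    { echo "start: binmode is not off" >&2; rc=1; }
  # Event names are matched case-sensitively on purpose: CRON_start
  # (the spelling from the IX34755 documentation defect) must not pass.
  cron=$(echo "$attrs" | awk '$1 == "classes" && $2 == "cron" { print $3 }')
  for ev in CRON_Start CRON_Finish; do
    echo ",$cron," | grep -q ",$ev," ||
      { echo "classes: cron class does not contain $ev" >&2; rc=1; }
  done
  echo "$attrs" | awk '$1 == "users" && $2 == "root" { print "," $3 "," }' |
    grep -q ',cron,' || { echo "users: root is not assigned the cron class" >&2; rc=1; }
  return $rc
}
```

Run the check before restarting auditing; a non-zero exit means at least one of the settings above is missing or misspelled.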
[ Doc Ref: 90605200014608 Publish Date: Jan. 17, 2001 4FAX Ref: 9572 ]