Setting Up Auditing to Monitor cron Events in AIX 3.2

Contents

About This Document

This document describes a procedure that is intended only for configuration of auditing in stream mode and for configuration of tracking of the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to AIX Version 3.2.

Procedure

Two files in the /etc/security/audit directory must be modified in order to monitor cron events. They are:

• /etc/security/audit/config: This ASCII stanza file contains audit system configuration information. It has five stanzas: start, bin, stream, classes, and users.
• /etc/security/audit/events: This ASCII stanza file contains information about audit events. It has just one stanza, auditpr, which lists all the audit events in the system. The stanza also contains formatting information that the auditpr command needs to write an audit trail for each event.

1. In the start stanza in the /etc/security/audit/config file, streammode should be set to ON and binmode should be set to OFF.

   The default setting of the bin and stream stanzas are:

   NOTE: The following is on one line, with no spaces between commas.

    
      bin: 
                trail = /audit/trail 
                bin1 = /audit/bin1 
                bin2 = /audit/bin2 
                binsize = 10240 
                cmds = /etc/security/audit/bincmds 
      stream: 
                cmds = /etc/security/audit/streamcmds 
   

2. Group cron audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file. The CRON_Start and CRON_Finish events monitor cron-job "start" and "finish" events. Below is the cron audit class with every event that audit can track.

   NOTE: The following is on one line, with no spaces between commas.

    
   cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove, 
   CRON_Start,CRON_Finish 
   

3. To assign audit classes to an individual user, add a line to the users stanza of the /etc/security/audit/config file. Each line is in the form

    
      <user> = <audit class>, <audit class> 
   

   For example, to enable tracking of cron events from root's crontab table, enter:

    
      root = cron 
   

4. Events need to be added to /etc/security/audit/events file. The following is an example of the "CRON_Start" and "CRON_Finish" events:

    
      CRON_Start = printf "event = %s cmd = %s time = %s" 
      CRON_Finish = printf "user = %s pid = %s time = %s" 
   

   The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.

   NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.

5. The output file for the cron report is specified in the /etc/security/audit/streamcmds file. The default setting for streamcmds is:

    
      /etc/auditstream | auditpr -v > /audit/stream.out & 
   

6. After the config and events files have been changed, auditing must be restarted so that it will be reinitialized with the new parameters. To restart auditing, enter the following commands:

    
      audit shutdown 
      audit start 
   

[ Doc Ref: 90605200014610     Publish Date: May. 05, 1999     4FAX Ref: 2226 ]