Setting Up Auditing to Monitor cron Events in AIX 3.2


About This Document

This document describes a procedure for two tasks only: configuring auditing in stream mode, and configuring tracking of the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to AIX Version 3.2.


Two files in the /etc/security/audit directory, config and events, must be modified in order to monitor cron events. The steps are:

  1. In the start stanza in the /etc/security/audit/config file, streammode should be set to ON and binmode should be set to OFF.

    The default settings of the bin and stream stanzas are:

         bin:
                 trail = /audit/trail
                 bin1 = /audit/bin1
                 bin2 = /audit/bin2
                 binsize = 10240
                 cmds = /etc/security/audit/bincmds

         stream:
                 cmds = /etc/security/audit/streamcmds

  2. Group cron audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file. The CRON_Start and CRON_Finish events monitor cron-job "start" and "finish" events. Below is the cron audit class with every event that audit can track.

    NOTE: The following is on one line, with no spaces between commas.

    cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,

  3. To assign audit classes to an individual user, add a line to the users stanza of the /etc/security/audit/config file. Each line is in the form:
       <user> = <audit class>, <audit class> 

    For example, to enable tracking of cron events from root's crontab table, enter:

       root = cron

  4. Events need to be added to the /etc/security/audit/events file. The following is an example of the "CRON_Start" and "CRON_Finish" events:
       CRON_Start = printf "event = %s cmd = %s time = %s" 
       CRON_Finish = printf "user = %s pid = %s time = %s" 

    The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.

    NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.

  5. The output file for the cron report is specified in the /etc/security/audit/streamcmds file. The default setting for streamcmds is:
       /etc/auditstream | auditpr -v > /audit/stream.out &

  6. After the config and events files have been changed, auditing must be restarted so that it will be reinitialized with the new parameters. To restart auditing, enter the following commands:
       audit shutdown 
       audit start 
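
A check to run before restarting auditing, as an added example that is not part of the original IBM document: it parses the stanza files and confirms steps 1 through 4, including the exact CRON_Start and CRON_Finish spelling from the IX34755 note. The function names are hypothetical, and treating lines that begin with `*` as comments is an assumption about the stanza file syntax.

```shell
#!/bin/sh
# Added example (not from the IBM document): verify the cron auditing setup.
# Function names are hypothetical; "*" comment lines are an assumed syntax.

# stanza_value FILE STANZA KEY: print KEY's value inside "STANZA:", spaces removed.
stanza_value() {
    awk -v want="$2:" -v key="$3" '
        /^[ \t]*$/ || /^[ \t]*\*/ { next }       # blank line or "*" comment
        /^[^ \t].*:[ \t]*$/ { cur = $1; next }   # stanza header, e.g. "start:"
        cur == want {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_cron_audit CONFIG EVENTS [USER]: print one FAIL line per problem;
# return 0 only when steps 1-4 of the procedure are all satisfied.
check_cron_audit() {
    cfg=$1; evs=$2; user=${3:-root}; rc=0
    fail() { echo "FAIL: $*"; rc=1; }
    mode() { stanza_value "$cfg" start "$1" | tr 'A-Z' 'a-z'; }
    [ "$(mode streammode)" = on ] || fail "start: streammode is not on"
    [ "$(mode binmode)" = off ] || fail "start: binmode is not off"
    class=$(stanza_value "$cfg" classes cron)
    for ev in CRON_Start CRON_Finish; do      # capital S and F, per IX34755
        case ",$class," in
            *",$ev,"*) ;;
            *) fail "classes: cron class does not list $ev" ;;
        esac
        grep "^[[:space:]]*$ev[[:space:]]*=" "$evs" >/dev/null ||
            fail "events: no format entry for $ev"
    done
    case ",$(stanza_value "$cfg" users "$user")," in
        *",cron,"*) ;;
        *) fail "users: $user is not assigned the cron class" ;;
    esac
    return $rc
}

# On the AIX host, check the live files; elsewhere this only defines the functions.
if [ -r /etc/security/audit/config ] && [ -r /etc/security/audit/events ]; then
    check_cron_audit /etc/security/audit/config /etc/security/audit/events root
fi
```

A silent run with exit status 0 means the configuration matches the procedure; each FAIL line names the stanza or file to correct before running audit shutdown and audit start.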

[ Doc Ref: 90605200014610     Publish Date: May. 05, 1999     4FAX Ref: 2226 ]