bincmds File
Purpose
Contains the shell commands that process audit bin data.
Description
The /etc/security/audit/bincmds file is an ASCII template file that contains the backend commands that process audit binfile records. The path name of this file is defined in the bin stanza of the /etc/security/audit/config file.
This file contains command lines each composed of one or more commands with input and output that can be piped together or redirected. Although the commands usually are one or more of the audit system commands (the auditcat command, the auditpr command, the auditselect command), this is not a requirement.
root (/) file system. If the root (/) file system does not have enough space to log events, the event logging operation is stopped. To solve this problem, the following tunable parameters are defined in the /etc/security/audit/config file:
- backupsize: A backup of the system audit-trail file is saved when the size of the system audit-trail file reaches the value of the backupsize parameter. The existing system audit-trail file is then truncated. The system audit-trail file is located at /audit/trail. You must specify the backupsize parameter in units of 512-byte blocks.
- backuppath: A valid directory path where the backup of the system audit-trail file is saved.
Security
Access Control: This file should grant read (r) access to the root user and members of the audit group and grant write (w) access only to the root user.
Examples
- To compress audit bin records and append them to the system audit-trail file, include the following line in the /etc/security/audit/bincmds file:
/usr/sbin/auditcat -p -o $trail $bin
When the command runs, the names of the current bin file and the system audit-trail file are substituted for the $bin and $trail strings. Records are compressed and appended to the /audit/trail file.
- To select the audit events from each bin file that are unsuccessful because of authentication or privilege reasons and append the events to the /audit/trail.violations file, you must include the following line in the /etc/security/audit/bincmds file:
/usr/sbin/auditselect -e "result == FAIL_AUTH || \
result == FAIL_PRIV" $bin >> /audit/trail.violations
- To create a hardcopy audit log of all local user authentication audit events, include the following line in the /etc/security/audit/bincmds file:
/usr/sbin/auditselect -e "event == USER_Login || \
event == USER_SU" $bin | \
/usr/sbin/auditpr -t2 -v >/dev/lpr3
Adjust the printer name to fit your requirements.
Note: The auditselect command does not support the -r flag (recovery). To process the $bin string, use the auditcat command before using the auditselect command.
To replace the values of the $backupsize and $backuppath tunable parameters with the values that are specified in the /etc/security/audit/config file, run the following command:
/usr/sbin/auditcat -p -s $backupsize -d $backuppath -o $trail $bin
To enter values for the $backupsize and $backuppath tunable parameters from the command line, enter the following command:
/usr/sbin/auditcat -p -s <size value> -d <path value> -o $trail $bin
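The placeholder substitution the examples above rely on ($bin, $trail, $backupsize and $backuppath) and the access-control requirement from the Security section, as an added example that is not part of this documentation or of AIX. The POSIX shell script below expands a constructed bincmds file the way the audit subsystem is assumed to (a plain textual replacement of the four strings; nothing is executed) and checks that the file's mode grants no write access beyond the owner and no access to others. The function names render_bincmds and check_bincmds_mode, the SAMPLE_BINCMDS content, the paths /audit/bin1 and /audit/backup and the size 2048 are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: expand a bincmds line the way
# the audit subsystem does (substituting $bin, $trail, $backupsize and
# $backuppath) and check the file's access mode against the documented
# access control. Nothing here runs auditcat or auditselect; the audit
# subsystem is assumed to perform an equivalent textual substitution.

# Constructed sample bincmds content, mirroring the documented example lines.
SAMPLE_BINCMDS='/usr/sbin/auditcat -p -s $backupsize -d $backuppath -o $trail $bin
/usr/sbin/auditselect -e "result == FAIL_AUTH || result == FAIL_PRIV" $bin >> /audit/trail.violations'

# render_bincmds FILE BIN TRAIL BACKUPSIZE BACKUPPATH
# Print every command line of FILE with the four placeholder strings replaced.
# The replacement values must not contain '|' (the sed delimiter) or '&'.
render_bincmds() {
    sed -e "s|\\\$bin|$2|g" \
        -e "s|\\\$trail|$3|g" \
        -e "s|\\\$backupsize|$4|g" \
        -e "s|\\\$backuppath|$5|g" "$1"
}

# check_bincmds_mode FILE
# Return 0 when FILE is rw-r----- or stricter (owner may write, group may
# read, others have no access), 1 otherwise. Ownership (root:audit on AIX)
# is printed for the operator but not enforced, because this example may be
# run as an unprivileged user.
check_bincmds_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3 ":" $4}')
    echo "$1: mode $mode owner $owner" >&2
    case "$mode" in
        -rw-r-----|-rw-------|-r--r-----|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration on a temporary copy of the constructed sample.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_BINCMDS" > "$demo_dir/bincmds"
chmod 640 "$demo_dir/bincmds"
check_bincmds_mode "$demo_dir/bincmds" && echo "access mode OK"
render_bincmds "$demo_dir/bincmds" /audit/bin1 /audit/trail 2048 /audit/backup
rm -rf "$demo_dir"
```

Run as a normal user to see the expanded command lines; on a real system, point check_bincmds_mode at /etc/security/audit/bincmds and confirm the printed owner is root:audit, since a world-readable or group-writable bincmds lets a non-root user read or alter the backend commands that the audit subsystem runs.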
Files
| Item | Description |
|---|---|
| /etc/security/audit/bincmds | Specifies the path to the file. |
| /etc/security/audit/config | Contains audit-system configuration information. |
| /etc/security/audit/events | Contains the audit events of the system. |
| /etc/security/audit/objects | Contains audit events for audited objects (files). |
| /etc/security/audit/streamcmds | Contains auditstream commands. |