audit Command

Purpose

Controls system auditing.

Syntax

audit { on [ panic | fullpath ] | off | query | start | shutdown } [ -@ wparname ... ]

Description

The audit command controls system auditing through several options. Include one option each time you enter the command. The start and shutdown options start and stop the auditing system and reset the system configuration. The off and on options suspend and resume the auditing system without affecting the system configuration. The query option reports the current status.

The auditing system follows the instructions that are established in the following configuration files:

  • /etc/security/audit/config
  • /etc/security/audit/events
  • /etc/security/audit/objects
  • /etc/security/audit/bincmds
  • /etc/security/audit/streamcmds

The -@ option is not supported when you run it in a WPAR.

Options

Table 1. audit Command options

start
    Starts the audit subsystem. This option reads the instructions in the configuration files and performs the following tasks:

    role auditing
        Audits all roles currently active in the system, if they are configured in the roles stanza of the /etc/security/audit/config file.
    object auditing
        Writes the audit event definitions in the /etc/security/audit/objects file into the kernel to define the object audit events.
        Note: When the parent directory of one of the file-system objects does not exist, the flag fails and issues an ENOENT error.
    event auditing
        Writes the audit class definitions in the /etc/security/audit/config file into the kernel to define the audit classes.
    bin auditing
        Starts the auditbin daemon according to the configuration information in the bin stanza in the /etc/security/audit/config file, if the start stanza contains binmode=on.
    stream auditing
        Starts the audit stream commands as defined in the stream stanza in the /etc/security/audit/config file, if the start stanza contains streammode=on.
        Note: Avoid invoking stream auditing at boot time or from a remote shell (rsh) unless standard output (stdout) and standard error (stderr) are closed on invocation, that is, when the command is run as: audit start 1>&- 2>&-.
    fullpath auditing
        Captures the full path name of a file or an executable file for the FILE_Open, FILE_Openxat, FILE_Read, FILE_Write, FILE_Link, FILE_Linkat, FILE_Unlink, FILE_Unlinkat, FILE_Rename, FILE_Renameat, FILE_Owner, FILE_Mode, FILE_Fchmod, FILE_Fchmodat, FILE_Fchown, FILE_Fchownat, FILE_Truncate, FILE_Symlink, FILE_Symlinkat, FILE_Setea, FILE_Removeea, FILE_Utimes, FS_Chroot, FILE_Mknod, FILE_Mknodat, FILE_Acl, FILE_Facl, FILE_Chpriv, FILE_Fchpriv, FILE_WriteXacl, FILE_Revoke, FILE_Frevoke, PROC_Execute, and PROC_LPExecute auditing events, when the start stanza in the /etc/security/audit/config file contains fullpath=on.
    user auditing
        Audits all users who are logged in to the system, if they are set up in the users stanza of the /etc/security/audit/config file.
    audit logging
        Enables the audit log component as defined in the start stanza in the /etc/security/audit/config file.
    audit ranges
        Writes the WPAR audit ranges into the kernel, if they are set up in the WPAR Audit Ranges (WAR) stanza of the /etc/security/audit/config file.
    global-initiated WPAR auditing
        Audits the WPARs, if they are listed in the WPARS stanza of the /etc/security/audit/config file. This auditing can be used only from the global WPAR, by specifying the -@ wparname parameter in the command.

shutdown
    Stops the collection of audit records and resets the configuration information by removing the definition of classes from the kernel tables. All the audit records in the kernel buffers are flushed into the bin files or audit streams. This is done according to the back-end command specifications in the /etc/security/audit/bincmds file (binmode auditing) and the /etc/security/audit/streamcmds file (streammode auditing). The collection of audit data stops until you give the next audit start command. When you use the -@ wparname parameter with this option, auditing is disabled for the specified WPAR.

off
    Suspends the auditing system, but leaves the configuration valid. Data collection pauses until you give the audit on command. This option does not support the -@ option.

on [ panic | fullpath ]
    Restarts the auditing system after a suspension, if the system is properly configured (for example, if the audit start command was used initially and the configuration is still valid). If auditing is already started when the command is given, only bin data collection can be changed.

    The -@ option is not supported by this option.

    If you specify the panic option, the system halts abruptly if bin data collection is enabled but cannot be written to a bin file. The panic option is not supported when you run it in a WPAR.

    If you specify the fullpath option, the FILE_Open, FILE_Read, and FILE_Write auditing events capture the full path name of a file.

query
    Queries the auditing status of the audit subsystem. If you specify the -@ option, this option queries the auditing status of a global-initiated WPAR. This option displays the status of the audit subsystem in the following format:

    auditing on {panic | fullpath | tcp_enable_all_kevents} | auditing off

    bin manager off | is process number pid

    audit events:
        audit class: audit event, audit event...
    audit objects:
        object name: object mode: audit event
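The start stanza that the start option reads, shown here as an added illustration rather than text from the AIX documentation. The three keys (binmode, streammode, fullpath) are the ones named in Table 1; the stanza layout (stanza name followed by a colon, attributes indented as name = value, comment lines starting with an asterisk) is the standard AIX stanza-file layout and is assumed here, and the other stanzas this page names (bin, stream, classes, users, roles, WPARS) are omitted:

```text
* /etc/security/audit/config (fragment) - constructed example, not the shipped file
* binmode=on     starts the auditbin daemon described in the bin stanza
* streammode=off leaves the stream commands in the stream stanza unstarted
* fullpath=on    makes the FILE_* and PROC_Execute events record full path names
start:
        binmode = on
        streammode = off
        fullpath = on
```

After changing the start stanza, the new values take effect only on the next audit start (or audit on fullpath for the fullpath setting), because audit on reads nothing but the configuration already loaded into the kernel.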

Security

Access Control

This command must grant execute (x) access to the root user and members of the audit group. The command must be setuid to the root user and have the trusted computing base attribute.

Files Accessed
Table 2. Files

Mode  File
r     /etc/security/audit/config
r     /etc/security/audit/objects
x     /usr/sbin/auditbin
x     /usr/sbin/auditstream
RBAC users
Attention RBAC users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations that are associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

  1. To start the audit process, configure the audit system as described in Setting up Auditing in Security, and add the following line to the system initialization file (the /etc/rc in the global environment or the /etc/rc.bootc in WPAR):
    /usr/sbin/audit start 1>&- 2>&- 

    The audit process starts, as configured, each time the system is initialized.

  2. To start the audit process for the WPAR named wpar1 from the global WPAR, enter the following command:
    /usr/sbin/audit start -@ wpar1
  3. To stop the operation of the auditing process, enter the following command:
    /usr/sbin/audit shutdown
    Data collection stops until the audit start command is specified again. The configuration of classes in the operating system kernel is lost.
    Note: The audit shutdown command must be in the /etc/shutdown file as well.
  4. To stop the auditing process of the WPAR named wpar1 from global WPAR, enter the following command:
    /usr/sbin/audit shutdown -@ wpar1

    Data collection stops until the audit start -@ wpar1 command is specified again. The configuration of classes in the operating system kernel is lost.

    Remember: The audit shutdown command, without any options, shuts down the auditing process of all WPARs started from the global WPAR.
  5. To suspend the audit subsystem, enter the following command:
    /usr/sbin/audit off
  6. To restart an audit process suspended by the audit off command, enter the following command:
    /usr/sbin/audit on

    The suspended state ends and audit records are generated again, if the system is configured correctly.

  7. To display the status of the auditing system, enter the following command:
    /usr/sbin/audit query
    The following message is an example of an audit query status message:
    auditing on

    bin manager is process number 123

    audit events:
        authentication- USER_Login, USER_Logout
        administration- USER_Create, GROUP_Create

    audit objects:
        /etc/security/passwd :
          r = AUTH_Read
        /etc/security/passwd :
          w = AUTH_Write
    The query informs you that audit records are written when the specified users log in or log out, when the specified administrators create a user or a group, and when the system receives an authorized read or write instruction for the /etc/security/passwd file.
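The following POSIX sh script is an added example and is not part of the AIX documentation. It parses audit query output in the format shown in the query option and in example 7, so that a monitoring job can confirm that auditing is on and the bin manager is running, and can list which events a class covers. The sample output is constructed from the page's own example and embedded so the script runs offline; on a real system, feed the functions the output of /usr/sbin/audit query instead. The function names are this example's own.

```shell
#!/bin/sh
# Added example: a health check over "audit query" output (not AIX code).

# Constructed sample in the documented "audit query" format.
SAMPLE_QUERY='auditing on fullpath

bin manager is process number 123

audit events:
    authentication- USER_Login, USER_Logout
    administration- USER_Create, GROUP_Create

audit objects:
    /etc/security/passwd :
      r = AUTH_Read
    /etc/security/passwd :
      w = AUTH_Write'

# audit_state TEXT -> prints "on", "off", or "unknown" from the first line.
audit_state() {
    printf '%s\n' "$1" | awk 'NR == 1 {
        s = "unknown"
        if ($1 == "auditing" && ($2 == "on" || $2 == "off")) s = $2
        print s; exit
    }'
}

# audit_flags TEXT -> prints the words after "auditing on" (e.g. "fullpath"),
# or nothing when auditing is off or no flag is set.
audit_flags() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "auditing" && $2 == "on" {
        for (i = 3; i <= NF; i++) printf "%s%s", (i > 3 ? " " : ""), $i
        print ""; exit
    }'
}

# bin_manager_pid TEXT -> prints the auditbin process number, or "off".
bin_manager_pid() {
    printf '%s\n' "$1" | awk '/^bin manager/ {
        if ($3 == "off") print "off"; else print $NF
        exit
    }'
}

# class_events TEXT CLASS -> prints the events audited for CLASS, taken from
# the "audit events:" section ("class- event, event...").
class_events() {
    printf '%s\n' "$1" | awk -v cls="$2" '
        /^audit events:/  { in_ev = 1; next }
        /^audit objects:/ { in_ev = 0 }
        in_ev && $1 == (cls "-") {
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")   # drop the "class- " prefix
            print; exit
        }
    '
}

# audit_healthy TEXT -> succeeds only when auditing is on and the bin
# manager is running, i.e. records are both generated and written to bins.
audit_healthy() {
    [ "$(audit_state "$1")" = "on" ] || return 1
    [ "$(bin_manager_pid "$1")" != "off" ] || return 1
    return 0
}

# Stand-alone run against the constructed sample.
printf 'state=%s flags=[%s] bin_manager=%s\n' \
    "$(audit_state "$SAMPLE_QUERY")" \
    "$(audit_flags "$SAMPLE_QUERY")" \
    "$(bin_manager_pid "$SAMPLE_QUERY")"
printf 'authentication events: %s\n' "$(class_events "$SAMPLE_QUERY" authentication)"
audit_healthy "$SAMPLE_QUERY" && echo "audit subsystem healthy" || echo "audit subsystem NOT healthy"
```

To use it on a live system, replace the sample with `STATUS=$(/usr/sbin/audit query)` and call `audit_healthy "$STATUS"`; a non-zero exit from that function is the condition a cron job or monitoring agent would alert on, since audit off or a stopped bin manager means events are no longer being recorded.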

Files

Table 3. Files

Item                            Description
/etc/security/audit/bincmds     Contains shell commands for processing audit bin data.
/etc/security/audit/config      Contains audit configuration information.
/etc/security/audit/events      Lists the audit events and their tail format specifications.
/etc/security/audit/objects     Lists the audit events for each file (object).
/etc/security/audit/streamcmds  Contains auditstream commands.
/etc/rc                         Contains the system initialization commands.
/usr/sbin/audit                 Contains the path of the audit command.