auditcat Command

Purpose

Writes bins of audit records.

Syntax

auditcat [ -p | -u ] [ -s size ] [ -d pathname ] [ -o OutFile ] [ -r ] [ InFile ]

Description

The auditcat command is part of the audit subsystem, and is one of several backend commands that process the audit data records.

The auditcat command reads bin files of audit records from standard input or from the file specified by the InFile parameter. It then processes the records and writes its output to standard output or to the file specified by the OutFile parameter. The output is written compressed or uncompressed depending on the flag selected (-p or -u).

One major use of the command is appending compressed bin files to the end of the system audit trail file.

If the /etc/security/audit/bincmds file names $bin as the input file, input comes from the current bin file (bin1 or bin2). If the /etc/security/audit/bincmds file names $trail as the output file, the records are written to the end of the system audit trail file.

If a bin file is not properly formed with a valid header and tail, an error is returned. See the auditpr command for information about audit headers and tails and the auditbin command for information on error recovery.

If the -s flag is given with a valid value and the trail file grows beyond that size, auditcat takes a backup of the trail file and truncates it to zero length. If a path name is also given with the -d flag, the backup is written to that directory. The backup file is named trail.YYYYMMDDThhmmss.<random number>. In addition, if the free space in the /audit file system drops below the freespace value set in /etc/security/audit/config and -d is specified with a valid path, the trail file is backed up to that path. To view records that are spread across several trail files, use the auditmerge command.
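The rotation that the -s and -d flags describe can be tried on an ordinary file with the following POSIX shell functions. This is an added illustration written for this page, not auditcat's own code: it applies the documented rules (size measured in 512-byte blocks, a limit that is ignored when non-positive, non-numeric or above 4194303, a backup directory that must exist, the trail.YYYYMMDDThhmmss.<random number> name, and the live trail reduced to zero length). The process ID is assumed as a stand-in for the random number, and the separate free-space trigger from /etc/security/audit/config is not modelled.

```shell
#!/bin/sh
# Added illustration of the documented -s/-d rotation semantics; not auditcat.

# Print the size of a file in 512-byte blocks, rounding a partial block up,
# which is the unit the -s flag expects.
trail_blocks() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 511) / 512 ))
}

# rotate_trail TRAIL LIMIT_BLOCKS [BACKUP_DIR]
# If TRAIL occupies more than LIMIT_BLOCKS 512-byte blocks, copy it to
# BACKUP_DIR (default: the directory holding TRAIL) under the documented
# backup name and truncate TRAIL to zero length.
# Prints the backup path and returns 0 when a rotation happened,
# returns 1 when the arguments were invalid or the limit was not exceeded.
rotate_trail() {
    trail=$1
    limit=$2
    dir=${3:-$(dirname "$trail")}

    # As documented, a negative, zero or otherwise invalid size makes
    # auditcat ignore the flag; 4194303 is the documented maximum.
    case $limit in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$limit" -gt 0 ] && [ "$limit" -le 4194303 ] || return 1
    # An invalid path name is likewise ignored.
    [ -d "$dir" ] || return 1

    [ "$(trail_blocks "$trail")" -gt "$limit" ] || return 1

    stamp=$(date -u +%Y%m%dT%H%M%S)
    backup="$dir/trail.$stamp.$$"   # $$ stands in for the random number (assumption)
    cp "$trail" "$backup" || return 1
    : > "$trail"                    # reduce the live trail to zero length
    echo "$backup"
}
```

Because the size is compared in whole 512-byte blocks, a limit of 2 rotates a 2048-byte file (4 blocks) but leaves a 1024-byte file alone; the backup keeps the full pre-rotation content and is what auditmerge would later read alongside the live trail.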

Flags

Table 1. Flags
Item Description
-o OutFile Specifies the audit trail file to which the auditcat command writes records. If you specify $trail as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system audit trail file.
-p Specifies that the bin files be compressed (packed) upon output. The default value specifies that the bins not be compressed.
-r Requests recovery procedures. File names for both the InFile and OutFile parameters must be specified for recovery to occur, so the command syntax must be auditcat -o OutFile -r InFile. The command checks whether the bin file specified for the InFile parameter has already been appended and, if not, appends it to the file specified by the OutFile parameter. If the bin file is incomplete, the auditcat command adds a valid tail before appending it to the file specified by the OutFile parameter.
-u Specifies that compressed trail files be uncompressed upon output.
-s size Specifies the size of the trail file beyond which a backup of the trail is taken. Size is given in units of 512-byte blocks. If the size value is negative, zero or otherwise invalid, auditcat ignores the flag and its value. The maximum value is 4194303 (about 2 GB).
-d pathname Specifies a valid full directory path in which the backup of the trail file is written. If the path name is invalid, auditcat ignores the flag and its value.

Security

Access Control

This command must grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

RBAC users
Attention RBAC users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations that are associated with this command, see the lssecattr command or the getcmdattr subcommand.

Examples

To configure the system to append audit bin data to the system audit trail file, add the following line to the /etc/security/audit/bincmds file:

/usr/sbin/auditcat  -o $trail $bin

When the auditbin daemon calls the auditcat command, the daemon replaces the $bin string with the path name of the current bin file, and replaces the $trail string with the name of the default audit trail file.

Files

Table 2. Files
Item Description
/usr/sbin/auditcat Specifies the path to the auditcat command.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events This file contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.