Three types of auditing are available in a WPAR environment:
global, system, and auditing from global.
You can enable auditing in a global WPAR, inside a WPAR, or both.
The audit configuration for system WPAR and global WPAR is similar
to the configuration in a non-WPAR environment. You can initiate global
WPAR auditing for system and application WPARs.
Note: Auditing for application WPARs cannot be initiated from inside a WPAR, but it can
be initiated by using global WPAR auditing.
Global WPAR auditing helps global system administrators audit WPARs
from a global system. A global system administrator can control the
level of auditing for each WPAR from a single location by specifying
the classes to be audited for each WPAR in the global /etc/security/audit/config file.
By adding a WPARS stanza to the
/etc/security/audit/config file, the global-system administrator can provide the list of classes
to be audited for a WPAR. For example:
    WPARS:
        <wpar_name> = <auditclass>, ... <auditclass>
In the preceding example, <wpar_name> must be the WPAR name
of a system, and each auditclass parameter should be defined in the
classes stanza.
To configure auditing of the testwpar WPAR with the general, tcpip,
and lvm classes, add the following stanza to the
/etc/security/audit/config file:
    WPARS:
        testwpar = general,tcpip,lvm
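The following check is an added example, not part of the AIX documentation or tooling: it reads a file in the /etc/security/audit/config stanza format and reports every class that the WPARS stanza assigns to a WPAR but that the classes stanza does not define. The function names and the sample configuration (including the wpar1 entry with its undefined kernel class) are constructed for illustration, and the parser assumes one attribute per line.

```shell
#!/bin/sh
# Added example: print "wpar:class" for each class listed in the WPARS stanza
# that the classes stanza does not define; returns 1 if any are found.
undefined_wpar_classes() {
    awk '
        /^[ \t]*\*/ || /^[ \t]*$/ { next }      # comment or blank line
        /^[^ \t]+:[ \t]*$/ {                    # stanza header such as "classes:"
            stanza = $1; sub(/:$/, "", stanza); next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
            value = substr($0, eq + 1);   gsub(/[ \t]/, "", value)
            if (stanza == "classes") {
                known[name] = 1
            } else if (stanza == "WPARS") {
                if (!(name in wanted)) order[++n] = name
                wanted[name] = wanted[name] "," value   # merge repeated entries
            }
        }
        END {                                   # resolve after the whole file is read
            for (i = 1; i <= n; i++) {
                count = split(wanted[order[i]], cls, ",")
                for (j = 1; j <= count; j++)
                    if (cls[j] != "" && !(cls[j] in known)) {
                        print order[i] ":" cls[j]; bad = 1
                    }
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample in the config file format (event lists shortened).
sample_config() {
    cat <<'EOF'
classes:
        general = USER_SU,PASSWORD_Change
        tcpip = TCPIP_config
        lvm = LVM_AddLV

WPARS:
        testwpar = general,tcpip,lvm
        wpar1 = general, kernel
EOF
}

# Optional: pass the path of a config file to check it.
if [ "$#" -gt 0 ]; then undefined_wpar_classes "$1"; fi
```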
A global-system administrator can start and stop auditing on a
WPAR by using the audit command and specifying
the WPAR name as follows:
    audit start -@ <wparname1> -@ <wparname2> ...
    audit shutdown -@ <wparname1> -@ <wparname2> ...
You can audit WPAR objects from the global environment by specifying
the absolute paths to the objects that you want to audit. For example,
to define the audit events for the
/wpars/wpar1/etc/security/passwd file, add the following stanza to the
/etc/security/audit/objects file in the AIX® system that
is hosting the WPAR:
    /wpars/wpar1/etc/security/passwd:
        r = "WPAR1_PASSWD_RD"
        w = "WPAR1_PASSWD_WR"
The preceding stanza is parsed at audit start (-@ <wpar1>)
time to enable object auditing for the /etc/security/passwd object of wpar1. These attributes generate a WPAR1_PASSWD_RD audit
event each time the /wpars/wpar1/etc/security/passwd file is read. These attributes also generate a WPAR1_PASSWD_WR audit
event each time the file is opened for writing.
Note: You must enable auditing for the global environment before you
enable WPAR auditing from the global environment.
The auditpr command can be used to generate
an audit report that displays the WPAR name. For example:
    auditpr -v < /audit/trail