IBM Support

AIX AUDIT: How to rotate the audit BIN trail file

How To


Summary

A customized method to rotate audit BIN trail data.

Objective

The AIX audit BIN mode alternates between two binary files defined in the /etc/security/audit/config file. When one BIN file is full, audit switches to the other BIN file and appends the accumulated data from the first BIN to the audit TRAIL file. The trail file can grow very large, so many administrators want to back up, rotate, and compress it. This example provides a method to achieve these goals.

Steps

The AIX Security Expert provides a cron script that rotates the binary audit trail for AIXpert.
You can create a copy of /etc/security/aixpert/bin/cronaudit, then modify it to meet your space and rotation requirements.
1) The following syntax copies the cronaudit file, and adds some variables, so you can customize the script as needed.
           *** NOTE:  Customization is out of the scope of AIX Support
# You can paste the entire content of this box into a shell script.
# Change these variables as needed. The "fFile" must match the bin: "trail" file value in /etc/security/audit/config.
# Note: By default, the cronaudit script moves the file to a new file name in the same /audit directory. You should consider a different location for best security and space practices. This example moves the file to the /auditBackup file system, and appends a date stamp. Modify this location as needed to meet your requirements.
export CUSTOMFILE=/etc/security/audit/cronaudit.custom
export tFile=/audit/trail
export bFile=/auditBackup/trailOneLevelBack
perl -pe 's/\/audit\/trailOneLevelBack/\$BACKUP/g;s/\/audit\/trail\b/\$TRAIL/g' /etc/security/aixpert/bin/cronaudit | \
perl -pe 's/LOG=\/etc\/security\/aixpert\/log\/aixpert.log/$&\nTRAIL=$ENV{tFile}\nBACKUP=$ENV{bFile}/' | \
perl -pe 's/mv \$TRAIL \$BACKUP/NEWBACKUP=\$BACKUP.`date '+%y%m%d%H%M'`\nmv \$TRAIL \$NEWBACKUP/' > $CUSTOMFILE


printf "\n%s was created.\nModify variables as needed, starting at this line:\n" $CUSTOMFILE
grep -ni "LOG=" $CUSTOMFILE
printf "\nAdd compression commands if required, after this line:\n"
# Single quotes keep $TRAIL literal: TRAIL is defined inside the generated script, not in this shell.
grep -ni 'mv $TRAIL' $CUSTOMFILE
printf "\nAdd %s as a scheduled cron job.\n" $CUSTOMFILE
# Now update permissions
chmod 500 $CUSTOMFILE
chown root.system  $CUSTOMFILE

Example output:
/etc/security/audit/cronaudit.custom was created.
Modify variables as needed, starting at this line:
49:LOG=/etc/security/aixpert/log/aixpert.log
Add compression commands if required, after this line:
113:            mv $TRAIL $BACKUP
Add /etc/security/audit/cronaudit.custom as a scheduled cron job.
2) You can add a compression command after line 112, per the script output. You can install gzip from the AIX Toolbox for Open Source Software, or you can use the native AIX compress command.
In this example, $CUSTOMFILE=/etc/security/audit/cronaudit.custom
# vi /etc/security/audit/cronaudit.custom
# Add a gzip command
if [ $freespace -lt $cutoff ]
then
    audit off
113:mv $TRAIL $NEWBACKUP
    # Add the gzip command (see the next line)
    /opt/freeware/bin/gzip $NEWBACKUP
    audit on
fi
exit 0
OR use AIX native 'compress':
if [ $freespace -lt $cutoff ]
then
    audit off
113:mv $TRAIL $NEWBACKUP
    # Add the compress command (see the next line)
    if compress -c $NEWBACKUP > $NEWBACKUP.Z
    then
        rm $NEWBACKUP
    else
        echo "Could not compress!"
    fi
    audit on
fi
exit 0
3) You can add the cronaudit.custom as a cron job.
root@hostname: # crontab -e
0 * * * * /etc/security/audit/cronaudit.custom
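The three steps above (generate the custom script, add compression, schedule it) come together in the following added example. It is not IBM's cronaudit script and not code from this page; it is a stand-alone routine that performs the same rotation sequence (pause auditing, move the trail aside under a date-stamped name, compress the copy, resume auditing) with the checks a practitioner would want. Everything below that is not on the page is an assumption: the function names, the size-based rotation test (cronaudit tests free space instead), the AUDIT_CMD variable that lets the routine be exercised against a scratch directory, and gzip standing in for /opt/freeware/bin/gzip or compress. One deliberate difference from the fragments above: auditing is re-enabled right after the mv, before the slow compression step, so the window with no audit record is only as long as the rename.

```shell
#!/bin/sh
# Added example, not IBM's cronaudit: rotate an AIX audit trail safely.
# Assumptions (mine, not from the page): parameters below, AUDIT_CMD, gzip.

AUDIT_CMD=${AUDIT_CMD:-audit}   # on AIX this runs "audit off" / "audit on"

# trail_needs_rotation TRAIL MAX_BYTES
# Succeeds when TRAIL exists and is at least MAX_BYTES long. cronaudit
# checks free space in the file system; a size test is used here because
# it is portable and easy to verify.
trail_needs_rotation() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "${size:-0}" -ge "$2" ]
}

# rotate_trail TRAIL BACKUP_DIR [STAMP]
# Moves TRAIL to BACKUP_DIR/trail.STAMP and compresses it to .gz.
# Returns 0 on success. On any failure after "audit off" it still turns
# auditing back on and returns 1, so a failed rotation never leaves the
# system unaudited.
rotate_trail() {
    trail=$1
    backup_dir=$2
    stamp=${3:-$(date '+%y%m%d%H%M')}
    newbackup="$backup_dir/trail.$stamp"

    if [ ! -f "$trail" ]; then
        echo "no trail file at $trail" >&2; return 1
    fi
    if [ ! -d "$backup_dir" ]; then
        echo "no backup directory $backup_dir" >&2; return 1
    fi
    if [ -e "$newbackup" ]; then
        echo "$newbackup already exists, refusing to overwrite" >&2; return 1
    fi

    # Stop the audit subsystem so the bin-to-trail merge is not writing
    # into the file while it is moved.
    "$AUDIT_CMD" off || return 1

    # mv only; within one file system this is a rename and takes no time.
    rc=0
    mv "$trail" "$newbackup" || rc=$?

    # Resume auditing immediately. The page's fragments compress before
    # "audit on"; compressing afterwards keeps the audit gap minimal.
    "$AUDIT_CMD" on || return 1
    if [ "$rc" -ne 0 ]; then
        echo "mv of $trail failed" >&2; return 1
    fi

    # Same pattern as the page's compress example: write the compressed
    # copy first and remove the uncompressed file only if that succeeded.
    if gzip -c "$newbackup" > "$newbackup.gz"; then
        rm "$newbackup"
    else
        echo "Could not compress $newbackup, uncompressed copy kept" >&2
        rm -f "$newbackup.gz"
        return 1
    fi
    # Archived trail stays readable by root only, like the live /audit files.
    chmod 600 "$newbackup.gz"
}

# Stand-alone use on AIX (paths from the page): rotate when over 100 MB.
if [ "${1:-}" = "--run" ]; then
    if trail_needs_rotation /audit/trail 104857600; then
        rotate_trail /audit/trail /auditBackup || exit 1
    fi
fi
```

Scheduled with the same crontab line as step 3 (passing --run), the script rotates only when the trail has reached the threshold, and the date-stamped, compressed copies accumulate in /auditBackup where a separate retention job can prune them.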

Additional Information

SUPPORT

Security configuration involves comprehensive features. Most of these features require advanced review and planning by administrators who are familiar with all of their system requirements. AIX Support does not make specific recommendations to harden your system. Customization is out of the scope of AIX Support, but if you have specific questions about documented usage, our support experts are happy to assist.

You can learn more about the audit functionality on AIX and best practices through the following resources:

If you have specific questions about usage after reviewing the recommended documentation, IBM AIX Support will be happy to assist.

If you require consulting services, fee-based services are also available.

If you require usage assistance, use the following step-by-step instructions to contact IBM to open a case for software with an active and valid support contract.  

1.  Document (or collect screen captures of) all symptoms, errors, and messages related to your issue.

2.  Capture any logs or data relevant to the situation.

3.  Contact IBM to open a case:

   - For electronic support, see the IBM Support Community:
     https://www.ibm.com/mysupport
   - If you require telephone support, see the web page:
     https://www.ibm.com/planetwide/

4.  Provide a clear, concise description of the issue.


5.  If the system is accessible, collect a system snap, and upload all of the details and data for your case.

  - For guidance, see: Working with IBM AIX Support: Collecting snap data


Document Information

Modified date:
24 May 2024

UID

ibm16825065