Setting Up Auditing to Monitor cron Events in AIX 4.x


Contents

About this document
    Related documentation
Procedure
Recommended fixes

About this document

This procedure is intended only for the configuration of auditing in stream mode and for the configuration of tracking the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to all levels of AIX Version 4.

Related documentation

The AIX Version 4.3 and hardware product documentation library is also available:
http://www.rs6000.ibm.com/resource/aix_resource/Pubs/index.html


Procedure

Two files in the /etc/security/audit directory must be modified in order to monitor cron events. They are:

  1. In the start stanza in the /etc/security/audit/config file, streammode should be set to ON and binmode should be set to OFF.

    The default setting of the bin and stream stanzas are:

        bin: 
                  trail = /audit/trail 
                  bin1 = /audit/bin1 
                  bin2 = /audit/bin2 
                  binsize = 10240 
                  cmds = /etc/security/audit/bincmds 
    stream: 
                  cmds = /etc/security/audit/streamcmds 
    
  2. Group cron audit events into sets of similar items called audit classes. Define these audit classes in the classes stanza of the /etc/security/audit/config file. The CRON_Start and CRON_Finish events monitor cron job start and finish events. The following shows the cron audit class with every event that auditing can track.

    NOTE: The following is on one line, with no spaces between commas. This line or one similar may already be present in AIX Version 4.

    cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove, 
    CRON_Start,CRON_Finish 
    
  3. To assign audit classes to an individual user, add a line to the users stanza of the /etc/security/audit/config file. Each line is in the form
        <user> = <audit class>, <audit class> 
    

    For example, to enable tracking of cron events from root's crontab table, enter:

        root = cron 
    
  4. From the list in the /etc/security/audit/events file, select or add system activities (events) to be audited. The following is an example of the CRON_Start and CRON_Finish events:

    NOTE: These lines or something similar may already be present in AIX Version 4.

        CRON_Start = printf "event = %s cmd = %s time = %s" 
        CRON_Finish = printf "user = %s pid = %s time = %s" 
    

    The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.

    NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.

  5. The output file for the cron report is specified in /etc/security/audit/streamcmds. The default setting for streamcmds is:
        /etc/auditstream | auditpr -v > /audit/stream.out & 
    
  6. After the config and events files have been changed, auditing must be restarted so that it will be reinitialized with the new parameters. To restart auditing, enter:
        audit shutdown 
        audit start 
    

Recommended fixes

   APAR        AIX LEVEL
 IY08644        4.3.3



[ Doc Ref: 90605200014608     Publish Date: Jan. 17, 2001     4FAX Ref: 9572 ]