This procedure is intended only for the configuration of auditing in stream mode and for the configuration of tracking the cron events CRON_Start and CRON_Finish. (In stream mode, the report is written in ASCII.) This document applies to all levels of AIX Version 4.
Two files in the /etc/security/audit directory must be modified in order to monitor cron events. They are:
The default settings of the bin and stream stanzas are:

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds
NOTE: The following is on one line, with no spaces between commas. This line or one similar may already be present in AIX Version 4.
cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
<user> = <audit class>, <audit class>
For example, to enable tracking of cron events from root's crontab table, enter:
root = cron
NOTE: These lines or something similar may already be present in AIX Version 4.
CRON_Start = printf "event = %s cmd = %s time = %s"
CRON_Finish = printf "user = %s pid = %s time = %s"
The purpose of these formatting instructions is to enable the auditpr command to write customized data in the audit record for the event.
NOTE: There was a defect in the documentation related to cron events (IX34755). The names for the cron start and stop events were documented as CRON_start and CRON_finish; they should have been CRON_Start and CRON_Finish.
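Added example (not part of the original IBM document): a POSIX shell check that a copy of the audit configuration lists CRON_Start and CRON_Finish in the cron class with the exact capitalisation and with no spaces in the event list, as the notes above require. The function name check_cron_class, the sample files and the temporary directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the original document.
# check_cron_class FILE: return 0 if FILE's "cron = ..." class line lists
# CRON_Start and CRON_Finish with exact capitalisation and no embedded spaces.
check_cron_class() {
    line=$(grep -E '^[[:space:]]*cron[[:space:]]*=' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no 'cron =' class line in $1"
        return 1
    fi
    # Strip "cron =" and trailing blanks, leaving only the event list.
    events=$(printf '%s\n' "$line" | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
    rc=0
    if [ "$(printf '%s' "$events" | tr -d ' \t')" != "$events" ]; then
        echo "FAIL: whitespace inside event list: $events"
        rc=1
    fi
    for want in CRON_Start CRON_Finish; do
        # Match whole comma-separated fields, case-sensitively.
        if ! printf '%s\n' "$events" | tr -d ' \t' | tr ',' '\n' | grep -qx "$want"; then
            echo "FAIL: $want not in cron class"
            rc=1
            # CRON_start / CRON_finish are the misdocumented names (IX34755).
            if printf '%s\n' "$events" | grep -qi "$want"; then
                echo "      a differently capitalised spelling is present"
            fi
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $events"
    return "$rc"
}

# Constructed sample files (assumption: same layout as /etc/security/audit/config).
SAMPLE_DIR=${TMPDIR:-/tmp}/cronaudit.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/good" <<'EOF'
classes:
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
EOF
cat > "$SAMPLE_DIR/bad" <<'EOF'
classes:
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove, CRON_start,CRON_finish
EOF

check_cron_class "$SAMPLE_DIR/good" || true
check_cron_class "$SAMPLE_DIR/bad" || true
```

Run it against a copy of the configuration file before restarting the audit subsystem; a nonzero return means the cron class line needs correcting.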
/etc/auditstream | auditpr -v > /audit/stream.out &
audit shutdown
audit start

APAR       AIX LEVEL
IY08644    4.3.3
[ Doc Ref: 90605200014608 Publish Date: Jan. 17, 2001 4FAX Ref: 9572 ]