Hi Michael,
here are the configuration files:
/etc/security/audit/config
start:
binmode = off
streammode = on
bin:
bincompact = off
backupsize = 0
backuppath = /audit
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
stream:
cmds = /etc/security/audit/streamcmds
classes:
general = USER_SU,PASSWORD_Change
objects = S_PASSWD_READ,S_PASSWD_WRITE,AUD_CONFIG_WR
files = No_Events
TCPIP = No_Events
SRC = No_Events
kernel = No_Events
SVIPC = No_Events
mail = No_Events
cron = No_Events
users:
default = loginout,general
role:
/etc/security/audit/streamcmds
# Started in the background by "audit start" (it appears as an "sh -c ..."
# process): the live audit stream is rendered by auditpr -v and piped into
# stream2syslog.ksh.  Presumably it runs with the privileges of the audit
# subsystem, so stream2syslog.ksh should be writable only by its owner.
/usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &
/etc/security/audit/stream2syslog.ksh
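# stream2syslog.ksh -- normalise selected audit records from "auditpr -v"
# into one ";"-separated line each and hand them to syslog via logger.
#
# Record layout assumed (TODO confirm against auditpr -v on this system):
# a header line whose fields are event name ($1), user ($2), status ($3) and
# program ($NF), followed by ONE detail line.  Each rule captures the header,
# reads the detail line and prints both on a single output line.
#
# Note: the posted /etc/security/audit/config has "files = No_Events" and
# assigns only "loginout,general" to users, so the FILE_* and S_GROUP_WRITE
# rules below only fire if those events are enabled elsewhere -- verify the
# classes/users stanzas if expected records never show up in syslog.
awk '
# Remember the header fields of the record that matched.
function head() { act = $1; user = $2; stat = $3; app = $NF }

# Read the detail line into $0.  Returns false when the stream ends without
# one, so the caller can skip the record instead of printing the header twice.
function detail(rc) { rc = getline; return rc > 0 }

# Print one output line: the header fields, then the per-event tail.
# Separators are printed as separate arguments so OFS yields " ; ".
function emit(tail) { print act, ";", user, ";", stat, ";", app, ";", tail }

# Events whose detail line is printed whole; a ";" is inserted before the
# first "/" so the path becomes its own column.  "next" ensures the consumed
# detail line is not re-matched against the rules that follow.
/^S_GROUP_WRITE/ || /^AUD_CONFIG_WR/ || /^S_PASSWD_WRITE/ || /^PASSWORD_Change/ {
    head(); if (!detail()) next
    sub(/\//, ";/", $0)
    emit($0)
    next
}

# split() on the literal word replaces the former FS="filename" assignment:
# in POSIX awk a new FS applies only to the NEXT record read, so setting it
# after getline did not re-split the detail line already in $0 (behaviour
# was at best implementation-dependent).
/^FILE_Open/ {
    head(); if (!detail()) next
    split($0, part, "filename")
    sub(/\//, ";/", part[2])
    emit(part[2])
    next
}

/^FILE_Owner/ {
    head(); if (!detail()) next
    split($0, part, "filename")
    emit(part[1] " ; " part[2])
    next
}

/^FILE_Mode/ {
    head(); if (!detail()) next
    mode = $2; filename = $NF
    emit(mode " ; " filename)
    next
}

/^FILE_Accessx/ {
    head(); if (!detail()) next
    split($0, part, "detected")
    emit(part[2])
    next
}
' |
logger -r -p auth.notice -t audit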
When you start the audit subsystem [audit start], you will find the following background process:
sh -c /usr/sbin/auditstream | auditpr -v | /etc/security/audit/stream2syslog.ksh &?
regards