AIX

AIX

Connect with fellow AIX users and experts to gain knowledge, share insights, and solve problems.


#Power
#Power
 View Only

  • 1.  auditing USER_Login

    Posted Tue March 03, 2009 08:36 AM

    Originally posted by: styerd


    The Files Reference for "/etc/security/audit/events" shows that one may specify an arbitrary program for formating an audit event tail of the form "AuditEvent = FormatCommand" where "FormatCommand" is "Program -i n Arg ...". It would appear that any executablable can be called at the time that an audit event is logged. There is no example of this form being used. Is anyone using this?
    #AIX-Forum


  • 2.  Re: auditing USER_Login

    Posted Fri March 20, 2009 11:07 AM

    Originally posted by: styerd


    I'll answer my own question ...

    I eventually got this to work but of course the executable only runs when "auditpr" is invoked. I find I have 2 alternatives for monitoring USER_Login; 1, the poor mans monitor, to simply add code that executes when /etc/profile executes; and 2, the cadillac, to enable audit streaming by setting "streammode = on" in "/etc/security/audit/config" and then adding an executable to the pipeline in "/etc/security/audit/streamcmds" to read and write stdin to stdout and identify the "USER_Login" audit records as they occur.
    #AIX-Forum


Related Content