Hello,

anyone can tell me what is the best way to rotate /audit/trail file and purge when they are older than x days ?


Thanks in advance for your help.

------------------------------
Sylvain
------------------------------

Hi Sylvain,

I suppose you configured AIX auditing in binary mode on your system. If it is so, you have the configuration file in /etc/security/audit/config. In the file you can find the section bin:

bin:
bincompact = off
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0

The section describes the parameter for the binary audit and the command used to create the audit trail:

cmds = /etc/security/audit/bincmds

In standard AIX installation it is a very simple command:

# cat /etc/security/audit/bincmds
/usr/sbin/auditcat -p -o $trail $bin

You can try to change the command to suit your needs. E.g. you can limit the size of the trail:

-s size
Specifies the limit on size of the trail file, after which backup of trail had to be taken . Size
should be specified in units of 512-byte blocks. If size parameter is ve or zero or any invalid
value, auditcat will ignore flag and value. The maximum possible value is 4194303 (about 2GB of
free disk space).

Or you can create filenames with the date in it and then delete it using a cron job.

-o OutFile
Specifies the audit trail file to which the auditcat command writes records. If you specify $trail
as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system
audit trail file.

I hope it helps.

------------------------------
Andrey Klyachkin

https://www.power-devops.com
------------------------------

Original Message:
Sent: Wed August 17, 2022 09:19 AM
From: Sylvain
Subject: Rotate and purge old audit trail

Hello,

anyone can tell me what is the best way to rotate /audit/trail file and purge when they are older than x days ?


Thanks in advance for your help.

------------------------------
Sylvain
------------------------------

Thanks Andrey.

I tried to add timestamp like $(date +%Y%m%d%H%M%S) to trail file name either in /etc/security/audit/bincmds or in /etc/security/audit/config but without success.

Any hints on how to do that ?


Original Message:
Sent: 8/18/2022 3:49:00 AM
From: Andrey Klyachkin
Subject: RE: Rotate and purge old audit trail

Hi Sylvain,

I suppose you configured AIX auditing in binary mode on your system. If it is so, you have the configuration file in /etc/security/audit/config. In the file you can find the section bin:

bin:
bincompact = off
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0

The section describes the parameter for the binary audit and the command used to create the audit trail:

cmds = /etc/security/audit/bincmds

In standard AIX installation it is a very simple command:

# cat /etc/security/audit/bincmds
/usr/sbin/auditcat -p -o $trail $bin

You can try to change the command to suit your needs. E.g. you can limit the size of the trail:

-s size
Specifies the limit on size of the trail file, after which backup of trail had to be taken . Size
should be specified in units of 512-byte blocks. If size parameter is ve or zero or any invalid
value, auditcat will ignore flag and value. The maximum possible value is 4194303 (about 2GB of
free disk space).

Or you can create filenames with the date in it and then delete it using a cron job.

-o OutFile
Specifies the audit trail file to which the auditcat command writes records. If you specify $trail
as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system
audit trail file.

I hope it helps.

------------------------------
Andrey Klyachkin

https://www.power-devops.com
------------------------------

Original Message:
Sent: Wed August 17, 2022 09:19 AM
From: Sylvain
Subject: Rotate and purge old audit trail

Hello,

anyone can tell me what is the best way to rotate /audit/trail file and purge when they are older than x days ?


Thanks in advance for your help.

------------------------------
Sylvain
------------------------------

Hi Sylvain,

first of all I don't think that you want to have a new trail file every second ;-)

As for me the following small change works as expected:

# cat /etc/security/audit/bincmds
/usr/sbin/auditcat -p -o $trail.$(date +%Y%m%d) $bin

Output:

# ls -l /audit
total 40
-rw------- 1 root system 0 Aug 18 12:25 auditb
-rw-rw---- 1 root system 0 Aug 18 12:28 bin1
-rw-rw---- 1 root system 3363 Aug 18 12:28 bin2
-rw-r----- 1 root system 0 Aug 18 12:25 trail
-rw-r----- 1 root system 12506 Aug 18 12:28 trail.20220818

Don't forget to restart audit daemon (audit shutdown, audit start) and check that your users have some audit classes to be audited:

chuser auditclasses=ALL root

I hope it helps.



------------------------------
Andrey Klyachkin

https://www.power-devops.com
------------------------------

Original Message:
Sent: Thu August 18, 2022 04:49 AM
From: Sylvain
Subject: Rotate and purge old audit trail

Thanks Andrey.

I tried to add timestamp like $(date +%Y%m%d%H%M%S) to trail file name either in /etc/security/audit/bincmds or in /etc/security/audit/config but without success.

Any hints on how to do that ?


Original Message:
Sent: 8/18/2022 3:49:00 AM
From: Andrey Klyachkin
Subject: RE: Rotate and purge old audit trail

Hi Sylvain,

I suppose you configured AIX auditing in binary mode on your system. If it is so, you have the configuration file in /etc/security/audit/config. In the file you can find the section bin:

bin:
bincompact = off
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0

The section describes the parameter for the binary audit and the command used to create the audit trail:

cmds = /etc/security/audit/bincmds

In standard AIX installation it is a very simple command:

# cat /etc/security/audit/bincmds
/usr/sbin/auditcat -p -o $trail $bin

You can try to change the command to suit your needs. E.g. you can limit the size of the trail:

-s size
Specifies the limit on size of the trail file, after which backup of trail had to be taken . Size
should be specified in units of 512-byte blocks. If size parameter is ve or zero or any invalid
value, auditcat will ignore flag and value. The maximum possible value is 4194303 (about 2GB of
free disk space).

Or you can create filenames with the date in it and then delete it using a cron job.

-o OutFile
Specifies the audit trail file to which the auditcat command writes records. If you specify $trail
as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system
audit trail file.

I hope it helps.

------------------------------
Andrey Klyachkin

https://www.power-devops.com

Original Message:
Sent: Wed August 17, 2022 09:19 AM
From: Sylvain
Subject: Rotate and purge old audit trail

Hello,

anyone can tell me what is the best way to rotate /audit/trail file and purge when they are older than x days ?


Thanks in advance for your help.

------------------------------
Sylvain
------------------------------

I have seen users add a cron job that calls the aixpert script: /etc/security/aixpert/bin/cronaudit.

Some add a compression option in the script:
audit off
mv /audit/trail /audit/trailOneLevelBack
--> gzip -c /audit/trailOneLevelBack > /audit/trailOneLevelBack.`date '+%m%d%y'`.gz
audit on


------------------------------
Jan Harris
AIX Development Support (Liaison to the AIX Toolbox for Open Source)
IBM (Contract)
Austin TX
------------------------------

Original Message:
Sent: Wed August 17, 2022 09:19 AM
From: Sylvain
Subject: Rotate and purge old audit trail

Hello,

anyone can tell me what is the best way to rotate /audit/trail file and purge when they are older than x days ?


Thanks in advance for your help.

------------------------------
Sylvain
------------------------------