AIX

  • 1.  Rotate and purge old audit trail

    Posted Wed August 17, 2022 09:19 AM
    Hello,

    Can anyone tell me the best way to rotate the /audit/trail file and purge the rotated files when they are older than x days?


    Thanks in advance for your help.

    ------------------------------
    Sylvain
    ------------------------------


  • 2.  RE: Rotate and purge old audit trail

    IBM Champion
    Posted Thu August 18, 2022 03:49 AM
    Hi Sylvain,

    I suppose you configured AIX auditing in binary mode on your system. If it is so, you have the configuration file in /etc/security/audit/config. In the file you can find the section bin:

    bin:
    bincompact = off
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 10240
    cmds = /etc/security/audit/bincmds
    freespace = 65536
    backuppath = /audit
    backupsize = 0

    The section describes the parameters for the binary audit and the command used to create the audit trail:

    cmds = /etc/security/audit/bincmds

    In standard AIX installation it is a very simple command:

    # cat /etc/security/audit/bincmds
    /usr/sbin/auditcat -p -o $trail $bin

    You can try to change the command to suit your needs. E.g. you can limit the size of the trail:

    -s size
    Specifies the limit on the size of the trail file, after which a backup of the trail has to be taken. Size
    should be specified in units of 512-byte blocks. If the size parameter is negative or zero or any invalid
    value, auditcat will ignore the flag and value. The maximum possible value is 4194303 (about 2GB of
    free disk space).

    Or you can create filenames with the date in it and then delete it using a cron job.

    -o OutFile
    Specifies the audit trail file to which the auditcat command writes records. If you specify $trail
    as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system
    audit trail file.

    I hope it helps.

    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 3.  RE: Rotate and purge old audit trail

    Posted Thu August 18, 2022 04:50 AM
    Thanks Andrey.

    I tried to add a timestamp like $(date +%Y%m%d%H%M%S) to the trail file name, either in /etc/security/audit/bincmds or in /etc/security/audit/config, but without success.

    Any hints on how to do that?




  • 4.  RE: Rotate and purge old audit trail

    IBM Champion
    Posted Thu August 18, 2022 06:30 AM
    Hi Sylvain,

    First of all, I don't think that you want to have a new trail file every second ;-)

    For me, the following small change works as expected:

    # cat /etc/security/audit/bincmds
    /usr/sbin/auditcat -p -o $trail.$(date +%Y%m%d) $bin

    Output:

    # ls -l /audit
    total 40
    -rw------- 1 root system 0 Aug 18 12:25 auditb
    -rw-rw---- 1 root system 0 Aug 18 12:28 bin1
    -rw-rw---- 1 root system 3363 Aug 18 12:28 bin2
    -rw-r----- 1 root system 0 Aug 18 12:25 trail
    -rw-r----- 1 root system 12506 Aug 18 12:28 trail.20220818

    Don't forget to restart the audit daemon (audit shutdown, audit start) and check that your users have some audit classes to be audited:

    chuser auditclasses=ALL root

    I hope it helps.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 5.  RE: Rotate and purge old audit trail

    Posted Thu August 18, 2022 10:02 PM
    I have seen users add a cron job that calls the aixpert script: /etc/security/aixpert/bin/cronaudit.

    Some add a compression option in the script:
    audit off
    mv /audit/trail /audit/trailOneLevelBack
    --> gzip -c /audit/trailOneLevelBack > /audit/trailOneLevelBack.`date '+%m%d%y'`.gz
    audit on


    ------------------------------
    Jan Harris
    AIX Development Support (Liaison to the AIX Toolbox for Open Source)
    IBM (Contract)
    Austin TX
    ------------------------------
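Putting the two approaches in this thread together (the audit off / mv / gzip / audit on sequence from the last reply, and the dated file names plus a cron purge suggested earlier), here is an added example script that is not from any of the posters and not IBM's cronaudit script. The variables AUDIT_DIR, KEEP_DAYS and AUDIT_CMD are assumptions of this example; AUDIT_CMD exists only so the rotation logic can be exercised on a non-AIX box where the audit command does not exist.

```shell
#!/bin/sh
# Added example (not from the thread): rotate the binary audit trail into a
# dated, compressed copy and purge compressed copies older than KEEP_DAYS days.
# AUDIT_DIR, KEEP_DAYS and AUDIT_CMD are hypothetical variables of this example;
# AUDIT_CMD defaults to the AIX 'audit' command and can be set to 'true' for a
# dry run on a system without AIX auditing.
AUDIT_DIR="${AUDIT_DIR:-/audit}"
KEEP_DAYS="${KEEP_DAYS:-30}"
AUDIT_CMD="${AUDIT_CMD:-audit}"

# rotate_trail DIR KEEP_DAYS
# 1. stop auditing, 2. move the live trail to trail.<timestamp>, 3. restart
# auditing, 4. compress the rotated copy, 5. delete trail.*.gz older than KEEP_DAYS.
# Compression happens after 'audit on' so the window without auditing stays short.
rotate_trail() {
    dir="$1"; keep="$2"
    [ -d "$dir" ] || return 1
    stamp=$(date '+%Y%m%d%H%M')
    rotated="$dir/trail.$stamp"

    "$AUDIT_CMD" off || return 1
    if [ -s "$dir/trail" ]; then
        # if the move fails, bring auditing back before giving up
        mv "$dir/trail" "$rotated" || { "$AUDIT_CMD" on; return 1; }
    fi
    "$AUDIT_CMD" on || return 1

    if [ -f "$rotated" ]; then
        gzip "$rotated" || return 1
    fi
    # purge only dated, compressed trails; never the live trail or the bin files
    find "$dir" -name 'trail.*.gz' -type f -mtime +"$keep" -exec rm -f {} \;
}

# count_rotated DIR: number of compressed trails currently kept
count_rotated() {
    find "$1" -name 'trail.*.gz' -type f | wc -l | tr -d ' '
}

# From root's crontab on AIX, e.g. once a day:
#   rotate_trail "$AUDIT_DIR" "$KEEP_DAYS"
```

The purge relies on the modification time of the .gz files, so copying archives elsewhere and back will reset the clock on them.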