Hi Sylvain,
I suppose you configured AIX auditing in binary mode on your system. If it is so, you have the configuration file in /etc/security/audit/config. In the file you can find the section bin:
bin:
        bincompact = off
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
The section describes the parameters for the binary audit and the command used to create the audit trail:
        cmds = /etc/security/audit/bincmds
In a standard AIX installation it is a very simple command:
        # cat /etc/security/audit/bincmds
        /usr/sbin/auditcat -p -o $trail $bin
You can try to change the command to suit your needs. E.g. you can limit the size of the trail:
        -s size
            Specifies the limit on size of the trail file, after which backup of trail had to be taken. Size
            should be specified in units of 512-byte blocks. If size parameter is -ve or zero or any invalid
            value, auditcat will ignore flag and value. The maximum possible value is 4194303 (about 2GB of
            free disk space).
Or you can create filenames with the date in them and then delete them using a cron job.
        -o OutFile
            Specifies the audit trail file to which the auditcat command writes records. If you specify $trail
            as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system
            audit trail file.
I hope it helps.
------------------------------
Andrey Klyachkin
https://www.power-devops.com
------------------------------
Original Message:
Sent: Wed August 17, 2022 09:19 AM
From: Sylvain
Subject: Rotate and purge old audit trail
Hello,
Can anyone tell me what the best way is to rotate the /audit/trail file and purge when they are older than x days?
Thanks in advance for your help.
------------------------------
Sylvain
------------------------------
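
The purge half of the dated-filename approach suggested in the reply, as an added example that is not part of the original thread or of AIX itself. It assumes rotated copies sit in the backup directory under names of the form trail.<date> (a hypothetical naming scheme); the function name, script path and 30-day retention are also assumptions.

```shell
#!/bin/sh
# Added example: purge rotated audit trail copies older than a retention period.
# Assumptions (not from the thread): rotated copies are named trail.<date>,
# e.g. trail.20220817, and the live trail keeps the plain name "trail".

# purge_old_trails DIR DAYS [dry-run]
# Prints each file it removes (or would remove). Returns 2 on bad input.
purge_old_trails() {
    dir=$1 days=$2 mode=${3:-delete}

    # Accept only a positive integer, so a typo in the crontab cannot
    # become "-mtime +0" or an extra option passed to find.
    case $days in
        ''|*[!0-9]*) days=0 ;;
    esac
    if [ "$days" -le 0 ]; then
        echo "purge_old_trails: bad retention '$2'" >&2
        return 2
    fi
    # Refuse a missing directory or a symlink that could redirect the purge.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "purge_old_trails: '$dir' is not a real directory" >&2
        return 2
    fi

    # -type f skips symlinks and directories; 'trail.*' cannot match the
    # live "trail", "bin1" or "bin2"; -mtime +N matches files last modified
    # more than N full 24-hour periods ago.
    if [ "$mode" = dry-run ]; then
        find "$dir" -type f -name 'trail.*' -mtime +"$days" -print
    else
        find "$dir" -type f -name 'trail.*' -mtime +"$days" -print -exec rm -f {} \;
    fi
}

# Example root crontab entry keeping 30 days (script path is hypothetical):
# 0 3 * * * /usr/local/sbin/purge_audit_trail.sh /audit 30
if [ "$#" -ge 2 ]; then
    purge_old_trails "$@"
fi
```

Run it once with dry-run as the third argument and compare the listed files against your retention requirement before enabling the cron entry.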