
Commands Reference, Volume 1


auditcat Command

Purpose

Writes bins of audit records.

Syntax

auditcat [ -p | -u ] [ -o OutFile ] [ -r ] [ InFile ]

Description

The auditcat command is part of the audit subsystem, and is one of several backend commands that process the audit data records.

The auditcat command reads bin files of audit records from standard input or from the file specified by the InFile parameter. The command then processes the records and writes its output to standard output or to the file specified by the OutFile parameter. The output can be compressed or not, depending on the flag selected.

One major use of the command is appending compressed bin files to the end of the system audit trail file.

If the /etc/security/audit/bincmds file includes $bin as the input file, input comes from the current bin file, bin1 or bin2. If the /etc/security/audit/bincmds file includes $trail as the output file, the records are written to the end of the system audit trail file.

If a bin file is not properly formed with a valid header and tail, an error is returned. See the auditpr command for information about audit headers and tails and the auditbin command for information on error recovery.

Flags


-o OutFile Specifies the audit trail file to which the auditcat command writes records. If you specify $trail as the file for the OutFile parameter, the auditbin daemon substitutes the name of the system audit trail file.
-p Specifies that the bin files be compressed (packed) upon output. The default value specifies that the bins not be compressed.
-r Requests recovery procedures. File names for both the InFile and OutFile parameters must be specified for recovery to occur, so the command syntax must be auditcat -o OutFile -r InFile. The command checks to see if the bin file specified for the InFile parameter is appended and if not, appends the bin file to the file specified by the OutFile parameter. If the bin file is incomplete, the auditcat command adds a valid tail and then appends the bin file to the file specified by the OutFile parameter.
-u Specifies that compressed trail files be uncompressed upon output.

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Examples

To configure the system to append audit bin data to the system audit trail file, add the following line to the /etc/security/audit/bincmds file:
/usr/sbin/auditcat -o $trail $bin

When the auditbin daemon calls the auditcat command, the daemon replaces the $bin string with the path name of the current bin file, and replaces the $trail string with the name of the default audit trail file.
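
The following check is an added example, not part of the original reference page or of AIX: a POSIX shell lint that validates auditcat entries from a bincmds file against the syntax above, including the rule that -r needs both -o OutFile and InFile. The function names check_auditcat_line, audit_bincmds and sample_bincmds, and the second sample entry, are constructed for illustration.

```shell
# Lint auditcat entries against: auditcat [ -p | -u ] [ -o OutFile ] [ -r ] [ InFile ]
# Function names and the sample entries are constructed for this example.

# check_auditcat_line LINE: 0 = valid (prints "ok out=.. in=.."),
# 1 = violation (prints the reason), 2 = not an auditcat entry.
check_auditcat_line() {
    set -f; set -- $1; set +f        # split on whitespace without globbing
    case "${1:-}" in
        auditcat|*/auditcat) shift ;;
        *) return 2 ;;
    esac
    p=0 u=0 r=0 outfile="" infile=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p) p=1 ;;
            -u) u=1 ;;
            -r) r=1 ;;
            -o) shift; outfile="${1:-}"
                [ -n "$outfile" ] || { echo "-o without OutFile"; return 1; } ;;
            -*) echo "unknown flag $1"; return 1 ;;
            *)  [ -z "$infile" ] || { echo "more than one InFile"; return 1; }
                infile="$1" ;;
        esac
        shift
    done
    [ "$p$u" = 11 ] && { echo "-p and -u are mutually exclusive"; return 1; }
    if [ "$r" = 1 ] && { [ -z "$outfile" ] || [ -z "$infile" ]; }; then
        echo "-r requires both -o OutFile and InFile"; return 1
    fi
    echo "ok out=$outfile in=$infile"
}

# audit_bincmds < FILE: returns 0 only if every auditcat entry is valid
# and one of them writes $bin to $trail, as in the Examples section.
audit_bincmds() {
    bad=0 appends=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1)); st=0
        msg=$(check_auditcat_line "$line") || st=$?
        [ "$st" = 1 ] && { echo "line $n: $msg"; bad=$((bad + 1)); }
        [ "$msg" = 'ok out=$trail in=$bin' ] && appends=1
    done
    [ "$appends" = 1 ] || echo "no entry writes \$bin to \$trail"
    [ "$bad" = 0 ] && [ "$appends" = 1 ]
}

# Constructed sample: entry 1 is the page's example, entry 2 misuses -r.
sample_bincmds() { printf '%s\n' '/usr/sbin/auditcat -o $trail $bin' \
                                 '/usr/sbin/auditcat -p -r $bin'; }
sample_bincmds | audit_bincmds || echo "bincmds needs review"
```

To check a real configuration, run audit_bincmds < /etc/security/audit/bincmds.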

Files


/usr/sbin/auditcat Specifies the path to the auditcat command.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.

Related Information

The audit command, auditconv command, auditpr command, auditselect command.

auditbin daemon.

For general information on auditing, refer to Auditing Overview in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

