audit – Control the AIX auditing subsystem.

Synopsis

Provides Ansible automation support for managing the AIX audit subsystem using the audit command.

The module supports start, shutdown, on, off, and query operations with validation for WPAR and fullpath/panic options.

It reads configuration from /etc/security/audit/config and related audit configuration files.

Requirements

The following requirements are needed on the host that executes this module.

  • AIX >= 7.1

Parameters

action (True, str, None)

Defines the audit operation to perform.

start Starts the audit subsystem. This option reads the instructions in the configuration files and performs the auditing.

shutdown Stops the collection of audit records and resets the configuration information by removing the definition of classes from the kernel tables.

off Suspends the auditing system but leaves the configuration valid. Data collection pauses until you give the ‘audit on’ command.

on Restarts the auditing system after a suspension.

query Queries the auditing status of the audit subsystem.

panic (optional, bool, False)

Used only with action=on. Enables panic mode (system halts if bin data cannot be written).

fullpath (optional, bool, False)

Used with action=on. Enables full path capture for FILE_* and PROC_* events.

recorded_output (optional, str, None)

File path where audit logs will be saved using auditpr.

Log capture is only performed for query, shutdown, and off actions.

Requires binary mode (binmode = on) in /etc/security/audit/config.

The output file will be overwritten on each run to avoid duplicate data.

audit_trail_path (optional, str, None)

Path to audit trail file or directory. Overrides the path from /etc/security/audit/config.

If a specific file is provided, only that file will be processed.

If a directory is provided, all trail files (trail, bin1, bin2, auditb) in that directory will be processed.

capture_delay (optional, int, 2)

Seconds to wait before capturing logs (only for query action).

Ensures recent events are flushed to disk before reading.

auditpr_verbose (optional, bool, True)

Enable verbose output in auditpr (-v flag).

auditpr_header_type (optional, int, 1)

Header display type for auditpr output.

0 = no header, 1 = header once, 2 = header repeated.

auditpr_fields (optional, str, E,l,R,t,c,r,p,P,T,h,W)

Comma-separated list of fields to display in auditpr output.

Available fields: E (event), l (login), R (result), t (time), c (command), r (real_user), p (pid), P (ppid), T (tid), h (host), W (wpar)

auditpr_message (optional, str, None)

Custom message to display with each heading in auditpr output (-m flag).

auditpr_suppress_translation (optional, bool, False)

Suppress ID translation to symbolic names in auditpr output (-r flag).

auditpr_single_line (optional, bool, False)

Display the trail and audit record on a single line (-w flag). Mutually exclusive with auditpr_verbose.

auditpr_long_usernames (optional, bool, False)

Print long user names at the end of the audit record (-X flag).
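
As an added example (not the module's own code and not from the collection that ships it), the following Python shows how the parameters above map onto the audit and auditpr command lines that the module reports in its cmd and auditpr_cmd return values, and it applies the validation rules stated above: panic/fullpath only with action=on, log capture only for query, shutdown and off, the binmode = on requirement, the auditpr_verbose/auditpr_single_line exclusion, and the file-versus-directory handling of audit_trail_path. The function names, the /audit/trail fallback path used when no audit_trail_path is given, and the assumption that panic and fullpath are passed to audit on as positional keywords are this example's own.

```python
"""Illustrative mapping of the documented module parameters onto AIX
`audit` / `auditpr` command lines. Written for this page; not the
module's implementation. Assumptions: function names, the /audit/trail
fallback path, and that `panic`/`fullpath` follow `audit on` as keywords."""
import os
import shlex
import tempfile

ACTIONS = {"start", "shutdown", "on", "off", "query"}
CAPTURE_ACTIONS = {"query", "shutdown", "off"}          # recorded_output applies only here
TRAIL_FILE_NAMES = ("trail", "bin1", "bin2", "auditb")  # processed when a directory is given
DEFAULT_FIELDS = "E,l,R,t,c,r,p,P,T,h,W"                # module default for auditpr_fields


def build_audit_cmd(action, panic=False, fullpath=False):
    """Return the `audit` command line; panic/fullpath are only valid with action=on."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action: {action!r}")
    if (panic or fullpath) and action != "on":
        raise ValueError("panic and fullpath are only valid with action=on")
    parts = ["audit", action]
    if panic:
        parts.append("panic")
    if fullpath:
        parts.append("fullpath")  # assumed keyword form; confirm against the host's audit man page
    return " ".join(parts)


def resolve_trail_files(audit_trail_path, config_trail="/audit/trail"):
    """Trail files to process: an explicit file as-is, a directory's known
    trail files (those that exist), or the config path when nothing is given."""
    if audit_trail_path is None:
        return [config_trail]
    if os.path.isdir(audit_trail_path):
        found = [os.path.join(audit_trail_path, name) for name in TRAIL_FILE_NAMES
                 if os.path.isfile(os.path.join(audit_trail_path, name))]
        if not found:
            raise FileNotFoundError(f"no trail files found in {audit_trail_path}")
        return found
    return [audit_trail_path]


def build_auditpr_cmd(trail_file, verbose=True, header_type=1, fields=DEFAULT_FIELDS,
                      message=None, suppress_translation=False, single_line=False,
                      long_usernames=False):
    """Return the auditpr command line for one trail file, using the flag
    mapping documented above (-v, -t, -h, -m, -r, -w, -X)."""
    if verbose and single_line:
        raise ValueError("auditpr_single_line is mutually exclusive with auditpr_verbose")
    if header_type not in (0, 1, 2):
        raise ValueError("auditpr_header_type must be 0, 1 or 2")
    parts = ["auditpr", "-i", trail_file]
    if verbose:
        parts.append("-v")
    if single_line:
        parts.append("-w")
    parts += ["-t", str(header_type), "-h", fields]
    if message is not None:
        parts += ["-m", message]
    if suppress_translation:
        parts.append("-r")
    if long_usernames:
        parts.append("-X")
    return shlex.join(parts)  # quotes a message that contains spaces


def plan_capture(action, recorded_output, binmode_on, audit_trail_path=None, **auditpr_opts):
    """Return the auditpr command(s) a run would execute, or [] when no
    capture applies. Raises when binmode is off, since capture requires it."""
    if recorded_output is None or action not in CAPTURE_ACTIONS:
        return []
    if not binmode_on:
        raise RuntimeError("recorded_output requires binmode = on in /etc/security/audit/config")
    return [build_auditpr_cmd(path, **auditpr_opts)
            for path in resolve_trail_files(audit_trail_path)]


def is_rejected(fn, *args, **kwargs):
    """True when the call fails validation with ValueError."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


def demo_directory_resolution():
    """Constructed sample: a temporary directory holding two of the four
    trail file names plus an unrelated file; returns the basenames selected."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("bin2", "trail", "notes.txt"):
            open(os.path.join(tmp, name), "w").close()
        return [os.path.basename(p) for p in resolve_trail_files(tmp)]


if __name__ == "__main__":
    print(build_audit_cmd("on", panic=True))
    for cmd in plan_capture("query", "/var/log/audit.log", True, fields="E,l,t,c"):
        print(cmd)
    print(demo_directory_resolution())
```

With the defaults, build_auditpr_cmd produces exactly the auditpr_cmd string shown in the Return Values section, which is a quick way to confirm that a parameter set you intend to use in a task maps to the auditpr invocation you expect before running it against a live trail.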

Examples

- name: Start the AIX audit subsystem
  audit:
    action: start

- name: Turn auditing off
  audit:
    action: 'off'

- name: Restart audit with panic mode
  audit:
    action: 'on'
    panic: true

- name: Query audit subsystem status
  audit:
    action: query

- name: Query audit and capture logs
  audit:
    action: query
    recorded_output: /var/log/audit.log

- name: Stop audit and capture complete logs
  audit:
    action: shutdown
    recorded_output: /var/log/audit_final.log

- name: Capture logs with custom fields
  audit:
    action: query
    recorded_output: /var/log/audit_custom.log
    auditpr_fields: 'E,l,t,c'

- name: Capture logs with custom auditpr options
  audit:
    action: query
    recorded_output: /var/log/audit_verbose.log
    auditpr_verbose: true
    auditpr_header_type: 1
    auditpr_fields: 'E,l,R,t,c,r,p,P,T,h,W'
    auditpr_long_usernames: true

- name: Stop and capture final logs
  audit:
    action: shutdown
    recorded_output: /var/log/audit_final.log

Return Values

msg (always, str, Audit command executed successfully with cmd: ‘audit query’ Audit logs from 2 trail file(s) written to ‘/var/log/audit.log’ using command: ‘auditpr -i /audit/trail -v -t 1 -h E,l,R,t,c,r,p,P,T,h,W’.)

Execution message indicating success or failure. Includes audit log capture details when recorded_output is specified.

cmd (always, str, audit query)

Full audit command executed.

rc (always, int, )

Return code from audit command.

stdout (always, str, )

Standard output from audit command.

stderr (on failure, str, )

Error output from audit command (if any).

log_capture_performed (when recorded_output is specified, bool, True)

Whether log capture was performed.

auditpr_cmd (when log capture is performed, str, auditpr -i /audit/trail -v -t 1 -h E,l,R,t,c,r,p,P,T,h,W)

The auditpr command used to capture audit logs.

Authors

  • AIX Development Team (@vivekpandeyibm)