audit_tool(8)

Name
audit_tool - ULTRIX auditlog reduction tool
Syntax
/usr/etc/sec/audit_tool [ option ... ] auditlog_filename
Description
The audit_tool command presents a human-readable format of selected
portions of the collected audit data. If no arguments are provided, a
brief help message is displayed. The auditlog file may be compressed or
uncompressed: the command uncompresses the auditlog file if necessary,
and re-compresses it afterwards if it was originally compressed.
Options are used to select specific audit records of interest. For a
record to be selected, it must match at least one option of each option
type specified. For example, if two usernames and one hostname were
specified, an audit record would have to match one of the usernames and
the hostname to be selected. Only one start/end time may be selected.
Only one deselection rulesfile may be selected. It is possible to
select as many events as exist on the system. For all other option
types, up to 8 instances may be selected.
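The selection rule above (OR within an option type, AND across option types, at most 8 values per type other than events, one time window in the yymmdd[hh[mm[ss]]] format used by -t and -T) is easy to get wrong when writing filters by hand. The following Python model is an added example, not part of the ULTRIX page or its tool; the record field names, the sample records, and the choice to round a partial -T timestamp up to the end of its period are all assumptions made for illustration.

```python
"""Model of audit_tool's record-selection semantics (added example).

A record is selected when, for every option type given, it matches at
least one of the values given for that type. Option types with no values
impose no restriction. Record layout and field names are assumptions.
"""
from datetime import datetime

# Which record field each option type compares against (assumed layout).
FIELD_FOR_OPTION = {
    "-a": "audit_id", "-e": "event", "-E": "error", "-h": "host",
    "-p": "pid", "-P": "ppid", "-r": "ruid", "-u": "uid", "-U": "username",
}


def parse_stamp(text, end=False):
    """Parse yymmdd[hh[mm[ss]]] into a datetime.

    Missing trailing fields default to the start of the period; with
    end=True (for -T) they default to the end of the period, so that an
    end time of 860420 still covers all of April 20. That rounding, and
    the 19yy century, are assumptions, not documented tool behaviour.
    """
    if len(text) not in (6, 8, 10, 12) or not text.isdigit():
        raise ValueError("timestamp must be yymmdd[hh[mm[ss]]]")
    yy, mm, dd = int(text[0:2]), int(text[2:4]), int(text[4:6])
    hh = int(text[6:8]) if len(text) >= 8 else (23 if end else 0)
    mi = int(text[8:10]) if len(text) >= 10 else (59 if end else 0)
    ss = int(text[10:12]) if len(text) >= 12 else (59 if end else 0)
    return datetime(1900 + yy, mm, dd, hh, mi, ss)


def select_records(records, criteria, start=None, end=None):
    """Return records matching every option type in `criteria`.

    criteria maps an option such as "-e" to the set of values given for
    it, e.g. {"-e": {"login", "open"}, "-h": {"grumpy"}}. Values within
    one type are OR'ed, types are AND'ed, and the optional -t/-T window
    is applied inclusively at both ends.
    """
    for opt, values in criteria.items():
        if opt not in FIELD_FOR_OPTION:
            raise ValueError(f"unknown option type {opt}")
        if opt != "-e" and len(values) > 8:
            raise ValueError(f"at most 8 instances of {opt} may be selected")
    lo = parse_stamp(start) if start else None
    hi = parse_stamp(end, end=True) if end else None
    selected = []
    for rec in records:
        type_ok = all(rec.get(FIELD_FOR_OPTION[opt]) in values
                      for opt, values in criteria.items() if values)
        time_ok = ((lo is None or rec["time"] >= lo) and
                   (hi is None or rec["time"] <= hi))
        if type_ok and time_ok:
            selected.append(rec)
    return selected


# Constructed sample records; not real auditlog content.
SAMPLE_RECORDS = [
    {"time": parse_stamp("8604131100"), "host": "grumpy", "audit_id": 1123,
     "username": "alice", "event": "login"},
    {"time": parse_stamp("8604131102"), "host": "grumpy", "audit_id": 1123,
     "username": "alice", "event": "open"},
    {"time": parse_stamp("8604131105"), "host": "sleepy", "audit_id": 1123,
     "username": "alice", "event": "open"},
    {"time": parse_stamp("8604210900"), "host": "grumpy", "audit_id": 2000,
     "username": "bob", "event": "creat"},
    {"time": parse_stamp("8604201730"), "host": "grumpy", "audit_id": 1123,
     "username": "alice", "event": "creat"},
]


def page_example_one():
    """-e login -e open -e creat -h grumpy -a 1123: events on grumpy by 1123."""
    crit = {"-e": {"login", "open", "creat"}, "-h": {"grumpy"}, "-a": {1123}}
    return [r["event"] for r in select_records(SAMPLE_RECORDS, crit)]


def page_example_two():
    """-t 8604131047 -T 8604201730: the time window from the page's example."""
    hits = select_records(SAMPLE_RECORDS, {}, start="8604131047",
                          end="8604201730")
    return [r["time"].strftime("%y%m%d%H%M") for r in hits]


if __name__ == "__main__":
    print(page_example_one())
    print(page_example_two())
```

The sleepy record drops out of the first example because -h was given and it matches none of the hostnames, and the audit_id 2000 record drops out because -a was given; both survive the second example, which restricts only by time, while the April 21 record falls outside the window.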
Options
-a audit_id Selects audit records with a matching audit_id. The
default is to select for all audit_id's.
-b Outputs selected records in binary format. The output is
in a format suitable for analysis by audit_tool. The default
is to output in ASCII format.
-B Outputs selected records in an abbreviated format. Each
selected event is displayed along with its audit_id, ruid,
result, error code, pid, event name, and parameter list.
Suppressed information includes the username, ppid, device
id, current directory, gnode information, symbolic name
referenced by any descriptors, IP address, and timestamp.
The default is to output in the non-abbreviated format.
-d filename Reads deselection rules from the specified file and sup‐
presses any records matching any of the deselection rules.
The deselection rulesets take precedence over other selec‐
tion options. Each deselection rule is a tuple consisting
of hostname, audit_id, ruid, event, pathname, and flag.
The flag component is used to specify read or write mode;
it pertains only to open events. Wildcarding and simple
pattern matching are supported. Take, for example, the
following lines from a deselection file:
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
grumpy * * * /usr/spool/rwho* *
These lines indicate that any open operation for read
access on any object whose pathname starts with /usr/lib/
will not be selected, and that on system grumpy any
operation performed on any object whose pathname starts
with /usr/spool/rwho will not be selected. (Lines
beginning with number signs (#) are treated as comment
lines.) Any field can be replaced with an asterisk (*),
which indicates a match with any value. Pathname matching
requires an exact match between strings, unless the
pathname is suffixed with an asterisk, which matches any
string (so, for example, /usr/lib/* matches any pathname
beginning with /usr/lib/). The default is to apply no
deselection rulesets. (Specifying the option instead of
will additionally print the deselection rulesets to be
applied.)
-e event[:success:fail]
Selects records with a matching event. Optionally select
only those records with a successful/failed return value.
For example, the option selects for only failed open
events. Multiple events may be specified on the command
line. The default is to select for all events, both suc‐
cessful and failed.
-E error Selects records with a matching error. The default is to
select for all errors.
-f Causes audit_tool not to quit at end-of-file, but to continue
attempting to read data. This is useful for reviewing
auditlog data as it is being written by the audit daemon.
(For SMP systems, audit data should be sorted first, as
descriptor translation, loginname, current directory, and
root directory all rely on state information maintained by
audit_tool.)
-g gnode_id Selects records with a matching gnode identifier number.
The default is to select for all gnode id's.
-G gnode_dev major#,minor#
Selects records with matching gnode device major/minor num‐
bers. The default is to select for all gnode devices.
-h hostname/IP address
Selects records with a matching hostname or IP address.
Hostnames are translated to their IP addresses via the
local file. If the local file is not available or contains
insufficient information, IP addresses should be used. The
default is to select for all hostnames and IP addresses.
-i Enters interactive selection mode to specify options.
Interactive mode may also be entered by hitting CTRL/C at
any time, then answering ``no'' to the exit prompt. Once
in interactive mode, you are prompted for each option in
turn. Press Return to accept the current setting (or
default); enter an asterisk (*) to change the current
setting back to the default. The default, unless otherwise
stated, is to select every audit record.
-o Whenever the audit daemon switches auditlogs, an
audit_log_change event is generated. If that event did
result in an auditlog change (that is, it was an event
which occurred on the local system), audit_tool will
normally attempt to find and process the succeeding
auditlog. This is possible, however, only if the auditlog
is maintained locally. The -o option tells audit_tool not
to process succeeding auditlogs.
-p pid Selects records with a matching pid. The default is to
select for all pids.
-P ppid Selects records with a matching parent pid (ppid). The
default is to select for all ppids.
-r ruid Selects records with a matching real uid (ruid). The
default is to select for all ruids.
-R Generates an ASCII report for each audit_id found in the
selected events. Each report consists of those selected
events which have an audit_id matching that of the report
suffix. Report names are of the format report.xxxx, where
xxxx is the audit_id.
-s string Selects records which contain string in either a parameter
field or a descriptor field. The default is to select for
all strings.
-S Performs a sort (by time) on the auditlog. The sort per‐
formed is an inter-cpu sort only (for any specific cpu,
data may be non-sequential for events such as fork and
vfork; this information does not need to be sorted for
proper operation of the reduction tool). This option is
useful only for data collected on an SMP system.
-t start_time
Selects records which contain a timestamp no earlier than
start_time. Timestamp format is yymmdd[hh[mm[ss]]]. The
default is to select for all timestamps.
-T end_time Selects records which contain a timestamp no later than
end_time. Timestamp format is yymmdd[hh[mm[ss]]]. The
default is to select for all timestamps.
-u uid Selects audit records with a matching uid. The default is
to select for all uid's.
-U username Selects audit records with a matching username. Usernames
are recorded at the login event and are associated with all
child processes. If login is not audited, no username will
be present in the auditlog. Selecting for a username will
display those records which have a matching username. The
default is to select for all usernames.
-x major#,minor#
Selects audit records with matching device major/minor num‐
bers. The default is to select for all devices.
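A deselection file for -d, as described above, is a suppression list: a record matching any rule is dropped before the selection options are applied, so a rule that is too broad silently hides activity from review. The following Python matcher is an added example, not code from the ULTRIX page or its tool; it implements the semantics the -d description states (an asterisk matches any value, pathnames match exactly unless the rule pathname ends in an asterisk, the FLAG column applies only to open events) and uses the two rule lines from the page. The record field names and the sample records are assumptions constructed for illustration.

```python
"""Matcher for audit_tool -d deselection rules (added example).

Rule lines have six whitespace-separated fields:
    HOST AUID RUID EVENT PATHNAME FLAG
Lines beginning with '#' are comments. Record layout is assumed.
"""

# The deselection file shown on the page, embedded as a string.
RULES_TEXT = """\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
grumpy * * * /usr/spool/rwho* *
"""

RULE_FIELDS = ("host", "auid", "ruid", "event", "path", "flag")


def parse_rules(text):
    """Parse deselection rules; reject lines with the wrong field count
    rather than guessing, since a malformed rule could suppress too much."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != len(RULE_FIELDS):
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(dict(zip(RULE_FIELDS, fields)))
    return rules


def field_matches(pattern, value):
    """'*' matches anything; otherwise the textual value must be equal."""
    return pattern == "*" or str(value) == pattern


def path_matches(pattern, path):
    """Exact match, unless the pattern ends in '*' (prefix match)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def rule_matches(rule, rec):
    """True when every column of the rule matches the record."""
    if not (field_matches(rule["host"], rec["host"])
            and field_matches(rule["auid"], rec["audit_id"])
            and field_matches(rule["ruid"], rec["ruid"])
            and field_matches(rule["event"], rec["event"])):
        return False
    if not path_matches(rule["path"], rec.get("path", "")):
        return False
    # FLAG (r/w) pertains only to open events; ignored for everything else.
    if rec["event"] == "open" and rule["flag"] != "*":
        return rec.get("flag") == rule["flag"]
    return True


def deselect(records, rules):
    """Drop every record that matches at least one deselection rule."""
    return [r for r in records if not any(rule_matches(x, r) for x in rules)]


# Constructed sample records; not real auditlog content.
SAMPLE_RECORDS = [
    {"host": "grumpy", "audit_id": 1123, "ruid": 200, "event": "open",
     "path": "/usr/lib/libc.a", "flag": "r"},            # rule 1 suppresses
    {"host": "grumpy", "audit_id": 1123, "ruid": 200, "event": "open",
     "path": "/usr/lib/libc.a", "flag": "w"},            # kept: flag is w
    {"host": "grumpy", "audit_id": 1123, "ruid": 200, "event": "creat",
     "path": "/usr/spool/rwho.dopey"},                   # rule 2 suppresses
    {"host": "sleepy", "audit_id": 1123, "ruid": 200, "event": "open",
     "path": "/usr/spool/rwhod", "flag": "r"},           # kept: host differs
    {"host": "grumpy", "audit_id": 1123, "ruid": 0, "event": "open",
     "path": "/etc/passwd", "flag": "r"},                # kept: no rule
]


def surviving_paths(records=SAMPLE_RECORDS, rules_text=RULES_TEXT):
    """Paths of the records that remain after deselection."""
    return [r["path"] for r in deselect(records, parse_rules(rules_text))]


if __name__ == "__main__":
    for path in surviving_paths():
        print(path)
```

Note that the second rule's trailing asterisk in /usr/spool/rwho* also covers /usr/spool/rwhod and any similarly named object, which is why host-limited rules are worth reading carefully: on grumpy that rule suppresses every event type on those paths, not just open.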
The audit reduction tool generates auditlog header files, suffixed with
.hdr, when it completes processing of an auditlog file. If the -o
option is used, no auditlog header file is generated. This header file
contains the time range in which the audited operations occurred, so
searching for events by time requires the reduction tool to process
only those auditlogs which were actually written into during that
time. The header file also contains the sort status of the auditlog,
so previously sorted logs are not sorted more than once.
Restrictions
The audit reduction tool maintains the state of each process in order
to translate descriptors back to pathnames, as well as provide current
working directory, root, and username. In order not to run out of mem‐
ory, should be an audited event. In order to provide current working
directory, should be an audited event. In order to provide current
root (if not /), should be an audited event. In order to provide user‐
name, login should be an audited event.
All state-relevant information current at the time of an auditlog
change is maintained in the header file. This allows subsequent scans
of a specific auditlog to have no dependencies on previous auditlogs.
Examples
The following example selects all login, open and creat events per‐
formed on system grumpy by any process with audit_id 1123:
audit_tool -e login -e open -e creat -h grumpy -a 1123 auditlog.000
The following example applies deselection file deselect to auditlog.000
and selects for events between 10:47 a.m. on April 13, 1986 and 5:30
p.m. on April 20, 1986:
audit_tool -d deselect -t 8604131047 -T 8604201730 auditlog.000
See Also
auditd(8), auditmask(8)