audit_tool man page on Ultrix

audit_tool(8)							 audit_tool(8)

Name
       audit_tool - ULTRIX auditlog reduction tool

Syntax
       /usr/etc/sec/audit_tool [ option ... ] auditlog_filename

Description
       The audit_tool command presents a human-understandable format of
       selected portions of the collected audit data.  If no arguments are
       provided, a brief help message will be displayed.  The auditlog file
       may be compressed or uncompressed.  The command will uncompress the
       auditlog file if necessary, and re-compress it if it was originally
       compressed.

       Options are used to select specific audit records of interest.  For a
       record to be selected, it must match at least one option of each option
       type specified.  For example, if two usernames and one hostname were
       specified, an audit record to be selected would have to match one of
       the usernames and the hostname.  Only one start/end time may be
       selected.  Only one deselection rulesfile may be selected.  It is
       possible to select as many events as exist on the system.  For all
       other option types, up to 8 instances may be selected.

Options
       -a audit_id Selects  audit  records  with  a  matching  audit_id.   The
		   default is to select for all audit_id's.

       -b          Outputs selected records in binary format.  The output is
                   in a format suitable for analysis by audit_tool.  The
                   default is to output in ASCII format.

       -B	   Outputs  selected  records  in an abbreviated format.  Each
		   selected event is displayed along with its audit_id,	 ruid,
		   result,  error  code,  pid, event name, and parameter list.
		   Suppressed information includes the username, ppid,	device
		   id,	current	 directory,  gnode  information, symbolic name
		   referenced by any descriptors, IP address,  and  timestamp.
		   The default is to output in the non-abbreviated format.

       -d filename Reads deselection rules from the specified file and
                   suppresses any records matching any of the deselection
                   rules.  The deselection rulesets take precedence over other
                   selection options.  Each deselection rule is a tuple
                   consisting of hostname, audit_id, ruid, event, pathname,
                   and flag.  The flag component is used to specify read or
                   write mode; it pertains only to open events.  Wildcarding
                   and simple pattern matching are supported.  Take, for
                   example, the following lines from a deselection file:
                   # HOST, AUID, RUID, EVENT, PATHNAME, FLAG
                   * * * open /usr/lib/* r
                   grumpy * * * /usr/spool/rwho* *
                   These lines indicate that any open operations for read
                   access on any object whose pathname starts with /usr/lib/
                   will not be selected, and that on system grumpy any
                   operation performed on any object whose pathname starts
                   with /usr/spool/rwho will not be selected.  (Lines
                   beginning with number signs (#) are treated as comment
                   lines.)  Any field can be replaced with an asterisk (*),
                   which indicates a match with any value.  Pathname matching
                   requires an exact match between strings, unless the
                   pathname is suffixed with an asterisk, which matches any
                   string (so, for example, the pattern /usr/lib/* in the
                   first rule above matches every pathname beginning with
                   /usr/lib/).  The default is to apply no deselection
                   rulesets.  (Specifying the option instead of will
                   additionally print the deselection rulesets to be
                   applied.)

       -e event[:success:fail]
		   Selects  records  with a matching event.  Optionally select
		   only those records with a successful/failed	return	value.
		   For	example,  the  option  selects	for  only  failed open
		   events.  Multiple events may be specified  on  the  command
		   line.   The	default is to select for all events, both suc‐
		   cessful and failed.

       -E error	   Selects records with a matching error.  The default	is  to
		   select for all errors.

       -f          Causes audit_tool not to quit at an end-of-file, but to
                   continue attempting to read data.  This is useful for
                   reviewing auditlog data as it is being written by the
                   audit daemon.  (For SMP systems, audit data should be
                   sorted first, as descriptor translation, loginname,
                   current directory, and root directory all rely on state
                   information maintained by audit_tool.)

       -g gnode_id Selects  records  with  a matching gnode identifier number.
		   The default is to select for all gnode id's.

       -G gnode_dev major#,minor#
		   Selects records with matching gnode device major/minor num‐
		   bers.  The default is to select for all gnode devices.

       -h hostname/IP address
                   Selects records with a matching hostname or IP address.
                   Hostnames are translated to their IP addresses via a local
                   file.  If that local file is not available or contains
                   insufficient information, IP addresses should be used.  The
                   default is to select for all hostnames and IP addresses.

       -i	   Enter   interactive	selection  mode	 to  specify  options.
		   Interactive mode may also be entered by hitting  CTRL/C  at
		   any	time, then specifying ``no'' to the exit prompt.  Once
		   in interactive mode, each  option  will  be	selected  for.
		   Press  Return  to  accept the current setting (or default);
		   enter an asterisk (*) to change the current setting back to
		   the	default.   The default, unless otherwise stated, is to
		   select every audit record.

       -o          Whenever the audit daemon switches auditlogs, an
                   audit_log_change event is generated.  If that event did
                   result in an auditlog change (that is, it was an event
                   which occurred on the local system), audit_tool will
                   normally attempt to find and process the succeeding
                   auditlog.  This is possible, however, only if the auditlog
                   is maintained locally.  The -o option tells audit_tool not
                   to process succeeding auditlogs.

       -p pid	   Selects  records  with  a  matching pid.  The default is to
		   select for all pids.

       -P ppid	   Selects records with a matching  parent  pid	 (ppid).   The
		   default is to select for all ppids.

       -r ruid     Selects records with a matching real uid (ruid).  The
                   default is to select for all ruids.

       -R          Generates an ASCII report for each audit_id found in the
                   selected events.  Each report consists of those selected
                   events whose audit_id matches that of the report suffix.
                   Report names are of the format report.xxxx, where xxxx is
                   the audit_id.

       -s string   Selects records which contain string in either a  parameter
		   field  or a descriptor field.  The default is to select for
		   all strings.

       -S	   Performs a sort (by time) on the auditlog.  The  sort  per‐
		   formed  is  an  inter-cpu  sort only (for any specific cpu,
		   data may be non-sequential for  events  such	 as  fork  and
		   vfork;  this	 information  does  not	 need to be sorted for
		   proper operation of the reduction tool).   This  option  is
		   useful only for data collected on an SMP system.

       -t start_time
		   Selects  records  which contain a timestamp no earlier than
		   start_time.	Timestamp format is  yymmdd[hh[mm[ss]]].   The
		   default is to select for all timestamps.

       -T end_time Selects records which contain a timestamp no later than
                   end_time.  Timestamp format is yymmdd[hh[mm[ss]]].  The
                   default is to select for all timestamps.

       -u uid	   Selects  audit records with a matching uid.	The default is
		   to select for all uid's.

       -U username Selects audit records with a matching username.   Usernames
		   are recorded at the login event and are associated with all
		   child processes.  If login is not audited, no username will
		   be  present in the auditlog.	 Selecting for a username will
		   display those records which have a matching username.   The
		   default is to select for all usernames.

       -x major#,minor#
		   Selects audit records with matching device major/minor num‐
		   bers.  The default is to select for all devices.

       The audit reduction tool generates auditlog header files, suffixed with
       .hdr, when it completes processing of an auditlog file.  If the -o
       option is used, no auditlog header file is generated.  This header file
       contains	 the  time  range in which the audited operations occurred, so
       searching for events by time requires only those auditlogs  which  were
       actually written into during that time to be processed by the reduction
       tool.  The header file also contains the sort status of	the  auditlog,
       so previously sorted logs don't get sorted more than once.
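       As an added illustration (not code from this man page or from the
       ULTRIX audit_tool itself), the following Python models the deselection
       rule matching described under -d together with the selection rule that
       a record must match at least one value of every option type given.  The
       field names, the record dictionary layout, and ignoring FLAG for
       non-open events are assumptions.

```python
FIELDS = ("host", "auid", "ruid", "event", "pathname", "flag")  # rulesfile header order

def parse_rules(text):
    """Parse a deselection file; '#' lines are comments, blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        rules.append(dict(zip(FIELDS, parts)))
    return rules

def field_matches(pattern, value, is_pathname):
    """'*' matches any value.  Pathnames match exactly unless the pattern ends in
    '*', which then matches any pathname with that prefix; other fields match exactly."""
    if pattern == "*":
        return True
    if is_pathname and pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def rule_matches(rule, rec):
    """FLAG (r/w) pertains only to open events; assumption: ignored otherwise."""
    for f in FIELDS:
        if f == "flag" and rec["event"] != "open":
            continue
        if not field_matches(rule[f], rec.get(f, ""), f == "pathname"):
            return False
    return True

def deselected(rules, rec):
    """A record matching any deselection rule is suppressed."""
    return any(rule_matches(r, rec) for r in rules)

def selected(criteria, rec):
    """criteria maps an option type to its command-line values, e.g.
    {"event": ["login", "open"], "host": ["grumpy"]}: (login or open) and grumpy."""
    return all(rec.get(f) in values for f, values in criteria.items() if values)

def reduce_log(records, criteria, rules):
    """Keep records passing every option type; deselection takes precedence."""
    return [r for r in records if selected(criteria, r) and not deselected(rules, r)]
# Constructed sample rulesfile: the two rule lines quoted in the man page.
SAMPLE_RULES = parse_rules("""# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
grumpy * * * /usr/spool/rwho* *
""")
```

       Note that /usr/lib/* does not suppress an open of /usr/lib itself,
       since prefix matching applies to the text before the asterisk.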

Restrictions
       The audit reduction tool maintains the state of each process in order
       to translate descriptors back to pathnames, as well as provide current
       working directory, root, and username.  In order not to run out of
       memory, exit should be an audited event.  In order to provide current
       working directory, chdir should be an audited event.  In order to
       provide current root (if not /), chroot should be an audited event.
       In order to provide username, login should be an audited event.

       All  state  relevant  information  current  at  the time of an auditlog
       change is maintained in the header file.	 This allows subsequent	 scans
       of  a specific auditlog to not have any dependencies on previous audit‐
       logs.

Examples
       The following example selects all login, open  and  creat  events  per‐
       formed on system grumpy by any process with audit_id 1123:
       audit_tool -e login -e open -e creat -h grumpy -a 1123 auditlog.000

       The following example applies deselection file deselect to auditlog.000
       and selects for events between 10:47 a.m. on April 13,  1986  and  5:30
       p.m. on April 20, 1986:
       audit_tool -d deselect -t 8604131047 -T 8604201730 auditlog.000
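       The yymmdd[hh[mm[ss]]] timestamp format and the inclusive -t/-T bounds
       of the second example, as an added Python illustration that is not part
       of the man page or of audit_tool.  Zero-filling omitted hh/mm/ss and
       reading two-digit years as 19yy are assumptions.

```python
from datetime import datetime

def parse_audit_time(s):
    """Parse audit_tool's -t/-T timestamp format yymmdd[hh[mm[ss]]].
    Omitted hh/mm/ss are taken as zero and two-digit years as 19yy; both are
    assumptions, since the page states the format but not the padding rule."""
    if not s.isdigit() or len(s) not in (6, 8, 10, 12):
        raise ValueError(f"bad timestamp {s!r}: want yymmdd[hh[mm[ss]]]")
    s = s.ljust(12, "0")                      # pad missing hh, mm, ss with zeros
    yy, mm, dd, hh, mi, ss = (int(s[i:i + 2]) for i in range(0, 12, 2))
    return datetime(1900 + yy, mm, dd, hh, mi, ss)   # rejects e.g. month 13

def in_range(ts, start_time=None, end_time=None):
    """-t start_time keeps records no earlier than start_time; -T end_time keeps
    records no later than end_time.  Both bounds are inclusive; None means unset."""
    if start_time is not None and ts < parse_audit_time(start_time):
        return False
    if end_time is not None and ts > parse_audit_time(end_time):
        return False
    return True

# Constructed record timestamps checked against the page's second example
# (-t 8604131047 -T 8604201730).
def demo():
    window = ("8604131047", "8604201730")
    return [in_range(datetime(1986, 4, 13, 10, 46, 59), *window),   # False: too early
            in_range(datetime(1986, 4, 13, 10, 47), *window),       # True: on the bound
            in_range(datetime(1986, 4, 20, 17, 30, 1), *window)]    # False: past end
```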

See Also
       auditd(8), auditmask(8)
