audit_tool, audit_tool.ultrix - Audit log reduction tool
/usr/sbin/audit_tool [options] auditlog_filename
/usr/sbin/audit_tool.ultrix [flags] auditlog_filename
Selection Options
Selects audit records with a matching text_string. The rules for regular expression expansions do not apply to this option.

Selects audit records with a matching audit ID. The default is to select for all audit IDs.

Selects records with a matching event or event.subevent. The subevent can be applied only to site events. Optionally select only those records with a successful or failed return value. For example, the option -e mount:0:1 selects for only failed mount events, while -e rdb.query:1:0 selects successful rdb events with the query subevent. Multiple events can be specified on the command line. The default is to select for all events, both successful and failed. If you specify the open event, you can add an r (read) or w (write) modifier to specify an open for read or an open for write. The syntax is as follows: -e open.r or -e open.w

Selects records with a matching error string or error number. The default is to select for all errors.

For use with audit_tool.ultrix only. Selects records with a matching inode identifier number. The default is to select for all inode IDs.

For use with audit_tool.ultrix only. Selects records with matching inode device major and minor numbers. The default is to select for all inode devices.

Selects records with a matching host name or IP address. Host names are translated to their IP addresses by the gethostbyname() logic. The default is to select for all host names and IP addresses.

Selects records with a matching PID. The default is to select for all PIDs. If the specified PID is negative, the absolute value of the PID is selected as well as any of the PID's descendants.

Selects records with a matching parent PID (PPID). The default is to select for all PPIDs.

Selects records with a matching real UID (RUID). The default is to select for all RUIDs.

Selects records that contain string in a "char param" field or in the state data file descriptor info. The default is to select for all strings.

Selects records that contain a timestamp no earlier than start_time. The timestamp format is yymmdd[hh[mm[ss]]]. The default is to select for all timestamps. Note that the audit tool automatically converts values of yy in the time string to the appropriate year 2000 value. Specifically, values ranging from 70 to 99 map to 1970 (the epoch year) through 1999, and values ranging from 00 to 69 map to 2000 through 2069.

Selects records that contain a timestamp no later than end_time. The timestamp format is yymmdd[hh[mm[ss]]]. The default is to select for all timestamps. See the year 2000 conversion description in the -t start_time flag.

Selects audit records with a matching UID. The default is to select for all UIDs.

Selects audit records with a matching user name. (The username is mapped to the UID as defined in the password database.) The username is recorded at the login event and is associated with all child processes. If login is not audited, no username is present in the audit log. Selecting for a username displays those records that have a matching user name. The default is to select for all user names.

Selects records with a matching inode identifier number. The default is to select for all inode IDs.

Selects records with matching inode device major/minor numbers. The default is to select for all inode devices.

Selects audit records with matching device major and minor numbers. The default is to select for all devices.

Selects records with a matching process name in the "cmd name" field (provided when the cmd_name audit style is enabled on v5 or later) or in the state data process name field (set by the exec and exit syscall audit events).
Control Options
Causes the audit_tool to use path for the archive/recovery directory containing archived auditlogs. This overrides the directory specified in the audit log, which by default is /var/audit. When you use this option, you must also specify the full path name of the first audit log you want to read:
# audit_tool -. ./audit/newdir -e login ./audit/newdir/auditlog.jan

Outputs selected records in binary format. The output is in a format suitable for subsequent analysis by the audit_tool. The default is to output in ASCII format.

Outputs selected records in an abbreviated format. Each selected event is displayed along with its audit ID, RUID, result, error code, PID, event name, and parameter list. For X events, the IDs displayed are those of the X client. Suppressed information includes the user name, PPID, device ID, current directory, inode information, symbolic name referenced by any descriptors, IP address, and timestamp. The default is to output in the nonabbreviated format.

Reads deselection rules from the specified file and suppresses any records matching any of the deselection rules. The deselection rule sets take precedence over other selection options. Each deselection rule is a tuple consisting of host name, audit ID, RUID, event, pathname, and flag. The flag component is used to specify read or write mode; it pertains only to open events. Wildcarding and simple pattern matching are supported. For example, consider the following lines from a deselection file:
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
alpha1 * * * /usr/spool/rwho* *
These lines indicate that any open operation for read access on any object whose pathname starts with /usr/lib/ will not be selected, and that on system alpha1 any operation performed on any object whose pathname starts with /usr/spool/rwho will not be selected. (Lines beginning with number signs (#) are treated as comment lines.) Any field can be replaced with an asterisk (*), which indicates a match with any value. Pathname matching requires an exact match between strings, unless the pathname is suffixed with an asterisk, which matches any string (so, for example, /usr/spool/rwho* matches /usr/spool/rwho/anything). The default is to apply no deselection rule sets. (Specifying the -D option instead of -d additionally prints the deselection rule sets to be applied.)

Prints the deselection rules from the specified file.

Causes the audit_tool not to quit at an end-of-file, but to continue attempting to read data. This is useful for reviewing audit log data as it is being written by the audit daemon. (For SMP systems, audit data should be sorted first because descriptor translation, the login name, the current directory, and the root directory all rely on state information maintained by the audit_tool.)

Sets the fast mode. If you are not interested in seeing the state-dependent data, you can use this option to improve performance.

Enters interactive selection mode to specify options. Interactive mode can also be entered by pressing CTRL/C at any time, then answering no to the exit prompt. Once in interactive mode, individual options are selected. Press Return to accept the current setting (or default); enter an asterisk (*) to change the current setting back to the default. The default, unless otherwise stated, is to select every audit record.

Inhibits the conversion of IP addresses to hostnames (via DNS lookup).

Outputs data in a delimiter-separated record. This format is compatible with most spreadsheet applications. The data specifiers are separated by commas, and are:
    delimiter[:<tab>] - specifies the field delimiter character. The default is a tab-separated field in the output record. If this option is not specified, data is output in fixed-width columns.
    cpu - CPU number
    seq - audit event sequence number, unique to the CPU for that boot session
    len - audit event record length
    usec - offset from start of log in microseconds (hex)
    usec10 - offset from start of log in microseconds (decimal)
    time - audit event timestamp in the format specified by time_fmt
    time_fmt[:%m/%d/%y %H%M%S] - the default time format is mm/dd/yy hh:mm:ss; refer to strftime for time_fmt options
    username - username associated with audit uid
    userid - include audit uid, real uid, effective uid
    pid - process id
    ppid - parent process id
    res - result of operation
    tid - thread ID. The thread ID (tid) is recorded if the AUDIT_USR control flag is enabled. Processes being traced using auditmask -E have their thread ID recorded.
    event - audit event, and event information
    host - host id on which the audit event was generated
    net - network connection information (local address, remote address)

Whenever the audit daemon switches audit logs, an audit_log_change event is generated. If that event did result in an audit log change (that is, it was an event that occurred on the local system), the audit_tool normally attempts to find and process the succeeding audit log. This is possible, however, only if the audit log is maintained locally. The -o option tells the audit_tool not to process succeeding audit logs.

Suppresses the progress messages.

Generates an ASCII report for each audit ID found in the selected events. If name is a directory, the reports are placed in the directory with the report.audit_id file name format. Otherwise, the reports are placed in a file called name.audit_id. Each report consists of the selected events for the associated audit ID.

Performs a sort (by time) on the audit log. The sort performed is an inter-CPU sort only (for any specific CPU, data may be nonsequential for events such as fork and vfork; this information does not need to be sorted for proper operation of the reduction tool). This option is useful only for data collected on an SMP system.

Displays the name associated with UIDs and GIDs using the getpw*() and getgr*() routines. This is done only if the audit_tool has no name for the UID or GID. The name is sent to output within parentheses.

Displays the frequency count for the selected events.
The audit_tool command, or audit reduction tool, displays
selected portions of the collected audit data. If no
arguments are provided, a brief help message is displayed.
The audit log file may be compressed or uncompressed.
Options are used to select specific audit records of
interest. For a record to be selected, it must match at
least one option of each option type specified. For example,
if two user names and one host name were specified,
an audit record to be selected would have to match one of
the user names and the host name. Only one start and end
time may be selected. Only one deselection rules file may
be selected. It is possible to select as many events as
exist on the system. For all other option types, up to
eight instances may be selected.
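The two rules stated above, worked through in code as an added example that is not part of the audit_tool man page: the -t/-T time string yymmdd[hh[mm[ss]]] is parsed with the year 2000 pivot (70-99 to 1970-1999, 00-69 to 2000-2069), and records are kept only when they match one value of every option type given. The record field names, the rule that omitted hh/mm/ss default to zero, and the sample records are assumptions.

```python
# Added example (not from the audit_tool man page): parses the -t/-T time
# string format yymmdd[hh[mm[ss]]] with the year-2000 pivot described above,
# then applies the selection rule "match at least one option of each option
# type given". Record field names and sample values are constructed.
from datetime import datetime

def parse_audit_time(s: str) -> datetime:
    """yymmdd[hh[mm[ss]]]; yy 70-99 -> 1970-1999, yy 00-69 -> 2000-2069."""
    if len(s) not in (6, 8, 10, 12) or not s.isdigit():
        raise ValueError(f"bad timestamp {s!r}: expected yymmdd[hh[mm[ss]]]")
    yy = int(s[:2])
    year = 1900 + yy if yy >= 70 else 2000 + yy
    parts = [int(s[i:i + 2]) for i in range(2, len(s), 2)]  # mm dd [hh [mm [ss]]]
    parts += [0] * (5 - len(parts))  # assumption: omitted hh/mm/ss default to 0
    return datetime(year, *parts)

def select(records, events=None, hosts=None, start=None, end=None):
    """Within one option type values are OR-ed; across types they are AND-ed.
    An option type that is not given (None or empty) matches every record."""
    t0 = parse_audit_time(start) if start else None
    t1 = parse_audit_time(end) if end else None
    kept = []
    for r in records:
        if events and r["event"] not in events:
            continue
        if hosts and r["host"] not in hosts:
            continue
        if t0 and r["time"] < t0:  # "no earlier than start_time"
            continue
        if t1 and r["time"] > t1:  # "no later than end_time"
            continue
        kept.append(r)
    return kept

# Constructed sample records (not real audit data).
SAMPLE = [
    {"time": datetime(1994, 4, 13, 10, 46, 59), "event": "login", "host": "alpha1"},
    {"time": datetime(1994, 4, 15, 12, 0, 0), "event": "open", "host": "alpha1"},
    {"time": datetime(1994, 4, 15, 12, 0, 1), "event": "open", "host": "alpha2"},
    {"time": datetime(1994, 4, 20, 17, 30, 0), "event": "exec", "host": "alpha1"},
    {"time": datetime(1994, 4, 20, 17, 31, 0), "event": "exec", "host": "alpha1"},
]

if __name__ == "__main__":
    # Two events OR-ed, AND one host, AND the time window from the -t/-T example.
    hits = select(SAMPLE, events={"login", "open"}, hosts={"alpha1"},
                  start="9404131047", end="9404201730")
    print([r["event"] for r in hits])  # ['open']
```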
The audit reduction tool generates audit log header files,
suffixed with auditlog file. If the -o option is used, no
audit log header file is generated. This header file contains
the time range in which the audited operations
occurred, so searching for events by time requires only
those audit logs that were actually written into during
that time to be processed. The header file also contains
the sort status of the audit log, so previously sorted
logs do not get sorted more than once, and also state-relevant
data from previous logs.
The output from audit_tool is written to stdout. Informational
messages, such as (100000 records processed...)
are written to stderr.
The audit_tool.ultrix program is used to display audit
reports from audit data collected on ULTRIX systems. With
the exception of the -g and -G options (equivalent to the
-v and -V options for audit_tool), audit_tool.ultrix is
the same as audit_tool.
The audit reduction tool maintains the state of each process in order to translate descriptors back to pathnames, as well as to provide a current working directory, root, and user name. To avoid running out of memory for state-dependent data, the exit system call should be an audited event. The call to exit releases the memory used to hold the state of the process. Alternatively, the logout events release the memory used to hold the state of all the session's processes. If state-relevant data is not important for your auditing requirements, exit need not be audited, and the -F flag to audit_tool can be used to improve performance.
In order to provide the current working directory, the chdir system call should be an audited event. In order to provide the current root (if not the root (/) directory), the chroot system call should be an audited event. In order to provide the user name, login should be an audited event.
If audit_tool runs out of memory, it will not be able to store further state-dependent data (as previously described). If this occurs, the following warning is displayed:
warning: state_maint_{add,open,path_change}: no more mem;
...
Audit events which affect the state data include: login, logout, open, old_open, close, dup, fcntl, dup2, chdir, chroot, fchdir, bind, connect, accept, naccept, socket, execv, execve, exec_with_loader, proplist_syscall, audit_suspend, audit_log_creat, audit_log_overwrite, audit_shutdown, audit_xmit_fail.
All state-dependent information current at the time of an
audit log change is maintained in the header file. This
allows subsequent scans of a specific audit log to not
have any dependencies on previous audit logs.
See Security for further discussion of state-dependent
information.
The following example selects all login, open and exec events performed on system alpha1 by any process with audit ID 1123:
# audit_tool -e login -e open -e exec -h alpha1 -a 1123 auditlog.000
The following example applies the deselection file deselect to auditlog.000 and selects for events between 10:47 a.m. on April 13, 1994 and 5:30 p.m. on April 20, 1994:
# audit_tool -d deselect -t 9404131047 -T 9404201730 auditlog.000
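A matcher for the deselection-file format described under Control Options (comment lines starting with #, six fields per rule, * matching any value, and a trailing * on a pathname matching by prefix), as an added example that is not part of the audit_tool man page. The record field names and sample records are constructed assumptions; the two rules are the ones quoted in the text.

```python
# Added example (not from the audit_tool man page): a matcher for the
# deselection-file format described under Control Options. Record field
# names and sample records are constructed for illustration.
FIELDS = ("host", "auid", "ruid", "event", "pathname", "flag")

def parse_deselect(text):
    """'#' lines are comments; each rule has six whitespace-separated fields."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        rules.append(tuple(parts))
    return rules

def field_matches(pattern, value, is_path):
    """'*' matches anything; a pathname ending in '*' matches by prefix; else exact."""
    if pattern == "*":
        return True
    if is_path and pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def deselected(record, rules):
    """A record is suppressed when any single rule matches on all six fields."""
    return any(
        all(field_matches(rule[i], record.get(f, ""), f == "pathname")
            for i, f in enumerate(FIELDS))
        for rule in rules
    )

def reduce_records(records, rules):
    """Deselection takes precedence over selection: drop every matched record."""
    return [r for r in records if not deselected(r, rules)]

# The two rules quoted in the text, as a constructed deselection file.
RULES = parse_deselect("""\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
alpha1 * * * /usr/spool/rwho* *
""")

# Constructed sample records (not real audit data); flag is present only for open.
SAMPLE = [
    dict(host="alpha1", auid="1123", ruid="0", event="open", pathname="/usr/lib/libc.so", flag="r"),
    dict(host="alpha1", auid="1123", ruid="0", event="open", pathname="/usr/lib/libc.so", flag="w"),
    dict(host="alpha1", auid="1123", ruid="0", event="unlink", pathname="/usr/spool/rwho/whod.x"),
    dict(host="alpha2", auid="1123", ruid="0", event="unlink", pathname="/usr/spool/rwho/whod.x"),
]
```

Running reduce_records(SAMPLE, RULES) keeps only the second and fourth records: the open for write under /usr/lib/ fails the r flag of the first rule, and the alpha2 record fails the host field of the second.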
The following example outputs a tab-delimited record containing the audit event timestamp, event information, network connection information (if applicable to this event), and the ID of the host that generated the audit event:
# audit_tool -O time,event,host,net,delimiter
Commands: auditd(8), auditmask(8), auditconfig(8)
Security
audit_tool(8)