Command: audit_tool.ultrix | Section: 8 | Source: Digital UNIX | File: audit_tool.ultrix.8.gz
audit_tool(8) System Manager's Manual audit_tool(8)
NAME
audit_tool, audit_tool.ultrix - Audit log reduction tool
SYNOPSIS
/usr/sbin/audit_tool [ options ] auditlog_filename
/usr/sbin/audit_tool.ultrix [ options ] auditlog_filename
FLAGS
Selection Flags
Selects audit records with a matching text_string. The rules for regular expression expansions do not apply to this option.

Selects audit records with a matching audit ID. The default is to select for all audit IDs.

Selects records with a matching event or event.subevent. The subevent can be applied only to site events. Optionally select only those records with a successful or failed return value. For example, the option -e mount:0:1 selects for only failed mount events while -e rdb.query:1:0 selects successful rdb events with the query subevent. Multiple events can be specified on the command line. The default is to select for all events, both successful and failed.

If you specify the open event, you can add an r (read) or w (write) modifier to specify an open for read or an open for write. The syntax is as follows: -e open.r or -e open.w

Selects records with a matching error string or error number. The default is to select for all errors.

For use with audit_tool.ultrix only. Selects records with a matching inode identifier number. The default is to select for all inode IDs.

For use with audit_tool.ultrix only. Selects records with matching inode device major and minor numbers. The default is to select for all inode devices.

Selects records with a matching host name or IP address. Host names are translated to their IP addresses by the gethostbyname() logic. The default is to select for all host names and IP addresses.

Selects records with a matching PID. The default is to select for all PIDs. If the specified PID is negative, the absolute value of the PID is selected as well as any of the PID's descendants.

Selects records with a matching parent PID (PPID). The default is to select for all PPIDs.

Selects records with a matching real UID (RUID). The default is to select for all RUIDs.

Selects records that contain string in a parameter field or associated with a descriptor field. The default is to select for all strings.

Selects records that contain a timestamp no earlier than start_time. The timestamp format is yymmdd[hhmm[ss]]. The default is to select for all timestamps.

Selects records that contain a timestamp no later than end_time. The timestamp format is yymmdd[hhmm[ss]]. The default is to select for all timestamps.

Selects audit records with a matching UID. The default is to select for all UIDs.

Selects audit records with a matching user name. (The username is mapped to the UID as defined in the password database.) The username is recorded at the login event and is associated with all child processes. If login is not audited, no username is present in the audit log. Selecting for a username will display those records that have a matching user name. The default is to select for all user names.

Selects records with a matching inode identifier number. The default is to select for all inode IDs.

Selects records with matching inode device major/minor numbers. The default is to select for all inode devices.

Selects audit records with matching device major and minor numbers. The default is to select for all devices.

Selects records with a matching process name (the name used by exec).
Control Flags
Outputs selected records in binary format. The output is in a format suitable for subsequent analysis by the audit_tool. The default is to output in ASCII format.

Outputs selected records in an abbreviated format. Each selected event is displayed along with its audit ID, RUID, result, error code, PID, event name, and parameter list. For X events, the IDs displayed are those of the X client. Suppressed information includes the user name, PPID, device ID, current directory, inode information, symbolic name referenced by any descriptors, IP address, and timestamp. The default is to output in the nonabbreviated format.

Reads deselection rules from the specified file and suppresses any records matching any of the deselection rules. The deselection rule sets take precedence over other selection options. Each deselection rule is a tuple consisting of host name, audit ID, RUID, event, pathname, and flag. The flag component is used to specify read or write mode; it pertains only to open events.

     Wildcarding and simple pattern matching are supported. For example, consider the following lines from a deselection file:

          # HOST, AUID, RUID, EVENT, PATHNAME, FLAG
          * * * open /usr/lib/* r
          alpha1 * * * /usr/spool/rwho* *

     These lines indicate that any open operations for read access on any object whose pathname starts with /usr/lib/ will not be selected, and on system alpha1 any operations performed on any object whose pathname starts with /usr/spool/rwho will not be selected. (Lines beginning with number signs (#) are treated as comment lines.) Any field can be replaced with an asterisk (*), which indicates a match with any value.

     Pathname matching requires an exact match between strings, unless the pathname is suffixed with an asterisk, which matches any string (so, for example, /usr/spool/rwho* matches /usr/spool/rwho/anything).

     The default is to apply no deselection rule sets. (Specifying the -D option instead of -d will additionally print the deselection rule sets to be applied.)

Causes the audit_tool not to quit at an end-of-file, but to continue attempting to read data. This is useful for reviewing audit log data as it is being written by the audit daemon. (For SMP systems, audit data should be sorted first because descriptor translation, the login name, the current directory, and the root directory all rely on state information maintained by the audit_tool.)

Sets the fast mode. If you are not interested in seeing the state-dependent data, you can use this option to improve performance.

Enters interactive selection mode to specify options. Interactive mode can also be entered by pressing CTRL/C at any time, then answering no to the exit prompt. Once in interactive mode, individual options are selected. Press Return to accept the current setting (or default); enter an asterisk (*) to change the current setting back to the default. The default, unless otherwise stated, is to select every audit record.

Outputs in the specified formats. The formats are as follows: cpu (cpu number), usec (offset from start of log in microseconds), time, username, userid, pid, ppid, res (result of operation), tid (thread ID), and event.

     The thread ID (tid) is recorded if the AUDIT_USR control flag is enabled. Processes being traced using auditmask -E have their thread ID recorded.

Whenever the audit daemon switches audit logs, an audit_log_change event is generated. If that event did result in an audit log change (that is, it was an event that occurred on the local system), the audit_tool normally attempts to find and process the succeeding audit log. This is possible, however, only if the audit log is maintained locally. The -o option tells the audit_tool not to process succeeding audit logs.

Suppresses the progress messages.

Generates an ASCII report for each audit ID found in the selected events. If name is a directory, the reports are placed in the directory with the report.audit_id file name format. Otherwise, the reports are placed in a file called name.audit_id. Each report consists of the selected events for the associated audit ID.

Performs a sort (by time) on the audit log. The sort performed is an inter-CPU sort only (for any specific CPU, data may be nonsequential for events such as fork and vfork; this information does not need to be sorted for proper operation of the reduction tool). This option is useful only for data collected on an SMP system.

Displays the name associated with UIDs and GIDs using the getpw* and getgr* routines. This is done only if the audit_tool has no name for the UID or GID. The name is sent to output within parentheses.

Displays the frequency count for the selected events.
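The deselection-file semantics given under Control Flags (an asterisk in any field matches any value, pathnames match exactly unless the rule's pathname ends in an asterisk, and the flag column pertains only to open events) are easy to get wrong, and a rules file that is too broad silently hides records. The following Python is an added illustration written for this page, not code from Digital UNIX or from audit_tool itself. The record layout, the field names, the sample rules file and the sample records are constructed here; treating the flag column as irrelevant for any event other than open is an assumption.

```python
# Added illustration of the audit_tool(8) deselection-file rules; this is
# not Digital UNIX code. Record layout, sample rules and sample records are
# constructed for this example.
from dataclasses import dataclass


@dataclass
class Rule:
    """One deselection tuple: HOST, AUID, RUID, EVENT, PATHNAME, FLAG."""
    host: str
    auid: str
    ruid: str
    event: str
    pathname: str
    flag: str


def parse_deselect(text):
    """Parse a deselection file: '#' lines are comments, each rule has six
    whitespace-separated fields, and '*' in any field matches any value."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
        rules.append(Rule(*fields))
    return rules


def field_match(pattern, value):
    return pattern == "*" or pattern == str(value)


def path_match(pattern, value):
    """Pathnames match exactly, unless the rule's pathname is suffixed with
    '*', in which case everything with that prefix matches."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def rule_matches(rule, rec):
    if not (field_match(rule.host, rec["host"])
            and field_match(rule.auid, rec["auid"])
            and field_match(rule.ruid, rec["ruid"])
            and field_match(rule.event, rec["event"])
            and path_match(rule.pathname, rec["pathname"])):
        return False
    # The FLAG column pertains only to open events (assumption: it is
    # ignored for every other event).
    if rec["event"] == "open" and not field_match(rule.flag, rec.get("flag", "")):
        return False
    return True


def deselect(rules, records):
    """Return the records that no deselection rule matches; deselection
    takes precedence over any selection option."""
    return [rec for rec in records if not any(rule_matches(r, rec) for r in rules)]


# Constructed rules file, mirroring the manual's example.
DESELECT_TEXT = """\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
alpha1 * * * /usr/spool/rwho* *
"""

# Constructed sample records (not real audit data).
RECORDS = [
    {"id": 1, "host": "alpha1", "auid": 1123, "ruid": 0, "event": "open", "pathname": "/usr/lib/libc.so", "flag": "r"},
    {"id": 2, "host": "beta2", "auid": 1123, "ruid": 0, "event": "open", "pathname": "/usr/lib/libc.so", "flag": "w"},
    {"id": 3, "host": "alpha1", "auid": 5, "ruid": 5, "event": "exec", "pathname": "/usr/spool/rwho/rwhod"},
    {"id": 4, "host": "alpha1", "auid": 5, "ruid": 5, "event": "open", "pathname": "/usr/spool/rwhox", "flag": "r"},
    {"id": 5, "host": "beta2", "auid": 5, "ruid": 5, "event": "exec", "pathname": "/usr/spool/rwho/rwhod"},
    {"id": 6, "host": "alpha1", "auid": 1123, "ruid": 0, "event": "open", "pathname": "/usr/lib", "flag": "r"},
]


def surviving_ids(text=DESELECT_TEXT, records=RECORDS):
    """IDs of the records that survive deselection."""
    return [rec["id"] for rec in deselect(parse_deselect(text), records)]


if __name__ == "__main__":
    print("records kept after deselection:", surviving_ids())
```

Records 1, 3 and 4 are suppressed: the first by the read-open rule, the other two by the alpha1 rule, record 4 because /usr/spool/rwho* is a prefix match and so also covers /usr/spool/rwhox. Record 2 survives because its open is for write, record 5 because it is on another host, and record 6 because /usr/lib does not start with /usr/lib/ and pathname matching is otherwise exact.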
DESCRIPTION
The audit_tool command, or audit reduction tool, displays selected portions of the collected audit data. If no arguments are provided, a brief help message is displayed. The audit log file may be compressed or uncompressed.
Options are used to select specific audit records of interest. For a record to be selected, it must match at least one option of each option type specified. For example, if two user names and one host name were specified, an audit record to be selected would have to match one of the user names and the host name. Only one start and end time may be selected. Only one deselection rules file may be selected. It is possible to select as many events as exist on the system. For all other option types, up to eight instances may be selected.
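The selection rule in the paragraph above (a record must match at least one value of every option type given, within a single start/end window written as yymmdd[hhmm[ss]], with up to eight values per type except events) together with the negative-PID rule from Selection Flags (the PID itself plus its descendants) can be modelled on sample records before a long reduction run. This Python is an added illustration for this page, not code from Digital UNIX or audit_tool. The record layout, the sample records and the option names used as keyword arguments are constructed; resolving two-digit years with strptime's %y (94 becomes 1994) and finding descendants by following pid/ppid links present in the records are assumptions.

```python
# Added illustration of the audit_tool(8) selection semantics; this is not
# Digital UNIX code. Record layout and sample records are constructed.
from datetime import datetime

MAX_PER_TYPE = 8  # up to eight instances of each option type, events excepted


def parse_timestamp(text):
    """yymmdd[hhmm[ss]]: 6, 10 or 12 digits. %y resolves 94 to 1994 (the
    strptime two-digit-year pivot; an assumption about the century)."""
    fmt = {6: "%y%m%d", 10: "%y%m%d%H%M", 12: "%y%m%d%H%M%S"}.get(len(text))
    if fmt is None or not text.isdigit():
        raise ValueError(f"bad timestamp {text!r}: expected yymmdd[hhmm[ss]]")
    return datetime.strptime(text, fmt)


def expand_pids(records, wanted):
    """A negative PID selects |pid| and all of its descendants, found here by
    following the pid/ppid links recorded in the log (assumption)."""
    chosen = set()
    for p in wanted:
        if p >= 0:
            chosen.add(p)
            continue
        frontier = [-p]
        chosen.add(-p)
        while frontier:
            parent = frontier.pop()
            for rec in records:
                if rec["ppid"] == parent and rec["pid"] not in chosen:
                    chosen.add(rec["pid"])
                    frontier.append(rec["pid"])
    return chosen


def select(records, start=None, end=None, **criteria):
    """A record is selected only if, for every option type given, it matches
    at least one of that type's values, and its timestamp lies within the
    single start/end window."""
    t0 = parse_timestamp(start) if start else None
    t1 = parse_timestamp(end) if end else None
    wanted = {}
    for key, values in criteria.items():
        if key != "event" and len(values) > MAX_PER_TYPE:
            raise ValueError(f"{key}: at most {MAX_PER_TYPE} values may be given")
        wanted[key] = expand_pids(records, values) if key == "pid" else set(values)
    out = []
    for rec in records:
        ts = parse_timestamp(rec["time"])
        if (t0 is not None and ts < t0) or (t1 is not None and ts > t1):
            continue
        if all(rec[key] in values for key, values in wanted.items()):
            out.append(rec)
    return out


# Constructed sample records (not real audit data); timestamps use the
# manual's yymmdd[hhmm[ss]] form.
RECORDS = [
    {"id": 1, "time": "9404131046", "host": "alpha1", "auid": 1123, "event": "login", "pid": 200, "ppid": 1},
    {"id": 2, "time": "9404131047", "host": "alpha1", "auid": 1123, "event": "login", "pid": 200, "ppid": 1},
    {"id": 3, "time": "9404131500", "host": "alpha1", "auid": 1123, "event": "open", "pid": 201, "ppid": 200},
    {"id": 4, "time": "9404141200", "host": "beta2", "auid": 1123, "event": "exec", "pid": 300, "ppid": 1},
    {"id": 5, "time": "9404151200", "host": "alpha1", "auid": 77, "event": "exec", "pid": 202, "ppid": 201},
    {"id": 6, "time": "9404201730", "host": "alpha1", "auid": 1123, "event": "chdir", "pid": 201, "ppid": 200},
    {"id": 7, "time": "940420173001", "host": "alpha1", "auid": 1123, "event": "exec", "pid": 201, "ppid": 200},
]


def ids(recs):
    return [r["id"] for r in recs]


if __name__ == "__main__":
    # Equivalent of: -e login -e open -e exec -h alpha1 -a 1123 -t 9404131047 -T 9404201730
    print(ids(select(RECORDS, start="9404131047", end="9404201730",
                     event=["login", "open", "exec"], host=["alpha1"], auid=[1123])))
    # Negative PID: 200 and every descendant reachable through ppid links
    print(ids(select(RECORDS, pid=[-200])))
```

The first query keeps only records 2 and 3: record 1 is one minute before the start time, record 7 is one second after the end time (seconds are honoured when present), and records 4, 5 and 6 each fail one of the three option types. The negative-PID query keeps everything attributed to PIDs 200, 201 and 202, since 202 is a child of 201, which is a child of 200.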
The audit reduction tool generates audit log header files, suffixed with .hdr, when it completes processing of an auditlog file. If the -o option is used, no audit log header file is generated. This header file contains the time range in which the audited operations occurred, so searching for events by time requires only those audit logs that were actually written into during that time to be processed. The header file also contains the sort status of the audit log, so previously sorted logs do not get sorted more than once, and also state-relevant data from previous logs.
The output from audit_tool is written to stdout. Informational messages, such as (100000 records processed...), are written to stderr.
The audit_tool.ultrix program is used to display audit reports from audit data collected on ULTRIX systems. With the exception of the -g and -G options (equivalent to the -v and -V options for audit_tool), audit_tool.ultrix is the same as audit_tool.
RESTRICTIONS
The audit reduction tool maintains the state of each process in order to translate descriptors back to pathnames, as well as to provide a current working directory, root, and user name. To avoid running out of memory for state-dependent data, the exit system call should be an audited event. The call to exit releases the memory used to hold the state of the process. Alternatively, the logout events release the memory used to hold the state of all the session's processes. If state-relevant data is not important for your auditing requirements, exit need not be audited and the -F flag to audit_tool can be used to improve performance.
In order to provide the current working directory, the chdir system
call should be an audited event. In order to provide the current root
(if not the root (/) directory), the chroot system call should be an
audited event. In order to provide the user name, login should be an
audited event.
If audit_tool runs out of memory, it will not be able to store further state-dependent data (as previously described). If this occurs, the following warning is displayed:

     warning: state_maint_{add,open,path_change}: no more mem; ...
All state-dependent information current at the time of an audit log
change is maintained in the header file. This allows subsequent scans
of a specific audit log to not have any dependencies on previous audit
logs.
See Security for further discussion of state-dependent information.
EXAMPLES
The following example selects all login, open and exec events performed
on system alpha1 by any process with audit ID 1123:
# audit_tool -e login -e open -e exec -h alpha1 -a 1123 auditlog.000
The following example applies deselection file deselect to auditlog.000
and selects for events between 10:47 a.m. on April 13, 1994 and 5:30
p.m. on April 20, 1994:
# audit_tool -d deselect -t 9404131047 -T 9404201730 auditlog.000
RELATED INFORMATION
Commands: auditd(8), auditmask(8), audit_setup(8)
Security