auditreduce(1M)         System Administration Commands         auditreduce(1M)

NAME

       auditreduce - merge and select audit records from audit trail files

SYNOPSIS

       auditreduce [options] [audit-trail-file]...


DESCRIPTION

       auditreduce allows you to select or merge records from audit trail
       files. Audit files can be from one or more machines.

       The merge function merges together audit records from one or more
       input audit trail files into a single output file. The records in an
       audit trail file are assumed to be sorted in chronological order
       (oldest first) and this order is maintained by auditreduce in the
       output file.

       Unless instructed otherwise, auditreduce will merge the entire audit
       trail, which consists of all the audit trail files in the directory
       structure audit_root_dir/*/files (see audit_control(4) for details of
       the structure of the audit root). Unless specified with the -R or -S
       option, audit_root_dir defaults to /etc/security/audit. By using the
       file selection options it is possible to select some subset of these
       files, or files from another directory, or files named explicitly on
       the command line.

       The select function allows audit records to be selected on the basis
       of numerous criteria relating to the record's content (see
       audit.log(4) for details of record content). A record must meet all
       of the record-selection-option criteria to be selected.

   Audit Trail Filename Format
       Any audit trail file not named on the command line must conform to
       the audit trail filename format. Files produced by the audit system
       already have this format. Output file names produced by auditreduce
       are in this format. It is:

         start-time.end-time.suffix

       where start-time is the 14-character timestamp of when the file was
       opened, end-time is the 14-character timestamp of when the file was
       closed, and suffix is the name of the machine which generated the
       audit trail file, or some other meaningful suffix (for example, all,
       if the file contains a combined group of records from many machines).
       The end-time can be the literal string not_terminated, to indicate
       that the file is still being written to by the audit system.
       Timestamps are of the form yyyymmddhhmmss (year, month, day, hour,
       minute, second). The timestamps are in Greenwich Mean Time (GMT).


OPTIONS

   File Selection Options
       The file selection options indicate which files are to be processed
       and certain types of special treatment.

       -A

           All of the records from the input files will be selected
           regardless of their timestamp. This option effectively disables
           the -a, -b, and -d options. This is useful in preventing the loss
           of records if the -D option is used to delete the input files
           after they are processed. Note, however, that if a record is not
           selected due to another option, then -A will not override that.

       -C

           Only process complete files. Files whose filename end-time
           timestamp is not_terminated are not processed (such a file is
           currently being written to by the audit system). This is useful
           in preventing the loss of records if -D is used to delete the
           input files after they are processed. It does not apply to files
           specified on the command line.

       -D suffix

           Delete input files after they are read if the entire run is
           successful. If auditreduce detects an error while reading a file,
           then that file is not deleted. If -D is specified, -A, -C and -O
           are also implied. suffix is given to the -O option. This helps
           prevent the loss of audit records by ensuring that all of the
           records are written, only complete files are processed, and the
           records are written to a file before being deleted. Note that if
           both -D and -O are specified in the command line, the order of
           specification is significant. The suffix associated with the
           latter specification is in effect.

       -M machine

           Allows selection of records from files with machine as the
           filename suffix. If -M is not specified, all files are processed
           regardless of suffix. -M can also be used to allow selection of
           records from files that contain combined records from many
           machines and have a common suffix (such as all).

       -N

           Select objects in new mode. This flag is off by default, thus
           retaining backward compatibility. In the existing, old mode,
           specifying the -e, -f, -g, -r, or -u flags would select not only
           actions taken with those IDs, but also certain objects owned by
           those IDs. When running in new mode, only actions are selected.
           In order to select objects, the -o option must be used.

       -O suffix

           Direct output stream to a file in the current audit_root_dir with
           the indicated suffix. suffix can alternatively contain a full
           pathname, in which case the last component is taken as the
           suffix, ahead of which the timestamps will be placed, ahead of
           which the remainder of the pathname will be placed. If the -O
           option is not specified, the output is sent to the standard
           output. When auditreduce places timestamps in the filename, it
           uses the times of the first and last records in the merge as the
           start-time and end-time.

       -Q

           Quiet. Suppress notification about errors with input files.

       -R pathname

           Specify the pathname of an alternate audit root directory
           audit_root_dir to be pathname. Therefore, rather than using
           /etc/security/audit/*/files by default, pathname/*/files will be
           examined instead.

           Note -

             The root file system of any non-global zones must not be
             referenced with the -R option. Doing so might damage the global
             zone's file system, might compromise the security of the global
             zone, and might damage the non-global zone's file system. See
             zones(5).

       -S server

           This option causes auditreduce to read audit trail files from a
           specific location (server directory). server is normally
           interpreted as the name of a subdirectory of the audit root,
           therefore auditreduce will look in audit_root_dir/server/files
           for the audit trail files. But if server contains any `/'
           characters, it is the name of a specific directory not
           necessarily contained in the audit root. In this case,
           server/files will be consulted. This option allows archived files
           to be manipulated easily, without requiring that they be
           physically located in a directory structure like that of
           /etc/security/audit.

       -V

           Verbose. Display the name of each file as it is opened, and how
           many records total were written to the output stream.

   Record Selection Options
       The record selection options listed below are used to indicate which
       records are written to the output file produced by auditreduce.

       Multiple arguments of the same type are not permitted.

       -a date-time

           Select records that occurred at or after date-time. The date-time
           argument is described under Option Arguments, below. date-time is
           in local time. The -a and -b options can be used together to form
           a range.

       -b date-time

           Select records that occurred before date-time.

       -c audit-classes

           Select records by audit class. Records with events that are
           mapped to the audit classes specified by audit-classes are
           selected. Audit class names are defined in audit_class(4). The
           audit-classes can be a comma separated list of audit flags like
           those described in audit_control(4). Using the audit flags, one
           can select records based upon success and failure criteria.

       -d date-time

           Select records that occurred on a specific day (a 24-hour period
           beginning at 00:00:00 of the day specified and ending at
           23:59:59). The day specified is in local time. Any hours,
           minutes, or seconds given in the argument are ignored. Any
           records with timestamps during that day are selected. -d can not
           be used with -a or -b.

       -e effective-user

           Select records with the specified effective-user.

       -f effective-group

           Select records with the specified effective-group.

       -g real-group

           Select records with the specified real-group.

       -j subject-ID

           Select records with the specified subject-ID where subject-ID is
           a process ID.

       -l label

           Select records with the specified label (or label range), as
           explained under "Option Arguments," below. This option is
           available only if the system is configured with Trusted
           Extensions.

       -m event

           Select records with the indicated event. The event is the literal
           string or the event number.

       -o object_type=objectID_value

           Select records by object type. A match occurs when the record
           contains the information describing the specified object_type
           and the object ID equals the value specified by objectID_value.
           The allowable object types and values are as follows:

           file=pathname

               Select records containing file system objects with the
               specified pathname, where pathname is a comma separated list
               of regular expressions. If a regular expression is preceded
               by a tilde (~), files matching the expression are excluded
               from the output. For example, the option
               file=~/usr/openwin,/usr,/etc would select all files in /usr
               or /etc except those in /usr/openwin. The order of the
               regular expressions is important because auditreduce
               processes them from left to right, and stops when a file is
               known to be either selected or excluded. Thus the option
               file=/usr,/etc,~/usr/openwin would select all files in /usr
               and all files in /etc. Files in /usr/openwin are not excluded
               because the regular expression /usr is matched first. Care
               should be given in surrounding the pathname with quotes so as
               to prevent the shell from expanding any tildes.

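       The ordering rule above is easy to get wrong, so the following added
       example (not code from the auditreduce man page or the Solaris
       source) reproduces the left-to-right, first-match-wins evaluation of
       a file= list in a POSIX shell function, so an expression list can be
       checked against sample paths before a long run. It assumes
       unanchored extended regular expressions as matched by grep -E; the
       regex dialect auditreduce itself uses is not stated on this page.

```sh
#!/bin/sh
# audit_file_selected PATH EXPR_LIST
#   EXPR_LIST is the comma-separated list given to -o file=; an entry that
#   begins with "~" is an exclusion. Returns 0 if PATH would be selected,
#   1 if it is excluded or matches no expression at all.
#   Assumption: each expression is an unanchored grep -E regex.
audit_file_selected() {
    afs_path=$1
    afs_list=$2
    while [ -n "$afs_list" ]; do
        # Peel off the leftmost expression; evaluation is left to right.
        afs_expr=${afs_list%%,*}
        if [ "$afs_expr" = "$afs_list" ]; then
            afs_list=""
        else
            afs_list=${afs_list#*,}
        fi
        case $afs_expr in
            "~"*) afs_re=${afs_expr#"~"}; afs_action=exclude ;;
            *)    afs_re=$afs_expr;       afs_action=select ;;
        esac
        # The first expression that matches decides; the rest are ignored.
        if printf '%s\n' "$afs_path" | grep -Eq -- "$afs_re"; then
            [ "$afs_action" = select ] && return 0
            return 1
        fi
    done
    return 1
}

# Constructed sample paths, checked against the two orderings from the
# text. Single quotes keep the shell from expanding the tilde.
for afs_order in '~/usr/openwin,/usr,/etc' '/usr,/etc,~/usr/openwin'; do
    printf 'file=%s\n' "$afs_order"
    for afs_p in /etc/passwd /usr/bin/ls /usr/openwin/bin/xterm /var/tmp/x; do
        if audit_file_selected "$afs_p" "$afs_order"; then
            printf '  selected:     %s\n' "$afs_p"
        else
            printf '  not selected: %s\n' "$afs_p"
        fi
    done
done
```

       With the first ordering /usr/openwin/bin/xterm is excluded; with the
       second it is selected, because /usr matches before the exclusion is
       reached. A path that matches no expression is not selected either
       way.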
           filegroup=group

               Select records containing file system objects with group as
               the owning group.

           fileowner=user

               Select records containing file system objects with user as
               the owning user.

           msgqid=ID

               Select records containing message queue objects with the
               specified ID where ID is a message queue ID.

           msgqgroup=group

               Select records containing message queue objects with group as
               the owning or creating group.

           msgqowner=user

               Select records containing message queue objects with user as
               the owning or creating user.

           pid=ID

               Select records containing process objects with the specified
               ID where ID is a process ID. Processes are objects when they
               are receivers of signals.

           procgroup=group

               Select records containing process objects with group as the
               real or effective group.

           procowner=user

               Select records containing process objects with user as the
               real or effective user.

           semid=ID

               Select records containing semaphore objects with the
               specified ID where ID is a semaphore ID.

           semgroup=group

               Select records containing semaphore objects with group as the
               owning or creating group.

           semowner=user

               Select records containing semaphore objects with user as the
               owning or creating user.

           shmid=ID

               Select records containing shared memory objects with the
               specified ID where ID is a shared memory ID.

           shmgroup=group

               Select records containing shared memory objects with group as
               the owning or creating group.

           shmowner=user

               Select records containing shared memory objects with user as
               the owning or creating user.

           sock=port_number|machine

               Select records containing socket objects with the specified
               port_number or the specified machine where machine is a
               machine name as defined in hosts(4).

           fmri=service instance

               Select records containing fault management resource
               identifier (FMRI) objects with the specified service
               instance. See smf(5).

       -r real-user

           Select records with the specified real-user.

       -s session-id

           Select audit records with the specified session-id.

       -u audit-user

           Select records with the specified audit-user.

       -z zone-name

           Select records from the specified zone name. The zone name
           selection is case-sensitive.

       When one or more filename arguments appear on the command line, only
       the named files are processed. Files specified in this way need not
       conform to the audit trail filename format. However, -M, -S, and -R
       must not be used when processing named files. If the filename is
       ``-'' then the input is taken from the standard input.

   Option Arguments
       audit-trail-file

           An audit trail file as defined in audit.log(4). An audit trail
           file not named on the command line must conform to the audit
           trail file name format. Audit trail files produced as output of
           auditreduce are in this format as well. The format is:

           start-time.end-time.suffix

           start-time is the 14 character time stamp denoting when the file
           was opened. end-time is the 14 character time stamp denoting when
           the file was closed. end-time can also be the literal string
           not_terminated, indicating the file is still being written to by
           the audit daemon or the file was not closed properly (a system
           crash or abrupt halt occurred). suffix is the name of the machine
           that generated the audit trail file (or some other meaningful
           suffix; for example, all would be a good suffix if the audit
           trail file contains a combined group of records from many
           machines).

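       The filename format just described (and in "Audit Trail Filename
       Format" above) is what -C and the default audit_root_dir/*/files scan
       rely on. The following added example (not auditreduce's own code)
       parses such a name into its three fields and lists the complete files
       under a root laid out as audit_root_dir/*/files, which is the set -C
       would read from that root. The host names, timestamps and the
       temporary directory in the demonstration are constructed for this
       example.

```sh
#!/bin/sh
# A 14-character yyyymmddhhmmss timestamp, as a shell pattern.
AUDIT_TS='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# audit_trail_parse NAME
#   Prints "start-time end-time suffix" and returns 0 if NAME conforms to
#   the audit trail filename format (end-time may be not_terminated);
#   returns 1 otherwise. A suffix may itself contain dots.
audit_trail_parse() {
    atp_name=$1
    case $atp_name in
        $AUDIT_TS.$AUDIT_TS.?*|$AUDIT_TS.not_terminated.?*) ;;
        *) return 1 ;;
    esac
    atp_start=${atp_name%%.*}
    atp_rest=${atp_name#*.}
    atp_end=${atp_rest%%.*}
    atp_suffix=${atp_rest#*.}
    printf '%s %s %s\n' "$atp_start" "$atp_end" "$atp_suffix"
}

# audit_trail_complete NAME
#   Returns 0 if NAME is well formed and its end-time is a real timestamp,
#   1 if it is malformed or still open (end-time not_terminated).
audit_trail_complete() {
    case $1 in
        $AUDIT_TS.$AUDIT_TS.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_trail_complete_files ROOT
#   Lists, one per line, every complete audit trail file below ROOT/*/files.
#   Files that do not follow the naming format are skipped like open ones.
audit_trail_complete_files() {
    for atcf_f in "$1"/*/files/*; do
        [ -f "$atcf_f" ] || continue
        if audit_trail_complete "${atcf_f##*/}"; then
            printf '%s\n' "$atcf_f"
        fi
    done
}

# Demonstration on a constructed audit root in a temporary directory.
atcf_demo=$(mktemp -d)
mkdir -p "$atcf_demo/host1/files" "$atcf_demo/host2/files"
: > "$atcf_demo/host1/files/19880413000000.19880413235959.host1"
: > "$atcf_demo/host1/files/19880414000000.not_terminated.host1"
: > "$atcf_demo/host2/files/19880413000000.19880413235959.host2"
: > "$atcf_demo/host2/files/README"
printf 'Complete files under %s:\n' "$atcf_demo"
audit_trail_complete_files "$atcf_demo"
rm -rf "$atcf_demo"
```

       Only the two files whose end-time is a full timestamp are listed;
       the not_terminated file (still open) and the stray README (not in
       the format at all) are skipped.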
       date-time

           The date-time argument to -a, -b, and -d can take one of two
           forms. An absolute date-time takes the form:

            yyyymmdd [ hh [ mm [ ss ]]]

           where yyyy specifies a year (with 1970 as the earliest value), mm
           is the month (01-12), dd is the day (01-31), hh is the hour
           (00-23), mm is the minute (00-59), and ss is the second (00-59).
           The default is 00 for hh, mm and ss.

           An offset can be specified as: +n d|h|m|s where n is a number of
           units, and the tags d, h, m, and s stand for days, hours, minutes
           and seconds, respectively. An offset is relative to the starting
           time. Thus, this form can only be used with the -b option.

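       The following added example (not auditreduce's own code) works
       through both forms: it normalizes an absolute date-time to the
       14-character yyyymmddhhmmss form with the 00 defaults, validates each
       field, and computes the absolute end time that an offset such as +3d
       yields from an -a start, which is how the EXAMPLES section's
       "-a 19880413 -b +3d" and "-a 19880413 -b 19880416" come to cover the
       same range. Assumptions: the absolute form is given as one
       contiguous digit string (for example 1988041314 for 14:00 on 13
       April 1988), and a day is taken as exactly 86400 seconds, so
       daylight-saving changes in the local zone are ignored.

```sh
#!/bin/sh
# dec N: strip leading zeros so $(( )) treats N as decimal, not octal.
dec() { dec_v=${1#"${1%%[!0]*}"}; printf '%s' "${dec_v:-0}"; }

# audit_datetime_fields TS14: prints "y mo d h mi s" as decimal numbers.
audit_datetime_fields() {
    adf_y=${1%??????????}
    adf_mo=${1#????};       adf_mo=${adf_mo%????????}
    adf_d=${1#??????};      adf_d=${adf_d%??????}
    adf_h=${1#????????};    adf_h=${adf_h%????}
    adf_mi=${1#??????????}; adf_mi=${adf_mi%??}
    adf_s=${1#????????????}
    printf '%s %s %s %s %s %s' "$(dec "$adf_y")" "$(dec "$adf_mo")" \
        "$(dec "$adf_d")" "$(dec "$adf_h")" "$(dec "$adf_mi")" "$(dec "$adf_s")"
}

# audit_datetime_normalize DATETIME
#   Pads yyyymmdd[hh[mm[ss]]] to 14 characters (missing fields default to
#   00), checks the ranges given in the text, prints the result or returns 1.
audit_datetime_normalize() {
    adn=$1
    case $adn in *[!0-9]*|"") return 1 ;; esac
    case ${#adn} in
        8)  adn=${adn}000000 ;;
        10) adn=${adn}0000 ;;
        12) adn=${adn}00 ;;
        14) ;;
        *)  return 1 ;;
    esac
    set -- $(audit_datetime_fields "$adn")
    [ "$1" -ge 1970 ] || return 1
    [ "$2" -ge 1 ] && [ "$2" -le 12 ] || return 1
    [ "$3" -ge 1 ] && [ "$3" -le 31 ] || return 1
    [ "$4" -le 23 ] && [ "$5" -le 59 ] && [ "$6" -le 59 ] || return 1
    printf '%s\n' "$adn"
}

# audit_offset_seconds OFFSET: converts the +n d|h|m|s form to seconds.
audit_offset_seconds() {
    case $1 in +[0-9]*[dhms]) ;; *) return 1 ;; esac
    aos_n=${1#+}; aos_n=${aos_n%?}
    case $aos_n in *[!0-9]*) return 1 ;; esac
    aos_n=$(dec "$aos_n")
    case ${1#"${1%?}"} in
        d) printf '%s\n' $((aos_n * 86400)) ;;
        h) printf '%s\n' $((aos_n * 3600)) ;;
        m) printf '%s\n' $((aos_n * 60)) ;;
        s) printf '%s\n' "$aos_n" ;;
    esac
}

# days_from_civil Y M D: days since 1970-01-01 (proleptic Gregorian).
days_from_civil() {
    dfc_y=$1; dfc_m=$2; dfc_d=$3
    [ "$dfc_m" -le 2 ] && dfc_y=$((dfc_y - 1))
    dfc_era=$((dfc_y / 400))
    dfc_yoe=$((dfc_y - dfc_era * 400))
    if [ "$dfc_m" -gt 2 ]; then dfc_mp=$((dfc_m - 3)); else dfc_mp=$((dfc_m + 9)); fi
    dfc_doy=$(( (153 * dfc_mp + 2) / 5 + dfc_d - 1 ))
    dfc_doe=$(( dfc_yoe * 365 + dfc_yoe / 4 - dfc_yoe / 100 + dfc_doy ))
    printf '%s' $(( dfc_era * 146097 + dfc_doe - 719468 ))
}

# civil_from_days DAYS: inverse of days_from_civil, prints "Y M D".
civil_from_days() {
    cfd_z=$(($1 + 719468))
    cfd_era=$((cfd_z / 146097))
    cfd_doe=$((cfd_z - cfd_era * 146097))
    cfd_yoe=$(( (cfd_doe - cfd_doe / 1460 + cfd_doe / 36524 - cfd_doe / 146096) / 365 ))
    cfd_doy=$(( cfd_doe - (365 * cfd_yoe + cfd_yoe / 4 - cfd_yoe / 100) ))
    cfd_mp=$(( (5 * cfd_doy + 2) / 153 ))
    cfd_d=$(( cfd_doy - (153 * cfd_mp + 2) / 5 + 1 ))
    if [ "$cfd_mp" -lt 10 ]; then cfd_m=$((cfd_mp + 3)); else cfd_m=$((cfd_mp - 9)); fi
    cfd_y=$(( cfd_yoe + cfd_era * 400 ))
    [ "$cfd_m" -le 2 ] && cfd_y=$((cfd_y + 1))
    printf '%s %s %s' "$cfd_y" "$cfd_m" "$cfd_d"
}

# audit_range_end START OFFSET
#   START is the absolute -a date-time, OFFSET the +n d|h|m|s form given to
#   -b; prints the absolute 14-character time the range runs up to.
#   Assumes 86400-second days (no DST adjustment).
audit_range_end() {
    are_start=$(audit_datetime_normalize "$1") || return 1
    are_off=$(audit_offset_seconds "$2") || return 1
    set -- $(audit_datetime_fields "$are_start")
    are_secs=$(( $(days_from_civil "$1" "$2" "$3") * 86400 + $4 * 3600 + $5 * 60 + $6 + are_off ))
    set -- $(civil_from_days $((are_secs / 86400)))
    are_rem=$((are_secs % 86400))
    printf '%04d%02d%02d%02d%02d%02d\n' "$1" "$2" "$3" \
        $((are_rem / 3600)) $((are_rem % 3600 / 60)) $((are_rem % 60))
}

# The man page's two equivalent ranges for April 13, 14 and 15, 1988.
audit_datetime_normalize 1988041314   # 19880413140000
audit_range_end 19880413 +3d          # 19880416000000
```

       The last call shows why the EXAMPLES section gives 19880416, not
       19880415, as the absolute -b value: an absolute date-time defaults
       to midnight, and -b selects records before it.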
       event

           The literal string or ordinal event number as found in
           audit_event(4). If event is not found in the audit_event file it
           is considered invalid.

       group

           The literal string or ordinal group ID number as found in
           group(4). If group is not found in the group file it is
           considered invalid. group can be negative.

       label

           The literal string representation of a MAC label or a range of
           two valid MAC labels. To specify a range, use x;y where x and y
           are valid MAC labels. Only those records that are fully bounded
           by x and y will be selected. If x or y is omitted, the default
           uses ADMIN_LOW or ADMIN_HIGH respectively. Notice that quotes
           must be used when specifying a range.

       pathname

           A regular expression describing a pathname.

       user

           The literal username or ordinal user ID number as found in
           passwd(4). If the username is not found in the passwd file it is
           considered invalid. user can be negative.


EXAMPLES

       Example 1 The auditreduce command

       praudit(1M) is available to display audit records in a human-readable
       form.

       This will display the entire audit trail in a human-readable form:

         % auditreduce | praudit

       If all the audit trail files are being combined into one large file,
       then deleting the original files could be desirable to prevent the
       records from appearing twice:

         % auditreduce -V -D /etc/security/audit/combined/all

       This displays what user milner did on April 13, 1988. The output is
       displayed in a human-readable form to the standard output:

         % auditreduce -d 19880413 -u milner | praudit

       The above example might produce a large volume of data if milner has
       been busy. Perhaps looking at only login and logout times would be
       simpler. The -c option will select records from a specified class:

         % auditreduce -d 19880413 -u milner -c lo | praudit

       To see milner's login/logout activity for April 13, 14, and 15, the
       following is used. The results are saved to a file in the current
       working directory. Notice that the name of the output file will have
       milnerlo as the suffix, with the appropriate timestamp prefixes.
       Notice also that the long form of the name is used for the -c
       option:

         % auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo

       To follow milner's movement about the file system on April 13, 14,
       and 15 the chdir record types could be viewed. Notice that in order
       to get the same time range as the above example we needed to specify
       the -b time as the day after our range. This is because 19880416
       defaults to midnight of that day, and records before that fall on
       0415, the end-day of the range.

         % auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit

       In this example, the audit records are being collected in summary
       form (the login/logout records only). The records are being written
       to a summary file in a different directory than the normal audit
       root to prevent the selected records from existing twice in the
       audit root.

         % auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins

       If activity for user ID 9944 has been observed, but that user is not
       known to the system administrator, then the command in the following
       example searches the entire audit trail for any records generated by
       that user. auditreduce queries the system about the current validity
       of ID 9944 and displays a warning message if it is not currently
       active:

         % auditreduce -O /etc/security/audit_suspect/user9944 -u 9944

       To get an audit log of only the global zone:

         % auditreduce -z global


FILES

       /etc/security/audit/server/files/*

           location of audit trails, when stored


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │See below.                   │
       └─────────────────────────────┴─────────────────────────────┘

       The command invocation is Stable. The binary file format is Stable.
       The binary file contents are Unstable.


SEE ALSO

       bsmconv(1M), praudit(1M), audit.log(4), audit_class(4),
       audit_control(4), group(4), hosts(4), passwd(4), attributes(5),
       smf(5)

       See the section on Solaris Auditing in System Administration Guide:
       Security Services.


DIAGNOSTICS

       auditreduce displays error messages if there are command line errors
       and then exits. If there are fatal errors during the run, auditreduce
       displays an explanatory message and exits. In this case, the output
       file might be in an inconsistent state (no trailer or partially
       written record) and auditreduce displays a warning message before
       exiting. Successful invocation returns 0 and unsuccessful invocation
       returns 1.

       Since auditreduce might be processing a large number of input files,
       it is possible that the machine-wide limit on open files will be
       exceeded. If this happens, auditreduce displays a message to that
       effect, gives information on how many files there are, and exits.

       If auditreduce displays a record's timestamp in a diagnostic message,
       that time is in local time. However, when filenames are displayed,
       their timestamps are in GMT.


BUGS

       Conjunction, disjunction, negation, and grouping of record selection
       options should be allowed.


NOTES

       The functionality described in this man page is available only if
       Solaris Auditing has been enabled. See bsmconv(1M) for more
       information.

       The -z option should be used only if the audit policy zonename is
       set. If there is no zonename token, then no records will be selected.

SunOS 5.11                        10 Apr 2006                  auditreduce(1M)