auditreduce(1M)          System Administration Commands          auditreduce(1M)

NAME
     auditreduce - merge and select audit records from audit trail files

SYNOPSIS
     auditreduce [options] [audit-trail-file]...

DESCRIPTION
     auditreduce allows you to select or merge records from audit trail
     files. Audit files can be from one or more machines.

     The merge function merges together audit records from one or more input
     audit trail files into a single output file. The records in an audit
     trail file are assumed to be sorted in chronological order (oldest
     first) and this order is maintained by auditreduce in the output file.

     Unless instructed otherwise, auditreduce will merge the entire audit
     trail, which consists of all the audit trail files in the directory
     structure audit_root_dir/*/files (see audit_control(4) for details of
     the structure of the audit root). Unless specified with the -R or -S
     option, audit_root_dir defaults to /etc/security/audit. By using the
     file selection options it is possible to select some subset of these
     files, or files from another directory, or files named explicitly on
     the command line.

     The select function allows audit records to be selected on the basis of
     numerous criteria relating to the record's content (see audit.log(4)
     for details of record content). A record must meet all of the
     record-selection-option criteria to be selected.

  Audit Trail Filename Format
     Any audit trail file not named on the command line must conform to the
     audit trail filename format. Files produced by the audit system already
     have this format. Output file names produced by auditreduce are in this
     format. It is:

          start-time.end-time.suffix

     where start-time is the 14-character timestamp of when the file was
     opened, end-time is the 14-character timestamp of when the file was
     closed, and suffix is the name of the machine which generated the audit
     trail file, or some other meaningful suffix (for example, all, if the
     file contains a combined group of records from many machines). The
     end-time can be the literal string not_terminated, to indicate that the
     file is still being written to by the audit system. Timestamps are of
     the form yyyymmddhhmmss (year, month, day, hour, minute, second). The
     timestamps are in Greenwich Mean Time (GMT).
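     The shell functions below are an added illustration and are not part of
     this man page or of the Solaris auditreduce sources. They check names
     against the format described here (and restated under Option Arguments),
     and list the files in a directory whose name range overlaps a GMT window,
     skipping not_terminated files the way -C does. The directory contents and
     host names are constructed for the demonstration.

```sh
# Added example, not from the auditreduce man page: check names against the
# start-time.end-time.suffix format and pick the files that can hold records
# for a time window, the way the -C option and an -a/-b range narrow the
# files auditreduce opens under the audit root.

# Print "start end suffix" for a conforming name; return 1 otherwise (such
# a file can only be processed if it is named on the command line).
audit_trail_parse() {
    name=${1##*/}
    ts='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'
    case $name in
        $ts.$ts.?*|$ts.not_terminated.?*) ;;
        *) return 1 ;;
    esac
    start=${name%%.*}; rest=${name#*.}
    echo "$start ${rest%%.*} ${rest#*.}"
}

# List the files in dir whose [start, end] range overlaps the GMT window
# [from, to). complete_only=1 skips not_terminated files like -C does;
# otherwise such a file is treated as open-ended. The fixed 14-digit
# format lets the timestamps be compared as numbers.
audit_trail_select() {
    dir=$1; from=$2; to=$3; complete_only=${4:-0}
    for f in "$dir"/*; do
        fields=$(audit_trail_parse "$f") || continue
        set -- $fields
        start=$1; end=$2
        if [ "$end" = not_terminated ]; then
            if [ "$complete_only" -eq 1 ]; then continue; fi
            end=99999999999999
        fi
        if [ "$start" -lt "$to" ] && [ "$end" -ge "$from" ]; then
            echo "${f##*/}"
        fi
    done
}

# Constructed sample directory: two closed files, one still being written,
# and one file that does not follow the naming format.
demo=$(mktemp -d)
for n in 19880412000000.19880412235959.hostB 19880413000000.19880413235959.hostA \
         19880414000000.not_terminated.hostA notes.txt; do : > "$demo/$n"; done
echo "complete files overlapping 13-15 April 1988 (GMT):"
audit_trail_select "$demo" 19880413000000 19880416000000 1
rm -rf "$demo"
```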

OPTIONS
  File Selection Options
     The file selection options indicate which files are to be processed and
     certain types of special treatment.

     -A
          All of the records from the input files will be selected regardless
          of their timestamp. This option effectively disables the -a, -b,
          and -d options. This is useful in preventing the loss of records if
          the -D option is used to delete the input files after they are
          processed. Note, however, that if a record is not selected due to
          another option, then -A will not override that.

     -C
          Only process complete files. Files whose filename end-time
          timestamp is not_terminated are not processed (such a file is
          currently being written to by the audit system). This is useful in
          preventing the loss of records if -D is used to delete the input
          files after they are processed. It does not apply to files
          specified on the command line.

     -D suffix
          Delete input files after they are read if the entire run is
          successful. If auditreduce detects an error while reading a file,
          then that file is not deleted. If -D is specified, -A, -C and -O
          are also implied. suffix is given to the -O option. This helps
          prevent the loss of audit records by ensuring that all of the
          records are written, only complete files are processed, and the
          records are written to a file before being deleted. Note that if
          both -D and -O are specified in the command line, the order of
          specification is significant. The suffix associated with the
          latter specification is in effect.

     -M machine
          Allows selection of records from files with machine as the filename
          suffix. If -M is not specified, all files are processed regardless
          of suffix. -M can also be used to allow selection of records from
          files that contain combined records from many machines and have a
          common suffix (such as all).

     -N
          Select objects in new mode. This flag is off by default, thus
          retaining backward compatibility. In the existing, old mode,
          specifying the -e, -f, -g, -r, or -u flags would select not only
          actions taken with those IDs, but also certain objects owned by
          those IDs. When running in new mode, only actions are selected. In
          order to select objects, the -o option must be used.

     -O suffix
          Direct output stream to a file in the current audit_root_dir with
          the indicated suffix. suffix can alternatively contain a full
          pathname, in which case the last component is taken as the suffix,
          ahead of which the timestamps will be placed, ahead of which the
          remainder of the pathname will be placed. If the -O option is not
          specified, the output is sent to the standard output. When
          auditreduce places timestamps in the filename, it uses the times of
          the first and last records in the merge as the start-time and
          end-time.

     -Q
          Quiet. Suppress notification about errors with input files.

     -R pathname
          Specify the pathname of an alternate audit root directory
          audit_root_dir to be pathname. Therefore, rather than using
          /etc/security/audit/*/files by default, pathname/*/files will be
          examined instead.

          Note -

          The root file system of any non-global zones must not be
          referenced with the -R option. Doing so might damage the global
          zone's file system, might compromise the security of the global
          zone, and might damage the non-global zone's file system. See
          zones(5).

     -S server
          This option causes auditreduce to read audit trail files from a
          specific location (server directory). server is normally
          interpreted as the name of a subdirectory of the audit root,
          therefore auditreduce will look in audit_root_dir/server/files for
          the audit trail files. But if server contains any `/' characters,
          it is the name of a specific directory not necessarily contained
          in the audit root. In this case, server/files will be consulted.
          This option allows archived files to be manipulated easily, without
          requiring that they be physically located in a directory structure
          like that of /etc/security/audit.

     -V
          Verbose. Display the name of each file as it is opened, and how
          many records total were written to the output stream.

  Record Selection Options
     The record selection options listed below are used to indicate which
     records are written to the output file produced by auditreduce.

     Multiple arguments of the same type are not permitted.

     -a date-time
          Select records that occurred at or after date-time. The date-time
          argument is described under Option Arguments, below. date-time is
          in local time. The -a and -b options can be used together to form
          a range.

     -b date-time
          Select records that occurred before date-time.

     -c audit-classes
          Select records by audit class. Records with events that are mapped
          to the audit classes specified by audit-classes are selected. Audit
          class names are defined in audit_class(4). The audit-classes can
          be a comma separated list of audit flags like those described in
          audit_control(4). Using the audit flags, one can select records
          based upon success and failure criteria.

     -d date-time
          Select records that occurred on a specific day (a 24-hour period
          beginning at 00:00:00 of the day specified and ending at
          23:59:59). The day specified is in local time. The time portion of
          the argument, if supplied, is ignored. Any records with timestamps
          during that day are selected. If any hours, minutes, or seconds
          are given in time, they are ignored. -d cannot be used with -a or
          -b.

     -e effective-user
          Select records with the specified effective-user.

     -f effective-group
          Select records with the specified effective-group.

     -g real-group
          Select records with the specified real-group.

     -j subject-ID
          Select records with the specified subject-ID where subject-ID is a
          process ID.

     -l label
          Select records with the specified label (or label range), as
          explained under "Option Arguments," below. This option is available
          only if the system is configured with Trusted Extensions.

     -m event
          Select records with the indicated event. The event is the literal
          string or the event number.

     -o object_type=objectID_value
          Select records by object type. A match occurs when the record
          contains the information describing the specified object_type and
          the object ID equals the value specified by objectID_value. The
          allowable object types and values are as follows:

          file=pathname
               Select records containing file system objects with the
               specified pathname, where pathname is a comma separated list
               of regular expressions. If a regular expression is preceded
               by a tilde (~), files matching the expression are excluded
               from the output. For example, the option
               file=~/usr/openwin,/usr,/etc would select all files in /usr
               or /etc except those in /usr/openwin. The order of the
               regular expressions is important because auditreduce
               processes them from left to right, and stops when a file is
               known to be either selected or excluded. Thus the option
               file=/usr,/etc,~/usr/openwin would select all files in /usr
               and all files in /etc. Files in /usr/openwin are not excluded
               because the regular expression /usr is matched first. Care
               should be given in surrounding the pathname with quotes so as
               to prevent the shell from expanding any tildes.

          filegroup=group
               Select records containing file system objects with group as
               the owning group.

          fileowner=user
               Select records containing file system objects with user as
               the owning user.

          msgqid=ID
               Select records containing message queue objects with the
               specified ID where ID is a message queue ID.

          msgqgroup=group
               Select records containing message queue objects with group as
               the owning or creating group.

          msgqowner=user
               Select records containing message queue objects with user as
               the owning or creating user.

          pid=ID
               Select records containing process objects with the specified
               ID where ID is a process ID. Processes are objects when they
               are receivers of signals.

          procgroup=group
               Select records containing process objects with group as the
               real or effective group.

          procowner=user
               Select records containing process objects with user as the
               real or effective user.

          semid=ID
               Select records containing semaphore objects with the
               specified ID where ID is a semaphore ID.

          semgroup=group
               Select records containing semaphore objects with group as the
               owning or creating group.

          semowner=user
               Select records containing semaphore objects with user as the
               owning or creating user.

          shmid=ID
               Select records containing shared memory objects with the
               specified ID where ID is a shared memory ID.

          shmgroup=group
               Select records containing shared memory objects with group as
               the owning or creating group.

          shmowner=user
               Select records containing shared memory objects with user as
               the owning or creating user.

          sock=port_number|machine
               Select records containing socket objects with the specified
               port_number or the specified machine where machine is a
               machine name as defined in hosts(4).

          fmri=service instance
               Select records containing fault management resource
               identifier (FMRI) objects with the specified service
               instance. See smf(5).

     -r real-user
          Select records with the specified real-user.

     -s session-id
          Select audit records with the specified session-id.

     -u audit-user
          Select records with the specified audit-user.

     -z zone-name
          Select records from the specified zone name. The zone name
          selection is case-sensitive.

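     The shell functions below are an added illustration of the left-to-right,
     first-match-wins evaluation described for -o file=pathname above; they
     are not part of this man page or of the auditreduce sources. grep's basic
     regular expressions stand in for the regular expression library
     auditreduce itself uses (an assumption), and the sample paths are
     constructed.

```sh
# Added example, not from the auditreduce man page: the left-to-right,
# first-match-wins evaluation the page describes for -o file=pathname, with
# a leading ~ marking an exclusion. grep's basic regular expressions stand in
# for whatever regex library auditreduce uses (an assumption), and the
# patterns are unanchored, as in the page's /usr and /etc examples.

# audit_file_selected PATH PATTERNS: return 0 if PATH would be selected.
# Scanning stops at the first pattern that matches, selecting or excluding,
# so the order of the comma-separated list decides the result.
audit_file_selected() {
    path=$1; list=$2
    while [ -n "$list" ]; do
        pat=${list%%,*}
        if [ "$pat" = "$list" ]; then list=''; else list=${list#*,}; fi
        case $pat in
            '~'*) verdict=1; re=${pat#'~'} ;;   # exclusion
            *)    verdict=0; re=$pat ;;          # selection
        esac
        if printf '%s\n' "$path" | grep -q -- "$re"; then
            return $verdict
        fi
    done
    return 1   # no pattern matched: not selected
}

# Report the verdict for each path. Quote the list so the shell does not
# expand the tilde, as the page advises.
audit_file_report() {
    list=$1; shift
    for p in "$@"; do
        if audit_file_selected "$p" "$list"; then echo "selected $p"
        else echo "excluded $p"; fi
    done
}

# The two orderings from the page: only the first one excludes /usr/openwin.
audit_file_report '~/usr/openwin,/usr,/etc' /usr/openwin/bin/xterm /etc/passwd
audit_file_report '/usr,/etc,~/usr/openwin' /usr/openwin/bin/xterm /etc/passwd
```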

     When one or more filename arguments appear on the command line, only
     the named files are processed. Files specified in this way need not
     conform to the audit trail filename format. However, -M, -S, and -R
     must not be used when processing named files. If the filename is ``-''
     then the input is taken from the standard input.

  Option Arguments
     audit-trail-file
          An audit trail file as defined in audit.log(4). An audit trail file
          not named on the command line must conform to the audit trail file
          name format. Audit trail files produced as output of auditreduce
          are in this format as well. The format is:

               start-time.end-time.suffix

          start-time is the 14 character time stamp denoting when the file
          was opened. end-time is the 14 character time stamp denoting when
          the file was closed. end-time can also be the literal string
          not_terminated, indicating the file is still being written to by
          the audit daemon or the file was not closed properly (a system
          crash or abrupt halt occurred). suffix is the name of the machine
          that generated the audit trail file (or some other meaningful
          suffix; for example, all would be a good suffix if the audit trail
          file contains a combined group of records from many machines).

     date-time
          The date-time argument to -a, -b, and -d can be of two forms: An
          absolute date-time takes the form:

               yyyymmdd [ hh [ mm [ ss ]]]

          where yyyy specifies a year (with 1970 as the earliest value), mm
          is the month (01-12), dd is the day (01-31), hh is the hour
          (00-23), mm is the minute (00-59), and ss is the second (00-59).
          The default is 00 for hh, mm and ss.

          An offset can be specified as: +n d|h|m|s where n is a number of
          units, and the tags d, h, m, and s stand for days, hours, minutes
          and seconds, respectively. An offset is relative to the starting
          time. Thus, this form can only be used with the -b option.

     event
          The literal string or ordinal event number as found in
          audit_event(4). If event is not found in the audit_event file it is
          considered invalid.

     group
          The literal string or ordinal group ID number as found in group(4).
          If group is not found in the group file it is considered invalid.
          group can be negative.

     label
          The literal string representation of a MAC label or a range of two
          valid MAC labels. To specify a range, use x;y where x and y are
          valid MAC labels. Only those records that are fully bounded by x
          and y will be selected. If x or y is omitted, the default uses
          ADMIN_LOW or ADMIN_HIGH respectively. Notice that quotes must be
          used when specifying a range.

     pathname
          A regular expression describing a pathname.

     user
          The literal username or ordinal user ID number as found in
          passwd(4). If the username is not found in the passwd file it is
          considered invalid. user can be negative.

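     The shell functions below are an added illustration of the date-time
     argument rules above (the yyyymmdd[hh[mm[ss]]] form with 00 defaults and
     the +n offset relative to the -a start); they are not part of this man
     page or of the auditreduce sources. The calendar arithmetic is done in
     shell so the functions run without GNU date; function names are
     invented for the example.

```sh
# Added example, not from the auditreduce man page: resolve the -a/-b/-d
# date-time arguments as the Option Arguments section defines them, using
# shell arithmetic only (proleptic Gregorian, years >= 1970), so no GNU date.
# Split a 14-character timestamp into y m d hh mi ss; a leading zero is
# stripped so that "08" and "09" are safe inside $(( )).
audit_ts_split() {
    y=${1%??????????}; r=${1#????}
    m=${r%????????}; m=${m#0}; r=${r#??}
    d=${r%??????}; d=${d#0}; r=${r#??}
    hh=${r%????}; hh=${hh#0}; r=${r#??}
    mi=${r%??}; mi=${mi#0}; ss=${r#??}; ss=${ss#0}
}
# yyyymmdd[hh[mm[ss]]] -> yyyymmddhhmmss, missing fields default to 00;
# returns 1 for anything that is not a valid absolute date-time.
audit_datetime_abs() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    case ${#1} in 8|10|12|14) ;; *) return 1 ;; esac
    t=$(printf '%.14s' "${1}000000")
    audit_ts_split "$t"
    if [ "$y" -lt 1970 ] || [ "$m" -lt 1 ] || [ "$m" -gt 12 ] ||
       [ "$d" -lt 1 ] || [ "$d" -gt 31 ] || [ "$hh" -gt 23 ] ||
       [ "$mi" -gt 59 ] || [ "$ss" -gt 59 ]; then
        return 1
    fi
    echo "$t"
}
# Days since 1970-01-01 for a civil date and the inverse (Hinnant's
# days_from_civil / civil_from_days, simplified for non-negative years).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}
civil_from_days() {
    z=$(( $1 + 719468 )); era=$((z / 146097)); doe=$((z - era * 146097))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$((yoe + era * 400)); doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 )); d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    if [ "$mp" -lt 10 ]; then m=$((mp + 3)); else m=$((mp - 9)); fi
    if [ "$m" -le 2 ]; then y=$((y + 1)); fi
    printf '%04d%02d%02d\n' "$y" "$m" "$d"
}
# 14-character timestamp <-> seconds since the epoch.
audit_ts_to_secs() {
    audit_ts_split "$1"
    echo $(( $(days_from_civil "$y" "$m" "$d") * 86400 + hh * 3600 + mi * 60 + ss ))
}
audit_secs_to_ts() {
    rem=$(( $1 % 86400 ))
    printf '%s%02d%02d%02d\n' "$(civil_from_days $(( $1 / 86400 )))" \
        $((rem / 3600)) $((rem % 3600 / 60)) $((rem % 60))
}
# Absolute end of the range "-a start -b +n{d|h|m|s}": the offset counts
# from the -a start, which is why the page allows it only with -b.
audit_range_end() {
    start=$(audit_datetime_abs "$1") || return 1
    case $2 in +*) off=${2#+} ;; *) return 1 ;; esac
    unit=${off#"${off%?}"}; n=${off%?}
    case $n in ''|*[!0-9]*) return 1 ;; esac
    case $unit in d) mult=86400 ;; h) mult=3600 ;; m) mult=60 ;; s) mult=1 ;;
                  *) return 1 ;; esac
    audit_secs_to_ts $(( $(audit_ts_to_secs "$start") + n * mult ))
}
```

     With these, "-a 19880413 -b +3d" resolves to the same end as
     "-b 19880416", which is the equivalence the EXAMPLES section relies on.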

EXAMPLES
     Example 1 The auditreduce command

     praudit(1M) is available to display audit records in a human-readable
     form.

     This will display the entire audit trail in a human-readable form:

          % auditreduce | praudit

     If all the audit trail files are being combined into one large file,
     then deleting the original files could be desirable to prevent the
     records from appearing twice:

          % auditreduce -V -D /etc/security/audit/combined/all

     This displays what user milner did on April 13, 1988. The output is
     displayed in a human-readable form to the standard output:

          % auditreduce -d 19880413 -u milner | praudit

     The above example might produce a large volume of data if milner has
     been busy. Perhaps looking at only login and logout times would be
     simpler. The -c option will select records from a specified class:

          % auditreduce -d 19880413 -u milner -c lo | praudit

     To see milner's login/logout activity for April 13, 14, and 15, the
     following is used. The results are saved to a file in the current
     working directory. Notice that the name of the output file will have
     milnerlo as the suffix, with the appropriate timestamp prefixes. Notice
     also that the long form of the name is used for the -c option:

          % auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo

     To follow milner's movement about the file system on April 13, 14, and
     15 the chdir record types could be viewed. Notice that in order to get
     the same time range as the above example we needed to specify the -b
     time as the day after our range. This is because 19880416 defaults to
     midnight of that day, and records before that fall on 0415, the end-day
     of the range.

          % auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit

     In this example, the audit records are being collected in summary form
     (the login/logout records only). The records are being written to a
     summary file in a different directory than the normal audit root to
     prevent the selected records from existing twice in the audit root.

          % auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins

     If activity for user ID 9944 has been observed, but that user is not
     known to the system administrator, then the command in the following
     example searches the entire audit trail for any records generated by
     that user. auditreduce queries the system about the current validity of
     ID 9944 and displays a warning message if it is not currently active:

          % auditreduce -O /etc/security/audit_suspect/user9944 -u 9944

     To get an audit log of only the global zone:

          % auditreduce -z global

FILES
     /etc/security/audit/server/files/*
          location of audit trails, when stored

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE             │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsu                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │See below.                   │
     └─────────────────────────────┴─────────────────────────────┘

     The command invocation is Stable. The binary file format is Stable. The
     binary file contents are Unstable.

SEE ALSO
     bsmconv(1M), praudit(1M), audit.log(4), audit_class(4),
     audit_control(4), group(4), hosts(4), passwd(4), attributes(5), smf(5)

     See the section on Solaris Auditing in System Administration Guide:
     Security Services.

DIAGNOSTICS
     auditreduce displays error messages if there are command line errors
     and then exits. If there are fatal errors during the run, auditreduce
     displays an explanatory message and exits. In this case, the output
     file might be in an inconsistent state (no trailer or partially written
     record) and auditreduce displays a warning message before exiting.
     Successful invocation returns 0 and unsuccessful invocation returns 1.

     Since auditreduce might be processing a large number of input files, it
     is possible that the machine-wide limit on open files will be exceeded.
     If this happens, auditreduce displays a message to that effect, gives
     information on how many files there are, and exits.

     If auditreduce displays a record's timestamp in a diagnostic message,
     that time is in local time. However, when filenames are displayed,
     their timestamps are in GMT.

BUGS
     Conjunction, disjunction, negation, and grouping of record selection
     options should be allowed.

NOTES
     The functionality described in this man page is available only if the
     Solaris Auditing has been enabled. See bsmconv(1M) for more
     information.

     The -z option should be used only if the audit policy zonename is set.
     If there is no zonename token, then no records will be selected.

SunOS 5.11                       10 Apr 2006                    auditreduce(1M)