'\" te
.\" Copyright (c) 2006 Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDITREDUCE 1M "Mar 6, 2017"
.SH NAME
auditreduce \- merge and select audit records from audit trail files
.SH SYNOPSIS
.LP
.nf
\fBauditreduce\fR [\fIoptions\fR] [\fIaudit-trail-file\fR]...
.fi

.SH DESCRIPTION
.LP
\fBauditreduce\fR allows you to select or merge records from audit trail files.
Audit files can be from one or more machines.
.sp
.LP
The merge function merges together audit records from one or more input audit
trail files into a single output file. The records in an audit trail file are
assumed to be sorted in chronological order (oldest first) and this order is
maintained by \fBauditreduce\fR in the output file.
.sp
.LP
Unless instructed otherwise, \fBauditreduce\fR will merge the entire audit
trail, which consists of all the audit trail files in the directory structure
\fIaudit_root_dir\fR/*/files. Unless specified with the -\fBR\fR or -\fBS\fR
option, \fIaudit_root_dir\fR defaults to \fB/etc/security/audit\fR. By using
the file selection options it is possible to select some subset of these files,
or files from another directory, or files named explicitly on the command line.
.sp
.LP
The select function allows audit records to be selected on the basis of
numerous criteria relating to the record's content (see \fBaudit.log\fR(4) for
details of record content). A record must meet all of the
\fIrecord-selection-option\fR criteria to be selected.
.SS "Audit Trail Filename Format"
.LP
Any audit trail file not named on the command line must conform to the audit
trail filename format. Files produced by the audit system already have this
format. Output file names produced by \fBauditreduce\fR are in this format. It
is:
.sp
.in +2
.nf
\fIstart-time\fR\fB\&.\fR\fI\|end-time\fR\fB\&.\fR\fI\|suffix\fR
.fi
.in -2
.sp

.sp
.LP
where \fIstart-time\fR is the 14-character timestamp of when the file was
opened, \fIend-time\fR is the 14-character timestamp of when the file was
closed, and \fIsuffix\fR is the name of the machine which generated the audit
trail file, or some other meaningful suffix (for example, \fBall\fR, if the
file contains a combined group of records from many machines). The
\fIend-time\fR can be the literal string \fBnot_terminated\fR, to indicate that
the file is still being written to by the audit system. Timestamps are of the
form \fIyyyymmddhhmmss\fR (year, month, day, hour, minute, second). The
timestamps are in Greenwich Mean Time (GMT).
.SH OPTIONS
.SS "File Selection Options"
.LP
The file selection options indicate which files are to be processed and certain
types of special treatment.
.sp
.ne 2
.na
\fB\fB-A\fR\fR
.ad
.sp .6
.RS 4n
All of the records from the input files will be selected regardless of their
timestamp. This option effectively disables the \fB-a\fR, \fB-b\fR, and
\fB-d\fR options. This is useful in preventing the loss of records if the
\fB-D\fR option is used to delete the input files after they are processed.
Note, however, that if a record is \fInot\fR selected due to another option,
then \fB-A\fR will not override that.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR\fR
.ad
.sp .6
.RS 4n
Only process complete files. Files whose filename \fIend-time\fR timestamp is
\fBnot_terminated\fR are not processed (such a file is currently being written
to by the audit system). This is useful in preventing the loss of records if
\fB-D\fR is used to delete the input files after they are processed. It does
not apply to files specified on the command line.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR \fIsuffix\fR\fR
.ad
.sp .6
.RS 4n
Delete input files after they are read if the entire run is successful. If
\fBauditreduce\fR detects an error while reading a file, then that file is not
deleted. If \fB-D\fR is specified, \fB-A\fR, \fB-C\fR and \fB-O\fR are also
implied. \fIsuffix\fR is given to the \fB-O\fR option. This helps prevent the
loss of audit records by ensuring that all of the records are written, only
complete files are processed, and the records are written to a file before
being deleted. Note that if both \fB-D\fR and \fB-O\fR are specified in the
command line, the order of specification is significant. The \fIsuffix\fR
associated with the latter specification is in effect.
.RE

.sp
.ne 2
.na
\fB\fB-M\fR \fImachine\fR\fR
.ad
.sp .6
.RS 4n
Allows selection of records from files with \fImachine\fR as the filename
suffix. If \fB-M\fR is not specified, all files are processed regardless of
suffix. \fB-M\fR can also be used to allow selection of records from files that
contain combined records from many machines and have a common suffix (such as
\fBall\fR).
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\fR
.ad
.sp .6
.RS 4n
Select objects in \fBnew mode\fR. This flag is off by default, thus retaining
backward compatibility. In the existing, \fBold mode\fR, specifying the
\fB-e\fR, \fB-f\fR, \fB-g\fR, \fB-r\fR, or \fB-u\fR flags would select not only
actions taken with those \fBID\fRs, but also certain objects owned by those
\fBID\fRs. When running in \fBnew mode\fR, only actions are selected. In order
to select objects, the \fB-o\fR option must be used.
.RE

.sp
.ne 2
.na
\fB\fB-O\fR \fIsuffix\fR\fR
.ad
.sp .6
.RS 4n
Direct output stream to a file in the current \fBaudit_root_dir\fR with the
indicated suffix. \fIsuffix\fR can alternatively contain a full pathname, in
which case the last component is taken as the suffix, ahead of which the
timestamps will be placed, ahead of which the remainder of the pathname will be
placed. If the \fB-O\fR option is not specified, the output is sent to the
standard output. When \fBauditreduce\fR places timestamps in the filename, it
uses the times of the first and last records in the merge as the
\fIstart-time\fR and \fIend-time\fR.
.RE

.sp
.ne 2
.na
\fB\fB-Q\fR\fR
.ad
.sp .6
.RS 4n
Quiet. Suppress notification about errors with input files.
.RE

.sp
.ne 2
.na
\fB\fB-R\fR \fIpathname\fR\fR
.ad
.sp .6
.RS 4n
Specify the pathname of an alternate audit root directory \fIaudit_root_dir\fR
to be \fIpathname\fR. Therefore, rather than using
\fB/etc/security/audit\fR/*/files by default, \fIpathname\fR/*/files will be
examined instead.
.LP
Note -
.sp
.RS 2
The root file system of any non-global zones must not be referenced with the
\fB-R\fR option. Doing so might damage the global zone's file system, might
compromise the security of the global zone, and might damage the non-global
zone's file system. See \fBzones\fR(5).
.RE
.RE

.sp
.ne 2
.na
\fB\fB-S\fR \fIserver\fR\fR
.ad
.sp .6
.RS 4n
This option causes \fBauditreduce\fR to read audit trail files from a specific
location (server directory). \fIserver\fR is normally interpreted as the name
of a subdirectory of the audit root, therefore \fBauditreduce\fR will look in
\fIaudit_root_dir\fR/\fIserver\fR/files for the audit trail files. But if
\fIserver\fR contains any `\fB/\fR' characters, it is the name of a specific
directory not necessarily contained in the audit root. In this case,
\fIserver\fR/files will be consulted. This option allows archived files to be
manipulated easily, without requiring that they be physically located in a
directory structure like that of \fB/etc/security/audit\fR.
.RE

.sp
.ne 2
.na
\fB\fB-V\fR\fR
.ad
.sp .6
.RS 4n
Verbose. Display the name of each file as it is opened, and how many records
total were written to the output stream.
.RE

.SS "Record Selection Options"
.LP
The record selection options listed below are used to indicate which records
are written to the output file produced by \fBauditreduce\fR.
.sp
.LP
Multiple arguments of the same type are not permitted.
.sp
.ne 2
.na
\fB\fB-a\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred at or after \fIdate-time\fR. The \fIdate-time\fR
argument is described under \fBOption Arguments\fR, below. \fIdate-time\fR is
in local time. The \fB-a\fR and \fB-b\fR options can be used together to form a
range.
.RE

.sp
.ne 2
.na
\fB\fB-b\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred before \fIdate-time\fR.
.RE

.sp
.ne 2
.na
\fB\fB-c\fR \fIaudit-classes\fR\fR
.ad
.sp .6
.RS 4n
Select records by audit class. Records with events that are mapped to the audit
classes specified by \fIaudit-classes\fR are selected. Audit class names are
defined in \fBaudit_class\fR(4). Using the \fBaudit\fR \fIflags\fR, one can
select records based upon success and failure criteria.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred on a specific day (a 24-hour period beginning at
00:00:00 of the day specified and ending at 23:59:59). The day specified is in
local time. The time portion of the argument, if supplied, is ignored. Any
records with timestamps during that day are selected. If any hours, minutes, or
seconds are given in \fItime\fR, they are ignored. \fB-d\fR cannot be used
with \fB-a\fR or \fB-b\fR.
.RE

.sp
.ne 2
.na
\fB\fB-e\fR \fIeffective-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIeffective-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR \fIeffective-group\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIeffective-group\fR.
.RE

.sp
.ne 2
.na
\fB\fB-g\fR \fIreal-group\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIreal-group\fR.
.RE

.sp
.ne 2
.na
\fB\fB-j\fR \fIsubject-ID\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIsubject-ID\fR where \fIsubject-ID\fR is a
process ID.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR \fIlabel\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified label (or label range), as explained under
"Option Arguments," below. This option is available only if the system is
configured with Trusted Extensions.
.RE

.sp
.ne 2
.na
\fB\fB-m\fR \fIevent\fR\fR
.ad
.sp .6
.RS 4n
Select records with the indicated \fIevent\fR. The \fIevent\fR is the literal
string or the \fIevent\fR number.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR \fIobject_type=objectID_value\fR\fR
.ad
.sp .6
.RS 4n
Select records by object type. A match occurs when the record contains the
information describing the specified \fIobject_type\fR and the object ID equals
the value specified by \fIobjectID_value\fR. The allowable object types and
values are as follows:
.sp
.ne 2
.na
\fBfile=\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with the specified pathname,
where pathname is a comma separated list of regular expressions. If a regular
expression is preceded by a tilde (\fB~\fR), files matching the expression are
excluded from the output. For example, the option
\fBfile=~/usr/openwin,/usr,/etc\fR would select all files in \fB/usr\fR or
\fB/etc\fR except those in \fB/usr/openwin\fR. The order of the regular
expressions is important because auditreduce processes them from left to right,
and stops when a file is known to be either selected or excluded. Thus the
option \fBfile=/usr,/etc,~/usr/openwin\fR would select all
files in \fB/usr\fR and all files in \fB/etc\fR. Files in \fB/usr/openwin\fR
are not excluded because the regular expression \fB/usr\fR is matched first.
Care should be given in surrounding the \fIpathname\fR with quotes so as to
prevent the shell from expanding any tildes.
.RE

.sp
.ne 2
.na
\fBfilegroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with \fIgroup\fR as the owning
group.
.RE

.sp
.ne 2
.na
\fBfileowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with \fIuser\fR as the owning
user.
.RE

.sp
.ne 2
.na
\fBmsgqid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with the specified \fIID\fR
where \fIID\fR is a message queue \fBID\fR.
.RE

.sp
.ne 2
.na
\fBmsgqgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with \fIgroup\fR as the owning
or creating group.
.RE

.sp
.ne 2
.na
\fBmsgqowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with \fIuser\fR as the owning
or creating user.
.RE

.sp
.ne 2
.na
\fBpid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with the specified \fIID\fR where
\fIID\fR is a process \fBID\fR. Processes are objects when they are receivers of
signals.
.RE

.sp
.ne 2
.na
\fBprocgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with \fIgroup\fR as the real or
effective group.
.RE

.sp
.ne 2
.na
\fBprocowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with \fIuser\fR as the real or
effective user.
.RE

.sp
.ne 2
.na
\fBsemid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with the specified \fIID\fR where
\fIID\fR is a semaphore \fBID\fR.
.RE

.sp
.ne 2
.na
\fBsemgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with \fIgroup\fR as the owning or
creating group.
.RE

.sp
.ne 2
.na
\fBsemowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with \fIuser\fR as the owning or
creating user.
.RE

.sp
.ne 2
.na
\fBshmid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with the specified \fIID\fR
where \fIID\fR is a shared memory \fBID\fR.
.RE

.sp
.ne 2
.na
\fBshmgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with \fIgroup\fR as the owning
or creating group.
.RE

.sp
.ne 2
.na
\fBshmowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with \fIuser\fR as the owning
or creating user.
.RE

.sp
.ne 2
.na
\fBsock=\fIport_number|machine\fR\fR
.ad
.sp .6
.RS 4n
Select records containing socket objects with the specified \fIport_number\fR
or the specified \fImachine\fR where \fImachine\fR is a machine name as defined
in \fBhosts\fR(4).
.RE

.sp
.ne 2
.na
\fBfmri=\fIservice instance\fR\fR
.ad
.sp .6
.RS 4n
Select records containing fault management resource identifier (FMRI) objects
with the specified \fIservice instance\fR. See \fBsmf\fR(5).
.RE

.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIreal-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIreal-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsession-id\fR\fR
.ad
.sp .6
.RS 4n
Select audit records with the specified \fIsession-id\fR.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR \fIaudit-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIaudit-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-z\fR \fIzone-name\fR\fR
.ad
.sp .6
.RS 4n
Select records from the specified zone name. The zone name selection is
case-sensitive.
.RE

.sp
.LP
When one or more \fIfilename\fR arguments appear on the command line, only the
named files are processed. Files specified in this way need not conform to the
audit trail filename format. However, \fB-M\fR, \fB-S\fR, and \fB-R\fR must not
be used when processing named files. If the \fIfilename\fR is ``\(mi'' then the
input is taken from the standard input.
.SS "Option Arguments"
.ne 2
.na
\fB\fIaudit-trail-file\fR\fR
.ad
.sp .6
.RS 4n
An audit trail file as defined in \fBaudit.log\fR(4). An audit trail file not
named on the command line must conform to the audit trail file name format.
Audit trail files produced as output of \fBauditreduce\fR are in this format as
well. The format is:
.sp
\fIstart-time . \|end-time . \|suffix\fR
.sp
\fIstart-time\fR is the 14 character time stamp denoting when the file was
opened. \fIend-time\fR is the 14 character time stamp denoting when the file
was closed. \fIend-time\fR can also be the literal string \fBnot_terminated\fR,
indicating the file is still being written to by the audit daemon or the file was
not closed properly (a system crash or abrupt halt occurred). \fIsuffix\fR is
the name of the machine that generated the audit trail file (or some other
meaningful suffix; for example, \fBall\fR would be a good suffix if the audit
trail file contains a combined group of records from many machines).
.RE

.sp
.ne 2
.na
\fB\fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
The \fIdate-time\fR argument to \fB-a\fR, \fB-b\fR, and \fB-d\fR can be of two
forms: An absolute \fIdate-time\fR takes the form:
.sp
\fIyyyymmdd\fR [ \fIhh\fR [ \fImm\fR [ \fIss\fR ]]]
.sp
where \fIyyyy\fR specifies a year (with 1970 as the earliest value), \fImm\fR
is the month (01-12), \fIdd\fR is the day (01-31), \fIhh\fR is the hour
(00-23), \fImm\fR is the minute (00-59), and \fIss\fR is the second (00-59).
The default is 00 for \fIhh\fR, \fImm\fR and \fIss\fR.
.sp
An offset can be specified as: \fB+\fR\fIn\fR\fBd\fR|\fBh\fR|\fBm\fR|\fBs\fR
where \fIn\fR is a number of units, and the tags \fBd\fR, \fBh\fR, \fBm\fR, and
\fBs\fR stand for days, hours, minutes and seconds, respectively. An offset is
relative to the starting time. Thus, this form can only be used with the
\fB-b\fR option.
.RE

.sp
.ne 2
.na
\fB\fIevent\fR\fR
.ad
.sp .6
.RS 4n
The literal string or ordinal event number as found in \fBaudit_event\fR(4). If
\fIevent\fR is not found in the \fBaudit_event\fR file it is considered
invalid.
.RE

.sp
.ne 2
.na
\fB\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
The literal string or ordinal group ID number as found in \fBgroup\fR(4). If
\fIgroup\fR is not found in the \fBgroup\fR file it is considered invalid.
\fIgroup\fR can be negative.
.RE

.sp
.ne 2
.na
\fB\fIlabel\fR\fR
.ad
.sp .6
.RS 4n
The literal string representation of a MAC label or a range of two valid MAC
labels. To specify a range, use \fBx;y\fR where \fBx\fR and \fBy\fR are valid
MAC labels. Only those records that are fully bounded by \fBx\fR and \fBy\fR
will be selected. If \fBx\fR or \fBy\fR is omitted, the default uses
\fBADMIN_LOW\fR or \fBADMIN_HIGH\fR respectively. Notice that quotes must be
used when specifying a range.
.RE

.sp
.ne 2
.na
\fB\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
A regular expression describing a pathname.
.RE

.sp
.ne 2
.na
\fB\fIuser\fR\fR
.ad
.sp .6
.RS 4n
The literal username or ordinal user ID number as found in \fBpasswd\fR(4). If
the username is not found in the \fBpasswd\fR file it is considered invalid.
\fIuser\fR can be negative.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRThe auditreduce command
.sp
.LP
\fBpraudit\fR(1M) is available to display audit records in a human-readable
form.

.sp
.LP
This will display the entire audit trail in a human-readable form:

.sp
.in +2
.nf
% auditreduce | praudit
.fi
.in -2
.sp

.sp
.LP
If all the audit trail files are being combined into one large file, then
deleting the original files could be desirable to prevent the records from
appearing twice:

.sp
.in +2
.nf
% auditreduce -V -D /etc/security/audit/combined/all
.fi
.in -2
.sp

.sp
.LP
This displays what user \fBmilner\fR did on April 13, 1988. The output is
displayed in a human-readable form to the standard output:

.sp
.in +2
.nf
% auditreduce -d 19880413 -u milner | praudit
.fi
.in -2
.sp

.sp
.LP
The above example might produce a large volume of data if \fBmilner\fR has been
busy. Perhaps looking at only login and logout times would be simpler. The
\fB-c\fR option will select records from a specified class:

.sp
.in +2
.nf
% auditreduce -d 19880413 -u milner -c lo | praudit
.fi
.in -2
.sp

.sp
.LP
To see \fBmilner\fR's login/logout activity for April 13, 14, and 15, the
following is used. The results are saved to a file in the current working
directory. Notice that the name of the output file will have \fBmilnerlo\fR as
the \fIsuffix\fR, with the appropriate timestamp prefixes. Notice also that the
long form of the name is used for the \fB-c\fR option:

.sp
.in +2
.nf
% auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo
.fi
.in -2
.sp

.sp
.LP
To follow \fBmilner\fR's movement about the file system on April 13, 14, and 15
the \fBchdir\fR record types could be viewed. Notice that in order to get the
same time range as the above example we needed to specify the \fB-b\fR time as
the day \fBafter\fR our range. This is because \fB19880416\fR defaults to
midnight of that day, and records before that fall on \fB0415\fR, the end-day
of the range.

.sp
.in +2
.nf
% auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit
.fi
.in -2
.sp

.sp
.LP
In this example, the audit records are being collected in summary form (the
login/logout records only). The records are being written to a summary file in
a different directory than the normal audit root to prevent the selected
records from existing twice in the audit root.

.sp
.in +2
.nf
% auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins
.fi
.in -2
.sp

.sp
.LP
If activity for user \fBID\fR 9944 has been observed, but that user is not
known to the system administrator, then the command in the following example
searches the entire audit trail for any records generated by that user.
\fBauditreduce\fR queries the system about the current validity of \fBID\fR
9944 and displays a warning message if it is not currently active:

.sp
.in +2
.nf
% auditreduce -O /etc/security/audit_suspect/user9944 -u 9944
.fi
.in -2
.sp

.sp
.LP
To get an audit log of only the global zone:

.sp
.in +2
.nf
% auditreduce -z global
.fi
.in -2

.SH FILES
.ne 2
.na
\fB\fB/etc/security/audit/\fR\fIserver\fR\fB/files/*\fR\fR
.ad
.sp .6
.RS 4n
location of audit trails, when stored
.RE

.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	See below.
.TE

.sp
.LP
The command invocation is Stable. The binary file format is Stable. The binary
file contents are Unstable.
.SH SEE ALSO
.LP
\fBpraudit\fR(1M), \fBaudit.log\fR(4), \fBaudit_class\fR(4),
\fBgroup\fR(4), \fBhosts\fR(4), \fBpasswd\fR(4),
\fBattributes\fR(5), \fBsmf\fR(5)
.SH DIAGNOSTICS
.LP
\fBauditreduce\fR displays error messages if there are command line errors and
then exits. If there are fatal errors during the run, \fBauditreduce\fR
displays an explanatory message and exits. In this case, the output file might
be in an inconsistent state (no trailer or partially written record) and
\fBauditreduce\fR displays a warning message before exiting. Successful
invocation returns \fB0\fR and unsuccessful invocation returns \fB1\fR.
.sp
.LP
Since \fBauditreduce\fR might be processing a large number of input files, it
is possible that the machine-wide limit on open files will be exceeded. If this
happens, \fBauditreduce\fR displays a message to that effect, gives information
on how many files there are, and exits.
.sp
.LP
If \fBauditreduce\fR displays a record's timestamp in a diagnostic message,
that time is in local time. However, when filenames are displayed, their
timestamps are in \fBGMT\fR.
.SH BUGS
.LP
Conjunction, disjunction, negation, and grouping of record selection options
should be allowed.
.SH NOTES
.LP
The \fB-z\fR option should be used only if the audit policy \fBzonename\fR is
set. If there is no zonename token, then no records will be selected.
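The following is an added example, not code from this man page or from illumos: it models the Audit Trail Filename Format, the \fB-C\fR and \fB-M\fR file selection rules, and the two \fIdate-time\fR argument forms (absolute with 00 defaults, and \fB+\fR\fIn\fR offsets relative to the \fB-a\fR time) so that a selection such as the \fB-a 19880413 -b +3d\fR example above can be checked offline. All function and class names are my own; the sample filenames are constructed.

```python
"""Added example (not auditreduce or illumos code): offline model of the
audit trail filename format and the -a/-b/-d date-time argument rules."""
import re
from datetime import datetime, timedelta, timezone
from typing import List, NamedTuple, Optional, Tuple

# yyyymmdd[hh[mm[ss]]]; the optional groups come back as None when absent
ABS_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(?:(\d{2})(?:(\d{2})(?:(\d{2}))?)?)?$")
OFFSET_RE = re.compile(r"^\+(\d+)([dhms])$")     # +n followed by d, h, m or s
UNIT = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


class TrailFile(NamedTuple):
    start: datetime          # GMT, when the file was opened
    end: Optional[datetime]  # None for the literal "not_terminated"
    suffix: str              # machine name, or e.g. "all" for merged output


def parse_timestamp(ts: str) -> datetime:
    """14-character yyyymmddhhmmss; filename timestamps are GMT."""
    if not re.fullmatch(r"\d{14}", ts):
        raise ValueError(f"not a 14-character timestamp: {ts!r}")
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_trail_name(name: str) -> TrailFile:
    """start-time.end-time.suffix; the suffix itself may contain dots."""
    parts = name.split(".", 2)
    if len(parts) != 3:
        raise ValueError(f"not in audit trail filename format: {name!r}")
    start, end, suffix = parts
    start_ts = parse_timestamp(start)
    end_ts = None if end == "not_terminated" else parse_timestamp(end)
    if end_ts is not None and end_ts < start_ts:
        raise ValueError(f"end-time precedes start-time: {name!r}")
    return TrailFile(start_ts, end_ts, suffix)


def select_files(names: List[str], complete_only: bool = False,
                 machine: Optional[str] = None) -> List[str]:
    """-C skips files still being written (not_terminated); -M keeps only
    files whose suffix equals the given machine name. Names that are not in
    the trail filename format are skipped."""
    chosen = []
    for name in names:
        try:
            tf = parse_trail_name(name)
        except ValueError:
            continue
        if complete_only and tf.end is None:
            continue
        if machine is not None and tf.suffix != machine:
            continue
        chosen.append(name)
    return chosen


def parse_date_time(arg: str, start: Optional[datetime] = None) -> datetime:
    """-a/-b argument in local time: absolute yyyymmdd[hh[mm[ss]]] with
    missing fields defaulting to 00, or +n{d|h|m|s} relative to the -a time
    (offsets are only meaningful for -b, so they require a start time)."""
    m = OFFSET_RE.match(arg)
    if m:
        if start is None:
            raise ValueError("offset form is relative to -a; no start given")
        return start + timedelta(**{UNIT[m.group(2)]: int(m.group(1))})
    m = ABS_RE.match(arg)
    if not m or int(m.group(1)) < 1970:
        raise ValueError(f"invalid date-time: {arg!r}")
    fields = [int(f) if f else 0 for f in m.groups()]
    return datetime(*fields)  # datetime itself rejects month 13, hour 24, ...


def day_range(arg: str) -> Tuple[datetime, datetime]:
    """-d: the whole local day; any time portion of the argument is ignored."""
    day = parse_date_time(arg).replace(hour=0, minute=0, second=0)
    return day, day + timedelta(days=1)


def in_range(ts: datetime, after: datetime, before: datetime) -> bool:
    """-a selects 'at or after' (inclusive); -b selects 'before' (exclusive)."""
    return after <= ts < before
```

Running `parse_date_time("+3d", parse_date_time("19880413"))` yields the same bound as `parse_date_time("19880416")`, which is why the two \fBmilner\fR examples above cover the same three days.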