'\" te
.\" Copyright (c) 2006 Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2018 Nexenta Systems, Inc. All rights reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDITREDUCE 1M "Jul 10, 2018"
.SH NAME
auditreduce \- merge and select audit records from audit trail files
.SH SYNOPSIS
.LP
.nf
\fBauditreduce\fR [\fIoptions\fR] [\fIaudit-trail-file\fR]...
.fi

.SH DESCRIPTION
.LP
\fBauditreduce\fR allows you to select or merge records from audit trail files.
Audit files can be from one or more machines.
.sp
.LP
The merge function merges together audit records from one or more input audit
trail files into a single output file. The records in an audit trail file are
assumed to be sorted in chronological order (oldest first) and this order is
maintained by \fBauditreduce\fR in the output file.
.sp
.LP
Unless instructed otherwise, \fBauditreduce\fR will merge the entire audit
trail, which consists of all the audit trail files in the directory structure
\fIaudit_root_dir\fR/*/files. Unless specified with the \fB-R\fR or \fB-S\fR
option, \fIaudit_root_dir\fR defaults to \fB/etc/security/audit\fR. By using
the file selection options it is possible to select some subset of these files,
or files from another directory, or files named explicitly on the command line.
.sp
.LP
The select function allows audit records to be selected on the basis of
numerous criteria relating to the record's content (see \fBaudit.log\fR(4) for
details of record content). A record must meet all of the
\fIrecord-selection-option\fR criteria to be selected.
.SS "Audit Trail Filename Format"
.LP
Any audit trail file not named on the command line must conform to the audit
trail filename format. Files produced by the audit system already have this
format. Output file names produced by \fBauditreduce\fR are in this format. It
is:
.sp
.in +2
.nf
\fIstart-time\fR\fB\&.\fR\fI\|end-time\fR\fB\&.\fR\fI\|suffix\fR
.fi
.in -2
.sp

.sp
.LP
where \fIstart-time\fR is the 14-character timestamp of when the file was
opened, \fIend-time\fR is the 14-character timestamp of when the file was
closed, and \fIsuffix\fR is the name of the machine which generated the audit
trail file, or some other meaningful suffix (for example, \fBall\fR, if the
file contains a combined group of records from many machines). The
\fIend-time\fR can be the literal string \fBnot_terminated\fR, to indicate that
the file is still being written to by the audit system. Timestamps are of the
form \fIyyyymmddhhmmss\fR (year, month, day, hour, minute, second). The
timestamps are in Greenwich Mean Time (GMT).
.SH OPTIONS
.SS "File Selection Options"
.LP
The file selection options indicate which files are to be processed and certain
types of special treatment.
.sp
.ne 2
.na
\fB\fB-A\fR\fR
.ad
.sp .6
.RS 4n
All of the records from the input files will be selected regardless of their
timestamp. This option effectively disables the \fB-a\fR, \fB-b\fR, and
\fB-d\fR options. This is useful in preventing the loss of records if the
\fB-D\fR option is used to delete the input files after they are processed.
Note, however, that if a record is \fInot\fR selected due to another option,
then \fB-A\fR will not override that.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR\fR
.ad
.sp .6
.RS 4n
Only process complete files. Files whose filename \fIend-time\fR timestamp is
\fBnot_terminated\fR are not processed (such a file is currently being written
to by the audit system). This is useful in preventing the loss of records if
\fB-D\fR is used to delete the input files after they are processed. It does
not apply to files specified on the command line.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR \fIsuffix\fR\fR
.ad
.sp .6
.RS 4n
Delete input files after they are read if the entire run is successful. If
\fBauditreduce\fR detects an error while reading a file, then that file is not
deleted. If \fB-D\fR is specified, \fB-A\fR, \fB-C\fR and \fB-O\fR are also
implied. \fIsuffix\fR is given to the \fB-O\fR option. This helps prevent the
loss of audit records by ensuring that all of the records are written, only
complete files are processed, and the records are written to a file before
being deleted. Note that if both \fB-D\fR and \fB-O\fR are specified in the
command line, the order of specification is significant. The \fIsuffix\fR
associated with the latter specification is in effect.
.RE

.sp
.ne 2
.na
\fB\fB-M\fR \fImachine\fR\fR
.ad
.sp .6
.RS 4n
Allows selection of records from files with \fImachine\fR as the filename
suffix. If \fB-M\fR is not specified, all files are processed regardless of
suffix. \fB-M\fR can also be used to allow selection of records from files that
contain combined records from many machines and have a common suffix (such as
\fBall\fR).
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\fR
.ad
.sp .6
.RS 4n
Select objects in \fBnew mode\fR. This flag is off by default, thus retaining
backward compatibility. In the existing \fBold mode\fR, specifying the
\fB-e\fR, \fB-f\fR, \fB-g\fR, \fB-r\fR, or \fB-u\fR flags would select not only
actions taken with those \fBID\fRs, but also certain objects owned by those
\fBID\fRs. When running in \fBnew mode\fR, only actions are selected. In order
to select objects, the \fB-o\fR option must be used.
.RE

.sp
.ne 2
.na
\fB\fB-O\fR \fIsuffix\fR\fR
.ad
.sp .6
.RS 4n
Direct output stream to a file in the current \fBaudit_root_dir\fR with the
indicated suffix. \fIsuffix\fR can alternatively contain a full pathname, in
which case the last component is taken as the suffix, ahead of which the
timestamps will be placed, ahead of which the remainder of the pathname will be
placed. If the \fB-O\fR option is not specified, the output is sent to the
standard output. When \fBauditreduce\fR places timestamps in the filename, it
uses the times of the first and last records in the merge as the
\fIstart-time\fR and \fIend-time\fR.
.RE

.sp
.ne 2
.na
\fB\fB-Q\fR\fR
.ad
.sp .6
.RS 4n
Quiet. Suppress notification about errors with input files.
.RE

.sp
.ne 2
.na
\fB\fB-R\fR \fIpathname\fR\fR
.ad
.sp .6
.RS 4n
Specify the pathname of an alternate audit root directory \fIaudit_root_dir\fR
to be \fIpathname\fR. Therefore, rather than using
\fB/etc/security/audit\fR/*/files by default, \fIpathname\fR/*/files will be
examined instead.
.LP
Note -
.sp
.RS 2
The root file system of any non-global zones must not be referenced with the
\fB-R\fR option. Doing so might damage the global zone's file system, might
compromise the security of the global zone, and might damage the non-global
zone's file system. See \fBzones\fR(5).
.RE
.RE

.sp
.ne 2
.na
\fB\fB-S\fR \fIserver\fR\fR
.ad
.sp .6
.RS 4n
This option causes \fBauditreduce\fR to read audit trail files from a specific
location (server directory). \fIserver\fR is normally interpreted as the name
of a subdirectory of the audit root, therefore \fBauditreduce\fR will look in
\fIaudit_root_dir\fR/\fIserver\fR/files for the audit trail files. But if
\fIserver\fR contains any `\fB/\fR' characters, it is the name of a specific
directory not necessarily contained in the audit root. In this case,
\fIserver\fR/files will be consulted. This option allows archived files to be
manipulated easily, without requiring that they be physically located in a
directory structure like that of \fB/etc/security/audit\fR.
.RE

.sp
.ne 2
.na
\fB\fB-V\fR\fR
.ad
.sp .6
.RS 4n
Verbose. Display the name of each file as it is opened, and how many records
total were written to the output stream.
.RE

.SS "Record Selection Options"
.LP
The record selection options listed below are used to indicate which records
are written to the output file produced by \fBauditreduce\fR.
.sp
.LP
Multiple arguments of the same type are not permitted.
.sp
.ne 2
.na
\fB\fB-a\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred at or after \fIdate-time\fR. The \fIdate-time\fR
argument is described under \fBOption Arguments\fR, below. \fIdate-time\fR is
in local time. The \fB-a\fR and \fB-b\fR options can be used together to form a
range.
.RE

.sp
.ne 2
.na
\fB\fB-b\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred before \fIdate-time\fR.
.RE

.sp
.ne 2
.na
\fB\fB-c\fR \fIaudit-classes\fR\fR
.ad
.sp .6
.RS 4n
Select records by audit class. Records with events that are mapped to the audit
classes specified by \fIaudit-classes\fR are selected. Audit class names are
defined in \fBaudit_class\fR(4). Using the audit \fIflags\fR, one can
select records based upon success and failure criteria.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred on a specific day (a 24-hour period beginning at
00:00:00 of the day specified and ending at 23:59:59). The day specified is in
local time. Any records with timestamps during that day are selected. The time
portion of the argument (any hours, minutes, or seconds), if supplied, is
ignored. \fB-d\fR can not be used with \fB-a\fR or \fB-b\fR.
.RE

.sp
.ne 2
.na
\fB\fB-e\fR \fIeffective-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIeffective-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-f\fR \fIeffective-group\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIeffective-group\fR.
.RE

.sp
.ne 2
.na
\fB\fB-g\fR \fIreal-group\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIreal-group\fR.
.RE

.sp
.ne 2
.na
\fB\fB-j\fR \fIsubject-ID\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIsubject-ID\fR where \fIsubject-ID\fR is a
process ID.
.RE

.sp
.ne 2
.na
\fB\fB-l\fR \fIlabel\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified label (or label range), as explained under
"Option Arguments," below. This option is available only if the system is
configured with Trusted Extensions.
.RE

.sp
.ne 2
.na
\fB\fB-m\fR \fIevent\fR\fR
.ad
.sp .6
.RS 4n
Select records with the indicated \fIevent\fR. The \fIevent\fR is the literal
string or the \fIevent\fR number.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR \fIobject_type=objectID_value\fR\fR
.ad
.sp .6
.RS 4n
Select records by object type. A match occurs when the record contains the
information describing the specified \fIobject_type\fR and the object ID equals
the value specified by \fIobjectID_value\fR. The allowable object types and
values are as follows:
.sp
.ne 2
.na
\fBfile=\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with the specified pathname,
where pathname is a comma separated list of regular expressions. If a regular
expression is preceded by a tilde (\fB~\fR), files matching the expression are
excluded from the output. For example, the option
\fBfile=~/usr/openwin,/usr,/etc\fR would select all files in \fB/usr\fR or
\fB/etc\fR except those in \fB/usr/openwin\fR. The order of the regular
expressions is important because auditreduce processes them from left to right,
and stops when a file is known to be either selected or excluded. Thus the
option \fBfile=/usr,/etc,~/usr/openwin\fR would select all
files in \fB/usr\fR and all files in \fB/etc\fR. Files in \fB/usr/openwin\fR
are not excluded because the regular expression \fB/usr\fR is matched first.
Care should be given in surrounding the \fIpathname\fR with quotes so as to
prevent the shell from expanding any tildes.
.RE

.sp
.ne 2
.na
\fBfilegroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with \fIgroup\fR as the owning
group.
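.sp
.LP
The left-to-right rule of the \fBfile=\fR object type above can be checked with
the small selector below. It is an added illustration, not code from
\fBauditreduce\fR or this manual page; it assumes each regular expression is
matched anchored at the start of the pathname (the page does not state the
tool's anchoring), and its helper names and sample paths are its own.

```python
import re

# Added example (not auditreduce's own code): the file=<pathname> object
# selector, modelling the left-to-right rule from the manual page.


def parse_file_spec(spec):
    """Split a file= value into ordered (exclude, regex) rules.

    A leading tilde marks an exclusion.  Matching is assumed to be anchored
    at the start of the pathname (re.match); the page does not state the
    real tool's anchoring.
    """
    rules = []
    for expr in spec.split(","):
        expr = expr.strip()
        if not expr:
            raise ValueError("empty regular expression in file= list")
        exclude = expr.startswith("~")
        rules.append((exclude, re.compile(expr[1:] if exclude else expr)))
    return rules


def file_selected(path, rules):
    """The first rule whose regex matches decides: selected unless it is an
    exclusion.  A path matched by no rule at all is not selected."""
    for exclude, regex in rules:
        if regex.match(path):
            return not exclude
    return False


def select_paths(spec, paths):
    """Return the paths a record would be selected for under file=<spec>."""
    rules = parse_file_spec(spec)
    return [p for p in paths if file_selected(p, rules)]


# Constructed sample paths, as file system objects might appear in records.
SAMPLE_PATHS = [
    "/usr/bin/ls",
    "/usr/openwin/bin/xterm",
    "/etc/passwd",
    "/var/tmp/scratch",
]

if __name__ == "__main__":
    # Exclusion first: /usr/openwin is excluded before /usr can select it.
    print(select_paths("~/usr/openwin,/usr,/etc", SAMPLE_PATHS))
    # Exclusion last: /usr has already selected the /usr/openwin path.
    print(select_paths("/usr,/etc,~/usr/openwin", SAMPLE_PATHS))
```

On a real command line the value must be quoted, as the page notes, so the shell does not expand the tilde before \fBauditreduce\fR sees it.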
.RE

.sp
.ne 2
.na
\fBfileowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with \fIuser\fR as the owning
user.
.RE

.sp
.ne 2
.na
\fBmsgqid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with the specified \fIID\fR
where \fIID\fR is a message queue \fBID\fR.
.RE

.sp
.ne 2
.na
\fBmsgqgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with \fIgroup\fR as the owning
or creating group.
.RE

.sp
.ne 2
.na
\fBmsgqowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with \fIuser\fR as the owning
or creating user.
.RE

.sp
.ne 2
.na
\fBpid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with the specified \fIID\fR where
\fIID\fR is a process \fBID\fR. Processes are objects when they are receivers
of signals.
.RE

.sp
.ne 2
.na
\fBprocgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with \fIgroup\fR as the real or
effective group.
.RE

.sp
.ne 2
.na
\fBprocowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with \fIuser\fR as the real or
effective user.
.RE

.sp
.ne 2
.na
\fBsemid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with the specified \fIID\fR where
\fIID\fR is a semaphore \fBID\fR.
.RE

.sp
.ne 2
.na
\fBsemgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with \fIgroup\fR as the owning or
creating group.
.RE

.sp
.ne 2
.na
\fBsemowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with \fIuser\fR as the owning or
creating user.
.RE

.sp
.ne 2
.na
\fBshmid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with the specified \fIID\fR
where \fIID\fR is a shared memory \fBID\fR.
.RE

.sp
.ne 2
.na
\fBshmgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with \fIgroup\fR as the owning
or creating group.
.RE

.sp
.ne 2
.na
\fBshmowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with \fIuser\fR as the owning
or creating user.
.RE

.sp
.ne 2
.na
\fBsock=\fIport_number|machine\fR\fR
.ad
.sp .6
.RS 4n
Select records containing socket objects with the specified \fIport_number\fR
or the specified \fImachine\fR where \fImachine\fR is a machine name as defined
in \fBhosts\fR(4).
.RE

.sp
.ne 2
.na
\fBfmri=\fIservice instance\fR\fR
.ad
.sp .6
.RS 4n
Select records containing fault management resource identifier (FMRI) objects
with the specified \fIservice instance\fR. See \fBsmf\fR(5).
.RE

.sp
.ne 2
.na
\fBwsid=\fIWindows SID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing Windows SIDs matching the specified \fISID\fR.
.RE

.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIreal-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIreal-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsession-id\fR\fR
.ad
.sp .6
.RS 4n
Select audit records with the specified \fIsession-id\fR.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR \fIaudit-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIaudit-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-z\fR \fIzone-name\fR\fR
.ad
.sp .6
.RS 4n
Select records from the specified zone name. The zone name selection is
case-sensitive.
.RE

.sp
.LP
When one or more \fIfilename\fR arguments appear on the command line, only the
named files are processed. Files specified in this way need not conform to the
audit trail filename format. However, \fB-M\fR, \fB-S\fR, and \fB-R\fR must not
be used when processing named files. If the \fIfilename\fR is ``\(mi'' then the
input is taken from the standard input.
.SS "Option Arguments"
.ne 2
.na
\fB\fIaudit-trail-file\fR\fR
.ad
.sp .6
.RS 4n
An audit trail file as defined in \fBaudit.log\fR(4). An audit trail file not
named on the command line must conform to the audit trail file name format.
Audit trail files produced as output of \fBauditreduce\fR are in this format as
well. The format is:
.sp
\fIstart-time . \|end-time . \|suffix\fR
.sp
\fIstart-time\fR is the 14 character time stamp denoting when the file was
opened. \fIend-time\fR is the 14 character time stamp denoting when the file
was closed. \fIend-time\fR can also be the literal string \fBnot_terminated\fR,
indicating the file is still being written to by the audit daemon or the file
was not closed properly (a system crash or abrupt halt occurred). \fIsuffix\fR
is the name of the machine that generated the audit trail file (or some other
meaningful suffix; for example, \fBall\fR would be a good suffix if the audit
trail file contains a combined group of records from many machines).
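.sp
The filename format above, the \fB-C\fR and \fB-M\fR file selection options,
and the absolute and offset forms of the \fIdate-time\fR argument described
below are modelled by the following added example. It is not code from
\fBauditreduce\fR or this manual page; its helper names and sample filenames
are its own, and it treats absolute \fIdate-time\fR values as UTC rather than
local time so that its results are deterministic.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example (not auditreduce's own code) modelling the audit trail
# filename format, the -C/-M file selection options, and the absolute and
# offset forms of the date-time argument described in the manual page.

# start-time.end-time.suffix: two 14-character yyyymmddhhmmss GMT stamps;
# end-time may be the literal not_terminated for a file still being written.
NAME_RE = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.([^/]+)$")


def parse_stamp(stamp):
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_trail_name(name):
    """Return (start, end, suffix); end is None for a not_terminated file.
    Raises ValueError for a name that does not conform to the format."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError("not an audit trail filename: %r" % name)
    start = parse_stamp(m.group(1))
    end = None if m.group(2) == "not_terminated" else parse_stamp(m.group(2))
    if end is not None and end < start:
        raise ValueError("end-time precedes start-time: %r" % name)
    return start, end, m.group(3)


def parse_date_time(arg, start=None, tz=timezone.utc):
    """-a/-b/-d argument: absolute yyyymmdd[hh[mm[ss]]] (local time on a real
    system; tz defaults to UTC here, an assumption made for determinism), or
    an offset +n{d|h|m|s} relative to the -a time, hence usable only with -b."""
    if arg.startswith("+"):
        if start is None:
            raise ValueError("offset form needs the -a starting time")
        units = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}
        if len(arg) < 3 or arg[-1] not in units or not arg[1:-1].isdigit():
            raise ValueError("bad offset: %r" % arg)
        return start + timedelta(**{units[arg[-1]]: int(arg[1:-1])})
    if len(arg) not in (8, 10, 12, 14) or not arg.isdigit():
        raise ValueError("bad date-time: %r" % arg)
    padded = arg + "00" * ((14 - len(arg)) // 2)   # hh, mm, ss default to 00
    return datetime.strptime(padded, "%Y%m%d%H%M%S").replace(tzinfo=tz)


def day_window(arg, tz=timezone.utc):
    """-d: the 24-hour period of the given day; any time of day is ignored."""
    first = parse_date_time(arg[:8], tz=tz)
    return first, first + timedelta(days=1)


def select_trail_files(names, complete_only=False, machine=None,
                       after=None, before=None):
    """File-level selection: -C skips not_terminated files, -M keeps one
    suffix, and a file whose [start, end] span lies wholly outside the
    [after, before) range cannot hold wanted records and is skipped.  The
    per-record -a/-b test still applies to what is read from kept files."""
    chosen = []
    for name in names:
        try:
            start, end, suffix = parse_trail_name(name)
        except ValueError:
            continue          # a non-conforming name in the trail is skipped
        if complete_only and end is None:
            continue
        if machine is not None and suffix != machine:
            continue
        if after is not None and end is not None and end < after:
            continue
        if before is not None and start >= before:
            continue
        chosen.append(name)
    return chosen


# Constructed sample listing of an audit trail directory.
SAMPLE_NAMES = [
    "19880413000000.19880413235959.hostA",
    "19880414000000.not_terminated.hostA",
    "19880413000000.19880415235959.all",
    "README",
]
```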
.RE

.sp
.ne 2
.na
\fB\fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
The \fIdate-time\fR argument to \fB-a\fR, \fB-b\fR, and \fB-d\fR can be of two
forms: An absolute \fIdate-time\fR takes the form:
.sp
\fIyyyymmdd\fR [ \fIhh\fR [ \fImm\fR [ \fIss\fR ]]]
.sp
where \fIyyyy\fR specifies a year (with 1970 as the earliest value), \fImm\fR
is the month (01-12), \fIdd\fR is the day (01-31), \fIhh\fR is the hour
(00-23), \fImm\fR is the minute (00-59), and \fIss\fR is the second (00-59).
The default is 00 for \fIhh\fR, \fImm\fR and \fIss\fR.
.sp
An offset can be specified as: \fB+\fR\fIn\fR\fBd\fR|\fBh\fR|\fBm\fR|\fBs\fR
where \fIn\fR is a number of units, and the tags \fBd\fR, \fBh\fR, \fBm\fR, and
\fBs\fR stand for days, hours, minutes and seconds, respectively. An offset is
relative to the starting time. Thus, this form can only be used with the
\fB-b\fR option.
.RE

.sp
.ne 2
.na
\fB\fIevent\fR\fR
.ad
.sp .6
.RS 4n
The literal string or ordinal event number as found in \fBaudit_event\fR(4). If
\fIevent\fR is not found in the \fBaudit_event\fR file it is considered
invalid.
.RE

.sp
.ne 2
.na
\fB\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
The literal string or ordinal group ID number as found in \fBgroup\fR(4). If
\fIgroup\fR is not found in the \fBgroup\fR file it is considered invalid.
\fIgroup\fR can be negative.
.RE

.sp
.ne 2
.na
\fB\fIlabel\fR\fR
.ad
.sp .6
.RS 4n
The literal string representation of a MAC label or a range of two valid MAC
labels. To specify a range, use \fBx;y\fR where \fBx\fR and \fBy\fR are valid
MAC labels. Only those records that are fully bounded by \fBx\fR and \fBy\fR
will be selected. If \fBx\fR or \fBy\fR is omitted, the default uses
\fBADMIN_LOW\fR or \fBADMIN_HIGH\fR respectively. Notice that quotes must be
used when specifying a range.
.RE

.sp
.ne 2
.na
\fB\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
A regular expression describing a pathname.
.RE

.sp
.ne 2
.na
\fB\fIuser\fR\fR
.ad
.sp .6
.RS 4n
The literal username or ordinal user ID number as found in \fBpasswd\fR(4). If
the username is not found in the \fBpasswd\fR file it is considered invalid.
\fIuser\fR can be negative.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRThe auditreduce command
.sp
.LP
\fBpraudit\fR(1M) is available to display audit records in a human-readable
form.

.sp
.LP
This will display the entire audit trail in a human-readable form:

.sp
.in +2
.nf
% auditreduce | praudit
.fi
.in -2
.sp

.sp
.LP
If all the audit trail files are being combined into one large file, then
deleting the original files could be desirable to prevent the records from
appearing twice:

.sp
.in +2
.nf
% auditreduce -V -D /etc/security/audit/combined/all
.fi
.in -2
.sp

.sp
.LP
This displays what user \fBmilner\fR did on April 13, 1988. The output is
displayed in a human-readable form to the standard output:

.sp
.in +2
.nf
% auditreduce -d 19880413 -u milner | praudit
.fi
.in -2
.sp

.sp
.LP
The above example might produce a large volume of data if \fBmilner\fR has been
busy. Perhaps looking at only login and logout times would be simpler. The
\fB-c\fR option will select records from a specified class:

.sp
.in +2
.nf
% auditreduce -d 19880413 -u milner -c lo | praudit
.fi
.in -2
.sp

.sp
.LP
To see \fBmilner\fR's login/logout activity for April 13, 14, and 15, the
following is used. The results are saved to a file in the current working
directory. Notice that the name of the output file will have \fBmilnerlo\fR as
the \fIsuffix\fR, with the appropriate timestamp prefixes. Notice also that the
long form of the name is used for the \fB-c\fR option:

.sp
.in +2
.nf
% auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo
.fi
.in -2
.sp

.sp
.LP
To follow \fBmilner\fR's movement about the file system on April 13, 14, and 15
the \fBchdir\fR record types could be viewed. Notice that in order to get the
same time range as the above example we needed to specify the \fB-b\fR time as
the day \fBafter\fR our range. This is because \fB19880416\fR defaults to
midnight of that day, and records before that fall on \fB0415\fR, the end-day
of the range.

.sp
.in +2
.nf
% auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit
.fi
.in -2
.sp

.sp
.LP
In this example, the audit records are being collected in summary form (the
login/logout records only). The records are being written to a summary file in
a different directory than the normal audit root to prevent the selected
records from existing twice in the audit root.

.sp
.in +2
.nf
% auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins
.fi
.in -2
.sp

.sp
.LP
If activity for user \fBID\fR 9944 has been observed, but that user is not
known to the system administrator, then the command in the following example
searches the entire audit trail for any records generated by that user.
\fBauditreduce\fR queries the system about the current validity of \fBID\fR
9944 and displays a warning message if it is not currently active:

.sp
.in +2
.nf
% auditreduce -O /etc/security/audit_suspect/user9944 -u 9944
.fi
.in -2
.sp

.sp
.LP
To get an audit log of only the global zone:

.sp
.in +2
.nf
% auditreduce -z global
.fi
.in -2

.SH FILES
.ne 2
.na
\fB\fB/etc/security/audit/\fR\fIserver\fR\fB/files/*\fR\fR
.ad
.sp .6
.RS 4n
location of audit trails, when stored
.RE

.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	See below.
.TE

.sp
.LP
The command invocation is Stable. The binary file format is Stable. The binary
file contents are Unstable.
.SH SEE ALSO
.LP
\fBpraudit\fR(1M), \fBaudit.log\fR(4), \fBaudit_class\fR(4),
\fBaudit_event\fR(4), \fBgroup\fR(4), \fBhosts\fR(4), \fBpasswd\fR(4),
\fBattributes\fR(5), \fBsmf\fR(5), \fBzones\fR(5)
.SH DIAGNOSTICS
.LP
\fBauditreduce\fR displays error messages if there are command line errors and
then exits. If there are fatal errors during the run, \fBauditreduce\fR
displays an explanatory message and exits. In this case, the output file might
be in an inconsistent state (no trailer or partially written record) and
\fBauditreduce\fR displays a warning message before exiting. Successful
invocation returns \fB0\fR and unsuccessful invocation returns \fB1\fR.
.sp
.LP
Since \fBauditreduce\fR might be processing a large number of input files, it
is possible that the machine-wide limit on open files will be exceeded. If this
happens, \fBauditreduce\fR displays a message to that effect, gives information
on how many files there are, and exits.
.sp
.LP
If \fBauditreduce\fR displays a record's timestamp in a diagnostic message,
that time is in local time. However, when filenames are displayed, their
timestamps are in \fBGMT\fR.
.SH BUGS
.LP
Conjunction, disjunction, negation, and grouping of record selection options
should be allowed.
.SH NOTES
.LP
The \fB-z\fR option should be used only if the audit policy \fBzonename\fR is
set. If there is no zonename token, then no records will be selected.