NEX-13644 File access audit logging
Reviewed by: Gordon Ross <gordon.ross@nexenta.com>
Reviewed by: Roman Strashkin <roman.strashkin@nexenta.com>
Reviewed by: Saso Kiselkov <saso.kiselkov@nexenta.com>
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
--- old/usr/src/man/man1m/auditreduce.1m
+++ new/usr/src/man/man1m/auditreduce.1m
1 1 '\" te
2 2 .\" Copyright (c) 2006 Sun Microsystems, Inc. All Rights Reserved.
3 +.\" Copyright 2018 Nexenta Systems, Inc. All rights reserved.
3 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 -.TH AUDITREDUCE 1M "Mar 6, 2017"
7 +.TH AUDITREDUCE 1M "Jul 10, 2018"
7 8 .SH NAME
8 9 auditreduce \- merge and select audit records from audit trail files
9 10 .SH SYNOPSIS
10 11 .LP
11 12 .nf
12 13 \fBauditreduce\fR [\fIoptions\fR] [\fIaudit-trail-file\fR]...
13 14 .fi
14 15
15 16 .SH DESCRIPTION
16 17 .LP
17 18 \fBauditreduce\fR allows you to select or merge records from audit trail files.
18 19 Audit files can be from one or more machines.
19 20 .sp
20 21 .LP
21 22 The merge function merges together audit records from one or more input audit
22 23 trail files into a single output file. The records in an audit trail file are
23 24 assumed to be sorted in chronological order (oldest first) and this order is
24 25 maintained by \fBauditreduce\fR in the output file.
25 26 .sp
26 27 .LP
27 28 Unless instructed otherwise, \fBauditreduce\fR will merge the entire audit
28 29 trail, which consists of all the audit trail files in the directory structure
29 30 \fIaudit_root_dir\fR/*/files. Unless specified with the -\fBR\fR or -\fBS\fR
30 31 option, \fIaudit_root_dir\fR defaults to \fB/etc/security/audit\fR. By using
31 32 the file selection options it is possible to select some subset of these files,
32 33 or files from another directory, or files named explicitly on the command line.
33 34 .sp
34 35 .LP
35 36 The select function allows audit records to be selected on the basis of
36 37 numerous criteria relating to the record's content (see \fBaudit.log\fR(4) for
37 38 details of record content). A record must meet all of the
38 39 \fIrecord-selection-option\fR criteria to be selected.
39 40 .SS "Audit Trail Filename Format"
40 41 .LP
41 42 Any audit trail file not named on the command line must conform to the audit
42 43 trail filename format. Files produced by the audit system already have this
43 44 format. Output file names produced by \fBauditreduce\fR are in this format. It
44 45 is:
45 46 .sp
46 47 .in +2
47 48 .nf
48 49 \fIstart-time\fR\fB\&.\fR\fI\|end-time\fR\fB\&.\fR\fI\|suffix\fR
49 50 .fi
50 51 .in -2
51 52 .sp
52 53
53 54 .sp
54 55 .LP
55 56 where \fIstart-time\fR is the 14-character timestamp of when the file was
56 57 opened, \fIend-time\fR is the 14-character timestamp of when the file was
57 58 closed, and \fIsuffix\fR is the name of the machine which generated the audit
58 59 trail file, or some other meaningful suffix (for example, \fBall\fR, if the
59 60 file contains a combined group of records from many machines). The
60 61 \fIend-time\fR can be the literal string \fBnot_terminated\fR, to indicate that
61 62 the file is still being written to by the audit system. Timestamps are of the
62 63 form \fIyyyymmddhhmmss\fR (year, month, day, hour, minute, second). The
63 64 timestamps are in Greenwich Mean Time (GMT).
64 65 .SH OPTIONS
65 66 .SS "File Selection Options"
66 67 .LP
67 68 The file selection options indicate which files are to be processed and certain
68 69 types of special treatment.
69 70 .sp
70 71 .ne 2
71 72 .na
72 73 \fB\fB-A\fR\fR
73 74 .ad
74 75 .sp .6
75 76 .RS 4n
76 77 All of the records from the input files will be selected regardless of their
77 78 timestamp. This option effectively disables the \fB-a\fR, \fB-b\fR, and
78 79 \fB-d\fR options. This is useful in preventing the loss of records if the
79 80 \fB-D\fR option is used to delete the input files after they are processed.
80 81 Note, however, that if a record is \fInot\fR selected due to another option,
81 82 then \fB-A\fR will not override that.
82 83 .RE
83 84
84 85 .sp
85 86 .ne 2
86 87 .na
87 88 \fB\fB-C\fR\fR
88 89 .ad
89 90 .sp .6
90 91 .RS 4n
91 92 Only process complete files. Files whose filename \fIend-time\fR timestamp is
92 93 \fBnot_terminated\fR are not processed (such a file is currently being written
93 94 to by the audit system). This is useful in preventing the loss of records if
94 95 \fB-D\fR is used to delete the input files after they are processed. It does
95 96 not apply to files specified on the command line.
96 97 .RE
97 98
98 99 .sp
99 100 .ne 2
100 101 .na
101 102 \fB\fB-D\fR \fIsuffix\fR\fR
102 103 .ad
103 104 .sp .6
104 105 .RS 4n
105 106 Delete input files after they are read if the entire run is successful. If
106 107 \fBauditreduce\fR detects an error while reading a file, then that file is not
107 108 deleted. If \fB-D\fR is specified, \fB-A\fR, \fB-C\fR and \fB-O\fR are also
108 109 implied. \fIsuffix\fR is given to the \fB-O\fR option. This helps prevent the
109 110 loss of audit records by ensuring that all of the records are written, only
110 111 complete files are processed, and the records are written to a file before
111 112 being deleted. Note that if both \fB-D\fR and \fB-O\fR are specified in the
112 113 command line, the order of specification is significant. The \fIsuffix\fR
113 114 associated with the latter specification is in effect.
114 115 .RE
115 116
116 117 .sp
117 118 .ne 2
118 119 .na
119 120 \fB\fB-M\fR \fImachine\fR\fR
120 121 .ad
121 122 .sp .6
122 123 .RS 4n
123 124 Allows selection of records from files with \fImachine\fR as the filename
124 125 suffix. If \fB-M\fR is not specified, all files are processed regardless of
125 126 suffix. \fB-M\fR can also be used to allow selection of records from files that
126 127 contain combined records from many machines and have a common suffix (such as
127 128 \fBall\fR).
128 129 .RE
129 130
130 131 .sp
131 132 .ne 2
132 133 .na
133 134 \fB\fB-N\fR\fR
134 135 .ad
135 136 .sp .6
136 137 .RS 4n
137 138 Select objects in \fBnew mode\fR.This flag is off by default, thus retaining
138 139 backward compatibility. In the existing, \fBold mode\fR, specifying the
139 140 \fB-e\fR, \fB-f\fR, \fB-g\fR, \fB-r\fR, or \fB-u\fR flags would select not only
140 141 actions taken with those \fBID\fRs, but also certain objects owned by those
141 142 \fBID\fRs. When running in \fBnew mode\fR, only actions are selected. In order
142 143 to select objects, the \fB-o\fR option must be used.
143 144 .RE
144 145
145 146 .sp
146 147 .ne 2
147 148 .na
148 149 \fB\fB-O\fR \fIsuffix\fR\fR
149 150 .ad
150 151 .sp .6
151 152 .RS 4n
152 153 Direct output stream to a file in the current \fBaudit_root_dir\fR with the
153 154 indicated suffix. \fIsuffix\fR can alternatively contain a full pathname, in
154 155 which case the last component is taken as the suffix, ahead of which the
155 156 timestamps will be placed, ahead of which the remainder of the pathname will be
156 157 placed. If the \fB-O\fR option is not specified, the output is sent to the
157 158 standard output. When \fBauditreduce\fR places timestamps in the filename, it
158 159 uses the times of the first and last records in the merge as the
159 160 \fIstart-time\fR and \fIend-time\fR.
160 161 .RE
161 162
162 163 .sp
163 164 .ne 2
164 165 .na
165 166 \fB\fB-Q\fR\fR
166 167 .ad
167 168 .sp .6
168 169 .RS 4n
169 170 Quiet. Suppress notification about errors with input files.
170 171 .RE
171 172
172 173 .sp
173 174 .ne 2
174 175 .na
175 176 \fB\fB-R\fR \fIpathname\fR\fR
176 177 .ad
177 178 .sp .6
178 179 .RS 4n
179 180 Specify the pathname of an alternate audit root directory \fIaudit_root_dir\fR
180 181 to be \fIpathname\fR. Therefore, rather than using
181 182 \fB/etc/security/audit\fR/*/files by default, \fIpathname\fR/*/files will be
182 183 examined instead.
183 184 .LP
184 185 Note -
185 186 .sp
186 187 .RS 2
187 188 The root file system of any non-global zones must not be referenced with the
188 189 \fB-R\fR option. Doing so might damage the global zone's file system, might
189 190 compromise the security of the global zone, and might damage the non-global
190 191 zone's file system. See \fBzones\fR(5).
191 192 .RE
192 193 .RE
193 194
194 195 .sp
195 196 .ne 2
196 197 .na
197 198 \fB\fB-S\fR \fIserver\fR\fR
198 199 .ad
199 200 .sp .6
200 201 .RS 4n
201 202 This option causes \fBauditreduce\fR to read audit trail files from a specific
202 203 location (server directory). \fIserver\fR is normally interpreted as the name
203 204 of a subdirectory of the audit root, therefore \fBauditreduce\fR will look in
204 205 \fIaudit_root_dir\fR/\fIserver\fR/files for the audit trail files. But if
205 206 \fIserver\fR contains any `\fB/\fR' characters, it is the name of a specific
206 207 directory not necessarily contained in the audit root. In this case,
207 208 \fIserver\fR/files will be consulted. This option allows archived files to be
208 209 manipulated easily, without requiring that they be physically located in a
209 210 directory structure like that of \fB/etc/security/audit\fR.
210 211 .RE
211 212
212 213 .sp
213 214 .ne 2
214 215 .na
215 216 \fB\fB-V\fR\fR
216 217 .ad
217 218 .sp .6
218 219 .RS 4n
219 220 Verbose. Display the name of each file as it is opened, and how many records
220 221 total were written to the output stream.
221 222 .RE
222 223
223 224 .SS "Record Selection Options"
224 225 .LP
225 226 The record selection options listed below are used to indicate which records
226 227 are written to the output file produced by \fBauditreduce\fR.
227 228 .sp
228 229 .LP
229 230 Multiple arguments of the same type are not permitted.
230 231 .sp
231 232 .ne 2
232 233 .na
233 234 \fB\fB-a\fR \fIdate-time\fR\fR
234 235 .ad
235 236 .sp .6
236 237 .RS 4n
237 238 Select records that occurred at or after \fIdate-time\fR. The \fIdate-time\fR
238 239 argument is described under \fBOption Arguments\fR, below. \fIdate-time\fR is
239 240 in local time. The \fB-a\fR and \fB-b\fR options can be used together to form a
240 241 range.
241 242 .RE
242 243
243 244 .sp
244 245 .ne 2
245 246 .na
246 247 \fB\fB-b\fR \fIdate-time\fR\fR
247 248 .ad
248 249 .sp .6
249 250 .RS 4n
250 251 Select records that occurred before \fIdate-time\fR.
251 252 .RE
252 253
253 254 .sp
254 255 .ne 2
255 256 .na
256 257 \fB\fB-c\fR \fIaudit-classes\fR\fR
257 258 .ad
258 259 .sp .6
259 260 .RS 4n
260 261 Select records by audit class. Records with events that are mapped to the audit
261 262 classes specified by \fIaudit-classes\fR are selected. Audit class names are
262 263 defined in \fBaudit_class\fR(4). Using the \fBaudit\fR \fIflags,\fR one can
263 264 select records based upon success and failure criteria.
264 265 .RE
265 266
266 267 .sp
267 268 .ne 2
268 269 .na
269 270 \fB\fB-d\fR \fIdate-time\fR\fR
270 271 .ad
271 272 .sp .6
272 273 .RS 4n
273 274 Select records that occurred on a specific day (a 24-hour period beginning at
274 275 00:00:00 of the day specified and ending at 23:59:59). The day specified is in
275 276 local time. The time portion of the argument, if supplied, is ignored. Any
276 277 records with timestamps during that day are selected. If any hours, minutes, or
277 278 seconds are given in \fItime,\fR they are ignored. \fB-d\fR can not be used
278 279 with \fB-a\fR or \fB\fR\fB-b\fR\fB\&.\fR
279 280 .RE
280 281
281 282 .sp
282 283 .ne 2
283 284 .na
284 285 \fB\fB-e\fR \fIeffective-user\fR\fR
285 286 .ad
286 287 .sp .6
287 288 .RS 4n
288 289 Select records with the specified \fIeffective-user.\fR
289 290 .RE
290 291
291 292 .sp
292 293 .ne 2
293 294 .na
294 295 \fB\fB-f\fR \fIeffective-group\fR\fR
295 296 .ad
296 297 .sp .6
297 298 .RS 4n
298 299 Select records with the specified \fIeffective-group.\fR
299 300 .RE
300 301
301 302 .sp
302 303 .ne 2
303 304 .na
304 305 \fB\fB-g\fR \fIreal-group\fR\fR
305 306 .ad
306 307 .sp .6
307 308 .RS 4n
308 309 Select records with the specified \fIreal-group.\fR
309 310 .RE
310 311
311 312 .sp
312 313 .ne 2
313 314 .na
314 315 \fB\fB-j\fR \fIsubject-ID\fR\fR
315 316 .ad
316 317 .sp .6
317 318 .RS 4n
318 319 Select records with the specified \fIsubject-ID\fR where \fIsubject-ID\fR is a
319 320 process ID.
320 321 .RE
321 322
322 323 .sp
323 324 .ne 2
324 325 .na
325 326 \fB\fB-l\fR \fIlabel\fR\fR
326 327 .ad
327 328 .sp .6
328 329 .RS 4n
329 330 Select records with the specified label (or label range), as explained under
330 331 "Option Arguments," below. This option is available only if the system is
331 332 configured with Trusted Extensions.
332 333 .RE
333 334
334 335 .sp
335 336 .ne 2
336 337 .na
337 338 \fB\fB-m\fR \fIevent\fR\fR
338 339 .ad
339 340 .sp .6
340 341 .RS 4n
341 342 Select records with the indicated \fIevent\fR. The \fIevent\fR is the literal
342 343 string or the \fIevent\fR number.
343 344 .RE
344 345
345 346 .sp
346 347 .ne 2
347 348 .na
348 349 \fB\fB-o\fR \fIobject_type=objectID_value\fR\fR
349 350 .ad
350 351 .sp .6
351 352 .RS 4n
352 353 Select records by object type. A match occurs when the record contains the
353 354 information describing the specified \fIobject_type\fR and the object ID equals
354 355 the value specified by \fIobjectID_value.\fR The allowable object types and
355 356 values are as follows:
356 357 .sp
357 358 .ne 2
358 359 .na
359 360 \fBfile=\fIpathname\fR\fR
360 361 .ad
361 362 .sp .6
362 363 .RS 4n
363 364 Select records containing file system objects with the specified pathname,
364 365 where pathname is a comma separated list of regular expressions. If a regular
365 366 expression is preceded by a tilde (\fB~\fR), files matching the expression are
366 367 excluded from the output. For example, the option
367 368 \fBfile=~/usr/openwin,/usr,/etc\fR would select all files in \fB/usr\fR or
368 369 \fB/etc\fR except those in \fB/usr/openwin\fR. The order of the regular
369 370 expressions is important because auditreduce processes them from left to right,
370 371 and stops when a file is known to be either selected or excluded. Thus the
371 372 option \fBfile=\fR \fB/usr\fR, \fB/etc\fR, \fB~/usr/openwin\fR would select all
372 373 files in \fB/usr\fR and all files in \fB/etc\fR. Files in \fB/usr/openwin\fR
373 374 are not excluded because the regular expression \fB/usr\fR is matched first.
374 375 Care should be given in surrounding the \fIpathname\fR with quotes so as to
375 376 prevent the shell from expanding any tildes.
376 377 .RE
377 378
378 379 .sp
379 380 .ne 2
380 381 .na
381 382 \fBfilegroup\fI=group\fR\fR
382 383 .ad
383 384 .sp .6
384 385 .RS 4n
385 386 Select records containing file system objects with \fIgroup\fR as the owning
386 387 group.
387 388 .RE
388 389
389 390 .sp
390 391 .ne 2
391 392 .na
392 393 \fBfileowner=\fIuser\fR\fR
393 394 .ad
394 395 .sp .6
395 396 .RS 4n
396 397 Select records containing file system objects with \fIuser\fR as the owning
397 398 user.
398 399 .RE
399 400
400 401 .sp
401 402 .ne 2
402 403 .na
403 404 \fBmsgqid=\fIID\fR\fR
404 405 .ad
405 406 .sp .6
406 407 .RS 4n
407 408 Select records containing message queue objects with the specified \fIID\fR
408 409 where \fIID\fR is a message queue \fBID\fR.
409 410 .RE
410 411
411 412 .sp
412 413 .ne 2
413 414 .na
414 415 \fBmsgqgroup=\fIgroup\fR\fR
415 416 .ad
416 417 .sp .6
417 418 .RS 4n
418 419 Select records containing message queue objects with \fIgroup\fR as the owning
419 420 or creating group.
420 421 .RE
421 422
422 423 .sp
423 424 .ne 2
424 425 .na
425 426 \fBmsgqowner=\fIuser\fR\fR
426 427 .ad
427 428 .sp .6
428 429 .RS 4n
429 430 Select records containing message queue objects with \fIuser\fR as the owning
430 431 or creating user.
431 432 .RE
432 433
433 434 .sp
434 435 .ne 2
435 436 .na
436 437 \fBpid=\fIID\fR\fR
437 438 .ad
438 439 .sp .6
439 440 .RS 4n
440 441 Select records containing process objects with the specified \fIID\fR where
441 442 \fIID\fR is a process \fBID\fR. Process are objects when they are receivers of
442 443 signals.
443 444 .RE
444 445
445 446 .sp
446 447 .ne 2
447 448 .na
448 449 \fBprocgroup=\fIgroup\fR\fR
449 450 .ad
450 451 .sp .6
451 452 .RS 4n
452 453 Select records containing process objects with \fIgroup\fR as the real or
453 454 effective group.
454 455 .RE
455 456
456 457 .sp
457 458 .ne 2
458 459 .na
459 460 \fBprocowner=\fIuser\fR\fR
460 461 .ad
461 462 .sp .6
462 463 .RS 4n
463 464 Select records containing process objects with \fIuser\fR as the real or
464 465 effective user.
465 466 .RE
466 467
467 468 .sp
468 469 .ne 2
469 470 .na
470 471 \fBsemid=\fIID\fR\fR
471 472 .ad
472 473 .sp .6
473 474 .RS 4n
474 475 Select records containing semaphore objects with the specified \fIID\fR where
475 476 \fIID\fR is a semaphore \fBID\fR.
476 477 .RE
477 478
478 479 .sp
479 480 .ne 2
480 481 .na
481 482 \fBsemgroup=\fIgroup\fR\fR
482 483 .ad
483 484 .sp .6
484 485 .RS 4n
485 486 Select records containing semaphore objects with \fIgroup\fR as the owning or
486 487 creating group.
487 488 .RE
488 489
489 490 .sp
490 491 .ne 2
491 492 .na
492 493 \fBsemowner=\fIuser\fR\fR
493 494 .ad
494 495 .sp .6
495 496 .RS 4n
496 497 Select records containing semaphore objects with \fIuser\fR as the owning or
497 498 creating user.
498 499 .RE
499 500
500 501 .sp
501 502 .ne 2
502 503 .na
503 504 \fBshmid=\fIID\fR\fR
504 505 .ad
505 506 .sp .6
506 507 .RS 4n
507 508 Select records containing shared memory objects with the specified \fIID\fR
508 509 where \fIID\fR is a shared memory \fBID\fR.
509 510 .RE
510 511
511 512 .sp
512 513 .ne 2
513 514 .na
514 515 \fBshmgroup=\fIgroup\fR\fR
515 516 .ad
516 517 .sp .6
517 518 .RS 4n
518 519 Select records containing shared memory objects with \fIgroup\fR as the owning
519 520 or creating group.
520 521 .RE
521 522
522 523 .sp
523 524 .ne 2
524 525 .na
525 526 \fBshmowner=\fIuser\fR\fR
526 527 .ad
527 528 .sp .6
528 529 .RS 4n
529 530 Select records containing shared memory objects with \fIuser\fR as the owning
530 531 or creating user.
531 532 .RE
532 533
533 534 .sp
534 535 .ne 2
535 536 .na
536 537 \fBsock=\fIport_number|machine\fR\fR
537 538 .ad
538 539 .sp .6
539 540 .RS 4n
540 541 Select records containing socket objects with the specified \fIport_number\fR
541 542 or the specified \fImachine\fR where \fImachine\fR is a machine name as defined
542 543 in \fBhosts\fR(4).
543 544 .RE
544 545
545 546 .sp
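Review bot: While the header of this file is being touched (new Nexenta copyright line, .TH date bumped to Jul 10, 2018), the -N description in the same region still carries a pre-existing typo, `\fBnew mode\fR.This flag is off by default`, with no space after the period; fix it to `\fBnew mode\fR. This flag is off by default` in this change rather than leaving it for a later cleanup.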
546 547 .ne 2
547 548 .na
548 549 \fBfmri=\fIservice instance\fR\fR
549 550 .ad
550 551 .sp .6
551 552 .RS 4n
552 553 Select records containing fault management resource identifier (FMRI) objects
553 554 with the specified \fIservice instance\fR. See \fBsmf\fR(5).
554 555 .RE
555 556
557 +.sp
558 +.ne 2
559 +.na
560 +\fBwsid=\fIWindows SID\fR\fR
561 +.ad
562 +.sp .6
563 +.RS 4n
564 +Select records containing Windows SIDS matching the specified \fISID\fR.
565 +.RE
566 +
556 567 .RE
557 568
558 569 .sp
559 570 .ne 2
560 571 .na
561 572 \fB\fB-r\fR \fIreal-user\fR\fR
562 573 .ad
563 574 .sp .6
564 575 .RS 4n
565 576 Select records with the specified \fIreal-user\fR.
566 577 .RE
567 578
568 579 .sp
569 580 .ne 2
570 581 .na
571 582 \fB\fB-s\fR \fIsession-id\fR\fR
572 583 .ad
573 584 .sp .6
574 585 .RS 4n
575 586 Select audit records with the specified \fIsession-id\fR.
576 587 .RE
577 588
578 589 .sp
579 590 .ne 2
580 591 .na
581 592 \fB\fB-u\fR \fIaudit-user\fR\fR
582 593 .ad
583 594 .sp .6
584 595 .RS 4n
585 596 Select records with the specified \fIaudit-user\fR.
586 597 .RE
587 598
588 599 .sp
589 600 .ne 2
590 601 .na
591 602 \fB\fB-z\fR \fIzone-name\fR\fR
592 603 .ad
593 604 .sp .6
594 605 .RS 4n
595 606 Select records from the specified zone name. The zone name selection is
596 607 case-sensitive.
597 608 .RE
598 609
599 610 .sp
600 611 .LP
601 612 When one or more \fIfilename\fR arguments appear on the command line, only the
602 613 named files are processed. Files specified in this way need not conform to the
603 614 audit trail filename format. However, \fB-M\fR, \fB-S\fR, and \fB-R\fR must not
604 615 be used when processing named files. If the \fIfilename\fR is ``\(mi'' then the
605 616 input is taken from the standard input.
606 617 .SS "Option Arguments"
607 618 .ne 2
608 619 .na
609 620 \fB\fIaudit-trail-file\fR\fR
610 621 .ad
611 622 .sp .6
612 623 .RS 4n
613 624 An audit trail file as defined in \fBaudit.log\fR(4). An audit trail file not
614 625 named on the command line must conform to the audit trail file name format.
615 626 Audit trail files produced as output of \fBauditreduce\fR are in this format as
616 627 well. The format is:
617 628 .sp
618 629 \fIstart-time . \|end-time . \|suffix\fR
619 630 .sp
620 631 \fIstart-time\fR is the 14 character time stamp denoting when the file was
621 632 opened. \fIend-time\fR is the 14 character time stamp denoting when the file
622 633 was closed. \fIend-time\fR can also be the literal string \fBnot_terminated\fR,
623 634 indicating the file is still be written to by the audit daemon or the file was
624 635 not closed properly (a system crash or abrupt halt occurred). \fIsuffix\fR is
625 636 the name of the machine that generated the audit trail file (or some other
626 637 meaningful suffix; for example, \fBall\fR would be a good suffix if the audit
627 638 trail file contains a combined group of records from many machines).
628 639 .RE
629 640
630 641 .sp
631 642 .ne 2
632 643 .na
633 644 \fB\fIdate-time\fR\fR
634 645 .ad
635 646 .sp .6
636 647 .RS 4n
637 648 The \fIdate-time\fR argument to \fB-a\fR, \fB-b\fR, and \fB-d\fR can be of two
638 649 forms: An absolute \fIdate-time\fR takes the form:
639 650 .sp
640 651 \fI\fR yyyymmdd [ \fIhh\fR [ \fImm\fR [ \fIss\fR ]]]
641 652 .sp
642 653 where \fIyyyy\fR specifies a year (with 1970 as the earliest value), \fImm\fR
643 654 is the month (01-12), \fBdd\fR is the day (01-31), \fIhh\fR is the hour
644 655 (00-23), \fImm\fR is the minute (00-59), and \fIss\fR is the second (00-59).
645 656 The default is 00 for \fIhh\fR, \fImm\fR and \fIss\fR.
646 657 .sp
647 658 An offset can be specified as: \fB+\fR\fIn\fR \fBd\fR|\fBh\fR|\fBm\fR| \fBs\fR
648 659 where \fIn\fR is a number of units, and the tags \fBd\fR, \fBh\fR, \fBm\fR, and
649 660 \fBs\fR stand for days, hours, minutes and seconds, respectively. An offset is
650 661 relative to the starting time. Thus, this form can only be used with the
651 662 \fB-b\fR option.
652 663 .RE
653 664
654 665 .sp
655 666 .ne 2
656 667 .na
657 668 \fB\fIevent\fR\fR
658 669 .ad
659 670 .sp .6
660 671 .RS 4n
661 672 The literal string or ordinal event number as found in \fBaudit_event\fR(4). If
662 673 \fIevent\fR is not found in the \fBaudit_event\fR file it is considered
663 674 invalid.
664 675 .RE
665 676
666 677 .sp
667 678 .ne 2
668 679 .na
669 680 \fB\fIgroup\fR\fR
670 681 .ad
671 682 .sp .6
672 683 .RS 4n
673 684 The literal string or ordinal group ID number as found in \fBgroup\fR(4). If
674 685 \fIgroup\fR is not found in the \fBgroup\fR file it is considered invalid.
675 686 \fIgroup\fR can be negative.
676 687 .RE
677 688
678 689 .sp
679 690 .ne 2
680 691 .na
681 692 \fB\fIlabel\fR\fR
682 693 .ad
683 694 .sp .6
684 695 .RS 4n
685 696 The literal string representation of a MAC label or a range of two valid MAC
686 697 labels. To specify a range, use \fBx;y\fR where \fBx\fR and \fBy\fR are valid
687 698 MAC labels. Only those records that are fully bounded by \fBx\fR and \fBy\fR
688 699 will be selected. If \fBx\fR or \fBy\fR is omitted, the default uses
689 700 \fBADMIN_LOW\fR or \fBADMIN_HIGH\fR respectively. Notice that quotes must be
690 701 used when specifying a range.
691 702 .RE
692 703
693 704 .sp
694 705 .ne 2
695 706 .na
696 707 \fB\fIpathname\fR\fR
697 708 .ad
698 709 .sp .6
699 710 .RS 4n
700 711 A regular expression describing a pathname.
701 712 .RE
702 713
703 714 .sp
704 715 .ne 2
705 716 .na
706 717 \fB\fIuser\fR\fR
707 718 .ad
708 719 .sp .6
709 720 .RS 4n
710 721 The literal username or ordinal user ID number as found in \fBpasswd\fR(4). If
711 722 the username is not found in the \fBpasswd\fR file it is considered invalid.
712 723 \fIuser\fR can be negative.
713 724 .RE
714 725
715 726 .SH EXAMPLES
716 727 .LP
717 728 \fBExample 1 \fRThe auditreduce command
718 729 .sp
719 730 .LP
720 731 \fBpraudit\fR(1M) is available to display audit records in a human-readable
721 732 form.
722 733
723 734 .sp
724 735 .LP
725 736 This will display the entire audit trail in a human-readable form:
726 737
727 738 .sp
728 739 .in +2
729 740 .nf
730 741 % auditreduce | praudit
731 742 .fi
732 743 .in -2
733 744 .sp
734 745
735 746 .sp
736 747 .LP
737 748 If all the audit trail files are being combined into one large file, then
738 749 deleting the original files could be desirable to prevent the records from
739 750 appearing twice:
740 751
741 752 .sp
742 753 .in +2
743 754 .nf
744 755 % auditreduce -V -D /etc/security/audit/combined/all
745 756 .fi
746 757 .in -2
747 758 .sp
748 759
749 760 .sp
750 761 .LP
751 762 This displays what user \fBmilner\fR did on April 13, 1988. The output is
752 763 displayed in a human-readable form to the standard output:
753 764
754 765 .sp
755 766 .in +2
756 767 .nf
757 768 % auditreduce -d 19880413 -u milner | praudit
758 769 .fi
759 770 .in -2
760 771 .sp
761 772
762 773 .sp
763 774 .LP
764 775 The above example might produce a large volume of data if \fBmilner\fR has been
765 776 busy. Perhaps looking at only login and logout times would be simpler. The
766 777 \fB-c\fR option will select records from a specified class:
767 778
768 779 .sp
769 780 .in +2
770 781 .nf
771 782 % auditreduce -d 19880413 -u milner -c lo | praudit
772 783 .fi
773 784 .in -2
774 785 .sp
775 786
776 787 .sp
777 788 .LP
778 789 To see \fBmilner\fR's login/logout activity for April 13, 14, and 15, the
779 790 following is used. The results are saved to a file in the current working
780 791 directory. Notice that the name of the output file will have \fBmilnerlo\fR as
781 792 the \fIsuffix\fR, with the appropriate timestamp prefixes. Notice also that the
782 793 long form of the name is used for the \fB-c\fR option:
783 794
784 795 .sp
785 796 .in +2
786 797 .nf
787 798 % auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo
788 799 .fi
789 800 .in -2
790 801 .sp
791 802
792 803 .sp
793 804 .LP
794 805 To follow \fBmilner\fR's movement about the file system on April 13, 14, and 15
795 806 the \fBchdir\fR record types could be viewed. Notice that in order to get the
796 807 same time range as the above example we needed to specify the \fB-b\fR time as
797 808 the day \fBafter\fR our range. This is because \fB19880416\fR defaults to
798 809 midnight of that day, and records before that fall on \fB0415\fR, the end-day
799 810 of the range.
800 811
801 812 .sp
802 813 .in +2
803 814 .nf
804 815 % auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit
805 816 .fi
806 817 .in -2
807 818 .sp
808 819
809 820 .sp
810 821 .LP
811 822 In this example, the audit records are being collected in summary form (the
812 823 login/logout records only). The records are being written to a summary file in
813 824 a different directory than the normal audit root to prevent the selected
814 825 records from existing twice in the audit root.
815 826
816 827 .sp
817 828 .in +2
818 829 .nf
819 830 % auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins
820 831 .fi
821 832 .in -2
822 833 .sp
823 834
824 835 .sp
825 836 .LP
826 837 If activity for user \fBID\fR 9944 has been observed, but that user is not
827 838 known to the system administrator, then the command in the following example
828 839 searches the entire audit trail for any records generated by that user.
829 840 \fBauditreduce\fR queries the system about the current validity of \fBID\fR
830 841 9944 and displays a warning message if it is not currently active:
831 842
832 843 .sp
833 844 .in +2
834 845 .nf
835 846 % auditreduce -O /etc/security/audit_suspect/user9944 -u 9944
836 847 .fi
837 848 .in -2
838 849 .sp
839 850
840 851 .sp
841 852 .LP
842 853 To get an audit log of only the global zone:
843 854
844 855 .sp
845 856 .in +2
846 857 .nf
847 858 % auditreduce -z global
848 859 .fi
849 860 .in -2
850 861
851 862 .SH FILES
852 863 .ne 2
853 864 .na
854 865 \fB\fB/etc/security/audit/\fR\fIserver\fR\fB/files/*\fR\fR
855 866 .ad
856 867 .sp .6
857 868 .RS 4n
858 869 location of audit trails, when stored
859 870 .RE
860 871
861 872 .SH ATTRIBUTES
862 873 .LP
863 874 See \fBattributes\fR(5) for descriptions of the following attributes:
864 875 .sp
865 876
866 877 .sp
867 878 .TS
868 879 box;
869 880 c | c
870 881 l | l .
871 882 ATTRIBUTE TYPE ATTRIBUTE VALUE
872 883 _
873 884 Interface Stability See below.
874 885 .TE
875 886
876 887 .sp
877 888 .LP
878 889 The command invocation is Stable. The binary file format is Stable. The binary
879 890 file contents is Unstable.
880 891 .SH SEE ALSO
881 892 .LP
882 893 \fBpraudit\fR(1M), \fBaudit.log\fR(4), \fBaudit_class\fR(4),
883 894 \fBgroup\fR(4), \fBhosts\fR(4), \fBpasswd\fR(4),
884 895 \fBattributes\fR(5), \fBsmf\fR(5)
885 896 .SH DIAGNOSTICS
886 897 .LP
887 898 \fBauditreduce\fR displays error messages if there are command line errors and
888 899 then exits. If there are fatal errors during the run, \fBauditreduce\fR
889 900 displays an explanatory message and exits. In this case, the output file might
890 901 be in an inconsistent state (no trailer or partially written record) and
891 902 \fBauditreduce\fR displays a warning message before exiting. Successful
892 903 invocation returns \fB0\fR and unsuccessful invocation returns \fB1\fR.
893 904 .sp
894 905 .LP
895 906 Since \fBauditreduce\fR might be processing a large number of input files, it
896 907 is possible that the machine-wide limit on open files will be exceeded. If this
897 908 happens, \fBauditreduce\fR displays a message to that effect, give information
898 909 on how many file there are, and exit.
899 910 .sp
900 911 .LP
901 912 If \fBauditreduce\fR displays a record's timestamp in a diagnostic message,
902 913 that time is in local time. However, when filenames are displayed, their
903 914 timestamps are in \fBGMT\fR.
904 915 .SH BUGS
905 916 .LP
906 917 Conjunction, disjunction, negation, and grouping of record selection options
907 918 should be allowed.
908 919 .SH NOTES
909 920 .LP
910 921 The \fB-z\fR option should be used only if the audit policy \fBzonename\fR is
911 922 set. If there is no zonename token, then no records will be selected.