audit_tool(8) [ultrix man page]

audit_tool(8)						      System Manager's Manual						     audit_tool(8)

Name
       audit_tool - ULTRIX auditlog reduction tool

Syntax
       /usr/etc/sec/audit_tool [ option ... ] auditlog_filename

Description
       The audit_tool command presents selected portions of the collected audit data in a human-readable format.  If no arguments are
       provided, a brief help message is displayed.  The auditlog file may be compressed or uncompressed.  The command uncompresses the
       auditlog file if necessary, and re-compresses it if it was originally compressed.

       Options are used to select specific audit records of interest.  For a record to be selected, it must match at least one option of
       each option type specified.  For example, if two usernames and one hostname were specified, a selected audit record would have to
       match one of the usernames and the hostname.  Only one start time and one end time may be selected.  Only one deselection rules
       file may be selected.  As many events as exist on the system may be selected.  For all other option types, up to 8 instances may
       be selected.

Options
       -a audit_id Selects audit records with a matching audit_id.  The default is to select for all audit_id's.

       -b          Outputs selected records in binary format.  The output is in a format suitable for further analysis by audit_tool
                   itself.  The default is to output in ASCII format.

       -B	   Outputs  selected  records  in  an abbreviated format.  Each selected event is displayed along with its audit_id, ruid, result,
		   error code, pid, event name, and parameter list.  Suppressed information includes the username, ppid, device id, current direc-
		   tory,  gnode  information, symbolic name referenced by any descriptors, IP address, and timestamp.  The default is to output in
		   the non-abbreviated format.

       -d filename Reads deselection rules from the specified file and suppresses any record matching any of the deselection rules.  The
                   deselection rules take precedence over the other selection options.  Each deselection rule is a tuple consisting of
                   hostname, audit_id, ruid, event, pathname, and flag.  The flag component specifies read or write mode; it pertains
                   only to open events.  Wildcarding and simple pattern matching are supported.  Take, for example, the following lines
                   from a deselection file:
                   # HOST, AUID, RUID, EVENT, PATHNAME, FLAG
                   * * * open /usr/lib/* r
                   grumpy * * * /usr/spool/rwho* *
                   These lines indicate that any open operation for read access on any object whose pathname starts with /usr/lib/ will
                   not be selected, and that on system grumpy any operation on any object whose pathname starts with /usr/spool/rwho
                   will not be selected.  (Lines beginning with a number sign (#) are treated as comment lines.)  Any field can be
                   replaced with an asterisk (*), which matches any value.  Pathname matching requires an exact match between strings,
                   unless the pathname is suffixed with an asterisk, which matches any trailing string (so, for example, /usr/lib/*
                   matches every pathname beginning with /usr/lib/).  The default is to apply no deselection rules.  (A related option
                   additionally prints the deselection rules to be applied.)

       -e event[:success:fail]
                   Selects records with a matching event.  Optionally selects only those records with a successful or a failed return
                   value; for example, the option can be restricted to only failed open events.  Multiple events may be specified on the
                   command line.  The default is to select for all events, both successful and failed.

       -E error    Selects records with a matching error.  The default is to select for all errors.

       -f          Causes audit_tool not to quit at end-of-file, but to continue attempting to read data.  This is useful for reviewing
                   auditlog data as it is being written by the audit daemon.  (For SMP systems, audit data should be sorted first, as
                   descriptor translation, login name, current directory, and root directory all rely on state information maintained
                   by audit_tool.)

       -g gnode_id Selects records with a matching gnode identifier number.  The default is to select for all gnode id's.

       -G gnode_dev major#,minor#
		   Selects records with matching gnode device major/minor numbers.  The default is to select for all gnode devices.

       -h hostname/IP address
                   Selects records with a matching hostname or IP address.  Hostnames are translated to their IP addresses via the local
                   hosts file.  If the local hosts file is not available or contains insufficient information, IP addresses should be
                   used.  The default is to select for all hostnames and IP addresses.

       -i          Enters interactive selection mode to specify options.  Interactive mode may also be entered by pressing CTRL/C at any
                   time, then answering ``no'' to the exit prompt.  Once in interactive mode, each option is prompted for in turn.  Press
                   Return to accept the current setting (or default); enter an asterisk (*) to change the current setting back to the
                   default.  The default, unless otherwise stated, is to select every audit record.

       -o          Whenever the audit daemon switches auditlogs, an audit_log_change event is generated.  If that event did result in an
                   auditlog change (that is, it was an event which occurred on the local system), audit_tool will normally attempt to
                   find and process the succeeding auditlog.  This is possible, however, only if the auditlog is maintained locally.  The
                   -o option tells audit_tool not to process succeeding auditlogs.

       -p pid	   Selects records with a matching pid.  The default is to select for all pids.

       -P ppid	   Selects records with a matching parent pid (ppid).  The default is to select for all ppids.

       -r ruid     Selects records with a matching real uid (ruid).  The default is to select for all ruids.

       -R          Generates an ASCII report for each audit_id found in the selected events.  Each report consists of those selected
                   events whose audit_id matches the report suffix.  Report names are of the format report.xxxx, where xxxx is the
                   audit_id.

       -s string   Selects  records  which  contain  string  in  either a parameter field or a descriptor field.  The default is to select for all
		   strings.

       -S	   Performs a sort (by time) on the auditlog.  The sort performed is an inter-cpu sort only (for any specific  cpu,  data  may	be
		   non-sequential  for	events	such  as  fork	and vfork; this information does not need to be sorted for proper operation of the
		   reduction tool).  This option is useful only for data collected on an SMP system.

       -t start_time
		   Selects records which contain a timestamp no earlier than start_time.  Timestamp format is yymmdd[hh[mm[ss]]].  The default	is
		   to select for all timestamps.

       -T end_time Selects records which contain a timestamp no later than end_time.  Timestamp format is yymmdd[hh[mm[ss]]].  The default
                   is to select for all timestamps.

       -u uid	   Selects audit records with a matching uid.  The default is to select for all uid's.

       -U username Selects audit records with a matching username.  Usernames are recorded at the login event and are associated  with	all  child
		   processes.	If login is not audited, no username will be present in the auditlog.  Selecting for a username will display those
		   records which have a matching username.  The default is to select for all usernames.

       -x major#,minor#
		   Selects audit records with matching device major/minor numbers.  The default is to select for all devices.

       The audit reduction tool generates auditlog header files, suffixed with .hdr, when it completes processing of an auditlog file.  If
       the -o option is used, no auditlog header file is generated.  This header file contains the time range in which the audited
       operations occurred, so searching for events by time requires the reduction tool to process only those auditlogs which were
       actually written during that time.  The header file also contains the sort status of the auditlog, so previously sorted logs are
       not sorted more than once.
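       The deselection rules described under -d, worked through as an added example.  This is not code from the ULTRIX tool: it is a
       small Python model of the rule semantics the page states (six-field tuples, # comments, * matching any value, pathname matching
       exactly unless suffixed with *, and the flag applying only to open events).  The record dicts and their field names are a
       constructed representation, not the auditlog encoding, and the rule lines are the two quoted in the -d description.

```python
"""Model of audit_tool -d deselection rules (added example, not ULTRIX code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    host: str
    auid: str
    ruid: str
    event: str
    pathname: str
    flag: str


def parse_rules(text: str) -> List[Rule]:
    """Parse a deselection file: '#' lines are comments, every other
    non-blank line must carry exactly six whitespace-separated fields."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(Rule(*fields))
    return rules


def field_match(pattern: str, value: str) -> bool:
    """'*' matches any value; anything else must match exactly."""
    return pattern == "*" or pattern == value


def path_match(pattern: str, value: str) -> bool:
    """Exact string match, unless the pattern ends in '*', which matches
    any trailing string (i.e. a prefix match on the rest)."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def rule_matches(rule: Rule, rec: Dict[str, str]) -> bool:
    """A record is deselected when every field of a rule matches it."""
    if not (field_match(rule.host, rec["host"])
            and field_match(rule.auid, rec["auid"])
            and field_match(rule.ruid, rec["ruid"])
            and field_match(rule.event, rec["event"])
            and path_match(rule.pathname, rec.get("pathname", ""))):
        return False
    # The r/w flag pertains only to open events; for other events it is ignored.
    if rec["event"] == "open" and not field_match(rule.flag, rec.get("flag", "")):
        return False
    return True


def deselect(records: List[dict], rules: List[Rule]) -> List[dict]:
    """Keep only records that match none of the rules.  Deselection takes
    precedence over positive selection, so it is applied last."""
    return [r for r in records if not any(rule_matches(rule, r) for rule in rules)]


# The two rule lines quoted in the -d description.
SAMPLE_RULES = """\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
grumpy * * * /usr/spool/rwho* *
"""

# Constructed records (not real auditlog data); 'id' is only for reporting.
SAMPLE_RECORDS = [
    {"id": 1, "host": "dopey",  "auid": "1123", "ruid": "7", "event": "open",   "pathname": "/usr/lib/libc.a", "flag": "r"},
    {"id": 2, "host": "dopey",  "auid": "1123", "ruid": "7", "event": "open",   "pathname": "/usr/lib/libc.a", "flag": "w"},
    {"id": 3, "host": "grumpy", "auid": "1123", "ruid": "7", "event": "creat",  "pathname": "/usr/spool/rwho/whod.grumpy"},
    {"id": 4, "host": "grumpy", "auid": "1123", "ruid": "7", "event": "open",   "pathname": "/usr/spool/mail/root", "flag": "r"},
    {"id": 5, "host": "grumpy", "auid": "1123", "ruid": "7", "event": "fork"},
    {"id": 6, "host": "sneezy", "auid": "1123", "ruid": "7", "event": "unlink", "pathname": "/usr/lib/libc.a"},
]


def kept_ids(records=SAMPLE_RECORDS, rules_text=SAMPLE_RULES) -> List[int]:
    """Ids of the records that survive deselection."""
    return [r["id"] for r in deselect(records, parse_rules(rules_text))]


if __name__ == "__main__":
    print(kept_ids())  # [2, 4, 5, 6]
```

       Records 1 and 3 are dropped: the first is a read-mode open under /usr/lib/, the second is an operation on grumpy under
       /usr/spool/rwho.  Record 2 survives because its flag is w, and record 5 survives because a fork carries no pathname, so the
       /usr/spool/rwho* prefix cannot match it.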

Restrictions
       The audit reduction tool maintains the state of each process in order to translate descriptors back to pathnames, as well as to
       provide the current working directory, root, and username.  In order not to run out of memory, process exit should be an audited
       event, so that per-process state can be discarded.  In order to provide the current working directory, chdir should be an audited
       event.  In order to provide the current root (if not /), chroot should be an audited event.  In order to provide the username,
       login should be an audited event.

       All state relevant information current at the time of an auditlog change is maintained in the header file.  This allows subsequent scans of
       a specific auditlog to not have any dependencies on previous auditlogs.

Examples
       The following example selects all login, open and creat events performed on system grumpy by any process with audit_id 1123:
       audit_tool -e login -e open -e creat -h grumpy -a 1123 auditlog.000

       The  following  example	applies  deselection file deselect to auditlog.000 and selects for events between 10:47 a.m. on April 13, 1986 and
       5:30 p.m. on April 20, 1986:
       audit_tool -d deselect -t 8604131047 -T 8604201730 auditlog.000
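       The selection semantics from the Description (within one option type a record need match only one value, across option types
       every type given must match), the per-type limits, and the yymmdd[hh[mm[ss]]] timestamp bounds of -t/-T, worked through as an
       added example on constructed records.  This is not ULTRIX code; the record fields, the option names used as dict keys, the
       treatment of omitted hh/mm/ss as 00, and the assumption that a two-digit year means 19yy are all choices made here.  It
       reproduces the first example above and the time-range part of the second (the -d deselect part is outside this block).

```python
"""Model of audit_tool option selection and -t/-T bounds (added example)."""
from datetime import datetime
from typing import Dict, List

# Option types limited to 8 values each.  Events (-e) are unlimited; the
# start and end times take exactly one value each.
LIMITED = {"auid", "host", "pid", "ppid", "ruid", "uid", "user", "error", "gnode", "string"}


def add_option(opts: Dict[str, list], kind: str, value) -> Dict[str, list]:
    """Accumulate one command-line option, enforcing the documented limits."""
    values = opts.setdefault(kind, [])
    if kind in ("start", "end") and values:
        raise ValueError(f"only one {kind} time may be selected")
    if kind in LIMITED and len(values) >= 8:
        raise ValueError(f"at most 8 {kind} values may be selected")
    values.append(value)
    return opts


def parse_stamp(text: str) -> datetime:
    """Parse yymmdd[hh[mm[ss]]].  Omitted hh/mm/ss are taken as 00 and the
    two-digit year is assumed to mean 19yy (assumption made here)."""
    if not text.isdigit() or len(text) not in (6, 8, 10, 12):
        raise ValueError(f"bad timestamp {text!r}: expected yymmdd[hh[mm[ss]]]")
    parts = [int(text[i:i + 2]) for i in range(0, len(text), 2)]
    parts += [0] * (6 - len(parts))
    yy, mm, dd, hh, mi, ss = parts
    return datetime(1900 + yy, mm, dd, hh, mi, ss)


def select(records: List[dict], opts: Dict[str, list]) -> List[dict]:
    """AND across option types, OR within a type, plus the time window."""
    start = parse_stamp(opts["start"][0]) if "start" in opts else None
    end = parse_stamp(opts["end"][0]) if "end" in opts else None
    out = []
    for rec in records:
        if start is not None and rec["ts"] < start:   # no earlier than start_time
            continue
        if end is not None and rec["ts"] > end:       # no later than end_time
            continue
        if all(rec.get(kind) in values
               for kind, values in opts.items() if kind not in ("start", "end")):
            out.append(rec)
    return out


def _rec(i, host, auid, event, stamp):
    return {"id": i, "host": host, "auid": auid, "event": event, "ts": parse_stamp(stamp)}


# Constructed records (not real auditlog data), placed around the example range.
SAMPLE_RECORDS = [
    _rec(1, "grumpy", 1123, "login", "860413105000"),
    _rec(2, "grumpy", 1123, "open",  "860413110000"),
    _rec(3, "grumpy", 1123, "fork",  "860413104600"),  # event not selected; before -t
    _rec(4, "dopey",  1123, "open",  "860420173000"),  # wrong host; exactly at -T
    _rec(5, "grumpy", 1124, "creat", "860420173100"),  # wrong audit_id; one minute past -T
    _rec(6, "grumpy", 1123, "creat", "860421090000"),  # selected by example 1; after -T
]


def example_one(records=SAMPLE_RECORDS) -> List[int]:
    """audit_tool -e login -e open -e creat -h grumpy -a 1123 auditlog.000"""
    opts: Dict[str, list] = {}
    for ev in ("login", "open", "creat"):
        add_option(opts, "event", ev)
    add_option(opts, "host", "grumpy")
    add_option(opts, "auid", 1123)
    return [r["id"] for r in select(records, opts)]


def example_two_time_range(records=SAMPLE_RECORDS) -> List[int]:
    """The -t 8604131047 -T 8604201730 part of the second example."""
    opts: Dict[str, list] = {}
    add_option(opts, "start", "8604131047")
    add_option(opts, "end", "8604201730")
    return [r["id"] for r in select(records, opts)]


if __name__ == "__main__":
    print(example_one())             # [1, 2, 6]
    print(example_two_time_range())  # [1, 2, 4]
```

       Record 4 sits exactly on the -T boundary and is kept, since -T selects records no later than end_time; record 3, one minute
       before -t, is dropped.  A ninth value for a limited option type raises an error, matching the 8-instance limit in the
       Description.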

See Also
       auditd(8), auditmask(8)
