audit_tool(8)							audit_tool(8)



NAME

  audit_tool, audit_tool.ultrix - Audit log reduction tool

SYNOPSIS

  /usr/sbin/audit_tool [ options ] auditlog_filename

  /usr/sbin/audit_tool.ultrix [ flags ] auditlog_filename

FLAGS

  Selection Flags


  -/ text_string
      Selects audit records with a matching text_string.  The rules for
      regular expression expansions do not apply to this option.

  -a audit_id
      Selects audit records with a matching audit ID.  The default is to
      select for all audit IDs.

  -e event[.subevent][:success:fail]
      Selects records with a matching event or event.subevent.  The subevent
      can be applied only to site events.  Optionally select only those
      records with a successful or failed return value.  For example, the
      option -e mount:0:1 selects for only failed mount events while -e
      rdb.query:1:0 selects successful rdb events with the query subevent.
      Multiple events can be specified on the command line.  The default is
      to select for all events, both successful and failed.

      If you specify the open event, you can add an r (read) or w (write)
      modifier to specify an open for read or an open for write.  The syntax
      is as follows: -e open.r or -e open.w

  -E error
      Selects records with a matching error string or error number.  The
      default is to select for all errors.

  -g inode_id
      For use with audit_tool.ultrix only.  Selects records with a matching
      inode identifier number.  The default is to select for all inode IDs.

  -G inode_dev major#,minor#
      For use with audit_tool.ultrix only.  Selects records with matching
      inode device major and minor numbers.  The default is to select for all
      inode devices.

  -h hostname/IP address
      Selects records with a matching host name or IP address.  Host names
      are translated to their IP addresses by the gethostbyname() logic.  The
      default is to select for all host names and IP addresses.

  -p pid
      Selects records with a matching PID.  The default is to select for all
      PIDs.  If the specified PID is negative, the absolute value of the PID
      is selected as well as any of the PID's descendants.

  -P ppid
      Selects records with a matching parent PID (PPID).  The default is to
      select for all PPIDs.

  -r ruid
      Selects records with a matching real UID (RUID).  The default is to
      select for all RUIDs.

  -s string
      Selects records that contain string in a parameter field or associated
      with a descriptor field.  The default is to select for all strings.

  -t start_time
      Selects records that contain a timestamp no earlier than start_time.
      The timestamp format is yymmdd[hh[mm[ss]]].  The default is to select
      for all timestamps.  Note that the audit tool automatically converts
      values of yy in the time string to the appropriate year 2000 value.
      Specifically, values ranging from 70 to 99 map to 1970 (the epoch
      year) through 1999, and values ranging from 00 to 69 map to 2000
      through 2069.

  -T end_time
      Selects records that contain a timestamp no later than end_time.
      Timestamp format is yymmdd[hh[mm[ss]]].  The default is to select for
      all timestamps.  See the year 2000 conversion description in the -t
      start_time flag.
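      As an added illustration (not part of this manual page or of
      audit_tool itself), the following Python parses -t/-T values in the
      yymmdd[hh[mm[ss]]] form with the two-digit-year pivot described above
      and applies the resulting window to constructed sample records.  It
      assumes that omitted hh, mm and ss fields count as zero, which the
      page does not state.

```python
from datetime import datetime

def parse_audit_time(text):
    """Parse a -t/-T value of the form yymmdd[hh[mm[ss]]] into a datetime.

    Two-digit years follow the pivot given above: 70-99 -> 1970-1999,
    00-69 -> 2000-2069.  Omitted hh/mm/ss are taken as zero (assumption).
    """
    if not text.isdigit() or len(text) not in (6, 8, 10, 12):
        raise ValueError("expected yymmdd[hh[mm[ss]]], got %r" % text)
    yy = int(text[0:2])
    year = 1900 + yy if yy >= 70 else 2000 + yy
    fields = [year, int(text[2:4]), int(text[4:6])]
    for i in range(6, len(text), 2):          # optional hh, mm, ss
        fields.append(int(text[i:i + 2]))
    while len(fields) < 6:
        fields.append(0)
    return datetime(*fields)                   # rejects e.g. month 13

def select_by_time(records, start=None, end=None):
    """Keep records timestamped no earlier than start and no later than end,
    mirroring -t and -T.  A missing bound selects all timestamps."""
    lo = parse_audit_time(start) if start else None
    hi = parse_audit_time(end) if end else None
    kept = []
    for rec in records:
        if lo is not None and rec["time"] < lo:
            continue
        if hi is not None and rec["time"] > hi:
            continue
        kept.append(rec)
    return kept

# Constructed sample records; not real audit_tool output.
SAMPLE = [
    {"event": "login", "time": datetime(1994, 4, 13, 9, 0, 0)},
    {"event": "open",  "time": datetime(1994, 4, 13, 10, 47, 0)},
    {"event": "exec",  "time": datetime(1994, 4, 20, 17, 30, 0)},
    {"event": "exit",  "time": datetime(1994, 4, 20, 17, 30, 1)},
]

if __name__ == "__main__":
    # Same window as the EXAMPLES section: -t 9404131047 -T 9404201730
    for rec in select_by_time(SAMPLE, "9404131047", "9404201730"):
        print(rec["event"], rec["time"])
```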

  -u uid
      Selects audit records with a matching UID.  The default is to select
      for all UIDs.

  -U username
      Selects audit records with a matching user name.  (The username is
      mapped to the UID as defined in the password database.)  The username
      is recorded at the login event and is associated with all child
      processes.  If login is not audited, no username is present in the
      audit log.  Selecting for a username will display those records that
      have a matching user name.  The default is to select for all user names.

  -v inode_id
      Selects records with a matching inode identifier number.  The default
      is to select for all inode IDs.

  -V inode_dev major#,minor#
      Selects records with matching inode device major/minor numbers.  The
      default is to select for all inode devices.

  -x major#,minor#
      Selects audit records with matching device major and minor numbers.
      The default is to select for all devices.

  -y  Selects records with matching process name (name used by exec).

  Control Flags


  -b  Outputs selected records in binary format.  The output is in a format
      suitable for subsequent analysis by the audit_tool.  The default is to
      output in ASCII format.

  -B  Outputs selected records in an abbreviated format.  Each selected event
      is displayed along with its audit ID, RUID, result, error code, PID,
      event name, and parameter list.  For X events, the IDs displayed are
      those of the X client.  Suppressed information includes the user name,
      PPID, device ID, current directory, inode information, symbolic name
      referenced by any descriptors, IP address, and timestamp.  The default
      is to output in the nonabbreviated format.

  -d filename
      Reads deselection rules from the specified file and suppresses any
      records matching any of the deselection rules.  The deselection rule
      sets take precedence over other selection options.  Each deselection
      rule is a tuple consisting of host name, audit ID, RUID, event,
      pathname, and flag.  The flag component is used to specify read or
      write mode; it pertains only to open events.

      Wildcarding and simple pattern matching are supported.  For example,
      consider the following lines from a deselection file:

           # HOST, AUID, RUID, EVENT, PATHNAME, FLAG
           * * * open /usr/lib/* r
           alpha1 * * * /usr/spool/rwho* *

      These lines indicate that any open operations for read access on any
      object whose pathname starts with /usr/lib/ will not be selected, and
      on system alpha1 any operations performed on any object whose pathname
      starts with /usr/spool/rwho will not be selected.  (Lines beginning
      with number signs (#) are treated as comment lines.)  Any field can be
      replaced with an asterisk (*), which indicates a match with any value.

      Pathname matching requires an exact match between strings, unless the
      pathname is suffixed with an asterisk, which matches any string (so,
      for example, /usr/spool/rwho* matches /usr/spool/rwho/anything).

      The default is to apply no deselection rule sets.  (Specifying the -D
      option instead of -d will additionally print the deselection rulesets
      to be applied.)
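      As an added example (not audit_tool's own implementation), the
      following Python reads a deselection file in the format shown above,
      applies the '*' wildcard and trailing-asterisk pathname matching, and
      drops matching records from a constructed sample set.  It assumes that
      the flag column is simply ignored for records whose event is not open;
      the page only says the flag pertains to open events.

```python
# Constructed deselection file containing the two rules shown above.
DESELECT_FILE = """\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
alpha1 * * * /usr/spool/rwho* *
"""
FIELDS = ("host", "auid", "ruid", "event", "pathname", "flag")

def parse_deselect(text):
    """Return the rules as a list of dicts; blank and '#' lines are skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError("line %d: expected %d fields" % (lineno, len(FIELDS)))
        rules.append(dict(zip(FIELDS, parts)))
    return rules

def path_matches(pattern, path):
    """Exact match, unless the pattern ends in '*', which matches any suffix."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path

def rule_matches(rule, rec):
    """True when every component of the rule matches the record ('*' = any)."""
    for field in ("host", "auid", "ruid", "event"):
        if rule[field] != "*" and rule[field] != str(rec[field]):
            return False
    if not path_matches(rule["pathname"], rec["pathname"]):
        return False
    # Flag pertains only to open events; ignored otherwise (assumption).
    if rec["event"] == "open" and rule["flag"] not in ("*", rec["flag"]):
        return False
    return True

def apply_deselection(rules, records):
    """Drop any record matching any rule; deselection wins over selection."""
    return [r for r in records if not any(rule_matches(x, r) for x in rules)]

# Constructed sample records; not real audit_tool output.
def rec(host, event, pathname, flag=""):
    return {"host": host, "auid": 1123, "ruid": 0, "event": event,
            "pathname": pathname, "flag": flag}

RECORDS = [rec("alpha1", "open", "/usr/lib/libc.so", "r"),
           rec("alpha1", "open", "/usr/lib/libc.so", "w"),
           rec("alpha1", "exec", "/usr/spool/rwho/rwhod"),
           rec("alpha2", "exec", "/usr/spool/rwho/rwhod"),
           rec("alpha1", "open", "/etc/passwd", "r")]
```

      Running apply_deselection(parse_deselect(DESELECT_FILE), RECORDS) keeps
      only the write open of /usr/lib/libc.so, the alpha2 exec and the
      /etc/passwd open.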

  -f  Causes the audit_tool not to quit at an end-of-file, but to continue
      attempting to read data.  This is useful for reviewing audit log data
      as it is being written by the audit daemon.  (For SMP systems, audit
      data should be sorted first because descriptor translation, the login
      name, the current directory, and the root directory all rely on state
      information maintained by the audit_tool.)

  -F  Sets the fast mode.  If you are not interested in seeing the
      state-dependent data, you can use this option to improve performance.

  -i  Enter interactive selection mode to specify options.  Interactive mode
      can also be entered by pressing CTRL/C at any time, then specifying no
      to the exit prompt.  Once in interactive mode, individual options are
      selected.  Press Return to accept the current setting (or default);
      enter an asterisk (*) to change the current setting back to the
      default.  The default, unless otherwise stated, is to select every
      audit record.

  -I  Inhibits the conversion of IP addresses to hostnames.

  -O format
      Output in the specified formats.  The formats are as follows: cpu (cpu
      number), usec (offset from start of log in microseconds), time,
      username, userid, pid, ppid, res (result of operation), tid (thread
      ID), and event.

      The thread ID (tid) is recorded if the AUDIT_USR control flag is
      enabled.  Processes being traced using auditmask -E have their thread
      ID recorded.

  -o  Whenever the audit daemon switches audit logs, an audit_log_change
      event is generated.  If that event did result in an audit log change
      (that is, it was an event that occurred on the local system), the
      audit_tool normally attempts to find and process the succeeding audit
      log.  This is possible, however, only if the audit log is maintained
      locally.  The -o option tells the audit_tool not to process succeeding
      audit logs.

  -Q  Suppresses the progress messages.

  -R [name]
      Generates an ASCII report for each audit ID found in the selected
      events.  If name is a directory, the reports are placed in the
      directory with the report.audit_id file name format.  Otherwise, the
      reports are placed in a file called name.audit_id.  Each report
      consists of selected events for the associated audit ID.

  -S  Performs a sort (by time) on the audit log.  The sort performed is an
      inter-CPU sort only (for any specific CPU, data may be nonsequential
      for events such as fork and vfork; this information does not need to be
      sorted for proper operation of the reduction tool).  This option is
      useful only for data collected on an SMP system.

  -w  Display the name associated with UIDs and GIDs using the getpw* and
      getgr* routines.  This is done only if the audit_tool has no name for
      the UID or GID.  The name is sent to output within parentheses.

  -Z  Displays the frequency count for the selected events.

DESCRIPTION

  The audit_tool command, or audit reduction tool, displays selected portions
  of the collected audit data.  If no arguments are provided, a brief help
  message is displayed.  The audit log file may be compressed or
  uncompressed.

  Options are used to select specific audit records of interest.  For a
  record to be selected, it must match at least one option of each option
  type specified.  For example, if two user names and one host name were
  specified, an audit record to be selected would have to match one of the
  user names and the host name.  Only one start and end time may be selected.
  Only one deselection rules file may be selected.  It is possible to select
  as many events as exist on the system.  For all other option types, up to
  eight instances may be selected.
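  As an added example (not audit_tool's own option parser), the following
  Python applies the selection rule just described to constructed records: a
  record passes when it matches at least one value of every option type
  given, the -e event[:success:fail] form is honoured, and more than eight
  values of any non-event type are rejected.  The option-to-field table
  covers only a subset of the flags, for illustration.

```python
MAX_PER_TYPE = 8   # every option type except -e allows at most eight values

# Option -> record field it is matched against (a subset, for illustration).
FIELD_OF = {"-U": "username", "-u": "uid", "-h": "host", "-a": "auid", "-p": "pid"}

def build_criteria(argv):
    """Group repeated selection options into {option: [values]}."""
    crit = {}
    for opt, val in zip(argv[::2], argv[1::2]):
        if opt != "-e" and opt not in FIELD_OF:
            raise ValueError("unsupported option %s" % opt)
        crit.setdefault(opt, []).append(val)
    for opt, vals in crit.items():
        if opt != "-e" and len(vals) > MAX_PER_TYPE:
            raise ValueError("%s given %d times; limit is %d"
                             % (opt, len(vals), MAX_PER_TYPE))
    return crit

def event_matches(spec, rec):
    """-e event[.subevent][:success:fail]; the 0/1 pair picks outcomes."""
    name, _, outcome = spec.partition(":")
    if name != rec["event"]:
        return False
    if not outcome:
        return True                     # default: both successful and failed
    keep_ok, keep_fail = outcome.split(":")
    return keep_ok == "1" if rec["ok"] else keep_fail == "1"

def selected(crit, rec):
    """Match at least one value of each option type that was specified."""
    for opt, vals in crit.items():
        if opt == "-e":
            hit = any(event_matches(v, rec) for v in vals)
        else:
            hit = str(rec[FIELD_OF[opt]]) in vals
        if not hit:
            return False
    return True

# Constructed sample records; not real audit_tool output.
def rec(username, host, event, ok):
    return {"username": username, "uid": 0, "host": host, "auid": 1123,
            "pid": 42, "event": event, "ok": ok}

RECORDS = [rec("alice", "alpha1", "mount", False), rec("bob", "alpha1", "mount", True),
           rec("carol", "alpha1", "mount", False), rec("alice", "alpha2", "open", True)]
```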

  The audit reduction tool generates audit log header files, suffixed with
  .hdr, when it completes processing of an auditlog file.  If the -o option
  is used, no audit log header file is generated.  This header file contains
  the time range in which the audited operations occurred, so searching for
  events by time requires only those audit logs that were actually written
  into during that time to be processed.  The header file also contains the
  sort status of the audit log, so previously sorted logs do not get sorted
  more than once, and also state-relevant data from previous logs.

  The output from audit_tool is written to stdout.  Informational messages,
  such as (100000 records processed...) are written to stderr.

  The audit_tool.ultrix program is used to display audit reports from audit
  data collected on ULTRIX systems.  With the exception of the -g and -G
  options (equivalent to the -v and -V options for audit_tool),
  audit_tool.ultrix is the same as audit_tool.



RESTRICTIONS

  The audit reduction tool maintains the state of each process in order to
  translate descriptors back to pathnames, as well as to provide a current
  working directory, root, and user name.  To avoid running out of memory for
  state-dependent data, the exit system call should be an audited event.  The
  call to exit releases the memory used to hold the state of the process.
  Alternatively, the logout events release the memory used to hold the state
  of all the session's processes.  If state-relevant data is not important
  for your auditing requirements, exit need not be audited and the -F flag to
  audit_tool can be used to improve performance.

  In order to provide the current working directory, the chdir system call
  should be an audited event.  In order to provide the current root (if not
  the root (/) directory), the chroot system call should be an audited event.
  In order to provide the user name, login should be an audited event.

  If audit_tool runs out of memory, it will not be able to store further
  state-dependent data (as previously described).  If this occurs, the
  following warning is displayed:

       warning: state_maint_{add,open,path_change}: no more mem; ...

  All state-dependent information current at the time of an audit log change
  is maintained in the header file.  This allows subsequent scans of a
  specific audit log to not have any dependencies on previous audit logs.

  See Security for further discussion of state-dependent information.

EXAMPLES

  The following example selects all login, open and exec events performed on
  system alpha1 by any process with audit ID 1123:

       # audit_tool -e login -e open -e exec -h alpha1 -a 1123 auditlog.000

  The following example applies deselection file deselect to auditlog.000 and
  selects for events between 10:47 a.m. on April 13, 1994 and 5:30 p.m. on
  April 20, 1994:

       # audit_tool -d deselect -t 9404131047 -T 9404201730 auditlog.000

RELATED INFORMATION

  Commands: auditd(8), auditmask(8), auditconfig(8)

  Security