audit_tool man page on DigitalUNIX

Man page or keyword search:  
man Server   12896 pages
apropos Keyword Search (all sections)
Output format
DigitalUNIX logo
[printable version]

audit_tool(8)							 audit_tool(8)

       audit_tool, audit_tool.ultrix - Audit log reduction tool

       /usr/sbin/audit_tool [options] auditlog_filename

       /usr/sbin/audit_tool.ultrix [flags] auditlog_filename

   Selection Options
       Selects	audit records with a matching text_string. The rules for regu‐
       lar expression expansions do not apply to this option.	Selects	 audit
       records	with  a	 matching  audit ID.  The default is to select for all
       audit IDs.  Selects records with a matching  event  or  event.subevent.
       The subevent can be applied only to site events. Optionally select only
       those records with a successful or failed return	 value.	 For  example,
       the  option  -e mount:0:1 selects for only failed mount events while -e
       rdb.query:1:0 selects successful rdb events with	 the  query  subevent.
       Multiple events can be specified on the command line. The default is to
       select for all events, both successful and failed.

	      If you specify the open event, you can  add  a  r	 (read)	 or  w
	      (write)  modifier	 to  specify  an  open for read or an open for
	      write. The syntax is as follows: -e open.r or -e open.w  Selects
	      records  with  a	matching  error	 string	 or  error number. The
	      default  is  to  select  for   all   errors.    For   use	  with
	      audit_tool.ultrix	 only.	Selects	 records with a matching inode
	      identifier number. The default is to select for all  inode  IDs.
	      For use with audit_tool.ultrix only. Selects records with match‐
	      ing inode device major and minor	numbers.  The  default	is  to
	      select  for  all inode devices.  Selects records with a matching
	      host name or IP address.	Host names are translated to their  IP
	      addresses by the gethostbyname() logic. The default is to select
	      for all host names and IP addresses.   Selects  records  with  a
	      matching	PID.  The  default  is to select for all PIDs.	If the
	      specified PID is negative, the absolute  value  of  the  PID  is
	      selected	as  well  as  any  of  the PID's descendants.  Selects
	      records with a matching parent PID (PPID).  The  default	is  to
	      select  for all PPIDs.  Selects records with a matching real UID
	      (RUID). The default is to select for all RUIDs.  Selects records
	      that contain string in a "char param" field or in the state data
	      file descriptor info.  The default is to select for all strings.
	      Selects  records	that  contain  a  timestamp  no	 earlier  than
	      start_time. The timestamp	 format	 is  yymmdd[hh[mm[ss]]].   The
	      default  is  to  select for all timestamps.  Note that the audit
	      tool automatically converts values of yy in the time  string  to
	      the  appropriate	year  2000 value. Specifically, values ranging
	      from 70 to 99 map to 1970(the epoch year)-1999 and values	 rang‐
	      ing  from	 00 to 69 map to 2000-2069.  Selects records that con‐
	      tain a timestamp no later than start_time. Timestamp  format  is
	      yymmdd[hh[mm[ss]]].   The	 default  is  to  select for all time‐
	      stamps. See the year  2000  conversion  description  in  the  -t
	      start_time flag.	Selects audit records with a matching UID. The
	      default is to select for all UIDs.  Selects audit records with a
	      matching	user  name.  (The  username  is	 mapped	 to the UID as
	      defined in the password database.)  The username is recorded  at
	      the  login  event and is associated with all child processes. If
	      login is not audited, no username is present in the  audit  log.
	      Selecting	 for a username will display those records that have a
	      matching user name. The default is to select for all user names.
	      Selects  records	with  a	 matching inode identifier number. The
	      default is to select for all inode IDs.	Selects	 records  with
	      matching	inode  device  major/minor numbers.  The default is to
	      select for all inode devices.  Selects audit records with match‐
	      ing  device  major  and minor numbers.  The default is to select
	      for all devices.	Selects records with matching process name  in
	      the  "cmd name" field (provided when the cmd_name audit style is
	      enabled on v5 or later) or in the state data process name	 field
	      (set by the exec and exit syscall audit events).

   Control Options
       Causes  the  audit_tool	to use path for the archive/recovery directory
       containing archived auditlogs.  This overrides the directory  specified
       in the audit log, which by default is /var/audit.

	      When  you	 use  this option, you must also specify the full path
	      name of the first audit log you want to read:  #	audit_tool  -.
	      ./audit/newdir   -e  login  ./audit/newdir/auditlog.jan  Outputs
	      selected records in binary format. The output  is	 in  a	format
	      suitable	for subsequent analysis by the audit_tool. The default
	      is to output in ASCII format.  Outputs selected  records	in  an
	      abbreviated  format. Each selected event is displayed along with
	      its audit ID, RUID, result, error code,  PID,  event  name,  and
	      parameter list. For X events, the IDs displayed are those of the
	      X client. Suppressed information includes the user  name,	 PPID,
	      device  ID,  current directory, inode information, symbolic name
	      referenced by any descriptors, IP address,  and  timestamp.  The
	      default  is to output in the nonabbreviated format.  Reads dese‐
	      lection rules from the specified file and suppresses any records
	      matching any of the deselection rules. The deselection rule sets
	      take precedence over other selection options.  Each  deselection
	      rule  is a tuple consisting of host name, audit ID, RUID, event,
	      pathname, and flag.  The flag component is used to specify  read
	      or write mode; it pertains only to open events.

	      Wildcarding and simple pattern matching are supported. For exam‐
	      ple, consider the following lines from a deselection file:

	      # HOST, AUID, RUID, EVENT, PATHNAME, FLAG * * * open  /usr/lib/*
	      r alpha1 * * * /usr/spool/rwho* *

	      These lines indicate that any open operations for read access on
	      any object whose pathname starts	with  /usr/lib/	 will  not  be
	      selected,	 and  on system alpha1 any operations performed on any
	      object whose pathname starts  on	/usr/spool/rwho	 will  not  be
	      selected.	 (Lines beginning with number signs (#) are treated as
	      comment lines).  Any field can be replaced with an asterisk (*),
	      which indicates a match with any value.

	      Pathname	matching  requires  an	exact  match  between strings,
	      unless the pathname is suffixed with an asterisk, which  matches
	      any   string   (so,   for	  example,   /usr/spool/rwho*  matches

	      The default is to apply no deselection  rule  sets.  (Specifying
	      the -D option instead of -d will additionally print the deselec‐
	      tion rulesets to be applied).  prints the deselection rules from
	      the  specified  file.   Causes  the audit_tool not to quit at an
	      end-of-file, but to continue attempting to read data.   This  is
	      useful  for  reviewing  audit log data as it is being written by
	      the audit daemon. (For SMP systems, audit data should be	sorted
	      first  because descriptor translation, the login name, the  cur‐
	      rent directory, and the root directory all rely on state	infor‐
	      mation  maintained  by  the audit_tool).	Sets the fast mode. If
	      you are not interested in seeing the state-dependent  data,  you
	      can  use	this option to improve performance.  Enter interactive
	      selection mode to specify options.  Interactive mode can also be
	      entered  by  pressing  CTRL/C at any time, then specifying no to
	      the exit prompt.	Once in interactive mode,  individual  options
	      are  selected.   Press  Return to accept the current setting (or
	      default); enter an asterisk (*) to change	 the  current  setting
	      back to the default. The default, unless otherwise stated, is to
	      select every  audit  record.   Inhibits  the  conversion	of  IP
	      adresses to hostnames (via DNS lookup).  Output data in a delim‐
	      iter seperated record.  This  format  is	compatible  with  most
	      spreadsheet  applications.  The data specifiers are seperated by
	      commas, and are: delimiter[:<tab>] - specifies  field  delimiter
	      character.  default is tab seperated field in the output record.
	      if this option is not specified data is output  in  fixed	 width
	      columns.	 cpu  -	 cpu number seq - audit event sequence number.
	      unique to the cpu for that boot session len - audit event record
	      length  usec  -  offset  from start of log in microseconds (hex)
	      usec10 - offset from start of log in microseconds (decimal) time
	      -	 audit	event  timestamp  in  the format specified by time_fmt
	      time_fmt[:%m/%d/%y %H%M%S] - default  time  format  is  mm/dd/yy
	      hh:mm:ss,	 refer	to  strftime  for  time_fmt options username -
	      username associated with audit uiduserid include audit uid, real
	      uid, effective uid pid - process id ppid - parent process id res
	      - result of operation tid - thread ID. The thread	 ID  (tid)  is
	      recorded	if  the	 AUDIT_USR  control flag is enabled. Processes
	      being traced using auditmask -E have their  thread  ID  recorded
	      event  -	audit  event,  and event information host - host id on
	      which audit event was generated net - network connection	infor‐
	      mation (local address, remote address) Whenever the audit daemon
	      switches audit logs, an audit_log_change event is generated.  If
	      that event did result in an audit log change (that is, it was an
	      event that occurred on the local system),	 the  audit_tool  nor‐
	      mally  attempts  to  find	 and process the succeeding audit log.
	      This is possible, however, only if the audit log	is  maintained
	      locally.	The -o option tells the audit_tool not to process suc‐
	      ceeding audit logs.  Suppresses the progress  messages.	Gener‐
	      ates  an	ASCII  report  for each audit ID found in the selected
	      events.  If name is a directory, the reports are placed  in  the
	      directory	 with the report.audit_id file name format. Otherwise,
	      the reports are placed in	 a  file  called  name.audit_id.  Each
	      report  consists of selected events for the associated audit ID.
	      Performs a sort (by time) on the audit log.  The sort  performed
	      is  an  inter-CPU	 sort  only (for any specific CPU, data may be
	      nonsequential for events such as fork and vfork;	this  informa‐
	      tion  does  not  need  to	 be sorted for proper operation of the
	      reduction tool).	This option is useful only for data  collected
	      on  an  SMP  system.   Display the name associated with UIDs and
	      GIDs using the getpw*() and getgr* routines.  This is done  only
	      if  the  audit_tool  has no name for the UID or GID. The name is
	      sent to output within parentheses.  Displays the frequency count
	      for the selected events.

       The audit_tool command, or audit reduction tool, displays selected por‐
       tions of the collected audit data.  If no  arguments  are  provided,  a
       brief  help message is displayed.  The audit log file may be compressed
       or uncompressed.

       Options are used to select specific audit records of interest.	For  a
       record to be selected, it must match at least one option of each option
       type specified.	For example, if two user names and one host name  were
       specified,  an  audit  record to be selected would have to match one of
       the user names and the host name.  Only one start and end time  may  be
       selected.  Only one deselection rules file may be selected.  It is pos‐
       sible to select as many events as exist on the system.  For  all	 other
       option types, up to eight instances may be selected.

       The  audit  reduction  tool  generates audit log header files, suffixed
       with auditlog file.  If the -o option is used, no audit log header file
       is  generated.  This  header  file contains the time range in which the
       audited operations occurred, so searching for events by	time  requires
       only  those audit logs that were actually written into during that time
       to be processed. The header file also contains the sort status  of  the
       audit  log, so previously sorted logs do not get sorted more than once,
       and also state-relevant data from previous logs.

       The output from audit_tool is written  to  stdout.  Informational  mes‐
       sages, such as (100000 records processed...)  are written to stderr.

       The  audit_tool.ultrix  program	is  used to display audit reports from
       audit data collected on ULTRIX systems. With the exception  of  the  -g
       and  -G	options	 (equivalent to the -v and -V options for audit_tool),
       audit_tool.ultrix is the same as audit_tool.

       The audit reduction tool maintains the state of each process  in	 order
       to  translate  descriptors  back	 to pathnames, as well as to provide a
       current working directory, root, and user name.	To avoid  running  out
       of  memory  for state-dependent data, the exit system call should be an
       audited event. The call to exit releases the memory used	 to  hold  the
       state of the process. Alternatively, the logout events release the mem‐
       ory used to hold the state of all the sessions processes. If state-rel‐
       evant  data  is not important for your auditing requirements, exit need
       not be audited and the -F flag to audit_tool can	 be  used  to  improve

       In  order  to  provide  the current working directory, the chdir system
       call should be an audited event.	 In order to provide the current  root
       (if  not	 the  root (/) directory), the chroot system call should be an
       audited event. In order to provide the user name, login	should	be  an
       audited event.

       If  audit_tool runs out of memory, it will not be able to store further
       state-dependent data (as previously described).	If  this  occurs,  the
       following warning is displayed:

       warning: state_maint_{add,open,path_change): no more mem; ...

       Audit events which affect the state data include : login, logout, open,
       old_open, close, dup, fcntl, dup2, chdir, chroot,  fchdir,  bind,  con‐
       nect,  accept,  naccept,	 socket, execv, execve, exec_with_loader, pro‐
       plist_syscall,  audit_suspend,  audit_log_creat,	  audit_log_overwrite,
       audit_shutdown, audit_xmit_fail.

       All  state-dependent  information  current  at the time of an audit log
       change is maintained in the header file.	 This allows subsequent	 scans
       of  a specific audit log to not have any dependencies on previous audit

       See Security for further discussion of state-dependent information.

       The following example selects all login, open and exec events performed
       on system alpha1 by any process with audit ID 1123:

       # audit_tool -e login -e open -e exec -h alpha1 -a 1123 auditlog.000

       The following example applies deselection file deselect to auditlog.000
       and selects for events between 10:47 a.m. on April 13,  1994  and  5:30
       p.m. on April 20, 1994:

       # audit_tool -d deselect -t 9404131047 -T 9404201730 auditlog.000

       The following example outputs a tab delimiter seperated record contain‐
       ing the audit event time stamp, event information,  network  connection
       information  (if applicable to this event), id information of host that
       generated     the     audit	event.	     #	    audit_tool	    -O

       Commands: auditd(8), auditmask(8), auditconfig(8)



List of man pages available for DigitalUNIX

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net