audit_tool(8)audit_tool(8)NAME
audit_tool, audit_tool.ultrix - Audit log reduction tool
SYNOPSIS
/usr/sbin/audit_tool [options] auditlog_filename
/usr/sbin/audit_tool.ultrix [flags] auditlog_filename
OPTIONS
Selection Options
Selects audit records with a matching text_string. The rules for regu‐
lar expression expansions do not apply to this option. Selects audit
records with a matching audit ID. The default is to select for all
audit IDs. Selects records with a matching event or event.subevent.
The subevent can be applied only to site events. Optionally select only
those records with a successful or failed return value. For example,
the option -e mount:0:1 selects for only failed mount events while -e
rdb.query:1:0 selects successful rdb events with the query subevent.
Multiple events can be specified on the command line. The default is to
select for all events, both successful and failed.
If you specify the open event, you can add a r (read) or w
(write) modifier to specify an open for read or an open for
write. The syntax is as follows: -e open.r or -e open.w Selects
records with a matching error string or error number. The
default is to select for all errors. For use with
audit_tool.ultrix only. Selects records with a matching inode
identifier number. The default is to select for all inode IDs.
For use with audit_tool.ultrix only. Selects records with match‐
ing inode device major and minor numbers. The default is to
select for all inode devices. Selects records with a matching
host name or IP address. Host names are translated to their IP
addresses by the gethostbyname() logic. The default is to select
for all host names and IP addresses. Selects records with a
matching PID. The default is to select for all PIDs. If the
specified PID is negative, the absolute value of the PID is
selected as well as any of the PID's descendants. Selects
records with a matching parent PID (PPID). The default is to
select for all PPIDs. Selects records with a matching real UID
(RUID). The default is to select for all RUIDs. Selects records
that contain string in a "char param" field or in the state data
file descriptor info. The default is to select for all strings.
Selects records that contain a timestamp no earlier than
start_time. The timestamp format is yymmdd[hh[mm[ss]]]. The
default is to select for all timestamps. Note that the audit
tool automatically converts values of yy in the time string to
the appropriate year 2000 value. Specifically, values ranging
from 70 to 99 map to 1970(the epoch year)-1999 and values rang‐
ing from 00 to 69 map to 2000-2069. Selects records that con‐
tain a timestamp no later than start_time. Timestamp format is
yymmdd[hh[mm[ss]]]. The default is to select for all time‐
stamps. See the year 2000 conversion description in the -t
start_time flag. Selects audit records with a matching UID. The
default is to select for all UIDs. Selects audit records with a
matching user name. (The username is mapped to the UID as
defined in the password database.) The username is recorded at
the login event and is associated with all child processes. If
login is not audited, no username is present in the audit log.
Selecting for a username will display those records that have a
matching user name. The default is to select for all user names.
Selects records with a matching inode identifier number. The
default is to select for all inode IDs. Selects records with
matching inode device major/minor numbers. The default is to
select for all inode devices. Selects audit records with match‐
ing device major and minor numbers. The default is to select
for all devices. Selects records with matching process name in
the "cmd name" field (provided when the cmd_name audit style is
enabled on v5 or later) or in the state data process name field
(set by the exec and exit syscall audit events).
Control Options
Causes the audit_tool to use path for the archive/recovery directory
containing archived auditlogs. This overrides the directory specified
in the audit log, which by default is /var/audit.
When you use this option, you must also specify the full path
name of the first audit log you want to read: # audit_tool-.
./audit/newdir -e login ./audit/newdir/auditlog.jan Outputs
selected records in binary format. The output is in a format
suitable for subsequent analysis by the audit_tool. The default
is to output in ASCII format. Outputs selected records in an
abbreviated format. Each selected event is displayed along with
its audit ID, RUID, result, error code, PID, event name, and
parameter list. For X events, the IDs displayed are those of the
X client. Suppressed information includes the user name, PPID,
device ID, current directory, inode information, symbolic name
referenced by any descriptors, IP address, and timestamp. The
default is to output in the nonabbreviated format. Reads dese‐
lection rules from the specified file and suppresses any records
matching any of the deselection rules. The deselection rule sets
take precedence over other selection options. Each deselection
rule is a tuple consisting of host name, audit ID, RUID, event,
pathname, and flag. The flag component is used to specify read
or write mode; it pertains only to open events.
Wildcarding and simple pattern matching are supported. For exam‐
ple, consider the following lines from a deselection file:
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG * * * open /usr/lib/*
r alpha1 * * * /usr/spool/rwho* *
These lines indicate that any open operations for read access on
any object whose pathname starts with /usr/lib/ will not be
selected, and on system alpha1 any operations performed on any
object whose pathname starts on /usr/spool/rwho will not be
selected. (Lines beginning with number signs (#) are treated as
comment lines). Any field can be replaced with an asterisk (*),
which indicates a match with any value.
Pathname matching requires an exact match between strings,
unless the pathname is suffixed with an asterisk, which matches
any string (so, for example, /usr/spool/rwho* matches
/usr/spool/rwho/anything).
The default is to apply no deselection rule sets. (Specifying
the -D option instead of -d will additionally print the deselec‐
tion rulesets to be applied). prints the deselection rules from
the specified file. Causes the audit_tool not to quit at an
end-of-file, but to continue attempting to read data. This is
useful for reviewing audit log data as it is being written by
the audit daemon. (For SMP systems, audit data should be sorted
first because descriptor translation, the login name, the cur‐
rent directory, and the root directory all rely on state infor‐
mation maintained by the audit_tool). Sets the fast mode. If
you are not interested in seeing the state-dependent data, you
can use this option to improve performance. Enter interactive
selection mode to specify options. Interactive mode can also be
entered by pressing CTRL/C at any time, then specifying no to
the exit prompt. Once in interactive mode, individual options
are selected. Press Return to accept the current setting (or
default); enter an asterisk (*) to change the current setting
back to the default. The default, unless otherwise stated, is to
select every audit record. Inhibits the conversion of IP
adresses to hostnames (via DNS lookup). Output data in a delim‐
iter seperated record. This format is compatible with most
spreadsheet applications. The data specifiers are seperated by
commas, and are: delimiter[:<tab>] - specifies field delimiter
character. default is tab seperated field in the output record.
if this option is not specified data is output in fixed width
columns. cpu - cpu number seq - audit event sequence number.
unique to the cpu for that boot session len - audit event record
length usec - offset from start of log in microseconds (hex)
usec10 - offset from start of log in microseconds (decimal) time
- audit event timestamp in the format specified by time_fmt
time_fmt[:%m/%d/%y %H%M%S] - default time format is mm/dd/yy
hh:mm:ss, refer to strftime for time_fmt options username -
username associated with audit uiduserid include audit uid, real
uid, effective uid pid - process id ppid - parent process id res
- result of operation tid - thread ID. The thread ID (tid) is
recorded if the AUDIT_USR control flag is enabled. Processes
being traced using auditmask -E have their thread ID recorded
event - audit event, and event information host - host id on
which audit event was generated net - network connection infor‐
mation (local address, remote address) Whenever the audit daemon
switches audit logs, an audit_log_change event is generated. If
that event did result in an audit log change (that is, it was an
event that occurred on the local system), the audit_tool nor‐
mally attempts to find and process the succeeding audit log.
This is possible, however, only if the audit log is maintained
locally. The -o option tells the audit_tool not to process suc‐
ceeding audit logs. Suppresses the progress messages. Gener‐
ates an ASCII report for each audit ID found in the selected
events. If name is a directory, the reports are placed in the
directory with the report.audit_id file name format. Otherwise,
the reports are placed in a file called name.audit_id. Each
report consists of selected events for the associated audit ID.
Performs a sort (by time) on the audit log. The sort performed
is an inter-CPU sort only (for any specific CPU, data may be
nonsequential for events such as fork and vfork; this informa‐
tion does not need to be sorted for proper operation of the
reduction tool). This option is useful only for data collected
on an SMP system. Display the name associated with UIDs and
GIDs using the getpw*() and getgr* routines. This is done only
if the audit_tool has no name for the UID or GID. The name is
sent to output within parentheses. Displays the frequency count
for the selected events.
DESCRIPTION
The audit_tool command, or audit reduction tool, displays selected por‐
tions of the collected audit data. If no arguments are provided, a
brief help message is displayed. The audit log file may be compressed
or uncompressed.
Options are used to select specific audit records of interest. For a
record to be selected, it must match at least one option of each option
type specified. For example, if two user names and one host name were
specified, an audit record to be selected would have to match one of
the user names and the host name. Only one start and end time may be
selected. Only one deselection rules file may be selected. It is pos‐
sible to select as many events as exist on the system. For all other
option types, up to eight instances may be selected.
The audit reduction tool generates audit log header files, suffixed
with auditlog file. If the -o option is used, no audit log header file
is generated. This header file contains the time range in which the
audited operations occurred, so searching for events by time requires
only those audit logs that were actually written into during that time
to be processed. The header file also contains the sort status of the
audit log, so previously sorted logs do not get sorted more than once,
and also state-relevant data from previous logs.
The output from audit_tool is written to stdout. Informational mes‐
sages, such as (100000 records processed...) are written to stderr.
The audit_tool.ultrix program is used to display audit reports from
audit data collected on ULTRIX systems. With the exception of the -g
and -G options (equivalent to the -v and -V options for audit_tool),
audit_tool.ultrix is the same as audit_tool.
RESTRICTIONS
The audit reduction tool maintains the state of each process in order
to translate descriptors back to pathnames, as well as to provide a
current working directory, root, and user name. To avoid running out
of memory for state-dependent data, the exit system call should be an
audited event. The call to exit releases the memory used to hold the
state of the process. Alternatively, the logout events release the mem‐
ory used to hold the state of all the sessions processes. If state-rel‐
evant data is not important for your auditing requirements, exit need
not be audited and the -F flag to audit_tool can be used to improve
performance.
In order to provide the current working directory, the chdir system
call should be an audited event. In order to provide the current root
(if not the root (/) directory), the chroot system call should be an
audited event. In order to provide the user name, login should be an
audited event.
If audit_tool runs out of memory, it will not be able to store further
state-dependent data (as previously described). If this occurs, the
following warning is displayed:
warning: state_maint_{add,open,path_change): no more mem; ...
Audit events which affect the state data include : login, logout, open,
old_open, close, dup, fcntl, dup2, chdir, chroot, fchdir, bind, con‐
nect, accept, naccept, socket, execv, execve, exec_with_loader, pro‐
plist_syscall, audit_suspend, audit_log_creat, audit_log_overwrite,
audit_shutdown, audit_xmit_fail.
All state-dependent information current at the time of an audit log
change is maintained in the header file. This allows subsequent scans
of a specific audit log to not have any dependencies on previous audit
logs.
See Security for further discussion of state-dependent information.
EXAMPLES
The following example selects all login, open and exec events performed
on system alpha1 by any process with audit ID 1123:
# audit_tool-e login -e open -e exec -h alpha1 -a 1123 auditlog.000
The following example applies deselection file deselect to auditlog.000
and selects for events between 10:47 a.m. on April 13, 1994 and 5:30
p.m. on April 20, 1994:
# audit_tool-d deselect -t 9404131047 -T 9404201730 auditlog.000
The following example outputs a tab delimiter seperated record contain‐
ing the audit event time stamp, event information, network connection
information (if applicable to this event), id information of host that
generated the audit event. # audit_tool-O
time,event,host,net,delimter
SEE ALSO
Commands: auditd(8), auditmask(8), auditconfig(8)
Security
audit_tool(8)
