This section describes a few common uses of auditreduce and praudit to select and manage data. See the auditreduce(1M) man page for more examples.
Prerequisites for running the auditreduce and praudit commands:
You are in an administrative role that includes the Audit Review profile. The role admin includes this profile by default.
You are in an admin_high workspace of that role. To create an admin_high workspace, see "To Create an Admin_High Workspace" in Chapter 2, Auditing Setup.
You have launched a terminal window.
To access the audit trail for a distributed system:
You issue the auditreduce command from the audit administration server.
The praudit command enables you to display audit records interactively and create very basic reports. For multiple files, the input is piped from auditreduce.
Specify the audit file as the file argument to the praudit command.
$ praudit 19970401000000.19970601000000.grebe
This displays one audit token per line to standard output.
Specify the audit file as the file argument to the praudit -l command.
$ praudit -l 19970401000000.19970601000000.grebe
This displays one audit record per line to standard output.
Use the tail(1) command to see what is currently being written to an active audit file.
$ tail -40 19970401000000.not_terminated.grebe | praudit
This displays the latest 40 tokens that were recorded to standard output.
To display several audit files in chronological order in the terminal window, pipe the output of auditreduce into praudit.
$ auditreduce 19970413000000.19970413235959.willet \
  19970413000000.19970413235959.grebe | praudit
To display the whole audit trail in the terminal window, pipe the output of auditreduce into praudit.
$ auditreduce | praudit
The auditreduce command without options does not disturb open audit files.
Use praudit with a pipe to lp, to send the output of one file to the printer.
$ praudit 19970413000000.19970413235959.audubon | lp
Use auditreduce piped through praudit with a pipe to lp, to send the output of all closed audit files to the printer.
$ auditreduce | praudit | lp
In the Trusted Solaris environment, the printer must be able to accept admin_high print jobs.
Use the -d option to the auditreduce command to see audit information collected during a specified 24-hour period.
In the following example, the security administrator checks to see when a user named doris logged in and logged out on April 13, 1997, by requesting the lo message class. The short-form date is in the form yymmdd. (The long form is described in the auditreduce(1M) man page.)
$ auditreduce -d 970413 -u doris -c lo | praudit
Use the auditreduce command with a pipe through praudit to lp, to send selected output to a printer.
In the Trusted Solaris environment, the printer must be able to accept admin_high print jobs.
$ auditreduce -d 970413 -u doris -c lo | praudit | lp
In this example, login/logout messages for a particular day are summarized in a file. The target file is written in a directory other than the normal audit root.
$ auditreduce -c lo -d 970413 \
  -O /usr/audit_summary/logins
The -O option creates an audit file in the /usr/audit_summary directory. The file name has 14-character timestamps for both start-time and end-time, and the suffix logins:
/usr/audit_summary/19970413000000.19970413235959.logins
The date-time options -b and -a allow specifying records before or after a particular day and time. A day begins at yyyymmdd00:00:00 and ends at yyyymmdd23:59:59. The six parameters of a day are: year, month, day, hour, minute, and second. The digits (19) of the year are assumed and need not be specified.
The auditreduce -a command with the date shown in the following screen example sends all audit records created after midnight on July 15, 1997 through praudit to standard output.
$ auditreduce -a 97071500:00:00 | praudit
If -a is not specified, auditreduce defaults to 00:00:00, January 1, 1970.
The auditreduce -b command with the same date shown above sends all audit records created before midnight on July 15, 1997 through praudit to standard output.
$ auditreduce -b 97071500:00:00 | praudit
If -b is not specified, auditreduce defaults to the current time of day (GMT). The -d option selects a particular 24-hour period, as shown in "To Copy Login/Logout Messages to a Single File".
Use the message type selection for auditreduce (-m option) to find a particular audit event.
The -m option accepts either numeric message identifiers or AUE_xxxxx event names. The screen example below finds all kernel-level login events in the audit trail and displays them to standard output.
$ auditreduce -m AUE_LOGIN | praudit
The auditreduce command rejects an incorrect format, but does not describe the correct format.
Although auditreduce can do this type of combination and deletion automatically (see the -C and -D options in the auditreduce(1M) man page), it is often easier to select the files manually (perhaps with find) and use the auditreduce command to combine just the named set of files.
List the audit files as arguments to the auditreduce command.
In the following example, a recurring job that starts a bit before midnight merges the audit files from two days before. The final time on the file is the time the job ended, here just before midnight, Greenwich Mean Time (GMT).
$ auditreduce 19970413000000.19970413235959.grebe \
  19970413000000.19970413235959.willet \
  19970413000000.19970413235959.sora
$ ls *audubon
19970413000000.19970414235959.audubon
Delete the input files and move the output file to the audit root directory on the administration server.
In this example, the auditreduce(1M) command was run on the audit administration server, audubon, and the merged file was then placed in that server's audit root directory so that future calls to auditreduce locate it.
$ rm /etc/security/tsol/grebe/files/19970413000000.19970413235959.grebe
$ rm /etc/security/tsol/willet/files/19970413000000.19970413235959.willet
$ rm /etc/security/tsol/sora/files/19970413000000.19970413235959.sora
$ mv 19970413000000.19970414235959.audubon /etc/security/audit/audubon/files/
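The file selection that the merging procedure above does by hand, as an added example (not from the Trusted Solaris documentation): it picks the closed audit files for one day out of per-host directories laid out like /etc/security/tsol/<host>/files, skips any not_terminated file, and prints the auditreduce command that would merge exactly that set. The directory tree is constructed for the example and the auditreduce call is a dry run.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation): pick out the
# closed audit files for one day from the per-host directories this page
# uses and hand exactly that set to auditreduce. The directory tree is
# constructed here so the selection can be tried offline; the auditreduce
# invocation is only printed, since auditreduce is not available offline.

# Constructed tree mirroring /etc/security/tsol/<host>/files from the page.
make_sample_tree() {  # $1 = root directory to populate
    for h in grebe willet sora; do
        mkdir -p "$1/$h/files"
        : > "$1/$h/files/19970412000000.19970412235959.$h"
        : > "$1/$h/files/19970413000000.19970413235959.$h"
    done
    # An open file (still being written by auditd) must never be merged.
    : > "$1/grebe/files/19970414000000.not_terminated.grebe"
}

# List closed audit files whose 14-digit start timestamp begins with the
# day yyyymmdd. Open files carry "not_terminated" in place of an end time.
select_closed_files() {  # $1 = yyyymmdd, $2 = audit root
    find "$2" -type f -path '*/files/*' \
        -name "${1}[0-9][0-9][0-9][0-9][0-9][0-9].[0-9]*.*" \
        ! -name '*.not_terminated.*' | sort
}

count_closed_files() {  # $1 = yyyymmdd, $2 = audit root
    select_closed_files "$1" "$2" | wc -l | tr -d ' '
}

# Print the auditreduce command that merges one day's closed files into a
# summary file under $3 (compare the -O example earlier on this page).
merge_day_dry_run() {  # $1 = yyyymmdd, $2 = audit root, $3 = output dir
    files=$(select_closed_files "$1" "$2")
    if [ -z "$files" ]; then
        echo "no closed audit files for $1 under $2" >&2
        return 1
    fi
    # Word splitting is intended: audit file names contain no whitespace.
    echo auditreduce $files -O "$3/merged_$1"
}

if [ "$1" = "demo" ]; then
    root=$(mktemp -d)
    make_sample_tree "$root"
    merge_day_dry_run 19970413 "$root" /usr/audit_summary
    rm -rf "$root"
fi
```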
The auditreduce program can also reduce the number of records in its output file by eliminating the less interesting ones as it combines the input files.
You might use auditreduce to eliminate all except the login/logout events in audit files over a month old, assuming that if you needed to retrieve the complete audit trail you could recover it from backup tapes. The following example selects just the audit records from April 1997.
$ auditreduce -m AUE_LOGIN -a 19970401000000 \
  -b 19970501000000 \
  -O /usr/audit_summary/logins_april97
The output is a smaller file containing just the April 1997 login/logout records. Note that the end-time stamp is the date (in GMT) that the command was run (June 1, 1997), not the last date of the merged records. You specified the file suffix, logins_april97, on the command line with the directory name.
/usr/audit_summary/19970401000000.19970601000000.logins_april97
When the praudit command displays an audit token, it separates the data fields with commas. However, if a field (such as a time stamp) contains a comma, this cannot be distinguished from a field-separating comma.
Press the Tab key as the value of the -d option to praudit(1M).
$ praudit -d"<press Tab key>" 19970413120429.19970413180433.grebe
There is no space between the -d option and the delimiter. Surround the delimiter with double quotes. The delimiter can be up to four characters long.
Audit tokens are separated by newlines by default. When audit records are printed one per line using the -l option, the audit token separator is the same as the audit field separator. In the following screen example, the audit tokens are separated by tabs, as are the audit fields.
$ praudit -l -d"<press Tab key>" 19970413120429.19970413180433.grebe
To accomplish more sophisticated display and reports, process the output from praudit with sed or awk, or write programs to interpret and process the binary audit records.
It is sometimes useful to manipulate praudit output as lines of text; for example to perform selections that cannot be done with auditreduce. A simple shell script can process the output of praudit. The following example is called praudit_grep:
#!/bin/sh
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \
    | tr '\012\001' '\002\012' \
    | grep "$1" \
    | tr '\002' '\012'
The example script marks each header token by prefixing it with Control-A. (Note that the ^a in the sed expression is the single Control-A character, not the two characters ^ and a. The prefix is needed to distinguish header tokens from the string header, which might appear as ordinary text.) The first tr command then joins all the tokens of a record onto one line, turning the original newlines into Control-B and the Control-A markers into newlines; grep selects whole records; and the final tr restores the original newlines.
To run the script in the Trusted Solaris environment, the following conditions must be met:
The script exists in an admin_low directory (to make it visible to the Profile Manager).
The security administrator has added the script to the appropriate profile (such as Custom Admin Role), and given it the forced privileges:
The security administrator has added any commands in the script that are not in the role's profile to the appropriate profile.
The admin role runs the script in an admin_high profile shell in a directory where the admin role has write access.
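The record-level filtering that praudit_grep performs, written here with awk as an added example (this is not the page's script and not part of the Trusted Solaris documentation). It assumes praudit's default layout of one token per line, with each record opened by a header token and file tokens framing the trail; the sample praudit output is constructed for the example.

```shell
#!/bin/sh
# Added example, not the page's praudit_grep script: filter praudit text
# output at the record level with awk instead of the tr/Control-A trick.
# Assumes praudit's default layout, one token per line with every record
# beginning at a "header" token and "file" tokens framing the trail.

# Constructed sample of praudit output (not a real audit trail).
SAMPLE='file,Sun Apr 13 00:00:00 1997, + 0 msec,
header,173,2,login - local,,Sun Apr 13 12:04:29 1997, + 470 msec
subject,doris,doris,staff,doris,staff,1234,1234,0 0 grebe
text,successful login
return,success,0
header,173,2,login - local,,Sun Apr 13 12:10:02 1997, + 12 msec
subject,roland,roland,staff,roland,staff,1240,1240,0 0 grebe
text,login: incorrect password
return,failure: Permission denied,-1
header,80,2,logout,,Sun Apr 13 18:04:33 1997, + 5 msec
subject,doris,doris,staff,doris,staff,1234,1234,0 0 grebe
return,success,0
file,Sun Apr 13 18:04:33 1997, + 0 msec,'

# Read praudit output on stdin; print every whole record (all of its
# tokens) in which any token matches the regular expression in $1.
praudit_grep_records() {
    awk -v pat="$1" '
        function flush() {            # emit the buffered record if it matches
            if (rec != "" && rec ~ pat) printf "%s", rec
            rec = ""
        }
        /^file,/   { next }           # file tokens belong to no record
        /^header,/ { flush() }        # a header token opens a new record
        { rec = rec $0 "\n" }
        END { flush() }'
}

# Convenience wrapper over the constructed sample.
matching_records() {  # $1 = pattern
    printf '%s\n' "$SAMPLE" | praudit_grep_records "$1"
}

# Run as "sh praudit_records.sh doris" to see both of doris's records.
if [ $# -gt 0 ]; then
    matching_records "$1"
fi
```

Against a live trail, replace the wrapper with `auditreduce ... | praudit | praudit_grep_records pattern`; because awk buffers one record at a time, the filter works on trails of any size.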