Trusted Solaris Audit Administration

Using the auditreduce and praudit Commands

This section describes a few common uses of auditreduce and praudit to select and manage data. See the auditreduce(1M) man page for more examples.

Prerequisites for running the auditreduce and praudit commands:

To access the audit trail for a distributed system:

To Read a Closed Audit File

The praudit command enables you to display audit records interactively and create very basic reports. For multiple files, the input is piped from auditreduce.

    Specify the audit file as the file argument to the praudit command.


    $ praudit 19970401000000.19970601000000.grebe
    

    This displays one audit token per line to standard output.

    Specify the audit file as the file argument to the praudit -l command.


    $ praudit -l 19970401000000.19970601000000.grebe
    

    This displays one audit record per line to standard output.

To Read a Current Audit File

    Use the tail(1) command to see what is currently being written to an active audit file.


    $ tail -40 19970401000000.not_terminated.grebe | praudit
    

    This displays the latest 40 tokens that were recorded to standard output.

To Display Several Audit Files as One Audit File

    To display several audit files in chronological order in the terminal window, pipe the output of auditreduce into praudit.


    $ auditreduce 19970413000000.19970413235959.willet \
    19970413000000.19970413235959.grebe | praudit 
    

    To display the whole audit trail in the terminal window, pipe the output of auditreduce into praudit.


    $ auditreduce | praudit
    

    Note -

    The auditreduce command without options does not disturb open audit files.


To Print an Audit Log

    Use praudit with a pipe to lp, to send the output of one file to the printer.


    $ praudit 19970413000000.19970413235959.audubon | lp
    

    Use auditreduce piped through praudit with a pipe to lp, to send the output of all closed audit files to the printer.


    $ auditreduce | praudit | lp
    

    Note -

    In the Trusted Solaris environment, the printer must be able to accept admin_high print jobs.


To Display User Activity on a Selected Date

    Use the -d option to the auditreduce command to see audit information collected during a specified 24-hour period.

    In the following example, the security administrator checks to see when a user named doris logged in and logged out on April 13, 1997, by requesting the lo message class. The short-form date is in the form yymmdd. (The long form is described in the auditreduce(1M) man page.)


    $ auditreduce -d 970413 -u doris -c lo | praudit
    

To Print User Activity on a Selected Date

    Use the auditreduce command with a pipe through praudit to lp, to send selected output to a printer.


    Note -

    In the Trusted Solaris environment, the printer must be able to accept admin_high print jobs.



    $ auditreduce -d 970413 -u doris -c lo | praudit | lp
    

To Copy Login/Logout Messages to a Single File

In this example, login/logout messages for a particular day are summarized in a file. The target file is written in a directory other than the normal audit root.


$ auditreduce -c lo -d 970413 \
-O /usr/audit_summary/logins

The -O option creates an audit file in the /usr/audit_summary directory. The file name has 14-character timestamps for both start-time and end-time, and the suffix logins:

/usr/audit_summary/19970413000000.19970413235959.logins

To Display Audit Records Created Before or After a Designated Date

The date-time options -b and -a allow specifying records before or after a particular day and time. A day begins at yyyymmdd00:00:00 and ends at yyyymmdd23:59:59. The six parameters of a day are: year, month, day, hour, minute, and second. The leading digits (19) of the year are assumed and need not be specified.

The auditreduce -a command with the date shown in the following screen example sends all audit records created after midnight on July 15, 1997 through praudit to standard output.


$ auditreduce -a 97071500:00:00 | praudit

If -a is not specified, auditreduce defaults to 00:00:00, January 1, 1970.

The auditreduce -b command with the same date shown above sends all audit records created before midnight on July 15, 1997 through praudit to standard output.


$ auditreduce -b 97071500:00:00 | praudit

If -b is not specified, auditreduce defaults to the current time of day (GMT). The -d option selects a particular 24-hour period, as shown in "To Copy Login/Logout Messages to a Single File ".

To Find an Audit Event

    Use the message type selection for auditreduce (-m option) to find a particular audit event.

    The -m option accepts either numeric message identifiers or AUE_xxxxx event names. The screen example below finds all kernel-level login events in the audit trail and displays them to standard output.


    $ auditreduce -m AUE_LOGIN | praudit
    

    The auditreduce command rejects an incorrect format, but does not describe the correct format.

To Combine Selected Audit Files

Although auditreduce can do this type of combination and deletion automatically (see the -C and -D options in the auditreduce(1M) man page), it is often easier to select the files manually (perhaps with find) and use the auditreduce command to combine just the named set of files.

  1. List the audit files as arguments to the auditreduce command.

    In the following example, a recurring job that starts a bit before midnight merges the audit files from two days before. The final time on the file is the time the job ended, here just before midnight, Greenwich Mean Time (GMT).


    $ auditreduce 19970413000000.19970413235959.grebe \
    19970413000000.19970413235959.willet \
    19970413000000.19970413235959.sora
    $ ls *audubon
    19970413000000.19970414235959.audubon
    
  2. Delete the input files and move the output file to the audit root directory on the administration server.

    In this example, the auditreduce(1M) command was run on the audit administration server, audubon, and the output file was then placed in its audit root directory so that future calls to auditreduce locate the file.


    $ rm /etc/security/tsol/grebe/files/19970413000000.19970413235959.grebe
    $ rm /etc/security/tsol/willet/files/19970413000000.19970413235959.willet
    $ rm /etc/security/tsol/sora/files/19970413000000.19970413235959.sora
    $ mv 19970413000000.19970414235959.audubon /etc/security/audit/audubon/files/
    

To Reduce Audit Files

The auditreduce program can also reduce the number of records in its output file by eliminating the less interesting ones as it combines the input files.

You might use auditreduce to eliminate all except the login/logout events in audit files over a month old, assuming that if you needed to retrieve the complete audit trail you could recover it from backup tapes. The following example selects just the audit records from April 1997.



$ auditreduce -m AUE_LOGIN -a 19970401000000 \
-b 19970501000000 \
-O /usr/audit_summary/logins_april97 

The output is a smaller file containing just the April 1997 login/logout records. Note that the end-time stamp is the date (in GMT) that the command was run (June 1, 1997), not the last date of the merged records. You specified the file suffix, logins_april97, on the command line with the directory name.

/usr/audit_summary/19970401000000.19970601000000.logins_april97

To Change the praudit Field Separator to a Tab

When the praudit command displays an audit token, it separates the data fields with commas. However, if a field (such as a time stamp) contains a comma, this cannot be distinguished from a field-separating comma.

    Press the Tab key as the value of the -d option to praudit(1M).


    $ praudit -d"<press Tab key>" 19970413120429.19970413180433.grebe
    

    There is no space between the -d option and the delimiter. Surround the delimiter with double quotes. The delimiter can be up to four characters long.

To Change the praudit Token Separator to a Tab

Audit tokens are separated by newlines by default. When audit records are printed one per line using the -l option, the audit token separator is the same as the audit field separator. In the following screen example, the audit tokens are separated by tabs, as are the audit fields.


$ praudit -l -d"<press Tab key>" 19970413120429.19970413180433.grebe

To Perform Selections Using a praudit Script

To accomplish more sophisticated display and reports, process the output from praudit with sed or awk, or write programs to interpret and process the binary audit records.

It is sometimes useful to manipulate praudit output as lines of text; for example to perform selections that cannot be done with auditreduce. A simple shell script can process the output of praudit. The following example is called praudit_grep:

#!/bin/sh
# praudit_grep: read binary audit records on standard input, join each
# record's tokens onto one line, keep the records matching the pattern
# given in $1, then restore the newlines. The ^a in the sed replacement
# is a single Control-A character (octal 001), not the characters ^ and a.
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \
| tr '\012\001' '\002\012' \
| grep "$1" \
| tr '\002' '\012'

The example script marks the header tokens by prefixing them with Control-A. (Note that the ^a is Control-A, not the two characters ^ and a. Prefixing is necessary to distinguish them from the string header that might appear as text.) The first tr command then turns every newline into Control-B (octal 002) and every Control-A into a newline, so that all the tokens for a record sit on one line with the original line breaks preserved as Control-B; grep selects whole records; and the final tr turns the Control-B characters back into newlines.

To run the script in the Trusted Solaris environment, the following conditions must be met: