Trusted Solaris Audit Administration

Audit Files Management

Two commands, praudit(1M) and auditreduce(1M), enable the audit reviewer to process audit records. The praudit command makes the records readable, and the auditreduce command enables selecting particular audit records and merging the records into one audit trail.


Note – The auditreduce command can only find records that have been preselected by the security administrator. Events that are not recorded in the audit trail are unavailable to postselection tools.


Merging the Audit Trail

The auditreduce command merges audit records from one or more input audit files to create a single, chronologically ordered output file. On a distributed system, the input audit files originate from different hosts. Therefore, when issued from the audit administration server, the auditreduce command treats the distributed system as if it were one system. This treatment simplifies audit administration. Coupled with backup audit partitions, the distributed system is robust in the face of system failures.

The auditreduce command also includes options for selecting sets of records to examine. For instance, records from the past 24 hours can be selected to generate a daily report; all records generated by a specific user can be selected to examine that user's activities; or all records caused by a specific event type can be selected to see how often that type occurs.

Selecting Records from the Audit Trail

Options to the auditreduce(1M) command enable you to select audit records based on file characteristics and record characteristics, as shown in the following table.

Table 3–1 Some Options to the auditreduce Command

Characteristic                              Option(s)
Time, date (start, finish)                  -d, -a, -f
Host (system) ID                            -M, -h, -S
Audit class                                 -c
Audit event                                 -m
Audit User ID – AUID                        -u
Effective and Real User ID – EUID, RUID     -e, -r
Effective and Real Group ID – EGID, RGID    -f, -g
Process ID – PID                            -j
Sensitivity label                           -s
Filename                                    filename

Uppercase options select operations or parameters for files, and lowercase options select parameters for records. When piped through praudit, audit files processed by the auditreduce command are readable. Otherwise, they remain in binary format.

The merging and selecting functions of auditreduce are logically independent. The auditreduce command selects messages from the input files as the records are read, before the files are merged and written to disk.
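The following shell script is an added example, not part of the Trusted Solaris documentation: it composes the auditreduce record-selection pipelines for the daily, per-user and per-event reports described above, using the lowercase record options from Table 3–1, and pipes the result through praudit so the output is readable. It assumes the -a option takes its start time as yyyymmdd[hh[mm[ss]]] and that the pipeline is run on the audit administration server; build_query only constructs the command line, and run_query executes it.

```shell
#!/bin/sh
# Added example (not from the Trusted Solaris documentation).
# Assumption: auditreduce -a expects a date-time of the form yyyymmdd[hh[mm[ss]]].

# Return 0 if $1 is a well-formed auditreduce date-time: 8, 10, 12 or 14 digits.
valid_stamp() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build "auditreduce <record options> | praudit" from key=value selectors:
#   after=<stamp>  records at or after the time      (-a, Table 3-1 "Time, date")
#   user=<auid>    records for one audit user ID     (-u)
#   event=<name>   records of one audit event type   (-m)
#   class=<class>  records of one audit class        (-c)
# Prints the command line on success; returns 1 on a bad selector or stamp.
build_query() {
  cmd="auditreduce"
  for kv in "$@"; do
    key=${kv%%=*}
    val=${kv#*=}
    case "$key" in
      after) valid_stamp "$val" || return 1; cmd="$cmd -a $val" ;;
      user)  cmd="$cmd -u $val" ;;
      event) cmd="$cmd -m $val" ;;
      class) cmd="$cmd -c $val" ;;
      *)     return 1 ;;
    esac
  done
  printf '%s | praudit\n' "$cmd"
}

# Execute a built query. Only meaningful on a host with the audit tools installed;
# the output is the readable audit trail, chronologically merged by auditreduce.
run_query() {
  q=$(build_query "$@") || return 1
  command -v auditreduce >/dev/null 2>&1 || return 1
  sh -c "$q"
}
```

For the daily report in the text, pass after= with the stamp for 24 hours ago; the hypothetical run_query then prints only records at or after that time, merged across the hosts whose files auditreduce reads.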

Using the auditreduce and praudit Commands

This section describes a few common uses of auditreduce and praudit to select and manage data. See the auditreduce(1M) man page for more examples.

Prerequisites for running the auditreduce and praudit commands:

To access the audit trail for a distributed system: