To produce more sophisticated displays and reports, process the output of praudit with sed or awk, or write programs that interpret and process the binary audit records directly.
It is sometimes useful to manipulate praudit output as lines of text, for example, to perform selections that cannot be done with auditreduce. A simple shell script can process the output of praudit. The following example is called praudit_grep:
#!/bin/sh
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \
| tr '\012\001' '\002\012' \
| grep "$1" \
| tr '\002' '\012'
The first sed expression drops the two leading lines of praudit output and blanks the trailing file token; the last one marks each header token by prefixing it with Control-A. (The ^a in the sed expression is the single Control-A character, not the two characters ^ and a. The prefix is needed to distinguish the header token that begins each record from the string header that might appear elsewhere in the text, so that the record boundary survives the joining step.) The script then joins all the tokens of a record onto one line, preserving the original line breaks as Control-B, runs grep over those lines so that the pattern is matched against whole records rather than single tokens, and finally restores the newlines.
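Below is an added example, not code from the original page, that implements the same whole-record selection in two ways: a praudit_grep-style function whose Control-A and Control-B are generated with printf (so nothing depends on a literal ^a surviving a copy-paste), and an awk function that buffers one record at a time and needs no control-character tricks. The praudit output it reads is a constructed sample embedded in the script (with the real tool you would run praudit | praudit_grep pattern), and dropping every file token with /^file,/d instead of the page's 1,2d and $s/^file.*$// is a simplification chosen for the example:

```shell
#!/bin/sh
# Added example, not code from the original page. Input is praudit's default
# text output: one token per line, each record beginning with a header token.
# The sample below is constructed for this example.
SAMPLE_PRAUDIT='file,Mon Apr 11 10:00:00 2005, + 0 msec,
header,81,2,execve(2),,Mon Apr 11 10:01:02 2005, + 123 msec
path,/usr/bin/ls
subject,alice,alice,staff,alice,staff,1234,5678,0 0 host
return,success,0
header,81,2,execve(2),,Mon Apr 11 10:01:03 2005, + 456 msec
path,/usr/bin/cat
subject,bob,bob,staff,bob,staff,1235,5679,0 0 host
return,failure: Permission denied,-1
file,Mon Apr 11 10:02:00 2005, + 0 msec,'

# praudit_grep PATTERN: reads praudit text on stdin and prints every record
# (all of its token lines) that contains PATTERN, using the page's technique:
# Control-A marks each record start, newlines become Control-B so that one
# record is one line for grep, then the newlines are restored. Dropping all
# file tokens with /^file,/d is a simplification chosen for this example.
praudit_grep() {
    ctl_a=$(printf '\001')
    sed -e '/^file,/d' -e "s/^header,/${ctl_a}header,/" \
    | tr '\012\001' '\002\012' \
    | grep -- "$1" \
    | tr '\002' '\012'
}

# praudit_grep_awk PATTERN: the same selection without control characters.
# awk accumulates token lines until the next header token, then prints the
# buffered record if it matches PATTERN (an extended regular expression).
# Like the sed version, it treats any line beginning with "header," as a
# record start, so a token whose text begins that way would split a record.
praudit_grep_awk() {
    awk -v pat="$1" '
        function flush() { if (rec != "" && rec ~ pat) printf "%s", rec; rec = "" }
        /^file,/   { next }
        /^header,/ { flush() }
                   { rec = rec $0 "\n" }
        END        { flush() }
    '
}

# Helpers that run each filter over the sample and return the number of
# records selected, so the behaviour can be checked rather than eyeballed.
count_matches() {
    printf '%s\n' "$SAMPLE_PRAUDIT" | praudit_grep_awk "$1" | grep -c '^header,' || true
}
count_matches_tr() {
    printf '%s\n' "$SAMPLE_PRAUDIT" | praudit_grep "$1" | grep -c '^header,' || true
}

# Usage: printf '%s\n' "$SAMPLE_PRAUDIT" | praudit_grep_awk alice
```

Because the pattern is matched against the whole record, a selection such as "execve records whose subject is bob" works as a single grep on the joined line, which auditreduce cannot express; the tr version leaves a blank line after each record as a separator, the awk version does not.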
To run the script in the Trusted Solaris environment, the following conditions must be met:
The script exists in an admin_low directory (to make it visible to the Profile Manager).
The security administrator has added the script to the appropriate profile (such as Custom Admin Role) and given it the forced privileges:
The security administrator has added any commands in the script that are not in the role's profile to the appropriate profile.
The admin role runs the script in an admin_high profile shell, in a directory where the admin role has write access.