System Administration Guide: Security Services

Managing Audit Records (Task Map)

By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.

The following task map describes the tasks in this section.

Task                                  Description                                                        For Instructions
------------------------------------  -----------------------------------------------------------------  -----------------------------------
Display the formats of audit records  Displays the order of tokens for a particular audit event.         How to Display Audit Record Formats
Display audit records                 Displays the audit records in readable format.                     How to Display Audit Records
Merge audit records                   Combines audit files from several machines into one audit trail.   How to Merge Audit Records
Prevent audit trail overflow          Prevents the audit file systems from completely filling up.        How to Prevent Audit Trail Overflow

How to Display Audit Record Formats

The bsmrecord command displays the audit ID, audit class, selection mask, and record format of an audit event. The command operates on records in the audit_class and audit_event files.

The -a option in the following command lists all audit event record formats. The -h option puts the list in HTML format. The resulting file can be displayed in a browser.

    Use the bsmrecord command to put the format of all audit event records in an HTML file.


    % bsmrecord -a -h > audit.events.html
    

    You can display the resulting audit.events.html file in a browser. Use the browser's Find tool to find specific records.

    See the bsmrecord(1M) man page for more information.

Example—Displaying the Audit Record Formats of a Program

In this example, the formats of all audit records that are generated by the login program are displayed.


% bsmrecord -p login

terminal login
  program     /usr/sbin/login      see login(1)
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      text                         error message or "successful login"
      return

login: logout
  program     /usr/sbin/login      see login(1)
  event ID    6153                 AUE_logout
  class       lo                   (0x00001000)
      header
      subject
      text                         "logout" username
      return

rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
      header
      subject
      text                         success/fail message
      return

telnet login
  program     /usr/sbin/login      see login(1) - telnet
  event ID    6154                 AUE_telnet
  class       lo                   (0x00001000)
      header
      subject
      text                         success/fail message
      return

Example—Displaying the Audit Record Formats of an Audit Class

In this example, the formats of all audit records in the fd class are displayed.


% bsmrecord -c fd

ftruncate
    Not used.

truncate
    Not used.

unlink
  system call unlink               see unlink(2)
  event ID    6                    AUE_UNLINK
  class       fd                   (0x00000020)
      header
      path
      [attribute]
      subject
      return

How to Merge Audit Records

This task shows you how to merge all audit files in all the audit directories. Follow these steps when you want to analyze the contents of the audit trail.

  1. Become superuser or assume an equivalent role.

  2. Change directories to the primary audit directory.


    # cd /etc/security/audit/server-name.1/files
    

    The merged file is placed in the /etc/security/audit/server-name.1/files directory. This directory is a protected directory.

  3. Merge the audit records.


    # auditreduce > merged.log
    

    All directories that are listed in the dir: lines of the audit_control file on server-name are merged. The merged records are then placed in the merged.log file in the current directory.

Example—Displaying the Entire Audit Trail

To display the entire audit trail at once, pipe the output of the auditreduce command into the praudit command.


# auditreduce | praudit

Example—Printing the Entire Audit Trail

With a pipe to the lp command, the output goes to the printer.


# auditreduce | praudit | lp

Example—Combining and Reducing Audit Files

Use the auditreduce command with the -O option to combine several audit files into a single, named output file. auditreduce can do this type of combination and deletion automatically. See the -C and -D options in the auditreduce(1M) man page. However, you can select the files manually to good effect. Use the find command, then use auditreduce to combine just the named set of files.

When used in this way, the auditreduce command merges all the records from its input files into a single output file. The input files should then be deleted. In addition, the output file should be kept in a directory that is named /etc/security/audit/server-name/files so that auditreduce can find the output file.


# auditreduce -O combined-filename

The auditreduce command can also reduce the number of records in its output file. The command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup tapes.


# auditreduce -O daily.summary -b 19990413 -c lo; compress *daily.summary
# mv *daily.summary /etc/security/summary.dir

Example—Displaying User Activity From a Selected Date

In the following example, the system administrator checks to see when user tamiko logged in and logged out on April 13, 1999. The administrator requests the lo event class. The short-form date is in the form yymmdd. The long form is described in the auditreduce(1M) man page.


# auditreduce -d 990413 -u tamiko -c lo | praudit

Example—Copying Selected Records to a Single File

In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.


# auditreduce -c lo -d 990413 -O /usr/audit_summary/logins 

The -O option creates an audit file with 14-character timestamps for both the start-time and the end-time, with the suffix logins:


/usr/audit_summary/19990413000000.19990413235959.logins

Example—Cleaning Up a not_terminated Audit File

Occasionally, an audit daemon dies while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end-time, even though the file is no longer used for audit records. When you find such a file, you can manually verify that the file is no longer in use. You can clean up the open file by specifying the name of the file with the correct options.


# audit -s
19990414121112.not_terminated.egret
# auditreduce -O egret 19990413120429.not_terminated.egret

The audit -s command reports the name of the current audit file. The auditreduce command creates a new audit file with the correct name and correct timestamps. The correct name includes the correct suffix (egret). auditreduce then copies all the records into the new file.
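The audit file names used above follow one convention: a 14-character start timestamp, a 14-character end timestamp (or the string not_terminated while the file is still open), and a suffix. The following Python helpers, added here as an example and not part of the original guide or of Solaris, parse that convention and flag open files other than the one that audit -s reports as current, so a stale file can be identified before it is closed with the auditreduce -O command shown above. The file names and the current-file value are constructed inputs, not taken from a live system.

```python
import re
from datetime import datetime

# Name convention from the guide: start.end.suffix, with start and end as
# yyyymmddHHMMSS (14 characters) and end == "not_terminated" for an open file.
AUDIT_NAME = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")
STAMP = "%Y%m%d%H%M%S"


def parse_audit_name(name):
    """Return (start, end, suffix); end is None for an open file. None if the name does not fit."""
    m = AUDIT_NAME.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group(1), STAMP)
    end = None if m.group(2) == "not_terminated" else datetime.strptime(m.group(2), STAMP)
    if end is not None and end < start:
        return None  # end-time before start-time cannot be a valid audit file
    return start, end, m.group(3)


def stale_not_terminated(names, current):
    """Open (not_terminated) files other than `current`, the name printed by audit -s.

    The caller supplies `current` (assumed to be read from audit -s output);
    every other not_terminated file in the listing is a candidate for clean-up.
    """
    stale = []
    for name in names:
        parsed = parse_audit_name(name)
        if parsed is None or name == current:
            continue
        _start, end, _suffix = parsed
        if end is None:
            stale.append(name)
    return sorted(stale)


def cleanup_command(name):
    """Build the guide's clean-up invocation: auditreduce -O <suffix> <open-file>."""
    parsed = parse_audit_name(name)
    if parsed is None or parsed[1] is not None:
        raise ValueError("not an open audit file: %s" % name)
    return "auditreduce -O %s %s" % (parsed[2], name)


if __name__ == "__main__":
    # Constructed directory listing; the second entry plays the role of audit -s output.
    listing = ["19990413120429.not_terminated.egret",
               "19990414121112.not_terminated.egret",
               "19990413000000.19990413235959.egret"]
    for stale in stale_not_terminated(listing, "19990414121112.not_terminated.egret"):
        print(cleanup_command(stale))
```

Verify with audit -s that the reported file has not changed since the listing was taken before acting on the result.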

How to Display Audit Records

  1. Become superuser or assume an equivalent role.

  2. Change directories to an audit files directory, such as /usr/audit_summary/logins.


    # cd /usr/audit_summary/logins
    
  3. Read a file by using the praudit command.


    # praudit 19990413000000.19990413235959.logins | more
    

Example—Putting Audit Records in XML Format

In this example, the audit records are converted to XML format. XML format can be displayed in a browser. The format can also be used to create a report.


# praudit -x 19990413000000.19990413235959.logins > 19990413.logins.xml

The resulting .xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information.
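As an example of such a script, and of the per-user login check from Example—Displaying User Activity From a Selected Date, the following Python code summarises the login and logout records in praudit -x output by audit-uid. It is added here and is not part of the original guide or of Solaris. The sample XML is constructed; the element and attribute names (record, subject, text, return, event, iso8601, audit-uid, errval) are assumed from the shape of praudit -x output and should be checked against a real file.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the shape praudit -x writes (assumed attribute names).
SAMPLE_XML = """<audit>
<record version="2" event="login - local" host="egret" iso8601="1999-04-13 08:01:12.000 -07:00">
<subject audit-uid="tamiko" uid="tamiko" gid="staff" ruid="tamiko" rgid="staff" pid="1201" sid="1201" tid="0 0 egret"/>
<text>successful login</text>
<return errval="success" retval="0"/>
</record>
<record version="2" event="login - local" host="egret" iso8601="1999-04-13 08:03:40.000 -07:00">
<subject audit-uid="tamiko" uid="tamiko" gid="staff" ruid="tamiko" rgid="staff" pid="1205" sid="1205" tid="0 0 egret"/>
<text>invalid password</text>
<return errval="failure" retval="1"/>
</record>
<record version="2" event="logout" host="egret" iso8601="1999-04-13 17:22:05.000 -07:00">
<subject audit-uid="tamiko" uid="tamiko" gid="staff" ruid="tamiko" rgid="staff" pid="1201" sid="1201" tid="0 0 egret"/>
<text>logout tamiko</text>
<return errval="success" retval="0"/>
</record>
</audit>
"""


def login_activity(xml_text):
    """Per audit-uid counts of successful logins, failed logins and logouts, plus the event list.

    The audit-uid (not uid) is used as the key because it identifies the user who
    authenticated even after a later identity change within the session.
    """
    root = ET.fromstring(xml_text)
    summary = defaultdict(lambda: {"logins": 0, "failed_logins": 0, "logouts": 0, "events": []})
    for rec in root.iter("record"):
        subj, ret = rec.find("subject"), rec.find("return")
        if subj is None or ret is None:
            continue  # records without subject/return tokens are not session events
        entry = summary[subj.get("audit-uid", "?")]
        event = rec.get("event", "")
        ok = ret.get("errval") == "success"
        if event.startswith("login"):
            entry["logins" if ok else "failed_logins"] += 1
        elif event == "logout":
            entry["logouts"] += 1
        entry["events"].append((rec.get("iso8601"), event, ret.get("errval")))
    return dict(summary)


if __name__ == "__main__":
    for user, entry in login_activity(SAMPLE_XML).items():
        print(user, entry["logins"], entry["failed_logins"], entry["logouts"])
```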

How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the following:

  1. Set up a schedule to regularly archive audit files. Set up a schedule to delete the archived audit files from the audit file system.

  2. Manually archive audit files by backing up the files on tape. You can also move the files to an archive file system.

  3. Store context-sensitive information that is necessary to interpret audit records, along with the audit trail.

  4. Keep records of which audit files are moved offline.

  5. Store the archived tapes appropriately.

  6. Reduce the volume of audit data that you store by creating summary files.

    You can extract summary files from the audit trail by using options to the auditreduce command. The summary files then contain only records for certain specified types of audit events. For examples, see Example—Combining and Reducing Audit Files and Example—Copying Selected Records to a Single File.