As an administrator who is assigned the Audit Review rights profile, you can view the contents of binary audit files by using the praudit command.
# praudit options
The following is a partial list of options. You can combine any one of these options with the -l option to display each record on one line.
-s
Displays audit records in a short format, one token per line.
-r
Displays audit records in their raw format, one token per line.
-x
Displays audit records in XML format, one token per line. This option is useful for further processing.
You can also use the auditreduce and praudit commands together by piping the output of the auditreduce command into the praudit command.
Example 5-7 Displaying Audit Records in a Short Format
In this example, log in and log out events that are extracted by the auditreduce command are displayed in short format.
# auditreduce -c lo | praudit -s
header,69,2,AUE_screenlock,,mach1,2010-10-14 08:02:56.348 -07:00
subject,jdoe,root,staff,jdoe,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
Example 5-8 Displaying Audit Records in Raw Format
In this example, log in and log out events that are extracted by the auditreduce command are displayed in raw format.
# auditreduce -c lo | praudit -r
21,69,2,6222,0x0000,10.132.136.45,1287070091,698391050
36,26700,0,10,26700,10,856,50036632,82 0 10.132.136.45
39,0,0
47,1298
Example 5-9 Putting Audit Records in XML Format
In this example, the audit records are converted to XML format.
# praudit -x 20100827183214.20100827215318.logins > 20100827.logins.xml
Similarly, you can display audit records filtered by the auditreduce command in XML format.
# auditreduce -c lo | praudit -x
<record version="2" event="screenlock - unlock" host="mach1" iso8601="2010-10-14 08:28:11.698 -07:00">
<subject audit-uid="jdoe" uid="root" gid="staff" ruid="jdoe" rgid="staff" pid="856" sid="50036632" tid="82 0 mach1"/>
<return errval="success" retval="0"/>
<sequence seq-num="1298"/>
</record>
The contents of the file can be operated on by a script to extract the relevant information.
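As an added example of such a script (not code from the Oracle Solaris documentation), the following Python parses praudit -x output using only the record, subject, return and sequence layout shown in the XML examples on this page and pulls out the records that a reviewer would act on first: events whose return token is not success, attributed to the audit-uid rather than the effective uid. The sample XML is constructed for the example; the assumption that praudit -x can emit a bare run of record elements without a single root is taken from the piped example above.

```python
"""Parse praudit -x output and select the records worth reviewing.

Added example, not part of the Oracle Solaris documentation. Assumes only the
<record>/<subject>/<return>/<sequence> layout shown on this page.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the praudit -x layout shown on this page (not a real audit trail).
# The third record has no subject token, like the su events in the browser listing.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<record version="2" event="login - ssh" host="mach1" iso8601="2013-12-23 12:24:37.292 -08:00">
<subject audit-uid="jsmith" uid="jsmith" gid="staff" ruid="jsmith" rgid="staff" pid="2002" sid="39351741" tid="14632 202240 host.example.com"/>
<return errval="success" retval="0"/>
<sequence seq-num="1298"/>
</record>
<record version="2" event="role login" host="mach1" iso8601="2013-12-23 12:25:07.345 -08:00">
<subject audit-uid="jsmith" uid="root" gid="root" ruid="root" rgid="root" pid="2023" sid="39351741" tid="14632 202240 host.example.com"/>
<return errval="failure" retval="Permission denied"/>
<sequence seq-num="1299"/>
</record>
<record version="2" event="su" host="mach1" iso8601="2013-12-23 17:19:24.031 -08:00">
<return errval="success" retval="0"/>
<sequence seq-num="1300"/>
</record>
"""

# An XML declaration or DOCTYPE (if praudit emits one) must not follow the synthetic root.
_PROLOG = re.compile(r"<\?xml[^>]*\?>|<!DOCTYPE[^>]*>")


def parse_records(xml_text):
    """Return one dict per <record>.

    praudit -x piped from auditreduce can print a bare run of <record> elements
    (assumption based on the example above), so strip any prolog and wrap the text
    in a synthetic root before parsing. Records without a subject token are kept,
    with the subject fields set to None.
    """
    body = _PROLOG.sub("", xml_text)
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    records = []
    for rec in root.iter("record"):
        subj = rec.find("subject")
        ret = rec.find("return")
        seq = rec.find("sequence")
        records.append({
            "event": rec.get("event"),
            "host": rec.get("host"),
            "time": rec.get("iso8601"),
            "audit_uid": subj.get("audit-uid") if subj is not None else None,
            "uid": subj.get("uid") if subj is not None else None,
            "errval": ret.get("errval") if ret is not None else None,
            "retval": ret.get("retval") if ret is not None else None,
            "seq": int(seq.get("seq-num")) if seq is not None else None,
        })
    return records


def failed_records(records):
    """Records whose return token is not 'success' (failed role logins, su, ...).

    The audit-uid is fixed at login and survives role assumption, so it names the
    person responsible even when uid is already root.
    """
    return [r for r in records if r["errval"] != "success"]


def events_by_audit_uid(records):
    """Group event names per original login identity; records with no subject are skipped."""
    out = {}
    for r in records:
        if r["audit_uid"] is not None:
            out.setdefault(r["audit_uid"], []).append(r["event"])
    return out


if __name__ == "__main__":
    # Usage with real data: auditreduce -c lo | praudit -x | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XML
    for r in failed_records(parse_records(text)):
        print(f'{r["time"]} {r["host"]} audit-uid={r["audit_uid"]} uid={r["uid"]} '
              f'event="{r["event"]}" {r["retval"]}')
```

Keying the report on audit-uid rather than uid is the point: in the failed role login above the effective uid is already root, and only the audit-uid tells you that jsmith was the one who tried.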
Example 5-10 Making Audit Records in XML Format Readable in a Browser
You can reformat records in the XML file to become readable in any browser by using the xsltproc tool. This tool applies stylesheet definitions to the file contents. To put the reformatted contents in a separate file, you would type the following:
# auditreduce -c lo | praudit -x | xsltproc - > logins.html
In a browser, the contents of logins.html would be displayed in a format similar to the following:
Audit Trail Data
File: time: 2013-11-04 12:54:28.000 -08:00

Event: login - local
time: 2013-11-04 12:54:28.418 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff pid: 1534 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0

Event: connect to RAD
time: 2013-11-04 12:54:52.029 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff pid: 1835 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0

Event: role login
time: 2013-11-08 08:42:52.286 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root pid: 4265 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0

Event: role logout
time: 2013-11-08 08:43:37.125 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root pid: 4265 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0

Event: login - ssh
time: 2013-12-23 12:24:37.292 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff pid: 2002 sid: 39351741 tid: 14632 202240 host.example.com
RETURN errval: success retval: 0

Event: role login
time: 2013-12-23 12:25:07.345 -08:00 vers: 2 mod: fe host: host
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root pid: 2023 sid: 39351741 tid: 14632 202240 host.example.com
RETURN errval: failure retval: Permission denied

Event: su
time: 2013-12-23 17:19:24.031 -08:00 vers: 2 mod: na host: host
RETURN errval: success retval: 0

Event: su logout
time: 2013-12-23 17:19:24.362 -08:00 vers: 2 mod: na host: host
RETURN errval: success retval: 0

Event: login - ssh
time: 2013-12-23 17:27:21.306 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff pid: 2583 sid: 3401970889 tid: 13861 5632 host.example.com
RETURN errval: success retval: 0

Event: role login
time: 2013-12-23 17:27:28.361 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com
RETURN errval: success retval: 0

Event: role logout
time: 2013-12-23 17:30:39.029 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com
RETURN errval: success retval: 0

Other events
Example 5-11 Displaying pfedit Records Only
You can use filters to extract and view only specific records from the audit trail. In this example, records that capture the use of the pfedit command are filtered. Suppose that the summary file is 20130827183936.20130827232326.logins. Use of the pfedit command generates the AUE_admin_edit event. Therefore, to extract pfedit records, run the following command:
# auditreduce -m AUE_admin_edit 20130827183936.20130827232326.logins | praudit
Example 5-12 Printing the Entire Audit Trail
With a pipe to the print command, the output for the entire audit trail goes to the printer. For security reasons, the printer has limited access.
# auditreduce | praudit | lp -d example.protected.printer
Example 5-13 Viewing a Specific Audit File
In this example, a summary login file is examined in a terminal window.
# cd /var/audit/audit_summary/logins
# praudit 20100827183936.20100827232326.logins | more
Example 5-14 Processing praudit Output With a Script
You might want to process output from the praudit command as lines of text. For example, you might want to select records that the auditreduce command cannot select. You can use a simple shell script to process the output of the praudit command. The following sample script puts one audit record on one line, searches for a user-specified string, then returns the audit file to its original form.
#!/bin/sh
#
## This script takes an argument of a user-specified string.
# praudit reads the audit records from standard input, so feed the
# script from auditreduce, for example: auditreduce | ./thisscript jdoe
# The sed command drops the leading lines and the trailing file token,
# then prefixes the header tokens with Control-A.
# The first tr command puts the audit tokens for one record
# onto one line while preserving the line breaks as Control-A.
# grep finds the user-specified string.
# The last tr command restores the original newline breaks.
#
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \
    | tr '\012\001' '\002\012' \
    | grep "$1" \
    | tr '\002' '\012'
Note that the ^a in the script is Control-A, not the two characters ^ and a. The prefix distinguishes the header token from the string header that might appear as text.
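The same record-grouping search, written in Python as an added example (not code from the Oracle Solaris documentation) so that the selection criterion can be any predicate over the tokens rather than one fixed string. It assumes only the default praudit layout shown on this page: one token per line, each record beginning with a header token, with file tokens at the start and end of the stream. The sample input and the AUE_role_login and AUE_login event names in it are constructed for the example.

```python
"""Group default praudit output into records and select records by content.

Added example, not part of the Oracle Solaris documentation. Assumes only the
one-token-per-line layout shown on this page, with each record starting at a
header token.
"""
import sys

# Constructed sample of default praudit output (not a real audit trail). The
# leading and trailing file tokens are what the shell script's sed expressions
# delete; here they are skipped by name instead of by line number.
SAMPLE_PRAUDIT = """file,2010-10-14 08:00:00.000 -07:00,
header,69,2,AUE_screenlock,,mach1,2010-10-14 08:02:56.348 -07:00
subject,jdoe,root,staff,jdoe,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
header,69,2,AUE_role_login,fe,mach1,2010-10-14 08:05:12.101 -07:00
subject,jsmith,root,root,root,root,2023,39351741,14632 202240 host.example.com
return,failure,Permission denied
sequence,1299
header,69,2,AUE_login,,mach1,2010-10-14 08:07:40.220 -07:00
subject,jdoe,jdoe,staff,jdoe,staff,2100,39351742,0 0 mach1
return,success,0
sequence,1300
file,2010-10-14 08:10:00.000 -07:00,
"""


def split_records(text):
    """Group token lines into records (each a list of lines).

    A record starts at a line that begins with 'header,'. Matching at the start
    of the line, and on the token name followed by the comma, is what the
    Control-A prefix in the shell script achieves: a user or path that happens to
    contain the word header cannot start a new record. File tokens and blank
    lines are dropped.
    """
    records, current = [], None
    for line in text.splitlines():
        if not line or line.startswith("file,"):
            continue
        if line.startswith("header,"):
            if current:
                records.append(current)
            current = [line]
        elif current is not None:
            current.append(line)
    if current:
        records.append(current)
    return records


def grep_records(text, needle):
    """Records containing needle in any token, each restored to one token per line."""
    return ["\n".join(rec) for rec in split_records(text)
            if any(needle in tok for tok in rec)]


def tokens_of(rec):
    """Map token name -> list of field lists (a record may repeat a token type)."""
    tokens = {}
    for line in rec:
        name, _, rest = line.partition(",")
        tokens.setdefault(name, []).append(rest.split(","))
    return tokens


def select_records(text, predicate):
    """Keep the records for which predicate(tokens) is true.

    This is the step auditreduce cannot do: select on a combination of fields
    from different tokens of the same record.
    """
    return ["\n".join(rec) for rec in split_records(text)
            if predicate(tokens_of(rec))]


def root_failures(text):
    """Failed events whose effective uid (second subject field) is root."""
    def is_root_failure(t):
        if "return" not in t or "subject" not in t:
            return False
        return t["return"][0][0] == "failure" and t["subject"][0][1] == "root"
    return select_records(text, is_root_failure)


if __name__ == "__main__":
    # Usage with real data: auditreduce | praudit | python3 this_script.py jdoe
    needle = sys.argv[1] if len(sys.argv) > 1 else "jdoe"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PRAUDIT
    print("\n\n".join(grep_records(text, needle)))
```

Splitting on the token name plus comma, rather than on the bare word header, is the same safeguard the Control-A prefix provides in the shell version; it also lets the file tokens be skipped wherever they occur instead of relying on them being exactly the first two and last lines.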
A message similar to the following indicates that you do not have enough privilege to use the praudit command:
praudit: Can't assign 20090408164827.20090408171614.sys1.1 to stdin.
Run the praudit command in a profile shell. You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.