Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014

Viewing the Contents of Binary Audit Files

As an administrator who is assigned the Audit Review rights profile, you can view the contents of binary audit files by using the praudit command.

# praudit options

The following is a partial list of options. You can combine any one of these options with the -l option to display each record on one line.

-s

Displays audit records in a short format, one token per line.

-r

Displays audit records in their raw format, one token per line.

-x

Displays audit records in XML format, one token per line. This option is useful for further processing.

You can also use the auditreduce and praudit commands together by piping the output of the auditreduce command to the praudit command.

Example 5-7  Displaying Audit Records in a Short Format

In this example, login and logout events that are extracted by the auditreduce command are displayed in short format.

# auditreduce -c lo | praudit -s

header,69,2,AUE_screenlock,,mach1,2010-10-14 08:02:56.348 -07:00
subject,jdoe,root,staff,jdoe,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298

Example 5-8  Displaying Audit Records in Raw Format

In this example, login and logout events that are extracted by the auditreduce command are displayed in raw format.

# auditreduce -c lo | praudit -r

21,69,2,6222,0x0000,10.132.136.45,1287070091,698391050
36,26700,0,10,26700,10,856,50036632,82 0 10.132.136.45
39,0,0
47,1298

Example 5-9  Putting Audit Records in XML Format

In this example, the audit records are converted to XML format.

# praudit -x 20100827183214.20100827215318.logins > 20100827.logins.xml

Similarly, you can display audit records filtered by the auditreduce command in XML format.

# auditreduce -c lo | praudit -x
<record version="2" event="screenlock - unlock" host="mach1"
iso8601="2010-10-14 08:28:11.698 -07:00">
<subject audit-uid="jdoe" uid="root" gid="staff" ruid="jdoe"
rgid="staff" pid="856" sid="50036632" tid="82 0 mach1"/>
<return errval="success" retval="0"/>
<sequence seq-num="1298"/>
</record>

The contents of the file can be operated on by a script to extract the relevant information.
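As an added example (not from the Oracle documentation), the following Python script parses a stream of praudit -x records in the format shown above and reports every event whose return token is not success, counted per audit-uid. The sample records are constructed for the example; the synthetic <audit> root element is an assumption that lets the bare <record> elements of piped praudit -x output parse as one document.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the praudit -x record format shown above (not real
# audit data): a successful ssh login, a failed role login, and an su event.
SAMPLE_XML = """
<record version="2" event="login - ssh" host="mach1" iso8601="2013-12-23 12:24:37.292 -08:00">
<subject audit-uid="jsmith" uid="jsmith" gid="staff" ruid="jsmith" rgid="staff" pid="2002" sid="39351741" tid="14632 202240 host.example.com"/>
<return errval="success" retval="0"/>
<sequence seq-num="1301"/>
</record>
<record version="2" event="role login" host="mach1" iso8601="2013-12-23 12:25:07.345 -08:00">
<subject audit-uid="jsmith" uid="root" gid="root" ruid="root" rgid="root" pid="2023" sid="39351741" tid="14632 202240 host.example.com"/>
<return errval="failure" retval="Permission denied"/>
<sequence seq-num="1302"/>
</record>
<record version="2" event="su" host="mach1" iso8601="2013-12-23 17:19:24.031 -08:00">
<return errval="success" retval="0"/>
</record>
"""

def parse_records(xml_text):
    """Parse a stream of praudit -x <record> elements into dicts.
    Piped praudit -x output is bare <record> elements, so they are wrapped in
    a synthetic root; a record with no subject token gets None subject fields."""
    root = ET.fromstring("<audit>" + xml_text + "</audit>")
    records = []
    for rec in root.findall("record"):
        subj = rec.find("subject")
        ret = rec.find("return")
        records.append({
            "event": rec.get("event"),
            "host": rec.get("host"),
            "time": rec.get("iso8601"),
            "audit_uid": subj.get("audit-uid") if subj is not None else None,
            "uid": subj.get("uid") if subj is not None else None,
            "errval": ret.get("errval") if ret is not None else None,
            "retval": ret.get("retval") if ret is not None else None,
        })
    return records

def failed_events(records):
    """Return records whose return token reports anything other than success."""
    return [r for r in records if r["errval"] != "success"]

def failures_by_audit_uid(records):
    """Count failures per audit-uid, the identity that survives su and role changes."""
    return Counter(r["audit_uid"] for r in failed_events(records))
```

Run it on real data with auditreduce -c lo | praudit -x piped to the script's standard input and passed to parse_records.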

Example 5-10  Making Audit Records in XML Format Readable in a Browser

You can reformat records in the XML file to become readable in any browser by using the xsltproc tool. This tool applies stylesheet definitions to the file contents. To put the reformatted contents in a separate file, you would type the following:

# auditreduce -c lo | praudit -x | xsltproc - > logins.html

In a browser, the contents of logins.html would be displayed in a format similar to the following:

                     Audit Trail Data

File: time: 2013-11-04 12:54:28.000 -08:00

Event: login - local
time: 2013-11-04 12:54:28.418 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff
      pid: 1534 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: connect to RAD
time: 2013-11-04 12:54:52.029 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff
      pid: 1835 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: role login
time: 2013-11-08 08:42:52.286 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root
      pid: 4265 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: role logout
time: 2013-11-08 08:43:37.125 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root
      pid: 4265 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: login - ssh
time: 2013-12-23 12:24:37.292 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff
      pid: 2002 sid: 39351741 tid: 14632 202240 host.example.com 
RETURN errval: success retval: 0 

Event: role login
time: 2013-12-23 12:25:07.345 -08:00 vers: 2 mod: fe host: host 
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root
      pid: 2023 sid: 39351741 tid: 14632 202240 host.example.com 
RETURN errval: failure retval: Permission denied 

Event: su
time: 2013-12-23 17:19:24.031 -08:00 vers: 2 mod: na host: host 
RETURN errval: success retval: 0 

Event: su logout
time: 2013-12-23 17:19:24.362 -08:00 vers: 2 mod: na host: host 
RETURN errval: success retval: 0 

Event: login - ssh
time: 2013-12-23 17:27:21.306 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff
      pid: 2583 sid: 3401970889 tid: 13861 5632 host.example.com 
RETURN errval: success retval: 0 

Event: role login
time: 2013-12-23 17:27:28.361 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root 
      pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com 
RETURN errval: success retval: 0 

Event: role logout
time: 2013-12-23 17:30:39.029 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root 
      pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com 
RETURN errval: success retval: 0 

Other events

Example 5-11  Displaying pfedit Records Only

You can use filters to extract and view only specific records from the audit trail. In this example, records that capture the use of the pfedit command are filtered. Suppose that the summary file is 20130827183936.20130827232326.logins. Use of the pfedit command generates the AUE_admin_edit event. Therefore, to extract pfedit records, run the following command:

auditreduce -m AUE_admin_edit 20130827183936.20130827232326.logins | praudit

Example 5-12  Printing the Entire Audit Trail

With a pipe to the print command, the output for the entire audit trail goes to the printer. For security reasons, the printer has limited access.

# auditreduce | praudit | lp -d example.protected.printer

Example 5-13  Viewing a Specific Audit File

In this example, a summary login file is examined in a terminal window.

# cd /var/audit/audit_summary/logins

# praudit 20100827183936.20100827232326.logins | more

Example 5-14  Processing praudit Output With a Script

You might want to process output from the praudit command as lines of text. For example, you might want to select records that the auditreduce command cannot select. You can use a simple shell script to process the output of the praudit command. The following sample script puts one audit record on one line, searches for a user-specified string, then returns the audit file to its original form.

#!/bin/sh
#
## This script takes an argument of a user-specified string.
#  The sed command prefixes the header tokens with Control-A.
#  The first tr command puts the audit tokens for one record
#  onto one line while preserving the line breaks as Control-B,
#  grep finds the user-specified string, and the last tr command
#  restores the original newline breaks.
#
#  Control-A (octal 001) is generated with printf so that the script
#  does not have to contain a literal control character.
CTRL_A=$(printf '\001')

praudit | sed -e '1,2d' -e '$s/^file.*$//' -e "s/^header/${CTRL_A}header/" \
| tr '\012\001' '\002\012' \
| grep "$1" \
| tr '\002' '\012'

Note that the Control-A prefix distinguishes the header token from the string header that might appear as text. The script reads praudit output from standard input, so pipe the output of the auditreduce command to it.

A message similar to the following indicates that you do not have enough privilege to use the praudit command:

praudit: Can't assign 20090408164827.20090408171614.sys1.1 to stdin.

Run the praudit command in a profile shell. You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.