Go to main content

Managing Auditing in Oracle® Solaris 11.3

Exit Print View

Updated: October 2017
 
 

Displaying Audit Trail Data

The default plugin, audit_binfile, creates an audit trail. The trail can contain large amounts of data. The following sections describe how to work with this data.

Displaying Audit Record Definitions

To display audit record definitions, use the auditrecord command. The definitions provide the audit event number, audit class, selection mask, and record format of an audit event.

$ auditrecord -options

The screen output generated by the command depends on the option that you use. Some common options are:

  • –p – Displays the audit record definitions of a program.

  • –c – Displays the audit record definitions of an audit class.

  • –a – Lists all audit event definitions.

  • –h – Generates the output in an HTML file. When you display the HTML file in a browser, use the browser's Find tool to find specific audit record definitions. See Example 33, Printing Audit Record Definitions to a File.

For more information, see the auditrecord(1M) man page.

Example 31  Displaying the Audit Record Definitions of a Program

This example displays the definition of all audit records that are generated by the login program. Login programs include rlogin, telnet, newgrp, and the Secure Shell feature of Oracle Solaris.

$ auditrecord -p login
...
login: logout
program     various              See login(1)
event ID    6153                 AUE_logout
class       lo                  (0x0000000000001000)
...
newgrp
program     newgrp               See newgrp login
event ID    6212                 AUE_newgrp_login
class       lo                  (0x0000000000001000)
...
rlogin
program     /usr/sbin/login      See login(1) - rlogin
event ID    6155                 AUE_rlogin
class       lo                   (0x0000000000001000)
...
/usr/lib/ssh/sshd
program     /usr/lib/ssh/sshd    See login - ssh
event ID    6172                 AUE_ssh
class       lo                   (0x0000000000001000)
...
telnet login
program     /usr/sbin/login      See login(1) - telnet
event ID    6154                 AUE_telnet
class       lo                   (0x0000000000001000)
…
Example 32  Displaying the Audit Record Definitions of an Audit Class

This example displays the definitions of all audit records in the pf class that was created in Example 15, Creating a New Audit Class is displayed.

$ auditrecord -c pf
pfexec
system call pfexec               See execve(2) with pfexec enabled
event ID    116                  AUE_PFEXEC
class       pf                   (0x0100000000000000)
header
path                    pathname of the executable
path                    pathname of working directory
[privileges]            privileges if the limit or inheritable set are changed
[privileges]            privileges if the limit or inheritable set are changed
[process]               process if ruid, euid, rgid or egid is changed
exec_arguments
[exec_environment]      output if arge policy is set
subject
[use_of_privilege]
return

The use_of_privilege token is recorded whenever privilege is used. The privileges tokens are recorded if the limit or inheritable set is changed. The process token is recorded if an ID is changed. No policy option is required for these tokens to be included in the record.

Example 33  Printing Audit Record Definitions to a File

In this example, the –h option is added to put all the audit record definitions to a file in HTML format. When you display the HTML file in a browser, use the browser's Find tool to find specific audit record definitions.

$ auditrecord -ah > audit.events.html

Selecting Audit Events to Be Displayed

As an administrator who is assigned the Audit Review rights profile, you can filter audit records for examination by using the auditreduce command. This command can eliminate the less interesting records as it combines the input files.

auditreduce -option argument [filename]

Some commonly used record selection options and their corresponding arguments are:

–c

Selects an audit class where argument is an audit class, such as ua.

–d

Selects all of the events on a particular date. The date format is yyyymmdd. Other date options such as –b and –a select events before and after a particular date, respectively.

–u

Selects all of the events attributable to a particular user. For this option, you specify a user name. Another user option, –e , selects all of the events attributable to an effective user ID.

–g

Selects all of the events attributable to a particular group. For this option, specify a group name.

–m

Selects all of the instances of a particular audit event.

–o

Selects by object type. Use this option to select by file, group, file owner, FMRI, PID, and other object types.

filename

The name of an audit file.

The command also uses file selection options that determine which files are to be processed and certain types of special treatment. They are all in upper case as shown in the following examples. For the full list of options, see the auditreduce(1M) man page.

Example 34  Combining and Reducing Audit Files

In this example, only the login and logout records in audit files that are over a month old are retained. The example assumes that the current date is Sept 27. If you need to retrieve the complete audit trail, you could recover the trail from backup media. The –O option directs the command's output to a file named lo.summary. Records are included if they occurred before the date specified by the –b option.

# cd /var/audit/audit_summary
# auditreduce -O lo.summary -b 20100827 -c lo; compress *lo.summary
Example 35  Copying One User's Audit Records to a Summary File

In this example, the records in the audit trail that contain the name of a particular user are merged. The –e option finds the effective user. The –u option finds the login user. The –O option directs the output to the file tamiko.

# cd /var/audit/audit_summary
# auditreduce -e tamiko -O tamiko

You can further narrow the displayed information. In this next example, the following data is filtered and printed to a file called tamikolo.

  • Time of user login and logout, specified by the –c option.

  • Date of Sept 7, 2013, specified by the –d option. The short form of the date is yyyymmdd.

  • User name of tamiko, specified by the –u option.

  • Name of system, specified by the –M (Machine) option.

# auditreduce -M system1 -O tamikolo -d 20130907 -u tamiko -c lo
Example 36  Merging Selected Records to a Single File

In this example, login and logout records for a particular day are selected from the audit trail. The records are merged into a target file. The target file is written in a file system other than the file system that contains the audit root directory.

# auditreduce -c lo -d 20130827 -O /var/audit/audit_summary/logins

# ls /var/audit/audit_summary/*logins
/var/audit/audit_summary/20130827183936.20130827232326.logins

Viewing the Contents of Binary Audit Files

As an administrator who is assigned the Audit Review rights profile, you can view the contents of binary audit files by using the praudit command.

# praudit options

The following options are commonly used. You can combine any of these options with the –l option to display each record on one line. For a complete list of options, see the praudit(1M) man page.

–s

Displays audit records in a short format, one token per line.

–r

Displays audit records in their raw format, one token per line.

–x

Displays audit records in XML format, one token per line. This option is useful for further processing.

You can reformat records in the XML file to become readable in any browser by using the xsltproc tool. This tool applies stylesheet definitions to the file contents. See Example 40, Making Audit Records in XML Format Readable in a Browser.

You can also use the auditreduce and praudit commands together by piping the praudit output from the auditreduce command.

You have the option to process output from the praudit command as lines of text.

Example 37  Displaying Audit Records in a Short Format

In this example, login and logout events that are extracted by the auditreduce command display in short format.

# auditreduce -c lo | praudit -s

header,69,2,AUE_screenlock,,mach1,2010-10-14 08:02:56.348 -07:00
subject,jdoe,root,staff,jdoe,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
Example 38  Displaying Audit Records in Raw Format

In this example, login and logout events that are extracted by the auditreduce command are displayed in raw format.

# auditreduce -c lo | praudit -r

21,69,2,6222,0x0000,192.0.2.45,1287070091,698391050
36,26700,0,10,26700,10,856,50036632,82 0 192.0.2.45
39,0,0
47,1298
Example 39  Putting Audit Records in XML Format

In this example, the audit records are converted to XML format.

# praudit -x 20100827183214.20100827215318.logins > 20100827.logins.xml

Similarly, you can display audit records filtered by the auditreduce command in XML format.

# auditreduce -c lo | praudit -x
<record version="2" event="screenlock - unlock" host="mach1"
iso8601="2010-10-14 08:28:11.698 -07:00">
<subject audit-uid="jdoe" uid="root" gid="staff" ruid="jdoe
rgid="staff" pid="856" sid="50036632" tid="82 0 mach1"/>
<return errval="success" retval="0"/>
<sequence seq-num="1298"/>
</record>

The contents of the file can be operated on by a script to extract the relevant information.

Example 40  Making Audit Records in XML Format Readable in a Browser

In this example the xsltproc tool is used to reformat records in the XML file to become readable in any browser. This tool applies stylesheet definitions to the file contents. To put the reformatted contents in a separate file, you would type the following:

# auditreduce -c lo | praudit -x | xsltproc - > logins.html

In a browser, the contents of logins.html would be displayed in a format similar to the following:

                     Audit Trail Data

File: time: 2013-11-04 12:54:28.000 -08:00

Event: login - local
time: 2013-11-04 12:54:28.418 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff
      pid: 1534 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: connect to RAD
time: 2013-11-04 12:54:52.029 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff
      pid: 1835 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: role login
time: 2013-11-08 08:42:52.286 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root
      pid: 4265 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: role logout
time: 2013-11-08 08:43:37.125 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root
      pid: 4265 sid: 3583012893 tid: 0 0 host 
RETURN errval: success retval: 0 

Event: login - ssh
time: 2013-12-23 12:24:37.292 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff
      pid: 2002 sid: 39351741 tid: 14632 202240 host.example.com 
RETURN errval: success retval: 0 

Event: role login
time: 2013-12-23 12:25:07.345 -08:00 vers: 2 mod: fe host: host 
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root
      pid: 2023 sid: 39351741 tid: 14632 202240 host.example.com 
RETURN errval: failure retval: Permission denied 

Event: su
time: 2013-12-23 17:19:24.031 -08:00 vers: 2 mod: na host: host 
RETURN errval: success retval: 0 

Event: su logout
time: 2013-12-23 17:19:24.362 -08:00 vers: 2 mod: na host: host 
RETURN errval: success retval: 0 

Event: login - ssh
time: 2013-12-23 17:27:21.306 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff
      pid: 2583 sid: 3401970889 tid: 13861 5632 host.example.com 
RETURN errval: success retval: 0 

Event: role login
time: 2013-12-23 17:27:28.361 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root 
      pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com 
RETURN errval: success retval: 0 

Event: role logout
time: 2013-12-23 17:30:39.029 -08:00 vers: 2 mod: host: host 
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root 
      pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com 
RETURN errval: success retval: 0 

Other events 
Example 41  Displaying pfedit Records Only

You can use filters to extract and view only specific records from the audit trail. In this example, records that capture the use of the pfedit command are filtered. Suppose that the summary file is 20130827183936.20130827232326.logins. Use of the pfedit command generates the AUE_admin_edit event. Therefore, to extract pfedit records, run the following command:

auditreduce -m AUE_admin_edit 20130827183936.20130827232326.logins | praudit
Example 42  Printing the Entire Audit Trail

With a pipe to the print command, the output for the entire audit trail goes to the printer. For security reasons, the printer has limited access.

# auditreduce | praudit | lp -d example.protected.printer
Example 43  Viewing a Specific Audit File

In this example, a summary login file is examined in a terminal window.

# cd /var/audit/audit_summary/logins

# praudit 20100827183936.20100827232326.logins | more
Example 44  Processing praudit Output With a Script

In this example, you process output from the praudit command as lines of text. If, for example, you want to select records that the auditreduce command cannot select, you can use a simple shell script to process the output of the praudit command. The following sample script puts one audit record on one line, searches for a user-specified string, then returns the audit file to its original form.

#!/bin/sh
#
## This script takes an argument of a user-specified string.
#  The sed command prefixes the header tokens with Control-A
#  The first tr command puts the audit tokens for one record
#  onto one line while preserving the line breaks as Control-A
#
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \\
| tr '\\012\\001' '\\002\\012' \\
| grep "$1" \\ 
Finds the user-specified string

| tr '\\002' '\\012' 
Restores the original newline breaks

Note that the ^a in the script is Control-A, not the two characters ^ and a. The prefix distinguishes the header token from the string header that might appear as text.

A message similar to the following indicates that you do not have enough privilege to use the praudit command.

praudit: Can't assign 20090408164827.20090408171614.sys1.1 to stdin.

Run the praudit command in a profile shell. You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.