The default plugin, audit_binfile, creates an audit trail. The trail can contain large amounts of data. The following sections describe how to work with this data.
To display audit record definitions, use the auditrecord command. The definitions provide the audit event number, audit class, selection mask, and record format of an audit event.
$ auditrecord -options
The screen output generated by the command depends on the option that you use. Some common options are:
–p – Displays the audit record definitions of a program.
–c – Displays the audit record definitions of an audit class.
–a – Lists all audit event definitions.
–h – Generates the output in an HTML file. When you display the HTML file in a browser, use the browser's Find tool to find specific audit record definitions. See Example 33, Printing Audit Record Definitions to a File.
For more information, see the auditrecord(1M) man page.
Example 31 Displaying the Audit Record Definitions of a Program
This example displays the definitions of all audit records that are generated by the login program. Login programs include rlogin, telnet, newgrp, and the Secure Shell feature of Oracle Solaris.
$ auditrecord -p login
...
login: logout
  program     various             See login(1)
  event ID    6153                AUE_logout
  class       lo                  (0x0000000000001000)
...
newgrp
  program     newgrp              See newgrp login
  event ID    6212                AUE_newgrp_login
  class       lo                  (0x0000000000001000)
...
rlogin
  program     /usr/sbin/login     See login(1) - rlogin
  event ID    6155                AUE_rlogin
  class       lo                  (0x0000000000001000)
...
/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd   See login - ssh
  event ID    6172                AUE_ssh
  class       lo                  (0x0000000000001000)
...
telnet login
  program     /usr/sbin/login     See login(1) - telnet
  event ID    6154                AUE_telnet
  class       lo                  (0x0000000000001000)
...
Example 32 Displaying the Audit Record Definitions of an Audit Class
This example displays the definitions of all audit records in the pf class that was created in Example 15, Creating a New Audit Class.
$ auditrecord -c pf
pfexec
  system call pfexec              See execve(2) with pfexec enabled
  event ID    116                 AUE_PFEXEC
  class       pf                  (0x0100000000000000)
      header
      path                        pathname of the executable
      path                        pathname of working directory
      [privileges]                privileges if the limit or inheritable set are changed
      [privileges]                privileges if the limit or inheritable set are changed
      [process]                   process if ruid, euid, rgid or egid is changed
      exec_arguments
      [exec_environment]          output if arge policy is set
      subject
      [use_of_privilege]
      return
The use_of_privilege token is recorded whenever privilege is used. The privileges tokens are recorded if the limit or inheritable set is changed. The process token is recorded if an ID is changed. No policy option is required for these tokens to be included in the record.
Example 33 Printing Audit Record Definitions to a File
In this example, the –h option is added to put all the audit record definitions into a file in HTML format. When you display the HTML file in a browser, use the browser's Find tool to find specific audit record definitions.
$ auditrecord -ah > audit.events.html
As an administrator who is assigned the Audit Review rights profile, you can filter audit records for examination by using the auditreduce command. This command can eliminate the less interesting records as it combines the input files.
auditreduce -option argument [filename]
Some commonly used record selection options and their corresponding arguments are:
–c – Selects an audit class, where argument is an audit class such as ua.
–d – Selects all of the events on a particular date. The date format is yyyymmdd. Other date options, –b and –a, select events before and after a particular date, respectively.
–u – Selects all of the events attributable to a particular user. For this option, you specify a user name. Another user option, –e, selects all of the events attributable to an effective user ID.
–g – Selects all of the events attributable to a particular group. For this option, specify a group name.
–m – Selects all of the instances of a particular audit event, such as AUE_admin_edit.
–o – Selects by object type. Use this option to select by file, group, file owner, FMRI, PID, and other object types.
filename – The name of an audit file.
The command also accepts file selection options, which determine which files are processed and apply certain kinds of special treatment, such as writing the merged output to a named file. These options are all uppercase, as shown in the following examples. For the full list of options, see the auditreduce(1M) man page.
Example 34 Combining and Reducing Audit Files
In this example, only the login and logout records in audit files that are over a month old are retained. The example assumes that the current date is Sept 27. If you need to retrieve the complete audit trail, you could recover the trail from backup media. The –O option directs the command's output to a file whose name ends in lo.summary. Records are included if they occurred before the date specified by the –b option.
# cd /var/audit/audit_summary
# auditreduce -O lo.summary -b 20100827 -c lo; compress *lo.summary
Example 35 Copying One User's Audit Records to a Summary File
In this example, the records in the audit trail that contain the name of a particular user are merged. The –e option finds the effective user. The –u option finds the login user. The –O option directs the output to the file tamiko.
# cd /var/audit/audit_summary
# auditreduce -e tamiko -O tamiko
You can further narrow the displayed information. In this next example, the following data is filtered and printed to a file called tamikolo.
Time of user login and logout, specified by the –c option.
Date of Sept 7, 2013, specified by the –d option. The short form of the date is yyyymmdd.
User name of tamiko, specified by the –u option.
Name of system, specified by the –M (Machine) option.
# auditreduce -M system1 -O tamikolo -d 20130907 -u tamiko -c lo
Example 36 Merging Selected Records to a Single File
In this example, login and logout records for a particular day are selected from the audit trail. The records are merged into a target file. The target file is written in a file system other than the file system that contains the audit root directory.
# auditreduce -c lo -d 20130827 -O /var/audit/audit_summary/logins
# ls /var/audit/audit_summary/*logins
/var/audit/audit_summary/20130827183936.20130827232326.logins
As an administrator who is assigned the Audit Review rights profile, you can view the contents of binary audit files by using the praudit command.
# praudit options
The following options are commonly used. You can combine any of these options with the –l option to display each record on one line. For a complete list of options, see the praudit(1M) man page.
–s – Displays audit records in a short format, one token per line.
–r – Displays audit records in their raw (numeric) format, one token per line.
–x – Displays audit records in XML format, one token per line. This option is useful for further processing.
You can reformat records in the XML file to become readable in any browser by using the xsltproc tool. This tool applies stylesheet definitions to the file contents. See Example 40, Making Audit Records in XML Format Readable in a Browser.
You can also use the auditreduce and praudit commands together by piping the output of the auditreduce command into the praudit command.
You have the option to process output from the praudit command as lines of text.
Example 37 Displaying Audit Records in a Short Format
In this example, login and logout events that are extracted by the auditreduce command are displayed in short format.
# auditreduce -c lo | praudit -s
header,69,2,AUE_screenlock,,mach1,2010-10-14 08:02:56.348 -07:00
subject,jdoe,root,staff,jdoe,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
Example 38 Displaying Audit Records in Raw Format
In this example, login and logout events that are extracted by the auditreduce command are displayed in raw format.
# auditreduce -c lo | praudit -r
21,69,2,6222,0x0000,192.0.2.45,1287070091,698391050
36,26700,0,10,26700,10,856,50036632,82 0 192.0.2.45
39,0,0
47,1298
Example 39 Putting Audit Records in XML Format
In this example, the audit records are converted to XML format.
# praudit -x 20100827183214.20100827215318.logins > 20100827.logins.xml
Similarly, you can display audit records filtered by the auditreduce command in XML format.
# auditreduce -c lo | praudit -x
<record version="2" event="screenlock - unlock" host="mach1"
  iso8601="2010-10-14 08:28:11.698 -07:00">
  <subject audit-uid="jdoe" uid="root" gid="staff" ruid="jdoe" rgid="staff"
    pid="856" sid="50036632" tid="82 0 mach1"/>
  <return errval="success" retval="0"/>
  <sequence seq-num="1298"/>
</record>
The contents of the file can be operated on by a script to extract the relevant information.
Example 40 Making Audit Records in XML Format Readable in a Browser
In this example, the xsltproc tool is used to reformat records in the XML file so that they are readable in any browser. This tool applies stylesheet definitions to the file contents. To put the reformatted contents in a separate file, you would type the following:
# auditreduce -c lo | praudit -x | xsltproc - > logins.html
In a browser, the contents of logins.html would be displayed in a format similar to the following:
Audit Trail Data
File: time: 2013-11-04 12:54:28.000 -08:00
Event: login - local
time: 2013-11-04 12:54:28.418 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff
pid: 1534 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0
Event: connect to RAD
time: 2013-11-04 12:54:52.029 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: jdoe gid: staff ruid: jdoe rgid: staff
pid: 1835 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0
Event: role login
time: 2013-11-08 08:42:52.286 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root
pid: 4265 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0
Event: role logout
time: 2013-11-08 08:43:37.125 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jdoe uid: root gid: root ruid: root rgid: root
pid: 4265 sid: 3583012893 tid: 0 0 host
RETURN errval: success retval: 0
Event: login - ssh
time: 2013-12-23 12:24:37.292 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff
pid: 2002 sid: 39351741 tid: 14632 202240 host.example.com
RETURN errval: success retval: 0
Event: role login
time: 2013-12-23 12:25:07.345 -08:00 vers: 2 mod: fe host: host
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root
pid: 2023 sid: 39351741 tid: 14632 202240 host.example.com
RETURN errval: failure retval: Permission denied
Event: su
time: 2013-12-23 17:19:24.031 -08:00 vers: 2 mod: na host: host
RETURN errval: success retval: 0
Event: su logout
time: 2013-12-23 17:19:24.362 -08:00 vers: 2 mod: na host: host
RETURN errval: success retval: 0
Event: login - ssh
time: 2013-12-23 17:27:21.306 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: jsmith gid: staff ruid: jsmith rgid: staff
pid: 2583 sid: 3401970889 tid: 13861 5632 host.example.com
RETURN errval: success retval: 0
Event: role login
time: 2013-12-23 17:27:28.361 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root
pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com
RETURN errval: success retval: 0
Event: role logout
time: 2013-12-23 17:30:39.029 -08:00 vers: 2 mod: host: host
SUBJECT audit-uid: jsmith uid: root gid: root ruid: root rgid: root
pid: 2593 sid: 3401970889 tid: 13861 5632 host.example.com
RETURN errval: success retval: 0
Other events
Example 41 Displaying pfedit Records Only
You can use filters to extract and view only specific records from the audit trail. In this example, records that capture the use of the pfedit command are filtered. Suppose that the summary file is 20130827183936.20130827232326.logins. Use of the pfedit command generates the AUE_admin_edit event. Therefore, to extract pfedit records, run the following command:
# auditreduce -m AUE_admin_edit 20130827183936.20130827232326.logins | praudit
Example 42 Printing the Entire Audit Trail
With a pipe to the lp command, the output for the entire audit trail goes to the printer. For security reasons, access to that printer is restricted.
# auditreduce | praudit | lp -d example.protected.printer
Example 43 Viewing a Specific Audit File
In this example, a summary login file is examined in a terminal window.
# cd /var/audit/audit_summary/logins
# praudit 20100827183936.20100827215318.logins | more
Example 44 Processing praudit Output With a Script
In this example, you process output from the praudit command as lines of text. If, for example, you want to select records that the auditreduce command cannot select, you can use a simple shell script to process the output of the praudit command. The following sample script puts one audit record on one line, searches for a user-specified string, then restores the original line breaks. The script reads the binary audit trail on its standard input, so it is run as, for example, auditreduce -c lo | ./script string.
#!/bin/sh
#
## This script takes an argument of a user-specified string.
#  The sed command prefixes the header tokens with Control-A.
#  The first tr command puts the audit tokens for one record
#  onto one line while preserving the line breaks as Control-B.
#  grep then finds the user-specified string, and the final tr
#  restores the original newline breaks.
#
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \
  | tr '\012\001' '\002\012' \
  | grep "$1" \
  | tr '\002' '\012'
Note that the ^a in the script is Control-A, not the two characters ^ and a. The prefix distinguishes the header token from the string header that might appear as text.
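The following script is an added example and is not part of the Oracle Solaris documentation. It does in awk what the note under Example 39 and the script in Example 44 describe: it treats praudit output as lines of text, collapses each record to one line, and then selects records on fields that auditreduce cannot select on, here the return status and a mismatch between the audit-uid and the effective uid. The sample records, the function names, and the modifier value on the failed record are assumptions; the token layouts follow the praudit -s output shown in Example 37.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): collapse
# praudit -s output to one line per record and pull out the records a
# reviewer usually wants first: failed events, and events where the audited
# user ended up with a different effective uid (role login, su, pfexec).
#
# Token layouts follow the praudit -s output shown in Example 37:
#   header,bytes,version,event,modifier,host,time
#   subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
#   return,errval,retval
#
# On a live system replace sample_records with, for example:
#   auditreduce -c lo | praudit -s

# Constructed sample: three records modelled on the page's examples.
# The second is a failed role login (modifier "fe", as shown in Example 40),
# the third a successful one. The values are made up for illustration.
sample_records() {
  cat <<'EOF'
header,69,2,AUE_screenlock,,mach1,2010-10-14 08:02:56.348 -07:00
subject,jdoe,root,staff,jdoe,staff,856,50036632,82 0 mach1
return,success,0
sequence,1298
header,87,2,AUE_role_login,fe,mach1,2010-10-14 08:05:11.001 -07:00
subject,jsmith,root,root,root,root,2023,39351741,14632 202240 mach1
return,failure,Permission denied
sequence,1299
header,87,2,AUE_role_login,,mach1,2010-10-14 08:07:30.222 -07:00
subject,jsmith,root,root,root,root,2593,3401970889,13861 5632 mach1
return,success,0
sequence,1300
EOF
}

# One line per record: event|audit-uid|uid|errval|retval|time
# A record runs from its header token to the next header token, so awk can
# track record boundaries itself instead of the Control-A trick in Example 44.
summarize() {
  awk -F, '
    function flush() {
      if (event != "") print event "|" auid "|" uid "|" err "|" ret "|" when
    }
    $1 == "header"  { flush(); event = $4; when = $7; auid = uid = err = ret = "" }
    $1 == "subject" { auid = $2; uid = $3 }
    $1 == "return"  { err = $2; ret = $3 }
    END { flush() }
  '
}

# Events whose return token is not "success": one "event retval" line each.
failed_events() {
  sample_records | summarize | awk -F'|' '$4 != "success" { print $1 " " $5 }'
}

# Events where audit-uid and uid differ, i.e. the user acquired another
# identity. The audit-uid survives role assumption, which is what keeps the
# trail attributable to a person rather than to root.
identity_changes() {
  sample_records | summarize | awk -F'|' '$2 != $3 { print $1 " " $2 "->" $3 }'
}

# Run both reports when executed directly as audit_summary.sh (assumed file
# name); sourcing the file only defines the functions.
case "$0" in
  *audit_summary.sh)
    echo "== failed events"; failed_events
    echo "== identity changes"; identity_changes ;;
esac
```

With the sample above, failed_events prints "AUE_role_login Permission denied" and identity_changes prints three lines, starting with "AUE_screenlock jdoe->root". Because awk keys on the header token, the same functions work unchanged on praudit -s output of any length, and the summarize stage can be piped into sort or uniq -c for counts per event or per audit-uid.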
A message similar to the following indicates that you do not have enough privilege to use the praudit command.
praudit: Can't assign 20090408164827.20090408171614.sys1.1 to stdin.
Run the praudit command in a profile shell. You must become an administrator who is assigned the Audit Review rights profile. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.