audit_tool(8)
NAME
audit_tool, audit_tool.ultrix - Audit log reduction tool
SYNOPSIS
/usr/sbin/audit_tool [options] auditlog_filename
/usr/sbin/audit_tool.ultrix [flags] auditlog_filename
OPTIONS
Selection Options
-/ text_string
Selects audit records with a matching text_string. The rules for
regular expression expansions do not apply to this option.
-a audit_id
Selects audit records with a matching audit ID. The default is to
select for all audit IDs.
-e event[.subevent][:success:fail]
Selects records with a matching event or event.subevent. The subevent
can be applied only to site events. Optionally select only those
records with a successful or failed return value. For example, the
option -e mount:0:1 selects for only failed mount events while -e
rdb.query:1:0 selects successful rdb events with the query subevent.
Multiple events can be specified on the command line. The default is to
select for all events, both successful and failed.
If you specify the open event, you can add a r (read) or w (write)
modifier to specify an open for read or an open for write. The syntax
is as follows: -e open.r or -e open.w
-E error
Selects records with a matching error string or error number. The
default is to select for all errors.
-g inode_id
For use with audit_tool.ultrix only. Selects records with a matching
inode identifier number. The default is to select for all inode IDs.
-G inode_dev major#,minor#
For use with audit_tool.ultrix only. Selects records with matching
inode device major and minor numbers. The default is to select for all
inode devices.
-h hostname/IP address
Selects records with a matching host name or IP address. Host names
are translated to their IP addresses by the gethostbyname() logic. The
default is to select for all host names and IP addresses.
-p pid
Selects records with a matching PID. The default is to select for all
PIDs. If the specified PID is negative, the absolute value of the PID
is selected as well as any of the PID's descendants.
-P ppid
Selects records with a matching parent PID (PPID). The default is to
select for all PPIDs.
-r ruid
Selects records with a matching real UID (RUID). The default is to
select for all RUIDs.
-s string
Selects records that contain string in a "char param" field or in the
state data file descriptor info. The default is to select for all
strings.
-t start_time
Selects records that contain a timestamp no earlier than start_time.
The timestamp format is yymmdd[hh[mm[ss]]]. The default is to select
for all timestamps. Note that the audit tool automatically converts
values of yy in the time string to the appropriate year 2000 value.
Specifically, values ranging from 70 to 99 map to 1970 (the epoch
year) through 1999, and values ranging from 00 to 69 map to 2000
through 2069.
-T end_time
Selects records that contain a timestamp no later than end_time. The
timestamp format is yymmdd[hh[mm[ss]]]. The default is to select for
all timestamps. See the year 2000 conversion description under the -t
start_time flag.
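The -t and -T timestamp syntax, with the two-digit-year pivot described above, as an added example (this is not audit_tool's code). Hour, minute and second fields that are left out are taken as zero here; that default is an assumption, since the page does not say how audit_tool fills omitted fields.

```python
from datetime import datetime
from typing import Optional

# Added example: parser for the yymmdd[hh[mm[ss]]] timestamps accepted by
# -t and -T, using the documented pivot (70-99 -> 1970-1999, 00-69 -> 2000-2069).
# Omitted hour/minute/second fields default to zero (assumption, not stated
# on the page).


def parse_audit_time(stamp: str) -> datetime:
    """Convert an audit_tool time string into a datetime."""
    if not stamp.isdigit() or len(stamp) not in (6, 8, 10, 12):
        raise ValueError(f"{stamp!r}: expected yymmdd[hh[mm[ss]]]")
    yy = int(stamp[0:2])
    year = 1900 + yy if yy >= 70 else 2000 + yy   # documented two-digit-year pivot
    month, day = int(stamp[2:4]), int(stamp[4:6])
    # Optional two-digit fields; absent fields are treated as zero (assumption).
    hour = int(stamp[6:8]) if len(stamp) >= 8 else 0
    minute = int(stamp[8:10]) if len(stamp) >= 10 else 0
    second = int(stamp[10:12]) if len(stamp) >= 12 else 0
    return datetime(year, month, day, hour, minute, second)


def in_window(record_time: datetime, start: Optional[str], end: Optional[str]) -> bool:
    """Apply the -t/-T rule: no earlier than start_time and no later than end_time.

    Either bound may be None, meaning 'select for all timestamps'.
    """
    if start is not None and record_time < parse_audit_time(start):
        return False
    if end is not None and record_time > parse_audit_time(end):
        return False
    return True


if __name__ == "__main__":
    # The window from the EXAMPLES section: 10:47 on 13 Apr 1994 to 17:30 on 20 Apr 1994.
    for ts in ("9404131046", "9404131047", "9404201730", "9404201731"):
        print(ts, in_window(parse_audit_time(ts), "9404131047", "9404201730"))
```

Both bounds are inclusive, matching the wording "no earlier than" and "no later than"; a record stamped exactly at end_time is still selected.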
-u uid
Selects audit records with a matching UID. The default is to select for
all UIDs.
-U username
Selects audit records with a matching user name. (The username is
mapped to the UID as defined in the password database.) The username is
recorded at the login event and is associated with all child processes.
If login is not audited, no username is present in the audit log.
Selecting for a username will display those records that have a
matching user name. The default is to select for all user names.
-v inode_id
Selects records with a matching inode identifier number. The default is
to select for all inode IDs.
-V inode_dev major#,minor#
Selects records with matching inode device major/minor numbers. The
default is to select for all inode devices.
-x major#,minor#
Selects audit records with matching device major and minor numbers.
The default is to select for all devices.
-y Selects records with matching process name in the "cmd name" field
(provided when the cmd_name audit style is enabled on v5 or later) or
in the state data process name field (set by the exec and exit syscall
audit events).
Control Options
-b Outputs selected records in binary format. The output is in a format
suitable for subsequent analysis by the audit_tool. The default is to
output in ASCII format.
-B Outputs selected records in an abbreviated format. Each selected event
is displayed along with its audit ID, RUID, result, error code, PID,
event name, and parameter list. For X events, the IDs displayed are
those of the X client. Suppressed information includes the user name,
PPID, device ID, current directory, inode information, symbolic name
referenced by any descriptors, IP address, and timestamp. The default
is to output in the nonabbreviated format.
-d filename
Reads deselection rules from the specified file and suppresses any
records matching any of the deselection rules. The deselection rule
sets take precedence over other selection options. Each deselection
rule is a tuple consisting of host name, audit ID, RUID, event,
pathname, and flag. The flag component is used to specify read or
write mode; it pertains only to open events.
Wildcarding and simple pattern matching are supported. For example,
consider the following lines from a deselection file:
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
alpha1 * * * /usr/spool/rwho* *
These lines indicate that any open operation for read access on any
object whose pathname starts with /usr/lib/ will not be selected, and
that on system alpha1 any operation performed on any object whose
pathname starts with /usr/spool/rwho will not be selected. (Lines
beginning with a number sign (#) are treated as comment lines.) Any field
can be replaced with an asterisk (*), which matches any value.
Pathname matching requires an exact match between strings, unless the
pathname is suffixed with an asterisk, which matches any string (so,
for example, /usr/spool/rwho* matches /usr/spool/rwho/anything).
The default is to apply no deselection rule sets. (Specifying the -D
option instead of -d will additionally print the deselection rulesets
to be applied).
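The deselection-rule semantics just described (six-field tuples, asterisk wildcards, exact pathname match unless the pattern ends in an asterisk, any matching rule suppresses the record), as an added example that is not audit_tool's own code. The rule file is the one quoted above; the AuditRecord layout and the sample records are constructed stand-ins for the fields a rule is matched against.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Added example: the -d deselection-rule matching described on the page.
# Not audit_tool's code; AuditRecord is a constructed stand-in for the
# fields a rule is compared against.

Rule = Tuple[str, str, str, str, str, str]   # HOST, AUID, RUID, EVENT, PATHNAME, FLAG


@dataclass
class AuditRecord:
    host: str
    auid: str
    ruid: str
    event: str
    pathname: str
    flag: str = ""      # 'r' or 'w' for open events, empty otherwise


def parse_deselection_file(text: str) -> List[Rule]:
    """Read rules: six whitespace-separated fields per line; '#' lines are comments."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(tuple(fields))  # type: ignore[arg-type]
    return rules


def field_matches(pattern: str, value: str) -> bool:
    """Non-pathname fields: '*' matches anything, otherwise exact match."""
    return pattern == "*" or pattern == value


def path_matches(pattern: str, path: str) -> bool:
    """Pathnames match exactly unless the pattern ends in '*', which is a prefix match."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return pattern == path


def is_deselected(rec: AuditRecord, rules: List[Rule]) -> bool:
    """A record is suppressed if any rule matches all six of its fields."""
    for host, auid, ruid, event, pathname, flag in rules:
        if (field_matches(host, rec.host) and field_matches(auid, rec.auid)
                and field_matches(ruid, rec.ruid) and field_matches(event, rec.event)
                and path_matches(pathname, rec.pathname) and field_matches(flag, rec.flag)):
            return True
    return False


def surviving_records(records: List[AuditRecord], rules: List[Rule]) -> List[AuditRecord]:
    """Records left after deselection; the remaining selection options apply to these."""
    return [r for r in records if not is_deselected(r, rules)]


# The two rules quoted on the page.
DESELECT_FILE = """\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
* * * open /usr/lib/* r
alpha1 * * * /usr/spool/rwho* *
"""

# Constructed records exercising each clause of the rules.
SAMPLE_RECORDS = [
    AuditRecord("alpha2", "1123", "0", "open", "/usr/lib/libc.so", "r"),      # rule 1: suppressed
    AuditRecord("alpha2", "1123", "0", "open", "/usr/lib/libc.so", "w"),      # open for write: kept
    AuditRecord("alpha1", "1123", "0", "unlink", "/usr/spool/rwho/whod.x"),   # rule 2: suppressed
    AuditRecord("alpha2", "1123", "0", "unlink", "/usr/spool/rwho/whod.x"),   # other host: kept
    AuditRecord("alpha1", "1123", "0", "open", "/usr/lib", "r"),              # not under /usr/lib/: kept
]


if __name__ == "__main__":
    rules = parse_deselection_file(DESELECT_FILE)
    for r in SAMPLE_RECORDS:
        state = "deselected" if is_deselected(r, rules) else "selected"
        print(f"{state:10} {r.host} {r.event} {r.pathname} {r.flag}")
```

The fifth record shows the exact-match rule: /usr/lib itself is not matched by /usr/lib/*, because the prefix being tested is /usr/lib/ with the trailing slash.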
-D Prints the deselection rules from the specified file.
-f Causes the audit_tool not to quit at an end-of-file, but to continue
attempting to read data. This is useful for reviewing audit log data
as it is being written by the audit daemon. (For SMP systems, audit
data should be sorted first because descriptor translation, the login
name, the current directory, and the root directory all rely on state
information maintained by the audit_tool).
-F Sets the fast mode. If you are not interested in seeing the
state-dependent data, you can use this option to improve performance.
-i Enter interactive selection mode to specify options. Interactive mode
can also be entered by pressing CTRL/C at any time, then specifying no
to the exit prompt. Once in interactive mode, individual options are
selected. Press Return to accept the current setting (or default);
enter an asterisk (*) to change the current setting back to the
default. The default, unless otherwise stated, is to select every audit
record.
-I Inhibits the conversion of IP addresses to host names (via DNS lookup).
-O delimiter[:<tab>],time_fmt[:%m/%d/%y %H%M%S],time,cpu,seq,len,
usec,usec10,username,userid,pid,ppid,tid,comm,res,event,host,net
Output data in a delimiter-separated record. This format is compatible
with most spreadsheet applications. The data specifiers are separated
by commas, and are:
· delimiter[:<tab>] - specifies the field delimiter character. The default
is a tab-separated field in the output record. If this option is not
specified, data is output in fixed-width columns.
· cpu - cpu number
· seq - audit event sequence number. unique to the cpu for that boot
session
· len - audit event record length
· usec - offset from start of log in microseconds (hex)
· usec10 - offset from start of log in microseconds (decimal)
· time - audit event timestamp in the format specified by time_fmt
· time_fmt[:%m/%d/%y %H%M%S] - default time format is mm/dd/yy
hh:mm:ss, refer to strftime for time_fmt options
· username - user name associated with the audit UID
· userid - includes the audit UID, real UID, and effective UID
· pid - process id
· ppid - parent process id
· res - result of operation
· tid - thread ID. The thread ID (tid) is recorded if the AUDIT_USR
control flag is enabled. Processes being traced using auditmask -E
have their thread ID recorded
· event - audit event, and event information
· host - host id on which audit event was generated
· net - network connection information (local address, remote
address)
-o Whenever the audit daemon switches audit logs, an audit_log_change
event is generated. If that event did result in an audit log change
(that is, it was an event that occurred on the local system), the
audit_tool normally attempts to find and process the succeeding audit
log. This is possible, however, only if the audit log is maintained
locally. The -o option tells the audit_tool not to process succeeding
audit logs.
-Q Suppresses the progress messages.
-R [name]
Generates an ASCII report for each audit ID found in the selected
events. If name is a directory, the reports are placed in the
directory with the report.audit_id file name format. Otherwise, the
reports are placed in a file called name.audit_id. Each report consists
of selected events for the associated audit ID.
-S Performs a sort (by time) on the audit log. The sort performed is an
inter-CPU sort only (for any specific CPU, data may be nonsequential
for events such as fork and vfork; this information does not need to be
sorted for proper operation of the reduction tool). This option is
useful only for data collected on an SMP system.
-w Display the name associated with UIDs and GIDs using the getpw*() and
getgr* routines. This is done only if the audit_tool has no name for
the UID or GID. The name is sent to output within parentheses.
-Z Displays the frequency count for the selected events.
DESCRIPTION
The audit_tool command, or audit reduction tool, displays selected portions
of the collected audit data. If no arguments are provided, a brief help
message is displayed. The audit log file may be compressed or
uncompressed.
Options are used to select specific audit records of interest. For a
record to be selected, it must match at least one option of each option
type specified. For example, if two user names and one host name were
specified, an audit record to be selected would have to match one of the
user names and the host name. Only one start and end time may be selected.
Only one deselection rules file may be selected. It is possible to select
as many events as exist on the system. For all other option types, up to
eight instances may be selected.
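The selection rule stated above (values of one option type are alternatives, different option types must all match, events carry the optional :success:fail filter, and every type other than events accepts at most eight instances), as an added example rather than audit_tool's own code. The AuditRecord layout and sample records are constructed; the criteria mirror the page's first EXAMPLES command.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example: the selection semantics from the DESCRIPTION, not
# audit_tool's code. Options of one type are ORed, option types are ANDed,
# -e specs may carry :success:fail, and non-event types are capped at eight.
# AuditRecord is a constructed stand-in for the record fields.

MAX_INSTANCES = 8


@dataclass
class AuditRecord:
    event: str        # event or event.subevent, e.g. "mount", "rdb.query"
    success: bool
    auid: int
    ruid: int
    pid: int
    host: str
    username: str


def parse_event_spec(spec: str) -> Tuple[str, bool, bool]:
    """Parse event[.subevent][:success:fail] into (name, want_success, want_fail)."""
    name, sep, rest = spec.partition(":")
    if not sep:
        return name, True, True          # no filter: both outcomes selected
    s, sep2, f = rest.partition(":")
    if not sep2 or s not in ("0", "1") or f not in ("0", "1"):
        raise ValueError(f"{spec!r}: expected event[.subevent][:success:fail]")
    return name, s == "1", f == "1"


def event_matches(rec: AuditRecord, spec: str) -> bool:
    name, want_success, want_fail = parse_event_spec(spec)
    if rec.event != name:
        return False
    return want_success if rec.success else want_fail


def select_records(records: List[AuditRecord],
                   criteria: Dict[str, List[str]]) -> List[AuditRecord]:
    """criteria maps an option type ('event', 'auid', 'ruid', 'pid', 'host',
    'user') to the values given for it; an absent type selects everything."""
    for opt, values in criteria.items():
        if opt != "event" and len(values) > MAX_INSTANCES:
            raise ValueError(f"{opt}: at most {MAX_INSTANCES} instances may be selected")

    def matches(rec: AuditRecord) -> bool:
        for opt, values in criteria.items():
            if opt == "event":
                ok = any(event_matches(rec, v) for v in values)
            elif opt == "auid":
                ok = any(rec.auid == int(v) for v in values)
            elif opt == "ruid":
                ok = any(rec.ruid == int(v) for v in values)
            elif opt == "pid":
                ok = any(rec.pid == int(v) for v in values)
            elif opt == "host":
                ok = any(rec.host == v for v in values)
            elif opt == "user":
                ok = any(rec.username == v for v in values)
            else:
                raise ValueError(f"unknown option type {opt!r}")
            if not ok:
                return False             # every specified type must match
        return True

    return [r for r in records if matches(r)]


# Constructed records. EXAMPLE_CRITERIA corresponds to the page's
# audit_tool -e login -e open -e exec -h alpha1 -a 1123 example.
SAMPLE_RECORDS = [
    AuditRecord("login", True, 1123, 1123, 400, "alpha1", "jdoe"),
    AuditRecord("open", True, 1123, 1123, 401, "alpha1", "jdoe"),
    AuditRecord("open", False, 1123, 1123, 401, "alpha1", "jdoe"),
    AuditRecord("exec", True, 1123, 1123, 402, "alpha2", "jdoe"),    # wrong host
    AuditRecord("exec", True, 2001, 2001, 500, "alpha1", "root"),    # wrong audit ID
    AuditRecord("mount", False, 1123, 0, 403, "alpha1", "jdoe"),     # event not requested
]

EXAMPLE_CRITERIA = {"event": ["login", "open", "exec"], "host": ["alpha1"], "auid": ["1123"]}


if __name__ == "__main__":
    for r in select_records(SAMPLE_RECORDS, EXAMPLE_CRITERIA):
        print(r.event, "ok" if r.success else "failed", r.pid)
    # -e mount:0:1 keeps only the failed mount event
    print(len(select_records(SAMPLE_RECORDS, {"event": ["mount:0:1"]})))
```

Events are the one type without the eight-instance cap, which is why the check in select_records skips them; the page states that as many events as exist on the system may be selected.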
The audit reduction tool generates audit log header files, suffixed with
.hdr, when it completes processing of an auditlog file. If the -o option
is used, no audit log header file is generated. This header file contains
the time range in which the audited operations occurred, so searching for
events by time requires only those audit logs that were actually written
into during that time to be processed. The header file also contains the
sort status of the audit log, so previously sorted logs do not get sorted
more than once, and also state-relevant data from previous logs.
The output from audit_tool is written to stdout. Informational messages,
such as (100000 records processed...) are written to stderr.
The audit_tool.ultrix program is used to display audit reports from audit
data collected on ULTRIX systems. With the exception of the -g and -G
options (equivalent to the -v and -V options for audit_tool),
audit_tool.ultrix is the same as audit_tool.
RESTRICTIONS
The audit reduction tool maintains the state of each process in order to
translate descriptors back to pathnames, as well as to provide a current
working directory, root, and user name. To avoid running out of memory for
state-dependent data, the exit system call should be an audited event. The
call to exit releases the memory used to hold the state of the process.
Alternatively, the logout events release the memory used to hold the state
of all the session's processes. If state-relevant data is not important for
your auditing requirements, exit need not be audited and the -F flag to
audit_tool can be used to improve performance.
In order to provide the current working directory, the chdir system call
should be an audited event. In order to provide the current root (if not
the root (/) directory), the chroot system call should be an audited event.
In order to provide the user name, login should be an audited event.
If audit_tool runs out of memory, it will not be able to store further
state-dependent data (as previously described). If this occurs, the
following warning is displayed:
warning: state_maint_{add,open,path_change}: no more mem; ...
Audit events which affect the state data include : login, logout, open,
old_open, close, dup, fcntl, dup2, chdir, chroot, fchdir, bind, connect,
accept, naccept, socket, execv, execve, exec_with_loader, proplist_syscall,
audit_suspend, audit_log_creat, audit_log_overwrite, audit_shutdown,
audit_xmit_fail.
All state-dependent information current at the time of an audit log change
is maintained in the header file. This allows subsequent scans of a
specific audit log to not have any dependencies on previous audit logs.
See Security for further discussion of state-dependent information.
EXAMPLES
The following example selects all login, open and exec events performed on
system alpha1 by any process with audit ID 1123:
# audit_tool -e login -e open -e exec -h alpha1 -a 1123 auditlog.000
The following example applies deselection file deselect to auditlog.000 and
selects for events between 10:47 a.m. on April 13, 1994 and 5:30 p.m. on
April 20, 1994:
# audit_tool -d deselect -t 9404131047 -T 9404201730 auditlog.000
The following example outputs a tab-delimited record containing the audit
event timestamp, the event information, the network connection information
(if applicable to the event), and the ID of the host that generated the
audit event:
# audit_tool -O time,event,host,net,delimiter auditlog.000
SEE ALSO
Commands: auditd(8), auditmask(8), auditconfig(8)
Security