        audit_tool, audit_tool.ultrix - Audit log reduction tool

        /usr/sbin/audit_tool [options] auditlog_filename
        /usr/sbin/audit_tool.ultrix [flags] auditlog_filename
    Selection Options
        Selects audit records with a matching text_string. The rules
        for regular expression expansions do not apply to this option.

        Selects audit records with a matching audit ID. The default is
        to select for all audit IDs.

        Selects records with a matching event or event.subevent. The
        subevent can be applied only to site events. Optionally select
        only those records with a successful or failed return value.
        For example, the option -e mount:0:1 selects for only failed
        mount events, while -e rdb.query:1:0 selects successful rdb
        events with the query subevent. Multiple events can be
        specified on the command line. The default is to select for
        all events, both successful and failed.

               If you specify the open event, you can add an r (read)
               or w (write) modifier to specify an open for read or an
               open for write. The syntax is as follows:

               -e open.r or -e open.w

        Selects records with a matching error string or error number.
        The default is to select for all errors.

        For use with audit_tool.ultrix only. Selects records with a
        matching inode identifier number. The default is to select for
        all inode IDs.

        For use with audit_tool.ultrix only. Selects records with
        matching inode device major and minor numbers. The default is
        to select for all inode devices.

        Selects records with a matching host name or IP address. Host
        names are translated to their IP addresses by the
        gethostbyname() logic. The default is to select for all host
        names and IP addresses.

        Selects records with a matching PID. The default is to select
        for all PIDs. If the specified PID is negative, the absolute
        value of the PID is selected as well as any of the PID's
        descendants.

        Selects records with a matching parent PID (PPID). The default
        is to select for all PPIDs.

        Selects records with a matching real UID (RUID). The default is
        to select for all RUIDs.

        Selects records that contain string in a "char param" field or
        in the state data file descriptor info. The default is to
        select for all strings.

        Selects records that contain a timestamp no earlier than
        start_time. The timestamp format is yymmdd[hh[mm[ss]]]. The
        default is to select for all timestamps. Note that the audit
        tool automatically converts values of yy in the time string to
        the appropriate year 2000 value. Specifically, values ranging
        from 70 to 99 map to 1970 (the epoch year) through 1999, and
        values ranging from 00 to 69 map to 2000 through 2069.

        Selects records that contain a timestamp no later than
        start_time. The timestamp format is yymmdd[hh[mm[ss]]]. The
        default is to select for all timestamps. See the year 2000
        conversion description in the -t start_time flag.

        Selects audit records with a matching UID. The default is to
        select for all UIDs.

        Selects audit records with a matching user name. (The username
        is mapped to the UID as defined in the password database.) The
        username is recorded at the login event and is associated with
        all child processes. If login is not audited, no username is
        present in the audit log. Selecting for a username will display
        those records that have a matching user name. The default is to
        select for all user names.

        Selects records with a matching inode identifier number. The
        default is to select for all inode IDs.

        Selects records with matching inode device major/minor numbers.
        The default is to select for all inode devices.

        Selects audit records with matching device major and minor
        numbers. The default is to select for all devices.

        Selects records with a matching process name in the "cmd name"
        field (provided when the cmd_name audit style is enabled on v5
        or later) or in the state data process name field (set by the
        exec and exit syscall audit events).
    Control Options
        Causes the audit_tool to use path for the archive/recovery
        directory containing archived auditlogs. This overrides the
        directory specified in the audit log, which by default is
        /var/audit.

               When you use this option, you must also specify the
               full path name of the first audit log you want to
               read:

               # audit_tool -. ./audit/newdir -e login ./audit/newdir/auditlog.jan

        Outputs selected records in binary format. The output is in a
        format suitable for subsequent analysis by the audit_tool. The
        default is to output in ASCII format.

        Outputs selected records in an abbreviated format. Each
        selected event is displayed along with its audit ID, RUID,
        result, error code, PID, event name, and parameter list. For X
        events, the IDs displayed are those of the X client. Suppressed
        information includes the user name, PPID, device ID, current
        directory, inode information, symbolic name referenced by any
        descriptors, IP address, and timestamp. The default is to
        output in the nonabbreviated format.

        Reads deselection rules from the specified file and suppresses
        any records matching any of the deselection rules. The
        deselection rule sets take precedence over other selection
        options. Each deselection rule is a tuple consisting of host
        name, audit ID, RUID, event, pathname, and flag. The flag
        component is used to specify read or write mode; it pertains
        only to open events. Wildcarding and simple pattern matching
        are supported. For example, consider the following lines from
        a deselection file:

               # HOST, AUID, RUID, EVENT, PATHNAME, FLAG
               *      *     *     open   /usr/lib/*        r
               alpha1 *     *     *      /usr/spool/rwho*  *

        These lines indicate that any open operations for read access
        on any object whose pathname starts with /usr/lib/ will not be
        selected, and on system alpha1 any operations performed on any
        object whose pathname starts with /usr/spool/rwho will not be
        selected. (Lines beginning with number signs (#) are treated as
        comment lines.) Any field can be replaced with an asterisk (*),
        which indicates a match with any value. Pathname matching
        requires an exact match between strings, unless the pathname is
        suffixed with an asterisk, which matches any string (so, for
        example, /usr/spool/rwho* matches /usr/spool/rwho/anything).
        The default is to apply no deselection rule sets. (Specifying
        the -D option instead of -d will additionally print the
        deselection rule sets to be applied.)

        Prints the deselection rules from the specified file.

        Causes the audit_tool not to quit at an end-of-file, but to
        continue attempting to read data. This is useful for reviewing
        audit log data as it is being written by the audit daemon. (For
        SMP systems, audit data should be sorted first because
        descriptor translation, the login name, the current directory,
        and the root directory all rely on state information maintained
        by the audit_tool.)
        Sets the fast mode. If you are not interested in seeing the
        state-dependent data, you can use this option to improve
        performance.

        Enter interactive selection mode to specify options.
        Interactive mode can also be entered by pressing CTRL/C at any
        time, then specifying no to the exit prompt. Once in
        interactive mode, individual options are selected. Press Return
        to accept the current setting (or default); enter an asterisk
        (*) to change the current setting back to the default. The
        default, unless otherwise stated, is to select every audit
        record.

        Inhibits the conversion of IP addresses to hostnames (via DNS
        lookup).

        Outputs data in a delimiter-separated record. This format is
        compatible with most spreadsheet applications. The data
        specifiers are separated by commas, and are:

               delimiter[:<tab>]
                      Specifies the field delimiter character. The
                      default is a tab-separated field in the output
                      record. If this specifier is not given, data is
                      output in fixed-width columns.
               cpu    CPU number.
               seq    Audit event sequence number, unique to the CPU
                      for that boot session.
               len    Audit event record length.
               usec   Offset from start of log in microseconds (hex).
               usec10 Offset from start of log in microseconds
                      (decimal).
               time   Audit event timestamp in the format specified by
                      time_fmt.
               time_fmt[:%m/%d/%y %H%M%S]
                      The default time format is mm/dd/yy hh:mm:ss;
                      refer to strftime for time_fmt options.
               username
                      Username associated with the audit UID.
               userid Include audit UID, real UID, and effective UID.
               pid    Process ID.
               ppid   Parent process ID.
               res    Result of operation.
               tid    Thread ID. The thread ID (tid) is recorded if the
                      AUDIT_USR control flag is enabled. Processes
                      being traced using auditmask -E have their
                      thread ID recorded.
               event  Audit event, and event information.
               host   Host ID on which the audit event was generated.
               net    Network connection information (local address,
                      remote address).

        Whenever the audit daemon switches audit logs, an
        audit_log_change event is generated. If that event did result
        in an audit log change (that is, it was an event that occurred
        on the local system), the audit_tool normally attempts to find
        and process the succeeding audit log. This is possible,
        however, only if the audit log is maintained locally. The -o
        option tells the audit_tool not to process succeeding audit
        logs.

        Suppresses the progress messages.

        Generates an ASCII report for each audit ID found in the
        selected events. If name is a directory, the reports are placed
        in the directory with the report.audit_id file name format.
        Otherwise, the reports are placed in a file called
        name.audit_id. Each report consists of selected events for the
        associated audit ID.

        Performs a sort (by time) on the audit log. The sort performed
        is an inter-CPU sort only (for any specific CPU, data may be
        nonsequential for events such as fork and vfork; this
        information does not need to be sorted for proper operation of
        the reduction tool). This option is useful only for data
        collected on an SMP system.

        Displays the name associated with UIDs and GIDs using the
        getpw*() and getgr*() routines. This is done only if the
        audit_tool has no name for the UID or GID. The name is sent to
        output within parentheses.

        Displays the frequency count for the selected events.
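        The deselection rule format described under Control Options
        (HOST, AUID, RUID, EVENT, PATHNAME, FLAG; an asterisk matching
        any value; a trailing asterisk on the pathname acting as a
        prefix) is small enough to reimplement, and doing so makes its
        edge cases visible. The Python below is an added example, not
        audit_tool's own code: the record field names, the reading of
        the flag field as applying only to open events, and the sample
        records are assumptions or constructed data. It parses the
        two-rule file from the text above and applies it to a
        constructed batch of records.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

Record = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    """One deselection tuple, in the page's field order."""
    host: str
    auid: str
    ruid: str
    event: str
    pathname: str
    flag: str


def parse_deselection_file(text: str) -> List[Rule]:
    """Six whitespace-separated fields per rule; '#' lines are comments."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        rules.append(Rule(*fields))
    return rules


def field_matches(pattern: str, value: object) -> bool:
    """'*' matches any value; anything else must compare equal as a string."""
    return pattern == "*" or pattern == str(value)


def pathname_matches(pattern: str, pathname: Optional[str]) -> bool:
    """Exact match, except that a trailing '*' makes the pattern a plain string
    prefix: /usr/spool/rwho* also matches /usr/spool/rwhod, not only the directory."""
    if pattern == "*":
        return True
    if pathname is None:          # record carries no pathname (e.g. login)
        return False
    if pattern.endswith("*"):
        return pathname.startswith(pattern[:-1])
    return pathname == pattern


def rule_matches(rule: Rule, rec: Record) -> bool:
    if not (field_matches(rule.host, rec["host"]) and field_matches(rule.auid, rec["auid"])
            and field_matches(rule.ruid, rec["ruid"]) and field_matches(rule.event, rec["event"])):
        return False
    if not pathname_matches(rule.pathname, rec.get("pathname")):
        return False
    # assumption: the flag pertains only to open events and is ignored otherwise
    if rec["event"] == "open" and not field_matches(rule.flag, rec.get("flag")):
        return False
    return True


def deselecting_rule(rec: Record, rules: List[Rule]) -> Optional[Rule]:
    """The first rule that suppresses this record, or None if it stays selected."""
    for rule in rules:
        if rule_matches(rule, rec):
            return rule
    return None


def apply_deselection(records: List[Record], rules: List[Rule]) -> List[Record]:
    return [r for r in records if deselecting_rule(r, rules) is None]


# The two-rule file from the man page, reproduced as constructed input
DESELECT_TEXT = """\
# HOST, AUID, RUID, EVENT, PATHNAME, FLAG
*      *     *     open   /usr/lib/*        r
alpha1 *     *     *      /usr/spool/rwho*  *
"""

# Constructed sample records (not real audit data)
SAMPLE_RECORDS: List[Record] = [
    {"seq": 1, "host": "alpha2", "auid": 1123, "ruid": 1123, "event": "open", "pathname": "/usr/lib/libc.so", "flag": "r"},
    {"seq": 2, "host": "alpha2", "auid": 1123, "ruid": 1123, "event": "open", "pathname": "/usr/lib/libc.so", "flag": "w"},
    {"seq": 3, "host": "alpha1", "auid": 7, "ruid": 7, "event": "unlink", "pathname": "/usr/spool/rwho/whod.alpha1"},
    {"seq": 4, "host": "alpha2", "auid": 7, "ruid": 7, "event": "unlink", "pathname": "/usr/spool/rwho/whod.alpha1"},
    {"seq": 5, "host": "alpha1", "auid": 7, "ruid": 7, "event": "open", "pathname": "/usr/spool/rwhod", "flag": "w"},
    {"seq": 6, "host": "alpha1", "auid": 0, "ruid": 0, "event": "login"},
]


def surviving_seqs(records: List[Record] = SAMPLE_RECORDS, text: str = DESELECT_TEXT) -> List[int]:
    """Sequence numbers of the records that are still selected after deselection."""
    return [r["seq"] for r in apply_deselection(records, parse_deselection_file(text))]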
       The audit_tool command, or audit reduction tool,  displays
       selected  portions  of  the  collected  audit data.  If no
       arguments are provided, a brief help message is displayed.
       The audit log file may be compressed or uncompressed.
       Options  are  used  to  select  specific  audit records of
       interest.   For a record to be selected, it must match  at
       least one option of each option type specified.  For example,
 if two user names and one host name  were  specified,
       an  audit record to be selected would have to match one of
       the user names and the host name.  Only one start and  end
       time  may be selected. Only one deselection rules file may
       be selected.  It is possible to select as many  events  as
       exist  on  the  system.  For all other option types, up to
       eight instances may be selected.
       The audit reduction tool generates audit log header files,
       suffixed with auditlog file.  If the -o option is used, no
       audit log header file is generated. This header file  contains
  the  time  range  in  which  the audited operations
       occurred, so searching for events by  time  requires  only
       those  audit  logs  that were actually written into during
       that time to be processed. The header file  also  contains
       the  sort  status  of  the audit log, so previously sorted
       logs do not get sorted more than once, and also state-relevant
 data from previous logs.
       The  output from audit_tool is written to stdout. Informational
 messages, such  as  (100000  records  processed...)
       are written to stderr.
       The  audit_tool.ultrix  program  is  used to display audit
       reports from audit data collected on ULTRIX systems.  With
       the  exception of the -g and -G options (equivalent to the
       -v and -V options for  audit_tool),  audit_tool.ultrix  is
       the same as audit_tool.
       The  audit reduction tool maintains the state of each process
 in order to translate descriptors back to  pathnames,
       as  well  as to provide a current working directory, root,
       and user name.  To avoid running out of memory for  statedependent
  data, the exit system call should be an audited
       event. The call to exit releases the memory used  to  hold
       the state of the process. Alternatively, the logout events
       release the memory used to hold the state of all the  sessions
  processes.  If state-relevant data is not important
       for your auditing requirements, exit need not  be  audited
       and  the -F flag to audit_tool can be used to improve performance.
       In order to provide the  current  working  directory,  the
       chdir system call should be an audited event.  In order to
       provide the current root (if not the root (/)  directory),
       the  chroot  system  call  should  be an audited event. In
       order to provide the user name, login should be an audited
       event.
       If  audit_tool  runs out of memory, it will not be able to
       store  further   state-dependent   data   (as   previously
       described).  If this occurs, the following warning is displayed:
       warning: state_maint_{add,open,path_change): no more  mem;
       ...
       Audit  events which affect the state data include : login,
       logout, open, old_open, close, dup,  fcntl,  dup2,  chdir,
       chroot,  fchdir,  bind,  connect, accept, naccept, socket,
       execv,   execve,    exec_with_loader,    proplist_syscall,
       audit_suspend,    audit_log_creat,    audit_log_overwrite,
       audit_shutdown, audit_xmit_fail.
       All state-dependent information current at the time of  an
       audit  log  change is maintained in the header file.  This
       allows subsequent scans of a specific  audit  log  to  not
       have any dependencies on previous audit logs.
       See  Security  for  further  discussion of state-dependent
       information.
       The following example selects all  login,  open  and  exec
       events  performed  on  system  alpha1  by any process with
       audit ID 1123:
       # audit_tool -e login -e open -e exec -h  alpha1  -a  1123
       auditlog.000
       The following example applies deselection file deselect to
       auditlog.000 and selects for events between 10:47 a.m.  on
       April 13, 1994 and 5:30 p.m. on April 20, 1994:
       #  audit_tool  -d  deselect  -t  9404131047  -T 9404201730
       auditlog.000
       The following example outputs a  tab  delimiter  seperated
       record containing the audit event time stamp, event information,
 network connection information (if  applicable  to
       this  event),  id  information  of host that generated the
       audit event.  # audit_tool -O time,event,host,net,delimter
       Commands: auditd(8), auditmask(8), auditconfig(8)
       Security
                                                    audit_tool(8)
[ Back ] |