Managing Audit Records
By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.
How to Display Audit Record Formats
To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The bsmrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.
Example 30-24 Displaying the Audit Record Formats of a Program
In this example, the format of all audit records that are generated by the login program are displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.
% bsmrecord -p login terminal login program /usr/sbin/login See login(1) /usr/dt/bin/dtlogin See dtlogin event ID 6152 AUE_login class lo (0x00001000) header subject text error message or "successful login" return login: logout program various See login(1) event ID 6153 AUE_logout … newgrp program newgrp See newgrp login event ID 6212 AUE_newgrp_login … rlogin program /usr/sbin/login See login(1) - rlogin event ID 6155 AUE_rlogin … SMC: role login program SMC server See role login event ID 6173 AUE_role_login … /usr/lib/ssh/sshd program /usr/lib/ssh/sshd See login - ssh event ID 6172 AUE_ssh … telnet login program /usr/sbin/login See login(1) - telnet event ID 6154 AUE_telnet …
Example 30-25 Displaying the Audit Record Formats of an Audit Class
In this example, the format of all audit records in the fd class are displayed.
% bsmrecord -c fd rmdir system call rmdir See rmdir(2) event ID 48 AUE_RMDIR class fd (0x00000020) header path [attribute] subject [use_of_privilege] return unlink system call unlink See unlink(2) event ID 6 AUE_UNLINK … unlinkat system call unlinkat See openat(2) event ID 286 AUE_UNLINKAT …
How to Merge Audit Files From the Audit Trail
By merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/auditserver-name/files, the auditreduce command can find the output file without your specifying the full path.
Note - This procedure applies only to binary audit records.
Example 30-26 Copying Audit Files to a Summary File
$ whoami sysadmin $ mkdir /var/audit/audit_summary.dir $ chmod 700 /var/audit/audit_summary.dir $ cd /var/audit/audit_summary.dir $ auditreduce -A -O All $ ls *All 20030827183214.20030827215318.All
$ cd /var/audit/audit_summary.dir $ auditreduce -C -O Complete $ ls *Complete 20030827183214.20030827214217.Complete
$ cd /var/audit/audit_summary.dir $ auditreduce -M example1 -O example1summ $ ls *summ 20030827183214.20030827214217.example1summ
Example 30-27 Moving Audit Files to a Summary File
The -D option to the auditreduce command deletes an audit file when you copy it to another location. In the following example, the complete audit files from one system are copied to the summary directory for later examination.
$ cd /var/audit/audit_summary.dir $ auditreduce -C -O daily_example1 -D example1 $ ls *example1 20030827183214.20030827214217.daily_example1
The audit files from the example1 system that were the input to the *daily_example1 file are removed when this command successfully completes.
How to Select Audit Events From the Audit Trail
You can filter audit records for examination. For the complete list of filtering options, see the auditreduce(1M) man page.
Example 30-28 Combining and Reducing Audit Files
The auditreduce command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup media.
# cd /var/audit/audit_summary.dir # auditreduce -O lo.summary -b 20030827 -c lo; compress *lo.summary
Example 30-29 Copying na Audit Records to a Summary File
$ whoami sysadmin $ cd /var/audit/audit_summary.dir $ auditreduce -c na -O nasumm $ ls *nasumm 20030827183214.20030827215318.nasumm
The merged nasumm audit file is time stamped with the beginning and ending date of the na records.
Example 30-30 Finding Audit Events in a Specified Audit File
You can select audit files manually to search just the named set of files. For example, you can further process the *nasumm file in the previous example to find system boot events. To do so, you would specify the file name as the final argument to the auditreduce command.
$ auditreduce -m 113 -O systemboot 20030827183214.20030827215318.nasumm 20030827183214.20030827183214.systemboot
The 20030827183214.20030827183214.systemboot file contains only system boot audit events.
Example 30-31 Copying One User's Audit Records to a Summary File
$ cd /var/audit/audit_summary.dir $ auditreduce -e tamiko -O tamiko
You can look for specific events in this file. In the following example, what time the user logged in and out on Sept 7, 2003, your time, is checked. Only those files with the user's name as the file suffix are checked. The short form of the date is yyyymmdd.
# auditreduce -M tamiko -O tamikolo -d 20030907 -u tamiko -c lo
Example 30-32 Copying Selected Records to a Single File
In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.
# auditreduce -c lo -d 20030827 -O /var/audit/audit_summary.dir/logins # ls /var/audit/audit_summary.dir/*logins /var/audit/audit_summary.dir/20030827183936.20030827232326.logins
How to View the Contents of Binary Audit Files
The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. The -x option is useful for further processing.
Example 30-33 Printing the Entire Audit Trail
With a pipe to the lp command, the output for the entire audit trail goes to the printer. The printer should have limited access.
# auditreduce | praudit | lp -d example.protected.printer
Example 30-34 Viewing a Specific Audit File
In this example, a summary login file is examined in a terminal window.
# cd /var/audit/audit_summary.dir/logins # praudit 20030827183936.20030827232326.logins | more
Example 30-35 Putting Audit Records in XML Format
In this example, the audit records are converted to XML format.
# praudit -x 20030827183214.20030827215318.logins > 20030827.logins.xml
The *xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information.
How to Clean Up a not_terminated Audit File
Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp.
Example 30-36 Cleaning Up Closed not_terminated Audit Files
In the following example, not_terminated files are found, renamed, then the originals are removed.
ls -R1t */files/* | grep not_terminated …/egret.1/20030908162220.not_terminated.egret …/egret.1/20030827215359.not_terminated.egret # cd */files/egret.1 # auditreduce -O egret 20030908162220.not_terminated.egret # ls -1t 20030908162220.not_terminated.egret Current audit file 20030827230920.20030830000909.egret Input (old) audit file 20030827215359.not_terminated.egret # rm 20030827215359.not_terminated.egret # ls -1t 20030908162220.not_terminated.egret Current audit file 20030827230920.20030830000909.egret Cleaned up audit file
The start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file.
How to Prevent Audit Trail Overflow
If your security policy requires that all audit data be saved, do the following: