Audit Commands
This section provides information about the following commands:
auditd Daemon
The following list summarizes what the auditd daemon does.
The auditd daemon opens and closes audit files in the directories that are specified in the audit_control file. The files are opened in order.
The auditd daemon loads one or more plugins. Sun provides two plugins. The /lib/security/audit_binfile.so.1 plugin writes binary audit data to a file. The /lib/security audit_syslog.so.1 plugin sends text summaries of audit records to the syslogd daemon.
The auditd daemon reads audit data from the kernel and outputs the data by using an auditd plugin.
The auditd daemon executes the audit_warn script to warn of configuration errors. The binfile.so.1 plugin executes the audit_warn script. The script, by default, sends warnings to the audit_warn email alias and to the console. The syslog.so.1 plugin does not execute the audit_warn script.
By default, when all audit directories are full, processes that generate audit records are suspended. In addition, the auditd daemon writes a message to the console and to the audit_warn email alias. At this point, only the system administrator can fix the auditing service. The administrator can log in to write audit files to offline media, delete audit files from the system, and do other cleanup tasks.
The audit policy can be reconfigured with the auditconfig command.
The auditd daemon can be started automatically when the system is brought up
to multiuser mode. Or, you can start the daemon from the command line.
When the auditd daemon is started, it calculates the amount of free space
necessary for audit files.
The auditd daemon uses the list of audit directories in the audit_control file as
possible locations for creating audit files. The daemon maintains a pointer into this
list of directories, starting with the first directory. Every time the auditd daemon
needs to create an audit file, the daemon puts the file into the
first available directory in the list. The list starts at the auditd daemon's
current pointer. You can reset the pointer to the beginning of the list
by running the audit -s command. The audit -n command instructs the daemon
to switch to a new audit file. The new file is created in
the same directory as the current file.
audit Command
The audit command controls the actions of the auditd daemon. The audit
command can do the following tasks:
Enable and disable auditing
Reset the auditd daemon
Adjust the auditing preselection mask on the local system
Write audit records to a different audit file
For a discussion of the available options, see the audit(1M) man page.
bsmrecord Command
The bsmrecord command displays the format of audit events that are defined in
the /etc/security/audit_event file. The output includes the event's audit ID, audit class,
audit flag, and the record's audit tokens in order. With no option, the
bsmrecord output displays in a terminal window. With the -h option, the output
is suitable for viewing in a browser. For examples of the use
of the bsmrecord command, see How to Display Audit Record Formats. Also, see the bsmrecord(1M) man page.
auditreduce Command
The auditreduce command summarizes audit records that are stored in binary format. The
command can merge audit records from one or more input audit files. The
command can also be used to perform a post selection of audit records.
The records remain in binary format. To merge the entire audit trail, run
this command on the audit server. The audit server is the system that
mounts all the audit file systems for the installation. For more information, see
the auditreduce(1M) man page.
The auditreduce command enables you to track all audited actions on multiple systems
from a single location. The command can read the logical combination of all
audit files as a single audit trail. You must identically configure all systems
at a site for auditing, and create servers and local directories for the
audit files. The auditreduce command ignores how the records were generated or where
the records are stored. Without options, the auditreduce command merges audit records from all
the audit files in all of the subdirectories in the audit root
directory. Typically, /etc/security/audit is the audit root directory. The auditreduce command sends the merged
results to standard output. You can also place the results into a single,
chronologically ordered output file. The file contains binary data.
The auditreduce command can also select particular types of records for analysis. The
merging functions and selecting functions of the auditreduce command are logically independent. The
auditreduce command captures data from the input files as the records are read,
before the files are merged and then written to disk.
By specifying options to the auditreduce command, you can also do the
following:
Request audit records that were generated by specified audit classes
Request audit records that were generated by one particular user
Request audit records that were generated on specific dates
With no arguments, the auditreduce command checks the subdirectories within the /etc/security/audit directory, the default
audit root directory. The command checks for a files directory in which
the start-time.end-time.hostname files reside. The auditreduce command is very useful when audit data
resides in separate directories. Figure 31-1 illustrates audit data in separate directories for different
hosts. Figure 31-2 illustrates audit data in separate directories for different audit servers.
Figure 31-1 Audit Trail Storage Sorted by Host
Figure 31-2 Audit Trail Storage Sorted by Server
If the partition for the /etc/security/audit directory is very small, you might not
store audit data in the default directory. You can pass the auditreduce command
another directory by using the -R option:
# auditreduce -R /var/audit-alt
You can also specify a particular subdirectory by using the -S option:
# auditreduce -S /var/audit-alt/host1
For other options and more examples, see the auditreduce(1M) man page.
praudit Command
The praudit command makes the binary output of the auditreduce command readable. The
praudit command reads audit records in binary format from standard input and displays
the records in a presentable format. The input can be piped from the
auditreduce command or from a single audit file. Input can also be
produced with the cat command to concatenate several files, or the tail command
for a current audit file.
The praudit command can generate four output formats. A fifth option, -l
(long), prints one audit record per line of output. The default is to
place one audit token per line of output. The -d option changes the
delimiter that is used between token fields and between tokens. The default delimiter
is a comma.
Default – The praudit command with no options displays one audit token per line. The command displays the audit event by its description, such as the ioctl(2) system call. Any value that can be displayed as text is displayed in text format. For example, a user is displayed as the user name, not as the user ID.
–r option – The raw option displays as a number any value that could be numeric. For example, a user is displayed by user ID, Internet addresses are in hexadecimal format, and modes are in octal format. The audit event is displayed as its event number, such as 158.
–s option – The short option displays the audit event by its table name, for example, AUE_IOCTL. The option displays the other tokens as the default option displays them.
–x option – The XML option displays the audit record in XML format. This option is useful as input to browsers, or as input to scripts that manipulate XML.
The XML is described by a DTD that the auditing service provides. Solaris software also provides a style sheet. The DTD and the style sheet are in the /usr/share/lib/xml directory.
In the default output format of the praudit command, each record is easily
identified as a sequence of audit tokens. Each token is presented on a
separate line. Each record begins with a header token. You could, for example,
further process the output with the awk command.
Here is the output from the praudit -l command for a header
token:
header,173,2,settppriv(2),,example1,2003-10-13 13:46:02.174 -07:00
Here is the output from the praudit -r command for the same
header token:
121,173,2,289,0x0000,192.168.86.166,1066077962,174352445
Example 31-1 Processing praudit Output With a Script
You might want to process output from the praudit command as lines of
text. For example, you might want to select records that the auditreduce
command cannot select. You can use a simple shell script to process the
output of the praudit command. The following simple example script puts one audit
record on one line, searches for a user-specified string, then returns the audit
file to its original form.
#!/bin/sh
#
## This script takes an argument of a user-specified string.
# The sed command prefixes the header tokens with Control-A
# The first tr command puts the audit tokens for one record
# onto one line while preserving the line breaks as Control-A
#
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \\
| tr '\\012\\001' '\\002\\012' \\
| grep "$1" \\ Finds the user-specified string
| tr '\\002' '\\012' Restores the original newline breaks
Note that the ^a in the script is Control-A, not the two characters
^ and a. The prefix distinguishes the header token from the string header
that might appear as text.
auditconfig Command
The auditconfig command provides a command-line interface to retrieve and set audit configuration
parameters. The auditconfig command can do the following tasks:
Display, check, and configure audit policy
Determine if auditing is turned on or turned off
Turn auditing off and turn auditing on
Manage the audit directory and the audit file
Manage the audit queue
Get and set preselection masks
Get and set audit event to audit class mappings
Get and set configuration information, such as session ID and audit ID
Configure audit characteristics for a process, a shell, and a session
Reset audit statistics
For a discussion of the command options, see the auditconfig(1M) man page.
