audselect(1M) DG/UX B2 Security R4.12MU02 audselect(1M)
NAME
audselect - select audit records from audit trails
SYNOPSIS
audselect [-s {spec_file_name | -}]
[-fdv]
[-c | -C]
[-o {out_trail_file | -}]
[in_trail_file . . .]
where:
spec_file_name The pathname of the file containing the selection
criteria
out_trail_file The pathname of the file where the selected audit
records are to be written
in_trail_file The pathname of an audit trail file
DESCRIPTION
The audselect command selects audit records from the input audit
trail files and writes them to the specified output file. The
selection criteria (see below for format) are taken from
spec_file_name if the -s option is specified. The selected records
are written to out_trail_file if the -o option is specified,
otherwise the selected records are written to standard output. The
input is taken from the specified input trail files given, otherwise
the input is taken from the currently active trail file if there is
one, regardless of whether or not auditing is currently turned on.
audselect can only be run by an administrator with appropriate
privilege.
The default if no options are given is:
audselect -s - -o - -c
where "-" equals the standard input or standard output,
respectively
Options
-s Tell audselect where to get the selection criteria, either
from a file or standard input (specified by using a "-"). If
the selection criteria are to be taken from standard input and
standard input is a terminal device, audselect will write the
following prompt to standard output: Enter selection
criteria:
If you omit the -s option, audselect writes the contents of
the specified input audit trail files to the output file.
This is useful if you want to use audselect with the -f and/or
-C options to follow the specified trail files writing them to
a backup device.
-f Specify that the trail file links of the specified input files
are followed. (When auditing is on and a switch is made from
one trail file to another, that fact is recorded in both trail
files, "linking" them.) As an example, if a linked audit
trail file list started with trail1 and continued sequentially
through trail10, and if the option -f were specified and
in_trail_file was trail4, audselect would process the files:
trail4, trail5, trail6, trail7, trail8, trail9 and trail10.
This option is affected by the -d option. If a linked audit
trail file list started with trail1 then trail2 and back to
trail1 (appended to the end of the previous data), the -d
option must be used with the -f option. With both the -f and
-d options, audselect would process all of the trail1 file,
then all of the trail2 file and stop; other references to
trail1 or trail2 would be duplicates and would not be
processed. Without the -d option, audselect would loop
infinitely between trail1 and trail2.
-d Look for duplicate files in the specified audit trail files.
This can occur if the -f option is specified and a trail file
given on the command line also appears in the linked trail
file list of one of the input trail files. (Of course, it can
also occur if the same file name is listed twice on the
command line.) All files are guaranteed to have a unique file
identifier composed of the file's major and minor device
number and its inode number. This also works for systems with
NFS-mounted file systems because the minor device number of a
NFS-mounted file system is modified to ensure its uniqueness.
If the -d option is specified, a file is processed the first
time it is encountered and is skipped thereafter.
-o Specify where the output file is to be written. "-" specifies
that the output file is to be written to standard output. The
output file is formatted as an audit trail file. The output
file contains information to indicate that it was created by
audselect and is not an original trail file.
-v The -v option places audselect in verbose mode. In verbose
mode, audselect writes status information to standard error.
This information includes:
· Trail file names processed
· Duplicate trail files skipped
· The total number of records processed and the total
number selected.
The statistics produced by the -v option only include audit
event audit records, and do not include non-event audit
records such as header, trailer and select audit records.
-c Use the current audit trail file (as known by the audit
system) as input. If other input trail files are specified,
then those are processed first and the current audit trail
file is processed last. This option cannot be specified if
the -C option is also specified.
-C Do the same as the -c option, except continue to process the
current audit trail file as additional records are added to
it. audselect will terminate normally upon receipt of an
interrupt key from the keyboard, or upon receipt of a sigterm
(kill -15) interrupt or if auditing is stopped.
If an audit trail switch occurs while the current audit trail
is being operated upon by audselect with the -C option,
audselect will also switch to the new audit trail file.
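The -f and -d behaviour above (following the trail-switch links, and keying duplicate detection on the file identifier of major device, minor device and inode rather than on the file name) can be modelled in a few lines. The block below is an added example, not DG/UX code: the trail files are constructed in-memory stand-ins, and the guard that turns the "loop infinitely" case into an exception is this example's own.

```python
"""Simulation of how audselect -f and -d walk linked audit trail files (added
example, not DG/UX code). The trail files are constructed in-memory stand-ins."""
from collections import namedtuple

# A trail file as modelled here: its unique identifier (major device number,
# minor device number, inode) and the name of the trail it was switched to, or None.
Trail = namedtuple("Trail", "ident next_name")


class WouldLoopForever(Exception):
    """Link following revisited a file while duplicate checking (-d) was off."""


def trail_order(in_trail_files, trails, follow=False, dedupe=False, max_files=1000):
    """Return (names processed in order, names that could not be opened).

    in_trail_files: the command-line arguments, in order
    trails:         name -> Trail, the constructed file system
    follow:         -f, keep reading along the link recorded at each trail switch
    dedupe:         -d, process each file identifier the first time only
    max_files:      guard so a cycle without -d raises instead of looping forever
    """
    order, missing, seen = [], [], set()
    for name in in_trail_files:
        cur = name
        while cur is not None:
            if cur not in trails:
                missing.append(cur)  # audselect reports it and carries on with the next argument
                break
            ident = trails[cur].ident
            if ident in seen:
                if dedupe:
                    break  # -d: processed the first time it was seen, skipped thereafter
                if len(order) >= max_files:
                    raise WouldLoopForever(f"{cur} revisited without -d after {len(order)} files")
            seen.add(ident)
            order.append(cur)
            cur = trails[cur].next_name if follow else None
    return order, missing


def sequential_trails(count):
    """trail1 -> trail2 -> ... -> trailN, each a distinct inode on device (8, 1)."""
    return {f"trail{i}": Trail((8, 1, 1000 + i), f"trail{i + 1}" if i < count else None)
            for i in range(1, count + 1)}


# Constructed layouts matching the -f / -d discussion in the manual page.
SEQUENTIAL = sequential_trails(10)
CYCLIC = {"trail1": Trail((8, 1, 2001), "trail2"),  # trail1 -> trail2 -> back to trail1
          "trail2": Trail((8, 1, 2002), "trail1")}
# The same inode reachable under two names: -d keys on the identifier, not the name.
ALIASED = {"trail3": Trail((8, 1, 3003), None), "backup/trail3": Trail((8, 1, 3003), None)}

if __name__ == "__main__":
    print(trail_order(["trail4"], SEQUENTIAL, follow=True))
    print(trail_order(["trail1"], CYCLIC, follow=True, dedupe=True))
```

Running `trail_order(["trail1"], CYCLIC, follow=True)` without `dedupe=True` is the configuration the manual warns about; the real command would never return, which is why the simulation caps the walk and raises instead.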
Format of Selection Criteria
The selection criteria are composed of individual audit record field
selection specifiers separated by or modified by logical operators.
The valid logical operators are:
& Both "conditions" must be true.
| Either "condition" may be true.
~ Logically negate the result of the "condition".
A "condition" is a logical result (TRUE or FALSE) of the evaluation
of a group of (possibly modified) selectors. Selectors are grouped
together with & for the AND operation and | for the OR operation. A
~ before a selector inverts the logical value of the selector's
evaluation. A selector group is started with a ( and terminated by a
). Selectors are delimited by a space, by a selector logical
operator, or by a parenthesis (i.e., by " ", "&", "|", "~", "(" or
")"). Control characters and white space are ignored. A comment is
started by a number sign (#) and is terminated by a new-line
character.
An example of the use of the selection criteria operators is:
(sel 1 & ~(sel 2 | sel 3)) | #comment
(sel 1 & sel 2 & (sel 5 | ~sel 6))
A selector is composed of a keyword, an equal sign (=), and a value
set (KEYWORD=valueset).
In general, a value set is a semicolon-separated list of values and
ranges. To specify the list which includes 1, 3, 4, 5, 6, 7, 10, 13,
14, 15, 16, and 17, the value set could be encoded as:
1;3-7;10;13-17
The following keywords and associated value sets are currently
defined for the system. Keywords must be uppercase. Except where
excluded, a list includes both single and range entries.
Keyword Comments
EVENT A list of event numbers or event names. If event numbers
are used, 10,000 must be added to the event numbers as
listed in the audit_event_defs(4M) file for kernel events.
Command event numbers are as listed in audit_event_defs(4M).
CLASS A list of class numbers or of class names.
REASON A list of reason numbers or reason names.
TIME A time range, where the time format is the same as the
format used in the date(1) command: [mmdd] HHMM |
mmddHHMM[cc]yy. The time range is specified as time-time.
PATH A list of file pathnames. Any audit record for which the
given pathname is a substring of the pathname in the record
will be selected. For example, PATH=sbin will select
records with /sbin, /usr/sbin, ../../sbin, etc. Pathname
ranges have no meaning and are not accepted. Wildcards are
not accepted.
AUTHID A list of user IDs or user names matched against the audit
record AUID.
PID A list of process IDs.
REALUID A list of user ids matched against the real UID.
EFFUID A list of user ids matched against the effective UID.
REALGID A list of group ids matched against the real GIDs.
EFFGID A list of group ids matched against the effective GIDs.
EXAMPLES
An example of using a selection criteria file to select all failed
login attempts from the current trail file and writing them to
standard output in a human-readable form follows:
audselect -s select.bad_logins | audprint
Where the file select.bad_logins contains the text:
(CLASS=AUTHCMD & ~REASON=S & ~REASON=PS & ~REASON=CS)
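The selection-criteria language described under "Format of Selection Criteria", the keyword table, and the select.bad_logins file above can be exercised with the small parser and evaluator below. It is an added example, not DG/UX code: the alias table standing in for audit_mask_defs(4M) and the audit records are constructed, TIME is not implemented, the 10,000 offset for kernel EVENT numbers is not applied, and it assumes & binds tighter than |, which the manual page does not state.

```python
"""Parser and evaluator for audselect-style selection criteria (added example, not
DG/UX code). The alias table and records are constructed; see audit_mask_defs(4M)."""
import re

# Constructed stand-in for /etc/tcb/audit/audit_mask_defs: alias name -> number.
ALIASES = {"CLASS": {"AUTHCMD": 5, "FILEACC": 1},
           "REASON": {"S": 0, "PS": 1, "CS": 2, "DENIED": 13}}
SUBSTRING_KEYWORDS = {"PATH"}  # substring match only: no ranges, no wildcards
# comment | white space or control characters | operator | KEYWORD=valueset
TOKEN_RE = re.compile(r"#[^\n]*|[\s\x00-\x1f]+|[()&|~]|[A-Z]+=[^\s\x00-\x1f()&|~]+")

def tokenize(text):
    """Split criteria into operator and selector tokens; comments and white space go."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:  # e.g. a lowercase keyword: keywords must be uppercase
            raise ValueError(f"cannot read selector at offset {pos}: {text[pos:pos + 12]!r}")
        if m.group()[0] in "()&|~" or m.group()[0].isupper():
            tokens.append(m.group())
        pos = m.end()
    return tokens

def parse_value_set(keyword, text):
    """'1;3-7;10;13-17' -> [(1, 1), (3, 7), (10, 10), (13, 17)]; PATH keeps strings."""
    if keyword in SUBSTRING_KEYWORDS:
        return [v for v in text.split(";") if v]
    # A decimal stays a number; anything else must be an alias name (KeyError otherwise).
    num = lambda v: int(v) if v.isdigit() else ALIASES[keyword][v]
    return [(num(lo), num(hi if dash else lo))
            for lo, dash, hi in (p.partition("-") for p in text.split(";") if p)]

class Parser:
    """expr := term ('|' term)*   term := factor ('&' factor)*
    factor := '~' factor | '(' expr ')' | selector   ('&' over '|' is assumed)"""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def parse(self):
        if not self.tokens:
            raise ValueError("selection criteria are empty")  # audselect exits 3 here
        node = self.expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected {self.peek()!r} after end of criteria")
        return node
    def chain(self, op, tag, sub):  # sub (op sub)*, left-associative
        node = sub()
        while self.peek() == op:
            self.pos += 1
            node = (tag, node, sub())
        return node
    def expr(self):
        return self.chain("|", "or", self.term)
    def term(self):
        return self.chain("&", "and", self.factor)
    def factor(self):
        tok, self.pos = self.peek(), self.pos + 1
        if tok == "~":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.pos += 1
            return node
        if tok is None or tok in ")&|":
            raise ValueError(f"expected a selector, found {tok!r}")
        keyword, _, values = tok.partition("=")
        return ("sel", keyword, parse_value_set(keyword, values))

def evaluate(node, record):
    """Apply a parsed criteria tree to one audit record (a dict keyed by keyword)."""
    kind = node[0]
    if kind == "not":
        return not evaluate(node[1], record)
    if kind in ("or", "and"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left or right) if kind == "or" else (left and right)
    keyword, values = node[1], node[2]
    field = record.get(keyword)
    if field is None:
        return False
    if keyword in SUBSTRING_KEYWORDS:
        return any(v in field for v in values)
    members = field if isinstance(field, tuple) else (field,)  # a record may carry several GIDs
    return any(lo <= m <= hi for m in members for lo, hi in values)

def select(criteria, records):
    """The audselect core: keep the records for which the criteria evaluate TRUE."""
    tree = Parser(tokenize(criteria)).parse()
    return [r for r in records if evaluate(tree, r)]

# Constructed records in the keyword vocabulary of the manual page.
SAMPLE_RECORDS = [
    {"CLASS": 5, "REASON": 0, "AUTHID": 100, "PID": 412, "PATH": "/usr/bin/login"},   # login OK
    {"CLASS": 5, "REASON": 13, "AUTHID": 101, "PID": 418, "PATH": "/usr/bin/login"},  # login denied
    {"CLASS": 1, "REASON": 13, "AUTHID": 101, "PID": 418, "PATH": "/sbin/init", "EFFGID": (0, 3)},
]
BAD_LOGINS = "(CLASS=AUTHCMD & ~REASON=S & ~REASON=PS & ~REASON=CS)"  # select.bad_logins above
```

`select(BAD_LOGINS, SAMPLE_RECORDS)` keeps only the denied login, as the pipeline into audprint in the example would; an empty or comment-only criteria file raises, mirroring the exit code 3 case in NOTES, and a lowercase keyword is rejected at tokenizing time.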
FILES
/etc/tcb/audit/audit_mask_defs File of basic aliases for classes
and reasons
/etc/tcb/audit/audit_event_defs File of aliases for events
DIAGNOSTICS
audselect writes all diagnostic and statistical messages to standard
error.
audselect exits with one of the following values:
0 audselect executed normally. This includes the case where the
-C option was specified and the process was terminated by a
keyboard interrupt, a sigterm signal, or auditing was stopped.
1 audselect could not open at least one of the input audit trail
files.
2 -c or -C was specified, and there is no current audit trail
file, and possibly audselect could not open one of the other
audit trail files.
3 audselect usage is wrong.
4 audselect could not open the output file.
SEE ALSO
audadmin(1M), audprint(1M), audit_event_defs(4M),
audit_mask_defs(4M).
NOTES
Audselect will continue to process all input audit trail files
regardless of whether any individual audit trail file could not be
found or any errors were encountered while processing an audit trail
file.
If the selection criteria are missing, that is, spec_file_name is
empty or standard input is read but is empty, audselect reports an
error, and returns exit code 3.
To force all audit records into the current audit trail that are
resident in an unfilled kernel audit buffer, use the audadmin -o
flush command.
Licensed material--property of copyright holder(s)