audselect(1M)              C2 Trusted DG/UX 5.4.2T             audselect(1M)


NAME
       audselect - select audit records from audit trails

SYNOPSIS
       audselect  [-s {specfilename | -}]
                  [-fdv]
                  [-c]
                  [-o {outtrailfile | -}]
                  [intrailfile . . .]

   where:
       specfilename  is the pathname of the file containing the selection
                       criteria
       outtrailfile  is the pathname of the file where the selected audit
                       records are to be written
       intrailfile   is the pathname of an audit trail file

DESCRIPTION
       The audselect command selects audit records from the input audit
       trail files and writes them to the specified output file.  The
       selection criteria (see below for format) are taken from
       specfilename if the -s option is specified; otherwise they are taken
       from standard input.  The selected records are written to
       outtrailfile if the -o option is specified; otherwise the selected
       records are written to standard output.  The input is taken from the
       input trail files specified on the command line; otherwise the input
       is taken from the currently active trail file, if there is one,
       regardless of whether or not auditing is currently turned on.
       audselect can only be run by an administrator with appropriate
       privilege.

       The default if no options are given is:

            audselect -s - -o - -c

            where "-" equals the standard input or standard output,
            respectively

       Options are:

       -s {specfilename | -}
                 The -s option tells audselect where to get the selection
                 criteria, either from a file or standard input (specified
                 by using a "-").  If the -s option is omitted, audselect
                 defaults to getting the selection criteria from standard
                 input.

       -f        The -f option specifies that the trail file links of the
                 specified input files are followed.  (When auditing is on
                 and a switch is made from one trail file to another, that
                 fact is recorded in both trail files, "linking" them.)  As
                 an example, if a linked audit trail file list started with
                 trail1 and continued sequentially through trail10, and if
                 the option -f were specified and intrailfile was trail4,
                 audselect would process the files: trail4, trail5, trail6,

Licensed material--property of copyright holder(s)                         1

                 trail7, trail8, trail9 and trail10.  This option is
                 affected by the -d option.  If a linked audit trail file
                 list started with trail1, then trail2, and back to trail1
                 (appended to the end of the previous data), the -d option
                 must be used with the -f option.  With both the -f and -d
                 options, audselect would process all of the trail1 file,
                 then all of the trail2 file, and stop; further references to
                 trail1 or trail2 would be duplicates and would not be
                 processed.  Without the -d option, audselect would loop
                 infinitely between trail1 and trail2.

       -d        The -d option causes audselect to look for duplicate files
                 in the specified audit trail files.  This can occur if the
                 -f option is specified and a trail file given on the
                 command line also appears in the linked trail file list of
                 one of the input trail files.  (Of course, it can also
                 occur if the same file name is listed twice on the command
                 line.)  All files are guaranteed to have a unique file
                 identifier composed of the file's major and minor device
                 number and its inode number.  This also works for systems
                 with NFS-mounted file systems because the minor device
                 number of an NFS-mounted file system is modified to ensure
                 its uniqueness.  If the -d option is specified, a file is
                 processed the first time it is encountered and is skipped
                 thereafter.
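       As an added illustration of the -f and -d interaction described
       above (example code written for this page, not part of DG/UX or of
       audselect), the following Python emulates the input order the two
       options produce.  The trail-file layout is constructed for the
       example: a first line NEXT=path stands in for the link a real trail
       file records when auditing switches files, and file identity is the
       (major device, minor device, inode) triple the page describes, so a
       file reached under two names is still recognised as one file.  The
       names write_trail, read_trail, file_identity, walk_trails and demo
       are assumptions of this example.

```python
import os
import tempfile

# Constructed trail-file layout for this example only (not DG/UX's real
# on-disk format): an optional first line "NEXT=<path>" plays the role of the
# link recorded when auditing switches trail files; later lines stand in for
# audit records.
NEXT_PREFIX = "NEXT="

def write_trail(path, records, next_trail=None):
    with open(path, "w") as fh:
        if next_trail is not None:
            fh.write(NEXT_PREFIX + next_trail + "\n")
        fh.write("".join(rec + "\n" for rec in records))

def read_trail(path):
    """Return (next_trail_or_None, records) for a constructed trail file."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    if lines and lines[0].startswith(NEXT_PREFIX):
        return lines[0][len(NEXT_PREFIX):], lines[1:]
    return None, lines

def file_identity(path):
    """The unique file identifier the page describes: major and minor device
    number plus inode number, so two names for one file compare equal."""
    st = os.stat(path)
    return (os.major(st.st_dev), os.minor(st.st_dev), st.st_ino)

def walk_trails(start_paths, follow=False, dedupe=False, max_files=50):
    """Emulate the input order audselect would use for -f (follow links) and
    -d (skip duplicates).  Returns the trail paths processed, in order.
    max_files caps the walk that, per the page, never ends with -f but no -d."""
    processed, seen = [], set()
    for start in start_paths:
        path = start
        while path is not None and len(processed) < max_files:
            ident = file_identity(path)
            if dedupe and ident in seen:
                break               # -d: already processed once, skip it
            seen.add(ident)
            processed.append(path)
            next_trail, _records = read_trail(path)
            path = next_trail if follow else None
    return processed

def demo():
    """Build the trail1 -> trail2 -> trail1 chain from the page in a temporary
    directory and return the basenames each option combination processes."""
    with tempfile.TemporaryDirectory() as tmp:
        trail1 = os.path.join(tmp, "trail1")
        trail2 = os.path.join(tmp, "trail2")
        write_trail(trail1, ["rec-a", "rec-b"], next_trail=trail2)
        write_trail(trail2, ["rec-c"], next_trail=trail1)
        runs = {
            "no options": walk_trails([trail1]),
            "-f -d": walk_trails([trail1], follow=True, dedupe=True),
            "-f only (capped at 6)": walk_trails([trail1], follow=True, max_files=6),
            "-d, same file listed twice": walk_trails([trail1, trail1], dedupe=True),
        }
        return {name: [os.path.basename(p) for p in paths]
                for name, paths in runs.items()}

if __name__ == "__main__":
    for name, names in demo().items():
        print(f"{name:28s} {names}")
```

       Run as a script it prints the four walks: with no options only
       trail1 is read; with -f -d the walk stops after trail1 and trail2;
       with -f alone the walk alternates between the two files until the
       cap stops it (audselect itself would not stop); and with -d a file
       named twice on the command line is read once.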

       -o {outtrailfile | -}
                 The -o option specifies where the output file is to be
                 written.  "-" specifies that the output file is to be
                 written to standard output.  The output file is formatted
                 as an audit trail file.  The output file contains
                 information to indicate that it was created by audselect
                 and is not an original trail file.

       -v        The -v option places audselect in verbose mode.  In verbose
                 mode, audselect writes status information to standard
                 error.  This information includes:

                 -   the trail file names processed;

                 -   the duplicate trail files skipped;

                 -   the total number of records processed and the total
                     number selected.

                 The statistics produced by the -v option only include audit
                 event audit records, and do not include non-event audit
                 records such as header, trailer and select audit records.

       -c        The -c option specifies that audselect is to use the
                 current audit trail file (as known by the audit system) as
                 input.  If other input trail files are specified, then
                 those are processed first and the current audit trail file
                 is processed last.

FORMAT OF SELECTION CRITERIA
       The selection criteria are composed of individual audit record field
       selection specifiers, separated by, or modified by, logical
       operators.  The valid logical operators are:

            &    Both "conditions" must be true.

            |    Either "condition" may be true.

            ~    Logically negate the result of the "condition".

       A "condition" is the logical result (TRUE or FALSE) of evaluating a
       group of (possibly modified) selectors.  Selectors are grouped
       together with "&" for the AND operation and "|" for the OR operation.
       A "~" before a selector inverts the logical value of the selector's
       evaluation.  A selector group is started with a "(" and terminated by
       a ")".  Selectors are delimited by a space, by a selector logical
       operator, or by a parenthesis (i.e., by " ", "&", "|", "~", "(" or
       ")").  Control characters and white space are ignored.  A comment is
       started by a "#" and is terminated by a newline character.

       An example of the use of the selection criteria operators is:

            (sel 1 & ~(sel 2 | sel 3)) |  #comment

            (sel 1 & sel 2 & (sel 5 | ~sel 6))

       A selector is composed of a keyword, an equal sign (=), and a value
       set.

            KEYWORD=valueset

       In general, a value set is a semicolon-separated list of values and
       ranges.  To specify the list which includes 1, 3, 4, 5, 6, 7, 10, 13,
       14, 15, 16, and 17, the value set could be encoded as:

            1;3-7;10;13-17

       The following keywords and associated value sets are currently
       defined for the system.  Keywords must be in upper case.  Except
       where excluded, a list includes both single and range entries.

       Keyword        Comments

       EVENT          A list of event numbers or event names.  If event
                      numbers are used, 10,000 must be added to the event
                      numbers as listed in the auditeventdefs(4M) file for
                      kernel events.  Command event numbers are as listed in
                      auditeventdefs(4M).

       CLASS          A list of class numbers or of class names.

       REASON         A list of reason numbers or reason names.

       TIME           A time range, where the time format is the same as the
                      format used in the date(1) command: [mmdd] HHMM |
                      mmddHHMM[cc]yy.  The time range is specified as
                      time-time.

       PATH           A list of file pathnames.  Any audit record for which
                      the given pathname is a substring of the pathname in
                      the record will be selected.  For example, PATH=sbin
                      will select records with /sbin, /usr/sbin, ../../sbin,
                      etc.  Pathname ranges have no meaning and are not
                      accepted.  Wildcards are not accepted.

       AUTHID         A list of user IDs or user names matched against the
                      audit record AUID.

       PID            A list of process IDs.

       REALUID        A list of user IDs matched against the real UID.

       EFFUID         A list of user IDs matched against the effective UID.

       REALGID        A list of group IDs matched against the real GIDs.

       EFFGID         A list of group IDs matched against the effective
                      GIDs.

EXAMPLES
       An example of using a selection criteria file to select all failed
       login attempts from the current trail file and writing them to
       standard output in a human-readable form follows:

            audselect -s select.bad_logins | audprint

       Where the file select.bad_logins contains the text:

            (CLASS=AUTHCMD & ~REASON=S & ~REASON=PS & ~REASON=CS)
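       The selection-criteria grammar from FORMAT OF SELECTION CRITERIA and
       the select.bad_logins criteria above, as an added worked example in
       Python (written for this page; not DG/UX or audselect code): a
       tokenizer that drops "#" comments, white space and control
       characters, a recursive-descent parser for "&", "|", "~" and
       parentheses, value sets with single entries and ranges, PATH
       substring matching, and an evaluator run over constructed records.
       Operator precedence ("~" tightest, then "&", then "|") is an
       assumption the page does not state; TIME ranges are not implemented;
       and every record field value, the event numbers, the FILE class and
       the PW reason included, is made up for the example.

```python
import re

# Keywords the man page defines (TIME's date(1)-style ranges are not implemented here).
KEYWORDS = {"EVENT", "CLASS", "REASON", "TIME", "PATH", "AUTHID", "PID",
            "REALUID", "EFFUID", "REALGID", "EFFGID"}

# Groups: 1 '#' comment, 2 operator, 3 KEYWORD=valueset, 4 blank/control chars; 1 and 4 are dropped.
TOKEN_RE = re.compile(
    r"(#[^\n]*)|([&|~()])|([A-Z]+=[^\s&|~()#\x00-\x1f]+)|([\s\x00-\x1f]+)")

def tokenize(text):
    if not re.fullmatch(f"(?:{TOKEN_RE.pattern})*", text):
        raise ValueError("selection criteria contain an unexpected character")
    return [m.group() for m in TOKEN_RE.finditer(text) if m.lastindex in (2, 3)]

def parse_valueset(keyword, text):
    # '1;3-7;10' -> [('num', 1), ('range', 3, 7), ('num', 10)]
    parts = text.split(";")
    if "" in parts:
        raise ValueError(f"empty value in {keyword} value set {text!r}")
    if keyword == "PATH":       # pathname ranges have no meaning: plain substrings
        return [("name", p) for p in parts]
    items = []
    for part in parts:
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            items.append(("range", int(m.group(1)), int(m.group(2))))
        else:
            items.append(("num", int(part)) if part.isdigit() else ("name", part))
    return items

class Parser:
    # Recursive descent; precedence is an assumption: '~' tightest, then '&', then '|'.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def binary(self, op, operand, name):        # left-associative chain of op
        node = operand()
        while self.peek() == op:
            self.i += 1
            node = (name, node, operand())
        return node
    def expr(self):
        return self.binary("|", self.term, "or")
    def term(self):
        return self.binary("&", self.factor, "and")
    def factor(self):
        tok, self.i = self.peek(), self.i + 1
        if tok == "~":
            return ("not", self.factor())
        if tok == "(":
            node = self.expr()
            if self.peek() != ")":
                raise ValueError("missing ')'")
            self.i += 1
            return node
        keyword, _, valueset = (tok or "").partition("=")
        if keyword not in KEYWORDS or not valueset:
            raise ValueError(f"expected a selector, got {tok!r}")
        return ("sel", keyword, parse_valueset(keyword, valueset))

def value_matches(keyword, item, value):
    if item[0] == "range":
        return isinstance(value, int) and item[1] <= value <= item[2]
    if keyword == "PATH":                       # substring match, per the page
        return isinstance(value, str) and item[1] in value
    return str(item[1]) == str(value)

def evaluate(node, record):
    """record maps keyword -> value, or a list of values (e.g. several GIDs)."""
    op = node[0]
    if op == "not":
        return not evaluate(node[1], record)
    if op in ("and", "or"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left and right) if op == "and" else (left or right)
    _, keyword, items = node
    values = record.get(keyword, [])
    values = values if isinstance(values, list) else [values]
    return any(value_matches(keyword, it, v) for it in items for v in values)

def select(criteria, records):
    parser = Parser(tokenize(criteria))
    tree = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return [r for r in records if evaluate(tree, r)]

BAD_LOGINS = "(CLASS=AUTHCMD & ~REASON=S & ~REASON=PS & ~REASON=CS)"  # select.bad_logins

# Constructed sample records (values made up for this example, not taken from a
# real DG/UX trail); REASON=PW is an invented stand-in for a failed login.
SAMPLE_RECORDS = [
    {"EVENT": 10023, "CLASS": "AUTHCMD", "REASON": "S", "PID": 412, "PATH": "/usr/sbin/login", "REALGID": 100},
    {"EVENT": 10023, "CLASS": "AUTHCMD", "REASON": "PW", "PID": 415, "PATH": "/usr/sbin/login", "REALGID": 100},
    {"EVENT": 10007, "CLASS": "FILE", "REASON": "S", "PID": 431, "PATH": "/etc/passwd", "REALGID": [0, 4]},
]
```

       select(BAD_LOGINS, SAMPLE_RECORDS) returns only the PW record: the
       successful login (REASON=S) and the non-AUTHCMD record are excluded.
       Empty criteria, a lower-case keyword, an unbalanced "(" or an empty
       value in a value set raise ValueError, which is where a real
       audselect reports the usage error the DIAGNOSTICS section lists.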

FILES
       /etc/tcb/audit/auditmaskdefs  File of basic aliases for classes and
                                       reasons.

       /etc/tcb/audit/auditeventdefs  File of aliases for events.

DIAGNOSTICS
       audselect writes all diagnostic and statistical messages to standard
       error.

       audselect exits with one of the following values:

       0    audselect executed normally.

       1    audselect could not open at least one of the input audit trail
            files.

       2    -c was specified, and there is no current audit trail file, and
            possibly audselect could not open one of the other audit trail
            files.

       3    audselect usage is wrong.

       4    audselect could not open the output file.

NOTES
       audselect will continue to process all input audit trail files
       regardless of whether any individual audit trail file could not be
       found or any errors were encountered while processing an audit trail
       file.

       If the selection criteria are missing, that is, specfilename is
       empty or standard input is read but is empty, audselect reports an
       error, and returns exit code 3.

       To force all audit records into the current audit trail that are
       resident in a non-full kernel audit buffer, use the audadmin -o
       flush command.

SEE ALSO
       audprint(1M), audadmin(1M), auditeventdefs(4M),
       auditmaskdefs(4M).

       Audit System Administrator's Guide for the C2 Trusted DG/UX System.
