audselect(1M) C2 Trusted DG/UX 5.4.2T audselect(1M)
NAME
audselect - select audit records from audit trails
SYNOPSIS
audselect [-s {specfilename | -}]
[-fdv]
[-c]
[-o {outtrailfile | -}]
[intrailfile . . .]
where:
specfilename is the pathname of the file containing the selection
criteria
outtrailfile is the pathname of the file where the selected audit
records are to be written
intrailfile is the pathname of an audit trail file
DESCRIPTION
The audselect command selects audit records from the input audit
trail files and writes them to the specified output file. The
selection criteria (see below for format) are taken from
specfilename if the -s option is specified; otherwise they are taken
from standard input. The selected records are written to
outtrailfile if the -o option is specified; otherwise they are
written to standard output. The input is taken from the input trail
files specified on the command line; if none are given, the input is
taken from the currently active trail file, if there is one,
regardless of whether or not auditing is currently turned on.
audselect can only be run by an administrator with appropriate
privilege.
The default if no options are given is:
audselect -s - -o - -c
where "-" stands for standard input and standard output,
respectively.
Options are:
-s {specfilename | -}
The -s option tells audselect where to get the selection
criteria, either from a file or standard input (specified
by using a "-"). If the -s option is omitted, audselect
defaults to getting the selection criteria from standard
input.
-f The -f option specifies that the trail file links of the
specified input files are followed. (When auditing is on
and a switch is made from one trail file to another, that
fact is recorded in both trail files, "linking" them.) As
an example, if a linked audit trail file list started with
trail1 and continued sequentially through trail10, and if
the option -f were specified and intrailfile was trail4,
audselect would process the files: trail4, trail5, trail6,
trail7, trail8, trail9 and trail10. This option is
affected by the -d option. If a linked audit trail file
list started with trail1 then trail2 and back to trail1
(appended to the end of the previous data), the -d option
must be used with the -f option. With both the -f and -d
options, audselect would process all of the trail1 file,
then all of the trail2 file, and stop; further references to
trail1 or trail2 would be duplicates and would not be
processed. Without the -d option, audselect would loop
infinitely between trail1 and trail2.
-d The -d option causes audselect to look for duplicate files
in the specified audit trail files. This can occur if the
-f option is specified and a trail file given on the
command line also appears in the linked trail file list of
one of the input trail files. (Of course, it can also
occur if the same file name is listed twice on the command
line.) All files are guaranteed to have a unique file
identifier composed of the file's major and minor device
number and its inode number. This also works for systems
with NFS-mounted file systems because the minor device
number of an NFS-mounted file system is modified to ensure
its uniqueness. If the -d option is specified, a file is
processed the first time it is encountered and is skipped
thereafter.
-o {outtrailfile | -}
The -o option specifies where the output file is to be
written. "-" specifies that the output file is to be
written to standard output. The output file is formatted
as an audit trail file. The output file contains
information to indicate that it was created by audselect
and is not an original trail file.
-v The -v option places audselect in verbose mode. In verbose
mode, audselect writes status information to standard
error. This information includes:
- trail file names processed.
- duplicate trail files skipped.
- the total number of records processed and the total
number selected.
The statistics produced by the -v option only include audit
event audit records, and do not include non-event audit
records such as header, trailer and select audit records.
-c The -c option specifies that audselect is to use the
current audit trail file (as known by the audit system) as
input. If other input trail files are specified, then
those are processed first and the current audit trail file
is processed last.
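To make the -f and -d behaviour described under those options concrete, here is an added Python model of it; it is not part of DG/UX or of this manual page. The function follow_trail_links is hypothetical, and the LINKS and FILE_ID dictionaries are constructed stand-ins for the trail-switch link records and the (major, minor, inode) file identifiers that the real tool reads from the trail files and from stat().

```python
def follow_trail_links(start, links, file_id, dedupe):
    # Order in which audselect would process trail files with -f (follow
    # links) and, when dedupe is True, also -d (skip a file already processed).
    # links:   {name: name of the trail switched to, or None}   (constructed)
    # file_id: {name: (major device, minor device, inode)}      (constructed)
    order, seen, queue = [], set(), list(start)
    while queue:
        name = queue.pop(0)
        ident = file_id[name]               # identity is dev+inode, not the name
        if ident in seen:
            if dedupe:
                continue                    # -d: duplicate of a processed file
            raise RuntimeError(f"{name} already read: without -d audselect loops here")
        seen.add(ident)
        order.append(name)
        if links.get(name):
            queue.insert(0, links[name])    # the linked file is read next
    return order

# Constructed example: trail1 switched to trail2, which switched back to trail1
# (appending), and trail1.bak is a hard link to trail1 (same device and inode).
LINKS = {"trail1": "trail2", "trail2": "trail1", "trail1.bak": "trail2"}
FILE_ID = {"trail1": (8, 3, 4101), "trail2": (8, 3, 4102), "trail1.bak": (8, 3, 4101)}
```

The RuntimeError stands in for the infinite loop the page warns about; the real tool has no such guard, which is why -d must accompany -f on looping trails.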
FORMAT OF SELECTION CRITERIA
The selection criteria are composed of individual audit record field
selection specifiers separated by or modified by logical operators.
The valid logical operators are:
& Both "conditions" must be true.
| Either "condition" may be true.
~ Logically negate the result of the "condition".
A "condition" is the logical result (TRUE or FALSE) of evaluating a
group of (possibly modified) selectors. Selectors are grouped
together with "&" for the AND operation and "|" for the OR operation.
A "~" before a selector inverts the logical value of the selector's
evaluation. A selector group is started with a "(" and terminated by
a ")". Selectors are delimited by a space, by a selector logical
operator, or by a parenthesis (i.e., by " ", "&", "|", "~", "(" or
")"). Control characters and white space are ignored. A comment is
started by a "#" and is terminated by a newline character.
An example of the use of the selection criteria operators is:
(sel 1 & ~(sel 2 | sel 3)) | #comment
(sel 1 & sel 2 & (sel 5 | ~sel 6))
A selector is composed of a keyword, an equal sign (=), and a value
set.
KEYWORD=valueset
In general, a value set is a semicolon-separated list of values and
ranges. To specify the list which includes 1, 3, 4, 5, 6, 7, 10, 13,
14, 15, 16, and 17, the value set could be encoded as:
1;3-7;10;13-17
The following keywords and associated value sets are currently
defined for the system. Keywords must be in upper case. Except
where excluded, a list includes both single and range entries.
Keyword   Comments
EVENT     A list of event numbers or event names. If event
          numbers are used, 10,000 must be added to the event
          numbers as listed in the auditeventdefs(4M) file for
          kernel events. Command event numbers are as listed in
          auditeventdefs(4M).
CLASS     A list of class numbers or of class names.
REASON    A list of reason numbers or reason names.
TIME      A time range, where the time format is the same as the
          format used in the date(1) command: [mmdd] HHMM |
          mmddHHMM[cc]yy. The time range is specified as
          time-time.
PATH      A list of file pathnames. Any audit record for which
          the given pathname is a substring of the pathname in
          the record will be selected. For example, PATH=sbin
          will select records with /sbin, /usr/sbin, ../../sbin,
          etc. Pathname ranges have no meaning and are not
          accepted. Wildcards are not accepted.
AUTHID    A list of user IDs or user names matched against the
          audit record AUID.
PID       A list of process IDs.
REALUID   A list of user IDs matched against the real UID.
EFFUID    A list of user IDs matched against the effective UID.
REALGID   A list of group IDs matched against the real GIDs.
EFFGID    A list of group IDs matched against the effective
          GIDs.
EXAMPLES
An example of using a selection criteria file to select all failed
login attempts from the current trail file and writing them to
standard output in a human-readable form follows:
audselect -s select.bad_logins | audprint
where the file select.bad_logins contains the text:
(CLASS=AUTHCMD & ~REASON=S & ~REASON=PS & ~REASON=CS)
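An added example, not part of this manual page or of DG/UX: a small Python parser and evaluator for the selection-criteria format described above, run over constructed records and the select.bad_logins criteria. It implements the page's value-set, negation, grouping, comment and PATH-substring rules; the assumption that "&" binds tighter than "|" is the example's own, since the page leaves precedence unstated, and the functions parse, evaluate and select are hypothetical names.

```python
import re

def parse_valueset(text):
    # '1;3-7;10' -> {1,3,4,5,6,7,10}; names such as AUTHCMD or PS stay strings
    values = set()
    for item in text.split(";"):
        lo, _, hi = item.partition("-")
        if hi: values.update(range(int(lo), int(hi) + 1))
        else: values.add(int(lo) if lo.isdigit() else lo)
    return values
def parse(spec):
    # Strip '#' comments, then split into KEY=valueset and & | ~ ( ) tokens.
    tokens = re.findall(r"[A-Z]+=[^\s&|~()]+|[&|~()]|\S", re.sub(r"#[^\n]*", "", spec))
    # Recursive descent; '&' binding tighter than '|' is an assumption (page unstated).
    def chain(sub, op):                 # sub (op sub)*
        node = sub()
        while tokens and tokens[0] == op:
            tokens.pop(0); node = (op, node, sub())
        return node
    def expr(): return chain(lambda: chain(factor, "&"), "|")
    def factor():                       # '~' factor | '(' expr ')' | KEY=valueset
        tok = tokens.pop(0) if tokens else None
        if tok == "~": return ("~", factor())
        if tok == "(":
            node = expr()
            if not tokens or tokens.pop(0) != ")": raise ValueError("missing ')'")
            return node
        if tok and re.fullmatch(r"[A-Z]+=.+", tok):
            key, _, vals = tok.partition("=")
            return ("=", key, parse_valueset(vals))
        raise ValueError(f"unexpected token {tok!r} in selection criteria")
    tree = expr()
    if tokens: raise ValueError(f"trailing token {tokens[0]!r} in selection criteria")
    return tree
def evaluate(node, rec):
    # PATH uses the page's substring rule; other keys test value-set membership.
    if node[0] == "=":
        if node[1] == "PATH": return any(str(v) in rec.get("PATH", "") for v in node[2])
        return rec.get(node[1]) in node[2]
    if node[0] == "~": return not evaluate(node[1], rec)
    return (all if node[0] == "&" else any)(evaluate(child, rec) for child in node[1:])
def select(spec, records):
    tree = parse(spec); return [r for r in records if evaluate(tree, r)]

RECORDS = [  # constructed stand-ins for decoded trail records, not real DG/UX output
    {"CLASS": "AUTHCMD", "REASON": "S", "AUTHID": 100, "PATH": "/usr/bin/login"},
    {"CLASS": "AUTHCMD", "REASON": "PW", "AUTHID": 100, "PATH": "/usr/bin/login"},
    {"CLASS": "AUTHCMD", "REASON": "CS", "AUTHID": 0, "PATH": "/usr/bin/su"},
    {"CLASS": "FILE", "REASON": "S", "AUTHID": 200, "PATH": "/sbin/init"}]
BAD_LOGINS = "(CLASS=AUTHCMD & ~REASON=S & ~REASON=PS & ~REASON=CS)  # select.bad_logins\n"
```

Because the page does not fix operator precedence, criteria files meant for the real tool should parenthesize mixed "&" and "|" groups as the EXAMPLES section does; the parser also rejects unbalanced parentheses, lower-case keywords and trailing selectors rather than silently dropping them, since a silently ignored selector would change which records are reported.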
FILES
/etc/tcb/audit/auditmaskdefs   File of basic aliases for classes and
                               reasons.
/etc/tcb/audit/auditeventdefs  File of aliases for events.
DIAGNOSTICS
audselect writes all diagnostic and statistical messages to standard
error.
audselect exits with one of the following values:
0 audselect executed normally.
1 audselect could not open at least one of the input audit trail
files.
2 -c was specified, and there is no current audit trail file, and
possibly audselect could not open one of the other audit trail
files.
3 audselect usage is wrong.
4 audselect could not open the output file.
NOTES
audselect will continue to process all input audit trail files
regardless of whether any individual audit trail file could not be
found or any errors were encountered while processing an audit trail
file.
If the selection criteria are missing, that is, specfilename is
empty or standard input is read but is empty, audselect reports an
error, and returns exit code 3.
To force all audit records into the current audit trail that are
resident in a non-full kernel audit buffer, use the audadmin -o
flush command.
SEE ALSO
audprint(1M), audadmin(1M), auditeventdefs(4M),
auditmaskdefs(4M).
Audit System Administrator's Guide for the C2 Trusted DG/UX System.
Licensed material--property of copyright holder(s) 5