⇒ auconvert(1M) — Motorola System V 88k Release 4 Version 4.3

auconvert(1M)  —  ADMINISTRATOR COMMANDS

NAME

auconvert − translates binary-format audit information into text format

SYNOPSIS

auconvert [-p p_file] [-g g_file] [-c c_file] [-m m_file]
[-v v_file] [-f fld_delim] [-r rec_delim] [file ...]

DESCRIPTION

auconvert allows root to transform audit records recorded in binary format into text format.  The input file must be in the binary audit format created by the audit-trail system (see audit_file(4)).  If no input files are specified, auconvert will convert binary audit information from standard input.  The output is designed to be further processed by additional programs or loaded into a database system.  To generate a formatted report, see aureport(1M). 

-p Uses p_file as an alternate password file for translating user information contained in the processed audit-trail file (default is /etc/passwd). 

-g Uses g_file as an alternate group file for translating user information contained in the processed audit-trail file (default is /etc/group). 

-c Uses c_file as an alternate audit class file for translating class information contained in the processed audit-trail file (default is /var/security/auclass). 

-m Uses m_file as an alternate audit mask file for translating mask information contained in the processed audit-trail file (default is /var/security/aumask). 

-v Uses v_file as an alternate event type file for translating event information contained in the processed audit-trail file (default is /var/security/auevent). 

-f Uses fld_delim as an alternate field delimiter character.  The default field delimiter character is a new line (octal 012).  To use a control character as a delimiter, the character must be preceded with a caret symbol (e.g., ^A will use a control-A as a delimiter).  Note, however, that the delimiter must be in quotes to use the caret symbol.  The delimiter must not be a null byte (i.e., ^@). 

-r Uses rec_delim as an alternate record delimiter character.  The default record delimiter character is a carriage return (octal 015).  To use a control character as a delimiter, the character can be preceded with a caret symbol (e.g., ^A will use a control-A as a delimiter).  Note, however, that the delimiter must be in quotes to use the caret symbol.  The delimiter must not be a null byte (i.e., ^@). 

files One or more binary format audit-trail files can be specified for conversion.  If no files are specified, standard input will be used. 

Typically, auscan(1M) is used to preprocess the audit-trail file and selectively retrieve information before formatting with auconvert(1M). 

Parts of each audit-trail record are translated into text format so that administrators can review or further process the information.  For the actual content of each audit-trail record before its conversion, see audit_file(4).  The information below provides a general form of output after conversion by auconvert. 

Standard Header Information

The time stamp is converted to the form yymmddhhmm.ss, where yy represents the last two digits of the year, the first mm is the month number, dd is the day of the month, hh is the hour (24-hour system), the second mm is the minute, and ss is the second. 

User IDs are converted to the name representation as seen in the password file. 

Group IDs are converted to the name representation as seen in the group file. 

Devices are reported as major and minor number pairs. 

Message types and reasons are converted to textual format. 

Error numbers are reported in decimal format. 

Information specific to events is interpreted. 

Arguments to the event are formatted as appropriate for the message type. See audit_file(4) for more information about event-specific arguments that may have been audited. 

EXAMPLES

The following is an example of an output record from auconvert(1M), where RS is a record separator, FS is a field separator, and NL is a new line. 

auid=goodguy<FS>
ruid=goodguy<FS>
euid=goodguy<FS>
rgid=bin<FS>
egid=bin<FS>
audit class=utime<FS>
syscall=utime<FS>
pid=3146<FS>
ppid=3078<FS>
seq no=7<FS>
term=3,6<FS>
time=8810150919.59<FS>
errno=0<RS><NL>
reason=File Object Event<FS>
msg type=AU_FSEC<FS>
event type=OBJECT_EVT<FS>
object=1334<RS><NL>
owner=goodguy<FS>
group=bin<FS>
mode=600<FS>
inum=1334<FS>
device=17,6<RS><NL>
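
The following parser for this output is an added example, not part of the original manual page or of the audit-trail system. The function names are hypothetical. It assumes that every delimited chunk is a list of name=value fields laid out as in the sample above (a new line after each record delimiter), and it resolves the two-digit year with Python's %y pivot because the century is not in the data.

```python
from datetime import datetime

def caret_to_byte(spec: str) -> bytes:
    """Turn a delimiter as written for -f/-r ('^A' or one literal char) into a byte."""
    if len(spec) == 2 and spec[0] == "^":
        value = ord(spec[1].upper()) ^ 0x40   # caret notation: ^A -> octal 001
    elif len(spec) == 1:
        value = ord(spec)
    else:
        raise ValueError(f"not a single-character delimiter: {spec!r}")
    if not 0 < value < 256:                   # ^@ (null byte) is not allowed
        raise ValueError("delimiter must be a single non-null byte")
    return bytes([value])

def parse_time(stamp: str) -> datetime:
    """Parse yymmddhhmm.ss into a naive datetime (no time zone in the record)."""
    return datetime.strptime(stamp, "%y%m%d%H%M.%S")

def parse_audit_text(data: bytes, fld: bytes = b"\n", rec: bytes = b"\r"):
    """Split converted audit text into records, each a dict of name -> value."""
    records = []
    for chunk in data.split(rec):
        fields = {}
        for field in chunk.split(fld):
            field = field.strip(b"\n")        # new line that follows a delimiter
            if not field:
                continue
            name, sep, value = field.decode("ascii", "replace").partition("=")
            if not sep:
                raise ValueError(f"field without '=': {field!r}")
            fields[name] = value              # names may contain spaces ("seq no")
        if fields:
            records.append(fields)
    return records

# Constructed sample: the field values are the ones shown in EXAMPLES above.
SAMPLE = [
    ["auid=goodguy", "ruid=goodguy", "euid=goodguy", "rgid=bin", "egid=bin",
     "audit class=utime", "syscall=utime", "pid=3146", "ppid=3078", "seq no=7",
     "term=3,6", "time=8810150919.59", "errno=0"],
    ["reason=File Object Event", "msg type=AU_FSEC", "event type=OBJECT_EVT",
     "object=1334"],
    ["owner=goodguy", "group=bin", "mode=600", "inum=1334", "device=17,6"],
]

def render(groups, fld=b"\n", rec=b"\r"):
    """Rebuild text in the sample's layout: fields joined by fld, then rec + new line."""
    return b"".join(fld.join(f.encode() for f in g) + rec + b"\n" for g in groups)
```

Pass the same delimiter bytes to parse_audit_text that were given to auconvert with -f and -r; caret_to_byte accepts them in the quoted caret form described under those options.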

FILES

/etc/passwd Default password file for user information and for ACL conversions

/etc/group Default group file

/var/security/auclass Default audit class file

/var/security/auevent Default audit event type file

/var/security/aumask Default user audit mask file

SEE ALSO

aureport(1M), auscan(1M), auclassmgmt(1M), aueventmgmt(1M), aumaskmgmt(1M), auclass(4), audit_file(4), auevent(4), aumask(4)

(Security Enhancement)
