
⇒ aureport(1M) — Motorola System V 88k Release 4 Version 4.3


aureport(1M)  —  ADMINISTRATOR COMMANDS

NAME

aureport − translate binary-format audit information into a report

SYNOPSIS

aureport [-s] [-h] [file ...]

DESCRIPTION

aureport allows root to transform audit records recorded in binary format into a report.  The input file must be in the binary audit format created by the audit-trail system (see audit_file(4)).  aureport will convert binary audit information from standard input if no input files are specified.  To convert files into a format more suitable for post-processing by other programs, see auconvert(1M). 

-s Use a short form of output design.  The short form is oriented toward 80-character output; the default long form is oriented towards 132-character output.  Note that both forms can exceed the standard width if there is significant data associated with the audit records. 

-h Suppress report headers and trailers that give the filename, column headers, etc. 

file One or more binary format audit-trail files can be specified for conversion.  If no files are specified, standard input will be used. 

Typically, auscan(1M) is used to preprocess the audit-trail file and selectively retrieve information before formatting with aureport. 

Parts of each audit-trail record are translated into text format so that administrators can review or further process the information.  For the actual content of each audit-trail record before its conversion, see the audit_file(4) manual page.  The information below provides a general form of output after conversion by auconvert. 

Standard Header Information

The time stamp is converted to the form yymmddhhmm.ss where yy represents the two digits of the year, mm is the month number, dd is the day of the month, hh is the hour (24-hour system), mm is the minute, and ss is the second. 

User IDs are converted to the name representation as seen in the password file. 

Group IDs are converted to the name representation as seen in the group file. 

Devices are reported as major and minor number pairs. 

Message types and reasons are converted to text-file format. 

Error numbers are reported in decimal format. 

Information specific to events is interpreted. 

Arguments to events are formatted as appropriate for the message type.  See the audit_file(4) manual page for more information about event-specific arguments that may have been audited. 

EXAMPLE

The following is a sample output from aureport when executed with the -s option:


∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
 AUDIT FILE /usr/spool/audit/file7 BEING PRINTED AT Thu Feb  2 14:31:05 1989
 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
 AUDIT ID RUID     AUDIT CL SYSCALL  PID   TIME
     REASON   MSG TYPE EVENT TYPE           OBJECT
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
 smith    smith    au_ctl   au_ctl   1582  8901302215.26
     Success  AU_KSTR  AU_CTL_2             0
        Auditing started
     Success  AU_FSEC  AU_CTL_2             1074941020
        owner=root, group=users, mode=100600, device=17,2
 smith    smith    audit    au_setpm 1582  8901302216.31
     Success  AU_INT   AU_PARAM             0
        -1073610324
     Success  AU_UDATA AU_PARAM             -1073610324
        3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f ...
     Success  AU_KDATA AU_SETPMASK_3        0
         0  0  0  0  0 10  0  0  0  2  0 10 20  0 10 20  2  0  0  0 ...
     Success  AU_INT   AU_PARAM             122
        0
 jones    jones    open     open     1583  8901302216.31
     Success  AU_USTR  AU_PARAM             0
        attacklog
     Success  AU_INT   AU_PARAM             1
        769
     Success  AU_FSEC  OPEN_1               1074942244
        owner=root, group=users, mode=100640, device=17,2
     Success  AU_INT   AU_PARAM             5
        3
 smith    smith    exit     exit    1582  8901302218.45
     Success  AU_INT   AU_PARAM             0
        0
     Success  AU_INT   EXIT_1               0
        0
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
 AUDIT FILE /usr/spool/audit/file7 COMPLETED AT Thu Feb  2 14:31:05 1989
 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
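
An added example, not part of the original manual page: a Python parser for the short-form layout shown above that groups lines into records, converts the yymmddhhmm.ss time stamp, and lists the files named in open records for review. It assumes the 1/5/8-column indentation and single-token fields seen in the sample, and that the AU_USTR item of an open record carries the path, as it does there; the names parse_report and opened_files are hypothetical.

```python
import re
from datetime import datetime

# Constructed input: selected lines from the sample report in EXAMPLE above.
SAMPLE = """\
 AUDIT ID RUID     AUDIT CL SYSCALL  PID   TIME
     REASON   MSG TYPE EVENT TYPE           OBJECT
 smith    smith    au_ctl   au_ctl   1582  8901302215.26
     Success  AU_KSTR  AU_CTL_2             0
        Auditing started
 jones    jones    open     open     1583  8901302216.31
     Success  AU_USTR  AU_PARAM             0
        attacklog
     Success  AU_FSEC  OPEN_1               1074942244
        owner=root, group=users, mode=100640, device=17,2
"""

HEADER = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d{10}\.\d{2})$")
ITEM = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(-?\d+)$")

def parse_report(text):
    """Group report lines into records by indentation (1 / 5 / 8 columns)."""
    records = []
    for line in text.splitlines():
        indent, body = len(line) - len(line.lstrip(" ")), line.strip()
        if indent >= 8 and records and records[-1]["items"]:
            records[-1]["items"][-1]["data"] = body      # data line of last item
        elif indent < 5 and (m := HEADER.match(body)):
            audit_id, ruid, aclass, syscall, pid, stamp = m.groups()
            # yymmddhhmm.ss; Python's %y pivot (69-99 -> 19xx) is an assumption here
            when = datetime.strptime(stamp, "%y%m%d%H%M.%S")
            records.append({"audit_id": audit_id, "ruid": ruid, "class": aclass,
                            "syscall": syscall, "pid": int(pid), "time": when,
                            "items": []})
        elif indent >= 5 and records and (m := ITEM.match(body)):
            reason, msg_type, event_type, obj = m.groups()
            records[-1]["items"].append({"reason": reason, "msg_type": msg_type,
                                         "event_type": event_type,
                                         "object": int(obj), "data": ""})
    return records  # banner and column-title lines match neither pattern

def opened_files(records):
    """Return (time, audit_id, path, attrs) for each open record."""
    out = []
    for rec in (r for r in records if r["syscall"] == "open"):
        path = next((i["data"] for i in rec["items"] if i["msg_type"] == "AU_USTR"), None)
        fsec = next((i["data"] for i in rec["items"] if i["msg_type"] == "AU_FSEC"), "")
        attrs = dict(kv.split("=", 1) for kv in fsec.split(", ") if "=" in kv)
        out.append((rec["time"], rec["audit_id"], path, attrs))
    return out
```
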

FILES

/etc/passwd Default password file for user information

/etc/group Default group file

/var/security/auclass Default audit class file

/var/security/auevent Default audit event type file

SEE ALSO

auconvert(1M), auscan(1M), auclassmgmt(1M), aueventmgmt(1M), auclass(4), audit_file(4), auevent(4)

(Security Enhancement)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026