reduce(ADM) - OpenDesktop 1.0.0y

     REDUCE(ADM)                        UNIX System V



     Name
          reduce - perform audit data analysis and reduction


     Syntax
          /tcb/bin/reduce [ -s session ] [ -p selection file ]


     Description
          reduce performs selective audit data reduction on  compacted
          audit  output  files which were written by the audit daemon.
          Each audit record from  the  compaction  files  is  examined
          during reduction to see if it meets the selectivity criteria
          established by the Audit Administrator.  If so,  the  record
          is formatted and output to standard output.

          Reduction is performed on all files  written  by  the  audit
          daemon  during a specified boot session. Each time the Audit
          subsystem is enabled and disabled, a new session  number  is
          generated  and this is used to stamp the filenames generated
          during that session so that they  are  easily  recognizable.
          The  audit  daemon  records  each  filename  that  it writes
          compacted data to in a log file.  The  log  file  is  always
          written  to  the  secure  directory,  /tcb/files/audit. Each
          session log file is uniquely named with the  prefix  CAFLOG.
          followed by the session number. Thus by specifying a session
          number for reduction, reduce is able to locate the log  file
          and  read  it  to determine certain setup parameters and the
          list of input files to be reduced.

          Data is reduced based on a set of input  selection  criteria
          that  governs the selection of records for printing. Records
          may  be  selected  based  on  event  types,  time  of  event
          occurrence,  user  ID  of  record, group ID of record, or by
          specific object type. To selectively reduce, auditsh(ADM) is
          used  to  set up the audit selection file. This file is then
          specified to reduce upon invocation. Time interval selection
          allows  for  records  to  be  selected only if they occurred
          within a certain time period. Event  type  selection  allows
          records  to  be selected only if the specified event type is
          desired. Both user ID and group ID selection  allow  records
          that  were  generated  by  certain  users  or  groups  to be
          selected. Lastly, object selection applies to  those  record
          types  referring  to  a specific file. Some records refer to
          multiple files and a single match  for  those  record  types
          will  result  in  the  record being selected. Time and event
          type selection always takes precedence  over  user/group  ID
          and  object  selection  (e.g.  if a record has an event type
          that is not selected but the user ID is, the record will  be
          discarded).  If a record is selected based on time and event
          type, if any of user ID, group ID, or object matches a field
          in  the  record,  the  record  is selected. If only time and
          event types are specified, all  records  of  matching  event
          types  in  the  interval  are  selected.  If only event type
          selection is requested, all  matching  events  are  selected
          from  every  record  produced in that session (e.g., if the
          event mask enables selection for  all  events  and  no  time
          interval is specified, all records will be output).
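          As an added illustration (not the reduce program's own code),
          the selection precedence described above is applied below to a
          few constructed audit records; the record fields, the criteria
          keys and the output line layout are assumptions, not the
          compaction-file format written by the audit daemon:

```python
from datetime import datetime

def at(hour, minute):
    """Timestamp on a constructed date (8/23/89, the page's print date)."""
    return datetime(1989, 8, 23, hour, minute)

# Constructed sample records; field names are assumptions, not the
# compaction-file layout used by the audit daemon.
RECORDS = [
    {"pid": 101, "time": at(9, 0), "event": "login", "uid": 100,
     "gid": 50, "objects": [], "ok": True},
    {"pid": 102, "time": at(9, 30), "event": "open", "uid": 100,
     "gid": 50, "objects": ["/etc/passwd"], "ok": True},
    {"pid": 103, "time": at(10, 15), "event": "open", "uid": 200,
     "gid": 60, "objects": ["/usr/lib/libc.a", "/tmp/x"], "ok": False},
    {"pid": 104, "time": at(11, 0), "event": "chmod", "uid": 200,
     "gid": 50, "objects": ["/tmp/x"], "ok": True},
]

def selected(rec, crit):
    """Apply the precedence rules: event type and time interval first,
    then (only if any are given) user ID, group ID or object match."""
    events = crit.get("events")          # None means the mask enables all
    if events is not None and rec["event"] not in events:
        return False
    interval = crit.get("interval")      # None means no time restriction
    if interval is not None and not (interval[0] <= rec["time"] <= interval[1]):
        return False
    uids, gids = crit.get("uids", set()), crit.get("gids", set())
    objects = crit.get("objects", set())
    if not (uids or gids or objects):    # only time/event specified
        return True
    # A record referring to several files is selected on a single match.
    return (rec["uid"] in uids or rec["gid"] in gids
            or any(name in objects for name in rec["objects"]))

def reduce_records(records, crit):
    return [r for r in records if selected(r, crit)]

def format_record(rec):
    """One output line: PID, ctime-style date, event, result, objects."""
    stamp = rec["time"].strftime("%a %b %d %H:%M:%S %Y")
    result = "succeeded" if rec["ok"] else "FAILED"
    return " ".join([str(rec["pid"]), stamp, rec["event"], result] + rec["objects"])

if __name__ == "__main__":
    crit = {"events": {"open", "chmod"}, "objects": {"/tmp/x"}}
    for r in reduce_records(RECORDS, crit):
        print(format_record(r))
```

          Note that record 103 carries a matching user ID in the first
          test case but is still discarded because its time falls outside
          the interval, which is the precedence rule the text states.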

          The format of the reduced data varies with the type of  event
          being processed.  Each record will include the process ID of
          the process being audited, the date and time of  the  event,
          the type of audit event, an indication of success or failure
          for the event, and if applicable,  object  names  that  were
          accessed.

          Items that are displayed for events include the following:

          Process ID  The process ID of the process that generated the
                      audit record.

          User IDs    The login user ID, effective user ID, real  user
                      ID,  effective  group  ID, and the real group ID
                      are output for the process generating the  audit
                      record.

          Date/Time   Each audit record is time stamped at  generation
                      time.  The  time value is formatted to produce a
                      date/time string  similar  to  that  printed  by
                      ctime(S).

          Event Type  Each audit record is classified into  a  certain
                      event  depending on what type of system call was
                      performed or what type of action was taken by  a
                      trusted application.

          Action      Many event types are broad categories into which
                      certain  actions  are classified.  The reduction
                      program makes use of other data in the record to
                      provide  further  discrimination between process
                      actions that fall into the category. For  system
                      calls, the actual system call audited is output.
                      For  applications,  a   more   specific   action
                      identifier is provided.

          Object(s)   Many events involve  files  or  special  devices
                      which  are  classified  as objects.  The names of
                      the objects  affected  by  process  actions  are
                      recorded  for  data  reduction. Depending on the
                      event and action type, some output  records  may
                      include one or more object names.

          Modes       For certain event types, the modes of a file  or
                      IPC  object may be modified.  For these records,
                      the old and new values of the owner, group,  and
                      the object mode are displayed.

          Username    Some events are user account  oriented  such  as
                      login    and   logoff   as   well   as   certain
                      administrative functions. These  output  records
                      include  the  username  of  the account that was
                      responsible for the audited action.

          Result      Each  output  record  carries  an  indicator  of
                      whether   the  action  was  successful  or  not.
                      Unsuccessful   actions   are   sometimes    more
                      important  than successful ones since they may
                      indicate attempts to penetrate the  system.  For
                      system  calls  that  fail,  the  specific  error
                      number  and  error  message  are   output.   For
                      applications,  an  error  message describing the
                      failure is output.

     See Also
          auditsh(ADM), auditd(ADM), audit(HW),  ``Maintaining  System
          Security,'' chapter of the System Administrator's Guide


     Diagnostics
          Upon successful completion, the program exits with status 0.


     Value Added
          reduce is an extension of AT&T  System  V  provided  by  the
          Santa Cruz Operation.


     (printed 8/23/89)                                  REDUCE(ADM)
