REDUCE(ADM) UNIX System V
Name
reduce - perform audit data analysis and reduction
Syntax
/tcb/bin/reduce [ -s session ] [ -p selection file ]
Description
reduce performs selective audit data reduction on compacted
audit output files which were written by the audit daemon.
Each audit record from the compaction files is examined
during reduction to see if it meets the selectivity criteria
established by the Audit Administrator. If so, the record
is formatted and output to standard output.
Reduction is performed on all files written by the audit
daemon during a specified boot session. Each time the Audit
subsystem is enabled and disabled, a new session number is
generated and this is used to stamp the filenames generated
during that session so that they are easily recognizable.
The audit daemon records each filename that it writes
compacted data to in a log file. The log file is always
written to the secure directory, /tcb/files/audit. Each
session log file is uniquely named with the prefix CAFLOG.
followed by the session number. Thus by specifying a session
number for reduction, reduce is able to locate the log file
and read it to determine certain setup parameters and the
list of input files to be reduced.
Data is reduced based on a set of selection criteria that
governs which records are printed. Records may be selected
by event type, time of event occurrence, user ID, group ID,
or object (a specific file). The selection file is set up
with auditsh(ADM) and named with the -p option when reduce
is invoked. Time interval selection accepts only records
that were generated within the given period. Event type
selection accepts only records of the event types named in
the event mask. User ID and group ID selection accept
records generated by the given users or groups. Object
selection applies to those record types that refer to a
specific file; some record types refer to several files,
and a match on any one of them selects the record.
Time and event type selection always take precedence over
user/group ID and object selection: a record whose event
type or time is not selected is discarded even if its user
ID, group ID, or object matches. A record that passes the
time and event type tests is then selected if any one of
its user ID, group ID, or objects matches the selection
criteria. If no user ID, group ID, or object criteria are
given, all records of the selected event types within the
interval are output; if only event type selection is
given, all matching records from the whole session are
output (e.g. if the event mask enables every event and no
time interval is specified, all records will be output).
The format of the reduced data varies with the type of
event being processed. Each record includes the process ID
of the process being audited, the date and time of the
event, the type of audit event, an indication of success or
failure for the event, and, if applicable, the names of the
objects that were accessed.
Items that are displayed for events include the following:
Process ID The process ID of the process that generated the
audit record.
User IDs The login user ID, effective user ID, real user
ID, effective group ID, and the real group ID
are output for the process generating the audit
record.
Date/Time Each audit record is time stamped at generation
time. The time value is formatted to produce a
date/time string similar to that printed by
ctime(S).
Event Type Each audit record is classified into a certain
event depending on what type of system call was
performed or what type of action was taken by a
trusted application.
Action Many event types are broad categories into which
certain actions are classified. The reduction
program makes use of other data in the record to
provide further discrimination between process
actions that fall into the category. For system
calls, the actual system call audited is output.
For applications, a more specific action
identifier is provided.
Object(s) Many events involve files or special devices
which are classified as objects. The name of
the objects affected by process actions are
recorded for data reduction. Depending on the
event and action type, some output records may
include one or more object names.
Modes For certain event types, the modes of a file or
IPC object may be modified. For these records,
the old and new values of the owner, group, and
the object mode are displayed.
Username Some events are user account oriented such as
login and logoff as well as certain
administrative functions. These output records
include the username of the account that was
responsible for the audited action.
Result Each output record carries an indicator of
whether the action was successful or not.
Unsuccessful actions are sometimes more
important than successful ones since they may
indicate attempts to penetrate the system. For
system calls that fail, the specific error
number and error message are output. For
applications, an error message describing the
failure is output.
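Examples
The following Python program is an added illustration of the
selection precedence described above (event type and time
first, then any one of user ID, group ID, or object) and of
the fields listed for each output record. It is not part of
reduce or any SCO code; the record layout, the CAFLOG
reading step that is omitted here, and the choice of the
login user ID and real group ID as the IDs compared against
the selection file are assumptions, as is the output
format. The sample records are constructed, not real audit
output.

```python
"""Illustrative model of reduce(ADM) record selection (not SCO code)."""
from dataclasses import dataclass, field
from time import gmtime, strftime
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AuditRecord:
    """One audit record; this layout is an assumption, not SCO's format."""
    pid: int
    when: int                       # seconds since the epoch, stamped at generation
    event: str                      # event type, e.g. "open", "link", "login"
    luid: int                       # login user ID
    euid: int                       # effective user ID
    ruid: int                       # real user ID
    egid: int                       # effective group ID
    rgid: int                       # real group ID
    objects: Tuple[str, ...] = ()   # file or device names touched
    success: bool = True
    error: str = ""                 # errno name / message when success is False


@dataclass
class Selection:
    """Criteria an Audit Administrator would set up with auditsh(ADM)."""
    events: Set[str]                        # event mask: only these types pass
    start: Optional[int] = None             # inclusive time interval; None = open
    end: Optional[int] = None
    uids: Set[int] = field(default_factory=set)
    gids: Set[int] = field(default_factory=set)
    objects: Set[str] = field(default_factory=set)


def selected(rec: AuditRecord, sel: Selection) -> bool:
    """Apply the precedence rule from the Description section."""
    # Event type and time interval take precedence: failing either discards
    # the record even if its user ID, group ID or object would have matched.
    if rec.event not in sel.events:
        return False
    if sel.start is not None and rec.when < sel.start:
        return False
    if sel.end is not None and rec.when > sel.end:
        return False
    # Only event type (and possibly time) specified: everything that passed
    # the tests above is selected.
    if not (sel.uids or sel.gids or sel.objects):
        return True
    # Otherwise a match on any one of user ID, group ID or object suffices.
    # Assumption: the login UID and real GID are the IDs compared.
    if rec.luid in sel.uids or rec.rgid in sel.gids:
        return True
    # Records naming several objects are selected on a single match.
    return any(obj in sel.objects for obj in rec.objects)


def format_record(rec: AuditRecord) -> str:
    """Render the fields reduce prints per record; layout is illustrative."""
    stamp = strftime("%a %b %d %H:%M:%S %Y", gmtime(rec.when))  # ctime(S)-like
    result = "success" if rec.success else "failure: " + rec.error
    objs = " ".join(rec.objects) if rec.objects else "-"
    return (f"pid={rec.pid} luid={rec.luid} euid={rec.euid} ruid={rec.ruid} "
            f"egid={rec.egid} rgid={rec.rgid} {stamp} {rec.event} {result} {objs}")


def reduce_records(records: Iterable[AuditRecord], sel: Selection) -> List[str]:
    """Filter a session's records and format the selected ones for output."""
    return [format_record(r) for r in records if selected(r, sel)]


# Constructed sample session (not real audit data).
SAMPLE = (
    AuditRecord(101, 620000000, "open", 500, 500, 500, 100, 100, ("/etc/passwd",)),
    AuditRecord(102, 620000010, "open", 0, 0, 0, 0, 0, ("/etc/shadow",), False, "EACCES"),
    AuditRecord(103, 620000020, "link", 500, 500, 500, 100, 100, ("/tmp/a", "/etc/passwd")),
    AuditRecord(104, 620003700, "open", 501, 501, 501, 101, 101, ("/tmp/b",)),
)

if __name__ == "__main__":
    # Event mask "open" only: the failed open of /etc/shadow by uid 0 is the
    # kind of unsuccessful action the Result field is meant to surface.
    for line in reduce_records(SAMPLE, Selection(events={"open"})):
        print(line)
    # Object selection: record 103 names two files and is selected on one.
    for line in reduce_records(SAMPLE, Selection(events={"open", "link"},
                                                 objects={"/etc/passwd"})):
        print(line)
```

Note that a user ID criterion alone selects nothing without a
matching event type: Selection(events={"open"}, uids={500})
discards the "link" record of uid 500 because the event mask
is applied first, exactly as the precedence rule states.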
See Also
auditsh(ADM), auditd(ADM), audit(HW), ``Maintaining System
Security,'' chapter of the System Administrator's Guide
Diagnostics
Upon successful completion, the program exits with status 0.
Value Added
reduce is an extension of AT&T System V provided by the
Santa Cruz Operation.
(printed 8/23/89) REDUCE(ADM)