reduce(ADM)                     06 January 1993                     reduce(ADM)

Name
     reduce - perform audit data analysis and reduction

Syntax
     /tcb/bin/reduce [ -s session ] [ -e nproc ] [ -i ] [ -p selectionfile ]

Description
     reduce performs selective audit data reduction on compacted audit
     output files that were written by the audit daemon. Each audit record
     from the compaction files is examined during reduction to see if it
     meets the selectivity criteria established by the audit administrator.
     If so, the record is formatted and sent to standard output.

     Reduction is performed on all files written by the audit daemon during
     a specified boot session. Each time the audit subsystem is enabled and
     disabled, a new session number is generated. This session number is
     used to stamp the filenames generated during the session so that they
     are easily recognizable. The audit daemon records each filename to
     which it writes compacted data in a log file. The log file is always
     written to the secure directory, /tcb/files/audit. Each session log
     file is uniquely named with the prefix CAFLOG. followed by the session
     number. Thus, by specifying a session number for reduction, reduce is
     able to locate the log file and read it to determine certain setup
     parameters and the list of input files to be reduced.

     If necessary, the -e option may be used to specify the process table
     size (NPROC) of the kernel that produced the audit session. The
     argument nproc should be greater than or equal to the kernel's NPROC.

     The -i option overrides the suspension of auditing on processes that
     have suspendaudit authorization set. Note that only mandatory system
     calls are audited for processes which have suspendaudit set.

     Use the sysadmsh(ADM) Accounts selection to reduce data selectively.
     This calls auditsh(ADM) to set up an audit selection file. Specify
     this file to reduce using the argument selectionfile to the -p option.

     Data is reduced based on a set of input selection criteria that governs
     the selection of records for printing.
     Records may be selected based on event types, time of event
     occurrence, user ID of record, group ID of record, or by specific
     object type:

     +  Time interval selection allows for records to be selected only if
        they occurred within a certain time period.

     +  Event type selection allows records to be selected only if the
        specified event type is desired.

     +  Both user ID and group ID selection allow records that were
        generated by certain users or groups to be selected.

     +  Object selection applies to those record types referring to a
        specific file. Some records refer to multiple files, and a single
        match for those record types will result in the record being
        selected.

     Time and event type selection always take precedence over user/group
     ID and object selection (for example, if a record has an event type
     that is not selected but the user ID is, the record will be
     discarded). If a record is selected based on time and event type, and
     if any of user ID, group ID, or object matches a field in the record,
     the record is selected. If only time and event types are specified,
     all records of matching event types in the interval are selected. If
     only event type selection is requested, all matching events are
     selected from every record produced in that session. (For example, if
     the event mask enables selection for all events and no time interval
     is specified, all records will be listed.)

     The format of the reduced data varies with the type of event being
     processed. Each record will include the process ID of the process
     being audited, the date and time of the event, the type of audit
     event, an indication of success or failure for the event, and, if
     applicable, the object names that were accessed. Items that are
     displayed for events include the following:

     Process ID
          The process ID of the process that generated the audit record.

     User IDs
          The login user ID, effective user ID, real user ID, effective
          group ID, and the real group ID are output for the process
          generating the audit record.
     Date/Time
          Each audit record is time stamped at generation time. The time
          value is formatted to produce a date/time string similar to that
          printed by ctime(S).

     Event type
          Each audit record is classified into a certain event depending on
          what type of system call was performed or what type of action was
          taken by a trusted application.

     Action
          Many event types are broad categories into which certain actions
          are classified. The reduction program makes use of other data in
          the record to provide further discrimination between process
          actions that fall into the category. For system calls, the actual
          system call audited is output. For applications, a more specific
          action identifier is provided.

     Object(s)
          Many events involve files or special devices that are classified
          as objects. The names of the objects affected by process actions
          are recorded for data reduction. Depending on the event and action
          type, some output records may include one or more object names.

     Modes
          For certain event types, the modes of a file or an IPC object may
          be modified. For these records, the old and new values of the
          owner, group, and the object mode are displayed.

     Username
          Some events are user-account oriented, such as login and logoff
          as well as certain administrative functions. These output records
          include the username of the account that was responsible for the
          audited action.

     Result
          Each output record carries an indicator of whether the action was
          successful or not. Unsuccessful actions are sometimes more
          important than successful ones, since they may indicate attempts
          to penetrate the system. For system calls that fail, the specific
          error number and error message are output. For applications, an
          error message describing the failure is output.

See also
     audit(HW), auditd(ADM), auditsh(ADM)

     ``Using the audit subsystem'' in the System Administrator's Guide

Diagnostics
     Upon successful completion, the program exits with status 0.
Value added
     reduce is an extension of AT&T System V provided by The Santa Cruz
     Operation, Inc.
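The selection precedence described under Description (time and event type are gates that always apply; after them, any one match on user ID, group ID or object is enough), modelled as an added example. This is not SCO's code: the compacted record layout and the auditsh(ADM) selection-file format are not given on this page, so the AuditRecord and Selection structures and the sample records below are assumptions.

```python
# Added example (not SCO code): a model of the per-record selection test that
# reduce applies. Record fields, the Selection structure and the sample
# session are assumed; the real on-disk formats are not described on the page.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class AuditRecord:
    pid: int
    event: str                      # event type, e.g. "open", "login"
    time: int                       # seconds since the epoch (constructed)
    uid: int                        # login user ID
    gid: int                        # real group ID
    objects: Tuple[str, ...] = ()   # object names touched; may be several


@dataclass
class Selection:
    events: Set[str]                          # event types wanted
    interval: Optional[Tuple[int, int]] = None  # (start, end) inclusive
    uids: Set[int] = field(default_factory=set)
    gids: Set[int] = field(default_factory=set)
    objects: Set[str] = field(default_factory=set)


def selected(rec: AuditRecord, sel: Selection) -> bool:
    """True if reduce would print rec under sel."""
    # Time and event type take precedence: a record of an unselected event
    # type, or outside the interval, is discarded even if its user ID matches.
    if rec.event not in sel.events:
        return False
    if sel.interval is not None and not (sel.interval[0] <= rec.time <= sel.interval[1]):
        return False
    # With no user/group/object criteria, everything past the gate is kept.
    if not (sel.uids or sel.gids or sel.objects):
        return True
    # Otherwise any single match suffices; a record naming several objects
    # is selected if any one of them is in the selection.
    return (rec.uid in sel.uids or rec.gid in sel.gids
            or any(obj in sel.objects for obj in rec.objects))


def reduce_records(records: List[AuditRecord], sel: Selection) -> List[AuditRecord]:
    """Apply the selection to one session's records, preserving file order."""
    return [r for r in records if selected(r, sel)]


# Constructed sample session; not real audit output.
SAMPLE = [
    AuditRecord(101, "open", 1000, uid=5, gid=20, objects=("/etc/passwd",)),
    AuditRecord(102, "open", 1500, uid=7, gid=30, objects=("/tmp/x", "/etc/shadow")),
    AuditRecord(103, "login", 1600, uid=5, gid=20),
    AuditRecord(104, "open", 2500, uid=5, gid=20, objects=("/etc/passwd",)),
]
```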