⇒ reduce(ADM) — OpenDesktop 3.0.0

 reduce(ADM)                   06 January 1993                    reduce(ADM)


 Name

    reduce - perform audit data analysis and reduction

 Syntax

    /tcb/bin/reduce [ -s session ] [ -e nproc ] [ -i ] [ -p selectionfile ]

 Description

    reduce performs selective audit data reduction on compacted audit output
    files that were written by the audit daemon.  Each audit record from the
    compaction files is examined during reduction to see if it meets the
    selectivity criteria established by the audit administrator.  If so, the
    record is formatted and sent to standard output.

    Reduction is performed on all files written by the audit daemon during a
    specified boot session.  Each time the audit subsystem is enabled and
    disabled, a new session number is generated.  This session number is used
    to stamp the filenames generated during the session so that they are
    easily recognizable. The audit daemon records each filename to which it
    writes compacted data in a log file. The log file is always written to
    the secure directory, /tcb/files/audit.  Each session log file is
    uniquely named with the prefix CAFLOG. followed by the session number.
    Thus, by specifying a session number for reduction, reduce is able to
    locate the log file and read it to determine certain setup parameters and
    the list of input files to be reduced.

    If necessary, the -e option may be used to specify the process table size
    (NPROC) of the kernel that produced the audit session. The argument nproc
    should be greater than or equal to the kernel's NPROC.

    The -i option overrides the suspension of auditing on processes that have
    suspendaudit authorization set.  Note that only mandatory system calls
    are audited for processes which have suspendaudit set.

    Use the sysadmsh(ADM) Accounts selection to reduce data selectively. This
    calls auditsh(ADM) to set up an audit selection file. Specify this file
    to reduce using the argument selectionfile to the -p option.

    Data is reduced based on a set of input selection criteria that governs
    the selection of records for printing. Records may be selected based on
    event types, time of event occurrence, user ID of record, group ID of
    record, or by specific object type:

    +  Time interval selection allows for records to be selected only if they
       occurred within a certain time period.

    +  Event type selection allows records to be selected only if their
       event type is one of the types specified.

    +  Both user ID and group ID selection allow records that were generated
       by certain users or groups to be selected.

    +  Object selection applies to those record types that refer to a specific
       file. Some records refer to multiple files; for those record types a
       single matching file is enough for the record to be selected.

    Time and event type selection always take precedence over user/group ID
    and object selection (for example, if a record has an event type that is
    not selected but the user ID is, the record will be discarded).

    If a record is selected based on time and event type and if any of user
    ID, group ID, or object matches a field in the record, the record is
    selected. If only time and event types are specified, all records of
    matching event types in the interval are selected. If only event type
    selection is requested, all matching events are selected from every
    record produced in that session.  (For example, if the event mask enables
    selection for all events and no time interval is specified, all records
    will be listed.)
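    The selection rules above are easy to misread, in particular the point
    that a record matching on user ID alone is still discarded when its event
    type is not selected. The following model of the rules is an added
    example for this page; it is not SCO's reduce code, and the record
    fields, selection criteria and output line format it uses are assumptions
    made for the model (the compaction file format is not described here).
    The sample session records are constructed, not real audit data.

```python
# Added illustration of reduce(ADM)'s selection precedence; not SCO's own code.
# Record fields, selection layout and output format are assumptions for the model.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple
import time


@dataclass(frozen=True)
class AuditRecord:
    pid: int
    stamp: int                    # seconds since the epoch (assumed field)
    event: str                    # event type, e.g. "open", "login"
    luid: int                     # login user ID
    gid: int                      # real group ID
    objects: Tuple[str, ...]      # zero, one or several object names
    success: bool
    error: str = ""               # error message for failed actions


@dataclass(frozen=True)
class Selection:
    """Criteria an administrator would place in the -p selection file."""
    events: Optional[FrozenSet[str]] = None   # None = every event type
    start: Optional[int] = None               # time interval, inclusive
    end: Optional[int] = None
    uids: FrozenSet[int] = frozenset()        # empty = not specified
    gids: FrozenSet[int] = frozenset()
    objects: FrozenSet[str] = frozenset()


def is_selected(rec: AuditRecord, sel: Selection) -> bool:
    # Time and event type take precedence: a record failing either is
    # discarded no matter what the user/group/object criteria say.
    if sel.start is not None and rec.stamp < sel.start:
        return False
    if sel.end is not None and rec.stamp > sel.end:
        return False
    if sel.events is not None and rec.event not in sel.events:
        return False
    # With no user, group or object criteria, everything that passed
    # the time/event gate is selected.
    if not (sel.uids or sel.gids or sel.objects):
        return True
    # Otherwise any single match suffices; a record naming several files
    # is selected if any one of them matches.
    return (rec.luid in sel.uids
            or rec.gid in sel.gids
            or any(obj in sel.objects for obj in rec.objects))


def reduce_session(records, sel: Selection) -> List[int]:
    """Return the pids of the records that would be printed, in file order."""
    return [r.pid for r in records if is_selected(r, sel)]


def format_record(rec: AuditRecord) -> str:
    """One modelled output line: pid, ctime-style date, event, result, objects."""
    when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(rec.stamp))
    result = "success" if rec.success else "failure (%s)" % rec.error
    return "pid=%d %s %s %s %s" % (rec.pid, when, rec.event, result,
                                   " ".join(rec.objects))


# Constructed sample session (not real audit data).
SESSION = (
    AuditRecord(100, 1000, "open", 0, 0, ("/etc/passwd",), True),
    AuditRecord(101, 1100, "open", 200, 50, ("/tmp/x", "/etc/shadow"), False,
                "EACCES: Permission denied"),
    AuditRecord(102, 1200, "login", 200, 50, (), True),
    AuditRecord(103, 5000, "open", 0, 0, ("/etc/passwd",), True),
)

# "open" events in the window 900..2000 with login uid 0.
BY_UID = Selection(events=frozenset({"open"}), start=900, end=2000,
                   uids=frozenset({0}))
# Same window; any record touching /etc/shadow also qualifies (OR rule).
BY_UID_OR_OBJECT = Selection(events=frozenset({"open"}), start=900, end=2000,
                             uids=frozenset({0}),
                             objects=frozenset({"/etc/shadow"}))
# "login" with uid 0: pid 100 has uid 0 but the wrong event type, pid 102 has
# the right event but uid 200, so nothing is printed.
PRECEDENCE = Selection(events=frozenset({"login"}), uids=frozenset({0}))
# Event mask only: every "open" in the session, regardless of time.
EVENT_ONLY = Selection(events=frozenset({"open"}))

if __name__ == "__main__":
    for name, sel in [("BY_UID", BY_UID), ("BY_UID_OR_OBJECT", BY_UID_OR_OBJECT),
                      ("PRECEDENCE", PRECEDENCE), ("EVENT_ONLY", EVENT_ONLY)]:
        print(name, reduce_session(SESSION, sel))
    for rec in SESSION:
        print(format_record(rec))
```

    The PRECEDENCE case is the one the paragraph above warns about: a
    user-ID match never rescues a record whose event type was not selected.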

    The format of the reduced data varies with the type of event being
    processed.  Each record will include the process ID of the process being
    audited, the date and time of the event, the type of audit event, an
    indication of success or failure for the event, and, if applicable, the
    names of the objects that were accessed.

    Items that are displayed for events include the following:

    Process ID  The process ID of the process that generated the audit
                record.

    User IDs    The login user ID, effective user ID, real user ID, effective
                group ID, and the real group ID are output for the process
                generating the audit record.

    Date/Time   Each audit record is time stamped at generation time. The
                time value is formatted to produce a date/time string similar
                to that printed by ctime(S).

    Event type  Each audit record is classified into a certain event depending
                on what type of system call was performed or what type of
                action was taken by a trusted application.

    Action      Many event types are broad categories into which certain
                actions are classified.  The reduction program makes use of
                other data in the record to provide further discrimination
                between process actions that fall into the category. For
                system calls, the actual system call audited is output. For
                applications, a more specific action identifier is provided.

    Object(s)   Many events involve files or special devices that are
                classified as objects.  The names of the objects affected by
                process actions are recorded for data reduction. Depending on
                the event and action type, some output records may include
                one or more object names.

    Modes       For certain event types, the modes of a file or an IPC object
                may be modified.  For these records, the old and new values
                of the owner, group, and the object mode are displayed.

    Username    Some events are user-account oriented, such as login and
                logoff as well as certain administrative functions. These
                output records include the username of the account that was
                responsible for the audited action.

    Result      Each output record carries an indicator of whether the action
                was successful or not. Unsuccessful actions are sometimes
                more important than successful ones, since they may indicate
                attempts to penetrate the system. For system calls that fail,
                the specific error number and error message are output. For
                applications, an error message describing the failure is
                output.

 See also

    audit(HW), auditd(ADM) and auditsh(ADM).

    ``Using the audit subsystem'' in the System Administrator's Guide

 Diagnostics

    Upon successful completion, the program exits with status 0.

 Value added

    reduce is an extension of AT&T System V provided by The Santa Cruz
    Operation, Inc.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026