Managing Audit Records

By managing the audit trail, you can monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.

How to Display Audit Record Formats

To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The bsmrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.

• Put the format of all audit event records in an HTML file.

  The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.

  % bsmrecord -a -h > audit.events.html

  When you display the *html file in a browser, use the browser's Find tool to find specific records.

  For more information, see the bsmrecord(1M) man page.

Example 30-24 Displaying the Audit Record Formats of a Program

In this example, the format of all audit records that are generated by the login program are displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.

% bsmrecord -p login
terminal login
  program     /usr/sbin/login      See login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      text                         error message or "successful login"
      return

login: logout
  program     various              See login(1)
  event ID    6153                 AUE_logout
…

newgrp
  program     newgrp               See newgrp login
  event ID    6212                 AUE_newgrp_login
…

rlogin
  program     /usr/sbin/login      See login(1) - rlogin
  event ID    6155                 AUE_rlogin
…

SMC: role login
  program     SMC server           See role login
  event ID    6173                 AUE_role_login
…

/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd    See login - ssh
  event ID    6172                 AUE_ssh
…

telnet login
  program     /usr/sbin/login      See login(1) - telnet
  event ID    6154                 AUE_telnet
  …

Example 30-25 Displaying the Audit Record Formats of an Audit Class

In this example, the format of all audit records in the fd class are displayed.

% bsmrecord -c fd

rmdir
  system call rmdir                See rmdir(2)
  event ID    48                   AUE_RMDIR
  class       fd                   (0x00000020)
      header
      path
      [attribute]
      subject
      [use_of_privilege]
      return

unlink
  system call unlink               See unlink(2)
  event ID    6                    AUE_UNLINK
  …

unlinkat
  system call unlinkat             See openat(2)
  event ID    286                  AUE_UNLINKAT
  …

How to Merge Audit Files From the Audit Trail

By merging all audit files in all the audit directories, you can analyze the contents of the entire audit trail. The auditreduce command merges all the records from its input files into a single output file. The input files can then be deleted. When the output file is placed in a directory that is named /etc/security/auditserver-name/files, the auditreduce command can find the output file without your specifying the full path.

---

Note - This procedure applies only to binary audit records.

---

1. Assume a role that includes the Audit Review profile, or become superuser.

   The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

2. Create a directory for storing merged audit files.

   # mkdir audit-trail-directory

3. Limit access to the directory.

   # chmod 700 audit-trail-directory
   # ls -la audit-trail-directory
   drwx------   3 root     sys          512 May 12 11:47 .
   drwxr-xr-x   4 root     sys         1024 May 12 12:47 ..

4. Merge the audit records in the audit trail.

   Change directories to the audit-trail-directory and merge the audit records into a file with a named suffix. All directories that are listed in the dir lines of the audit_control file on the local system are merged.

   # cd audit-trail-directory
   # auditreduce -Uppercase-option -O suffix

   The uppercase options to the auditreduce command manipulate files in the audit trail. The uppercase options include the following:

   -A

   Selects all of the files in the audit trail.

   -C

   Selects complete files only. This option ignores files with the suffix not_terminated.

   -M

   Selects files with a particular suffix. The suffix can be a machine name, or it can be a suffix that you have specified for a summary file.

   -O

   Creates an audit file with 14-character timestamps for both the start time and the end time, with the suffix suffix in the current directory.

Example 30-26 Copying Audit Files to a Summary File

In the following example, the System Administrator role, sysadmin, copies all files from the audit trail into a merged file.

$ whoami
sysadmin
$ mkdir /var/audit/audit_summary.dir
$ chmod 700 /var/audit/audit_summary.dir
$ cd /var/audit/audit_summary.dir
$ auditreduce -A -O All
$ ls *All
20030827183214.20030827215318.All

In the following example, only complete files are copied from the audit trail into a merged file.

$ cd /var/audit/audit_summary.dir
$ auditreduce -C -O Complete
$ ls *Complete
20030827183214.20030827214217.Complete

In the following example, only complete files are copied from the example1 machine into a merged file.

$ cd /var/audit/audit_summary.dir
$ auditreduce -M example1 -O example1summ
$ ls *summ
20030827183214.20030827214217.example1summ

Example 30-27 Moving Audit Files to a Summary File

The -D option to the auditreduce command deletes an audit file when you copy it to another location. In the following example, the complete audit files from one system are copied to the summary directory for later examination.

$ cd /var/audit/audit_summary.dir
$ auditreduce -C -O daily_example1 -D example1
$ ls *example1
20030827183214.20030827214217.daily_example1

The audit files from the example1 system that were the input to the *daily_example1 file are removed when this command successfully completes.

How to Select Audit Events From the Audit Trail

You can filter audit records for examination. For the complete list of filtering options, see the auditreduce(1M) man page.

1. Assume a role that includes the Audit Review profile, or become superuser.

   The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

2. Select the kinds of records that you want from the audit trail, or from a specified audit file.

   auditreduce -lowercase-option argument [optional-file]

   argument

   Specific argument that a lowercase option requires. For example, the -c option requires an argument of an audit class, such as ua.

   -d

   Selects all of the events on a particular date. The date format for argument is yyymmdd. Other date options, -b and -a, select events before and after a particular date.

   -u

   Selects all of the events attributable to a particular user. The argument is a user name. Another user option, -e, selects all of the events attributable to an effective user ID.

   -c

   Selects all of the events in a preselected audit class. The argument is an audit class name.

   -m

   Selects all of the instances of a particular audit event. The argument is an audit event.

   optional-file

   Is the name of an audit file.

Example 30-28 Combining and Reducing Audit Files

The auditreduce command can eliminate the less interesting records as it combines the input files. For example, you might use the auditreduce command to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover the trail from backup media.

# cd /var/audit/audit_summary.dir
# auditreduce -O lo.summary -b 20030827 -c lo; compress *lo.summary

Example 30-29 Copying na Audit Records to a Summary File

In this example, all the records of nonattributable audit events in the audit trail are collected into one file.

$ whoami
sysadmin
$ cd /var/audit/audit_summary.dir
$ auditreduce -c na -O nasumm
$ ls *nasumm
20030827183214.20030827215318.nasumm

The merged nasumm audit file is time stamped with the beginning and ending date of the na records.

Example 30-30 Finding Audit Events in a Specified Audit File

You can select audit files manually to search just the named set of files. For example, you can further process the *nasumm file in the previous example to find system boot events. To do so, you would specify the file name as the final argument to the auditreduce command.

$ auditreduce -m 113 -O systemboot 20030827183214.20030827215318.nasumm
20030827183214.20030827183214.systemboot

The 20030827183214.20030827183214.systemboot file contains only system boot audit events.

Example 30-31 Copying One User's Audit Records to a Summary File

In this example, the records in the audit trail that contain the name of a particular user are merged. The -e option finds the effective user. The -u option finds the audit user.

$ cd /var/audit/audit_summary.dir
$ auditreduce -e tamiko -O tamiko

You can look for specific events in this file. In the following example, what time the user logged in and out on Sept 7, 2003, your time, is checked. Only those files with the user's name as the file suffix are checked. The short form of the date is yyyymmdd.

# auditreduce -M tamiko -O tamikolo -d 20030907 -u tamiko -c lo

Example 30-32 Copying Selected Records to a Single File

In this example, login and logout messages for a particular day are selected from the audit trail. The messages are merged into a target file. The target file is written in a directory other than the normal audit root directory.

# auditreduce -c lo -d 20030827 -O /var/audit/audit_summary.dir/logins
# ls /var/audit/audit_summary.dir/*logins
/var/audit/audit_summary.dir/20030827183936.20030827232326.logins

How to View the Contents of Binary Audit Files

The praudit command enables you to view the contents of binary audit files. You can pipe the output from the auditreduce command, or you can read a particular audit file. The -x option is useful for further processing.

1. Assume a role that includes the Audit Review profile, or become superuser.

   The System Administrator role includes the Audit Review profile. You can also create a separate role that includes the Audit Review profile. To create a role and assign the role to a user, see Configuring RBAC (Task Map).

2. Use one of the following praudit commands to produce the output that is best for your purposes.

   The following examples show praudit output from the same audit event. Audit policy has been set to include the sequence and trailer tokens.

   • The praudit -s command displays audit records in a short format, one token per line. Use the -l option to place each record on one line.

     $ auditreduce -c lo | praudit -s
     header,101,2,AUE_rlogin,,example1,2003-10-13 11:23:31.050 -07:00
     subject,jdoe,jdoe,staff,jdoe,staff,749,749,195 1234 server1
     text,successful login 
     return,success,0 
     sequence,1298

   • The praudit -r command displays audit records in their raw format, one token per line. Use the -l option to place each record on one line.

     $ auditreduce -c lo | praudit -r
     21,101,2,6155,0x0000,192.168.60.83,1062021202,64408258
     36,2026700,2026700,10,2026700,10,749,749,195 1234 192.168.60.17
     40,successful login
     39,0,0
     47,1298

   • The praudit -x command displays audit records in XML format, one token per line. Use the -l option to place the XML output for one record on one line.

     $ auditreduce -c lo | praudit -x
     <record version="2" event="login - rlogin" host="example1" 
     time="Wed Aug 27 14:53:22 PDT 2003" msec="64">
     <subject audit-uid="jdoe" uid="jdoe" gid="staff" ruid="jdoe" 
     rgid="staff" pid="749" sid="749" tid="195 1234 server1"/>
     <text>successful login</text>
     <return errval="success" retval="0"/>
     <sequence seq-num="1298"/>
     
     </record>

Example 30-33 Printing the Entire Audit Trail

With a pipe to the lp command, the output for the entire audit trail goes to the printer. The printer should have limited access.

# auditreduce | praudit | lp -d example.protected.printer

Example 30-34 Viewing a Specific Audit File

In this example, a summary login file is examined in a terminal window.

# cd /var/audit/audit_summary.dir/logins
# praudit 20030827183936.20030827232326.logins | more

Example 30-35 Putting Audit Records in XML Format

In this example, the audit records are converted to XML format.

# praudit -x 20030827183214.20030827215318.logins > 20030827.logins.xml

The *xml file can be displayed in a browser. The contents of the file can be operated on by a script to extract the relevant information.

How to Clean Up a not_terminated Audit File

Occasionally, an audit daemon exits while its audit file is still open. Or, a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end timestamp, even though the file is no longer used for audit records. Use the auditreduce -O command to give the file the correct timestamp.

1. List the files with the not_terminated string on your audit file system in order of creation.

   # ls -R1t audit-directory*/files/* | grep not_terminated

   -R

   Lists files in subdirectories.

   -t

   Lists files from most recent to oldest.

   -1

   Lists the files in one column.

2. Clean up the old not_terminated file.

   Specify the name of the old file to the auditreduce -O command.

   # auditreduce -O system-name old-not-terminated-file

3. Remove the old not_terminated file.

   # rm system-name old-not-terminated-file

Example 30-36 Cleaning Up Closed not_terminated Audit Files

In the following example, not_terminated files are found, renamed, then the originals are removed.

ls -R1t */files/* | grep not_terminated
…/egret.1/20030908162220.not_terminated.egret
…/egret.1/20030827215359.not_terminated.egret
# cd */files/egret.1
# auditreduce -O egret 20030908162220.not_terminated.egret
# ls -1t
20030908162220.not_terminated.egret Current audit file
20030827230920.20030830000909.egret Input (old) audit file
20030827215359.not_terminated.egret
# rm 20030827215359.not_terminated.egret
# ls -1t
20030908162220.not_terminated.egret Current audit file
20030827230920.20030830000909.egret Cleaned up audit file

The start timestamp on the new file reflects the time of the first audit event in the not_terminated file. The end timestamp reflects the time of the last audit event in the file.

How to Prevent Audit Trail Overflow

If your security policy requires that all audit data be saved, do the following:

1. Set up a schedule to regularly archive audit files.

   Archive audit files by backing up the files to offline media. You can also move the files to an archive file system.

   If you are collecting text audit logs with the syslog utility, archive the text logs. For more information, see the logadm(1M) man page.

2. Set up a schedule to delete the archived audit files from the audit file system.
3. Save and store auxiliary information.

   Archive information that is necessary to interpret audit records along with the audit trail.

4. Keep records of which audit files have been archived.
5. Store the archived media appropriately.
6. Reduce the volume of audit data that you store by creating summary files.

   You can extract summary files from the audit trail by using options to the auditreduce command. The summary files contain only records for specified types of audit events. To extract summary files, see Example 30-28 and Example 30-32.