FreeBSD 7.0 manual page repository

FreeBSD is a free computer operating system based on BSD UNIX originally. Many IT companies, like DeployIS is using it to provide an up-to-date, stable operating system.

auditreduce - select records from audit trail files

 

NAME

      auditreduce - select records from audit trail files
 

SYNOPSIS

      auditreduce [-A] [-a YYYYMMDD[HH[MM[SS]]]] [-b YYYYMMDD[HH[MM[SS]]]]
                  [-c flags] [-d YYYYMMDD] [-e euid] [-f egid] [-g rgid]
                  [-j id] [-m event] [-o object=value] [-r ruid] [-u auid]
                  [file ...]
 

DESCRIPTION

      The auditreduce utility selects records from the audit trail files based
      on the specified criteria.  Matching audit records are printed to the
      standard output in their raw binary form.  If no file argument is speci‐
      fied, the standard input is used by default.  Use the praudit(1) utility
      to print the selected audit records in human-readable form.
 
      The options are as follows:
 
      -A      Select all records.
 
      -a YYYYMMDD[HH[MM[SS]]]
              Select records that occurred after or on the given datetime.
 
      -b YYYYMMDD[HH[MM[SS]]]
              Select records that occurred before the given datetime.
 
      -c flags
              Select records matching the given audit classes specified as a
              comma separated list of audit flags.  See audit_control(5) for a
              description of audit flags.
 
      -d YYYYMMDD
              Select records that occurred on a given date.  This option cannot
              be used with -a or -b.
 
      -e euid
              Select records with the given effective user ID or name.
 
      -f egid
              Select records with the given effective group ID or name.
 
      -g rgid
              Select records with the given real group ID or name.
 
      -j id   Select records having a subject token with matching ID.
 
      -m event
              Select records with the given event name or number.  See
              audit_event(5) for a description of audit event names and num‐
              bers.
 
      -o object=value
 
              file    Select records containing path tokens, where the pathname
                      matches one of the comma delimited extended regular
                      expression contained in given specification.  Regular
                      expressions which are prefixed with a tilde (‘~’) are
                      excluded from the search results.  These extended regular
                      expressions are processed from left to right, and a path
                      will either be selected or deslected based on the first
                      match.
 
                      Since commas are used to delimit the regular expressions,
                      a backslash (‘\’) character should be used to escape the
                      comma if it is a part of the search pattern.
 
              msgqid  Select records containing the given message queue ID.
 
              pid     Select records containing the given process ID.
 
              semid   Select records containing the given semaphore ID.
 
              shmid   Select records containing the given shared memory ID.
 
      -r ruid
              Select records with the given real user ID or name.
 
      -u auid
              Select records with the given audit ID.
 

EXAMPLES

      To select all records associated with effective user ID root from the
      audit log /var/audit/20031016184719.20031017122634:
 
            auditreduce -e root \
                /var/audit/20031016184719.20031017122634
 
      To select all setlogin(2) events from that log:
 
            auditreduce -m AUE_SETLOGIN \
                /var/audit/20031016184719.20031017122634
 
      Output from the above command lines will typically be piped to a new
      trail file, or via standard output to the praudit(1) command.
 
      Select all records containing a path token where the pathname contains
      /etc/master.passwd:
 
            auditreduce -o file="/etc/master.passwd" \
                /var/audit/20031016184719.20031017122634
 
      Select all records containing path tokens, where the pathname is a TTY
      device:
 
            auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \
                /var/audit/20031016184719.20031017122634
 
      Select all records containing path tokens, where the pathname is a TTY
      except for /dev/ttyp2:
 
            auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \
                /var/audit/20031016184719.20031017122634
      praudit(1), audit_control(5), audit_event(5)
 

HISTORY

      The OpenBSM implementation was created by McAfee Research, the security
      division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
      It was subsequently adopted by the TrustedBSD Project as the foundation
      for the OpenBSM distribution.
 

AUTHORS

      This software was created by McAfee Research, the security research divi‐
      sion of McAfee, Inc., under contract to Apple Computer Inc.  Additional
      authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
 
      The Basic Security Module (BSM) interface to audit records and audit
      event stream format were defined by Sun Microsystems.
 

Sections

Based on BSD UNIX
FreeBSD is an advanced operating system for x86 compatible (including Pentium and Athlon), amd64 compatible (including Opteron, Athlon64, and EM64T), UltraSPARC, IA-64, PC-98 and ARM architectures. It is derived from BSD, the version of UNIX developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Additional platforms are in various stages of development.