Managing Audit Records
Managing the audit trail enables you to monitor the actions of users on your network. Auditing can generate large amounts of data. The following tasks show you how to work with all this data.
Managing Audit Records (Task Map)
The following task map describes the tasks in this section.
Task | Description | For Instructions |
---|---|---|
Merge audit records | Combines audit files from several machines into one audit trail. | |
Display audit record formats | Displays the order of tokens for a particular audit event. | |
Prevent audit trail overflow | Prevents the audit file systems from completely filling up. | |
How to Merge Audit Records
This task shows you how to merge all audit files in all the audit directories. Follow these steps when you want to analyze the contents of the audit trail.
Become superuser or assume an equivalent role.
Change directories to the primary audit directory.
# cd /etc/security/audit/server-name.1/files
Running auditreduce from this directory places the merged file in this protected directory.
Merge the audit records.
# auditreduce > merged.log
All directories that are listed in the dir: lines of the audit_control file on server-name are merged and placed in the file called merged.log.
Example -- Displaying the Entire Audit Trail
To display the entire audit trail at once, pipe the output of the auditreduce command into the praudit command.
# auditreduce | praudit
Example -- Printing the Entire Audit Trail
With a pipe to the lp command, the output goes to the printer.
# auditreduce | praudit | lp
Example -- Combining and Reducing Audit Files
Use auditreduce with the -O option to combine several audit files into one file and to save them in a specified output file. auditreduce can do this type of combination and deletion automatically (see the -C and -D options in the auditreduce(1M) man page). However, it is often easier to select the files manually (perhaps with the find command) and use auditreduce to combine just the named set of files.
When used in this way, auditreduce merges all the records from its input files into a single output file. The input files should then be deleted. In addition, the output file should be kept in a directory that is named /etc/security/audit/server-name/files so that auditreduce can find it.
# auditreduce -O combined-filename
The auditreduce command can also reduce the number of records in its output file by eliminating the less interesting records as it combines the input files. For example, you might use auditreduce to retain only the login and logout records in audit files that are over a month old. If you need to retrieve the complete audit trail, you could recover it from backup tapes.
# auditreduce -O daily.summary -b 19990413 -c lo; compress *daily.summary
# mv *daily.summary /etc/security/summary.dir
Example -- Displaying User Activity From a Selected Date
In the following example, the system administrator checks to see when user tamiko logged in and logged out on April 13, 1999, by requesting the lo event class. The short-form date is in the form yymmdd. The long form is described in the auditreduce(1M) man page.
# auditreduce -d 990413 -u tamiko -c lo | praudit
Example -- Copying Selected Records to a Single File
In this example, login and logout messages for a particular day are selected from the audit trail and merged into a target file. The target file is written in a directory other than the normal audit root directory.
# auditreduce -c lo -d 990413 -O /usr/audit_summary/logins
The -O option creates an audit file with 14-character timestamps for both the start-time and the end-time, with the suffix logins:
/usr/audit_summary/19990413000000.19990413235959.logins
Example -- Cleaning Up a not_terminated Audit File
Occasionally, an audit daemon dies while its audit file is still open, or a server becomes inaccessible and forces the machine to switch to a new server. In such instances, an audit file remains with the string not_terminated as the end-time, even though the file is no longer used for audit records. When you find such a file, you can manually verify that the file is no longer in use and clean it up by specifying the name of the file with the correct options.
# audit -s 19990414121112.not_terminated.egret
# auditreduce -O egret 19990413120429.not_terminated.egret
The audit command checks the name of the current audit file. The auditreduce command creates a new audit file whose name carries the correct start and end timestamps and the suffix given with -O (egret), and copies all the records from the not_terminated file into it.
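The cleanup above is done by hand on one file. The following script is an added example (not part of the Solaris documentation) that finds every stale not_terminated file in an audit directory and prints the matching auditreduce command for each. It relies only on the file-naming convention described above (start.end.host, with 14-digit timestamps, and not_terminated in the end field of an open file). It assumes that a single audit daemon writes into the directory, so that the newest not_terminated file is the daemon's current file and only older ones are stale; the directory and file names in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: find stale
# not_terminated audit files so they can be closed with "auditreduce -O".
#
# BSM audit files are named start.end.host, both timestamps being 14-digit
# yyyymmddhhmmss, and an open file carries the string not_terminated in the
# end field. Because the timestamps are fixed-width, sorting the names
# lexically also sorts them chronologically.
#
# Assumption (not from the page): a single audit daemon writes into the
# directory, so the newest not_terminated file is its current file and only
# older ones are stale.

# Print the names of every not_terminated file in $1 except the newest.
stale_not_terminated() {
    for f in "$1"/*.not_terminated.*; do
        [ -f "$f" ] && printf '%s\n' "${f##*/}"
    done | sort | sed '$d'
}

# Print, without executing, the cleanup command for each stale file. The
# output suffix is the host name taken from the stale file's own name, as in
# the example above. Run the printed commands from the audit directory, and
# only after confirming that the audit daemon's current file is a different one.
cleanup_commands() {
    stale_not_terminated "$1" | while read -r name; do
        printf 'auditreduce -O %s %s\n' "${name##*.not_terminated.}" "$name"
    done
}

# Demonstration on constructed file names in a scratch directory.
demo() {
    d=${TMPDIR:-/tmp}/audit_demo.$$
    mkdir -p "$d"
    touch "$d/19990412120000.19990413120400.egret" \
          "$d/19990413120429.not_terminated.egret" \
          "$d/19990414121112.not_terminated.egret"
    echo "stale files:"
    stale_not_terminated "$d"
    echo "commands to run from the audit directory:"
    cleanup_commands "$d"
    rm -rf "$d"
}

demo
```

The script prints commands rather than running them so that the list can be checked against the daemon's current file first; a file that is still being written must not be rewritten with auditreduce.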
How to Display Audit Record Formats
The following command displays the formats of all audit event records. This command operates on records in the audit_class, audit_event, and audit_record_attr files.
# bsmrecord -a
Example -- Displaying the Format of an Audit Record
In this example, the format of the audit record with an ID of 6152 is displayed.
# bsmrecord -i 6152
#
# login: terminal login program
#   /usr/sbin/login                see login(1)
#   event ID   6152                AUE_login
#   class      lo                  (0x00001000)
#       header-token
#       subject-token
#       text-token                 error message
#       exit-token
#
How to Prevent Audit Trail Overflow
If your security policy requires that all audit data be saved, do the following:
Set up a schedule to regularly archive audit files and to delete the archived audit files from the audit file system.
Manually archive audit files by backing them up on tape or by moving them to an archive file system.
Store context-sensitive information that will be needed to interpret audit records, along with the audit trail.
Keep records of which audit files are moved offline.
Store the archived tapes appropriately.
Reduce the volume of audit data that you store by creating summary files.
You can extract summary files from the audit trail by using options to auditreduce so that the summary files contain only records for certain specified types of audit events. For examples, see "Example -- Combining and Reducing Audit Files" and "Example -- Copying Selected Records to a Single File".
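The archiving steps above are a procedure rather than a command. The following script is an added example (not part of the Solaris documentation) that carries out the first and fourth steps for one audit directory: it moves every closed audit file whose end time falls before a cutoff into an archive directory and appends one line per moved file to a record of what went offline, leaving the summary step to auditreduce as shown in the examples cited above. It uses only the file-naming convention (start.end.host with 14-digit timestamps; an open file has not_terminated in the end field and is never moved). The cutoff format (yyyymmdd or a full 14-digit timestamp), the plain-text log, and the demonstration file names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: move closed audit files
# that ended before a cutoff to an archive directory and record what went
# offline. Summarising what remains is left to auditreduce.
#
# Audit file names are start.end.host with 14-digit yyyymmddhhmmss
# timestamps; an open file has not_terminated in the end field and is never
# moved. Assumptions (not from the page): the cutoff is given as yyyymmdd or
# as a full 14-digit timestamp, and the record of offline files is a plain
# text file kept beside the audit trail.

# Expand yyyymmdd to the first second of that day; pass 14 digits through.
# The yymmdd short form of auditreduce is not accepted: which century it
# maps to is an auditreduce detail this script should not guess.
start_of_day() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s000000\n' "$1" ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$1" ;;
        *) echo "start_of_day: expected yyyymmdd or yyyymmddhhmmss, got '$1'" >&2; return 1 ;;
    esac
}

# archive_audit_files SRC DEST CUTOFF LOG
#   SRC    directory holding the audit files (for example .../host.1/files)
#   DEST   archive directory; created if missing
#   CUTOFF 14-digit timestamp; files whose end time is earlier are moved
#   LOG    file that receives one line per moved file
# Prints the number of files moved.
archive_audit_files() {
    src=$1 dest=$2 cutoff=$3 log=$4
    mkdir -p "$dest"
    moved=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        rest=${name#*.}          # end.host
        end=${rest%%.*}          # end timestamp, or not_terminated
        case $end in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
            *) continue ;;       # still open, or not an audit file at all
        esac
        # both values are 14 digits, so integer comparison is chronological
        if [ "$end" -lt "$cutoff" ]; then
            mv "$f" "$dest/$name"
            printf '%s moved %s to %s\n' "$(date +%Y%m%d%H%M%S)" "$name" "$dest" >> "$log"
            moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Demonstration on constructed file names in a scratch directory.
demo() {
    d=${TMPDIR:-/tmp}/audit_archive_demo.$$
    mkdir -p "$d/files"
    touch "$d/files/19990301000000.19990301235959.egret" \
          "$d/files/19990413000000.19990413235959.egret" \
          "$d/files/19990414121112.not_terminated.egret"
    n=$(archive_audit_files "$d/files" "$d/archive" "$(start_of_day 19990401)" "$d/offline.log")
    echo "moved $n file(s); offline record:"
    cat "$d/offline.log"
    rm -rf "$d"
}

demo
```

Moving files to a local archive directory stands in for the tape or archive file system the text describes; the offline record is what lets a later investigation find a file that is no longer in the audit file system.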
Managing Device Allocation
You can use device allocation to decrease the security risk that is associated with various removable media.
Adding an Allocatable Device (Task Map)
The following task map describes the major steps that are required to define a new allocatable device.
Task | Description | For Instructions |
---|---|---|
1. Create or change an entry in the device_allocate file | Defines which devices are controlled by the device-allocation mechanism. | |
2. Create a lock file | Enables the device allocation mechanism to work on a specific device. | |
3. (Optional) Create a device-clean script | Purges data from a physical device. | |
4. Allocate the device | Adds a device to the device-allocation mechanism. | |
5. (Optional) Deallocate the device | Removes a device from use. | |