Sun Microsystems, Inc.
25. BSM Services Reference
The praudit Command

The praudit command reads audit records in binary format from standard input and displays the records in a presentable format. The input can be piped from the auditreduce command or from a single audit file. Input can also be produced with the cat command to concatenate several files, or the tail command for a current audit file.

The praudit command can generate four output formats:

  • Default - The default option displays one audit token per line. The default option displays the audit event by its description, such as ioctl(2), and displays any value that could be text in text format. For example, a user is displayed as the user name, not as the user ID.

  • -l option - The long option displays one audit record per line. The -d option changes the delimiter used between token fields, and between tokens. The default delimiter is a comma.

  • -r option - The raw option displays any value that could be numeric as a number. For example, a user is displayed by user ID, Internet addresses are in hexadecimal format, and modes are in octal format. The audit event is displayed as its event number, such as 158.

  • -s option - The short option displays the audit event by its table name, for example, AUE_IOCTL. The option displays the other tokens as the default option displays them.

In the default output format of praudit, each record is easily identified as a sequence of audit tokens where each token is on a separate line. Each record begins with a header token. You could, for example, further process the output with the awk command.

Here is the default output from the praudit command for a header token:

header,240,1,ioctl(2),es,Tue Sept  7 16:11:44 1999, + 270 msec

Here is the output from the praudit -r command for the same header token:

20,240,1,158,0003,699754304, + 270 msec

Sometimes, you might want to manipulate output from the praudit command as lines of text. For example, you might want to select records that the auditreduce command cannot select. You can use a simple shell script to process the output of praudit. The following simple example script marks the header tokens by prefixing them with Control-A, combines all the audit tokens for one record onto one line while preserving the line breaks as Control-A, runs the grep command, and restores the original newline breaks.

#!/bin/sh
# Usage: script pattern   (praudit reads the binary audit records on stdin)
# sed:  drop the first two lines, blank the trailing file token, and prefix
#       every header token with Control-A (written ^a below)
# tr:   newline -> Control-B and Control-A -> newline, so each record is one line
# grep: select whole records; the final tr restores the original line breaks
praudit | sed -e '1,2d' -e '$s/^file.*$//' -e 's/^header/^aheader/' \
| tr '\012\001' '\002\012' \
| grep "$1" \
| tr '\002' '\012'

Note that the ^a in the script is Control-A, not the two characters ^ and a. The prefix distinguishes the header token from the string header that might appear as text.
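The same record-level selection can be done without the Control-A trick by letting awk (which the page suggests as a post-processor) buffer the tokens of each record. This is an added example, not a script from the Sun manual: praudit_select and count_records are names chosen here, and SAMPLE_PRAUDIT is constructed praudit default output modelled on the header token shown above, not a real audit trail.

```shell
#!/bin/sh
# Added example: join praudit default output into one line per record and
# select records by pattern with awk instead of Control-A/Control-B markers.
# Assumes praudit default output: one token per line, every record starting
# with a "header," token, file tokens at the start and end of the trail.

# Constructed sample (not real audit data), modelled on the page's header token.
SAMPLE_PRAUDIT='file,Tue Sep  7 16:11:00 1999, + 0 msec,/var/audit/19990907161100.not_terminated.host1
header,240,1,ioctl(2),es,Tue Sep  7 16:11:44 1999, + 270 msec
path,/dev/tty
subject,alice,alice,staff,alice,staff,1234,5678,0 0 host1
return,success,0
header,120,1,ioctl(2),es,Tue Sep  7 16:12:01 1999, + 10 msec
path,/tmp/header
subject,bob,bob,staff,bob,staff,1300,1300,0 0 host1
return,failure,Invalid argument
file,Tue Sep  7 16:13:00 1999, + 0 msec,/var/audit/19990907161100.19990907161300.host1'

# praudit_select PATTERN [DELIM]
# Reads praudit default output on stdin and prints each record whose joined
# form matches PATTERN (an awk ERE; backslashes are processed by -v) as one
# line, tokens separated by DELIM (default "|").  Only a line that starts with
# "header," opens a record, so the word "header" inside a path or text token
# (as in /tmp/header above) does not split a record.
praudit_select() {
    awk -v pat="$1" -v delim="${2:-|}" '
        function emit() { if (rec != "" && rec ~ pat) print rec; rec = "" }
        /^file,/   { emit(); next }            # file tokens bracket the trail; drop them
        /^header,/ { emit(); rec = $0; next }  # a header token starts a new record
        rec != ""  { rec = rec delim $0 }      # every other token joins the open record
        END        { emit() }
    '
}

# count_records PATTERN: number of sample records whose joined form matches.
count_records() {
    printf '%s\n' "$SAMPLE_PRAUDIT" | praudit_select "$1" | wc -l | tr -d ' '
}
```

With a real trail, replace the sample with `praudit < /var/audit/file | praudit_select 'return,failure'`; a praudit token whose text itself contains a newline would still be split across two lines.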

The auditconfig Command

The auditconfig command provides a command-line interface to retrieve and set audit configuration parameters. See the auditconfig(1M) man page. Options to the auditconfig command include the following:

-chkconf

Checks the configuration of kernel event-to-class mappings and reports any inconsistencies.

-conf

Reconfigures kernel event-to-class mappings at runtime to match the current mappings in the audit_event file.

-getcond

Retrieves the state of auditing on the machine. The following table shows the possible responses.

Table 25-1 Possible Auditing Conditions

Response    Meaning
--------    -------------------------------------------------------
auditing    Auditing is enabled and turned on.
no audit    Auditing is enabled, but the audit daemon is not running.
disabled    Auditing is not enabled.

-setcond condition

Sets the state of auditing on the machine to one of auditing or noaudit.

-getclass event_number

Retrieves the preselection classes to which the specified event is mapped.

-setclass event_number audit_flags

Sets the preselection classes to which the specified event is mapped.

-lsevent

Displays the currently configured (runtime) kernel and user audit event information.

-getpinfo pid

Retrieves the audit ID, preselection mask, terminal ID, and audit session ID of the specified process.

-setpmask pid flags

Sets the preselection mask of the specified process.

-setsmask asid flags

Sets the preselection mask of all processes with the specified audit session ID.

-setumask auid flags

Sets the preselection mask of all processes with the specified user audit ID.

-lspolicy

Displays the list of audit policies with a short description of each policy.

-getpolicy

Shows the current audit policy flags.

-setpolicy policy_flag[,policy_flag]

Sets the audit policy flags to the specified policies (see "Determining Which Audit Policies to Use").

Audit Files

Auditing uses the following files:

The /etc/system File

The /etc/system file contains commands that the kernel reads during initialization to customize the system operations. The bsmconv and bsmunconv shell scripts, which are used to activate and deactivate auditing, modify the /etc/system file. The bsmconv shell script adds the following lines to the /etc/system file:

set c2audit:audit_load=1
set abort_enable=0

The first command causes the c2audit loadable kernel module (auditing module) to be loaded when the system is booted. The second command disables the use of the Stop-A keyboard sequence. The Stop-A keyboard sequence halts the system and can invoke a debugger, which could be a security breach. The bsmunconv shell script removes these lines, which results in auditing being disabled when the system is rebooted.

 
 
 