AUDITREDUCE(1) | General Commands Manual | AUDITREDUCE(1) |
auditreduce
—
select records from audit trail files
auditreduce
[-A
]
[-a
YYYYMMDD[HH[MM[SS]]]]
[-b
YYYYMMDD[HH[MM[SS]]]]
[-c
flags]
[-d
YYYYMMDD]
[-e
euid]
[-f
egid]
[-g
rgid]
[-j
id]
[-m
event]
[-o
object=value]
[-r
ruid]
[-U
] [-u
auid] [-v
]
[file ...]
The auditreduce
utility selects records
from the audit trail files based on the specified criteria. Matching audit
records are printed to the standard output in their raw binary form. If no
file argument is specified, the standard input is used
by default. Use the praudit(1) utility to print the
selected audit records in human-readable form.
The options are as follows:
-A
-a
YYYYMMDD[HH[MM[SS]]]-b
YYYYMMDD[HH[MM[SS]]]-c
flags-d
YYYYMMDD-a
or -b
.-e
euid-f
egid-g
rgid-j
id-m
event-o
object=valuefile
~
’) are excluded from the
search results. These extended regular expressions are processed from
left to right, and a path will either be selected or deslected based
on the first match.
Since commas are used to delimit the regular expressions,
a backslash (‘\
’) character
should be used to escape the comma if it is a part of the search
pattern.
msgqid
pid
semid
shmid
-r
ruid-U
-u
auid-v
To select all records associated with effective user ID root from the audit log /var/audit/20031016184719.20031017122634:
auditreduce -e root \ /var/audit/20031016184719.20031017122634
To select all setlogin(2) events from that log:
auditreduce -m AUE_SETLOGIN \ /var/audit/20031016184719.20031017122634
Output from the above command lines will typically be piped to a new trail file, or via standard output to the praudit(1) command.
Select all records containing a path token where the pathname contains /etc/master.passwd:
auditreduce -o file="/etc/master.passwd" \ /var/audit/20031016184719.20031017122634
Select all records containing path tokens, where the pathname is a TTY device:
auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \ /var/audit/20031016184719.20031017122634
Select all records containing path tokens, where the pathname is a TTY except for /dev/ttyp2:
auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \ /var/audit/20031016184719.20031017122634
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
January 24, 2004 | Mac OS X 12 |