diff options
Diffstat (limited to 'contrib/openbsm/bin/auditreduce/auditreduce.1')
| -rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.1 | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1 new file mode 100644 index 0000000..6374e5b --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.1 @@ -0,0 +1,153 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDITREDUCE 1 +.Os +.Sh NAME +.Nm auditreduce +.Nd "select records from audit trail files" +.Sh SYNOPSIS +.Nm auditreduce +.Op Fl A +.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl c Ar flags +.Op Fl d Ar YYYYMMDD +.Op Fl e Ar euid +.Op Fl f Ar egid +.Op Fl g Ar rgid +.Op Fl r Ar ruid +.Op Fl u Ar auid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object=value +.Op Ar file ... +.Sh DESCRIPTION +The +.Nm +utility selects records from the audit trail files based on the specified +criteria. +Matching audit records are printed to the standard output in +their raw binary form. +If no filename is specified, the standard input is used +by default. +Use the +.Nm praudit +utility to print the selected audit records in human-readable form. +See +.Xr praudit 1 +for more information. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl A +Select all records. +.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred after or on the given datetime. +.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred before the given datetime. +.It Fl c Ar flags +Select records matching the given audit classes specified as a comma +separated list of audit flags. +See +.Xr audit_control 5 +for a description of audit flags. +.It Fl d Ar YYYYMMDD +Select records that occurred on a given date. +This option cannot be used with +.Fl a +or +.Fl b +.It Fl e Ar euid +Select records with the given effective user id or name. +.It Fl f Ar egid +Select records with the given effective group id or name. +.It Fl g Ar rgid +Select records with the given real group id or name. +.It Fl r Ar ruid +Select records with the given real user id or name. +.It Fl u Ar auid +Select records with the given audit id. +.It Fl j Ar id +Select records having a subject token with matching ID. +.It Fl m Ar event +Select records with the given event name or number. +See +.Xr audit_event 5 +for a description of audit event names and numbers. +.It Fl o Ar object=value +.Bl -tag -width Ds +.It Nm file +Select records containing the given path name. +file="/usr" matches paths +starting with +.Pa usr . +file="~/usr" matches paths not starting with +.Pa usr . +.It Nm msgqid +Select records containing the given message queue id. +.It Nm pid +Select records containing the given process id. +.It Nm semid +Select records containing the given semaphore id. +.It Nm shmid +Select records containing the given shared memory id. +.El +.El +.Sh Examples +.Pp +To select all records associated with effective user ID root from the audit +log /var/audit/20031016184719.20031017122634: +.Pp +.Nm +-e root /var/audit/20031016184719.20031017122634 +.Pp +To select all +.Xr setlogin 2 +events from that log: +.Pp +.Nm +-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Sh SEE ALSO +.Xr audit_control 5 , +.Xr audit_event 5 , +.Xr praudit 1 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. |
