reduce(ADM)
reduce -- perform audit data analysis and reduction
Syntax
/tcb/bin/reduce [ -s session ] [ -e nproc ] [ -i ] [ -p selection_file ]
Description
reduce performs selective audit data reduction on compacted audit output files that were written by the audit daemon.
Each audit record from the compaction files is examined during reduction to
see if it meets the selectivity criteria established by the audit administrator.
If so, the record is formatted and sent to standard output.
Reduction is performed on all files written by the audit daemon during a specified boot session.
Each time the audit subsystem is enabled and disabled, a new session number is generated. This session number is used to stamp the filenames generated during the session so that they are easily recognizable. The audit daemon records each filename to which it writes compacted data in a log file. The log file is always written to the secure directory, /tcb/files/audit. Each session log file is uniquely named with the prefix ``CAFLOG'' followed by the session number. Thus, by specifying a session number for reduction, reduce is able to locate the log file and read it to determine certain setup parameters and the list of input files to be reduced.
If necessary, the -e option may be used to specify the process table size (NPROC) of the kernel that produced the audit session. The argument nproc should be greater than or equal to the kernel's NPROC.
The -i option overrides the suspension of auditing on processes that have the suspendaudit authorization set. Note that only mandatory system calls are audited for processes which have suspendaudit set.
Use the Accounts selection of the Audit manager to reduce data selectively. This calls auditsh(ADM) to set up an audit selection file. Specify this file to reduce using the argument selection_file to the -p option.
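The following is an added example, not part of this manual page or of SCO's reduce, showing how a shell script can enumerate the sessions available for reduction from the CAFLOG<session> log file names in the secure directory and assemble the reduce command line (with the optional -e and -p arguments) for one of them. The directory override, the session numbers and the selection file path shown in the usage comment are assumptions for illustration.

```sh
#!/bin/sh
# Added example; not code from SCO's reduce. AUDIT_DIR defaults to the
# secure directory named in the man page and may be overridden for testing.
AUDIT_DIR=${AUDIT_DIR:-/tcb/files/audit}

# list_sessions [dir]
# Print, one per line and in numeric order, the session numbers for which a
# CAFLOG<session> log file exists in dir (default AUDIT_DIR).
list_sessions() {
  dir=${1:-$AUDIT_DIR}
  for f in "$dir"/CAFLOG*; do
    [ -f "$f" ] || continue              # no match leaves the literal pattern
    s=${f##*/CAFLOG}
    case $s in
      ''|*[!0-9]*) continue ;;           # suffix is not a session number
    esac
    printf '%s\n' "$s"
  done | sort -n
}

# reduce_cmd session [nproc] [selection_file]
# Print the reduce command line for a session; -e is added only when an
# nproc value is supplied (it must be >= the NPROC of the kernel that wrote
# the session), and -p only when a selection file is supplied.
reduce_cmd() {
  cmd="/tcb/bin/reduce -s $1"
  if [ -n "$2" ]; then cmd="$cmd -e $2"; fi
  if [ -n "$3" ]; then cmd="$cmd -p $3"; fi
  printf '%s\n' "$cmd"
}

# run_reduce session [nproc] [selection_file]
# Run reduce with the same argument handling, passing each argument intact
# (no eval, so a selection file path containing spaces is safe).
run_reduce() {
  session=$1 nproc=$2 selfile=$3
  set -- -s "$session"
  if [ -n "$nproc" ]; then set -- "$@" -e "$nproc"; fi
  if [ -n "$selfile" ]; then set -- "$@" -p "$selfile"; fi
  /tcb/bin/reduce "$@"
}

# Usage (assumed values): reduce the most recent session with the selection
# file written by auditsh, saving the formatted records for later review.
# last=$(list_sessions | tail -n 1)
# run_reduce "$last" "" /tmp/selection > "reduce.$last.out"
```

The functions only read the CAFLOG file names; they do not parse the log file contents, whose format this page does not describe, so reduce itself remains the only consumer of the list of input files recorded there.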
Data is reduced based on a set of input selection criteria that governs the selection of records for printing. Records may be selected based on event type, time of event occurrence, user ID, group ID, or object:
- Time interval selection allows records to be selected only if they occurred within a certain time period.
- Event type selection allows records to be selected only if their event type is one of those specified.
- User ID and group ID selection allow records that were generated by certain users or groups to be selected.
- Object selection applies to those record types that refer to a specific file. Some records refer to multiple files; a single match for those record types results in the record being selected.
Time and event type selection always take precedence over user/group ID and object selection: a record whose event type is not selected is discarded even if its user ID is selected. A record that passes the time and event type criteria is selected if its user ID, group ID, or object matches one of the specified values. If only time and event types are specified, all records of matching event types in the interval are selected. If only event type selection is requested, all matching events are selected from every record produced in that session (for example, if the event mask enables selection for all events and no time interval is specified, all records are listed).
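The precedence rules above, as an added illustration that is not part of this manual page or of SCO's reduce: a small awk filter, driven from the shell, that applies the time and event type tests first and only then the user ID or object match, run over constructed sample records. The record layout (epoch|event|uid|gid|object) is an assumption made for the example; it is not the real compacted audit record format, and group ID selection is omitted to keep the filter short.

```sh
#!/bin/sh
# Added illustration of reduce's selection precedence; not code from reduce.
# Constructed sample records: epoch|event|uid|gid|object (this layout is an
# assumption for the example, not the real compacted audit record format).
SAMPLE_RECORDS='1000|open|100|10|/etc/passwd
1100|exec|100|10|/bin/sh
1200|open|200|20|/etc/shadow
1300|open|100|10|/tmp/scratch
2000|open|100|10|/etc/passwd'

# select_records START END EVENTS UIDS OBJECTS
#   START/END : epoch bounds of the time interval ("" = no interval)
#   EVENTS    : comma-separated event types (event type selection is required)
#   UIDS      : comma-separated user IDs ("" = no user selection)
#   OBJECTS   : comma-separated object names ("" = no object selection)
# Records failing the event or time test are discarded even if the user or
# object matches; records passing them are kept when no user/object criteria
# were given, or when at least one of those criteria matches.
select_records() {
  printf '%s\n' "$SAMPLE_RECORDS" | awk -F'|' \
    -v start="$1" -v end="$2" -v events="$3" -v uids="$4" -v objs="$5" '
  BEGIN {
    n  = split(events, e, ","); for (i = 1; i <= n;  i++) ev[e[i]]  = 1
    nu = split(uids,   u, ","); for (i = 1; i <= nu; i++) uid[u[i]] = 1
    no = split(objs,   o, ","); for (i = 1; i <= no; i++) obj[o[i]] = 1
  }
  {
    # time and event type take precedence over everything else
    if (!($2 in ev)) next
    if (start != "" && ($1 + 0 < start + 0 || $1 + 0 > end + 0)) next
    # only time/event given: everything that got this far is selected
    if (nu == 0 && no == 0) { print; next }
    # otherwise a user ID or object match is required
    if (($3 in uid) || ($5 in obj)) print
  }'
}

# count_selected: same arguments as select_records, prints the number selected
count_selected() {
  select_records "$@" | awk 'END { print NR }'
}
```

Running `select_records "" "" exec 200 ""` selects nothing: the only record with user ID 200 is an open, and the event type test discards it before the user ID is consulted, which is the precedence the text describes.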
The format of the reduced data varies with the type of event being processed. Each record includes the process ID of the process being audited, the date and time of the event, the type of audit event, an indication of success or failure for the event, and if applicable, the object names that were accessed.
Items that are displayed for events include the following:
Process ID-
The process ID of the process that generated the audit record.
User IDs-
The login user ID, effective user ID, real user
ID, effective group ID, and the real group ID are output for the process generating the audit record.
Date/Time-
Each audit record is time stamped at generation time. The time value is
formatted to produce a date/time string similar to that printed by
ctime(S).
Event type-
Each audit record is classified into a certain event depending on what type
of system call was performed or what type of action was taken by a trusted
application.
Action-
Many event types are broad categories into which certain actions are classified.
The reduction program makes use of other data in the record to provide further
discrimination between process actions that fall into the category. For system
calls, the actual system call audited is output. For applications, a more
specific action identifier is provided.
Object(s)-
Many events involve files or special devices that are classified as objects.
The name of the objects affected by process actions are recorded for data
reduction. Depending on the event and action type, some output records may
include one or more object names.
Modes-
For certain event types, the modes of a file or an IPC object may be
modified. For these records, the old and new values of the owner, group,
and object mode are displayed.
Username-
Some events are user-account oriented, such as login and logoff, as are
certain administrative functions. These output records include the username
of the account that was responsible for the audited action.
Result-
Each output record carries an indicator of whether the action was successful or not. Unsuccessful actions are sometimes more important than successful ones, since they may indicate attempts to penetrate the system. For system calls that fail, the specific error number and error message are output. For applications, an error message describing the failure is output.
Exit values
Upon successful completion, the program exits with status 0.
Authorization
Permission to use this utility requires the audit authorization in authorize(F).
See also
audit(HW),
auditd(ADM),
auditsh(ADM),
``Understanding the audit subsystem'' in the System Administration Guide
Standards conformance
reduce is not part of any currently supported standard; it is
an extension of AT&T System V
provided by The Santa Cruz Operation, Inc.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003