Viewing binary audit files

12:25 pm Solaris Security

Previously I set up auditing (see this post), but used only praudit for very basic viewing of the audit files. There is another, more powerful command, auditreduce. As always, consult the man pages, but here are the most common uses of this command.

Of course, first of all it will not work on the currently active audit file, so use the audit -n command to roll that over.

An audit log file name looks like this: 20071218114258.20071218143001.amsterdam

The name is formatted as yyyymmddhhmm.yyyymmddhhmm.hostname. The first field is the log start time and the second the end time. An unterminated log file looks like 20071218143001.not_terminated.amsterdam. Running audit -n rolls it over to 20071218143001.20071219010332.amsterdam, which also makes it readable.
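As an added example (not part of the original post), here is a small shell script that uses the file-name format above to find which files under /var/audit cover a given time window, and whether the active not_terminated file is among them, so you know to run audit -n first. The function names and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: select the audit files whose span
# overlaps a window of interest using only the file-name format described
# above (start.end.hostname, stamps to the second as in the examples). The
# active file ends in "not_terminated" and is treated as open-ended.

# audit_span FILE -> "START END" from the first two dot-separated fields.
audit_span() {
    name=${1##*/}                      # drop any directory prefix
    rest=${name#*.}
    printf '%s %s\n' "${name%%.*}" "${rest%%.*}"
}

# pad14 STAMP FILLER -> STAMP right-padded with FILLER to 14 digits, so a bare
# date such as 20071218 can stand in for a full timestamp.
pad14() {
    s=$1
    while [ ${#s} -lt 14 ]; do s="$s$2"; done
    printf '%s' "$s"
}

# audit_files_overlapping FROM TO FILE... -> prints the files whose span
# overlaps [FROM,TO]; FROM and TO may be full stamps or yyyymmdd prefixes.
audit_files_overlapping() {
    from=$(pad14 "$1" 0); to=$(pad14 "$2" 9); shift 2
    for f in "$@"; do
        span=$(audit_span "$f")
        start=${span%% *}; end=${span#* }
        case $end in not_terminated) end=99999999999999 ;; esac  # still being written
        # 14-digit stamps compare as ordinary (64-bit) integers
        if [ "$start" -le "$to" ] && [ "$end" -ge "$from" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# needs_rollover FILE... -> succeeds when the active file is among FILE...,
# i.e. run `audit -n` before trying to read this set.
needs_rollover() {
    case " $* " in *.not_terminated.*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample listing (not real data), in /var/audit order.
SAMPLE_FILES="20071218114258.20071218143001.amsterdam
20071218143001.20071219010332.amsterdam
20071219010332.20071220003000.amsterdam
20071220003000.not_terminated.amsterdam"
# Which files hold the afternoon of 18 Dec 2007? Two files, no rollover needed.
audit_files_overlapping 20071218130000 20071218150000 $SAMPLE_FILES
```

Point it at the real directory with audit_files_overlapping FROM TO /var/audit/*, then feed the matching files to praudit or auditreduce.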

To list one of these files use: # praudit 20071218143001.20071219010332.amsterdam. The output is more readable with the -l flag, which converts the records to ASCII and prints one record per line: # praudit -l 20071218143001.20071219010332.amsterdam

To avoid dealing with file names at all, use the auditreduce command. # auditreduce | praudit -l will show ALL logged events. Fortunately auditreduce lets us be more specific.

# auditreduce -c lo | praudit -l will show ALL login/logout events.

# auditreduce -u <username> -c lo | praudit -l will show ALL logins/logouts for the specified user.

# auditreduce -u <username> -a 20071216 -c lo | praudit will show ALL logins/logouts from 16/12/07 for the specified user.

# auditreduce -u <username> -a 20071101 -b +31d -c lo | praudit will show ALL logins/logouts for November 07 for the specified user.

So I created a quick script to collect this information and log it for me. Every day it will log the last 2 days of all user logins. The script requires the coreutils package (for GNU date with -d) and the directory /var/audit/log to exist. Oh, and to save space this script will only work in December.

#!/bin/bash
# Roll over the active audit file so the closed file can be read
audit -n
# GNU date from coreutils is needed for -d; output looks like "Sun Dec 16 12:25:00 CET 2007"
DATE=$(/usr/local/bin/date -d "-2 day")
month=$(echo $DATE | awk '{print $2}')
case $month in
Dec) DATE="$DATE 12" ;;
esac
# Build yyyymmdd from year ($6), month number ($7) and day ($3); %02d pads single-digit days
datetocheck=$(echo $DATE | awk '{printf "%s%s%02d\n", $6, $7, $3}')
DATE=$(date '+%y-%m-%d')
auditreduce -a $datetocheck -c lo | praudit -l | grep login | awk '{print $3 $4 $5}' >> /var/audit/log/log.$DATE

See also: praudit, auditreduce, bsmconv, auditd
