.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\"    its contributors may be used to endorse or promote products derived
.\"    from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd February 20, 2020
.Dt AUDITREDUCE 1
.Os
.Sh NAME
.Nm auditreduce
.Nd "select records from audit trail files"
.Sh SYNOPSIS
.Nm
.Op Fl A
.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl c Ar flags
.Op Fl d Ar YYYYMMDD
.Op Fl e Ar euid
.Op Fl f Ar egid
.Op Fl g Ar rgid
.Op Fl j Ar id
.Op Fl m Ar event
.Op Fl o Ar object Ns = Ns Ar value
.Op Fl r Ar ruid
.Op Fl u Ar auid
.Op Fl v
.Op Fl z Ar zone
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility selects records from the audit trail files based on the specified
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
If no
.Ar file
argument is specified, the standard input is used
by default.
Use the
.Xr praudit 1
utility to print the selected audit records in human-readable form.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl A
Select all records.
.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred after or on the given datetime.
.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred before the given datetime.
.It Fl c Ar flags
Select records matching the given audit classes specified as a comma
separated list of audit flags.
See
.Xr audit_control 5
for a description of audit flags.
.It Fl d Ar YYYYMMDD
Select records that occurred on a given date.
This option cannot be used with
.Fl a
or
.Fl b .
.It Fl e Ar euid
Select records with the given effective user ID or name.
.It Fl f Ar egid
Select records with the given effective group ID or name.
.It Fl g Ar rgid
Select records with the given real group ID or name.
.It Fl j Ar id
Select records having a subject token with matching ID, where ID is a process ID.
.It Fl m Ar event
Select records with the given event name or number.
This option can be used more than once to select records of multiple
event types.
See
.Xr audit_event 5
for a description of audit event names and numbers.
.It Fl o Ar object Ns = Ns Ar value
.Bl -tag -width ".Cm msgqid"
.It Cm file
Select records containing path tokens, where the pathname matches
one of the comma-delimited extended regular expressions contained in the
given specification.
Regular expressions which are prefixed with a tilde
.Pq Ql ~
are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deselected based on the first match.
.Pp
Since commas are used to delimit the regular expressions, a backslash
.Pq Ql \e
character should be used to escape the comma if it is a part of the search
pattern.
.It Cm msgqid
Select records containing the given message queue ID.
.It Cm pid
Select records containing the given process ID.
.It Cm semid
Select records containing the given semaphore ID.
.It Cm shmid
Select records containing the given shared memory ID.
.El
.It Fl r Ar ruid
Select records with the given real user ID or name.
.It Fl u Ar auid
Select records with the given audit ID.
.It Fl v
Invert sense of matching, to select records that do not match.
.It Fl z Ar zone
Select records from the given zone(s).
.Ar zone
is a glob for zones to match.
.El
.Sh EXAMPLES
To select all records associated with effective user ID root from the audit
log
.Pa /var/audit/20031016184719.20031017122634 :
.Bd -literal -offset indent
auditreduce -e root \e
    /var/audit/20031016184719.20031017122634
.Ed
.Pp
To select all
.Xr setlogin 2
events from that log:
.Bd -literal -offset indent
auditreduce -m AUE_SETLOGIN \e
    /var/audit/20031016184719.20031017122634
.Ed
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
.Xr praudit 1
command.
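The left-to-right, first-match semantics of the -o file= specification described above (tilde exclusions, backslash-escaped commas, and the -v inversion) modelled in Python as an added example; this is not OpenBSM's own code, and Python's re module is assumed as a stand-in for the POSIX extended regular expressions auditreduce uses.

```python
import re

def parse_file_spec(spec):
    """Split an auditreduce -o file= value into (exclude, regex) pairs.
    Commas delimit patterns, a backslash escapes a literal comma inside a
    pattern, and a leading '~' marks the pattern as an exclusion."""
    patterns, buf, i = [], [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec) and spec[i + 1] == ",":
            buf.append(",")            # escaped comma belongs to the pattern
            i += 2
            continue
        if ch == ",":
            patterns.append("".join(buf))   # unescaped comma ends a pattern
            buf = []
        else:
            buf.append(ch)
        i += 1
    patterns.append("".join(buf))
    parsed = []
    for pat in patterns:
        exclude = pat.startswith("~")
        # Python re stands in for POSIX ERE here (assumption).
        parsed.append((exclude, re.compile(pat[1:] if exclude else pat)))
    return parsed

def path_selected(path, parsed):
    """Try patterns left to right; the first one that matches decides.
    A '~' pattern deselects the path, any other pattern selects it, and a
    path matching nothing is not selected.  Unanchored search, to mirror
    the 'pathname contains' wording of the EXAMPLES section."""
    for exclude, rx in parsed:
        if rx.search(path):
            return not exclude
    return False

def select_paths(paths, spec, invert=False):
    """Apply a -o file= specification to path-token pathnames.
    invert=True mirrors -v: return the paths that would NOT be selected."""
    parsed = parse_file_spec(spec)
    return [p for p in paths if path_selected(p, parsed) != invert]

# Constructed sample pathnames standing in for path tokens from a trail.
SAMPLE_PATHS = ["/dev/ttyp2", "/dev/ttyp3", "/dev/ttyv0", "/etc/master.passwd"]

if __name__ == "__main__":
    print(select_paths(SAMPLE_PATHS, "~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+"))
```

Swapping the two patterns so the tilde exclusion comes second changes the result for /dev/ttyp2, because the TTY pattern now matches first and wins.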
.Pp
Select all records containing a path token where the pathname contains
.Pa /etc/master.passwd :
.Bd -literal -offset indent
auditreduce -o file="/etc/master.passwd" \e
    /var/audit/20031016184719.20031017122634
.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
.Bd -literal -offset indent
auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
    /var/audit/20031016184719.20031017122634
.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
.Pa /dev/ttyp2 :
.Bd -literal -offset indent
auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
    /var/audit/20031016184719.20031017122634
.Ed
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
.Xr audit_event 5
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.