User's Manual
 Solaris 9 Security CX-310-301    32   
Interpreting the Results 
Continuing the example scenario, you now want to inspect the audit file(s) to see if any files have been 
deleted by the root user. Use the auditreduce command to select only the records of interest and then pipe 
the result to praudit to present the data in readable form. The following command achieves this: 
# auditreduce -a 20040412 -u root -c fd | praudit 
header,127,2,unlink(2),,Tue Apr 13 10:27:34 BST 2004, + 917 msec 
path,/etc/inet/hosts 
attribute,100444,root,other,32,2619,0 
subject,root,root,other,root,other,521,390,0 0 ultra 
return,success,0 
The above command searches the audit data files (in /var/audit) for the date 20040412, the user root and 
the class fd (file deletions). It returns the item of interest showing that user root deleted the file 
/etc/inet/hosts and that the deletion was successful. 
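Reading praudit output by eye works for one record, but an investigator usually has many. The following Python is an added example (not from the study guide) that parses praudit's one-token-per-line text format into records and keeps exactly what this scenario is looking for: successful unlink(2) calls whose audit ID is root, which mirrors the auditreduce -u root -c fd selection above. The embedded sample is the record shown on the page followed by two constructed records (user fred deleting a file, and root failing to delete a missing file) so the filter has something to reject; the user, file names and byte counts in those two records are made up. 

```python
from dataclasses import dataclass, field

# Constructed sample of praudit output: the first record is the one shown on the
# page; the other two are made up so that the filter has records to reject
# (a deletion by a non-root user, and a failed deletion attempted by root).
SAMPLE_PRAUDIT = """\
header,127,2,unlink(2),,Tue Apr 13 10:27:34 BST 2004, + 917 msec
path,/etc/inet/hosts
attribute,100444,root,other,32,2619,0
subject,root,root,other,root,other,521,390,0 0 ultra
return,success,0
header,131,2,unlink(2),,Tue Apr 13 10:31:02 BST 2004, + 104 msec
path,/export/home/fred/notes.txt
attribute,100644,fred,staff,32,4021,0
subject,fred,fred,staff,fred,staff,530,390,0 0 ultra
return,success,0
header,118,2,unlink(2),,Tue Apr 13 10:35:47 BST 2004, + 12 msec
path,/tmp/scratch.lock
subject,root,root,other,root,other,544,390,0 0 ultra
return,failure: No such file or directory,-1
"""


@dataclass
class AuditRecord:
    """One audit record, built from the tokens that follow a header line."""
    event: str = ""          # event type from the header token, e.g. unlink(2)
    time: str = ""           # timestamp text from the header token
    paths: list = field(default_factory=list)
    audit_uid: str = ""      # audit ID: the user who logged in (survives su)
    euid: str = ""           # effective user ID at the time of the call
    status: str = ""         # "success" or "failure: <reason>"
    retval: str = ""


def parse_praudit(text):
    """Split praudit's one-token-per-line output into AuditRecord objects."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<time...>
            current = AuditRecord(event=fields[3])
            # The time text contains a comma of its own, so rejoin the tail.
            current.time = ",".join(fields[5:]).strip()
            records.append(current)
        elif current is None:
            continue            # tokens before the first header: not a whole record
        elif token == "path":
            current.paths.append(fields[1])
        elif token == "subject":
            # subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            current.audit_uid, current.euid = fields[1], fields[2]
        elif token == "return":
            # return,<error description>,<return value>
            current.status, current.retval = fields[1], fields[2]
    return records


def root_deletions(text):
    """(time, path) for every successful unlink(2) whose audit ID is root,
    i.e. the records 'auditreduce -u root -c fd' would have selected."""
    return [
        (rec.time, path)
        for rec in parse_praudit(text)
        if rec.event == "unlink(2)"
        and rec.audit_uid == "root"
        and rec.status == "success"
        for path in rec.paths
    ]


if __name__ == "__main__":
    for when, path in root_deletions(SAMPLE_PRAUDIT):
        print(f"{when}: root deleted {path}")
```

The filter keys on the audit ID (first field of the subject token) rather than the effective UID, because the audit ID is fixed at login and still identifies the original user after an su to root; the failed record shows why the return token must be checked as well, since a denied deletion is also written to the trail. 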
There are other search criteria for use with auditreduce. Consult the man pages for detailed options. 
The audit command 
This command sends instructions to the auditd daemon process. It has three options: 
  -n   Close the current log file and open a new one 
  -s   Re-read the configuration files 
  -t   Close the current log file and terminate 
Audit Log Files 
The default location for audit log files is /var/audit. This is specified in the configuration file 
/etc/security/audit_control. Each log file has the following format: 
<startdatetime>.<enddatetime>.<hostname> 
So, for a file that started at 0813 on 9 Apr 2004 and ended at 0906 on the same day for hostname “ultra”, 
the file would be: 
20040409081343.20040409090640.ultra 
If the file is still being written to, i.e. the current log file, then its name would take the form: 
<startdatetime>.not_terminated.<hostname> 
If the file above were still the active file, its name would be: 
20040409081343.not_terminated.ultra 
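Because the start and end times are encoded in the file name, a listing of /var/audit is enough to decide which trail files can contain an event at a given time, without opening any of them. The Python below is an added example (not from the study guide) that parses names of both forms above and selects the files whose interval covers a timestamp; the active not_terminated file is treated as open-ended. The listing in the code is constructed: the first entry is the page's example file, the remaining entries (including a fully-qualified hostname and a stray non-trail file) are made up. 

```python
import re
from datetime import datetime

# <startdatetime>.<enddatetime>.<hostname>, with "not_terminated" in place of the
# end stamp while the file is still being written. The host part is matched
# greedily so a fully-qualified hostname containing dots still parses.
TRAIL_NAME = re.compile(r"^(\d{14})\.(\d{14}|not_terminated)\.(.+)$")
STAMP_FORMAT = "%Y%m%d%H%M%S"   # YYYYMMDDhhmmss, as used in the file names


def parse_trail_name(name):
    """Describe an audit trail file name, or return None if the name is not
    an audit trail file (for example a stray file left in /var/audit)."""
    match = TRAIL_NAME.match(name)
    if match is None:
        return None
    start_text, end_text, host = match.groups()
    end = None if end_text == "not_terminated" else datetime.strptime(end_text, STAMP_FORMAT)
    return {
        "name": name,
        "start": datetime.strptime(start_text, STAMP_FORMAT),
        "end": end,                 # None while the file is still active
        "host": host,
        "active": end is None,
    }


def trails_covering(names, when_stamp):
    """Names of the trail files whose interval includes the 14-digit stamp
    when_stamp. The active file is open-ended, so it covers everything from
    its start onward; non-trail names are skipped."""
    when = datetime.strptime(when_stamp, STAMP_FORMAT)
    selected = []
    for name in names:
        info = parse_trail_name(name)
        if info is None:
            continue
        if info["start"] <= when and (info["end"] is None or when <= info["end"]):
            selected.append(name)
    return selected


# Constructed directory listing: the first entry is the page's example file,
# the rest are made up (including a non-trail file that must be ignored).
SAMPLE_LISTING = [
    "20040409081343.20040409090640.ultra",
    "20040409090640.20040412235959.ultra",
    "20040413000000.not_terminated.ultra.example.com",
    "audit_control.bak",
]

if __name__ == "__main__":
    # Which file holds the unlink(2) record from Tue Apr 13 10:27:34 2004?
    for name in trails_covering(SAMPLE_LISTING, "20040413102734"):
        print(name)
```

Note that auditreduce already does this selection for you when given a date range; the value of parsing the names yourself is in scripts that copy or archive trail files, where picking up the not_terminated file by mistake yields an incomplete copy.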