auditselect Command

Purpose

Selects audit records for analysis according to defined criteria.

Syntax

auditselect { -e "Expression" | -f File} [ -m ] [ Trail ]

Description

The auditselect command is part of the audit subsystem. The command is called by the auditbin daemon if it is configured in the /etc/security/audit/bincmds file as a backend command for processing bin files.

The auditselect command selects audit records that match identified criteria and writes the records to standard output. With the auditselect command, you can filter the audit trail to obtain specific records for analysis or select specific records for long-term storage. The command takes stream or bin input from the file specified by the Trail parameter or from standard input. If you specify the $bin string as the value of the Trail parameter, the auditbin daemon substitutes the path name of the current bin file when it calls the auditselect command. The selection criteria can be entered as an expression or from the file specified by the -f flag. If the bin files are compressed, the auditselect command unpacks them prior to processing.

For stream data, configure both the auditstream command and the auditselect command in the /etc/security/audit/streamcmds file, or enter both commands from the command line.

Flags

Item Description
-e "Expression" Defines the selection criteria. The Expression parameter consists of one or more terms joined by logical operators.
-f File Specifies the File that contains the selection criteria.
-m Writes each selected audit record together with its record extensions.

Creating Expressions

A valid expression consists of one or more terms joined by logical operators.

Logical Operators

Logical operators allow more than one term to be used in an expression. Normal precedence rules apply in evaluating expressions with more than one logical operator, and parentheses may be used to force the order of evaluation. The valid logical operators include the following:

Item Description
&& (And) The expression term1 && term2 is true (selected) if both term1 and term2 are true.
|| (Or) The expression term1 || term2 is true (selected) if either term1 or term2 is true.
! (Not) The expression !term1 is true (selected) if term1 is not true.

Terms

Each term of the expression has the following form:

Field Relational_Operator Value

Fields

Fields correspond to the information in the audit header of each record. Valid values for fields include the following:

Item Description
event Name of the audit event, for example, FILE_Open.
command Name of the command that generated the audit event.
result Status of the audit event. The value of the result field must be one of the following:
  • OK
  • FAIL
  • FAIL_PRIV
  • FAIL_AUTH
  • FAIL_ACCESS
  • FAIL_DAC Indicates that the event failed because of a discretionary access control (DAC) denial. Access Control Lists (ACLs) record which users and groups hold which access permissions on shared resources or objects; ACLs are one form of DAC mechanism.

FAIL matches all other error codes.

login ID of the login user of the process that generated the audit event.
real ID of the real user of the process that generated the audit event.
pid ID of the process that generated the audit event.
ppid ID of the parent of the process that generated the audit event.
tid ID of the kernel thread that generated the event.
time Time of day the audit event was generated.
date Date the audit event was generated.
host Hostname of the machine that generated the record. The reserved name UNKNOWN can be used to match any machines that are not listed in the /etc/security/audit/hosts file.

Relational Operators

Relational operators are used to compare the field in the audit record to the specified value. Valid relational operators include:

Item Description
== Equal to
!= Not equal to
< Less than
> Greater than
>= Greater than or equal to
<= Less than or equal to

Valid Terms

A valid term consists of a field, a relational operator, and a value. In addition, not all relational operators and values are valid for each field. The following are the valid combinations:

Field Valid Operators Valid Values
event ==, != Text string audit event name
result ==, != Text string audit status codes
command ==, != Text string command name
pid all Decimal integer process ID
ppid all Decimal integer process ID
login all Decimal integer user ID
login ==, != Text string user name
real all Decimal integer user ID
real ==, != Text string user name
tid all Decimal integer thread ID
time all String in the format specified by the current locale
date all String in the format specified by the current locale
host ==, != Text string host name or 16 character cpu ID
priv ==, != Privilege name
sl ==, != Sensitivity label name
tl ==, != Integrity label name
role ==, != Role name
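As an added illustration, not code from this page or from AIX, the following Python model of the expression grammar above tokenizes an auditselect expression, parses it with the stated precedence (! tightest, then &&, then ||, with parentheses overriding), rejects field/operator/value combinations that the valid-terms table does not allow, and runs the result over a few constructed audit-record headers. The USERS map, the record fields, and the HH:MM:SS and MM/DD/YY time and date formats are assumptions standing in for the system's passwd lookup, the binary trail, and the locale.

```python
import re, operator as o
USERS = {"carol": 14, "smith": 200}   # constructed passwd stand-in (assumption)
FIELDS = ("event", "command", "result", "login", "real", "pid", "ppid", "time", "date")
TRAIL = [dict(zip(FIELDS, row)) for row in [   # constructed audit-record headers (assumption)
    ("USER_Login", "login", "OK",        200, 200, 2006, 1,    "08:03:00", "05/01/87"),
    ("USER_Login", "login", "FAIL_AUTH",  14,  14, 2010, 1,    "19:30:00", "05/02/87"),
    ("USER_SU",    "su",    "FAIL_PRIV",  14,   0, 2020, 2006, "09:00:00", "05/04/87"),
    ("FILE_Open",  "cat",   "FAIL",      200, 200, 2031, 2006, "10:15:00", "05/09/87"),
]]
TEXT_ONLY = {"event", "result", "command", "host", "priv", "sl", "tl", "role"}  # ==/!= only
NUMERIC = {"pid", "ppid", "tid"}   # decimal integer, any relational operator
ID_OR_NAME, ORDERED = {"login", "real"}, {"time", "date"}  # UID or user name; HH:MM:SS and MM/DD/YY assumed
OPS = {"==": o.eq, "!=": o.ne, "<": o.lt, "<=": o.le, ">": o.gt, ">=": o.ge}
TOKEN = re.compile(r"&&|\|\||[<>=!]=|[<>()!]|[^\s()&|<>=!]+")

def eval_term(field, op, value, rec):  # one "Field Operator Value" term, per the valid-terms table
    if op not in OPS or field not in TEXT_ONLY | NUMERIC | ID_OR_NAME | ORDERED:
        raise ValueError(f"invalid term: {field} {op} {value}")
    actual = rec[field]
    if field in NUMERIC or (field in ID_OR_NAME and value.isdigit()):
        return OPS[op](int(actual), int(value))   # "014" is compared as UID 14
    if op not in ("==", "!=") and field not in ORDERED: raise ValueError("text values allow only == and !=")
    if field in ID_OR_NAME:
        value = USERS[value]                      # resolve a user name to its UID
    return OPS[op](actual, value)   # the page's "FAIL matches all other error codes" rule is not modelled

def parse(tokens):  # recursive descent: ! binds tightest, then &&, then ||; parentheses override
    def atom():
        tok = tokens.pop(0)
        if tok == "(":
            node = or_expr()
            if tokens.pop(0) != ")": raise ValueError("missing ')'")
            return node
        if tok == "!":
            return (lambda sub: lambda r: not sub(r))(atom())
        op, value = tokens.pop(0), tokens.pop(0)
        return lambda r: eval_term(tok, op, value, r)
    def chain(sub, sym, combine):                 # left-associative loop shared by && and ||
        node = sub()
        while tokens and tokens[0] == sym:
            tokens.pop(0); node = combine(node, sub())
        return node
    and_expr = lambda: chain(atom, "&&", lambda a, b: lambda r: a(r) and b(r))
    or_expr = lambda: chain(and_expr, "||", lambda a, b: lambda r: a(r) or b(r))
    node = or_expr()
    if tokens: raise ValueError(f"unexpected token {tokens[0]!r}")
    return node

def select(expression, records=TRAIL):  # auditselect -e "Expression": the records it selects
    toks = TOKEN.findall(expression)
    if "".join(toks) != "".join(expression.split()): raise ValueError("cannot tokenize expression")
    pred = parse(toks); return [r for r in records if pred(r)]
```

The selection criteria from the /aaa/bbb file example later on this page can be passed to select() as a single string.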

Security

Access Control

This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

RBAC Environment and

This command implements privileged operations, and only privileged users can run them. For more information about authorizations and privileges, refer to the RBAC section: Privileged Command Database in AIX® Version 7.1 Security. To review the list of privileges and the authorizations associated with this command, refer to the /etc/security/privcmds database.

Examples

Configuration

  1. To select bin-collected data records that match the USER_SU or USER_Login audit events, add the auditselect command to the /etc/security/audit/bincmds file by entering:
    /usr/sbin/auditselect -e "event== USER_SU || event== \
    USER_Login" $bin >> /audit/trail.login
    While auditing is enabled, the records for each initiation of a user session are read from the current bin file and written to the /audit/trail.login file.
  2. To select stream-collected data records that match a user login that was unsuccessful, add the auditselect command to the auditstream stanza in the /etc/security/audit/streamcmds file by entering:
    /usr/sbin/auditstream -c authentication | \
    /usr/sbin/auditselect -e "event == \
    USER_Login && result == FAIL" | \
    /usr/sbin/auditpr -t 2 -v >> /dev/lpr2
    To produce a hardcopy audit trail, records of unsuccessful authentication events are written to the /dev/lpr2 line printer.

Select Authentication or Login Events

  1. To search an audit trail file for all events that involve authentication errors:
    /usr/sbin/auditselect -e "result == FAIL_AUTH"
    /audit/oldtrail | /usr/sbin/auditpr -t -helt -v
    The records of events that were unsuccessful because authentication was denied are printed. The header titles will be printed once, followed by the event, login ID, and time fields, and then the audit trail.
  2. To select audit records that are generated when smith logs in during prime working hours during the first week in May of 1987, enter:

    /usr/sbin/auditselect  -f /aaa/bbb \
    /audit/trail1987 | /usr/sbin/auditpr

    The /aaa/bbb file must contain the following line:
     command == login && login == smith && 
     time >= 08:00:00 && time <= 17:00:00 && 
     date >= 05/01/87 && date <= 05/05/87

String Comparison

  1. To compare the name of the audit event to the USER_Login string, enter one of the following:
    "event == USER_Login"
     
    "event != USER_Login"
  2. To find out if the passwd command generated the audit event, use:
    "command == passwd"
    To find out if the audit event was not generated by the passwd command, use:
    "command != passwd"
  3. To compare the audit status to the OK result string, enter:
    "result == OK"
  4. To compare the login or real user ID of the process that generated the audit event to a specific user ID (user ID 014 or the user name carol), enter one of the following:
    "login == 014"
    "login != carol"
    "login == 014 || login != carol"
    "real == carol"
  5. To compare the ID of the process or the parent of the process that generated the audit event to the process ID 2006, enter one of the following:
    "pid == 2006"
    "pid != 2006"
    "ppid ==  2006" 
    Note: Although login and real user IDs and process IDs can be compared with the inequality operators (<=, >=, <, >), it is normally unnecessary to do this.
  6. To compare the time the audit event was generated to the 08:03:00 time string, enter one of the following:
    "time == 08:03:00"
    "time != 08:03:00"
    "time <  08:03:00"
    "time <= 08:03:00"
    "time >  08:03:00"
    "time >= 08:03:00"
    Audit records are selected that fit the indicated comparison to the 08:03:00 time string. The time string must agree with the format specified by the current locale.
  7. To compare the date that the audit event was generated to the 05/05/89 date string, enter one of the following:
    "date == 05/03/89"
    "date != 05/03/89"
    "date <  05/03/89"
    "date <= 05/03/89"
    "date >  05/03/89"
    "date >= 05/03/89" 
    Audit records are selected that fit the indicated comparison to the 05/05/89 date string. The date string must agree with the format specified by the current locale.
Note: The auditselect command does not support the -r flag for the recovery mode.

Files

Item Description
/usr/sbin/auditselect Specifies the path of the auditselect command.
/etc/rc Contains the system initialization commands.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.
/etc/security/audit/streamcmds Contains auditstream commands.
/etc/security/audit/hosts Contains the CPU ID to hostname mappings.