Selects audit records for analysis according to defined criteria.
The auditselect command is part of the audit subsystem. The command is called by the auditbin daemon if it is configured in the /etc/security/audit/bincmds file as a backend command for processing bin files.
The auditselect command selects audit records that match identified criteria and writes the records to standard output. With the auditselect command, you can filter the audit trail to obtain specific records for analysis or select specific records for long-term storage. The command takes stream or bin input from the file specified by the Trail parameter or from standard input. If you specify the $bin string as the value of the Trail parameter, the auditbin daemon substitutes the path name of the current bin file when it calls the auditselect command. The selection criteria can be entered as an expression or from the file specified by the -f flag. If the bin files are compressed, the auditselect command unpacks them prior to processing.
For stream data, configure both the auditstream command and the auditselect command in the /etc/security/audit/streamcmds file, or enter both commands from the command line.
Item | Description |
---|---|
-e "Expression" | Defines the selection criteria. The Expression parameter consists of one or more terms joined by logical operators. |
-f File | Specifies the File that contains the selection criteria. |
-m | Specifies the output audit record with record extensions. |
A valid expression consists of one or more terms joined by logical operators.
Logical Operators
Logical operators allow more than one term to be used in an expression. Normal precedence rules apply in evaluating expressions with more than one logical operator, and parentheses may be used to force the order of evaluation. The valid logical operators include the following:
Item | Description |
---|---|
&& | (And) The expression term1 && term2 is true (selected) if both term1 and term2 are true. |
|| | (Or) The expression term1 || term2 is true (selected) if either term1 or term2 is true. |
! | (Not) The expression !term1 is true (selected) if term1 is not true. |
Terms
Each term of the expression has the following form:
Field Relational_Operator Value
Fields
Fields correspond to the information in the audit header of each record. Valid values for fields include the following:
Item | Description |
---|---|
event | Name of the audit event, for example, FILE_Open. |
command | Name of the command that generated the audit event. |
result | Status of the audit event. The value of the result field must be one of the audit status codes; FAIL matches all other error codes. |
login | ID of the login user of the process that generated the audit event. |
real | ID of the real user of the process that generated the audit event. |
pid | ID of the process that generated the audit event. |
ppid | ID of the parent of the process that generated the audit event. |
tid | ID of the kernel thread that generated the event. |
time | Time of day the audit event was generated. |
date | Date the audit event was generated. |
host | Hostname of the machine that generated the record. The reserved name UNKNOWN can be used to match any machines that are not listed in the /etc/security/audit/hosts file. |
Relational Operators
Relational operators are used to compare the field in the audit record to the specified value. Valid relational operators include:
Item | Description |
---|---|
== | Equal to |
!= | Not equal to |
< | Less than |
> | Greater than |
>= | Greater than or equal to |
<= | Less than or equal to |
Valid Terms
A valid term consists of a field, a relational operator, and a value. In addition, not all relational operators and values are valid for each field. The following are the valid combinations:
Field | Valid Operators | Valid Values |
---|---|---|
event | ==, != | Text string audit event name |
result | ==, != | Text string audit status codes |
command | ==, != | Text string command name |
pid | all | Decimal integer process ID |
ppid | all | Decimal integer process ID |
login | all | Decimal integer user ID |
login | ==, != | Text string user name |
real | all | Decimal integer user ID |
real | ==, != | Text string user name |
tid | all | Decimal integer thread ID |
time | all | String in the format specified by the current locale |
date | all | String in the format specified by the current locale |
host | ==, != | Text string host name or 16-character CPU ID |
priv | ==, != | Privilege name |
sl | ==, != | Sensitivity label name |
tl | ==, != | Integrity label name |
role | ==, != | Role name |
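To make the grammar above concrete, here is a small evaluator for auditselect selection expressions, written for this page as an added example; it is not part of AIX or the auditselect command. It assumes the value typing the Valid Terms table implies (digit strings compare as integers, time and date as zero-padded HH:MM:SS and MM/DD/YY strings, everything else as text), assumes that `result == FAIL` matches every FAIL_* code, and its three audit records are constructed, not real audit output. The same evaluator handles the criteria-file and comparison expressions shown in the examples later on the page.

```python
import operator, re

TOKEN = re.compile(r"\|\||&&|==|!=|<=|>=|[<>!()]|[^\s()!<>=&|]+")
OPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, ">": operator.gt, "<=": operator.le, ">=": operator.ge}
def compare(record, field, op, value):               # one term 'Field Relational_Operator Value' against a record dict
    actual = str(record[field])
    if actual.isdigit() and value.isdigit():          # assumed: decimal IDs compare as integers, every operator valid
        return OPS[op](int(actual), int(value))
    if field in ("time", "date"):                     # assumed: zero-padded HH:MM:SS / MM/DD/YY strings, every operator valid
        return OPS[op](actual, value)
    if op not in ("==", "!="):                        # names and codes: only == and != are valid (Valid Terms table)
        raise ValueError(f"{op} is not valid for {field} compared with {value!r}")
    # Assumed: result == FAIL covers every FAIL_* status ("FAIL matches all other error codes").
    hit = actual.startswith("FAIL") if (field, value) == ("result", "FAIL") else actual == value
    return hit if op == "==" else not hit
def parse(expression):
    """Recursive-descent parser: ! binds tighter than &&, which binds tighter than ||; ( ) group."""
    tokens = TOKEN.findall(expression)
    def take():
        if not tokens: raise ValueError("unexpected end of expression")
        return tokens.pop(0)
    def chain(sym, sub, combine):                     # left-associative run: sub (sym sub)*
        left = sub()
        while tokens and tokens[0] == sym:
            take()
            left = (lambda l, r: lambda rec: combine(l(rec), r(rec)))(left, sub())
        return left
    def term():
        tok = take()
        if tok == "!":
            return (lambda inner: lambda rec: not inner(rec))(term())
        if tok == "(":
            inner = expr()
            if take() != ")": raise ValueError("missing closing parenthesis")
            return inner
        field, op, value = tok, take(), take()
        if op not in OPS: raise ValueError(f"bad term near {field} {op} {value}")
        return lambda rec: compare(rec, field, op, value)
    conj = lambda: chain("&&", term, lambda a, b: a and b)
    expr = lambda: chain("||", conj, lambda a, b: a or b)
    predicate = expr()
    if tokens: raise ValueError(f"trailing input after expression: {tokens}")
    return predicate
def auditselect(expression, records):                 # the matching records, as -e writes them to stdout
    return list(filter(parse(expression), records))

TRAIL = [  # constructed sample records (not real audit output) built from the page's own example values
    {"event": "USER_Login", "command": "login", "result": "OK", "login": "smith", "pid": 2006, "time": "08:03:00", "date": "05/02/87"},
    {"event": "USER_Login", "command": "login", "result": "FAIL_AUTH", "login": "carol", "pid": 2010, "time": "18:30:00", "date": "05/03/87"},
    {"event": "USER_SU", "command": "su", "result": "FAIL_PRIV", "login": "014", "pid": 2011, "time": "09:00:00", "date": "05/09/87"}]
```

An expression that applies `<`, `>`, `<=` or `>=` to a text field such as event raises ValueError, mirroring the Valid Terms table rather than silently comparing strings.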
Access Control
This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
RBAC Environment and
This command implements and can perform privileged operations. Only privileged users can run such privileged operations. For more information about authorizations and privileges, refer to the RBAC section: Privileged Command Database in AIX® Version 7.1 Security. To review the list of privileges and the authorizations associated with this command, refer to the /etc/security/privcmds database.
Configuration

```
/usr/sbin/auditselect -e "event== USER_SU || event== \
USER_Login" $bin >> /audit/trail.login
```

While auditing is enabled, the records for each initiation of a user session are read from the current bin file and written to the /audit/trail.login file.

```
/usr/sbin/auditstream -c authentication | \
/usr/sbin/auditselect -e "event == \
USER_Login && result == FAIL" | \
/usr/sbin/auditpr -t 2 -v >> /dev/lpr2
```

To produce a hardcopy audit trail, records of unsuccessful authentication events are written to the /dev/lpr2 line printer.

Select Authentication or Login Events

```
/usr/sbin/auditselect -e "result == FAIL_AUTH" /audit/oldtrail | /usr/sbin/auditpr -t -helt -v
```

The records of events that were unsuccessful because authentication was denied are printed. The header titles will be printed once, followed by the event, login ID, and time fields, and then the audit trail.

```
/usr/sbin/auditselect -f /aaa/bbb \
/audit/trail1987 | /usr/sbin/auditpr
```

The /aaa/bbb selection file contains:

```
command == login && login == smith &&
time >= 08:00:00 && time <= 17:00:00 &&
date >= 05/01/87 && date <= 05/05/87
```
String Comparison

```
"event == USER_Login"
"event != USER_Login"
"command == passwd"
```

To find out if the audit event was not generated by the passwd command, use: "command != passwd"

```
"result == OK"
"login == 014"
"login != carol"
"login == 014 || login != carol"
"real == carol"
"pid == 2006"
"pid != 2006"
"ppid == 2006"
```

Note: Although login and real user IDs and process IDs can be compared with the inequality operators (<=, >=, <, >), it is normally unnecessary to do this.

```
"time == 08:03:00"
"time != 08:03:00"
"time < 08:03:00"
"time <= 08:03:00"
"time > 08:03:00"
"time >= 08:03:00"
```

Audit records are selected that fit the indicated comparison to the 08:03:00 time string. The time string must agree with the format specified by the current locale.

```
"date == 05/03/89"
"date != 05/03/89"
"date < 05/03/89"
"date <= 05/03/89"
"date > 05/03/89"
"date >= 05/03/89"
```

Audit records are selected that fit the indicated comparison to the 05/03/89 date string. The date string must agree with the format specified by the current locale.

Item | Description |
---|---|
/usr/sbin/auditselect | Specifies the path of the auditselect command. |
/etc/rc | Contains the system initialization commands. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/objects | Contains audit events for audited objects (files). |
/etc/security/audit/bincmds | Contains auditbin backend commands. |
/etc/security/audit/streamcmds | Contains auditstream commands. |
/etc/security/audit/hosts | Contains the CPU ID to hostname mappings. |