reduce -- perform audit data analysis and reduction


/tcb/bin/reduce [ -s session ] [ -e nproc ] [ -i ] [ -p selection_file ]


reduce performs selective audit data reduction on compacted audit output files that were written by the audit daemon. Each audit record from the compaction files is examined during reduction to see if it meets the selectivity criteria established by the audit administrator. If so, the record is formatted and sent to standard output.

Reduction is performed on all files written by the audit daemon during a specified boot session. Each time the audit subsystem is enabled and disabled, a new session number is generated. This session number is used to stamp the filenames generated during the session so that they are easily recognizable. The audit daemon records each filename to which it writes compacted data in a log file. The log file is always written to the secure directory, /tcb/files/audit. Each session log file is uniquely named with the prefix ``CAFLOG'' followed by the session number. Thus, by specifying a session number for reduction, reduce is able to locate the log file and read it to determine certain setup parameters and the list of input files to be reduced.

If necessary, the -e option may be used to specify the process table size (NPROC) of the kernel that produced the audit session. The argument nproc should be greater than or equal to the kernel's NPROC.

The -i option overrides the suspension of auditing on processes that have suspendaudit authorization set. Note that only mandatory system calls are audited for processes which have suspendaudit set.

Use the Accounts selection of the Audit manager to reduce data selectively. This calls auditsh(ADM) to set up an audit selection file. Specify this file to reduce using the argument selection_file to the -p option.

Data is reduced based on a set of input selection criteria that governs the selection of records for printing. Records may be selected based on event types, time of event occurrence, user ID of record, or group ID of record, or by specific object type:

Time and event type selection always take precedence over user/group ID and object selection (for example, if a record has an event type that is not selected but the user ID is, the record is discarded).

If a record is selected based on time and event type and if the user ID, group ID, or object matches a field in the record, the record is selected. If only time and event types are specified, all records of matching event types in the interval are selected. If only event type selection is requested, all matching events are selected from every record produced in that session (for example, if the event mask enables selection for all events and no time interval is specified, all records will be listed.)

The format of the reduced data varies with the type of event being processed. Each record includes the process ID of the process being audited, the date and time of the event, the type of audit event, an indication of success or failure for the event, and if applicable, the object names that were accessed.

Items that are displayed for events include the following:

Process ID
The process ID of the process that generated the audit record.

User IDs
The login user ID, effective user ID, real user ID, effective group ID, and the real group ID are output for the process generating the audit record.

Each audit record is time stamped at generation time. The time value is formatted to produce a date/time string similar to that printed by ctime(S).

Event type
Each audit record is classified into a certain event depending on what type of system call was performed or what type of action was taken by a trusted application.

Many event types are broad categories into which certain actions are classified. The reduction program makes use of other data in the record to provide further discrimination between process actions that fall into the category. For system calls, the actual system call audited is output. For applications, a more specific action identifier is provided.

Many events involve files or special devices that are classified as objects. The name of the objects affected by process actions are recorded for data reduction. Depending on the event and action type, some output records may include one or more object names.

For certain event types, the modes of a file or an IPC object may be modified. For these records, the old and new values of the owner, group, and object mode are displayed.

Some events are user-account oriented, such as login and logoff, as are certain administrative functions. These output records include the username of the account that was responsible for the audited action.

Each output record carries an indicator of whether the action was successful or not. Unsuccessful actions are sometimes more important that successful ones since they may indicate attempts to penetrate the system. For system calls that fail, the specific error number and error message is output. For applications, an error message describing the failure is output.

Exit values

Upon successful completion, the program exits with status 0.


Permission to use this utility requires the audit authorization in authorize(F).

See also

audit(HW), auditd(ADM), auditsh(ADM)

``Understanding the audit subsystem'' in the System Administration Guide

Standards conformance

reduce is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003