perform audit data analysis and reduction
/tcb/bin/reduce [ -s session ]
[ -e nproc ]
[ -i ]
[ -p selection_file ]
reduce performs selective audit data reduction on
compacted audit output
files that were written by the audit daemon.
Each audit record from the compaction files is examined during reduction to
see if it meets the selectivity criteria established by the audit administrator.
If so, the record is formatted and sent to standard output.
Reduction is performed on all files written by the audit daemon during a
Each time the audit subsystem is enabled and disabled, a new session number
is generated. This session number is used to stamp the filenames
generated during the session so that they are easily recognizable. The
audit daemon records each
filename to which it writes compacted data in a log file. The log file is always
written to the secure directory,
Each session log file is uniquely named with the prefix
``CAFLOG'' followed by
the session number. Thus, by specifying a session number for reduction,
is able to locate the log file and read it to determine certain setup
parameters and the list of input files to be reduced.
If necessary, the -e option may be used to specify the process
table size (NPROC) of the kernel that produced the audit session.
The argument nproc should be greater than or equal to the kernel's
The -i option overrides the suspension of auditing on processes
that have suspendaudit authorization set.
Note that only mandatory system calls are audited for processes which have
Use the Accounts selection
of the Audit manager to reduce data selectively. This calls
to set up an audit selection file. Specify this file to
reduce using the argument selection_file to the
Data is reduced based on a set of input selection criteria that governs
the selection of records for printing. Records may be selected based on
event types, time of event occurrence, user ID of record, or group
ID of record, or by specific object type:
Time and event type selection always take precedence
over user/group ID and object selection (for example, if a
record has an event type that is
not selected but the user ID is, the record is discarded).
Time interval selection allows for records to be selected
only if they occurred within a certain time period.
Event type selection allows
records to be selected only if the specified event type is desired.
user ID and group ID selection allow records that were
generated by certain users or groups to be selected.
applies to those record types referring to a specific file. Some records refer
to multiple files and a single match for those record types will result in the
record being selected.
If a record is selected based on time and event type and if the user
ID, group ID, or
object matches a field in the record, the record is selected. If only time
and event types are specified, all records of matching event types in the
interval are selected. If only event type selection is requested, all
matching events are selected from every record produced in that session
(for example, if the event mask enables selection for all events and no
time interval is specified, all records will be listed.)
The format of the reduced data varies with the type of event being processed.
Each record includes the process ID of the process being audited, the date and time of the event, the type of audit event, an indication
of success or failure for the event, and if applicable, the object names
that were accessed.
Items that are displayed for events include the following:
The process ID of the process that generated the audit record.
The login user ID, effective user ID, real user
ID, effective group ID, and the real group ID are output for the process generating the audit record.
Each audit record is time stamped at generation time. The time value is
formatted to produce a date/time string similar to that printed by
Each audit record is classified into a certain event depending on what type
of system call was performed or what type of action was taken by a trusted
Many event types are broad categories into which certain actions are classified.
The reduction program makes use of other data in the record to provide further
discrimination between process actions that fall into the category. For system
calls, the actual system call audited is output. For applications, a more
specific action identifier is provided.
Many events involve files or special devices that are classified as objects.
The name of the objects affected by process actions are recorded for data
reduction. Depending on the event and action type, some output records may
include one or more object names.
For certain event types, the modes of a file or an IPC object may be
modified. For these records, the old and new values of the owner, group,
and object mode are displayed.
Some events are user-account oriented, such as login and logoff, as are
certain administrative functions. These output records include the username
of the account that was responsible for the audited action.
Each output record carries an indicator of whether the action was successful
or not. Unsuccessful actions are sometimes more important that successful
ones since they may indicate attempts to penetrate the system. For system
calls that fail, the specific error number and error message is output. For
applications, an error message describing the failure is output.
Upon successful completion, the program exits with status 0.
Permission to use this utility requires the audit authorization
``Understanding the audit subsystem'' in the System Administration Guide
reduce is not part of any currently supported standard; it is
an extension of AT&T System V
provided by The Santa Cruz Operation, Inc.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003