Using the Audit Manager

Running an audit report

In the Audit Manager, select Report -> Generate. Enter the session number or press <F3> for a list; do the same for the report template. You are then asked where to send the output, to the terminal, a file, or the printer. It is best to direct the output to a file.

When the report generation begins, note that it may take some time if the volume of data is high. For example, if your report template does not specify dates and times for beginning and ending selection, the entire audit session is reduced, which could consist of tens of megabytes of data.

Example report and template

``Audit report output'' is a sample audit report based on a template with these characteristics:

Events: B K M T
Times: Start: Fri Feb 2 19:00 Stop: Fri Feb 2 21:00
Users: johnp
Groups: None
Files: All

The report template concentrates on undesirable activities, such as attempts to access restricted system files, running restricted administrative programs, and so forth. In this simplified example, user johnp logged on and attempted to remove (unlink) /etc/passwd. In a real scenario, there would be more records to examine. This example serves to demonstrate the power of audit data. ``Understanding audit reports'' contains a detailed study of how audit information is interpreted.

Audit report output

   		***** Audit Data Reduction Program *****

Audit session number: 2 Collection system name: unix Collection file count: 15 Compaction file count: 1 Total audit records: 11034 Total uncompacted size: 696050 Total compacted size: 243262 Data compression rate: 65.05 Collection start time: Fri Feb 7 19:00:15 1992 Collection end time: Fri Feb 7 21:00:00 1992

***** Selection Criteria *****

Time Interval Selection: Start: Fri Feb 7 19:00:00 1992 Stop: Fri Feb 7 21:00:00 1992 Event Type Selection: Event type: Login/Logoff activity Event type: Access denial Event type: Insufficient privilege

UID selection in effect.


***** Audit Records *****

Process ID: 235 Date/Time: Fri Feb 7 19:55:42 1992 Event type: Login/Logoff activity Action: Successful login Username: johnp Login terminal: /dev/tty01

Process ID: 267 Date/Time: Fri Feb 7 19:56:11 1992 Luid: johnp Euid: johnp Ruid: johnp Egid: group Rgid: group Event type: Access denial System call: Unlink Object: /etc/passwd Result: Failed-EACCES (Access denial) Security policy: discretionary

Process ID: 280 Date/Time: Fri Feb 7 19:58:14 1992 Event type: Login/Logoff activity Action: Logoff Username: johnp Terminal: /dev/tty01

Next topic: Understanding audit reports
Previous topic: Removing report templates

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003