#! /bin/sh
# audit_trace
# swb@aurora.phys.utk.edu
# 02/18/96 # trace audit file given on command line or current audit file 
# 11/26/96 # updated for BSM under Solaris 2.5.1 
#
#SYNOPSIS
#     audit_trace [ filename ] 
#
#DESCRIPTION
#     audit_trace uses praudit to read the listed filename or 
#     the currently open audit trail file and interprets the
#     data as records as defined in audit_control(5).  Awk is
#     used to parse and print the output records to standard output.  
#
# If, instead of a filename, audit_trace is given the argument
# 'daily', then auditreduce(8) is used to combine today's records
# into an audit report of all the day's activity so far.
#
#SEE ALSO
#     audit(2),         setuseraudit(2),         getauditflags(3),
#     praudit(8)        audit_control(5)
#
# cmd line args
# [ [audit_file] | [dumpstyle] | [ <audit_file> <dumpstyle> ] ]
#                   dumpstyle = [ daily | tail ]
dumpval=0
#
#
#
#       The copyright above and this notice must be preserved in all
#       copies of this source code.
#
#

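#######################################
# Argument handling.  Accepted forms (see SYNOPSIS above):
#   audit_trace
#   audit_trace <audit_file>
#   audit_trace <dumpstyle>
#   audit_trace <audit_file> <dumpstyle>      dumpstyle = daily | tail
# An argument that is not an existing file is taken to be a dumpstyle
# and is then checked against the two known styles, so a mistyped
# trail filename is reported instead of silently turning into a live
# tail of the current trail.
#######################################
usage() {
  echo "usage: audit_trace [ audit_file ] [ daily | tail ]" >&2
  exit 2
}

# Path of the currently open trail: the last line of
# /etc/security/audit_data is "pid:path".  Backticks rather than $( )
# because the Solaris 2.5.1 /bin/sh this targets is the Bourne shell.
current_trail() {
  /usr/ucb/tail /etc/security/audit_data | cut -f2 -d:
}

if [ -n "$1" ]; then
  if [ -f "$1" ]; then
    fname="$1"
    dumpval="${2:-0}"
  else
    fname=`current_trail`
    dumpval="$1"
  fi
else
  fname=`current_trail`
  dumpval=0
fi

case "$dumpval" in
  0|daily|tail)
    ;;
  *)
    echo "audit_trace: '$dumpval' is neither an existing file nor a dumpstyle" >&2
    usage
    ;;
esac

if [ "$dumpval" = "daily" ]; then
  # auditreduce -d wants yyyymmdd; %Y gives the full year (the former
  # fixed "19" prefix in front of %y broke at the century boundary).
  fname="-d`date +%Y%m%d`"
elif [ -z "$fname" ]; then
  echo "audit_trace: cannot determine the current audit trail from /etc/security/audit_data" >&2
  exit 1
fi

#######################################
# Feed the selected trail to praudit.  A case statement is used rather
# than expanding a "$cmd" string: a quoted "/usr/ucb/tail -0f" is a
# single word and is not found as a command, and an unquoted one would
# word-split $fname.
#   daily  -> auditreduce over today's records ($fname holds the -d arg)
#   tail   -> follow the trail as it grows
#   else   -> dump the whole file
#######################################
dump_trail() {
  case "$dumpval" in
    daily) /usr/sbin/auditreduce "$fname" ;;
    tail)  /usr/ucb/tail -0f "$fname" ;;
    *)     /bin/cat "$fname" ;;
  esac
}

echo "Audit report" ; date; echo "Tracing audit file: $fname"

# The awk program below is one single-quoted shell word, so it must not
# contain an apostrophe: one inside an awk comment ends the word and
# hands awk a truncated program.
dump_trail | /usr/sbin/praudit -l | awk '
BEGIN {
  # Records are joined with a blank; newlines are placed explicitly in
  # the leader and header strings.
  ORS = " "
  line_num = 99   # force a page header before the first record
  page_num = 1
}

{
  # praudit -l emits one record per line, fields separated by commas
  N = split($0, A, ",")

  # Positions fixed in every record:
  #   A[1]    token name; "file" marks trail bookkeeping, not an event
  #   A[4]    event / syscall name
  #   A[6]    date string; its 4th blank-separated word is the time
  #   A[N-1]  return value
  # Positions found by scanning for the token name:
  #   "path"       the path string is the next field
  #   "subject"    audit-id next, pid 6 fields on, machine 9 fields on
  #   "exec_args"  arg count next, argv[0] 2 fields on, argv[1..] from
  #                3 on (present only with auditconfig -setpolicy +argv)
  leader = ""
  trailer = ""
  subject = ""
  path = ""
  exec_args = ""

  syscall = A[4]

  split(A[6], B, " ")
  tstamp = B[4]

  for (k = 1; k <= N; k++) {
    if (A[k] == "path") path = A[k+1]

    if (A[k] == "subject") {
      subject = A[k+1]
      prev_pid = pid          # kept from the previous record for the pid break
      pid = A[k+6]
      machine = A[k+9]        # captured but not printed
    }

    if (A[k] == "exec_args") {
      if (A[k+2] == "awk") {
        # Reduce awk invocations to the bare name; presumably so the awk
        # program of this very script does not flood the report when it
        # shows up in the trail.
        exec_args = "awk"
      } else {
        # argv[1] .. argv[count-1]; argv[0] is skipped because path
        # already names the program.
        exec_args = ""
        for (j = 0; j <= A[k+1] - 2; j++) {
          exec_args = sprintf("%s %s", exec_args, A[k+3+j])
        }
      }
    }
  }

  # Build the record line.  A pid change gets an extra blank line.
  if (A[1] != "file") {
    if (pid != prev_pid) { sep = "\n\n" } else { sep = "\n" }
    leader = sprintf("%s%-9s %-9s %s [ %s <%s %s> ]  %s", \
                     sep, tstamp, pid, subject, syscall, path, exec_args, A[N-1])
  }

  # Page header every 60 lines.  Its first field is A[4] of the record
  # that triggered the break, as in the original report layout.
  if (line_num >= 60) {
    hdr = sprintf("\n\n%s%20s %s\n\n%s     %s  %s %s  %s\n==============================\n", \
                  A[4], "page", page_num, "Time", "Subject", "PID", "Syscall", "Path", "status")
    print trailer
    trailer = ""
    if (page_num > 1) {
      print "\n"
      line_num = 8
    } else {
      line_num = 12
    }
    print hdr
    page_num++
  }

  print trailer, leader
  line_num++
}
'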

# eof
