Selects audit records for analysis according to defined criteria.
auditselect { -e "Expression" | -f File} [ -m ] [ Trail ]
The auditselect command is part of the audit subsystem. The command is called by the auditbin daemon if it is configured in the /etc/security/audit/bincmds file as a backend command for processing bin files.
The auditselect command selects audit records that match identified criteria and writes the records to standard output. With the auditselect command, you can filter the audit trail to obtain specific records for analysis or select specific records for long-term storage. The command takes stream or bin input from the file specified by the Trail parameter or from standard input. If you specify the $bin string as the value of the Trail parameter, the auditbin daemon substitutes the path name of the current bin file when it calls the auditselect command. The selection criteria can be entered as an expression or from the file specified by the -f flag. If the bin files are compressed, the auditselect command unpacks them prior to processing.
For stream data, configure both the auditstream command and the auditselect command in the /etc/security/audit/streamcmds file, or enter both commands from the command line.
A valid expression consists of one or more terms joined by logical operators.
Logical operators allow more than one term to be used in an expression. Normal precedence rules apply in evaluating expressions with more than one logical operator, and parentheses may be used to force the order of evaluation. The valid logical operators include the following:
Each term of the expression has the following form:
Field Relational_Operator Value
Fields correspond to the information in the audit header of each record. Valid values for fields include the following:
Relational operators are used to compare the field in the audit record to the specified value. Valid relational operators include:
== | Equal to |
!= | Not equal to |
< | Less than |
> | Greater than |
>= | Greater than or equal to |
<= | Less than or equal to |
A valid term consists of a field, a relational operator, and a value. In addition, not all relational operators and values are valid for each field. The following are the valid combinations:
Field | Valid Operators | Valid Values |
event | = =, ! = | Text string audit event name |
result | = =, ! = | Text string audit status codes |
command | = =, ! = | Text string command name |
pid | all | Decimal integer process ID |
ppid | all | Decimal integer process ID |
login | all | Decimal integer user ID |
login | = =, ! = | Text string user name |
real | all | Decimal integer user ID |
real | = =, ! = | Text string user name |
tid | all | Decimal integer thread ID |
time | all | String in the format specified by the current locale |
date | all | String in the format specified by the current locale |
host | = =, ! = | Text string host name or 16 character cpu ID |
Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
/usr/sbin/auditselect -e "event== USER_SU || event== \ USER_Login" $bin >> /audit/trail.login
While auditing is enabled, the records for each initiation of a user session are read from the current bin file and written to the /audit/trail.login file.
/usr/sbin/auditstream -c authentication | \ /usr/sbin/auditselect -e "event == \ USER_Login && result == FAIL" | \ /usr/sbin/auditpr -t 2 -v >> /dev/lpr2
To produce a hardcopy audit trail, records of unsuccessful authentication events are written to the /dev/lpr2 line printer.
/usr/sbin/auditselect -e "result == FAIL_AUTH" /audit/oldtrail | /usr/sbin/auditpr -t -helt -v
The records of events that were unsuccessful because authentication was denied are printed. The header titles will be printed once, followed by the event, login ID, and time fields, and then the audit trail.
command == login && login == smith && time >= 08:00:00 && time <= 17:00:00 && date >= 05/01/87 && date <= 05/05/87
"event == USER_Login" "event != USER_Login"
"command == passwd"
To find out if the audit event was not generated by the passwd command, use:
"command != passwd"
"result == OK"
"login == 014" "login != carol" "login == 014 || login != carol" "real == carol"
"pid == 2006" "pid != 2006" "ppid == 2006"
Note: Although login and real user IDs and process IDs can be compared with the inequality operators ( < =, > =, <, > ), it is normally unnecessary to do this.
"time == 08:03:00" "time != 08:03:00" "time < 08:03:00" "time <= 08:03:00" "time > 08:03:00" "time >= 08:03:00"
Audit records are selected that fit the indicated comparison to the 08:03:00 time string. The time string must agree with the format specified by the current locale.
"date == 05/03/89" "date != 05/03/89" "date < 05/03/89" "date <= 05/03/89" "date > 05/03/89" "date >= 05/03/89"
Audit records are selected that fit the indicated comparison to the 05/05/89 date string. The date string must agree with the format specified by the current locale.
/usr/sbin/auditselect | Specifies the path of the auditselect command. |
/etc/rc | Contains the system initialization commands. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | Contains the audit events of the system. |
/etc/security/audit/objects | Contains audit events for audited objects (files). |
/etc/security/audit/bincmds | Contains auditbin backend commands. |
/etc/security/audit/streamcmds | Contains auditstream commands. |
/etc/security/audit/hosts | Contains the CPU ID to hostname mappings. |
The audit command, auditcat command, auditconv command, auditpr command, auditstream command, env command.
auditbin daemon.
For general information on auditing, refer to Auditing Overview in AIX 5L Version 5.2 Security Guide.
To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.2 Security Guide.
For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Standalone System Security in AIX 5L Version 5.2 Security Guide.