auditselect Command

Purpose

Selects audit records for analysis according to defined criteria.

Syntax

auditselect { -e "Expression" | -f File} [ -m ] [ Trail ]

Description

The auditselect command is part of the audit subsystem. The command is called by the auditbin daemon if it is configured in the /etc/security/audit/bincmds file as a backend command for processing bin files.

The auditselect command selects audit records that match identified criteria and writes the records to standard output. With the auditselect command, you can filter the audit trail to obtain specific records for analysis or select specific records for long-term storage. The command takes stream or bin input from the file specified by the Trail parameter or from standard input. If you specify the $bin string as the value of the Trail parameter, the auditbin daemon substitutes the path name of the current bin file when it calls the auditselect command. The selection criteria can be entered as an expression or from the file specified by the -f flag. If the bin files are compressed, the auditselect command unpacks them prior to processing.

For stream data, configure both the auditstream command and the auditselect command in the /etc/security/audit/streamcmds file, or enter both commands from the command line.

The AIX_AUDITBUFSZ environment variable allows buffered write operation of the auditselect audit records. The buffered write option is useful for high-performance applications that generate many audit records.

The AIX_AUDITBUFSZ environment variable accepts decimal and hexadecimal values in the range 8192 bytes - 67 MB. Any other positive values outside the range of allowed values are rounded off to either the beginning of the range or the end of the range based on the nearest value. If this variable value is not set or this variable is assigned negative values or non-numerical values, the AIX_AUDITBUFSZ variable is ignored.

Flags

Item	Description
-e "Expression"	Defines the selection criteria. The Expression parameter consists of one or more terms joined by logical operators.
-f File	Specifies the File that contains the selection criteria.
-m	Specifies the output audit record with record extensions.

Creating Expressions

A valid expression consists of one or more terms joined by logical operators.

Logical Operators

Logical operators allow more than one term to be used in an expression. Normal precedence rules apply in evaluating expressions with more than one logical operator, and parentheses may be used to force the order of evaluation. The valid logical operators include the following:

Item	Description
&&	(And) The expression `term1 && term2` is true (selected) if both term1 and term2 are true.
\|\|	(Or) The expression `term1 \|\| term2` is true (selected) if either term1 or term2 is true.
!	(Not) The expression `!term1` is true (selected) if term1 is not true.

Terms

Each term of the expression has the following form:

Field Relational_Operator Value

Fields

Fields correspond to the information in the audit header of each record. Valid values for fields include the following:

Item	Description
`event`	Name of the audit event, for example, `FILE_Open`.
`command`	Name of the command that generated the audit event.
`result`	Status of the audit event. The value of the `result` field must be one of the following: OK FAIL FAIL_PRIV FAIL_AUTH FAIL_ACCESS FAIL_DAC Indicates the event failed because of a discretionary access control (DAC) denial. Access Control Lists are a form of information repository that contain data relative to the rights of access (permission) to shared resources/objects. ACLs are categorized on DAC mechanism. FAIL matches all other error codes.
`login`	ID of the login user of the process that generated the audit event.
`real`	ID of the real user of the process that generated the audit event.
`pid`	ID of the process that generated the audit event.
`ppid`	ID of the parent of the process that generated the audit event.
`tid`	ID of the kernel thread that generated the event.
`time`	Time of day the audit event was generated.
`date`	Date the audit event was generated.
`host`	Hostname of the machine that generated the record. The reserved name UNKNOWN can be used to match any machines that are not listed in the /etc/security/audit/hosts file.

Relational Operators

Relational operators are used to compare the field in the audit record to the specified value. Valid relational operators include:

Item	Description
==	Equal to
!=	Not equal to
<	Less than
>	Greater than
>=	Greater than or equal to
<=	Less than or equal to

Valid Terms

A valid term consists of a field, a relational operator, and a value. In addition, not all relational operators and values are valid for each field. The following are the valid combinations:

Field	Valid Operators	Valid Values
`event`	`= =, ! =`	`Text string audit event name`
`result`	`= =, ! =`	`Text string audit status codes`
`command`	`= =, ! =`	`Text string command name`
`pid`	`all`	`Decimal integer process ID`
`ppid`	`all`	`Decimal integer process ID`
`login`	`all`	`Decimal integer user ID`
`login`	`= =, ! =`	`Text string user name`
`real`	`all`	`Decimal integer user ID`
`real`	`= =, ! =`	`Text string user name`
`tid`	`all`	`Decimal integer thread ID`
`time`	`all`	`String in the format specified by the current locale`
`date`	`all`	`String in the format specified by the current locale`
`host`	`= =, ! =`	`Text string host name or 16 character cpu ID`
`priv`	`= =, ! =`	`Privilege name`
`sl`	`= =, ! =`	`Sensitivity label name`
`tl`	`= =, ! =`	`Integrity label name`
`role`	`= =, ! =`	`Role name`

Security

Access Control

This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

RBAC Environment and

This command implements and can perform privileged operations. Only privileged users can run such privileged operations. To review the list of privileges and the authorizations associated with this command, refer to the /etc/security/privcmds database.

Examples

Configuration

To select bin-collected data records that match the USER_SU or USER_Login audit events, add the auditselect command to the /etc/security/audit/bincmds file by entering:
```
/usr/sbin/auditselect -e "event== USER_SU || event== \
USER_Login" $bin >> /audit/trail.login
```
While auditing is enabled, the records for each initiation of a user session are read from the current bin file and written to the /audit/trail.login file.
To select stream-collected data records that match a user login that was unsuccessful, add the auditselect command to the auditstream stanza in the /etc/security/audit/streamcmds file by entering:
```
/usr/sbin/auditstream -c authentication | \
/usr/sbin/auditselect -e "event == \
USER_Login && result == FAIL" | \
/usr/sbin/auditpr -t 2 -v >> /dev/lpr2
```
To produce a hardcopy audit trail, records of unsuccessful authentication events are written to the /dev/lpr2 line printer.

Select authentication or login events

To search an audit trail file for all events that involve authentication errors:
```
/usr/sbin/auditselect -e "result == FAIL_AUTH"
/audit/oldtrail | /usr/sbin/auditpr -t -helt -v
```
The records of events that were unsuccessful because authentication was denied are printed. The header titles will be printed once, followed by the event, login ID, and time fields, and then the audit trail.
To select audit records that are generated when smith logs in during prime working hours during the first week in May of 1987, enter:
/usr/sbin/auditselect -f /aaa/bbb \ /audit/trail1987 | /usr/sbin/auditpr
The /aaa/bbb file must contain the following line:
```
 command == login && login == smith && 
 time >= 08:00:00 && time <= 17:00:00 && 
 date >= 05/01/87 && date <= 05/05/87
```

String comparison

To compare the name of the audit event to the USER_Login string, enter one of the following:
```
"event == USER_Login"
 
"event != USER_Login"
```
To find out if the passwd command generated the audit event, use:
```
"command == passwd"
```
To find out if the audit event was not generated by the passwd command, use:
```
"command != passwd"
```
To compare the audit status to the OK result string, enter:
```
"result == OK"
```
To compare the login or real user ID of the process that generated the audit event to a specific user ID (user ID 014 or the user name carol), enter one of the following:
```
"login == 014"
"login != carol"
"login == 014 || login != carol"
"real == carol"
```
To compare the ID of the process or the parent of the process that generated the audit event to the process ID 2006, enter one of the following:
```
"pid == 2006"
"pid != 2006"
"ppid ==  2006" 
```
Note: Although login and real user IDs and process IDs can be compared with the inequality operators ( < =, > =, <, > ), it is normally unnecessary to do this.
To compare the time the audit event was generated to the 08:03:00 time string, enter one of the following:
```
"time == 08:03:00"
"time != 08:03:00"
"time <  08:03:00"
"time <= 08:03:00"
"time >  08:03:00"
"time >= 08:03:00"
```
Audit records are selected that fit the indicated comparison to the 08:03:00 time string. The time string must agree with the format specified by the current locale.
To compare the date that the audit event was generated to the 05/05/89 date string, enter one of the following:
```
"date == 05/03/89"
"date != 05/03/89"
"date <  05/03/89"
"date <= 05/03/89"
"date >  05/03/89"
"date >= 05/03/89" 
```
Audit records are selected that fit the indicated comparison to the 05/05/89 date string. The date string must agree with the format specified by the current locale.

Note: The auditselect command does not support the -r flag for the recovery mode.

Buffered write option for audit records

To use the buffered write option for the audit records with a buffer size of 520000 bytes for auditing subsystem that is started in bin mode, enter the following command:
```
export AIX_AUDITBUFSZ=520000
/usr/sbin/auditselect -e "event== USER_SU || event==USER_Login" $bin >> /audit/trail.login 
```

Files

Item	Description
/usr/sbin/auditselect	Specifies the path of the auditselect command.
/etc/rc	Contains the system initialization commands.
/etc/security/audit/config	Contains audit system configuration information.
/etc/security/audit/events	Contains the audit events of the system.
/etc/security/audit/objects	Contains audit events for audited objects (files).
/etc/security/audit/bincmds	Contains auditbin backend commands.
/etc/security/audit/streamcmds	Contains auditstream commands.
/etc/security/audit/hosts	Contains the CPU ID to hostname mappings.