Running an audit report
Report generation may take some time if the volume of data is high. For example, if your report template does not specify start and stop dates and times for the selection, the entire audit session is reduced, which can consist of tens of megabytes of data.
The following is a sample audit report based on a template with these characteristics:
Events: B K M T
Times: Start: Fri Feb 2 19:00 Stop: Fri Feb 2 21:00
The report template concentrates on undesirable activities,
such as attempts to access restricted system files,
running restricted administrative programs, and so forth.
In this simplified example, user johnp logged on
and attempted to remove (unlink) /etc/passwd.
In a real scenario, there would be more records to examine.
This example serves to demonstrate the power of audit data.
"Understanding audit reports" contains a detailed study of how audit information is interpreted.
Example 6-3 Audit report output
***** Audit Data Reduction Program *****
Audit session number: 2
Collection system name: unix
Collection file count: 15
Compaction file count: 1
Total audit records: 11034
Total uncompacted size: 696050
Total compacted size: 243262
Data compression rate: 65.05
Collection start time: Fri Feb 7 19:00:15 1992
Collection end time: Fri Feb 7 21:00:00 1992
***** Selection Criteria *****
Time Interval Selection:
Start: Fri Feb 7 19:00:00 1992
Stop: Fri Feb 7 21:00:00 1992
Event Type Selection:
Event type: Login/Logoff activity
Event type: Access denial
Event type: Insufficient privilege
UID selection in effect.
***** Audit Records *****
Process ID: 235
Date/Time: Fri Feb 7 19:55:42 1992
Event type: Login/Logoff activity
Action: Successful login
Username: johnp
Login terminal: /dev/tty01

Process ID: 267
Date/Time: Fri Feb 7 19:56:11 1992
Luid: johnp
Euid: johnp
Ruid: johnp
Egid: group
Rgid: group
Event type: Access denial
System call: Unlink
Object: /etc/passwd
Result: Failed-EACCES (Access denial)
Security policy: discretionary

Process ID: 280
Date/Time: Fri Feb 7 19:58:14 1992
Event type: Login/Logoff activity
Action: Logoff
Username: johnp
Terminal: /dev/tty01
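As an added example that is not part of the original documentation, the following Python script parses records in the layout the audit reduction program prints (one "Field: value" per line, records separated by a blank line) and flags denied access to sensitive files, attributing each denial to the login session (user and terminal) that was active at the time. The sample input reproduces the login and access-denial records above with a few fields omitted for brevity; the watch list of files is an assumption, not from the page.

```python
import re
from datetime import datetime

# Constructed sample: the login and access-denial records from the report above.
SAMPLE_REPORT = """\
Process ID: 235
Date/Time: Fri Feb 7 19:55:42 1992
Event type: Login/Logoff activity
Action: Successful login
Username: johnp
Login terminal: /dev/tty01

Process ID: 267
Date/Time: Fri Feb 7 19:56:11 1992
Luid: johnp
Euid: johnp
Event type: Access denial
System call: Unlink
Object: /etc/passwd
Result: Failed-EACCES (Access denial)
"""

# Objects whose denied access warrants review (assumed watch list, not from the page).
WATCHLIST = {"/etc/passwd", "/etc/shadow", "/etc/group"}

def parse_records(text):
    """Turn blank-line-separated 'Field: value' records into dicts, oldest first."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")  # split at the first colon only
            rec[key.strip()] = value.strip()
        rec["when"] = datetime.strptime(rec["Date/Time"], "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return sorted(records, key=lambda r: r["when"])

def flag_denials(records, watchlist=WATCHLIST):
    """Return (user, terminal, syscall, object, pid) for each denial on a watched object."""
    last_login = {}  # username -> terminal of that user's most recent successful login
    findings = []
    for rec in records:
        if rec.get("Action") == "Successful login":
            last_login[rec["Username"]] = rec["Login terminal"]
        elif rec.get("Event type") == "Access denial" and rec.get("Object") in watchlist:
            user = rec["Luid"]  # login UID: the identity the session was opened with
            findings.append((user, last_login.get(user, "?"), rec["System call"], rec["Object"], rec["Process ID"]))
    return findings
```

Running `flag_denials(parse_records(SAMPLE_REPORT))` reports johnp's attempted unlink of /etc/passwd from /dev/tty01 as process 267.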