Merge commit 'dc97a43d4a70c8773a619f11b95b07a787f6f5b7' into merges

[unleashed.git] / share / man / man8 / auditreduce.8

'\" te
.\" Copyright (c) 2006  Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDITREDUCE 8 "Mar 6, 2017"
.SH NAME
auditreduce \- merge and select audit records from audit trail files
.SH SYNOPSIS
.LP
.nf
\fBauditreduce\fR [\fIoptions\fR] [\fIaudit-trail-file\fR]...
.fi

.SH DESCRIPTION
.LP
\fBauditreduce\fR allows you to select or merge records from audit trail files.
Audit files can be from one or more machines.
.sp
.LP
The merge function merges together audit records from one or more input audit
trail files into a single output file. The records in an audit trail file are
assumed to be sorted in chronological order (oldest first) and this order is
maintained by \fBauditreduce\fR in the output file.
.sp
.LP
Unless instructed otherwise, \fBauditreduce\fR will merge the entire audit
trail, which consists of all the audit trail files in the directory structure
\fIaudit_root_dir\fR/*/files. Unless specified with the -\fBR\fR or -\fBS\fR
option, \fIaudit_root_dir\fR defaults to \fB/etc/security/audit\fR. By using
the file selection options it is possible to select some subset of these files,
or files from another directory, or files named explicitly on the command line.
.sp
.LP
The select function allows audit records to be selected on the basis of
numerous criteria relating to the record's content (see \fBaudit.log\fR(4) for
details of record content). A record must meet all of the
\fIrecord-selection-option\fR criteria to be selected.
.SS "Audit Trail Filename Format"
.LP
Any audit trail file not named on the command line must conform to the audit
trail filename format. Files produced by the audit system already have this
format. Output file names produced by \fBauditreduce\fR are in this format. It
is:
.sp
.in +2
.nf
\fIstart-time\fR\fB\&.\fR\fI\|end-time\fR\fB\&.\fR\fI\|suffix\fR
.fi
.in -2
.sp

.sp
.LP
where \fIstart-time\fR is the 14-character timestamp of when the file was
opened, \fIend-time\fR is the 14-character timestamp of when the file was
closed, and \fIsuffix\fR is the name of the machine which generated the audit
trail file, or some other meaningful suffix (for example, \fBall\fR, if the
file contains a combined group of records from many machines). The
\fIend-time\fR can be the literal string \fBnot_terminated\fR, to indicate that
the file is still being written to by the audit system. Timestamps are of the
form \fIyyyymmddhhmmss\fR (year, month, day, hour, minute, second). The
timestamps are in Greenwich Mean Time (GMT).
.SH OPTIONS
.SS "File Selection Options"
.LP
The file selection options indicate which files are to be processed and certain
types of special treatment.
.sp
.ne 2
.na
\fB\fB-A\fR\fR
.ad
.sp .6
.RS 4n
All of the records from the input files will be selected regardless of their
timestamp. This option effectively disables the \fB-a\fR, \fB-b\fR, and
\fB-d\fR options. This is useful in preventing the loss of records if the
\fB-D\fR option is used to delete the input files after they are processed.
Note, however, that if a record is \fInot\fR selected due to another option,
then \fB-A\fR will not override that.
.RE

.sp
.ne 2
.na
\fB\fB-C\fR\fR
.ad
.sp .6
.RS 4n
Only process complete files. Files whose filename \fIend-time\fR timestamp is
\fBnot_terminated\fR are not processed (such a file is currently being written
to by the audit system). This is useful in preventing the loss of records if
\fB-D\fR is used to delete the input files after they are processed. It does
not apply to files specified on the command line.
.RE

.sp
.ne 2
.na
\fB\fB-D\fR \fIsuffix\fR\fR
.ad
.sp .6
.RS 4n
Delete input files after they are read if the entire run is successful. If
\fBauditreduce\fR detects an error while reading a file, then that file is not
deleted. If \fB-D\fR is specified, \fB-A\fR, \fB-C\fR and \fB-O\fR are also
implied. \fIsuffix\fR is given to the \fB-O\fR option. This helps prevent the
loss of audit records by ensuring that all of the records are written, only
complete files are processed, and the records are written to a file before
being deleted. Note that if both \fB-D\fR and \fB-O\fR are specified in the
command line, the order of specification is significant. The \fIsuffix\fR
associated with the latter specification is in effect.
.RE

.sp
.ne 2
.na
\fB\fB-M\fR \fImachine\fR\fR
.ad
.sp .6
.RS 4n
Allows selection of records from files with \fImachine\fR as the filename
suffix. If \fB-M\fR is not specified, all files are processed regardless of
suffix. \fB-M\fR can also be used to allow selection of records from files that
contain combined records from many machines and have a common suffix (such as
\fBall\fR).
.RE

.sp
.ne 2
.na
\fB\fB-N\fR\fR
.ad
.sp .6
.RS 4n
Select objects in \fBnew mode\fR.This flag is off by default, thus retaining
backward compatibility. In the existing, \fBold mode\fR, specifying the
\fB-e\fR, \fB-f\fR, \fB-g\fR, \fB-r\fR, or \fB-u\fR flags would select not only
actions taken with those \fBID\fRs, but also certain objects owned by those
\fBID\fRs. When running in \fBnew mode\fR, only actions are selected. In order
to select objects, the \fB-o\fR option must be used.
.RE

.sp
.ne 2
.na
\fB\fB-O\fR \fIsuffix\fR\fR
.ad
.sp .6
.RS 4n
Direct output stream to a file in the current \fBaudit_root_dir\fR with the
indicated suffix. \fIsuffix\fR can alternatively contain a full pathname, in
which case the last component is taken as the suffix, ahead of which the
timestamps will be placed, ahead of which the remainder of the pathname will be
placed. If the \fB-O\fR option is not specified, the output is sent to the
standard output. When \fBauditreduce\fR places timestamps in the filename, it
uses the times of the first and last records in the merge as the
\fIstart-time\fR and \fIend-time\fR.
.RE

.sp
.ne 2
.na
\fB\fB-Q\fR\fR
.ad
.sp .6
.RS 4n
Quiet. Suppress notification about errors with input files.
.RE

.sp
.ne 2
.na
\fB\fB-R\fR \fIpathname\fR\fR
.ad
.sp .6
.RS 4n
Specify the pathname of an alternate audit root directory \fIaudit_root_dir\fR
to be \fIpathname\fR. Therefore, rather than using
\fB/etc/security/audit\fR/*/files by default, \fIpathname\fR/*/files will be
examined instead.
.LP
Note -
.sp
.RS 2
The root file system of any non-global zones must not be referenced with the
\fB-R\fR option. Doing so might damage the global zone's file system, might
compromise the security of the global zone, and might damage the non-global
zone's file system. See \fBzones\fR(5).
.RE
.RE

.sp
.ne 2
.na
\fB\fB-S\fR \fIserver\fR\fR
.ad
.sp .6
.RS 4n
This option causes \fBauditreduce\fR to read audit trail files from a specific
location (server directory). \fIserver\fR is normally interpreted as the name
of a subdirectory of the audit root, therefore \fBauditreduce\fR will look in
\fIaudit_root_dir\fR/\fIserver\fR/files for the audit trail files. But if
\fIserver\fR contains any `\fB/\fR' characters, it is the name of a specific
directory not necessarily contained in the audit root. In this case,
\fIserver\fR/files will be consulted. This option allows archived files to be
manipulated easily, without requiring that they be physically located in a
directory structure like that of \fB/etc/security/audit\fR.
.RE

.sp
.ne 2
.na
\fB\fB-V\fR\fR
.ad
.sp .6
.RS 4n
Verbose. Display the name of each file as it is opened, and how many records
total were written to the output stream.
.RE

.SS "Record Selection Options"
.LP
The record selection options listed below are used to indicate which records
are written to the output file produced by \fBauditreduce\fR.
.sp
.LP
Multiple arguments of the same type are not permitted.
.sp
.ne 2
.na
\fB\fB-a\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred at or after \fIdate-time\fR. The \fIdate-time\fR
argument is described under \fBOption Arguments\fR, below. \fIdate-time\fR is
in local time. The \fB-a\fR and \fB-b\fR options can be used together to form a
range.
.RE

.sp
.ne 2
.na
\fB\fB-b\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred before \fIdate-time\fR.
.RE

.sp
.ne 2
.na
\fB\fB-c\fR \fIaudit-classes\fR\fR
.ad
.sp .6
.RS 4n
Select records by audit class. Records with events that are mapped to the audit
classes specified by \fIaudit-classes\fR are selected. Audit class names are
defined in \fBaudit_class\fR(4). Using the \fBaudit\fR \fIflags,\fR one can
select records based upon success and failure criteria.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR \fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
Select records that occurred on a specific day (a 24-hour period beginning at
00:00:00 of the day specified and ending at 23:59:59). The day specified is in
local time. The time portion of the argument, if supplied, is ignored. Any
records with timestamps during that day are selected. If any hours, minutes, or
seconds are given in \fItime,\fR they are ignored. \fB-d\fR can not be used
with \fB-a\fR or \fB\fR\fB-b\fR\fB\&.\fR
.RE

.sp
.ne 2
.na
\fB\fB-e\fR \fIeffective-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIeffective-user.\fR
.RE

.sp
.ne 2
.na
\fB\fB-f\fR \fIeffective-group\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIeffective-group.\fR
.RE

.sp
.ne 2
.na
\fB\fB-g\fR \fIreal-group\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIreal-group.\fR
.RE

.sp
.ne 2
.na
\fB\fB-j\fR \fIsubject-ID\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIsubject-ID\fR where \fIsubject-ID\fR is a
process ID.
.RE

.sp
.ne 2
.na
\fB\fB-m\fR \fIevent\fR\fR
.ad
.sp .6
.RS 4n
Select records with the indicated \fIevent\fR. The \fIevent\fR is the literal
string or the \fIevent\fR number.
.RE

.sp
.ne 2
.na
\fB\fB-o\fR \fIobject_type=objectID_value\fR\fR
.ad
.sp .6
.RS 4n
Select records by object type. A match occurs when the record contains the
information describing the specified \fIobject_type\fR and the object ID equals
the value specified by \fIobjectID_value.\fR The allowable object types and
values are as follows:
.sp
.ne 2
.na
\fBfile=\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with the specified pathname,
where pathname is a comma separated list of regular expressions. If a regular
expression is preceded by a tilde (\fB~\fR), files matching the expression are
excluded from the output. For example, the option
\fBfile=~/usr/openwin,/usr,/etc\fR would select all files in \fB/usr\fR or
\fB/etc\fR except those in \fB/usr/openwin\fR. The order of the regular
expressions is important because auditreduce processes them from left to right,
and stops when a file is known to be either selected or excluded. Thus the
option \fBfile=\fR \fB/usr\fR, \fB/etc\fR, \fB~/usr/openwin\fR would select all
files in \fB/usr\fR and all files in \fB/etc\fR. Files in \fB/usr/openwin\fR
are not excluded because the regular expression \fB/usr\fR is matched first.
Care should be given in surrounding the \fIpathname\fR with quotes so as to
prevent the shell from expanding any tildes.
.RE

.sp
.ne 2
.na
\fBfilegroup\fI=group\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with \fIgroup\fR as the owning
group.
.RE

.sp
.ne 2
.na
\fBfileowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing file system objects with \fIuser\fR as the owning
user.
.RE

.sp
.ne 2
.na
\fBmsgqid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with the specified \fIID\fR
where \fIID\fR is a message queue \fBID\fR.
.RE

.sp
.ne 2
.na
\fBmsgqgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with \fIgroup\fR as the owning
or creating group.
.RE

.sp
.ne 2
.na
\fBmsgqowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing message queue objects with \fIuser\fR as the owning
or creating user.
.RE

.sp
.ne 2
.na
\fBpid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with the specified \fIID\fR where
\fIID\fR is a process \fBID\fR. Process are objects when they are receivers of
signals.
.RE

.sp
.ne 2
.na
\fBprocgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with \fIgroup\fR as the real or
effective group.
.RE

.sp
.ne 2
.na
\fBprocowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing process objects with \fIuser\fR as the real or
effective user.
.RE

.sp
.ne 2
.na
\fBsemid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with the specified \fIID\fR where
\fIID\fR is a semaphore \fBID\fR.
.RE

.sp
.ne 2
.na
\fBsemgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with \fIgroup\fR as the owning or
creating group.
.RE

.sp
.ne 2
.na
\fBsemowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing semaphore objects with \fIuser\fR as the owning or
creating user.
.RE

.sp
.ne 2
.na
\fBshmid=\fIID\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with the specified \fIID\fR
where \fIID\fR is a shared memory \fBID\fR.
.RE

.sp
.ne 2
.na
\fBshmgroup=\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with \fIgroup\fR as the owning
or creating group.
.RE

.sp
.ne 2
.na
\fBshmowner=\fIuser\fR\fR
.ad
.sp .6
.RS 4n
Select records containing shared memory objects with \fIuser\fR as the owning
or creating user.
.RE

.sp
.ne 2
.na
\fBsock=\fIport_number|machine\fR\fR
.ad
.sp .6
.RS 4n
Select records containing socket objects with the specified \fIport_number\fR
or the specified \fImachine\fR where \fImachine\fR is a machine name as defined
in \fBhosts\fR(4).
.RE

.sp
.ne 2
.na
\fBfmri=\fIservice instance\fR\fR
.ad
.sp .6
.RS 4n
Select records containing fault management resource identifier (FMRI) objects
with the specified \fIservice instance\fR. See \fBsmf\fR(5).
.RE

.RE

.sp
.ne 2
.na
\fB\fB-r\fR \fIreal-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIreal-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsession-id\fR\fR
.ad
.sp .6
.RS 4n
Select audit records with the specified \fIsession-id\fR.
.RE

.sp
.ne 2
.na
\fB\fB-u\fR \fIaudit-user\fR\fR
.ad
.sp .6
.RS 4n
Select records with the specified \fIaudit-user\fR.
.RE

.sp
.ne 2
.na
\fB\fB-z\fR \fIzone-name\fR\fR
.ad
.sp .6
.RS 4n
Select records from the specified zone name. The zone name selection is
case-sensitive.
.RE

.sp
.LP
When one or more \fIfilename\fR arguments appear on the command line, only the
named files are processed. Files specified in this way need not conform to the
audit trail filename format. However, \fB-M\fR, \fB-S\fR, and \fB-R\fR must not
be used when processing named files. If the \fIfilename\fR is ``\(mi'' then the
input is taken from the standard input.
.SS "Option Arguments"
.ne 2
.na
\fB\fIaudit-trail-file\fR\fR
.ad
.sp .6
.RS 4n
An audit trail file as defined in \fBaudit.log\fR(4). An audit trail file not
named on the command line must conform to the audit trail file name format.
Audit trail files produced as output of \fBauditreduce\fR are in this format as
well. The format is:
.sp
\fIstart-time . \|end-time . \|suffix\fR
.sp
\fIstart-time\fR is the 14 character time stamp denoting when the file was
opened. \fIend-time\fR is the 14 character time stamp denoting when the file
was closed. \fIend-time\fR can also be the literal string \fBnot_terminated\fR,
indicating the file is still be written to by the audit daemon or the file was
not closed properly (a system crash or abrupt halt occurred). \fIsuffix\fR is
the name of the machine that generated the audit trail file (or some other
meaningful suffix; for example, \fBall\fR would be a good suffix if the audit
trail file contains a combined group of records from many machines).
.RE

.sp
.ne 2
.na
\fB\fIdate-time\fR\fR
.ad
.sp .6
.RS 4n
The \fIdate-time\fR argument to \fB-a\fR, \fB-b\fR, and \fB-d\fR can be of two
forms: An absolute \fIdate-time\fR takes the form:
.sp
\fI\fR yyyymmdd [ \fIhh\fR [ \fImm\fR [ \fIss\fR ]]]
.sp
where \fIyyyy\fR specifies a year (with 1970 as the earliest value), \fImm\fR
is the month (01-12), \fBdd\fR is the day (01-31), \fIhh\fR is the hour
(00-23), \fImm\fR is the minute (00-59), and \fIss\fR is the second (00-59).
The default is 00 for \fIhh\fR, \fImm\fR and \fIss\fR.
.sp
An offset can be specified as: \fB+\fR\fIn\fR \fBd\fR|\fBh\fR|\fBm\fR| \fBs\fR
where \fIn\fR is a number of units, and the tags \fBd\fR, \fBh\fR, \fBm\fR, and
\fBs\fR stand for days, hours, minutes and seconds, respectively. An offset is
relative to the starting time. Thus, this form can only be used with the
\fB-b\fR option.
.RE

.sp
.ne 2
.na
\fB\fIevent\fR\fR
.ad
.sp .6
.RS 4n
The literal string or ordinal event number as found in \fBaudit_event\fR(4). If
\fIevent\fR is not found in the \fBaudit_event\fR file it is considered
invalid.
.RE

.sp
.ne 2
.na
\fB\fIgroup\fR\fR
.ad
.sp .6
.RS 4n
The literal string or ordinal group ID number as found in \fBgroup\fR(4). If
\fIgroup\fR is not found in the \fBgroup\fR file it is considered invalid.
\fIgroup\fR can be negative.
.RE

.sp
.ne 2
.na
\fB\fIlabel\fR\fR
.ad
.sp .6
.RS 4n
The literal string representation of a MAC label or a range of two valid MAC
labels. To specify a range, use \fBx;y\fR where \fBx\fR and \fBy\fR are valid
MAC labels. Only those records that are fully bounded by \fBx\fR and \fBy\fR
will be selected. If \fBx\fR or \fBy\fR is omitted, the default uses
\fBADMIN_LOW\fR or \fBADMIN_HIGH\fR respectively. Notice that quotes must be
used when specifying a range.
.RE

.sp
.ne 2
.na
\fB\fIpathname\fR\fR
.ad
.sp .6
.RS 4n
A regular expression describing a pathname.
.RE

.sp
.ne 2
.na
\fB\fIuser\fR\fR
.ad
.sp .6
.RS 4n
The literal username or ordinal user ID number as found in \fBpasswd\fR(4). If
the username is not found in the \fBpasswd\fR file it is considered invalid.
\fIuser\fR can be negative.
.RE

.SH EXAMPLES
.LP
\fBExample 1 \fRThe auditreduce command
.sp
.LP
\fBpraudit\fR(8) is available to display audit records in a human-readable
form.

.sp
.LP
This will display the entire audit trail in a human-readable form:

.sp
.in +2
.nf
% auditreduce | praudit
.fi
.in -2
.sp

.sp
.LP
If all the audit trail files are being combined into one large file, then
deleting the original files could be desirable to prevent the records from
appearing twice:

.sp
.in +2
.nf
% auditreduce -V -D /etc/security/audit/combined/all
.fi
.in -2
.sp

.sp
.LP
This displays what user \fBmilner\fR did on April 13, 1988. The output is
displayed in a human-readable form to the standard output:

.sp
.in +2
.nf
% auditreduce -d 19880413 -u milner | praudit
.fi
.in -2
.sp

.sp
.LP
The above example might produce a large volume of data if \fBmilner\fR has been
busy. Perhaps looking at only login and logout times would be simpler. The
\fB-c\fR option will select records from a specified class:

.sp
.in +2
.nf
% auditreduce -d 19880413 -u milner -c lo | praudit
.fi
.in -2
.sp

.sp
.LP
To see \fBmilner\fR's login/logout activity for April 13, 14, and 15, the
following is used. The results are saved to a file in the current working
directory. Notice that the name of the output file will have \fBmilnerlo\fR as
the \fIsuffix\fR, with the appropriate timestamp prefixes. Notice also that the
long form of the name is used for the \fB-c\fR option:

.sp
.in +2
.nf
% auditreduce -a 19880413 -b +3d -u milner -c login_logout -O milnerlo
.fi
.in -2
.sp

.sp
.LP
To follow \fBmilner\fR's movement about the file system on April 13, 14, and 15
the \fBchdir\fR record types could be viewed. Notice that in order to get the
same time range as the above example we needed to specify the \fB-b\fR time as
the day \fBafter\fR our range. This is because \fB19880416\fR defaults to
midnight of that day, and records before that fall on \fB0415\fR, the end-day
of the range.

.sp
.in +2
.nf
% auditreduce -a 19880413 -b 19880416 -u milner -m AUE_CHDIR | praudit
.fi
.in -2
.sp

.sp
.LP
In this example, the audit records are being collected in summary form (the
login/logout records only). The records are being written to a summary file in
a different directory than the normal audit root to prevent the selected
records from existing twice in the audit root.

.sp
.in +2
.nf
% auditreduce -d 19880330 -c lo -O /etc/security/audit_summary/logins
.fi
.in -2
.sp

.sp
.LP
If activity for user \fBID\fR 9944 has been observed, but that user is not
known to the system administrator, then the command in the following example
searches the entire audit trail for any records generated by that user.
\fBauditreduce\fR queries the system about the current validity of \fBID\fR
9944 and displays a warning message if it is not currently active:

.sp
.in +2
.nf
% auditreduce -O /etc/security/audit_suspect/user9944 -u 9944
.fi
.in -2
.sp

.sp
.LP
To get an audit log of only the global zone:

.sp
.in +2
.nf
% auditreduce -z global
.fi
.in -2

.SH FILES
.ne 2
.na
\fB\fB/etc/security/audit/\fR\fIserver\fR\fB/files/*\fR\fR
.ad
.sp .6
.RS 4n
location of audit trails, when stored
.RE

.SH ATTRIBUTES
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE  ATTRIBUTE VALUE
_
Interface Stability     See below.
.TE

.sp
.LP
The command invocation is Stable. The binary file format is Stable. The binary
file contents is Unstable.
.SH SEE ALSO
.LP
\fBpraudit\fR(8), \fBaudit.log\fR(4), \fBaudit_class\fR(4),
\fBgroup\fR(4), \fBhosts\fR(4), \fBpasswd\fR(4),
\fBattributes\fR(5), \fBsmf\fR(5)
.SH DIAGNOSTICS
.LP
\fBauditreduce\fR displays error messages if there are command line errors and
then exits. If there are fatal errors during the run, \fBauditreduce\fR
displays an explanatory message and exits. In this case, the output file might
be in an inconsistent state (no trailer or partially written record) and
\fBauditreduce\fR displays a warning message before exiting. Successful
invocation returns \fB0\fR and unsuccessful invocation returns \fB1\fR.
.sp
.LP
Since \fBauditreduce\fR might be processing a large number of input files, it
is possible that the machine-wide limit on open files will be exceeded. If this
happens, \fBauditreduce\fR displays a message to that effect, give information
on how many file there are, and exit.
.sp
.LP
If \fBauditreduce\fR displays a record's timestamp in a diagnostic message,
that time is in local time. However, when filenames are displayed, their
timestamps are in \fBGMT\fR.
.SH BUGS
.LP
Conjunction, disjunction, negation, and grouping of record selection options
should be allowed.
.SH NOTES
.LP
The \fB-z\fR option should be used only if the audit policy \fBzonename\fR is
set. If there is no zonename token, then no records will be selected.