bsmpseu(1) manual page

Name

bsmpseu - pseudonymize records from audit trail files

Synopsis

bsmpseu [ options ] [ audit-trail-file... ]

Description

bsmpseu allows you to pseudonymize records from audit trail files. Personal data such as user IDs is replaced with pseudonyms, so that the generated output doesn't reveal private information about the system's users, but still preserves as much integrity and consistency as possible. bsmpseu has been designed with efficiency and privacy in mind.

bsmpseu sequentially reads one or more input audit trail files and writes the pseudonymized audit trail to standard output. The input and output audit trail files can be in plain BSM audit or in zlib(3) / gzip(1) compressed format. bsmpseu pseudonymizes a 200MB audit trail file on a plain Sun Ultra 10 in 50 seconds and pseudonymizes and compresses the same file within 8 minutes.

Depending on the type of information, the personal data is replaced by random data, cleared/blanked or shifted by a random value. Details are listed below.

User IDs, Group IDs and Process IDs

User IDs, group IDs and process IDs are replaced with unique random values. The same random value is mapped to the same ID to preserve the audit context.

Pathnames

Pathnames are matched against a list of pathname prefixes. The suffix of a matched pathname is replaced by unique random characters. The same random characters are mapped to the same pathname suffix. E.g. the pathname /tmp/foo/bar, matching the prefix /tmp/, is mapped to /tmp/Drs/g/T.

Internet Addresses

Internet addresses other than the local addresses 0.0.0.0 (IPv4) and 0::0 (IPv6) are replaced by random internet addresses within the range 60.0.0.0 - 200.0.0.0. Private, local and public addresses are all treated the same.

Execution Arguments and Environment

Execution arguments and environment are overwritten with space characters. Instead of using this option, disable execution arguments and environment using auditconfig(1M).

Timestamps

The timestamps of all audit records are shifted by a random value in order to preserve temporal context within the audit trail.
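
The sketch below is an added example, not bsmpseu's source code. It models the consistent ID mapping, the prefix-based pathname replacement and the timestamp shift described above. The class and method names, the replacement alphabet, the equal-length suffix replacement and the single additive offset per run are assumptions made for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed replacement alphabet
PREFIXES = ("/export/home/", "/home/", "/var/mail/", "/tmp/", "/var/tmp/")

def _unique(draw, used, space):
    """Draw random values until one is unused; fail once the space is full."""
    if len(used) >= space:
        raise ValueError("pseudonym space exhausted")
    while True:
        cand = draw()
        if cand not in used:
            return cand

class Pseudonymizer:
    """Model of the consistent mappings described above; not bsmpseu's code."""
    def __init__(self, id_range=(200, 60000), max_shift=604800, prefixes=PREFIXES):
        self.lo, self.hi = id_range
        self.prefixes = prefixes
        self.id_map = {}    # real ID -> pseudonym
        self.path_map = {}  # real suffix -> random suffix of equal length
        # Assumption: one additive offset per run, so gaps between records are kept.
        self.shift = secrets.randbelow(max_shift + 1)

    def ident(self, real):
        """Same real ID -> same pseudonym; distinct IDs never collide."""
        if real not in self.id_map:
            span = self.hi - self.lo + 1
            self.id_map[real] = _unique(lambda: self.lo + secrets.randbelow(span),
                                        set(self.id_map.values()), span)
        return self.id_map[real]

    def path(self, real):
        """Replace the suffix after a matching prefix; keep other paths."""
        for prefix in self.prefixes:
            suffix = real[len(prefix):]
            if real.startswith(prefix) and suffix:
                if suffix not in self.path_map:
                    n = len(suffix)
                    used = {v for v in self.path_map.values() if len(v) == n}
                    self.path_map[suffix] = _unique(
                        lambda: "".join(secrets.choice(ALPHABET) for _ in range(n)),
                        used, len(ALPHABET) ** n)
                return prefix + self.path_map[suffix]
        return real

    def timestamp(self, seconds):
        return seconds + self.shift
```

Because the ID mapping is injective, a narrow [ min to max ] interval runs out of pseudonyms once the trail contains more distinct IDs than the interval has values; the sketch raises an error in that case.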

Options

-d list

Pseudonymize pathnames that match one of the prefixes from the colon-separated list. Trailing slashes are not appended to the prefixes. [Default: /export/home/:/home/:/var/mail/:/tmp/:/var/tmp/]

-D

Don't pseudonymize pathnames.

-u min:max

Pseudonymize user IDs using random values from the integer interval [ min to max ]. Default: 200 to 60000 uid.

-U

Don't pseudonymize user IDs.

-g min:max

Pseudonymize group IDs using random values from the integer interval [ min to max ]. Default: 10 to 60000 gid.

-G

Don't pseudonymize group IDs.

-p min:max

Pseudonymize process IDs using random values from the integer interval [ min to max ]. Default: 500 to 65535 pid.

-P

Don't pseudonymize process IDs.

-s shift

Pseudonymize timestamps of audit records by shifting up to a maximum of shift seconds. [Default: 604800 seconds]

-S

Don't pseudonymize timestamps of audit records.

-A

Don't pseudonymize internet (IPv4 and IPv6) addresses.

-E

Don't pseudonymize execution arguments and execution environment.

-z

Compress output stream using zlib(3) compress functions. This option slows down the pseudonymizing process.

-v

Display verbose information during pseudonymizing to standard error output.

-V

Display version information to standard error output.

-h

Display a help screen to standard error output.

Examples

Example 1: The bsmpseu command.

This will pseudonymize the content of the specified audit files using the default options and display the pseudonymized audit records in human-readable form:

% bsmpseu /export/audit/* | praudit

bsmpseu is able to generate compressed output using the -z option, but it is also able to read compressed input audit trail files, as shown in the example below.

% bsmpseu /export/audit/friday.bsm.gz > /tmp/audit.bsm

Often it is not useful to pseudonymize all data types in an audit trail file. The example below shows the use of the bsmpseu tool where the process IDs and internet addresses are not pseudonymized.

% bsmpseu -P -A /var/audit/audit.bsm > /tmp/audit.bsm

See Also

bsmconv(1M), praudit(1M), auditreduce(1M), audit.log(4), audit_class(4), audit_control(4), group(4), hosts(4), passwd(4), attributes(5)

