auditrecord man page on OpenIndiana

auditrecord(1M)		System Administration Commands	       auditrecord(1M)

NAME
       auditrecord - display Solaris audit record formats

SYNOPSIS
       /usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
	     [-i id] | [-p programname] | [-s systemcall] | [-h]]

DESCRIPTION
       The auditrecord utility displays the event ID, audit class and
       selection mask, and record format for audit record event types defined in
       audit_event(4). You can use auditrecord to generate a list of all audit
       record formats, or to select audit record formats based on event class,
       event name, generating program name, system call name, or event ID.

       There are two output formats. The default format is intended for
       display in a terminal window; the optional HTML format is intended for
       viewing with a web browser.

       Tokens  contained in square brackets ( [ ] ) are optional and might not
       be present in every record.

OPTIONS
       The following options are supported:

       -a

	   List all audit records.

       -c class

	   List all audit records selected by class. class is one of the  two-
	   character class codes from the file /etc/security/audit_class.

       -d

           Debug mode. Display the number of audit records that are defined in
           audit_event, the number of classes defined in audit_class, any
           mismatches between the two files, and report which defined events do
           not have format information available to auditrecord.

       -e string

	   List all audit records for which the event ID  label	 contains  the
	   string string. The match is case insensitive.

       -h

	   Generate the output in HTML format.

       -i id

	   List the audit records having the numeric event ID id.

       -p programname

	   List	 all  audit  records generated by the program programname, for
	   example, audit records generated by a user-space program.

       -s systemcall

	   List all audit records generated by the system call systemcall, for
	   example, audit records generated by a system call.

       The  -p	and  -s options are different names for the same thing and are
       mutually exclusive. The -a option is ignored if any of -c, -e, -i,  -p,
       or  -s  are  given. Combinations of -c, -e, -i, and either -p or -s are
       ANDed together.

EXAMPLES
       Example 1 Displaying an Audit Record with a Specified Event ID

       The following example shows how to display the contents of a  specified
       audit record.

	 % auditrecord -i 6152
	   terminal login
	   program     /usr/sbin/login	    see login(1)
		       /usr/dt/bin/dtlogin  See dtlogin
	   event ID    6152		    AUE_login
	   class       lo		    (0x00001000)
	       header
	       subject
	       [text]			    error message
	       return

       Example 2 Displaying an Audit Record with an Event ID Label that
       Contains a Specified String

       The following example shows how to display the contents of an audit
       record with an event ID label that contains the string login.

	 # auditrecord -e login
	 terminal login
	   program     /usr/sbin/login	    see login(1)
		       /usr/dt/bin/dtlogin  See dtlogin
	   event ID    6152		    AUE_login
	   class       lo		    (0x00001000)
	       header
	       subject
	       [text]			    error message
	       return

	 rlogin
	   program     /usr/sbin/login	    see login(1) - rlogin
	   event ID    6155		    AUE_rlogin
	   class       lo		    (0x00001000)
	       header
	       subject
	       [text]			    error message
	       return

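       The record formats above are the contract a log parser can rely on:
       the bracketed token is optional, the rest are always emitted. As an
       added example, not from the man page or OpenIndiana, this Python
       parser turns the terminal-format output of auditrecord into structured
       records; SAMPLE is the Example 2 output copied from the page, and the
       column layout is the only thing assumed about the format.

```python
# Added example, not from the man page or OpenIndiana: SAMPLE is the Example 2
# output copied from the page; the column layout is assumed from that output.
import re

SAMPLE = """\
terminal login
  program     /usr/sbin/login      see login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return
rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return
"""

def parse_auditrecord(text):
    """One dict per record: label, programs, event_id, event_name, audit_class,
    class_mask, and tokens as (name, optional) pairs in emission order."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():             # unindented line: new record label
            cur = {"label": line.strip(), "programs": [], "tokens": []}
            records.append(cur)
            continue
        parts = line.split()
        if parts[0] == "program" or parts[0].startswith("/"):   # program path(s)
            cur["programs"].append(parts[1] if parts[0] == "program" else parts[0])
        elif parts[:2] == ["event", "ID"]:
            cur["event_id"], cur["event_name"] = int(parts[2]), parts[3]
        elif parts[0] == "class":             # class code and its (0x...) mask
            cur["audit_class"], cur["class_mask"] = parts[1], int(parts[2].strip("()"), 16)
        else:                                 # token line; [name] marks it optional
            m = re.fullmatch(r"\[(\w+)\]|(\w+)", parts[0])
            cur["tokens"].append((m.group(1) or m.group(2), m.group(1) is not None))
    return records

def required_tokens(record):
    # Tokens every record of this event type carries; optional ones are dropped.
    return [name for name, optional in record["tokens"] if not optional]
```

       The token regex only handles single-word names; a token such as the
       sensitivity label listed under NOTES would need it widened.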
EXIT STATUS
       0

	   Successful operation

       non-zero

	   Error

FILES
       /etc/security/audit_class

	   Provides the list of valid classes and the associated audit mask.

       /etc/security/audit_event

	   Provides the numeric event ID, the literal event name, and the name
	   of the associated system call or program.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWcs			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │CSI			     │Enabled			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Uncommitted		   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       auditconfig(1M),	    praudit(1M),     audit.log(4),     audit_class(4),
       audit_event(4), attributes(5)

       See  the	 section  on  Solaris Auditing in System Administration Guide:
       Security Services.

DIAGNOSTICS
       If unable to read either of its input files  or	to  write  its	output
       file,  auditrecord  shows  the  name of the file on which it failed and
       exits with a non-zero return.

       If no options are provided, if an invalid option	 is  provided,	or  if
       both  -s	 and  -p  are  provided,  an  error  message  is displayed and
       auditrecord displays a usage message then exits with a non-zero return.

NOTES
       This command was formerly known as bsmrecord.

       If /etc/security/audit_event has	 been  modified	 to  add  user-defined
       audit events, auditrecord displays the record format as undefined.

       The  audit  records displayed by auditrecord are the core of the record
       that can be produced. Various audit policies and optional tokens,  such
       as those shown below, might also be present.

       The following is a list of praudit(1M) token names with their
       descriptions.

       group

	   Present if the group audit policy is set.

       sensitivity label

           Present when Trusted Extensions is enabled and represents the label
           of the subject or object with which it is associated. The
           mandatory_label token is noted in the basic audit record where a label
           is explicitly part of the record.

       sequence

	   Present when the seq audit policy is set.

       trailer

	   Present when the trail audit policy is set.

       zone

	   The	name of the zone generating the record when the zonename audit
	   policy is set. The zonename token  is  noted	 in  the  basic	 audit
	   record where a zone name is explicitly part of the record.

SunOS 5.11			  15 Oct 2009		       auditrecord(1M)