System Administration Commands auditrecord(1M)
NAME
auditrecord - display Solaris audit record formats
SYNOPSIS
/usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
[-i id] | [-p programname] | [-s systemcall] | [-h]]
DESCRIPTION
The auditrecord utility displays the event ID, audit class
and selection mask, and record format for audit record eventtypes defined in audit_event(4). You can use auditrecord to
generate a list of all audit record formats, or to selectaudit record formats based on event class, event name, gen-
erating program name, system call name, or event ID. There are two output formats. The default format is intended for display in a terminal window; the optional HTML format is intended for viewing with a web browser. Tokens contained in square brackets ( [ ] ) are optional and might not be present in every record. OPTIONS The following options are supported:-a
List all audit records.-c class
List all audit records selected by class. class is oneof the two-character class codes from the file
/etc/security/audit_class.
-d
Debug mode. Display number of audit records that aredefined in audit_event, the number of classes defined in
audit_class, any mismatches between the two files, and
report which defined events do not have format informa-
tion available to auditrecord.
-e string
List all audit records for which the event ID labelSunOS 5.11 Last change: 15 Oct 2009 1
System Administration Commands auditrecord(1M)
contains the string string. The match is case insensi-
tive.-h
Generate the output in HTML format.-i id
List the audit records having the numeric event ID id.-p programname
List all audit records generated by the program program-
name, for example, audit records generated by a user-
space program.-s systemcall
List all audit records generated by the system call sys-
temcall, for example, audit records generated by a sys-
tem call.The -p and -s options are different names for the same thing
and are mutually exclusive. The -a option is ignored if any
of -c, -e, -i, -p, or -s are given. Combinations of -c, -e,
-i, and either -p or -s are ANDed together.
EXAMPLES
Example 1 Displaying an Audit Record with a Specified Event ID The following example shows how to display the contents of a specified audit record.% auditrecord -i 6152
terminal login program /usr/sbin/login see login(1) /usr/dt/bin/dtlogin See dtloginevent ID 6152 AUE_login
class lo (0x00001000) header subject [text] error messageSunOS 5.11 Last change: 15 Oct 2009 2
System Administration Commands auditrecord(1M)
return Example 2 Displaying an Audit Record with an Event ID Label that Contains a Specified String The following example shows how to display the contents of a audit record with an event ID label that contains the string login.# auditrecord -e login
terminal login program /usr/sbin/login see login(1) /usr/dt/bin/dtlogin See dtloginevent ID 6152 AUE_login
class lo (0x00001000) header subject [text] error message return rloginprogram /usr/sbin/login see login(1) - rlogin
event ID 6155 AUE_rlogin
class lo (0x00001000) header subject [text] error message return EXIT STATUS 0 Successful operationnon-zero
Error FILES/etc/security/audit_class
Provides the list of valid classes and the associated audit mask.SunOS 5.11 Last change: 15 Oct 2009 3
System Administration Commands auditrecord(1M)
/etc/security/audit_event
Provides the numeric event ID, the literal event name, and the name of the associated system call or program.ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcs ||_____________________________|_____________________________|
| CSI | Enabled ||_____________________________|_____________________________|
| Interface Stability | Uncommitted ||_____________________________|_____________________________|
SEE ALSO
auditconfig(1M), praudit(1M), audit.log(4), audit_class(4),
audit_event(4), attributes(5)
See the section on Solaris Auditing in System Administration Guide: Security Services. DIAGNOSTICS If unable to read either of its input files or to write itsoutput file, auditrecord shows the name of the file on which
it failed and exits with a non-zero return.
If no options are provided, if an invalid option is pro-
vided, or if both -s and -p are provided, an error message
is displayed and auditrecord displays a usage message then
exits with a non-zero return.
NOTES This command was formerly known as bsmrecord.If /etc/security/audit_event has been modified to add user-
defined audit events, auditrecord displays the record format
as undefined.SunOS 5.11 Last change: 15 Oct 2009 4
System Administration Commands auditrecord(1M)
The audit records displayed by auditrecord are the core of
the record that can be produced. Various audit policies and optional tokens, such as those shown below, might also be present. The following is a list of praudit(1M) token names with their descriptions. group Present if the group audit policy is set. sensitivity label Present when Trusted Extensions is enabled and represents the label of the subject or object with whichit is associated. The mandatory_label token is noted in
the basic audit record where a label is explicitly part of the record. sequence Present when the seq audit policy is set. trailer Present when the trail audit policy is set. zone The name of the zone generating the record when the zonename audit policy is set. The zonename token is noted in the basic audit record where a zone name is explicitly part of the record.SunOS 5.11 Last change: 15 Oct 2009 5