AUDITRECORD(8) Maintenance Procedures AUDITRECORD(8)
NAME
auditrecord - display audit record formats
SYNOPSIS
/usr/sbin/auditrecord [
-d] [ [
-a] | [
-e string] | [
-c class] |
[
-i id] | [
-p programname] | [
-s systemcall] | [
-h]]
DESCRIPTION
The
auditrecord utility displays the event ID, audit class and selection
mask, and record format for audit record event types defined in
audit_event(5). You can use
auditrecord to generate a list of all audit
record formats, or to select audit record formats based on event class,
event name, generating program name, system call name, or event ID.
There are two output formats. The default format is intended for display
in a terminal window; the optional HTML format is intended for viewing
with a web browser.
Tokens contained in square brackets (
[ ] ) are optional and might not be
present in every record.
OPTIONS
The following options are supported:
-a List all audit records.
-c class List all audit records selected by
class.
class is one of the two-
character class codes from the file
/etc/security/audit_class.
-d Debug mode. Display number of audit records that are defined in
audit_event, the number of classes defined in
audit_class, any
mismatches between the two files, and report which defined events do
not have format information available to
auditrecord.
-e string List all audit records for which the event ID label contains the
string
string. The match is case insensitive.
-h Generate the output in HTML format.
-i id List the audit records having the numeric event ID
id.
-p programname List all audit records generated by the program
programname, for
example, audit records generated by a user-space program.
-s systemcall List all audit records generated by the system call
systemcall, for
example, audit records generated by a system call.
The
-p and
-s options are different names for the same thing and are
mutually exclusive. The
-a option is ignored if any of
-c,
-e,
-i,
-p, or
-s are given. Combinations of
-c,
-e,
-i, and either
-p or
-s are ANDed
together.
EXAMPLES
Example 1: Displaying an Audit Record with a Specified Event ID
The following example shows how to display the contents of a specified
audit record.
% auditrecord -i 6152
terminal login
program /usr/sbin/login see
login(1) /usr/dt/bin/dtlogin See dtlogin
event ID 6152 AUE_login
class lo (0x00001000)
header
subject
[text] error message
return
Example 2: Displaying an Audit Record with an Event ID Label that Contains
a Specified String
The following example shows how to display the contents of a audit record
with an event ID label that contains the string
login.
# auditrecord -e login
terminal login
program /usr/sbin/login see
login(1) /usr/dt/bin/dtlogin See dtlogin
event ID 6152 AUE_login
class lo (0x00001000)
header
subject
[text] error message
return
rlogin
program /usr/sbin/login see
login(1) - rlogin
event ID 6155 AUE_rlogin
class lo (0x00001000)
header
subject
[text] error message
return
EXIT STATUS
0 Successful operation
non-zero Error
FILES
/etc/security/audit_class Provides the list of valid classes and the associated audit mask.
/etc/security/audit_event Provides the numeric event ID, the literal event name, and the name
of the associated system call or program.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+----------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+----------------------+
|CSI | Enabled |
+--------------------+----------------------+
|Interface Stability | Obsolete Uncommitted |
+--------------------+----------------------+
SEE ALSO
audit.log(5),
audit_class(5),
audit_event(5),
attributes(7),
auditconfig(8),
praudit(8)DIAGNOSTICS
If unable to read either of its input files or to write its output file,
auditrecord shows the name of the file on which it failed and exits with
a non-zero return.
If no options are provided, if an invalid option is provided, or if both
-s and
-p are provided, an error message is displayed and
auditrecord displays a usage message then exits with a non-zero return.
NOTES
This command is Obsolete and may be removed and replaced with equivalent
functionality in the future. This command was formerly known as
bsmrecord.
If
/etc/security/audit_event has been modified to add user-defined audit
events,
auditrecord displays the record format as
undefined.
The audit records displayed by
auditrecord are the core of the record
that can be produced. Various audit policies and optional tokens, such as
those shown below, might also be present.
The following is a list of
praudit(8) token names with their
descriptions.
group Present if the
group audit policy is set.
sensitivity label Present when Trusted Extensions is enabled and represents the label
of the subject or object with which it is associated. The
mandatory_label token is noted in the basic audit record where a
label is explicitly part of the record.
sequence Present when the
seq audit policy is set.
trailer Present when the
trail audit policy is set.
zone The name of the zone generating the record when the
zonename audit
policy is set. The
zonename token is noted in the basic audit record
where a zone name is explicitly part of the record.
March 6, 2017
AUDITRECORD(8)