auditrecord(1M)         System Administration Commands         auditrecord(1M)


NAME

       auditrecord - display Solaris audit record formats


SYNOPSIS

       /usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
             [-i id] | [-p programname] | [-s systemcall] | [-h]]


DESCRIPTION

       The auditrecord utility displays the event ID, audit class and
       selection mask, and record format for audit record event types defined
       in audit_event(4). You can use auditrecord to generate a list of all
       audit record formats, or to select audit record formats based on event
       class, event name, generating program name, system call name, or event
       ID.


       There are two output formats. The default format is intended for
       display in a terminal window; the optional HTML format is intended for
       viewing with a web browser.


       Tokens contained in square brackets ( [ ] ) are optional and might not
       be present in every record.


OPTIONS

       The following options are supported:

       -a

           List all audit records.


       -c class

           List all audit records selected by class. class is one of the
           two-character class codes from the file /etc/security/audit_class.


       -d

           Debug mode. Display the number of audit records that are defined in
           audit_event, the number of classes defined in audit_class, any
           mismatches between the two files, and report which defined events
           do not have format information available to auditrecord.


       -e string

           List all audit records for which the event ID label contains the
           string string. The match is case insensitive.


       -h

           Generate the output in HTML format.


       -i id

           List the audit records having the numeric event ID id.


       -p programname

           List all audit records generated by the program programname, for
           example, audit records generated by a user-space program.


       -s systemcall

           List all audit records generated by the system call systemcall, for
           example, audit records generated by a system call.



       The -p and -s options are different names for the same thing and are
       mutually exclusive. The -a option is ignored if any of -c, -e, -i, -p,
       or -s are given. Combinations of -c, -e, -i, and either -p or -s are
       ANDed together.


EXAMPLES

       Example 1 Displaying an Audit Record with a Specified Event ID


       The following example shows how to display the contents of a specified
       audit record.


         % auditrecord -i 6152
           terminal login
           program     /usr/sbin/login      see login(1)
                       /usr/dt/bin/dtlogin  See dtlogin
           event ID    6152                 AUE_login
           class       lo                   (0x00001000)
               header
               subject
               [text]                       error message
               return



       Example 2 Displaying an Audit Record with an Event ID Label that
       Contains a Specified String


       The following example shows how to display the contents of an audit
       record with an event ID label that contains the string login.


         # auditrecord -e login
         terminal login
           program     /usr/sbin/login      see login(1)
                       /usr/dt/bin/dtlogin  See dtlogin
           event ID    6152                 AUE_login
           class       lo                   (0x00001000)
               header
               subject
               [text]                       error message
               return

         rlogin
           program     /usr/sbin/login      see login(1) - rlogin
           event ID    6155                 AUE_rlogin
           class       lo                   (0x00001000)
               header
               subject
               [text]                       error message
               return



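       As an added example (not part of this man page or of Solaris), the
       following Python parses the default terminal-format output shown in
       Example 2 into structured records, so that the per-event token layout
       can be kept alongside the praudit(1M) output an analyst works with. The
       sample input is constructed from Example 2 above; the regular
       expressions and dictionary keys are this example's own assumptions
       about the layout.

```python
import re
# Constructed input: the terminal-format output of "auditrecord -e login" from
# Example 2 above, embedded here so the parser runs without a Solaris host.
SAMPLE = """\
terminal login
  program     /usr/sbin/login      see login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return

rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return
"""
FIELD_RE = re.compile(r"^ {1,4}(program|event ID|class) +(\S+)(?: +(.*))?$")
TOKEN_RE = re.compile(r"^ {5,}(\[?)([a-z_ ]+?)\]?(?:  +.*)?$")  # [ ] marks optional

def parse_auditrecord(text):
    """Parse auditrecord's default (terminal) output into one dict per event."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():                 # a blank line separates records
            continue
        if not line[0].isspace():            # unindented line: the event ID label
            cur = {"label": line.strip(), "programs": [], "tokens": [], "optional": []}
            records.append(cur)
        elif (m := FIELD_RE.match(line)):
            key, val, rest = m.group(1), m.group(2), (m.group(3) or "").strip()
            if key == "program":
                cur["programs"].append(val)
            elif key == "event ID":
                cur["event_id"], cur["event_name"] = int(val), rest
            else:                            # class code and its selection mask
                cur["class"], cur["mask"] = val, int(rest.strip("()"), 16)
        elif line.strip().startswith("/"):   # extra program on a continuation line
            cur["programs"].append(line.split()[0])
        elif (m := TOKEN_RE.match(line)):    # token line, in record order
            cur["tokens"].append(m.group(2))
            if m.group(1):
                cur["optional"].append(m.group(2))
    return records
```

       Records produced by user-defined events that the page says auditrecord
       reports as undefined will simply carry no token lines here.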

EXIT STATUS

       0

           Successful operation


       non-zero

           Error



FILES

       /etc/security/audit_class

           Provides the list of valid classes and the associated audit mask.


       /etc/security/audit_event

           Provides the numeric event ID, the literal event name, and the name
           of the associated system call or program.



ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsr                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │CSI                          │Enabled                      │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Obsolete Uncommitted         │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       auditconfig(1M), praudit(1M), audit.log(4), audit_class(4),
       audit_event(4), attributes(5)


       See the section on Solaris Auditing in System Administration Guide:
       Security Services.


DIAGNOSTICS

       If unable to read either of its input files or to write its output
       file, auditrecord shows the name of the file on which it failed and
       exits with a non-zero return.


       If no options are provided, if an invalid option is provided, or if
       both -s and -p are provided, an error message is displayed and
       auditrecord displays a usage message then exits with a non-zero return.


NOTES

       This command is Obsolete and may be removed and replaced with
       equivalent functionality in a future release of Solaris. This command
       was formerly known as bsmrecord.


       If /etc/security/audit_event has been modified to add user-defined
       audit events, auditrecord displays the record format as undefined.


       The audit records displayed by bsmrecord are the core of the record
       that can be produced. Various audit policies and optional tokens, such
       as those shown below, might also be present.


       The following is a list of praudit(1M) token names with their
       descriptions.

       group

           Present if the group audit policy is set.


       sensitivity label

           Present when Trusted Extensions is enabled and represents the label
           of the subject or object with which it is associated. The
           mandatory_label token is noted in the basic audit record where a
           label is explicitly part of the record.


       sequence

           Present when the seq audit policy is set.


       trailer

           Present when the trail audit policy is set.


       zone

           The name of the zone generating the record when the zonename audit
           policy is set. The zonename token is noted in the basic audit
           record where a zone name is explicitly part of the record.



SunOS 5.11                        13 May 2009                  auditrecord(1M)