auditrecord(1M)          System Administration Commands         auditrecord(1M)

NAME
     auditrecord - display Solaris audit record formats

SYNOPSIS
     /usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
          [-i id] | [-p programname] | [-s systemcall] | [-h]]

DESCRIPTION
     The auditrecord utility displays the event ID, audit class and
     selection mask, and record format for audit record event types
     defined in audit_event(4). You can use auditrecord to generate a list
     of all audit record formats, or to select audit record formats based
     on event class, event name, generating program name, system call
     name, or event ID.

     There are two output formats. The default format is intended for
     display in a terminal window; the optional HTML format is intended
     for viewing with a web browser.

     Tokens contained in square brackets ( [ ] ) are optional and might
     not be present in every record.

OPTIONS
     The following options are supported:

     -a

         List all audit records.


     -c class

         List all audit records selected by class. class is one of the
         two-character class codes from the file
         /etc/security/audit_class.


     -d

         Debug mode. Display the number of audit records that are defined
         in audit_event, the number of classes defined in audit_class, any
         mismatches between the two files, and report which defined events
         do not have format information available to auditrecord.


     -e string

         List all audit records for which the event ID label contains the
         string string. The match is case insensitive.


     -h

         Generate the output in HTML format.


     -i id

         List the audit records having the numeric event ID id.


     -p programname

         List all audit records generated by the program programname, for
         example, audit records generated by a user-space program.


     -s systemcall

         List all audit records generated by the system call systemcall,
         for example, audit records generated by a system call.


     The -p and -s options are different names for the same thing and are
     mutually exclusive. The -a option is ignored if any of -c, -e, -i, -p,
     or -s are given. Combinations of -c, -e, -i, and either -p or -s are
     ANDed together.

EXAMPLES
     Example 1 Displaying an Audit Record with a Specified Event ID

     The following example shows how to display the contents of a
     specified audit record.

       % auditrecord -i 6152
       terminal login
         program     /usr/sbin/login      see login(1)
                     /usr/dt/bin/dtlogin  See dtlogin
         event ID    6152                 AUE_login
         class       lo (0x00001000)
             header
             subject
             [text]                       error message
             return


     Example 2 Displaying an Audit Record with an Event ID Label that
     Contains a Specified String

     The following example shows how to display the contents of an audit
     record with an event ID label that contains the string login.

       # auditrecord -e login
       terminal login
         program     /usr/sbin/login      see login(1)
                     /usr/dt/bin/dtlogin  See dtlogin
         event ID    6152                 AUE_login
         class       lo (0x00001000)
             header
             subject
             [text]                       error message
             return

       rlogin
         program     /usr/sbin/login      see login(1) - rlogin
         event ID    6155                 AUE_rlogin
         class       lo (0x00001000)
             header
             subject
             [text]                       error message
             return


EXIT STATUS
     0

         Successful operation


     non-zero

         Error


FILES
     /etc/security/audit_class

         Provides the list of valid classes and the associated audit mask.


     /etc/security/audit_event

         Provides the numeric event ID, the literal event name, and the
         name of the associated system call or program.


ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:


     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWcsr                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │CSI                          │Enabled                      │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Obsolete Uncommitted         │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     auditconfig(1M), praudit(1M), audit.log(4), audit_class(4),
     audit_event(4), attributes(5)

     See the section on Solaris Auditing in System Administration Guide:
     Security Services.

DIAGNOSTICS
     If unable to read either of its input files or to write its output
     file, auditrecord shows the name of the file on which it failed and
     exits with a non-zero return.

     If no options are provided, if an invalid option is provided, or if
     both -s and -p are provided, auditrecord displays an error message
     followed by a usage message, then exits with a non-zero return.

NOTES
     This command is Obsolete and may be removed and replaced with
     equivalent functionality in a future release of Solaris. This command
     was formerly known as bsmrecord.

     If /etc/security/audit_event has been modified to add user-defined
     audit events, auditrecord displays the record format as undefined.

     The audit records displayed by bsmrecord are the core of the record
     that can be produced. Various audit policies and optional tokens,
     such as those shown below, might also be present.

     The following is a list of praudit(1M) token names with their
     descriptions.

     group

         Present if the group audit policy is set.


     sensitivity label

         Present when Trusted Extensions is enabled and represents the
         label of the subject or object with which it is associated. The
         mandatory_label token is noted in the basic audit record where a
         label is explicitly part of the record.


     sequence

         Present when the seq audit policy is set.


     trailer

         Present when the trail audit policy is set.


     zone

         The name of the zone generating the record when the zonename
         audit policy is set. The zonename token is noted in the basic
         audit record where a zone name is explicitly part of the record.



SunOS 5.11                       13 May 2009                    auditrecord(1M)