AUDITRECORD(8) Maintenance Commands and Procedures AUDITRECORD(8)

NAME


auditrecord - display audit record formats

SYNOPSIS


/usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
[-i id] | [-p programname] | [-s systemcall] | [-h]]


DESCRIPTION


The auditrecord utility displays the event ID, audit class and
selection mask, and record format for audit record event types
defined in audit_event(5). You can use auditrecord to generate a list
of all audit record formats, or to select audit record formats based
on event class, event name, generating program name, system call
name, or event ID.


There are two output formats. The default format is intended for
display in a terminal window; the optional HTML format is intended
for viewing with a web browser.


Tokens contained in square brackets ( [ ] ) are optional and might
not be present in every record.

OPTIONS


The following options are supported:

-a

List all audit records.


-c class

List all audit records selected by class. class is one of the
two-character class codes from the file
/etc/security/audit_class.


-d

Debug mode. Display number of audit records that are defined in
audit_event, the number of classes defined in audit_class, any
mismatches between the two files, and report which defined events
do not have format information available to auditrecord.


-e string

List all audit records for which the event ID label contains the
string string. The match is case insensitive.


-h

Generate the output in HTML format.


-i id

List the audit records having the numeric event ID id.


-p programname

List all audit records generated by the program programname, for
example, audit records generated by a user-space program.


-s systemcall

List all audit records generated by the system call systemcall,
for example, audit records generated by a system call.


The -p and -s options are different names for the same thing and are
mutually exclusive. The -a option is ignored if any of -c, -e, -i,
-p, or -s are given. Combinations of -c, -e, -i, and either -p or -s
are ANDed together.

EXAMPLES


Example 1: Displaying an Audit Record with a Specified Event ID




The following example shows how to display the contents of a
specified audit record.


% auditrecord -i 6152
terminal login
program /usr/sbin/login see login(1)
/usr/dt/bin/dtlogin See dtlogin
event ID 6152 AUE_login
class lo (0x00001000)
header
subject
[text] error message
return


Example 2: Displaying an Audit Record with an Event ID Label that


Contains a Specified String


The following example shows how to display the contents of a audit
record with an event ID label that contains the string login.


# auditrecord -e login
terminal login
program /usr/sbin/login see login(1)
/usr/dt/bin/dtlogin See dtlogin
event ID 6152 AUE_login
class lo (0x00001000)
header
subject
[text] error message
return

rlogin
program /usr/sbin/login see login(1) - rlogin
event ID 6155 AUE_rlogin
class lo (0x00001000)
header
subject
[text] error message
return


EXIT STATUS


0

Successful operation


non-zero

Error


FILES


/etc/security/audit_class

Provides the list of valid classes and the associated audit mask.


/etc/security/audit_event

Provides the numeric event ID, the literal event name, and the
name of the associated system call or program.


ATTRIBUTES


See attributes(7) for descriptions of the following attributes:


+--------------------+----------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+----------------------+
|CSI | Enabled |
+--------------------+----------------------+
|Interface Stability | Obsolete Uncommitted |
+--------------------+----------------------+

SEE ALSO


audit.log(5), audit_class(5), audit_event(5), attributes(7),
auditconfig(8), praudit(8)

DIAGNOSTICS


If unable to read either of its input files or to write its output
file, auditrecord shows the name of the file on which it failed and
exits with a non-zero return.


If no options are provided, if an invalid option is provided, or if
both -s and -p are provided, an error message is displayed and
auditrecord displays a usage message then exits with a non-zero
return.

NOTES


This command is Obsolete and may be removed and replaced with
equivalent functionality in the future. This command was formerly
known as bsmrecord.


If /etc/security/audit_event has been modified to add user-defined
audit events, auditrecord displays the record format as undefined.


The audit records displayed by auditrecord are the core of the record
that can be produced. Various audit policies and optional tokens,
such as those shown below, might also be present.


The following is a list of praudit(8) token names with their
descriptions.

group

Present if the group audit policy is set.


sensitivity label

Present when Trusted Extensions is enabled and represents the
label of the subject or object with which it is associated. The
mandatory_label token is noted in the basic audit record where a
label is explicitly part of the record.


sequence

Present when the seq audit policy is set.


trailer

Present when the trail audit policy is set.


zone

The name of the zone generating the record when the zonename
audit policy is set. The zonename token is noted in the basic
audit record where a zone name is explicitly part of the record.


March 6, 2017 AUDITRECORD(8)
tribblix@gmail.com :: GitHub :: Privacy