'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH AUDITRECORD 1M "May 13, 2009"
.SH NAME
auditrecord \- display Solaris audit record formats
.SH SYNOPSIS
.LP
.nf
\fB/usr/sbin/auditrecord\fR [\fB-d\fR] [ [\fB-a\fR] | [\fB-e\fR \fIstring\fR] | [\fB-c\fR \fIclass\fR] |
      [\fB-i\fR \fIid\fR] | [\fB-p\fR \fIprogramname\fR] | [\fB-s\fR \fIsystemcall\fR] | [\fB-h\fR]]
.fi

.SH DESCRIPTION
.sp
.LP
The \fBauditrecord\fR utility displays the event ID, audit class and selection
mask, and record format for audit record event types defined in
\fBaudit_event\fR(4). You can use \fBauditrecord\fR to generate a list of all
audit record formats, or to select audit record formats based on event class,
event name, generating program name, system call name, or event ID.
.sp
.LP
There are two output formats. The default format is intended for display in a
terminal window; the optional HTML format is intended for viewing with a web
browser.
.sp
.LP
Tokens contained in square brackets ( \fB[ ]\fR ) are optional and might not be
present in every record.
.SH OPTIONS
.sp
.LP
The following options are supported:
.sp
.ne 2
.na
\fB\fB-a\fR\fR
.ad
.sp .6
.RS 4n
List all audit records.
.RE

.sp
.ne 2
.na
\fB\fB-c\fR \fIclass\fR\fR
.ad
.sp .6
.RS 4n
List all audit records selected by \fIclass\fR. \fIclass\fR is one of the
two-character class codes from the file \fB/etc/security/audit_class\fR.
.RE

.sp
.ne 2
.na
\fB\fB-d\fR\fR
.ad
.sp .6
.RS 4n
Debug mode. Display number of audit records that are defined in
\fBaudit_event\fR, the number of classes defined in \fBaudit_class\fR, any
mismatches between the two files, and report which defined events do not have
format information available to \fBauditrecord\fR.
.RE

.sp
.ne 2
.na
\fB\fB-e\fR \fIstring\fR\fR
.ad
.sp .6
.RS 4n
List all audit records for which the event ID label contains the string
\fIstring\fR. The match is case insensitive.
.RE

.sp
.ne 2
.na
\fB\fB-h\fR\fR
.ad
.sp .6
.RS 4n
Generate the output in HTML format.
.RE

.sp
.ne 2
.na
\fB\fB-i\fR \fIid\fR\fR
.ad
.sp .6
.RS 4n
List the audit records having the numeric event ID \fIid\fR.
.RE

.sp
.ne 2
.na
\fB\fB-p\fR \fIprogramname\fR\fR
.ad
.sp .6
.RS 4n
List all audit records generated by the program \fIprogramname\fR, for example,
audit records generated by a user-space program.
.RE

.sp
.ne 2
.na
\fB\fB-s\fR \fIsystemcall\fR\fR
.ad
.sp .6
.RS 4n
List all audit records generated by the system call \fIsystemcall\fR, for
example, audit records generated by a system call.
.RE

.sp
.LP
The \fB-p\fR and \fB-s\fR options are different names for the same thing and
are mutually exclusive. The \fB-a\fR option is ignored if any of \fB-c\fR,
\fB-e\fR, \fB-i\fR, \fB-p\fR, or \fB-s\fR are given. Combinations of \fB-c\fR,
\fB-e\fR, \fB-i\fR, and either \fB-p\fR or \fB-s\fR are ANDed together.
.SH EXAMPLES
.LP
\fBExample 1 \fRDisplaying an Audit Record with a Specified Event ID
.sp
.LP
The following example shows how to display the contents of a specified audit
record.

.sp
.in +2
.nf
% auditrecord -i 6152
  terminal login
  program     /usr/sbin/login      see login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return
.fi
.in -2
.sp

.LP
\fBExample 2 \fRDisplaying an Audit Record with an Event ID Label that Contains
a Specified String
.sp
.LP
The following example shows how to display the contents of a audit record with
an event ID label that contains the string \fBlogin\fR.

.sp
.in +2
.nf
# auditrecord -e login
terminal login
  program     /usr/sbin/login      see login(1)
              /usr/dt/bin/dtlogin  See dtlogin
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return

rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
      header
      subject
      [text]                       error message
      return
.fi
.in -2
.sp

.SH EXIT STATUS
.sp
.ne 2
.na
\fB\fB0\fR\fR
.ad
.sp .6
.RS 4n
Successful operation
.RE

.sp
.ne 2
.na
\fB\fBnon-zero\fR\fR
.ad
.sp .6
.RS 4n
Error
.RE

.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/security/audit_class\fR\fR
.ad
.sp .6
.RS 4n
Provides the list of valid classes and the associated audit mask.
.RE

.sp
.ne 2
.na
\fB\fB/etc/security/audit_event\fR\fR
.ad
.sp .6
.RS 4n
Provides the numeric event ID, the literal event name, and the name of the
associated system call or program.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
CSI	Enabled
_
Interface Stability	Obsolete Uncommitted
.TE

.SH SEE ALSO
.sp
.LP
\fBauditconfig\fR(1M), \fBpraudit\fR(1M), \fBaudit.log\fR(4),
\fBaudit_class\fR(4), \fBaudit_event\fR(4), \fBattributes\fR(5)
.sp
.LP
See the section on Solaris Auditing in \fISystem Administration Guide: Security
Services\fR.
.SH DIAGNOSTICS
.sp
.LP
If unable to read either of its input files or to write its output file,
\fBauditrecord\fR shows the name of the file on which it failed and exits with
a non-zero return.
.sp
.LP
If no options are provided, if an invalid option is provided, or if both
\fB-s\fR and \fB-p\fR are provided, an error message is displayed and
\fBauditrecord\fR displays a usage message then exits with a non-zero return.
.SH NOTES
.sp
.LP
This command is Obsolete and may be removed and replaced with equivalent
functionality in a future release of Solaris. This command was formerly known
as \fBbsmrecord\fR.
.sp
.LP
If \fB/etc/security/audit_event\fR has been modified to add user-defined audit
events, \fBauditrecord\fR displays the record format as \fBundefined\fR.
.sp
.LP
The audit records displayed by \fBbsmrecord\fR are the core of the record that
can be produced. Various audit policies and optional tokens, such as those
shown below, might also be present.
.sp
.LP
The following is a list of \fBpraudit\fR(1M) token names with their
descriptions.
.sp
.ne 2
.na
\fB\fBgroup\fR\fR
.ad
.sp .6
.RS 4n
Present if the \fBgroup\fR audit policy is set.
.RE

.sp
.ne 2
.na
\fB\fBsensitivity label\fR\fR
.ad
.sp .6
.RS 4n
Present when Trusted Extensions is enabled and represents the label of the
subject or object with which it is associated. The \fBmandatory_label\fR token
is noted in the basic audit record where a label is explicitly part of the
record.
.RE

.sp
.ne 2
.na
\fB\fBsequence\fR\fR
.ad
.sp .6
.RS 4n
Present when the \fBseq\fR audit policy is set.
.RE

.sp
.ne 2
.na
\fB\fBtrailer\fR\fR
.ad
.sp .6
.RS 4n
Present when the \fBtrail\fR audit policy is set.
.RE

.sp
.ne 2
.na
\fB\fBzone\fR\fR
.ad
.sp .6
.RS 4n
The name of the zone generating the record when the \fBzonename\fR audit policy
is set. The \fBzonename\fR token is noted in the basic audit record where a
zone name is explicitly part of the record.
.RE