Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
/usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] | [-i id] | [-p programname] | [-s systemcall] | [-h]]
The auditrecord utility displays the event ID, audit class and selection mask, and record format for audit record event types defined in audit_event(4). You can use auditrecord to generate a list of all audit record formats, or to select audit record formats based on event class, event name, generating program name, system call name, or event ID.
There are two output formats. The default format is intended for display in a terminal window; the optional HTML format is intended for viewing with a web browser.
Tokens contained in square brackets ( [ ] ) are optional and might not be present in every record.
The following options are supported:
-a
List all audit records.
-c class
List all audit records selected by class. class is one of the two-character class codes from the file /etc/security/audit_class.
-d
Debug mode. Display number of audit records that are defined in audit_event, the number of classes defined in audit_class, any mismatches between the two files, and report which defined events do not have format information available to auditrecord.
-e string
List all audit records for which the event ID label contains the string string. The match is case insensitive.
-h
Generate the output in HTML format.
-i id
List the audit records having the numeric event ID id.
-p programname
List all audit records generated by the program programname, for example, audit records generated by a user-space program.
-s systemcall
List all audit records generated by the system call systemcall, for example, audit records generated by a system call.
The -p and -s options are different names for the same thing and are mutually exclusive. The -a option is ignored if any of -c, -e, -i, -p, or -s are given. Combinations of -c, -e, -i, and either -p or -s are ANDed together.
Example 1 Displaying an Audit Record with a Specified Event ID
The following example shows how to display the contents of a specified audit record.
% auditrecord -i 6152 terminal login program /usr/sbin/login see login(1) /usr/dt/bin/dtlogin See dtlogin event ID 6152 AUE_login class lo (0x00001000) header subject [text] error message return
Example 2 Displaying an Audit Record with an Event ID Label that Contains a Specified String
The following example shows how to display the contents of a audit record with an event ID label that contains the string login.
# auditrecord -e login terminal login program /usr/sbin/login see login(1) /usr/dt/bin/dtlogin See dtlogin event ID 6152 AUE_login class lo (0x00001000) header subject [text] error message return rlogin program /usr/sbin/login see login(1) - rlogin event ID 6155 AUE_rlogin class lo (0x00001000) header subject [text] error message return
0
Successful operation
non-zero
Error
Provides the list of valid classes and the associated audit mask.
Provides the numeric event ID, the literal event name, and the name of the associated system call or program.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
CSI | Enabled |
Interface Stability | Obsolete Uncommitted |
auditconfig(1M), praudit(1M), audit.log(4), audit_class(4), audit_event(4), attributes(5)
See the section on Solaris Auditing in System Administration Guide: Security Services.
If unable to read either of its input files or to write its output file, auditrecord shows the name of the file on which it failed and exits with a non-zero return.
If no options are provided, if an invalid option is provided, or if both -s and -p are provided, an error message is displayed and auditrecord displays a usage message then exits with a non-zero return.
This command is Obsolete and may be removed and replaced with equivalent functionality in a future release of Solaris. This command was formerly known as bsmrecord.
If /etc/security/audit_event has been modified to add user-defined audit events, auditrecord displays the record format as undefined.
The audit records displayed by bsmrecord are the core of the record that can be produced. Various audit policies and optional tokens, such as those shown below, might also be present.
The following is a list of praudit(1M) token names with their descriptions.
group
Present if the group audit policy is set.
sensitivity label
Present when Trusted Extensions is enabled and represents the label of the subject or object with which it is associated. The mandatory_label token is noted in the basic audit record where a label is explicitly part of the record.
sequence
Present when the seq audit policy is set.
trailer
Present when the trail audit policy is set.
zone
The name of the zone generating the record when the zonename audit policy is set. The zonename token is noted in the basic audit record where a zone name is explicitly part of the record.