xref: /titanic_52/usr/src/man/man1m/praudit.1m (revision e0724c534a46ca4754330bc022bf1e2a68f5bb93)
te
Copyright (c) 2003, Sun Microsystems, Inc.
The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
PRAUDIT 1M "Jul 26, 2009"
NAME
praudit - print contents of an audit trail file
SYNOPSIS

praudit [-lrsx] [-ddel] [filename]...
DESCRIPTION

praudit reads the listed filenames (or standard input, if no filename is specified) and interprets the data as audit trail records as defined in audit.log(4). By default, times, user and group IDs (UIDs and GIDs, respectively) are converted to their ASCII representation. Record type and event fields are converted to their ASCII representation. A maximum of 100 audit files can be specified on the command line.

OPTIONS

The following options are supported: -ddel

Use del as the field delimiter instead of the default delimiter, which is the comma. If del has special meaning for the shell, it must be quoted. The maximum size of a delimiter is three characters. The delimiter is not meaningful and is not used when the -x option is specified.

-l

Print one line per record.

-r

Print records in their raw form. Times, UIDs, GIDs, record types, and events are displayed as integers. This option is useful when naming services are offline. The -r option and the -s option are exclusive. If both are used, a format usage error message is output.

-s

Display records in their short form. Numeric fields' ASCII equivalents are looked up by means of the sources specified in the /etc/nsswitch.conf file (see nsswitch.conf(4)). All numeric fields are converted to ASCII and then displayed. The short ASCII representations for the record type and event fields are used. This option and the -r option are exclusive. If both are used, a format usage error message is output.

-x

Print records in XML form. Tags are included in the output to identify tokens and fields within tokens. Output begins with a valid XML prolog, which includes identification of the DTD which can be used to parse the XML.

FILES
/etc/security/audit_event

Audit event definition and class mappings.

/etc/security/audit_class

Audit class definitions.

/usr/share/lib/xml/dtd

Directory containing the verisioned DTD file referenced in XML output, for example, adt_record.dtd.1.

/usr/share/lib/xml/style

Directory containing the versioned XSL file referenced in XML output, for example, adt_record.xsl.1.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE ATTRIBUTE VALUE
Interface Stability See below

The command stability is evolving. The output format is unstable.

SEE ALSO

bsmconv(1M), getent(1M), audit(2), getauditflags(3BSM), getpwuid(3C), gethostbyaddr(3NSL), ethers(3SOCKET), getipnodebyaddr(3SOCKET), audit.log(4), audit_class(4), audit_event(4), group(4), nsswitch.conf(4), passwd(4), attributes(5)

See the section on Solaris Auditing in System Administration Guide: Security Services.

NOTES

This functionality is available only if the Solaris Auditing feature has been enabled. See bsmconv(1M) for more information.