To display audit record definitions, use the auditrecord command. The definitions provide the audit event number, audit class, selection mask, and record format of an audit event.
% auditrecord -options
The screen output generated by the command depends on the option that you use, as shown in the following partial list.
The -p option displays the audit record definitions of a program.
The -c option displays the audit record definitions of an audit class.
The -a option lists all audit event definitions.
You can also print the displayed output to a file.
For more information, see the auditrecord(1M) man page.
Example 5-1 Displaying the Audit Record Definitions of a Program

In this example, the definitions of all audit records that are generated by the login program are displayed. Login programs include rlogin, telnet, newgrp, and the Secure Shell feature of Oracle Solaris.
% auditrecord -p login
...
login: logout
  program     various             See login(1)
  event ID    6153                AUE_logout
  class       lo                  (0x0000000000001000)
...
newgrp
  program     newgrp              See newgrp login
  event ID    6212                AUE_newgrp_login
  class       lo                  (0x0000000000001000)
...
rlogin
  program     /usr/sbin/login     See login(1) - rlogin
  event ID    6155                AUE_rlogin
  class       lo                  (0x0000000000001000)
...
/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd   See login - ssh
  event ID    6172                AUE_ssh
  class       lo                  (0x0000000000001000)
...
telnet login
  program     /usr/sbin/login     See login(1) - telnet
  event ID    6154                AUE_telnet
  class       lo                  (0x0000000000001000)
...

Example 5-2 Displaying the Audit Record Definitions of an Audit Class
In this example, the definitions of all audit records in the pf class that was created in Example 3-15 are displayed.
% auditrecord -c pf
pfexec
  system call pfexec              See execve(2) with pfexec enabled
  event ID    116                 AUE_PFEXEC
  class       pf                  (0x0100000000000000)
    header
    path                          pathname of the executable
    path                          pathname of working directory
    [privileges]                  privileges if the limit or inheritable set are changed
    [privileges]                  privileges if the limit or inheritable set are changed
    [process]                     process if ruid, euid, rgid or egid is changed
    exec_arguments
    [exec_environment]            output if arge policy is set
    subject
    [use_of_privilege]
    return
The use_of_privilege token is recorded whenever privilege is used. The privileges tokens are recorded if the limit or inheritable set is changed. The process token is recorded if an ID is changed. No policy option is required for these tokens to be included in the record.
Example 5-3 Printing Audit Record Definitions to a File

In this example, the -h option is added to write all the audit record definitions to a file in HTML format. When you display the HTML file in a browser, use the browser's Find tool to locate specific audit record definitions.
% auditrecord -ah > audit.events.html
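The definitions printed in Examples 5-1 and 5-2 are free text, which makes it tedious to check which class each event belongs to against the audit policy. The following script is an added example, not code from the Oracle Solaris documentation; it condenses the layout shown above into one line per event and filters by class, using a constructed sample of the login output in place of a live auditrecord run. The function names summarize_auditrecord and events_in_class, and the comma-separated multi-class convention, are assumptions.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: condense the free-text
# auditrecord(1M) definitions into one "event-ID AUE-name class mask" line per
# event, so the class an event lands in can be checked against the audit policy.
# The sample below is constructed in the layout of Example 5-1; on a Solaris host
# pipe the real command in instead:  auditrecord -p login | summarize_auditrecord

SAMPLE_AUDITRECORD_OUTPUT='login: logout
  program     various             See login(1)
  event ID    6153                AUE_logout
  class       lo                  (0x0000000000001000)
newgrp
  program     newgrp              See newgrp login
  event ID    6212                AUE_newgrp_login
  class       lo                  (0x0000000000001000)
rlogin
  program     /usr/sbin/login     See login(1) - rlogin
  event ID    6155                AUE_rlogin
  class       lo                  (0x0000000000001000)
/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd   See login - ssh
  event ID    6172                AUE_ssh
  class       lo                  (0x0000000000001000)
telnet login
  program     /usr/sbin/login     See login(1) - telnet
  event ID    6154                AUE_telnet
  class       lo                  (0x0000000000001000)'

# summarize_auditrecord: read auditrecord output on stdin and print
# "<event ID> <AUE name> <class> <mask>" per event, sorted by event ID.
# The "event ID" line always precedes the "class" line of the same event,
# so the awk script carries the ID and name forward to the class line.
summarize_auditrecord() {
  awk '
    $1 == "event" && $2 == "ID" { id = $3; name = $4 }
    $1 == "class"               { print id, name, $2, $3 }
  ' | sort -n
}

# events_in_class: keep only events assigned to the given class. Assumes that
# an event in several classes lists them comma-separated (as in audit_event(4)).
events_in_class() {
  summarize_auditrecord | awk -v want="$1" '
    { n = split($3, cls, ",")
      for (i = 1; i <= n; i++) if (cls[i] == want) { print; break } }'
}

printf '%s\n' "$SAMPLE_AUDITRECORD_OUTPUT" | events_in_class lo
```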