System Administration Guide: Security Services

ProcedureHow to Display Audit Record Formats

To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The auditrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.

  1. Put the format of all audit event records in an HTML file.

    The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.

    % auditrecord -a -h >

    When you display the *html file in a browser, use the browser's Find tool to find specific records.

    For more information, see the auditrecord(1M) man page.

Example 30–23 Displaying the Audit Record Formats of a Program

In this example, the format of all audit records that are generated by the login program are displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.

% auditrecord -p login
terminal login   program     /usr/sbin/login      See login(1)           
   /usr/dt/bin/dtlogin  See dtlogin   event ID    6152                 AUE_login
  class       lo                   (0x00001000)       header       subject
      text                         error message or "successful login"   
login: logout
  program     various              See login(1)
  event ID    6153                 AUE_logout

  program     newgrp               See newgrp login
  event ID    6212                 AUE_newgrp_login

  program     /usr/sbin/login      See login(1) - rlogin
  event ID    6155                 AUE_rlogin

SMC: role login
  program     SMC server           See role login
  event ID    6173                 AUE_role_login

  program     /usr/lib/ssh/sshd    See login - ssh
  event ID    6172                 AUE_ssh

telnet login
  program     /usr/sbin/login      See login(1) - telnet
  event ID    6154                 AUE_telnet

Example 30–24 Displaying the Audit Record Formats of an Audit Class

In this example, the format of all audit records in the fd class are displayed.

% auditrecord -c fd

  system call rmdir                See rmdir(2)
  event ID    48                   AUE_RMDIR
  class       fd                   (0x00000020)

  system call unlink               See unlink(2)
  event ID    6                    AUE_UNLINK

  system call unlinkat             See openat(2)
  event ID    286                  AUE_UNLINKAT