praudit reads the listed filenames (or standard input, if no filename is specified) and interprets the data as audit trail records as defined in audit.log(4). By default, times, user and group IDs (UIDs and GIDs, respectively) are converted to their ASCII representation. Record type and event fields are converted to their ASCII representation. A maximum of 100 audit files can be specified on the command line.
In the Trusted Solaris environment, the praudit command is run at the label
and requires either the
file_dac_read privilege or an effective UID of 0 to succeed. The
PAF_LABEL_VIEW process attribute flag for the current process affects how
ADMIN_LOW binary labels are translated to their text equivalents. See pattr(1) and getpattr(2) for more information.
Prints one line per record.
Print records in their raw form. Times, UIDs, GIDs, record types, and events are displayed as integers. This option and the -s option are exclusive. If both are used, a format usage error message is output.
Print records in their short form. All numeric fields are converted to text and displayed. The short text representations for the record type and event fields are used. This option and the -r option are exclusive. If both are used, a format usage error message is output.
Use del as the field delimiter instead of the default delimiter, which is the comma. If del has special meaning for the shell, it must be quoted. The maximum size of a delimiter is three characters.
Audit event definition and class mappings.
Audit class definitions.
See attributes(5) for descriptions of the following attributes:
The praudit command uses the
PAF_LABEL_VIEW process attribute flag and converts security labels as well as times and IDs. It is run at
ADMIN_HIGH and requires either the
file_dac_read privilege or an effective UID of 0 to succeed.
The functionality described in this man page is available only if auditing is enabled. By default, auditing is enabled in the Trusted Solaris environment.
Trusted Solaris Audit Administration