To write scripts that can find the audit data that you want, you need to know the order of tokens in an audit event. The auditrecord command displays the audit event number, audit class, selection mask, and record format of an audit event.
Put the format of all audit event records in an HTML file.
The -a option lists all audit event record formats. The -h option puts the list in HTML format that can be displayed in a browser.
% auditrecord -a -h > audit.events.html
When you display the .html file in a browser, use the browser's Find tool to locate specific records.
For more information, see the auditrecord(1M) man page.
In this example, the format of all audit records that are generated by the login program is displayed. The login programs include rlogin, telnet, newgrp, role login to the Solaris Management Console, and Solaris Secure Shell.
% auditrecord -p login
terminal login
  program     /usr/sbin/login     See login(1)
              /usr/dt/bin/dtlogin See dtlogin
  event ID    6152                AUE_login
  class       lo                  (0x00001000)
      header
      subject
      text                        error message or "successful login"
      return

login: logout
  program     various             See login(1)
  event ID    6153                AUE_logout
  …

newgrp
  program     newgrp              See newgrp login
  event ID    6212                AUE_newgrp_login
  …

rlogin
  program     /usr/sbin/login     See login(1) - rlogin
  event ID    6155                AUE_rlogin
  …

SMC: role login
  program     SMC server          See role login
  event ID    6173                AUE_role_login
  …

/usr/lib/ssh/sshd
  program     /usr/lib/ssh/sshd   See login - ssh
  event ID    6172                AUE_ssh
  …

telnet login
  program     /usr/sbin/login     See login(1) - telnet
  event ID    6154                AUE_telnet
  …
In this example, the format of all audit records in the fd class is displayed.
% auditrecord -c fd
rmdir
  system call rmdir               See rmdir(2)
  event ID    48                  AUE_RMDIR
  class       fd                  (0x00000020)
      header
      path
      [attribute]
      subject
      [use_of_privilege]
      return

unlink
  system call unlink              See unlink(2)
  event ID    6                   AUE_UNLINK
  …

unlinkat
  system call unlinkat            See openat(2)
  event ID    286                 AUE_UNLINKAT
  …
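The text layout that auditrecord prints is what a script has to read to learn an event's token order. The following Python parser is an added example, not part of the original page: it runs over a constructed sample in the layout shown above (one system-call record, one program record with a wrapped program line) and returns each event's ID, AUE name, class mask, and ordered token list; the function names are my own.

```python
# Added example (not from the original page): parse the text layout that
# auditrecord(1M) prints into one dict per event, including its token order.
import re
SAMPLE = """\
rmdir
  system call rmdir               See rmdir(2)
  event ID    48                  AUE_RMDIR
  class       fd                  (0x00000020)
      header
      path
      [attribute]
      subject
      [use_of_privilege]
      return

terminal login
  program     /usr/sbin/login     See login(1)
              /usr/dt/bin/dtlogin See dtlogin
  event ID    6152                AUE_login
  class       lo                  (0x00001000)
      header
      subject
      text                        error message or "successful login"
      return
"""  # constructed sample in the layout the page shows
def parse_auditrecord(text):
    events, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if not line[0].isspace():            # unindented line names a new event
            cur = {"name": s, "tokens": []}
            events.append(cur)
        elif s.startswith(("system call", "program")):
            cur["kind"] = "program" if s.startswith("program") else "system call"
        elif s.startswith("event ID"):
            m = re.match(r"event ID\s+(\d+)\s+(\S+)", s)
            cur["event_id"], cur["aue"] = int(m.group(1)), m.group(2)
        elif s.startswith("class"):
            m = re.match(r"class\s+(\S+)\s+\((0x[0-9a-fA-F]+)\)", s)
            cur["cls"], cur["mask"] = m.group(1), int(m.group(2), 16)
        elif " See " in s:                   # wrapped continuation of a program line
            continue
        else:                                # token line; [brackets] mark an optional token
            cur["tokens"].append((s.split()[0].strip("[]"), s.startswith("[")))
    return events
def token_order(events, aue):               # token names, in record order, for one AUE name
    return [t for ev in events if ev.get("aue") == aue for t, _ in ev["tokens"]]
```

Feed it the real output of `auditrecord -a` and look up an event by its AUE name to get the token sequence a record-processing script must expect.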