bsmrecord(1M) (man pages section 1M: System Administration Commands)

man pages section 1M: System Administration Commands

bsmrecord(1M)

NAME

bsmrecord- display Basic Security Module (BSM) audit record formats

SYNOPSIS

/usr/bin/bsmrecord

-d

-a

-e

string

-c

class

-i

id

-p

programname

-s

systemcall

-h

DESCRIPTION

For audit record types defined in /etc/security/audit_event, the bsmrecord utility shows the audit id, audit class, selection mask, and record format. It can be used to generate a list of all audit records or to select records based on class, event name, program or system call name, or id. The bsmrecord utility requires root privileges.

There are two listing formats. The default format is intended for display in a terminal window; the optional HTML format is intended for viewing with a web browser.

OPTIONS

The following options are supported:

-a: List all audit records.
-c class: List all audit records selected by class. class is one of the two-character class codes from the file /etc/security/audit_class.
-d: Debug mode. Display number of audit records that are defined in audit_event, the number of classes defined in audit_class, any mismatches between the two files, and report which defined events do not have format information available to bsmrecord.
-e string: List all audit records for which the id label contains the string string. The match is case insensitive.
-h: Generate the output in HTML format.
-i id: List the audit record having the numeric id id.
-p programname: List all audit records generated by the program programname, for example, audit records generated by a user-space program.
-s systemcall: List all audit records generated by the system call systemcall, for example, audit records generated by a system call.

The -p and -s options are different names for the same thing and are mutually exclusive. The -a option is ignored if any of -c, -e, -i, -p, or -s are given. Combinations of -c, -e, -i, and either -p or -s are ANDed together.

EXAMPLES

Example 1 Display Audit Record with a Specified ID

The following example shows how to display the contents of a specified audit record.

% bsmrecord -i 6152
login: terminal login
  program     /usr/sbin/login      see login(1)
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header-token
      subject-token
      text-token                   error message
      exit-token

Example 2 Display Audit Record with ID Label that Contains a Specified String

The following example shows how to display the contents of a audit record with an id label that contains the string login.

# bsmrecord -e login
terminal login
  program     /usr/sbin/login      see login(1)
  event ID    6152                 AUE_login
  class       lo                   (0x00001000)
      header-token
      subject-token
      text-token                   error message
      exit-token

rlogin
  program     /usr/sbin/login      see login(1) - rlogin
  event ID    6155                 AUE_rlogin
  class       lo                   (0x00001000)
     header-token
     subject-token
     text-token                   error message
     exit-token

EXIT STATUS

0: Successful operation
non-zero: Error

FILES

/etc/security/audit_class: Provides the list of valid classes and the associated audit mask.
/etc/security/audit_event: Provides the numeric id, the literal event name, and the name of the associated system call or program.
/etc/security/audit_display_attr: Provides annotation information for each audit event. The primary content is the record format information but audit_display_attr also overrides the program name or system call information from audit_event as needed.
/usr/perl5/5.6.1/lib/Sun/Solaris/BSM/_BSMparse.pm: Perl module used by bsmrecord.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWcsr
CSI	Enabled
Interface Stability	Unstable

DIAGNOSTICS

If unable to read either of its input files or to write its output file, bsmrecord shows the name of the file on which it failed and exits with a non-zero return.

If no options are provided, if an invalid option is provided, or if both -s and -p are provided, an error message is displayed and bsmrecord displays a usage message then exits with a non-zero return.

NOTES

If the file permissions for /etc/security/audit_event or /etc/security/audit_class are not world-readable, then bsmrecord must be run by root.

If /etc/security/audit_event has been modified to add user-defined audit events, bsmrecord displays the record format as undefined.

SunOS 5.9 Last Revised 27 Nov 2001