Managing Auditing in Oracle® Solaris 11.2

Updated: July 2014

Displaying Audit Record Definitions

To display audit record definitions, use the auditrecord command. The definitions provide the audit event number, audit class, selection mask, and record format of an audit event.

% auditrecord -options

The screen output generated by the command depends on the option that you use, as shown in the following partial list.

  • The –p option displays the audit record definitions of a program.

  • The –c option displays the audit record definitions of an audit class.

  • The –a option lists all audit event definitions.

You can also print the displayed output to a file.

For more information, see the auditrecord(1M) man page.

Example 5-1  Displaying the Audit Record Definitions of a Program

In this example, the definitions of all audit records that are generated by the login program are displayed. Login programs include rlogin, telnet, newgrp, and the Secure Shell feature of Oracle Solaris.

% auditrecord -p login
...
login: logout
program     various              See login(1)
event ID    6153                 AUE_logout
class       lo                   (0x0000000000001000)
...
newgrp
program     newgrp               See newgrp login
event ID    6212                 AUE_newgrp_login
class       lo                   (0x0000000000001000)
...
rlogin
program     /usr/sbin/login      See login(1) - rlogin
event ID    6155                 AUE_rlogin
class       lo                   (0x0000000000001000)
...
/usr/lib/ssh/sshd
program     /usr/lib/ssh/sshd    See login - ssh
event ID    6172                 AUE_ssh
class       lo                   (0x0000000000001000)
...
telnet login
program     /usr/sbin/login      See login(1) - telnet
event ID    6154                 AUE_telnet
class       lo                   (0x0000000000001000)
...
Example 5-2  Displaying the Audit Record Definitions of an Audit Class

In this example, the definitions of all audit records in the pf class that was created in Example 3–15 are displayed.

% auditrecord -c pf
pfexec
system call pfexec               See execve(2) with pfexec enabled
event ID    116                  AUE_PFEXEC
class       pf                   (0x0100000000000000)
header
path                    pathname of the executable
path                    pathname of working directory
[privileges]            privileges if the limit or inheritable set are changed
[privileges]            privileges if the limit or inheritable set are changed
[process]               process if ruid, euid, rgid or egid is changed
exec_arguments
[exec_environment]      output if arge policy is set
subject
[use_of_privilege]
return

The use_of_privilege token is recorded whenever privilege is used. The privileges tokens are recorded if the limit or inheritable set is changed. The process token is recorded if an ID is changed. No policy option is required for these tokens to be included in the record.

Example 5-3  Printing Audit Record Definitions to a File

In this example, the –h option is added to put all the audit record definitions to a file in HTML format. When you display the HTML file in a browser, use the browser's Find tool to find specific audit record definitions.

% auditrecord -ah > audit.events.html
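The record format shown in the examples above is regular enough to parse by script, which is handier than searching an HTML file when you need, for instance, every event ID that belongs to a class before filtering an audit trail. The following shell script is an added example and is not part of the Oracle Solaris documentation or of the auditrecord command itself; the function names audit_events_in_class and audit_class_mask are my own, and the sample input is constructed from the records shown in Examples 5-1 and 5-2. On a Solaris host the sample would be replaced by piping `auditrecord -a` into the functions.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): parse the record
# definitions that auditrecord(1M) prints, so that event IDs and class masks
# can be extracted by script instead of by searching an HTML file.
#
# The lines of interest look like this (leading whitespace is ignored by awk):
#   event ID    6153                 AUE_logout
#   class       lo                   (0x0000000000001000)
# Events that belong to several classes list them comma-separated on the
# class line, which is why the class field is split below.

# audit_events_in_class CLASS
# Reads auditrecord output on stdin and prints "<event ID> <AUE name>" for
# every record whose class line includes CLASS, for example:
#   auditrecord -a | audit_events_in_class lo
audit_events_in_class() {
    awk -v want="$1" '
        $1 == "event" && $2 == "ID" { id = $3; name = $4 }
        $1 == "class" {
            n = split($2, cls, ",")
            for (i = 1; i <= n; i++)
                if (cls[i] == want) { print id, name; break }
        }
    '
}

# audit_class_mask CLASS
# Prints the hexadecimal class mask shown for CLASS, taken from the first
# record whose class line names exactly that single class.
audit_class_mask() {
    awk -v want="$1" '
        $1 == "class" && $2 == want { gsub(/[()]/, "", $3); print $3; exit }
    '
}

# Constructed sample input, copied from the records in Examples 5-1 and 5-2.
SAMPLE_AUDITRECORD_OUTPUT='login: logout
program     various              See login(1)
event ID    6153                 AUE_logout
class       lo                   (0x0000000000001000)
rlogin
program     /usr/sbin/login      See login(1) - rlogin
event ID    6155                 AUE_rlogin
class       lo                   (0x0000000000001000)
pfexec
system call pfexec               See execve(2) with pfexec enabled
event ID    116                  AUE_PFEXEC
class       pf                   (0x0100000000000000)'

# Demonstration on the sample; on Solaris replace the printf with `auditrecord -a`.
printf '%s\n' "$SAMPLE_AUDITRECORD_OUTPUT" | audit_events_in_class lo
printf '%s\n' "$SAMPLE_AUDITRECORD_OUTPUT" | audit_class_mask pf
```

The "..." separator lines, the header and token lines of a record, and the program line are all skipped because their first field never matches "event" or "class". Only the event ID and the class line that follows it are used, so the parser works on the full `auditrecord -a` listing as well as on the per-program and per-class listings.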