Managing Auditing in Oracle® Solaris 11.2


Updated: July 2014

Displaying Audit Record Definitions

To display audit record definitions, use the auditrecord command. The definitions provide the audit event number, audit class, selection mask, and record format of an audit event.

% auditrecord -options

The screen output generated by the command depends on the option that you use, as shown in the following partial list.

  • The –p option displays the audit record definitions of a program.

  • The –c option displays the audit record definitions of an audit class.

  • The –a option lists all audit event definitions.

You can also redirect the displayed output to a file.

For more information, see the auditrecord(1M) man page.

Example 5-1  Displaying the Audit Record Definitions of a Program

In this example, the definitions of all audit records that are generated by the login program are displayed. Login programs include rlogin, telnet, newgrp, and the Secure Shell feature of Oracle Solaris.

% auditrecord -p login
login: logout
program     various              See login(1)
event ID    6153                 AUE_logout
class       lo                   (0x0000000000001000)
program     newgrp               See newgrp login
event ID    6212                 AUE_newgrp_login
class       lo                   (0x0000000000001000)
program     /usr/sbin/login      See login(1) - rlogin
event ID    6155                 AUE_rlogin
class       lo                   (0x0000000000001000)
program     /usr/lib/ssh/sshd    See login - ssh
event ID    6172                 AUE_ssh
class       lo                   (0x0000000000001000)
telnet login
program     /usr/sbin/login      See login(1) - telnet
event ID    6154                 AUE_telnet
class       lo                   (0x0000000000001000)

Example 5-2  Displaying the Audit Record Definitions of an Audit Class

In this example, the definitions of all audit records in the pf class that was created in Example 3–15 are displayed.

% auditrecord -c pf
system call pfexec               See execve(2) with pfexec enabled
event ID    116                  AUE_PFEXEC
class       pf                   (0x0100000000000000)
    path                    pathname of the executable
    path                    pathname of working directory
    [privileges]            privileges if the limit or inheritable set are changed
    [privileges]            privileges if the limit or inheritable set are changed
    [process]               process if ruid, euid, rgid or egid is changed
    [exec_environment]      output if arge policy is set

The use_of_privilege token is recorded whenever privilege is used. The privileges tokens are recorded if the limit or inheritable set is changed. The process token is recorded if an ID is changed. No policy option is required for these tokens to be included in the record.
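The listings in Example 5-1 and Example 5-2 are easier to work with as data when you want to answer a question such as "which events will my current class preselection actually capture?". The following added example, which is not part of the Oracle Solaris documentation or of the auditrecord tool, parses auditrecord output into structured event definitions, recovers each class's mask bit from the class lines, and reports which events a given set of preselected classes would select. The SAMPLE text is constructed from the two listings on this page (with the token lines indented as auditrecord prints them); the parser assumes that layout: a "program" or "system call" line, an "event ID" line, a "class" line, and then indented token lines, with any non-indented title line such as "telnet login" ignored.

```python
"""Parse `auditrecord` output and check which events a class selection covers.

Added example, not code from the Oracle Solaris documentation. SAMPLE is
constructed from the auditrecord -p login and auditrecord -c pf listings;
the parser assumes that output layout.
"""

import re
from dataclasses import dataclass, field

# Constructed sample: the page's two listings, token lines indented as auditrecord prints them.
SAMPLE = """\
login: logout
program     various              See login(1)
event ID    6153                 AUE_logout
class       lo                   (0x0000000000001000)
program     /usr/lib/ssh/sshd    See login - ssh
event ID    6172                 AUE_ssh
class       lo                   (0x0000000000001000)
telnet login
program     /usr/sbin/login      See login(1) - telnet
event ID    6154                 AUE_telnet
class       lo                   (0x0000000000001000)
system call pfexec               See execve(2) with pfexec enabled
event ID    116                  AUE_PFEXEC
class       pf                   (0x0100000000000000)
    path                    pathname of the executable
    path                    pathname of working directory
    [privileges]            privileges if the limit or inheritable set are changed
    [process]               process if ruid, euid, rgid or egid is changed
    [exec_environment]      output if arge policy is set
"""


@dataclass
class AuditEvent:
    kind: str                 # "program" or "system call"
    source: str               # program path or system call name
    event_id: int = 0
    name: str = ""            # AUE_* symbolic name
    classes: str = ""         # class names exactly as printed, e.g. "lo"
    mask: int = 0             # selection mask from the class line
    tokens: list = field(default_factory=list)  # token names; "[x]" means optional


HEAD_RE = re.compile(r"^(program|system call)\s+(\S+)\s+(.*)$")
ID_RE = re.compile(r"^event ID\s+(\d+)\s+(\S+)\s*$")
CLASS_RE = re.compile(r"^class\s+(\S+)\s+\((0x[0-9a-fA-F]+)\)\s*$")
TOKEN_RE = re.compile(r"^\s+(\[?\w+\]?)(?:\s+(.*))?$")   # indented token line


def parse_auditrecord(text):
    """Return a list of AuditEvent built from auditrecord's text output."""
    events = []
    cur = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEAD_RE.match(line)
        if m:
            cur = AuditEvent(kind=m.group(1), source=m.group(2))
            events.append(cur)
            continue
        if cur is None:
            continue                      # title line before the first event
        m = ID_RE.match(line)
        if m:
            cur.event_id, cur.name = int(m.group(1)), m.group(2)
            continue
        m = CLASS_RE.match(line)
        if m:
            cur.classes, cur.mask = m.group(1), int(m.group(2), 16)
            continue
        m = TOKEN_RE.match(line)
        if m and cur.mask:
            cur.tokens.append(m.group(1))  # only after the class line
        # anything else (e.g. "telnet login") is a section title: ignored
    return events


def class_masks(events):
    """Map each single-class name in the definitions to its mask bit."""
    masks = {}
    for ev in events:
        if ev.mask and "," not in ev.classes:
            masks[ev.classes] = ev.mask
    return masks


def selection_mask(events, class_names):
    """Union of the mask bits for the named classes (as a preselection would be)."""
    masks = class_masks(events)
    sel = 0
    for name in class_names:
        sel |= masks[name]                # KeyError if the class is not in the data
    return sel


def events_selected_by(events, class_names):
    """Names of events whose class mask overlaps the given preselection."""
    sel = selection_mask(events, class_names)
    return [ev.name for ev in events if ev.mask & sel]


if __name__ == "__main__":
    evs = parse_auditrecord(SAMPLE)
    for ev in evs:
        print(ev.event_id, ev.name, ev.classes, hex(ev.mask), ev.tokens)
    print("selected by lo:", events_selected_by(evs, ["lo"]))
```

Feed real output with `auditrecord -a | python3 this_script.py` style plumbing (read from stdin instead of SAMPLE) to build the full event table; the class-to-mask map it derives is the same mapping that `auditconfig -getflags` preselection names resolve to, so comparing the two is a quick way to confirm that a custom class such as pf is actually being selected.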

Example 5-3  Printing Audit Record Definitions to a File

In this example, the –h option is added to write all the audit record definitions to a file in HTML format. When you display the HTML file in a browser, use the browser's Find tool to locate specific audit record definitions.

% auditrecord -ah >