Managing Auditing in Oracle® Solaris 11.4

Updated: November 2020

New Feature – Viewing a Summary of Audit Records

Using the new admhist command, administrators can view a summary of successful privileged execution audit records in a helpful, easy-to-understand format. The admhist command extracts from the audit trail those commands that successfully used an administrative privilege, so the output displays commands that are more likely to have modified the system.

Note - Users must be assigned the Audit Review rights profile to use the admhist utility.

The admhist command pulls successful audit records from the privileged execution (pe) audit class and displays them in summary form. See also New Feature – Per-Privilege Logging of Audit Events.

Using the admhist command options, you can view events that occurred during a specified time period, events from a specified zone name, or events in one or more functional areas labeled with audit tags as described in New Feature – Filtering Audit Records by Functional Area.

For example, the following command displays successful events that occurred in zone1.

$ pfexec admhist -z zone1

The following command displays successful administrative commands that occurred on the system in the last six hours.

$ admhist -a "last 6 hours"

Note - The admhist facility does not record events that are run by root. Use the auditreduce and praudit commands to view audit events that root is responsible for, such as device attachment and detachment. The events must be in the preselection mask. Audit events that are in the other audit class are not in the preselection mask by default. To enable the events to be audited, see How to Add an Audit Class.

For further information, see the admhist(8) man page.