admhist - display a summary of system administration related events successfully executed on the system
admhist [-a date-time] [-b date-time] [-d date-time] [-z zonename] [-u username] [-v] [-R pathname] [audit-trail-file]...
admhist [-a date-time] [-b date-time] [-d date-time] [-z zonename] [-u username] [-v] -R pathname
The admhist command displays a summary of the successful system administration related events in ASCII format. By default, the events are selected from the audit trail files under /var/audit. However, an alternate audit directory can be specified by using the -R option, or specific audit trail files can be specified on the command line. Only users with the PRIV_FILE_DAC_READ privilege can use the admhist utility. If Trusted Extensions have been enabled, users must also have the PRIV_SYS_TRANS_LABEL privilege. Both of these privileges are included in the Audit Review rights profile.
The following options are supported:
-a date-time
Selects administrative events that occurred on or after the date-time. The date-time argument is described under the 'Time Formats' section below. The -a and -b options can be used together to form a range.
-b date-time
Selects administrative events that occurred before the date-time. The date-time argument is described under the 'Time Formats' section below.
-d date-time
Selects administrative events that occurred on a specific day. The date-time argument is described under the 'Time Formats' section below.
Selects administrative events which match the definition for one or more of the specified tags. See the audit_tags(5) man page for more details, including information about default tag names.
-z zonename
Selects administrative events from the specified zone name. This option only applies to administrative events generated when the zonename audit policy has been enabled. For more information, refer to the auditconfig(8) man page.
-u username
Selects events for the specified (audit) userid/username. Can be specified multiple times to select events from multiple users.
-v
Verbose. Includes the hostname and current working directory associated with each administrative event.
-R pathname
Specifies the pathname of an alternate directory containing audit trail files.
The date-time argument to the -a, -b, and -d options can be any one of the following forms:
An absolute date-time which has the following form:
yyyymmdd [ hh [ mm [ ss ]]]
where yyyy specifies a year (with 1970 as the earliest value), mm is the month (a value from 01 through 12), dd is the day (a value from 01 through 31), hh is the hour (a value from 00 through 23), mm is the minute (a value from 00 through 59), and ss is the second (a value from 00 through 59). The default value is 00 for hh, mm, and ss.
Plain language descriptions of dates which have the following form:
today, yesterday
last week, last month, last year
last N hours, last N days, last N weeks, last N months, last N years
where N is the number of units.
When entering commands at a shell prompt or in a shell script, dates specified as multiple words will generally need to be quoted in order for them to be treated as a single argument, as shown in the Examples below.
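The check below is an added example, not part of the admhist man page or of Oracle's code: a POSIX shell function, hypothetically named classify_admhist_time, that a review script could call to reject a mistyped -a, -b or -d value before invoking admhist. It accepts only the spellings listed above and assumes the optional hh, mm and ss fields may be run together with yyyymmdd or separated by single spaces.

```shell
#!/bin/sh
# Added example, not from the admhist man page: classify a value intended for
# admhist -a, -b or -d using only the forms listed under "Time Formats".
# Assumption: the optional hh, mm and ss fields may be written either run
# together with yyyymmdd or separated by single spaces.

# Prints "keyword", "relative", or "absolute YYYY-MM-DD hh:mm:ss" and returns 0;
# prints nothing and returns 1 when the value matches none of the forms.
# Usage: classify_admhist_time "$since" >/dev/null && admhist -a "$since"
classify_admhist_time() {
    arg=$1
    nl='
'
    # grep matches per line, so refuse embedded newlines before any pattern test.
    case $arg in *"$nl"*) return 1 ;; esac
    case $arg in
        today|yesterday|"last week"|"last month"|"last year")
            echo keyword; return 0 ;;
    esac
    if printf '%s\n' "$arg" |
        grep -Eq '^last [0-9]+ (hours|days|weeks|months|years)$'; then
        echo relative; return 0
    fi
    # Absolute form: 8 digits, then up to three optional 2-digit fields.
    printf '%s\n' "$arg" |
        grep -Eq '^[0-9]{8}( ?[0-9]{2}){0,3}$' || return 1
    digits=$(printf '%s' "$arg" | tr -d ' ')
    # Omitted hh, mm and ss default to 00, as the man page states.
    full=$(printf '%s000000' "$digits" | cut -c1-14)
    yyyy=$(printf '%s' "$full" | cut -c1-4)
    mon=$(printf '%s' "$full" | cut -c5-6)
    dd=$(printf '%s' "$full" | cut -c7-8)
    hh=$(printf '%s' "$full" | cut -c9-10)
    min=$(printf '%s' "$full" | cut -c11-12)
    ss=$(printf '%s' "$full" | cut -c13-14)
    # test(1) compares in decimal, so leading zeros such as 08 are safe here.
    [ "$yyyy" -ge 1970 ] || return 1
    [ "$mon" -ge 1 ] && [ "$mon" -le 12 ] || return 1
    [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] || return 1
    [ "$hh" -le 23 ] && [ "$min" -le 59 ] && [ "$ss" -le 59 ] || return 1
    echo "absolute $yyyy-$mon-$dd $hh:$min:$ss"
}
```

The function only range-checks each field as the man page describes it; it does not check that the day exists in the given month.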
/var/audit
The default location of audit trail files, when stored locally by using audit_binfile(7).
The following command displays the system administration events that occurred in zone myzone.
# admhist -z myzone
Example 2 Displaying System Administration Events on the System
The following command displays the system administration events that occurred on the system in the last eight hours.
# admhist -a "last 8 hours"
Example 3 Displaying System Administration Events from Past Week
The following command displays the system administration events that occurred in the past week excluding yesterday.
# admhist -a "last week" -b yesterday
Example 4 Displaying Events in a Specific Audit Trail File
The following command displays the system administration events present in a specific audit trail file.
# admhist /var/audit/20150507091957.20150521095216.hostname
See attributes(7) for descriptions of the following attributes:
The interface stability of the admhist command is Committed. The interface stability of the output of admhist is Not-an-Interface.
audit.log(5), audit_tags(5), attributes(7), privileges(7), auditconfig(8), auditreduce(8)
Managing Auditing in Oracle Solaris 11.4
The admhist command was added in Oracle Solaris 11.4.0.