
man pages section 8: System Administration Commands


Updated: Wednesday, July 27, 2022
 
 

admhist(8)

Name

admhist - display a summary of system administration related events successfully executed on the system

Synopsis

admhist [-a date-time] [-b date-time] [-d date-time] [-z zonename]
     [-u username] [-v] [-R pathname] [audit-trail-file]...
admhist [-a date-time] [-b date-time] [-d date-time] [-z zonename]
     [-u username] [-v] -R pathname

Description

The admhist command displays a summary of the successful system administration related events in ASCII format. By default, the events are selected from the audit trail files under /var/audit. However, an alternate audit directory can be specified by using the -R option, or specific audit trail files can be specified on the command line. Only users with the PRIV_FILE_DAC_READ privilege can use the admhist utility. If Trusted Extensions have been enabled, users must also have the PRIV_SYS_TRANS_LABEL privilege. Both of these privileges are included in the Audit Review rights profile.

Options

The following options are supported:

-a date-time

Selects administrative events that occurred on or after the date-time. The date-time argument is described under the 'Time Formats' section below. The -a and -b options can be used together to form a range.

-b date-time

Selects administrative events that occurred before the date-time. The date-time argument is described under the 'Time Formats' section below.

-d date-time

Selects administrative events that occurred on a specific day. The date-time argument is described under the 'Time Formats' section below.

-t [tags-file:]tag[,tag...]

Selects administrative events that match the definition for one or more of the specified tags. See the audit_tags(5) man page for more details, including information about default tag names.

-z zonename

Selects administrative events from the specified zone name. This option only applies to administrative events generated when the zonename audit policy has been enabled. For more information, refer to the auditconfig(8) man page.

-u username/uid

Selects events for the specified audit user name or user ID. Can be specified multiple times to select events from multiple users.

-v

Verbose. Includes the hostname and current working directory associated with each administrative event.

-R pathname

Specifies the pathname of an alternate directory containing audit trail files.

Time Formats

The date-time argument to the -a, -b, and -d options can be any one of the following forms:

  • An absolute date-time which has the following form:

    yyyymmdd [ hh [ mm [ ss ]]]

    where yyyy specifies a year (with 1970 as the earliest value), mm is the month (value between 01 through 12), dd is the day (value between 01 through 31), hh is the hour (value between 00 through 23), mm is the minute (value between 00 through 59), and ss is the second (value between 00 through 59). The default value is 00 for hh, mm, and ss.

  • Plain language descriptions of dates which have the following form:

    today, yesterday
    last week, last month, last year
    last N hours, last N days, last N weeks, last N months,
    last N years

    where N is the number of units.

    When entering commands at a shell prompt or in a shell script, dates specified as multiple words will generally need to be quoted in order for them to be treated as a single argument, as shown in the Examples below.
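Scripts that build admhist invocations from operator-supplied values can check the date-time argument against the forms above before calling the command. The following sh functions are an added example, not part of the Oracle man page: the names admhist_time_valid and in_range are hypothetical, and the code assumes that the absolute form's fields are separated by single spaces and that N is at least 1.

```sh
#!/bin/sh
# Added example (not Oracle code). Function names are hypothetical.
# Assumes the absolute form's fields are separated by single spaces,
# exactly as printed under "Time Formats", and that N is at least 1.

# in_range VALUE LO HI: VALUE is a two-digit field. One leading zero is
# stripped so that no shell reads "08" or "09" as invalid octal.
in_range() {
    v=${1#0}
    [ "$v" -ge "$2" ] && [ "$v" -le "$3" ]
}

# Returns 0 when $1 matches a documented date-time form, 1 otherwise.
admhist_time_valid() {
    arg=$1
    # Reject embedded newlines so the line-based grep checks see one line.
    case $arg in *'
'*) return 1 ;; esac
    # Plain-language forms.
    case $arg in
        today|yesterday|"last week"|"last month"|"last year") return 0 ;;
    esac
    if printf '%s\n' "$arg" |
        grep -Eq '^last [1-9][0-9]* (hours|days|weeks|months|years)$'; then
        return 0
    fi
    # Absolute form: yyyymmdd [ hh [ mm [ ss ]]]
    printf '%s\n' "$arg" | grep -Eq '^[0-9]{8}( [0-9]{2}){0,3}$' || return 1
    set -- $arg                  # only digits and spaces at this point
    date=$1 hh=${2:-00} mi=${3:-00} ss=${4:-00}   # omitted fields are 00
    year=${date%????} md=${date#????}
    case $year in                # 1970 is the earliest accepted year
        19[7-9][0-9]|[2-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Range checks as documented; calendar validity is not checked.
    in_range "${md%??}" 1 12 && in_range "${md#??}" 1 31 &&
        in_range "$hh" 0 23 && in_range "$mi" 0 59 && in_range "$ss" 0 59
}

# Constructed sample arguments.
for a in "last 8 hours" "20220727 09 30" "20221301" "19691231 00 00 00"; do
    if admhist_time_valid "$a"; then r=accepted; else r=rejected; fi
    printf '%-20s %s\n' "$a" "$r"
done
```

A calling script would pass the value on only after the check succeeds, quoted as a single argument, for example admhist -a "$since".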

Files

/var/audit/*

The default location of audit trail files, when stored locally by using audit_binfile(7).

Examples

Example 1 Displaying System Administration Events in a Zone

The following command displays the system administration events that occurred in zone myzone.

# admhist -z myzone

Example 2 Displaying System Administration Events on the System

The following command displays the system administration events that occurred on the system in the last eight hours.

# admhist -a "last 8 hours"

Example 3 Displaying System Administration Events from Past Week

The following command displays the system administration events that occurred in the past week excluding yesterday.

# admhist -a "last week" -b yesterday

Example 4 Displaying Events in a Specific Audit Trail File

The following command displays the system administration events present in a specific audit trail file.

# admhist /var/audit/20150507091957.20150521095216.hostname

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE         ATTRIBUTE VALUE
Availability           system/core-os
Interface Stability    See below

The interface stability of the admhist command is Committed. The interface stability of the output of admhist is Not-an-Interface.

See Also

audit.log(5), audit_tags(5), attributes(7), privileges(7), auditconfig(8), auditreduce(8)

Managing Auditing in Oracle Solaris 11.4

History

The admhist command was added in Oracle Solaris 11.4.0.