Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, July 27, 2022
 
 

auditrecord(8)

Name

auditrecord - display Oracle Solaris audit record formats

Synopsis

/usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
      [-i id] | [-p programname] | [-s systemcall] | [-h]]

Description

The auditrecord utility displays the event ID, audit class and selection mask, and record format for audit record event types defined in audit_event(5). You can use auditrecord to generate a list of all audit record formats, or to select audit record formats based on event class, event name, generating program name, system call name, or event ID.

There are two output formats. The default format is intended for display in a terminal window; the optional HTML format is intended for viewing with a web browser.

Tokens contained in square brackets ( [ ] ) are optional and might not be present in every record.

Options

The following options are supported:

–a

List all audit records.

–c class

List all the audit records selected by the list of classes, class. Valid classes are found in the audit_class files. For more information, see the audit_class(5) man page.

–d

Debug mode. Display the number of audit records that are defined in audit_event, the number of classes defined in audit_class, any mismatches between the two files, and report which defined events do not have format information available to auditrecord.

–e string

List all audit records for which the event ID label contains the string string. The match is case insensitive.

–h

Generate the output in HTML format.

–i id

List the audit records having the numeric event ID id.

–p programname

List all audit records generated by the user-space program programname.

–s systemcall

List all audit records generated by the system call systemcall.

The –p and –s options are different names for the same thing and are mutually exclusive. The –a option is ignored if any of –c, –e, –i, –p, or –s are given. Combinations of –c, –e, –i, and either –p or –s are ANDed together.

Examples

Example 1 Displaying an Audit Record with a Specified Event ID

The following example shows how to display the contents of a specified audit record.

% auditrecord -i 6152

terminal login
  program     /usr/sbin/login      See login(1)
              /usr/sbin/gdm        See gdm(8)
  event ID    6152                 AUE_login
  class       lo                   (0x0000000000001000)
      header
      subject
      return
Example 2 Displaying an Audit Record with an Event ID Label that Contains a Specified String

The following example shows how to display the contents of a audit record with an event ID label that contains the string login.

% auditrecord -e login

terminal login
  program     /usr/sbin/login      See login(1)
              /usr/sbin/gdm        See gdm(8)
  event ID    6152                 AUE_login
  class       lo                   (0x0000000000001000)
      header
      subject
      return

RBAC: role login
  program     /usr/bin/su          See role login
  event ID    6173                 AUE_role_login
  class       lo                   (0x0000000000001000)
      header
      subject
      return

zone login
  program     /usr/sbin/login      See zlogin(1)
  event ID    6227                 AUE_zlogin
  class       lo                   (0x0000000000001000)
      header
      subject
      [text]                       error message
      return

[...]

Exit Status

0

Successful operation

non-zero

Error

Files

/etc/security/audit_class
/etc/security/audit_class.system

Provides the list of valid classes and the associated audit mask.

/etc/security/audit_event

Provides the numeric event ID, the literal event name, and the name of the associated system call or program.

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/core-os
CSI
Enabled
Interface Stability
Uncommitted

See Also

audit.log(5), audit_class(5), audit_event(5), attributes(7), auditconfig(8), praudit(8)

Managing Auditing in Oracle Solaris 11.4

Diagnostics

If unable to read either of its input files or to write its output file, auditrecord shows the name of the file on which it failed and exits with a non-zero return.

If no options are provided, if an invalid option is provided, or if both –s and –p are provided, an error message is displayed and auditrecord displays a usage message then exits with a non-zero return.

Notes

If /etc/security/audit_event has been modified to add user-defined audit events, auditrecord displays the record format as undefined.

The audit records displayed by auditrecord are the core of the record that can be produced. Various audit policies and optional tokens, such as those shown below, might also be present.

The following is a list of praudit(8) token names with their descriptions.

annotation

Present if audit record annotation is present.

group

Present if the group audit policy is set.

sensitivity label

Present when Trusted Extensions is enabled and represents the label of the subject or object with which it is associated. The mandatory_label token is noted in the basic audit record where a label is explicitly part of the record.

sequence

Present when the seq audit policy is set.

trailer

Present when the trail audit policy is set.

zone

The name of the zone generating the record when the zonename audit policy is set. The zonename token is noted in the basic audit record where a zone name is explicitly part of the record.

History

This functionality was originally provided in the bsmrecord command, which was added in Solaris 9. The command was renamed to auditrecord in Oracle Solaris 11.0.0.

Copyright © 1993, 2022, Oracle and/or its affiliates.  
Previous
Next