auditrecord(8)          System Administration Commands          auditrecord(8)
NAME
auditrecord - display Oracle Solaris audit record formats
SYNOPSIS
/usr/sbin/auditrecord [-d] [ [-a] | [-e string] | [-c class] |
[-i id] | [-p programname] | [-s systemcall] | [-h]]
DESCRIPTION
The auditrecord utility displays the event ID, audit class and selection
mask, and record format for audit record event types defined in
audit_event(5). You can use auditrecord to generate a list of all audit
record formats, or to select audit record formats based on event class,
event name, generating program name, system call name, or event ID.
There are two output formats. The default format is intended for display
in a terminal window; the optional HTML format is intended for
viewing with a web browser.
Tokens contained in square brackets ( [ ] ) are optional and might not
be present in every record.
OPTIONS
The following options are supported:
-a
List all audit records.
-c class
List all the audit records selected by the list of classes, class.
Valid classes are found in the audit_class files. For more information,
see the audit_class(5) man page.
-d
Debug mode. Display the number of audit records that are defined in
audit_event, the number of classes defined in audit_class, any
mismatches between the two files, and report which defined events do
not have format information available to auditrecord.
-e string
List all audit records for which the event ID label contains the
string string. The match is case insensitive.
-h
Generate the output in HTML format.
-i id
List the audit records having the numeric event ID id.
-p programname
List all audit records generated by the user-space program
programname.
-s systemcall
List all audit records generated by the system call systemcall.
The -p and -s options are different names for the same thing and are
mutually exclusive. The -a option is ignored if any of -c, -e, -i, -p,
or -s are given. Combinations of -c, -e, -i, and either -p or -s are
ANDed together.
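The -d debug mode and the -c selector both depend on the two input files named under FILES: audit_event maps each event ID to its class list, and audit_class maps each class name to its mask. The following added example (not part of auditrecord or Oracle Solaris) reproduces that cross-check on constructed sample content: it derives the per-event selection mask that appears in the "class lo (0x0000000000001000)" output line, lists the events a class selects, and reports class names that audit_event references but audit_class does not define. The colon-separated line layouts it assumes (id:AUE_name:description:class-list for audit_event, mask:name:description for audit_class) are an assumption of this example, not something the man page states.

```python
"""Cross-check audit_event against audit_class and derive selection masks.

Added example, not part of auditrecord. Assumed line layouts:
  audit_event : id:AUE_name:description:class,class,...
  audit_class : mask:name:description
Comment lines (#) and blank lines are skipped. The sample content below
is constructed for this example.
"""

# Constructed sample in the assumed audit_class layout.
AUDIT_CLASS_SAMPLE = """\
# mask:name:description
0x0000000000000000:no:invalid class
0x0000000000000001:fr:file read
0x0000000000001000:lo:login or logout
0x0000000000010000:ap:application
0xffffffffffffffff:all:all classes
"""

# Constructed sample in the assumed audit_event layout; the last line
# references a class ("xx") that is deliberately missing from audit_class.
AUDIT_EVENT_SAMPLE = """\
# id:name:description:classes
6152:AUE_login:login - local:lo
6173:AUE_role_login:role login:lo
6227:AUE_zlogin:login - zlogin:lo
32800:AUE_custom_app:site-defined app event:ap,xx
"""


def _data_lines(text):
    """Yield stripped, non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def parse_audit_class(text):
    """Return {class_name: mask_int} from audit_class-style text."""
    classes = {}
    for line in _data_lines(text):
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_audit_event(text):
    """Return {event_id: (name, description, [class names])}."""
    events = {}
    for line in _data_lines(text):
        eid, name, desc, cls = line.split(":", 3)
        events[int(eid)] = (name, desc, [c for c in cls.split(",") if c])
    return events


def selection_mask(event_classes, classes):
    """OR the masks of every class an event belongs to. Unknown class
    names contribute nothing here; find_mismatches() reports them."""
    mask = 0
    for c in event_classes:
        mask |= classes.get(c, 0)
    return mask


def find_mismatches(events, classes):
    """Class names referenced by audit_event but absent from audit_class,
    the kind of inconsistency auditrecord -d reports."""
    referenced = {c for _n, _d, cls in events.values() for c in cls}
    return sorted(referenced - set(classes))


def events_in_class(events, wanted):
    """Event IDs selected by one class name, as auditrecord -c would list."""
    return sorted(eid for eid, (_n, _d, cls) in events.items() if wanted in cls)


def format_class_line(eid, events, classes):
    """Render the 'class lo (0x...)' line auditrecord prints for an event."""
    _name, _desc, cls = events[eid]
    return "class %s (0x%016x)" % (",".join(cls), selection_mask(cls, classes))


if __name__ == "__main__":
    classes = parse_audit_class(AUDIT_CLASS_SAMPLE)
    events = parse_audit_event(AUDIT_EVENT_SAMPLE)
    print("%d events, %d classes" % (len(events), len(classes)))
    print("undefined classes referenced:", find_mismatches(events, classes))
    for eid in events_in_class(events, "lo"):
        print(eid, events[eid][0], format_class_line(eid, events, classes))
```

On a real system the two files are /etc/security/audit_event and /etc/security/audit_class; the sample strings above stand in for them so the script runs anywhere. A non-empty mismatch list is exactly the condition to check after a site has edited audit_event to add user-defined events.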
EXAMPLES
Example 1 Displaying an Audit Record with a Specified Event ID
The following example shows how to display the contents of a specified
audit record.
% auditrecord -i 6152
terminal login
program /usr/sbin/login See login(1)
/usr/sbin/gdm See gdm(8)
event ID 6152 AUE_login
class lo (0x0000000000001000)
header
subject
return
Example 2 Displaying an Audit Record with an Event ID Label that
Contains a Specified String
The following example shows how to display the contents of an audit
record with an event ID label that contains the string login.
% auditrecord -e login
terminal login
program /usr/sbin/login See login(1)
/usr/sbin/gdm See gdm(8)
event ID 6152 AUE_login
class lo (0x0000000000001000)
header
subject
return
RBAC: role login
program /usr/bin/su See role login
event ID 6173 AUE_role_login
class lo (0x0000000000001000)
header
subject
return
zone login
program /usr/sbin/login See zlogin(1)
event ID 6227 AUE_zlogin
class lo (0x0000000000001000)
header
subject
[text] error message
return
[...]
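The default output above is meant for a terminal, but a detection engineer who needs a schema of which tokens each event carries has to parse it. The following added example (not part of auditrecord or Oracle Solaris) parses that default format into structured records, keeping the square-bracket convention from DESCRIPTION: bracketed tokens are recorded as optional. The sample text is constructed from the Example 2 output, laid out with the assumed column layout of the real tool (record title at column 0, fields indented, one token per line after the class line); that layout is an assumption of this example.

```python
"""Parse auditrecord's default (terminal) output into structured records.

Added example, not part of auditrecord. Assumed layout: a record title
at column 0, indented 'program' / 'event ID' / 'class' fields (extra
program lines carry only 'path  See ref'), then one token per line, with
optional tokens written in square brackets. The sample below is
constructed from the man page's 'auditrecord -e login' example.
"""

SAMPLE_OUTPUT = """\
terminal login
  program     /usr/sbin/login    See login(1)
              /usr/sbin/gdm      See gdm(8)
  event ID    6152               AUE_login
  class       lo                 (0x0000000000001000)
      header
      subject
      return

RBAC: role login
  program     /usr/bin/su        See role login
  event ID    6173               AUE_role_login
  class       lo                 (0x0000000000001000)
      header
      subject
      return

zone login
  program     /usr/sbin/login    See zlogin(1)
  event ID    6227               AUE_zlogin
  class       lo                 (0x0000000000001000)
      header
      subject
      [text]  error message
      return
"""


def _parse_program(text):
    """'/usr/sbin/login    See login(1)' -> {'path': ..., 'see': ...}."""
    path, _, ref = text.partition(" See ")
    return {"path": path.strip(), "see": ref.strip()}


def _parse_token(text):
    """'[text]  error message' -> optional token 'text'; 'header' -> required."""
    optional = text.startswith("[")
    if optional:
        name, _, desc = text[1:].partition("]")
    else:
        name, _, desc = text.partition("  ")
    return {"name": name.strip(), "optional": optional, "description": desc.strip()}


def _new_record(title):
    return {"title": title, "programs": [], "event_id": None,
            "event_name": None, "class": None, "mask": None, "tokens": []}


def parse_auditrecord_output(text):
    """Return a list of record dicts, one per event in the output."""
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():            # column 0: a new record title
            current = _new_record(raw.strip())
            records.append(current)
            continue
        if current is None:
            raise ValueError("field line before any record title: %r" % raw)
        line = raw.strip()
        if line.startswith("program "):
            current["programs"].append(_parse_program(line[len("program "):]))
        elif line.startswith("event ID "):
            _, _, eid, name = line.split()
            current["event_id"], current["event_name"] = int(eid), name
        elif line.startswith("class "):
            _, cls, mask = line.split()
            current["class"], current["mask"] = cls, int(mask.strip("()"), 16)
        elif " See " in line and current["class"] is None:
            current["programs"].append(_parse_program(line))   # extra program
        else:
            current["tokens"].append(_parse_token(line))
    return records


def optional_tokens(records):
    """Map record title -> names of its optional ([...]) tokens, for
    records that have any; useful when deciding which fields a parser
    of audit.log must treat as absent-by-default."""
    return {r["title"]: [t["name"] for t in r["tokens"] if t["optional"]]
            for r in records if any(t["optional"] for t in r["tokens"])}


def event_ids_in_class(records, cls):
    """Event IDs whose class field equals cls."""
    return sorted(r["event_id"] for r in records if r["class"] == cls)


if __name__ == "__main__":
    recs = parse_auditrecord_output(SAMPLE_OUTPUT)
    for r in recs:
        print(r["event_id"], r["event_name"], [t["name"] for t in r["tokens"]])
    print("optional tokens:", optional_tokens(recs))
```

To run it against a live system, replace SAMPLE_OUTPUT with the captured text of `auditrecord -a`. The parser only records what the tool prints as the core format; the policy-dependent tokens listed under NOTES (group, sequence, trailer, zone and so on) are not in that output and have to be added from the audit policy in force.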
EXIT STATUS
0
Successful operation
non-zero
Error
FILES
/etc/security/audit_class
/etc/security/audit_class.system
Provides the list of valid classes and the associated audit mask.
/etc/security/audit_event
Provides the numeric event ID, the literal event name, and the name
of the associated system call or program.
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE          ATTRIBUTE VALUE
Availability            system/core-os
CSI                     Enabled
Interface Stability     Uncommitted
SEE ALSO
audit.log(5), audit_class(5), audit_event(5), attributes(7),
auditconfig(8), praudit(8)
Managing Auditing in Oracle Solaris 11.4
DIAGNOSTICS
If unable to read either of its input files or to write its output
file, auditrecord shows the name of the file on which it failed and
exits with a non-zero return.
If no options are provided, if an invalid option is provided, or if
both -s and -p are provided, an error message is displayed and
auditrecord displays a usage message then exits with a non-zero return.
NOTES
If /etc/security/audit_event has been modified to add user-defined
audit events, auditrecord displays the record format as undefined.
The audit records displayed by auditrecord are the core of the record
that can be produced. Various audit policies and optional tokens, such
as those shown below, might also be present.
The following is a list of praudit(8) token names with their
descriptions.
annotation
Present if audit record annotation is present.
group
Present if the group audit policy is set.
sensitivity label
Present when Trusted Extensions is enabled and represents the label
of the subject or object with which it is associated. The
mandatory_label token is noted in the basic audit record where a label
is explicitly part of the record.
sequence
Present when the seq audit policy is set.
trailer
Present when the trail audit policy is set.
zone
The name of the zone generating the record when the zonename audit
policy is set. The zonename token is noted in the basic audit
record where a zone name is explicitly part of the record.
HISTORY
This functionality was originally provided in the bsmrecord command,
which was added in Solaris 9. The command was renamed to auditrecord in
Oracle Solaris 11.0.0.
Oracle Solaris 11.4 21 Jun 2021 auditrecord(8)