
Commands Reference, Volume 1


auditpr Command

Purpose

Formats bin or stream audit records to a display device or printer.

Syntax

auditpr [ -m "Message" ] [ -d ] [ -t { 0 | 1 | 2 } ] [ -h { e l R t c r p P T h } ] [ -r ] [ -v ]

Description

The auditpr command is part of the audit subsystem. This command reads audit records, in bin or stream format, from standard input and sends formatted records to standard output.

The output format is determined by the flags that are selected. If you specify the -m flag, a message is displayed before each heading. Use the -t and -h flags to change the default header titles and fields and the -v flag to append an audit trail. The auditpr command searches the local /etc/passwd file to convert user and group IDs to names.

An example of output using default header information follows:

event   login   status   time                        command
login   dick    OK       Fri Feb  8 14:03:57 1990    login
 . . . . . trail portion . . . . .

For examples of audit trails, see the /etc/security/audit/events file where audit trail formats are defined.

Invalid records are skipped when possible, and an error message is issued. If the command cannot recover from an error, processing stops.

Flags


-d Outputs data with microsecond resolution. The date is then output in the format:

DD MMM YYYY hh:mm:ss.uuuuuu

-h Fields Selects the fields to display and the order in which to display them, by default e, l, R, t, and c. The legal values are:

e
The audit event

l
The user's login name

R
The audit status

t
The time the record was written

c
The command name

r
The real user name

p
The process ID

P
The ID of the parent process.

T
The kernel thread ID. This is local to the process; different processes may contain threads with the same thread ID.

h
The name of the host that generated the audit record. If there is no CPU ID in the audit record, the value none is used. If there is no matching entry for the CPU ID in the audit record, the 16-character value of the CPU ID is used instead.

-m "Message" Specifies a Message to be displayed with each heading. You must enclose the Message string in double quotation marks.
-r Suppresses ID translation to the symbolic name.
-t {0 | 1 | 2} Specifies when header titles are displayed. The default title consists of an optional message (see the -m flag) followed by the name of each column of output.

0
Ignores any title.

1
Displays a title once at the beginning of a series of records.

2
Displays a title before each record.

-v Displays the trail of each audit record, using the format specifications in the /etc/security/audit/events file.

Security

Access Control: This command should grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.

Files Accessed:

Mode File
r /etc/security/audit/events
r /etc/passwd
r /etc/group

Examples

  1. To read the system audit trail file with default header titles and fields and an audit trail, enter:

     /usr/sbin/auditpr -v < /audit/trail

     The /audit/trail file must contain valid audit bins or records.

  2. To format from an audit trail file all the audit events caused by user witte, enter:

     /usr/sbin/auditselect -e "login == witte" /audit/trail | /usr/sbin/auditpr -v

     The resulting record is formatted with the default values (e, c, l, R, and t) and includes a trail.

  3. To read records interactively from the audit device, enter:

     /usr/sbin/auditstream | /usr/sbin/auditpr -t0 -heRl
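The examples above only format records; in practice the formatted output is piped into further tooling. The following added example (not part of the AIX documentation) shows one such consumer: a POSIX shell script that reads output of the form produced by auditpr -t0 -helRc (no titles, fields event, login, status, command) and reports (event, login) pairs whose failure count reaches a threshold. The record lines are a constructed sample, and the threshold value and the ALERT output format are assumptions of this example, not anything auditpr itself defines.

```shell
#!/bin/sh
# Constructed sample of what `auditpr -t0 -helRc < /audit/trail` prints:
# no title line, one record per line, fields: event login status command.
# These are made-up records, not real audit data.
SAMPLE_RECORDS='login        dick    OK    login
login        witte   FAIL  login
FILE_Open    witte   FAIL  cat
login        witte   FAIL  login
login        witte   FAIL  login
PROC_Execute dick    OK    ls'

# Count records whose status field is not OK, keyed by (event, login).
# Reads auditpr output on stdin; prints "count event login", highest count first.
summarize_failures() {
    awk 'NF >= 4 && $3 != "OK" { n[$1 " " $2]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Print one ALERT line for every (event, login) pair whose failure count
# is at least the threshold given as the first argument (assumed format).
alert_failures() {
    threshold=$1
    summarize_failures |
        awk -v t="$threshold" '$1 >= t {
            printf "ALERT %s %s failed %d times\n", $2, $3, $1
        }'
}

# Stand-alone usage: run the check on the constructed sample with threshold 3.
printf '%s\n' "$SAMPLE_RECORDS" | alert_failures 3
```

On a live system the same functions would be fed by `auditpr -t0 -helRc < /audit/trail`; the -t0 flag matters because a title line would otherwise be counted as a record, and -v is deliberately omitted because trail lines do not follow the fixed column layout the awk filter expects.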

Files


/usr/sbin/auditpr Specifies the path of the auditpr command.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/audit/events Contains the audit events of the system.
/etc/security/audit/objects Contains audit events for audited objects (files).
/etc/security/audit/bincmds Contains auditbin backend commands.
/etc/security/audit/streamcmds Contains auditstream commands.
/etc/security/audit/hosts Contains the CPU ID to host name mappings.

Related Information

The audit command, auditcat command, auditconv command, auditselect command, auditstream command.

The auditbin daemon.

The audit subroutine.

The events file.

For general information on auditing, refer to Auditing Overview in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

To see the steps you must take to establish an Auditing System, refer to Setting up Auditing in AIX 5L Version 5.1 System Management Guide: Operating System and Devices.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX 5L Version 5.1 System Management Concepts: Operating System and Devices.

