auditrpt(1M)


auditrpt -- display recorded information from audit trail

Synopsis

auditrpt [-o] [-i] [-b | -w] [-x]
[-e[!]event[,. . .]] [-u user[,. . .]] [-f object_id[,. . .]]
[-t object_type[,. . .]]
[-s time] [-h time] [-a outcome] [-m map]
[-p all | priv[,. . .]] [-v subtype] [log [. . .]]

Description

The auditrpt shell level command allows the administrator with the appropriate privileges to selectively display the contents of audit log files. Note that if log files are presented on standard input, only one log file may be presented at a time. If more than one log file is presented in this manner, auditrpt will fail when it encounters data from the second log file. Specify the file names on the command line if you wish to process multiple log files. The privileges required are audit and setplevel.

The contents of log files created with previous releases of the Auditing Package may be displayed using this command. Version numbers are assigned to the audit log files associated with each release. The auditrpt command uses these version numbers to determine the release used to create the audit log under examination. The version numbers and releases currently recognized are:


1.0
UNIX System V Release 4.1ES

2.0
UNIX System V Release 4.0, UNIX System V Release 4.0MP

3.0
UNIX System V Release 4.2

4.0
UNIX System V Release 4.2ES/MP, UnixWare 1.x, UnixWare 2.0

The following options are available:

-o
Display the events that correspond to the union of the specified auditing criteria.

-i
Take input audit records from standard input.

-b
Display the events in reverse chronological order (backwards). This option cannot be used with the -w option.

-w
Display the events as they are being written to the event log file. This option cannot be used with the -b option.

-x
Display the Lightweight Process ID (LWP ID) of the LWP associated with the event.

-e[!] event[,. . .]
Display the selected event types or event classes. If ! is specified, all the events except those listed are displayed. Event classes, which are aliases for groups of events, are defined in the /etc/security/audit/classes file.

-u user[,. . .]
Display all the recorded events for the specified real and effective uids and/or login names.

-f object_id[,. . .]
Display all the recorded events for the specified object_ids. The object_id must be the full pathname of a regular file, special file, directory, or a named pipe, or the ID of an IPC object or loadable module.

-t object_type[,. . .]
Display all the recorded events for the specified object_types. Valid arguments are:

c
character special file

d
directory

f
regular file

h
shared memory

l
link

m
message

p
named pipe or unnamed pipe

s
semaphore

-s time
Display all the events occurring at or after the specified time. The time should be specified in the format used by the date command. The following are valid values for times: for hours, 00 to 23; for minutes, 00 to 59; for days, 01 to 31; for months, 01 to 12; and for years, 00 to 99.

When both -s and -h are specified without the -o option, the start time (-s) must be earlier than the end time (-h).


-h time
Display all the events existing at or before the specified time. Format and valid values for time are the same as the -s option.

-a outcome
Display all the recorded events for the specified outcome: s (success) or f (failure).

-m map
Specify the path (absolute or relative) of the auditmap directory.

-p all | priv[,. . .]
Display the recorded events that use the specified privilege(s). If the word all follows the -p option, display all recorded events that use any privilege.

-v subtype
Display all miscellaneous records with the specified subtype. Only the first 20 characters of the specified subtype are considered for record matching. The command will parse the first field of the miscellaneous record, up to 20 characters or the colon separator, whichever comes first.

log[. . .]
Name (absolute or relative pathname) of the audit log(s) to use.

Output

The first part of the output of auditrpt consists of the command line entered by the administrator. For each log file, the output consists of two parts. First, auditrpt displays audit log file and system identification information to verify that the correct log file was specified. This includes the internal identification of the audit log file, the version of the audit software that produced the log file, and the identification of the machine that produced the log file. Second, all records that meet the selection criteria are displayed one record per line. Records are displayed in the following format:
   time,event,pid(LWP_id),outcome,user,group(s),session,subj_lvl, \
      (obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)(. . .)[,pgm_prm]

The meanings of the fields are as follows:


time
The time is printed as hour:minute:second:day:month:year. For example, ``10:30:00:15:04:91'' is 10:30am of April 15, 1991.

event
The event type.

pid
The process ID number of the process that triggered the event, preceded by the letter ``P''.

LWP_id
The LWP ID number of the lightweight process that triggered the event.

outcome
The outcome of the event is either s for success or f(exit value) for failure.

user
Real and effective user names are displayed. User names are separated by a colon (that is, real_user_name:effective_user_name).

group(s)
Real and effective groups are displayed, followed by a list of supplementary groups, if any. Groups are separated by a colon (that is, real_grp:effective_grp:suppl_grp1:suppl_grp2: . . .).

session
The session ID number, preceded by the letter ``S''.

subj_lvl
This field is currently unused.

(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)
This field contains file identification information, enclosed in parentheses. If multiple objects are accessed in a single event, the field is repeated. This field contains the following subfields:

obj_id
The name of a regular file, special file, directory, named pipe, or the id of an IPC object. If the full pathname of a filesystem object cannot be determined, the partial pathname will be printed with an asterisk (*) as a prefix.

obj_type
The object type, using the codes described in the description of the -t option.

obj_lvl
This field is unused.

device
The object's device number.

maj
The major number component of the object's device.

min
The minor number component of the object's device.

inode
The object's inode number.

fsid
The object's filesystem ID number.

pgm_prm
This field is specific to each audit event and may be composed of several subfields. The subfields described for each event will be displayed in the order shown below and will be separated by commas, unless otherwise specified.

The pgm_prm field can be one of the following:

For most events generated from file descriptor based system calls, file information is returned in the file identification information field.

All the commas in the output line, except possibly the last one (if pgm_prm is empty), will be displayed as placeholders. For all the output fields, null will be displayed if the field is not appropriate for the event type being displayed. For example, the date event has no objects related to it, so the obj_id:obj_type:device:maj:min:inode:fsid fields will be null (only the comma separator will be displayed for these fields).

The auditrpt command will use the audit map to translate users, groups, privileges, events and system calls from IDs (numbers) to names. If the information for translating a number to a name is not found in the map, raw data (the ASCII representation of the numeric value) will be displayed for the corresponding field.

All numeric values are displayed in decimal representation unless preceded by ``0x'', which indicates hexadecimal representation.

If a field is appropriate for an event but its value is invalid, a ``?'' will be displayed. For example, if a login event fails because the logname used is unknown to the system (cannot be translated into a UID in the log record), the user will be flagged as invalid and a ``?'' will be displayed.

Miscellaneous records

Application programs can generate audit records with the auditdmp system call. The auditrpt command processes these records as events of the type misc. The misc record will have a string in the final field of its output; this string will contain all the information written by the application program that created the misc audit record.
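The record layout described under Output, together with the misc subtype matching described for the -v option and in this section, worked through as an added example that is not part of this man page or of the auditrpt command: a small Python parser for the one-record-per-line output. The sample lines are constructed in the documented layout rather than captured from a real audit trail; the form of the LWP ID inside the parentheses and the century pivot applied to two-digit years are assumptions, since the page does not state them.

```python
"""Parser for the one-record-per-line format printed by auditrpt(1M).

Added illustration, not code from SCO or the auditrpt command. Assumptions
beyond the man page are marked: the LWP id inside the parentheses is a bare
number, two-digit years 70-99 mean 19xx and 00-69 mean 20xx, and the sample
lines below are constructed, not captured from a real audit trail.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Eight comma-separated leading fields, zero or more "(...)" object groups,
# then an optional ",pgm_prm" (the final comma may be omitted when empty).
_RECORD_RE = re.compile(
    r"^(?P<time>[^,]*),(?P<event>[^,]*),(?P<pid>[^,]*),(?P<outcome>[^,]*),"
    r"(?P<user>[^,]*),(?P<groups>[^,]*),(?P<session>[^,]*),(?P<subj_lvl>[^,]*),"
    r"(?P<objects>(?:\([^)]*\))*)(?:,(?P<pgm_prm>.*))?$"
)
_OBJECT_RE = re.compile(r"\(([^)]*)\)")
_PID_RE = re.compile(r"^P(\d+)(?:\((\d+)\))?$")  # "(lwp)" form is an assumption
_FAIL_RE = re.compile(r"^f\((-?\d+)\)$")         # f(exit value)


@dataclass
class AuditObject:
    obj_id: str             # pathname, or IPC object / loadable module id
    partial_path: bool      # True when auditrpt printed a leading '*'
    obj_type: str           # f, c, d, p, l, s, h or m (see -t)
    device: Optional[int]
    major: Optional[int]
    minor: Optional[int]
    inode: Optional[int]
    fsid: Optional[int]


@dataclass
class AuditRecord:
    time: datetime
    event: str
    pid: int
    lwp_id: Optional[int]        # only present when -x was given
    success: bool
    exit_value: Optional[int]    # set for f(exit value) outcomes
    real_user: Optional[str]     # None when the field was null or '?'
    eff_user: Optional[str]
    real_group: Optional[str]
    eff_group: Optional[str]
    suppl_groups: List[str]
    session: Optional[int]
    objects: List[AuditObject]
    pgm_prm: str


def parse_number(text: str) -> Optional[int]:
    """Decimal unless prefixed with 0x; null ('') and invalid ('?') give None."""
    if text in ("", "?"):
        return None
    return int(text, 16) if text.startswith("0x") else int(text, 10)


def _names(text: str, minimum: int) -> List[Optional[str]]:
    names = [None if p in ("", "?") else p for p in text.split(":")] if text else []
    return names + [None] * (minimum - len(names))


def parse_time(text: str) -> datetime:
    """hour:minute:second:day:month:year, e.g. 10:30:00:15:04:91 -> 1991-04-15 10:30."""
    hh, mi, ss, dd, mo, yy = (int(p) for p in text.split(":"))
    return datetime(1900 + yy if yy >= 70 else 2000 + yy, mo, dd, hh, mi, ss)


def parse_object(text: str) -> AuditObject:
    """obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid (obj_lvl is unused)."""
    parts = text.rsplit(":", 7)        # keeps any ':' inside the pathname
    if len(parts) != 8:
        raise ValueError(f"malformed object field: {text!r}")
    obj_id, obj_type, _unused, dev, maj, mnr, ino, fsid = parts
    partial = obj_id.startswith("*")
    return AuditObject(obj_id[1:] if partial else obj_id, partial, obj_type,
                       *(parse_number(n) for n in (dev, maj, mnr, ino, fsid)))


def parse_record(line: str) -> AuditRecord:
    m = _RECORD_RE.match(line.rstrip("\n"))
    pm = _PID_RE.match(m["pid"]) if m else None
    if not m or not pm:
        raise ValueError(f"not an auditrpt record: {line!r}")
    fail = _FAIL_RE.match(m["outcome"])
    if m["outcome"] != "s" and not fail:
        raise ValueError(f"bad outcome field: {m['outcome']!r}")
    users, groups = _names(m["user"], 2), _names(m["groups"], 2)
    session = m["session"]
    return AuditRecord(
        time=parse_time(m["time"]), event=m["event"],
        pid=int(pm.group(1)), lwp_id=int(pm.group(2)) if pm.group(2) else None,
        success=fail is None, exit_value=int(fail.group(1)) if fail else None,
        real_user=users[0], eff_user=users[1],
        real_group=groups[0], eff_group=groups[1],
        suppl_groups=[g for g in groups[2:] if g],
        session=int(session[1:]) if session.startswith("S") else None,
        objects=[parse_object(o) for o in _OBJECT_RE.findall(m["objects"])],
        pgm_prm=m["pgm_prm"] or "",
    )


def misc_subtype(pgm_prm: str) -> Optional[str]:
    """Subtype of a misc record: the text before a colon within the first 20
    characters. None corresponds to the 'misformed miscellaneous record' warning."""
    head = pgm_prm[:20]
    return head.split(":", 1)[0] if ":" in head else None


def matches_subtype(rec: AuditRecord, wanted: str) -> bool:
    """Emulate -v: only the first 20 characters of the requested subtype count."""
    return rec.event == "misc" and misc_subtype(rec.pgm_prm) == wanted[:20]


SAMPLE_LINES = [  # constructed examples in the documented layout
    "10:30:00:15:04:91,open,P1234(7),s,root:root,sys:sys:bin,S77,,(/etc/passwd:f::0x1:1:0:2012:0x10001),",
    "10:31:05:15:04:91,date,P1300,s,root:root,sys:sys,S77,,",
    "10:32:00:15:04:91,login,P1400,f(1),?:?,other:other,S78,,,",
    "10:33:00:15:04:91,misc,P1500,s,adm:adm,adm:adm,S79,,,backup:nightly run completed",
    "10:34:00:15:04:91,link,P1600,s,adm:adm,adm:adm,S79,,(*tmp/a:f::0x1:1:0:300:0x10001)(*tmp/b:l::0x1:1:0:301:0x10001),",
]


def parse_all(lines=SAMPLE_LINES) -> List[AuditRecord]:
    return [parse_record(line) for line in lines]


if __name__ == "__main__":
    for r in parse_all():
        print(r.time, r.event, "ok" if r.success else f"fail({r.exit_value})",
              r.real_user, [o.obj_id for o in r.objects], r.pgm_prm)
```

The fixed fields are split on commas and the object groups are matched as a unit, so a pgm_prm string that itself contains commas (as a misc record's free text may) survives intact; the object subfields are split from the right so that a colon inside a pathname stays attached to obj_id. A null field (only its comma placeholder) and an invalid field (``?'') both come back as None, which is the distinction a reviewer needs when deciding whether a failed login record names a real account.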

Files

/var/tmp/
/var/audit/MMDD###
/var/audit/auditmap/auditmap

Return values

If successful, auditrpt exits with a value of zero (0). If there are errors, it exits with one of the following values and prints the corresponding error message:

1
usage: auditrpt . . .

Invalid command syntax.


1
argument list for option option too long

The argument list exceeds the current implementation limits.


1
Option requires an argument -- e

1
start time must be earlier than the end time

When the -s and -h options are used without -o, the time specified by -s must be earlier than that specified by -h.


1
invalid argument given to option option

The user specified with the -u option contains at least one non-alphanumeric character.


1
event type or class event does not exist

The argument to the -e option was an invalid event type or class (that is, an event not found in the audit map information).


1
full pathname must be specified for object_id

1
invalid object type specified: object_type

The object type was not one of f, c, d, p, l, s, h, or m.


1
invalid outcome specified

The outcome specified by -a must be either s or f.


1
invalid option combination option1, option2,. . .
usage: auditrpt . . .

1
auditing currently disabled, logfile must be specified

1
auditing disabled

The -w option was specified while auditing was disabled.


1
cannot open auditmap directory dirname

1
invalid time format

The argument to the -h or -s option is not correct.


1
invalid privilege priv supplied

1
-x may not be used with this version

The -x option may not be used when printing records from audit trails created by previous releases.


3
system service not installed

If the -w option is used or no log file is specified, then auditing must be installed on the machine on which auditrpt is executing.


4
Permission denied

Failure because of insufficient privilege.


5
chmod() failed for temporary file, errno = number

5
error manipulating file

5
could not obtain version number

An attempt to read the audit log file to obtain the audit trail version number failed. The log file may be corrupted or is not in the correct format.


5
unknown audit version number

The audit trail version number read was invalid. The recognized version numbers are 1.0, 2.0, 3.0, and 4.0.


5
Incompatible log file version number

When reading records from standard input, the beginning of a new log file was detected, but the version number for this file was invalid.


6
could not get buffer attributes

The call to the auditbuf system call to get the audit buffer attributes failed.


8
could not get current log attributes

The call to the auditlog system call to get the current log file attributes failed.


12
could not determine status of auditing

The call to the auditctl system call to get the current status of auditing failed.


13
bad log record type record number

An invalid record type was encountered in the audit event log file.


15
all event log files specified are inaccessible

24
unable to allocate space

26
additional options required
usage: auditrpt . . .

The -o option was specified without additional criteria selection options.


28
bad map record type record number

An invalid element was encountered in an audit map file.


32
log file's format or byte ordering (format id)
is not readable in current architecture

The magic number of the event log file is not what was expected. Possibly the file is in External Data Representation (XDR) format, or the magic number indicates the file was generated by another version or architecture.


33
Version specific auditrpt not found: version

33
Version specific auditrpt not executable: version

The following warning messages may be displayed:

event log file(s) are not in sequence or missing
The log files specified on the command line may not be in order, or a file may be missing.

missing pathname for process Ppid
auditrpt did not find the expected number of filename records for the given process.

event log file log does not exist
A log file specified on the command line does not exist.

no match found in event log file(s)
The log file or files do not contain a record that matches the selection criteria.

machines in log file filename (mach_info) and map file (mach_info) do not match
The event log file and the audit map files were generated on different machines.

data in audit buffer will not be immediately displayed
The -w option is specified, but the audit log high water mark is not zero.

log file filename ignored
The -i option or the -w option was used along with a log file argument.

cannot open audit map file map_file
auditrpt could not open the auditmap directory for reading.

misformed miscellaneous record
The miscellaneous record did not have a subtype name followed by a colon (:) in the first 20 characters of the ASCII string.

cannot read and write character special device simultaneously
The specified (or default) log file is a character special device and is also the current active log file.

user id user does not exist in audit map

keyword all should not be used in conjunction with individual privileges
The privilege list specified with the -p option cannot contain both the keyword all and individual privileges.

credential information for Ppid is incomplete
Credential records for the given process were not found previously in the audit log file(s).

credential structure could not be freed

References

auditfltr(1M), auditlog(1M), auditmap(1M), auditoff(1M), auditon(1M), auditset(1M)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004