auditrpt(1M) auditrpt(1M)
NAME
auditrpt - display recorded information from audit trail
SYNOPSIS
auditrpt [-o] [-i] [-b | -w] [-x]
[-e[!]event[,. . .]] [-u user[,. . .]] [-f object_id[,. . .]]
[-t object_type[,. . .]] [-s time] [-h time] [-a outcome] [-m map]
[-p all | priv[,. . .]] [-v subtype] [log [. . .]]
DESCRIPTION
The auditrpt shell level command allows the administrator with
the appropriate privileges to selectively display the contents
of audit log files. Note that if a log file is presented on
standard input, only one log file may be presented at a time.
If more than one log file is presented in this manner,
auditrpt will fail when it encounters data from the second log
file. Specify the file names on the command line if you wish
to process multiple log files. The privileges required are
audit and setplevel.
The contents of log files created with previous releases of
the Auditing Package may be displayed using this command.
Version numbers are assigned to the audit log files associated
with each release. The auditrpt command uses these version
numbers to determine the release used to create the audit log
under examination. The version numbers and releases currently
recognized are:
1.0 UNIX System V Release 4.1ES
2.0 UNIX System V Release 4.0, UNIX System V Release 4.0MP
3.0 UNIX System V Release 4.2
4.0 UNIX System V Release 4.2ES/MP, UnixWare 1.x, UnixWare 2.0
The following options are available:
-o Display the events that correspond to the union
of the specified auditing criteria.
-i Take input audit records from standard input.
Copyright 1994 Novell, Inc. Page 1
-b Display the events in reverse chronological
order (backwards). This option cannot be used
with the -w option.
-w Display the events as they are being written to
the event log file. This option cannot be used
with the -b option.
-x Display the Lightweight Process ID (LWP ID) of
the LWP associated with the event.
-e[!] event[,. . .]
Display the selected event types or event
classes. If ! is specified, all the events
except those listed are displayed. Event
classes, which are aliases for groups of
events, are defined in the
/etc/security/audit/classes file.
-u user[,. . .]
Display all the recorded events for the
specified real and effective uids and/or login
names.
-f object_id[,. . .]
Display all the recorded events for the
specified object_ids. The object_id must be
the full pathname of a regular file, special
file, directory, or a named pipe, or the ID of
an IPC object or loadable module.
-t object_type[,. . .]
Display all the recorded events for the
specified object_types. Valid arguments are f
(regular file), c (character special file), l
(links), d (directories), p (named pipes or
unnamed pipes), s (semaphores), h (shared
memory), and m (messages).
-s time Display all the events occurring at or after
the specified time. The time should be
specified in the format used by the date
command. The following are valid values for
times: for hours, 00 to 23; for minutes, 00 to
59; for days, 01 to 31; for months, 01 to 12;
and for years, 00 to 99.
When both -s and -h are specified without the
-o option, the start time (-s) must be earlier
than the end time (-h).
-h time Display all the events existing at or before
the specified time. Format and valid values
for time are the same as the -s option.
-a outcome Display all the recorded events for the
specified outcome: s (success) or f (failure).
-m map Specify the path (absolute or relative) of the
auditmap directory.
-p all | priv[,. . .]
Display the recorded events that use the
specified privilege(s). If the word all
follows the -p option, display all recorded
events that use any privilege.
-v subtype Display all miscellaneous records with the
specified subtype. Only the first 20
characters of the specified subtype are
considered for record matching. The command
will parse the first field of the miscellaneous
record, up to 20 characters or the colon
separator, whichever comes first.
log[. . .] Name (absolute or relative pathname) of the
audit log(s) to use.
OUTPUT
The first part of the output of auditrpt consists of the
command line entered by the administrator. For each log file,
the output consists of two parts. First, auditrpt displays
audit log file and system identification information to verify
that the correct log file was specified. This includes the
internal identification of the audit log file, the version of
the audit software that produced the log file, and the
identification of the machine that produced the log file.
Second, all records that meet the selection criteria are
displayed one record per line. Records are displayed in the
following format:
time,event,pid(LWP_id),outcome,user,group(s),session,subj_lvl, \
(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)(. . .)[,pgm_prm]
The meanings of the fields are as follows:
time The time is printed as
hour:minute:second:day:month:year. For example,
10:30:00:15:04:91 is 10:30am of April 15, 1991.
event The event type.
pid The process ID number of the process that
triggered the event, preceded by the letter P.
LWP_id The LWP ID number of the lightweight process that
triggered the event.
outcome The outcome of the event is either s for success
or f(exit value) for failure.
user Real and effective user names are displayed. User
names are separated by a colon (that is,
real_user_name:effective_user_name).
group(s) Real and effective groups are displayed, followed
by a list of supplementary groups, if any. Groups
are separated by a colon (that is,
real_grp:effective_grp:suppl_grp1:suppl_grp2: . . .).
session The session ID number, preceded by the letter S.
subj_lvl Subject level information is recorded only if the
MAC feature was installed on the system that
generated the audit log file. This field will be
blank otherwise.
(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)
This field contains file identification
information, enclosed in parentheses. If multiple
objects are accessed in a single event, the field
is repeated. This field contains the following
subfields:
obj_id
The name of a regular file, special file,
directory, named pipe, or the id of an IPC
object. If the full pathname of a file
system object cannot be determined, the
partial pathname will be printed with an
asterisk (*) as a prefix.
obj_type
The object type, using the codes described
in the description of the -t option.
obj_lvl
Object level information is recorded only if
the MAC feature was installed on the system
that generated the audit log file. This
field will be blank otherwise.
device
The object's device number.
maj The major number component of the object's
device.
min The minor number component of the object's
device.
inode The object's inode number.
fsid The object's file system ID number.
pgm_prm This field is specific to each audit event and may
be composed of several subfields. The subfields
described for each event will be displayed in the
order shown below and will be separated by commas,
unless otherwise specified.
The pgm_prm field can be one of the following:
For the audit_ctl/audit_evt/audit_log/audit_map events
when generated by the audit user level commands auditon,
auditoff, auditset, auditlog, auditmap, respectively:
the entire command line.
For the add_grp/add_usr/add_usr_grp/mod_grp/mod_usr
events: the entire command line.
For the tfadmin event: the entire command line.
For the chg_times/date events: the new date. For the
chg_times event only, the file name is also given.
For the fork event: the child process ID, the number of
LWPs created, and the LWP ID's.
For the init event: if generated by the user level
command init(1M), the entire command line. If generated
by the init process ("process 1"):
current state: state1 new_state: state2
The old init state is represented by state1, and the new
init state by state2.
For the kill event: the signal and a list of pids to
which the signal was posted.
For the set_uid event: new user.
For the set_gid event: the new group.
For the set_pgrps event: the name of the system call
that generated the event (setpgrp or setpgid). In
addition, if generated by the setpgid system call, the
process ID and process group ID passed to the system
call.
For the set_grps event: the supplementary group access
list.
For the link event: the pathname of the target file.
For the dac_own_grp event: if the owner was changed, the
new user ID (preceded by user:) or if the group was
changed, the new group ID (preceded by group:). In
addition, for the chown system call, the file name.
For the dac_mode event: the new mode.
For the
msg_ctl/msg_get/msg_op/sem_ctl/sem_get/sem_op/shm_ctl/
shm_get/shm_op events: the operation code, flag and
command value. If a subfield does not pertain to an
event type, a zero will be displayed.
For the login/bad_auth events, the terminal
identification (tty), user, and group, of the user
attempting to log on (if valid). In addition, for the
bad_auth event: the error message (LOGIN, PASWD or
AUDIT).
For the passwd event: the user whose password is being
changed (if valid).
For the pm_denied event: the requested privilege, system
call name, and maximum set of privileges.
For the cron event: user's effective uid, user's
effective gid, user's level (enclosed in double quotes),
and cron job name. User refers to the user that cron is
running on behalf of. Note that the level subfield will
be blank if the Enhanced Security Utilities were not
installed and running on the audited system.
For the open_rd/open_wr events: the file descriptor.
For the file_lvl event: new security level (enclosed in
double quotes). In addition, for the flvlfile system
call, the file name.
For the disp_attr/set_attr events: the release flag
(persistent, lastclose, or system), device mode (static
or dynamic), low_level (enclosed in double quotes),
high_level (enclosed in double quotes) and device state
(private or public). In addition, for the disp_attr
event: the inuse flag (inuse or unused). For the
fdevstat system call, the file descriptor.
For the file_acl event: all ACL entries and the file
name.
For the ipc_acl event: the ipc type, the ipc id and all
ACL entries.
For the ulimit event: the new limit.
For the setrlimit event: the resource (RLIMIT_CORE,
RLIMIT_CPU, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_NOFILE,
RLIMIT_STACK, RLIMIT_VMEM), soft limit and hard limit.
For the sched_lk event: the action (PROCLOCK, TXTLOCK,
DATLOCK) if generated by the plock system call. The
page mapping attributes (PRIVATE or SHARED) and page
protection attributes (one or more of the following:
PROT_READ, PROT_WRITE, PROT_EXEC) if generated by the
memctl system call.
For the sched_fp/sched_ts/sched_fc events: If generated
by the priocntl system call with the PC_ADMIN command,
the function name (FP_SETDPTBL, FC_SETDPTBL, or
TS_SETDPTBL), global priority and time quantum. In
addition, if TS_SETDPTBL or FC_SETDPTBL, the time-sharing
dispatcher parameters: tqexp, slpret, maxwait
and lwait. If generated by the priocntl system call
with the PC_SETPARMS command, the function name (FP_NEW,
FC_NEW, TS_NEW, FP_PARMSET, FC_PARMSET, TS_PARMSET),
process id and user priority. In addition, if the
sched_ts or sched_fc event, user priority limit. If
sched_fp event, the seconds in time quantum.
For the modadm event: the module type (character device,
block device, streams, filesystem, misc, none), the
command (register), and the module name. Also, module
type specific data as follows: if module type is
character device or block device, the major number; if
module type is filesystem, the file system name; if
module type is misc or none, no specific data is
displayed.
For the modload event: the loadable module id.
For the modpath event: the absolute pathname added to
the loadable module search path or NULL if the default
search path is set.
For the iocntl event: the command argument id passed to
the system call, the flags found in the file table
entry, if any (separated by colons), (FOPEN, FREAD,
FWRITE, FNDELAY, FAPPEND, FSYNC, FNONBLOC, FMASK,
FCREAT, FTRUNC, FEXCL, FNOCTTY, FASYNC, FNMFS).
For the fcntl event: the command argument passed to the
system call. If command is F_SETFD, close-on-exec flag
(0 or 1). If command is F_SETFL, status flags
(separated by colons) (O_APPEND, O_NDELAY, O_NONBLOCK,
O_SYNC). If a struct flock was passed to the system
call: the command argument passed to the system call,
(F_ALLOCSP, F_FREESP, F_SETLCK, F_SETLKW, F_RSETLCK,
F_RSETLKW) and the following structure members: l_type,
l_whence, l_start, l_len.
For the mount event: the flags passed to the system call
and one or more of the following: RDONLY (read-only),
FSS (old (4-argument) mount), DATA (6-argument mount),
NOSUID (setuid disallowed), REMOUNT (remount), NOTRUNC
(return ENAMETOOLONG for long file names).
For the file_priv event: all information in the priv_t
masks passed to the system call, in the following
format:
priv_type1:priv_name[:priv_name],priv_type2:. . .
priv_type will be the name of the privilege type, if it
is recognized by the privilege mechanism of the audited
system. If it is not recognized, it will be the
character representation of the first byte of the priv_t
mask (for example, i for inheritable). For a list of
privileges, see intro(2).
For the recvfd event: the receiver's process ID and LWP
ID.
For the misc event: the free form string provided by the
application.
For the audit_buf event: the high water mark value.
For the audit_ctl event when generated by the auditctl
system call: the action taken (AUDITON or AUDITOFF).
For the audit_log event when generated by the auditlog
system call: all information passed in the alog
structure to the system call. This will include: log
file attributes (PPATH:PNODE:APATH:ANODE:PSIZE
:ASPECIAL:PSPECIAL), the action taken when the log is
full (ASHUT,ADISA,AALOG, AALOG:APROG), the action taken
when there is an audit error (ASHUT or ADISA), the
maximum log size, the primary node name, the alternate
node name, the primary log pathname, the alternate log
pathname and the program to be run during a log switch.
For the audit_dmp event when generated by the auditdmp
system call: the event type and the status (if success:
SUCCESS, if failure: FAILURE(status)).
For the audit_evt event when generated by the auditevt
system call: all information passed in the aevt
structure to the system call. This will include:
command argument (ASETME,ASETSYS,ASETUSR,
ANAUDIT,AYAUDIT). If the command is ASETME, the new
user event mask for the invoking process. If the
command is ASETSYS, the new system event mask. If the
command is ASETUSR, the user whose mask has been
modified, the new user event mask.
For the lwp_create event, the ID of the LWP that was
created.
For the lwp_bind and lwp_unbind events, the LWP or
process flag argument to the system call, the ID of the
process or LWP, the processor ID supplied by the caller,
and the processor ID returned by the system.
For the p_online event, the command type (P_ONLINE or
P_OFFLINE).
For the logoff event, the type of logoff.
For the keyctl event, the command (either
K_SETPROCESSORS or K_SETUNLIMITED) and the contents of
the nskeys structures passed as arguments to the system
call.
For most events generated from file descriptor based system
calls, file information is returned in the file identification
information field.
All the commas in the output line, except possibly the last
one (if pgm_prm is empty), will be displayed as placeholders.
For all the output fields, null will be displayed if the field
is not appropriate for the event type being displayed. For
example, the date event has no objects related to it, so the
obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid fields will
be null (only the comma separator will be displayed for these
fields). Also, in a base system the MAC level fields will be
null.
The auditrpt command will use the audit map to translate
users, groups, security levels, privileges, events and system
calls from IDs (numbers) to names. If the information for
translating a number to a name is not found in the map, raw
data (the ASCII representation of the numeric value) will be
displayed for the corresponding field.
All numeric values are displayed in decimal representation
unless preceded by 0x, which indicates hexadecimal
representation.
If a field is appropriate for an event but its value is
"invalid," a ? will be displayed. For example, if a login
event fails because the logname used is unknown to the system
(cannot be translated into a UID in the log record), the user
will be flagged as "invalid" and a ? will be displayed.
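The following Python program is an added example; it is not part of
this manual page or of the UnixWare auditing package. It parses
records in the layout described under OUTPUT (the comma-separated
fields, the repeated parenthesised object groups, the placeholder
commas for fields that do not apply, the optional trailing pgm_prm
that may itself contain commas) and then applies -e/-u/-a style
selection to the parsed records. The sample records are constructed,
and the mapping of two-digit years to 19yy is an assumption the page
does not state.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Record layout documented under OUTPUT:
#   time,event,pid(LWP_id),outcome,user,group(s),session,subj_lvl,(obj...)(...)[,pgm_prm]
OBJ_FIELDS = ("obj_id", "obj_type", "obj_lvl", "device", "maj", "min", "inode", "fsid")
_OBJ_RUN = re.compile(r"^(?:\([^()]*\))*")     # leading run of (...) object groups
_PID = re.compile(r"^P(\d+)(?:\((\d+)\))?$")   # P<pid> or P<pid>(<LWP_id>)
_FAIL = re.compile(r"^f\((.*)\)$")             # f(exit value)


@dataclass
class AuditRecord:
    time: datetime
    event: str
    pid: int
    lwp_id: Optional[int]          # None when the record carries no LWP ID
    success: bool
    exit_value: Optional[str]      # text inside f(...) on failure
    real_user: str
    effective_user: str
    real_group: str
    effective_group: str
    supplementary_groups: List[str]
    session: int
    subj_lvl: str                  # empty unless MAC was installed
    objects: List[dict]            # one dict per (obj_id:...:fsid) group
    pgm_prm: Optional[str]         # None when the trailing comma was omitted


def parse_time(text: str) -> datetime:
    """hour:minute:second:day:month:year, e.g. 10:30:00:15:04:91 -> 1991-04-15 10:30:00."""
    hh, mm, ss, dd, mo, yy = (int(p) for p in text.split(":"))
    return datetime(1900 + yy, mo, dd, hh, mm, ss)   # 19yy century is an assumption


def parse_objects(text: str) -> List[dict]:
    """Split each parenthesised group into its eight subfields; '*' marks a partial path."""
    objects = []
    for group in re.findall(r"\(([^()]*)\)", text):
        parts = group.split(":")
        if len(parts) != len(OBJ_FIELDS):
            raise ValueError(f"object group has {len(parts)} subfields, expected 8: {group!r}")
        obj = dict(zip(OBJ_FIELDS, parts))
        obj["partial_path"] = parts[0].startswith("*")
        if obj["partial_path"]:
            obj["obj_id"] = parts[0][1:]
        objects.append(obj)
    return objects


def parse_record(line: str) -> AuditRecord:
    # The first eight fields never contain commas; pgm_prm may, so split only eight times.
    head = line.rstrip("\n").split(",", 8)
    if len(head) < 8:
        raise ValueError(f"record has fewer than 8 fields: {line!r}")
    if len(head) == 8:               # last comma omitted because pgm_prm is empty
        head.append("")
    t, event, pidf, outcome, user, groups, session, subj_lvl, rest = head
    pm = _PID.match(pidf)
    if pm is None or not session.startswith("S"):
        raise ValueError(f"bad pid or session field: {pidf!r} {session!r}")
    fm = _FAIL.match(outcome)
    if outcome != "s" and fm is None:
        raise ValueError(f"bad outcome field: {outcome!r}")
    real_user, _, eff_user = user.partition(":")
    g = groups.split(":")
    obj_text = _OBJ_RUN.match(rest).group(0)   # may be empty: no objects for this event
    tail = rest[len(obj_text):]                # "" or ",pgm_prm"
    if tail and not tail.startswith(","):
        raise ValueError(f"unexpected text after object field: {tail!r}")
    return AuditRecord(
        time=parse_time(t), event=event,
        pid=int(pm.group(1)), lwp_id=int(pm.group(2)) if pm.group(2) else None,
        success=outcome == "s", exit_value=fm.group(1) if fm else None,
        real_user=real_user, effective_user=eff_user,
        real_group=g[0], effective_group=g[1] if len(g) > 1 else "",
        supplementary_groups=g[2:], session=int(session[1:]), subj_lvl=subj_lvl,
        objects=parse_objects(obj_text), pgm_prm=tail[1:] if tail else None,
    )


# Constructed sample output (not from a real audit trail); one record per line.
SAMPLE_OUTPUT = """\
10:30:00:15:04:91,dac_mode,P1234(5),s,root:root,sys:sys:bin,S42,,(/etc/passwd:f::1:2:3:4567:8),0644
10:31:05:15:04:91,bad_auth,P1300(1),f(1),?:?,?:?,S43,,,tty01,?,?,PASWD
10:32:10:15:04:91,link,P1301(1),s,adm:adm,sys:sys,S44,,(/tmp/a:f::1:2:3:100:8)(*b:f::1:2:3:101:8),/tmp/b
10:33:00:15:04:91,date,P1400(1),s,root:root,sys:sys,S45,,,Mon Apr 15 10:35:00 1991
"""


def parse_log(text: str) -> List[AuditRecord]:
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def select(records: List[AuditRecord], event=None, user=None, outcome=None):
    """Intersect criteria the way -e, -u and -a do when -o is not given."""
    return [r for r in records
            if (event is None or r.event == event)
            and (user is None or user in (r.real_user, r.effective_user))
            and (outcome is None or (outcome == "s") == r.success)]
```

Splitting on only the first eight commas is the point worth noting:
pgm_prm subfields are comma separated (the bad_auth record above
carries four of them), so a plain split on every comma would
misattribute them. A record whose pid or session field lacks the P
or S prefix, or whose outcome is neither s nor f(...), is rejected
rather than silently mis-parsed.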
Miscellaneous Records
Application programs can generate audit records with the
auditdmp system call. The auditrpt command processes these
records as events of the type misc. The misc record will have
a string in the final field of its output; this string will
contain all the information written by the application program
that created the misc audit record.
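The following Python functions are an added example; they are not
part of this manual page or of the UnixWare auditing package. They
model the -v matching rule described above (the subtype is the first
field of the misc record string, up to 20 characters or the colon
separator; only the first 20 characters of the -v argument are
compared) together with the "misformed miscellaneous record" case.
Reading "within the first 20 characters" as allowing a 20-character
subtype name followed by its colon is an interpretation, and the
sample strings are constructed.

```python
SUBTYPE_MAX = 20   # only the first 20 characters of a subtype are significant


def record_subtype(misc_string: str) -> str:
    """Return the subtype that leads a miscellaneous record's free-form string.

    The subtype is the text before the first colon, and that colon must
    follow a name of at most 20 characters (interpretation of the page's
    rule). Raises ValueError for what auditrpt reports as a misformed
    miscellaneous record.
    """
    colon = misc_string.find(":", 0, SUBTYPE_MAX + 1)
    if colon < 0:
        raise ValueError("misformed miscellaneous record: no subtype colon "
                         "within the first 20 characters")
    return misc_string[:colon]


def matches_subtype(misc_string: str, wanted: str) -> bool:
    """Emulate -v: compare the record's subtype with the first 20 characters of the argument."""
    return record_subtype(misc_string) == wanted[:SUBTYPE_MAX]


def select_misc(misc_strings, wanted):
    """Return (selected, misformed): records -v would display, and those it would warn about."""
    selected, misformed = [], []
    for s in misc_strings:
        try:
            if matches_subtype(s, wanted):
                selected.append(s)
        except ValueError:
            misformed.append(s)
    return selected, misformed


# Constructed sample strings, as an application might pass them to auditdmp.
SAMPLE_MISC = [
    "backup:full dump of /home completed",
    "backup-verify:checksum mismatch on tape 3",
    "a_very_long_subtype_name_beyond_twenty:payload",   # colon past the 20-character window
    "no colon anywhere in this string at all",
]
```

Because the comparison truncates the -v argument to 20 characters,
two subtypes that differ only beyond that point are indistinguishable
to auditrpt; an application that needs distinct subtypes should keep
them short and unique within the first 20 characters.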
Return Values
If successful, auditrpt exits with a value of zero (0). If
there are errors, it exits with one of the following values
and prints the corresponding error message:
1 usage: auditrpt . . .
Invalid command syntax.
1 argument list for option option too long
The argument list exceeds the current implementation
limits.
1 Option requires an argument -- e
1 start time must be earlier than the end time
When the -s and -h options are used without -o, the time
specified by -s must be earlier than that specified by
-h.
1 invalid argument given to option option
The user specified with the -u option contains at least one
non-alphanumeric character.
1 event type or class event does not exist
The argument to the -e option was an invalid event type
or class (that is, an event not found in the audit map
information).
1 full pathname must be specified for object_id
1 invalid object type specified: object_type
The object type was not one of f, c, d, p, l, s, h, or m.
1 invalid outcome specified
The outcome specified by -a must be either s or f.
1 invalid option combination option1, option2,. . .
usage: auditrpt . . .
1 auditing currently disabled, logfile must be specified
1 auditing disabled
The -w option was specified while auditing was disabled.
1 cannot open auditmap directory dirname
1 invalid time format
The argument to the -h or -s option is not correct.
1 invalid privilege "priv" supplied
1 -x may not be used with this version
This option may not be used when printing records from
audit trails created by previous releases.
3 system service not installed
If the -w option is used or no log file is specified,
then auditing must be installed on the machine on which
auditing is executing.
4 Permission denied
Failure because of insufficient privilege.
5 chmod() failed for temporary file, errno = number
5 error manipulating file
5 could not obtain version number
An attempt to read the audit log file to obtain the audit
trail version number failed. The log file may be
corrupted or is not in the correct format.
5 unknown audit version number
The audit trail version number read was invalid. The
recognized version numbers are 1.0, 2.0, 3.0, and 4.0.
5 Incompatible log file version number
When reading records from standard input, the beginning
of a new log file was detected, but the version number
for this file was invalid.
6 could not get buffer attributes
The call to the auditbuf system call to get the audit
buffer attributes failed.
8 could not get current log attributes
The call to the auditlog system call to get the current
log file attributes failed.
12 could not determine status of auditing
The call to the auditctl system call to get the current
status of auditing failed.
13 bad log record type record number
An invalid record type was encountered in the audit event
log file.
15 all event log files specified are inaccessible
24 unable to allocate space
26 additional options required
usage: auditrpt . . .
The -o option was specified without additional criteria
selection options.
28 bad map record type record number
An invalid element was encountered in an audit map file.
32 log file's format or byte ordering (format id)
is not readable in current architecture
The magic number of the event log file is not what was
expected. Possibly the file is in External Data
Representation (XDR) format, or the magic number
indicates the file was generated by another version or
architecture.
33 Version specific auditrpt not found: version
33 Version specific auditrpt not executable: version
The following warning messages may be displayed:
event log file(s) are not in sequence or missing
The log files specified on the command line may not be in
order, or a file may be missing.
missing pathname for process Ppid
auditrpt did not find the expected number of filename
records for the given process.
event log file log does not exist
A log file specified on the command line does not exist.
no match found in event log file(s)
The log file or files do not contain a record that
matches the selection criteria.
machines in log file "filename" (mach_info) and map file (mach_info)
do not match
The event log file and the audit map files were generated
on different machines.
data in audit buffer will not be immediately displayed
The -w option is specified, but the audit log high water
mark is not zero.
log file "filename" ignored
The -i option or the -w option was used along with a log
file argument.
the ltdb files are missing or incomplete in the auditmap directory
auditrpt could not access some or all the audit map files
containing security level information.
cannot open audit map file map_file
auditrpt could not open the auditmap directory for
reading.
misformed miscellaneous record
The miscellaneous record did not have a subtype name
followed by a colon (:) in the first 20 characters of the
ASCII string.
cannot read and write character special device simultaneously
The specified (or default) log file is a character
special device and is also the current active log file.
user id user does not exist in audit map
keyword "all" should not be used in conjunction with
individual privileges
The privilege list specified with the -p option cannot
contain both the keyword all and individual privileges.
credential information for Ppid is incomplete
Credential records for the given process were not found
previously in the audit log file(s).
credential structure could not be freed
Files
/var/tmp/
/var/audit/MMDD###
/var/audit/auditmap/auditmap
REFERENCES
auditfltr(1M), auditlog(1M), auditmap(1M), auditoff(1M),
auditon(1M), auditset(1M)