Displaying audit trail information

Displaying information by object level


NOTE: This section assumes that you are familiar with the concepts of Mandatory Access Control (MAC) and security levels. Level information is present only if the system that generated the audit log file was running an earlier release that supported MAC; this section does not apply to audit log files generated by systems running this release.

If you are processing audit log files from a system running an earlier release, specifically UNIX System V Release 4.1 or UNIX System V Release 4.2MP, the log files may contain object level information. This is the case if that system was running with the Enhanced Security Utilities installed.

The -l and -r options of the auditrpt command display audit information about the security levels of objects recorded in the audit event log file. The argument to the -l option is a single security level; the argument to the -r option is a security level range. The -l and -r options cannot be used on the same command line.

When you invoke auditrpt with the -l option, the command displays information about all events that involve objects at the specified security level.

For example, to report all audit information related to objects at the restricted security level, enter the following command:

auditrpt -l restricted

Security levels are validated against the information contained in the audit map files. Refer to the auditmap(1M) manual page for further information on the audit map files. If the individual security level is invalid, auditrpt displays the following error message and terminates processing:

security level specified does not exist in map

When you invoke auditrpt with the -r option, the command displays information about all events that involve objects within the specified security level range. The two levels in a range are separated by a minus sign (-), and the second level must dominate the first. If the second level does not dominate the first, auditrpt displays the following error message and terminates processing:

maximum security level does not dominate minimum security level

For example, assume that your site has the following three levels: Restricted, Confidential, and Proprietary, where Restricted is the lowest and Proprietary the highest. The following command displays all audit information relating to objects whose security level is within that range:

auditrpt -r Restricted-Proprietary

The security levels used as input to the -r option are also validated against the audit map files. Refer to the auditmap(1M) manual page for further information.
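The two checks described above (the level must exist in the audit map, and for -r the maximum must dominate the minimum) can be modelled to show why a range is not simply "lower name, higher name": dominance is a partial order, so two levels at the same classification with different categories are incomparable and cannot form a valid range. The following Python is an added illustration, not auditrpt's source and not the format of a real audit map file; the level map, the names Eng and Finance, and the helper functions are constructed for this example, and "within the range" is assumed to mean that the object's level dominates the minimum and is dominated by the maximum, endpoints included.

```python
"""Model of the security-level checks auditrpt applies to -l and -r arguments.

Hypothetical example, not auditrpt's code. A level is modelled the usual MAC
way as a hierarchical classification plus a set of non-hierarchical
categories: level A dominates level B iff A's classification is >= B's and
A's category set is a superset of B's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Level:
    classification: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        return (self.classification >= other.classification
                and self.categories >= other.categories)


# Constructed stand-in for the level definitions an audit map would supply.
LEVEL_MAP = {
    "Restricted":   Level(1),
    "Confidential": Level(2),
    "Proprietary":  Level(3),
    # Same classification, disjoint categories: neither dominates the other.
    "Eng":          Level(2, frozenset({"eng"})),
    "Finance":      Level(2, frozenset({"fin"})),
}

# Error texts as printed by auditrpt (see the text above).
ERR_UNKNOWN = "security level specified does not exist in map"
ERR_ORDER = "maximum security level does not dominate minimum security level"


def lookup_level(name, level_map=LEVEL_MAP):
    """The -l check: the named level must exist in the map."""
    try:
        return level_map[name]
    except KeyError:
        raise ValueError(ERR_UNKNOWN) from None


def parse_range(spec, level_map=LEVEL_MAP):
    """The -r check: 'min-max', both levels known, max dominates min.
    Returns the (min_name, max_name) pair that would drive event filtering."""
    if "-" not in spec:
        raise ValueError("range must be of the form min-max")
    low_name, high_name = spec.split("-", 1)   # assumes level names contain no '-'
    low = lookup_level(low_name, level_map)
    high = lookup_level(high_name, level_map)
    if not high.dominates(low):
        raise ValueError(ERR_ORDER)
    return low_name, high_name


def level_in_range(name, spec, level_map=LEVEL_MAP):
    """True if the level 'name' lies within the -r range: it dominates the
    minimum and is dominated by the maximum (endpoints included, by assumption)."""
    low_name, high_name = parse_range(spec, level_map)
    lvl = lookup_level(name, level_map)
    return lvl.dominates(level_map[low_name]) and level_map[high_name].dominates(lvl)


def validation_error(fn, *args):
    """Return the error text the check would print, or None if the input is accepted."""
    try:
        fn(*args)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(validation_error(lookup_level, "Secret"))            # unknown level
    print(parse_range("Restricted-Proprietary"))               # accepted
    print(validation_error(parse_range, "Proprietary-Restricted"))  # reversed
    print(validation_error(parse_range, "Eng-Finance"))        # incomparable
    print(level_in_range("Confidential", "Restricted-Proprietary"))
    print(level_in_range("Eng", "Restricted-Proprietary"))
```

Note that Eng is not within Restricted-Proprietary even though its classification lies between the two, because Proprietary carries no categories and therefore does not dominate a level that has one; this is the behaviour a dominance-based range implies, and it is why a reversed or incomparable pair is rejected up front rather than silently matching nothing.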


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999