Format of auditrpt output
The output of the auditrpt command consists of three sections.
The first section is the command line entered by the administrator.
The remaining two sections are repeated for each audit event log file that
is being processed.
The second section contains log file and system identification
information.
This information includes the internal identification of the log
file, the audit version that generated the log file, and the identification
of the machine that generated the log file.
The third section contains the audit record(s) that match the selection
criteria specified on the command line.
One audit record is displayed per line
and consists of a series of fields, separated by commas.
The format of an audit record is as follows:
time,event,pid(LWP_id),outcome,user,group(s),session,subj_lvl, \
(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)(. . .)[,pgm_prm]
where
- time
  The time of the event. The format is hour:minute:second:day:month:year.
- event
  The event type. See "Summary of auditable events and classes" for a complete list of events.
- pid
  The process ID preceded by the letter P.
- LWP_id
  The LWP ID number of the lightweight process that triggered the event.
- outcome
  The outcome of the event: s for success or f(exit code) for failure.
- user
  The real and effective user names separated by a colon (for example, real_user_name:effective_user_name).
- group
  The real and effective groups separated by a colon and followed by a list of supplementary groups (if any) separated by colons (for example, real_grp:effective_grp:suppl_grp1:suppl_grp2...).
- session
  The numerical session ID preceded by the letter S.
- subj_lvl
  Normally blank, but if the log file is from a system running an earlier release that supports Mandatory Access Control (MAC), this field will contain the subject's MAC level.
- (obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)
  This field contains object identification information, enclosed in parentheses. If multiple objects are accessed in a single event, the field is repeated. This field contains the following subfields:
  - obj_id
    Object identification information.
  - obj_type
    The object type which may be either: f (regular file), c (character special file), b (block special file), l (link), d (directory), p (named pipe or unnamed pipe), s (semaphores), h (shared memory), or m (messages).
  - obj_lvl
    Normally blank, but if the log file is from a system running an earlier release that supports Mandatory Access Control (MAC), this field will contain the object's MAC level.
  - device
    The object's device number.
  - maj
    The major number component of the object's device.
  - min
    The minor number component of the object's device.
  - inode
    The object's inode number.
  - fsid
    The object's file system ID number.
- pgm_prm
  This field is specific to each event and may be composed of several subfields. The pgm_prm field for each event is described fully in the auditrpt(1M) manual page.
Commas in the display of an audit record serve either to separate fields
or act as place holders if the field is not appropriate for the specific event.
For example, the date event has no objects related to it;
therefore, the (obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)
field will be replaced with a comma.
If a field is appropriate for an event but its value is "invalid,"
a ? will be displayed.
For example, if a login event
fails because the logname used is unknown to the system
(cannot be translated into a
UID), the user will be flagged as "invalid" and a
? will be displayed.
The following is an example of an audit record:
14:32:00:18:05:91,open_rd,P4556(2),f(13),boris:boris,irs:staff:proj43,
S328,"Restricted:Proj43",
(/etc/shadow:f:"system:private":0x440000:17:2:148:0x440000)
- 14:32:00:18:05:91
  The time when the event occurred: 2:32 p.m. on May 18, 1991.
- open_rd
  The event type. See "Summary of auditable events and classes" for a complete list of events.
- P4556(2)
  The process ID number of the process that triggered the event, preceded by the letter P. The ID of the LWP that triggered the event is in parentheses.
- f(13)
  The event failed with an exit code of 13.
- boris:boris
  The real user and the effective user separated by a colon.
- irs:staff:proj43
  The real group and the effective group followed by a supplementary group. Each subfield is separated by a colon.
- S328
  The session ID number preceded by the letter S.
- "Restricted:Proj43"
  The security level of the process enclosed in double quotes.
- (/etc/shadow:f:"system:private":0x440000:17:2:148:0x440000)
  The object identification information, which includes the following subfields:
  - /etc/shadow
    The name of the object.
  - f
    The object type, which is a regular file.
  - "system:private"
    The security level of the object enclosed in double quotes.
  - 0x440000
    The device number.
  - 17
    The major number of the object's device.
  - 2
    The minor number of the object's device.
  - 148
    The object's inode number.
  - 0x440000
    The object's file system ID.
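As an added example (not code from the UnixWare documentation), the following Python parser splits one auditrpt record into the fields described above, honouring the double-quoted level strings and the parenthesised, possibly repeated, object groups, and keeping empty placeholder fields and ? values visible. The helper names are my own; the sample record is the page's example re-joined onto the single line auditrpt prints.

```python
# Added example, not from the UnixWare documentation; helper names are my own.
import re
FIELDS = ("time", "event", "pid", "outcome", "user", "group",
          "session", "subj_lvl", "objects")
OBJ_FIELDS = ("obj_id", "obj_type", "obj_lvl", "device", "maj", "min",
              "inode", "fsid")
# The page's example record, re-joined onto the single line auditrpt prints.
SAMPLE = ('14:32:00:18:05:91,open_rd,P4556(2),f(13),boris:boris,'
          'irs:staff:proj43,S328,"Restricted:Proj43",'
          '(/etc/shadow:f:"system:private":0x440000:17:2:148:0x440000)')

def split_top(text, sep):
    """Split on sep, ignoring separators inside "..." or (...)."""
    parts, depth, quoted = [""], 0, False
    for ch in text:
        quoted ^= ch == '"'
        if not quoted:
            depth += (ch == "(") - (ch == ")")
        if ch == sep and not quoted and depth == 0:
            parts.append("")
        else:
            parts[-1] += ch
    return parts

def parse_object(text):
    """'(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)' -> dict."""
    sub = [s.strip('"') for s in split_top(text[1:-1], ":")]
    if len(sub) != len(OBJ_FIELDS):
        raise ValueError("malformed object field: %r" % text)
    return dict(zip(OBJ_FIELDS, sub))

def parse_record(line):
    """Parse one auditrpt line; '' is a placeholder field, '?' an invalid one."""
    fields = split_top(line.strip(), ",")
    if len(fields) < len(FIELDS):
        raise ValueError("too few fields: %r" % line)
    rec = dict(zip(FIELDS, fields))
    rec["pgm_prm"] = ",".join(fields[len(FIELDS):])  # event-specific remainder
    rec["time"] = tuple(int(t) for t in rec["time"].split(":"))  # h:m:s:D:M:Y
    m = re.fullmatch(r"P(\d+)\((\d+)\)", rec["pid"])  # P<pid>(<LWP_id>)
    if m:
        rec["pid"], rec["lwp_id"] = int(m.group(1)), int(m.group(2))
    m = re.fullmatch(r"f\((\d+)\)", rec["outcome"])  # s, or f(exit code)
    rec["exit_code"] = int(m.group(1)) if m else None
    rec["user"] = rec["user"].split(":")    # real:effective
    rec["group"] = rec["group"].split(":")  # real:effective:suppl1:...
    rec["subj_lvl"] = rec["subj_lvl"].strip('"')
    objs = re.findall(r"\([^)]*\)", rec["objects"])  # one (...) per object
    rec["objects"] = [parse_object(o) for o in objs]
    return rec
```

Fields the page describes as placeholders come back as empty strings and invalid values as "?", so a reviewer can grep the parsed output for either without losing the distinction.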
© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999