Displaying audit trail information

Displaying information about privileges

The -p option of the auditrpt command displays information about events that involved privileged operations. The argument to the -p option consists of either one or more privilege names or the keyword all. Multiple privilege names must be separated by commas with no spaces between them, because a space is interpreted as the end of the privilege list. If you specify the keyword all, auditrpt displays all audit records for all privileges. If you specify one or more privilege names after the -p option, auditrpt displays only the audit records that involve the specified privileges.

For example, most audit user-level commands and system calls require the audit privilege. An exception is the auditdmp(2) system call, which requires the auditwr privilege to write miscellaneous audit records to the audit event log file. If you want to see all events that involve the p_audit privilege, enter the following command:

auditrpt -p audit

The dacread and dacwrite privileges are needed to override Discretionary Access Control (DAC) protections for objects. If any user who is not a system administrator acquires these privileges, there has been a serious breach of system security. If you want to see all uses of these privileges, use the following command:

auditrpt -p dacread,dacwrite

For a complete list of privileges, see the intro(2) manual page.
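
Because a space ends the privilege list, typing dacread, dacwrite with a space passes only the first name to auditrpt. The sh function below is an added example, not part of the SCO documentation; the name priv_list and its validation rules (lowercase names, all used on its own) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: normalize loosely typed privilege names into the
# comma-separated, space-free form that `auditrpt -p` expects.
# priv_list is a hypothetical helper, not an SCO-supplied command.

# priv_list NAME...  prints "name1,name2" or returns 1 on bad input.
priv_list() {
    # Reject anything other than name characters and separators.
    # Assumption: privilege names are lowercase words such as the
    # ones shown on this page (audit, dacread, dacwrite).
    case "$(printf '%s' "$*" | tr -d ', \t')" in
        *[!a-z0-9_]*)
            echo "priv_list: invalid character in privilege list" >&2
            return 1 ;;
    esac

    out=""
    # Treat commas and whitespace alike as separators on input.
    for name in $(printf '%s ' "$@" | tr ',' ' '); do
        case ",$out," in *",$name,"*) continue ;; esac   # drop duplicates
        out="${out:+$out,}$name"
    done

    if [ -z "$out" ]; then
        echo "priv_list: empty privilege list" >&2
        return 1
    fi

    # The argument is privilege names OR the keyword all, not both.
    case ",$out," in
        ,all,) ;;
        *,all,*)
            echo "priv_list: 'all' cannot be combined with names" >&2
            return 1 ;;
    esac

    printf '%s\n' "$out"
}

# Usage on a system that provides auditrpt:
#   auditrpt -p "$(priv_list dacread, dacwrite)"
```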


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005