Displaying audit trail information

Format of auditrpt output

The output of the auditrpt command consists of three sections. The first section is the command line entered by the administrator. The remaining two sections are repeated for each audit event log file that is being processed. The second section contains log file and system identification information. This information includes the internal identification of the log file, the audit version that generated the log file, and the identification of the machine that generated the log file. The third section contains the audit record(s) that match the selection criteria specified on the command line. One audit record is displayed per line and consists of a series of fields, separated by commas. The format of an audit record is as follows:

time,event,pid(LWP_id),outcome,user,group(s),session,subj_lvl, \
(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)(. . .)[,pgm_prm]

where

time
The time of the event. The format is hour:minute:second:day:month:year.

event
The event type. See ``Summary of auditable events and classes'' for a complete list of events.

pid
The process ID preceded by the letter P.

LWP_id
The LWP ID number of the lightweight process that triggered the event.

outcome
The outcome of the event: s for success or f(exit code) for failure.

user
The real and effective user names separated by a colon (for example, real_user_name:effective_user_name).

group
The real and effective groups separated by a colon and followed by a list of supplementary groups (if any) separated by colons (for example, real_grp:effective_grp:suppl_grp1:suppl_grp2...).

session
The numerical session ID preceded by the letter S.

subj_lvl
Currently unused.

(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)
This field contains object identification information, enclosed in parentheses. If multiple objects are accessed in a single event, the field is repeated. This field contains the following subfields:

obj_id
Object identification information.

obj_type
The object type, which is one of: f (regular file), c (character special file), b (block special file), l (link), d (directory), p (named or unnamed pipe), s (semaphore), h (shared memory), or m (message queue).

obj_lvl
Currently unused.

device
The object's device number.

maj
The major number component of the object's device.

min
The minor number component of the object's device.

inode
The object's inode number.

fsid
The object's file system ID number.

pgm_prm
This field is specific to each event and may be composed of several subfields. The pgm_prm field for each event is described fully in the auditrpt(ADM) manual page.

Commas in the display of an audit record either separate fields or act as placeholders when a field does not apply to the specific event. For example, the date event has no objects related to it; therefore, the (obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid) field is replaced with a comma.

If a field is appropriate for an event but its value is ``invalid,'' a ? will be displayed. For example, if a login event fails because the login name used is unknown to the system (cannot be translated into a UID), the user will be flagged as ``invalid'' and a ? will be displayed.

The following is an example of an audit record:

14:32:00:18:05:91,open_rd,P4556(2),f(13),boris:boris,irs:staff:proj43,
S328,(/etc/shadow:f::0x440000:17:2:148:0x440000)

14:32:00:18:05:91
The time when the event occurred: 2:32 p.m. on May 18, 1991.

open_rd
The event type. See ``Summary of auditable events and classes'' for a complete list of events.

P4556(2)
The process ID number of the process that triggered the event, preceded by the letter P. The ID of the LWP that triggered the event is in parentheses.

f(13)
The event failed with an exit code of 13.

boris:boris
The real user and the effective user separated by a colon.

irs:staff:proj43
The real group and the effective group followed by a supplementary group. Each subfield is separated by a colon.

S328
The session ID number preceded by the letter S.

(/etc/shadow:f::0x440000:17:2:148:0x440000)
The object identification information which includes the following subfields:

/etc/shadow
The name of the object.

f
The object type; f denotes a regular file.

0x440000
The device number.

17
The major number of the object's device.

2
The minor number of the object's device.

148
The object's inode number.

0x440000
The object's file system ID.
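A parser for the record layout described above, added here as an example and not part of SCO's documentation or of auditrpt itself. It splits fields on commas outside object groups, expands the P<pid>(<LWP>) and f(exit code) forms, treats the unused subj_lvl as optional (the page's own example omits it), flags ? values, and ends with a hypothetical failed_access_to check that reports failed events against watched objects such as /etc/shadow. Only the first sample record is the one shown on this page; the other two are constructed.

```python
import re
# Added example, not SCO's own code. Sample records are constructed: the
# open_rd record from the page, a date event whose object field is just a
# placeholder comma, and a failed login where the unknown user shows as "?".
SAMPLE_RECORDS = [
    "14:32:00:18:05:91,open_rd,P4556(2),f(13),boris:boris,irs:staff:proj43,S328,(/etc/shadow:f::0x440000:17:2:148:0x440000)",
    "09:05:12:18:05:91,date,P4601(1),s,root:root,sys:sys,S330,,",
    "09:07:40:18:05:91,login,P4610(1),f(1),?:?,?,S331,,",
]
OBJ_KEYS = ("obj_id", "obj_type", "obj_lvl", "device", "maj", "min", "inode", "fsid")
HEAD_KEYS = ("time", "event", "pid", "outcome", "user", "group", "session")

def split_top_level(record):
    """Split on commas that are not inside an (...) object group (assumes no ')' in pgm_prm)."""
    return re.split(r",(?![^(]*\))", record)

def parse_objects(text):
    """'(a:b:...)(c:d:...)' -> one dict per object; rsplit keeps any ':' inside obj_id."""
    return [dict(zip(OBJ_KEYS, grp.rsplit(":", 7))) for grp in re.findall(r"\(([^)]*)\)", text)]

def parse_record(line):
    f = split_top_level(line.strip())
    if len(f) < len(HEAD_KEYS):
        raise ValueError("too few fields: %r" % line)
    rec, rest = dict(zip(HEAD_KEYS, f)), f[len(HEAD_KEYS):]
    # subj_lvl is documented as unused and the page's own example omits it,
    # so consume it only when the next field is not an object group.
    rec["subj_lvl"] = (rest.pop(0) or None) if rest and not rest[0].startswith("(") else None
    rec["objects"] = parse_objects(rest.pop(0)) if rest else []
    rec["pgm_prm"] = ",".join(rest) or None                # event-specific tail
    m = re.fullmatch(r"P(\d+)\((\d+)\)", rec["pid"])       # P<pid>(<LWP_id>)
    rec["pid"], rec["lwp"] = (int(m[1]), int(m[2])) if m else (None, None)
    m = re.fullmatch(r"f\((\d+)\)", rec["outcome"])        # s, or f(exit code)
    rec["exit_code"] = int(m[1]) if m else None
    rec["real_user"], _, rec["effective_user"] = rec["user"].partition(":")
    g = rec["group"].split(":")
    rec["real_group"], rec["effective_group"], rec["suppl_groups"] = g[0], (g[1:2] or [None])[0], g[2:]
    # "?" marks a value the system could not translate, e.g. an unknown login name
    rec["invalid"] = [k for k in ("real_user", "effective_user", "real_group") if rec[k] == "?"]
    return rec

def failed_access_to(lines, watched):
    """Defender check (hypothetical helper): failed events that touched a watched object."""
    hits = []
    for rec in map(parse_record, lines):
        objs = [o["obj_id"] for o in rec["objects"] if o["obj_id"] in watched]
        if rec["exit_code"] is not None and objs:
            hits.append((rec["real_user"], rec["event"], objs[0], rec["exit_code"]))
    return hits
```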


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005