The -p option of the auditrpt command displays information about events that involved privileged operations. The argument to the -p option may consist of one or more privilege names or the keyword all. Privilege names must be separated by commas. A space is interpreted as the end of the privilege list. If you specify the keyword all, auditrpt displays the audit records for all privileges. If you specify one or more privilege names after the -p option, auditrpt displays only the audit records that involve the specified privileges.
For example, most audit user-level commands and system calls require the audit privilege. An exception is the auditdmp(2) system call, which requires the auditwr privilege to write miscellaneous audit records to the audit event log file. If you want to see all events that involve the p_audit privilege, enter the following command:
auditrpt -p audit
The dacread and dacwrite privileges are needed to override Discretionary Access Control (DAC) protections for objects. If any user who is not a system administrator acquires these privileges, there has been a serious breach of system security. If you want to see all uses of these privileges, use the following command:
auditrpt -p dacread,dacwrite
For a complete list of privileges, see the intro(2) manual page.