auditrpt(1M)

Synopsis

Description

The contents of log files created with previous releases of the Auditing Package may be displayed using this command. Version numbers are assigned to the audit log files associated with each release. The auditrpt command uses these version numbers to determine the release used to create the audit log under examination. The version numbers and releases currently recognized are:

1.0

UNIX System V Release 4.1ES

2.0

UNIX System V Release 4.0, UNIX System V Release 4.0MP

3.0

UNIX System V Release 4.2

4.0

UNIX System V Release 4.2ES/MP, UnixWare 1.x, UnixWare 2.0

-o

Display the events that correspond to the union of the specified auditing criteria.

-i

Take input audit records from standard input.

-b

Display the events in reverse chronological order (backwards). This option cannot be used with the -w option.

-w

Display the events as they are being written to the event log file. This option cannot be used with the -b option.

-x

Display the Lightweight Process ID (LWP ID) of the LWP associated with the event.

-e[!] event[,. . .]

Display the selected event types or event classes. If ! is specified, all the events except those listed are displayed. Event classes, which are aliases for groups of events, are defined in the /etc/security/audit/classes file.

-u user[,. . .]

Display all the recorded events for the specified real and effective uids and/or login names.

-f object_id[,. . .]

Display all the recorded events for the specified object_ids. The object_id must be the full pathname of a regular file, special file, directory, or a named pipe, or the ID of an IPC object or loadable module.

-t object_type[,. . .]

Display all the recorded events for the specified object_types. Valid arguments are:

c

character special file

d

directory

f

regular file

h

shared memory

l

link

m

message

p

named pipe or unnamed pipe

s

semaphore

-s time

Display all the events occurring at or after the specified time. The time should be specified in the format used by the date command. The following are valid values for times: for hours, 00 to 23; for minutes, 00 to 59; for days, 01 to 31; for months, 01 to 12; and for years, 00 to 99.

When both -s and -h are specified without the -o option, the start time (-s) must be earlier than the end time (-h).

-h time

Display all the events existing at or before the specified time. Format and valid values for time are the same as the -s option.

-a outcome

Display all the recorded events for the specified outcome: s (success) or f (failure).

-m map

Specify the path (absolute or relative) of the auditmap directory.

-p all | priv[,. . .]

Display the recorded events that use the specified privilege(s). If the word all follows the -p option, display all recorded events that use any privilege.

-v subtype

Display all miscellaneous records with the specified subtype. Only the first 20 characters of the specified subtype are considered for record matching. The command will parse the first field of the miscellaneous record, up to 20 characters or the colon separator, whichever comes first.

log[. . .]

Name (absolute or relative pathname) of the audit log(s) to use.

Output

   time,event,pid(LWP_id),outcome,user,group(s),session,subj_lvl, \
      (obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)(. . .)[,pgm_prm]

The meanings of the fields are as follows:

time

The time is printed as hour:minute:second:day:month:year. For example, ``10:30:00:15:04:91'' is 10:30am of April 15, 1991.

event

The event type.

pid

The process ID number of the process that triggered the event, preceded by the letter ``P''.

LWP_id

The LWP ID number of the lightweight process that triggered the event.

outcome

The outcome of the event is either s for success or f(exit value) for failure.

user

Real and effective user names are displayed. User names are separated by a colon (that is, real_user_name:effective_user_name).

group(s)

Real and effective groups are displayed, followed by a list of supplementary groups, if any. Groups are separated by a colon (that is, real_grp:effective_grp:suppl_grp1:suppl_grp2: . . .).

session

The session ID number, preceded by the letter ``S''.

subj_lvl

This field is currently unused.

(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)

This field contains file identification information, enclosed in parentheses. If multiple objects are accessed in a single event, the field is repeated. This field contains the following subfields:

obj_id

The name of a regular file, special file, directory, named pipe, or the id of an IPC object. If the full pathname of a filesystem object cannot be determined, the partial pathname will be printed with an asterisk (*) as a prefix.

obj_type

The object type, using the codes described in the description of the -t option.

obj_lvl

This field is unused.

device

The object's device number.

maj

The major number component of the object's device.

min

The minor number component of the object's device.

inode

The object's inode number.

fsid

The object's filesystem ID number.

pgm_prm

This field is specific to each audit event and may be composed of several subfields. The subfields described for each event will be displayed in the order shown below and will be separated by commas, unless otherwise specified.

The pgm_prm field can be one of the following:

• For the audit_ctl/audit_evt/audit_log/audit_map events when generated by the audit user level commands auditon, auditoff, auditset, auditlog, auditmap, respectively: the entire command line.

• For the add_grp/add_usr/add_usr_grp/mod_grp/mod_usr events: the entire command line.

• For the tfadmin event: the entire command line.

• For the chg_times/date events: the new date. For the chg_times event only, the file name is also given.

• For the fork event: the child process ID, the number of LWPs created, and the LWP ID's.

• For the init event: if generated by the user level command init(1M), the entire command line. If generated by the init process (``process 1''):

  current state: state1 new_state: state2

  The old init state is represented by state1, and the new init state by state2.

• For the kill event: the signal and a list of pids to which the signal was posted.

• For the set_uid event: new user.

• For the set_gid event: the new group.

• For the set_pgrps event: the name of the system call that generated the event (setpgrp or setpgid). In addition, if generated by the setpgid system call, the process ID and process group ID passed to the system call.

• For the set_grps event: the supplementary group access list.

• For the link event: the pathname of the target file.

• For the dac_own_grp event: if the owner was changed, the new user ID (preceded by user:) or if the group was changed, the new group ID (preceded by group:). In addition, for the chown system call, the file name.

• For the dac_mode event: the new mode.

• For the msg_ctl/msg_get/msg_op/sem_ctl/sem_get/sem_op/shm_ctl/ shm_get/shm_op events: the operation code, flag and command value. If a subfield does not pertain to an event type, a zero will be displayed.

• For the login/bad_auth events, the terminal identification (tty), user, and group, of the user attempting to log on (if valid). In addition, for the bad_auth event: the error message (LOGIN, PASWD or AUDIT)

• For the passwd event: the user whose password is being changed (if valid).

• For the pm_denied event: the requested privilege, system call name, and maximum set of privileges.

• For the cron event: user's effective uid, user's effective gid, and cron job name. User refers to the user that cron is running on behalf of.

• For the open_rd/open_wr events: the file descriptor.

• For the disp_attr/set_attr events: the release flag (persistent, lastclose, or system), device state (private or public). In addition, for the disp_attr event: the inuse flag (inuse or unused). For the fdevstat system call, the file descriptor.

• For the fd_acl event: all ACL entries.

• For the file_acl event: all ACL entries and the file name.

• For the ipc_acl event: the ipc type, the ipc id and all ACL entries.

• For the ulimit event: the new limit.

• For the setrlimit event: the resource (RLIMIT_CORE, RLIMIT_CPU, RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_NOFILE, RLIMIT_STACK, RLIMIT_VMEM), soft limit and hard limit.

• For the sched_lk event: the action (PROCLOCK, TXTLOCK, DATLOCK) if generated by the plock system call. The page mapping attributes (PRIVATE or SHARED) and page protection attributes (one or more of the following: PROT_READ, PROT_WRITE, PROT_EXEC) if generated by the memctl system call.

• For the sched_fp/sched_ts/sched_fc events: If generated by the priocntl system call with the PC_ADMIN command, the function name (FP_SETDPTBL, FC_SETDPTBL, or TS_SETDPTBL), global priority and time quantum. In addition, if TS_SETDPTBL or FC_SETDPTBL, the time-sharing dispatcher parameters: tqexp, slpret, maxwait and lwait. If generated by the priocntl system call with the PC_SETPARMS command, the function name (FP_NEW, FC_NEW, TS_NEW, FP_PARMSET, FC_PARMSET, TS_PARMSET), process id and user priority. In addition, if the sched_ts or sched_fc event, user priority limit. If sched_fp event, the seconds in time quantum.

• For the modadm event: the module type (character device, block device, streams, filesystem, misc, none), the command (register), and the module name. Also, module type specific data as follows: if module type is character device or block device, the major number; if module type is filesystem, the filesystem name; if module type is misc or none, no specific data is displayed.

• For the modload event: the loadable module id.

• For the modpath event: the absolute pathname added to the loadable module search path or NULL if the default search path is set.

• For the iocntl event: the command argument id passed to the system call, the flags found in the file table entry, if any (separated by colons), (FOPEN, FREAD, FWRITE, FNDELAY, FAPPEND, FSYNC, FNONBLOC, FMASK, FCREAT, FTRUNC, FEXCL, FNOCTTY, FASYNC, FNMFS).

• For the fcntl event: the command argument passed to the system call. If command is F_SETFD, close-on-exec flag (0 or 1). If command is F_SETFL, status flags (separated by colons) (O_APPEND, O_NDELAY, O_NONBLOCK, O_SYNC). If a struct flock was passed to the system call: the command argument passed to the system call, (F_ALLOCSP, F_FREESP, F_SETLCK, F_SETLKW, F_RSETLCK, F_RSETLKW) and the following structure members: l_type, l_whence, l_start, l_len.

• For the mount event: the flags passed to the system call and one or more of the following: RDONLY (read-only), FSS (old (4-argument) mount), DATA (6-argument mount), NOSUID (setuid disallowed), REMOUNT (remount), NOTRUNC (return ENAMETOOLONG for long file names).

• For the file_priv event: all information in the priv_t masks passed to the system call, in the following format:

     priv_type1:priv_name[:priv_name],priv_type2:. . .
  

  priv_type will be the name of the privilege type, if it is recognized by the privilege mechanism of the audited system. If it is not recognized, it will be the character representation of the first byte of the priv_t mask (for example, i for inheritable). For a list of privileges, see intro(2).

• For the recvfd event: the receiver's process ID and LWP ID.

• For the misc event: the free form string provided by the application.

• For the audit_buf event: the high water mark value.

• For the audit_ctl event when generated by the auditctl system call: the action taken (AUDITON or AUDITOFF).

• For the audit_log event when generated by the auditlog system call: all information passed in the alog structure to the system call. This will include: log file attributes (PPATH:PNODE:APATH:ANODE:PSIZE :ASPECIAL:PSPECIAL), the action taken when the log is full (ASHUT,ADISA,AALOG, AALOG:APROG), the action taken when there is an audit error (ASHUT or ADISA), the maximum log size, the primary node name, the alternate node name, the primary log pathname, the alternate log pathname and the program to be run during a log switch.

• For the audit_dmp event when generated by the auditdmp system call: the event type and the status (if success: SUCCESS, if failure: FAILURE(status)).

• For the audit_evt event when generated by the auditevt system call: all information passed in the aevt structure to the system call. This will include: command argument (ASETME,ASETSYS,ASETUSR, ANAUDIT,AYAUDIT). If the command is ASETME, the new user event mask for the invoking process. If the command is ASETSYS, the new system event mask. If the command is ASETUSR, the user whose mask has been modified, the new user event mask.

• For the lwp_create event, the ID of the LWP that was created.

• For the lwp_bind and lwp_unbind events, the LWP or process flag argument to the system call, the ID of the process or LWP, the processor ID supplied by the caller, and the processor ID returned by the system.

• For the p_online event, the command type (P_ONLINE or P_OFFLINE).

• For the logoff event, the type of logoff.

• For the keyctl event, the command (either K_SETPROCESSORS or K_SETUNLIMITED) and the contents of the nskeys structures passed as arguments to the system call.

All the commas in the output line, except possibly the last one (if pgm_prm is empty), will be displayed as place holders. For all the output fields, null will be displayed if the field is not appropriate for the event type being displayed. For example, the date event has no objects related to it, so the obj_id:obj_type:device:maj:min:inode:fsid fields will be null (only the comma separator will be displayed for these fields).

The auditrpt command will use the audit map to translate users, groups, privileges, events and system calls from IDs(numbers) to names. If the information for translating a number to a name is not found in the map, raw data (ASCII representation of the numeric value) will be displayed for the corresponding field.

All numeric values are displayed in decimal representation unless preceded by ``0x'', which indicates hexadecimal representation.

If a field is appropriate for an event but its value is invalid, a ``?'' will be displayed. For example, if a login event fails because the logname used is unknown to the system (cannot be translated into a UID in the log record), the user will be flagged as invalid and a ``?'' will be displayed.

Miscellaneous records

Files

Return values

1

usage: auditrpt . . .

Invalid command syntax.

1

argument list for option option too long

The argument list exceeds the current implementation limits.

1

Option requires an argument -- e

1

start time must be earlier than the end time

When the -s and -h options are used without -o, the time specified by -s must be earlier than that specified by -h.

1

invalid argument given to option option

user specified with the -u option contains at least one non-alphanumeric character.

1

event type or class event does not exist

The argument to the -e option was an invalid event type or class (that is, an event not found in the audit map information).

1

full pathname must be specified for object_id

1

invalid object type specified: object_type

The object type was not a f, c, d, p, l, s, h, or m.

1

invalid outcome specified

The outcome specified by -a must be either s or f.

1

invalid option combination option1, option2,. . .
usage: auditrpt . . .

1

auditing currently disabled, logfile must be specified

1

auditing disabled

The -w option was specified while auditing was disabled.

1

cannot open auditmap directory dirname

1

invalid time format

The argument to the -h or -s option is not correct.

1

invalid privilege priv supplied

1

-x may not be used with this version

The -x option may not be used when printing records from audit trails created by previous releases.

3

system service not installed

If the -w option is used or no log file is specified, then auditing must be installed on the machine in which auditing is executing.

4

Permission denied

Failure because of insufficient privilege.

5

chmod() failed for temporary file, errno = number

5

error manipulating file

5

could not obtain version number

An attempt to read the audit log file to obtain the audit trail version number failed. The log file may be corrupted or is not in the correct format.

5

unknown audit version number

The audit trail version number read was invalid. The recognized version numbers are 1.0, 2.0, 3.0, and 4.0.

5

Incompatible log file version number

When reading records from standard input, the beginning of a new log file was detected, but the version number for this file was invalid.

6

could not get buffer attributes

The call to the auditbuf system call to get the audit buffer attributes failed.

8

could not get current log attributes

The call to the auditlog system call to get the current log file attributes failed.

12

could not determine status of auditing

The call to the auditctl system call to get the current status of auditing failed.

13

bad log record type record number

An invalid record type was encountered in the audit event log file.

15

all event log files specified are inaccessible

24

unable to allocate space

26

additional options required
usage: auditrpt . . .

The -o option was specified without additional criteria selection options.

28

bad map record type record number

An invalid element was encountered in an audit map file.

32

log file's format or byte ordering ((format id)
is not readable in current architecture

The magic number of the event log file is not what was expected. Possibly the file is in External Data Representation (XDR) format, or the magic number indicates the file was generated by another version or architecture.

33

Version specific auditrpt not found: version

33

Version specific auditrpt not executable: version

event log file(s) are not in sequence or missing

The log files specified on the command line may not be in order, or a file may be missing.

missing pathname for process Ppid

auditrpt did not find the expected number of filename records for the given process.

event log file log does not exist

A log file specified on the command line does not exist.

no match found in event log file(s)

The log file or files do not contain a record that matches the selection criteria.

machines in log file filename (mach_info) and map file (mach_info) do not match

The event log file and the audit map files were generated on different machines.

data in audit buffer will not be immediately displayed

The -w option is specified, but the audit log high water mark is not zero.

log file filename ignored

The -i option or the -w option was used along with a log file argument.

cannot open audit map file map_file

auditrpt could not open the auditmap directory for reading.

misformed miscellaneous record

The miscellaneous record did not have a subtype name followed by a colon (:) in the first 20 characters of the ASCII string.

cannot read and write character special device simultaneously

The specified (or default) log file is a character special device and is also the current active log file.

user id user does not exist in audit map

keyword all should not be used in conjunction with individual privileges

The privilege list specified with the -p option can not contain both the keyword all and individual privileges

credential information for Ppid is incomplete

Credential records for the given process were not found previously in the audit log file(s).

credential structure could not be freed

References