
bsmrecord


NAME
     bsmrecord - display Solaris audit record formats

SYNOPSIS
     /usr/sbin/bsmrecord [-d] [ [-a] | [-e string] | [-c class] |
           [-i id] | [-p programname] | [-s systemcall] | [-h]]


DESCRIPTION
     The bsmrecord utility displays the event ID, audit class and
     selection mask, and record format for audit record event
     types defined in audit_event(4). You can use bsmrecord to
     generate a list of all audit record formats, or to select
     audit record formats based on event class, event name,
     generating program name, system call name, or event ID.


     There are two output formats. The default format is intended
     for  display  in a terminal window; the optional HTML format
     is intended for viewing with a web browser.


     Tokens contained in square brackets ( [ ] ) are optional and
     might not be present in every record.

OPTIONS
     The following options are supported:

     -a

         List all audit records.


     -c class

         List all audit records selected by class. class  is  one
         of   the   two-character   class  codes  from  the  file
         /etc/security/audit_class.


     -d

         Debug mode. Display the number of audit records that are
         defined in audit_event, the number of classes defined in
         audit_class, any mismatches between the two files, and
         report which defined events do not have format
         information available to bsmrecord.


     -e string

         List all audit records for which the event ID label
         contains the string string. The match is case
         insensitive.


     -h

         Generate the output in HTML format.


     -i id

         List the audit records having the numeric event ID id.


     -p programname

         List all audit records generated by the program
         programname, for example, audit records generated by a
         user-space program.


     -s systemcall

         List all audit records generated by the system call
         systemcall, for example, audit records generated by a
         system call.



     The -p and -s options are different names for the same thing
     and  are mutually exclusive. The -a option is ignored if any
     of -c, -e, -i, -p, or -s are given. Combinations of -c,  -e,
     -i, and either -p or -s are ANDed together.
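     The selection rules above (criteria ANDed together, the -e
     match case insensitive, the class mask shown beside the class
     code) and the -d mismatch check can be illustrated over the
     two input files bsmrecord reads. The following is an added
     example, not part of this man page or of Solaris: it parses
     constructed excerpts in the audit_class(4) format
     (mask:name:description) and the audit_event(4) format
     (number:name:description:classes), applies the -c/-e/-i
     selection, and reports classes named in audit_event that
     audit_class does not define. The sample lines, the function
     names and the output layout are assumptions of this example.

```python
"""Added example: bsmrecord-style selection over audit_class(4) and
audit_event(4) data. Not Solaris code; formats and samples are assumptions."""

# Constructed excerpt in audit_class(4) format: mask:name:description
SAMPLE_AUDIT_CLASS = """\
# constructed excerpt, not the real /etc/security/audit_class
0x00000000:no:invalid class
0x00001000:lo:login or logout
0x00000040:pc:process
0x00000001:fr:file read
"""

# Constructed excerpt in audit_event(4) format: number:name:description:classes
SAMPLE_AUDIT_EVENT = """\
# constructed excerpt, not the real /etc/security/audit_event
6152:AUE_login:login - local:lo
6155:AUE_rlogin:login - rlogin:lo
2:AUE_FORK:fork(2):pc
3:AUE_OPEN:open(2) - place holder:no
32768:AUE_my_custom:site-defined event:xx
"""


def parse_audit_class(text):
    """Return {class_name: mask} from audit_class(4)-style text; '#' lines are comments."""
    classes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _desc = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


def parse_audit_event(text):
    """Return a list of {id, name, desc, classes} dicts from audit_event(4)-style text."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        num, name, desc, flags = line.split(":", 3)
        events.append({"id": int(num), "name": name, "desc": desc,
                       "classes": [c for c in flags.split(",") if c]})
    return events


def select_events(events, cls=None, string=None, event_id=None):
    """Mimic -c, -e and -i: every supplied criterion must hold (ANDed).

    The -e match is case insensitive, as the man page states."""
    selected = []
    for ev in events:
        if cls is not None and cls not in ev["classes"]:
            continue
        if string is not None and string.lower() not in ev["name"].lower():
            continue
        if event_id is not None and ev["id"] != event_id:
            continue
        selected.append(ev)
    return selected


def selection_mask(ev, classes):
    """OR the masks of every class the event belongs to (the '(0x...)' column)."""
    mask = 0
    for c in ev["classes"]:
        mask |= classes.get(c, 0)
    return mask


def find_mismatches(events, classes):
    """Mimic the -d check: classes referenced by audit_event but absent from audit_class."""
    return sorted({c for ev in events for c in ev["classes"] if c not in classes})


if __name__ == "__main__":
    classes = parse_audit_class(SAMPLE_AUDIT_CLASS)
    events = parse_audit_event(SAMPLE_AUDIT_EVENT)
    # Equivalent of: bsmrecord -c lo -e login
    for ev in select_events(events, cls="lo", string="login"):
        print(f"event ID    {ev['id']:<6} {ev['name']:<14} "
              f"class {','.join(ev['classes'])} (0x{selection_mask(ev, classes):08x})")
    print("classes used in audit_event but not defined in audit_class:",
          find_mismatches(events, classes))
```

     Running the block prints the two login events with the lo mask
     0x00001000 and reports the undefined class xx, which is the
     situation the NOTES section describes for user-defined events.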

EXAMPLES
     Example 1 Displaying an Audit Record with a Specified Event ID


     The following example shows how to display the contents of a
     specified audit record.


       % bsmrecord -i 6152
         terminal login
         program     /usr/sbin/login      see login(1)
                     /usr/dt/bin/dtlogin  See dtlogin
         event ID    6152                 AUE_login
         class       lo                   (0x00001000)
             header
             subject
             [text]                       error message
             return



     Example 2 Displaying an Audit Record with an Event ID Label
     that Contains a Specified String


     The following example shows how to display the contents of
     an audit record with an event ID label that contains the
     string login.


       # bsmrecord -e login
       terminal login
         program     /usr/sbin/login      see login(1)
                     /usr/dt/bin/dtlogin  See dtlogin
         event ID    6152                 AUE_login
         class       lo                   (0x00001000)
             header
             subject
             [text]                       error message
             return

       rlogin
         program     /usr/sbin/login      see login(1) - rlogin
         event ID    6155                 AUE_rlogin
         class       lo                   (0x00001000)
             header
             subject
             [text]                       error message
             return



EXIT STATUS
     0

         Successful operation


     non-zero

         Error


FILES
     /etc/security/audit_class

         Provides the list of valid classes  and  the  associated
         audit mask.

     /etc/security/audit_event

         Provides the numeric event ID, the literal  event  name,
         and the name of the associated system call or program.


ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:



     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsr                     |
    |_____________________________|_____________________________|
    | CSI                         | Enabled                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Obsolete Uncommitted        |
    |_____________________________|_____________________________|


SEE ALSO
     auditconfig(1M), praudit(1M), audit.log(4),  audit_class(4),
     audit_event(4), attributes(5)


     See the section on Solaris Auditing in System Administration
     Guide: Security Services.

DIAGNOSTICS
     If unable to read either of its input files or to write  its
     output  file,  bsmrecord shows the name of the file on which
     it failed and exits with a non-zero return.


     If no options are provided, if an invalid option is
     provided, or if both -s and -p are provided, an error message
     is displayed and bsmrecord displays a usage message then
     exits with a non-zero return.

NOTES
     This command is Obsolete and may  be  removed  and  replaced
     with   equivalent  functionality  in  a  future  release  of
     Solaris.


     If /etc/security/audit_event has been modified to add  user-
     defined  audit  events, bsmrecord displays the record format
     as undefined.

     The audit records displayed by bsmrecord are the core of the
     record  that  can  be  produced.  Various audit policies and
     optional tokens, such as those shown below,  might  also  be
     present.


     The following is a list  of  praudit(1M)  token  names  with
     their descriptions.

     group

         Present if the group audit policy is set.


     sensitivity label

         Present  when  Trusted   Extensions   is   enabled   and
         represents the label of the subject or object with which
         it is associated. The mandatory_label token is noted  in
         the  basic audit record where a label is explicitly part
         of the record.


     sequence

         Present when the seq audit policy is set.


     trailer

         Present when the trail audit policy is set.


     zone

         The name of the zone  generating  the  record  when  the
         zonename  audit  policy  is  set.  The zonename token is
         noted in the basic audit record where  a  zone  name  is
         explicitly part of the record.



Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.