display recorded information from audit trail
auditrpt [-o] [-i]
[-b | -w] [-x]
[-e[!]event[,. . .]]
[-u user[,. . .]]
[-f object_id[,. . .]]
[-t object_type[,. . .]]
[-p all | priv[,. . .]]
[-v subtype] [log [. . .]]
The auditrpt shell level command allows the administrator with
the appropriate privileges
to selectively display the contents of audit log files.
Note that if the log files are presented as standard input that only
one log file may be presented at a time.
If more than one log file is presented in this manner,
auditrpt will fail when it encounters data from the second
Specify the file names on the command line if you wish to process
multiple log files.
The privileges required are
audit and setplevel.
The contents of log files created with previous releases of the
Auditing Package may be displayed using this command.
Version numbers are assigned to the audit log files associated with each
The auditrpt command uses these version numbers
to determine the release used to create the audit log under
The version numbers and releases currently recognized are:
The following options are available:
UNIX System V Release 4.1ES
UNIX System V Release 4.0, UNIX System V Release 4.0MP
UNIX System V Release 4.2
UNIX System V Release 4.2ES/MP, UnixWare 1.x, UnixWare 2.0
Display the events that correspond to the
union of the specified auditing criteria.
Take input audit records from standard input.
Display the events in reverse chronological order (backwards).
This option cannot be used with the -w option.
Display the events as they are being written to the event log file.
This option cannot be used with the -b option.
Display the Lightweight Process ID (LWP ID) of the LWP associated
with the event.
-e[!] event[,. . .]
Display the selected event types or event classes.
If ! is specified, all the events except those listed
Event classes, which are aliases for groups of events, are defined
in the /etc/security/audit/classes file.
-u user[,. . .]
Display all the recorded events for the specified
real and effective uids and/or login names.
-f object_id[,. . .]
Display all the recorded events for the specified object_ids.
The object_id must be
the full pathname of a regular file, special file, directory,
or a named pipe, or the ID of an IPC object or loadable module.
-t object_type[,. . .]
Display all the recorded events for the specified object_types.
Valid arguments are:
character special file
named pipe or unnamed pipe
Display all the events occurring at or after the specified time.
The time should be specified in the format
used by the date command.
The following are valid values for times:
for hours, 00 to 23;
for minutes, 00 to 59;
for days, 01 to 31;
for months, 01 to 12;
and for years, 00 to 99.
When both -s and -h are specified without the -o option,
the start time (-s) must be earlier than the end time (-h).
Display all the events existing at or before the specified time.
Format and valid values for time are the same as the -s option.
Display all the recorded events for the specified outcome:
s (success) or f (failure).
Specify the path (absolute or relative) of the auditmap directory.
-p all | priv[,. . .]
Display the recorded events that use the specified privilege(s).
If the word all follows the -p option,
display all recorded events that use any privilege.
Display all miscellaneous records with the specified subtype.
Only the first 20 characters of the specified subtype are considered
for record matching.
The command will parse the first field of the miscellaneous record,
up to 20 characters or the colon separator, whichever comes first.
log[. . .]
Name (absolute or relative pathname) of the audit log(s) to use.
The first part of the output of auditrpt
consists of the command line entered by the administrator.
For each log file, the output consists of two parts.
First, auditrpt displays audit log file and system identification
information to verify that the
correct log file was specified.
This includes the internal identification of the audit log
file, the version of the audit software that produced the log file, and the
identification of the machine that produced the log file.
Second, all records that
meet the selection criteria
are displayed one record per line.
Records are displayed in the following format:
(obj_id:obj_type:obj_lvl:device:maj:min:inode:fsid)(. . .)[,pgm_prm]
The meanings of the fields are as follows:
The time is printed as hour:minute:second:day:month:year.
For example, ``10:30:00:15:04:91''
is 10:30am of April 15, 1991.
The event type.
The process ID number of the process that triggered the
event, preceded by the letter ``P''.
The LWP ID number of the lightweight process that triggered the
The outcome of the event is either s for success or
f(exit value) for failure.
Real and effective user names are displayed.
are separated by a colon (that is,
Real and effective groups are displayed, followed by a list
of supplementary groups, if any.
Groups are separated by a colon
real_grp:effective_grp:suppl_grp1:suppl_grp2: . . .).
The session ID number, preceded by the letter ``S''.
This field is currently unused.
This field contains file identification information,
enclosed in parentheses.
If multiple objects are accessed in a single event,
the field is repeated.
This field contains the following subfields:
The name of a regular file,
special file, directory, named pipe, or the id
of an IPC object.
If the full pathname of a filesystem object cannot be determined,
the partial pathname will be printed with an asterisk (*) as a prefix.
The object type, using the codes described
in the description of the -t option.
This field is unused.
The object's device number.
The major number component of the object's device.
The minor number component of the object's device.
The object's inode number.
The object's filesystem ID number.
This field is specific to each audit event and may
be composed of several subfields.
The subfields described for each event will be displayed in the order shown
below and will be separated by commas, unless otherwise specified.
The pgm_prm field can be one of the following:
For most events generated from file descriptor based system calls,
file information is returned in the file identification information field.
For the audit_ctl/audit_evt/audit_log/audit_map events when generated by the audit
user level commands
auditon, auditoff, auditset, auditlog, auditmap,
respectively: the entire command line.
For the add_grp/add_usr/add_usr_grp/mod_grp/mod_usr events:
the entire command line.
For the tfadmin event: the entire command line.
For the chg_times/date events: the new date.
For the chg_times event only, the file name is also given.
For the fork event: the child process
ID, the number of LWPs created, and the LWP ID's.
For the init event: if
generated by the user level command
the entire command line.
If generated by the init process (``process 1''):
current state: state1 new_state: state2
The old init state is represented by state1, and the new init state by state2.
For the kill event: the signal and
a list of pids
to which the signal was posted.
For the set_uid event: new user.
For the set_gid event: the new group.
For the set_pgrps event:
the name of the system call that generated
the event (setpgrp or setpgid).
In addition, if generated by the setpgid system call,
the process ID and process group ID passed to the system call.
For the set_grps event:
the supplementary group access list.
For the link event: the pathname of the target file.
For the dac_own_grp event: if the owner was changed, the
new user ID (preceded by user:) or if the group was changed,
the new group ID (preceded by group:).
In addition, for the chown system call, the file name.
For the dac_mode event: the new mode.
For the msg_ctl/msg_get/msg_op/sem_ctl/sem_get/sem_op/shm_ctl/
shm_get/shm_op events: the operation code, flag and command value.
If a subfield does not pertain to an event type, a zero will be displayed.
For the login/bad_auth events,
the terminal identification (tty), user, and group,
of the user attempting to log on (if valid).
In addition, for the bad_auth event: the
error message (LOGIN, PASWD or AUDIT)
For the passwd event: the user whose password is being changed (if valid).
For the pm_denied event:
the requested privilege, system call name, and maximum set of
For the cron event:
user's effective uid, user's effective gid,
and cron job name.
User refers to the user that cron is running on behalf of.
For the open_rd/open_wr events:
the file descriptor.
For the disp_attr/set_attr events: the
release flag (persistent, lastclose, or system),
device state (private or public).
In addition, for the disp_attr event:
the inuse flag (inuse or unused).
For the fdevstat system call, the file descriptor.
For the fd_acl event: all ACL entries.
For the file_acl event: all ACL
entries and the file name.
For the ipc_acl event: the ipc type, the ipc id and all ACL entries.
For the ulimit event: the new limit.
For the setrlimit event:
the resource (RLIMIT_CORE, RLIMIT_CPU,
RLIMIT_DATA, RLIMIT_FSIZE, RLIMIT_NOFILE,
soft limit and hard limit.
For the sched_lk event:
the action (PROCLOCK, TXTLOCK, DATLOCK)
if generated by the plock system call.
The page mapping attributes (PRIVATE or SHARED) and
page protection attributes (one or more of the following: PROT_READ,
if generated by the memctl system call.
If generated by the priocntl system call
with the PC_ADMIN command,
the function name
global priority and time quantum.
In addition, if TS_SETDPTBL
the time-sharing dispatcher parameters:
tqexp, slpret, maxwait and lwait.
If generated by the priocntl
system call with the PC_SETPARMS command, the
process id and user priority.
In addition, if the sched_ts
event, user priority limit.
event, the seconds in time quantum.
For the modadm event:
the module type (character device, block device,
streams, filesystem, misc, none),
the command (register), and the module name.
Also, module type specific data as follows:
if module type is character device or block device,
the major number; if module type is filesystem, the filesystem
name; if module type is misc or none, no
specific data is displayed.
For the modload event:
the loadable module id.
For the modpath event:
the absolute pathname added to the loadable module search path
or NULL if the default search path is set.
For the iocntl event:
the command argument id passed to the system call,
the flags found in the file table entry, if any (separated by colons),
(FOPEN, FREAD, FWRITE,
FNDELAY, FAPPEND, FSYNC,
FNONBLOC, FMASK, FCREAT,
FTRUNC, FEXCL, FNOCTTY,
For the fcntl event:
the command argument passed to the system call.
If command is F_SETFD, close-on-exec flag (0 or 1).
If command is F_SETFL, status flags (separated by colons)
If a struct flock was passed to the system call:
the command argument passed to the system call,
(F_ALLOCSP, F_FREESP, F_SETLCK,
F_SETLKW, F_RSETLCK, F_RSETLKW) and
the following structure members:
For the mount event: the flags passed to the system call and
one or more of the following:
FSS (old (4-argument) mount),
DATA (6-argument mount),
NOSUID (setuid disallowed),
NOTRUNC (return ENAMETOOLONG for long file names).
For the file_priv event:
all information in the priv_t masks passed to the system call,
in the following format:
priv_type1:priv_name[:priv_name],priv_type2:. . .
priv_type will be the name of the privilege type, if it is recognized
by the privilege mechanism of the audited system.
If it is not recognized, it will be the character representation of
the first byte of the priv_t mask
(for example, i for inheritable).
For a list of privileges, see
For the recvfd event:
the receiver's process ID and LWP ID.
For the misc event:
the free form string provided by the application.
For the audit_buf event: the high water mark value.
For the audit_ctl event when generated by the
auditctl system call:
the action taken (AUDITON or AUDITOFF).
For the audit_log event when generated by
the auditlog system call:
all information passed in the alog
structure to the system call.
This will include: log file attributes (PPATH:PNODE:APATH:ANODE:PSIZE
the action taken when the log is full (ASHUT,ADISA,AALOG,
the action taken when there is an audit error
(ASHUT or ADISA),
the maximum log size, the primary node name, the alternate node name,
the primary log pathname, the alternate log pathname
and the program to be run during a log switch.
For the audit_dmp event when generated by
the auditdmp system call:
the event type and
the status (if success: SUCCESS, if failure: FAILURE(status)).
For the audit_evt event when generated by
the auditevt system call:
all information passed in the aevt
structure to the system call.
This will include: command argument (ASETME,ASETSYS,ASETUSR,
If the command is ASETME,
the new user event mask for the invoking process.
If the command is ASETSYS,
the new system event mask.
If the command is ASETUSR,
the user whose mask has been modified, the new user event mask.
For the lwp_create event, the ID of the LWP that was created.
For the lwp_bind and lwp_unbind events, the LWP or
process flag argument to the system call, the ID of the process or
LWP, the processor ID supplied by the caller, and the processor ID
returned by the system.
For the p_online event, the command type (P_ONLINE or
For the logoff event, the type of logoff.
For the keyctl event, the command (either
K_SETPROCESSORS or K_SETUNLIMITED) and the contents of
the nskeys structures passed as arguments to the system call.
All the commas in the output line, except possibly the last one (if pgm_prm
is empty), will be displayed as place holders.
For all the output fields, null will be displayed if the field is not appropriate
for the event type being displayed.
For example, the date event has no
objects related to it, so the obj_id:obj_type:device:maj:min:inode:fsid
fields will be null
(only the comma separator will be displayed for these fields).
The auditrpt command will use the audit map to translate users,
groups, privileges, events and system calls from
IDs(numbers) to names.
If the information for translating a number to a name is not found in the map,
raw data (ASCII representation of the numeric value) will be displayed for the
All numeric values are displayed in decimal representation unless preceded
by ``0x'', which indicates hexadecimal representation.
If a field is appropriate for an event but its value is
invalid, a ``?'' will be displayed.
For example, if a login event
fails because the logname used is unknown to the system (cannot be translated
into a UID in the log record), the user will be flagged as invalid
and a ``?'' will be displayed.
Application programs can generate audit records with the auditdmp
The auditrpt command processes these records as events of the type
The misc record will have a string in the final field of its output;
this string will contain all the information written by the application
program that created the misc audit record.
If successful, auditrpt exits with a value of zero (0).
If there are errors, it
exits with one of the following values and prints
the corresponding error message:
The following warning messages may be displayed:
usage: auditrpt . . .
Invalid command syntax.
argument list for option option
The argument list exceeds the current implementation limits.
Option requires an argument -- e
start time must be earlier than the end time
When the -s and -h options are used without -o,
the time specified by -s must be earlier than that
specified by -h.
invalid argument given to option option
user specified with the -u option contains at least one non-alphanumeric character.
event type or class event
does not exist
The argument to the -e option was
an invalid event type or class (that is, an event not found in the
audit map information).
full pathname must be specified for object_id
invalid object type specified: object_type
The object type was not a f, c, d,
p, l, s, h, or m.
invalid outcome specified
The outcome specified by -a must be either s or f.
invalid option combination option1, option2
,. . .
usage: auditrpt . . .
auditing currently disabled, logfile must be specified
The -w option was specified while auditing was disabled.
cannot open auditmap directory dirname
invalid time format
The argument to the -h or -s option is not correct.
invalid privilege priv
-x may not be used with this version
The -x option may not be used when printing records from audit
trails created by previous releases.
system service not installed
If the -w option is used or no log file is specified,
then auditing must be installed
on the machine in which auditing is executing.
Failure because of insufficient privilege.
chmod() failed for temporary file, errno = number
error manipulating file
could not obtain version number
An attempt to read the audit log file to obtain the audit trail
version number failed.
The log file may be corrupted or is not in the correct format.
unknown audit version number
The audit trail version number read was invalid.
The recognized version numbers are 1.0, 2.0, 3.0, and 4.0.
Incompatible log file version number
When reading records from standard input, the beginning of a new
log file was detected, but the version number for this file was invalid.
could not get buffer attributes
The call to the auditbuf system call to get the audit buffer
could not get current log attributes
The call to the auditlog system call to get the current log file
could not determine status of auditing
The call to the auditctl system call to get the current status
of auditing failed.
bad log record type record number
An invalid record type was encountered in the audit event log file.
all event log files specified are inaccessible
unable to allocate space
additional options required
usage: auditrpt . . .
The -o option was specified without additional criteria selection
bad map record type record number
An invalid element was encountered in an audit map file.
log file's format or byte ordering ((format id
is not readable in current architecture
The magic number of the event log file is not what was expected.
Possibly the file is in External Data Representation (XDR) format, or
the magic number indicates the file was generated by another version
Version specific auditrpt not found: version
Version specific auditrpt not executable: version
event log file(s) are not in sequence or missing
The log files specified on the command line may not be in order, or
a file may be missing.
missing pathname for process Ppid
auditrpt did not find the expected number of filename records
for the given process.
event log file log
does not exist
A log file specified on the command line does not exist.
no match found in event log file(s)
The log file or files do not contain a record that matches the selection
machines in log file filename
) and map file (mach_info
) do not match
The event log file and the audit map files were
generated on different machines.
data in audit buffer will not be immediately displayed
The -w option is specified, but the audit log high water mark is
log file filename
The -i option or the -w option
was used along with a log file argument.
cannot open audit map file map_file
auditrpt could not open the auditmap directory for reading.
misformed miscellaneous record
The miscellaneous record did not have a subtype name followed by a colon (:)
in the first 20 characters of the ASCII string.
cannot read and write character special device simultaneously
The specified (or default) log file is a character special device and is also
the current active log file.
user id user
does not exist in audit map
keyword all should not be used in conjunction with individual privileges
The privilege list specified with the -p
option can not contain both the keyword all and individual privileges
credential information for Ppid
Credential records for the given process were not found previously
in the audit log file(s).
credential structure could not be freed
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004