bsmrecord(1M)
NAME
bsmrecord - display Solaris audit record formats
SYNOPSIS
/usr/sbin/bsmrecord [-d] [ [-a] | [-e string] | [-c class] |
[-i id] | [-p programname] | [-s systemcall] | [-h]]
DESCRIPTION
The bsmrecord utility displays the event ID, audit class and
selection mask, and record format for audit record event
types defined in audit_event(4). You can use bsmrecord to
generate a list of all audit record formats, or to select
audit record formats based on event class, event name,
generating program name, system call name, or event ID.
There are two output formats. The default format is intended
for display in a terminal window; the optional HTML format
is intended for viewing with a web browser.
OPTIONS
The following options are supported:
-a List all audit records.
-c class
List all audit records selected by class. class is one
of the two-character class codes from the file
/etc/security/audit_class.
-d Debug mode. Display the number of audit records that are
defined in audit_event, the number of classes defined in
audit_class, and any mismatches between the two files, and
report which defined events do not have format information
available to bsmrecord.
-e string
List all audit records for which the event ID label
contains the string string. The match is case
insensitive.
-h Generate the output in HTML format.
-i id List the audit records having the numeric event ID id.
-p programname
List all audit records generated by the program
programname, for example, audit records generated by a
user-space program.
-s systemcall
List all audit records generated by the system call
systemcall, for example, audit records generated by a
system call.
The -p and -s options are different names for the same thing
and are mutually exclusive. The -a option is ignored if any
of -c, -e, -i, -p, or -s is given. Combinations of -c, -e,
-i, and either -p or -s are ANDed together.
EXAMPLES
Example 1: Displaying an Audit Record with a Specified Event
ID
The following example shows how to display the contents of a
specified audit record.
% bsmrecord -i 6152
login: terminal login
program /usr/sbin/login see login(1)
event ID 6152 AUE_login
class lo (0x00001000)
header-token
subject-token
text-token error message
exit-token
Example 2: Displaying an Audit Record with an Event ID Label
that Contains a Specified String
The following example shows how to display the contents of an
audit record with an event ID label that contains the string
login.
# bsmrecord -e login
terminal login
program /usr/sbin/login see login(1)
event ID 6152 AUE_login
class lo (0x00001000)
header-token
subject-token
text-token error message
exit-token
rlogin
program /usr/sbin/login see login(1) - rlogin
event ID 6155 AUE_rlogin
class lo (0x00001000)
header-token
subject-token
text-token error message
exit-token
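The cross-check that -d performs between audit_event and audit_class can be reproduced outside bsmrecord; the script below is an added example, not part of this manual page or of bsmrecord itself. It assumes the colon-separated layouts documented in audit_event(4) and audit_class(4), treats an event that names a class missing from audit_class as a mismatch, and runs on constructed sample files (event 32800, the name AUE_site_backup and class zz are made up).

```shell
#!/bin/sh
# Added example, not part of bsmrecord. Assumed colon-separated layouts
# (audit_event(4), audit_class(4)); lines starting with '#' are comments:
#   audit_class:  mask:name:description
#   audit_event:  number:name:description:class[,class...]

# Count definition lines in one file (comments and blank lines skipped).
count_entries() {       # $1 = file
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Print "event_id event_name class" for every class that an event names
# but that has no entry in the class file.
undefined_classes() {   # $1 = audit_class path, $2 = audit_event path
    awk -F: '
        /^[ \t]*(#|$)/      { next }                 # comment or blank
        FILENAME == ARGV[1] { known[$2] = 1; next }  # class file: names
        {
            gsub(/[ \t]/, "", $4)                    # tolerate padding
            n = split($4, cls, ",")
            for (i = 1; i <= n; i++)
                if (!(cls[i] in known))
                    print $1, $2, cls[i]
        }
    ' "$1" "$2"
}

# Write constructed sample files into directory $1. IDs 6152/6155 and the
# lo mask come from the page; event 32800 and class zz are made up.
make_sample() {
    cat > "$1/audit_class" <<'EOF'
# constructed sample
0x00000000:no:invalid class
0x00001000:lo:login or logout
EOF
    cat > "$1/audit_event" <<'EOF'
# constructed sample
6152:AUE_login:login - local:lo
6155:AUE_rlogin:login - rlogin:lo
32800:AUE_site_backup:site backup job:lo,zz
EOF
}

dir=$(mktemp -d) && make_sample "$dir"
echo "events: $(count_entries "$dir/audit_event")" \
     "classes: $(count_entries "$dir/audit_class")"
undefined_classes "$dir/audit_class" "$dir/audit_event"
rm -rf "$dir"
```

On a real system, pass /etc/security/audit_class and /etc/security/audit_event to undefined_classes instead of the sample files.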
EXIT STATUS
0 Successful operation
non-zero
Error
FILES
/etc/security/audit_class
Provides the list of valid classes and the associated
audit mask.
/etc/security/audit_event
Provides the numeric event ID, the literal event name,
and the name of the associated system call or program.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWcsr |
|_____________________________|_____________________________|
| CSI | Enabled |
|_____________________________|_____________________________|
| Interface Stability | Unstable |
|_____________________________|_____________________________|
SEE ALSO
audit_class(4), audit_event(4), attributes(5)
DIAGNOSTICS
If unable to read either of its input files or to write its
output file, bsmrecord shows the name of the file on which
it failed and exits with a non-zero return.
If no options are provided, if an invalid option is
provided, or if both -s and -p are provided, an error message
is displayed and bsmrecord displays a usage message then
exits with a non-zero return.
NOTES
If /etc/security/audit_event has been modified to add
user-defined audit events, bsmrecord displays the record
format as undefined.