NAME
audisp — display the audit information as requested by the parameters
SYNOPSIS
audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid] [-t start_time] [-s stop_time] [-y2|-y4] audit_trail...
DESCRIPTION
audisp analyzes and displays the audit information contained in the specified audit trails. All specified audit trails are merged into a single audit trail in time order. Although the entire audit trail is analyzed, audisp allows you to limit the information displayed by specifying different options. This command is restricted to privileged users.

Each audit trail (audit_trail) is identified by a file name if the audit information was collected in compatibility mode. If the audit information was collected in regular mode, the audit trail (audit_trail) is identified by a directory name. Which auditing mode is used, compatibility or regular, is configurable by privileged users (see audsys(1M)).

When displaying audit trails that were generated in regular mode, audit trails cannot be identified by the file names inside the audit trail directories, because those individual files may not contain complete trail information for analysis or display. Instead, such audit trails must be identified by directory names.

Any unspecified option is interpreted as an unrestricted specification. For example, a missing -u username option causes all users' audit information in the audit trail to be displayed, as long as all other specified options are satisfied. As another example, providing the option -t start_time without -s stop_time causes all audit information from start_time to the end of the trail to be displayed. If audisp is run without any options, it displays all recorded information from the start of the audit trail to the end.

Specifying an option without its required parameter results in an error. For example, specifying -e without any eventname returns an error message.
Options
- -u username
  Specify the username (login name) about whom to display information. If no username is specified, audisp displays audit information about all users in the audit file.

- -e eventname
  Display audit information for the specified event category. eventname must be a valid event category (base event or event alias) that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain an eventname is valid is to read the output of 'audevent -l', which lists the valid event category names and their associated system calls (see audevent(1M)).

- -c syscall
  Display audit information about the specified system call. syscall must be a valid system call name or system call alias name that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain a syscall is valid is to read the output of 'audevent -l', which lists the valid syscall names (see audevent(1M)).

- -p
  Display only successful operations that were recorded in the audit trail. No user event that results in a failure is displayed, even if username and eventname are specified. The -p and -f options are mutually exclusive; do not specify both on the same command line. To display both successful and failed operations, omit both the -p and -f options.

- -f
  Display only failed operations that were recorded in the audit trail.

- -l ttyid
  Display all operations that occurred on the specified terminal (ttyid) and were recorded in the audit trail. By default, operations on all terminals are displayed.

- -t start_time
  Display all audited operations occurring since start_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as a year in the twentieth century; otherwise, it is interpreted as a year in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring before the specified time is displayed.

- -s stop_time
  Display all audited operations occurring before stop_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as a year in the twentieth century; otherwise, it is interpreted as a year in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring after the specified time is displayed.

- -y2|-y4
  The year is displayed as a two-digit number (with -y2) or as a four-digit number (with -y4). The default is -y2. Note that start_time and stop_time must still be specified with two-digit years.
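The following is an added example, not part of the HP man page: a small Python helper that applies the mmddhhmm[yy] convention described above (two-digit year, pivot at 70) and assembles an audisp command line while enforcing the -p/-f exclusion, so a reviewer can build time-windowed queries without mis-encoding the year. The function names and the audit trail path are assumptions introduced here for illustration.

```python
"""Helpers for building audisp(1M) queries (illustrative, not HP's code)."""
from datetime import datetime
from typing import Optional, Sequence, List

CENTURY_PIVOT = 70  # per audisp(1M): yy > 70 -> 19yy, otherwise 20yy


def parse_audisp_time(text: str, current_year: Optional[int] = None) -> datetime:
    """Parse an audisp -t/-s value written as mmddhhmm[yy] into a datetime."""
    if len(text) not in (8, 10) or not text.isdigit():
        raise ValueError(f"expected mmddhhmm[yy], got {text!r}")
    mm, dd, hh, mi = (int(text[i:i + 2]) for i in range(0, 8, 2))
    if len(text) == 10:
        yy = int(text[8:10])
        year = 1900 + yy if yy > CENTURY_PIVOT else 2000 + yy
    else:  # no year given: audisp uses the current year
        year = current_year if current_year is not None else datetime.now().year
    return datetime(year, mm, dd, hh, mi)  # rejects e.g. month 13 or hour 25


def format_audisp_time(when: datetime) -> str:
    """Render a datetime in the two-digit-year form -t/-s require."""
    # With the pivot rule, only years 1971..2070 survive a round trip.
    if not 1971 <= when.year <= 2070:
        raise ValueError(f"year {when.year} is not representable as yy with pivot 70")
    return when.strftime("%m%d%H%M%y")


def build_audisp_command(trails: Sequence[str], user: Optional[str] = None,
                         event: Optional[str] = None, syscall: Optional[str] = None,
                         success_only: bool = False, failed_only: bool = False,
                         tty: Optional[str] = None, start: Optional[datetime] = None,
                         stop: Optional[datetime] = None, year_digits: int = 2) -> List[str]:
    """Assemble an audisp argv list, enforcing the option rules from the man page."""
    if success_only and failed_only:
        raise ValueError("-p and -f are mutually exclusive")
    if not trails:
        raise ValueError("at least one audit_trail is required")
    argv = ["audisp"]
    for flag, value in (("-u", user), ("-e", event), ("-c", syscall), ("-l", tty)):
        if value is not None:
            argv += [flag, value]
    if success_only:
        argv.append("-p")
    if failed_only:
        argv.append("-f")
    if start is not None:
        argv += ["-t", format_audisp_time(start)]
    if stop is not None:
        argv += ["-s", format_audisp_time(stop)]
    if year_digits == 4:
        argv.append("-y4")  # -y2 is the default, so it is not emitted
    return argv + list(trails)
```

For example, failed operations by one user on 15 March 1999 are requested with `build_audisp_command(["/audit/trail_dir"], user="alice", failed_only=True, start=parse_audisp_time("0315000099"), stop=parse_audisp_time("0315235999"))`, where the trail directory is a placeholder.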
AUTHOR
audisp
was developed by HP.
FILES
/etc/audit/audit.conf - file containing event mapping information
/etc/audit/audit_site.conf - file containing site-specific event mapping information