auditpr Command
Purpose
Formats bin or stream audit records to a display device or printer.
Syntax
auditpr [-i inputfile] [-t 0 | 1 | 2] [-m Message] [-r] [-v | -w] [-X] [-h field[,field]*]
Description
The auditpr command is part of the audit subsystem. This command reads audit records, in bin or stream format, from standard input and sends formatted records to standard output.
The output format is determined by the flags that are selected. If you specify the -m flag, a message is displayed before each heading. Use the -t and -h flags to change the default header titles and fields and the -v flag to append an audit trail. The auditpr command searches the local /etc/passwd file to convert user and group IDs to names.
An example of output using the default header information follows:

```
event     login   status  time                      command
wpar name
login     dick    OK      Fri Feb  8 14:03:57 1990  login
Global
. . . . . trail portion . . . . .
```
For examples of audit trails, see the /etc/security/audit/events file where audit trail formats are defined.
Invalid records are skipped when possible, and an error message is issued. If the command cannot recover from an error, processing stops.
The AIX_AUDITBUFSZ environment variable enables buffered writes of the audit records that auditpr outputs. The buffered write option is useful for high-performance applications that generate many audit records.
The AIX_AUDITBUFSZ environment variable accepts decimal and hexadecimal values in the range 8192 bytes to 67 MB. Any other positive value outside that range is rounded to the nearer end of the range (the beginning or the end). If the variable is not set, or is assigned a negative or non-numerical value, AIX_AUDITBUFSZ is ignored.
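The value handling described above is easy to get wrong when the variable is set from a script, so the following added example (not part of the AIX documentation) models the documented rules in POSIX shell: decimal or hexadecimal input, clamping to the nearer end of the 8192-byte to 67 MB range, and ignoring unset, negative or non-numeric values. The function names are hypothetical; it assumes 67 MB means 67 * 1024 * 1024 bytes and, because the documentation does not cover zero, treats zero as a value that is ignored.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: predicts the buffer size
# auditpr would use for a given AIX_AUDITBUFSZ setting, following the
# documented rules, and only exports the variable when it will take effect.

AUDITBUF_MIN=8192
AUDITBUF_MAX=70254592   # assumption: 67 MB = 67 * 1024 * 1024 bytes

# audit_bufsz_effective VALUE
# Prints the byte count auditpr would use, or the word "ignored".
audit_bufsz_effective() {
    v=$1
    case "$v" in
        '')                                  # unset or empty: ignored
            echo ignored; return 0 ;;
        0[xX]*)                              # hexadecimal, e.g. 0x7D000
            hex=${v#0[xX]}
            case "$hex" in
                '' | *[!0-9a-fA-F]*) echo ignored; return 0 ;;
            esac
            n=$(( $v )) ;;                   # shell arithmetic accepts 0x constants
        *[!0-9]*)                            # negative sign or non-numeric text
            echo ignored; return 0 ;;
        *)  n=$(( $v )) ;;                   # plain decimal
    esac

    if [ "$n" -le 0 ]; then
        echo ignored                         # assumption: zero is not "positive"
    elif [ "$n" -lt "$AUDITBUF_MIN" ]; then
        echo "$AUDITBUF_MIN"                 # below range: rounded up to 8192
    elif [ "$n" -gt "$AUDITBUF_MAX" ]; then
        echo "$AUDITBUF_MAX"                 # above range: rounded down to 67 MB
    else
        echo "$n"
    fi
}

# audit_bufsz_export VALUE
# Exports AIX_AUDITBUFSZ with the effective value, or refuses with a message
# when the value would be silently ignored by auditpr.
audit_bufsz_export() {
    eff=$(audit_bufsz_effective "$1")
    if [ "$eff" = ignored ]; then
        printf 'AIX_AUDITBUFSZ=%s would be ignored; not exported\n' "$1" >&2
        return 1
    fi
    AIX_AUDITBUFSZ=$eff
    export AIX_AUDITBUFSZ
    printf 'AIX_AUDITBUFSZ=%s\n' "$AIX_AUDITBUFSZ"
}

# Demonstration on a few constructed settings.
for candidate in 520000 0x7D000 4096 100000000 -1 abc; do
    printf '%-10s -> %s\n' "$candidate" "$(audit_bufsz_effective "$candidate")"
done
```

Run the script once before using a setting in production: a value such as 4096 does not fail, it silently becomes 8192, and a typo such as "520000k" is ignored altogether, so the unbuffered path is used without any warning from auditpr.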
Flags
Item | Description |
---|---|
-h field[,field]* | Selects the fields to display and the order in which to display them; the default is e, l, R, t, and c. You can specify the following values: |
-i inputfile | Indicates the path to the audit trail file. If the -i flag is not specified, the auditpr command reads data from stdin. |
-m "Message" | Specifies a Message to be displayed with each heading. Enclose the Message string in double quotation marks. |
-r | Suppresses ID translation to the symbolic name. |
-t {0 \| 1 \| 2} | Specifies when header titles are displayed. The default title consists of an optional message (see the -m flag) followed by the name of each column of output. |
-v | Displays the trail of each audit record, using the format specifications in the /etc/security/audit/events file. The -v flag is mutually exclusive with the -w flag. |
-w | Displays the trail and audit record on a single line, using the format specified in the /etc/security/audit/events file. The -w flag is mutually exclusive with the -v flag. |
-X | Prints long user names at the end of the audit record when the -X flag is used with other flags that display user names. The maximum length is determined by the max_logname Object Data Manager (ODM) attribute in the PdAt and CuAt object classes. If a user name is longer than the max_logname attribute allows, it is truncated to max_logname minus 1 characters. |
Security
Access Control
This command must grant execute (x) access to the root user and members of the audit group. The command should be setuid to the root user and have the trusted computing base attribute.
Files Accessed
Table 2. Files Accessed

Mode | File |
---|---|
r | /etc/security/audit/events |
r | /etc/passwd |
r | /etc/group |

RBAC users
Attention RBAC users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations that are associated with this command, see the lssecattr command or the getcmdattr subcommand.
Examples
- To read the system audit trail file with default header titles and fields and an audit trail, enter:

      /usr/sbin/auditpr -v < /audit/trail

  The /audit/trail file must contain valid audit bins or records.
- To format from an audit trail file all the audit events caused by user witte, enter:

      /usr/sbin/auditselect -e "login == witte" /audit/trail | auditpr -v

  The resulting record is formatted with the default values (e, c, l, R, and t) and includes a trail.
- To read records interactively from the audit device, enter:

      /usr/sbin/auditstream | /usr/sbin/auditpr -t0 -heRl

- To enable the buffered write option for the audit records with a buffer size of 520000 bytes for an auditing subsystem that is started in bin mode, enter the following commands:

      export AIX_AUDITBUFSZ=520000
      /usr/sbin/auditpr -v -i /audit/trail > output
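The interactive example above selects the columns with -heRl, which makes the formatted output easy to post-process. The following added example (not part of the AIX documentation) shows a small review step over such output: it reads records in the event, status, login order that -heRl produces, skips a title line if one is present, and lists the login names whose count of FAIL login events reaches a threshold. The function name is hypothetical, the records are constructed for the example, and it assumes that the status column carries OK or FAIL as in the page's sample output.

```shell
#!/bin/sh
# Added example, not from the AIX documentation: summarises failed login
# events from records already formatted by "auditpr -t0 -heRl"
# (columns: event, status, login name). Constructed input, no real audit data.

# failed_logins_by_user THRESHOLD < formatted-records
# Prints "login count" for every user with at least THRESHOLD FAIL login
# events, highest count first.
failed_logins_by_user() {
    threshold=${1:-3}
    awk -v min="$threshold" '
        # $1 = event, $2 = status, $3 = login name (the order chosen with -heRl).
        # A title line starts with "event" and so never matches "login".
        NF >= 3 && $1 == "login" && $2 == "FAIL" { fails[$3]++ }
        END {
            for (u in fails)
                if (fails[u] >= min) printf "%s %d\n", u, fails[u]
        }' | sort -k2,2nr -k1,1
}

# Constructed sample of auditpr -t0 -heRl output (no title line).
SAMPLE_RECORDS='login OK dick
login FAIL bob
login FAIL bob
login OK alice
login FAIL bob
login FAIL alice'

# Users with two or more failed logins in the sample.
echo "$SAMPLE_RECORDS" | failed_logins_by_user 2
```

In practice the function would sit behind the page's own pipeline, for example `/usr/sbin/auditstream | /usr/sbin/auditpr -t0 -heRl | failed_logins_by_user 5`; because auditpr resolves IDs through the local /etc/passwd, run it without -r when you want names rather than numeric IDs in the report.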
Files
Item | Description |
---|---|
/usr/sbin/auditpr | Specifies the path of the auditpr command. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/audit/events | This file contains the audit events of the system. |
/etc/security/audit/objects | This file contains audit events for audited objects (files). |
/etc/security/audit/bincmds | This file contains auditbin backend commands. |
/etc/security/audit/streamcmds | This file contains auditstream commands. |
/etc/security/audit/hosts | This file contains the CPU ID to hostname mappings. |