audisp(1M)
NAME
audisp - display the audit information as requested by the parameters
SYNOPSIS
username] profile] eventname] compartmentname] syscall] ttyid]
start_time] stop_time] audit_trail...
DESCRIPTION
audisp analyzes and displays the audit information contained in the specified
audit trails. All specified audit trails are merged into a single audit
trail in chronological order. Although the entire audit trail is analyzed,
the command allows you to limit the information displayed by
specifying different options. This command is restricted to privileged
users.
If the audit information was collected in compatibility mode, each
audit trail (audit_trail) is identified by a file name. If the audit
information was collected in regular mode, the audit trail
(audit_trail) is identified by a directory name. Only a privileged
user can configure the auditing mode (compatibility or regular); see
audsys(1M). The audit information that is collected in regular mode is
identified and displayed by directory names and not by file name since
the file names may not represent complete trail information for analysis
or display.
Any unspecified option is interpreted as an unrestricted specification.
For example, a missing option causes all users' audit information in
the audit trail to be displayed as long as all other specified options
are satisfied. As well, providing the option without the option causes
all audit information beginning from start_time to the end of the trail
to be displayed.
If you invoke the command without any options, audisp displays all recorded
information from the start of the audit trail to the end.
Specifying an option without its required parameter results in an
error. For example, specifying without any eventname returns an error
message.
Options
If this option is specified,
audisp does not terminate after it displays the last event.
Instead, it waits for and displays audit events as they
become available.
Specify the username (login name) for which to display the audit
information. If no username is specified, audisp displays
audit information for all users in the audit file.
Display audit information for the specified profile.
profile must be a valid profile that is defined in or
(see audit.conf(4)).
Display audit information for the specified event category.
eventname must be a valid event category (base event or
event alias) that is defined in or (see audit.conf(4)).
Another way to be certain an eventname is valid is to
read the output of for a list of valid event category
names and their associated system calls (see audevent(1M)).
Display audit information on the specified compartment. See
compartments(5). If no compartmentname is specified,
audisp displays audit information about all the compartments in
the audit file. If the compartments feature is disabled in
the running configuration, this option is ignored.
Display audit information about the specified system call.
The syscall must be a valid system call name or system
call alias name that is defined in or (see
audit.conf(4)). Another way to be certain a syscall is
valid is to read the output of for a list of valid
syscall names (see audevent(1M)).
Display only successful operations that were recorded
in the audit trail. A user event that results in a
failure is not displayed, even if username and eventname
are specified.
The and the options are mutually exclusive; do not specify
both on the same command line. To display both successful
and failed operations, omit both and options.
Display only failed operations that are recorded
in the audit trail.
Display all operations that occurred on the specified terminal
(ttyid) and were recorded in the audit trail. By
default, operations on all terminals are displayed.
Display all audited operations occurring since
start_time, specified as mmddhhmm[yy] (month, day, hour,
minute, year). If the year is specified and is greater
than 70, it is interpreted as in the twentieth century.
Otherwise, it is interpreted as in the twenty-first century.
If no year is given, the current year is used.
No operation in the audit trail occurring before the
specified time is displayed.
Display all audited operations occurring before
stop_time, specified as mmddhhmm[yy] (month, day, hour,
minute, year). If the year is specified and is greater
than 70, it is interpreted as in the twentieth century.
Otherwise, it is interpreted as in the twenty-first century.
If no year is given, the current year is used.
No operation in the audit trail occurring after the
specified time is displayed.
The year is displayed as a two digit number (with
or as a four digit number (with The default is Note that
start_time and stop_time must still be specified as two
digit numbers.
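The mmddhhmm[yy] format and century rule described above for start_time and stop_time, as an added example (not part of the original manual page or HP's code). The Python function names are hypothetical; the helpers parse a value the way the text describes and refuse to encode a date whose two-digit year would be read back as a different century.

```python
from datetime import datetime

def parse_audisp_time(spec, now=None):
    """Parse mmddhhmm[yy] using the century rule stated in this manual page."""
    if len(spec) not in (8, 10) or not (spec.isascii() and spec.isdigit()):
        raise ValueError(f"expected mmddhhmm[yy], got {spec!r}")
    month, day, hour, minute = (int(spec[i:i + 2]) for i in (0, 2, 4, 6))
    if len(spec) == 8:
        # No year given: the current year is used.
        year = (now or datetime.now()).year
    else:
        yy = int(spec[8:])
        # Greater than 70 -> twentieth century; otherwise twenty-first.
        year = 1900 + yy if yy > 70 else 2000 + yy
    # datetime() raises ValueError for impossible fields (month 13, Feb 30, ...).
    return datetime(year, month, day, hour, minute)

def format_audisp_time(when):
    """Encode a datetime as mmddhhmmyy, refusing years the rule cannot express."""
    spec = when.strftime("%m%d%H%M%y")
    if parse_audisp_time(spec).year != when.year:
        raise ValueError(f"{when.year} is outside 1971-2070 and would be misread")
    return spec

def audit_window(start, stop):
    """Return (start_time, stop_time) strings for a review window."""
    if start >= stop:
        raise ValueError("start of window must precede its end")
    return format_audisp_time(start), format_audisp_time(stop)

if __name__ == "__main__":
    # Constructed sample window, not taken from any real audit trail.
    print(audit_window(datetime(2024, 3, 15, 9, 30), datetime(2024, 3, 15, 17, 0)))
    for sample in ("0315093071", "0315093070", "02290000"):
        try:
            print(sample, "->", parse_audisp_time(sample, now=datetime(2023, 6, 1)))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```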
AUTHOR
audisp was developed by HP.
FILES
file containing event mapping information
file containing site-specific event mapping information
SEE ALSO
audevent(1M), audit(4), audit.conf(4), audit(5), compartments(5).