audisp(1M) audisp(1M)
NAME
audisp - display the audit information as requested by the parameters
SYNOPSIS
username] eventname] compartmentname] syscall] ttyid] start_time] stop_time] audit_trail...
DESCRIPTION
audisp analyzes and displays the audit information contained in the specified audit trails. All specified audit trails are merged into a single
audit trail in chronological order. Although the entire audit trail is analyzed, the command allows you to limit the information displayed
by specifying different options. This command is restricted to privileged users.
If the audit information was collected in compatibility mode, each audit trail (audit_trail) is identified by a file name. If the audit
information was collected in regular mode, the audit trail (audit_trail) is identified by a directory name. Only a privileged user can
configure the auditing mode (compatibility or regular); see audsys(1M). The audit information that is collected in regular mode is
identified and displayed by directory names and not by file name since the file names may not represent complete trail information for
analysis or display.
Any unspecified option is interpreted as an unrestricted specification. For example, omitting the username option causes all users' audit
information in the audit trail to be displayed as long as all other specified options are satisfied. Likewise, providing the start_time
option without the stop_time option causes all audit information beginning from start_time to the end of the trail to be displayed.
If you invoke the command without any options, audisp displays all recorded information from the start of the audit trail to the end.
Specifying an option without its required parameter results in an error. For example, specifying the eventname option without any
eventname returns an error message.
Options
If this option is specified,
audisp does not terminate after it displays the last event. Instead, it waits for and displays audit events as they become
available.
Specify the username (login name) for which to display the audit information. If no username is specified, audisp displays audit
information for all users in the audit file.
Display audit information for the specified event category.
eventname must be a valid event category (base event or event alias) that is defined in or (see audit.conf(4)). Another way
to be certain an eventname is valid is to read the output of for a list of valid event category names and their associated
system calls (see audevent(1M)).
Display audit information on the specified compartment. See
compartments(5). If no compartmentname is specified, audisp displays audit information about all the compartments in the audit
file. If the compartments feature is disabled in the running configuration, this option is ignored.
Display audit information about the specified system call.
The syscall must be a valid system call name or system call alias name that is defined in or (see audit.conf(4)). Another
way to be certain a syscall is valid is to read the output of for a list of valid syscall names (see audevent(1M)).
Display only successful operations that were recorded
in the audit trail. A user event that results in a failure is not displayed, even if username and eventname are specified.
This option and the option that displays only failed operations are mutually exclusive; do not specify both on the same
command line. To display both successful and failed operations, omit both options.
Display only failed operations that are recorded
in the audit trail.
Display all operations that occurred on the specified terminal
(ttyid) and were recorded in the audit trail. By default, operations on all terminals are displayed.
Display all audited operations occurring since
start_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it
is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is
given, the current year is used. No operation in the audit trail occurring before the specified time is displayed.
Display all audited operations occurring before
stop_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it
is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is
given, the current year is used. No operation in the audit trail occurring after the specified time is displayed.
The year is displayed as a two digit number (with
or as a four digit number (with The default is Note that start_time and stop_time must still be specified as two digit
numbers.
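The mmddhhmm[yy] rule for start_time and stop_time described above, worked through as an added Python example (not part of the HP manual page or of audisp itself). The function names are hypothetical, and treating both bounds as inclusive is an assumption.

```python
from datetime import datetime


def parse_audisp_time(spec, now=None):
    """Resolve an mmddhhmm[yy] start_time/stop_time value to a datetime.

    Rule from the text: yy greater than 70 means 19yy, any other yy means
    20yy, and a missing yy means the current year.
    """
    if not (spec.isascii() and spec.isdigit()) or len(spec) not in (8, 10):
        raise ValueError(f"expected mmddhhmm[yy], got {spec!r}")
    month, day, hour, minute = (int(spec[i:i + 2]) for i in (0, 2, 4, 6))
    if len(spec) == 10:
        yy = int(spec[8:10])
        # "Greater than 70" is strict, so 70 itself resolves to 2070.
        year = 1900 + yy if yy > 70 else 2000 + yy
    else:
        year = (now or datetime.now()).year
    # datetime() rejects impossible values such as month 13 or Feb 30.
    return datetime(year, month, day, hour, minute)


def in_window(event_time, start=None, stop=None, now=None):
    """Apply start_time/stop_time limits to one event time.

    A bound left as None is unrestricted, matching the text's rule for
    unspecified options. Inclusive bounds are an assumption of this sketch.
    """
    if start is not None and event_time < parse_audisp_time(start, now):
        return False
    if stop is not None and event_time > parse_audisp_time(stop, now):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values showing the pivot around yy = 70.
    for sample in ("0102030470", "0102030471", "1231235999"):
        print(sample, "->", parse_audisp_time(sample).isoformat())
```

A stop_time ending in 99 resolves to 1999, so a window built with it excludes every record from the current century.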
AUTHOR
audisp was developed by HP.
FILES
file containing event mapping information
file containing site-specific event mapping information
SEE ALSO
audevent(1M), audit(4), audit.conf(4), audit(5), compartments(5).