audisp.1m (2010 09)

audisp(1M) audisp(1M)
NAME
audisp - display the audit information as requested by the parameters
SYNOPSIS
audisp [-F] [-u username] [-e eventname] [-C compartmentname] [-c syscall] [-p] [-f]
[-l ttyid] [-t start_time] [-s stop_time] [-y2-y4] audit_trail...
DESCRIPTION
audisp analyzes and displays the audit information contained in the specified audit trails. All specified
audit trails are merged into a single audit trail in chronological order. Although the entire audit trail is
analyzed, the audisp command allows you to limit the information displayed by specifying different
options. This command is restricted to privileged users.
If the audit information was collected in compatibility mode, each audit trail (audit_trail) is identified by
a file name. If the audit information was collected in regular mode, the audit trail (audit_trail) is
identified by a directory name. Only a privileged user can configure the auditing mode (compatibility or
regular); see audsys(1M). The audit information that is collected in regular mode is identified and
displayed by directory names and not by file name since the file names may not represent complete trail
information for analysis or display.
Any unspecified option is interpreted as an unrestricted specification. For example, a missing
-u username option causes all users' audit information in the audit trail to be displayed as long as
all other specified options are satisfied. Likewise, providing the option -t start_time without the
option -s stop_time causes all audit information from start_time to the end of the trail to be
displayed. If you invoke the audisp command without any options, audisp displays all recorded
information from the start of the audit trail to the end.
Specifying an option without its required parameter results in an error. For example, specifying
-e without any eventname returns an error message.
Options
-F If this option is specified, audisp does not terminate after it displays the last event.
Instead, it waits for and displays audit events as they become available.
-u username Specify the username (login name) for which to display the audit information. If no
username is specified, audisp displays audit information for all users in the audit file.
-e eventname Display audit information for the specified event category. eventname must be a valid
event category (base event or event alias) that is defined in /etc/audit/audit.conf or
/etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain an eventname is valid
is to read the output of audevent -l for a list of valid event category names and their
associated system calls (see audevent(1M)).
-C compartmentname
Display audit information on the specified compartment. See compartments(5). If no
compartmentname is specified, audisp displays audit information about all the compartments
in the audit file. If the compartments feature is disabled in the running configuration, this
option is ignored.
-c syscall Display audit information about the specified system call. The syscall must be a valid
system call name or system call alias name that is defined in /etc/audit/audit.conf or
/etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain a syscall is valid is
to read the output of audevent -l for a list of valid syscall names (see audevent(1M)).
-p Display only successful operations that were recorded in the audit trail. A user event
that results in a failure is not displayed, even if username and eventname are specified.
The -p and the -f options are mutually exclusive; do not specify both on the same command
line. To display both successful and failed operations, omit both the -p and -f options.
-f Display only failed operations that are recorded in the audit trail.
-l ttyid Display all operations that occurred on the specified terminal (ttyid ) and were recorded
in the audit trail. By default, operations on all terminals are displayed.
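The option rules above (options such as -u, -e, -C, -c and -l need a parameter; -p and -f cannot be combined) can be checked before audisp is run from a script. The following is an added example, not part of the HP-UX manpage: audisp_cmd is a hypothetical helper that only prints the command line, and the user name, event name and trail path in its usage comment are constructed values.

```sh
#!/bin/sh
# Added example, not from the manpage. audisp_cmd (hypothetical name) checks
# the documented option rules and prints the audisp command line; it never
# runs audisp itself. Exit status: 0 if valid, 2 if a rule is violated.
# Constructed usage: audisp_cmd -f -u alice -e login /tmp/trail_a
audisp_cmd() (
    outcome="" args=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -p|-f)
                # -p (successes only) and -f (failures only) are mutually exclusive.
                if [ -n "$outcome" ] && [ "$outcome" != "$1" ]; then
                    echo "audisp_cmd: -p and -f are mutually exclusive" >&2; exit 2
                fi
                outcome="$1"; shift ;;
            -u|-e|-C|-c|-l|-t|-s)
                # These options take a parameter; audisp reports an error without one.
                case "${2-}" in
                    ""|-*) echo "audisp_cmd: $1 requires a parameter" >&2; exit 2 ;;
                esac
                args="$args $1 $2"; shift 2 ;;
            -F) args="$args -F"; shift ;;
            -*) echo "audisp_cmd: option $1 is not handled by this example" >&2; exit 2 ;;
            *)  break ;;
        esac
    done
    # Whatever remains is the list of audit trails (files or directories).
    [ $# -gt 0 ] || { echo "audisp_cmd: no audit_trail given" >&2; exit 2; }
    # Values are joined unquoted, so this example assumes they contain no spaces.
    echo "audisp${args}${outcome:+ $outcome} $*"
)
```

Omitting both -p and -f leaves the outcome filter off, so the printed command displays successful and failed operations alike.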
HP-UX 11i Version 3: September 2010, Hewlett-Packard Company
