auditdp.1m (2010 09)
auditdp(1M) auditdp(1M)
See audit_dpms_filter(4) for more details about the supported attributes, operators,
and types of values. You can also write a filter string in a more complex form, as
long as the string is supported by the filter file. Only the audit data matching the
filtering criteria will be included in the target output.

The -s and -S options cannot both be specified. If neither -s nor -S is specified,
all data from the input stream is processed.
Security Restrictions
This command is restricted to users possessing the (hpux.security.audit.read, *)
authorization. See authadm(1M).
RETURN VALUE
The auditdp command returns 0 for success and non-zero for errors.
EXAMPLES
1. Read raw data from audit_trail, write portable data to ./portable.

       auditdp -r /var/.audit/audit_trail -P portable

2. Read raw data and write to stdout using the audisp display format (see audisp(1M)).

       auditdp -r /var/.audit/audit_trail

3. Read portable data and display only the last four events.

       auditdp -p portable -n -4

4. Read portable data from stdin and write portable data to ./portable2.

       cat portable | auditdp -p -P portable2

5. Read and then write portable data, saving only the login events.

       auditdp -p portable -P portable2 -s "+event=login"

6. Extract exec events from a particular session:

       auditdp -r /var/.audit/audit_trail -s "+sid=1234" -P | \
           auditdp -p -s "+event=exec"

7. The following command is the same as the above command:

       auditdp -r /var/.audit/audit_trail -s "+sid=1234; +event=exec"

8. Enable the debug option for read and the silent and sync options for write.

       auditdp -p portable -P portable2 -o debug -O "sync silent"

9. Write only those events specified in the filter configuration file, filter.

       auditdp -p portable -P portable2 -S filter

10. Write audit data using a specified DPMS service module and data format.

       auditdp -p portable -M "./my_dpms_module" mydata

11. Enable the follow and no_dns options for read, and the sync option for write. auditdp will
    read data from audit_trail without attempting to resolve the hostname from where the user was
    logged in. auditdp will wait for and display audit data as it becomes available. Then auditdp
    will pipe the audit events to a script that converts the portable data into syslog-like messages
    (one line per event). See a sample script at /opt/audit/AudReport/bin/audit_p2l.

       auditdp -r /var/.audit/audit_trail -o follow -o no_dns -P -O sync \
           | audit_p2l

12. Extract login events and save the results in XML format. Then apply a stylesheet on the XML
    document to generate the report in HTML format.

       auditdp -p /var/.audit/portable/audit_trail \
           -s "+event=file_ops" \
           -X file_access_history.xml
       java -cp /opt/hpws/xmltools/xalan-j/bin/xalan.jar \
           org.apache.xalan.xslt.Process \
           -IN file_access_history.xml \
HP-UX 11i Version 3: September 2010 − 3 − Hewlett-Packard Company 3