HP-UX Reference (11i v3 07/02) - 1M System Administration Commands A-M (vol 3)

audisp(1M) audisp(1M)
NAME
audisp - display the audit information as requested by the parameters
SYNOPSIS
audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid] [-t start_time] [-s stop_time] [-y2 -y4] audit_trail...
DESCRIPTION
audisp analyzes and displays the audit information contained in the specified audit trails. All specified audit trails are merged into a single audit trail in time order. Although the entire audit trail is analyzed, audisp allows you to limit the information displayed by specifying different options. This command is restricted to privileged users.

Each audit trail (audit_trail) is identified by a file name if the audit information was collected in compatibility mode. If the audit information was collected in regular mode, the audit trail (audit_trail) is identified by a directory name. Which auditing mode is used, compatibility or regular, is configurable by privileged users (see audsys(1M)). When displaying audit trails that are generated in regular mode, audit trails cannot be identified by file names in audit trail directories since these file names may not represent complete trail information for analysis or display. Instead, audit trails must be identified by directory names.

Any unspecified option is interpreted as an unrestricted specification. For example, a missing -u username option causes all users' audit information in the audit trail to be displayed as long as all other specified options are satisfied. For another example, providing the option -t start_time without -s stop_time causes all audit information beginning from start_time to the end of the trail to be displayed.

If audisp is run without any options, it displays all recorded information from the start of the audit trail to the end.

Specifying an option without its required parameter results in an error. For example, specifying -e without any eventname returns an error message.
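
The following sketch is an added example, not part of the HP-UX manual. It expands a -t or -s argument in the mmddhhmm[yy] form using the century rule given under Options, and checks that a start/stop pair is not inverted. The function names expand_audisp_time and audisp_window_ok and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual): check audisp -t/-s arguments.

# expand_audisp_time MMDDhhmm[yy] [current_year]
# Prints the instant as YYYYMMDDhhmm using the manual's century rule;
# returns 1 if the argument is malformed.
expand_audisp_time() {
    ts=$1
    cur_year=${2:-$(date +%Y)}
    case $ts in
        ''|*[!0-9]*) return 1 ;;            # digits only
    esac
    case ${#ts} in
        8)  year=$cur_year ;;               # no year given: current year
        10) yy=$(printf %s "$ts" | cut -c9-10)
            yy=${yy#0}                      # avoid octal parsing of 08, 09
            if [ "$yy" -gt 70 ]; then       # greater than 70: 19yy
                year=$((1900 + yy))
            else                            # 00..70: 20yy
                year=$((2000 + yy))
            fi ;;
        *)  return 1 ;;
    esac
    mo=$(printf %s "$ts" | cut -c1-2); dd=$(printf %s "$ts" | cut -c3-4)
    hh=$(printf %s "$ts" | cut -c5-6); mi=$(printf %s "$ts" | cut -c7-8)
    [ "${mo#0}" -ge 1 ] && [ "${mo#0}" -le 12 ] || return 1
    [ "${dd#0}" -ge 1 ] && [ "${dd#0}" -le 31 ] || return 1
    [ "${hh#0}" -le 23 ] && [ "${mi#0}" -le 59 ] || return 1
    printf '%s%s%s%s%s\n' "$year" "$mo" "$dd" "$hh" "$mi"
}

# audisp_window_ok START STOP [current_year]
# Returns 0 only if both arguments parse and START is not later than STOP.
audisp_window_ok() {
    start=$(expand_audisp_time "$1" "$3") || return 1
    stop=$(expand_audisp_time "$2" "$3") || return 1
    [ "$start" -le "$stop" ]
}

# Constructed sample: yy=69 expands to 2069 and yy=71 to 1971, so this
# pair describes a window that no audit record can fall inside.
audisp_window_ok 0101000069 0101000071 ||
    echo "start is later than stop after century expansion"
```

Note that a year of exactly 70 is not greater than 70, so it expands to 2070 rather than 1970.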
Options
-u username Specify the username (login name) about whom to display information. If no username is specified, audisp displays audit information about all users in the audit file.
-e eventname Display audit information for the specified event category. eventname must be a valid event category (base event or event alias) that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain an eventname is valid is to read the output of 'audevent -l' for a list of valid event category names and their associated system calls (see audevent(1M)).
-c syscall Display audit information about the specified system call. The syscall must be a valid system call name or system call alias name that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain a syscall is valid is to read the output of 'audevent -l' for a list of valid syscall names (see audevent(1M)).
-p Display only successful operations that were recorded in the audit trail. No user event that results in a failure is displayed, even if username and eventname are specified.
The -p and the -f options are mutually exclusive; do not specify both on the same command line. To display both successful and failed operations, omit both -p and -f options.
-f Display only failed operations that are recorded in the audit trail.
-l ttyid Display all operations that occurred on the specified terminal (ttyid) and were recorded in the audit trail. By default, operations on all terminals are displayed.
-t start_time Display all audited operations occurring since start_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring before the specified time is displayed.
-s stop_time Display all audited operations occurring before stop_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring
48 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007