NAME
audisp — display the audit information as requested by the parameters

SYNOPSIS
audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid] [-t start_time] [-s stop_time] [-y2|-y4] audit_filename ...

DESCRIPTION
audisp analyzes and displays the audit information contained in the specified audit_filename audit files. The audit files are merged into a single audit trail in time order. Although the entire audit trail is analyzed, audisp allows you to limit the information displayed, by specifying options. This command is restricted to privileged users.

Any unspecified option is interpreted as an unrestricted specification. For example, a missing -u username option causes all users' audit information in the audit trail to be displayed as long as it satisfies all other specified options. By the same principle, citing -t start_time without -s stop_time displays all audit information beginning from start_time to the end of the file.

audisp without any options displays all recorded information from the start of the audit file to the end.

Specifying an option without its required parameter results in an error. For example, specifying -e without any eventname returns with an error message.

Options

-u username
    Specify the login name (username) about whom to display information. If no (username) is specified, audisp displays audit information about all users in the audit file.

-e eventname
    Display audit information of the specified event types. The defined event types are admin, close, create, delete, ipcclose, ipccreat, ipcdgram, ipcopen, login, modaccess, moddac, open, process, readdac, removable, uevent1, uevent2, and uevent3 (see audevent(1M)).

-c syscall
    Display audit information about the specified system calls.

-p
    Display only successful operations that were recorded in the audit trail. No user event that results in a failure is displayed, even if username and eventname are specified.

    The -p and the -f options are mutually exclusive; do not specify both on the same command line. To display both successful and failed operations, omit both -p and -f options.

-f
    Display only failed operations that are recorded in the audit trail.

-l ttyid
    Display all operations that occurred on the specified terminal (ttyid) and were recorded in the audit trail. By default, operations on all terminals are displayed.

-t start_time
    Display all audited operations occurring since start_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring before the specified time is displayed.

-s stop_time
    Display all audited operations occurring before stop_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring after the specified time is displayed.

-y2|-y4
    The year is displayed as a two-digit number (with -y2), or as a four-digit number (with -y4). The default is -y2. Note that start_time and stop_time must still be specified as two-digit numbers.
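
The helper below is an added example, not part of the original manual page or of HP's code. It applies the mmddhhmm[yy] rule for -t and -s exactly as worded above, so a reviewer can check which time window a command line covers before running it. The function names, the outcome parameter and the audit file path are assumptions made for illustration.

```python
from datetime import datetime


def parse_audisp_time(spec, now=None):
    """Parse an mmddhhmm[yy] value as described for -t and -s."""
    if not (spec.isascii() and spec.isdigit() and len(spec) in (8, 10)):
        raise ValueError("expected mmddhhmm[yy], got %r" % (spec,))
    month, day, hour, minute = (int(spec[i:i + 2]) for i in (0, 2, 4, 6))
    if len(spec) == 10:
        yy = int(spec[8:])
        # Page rule: greater than 70 -> 19yy, otherwise 20yy (so 70 -> 2070).
        year = 1900 + yy if yy > 70 else 2000 + yy
    else:
        year = (now or datetime.now()).year  # no year given: current year
    # datetime() rejects impossible values such as month 13 or day 31 in June.
    return datetime(year, month, day, hour, minute)


def audisp_argv(files, user=None, event=None, outcome=None,
                start=None, stop=None, now=None):
    """Build an audisp argument list; outcome is None, 'success' or 'failure'."""
    if not files:
        raise ValueError("at least one audit_filename is required")
    if outcome not in (None, "success", "failure"):
        raise ValueError("outcome must be None, 'success' or 'failure'")
    t0 = parse_audisp_time(start, now) if start else None
    t1 = parse_audisp_time(stop, now) if stop else None
    if t0 and t1 and t0 >= t1:
        raise ValueError("window is empty: %s is not before %s" % (t0, t1))
    argv = ["audisp"]
    if user:
        argv += ["-u", user]
    if event:
        argv += ["-e", event]
    if outcome:
        # -p and -f are mutually exclusive, so at most one is ever emitted.
        argv.append("-p" if outcome == "success" else "-f")
    if start:
        argv += ["-t", start]
    if stop:
        argv += ["-s", stop]
    return argv + list(files)


if __name__ == "__main__":
    # Constructed sample: failed logins by root during March 2024.
    print(audisp_argv(["/path/to/audit_file"], user="root", event="login",
                      outcome="failure", start="0301000024", stop="0401000024"))
```

Because 70 is not greater than 70, a yy of 70 falls in the twenty-first century under this wording; a window from yy 70 to yy 71 is therefore rejected as empty.
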

AUTHOR
audisp was developed by HP.