The
utility selects records from the audit trail files based on the specified
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
If no
file
argument is specified, the standard input is used
by default.
Use the
praudit(1)
utility to print the selected audit records in human-readable form.
The options are as follows:
-A
Select all records.
-a YYYYMMDD [HH [MM [SS
]
]
]
Select records that occurred after or on the given datetime.
-b YYYYMMDD [HH [MM [SS
]
]
]
Select records that occurred before the given datetime.
-c flags
Select records matching the given audit classes specified as a comma
separated list of audit flags.
See
audit_control5
for a description of audit flags.
-d YYYYMMDD
Select records that occurred on a given date.
This option cannot be used with
-a
or
-b
-e euid
Select records with the given effective user ID or name.
-f egid
Select records with the given effective group ID or name.
-g rgid
Select records with the given real group ID or name.
-j id
Select records having a subject token with matching ID.
-m event
Select records with the given event name or number.
See
audit_event5
for a description of audit event names and numbers.
-o object = value
file
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
Regular expressions which are prefixed with a tilde
(`~'
)
are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
Since commas are used to delimit the regular expressions, a backslash
(`\'
)
character should be used to escape the comma if it is a part of the search
pattern.
msgqid
Select records containing the given message queue ID.
pid
Select records containing the given process ID.
semid
Select records containing the given semaphore ID.
shmid
Select records containing the given shared memory ID.
-r ruid
Select records with the given real user ID or name.
-u auid
Select records with the given audit ID.
EXAMPLES
To select all records associated with effective user ID root from the audit
log
/var/audit/20031016184719.20031017122634
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
AUTHORS
An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
An Wayne Salamon ,
An Robert Watson ,
and SPARTA Inc.
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
