aureport(1M) — ADMINISTRATOR COMMANDS
NAME
aureport − translate binary-format audit information into a report
SYNOPSIS
aureport [-s] [-h] [file ...]
DESCRIPTION
aureport allows root to transform audit records recorded in binary format into a report. The input file must be in the binary audit format created by the audit-trail system (see audit_file(4)). aureport will convert binary audit information from standard input if no input files are specified. To convert files into a format more suitable for post-processing by other programs, see auconvert(1M).
-s Use a short form of output design. The short form is oriented toward 80-character output; the default long form is oriented towards 132-character output. Note that both forms can exceed the standard width if there is significant data associated with the audit records.
-h Suppress report headers and trailers that give the filename, column headers, etc.
file One or more binary format audit-trail files can be specified for conversion. If no files are specified, standard input will be used.
Typically, auscan(1M) is used to preprocess the audit-trail file and selectively retrieve information before formatting with aureport.
Parts of each audit-trail record are translated into text format so that administrators can review or further process the information. For the actual content of each audit-trail record before its conversion, see the audit_file(4) manual page. The information below provides a general form of output after conversion by auconvert.
Standard Header Information
The time stamp is converted to the form yymmddhhmm.ss, where yy is the last two digits of the year, the first mm is the month number, dd is the day of the month, hh is the hour (24-hour system), the second mm is the minute, and ss is the second.
User IDs are converted to the name representation as seen in the password file.
Group IDs are converted to the name representation as seen in the group file.
Devices are reported as major and minor number pairs.
Message types and reasons are converted to text-file format.
Error numbers are reported in decimal format.
Information specific to events is interpreted.
Arguments to events are formatted as appropriate for the message type. See the audit_file(4) manual page for more information about event-specific arguments that may have been audited.
EXAMPLE
The following is a sample output from aureport when executed with the -s option:
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
AUDIT FILE /usr/spool/audit/file7 BEING PRINTED AT Thu Feb 2 14:31:05 1989
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
AUDIT ID RUID AUDIT CL SYSCALL PID TIME
REASON MSG TYPE EVENT TYPE OBJECT
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
smith smith au_ctl au_ctl 1582 8901302215.26
Success AU_KSTR AU_CTL_2 0
Auditing started
Success AU_FSEC AU_CTL_2 1074941020
owner=root, group=users, mode=100600, device=17,2
smith smith audit au_setpm 1582 8901302216.31
Success AU_INT AU_PARAM 0
-1073610324
Success AU_UDATA AU_PARAM -1073610324
3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f ...
Success AU_KDATA AU_SETPMASK_3 0
0 0 0 0 0 10 0 0 0 2 0 10 20 0 10 20 2 0 0 0 ...
Success AU_INT AU_PARAM 122
0
jones jones open open 1583 8901302216.31
Success AU_USTR AU_PARAM 0
attacklog
Success AU_INT AU_PARAM 1
769
Success AU_FSEC OPEN_1 1074942244
owner=root, group=users, mode=100640, device=17,2
Success AU_INT AU_PARAM 5
3
smith smith exit exit 1582 8901302218.45
Success AU_INT AU_PARAM 0
0
Success AU_INT EXIT_1 0
0
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
AUDIT FILE /usr/spool/audit/file7 COMPLETED AT Thu Feb 2 14:31:05 1989
∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
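The short-form layout shown above can be post-processed by grouping each event header line with the argument records that follow it and decoding the yymmddhhmm.ss time stamp. The following Python sketch is an added example, not part of aureport or of the original manual page. The dictionary field names, the century pivot for two-digit years, and the pairing of each argument line with exactly one data line are assumptions drawn from the sample output only.

```python
import re
from datetime import datetime

# Constructed input: lines copied from the EXAMPLE output above, banners omitted.
SAMPLE = """\
smith smith au_ctl au_ctl 1582 8901302215.26
Success AU_KSTR AU_CTL_2 0
Auditing started
jones jones open open 1583 8901302216.31
Success AU_USTR AU_PARAM 0
attacklog
Success AU_INT AU_PARAM 1
769
Success AU_FSEC OPEN_1 1074942244
owner=root, group=users, mode=100640, device=17,2
"""

STAMP = re.compile(r"\d{10}\.\d{2}")  # yymmddhhmm.ss


def parse_time(stamp):
    # Assumption: two-digit years follow strptime's %y pivot (69-99 -> 19xx, 00-68 -> 20xx).
    return datetime.strptime(stamp, "%y%m%d%H%M.%S")


def parse_report(text):
    """Group short-form lines into events, each with its argument records."""
    events = []
    lines = iter(text.splitlines())
    for line in lines:
        f = line.split()
        if len(f) == 6 and f[4].isdigit() and STAMP.fullmatch(f[5]):
            # Event header: AUDIT ID, RUID, AUDIT CL, SYSCALL, PID, TIME
            events.append({"audit_id": f[0], "ruid": f[1], "class": f[2],
                           "syscall": f[3], "pid": int(f[4]),
                           "time": parse_time(f[5]), "args": []})
        elif len(f) == 4 and f[1].startswith("AU_") and events:
            # Argument line: REASON, MSG TYPE, EVENT TYPE, OBJECT.
            # Assumption: it is followed by exactly one data line, consumed here.
            events[-1]["args"].append({"reason": f[0], "msg_type": f[1],
                                       "event_type": f[2], "object": int(f[3]),
                                       "data": next(lines, "").strip()})
    return events


if __name__ == "__main__":
    for ev in parse_report(SAMPLE):
        print(ev["time"].isoformat(), ev["audit_id"], ev["syscall"],
              [a["data"] for a in ev["args"]])
```

Banner, column-header and separator lines match neither pattern and are skipped, so the same function accepts output produced with or without -h.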
FILES
/etc/passwd Default password file for user information
/etc/group Default group file
/var/security/auclass Default audit class file
/var/security/auevent Default audit event type file
SEE ALSO
auconvert(1M), auscan(1M), auclassmgmt(1M), aueventmgmt(1M), auclass(4), audit_file(4), auevent(4)
(Security Enhancement)