Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX Reference > A

audisp(1M)

HP-UX 11i Version 3: February 2007
» 

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index

NAME

audisp — display the audit information as requested by the parameters

SYNOPSIS

audisp [-u username] [-e eventname] [-c syscall] [-p] [-f] [-l ttyid] [-t start_time] [-s stop_time] [-y2|-y4] audit_trail...

DESCRIPTION

audisp analyzes and displays the audit information contained in the specified audit trails. All specified audit trails are merged into a single audit trail in time order. Although the entire audit trail is analyzed, audisp allows you to limit the information displayed by specifying different options. This command is restricted to privileged users.

Each audit trail (audit_trail) is identified by a file name if the audit information was collected in compatibility mode. If the audit information was collected in regular mode, the audit trail (audit_trail) is identified by a directory name. Which auditing mode is used, compatibility or regular, is configurable by privileged users (see audsys(1M)). When displaying audit trails that are generated in regular mode, audit trails cannot be identified by file names in audit trail directories since these file names may not represent complete trail information for analysis or display. Instead, audit trails must be identified by directory names.

Any unspecified option is interpreted as an unrestricted specification. For example, a missing -u username option causes all users' audit information in the audit trail to be displayed as long as all other specified options are satisfied. For another example, providing the option -t start_time without -s stop_time causes all audit information beginning from start_time to the end of the trail to be displayed.

If audisp is run without any options, it displays all recorded information from the start of the audit trail to the end.

Specifying an option without its required parameter results in error. For example, specifying -e without any eventname returns an error message.

Options

-u username

Specify the username (login name) about whom to display information. If no username is specified, audisp displays audit information about all users in the audit file.

-e eventname

Display audit information for the specified event category. eventname must be a valid event category (base event or event alias) that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain an eventname is valid is to read the output of 'audevent -l' for a list of valid event category names and their associated system calls (see audevent(1M)).

-c syscall

Display audit information about the specified system call. The syscall must be a valid system call name or system call alias name that is defined in /etc/audit/audit.conf or /etc/audit/audit_site.conf (see audit.conf(4)). Another way to be certain a syscall is valid is to read the output of 'audevent -l' for a list of valid syscall names (see audevent(1M)).

-p

Display only successful operations that were recorded in the audit trail. No user event that results in a failure is displayed, even if username and eventname are specified.

The -p and the -f options are mutually exclusive; do not specify both on the same command line. To display both successful and failed operations, omit both -p and -f options.

-f

Display only failed operations that are recorded in the audit trail.

-l ttyid

Display all operations that occurred on the specified terminal (ttyid) and were recorded in the audit trail. By default, operations on all terminals are displayed.

-t start_time

Display all audited operations occurring since start_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring before the specified time is displayed.

-s stop_time

Display all audited operations occurring before stop_time, specified as mmddhhmm[yy] (month, day, hour, minute, year). If the year is specified and is greater than 70, it is interpreted as in the twentieth century. Otherwise, it is interpreted as in the twenty-first century. If no year is given, the current year is used. No operation in the audit trail occurring after the specified time is displayed.

-y2|-y4

The year is displayed as a two digit number (with -y2), or as a four digit number (with -y4). The default is -y2. Note that start_time and stop_time must still be specified as two digit numbers.

AUTHOR

audisp was developed by HP.

FILES

/etc/audit/audit.conf - file containing event mapping information

/etc/audit/audit_site.conf - file containing site-specific event mapping information

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.