Administrator's Guide
a record will be produced for each event type and system call that has been enabled
for audit, not just for the new event type being added.
9.9.1 Examples of Using the audisp Command
The following examples show audit information displayed using the audisp command:
• Display the log output on the screen:
#/usr/sbin/audisp
audit_trail
• Direct the log output to /tmp/mylogoutput:
#/usr/sbin/audisp
audit_trail
> /tmp/mylogoutput
• View successful events only:
#/usr/sbin/audisp -p
audit_trail
• View activities owned by user joe:
#/usr/sbin/audisp -u joe
audit_trail
• View activities on terminal, ttypa:
#/usr/sbin/audisp -l ttypa
audit_trail
• View login events only:
#/usr/sbin/audisp -e login
audit_trail
9.10 Self-Auditing
Some processes invoke a series of actions that can be audited. To reduce the amount of
audit log data collected and to provide for more meaningful notations in the audit log
files, some of these processes are programmed to suspend auditing of the actions they
invoke and produce one audit log entry describing the process that occurred. Processes
programmed in this way are called self-auditing programs; using self-auditing programs
streamlines audit log data.
NOTE: The list of self-auditing processes varies from system to system.
Self-auditing processes
The following processes have self-auditing capabilities:
chfn Change finger entry
chsh Change login shell
login The login utility
newgrp Change effective group
passwd Change password
9.10 Self-Auditing 187