The -p option of the auditrpt command displays information about events that involved privileged operations. The argument to the -p option may consist of one or more privilege names or the keyword all. Each privilege name must be separated by a comma. A space will be interpreted as the end of the privilege list. If you specify the keyword all, auditrpt will display all audit records for all privileges. If you specify a privilege name or names after the -p option, auditrpt will display only the audit records that involve the specified privilege(s).
For example, most audit user-level commands and system calls require the
An exception is the
system call, which requires the
privilege to write miscellaneous audit records to the audit event log file.
If you want to see all events that involve the audit privilege,
enter the following command:
auditrpt -p audit
The dacread and dacwrite privileges are needed to override Discretionary Access Control (DAC)
protections for objects.
If any user who is not a system administrator acquires these privileges,
there has been a serious breach of system security.
If you want to see all uses of these privileges, use the following command:
auditrpt -p dacread,dacwrite
For a complete list of privileges, see the intro(2) manual page.
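
Because a space ends the privilege list, a command typed as "-p dacread, dacwrite" would silently drop dacwrite from the report. The following shell helper is an added example, not part of the original manual: it normalizes a list typed with stray spaces or commas into the form the -p option expects. The function name build_priv_arg, the lowercase name pattern, and the rule that all cannot be mixed with other names are assumptions of this example.

```shell
# Added example (not from the auditrpt manual).
# build_priv_arg NAME... : print one comma-joined privilege list suitable
# for "auditrpt -p". Arguments may contain stray commas or spaces.
# Usage (assumes auditrpt is on PATH):
#   auditrpt -p "$(build_priv_arg dacread, dacwrite)"
build_priv_arg() (
    set -f                      # no filename expansion while splitting
    list=""
    count=0
    seen_all=0
    # Split every argument on commas, spaces and tabs; empty pieces vanish.
    for name in $(printf '%s\n' "$@" | tr ', \t' '\n\n\n'); do
        case $name in
            # Assumption: privilege names are lowercase letters, digits, "_".
            *[!a-z0-9_]*)
                echo "invalid privilege name: $name" >&2
                exit 2 ;;
        esac
        case ",$list," in
            *",$name,"*) continue ;;    # skip duplicates
        esac
        if [ "$name" = all ]; then
            seen_all=1
        fi
        list="${list:+$list,}$name"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no privilege names given" >&2
        exit 2
    fi
    # Assumption: the argument is either names or the keyword all, not both.
    if [ "$seen_all" -eq 1 ] && [ "$count" -gt 1 ]; then
        echo "'all' cannot be combined with privilege names" >&2
        exit 2
    fi
    printf '%s\n' "$list"
)
```

The helper checks only the syntax of the list; whether each name is a real privilege is still decided by auditrpt and the list in intro(2).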