NAME
audit — file format and other information for auditing
DESCRIPTION
Audit records are generated when users make security-relevant system calls, as well as by self-auditing processes that call audwrite() (see audwrite(2)). Access to the auditing system is restricted to the super-user.

Each audit record consists of an audit record header and a record body. The record header consists of the time, process ID, error, event type, and record body length. The time is the time at which the audited event completed, in either success or failure; the process ID belongs to the process being audited; the error field records whether the event succeeded or failed; the event type is a field identifying the type of audited activity; the length is the record body length expressed in bytes. The exact format of the header is defined in <sys/audit.h> as follows:
    struct audit_hdr {
        u_long  ah_time;    /* date/time (tv_sec of struct timeval) */
        u_short ah_pid;     /* process ID */
        u_short ah_error;   /* success/failure */
        u_short ah_event;   /* event being audited */
        u_short ah_len;     /* length of variant part (record body), in bytes */
    };
The record body is the variable-length component of an audit record containing more information about the audited activity. For records generated by system calls, the body contains the parameters of the system calls; for records generated by self-auditing processes, the body consists of a high-level description of the event (see audwrite(2)). The records in the audit file are compressed to save file space.

When a process is audited the first time, a pid identification record (PIR) is written into the audit file containing information that remains constant throughout the lifetime of the process. This includes the parent's process ID, audit ID, real user ID, real group ID, effective user ID, effective group ID, and the terminal ID (tty). The PIR is entered only once per process per audit file, and is also defined in <sys/audit.h> as follows:
    struct pir_body {           /* pir-related info */
        short   ppid;           /* parent process ID */
        int32_t aid;            /* audit ID */
        uid_t   ruid;           /* real user ID */
        gid_t   rgid;           /* real group ID */
        uid_t   euid;           /* effective user ID */
        gid_t   egid;           /* effective group ID */
        dev_t   tty;            /* tty number */
    };
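The following is an added example, not code from this manual page or from HP: a small reader that walks a byte stream of records laid out as struct audit_hdr followed by ah_len body bytes. It assumes 4-byte ah_time, 2-byte ah_pid/ah_error/ah_event/ah_len, no padding, big-endian byte order, and an uncompressed stream (the page says audit files are compressed, so a real file would have to be decompressed first). The sample bytes are constructed, and the event codes in them are arbitrary placeholders, not real HP-UX event types. The point it shows beyond the text is the check an analysis tool needs: ah_len comes from the file and must be validated against the bytes actually remaining, otherwise a truncated or corrupted record makes the reader run off the end of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: assumed on-disk size of struct audit_hdr (4 + 4*2 bytes). */
#define AUDIT_HDR_SIZE 12

struct audit_rec {
    uint32_t time;               /* ah_time */
    uint16_t pid;                /* ah_pid */
    uint16_t error;              /* ah_error: 0 success, non-zero failure (assumed) */
    uint16_t event;              /* ah_event */
    uint16_t len;                /* ah_len: body length in bytes */
    const unsigned char *body;   /* points into the caller's buffer */
};

/* Big-endian field decoders (assumption: PA-RISC byte order). */
static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse one record from buf[0..avail). Returns the number of bytes the record
 * occupies, or 0 if the header or the body it announces would run past the
 * end of the buffer (a truncated or corrupted record). */
size_t audit_parse_one(const unsigned char *buf, size_t avail, struct audit_rec *out)
{
    if (avail < AUDIT_HDR_SIZE)
        return 0;
    out->time  = be32(buf);
    out->pid   = be16(buf + 4);
    out->error = be16(buf + 6);
    out->event = be16(buf + 8);
    out->len   = be16(buf + 10);
    /* ah_len is untrusted input: bound it by what is actually present. */
    if (out->len > avail - AUDIT_HDR_SIZE)
        return 0;
    out->body = buf + AUDIT_HDR_SIZE;
    return AUDIT_HDR_SIZE + out->len;
}

/* Walk a buffer of consecutive records. Returns the number of complete
 * records and, via *trailing, how many bytes were left over unparsed. */
int audit_count_records(const unsigned char *buf, size_t n, size_t *trailing)
{
    int count = 0;
    size_t off = 0;
    struct audit_rec r;

    while (off < n) {
        size_t used = audit_parse_one(buf + off, n - off, &r);
        if (used == 0)
            break;               /* stop at the first truncated record */
        count++;
        off += used;
    }
    if (trailing)
        *trailing = n - off;
    return count;
}

/* Constructed sample stream: two well-formed records followed by a record
 * whose header claims a 100-byte body but is followed by only 2 bytes. */
const unsigned char sample[] = {
    /* record 1: time=0x5F000000 pid=0x0123 error=0 event=5 len=4 */
    0x5F, 0x00, 0x00, 0x00, 0x01, 0x23, 0x00, 0x00, 0x00, 0x05, 0x00, 0x04,
    'a', 'b', 'c', 'd',
    /* record 2: time=0x5F000001 pid=0x0123 error=1 (failure) event=9 len=0 */
    0x5F, 0x00, 0x00, 0x01, 0x01, 0x23, 0x00, 0x01, 0x00, 0x09, 0x00, 0x00,
    /* record 3: time=0x5F000002 pid=0x0123 error=0 event=5 len=100 (truncated) */
    0x5F, 0x00, 0x00, 0x02, 0x01, 0x23, 0x00, 0x00, 0x00, 0x05, 0x00, 0x64,
    'x', 'y'
};
const size_t sample_len = sizeof sample;

int main(void)
{
    size_t trailing;
    int n = audit_count_records(sample, sample_len, &trailing);
    printf("%d complete records, %zu trailing bytes unparsed\n", n, trailing);
    return 0;
}
```

On the constructed sample the reader reports two complete records and 14 unparsed trailing bytes; the third record is rejected rather than read past the end of the buffer. A tool that instead trusted ah_len would either crash or report a body made of whatever followed in memory.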
Information accumulated in an audit file is analyzed and displayed by audisp (see audisp(1M)).

Whenever auditing is turned on, a "current" audit file is required and a "next" audit file (for backup) is recommended (see audsys(1M) and audomon(1M)). When the "current" audit file is full and the "next" audit file is available, the auditing system switches files automatically.
AUTHOR
audit
was developed by HP.