audit(5) — AIX/RT 2.2.1


audit

Purpose

     Describes the audit trail file format.

Synopsis

     #include <sys/audit.h>
     #include <auditlog.h>

Description

     The file /usr/include/sys/audit.h contains kernel-level
     definitions for the auditing system, and the
     /usr/include/auditlog.h file contains user-level definitions
     for the auditing system. When auditing is enabled, the
     /local/etc/security/audit/a_trail file contains the name of
     the audit trail file, while the
     /local/etc/security/audit/a_trail.past file contains the
     audit trail name history.

     An audit trail file consists of a sequence of 3-part frames,
     with each frame containing a head, a body, and a tail. The
     body consists of a sequence of possibly packed audit records,
     and the head and tail are structures of type x. The x
     structure is defined in the ????? header file, and it
     contains the following members:

           ushort   id;          /* head = 0xf0f0, tail = 0x0f0f */
           ushort   bin;         /* bin # */
           ushort   before;      /* unpacked length of body */
           ushort   after;       /* packed (current) length of body */
           ulong    nid;         /* node identifier */

     Other than the id field, the head and tail of a frame are
     identical, which allows the audit trail to be scanned
     forwards or backwards. When the value stored in the after
     field is less than or equal to the value stored in the
     before field, then the body is unpacked. The body is packed
     when the after field is less than the before field. For
     packing and unpacking, the auditpr command uses a Huffman
     encoding algorithm like the one used by the pack command.

     In the body, each unpacked audit record itself has a head
     and an optional tail. The head of an audit trail record is
     contained in a structure of type aud_head, as defined in the
     sys/audit.h header file, and it contains the following
     members:

           short    ah_aid;      /* action ID */
           short    ah_type;     /* type of audit record */
           short    ah_length;   /* length of tail */
           ushort   ah_luid;     /* login user ID */
           time_t   ah_time;     /* write time of audit record */
           ushort   ah_uid;      /* effective user ID */
           ushort   ah_gid;      /* effective group ID */
           ushort   ah_ruid;     /* real user ID */
           ushort   ah_rgid;     /* real group ID */
           ulong    ah_nid;      /* node ID */
           short    ah_pid;      /* process ID */
           short    ah_ppid;     /* parent process ID */

     An audit record type of A_HEADONLY means the record has no
     tail. Negative record type numbers correspond to
     kernel-level records, such as A_SYSTEMCALL, and positive
     audit record type numbers correspond to user-level records
     like A_TEXT. Each nonzero type value has a template, such as
     a C structure, that defines the format of an audit record
     tail. The /usr/include/sys/audit.h and
     /usr/include/auditlog.h files define tail templates. The
     auditpr command, which prints audit trail records on the
     standard output, uses these templates.
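     The frame layout above (head, body, tail, with the tail
     mirroring the head so the trail can be walked in either
     direction) and the per-record aud_head layout together
     define what an integrity check of an audit trail has to
     verify. The following C program is an added example written
     for this page; it is not AIX/RT code and not part of the
     manual. It builds a small constructed trail in memory, scans
     it forwards (checking every tail against its head and
     walking the records of each unpacked body) and backwards
     (locating each head from its tail's body length), and shows
     that a damaged tail id is rejected. Everything the page
     leaves open is an assumption here: the head/tail structure
     (the page's "x") is named aud_frame; ushort and ulong are 16
     and 32 bits and time_t is 32 bits, as on AIX/RT, so both
     structures are padding-free (12 and 28 bytes); frames are
     read in native byte order; a record with ah_length of 0 is
     treated as head-only. The page's two sentences on packing
     overlap when after equals before, so the example treats
     after < before as packed (and only counts such bodies, since
     the Huffman scheme is not described) and anything else as
     unpacked.

```c
/* Added example, not AIX/RT code: consistency checker for the audit(5)
 * frame and record layout.  Assumed (the page does not say): the head/tail
 * struct (the page's "x") is aud_frame; ushort/ulong 16/32-bit, time_t
 * 32-bit, so the structs are padding-free (12 and 28 bytes); native byte
 * order; head-only records have ah_length == 0; packed bodies are counted,
 * not decoded. */
#include <stdint.h>
#include <string.h>

#define AUD_HEAD_ID 0xf0f0u
#define AUD_TAIL_ID 0x0f0fu

struct aud_frame { uint16_t id, bin, before, after; uint32_t nid; };
struct aud_head {
    int16_t  ah_aid, ah_type, ah_length;
    uint16_t ah_luid;
    int32_t  ah_time;
    uint16_t ah_uid, ah_gid, ah_ruid, ah_rgid;
    uint32_t ah_nid;
    int16_t  ah_pid, ah_ppid;
};
struct trail_stats { int frames, packed, records, kernel, user; };

/* Walk the records of an unpacked body; -1 if a head or tail overruns it. */
static int walk_records(const uint8_t *body, size_t len, struct trail_stats *st)
{
    for (size_t off = 0; off < len;) {
        struct aud_head h;
        if (len - off < sizeof h) return -1;
        memcpy(&h, body + off, sizeof h);
        if (h.ah_length < 0 || (size_t)h.ah_length > len - off - sizeof h) return -1;
        st->records++;
        if (h.ah_type < 0) st->kernel++;       /* kernel-level, e.g. A_SYSTEMCALL */
        else if (h.ah_type > 0) st->user++;    /* user-level, e.g. A_TEXT */
        off += sizeof h + (size_t)h.ah_length;
    }
    return 0;
}

/* Forward scan: head, body, tail; each tail must mirror its head.  Returns
 * the frame count, or -1 at the first inconsistency. */
int scan_forward(const uint8_t *buf, size_t len, struct trail_stats *st)
{
    memset(st, 0, sizeof *st);
    for (size_t off = 0; off < len;) {
        struct aud_frame head, tail;
        if (len - off < 2 * sizeof head) return -1;
        memcpy(&head, buf + off, sizeof head);
        if (head.id != AUD_HEAD_ID || head.after > len - off - 2 * sizeof head) return -1;
        memcpy(&tail, buf + off + sizeof head + head.after, sizeof tail);
        if (tail.id != AUD_TAIL_ID || tail.bin != head.bin || tail.before != head.before
            || tail.after != head.after || tail.nid != head.nid) return -1;
        if (head.after < head.before) st->packed++;   /* Huffman-packed body */
        else if (walk_records(buf + off + sizeof head, head.after, st) < 0) return -1;
        st->frames++;
        off += 2 * sizeof head + head.after;
    }
    return st->frames;
}

/* Backward scan: the tail carries the body length, so the matching head is
 * found without reading the body.  Returns the frame count or -1. */
int scan_backward(const uint8_t *buf, size_t len)
{
    int frames = 0;
    for (size_t end = len; end > 0; frames++) {
        struct aud_frame head, tail;
        if (end < 2 * sizeof tail) return -1;
        memcpy(&tail, buf + end - sizeof tail, sizeof tail);
        if (tail.id != AUD_TAIL_ID || tail.after > end - 2 * sizeof tail) return -1;
        memcpy(&head, buf + end - 2 * sizeof tail - tail.after, sizeof head);
        if (head.id != AUD_HEAD_ID || head.after != tail.after) return -1;
        end -= 2 * sizeof tail + tail.after;
    }
    return frames;
}

/* Constructed sample (not real audit data): frame 1 is unpacked and holds a
 * kernel record with a 4-byte tail plus a head-only user record; frame 2
 * carries a packed body (after < before).  Returns the bytes written. */
size_t build_sample(uint8_t *buf, size_t cap)
{
    struct aud_head k = {0}, u = {0};
    struct aud_frame f1 = {AUD_HEAD_ID, 1, 0, 0, 0x2a}, f2 = {AUD_HEAD_ID, 2, 64, 5, 0x2a};
    uint8_t ktail[4] = {1, 2, 3, 4}, packed[5] = {0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    size_t n = 0;
    k.ah_type = -7; k.ah_length = 4; u.ah_type = 3; u.ah_length = 0;
    f1.before = f1.after = (uint16_t)(sizeof k + sizeof ktail + sizeof u);
    if (cap < 4 * sizeof f1 + f1.after + sizeof packed) return 0;
#define PUT(p, sz) (memcpy(buf + n, (p), (sz)), n += (sz))
    PUT(&f1, sizeof f1); PUT(&k, sizeof k); PUT(ktail, sizeof ktail); PUT(&u, sizeof u);
    f1.id = AUD_TAIL_ID; PUT(&f1, sizeof f1);
    PUT(&f2, sizeof f2); PUT(packed, sizeof packed);
    f2.id = AUD_TAIL_ID; PUT(&f2, sizeof f2);
    return n;
}

/* Runs the sample through both scanners, then damages the last tail id and
 * expects rejection.  Returns 0 if every check holds, else the failing one. */
int self_check(void)
{
    uint8_t buf[256]; struct trail_stats st;
    size_t n = build_sample(buf, sizeof buf);
    if (n != 113) return 1;
    if (scan_forward(buf, n, &st) != 2) return 2;
    if (st.packed != 1 || st.records != 2 || st.kernel != 1 || st.user != 1) return 3;
    if (scan_backward(buf, n) != 2) return 4;
    buf[n - sizeof(struct aud_frame)] ^= 0xff;
    return scan_forward(buf, n, &st) == -1 ? 0 : 5;
}
```

     Calling self_check() exercises the whole flow and returns 0
     when the constructed trail passes both scans and the
     corrupted copy is rejected. On a real trail the same two
     scans are the first thing to run before trusting auditpr
     output: a frame whose tail does not mirror its head, or
     whose records overrun the body, marks truncation or
     tampering rather than data to be interpreted.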

Files

     /usr/include/sys/audit.h
     /usr/include/auditlog.h
     /local/etc/security/audit/a_trail
     /local/etc/security/audit/a_trail.past

Related Information

     In this book:  "audit,"  "auditlog," and "a_action."

     The audit, auditpr, and pack commands in the AIX Operating
     System Commands Reference.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026