audit
Purpose
Describes the audit trail file format.
Synopsis
#include <sys/audit.h>
#include <auditlog.h>
Description
The file /usr/include/sys/audit.h contains kernel-level
definitions for the auditing system, and the
/usr/include/auditlog.h file contains user-level
definitions for the auditing system. When auditing is
enabled, the /local/etc/security/audit/a_trail file
contains the name of the audit trail file, while the
/local/etc/security/audit/a_trail.past file contains the
audit trail name history.
An audit trail file consists of a sequence of 3-part
frames, with each frame containing a head, a body, and a
tail. The body consists of a sequence of possibly packed
audit records, and the head and tail are structures of
type x. The x structure is defined in the ????? header
file, and it contains the following members:
ushort id; /* head = 0xf0f0, tail = 0x0f0f */
ushort bin; /* bin # */
ushort before; /* unpacked length of body */
ushort after; /* packed (current) length of body */
ulong nid; /* node identifier */
Other than the id field, the head and tail of a frame are
identical. Because the tail repeats the body lengths, a
reader can step from the end of the file back to the head
of the last frame, so the audit trail can be scanned
forwards or backwards. When the value stored in the
after field is equal to (or greater than) the value
stored in the before field, the body is unpacked. The
body is packed when the after field is less than the
before field. For packing and unpacking, the auditpr
command uses a Huffman encoding algorithm like the one
used by the pack command.
In the body, each unpacked audit record itself has a head
and an optional tail. The head of an audit trail record
is contained in a structure of type aud_head, as defined
in the sys/audit.h header file, and it contains the
following members:
short ah_aid; /* action ID */
short ah_type; /* type of audit record */
short ah_length; /* length of tail */
ushort ah_luid; /* login user ID */
time_t ah_time; /* write time of audit record */
ushort ah_uid; /* effective user ID */
ushort ah_gid; /* effective group ID */
ushort ah_ruid; /* real user ID */
ushort ah_rgid; /* real group ID */
ulong ah_nid; /* node ID */
short ah_pid; /* process ID */
short ah_ppid; /* parent process ID */
An audit record type of A_HEADONLY means the record has
no tail. Negative record type numbers correspond to
kernel-level records, such as A_SYSTEMCALL, and positive
audit record type numbers correspond to user-level
records like A_TEXT. Each nonzero type value has a tem-
plate, such as a C structure, that defines the format of
an audit record tail. The /usr/include/sys/audit.h and
/usr/include/auditlog.h files define tail templates. The
auditpr command, which prints audit trail records on the
standard output, uses these templates.
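The frame and record layout described above, as an added example that is not part of this manual page or of AIX: a small reader that validates a trail by walking it forwards (head to tail) and backwards (tail to head), and that counts the records in unpacked bodies. It assumes the classic 32-bit big-endian layout (ushort and short are 2 bytes, ulong and time_t are 4 bytes, no padding), so it decodes fields byte by byte rather than casting to the kernel structures. The sample trail, the record type numbers and the "packed" body bytes are constructed for the example; real packed bodies would need the Huffman decoding of the pack command, which is not implemented here.

```c
/* Added example, not AIX code: reader for the audit trail frame layout.
 * Assumes big-endian 32-bit field sizes (ushort/short = 2, ulong/time_t = 4). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAD_ID        0xf0f0
#define TAIL_ID        0x0f0f
#define FRAME_HDR_LEN  12   /* ushort id, bin, before, after; ulong nid */
#define AUD_HEAD_LEN   28   /* aud_head as listed in the Description */

struct frame_hdr { uint16_t id, bin, before, after; uint32_t nid; };
struct aud_head {
    int16_t ah_aid, ah_type, ah_length; uint16_t ah_luid; uint32_t ah_time;
    uint16_t ah_uid, ah_gid, ah_ruid, ah_rgid; uint32_t ah_nid; int16_t ah_pid, ah_ppid;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static size_t wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; return 2; }
static size_t wr32(uint8_t *p, uint32_t v) { wr16(p, v >> 16); wr16(p + 2, v & 0xffff); return 4; }

static int parse_frame_hdr(const uint8_t *p, size_t avail, struct frame_hdr *h)
{
    if (avail < FRAME_HDR_LEN) return -1;
    h->id = rd16(p); h->bin = rd16(p + 2); h->before = rd16(p + 4);
    h->after = rd16(p + 6); h->nid = rd32(p + 8);
    return 0;
}

static int parse_aud_head(const uint8_t *p, size_t avail, struct aud_head *a)
{
    if (avail < AUD_HEAD_LEN) return -1;
    a->ah_aid = (int16_t)rd16(p); a->ah_type = (int16_t)rd16(p + 2);
    a->ah_length = (int16_t)rd16(p + 4); a->ah_luid = rd16(p + 6); a->ah_time = rd32(p + 8);
    a->ah_uid = rd16(p + 12); a->ah_gid = rd16(p + 14); a->ah_ruid = rd16(p + 16);
    a->ah_rgid = rd16(p + 18); a->ah_nid = rd32(p + 20);
    a->ah_pid = (int16_t)rd16(p + 24); a->ah_ppid = (int16_t)rd16(p + 26);
    return 0;
}

/* Head and tail of one frame must agree on everything except id. */
static int hdrs_match(const struct frame_hdr *h, const struct frame_hdr *t)
{
    return h->id == HEAD_ID && t->id == TAIL_ID && h->bin == t->bin &&
           h->before == t->before && h->after == t->after && h->nid == t->nid;
}

/* Records in an unpacked body: aud_head followed by ah_length tail bytes. -1 on overrun. */
static int count_records(const uint8_t *body, size_t len)
{
    size_t off = 0; int n = 0; struct aud_head a;
    while (off < len) {
        if (parse_aud_head(body + off, len - off, &a) < 0) return -1;
        if (a.ah_length < 0 || off + AUD_HEAD_LEN + (size_t)a.ah_length > len) return -1;
        off += AUD_HEAD_LEN + (size_t)a.ah_length; n++;
    }
    return n;
}

/* Forward scan: returns frame count or -1; packed bodies (after < before) are skipped. */
static int scan_forward(const uint8_t *buf, size_t len, int *records, int *packed)
{
    size_t off = 0; int frames = 0; struct frame_hdr h, t; *records = 0; *packed = 0;
    while (off < len) {
        if (parse_frame_hdr(buf + off, len - off, &h) < 0) return -1;
        size_t tail_off = off + FRAME_HDR_LEN + h.after;
        if (tail_off + FRAME_HDR_LEN > len || parse_frame_hdr(buf + tail_off, len - tail_off, &t) < 0) return -1;
        if (!hdrs_match(&h, &t)) return -1;
        if (h.after < h.before) (*packed)++;
        else { int n = count_records(buf + off + FRAME_HDR_LEN, h.after); if (n < 0) return -1; *records += n; }
        off = tail_off + FRAME_HDR_LEN; frames++;
    }
    return frames;
}

/* Backward scan: the tail's after field locates the head of the same frame. */
static int scan_backward(const uint8_t *buf, size_t len)
{
    size_t end = len; int frames = 0; struct frame_hdr h, t;
    while (end > 0) {
        if (end < FRAME_HDR_LEN || parse_frame_hdr(buf + end - FRAME_HDR_LEN, FRAME_HDR_LEN, &t) < 0) return -1;
        size_t frame_len = 2 * FRAME_HDR_LEN + t.after;
        if (t.id != TAIL_ID || frame_len > end) return -1;
        parse_frame_hdr(buf + end - frame_len, FRAME_HDR_LEN, &h);
        if (!hdrs_match(&h, &t)) return -1;
        end -= frame_len; frames++;
    }
    return frames;
}

static size_t put_hdr(uint8_t *p, uint16_t id, uint16_t bin, uint16_t before, uint16_t after, uint32_t nid)
{ size_t n = wr16(p, id); n += wr16(p + n, bin); n += wr16(p + n, before); n += wr16(p + n, after); return n + wr32(p + n, nid); }

/* Constructed record: field values are placeholders, not real AIX type numbers. */
static size_t put_record(uint8_t *p, int16_t type, const char *tail, uint16_t tail_len)
{
    size_t n = wr16(p, 7); n += wr16(p + n, (uint16_t)type); n += wr16(p + n, tail_len);
    n += wr16(p + n, 200); n += wr32(p + n, 0x2a000000);               /* ah_luid, ah_time */
    n += wr16(p + n, 0); n += wr16(p + n, 0); n += wr16(p + n, 200); n += wr16(p + n, 1);
    n += wr32(p + n, 0x1234); n += wr16(p + n, 1234); n += wr16(p + n, 1); /* nid, pid, ppid */
    memcpy(p + n, tail, tail_len); return n + tail_len;
}

/* Constructed sample trail: one unpacked frame (two records), then one "packed" frame. */
static size_t build_sample(uint8_t *out, size_t cap)
{
    uint8_t body[128]; size_t blen = 0, n = 0;
    blen += put_record(body, -1, "", 0);                /* negative type: kernel-level, head only */
    blen += put_record(body + blen, 1, "hello", 5);     /* positive type: user-level, 5-byte tail */
    if (cap < 4 * FRAME_HDR_LEN + blen + 8) return 0;
    n += put_hdr(out + n, HEAD_ID, 1, blen, blen, 0x1234); memcpy(out + n, body, blen); n += blen;
    n += put_hdr(out + n, TAIL_ID, 1, blen, blen, 0x1234);
    n += put_hdr(out + n, HEAD_ID, 1, 40, 8, 0x1234);   /* before 40 > after 8: packed body */
    memset(out + n, 0xaa, 8); n += 8;                   /* placeholder packed bytes */
    return n + put_hdr(out + n, TAIL_ID, 1, 40, 8, 0x1234);
}

int main(void)
{
    uint8_t buf[256]; int recs, packed; size_t n = build_sample(buf, sizeof buf);
    int frames = scan_forward(buf, n, &recs, &packed);
    printf("forward: %d frames (%d packed), %d records; backward: %d frames\n",
           frames, packed, recs, scan_backward(buf, n));
    return frames < 0;
}
```

The two scans are the practical check: a trail whose last frame is truncated (a crash while the daemon was writing) fails the backward scan at the first step, and a frame whose head and tail disagree on bin, lengths or node ID is flagged before any record inside it is trusted.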
Files
/usr/include/sys/audit.h
/usr/include/auditlog.h
/local/etc/security/audit/a_trail
/local/etc/security/audit/a_trail.past
Related Information
In this book: "audit," "auditlog," and "a_action."
The audit, auditpr, and pack commands in the AIX
Operating System Commands Reference.