adt(7) — CLIX 3.1r7.6.22

  adt(7)                              CLIX                              adt(7)



  NAME

    adt - Audit trail record device

  DESCRIPTION

    The /dev/audit file is a special file used to enable auditing and to
    record file system accesses.  Auditing is initiated by opening /dev/audit.
    Audit records are then obtained by issuing read() calls on the opened
    audit device.  Only one process may have the audit device open on the
    system at a time.

    The types of events recorded by the audit device are the open(), creat(),
    unlink(), link(), exit(), mount(), rmount(), umount() and rumount()
    functions.

    Each audit record consists of a record preamble and a record body.  The
    record types and preamble formats are defined as follows in the include
    file <sys/audit.h>:

    #define ADT_VERSION 0

    #define OPEN   0  /* open()/creat() */
    #define LINK   1  /* link() */
    #define UNLINK 2  /* unlink() */
    #define EXEC   3  /* exec() and exece() */
    #define MOUNT  4  /* mount() and rmount() */
    #define UMOUNT 5  /* umount() and rmount() */

    typedef struct preamble {
         long   p_version; /* version that generated this record */
         short  p_type;    /* type of record to follow */
         cnt_t  p_flen;    /* bytes to next record */
         time_t p_time;    /* since Jan 1, 1970 */
         char   p_addr[6]; /* hardware ID of this machine */
         uid_t  p_uid;     /* users uid */
         gid_t  p_gid;     /* users gid */
         dev_t  p_tty;     /* controlling tty if one */
         char   p_comm[DIRSIZ]; /* command name */
         char   p_error;   /* 0 = success, else errno */
         char   p_pad[3];  /* word boundary */
    };

    The raw audit records have the following formats:

    struct adt_open {
         uint mode;
         uint owner;
         uint group;
         uint len;
         char file[];
    };

  2/94 - Intergraph Corporation                                              1

    struct adt_link {
         uint len1;
         uint len2;
         char files[];
    };

    struct adt_unlink {
         uint len;
         char file[];
    };

    struct adt_exec {
         char args[PSARGSZ]; /* psargs not currently supported */
         uint len;
         char file[];
    };

    struct adt_mount {
         uint flag;    /* local or remote info structure to */
         uint len;     /*    follow the mntpt */
         char mntpt[];
    };

    struct local_mnt {
         uint len;
         char special[];
    };

    struct rfs_mnt {
         uint dlen;   /* domain.host (RFS) */
         uint alen;   /* advertise (RFS) */
         char data[]; /* two null terminated fields */
                      /*    whose offsets are defined above */
    };

    struct nfs_mnt {
         uint hlen;   /* length of hostname */
         uint rplen;  /* length of remote path */
         char data[]; /* two null terminated fields */
                      /*    whose offsets are defined above */
    };

    struct adt_umount {
         uint len;
         char data[]; /* advertise (RFS) or mntpt or special */
    };
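    As an added example (not from the CLIX manual or from Intergraph's code), the
    following reader walks a raw trail using the p_flen field of each preamble and
    decodes adt_open bodies; the field widths, byte order, DIRSIZ value and the
    three sample records are assumptions, since the page gives no CLIX type sizes.

```python
import struct
from collections import namedtuple
# Assumed on-disk widths (hypothetical, the page gives no CLIX type sizes): long/time_t
# 32-bit; short/cnt_t/uid_t/gid_t/dev_t 16-bit; DIRSIZ 14; little-endian; packed.
DIRSIZ = 14
ADT_VERSION = 0
OPEN, LINK, UNLINK, EXEC, MOUNT, UMOUNT = range(6)
PREAMBLE_FMT = "<lhHl6sHHH%dsB3x" % DIRSIZ   # version type flen time addr uid gid tty comm error pad
PREAMBLE_LEN = struct.calcsize(PREAMBLE_FMT)  # 42 under these assumptions
OPEN_FMT = "<IIII"                            # adt_open: mode owner group len
Record = namedtuple("Record", "type time uid gid comm error body")

def build_record(typ, body, uid=0, gid=0, comm="sh", error=0, when=760000000):
    """Encode one record as the device would emit it (constructed test data)."""
    pre = struct.pack(PREAMBLE_FMT, ADT_VERSION, typ, PREAMBLE_LEN + len(body), when,
                      b"\x00\x11\x22\x33\x44\x55", uid, gid, 0,
                      comm.encode().ljust(DIRSIZ, b"\0"), error)
    return pre + body

def open_body(mode, owner, group, path):
    p = path.encode() + b"\0"          # adt_open.len counts the terminating NUL
    return struct.pack(OPEN_FMT, mode, owner, group, len(p)) + p

def parse_trail(buf):
    """Walk the trail by p_flen; decode the body for OPEN, skip the other types."""
    recs, off = [], 0
    while off + PREAMBLE_LEN <= len(buf):
        ver, typ, flen, t, _addr, uid, gid, _tty, comm, err = struct.unpack_from(PREAMBLE_FMT, buf, off)
        if ver != ADT_VERSION or flen < PREAMBLE_LEN or off + flen > len(buf):
            raise ValueError("corrupt or truncated record at offset %d" % off)
        raw, body = buf[off + PREAMBLE_LEN:off + flen], None
        if typ == OPEN:
            mode, owner, group, ln = struct.unpack_from(OPEN_FMT, raw)
            name = raw[16:16 + ln].split(b"\0", 1)[0].decode(errors="replace")
            body = {"mode": mode, "owner": owner, "group": group, "file": name}
        recs.append(Record(typ, t, uid, gid, comm.rstrip(b"\0").decode(), err, body))
        off += flen
    return recs

def failed_opens(recs):
    """Denied opens (p_error != 0) are what a reviewer of the trail looks at first."""
    return [(r.uid, r.comm, r.body["file"]) for r in recs if r.type == OPEN and r.error]

# Constructed three-record trail: a successful open, an unlink, a denied open (errno 13).
SAMPLE_TRAIL = (
    build_record(OPEN, open_body(0o644, 0, 3, "/etc/passwd"), uid=201, gid=20, comm="vi")
    + build_record(UNLINK, struct.pack("<I", 7) + b"/tmp/x\0", uid=201, gid=20, comm="rm")
    + build_record(OPEN, open_body(0, 0, 0, "/etc/shadow"), uid=201, gid=20, comm="cat", error=13)
)
```

    A trail cut off mid-record (for instance by an unclean shutdown, which is why
    the text below asks that auditing stop as late as possible) is reported rather
    than silently parsed as fewer records.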

    If auditing is being used for system security, it is best to initiate it
    as early during system boot as possible and shut it down as late as
    possible during system shutdown.

  FILES

    /dev/audit   Audit device.

  CAUTIONS

    Audit records are queued internally by CLIX in a memory heap.  If this
    queue runs out of heap space, processes generating audit events block
    until space becomes available.

  RELATED INFORMATION

    Commands:  auditd(8)