adt(7) CLIX adt(7)
NAME
adt - Audit trail record device
DESCRIPTION
The /dev/audit file is a special file used to enable auditing and to record
file system accesses. Auditing is initiated by opening /dev/audit. Audit
records may then be read by issuing read() calls on the opened audit
device. Only one process may have the audit device open on the system at
a time.
The audit device records the open(), creat(), unlink(), link(), exit(),
mount(), rmount(), umount() and rumount() system calls.
Each audit record consists of a record preamble and a record body. The
record types and preamble formats are defined as follows in the include
file <sys/audit.h>:
     #define ADT_VERSION 0
     #define OPEN        0   /* open()/creat() */
     #define LINK        1   /* link() */
     #define UNLINK      2   /* unlink() */
     #define EXEC        3   /* exec() and exece() */
     #define MOUNT       4   /* mount() and rmount() */
     #define UMOUNT      5   /* umount() and rmount() */

     typedef struct preamble {
          long   p_version;      /* version that generated this record */
          short  p_type;         /* type of record to follow */
          cnt_t  p_flen;         /* bytes to next record */
          time_t p_time;         /* since Jan 1, 1970 */
          char   p_addr[6];      /* hardware ID of this machine */
          uid_t  p_uid;          /* user's uid */
          gid_t  p_gid;          /* user's gid */
          dev_t  p_tty;          /* controlling tty, if one */
          char   p_comm[DIRSIZ]; /* command name */
          char   p_error;        /* 0 = success, else errno */
          char   p_pad[3];       /* word boundary */
     };
The raw audit records have the following formats:
     struct adt_open {
          uint mode;
          uint owner;
          uint group;
          uint len;
          char file[];
     };

     struct adt_link {
          uint len1;
          uint len2;
          char files[];
     };

     struct adt_unlink {
          uint len;
          char file[];
     };

     struct adt_exec {
          char args[PSARGSZ];   /* psargs not currently supported */
          uint len;
          char file[];
     };

     struct adt_mount {
          uint flag;            /* local or remote info structure to */
          uint len;             /* follow the mntpt */
          char mntpt[];
     };

     struct local_mnt {
          uint len;
          char special[];
     };

     struct rfs_mnt {
          uint dlen;            /* domain.host (RFS) */
          uint alen;            /* advertise (RFS) */
          char data[];          /* two null terminated fields
                                   whose offsets are defined above */
     };

     struct nfs_mnt {
          uint hlen;            /* length of hostname */
          uint rplen;           /* length of remote path */
          char data[];          /* two null terminated fields
                                   whose offsets are defined above */
     };

     struct adt_umount {
          uint len;
          char data[];          /* advertise (RFS) or mntpt or special */
     };
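The preamble and body layouts above are what a consumer of the audit device sees in the bytes returned by read(). The program below is an added example, not part of this manual page or of CLIX: it serialises a constructed two-record trail (one OPEN, one UNLINK), then walks it back using p_flen to locate each following record, and rejects a trail that was cut short or whose embedded length field points outside its own record. The typedefs this page leaves to the system headers (cnt_t, DIRSIZ, uid_t, gid_t, dev_t) are given assumed fixed widths here, and the in-memory layout is the compiling host's, not the original CLIPPER machine's.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record-type constants as given on the page (<sys/audit.h>). */
#define ADT_VERSION 0
#define OPEN   0
#define LINK   1
#define UNLINK 2
#define EXEC   3
#define MOUNT  4
#define UMOUNT 5

/* Assumed widths: the page does not define cnt_t, DIRSIZ, uid_t, gid_t or dev_t. */
typedef int16_t cnt_t;
#define DIRSIZ 14

struct preamble {
    int32_t  p_version;      /* version that generated this record */
    int16_t  p_type;         /* type of record to follow */
    cnt_t    p_flen;         /* bytes to next record, counted from this preamble */
    int32_t  p_time;         /* seconds since Jan 1, 1970 */
    char     p_addr[6];      /* hardware ID of this machine */
    uint16_t p_uid, p_gid, p_tty;
    char     p_comm[DIRSIZ]; /* command name */
    char     p_error;        /* 0 = success, else errno */
    char     p_pad[3];
};

/* Fixed-size heads of the OPEN and UNLINK bodies; the NUL-terminated path follows. */
struct adt_open_head   { uint32_t mode, owner, group, len; };
struct adt_unlink_head { uint32_t len; };

/* Summary a reader extracts from each decoded record. */
struct adt_event { int type; uint16_t uid; char error; char file[64]; };

/* Serialise one OPEN or UNLINK record; returns bytes written, 0 if it does not fit. */
static size_t emit_record(uint8_t *out, size_t cap, int type, uint16_t uid,
                          char error, const char *file)
{
    size_t plen = strlen(file) + 1;                      /* len counts the NUL */
    size_t head = type == OPEN ? sizeof(struct adt_open_head)
                               : sizeof(struct adt_unlink_head);
    size_t total = sizeof(struct preamble) + head + plen;
    if (total > cap || total > INT16_MAX) return 0;

    struct preamble p;
    memset(&p, 0, sizeof p);
    p.p_version = ADT_VERSION;
    p.p_type = (int16_t)type;
    p.p_flen = (cnt_t)total;
    p.p_time = 761875200;                                /* constructed timestamp */
    p.p_uid = p.p_gid = uid;
    p.p_error = error;
    strncpy(p.p_comm, type == OPEN ? "cat" : "rm", DIRSIZ - 1);
    memcpy(out, &p, sizeof p);
    if (type == OPEN) {
        struct adt_open_head h = { 0644, uid, uid, (uint32_t)plen };
        memcpy(out + sizeof p, &h, sizeof h);
    } else {
        struct adt_unlink_head h = { (uint32_t)plen };
        memcpy(out + sizeof p, &h, sizeof h);
    }
    memcpy(out + sizeof p + head, file, plen);
    return total;
}

/* Walk a buffer of records using p_flen. Decodes OPEN and UNLINK, skips the other
 * types, and returns the number decoded, or -1 if the trail is truncated or a
 * length field points outside its record. */
static int parse_trail(const uint8_t *buf, size_t n, struct adt_event *ev, int max)
{
    size_t off = 0;
    int count = 0;
    while (off < n) {
        struct preamble p;
        if (n - off < sizeof p) return -1;               /* cut inside a preamble */
        memcpy(&p, buf + off, sizeof p);
        if (p.p_flen < (cnt_t)sizeof p || (size_t)p.p_flen > n - off) return -1;
        const uint8_t *body = buf + off + sizeof p;
        size_t blen = (size_t)p.p_flen - sizeof p;
        if (p.p_type == OPEN || p.p_type == UNLINK) {
            size_t head = p.p_type == OPEN ? sizeof(struct adt_open_head)
                                           : sizeof(struct adt_unlink_head);
            uint32_t len;
            if (blen < head) return -1;
            memcpy(&len, body + head - sizeof len, sizeof len); /* len is last in both heads */
            if (len == 0 || len > blen - head || len > sizeof ev->file ||
                body[head + len - 1] != '\0') return -1;  /* path must fit and end in NUL */
            if (count < max) {
                ev[count].type = p.p_type;
                ev[count].uid = p.p_uid;
                ev[count].error = p.p_error;
                memcpy(ev[count].file, body + head, len);
            }
            count++;
        }
        off += (size_t)p.p_flen;
    }
    return count;
}

/* Constructed trail: root opens /etc/passwd successfully, then uid 1001 fails to
 * unlink /tmp/scratch with errno 13 (EACCES). */
static size_t build_sample(uint8_t *buf, size_t cap)
{
    size_t n = emit_record(buf, cap, OPEN, 0, 0, "/etc/passwd");
    return n + emit_record(buf + n, cap - n, UNLINK, 1001, 13, "/tmp/scratch");
}

int main(void)
{
    uint8_t buf[256];
    struct adt_event ev[8];
    size_t n = build_sample(buf, sizeof buf);
    int c = parse_trail(buf, n, ev, 8);
    for (int i = 0; i < c; i++)
        printf("type=%d uid=%u err=%d %s\n", ev[i].type, ev[i].uid, ev[i].error, ev[i].file);
    printf("trail cut by one byte -> %d\n", parse_trail(buf, n - 1, ev, 8));
    return 0;
}
```

Because read() on the device can return a partial record at the end of a buffer, a real consumer would keep the unconsumed tail and prepend it to the next read rather than treating -1 as fatal; the checks on p_flen and on the body's len field are what keep a corrupted or hostile length from walking the reader off the end of its buffer.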
If auditing is being used for system security, it is best to initiate it
as early during system boot as possible and shut it down as late as
possible during system shutdown.
FILES
/dev/audit Audit device.
CAUTIONS
Audit records are queued internally by CLIX in a memory heap. If this
queue or heap runs out of space, processes generating audit events block
until space becomes available.
RELATED INFORMATION
Commands: auditd(8)
2/94 - Intergraph Corporation 3