audit_d(1M) — Motorola System V 88k Release 4 Version 4.2

audit_d(1M)  —  ADMINISTRATOR COMMANDS

NAME

audit_d − audit daemon

SYNOPSIS

audit_d  [-f] [-i] [-m] [-s]

DESCRIPTION

audit_d is the audit daemon process.  In addition to accepting instructions from the audit command, the audit daemon monitors file sizes, file system fullness, and file expiration dates, generates warnings when necessary, and switches between files as appropriate.  The audit daemon does not directly store audit data; it specifies to the kernel the current audit file.  The kernel alone performs audit data collection and storage. 

The audit daemon should be started at boot time.  When audit_d is invoked, it creates any necessary communications mechanisms, sets the state of the audit system, forks a child to monitor the audit system and communications channel, and then returns.  The state of the audit system is modified by using the audit(1M) command, which communicates with the audit daemon.  The audit daemon and audit command communicate using FIFOs (named pipes). 

Only one audit daemon may be running at a time.  The lock file /usr/spool/audit/DLOCK is used to prevent multiple daemons from starting.  This file should be removed at system boot time (typically by a startup script) before starting the daemon or before restarting the daemon if it fails. 

The audit daemon may only be invoked by root. 

Initialization Phase

When the audit daemon starts up, it attempts to reestablish the last audit system state from the last-state file /usr/spool/audit/last_state.  (The last-state file is written by the audit daemon whenever its state changes.) If the audit daemon cannot find this file, or if it is directed by the -i option to ignore the last-state file, it will set the audit system state to a default initial value, as follows:

Auditing is stopped. 

No audit file is selected. 

File switching is enabled. 

Overwrite is disabled. 

The audit file list is empty. 

Warnings and mail are disabled and the user list is empty. 

The threshold at which warnings are displayed (always to the system console) is 95% of the file system size, and the increment value is five blocks. 

The system will shut down if auditing cannot be performed (once activated). 

When the audit daemon initializes the audit system state, it simultaneously initializes the audit kernel state by stopping auditing (if it was running) and setting the kernel shutdown-on-failure state to on. 

If initialization to default values is not performed, the audit daemon will then check whether kernel auditing is active.  If so, the daemon will update the audit system state to match the kernel audit state.  Otherwise, the kernel audit state is set from the audit system state.  If the daemon cannot get the kernel audit state, or if it cannot fork a child process, then it will shut the system down if the -s option is specified. 

If the audit communications mechanism exists when audit_d is invoked, audit_d will terminate with an error condition.  The -f option overrides this and removes the communications mechanism if it exists. 

If the audit command lock file exists when the daemon starts, it will be removed. 

Once the audit daemon has performed the above functions, it has completed its initialization phase. 

Monitoring Phase

Based on the commands passed through the communications mechanism from audit, audit_d will monitor the audit system and also handle and report problems with the audit file and file system sizes. 

When auditing is active, the audit daemon periodically checks whether the file system containing the current audit file has reached the warning threshold, as defined in the audit(1M) manual page.  When the warning threshold is reached, the audit daemon generates warnings to all users on the notification list as determined by the -w and -m options of audit.  It then generates subsequent warnings each time the incremental number of blocks (see the audit -t option) is written to the audit file.  If the file system free space rises above the warning threshold, then warning messages will cease. 
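The warning behaviour described above (first warning when the threshold is reached, a repeat each time the increment is written to the audit file, silence once free space rises back above the threshold), modelled in Python as an added example. This is not Motorola's code: the 95% threshold and five-block increment are the defaults this page gives, while the Poll and WarningMonitor names and the poll sequence are this example's own constructions.

```python
"""Model of audit_d's warning-threshold reporting (added example, not Motorola code).

A Poll is one of the daemon's periodic checks of the file system holding the
current audit file.  Defaults follow this page: 95% threshold, five-block
increment.  Poll/WarningMonitor are this example's own names.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Poll:
    fs_size: int    # blocks in the file system holding the audit file
    fs_used: int    # blocks in use on that file system
    file_size: int  # current size of the audit file, in blocks


class WarningMonitor:
    def __init__(self, threshold_pct: int = 95, increment: int = 5,
                 notify=("console",)):
        self.threshold_pct = threshold_pct
        self.increment = increment
        self.notify = tuple(notify)            # console plus audit -w/-m users
        self._warned_at: Optional[int] = None  # audit file size when last warned

    def check(self, p: Poll) -> Optional[str]:
        """Return the warning message for this poll, or None if none is due."""
        pct_used = 100.0 * p.fs_used / p.fs_size
        if pct_used < self.threshold_pct:
            self._warned_at = None  # free space rose above the threshold: warnings cease
            return None
        if self._warned_at is None:
            self._warned_at = p.file_size  # threshold just reached: first warning
        elif p.file_size - self._warned_at < self.increment:
            return None  # fewer than `increment` blocks written since the last warning
        else:
            self._warned_at = p.file_size  # another increment written: repeat warning
        return (f"audit file system {pct_used:.1f}% full "
                f"(threshold {self.threshold_pct}%); notifying {', '.join(self.notify)}")


def run_monitor(polls: List[Poll], **kw) -> List[int]:
    """Indices of the polls at which the daemon would issue a warning."""
    mon = WarningMonitor(**kw)
    return [i for i, p in enumerate(polls) if mon.check(p) is not None]


# Constructed poll sequence: a 1000-block file system filling up, easing, refilling.
SAMPLE_POLLS = [
    Poll(1000, 900, 100),  # 90%: below threshold, nothing
    Poll(1000, 950, 100),  # 95%: threshold reached, first warning
    Poll(1000, 952, 102),  # only 2 blocks written since the warning, nothing
    Poll(1000, 955, 105),  # 5 blocks written: repeat warning
    Poll(1000, 940, 105),  # space freed, 94%: warnings cease
    Poll(1000, 960, 110),  # threshold reached again: warning
]

if __name__ == "__main__":
    print(run_monitor(SAMPLE_POLLS))  # [1, 3, 5]
```

Note that the repeat is keyed to growth of the audit file, not to further growth of the file system, which is why a second process filling the same file system with non-audit data produces no extra warnings in this model.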

When the action threshold is reached, the audit daemon attempts to find a new file to use for auditing.  (See the audit manual page for a definition of action threshold.)  If file switching is enabled (see the audit -f option), the daemon searches the file list for a suitable file on a file system different from that of the current file (because switching is prompted by file system fullness).  In decreasing order of suitability, a suitable file is one of the following:

1.  A file that has not exceeded its maximum size or expiration time, on a file system that has not reached its warning threshold and has enough room to allow the file to grow to its maximum size (if any) without reaching the warning threshold. 

2.  A file system which has not reached its warning threshold (ignoring any file size or time restrictions). 

3.  A file system which has not reached its action threshold. 

If such a file is found, the daemon will switch to that file.  If there is no such file, if file switching is disabled, or if there is a problem switching to the new file, and if overwrite is enabled (see the audit -o option), then the daemon will overwrite the current audit file.  If none of these alternatives is successful, the daemon will either stop auditing or halt the system, as determined by the shutdown flag (see the audit -s option). 

The audit daemon also monitors the file size and/or expiration time, if one or both of those values were set with the audit -a option.  When the file size reaches 98% of the established size limit, the audit daemon attempts to find a new file to use for auditing by searching the file list for a file that has not reached its expiration time or maximum size, is on a file system that has not reached its warning threshold, and has enough room to allow the file to grow to the maximum size without reaching the warning threshold.  If such a file is found, the daemon will switch to that file.  If there is no such file, the limit (expiration time or file size) will be ignored, and auditing will continue to write to that file. 
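The two file-list searches described above, the three-tier action-threshold search (which only considers files on a different file system) and the size-limit/expiration search (tier-1 criteria on any file system, falling back to ignoring the limit), modelled in Python as an added example. This is not Motorola's code: the FileSystem and AuditFile types, the 98% action-threshold default and the /audit/... paths are this example's own assumptions (the page defines the action threshold only by reference to audit(1M)); the 95% warning threshold and the 98%-of-size-limit trigger are the page's own figures.

```python
"""Model of audit_d's audit-file switching searches (added example, not Motorola code).
FileSystem/AuditFile are this example's own names; action_pct=98 is an assumed
placeholder, since the action threshold is defined in audit(1M), not on this page.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FileSystem:
    name: str
    size: int             # total blocks
    used: int             # blocks in use
    warn_pct: int = 95    # warning threshold, percent of size (page default)
    action_pct: int = 98  # action threshold: assumed value, see audit(1M)

    def pct_used(self) -> float:
        return 100.0 * self.used / self.size

    def at_warning(self) -> bool:
        return self.pct_used() >= self.warn_pct

    def at_action(self) -> bool:
        return self.pct_used() >= self.action_pct

    def room_below_warning(self) -> int:
        """Blocks that can still be written before the warning threshold is hit."""
        return max(0, self.size * self.warn_pct // 100 - self.used)


@dataclass
class AuditFile:
    path: str
    fs: FileSystem
    size: int = 0                   # current size, blocks
    max_size: Optional[int] = None  # audit -a size limit, if set
    expires: Optional[int] = None   # audit -a expiration time (epoch seconds), if set


def within_limits(f: AuditFile, now: int) -> bool:
    """Neither the size limit nor the expiration time has been exceeded."""
    return (f.max_size is None or f.size < f.max_size) and (f.expires is None or now < f.expires)


def fits_to_max(f: AuditFile) -> bool:
    """The file can grow to its maximum size without reaching the warning threshold."""
    return f.max_size is None or f.max_size - f.size <= f.fs.room_below_warning()


def tier1(f: AuditFile, now: int) -> bool:
    return within_limits(f, now) and not f.fs.at_warning() and fits_to_max(f)


def find_switch_target(current: AuditFile, files: List[AuditFile], now: int) -> Optional[AuditFile]:
    """Action-threshold search: different file system only, tiers in decreasing suitability."""
    candidates = [f for f in files if f is not current and f.fs.name != current.fs.name]
    tiers = (lambda f: tier1(f, now),          # 1. within limits, room to grow, fs below warning
             lambda f: not f.fs.at_warning(),  # 2. fs below warning threshold
             lambda f: not f.fs.at_action())   # 3. fs below action threshold
    for ok in tiers:
        for f in candidates:
            if ok(f):
                return f
    return None


def on_action_threshold(current, files, now, switching=True, overwrite=False,
                        shutdown=True) -> Tuple[str, Optional[str]]:
    """Decision when the action threshold is reached: switch, overwrite, halt or stop."""
    target = find_switch_target(current, files, now) if switching else None
    if target is not None:
        return ("switch", target.path)
    if overwrite:                       # audit -o
        return ("overwrite", current.path)
    return ("halt", None) if shutdown else ("stop", None)  # audit -s


def size_limit_reached(f: AuditFile) -> bool:
    """The daemon acts at 98% of the established size limit."""
    return f.max_size is not None and f.size * 100 >= f.max_size * 98


def on_size_limit(current, files, now) -> Tuple[str, str]:
    """Size/expiration search: tier-1 criteria only; if nothing qualifies, the limit is ignored."""
    for f in files:
        if f is not current and tier1(f, now):
            return ("switch", f.path)
    return ("continue", current.path)


# Constructed file systems and audit file list (paths are placeholders).
FS_A = FileSystem("fsA", 1000, 985)  # 98.5%: at the action threshold
FS_B = FileSystem("fsB", 1000, 960)  # 96%: past warning, below action
FS_C = FileSystem("fsC", 1000, 900)  # 90%: 50 blocks of room below warning
CURRENT = AuditFile("/audit/a1", FS_A, size=98, max_size=100)
A2 = AuditFile("/audit/a2", FS_A)                # same file system: never chosen on action
B1 = AuditFile("/audit/b1", FS_B)
C1 = AuditFile("/audit/c1", FS_C, max_size=100)  # cannot grow by 100 within 50 blocks of room
C2 = AuditFile("/audit/c2", FS_C, max_size=40)   # fits: tier 1
C3 = AuditFile("/audit/c3", FS_C, expires=100)   # expired once now > 100

if __name__ == "__main__":
    print(on_action_threshold(CURRENT, [A2, B1, C1, C2], now=200))  # ('switch', '/audit/c2')
```

The list order only breaks ties within a tier: c2 wins over b1 and c1 above even though it is last in the list, because it is the only tier-1 candidate.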

The audit daemon is normally started as part of the system boot procedure.  It should generally have the -f and -s options specified to recreate the communications endpoint if needed, and shut the system down if an initialization error occurs. 

System shutdown in the case of audit daemon failure is advisable.  Without a functioning audit daemon, file errors cannot be handled smoothly (e.g., audit file switching and overwriting cannot occur and File System Full warnings cannot be issued), and audit state changes cannot be executed (e.g., auditing cannot be turned on or off, audit files cannot be specified, and automatic shutdown on audit subsystem failure cannot be changed).  Note that if auditing is on, audit data collection and storage will continue correctly as long as no file errors occur and no audit state changes are requested.  However, if auditing is active and auditing cannot be performed (e.g., the file system containing the current audit file becomes full), the kernel will suspend all processes generating audit data and will attempt to send an audit panic message to the audit daemon.  If the audit daemon is functioning, audit_d will either shut down the system or disable auditing, depending on the action previously specified by root.  If the audit daemon has malfunctioned, the kernel will shut down the system or disable auditing. 

Most noncritical error messages (such as problems allocating space, or unexpected return codes from system calls) are written to the audit log but neither displayed on the console nor sent to the users on the warning list.  To see all messages, the -m option should be specified when starting the audit daemon. 

FILES

/usr/spool/audit/CFIFO FIFO to send commands to the audit daemon

/usr/spool/audit/RFIFO FIFO to get responses from the audit daemon

/usr/spool/audit/ALOCK Lock file for the audit command

/usr/spool/audit/DLOCK Lock file for the audit daemon

/usr/spool/audit/last_state Last state of the audit daemon

/usr/spool/audit/audit_log Log file of problems, errors, etc. 

/etc/shadow Reference file for validation of user names

/etc/utmp Reference file for list of logged-in users for notification

SEE ALSO

audit(1M), au_ctl(3A), audit_sys(5)

DIAGNOSTICS

If the audit daemon is unable to initialize itself, it will exit with a nonzero exit code, as shown below.  Once the daemon creates a child process, the parent terminates with an exit code of zero.  If the child exits (which occurs under only the most extreme circumstances), it will use an exit code of 99.  The exit codes possible from audit_d are as follows:

0 OK, child process created. 

1 User is not root. 

2 Could not create lock file. 

3 Invalid option. 

4 Could not get pmask. 

5 Could not set pmask. 

6 Could not initialize state. 

7 Could not set subject parameters. 

8 Could not set object parameters. 

9 Could not restart auditing. 

10 Auditing state unknown. 

11 Could not allocate memory. 

12 FIFO queue already exists. 

13 Cannot create FIFO queue. 

16 Could not fork child process. 

Diagnostic messages are intended to be self-explanatory. 

(Security Enhancement)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026