audit_file(4) — FILE FORMATS
NAME
audit_file − audit system data file
SYNOPSIS
#include <sys/audit.h>
DESCRIPTION
audit_file is the audit system’s binary format file that contains all event records generated while the audit system was active. Each event record is in the following format:
audit_header event_header event_info event_header event_info ...
There can be a maximum of 10 events (defined by AU_STACK_BUFS in <sys/audit.h>) associated with an audit header record. Following are the definitions of the various portions of the audit record:
audit_header
This structure is defined in <sys/audit.h>:
struct au_header
{
    ushort magic;      /* magic number to id start of rec */
    ushort version;    /* version that created record */
    uid_t  auid;       /* audit uid from proc table */
    uid_t  ruid;       /* real uid from u_area or proc table */
    uid_t  euid;       /* effective uid from u_area */
    gid_t  rgid;       /* real gid from u_area */
    gid_t  egid;       /* effective gid from u_area */
    ushort class;      /* audit class from sysent or au_entry() */
    uint   syscall;    /* system call number (index into sysent) */
    uint   syscparam;  /* first parameter of system call */
    ushort nentries;   /* number of auditbufs in record */
    pid_t  pid;        /* process id from proc table */
    pid_t  ppid;       /* parent's process id from proc table */
    ulong  seq_no;     /* audit record sequence number */
    dev_t  term;       /* controlling terminal from u_area */
    time_t timest;     /* time of audit event from time */
    int    errno;      /* errno from sys call or status from command */
};
event_header
This structure is defined in <sys/audit.h>:
struct auditbuf
{
    uchar  reason;      /* reason audit event occurred */
    uchar  msg_type;    /* type of message (AU_USTR, etc.) */
    ushort event_type;  /* determines subclass */
    ushort msg_len;     /* indicates length of data when needed */
    ulong  object;      /* msqid, inode pointer, etc. */
    union msg_u msg;    /* event data; see below */
};
event_info
This is an event-specific data region whose length is given by the msg_len field of the auditbuf structure. The data region is expressed as a union within the auditbuf structure; however, it is logically separate and, in the file, follows the fixed auditbuf fields. The format of the event data is selected by the msg_type field of auditbuf:
AU_USTR or AU_KSTR      Character string
AU_INT                  Integer
AU_UDATA or AU_KDATA    A byte stream
AU_PROC                 Process information
AU_FSEC                 File security information
AU_SOCK                 Socket communication information
AU_IPC                  Interprocess communication information
AU_USER                 User information
AU_AU                   An audit mask
Additional message types can be defined as desired with corresponding event data. The union that describes the event data is defined in <sys/audit.h>:
union msg_u
{
    char   buf[1];                      /* used in file record, start of data */
    long   i_msg;                       /* integer value */
    caddr_t p_msg;                      /* pointer to data */
    struct fsec_obj_info fsec_msg;      /* file object audit info */
    struct proc_info     pr_msg;        /* process object audit info */
    struct sock_obj_info sock_msg;      /* socket object audit info */
    struct ipc_obj_info  ip_msg;        /* ipc object audit info */
    aumask_t am_msg;                    /* an audit mask */
};
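The following is an added example, not part of this manual page or of the system's own audit sources. It is a bounds-checked reader for one record in the layout described above: an au_header, then nentries auditbuf entries, each followed by msg_len bytes of event data. It assumes a little-endian file with no padding, 32-bit stand-ins for the platform typedefs uid_t, gid_t, pid_t, dev_t and time_t, a placeholder magic value (AU_MAGIC) and placeholder msg_type numbers (the real ones come from <sys/audit.h>), and that msg_len gives the length of the event data for every message type. The sample record it builds is constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define AU_STACK_BUFS 10           /* max auditbufs per header record (from the page) */
#define AU_MAGIC      0xAAEEu      /* ASSUMED: the real value is in <sys/audit.h> */
enum { AU_USTR = 1, AU_KSTR = 2, AU_INT = 3 };   /* ASSUMED msg_type encodings */

struct au_event {                  /* one auditbuf plus a view of its event_info */
    uint8_t  reason, msg_type;
    uint16_t event_type, msg_len;
    uint32_t object;
    const uint8_t *data;           /* msg_len bytes inside the caller's buffer */
};
struct au_record {                 /* au_header with ASSUMED 32-bit uid/pid/dev/time */
    uint16_t magic, version, au_class, nentries;
    uint32_t auid, ruid, euid, rgid, egid, syscall, syscparam;
    uint32_t pid, ppid, seq_no, term, timest;
    int32_t  err;
    struct au_event ev[AU_STACK_BUFS];
};

/* Bounds-checked little-endian reads: no field is used before its bytes exist. */
struct cur { const uint8_t *p; size_t left; };
static int rd8(struct cur *c, uint8_t *v)
{ if (c->left < 1) return -1; *v = *c->p++; c->left--; return 0; }
static int rd16(struct cur *c, uint16_t *v)
{ if (c->left < 2) return -1; *v = (uint16_t)(c->p[0] | c->p[1] << 8); c->p += 2; c->left -= 2; return 0; }
static int rd32(struct cur *c, uint32_t *v)
{ if (c->left < 4) return -1;
  *v = (uint32_t)c->p[0] | (uint32_t)c->p[1] << 8 | (uint32_t)c->p[2] << 16 | (uint32_t)c->p[3] << 24;
  c->p += 4; c->left -= 4; return 0; }

/* Parses one record (au_header + nentries auditbufs, each followed by msg_len
 * bytes of event data). Returns bytes consumed, or <0 for a malformed record. */
long parse_audit_record(const uint8_t *buf, size_t len, struct au_record *r)
{
    struct cur c = { buf, len };
    uint32_t e32;
    memset(r, 0, sizeof *r);
    if (rd16(&c, &r->magic) || rd16(&c, &r->version) || rd32(&c, &r->auid) ||
        rd32(&c, &r->ruid) || rd32(&c, &r->euid) || rd32(&c, &r->rgid) ||
        rd32(&c, &r->egid) || rd16(&c, &r->au_class) || rd32(&c, &r->syscall) ||
        rd32(&c, &r->syscparam) || rd16(&c, &r->nentries) || rd32(&c, &r->pid) ||
        rd32(&c, &r->ppid) || rd32(&c, &r->seq_no) || rd32(&c, &r->term) ||
        rd32(&c, &r->timest) || rd32(&c, &e32))
        return -1;                                 /* truncated au_header */
    r->err = (int32_t)e32;
    if (r->magic != AU_MAGIC)        return -2;    /* not at a record boundary */
    if (r->nentries > AU_STACK_BUFS) return -3;    /* above the documented maximum */
    for (unsigned i = 0; i < r->nentries; i++) {
        struct au_event *e = &r->ev[i];
        if (rd8(&c, &e->reason) || rd8(&c, &e->msg_type) || rd16(&c, &e->event_type) ||
            rd16(&c, &e->msg_len) || rd32(&c, &e->object))
            return -4;                             /* truncated auditbuf */
        if (e->msg_len > c.left)     return -5;    /* msg_len runs past the buffer */
        e->data = c.p; c.p += e->msg_len; c.left -= e->msg_len;
    }
    return (long)(len - c.left);
}

/* Copies an AU_USTR/AU_KSTR payload out as a NUL-terminated string; the
 * stored bytes are not trusted to carry a terminator of their own. */
int au_event_string(const struct au_event *e, char *out, size_t cap)
{
    size_t n = e->msg_len;
    if (e->msg_type != AU_USTR && e->msg_type != AU_KSTR) return -1;
    if (n && e->data[n - 1] == '\0') n--;
    if (n >= cap) return -1;
    memcpy(out, e->data, n); out[n] = '\0';
    return 0;
}

/* Constructed sample (not real audit output): a setuid-root process opening
 * /etc/passwd, recorded as two events, the path string and an integer flags
 * value. nentries is taken from the caller so a header that lies about its
 * entry count can be fed to the parser. */
static void wr16(uint8_t **p, uint16_t v) { (*p)[0] = v & 0xff; (*p)[1] = v >> 8; *p += 2; }
static void wr32(uint8_t **p, uint32_t v) { for (int i = 0; i < 4; i++) (*p)[i] = (v >> 8*i) & 0xff; *p += 4; }
size_t build_sample_record(uint8_t *buf, uint16_t nentries)
{
    static const char path[] = "/etc/passwd";
    uint8_t *p = buf;
    wr16(&p, AU_MAGIC); wr16(&p, 1);                 /* magic, version */
    wr32(&p, 1001); wr32(&p, 1001); wr32(&p, 0);     /* auid, ruid, euid (euid 0: setuid) */
    wr32(&p, 100); wr32(&p, 100); wr16(&p, 7);       /* rgid, egid, class (arbitrary) */
    wr32(&p, 5); wr32(&p, 0); wr16(&p, nentries);    /* syscall, syscparam, nentries */
    wr32(&p, 4242); wr32(&p, 1); wr32(&p, 77);       /* pid, ppid, seq_no */
    wr32(&p, 0); wr32(&p, 1700000000u); wr32(&p, 0); /* term, timest, errno = 0 */
    *p++ = 0; *p++ = AU_USTR; wr16(&p, 1); wr16(&p, sizeof path); wr32(&p, 0);
    memcpy(p, path, sizeof path); p += sizeof path;  /* event 1: the path */
    *p++ = 0; *p++ = AU_INT;  wr16(&p, 2); wr16(&p, 4); wr32(&p, 0);
    wr32(&p, 2);                                     /* event 2: the flags integer */
    return (size_t)(p - buf);
}
```

The two fields worth distrusting in a trail are nentries and msg_len: a corrupt or crafted file can set either so that a naive reader that overlays struct au_header and struct auditbuf on the buffer walks past its end. The reader above rejects a count above AU_STACK_BUFS and a msg_len longer than the bytes remaining before touching any event data, and returns a distinct code for each failure so a reporting tool can say where in the record the trail broke.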
Refer to audit(4) for a list of commands and system calls that are audited.
FILES
/usr/include/sys/audit.h    audit system data file
SEE ALSO
audit(4), audit_alias(4), audit_sys(5)
(Security Enhancement)