audit_file(4) — Motorola System V 88k Release 4 Version 4.3

audit_file(4)  —  FILE FORMATS

NAME

audit_file − audit system data file

SYNOPSIS

#include <sys/audit.h>

DESCRIPTION

audit_file is the audit system’s binary format file that contains all event records generated while the audit system was active.  Each event record is in the following format:

audit_header event_header event_info event_header event_info ...

There can be a maximum of 10 events (defined by AU_STACK_BUFS in <sys/audit.h>) associated with an audit header record.  Following are the definitions of the various portions of the audit record:

audit_header
This structure is defined in <sys/audit.h>:

struct au_header
{
    ushort   magic;        /* magic number to id start of rec */
    ushort   version;      /* version that created record */
    uid_t    auid;         /* audit uid from proc table */
    uid_t    ruid;         /* real uid from u_area or proc table */
    uid_t    euid;         /* effective uid from u_area */
    gid_t    rgid;         /* real gid from u_area */
    gid_t    egid;         /* effective gid from u_area */
    ushort   class;        /* audit class from sysent or au_entry() */
    uint     syscall;      /* system call number (index into sysent) */
    uint     syscparam;    /* first parameter of system call */
    ushort   nentries;     /* number of auditbufs in record */
    pid_t    pid;          /* process id from proc table */
    pid_t    ppid;         /* parent’s process id from proc table */
    ulong    seq_no;       /* audit record sequence number */
    dev_t    term;         /* controlling terminal from u_area */
    time_t   timest;       /* time of audit event from time */
    int      errno;        /* errno from sys call or status from command */
};

event_header
This structure is defined in <sys/audit.h>:

struct auditbuf
{
    uchar           reason;     /* reason audit event occurred */
    uchar           msg_type;   /* type of message (AU_USTR, etc.) */
    ushort          event_type; /* determines subclass */
    ushort          msg_len;    /* indicates length of data when needed */
    ulong           object;     /* msqid, inode pointer, etc. */
    union msg_u     msg;        /* event data; see below */
};

event_info
This is an event-specific data region whose length is provided in the msg_len field of the auditbuf structure.  The data region is expressed as a union within the auditbuf structure; however, it is logically separate.  The format of the structure (event data) is defined by the msg_type field of auditbuf:

AU_USTR or AU_KSTR      Character string
AU_INT                  Integer
AU_UDATA or AU_KDATA    A byte stream
AU_PROC                 Process information
AU_FSEC                 File security information
AU_SOCK                 Socket communication information
AU_IPC                  Interprocess communication information
AU_USER                 User information
AU_AU                   An audit mask

Additional message types can be defined as desired with corresponding event data.  The union that describes the event data is defined in <sys/audit.h>:

union msg_u
{
    char                 buf[1];    /* used in file record, start of data */
    long                 i_msg;     /* integer value */
    caddr_t              p_msg;     /* pointer to data */
    struct fsec_obj_info fsec_msg;  /* file object audit info */
    struct proc_info     pr_msg;    /* process object audit info */
    struct sock_obj_info sock_msg;  /* socket object audit info */
    struct ipc_obj_info  ip_msg;    /* ipc object audit info */
    aumask_t             am_msg;    /* an audit mask */
};

Refer to audit(4) for the list of commands and system calls that are audited.
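As an added example (not code from this manual or from the Motorola system), the following C program mirrors au_header and the fixed part of auditbuf with fixed-width types, builds a constructed two-event record in that layout, and walks it the way an audit-trail reader would: header first, then nentries (capped at AU_STACK_BUFS) auditbuf fixed parts, each followed by the msg_len bytes of event_info. AU_MAGIC, the AU_* values, the fixed-width field sizes and the sample pid/uid/pathname values are all assumptions; the host’s padding and byte order stand in for the 88k’s, so the layout matches a real audit file only when the reader is built against the real <sys/audit.h> on that system.

```c
/* Walk one audit_file(4) record: au_header, then nentries events, each an
 * auditbuf fixed part followed by msg_len bytes of event data. Added example,
 * not code from the manual or the Motorola system. The struct mirrors use
 * fixed-width types in the page's field order with the host's padding and
 * byte order (a real 88k file needs the real <sys/audit.h> layout and
 * big-endian decoding); AU_MAGIC and the AU_* values are placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define AU_STACK_BUFS 10          /* max events per header, per the page */
#define AU_MAGIC      0xA0D1      /* placeholder: the real magic is not on the page */
enum { AU_USTR = 1, AU_KSTR, AU_INT, AU_UDATA, AU_KDATA, AU_PROC,
       AU_FSEC, AU_SOCK, AU_IPC, AU_USER, AU_AU };   /* placeholder values */

struct au_header {                /* mirrors struct au_header on the page */
    uint16_t magic, version;
    uint32_t auid, ruid, euid, rgid, egid;
    uint16_t class;
    uint32_t syscall, syscparam;
    uint16_t nentries;
    int32_t  pid, ppid;
    uint32_t seq_no, term;
    int32_t  timest;
    int32_t  err;                 /* 'errno' on the page; renamed to dodge the macro */
};

struct au_evhdr {                 /* fixed part of struct auditbuf, up to union msg_u */
    uint8_t  reason, msg_type;
    uint16_t event_type, msg_len;
    uint32_t object;
};

struct au_event {                 /* parser output; data points into the record */
    uint8_t msg_type; uint16_t event_type; const uint8_t *data; size_t len;
};

/* Returns the number of events in the record, or -1 if it is malformed or truncated.
 * Every length is checked against the buffer before use, so a corrupt or hostile
 * audit file cannot make the reader run past the end. */
int au_parse_record(const uint8_t *buf, size_t n, struct au_header *hdr,
                    struct au_event *ev, int max_ev)
{
    struct au_header h;
    if (n < sizeof h) return -1;
    memcpy(&h, buf, sizeof h);
    if (h.magic != AU_MAGIC || h.nentries > AU_STACK_BUFS || h.nentries > max_ev)
        return -1;
    size_t off = sizeof h;
    for (int i = 0; i < h.nentries; i++) {
        struct au_evhdr eh;
        if (n - off < sizeof eh) return -1;
        memcpy(&eh, buf + off, sizeof eh);
        off += sizeof eh;
        if (n - off < eh.msg_len) return -1;   /* event data must lie inside the record */
        ev[i] = (struct au_event){ eh.msg_type, eh.event_type, buf + off, eh.msg_len };
        off += eh.msg_len;
    }
    *hdr = h;
    return h.nentries;
}

/* Build a constructed sample record (one AU_USTR pathname, one AU_INT) in the
 * layout the parser reads. Returns the record length, or 0 if cap is too small. */
size_t au_build_sample(uint8_t *out, size_t cap)
{
    static const char path[] = "/etc/passwd";          /* constructed sample data */
    int32_t flags = 0x601;                              /* constructed sample data */
    struct au_header h = { .magic = AU_MAGIC, .version = 1, .auid = 100, .ruid = 100,
        .rgid = 1, .egid = 1, .class = 2, .syscall = 5, .nentries = 2, .pid = 42,
        .ppid = 1, .seq_no = 7 };
    struct au_evhdr e1 = { .reason = 1, .msg_type = AU_USTR, .msg_len = sizeof path };
    struct au_evhdr e2 = { .reason = 1, .msg_type = AU_INT,  .msg_len = sizeof flags };
    size_t need = sizeof h + sizeof e1 + sizeof path + sizeof e2 + sizeof flags;
    if (cap < need) return 0;
    uint8_t *p = out;
    memcpy(p, &h, sizeof h);       p += sizeof h;
    memcpy(p, &e1, sizeof e1);     p += sizeof e1;
    memcpy(p, path, sizeof path);  p += sizeof path;
    memcpy(p, &e2, sizeof e2);     p += sizeof e2;
    memcpy(p, &flags, sizeof flags);
    return need;
}

int main(void)
{
    uint8_t rec[256]; struct au_header h; struct au_event ev[AU_STACK_BUFS];
    size_t n = au_build_sample(rec, sizeof rec);
    int cnt = au_parse_record(rec, n, &h, ev, AU_STACK_BUFS);
    printf("pid %ld auid %lu euid %lu events %d\n", (long)h.pid,
           (unsigned long)h.auid, (unsigned long)h.euid, cnt);
    for (int i = 0; i < cnt; i++)
        if (ev[i].msg_type == AU_USTR)
            printf("  AU_USTR \"%.*s\"\n", (int)ev[i].len, (const char *)ev[i].data);
        else
            printf("  msg_type %u, %zu data bytes\n", (unsigned)ev[i].msg_type, ev[i].len);
    /* A record cut short must be rejected, not read past its end. */
    printf("truncated record -> %d\n", au_parse_record(rec, n - 3, &h, ev, AU_STACK_BUFS));
    return 0;
}
```

The checks that matter for a reader of untrusted audit data are the three made before any event is dereferenced: the magic, nentries against AU_STACK_BUFS, and each msg_len against the bytes remaining; a bad msg_len otherwise desynchronises every later event in the file. Fixed-size message types (AU_INT, AU_AU and the struct-valued ones) are framed here by msg_len as well, following the DESCRIPTION; if a producer leaves msg_len zero for those, the reader needs a per-type size table taken from <sys/audit.h> instead.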

FILES

/usr/include/sys/audit.h     audit system data file

SEE ALSO

audit(4), audit_alias(4), audit_sys(5)

(Security Enhancement)

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026