auditd(ADM) — OpenDesktop 1.0.0y

     AUDITD(ADM)                        UNIX System V



     Name
          auditd - read audit collection files generated by the  audit
                   subsystem and compact the records


     Syntax
          /tcb/bin/auditd [ -y ] [ -n ]


     Description
          auditd is the audit daemon process which is spawned whenever
          the   audit   subsystem  is  enabled.  The  audit  subsystem
          continually  generates  audit  records   writing   them   to
          intermediate  files  called  audit  collection files. At any
          time, there may be many collection files since the subsystem
          continually  switches  files  to  ensure that no single file
          grows excessively large.

          The daemon is responsible for reading the  audit  collection
          file  records from the subsystem, compacting them to provide
          space savings, and writing the compacted  records  to  files
          which  will later be used for reduction. To read the records
          from the subsystem, the daemon uses the /dev/auditr  device.
          The  daemon  exclusively reads this file which is managed by
          the subsystem.  Each read request returns a  block  of  data
          from a collection file. The audit subsystem ensures that the
          data is returned in the proper order and also  handles  file
          management  associated  with  the multiple collection files.
          This provides the daemon with a single read focal point.

          As a block  of  data  is  returned  to  the  daemon,  it  is
          optionally  compacted  and  the  record  along with its size
          prepended is written to the current audit output file.  Like
          the  audit  subsystem, the daemon is capable of writing many
          different  output  files  in  a  number   of   administrator
          specified  directories  to  avoid  overflowing  any one file
          system. As each output file is written, the  daemon  records
          the  name  in  a  log  file  which  is used by the reduction
          program.  This  log  file  provides  an  output  file  trail
          alleviating  the  need for the administrator to keep up with
          file generation or to recreate the sequence of  output  file
          writing.   The  compaction of output files and the selection
          of audit directories  is  controlled  by  the  administrator
          interface utility auditsh(ADM).

          Each time the  audit  subsystem  is  enabled,  a  new  audit
          session  is  created. The session is identified by a session
          ID which is used to stamp the output files generated by  the
          audit daemon and the log file that identifies them.  auditif
          is used to examine daemon log files in the  /tcb/files/audit
          directory  to  identify the session and the date/time of the
          start  and  end  of  the  session.  In  this   manner,   the
          administrator  need  not  know  the  session ID but only the
          dates for which data reduction is desired.

          When the daemon is started, a recovery mechanism is  invoked
          to  determine  if  the previous audit session was terminated
          normally. If abnormal termination  occurred,  there  may  be
          audit  records  written by the subsystem to collection files
          that were not read by the daemon and compacted to  an  audit
          output  file.  The  daemon  recovery  mechanism provides the
          capability to recover these records and  update  the  output
          files  from  the previous session as necessary. The recovery
          mechanism  will  interactively  query  whether  recovery  is
          desired  if  abnormal  termination  occurred.  The -y and -n
          options may be used to avoid the interactive question.

          The daemon also provides a  mechanism  whereby  applications
          that  are  not privileged to open and write audit records to
          the audit device are able to send the daemon audit  records.
          These  are,  in  turn,  written  to the audit subsystem. To
          provide this service, the daemon  creates  a  message  queue
          which only certain applications with specific permission are
          able to send messages  to.  When  one  of  the  applications
          wishes to generate an audit record using this mechanism, the
          record is first constructed and then written to the  message
          queue.  The specific message queue is identified in the file
          /tcb/files/audit/auditdmninfo.  This  file   contains   the
          audit_dmninfo structure which is defined in the include file
          sys/audit.h. The first field is the process ID of the daemon
          and  the  second is the message queue identifier.  After the
          message has been written to the queue  by  the  application,
          the  application  will  generate  a  SIGUSR1  to  the daemon
          indicating a message is  waiting.  The  daemon  responds  by
          reading  the  message  queue  and  writing the record to the
          audit subsystem device.
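          The submission handoff described above, as an added example
          that is not part of this manual page or of SCO's code: both
          sides are played inside one process, the audit_dmninfo field
          layout, message type and record wrapper are assumptions (the
          real sys/audit.h is not on this page), the struct is handed
          over in memory instead of through /tcb/files/audit/audit_dmninfo,
          and the daemon's group is assumed to be the audit group whose
          members are permitted to submit.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed layout of audit_dmninfo: daemon pid first, message queue id second. */
struct audit_dmninfo { pid_t pid; int msqid; };
#define AUD_MSGTYPE 1L
#define AUD_MAXREC  128
struct audmsg { long mtype; char rec[AUD_MAXREC]; };   /* assumed record wrapper */
static volatile sig_atomic_t audit_pending;   /* set when an application signals us */
static void on_sigusr1(int sig) { (void)sig; audit_pending = 1; }

/* Daemon side: create the queue writable by owner and group only, so only the
 * daemon's group (assumed to be the audit group) can submit, never the world. */
int daemon_setup(struct audit_dmninfo *info) {
    struct sigaction sa;
    int id = msgget(IPC_PRIVATE, IPC_CREAT | S_IRUSR | S_IWUSR | S_IWGRP);
    if (id < 0) return -1;
    info->pid = getpid(); info->msqid = id;
    memset(&sa, 0, sizeof sa); sa.sa_handler = on_sigusr1;
    return sigaction(SIGUSR1, &sa, NULL);
}

/* Application side: build the record, queue it, then raise SIGUSR1 at the
 * daemon pid taken from audit_dmninfo. */
int app_submit(const struct audit_dmninfo *info, const char *record) {
    struct audmsg m; size_t n = strlen(record);
    if (n >= AUD_MAXREC) return -1;
    m.mtype = AUD_MSGTYPE; memcpy(m.rec, record, n + 1);
    if (msgsnd(info->msqid, &m, n + 1, 0) < 0) return -1;
    return kill(info->pid, SIGUSR1);
}

/* Daemon side: once signalled, drain every waiting message into out[] (the real
 * daemon would write each to /dev/auditw); refuse a queue widened to world-writable. */
int daemon_drain(const struct audit_dmninfo *info, char out[][AUD_MAXREC], int max) {
    struct msqid_ds ds; struct audmsg m; int n = 0;
    if (!audit_pending) return 0;
    audit_pending = 0;
    if (msgctl(info->msqid, IPC_STAT, &ds) < 0 || (ds.msg_perm.mode & S_IWOTH)) return -1;
    while (n < max && msgrcv(info->msqid, &m, AUD_MAXREC, AUD_MSGTYPE, IPC_NOWAIT) >= 0) {
        m.rec[AUD_MAXREC - 1] = '\0';   /* never trust the sender's terminator */
        memcpy(out[n++], m.rec, AUD_MAXREC);
    }
    return n;
}
int daemon_teardown(const struct audit_dmninfo *info) { return msgctl(info->msqid, IPC_RMID, NULL); }
```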


     Files
          /dev/auditr
          /dev/auditw
          /tcb/files/audit/audit_dmninfo
          /tcb/files/audit/CAFLOG.xxxxxx


     See Also
          audit(HW), ``Maintaining System Security,'' chapter  of  the
          System Administrator's Guide


     Diagnostics
          Upon successful completion at the termination of auditing by
          the  subsystem,  the  program  exits  with  a  status  of 0.
          Otherwise, a diagnostic message is printed and  the  program
          exits with a status of -1.


     Value Added
          auditd is an extension of AT&T  System  V  provided  by  the
          Santa Cruz Operation.


     (printed 8/23/89)                                  AUDITD(ADM)
