AUDITD(ADM) UNIX System V
Name
auditd - read audit collection files generated by the audit
subsystem and compact the records
Syntax
/tcb/bin/auditd [ -y ] [ -n ]
Description
auditd is the audit daemon process which is spawned whenever
the audit subsystem is enabled. The audit subsystem
continually generates audit records writing them to
intermediate files called audit collection files. At any
time, there may be many collection files since the subsystem
continually switches files to ensure that no single file
grows excessively large.
The daemon is responsible for reading the audit collection
file records from the subsystem, compacting them to provide
space savings, and writing the compacted records to files
which will later be used for reduction. To read the records
from the subsystem, the daemon uses the /dev/auditr device.
The daemon exclusively reads this file which is managed by
the subsystem. Each read request returns a block of data
from a collection file. The audit subsystem ensures that the
data is returned in the proper order and also handles file
management associated with the multiple collection files.
This provides the daemon with a single read focal point.
As a block of data is returned to the daemon, it is
optionally compacted and the record along with its size
prepended is written to the current audit output file. Like
the audit subsystem, the daemon is capable of writing many
different output files in a number of administrator
specified directories to avoid overflowing any one file
system. As each output file is written, the daemon records
the name in a log file which is used by the reduction
program. This log file provides an output file trail
alleviating the need for the administrator to keep up with
file generation or to recreate the sequence of output file
writing. The compaction of output files and the selection
of audit directories is controlled by the administrator
interface utility auditsh(ADM).
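The size-prepended record layout described above, and the partial trailing record that an abnormally terminated session can leave behind, as an added illustration. This code is not from the auditd man page or from SCO; the real on-disk encoding (width and byte order of the size field, the compaction format) is not given on the page, so the example assumes a 4-byte little-endian length prefix and stores record bodies uncompacted. The sample records are constructed.

```c
/* Added example (not SCO's auditd code).  Models the output-file layout the
 * page describes: each record is written with its size prepended.
 * ASSUMPTION: 4-byte little-endian length prefix, uncompacted body. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4          /* assumed width of the size prefix */
#define MAX_RECORD 4096    /* assumed sanity bound for one record */

/* Append one record to buf as <size><body>.  Returns bytes written, or 0 if
 * the record is empty, unreasonably large, or does not fit. */
size_t frame_record(uint8_t *buf, size_t cap, size_t used,
                    const uint8_t *body, size_t body_len)
{
    if (body_len == 0 || body_len > MAX_RECORD) return 0;
    if (used > cap || cap - used < HDR_LEN + body_len) return 0;
    uint8_t *p = buf + used;
    p[0] = (uint8_t)(body_len);
    p[1] = (uint8_t)(body_len >> 8);
    p[2] = (uint8_t)(body_len >> 16);
    p[3] = (uint8_t)(body_len >> 24);
    memcpy(p + HDR_LEN, body, body_len);
    return HDR_LEN + body_len;
}

struct walk_result {
    size_t complete;   /* whole records found */
    size_t consumed;   /* bytes covered by those records */
    int truncated;     /* 1 if trailing bytes do not form a whole record */
};

/* Walk a file image record by record.  A cut-off record at the end is what a
 * daemon that died mid-write leaves behind; report it rather than reading
 * past the end of the buffer.  consumed tells a recovery pass where the
 * last intact record ends. */
struct walk_result walk_records(const uint8_t *buf, size_t len)
{
    struct walk_result r = {0, 0, 0};
    size_t off = 0;
    while (off < len) {
        if (len - off < HDR_LEN) { r.truncated = 1; break; }
        uint32_t n = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8) |
                     ((uint32_t)buf[off + 2] << 16) | ((uint32_t)buf[off + 3] << 24);
        if (n == 0 || n > MAX_RECORD || n > len - off - HDR_LEN) {
            r.truncated = 1;
            break;
        }
        off += HDR_LEN + n;
        r.complete++;
        r.consumed = off;
    }
    return r;
}

/* Constructed image: two whole records plus a third cut short, as after an
 * abnormal termination.  Returns the number of complete records (2) when
 * the truncation is detected, or (size_t)-1 if it is not. */
size_t demo_truncated_image(void)
{
    uint8_t img[128];
    size_t used = 0;
    const char *a = "login uid=100";        /* constructed sample records */
    const char *b = "chmod 0777 /tmp/x";
    const char *c = "exec /bin/sh";
    used += frame_record(img, sizeof img, used, (const uint8_t *)a, strlen(a));
    used += frame_record(img, sizeof img, used, (const uint8_t *)b, strlen(b));
    used += frame_record(img, sizeof img, used, (const uint8_t *)c, strlen(c));
    /* simulate the crash: the last 5 bytes of the third record never hit disk */
    struct walk_result r = walk_records(img, used - 5);
    return r.truncated ? r.complete : (size_t)-1;
}
```

The bound on the size field matters as much as the truncation check: a corrupted prefix that claims a huge length would otherwise send a reduction program far past the end of the file.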
Each time the audit subsystem is enabled, a new audit
session is created. The session is identified by a session
ID which is used to stamp the output files generated by the
audit daemon and the log file that identifies them. auditif
is used to examine daemon log files in the /tcb/files/audit
directory to identify the session and the date/time of the
start and end of the session. In this manner, the
administrator need not know the session ID but only the
dates for which data reduction is desired.
When the daemon is started, a recovery mechanism is invoked
to determine if the previous audit session was terminated
normally. If abnormal termination occurred, there may be
audit records written by the subsystem to collection files
that were not read by the daemon and compacted to an audit
output file. The daemon recovery mechanism provides the
capability to recover these records and update the output
files from the previous session as necessary. The recovery
mechanism will interactively query whether recovery is
desired if abnormal termination occurred. The -y and -n
options may be used to avoid the interactive question.
The daemon also provides a mechanism whereby applications
that are not privileged to open and write audit records to
the audit device are able to send the daemon audit records.
These are, in turn, written to the audit subsystem. To
provide this service, the daemon creates a message queue
which only certain applications with specific permission are
able to send messages to. When one of the applications
wishes to generate an audit record using this mechanism, the
record is first constructed and then written to the message
queue. The specific message queue is identified in the file
/tcb/files/audit/audit_dmninfo. This file contains the
audit_dmninfo structure which is defined in the include file
sys/audit.h. The first field is the process ID of the daemon
and the second is the message queue identifier. After the
message has been written to the queue by the application,
the application will generate a SIGUSR1 to the daemon
indicating a message is waiting. The daemon responds by
reading the message queue and writing the record to the
audit subsystem device.
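The client side of the submission path just described (read the daemon's process ID and queue identifier, put the record on the queue, raise SIGUSR1), as an added example that is not SCO's code and not from this man page. The real audit_dmninfo structure lives in sys/audit.h, which is not used here; the code assumes the two fields are consecutive native ints (process ID first, queue identifier second). The message type value, the struct name dmninfo_example, and the sample record text are placeholders chosen for the example.

```c
/* Added example (not SCO's auditd code).  Submits one audit record through
 * the daemon's message queue as the page describes.
 * ASSUMPTIONS: audit_dmninfo is two consecutive native ints (pid, msgqid);
 * the message type is a placeholder; record text is constructed. */
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/types.h>
#include <unistd.h>

#define DMNINFO_PATH "/tcb/files/audit/audit_dmninfo"
#define AUDIT_MSG_TYPE 1L    /* placeholder; the page does not give mtype */
#define MAX_REC 512

struct dmninfo_example { int pid; int msgqid; };  /* hypothetical mirror of audit_dmninfo */

struct audit_msg { long mtype; char mtext[MAX_REC]; };

/* Parse the two-field record from a raw buffer.  Returns 0 on success, -1 if
 * the buffer is short or the values could not name a live daemon and queue
 * (pid 0 and 1 are refused so a stale file cannot make us signal init). */
int parse_dmninfo(const unsigned char *buf, size_t len, struct dmninfo_example *out)
{
    if (len < sizeof *out) return -1;
    memcpy(out, buf, sizeof *out);
    if (out->pid <= 1 || out->msgqid < 0) return -1;
    return 0;
}

/* Fill in the message.  Returns the body length (text plus NUL) or -1 when
 * the record would not fit: an audit event should be rejected outright
 * rather than silently truncated. */
int build_audit_msg(const char *rec, struct audit_msg *m)
{
    size_t n = strlen(rec);
    if (n == 0 || n >= MAX_REC) return -1;
    m->mtype = AUDIT_MSG_TYPE;
    memcpy(m->mtext, rec, n + 1);
    return (int)n + 1;
}

/* Read audit_dmninfo from disk and parse it. */
int load_dmninfo(const char *path, struct dmninfo_example *out)
{
    unsigned char buf[64];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return parse_dmninfo(buf, n, out);
}

/* msgsnd, then SIGUSR1 to tell the daemon a message is waiting.  msgsnd
 * fails with EACCES unless the caller holds write permission on the queue;
 * that permission check is the access control this path relies on. */
int submit_audit_record(const struct dmninfo_example *d, const char *rec)
{
    struct audit_msg m;
    int n = build_audit_msg(rec, &m);
    if (n < 0) return -1;
    if (msgsnd(d->msgqid, &m, (size_t)n, 0) == -1) return -1;
    if (kill(d->pid, SIGUSR1) == -1) return -1;
    return 0;
}

int main(void)
{
    struct dmninfo_example d;
    if (load_dmninfo(DMNINFO_PATH, &d) != 0) {
        fprintf(stderr, "cannot read or validate %s\n", DMNINFO_PATH);
        return 1;
    }
    /* constructed sample record; the real record layout comes from sys/audit.h */
    if (submit_audit_record(&d, "example-app: login failure for user guest") != 0) {
        perror("submit_audit_record");
        return 1;
    }
    return 0;
}
```

Two checks are worth keeping when adapting this: refuse process IDs that cannot be the daemon before calling kill, and size-check the record before msgsnd so an oversize event fails loudly instead of being lost.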
Files
/dev/auditr
/dev/auditw
/tcb/files/audit/audit_dmninfo
/tcb/files/audit/CAFLOG.xxxxxx
See Also
audit(HW), "Maintaining System Security," chapter of the
System Administrator's Guide
Diagnostics
Upon successful completion at the termination of auditing by
the subsystem, the program exits with a status of 0.
Otherwise, a diagnostic message is printed and the program
exits with a status of -1.
Value Added
auditd is an extension of AT&T System V provided by the
Santa Cruz Operation.
(printed 2/15/90) AUDITD(ADM)