DLVR_AUDIT(ADM) UNIX System V
Name
dlvr_audit - produce audit records for subsystem events
Syntax
/etc/auth/dlvr_audit [ -v ] tstamp event record pid cmd code [ args ... ]
Description
dlvr_audit is used by programs implementing protected
subsystems as the means for sending audit records to the
audit subsystem. Because those programs do not have the
writeaudit privilege, they invoke dlvr_audit which sends the
data over a message queue to the audit daemon, which appends
the record to the audit trail. Because dlvr_audit is run as
a child process of the process producing the record, it does
not have the ability to write the audit device either. The
message queue that it uses is only usable by the audit user,
so dlvr_audit must be run SUID to the audit user. The group
is inherited from the invoking process and is checked
against those groups associated with protected subsystems.
If the group cannot be identified with a protected
subsystem, the record is ignored (so that general user
programs cannot flood the audit subsystem with invalid
messages).
The -v flag forces the program to report all of its actions.
Normally, this flag is not used so that audit records can be
made without the knowledge of the program user.
The required arguments apply to all audit records. The
tstamp argument is the time at which the audit record was
produced, in seconds past Jan 1, 1970, written as an ASCII
number. The event argument is the number of the event
type as described in <sys/audit.h>. Similarly, the record
argument is the audit record format type as described in
<sys/audit.h>. The pid argument is the process ID of the event
process. The cmd argument is the name of the protected
subsystem command. The code argument is specific to the event
type being generated.
There may be 0 or more optional arguments depending on the
code. dlvr_audit uses the extra arguments to fill in
specific fields required by the particular record format.
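The following C sketch is an added example, not SCO's source for dlvr_audit. It shows the front-end checks the description implies: gate on the invoker's group first, then validate the required arguments. The gid table, the verdict names, the audit_req structure and the treatment of record as a number are assumptions made for illustration.

```c
/* Added sketch, not SCO source: front-end checks for a SUID audit-delivery helper. */
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>

enum verdict { V_USAGE = -1, V_IGNORE = 0, V_ACCEPT = 1 };

/* Constructed gids standing in for the groups tied to protected subsystems. */
static const gid_t subsystem_gids[] = { 21, 22, 23 };

struct audit_req {
    long tstamp, event, record, pid;   /* numeric fields (record assumed numeric) */
    const char *cmd, *code;            /* kept as opaque strings */
    int nextra;                        /* count of optional args after code */
    char **extra;
};

/* Strict parse: digits only, whole string consumed, no overflow. */
static int parse_num(const char *s, long *out)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9') return -1;
    errno = 0;
    *out = strtol(s, &end, 10);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

static int is_subsystem_gid(gid_t g)
{
    size_t i;
    for (i = 0; i < sizeof subsystem_gids / sizeof subsystem_gids[0]; i++)
        if (subsystem_gids[i] == g) return 1;
    return 0;
}

/* argv = tstamp event record pid cmd code [args...], with any -v already removed.
 * caller_gid is what getgid() returns in the helper: SUID changes only the
 * effective uid, so the group still identifies the invoking program. */
enum verdict check_record(gid_t caller_gid, int argc, char **argv, struct audit_req *r)
{
    /* Gate first: an unrecognized group learns nothing, not even a usage error. */
    if (!is_subsystem_gid(caller_gid)) return V_IGNORE;
    if (argc < 6 || argv[4][0] == '\0' || argv[5][0] == '\0') return V_USAGE;
    if (parse_num(argv[0], &r->tstamp) || parse_num(argv[1], &r->event) ||
        parse_num(argv[2], &r->record) || parse_num(argv[3], &r->pid))
        return V_USAGE;
    r->cmd = argv[4];
    r->code = argv[5];
    r->nextra = argc - 6;
    r->extra = argv + 6;
    return V_ACCEPT;
}
```

Only a V_ACCEPT result would go on to the message queue; V_IGNORE is the silent drop described above for callers whose group is not tied to a protected subsystem.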
See Also
authaudit(S), audit(HW), "Maintaining System Security"
chapter of the System Administrator's Guide
Value Added
dlvr_audit is an extension of AT&T System V provided by the
Santa Cruz Operation.
(printed 2/15/90) DLVR_AUDIT(ADM)