auditd(ADM) — OpenDesktop 3.0.0

 auditd(ADM)                     19 June 1992                     auditd(ADM)


 Name

    auditd - read audit collection files generated by the audit subsystem and
    compact the records

 Syntax

    /tcb/bin/auditd [ -y ] [ -n ]

 Description

    auditd is the audit daemon process which is spawned whenever the audit
    subsystem is enabled. The audit subsystem continually generates audit
    records, writing them to intermediate files called audit collection
    files. At any time, there may be many collection files since the
    subsystem continually switches files to ensure that no single file grows
    excessively large.

    The daemon is responsible for reading the audit collection file records
    from the subsystem, compacting them to provide space savings, and writing
    the compacted records to files which will later be used for reduction. To
    read the records from the subsystem, the daemon uses the /dev/auditr
    device. The daemon exclusively reads this file which is managed by the
    subsystem. Each read request returns a block of data from a collection
    file. The audit subsystem ensures that the data is returned in the proper
    order and also handles file management associated with the multiple
    collection files. This provides the daemon with a single read focal point.

    As a block of data is returned to the daemon, it is optionally compacted
    and the record, with its size prepended, is written to the current audit
    output file. Like the audit subsystem, the daemon is capable of writing
    many different output files in a number of administrator-specified
    directories to avoid overflowing any one file system. As each output file
    is written, the daemon records the name in a log file which is used by
    the reduction program. This log file provides an output file trail,
    alleviating the need for the administrator to keep up with file
    generation or to recreate the sequence of output file writing. The
    compaction of output files and the selection of audit directories is
    controlled by the administrator interface utility auditsh(ADM).

    Each time the audit subsystem is enabled, a new audit session is created.
    The session is identified by a session ID which is used to stamp the
    output files generated by the audit daemon and the log file that
    identifies them. auditif is used to examine daemon log files in the
    /tcb/files/audit directory to identify the session and the date/time of
    the start and end of the session. In this manner, the administrator need
    not know the session ID but only the dates for which data reduction is
    desired.

    When the daemon is started, a recovery mechanism is invoked to determine
    if the previous audit session was terminated normally. If abnormal
    termination occurred, there may be audit records written by the subsystem
    to collection files that were not read by the daemon and compacted to an
    audit output file. The daemon recovery mechanism provides the capability
    to recover these records and update the output files from the previous
    session as necessary. The recovery mechanism will interactively query
    whether recovery is desired if abnormal termination occurred. The -y and
    -n options may be used to avoid the interactive question.
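    The output file framing described above (each record written with its
    size prepended) is what makes recovery after an abnormal termination
    tractable: a scanner can walk the file record by record and stop at the
    first record that is not wholly present. The program below is an added
    example written for this page; it is not SCO's auditd code. It assumes a
    4-byte little-endian length prefix, omits compaction entirely, and uses
    constructed record contents and a /tmp path instead of an audit
    directory, none of which the manual specifies.

```c
/* Added example, not SCO's auditd: writes size-prefixed records the way the
 * text describes, then scans a file whose last record was cut short, as happens
 * when the daemon terminates abnormally. Assumptions (not on the page): a 4-byte
 * little-endian length prefix, no compaction, and constructed record contents. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RECORD 4096   /* upper bound for a sane record; larger means a bad header */

/* Append one record: 4-byte little-endian length, then the record bytes. */
int write_record(FILE *out, const unsigned char *rec, uint32_t len)
{
    unsigned char hdr[4] = { (unsigned char)(len & 0xff), (unsigned char)((len >> 8) & 0xff),
                             (unsigned char)((len >> 16) & 0xff), (unsigned char)((len >> 24) & 0xff) };
    if (fwrite(hdr, 1, 4, out) != 4) return -1;
    if (len != 0 && fwrite(rec, 1, len, out) != len) return -1;
    return 0;
}

/* Walk the file record by record. Stops at the first record that is not
 * completely present (short header, implausible length, or short body) and
 * reports that through *truncated. Returns the number of complete records,
 * or -1 if the file cannot be opened. */
long scan_output_file(const char *path, int *truncated)
{
    FILE *in = fopen(path, "rb");
    if (in == NULL) return -1;
    long count = 0;
    *truncated = 0;
    unsigned char hdr[4], body[MAX_RECORD];
    for (;;) {
        size_t got = fread(hdr, 1, 4, in);
        if (got == 0) break;                               /* clean end of file */
        if (got < 4) { *truncated = 1; break; }            /* header cut short */
        uint32_t len = (uint32_t)hdr[0] | ((uint32_t)hdr[1] << 8) |
                       ((uint32_t)hdr[2] << 16) | ((uint32_t)hdr[3] << 24);
        if (len > MAX_RECORD) { *truncated = 1; break; }   /* garbage where a header should be */
        if (fread(body, 1, len, in) != len) { *truncated = 1; break; } /* body cut short */
        count++;
    }
    fclose(in);
    return count;
}

/* Build a file with three whole records and a fourth whose body is incomplete,
 * mimicking an output file left behind by a daemon that died mid-write. */
static int build_damaged_file(const char *path)
{
    const char *recs[] = { "login user=alice", "exec /bin/ls", "logout user=alice" }; /* constructed */
    FILE *out = fopen(path, "wb");
    if (out == NULL) return -1;
    for (int i = 0; i < 3; i++)
        if (write_record(out, (const unsigned char *)recs[i], (uint32_t)strlen(recs[i])) != 0) {
            fclose(out);
            return -1;
        }
    unsigned char hdr[4] = { 20, 0, 0, 0 };   /* header promises 20 bytes ... */
    fwrite(hdr, 1, 4, out);
    fwrite("login", 1, 5, out);               /* ... but only 5 were written */
    return fclose(out);
}

/* Number of records a reduction step could safely use from the damaged file. */
long demo_recovery(const char *path)
{
    int truncated;
    if (build_damaged_file(path) != 0) return -1;
    return scan_output_file(path, &truncated);
}

/* Whether the scan flagged an incomplete tail (1) or not (0). */
int demo_truncated(const char *path)
{
    int truncated = 0;
    if (build_damaged_file(path) != 0) return -1;
    scan_output_file(path, &truncated);
    return truncated;
}

int main(void)
{
    const char *path = "/tmp/auditd_example.out";
    printf("complete records: %ld, truncated tail: %d\n", demo_recovery(path), demo_truncated(path));
    return 0;
}
```

    The length check against MAX_RECORD matters as much as the short-read
    checks: without it, a partially written header would be read as a huge
    length and the scanner would discard every good record before it rather
    than just the damaged tail.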

    The daemon also provides a mechanism whereby applications that are not
    privileged to open and write audit records to the audit device are able
    to send the daemon audit records. These are, in turn, written to the
    audit subsystem. To provide this service, the daemon creates a message
    queue to which only certain applications with specific permission are
    able to send messages. When one of the applications wishes to generate an
    audit record using this mechanism, the record is first constructed and
    then written to the message queue. The specific message queue is
    identified in the file /tcb/files/audit/audit_dmninfo. This file contains
    the auditdmninfo structure which is defined in the include file
    sys/audit.h. The first field is the process ID of the daemon and the
    second is the message queue identifier. After the message has been
    written to the queue by the application, the application will generate a
    SIGUSR1 to the daemon indicating a message is waiting. The daemon
    responds by reading the message queue and writing the record to the audit
    subsystem device.

 Files

    /dev/auditr
    /dev/auditw
    /tcb/files/audit/audit_dmninfo
    /tcb/files/audit/CAFLOG.xxxxxx

 See also

    audit(HW)

    "Using the audit subsystem," chapter of the System Administrator's
    Guide

 Diagnostics

    Upon successful completion at the termination of auditing by the
    subsystem, the program exits with a status of 0. Otherwise, a diagnostic
    message is printed and the program exits with a status of -1.

 Value added

    auditd is an extension of AT&T System V provided by The Santa Cruz
    Operation, Inc.


Typewritten Software • bear@typewritten.org • Edmonds, WA 98026