dlvr_audit(ADM) 19 June 1992 dlvr_audit(ADM) Name dlvr_audit - produce audit records for subsystem events Syntax /etc/auth/dlvraudit [ -v ] tstamp event record pid cmd code [ args ... ] Description dlvraudit is used by programs implementing protected subsystems as the means for sending audit records to the audit subsystem. Because those programs do not have the writeaudit privilege, they invoke dlvraudit which sends the data over a message queue to the audit daemon, which appends the record to the audit trail. Because dlvraudit is run as a child process of the process producing the record, it does not have the ability to write the audit device either. The message queue that it uses is only usable by the audit user, so dlvraudit must be run SUID to the audit user. The group is inherited from the invoking process and is checked against those groups associated with protected subsystems. If the group cannot be identified with a protected subsystem, the record is ignored (so that general user programs cannot flood the audit subsystem with invalid messages). The -v flag forces the program to report all of its actions. Normally, this flag is not used so that audit records can be made without the knowledge of the program user. The required arguments apply to all audit records. The tstamp argument is the (ASCII number representation of the) time in seconds past Jan 1, 1970 that the audit record was produced. The event argument is the num- ber of the event type as described in sys/audit.h. Similarly, the record argument is the audit record format type as described in sys/audit.h. The pid is the process ID of the event process. cmd is the name of the protected subsystem command. code is specific to the event type being generated. There may be 0 or more optional arguments depending on the code. dlvraudit uses the extra arguments to fill in specific fields required by the particular record format. See also audit(HW), authaudit(S) ``Using the audit subsystem'', chapter of the System Administrator's Guide Value added dlvraudit is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.