unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (HP-UX-11.11)
Page:
Section:
Apropos / Subsearch:
optional field



 audit(4)							    audit(4)




 NAME
      audit - file format and other information for auditing

 SYNOPSIS
      #include <&lt&lt&lt;sys/audit.h>&gt&gt&gt;

 DESCRIPTION
      Audit records are generated when users make security-relevant system
      calls, as well as by self-auditing processes that call audwrite() (see
      audwrite(2)).  Access to the auditing system is restricted to super-
      user.

      Each audit record consists of an audit record header and a record
      body.  The record header is comprised of time, process ID, error,
      event type, and record body length.  The time refers to the time the
      audited event completes in either success or failure; the process ID
      belongs to the process being audited; the event type is a field
      identifying the type of audited activity; the length is the record
      body length expressed in bytes.  The exact format of the header is
      defined in <sys/audit.h> as follows:

	   struct audit_hdr {
	       u_long ah_time;	     /* date/time (tv_sec of timeeval) */
	       u_short ah_pid;	     /* process ID */
	       u_short ah_error;     /* success/failure */
	       u_short ah_event;     /* event being audited */
	       u_short ah_len;	     /* length of variant part */
	   };

      The record body is the variable-length component of an audit record
      containing more information about the audited activity.  For records
      generated by system calls, the body contains the parameters of the
      system calls; for records generated by self-auditing processes, the
      body consists of a high-level description of the event (see
      audwrite(2)).

      The records in the audit file are compressed to save file space.	When
      a process is audited the first time, a pid identification record (PIR)
      is written into the audit file containing information that remains
      constant throughout the lifetime of the process.	This includes the
      parent's process ID, audit ID, real user ID, real group ID, effective
      user ID, effective group ID, and the terminal ID (tty).  The PIR is
      entered only once per process per audit file, and is also defined in
      <sys/audit.h> as follows:

	   struct pir_body {	     /* pir-related info */
	       short   ppid;	     /* parent process ID */
	       int32_t aid;	     /* audit ID */
	       uid_t   ruid;	     /* user_ID */
	       gid_t   rgid;	     /* group ID */
	       uid_t   euid;	     /* effective user_ID */



 Hewlett-Packard Company	    - 1 -   HP-UX Release 11i: November 2000






 audit(4)							    audit(4)




	       gid_t   egid;	     /* effective group_ID */
	       dev_t   tty;	     /* tty number */
	   };

      Information accumulated in an audit file is analyzed and displayed by
      audisp (see audisp(1M)).

      Whenever auditing is turned on, a ``current'' audit file is required
      and a ``next'' audit file (for backup) is recommended (see audsys(1M)
      and audomon(1M)).	 When the ``current'' audit file is full and the
      ``next'' audit file is available, the auditing system switches files
      automatically.

 AUTHOR
      audit was developed by HP.

 SEE ALSO
      audsys(1M), audevent(1M), audisp(1M), audomon(1M), audwrite(2),
      getevent(2), setevent(2).



































 Hewlett-Packard Company	    - 2 -   HP-UX Release 11i: November 2000