up | Inhaltsverzeichniss | Kommentar

Manual page for AUDIT.LOG(5)

audit.log - the security audit trail file

SYNOPSIS

#include <sys/label.h>
#include <sys/audit.h>
#include <sys/user.h>

DESCRIPTION

The audit.log file begins with a header record consisting of an audit_header structure followed by the previous audit file name. When the audit daemon is started (usually only at boot time), the previous audit file name is NULL.

struct audit_header {
	int	ah_magic;	/* magic number */
	time_t	ah_time;  	/* the time */
	short	ah_namelen;	/* length of file name */
};
typedef struct audit_header audit_header_t;

The file may end with a trailer record consisting of an audit_trailer structure followed by the name of the next audit file.

struct audit_trailer {
	short	at_record_size;		/* size of this */
	short	at_record_type;		/* its type, a trailer */
	time_t	at_time;   		/* the time */
	short	at_namelen;		/* length of file name */
};
typedef struct audit_trailer audit_trailer_t;

The audit.log file contains audit records in their raw form. The records are of varying size depending on the record type. Each record has a header which is an audit_record structure.

struct audit_record {
	short		au_record_size;		/* size of this */
	short		au_record_type;		/* its type */
	time_t		au_time;  		/* the time */
	short		au_uid;			/* real uid */
	short		au_auid;  		/* audit uid */
	short		au_euid;  		/* effective */
	short		au_gid;			/* real group */
	short		au_pid;			/* effective */
	int		au_errno;		/* error code */
	int		au_return;		/* a return value */
	blabel_t       	au_label;		/* also ... */
	short		au_param_count;		/* # of parameters */
};
typedef struct audit_record audit_record_t;

Immediately following the header is a set of two byte integers, the number of which exist for a given record is contained in the au_param_count field. These numbers are the lengths of the additional data items. The additional data items follow the list of lengths, the first length describing the first data item. Interpretation of this data is left to the program accessing it.

SEE ALSO

audit.2 audit.8

[a manual with the abbreviation SECUR]


index | Inhaltsverzeichniss | Kommentar

Created by unroff & hp-tools. © by Hans-Peter Bischof. All Rights Reserved (1997).

Last modified 21/April/97