See the auditon(ADM) and related manual pages listed in the ``See also'' section, below, for a description of the updated auditing subsystem.
The /dev/auditr device provides open, read and close operations. Open is for exclusive access, and requires the P_AUDIT and P_AUDITWR privileges (analogs of the legacy SEC_CONFIG_AUDIT and SEC_WRITE_AUDIT privileges, which are no longer supported by the kernel). This device is implemented solely as a compatibility measure for the benefit of auditd(ADM). Reads of /dev/auditr are like reads of /dev/null. Writes of /dev/auditr return an error.
The /dev/auditw device provides open, write and close operations. Any process may open this device, but the P_AUDITWR privilege (analog of the legacy SEC_WRITE_AUDIT privilege, which is no longer supported by the kernel) is required to write to it. This device allows privileged applications to write legacy-format audit records (shown below) into the supported audit log stream.
Reads of /dev/auditw return an error.
This driver provides no support for ioctl(). All ioctls on /dev/auditr or /dev/auditw return EINVAL.
   struct audit_header {
        ushort     rec_length;     /* total record length */
        time_t     tstamp;         /* date/time of record */
        ulong      event_id;       /* event sequence id */
        ushort     event_type;     /* event classification */
        ushort     record_type;    /* record format */
        ushort     obj_type;       /* object type */
        ushort     pid;            /* process_id */
   };
Some of the record types have variable-length string areas that follow the fixed portion of the audit record. Each text string that is part of the record has its size recorded in a count field. Each string is null-terminated and the count must include the null character. When the record is written to the device, the amount of data written includes the fixed portion plus all text strings. The supported record types for application programs are:
Each record type indicates a unique record structure definition. For more information on the legacy record format, see the Release 5.0.7 manual page on the documentation web site: audit-legacy(HW).
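The string-area rules above can be checked before a record is written to /dev/auditw. The following is an added example, not code from this manual page or from the system: check_record() and make_sample() are hypothetical names, the sample strings are constructed, and the code assumes rec_length equals the number of bytes written. Because the per-type fixed layouts are not shown here, the caller supplies the fixed-portion size and the count values.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Header from the page; ushort/ulong spelled out so it builds off-platform. */
struct audit_header {
    unsigned short rec_length;
    time_t         tstamp;
    unsigned long  event_id;
    unsigned short event_type, record_type, obj_type, pid;
};

/* check_record() is a hypothetical helper. buf/len is what would go to write();
 * fixed_len is the size of the record type's fixed portion; counts[] holds its
 * count fields in string order. Returns 0 if consistent, negative otherwise. */
int check_record(const unsigned char *buf, size_t len, size_t fixed_len,
                 const unsigned short *counts, size_t nstrings)
{
    struct audit_header hdr;
    size_t off = fixed_len, i;

    if (fixed_len < sizeof hdr || fixed_len > len) return -1;  /* truncated */
    memcpy(&hdr, buf, sizeof hdr);       /* copy out: buf may be unaligned */
    if ((size_t)hdr.rec_length != len) return -2;  /* assumed: equals write size */
    for (i = 0; i < nstrings; i++) {
        size_t n = counts[i];
        if (n == 0 || n > len - off)
            return -3;                   /* count must cover the NUL and fit */
        if (buf[off + n - 1] != '\0' || memchr(buf + off, '\0', n - 1))
            return -4;                   /* NUL must be the last counted byte */
        off += n;
    }
    return off == len ? 0 : -5;          /* -5: bytes no count accounts for */
}

/* Constructed sample: a bare header followed by two made-up strings. */
size_t make_sample(unsigned char *buf, unsigned short counts[2])
{
    static const char *const s[2] = { "login", "tty01" };
    struct audit_header hdr;
    size_t off = sizeof hdr, i;
    memset(&hdr, 0, sizeof hdr);
    for (i = 0; i < 2; i++) {
        counts[i] = (unsigned short)(strlen(s[i]) + 1);  /* includes the NUL */
        memcpy(buf + off, s[i], counts[i]);
        off += counts[i];
    }
    hdr.rec_length = (unsigned short)off;
    memcpy(buf, &hdr, sizeof hdr);
    return off;
}
```

A count that omits the terminator, a NUL embedded inside a counted string, and a length that disagrees with rec_length each produce a distinct negative return value.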