Describes the auditing data structures.
The /usr/include/sys/audit.h file contains structure and constant definitions for the auditing system commands, subroutines, and daemons:
Audit Bin Format
The format of the audit bin is described by the aud_bin structure. An audit trail consists of a sequence of bins, each of which must start with a bin head and end with a bin tail. The aud_bin structure contains the following fields:
Item | Description |
---|---|
bin_magic | The magic number for the bin (0xf0f0). |
bin_version | The version number for the bin (0). |
bin_tail | Indicates whether the bin describes the audit trail head or tail: |
bin_len | The (unpacked) length of the bin's records. A nonzero value indicates that the bin has a tail record. |
bin_plen | The current length of the bin's record (might be packed). |
bin_time | The time at which the head or tail was written. |
bin_reserved1 | Not currently used. |
bin_reserved2 | Not currently used. |
Audit Class Format
The format of the audit class is described by the audit_class structure, which contains the following fields:
Item | Description |
---|---|
ae_name | A pointer to the name of the audit class. |
ae_list | A pointer to a list of null-terminated audit event names for this audit class. The list is ended by a null name (a leading null byte or two consecutive null bytes). Note: Event and class names are limited to 15 significant characters. |
ae_len | The length of the event list in the ae_list member. This length includes the terminating null bytes. On an AUDIT_SET operation, the caller must set this member to indicate the actual length of the list (in bytes) pointed to by ae_list. On an AUDIT_GET or AUDIT_LOCK operation, the auditevents subroutine sets this member to indicate the actual size of the list. |
Audit Object Format
The format of the audit object is described by the o_event structure, which contains the following fields:
Item | Description |
---|---|
o_type | Specifies the type of the object, in terms of naming space. Currently, only one object-naming space is supported: |
o_name | Specifies the name of the object. |
o_event | Specifies an array of event names to be generated when the object is accessed. Note that event names are currently limited to 16 bytes, including the trailing null. The index of an event name in this array corresponds to an access mode. Valid indexes are defined in the audit.h file and include the following: Note: The C++ compiler generates a warning indicating that o_event is defined both as a structure and as a field within that structure. Although the o_event field can be used within C++, the warning can be bypassed by defining O_EVENT_RENAME, which replaces the o_event field with o_event_array. o_event is the default field. |
Audit Record Format
Each audit record consists of a list of fixed-length event identifiers, each of which can be followed by a variable-length tail. The format of the audit record is described by the aud_rec structure, which contains the following fields to identify the event:
Item | Description |
---|---|
ah_magic | Magic number for audit record. |
ah_length | The length of the tail portion of the audit record. |
ah_event[16] | The name of the event and a null terminator. |
ah_result | An indication of whether the event describes a successful operation. The values for this field are: |
The aud_rec structure also contains the following fields to identify the user and the process:
Item | Description |
---|---|
ah_ruid | The real user ID; that is, the ID number of the user who created the process that wrote this record. |
ah_luid | The login ID of the user who created the process that wrote this record. |
ah_name[16] | The program name of the process, along with a null terminator. |
ah_pid | The process ID of the process that wrote this record. |
ah_ppid | The process ID of the parent of this process. |
ah_time | The time in seconds at which this audit record was written. |
ah_ntime | The nanoseconds offset from ah_time. |
The record tail follows this header information.
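As an added example (not part of this reference page, and not code from AIX or from audit.h), the following C program walks one bin of an audit trail laid out as the Audit Bin Format and Audit Record Format sections describe: a bin head, bin_len bytes of aud_rec records each followed by its ah_length-byte tail, and a bin tail. The struct layouts, the 0/1 encoding of bin_tail, the REC_MAGIC value and the ah_result encoding are assumptions made for illustration; real code must take them from <sys/audit.h>. What the example adds to the field descriptions is the bounds discipline a reader of trail data needs: bin_len and every ah_length are checked against the bytes actually present before they are trusted, so a truncated or corrupted bin is rejected instead of being read past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative layouts only: field names follow the audit.h description,
 * but widths, ordering and the bin_tail/ah_magic/ah_result encodings are
 * ASSUMED for this example. Real code must use <sys/audit.h>. */
#define BIN_MAGIC   0xf0f0u   /* documented value */
#define BIN_VERSION 0u        /* documented value */
#define REC_MAGIC   0xf0f1u   /* placeholder: the page does not state ah_magic's value */

struct bin_hdr {              /* stands in for aud_bin */
    uint16_t bin_magic;
    uint16_t bin_version;
    uint32_t bin_tail;        /* assumed: 0 = head, 1 = tail */
    uint32_t bin_len;         /* unpacked length of the bin's records */
    uint32_t bin_plen;        /* current (possibly packed) length */
    uint32_t bin_time;
    uint32_t bin_reserved1;
    uint32_t bin_reserved2;
};

struct rec_hdr {              /* stands in for the fixed-length part of aud_rec */
    uint16_t ah_magic;
    uint16_t ah_length;       /* length of the variable-length tail */
    char     ah_event[16];
    uint32_t ah_result;
    uint32_t ah_ruid;
    uint32_t ah_luid;
    char     ah_name[16];
    uint32_t ah_pid;
    uint32_t ah_ppid;
    uint32_t ah_time;
    uint32_t ah_ntime;
};

/* Walk one bin: head, bin_len bytes of records, tail. Every length field is
 * checked against the bytes present before it is used. Returns 0 and the
 * record count on success, -1 on any structural error. */
int walk_bin(const uint8_t *buf, size_t len, int *nrec)
{
    struct bin_hdr head, tail;
    struct rec_hdr rec;
    size_t off, end;
    int count = 0;

    if (len < sizeof head) return -1;
    memcpy(&head, buf, sizeof head);
    if (head.bin_magic != BIN_MAGIC || head.bin_version != BIN_VERSION || head.bin_tail != 0)
        return -1;
    off = sizeof head;
    /* the record area must fit, and a full tail header must follow it */
    if (head.bin_len > len - off || len - off - head.bin_len < sizeof tail) return -1;
    end = off + head.bin_len;

    while (off < end) {
        if (end - off < sizeof rec) return -1;            /* partial record header */
        memcpy(&rec, buf + off, sizeof rec);
        if (rec.ah_magic != REC_MAGIC) return -1;
        if (!memchr(rec.ah_event, '\0', sizeof rec.ah_event) ||
            !memchr(rec.ah_name, '\0', sizeof rec.ah_name)) return -1; /* unterminated names */
        off += sizeof rec;
        if (rec.ah_length > end - off) return -1;         /* tail overruns the bin */
        off += rec.ah_length;
        count++;
    }
    memcpy(&tail, buf + end, sizeof tail);
    if (tail.bin_magic != BIN_MAGIC || tail.bin_version != BIN_VERSION || tail.bin_tail != 1)
        return -1;
    *nrec = count;
    return 0;
}

/* Append one record with a constructed tail; returns bytes written, 0 if it does not fit. */
static size_t put_record(uint8_t *out, size_t cap, const char *event, const char *prog,
                         uint32_t pid, const char *tail)
{
    struct rec_hdr rec;
    size_t tlen = strlen(tail) + 1;
    if (cap < sizeof rec + tlen) return 0;
    memset(&rec, 0, sizeof rec);
    rec.ah_magic = REC_MAGIC;
    rec.ah_length = (uint16_t)tlen;
    strncpy(rec.ah_event, event, sizeof rec.ah_event - 1);
    strncpy(rec.ah_name, prog, sizeof rec.ah_name - 1);
    rec.ah_result = 0;                 /* assumed encoding for "success" */
    rec.ah_ruid = rec.ah_luid = 1000;  /* constructed sample values */
    rec.ah_pid = pid; rec.ah_ppid = 1;
    rec.ah_time = 1700000000u; rec.ah_ntime = 0;
    memcpy(out, &rec, sizeof rec);
    memcpy(out + sizeof rec, tail, tlen);
    return sizeof rec + tlen;
}

/* Build a constructed trail (head, two records, tail); returns total bytes or 0. */
size_t build_sample_bin(uint8_t *out, size_t cap)
{
    struct bin_hdr hdr;
    size_t off = sizeof hdr, n;
    if (cap < 2 * sizeof hdr) return 0;
    n = put_record(out + off, cap - off - sizeof hdr, "SAMPLE_Open", "cat", 4242, "/tmp/constructed-sample");
    if (!n) return 0; off += n;
    n = put_record(out + off, cap - off - sizeof hdr, "SAMPLE_Exec", "sh", 4243, "constructed tail");
    if (!n) return 0; off += n;
    memset(&hdr, 0, sizeof hdr);
    hdr.bin_magic = BIN_MAGIC; hdr.bin_version = BIN_VERSION;
    hdr.bin_len = hdr.bin_plen = (uint32_t)(off - sizeof hdr);
    hdr.bin_time = 1700000000u;
    hdr.bin_tail = 0; memcpy(out, &hdr, sizeof hdr);         /* head */
    hdr.bin_tail = 1; memcpy(out + off, &hdr, sizeof hdr);   /* tail */
    return off + sizeof hdr;
}

int sample_record_count(void)        /* well-formed sample: number of records, or -1 */
{
    uint8_t buf[512]; int nrec = 0;
    size_t n = build_sample_bin(buf, sizeof buf);
    return (n && walk_bin(buf, n, &nrec) == 0) ? nrec : -1;
}

int sample_truncated_result(void)    /* last byte of the tail header missing */
{
    uint8_t buf[512]; int nrec = 0;
    size_t n = build_sample_bin(buf, sizeof buf);
    return n ? walk_bin(buf, n - 1, &nrec) : -1;
}

int sample_corrupted_result(void)    /* first record claims a tail longer than the bin */
{
    uint8_t buf[512]; int nrec = 0;
    uint16_t bogus = 0xffff;
    size_t n = build_sample_bin(buf, sizeof buf);
    memcpy(buf + sizeof(struct bin_hdr) + offsetof(struct rec_hdr, ah_length), &bogus, sizeof bogus);
    return n ? walk_bin(buf, n, &nrec) : -1;
}

int main(void)
{
    printf("sample bin: %d records\n", sample_record_count());
    printf("truncated: %d, corrupted ah_length: %d\n",
           sample_truncated_result(), sample_corrupted_result());
    return 0;
}
```

The walker deliberately trusts bin_len only after confirming the record area and a full tail header fit in the buffer, and trusts each ah_length only after confirming it stays within that area; these are the two fields a corrupted or deliberately malformed trail would use to push a naive reader past the end of its buffer.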