Files Reference
Describes the auditing data structures.

The /usr/include/sys/audit.h file contains structure and constant definitions for the auditing system commands, subroutines, and daemons:

The format of the audit bin is described by the aud_bin structure. An audit trail consists of a sequence of bins, each of which must start with a bin head and end with a bin tail. The aud_bin structure contains the following fields:

bin_magic
    The magic number for the bin (0xf0f0).
bin_version
    The version number for the bin (0).
bin_tail
    Indicates whether the bin describes the audit trail head or tail:
    - 0: Identifies the bin header.
    - 1: Identifies the bin end (tail).
    - 2: Identifies the trail end.
bin_len
    The (unpacked) length of the bin's records. A nonzero value indicates that the bin has a tail record.
bin_plen
    The current length of the bin's record (might be packed).
bin_time
    The time at which the head or tail was written.
bin_reserved1
    Not currently used.
bin_reserved2
    Not currently used.

The format of the audit class is described by the audit_class structure, which contains the following fields:

ae_name
    A pointer to the name of the audit class.
ae_list
    A pointer to a list of null-terminated audit event names for this audit class. The list is ended by a null name (a leading null byte or two consecutive null bytes).
    Note: Event and class names are limited to 15 significant characters.
ae_len
    The length of the event list in the ae_list member. This length includes the terminating null bytes. On an AUDIT_SET operation, the caller must set this member to indicate the actual length of the list (in bytes) pointed to by ae_list. On an AUDIT_GET or AUDIT_LOCK operation, the auditevents subroutine sets this member to indicate the actual size of the list.

The format of the audit object is described by the o_event structure, which contains the following fields:

o_type
    Specifies the type of the object, in terms of naming space. Currently, only one object-naming space is supported:
    - AUDIT_FILE: Denotes the file system naming space.
o_name
    Specifies the name of the object.
o_event
    Specifies an array of event names to be generated when the object is accessed. Note that event names are currently limited to 16 bytes, including the trailing null. The index of an event name in this array corresponds to an access mode. Valid indexes are defined in the audit.h file and include the following:
    - AUDIT_READ
    - AUDIT_WRITE
    - AUDIT_EXEC

Each audit record consists of a list of fixed-length event identifiers, each of which can be followed by a variable-length tail. The format of the audit record is described by the aud_rec structure, which contains the following fields to identify the event:

ah_magic
    Magic number for audit record.
ah_length
    The length of the tail portion of the audit record.
ah_event[16]
    The name of the event and a null terminator.
ah_result
    An indication of whether the event describes a successful operation. The values for this field are:
    - 0: Indicates successful completion.
    - 1: Indicates a failure.
    - >1: An errno value describing the failure.

The aud_rec structure also contains the following fields to identify the user and the process:

ah_ruid
    The real user ID; that is, the ID number of the user who created the process that wrote this record.
ah_luid
    The login ID of the user who created the process that wrote this record.
ah_name[16]
    The program name of the process, along with a null terminator.
ah_pid
    The process ID of the process that wrote this record.
ah_ppid
    The process ID of the parent of this process.
ah_time
    The time in seconds at which this audit record was written.
ah_ntime
    The nanoseconds offset from ah_time.

The record tail follows this header information.

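A tool that reads raw records has to treat ah_length and the two 16-byte name fields as untrusted before using them. The following C code is an added example, not code from AIX or from this reference: the field widths and order in struct demo_aud_rec, the demo_ function names, and the magic value 0x1234 are assumptions for illustration; on AIX, use struct aud_rec from /usr/include/sys/audit.h.

```c
#include <stdint.h>
#include <string.h>
/* ASSUMPTION: field names and meanings are from the page; the widths and
 * order are illustrative. On AIX use struct aud_rec from <sys/audit.h>. */
struct demo_aud_rec {
    uint16_t ah_magic, ah_length;   /* ah_length = bytes of tail that follow */
    char     ah_event[16];          /* event name plus null terminator */
    uint32_t ah_result;             /* 0 success, 1 failure, >1 errno */
    uint32_t ah_ruid, ah_luid;
    char     ah_name[16];           /* program name plus null terminator */
    uint32_t ah_pid, ah_ppid, ah_time, ah_ntime;
};
/* Walk header+tail records; returns the record count, or -1 if malformed.
 * fails[0] counts ah_result == 1, fails[1] counts errno-style results. */
int demo_walk(const unsigned char *buf, size_t len, uint16_t magic, int fails[2])
{
    size_t off = 0;
    int n = 0;
    fails[0] = fails[1] = 0;
    while (off < len) {
        struct demo_aud_rec h;
        if (len - off < sizeof h) return -1;        /* truncated header */
        memcpy(&h, buf + off, sizeof h);            /* avoid unaligned reads */
        off += sizeof h;
        if (h.ah_magic != magic) return -1;         /* lost record sync */
        if (!memchr(h.ah_event, 0, 16) || !memchr(h.ah_name, 0, 16)) return -1;
        if (h.ah_length > len - off) return -1;     /* tail overruns buffer */
        off += h.ah_length;                         /* skip variable tail */
        if (h.ah_result == 1) fails[0]++;
        else if (h.ah_result > 1) fails[1]++;
        n++;
    }
    return n;
}

/* Constructed sample: three records (results 0, 1, 13) with 8-byte tails.
 * Magic 0x1234 is a placeholder. bad_tail != 0 overstates the last ah_length. */
int demo_sample(int bad_tail, int fails[2])
{
    unsigned char buf[3 * (sizeof(struct demo_aud_rec) + 8)] = { 0 };
    static const uint32_t results[3] = { 0, 1, 13 };
    for (int i = 0; i < 3; i++) {
        struct demo_aud_rec h = { .ah_magic = 0x1234, .ah_length = 8,
            .ah_event = "FILE_Open", .ah_result = results[i], .ah_name = "cat" };
        if (bad_tail && i == 2) h.ah_length = 4096;
        memcpy(buf + i * (sizeof h + 8), &h, sizeof h);
    }
    return demo_walk(buf, sizeof buf, 0x1234, fails);
}
```

On a -1 return the counters are partial, so a caller should discard them rather than report on a trail it could not fully parse.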
The audit command, auditcat command, auditpr command, auditselect command, auditstream command.
The auditbin daemon.
The audit subroutine, auditbin subroutine, auditevents subroutine, auditlog subroutine, auditobj subroutine, auditproc subroutine, auditwrite subroutine.
Header Files Overview in AIX 5L Version 5.1 Files Reference.