Describes the auditing data structures.
The /usr/include/sys/audit.h file contains structure and constant definitions for the auditing system commands, subroutines, and daemons:
The format of the audit bin is described by the aud_bin structure. An audit trail consists of a sequence of bins, each of which must start with a bin head and end with a bin tail. The aud_bin structure contains the following fields:
| bin_magic | The magic number for the bin (0xf0f0). |
| bin_version | The version number for the bin (0). |
| bin_tail | Indicates whether the bin describes the audit trail head or tail:
|
| bin_len | The (unpacked) length of the bin's records. A nonzero value indicates that the bin has a tail record. |
| bin_plen | The current length of the bin's record (might be packed). |
| bin_time | The time at which the head or tail was written. |
| bin_reserved1 | Not currently used. |
| bin_reserved2 | Not currently used. |
The format of the audit class is described by the audit_class structure, which contains the following fields:
| ae_name | A pointer to the name of the audit class. |
| ae_list | A pointer to a list of null-terminated audit event names for this
audit class. The list is ended by a null name (a leading null byte or two
consecutive null bytes).
Note
Event and class names are limited
to 15 significant characters. |
| ae_len | The length of the event list in the ae_list member. This length includes the terminating null bytes. On an AUDIT_SET operation, the caller must set this member to indicate the actual length of the list (in bytes) pointed to by ae_list. On an AUDIT_GET or AUDIT_LOCK operation, the auditevents subroutine sets this member to indicate the actual size of the list. |
The format of the audit object is described by the o_event structure, which contains the following fields:
| o_type | Specifies the type of the object, in terms of naming space. Currently,
only one object-naming space is supported:
|
| o_name | Specifies the name of the object. |
| o_event | Specifies any array of event names to be generated when the object
is accessed. Note that event names are currently limited to 16 bytes, including
the trailing null. The index of an event name in this array corresponds to
an access mode. Valid indexes are defined in the audit.h file and include the following:
|
Each audit record consists of a list of fixed-length event identifiers, each of which can be followed by a variable-length tail. The format of the audit record is described by the aud_rec structure, which contains the following fields to identify the event:
| ah_magic | Magic number for audit record. |
| ah_length | The length of the tail portion of the audit record. |
| ah_event[16] | The name of the event and a null terminator. |
| ah_result | An indication of whether the event describes a successful operation.
The values for this field are:
|
The aud_rec structure also contains the following fields to identify the user and the process:
| ah_ruid | The real user ID; that is, the ID number of the user who created the process that wrote this record. |
| ah_luid | The login ID of the user who created the process that wrote this record. |
| ah_name[16] | The program name of the process, along with a null terminator. |
| ah_pid | The process ID of the process that wrote this record. |
| ah_ppid | The process ID of the parent of this process. |
| ah_time | The time in seconds at which this audit record was written. |
| ah_ntime | The nanoseconds offset from ah_time. |
The record tail follows this header information.
The audit command, auditcat command, auditpr command, auditselect command, auditstream command.
The auditbin daemon.
The audit subroutine, auditbin subroutine, auditevents subroutine, auditlog subroutine, auditobj subroutine, auditproc subroutine, auditwrite subroutine.
Header Files Overview in AIX 5L Version 5.2 Files Reference.