audit File Format

Purpose

Describes the auditing data structures.

Description

The /usr/include/sys/audit.h file contains structure and constant definitions for the auditing system commands, subroutines, and daemons.

Audit Bin Format

The format of the audit bin is described by the aud_bin structure. An audit trail consists of a sequence of bins, each of which must start with a bin head and end with a bin tail. The aud_bin structure contains the following fields:

Item Description
bin_magic The magic number for the bin (0xf0f0).
bin_version The version number for the bin (0).
bin_tail Indicates whether the bin describes the audit trail head or tail:
  0  Identifies the bin header.
  1  Identifies the bin end (tail).
  2  Identifies the trail end.
bin_len The (unpacked) length of the bin's records. A nonzero value indicates that the bin has a tail record.
bin_plen The current length of the bin's record (might be packed).
bin_time The time at which the head or tail was written.
bin_reserved1 Not currently used.
bin_reserved2 Not currently used.

Audit Class Format

The format of the audit class is described by the audit_class structure, which contains the following fields:

Item Description
ae_name A pointer to the name of the audit class.
ae_list A pointer to a list of null-terminated audit event names for this audit class. The list is ended by a null name (a leading null byte or two consecutive null bytes).
Note: Event and class names are limited to 15 significant characters.
ae_len The length of the event list in the ae_list member. This length includes the terminating null bytes. On an AUDIT_SET operation, the caller must set this member to indicate the actual length of the list (in bytes) pointed to by ae_list. On an AUDIT_GET or AUDIT_LOCK operation, the auditevents subroutine sets this member to indicate the actual size of the list.

Audit Object Format

The format of the audit object is described by the o_event structure, which contains the following fields:

Item Description
o_type Specifies the type of the object, in terms of naming space. Currently, only one object-naming space is supported:
  AUDIT_FILE  Denotes the file system naming space.
o_name Specifies the name of the object.
o_event Specifies an array of event names to be generated when the object is accessed. Note that event names are currently limited to 16 bytes, including the trailing null. The index of an event name in this array corresponds to an access mode. Valid indexes are defined in the audit.h file and include the following:
  • AUDIT_READ
  • AUDIT_WRITE
  • AUDIT_EXEC
Note: The C++ compiler will generate a warning indicating that o_event is defined both as a structure and as a field within that structure. Although the o_event field can be used within C++, the warning can be bypassed by defining O_EVENT_RENAME. This replaces the o_event field with o_event_array. o_event is the default field name.

Audit Record Format

Each audit record consists of a list of fixed-length event identifiers, each of which can be followed by a variable-length tail. The format of the audit record is described by the aud_rec structure, which contains the following fields to identify the event:

Item Description
ah_magic Magic number for audit record.
ah_length The length of the tail portion of the audit record.
ah_event[16] The name of the event and a null terminator.
ah_result An indication of whether the event describes a successful operation. The values for this field are:
  0   Indicates successful completion.
  1   Indicates a failure.
  >1  An errno value describing the failure.

The aud_rec structure also contains the following fields to identify the user and the process:

Item Description
ah_ruid The real user ID; that is, the ID number of the user who created the process that wrote this record.
ah_luid The login ID of the user who created the process that wrote this record.
ah_name[16] The program name of the process, along with a null terminator.
ah_pid The process ID of the process that wrote this record.
ah_ppid The process ID of the parent of this process.
ah_time The time in seconds at which this audit record was written.
ah_ntime The nanoseconds offset from ah_time.

The record tail follows this header information.
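The following is an added example, not part of this page or of AIX, that walks a trail laid out as the bin and record sections above describe (bin head, records, bin end, ..., trail end), checking bin_magic, bin_version, the bin_tail codes and each record's ah_length, and refusing a bin whose bin_plen differs from bin_len because its records are still packed. The byte order, field sizes, the ah_magic value and the pack_record/pack_bin helpers are assumptions made for this example; the real definitions are in /usr/include/sys/audit.h.

```python
import struct
from collections import namedtuple
# Layout, byte order and field sizes are ASSUMED for this example (see sys/audit.h for the real ones);
# only bin_magic 0xf0f0, bin_version 0 and the bin_tail codes come from the page; AH_MAGIC is a placeholder.
BIN_MAGIC, BIN_VERSION, AH_MAGIC = 0xF0F0, 0, 0xF0F1
BIN_FMT = ">HHIIIIII"         # aud_bin: magic, version, tail, len, plen, time, reserved1, reserved2
REC_FMT = ">HH16sIII16sIIII"  # aud_rec: magic, length, event[16], result, ruid, luid, name[16], pid, ppid, time, ntime
BIN_HEAD, BIN_END, TRAIL_END = 0, 1, 2
Record = namedtuple("Record", "event result ruid luid name pid ppid time ntime tail")

def cstr(buf):
    return buf.split(b"\0")[0].decode()   # ah_event / ah_name are null-terminated

def pack_record(event, result, ruid, luid, name, pid, ppid, time, ntime, tail=b""):
    return struct.pack(REC_FMT, AH_MAGIC, len(tail), event.encode(), result, ruid, luid,
                       name.encode(), pid, ppid, time, ntime) + tail

def pack_bin(code, records=b"", time=0):
    return struct.pack(BIN_FMT, BIN_MAGIC, BIN_VERSION, code, len(records), len(records), time, 0, 0) + records

def parse_records(blob):
    recs, pos, hdr = [], 0, struct.calcsize(REC_FMT)
    while pos < len(blob):
        f = struct.unpack_from(REC_FMT, blob, pos)   # raises struct.error if truncated
        if f[0] != AH_MAGIC:
            raise ValueError(f"bad ah_magic {f[0]:#x} at offset {pos}")
        tail = blob[pos + hdr:pos + hdr + f[1]]      # ah_length bytes of variable tail
        if len(tail) != f[1]:
            raise ValueError("record tail runs past the end of the bin")
        recs.append(Record(cstr(f[2]), *f[3:6], cstr(f[6]), *f[7:], tail))
        pos += hdr + f[1]
    return recs

def parse_trail(data):
    # Walk bin head, records, bin end, ..., trail end and return every record.
    out, pos, bsz = [], 0, struct.calcsize(BIN_FMT)
    while True:
        magic, ver, code, blen, plen, _, _, _ = struct.unpack_from(BIN_FMT, data, pos)
        if magic != BIN_MAGIC or ver != BIN_VERSION:
            raise ValueError(f"bad bin_magic/bin_version at offset {pos}")
        pos += bsz
        if code == TRAIL_END:
            return out
        if code == BIN_HEAD:
            if plen != blen:   # bin_plen != bin_len means the records are still packed
                raise ValueError("packed bin: unpack it before parsing the records")
            out.extend(parse_records(data[pos:pos + plen]))
            pos += plen
        elif code != BIN_END:
            raise ValueError(f"unknown bin_tail value {code}")
```

A record with ah_result greater than 1 carries the errno of the failed operation, so a consumer can distinguish a denied access (for example EACCES) from a plain failure flag of 1.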