Describes the auditing data structures.
The /usr/include/sys/audit.h file contains structure and constant definitions for the auditing system commands, subroutines, and daemons:
The format of the audit bin is described by the aud_bin structure. An audit trail consists of a sequence of bins, each of which must start with a bin head and end with a bin tail. The aud_bin structure contains the following fields:
The format of the audit class is described by the audit_class structure, which contains the following fields:
| ae_name | A pointer to the name of the audit class. |
| ae_list | A pointer to a list of null-terminated audit event names for this audit class. The list is ended by a null name (a leading null byte or two consecutive null bytes).
Note: Event and class names are limited to 15 significant characters. |
| ae_len | The length of the event list in the ae_list member. This length includes the terminating null bytes. On an AUDIT_SET operation, the caller must set this member to indicate the actual length of the list (in bytes) pointed to by ae_list. On an AUDIT_GET or AUDIT_LOCK operation, the auditevents subroutine sets this member to indicate the actual size of the list. |
The format of the audit object is described by the o_event structure, which contains the following fields:
| o_type | Specifies the type of the object, in terms of naming space. Currently, only one object-naming space is supported:
| ||
| o_name | Specifies the name of the object. | ||
| o_event | Specifies any array of event names to be generated when the object is accessed. Note that event names in AIX are currently limited to 16 bytes, including the trailing null. The index of an event name in this array corresponds to an access mode. Valid indexes are defined in the audit.h file and include the following: |
Each audit record consists of a list of fixed-length event identifiers, each of which can be followed by a variable-length tail. The format of the audit record is described by the aud_rec structure, which contains the following fields to identify the event:
| ah_magic | Magic number for audit record. | ||||||
| ah_length | The length of the tail portion of the audit record. | ||||||
| ah_event[16] | The name of the event and a null terminator. | ||||||
| ah_result | An indication of whether the event describes a successful operation. The values for this field are:
|
The aud_rec structure also contains the following fields to identify the user and the process:
| ah_ruid | The real user ID; that is, the ID number of the user who created the process that wrote this record. |
| ah_luid | The login ID of the user who created the process that wrote this record. |
| ah_name[16] | The program name of the process, along with a null terminator. |
| ah_pid | The process ID of the process that wrote this record. |
| ah_ppid | The process ID of the parent of this process. |
| ah_time | The time in seconds at which this audit record was written. |
| ah_ntime | The nanoseconds offset from ah_time. |
The record tail follows this header information.
The audit command, auditcat command, auditpr command, auditselect command, auditstream command.
The auditbin daemon.
The audit subroutine, auditbin subroutine, auditevents subroutine, auditlog subroutine, auditobj subroutine, auditproc subroutine, auditwrite subroutine.
Header Files Overview in AIX Version 4.3 Files Reference.