#include <sys/label.h> #include <sys/audit.h> #include <sys/user.h>
The audit.log file begins with a header record consisting of an audit_header structure followed by the previous audit file name (ah_namelen bytes). When the audit daemon is started (usually only at boot time), there is no previous audit file and the previous audit file name is NULL.
/*
 * Header record written at the start of audit.log.  The ah_namelen bytes
 * that immediately follow this structure hold the name of the previous
 * audit file (empty/NULL when the daemon is freshly started).
 */
struct audit_header {
	int    ah_magic;    /* magic number */
	time_t ah_time;     /* the time the header was written */
	short  ah_namelen;  /* length of the previous file name that follows (signed short) */
};
typedef struct audit_header audit_header_t;
The file may end with a trailer record consisting of an audit_trailer structure followed by the name of the next audit file (at_namelen bytes). The trailer is optional: a program reading the file must not assume that one is present.
/*
 * Optional trailer record at the end of audit.log.  The at_namelen bytes
 * that immediately follow this structure hold the name of the next audit
 * file.  The first two fields are laid out like the start of audit_record,
 * so a reader can recognise the trailer by its record type.
 */
struct audit_trailer {
	short  at_record_size;  /* size of this record */
	short  at_record_type;  /* its type, a trailer */
	time_t at_time;         /* the time */
	short  at_namelen;      /* length of the next file name that follows (signed short) */
};
typedef struct audit_trailer audit_trailer_t;
The audit.log file contains audit records in their raw form. The records are of varying size depending on the record type. Each record has a header which is an audit_record structure.
/*
 * Fixed-size header at the start of every audit record in audit.log.
 * It is followed by au_param_count two-byte lengths and then the data
 * items those lengths describe (see the text below).  au_record_size is
 * "the size of this" record as written; presumably header + length list
 * + data -- confirm against the writer before relying on it.
 *
 * NOTE(review): every size and count field here is a signed short that is
 * read back from the file; a parser should range-check them (see below).
 */
struct audit_record {
	short    au_record_size;  /* size of this record */
	short    au_record_type;  /* its type */
	time_t   au_time;         /* the time */
	short    au_uid;          /* real uid */
	short    au_auid;         /* audit uid */
	short    au_euid;         /* effective uid */
	short    au_gid;          /* real group */
	short    au_pid;          /* process id (the original comment, "effective", was a copy of au_euid's) */
	int      au_errno;        /* error code */
	int      au_return;       /* a return value */
	blabel_t au_label;        /* label of the process; blabel_t presumably from <sys/label.h> (included above) */
	short    au_param_count;  /* number of two-byte length words that follow this header */
};
typedef struct audit_record audit_record_t;
Immediately following the header is a list of two-byte integers; the number of entries in the list is given by the au_param_count field. Each entry is the length of one additional data item. The data items follow the list of lengths, in the same order, so the first length describes the first data item. Interpretation of the data items is left to the program accessing them. Because au_record_size, au_param_count and the individual lengths are all signed short values read from the file, a program that parses audit.log should check that they are non-negative and that the header, the length list and the data items together fit within au_record_size (and au_record_size within the remaining file) before using them to locate data inside the record.