audit — audit trail format and other information for auditing
Audit records are generated when users make security-relevant
system calls, as well as by self-auditing processes that call
Access to the auditing system is restricted to super-user.
Each audit record consists of an audit record header
and a record body.
The record header is comprised of sequence number, process ID,
event type, and record body length.
The sequence number gives relative order of all records;
the process ID belongs to the process being audited;
the event type is a field identifying the type of audited activity;
the length is the record body length expressed in bytes.
The record body is the variable-length component
of an audit record containing more information
about the audited activity.
For records generated by system calls,
the body contains
the time the audited event completes in either success or failure,
and the parameters of the system calls;
for records generated by self-auditing processes,
the body consists of
writes the records and
the high-level description of the event (see
The records in the audit trail are compressed to save file space.
When a process is audited the first time, a
identification record (PIR)
is written into the audit trail
containing information that remains constant
throughout the lifetime of the process.
This includes the parent's process ID,
audit tag, real user ID, real group ID,
effective user ID,
effective group ID,
group ID list,
effective, permitted, and retained privileges,
and the terminal ID (tty).
The PIR is entered only once per process per audit trail.
Information accumulated in an audit trail
is analyzed and displayed by
was developed by HP.