audit(4)audit(4)NAMEaudit - audit trail format and other information for auditing
Audit records are generated when users make security-relevant system
calls, as well as by self-auditing processes that call (see aud‐
write(2)). Access to the auditing system is restricted to super-user.
Each audit record consists of an audit record header and a record body.
The record header is comprised of sequence number, process ID, event
type, and record body length. The sequence number gives relative order
of all records; the process ID belongs to the process being audited;
the event type is a field identifying the type of audited activity; the
length is the record body length expressed in bytes.
The record body is the variable-length component of an audit record
containing more information about the audited activity. For records
generated by system calls, the body contains the time the audited event
completes in either success or failure, and the parameters of the sys‐
tem calls; for records generated by self-auditing processes, the body
consists of the time audwrite(2) writes the records and the high-level
description of the event (see audwrite(2)).
The records in the audit trail are compressed to save file space. When
a process is audited the first time, a pid identification record (PIR)
is written into the audit trail containing information that remains
constant throughout the lifetime of the process. This includes the
parent's process ID, audit tag, real user ID, real group ID, effective
user ID, effective group ID, group ID list, effective, permitted, and
retained privileges, compartment ID, and the terminal ID (tty). The
PIR is entered only once per process per audit trail.
Information accumulated in an audit trail is analyzed and displayed by
was developed by HP.
SEE ALSOaudsys(1M), audevent(1M), audisp(1M), audomon(1M), audwrite(2),
audit(5), compartments(5), privileges(5).