audit -- audit subsystem device interface (obsolete)


In previous releases, the aud driver was the primary driver for the Audit Subsystem. This driver is obsolete, and provides only basic support for legacy OSR5 auditing functionality. Specifically, it allows legacy applications to write to the legacy auditing devices so they do not fail because of the change in the auditing subsystem.

See the auditon(ADM) and related manual pages listed in the ``See also'' section, below, for a description of the updated auditing subsystem.

The /dev/auditr device provides open, read and close operations. Open is for exclusive access, and requires the P_AUDIT and P_AUDITWR privileges (analogs of the legacy SEC_CONFIG_AUDIT and SEC_WRITE_AUDIT privileges, which are no longer supported by the kernel). This device is implemented solely as a compatibility measure for the benefit of auditd(ADM) Reads of /dev/auditr are like reads of /dev/null. Writes of /dev/auditr return an error.

The /dev/auditw device provides open, write and close operations. Any process may open this device, but the P_AUDITWR privilege (analog of the legacy SEC_WRITE_AUDIT privilege, which is no longer supported by the kernel) is required to write to it. This device allows privileged applications to write legacy-format audit records (shown below) into the supported audit log stream.

Reads of /dev/auditw return an error.

This driver provides no support for ioctl(). All ioctls on /dev/auditr or /dev/auditw return EINVAL.

Legacy record structure

The information in this section is provided for compatibility and informational purposes only.
   struct audit_header {
        ushort     rec_length;     /* total record length */
        time_t     tstamp;	        /* date/time of record */
        ulong      event_id;       /* event sequence id */
        ushort     event_type;     /* event classification */
        ushort     record_type;    /* record format */
        ushort     obj_type;       /* object type */
        ushort     pid;            /* process_id */

Some of the record types have variable-length string areas that follow the fixed portion of the audit record. Each text string that is part of the record has its size recorded in a count field. Each string is null-terminated and the count must include the null character. When the record is written to the device, the amount of data written includes the fixed portion plus all text strings. The supported record types for application programs are:

login/logout events

password modifications

protected database modifications

privileged subsystem events

terminal and account locking

audit subsystem events

Each record type indicates a unique record structure definition. for more information on the legacy record format, see the Release 5.0.7 manual page on the documentation web site: audit-legacy(HW).


Upon successful completion, the device returns a 0. Otherwise, a -1 is returned and errno is set to indicate the error.

See also

auditdmp(S), auditlog(ADM), auditmap(ADM), auditoff(ADM), auditoff(ADM), auditrpt(ADM), auditset(ADM)
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005