dlvr_audit -- produce audit records for subsystem events


/etc/auth/dlvr_audit [ -v ] tstamp event record pid cmd code [ args ... ]


dlvr_audit is used by programs implementing protected subsystems as the means for sending audit records to the audit subsystem. Because those programs do not have the writeaudit privilege, they invoke dlvr_audit which sends the data over a message queue to the audit daemon, which appends the record to the audit trail. Because dlvr_audit is run as a child process of the process producing the record, it does not have the ability to write the audit device either. The message queue that it uses is only usable by the audit user, so dlvr_audit must be run SUID to the audit user. The group is inherited from the invoking process and is checked against those groups associated with protected subsystems. If the group cannot be identified with a protected subsystem, the record is ignored (so that general user programs cannot flood the audit subsystem with invalid messages).

The -v flag forces the program to report all of its actions. Normally, this flag is not used so that audit records can be made without the knowledge of the program user.

The required arguments apply to all audit records. The tstamp argument is the (ASCII number representation of the) time in seconds past Jan 1, 1970 that the audit record was produced. The event argument is the number of the event type as described in <sys/audit.h>. Similarly, the record argument is the audit record format type as described in <sys/audit.h>. The pid is the process ID of the event process. cmd is the name of the protected subsystem command. code is specific to the event type being generated.

There may be 0 or more optional arguments depending on the code. dlvr_audit uses the extra arguments to fill in specific fields required by the particular record format.

See also

audit(HW), authaudit(S)

``Understanding the audit subsystem'' in the System Administration Guide

Standards conformance

dlvr_audit is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003