I'm sponsoring the case on behalf of myself, the Audit Project Team
and the RBAC and Admin Project Team.

It requests a Patch Release Binding.  However, there is no intention to
back port unless there is a business need to do so.  The exposed interfaces
were never formally ARCed.  They have been treated as Committed by the
Audit Project team for some time.  The man pages are updated to indicate
this.  The project requests a Committed Interface Taxonomy for the
proposed changes.

Full diff-marked man pages are in the case directory.

The timer is set for 11 Jan, 2010.

Gary..
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Background:
==========
Audit records include information on who did what to what.  The who is
the subject of the audit record, the what is the audit event and the
to what is the object of the audit record.  Audit records are generally
searchable based on who, what and to what by auditreduce(1m).

Audit records dealing with the administration of user attributes are not
searchable for the user affected.  Present audit records contain a text
token of the user name.  Examples of such audit records are those
generated by passwd user, passwd -f user, usermod <options> user.

Text tokens are generally used for supplemental information, not object
identifiers.  Current object types include "path" for files, "fmri" for
FMRIs, "ipc" for System V IPC, "process" for processes.

Proposal:
========
Add a new audit token named "user" and permit selection of audit records
that contain that user value.  The user name given for the auditreduce
user object takes the same form as the other auditreduce user
specifications.  The actual token value is both a uid_t and a user name
string.  Both are needed for the case where the user has been removed from
the system and the name-to-uid translation is not available.
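
A bounds-checked reader for the proposed user token, using the field widths from the audit.log(4) change in this case. This is an added example, not code from the case or from the audit project. The names parse_user_token, struct user_token and AUT_USER_ASSUMED are hypothetical, the token ID value is a placeholder (the case text gives none), and big-endian field order is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUT_USER_ASSUMED 0xEE /* placeholder: the case gives no token ID value */
#define USER_TOKEN_HDR   7    /* 1 (token ID) + 4 (user ID) + 2 (name length) */

struct user_token {
    uint32_t    uid;      /* kept so a removed account is still identifiable */
    const char *name;     /* points into the caller's buffer, NUL-terminated */
    uint16_t    name_len; /* as stored: includes the terminating NUL */
};

/* Constructed sample: uid 1001 (0x03E9), name "alice", length 6 with NUL. */
static const uint8_t sample[] = { 0xEE, 0, 0, 0x03, 0xE9, 0, 6,
                                  'a', 'l', 'i', 'c', 'e', 0 };

/*
 * Parse one user token from buf[0..len).  Returns the number of bytes
 * consumed, or -1 if the token is truncated or malformed.  Multi-byte
 * fields are read big-endian (assumption, not stated in the case).
 */
static int parse_user_token(const uint8_t *buf, size_t len,
                            struct user_token *out)
{
    if (buf == NULL || out == NULL || len < USER_TOKEN_HDR)
        return -1;
    if (buf[0] != AUT_USER_ASSUMED)
        return -1;

    uint32_t uid = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16) |
                   ((uint32_t)buf[3] << 8)  |  (uint32_t)buf[4];
    uint16_t nlen = (uint16_t)((buf[5] << 8) | buf[6]);

    /* The length counts the NUL, so 0 is invalid; it must fit the buffer. */
    if (nlen == 0 || (size_t)nlen > len - USER_TOKEN_HDR)
        return -1;

    const uint8_t *name = buf + USER_TOKEN_HDR;
    /* Require exactly one NUL, in the last position: rejects unterminated
     * names and embedded NULs that would hide trailing bytes from strcmp. */
    if ((const uint8_t *)memchr(name, '\0', nlen) != name + nlen - 1)
        return -1;

    out->uid = uid;
    out->name = (const char *)name;
    out->name_len = nlen;
    return USER_TOKEN_HDR + (int)nlen;
}
```

Carrying the uid alongside the name lets a selection tool match on either field when the account no longer resolves.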

audit.log(4):
++++++++++++
NAME
     audit.log - audit trail file

DESCRIPTION

     The audit.log  files  contains  audit  records.  Each  audit
     record  is  made  up of audit tokens. Each record contains a
     header token followed by various data tokens.  Depending  on
     the  audit  policy  in  place  by auditon(2), optional other
     tokens such as trailers or sequences may be included.

+    The user token consists of:
+      token ID                1 byte
+      user ID                 4 bytes
+      user name length        2 bytes
+      user name               <user name len> including terminating NULL byte
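
Review bot: the added user token layout gives field widths but neither the byte order of the 4-byte user ID and 2-byte user name length nor the value of the token ID, so the token cannot be decoded from this man page text alone. Suggest stating both, saying whether a user name length of 0 is ever valid given that the length includes the terminator, and writing "terminating NUL byte" rather than "NULL byte".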

auditreduce(1m):
+++++++++++++++

NAME
     auditreduce - merge and  select  audit  records  from  audit
     trail files

SYNOPSIS
     auditreduce [options] [audit-trail-file]...

OPTIONS

  Record Selection Options
     The record selection options listed below are used to  indi-
     cate  which  records are written to the output file produced
     by auditreduce.

     Multiple arguments of the same type are not permitted.

     -o object_type=objectID_value
         Select records by object type. A match occurs  when  the
         record contains the information describing the specified
         object_type and the object ID equals the value specified
         by objectID_value. The allowable object types and values
         are as follows:

+       user=user name
+            Select records containing the user object whose name
+            is specified.  User objects are generally specified
+            for administrative actions on a user.
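
Review bot: in the added "user=user name" entry the value placeholder contains a space, unlike "object_type=objectID_value" in the context above it; "user=user_name" would be unambiguous. The entry also says only that the name is matched, while the proposal text says the token carries both a uid and a name so that records for removed users stay usable, and that the value takes the same form as the other auditreduce user specifications. Suggest stating here whether a numeric uid is accepted and which token field is compared when the name no longer resolves.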
