produce audit records for subsystem events
[ -v ] tstamp event record
pid cmd code [ args ... ]
is used by programs implementing protected subsystems as the means for
sending audit records to the audit subsystem.
Because those programs do not have the writeaudit privilege,
they invoke dlvr_audit
which sends the data over a message queue to the audit daemon, which
appends the record to the audit trail.
Because dlvr_audit is run as a child process of the process
producing the record, it does not have the ability to write the audit
The message queue that it uses is only usable by the audit user,
must be run SUID to the audit user.
The group is inherited from the invoking process and is checked against
those groups associated with protected subsystems.
If the group cannot be identified with a protected subsystem, the record
is ignored (so that general user programs cannot flood the audit subsystem
with invalid messages).
flag forces the program to report all of its actions.
Normally, this flag is not used so that audit records can be made
without the knowledge of the program user.
The required arguments apply to all audit records.
argument is the (ASCII number representation of the)
time in seconds past Jan 1, 1970 that the audit record
The event argument is the number of the event type
as described in <sys/audit.h>.
Similarly, the record
argument is the audit record format type as described in
is the process ID of the event process.
is the name of the protected subsystem command.
is specific to the
type being generated.
There may be 0 or more optional arguments depending on the code.
uses the extra arguments to fill in specific fields required by the
particular record format.
``Understanding the audit subsystem'' in the System Administration Guide
dlvr_audit is not part of any currently supported standard; it is
an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003