Displaying audit trail information

The audit map file

The auditmap command generates the audit map files. The audit map files contain system dependent information used by the auditrpt command to translate numeric data contained in the log file. Numeric data is recorded in the log file to minimize its size and to reduce processing overhead at recording time.

The auditrpt command uses the audit map files to translate users, groups, privileges, events and system calls from numbers to names. If the audit map files are not available, or the information they contain does not allow for a translation, auditrpt displays the ASCII representation of the numeric data. For example, if the audit map files do not contain information for user ID 9424, auditrpt displays the number 9424 instead of the user name in its output. Without the audit map files the output of auditrpt is hard to read and interpret.

By default, the audit map files reside in the directory /var/audit/auditmap. The audit map files are as follows:

The auditmap file is an ASCII file. It contains file identification information, which includes the audit software version, timezone information, privilege mechanism information, the system name, machine node name, operating system release and version, and the machine type. It also contains information on all login names and their corresponding user IDs, all group names and their group IDs, all events and their corresponding event numbers, all event classes and their corresponding events, all privilege names and their corresponding numbers, and all system call names and their corresponding numbers.

The auditmap command is automatically invoked whenever auditing is enabled. If the audit map file(s) already exist, they are renamed by prefixing with an "o". The new audit map files are then created.

The -m option of the auditmap command allows the administrator to specify a directory where the audit map files will reside. For example, if you want to create the audit map files in the directory /etc/audit/auditmap, enter the following command:

auditmap -m /etc/audit/auditmap
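The translation and fallback behaviour described above, as an added example that is not part of this manual page: a map of numeric user IDs to login names is applied to log records, unmapped IDs are left as numbers (as auditrpt does), and a second function lists the IDs the map cannot translate so the administrator knows the map is stale and must be regenerated. The "uid name" map layout and the "event uid object" record layout are assumptions for illustration; the real auditmap file format is not shown on this page.

```shell
#!/bin/sh
# Constructed sample map, assumed layout "uid name" (not the real auditmap format).
MAP_FILE=$(mktemp)
cat >"$MAP_FILE" <<'EOF'
0 root
100 alice
101 bob
EOF

# Constructed sample log records, assumed layout "event uid object".
# UID 9424 is deliberately absent from the map.
LOG_FILE=$(mktemp)
cat >"$LOG_FILE" <<'EOF'
login 100 /dev/tty01
open 9424 /etc/passwd
chmod 0 /usr/bin/su
exec 101 /bin/sh
EOF

# translate_uids MAP LOG
# Print each record with the uid field replaced by the login name when the
# map has an entry for it; otherwise the numeric uid is printed unchanged,
# mirroring auditrpt's fallback to the ASCII form of the number.
translate_uids() {
  awk 'NR == FNR { name[$1] = $2; next }
       { if ($2 in name) $2 = name[$2]; print }' "$1" "$2"
}

# unresolved_uids MAP LOG
# List every uid that occurs in the log but has no entry in the map, one per
# line, sorted numerically without duplicates. A non-empty result means the
# map predates those accounts and auditmap should be rerun before the report
# is relied on.
unresolved_uids() {
  awk 'NR == FNR { name[$1] = $2; next }
       !($2 in name) { print $2 }' "$1" "$2" | sort -n | uniq
}

translate_uids "$MAP_FILE" "$LOG_FILE"
unresolved_uids "$MAP_FILE" "$LOG_FILE"
```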


© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005