Displaying audit trail information

The audit map file

The auditmap command generates the audit map files. The audit map files contain system dependent information used by the auditrpt command to translate numeric data contained in the log file. Numeric data is recorded in the log file to minimize its size and to reduce processing overhead at recording time.

The auditrpt command will use the audit map files to translate users, groups, security levels, privileges, events and system calls from numbers to names. If the audit map files are not available or the information contained within does not allow for a translation, auditrpt will display the ASCII representation of the numeric data. For example, if the audit map files do not contain information for user ID 9424, auditrpt displays the number 9424 instead of the user name in its output. Without the audit map files the output of auditrpt is hard to read and interpret.
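The translation and fallback behaviour described above, as an added example that is not part of this documentation and not the auditrpt implementation. The audit map layout used here (one "type name number" line per mapping) is constructed for the example and is not the real format of the auditmap file; the log records are constructed as well. It also shows why maps from the same system matter: a second, constructed map from another machine assigns the same user ID to a different login name.

```python
# Added example: a small model of how auditrpt uses an audit map to translate
# numeric fields in an audit log record, with the numeric fallback when the map
# has no entry. The map format below is constructed for this example and is NOT
# the layout of /var/audit/auditmap/auditmap.

# Constructed audit map for the system that wrote the log.
AUDITMAP_TEXT = """\
user root 0
user audit 4
user jdoe 1001
group sys 3
group audit 9
event login 10
event exec 15
"""

# Constructed audit map from a different machine: ID 1001 is a different login.
OTHER_SYSTEM_MAP_TEXT = """\
user root 0
user backup 1001
group sys 3
event login 10
"""

# Constructed log records: only numbers are stored, as in the real audit log.
LOG_RECORDS = [
    {"event": 10, "uid": 1001, "gid": 9},
    {"event": 15, "uid": 9424, "gid": 3},   # uid 9424 is absent from the map
]


def parse_auditmap(text):
    """Build {type: {number: name}} tables from the constructed map text."""
    tables = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, number = line.split()
        tables.setdefault(kind, {})[int(number)] = name
    return tables


def translate(tables, kind, number):
    """Return the name recorded for (kind, number). When the map has no entry,
    return the ASCII form of the number, which is what auditrpt prints."""
    return tables.get(kind, {}).get(number, str(number))


def format_record(tables, rec):
    """Render one log record with every numeric field translated."""
    return "%s uid=%s gid=%s" % (
        translate(tables, "event", rec["event"]),
        translate(tables, "user", rec["uid"]),
        translate(tables, "group", rec["gid"]),
    )


def render_log(tables, records):
    """Render a whole log; pass empty tables to see output without any map."""
    return [format_record(tables, r) for r in records]


if __name__ == "__main__":
    tables = parse_auditmap(AUDITMAP_TEXT)
    for line in render_log(tables, LOG_RECORDS):
        print(line)
    print("-- same log, no audit map files available --")
    for line in render_log({}, LOG_RECORDS):
        print(line)
    print("-- same log, map taken from another system --")
    for line in render_log(parse_auditmap(OTHER_SYSTEM_MAP_TEXT), LOG_RECORDS):
        print(line)
```

Run with the map from the originating system, the record for user 1001 prints as `jdoe` and the unmapped user 9424 prints as the bare number; with no map at all every field is a number, and with the other machine's map the same record is labelled `backup`, which is the silent mislabelling the "same system" advice in this chapter is meant to avoid.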

By default, the audit map files reside in the directory /var/audit/auditmap. The audit map files are as follows:

auditmap
The auditmap file is an ASCII file. It contains file identification information, which includes the audit software version, timezone information, privilege mechanism information, the system name, machine node name, operating system release and version, and the machine type. It also contains information on all login names and their corresponding user IDs, all group names and their group IDs, all events and their corresponding event numbers, all event classes and their corresponding events, all privilege names and their corresponding numbers, and all system call names and their corresponding numbers.

lid.internal
The lid.internal file is a binary file. It contains information on the security level identifiers (LIDs) defined on the system. This file is not present in the current release; it is present only in earlier releases that have the Enhanced Security Utilities installed.

ltf.alias
The ltf.alias file is an ASCII file. It contains information on the security level aliases defined on the system. This file is not present in the current release; it is present only in earlier releases that have the Enhanced Security Utilities installed.

ltf.cat
The ltf.cat file is an ASCII file. It contains information on the security level categories defined on the system. This file is not present in the current release; it is present only in earlier releases that have the Enhanced Security Utilities installed.

ltf.class
The ltf.class file is an ASCII file. It contains information on the security level classifications defined on the system. This file is not present in the current release; it is present only in earlier releases that have the Enhanced Security Utilities installed.

The last four files are mentioned even though they do not exist in this release. They can exist on earlier releases, and if you are processing an audit log file from a system running such a release, you will need to use these files from that same system to obtain the best translation.

The auditmap command is automatically invoked whenever auditing is enabled. If the audit map files already exist, they are renamed by prefixing their names with an "o". The new audit map files are then created.

The -m option of the auditmap command allows the administrator to specify a directory where the audit map files will reside. For example, if you want to create the audit map files in the directory /etc/audit/auditmap, enter the following command:

auditmap -m /etc/audit/auditmap
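The rename-then-regenerate step that runs each time auditing is enabled, as an added example; this is not the auditmap command's own code. The map directory argument plays the role of the -m option, and the example uses a temporary directory so that it can be run without touching /var/audit/auditmap. One assumption is not stated in this documentation and is marked in the code: an existing "o"-prefixed copy is overwritten by the next rotation, so only one older generation survives.

```python
import os
import tempfile

# Added example: a model of what the auditmap command does to the map directory
# each time auditing is enabled. Existing map files are renamed with an "o"
# prefix, then fresh ones are written. Not the UnixWare implementation.

# All map file names this chapter lists; only auditmap exists in this release.
MAP_FILE_NAMES = ["auditmap", "lid.internal", "ltf.alias", "ltf.cat", "ltf.class"]


def rotate_audit_maps(map_dir):
    """Prefix every existing map file in map_dir with 'o'.
    Assumption (not stated in the documentation): a previous 'o' copy is
    overwritten, so only one older generation is kept."""
    rotated = []
    for name in MAP_FILE_NAMES:
        src = os.path.join(map_dir, name)
        if os.path.exists(src):
            os.replace(src, os.path.join(map_dir, "o" + name))
            rotated.append(name)
    return rotated


def write_audit_maps(map_dir, generation):
    """Stand-in for map generation: writes a constructed auditmap file only."""
    os.makedirs(map_dir, exist_ok=True)
    with open(os.path.join(map_dir, "auditmap"), "w") as f:
        f.write("# constructed map, generation %d\n" % generation)


def enable_auditing(map_dir, generation):
    """Model of the auditmap step performed when auditing is enabled;
    map_dir is the directory the -m option would select."""
    rotated = rotate_audit_maps(map_dir)
    write_audit_maps(map_dir, generation)
    return rotated


def run_demo(map_dir=None):
    """Enable auditing three times and report which files remain and which
    generation each holds. Uses a fresh temporary directory when none is given."""
    if map_dir is None:
        map_dir = tempfile.mkdtemp(prefix="auditmap-demo-")
    history = [enable_auditing(map_dir, g) for g in (1, 2, 3)]
    contents = {}
    for name in sorted(os.listdir(map_dir)):
        with open(os.path.join(map_dir, name)) as f:
            contents[name] = f.read().strip()
    return history, contents


if __name__ == "__main__":
    history, contents = run_demo()
    print("files rotated per run:", history)
    for name, text in contents.items():
        print(name, "->", text)
```

After three runs only `auditmap` (generation 3) and `oauditmap` (generation 2) remain; generation 1 is gone. If an older log file must be reported on later, the map files that were current when that log was written have to be copied aside before auditing is enabled again, which is the practical consequence of the advice above about using map files from the same system.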


© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999