Trusted Solaris Audit Administration

The audit_data File

When auditd starts on each system, it creates the file /etc/security/audit_data. The file consists of a single entry with two fields separated by a colon (see the audit_data(4) man page). The first field is the audit daemon's process ID, and the second field is the pathname of the audit file to which the audit daemon is currently writing audit records. Here is an example:



# cat /etc/security/audit_data
116:/etc/security/audit/egret.1/files/19910320100002.not_terminated.tern

In the Trusted Solaris environment, the audit_data file is protected at the label admin_high.
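
The check below is an added example, not part of the Trusted Solaris manual: it parses the pid:pathname entry described above and reports whether the entry still points to a live process and an open audit file. The function and variable names are this example's own, and treating not_terminated in the file name as the mark of the file currently being written is an assumption drawn from the sample entry.

```shell
#!/bin/sh
# Added example, not from the Trusted Solaris manual.
# Function and variable names are this example's own.

# Parse the single "pid:pathname" entry; sets AD_PID and AD_PATH.
# Returns 1 if the file is unreadable or the entry is malformed.
parse_audit_data() {
    AD_PID= AD_PATH= entry=
    [ -r "$1" ] || return 1
    IFS= read -r entry < "$1" || [ -n "$entry" ] || return 1
    case $entry in *:*) ;; *) return 1 ;; esac
    AD_PID=${entry%%:*}    # text before the first colon
    AD_PATH=${entry#*:}    # rest of the line (split on the first colon only)
    case $AD_PID in ''|*[!0-9]*) return 1 ;; esac   # PID must be all digits
    case $AD_PATH in /*) ;; *) return 1 ;; esac     # pathname must be absolute
}

# Report whether the entry describes a live daemon writing an open audit file.
# Returns 0 = consistent, 1 = stale, 2 = malformed or unreadable.
check_audit_data() {
    parse_audit_data "$1" || { echo "malformed: $1"; return 2; }
    # kill -0 sends no signal; it only tests that the process exists.
    kill -0 "$AD_PID" 2>/dev/null || { echo "stale: no process $AD_PID"; return 1; }
    [ -f "$AD_PATH" ] || { echo "stale: missing $AD_PATH"; return 1; }
    # Assumption drawn from the sample entry: the file being written
    # carries "not_terminated" in its name.
    case ${AD_PATH##*/} in
        *.not_terminated.*) ;;
        *) echo "stale: $AD_PATH is already terminated"; return 1 ;;
    esac
    echo "ok: pid $AD_PID writing $AD_PATH"
}

# Constructed sample modelled on the entry shown above; $$ (this shell)
# stands in for the audit daemon's process ID.
demo=$(mktemp -d)
touch "$demo/19910320100002.not_terminated.tern"
echo "$$:$demo/19910320100002.not_terminated.tern" > "$demo/audit_data"
check_audit_data "$demo/audit_data"
rm -rf "$demo"
```

On an audited system, run check_audit_data /etc/security/audit_data as root. A live PID only shows that some process holds that ID, so confirm it is auditd before relying on the result.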