aud_sitevent(3) [osf1 man page]

aud_sitevent(3) 					     Library Functions Manual						   aud_sitevent(3)

NAME
aud_sitevent, aud_sitevent_num - audit site event operations

LIBRARY
Audit Library - libaud.a and libaud.so

SYNOPSIS
aud_sitevent( int event, int subevent, char *eventname, char *subeventname);

aud_sitevent_num( char *eventname, char *subeventname, int *ev_num, int *subev_num);

DESCRIPTION
Audit site events are specific to and defined by a particular installation. For example, an installation could have its own database program, and want to have it use the audit subsystem. To do so, the installation's database events and subevents would be registered in the /etc/sec/site_events file. The site_events file contains one entry for each site event. Each site event entry can contain any number of subevents. Both preselection (see auditmask(8)) and postreduction (see audit_tool(8)) capabilities are supported for site events. Postreduction capabilities are also supported for subevents.

The aud_sitevent function, when provided event and subevent numbers, copies the corresponding event and subevent names into eventname and subeventname. If no subevent for that site event exists, subevent should be set to -1, and no subeventname will be copied. The maximum length of an event or subevent name is AUD_MAXEVENT_LEN bytes. If the requested mapping does not exist, -1 is returned.

The aud_sitevent_num function, when provided eventname and subeventname, copies the corresponding event numbers into ev_num and subev_num. If no subevent for that site event exists, subeventname should be set to the null string, and subev_num will be set to -1. If the requested mapping does not exist, -1 is returned.

Mappings between the event and subevent numbers and names are placed into the file /etc/sec/site_events. A sample file follows:

    eventname 2048,
        subevent0 0,
        subevent1 1,
        ...
        subevent99 99;
    my_rdb 2049,
        rdb_creat 0,
        rdb_open 1,
        rdb_delete 2;
    nosubeventevent 2050;

Each line contains an event or subevent name followed by its number. An event number must be between MIN_SITE_EVENT (see sys/audit.h) and MIN_SITE_EVENT + the output of the sysconfig -q sec audit_site_events for the running kernel. A subevent number must be a non-negative integer. The line is terminated either with a comma (,) if an associated subevent follows, or with a semicolon (;) if no further associated subevents follow.

EXAMPLES
The following example looks up the event and subevent numbers for event "my_rdb" and subevent "rdb_open", and generates an audit record if the lookup succeeded:

    if ( aud_sitevent_num ( "my_rdb", "rdb_open", &event, &subev ) == 0 )
        audgenl ( event, T_SUBEVENT, subev, T_CHARP, "sample rec", 0 );

RELATED INFORMATION
sysconfig(8), sysconfigdb(8)

Security Programming Support Tools
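
The site_events format and the name-to-number lookup described above can be exercised without libaud. The following is an added example, not part of the original man page or of the audit library: the helper lookup_site_event, the bounds MIN_EV_ASSUMED and N_EV_ASSUMED, the 64-byte name buffer and the sample text are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed placeholders: real bounds come from sys/audit.h and sysconfig. */
#define MIN_EV_ASSUMED 2048
#define N_EV_ASSUMED   64

/* Constructed sample in the site_events format. */
static const char SAMPLE[] =
    "my_rdb 2049,\n    rdb_creat 0,\n    rdb_open 1,\n    rdb_delete 2;\n"
    "nosubeventevent 2050;\n";

/* Hypothetical helper following the documented aud_sitevent_num contract:
 * 0 on success, -1 if the mapping is missing or an entry is malformed. */
int lookup_site_event(const char *text, const char *evname,
                      const char *subname, int *ev_num, int *subev_num)
{
    char name[64], term;   /* 64 is an assumed stand-in for AUD_MAXEVENT_LEN */
    int num, used = 0, ev = -1, in_subs = 0;

    while (sscanf(text, " %63[^ \t\n,;] %d %c%n", name, &num, &term, &used) == 3) {
        if (term != ',' && term != ';')
            return -1;                  /* entry must end in ',' or ';' */
        if (!in_subs) {                 /* this entry names an event */
            if (num < MIN_EV_ASSUMED || num > MIN_EV_ASSUMED + N_EV_ASSUMED)
                return -1;              /* outside the site event range */
            ev = strcmp(name, evname) == 0 ? num : -1;
        } else if (num < 0) {
            return -1;                  /* subevents are non-negative */
        }
        /* Hit: the event itself for an empty subname, else its subevent. */
        if (ev >= 0 && (in_subs ? strcmp(name, subname) == 0 : subname[0] == '\0')) {
            *ev_num = ev;
            *subev_num = in_subs ? num : -1;
            return 0;
        }
        in_subs = (term == ',');        /* ',' means a subevent follows */
        text += used;
    }
    return -1;
}

int main(void)
{
    int ev = 0, sub = 0;
    if (lookup_site_event(SAMPLE, "my_rdb", "rdb_open", &ev, &sub) == 0)
        printf("my_rdb/rdb_open -> event %d, subevent %d\n", ev, sub);
    return 0;
}
```

Running the same check over a site's real file before deployment catches an out-of-range event number or a wrong terminator ahead of the lookup that would otherwise return -1 and leave the audit record ungenerated.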

event_class(5)															    event_class(5)

NAME
event class file - The file that contains the declaration of an event class.

DESCRIPTION
Audit events can be logically grouped into event classes. Event classes are defined in event class files. An event class file contains an event class number and a list of event numbers corresponding to audit events.

All event class files must be created in the dcelocal/etc/audit/ec directory. The name of the event class file becomes the name of the event class. The recommended naming convention for event class files is:

    dce_server-name_class

where class is a descriptive text that characterizes the event class.

Event class files must be write-protected by the local operating system (that is, only administrators should have write access to these files). Audit clients read these files to maintain an event table in their address space.

Optionally, an event class file can contain a SEP line. This line contains a list of prefixes of the event numbers in the file. The SEP line speeds up the scanning performed by the Audit clients. Audit clients which do not have events with one of the prefixes listed will not scan the event list. If the SEP line is not provided in the file, Audit clients will have to read the entire file to find out if the event class file contains any of their events.

Empty lines are ignored in the event class file. Comments are designated by the number sign (#) placed before the comment text.

The Event Class File Format

The format of an event class file is:

    ECN=event_class_number
    SEP=prefix_1 prefix_2 ...
    # comments start with the number sign
    event_number_1
    event_number_2

EXAMPLES
Following is an example of an event class file for the event class ec_local_authentication:

    ECN = 0x00000001
    SEP = 0x100
    # AS_Request
    0x00000100
    # TGS_TicketReq
    0x00000101
    # TGS_RenewReq
    0x00000102
    # TGS_ValidateReq
    0x00000103