au_mask(3) [osx man page]

AU_MASK(3)						   BSD Library Functions Manual 						AU_MASK(3)

NAME
     au_preselect, getauditflagsbin, getauditflagschar -- convert between string and numeric values of audit masks

LIBRARY
     Basic Security Module Library (libbsm, -lbsm)

SYNOPSIS
     #include <bsm/libbsm.h>

     int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);

     int getauditflagsbin(char *auditstr, au_mask_t *masks);

     int getauditflagschar(char *auditstr, au_mask_t *masks, int verbose);

DESCRIPTION
     These interfaces support processing of an audit mask represented by type au_mask_t, including conversion between numeric and text formats, and computing whether or not an event is matched by a mask.

     The au_preselect() function calculates whether or not the audit event passed via event is matched by the audit mask passed via mask_p. The sorf argument indicates whether or not to consider the event as a success, if the AU_PRS_SUCCESS flag is set, or failure, if the AU_PRS_FAILURE flag is set. The flag argument accepts additional arguments influencing the behavior of au_preselect(), including AU_PRS_REREAD, which causes the event to be re-looked up rather than read from the cache, or AU_PRS_USECACHE, which forces use of the cache.

     The getauditflagsbin() function converts a string representation of an audit mask passed via a character string pointed to by auditstr, returning the resulting mask, if valid, via *masks.

     The getauditflagschar() function converts the audit event mask passed via *masks to a character string in a buffer pointed to by auditstr. See the BUGS section for more information on how to provide a buffer of sufficient size. If the verbose flag is set, the class description string retrieved from audit_class(5) will be used; otherwise, the two-character class name.

IMPLEMENTATION NOTES
     The au_preselect() function makes implicit use of various audit database routines, and may influence the behavior of simultaneous or interleaved processing of those databases by other code.

RETURN VALUES
     The au_preselect() function returns 0 on success, or returns -1 if there is a failure looking up the event type or other database access, in which case errno will be set to indicate the error. It returns 1 if the event is matched; 0 if not.

     The getauditflagsbin() and getauditflagschar() functions return the value 0 if successful; otherwise the value -1 is returned and the global variable errno is set to indicate the error.

SEE ALSO
     libbsm(3), audit_class(5)

HISTORY
     The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.

AUTHORS
     This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc.

     The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.

BUGS
     The errno variable may not always be properly set in the event of an error.

     The getauditflagschar() function does not provide a way to indicate how long the character buffer is, in order to detect overflow. As a result, the caller must always provide a buffer of sufficient length for any possible mask, which may be calculated as three times the number of non-zero bits in the mask argument in the event non-verbose class names are used, and is not trivially predictable for verbose class names. This API should be replaced with a more robust one.

BSD                                April 19, 2005                                BSD
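The sizing rule from the BUGS section of au_mask(3), as an added example that is not part of the man page or of OpenBSM: a wrapper that allocates the non-verbose bound plus a guard region and rejects the result if the converter wrote past the bound. The names au_mask_str_bound, au_mask_to_str_checked, fake_ok and fake_overrun, the guard size, the extra NUL byte and the choice to count bits in both mask halves are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __APPLE__
#include <bsm/libbsm.h>               /* real au_mask_t and getauditflagschar() */
#else                                 /* stand-in with the same two fields */
typedef struct { unsigned int am_success, am_failure; } au_mask_t;
#endif

typedef int (*mask_to_str_fn)(char *auditstr, au_mask_t *masks, int verbose);
enum { GUARD_LEN = 64, GUARD_BYTE = 0xA5 };   /* assumed guard size and fill */

static size_t set_bits(unsigned int v) {
    size_t n = 0;
    for (; v != 0; v &= v - 1) n++;   /* clears the lowest set bit each pass */
    return n;
}

/* BUGS rule for non-verbose names: 3 bytes per non-zero bit. Counting both
 * halves of the mask and adding 1 for the NUL are this example's assumptions. */
size_t au_mask_str_bound(const au_mask_t *m) {
    return 3 * (set_bits(m->am_success) + set_bits(m->am_failure)) + 1;
}

/* Returns a malloc'd string (caller frees), or NULL if the converter failed
 * or wrote past the computed bound into the guard region. */
char *au_mask_to_str_checked(mask_to_str_fn conv, au_mask_t *m) {
    size_t bound = au_mask_str_bound(m);
    unsigned char *buf = calloc(1, bound + GUARD_LEN);
    if (buf == NULL) return NULL;
    memset(buf + bound, GUARD_BYTE, GUARD_LEN);
    int rc = conv((char *)buf, m, 0);               /* verbose = 0 */
    for (size_t i = 0; rc == 0 && i < GUARD_LEN; i++)
        if (buf[bound + i] != GUARD_BYTE) rc = -1;  /* overrun detected */
    if (rc != 0) { free(buf); return NULL; }
    return (char *)buf;
}

/* Constructed stand-ins for the converter, not libbsm code. */
int fake_ok(char *s, au_mask_t *m, int v) { (void)m; (void)v; strcpy(s, "lo,ad"); return 0; }
int fake_overrun(char *s, au_mask_t *m, int v) { (void)v; memset(s, 'x', au_mask_str_bound(m) + 4); return 0; }

int main(void) {
    au_mask_t m = { 0x3, 0 };                       /* constructed: two bits set */
    char *s = au_mask_to_str_checked(fake_ok, &m);
    int ok = s != NULL && au_mask_to_str_checked(fake_overrun, &m) == NULL;
    free(s);
    return ok ? 0 : 1;
}
```

On a system with libbsm, getauditflagschar is what would be passed as conv. The guard only reports an overrun after it has happened, and only one that stayed within GUARD_LEN bytes, so it is a tripwire and not a substitute for a length-aware API.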

au_preselect(3BSM)														au_preselect(3BSM)

NAME
     au_preselect - preselect an audit event

SYNOPSIS
     cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
     #include <bsm/libbsm.h>

     int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);

DESCRIPTION
     The au_preselect() function determines whether the audit event event is preselected against the binary preselection mask pointed to by mask_p (usually obtained by a call to getaudit(2)).

     The au_preselect() function looks up the classes associated with event in audit_event(4) and compares them with the classes in mask_p. If the classes associated with event match the classes in the specified portions of the binary preselection mask pointed to by mask_p, the event is said to be preselected.

     The sorf argument indicates whether the comparison is made with the success portion, the failure portion, or both portions of the mask pointed to by mask_p.

     The following are the valid values of sorf:

     AU_PRS_SUCCESS     Compare the event class with the success portion of the preselection mask.

     AU_PRS_FAILURE     Compare the event class with the failure portion of the preselection mask.

     AU_PRS_BOTH        Compare the event class with both the success and failure portions of the preselection mask.

     The flag argument tells au_preselect() how to read the audit_event(4) database. Upon initial invocation, au_preselect() reads the audit_event(4) database and allocates space in an internal cache for each entry with malloc(3C). In subsequent invocations, the value of flag determines where au_preselect() obtains audit event information.

     The following are the valid values of flag:

     AU_PRS_REREAD      Get audit event information by searching the audit_event(4) database.

     AU_PRS_USECACHE    Get audit event information from internal cache created upon the initial invocation. This option is much faster.

RETURN VALUES
     Upon successful completion, au_preselect() returns 0 if event is not preselected or 1 if event is preselected. If au_preselect() could not allocate memory or could not find event in the audit_event(4) database, -1 is returned.

FILES
     /etc/security/audit_class     file mapping audit class number to audit class names and descriptions

     /etc/security/audit_event     file mapping audit event number to audit event names and associates

ATTRIBUTES
     See attributes(5) for a description of the following attributes:

     +-----------------------------+-----------------------------+
     |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
     +-----------------------------+-----------------------------+
     |Interface Stability          |Stable                       |
     +-----------------------------+-----------------------------+
     |MT-Level                     |MT-Safe                      |
     +-----------------------------+-----------------------------+

SEE ALSO
     bsmconv(1M), getaudit(2), au_open(3BSM), getauclassent(3BSM), getauevent(3BSM), malloc(3C), audit_class(4), audit_event(4), attributes(5)

NOTES
     The au_preselect() function is normally called prior to constructing and writing an audit record. If the event is not preselected, the overhead of constructing and writing the record can be saved.

     The functionality described on this manual page is available only if the Basic Security Module (BSM) has been enabled. See bsmconv(1M) for more information.

                                   31 Mar 2005                    au_preselect(3BSM)