Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

audgen(2) [osf1 man page]

audgen(2)							System Calls Manual							 audgen(2)

NAME

       audgen - generate an audit record

SYNOPSIS

       #include <sys/audit.h>
       audgen(
	    int event,
	    char *tokenp,
	    char *argv[],
	    char *userbuff,
	    long *size);

DESCRIPTION

       The system call generates an audit record.

       The  argument  event  is an integer indicating the event type of the operation being audited (see The value of event must be between one of
       the following values: MIN_TRUSTED_EVENT and MIN_TRUSTED_EVENT + N_TRUSTED_EVENTS -1 MIN_SITE_EVENT and MIN_SITE_EVENT  +  n_site_events	-1
       The  number of site-defined events, n_site_events, is determined by the sysconfig sec parameter audit_site_events.  Use sysconfig -q sec to
       view the security configuration controlled by /etc/sysconfigtab.  See aud_sitevent(3) and aud_sitevent_num(3) for  information  on  mapping
       site-defined event names and event numbers.

       The  tokenp  argument  is a null-terminated array of token_type (see each of which represents the type of argument referenced by the corre-
       sponding *argv argument.

       The argv argument is a pointer to an array containing either the actual arguments or pointers to those arguments that are to be recorded in
       the  audit record.  A pointer to the actual argument is placed in that array when the argument is a string, array, or other variable length
       structure.  Arguments represented as an int or a long are placed directly in that array.  The available public tokens  are  listed  in  the
       audit.h file.

       If size is nonzero, *size is the size of userbuff provided to audgen, and the audit record created is not passed into the system audit data
       stream, but is copied out to userbuff.  On return, *size is updated to the number of bytes of data placed into userbuff.  If  the  size	of
       the audit record exceeds *size, then errno is set to E2BIG.  Applications can use this feature to create their own audit records.

RESTRICTIONS

       The  call is a privileged system call.  No record is generated for the system audit data stream if the specified event is not being audited
       for the current process.  The maximum number of arguments referenced by argv is AUD_NPARAM (128) with no more than 8 of any one token_type.

RETURN VALUES

       Upon successful completion, returns a value of 0.  Otherwise, it returns a value of -1 and sets the global integer variable errno to  indi-
       cate the error.

ERRORS

       The system call fails under the following conditions:

       [EACCES]       The user is not privileged for this operation.

       [EINVAL]       The value supplied for the event, tokenp, or argv argument is invalid.

       [E2BIG]	      The audit record exceeds the audit buffer size.

       [ENOSYS]       Indicates an attempt to use a system call that is not configured.

       [EIO]	      The tokenmask data is invalid.

       [EIO]	      The size argument is non-zero, and the userbuff argument is invalid.

       [EFAULT]       A value referenced by the argv argument is invalid.

RELATED INFORMATION

       Functions: audgenl(3), aud_sitevent(3), aud_sitevent_num(3)

       Commands: audgen(8)

       Security delim off

																	 audgen(2)

Check Out this Related Man Page

aud_sitevent(3) 					     Library Functions Manual						   aud_sitevent(3)

NAME

       aud_sitevent, aud_sitevent_num - audit site event operations

LIBRARY

       Audit Library  - libaud.a and libaud.so

SYNOPSIS

       aud_sitevent(
	    int event,
	    int subevent,
	    int *eventname,
	    char *subeventname);

       aud_sitevent_num(
	    char *eventname,
	    char *subeventname,
	    int *ev_num,
	    int *subev_num);

DESCRIPTION

       Audit  site events are specific to and defined by a particular installation.  For example, an installation could have its own database pro-
       gram, and want to have it use the audit subsystem.  To do so, the installation's database events and subevents would be registered  in  the
       /etc/sec/site_events file.

       The site_events file contains one entry for each site event.  Each site event entry can contain any number of subevents.  Both preselection
       (see auditmask(8)) and postreduction (see audit_tool(8)) capabilities are supported for site events.  Postreduction capabilities  are  also
       supported for subevents.

       The  aud_sitevent  function, when provided event and subevent numbers, copies the corresponding event and subevent names into eventname and
       subeventname.  If no subevent for that site event exists, subevent should be set to -1, and no subeventname will be  copied.   The  maximum
       length of an event or subevent name is AUD_MAXEVENT_LEN bytes. If the requested mapping does not exist, -1 is returned.

       The  aud_sitevent_num function, when provided eventname and subeventname, copies the corresponding event numbers into ev_num and subev_num.
       If no subevent for that site event exists, subeventname should be set to the null string,  and  subev_num  will	be  set  to  -1.   If  the
       requested mapping does not exist, -1 is returned.

       Mappings between the event and subevent numbers and names are placed into the file /etc/sec/site_events.  A sample file follows:

	    eventname 2048,
		subevent0 0,
		subevent1 1,
		...
		subevent99 99;
	    my_rdb 2049,
		rdb_creat 0,
		rdb_open 1,
		rdb_delete 2;
	    nosubeventevent 2050;

       Each  line contains an event or subevent name followed by its number.  An event number must be between MIN_SITE_EVENT (see sys/audit.h) and
       MIN_SITE_EVENT + the output of the sysconfig -q sec audit_site_events for the running kernel.  A subevent number  must  be  a  non-negative
       integer.   The  line is terminated either with a comma (,) if an associated subevent follows, or with a semicolon (;) if no further associ-
       ated subevents follow.

EXAMPLES

       The following example looks up the event and subevent numbers for event "my_rdb" and subevent "rdb_open", and generates an audit record	if
       the lookup succeeded:

       if ( aud_sitevent_num ( "my_rdb", "rdb_open",
					      &event, &subev ) == 0 )
	  audgenl ( event, T_SUBEVENT, subev, T_CHARP,
					      "sample rec", 0 );

RELATED INFORMATION

       sysconfig(8), sysconfigdb(8)

       Security

       Programming Support Tools

       delim off

																   aud_sitevent(3)
Man Page