Tru64 Unix man pages: audgen(2)

audgen(2)

NAME

       audgen - generate an audit record

SYNOPSIS

       #include <sys/audit.h>

       audgen(
               int event,
               char *tokenp,
               char *argv,
               char *userbuff,
               long *size );

DESCRIPTION

       The audgen system call generates an audit record.

       The argument event is an integer indicating the event type
       of the operation being audited (see audit.h).  The value
       of event must lie between one of the following pairs of
       values:

              MIN_TRUSTED_EVENT and
              MIN_TRUSTED_EVENT + N_TRUSTED_EVENTS - 1

              MIN_SITE_EVENT and
              MIN_SITE_EVENT + n_site_events - 1

       The number of site-defined events, n_site_events, is
       determined by the sysconfig sec parameter
       audit_site_events.  Use sysconfig -q sec to view the
       security configuration controlled by /etc/sysconfigtab.
       See aud_sitevent(3) and aud_sitevent_num(3) for information
       on mapping site-defined event names and event numbers.

       The   tokenp   argument  is  a  null-terminated  array  of
       token_type (see audit.h), each  of  which  represents  the
       type  of  argument  referenced  by the corresponding *argv
       argument.

       The argv argument is a pointer to an array containing
       either the actual arguments or pointers to those arguments
       that are to be recorded in the audit record.  A pointer to
       the actual argument is placed in that array when the
       argument is a string, array, or other variable-length
       structure.  Arguments represented as an int or a long are
       placed directly in that array.  The available public tokens
       are listed in the audit.h file.

       If size is nonzero, *size is the size of userbuff provided
       to audgen, and the audit record created is not passed into
       the system audit data stream, but is copied out to
       userbuff.  On return, *size is updated to the number of
       bytes of data placed into userbuff.  If the size of the
       audit record exceeds *size, then errno is set to E2BIG.
       Applications can use this feature to create their own audit
       records.

RESTRICTIONS

       The audgen call is a privileged system call.  No record is
       generated for the system audit data stream if the
       specified event is not being audited for the current
       process.  The maximum number of arguments referenced by
       argv is AUD_NPARAM (128) with no more than 8 of any one
       token_type.
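
       A self-auditing application can check the documented limits before it calls audgen, so that a malformed request is caught in the caller instead of being dropped from the audit trail. The block below is an added example, not part of the original man page or of Tru64: audgen_precheck and the enum are hypothetical names, the three event constants are placeholder values standing in for those in <sys/audit.h>, and the code does not call audgen itself.

```c
#include <stddef.h>

/* Placeholder values (assumptions): the real ones come from <sys/audit.h>. */
#define MIN_TRUSTED_EVENT 512
#define N_TRUSTED_EVENTS  64
#define MIN_SITE_EVENT    2048
/* Limits stated in RESTRICTIONS. */
#define AUD_NPARAM        128
#define MAX_PER_TOKEN     8

enum precheck { PC_OK, PC_BAD_EVENT, PC_NO_TOKENS, PC_TOO_MANY_ARGS, PC_TOKEN_REPEATED };

/* Event must fall in the trusted range or the site-defined range. */
static int event_in_range(int event, int n_site_events)
{
    if (event >= MIN_TRUSTED_EVENT &&
        event <= MIN_TRUSTED_EVENT + N_TRUSTED_EVENTS - 1)
        return 1;
    return event >= MIN_SITE_EVENT &&
           event <= MIN_SITE_EVENT + n_site_events - 1;
}

/*
 * Hypothetical helper: validate event and the null-terminated tokenp
 * array against the documented limits. n_site_events is the value of the
 * sysconfig sec parameter audit_site_events, supplied by the caller.
 */
enum precheck audgen_precheck(int event, const char *tokenp, int n_site_events)
{
    unsigned char seen[256] = {0};   /* occurrences of each token_type */
    size_t n;

    if (!event_in_range(event, n_site_events))
        return PC_BAD_EVENT;
    if (tokenp == NULL)
        return PC_NO_TOKENS;
    for (n = 0; tokenp[n] != '\0'; n++) {
        if (n >= AUD_NPARAM)         /* a 129th argument is present */
            return PC_TOO_MANY_ARGS;
        if (++seen[(unsigned char)tokenp[n]] > MAX_PER_TOKEN)
            return PC_TOKEN_REPEATED;
    }
    return PC_OK;
}
```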




RETURN VALUES

       Upon  successful  completion, audgen returns a value of 0.
       Otherwise, it returns a value of -1 and  sets  the  global
       integer variable errno to indicate the error.

ERRORS

       The audgen system call fails under the following
       conditions:

              The user is not privileged for this operation.

              The value supplied for the event, tokenp, or argv
              argument is invalid.

              The audit record exceeds the audit buffer size.

              Indicates an attempt to use a system call that is
              not configured.

              The tokenmask data is invalid.

              The size argument is non-zero, and the userbuff
              argument is invalid.

              A value referenced by the argv argument is invalid.

SEE ALSO

       Functions:          audgenl(3),           aud_sitevent(3),
       aud_sitevent_num(3)

       Commands: audgen(8)

       Security



                                                        audgen(2)