dg_auditwrite(2)           C2 Trusted DG/UX 5.4.2T          dg_auditwrite(2)


NAME
       dg_auditwrite - write a record to the audit trail.

SYNOPSIS
       #include <sys/audit.h>
       #include <sys/auditevents.h>

       int dg_auditwrite(audrechandlet  rechandle);

   where:
       rechandle      The address of the structure that describes the
                       record to be written to the audit trail.

DESCRIPTION
       The dg_auditwrite() system call is used to write non-kernel audit
       records.  The audit record is written to the current audit trail file
       if auditing is on, the header record given by rechandle is valid,
       and the effective audit mask of the target process, audpid, enables
       the auditing of the event-class given in rechandle.  Because this
       function does not require privilege, no indication is given when a
       record is discarded because auditing is off or the effective audit
       mask blocks it.  This prevents it from being used to determine if
       auditing is on or which events are being audited.

       The audit record is created from the header record and any optional
       record section(s) in the user buffer defined by rechandle.  Before
       writing the record, dg_auditwrite adds a record tail and fills in some
       fields of the headers as described below.

       The record header contains the following fields which are filled in
       as described:

       Name            Description

       hdr             A structure of type struct audhdrhdr, filled in by
                       dg_auditwrite, containing the magic number
                       AUDRECORDHEADERMAGIC and the length of the audit
                       record.

       audtv          The current time, filled in by dg_auditwrite.

       audpid         The ID of the process that initiated the event being
                       audited.  When this field is 0, dg_auditwrite sets it
                       to the ID of the calling process and sets the
                       audauid field to the authentication ID of the user
                       associated with the process.  Appropriate privilege
                       is required to pass this field with a nonzero value.

       audauid        The authentication ID of the user associated with the
                       process given by audpid.  If audpid is 0, then this
                       field is set to the authID of the calling process. If
                       audpid is not 0, this field is assumed to have been
                       set by the caller.




Licensed material--property of copyright holder(s)                         1




       audeventid    This field is set by the caller to the event number
                       of the event being audited.

                       Only user level auditable events may be audited via
                       this function.  That is, auditable events generated
                       by the operating system cannot be audited via this
                       function.  The event numbers reserved by the
                       operating system are defined in <sys/auditevents.h>,
                       from AUD_ET_KERNEL_BASE to AUD_ET_KERNEL_BASE +
                       AUD_NUM_KERNEL_EVENTS inclusive.

       audreason      Set by the caller to one of the audit reasons defined
                       in <sys/audit.h>.

       audclass       The audit class to which the event audeventid is
                       mapped.  An audit class represents a grouping of
                       related auditable events and the audit reasons for
                       auditing the class.  This field is set by
                       dg_auditwrite to the class to which audeventid is
                       mapped. See the AUDSETCMDSETMAP option of
                       auditctl(2).

       auderror       This field is set by the caller to the error code
                       generated by the event being audited.

       Optionally the header record is followed by an array of struct
       audsectheader which typically contain the arguments and results
       needed to understand the event and its outcome. The audsectheader
       contains the following fields:

       Name            Description

       divtype        The division type.  This type associates the data in
                       the section with one of the entities involved in the
                       operation being audited.  This field must be one of:

                   AUDDIVSAME          This record contains data
                                         associated with the previous
                                         entity.  The header record contains
                                         data about the subject (the process
                                         and its user) and so a header
                                         record followed by this division
                                         contains information about the
                                         subject.

                   AUDDIVOBJECT        The first record containing
                                         information about an object
                                         involved in the event.

                   AUDDIVOPAQUE        The beginning of event-specific
                                         data.

                   AUDDIVTAIL          The last entry in the audit record.






       secttype       Identifies the type of the data that follows this
                       header.  The number of data entries in this section
                       is given by the size of each entry and the length
                       of the section.  Note that some of these sections are
                       used by features that may not be configured on your
                       system.  Valid entries for this field are:

                   AUDSECTOPAQUE       This section contains one or more
                                         event-specific entries.

                   AUDSECTPATHNAME     One or more null terminated
                                         pathnames follow.

                   AUDSECTIDS          This section contains one or more
                                         process credentials (IDS), e.g.,
                                         uids, gids, supplementary groups
                                         etc.

                   AUDSECTACL          This section contains one or more
                                         ACLs (access control lists).

                   AUDSECTGID          This section contains one or more
                                         group IDs.

                   AUDSECTUID          This section contains one or more
                                         user IDs.

                   AUDSECTSIGNAL       This section contains one or more
                                         signal numbers.

                   AUDSECTUSERNAME     This section contains one or more
                                         strings representing user names.

                   AUDSECTFDS          This section contains one or more
                                         file descriptors.

                   AUDSECTPID          This section contains one or more
                                         process IDs.

                   AUDSECTUFID         This section contains one or more
                                         unique file IDs.

                   AUDSECTMODE         This section contains one or more
                                         access modes.

                   AUDSECTDEV          This section contains one or more
                                         device numbers.

                   AUDSECTAUDITMASK    This section contains one or more
                                         audit masks.

                   AUDSECTERRNO        This section contains one or more
                                         error numbers.






                   AUDSECTSTRINGS      This section contains one or more
                                         strings.

                   AUDSECTINTS         This section contains one or more
                                         integers.

                   AUDSECTSHORTS       This section contains one or more
                                         16-bit values.

                   AUDSECTBYTES        This section contains one or more
                                         8-bit values.

                   AUDSECTTAIL         This is the header of the audit
                                         tail record.

       sectlen        The length of the section, including the header and
                       any padding added to align the next section on a
                       4-byte boundary.  This entry must contain a value
                       greater than or equal to sizeof(audsectheader).
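
       The sectlen rule above is what lets a reader of the audit trail step
       from one section to the next. The following is an added example, not
       code from DG/UX or its headers: it builds padded sections and walks
       them, rejecting a length that is shorter than a header, misaligned, or
       longer than the buffer. The ex_ names, field widths, struct layout and
       constant values are assumptions standing in for <sys/audit.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the section header described above. Field widths and constant
 * values are assumptions; the real definitions come from <sys/audit.h>. */
struct ex_sect_header {
    uint16_t divtype, secttype;  /* owning entity; type of the data */
    uint32_t sectlen;            /* header + data + padding, in bytes */
};
enum { EX_DIV_OBJECT = 2, EX_DIV_TAIL = 4, EX_SECT_PATHNAME = 1, EX_SECT_TAIL = 99 };
/* Append one section at *off, padded to a 4-byte boundary; -1 if it won't fit. */
static int ex_put_section(uint8_t *buf, size_t cap, size_t *off, uint16_t div,
                          uint16_t type, const void *data, size_t datalen)
{
    size_t total = (sizeof(struct ex_sect_header) + datalen + 3) & ~(size_t)3;
    if (total < datalen || *off > cap || total > cap - *off || total > UINT32_MAX)
        return -1;
    struct ex_sect_header h = { div, type, (uint32_t)total };
    memset(buf + *off, 0, total);                  /* zero the padding bytes */
    memcpy(buf + *off, &h, sizeof h);
    if (datalen) memcpy(buf + *off + sizeof h, data, datalen);
    *off += total;
    return 0;
}

/* Walk the sections; return their count, or -1 when a sectlen is shorter than
 * a header, misaligned, overruns the buffer, or no tail ends the record. */
static int ex_walk_sections(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    for (int n = 1; len - off >= sizeof(struct ex_sect_header); n++) {
        struct ex_sect_header h;
        memcpy(&h, buf + off, sizeof h);
        if (h.sectlen < sizeof h || (h.sectlen & 3) || h.sectlen > len - off)
            return -1;   /* a zero or short length would never advance */
        off += h.sectlen;
        if (h.secttype == EX_SECT_TAIL) return off == len ? n : -1;
    }
    return -1;
}

int main(void)
{
    uint8_t rec[64]; size_t off = 0;   /* constructed sample record body */
    ex_put_section(rec, sizeof rec, &off, EX_DIV_OBJECT, EX_SECT_PATHNAME, "/etc/passwd", 12);
    ex_put_section(rec, sizeof rec, &off, EX_DIV_TAIL, EX_SECT_TAIL, NULL, 0);
    printf("%zu bytes, %d sections\n", off, ex_walk_sections(rec, off));
    return 0;
}
```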


ACCESS CONTROL
       The caller must have appropriate privilege.

RETURN VALUE
       Upon successful completion, dg_auditwrite() returns a value of 0.
       Otherwise, it returns the value -1, and sets errno to indicate an
       error.

DIAGNOSTICS
       Errno may be set to one of the following error codes:

       EFAULT          The memory buffer specified by rechandle is not
                       accessible by the caller.

       EINVAL          Invalid event number: the given number is not in the
                       audit-event-to-audit-class map for user-level
                       events.

       ENOMEM          The operating system could not allocate the memory
                       needed to complete this request.

SEE ALSO
       dgauditctl(2), dgsetsmask(2), sysconf(2), audclassmap(1m),
       audadmin(1m)

       Audit System Administrator's Guide for the C2 Trusted DG/UX System









