dg_auditwrite(2) C2 Trusted DG/UX 5.4.2T dg_auditwrite(2)
NAME
dg_auditwrite - write a record to the audit trail.
SYNOPSIS
#include <sys/audit.h>
#include <sys/auditevents.h>
int dg_auditwrite(audrechandlet rechandle);
where:
rechandle   The address of the structure that describes the
            record to be written to the audit trail.
DESCRIPTION
The dg_auditwrite() system call is used to write non-kernel audit
records. The audit record is written to the current audit trail file
if auditing is on, the header record given by rechandle is valid,
and the effective audit mask of the target process, audpid, enables
the auditing of the event-class given in rechandle. Because this
function does not require privilege, no indication is given when a
record is discarded because auditing is off or the effective audit
mask blocks it. This prevents it from being used to determine if
auditing is on or which events are being audited.
The audit record is created from the header record and any optional
record section(s) in the user buffer defined by rechandle. Before
writing the record, dg_auditwrite adds a record tail and fills in some
fields of the headers as described below.
The record header contains the following fields which are filled in
as described:
Name        Description
hdr         A structure of type struct audhdrhdr, filled in by
            dg_auditwrite, containing the magic number
            AUDRECORDHEADERMAGIC and the length of the audit
            record.
audtv       The current time, filled in by dg_auditwrite.
audpid      The ID of the process that initiated the event being
            audited. When this field is 0, dg_auditwrite sets it
            to the ID of the calling process and sets the
            audauid field to the authentication ID of the user
            associated with the process. Appropriate privilege
            is required to pass this field with a nonzero value.
audauid     The authentication ID of the user associated with the
            process given by audpid. If audpid is 0, then this
            field is set to the authID of the calling process. If
            audpid is not 0, this field is assumed to have been
            set by the caller.
Licensed material--property of copyright holder(s) 1
audeventid  This field is set by the caller to the event number
            of the event being audited.
            Only user-level auditable events may be audited via
            this function. That is, auditable events generated
            by the operating system cannot be audited via this
            function. The event numbers reserved by the
            operating system are defined in <sys/auditevents.h>,
            from AUD_ET_KERNEL_BASE to AUD_ET_KERNEL_BASE +
            AUD_NUM_KERNEL_EVENTS inclusive.
audreason   Set by the caller to one of the audit reasons defined
            in <sys/audit.h>.
audclass    The audit class to which the event audeventid is
            mapped. An audit class represents a grouping of
            related auditable events and the audit reasons for
            auditing the class. This field is set by
            dg_auditwrite to the class to which audeventid is
            mapped. See the AUDSETCMDSETMAP option of
            auditctl(2).
auderror    This field is set by the caller to the error code
            generated by the event being audited.
Optionally, the header record is followed by an array of struct
audsectheader entries, which typically contain the arguments and
results needed to understand the event and its outcome. The
audsectheader contains the following fields:
Name        Description
divtype     The division type. This type associates the data in
            the section with one of the entities involved in the
            operation being audited. This field must be one of:
            AUDDIVSAME        This record contains data
                              associated with the previous
                              entity. The header record contains
                              data about the subject (the process
                              and its user) and so a header
                              record followed by this division
                              contains information about the
                              subject.
            AUDDIVOBJECT      The first record containing
                              information about an object
                              involved in the event.
            AUDDIVOPAQUE      The beginning of event-specific
                              data.
            AUDDIVTAIL        The last entry in the audit record.
secttype    Identifies the type of the data that follows this
            header. The number of data entries in this section
            is given by the size of each entry and the length
            of the section. Note that some of these sections are
            used by features that may not be configured on your
            system. Valid entries for this field are:
            AUDSECTOPAQUE     This section contains one or more
                              event-specific entries.
            AUDSECTPATHNAME   One or more null-terminated
                              pathnames follow.
            AUDSECTIDS        This section contains one or more
                              process credentials (IDS), e.g.,
                              uids, gids, supplementary groups,
                              etc.
            AUDSECTACL        This section contains one or more
                              ACLs (access control lists).
            AUDSECTGID        This section contains one or more
                              group IDs.
            AUDSECTUID        This section contains one or more
                              user IDs.
            AUDSECTSIGNAL     This section contains one or more
                              signal numbers.
            AUDSECTUSERNAME   This section contains one or more
                              strings representing user names.
            AUDSECTFDS        This section contains one or more
                              file descriptors.
            AUDSECTPID        This section contains one or more
                              process IDs.
            AUDSECTUFID       This section contains one or more
                              unique file IDs.
            AUDSECTMODE       This section contains one or more
                              access modes.
            AUDSECTDEV        This section contains one or more
                              device numbers.
            AUDSECTAUDITMASK  This section contains one or more
                              audit masks.
            AUDSECTERRNO      This section contains one or more
                              error numbers.
            AUDSECTSTRINGS    This section contains one or more
                              strings.
            AUDSECTINTS       This section contains one or more
                              integers.
            AUDSECTSHORTS     This section contains one or more
                              16-bit values.
            AUDSECTBYTES      This section contains one or more
                              8-bit values.
            AUDSECTTAIL       This is the header of the audit
                              tail record.
sectlen     The length of the section, including the header and
            any padding added to align the next section on a
            4-byte boundary. This entry must contain a value
            greater than or equal to sizeof(audsectheader).
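The sectlen rules above (header plus data, padded to a 4-byte boundary, never smaller than the section header) are what let a reader step from one section to the next. The following is an added example, not part of the original manual page and not DG/UX code, that builds sections and walks them with those checks. The struct layout and field widths, the ex_ names, and the numeric type codes are assumptions; the real definitions are in <sys/audit.h>.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed layout and widths; the real struct is declared in <sys/audit.h>. */
struct ex_sect_header {
    uint16_t divtype;   /* entity the data belongs to */
    uint16_t secttype;  /* type of the data that follows */
    uint32_t sectlen;   /* header + data + padding, in bytes */
};

/* sectlen for n data bytes: header plus data, rounded up to 4 bytes. */
static size_t ex_sectlen(size_t n)
{
    return (sizeof(struct ex_sect_header) + n + 3u) & ~(size_t)3u;
}

/* Append one section at off; returns the new offset, or 0 if it does not fit. */
static size_t ex_append(unsigned char *buf, size_t off, size_t cap, uint16_t div,
                        uint16_t type, const void *data, size_t n)
{
    size_t need = ex_sectlen(n);
    struct ex_sect_header h = { div, type, (uint32_t)need };
    if (off > cap || n > cap - off || need > cap - off || need > UINT32_MAX)
        return 0;
    memset(buf + off, 0, need);              /* zero the padding bytes */
    memcpy(buf + off, &h, sizeof h);
    memcpy(buf + off + sizeof h, data, n);
    return off + need;
}

/* Walk the sections in buf[0..len); returns their count, or -1 if malformed. */
static int ex_walk(const unsigned char *buf, size_t len)
{
    struct ex_sect_header h;
    size_t off = 0;
    int count = 0;
    for (; off < len; off += h.sectlen, count++) {
        if (len - off < sizeof h) return -1; /* truncated header */
        memcpy(&h, buf + off, sizeof h);     /* copy out: no unaligned reads */
        if (h.sectlen < sizeof h || h.sectlen % 4 || h.sectlen > len - off)
            return -1;                       /* would not advance, misaligned, overrun */
    }
    return count;
}

int main(void)
{
    unsigned char rec[64];   /* constructed sample; type codes 1, 2 are placeholders */
    return ex_walk(rec, ex_append(rec, 0, sizeof rec, 1, 2, "/tmp/report", 12)) != 1;
}
```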
ACCESS CONTROL
The caller must have appropriate privilege.
RETURN VALUE
Upon successful completion, dgauditwrite() returns a value of 0.
Otherwise, it returns the value -1, and sets errno to indicate an
error.
DIAGNOSTICS
Errno may be set to one of the following error codes:
EFAULT      The memory buffer specified by rechandle is not
            accessible by the caller.
EINVAL      Invalid event number: the given number is not in the
            audit-event-to-audit-class map for user-level
            events.
ENOMEM      The operating system could not allocate the memory
            needed to complete this request.
SEE ALSO
dgauditctl(2), dgsetsmask(2), sysconf(2), audclassmap(1m),
audadmin(1m)
Audit System Administrator's Guide for the C2 Trusted DG/UX System