⇒ auditproc(2) — AIX/RT 2.2.1

auditproc

Purpose

     Gets and sets the audit state of a process.

Syntax

     #include <sys/audit.h>

     int auditproc  (cmd)
     int cmd;

Description

     The auditproc  system call is  used to query and  set the
     auditing state  of this process.  audit  users.  Possible
     values of the cmd parameter are:

     A_SUSPEND         Disables   auditing   of  the   current
                       process.  While auditing is disabled, a
                       process  can call  the auditlog  system
                       call  to  write  audit records  to  the
                       audit trail file.  (See "auditlog.")

     A_RESUME          Enables   auditing   of   the   current
                       process.

     A_QUERY_SUSPEND   Returns  the  current  setting  of  the
                       process audit flag:  SUSPEND for disabled
                       and RESUME for enabled.

     A_SPECIAL         Specifies  the current  audit class  as
                       special.  Only  those events  listed in
                       the special stanza  of the a_state file
                       are written to the audit trail file.

     A_GENERAL         Specifies  the current  audit class  as
                       general.  Only  those events  listed in
                       the general stanza  of the a_state file
                       are  written to  the audit  trail file.
                       An  audit  class  of A_GENERAL  is  the
                       default if no value is specified.

     A_QUERY_SPECIAL   Returns  the  current  setting  of  the
                       audit class flag:   GENERAL for general
                       user auditing  and SPECIAL  for special
                       user  auditing.  Users  and groups  are
                       assigned  to   audit  classes   in  the
                       s_group and s_user files.

     With careful use, the auditproc and auditlog system calls
     can help  limit the growth  rate of the audit  trail file
     and still  provide effective  auditing.  Sometimes  it is
     more appropriate to write  one special audit trail record
     with the auditlog system call  for a section of code than
     to use  standard auditing for  that section.  To  do this
     within a process, the sequence of events is:

     1.  Suspend auditing for the process, using the A_SUSPEND
         flag of the auditproc system call.

     2.  Write  one  or  more  audit trail  records  with  the
         auditlog system call.

     3.  Resume  auditing   with  the  A_RESUME  cmd   of  the
         auditproc system call.
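
     An added example, not part of the original manual: the three
     steps above in C with the failure paths handled, so auditing
     returns to the state found on entry even if the record write
     fails (a generalization of step 3, which always resumes).  It
     runs against a small model of auditproc; the constant values,
     the model_* variables, and write_record (a stand-in for
     auditlog, whose signature is not shown on this page) are
     assumptions.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed values: the real ones are in <sys/audit.h> on AIX/RT. */
enum { A_SUSPEND = 1, A_RESUME, A_QUERY_SUSPEND };
enum { RESUME = 0, SUSPEND = 1 };

/* Portable model of the three cmd values used here, NOT the real call. */
int model_euid = 0, model_flag = RESUME;

int auditproc(int cmd)
{
    if (model_euid != 0) { errno = EPERM; return -1; }  /* superuser only */
    switch (cmd) {
    case A_SUSPEND:       model_flag = SUSPEND; return 0;
    case A_RESUME:        model_flag = RESUME;  return 0;
    case A_QUERY_SUSPEND: return model_flag;
    default:              errno = EINVAL; return -1;
    }
}

/* Hypothetical stand-in for auditlog: notes the audit flag it observed,
   then fails with EIO when *fail is nonzero. */
int seen_flag = -1;
int write_record(const int *fail)
{
    seen_flag = model_flag;
    if (*fail) { errno = EIO; return -1; }
    return 0;
}

/* Steps 1-3; the entry state is restored on every path after step 1. */
int audited_section(const int *fail)
{
    int prior = auditproc(A_QUERY_SUSPEND);
    if (prior == -1) return -1;                 /* e.g. EPERM */
    if (auditproc(A_SUSPEND) == -1) return -1;  /* step 1 */
    int rc = write_record(fail);                /* step 2 */
    int saved = errno;                          /* keep the write's errno */
    if (prior == RESUME && auditproc(A_RESUME) == -1) return -1; /* step 3 */
    errno = saved;
    return rc;
}

int main(void)
{
    int fail = 1, rc = audited_section(&fail);
    printf("rc=%d flag=%s\n", rc, model_flag == RESUME ? "RESUME" : "SUSPEND");
    return 0;
}
```

     A write failure that returned before step 3 would leave the
     process unaudited for the rest of its life, which is why the
     resume is not conditional on the write succeeding.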

     Two  classes  of users  are  recognized  by the  auditing
     system,  general and  special.   Each class  of users  is
     associated with a  different set of events  to be audited
     in the  a_state file.  (See "a_state.")   The audit class
     of a  process is  inherited across  fork and  exec system
     calls.  The special and general commands of the auditproc
     system call  are intended  to be  invoked at  login time.
     The  special/general audit  class should  not be  changed
     during a  login session,  but auditproc does  not prevent
     this.

     The  effective user  ID of  the calling  process must  be
     superuser to use the auditproc system call.

Return Value

     For cmd values  A_QUERY_SUSPEND and A_QUERY_SPECIAL, upon
     successful  completion,  auditproc  returns  the  current
     value of the process audit  flag or the audit class flag,
     respectively.   For all  other values  of cmd,  auditproc
     returns a value of 0  upon successful completion.  If the
     auditproc system  call fails, a  value of -1  is returned
     and errno is set to indicate the error.

Diagnostics

     The auditproc  system call  fails if one  or more  of the
     following are true:

     EINVAL     The cmd parameter is  not one of the following
                values:  A_SUSPEND, A_RESUME, A_QUERY_SUSPEND,
                A_SPECIAL, A_GENERAL, or A_QUERY_SPECIAL.

     EPERM      The effective  user ID of the  calling process
                is not superuser.

Related Information

     In   this  book:    "audit,"   "auditlog,"   "auditsys,"
     "a_state," "s_group," and "s_user."

Typewritten Software • bear@typewritten.org • Edmonds, WA 98026