auditproc
Purpose
Gets and sets the audit state of a process.
Syntax
#include <sys/audit.h>
int auditproc (cmd)
int cmd;
Description
The auditproc system call is used to query and set the
auditing state of this process. Possible
values of the cmd parameter are:
A_SUSPEND        Disables auditing of the current process. While
                 auditing is disabled, a process can call the
                 auditlog system call to write audit records to
                 the audit trail file. (See "auditlog.")
A_RESUME         Enables auditing of the current process.
A_QUERY_SUSPEND  Returns the current setting of the process audit
                 flag: SUSPEND for disabled and RESUME for enabled.
A_SPECIAL        Specifies the current audit class as special. Only
                 those events listed in the special stanza of the
                 a_state file are written to the audit trail file.
A_GENERAL        Specifies the current audit class as general. Only
                 those events listed in the general stanza of the
                 a_state file are written to the audit trail file.
                 An audit class of A_GENERAL is the default if no
                 value is specified.
A_QUERY_SPECIAL  Returns the current setting of the audit class
                 flag: GENERAL for general user auditing and
                 SPECIAL for special user auditing. Users and
                 groups are assigned to audit classes in the
                 s_group and s_user files.
With careful use, the auditproc and auditlog system calls
can help limit the growth rate of the audit trail file
and still provide effective auditing. Sometimes it is
more appropriate to write one special audit trail record
with the auditlog system call for a section of code than
to use standard auditing for that section. To do this
within a process, the sequence of events is:
1. Suspend auditing for the process, using the A_SUSPEND
flag of the auditproc system call.
2. Write one or more audit trail records with the
auditlog system call.
3. Resume auditing with the A_RESUME cmd of the
auditproc system call.
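The three-step sequence above, as an added C sketch that is not part of the original manual: it restores the audit state found on entry even when the record write fails, so an error path never leaves the process unaudited. The auditlog call is wrapped in a caller-supplied callback because its argument list is not given on this page; the numeric constant values, with_audit_suspended, fake_auditproc and the writer_* helpers are constructed for illustration.

```c
#include <errno.h>

/* On the target system <sys/audit.h> supplies these names; the numeric
 * values here are constructed stand-ins so the sketch builds anywhere. */
enum { A_SUSPEND = 1, A_RESUME, A_QUERY_SUSPEND };
enum { RESUME = 0, SUSPEND = 1 };

typedef int (*auditproc_fn)(int cmd);   /* same shape as auditproc(cmd) */
typedef int (*record_fn)(void *ctx);    /* hypothetical wrapper around auditlog */

/* Run write_records with standard auditing suspended, then restore the
 * state found on entry. Returns 0, or -1 with errno set. */
int with_audit_suspended(auditproc_fn ap, record_fn write_records, void *ctx)
{
    int prior = ap(A_QUERY_SUSPEND);    /* remember the state on entry */
    if (prior == -1)
        return -1;                      /* e.g. EPERM: not superuser */
    if (prior != SUSPEND && ap(A_SUSPEND) == -1)
        return -1;

    int rc = write_records(ctx);        /* step 2: the auditlog call(s) */
    int saved = errno;                  /* keep the writer's error code */

    /* Step 3 also runs when the writer failed, so an error path never
     * leaves the process unaudited. A caller that entered with auditing
     * already suspended keeps ownership of that state. */
    if (prior != SUSPEND && ap(A_RESUME) == -1)
        return -1;                      /* still suspended: report that */
    errno = saved;
    return rc == 0 ? 0 : -1;
}

/* Constructed in-memory stand-in for the kernel flag, used to exercise
 * the wrapper off the target system. */
static int fake_flag = RESUME;
int fake_auditproc(int cmd)
{
    switch (cmd) {
    case A_SUSPEND:       fake_flag = SUSPEND; return 0;
    case A_RESUME:        fake_flag = RESUME;  return 0;
    case A_QUERY_SUSPEND: return fake_flag;
    default:              errno = EINVAL;      return -1;
    }
}
/* Constructed writers: record the flag they ran under, then succeed or fail. */
int writer_ok(void *ctx)   { *(int *)ctx = fake_flag; return 0; }
int writer_fail(void *ctx) { *(int *)ctx = fake_flag; errno = EIO; return -1; }
```

On the real system, pass auditproc itself as the first argument and a callback that issues the auditlog call as the second.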
Two classes of users are recognized by the auditing
system, general and special. Each class of users is
associated with a different set of events to be audited
in the a_state file. (See "a_state.") The audit class
of a process is inherited across fork and exec system
calls. The A_SPECIAL and A_GENERAL commands of the auditproc
system call are intended to be invoked at login time.
The special/general audit class should not be changed
during a login session, but auditproc does not prevent
this.
The effective user ID of the calling process must be
superuser to use the auditproc system call.
Return Value
For cmd values A_QUERY_SUSPEND and A_QUERY_SPECIAL, upon
successful completion, auditproc returns the current
value of the process audit flag or the audit class flag,
respectively. For all other values of cmd, auditproc
returns a value of 0 upon successful completion. If the
auditproc system call fails, a value of -1 is returned
and errno is set to indicate the error.
Diagnostics
The auditproc system call fails if one or more of the
following are true:
EINVAL  The cmd parameter is not one of the following values:
        A_SUSPEND, A_RESUME, A_QUERY_SUSPEND, A_SPECIAL,
        A_GENERAL, or A_QUERY_SPECIAL.
EPERM   The effective user ID of the calling process is not
        superuser.
Related Information
In this book: "audit," "auditlog," "auditsys,"
"a_state," "s_group," and "s_user."