auditbuf(2) auditbuf(2)
NAME
auditbuf - get or set the audit buffer attributes
SYNOPSIS
#include <sys/types.h>
#include <audit.h>
int auditbuf(int cmd, struct abuf *bufp, int size);
DESCRIPTION
The auditbuf system call is used to get or set the
high_water_mark (vhigh) and size (bsize) of the audit
buffer(s). The high_water_mark limits the amount of memory
that can be held within the audit buffer.
The default high_water_mark is equal to the size of an audit
buffer (ADT_BSIZE). The valid range of values for vhigh is
greater than or equal to zero and less than or equal to
ADT_BSIZE. If vhigh is equal to zero, the audit buffer
mechanism is bypassed and all records are written directly to
the audit log file. The size of the audit buffer (ADT_BSIZE)
is a tunable parameter found in /etc/conf/mtune.d/audit and
cannot be modified by the auditbuf system call.
Two values for cmd are supported: ABUFGET and ABUFSET. When
the specified cmd is ABUFGET, the value of the high_water_mark
is returned in vhigh, and the size of the audit buffer is
returned in bsize.
When the specified cmd is ABUFSET, the value of the
high_water_mark is changed to vhigh, and the bsize of the
audit buffer is ignored.
The bufp argument points to a structure of type abuf that
contains the following elements:
struct abuf {
        int vhigh;      /* audit buffer high_water_mark */
        int bsize;      /* audit buffer size */
};
The size argument is used to verify the size of the abuf
structure being passed to determine the version of auditing.
Auditing must be installed on the system before this system
call can be used. Use of the auditbuf system call requires
the appropriate privilege (P_AUDIT).
Copyright 1994 Novell, Inc. Page 1
Return Values
On success, auditbuf returns 0. On failure, auditbuf returns
-1 and sets errno to identify the error.
Errors
In the following conditions, auditbuf fails and sets errno to:
EFAULT    The cmd is ABUFGET and bufp is invalid.
EFAULT    The cmd is ABUFSET and bufp is invalid.
EINVAL    The size of abuf is not equal to size.
EINVAL    The cmd is ABUFSET and the value of vhigh is less
          than zero or greater than ADT_BSIZE.
EINVAL    The cmd is invalid.
EPERM     The process does not have the appropriate privilege
          (P_AUDIT).
ENOPKG    The audit package is not installed.
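Example (added here; not part of the original manual page): read the
current attributes with ABUFGET, reject a vhigh outside 0..bsize before
issuing ABUFSET, then read the value back to confirm it. When
HAVE_AUDIT_H is not defined, the block compiles against a constructed
stand-in for auditbuf whose command values and ADT_BSIZE are assumed;
set_high_water_mark and HAVE_AUDIT_H are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>

#ifdef HAVE_AUDIT_H                 /* real system: the documented interface */
#include <sys/types.h>
#include <audit.h>
#else                               /* constructed stand-in, values assumed */
#define ABUFGET   1
#define ABUFSET   2
#define ADT_BSIZE 20480
struct abuf { int vhigh; int bsize; };
static int cur_vhigh = ADT_BSIZE;   /* documented default: vhigh == ADT_BSIZE */
static int auditbuf(int cmd, struct abuf *bufp, int size)
{
    if (bufp == NULL) { errno = EFAULT; return -1; }
    if (size != (int)sizeof(struct abuf)) { errno = EINVAL; return -1; }
    if (cmd == ABUFGET) { bufp->vhigh = cur_vhigh; bufp->bsize = ADT_BSIZE; return 0; }
    if (cmd != ABUFSET) { errno = EINVAL; return -1; }
    if (bufp->vhigh < 0 || bufp->vhigh > ADT_BSIZE) { errno = EINVAL; return -1; }
    cur_vhigh = bufp->vhigh;
    return 0;
}
#endif

/* Set vhigh after range-checking it against bsize; returns the vhigh in effect, or -1. */
int set_high_water_mark(int want)
{
    struct abuf ab;

    if (auditbuf(ABUFGET, &ab, sizeof ab) == -1)
        return -1;                  /* errno set by auditbuf, e.g. EPERM */
    if (want < 0 || want > ab.bsize) {
        errno = EINVAL;             /* same rule the call enforces for ABUFSET */
        return -1;
    }
    ab.vhigh = want;                /* bsize is ignored by ABUFSET */
    if (auditbuf(ABUFSET, &ab, sizeof ab) == -1)
        return -1;
    if (auditbuf(ABUFGET, &ab, sizeof ab) == -1)
        return -1;
    return ab.vhigh;                /* value read back after the change */
}

int main(void)
{
    int v = set_high_water_mark(4096);
    if (v == -1) perror("auditbuf"); else printf("vhigh is now %d\n", v);
    return v == -1;
}
```

A result of 0 is a valid setting, not an error: it means the buffer is
bypassed and records go directly to the audit log file.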
REFERENCES
auditctl(2), auditdmp(2), auditevt(2), auditlog(2)