auditctl(2) auditctl(2)
NAME
auditctl - get or set the status of auditing
SYNOPSIS
#include <sys/types.h>
#include <audit.h>
int auditctl(int cmd, struct actl *actlp, int size);
DESCRIPTION
The auditctl system call fills the appropriate audit control
structures or reports the status of auditing, depending on the
value of cmd. Three values of cmd are supported: AUDITON,
AUDITOFF, and ASTATUS.
When the specified cmd is AUDITON, the auditctl system call
performs the following actions:
    It copies in the offset in seconds from Greenwich Mean Time (GMT).
    It initializes the vnode for the primary audit log file.
    It initializes the audit buffer and log control structures.
    It exempts system resident processes and /sbin/init from auditing.
    It writes a machine-specific header record.
    It sets the auditon flag to 1.
When the specified cmd is AUDITOFF, the auditctl system call
sets the auditon field to zero; frees all process audit
structures; and locks, flushes, and releases the audit
buffers.
When the specified cmd is ASTATUS, the auditctl system call
returns the current status of auditing. A zero value for
auditon in the actl structure indicates that auditing is
disabled, and a value of one indicates that auditing is
enabled.
The actlp argument points to a structure of type actl that
contains the following elements:
Copyright 1994 Novell, Inc. Page 1
struct actl {
    int  auditon;              /* audit status variable */
    char version[ADT_VERLEN];  /* audit version */
    long gmtsecoff;            /* UTC offset in seconds */
};
The size argument is used to verify the size of the actl
structure being passed, in order to determine the version of
auditing.
Auditing must be installed on the system for this system call
to be used. The use of the auditctl system call requires the
appropriate privilege (P_AUDIT).
Return Values
On success, auditctl returns 0. On failure, auditctl returns
-1 and sets errno to identify the error.
Errors
In the following conditions, auditctl fails and sets errno to:
EEXIST  All the possible log files exist when attempting to enable auditing.
EFAULT  The cmd is AUDITON and the actlp argument is invalid.
EFAULT  The cmd is ASTATUS and the actlp argument is invalid.
EINVAL  The size of actl is not equal to size.
EINVAL  An attempt was made to disable auditing while it was already disabled.
EINVAL  An attempt was made to enable auditing while it was already enabled.
EINVAL  The cmd is invalid.
EINVAL  The cmd is AUDITON and it is not possible to initialize the audit buffers.
EINVAL  The cmd is AUDITOFF and it is not possible to lock the audit buffers, because auditing is already disabled.
ENOENT  It is not possible to access the primary event log path.
EPERM   The invoking subject does not have the appropriate privilege (P_AUDIT).
EROFS   The primary audit log file resides within a file system that is mounted read-only.
EIO     An I/O error occurred while performing a write to the audit log file.
ENOPKG  The audit package is not installed.
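The following is an added example, not part of the original manual page or any vendor code: a C helper that queries audit status with ASTATUS and maps the errno values listed above to a result, as a monitoring check would do to confirm auditing is still enabled. The enum, the function and stub names, the HAVE_AUDIT_H macro, and the stand-in values for ADT_VERLEN and ASTATUS are assumptions; on a system with auditing installed the real definitions come from <audit.h>.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#ifdef HAVE_AUDIT_H
#include <audit.h>   /* real struct actl, ASTATUS, ADT_VERLEN */
#else                /* constructed stand-ins; numeric values are assumptions */
#define ADT_VERLEN 8
#define ASTATUS 3
struct actl { int auditon; char version[ADT_VERLEN]; long gmtsecoff; };
#endif

/* Hypothetical result codes for a monitoring check. */
enum audit_state { AUDIT_ENABLED, AUDIT_DISABLED, AUDIT_NOT_INSTALLED,
                   AUDIT_NO_PRIVILEGE, AUDIT_BAD_REQUEST, AUDIT_ERROR };

typedef int (*auditctl_fn)(int cmd, struct actl *actlp, int size);

/* Query auditing with ASTATUS and classify the outcome. `call` is
 * auditctl on a real system, or one of the stubs below in a test. */
enum audit_state check_audit(auditctl_fn call, struct actl *out)
{
    struct actl st;
    memset(&st, 0, sizeof st);
    if (call(ASTATUS, &st, (int)sizeof st) == -1) {
        switch (errno) {
        case ENOPKG: return AUDIT_NOT_INSTALLED; /* audit package absent */
        case EPERM:  return AUDIT_NO_PRIVILEGE;  /* caller lacks P_AUDIT */
        case EINVAL: return AUDIT_BAD_REQUEST;   /* size or cmd rejected */
        default:     return AUDIT_ERROR;         /* e.g. EFAULT */
        }
    }
    if (out)
        *out = st;
    /* Only 1 means enabled; treat anything else as not auditing. */
    return st.auditon == 1 ? AUDIT_ENABLED : AUDIT_DISABLED;
}

/* Constructed stubs that imitate the documented behaviour. */
static int stub_status(int on, int cmd, struct actl *a, int size)
{
    if (size != (int)sizeof *a || cmd != ASTATUS) { errno = EINVAL; return -1; }
    a->auditon = on;
    return 0;
}
int stub_enabled(int c, struct actl *a, int s)  { return stub_status(1, c, a, s); }
int stub_disabled(int c, struct actl *a, int s) { return stub_status(0, c, a, s); }
int stub_no_pkg(int c, struct actl *a, int s)   { (void)c; (void)a; (void)s; errno = ENOPKG; return -1; }
int stub_no_priv(int c, struct actl *a, int s)  { (void)c; (void)a; (void)s; errno = EPERM; return -1; }
```

On a system that provides auditctl, build with -DHAVE_AUDIT_H and pass auditctl itself as the first argument.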
REFERENCES
auditbuf(2), auditdmp(2), auditevt(2), auditlog(2)