auditlog(2) — UnixWare 2.01

       auditlog(2)                                              auditlog(2)


       NAME
             auditlog - get or set audit log file attributes

       SYNOPSIS
             #include <limits.h>
             #include <sys/types.h>
             #include <audit.h>
             int auditlog(int cmd, struct alog *alogp, int size);

       DESCRIPTION
             The auditlog system call is used to get or to set the audit
             log file attributes, depending on whether the cmd argument is
             ALOGGET or ALOGSET.  Use of the auditlog system call requires
             the appropriate privilege (P_AUDIT).  The alogp argument
             points to a structure of type alog that contains the following
             elements:

             struct alog {
               int   flags;              /* log file attributes */
               int   onfull;             /* action on log file full */
               int   onerr;              /* action on log file error */
               int   maxsize;            /* maximum log file size */
               int   seqnum;             /* log file sequence number 001-999 */
               char  mmp[ADT_DATESZ];    /* current month time stamp */
               char  ddp[ADT_DATESZ];    /* current day time stamp */
               char  pnodep[ADT_NODESZ]; /* optional primary log file node name */
               char  anodep[ADT_NODESZ]; /* optional alternate log file node name */
               char  *ppathp;            /* optional primary log file pathname */
               char  *apathp;            /* optional alternate log file pathname */
               char  *progp;             /* optional program to run during log file
                                            switch */
               char  *defpathp;          /* default primary log file pathname */
               char  *defnodep;          /* default primary log file node name */
               char  *defpgmp;           /* default program to run during log file
                                            switch */
               int   defonfull;          /* default action on log file full */
             };

             The following elements and corresponding values of the alog
             structure may be either modified or retrieved:

             flags                 /* log file attributes */
                 PPATH           /* primary log file pathname */
                 PNODE           /* primary log file nodename */
                 APATH           /* alternate log file pathname */


                           Copyright 1994 Novell, Inc.               Page 1

                ANODE           /* alternate log file nodename */
                PSIZE           /* maximum size for primary log file */
                PSPECIAL        /* character special primary log file */
                ASPECIAL        /* character special alternate log file */
            onfull                /* action taken on log file full */
                ASHUT           /* shutdown to Firmware Mode */
                ADISA           /* disable auditing */
                AALOG           /* switch to alternate log file */
                APROG            /* run log file switch program
                                    (only valid with AALOG) */
            onerr                 /* action taken on log file error */
                ASHUT            /* shutdown to Firmware Mode */
                ADISA            /* disable auditing */
            maxsize integer          /* Zero or >= audit buffer size */
            pnodep  character[s]       /* nodename that may be appended */
            anodep  character[s]       /* nodename that may be appended */
            ppathp  /full/pathname     /* directory or DSF <= ADT_MAXPATHLEN */
            apathp  /full/pathname     /* directory or DSF <= ADT_MAXPATHLEN */
            progp   /full/pathname     /* executable program <= PATH_MAX */

            The following elements and corresponding values of the alog
            structure may only be retrieved because they can only be set
            internally:

            seqnum  integer            /* log file number [001-999] */
            mmp     character[s]       /* current month time stamp [01-12] */
            ddp     character[s]       /* current day time stamp [01-31] */

            The following elements and corresponding values of the alog
            structure may only be set because the defaults are read from
            the /etc/default directory:

            defpathp /full/pathname    /* directory or DSF <= ADT_MAXPATHLEN */
            defnodep character[s]      /* nodename that may be appended */
            defpgmp  /full/pathname    /* executable program <= PATH_MAX */
            defonfull
                  ASHUT           /* shutdown to Firmware Mode */
                  ADISA           /* disable auditing */
                  AALOG           /* switch to alternate log file */
                  APROG           /* run log file switch program
                                     (valid with AALOG only) */

            When the specified value of cmd is ALOGGET, the current values
            of the flags, onfull, onerr, maxsize, mmp, ddp, seqnum,
            pnodep, anodep, ppathp, apathp, and progp elements are
            returned in the alog structure.  Note that the space required
             for the ppathp, apathp and progp elements must be allocated by
             the invoking process.  The values of the defpathp, defnodep,
             defpgmp and defonfull elements are ignored since they are only
             valid for the ALOGSET cmd.

             Note that the pnodep, anodep, ppathp, apathp and progp fields
             are not touched if the corresponding values are not set in the
             kernel.  You must check the values of the PNODE, ANODE, PPATH,
             and APATH bits in the flags field, and the APROG bit in the
             onfull field to see if the corresponding fields have been
             populated.  If a bit is not set, the corresponding field will
             be untouched.

             When the value of cmd is ALOGSET, the elements of the alog
             structure determine what actions are to be performed.

             The PPATH bit is used to set the pathname to the primary audit
             log file and is invalid while auditing is enabled.  An error
             is returned if the ppathp element cannot be copied into an
             internal storage area for further validation; if the ppathp
             element does not point to a valid directory or character
             special device; or if the ppathp element exceeds
             ADT_MAXPATHLEN (1009) characters.

             Setting ppathp to a character special device cannot be used
             with the PNODE or PSIZE flags bits, or maxsize element.  If
             the ppathp element points to a character special device, the
             PSPECIAL flags bit is set, and any log file restrictions are
             cleared.  This is done by turning off the internal PSIZE flags
             bit and setting the maxsize element to ZERO.  A ZERO setting
             indicates that the log file is limited by the available file
             system space or device.  If the PNODE flags bit was previously
             set, it must be turned off because node names for character
             special devices are invalid.  Turning off the PNODE bit
             involves turning off, freeing, and clearing the pnodep element
             of its internal data storage.

             The PSIZE flags bit is used to set the maximum size of the
             primary audit log file.  If the ppathp element points to a
             valid directory, then the PNODE and PSIZE flags are also
             valid.  The maxsize element must be either ZERO or greater
             than or equal to the size of an audit buffer (ADT_BSIZE).  If
             maxsize is ZERO, then the PSIZE flags bit is turned off
             internally to indicate that the log file is limited by the
             available file system space or device.

            The PNODE flags bit is used to append a machine specific node
            name to the primary audit log file and is invalid while
            auditing is enabled.  If the PNODE flags bit is set, the
            internal storage is updated and no validation of the pnodep
            pointer is done.

            The onfull element is used to set the action to be taken on
            audit log file full.  If the onfull element is not equal to
            ASHUT, ADISA, AALOG or the combination of AALOG and APROG, an
            error is returned.  If the ASHUT or ADISA values are
            specified, then any alternate log file criteria are cleared.
            This is done by turning off the AALOG, APROG and ANODE flags
            and freeing the internal storage associated with the
            corresponding fields.

            The onerr element is used to set the action to be taken when
            an audit error occurs.  If the onerr element is not equal to
            ASHUT or ADISA, an error is returned.

            The AALOG value of the onfull element is used to indicate that
            an alternate log file should be used when the primary log file
            becomes full.  The APROG value is used to indicate that an
            executable program will be executed on audit log file switch.
            If the AALOG onfull value and the APATH flags bit are set, an
            error is returned if the apathp element cannot be copied into
            an internal storage area for further validation; if the apathp
            element does not point to a valid directory or character
            special device; or if the apathp element exceeds
            ADT_MAXPATHLEN (1009) characters.

            Setting apathp to a character special device cannot be used
            with the ANODE flags bit.  If the apathp element points to a
            character special device, the ASPECIAL flags bit is set.  If
            the ANODE flags bit was previously set, it must be turned off
            because node names for character special devices are invalid.
            Turning off the ANODE bit involves turning off, freeing, and
            clearing the anodep element of its internal data storage.

            After the AALOG onfull validation completes, the onfull
            element is checked for APROG.  If it is set, an error is
            returned if the progp element cannot be read into an internal
            storage area or if it is longer than PATH_MAX (1024).

             If the defpathp element is not NULL, an error is returned if
             it cannot be copied into an internal storage area for further
             validation; if the defpathp element does not point to a valid
             directory or character special device; or if the defpathp
             element exceeds ADT_MAXPATHLEN (1009) characters.

             If the defnodep element is not NULL, the internal storage area
             is updated and no validation of the defnodep pointer is done.

             If the defpgmp element is not NULL and the AALOG onfull bit is
             set, an error is returned if the defpgmp element cannot be
             read into an internal storage area or if it is longer than
             PATH_MAX (1024).

             If the defonfull element is invalid, it defaults to ADISA.

             The size argument is used to verify the size of the alog
             structure being passed to determine the version of auditing.

          Return Values
             On success, auditlog returns 0.  On failure, auditlog returns
             -1 and sets errno to identify the error.

          Errors
             In the following conditions, auditlog fails and sets errno to:

             EACCES    The cmd is ALOGSET, and ppathp, apathp, or progp
                       cannot be accessed.

             EAGAIN    It is not possible to allocate memory for the alogp.

             EAGAIN    The cmd is ALOGSET, and it is not possible to
                       allocate memory for various elements used to fill in
                       the alog structure.

             EFAULT    The value of alogp, ppathp, apathp, progp, defpgmp,
                       defnodep, or defpathp is invalid.

             EINVAL    The size of alog does not equal size.

             EINVAL    The value of cmd is invalid.

             EINVAL    The cmd is ALOGSET, and the value of onfull is not
                       one of ASHUT, AALOG, ADISA or AALOG|APROG.

            EINVAL    The cmd is ALOGSET, and the value of onerr is not
                      either ASHUT or ADISA.

            EINVAL    The cmd is ALOGSET and the value of maxsize is not
                      equal to zero and less than the size of the audit
                      buffer (ADT_BSIZE).

            EINVAL    The cmd is ALOGSET, and the flags field contains
                      PPATH or PNODE when auditing is enabled.

            ENOENT    The cmd is ALOGSET and the pathname to the primary
                      log file, alternate log file, or program to be run
                      during a log switch does not exist.

            ENAMETOOLONG
                      The cmd is ALOGSET, and the ppathp, apathp, or
                      defpathp fields are longer than ADT_MAXPATHLEN.

            ENOTBLK   The cmd is ALOGSET, the flags field contains PSIZE,
                      and the maxsize value is not zero.

            EPERM     The invoking subject does not have the appropriate
                      privilege (P_AUDIT).

            ENOPKG    The audit package is not installed.
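
Added example, not part of the original manual page: a user-space pre-flight check that mirrors the ALOGSET validation rules and errno values described above, so a configuration tool can reject a bad request before calling auditlog. The numeric flag values, ADT_BSIZE, the alog_req subset struct, the alog_preflight name and the sample path are assumptions; on UnixWare the real definitions come from <audit.h>.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Placeholder values: the real ones come from <audit.h> on UnixWare. */
#define PPATH 0x01
#define PNODE 0x02
#define APATH 0x04
#define ASHUT 0x01
#define ADISA 0x02
#define AALOG 0x04
#define APROG 0x08
#define ADT_BSIZE 20480        /* placeholder audit buffer size */
#define ADT_MAXPATHLEN 1009    /* limit quoted in the page */

struct alog_req {              /* subset of struct alog used by the checks */
    int flags, onfull, onerr, maxsize;
    const char *ppathp, *apathp;
};

/* Returns 0 if the request passes the documented checks, otherwise the errno
 * the page lists for that condition. auditing_on: nonzero if auditing runs. */
int alog_preflight(const struct alog_req *r, int auditing_on)
{
    int f = r->onfull;
    if (f != ASHUT && f != ADISA && f != AALOG && f != (AALOG | APROG))
        return EINVAL;                 /* APROG is only valid with AALOG */
    if (r->onerr != ASHUT && r->onerr != ADISA)
        return EINVAL;
    if (r->maxsize != 0 && r->maxsize < ADT_BSIZE)
        return EINVAL;                 /* zero, or at least one audit buffer */
    if (auditing_on && (r->flags & (PPATH | PNODE)))
        return EINVAL;                 /* primary path/node fixed while enabled */
    if ((r->flags & PPATH) && (!r->ppathp || strlen(r->ppathp) > ADT_MAXPATHLEN))
        return r->ppathp ? ENAMETOOLONG : EFAULT;
    if ((f & AALOG) && (r->flags & APATH) &&
        (!r->apathp || strlen(r->apathp) > ADT_MAXPATHLEN))
        return r->apathp ? ENAMETOOLONG : EFAULT;
    return 0;
}

int main(void)
{
    /* Constructed sample request; "/var/audit" is an illustrative path. */
    struct alog_req r = { PPATH, AALOG | APROG, ADISA, 0, "/var/audit", NULL };
    printf("auditing off: %d\n", alog_preflight(&r, 0));
    printf("auditing on:  %d (EINVAL=%d)\n", alog_preflight(&r, 1), EINVAL);
    return 0;
}
```

The check covers only the conditions the page spells out; directory, device and permission checks (EACCES, ENOENT, ENOTBLK) still happen in the kernel.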

      REFERENCES
            auditbuf(2), auditctl(2), auditdmp(2), auditevt(2)