audwrite.2 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

audwrite(2) audwrite(2)

NAME

audwrite() - write an audit record for a self-auditing process

SYNOPSIS

#include <sys/audit.h>

int audwrite(const struct self_audit_rec *audrec_p);

DESCRIPTION

audwrite() is called by self-auditing processes, which are capable of turning off the regular auditing

using the audswitch() system call (see audswitch (2)) and doing higher-level auditing on their own.

audwrite() is restricted to users with the

SELFAUDIT privilege.

audwrite() checks to see if the auditing system is on and the calling process and the event speciﬁed

are being audited. If these conditions are met,

audwrite() writes the audit record pointed to by

audrec_p into the audit trail. The record consists of an audit record body and a header with the following

ﬁelds:

u_long ah_time; /* Date/time (tv_sec of timeval) */

pid_t ah_pid; /* Process ID */

u_short ah_error; /* Success/failure */

u_short ah_event; /* Event being audited */

u_short ah_len; /* Length of variant part */

The body contains additional information about the high-level audit event. The header ﬁelds

ah_error,

ah_event, and ah_len are speciﬁed by the calling process. audwrite() ﬁlls in

ah_time and

ah_pid ﬁelds with the correct values. this is done to reduce the risk of forgery. Beginning with 11i ver-

sion 3 release, audwrite() converts the record into a different format before writing it into the current

audit trail.

Security Restrictions

Some or all of the actions associated with this system call require the

SELFAUDIT privilege. Processes

owned by the superuser have this privilege. Processes owned by other users may have this privilege,

depending on system conﬁguration. See privileges (5) for more information about privileged access on sys-

tems that support ﬁne-grained privileges.

RETURN VALUE

If the write is successful, a value of

0 is returned. Otherwise, a value of -1

is returned and errno is set

to indicate the reason for the failure.

ERRORS

audwrite() fails if one of the following is true:

[EPERM] The caller does not possess the

SELFAUDIT privilege.

[EINVAL] The event number in the audit record is invalid.

WARNINGS

audwrite() causes a ﬁle space overﬂow, the calling process might be suspended until the ﬁle space is

cleaned up. However, a returned call with the return value of 0 indicates that the audit record has been

successfully written.

AUTHOR

audwrite() was developed by HP.

Summary of content (2 pages)

PAGE 1
audwrite(2) audwrite(2) NAME audwrite() - write an audit record for a self-auditing process SYNOPSIS #include int audwrite(const struct self_audit_rec *audrec_p); DESCRIPTION audwrite() is called by self-auditing processes, which are capable of turning off the regular auditing using the audswitch() system call (see audswitch (2)) and doing higher-level auditing on their own. audwrite() is restricted to users with the SELFAUDIT privilege.
PAGE 2
(Notes) A (Notes) aA 2 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010