Manualshelf

HP-UX Reference (11i v1 00/12) - 2 System Calls (vol 5)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals
41424344454647484950
__________________________________________________________________________________________________________________________________________________________________________________________________
__________________________________________________________________________________________________________________________________________________________________________________________________
STANDARD Printed by: Nora Chuang [nchuang] STANDARD
/build/1111/BRICK/man2/!!!intro.2
________________________________________________________________
___ ___
a
audwrite(2) audwrite(2)
NAME
audwrite - write an audit record for a self-auditing process
SYNOPSIS
#include <sys/audit.h>
int audwrite(const struct self_audit_rec *audrec_p);
DESCRIPTION
audwrite() is called by trusted self-auditing processes, which are capable of turning off the regular
auditing (using audswitch(2)) and doing higher-level auditing on their own. audwrite() is restricted to
superusers.
audwrite() checks to see if the auditing system is on and the calling process and the event specified are
being audited. If these conditions are met, audwrite() writes the audit record pointed to by audrec_p
into the audit file. The record consists of an audit record body and a header with the following fields:
u_long ah_time; / Date/time (tv_sec of timeval) /
u_short ah_pid; / Process ID /
u_short ah_error; / Success/failure /
u_short ah_event; / Event being audited /
u_short ah_len; / Length of variant part /
The header has the same format as the regular audit record, while the body contains additional information
about the high-level audit event. The header fields ah_error, ah_event, and ah_len are specified
by the calling process.
audwrite() fills in ah_time and ah_pid fields with the correct values. this
is done to reduce the risk of forgery. After the header is completed, the record body is attached and the
entire record is written into the current audit file.
RETURN VALUE
If the write is successful, a value of 0 is returned. Otherwise, a value of -1 is returned and
errno is set
to indicate the reason for the failure.
ERRORS
audwrite() fails if one of the following is true:
[EPERM] The caller is not a superuser.
[EINVAL] The event number in the audit record is invalid.
WARNINGS
If audwrite causes a file space overflow, the calling process might be suspended until the file space is
cleaned up. However a returned call with the return value of 0 indicates that the audit record has been
successfully written.
AUTHOR
audwrite() was developed by HP.
SEE ALSO
audswitch(2), audit(4).
HP-UX Release 11i: December 2000 1 Section 225
___
___