Manualshelf

HP-UX Reference (11i v2 07/12) - 2 System Calls (vol 5)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals
51525354555657585960
a
audwrite(2) audwrite(2)
NAME
audwrite() - write an audit record for a self-auditing process
SYNOPSIS
#include <sys/audit.h>
int audwrite(const struct self_audit_rec *audrec_p);
DESCRIPTION
audwrite() is called by trusted self-auditing processes, which are capable of turning off the regular
auditing (using the audswitch() system call, see audswitch(2),) and doing higher-level auditing on their
own.
audwrite() is restricted to users with the
SELFAUDIT privilege.
audwrite() checks to see if the auditing system is on and the calling process and the event specified are
being audited. If these conditions are met, audwrite()
writes the audit record pointed to by audrec_p
into the audit file. The record consists of an audit record body and a header with the following fields:
u_long ah_time; /*; Date/time (tv_sec of timeval) */
pid_t ah_pid; /*; Process ID */
u_short ah_error; /*; Success/failure */
u_short ah_event; /*; Event being audited */
u_short ah_len; /*; Length of variant part */
The header has the same format as the regular audit record, while the body contains additional information
about the high-level audit event. The header fields ah_error, ah_event, and ah_len are specified by
the calling process.
audwrite() fills in ah_time and ah_pid fields with the correct values. this is
done to reduce the risk of forgery. After the header is completed, the record body is attached and the
entire record is written into the current audit file.
Security Restrictions
Some or all of the actions associated with this system call require the SELFAUDIT privilege. Processes
owned by the superuser have this privilege. Processes owned by other users may have this privilege,
depending on system configuration. See privileges(5) for more information about privileged access on sys-
tems that support fine-grained privileges.
RETURN VALUE
If the write is successful, a value of
0 is returned. Otherwise, a value of -1
is returned and errno is set
to indicate the reason for the failure.
ERRORS
audwrite() fails if one of the following is true:
[EPERM] The caller does not possess the SELFAUDIT privilege.
[EINVAL] The event number in the audit record is invalid.
WARNINGS
If audwrite() causes a file space overflow, the calling process might be suspended until the file space is
cleaned up. However, a returned call with the return value of 0 indicates that the audit record has been
successfully written.
AUTHOR
audwrite() was developed by HP.
SEE ALSO
audswitch(2), audit(4), privileges(5).
HP-UX 11i Version 2: December 2007 Update 1 Hewlett-Packard Company 55