NAME
audwrite — write an audit record for a self-auditing process
SYNOPSIS
#include <sys/audit.h>
int audwrite(const struct self_audit_rec *audrec_p);
DESCRIPTION
audwrite()
is called by trusted self-auditing processes,
which are capable of turning off the regular auditing (using
audswitch(2))
and doing higher-level auditing on their own.
audwrite()
is restricted to superusers.
audwrite()
checks to see if the auditing system is on
and the calling process and the event specified are being audited.
If these conditions are met,
audwrite()
writes the audit record pointed to by
audrec_p
into the audit file.
The record consists of an audit record body
and a header with the following fields:
- u_long ah_time;
/* Date/time (tv_sec of timeval) */
- u_short ah_pid;
/* Process ID */
- u_short ah_error;
/* Success/failure */
- u_short ah_event;
/* Event being audited */
- u_short ah_len;
/* Length of variant part */
The header has the same format as the regular audit record,
while the body contains additional information
about the high-level audit event.
The header fields
ah_error,
ah_event,
and
ah_len
are specified by the calling process.
audwrite()
fills in
ah_time
and
ah_pid
fields with the correct values.
this is done to reduce the risk of forgery.
After the header is completed, the record body is attached
and the entire record is written into the current audit file.
RETURN VALUE
If the write is successful, a value of
0
is returned.
Otherwise, a value of
-1
is returned and
errno
is set to indicate the reason for the failure.
ERRORS
audwrite()
fails if one of the following is true:
- [EPERM]
The caller is not a superuser.
- [EINVAL]
The event number in the audit record is invalid.
WARNINGS
If
audwrite
causes a file space overflow,
the calling process might be suspended until the file space is cleaned up.
However a returned call with the return value of 0
indicates that the audit record has been successfully written.
AUTHOR
audwrite()
was developed by HP.