auditdmp(2)


auditdmp -- write audit record to audit buffer

Synopsis

   #include <sys/types.h> 
   #include <audit.h> 
   

int auditdmp(struct arec *arecp, int size);

Description

The auditdmp system call is used to write an audit record to the audit buffer. Trusted user-level commands with the appropriate privilege(P_AUDIT) append user-level event records to the audit buffer. Privileged applications append only records of type misc to the audit buffer if they have the appropriate privilege(P_AUDITWR).

The arecp argument points to a structure of type arec that contains the following elements:

   typedef struct arec { 
   	int rtype;       /* audit record event type    */ 
   	int rstatus;     /* audit record event status  */ 
   	int rsize;       /* audit records size of argp */ 
   	char *argp;      /* audit record data          */ 
   } arec_t 

The rtype element of the arec structure specifies the event type of the audit record. If the rtype argument is valid (one of the user-level events, [see audit(5)]) and if its corresponding bit is set in the process emask [see auditevt(2)] for the invoking process, the system generates an audit record. The rstatus element of the arec structure is the status of the user-level event, zero for success, non-zero for failure. The rsize element of the arec structure specifies the size of memory required to record the data to be written. The argp element of the arec structure is a character pointer to the audit data.

The size argument is used to verify the size of the arec structure being passed to determine the version of auditing.

Return values

On success, auditdmp returns 0. On failure, auditdmp returns -1 and sets errno to identify the error.

Errors

In the following conditions, auditdmp fails and sets errno to:

EAGAIN
It is not possible to allocate memory for the size of rsize.

EAGAIN
It is not possible to allocate memory for the arecp.

EFAULT
The arecp is invalid.

EFAULT
The argp is invalid.

EFAULT
The rtype is ADT_BAD_AUTH, ADT_BAD_LVL, ADT_DEF_LVL, or ADT_LOGIN and an invalid bamsg[] or tty[] is passed.

EFAULT
The rtype is ADT_CRON and an invalid cronjob[] is passed.

EINVAL
The system call is invoked while auditing is disabled.

EINVAL
The size of arec is not equal to size.

EINVAL
The rtype is invalid.

EPERM
The invoking subject does not have the appropriate privilege (P_AUDIT or P_AUDITWR).

ENOPKG
The audit package is not installed.

References

auditbuf(2), auditctl(2), auditevt(2), auditlog(2)
30 January 1998
© 1998 The Santa Cruz Operation, Inc. All rights reserved.