Defines files to contain audit records.
Standard C Library (libc.a)
The auditbin subroutine establishes an audit bin file into which the kernel writes audit records. Optionally, this subroutine can be used to establish an overflow bin into which records are written when the current bin reaches the size specified by the Threshold parameter.
Item | Description |
---|---|
Command | If nonzero, this parameter is a logical ORing of the following
values, which are defined in the sys/audit.h file:
|
Current | A file descriptor for a file to which the kernel should immediately write audit records. |
Next | Specifies the file descriptor that will be used as the current audit bin if the value of the Threshold parameter is exceeded or if a write to the current bin fails. If this value is -1, no switch occurs. |
Threshold | Specifies the maximum size of the current bin. If 0, the auditing subsystem will not switch bins. If it is nonzero, the kernel begins writing records to the file specified by the Next parameter, if writing a record to the file specified by the Cur parameter would cause the size of this file to exceed the number of bytes specified by the Threshold parameter. If no next bin is defined and AUDIT_PANIC was specified when the auditing subsystem was enabled, the system is shut down. If the size of the Threshold parameter is too small to contain a bin header and a bin tail, the auditbin subroutine fails and the errno variable is set to EINVAL. |
If the auditbin subroutine is successful, a value of 0 returns.
If the auditbin subroutine fails, a value of -1 returns and the errno global variable is set to indicate the error. If this occurs, the result of the call does not indicate whether any records were written to the bin.
The auditbin subroutine fails if any of the following is true:
Item | Description |
---|---|
EBADF | The Current parameter is not a file descriptor for a regular file open for writing, or the Next parameter is neither -1 nor a file descriptor for a regular file open for writing. |
EBUSY | The Command parameter specifies AUDIT_EXCL and the kernel is not writing audit records to the file specified by the Current parameter. |
EBUSY | The Command parameter specifies AUDIT_WAIT and another process has already registered a bin. |
EINTR | The auditing subsystem is shut down. |
EINVAL | The Command parameter specifies a nonzero value other than AUDIT_EXCL or AUDIT_WAIT. |
EINVAL | The Threshold parameter value is less than the size of a bin header and trailer. |
EPERM | The caller does not have root user authority. |