Gets or sets the status of system event auditing.
Standard C Library (libc.a)
The auditevents subroutine queries or sets the audit class definitions that control event auditing. Each audit class is a set of one or more audit events.
System auditing need not be enabled before calling the auditevents subroutine. The audit (audit Subroutine)subroutine can be directed with the AUDIT_RESET command to clear all event lists.
Item | Description |
---|---|
Command | Specifies whether the event lists are to be queried or set.
The values, defined in the sys/audit.h file, for the Command parameter
are:
|
Classes | Specifies the array of a_event structures for the AUDIT_SET operation,
or after an AUDIT_GET or AUDIT_LOCK operation. The audit_class structure
is defined in the sys/audit.h file and contains the following
members:
|
NClasses | Serves a dual purpose. For AUDIT_SET, the NClasses parameter specifies the number of elements in the events array. For AUDIT_GET and AUDIT_LOCK, the NClasses parameter specifies the size of the buffer pointed to by the Classes parameter. |
Attention: Only 32 audit classes are supported. One class is implicitly defined by the system to include all audit events (ALL). The administrator of your system should not attempt to define more than 31 audit classes.
The calling process must have root user authority in order to use the auditevents subroutine.
If the auditevents subroutine completes successfully, the number of audit classes is returned if the Command parameter is AUDIT_GET or AUDIT_LOCK. A value of 0 is returned if the Command parameter is AUDIT_SET. If this call fails, a value of -1 is returned and the errno global variable is set to indicate the error.
The auditevents subroutine fails if one or more of the following are true:
Item | Description |
---|---|
EPERM | The calling process does not have root user authority. |
EINVAL | The value of Command is not AUDIT_SET, AUDIT_GET, or AUDIT_LOCK. |
EINVAL | The Command parameter is AUDIT_SET, and the value of the NClasses parameter is greater than or equal to 32. |
EINVAL | A class name or event name is longer than 15 significant characters. |
ENOSPC | The value of Command is AUDIT_GET or AUDIT_LOCK and the size of the buffer specified by the NClasses parameter is not large enough to hold the list of event structures and names. If this occurs, the first word of the buffer is set to the required buffer size. |
EFAULT | The Classes parameter points outside of the process' address space. |
EFAULT | The ae_list member of one or more audit_class structures passed for an AUDIT_SET operation points outside of the process' address space. |
EFAULT | The Command value is AUDIT_GET or AUDIT_LOCK and the size of the Classes buffer is not large enough to hold an integer. |
EBUSY | Another process has already called the auditevents subroutine with AUDIT_LOCK. |
ENOMEM | Memory allocation failed. |