Appends an audit record to the audit trail file.
Standard C Library (libc.a)
#include <sys/audit.h>
int auditlog ( Event, Result, Buffer, BufferSize)
char *Event;
int Result;
char *Buffer;
int BufferSize;
The auditlog subroutine generates an audit record. The kernel audit-logging component appends a record for the specified Event if system auditing is enabled, process auditing is not suspended, and the Event parameter is in one or more of the audit classes for the current process.
The audit logger generates the audit record by adding the Event and Result parameters to the audit header and including the resulting information in the Buffer parameter as the audit tail.
Item | Description |
---|---|
Event | The name of the audit event to be generated. This parameter should be the name of an audit event. Audit event names are truncated to 15 characters plus null. |
Result | Describes the result of this event. Valid values are defined
in the sys/audit.h file and include the following:
Other nonzero values of the Result parameter are converted into the AUDIT_FAIL value. |
Buffer | Points to a buffer containing the tail of the audit record. The format of the information in this buffer depends on the event name. |
BufferSize | Specifies the size of the Buffer parameter, including the terminating null. |
Upon successful completion, the auditlog subroutine returns a value of 0. If auditlog fails, a value of -1 is returned and the errno global variable is set to indicate the error.
The auditlog subroutine does not return any indication of failure to write the record where this is due to inappropriate tailoring of auditing subsystem configuration files or user-written code. Accidental omissions and typographical errors in the configuration are potential causes of such a failure.
The auditlog subroutine fails if any of the following are true:
Item | Description |
---|---|
EFAULT | The Event or Buffer parameter points outside of the process' address space. |
EINVAL | The auditing system is either interrupted or not initialized. |
EINVAL | The length of the audit record is greater than 32 kilobytes. |
EPERM | The process does not have root user authority. |
ENOMEM | Memory allocation failed. |