auditlog Subroutine

Purpose

Appends an audit record to the audit trail file.

Library

Standard C Library (libc.a)

Syntax

#include <sys/audit.h>

int auditlog (Event, Result, Buffer, BufferSize)
char *Event;
int Result;
char *Buffer;
int BufferSize;

Description

The auditlog subroutine generates an audit record. The kernel audit-logging component appends a record for the specified Event if system auditing is enabled, process auditing is not suspended, and the Event parameter is in one or more of the audit classes for the current process.

The audit logger generates the audit record by adding the Event and Result parameters to the audit header and including the information in the Buffer parameter as the audit tail.

Parameters

Item        Description
Event       The name of the audit event to be generated. This parameter should be the name of an audit event. Audit event names are truncated to 15 characters plus null.
Result      Describes the result of this event. Valid values are defined in the sys/audit.h file and include the following:
            AUDIT_OK
                The event was successful.
            AUDIT_FAIL
                The event failed.
            AUDIT_FAIL_ACCESS
                The event failed because of any access control denial.
            AUDIT_FAIL_DAC
                The event failed because of a discretionary access control denial.
            AUDIT_FAIL_PRIV
                The event failed because of a privilege control denial.
            AUDIT_FAIL_AUTH
                The event failed because of an authentication denial.

            Other nonzero values of the Result parameter are converted into the AUDIT_FAIL value.
Buffer      Points to a buffer containing the tail of the audit record. The format of the information in this buffer depends on the event name.
BufferSize  Specifies the size of the Buffer parameter, including the terminating null.

Return Values

Upon successful completion, the auditlog subroutine returns a value of 0. If auditlog fails, a value of -1 is returned and the errno global variable is set to indicate the error.

The auditlog subroutine does not return any indication of failure when the record is not written because of inappropriate tailoring of auditing subsystem configuration files or user-written code. Accidental omissions and typographical errors in the configuration are potential causes of such a failure.

Error Codes

The auditlog subroutine fails if any of the following are true:

Item        Description
EFAULT      The Event or Buffer parameter points outside of the process' address space.
EINVAL      The auditing system is either interrupted or not initialized.
EINVAL      The length of the audit record is greater than 32 kilobytes.
EPERM       The process does not have root user authority.
ENOMEM      Memory allocation failed.
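
Example

The following is an added example, not part of the original documentation: a checked wrapper that enforces the documented limits (15-character event names, a BufferSize that includes the terminating null, the 32-kilobyte record limit) before calling auditlog. The helper name log_audit_event, the event name APP_Login, and the non-AIX stand-in for auditlog with its placeholder AUDIT_* values are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#ifdef _AIX
#include <sys/audit.h>             /* real auditlog() and AUDIT_* values */
#else
/* Stand-in so the example builds off AIX; these values are placeholders. */
#define AUDIT_OK   0
#define AUDIT_FAIL 1
static int stub_last_size;         /* BufferSize seen by the stand-in */
static int auditlog(char *Event, int Result, char *Buffer, int BufferSize)
{
    (void)Event; (void)Result; (void)Buffer;
    stub_last_size = BufferSize;
    return 0;
}
#endif

#define EVENT_NAME_MAX 15          /* names are truncated to 15 chars plus null */
#define RECORD_MAX (32 * 1024)     /* records over 32 KB fail with EINVAL */

/* Hypothetical helper: returns 0 on success, -1 with errno set otherwise. */
int log_audit_event(const char *event, int result, const char *tail)
{
    size_t tail_size;

    if (event == NULL || tail == NULL) { errno = EFAULT; return -1; }
    /* Refuse names that would be truncated rather than log under a
       different name than the caller intended. */
    if (event[0] == '\0' || strlen(event) > EVENT_NAME_MAX) { errno = EINVAL; return -1; }
    tail_size = strlen(tail) + 1;  /* BufferSize includes the terminating null */
    /* The header adds to the record length, so a tail this large cannot fit. */
    if (tail_size >= RECORD_MAX) { errno = EINVAL; return -1; }
    return auditlog((char *)event, result, (char *)tail, (int)tail_size);
}

int main(void)
{
    /* "APP_Login" and the tail text are constructed sample values. */
    if (log_audit_event("APP_Login", AUDIT_OK, "user=alice tty=pts/0") != 0) {
        perror("auditlog");
        return 1;
    }
    return 0;
}
```

A return value of 0 only means the call was accepted: as noted under Return Values, a record dropped because of a configuration error is not reported, so confirm that new events actually appear in the audit trail.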