Reads an audit record.
Security Library (libc.a)
#include <sys/audit.h>
#include <stdio.h>
char *auditread ( FilePointer, AuditRecord)
FILE *FilePointer;
struct aud_rec *AuditRecord;
char *auditread_r ( FilePointer, AuditRecord, RecordSize, StreamInfo)
FILE *FilePointer;
struct aud_rec *AuditRecord;
size_t RecordSize;
void **StreamInfo;
The auditread subroutine reads the next audit record from the specified file descriptor. Bins on this input stream are unpacked and uncompressed if necessary.
The auditread subroutine can not be used on more than one FilePointer as the results can be unpredictable. Use the auditread_r subroutine instead.
The auditread_r subroutine reads the next audit from the specified file descriptor. This subroutine is thread safe and can be used to handle multiple open audit files simultaneously by multiple threads of execution.
The auditread_r subroutine is able to read multiple versions of audit records. The version information contained in an audit record is used to determine the correct size and format of the record. When an input record header is larger than AuditRecord, an error is returned. In order to provide for binary compatibility with previous versions, if RecordSize is the same size as the original (struct aud_rec), the input record is converted to the original format and returned to the caller.
Item | Description |
---|---|
FilePointer | Specifies the file descriptor from which to read. |
AuditRecord | Specifies the buffer to contain the header. The first short in this buffer must contain a valid number for the header. |
RecordSize | The size of the buffer referenced by AuditRecord. |
StreamInfo | A pointer to an opaque datatype used to hold information related to the current value of FilePointer. For each new value of FilePointer, a new StreamInfo pointer must be used. StreamInfo must be initialized to NULL by the user and is initialized by auditread_r when first used. When FilePointer has been closed, the value of StreamInfo can be passed to the free subroutine to be deallocated. |
If the auditread subroutine completes successfully, a pointer to a buffer containing the tail of the audit record is returned. The length of this buffer is returned in the ah_length field of the header file. If this subroutine is unsuccessful, a null pointer is returned and the errno global variable is set to indicate the error.
The auditread subroutine fails if one or more of the following is true:
Item | Description |
---|---|
EBADF | The FilePointer value is not valid. |
ENOSPC | The auditread subroutine is unable to allocate space for the tail buffer. |
Other error codes are returned by the read subroutine.