Initiates an audit record for a system call.
```c
#include <sys/types.h>
#include <sys/errno.h>
#include <sys/audit.h>

int audit_svcstart (eventnam, eventnum, numargs, arg1, arg2, ...)
char * eventnam;
int * eventnum;
int numargs;
int arg1;
int arg2;
...
```
Item | Description |
---|---|
eventnam | Specifies the name of the event. In the current implementation, event names must be less than 17 characters, including the trailing null character. Longer names are truncated. |
eventnum | Specifies the number of the event. This is an internal table index meaningful only to the kernel audit logger. The system call should initialize this parameter to 0. The first time the audit_svcstart kernel service is called, this parameter is set to the actual table index. The system call should not reset the parameter. The parameter should be declared static. |
numargs | Specifies the number of parameters to be included in the buffer for this record. These parameters are normally zero or more of the system call parameters, although this is not a requirement. |
arg1, arg2, ... | Specifies the parameters to be included in the buffer. |
The audit_svcstart kernel service initiates auditing for a system call event. It dynamically allocates a buffer to contain event information. The arguments to the system call (which should be specified as parameters to this kernel service) are automatically added to the buffer, as is the internal number of the event. You can use the audit_svcbcopy service to add additional information that cannot be passed by value.
The system call commits this record with the audit_svcfinis kernel service. The system call should call the audit_svcfinis kernel service before calling another system call.
The audit_svcstart kernel service can be called from the process environment only.
Item | Description |
---|---|
Nonzero | Indicates that auditing is on for this routine. |
0 | Indicates that auditing is off for this routine. |
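```c
#include <sys/types.h>
#include <sys/errno.h>
#include <sys/audit.h>

int svccrash(int x, int y, int z)
{
    static int eventnum;    /* set by the first audit_svcstart call; never reset */

    /* Record x and y for the "crashed" event if auditing is on. */
    if (audit_svcstart("crashed", &eventnum, 2, x, y))
    {
        audit_svcfinis();   /* commit the record */
    }
    /* body of svccrash */
}
```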
The preceding example allocates an audit event record buffer for the crashed event and copies the first and second arguments into it. The third argument is unnecessary and not copied.
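The full sequence described above (start the record, append by-reference data with audit_svcbcopy, commit with audit_svcfinis), as an added example that is not from the original page. The three services here are user-space stand-ins so the calling pattern compiles outside the AIX kernel; `svcdemo`, the `rec` structure, the event name, the 8-argument limit and the `audit_svcbcopy(buf, len)` signature are assumptions.

```c
#include <stdarg.h>
#include <string.h>

/* User-space stand-ins for the kernel services (constructed, not AIX code). */
#define AUD_NAMELEN 17           /* page: names under 17 chars incl. null */
static struct {
    char name[AUD_NAMELEN];
    int  args[8], nargs;         /* by-value arguments (limit is assumed) */
    char extra[64];              /* data appended with audit_svcbcopy */
    int  extralen, committed;
} rec;                           /* models the per-call audit record buffer */
static int audit_enabled = 1;    /* models "auditing is on for this routine" */

int audit_svcstart(char *eventnam, int *eventnum, int numargs, ...)
{
    va_list ap;
    if (!audit_enabled) return 0;
    if (*eventnum == 0) *eventnum = 1;   /* first call: fill in table index */
    memset(&rec, 0, sizeof rec);
    strncpy(rec.name, eventnam, AUD_NAMELEN - 1);   /* longer names truncated */
    rec.nargs = numargs > 8 ? 8 : numargs;
    va_start(ap, numargs);
    for (int i = 0; i < rec.nargs; i++) rec.args[i] = va_arg(ap, int);
    va_end(ap);
    return 1;
}

int audit_svcbcopy(char *buf, int len)   /* signature is an assumption */
{
    if (len < 0 || rec.extralen + len > (int)sizeof rec.extra) return -1;
    memcpy(rec.extra + rec.extralen, buf, (size_t)len);
    rec.extralen += len;
    return 0;
}

int audit_svcfinis(void) { rec.committed = 1; return 0; }

/* Hypothetical system call: two by-value arguments plus a string. */
int svcdemo(int fd, int flags, char *name)
{
    static int eventnum;         /* static, starts at 0, never reset */
    int audited = audit_svcstart("DEMO_EventNameTooLong", &eventnum, 2, fd, flags);
    if (audited)                 /* strings cannot be passed by value */
        audit_svcbcopy(name, (int)strlen(name) + 1);
    /* ... body of the system call ... */
    if (audited)
        audit_svcfinis();        /* commit before any other system call */
    return eventnum;             /* returned only so the caller can inspect it */
}
```

Checking the return value of audit_svcstart once and reusing it keeps the audit_svcbcopy and audit_svcfinis calls from running when auditing is off for the routine.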