auditbuf(2)


auditbuf -- get or set the audit buffer attributes

Synopsis

   #include <sys/types.h>
   #include <audit.h>

   int auditbuf(int cmd, struct abuf *bufp, int size);

Description

The auditbuf system call is used to get or set the high_water_mark (vhigh) and size (bsize) of the audit buffer(s). The high_water_mark limits the amount of memory that can be held within the audit buffer.

The default high_water_mark is equal to the size of an audit buffer (ADT_BSIZE). The valid range of values for vhigh is greater than or equal to zero and less than or equal to ADT_BSIZE. If vhigh is equal to zero, the audit buffer mechanism is bypassed and all records are written directly to the audit log file. The size of the audit buffer (ADT_BSIZE) is a tunable parameter found in /etc/conf/mtune.d/audit and cannot be modified by the auditbuf system call.

Two values for cmd are supported: ABUFGET and ABUFSET. When the specified cmd is ABUFGET, the value of the high_water_mark is returned in vhigh, and the size of the audit buffer is returned in bsize.

When the specified cmd is ABUFSET, the value of the high_water_mark is changed to vhigh, and the bsize of the audit buffer is ignored.

The bufp argument points to a structure of type abuf that contains the following elements:

   struct abuf {
   	int vhigh;	/* audit buffer high_water_mark */
   	int bsize;	/* audit buffer size */
   };

The size argument is used to verify the size of the abuf structure being passed to determine the version of auditing.

Auditing must be installed on the system before this system call can be used. Use of the auditbuf system call requires the appropriate privilege (P_AUDIT).

Return values

On success, auditbuf returns 0. On failure, auditbuf returns -1 and sets errno to identify the error.

Errors

In the following conditions, auditbuf fails and sets errno to:

EFAULT
The cmd is ABUFGET and bufp is invalid.

EFAULT
The cmd is ABUFSET and bufp is invalid.

EINVAL
The size of abuf is not equal to size.

EINVAL
The cmd is ABUFSET and the value of vhigh is less than zero or greater than ADT_BSIZE.

EINVAL
The cmd is invalid.

EPERM
The process does not have the appropriate privilege (P_AUDIT).

ENOPKG
The audit package is not installed.
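
The following added example (not part of the SCO manual page and not SCO code) shows a get-then-set sequence: it reads bsize with ABUFGET, range-checks the requested high_water_mark, then applies it with ABUFSET. The names HAVE_UNIXWARE_AUDIT, get_high_water and set_high_water are assumptions, as is the stand-in compiled when that macro is undefined, whose command values and buffer size are constructed placeholders.

```c
/* Added example, not SCO code. -DHAVE_UNIXWARE_AUDIT (assumed macro) selects
 * the real <audit.h>; otherwise a constructed stand-in models this page. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#ifdef HAVE_UNIXWARE_AUDIT
#include <audit.h>
#else
/* Constructed stand-in: command values and buffer size are placeholders. */
struct abuf { int vhigh; int bsize; };
enum { ABUFGET = 1, ABUFSET = 2, MODEL_BSIZE = 20480 };
static int model_vhigh = MODEL_BSIZE;      /* default: vhigh == buffer size */
static int auditbuf(int cmd, struct abuf *bufp, int size)
{
    if (bufp == NULL) { errno = EFAULT; return -1; }
    if (size != (int)sizeof(struct abuf)) { errno = EINVAL; return -1; }
    if (cmd == ABUFGET) {
        *bufp = (struct abuf){ model_vhigh, MODEL_BSIZE };
        return 0;
    }
    if (cmd != ABUFSET || bufp->vhigh < 0 || bufp->vhigh > MODEL_BSIZE) {
        errno = EINVAL;
        return -1;
    }
    model_vhigh = bufp->vhigh;              /* bsize is ignored on ABUFSET */
    return 0;
}
#endif

/* Return the current high_water_mark, or -1 with errno set. */
int get_high_water(void)
{
    struct abuf ab;
    return auditbuf(ABUFGET, &ab, sizeof ab) == -1 ? -1 : ab.vhigh;
}

/* Set the high_water_mark; 0 on success, -1 with errno set on failure.
 * bsize is read first so an out-of-range value is rejected before ABUFSET. */
int set_high_water(int want)
{
    struct abuf ab;
    if (auditbuf(ABUFGET, &ab, sizeof ab) == -1)
        return -1;                          /* e.g. EPERM or ENOPKG */
    if (want < 0 || want > ab.bsize) { errno = EINVAL; return -1; }
    ab.vhigh = want;                        /* 0 bypasses the buffer */
    return auditbuf(ABUFSET, &ab, sizeof ab);
}

int main(void) { printf("vhigh=%d\n", get_high_water()); return 0; }
```

Passing 0 to set_high_water selects the documented bypass mode, in which every record is written directly to the audit log file.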

References

auditctl(2), auditdmp(2), auditevt(2), auditlog(2)
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004