aud_sitevent, aud_sitevent_num - audit site event operations
int aud_sitevent(
        int event,
        int subevent,
        char *eventname,
        char *subeventname );

int aud_sitevent_num(
        char *eventname,
        char *subeventname,
        int *ev_num,
        int *subev_num );
Audit Library - libaud.a and libaud.so
Audit site events are specific to and defined by a particular
installation. For example, an installation could have
its own database program, and want to have it use the
audit subsystem. To do so, the installation's database
events and subevents would be registered in the
/etc/sec/site_events file.
The site_events file contains one entry for each site
event. Each site event entry can contain any number of
subevents. Both preselection (see auditmask(8)) and
postreduction (see audit_tool(8)) capabilities are supported
for site events. Postreduction capabilities are
also supported for subevents.
The aud_sitevent function, when provided event and
subevent numbers, copies the corresponding event and
subevent names into eventname and subeventname. If no
subevent for that site event exists, subevent should be
set to -1, and no subeventname will be copied. The maximum
length of an event or subevent name is AUD_MAXEVENT_LEN
bytes. If the requested mapping does not exist,
-1 is returned.
The aud_sitevent_num function, when provided eventname and
subeventname, copies the corresponding event numbers into
ev_num and subev_num. If no subevent for that site event
exists, subeventname should be set to the null string, and
subev_num will be set to -1. If the requested mapping
does not exist, -1 is returned.
Mappings between the event and subevent numbers and names
are placed into the file /etc/sec/site_events. A sample
file follows:
    eventname 2048,
        subevent0 0,
        subevent1 1,
        ...
        subevent99 99;
    my_rdb 2049,
        rdb_creat 0,
        rdb_open 1,
        rdb_delete 2;
    nosubeventevent 2050;
Each line contains an event or subevent name followed by
its number. An event number must be between
MIN_SITE_EVENT (see sys/audit.h) and MIN_SITE_EVENT plus
the value that sysconfig -q sec audit_site_events reports
for the running kernel. A subevent number must be a
non-negative integer. The line is terminated either with a
comma (,) if an associated subevent follows, or with a
semicolon (;) if no further associated subevents follow.
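As an added illustration (not code from libaud or from this manual page), the following self-contained C sketch parses text in the site_events format and performs the name-to-number lookup described for aud_sitevent_num, rejecting bad terminators and out-of-range numbers. The ex_ names, the value 2048 for MIN_SITE_EVENT (read off the sample file), the 64-byte name limit and the inclusive upper bound are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumptions: the real bounds come from sys/audit.h and
 * `sysconfig -q sec audit_site_events`; 2048 is read off the sample file. */
#define EX_MIN_SITE_EVENT 2048
#define EX_NAME_MAX 64              /* stand-in for AUD_MAXEVENT_LEN */

/* Constructed input in the site_events format. */
static const char ex_sample[] =
    "my_rdb 2049,\n  rdb_creat 0,\n  rdb_open 1,\n  rdb_delete 2;\n"
    "nosubeventevent 2050;\n";

/* Name-to-number lookup over site_events text. Returns 0 on success and
 * -1 if the mapping is missing, an entry is malformed, or an event number
 * lies outside EX_MIN_SITE_EVENT .. EX_MIN_SITE_EVENT + nsite (inclusive
 * here, by assumption). An empty subname requests the event alone and
 * sets *subev to -1. Outputs are written only on success. */
int ex_site_lookup(const char *text, int nsite, const char *evname,
                   const char *subname, int *ev, int *subev)
{
    char name[EX_NAME_MAX], term;
    int num, used, evnum = -1, at_event = 1, in_target = 0;

    while (sscanf(text, " %63[^ \t\n,;] %d %c%n", name, &num, &term, &used) == 3) {
        text += used;
        if (term != ',' && term != ';') return -1;  /* bad line terminator */
        if (at_event) {
            if (num < EX_MIN_SITE_EVENT || num > EX_MIN_SITE_EVENT + nsite)
                return -1;                          /* event number out of range */
            in_target = strcmp(name, evname) == 0;
            evnum = num;
            if (in_target && subname[0] == '\0') { *ev = num; *subev = -1; return 0; }
        } else {
            if (num < 0) return -1;                 /* subevents are non-negative */
            if (in_target && strcmp(name, subname) == 0) { *ev = evnum; *subev = num; return 0; }
        }
        if (in_target && term == ';') return -1;    /* entry ended without a match */
        at_event = (term == ';');                   /* ';' closes the event entry */
    }
    return -1;                                      /* end of text or parse failure */
}

int main(void)
{
    int ev, sub;
    if (ex_site_lookup(ex_sample, 64, "my_rdb", "rdb_open", &ev, &sub) == 0)
        printf("my_rdb/rdb_open -> %d/%d\n", ev, sub);
    return 0;
}
```

Running such a check over a site_events file before deployment catches entries whose lookups would otherwise fail and leave the corresponding audit records ungenerated.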
The following example looks up the event and subevent numbers
for event "my_rdb" and subevent "rdb_open", and generates
an audit record if the lookup succeeded:
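    int event, subev;    /* filled in by aud_sitevent_num */

    /* Generate the audit record only if the name lookup succeeded. */
    if ( aud_sitevent_num ( "my_rdb", "rdb_open", &event, &subev ) == 0 )
        audgenl ( event, T_SUBEVENT, subev, T_CHARP, "sample rec", 0 );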
sysconfig(8), sysconfigdb(8)
Security
Programming Support Tools
aud_sitevent(3)