AIX Version 4.3 Kernel and Subsystems Technical Reference, Volume 1

audit_svcstart Kernel Service


Initiates an audit record for a system call.


#include <sys/types.h>
#include <sys/errno.h>
#include <sys/audit.h>

int audit_svcstart (eventnam, eventnum, numargs, arg1, arg2, ...)
char *eventnam;
int *eventnum;
int numargs;
int arg1;
int arg2;
...


eventnam
        Specifies the name of the event. In the current implementation, event names must be less than 17 characters, including the trailing null character. Longer names are truncated.
eventnum
        Specifies the number of the event. This is an internal table index meaningful only to the kernel audit logger. The system call should initialize this parameter to 0. The first time the audit_svcstart kernel service is called, this parameter is set to the actual table index. The system call should not reset the parameter. The parameter should be declared as a static variable.
numargs
        Specifies the number of parameters to be included in the buffer for this record. These parameters are normally zero or more of the system call parameters, although this is not a requirement.
arg1, arg2, ...
        Specifies the parameters to be included in the buffer.


The audit_svcstart kernel service initiates auditing for a system call event. It dynamically allocates a buffer to contain event information. The arguments to the system call (which should be specified as parameters to this kernel service) are automatically added to the buffer, as is the internal number of the event. You can use the audit_svcbcopy service to add additional information that cannot be passed by value.

The system call commits this record with the audit_svcfinis kernel service. The system call should call the audit_svcfinis kernel service before calling another system call.

Execution Environment

The audit_svcstart kernel service can be called from the process environment only.

Return Values

Nonzero    Indicates that auditing is on for this routine.
0          Indicates that auditing is off for this routine.


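int svccrash(int x, int y, int z)
{
        static int eventnum;    /* starts at 0; set to the table index on the first call */
        /* A nonzero return means auditing is on: commit the record. */
        if (audit_svcstart("crashed", &eventnum, 2, x, y))
                audit_svcfinis();
        /* body of svccrash */
}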

The preceding example allocates an audit event record buffer for the crashed event and copies the first and second arguments into it. The third argument is unnecessary and not copied.
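Because the eventnam parameter is truncated without an error, two distinct event names can end up as the same name in the audit trail. The following check is an added example, not part of IBM's documentation: it flags names that would be truncated and pairs that become identical afterwards. It reads the stated limit as 15 characters plus the trailing null and assumes truncation keeps the leading characters; the function names and sample event names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: "less than 17 characters, including the trailing null"
 * is read as at most 15 visible characters plus the null. */
#define AUDIT_NAME_CHARS 15

/* Returns 1 if the name exceeds the limit and would be truncated. */
int name_is_truncated(const char *name)
{
    return strlen(name) > AUDIT_NAME_CHARS;
}

/* Returns 1 if two distinct names are identical once truncated. */
int names_collide(const char *a, const char *b)
{
    return strcmp(a, b) != 0 && strncmp(a, b, AUDIT_NAME_CHARS) == 0;
}

/* Scans a list of event names, prints each finding, and returns the
 * number of problems (truncated names plus colliding pairs). */
int lint_event_names(const char *const names[], int count)
{
    int problems = 0;
    for (int i = 0; i < count; i++) {
        if (name_is_truncated(names[i])) {
            printf("truncated: %s -> %.*s\n",
                   names[i], AUDIT_NAME_CHARS, names[i]);
            problems++;
        }
        for (int j = i + 1; j < count; j++) {
            if (names_collide(names[i], names[j])) {
                printf("collision: %s / %s\n", names[i], names[j]);
                problems++;
            }
        }
    }
    return problems;
}

int main(void)
{
    /* Constructed sample names, not real AIX audit events. */
    static const char *const sample[] = {
        "crashed", "MYEXT_volume_mount", "MYEXT_volume_mount_ro" };
    printf("%d problem(s)\n", lint_event_names(sample, 3));
    return 0;
}
```

Running such a check over every name a kernel extension passes to audit_svcstart keeps each event distinguishable when the audit trail is reviewed.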

Implementation Specifics

This kernel service is part of Base Operating System (BOS) Runtime.

Related Information

The audit_svcbcopy kernel service, audit_svcfinis kernel service.

Security Kernel Services in AIX Version 4.3 Kernel Extensions and Device Support Programming Concepts.
