Technical Reference: Base Operating System and Extensions, Volume 1

audit Subroutine

Purpose

Enables and disables system auditing.

Library

Standard C Library (libc.a)

Syntax

#include <sys/audit.h>

int audit ( Command, Argument) int Command; int Argument;

Description

The audit subroutine enables or disables system auditing.

When auditing is enabled, audit records are created for security-relevant events. These records can be collected through the auditbin (auditbin Subroutine) subroutine, or through the /dev/audit special file interface.

Parameters

Command

Defined in the sys/audit.h file, can be one of the following values:

AUDIT_QUERY: Returns a mask indicating the state of the auditing subsystem. The mask is a logical ORing of the AUDIT_ON, AUDIT_OFF, and AUDIT_PANIC flags. The Argument parameter is ignored.
AUDIT_ON: Enables auditing. If auditing is already enabled, only the failure-mode behavior changes. The Argument parameter specifies recovery behavior in the event of failure and may be either 0 or the value AUDIT_PANIC.
Note

If AUDIT_PANIC is specified, bin-mode auditing must be enabled before the audit subroutine call.
AUDIT_OFF: Disables the auditing system if auditing is enabled. If the auditing system is disabled, the audit subroutine does nothing. The Argument parameter is ignored.
AUDIT_RESET: Disables the auditing system (as does AUDIT_OFF) and resets the auditing system. If auditing is already disabled, only the system configuration is reset. Resetting the audit configuration involves clearing the audit events and audited objects table, and terminating bin and stream auditing. The Argument parameter is ignored.
AUDIT_EVENT_THRESHOLD: Audit event records will be buffered until a total of Argument records have been saved, at which time the audit event records will be flushed to disk. An Argument value of zero disables this functionality. This parameter only applies to AIX 4.1.4 and later.
AUDIT_BYTE_THRESHOLD: Audit event data will be buffered until a total of Argument bytes of data have been saved, at which time the audit event data will be flushed to disk. An Argument value of zero disables this functionality. This parameter only applies to AIX 4.1.4 and later.

Argument

Specifies the behavior when a bin write fails (for AUDIT_ON) or specifies the size of the audit event buffer (for AUDIT_EVENT_THRESHOLD and AUDIT_BYTE_THRESHOLD). For all other commands, the value of Argument is ignored. The valid values are:

AUDIT_PANIC: The operating system shuts down if an audit record cannot be written to a bin.
Note

If AUDIT_PANIC is specified, bin-mode auditing must be enabled before the audit subroutine call.
BufferSize: The number of bytes or audit event records which will be buffered. This parameter is valid only with the command AUDIT_BYTE_THRESHOLD and AUDIT_EVENT_THRESHOLD. A value of zero will disable either byte (for AUDIT_BYTE_THRESHOLD) or event (for AUDIT_EVENT_THRESHOLD) buffering.

Return Values

For a Command value of AUDIT_QUERY, the audit subroutine returns, upon successful completion, a mask indicating the state of the auditing subsystem. The mask is a logical ORing of the AUDIT_ON, AUDIT_OFF, AUDIT_PANIC, and AUDIT_NO_PANIC flags. For any other Command value, the audit subroutine returns 0 on successful completion.

If the audit subroutine fails, a value of -1 is returned and the errno global variable is set to indicate the error.

Error Codes

The audit subroutine fails if either of the following is true:

EINVAL	The Command parameter is not one of AUDIT_ON, AUDIT_OFF, AUDIT_RESET, or AUDIT_QUERY.
EINVAL	The Command parameter is AUDIT_ON and the Argument parameter specifies values other than AUDIT_PANIC.
EPERM	The calling process does not have root user authority.

Files

dev/audit

Specifies the audit pseudo-device from which the audit records are read.

Related Information

The auditbin (auditbin Subroutine) subroutine, auditevents (auditevents Subroutine) subroutine, auditlog (auditlog Subroutine) subroutine, auditobj (auditobj Subroutine) subroutine, auditproc (auditproc Subroutine) subroutine.

The audit command.

List of Security and Auditing Subroutines and Subroutines Overview in AIX 5L Version 5.2 General Programming Concepts: Writing and Debugging Programs.