authaudit(S)
authaudit -- produce audit records due to authentication events
Syntax
cc . . . -lprot
#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
int audit_adjust_mask (pr)
struct pr_passwd *pr;
void audit_auth_entry (desired_entry, type, problem)
char *desired_entry;
int type;
char *problem;
void audit_lax_file (path, problem)
char *path;
char *problem;
int audit_lock (name, code, trys)
char *name;
int code;
int trys;
int audit_login (pr, pwd, terminal_name, code)
struct pr_passwd *pr;
struct passwd *pwd;
char *terminal_name;
int code;
void audit_no_resource (resource, object, problem)
char *resource;
int object;
char *problem;
int audit_passwd (name, code)
char *name;
int code;
void audit_security_failure (object, expected, curr, action, result)
int object;
long expected;
long curr;
char *action;
char *result;
void audit_subsystem (subsystem_type, action, result)
int subsystem_type;
char *action;
char *result;
Description
These routines provide standard interfaces to the secure audit
facility from routines and programs that manipulate the
Authentication database. Depending on the circumstances
(UIDs, privileges), they either write directly to the
audit special device /dev/auditw, or they pass the
information on to the dlvr_audit(ADM) utility.
audit_adjust_mask-
If the user has a special mask, present it here
to the audit subsystem.
audit_auth_entry-
produces an audit record noting that the name
desired_entry has a problem
in the type database, which is a component database
(one of: /etc/passwd, /etc/group,
Protected Password database, Terminal Control database,
File control database, Command Control database,
System Default database, Subsystem database)
of the Authentication database.
This is the means to report a database inconsistency in an entry of
the appropriate database.
audit_lax_file-
produces an audit record about the file path
and the exact problem that makes the file differ from the File Control
database entry describing it.
This is the means to report a breakdown of a sanity check on the
proper setup of system files.
audit_lock-
Audit both successful and unsuccessful database locking
operations. This audit record is always written directly
to the audit device because the programs that must use
locking (for writing) are run as the superuser,
who can access the device.
audit_login-
Audit both successful and unsuccessful logins.
This audit record is always written directly to the audit
device because login is run as the superuser,
who can access the device.
audit_no_resource-
produces an audit record stating that the resource,
of system type object as defined in <sys/audit.h>,
could not be obtained.
The problem that results is also recorded.
Typically, this is used to denote that a vital resource like memory could
not be allocated and a security operation had to be aborted.
audit_passwd-
Audit both successful and unsuccessful password changes.
This audit record is always written directly to the audit
device because login is run as the superuser, who can access
the device.
audit_security_failure-
records a problem involving a system object, as defined
in the sys/audit.h header file. Even though kernel
auditing may have recorded the same security problem as one or a
series of failed system calls, this routine produces an audit
record specifically noting the high-level security problem in
terms of trusted entity failure. If appropriate, the
expected and current (curr) values are recorded
to further help in diagnosing the problem. The high-level
action attempted and the level of the failure
are required. This is the means to report a high-level security
problem that prevents or impedes the correct operation of a
trusted process or subsystem. If the trusted process detects and
corrects security problems, the invocation of this routine is the
detection component of that mechanism.
audit_subsystem-
produces an audit record for
high-level security events specific to a subsystem, as identified by
subsystem_type (defined in <sys/audit.h>).
The high-level action and either a positive or negative
result are recorded.
This is the means to report a problem
or significant event in a specific subsystem.
Notes
These routines work correctly only if set_auth_parameters(S)
(described on the identity(S) manual page)
is called as the first item in the main() routine.
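
An added example, not part of the SCO manual page, of the detect-and-correct pattern described for audit_security_failure, with set_auth_parameters called first as the Notes require. The helper check_and_fix_mode, the USE_LIBPROT macro, the stand-in stubs, the (argc, argv) arguments to set_auth_parameters and the object value 0 are assumptions of this example; a real build takes the object type from <sys/audit.h>.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifdef USE_LIBPROT   /* assumed macro; real build: cc -DUSE_LIBPROT ... -lprot */
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
#else                /* constructed stand-ins so the example runs anywhere */
static long last_expected = -1, last_curr = -1;
static int audit_calls = 0;
static void audit_security_failure(int object, long expected, long curr,
                                   char *action, char *result)
{
    (void)object;
    last_expected = expected; last_curr = curr;
    audit_calls++;
    fprintf(stderr, "AUDIT: %s: %s (expected %lo, found %lo)\n",
            action, result, expected, curr);
}
static void set_auth_parameters(int argc, char **argv) { (void)argc; (void)argv; }
#endif

/* Hypothetical helper. Returns 0 if the mode is already as expected, 1 if a
 * deviation was audited and corrected, -1 if the file could not be examined
 * or the correction failed. */
int check_and_fix_mode(const char *path, int object, mode_t expected)
{
    struct stat st;
    mode_t curr;

    if (stat(path, &st) != 0)
        return -1;
    curr = st.st_mode & 07777;
    if (curr == expected)
        return 0;
    /* Detection first, so the record exists even if the correction fails. */
    audit_security_failure(object, (long)expected, (long)curr,
                           "verify file mode", "mode differs, resetting");
    return chmod(path, expected) == 0 ? 1 : -1;
}

int main(int argc, char **argv)
{
    set_auth_parameters(argc, argv);  /* first item in main(), per Notes */
    if (argc < 2) return 2;
    /* 0 is a placeholder; take the object type from <sys/audit.h>. */
    return check_and_fix_mode(argv[1], 0, 0600) < 0;
}
```

The expected and current modes are passed as the long values that audit_security_failure takes, so the audit record carries both sides of the deviation.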
Files
/dev/auditw
See also
audit(HW), identity(S)
Standards conformance
authaudit is an extension of AT&T System V provided by the
Santa Cruz Operation.
© 2003 System Services (S)
SCO OpenServer Release 5.0.7 -- 11 February 2003