aud_sitevent(3)
NAME
aud_sitevent, aud_sitevent_num - audit site event operations
SYNOPSIS
    aud_sitevent(
            int event,
            int subevent,
            char *eventname,
            char *subeventname );

    aud_sitevent_num(
            char *eventname,
            char *subeventname,
            int *ev_num,
            int *subev_num );
LIBRARY
Audit Library - libaud.a and libaud.so
DESCRIPTION
Audit site events are specific to and defined by a particular installation.
For example, an installation could have its own database program, and want
to have it use the audit subsystem. To do so, the installation's database
events and subevents would be registered in the /etc/sec/site_events file.
The site_events file contains one entry for each site event. Each site
event entry can contain any number of subevents. Both preselection (see
auditmask(8)) and postreduction (see audit_tool(8)) capabilities are
supported for site events. Postreduction capabilities are also supported
for subevents.
The aud_sitevent function, when provided event and subevent numbers, copies
the corresponding event and subevent names into eventname and subeventname.
If no subevent for that site event exists, subevent should be set to -1,
and no subeventname will be copied. The maximum length of an event or
subevent name is AUD_MAXEVENT_LEN bytes. If the requested mapping does not
exist, -1 is returned.
The aud_sitevent_num function, when provided eventname and subeventname,
copies the corresponding event numbers into ev_num and subev_num. If no
subevent for that site event exists, subeventname should be set to the null
string, and subev_num will be set to -1. If the requested mapping does not
exist, -1 is returned.
Mappings between the event and subevent numbers and names are placed into
the file /etc/sec/site_events. A sample file follows:
    eventname 2048,
        subevent0 0,
        subevent1 1,
        ...
        subevent99 99;
    my_rdb 2049,
        rdb_creat 0,
        rdb_open 1,
        rdb_delete 2;
    nosubeventevent 2050;
Each line contains an event or subevent name followed by its number. An
event number must be between MIN_SITE_EVENT (see sys/audit.h) and
MIN_SITE_EVENT + the value reported by sysconfig -q sec audit_site_events
for the running kernel. A subevent number must be a non-negative integer.
Each line is terminated either with a comma (,) if an associated subevent
follows, or with a semicolon (;) if no further associated subevents follow.
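The following C function is an added example, not part of the original manual page or of libaud: it checks site_events text against the rules stated above (name and number on each line, event number in range, non-negative subevent number, comma or semicolon terminator). The parameters min_ev and n_ev are assumptions standing in for MIN_SITE_EVENT and the audit_site_events value, the upper bound is treated as inclusive, and the buffer sizes are the example's own limits.

```c
#include <stdio.h>
#include <string.h>

/* Check site_events text against the rules stated above. min_ev and n_ev
 * are caller-supplied stand-ins for MIN_SITE_EVENT and the sysconfig
 * audit_site_events value. Returns 0 if every entry is valid, otherwise
 * the 1-based line number of the first bad entry (last line + 1 when the
 * text ends while a subevent is still expected). */
int check_site_events(const char *text, int min_ev, int n_ev,
                      int *events, int *subevents)
{
    int line = 0, want_sub = 0;      /* want_sub: previous entry ended in ',' */

    *events = *subevents = 0;
    while (*text) {
        char buf[128], name[64], term, extra;  /* example's own size limits */
        int num;
        size_t len = strcspn(text, "\n");

        line++;
        if (len >= sizeof buf) return line;
        memcpy(buf, text, len);
        buf[len] = '\0';
        text += len + (text[len] == '\n');
        if (buf[strspn(buf, " \t")] == '\0') continue;   /* blank line */
        /* exactly: name, number, one terminator, nothing after it */
        if (sscanf(buf, " %63s %d %c %c", name, &num, &term, &extra) != 3)
            return line;
        if (term != ',' && term != ';') return line;
        if (want_sub) {
            if (num < 0) return line;            /* subevent must be >= 0 */
            ++*subevents;
        } else {
            if (num < min_ev || num > min_ev + n_ev) return line;
            ++*events;
        }
        want_sub = (term == ',');
    }
    return want_sub ? line + 1 : 0;
}

int main(void)
{
    /* Constructed sample modelled on the file shown above. */
    const char *ok = "my_rdb 2049,\n rdb_creat 0,\n rdb_open 1,\n"
                     " rdb_delete 2;\nnosubeventevent 2050;\n";
    int ev, sub;
    int rc = check_site_events(ok, 2048, 64, &ev, &sub);
    printf("rc=%d events=%d subevents=%d\n", rc, ev, sub);
    return rc;
}
```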
EXAMPLES
The following example looks up the event and subevent numbers for event
"my_rdb" and subevent "rdb_open", and generates an audit record if the
lookup succeeded:
    if ( aud_sitevent_num ( "my_rdb", "rdb_open",
                            &event, &subev ) == 0 )
        audgenl ( event, T_SUBEVENT, subev, T_CHARP,
                  "sample rec", 0 );
SEE ALSO
sysconfig(8), sysconfigdb(8)
Security
Programming Support Tools