aud_sitevent, aud_sitevent_num - audit site event operations
char *subeventname );
aud_sitevent_num(
int *subev_num );
Audit Library - libaud.a and libaud.so
Audit site events are specific to and defined by a particular installation.
For example, an installation could have its own database program,
and want to have it use the audit subsystem. To do so, the installation's
database events and subevents would be registered in the
The site_events file contains one entry for each site event. Each site
event entry can contain any number of subevents. Both preselection
(see auditmask(8)) and postreduction (see audit_tool(8)) capabilities
are supported for site events. Postreduction capabilities are also
supported for subevents.
The aud_sitevent function, when provided event and subevent numbers,
copies the corresponding event and subevent names into eventname and
subeventname. If no subevent for that site event exists, subevent
should be set to -1, and no subeventname will be copied. The maximum
length of an event or subevent name is AUD_MAXEVENT_LEN bytes. If the
requested mapping does not exist, -1 is returned.
The aud_sitevent_num function, when provided eventname and subeventname,
copies the corresponding event numbers into ev_num and subev_num.
If no subevent for that site event exists, subeventname should be set
to the null string, and subev_num will be set to -1. If the requested
mapping does not exist, -1 is returned.
Mappings between the event and subevent numbers and names are placed
into the file /etc/sec/site_events. A sample file follows:
Each line contains an event or subevent name followed by its number.
An event number must be between MIN_SITE_EVENT (see sys/audit.h) and
MIN_SITE_EVENT + the output of the sysconfig -q sec audit_site_events
for the running kernel. A subevent number must be a non-negative integer.
The line is terminated either with a comma (,) if an associated
subevent follows, or with a semicolon (;) if no further associated
The following example looks up the event and subevent numbers for event
"my_rdb" and subevent "rdb_open", and generates an audit record if the
    if ( aud_sitevent_num ( "my_rdb", "rdb_open",
                            &event, &subev ) == 0 )
        audgenl ( event, T_SUBEVENT, subev, T_CHARP,
                  "sample rec", 0 );
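
Added example (not part of the original manual page and not libaud code): a stand-alone C function that reads text in the site_events layout described above, enforces the stated number and terminator rules, and reports results with the same 0 / -1 convention as aud_sitevent_num. The helper name site_lookup, the whitespace-separated layout, the inclusive range parameters and the sample names and numbers are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the layout described above; names and numbers are
 * placeholders, not values from a real /etc/sec/site_events. */
static const char SAMPLE[] =
    "my_rdb 2048,\n"
    "    rdb_creat 0,\n"
    "    rdb_open 1,\n"
    "    rdb_close 2;\n"
    "my_mail 2049;\n";

/* Hypothetical helper: find name (and subname, or "" for none) in text.
 * min_ev..max_ev is the caller-supplied inclusive event-number range.
 * Returns 0 and fills *ev and *subev, or -1 if the mapping is missing or an
 * entry read before the match breaks a rule. */
int site_lookup(const char *text, int min_ev, int max_ev, const char *name,
                const char *subname, int *ev, int *subev)
{
    char tok[64], term;
    int num, used, in_subs = 0, matched = 0, found_ev = -1;

    while (sscanf(text, " %63[^ \t\n,;] %d %c%n", tok, &num, &term, &used) == 3) {
        text += used;
        if (term != ',' && term != ';')
            return -1;                      /* bad line terminator */
        if (!in_subs) {                     /* event entry */
            if (num < min_ev || num > max_ev)
                return -1;                  /* event number out of range */
            matched = strcmp(tok, name) == 0;
            found_ev = num;
            if (matched && subname[0] == '\0') {
                *ev = num; *subev = -1;     /* no subevent requested */
                return 0;
            }
        } else {                            /* subevent entry */
            if (num < 0)
                return -1;                  /* subevent must be non-negative */
            if (matched && strcmp(tok, subname) == 0) {
                *ev = found_ev; *subev = num;
                return 0;
            }
        }
        in_subs = (term == ',');            /* ',' means a subevent follows */
    }
    return -1;                              /* not found or unparsable entry */
}
```

Running such a check over a candidate file before installing it shows which lookups would return -1, the case in which the calling pattern above generates no audit record.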
SEE ALSO
sysconfig(8), sysconfigdb(8)
Programming Support Tools