audgen(2)audgen(2)NAMEaudgen - generate an audit record
long *size );
The audgen system call generates an audit record.
The argument event is an integer indicating the event type of the oper‐
ation being audited (see audit.h). The value of event must be between
one of the following values: MIN_TRUSTED_EVENT and MIN_TRUSTED_EVENT +
N_TRUSTED_EVENTS -1 MIN_SITE_EVENT and MIN_SITE_EVENT + n_site_events
-1 The number of site-defined events, n_site_events, is determined by
the sysconfig sec parameter audit_site_events. Use sysconfig -q sec to
view the security configuration controlled by /etc/sysconfigtab. See
aud_sitevent(3) and aud_sitevent_num(3) for information on mapping
site-defined event names and event numbers.
The tokenp argument is a null-terminated array of token_type (see
audit.h), each of which represents the type of argument referenced by
the corresponding *argv argument.
The argv argument is a pointer to an array containing either the actual
arguments or pointers to those arguments that are to be recorded in the
audit record. A pointer to the actual argument is placed in that array
when the argument is a string, array, or other variable length struc‐
ture. Arguments represented as an int or a long are placed directly in
that array. The available public tokens are listed in the audit.h file.
If size is nonzero, *size is the size of userbuff provided to audgen,
and the audit record created is not passed into the system audit data
stream, but is copied out to userbuff. On return, *size is updated to
the number of bytes of data placed into userbuff. If the size of the
audit record exceeds *size, then errno is set to E2BIG. Applications
can use this feature to create their own audit records.
The audgen call is a privileged system call. No record is generated for
the system audit data stream if the specified event is not being
audited for the current process. The maximum number of arguments refer‐
enced by argv is AUD_NPARAM (128) with no more than 8 of any one
Upon successful completion, audgen returns a value of 0. Otherwise, it
returns a value of -1 and sets the global integer variable errno to
indicate the error.
The audgen system call fails under the following conditions: The user
is not privileged for this operation. The value supplied for the
event, tokenp, or argv argument is invalid. The audit record exceeds
the audit buffer size. Indicates an attempt to use a system call that
is not configured. The tokenmask data is invalid. The size argument
is non-zero, and the userbuff argument is invalid. A value referenced
by the argv argument is invalid.
Functions: audgenl(3), aud_sitevent(3), aud_sitevent_num(3)