audwrite - write an audit record for a self-auditing process
int audwrite(const struct self_audit_rec *audrec_p);
audwrite() is called by trusted self-auditing processes, which are
capable of turning off the regular auditing (using audswitch(2)) and
doing higher-level auditing on their own. audwrite() is restricted to
audwrite() checks to see if the auditing system is on and the calling
process and the event specified are being audited. If these
conditions are met, audwrite() writes the audit record pointed to by
audrec_p into the audit file. The record consists of an audit record
body and a header with the following fields:
u_long ah_time; /* Date/time (tv_sec of timeval) */
u_short ah_pid; /* Process ID */
u_short ah_error; /* Success/failure */
u_short ah_event; /* Event being audited */
u_short ah_len; /* Length of variant part */
The header has the same format as the regular audit record, while the
body contains additional information about the high-level audit event.
The header fields ah_error, ah_event, and ah_len are specified by the
calling process. audwrite() fills in ah_time and ah_pid fields with
the correct values. this is done to reduce the risk of forgery.
After the header is completed, the record body is attached and the
entire record is written into the current audit file.
If the write is successful, a value of 0 is returned. Otherwise, a
value of -1 is returned and errno is set to indicate the reason for
audwrite() fails if one of the following is true:
[EPERM] The caller is not a superuser.
[EINVAL] The event number in the audit record is invalid.
If audwrite causes a file space overflow, the calling process might be
suspended until the file space is cleaned up. However a returned call
with the return value of 0 indicates that the audit record has been
Hewlett-Packard Company - 1 - HP-UX Release 11i: November 2000
audwrite() was developed by HP.
Hewlett-Packard Company - 2 - HP-UX Release 11i: November 2000