
authaudit(S)


authaudit -- produce audit records due to authentication events

Syntax

cc . . . -lprot

#include <sys/types.h>
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>

int audit_adjust_mask (pr)
struct pr_passwd *pr;

void audit_auth_entry (desired_entry, type, problem)
char *desired_entry;
int type;
char *problem;

void audit_lax_file (path, problem)
char *path;
char *problem;

int audit_lock (name, code, trys)
char *name;
int code;
int trys;

int audit_login (pr, pwd, terminal_name, code)
struct pr_passwd *pr;
struct passwd *pwd;
char *terminal_name;
int code;

void audit_no_resource (resource, object, problem)
char *resource;
int object;
char *problem;

int audit_passwd (name, code)
char *name;
int code;

void audit_security_failure (object, expected, curr, action, result)
int object;
long expected;
long curr;
char *action;
char *result;

void audit_subsystem (subsystem_type, action, result)
int subsystem_type;
char *action;
char *result;

Description

These routines provide standard interfaces to the secure audit facility from routines and programs that manipulate the Authentication database. Depending on the circumstances (UIDs, privileges), they either write directly to the audit special device /dev/auditw, or they pass the information on to the dlvr_audit(ADM) utility.


audit_adjust_mask
If the user has a special mask, present it here to the audit subsystem.

audit_auth_entry
produces an audit record noting that the name desired_entry has a problem in the type database, which is a component database (one of: /etc/passwd, /etc/group, Protected Password database, Terminal Control database, File Control database, Command Control database, System Default database, Subsystem database) of the Authentication database. This is the means to report a database inconsistency in an entry of the appropriate database.

audit_lax_file
produces an audit record about the file path and the exact problem that makes the file differ from the File Control database entry describing it. This is the means to report a breakdown of a sanity check on the proper setup of system files.

audit_lock
Audit both successful and unsuccessful database locking operations. This audit record is always written directly to the audit device because the programs that must use locking (for writing) are run as the superuser, who can access the device.

audit_login
Audit both successful and unsuccessful logins. This audit record is always written directly to the audit device because login is run as the superuser, who can access the device.

audit_no_resource
prints an audit record stating that resource, of system type object as defined in <sys/audit.h>, could not be obtained. The problem that results is also recorded. Typically, this is used to denote that a vital resource like memory could not be allocated and a security operation had to be aborted.

audit_passwd
Audit both successful and unsuccessful password changes. This audit record is always written directly to the audit device because login is run as the superuser, who can access the device.

audit_security_failure
records a problem involving a system object, as defined in the <sys/audit.h> header file. Even though kernel auditing may have recorded the same security problem as one or a series of failed system calls, this routine produces an audit record specifically noting the high-level security problem in terms of trusted entity failure. If appropriate, the expected value (expected) and the current value (curr) are recorded to further help in diagnosing the problem. The high-level action attempted and the level of the failure are required. This is the means to report a high-level security problem that prevents or impedes the correct operation of a trusted process or subsystem. If the trusted process detects and corrects security problems, the invocation of this routine is the detection component of that mechanism.

audit_subsystem
writes an audit record for high-level security events specific to the subsystem identified by subsystem_type, as defined in <sys/audit.h>. The high-level action and its result, either positive or negative, are recorded. This is the means to report a problem or significant event in a specific subsystem.

Notes

These routines work correctly only if set_auth_parameters(S) (described on the identity(S) manual page) is called as the first item in the main() routine.
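
Example (added here; not part of the original manual page or of SCO's code): a file sanity check that reports the exact discrepancy through audit_lax_file(), with set_auth_parameters() called first in main(). Assumptions: set_auth_parameters() is called with argc and argv, HAVE_LIBPROT is a hypothetical build macro, check_file_mode() is a hypothetical helper, the expected mode is a constructed value standing in for a File Control database entry, and the #else branch holds local stand-ins so the check can be exercised on a host without libprot.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifdef HAVE_LIBPROT   /* hypothetical build macro: set it when compiling with -lprot */
#include <sys/security.h>
#include <sys/audit.h>
#include <prot.h>
#else
/* Stand-ins (assumption) for hosts without libprot: keep the last report in memory. */
static char last_path[256], last_problem[256];
static void set_auth_parameters(int argc, char *argv[]) { (void)argc; (void)argv; }
static void audit_lax_file(char *path, char *problem)
{
    snprintf(last_path, sizeof last_path, "%s", path);
    snprintf(last_problem, sizeof last_problem, "%s", problem);
}
#endif

/* Compare the file's permission bits with the expected mode and audit any
 * difference. Returns 0 on match, 1 on mismatch, -1 if the file cannot be examined. */
int check_file_mode(char *path, mode_t want_mode)
{
    struct stat sb;
    char problem[128];

    if (stat(path, &sb) != 0) {
        snprintf(problem, sizeof problem, "cannot stat: %s", strerror(errno));
        audit_lax_file(path, problem);
        return -1;
    }
    if ((sb.st_mode & 07777) != want_mode) {
        snprintf(problem, sizeof problem, "mode is %04o, expected %04o",
                 (unsigned)(sb.st_mode & 07777), (unsigned)want_mode);
        audit_lax_file(path, problem);
        return 1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    set_auth_parameters(argc, argv);  /* first item in main(), as Notes requires */
    /* Constructed expectation; a real checker would read the File Control database. */
    return check_file_mode("/etc/passwd", 0644) == 0 ? 0 : 1;
}
```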

Files

/dev/auditw

See also

audit(HW), identity(S)

Standards conformance

authaudit is an extension of AT&T System V provided by the Santa Cruz Operation.
© 2003 System Services (S)
SCO OpenServer Release 5.0.7 -- 11 February 2003