116 lines
2.4 KiB
Groff
116 lines
2.4 KiB
Groff
'\"macro stdmacro
|
|
.Op c p a
|
|
.TH satwrite 2
|
|
.SH NAME
|
|
satwrite, satvwrite \- write a block of audit record data
|
|
.SH C SYNOPSIS
|
|
\f3#include <sys/sat.h>\f1
|
|
.sp .6v
|
|
\f3int satwrite (int event, int outcome, char *buffer, unsigned nbytes)\f1
|
|
.sp .6v
|
|
\f3#include <stdarg.h>\f1
|
|
\f3#include <sat.h>\f1
|
|
.sp .6v
|
|
\f3int satvwrite (int event, int outcome, char *format, ...)\f1
|
|
.SH DESCRIPTION
|
|
.I satwrite
|
|
writes
|
|
.I nbytes
|
|
bytes to the security audit trail record queue from the buffer pointed to by
|
|
.IR buffer .
|
|
.PP
|
|
.I satvwrite
|
|
is a more convenient libc interface for generating audit records,
|
|
which are generally text strings.
|
|
.I Format
|
|
is a printf-like format string, followed by a variable number of arguments.
|
|
See
|
|
.IR printf (3S)
|
|
for more information on the possible formatting characters.
|
|
.PP
|
|
.I Event
|
|
must be equal to one of the SAT record type constants
|
|
for administrative events, as defined in
|
|
.I /usr/include/sys/sat.h.
|
|
Permissible values are:
|
|
.TP 20
|
|
.B SAT_AE_AUDIT
|
|
.I satwrite
|
|
is called by audit subsystem utilities.
|
|
.TP 20
|
|
.B SAT_AE_IDENTITY
|
|
.I satwrite
|
|
is called by programs in the identification and authentication subsystem.
|
|
.TP 20
|
|
.B SAT_AE_DBEDIT
|
|
.I satwrite
|
|
is called by the program which edits administrative databases.
|
|
.TP 20
|
|
.B SAT_AE_MOUNT
|
|
.I satwrite
|
|
is called by the programs which mount filesystems.
|
|
.TP 20
|
|
.B SAT_AE_CUSTOM
|
|
.I satwrite
|
|
is called by customer written self auditing applications.
|
|
.PP
|
|
.I outcome
|
|
should be equal to
|
|
.B SAT_SUCCESS
|
|
or
|
|
.BR SAT_FAILURE ,
|
|
as defined in
|
|
.I /usr/include/sys/sat.h.
|
|
.I satwrite
|
|
interprets any value other than
|
|
.B SAT_FAILURE
|
|
as an alternate representation of
|
|
.BR SAT_SUCCESS .
|
|
.PP
|
|
.I Buffer
|
|
should contain audit data in human readable form.
|
|
Although there are no restrictions on its content,
|
|
.IR sat_interpret (1m)
|
|
always interprets the data as a null-terminated string.
|
|
.SH ERRORS
|
|
.I satwrite
|
|
fails if these conditions are true:
|
|
.TP 15
|
|
[ENOPKG]
|
|
Audit is not configured on this system.
|
|
.TP 15
|
|
[EPERM]
|
|
The caller does not have \fBCAP_AUDIT_WRITE\fP capability.
|
|
.TP 15
|
|
[EINVAL]
|
|
.I buffer
|
|
is null, or
|
|
.I nbytes
|
|
is greater than
|
|
.BR SAT_MAX_USER_REC .
|
|
.TP 15
|
|
[EDOM]
|
|
.I event
|
|
is not one of the permitted values.
|
|
.TP 15
|
|
[EFAULT]
|
|
data can't be copied from
|
|
.I buffer
|
|
into the kernel.
|
|
.SH "RETURN VALUE"
|
|
A return value of
|
|
.B \-1
|
|
indicates an error and
|
|
.I errno
|
|
is set to indicate the error.
|
|
Otherwise
|
|
.B 0
|
|
is returned.
|
|
.SH "SEE ALSO"
|
|
sat_echo(1m),
|
|
satoff(2),
|
|
saton(2),
|
|
satread(2),
|
|
satstate(2),
|
|
printf(3S)
|