au_preselect - preselect an audit event
cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
#include <bsm/libbsm.h>
int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);
The au_preselect() function determines whether the audit event
event is preselected against the binary preselection mask pointed to by
mask_p (usually obtained by a call to getaudit(2)). The
au_preselect() function looks up the classes associated with
event in audit_event(5) and compares them with the classes in
mask_p. If the classes associated with event match the classes
in the specified portions of the binary preselection mask pointed to by
mask_p, the event is said to be preselected.
The sorf argument indicates whether the comparison is made
with the success portion, the failure portion, or both portions of the mask
pointed to by mask_p.
The following are the valid values of sorf:
AU_PRS_SUCCESS
Compare the event class with the success portion of the
preselection mask.
AU_PRS_FAILURE
Compare the event class with the failure portion of the
preselection mask.
AU_PRS_BOTH
Compare the event class with both the success and failure
portions of the preselection mask.
The flag argument tells au_preselect() how to read
the audit_event(5) database. Upon initial invocation,
au_preselect() reads the audit_event(5) database and allocates
space in an internal cache for each entry with malloc(3C). In
subsequent invocations, the value of flag determines where
au_preselect() obtains audit event information. The following are the
valid values of flag:
AU_PRS_REREAD
AU_PRS_USECACHE
Get audit event information from internal cache created
upon the initial invocation. This option is much faster.
Upon successful completion,au_preselect() returns 0 if event is
not preselected or 1 if event is preselected. If au_preselect()
could not allocate memory or could not find event in the
audit_event(5) database, −1 is returned.
/etc/security/audit_class
file mapping audit class number to audit class names and
descriptions
/etc/security/audit_event
file mapping audit event number to audit event names,
descriptions and associated audit classes
See attributes(7) for a description of the following attributes:
ATTRIBUTE
TYPE |
ATTRIBUTE VALUE |
Interface Stability |
Stable |
MT-Level |
MT-Safe |
The au_preselect() function is normally called prior to constructing and
writing an audit record. If the event is not preselected, the overhead of
constructing and writing the record can be saved.