1au_preselect(3BSM) Security and Auditing Library Functions au_preselect(3BSM)
2
6 au_preselect - preselect an audit event
7
9 cc [ flag... ] file... -lbsm -lsocket -lnsl [ library... ]
10 #include <bsm/libbsm.h>
11 int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);
13
16 The au_preselect() function determines whether the audit event event is
17 preselected against the binary preselection mask pointed to by mask_p
18 (usually obtained by a call to getaudit(2)). The au_preselect() func‐
19 tion looks up the classes associated with event in audit_event(4) and
20 compares them with the classes in mask_p. If the classes associated
21 with event match the classes in the specified portions of the binary
22 preselection mask pointed to by mask_p, the event is said to be prese‐
23 lected.
24 The sorf argument indicates whether the comparison is made with the
27 success portion, the failure portion, or both portions of the mask
28 pointed to by mask_p.
29 The following are the valid values of sorf:
32 AU_PRS_SUCCESS Compare the event class with the success portion of
34 the preselection mask.
35 AU_PRS_FAILURE Compare the event class with the failure portion of
38 the preselection mask.
39 AU_PRS_BOTH Compare the event class with both the success and
42 failure portions of the preselection mask.
43 The flag argument tells au_preselect() how to read the audit_event(4)
47 database. Upon initial invocation, au_preselect() reads the
48 audit_event(4) database and allocates space in an internal cache for
49 each entry with malloc(3C). In subsequent invocations, the value of
50 flag determines where au_preselect() obtains audit event information.
51 The following are the valid values of flag:
52 AU_PRS_REREAD Get audit event information by searching the
54 audit_event(4) database.
55 AU_PRS_USECACHE Get audit event information from internal cache cre‐
58 ated upon the initial invocation. This option is
59 much faster.
60
63 Upon successful completion,au_preselect() returns 0 if event is not
64 preselected or 1 if event is preselected. If au_preselect() could not
65 allocate memory or could not find event in the audit_event(4) data‐
66 base, −1 is returned.
67
69 /etc/security/audit_class file mapping audit class number to audit
70 class names and descriptions
71 /etc/security/audit_event file mappint audit even number to audit
74 event names and associates
75
78 See attributes(5) for a description of the following attributes:
79 ┌─────────────────────────────┬─────────────────────────────┐
84 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
85 ├─────────────────────────────┼─────────────────────────────┤
86 │Interface Stability │Stable │
87 ├─────────────────────────────┼─────────────────────────────┤
88 │MT-Level │MT-Safe │
89 └─────────────────────────────┴─────────────────────────────┘
90
92 bsmconv(1M), getaudit(2), au_open(3BSM), getauclassent(3BSM),
93 getauevent(3BSM), malloc(3C), audit_class(4), audit_event(4),
94 attributes(5)
95
97 The au_preselect() function is normally called prior to constructing
98 and writing an audit record. If the event is not preselected, the over‐
99 head of constructing and writing the record can be saved.
100 The functionality described on this manual page is available only if
103 the Solaris Auditing has been enabled. See bsmconv(1M) for more infor‐
104 mation.
105SunOS 5.11 31 Mar 2005 au_preselect(3BSM)