Specifying a Preselection Mask

Audit records are selected according to a process preselection mask set for the execution environment as explained in "Audit Control (Process Preselection Mask)". In addition, the auditwrite(3TSOL) routine has an AW_PRESELECT token that takes an audit mask structure for its value. This token causes subsequent calls to auditwrite() to audit classes based on the settings in the audit mask value until the AW_NOPRESELECT token is passed to auditwrite() telling it to use the environment preselection mask.

This example creates a process preselection mask to audit the example class (ec) for failures and passes it to the auditwrite(3TSOL) routine with AW_PRESELECT token to put it into effect. Now, only failed events belonging to the example class are logged to the audit trail. When preselection is turned off, the environment process preselection mask is restored, which for the purposes of these examples, audits events in the example class for success and failure.

char succ_or_fail;
u_int retval;
au_mask_t mask;

/* Create mask to audit failed events only in the ec class */
	getauditflagsbin("-ec", &mask);

/* Use new audit preselection mask */
	auditwrite(AW_PRESELECT, &mask, AW_END);

/* Code to generate audit records */
	auditwrite(AW_TEXT, "Second signature needed," AW_APPEND, AW_END);
	if (signature_request() == -1) {
		succ_or_fail = -1;
		retval = -2;
	} else {
		succ_or_fail = 0;
		retval = 1;
	}
	auditwrite(AW_EVENT, "AUE_second_signature",
		AW_RETURN succ_or_fail, retval, AW_WRITE, AW_END);

/* Restore environment preselection mask */
/* Events in the ec class are again audited for success and failure */
	auditwrite(AW_NOPRESELECT, AW_END);