An application can log its own third-party audit events with the auditwrite(3TSOL) library routine. This example creates a user audit record with a single call to auditwrite(): the event logged is AUE_su, with the text "Successful login at console". auditwrite() is normally used to log application-level audit events; this example logs a Trusted Solaris user event only to show how the routine is called. Chapter 8, Application Auditing shows how to log third-party audit events.
The process executing this program needs the proc_audit_tcb privilege in its effective set, because AUE_su is a Trusted Computing Base (TCB) audit event. The comments in the code mark where the privilege bracketing described in Chapter 3, Privileges should take place: turn the privilege on immediately before the auditwrite() call and off again immediately after it, so that it is in effect for as short a time as possible. The aw_strerror(3TSOL) routine converts the auditwrite() error code (aw_errno) to a string. The parameters passed to auditwrite() are as follows:
AW_EVENT specifies the audit event to be written to the audit log. Its argument is the event's string name as defined in audit_event(4). Only one event can be written to a single audit record.
AW_TEXT is a null-terminated string placed in the audit record as a text token to provide additional information about the audit event.
AW_WRITE writes the event and its associated text to the audit trail.
AW_END terminates the argument list; auditwrite() stops parsing arguments when it reaches it.
    #include <bsm/auditwrite.h>
    #include <sys/types.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <errno.h>      /* errno is the C library's; do not declare a local one */

    int
    main(void)
    {
            char *aw_string;
            int retval;

            /* Turn proc_audit_tcb on in the effective set (start of privilege bracket) */
            retval = auditwrite(AW_EVENT, "AUE_su",
                AW_TEXT, "Successful login at console",
                AW_WRITE, AW_END);
            /* Turn the proc_audit_tcb privilege off (end of privilege bracket) */

            /* aw_errno is set by auditwrite(); aw_strerror() turns it into text */
            aw_string = aw_strerror(aw_errno);
            printf("Retval = %d, AW_ERROR = %s, ERRNO = %d\n",
                retval, aw_string, errno);
            return (0);
    }
To run the program and view the audit record, do the following:
Assume an administrative role, open a terminal at ADMIN_HIGH, and execute the following command, where lo is the audit class to which AUE_su belongs and pid is the process ID of the shell running in that terminal. The preselection mask set on that shell is inherited by the processes it starts, so the example program run from it is audited for the lo class.
    # auditconfig -setpmask pid lo
Assume an administrative role, open a second viewing terminal at ADMIN_HIGH, and use praudit(1M) to read the not_terminated audit log file (the most recent file, which the audit daemon has not yet closed) with the command and options shown.
This syntax works only when there is a single *not_terminated* file in the audit directory. If others are left over from earlier audit daemon runs, either delete the older ones before executing the command or, since they are audit trail data, name the newest file explicitly instead of using the wildcard.
    phoenix% tail -0f *not_terminated* | praudit
Compile and run the code from the first terminal window.
Link with the following libraries for the example to compile: -lbsm -lnsl -lintl -lsocket -ltsol
The process needs the proc_audit_tcb privilege for this example to work. Use setfpriv(1) to set the privilege on the executable as follows. setfpriv(1) itself requires the file_setpriv privilege, so the command must be executed from a profile shell that has that privilege.
    phoenix% setfpriv -s -a proc_audit_tcb executable
The printf statement prints the following in the first terminal window. A nonzero Retval together with an AW_ERROR message means auditwrite() failed, for example because proc_audit_tcb was not in the effective set when it was called:
Retval = 0, AW_ERROR = No error, ERRNO = 0
The viewing window shows the following audit record:
    header,129,2,su,,Wed Jun 26 14:50:19 1996, + 698 msec
    text,Successful login at console
    subject,zelda,zelda,staff,zelda,staff,1050,853,24,7 phoenix
    slabel,Confidential
    return,success,0
The audit record consists of a sequence of tokens, which praudit prints one per line. Each line starts with the token name, followed by the token's comma-separated fields; the fields run until the next token begins. In the example, the tokens for audit event AUE_su are header, text, subject, slabel, and return. Trusted Solaris Audit Administration describes the tokens in detail.
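The token layout described above is what any script that watches praudit output has to parse. The following C code is an added example, not code from the Trusted Solaris guide: it splits one praudit text record into tokens, pulls individual fields out of a token, and checks whether a record is a successful instance of a given event, the kind of check a detection script built on praudit output would perform. The sample record is constructed from the one shown on this page; the field positions the check relies on (the event name as the third field of the header token, success or failure as the first field of the return token) are assumptions taken from that record.

```c
/* Added example, not code from the Trusted Solaris guide: parse praudit(1M) text
 * output into tokens and check a record. Field positions are assumed from the
 * record on this page (header field 2 = event name, return field 0 = status). */
#include <string.h>

#define MAX_TOKENS 16
#define NAME_LEN   32
#define VALUE_LEN  256

struct token  { char name[NAME_LEN]; char value[VALUE_LEN]; };
struct record { struct token tok[MAX_TOKENS]; int ntok; };

/* Constructed sample: the record shown on this page, as praudit prints it. */
static const char sample_record[] =
    "header,129,2,su,,Wed Jun 26 14:50:19 1996, + 698 msec\n"
    "text,Successful login at console\n"
    "subject,zelda,zelda,staff,zelda,staff,1050,853,24,7 phoenix\n"
    "slabel,Confidential\n"
    "return,success,0\n";

/* Split one record (one token per line, token name first) into tokens.
 * Returns the token count, or -1 on an overlong line, name or record. */
int parse_praudit_record(const char *text, struct record *rec)
{
    const char *p = text, *line, *nl, *comma;
    size_t len, namelen, vlen;
    struct token *t;
    rec->ntok = 0;
    while (*p != '\0') {
        line = p;
        nl = strchr(p, '\n');
        len = nl ? (size_t)(nl - p) : strlen(p);
        p = nl ? nl + 1 : p + len;              /* advance to the next line */
        if (len == 0)
            continue;                           /* blank separator line */
        if (len >= VALUE_LEN || rec->ntok >= MAX_TOKENS)
            return -1;
        comma = memchr(line, ',', len);
        namelen = comma ? (size_t)(comma - line) : len;
        if (namelen >= NAME_LEN)
            return -1;                          /* token name too long */
        t = &rec->tok[rec->ntok++];
        memcpy(t->name, line, namelen);
        t->name[namelen] = '\0';
        vlen = comma ? len - namelen - 1 : 0;   /* fields after the first comma */
        memcpy(t->value, comma ? comma + 1 : "", vlen);
        t->value[vlen] = '\0';
    }
    return rec->ntok;
}

/* Fields of the first token named `name`, or NULL (points into a static record). */
const char *token_value(const char *text, const char *name)
{
    static struct record rec;
    int i;
    if (parse_praudit_record(text, &rec) < 0)
        return NULL;
    for (i = 0; i < rec.ntok; i++)
        if (strcmp(rec.tok[i].name, name) == 0)
            return rec.tok[i].value;
    return NULL;
}

/* Copy the idx-th (0-based) comma-separated field of a token value into out;
 * -1 if there are fewer fields or the field does not fit. */
int field(const char *value, int idx, char *out, size_t outlen)
{
    const char *end;
    size_t n;
    while (idx-- > 0) {
        if ((value = strchr(value, ',')) == NULL)
            return -1;
        value++;
    }
    end = strchr(value, ',');
    n = end ? (size_t)(end - value) : strlen(value);
    if (n >= outlen)
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* 1 if the record is a successful instance of the named event, else 0.
 * A record with no return token (truncated output) is treated as not successful. */
int is_successful_event(const char *text, const char *event)
{
    const char *v = token_value(text, "header");
    char ev[NAME_LEN], status[NAME_LEN];
    if (v == NULL || field(v, 2, ev, sizeof ev) < 0 || strcmp(ev, event) != 0)
        return 0;
    v = token_value(text, "return");            /* reparses; ev was copied out */
    return v != NULL && field(v, 0, status, sizeof status) == 0 &&
           strcmp(status, "success") == 0;
}
```

Feed `is_successful_event()` one record at a time, split on the header token, when reading the praudit pipe above; because the date field of the header itself contains a comma, field positions are only reliable for fields before the date, which is why the event name is taken from index 2 rather than counted from the end.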