Trusted Solaris Developer's Guide

Application Auditing

An application can log its own third-party audit events with the auditwrite(3TSOL) library routine. This example creates a user audit record in one call to auditwrite(). The audit event logged is AUE_su with the text "successful login at console". Normally, auditwrite() logs application-level audit events. This example logs a Trusted Solaris user event to show how the routine is used. Chapter 8, Application Auditing shows third-party audit events.

The process executing this program needs the proc_audit_tcb privilege in its effective set because AUE_su is a Trusted Computing Base (TCB) audit event. The code comments indicate where privilege bracketing as described in Chapter 3, Privileges should take place. The aw_strerror(3TSOL) routine converts auditwrite error messages (aw_errno) to strings. The parameters passed to auditwrite() are as follows:

#include <bsm/auditwrite.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>

int
main(void)
{
	char *aw_string;
	int retval;

	/* Turn proc_audit_tcb on in the effective set here (privilege
	 * bracketing as described in Chapter 3, Privileges) */
	retval = auditwrite(AW_EVENT, "AUE_su", AW_TEXT,
		"Successful login at console", AW_WRITE, AW_END);
	/* Turn the proc_audit_tcb privilege off again here */

	/* aw_errno is set by auditwrite(); aw_strerror() converts it to text */
	aw_string = aw_strerror(aw_errno);
	printf("Retval = %d AW_ERROR = %s ERRNO = %d\n", retval,
		aw_string, errno);
	return (0);
}

To run the program and view the audit record, do the following:

  1. Assume an administrative role, open a terminal at ADMIN_HIGH, and execute the following command where lo is the class to which AUE_su belongs and pid is the process ID of the terminal.

    # auditconfig -setpmask pid lo

  2. Assume an administrative role, open a second viewing terminal at ADMIN_HIGH, and use praudit(1M) to read the not_terminated (most recent and not yet closed) audit log file by typing the command and options shown:

    phoenix% tail -0f *not_terminated* | praudit

    Note -

    This syntax works when there is only one *not_terminated* file. If there are others, delete the older ones before executing this command.

  3. Compile and run the code from the first terminal window.

    These libraries are needed for the example to compile successfully: -lbsm -lnsl -lintl -lsocket -ltsol

    The process needs the proc_audit_tcb privilege for this example to work. Use setfpriv(1) to set the privileges as follows. The file_setpriv privilege is required with setfpriv(1), so this command must be executed from the profile shell with this privilege.

    phoenix% setfpriv -s -a proc_audit_tcb executable

    The printf statement prints the following in the first terminal window:

    Retval = 0, AW_ERROR = No error, ERRNO = 0

    The viewing window shows the following audit record:

    header, 129,2,su,,Wed Jun 26 14:50:19 1996, +698 msec
    text, Successful login at console
    subject,zelda,zelda,staff,zelda,staff,1050,853,24,7 phoenix
    slabel,Confidential
    return,success,0

    The audit record consists of a sequence of tokens. Each line starts with a token name followed by the token value. In the example, the tokens for audit event AUE_su are header, text, subject, slabel, and return; each token value is the information that follows the token name up to the next token. Trusted Solaris Audit Administration describes the tokens in detail.
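As an added example (not code from the guide), here is a small Python parser for the praudit text format shown above, the kind of thing a monitoring script would run over the viewing terminal's output: it splits the stream into records at each header token, names the header and subject fields following the BSM token layout (an assumption, since this page does not label them), and picks out su records whose return token is not success. The second record in the sample input is constructed.

```python
# Constructed input: the record shown on this page plus a second, made-up
# su record with a non-success return token so the filter has work to do.
SAMPLE_PRAUDIT = """\
header, 129,2,su,,Wed Jun 26 14:50:19 1996, +698 msec
text, Successful login at console
subject,zelda,zelda,staff,zelda,staff,1050,853,24,7 phoenix
slabel,Confidential
return,success,0
header, 131,2,su,,Wed Jun 26 14:52:03 1996, +12 msec
text, Bad password
subject,zelda,zelda,staff,zelda,staff,1071,853,24,7 phoenix
slabel,Confidential
return,failure,1
"""

# Field names follow the BSM header and subject token layouts (an assumption;
# the page does not label them). The subject's terminal id "port,machine"
# carries its own comma, so it is reassembled from the trailing fields.
HEADER_FIELDS = ("bytes", "version", "event", "modifier", "time", "msec")
SUBJECT_FIELDS = ("audit_uid", "uid", "gid", "ruid", "rgid", "pid", "sid")


def parse_records(text):
    """Split praudit text into records; a record starts at each header token."""
    records, current = [], None
    for line in filter(str.strip, text.splitlines()):
        token, _, rest = line.partition(",")
        token, fields = token.strip(), [f.strip() for f in rest.split(",")]
        if token == "header":
            current = {"header": dict(zip(HEADER_FIELDS, fields))}
            records.append(current)
        elif current is None:
            raise ValueError("token %r seen before any header token" % token)
        elif token == "subject":
            current["subject"] = dict(zip(SUBJECT_FIELDS, fields))
            current["subject"]["tid"] = ",".join(fields[len(SUBJECT_FIELDS):])
        elif token == "return":
            current["return"] = {"status": fields[0], "value": fields[1]}
        else:
            current[token] = rest.strip()  # text, slabel: one free-form value
    return records


def failed_su_events(records):
    """(audit_uid, pid, time) of su records whose return token is not success."""
    return [(r["subject"]["audit_uid"], r["subject"]["pid"], r["header"]["time"])
            for r in records
            if r["header"]["event"] == "su" and r["return"]["status"] != "success"]
```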