Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX Reference > A


HP-UX 11i Version 3: February 2007

Technical documentation

» Feedback
Content starts here

 » Table of Contents

 » Index


audwrite() — write an audit record for a self-auditing process


#include <sys/audit.h>

int audwrite(const struct self_audit_rec *audrec_p);


audwrite() is called by self-auditing processes, which are capable of turning off the regular auditing using the audswitch() system call (see audswitch(2)) and doing higher-level auditing on their own. audwrite() is restricted to users with the SELFAUDIT privilege.

audwrite() checks to see if the auditing system is on and the calling process and the event specified are being audited. If these conditions are met, audwrite() writes the audit record pointed to by audrec_p into the audit trail. The record consists of an audit record body and a header with the following fields:

u_long ah_time;

/* Date/time (tv_sec of timeval) */

pid_t ah_pid;

/* Process ID */

u_short ah_error;

/* Success/failure */

u_short ah_event;

/* Event being audited */

u_short ah_len;

/* Length of variant part */

The body contains additional information about the high-level audit event. The header fields ah_error, ah_event, and ah_len are specified by the calling process. audwrite() fills in ah_time and ah_pid fields with the correct values. this is done to reduce the risk of forgery. Beginning with 11i version 3 release, audwrite() converts the record into a different format before writing it into the current audit trail.

Security Restrictions

Some or all of the actions associated with this system call require the SELFAUDIT privilege. Processes owned by the superuser have this privilege. Processes owned by other users may have this privilege, depending on system configuration. See privileges(5) for more information about privileged access on systems that support fine-grained privileges.


If the write is successful, a value of 0 is returned. Otherwise, a value of -1 is returned and errno is set to indicate the reason for the failure.


audwrite() fails if one of the following is true:


The caller does not possess the SELFAUDIT privilege.


The event number in the audit record is invalid.


If audwrite() causes a file space overflow, the calling process might be suspended until the file space is cleaned up. However, a returned call with the return value of 0 indicates that the audit record has been successfully written.


audwrite() was developed by HP.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 1983-2007 Hewlett-Packard Development Company, L.P.