VMS Help  —  System Services, $AUDIT_EVENT
    Appends an event message to the system security audit log file or
    sends an alarm to a security operator terminal.

    Format

      SYS$AUDIT_EVENT  [efn] ,[flags] ,itmlst ,[audsts] ,[astadr]
                       ,[astprm]

    C Prototype

      int sys$audit_event  (unsigned int efn, unsigned int flags,
                           void *itmlst, unsigned int *audsts,
                           void (*astadr)(__unknown_params), int astprm);

1  –  Arguments

 efn

    OpenVMS usage:ef_number
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Number of the event flag to be set when the audit completes. The
    efn argument is a longword containing the number of the event
    flag; however, $AUDIT_EVENT uses only the low-order byte. If efn
    is not specified, event flag 0 is used.

    Upon request initiation, $AUDIT_EVENT clears the specified event
    flag.

 flags

    OpenVMS usage:mask_longword
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Flags specifying options for the $AUDIT_EVENT system operation.
    The flags argument is a longword bit mask, where each bit
    corresponds to an option.

    Each flag option has a symbolic name. The $NSADEF macro defines
    the following symbolic names:

    Symbolic Name      Description

    NSA$M_ACL          Specifies an event generated by an Alarm ACE
                       or Audit ACE. This flag is reserved to VSI.

    NSA$M_FLUSH        Specifies that all messages in the audit
                       server buffer be written to the audit log
                       file.

    NSA$M_INTERNAL     Specifies that the $AUDIT_EVENT call
                       originates in the context of a trusted
                       computing base (TCB) component. The auditing
                       components use this flag to indicate that
                       internal auditing failures should result in a
                       SECAUDTCB bugcheck. This flag is reserved to
                       VSI.

    NSA$M_MANDATORY    Specifies that an audit is to be performed,
                       regardless of system alarm and audit settings.

    NSA$M_NOEVTCHECK   Specifies that an audit is to be performed,
                       regardless of the system alarm or audit
                       settings. This flag is similar to the
                       NSA$M_MANDATORY bit but, unlike the
                       NSA$M_MANDATORY bit, this flag is not
                       reflected in the NSA$W_FLAGS field in the
                       resulting audit record on disk.

    NSA$M_SERVER       Indicates that the call originates in a TCB
                       server process and that the event should be
                       audited regardless of the state of a
                       process-specific, no-audit bit.

                       Trusted servers use this flag to override
                       the no-audit bit when they want to perform
                       explicit auditing on behalf of a client
                       process. This flag is reserved to VSI.

 itmlst

    OpenVMS usage:item_list_3
    type:         longword (unsigned)
    access:       read only
    mechanism:    by reference
    Item list specifying information to include in the audit record.
    The itmlst argument is the address of a list of item descriptors.
    The list of item descriptors is terminated by a longword of 0.

    The item list for all calls to $AUDIT_EVENT must include the
    following item codes:

    o  NSA$_EVENT_TYPE

    o  NSA$_EVENT_SUBTYPE

    o  At least one of the NSA$_ALARM_NAME item code or the
       NSA$_AUDIT_NAME item code.

    o  If the event being reported is an object access
       (NSA$C_MSG_OBJ_ACCESS) or an object delete
       (NSA$C_MSG_OBJ_DELETE), the NSA$_FINAL_STATUS,
       NSA$_ACCESS_DESIRED, and NSA$_OBJECT_CLASS item codes must
       be specified.

    o  If the event being reported is an object create
       (NSA$C_MSG_OBJ_CREATE), the NSA$_FINAL_STATUS and
       NSA$_OBJECT_CLASS item codes must be specified.

    o  If the event being reported is a privilege audit
       (NSA$C_MSG_PRVAUD), the NSA$_PRIVS_USED or the
       NSA$_PRIVS_MISSING item code must be specified.

    o  If the audit event being reported is a deaccess event
       (NSA$C_MSG_OBJ_DEACCESS), the NSA$_OBJECT_CLASS item code
       must be specified.

    The item list is a standard format item list.

    To view the item code diagram and descriptor fields table, see
    the VSI OpenVMS System Services Reference Manual.
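
    The required-item rules above, written as a pre-call check over an
    item list. This is an added example, not code from the OpenVMS
    documentation or headers. Assumptions: struct item3, missing_items,
    and every numeric enum value are hypothetical stand-ins for the
    $NSADEF definitions, and the event is passed as a separate argument.

```c
#include <stddef.h>
#include <stdint.h>

/* Placeholder numbers for this example only; on OpenVMS the real values
   come from $NSADEF. Names mirror the NSA$_ and NSA$C_MSG_ symbols. */
enum { EVENT_TYPE = 1, EVENT_SUBTYPE, ALARM_NAME, AUDIT_NAME, FINAL_STATUS,
       ACCESS_DESIRED, OBJECT_CLASS, PRIVS_USED, PRIVS_MISSING };
enum { MSG_OBJ_ACCESS = 101, MSG_OBJ_DELETE, MSG_OBJ_CREATE, MSG_PRVAUD,
       MSG_OBJ_DEACCESS };
#define BIT(c) (1u << (c))

/* item_list_3 field order (pointer width here is the host's); an all-zero
   length/code longword ends the list. */
struct item3 { uint16_t buflen, code; void *bufadr, *retlenadr; };

/* Returns a mask of missing item codes, 0 if the list meets the rules.
   For an "at least one of" rule both alternatives are reported. */
unsigned missing_items(const struct item3 *l, int event)
{
    unsigned have = 0, need = BIT(EVENT_TYPE) | BIT(EVENT_SUBTYPE), miss;
    unsigned names = BIT(ALARM_NAME) | BIT(AUDIT_NAME);
    unsigned privs = BIT(PRIVS_USED) | BIT(PRIVS_MISSING);
    for (; l->buflen != 0 || l->code != 0; l++)
        if (l->code < 32) have |= BIT(l->code);
    if (event == MSG_OBJ_ACCESS || event == MSG_OBJ_DELETE)
        need |= BIT(FINAL_STATUS) | BIT(ACCESS_DESIRED) | BIT(OBJECT_CLASS);
    else if (event == MSG_OBJ_CREATE)
        need |= BIT(FINAL_STATUS) | BIT(OBJECT_CLASS);
    else if (event == MSG_OBJ_DEACCESS)
        need |= BIT(OBJECT_CLASS);
    miss = need & ~have;
    if (!(have & names)) miss |= names;
    if (event == MSG_PRVAUD && !(have & privs)) miss |= privs;
    return miss;
}

/* Constructed sample: an object-access audit lacking NSA$_OBJECT_CLASS. */
static uint32_t v_type, v_sub, v_status, v_access;
static char v_name[] = "SECURITY";
const struct item3 sample[] = {
    { sizeof v_type,     EVENT_TYPE,     &v_type,   NULL },
    { sizeof v_sub,      EVENT_SUBTYPE,  &v_sub,    NULL },
    { sizeof v_name - 1, AUDIT_NAME,     v_name,    NULL },
    { sizeof v_status,   FINAL_STATUS,   &v_status, NULL },
    { sizeof v_access,   ACCESS_DESIRED, &v_access, NULL },
    { 0, 0, NULL, NULL }
};

int main(void) { return missing_items(sample, MSG_OBJ_ACCESS) != BIT(OBJECT_CLASS); }
```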

 audsts

    OpenVMS usage:cond_value_type
    type:         longword (unsigned)
    access:       write only
    mechanism:    by reference
    Longword condition value that receives the final completion
    status from the operation. If a security audit is required,
    the final completion status represents either the successful
    completion of the resulting security audit or any failing status
    that occurred while the security audit was performed within the
    audit server process.

    The audsts argument is valid only when the service returns
    success and the status is not SS$_EVTNOTENAB. In addition, the
    caller must either make use of the astadr argument or use the
    $AUDIT_EVENTW service before attempting to access audsts.

 astadr

    OpenVMS usage:ast_procedure
    type:         procedure value
    access:       call without stack unwinding
    mechanism:    by reference
    Asynchronous system trap (AST) routine to be executed after the
    audsts is updated. The astadr argument, which is the address of a
    longword value, is the procedure value of the AST routine.

    The AST routine executes in the access mode of the caller of
    $AUDIT_EVENT.

 astprm

    OpenVMS usage:user_arg
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Asynchronous system trap (AST) parameter passed to the AST
    service routine. The astprm argument is a longword value
    containing the AST parameter.