Index: head/contrib/openbsm/CHANGELOG =================================================================== --- head/contrib/openbsm/CHANGELOG (revision 155364) +++ head/contrib/openbsm/CHANGELOG (revision 155365) 
@@ -1,75 +1,85 @@ +OpenBSM 1.0 alpha 3 + +- Man page formatting, cross reference, mlinks, and accuracy improvements. +- auditd and tools now compile and run on FreeBSD/arm. +- auditd will now fchown() the trail file to the audit review group, if + defined at compile-time. +- Added AUE_SYSARCH for FreeBSD. +- Definition of AUE_SETFSGID fixed for Linux. + OpenBSM 1.0 alpha 2 - Man page formatting improvements. - A number of new audit event identifiers for FreeBSD, Linux, and POSIX.1b events. - Remove 'tfm' class, unused in OpenBSM. OpenBSM 1.0 alpha 1 - Import of Darwin74 BSM drop - Use 'syslog' for audit log warnings, rather than echoing to a file in audit_warn. - Compile using BSD make infrastructure. - Integrate bsm/ include files from Darwin74 XNU drop into OpenBSM. - Narrow set of symbols and defines that are exposed in user space: don't compile in code relying on kernel-only types such as 'struct socket'. - Add README, including basic build documentation. - Compilation of Apple-specific notify and Machroutines now #ifdef __APPLE__. - Staticize libbsm global variables to avoid leakage into application. - Add free_au_user_ent() so that au_user_ent's don't have to be leaked. - Clean up bogus nul-termination checks in libbsm. - Add libbsm API man pages: au_class.3 au_control.3 au_event.3 au_free_token.3 au_io.3 au_mask.3 au_token.3 au_user.3 libbsm.3. - Add man pages for BSM system calls: audit.2 auditctl.2 auditon.2 getaudit.2 getauid.2 setaudit.2 setauid.2 - Modify various libbsm interfaces to more consistently return 'errno' values on failure. - Break out au_close() into constituent parts, allowing records to be written to memory as well as files. - Prefix various defines with 'BSM_' to reduce name space pollution. - Added audit_internal.h, which can be used by a kernel audit implementation wanting to rely on libbsm components. - Build with warnings, and eliminate warnings. 
- Make libbsm endian-independent, storing and reading BSM are big endian (network byte order) rather than native byte order. More consistently print IP addresses using the IP address print routine. These changes make use of sys/endian.h from *BSD; since this isn't present on Darwin, add it to OpenBSM as compat/endian.h, which is used only on Darwin. - Import of Darwin80 BSM drop, including 64-bit file IDs, better documentation of private APIs, and bug fixes. - White space cleanup. - Add audit.log.5, a first cut at a man page documenting the BSM file format. - Teach au_read_rec() to recognize stand-alone file tokens, which are present at the beginning and end of Solaris audit trails. Technically, these appear to violate the high level BSM spec, which suggests that all tokens are present in records, but need to be supported. - Implement HEADER64, ATTR64, SUBJECT64 token types, which make it possible to run praudit(1) on basic Solaris BSM streams. - Switched to Solaris spelling of token names; Darwin spellings are now deprecated and will be removed in a future version of OpenBSM. - Adopt Solaris model for representing IPv4 and IPv6 addresses. - Prefer C99 types. - Attempt to universally adopt the BSD style(9) coding style for consistency. - auditreduce(1) now has a usage message. - Update support for auditctl(2) system call to support FreeBSD. - Add support for /dev/audit as the trigger source on FreeBSD. - Add additional event types for Darwin, FreeBSD, and Solaris. Annotate conflicts (there are a few, unfortunately). Correct spellings, comment, sort, etc. These include {get,set}res[ug]id(), sendfile(), lchflags(), eaccess(), kqueue(), kevent(), poll(), lchmod(). - Relicensed under a BSD license, many thanks to Apple, Inc! - Many bug fixes, cleanups, thread safety in the class, control, event, and user system audit databases. Annotate some persisting atomicity bugs associated with the API and implementation. - Add audump test tool. 
- Adopt OpenSolaris BSM API memory semantics: caller allocates memory, or static memory is returned for non-_r() versions of API calls. _free() calls dropped as a result, and source code compatibility with OpenSolaris improved significantly. - Annotate BSM events with origin OS and compatibility information. - auditd(8), audit(8) added to the OpenBSM distribution. auditd extended to support reloading of kernel event table. +- Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#7 $ +$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#10 $ Index: head/contrib/openbsm/README =================================================================== --- head/contrib/openbsm/README (revision 155364) +++ head/contrib/openbsm/README (revision 155365) 
@@ -1,86 +1,88 @@ OpenBSM 1.0 Introduction OpenBSM provides an open source implementation of Sun's BSM Audit API. Originally created under contract to Apple Computer by McAfee Research, this implementation is now maintained by volunteers and the generous contribution of several organizations. Coupled with a kernel audit implementation, OpenBSM can be used to maintain system audit streams, and is a foundation for an Audit-enabled system. Contents OpenBSM consists of several directories: bin/ Audit-related command line tools bsm/ System include files for BSM etc/ Sample /etc/security configuration files libbsm/ Implementation of BSM library interfaces and man pages man/ System call and configuration file man pages OpenBSM currently builds on FreeBSD and Darwin. With Makefile adjustment and minor tweaks, it should build without problems on a broad range of POSIX-like systems. Building OpenBSM is currently built using a series of BSD make files which should work on both FreeBSD and Darwin. One known issue is that versions of Darwin prior to 10.3.8 have a nested include of "sys/audit.h" from "sys/proc.h", which can result in type definition conflicts. If running with include files from an earlier version of Darwin, the nested include must be manually removed in order that libbsm can be built, due to potentially conflicting types resulting from an include of "sys/sysctl.h" by that file. On Darwin, the use of BSD make must be specified explicitly by using "bsdmake" rather than "make", which on Darwin refers to GNU make. Typical invocations from the OpenBSM tree root: FreeBSD % make # make install Darwin % bsdmake # bsdmake install Credits The following organizations and individuals have contributed substantially to the development of OpenBSM: Apple Computer, Inc. McAfee Research, McAfee, Inc. SPARTA, Inc. 
Robert Watson Wayne Salamon Suresh Krishnaswamy Kevin Van Vechten Tom Rhodes Wojciech Koszek Chunyang Yuan Poul-Henning Kamp + Christian Brueffer + Olivier Houchard In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel Software's FlexeLint tool were used to identify a number of bugs in the OpenBSM implementation. Contributions The TrustedBSD Project would appreciate the contribution of bug fixes, enhancements, etc, under identically or substantially similar licenses to those present on the remainder of the OpenBSM source code. Location Information on OpenBSM may be found on the OpenBSM home page: http://www.OpenBSM.org/ Information on TrustedBSD may be found on the TrustedBSD home page: http://www.TrustedBSD.org/ -$P4: //depot/projects/trustedbsd/openbsm/README#11 $ +$P4: //depot/projects/trustedbsd/openbsm/README#13 $ Index: head/contrib/openbsm/VERSION =================================================================== --- head/contrib/openbsm/VERSION (revision 155364) +++ head/contrib/openbsm/VERSION (revision 155365) @@ -1 +1 @@ -OPENBSM_1_0_ALPHA_2 +OPENBSM_1_0_ALPHA_3 Index: head/contrib/openbsm/bin/audit/audit.8 =================================================================== --- head/contrib/openbsm/bin/audit/audit.8 (revision 155364) +++ head/contrib/openbsm/bin/audit/audit.8 (revision 155365) 
@@ -1,88 +1,90 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" @APPLE_BSD_LICENSE_HEADER_START@ .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE .\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY .\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
.\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $ .\" -.Dd Jan 24, 2004 +.Dd January 24, 2004 .Dt AUDIT 8 .Os .Sh NAME .Nm audit .Nd audit management utility .Sh SYNOPSIS .Nm audit .Op Fl nst .Op Ar file .Sh DESCRIPTION The .Nm utility controls the state of the audit system. The optional .Ar file operand specifies the location of the audit control input file (default -.Pa /etc/security/audit_control ). +.Pa /etc/security/audit_control ) . .Pp The options are as follows: .Bl -tag -width Ds .It Fl n Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file. .It Fl s Specifies that the audit system should [re]synchronize its configuration from the audit control file. A new log file will be created. .It Fl t Specifies that the audit system should terminate. Log files are closed and renamed to indicate the time of the shutdown. .El .Sh NOTES -The auditd(8) daemon must already be running. +The +.Xr auditd 8 +daemon must already be running. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_control Default audit policy file used to configure the auditing system. .El .Sh SEE ALSO +.Xr audit_control 5 , .Xr auditd 8 -.Xr audit_control 5 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. 
Index: head/contrib/openbsm/bin/audit/audit.c =================================================================== --- head/contrib/openbsm/bin/audit/audit.c (revision 155364) +++ head/contrib/openbsm/bin/audit/audit.c (revision 155365) 
@@ -1,102 +1,102 @@ /* * Copyright (c) 2005 Apple Computer, Inc. * All rights reserved. * * @APPLE_BSD_LICENSE_HEADER_START@ * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#4 $ */ /* * Program to trigger the audit daemon with a message that is either: * - Open a new audit log file * - Read the audit control file and take action on it * - Close the audit log file and exit * */ #include #include #include #include #include #include #include #include static void usage(void) { (void)fprintf(stderr, "Usage: audit -n | -s | -t \n"); exit(-1); } /* * Main routine to process command line options. */ int main(int argc, char **argv) { - char ch; + int ch; unsigned int trigger = 0; if (argc != 2) usage(); while ((ch = getopt(argc, argv, "nst")) != -1) { switch(ch) { case 'n': trigger = AUDIT_TRIGGER_OPEN_NEW; break; case 's': trigger = AUDIT_TRIGGER_READ_FILE; break; case 't': trigger = AUDIT_TRIGGER_CLOSE_AND_DIE; break; case '?': default: usage(); break; } } if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) < 0) { perror("Error sending trigger"); exit(-1); } else { printf("Trigger sent.\n"); exit (0); } } Index: head/contrib/openbsm/bin/auditd/auditd.8 =================================================================== --- head/contrib/openbsm/bin/auditd/auditd.8 (revision 155364) +++ head/contrib/openbsm/bin/auditd/auditd.8 (revision 155365) 
@@ -1,94 +1,99 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" @APPLE_BSD_LICENSE_HEADER_START@ .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE .\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY .\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES .\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; .\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
.\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#8 $ .\" -.Dd Jan 24, 2004 +.Dd January 24, 2004 .Dt AUDITD 8 .Os .Sh NAME .Nm auditd .Nd audit log management daemon .Sh SYNOPSIS .Nm auditd .Op Fl dhs .Sh DESCRIPTION The .Nm daemon responds to requests from the audit(1) utility and notifications from the kernel. It manages the resulting audit log files and specified log file locations. .Pp The options are as follows: .Bl -tag -width Ds .It Fl d Starts the daemon in debug mode - it will not daemonize. .It Fl h Specifies that if auditing cannot be performed as specified, the system should halt (panic). Normally, the system will attempt to proceed - although individual processes may be stopped (see the -s option). .It Fl s Specifies that individual processes should stop rather than perform operations that may cause audit records to be lost due to log file full conditions .El .Sh NOTE .Pp To assure uninterrupted audit support, the .Nm auditd -daemon should not be started and stopped manually. Instead, the audit(1) command +daemon should not be started and stopped manually. +Instead, the +.Xr audit 8 +command should be used to inform the daemon to change state/configuration after altering -the audit_control file. +the +.Pa audit_control +file. .Pp .\" Sending a SIGHUP to a running .\" .Nm auditd .\" daemon will force it to exit. Sending a SIGTERM to a running .Nm auditd daemon will force it to exit. .Sh FILES .Bl -tag -width "/var/audit" -compact .It Pa /var/audit Default directory for storing audit log files. .El .Sh SEE ALSO .Xr audit 8 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. 
.Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/bin/auditd/auditd.c =================================================================== --- head/contrib/openbsm/bin/auditd/auditd.c (revision 155364) +++ head/contrib/openbsm/bin/auditd/auditd.c (revision 155365) 
@@ -1,760 +1,817 @@ /* * Copyright (c) 2004 Apple Computer, Inc. * All rights reserved. * * @APPLE_BSD_LICENSE_HEADER_START@ * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
* * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#11 $ */ #include #include #include #include #include #include #include #include #include #include #include +#include #include #include #include #include #include #include #include #include "auditd.h" #define NA_EVENT_STR_SIZE 25 static int ret, minval; static char *lastfile = NULL; static int allhardcount = 0; static int triggerfd = 0; static int sighups, sighups_handled; static int sigterms, sigterms_handled; static long global_flags; static TAILQ_HEAD(, dir_ent) dir_q; static int config_audit_controls(void); /* * Error starting auditd */ static void fail_exit(void) { audit_warn_nostart(); exit(1); } /* * Free our local list of directory names. */ static void free_dir_q() { struct dir_ent *dirent; while ((dirent = TAILQ_FIRST(&dir_q))) { TAILQ_REMOVE(&dir_q, dirent, dirs); free(dirent->dirname); free(dirent); } } /* * Generate the timestamp string. */ static int getTSstr(char *buf, int len) { struct timeval ts; struct timezone tzp; time_t tt; if (gettimeofday(&ts, &tzp) != 0) return (-1); tt = (time_t)ts.tv_sec; if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt))) return (-1); return (0); } /* * Concat the directory name to the given file name. * XXX We should affix the hostname also */ static char * affixdir(char *name, struct dir_ent *dirent) { char *fn; char *curdir; const char *sep = "/"; curdir = dirent->dirname; syslog(LOG_INFO, "dir = %s\n", dirent->dirname); fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1); if (fn == NULL) return (NULL); strcpy(fn, curdir); strcat(fn, sep); strcat(fn, name); return (fn); } /* * Close the previous audit trail file. 
*/ static int close_lastfile(char *TS) { char *ptr; char *oldname; if (lastfile != NULL) { oldname = (char *)malloc(strlen(lastfile) + 1); if (oldname == NULL) return (-1); strcpy(oldname, lastfile); /* Rename the last file -- append timestamp. */ if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) { *ptr = '.'; strcpy(ptr+1, TS); if (rename(oldname, lastfile) != 0) syslog(LOG_ERR, "Could not rename %s to %s \n", oldname, lastfile); else syslog(LOG_INFO, "renamed %s to %s \n", oldname, lastfile); } free(lastfile); free(oldname); lastfile = NULL; } return (0); } /* + * Create the new audit file with appropriate permissions and ownership. Try + * to clean up if something goes wrong. + */ +static int +#ifdef AUDIT_REVIEW_GROUP +open_trail(const char *fname, uid_t uid, gid_t gid) +#else +open_trail(const char *fname) +#endif +{ + int error, fd; + + fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP); + if (fd < 0) + return (-1); +#ifdef AUDIT_REVIEW_GROUP + if (fchown(fd, uid, gid) < 0) { + error = errno; + close(fd); + (void)unlink(fname); + errno = error; + return (-1); + } +#endif + return (fd); +} + +/* * Create the new file name, swap with existing audit file. */ static int swap_audit_file(void) { char timestr[2 * POSTFIX_LEN]; char *fn; char TS[POSTFIX_LEN]; struct dir_ent *dirent; - int fd; +#ifdef AUDIT_REVIEW_GROUP + struct group *grp; + gid_t gid; + uid_t uid; +#endif + int error, fd; if (getTSstr(TS, POSTFIX_LEN) != 0) return (-1); strcpy(timestr, TS); strcat(timestr, NOT_TERMINATED); +#ifdef AUDIT_REVIEW_GROUP + /* + * XXXRW: Currently, this code falls back to the daemon gid, which is + * likely the wheel group. Is there a better way to deal with this? + */ + grp = getgrnam(AUDIT_REVIEW_GROUP); + if (grp == NULL) { + syslog(LOG_INFO, + "Audit review group '%s' not available, using daemon gid", + AUDIT_REVIEW_GROUP); + gid = -1; + } else + gid = grp->gr_gid; + uid = getuid(); +#endif + /* Try until we succeed. 
*/ while ((dirent = TAILQ_FIRST(&dir_q))) { if ((fn = affixdir(timestr, dirent)) == NULL) { syslog(LOG_INFO, "Failed to swap log at time %s\n", timestr); return (-1); } /* * Create and open the file; then close and pass to the * kernel if all went well. */ syslog(LOG_INFO, "New audit file is %s\n", fn); - fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP); +#ifdef AUDIT_REVIEW_GROUP + fd = open_trail(fn, uid, gid); +#else + fd = open_trail(fn); +#endif if (fd < 0) - perror("File open"); - else if (auditctl(fn) != 0) { - syslog(LOG_ERR, - "auditctl failed setting log file! : %s\n", - strerror(errno)); - close(fd); - } else { - /* Success. */ - close_lastfile(TS); - lastfile = fn; - close(fd); - return (0); + warn("open(%s)", fn); + if (fd >= 0) { + error = auditctl(fn); + if (error) { + syslog(LOG_ERR, + "auditctl failed setting log file! : %s\n", + strerror(errno)); + close(fd); + } else { + /* Success. */ + close_lastfile(TS); + lastfile = fn; + close(fd); + return (0); + } } /* * Tell the administrator about lack of permissions for dir. */ audit_warn_getacdir(dirent->dirname); /* Try again with a different directory. */ TAILQ_REMOVE(&dir_q, dirent, dirs); free(dirent->dirname); free(dirent); } syslog(LOG_INFO, "Log directories exhausted\n"); return (-1); } /* * Read the audit_control file contents. */ static int read_control_file(void) { char cur_dir[MAXNAMLEN]; struct dir_ent *dirent; au_qctrl_t qctrl; /* * Clear old values. Force a re-read of the file the next time. */ free_dir_q(); endac(); /* * Read the list of directories into a local linked list. * * XXX We should use the reentrant interfaces once they are * available. 
*/ while (getacdir(cur_dir, MAXNAMLEN) >= 0) { dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent)); if (dirent == NULL) return (-1); dirent->softlim = 0; dirent->dirname = (char *) malloc(MAXNAMLEN); if (dirent->dirname == NULL) { free(dirent); return (-1); } strcpy(dirent->dirname, cur_dir); TAILQ_INSERT_TAIL(&dir_q, dirent, dirs); } allhardcount = 0; if (swap_audit_file() == -1) { syslog(LOG_ERR, "Could not swap audit file\n"); /* * XXX Faulty directory listing? - user should be given * XXX an opportunity to change the audit_control file * XXX switch to a reduced mode of auditing? */ return (-1); } /* * XXX There are synchronization problems here * XXX what should we do if a trigger for the earlier limit * XXX is generated here? */ if (0 == (ret = getacmin(&minval))) { syslog(LOG_INFO, "min free = %d\n", minval); if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) { syslog(LOG_ERR, "could not get audit queue settings\n"); return (-1); } qctrl.aq_minfree = minval; if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) { syslog(LOG_ERR, "could not set audit queue settings\n"); return (-1); } } return (0); } /* * Close all log files, control files, and tell the audit system. */ static int close_all(void) { int err_ret = 0; char TS[POSTFIX_LEN]; int aufd; token_t *tok; long cond; /* Generate an audit record. */ if ((aufd = au_open()) == -1) syslog(LOG_ERR, "Could not create audit shutdown event.\n"); else { if ((tok = au_to_text("auditd::Audit shutdown")) != NULL) au_write(aufd, tok); if (au_close(aufd, 1, AUE_audit_shutdown) == -1) syslog(LOG_ERR, "Could not close audit shutdown event.\n"); } /* Flush contents. */ cond = AUC_DISABLED; err_ret = auditon(A_SETCOND, &cond, sizeof(cond)); if (err_ret != 0) { syslog(LOG_ERR, "Disabling audit failed! 
: %s\n", strerror(errno)); err_ret = 1; } if (getTSstr(TS, POSTFIX_LEN) == 0) close_lastfile(TS); if (lastfile != NULL) free(lastfile); free_dir_q(); if ((remove(AUDITD_PIDFILE) == -1) || err_ret) { syslog(LOG_ERR, "Could not unregister\n"); audit_warn_postsigterm(); return (1); } endac(); if (close(triggerfd) != 0) syslog(LOG_ERR, "Error closing control file\n"); syslog(LOG_INFO, "Finished.\n"); return (0); } /* * When we get a signal, we are often not at a clean point. So, little can * be done in the signal handler itself. Instead, we send a message to the * main servicing loop to do proper handling from a non-signal-handler * context. */ static void relay_signal(int signal) { if (signal == SIGHUP) sighups++; if (signal == SIGTERM) sigterms++; } /* * Registering the daemon. */ static int register_daemon(void) { FILE * pidfile; int fd; pid_t pid; /* Set up the signal hander. */ if (signal(SIGTERM, relay_signal) == SIG_ERR) { syslog(LOG_ERR, "Could not set signal handler for SIGTERM\n"); fail_exit(); } if (signal(SIGCHLD, relay_signal) == SIG_ERR) { syslog(LOG_ERR, "Could not set signal handler for SIGCHLD\n"); fail_exit(); } if (signal(SIGHUP, relay_signal) == SIG_ERR) { syslog(LOG_ERR, "Could not set signal handler for SIGHUP\n"); fail_exit(); } if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) { syslog(LOG_ERR, "Could not open PID file\n"); audit_warn_tmpfile(); return (-1); } /* Attempt to lock the pid file; if a lock is present, exit. */ fd = fileno(pidfile); if (flock(fd, LOCK_EX | LOCK_NB) < 0) { syslog(LOG_ERR, "PID file is locked (is another auditd running?).\n"); audit_warn_ebusy(); return (-1); } pid = getpid(); ftruncate(fd, 0); if (fprintf(pidfile, "%u\n", pid) < 0) { /* Should not start the daemon. */ fail_exit(); } fflush(pidfile); return (0); } /* * Suppress duplicate messages within a 30 second interval. This should be * enough to time to rotate log files without thrashing from soft warnings * generated before the log is actually rotated. 
*/ #define DUPLICATE_INTERVAL 30 static void handle_audit_trigger(int trigger) { static int last_trigger; static time_t last_time; struct dir_ent *dirent; int rc; /* * Suppres duplicate messages from the kernel within the specified * interval. */ struct timeval ts; struct timezone tzp; time_t tt; if (gettimeofday(&ts, &tzp) == 0) { tt = (time_t)ts.tv_sec; if ((trigger == last_trigger) && (tt < (last_time + DUPLICATE_INTERVAL))) return; last_trigger = trigger; last_time = tt; } /* * Message processing is done here. */ dirent = TAILQ_FIRST(&dir_q); switch(trigger) { case AUDIT_TRIGGER_LOW_SPACE: syslog(LOG_INFO, "Got low space trigger\n"); if (dirent && (dirent->softlim != 1)) { TAILQ_REMOVE(&dir_q, dirent, dirs); /* Add this node to the end of the list. */ TAILQ_INSERT_TAIL(&dir_q, dirent, dirs); audit_warn_soft(dirent->dirname); dirent->softlim = 1; if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL && swap_audit_file() == -1) syslog(LOG_ERR, "Error swapping audit file\n"); /* * Check if the next dir has already reached its soft * limit. */ dirent = TAILQ_FIRST(&dir_q); if (dirent->softlim == 1) { /* All dirs have reached their soft limit. */ audit_warn_allsoft(); } } else { /* * Continue auditing to the current file. Also * generate an allsoft warning. * XXX do we want to do this ? */ audit_warn_allsoft(); } break; case AUDIT_TRIGGER_NO_SPACE: syslog(LOG_INFO, "Got no space trigger\n"); /* Delete current dir, go on to next. */ TAILQ_REMOVE(&dir_q, dirent, dirs); audit_warn_hard(dirent->dirname); free(dirent->dirname); free(dirent); if (swap_audit_file() == -1) syslog(LOG_ERR, "Error swapping audit file\n"); /* We are out of log directories. 
*/ audit_warn_allhard(++allhardcount); break; case AUDIT_TRIGGER_OPEN_NEW: /* * Create a new file and swap with the one being used in * kernel */ syslog(LOG_INFO, "Got open new trigger\n"); if (swap_audit_file() == -1) syslog(LOG_ERR, "Error swapping audit file\n"); break; case AUDIT_TRIGGER_READ_FILE: syslog(LOG_INFO, "Got read file trigger\n"); if (read_control_file() == -1) syslog(LOG_ERR, "Error in audit control file\n"); if (config_audit_controls() == -1) syslog(LOG_ERR, "Error setting audit controls\n"); break; default: syslog(LOG_ERR, "Got unknown trigger %d\n", trigger); break; } } static void handle_sighup(void) { sighups_handled = sighups; config_audit_controls(); } /* * Read the control file for triggers and handle appropriately. */ static int wait_for_triggers(void) { int num; unsigned int trigger; for (;;) { num = read(triggerfd, &trigger, sizeof(trigger)); if ((num == -1) && (errno != EINTR)) { syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno); return (-1); } if (sigterms != sigterms_handled) { syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__); break; } if (sighups != sighups_handled) { syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__); handle_sighup(); } if ((num == -1) && (errno == EINTR)) continue; if (num == 0) { syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__); return (-1); } syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger); if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE) break; else handle_audit_trigger(trigger); } return (close_all()); } /* * Reap our children. */ static void reap_children(void) { pid_t child; int wstatus; while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) { if (!wstatus) continue; syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child, ((WIFEXITED(wstatus)) ? "exited with non-zero status" : "exited as a result of signal"), ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) : WTERMSIG(wstatus))); } } /* * Configure the audit controls in the kernel: the event to class mapping, * kernel preselection mask, etc. 
*/ static int config_audit_controls(void) { au_event_ent_t ev, *evp; au_evclass_map_t evc_map; au_mask_t aumask; int ctr = 0; char naeventstr[NA_EVENT_STR_SIZE]; /* * Process the audit event file, obtaining a class mapping for each * event, and send that mapping into the kernel. * XXX There's a risk here that the BSM library will return NULL * for an event when it can't properly map it to a class. In that * case, we will not process any events beyond the one that failed, * but should. We need a way to get a count of the events. */ ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX); ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX); if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) { syslog(LOG_ERR, "Memory allocation error when configuring audit controls."); return (-1); } evp = &ev; setauevent(); while ((evp = getauevent_r(evp)) != NULL) { evc_map.ec_number = evp->ae_number; evc_map.ec_class = evp->ae_class; if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t)) != 0) syslog(LOG_ERR, "Failed to register class mapping for event %s", evp->ae_name); else ctr++; } endauevent(); free(ev.ae_name); free(ev.ae_desc); if (ctr == 0) syslog(LOG_ERR, "No events to class mappings registered."); else syslog(LOG_INFO, "Registered %d event to class mappings.", ctr); /* * Get the non-attributable event string and set the kernel mask from * that. */ if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) && (getauditflagsbin(naeventstr, &aumask) == 0)) { if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t))) syslog(LOG_ERR, "Failed to register non-attributable event mask."); else syslog(LOG_INFO, "Registered non-attributable event mask."); } else syslog(LOG_ERR, "Failed to obtain non-attributable event mask."); /* * Set the audit policy flags based on passed in parameter values. 
*/ if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags))) syslog(LOG_ERR, "Failed to set audit policy."); return (0); } static void setup(void) { int aufd; token_t *tok; if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) { syslog(LOG_ERR, "Error opening trigger file\n"); fail_exit(); } TAILQ_INIT(&dir_q); if (read_control_file() == -1) { syslog(LOG_ERR, "Error reading control file\n"); fail_exit(); } /* Generate an audit record. */ if ((aufd = au_open()) == -1) syslog(LOG_ERR, "Could not create audit startup event.\n"); else { if ((tok = au_to_text("auditd::Audit startup")) != NULL) au_write(aufd, tok); if (au_close(aufd, 1, AUE_audit_startup) == -1) syslog(LOG_ERR, "Could not close audit startup event.\n"); } if (config_audit_controls() == 0) syslog(LOG_INFO, "Audit controls init successful\n"); else syslog(LOG_INFO, "Audit controls init failed\n"); } int main(int argc, char **argv) { - char ch; + int ch; int debug = 0; int rc; global_flags |= AUDIT_CNT; while ((ch = getopt(argc, argv, "dhs")) != -1) { switch(ch) { case 'd': /* Debug option. */ debug = 1; break; case 's': /* Fail-stop option. */ global_flags &= ~(AUDIT_CNT); break; case 'h': /* Halt-stop option. */ global_flags |= AUDIT_AHLT; break; case '?': default: (void)fprintf(stderr, "usage: auditd [-h | -s] [-d] \n"); exit(1); } } openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY); syslog(LOG_INFO, "starting...\n"); if (debug == 0 && daemon(0, 0) == -1) { syslog(LOG_ERR, "Failed to daemonize\n"); exit(1); } if (register_daemon() == -1) { syslog(LOG_ERR, "Could not register as daemon\n"); exit(1); } setup(); rc = wait_for_triggers(); syslog(LOG_INFO, "auditd exiting.\n"); exit(rc); } Index: head/contrib/openbsm/bin/auditd/auditd.h =================================================================== --- head/contrib/openbsm/bin/auditd/auditd.h (revision 155364) +++ head/contrib/openbsm/bin/auditd/auditd.h (revision 155365) 
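Review bot: in auditd.c main(), the `char ch` to `int ch` change is the right fix: getopt() returns int, and on targets where plain char is unsigned (arm, for instance) a `char` can never compare equal to the -1 sentinel, so the option loop never terminates. Two further points in the same hunk. The AUDIT_TRIGGER_NO_SPACE case in handle_audit_trigger() uses `dirent` (taken from TAILQ_FIRST(&dir_q)) without the NULL check that the LOW_SPACE case has, so an empty directory queue would dereference NULL in TAILQ_REMOVE and `dirent->dirname`; suggest guarding that case with `if (dirent != NULL)`. And config_audit_controls() returns 0 even when the A_SETKMASK or A_SETPOLICY auditon() calls fail, so setup() logs "Audit controls init successful" after a partial failure; returning -1 on those paths would make the startup log accurate.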
@@ -1,80 +1,87 @@ /* * Copyright (c) 2005 Apple Computer, Inc. * All rights reserved. * * @APPLE_BSD_LICENSE_HEADER_START@ * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $ */ #ifndef _AUDITD_H_ #define _AUDITD_H_ #include #include #include #define MAX_DIR_SIZE 255 #define AUDITD_NAME "auditd" + +/* + * If defined, then the audit daemon will attempt to chown newly created logs + * to this group. 
Otherwise, they will be the default for the user running + * auditd, likely the audit group. + */ +#define AUDIT_REVIEW_GROUP "audit" #define POSTFIX_LEN 16 #define NOT_TERMINATED ".not_terminated" struct dir_ent { char *dirname; char softlim; TAILQ_ENTRY(dir_ent) dirs; }; #define HARDLIM_ALL_WARN "allhard" #define SOFTLIM_ALL_WARN "allsoft" #define AUDITOFF_WARN "aditoff" #define EBUSY_WARN "ebusy" #define GETACDIR_WARN "getacdir" #define HARDLIM_WARN "hard" #define NOSTART_WARN "nostart" #define POSTSIGTERM_WARN "postsigterm" #define SOFTLIM_WARN "soft" #define TMPFILE_WARN "tmpfile" #define AUDITWARN_SCRIPT "/etc/security/audit_warn" #define AUDITD_PIDFILE "/var/run/auditd.pid" int audit_warn_allhard(int count); int audit_warn_allsoft(void); int audit_warn_auditoff(void); int audit_warn_ebusy(void); int audit_warn_getacdir(char *filename); int audit_warn_hard(char *filename); int audit_warn_nostart(void); int audit_warn_postsigterm(void); int audit_warn_soft(char *filename); int audit_warn_tmpfile(void); #endif /* !_AUDITD_H_ */ Index: head/contrib/openbsm/bin/auditreduce/auditreduce.1 =================================================================== --- head/contrib/openbsm/bin/auditreduce/auditreduce.1 (revision 155364) +++ head/contrib/openbsm/bin/auditreduce/auditreduce.1 (revision 155365) 
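Review bot: in auditd.h the new AUDIT_REVIEW_GROUP comment says "If defined", but the macro is defined unconditionally here, so there is no supported way to build without the chown, or with a different review group, short of editing the header. Suggest wrapping the default so the build can override or disable it: `#ifndef AUDIT_REVIEW_GROUP` / `#define AUDIT_REVIEW_GROUP "audit"` / `#endif`. Unrelated to this change but visible in the context: the AUDITOFF_WARN string "aditoff" looks like a typo for "auditoff"; worth checking against the keyword the audit_warn script expects, since a mismatch would silently drop that warning.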
@@ -1,153 +1,154 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#8 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $ .\" -.Dd Jan 24, 2004 +.Dd January 24, 2004 .Dt AUDITREDUCE 1 .Os .Sh NAME .Nm auditreduce .Nd "select records from audit trail files" .Sh SYNOPSIS .Nm auditreduce .Op Fl A .Op Fl a Ar YYYYMMDD[HH[MM[SS]]] .Op Fl b Ar YYYYMMDD[HH[MM[SS]]] .Op Fl c Ar flags .Op Fl d Ar YYYYMMDD .Op Fl e Ar euid .Op Fl f Ar egid .Op Fl g Ar rgid .Op Fl r Ar ruid .Op Fl u Ar auid .Op Fl j Ar id .Op Fl m Ar event .Op Fl o Ar object=value .Op Ar file ... .Sh DESCRIPTION The .Nm utility selects records from the audit trail files based on the specified criteria. Matching audit records are printed to the standard output in their raw binary form. If no filename is specified, the standard input is used by default. Use the .Nm praudit utility to print the selected audit records in human-readable form. See .Xr praudit 1 for more information. .Pp The options are as follows: .Bl -tag -width Ds .It Fl A Select all records. .It Fl a Ar YYYYMMDD[HH[MM[SS]]] Select records that occurred after or on the given datetime. .It Fl b Ar YYYYMMDD[HH[MM[SS]]] Select records that occurred before the given datetime. .It Fl c Ar flags Select records matching the given audit classes specified as a comma separated list of audit flags. See .Xr audit_control 5 for a description of audit flags. .It Fl d Ar YYYYMMDD Select records that occurred on a given date. This option cannot be used with .Fl a or .Fl b . .It Fl e Ar euid Select records with the given effective user id or name. .It Fl f Ar egid Select records with the given effective group id or name. .It Fl g Ar rgid Select records with the given real group id or name. .It Fl r Ar ruid Select records with the given real user id or name. .It Fl u Ar auid Select records with the given audit id. .It Fl j Ar id Select records having a subject token with matching ID. 
.It Fl m Ar event Select records with the given event name or number. See .Xr audit_event 5 for a description of audit event names and numbers. .It Fl o Ar object=value .Bl -tag -width Ds .It Nm file Select records containing the given path name. file="/usr" matches paths starting with .Pa usr . file="~/usr" matches paths not starting with .Pa usr . .It Nm msgqid Select records containing the given message queue id. .It Nm pid Select records containing the given process id. .It Nm semid Select records containing the given semaphore id. .It Nm shmid Select records containing the given shared memory id. .El .El .Sh Examples .Pp To select all records associated with effective user ID root from the audit -log /var/audit/20031016184719.20031017122634: +log +.Pa /var/audit/20031016184719.20031017122634 : .Pp .Nm -e root /var/audit/20031016184719.20031017122634 .Pp To select all .Xr setlogin 2 events from that log: .Pp .Nm -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 .Sh SEE ALSO +.Xr praudit 1 , .Xr audit_control 5 , -.Xr audit_event 5 , -.Xr praudit 1 +.Xr audit_event 5 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/bin/auditreduce/auditreduce.c =================================================================== --- head/contrib/openbsm/bin/auditreduce/auditreduce.c (revision 155364) +++ head/contrib/openbsm/bin/auditreduce/auditreduce.c (revision 155365) 
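Review bot: in auditreduce.1, `.Sh Examples` should be `.Sh EXAMPLES`; mdoc section names are upper-case and EXAMPLES is the standard one, so the lower-case spelling is inconsistent with the other sections on this page and invisible to tools that key on the standard names. In the -o file description, "file="/usr" matches paths starting with .Pa usr" drops the leading slash in both sentences; it should read `.Pa /usr`. The SEE ALSO reordering that moves praudit 1 ahead of the section 5 pages is correct, since mdoc lists cross references by section and then name.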
@@ -1,699 +1,699 @@ /* * Copyright (c) 2004 Apple Computer, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. 
* - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#13 $ */ /* * Tool used to merge and select audit records from audit trail files */ /* * XXX Currently we do not support merging of records from multiple * XXX audit trail files * XXX We assume that records are sorted chronologically - both wrt to * XXX the records present within the file and between the files themselves */ #include #include #include #include #include #include #include #include #include #include "auditreduce.h" extern char *optarg; extern int optind, optopt, opterr,optreset; static au_mask_t maskp; /* Class. */ static time_t p_atime; /* Created after this time. */ static time_t p_btime; /* Created before this time. */ static uint16_t p_evtype; /* Event that we are searching for. */ static int p_auid; /* Audit id. */ static int p_euid; /* Effective user id. */ static int p_egid; /* Effective group id. */ static int p_rgid; /* Real group id. */ static int p_ruid; /* Real user id. */ static int p_subid; /* Subject id. */ /* * Following are the objects (-o option) that we can select upon. */ static char *p_fileobj = NULL; static char *p_msgqobj = NULL; static char *p_pidobj = NULL; static char *p_semobj = NULL; static char *p_shmobj = NULL; static char *p_sockobj = NULL; static uint32_t opttochk = 0; static void usage(const char *msg) { fprintf(stderr, "%s\n", msg); fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] 
\n"); fprintf(stderr, "\tOptions are : \n"); fprintf(stderr, "\t-A : all records\n"); fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n"); fprintf(stderr, "\t-b YYYYMMDD[HH[[MM[SS]]] : before date\n"); fprintf(stderr, "\t-c : matching class\n"); fprintf(stderr, "\t-d YYYYMMDD : on date\n"); fprintf(stderr, "\t-e : effective user\n"); fprintf(stderr, "\t-f : effective group\n"); fprintf(stderr, "\t-g : real group\n"); fprintf(stderr, "\t-j : subject id \n"); fprintf(stderr, "\t-m : matching event\n"); fprintf(stderr, "\t-o objecttype=objectvalue\n"); fprintf(stderr, "\t\t file=\n"); fprintf(stderr, "\t\t msgqid=\n"); fprintf(stderr, "\t\t pid=\n"); fprintf(stderr, "\t\t semid=\n"); fprintf(stderr, "\t\t shmid=\n"); fprintf(stderr, "\t-r : real user\n"); fprintf(stderr, "\t-u : audit user\n"); exit(EX_USAGE); } /* * Check if the given auid matches the selection criteria. */ static int select_auid(int au) { /* Check if we want to select on auid. */ if (ISOPTSET(opttochk, OPT_u)) { if (au != p_auid) return (0); } return (1); } /* * Check if the given euid matches the selection criteria. */ static int select_euid(int euser) { /* Check if we want to select on euid. */ if (ISOPTSET(opttochk, OPT_e)) { if (euser != p_euid) return (0); } return (1); } /* * Check if the given egid matches the selection criteria. */ static int select_egid(int egrp) { /* Check if we want to select on egid. */ if (ISOPTSET(opttochk, OPT_f)) { if (egrp != p_egid) return (0); } return (1); } /* * Check if the given rgid matches the selection criteria. */ static int select_rgid(int grp) { /* Check if we want to select on rgid. */ if (ISOPTSET(opttochk, OPT_g)) { if (grp != p_rgid) return (0); } return (1); } /* * Check if the given ruid matches the selection criteria. */ static int select_ruid(int user) { /* Check if we want to select on rgid. 
*/ if (ISOPTSET(opttochk, OPT_r)) { if (user != p_ruid) return (0); } return (1); } /* * Check if the given subject id (pid) matches the selection criteria. */ static int select_subid(int subid) { /* Check if we want to select on subject uid. */ if (ISOPTSET(opttochk, OPT_j)) { if (subid != p_subid) return (0); } return (1); } /* * Check if object's pid maches the given pid. */ static int select_pidobj(uint32_t pid) { if (ISOPTSET(opttochk, OPT_op)) { if (pid != strtol(p_pidobj, (char **)NULL, 10)) return (0); } return (1); } /* * Check if the given ipc object with the given type matches the selection * criteria. */ static int select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) { if (type == AT_IPC_MSG) { SETOPT((*optchkd), OPT_om); if (ISOPTSET(opttochk, OPT_om)) { if (id != strtol(p_msgqobj, (char **)NULL, 10)) return (0); } return (1); } else if (type == AT_IPC_SEM) { SETOPT((*optchkd), OPT_ose); if (ISOPTSET(opttochk, OPT_ose)) { if (id != strtol(p_semobj, (char **)NULL, 10)) return (0); } return (1); } else if (type == AT_IPC_SHM) { SETOPT((*optchkd), OPT_osh); if (ISOPTSET(opttochk, OPT_osh)) { if (id != strtol(p_shmobj, (char **)NULL, 10)) return (0); } return (1); } /* Unknown type -- filter if *any* ipc filtering is required. */ if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose) || ISOPTSET(opttochk, OPT_osh)) return (0); return (1); } /* * Check if the file name matches selection criteria. */ static int select_filepath(char *path, uint32_t *optchkd) { char *loc; SETOPT((*optchkd), OPT_of); if (ISOPTSET(opttochk, OPT_of)) { if (p_fileobj[0] == '~') { /* Object should not be in path. */ loc = strstr(path, p_fileobj + 1); if ((loc != NULL) && (loc == path)) return (0); } else { /* Object should be in path. 
*/ loc = strstr(path, p_fileobj); if ((loc == NULL) || (loc != path)) return (0); } } return (1); } /* * Returns 1 if the following pass the selection rules: * * before-time, * after time, * date, * class, * event */ static int select_hdr32(tokenstr_t tok, uint32_t *optchkd) { SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m)); /* The A option overrides a, b and d. */ if (!ISOPTSET(opttochk, OPT_A)) { if (ISOPTSET(opttochk, OPT_a)) { if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) { /* Record was created before p_atime. */ return (0); } } if (ISOPTSET(opttochk, OPT_b)) { if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) { /* Record was created after p_btime. */ return (0); } } } if (ISOPTSET(opttochk, OPT_c)) { /* * Check if the classes represented by the event matches * given class. */ if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH, AU_PRS_USECACHE) != 1) return (0); } /* Check if event matches. */ if (ISOPTSET(opttochk, OPT_m)) { if (tok.tt.hdr32.e_type != p_evtype) return (0); } return (1); } /* * Return 1 if checks for the the following succeed * auid, * euid, * egid, * rgid, * ruid, * process id */ static int select_proc32(tokenstr_t tok, uint32_t *optchkd) { SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op)); if (!select_auid(tok.tt.proc32.auid)) return (0); if (!select_euid(tok.tt.proc32.euid)) return (0); if (!select_egid(tok.tt.proc32.egid)) return (0); if (!select_rgid(tok.tt.proc32.rgid)) return (0); if (!select_ruid(tok.tt.proc32.ruid)) return (0); if (!select_pidobj(tok.tt.proc32.pid)) return (0); return (1); } /* * Return 1 if checks for the the following succeed * auid, * euid, * egid, * rgid, * ruid, * subject id */ static int select_subj32(tokenstr_t tok, uint32_t *optchkd) { SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j)); if (!select_auid(tok.tt.subj32.auid)) return (0); if (!select_euid(tok.tt.subj32.euid)) return (0); if (!select_egid(tok.tt.subj32.egid)) return (0); if 
(!select_rgid(tok.tt.subj32.rgid)) return (0); if (!select_ruid(tok.tt.subj32.ruid)) return (0); if (!select_subid(tok.tt.subj32.pid)) return (0); return (1); } /* * Read each record from the audit trail. Check if it is selected after * passing through each of the options */ static int select_records(FILE *fp) { u_char *buf; tokenstr_t tok; int reclen; int bytesread; int selected; uint32_t optchkd; int err = 0; while ((reclen = au_read_rec(fp, &buf)) != -1) { optchkd = 0; bytesread = 0; selected = 1; while ((selected == 1) && (bytesread < reclen)) { if (-1 == au_fetch_tok(&tok, buf + bytesread, reclen - bytesread)) { /* Is this an incomplete record? */ err = 1; break; } /* * For each token type we have have different * selection criteria. */ switch(tok.id) { case AU_HEADER_32_TOKEN: selected = select_hdr32(tok, &optchkd); break; case AU_PROCESS_32_TOKEN: selected = select_proc32(tok, &optchkd); break; case AU_SUBJECT_32_TOKEN: selected = select_subj32(tok, &optchkd); break; case AU_IPC_TOKEN: selected = select_ipcobj( tok.tt.ipc.type, tok.tt.ipc.id, &optchkd); break; case AU_FILE_TOKEN: selected = select_filepath( tok.tt.file.name, &optchkd); break; case AU_PATH_TOKEN: selected = select_filepath( tok.tt.path.path, &optchkd); break; /* * The following tokens dont have any relevant * attributes that we can select upon. */ case AU_TRAILER_TOKEN: case AU_ARG32_TOKEN: case AU_ATTR32_TOKEN: case AU_EXIT_TOKEN: case AU_NEWGROUPS_TOKEN: case AU_IN_ADDR_TOKEN: case AU_IP_TOKEN: case AU_IPCPERM_TOKEN: case AU_IPORT_TOKEN: case AU_OPAQUE_TOKEN: case AU_RETURN_32_TOKEN: case AU_SEQ_TOKEN: case AU_TEXT_TOKEN: case AU_ARB_TOKEN: case AU_SOCK_TOKEN: default: break; } bytesread += tok.len; } if ((selected == 1) && (!err)) { /* Check if all the options were matched. */ if (!(opttochk & ~optchkd)) { /* XXX Write this record to the output file. 
*/ /* default to stdout */ fwrite(buf, 1, reclen, stdout); } } free(buf); } return (0); } /* * The -o option has the form object_type=object_value. Identify the object * components. */ void parse_object_type(char *name, char *val) { if (val == NULL) return; if (!strcmp(name, FILEOBJ)) { p_fileobj = val; SETOPT(opttochk, OPT_of); } else if (!strcmp(name, MSGQIDOBJ)) { p_msgqobj = val; SETOPT(opttochk, OPT_om); } else if (!strcmp(name, PIDOBJ)) { p_pidobj = val; SETOPT(opttochk, OPT_op); } else if (!strcmp(name, SEMIDOBJ)) { p_semobj = val; SETOPT(opttochk, OPT_ose); } else if (!strcmp(name, SHMIDOBJ)) { p_shmobj = val; SETOPT(opttochk, OPT_osh); } else if (!strcmp(name, SOCKOBJ)) { p_sockobj = val; SETOPT(opttochk, OPT_oso); } else usage("unknown value for -o"); } int main(int argc, char **argv) { struct group *grp; struct passwd *pw; struct tm tm; au_event_t *n; FILE *fp; int i; char *objval, *converr; - char ch; + int ch; char timestr[128]; char *fname; converr = NULL; while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:")) != -1) { switch(ch) { case 'A': SETOPT(opttochk, OPT_A); break; case 'a': if (ISOPTSET(opttochk, OPT_a)) { usage("d is exclusive with a and b"); } SETOPT(opttochk, OPT_a); strptime(optarg, "%Y%m%d%H%M%S", &tm); strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", &tm); /* fprintf(stderr, "Time converted = %s\n", timestr); */ p_atime = mktime(&tm); break; case 'b': if (ISOPTSET(opttochk, OPT_b)) { usage("d is exclusive with a and b"); } SETOPT(opttochk, OPT_b); strptime(optarg, "%Y%m%d%H%M%S", &tm); strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", &tm); /* fprintf(stderr, "Time converted = %s\n", timestr); */ p_btime = mktime(&tm); break; case 'c': if (0 != getauditflagsbin(optarg, &maskp)) { /* Incorrect class */ usage("Incorrect class"); } SETOPT(opttochk, OPT_c); break; case 'd': if (ISOPTSET(opttochk, OPT_b) || ISOPTSET(opttochk, OPT_a)) usage("'d' is exclusive with 'a' and 'b'"); SETOPT(opttochk, OPT_d); strptime(optarg, "%Y%m%d", 
&tm); strftime(timestr, sizeof(timestr), "%Y%m%d", &tm); /* fprintf(stderr, "Time converted = %s\n", timestr); */ p_atime = mktime(&tm); tm.tm_hour = 23; tm.tm_min = 59; tm.tm_sec = 59; strftime(timestr, sizeof(timestr), "%Y%m%d", &tm); /* fprintf(stderr, "Time converted = %s\n", timestr); */ p_btime = mktime(&tm); break; case 'e': p_euid = strtol(optarg, &converr, 10); if (*converr != '\0') { /* Try the actual name */ if ((pw = getpwnam(optarg)) == NULL) break; p_euid = pw->pw_uid; } SETOPT(opttochk, OPT_e); break; case 'f': p_egid = strtol(optarg, &converr, 10); if (*converr != '\0') { /* Try actual group name. */ if ((grp = getgrnam(optarg)) == NULL) break; p_egid = grp->gr_gid; } SETOPT(opttochk, OPT_f); break; case 'g': p_rgid = strtol(optarg, &converr, 10); if (*converr != '\0') { /* Try actual group name. */ if ((grp = getgrnam(optarg)) == NULL) break; p_rgid = grp->gr_gid; } SETOPT(opttochk, OPT_g); break; case 'j': p_subid = strtol(optarg, (char **)NULL, 10); SETOPT(opttochk, OPT_j); break; case 'm': p_evtype = strtol(optarg, (char **)NULL, 10); if (p_evtype == 0) { /* Could be the string representation. */ n = getauevnonam(optarg); if (n == NULL) usage("Incorrect event name"); p_evtype = *n; free(n); } SETOPT(opttochk, OPT_m); break; case 'o': objval = strchr(optarg, '='); if (objval != NULL) { *objval = '\0'; objval += 1; parse_object_type(optarg, objval); } break; case 'r': p_ruid = strtol(optarg, &converr, 10); if (*converr != '\0') { if ((pw = getpwnam(optarg)) == NULL) break; p_ruid = pw->pw_uid; } SETOPT(opttochk, OPT_r); break; case 'u': p_auid = strtol(optarg, &converr, 10); if (*converr != '\0') { if ((pw = getpwnam(optarg)) == NULL) break; p_auid = pw->pw_uid; } SETOPT(opttochk, OPT_u); break; case '?': default: usage("Unknown option"); } } argv += optind; argc -= optind; if (argc == 0) usage("Filename needed"); /* * XXX: We should actually be merging records here. 
*/ for (i = 0; i < argc; i++) { fname = argv[i]; fp = fopen(fname, "r"); if (fp == NULL) errx(EXIT_FAILURE, "Couldn't open %s", fname); if (select_records(fp) == -1) { errx(EXIT_FAILURE, "Couldn't select records %s", fname); } fclose(fp); } exit(EXIT_SUCCESS); } Index: head/contrib/openbsm/bin/praudit/praudit.1 =================================================================== --- head/contrib/openbsm/bin/praudit/praudit.1 (revision 155364) +++ head/contrib/openbsm/bin/praudit/praudit.1 (revision 155365) 
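Review bot: in auditreduce.c main(), the `char ch` to `int ch` change is needed for the same reason as in auditd: getopt() returns int and the -1 sentinel can never match when char is unsigned. In the same option-parsing code, `struct tm tm` is never zeroed and the strptime() return value is never checked for -a, -b and -d, so a malformed date, or one shorter than %Y%m%d%H%M%S, which the SYNOPSIS allows for -a and -b, leaves fields of tm indeterminate before mktime(). Suggest `memset(&tm, 0, sizeof(tm));` before each strptime() and `if (strptime(optarg, "%Y%m%d%H%M%S", &tm) == NULL) usage("Invalid date");`. The error text for a repeated -a or -b ("d is exclusive with a and b") also does not describe the condition actually tested, which is OPT_a or OPT_b already being set.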
@@ -1,97 +1,97 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $ .\" -.Dd Jan 24, 2004 +.Dd January 24, 2004 .Dt PRAUDIT 1 .Os .Sh NAME .Nm praudit .Nd "print the contents of audit trail files" .Sh SYNOPSIS .Nm praudit .Op Fl lrs .Op Fl d Ar del .Op Ar file ... 
.Sh DESCRIPTION The .Nm utility prints the contents of the audit trail files to the standard output in human-readable form. If no filename is specified, the standard input is used by default. .Pp The options are as follows: .Bl -tag -width Ds .It Fl l Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line. .It Fl r Prints the records in their raw, numeric form. This option is exclusive from .Fl s .It Fl s Prints the tokens in their short form. Short text representations for record and event type are displayed. This option is exclusive from .Fl r .It Fl d Ar del Specifies the delimiter. The default delimiter is the comma. .El .Pp If the raw or short forms are not specified, the default is to print the tokens in their long form. Events are displayed as per their descriptions given in .Pa /etc/security/audit_event ; uids and gids are expanded to their names; dates and times are displayed in human-readable format. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_class Descriptions of audit event classes .It Pa /etc/security/audit_event Descriptions of audit events .El .Sh SEE ALSO .Xr audit_class 5 , .Xr audit_event 5 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. 
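Review bot: praudit.1 documents only -l, -r, -s and -d, but praudit.c in this same commit accepts -p (getopt string "lprsd:"), which skips to the next header token so that `tail -f | praudit` works on a partial record stream. The SYNOPSIS should read `.Op Fl lprs` and the option list needs an `.It Fl p` entry describing that behaviour. The `.Dd` month spelling and $P4 bump are fine.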
Index: head/contrib/openbsm/bin/praudit/praudit.c =================================================================== --- head/contrib/openbsm/bin/praudit/praudit.c (revision 155364) +++ head/contrib/openbsm/bin/praudit/praudit.c (revision 155365) 
@@ -1,157 +1,157 @@ /* * Copyright (c) 2004 Apple Computer, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $ */ /* * Tool used to parse audit records conforming to the BSM structure. */ /* * praudit [-lrs] [-ddel] [filenames] */ #include #include #include #include extern char *optarg; extern int optind, optopt, opterr,optreset; static char *del = ","; /* Default delimiter. 
*/ static int oneline = 0; static int raw = 0; static int shortfrm = 0; static int partial = 0; static void usage() { fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n"); exit(1); } /* * Token printing for each token type . */ static int print_tokens(FILE *fp) { u_char *buf; tokenstr_t tok; int reclen; int bytesread; /* Allow tail -f | praudit to work. */ if (partial) { u_char type = 0; /* Record must begin with a header token. */ do { type = fgetc(fp); } while(type != AU_HEADER_32_TOKEN); ungetc(type, fp); } while ((reclen = au_read_rec(fp, &buf)) != -1) { bytesread = 0; while (bytesread < reclen) { /* Is this an incomplete record? */ if (-1 == au_fetch_tok(&tok, buf + bytesread, reclen - bytesread)) break; au_print_tok(stdout, &tok, del, raw, shortfrm); bytesread += tok.len; if (oneline) printf("%s", del); else printf("\n"); } free(buf); if (oneline) printf("\n"); } return (0); } int main(int argc, char **argv) { - char ch; + int ch; int i; FILE *fp; while ((ch = getopt(argc, argv, "lprsd:")) != -1) { switch(ch) { case 'l': oneline = 1; break; case 'r': if (shortfrm) usage(); /* Exclusive from shortfrm. */ raw = 1; break; case 's': if (raw) usage(); /* Exclusive from raw. */ shortfrm = 1; break; case 'd': del = optarg; break; case 'p': partial = 1; break; case '?': default: usage(); } } /* For each of the files passed as arguments dump the contents. */ if (optind == argc) { print_tokens(stdin); return (1); } for (i = optind; i < argc; i++) { fp = fopen(argv[i], "r"); if ((fp == NULL) || (print_tokens(fp) == -1)) perror(argv[i]); if (fp != NULL) fclose(fp); } return (1); } Index: head/contrib/openbsm/bsm/audit_kevents.h =================================================================== --- head/contrib/openbsm/bsm/audit_kevents.h (revision 155364) +++ head/contrib/openbsm/bsm/audit_kevents.h (revision 155365) 
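Review bot: `char ch` to `int ch` in main() is the right fix, because getopt(3) returns int and the loop condition `!= -1` can never become true on ABIs where plain char is unsigned, so the option loop runs off the end of argv; but the same unsigned-char-versus-EOF mistake survives unchanged in print_tokens(), where `u_char type` is assigned from fgetc() and compared only against AU_HEADER_32_TOKEN, so under `-p` a stream that ends (or errors) before a header token appears turns EOF into 0xff and the `do { ... } while` loop spins forever. Declare `type` as int, break out of the loop on EOF, and call ungetc() only when a real header byte was consumed. Also, main() returns 1 on both success paths (after print_tokens(stdin) and after the file loop), so any caller checking the exit status sees praudit fail even when every record was printed; return 0 when all inputs were processed and reserve a non-zero status for the perror() cases.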
@@ -1,520 +1,522 @@ /* * Copyright (c) 2005 Apple Computer, Inc. * All rights reserved. * * @APPLE_BSD_LICENSE_HEADER_START@ * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of * its contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#34 $ + * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#37 $ */ #ifndef _BSM_AUDIT_KEVENTS_H_ #define _BSM_AUDIT_KEVENTS_H_ /* * Values marked as AUE_NULL are not required to be audited as per CAPP. 
* * Some conflicts exist in the assignment of name to event number mappings * between BSM implementations. In general, we prefer the OpenSolaris * definition as we consider Solaris BSM to be authoritative. _DARWIN_ has * been inserted for the Darwin variants. If necessary, other tags will be * added in the future. */ #define AUE_NULL 0 #define AUE_EXIT 1 #define AUE_FORK 2 #define AUE_OPEN 3 #define AUE_CREAT 4 #define AUE_LINK 5 #define AUE_UNLINK 6 #define AUE_DELETE AUE_UNLINK #define AUE_EXEC 7 #define AUE_CHDIR 8 #define AUE_MKNOD 9 #define AUE_CHMOD 10 #define AUE_CHOWN 11 #define AUE_UMOUNT 12 #define AUE_JUNK 13 /* Solaris-specific. */ #define AUE_ACCESS 14 #define AUE_CHECKUSERACCESS AUE_ACCESS #define AUE_KILL 15 #define AUE_STAT 16 #define AUE_LSTAT 17 #define AUE_ACCT 18 #define AUE_MCTL 19 /* Solaris-specific. */ #define AUE_REBOOT 20 /* XXX: Darwin conflict. */ #define AUE_SYMLINK 21 #define AUE_READLINK 22 #define AUE_EXECVE 23 #define AUE_CHROOT 24 #define AUE_VFORK 25 #define AUE_SETGROUPS 26 #define AUE_SETPGRP 27 #define AUE_SWAPON 28 #define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */ #define AUE_FCNTL 30 #define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */ #define AUE_CONNECT 32 #define AUE_ACCEPT 33 #define AUE_BIND 34 #define AUE_SETSOCKOPT 35 #define AUE_VTRACE 36 /* Solaris-specific. */ #define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */ #define AUE_FCHOWN 38 #define AUE_FCHMOD 39 #define AUE_SETREUID 40 #define AUE_SETREGID 41 #define AUE_RENAME 42 #define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */ #define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */ #define AUE_FLOCK 45 /* XXX: Darwin conflict. */ #define AUE_SHUTDOWN 46 #define AUE_MKDIR 47 #define AUE_RMDIR 48 #define AUE_UTIMES 49 #define AUE_ADJTIME 50 #define AUE_SETRLIMIT 51 #define AUE_KILLPG 52 #define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */ #define AUE_STATFS 54 #define AUE_FSTATFS 55 #define AUE_UNMOUNT 56 /* XXX: Darwin conflict. 
*/ #define AUE_ASYNC_DAEMON 57 #define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */ #define AUE_SETDOMAINNAME 59 #define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */ #define AUE_EXPORTFS 61 #define AUE_MOUNT 62 #define AUE_SEMSYS 63 #define AUE_MSGSYS 64 #define AUE_SHMSYS 65 #define AUE_BSMSYS 66 /* Solaris-specific. */ #define AUE_RFSSYS 67 /* Solaris-specific. */ #define AUE_FCHDIR 68 #define AUE_FCHROOT 69 #define AUE_VPIXSYS 70 /* Solaris-specific. */ #define AUE_PATHCONF 71 #define AUE_OPEN_R 72 #define AUE_OPEN_RC 73 #define AUE_OPEN_RT 74 #define AUE_OPEN_RTC 75 #define AUE_OPEN_W 76 #define AUE_OPEN_WC 77 #define AUE_OPEN_WT 78 #define AUE_OPEN_WTC 79 #define AUE_OPEN_RW 80 #define AUE_OPEN_RWC 81 #define AUE_OPEN_RWT 82 #define AUE_OPEN_RWTC 83 #define AUE_MSGCTL 84 #define AUE_MSGCTL_RMID 85 #define AUE_MSGCTL_SET 86 #define AUE_MSGCTL_STAT 87 #define AUE_MSGGET 88 #define AUE_MSGRCV 89 #define AUE_MSGSND 90 #define AUE_SHMCTL 91 #define AUE_SHMCTL_RMID 92 #define AUE_SHMCTL_SET 93 #define AUE_SHMCTL_STAT 94 #define AUE_SHMGET 95 #define AUE_SHMAT 96 #define AUE_SHMDT 97 #define AUE_SEMCTL 98 #define AUE_SEMCTL_RMID 99 #define AUE_SEMCTL_SET 100 #define AUE_SEMCTL_STAT 101 #define AUE_SEMCTL_GETNCNT 102 #define AUE_SEMCTL_GETPID 103 #define AUE_SEMCTL_GETVAL 104 #define AUE_SEMCTL_GETALL 105 #define AUE_SEMCTL_GETZCNT 106 #define AUE_SEMCTL_SETVAL 107 #define AUE_SEMCTL_SETALL 108 #define AUE_SEMGET 109 #define AUE_SEMOP 110 #define AUE_CORE 111 /* Solaris-specific, currently. */ #define AUE_CLOSE 112 #define AUE_SYSTEMBOOT 113 #define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */ #define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */ #define AUE_WRITEL 128 /* Solaris-specific. */ #define AUE_WRITEVL 129 /* Solaris-specific. */ #define AUE_GETAUID 130 #define AUE_SETAUID 131 #define AUE_GETAUDIT 132 #define AUE_SETAUDIT 133 #define AUE_GETUSERAUDIT 134 /* Solaris-specific. */ #define AUE_SETUSERAUDIT 135 /* Solaris-specific. 
*/ #define AUE_AUDITSVC 136 /* Solaris-specific. */ #define AUE_AUDITUSER 137 /* Solaris-specific. */ #define AUE_AUDITON 138 #define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */ #define AUE_AUDITON_STERMID 140 /* Solaris-specific. */ #define AUE_AUDITON_GPOLICY 141 #define AUE_AUDITON_SPOLICY 142 #define AUE_AUDITON_GQCTRL 145 #define AUE_AUDITON_SQCTRL 146 #define AUE_GETKERNSTATE 147 /* Solaris-specific. */ #define AUE_SETKERNSTATE 148 /* Solaris-specific. */ #define AUE_GETPORTAUDIT 149 /* Solaris-specific. */ #define AUE_AUDISTAT 150 /* Solaris-specific. */ #define AUE_ENTERPROM 153 /* Solaris-specific. */ #define AUE_EXITPROM 154 /* Solaris-specific. */ #define AUE_IOCTL 158 #define AUE_SOCKET 183 #define AUE_SENDTO 184 #define AUE_PIPE 185 #define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */ #define AUE_SEND 187 #define AUE_SENDMSG 188 #define AUE_RECV 189 #define AUE_RECVMSG 190 #define AUE_RECVFROM 191 #define AUE_READ 192 #define AUE_LSEEK 194 #define AUE_WRITE 195 #define AUE_WRITEV 196 #define AUE_NFS 197 /* Solaris-specific. */ #define AUE_READV 198 /* XXXRW: XXX Solaris old stat()? */ #define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */ #define AUE_STIME 201 /* XXXRW: Solaris old stime? */ #define AUE_UTIME 202 /* XXXRW: Solaris old utime? */ #define AUE_NICE 203 /* XXXRW: Solaris old nice? */ /* XXXRW: Solaris old setpgrp? */ #define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */ /* XXXRW: Solaris readl? */ /* XXXRW: Solaris readvl()? */ #define AUE_DUP2 209 #define AUE_MMAP 210 #define AUE_AUDIT 211 #define AUE_PRIOCNTLSYS 212 #define AUE_MUNMAP 213 #define AUE_SETEGID 214 #define AUE_SETEUID 215 #define AUE_PUTMSG 216 #define AUE_GETMSG 217 /* Solaris-specific. */ #define AUE_PUTPMSG 218 /* Solaris-specific. */ #define AUE_GETPMSG 219 /* Solaris-specific. */ #define AUE_AUDITSYS 220 /* Solaris-specific. 
*/ #define AUE_AUDITON_GETKMASK 221 #define AUE_AUDITON_SETKMASK 222 #define AUE_AUDITON_GETCWD 223 #define AUE_AUDITON_GETCAR 224 #define AUE_AUDITON_GETSTAT 225 #define AUE_AUDITON_SETSTAT 226 #define AUE_AUDITON_SETUMASK 227 #define AUE_AUDITON_SETSMASK 228 #define AUE_AUDITON_GETCOND 229 #define AUE_AUDITON_SETCOND 230 #define AUE_AUDITON_GETCLASS 231 #define AUE_AUDITON_SETCLASS 232 #define AUE_UTSSYS 233 /* Solaris-specific. */ #define AUE_STATVFS 234 #define AUE_XSTAT 235 #define AUE_LXSTAT 236 #define AUE_LCHOWN 237 #define AUE_MEMCNTL 238 /* Solaris-specific. */ #define AUE_SYSINFO 239 /* Solaris-specific. */ #define AUE_XMKNOD 240 /* Solaris-specific. */ #define AUE_FORK1 241 /* XXXRW: Solaris modctl()? */ #define AUE_MODLOAD 243 #define AUE_MODUNLOAD 244 #define AUE_MODCONFIG 245 /* Solaris-specific. */ #define AUE_MODADDMAJ 246 /* Solaris-specific. */ #define AUE_SOCKACCEPT 247 #define AUE_SOCKCONNECT 248 #define AUE_SOCKSEND 249 #define AUE_SOCKRECEIVE 250 #define AUE_ACLSET 251 #define AUE_FACLSET 252 #define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */ #define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */ #define AUE_P_ONLINE 262 /* Solaris-specific. */ #define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */ #define AUE_INST_SYNC 264 /* Solaris-specific. */ #define AUE_SOCK_CONFIG 265 /* Solaris-specific. */ #define AUE_SETAUDIT_ADDR 266 #define AUE_GETAUDIT_ADDR 267 #define AUE_CLOCK_SETTIME 287 #define AUE_NTP_ADJTIME 288 /* * Events not present in OpenSolaris BSM, generally derived from Apple Darwin * BSM or added in OpenBSM. 
This start a little too close to the top end of * the OpenSolaris event list for my comfort. */ #define AUE_GETFSSTAT 301 #define AUE_PTRACE 302 #define AUE_CHFLAGS 303 #define AUE_FCHFLAGS 304 #define AUE_PROFILE 305 #define AUE_KTRACE 306 #define AUE_SETLOGIN 307 #define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */ #define AUE_REVOKE 309 #define AUE_UMASK 310 #define AUE_MPROTECT 311 #define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */ #define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */ #define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */ #define AUE_MKFIFO 315 #define AUE_POLL 316 #define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */ #define AUE_FUTIMES 318 #define AUE_SETSID 319 #define AUE_SETPRIVEXEC 320 /* Darwin-specific. */ #define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */ #define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */ #define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */ #define AUE_ADDPROFILE 324 /* Darwin-specific. */ #define AUE_KDEBUGTRACE 325 /* Darwin-specific. */ #define AUE_KDBUGTRACE AUE_KDEBUGTRACE #define AUE_FSTAT 326 #define AUE_FPATHCONF 327 #define AUE_GETDIRENTRIES 328 #define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */ #define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */ #define AUE_SYSCTL 331 #define AUE_MLOCK 332 #define AUE_MUNLOCK 333 #define AUE_UNDELETE 334 #define AUE_GETATTRLIST 335 /* Darwin-specific. */ #define AUE_SETATTRLIST 336 /* Darwin-specific. */ #define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */ #define AUE_EXCHANGEDATA 338 /* Darwin-specific. */ #define AUE_SEARCHFS 339 /* Darwin-specific. */ #define AUE_MINHERIT 340 #define AUE_SEMCONFIG 341 #define AUE_SEMOPEN 342 #define AUE_SEMCLOSE 343 #define AUE_SEMUNLINK 344 #define AUE_SHMOPEN 345 #define AUE_SHMUNLINK 346 #define AUE_LOADSHFILE 347 /* Darwin-specific. */ #define AUE_RESETSHFILE 348 /* Darwin-specific. */ #define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. 
*/ #define AUE_PTHREADKILL 350 /* Darwin-specific. */ #define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */ #define AUE_AUDITCTL 352 #define AUE_RFORK 353 #define AUE_LCHMOD 354 #define AUE_SWAPOFF 355 #define AUE_INITPROCESS 356 /* Darwin-specific. */ #define AUE_MAPFD 357 /* Darwin-specific. */ #define AUE_TASKFORPID 358 /* Darwin-specific. */ #define AUE_PIDFORTASK 359 /* Darwin-specific. */ #define AUE_SYSCTL_NONADMIN 360 #define AUE_COPYFILE 361 /* Darwin-specific. */ #define AUE_LUTIMES 362 #define AUE_LCHFLAGS 363 /* FreeBSD-specific. */ #define AUE_SENDFILE 364 /* BSD/Linux-specific. */ #define AUE_USELIB 365 /* Linux-specific. */ #define AUE_GETRESUID 366 #define AUE_SETRESUID 367 #define AUE_GETRESGID 368 #define AUE_SETRESGID 369 #define AUE_WAIT4 370 /* FreeBSD-specific. */ #define AUE_LGETFH 371 /* FreeBSD-specific. */ #define AUE_FHSTATFS 372 /* FreeBSD-specific. */ #define AUE_FHOPEN 373 /* FreeBSD-specific. */ #define AUE_FHSTAT 374 /* FreeBSD-specific. */ #define AUE_JAIL 375 /* FreeBSD-specific. */ #define AUE_EACCESS 376 /* FreeBSD-specific. */ #define AUE_KQUEUE 377 /* FreeBSD-specific. */ #define AUE_KEVENT 378 /* FreeBSD-specific. */ #define AUE_FSYNC 379 #define AUE_NMOUNT 380 /* FreeBSD-specific. */ #define AUE_BDFLUSH 381 /* Linux-specific. */ #define AUE_SETFSUID 382 /* Linux-specific. */ -#define AUE_GETFSUID 383 /* Linux-specific. */ +#define AUE_SETFSGID 383 /* Linux-specific. */ #define AUE_PERSONALITY 384 /* Linux-specific. */ #define AUE_SCHED_GETSCHEDULER 385 /* POSIX.1b. */ #define AUE_SCHED_SETSCHEDULER 386 /* POSIX.1b. */ #define AUE_PRCTL 387 /* Linux-specific. */ #define AUE_GETCWD 388 /* FreeBSD/Linux-specific. */ #define AUE_CAPGET 389 /* Linux-specific. */ #define AUE_CAPSET 390 /* Linux-specific. */ #define AUE_PIVOT_ROOT 391 /* Linux-specific. */ #define AUE_RTPRIO 392 /* FreeBSD-specific. */ #define AUE_SCHED_GETPARAM 393 /* POSIX.1b. */ #define AUE_SCHED_SETPARAM 394 /* POSIX.1b. 
*/ #define AUE_SCHED_GET_PRIORITY_MAX 395 /* POSIX.1b. */ #define AUE_SCHED_GET_PRIORITY_MIN 396 /* POSIX.1b. */ #define AUE_SCHED_RR_GET_INTERVAL 397 /* POSIX.1b. */ #define AUE_ACL_GET_FILE 398 /* FreeBSD. */ #define AUE_ACL_SET_FILE 399 /* FreeBSD. */ #define AUE_ACL_GET_FD 400 /* FreeBSD. */ #define AUE_ACL_SET_FD 401 /* FreeBSD. */ #define AUE_ACL_DELETE_FILE 402 /* FreeBSD. */ #define AUE_ACL_DELETE_FD 403 /* FreeBSD. */ #define AUE_ACL_CHECK_FILE 404 /* FreeBSD. */ #define AUE_ACL_CHECK_FD 405 /* FreeBSD. */ +#define AUE_SYSARCH 406 /* FreeBSD. */ /* * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the * normal Solaris BSM identifiers. _O_ refers to it being an old, or compat * interface. In most cases, Darwin has never implemented these system calls * but picked up the fields in their system call table from their FreeBSD * import. Happily, these have different names than the AUE_O* definitions * in Solaris BSM. */ #define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */ #define AUE_O_EXECVE AUE_NULL /* Darwin */ #define AUE_O_SBREAK AUE_NULL /* Darwin */ #define AUE_O_LSEEK AUE_NULL /* Darwin */ #define AUE_O_MOUNT AUE_NULL /* Darwin */ #define AUE_O_UMOUNT AUE_NULL /* Darwin */ #define AUE_O_STAT AUE_STAT /* Darwin */ #define AUE_O_LSTAT AUE_LSTAT /* Darwin */ #define AUE_O_FSTAT AUE_FSTAT /* Darwin */ #define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */ #define AUE_O_VREAD AUE_NULL /* Darwin */ #define AUE_O_VWRITE AUE_NULL /* Darwin */ #define AUE_O_MMAP AUE_MMAP /* Darwin */ #define AUE_O_VADVISE AUE_NULL /* Darwin */ #define AUE_O_VHANGUP AUE_NULL /* Darwin */ #define AUE_O_VLIMIT AUE_NULL /* Darwin */ #define AUE_O_WAIT AUE_NULL /* Darwin */ #define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */ #define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */ #define AUE_O_GETDOPT AUE_NULL /* Darwin */ #define AUE_O_SETDOPT AUE_NULL /* Darwin */ #define AUE_O_ACCEPT AUE_NULL /* Darwin */ #define AUE_O_SEND AUE_SENDMSG /* Darwin */ #define AUE_O_RECV AUE_RECVMSG /* 
Darwin */ #define AUE_O_VTIMES AUE_NULL /* Darwin */ #define AUE_O_SIGVEC AUE_NULL /* Darwin */ #define AUE_O_SIGBLOCK AUE_NULL /* Darwin */ #define AUE_O_SIGSETMASK AUE_NULL /* Darwin */ #define AUE_O_SIGSTACK AUE_NULL /* Darwin */ #define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */ #define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */ #define AUE_O_VTRACE AUE_NULL /* Darwin */ #define AUE_O_RESUBA AUE_NULL /* Darwin */ #define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */ #define AUE_O_SETREUID AUE_SETREUID /* Darwin */ #define AUE_O_SETREGID AUE_SETREGID /* Darwin */ +#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /* Darwin */ #define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */ #define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */ #define AUE_O_GETPEERNAME AUE_NULL /* Darwin */ #define AUE_O_GETHOSTID AUE_NULL /* Darwin */ #define AUE_O_SETHOSTID AUE_NULL /* Darwin */ #define AUE_O_GETRLIMIT AUE_NULL /* Darwin */ #define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */ #define AUE_O_KILLPG AUE_KILL /* Darwin */ #define AUE_O_SETQUOTA AUE_NULL /* Darwin */ #define AUE_O_QUOTA AUE_NULL /* Darwin */ #define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */ #define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */ #define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */ #define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */ #define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */ #define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */ #define AUE_O_EXPORTFS AUE_NULL /* Darwin */ #define AUE_O_USTATE AUE_NULL /* Darwin */ #define AUE_O_WAIT3 AUE_NULL /* Darwin */ #define AUE_O_RPAUSE AUE_NULL /* Darwin */ #define AUE_O_GETDENTS AUE_NULL /* Darwin */ /* * Possible desired future values based on review of BSD/Darwin system calls. 
*/ #define AUE_DUP AUE_NULL #define AUE_FSCTL AUE_NULL #define AUE_FSTATV AUE_NULL #define AUE_GCCONTROL AUE_NULL #define AUE_GETDTABLESIZE AUE_NULL #define AUE_GETEGID AUE_NULL #define AUE_GETEUID AUE_NULL #define AUE_GETGID AUE_NULL #define AUE_GETGROUPS AUE_NULL #define AUE_GETITIMER AUE_NULL #define AUE_GETLOGIN AUE_NULL #define AUE_GETPEERNAME AUE_NULL #define AUE_GETPGID AUE_NULL #define AUE_GETPGRP AUE_NULL #define AUE_GETPID AUE_NULL #define AUE_GETPPID AUE_NULL #define AUE_GETPRIORITY AUE_NULL #define AUE_GETRLIMIT AUE_NULL #define AUE_GETRUSAGE AUE_NULL #define AUE_GETSID AUE_NULL #define AUE_GETSOCKNAME AUE_NULL #define AUE_GETTIMEOFDAY AUE_NULL #define AUE_GETUID AUE_NULL #define AUE_GETSOCKOPT AUE_NULL #define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */ #define AUE_ISSETUGID AUE_NULL #define AUE_LISTEN AUE_NULL #define AUE_LSTATV AUE_NULL #define AUE_MADVISE AUE_NULL #define AUE_MINCORE AUE_NULL #define AUE_MKCOMPLEX AUE_NULL #define AUE_MLOCKALL AUE_NULL #define AUE_MODWATCH AUE_NULL #define AUE_MSGCL AUE_NULL #define AUE_MSYNC AUE_NULL #define AUE_MUNLOCKALL AUE_NULL #define AUE_PREAD AUE_NULL #define AUE_PWRITE AUE_NULL #define AUE_PREADV AUE_NULL #define AUE_PWRITEV AUE_NULL #define AUE_SBRK AUE_NULL #define AUE_SELECT AUE_NULL #define AUE_SEMDESTROY AUE_NULL #define AUE_SEMGETVALUE AUE_NULL #define AUE_SEMINIT AUE_NULL #define AUE_SEMPOST AUE_NULL #define AUE_SEMTRYWAIT AUE_NULL #define AUE_SEMWAIT AUE_NULL #define AUE_SETITIMER AUE_NULL #define AUE_SIGACTION AUE_NULL #define AUE_SIGALTSTACK AUE_NULL #define AUE_SIGPENDING AUE_NULL #define AUE_SIGPROCMASK AUE_NULL #define AUE_SIGRETURN AUE_NULL #define AUE_SIGSUSPEND AUE_NULL #define AUE_SIGWAIT AUE_NULL #define AUE_SSTK AUE_NULL #define AUE_STATV AUE_NULL #define AUE_SYNC AUE_NULL #define AUE_SYSCALL AUE_NULL #define AUE_TABLE AUE_NULL #define AUE_WAITEVENT AUE_NULL #define AUE_WATCHEVENT AUE_NULL #endif /* !_BSM_AUDIT_KEVENTS_H_ */ Index: head/contrib/openbsm/libbsm/Makefile 
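Review bot: the new `+#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /* Darwin */` is added a few lines above the pre-existing `#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */`, which is the same alias with a misspelt name whose right-hand side is defined nowhere in this header, so any use of the old spelling fails to compile; this change should either delete the misspelt line or turn it into an alias of the corrected macro rather than leaving both. The `-#define AUE_GETFSUID 383` / `+#define AUE_SETFSGID 383` rename is correct for Linux's setfsgid(2) (and keeps the number, so existing trails are unaffected), but it removes a public identifier with no compatibility define, so out-of-tree code that references AUE_GETFSUID breaks at its next build; a deprecated alias or an explicit note would avoid that surprise.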
=================================================================== --- head/contrib/openbsm/libbsm/Makefile (revision 155364) +++ head/contrib/openbsm/libbsm/Makefile (revision 155365) 
@@ -1,119 +1,125 @@ # # OpenBSM libbsm # -# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $ +# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#13 $ # LIB= bsm SHLIB_MAJOR= 1 CFLAGS+=-I- \ -I .. \ -Wall SRCS= bsm_audit.c \ bsm_class.c \ bsm_control.c \ bsm_event.c \ bsm_flags.c \ bsm_io.c \ bsm_mask.c \ bsm_notify.c \ bsm_token.c \ bsm_user.c \ bsm_wrappers.c MAN= libbsm.3 \ au_class.3 \ au_control.3 \ au_event.3 \ au_free_token.3 \ au_io.3 \ au_mask.3 \ au_token.3 \ au_user.3 MLINKS= libbsm.3 bsm.3 \ au_class.3 getauclassent.3 \ + au_class.3 getauclassent_r.3 \ au_class.3 getauclassnam.3 \ + au_class.3 getauclassnam_r.3 \ au_class.3 setauclass.3 \ au_class.3 endauclass.3 \ au_control.3 setac.3 \ au_control.3 endac.3 \ au_control.3 getacdir.3 \ au_control.3 getacmin.3 \ au_control.3 getacflg.3 \ au_control.3 getacna.3 \ au_event.3 setauevent.3 \ au_event.3 endauevent.3 \ au_event.3 getauevent.3 \ + au_event.3 getauevent_r.3 \ au_event.3 getauevnam.3 \ + au_event.3 getauevnam_r.3 \ au_event.3 getauevnum.3 \ + au_event.3 getauevnum_r.3 \ au_event.3 getauevnonam.3 \ + au_event.3 getauevnonam_r.3 \ au_io.3 au_fetch_tok.3 \ au_io.3 au_print_tok.3 \ au_io.3 au_read_rec.3 \ au_mask.3 au_preselect.3 \ au_mask.3 getauditflagsbin.3 \ au_mask.3 getauditflagschar.3 \ au_user.3 setauuser.3 \ au_user.3 endauuser.3 \ au_user.3 getauuserent.3 \ au_user.3 getauusernam.3 \ au_user.3 au_user_mask.3 \ au_user.3 getfauditflags.3 \ au_token.3 au_to_arg32.3 \ au_token.3 au_to_arg64.3 \ au_token.3 au_to_arg.3 \ au_token.3 au_to_attr64.3 \ au_token.3 au_to_data.3 \ au_token.3 au_to_exit.3 \ au_token.3 au_to_groups.3 \ au_token.3 au_to_newgroups.3 \ au_token.3 au_to_in_addr.3 \ au_token.3 au_to_in_addr_ex.3 \ au_token.3 au_to_ip.3 \ au_token.3 au_to_ipc.3 \ au_token.3 au_to_ipc_perm.3 \ au_token.3 au_to_iport.3 \ au_token.3 au_to_opaque.3 \ au_token.3 au_to_file.3 \ au_token.3 au_to_text.3 \ au_token.3 au_to_path.3 \ au_token.3 au_to_process32.3 \ au_token.3 
au_to_process64.3 \ au_token.3 au_to_process.3 \ au_token.3 au_to_process32_ex.3 \ au_token.3 au_to_process64_ex.3 \ au_token.3 au_to_process_ex.3 \ au_token.3 au_to_return32.3 \ au_token.3 au_to_return64.3 \ au_token.3 au_to_return.3 \ au_token.3 au_to_seq.3 \ au_token.3 au_to_socket.3 \ au_token.3 au_to_socket_ex_32.3 \ au_token.3 au_to_socket_ex_128.3 \ au_token.3 au_to_sock_inet32.3 \ au_token.3 au_to_sock_inet128.3 \ au_token.3 au_to_sock_inet.3 \ au_token.3 au_to_subject32.3 \ au_token.3 au_to_subject64.3 \ au_token.3 au_to_subject.3 \ au_token.3 au_to_subject32_ex.3 \ au_token.3 au_to_subject64_ex.3 \ au_token.3 au_to_subject_ex.3 \ au_token.3 au_to_me.3 \ au_token.3 au_to_exec_args.3 \ au_token.3 au_to_exec_env.3 \ au_token.3 au_to_header.3 \ au_token.3 au_to_header32.3 \ au_token.3 au_to_header64.3 \ au_token.3 au_to_trailer.3 beforeinstall: if test -d ${INCSDIR}; then \ else \ mkdir ${INCSDIR}; \ fi; .include Index: head/contrib/openbsm/libbsm/au_control.3 =================================================================== --- head/contrib/openbsm/libbsm/au_control.3 (revision 155364) +++ head/contrib/openbsm/libbsm/au_control.3 (revision 155365) 
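Review bot: the `beforeinstall:` target in the unchanged context at the end of the hunk has an empty `then` branch (`if test -d ${INCSDIR}; then \ else \ mkdir ${INCSDIR}; \ fi;`), which is a syntax error in sh because `then` must be followed by at least one command, so `make install` will fail as soon as this target runs; put a no-op `:` in the `then` branch or, better, replace the whole construct with `test -d ${INCSDIR} || mkdir -p ${INCSDIR}`. The MLINKS additions themselves look right: each new `_r` link (`getauclassent_r.3`, `getauclassnam_r.3`, `getauevent_r.3`, `getauevnam_r.3`, `getauevnum_r.3`, `getauevnonam_r.3`) points at the page that documents it, though `au_event.3` also lists `free_au_event_ent` in its NAME section and no `au_event.3 free_au_event_ent.3` link is added here.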
@@ -1,136 +1,136 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#3 $ .\" .Dd April 19, 2005 .Dt AU_CONTROL 3 .Os .Sh NAME .Nm setac , .Nm endac , .Nm getacdir , .Nm getacmin , .Nm getacflg , .Nm getacna .Nd "Look up information from the audit_control database" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Ft void .Fn setac "void" .Ft void .Fn endac "void" .Ft int .Fn getacdir "char *name" "int len" .Ft int .Fn getacmin "int *min_val" .Ft int .Fn getacflg "char *auditstr" "int len" .Ft int .Fn getacna "char *auditstr" "int len" .Sh DESCRIPTION These interfaces may be used to look up information from the .Xr audit_control 5 database, which contains various audit-related administrative parameters. .Pp .Fn setac resets the database iterator to the beginning of the database; see the BUGS section for more information. .Pp .Fn sendac closes the .Xr audit_control 5 database. .Pp .Fn getacdir -Return the name of the directory where log data is stored via the passed +returns the name of the directory where log data is stored via the passed character buffer .Va name of length .Va len . .Pp .Fn getacmin returns the minimum free disk space for the audit log target file system via the passed .Va min_val variable. .Pp .Fn getacflg returns the audit system flags via the the passed character buffer .Va auditstr of length .Va len . .Pp .Fn getacna returns the non-attributable flags via the passed character buffer .Va auditstr of length .Va len . .Sh RETURN VALULES .Fn getacdir , .Fn getacmin , .Fn getacflg , and .Fn getacna return 0 on success, or a negative value on failure, along with error information in .Va errno . Functions that return a string value will return a failure if there is insufficient room in the passed character buffer for the full string. 
.Sh SEE ALSO .Xr libbsm 3 , .Xr audit_control 5 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS These routines cannot currently distinguish between an entry not being found and an error accessing the database. The implementation should be changed to return an error via .Va errno when .Dv NULL is returned. .Sh BUGS There is no reason for the .Fn setac interface to be exposed as part of the public API, as it is called implicitly by other access functions and iteration is not supported. .Pp These interfaces inconsistently return various negative values depending on the failure mode, and do not always set .Va errno on failure. Index: head/contrib/openbsm/libbsm/au_event.3 =================================================================== --- head/contrib/openbsm/libbsm/au_event.3 (revision 155364) +++ head/contrib/openbsm/libbsm/au_event.3 (revision 155365) 
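Review bot: the wording fix (`-Return the name` to `+returns the name`) is fine, but the same DESCRIPTION section still documents `.Fn sendac` (`.Fn sendac closes the .Xr audit_control 5 database.`), a function that does not exist; NAME and SYNOPSIS call it `endac`, so the `.Fn` argument should be corrected in this pass. Other problems visible in the unchanged context that are worth fixing while the page is being touched: `.Sh RETURN VALULES` is misspelt (mdoc only recognises the standard section when it reads `RETURN VALUES`), `via the the passed character buffer` doubles `the`, and the page has two `.Sh BUGS` sections, the first of which talks about `.Dv NULL` being returned although every function in the SYNOPSIS returns `int` or `void`; merge the two BUGS sections and reword the NULL sentence in terms of the negative return values described under RETURN VALUES.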
@@ -1,153 +1,153 @@ .\"- .\" Copyright (c) 2005-2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#4 $ .\" .Dd April 19, 2005 .Dt AU_EVENT 3 .Os .Sh NAME .Nm free_au_event_ent , .Nm setauevent , .Nm endauevent , .Nm getauevent , .Nm getauevent_r , .Nm getauevnam , .Nm getauevnam_r , .Nm getauevnum , .Nm getauevnum_r , .Nm getauevnonam , .Nm getauevnonam_r , .Nd "Look up information from the audit_event database" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Ft void .Fn setauevent "void" .Ft void .Fn endauevent "void" .Ft "struct au_event_ent *" .Fn getauevent "void" .Ft "struct au_event_ent *" .Fn getauevent_r "struct au_event_ent *e" .Ft "struct au_event_ent *" .Fn getauevnam "char *name" .Ft "struct au_event_ent *" .Fn getauevnam_r "struct au_event_ent *e" "char *name" .Ft "struct au_event_ent *" .Fn getauevnum "au_event_t event_number" .Ft "struct au_event_ent *" .Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number" .Ft "au_event_t *" .Fn getauevnonam "char *event_name" .Ft "au_event_t *" .Fn getauevnonam_r "au_event_t *ev" "char *event_name" .Sh DESCRIPTION These interfaces may be used to look up information from the .Xr audit_event 5 database, which describes audit events. Entries in the database are described by .Vt struct au_event_ent entries, which are returned by calls to .Fn getauevent , .Fn getauevnam , or .Fn getauevnum . It is also possible look up an event number via a call to .Nm getauevnonam . .Pp .Fn setauevent resets the database access session for .Xr audit_event 5 , so that the next call to .Fn getauevent will start with the first entry in the database. .Pp .Fn endauevent closes the .Xr audit_event 5 database session. .Pp .Fn getauevent returns a reference to the next entry in the .Xr audit_event 5 database. .Pp .Fn getauevnam returns a reference to the entry in the .Xr audit_event 5 database with a name of .Va name . 
.Pp .Fn getauevnum returns a reference to the entry in the .Xr audit_event 5 database with an event number of .Va event_number . .Pp .Fn getauevnonam returns a reference to an audit event number using the .Xr audit_event 5 database. .Sh RETURN VALUES Functions .Fn getauevent , .Fn getauevent_r , .Fn getauevnam , .Fn getauevnam_r , .Fn getauevnum , .Fn getauevnum_r , and .Fn getauevnuam will return a reference to a -.Dt struct au_event_ent +.Ft struct au_event_ent or -.Dt au_event_t +.Ft au_event_t on success, or .Dv NULL on failure, with .Va errno set to provide further error information. .Sh SEE ALSO .Xr libbsm 3 , .Xr audit_event 5 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS .Va errno is not always properly set following a failure. .Pp These routines are thread-safe, but not re-entrant, so simultaneous or interleaved use of these functions will affect the iterator. Index: head/contrib/openbsm/libbsm/au_free_token.3 =================================================================== --- head/contrib/openbsm/libbsm/au_free_token.3 (revision 155364) +++ head/contrib/openbsm/libbsm/au_free_token.3 (revision 155365) 
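Review bot: the RETURN VALUES paragraph of this hunk lists `.Fn getauevnuam`, a name that appears nowhere in the SYNOPSIS; the event-number lookups declared above are `getauevnonam` and `getauevnonam_r`, so the list should name those two (the `.Dt` to `.Ft` change itself is right, since `.Dt` is the document-title macro). Two smaller points in the same DESCRIPTION: "It is also possible look up an event number" is missing "to", and `.Nm getauevnonam` should be `.Fn getauevnonam` to match how the other functions are referenced. The `_r` variants are declared in the SYNOPSIS but never described; a sentence explaining that they take a caller-supplied `struct au_event_ent *e` rather than returning library-held storage would tell readers when to prefer them, given the BUGS note that these routines are thread-safe but not re-entrant.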
@@ -1,91 +1,91 @@ .\"- .\" Copyright (c) 2004 Apple Computer, Inc. .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#3 $ .\" .Dd April 19, 2005 .Dt AU_FREE_TOKEN 3 .Os .Sh NAME .Nm au_free_token .Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Ft void -.Fn au_free_tokenen "token_t *tok" +.Fn au_free_token "token_t *tok" .Sh DESCRIPTION The BSM API generally manages deallocation of .Vt token_t objects. However, if .Xr au_write 3 is passed a bad audit descriptor, the .Vt token_t * parameter will be left untouched. In that case, the caller can deallocate the .Vt token_t using .Nm if desired. .Pp The .Va tok argument is a .Vt token_t * generated by one of the au_to_*() BSM API calls. For convenience, .Va tok may be .Dv NULL , in which case .Nm returns immediately. .Sh IMPLEMENTATION NOTES This is, in fact, what .Xr audit_write 3 does, in keeping with the existing memory management model of the BSM API. .Sh SEE ALSO .Xr au_write 3 , .Xr audit_write 3 , .Xr libbsm 3 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/libbsm/au_mask.3 =================================================================== --- head/contrib/openbsm/libbsm/au_mask.3 (revision 155364) +++ head/contrib/openbsm/libbsm/au_mask.3 (revision 155365) 
@@ -1,140 +1,140 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#3 $ .\" .Dd April 19, 2005 .Dt AU_MASK 3 .Os .Sh NAME .Nm au_preselect , .Nm getauditflagsbin , .Nm getauditflagschar .Nd "Convert between string and numeric values of audit masks" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Ft int .Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag" .Ft int .Fn getauditflagsbin "char *auditstr" "au_mask_t *masks" .Ft int .Fn getauditflagschar "char *auditstr" "au_mask_t *masks" "int verbose" .Sh DESCRIPTION These interfaces support processing of an audit mask represented by type .Vt au_mask_t , including conversion between numeric and text formats, and computing whether or not an event is matched by a mask. .Pp .Fn au_preselect calculates whether or not the audit event passed via .Va event is matched by the audit mask passed via .Va au_mask_t . The .Va sorf argument indicates whether or not to consider the event as a success, if the .Dv AU_PRS_SUCCESS flag is set, or failure, if the .Dv AU_PRS_FAILURE flag is set. The .Va flag argument accepts additional arguments influencing the behavior of .Fn au_preselect , including .Dv AU_PRS_REREAD , which causes the event to be re-looked up rather than read from the cache, or .Dv AU_PRS_USECACHE which forces use of the cache. .Pp .Fn getauditflagsbin converts a string representation of an audit mask passed via a character string pointed to by .Va auditstr , returning the resulting mask, if valid, via .Va *masks . .Pp .Fn getauditflagschar converts the audit event mask passed via .Va *masks and converts it to a character string in a buffer pointed to by .Va auditstr . See the BUGS section for more information on how to provide a buffer of sufficient size. If the .Va verbose flag is set, the class description string retrieved from .Xr audit_class 5 will be used; otherwise, the two-character class name. 
.Sh RETURN VALUES .Fn au_preselect returns 0 on success, or returns -1 if there is a failure looking up the event type or other database access, in which case .Va errno will be set to indicate the error. It returns 1 if the event is matched; 0 if not. .Pp .Fn getauditflagsbin and .Fn getauditflagschar returns 0 on success, or -1 if there is a failure, in which case .Va errno will be set to indicate the error. .Sh IMPLEMENTATION NOTES .Fn au_preselect makes implicit use of various audit database routines, and may influence -the behavior of simultaenous or interleaved processing of those databases by +the behavior of simultaneous or interleaved processing of those databases by other code. .Sh SEE ALSO .Xr libbsm 3 , .Xr audit_class 5 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS .Va errno may not always be properly set in the event of an error. .Pp .Fn getauditflagschar does not provide a way to indicate how long the character buffer is, in order to detect overflow. As a result, the caller must always provide a buffer of sufficient length for any possible mask, which may be calculated as three times the number of non-zero bits in the mask argument in the event non-verbose class names are used, and is not trivially predictable for verbose class names. This API should be replaced with a more robust one. 
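Review bot: the RETURN VALUES text for `au_preselect` in this hunk contradicts itself: it first says the function "returns 0 on success", then that it "returns 1 if the event is matched; 0 if not". State the three-way result once, e.g. "returns 1 if the event is matched by the mask, 0 if it is not, and -1 if the event lookup or other database access fails, in which case errno is set". In DESCRIPTION, "matched by the audit mask passed via .Va au_mask_t" names the type rather than the argument and should read `.Va mask_p`. The BUGS entry about `getauditflagschar` having no buffer-length parameter is the most important caveat on this page and deserves a cross-reference right next to the function's sizing sentence in DESCRIPTION, since a caller that sizes `auditstr` from a fixed guess rather than the stated "three times the number of non-zero bits" rule overruns it; the bounded replacement that BUGS itself calls for is the real fix.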
Index: head/contrib/openbsm/libbsm/au_token.3 =================================================================== --- head/contrib/openbsm/libbsm/au_token.3 (revision 155364) +++ head/contrib/openbsm/libbsm/au_token.3 (revision 155365) 
@@ -1,209 +1,209 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#5 $ .\" .Dd April 19, 2005 .Dt AU_TOKEN 3 .Os .Sh NAME .Nm au_to_arg32 , .Nm au_to_arg64 , .Nm au_to_arg , .Nm au_to_attr64 , .Nm au_to_data , .Nm au_to_exit , .Nm au_to_groups , .Nm au_to_newgroups , .Nm au_to_in_addr , .Nm au_to_in_addr_ex , .Nm au_to_ip , .Nm au_to_ipc , .Nm au_to_ipc_perm , .Nm au_to_iport , .Nm au_to_opaque , .Nm au_to_file , .Nm au_to_text , .Nm au_to_path , .Nm au_to_process32 , .Nm au_to_process64 , .Nm au_to_process , .Nm au_to_process32_ex , .Nm au_to_process64_ex , .Nm au_to_process_ex , .Nm au_to_return32 , .Nm au_to_return64 , .Nm au_to_return , .Nm au_to_seq , .Nm au_to_socket , .Nm au_to_socket_ex_32 , .Nm au_to_socket_ex_128 , .Nm au_to_sock_inet32 , .Nm au_to_sock_inet128 , .Nm au_to_sock_inet , .Nm au_to_subject32 , .Nm au_to_subject64 , .Nm au_to_subject , .Nm au_to_subject32_ex , .Nm au_to_subject64_ex , .Nm au_to_subject_ex , .Nm au_to_me , .Nm au_to_exec_args , .Nm au_to_exec_env , .Nm au_to_header , .Nm au_to_header32 , .Nm au_to_header64 , .Nm au_to_trailer . 
.Nd "Routines for generating BSM audit tokens" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Ft token_t * .Fn au_to_arg32 "char n" "char *text" "u_int32_t v" .Ft token_t * .Fn au_to_arg64 "char n" "char *text" "u_int64_t v" .Ft token_t * .Fn au_to_arg "char n" "char *text" "u_int32_t v" .Ft token_t * .Fn au_to_attr32 "struct vattr *attr" .Ft token_t * .Fn au_to_attr64 "struct vattr *attr" .Ft token_t * .Fn au_to_attr "struct vattr *attr" .Ft token_t * .Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p" .Ft token_t * .Fn au_to_exit "int retval" "int err" .Ft token_t * .Fn au_to_groups "int *groups" .Ft token_t * .Fn au_to_newgroups "u_int16_t n" "gid_t *groups" .Ft token_t * .Fn au_to_in_addr "struct in_addr *internet_addr" .Ft token_t * .Fn au_to_in_addr_ex "struct in6_addr *internet_addr" .Ft token_t * .Fn au_to_ip "struct ip *ip" .Ft token_t * .Fn au_to_ipc "char type" "int id" .Ft token_t * .Fn au_to_ipc_perm "struct ipc_perm *perm" .Ft token_t * .Fn au_to_iport "u_int16_t iport" .Ft token_t * .Fn au_to_opaque "char *data" "u_int64_t bytes" .Ft token_t * .Fn au_to_file "char *file" .Ft token_t * .Fn au_to_file "char *file" .Ft token_t * .Fn au_to_text "char *text" .Ft token_t * .Fn au_to_path "char *text" .Ft token_t * .Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" .Ft token_t * .Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" .Ft token_t * .Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" .Ft token_t * .Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" .Ft token_t * .Fn au_to_return32 "char status" "u_int32_t ret" .Ft token_t * .Fn au_to_return64 "char status" "u_int64_t ret" .Ft token_t * .Fn 
au_to_return "char status" "u_int32_t ret" .Ft token_t * .Fn au_to_seq "long audit_count" .Ft token_t * .Fn au_to_socket "struct socket *so" .Ft token_t * .Fn au_to_socket_ex_32 "struct socket *so" .Ft token_t * .Fn au_to_socket_ex_128 "struct socket *so" .Ft token_t * .Fn au_to_sock_inet32 "struct sockaddr_in *so" .Ft token_t * .Fn au_to_sock_inet128 "struct sockaddr_in6 *so" .Ft token_t * .Fn au_to_sock_int "struct sockaddr_in *so" .Ft token_t * .Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" .Ft token_t * .Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" .Ft token_t * .Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" .Ft token_t * .Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid" .Ft token_t * .Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" .Ft token_t * .Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid" .Ft token_t * .Fn au_to_me "void" .Ft token_t * .Fn au_to_exec_args "const char **args" .Ft token_t * .Fn au_to_exec_env "const char **env" .Ft token_t * .Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod" .Ft token_t * .Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod" .Ft token_t * .Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod" .Ft token_t * .Fn au_to_trailer "int rec_size" .Sh DESCRIPTION These interfaces support the allocation of BSM audit tokens, represented by -.Dt token_t , +.Ft token_t , for various data types. 
.Sh RETURN VALUES -On sucess, a pointer to a +On success, a pointer to a .Vt token_t will be returned; the allocated .Vt token_t can be freed via a call to .Xr au_free_token 3 . On failure, .Dv NULL will be returned, and an error condition returned via .Va errno . .Sh SEE ALSO .Xr libbsm 3 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS Index: head/contrib/openbsm/libbsm/au_user.3 =================================================================== --- head/contrib/openbsm/libbsm/au_user.3 (revision 155364) +++ head/contrib/openbsm/libbsm/au_user.3 (revision 155365) 
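Review bot: beyond the `.Dt` to `.Ft` and "sucess" fixes, the SYNOPSIS in this hunk disagrees with its own NAME list in several places: `.Fn au_to_file "char *file"` is declared twice; `.Fn au_to_sock_int` does not match the `au_to_sock_inet` listed under NAME or the other `au_to_sock_inet*` prototypes; and `au_to_attr32`/`au_to_attr` are prototyped but missing from NAME, while `au_to_process`/`au_to_process_ex` are in NAME but have no prototype. Also `au_to_subject32_ex` is declared with `au_tid_t *tid` whereas `au_to_subject64_ex` and `au_to_subject_ex` take `au_tid_addr_t *tid`; the `_ex` variants presumably share the extended type, so one of these is a typo. The page ends with an empty `.Sh BUGS`, which should either get content or be dropped.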
@@ -1,136 +1,136 @@ .\"- .\" Copyright (c) 2005-2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. 
.\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#4 $ .\" .Dd April 19, 2005 .Dt AU_USER 3 .Os .Sh NAME .Nm setauuser , .Nm endauuser , .Nm getauuserent , .Nm getauuserent_r , .Nm getauusernam , .Nm getauusernam_r , .Nm au_user_mask , .Nm getfauditflags .Nd "Look up information from the audit_user database" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Ft void .Fn setauuser "void" .Ft void .Fn endauuser "void" .Ft struct au_user_ent * .Fn getauuserent "void" .Ft struct au_user_ent * .Fn getauuserent_r "struct au_user_ent *u" "void" .Ft struct au_user_ent * .Fn getauusernam "const char *name" .Ft struct au_user_ent * .Fn getauusernam_r "struct au_user_ent *u" "const char *name" .Ft int .Fn au_user_mask "char *username" "au_mask_t *mask_p" .Ft int .Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask" .Sh DESCRIPTION These interfaces may be used to look up information from the .Xr audit_user 5 database, which describes per-user audit configuration. Audit user entries are described by a .Vt au_user_ent , which stores the user's name in .Dv au_name , events to always audit in .Dv au_always , and events never to audit .Dv au_never . .Pp .Fn getauuserent -return the next user found in the +returns the next user found in the .Xr audit_user 5 database, or the first if the function has not yet been called. .Dv NULL will be returned if no further records are available. .Pp .Fn getauusernam looks up a user by name. .Dv NULL will be returned if no matching class can be found. .Pp .Fn setauuser resets the iterator through the .Xr audit_user 5 database, causing the next call to .Fn getauuserent to start again from the beginning of the file. .Pp .Fn endauuser closes the .Xr audit_user 5 database, if open. 
.Pp .Nm au_user_mask -calculate a new session audit mask to be returned via +calculates a new session audit mask to be returned via .Dv mask_p for the user identified by .Dv username . If the user audit configuration is not found, the default system audit properties returned by .Xr getacflg 3 . The resulting mask may be set via a call to .Xr setaudit 3 or related variants. .Pp .Nm getfauditflags XXXXXXXXXXXXXXXXX .Sh SEE ALSO .Xr libbsm 3 , .Xr getacflg 3 , .Xr setaudit 3 , .Xr audit_user 5 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS These routines cannot currently distinguish between an entry not being found and an error accessing the database. The implementation should be changed to return an error via .Va errno when .Dv NULL is returned. Index: head/contrib/openbsm/libbsm/libbsm.3 =================================================================== --- head/contrib/openbsm/libbsm/libbsm.3 (revision 155364) +++ head/contrib/openbsm/libbsm/libbsm.3 (revision 155365) 
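Review bot: the `getfauditflags` description in this hunk is still the placeholder `XXXXXXXXXXXXXXXXX`, so a function exposed in NAME and SYNOPSIS ships undocumented; either describe it (its prototype takes `usremask`, `usrdmask` and `lastmask`) or remove it from the page until it is. Other defects in the same text: `.Fn getauuserent_r "struct au_user_ent *u" "void"` has a spurious `"void"` argument; "NULL will be returned if no matching class can be found" under `getauusernam` should say "user" (it reads as copied from au_class.3); and "the default system audit properties returned by getacflg 3." has no main verb, presumably "are used". The BUGS note that NULL cannot distinguish not-found from a database error is worth keeping prominent: `au_user_mask` falls back to the `getacflg` defaults when the user entry is not found, so an unreadable database silently yields the default mask instead of an error.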
@@ -1,220 +1,219 @@ .\"- .\" Copyright (c) 2005-2006 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#4 $ .\" .Dd April 19, 2005 .Dt LIBBSM 3 .Os .Sh NAME .Nm libbsm .Nd "Basic Security Module (BSM) Audit API" .Sh LIBRARY .Lb libbsm .Sh SYNOPSIS .In libbsm.h .Sh DESCRIPTION The .Nm library routines provide an interface to BSM audit record streams, allowing both the parsing of existing audit streams, as well as the creation of new audit records and streams. 
.Sh INTERFACES .Nm provides a large number of Audit programming interfaces in several classes: event stream interfaces, class interfaces, control interfaces, event interfaces, I/O interfaces, mask interfaces, notification interfaces, token interfaces, and user interfaces. These are described respectively in the -.Xr au_stream 3 , .Xr au_class 3 , .Xr au_control 3 , .Xr au_event 3 , .Xr au_mask 3 , .Xr au_notify 3 , +.Xr au_stream 3 , .Xr au_token 3 , .Xr au_user 3 man pages. .Ss Audit Event Stream Interfaces Audit event stream interfaces support interaction with file-backed audit event streams: +.Xr au_close 3 . .Xr au_free_token 3 , -.Xr au_free_token 3 , .Xr au_open 3 , .Xr au_write 3 , -.Xr au_close 3 . .Ss Audit Class Interfaces Audit class interfaces support the look up of information from the .Xr audit_class 5 database: +.Xr endauclass 3 , .Xr getauclassent 3 , .Xr getauclassent_r 3 , .Xr getauclassnam 3 , .Xr getauclassnam_r 3 , -.Xr setauclass 3 , -.Xr endauclass 3 . +.Xr setauclass 3 . .Ss Audit Control Interfaces Audit control interfaces support the look up of information from the .Xr audit_control 5 database: -.Xr setac 3 , .Xr endac 3 , +.Xr setac 3 , .Xr getacdir 3 , -.Xr getacmin 3 , .Xr getacflg 3 , +.Xr getacmin 3 , .Xr getacna 3 . .Ss Audit Event Interfaces Audit event interfaces support the look up of information from the .Xr audit_event 5 database: -.Xr setauevent 3 , .Xr endauevent 3 , +.Xr setauevent 3 , .Xr getauevent 3 , .Xr getauevent_r 3 , .Xr getauevnam 3 , .Xr getauevnam_r 3 , -.Xr getauevnum 3 , -.Xr getauevnum_r 3 , .Xr getauevnonam 3 , .Xr getauevnonam_r 3 , +.Xr getauevnum 3 , +.Xr getauevnum_r 3 . .Ss Audit I/O Interfaces Audit I/O interfaces support the processing and printing of tokens, as well as the reading of audit records: .Xr au_fetch_tok 3 , .Xr au_print_tok 3 , .Xr au_read_rec 3 . .Ss Audit Mask Interfaces Audit mask interfaces convert support the conversion between strings and .Vt au_mask_t values. 
They may also be used to determine if a particular audit event is matched by a mask: .Xr au_preselect 3 , .Xr getauditflagsbin 3 , .Xr getauditflagschar 3 . .Ss Audit Notification Interfaces Audit notification routines track audit state in a form permitting efficient update, avoiding frequent system calls to check the kernel audit state: +.Xr au_get_state 3 , .Xr au_notify_initialize 3 , -.Xr au_notify_terminate 3 , -.Xr au_get_state 3 . +.Xr au_notify_terminate 3 . These interfaces are implemented only for Darwin/Mac OS X. .Ss Audit Token Interface Audit token interfaces permit the creation of tokens for use in creating audit records for submission to event streams. Each interface converts a C type to its .Vt token_t representation. +.Xr au_to_arg 3 , .Xr au_to_arg32 3 , .Xr au_to_arg64 3 , -.Xr au_to_arg 3 , .Xr au_to_attr64 3 , .Xr au_to_data 3 , +.Xr au_to_exec_args 3 , +.Xr au_to_exec_env 3 , .Xr au_to_exit 3 , +.Xr au_to_file 3 , .Xr au_to_groups 3 , -.Xr au_to_newgroups 3 , +.Xr au_to_header32 3 , +.Xr au_to_header64 3 , .Xr au_to_in_addr 3 , .Xr au_to_in_addr_ex 3 , .Xr au_to_ip 3 , .Xr au_to_ipc 3 , .Xr au_to_ipc_perm 3 , .Xr au_to_iport 3 , +.Xr au_to_me 3 , +.Xr au_to_newgroups 3 , .Xr au_to_opaque 3 , -.Xr au_to_file 3 , -.Xr au_to_text 3 , .Xr au_to_path 3 , +.Xr au_to_process 3 , .Xr au_to_process32 3 , .Xr au_to_process64 3 , -.Xr au_to_process 3 , +.Xr au_to_process_ex 3 , .Xr au_to_process32_ex 3 , .Xr au_to_process64_ex 3 , -.Xr au_to_process_ex 3 , +.Xr au_to_return 3 , .Xr au_to_return32 3 , .Xr au_to_return64 3 , -.Xr au_to_return 3 , .Xr au_to_seq 3 , .Xr au_to_socket 3 , .Xr au_to_socket_ex_32 3 , .Xr au_to_socket_ex_128 3 , +.Xr au_to_sock_inet 3 , .Xr au_to_sock_inet32 3 , .Xr au_to_sock_inet128 3 , -.Xr au_to_sock_inet 3 , +.Xr au_to_subject 3 , .Xr au_to_subject32 3 , .Xr au_to_subject64 3 , -.Xr au_to_subject 3 , +.Xr au_to_subject_ex 3 , .Xr au_to_subject32_ex 3 , .Xr au_to_subject64_ex 3 , -.Xr au_to_subject_ex 3 , -.Xr au_to_me 3 , 
-.Xr au_to_exec_args 3 , -.Xr au_to_exec_env 3 , -.Xr au_to_header32 3 , -.Xr au_to_header64 3 , +.Xr au_to_text 3 , .Xr au_to_trailer 3 . .Ss Audit User Interfaces Audit user interfaces support the look up of information from the .Xr audit_user 5 database: -.Xr setauuser 3 , +.Xr au_user_mask 3 , .Xr endauuser 3 , +.Xr setauuser 3 , .Xr getauuserent 3 , .Xr getauuserent_r 3 , .Xr getauusernam 3 , .Xr getauusernam_r 3 , -.Xr au_user_mask 3 , .Xr getfauditflags 3 . .Sh SEE ALSO .Xr au_class 3 , .Xr au_mask 3 , .Xr au_notify 3 , .Xr au_stream 3 , .Xr au_token 3 , .Xr au_user 3 , .Xr audit_class 5 , .Xr audit_control 5 .Sh AUTHORS This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS Bugs would not be unlikely. .Pp The .Nm library implementations are generally thread-safe, but not reentrant. .Pp The assignment of routines to classes could use some work, as it is decidely ad hoc. For example, .Fn au_read_rec should probably be considered a stream routine. Index: head/contrib/openbsm/man/audit.log.5 =================================================================== --- head/contrib/openbsm/man/audit.log.5 (revision 155364) +++ head/contrib/openbsm/man/audit.log.5 (revision 155365) 
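Review bot: the reordering in the Audit Event Stream Interfaces list moved the terminating period along with its item: the list now begins with `+.Xr au_close 3 .` and ends with `.Xr au_write 3 ,`, so the sentence ends after the first entry and the last entry carries a trailing comma. Change `.Xr au_close 3 .` to `.Xr au_close 3 ,` and `.Xr au_write 3 ,` to `.Xr au_write 3 .`. The other reordered lists (class, control, event, notification, token, user) keep the period on their last item correctly. Two wording points in the unchanged context: "Audit mask interfaces convert support the conversion between strings and" has a stray "convert"; and the token list names `au_to_attr64` but not `au_to_attr32` or `au_to_attr`, both of which au_token.3's SYNOPSIS declares.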
@@ -1,625 +1,625 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#7 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#8 $ .\" .Dd May 1, 2005 .Dt AUDIT.LOG 5 .Os .Sh NAME .Nm audit .Nd "Basic Security Module (BSM) File Format" .Sh DESCRIPTION The .Nm file format is based on Sun's Basic Security Module (BSM) file format, a token-based record stream to represent system audit data. This file format is both flexible and extensible, able to describe a broad range of data types, and easily extended to describe new data types in a moderately backward and forward compatible way. 
.Pp BSM token streams typically begin and end with a .Dv file token, which provides time stamp and file name information for the stream; when processing a BSM token stream from a stream as opposed to a single file source, file tokens may be seen at any point between ordinary records identifying when particular parts of the stream begin and end. All other tokens will appear in the context of a complete BSM audit record, which begins with a .Dv header token, and ends with a .Dv trailer token, which describe the audit record. Between these two tokens will appear a variety of data tokens, such as process information, file path names, IPC object information, MAC labels, socket information, and so on. .Pp The BSM file format defines specific token orders for each record event type; however, some variation may occur depending on the operating system in use, what system options, such as mandatory access control, are present. .Pp This manual page documents the common token types and their binary format, and is intended for reference purposes only. It is recommended that application programmers use the .Xr libbsm 3 interface to read and write tokens, rather than parsing or constructing records by hand. .Ss File Token The .Dv file token is used at the beginning and end of an audit log file to indicate when the audit log begins and ends. It includes a pathname so that, if concatenated together, original file boundaries are still observable, and gaps in the audit log can be identified. A .Dv file token can be created using .Xr au_to_file 3 . 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Seconds" Ta "4 bytes" Ta "File time stamp" .It Li "Microseconds" Ta "4 bytes" Ta "File time stamp" .It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail" .It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail" .El .Ss Header Token The .Dv header token is used to mark the beginning of a complete audit record, and includes the length of the total record in bytes, a version number for the record layout, the event type and subtype, and the time at which the event occurred. A .Dv header token can be created using .Xr au_to_header32 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" .It Li "Version Number" Ta "2 bytes" Ta "Record version number" .It Li "Event Type" Ta "2 bytes" Ta "Event type" .It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" .It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" .It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" .El .Ss Expanded Header Token The .Dv expanded header token is an expanded version of the .Dv header token, with the addition of a machine IPv4 or IPv6 address. The .Xr libbsm 3 API cannot currently create an .Dv expanded header token. 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" .It Li "Version Number" Ta "2 bytes" Ta "Record version number" .It Li "Event Type" Ta "2 bytes" Ta "Event type" .It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" .It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length" .It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" .It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" .It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" .El .Ss Trailer Token The .Dv trailer terminates a BSM audit record, and contains a magic number, .Dv TRAILER_PAD_MAGIC and length that can be used to validate that the record was read properly. A .Dv trailer token can be created using .Xr au_to_trailer 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number" .It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" .El .Ss Arbitrary Data Token The .Dv arbitrary data token contains a byte stream of opaque (untyped) data. The size of the data is calculated as the size of each unit of data multipled by the number of units of data. A .Dv How to print field is present to specify how to print the data, but interpretation of that field is not currently defined. The .Xr libbsm 3 API cannot currently create an .Dv arbitrary data token. 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "How to Print" Ta "1 byte" Ta "User-defined printing information" .It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes" .It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present" .It Li "Data Items" Ta "Variable" Ta "User data" .El .Ss in_addr Token The .Dv in_addr token holds a network byte order IPv4 or IPv6 address. An .Dv in_addr token can be created using .Xr au_to_in_addr 3 for an IPv4 address, or .Xr au_to_in_addr_ex 3 for an IPv6 address. .Pp See the BUGS section for information on the storage of this token. .Pp .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "IP Address Type" Ta "1 byte" Ta "Type of address" .It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" .El .Ss Expanded in_addr Token The .Dv expanded in_addr token ... .Pp See the BUGS section for information on the storage of this token. .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It XXXX .El .Ss ip Token The .Dv ip token contains an IP packet header in network byte order. An .Dv ip -token can be cread using +token can be created using .Xr au_to_ip 3 . 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" .It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" .It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" .It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" .It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order" .It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live" .It Li "Protocol" Ta "1 byte" Ta "IP protocol number" .It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order" .It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address" .It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address" .El .Ss Expanded ip Token The .Dv expanded ip token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It XXXX .El .Ss iport Token The .Dv iport token stores an IP port number in network byte order. An .Dv iport token can be created using .Xr au_to_iport 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order" .El .Ss Path Token The .Dv path token contains a pathname. A .Dv path token can be created using -.Xr auto_path 3 . +.Xr au_to_path 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" .It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" .El .Ss path_attr Token The .Dv path_attr token contains a set of nul-terminated path names. 
The .Xr libbsm 3 -API cannot currently create an +API cannot currently create a .Dv path_attr token. .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" .It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" .El .Ss Process Token The .Dv process token contains a description of the security properties of a process involved as the target of an auditable event, such as the destination for signal delivery. It should not be confused with the .Dv subject token, which describes the subject performing an auditable event. This includes both the traditional .Ux security properties, such as user IDs and group IDs, but also audit -information such as the audit user ID and sesion. +information such as the audit user ID and session. A .Dv process token can be created using .Xr au_to_process32 3 or .Xr au_to_process64 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" .It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" .It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" .It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" .It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" .It Li "Process ID" Ta "4 bytes" Ta "Process ID" .It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" .It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" .It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" .El .Ss Expanded Process Token The .Dv expanded process token contains the contents of the .Dv process token, with the addition of a machine address type and variable length address storage capable of containing IPv6 addresses. 
-A +An .Dv expanded process token can be created using .Xr au_to_process32_ex 3 or -.Xr au_to_process64 3 . +.Xr au_to_process64_ex 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" .It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" .It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" .It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" .It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" .It Li "Process ID" Ta "4 bytes" Ta "Process ID" .It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" .It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" .It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" .It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" .El .Ss Return Token The .Dv return token contains a system call or library function return condition, including return value and error number associated with the global variable .Er errno . A .Dv return token can be created using .Xr au_to_return32 3 or .Xr au_to_return64 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined" .It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)" .El .Ss Subject Token The .Dv subject token contains information on the subject performing the operation described by an audit record, and includes similar information to that found in the .Dv process and .Dv expanded process tokens. However, those tokens are used where the process being described is the target of the operation, not the authorizing party. A .Dv subject token can be created using .Xr au_to_subject32 3 and .Xr au_to_subject64 3 . 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" .It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" .It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" .It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" .It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" .It Li "Process ID" Ta "4 bytes" Ta "Process ID" .It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" .It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" .It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" .El .Ss Expanded Subject Token The .Dv expanded subject token consists of the same elements as the .Dv subject token, with the addition of type/length and variable size machine address information in the terminal ID. -A +An .Dv expanded subject token can be created using .Xr au_to_subject32_ex 3 or .Xr au_to_subject64_ex 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" .It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" .It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" .It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" .It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" .It Li "Process ID" Ta "4 bytes" Ta "Process ID" .It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" .It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" .It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" .It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" .El .Ss System V IPC Token The .Dv System V IPC token ... 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" -.It Li "object ID type" Ta "1 byte" Ta "Object ID" +.It Li "Object ID type" Ta "1 byte" Ta "Object ID" .It Li "Object ID" Ta "4 bytes" Ta "Object ID" .El .Ss Text Token The .Dv text token contains a single nul-terminated text string. A .Dv text token may be created using .Xr au_to_text 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul" .It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul" .El .Ss Attribute Token The .Dv attribute token describes the attributes of a file associated with the audit event. As files may be identified by 0, 1, or many path names, a path name is not included with the attribute block for a file; optional .Dv path tokens may also be present in an audit record indicating which path, if any, was used to reach the object. -A +An .Dv attribute token can be created using .Xr au_to_attr32 3 or .Xr au_to_attr64 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file" .It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file" .It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file" .It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file" .It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file" .It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)" .El .Ss Groups Token The .Dv groups token contains a list of group IDs associated with the audit event. 
A .Dv groups token can be created using .Xr au_to_groups 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token" .It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs" .El .Ss System V IPC Permission Token The .Dv System V IPC permission token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Arg Token The .Dv arg token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss exec_args Token The .Dv exec_args token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss exec_env Token The .Dv exec_env token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Exit Token The .Dv exit token contains process exit/return code information. An .Dv exit token can be created using .Xr au_to_exit 3 . .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Status" Ta "4 bytes" Ta "Process status on exit" .It Li "Return Value" ta "4 bytes" Ta "Process return value on exit" .El .Ss Socket Token The .Dv socket token ... 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Expanded Socket Token The .Dv expanded socket token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Seq Token The .Dv seq token contains a unique and monotonically increasing audit event sequence ID. Due to the limited range of 32 bits, serial number arithmetic and caution should be used when comparing sequence numbers. .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number" .El .Ss privilege Token The .Dv privilege token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Use-of-auth Token The .Dv use-of-auth token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Command Token The .Dv command token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss ACL Token The .Dv ACL token ... .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Ss Zonename Token The .Dv zonename token ... 
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" .It Sy "Field" Ta Sy Bytes Ta Sy Description .It Li "Token ID" Ta "1 byte" Ta "Token ID" .It Li XXXXX .El .Sh SEE ALSO -.Xr audit 8, -.Xr libbsm 3 +.Xr libbsm 3 , +.Xr audit 8 .Sh AUTHORS The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Pp This manual page was written by .An Robert Watson Aq rwatson@FreeBSD.org . .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh BUGS The .Dv How to print field in the .Dv arbitrary data token has undefined values. .Pp The .Dv in_addr and .Dv in_addr_ex token layout documented here appears to be in conflict with the .Xr libbsm 3 implementations of .Xr au_to_in_addr 3 and .Xr au_to_in_addr_ex 3 . Index: head/contrib/openbsm/man/audit_class.5 =================================================================== --- head/contrib/openbsm/man/audit_class.5 (revision 155364) +++ head/contrib/openbsm/man/audit_class.5 (revision 155365) 
@@ -1,70 +1,71 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#7 $ .\" -.Dd Jan 24, 2004 +.Dd January 24, 2004 .Dt AUDIT_CLASS 5 .Os .Sh NAME .Nm audit_class .Nd "contains audit event class descriptions" .Sh DESCRIPTION The .Nm file contains descriptions of the auditable event classes on the system. 
Each auditable event is a member of an event class. Each line maps an audit event mask (bitmap) to a class and a description. -Entries are of the form -.Dl classmask:eventclass:description. +Entries are of the form: +.Pp +.Dl classmask:eventclass:description .Pp Example entries in this file are: .Bd -literal -offset indent 0x00000000:no:invalid class 0x00000001:fr:file read 0x00000002:fw:file write 0x00000004:fa:file attribute access 0x00000080:pc:process 0xffffffff:all:all flags set .Ed .Sh FILES .Bl -tag -width "/etc/security/audit_class" -compact .It Pa /etc/security/audit_class .El .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/audit_control.5 =================================================================== --- head/contrib/openbsm/man/audit_control.5 (revision 155364) +++ head/contrib/openbsm/man/audit_control.5 (revision 155365) 
@@ -1,121 +1,124 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $ .\" -.Dd Jan 24, 2004 +.Dd January 4, 2006 .Dt AUDIT_CONTROL 5 .Os .Sh NAME .Nm audit_control .Nd "contains audit system parameters" .Sh DESCRIPTION The .Nm file contains several audit system parameters. 
Each line of this file is of the form: -.Dl parameter:value. +.Pp +.Dl parameter:value +.Pp The parameters are: .Bl -tag -width Ds .It Pa dir The directory where audit log files are stored. There may be more than one of these entries. Changes to this entry can only be enacted by restarting the audit system. See .Xr audit 1 for a description of how to restart the audit system. .It Va flags Specifies which audit event classes are audited for all users. .Xr audit_user 5 describes how to audit events for individual users. See the information below for the format of the audit flags. .It Va naflags Contains the audit flags that define what classes of events are audited when an action cannot be attributed to a specific user. .It Va minfree The minimum free space required on the file system audit logs are being written to. When the free space falls below this limit a warning will be issued. Not currently used as the value of 20 percent is chosen by the kernel. .El .Sh AUDIT FLAGS -Audit flags are a comma delimited list of audit classes as defined in the -audit_class file. +Audit flags are a comma-delimited list of audit classes as defined in the +.Pa audit_class +file. See .Xr audit_class 5 for details. Event classes may be preceded by a prefix which changes their interpretation. 
The following prefixes may be used for each class: +.Pp .Bl -tag -width Ds -compact -offset indent .It + Record successful events .It - Record failed events .It ^ Record both successful and failed events .It ^+ -Don't record successful events +Do not record successful events .It ^- -Don't record failed events +Do not record failed events .El .Sh DEFAULT The following settings appear in the default .Nm file: .Bd -literal -offset indent dir:/var/audit -flags:lo,ad,-all,^-fc,^-cl +flags:lo minfree:20 naflags:lo .Ed .Pp The .Va flags parameter above specifies the system-wide mask corresponding to login/logout -events, administrative events, and all failures except for failures in creating -or closing files. +events. .Sh FILES .Bl -tag -width "/etc/security/audit_control" -compact .It Pa /etc/security/audit_control .El .Sh SEE ALSO -.Xr audit 1 , -.Xr auditd 8 , .Xr audit_class 5 , -.Xr audit_user 5 +.Xr audit_user 5 , +.Xr audit 8 , +.Xr auditd 8 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/audit_event.5 =================================================================== --- head/contrib/openbsm/man/audit_event.5 (revision 155364) +++ head/contrib/openbsm/man/audit_event.5 (revision 155365) 
@@ -1,74 +1,78 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#8 $ .\" -.Dd Jan 24, 2004 +.Dd January 24, 2004 .Dt AUDIT_EVENT 5 .Os .Sh NAME .Nm audit_event .Nd "contains audit event descriptions" .Sh DESCRIPTION The .Nm file contains descriptions of the auditable events on the system. 
Each line maps an audit event number to a name, a description, and a class. -Entries are of the form -.Dl eventnum:eventname:description:eventclass . +Entries are of the form: +.Pp +.Dl eventnum:eventname:description:eventclass +.Pp Each .Vt eventclass -should have a corresponding entry in the audit_class file. +should have a corresponding entry in the +.Pa audit_class +file. See .Xr audit_class 5 for details. .Pp Example entries in this file are: .Bd -literal -offset indent 0:AUE_NULL:indir system call:no 1:AUE_EXIT:exit(2):pc 2:AUE_FORK:fork(2):pc 3:AUE_OPEN:open(2):fa .Ed .Sh FILES .Bl -tag -width "/etc/security/audit_event" -compact .It Pa /etc/security/audit_event .El .Sh SEE ALSO .Xr audit_class 5 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/audit_user.5 =================================================================== --- head/contrib/openbsm/man/audit_user.5 (revision 155364) +++ head/contrib/openbsm/man/audit_user.5 (revision 155365) 
@@ -1,91 +1,93 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $ .\" -.Dd Jan 24, 2004 +.Dd February 5, 2006 .Dt AUDIT_USER 5 .Os .Sh NAME .Nm audit_user .Nd "specifies events to be audited for the given users" .Sh DESCRIPTION The .Nm file specifies which audit event classes are to be audited for the given users. 
If specified, these flags are combined with the system-wide audit flags in the .Pa audit_control file to determine which classes of events to audit for that user. These settings take effect when the user logs in. .Pp Each line maps a user name to a list of classes that should be audited and a list of classes that should not be audited. -Entries are of the form of -.Dl username:alwaysaudit:neveraudit , -where +Entries are of the form: +.Pp +.Dl username:alwaysaudit:neveraudit +.Pp +In the format above, .Vt alwaysaudit is a set of event classes that are always audited, and .Vt neveraudit is a set of event classes that should not be audited. These sets can indicate the inclusion or exclusion of multiple classes, and whether to audit successful or failed events. See .Xr audit_control 5 for more information about audit flags. .Pp Example entries in this file are: .Bd -literal -offset indent root:lo,ad:no jdoe:-fc,ad:+fw .Ed .Pp -These settings would cause login and administrative events that succeed on -behalf of user root to be audited. +These settings would cause login/logout and administrative events that +succeed on behalf of user root to be audited. No failure events are audited. For the user .Em jdoe , failed file creation events are audited, administrative events are audited, and successful file write events are never audited. .Sh FILES .Bl -tag -width "/etc/security/audit_user" -compact .It Pa /etc/security/audit_user .El .Sh SEE ALSO .Xr audit_control 5 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 
It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/audit_warn.5 =================================================================== --- head/contrib/openbsm/man/audit_warn.5 (revision 155364) +++ head/contrib/openbsm/man/audit_warn.5 (revision 155365) 
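Review bot: the reworded sentence "+These settings would cause login/logout and administrative events that" / "+succeed on behalf of user root to be audited." and the unchanged "No failure events are audited." that follows do not match the example entry "root:lo,ad:no". The classes carry no "+" prefix, and the same page's jdoe example uses "-fc" for failed and "+fw" for successful events, so an unprefixed "lo,ad" selects both successful and failed events under the audit_control(5) prefix convention. Either change the example to "root:+lo,+ad:no" or drop the success-only wording and the "No failure events are audited." sentence.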
@@ -1,69 +1,69 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived .\" from this software without specific prior written permission. .\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR .\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, .\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#6 $ .\" -.Dd Mar 17, 2004 +.Dd March 17, 2004 .Dt AUDIT_WARN 5 .Os .Sh NAME .Nm audit_warn .Nd "alert when audit daemon issues warnings" .Sh DESCRIPTION .Nm runs when .Xr auditd 8 generates warning messages. 
.Pp The default .Nm is a script whose first parameter is the type of warning; the script appends its arguments to .Pa /etc/security/audit_messages . Administrators may replace this script: a more comprehensive one would take different actions based on the type of warning. For example, a low-space warning could result in an email message being sent to the administrator. .Sh FILES .Bl -tag -width "/etc/security/audit_warn" -compact .It Pa /etc/security/audit_warn .It Pa /etc/security/audit_messages .El .Sh SEE ALSO .Xr auditd 8 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/auditon.2 =================================================================== --- head/contrib/openbsm/man/auditon.2 (revision 155364) +++ head/contrib/openbsm/man/auditon.2 (revision 155365) 
@@ -1,288 +1,291 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" Copyright (c) 2005 Tom Rhodes .\" Copyright (c) 2005 Wayne J. Salamon .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $ .\" .Dd April 19, 2005 .Dt AUDITON 2 .Os .Sh NAME .Nm auditon .Nd "Configure system audit parameters" .Sh SYNOPSIS .In bsm/audit.h .Ft int .Fn auditon "int cmd" "void *data" "u_int length" .Sh DESCRIPTION The .Nm system call is used to manipulate various audit control operations. .Ft *data should point to a structure whose type depends on the command. 
.Ft length specifies the size of the .Em data in bytes. .Ft cmd may be any of the following: .Bl -tag -width ".It Dv A_GETPINFO_ADDR" .It Dv A_SETPOLICY Set audit policy flags. .Ft *data -must point to an long value set to one of the audit -policy control values defined in audit.h. +must point to a long value set to one of the audit +policy control values defined in +.Pa audit.h . Currently, only .Dv AUDIT_CNT and .Dv AUDIT_AHLT are implemented. In the .Dv AUDIT_CNT case, the action will continue regardless if an event will not be audited. In the .Dv AUDIT_AHLT case, a .Xr panic 9 will result if an event will not be written to the audit log file. .It Dv A_SETKAUDIT Return .Er ENOSYS . .It Dv A_SETKMASK Set the kernel preselection masks (success and failure). .Ft *data must point to a .Ft au_mask_t structure containing the mask values. These masks are used for non-attributable audit event preselection. .It Dv A_SETQCTRL Set kernel audit queue parameters. .Ft *data -must point to a +must point to a .Ft au_qctrl_t structure containing the kernel audit queue control settings: .Va high water , .Va low water , .Va output buffer size , .Va percent min free disk space , and .Em delay (not currently used). .It Dv A_SETSTAT Return .Er ENOSYS . .It Dv A_SETUMASK Return .Er ENOSYS . .It Dv A_SETSMASK Return .Er ENOSYS . .It Dv A_SETCOND Set the current auditing condition. .Ft *data -must point to an long value containing the new +must point to a long value containing the new audit condition, one of .Dv AUC_AUDITING , .Dv AUC_NOAUDIT , or .Dv AUC_DISABLED . .It Dv A_SETCLASS Set the event class preselection mask for an audit event. .Ft *data -must point to a +must point to a .Ft au_evclass_map_t structure containing the audit event and mask. .It Dv A_SETPMASK Set the preselection masks for a process. .Ft *data -must point to a +must point to a .Ft auditpinfo_t structure that contains the given process's audit preselection masks for both success and failure. 
.It Dv A_SETFSIZE Set the maximum size of the audit log file. .Ft *data must point to a .Ft au_fstat_t structure with the .Ft af_filesz field set to the maximum audit log file size. A value of 0 indicates no limit to the size. .It Dv A_SETKAUDIT Return .Er ENOSYS . .It Dv A_GETCLASS Return the event to class mapping for the designated audit event. .Ft *data must point to a .Ft au_evclass_map_t structure. .It Dv A_GETKAUDIT Return .Er ENOSYS . .It Dv A_GETPINFO Return the audit settings for a process. .Ft *data must point to a .Ft auditpinfo_t structure which will be set to contain the audit ID, preselection mask, terminal ID, and audit session ID of the given process. .It Dv A_GETPINFO_ADDR Return .Er ENOSYS . .It Dv A_GETKMASK Return the current kernel preselection masks. .Ft *data must point to a .Ft au_mask_t structure which will be set to the current kernel preselection masks for non-attributable events. .It Dv A_GETPOLICY Return the current audit policy setting. .Ft *data -must point to an long value which will be set to +must point to a long value which will be set to one of the current audit policy flags. Currently, only .Dv AUDIT_CNT and .Dv AUDIT_AHLT are implemented. .It Dv A_GETQCTRL Return the current kernel audit queue control parameters. .Ft *data must point to a .Ft au_qctrl_t structure which will be set to the current kernel audit queue control parameters. .It Dv A_GETFSIZE Returns the maximum size of the audit log file. .Ft *data must point to a .Ft au_fstat_t structure. The .Ft af_filesz -field will set to the maximum audit log file size. A value of 0 -indicates no limit to the size. +field will be set to the maximum audit log file size. +A value of 0 indicates no limit to the size. The .Ft af_filesz will be set to the current audit log file size. .It Dv A_GETCWD .\" [COMMENTED OUT]: Valid description, not yet implemented. .\" Return the current working directory as stored in the audit subsystem. Return .Er ENOSYS . 
.It Dv A_GETCAR .\" [COMMENTED OUT]: Valid description, not yet implemented. .\"Stores and returns the current active root as stored in the audit .\"subsystem. Return .Er ENOSYS . .It Dv A_GETSTAT .\" [COMMENTED OUT]: Valid description, not yet implemented. .\"Return the statistics stored in the audit system. Return .Er ENOSYS . .It Dv A_GETCOND Return the current auditing condition. .Ft *data must point to a long value which will be set to the current audit condition, either .Dv AUC_AUDITING or .Dv AUC_NOAUDIT . .It Dv A_SENDTRIGGER Send a trigger to the audit daemon. .Fr *data must point to a long value set to one of the acceptable trigger values: .Dv AUDIT_TRIGGER_LOW_SPACE (low disk space where the audit log resides), .Dv AUDIT_TRIGGER_OPEN_NEW (open a new audit log file), .Dv AUDIT_TRIGGER_READ_FILE -(read the audit_control file), +(read the +.Pa audit_control +file), .Dv AUDIT_TRIGGER_CLOSE_AND_DIE (close the current log file and exit), or .Dv AUDIT_TRIGGER_NO_SPACE (no disk space left for audit log file). .El .Sh RETURN VALUES .Rv -std .Sh ERRORS The .Fn auditon function will fail if: .Bl -tag -width Er .It Bq Er ENOSYS Returned by options not yet implemented. .It Bq Er EFAULT A failure occurred while data transferred to or from the kernel failed. .It Bq Er EINVAL Illegal argument was passed by a system call. .It Bq Er EPERM The process does not have sufficient permission to complete the operation. .El .Pp The .Dv A_SENDTRIGGER command is specific to the .Fx and Mac OS X implementations, and is not present in Solaris. .Sh SEE ALSO .Xr audit 2 , .Xr auditctl 2 , .Xr getauid 2 , .Xr setauid 2 , .Xr getaudit 2 , .Xr setaudit 2 , .Xr getaudit_addr 2 , .Xr setaudit_addr 2 , .Xr libbsm 3 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. 
.Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Pp This manual page was written by .An Tom Rhodes Aq trhodes@FreeBSD.org , .An Robert Watson Aq rwatson@FreeBSD.org , and .An Wayne Salamon Aq wsalamon@FreeBSD.org . .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2003. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/getaudit.2 =================================================================== --- head/contrib/openbsm/man/getaudit.2 (revision 155364) +++ head/contrib/openbsm/man/getaudit.2 (revision 155365) 
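Review bot: the A_GETFSIZE rewording ("+field will be set to the maximum audit log file size." / "+A value of 0 indicates no limit to the size.") leaves the following unchanged sentence contradicting it: "The .Ft af_filesz will be set to the current audit log file size." gives the same field a second meaning. The current log size is carried in the au_fstat_t af_currsz field, so the second reference should name af_currsz. Three other items in this hunk's context are untouched: A_SETKAUDIT is listed twice (after A_SETPOLICY and again after A_SETFSIZE), A_SENDTRIGGER uses ".Fr *data" where every other entry uses ".Ft *data", and the ERRORS entry "A failure occurred while data transferred to or from the kernel failed." should read "A failure occurred while copying data to or from the kernel." The HISTORY section also states 2003 while the sibling pages in this commit state 2004.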
@@ -1,80 +1,80 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#5 $ .\" .Dd April 19, 2005 .Dt GETAUDIT 2 .Os .Sh NAME .Nm getaudit , .Nm getaudit_addr .Nd "Retrieve audit session state" .Sh SYNOPSIS .In bsm/audit.h .Ft int .Fn getaudit "auditinfo_t *auditinfo" .Ft int .Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length" .Sh DESCRIPTION .Fn getaudit retrieves the active audit session state for the current process via the .Vt auditinfo_t pointed to by .Va auditinfo . 
.Fn getaudit_addr retrieves extended state via .Va auditinfo_addr and .Va length . .Pp -This system call required appropriate privilege to complete. +This system call requires appropriate privilege to complete. .Sh RETURN VALUES .Nm returns 0 on success, or returns -1 on failure, providing additional error information via .Va errno . .Sh SEE ALSO .Xr audit 2 , .Xr auditon 2 , .Xr getauid 2 , .Xr setauid 2 , .Xr setaudit 2 , .Xr libbsm 3 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Pp This manual page was written by .An Robert Watson Aq rwatson@FreeBSD.org . .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/getauid.2 =================================================================== --- head/contrib/openbsm/man/getauid.2 (revision 155364) +++ head/contrib/openbsm/man/getauid.2 (revision 155365) 
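Review bot: the SEE ALSO list in this hunk's context cross-references setaudit 2 but not setaudit_addr 2, even though the page documents getaudit_addr and the auditon.2 and getauid.2 pages in the same commit list both getaudit_addr 2 and setaudit_addr 2; add ".Xr setaudit_addr 2 ," for consistency. The RETURN VALUES paragraph also opens with a bare ".Nm", which renders only the first name (getaudit) although the section covers getaudit_addr as well; "These system calls return 0 on success" would cover both.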
@@ -1,74 +1,74 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#5 $ .\" .Dd April 19, 2005 .Dt GETAUID 2 .Os .Sh NAME .Nm getauid .Nd "Retrieve audit session ID" .Sh SYNOPSIS .In bsm/audit.h .Ft int .Fn getauid "au_id_t *auid" .Sh DESCRIPTION .Nm retrieves the active audit session ID for the current process via the .Vt au_id_t pointed to by .Va auid . .Pp -This system call required appropriate privilege to complete. +This system call requires appropriate privilege to complete. 
.Sh RETURN VALUES .Nm returns 0 on success, or returns -1 on failure, providing additional error information via .Va errno . .Sh SEE ALSO .Xr audit 2 , .Xr auditon 2 , .Xr setauid 2 , .Xr getaudit 2 , .Xr setaudit 2 , .Xr getaudit_addr 2 , .Xr setaudit_addr 2 , .Xr libbsm 3 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Pp This manual page was written by .An Robert Watson Aq rwatson@FreeBSD.org . .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/setaudit.2 =================================================================== --- head/contrib/openbsm/man/setaudit.2 (revision 155364) +++ head/contrib/openbsm/man/setaudit.2 (revision 155365) 
@@ -1,81 +1,81 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#5 $ .\" .Dd April 19, 2005 .Dt SETAUDIT 2 .Os .Sh NAME .Nm setaudit , .Nm setaudit_addr .Nd "Set audit session state" .Sh SYNOPSIS .In bsm/audit.h .Ft int .Fn setaudit "auditinfo_t *auditinfo" .Ft int .Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length" .Sh DESCRIPTION .Nm sets the active audit session state for the current process via the .Vt auditinfo_t pointed to by .Va auditinfo . .Fn setaudit_addr sets extended state via .Va auditinfo_addr and .Va length . 
.Pp -This system call required appropriate privilege to complete. +This system call requires appropriate privilege to complete. .Sh RETURN VALUES .Nm returns 0 on success, or returns -1 on failure, providing additional error information via .Va errno . .Sh SEE ALSO .Xr audit 2 , .Xr auditon 2 , .Xr getaudit 2 , .Xr getauid 2 , .Xr setauid 2 , .Xr getaudit 2 , .Xr libbsm 3 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Pp This manual page was written by .An Robert Watson Aq rwatson@FreeBSD.org . .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. Index: head/contrib/openbsm/man/setauid.2 =================================================================== --- head/contrib/openbsm/man/setauid.2 (revision 155364) +++ head/contrib/openbsm/man/setauid.2 (revision 155365) 
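Review bot: the SYNOPSIS declares ".Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"" but the DESCRIPTION refers to ".Va auditinfo_addr", so the parameter name does not match; rename the SYNOPSIS argument to auditinfo_addr, as getaudit.2 in this commit does. The SEE ALSO list also cites ".Xr getaudit 2 ," twice and omits getaudit_addr 2 and setaudit_addr 2; replace the duplicate with those two entries.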
@@ -1,74 +1,74 @@ .\"- .\" Copyright (c) 2005 Robert N. M. Watson .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright .\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#5 $ .\" .Dd April 19, 2005 .Dt SETAUID 2 .Os .Sh NAME .Nm setauid .Nd "Set audit session ID" .Sh SYNOPSIS .In bsm/audit.h .Ft int .Fn setauid "au_id_t *auid" .Sh DESCRIPTION .Nm sets the active audit session ID for the current process from the .Vt au_id_t pointed to by .Va auid . .Pp -This system call required appropriate privilege to complete. +This system call requires appropriate privilege to complete. 
.Sh RETURN VALUES .Nm returns 0 on success, or returns -1 on failure, providing additional error information via .Va errno . .Sh SEE ALSO .Xr audit 2 , .Xr auditon 2 , .Xr getauid 2 , .Xr getaudit 2 , .Xr setaudit 2 , .Xr getaudit_addr 2 , .Xr setaudit_addr 2 , .Xr libbsm 3 .Sh AUTHORS This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. .Pp This manual page was written by .An Robert Watson Aq rwatson@FreeBSD.org . .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer Inc. in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.