Vendor branch import of OpenBSM 1.0 alpha 3:
- Man page formatting, cross reference, mlinks, and accuracy improvements. - auditd and tools now compile and run on FreeBSD/arm. - auditd will now fchown() the trail file to the audit review group, if defined at compile-time. - Added AUE_SYSARCH for FreeBSD. - Definition of AUE_SETFSGID fixed for Linux. Many thanks to: brueffer, cognet Obtained from: TrustedBSD Project
parent
742561f0d7
commit
23bf6e2091
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/vendor/openbsm/dist/; revision=155364 svn path=/vendor/openbsm/1.0-ALPHA-3/; revision=155366; tag=vendor/openbsm/1.0-ALPHA-3
@ -1,3 +1,12 @@
|
||||
OpenBSM 1.0 alpha 3
|
||||
|
||||
- Man page formatting, cross reference, mlinks, and accuracy improvements.
|
||||
- auditd and tools now compile and run on FreeBSD/arm.
|
||||
- auditd will now fchown() the trail file to the audit review group, if
|
||||
defined at compile-time.
|
||||
- Added AUE_SYSARCH for FreeBSD.
|
||||
- Definition of AUE_SETFSGID fixed for Linux.
|
||||
|
||||
OpenBSM 1.0 alpha 2
|
||||
|
||||
- Man page formatting improvements.
|
||||
@ -71,5 +80,6 @@ OpenBSM 1.0 alpha 1
|
||||
- Annotate BSM events with origin OS and compatibility information.
|
||||
- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended
|
||||
to support reloading of kernel event table.
|
||||
- Allow comments in /etc/security configuration files.
|
||||
|
||||
$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#7 $
|
||||
$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#10 $
|
||||
|
@ -62,6 +62,8 @@ to the development of OpenBSM:
|
||||
Wojciech Koszek
|
||||
Chunyang Yuan
|
||||
Poul-Henning Kamp
|
||||
Christian Brueffer
|
||||
Olivier Houchard
|
||||
|
||||
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
|
||||
Software's FlexeLint tool were used to identify a number of bugs in the
|
||||
@ -83,4 +85,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
|
||||
|
||||
http://www.TrustedBSD.org/
|
||||
|
||||
$P4: //depot/projects/trustedbsd/openbsm/README#11 $
|
||||
$P4: //depot/projects/trustedbsd/openbsm/README#13 $
|
||||
|
@ -1 +1 @@
|
||||
OPENBSM_1_0_ALPHA_2
|
||||
OPENBSM_1_0_ALPHA_3
|
||||
|
@ -29,9 +29,9 @@
|
||||
.\"
|
||||
.\" @APPLE_BSD_LICENSE_HEADER_END@
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 24, 2004
|
||||
.Dt AUDIT 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -48,7 +48,7 @@ utility controls the state of the audit system.
|
||||
The optional
|
||||
.Ar file
|
||||
operand specifies the location of the audit control input file (default
|
||||
.Pa /etc/security/audit_control ).
|
||||
.Pa /etc/security/audit_control ) .
|
||||
.Pp
|
||||
The options are as follows:
|
||||
.Bl -tag -width Ds
|
||||
@ -65,15 +65,17 @@ Log files are closed
|
||||
and renamed to indicate the time of the shutdown.
|
||||
.El
|
||||
.Sh NOTES
|
||||
The auditd(8) daemon must already be running.
|
||||
The
|
||||
.Xr auditd 8
|
||||
daemon must already be running.
|
||||
.Sh FILES
|
||||
.Bl -tag -width "/etc/security/audit_control" -compact
|
||||
.It Pa /etc/security/audit_control
|
||||
Default audit policy file used to configure the auditing system.
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr audit_control 5 ,
|
||||
.Xr auditd 8
|
||||
.Xr audit_control 5
|
||||
.Sh AUTHORS
|
||||
This software was created by McAfee Research, the security research division
|
||||
of McAfee, Inc., under contract to Apple Computer Inc.
|
||||
|
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#4 $
|
||||
*/
|
||||
/*
|
||||
* Program to trigger the audit daemon with a message that is either:
|
||||
@ -65,7 +65,7 @@ usage(void)
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char ch;
|
||||
int ch;
|
||||
unsigned int trigger = 0;
|
||||
|
||||
if (argc != 2)
|
||||
|
@ -29,9 +29,9 @@
|
||||
.\"
|
||||
.\" @APPLE_BSD_LICENSE_HEADER_END@
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#8 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 24, 2004
|
||||
.Dt AUDITD 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -63,9 +63,14 @@ that may cause audit records to be lost due to log file full conditions
|
||||
.Pp
|
||||
To assure uninterrupted audit support, the
|
||||
.Nm auditd
|
||||
daemon should not be started and stopped manually. Instead, the audit(1) command
|
||||
daemon should not be started and stopped manually.
|
||||
Instead, the
|
||||
.Xr audit 8
|
||||
command
|
||||
should be used to inform the daemon to change state/configuration after altering
|
||||
the audit_control file.
|
||||
the
|
||||
.Pa audit_control
|
||||
file.
|
||||
.Pp
|
||||
.\" Sending a SIGHUP to a running
|
||||
.\" .Nm auditd
|
||||
|
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#11 $
|
||||
*/
|
||||
|
||||
#include <sys/dirent.h>
|
||||
@ -46,6 +46,7 @@
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
#include <grp.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
@ -170,6 +171,34 @@ close_lastfile(char *TS)
|
||||
return (0);
|
||||
}
|
||||
|
||||
/*
|
||||
* Create the new audit file with appropriate permissions and ownership. Try
|
||||
* to clean up if something goes wrong.
|
||||
*/
|
||||
static int
|
||||
#ifdef AUDIT_REVIEW_GROUP
|
||||
open_trail(const char *fname, uid_t uid, gid_t gid)
|
||||
#else
|
||||
open_trail(const char *fname)
|
||||
#endif
|
||||
{
|
||||
int error, fd;
|
||||
|
||||
fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
|
||||
if (fd < 0)
|
||||
return (-1);
|
||||
#ifdef AUDIT_REVIEW_GROUP
|
||||
if (fchown(fd, uid, gid) < 0) {
|
||||
error = errno;
|
||||
close(fd);
|
||||
(void)unlink(fname);
|
||||
errno = error;
|
||||
return (-1);
|
||||
}
|
||||
#endif
|
||||
return (fd);
|
||||
}
|
||||
|
||||
/*
|
||||
* Create the new file name, swap with existing audit file.
|
||||
*/
|
||||
@ -180,7 +209,12 @@ swap_audit_file(void)
|
||||
char *fn;
|
||||
char TS[POSTFIX_LEN];
|
||||
struct dir_ent *dirent;
|
||||
int fd;
|
||||
#ifdef AUDIT_REVIEW_GROUP
|
||||
struct group *grp;
|
||||
gid_t gid;
|
||||
uid_t uid;
|
||||
#endif
|
||||
int error, fd;
|
||||
|
||||
if (getTSstr(TS, POSTFIX_LEN) != 0)
|
||||
return (-1);
|
||||
@ -188,6 +222,22 @@ swap_audit_file(void)
|
||||
strcpy(timestr, TS);
|
||||
strcat(timestr, NOT_TERMINATED);
|
||||
|
||||
#ifdef AUDIT_REVIEW_GROUP
|
||||
/*
|
||||
* XXXRW: Currently, this code falls back to the daemon gid, which is
|
||||
* likely the wheel group. Is there a better way to deal with this?
|
||||
*/
|
||||
grp = getgrnam(AUDIT_REVIEW_GROUP);
|
||||
if (grp == NULL) {
|
||||
syslog(LOG_INFO,
|
||||
"Audit review group '%s' not available, using daemon gid",
|
||||
AUDIT_REVIEW_GROUP);
|
||||
gid = -1;
|
||||
} else
|
||||
gid = grp->gr_gid;
|
||||
uid = getuid();
|
||||
#endif
|
||||
|
||||
/* Try until we succeed. */
|
||||
while ((dirent = TAILQ_FIRST(&dir_q))) {
|
||||
if ((fn = affixdir(timestr, dirent)) == NULL) {
|
||||
@ -201,20 +251,27 @@ swap_audit_file(void)
|
||||
* kernel if all went well.
|
||||
*/
|
||||
syslog(LOG_INFO, "New audit file is %s\n", fn);
|
||||
fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
|
||||
#ifdef AUDIT_REVIEW_GROUP
|
||||
fd = open_trail(fn, uid, gid);
|
||||
#else
|
||||
fd = open_trail(fn);
|
||||
#endif
|
||||
if (fd < 0)
|
||||
perror("File open");
|
||||
else if (auditctl(fn) != 0) {
|
||||
syslog(LOG_ERR,
|
||||
"auditctl failed setting log file! : %s\n",
|
||||
strerror(errno));
|
||||
close(fd);
|
||||
} else {
|
||||
/* Success. */
|
||||
close_lastfile(TS);
|
||||
lastfile = fn;
|
||||
close(fd);
|
||||
return (0);
|
||||
warn("open(%s)", fn);
|
||||
if (fd >= 0) {
|
||||
error = auditctl(fn);
|
||||
if (error) {
|
||||
syslog(LOG_ERR,
|
||||
"auditctl failed setting log file! : %s\n",
|
||||
strerror(errno));
|
||||
close(fd);
|
||||
} else {
|
||||
/* Success. */
|
||||
close_lastfile(TS);
|
||||
lastfile = fn;
|
||||
close(fd);
|
||||
return (0);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
@ -708,7 +765,7 @@ setup(void)
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char ch;
|
||||
int ch;
|
||||
int debug = 0;
|
||||
int rc;
|
||||
|
||||
|
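Review bot: In open_trail() the trail is opened with `O_RDONLY | O_CREAT` and no `O_EXCL`, so if a file of that name already exists the call succeeds without creating anything; the new `fchown(fd, uid, gid)` then re-owns a file auditd did not create, and the failure path's `unlink(fname)` removes it by name. `fd = open(fname, O_RDONLY | O_CREAT | O_EXCL, S_IRUSR | S_IRGRP);` would confine both the chown and the cleanup to a file this call created; how the retry loop in swap_audit_file() should treat the resulting EEXIST needs checking, since that loop continues outside the hunk. In swap_audit_file() itself the open failure is reported with `warn("open(%s)", fn)` while the other messages in the function go through syslog(); if auditd runs detached that message is presumably lost, and `syslog(LOG_ERR, "open(%s): %s", fn, strerror(errno));` would keep it with the rest. The XXXRW comment could also state that `gid = -1` asks fchown() to leave the group unchanged, so the trail keeps whatever group it received at creation.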
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
|
||||
*/
|
||||
|
||||
#ifndef _AUDITD_H_
|
||||
@ -43,6 +43,13 @@
|
||||
#define MAX_DIR_SIZE 255
|
||||
#define AUDITD_NAME "auditd"
|
||||
|
||||
/*
|
||||
* If defined, then the audit daemon will attempt to chown newly created logs
|
||||
* to this group. Otherwise, they will be the default for the user running
|
||||
* auditd, likely the audit group.
|
||||
*/
|
||||
#define AUDIT_REVIEW_GROUP "audit"
|
||||
|
||||
#define POSTFIX_LEN 16
|
||||
#define NOT_TERMINATED ".not_terminated"
|
||||
|
||||
|
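Review bot: The new comment on `AUDIT_REVIEW_GROUP` says logs created without it will likely belong to the audit group, while the XXXRW comment this commit adds to swap_audit_file() in auditd.c says the fallback is the daemon gid, likely wheel; the two should agree, because with the `S_IRGRP` mode the group decides who can read trail files. The macro is also defined unconditionally, so the `#else` branches in auditd.c are reachable only by editing this header. Wrapping it as `#ifndef AUDIT_REVIEW_GROUP`, `#define AUDIT_REVIEW_GROUP "audit"`, `#endif` would let a build override the group name without patching the header.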
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#8 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 24, 2004
|
||||
.Dt AUDITREDUCE 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -124,7 +124,8 @@ Select records containing the given shared memory id.
|
||||
.Sh Examples
|
||||
.Pp
|
||||
To select all records associated with effective user ID root from the audit
|
||||
log /var/audit/20031016184719.20031017122634:
|
||||
log
|
||||
.Pa /var/audit/20031016184719.20031017122634 :
|
||||
.Pp
|
||||
.Nm
|
||||
-e root /var/audit/20031016184719.20031017122634
|
||||
@ -136,9 +137,9 @@ events from that log:
|
||||
.Nm
|
||||
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
|
||||
.Sh SEE ALSO
|
||||
.Xr praudit 1 ,
|
||||
.Xr audit_control 5 ,
|
||||
.Xr audit_event 5 ,
|
||||
.Xr praudit 1
|
||||
.Xr audit_event 5
|
||||
.Sh AUTHORS
|
||||
This software was created by McAfee Research, the security research division
|
||||
of McAfee, Inc., under contract to Apple Computer Inc.
|
||||
|
@ -26,7 +26,7 @@
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#13 $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -529,7 +529,7 @@ main(int argc, char **argv)
|
||||
FILE *fp;
|
||||
int i;
|
||||
char *objval, *converr;
|
||||
char ch;
|
||||
int ch;
|
||||
char timestr[128];
|
||||
char *fname;
|
||||
|
||||
|
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 24, 2004
|
||||
.Dt PRAUDIT 1
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -26,7 +26,7 @@
|
||||
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
|
||||
*/
|
||||
|
||||
/*
|
||||
@ -105,7 +105,7 @@ print_tokens(FILE *fp)
|
||||
int
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
char ch;
|
||||
int ch;
|
||||
int i;
|
||||
FILE *fp;
|
||||
|
||||
|
@ -30,7 +30,7 @@
|
||||
*
|
||||
* @APPLE_BSD_LICENSE_HEADER_END@
|
||||
*
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#34 $
|
||||
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#37 $
|
||||
*/
|
||||
|
||||
#ifndef _BSM_AUDIT_KEVENTS_H_
|
||||
@ -360,7 +360,7 @@
|
||||
#define AUE_NMOUNT 380 /* FreeBSD-specific. */
|
||||
#define AUE_BDFLUSH 381 /* Linux-specific. */
|
||||
#define AUE_SETFSUID 382 /* Linux-specific. */
|
||||
#define AUE_GETFSUID 383 /* Linux-specific. */
|
||||
#define AUE_SETFSGID 383 /* Linux-specific. */
|
||||
#define AUE_PERSONALITY 384 /* Linux-specific. */
|
||||
#define AUE_SCHED_GETSCHEDULER 385 /* POSIX.1b. */
|
||||
#define AUE_SCHED_SETSCHEDULER 386 /* POSIX.1b. */
|
||||
@ -383,6 +383,7 @@
|
||||
#define AUE_ACL_DELETE_FD 403 /* FreeBSD. */
|
||||
#define AUE_ACL_CHECK_FILE 404 /* FreeBSD. */
|
||||
#define AUE_ACL_CHECK_FD 405 /* FreeBSD. */
|
||||
#define AUE_SYSARCH 406 /* FreeBSD. */
|
||||
|
||||
/*
|
||||
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
|
||||
@ -428,6 +429,7 @@
|
||||
#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
|
||||
#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
|
||||
#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
|
||||
#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /* Darwin */
|
||||
#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
|
||||
#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
|
||||
#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */
|
||||
|
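Review bot: `AUE_SYSARCH 406` and the corrected name for event 383 arrive here without a matching change to the audit_event database visible in this part of the page; if the event table is not updated in the same import, records carrying these numbers would presumably be printed without a name and not be matched to any class. It is also worth confirming that nothing still refers to the identifier previously used for 383, since both `AUE_GETFSUID 383` and `AUE_SETFSGID 383` appear in this section and the hunk header indicates a one-for-one replacement.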
@ -1,7 +1,7 @@
|
||||
#
|
||||
# OpenBSM libbsm
|
||||
#
|
||||
# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $
|
||||
# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#13 $
|
||||
#
|
||||
|
||||
LIB= bsm
|
||||
@ -35,7 +35,9 @@ MAN= libbsm.3 \
|
||||
|
||||
MLINKS= libbsm.3 bsm.3 \
|
||||
au_class.3 getauclassent.3 \
|
||||
au_class.3 getauclassent_r.3 \
|
||||
au_class.3 getauclassnam.3 \
|
||||
au_class.3 getauclassnam_r.3 \
|
||||
au_class.3 setauclass.3 \
|
||||
au_class.3 endauclass.3 \
|
||||
au_control.3 setac.3 \
|
||||
@ -47,9 +49,13 @@ MLINKS= libbsm.3 bsm.3 \
|
||||
au_event.3 setauevent.3 \
|
||||
au_event.3 endauevent.3 \
|
||||
au_event.3 getauevent.3 \
|
||||
au_event.3 getauevent_r.3 \
|
||||
au_event.3 getauevnam.3 \
|
||||
au_event.3 getauevnam_r.3 \
|
||||
au_event.3 getauevnum.3 \
|
||||
au_event.3 getauevnum_r.3 \
|
||||
au_event.3 getauevnonam.3 \
|
||||
au_event.3 getauevnonam_r.3 \
|
||||
au_io.3 au_fetch_tok.3 \
|
||||
au_io.3 au_print_tok.3 \
|
||||
au_io.3 au_read_rec.3 \
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#3 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_CONTROL 3
|
||||
@ -67,7 +67,7 @@ closes the
|
||||
database.
|
||||
.Pp
|
||||
.Fn getacdir
|
||||
Return the name of the directory where log data is stored via the passed
|
||||
returns the name of the directory where log data is stored via the passed
|
||||
character buffer
|
||||
.Va name
|
||||
of length
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#4 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_EVENT 3
|
||||
@ -123,9 +123,9 @@ Functions
|
||||
and
|
||||
.Fn getauevnuam
|
||||
will return a reference to a
|
||||
.Dt struct au_event_ent
|
||||
.Ft struct au_event_ent
|
||||
or
|
||||
.Dt au_event_t
|
||||
.Ft au_event_t
|
||||
on success, or
|
||||
.Dv NULL on failure, with
|
||||
.Va errno
|
||||
|
@ -27,7 +27,7 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#3 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_FREE_TOKEN 3
|
||||
@ -40,7 +40,7 @@
|
||||
.Sh SYNOPSIS
|
||||
.In libbsm.h
|
||||
.Ft void
|
||||
.Fn au_free_tokenen "token_t *tok"
|
||||
.Fn au_free_token "token_t *tok"
|
||||
.Sh DESCRIPTION
|
||||
The BSM API generally manages deallocation of
|
||||
.Vt token_t
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#3 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_MASK 3
|
||||
@ -109,7 +109,7 @@ will be set to indicate the error.
|
||||
.Sh IMPLEMENTATION NOTES
|
||||
.Fn au_preselect
|
||||
makes implicit use of various audit database routines, and may influence
|
||||
the behavior of simultaenous or interleaved processing of those databases by
|
||||
the behavior of simultaneous or interleaved processing of those databases by
|
||||
other code.
|
||||
.Sh SEE ALSO
|
||||
.Xr libbsm 3 ,
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#5 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_TOKEN 3
|
||||
@ -179,10 +179,10 @@
|
||||
.Fn au_to_trailer "int rec_size"
|
||||
.Sh DESCRIPTION
|
||||
These interfaces support the allocation of BSM audit tokens, represented by
|
||||
.Dt token_t ,
|
||||
.Ft token_t ,
|
||||
for various data types.
|
||||
.Sh RETURN VALUES
|
||||
On sucess, a pointer to a
|
||||
On success, a pointer to a
|
||||
.Vt token_t
|
||||
will be returned; the allocated
|
||||
.Vt token_t
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#4 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AU_USER 3
|
||||
@ -72,7 +72,7 @@ and events never to audit
|
||||
.Dv au_never .
|
||||
.Pp
|
||||
.Fn getauuserent
|
||||
return the next user found in the
|
||||
returns the next user found in the
|
||||
.Xr audit_user 5
|
||||
database, or the first if the function has not yet been called.
|
||||
.Dv NULL
|
||||
@ -96,7 +96,7 @@ closes the
|
||||
database, if open.
|
||||
.Pp
|
||||
.Nm au_user_mask
|
||||
calculate a new session audit mask to be returned via
|
||||
calculates a new session audit mask to be returned via
|
||||
.Dv mask_p
|
||||
for the user identified by
|
||||
.Dv username .
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#4 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt LIBBSM 3
|
||||
@ -48,57 +48,56 @@ event stream interfaces, class interfaces, control interfaces, event
|
||||
interfaces, I/O interfaces, mask interfaces, notification interfaces, token
|
||||
interfaces, and user interfaces.
|
||||
These are described respectively in the
|
||||
.Xr au_stream 3 ,
|
||||
.Xr au_class 3 ,
|
||||
.Xr au_control 3 ,
|
||||
.Xr au_event 3 ,
|
||||
.Xr au_mask 3 ,
|
||||
.Xr au_notify 3 ,
|
||||
.Xr au_stream 3 ,
|
||||
.Xr au_token 3 ,
|
||||
.Xr au_user 3
|
||||
man pages.
|
||||
.Ss Audit Event Stream Interfaces
|
||||
Audit event stream interfaces support interaction with file-backed audit
|
||||
event streams:
|
||||
.Xr au_free_token 3 ,
|
||||
.Xr au_close 3 .
|
||||
.Xr au_free_token 3 ,
|
||||
.Xr au_open 3 ,
|
||||
.Xr au_write 3 ,
|
||||
.Xr au_close 3 .
|
||||
.Ss Audit Class Interfaces
|
||||
Audit class interfaces support the look up of information from the
|
||||
.Xr audit_class 5
|
||||
database:
|
||||
.Xr endauclass 3 ,
|
||||
.Xr getauclassent 3 ,
|
||||
.Xr getauclassent_r 3 ,
|
||||
.Xr getauclassnam 3 ,
|
||||
.Xr getauclassnam_r 3 ,
|
||||
.Xr setauclass 3 ,
|
||||
.Xr endauclass 3 .
|
||||
.Xr setauclass 3 .
|
||||
.Ss Audit Control Interfaces
|
||||
Audit control interfaces support the look up of information from the
|
||||
.Xr audit_control 5
|
||||
database:
|
||||
.Xr setac 3 ,
|
||||
.Xr endac 3 ,
|
||||
.Xr setac 3 ,
|
||||
.Xr getacdir 3 ,
|
||||
.Xr getacmin 3 ,
|
||||
.Xr getacflg 3 ,
|
||||
.Xr getacmin 3 ,
|
||||
.Xr getacna 3 .
|
||||
.Ss Audit Event Interfaces
|
||||
Audit event interfaces support the look up of information from the
|
||||
.Xr audit_event 5
|
||||
database:
|
||||
.Xr setauevent 3 ,
|
||||
.Xr endauevent 3 ,
|
||||
.Xr setauevent 3 ,
|
||||
.Xr getauevent 3 ,
|
||||
.Xr getauevent_r 3 ,
|
||||
.Xr getauevnam 3 ,
|
||||
.Xr getauevnam_r 3 ,
|
||||
.Xr getauevnum 3 ,
|
||||
.Xr getauevnum_r 3 ,
|
||||
.Xr getauevnonam 3 ,
|
||||
.Xr getauevnonam_r 3 ,
|
||||
.Xr getauevnum 3 ,
|
||||
.Xr getauevnum_r 3 .
|
||||
.Ss Audit I/O Interfaces
|
||||
Audit I/O interfaces support the processing and printing of tokens, as well
|
||||
as the reading of audit records:
|
||||
@ -117,9 +116,9 @@ by a mask:
|
||||
.Ss Audit Notification Interfaces
|
||||
Audit notification routines track audit state in a form permitting efficient
|
||||
update, avoiding frequent system calls to check the kernel audit state:
|
||||
.Xr au_get_state 3 ,
|
||||
.Xr au_notify_initialize 3 ,
|
||||
.Xr au_notify_terminate 3 ,
|
||||
.Xr au_get_state 3 .
|
||||
.Xr au_notify_terminate 3 .
|
||||
These interfaces are implemented only for Darwin/Mac OS X.
|
||||
.Ss Audit Token Interface
|
||||
Audit token interfaces permit the creation of tokens for use in creating
|
||||
@ -127,63 +126,63 @@ audit records for submission to event streams.
|
||||
Each interface converts a C type to its
|
||||
.Vt token_t
|
||||
representation.
|
||||
.Xr au_to_arg 3 ,
|
||||
.Xr au_to_arg32 3 ,
|
||||
.Xr au_to_arg64 3 ,
|
||||
.Xr au_to_arg 3 ,
|
||||
.Xr au_to_attr64 3 ,
|
||||
.Xr au_to_data 3 ,
|
||||
.Xr au_to_exec_args 3 ,
|
||||
.Xr au_to_exec_env 3 ,
|
||||
.Xr au_to_exit 3 ,
|
||||
.Xr au_to_file 3 ,
|
||||
.Xr au_to_groups 3 ,
|
||||
.Xr au_to_newgroups 3 ,
|
||||
.Xr au_to_header32 3 ,
|
||||
.Xr au_to_header64 3 ,
|
||||
.Xr au_to_in_addr 3 ,
|
||||
.Xr au_to_in_addr_ex 3 ,
|
||||
.Xr au_to_ip 3 ,
|
||||
.Xr au_to_ipc 3 ,
|
||||
.Xr au_to_ipc_perm 3 ,
|
||||
.Xr au_to_iport 3 ,
|
||||
.Xr au_to_me 3 ,
|
||||
.Xr au_to_newgroups 3 ,
|
||||
.Xr au_to_opaque 3 ,
|
||||
.Xr au_to_file 3 ,
|
||||
.Xr au_to_text 3 ,
|
||||
.Xr au_to_path 3 ,
|
||||
.Xr au_to_process 3 ,
|
||||
.Xr au_to_process32 3 ,
|
||||
.Xr au_to_process64 3 ,
|
||||
.Xr au_to_process 3 ,
|
||||
.Xr au_to_process_ex 3 ,
|
||||
.Xr au_to_process32_ex 3 ,
|
||||
.Xr au_to_process64_ex 3 ,
|
||||
.Xr au_to_process_ex 3 ,
|
||||
.Xr au_to_return 3 ,
|
||||
.Xr au_to_return32 3 ,
|
||||
.Xr au_to_return64 3 ,
|
||||
.Xr au_to_return 3 ,
|
||||
.Xr au_to_seq 3 ,
|
||||
.Xr au_to_socket 3 ,
|
||||
.Xr au_to_socket_ex_32 3 ,
|
||||
.Xr au_to_socket_ex_128 3 ,
|
||||
.Xr au_to_sock_inet 3 ,
|
||||
.Xr au_to_sock_inet32 3 ,
|
||||
.Xr au_to_sock_inet128 3 ,
|
||||
.Xr au_to_sock_inet 3 ,
|
||||
.Xr au_to_subject 3 ,
|
||||
.Xr au_to_subject32 3 ,
|
||||
.Xr au_to_subject64 3 ,
|
||||
.Xr au_to_subject 3 ,
|
||||
.Xr au_to_subject_ex 3 ,
|
||||
.Xr au_to_subject32_ex 3 ,
|
||||
.Xr au_to_subject64_ex 3 ,
|
||||
.Xr au_to_subject_ex 3 ,
|
||||
.Xr au_to_me 3 ,
|
||||
.Xr au_to_exec_args 3 ,
|
||||
.Xr au_to_exec_env 3 ,
|
||||
.Xr au_to_header32 3 ,
|
||||
.Xr au_to_header64 3 ,
|
||||
.Xr au_to_text 3 ,
|
||||
.Xr au_to_trailer 3 .
|
||||
.Ss Audit User Interfaces
|
||||
Audit user interfaces support the look up of information from the
|
||||
.Xr audit_user 5
|
||||
database:
|
||||
.Xr setauuser 3 ,
|
||||
.Xr au_user_mask 3 ,
|
||||
.Xr endauuser 3 ,
|
||||
.Xr setauuser 3 ,
|
||||
.Xr getauuserent 3 ,
|
||||
.Xr getauuserent_r 3 ,
|
||||
.Xr getauusernam 3 ,
|
||||
.Xr getauusernam_r 3 ,
|
||||
.Xr au_user_mask 3 ,
|
||||
.Xr getfauditflags 3 .
|
||||
.Sh SEE ALSO
|
||||
.Xr au_class 3 ,
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#7 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#8 $
|
||||
.\"
|
||||
.Dd May 1, 2005
|
||||
.Dt AUDIT.LOG 5
|
||||
@ -204,7 +204,7 @@ The
|
||||
token contains an IP packet header in network byte order.
|
||||
An
|
||||
.Dv ip
|
||||
token can be cread using
|
||||
token can be created using
|
||||
.Xr au_to_ip 3 .
|
||||
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
|
||||
.It Sy "Field" Ta Sy Bytes Ta Sy Description
|
||||
@ -249,7 +249,7 @@ token contains a pathname.
|
||||
A
|
||||
.Dv path
|
||||
token can be created using
|
||||
.Xr auto_path 3 .
|
||||
.Xr au_to_path 3 .
|
||||
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
|
||||
.It Sy "Field" Ta Sy Bytes Ta Sy Description
|
||||
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
|
||||
@ -262,7 +262,7 @@ The
|
||||
token contains a set of nul-terminated path names.
|
||||
The
|
||||
.Xr libbsm 3
|
||||
API cannot currently create an
|
||||
API cannot currently create a
|
||||
.Dv path_attr
|
||||
token.
|
||||
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
|
||||
@ -283,7 +283,7 @@ token, which describes the subject performing an auditable event.
|
||||
This includes both the traditional
|
||||
.Ux
|
||||
security properties, such as user IDs and group IDs, but also audit
|
||||
information such as the audit user ID and sesion.
|
||||
information such as the audit user ID and session.
|
||||
A
|
||||
.Dv process
|
||||
token can be created using
|
||||
@ -310,12 +310,12 @@ token contains the contents of the
|
||||
.Dv process
|
||||
token, with the addition of a machine address type and variable length
|
||||
address storage capable of containing IPv6 addresses.
|
||||
A
|
||||
An
|
||||
.Dv expanded process
|
||||
token can be created using
|
||||
.Xr au_to_process32_ex 3
|
||||
or
|
||||
.Xr au_to_process64 3 .
|
||||
.Xr au_to_process64_ex 3 .
|
||||
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
|
||||
.It Sy "Field" Ta Sy Bytes Ta Sy Description
|
||||
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
|
||||
@ -385,7 +385,7 @@ token consists of the same elements as the
|
||||
.Dv subject
|
||||
token, with the addition of type/length and variable size machine address
|
||||
information in the terminal ID.
|
||||
A
|
||||
An
|
||||
.Dv expanded subject
|
||||
token can be created using
|
||||
.Xr au_to_subject32_ex 3
|
||||
@ -412,7 +412,7 @@ token ...
|
||||
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
|
||||
.It Sy "Field" Ta Sy Bytes Ta Sy Description
|
||||
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
|
||||
.It Li "object ID type" Ta "1 byte" Ta "Object ID"
|
||||
.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
|
||||
.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
|
||||
.El
|
||||
.Ss Text Token
|
||||
@ -438,7 +438,7 @@ included with the attribute block for a file; optional
|
||||
.Dv path
|
||||
tokens may also be present in an audit record indicating which path, if any,
|
||||
was used to reach the object.
|
||||
A
|
||||
An
|
||||
.Dv attribute
|
||||
token can be created using
|
||||
.Xr au_to_attr32 3
|
||||
@ -593,8 +593,8 @@ token ...
|
||||
.It Li XXXXX
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr audit 8,
|
||||
.Xr libbsm 3
|
||||
.Xr libbsm 3 ,
|
||||
.Xr audit 8
|
||||
.Sh AUTHORS
|
||||
The Basic Security Module (BSM) interface to audit records and audit event
|
||||
stream format were defined by Sun Microsystems.
|
||||
|
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#7 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 24, 2004
|
||||
.Dt AUDIT_CLASS 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -40,8 +40,9 @@ file contains descriptions of the auditable event classes on the system.
|
||||
Each auditable event is a member of an event class.
|
||||
Each line maps an audit event
|
||||
mask (bitmap) to a class and a description.
|
||||
Entries are of the form
|
||||
.Dl classmask:eventclass:description.
|
||||
Entries are of the form:
|
||||
.Pp
|
||||
.Dl classmask:eventclass:description
|
||||
.Pp
|
||||
Example entries in this file are:
|
||||
.Bd -literal -offset indent
|
||||
|
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 4, 2006
|
||||
.Dt AUDIT_CONTROL 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -38,7 +38,9 @@ The
|
||||
.Nm
|
||||
file contains several audit system parameters.
|
||||
Each line of this file is of the form:
|
||||
.Dl parameter:value.
|
||||
.Pp
|
||||
.Dl parameter:value
|
||||
.Pp
|
||||
The parameters are:
|
||||
.Bl -tag -width Ds
|
||||
.It Pa dir
|
||||
@ -63,13 +65,15 @@ When the free space falls below this limit a warning will be issued.
|
||||
Not currently used as the value of 20 percent is chosen by the kernel.
|
||||
.El
|
||||
.Sh AUDIT FLAGS
|
||||
Audit flags are a comma delimited list of audit classes as defined in the
|
||||
audit_class file.
|
||||
Audit flags are a comma-delimited list of audit classes as defined in the
|
||||
.Pa audit_class
|
||||
file.
|
||||
See
|
||||
.Xr audit_class 5
|
||||
for details.
|
||||
Event classes may be preceded by a prefix which changes their interpretation.
|
||||
The following prefixes may be used for each class:
|
||||
.Pp
|
||||
.Bl -tag -width Ds -compact -offset indent
|
||||
.It +
|
||||
Record successful events
|
||||
@ -78,9 +82,9 @@ Record failed events
|
||||
.It ^
|
||||
Record both successful and failed events
|
||||
.It ^+
|
||||
Don't record successful events
|
||||
Do not record successful events
|
||||
.It ^-
|
||||
Don't record failed events
|
||||
Do not record failed events
|
||||
.El
|
||||
.Sh DEFAULT
|
||||
The following settings appear in the default
|
||||
@ -88,7 +92,7 @@ The following settings appear in the default
|
||||
file:
|
||||
.Bd -literal -offset indent
|
||||
dir:/var/audit
|
||||
flags:lo,ad,-all,^-fc,^-cl
|
||||
flags:lo
|
||||
minfree:20
|
||||
naflags:lo
|
||||
.Ed
|
||||
@ -96,17 +100,16 @@ naflags:lo
|
||||
The
|
||||
.Va flags
|
||||
parameter above specifies the system-wide mask corresponding to login/logout
|
||||
events, administrative events, and all failures except for failures in creating
|
||||
or closing files.
|
||||
events.
|
||||
.Sh FILES
|
||||
.Bl -tag -width "/etc/security/audit_control" -compact
|
||||
.It Pa /etc/security/audit_control
|
||||
.El
|
||||
.Sh SEE ALSO
|
||||
.Xr audit 1 ,
|
||||
.Xr auditd 8 ,
|
||||
.Xr audit_class 5 ,
|
||||
.Xr audit_user 5
|
||||
.Xr audit_user 5 ,
|
||||
.Xr audit 8 ,
|
||||
.Xr auditd 8
|
||||
.Sh AUTHORS
|
||||
This software was created by McAfee Research, the security research division
|
||||
of McAfee, Inc., under contract to Apple Computer Inc.
|
||||
|
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#8 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd January 24, 2004
|
||||
.Dt AUDIT_EVENT 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -38,11 +38,15 @@ The
|
||||
.Nm
|
||||
file contains descriptions of the auditable events on the system.
|
||||
Each line maps an audit event number to a name, a description, and a class.
|
||||
Entries are of the form
|
||||
.Dl eventnum:eventname:description:eventclass .
|
||||
Entries are of the form:
|
||||
.Pp
|
||||
.Dl eventnum:eventname:description:eventclass
|
||||
.Pp
|
||||
Each
|
||||
.Vt eventclass
|
||||
should have a corresponding entry in the audit_class file.
|
||||
should have a corresponding entry in the
|
||||
.Pa audit_class
|
||||
file.
|
||||
See
|
||||
.Xr audit_class 5
|
||||
for details.
|
||||
|
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
|
||||
.\"
|
||||
.Dd Jan 24, 2004
|
||||
.Dd February 5, 2006
|
||||
.Dt AUDIT_USER 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -44,9 +44,11 @@ These settings take effect when the user logs in.
|
||||
.Pp
|
||||
Each line maps a user name to a list of classes that should be audited and a
|
||||
list of classes that should not be audited.
|
||||
Entries are of the form of
|
||||
.Dl username:alwaysaudit:neveraudit ,
|
||||
where
|
||||
Entries are of the form:
|
||||
.Pp
|
||||
.Dl username:alwaysaudit:neveraudit
|
||||
.Pp
|
||||
In the format above,
|
||||
.Vt alwaysaudit
|
||||
is a set of event classes that are always audited, and
|
||||
.Vt neveraudit
|
||||
@ -64,8 +66,8 @@ root:lo,ad:no
|
||||
jdoe:-fc,ad:+fw
|
||||
.Ed
|
||||
.Pp
|
||||
These settings would cause login and administrative events that succeed on
|
||||
behalf of user root to be audited.
|
||||
These settings would cause login/logout and administrative events that
|
||||
succeed on behalf of user root to be audited.
|
||||
No failure events are audited.
|
||||
For the user
|
||||
.Em jdoe ,
|
||||
|
@ -25,9 +25,9 @@
|
||||
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
.\" POSSIBILITY OF SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#6 $
|
||||
.\"
|
||||
.Dd Mar 17, 2004
|
||||
.Dd March 17, 2004
|
||||
.Dt AUDIT_WARN 5
|
||||
.Os
|
||||
.Sh NAME
|
||||
|
@ -25,7 +25,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt AUDITON 2
|
||||
@ -53,8 +53,9 @@ may be any of the following:
|
||||
.It Dv A_SETPOLICY
|
||||
Set audit policy flags.
|
||||
.Ft *data
|
||||
must point to an long value set to one of the audit
|
||||
policy control values defined in audit.h.
|
||||
must point to a long value set to one of the audit
|
||||
policy control values defined in
|
||||
.Pa audit.h .
|
||||
Currently, only
|
||||
.Dv AUDIT_CNT
|
||||
and
|
||||
@ -83,7 +84,7 @@ These masks are used for non-attributable audit event preselection.
|
||||
.It Dv A_SETQCTRL
|
||||
Set kernel audit queue parameters.
|
||||
.Ft *data
|
||||
must point to a
|
||||
must point to a
|
||||
.Ft au_qctrl_t
|
||||
structure containing the
|
||||
kernel audit queue control settings:
|
||||
@ -106,7 +107,7 @@ Return
|
||||
.It Dv A_SETCOND
|
||||
Set the current auditing condition.
|
||||
.Ft *data
|
||||
must point to an long value containing the new
|
||||
must point to a long value containing the new
|
||||
audit condition, one of
|
||||
.Dv AUC_AUDITING ,
|
||||
.Dv AUC_NOAUDIT ,
|
||||
@ -115,13 +116,13 @@ or
|
||||
.It Dv A_SETCLASS
|
||||
Set the event class preselection mask for an audit event.
|
||||
.Ft *data
|
||||
must point to a
|
||||
must point to a
|
||||
.Ft au_evclass_map_t
|
||||
structure containing the audit event and mask.
|
||||
.It Dv A_SETPMASK
|
||||
Set the preselection masks for a process.
|
||||
.Ft *data
|
||||
must point to a
|
||||
must point to a
|
||||
.Ft auditpinfo_t
|
||||
structure that contains the given process's audit
|
||||
preselection masks for both success and failure.
|
||||
@ -167,7 +168,7 @@ the current kernel preselection masks for non-attributable events.
|
||||
.It Dv A_GETPOLICY
|
||||
Return the current audit policy setting.
|
||||
.Ft *data
|
||||
must point to an long value which will be set to
|
||||
must point to a long value which will be set to
|
||||
one of the current audit policy flags.
|
||||
Currently, only
|
||||
.Dv AUDIT_CNT
|
||||
@ -188,8 +189,8 @@ must point to a
|
||||
.Ft au_fstat_t
|
||||
structure. The
|
||||
.Ft af_filesz
|
||||
field will set to the maximum audit log file size. A value of 0
|
||||
indicates no limit to the size.
|
||||
field will be set to the maximum audit log file size.
|
||||
A value of 0 indicates no limit to the size.
|
||||
The
|
||||
.Ft af_filesz
|
||||
will be set to the current audit log file size.
|
||||
@ -227,7 +228,9 @@ trigger values:
|
||||
.Dv AUDIT_TRIGGER_OPEN_NEW
|
||||
(open a new audit log file),
|
||||
.Dv AUDIT_TRIGGER_READ_FILE
|
||||
(read the audit_control file),
|
||||
(read the
|
||||
.Pa audit_control
|
||||
file),
|
||||
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
|
||||
(close the current log file and exit),
|
||||
or
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#5 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt GETAUDIT 2
|
||||
@ -50,7 +50,7 @@ retrieves extended state via
|
||||
and
|
||||
.Va length .
|
||||
.Pp
|
||||
This system call required appropriate privilege to complete.
|
||||
This system call requires appropriate privilege to complete.
|
||||
.Sh RETURN VALUES
|
||||
.Nm
|
||||
returns 0 on success, or returns -1 on failure, providing additional error
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#5 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt GETAUID 2
|
||||
@ -42,7 +42,7 @@ retrieves the active audit session ID for the current process via the
|
||||
pointed to by
|
||||
.Va auid .
|
||||
.Pp
|
||||
This system call required appropriate privilege to complete.
|
||||
This system call requires appropriate privilege to complete.
|
||||
.Sh RETURN VALUES
|
||||
.Nm
|
||||
returns 0 on success, or returns -1 on failure, providing additional error
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#5 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt SETAUDIT 2
|
||||
@ -50,7 +50,7 @@ sets extended state via
|
||||
and
|
||||
.Va length .
|
||||
.Pp
|
||||
This system call required appropriate privilege to complete.
|
||||
This system call requires appropriate privilege to complete.
|
||||
.Sh RETURN VALUES
|
||||
.Nm
|
||||
returns 0 on success, or returns -1 on failure, providing additional error
|
||||
|
@ -23,7 +23,7 @@
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
|
||||
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#5 $
|
||||
.\"
|
||||
.Dd April 19, 2005
|
||||
.Dt SETAUID 2
|
||||
@ -42,7 +42,7 @@ sets the active audit session ID for the current process from the
|
||||
pointed to by
|
||||
.Va auid .
|
||||
.Pp
|
||||
This system call required appropriate privilege to complete.
|
||||
This system call requires appropriate privilege to complete.
|
||||
.Sh RETURN VALUES
|
||||
.Nm
|
||||
returns 0 on success, or returns -1 on failure, providing additional error
|
||||
|