1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-04 09:09:56 +00:00

Vendor branch import of OpenBSM 1.0 alpha 3:

- Man page formatting, cross reference, mlinks, and accuracy improvements.
- auditd and tools now compile and run on FreeBSD/arm.
- auditd will now fchown() the trail file to the audit review group, if
  defined at compile-time.
- Added AUE_SYSARCH for FreeBSD.
- Definition of AUE_SETFSGID fixed for Linux.

Many thanks to:	brueffer, cognet
Obtained from:	TrustedBSD Project
This commit is contained in:
Robert Watson 2006-02-06 00:06:04 +00:00
parent 742561f0d7
commit 23bf6e2091
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/vendor/openbsm/dist/; revision=155364
svn path=/vendor/openbsm/1.0-ALPHA-3/; revision=155366; tag=vendor/openbsm/1.0-ALPHA-3
32 changed files with 256 additions and 152 deletions

View File

@ -1,3 +1,12 @@
OpenBSM 1.0 alpha 3
- Man page formatting, cross reference, mlinks, and accuracy improvements.
- auditd and tools now compile and run on FreeBSD/arm.
- auditd will now fchown() the trail file to the audit review group, if
defined at compile-time.
- Added AUE_SYSARCH for FreeBSD.
- Definition of AUE_SETFSGID fixed for Linux.
OpenBSM 1.0 alpha 2
- Man page formatting improvements.
@ -71,5 +80,6 @@ OpenBSM 1.0 alpha 1
- Annotate BSM events with origin OS and compatibility information.
- auditd(8), audit(8) added to the OpenBSM distribution. auditd extended
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#7 $
$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#10 $

View File

@ -62,6 +62,8 @@ to the development of OpenBSM:
Wojciech Koszek
Chunyang Yuan
Poul-Henning Kamp
Christian Brueffer
Olivier Houchard
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
@ -83,4 +85,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
http://www.TrustedBSD.org/
$P4: //depot/projects/trustedbsd/openbsm/README#11 $
$P4: //depot/projects/trustedbsd/openbsm/README#13 $

View File

@ -1 +1 @@
OPENBSM_1_0_ALPHA_2
OPENBSM_1_0_ALPHA_3

View File

@ -29,9 +29,9 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
.\"
.Dd Jan 24, 2004
.Dd January 24, 2004
.Dt AUDIT 8
.Os
.Sh NAME
@ -48,7 +48,7 @@ utility controls the state of the audit system.
The optional
.Ar file
operand specifies the location of the audit control input file (default
.Pa /etc/security/audit_control ).
.Pa /etc/security/audit_control ) .
.Pp
The options are as follows:
.Bl -tag -width Ds
@ -65,15 +65,17 @@ Log files are closed
and renamed to indicate the time of the shutdown.
.El
.Sh NOTES
The auditd(8) daemon must already be running.
The
.Xr auditd 8
daemon must already be running.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
Default audit policy file used to configure the auditing system.
.El
.Sh SEE ALSO
.Xr audit_control 5 ,
.Xr auditd 8
.Xr audit_control 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#4 $
*/
/*
* Program to trigger the audit daemon with a message that is either:
@ -65,7 +65,7 @@ usage(void)
int
main(int argc, char **argv)
{
char ch;
int ch;
unsigned int trigger = 0;
if (argc != 2)

View File

@ -29,9 +29,9 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#8 $
.\"
.Dd Jan 24, 2004
.Dd January 24, 2004
.Dt AUDITD 8
.Os
.Sh NAME
@ -63,9 +63,14 @@ that may cause audit records to be lost due to log file full conditions
.Pp
To assure uninterrupted audit support, the
.Nm auditd
daemon should not be started and stopped manually. Instead, the audit(1) command
daemon should not be started and stopped manually.
Instead, the
.Xr audit 8
command
should be used to inform the daemon to change state/configuration after altering
the audit_control file.
the
.Pa audit_control
file.
.Pp
.\" Sending a SIGHUP to a running
.\" .Nm auditd

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#11 $
*/
#include <sys/dirent.h>
@ -46,6 +46,7 @@
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
@ -170,6 +171,34 @@ close_lastfile(char *TS)
return (0);
}
/*
* Create the new audit file with appropriate permissions and ownership. Try
* to clean up if something goes wrong.
*/
static int
#ifdef AUDIT_REVIEW_GROUP
open_trail(const char *fname, uid_t uid, gid_t gid)
#else
open_trail(const char *fname)
#endif
{
int error, fd;
fd = open(fname, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
if (fd < 0)
return (-1);
#ifdef AUDIT_REVIEW_GROUP
if (fchown(fd, uid, gid) < 0) {
error = errno;
close(fd);
(void)unlink(fname);
errno = error;
return (-1);
}
#endif
return (fd);
}
/*
* Create the new file name, swap with existing audit file.
*/
@ -180,7 +209,12 @@ swap_audit_file(void)
char *fn;
char TS[POSTFIX_LEN];
struct dir_ent *dirent;
int fd;
#ifdef AUDIT_REVIEW_GROUP
struct group *grp;
gid_t gid;
uid_t uid;
#endif
int error, fd;
if (getTSstr(TS, POSTFIX_LEN) != 0)
return (-1);
@ -188,6 +222,22 @@ swap_audit_file(void)
strcpy(timestr, TS);
strcat(timestr, NOT_TERMINATED);
#ifdef AUDIT_REVIEW_GROUP
/*
* XXXRW: Currently, this code falls back to the daemon gid, which is
* likely the wheel group. Is there a better way to deal with this?
*/
grp = getgrnam(AUDIT_REVIEW_GROUP);
if (grp == NULL) {
syslog(LOG_INFO,
"Audit review group '%s' not available, using daemon gid",
AUDIT_REVIEW_GROUP);
gid = -1;
} else
gid = grp->gr_gid;
uid = getuid();
#endif
/* Try until we succeed. */
while ((dirent = TAILQ_FIRST(&dir_q))) {
if ((fn = affixdir(timestr, dirent)) == NULL) {
@ -201,20 +251,27 @@ swap_audit_file(void)
* kernel if all went well.
*/
syslog(LOG_INFO, "New audit file is %s\n", fn);
fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
#ifdef AUDIT_REVIEW_GROUP
fd = open_trail(fn, uid, gid);
#else
fd = open_trail(fn);
#endif
if (fd < 0)
perror("File open");
else if (auditctl(fn) != 0) {
syslog(LOG_ERR,
"auditctl failed setting log file! : %s\n",
strerror(errno));
close(fd);
} else {
/* Success. */
close_lastfile(TS);
lastfile = fn;
close(fd);
return (0);
warn("open(%s)", fn);
if (fd >= 0) {
error = auditctl(fn);
if (error) {
syslog(LOG_ERR,
"auditctl failed setting log file! : %s\n",
strerror(errno));
close(fd);
} else {
/* Success. */
close_lastfile(TS);
lastfile = fn;
close(fd);
return (0);
}
}
/*
@ -708,7 +765,7 @@ setup(void)
int
main(int argc, char **argv)
{
char ch;
int ch;
int debug = 0;
int rc;

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
*/
#ifndef _AUDITD_H_
@ -43,6 +43,13 @@
#define MAX_DIR_SIZE 255
#define AUDITD_NAME "auditd"
/*
* If defined, then the audit daemon will attempt to chown newly created logs
* to this group. Otherwise, they will be the default for the user running
* auditd, likely the audit group.
*/
#define AUDIT_REVIEW_GROUP "audit"
#define POSTFIX_LEN 16
#define NOT_TERMINATED ".not_terminated"

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#8 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
.\"
.Dd Jan 24, 2004
.Dd January 24, 2004
.Dt AUDITREDUCE 1
.Os
.Sh NAME
@ -124,7 +124,8 @@ Select records containing the given shared memory id.
.Sh Examples
.Pp
To select all records associated with effective user ID root from the audit
log /var/audit/20031016184719.20031017122634:
log
.Pa /var/audit/20031016184719.20031017122634 :
.Pp
.Nm
-e root /var/audit/20031016184719.20031017122634
@ -136,9 +137,9 @@ events from that log:
.Nm
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
.Xr audit_event 5 ,
.Xr praudit 1
.Xr audit_event 5
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.

View File

@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#13 $
*/
/*
@ -529,7 +529,7 @@ main(int argc, char **argv)
FILE *fp;
int i;
char *objval, *converr;
char ch;
int ch;
char timestr[128];
char *fname;

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
.\"
.Dd Jan 24, 2004
.Dd January 24, 2004
.Dt PRAUDIT 1
.Os
.Sh NAME

View File

@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
* $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
*/
/*
@ -105,7 +105,7 @@ print_tokens(FILE *fp)
int
main(int argc, char **argv)
{
char ch;
int ch;
int i;
FILE *fp;

View File

@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#34 $
* $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#37 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@ -360,7 +360,7 @@
#define AUE_NMOUNT 380 /* FreeBSD-specific. */
#define AUE_BDFLUSH 381 /* Linux-specific. */
#define AUE_SETFSUID 382 /* Linux-specific. */
#define AUE_GETFSUID 383 /* Linux-specific. */
#define AUE_SETFSGID 383 /* Linux-specific. */
#define AUE_PERSONALITY 384 /* Linux-specific. */
#define AUE_SCHED_GETSCHEDULER 385 /* POSIX.1b. */
#define AUE_SCHED_SETSCHEDULER 386 /* POSIX.1b. */
@ -383,6 +383,7 @@
#define AUE_ACL_DELETE_FD 403 /* FreeBSD. */
#define AUE_ACL_CHECK_FILE 404 /* FreeBSD. */
#define AUE_ACL_CHECK_FD 405 /* FreeBSD. */
#define AUE_SYSARCH 406 /* FreeBSD. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
@ -428,6 +429,7 @@
#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /* Darwin */
#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */

View File

@ -1,7 +1,7 @@
#
# OpenBSM libbsm
#
# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $
# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#13 $
#
LIB= bsm
@ -35,7 +35,9 @@ MAN= libbsm.3 \
MLINKS= libbsm.3 bsm.3 \
au_class.3 getauclassent.3 \
au_class.3 getauclassent_r.3 \
au_class.3 getauclassnam.3 \
au_class.3 getauclassnam_r.3 \
au_class.3 setauclass.3 \
au_class.3 endauclass.3 \
au_control.3 setac.3 \
@ -47,9 +49,13 @@ MLINKS= libbsm.3 bsm.3 \
au_event.3 setauevent.3 \
au_event.3 endauevent.3 \
au_event.3 getauevent.3 \
au_event.3 getauevent_r.3 \
au_event.3 getauevnam.3 \
au_event.3 getauevnam_r.3 \
au_event.3 getauevnum.3 \
au_event.3 getauevnum_r.3 \
au_event.3 getauevnonam.3 \
au_event.3 getauevnonam_r.3 \
au_io.3 au_fetch_tok.3 \
au_io.3 au_print_tok.3 \
au_io.3 au_read_rec.3 \

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#3 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@ -67,7 +67,7 @@ closes the
database.
.Pp
.Fn getacdir
Return the name of the directory where log data is stored via the passed
returns the name of the directory where log data is stored via the passed
character buffer
.Va name
of length

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#4 $
.\"
.Dd April 19, 2005
.Dt AU_EVENT 3
@ -123,9 +123,9 @@ Functions
and
.Fn getauevnuam
will return a reference to a
.Dt struct au_event_ent
.Ft struct au_event_ent
or
.Dt au_event_t
.Ft au_event_t
on success, or
.Dv NULL on failure, with
.Va errno

View File

@ -27,7 +27,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#3 $
.\"
.Dd April 19, 2005
.Dt AU_FREE_TOKEN 3
@ -40,7 +40,7 @@
.Sh SYNOPSIS
.In libbsm.h
.Ft void
.Fn au_free_tokenen "token_t *tok"
.Fn au_free_token "token_t *tok"
.Sh DESCRIPTION
The BSM API generally manages deallocation of
.Vt token_t

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#3 $
.\"
.Dd April 19, 2005
.Dt AU_MASK 3
@ -109,7 +109,7 @@ will be set to indicate the error.
.Sh IMPLEMENTATION NOTES
.Fn au_preselect
makes implicit use of various audit database routines, and may influence
the behavior of simultaenous or interleaved processing of those databases by
the behavior of simultaneous or interleaved processing of those databases by
other code.
.Sh SEE ALSO
.Xr libbsm 3 ,

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_TOKEN 3
@ -179,10 +179,10 @@
.Fn au_to_trailer "int rec_size"
.Sh DESCRIPTION
These interfaces support the allocation of BSM audit tokens, represented by
.Dt token_t ,
.Ft token_t ,
for various data types.
.Sh RETURN VALUES
On sucess, a pointer to a
On success, a pointer to a
.Vt token_t
will be returned; the allocated
.Vt token_t

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#4 $
.\"
.Dd April 19, 2005
.Dt AU_USER 3
@ -72,7 +72,7 @@ and events never to audit
.Dv au_never .
.Pp
.Fn getauuserent
return the next user found in the
returns the next user found in the
.Xr audit_user 5
database, or the first if the function has not yet been called.
.Dv NULL
@ -96,7 +96,7 @@ closes the
database, if open.
.Pp
.Nm au_user_mask
calculate a new session audit mask to be returned via
calculates a new session audit mask to be returned via
.Dv mask_p
for the user identified by
.Dv username .

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#4 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
@ -48,57 +48,56 @@ event stream interfaces, class interfaces, control interfaces, event
interfaces, I/O interfaces, mask interfaces, notification interfaces, token
interfaces, and user interfaces.
These are described respectively in the
.Xr au_stream 3 ,
.Xr au_class 3 ,
.Xr au_control 3 ,
.Xr au_event 3 ,
.Xr au_mask 3 ,
.Xr au_notify 3 ,
.Xr au_stream 3 ,
.Xr au_token 3 ,
.Xr au_user 3
man pages.
.Ss Audit Event Stream Interfaces
Audit event stream interfaces support interaction with file-backed audit
event streams:
.Xr au_free_token 3 ,
.Xr au_close 3 .
.Xr au_free_token 3 ,
.Xr au_open 3 ,
.Xr au_write 3 ,
.Xr au_close 3 .
.Ss Audit Class Interfaces
Audit class interfaces support the look up of information from the
.Xr audit_class 5
database:
.Xr endauclass 3 ,
.Xr getauclassent 3 ,
.Xr getauclassent_r 3 ,
.Xr getauclassnam 3 ,
.Xr getauclassnam_r 3 ,
.Xr setauclass 3 ,
.Xr endauclass 3 .
.Xr setauclass 3 .
.Ss Audit Control Interfaces
Audit control interfaces support the look up of information from the
.Xr audit_control 5
database:
.Xr setac 3 ,
.Xr endac 3 ,
.Xr setac 3 ,
.Xr getacdir 3 ,
.Xr getacmin 3 ,
.Xr getacflg 3 ,
.Xr getacmin 3 ,
.Xr getacna 3 .
.Ss Audit Event Interfaces
Audit event interfaces support the look up of information from the
.Xr audit_event 5
database:
.Xr setauevent 3 ,
.Xr endauevent 3 ,
.Xr setauevent 3 ,
.Xr getauevent 3 ,
.Xr getauevent_r 3 ,
.Xr getauevnam 3 ,
.Xr getauevnam_r 3 ,
.Xr getauevnum 3 ,
.Xr getauevnum_r 3 ,
.Xr getauevnonam 3 ,
.Xr getauevnonam_r 3 ,
.Xr getauevnum 3 ,
.Xr getauevnum_r 3 .
.Ss Audit I/O Interfaces
Audit I/O interfaces support the processing and printing of tokens, as well
as the reading of audit records:
@ -117,9 +116,9 @@ by a mask:
.Ss Audit Notification Interfaces
Audit notification routines track audit state in a form permitting efficient
update, avoiding frequent system calls to check the kernel audit state:
.Xr au_get_state 3 ,
.Xr au_notify_initialize 3 ,
.Xr au_notify_terminate 3 ,
.Xr au_get_state 3 .
.Xr au_notify_terminate 3 .
These interfaces are implemented only for Darwin/Mac OS X.
.Ss Audit Token Interface
Audit token interfaces permit the creation of tokens for use in creating
@ -127,63 +126,63 @@ audit records for submission to event streams.
Each interface converts a C type to its
.Vt token_t
representation.
.Xr au_to_arg 3 ,
.Xr au_to_arg32 3 ,
.Xr au_to_arg64 3 ,
.Xr au_to_arg 3 ,
.Xr au_to_attr64 3 ,
.Xr au_to_data 3 ,
.Xr au_to_exec_args 3 ,
.Xr au_to_exec_env 3 ,
.Xr au_to_exit 3 ,
.Xr au_to_file 3 ,
.Xr au_to_groups 3 ,
.Xr au_to_newgroups 3 ,
.Xr au_to_header32 3 ,
.Xr au_to_header64 3 ,
.Xr au_to_in_addr 3 ,
.Xr au_to_in_addr_ex 3 ,
.Xr au_to_ip 3 ,
.Xr au_to_ipc 3 ,
.Xr au_to_ipc_perm 3 ,
.Xr au_to_iport 3 ,
.Xr au_to_me 3 ,
.Xr au_to_newgroups 3 ,
.Xr au_to_opaque 3 ,
.Xr au_to_file 3 ,
.Xr au_to_text 3 ,
.Xr au_to_path 3 ,
.Xr au_to_process 3 ,
.Xr au_to_process32 3 ,
.Xr au_to_process64 3 ,
.Xr au_to_process 3 ,
.Xr au_to_process_ex 3 ,
.Xr au_to_process32_ex 3 ,
.Xr au_to_process64_ex 3 ,
.Xr au_to_process_ex 3 ,
.Xr au_to_return 3 ,
.Xr au_to_return32 3 ,
.Xr au_to_return64 3 ,
.Xr au_to_return 3 ,
.Xr au_to_seq 3 ,
.Xr au_to_socket 3 ,
.Xr au_to_socket_ex_32 3 ,
.Xr au_to_socket_ex_128 3 ,
.Xr au_to_sock_inet 3 ,
.Xr au_to_sock_inet32 3 ,
.Xr au_to_sock_inet128 3 ,
.Xr au_to_sock_inet 3 ,
.Xr au_to_subject 3 ,
.Xr au_to_subject32 3 ,
.Xr au_to_subject64 3 ,
.Xr au_to_subject 3 ,
.Xr au_to_subject_ex 3 ,
.Xr au_to_subject32_ex 3 ,
.Xr au_to_subject64_ex 3 ,
.Xr au_to_subject_ex 3 ,
.Xr au_to_me 3 ,
.Xr au_to_exec_args 3 ,
.Xr au_to_exec_env 3 ,
.Xr au_to_header32 3 ,
.Xr au_to_header64 3 ,
.Xr au_to_text 3 ,
.Xr au_to_trailer 3 .
.Ss Audit User Interfaces
Audit user interfaces support the look up of information from the
.Xr audit_user 5
database:
.Xr setauuser 3 ,
.Xr au_user_mask 3 ,
.Xr endauuser 3 ,
.Xr setauuser 3 ,
.Xr getauuserent 3 ,
.Xr getauuserent_r 3 ,
.Xr getauusernam 3 ,
.Xr getauusernam_r 3 ,
.Xr au_user_mask 3 ,
.Xr getfauditflags 3 .
.Sh SEE ALSO
.Xr au_class 3 ,

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#7 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#8 $
.\"
.Dd May 1, 2005
.Dt AUDIT.LOG 5
@ -204,7 +204,7 @@ The
token contains an IP packet header in network byte order.
An
.Dv ip
token can be cread using
token can be created using
.Xr au_to_ip 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
@ -249,7 +249,7 @@ token contains a pathname.
A
.Dv path
token can be created using
.Xr auto_path 3 .
.Xr au_to_path 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
@ -262,7 +262,7 @@ The
token contains a set of nul-terminated path names.
The
.Xr libbsm 3
API cannot currently create an
API cannot currently create a
.Dv path_attr
token.
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
@ -283,7 +283,7 @@ token, which describes the subject performing an auditable event.
This includes both the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and sesion.
information such as the audit user ID and session.
A
.Dv process
token can be created using
@ -310,12 +310,12 @@ token contains the contents of the
.Dv process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
A
An
.Dv expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64 3 .
.Xr au_to_process64_ex 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
@ -385,7 +385,7 @@ token consists of the same elements as the
.Dv subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
A
An
.Dv expanded subject
token can be created using
.Xr au_to_subject32_ex 3
@ -412,7 +412,7 @@ token ...
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "object ID type" Ta "1 byte" Ta "Object ID"
.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
.El
.Ss Text Token
@ -438,7 +438,7 @@ included with the attribute block for a file; optional
.Dv path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
A
An
.Dv attribute
token can be created using
.Xr au_to_attr32 3
@ -593,8 +593,8 @@ token ...
.It Li XXXXX
.El
.Sh SEE ALSO
.Xr audit 8,
.Xr libbsm 3
.Xr libbsm 3 ,
.Xr audit 8
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#7 $
.\"
.Dd Jan 24, 2004
.Dd January 24, 2004
.Dt AUDIT_CLASS 5
.Os
.Sh NAME
@ -40,8 +40,9 @@ file contains descriptions of the auditable event classes on the system.
Each auditable event is a member of an event class.
Each line maps an audit event
mask (bitmap) to a class and a description.
Entries are of the form
.Dl classmask:eventclass:description.
Entries are of the form:
.Pp
.Dl classmask:eventclass:description
.Pp
Example entries in this file are:
.Bd -literal -offset indent

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#9 $
.\"
.Dd Jan 24, 2004
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
@ -38,7 +38,9 @@ The
.Nm
file contains several audit system parameters.
Each line of this file is of the form:
.Dl parameter:value.
.Pp
.Dl parameter:value
.Pp
The parameters are:
.Bl -tag -width Ds
.It Pa dir
@ -63,13 +65,15 @@ When the free space falls below this limit a warning will be issued.
Not currently used as the value of 20 percent is chosen by the kernel.
.El
.Sh AUDIT FLAGS
Audit flags are a comma delimited list of audit classes as defined in the
audit_class file.
Audit flags are a comma-delimited list of audit classes as defined in the
.Pa audit_class
file.
See
.Xr audit_class 5
for details.
Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
.Bl -tag -width Ds -compact -offset indent
.It +
Record successful events
@ -78,9 +82,9 @@ Record failed events
.It ^
Record both successful and failed events
.It ^+
Don't record successful events
Do not record successful events
.It ^-
Don't record failed events
Do not record failed events
.El
.Sh DEFAULT
The following settings appear in the default
@ -88,7 +92,7 @@ The following settings appear in the default
file:
.Bd -literal -offset indent
dir:/var/audit
flags:lo,ad,-all,^-fc,^-cl
flags:lo
minfree:20
naflags:lo
.Ed
@ -96,17 +100,16 @@ naflags:lo
The
.Va flags
parameter above specifies the system-wide mask corresponding to login/logout
events, administrative events, and all failures except for failures in creating
or closing files.
events.
.Sh FILES
.Bl -tag -width "/etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
.Xr audit 1 ,
.Xr auditd 8 ,
.Xr audit_class 5 ,
.Xr audit_user 5
.Xr audit_user 5 ,
.Xr audit 8 ,
.Xr auditd 8
.Sh AUTHORS
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#8 $
.\"
.Dd Jan 24, 2004
.Dd January 24, 2004
.Dt AUDIT_EVENT 5
.Os
.Sh NAME
@ -38,11 +38,15 @@ The
.Nm
file contains descriptions of the auditable events on the system.
Each line maps an audit event number to a name, a description, and a class.
Entries are of the form
.Dl eventnum:eventname:description:eventclass .
Entries are of the form:
.Pp
.Dl eventnum:eventname:description:eventclass
.Pp
Each
.Vt eventclass
should have a corresponding entry in the audit_class file.
should have a corresponding entry in the
.Pa audit_class
file.
See
.Xr audit_class 5
for details.

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
.\"
.Dd Jan 24, 2004
.Dd February 5, 2006
.Dt AUDIT_USER 5
.Os
.Sh NAME
@ -44,9 +44,11 @@ These settings take effect when the user logs in.
.Pp
Each line maps a user name to a list of classes that should be audited and a
list of classes that should not be audited.
Entries are of the form of
.Dl username:alwaysaudit:neveraudit ,
where
Entries are of the form:
.Pp
.Dl username:alwaysaudit:neveraudit
.Pp
In the format above,
.Vt alwaysaudit
is a set of event classes that are always audited, and
.Vt neveraudit
@ -64,8 +66,8 @@ root:lo,ad:no
jdoe:-fc,ad:+fw
.Ed
.Pp
These settings would cause login and administrative events that succeed on
behalf of user root to be audited.
These settings would cause login/logout and administrative events that
succeed on behalf of user root to be audited.
No failure events are audited.
For the user
.Em jdoe ,

View File

@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#6 $
.\"
.Dd Mar 17, 2004
.Dd March 17, 2004
.Dt AUDIT_WARN 5
.Os
.Sh NAME

View File

@ -25,7 +25,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#7 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
@ -53,8 +53,9 @@ may be any of the following:
.It Dv A_SETPOLICY
Set audit policy flags.
.Ft *data
must point to an long value set to one of the audit
policy control values defined in audit.h.
must point to a long value set to one of the audit
policy control values defined in
.Pa audit.h .
Currently, only
.Dv AUDIT_CNT
and
@ -83,7 +84,7 @@ These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
.Ft *data
must point to a
must point to a
.Ft au_qctrl_t
structure containing the
kernel audit queue control settings:
@ -106,7 +107,7 @@ Return
.It Dv A_SETCOND
Set the current auditing condition.
.Ft *data
must point to an long value containing the new
must point to a long value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
@ -115,13 +116,13 @@ or
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
.Ft *data
must point to a
must point to a
.Ft au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
.Ft *data
must point to a
must point to a
.Ft auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
@ -167,7 +168,7 @@ the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
.Ft *data
must point to an long value which will be set to
must point to a long value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
@ -188,8 +189,8 @@ must point to a
.Ft au_fstat_t
structure. The
.Ft af_filesz
field will set to the maximum audit log file size. A value of 0
indicates no limit to the size.
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
.Ft af_filesz
will be set to the current audit log file size.
@ -227,7 +228,9 @@ trigger values:
.Dv AUDIT_TRIGGER_OPEN_NEW
(open a new audit log file),
.Dv AUDIT_TRIGGER_READ_FILE
(read the audit_control file),
(read the
.Pa audit_control
file),
.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
(close the current log file and exit),
or

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#5 $
.\"
.Dd April 19, 2005
.Dt GETAUDIT 2
@ -50,7 +50,7 @@ retrieves extended state via
and
.Va length .
.Pp
This system call required appropriate privilege to complete.
This system call requires appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#5 $
.\"
.Dd April 19, 2005
.Dt GETAUID 2
@ -42,7 +42,7 @@ retrieves the active audit session ID for the current process via the
pointed to by
.Va auid .
.Pp
This system call required appropriate privilege to complete.
This system call requires appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#5 $
.\"
.Dd April 19, 2005
.Dt SETAUDIT 2
@ -50,7 +50,7 @@ sets extended state via
and
.Va length .
.Pp
This system call required appropriate privilege to complete.
This system call requires appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error

View File

@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#5 $
.\"
.Dd April 19, 2005
.Dt SETAUID 2
@ -42,7 +42,7 @@ sets the active audit session ID for the current process from the
pointed to by
.Va auid .
.Pp
This system call required appropriate privilege to complete.
This system call requires appropriate privilege to complete.
.Sh RETURN VALUES
.Nm
returns 0 on success, or returns -1 on failure, providing additional error