Vendor import TrustedBSD OpenBSM 1.0 alpha 12, with the following change

history notes since the last import:

OpenBSM 1.0 alpha 12

- Correct bug in auditreduce which prevented the -c option from working
  correctly when the user specifies to process successful or failed events.
  The problem stemmed from not having access to the return token at the time
  the initial preselection occurred, but now a second preselection process
  occurs while processing the return token.
- getacfilesz(3) API added to read new audit_control(5) filesz setting,
  which auditd(8) now sets the kernel audit trail rotation size to.
- auditreduce(1) now uses stdin if no file names are specified on the command
  line; this was the documented behavior previously, but it was not
  implemented.  Be more specific in auditreduce(1)'s examples section about
  what might be done with the output of auditreduce.
- Add audit_warn(5) closefile event so that administrators can hook
  termination of an audit trail file.  For example, this might be used to
  compress the trail file after it is closed.
- auditreduce(1) now uses regular expressions for pathname matching. Users can
  now supply one or more (comma delimited) regular expressions for searching
  the pathnames. If one of the regular expressions is prefixed with a tilde
  (~), and a path matches, it will be excluded from the search results.

MFC after:	3 days
Obtained from:	TrustedBSD Project

1 files changed, 36 insertions, 7 deletions

diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index 9ae9726..f590e35 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
@@ -105,12 +105,17 @@ for a description of audit event names and numbers.
 .It Fl o Ar object=value
 .Bl -tag -width Ds
 .It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
 .It Nm msgqid
 Select records containing the given message queue id.
 .It Nm pid
@@ -136,6 +141,30 @@ events from that log:
 .Pp
 .Nm
 -m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Pp
+Output from the above command lines will typically be piped to a new trail
+file, or via standard output to the
+.Xr praudit 1
+command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,