This commit was generated by cvs2svn to compensate for changes in r155131,

which included commits to RCS files with non-trunk default branches.

21 files changed, 7813 insertions, 0 deletions

diff --git a/contrib/openbsm/libbsm/Makefile b/contrib/openbsm/libbsm/Makefile
new file mode 100644
index 0000000..4137f4a
--- /dev/null
+++ b/contrib/openbsm/libbsm/Makefile
@@ -0,0 +1,119 @@
+#
+# OpenBSM libbsm
+#
+# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $
+#
+
+LIB=		bsm
+SHLIB_MAJOR=	1
+
+CFLAGS+=-I-								\
+	-I ..								\
+	-Wall
+
+SRCS=	bsm_audit.c							\
+	bsm_class.c							\
+	bsm_control.c							\
+	bsm_event.c							\
+	bsm_flags.c							\
+	bsm_io.c							\
+	bsm_mask.c							\
+	bsm_notify.c							\
+	bsm_token.c							\
+	bsm_user.c							\
+	bsm_wrappers.c
+
+MAN=	libbsm.3							\
+	au_class.3							\
+	au_control.3							\
+	au_event.3							\
+	au_free_token.3							\
+	au_io.3								\
+	au_mask.3							\
+	au_token.3							\
+	au_user.3
+
+MLINKS=	libbsm.3 bsm.3							\
+	au_class.3 getauclassent.3					\
+	au_class.3 getauclassnam.3					\
+	au_class.3 setauclass.3						\
+	au_class.3 endauclass.3						\
+	au_control.3 setac.3						\
+	au_control.3 endac.3						\
+	au_control.3 getacdir.3						\
+	au_control.3 getacmin.3						\
+	au_control.3 getacflg.3						\
+	au_control.3 getacna.3						\
+	au_event.3 setauevent.3						\
+	au_event.3 endauevent.3						\
+	au_event.3 getauevent.3						\
+	au_event.3 getauevnam.3						\
+	au_event.3 getauevnum.3						\
+	au_event.3 getauevnonam.3					\
+	au_io.3	au_fetch_tok.3						\
+	au_io.3	au_print_tok.3						\
+	au_io.3	au_read_rec.3						\
+	au_mask.3 au_preselect.3					\
+	au_mask.3 getauditflagsbin.3					\
+	au_mask.3 getauditflagschar.3					\
+	au_user.3 setauuser.3						\
+	au_user.3 endauuser.3						\
+	au_user.3 getauuserent.3					\
+	au_user.3 getauusernam.3					\
+	au_user.3 au_user_mask.3					\
+	au_user.3 getfauditflags.3					\
+	au_token.3 au_to_arg32.3					\
+	au_token.3 au_to_arg64.3					\
+	au_token.3 au_to_arg.3						\
+	au_token.3 au_to_attr64.3					\
+	au_token.3 au_to_data.3						\
+	au_token.3 au_to_exit.3						\
+	au_token.3 au_to_groups.3					\
+	au_token.3 au_to_newgroups.3					\
+	au_token.3 au_to_in_addr.3					\
+	au_token.3 au_to_in_addr_ex.3					\
+	au_token.3 au_to_ip.3						\
+	au_token.3 au_to_ipc.3						\
+	au_token.3 au_to_ipc_perm.3					\
+	au_token.3 au_to_iport.3					\
+	au_token.3 au_to_opaque.3					\
+	au_token.3 au_to_file.3						\
+	au_token.3 au_to_text.3						\
+	au_token.3 au_to_path.3						\
+	au_token.3 au_to_process32.3					\
+	au_token.3 au_to_process64.3					\
+	au_token.3 au_to_process.3					\
+	au_token.3 au_to_process32_ex.3					\
+	au_token.3 au_to_process64_ex.3					\
+	au_token.3 au_to_process_ex.3					\
+	au_token.3 au_to_return32.3					\
+	au_token.3 au_to_return64.3					\
+	au_token.3 au_to_return.3					\
+	au_token.3 au_to_seq.3						\
+	au_token.3 au_to_socket.3					\
+	au_token.3 au_to_socket_ex_32.3					\
+	au_token.3 au_to_socket_ex_128.3				\
+	au_token.3 au_to_sock_inet32.3					\
+	au_token.3 au_to_sock_inet128.3					\
+	au_token.3 au_to_sock_inet.3					\
+	au_token.3 au_to_subject32.3					\
+	au_token.3 au_to_subject64.3					\
+	au_token.3 au_to_subject.3					\
+	au_token.3 au_to_subject32_ex.3					\
+	au_token.3 au_to_subject64_ex.3					\
+	au_token.3 au_to_subject_ex.3					\
+	au_token.3 au_to_me.3						\
+	au_token.3 au_to_exec_args.3					\
+	au_token.3 au_to_exec_env.3					\
+	au_token.3 au_to_header.3					\
+	au_token.3 au_to_header32.3					\
+	au_token.3 au_to_header64.3					\
+	au_token.3 au_to_trailer.3
+
+beforeinstall:
+	if test -d ${INCSDIR}; then					\
+	else								\
+		mkdir ${INCSDIR};					\
+	fi;
+
+.include <bsd.lib.mk>
diff --git a/contrib/openbsm/libbsm/au_class.3 b/contrib/openbsm/libbsm/au_class.3
new file mode 100644
index 0000000..f1cd9e9
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_class.3
@@ -0,0 +1,108 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_CLASS 3
+.Os
+.Sh NAME
+.Nm getauclassent ,
+.Nm getauclassent_r ,
+.Nm getauclassnam ,
+.Nm getauclassnam_r ,
+.Nm setauclass ,
+.Nm endauclass
+.Nd "Look up information from the audit_class database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft struct au_class_ent *
+.Fn getauclassent "void"
+.Ft struct au_class_ent *
+.Fn getauclassent_r "struct au_class_ent *e"
+.Ft struct au_class_ent *
+.Fn getauclassnam "const char *name"
+.Ft struct au_class_ent *
+.Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
+.Ft void
+.Fn setauclass "void"
+.Ft void
+.Fn endauclass "void"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_class 5
+database, which describes audit event classes.
+Audit event classes are described by
+.Vt struct au_class_ent .
+.Pp
+.Pp
+.Fn getauclassent
+will return the next class found in the
+.Xr audit_class 5
+database, or the first if the function has not yet been called.
+.Dv NULL
+will be returned if no further records are available.
+.Pp
+.Fn getauclassnam
+looks up a class by name.
+.Dv NULL
+will be returned if no matching class can be found.
+.Pp
+.Fn setauclass
+resets the iterator through the
+.Xr audit_class 5
+database, causing the next call to
+.Fn getauclassent
+to start again from the beginning of the file.
+.Pp
+.Fn endauclass
+closes the
+.Xr audit_class 5
+database, if open.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
new file mode 100644
index 0000000..915c521
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -0,0 +1,136 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_CONTROL 3
+.Os
+.Sh NAME
+.Nm setac ,
+.Nm endac ,
+.Nm getacdir ,
+.Nm getacmin ,
+.Nm getacflg ,
+.Nm getacna
+.Nd "Look up information from the audit_control database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setac "void"
+.Ft void
+.Fn endac "void"
+.Ft int
+.Fn getacdir "char *name" "int len"
+.Ft int
+.Fn getacmin "int *min_val"
+.Ft int
+.Fn getacflg "char *auditstr" "int len"
+.Ft int
+.Fn getacna "char *auditstr" "int len"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_control 5
+database, which contains various audit-related administrative parameters.
+.Pp
+.Fn setac
+resets the database iterator to the beginning of the database; see the
+BUGS section for more information.
+.Pp
+.Fn sendac
+closes the
+.Xr audit_control 5
+database.
+.Pp
+.Fn getacdir
+Return the name of the directory where log data is stored via the passed
+character buffer
+.Va name
+of length
+.Va len .
+.Pp
+.Fn getacmin
+returns the minimum free disk space for the audit log target file system via
+the passed
+.Va min_val
+variable.
+.Pp
+.Fn getacflg
+returns the audit system flags via the the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Pp
+.Fn getacna
+returns the non-attributable flags via the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Sh RETURN VALULES
+.Fn getacdir ,
+.Fn getacmin ,
+.Fn getacflg ,
+and
+.Fn getacna
+return 0 on success, or a negative value on failure, along with error
+information in
+.Va errno .
+Functions that return a string value will return a failure if there is
+insufficient room in the passed character buffer for the full string.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
+.Sh BUGS
+There is no reason for the
+.Fn setac
+interface to be exposed as part of the public API, as it is called implicitly
+by other access functions and iteration is not supported.
+.Pp
+These interfaces inconsistently return various negative values depending on
+the failure mode, and do not always set
+.Va errno
+on failure.
diff --git a/contrib/openbsm/libbsm/au_event.3 b/contrib/openbsm/libbsm/au_event.3
new file mode 100644
index 0000000..bd021de
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_event.3
@@ -0,0 +1,153 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_EVENT 3
+.Os
+.Sh NAME
+.Nm free_au_event_ent ,
+.Nm setauevent ,
+.Nm endauevent ,
+.Nm getauevent ,
+.Nm getauevent_r ,
+.Nm getauevnam ,
+.Nm getauevnam_r ,
+.Nm getauevnum ,
+.Nm getauevnum_r ,
+.Nm getauevnonam ,
+.Nm getauevnonam_r ,
+.Nd "Look up information from the audit_event database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setauevent "void"
+.Ft void
+.Fn endauevent "void"
+.Ft "struct au_event_ent *"
+.Fn getauevent "void"
+.Ft "struct au_event_ent *"
+.Fn getauevent_r "struct au_event_ent *e"
+.Ft "struct au_event_ent *"
+.Fn getauevnam "char *name"
+.Ft "struct au_event_ent *"
+.Fn getauevnam_r "struct au_event_ent *e" "char *name"
+.Ft "struct au_event_ent *"
+.Fn getauevnum "au_event_t event_number"
+.Ft "struct au_event_ent *"
+.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
+.Ft "au_event_t *"
+.Fn getauevnonam "char *event_name"
+.Ft "au_event_t *"
+.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_event 5
+database, which describes audit events.
+Entries in the database are described by
+.Vt struct au_event_ent
+entries, which are returned by calls to
+.Fn getauevent ,
+.Fn getauevnam ,
+or
+.Fn getauevnum .
+It is also possible look up an event number via a call to
+.Nm getauevnonam .
+.Pp
+.Fn setauevent
+resets the database access session for
+.Xr audit_event 5 ,
+so that the next call to
+.Fn getauevent
+will start with the first entry in the database.
+.Pp
+.Fn endauevent
+closes the
+.Xr audit_event 5
+database session.
+.Pp
+.Fn getauevent
+returns a reference to the next entry in the
+.Xr audit_event 5
+database.
+.Pp
+.Fn getauevnam
+returns a reference to the entry in the
+.Xr audit_event 5
+database with a name of
+.Va name .
+.Pp
+.Fn getauevnum
+returns a reference to the entry in the
+.Xr audit_event 5
+database with an event number of
+.Va event_number .
+.Pp
+.Fn getauevnonam
+returns a reference to an audit event number using the
+.Xr audit_event 5
+database.
+.Sh RETURN VALUES
+Functions
+.Fn getauevent ,
+.Fn getauevent_r ,
+.Fn getauevnam ,
+.Fn getauevnam_r ,
+.Fn getauevnum ,
+.Fn getauevnum_r ,
+and
+.Fn getauevnuam
+will return a reference to a
+.Dt struct au_event_ent
+or
+.Dt au_event_t
+on success, or
+.Dv NULL on failure, with
+.Va errno
+set to provide further error information.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_event 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+is not always properly set following a failure.
+.Pp
+These routines are thread-safe, but not re-entrant, so simultaneous or
+interleaved use of these functions will affect the iterator.
diff --git a/contrib/openbsm/libbsm/au_free_token.3 b/contrib/openbsm/libbsm/au_free_token.3
new file mode 100644
index 0000000..fc4ab0b
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_free_token.3
@@ -0,0 +1,91 @@
+.\"-
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_FREE_TOKEN 3
+.Os
+.Sh NAME
+.Nm au_free_token
+.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn au_free_tokenen "token_t *tok"
+.Sh DESCRIPTION
+The BSM API generally manages deallocation of
+.Vt token_t
+objects.
+However, if
+.Xr au_write 3
+is passed a bad audit descriptor, the
+.Vt token_t *
+parameter will be left untouched.
+In that case, the caller can deallocate the
+.Vt token_t
+using
+.Nm
+if desired.
+.Pp
+The
+.Va tok
+argument is a
+.Vt token_t *
+generated by one of the au_to_*() BSM API calls.
+For convenience,
+.Va tok
+may be
+.Dv NULL ,
+in which case
+.Nm
+returns immediately.
+.Sh IMPLEMENTATION NOTES
+This is, in fact, what
+.Xr audit_write 3
+does, in keeping with the existing memory management model of the BSM API.
+.Sh SEE ALSO
+.Xr au_write 3 ,
+.Xr audit_write 3 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+
diff --git a/contrib/openbsm/libbsm/au_io.3 b/contrib/openbsm/libbsm/au_io.3
new file mode 100644
index 0000000..0c520a1
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_io.3
@@ -0,0 +1,119 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_IO 3
+.Os
+.Sh NAME
+.Nm au_fetch_tok ,
+.Nm au_print_tok ,
+.Nm au_read_rec
+.Nd "Perform I/O involving an audit record"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft int
+.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
+.Ft void
+.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Ft int
+.Fn au_read_rec "FILE *fp" "u_char **buf"
+.Sh DESCRIPTION
+These interfaces support input and output (I/O) involving audit records,
+internalizing an audit record from a byte stream, converting a token to
+either a raw or default string, and reading a single record from a file.
+.Pp
+.Fn au_fetch_tok
+reads a token from the passed buffer
+.Va buf
+of length
+.Va len
+bytes, and returns a pointer to the token via
+.Va tok .
+.Pp
+.Fn au_print_tok
+prints a string form of the token
+.Va tok
+to the file output stream
+.Va outfp,
+either in default mode, or raw mode if
+.Va raw
+is set non-zero.
+The delimiter
+.Va del
+is used when printing.
+.Pp
+.Fn au_read_rec
+reads an audit record from the file stream
+.Va fp ,
+and returns an allocated memory buffer containing the record via
+.Va *buf ,
+which must be freed by the caller using
+.Xr free 3 .
+.Pp
+A typical use of these routines might open a file with
+.Xr fopen 3 ,
+then read records from the file sequentially by calling
+.Fn au_read_rec .
+Each record would be broken down into components tokens through sequential
+calls to
+.Fn au_fetch_tok
+on the buffer, and then invoking
+.Fn au_print_tok
+to print each token to an output stream such as
+.Dv stdout .
+On completion of the processing of each record, a call to
+.Xr free 3
+would be used to free the record buffer.
+Finally, the source stream would be closed by a call to
+.Xr fclose 3 .
+.Sh RETURN VALUES
+.Fn au_fetch_tok
+and
+.Fn au_read_rec
+return 0 on success, or -1 on failure along with additional error information
+returned via
+.Va errno .
+.Sh SEE ALSO
+.Xr free 3 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+may not always be properly set in the event of an error.
diff --git a/contrib/openbsm/libbsm/au_mask.3 b/contrib/openbsm/libbsm/au_mask.3
new file mode 100644
index 0000000..67bb187
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_mask.3
@@ -0,0 +1,140 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_MASK 3
+.Os
+.Sh NAME
+.Nm au_preselect ,
+.Nm getauditflagsbin ,
+.Nm getauditflagschar
+.Nd "Convert between string and numeric values of audit masks"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft int
+.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
+.Ft int
+.Fn getauditflagsbin "char *auditstr" "au_mask_t *masks"
+.Ft int
+.Fn getauditflagschar "char *auditstr" "au_mask_t *masks" "int verbose"
+.Sh DESCRIPTION
+These interfaces support processing of an audit mask represented by type
+.Vt au_mask_t ,
+including conversion between numeric and text formats, and computing whether
+or not an event is matched by a mask.
+.Pp
+.Fn au_preselect
+calculates whether or not the audit event passed via
+.Va event
+is matched by the audit mask passed via
+.Va au_mask_t .
+The
+.Va sorf
+argument indicates whether or not to consider the event as a success,
+if the
+.Dv AU_PRS_SUCCESS
+flag is set, or failure, if the
+.Dv AU_PRS_FAILURE
+flag is set.
+The
+.Va flag
+argument accepts additional arguments influencing the behavior of
+.Fn au_preselect ,
+including
+.Dv AU_PRS_REREAD ,
+which causes the event to be re-looked up rather than read from the cache,
+or
+.Dv AU_PRS_USECACHE
+which forces use of the cache.
+.Pp
+.Fn getauditflagsbin
+converts a string representation of an audit mask passed via a character
+string pointed to by
+.Va auditstr ,
+returning the resulting mask, if valid, via
+.Va *masks .
+.Pp
+.Fn getauditflagschar
+converts the audit event mask passed via
+.Va *masks
+and converts it to a character string in a buffer pointed to by
+.Va auditstr .
+See the BUGS section for more information on how to provide a buffer of
+sufficient size.
+If the
+.Va verbose
+flag is set, the class description string retrieved from
+.Xr audit_class 5
+will be used; otherwise, the two-character class name.
+.Sh RETURN VALUES
+.Fn au_preselect
+returns 0 on success, or returns -1 if there is a failure looking up the
+event type or other database access, in which case
+.Va errno
+will be set to indicate the error.
+It returns 1 if the event is matched; 0 if not.
+.Pp
+.Fn getauditflagsbin
+and
+.Fn getauditflagschar
+returns 0 on success, or -1 if there is a failure, in which case
+.Va errno
+will be set to indicate the error.
+.Sh IMPLEMENTATION NOTES
+.Fn au_preselect
+makes implicit use of various audit database routines, and may influence
+the behavior of simultaenous or interleaved processing of those databases by
+other code.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+may not always be properly set in the event of an error.
+.Pp
+.Fn getauditflagschar
+does not provide a way to indicate how long the character buffer is, in order
+to detect overflow.
+As a result, the caller must always provide a buffer of sufficient length for
+any possible mask, which may be calculated as three times the number of
+non-zero bits in the mask argument in the event non-verbose class names are
+used, and is not trivially predictable for verbose class names.
+This API should be replaced with a more robust one.
diff --git a/contrib/openbsm/libbsm/au_token.3 b/contrib/openbsm/libbsm/au_token.3
new file mode 100644
index 0000000..dd0ce27
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_token.3
@@ -0,0 +1,209 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $
+.\"
+.Dd April 19, 2005
+.Dt AU_TOKEN 3
+.Os
+.Sh NAME
+.Nm au_to_arg32 ,
+.Nm au_to_arg64 ,
+.Nm au_to_arg ,
+.Nm au_to_attr64 ,
+.Nm au_to_data ,
+.Nm au_to_exit ,
+.Nm au_to_groups ,
+.Nm au_to_newgroups ,
+.Nm au_to_in_addr ,
+.Nm au_to_in_addr_ex ,  
+.Nm au_to_ip ,
+.Nm au_to_ipc ,
+.Nm au_to_ipc_perm ,
+.Nm au_to_iport ,
+.Nm au_to_opaque ,
+.Nm au_to_file ,
+.Nm au_to_text ,
+.Nm au_to_path ,
+.Nm au_to_process32 ,
+.Nm au_to_process64 ,
+.Nm au_to_process ,
+.Nm au_to_process32_ex ,
+.Nm au_to_process64_ex ,
+.Nm au_to_process_ex ,
+.Nm au_to_return32 ,
+.Nm au_to_return64 ,
+.Nm au_to_return ,
+.Nm au_to_seq ,
+.Nm au_to_socket ,
+.Nm au_to_socket_ex_32 ,
+.Nm au_to_socket_ex_128 ,
+.Nm au_to_sock_inet32 ,
+.Nm au_to_sock_inet128 ,
+.Nm au_to_sock_inet ,
+.Nm au_to_subject32 ,
+.Nm au_to_subject64 ,
+.Nm au_to_subject ,
+.Nm au_to_subject32_ex ,
+.Nm au_to_subject64_ex ,
+.Nm au_to_subject_ex ,
+.Nm au_to_me ,
+.Nm au_to_exec_args ,
+.Nm au_to_exec_env ,
+.Nm au_to_header ,
+.Nm au_to_header32 ,
+.Nm au_to_header64 ,
+.Nm au_to_trailer .
+.Nd "Routines for generating BSM audit tokens"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft token_t *
+.Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
+.Ft token_t *
+.Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
+.Ft token_t *
+.Fn au_to_arg "char n" "char *text" "u_int32_t v"
+.Ft token_t *
+.Fn au_to_attr32 "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_attr64 "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_attr "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
+.Ft token_t *
+.Fn au_to_exit "int retval" "int err"
+.Ft token_t *
+.Fn au_to_groups "int *groups"
+.Ft token_t *
+.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
+.Ft token_t *
+.Fn au_to_in_addr "struct in_addr *internet_addr"
+.Ft token_t *
+.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
+.Ft token_t *
+.Fn au_to_ip "struct ip *ip"
+.Ft token_t *
+.Fn au_to_ipc "char type" "int id"
+.Ft token_t *
+.Fn au_to_ipc_perm "struct ipc_perm *perm"
+.Ft token_t *
+.Fn au_to_iport "u_int16_t iport"
+.Ft token_t *
+.Fn au_to_opaque "char *data" "u_int64_t bytes"
+.Ft token_t *
+.Fn au_to_file "char *file"
+.Ft token_t *
+.Fn au_to_file "char *file"
+.Ft token_t *
+.Fn au_to_text "char *text"
+.Ft token_t *
+.Fn au_to_path "char *text"
+.Ft token_t *
+.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_return32 "char status" "u_int32_t ret"
+.Ft token_t *
+.Fn au_to_return64 "char status" "u_int64_t ret"
+.Ft token_t *
+.Fn au_to_return "char status" "u_int32_t ret"
+.Ft token_t *
+.Fn au_to_seq "long audit_count"
+.Ft token_t *
+.Fn au_to_socket "struct socket *so"
+.Ft token_t *
+.Fn au_to_socket_ex_32 "struct socket *so"
+.Ft token_t *
+.Fn au_to_socket_ex_128 "struct socket *so"
+.Ft token_t *
+.Fn au_to_sock_inet32 "struct sockaddr_in *so"
+.Ft token_t *
+.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
+.Ft token_t *
+.Fn au_to_sock_int "struct sockaddr_in *so"
+.Ft token_t *
+.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_me "void"
+.Ft token_t *
+.Fn au_to_exec_args "const char **args"
+.Ft token_t *
+.Fn au_to_exec_env "const char **env"
+.Ft token_t *
+.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
+.Ft token_t *
+.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
+.Ft token_t *
+.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
+.Ft token_t *
+.Fn au_to_trailer "int rec_size"
+.Sh DESCRIPTION
+These interfaces support the allocation of BSM audit tokens, represented by
+.Dt token_t ,
+for various data types.
+.Sh RETURN VALUES
+On sucess, a pointer to a
+.Vt token_t
+will be returned; the allocated
+.Vt token_t
+can be freed via a call to
+.Xr au_free_token 3 .
+On failure,
+.Dv NULL
+will be returned, and an error condition returned via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
diff --git a/contrib/openbsm/libbsm/au_user.3 b/contrib/openbsm/libbsm/au_user.3
new file mode 100644
index 0000000..e71deae
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_user.3
@@ -0,0 +1,136 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_USER 3
+.Os
+.Sh NAME
+.Nm setauuser ,
+.Nm endauuser ,
+.Nm getauuserent ,
+.Nm getauuserent_r ,
+.Nm getauusernam ,
+.Nm getauusernam_r ,
+.Nm au_user_mask ,
+.Nm getfauditflags
+.Nd "Look up information from the audit_user database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setauuser "void"
+.Ft void
+.Fn endauuser "void"
+.Ft struct au_user_ent *
+.Fn getauuserent "void"
+.Ft struct au_user_ent *
+.Fn getauuserent_r "struct au_user_ent *u" "void"
+.Ft struct au_user_ent *
+.Fn getauusernam "const char *name"
+.Ft struct au_user_ent *
+.Fn getauusernam_r "struct au_user_ent *u" "const char *name"
+.Ft int
+.Fn au_user_mask "char *username" "au_mask_t *mask_p"
+.Ft int
+.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_user 5
+database, which describes per-user audit configuration.
+Audit user entries are described by a
+.Vt au_user_ent ,
+which stores the user's name in
+.Dv au_name ,
+events to always audit in
+.Dv au_always ,
+and events never to audit
+.Dv au_never .
+.Pp
+.Fn getauuserent
+return the next user found in the
+.Xr audit_user 5
+database, or the first if the function has not yet been called.
+.Dv NULL
+will be returned if no further records are available.
+.Pp
+.Fn getauusernam
+looks up a user by name.
+.Dv NULL
+will be returned if no matching class can be found.
+.Pp
+.Fn setauuser
+resets the iterator through the
+.Xr audit_user 5
+database, causing the next call to
+.Fn getauuserent
+to start again from the beginning of the file.
+.Pp
+.Fn endauuser
+closes the
+.Xr audit_user 5
+database, if open.
+.Pp
+.Nm au_user_mask
+calculate a new session audit mask to be returned via
+.Dv mask_p
+for the user identified by
+.Dv username .
+If the user audit configuration is not found, the default system audit
+properties returned by
+.Xr getacflg 3 .
+The resulting mask may be set via a call to
+.Xr setaudit 3
+or related variants.
+.Pp
+.Nm getfauditflags
+XXXXXXXXXXXXXXXXX
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr getacflg 3 ,
+.Xr setaudit 3 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
diff --git a/contrib/openbsm/libbsm/bsm_audit.c b/contrib/openbsm/libbsm/bsm_audit.c
new file mode 100644
index 0000000..c4374cd
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_audit.c
@@ -0,0 +1,354 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#18 $
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <bsm/audit_internal.h>
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* array of used descriptors */
+static au_record_t	*open_desc_table[MAX_AUDIT_RECORDS];
+
+/* The current number of active record descriptors */
+static int	bsm_rec_count = 0;
+
+/*
+ * Records that can be recycled are maintained in the list given below.  The
+ * maximum number of elements that can be present in this list is bounded by
+ * MAX_AUDIT_RECORDS.  Memory allocated for these records are never freed.
+ */
+static LIST_HEAD(, au_record)	bsm_free_q;
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * This call frees a token_t and its internal data.
+ */
+void
+au_free_token(token_t *tok)
+{
+
+	if (tok != NULL) {
+		if (tok->t_data)
+			free(tok->t_data);
+		free(tok);
+	}
+}
+
+/*
+ * This call reserves memory for the audit record.  Memory must be guaranteed
+ * before any auditable event can be generated.  The au_record_t structure
+ * maintains a reference to the memory allocated above and also the list of
+ * tokens associated with this record.  Descriptors are recyled once the
+ * records are added to the audit trail following au_close().
+ */
+int
+au_open(void)
+{
+	au_record_t *rec = NULL;
+
+	pthread_mutex_lock(&mutex);
+
+	if (bsm_rec_count == 0)
+		LIST_INIT(&bsm_free_q);
+
+	/*
+	 * Find an unused descriptor, remove it from the free list, mark as
+	 * used.
+	 */
+	if (!LIST_EMPTY(&bsm_free_q)) {
+		rec = LIST_FIRST(&bsm_free_q);
+		rec->used = 1;
+		LIST_REMOVE(rec, au_rec_q);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (rec == NULL) {
+		/*
+		 * Create a new au_record_t if no descriptors are available.
+		 */
+		rec = malloc (sizeof(au_record_t));
+		if (rec == NULL)
+			return (-1);
+
+		rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
+		if (rec->data == NULL) {
+			free(rec);
+			errno = ENOMEM;
+			return (-1);
+		}
+
+		pthread_mutex_lock(&mutex);
+
+		if (bsm_rec_count == MAX_AUDIT_RECORDS) {
+			pthread_mutex_unlock(&mutex);
+			free(rec->data);
+			free(rec);
+
+			/* XXX We need to increase size of MAX_AUDIT_RECORDS */
+			errno = ENOMEM;
+			return (-1);
+		}
+		rec->desc = bsm_rec_count;
+		open_desc_table[bsm_rec_count] = rec;
+		bsm_rec_count++;
+
+		pthread_mutex_unlock(&mutex);
+
+	}
+
+	memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
+
+	TAILQ_INIT(&rec->token_q);
+	rec->len = 0;
+	rec->used = 1;
+
+	return (rec->desc);
+}
+
+/*
+ * Store the token with the record descriptor.
+ *
+ * Don't permit writing more to the buffer than would let the trailer be
+ * appended later.
+ */
+int
+au_write(int d, token_t *tok)
+{
+	au_record_t *rec;
+
+	if (tok == NULL) {
+		errno = EINVAL;
+		return (-1); /* Invalid Token */
+	}
+
+	/* Write the token to the record descriptor */
+	rec = open_desc_table[d];
+	if ((rec == NULL) || (rec->used == 0)) {
+		errno = EINVAL;
+		return (-1); /* Invalid descriptor */
+	}
+
+	if (rec->len + tok->len + BSM_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) {
+		errno = ENOMEM;
+		return (-1);
+	}
+
+	/* Add the token to the tail */
+	/*
+	 * XXX Not locking here -- we should not be writing to
+	 * XXX the same descriptor from different threads
+	 */
+	TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
+
+	rec->len += tok->len; /* grow record length by token size bytes */
+
+	/* Token should not be available after this call */
+	tok = NULL;
+	return (0); /* Success */
+}
+
+/*
+ * Assemble an audit record out of its tokens, including allocating header and
+ * trailer tokens.  Does not free the token chain, which must be done by the
+ * caller if desirable.
+ *
+ * XXX: Assumes there is sufficient space for the header and trailer.
+ */
+static int
+au_assemble(au_record_t *rec, short event)
+{
+	token_t *header, *tok, *trailer;
+	size_t tot_rec_size;
+	u_char *dptr;
+	int error;
+
+	tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+	header = au_to_header32(tot_rec_size, event, 0);
+	if (header == NULL)
+		return (-1);
+
+	trailer = au_to_trailer(tot_rec_size);
+	if (trailer == NULL) {
+		error = errno;
+		au_free_token(header);
+		errno = error;
+		return (-1);
+	}
+
+	TAILQ_INSERT_HEAD(&rec->token_q, header, tokens);
+	TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens);
+
+	rec->len = tot_rec_size;
+	dptr = rec->data;
+
+	TAILQ_FOREACH(tok, &rec->token_q, tokens) {
+		memcpy(dptr, tok->t_data, tok->len);
+		dptr += tok->len;
+	}
+
+	return (0);
+}
+
+/*
+ * Given a record that is no longer of interest, tear it down and convert to a
+ * free record.
+ */
+static void
+au_teardown(au_record_t *rec)
+{
+	token_t *tok;
+
+	/* Free the token list */
+	while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) {
+		TAILQ_REMOVE(&rec->token_q, tok, tokens);
+		free(tok->t_data);
+		free(tok);
+	}
+
+	rec->used = 0;
+	rec->len = 0;
+
+	pthread_mutex_lock(&mutex);
+
+	/* Add the record to the freelist tail */
+	LIST_INSERT_HEAD(&bsm_free_q, rec, au_rec_q);
+
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Add the header token, identify any missing tokens.  Write out the tokens to
+ * the record memory and finally, call audit.
+ */
+int au_close(int d, int keep, short event)
+{
+	au_record_t *rec;
+	size_t tot_rec_size;
+	int retval = 0;
+
+	rec = open_desc_table[d];
+	if ((rec == NULL) || (rec->used == 0)) {
+		errno = EINVAL;
+		return (-1); /* Invalid descriptor */
+	}
+
+	if (!keep) {
+		retval = 0;
+		goto cleanup;
+	}
+
+
+	tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+
+	if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
+		/*
+		 * XXXRW: Since au_write() is supposed to prevent this, spew
+		 * an error here.
+		 */
+		fprintf(stderr, "au_close failed");
+		errno = ENOMEM;
+		retval = -1;
+		goto cleanup;
+	}
+
+	if (au_assemble(rec, event) < 0) {
+		/*
+		 * XXXRW: This is also not supposed to happen, but might if we
+		 * are unable to allocate header and trailer memory.
+		 */
+		retval = -1;
+		goto cleanup;
+	}
+
+	/* Call the kernel interface to audit */
+	retval = audit(rec->data, rec->len);
+
+cleanup:
+	/* CLEANUP */
+	au_teardown(rec);
+	return (retval);
+}
+
+/*
+ * au_close(), except onto an in-memory buffer.  Buffer size as an argument,
+ * record size returned via same argument on success.
+ */
+int
+au_close_buffer(int d, short event, u_char *buffer, size_t *buflen)
+{
+	size_t tot_rec_size;
+	au_record_t *rec;
+	int retval;
+
+	rec = open_desc_table[d];
+	if ((rec == NULL) || (rec->used == 0)) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	retval = 0;
+	tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+	if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
+	    (tot_rec_size > *buflen)) {
+		/*
+		 * XXXRW: See au_close() comment.
+		 */
+		fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size);
+		errno = ENOMEM;
+		retval = -1;
+		goto cleanup;
+	}
+
+	if (au_assemble(rec, event) < 0) {
+		/* XXXRW: See au_close() comment. */
+		retval = -1;
+		goto cleanup;
+	}
+
+	memcpy(buffer, rec->data, rec->len);
+	*buflen = rec->len;
+
+cleanup:
+	au_teardown(rec);
+	return (retval);
+}
diff --git a/contrib/openbsm/libbsm/bsm_class.c b/contrib/openbsm/libbsm/bsm_class.c
new file mode 100644
index 0000000..5982d7e
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_class.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_class.c#11 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_class file to return struct au_class_ent
+ * entries.
+ */
+static FILE		*fp = NULL;
+static char		 linestr[AU_LINE_MAX];
+static const char	*classdelim = ":";
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse a single line from the audit_class file passed in str to the struct
+ * au_class_ent elements; store the result in c.
+ */
+static struct au_class_ent *
+classfromstr(char *str, struct au_class_ent *c)
+{
+	char *classname, *classdesc, *classflag;
+	char *last;
+
+	/* Each line contains flag:name:desc. */
+	classflag = strtok_r(str, classdelim, &last);
+	classname = strtok_r(NULL, classdelim, &last);
+	classdesc = strtok_r(NULL, classdelim, &last);
+
+	if ((classflag == NULL) || (classname == NULL) || (classdesc == NULL))
+		return (NULL);
+
+	/*
+	 * Check for very large classnames.
+	 */
+	if (strlen(classname) >= AU_CLASS_NAME_MAX)
+		return (NULL);
+
+	strcpy(c->ac_name, classname);
+
+	/*
+	 * Check for very large class description.
+	 */
+	if (strlen(classdesc) >= AU_CLASS_DESC_MAX)
+		return (NULL);
+	strcpy(c->ac_desc, classdesc);
+	c->ac_class = strtoul(classflag, (char **) NULL, 0);
+
+	return (c);
+}
+
+/*
+ * Return the next au_class_ent structure from the file setauclass should be
+ * called before invoking this function for the first time.
+ *
+ * Must be called with mutex held.
+ */
+static struct au_class_ent *
+getauclassent_r_locked(struct au_class_ent *c)
+{
+	char *tokptr, *nl;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_CLASS_FILE, "r")) == NULL))
+		return (NULL);
+
+	/*
+	 * Read until next non-comment line is found, or EOF.
+	 */
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+			return (NULL);
+
+		/* Skip comments. */
+		if (linestr[0] == '#')
+			continue;
+
+		/* Remove trailing new line character. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		/* Parse tokptr to au_class_ent components. */
+		tokptr = linestr;
+		if (classfromstr(tokptr, c) == NULL)
+			return (NULL);
+		break;
+	}
+
+	return (c);
+}
+
+struct au_class_ent *
+getauclassent_r(struct au_class_ent *c)
+{
+	struct au_class_ent *cp;
+
+	pthread_mutex_lock(&mutex);
+	cp = getauclassent_r_locked(c);
+	pthread_mutex_unlock(&mutex);
+	return (cp);
+}
+
+struct au_class_ent *
+getauclassent(void)
+{
+	static char class_ent_name[AU_CLASS_NAME_MAX];
+	static char class_ent_desc[AU_CLASS_DESC_MAX];
+	static struct au_class_ent c, *cp;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	pthread_mutex_lock(&mutex);
+	cp = getauclassent_r_locked(&c);
+	pthread_mutex_unlock(&mutex);
+	return (cp);
+}
+
+/*
+ * Rewind to the beginning of the enumeration.
+ *
+ * Must be called with mutex held.
+ */
+static void
+setauclass_locked(void)
+{
+
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauclass(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	setauclass_locked();
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Return the next au_class_entry having the given class name.
+ */
+struct au_class_ent *
+getauclassnam_r(struct au_class_ent *c, const char *name)
+{
+	struct au_class_ent *cp;
+
+	if (name == NULL)
+		return (NULL);
+
+	pthread_mutex_lock(&mutex);
+	setauclass_locked();
+	while ((cp = getauclassent_r_locked(c)) != NULL) {
+		if (strcmp(name, cp->ac_name) == 0) {
+			pthread_mutex_unlock(&mutex);
+			return (cp);
+		}
+	}
+	pthread_mutex_unlock(&mutex);
+	return (NULL);
+}
+
+struct au_class_ent *
+getauclassnam(const char *name)
+{
+	static char class_ent_name[AU_CLASS_NAME_MAX];
+	static char class_ent_desc[AU_CLASS_DESC_MAX];
+	static struct au_class_ent c;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	return (getauclassnam_r(&c, name));
+}
+
+
+/*
+ * Return the next au_class_entry having the given class number.
+ *
+ * OpenBSM extension.
+ */
+struct au_class_ent *
+getauclassnum_r(struct au_class_ent *c, au_class_t class_number)
+{
+	struct au_class_ent *cp;
+
+	pthread_mutex_lock(&mutex);
+	setauclass_locked();
+	while ((cp = getauclassent_r_locked(c)) != NULL) {
+		if (class_number == cp->ac_class)
+			return (cp);
+	}
+	pthread_mutex_unlock(&mutex);
+	return (NULL);
+}
+
+struct au_class_ent *
+getauclassnum(au_class_t class_number)
+{
+	static char class_ent_name[AU_CLASS_NAME_MAX];
+	static char class_ent_desc[AU_CLASS_DESC_MAX];
+	static struct au_class_ent c;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	return (getauclassnum_r(&c, class_number));
+}
+
+/*
+ * audit_class processing is complete; close any open files.
+ */
+void
+endauclass(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c
new file mode 100644
index 0000000..438082b
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_control.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_control file to return the audit control
+ * parameters.
+ */
+static FILE	*fp = NULL;
+static char	linestr[AU_LINE_MAX];
+static char	*delim = ":";
+
+static char	inacdir = 0;
+static char	ptrmoved = 0;
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Returns the string value corresponding to the given label from the
+ * configuration file.
+ *
+ * Must be called with mutex held.
+ */
+static int
+getstrfromtype_locked(char *name, char **str)
+{
+	char *type, *nl;
+	char *tokptr;
+	char *last;
+
+	*str = NULL;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_CONTROL_FILE, "r")) == NULL))
+		return (-1); /* Error */
+
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL) {
+			if (ferror(fp))
+				return (-1);
+			return (0);	/* EOF */
+		}
+
+		if (linestr[0] == '#')
+			continue;
+
+		/* Remove trailing new line character. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		tokptr = linestr;
+		if ((type = strtok_r(tokptr, delim, &last)) != NULL) {
+			if (strcmp(name, type) == 0) {
+				/* Found matching name. */
+				*str = strtok_r(NULL, delim, &last);
+				if (*str == NULL) {
+					errno = EINVAL;
+					return (-1); /* Parse error in file */
+				}
+				return (0); /* Success */
+			}
+		}
+	}
+}
+
+/*
+ * Rewind the file pointer to beginning.
+ */
+void
+setac(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	ptrmoved = 1;
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the audit_control file
+ */
+void
+endac(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	ptrmoved = 1;
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Return audit directory information from the audit control file.
+ */
+int
+getacdir(char *name, int len)
+{
+	char *dir;
+	int ret = 0;
+
+	if (name == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	/*
+	 * Check if another function was called between
+	 * successive calls to getacdir
+	 */
+	if (inacdir && ptrmoved) {
+		ptrmoved = 0;
+		if (fp != NULL)
+			fseek(fp, 0, SEEK_SET);
+		ret = 2;
+	}
+
+
+	if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (dir == NULL)
+		return (-1);
+
+	if (strlen(dir) >= len)
+		return (-3);
+
+	strcpy(name, dir);
+
+	return (ret);
+}
+
+/*
+ * Return the minimum free diskspace value from the audit control file
+ */
+int
+getacmin(int *min_val)
+{
+	char *min;
+
+	setac();
+
+	if (min_val == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (min == NULL)
+		return (1);
+
+	*min_val = atoi(min);
+
+	return (0);
+}
+
+/*
+ * Return the system audit value from the audit contol file.
+ */
+int
+getacflg(char *auditstr, int len)
+{
+	char *str;
+
+	setac();
+
+	if (auditstr == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (str == NULL)
+		return (1);
+
+	if (strlen(str) >= len)
+		return (-3);
+
+	strcpy(auditstr, str);
+
+	return (0);
+}
+
+/*
+ * Return the non attributable flags from the audit contol file.
+ */
+int
+getacna(char *auditstr, int len)
+{
+	char *str;
+
+	setac();
+
+	if (auditstr == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+	pthread_mutex_unlock(&mutex);
+
+	if (str == NULL)
+		return (1);
+
+	if (strlen(str) >= len)
+		return (-3);
+
+	strcpy(auditstr, str);
+
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_event.c b/contrib/openbsm/libbsm/bsm_event.c
new file mode 100644
index 0000000..6e22e4c
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_event.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#11 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_event file to return
+ * au_event_ent entries
+ */
+static FILE		*fp = NULL;
+static char		 linestr[AU_LINE_MAX];
+static const char	*eventdelim = ":";
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse one line from the audit_event file into the au_event_ent structure.
+ */
+static struct au_event_ent *
+eventfromstr(char *str, struct au_event_ent *e)
+{
+	char *evno, *evname, *evdesc, *evclass;
+	struct au_mask evmask;
+	char *last;
+
+	evno = strtok_r(str, eventdelim, &last);
+	evname = strtok_r(NULL, eventdelim, &last);
+	evdesc = strtok_r(NULL, eventdelim, &last);
+	evclass = strtok_r(NULL, eventdelim, &last);
+
+	if ((evno == NULL) || (evname == NULL) || (evdesc == NULL) ||
+	    (evclass == NULL))
+		return (NULL);
+
+	if (strlen(evname) >= AU_EVENT_NAME_MAX)
+		return (NULL);
+
+	strcpy(e->ae_name, evname);
+	if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
+		return (NULL);
+	strcpy(e->ae_desc, evdesc);
+
+	e->ae_number = atoi(evno);
+
+	/*
+	 * Find out the mask that corresponds to the given list of classes.
+	 */
+	if (getauditflagsbin(evclass, &evmask) != 0)
+		e->ae_class = AU_NULL;
+	else
+		e->ae_class = evmask.am_success;
+
+	return (e);
+}
+
+/*
+ * Rewind the audit_event file.
+ */
+static void
+setauevent_locked(void)
+{
+
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauevent(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	setauevent_locked();
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the open file pointers.
+ */
+void
+endauevent(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Enumerate the au_event_ent entries.
+ */
+static struct au_event_ent *
+getauevent_r_locked(struct au_event_ent *e)
+{
+	char *nl;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+			return (NULL);
+
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		/* Skip comments. */
+		if (linestr[0] == '#')
+			continue;
+
+		/* Get the next event structure. */
+		if (eventfromstr(linestr, e) == NULL)
+			return (NULL);
+		break;
+	}
+
+	return (e);
+}
+
+struct au_event_ent *
+getauevent_r(struct au_event_ent *e)
+{
+	struct au_event_ent *ep;
+
+	pthread_mutex_lock(&mutex);
+	ep = getauevent_r_locked(e);
+	pthread_mutex_unlock(&mutex);
+	return (ep);
+}
+
+struct au_event_ent *
+getauevent(void)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+	return (getauevent_r(&e));
+}
+
+/*
+ * Search for an audit event structure having the given event name.
+ *
+ * XXXRW: Why accept NULL name?
+ */
+static struct au_event_ent *
+getauevnam_r_locked(struct au_event_ent *e, const char *name)
+{
+	char *nl;
+
+	if (name == NULL)
+		return (NULL);
+
+	/* Rewind to beginning of the file. */
+	setauevent_locked();
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		if (eventfromstr(linestr, e) != NULL) {
+			if (strcmp(name, e->ae_name) == 0)
+				return (e);
+		}
+	}
+
+	return (NULL);
+}
+
+struct au_event_ent *
+getauevnam_r(struct au_event_ent *e, const char *name)
+{
+	struct au_event_ent *ep;
+
+	pthread_mutex_lock(&mutex);
+	ep = getauevnam_r_locked(e, name);
+	pthread_mutex_unlock(&mutex);
+	return (ep);
+}
+
+struct au_event_ent *
+getauevnam(const char *name)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+	return (getauevnam_r(&e, name));
+}
+
+/*
+ * Search for an audit event structure having the given event number.
+ */
+static struct au_event_ent *
+getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
+{
+	char *nl;
+
+	/* Rewind to beginning of the file. */
+	setauevent_locked();
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		if (eventfromstr(linestr, e) != NULL) {
+			if (event_number == e->ae_number)
+				return (e);
+		}
+	}
+
+	return (NULL);
+}
+
+struct au_event_ent *
+getauevnum_r(struct au_event_ent *e, au_event_t event_number)
+{
+	struct au_event_ent *ep;
+
+	pthread_mutex_lock(&mutex);
+	ep = getauevnum_r_locked(e, event_number);
+	pthread_mutex_unlock(&mutex);
+	return (ep);
+}
+
+struct au_event_ent *
+getauevnum(au_event_t event_number)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+	return (getauevnum_r(&e, event_number));
+}
+
+/*
+ * Search for an audit_event entry with a given event_name and returns the
+ * corresponding event number.
+ */
+au_event_t *
+getauevnonam_r(au_event_t *ev, const char *event_name)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e, *ep;
+
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	bzero(&e, sizeof(e));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+
+	ep = getauevnam_r(&e, event_name);
+	if (ep == NULL)
+		return (NULL);
+
+	*ev = e.ae_number;
+	return (ev);
+}
+
+au_event_t *
+getauevnonam(const char *event_name)
+{
+	static au_event_t event;
+
+	return (getauevnonam_r(&event, event_name));
+}
diff --git a/contrib/openbsm/libbsm/bsm_flags.c b/contrib/openbsm/libbsm/bsm_flags.c
new file mode 100644
index 0000000..e514c86
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_flags.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_flags.c#13 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+static const char	*flagdelim = ",";
+
+/*
+ * Convert the character representation of audit values into the au_mask_t
+ * field.
+ */
+int
+getauditflagsbin(char *auditstr, au_mask_t *masks)
+{
+	char class_ent_name[AU_CLASS_NAME_MAX];
+	char class_ent_desc[AU_CLASS_DESC_MAX];
+	struct au_class_ent c;
+	char *tok;
+	char sel, sub;
+	char *last;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	masks->am_success = 0;
+	masks->am_failure = 0;
+
+	tok = strtok_r(auditstr, flagdelim, &last);
+	while (tok != NULL) {
+		/* Check for the events that should not be audited. */
+		if (tok[0] == '^') {
+			sub = 1;
+			tok++;
+		} else
+			sub = 0;
+
+		/* Check for the events to be audited for success. */
+		if (tok[0] == '+') {
+			sel = AU_PRS_SUCCESS;
+			tok++;
+		} else if (tok[0] == '-') {
+			sel = AU_PRS_FAILURE;
+			tok++;
+		} else
+			sel = AU_PRS_BOTH;
+
+		if ((getauclassnam_r(&c, tok)) != NULL) {
+			if (sub)
+				SUB_FROM_MASK(masks, c.ac_class, sel);
+			else
+				ADD_TO_MASK(masks, c.ac_class, sel);
+		} else {
+			errno = EINVAL;
+			return (-1);
+		}
+
+		/* Get the next class. */
+		tok = strtok_r(NULL, flagdelim, &last);
+	}
+	return (0);
+}
+
+/*
+ * Convert the au_mask_t fields into a string value.  If verbose is non-zero
+ * the long flag names are used else the short (2-character)flag names are
+ * used.
+ *
+ * XXXRW: If bits are specified that are not matched by any class, they are
+ * omitted rather than rejected with EINVAL.
+ *
+ * XXXRW: This is not thread-safe as it relies on atomicity between
+ * setauclass() and sequential calls to getauclassent().  This could be
+ * fixed by iterating through the bitmask fields rather than iterating
+ * through the classes.
+ */
+int
+getauditflagschar(char *auditstr, au_mask_t *masks, int verbose)
+{
+	char class_ent_name[AU_CLASS_NAME_MAX];
+	char class_ent_desc[AU_CLASS_DESC_MAX];
+	struct au_class_ent c;
+	char *strptr = auditstr;
+	u_char sel;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	/*
+	 * Enumerate the class entries, check if each is selected in either
+	 * the success or failure masks.
+	 */
+	setauclass();
+	while ((getauclassent_r(&c)) != NULL) {
+		sel = 0;
+
+		/* Dont do anything for class = no. */
+		if (c.ac_class == 0)
+			continue;
+
+		sel |= ((c.ac_class & masks->am_success) == c.ac_class) ?
+		    AU_PRS_SUCCESS : 0;
+		sel |= ((c.ac_class & masks->am_failure) == c.ac_class) ?
+		    AU_PRS_FAILURE : 0;
+
+		/*
+		 * No prefix should be attached if both success and failure
+		 * are selected.
+		 */
+		if ((sel & AU_PRS_BOTH) == 0) {
+			if ((sel & AU_PRS_SUCCESS) != 0) {
+				*strptr = '+';
+				strptr = strptr + 1;
+			} else if ((sel & AU_PRS_FAILURE) != 0) {
+				*strptr = '-';
+				strptr = strptr + 1;
+			}
+		}
+
+		if (sel != 0) {
+			if (verbose) {
+				strcpy(strptr, c.ac_desc);
+				strptr += strlen(c.ac_desc);
+			} else {
+				strcpy(strptr, c.ac_name);
+				strptr += strlen(c.ac_name);
+			}
+			*strptr = ','; /* delimiter */
+			strptr = strptr + 1;
+		}
+	}
+
+	/* Overwrite the last delimiter with the string terminator. */
+	if (strptr != auditstr)
+		*(strptr-1) = '\0';
+
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c
new file mode 100644
index 0000000..bfdd366
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_io.c
@@ -0,0 +1,2831 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#29 $
+ */
+
+#include <sys/types.h>
+#ifdef __APPLE__
+#include <compat/endian.h>
+#else /* !__APPLE__ */
+#include <sys/endian.h>
+#endif /* __APPLE__*/
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include <bsm/libbsm.h>
+
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <bsm/audit_internal.h>
+
+#define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
+	if (bytesread + size > len) {					\
+		err = 1;						\
+	} else {							\
+		memcpy(dest, buf + bytesread, size);			\
+		bytesread += size;					\
+	}								\
+} while (0)
+
+#define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_char) <= len) {			\
+		dest = buf[bytesread];					\
+		bytesread += sizeof(u_char);				\
+	} else								\
+		err = 1;						\
+} while (0)
+
+#define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_int16_t) <= len) {			\
+		dest = be16dec(buf + bytesread);			\
+		bytesread += sizeof(u_int16_t);				\
+	} else								\
+		err = 1;						\
+} while (0)
+
+#define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_int32_t) <= len) {			\
+		dest = be32dec(buf + bytesread);			\
+		bytesread += sizeof(u_int32_t);				\
+	} else								\
+		err = 1; 						\
+} while (0)
+
+#define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_int64_t) <= len) {			\
+		dest = be64dec(buf + bytesread);			\
+		bytesread += sizeof(u_int64_t);				\
+	} else								\
+		err = 1; 						\
+} while (0)
+
+#define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
+	if ((bytesread) + (size) > (len))				\
+		(err) = 1;						\
+	else {								\
+		(ptr) = (buf) + (bytesread);				\
+		(bytesread) += (size);					\
+	}								\
+} while (0)
+
+/*
+ * Prints the delimiter string.
+ */
+static void
+print_delim(FILE *fp, const char *del)
+{
+
+	fprintf(fp, "%s", del);
+}
+
+/*
+ * Prints a single byte in the given format.
+ */
+static void
+print_1_byte(FILE *fp, u_char val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Print 2 bytes in the given format.
+ */
+static void
+print_2_bytes(FILE *fp, u_int16_t val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Prints 4 bytes in the given format.
+ */
+static void
+print_4_bytes(FILE *fp, u_int32_t val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Prints 8 bytes in the given format.
+ */
+static void
+print_8_bytes(FILE *fp, u_int64_t val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Prints the given size of data bytes in hex.
+ */
+static void
+print_mem(FILE *fp, u_char *data, size_t len)
+{
+	int i;
+
+	if (len > 0) {
+		fprintf(fp, "0x");
+		for (i = 0; i < len; i++)
+			fprintf(fp, "%x", data[i]);
+	}
+}
+
+/*
+ * Prints the given data bytes as a string.
+ */
+static void
+print_string(FILE *fp, u_char *str, size_t len)
+{
+	int i;
+
+	if (len > 0) {
+		for (i = 0; i < len; i++) {
+			if (str[i] != '\0')
+				fprintf(fp, "%c", str[i]);
+		}
+	}
+}
+
+/*
+ * Prints the token type in either the raw or the default form.
+ */
+static void
+print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
+{
+
+	if (raw)
+		fprintf(fp, "%u", type);
+	else
+		fprintf(fp, "%s", tokname);
+}
+
+/*
+ * Prints a user value.
+ */
+static void
+print_user(FILE *fp, u_int32_t usr, char raw)
+{
+	struct passwd *pwent;
+
+	if (raw)
+		fprintf(fp, "%d", usr);
+	else {
+		pwent = getpwuid(usr);
+		if (pwent != NULL)
+			fprintf(fp, "%s", pwent->pw_name);
+		else
+			fprintf(fp, "%d", usr);
+	}
+}
+
+/*
+ * Prints a group value.
+ */
+static void
+print_group(FILE *fp, u_int32_t grp, char raw)
+{
+	struct group *grpent;
+
+	if (raw)
+		fprintf(fp, "%d", grp);
+	else {
+		grpent = getgrgid(grp);
+		if (grpent != NULL)
+			fprintf(fp, "%s", grpent->gr_name);
+		else
+			fprintf(fp, "%d", grp);
+	}
+}
+
+/*
+ * Prints the event from the header token in either the short, default or raw
+ * form.
+ */
+static void
+print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
+{
+	char event_ent_name[AU_EVENT_NAME_MAX];
+	char event_ent_desc[AU_EVENT_DESC_MAX];
+	struct au_event_ent e, *ep;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+
+	ep = getauevnum_r(&e, ev);
+	if (ep == NULL) {
+		fprintf(fp, "%u", ev);
+		return;
+	}
+
+	if (raw)
+		fprintf(fp, "%u", ev);
+	else if (sfrm)
+		fprintf(fp, "%s", e.ae_name);
+	else
+		fprintf(fp, "%s", e.ae_desc);
+}
+
+
+/*
+ * Prints the event modifier from the header token in either the default or
+ * raw form.
+ */
+static void
+print_evmod(FILE *fp, u_int16_t evmod, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", evmod);
+	else
+		fprintf(fp, "%u", evmod);
+}
+
+/*
+ * Prints seconds in the ctime format.
+ */
+static void
+print_sec32(FILE *fp, u_int32_t sec, char raw)
+{
+	time_t timestamp;
+	char timestr[26];
+
+	if (raw)
+		fprintf(fp, "%u", sec);
+	else {
+		timestamp = (time_t)sec;
+		ctime_r(&timestamp, timestr);
+		timestr[24] = '\0'; /* No new line */
+		fprintf(fp, "%s", timestr);
+	}
+}
+
+/*
+ * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
+ * assume a 32-bit time_t, we simply truncate for now.
+ */
+static void
+print_sec64(FILE *fp, u_int64_t sec, char raw)
+{
+	time_t timestamp;
+	char timestr[26];
+
+	if (raw)
+		fprintf(fp, "%u", (u_int32_t)sec);
+	else {
+		timestamp = (time_t)sec;
+		ctime_r(&timestamp, timestr);
+		timestr[24] = '\0'; /* No new line */
+		fprintf(fp, "%s", timestr);
+	}
+}
+
+/*
+ * Prints the excess milliseconds.
+ */
+static void
+print_msec32(FILE *fp, u_int32_t msec, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", msec);
+	else
+		fprintf(fp, " + %u msec", msec);
+}
+
+/*
+ * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
+ * a 32-bit msec, we simply truncate for now.
+ */
+static void
+print_msec64(FILE *fp, u_int64_t msec, char raw)
+{
+
+	msec &= 0xffffffff;
+	if (raw)
+		fprintf(fp, "%u", (u_int32_t)msec);
+	else
+		fprintf(fp, " + %u msec", (u_int32_t)msec);
+}
+
+/*
+ * Prints a dotted form for the IP address.
+ */
+static void
+print_ip_address(FILE *fp, u_int32_t ip)
+{
+	struct in_addr ipaddr;
+
+	ipaddr.s_addr = ip;
+	fprintf(fp, "%s", inet_ntoa(ipaddr));
+}
+
+/* 
+ * Prints a string value for the given ip address.
+ */
+static void
+print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
+{
+	struct in_addr ipv4;
+	struct in6_addr ipv6;
+	char dst[INET6_ADDRSTRLEN];
+
+	switch (type) {
+	case AU_IPv4:
+		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
+		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
+		    INET6_ADDRSTRLEN));
+		break;
+
+	case AU_IPv6:
+		ipv6.__u6_addr.__u6_addr32[0] = ipaddr[0];
+		ipv6.__u6_addr.__u6_addr32[1] = ipaddr[1];
+		ipv6.__u6_addr.__u6_addr32[2] = ipaddr[2];
+		ipv6.__u6_addr.__u6_addr32[3] = ipaddr[3];
+		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
+		    INET6_ADDRSTRLEN));
+		break;
+
+	default:
+		fprintf(fp, "invalid");
+	}
+}
+
+/*
+ * Prints return value as success or failure.
+ */
+static void
+print_retval(FILE *fp, u_char status, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", status);
+	else {
+		if (status == 0)
+			fprintf(fp, "success");
+		else
+			fprintf(fp, "failure : %s", strerror(status));
+	}
+}
+
+/*
+ * Prints the exit value.
+ */
+static void
+print_errval(FILE *fp, u_int32_t val)
+{
+
+	fprintf(fp, "Error %u", val);
+}
+
+/*
+ * Prints IPC type.
+ */
+static void
+print_ipctype(FILE *fp, u_char type, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", type);
+	else {
+		if (type == AT_IPC_MSG)
+			fprintf(fp, "Message IPC");
+		else if (type == AT_IPC_SEM)
+			fprintf(fp, "Semaphore IPC");
+		else if (type == AT_IPC_SHM)
+			fprintf(fp, "Shared Memory IPC");
+		else
+			fprintf(fp, "%u", type);
+	}
+}
+
+/*
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+static int
+fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr32.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr32.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+	print_delim(fp, del);
+	print_sec32(fp, tok->tt.hdr32.s, raw);
+	print_delim(fp, del);
+	print_msec32(fp, tok->tt.hdr32.ms, raw);
+}
+
+/*
+ * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
+ * depending on the bit of the specifications found.  The OpenSolaris source
+ * code uses a 4-byte address length, followed by some number of bytes of
+ * address data.  This contrasts with the Solaris audit.log.5 man page, which
+ * specifies a 1-byte length field.  We use the Solaris 10 definition so that
+ * we can parse audit trails from that system.
+ *
+ * record byte count       4 bytes
+ * version #               1 byte     [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     4 bytes
+ *   [ Solaris man page: address type/length     1 byte]
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes  (32/64-bits)
+ * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
+ */
+static int
+fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
+	switch (tok->tt.hdr32_ex.ad_type) {
+	case AU_IPv4:
+		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
+		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+		break;
+
+	case AU_IPv6:
+		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
+		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
+		break;
+	}
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header_ex", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+	    tok->tt.hdr32_ex.addr);
+	print_delim(fp, del);
+	print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+	print_delim(fp, del);
+	print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+}
+
+/*
+ * record byte count       4 bytes
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ * version #              
+ */
+static int
+fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr64.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr64.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+	print_delim(fp, del);
+	print_sec64(fp, tok->tt.hdr64.s, raw);
+	print_delim(fp, del);
+	print_msec64(fp, tok->tt.hdr64.ms, raw);
+}
+/*
+ * record byte count       4 bytes
+ * version #               1 byte     [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     4 bytes
+ *   [ Solaris man page: address type/length     1 byte]
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes  (32/64-bits)
+ * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
+ *
+ * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
+ * accuracy of the BSM spec.
+ */
+static int
+fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
+	switch (tok->tt.hdr64_ex.ad_type) {
+	case AU_IPv4:
+		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
+		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+		break;
+
+	case AU_IPv6:
+		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
+		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
+		break;
+	}
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header_ex", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+	    tok->tt.hdr64_ex.addr);
+	print_delim(fp, del);
+	print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+	print_delim(fp, del);
+	print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+}
+
+/*
+ * trailer magic                        2 bytes
+ * record size                          4 bytes
+ */
+static int
+fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "trailer", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.trail.count, "%u");
+}
+
+/*
+ * argument #              1 byte
+ * argument value          4 bytes/8 bytes (32-bit/64-bit value)
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+static int
+fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "argument", raw);
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.arg32.no, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.arg32.val, "%#x");
+	print_delim(fp, del);
+	print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+}
+
+static int
+fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "argument", raw);
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.arg64.no, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.arg64.val, "%#llx");
+	print_delim(fp, del);
+	print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+}
+
+/*
+ * how to print            1 byte
+ * basic unit              1 byte
+ * unit count              1 byte
+ * data items              (depends on basic unit)
+ */
+static int
+fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int datasize;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
+	if (err)
+		return (-1);
+
+	/*
+	 * Determine the size of the basic unit.
+	 */
+	switch(tok->tt.arb.bu) {
+	case AUR_BYTE:
+		datasize = AUR_BYTE_SIZE;
+		break;
+
+	case AUR_SHORT:
+		datasize = AUR_SHORT_SIZE;
+		break;
+
+	case AUR_LONG:
+		datasize = AUR_LONG_SIZE;
+		break;
+
+	default:
+		return (-1);
+	}
+
+	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
+	    tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	char *str;
+	char *format;
+	size_t size;
+	int i;
+
+	print_tok_type(fp, tok->id, "arbitrary", raw);
+	print_delim(fp, del);
+
+	switch(tok->tt.arb.howtopr) {
+	case AUP_BINARY:
+		str = "binary";
+		format = " %c";
+		break;
+
+	case AUP_OCTAL:
+		str = "octal";
+		format = " %o";
+		break;
+
+	case AUP_DECIMAL:
+		str = "decimal";
+		format = " %d";
+		break;
+
+	case AUP_HEX:
+		str = "hex";
+		format = " %x";
+		break;
+
+	case AUP_STRING:
+		str = "string";
+		format = "%c";
+		break;
+
+	default:
+		return;
+	}
+
+	print_string(fp, str, strlen(str));
+	print_delim(fp, del);
+	switch(tok->tt.arb.bu) {
+	case AUR_BYTE:
+		str = "byte";
+		size = AUR_BYTE_SIZE;
+		print_string(fp, str, strlen(str));
+		print_delim(fp, del);
+		print_1_byte(fp, tok->tt.arb.uc, "%u");
+		print_delim(fp, del);
+		for (i = 0; i<tok->tt.arb.uc; i++)
+			fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
+		break;
+
+	case AUR_SHORT:
+		str = "short";
+		size = AUR_SHORT_SIZE;
+		print_string(fp, str, strlen(str));
+		print_delim(fp, del);
+		print_1_byte(fp, tok->tt.arb.uc, "%u");
+		print_delim(fp, del);
+		for (i = 0; i<tok->tt.arb.uc; i++)
+			fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
+			    (size * i))));
+		break;
+
+	case AUR_LONG:
+		str = "int";
+		size = AUR_LONG_SIZE;
+		print_string(fp, str, strlen(str));
+		print_delim(fp, del);
+		print_1_byte(fp, tok->tt.arb.uc, "%u");
+		print_delim(fp, del);
+		for (i = 0; i<tok->tt.arb.uc; i++)
+			fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
+			    (size * i))));
+		break;
+
+	default:
+		return;
+	}
+}
+
+/*
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+static int
+fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "attribute", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+	print_delim(fp, del);
+	print_user(fp, tok->tt.attr32.uid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.attr32.gid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+}
+
+/*
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+static int
+fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "attribute", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+	print_delim(fp, del);
+	print_user(fp, tok->tt.attr64.uid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.attr64.gid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+}
+
+/*
+ * status                  4 bytes
+ * return value            4 bytes
+ */
+static int
+fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "exit", raw);
+	print_delim(fp, del);
+	print_errval(fp, tok->tt.exit.status);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.exit.ret, "%u");
+}
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+static int
+fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int i;
+	char *bptr;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
+	if (err)
+		return (-1);
+
+	for (i = 0; i < tok->tt.execarg.count; i++) {
+		bptr = buf + tok->len;
+		tok->tt.execarg.text[i] = bptr;
+
+		/* Look for a null terminated string. */
+		while (bptr && (*bptr != '\0')) {
+			if (++tok->len >=len)
+				return (-1);
+			bptr = buf + tok->len;
+		}
+		if (!bptr)
+			return (-1);
+		tok->len++; /* \0 character */
+	}
+
+	return (0);
+}
+
+static void
+print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	int i;
+
+	print_tok_type(fp, tok->id, "exec arg", raw);
+	for (i = 0; i < tok->tt.execarg.count; i++) {
+		print_delim(fp, del);
+		print_string(fp, tok->tt.execarg.text[i],
+		    strlen(tok->tt.execarg.text[i]));
+	}
+}
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+static int
+fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int i;
+	char *bptr;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
+	if (err)
+		return (-1);
+
+	for (i = 0; i< tok->tt.execenv.count; i++) {
+		bptr = buf + tok->len;
+		tok->tt.execenv.text[i] = bptr;
+
+		/* Look for a null terminated string. */
+		while (bptr && (*bptr != '\0')) {
+			if (++tok->len >=len)
+				return (-1);
+			bptr = buf + tok->len;
+		}
+		if (!bptr)
+			return (-1);
+		tok->len++; /* \0 character */
+	}
+
+	return (0);
+}
+
+static void
+print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	int i;
+
+	print_tok_type(fp, tok->id, "exec arg", raw);
+	for (i = 0; i< tok->tt.execenv.count; i++) {
+		print_delim(fp, del);
+		print_string(fp, tok->tt.execenv.text[i],
+		    strlen(tok->tt.execenv.text[i]));
+	}
+}
+
+/*
+ * seconds of time          4 bytes
+ * milliseconds of time     4 bytes
+ * file name len            2 bytes
+ * file pathname            N bytes + 1 terminating NULL byte
+ */
+static int
+fetch_file_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "file", raw);
+	print_delim(fp, del);
+	print_sec32(fp, tok->tt.file.s, raw);
+	print_delim(fp, del);
+	print_msec32(fp, tok->tt.file.ms, raw);
+	print_delim(fp, del);
+	print_string(fp, tok->tt.file.name, tok->tt.file.len);
+}
+
+/*
+ * number groups           2 bytes
+ * group list              count * 4 bytes
+ */
+static int
+fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int i;
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
+	if (err)
+		return (-1);
+
+	for (i = 0; i<tok->tt.grps.no; i++) {
+		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
+		    err);
+    		if (err)
+    			return (-1);
+	}
+
+	return (0);
+}
+
+static void
+print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	int i;
+
+	print_tok_type(fp, tok->id, "group", raw);
+	for (i = 0; i < tok->tt.grps.no; i++) {
+		print_delim(fp, del);
+		print_group(fp, tok->tt.grps.list[i], raw);
+	}
+}
+
+/*
+ * Internet addr 4 bytes
+ */
+static int
+fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+
+}
+
+static void
+print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip addr", raw);
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.inaddr.addr);
+}
+
+/*
+ * type 	4 bytes
+ * address 16 bytes
+ */
+static int
+fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
+	if (err)
+		return (-1);
+
+	if (tok->tt.inaddr_ex.type == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
+		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
+		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
+		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
+		if (err)
+			return (-1);
+	} else
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip addr ex", raw);
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+	    tok->tt.inaddr_ex.addr);
+}
+
+/*
+ * ip header     20 bytes
+ */
+static int
+fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
+	    tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
+	    tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip", raw);
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.len, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.id, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.offset, "%u");
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.chksm, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.ip.src);
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.ip.dest);
+}
+
+/*
+ * object ID type       1 byte
+ * Object ID            4 bytes
+ */
+static int
+fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "IPC", raw);
+	print_delim(fp, del);
+	print_ipctype(fp, tok->tt.ipc.type, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipc.id, "%u");
+}
+
+/*
+ * owner user id        4 bytes
+ * owner group id       4 bytes
+ * creator user id      4 bytes
+ * creator group id     4 bytes
+ * access mode          4 bytes
+ * slot seq                     4 bytes
+ * key                          4 bytes
+ */
+static int
+fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "IPC perm", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.ipcperm.uid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.ipcperm.gid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.ipcperm.puid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.ipcperm.pgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+}
+
+/*
+ * port Ip address  2 bytes
+ */
+static int
+fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip port", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.iport.port, "%#x");
+}
+
+/*
+ * size                         2 bytes
+ * data                         size bytes
+ */
+static int
+fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "opaque", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.opaque.size, "%u");
+	print_delim(fp, del);
+	print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
+}
+
+/*
+ * size                         2 bytes
+ * data                         size bytes
+ */
+static int
+fetch_path_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "path", raw);
+	print_delim(fp, del);
+	print_string(fp, tok->tt.path.path, tok->tt.path.len);
+}
+
+/*
+ * token ID                     1 byte
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes
+ *   machine id         4 bytes
+ */
+static int
+fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "process", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.proc32.tid.addr);
+}
+
+static int
+fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
+		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
+		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
+		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
+		if (err)
+			return (-1);
+	} else
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "process_ex", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32_ex.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32_ex.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32_ex.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32_ex.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32_ex.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+	    tok->tt.proc32_ex.tid.addr);
+}
+
+/*
+ * errno                        1 byte
+ * return value         4 bytes
+ */
+static int
+fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "return", raw);
+	print_delim(fp, del);
+	print_retval(fp, tok->tt.ret32.status, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+}
+
+static int
+fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "return", raw);
+	print_delim(fp, del);
+	print_retval(fp, tok->tt.ret64.err, raw);
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+}
+
+/*
+ * seq                          4 bytes
+ */
+static int
+fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "sequence", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+}
+
+/*
+ * socket family           2 bytes
+ * local port              2 bytes
+ * socket address          4 bytes
+ */
+static int
+fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
+	    sizeof(tok->tt.sockinet32.addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket-inet", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.sockinet32.port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.sockinet32.addr);
+}
+
+/*
+ * socket family           2 bytes
+ * path                    104 bytes
+ */
+static int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket-unix", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+	print_delim(fp, del);
+	print_string(fp, tok->tt.sockunix.path,
+	    strlen(tok->tt.sockunix.path));
+}
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * local address           4 bytes
+ * remote port             2 bytes
+ * remote address          4 bytes
+ */
+static int fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
+	    sizeof(tok->tt.socket.l_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
+	    sizeof(tok->tt.socket.r_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket.type, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket.l_port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket.l_addr);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket.r_port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket.r_addr);
+}
+
+/*
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine id         4 bytes
+ */
+static int
+fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
+	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "subject", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.subj32.tid.addr);
+}
+
+/*
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine id         4 bytes
+ */
+static int
+fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
+	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "subject", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj64.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj64.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj64.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj64.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj64.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.subj64.tid.addr);
+}
+
+/*
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes
+ *	 type				4 bytes
+ *   machine id         16 bytes
+ */
+static int
+fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
+		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
+		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
+		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
+		if (err)
+			return (-1);
+	} else
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "subject_ex", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32_ex.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32_ex.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32_ex.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32_ex.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32_ex.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+	    tok->tt.subj32_ex.tid.addr);
+}
+
+/*
+ * size                         2 bytes
+ * data                         size bytes
+ */
+static int
+fetch_text_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "text", raw);
+	print_delim(fp, del);
+	print_string(fp, tok->tt.text.text, tok->tt.text.len);
+}
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * address type/length     4 bytes
+ * local Internet address  4 bytes
+ * remote port             4 bytes
+ * address type/length     4 bytes
+ * remote Internet address 4 bytes
+ */
+static int
+fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+	    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+	    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+}
+
+static int
+fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int recoversize;
+
+	recoversize = len - (tok->len + BSM_TRAILER_SIZE);
+	if (recoversize <= 0)
+		return (-1);
+
+	tok->tt.invalid.length = recoversize;
+
+	SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "unknown", raw);
+	print_delim(fp, del);
+	print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
+}
+
+
+/*
+ * Reads the token beginning at buf into tok.
+ */
+int
+au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+
+	if (len <= 0)
+		return (-1);
+
+	tok->len = 1;
+	tok->data = buf;
+	tok->id = *buf;
+
+	switch(tok->id) {
+	case AUT_HEADER32:
+		return (fetch_header32_tok(tok, buf, len));
+
+	case AUT_HEADER32_EX:
+		return (fetch_header32_ex_tok(tok, buf, len));
+
+	case AUT_HEADER64:
+		return (fetch_header64_tok(tok, buf, len));
+
+	case AUT_HEADER64_EX:
+		return (fetch_header64_ex_tok(tok, buf, len));
+
+	case AUT_TRAILER:
+		return (fetch_trailer_tok(tok, buf, len));
+
+	case AUT_ARG32:
+		return (fetch_arg32_tok(tok, buf, len));
+
+	case AUT_ARG64:
+		return (fetch_arg64_tok(tok, buf, len));
+
+	case AUT_ATTR32:
+		return (fetch_attr32_tok(tok, buf, len));
+
+	case AUT_ATTR64:
+		return (fetch_attr64_tok(tok, buf, len));
+
+	case AUT_EXIT:
+		return (fetch_exit_tok(tok, buf, len));
+
+	case AUT_EXEC_ARGS:
+		return (fetch_execarg_tok(tok, buf, len));
+
+	case AUT_EXEC_ENV:
+		return (fetch_execenv_tok(tok, buf, len));
+
+	case AUT_OTHER_FILE32:
+		return (fetch_file_tok(tok, buf, len));
+
+	case AUT_NEWGROUPS:
+		return (fetch_newgroups_tok(tok, buf, len));
+
+	case AUT_IN_ADDR:
+		return (fetch_inaddr_tok(tok, buf, len));
+
+	case AUT_IN_ADDR_EX:
+		return (fetch_inaddr_ex_tok(tok, buf, len));
+
+	case AUT_IP:
+		return (fetch_ip_tok(tok, buf, len));
+
+	case AUT_IPC:
+		return (fetch_ipc_tok(tok, buf, len));
+
+	case AUT_IPC_PERM:
+		return (fetch_ipcperm_tok(tok, buf, len));
+
+	case AUT_IPORT:
+		return (fetch_iport_tok(tok, buf, len));
+
+	case AUT_OPAQUE:
+		return (fetch_opaque_tok(tok, buf, len));
+
+	case AUT_PATH:
+		return (fetch_path_tok(tok, buf, len));
+
+	case AUT_PROCESS32:
+		return (fetch_process32_tok(tok, buf, len));
+
+	case AUT_PROCESS32_EX:
+		return (fetch_process32ex_tok(tok, buf, len));
+
+	case AUT_RETURN32:
+		return (fetch_return32_tok(tok, buf, len));
+
+	case AUT_RETURN64:
+		return (fetch_return64_tok(tok, buf, len));
+
+	case AUT_SEQ:
+		return (fetch_seq_tok(tok, buf, len));
+
+	case AUT_SOCKET:
+		return (fetch_socket_tok(tok, buf, len));
+
+	case AUT_SOCKINET32:
+		return (fetch_sock_inet32_tok(tok, buf, len));
+
+	case AUT_SOCKUNIX:
+		return (fetch_sock_unix_tok(tok, buf, len));
+
+	case AUT_SUBJECT32:
+		return (fetch_subject32_tok(tok, buf, len));
+
+	case AUT_SUBJECT64:
+		return (fetch_subject64_tok(tok, buf, len));
+
+	case AUT_SUBJECT32_EX:
+		return (fetch_subject32ex_tok(tok, buf, len));
+
+	case AUT_TEXT:
+		return (fetch_text_tok(tok, buf, len));
+
+	case AUT_SOCKET_EX:
+		return (fetch_socketex32_tok(tok, buf, len));
+
+	case AUT_DATA:
+		return (fetch_arb_tok(tok, buf, len));
+
+	default:
+		return (fetch_invalid_tok(tok, buf, len));
+	}
+}
+
+/*
+ * 'prints' the token out to outfp
+ */
+void
+au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	switch(tok->id) {
+	case AUT_HEADER32:
+		print_header32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_HEADER32_EX:
+		print_header32_ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_HEADER64:
+		print_header64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_HEADER64_EX:
+		print_header64_ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_TRAILER:
+		print_trailer_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ARG32:
+		print_arg32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ARG64:
+		print_arg64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_DATA:
+		print_arb_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ATTR32:
+		print_attr32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ATTR64:
+		print_attr64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_EXIT:
+		print_exit_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_EXEC_ARGS:
+		print_execarg_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_EXEC_ENV:
+		print_execenv_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_OTHER_FILE32:
+		print_file_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_NEWGROUPS:
+		print_newgroups_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IN_ADDR:
+		print_inaddr_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IN_ADDR_EX:
+		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IP:
+		print_ip_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IPC:
+		print_ipc_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IPC_PERM:
+		print_ipcperm_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IPORT:
+		print_iport_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_OPAQUE:
+		print_opaque_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_PATH:
+		print_path_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_PROCESS32:
+		print_process32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_PROCESS32_EX:
+		print_process32ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_RETURN32:
+		print_return32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_RETURN64:
+		print_return64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SEQ:
+		print_seq_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKET:
+		print_socket_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKINET32:
+		print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKUNIX:
+		print_sock_unix_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SUBJECT32:
+		print_subject32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SUBJECT64:
+		print_subject64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SUBJECT32_EX:
+		print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_TEXT:
+		print_text_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKET_EX:
+		print_socketex32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	default:
+		print_invalid_tok(outfp, tok, del, raw, sfrm);
+	}
+}
+
+/*
+ * Read a record from the file pointer, store data in buf memory for buf is
+ * also allocated in this function and has to be free'd outside this call.
+ *
+ * au_read_rec() handles two possibilities: a stand-alone file token, or a
+ * complete audit record.
+ *
+ * XXXRW: Note that if we hit an error, we leave the stream in an unusable
+ * state, because it will be partly offset into a record.  We should rewind
+ * or do something more intelligent.  Particularly interesting is the case
+ * where we perform a partial read of a record from a non-blockable file
+ * descriptor.  We should return the partial read and continue...?
+ */
+int
+au_read_rec(FILE *fp, u_char **buf)
+{
+	u_char *bptr;
+	u_int32_t recsize;
+	u_int32_t bytestoread;
+	u_char type;
+
+	u_int32_t sec, msec;
+	u_int16_t filenamelen;
+
+	type = fgetc(fp);
+
+	switch (type) {
+	case AUT_HEADER32:
+	case AUT_HEADER32_EX:
+	case AUT_HEADER64:
+	case AUT_HEADER64_EX:
+		/* read the record size from the token */
+		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
+		    sizeof(u_int32_t)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		recsize = be32toh(recsize);
+
+		/* Check for recsize sanity */
+		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
+			errno = EINVAL;
+			return (-1);
+		}
+
+		*buf = malloc(recsize * sizeof(u_char));
+		if (*buf == NULL)
+			return (-1);
+		bptr = *buf;
+		memset(bptr, 0, recsize);
+
+		/* store the token contents already read, back to the buffer*/
+		*bptr = type;
+		bptr++;
+		be32enc(bptr, recsize);
+		bptr += sizeof(u_int32_t);
+
+		/* now read remaining record bytes */
+		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
+
+		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
+			free(*buf);
+			errno = EINVAL;
+			return (-1);
+		}
+		break;
+
+	case AUT_OTHER_FILE32:
+		/*
+		 * The file token is variable-length, as it includes a
+		 * pathname.  As a result, we have to read incrementally
+		 * until we know the total length, then allocate space and
+		 * read the rest.
+		 */
+		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
+		    sizeof(filenamelen)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
+		    sizeof(filenamelen) + ntohs(filenamelen);
+		*buf = malloc(recsize);
+		if (*buf == NULL)
+			return (-1);
+		bptr = *buf;
+
+		bcopy(&type, bptr, sizeof(type));
+		bptr += sizeof(type);
+		bcopy(&sec, bptr, sizeof(sec));
+		bptr += sizeof(sec);
+		bcopy(&msec, bptr, sizeof(msec));
+		bptr += sizeof(msec);
+		bcopy(&filenamelen, bptr, sizeof(filenamelen));
+		bptr += sizeof(filenamelen);
+
+		if (fread(bptr, 1, ntohs(filenamelen), fp) <
+		    ntohs(filenamelen)) {
+			free(buf);
+			errno = EINVAL;
+			return (-1);
+		}
+		break;
+
+	default:
+		errno = EINVAL;
+		return (-1);
+	}
+
+	return (recsize);
+}
diff --git a/contrib/openbsm/libbsm/bsm_mask.c b/contrib/openbsm/libbsm/bsm_mask.c
new file mode 100644
index 0000000..b575bbc
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_mask.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_mask.c#11 $
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <bsm/libbsm.h>
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* MT-Safe */
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+static int		firsttime = 1;
+
+/*
+ * XXX ev_cache, once created, sticks around until the calling program exits.
+ * This may or may not be a problem as far as absolute memory usage goes, but
+ * at least there don't appear to be any leaks in using the cache.
+ *
+ * XXXRW: Note that despite (mutex), load_event_table() could race with
+ * other consumers of the getauevents() API.
+ */
+struct audit_event_map {
+	char				 ev_name[AU_EVENT_NAME_MAX];
+	char				 ev_desc[AU_EVENT_DESC_MAX];
+	struct au_event_ent		 ev;
+	LIST_ENTRY(audit_event_map)	 ev_list;
+};
+static LIST_HEAD(, audit_event_map)	ev_cache;
+
+static struct audit_event_map *
+audit_event_map_alloc(void)
+{
+	struct audit_event_map *aemp;
+
+	aemp = malloc(sizeof(*aemp));
+	if (aemp == NULL)
+		return (aemp);
+	bzero(aemp, sizeof(*aemp));
+	aemp->ev.ae_name = aemp->ev_name;
+	aemp->ev.ae_desc = aemp->ev_desc;
+	return (aemp);
+}
+
+static void
+audit_event_map_free(struct audit_event_map *aemp)
+{
+
+	free(aemp);
+}
+
+/*
+ * When reading into the cache fails, we need to flush the entire cache to
+ * prevent it from containing some but not all records.
+ */
+static void
+flush_cache(void)
+{
+	struct audit_event_map *aemp;
+
+	/* XXX: Would assert 'mutex'. */
+
+	while ((aemp = LIST_FIRST(&ev_cache)) != NULL) {
+		LIST_REMOVE(aemp, ev_list);
+		audit_event_map_free(aemp);
+	}
+}
+
+static int
+load_event_table(void)
+{
+	struct audit_event_map *aemp;
+	struct au_event_ent *ep;
+
+	/*
+	 * XXX: Would assert 'mutex'.
+	 * Loading of the cache happens only once; dont check if cache is
+	 * already loaded.
+	 */
+	LIST_INIT(&ev_cache);
+	setauevent();	/* Rewind to beginning of entries. */
+	do {
+		aemp = audit_event_map_alloc();
+		if (aemp == NULL) {
+			flush_cache();
+			return (-1);
+		}
+		ep = getauevent_r(&aemp->ev);
+		if (ep != NULL)
+			LIST_INSERT_HEAD(&ev_cache, aemp, ev_list);
+		else
+			audit_event_map_free(aemp);
+	} while (ep != NULL);
+	return (1);
+}
+
+/*
+ * Read the event with the matching event number from the cache.
+ */
+static struct au_event_ent *
+read_from_cache(au_event_t event)
+{
+	struct audit_event_map *elem;
+
+	/* XXX: Would assert 'mutex'. */
+
+	LIST_FOREACH(elem, &ev_cache, ev_list) {
+		if (elem->ev.ae_number == event)
+			return (&elem->ev);
+	}
+
+	return (NULL);
+}
+
+/*
+ * Check if the audit event is preselected against the preselection mask.
+ */
+int
+au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag)
+{
+	struct au_event_ent *ev;
+	au_class_t effmask = 0;
+
+	if (mask_p == NULL)
+		return (-1);
+
+
+	pthread_mutex_lock(&mutex);
+	if (firsttime) {
+		firsttime = 0;
+		if ( -1 == load_event_table()) {
+			pthread_mutex_unlock(&mutex);
+			return (-1);
+		}
+	}
+	switch (flag) {
+	case AU_PRS_REREAD:
+		flush_cache();
+		if (load_event_table() == -1) {
+			pthread_mutex_unlock(&mutex);
+			return (-1);
+		}
+		ev = read_from_cache(event);
+		break;
+	case AU_PRS_USECACHE:
+		ev = read_from_cache(event);
+		break;
+	default:
+		ev = NULL;
+	}
+	if (ev == NULL) {
+		pthread_mutex_unlock(&mutex);
+		return (-1);
+	}
+	if (sorf & AU_PRS_SUCCESS)
+		effmask |= (mask_p->am_success & ev->ae_class);
+	if (sorf & AU_PRS_FAILURE)
+		effmask |= (mask_p->am_failure & ev->ae_class);
+	pthread_mutex_unlock(&mutex);
+	if (effmask != 0)
+		return (1);
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_notify.c b/contrib/openbsm/libbsm/bsm_notify.c
new file mode 100644
index 0000000..92f9b50
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_notify.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#8 $
+ */
+
+#ifdef __APPLE__
+
+/*
+ * Based on sample code from Marc Majka.
+ */
+#include <notify.h>
+#include <string.h>	/* strerror() */
+#include <sys/errno.h>	/* errno */
+#include <bsm/libbsm.h>
+#include <stdint.h>	/* uint32_t */
+#include <syslog.h>	/* syslog() */
+#include <stdarg.h>	/* syslog() */
+
+/* If 1, assumes a kernel that sends the right notification. */
+#define	AUDIT_NOTIFICATION_ENABLED	1
+
+#if AUDIT_NOTIFICATION_ENABLED
+static int	token = 0;
+#endif	/* AUDIT_NOTIFICATION_ENABLED */
+
+static long	au_cond = AUC_UNSET;	/* <bsm/audit.h> */
+
+uint32_t
+au_notify_initialize(void)
+{
+#if AUDIT_NOTIFICATION_ENABLED
+	uint32_t status, ignore_first;
+
+	status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
+	if (status != NOTIFY_STATUS_OK)
+		return (status);
+	status = notify_check(token, &ignore_first);
+	if (status != NOTIFY_STATUS_OK)
+		return (status);
+#endif
+
+	if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+		syslog(LOG_ERR, "Initial audit status check failed (%s)",
+		    strerror(errno));
+		if (errno == ENOSYS)	/* auditon() unimplemented. */
+			return (AU_UNIMPL);
+		return (NOTIFY_STATUS_FAILED);	/* Is there a better code? */
+	}
+	return (NOTIFY_STATUS_OK);
+}
+
+int
+au_notify_terminate(void)
+{
+
+#if AUDIT_NOTIFICATION_ENABLED
+	return ((notify_cancel(token) == NOTIFY_STATUS_OK) ? 0 : -1);
+#else
+	return (0);
+#endif
+}
+
+/*
+ * On error of any notify(3) call, reset 'au_cond' to ensure we re-run
+ * au_notify_initialize() next time 'round--but assume auditing is on.  This
+ * is a slight performance hit if auditing is off, but at least the system
+ * will behave correctly.  The notification calls are unlikely to fail,
+ * anyway.
+ */
+int
+au_get_state(void)
+{
+#if AUDIT_NOTIFICATION_ENABLED
+	uint32_t did_notify;
+#endif
+	int status;
+
+	/*
+	 * Don't make the client initialize this set of routines, but take the
+	 * slight performance hit by checking ourselves every time.
+	 */
+	if (au_cond == AUC_UNSET) {
+		status = au_notify_initialize();
+		if (status != NOTIFY_STATUS_OK) {
+			if (status == AU_UNIMPL)
+				return (AU_UNIMPL);
+			return (AUC_AUDITING);
+		} else
+			return (au_cond);
+	}
+#if AUDIT_NOTIFICATION_ENABLED
+	status = notify_check(token, &did_notify);
+	if (status != NOTIFY_STATUS_OK) {
+		au_cond = AUC_UNSET;
+		return (AUC_AUDITING);
+	}
+
+	if (did_notify == 0)
+		return (au_cond);
+#endif
+
+	if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+		/* XXX Reset au_cond to AUC_UNSET? */
+		syslog(LOG_ERR, "Audit status check failed (%s)",
+		    strerror(errno));
+		if (errno == ENOSYS)	/* Function unimplemented. */
+			return (AU_UNIMPL);
+		return (errno);
+	}
+
+	switch (au_cond) {
+	case AUC_NOAUDIT:	/* Auditing suspended. */
+	case AUC_DISABLED:	/* Auditing shut off. */
+		return (AUC_NOAUDIT);
+
+	case AUC_UNSET:		/* Uninitialized; shouldn't get here. */
+	case AUC_AUDITING:	/* Audit on. */
+	default:
+		return (AUC_AUDITING);
+	}
+}
+
+#endif /* !__APPLE__ */
diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c
new file mode 100644
index 0000000..d7eadb2
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_token.c
@@ -0,0 +1,1219 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#34 $
+ */
+
+#include <sys/types.h>
+#ifdef __APPLE__
+#include <compat/endian.h>
+#else /* !__APPLE__ */
+#include <sys/endian.h>
+#endif /* __APPLE__*/
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/un.h>
+
+#include <sys/ipc.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socketvar.h>
+
+#include <bsm/audit_internal.h>
+#include <bsm/libbsm.h>
+
+#define	GET_TOKEN_AREA(t, dptr, length) do {				\
+	(t) = malloc(sizeof(token_t));					\
+	if ((t) != NULL) {						\
+		(t)->len = (length);					\
+		(dptr) = (t->t_data) = malloc((length) * sizeof(u_char)); \
+		if ((dptr) == NULL) {					\
+			free(t);					\
+			(t) = NULL;					\
+		} else							\
+			memset((dptr), 0, (length));			\
+	} else								\
+		(dptr) = NULL;						\
+	assert(t == NULL || dptr != NULL);				\
+} while (0)
+
+/*
+ * token ID                1 byte
+ * argument #              1 byte
+ * argument value          4 bytes/8 bytes (32-bit/64-bit value)
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_arg32(char n, char *text, u_int32_t v)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
+	    sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ARG32);
+	ADD_U_CHAR(dptr, n);
+	ADD_U_INT32(dptr, v);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+
+}
+
+token_t *
+au_to_arg64(char n, char *text, u_int64_t v)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
+	    sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ARG64);
+	ADD_U_CHAR(dptr, n);
+	ADD_U_INT64(dptr, v);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+
+}
+
+token_t *
+au_to_arg(char n, char *text, u_int32_t v)
+{
+
+	return (au_to_arg32(n, text, v));
+}
+
+#if defined(_KERNEL) || defined(KERNEL)
+/*
+ * token ID                1 byte
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+token_t *
+au_to_attr32(struct vnode_au_info *vni)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t pad0_16 = 0;
+	u_int16_t pad0_32 = 0;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ATTR32);
+
+	/*
+	 * Darwin defines the size for the file mode
+	 * as 2 bytes; BSM defines 4 so pad with 0
+	 */
+	ADD_U_INT16(dptr, pad0_16);
+	ADD_U_INT16(dptr, vni->vn_mode);
+
+	ADD_U_INT32(dptr, vni->vn_uid);
+	ADD_U_INT32(dptr, vni->vn_gid);
+	ADD_U_INT32(dptr, vni->vn_fsid);
+
+	/*
+	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+	 * Attempt to handle both, and let the compiler sort it out.  If we
+	 * could pick this out at compile-time, it would be better, so as to
+	 * avoid the else case below.
+	 */
+	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+		ADD_U_INT32(dptr, pad0_32);
+		ADD_U_INT32(dptr, vni->vn_fileid);
+	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+		ADD_U_INT64(dptr, vni->vn_fileid);
+	else
+		ADD_U_INT64(dptr, 0LL);
+
+	ADD_U_INT32(dptr, vni->vn_dev);
+
+	return (t);
+}
+
+token_t *
+au_to_attr64(struct vnode_au_info *vni)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_attr(struct vnode_au_info *vni)
+{
+
+	return (au_to_attr32(vni));
+}
+#endif /* !(defined(_KERNEL) || defined(KERNEL) */
+
+/*
+ * token ID                1 byte
+ * how to print            1 byte
+ * basic unit              1 byte
+ * unit count              1 byte
+ * data items              (depends on basic unit)
+ */
+token_t *
+au_to_data(char unit_print, char unit_type, char unit_count, char *p)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	size_t datasize, totdata;
+
+	/* Determine the size of the basic unit. */
+	switch (unit_type) {
+	case AUR_BYTE:
+		datasize = AUR_BYTE_SIZE;
+		break;
+
+	case AUR_SHORT:
+		datasize = AUR_SHORT_SIZE;
+		break;
+
+	case AUR_LONG:
+		datasize = AUR_LONG_SIZE;
+		break;
+
+	default:
+		errno = EINVAL;
+ 		return (NULL);
+	}
+
+	totdata = datasize * unit_count;
+
+	GET_TOKEN_AREA(t, dptr, totdata + 4 * sizeof(u_char));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_DATA);
+	ADD_U_CHAR(dptr, unit_print);
+	ADD_U_CHAR(dptr, unit_type);
+	ADD_U_CHAR(dptr, unit_count);
+	ADD_MEM(dptr, p, totdata);
+
+	return (t);
+}
+
+
+/*
+ * token ID                1 byte
+ * status		   4 bytes
+ * return value            4 bytes
+ */
+token_t *
+au_to_exit(int retval, int err)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_EXIT);
+	ADD_U_INT32(dptr, err);
+	ADD_U_INT32(dptr, retval);
+
+	return (t);
+}
+
+/*
+ */
+token_t *
+au_to_groups(int *groups)
+{
+
+	return (au_to_newgroups(BSM_MAX_GROUPS, groups));
+}
+
+/*
+ * token ID                1 byte
+ * number groups           2 bytes
+ * group list              count * 4 bytes
+ */
+token_t *
+au_to_newgroups(u_int16_t n, gid_t *groups)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	int i;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+	    n * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_NEWGROUPS);
+	ADD_U_INT16(dptr, n);
+	for (i = 0; i < n; i++)
+		ADD_U_INT32(dptr, groups[i]);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * internet address        4 bytes
+ */
+token_t *
+au_to_in_addr(struct in_addr *internet_addr)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IN_ADDR);
+	ADD_U_INT32(dptr, internet_addr->s_addr);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * address type/length     4 bytes
+ * Address                16 bytes
+ */
+token_t *
+au_to_in_addr_ex(struct in6_addr *internet_addr)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int32_t type = AF_INET6;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
+	ADD_U_INT32(dptr, type);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * ip header		   20 bytes
+ */
+token_t *
+au_to_ip(struct ip *ip)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IP);
+	/*
+	 * XXXRW: Any byte order work needed on the IP header before writing?
+	 */
+	ADD_MEM(dptr, ip, sizeof(struct ip));
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * object ID type          1 byte
+ * object ID               4 bytes
+ */
+token_t *
+au_to_ipc(char type, int id)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IPC);
+	ADD_U_CHAR(dptr, type);
+	ADD_U_INT32(dptr, id);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * creator user ID         4 bytes
+ * creator group ID        4 bytes
+ * access mode             4 bytes
+ * slot sequence #         4 bytes
+ * key                     4 bytes
+ */
+token_t *
+au_to_ipc_perm(struct ipc_perm *perm)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t pad0 = 0;
+
+	GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IPC_PERM);
+
+	/*
+	 * Darwin defines the sizes for ipc_perm members
+	 * as 2 bytes; BSM defines 4 so pad with 0
+	 */
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->uid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->gid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->cuid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->cgid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->mode);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->seq);
+
+	ADD_U_INT32(dptr, perm->key);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * port IP address         2 bytes
+ */
+token_t *
+au_to_iport(u_int16_t iport)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IPORT);
+	ADD_U_INT16(dptr, iport);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * size                    2 bytes
+ * data                    size bytes
+ */
+token_t *
+au_to_opaque(char *data, u_int16_t bytes)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_OPAQUE);
+	ADD_U_INT16(dptr, bytes);
+	ADD_MEM(dptr, data, bytes);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * seconds of time         4 bytes
+ * milliseconds of time    4 bytes
+ * file name len           2 bytes
+ * file pathname           N bytes + 1 terminating NULL byte
+ */
+token_t *
+#if defined(KERNEL) || defined(_KERNEL)
+au_to_file(char *file, struct timeval tm)
+#else
+au_to_file(char *file)
+#endif
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t filelen;
+	u_int32_t timems;
+#if !defined(KERNEL) && !defined(_KERNEL)
+	struct timeval tm;
+	struct timezone tzp;
+
+	if (gettimeofday(&tm, &tzp) == -1)
+		return (NULL);
+#endif
+
+	filelen = strlen(file);
+	filelen += 1;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
+	    sizeof(u_int16_t) + filelen);
+	if (t == NULL)
+		return (NULL);
+
+	timems = tm.tv_usec/1000;
+
+	ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
+	ADD_U_INT32(dptr, tm.tv_sec);
+	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
+	ADD_U_INT16(dptr, filelen);
+	ADD_STRING(dptr, file, filelen);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_text(char *text)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_TEXT);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * path length             2 bytes
+ * path                    N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_path(char *text)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PATH);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine address       4 bytes
+ */
+token_t *
+au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PROCESS32);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->port);
+	ADD_U_INT32(dptr, tid->machine);
+
+	return (t);
+}
+
+token_t *
+au_to_process64(__unused au_id_t auid, __unused uid_t euid,
+    __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+    __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_process(__unused au_id_t auid, __unused uid_t euid,
+    __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+    __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+{
+
+	return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   address type-len      4 bytes
+ *   machine address      16 bytes
+ */
+token_t *
+au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->at_port);
+	ADD_U_INT32(dptr, tid->at_type);
+	ADD_U_INT32(dptr, tid->at_addr[0]);
+	ADD_U_INT32(dptr, tid->at_addr[1]);
+	ADD_U_INT32(dptr, tid->at_addr[2]);
+	ADD_U_INT32(dptr, tid->at_addr[3]);
+
+	return (t);
+}
+
+token_t *
+au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+/*
+ * token ID                1 byte
+ * error status            1 byte
+ * return value            4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+au_to_return32(char status, u_int32_t ret)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_RETURN32);
+	ADD_U_CHAR(dptr, status);
+	ADD_U_INT32(dptr, ret);
+
+	return (t);
+}
+
+token_t *
+au_to_return64(char status, u_int64_t ret)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_RETURN64);
+	ADD_U_CHAR(dptr, status);
+	ADD_U_INT64(dptr, ret);
+
+	return (t);
+}
+
+token_t *
+au_to_return(char status, u_int32_t ret)
+{
+
+	return (au_to_return32(status, ret));
+}
+
+/*
+ * token ID                1 byte
+ * sequence number         4 bytes
+ */
+token_t *
+au_to_seq(long audit_count)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SEQ);
+	ADD_U_INT32(dptr, audit_count);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * socket type             2 bytes
+ * local port              2 bytes
+ * local Internet address  4 bytes
+ * remote port             2 bytes
+ * remote Internet address 4 bytes
+ */
+token_t *
+au_to_socket(struct socket *so)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+/*
+ * token ID                1 byte
+ * socket type             2 bytes
+ * local port              2 bytes
+ * address type/length     4 bytes
+ * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port             4 bytes
+ * address type/length     4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+token_t *
+au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
+    struct sockaddr *ra)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
+    struct sockaddr *ra)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+/*
+ * token ID                1 byte
+ * socket family           2 bytes
+ * path                    104 bytes
+ */
+token_t *
+au_to_sock_unix(struct sockaddr_un *so)
+{
+	token_t *t;
+	u_char *dptr;
+
+	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
+	/* BSM token has two bytes for family */
+	ADD_U_CHAR(dptr, 0);
+	ADD_U_CHAR(dptr, so->sun_family);
+	ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * socket family           2 bytes
+ * local port              2 bytes
+ * socket address          4 bytes
+ */
+token_t *
+au_to_sock_inet32(struct sockaddr_in *so)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
+	    sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SOCKINET32);
+	/*
+	 * In Darwin, sin_family is one octet, but BSM defines the token
+ 	 * to store two. So we copy in a 0 first.
+ 	 */
+	ADD_U_CHAR(dptr, 0);
+	ADD_U_CHAR(dptr, so->sin_family);
+	ADD_U_INT16(dptr, so->sin_port);
+	ADD_U_INT32(dptr, so->sin_addr.s_addr);
+
+	return (t);
+
+}
+
+token_t *
+au_to_sock_inet128(struct sockaddr_in6 *so)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
+	    4 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SOCKINET128);
+	/*
+	 * In Darwin, sin6_family is one octet, but BSM defines the token
+ 	 * to store two. So we copy in a 0 first.
+ 	 */
+	ADD_U_CHAR(dptr, 0);
+	ADD_U_CHAR(dptr, so->sin6_family);
+
+	ADD_U_INT16(dptr, so->sin6_port);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
+
+	return (t);
+
+}
+
+token_t *
+au_to_sock_inet(struct sockaddr_in *so)
+{
+
+	return (au_to_sock_inet32(so));
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine address       4 bytes
+ */
+token_t *
+au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SUBJECT32);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->port);
+	ADD_U_INT32(dptr, tid->machine);
+
+	return (t);
+}
+
+token_t *
+au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+
+	return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   address type/length   4 bytes
+ *   machine address      16 bytes
+ */
+token_t *
+au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->at_port);
+	ADD_U_INT32(dptr, tid->at_type);
+	ADD_U_INT32(dptr, tid->at_addr[0]);
+	ADD_U_INT32(dptr, tid->at_addr[1]);
+	ADD_U_INT32(dptr, tid->at_addr[2]);
+	ADD_U_INT32(dptr, tid->at_addr[3]);
+
+	return (t);
+}
+
+token_t *
+au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+/*
+ * Collects audit information for the current process
+ * and creates a subject token from it
+ */
+token_t *
+au_to_me(void)
+{
+	auditinfo_t auinfo;
+
+	if (getaudit(&auinfo) != 0)
+		return (NULL);
+
+	return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
+	    getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
+}
+#endif
+
+/*
+ * token ID				1 byte
+ * count				4 bytes
+ * text					count null-terminated strings
+ */
+token_t *
+au_to_exec_args(const char **args)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	const char *nextarg;
+	int i, count = 0;
+	size_t totlen = 0;
+
+	nextarg = *args;
+
+	while (nextarg != NULL) {
+		int nextlen;
+
+		nextlen = strlen(nextarg);
+		totlen += nextlen + 1;
+		count++;
+		nextarg = *(args + count);
+	}
+
+	totlen += count * sizeof(char);	/* nul terminations. */
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
+	ADD_U_INT32(dptr, count);
+
+	for (i = 0; i < count; i++) {
+		nextarg = *(args + i);
+		ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
+	}
+
+	return (t);
+}
+
+/*
+ * token ID				1 byte
+ * count				4 bytes
+ * text					count null-terminated strings
+ */
+token_t *
+au_to_exec_env(const char **env)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	int i, count = 0;
+	size_t totlen = 0;
+	const char *nextenv;
+
+	nextenv = *env;
+
+	while (nextenv != NULL) {
+		int nextlen;
+
+		nextlen = strlen(nextenv);
+		totlen += nextlen + 1;
+		count++;
+		nextenv = *(env + count);
+	}
+
+	totlen += sizeof(char) * count;
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_EXEC_ENV);
+	ADD_U_INT32(dptr, count);
+
+	for (i = 0; i < count; i++) {
+		nextenv = *(env + i);
+		ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
+	}
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+#if defined(KERNEL) || defined(_KERNEL)
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+    struct timeval tm)
+#else
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
+#endif
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int32_t timems;
+#if !defined(KERNEL) && !defined(_KERNEL)
+	struct timeval tm;
+	struct timezone tzp;
+
+	if (gettimeofday(&tm, &tzp) == -1)
+		return (NULL);
+#endif
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_HEADER32);
+	ADD_U_INT32(dptr, rec_size);
+	ADD_U_CHAR(dptr, HEADER_VERSION);
+	ADD_U_INT16(dptr, e_type);
+	ADD_U_INT16(dptr, e_mod);
+
+	timems = tm.tv_usec/1000;
+	/* Add the timestamp */
+	ADD_U_INT32(dptr, tm.tv_sec);
+	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
+
+	return (t);
+}
+
+token_t *
+au_to_header64(__unused int rec_size, __unused au_event_t e_type,
+    __unused au_emod_t e_mod)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+
+	return (au_to_header32(rec_size, e_type, e_mod));
+}
+
+/*
+ * token ID                1 byte
+ * trailer magic number    2 bytes
+ * record byte count       4 bytes
+ */
+token_t *
+au_to_trailer(int rec_size)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t magic = TRAILER_PAD_MAGIC;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+	    sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_TRAILER);
+	ADD_U_INT16(dptr, magic);
+	ADD_U_INT32(dptr, rec_size);
+
+	return (t);
+}
diff --git a/contrib/openbsm/libbsm/bsm_user.c b/contrib/openbsm/libbsm/bsm_user.c
new file mode 100644
index 0000000..3927423
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_user.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_user.c#14 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_user file into au_user_ent structures.
+ */
+
+static FILE		*fp = NULL;
+static char		 linestr[AU_LINE_MAX];
+static const char	*user_delim = ":";
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse one line from the audit_user file into the au_user_ent structure.
+ */
+static struct au_user_ent *
+userfromstr(char *str, struct au_user_ent *u)
+{
+	char *username, *always, *never;
+	char *last;
+
+	username = strtok_r(str, user_delim, &last);
+	always = strtok_r(NULL, user_delim, &last);
+	never = strtok_r(NULL, user_delim, &last);
+
+	if ((username == NULL) || (always == NULL) || (never == NULL))
+		return (NULL);
+
+	if (strlen(username) >= AU_USER_NAME_MAX)
+		return (NULL);
+
+	strcpy(u->au_name, username);
+	if (getauditflagsbin(always, &(u->au_always)) == -1)
+		return (NULL);
+
+	if (getauditflagsbin(never, &(u->au_never)) == -1)
+		return (NULL);
+
+	return (u);
+}
+
+/*
+ * Rewind to beginning of the file
+ */
+static void
+setauuser_locked(void)
+{
+
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauuser(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	setauuser_locked();
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the file descriptor
+ */
+void
+endauuser(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Enumerate the au_user_ent structures from the file
+ */
+static struct au_user_ent *
+getauuserent_r_locked(struct au_user_ent *u)
+{
+	char *nl;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_USER_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+			return (NULL);
+
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		/* Skip comments. */
+		if (linestr[0] == '#')
+			continue;
+
+		/* Get the next structure. */
+		if (userfromstr(linestr, u) == NULL)
+			return (NULL);
+		break;
+	}
+
+	return (u);
+}
+
+struct au_user_ent *
+getauuserent_r(struct au_user_ent *u)
+{
+	struct au_user_ent *up;
+
+	pthread_mutex_lock(&mutex);
+	up = getauuserent_r_locked(u);
+	pthread_mutex_unlock(&mutex);
+	return (up);
+}
+
+struct au_user_ent *
+getauuserent(void)
+{
+	static char user_ent_name[AU_USER_NAME_MAX];
+	static struct au_user_ent u;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	return (getauuserent_r(&u));
+}
+
+/*
+ * Find a au_user_ent structure matching the given user name.
+ */
+struct au_user_ent *
+getauusernam_r(struct au_user_ent *u, const char *name)
+{
+	struct au_user_ent *up;
+
+	if (name == NULL)
+		return (NULL);
+
+	pthread_mutex_lock(&mutex);
+
+	setauuser_locked();
+	while ((up = getauuserent_r_locked(u)) != NULL) {
+		if (strcmp(name, u->au_name) == 0) {
+			pthread_mutex_unlock(&mutex);
+			return (u);
+		}
+	}
+
+	pthread_mutex_unlock(&mutex);
+	return (NULL);
+
+}
+
+struct au_user_ent *
+getauusernam(const char *name)
+{
+	static char user_ent_name[AU_USER_NAME_MAX];
+	static struct au_user_ent u;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	return (getauusernam_r(&u, name));
+}
+
+/*
+ * Read the default system wide audit classes from audit_control, combine with
+ * the per-user audit class and update the binary preselection mask.
+ */
+int
+au_user_mask(char *username, au_mask_t *mask_p)
+{
+	char auditstring[MAX_AUDITSTRING_LEN + 1];
+	char user_ent_name[AU_USER_NAME_MAX];
+	struct au_user_ent u, *up;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	/* Get user mask. */
+	if ((up = getauusernam_r(&u, username)) != NULL) {
+		if (-1 == getfauditflags(&up->au_always, &up->au_never,
+		    mask_p))
+			return (-1);
+		return (0);
+	}
+
+	/* Read the default system mask. */
+	if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
+		if (-1 == getauditflagsbin(auditstring, mask_p))
+			return (-1);
+		return (0);
+	}
+
+	/* No masks defined. */
+	return (-1);
+}
+
+/*
+ * Generate the process audit state by combining the audit masks passed as
+ * parameters with the system audit masks.
+ */
+int
+getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask, au_mask_t *lastmask)
+{
+	char auditstring[MAX_AUDITSTRING_LEN + 1];
+
+	if ((usremask == NULL) || (usrdmask == NULL) || (lastmask == NULL))
+		return (-1);
+
+	lastmask->am_success = 0;
+	lastmask->am_failure = 0;
+
+	/* Get the system mask. */
+	if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
+		if (getauditflagsbin(auditstring, lastmask) != 0)
+			return (-1);
+	}
+
+	ADDMASK(lastmask, usremask);
+	SUBMASK(lastmask, usrdmask);
+
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_wrappers.c b/contrib/openbsm/libbsm/bsm_wrappers.c
new file mode 100644
index 0000000..e7600e7
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_wrappers.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#14 $
+ */
+
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+
+#include <bsm/libbsm.h>
+
+#include <unistd.h>
+#include <syslog.h>
+#include <string.h>
+#include <errno.h>
+
+/* These are not advertised in libbsm.h */
+int audit_set_terminal_port(dev_t *p);
+int audit_set_terminal_host(uint32_t *m);
+
+int
+audit_set_terminal_port(dev_t *p)
+{
+	struct stat st;
+
+	if (p == NULL)
+		return (kAUBadParamErr);
+
+	*p = NODEV;
+
+	/* for /usr/bin/login, try fstat() first */
+	if (fstat(STDIN_FILENO, &st) != 0) {
+		if (errno != EBADF) {
+			syslog(LOG_ERR, "fstat() failed (%s)",
+			    strerror(errno));
+			return (kAUStatErr);
+		}
+		if (stat("/dev/console", &st) != 0) {
+			syslog(LOG_ERR, "stat() failed (%s)",
+			    strerror(errno));
+			return (kAUStatErr);
+		}
+	}
+	*p = st.st_rdev;
+	return (kAUNoErr);
+}
+
+int
+audit_set_terminal_host(uint32_t *m)
+{
+	int name[2] = { CTL_KERN, KERN_HOSTID };
+	size_t len;
+
+	if (m == NULL)
+		return (kAUBadParamErr);
+	*m = 0;
+	len = sizeof(*m);
+	if (sysctl(name, 2, m, &len, NULL, 0) != 0) {
+		syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno));
+		return (kAUSysctlErr);
+	}
+	return (kAUNoErr);
+}
+
+int
+audit_set_terminal_id(au_tid_t *tid)
+{
+	int ret;
+
+	if (tid == NULL)
+		return (kAUBadParamErr);
+	if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr)
+		return (ret);
+	return (audit_set_terminal_host(&tid->machine));
+}
+
+/*
+ * This is OK for those callers who have only one token to write.  If you have
+ * multiple tokens that logically form part of the same audit record, you need
+ * to use the existing au_open()/au_write()/au_close() API:
+ *
+ * aufd = au_open();
+ * tok = au_to_random_token_1(...);
+ * au_write(aufd, tok);
+ * tok = au_to_random_token_2(...);
+ * au_write(aufd, tok);
+ * ...
+ * au_close(aufd, 1, AUE_your_event_type);
+ *
+ * Assumes, like all wrapper calls, that the caller has previously checked
+ * that auditing is enabled via the audit_get_state() call.
+ *
+ * XXX: Should be more robust against bad arguments.
+ */
+int
+audit_write(short event_code, token_t *subject, token_t *misctok, char retval,
+    int errcode)
+{
+	int aufd;
+	char *func = "audit_write()";
+	token_t *rettok;
+
+	if ((aufd = au_open()) == -1) {
+		au_free_token(subject);
+		au_free_token(misctok);
+		syslog(LOG_ERR, "%s: au_open() failed", func);
+		return (kAUOpenErr);
+	}
+
+	/* Save subject. */
+	if (subject && au_write(aufd, subject) == -1) {
+		au_free_token(subject);
+		au_free_token(misctok);
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: write of subject failed", func);
+		return (kAUWriteSubjectTokErr);
+	}
+
+	/* Save the event-specific token. */
+	if (misctok && au_write(aufd, misctok) == -1) {
+		au_free_token(misctok);
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: write of caller token failed", func);
+		return (kAUWriteCallerTokErr);
+	}
+
+	/* Tokenize and save the return value. */
+	if ((rettok = au_to_return32(retval, errcode)) == NULL) {
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: au_to_return32() failed", func);
+		return (kAUMakeReturnTokErr);
+	}
+
+	if (au_write(aufd, rettok) == -1) {
+		au_free_token(rettok);
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: write of return code failed", func);
+		return (kAUWriteReturnTokErr);
+	}
+
+	/*
+	 * au_close()'s second argument is "keep": if keep == 0, the record is
+	 * discarded.  We assume the caller wouldn't have bothered with this
+	 * function if it hadn't already decided to keep the record.
+	 */
+	if (au_close(aufd, 1, event_code) < 0) {
+		syslog(LOG_ERR, "%s: au_close() failed", func);
+		return (kAUCloseErr);
+	}
+
+	return (kAUNoErr);
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes success; use audit_write_failure() on error.
+ */
+int
+audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid,
+    gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+    au_tid_t *tid)
+{
+	char *func = "audit_write_success()";
+	token_t *subject = NULL;
+
+	/* Tokenize and save subject. */
+	subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid);
+	if (subject == NULL) {
+		syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
+		return kAUMakeSubjectTokErr;
+	}
+
+	return (audit_write(event_code, subject, tok, 0, 0));
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes success; use audit_write_failure_self() on error.
+ */
+int
+audit_write_success_self(short event_code, token_t *tok)
+{
+	token_t *subject;
+	char *func = "audit_write_success_self()";
+
+	if ((subject = au_to_me()) == NULL) {
+		syslog(LOG_ERR, "%s: au_to_me() failed", func);
+		return (kAUMakeSubjectTokErr);
+	}
+
+	return (audit_write(event_code, subject, tok, 0, 0));
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes failure; use audit_write_success() otherwise.
+ *
+ * XXX  This should let the caller pass an error return value rather than
+ * hard-coding -1.
+ */
+int
+audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid,
+    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+    au_tid_t *tid)
+{
+	char *func = "audit_write_failure()";
+	token_t *subject, *errtok;
+
+	subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
+	if (subject == NULL) {
+		syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
+		return (kAUMakeSubjectTokErr);
+	}
+
+	/* tokenize and save the error message */
+	if ((errtok = au_to_text(errmsg)) == NULL) {
+		au_free_token(subject);
+		syslog(LOG_ERR, "%s: au_to_text() failed", func);
+		return (kAUMakeTextTokErr);
+	}
+
+	return (audit_write(event_code, subject, errtok, -1, errcode));
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes failure; use audit_write_success_self() otherwise.
+ *
+ * XXX  This should let the caller pass an error return value rather than
+ * hard-coding -1.
+ */
+int
+audit_write_failure_self(short event_code, char *errmsg, int errret)
+{
+	char *func = "audit_write_failure_self()";
+	token_t *subject, *errtok;
+
+	if ((subject = au_to_me()) == NULL) {
+		syslog(LOG_ERR, "%s: au_to_me() failed", func);
+		return (kAUMakeSubjectTokErr);
+	}
+	/* tokenize and save the error message */
+	if ((errtok = au_to_text(errmsg)) == NULL) {
+		au_free_token(subject);
+		syslog(LOG_ERR, "%s: au_to_text() failed", func);
+		return (kAUMakeTextTokErr);
+	}
+	return (audit_write(event_code, subject, errtok, -1, errret));
+}
+
+/*
+ * For auditing errors during login.  Such errors are implicitly
+ * non-attributable (i.e., not ascribable to any user).
+ *
+ * Assumes, like all wrapper calls, that the caller has previously checked
+ * that auditing is enabled via the audit_get_state() call.
+ */
+int
+audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid,
+    uid_t egid, pid_t pid, au_tid_t *tid)
+{
+
+	return (audit_write_failure(event_code, errmsg, errret, -1, euid,
+	    egid, -1, -1, pid, -1, tid));
+}
+
+/* END OF au_write() WRAPPERS */
+
+#ifdef __APPLE__
+void
+audit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp,
+    gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp,
+    au_tid_t *tidp)
+{
+
+	if (auidp != NULL)
+		*auidp = (uid_t)atoken.val[0];
+	if (euidp != NULL)
+		*euidp = (uid_t)atoken.val[1];
+	if (egidp != NULL)
+		*egidp = (gid_t)atoken.val[2];
+	if (ruidp != NULL)
+		*ruidp = (uid_t)atoken.val[3];
+	if (rgidp != NULL)
+		*rgidp = (gid_t)atoken.val[4];
+	if (pidp != NULL)
+		*pidp = (pid_t)atoken.val[5];
+	if (asidp != NULL)
+		*asidp = (au_asid_t)atoken.val[6];
+	if (tidp != NULL) {
+		audit_set_terminal_host(&tidp->machine);
+		tidp->port = (dev_t)atoken.val[7];
+	}
+}
+#endif /* !__APPLE__ */
diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3
new file mode 100644
index 0000000..3ec8168
--- /dev/null
+++ b/contrib/openbsm/libbsm/libbsm.3
@@ -0,0 +1,220 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt LIBBSM 3
+.Os
+.Sh NAME
+.Nm libbsm
+.Nd "Basic Security Module (BSM) Audit API"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Sh DESCRIPTION
+The
+.Nm
+library routines provide an interface to BSM audit record streams, allowing
+both the parsing of existing audit streams, as well as the creation of new
+audit records and streams.
+.Sh INTERFACES
+.Nm
+provides a large number of Audit programming interfaces in several classes:
+event stream interfaces, class interfaces, control interfaces, event
+interfaces, I/O interfaces, mask interfaces, notification interfaces, token
+interfaces, and user interfaces.
+These are described respectively in the
+.Xr au_stream 3 ,
+.Xr au_class 3 ,
+.Xr au_control 3 ,
+.Xr au_event 3 ,
+.Xr au_mask 3 ,
+.Xr au_notify 3 ,
+.Xr au_token 3 ,
+.Xr au_user 3
+man pages.
+.Ss Audit Event Stream Interfaces
+Audit event stream interfaces support interaction with file-backed audit
+event streams:
+.Xr au_free_token 3 ,
+.Xr au_free_token 3 ,
+.Xr au_open 3 ,
+.Xr au_write 3 ,
+.Xr au_close 3 .
+.Ss Audit Class Interfaces
+Audit class interfaces support the look up of information from the
+.Xr audit_class 5
+database:
+.Xr getauclassent 3 ,
+.Xr getauclassent_r 3 ,
+.Xr getauclassnam 3 ,
+.Xr getauclassnam_r 3 ,
+.Xr setauclass 3 ,
+.Xr endauclass 3 .
+.Ss Audit Control Interfaces
+Audit control interfaces support the look up of information from the
+.Xr audit_control 5
+database:
+.Xr setac 3 ,
+.Xr endac 3 ,
+.Xr getacdir 3 ,
+.Xr getacmin 3 ,
+.Xr getacflg 3 ,
+.Xr getacna 3 .
+.Ss Audit Event Interfaces
+Audit event interfaces support the look up of information from the
+.Xr audit_event 5
+database:
+.Xr setauevent 3 ,
+.Xr endauevent 3 ,
+.Xr getauevent 3 ,
+.Xr getauevent_r 3 ,
+.Xr getauevnam 3 ,
+.Xr getauevnam_r 3 ,
+.Xr getauevnum 3 ,
+.Xr getauevnum_r 3 ,
+.Xr getauevnonam 3 ,
+.Xr getauevnonam_r 3 ,
+.Ss Audit I/O Interfaces
+Audit I/O interfaces support the processing and printing of tokens, as well
+as the reading of audit records:
+.Xr au_fetch_tok 3 ,
+.Xr au_print_tok 3 ,
+.Xr au_read_rec 3 .
+.Ss Audit Mask Interfaces
+Audit mask interfaces convert support the conversion between strings and
+.Vt au_mask_t
+values.
+They may also be used to determine if a particular audit event is matched
+by a mask:
+.Xr au_preselect 3 ,
+.Xr getauditflagsbin 3 ,
+.Xr getauditflagschar 3 .
+.Ss Audit Notification Interfaces
+Audit notification routines track audit state in a form permitting efficient
+update, avoiding frequent system calls to check the kernel audit state:
+.Xr au_notify_initialize 3 ,
+.Xr au_notify_terminate 3 ,
+.Xr au_get_state 3 .
+These interfaces are implemented only for Darwin/Mac OS X.
+.Ss Audit Token Interface
+Audit token interfaces permit the creation of tokens for use in creating
+audit records for submission to event streams.
+Each interface converts a C type to its
+.Vt token_t
+representation.
+.Xr au_to_arg32 3 ,
+.Xr au_to_arg64 3 ,
+.Xr au_to_arg 3 ,
+.Xr au_to_attr64 3 ,
+.Xr au_to_data 3 ,
+.Xr au_to_exit 3 ,
+.Xr au_to_groups 3 ,
+.Xr au_to_newgroups 3 ,
+.Xr au_to_in_addr 3 ,
+.Xr au_to_in_addr_ex 3 ,
+.Xr au_to_ip 3 ,
+.Xr au_to_ipc 3 ,
+.Xr au_to_ipc_perm 3 ,
+.Xr au_to_iport 3 ,
+.Xr au_to_opaque 3 ,
+.Xr au_to_file 3 ,
+.Xr au_to_text 3 ,
+.Xr au_to_path 3 ,
+.Xr au_to_process32 3 ,
+.Xr au_to_process64 3 ,
+.Xr au_to_process 3 ,
+.Xr au_to_process32_ex 3 ,
+.Xr au_to_process64_ex 3 ,
+.Xr au_to_process_ex 3 ,
+.Xr au_to_return32 3 ,
+.Xr au_to_return64 3 ,
+.Xr au_to_return 3 ,
+.Xr au_to_seq 3 ,
+.Xr au_to_socket 3 ,
+.Xr au_to_socket_ex_32 3 ,
+.Xr au_to_socket_ex_128 3 ,
+.Xr au_to_sock_inet32 3 ,
+.Xr au_to_sock_inet128 3 ,
+.Xr au_to_sock_inet 3 ,
+.Xr au_to_subject32 3 ,
+.Xr au_to_subject64 3 ,
+.Xr au_to_subject 3 ,
+.Xr au_to_subject32_ex 3 ,
+.Xr au_to_subject64_ex 3 ,
+.Xr au_to_subject_ex 3 ,
+.Xr au_to_me 3 ,
+.Xr au_to_exec_args 3 ,
+.Xr au_to_exec_env 3 ,
+.Xr au_to_header32 3 ,
+.Xr au_to_header64 3 ,
+.Xr au_to_trailer 3 .
+.Ss Audit User Interfaces
+Audit user interfaces support the look up of information from the
+.Xr audit_user 5
+database:
+.Xr setauuser 3 ,
+.Xr endauuser 3 ,
+.Xr getauuserent 3 ,
+.Xr getauuserent_r 3 ,
+.Xr getauusernam 3 ,
+.Xr getauusernam_r 3 ,
+.Xr au_user_mask 3 ,
+.Xr getfauditflags 3 .
+.Sh SEE ALSO
+.Xr au_class 3 ,
+.Xr au_mask 3 ,
+.Xr au_notify 3 ,
+.Xr au_stream 3 ,
+.Xr au_token 3 ,
+.Xr au_user 3 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+Bugs would not be unlikely.
+.Pp
+The
+.Nm
+library implementations are generally thread-safe, but not reentrant.
+.Pp
+The assignment of routines to classes could use some work, as it is
+decidely ad hoc.
+For example,
+.Fn au_read_rec
+should probably be considered a stream routine.