authorrwatson <rwatson@FreeBSD.org>2007-04-16 15:37:10 +0000
committerrwatson <rwatson@FreeBSD.org>2007-04-16 15:37:10 +0000
commitf9483b7f231183d1ea4bf06a713e4e3297952e1c (patch)
treeb0dbe63f6b1171c7d44cf0b9195b5918c06f75c4 /contrib/openbsm/libbsm
parent2ee778fb9976f8c230d74358aa4c81a1769d4a9a (diff)
parent9d9ec51b2c47983a8f8c8d48ed2fca487c2b272a (diff)
This commit was generated by cvs2svn to compensate for changes in r168777,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'contrib/openbsm/libbsm')
-rw-r--r--contrib/openbsm/libbsm/au_class.352
-rw-r--r--contrib/openbsm/libbsm/au_control.394
-rw-r--r--contrib/openbsm/libbsm/au_event.372
-rw-r--r--contrib/openbsm/libbsm/au_free_token.346
-rw-r--r--contrib/openbsm/libbsm/au_io.361
-rw-r--r--contrib/openbsm/libbsm/au_mask.382
-rw-r--r--contrib/openbsm/libbsm/au_open.345
-rw-r--r--contrib/openbsm/libbsm/au_token.3181
-rw-r--r--contrib/openbsm/libbsm/au_user.384
-rw-r--r--contrib/openbsm/libbsm/audit_submit.328
-rw-r--r--contrib/openbsm/libbsm/bsm_io.c2659
-rw-r--r--contrib/openbsm/libbsm/bsm_notify.c7
-rw-r--r--contrib/openbsm/libbsm/bsm_token.c246
-rw-r--r--contrib/openbsm/libbsm/bsm_wrappers.c29
-rw-r--r--contrib/openbsm/libbsm/libbsm.334
15 files changed, 2864 insertions, 856 deletions
diff --git a/contrib/openbsm/libbsm/au_class.3 b/contrib/openbsm/libbsm/au_class.3
index f1cd9e9..d270b52 100644
--- a/contrib/openbsm/libbsm/au_class.3
+++ b/contrib/openbsm/libbsm/au_class.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#6 $
.\"
.Dd April 19, 2005
.Dt AU_CLASS 3
@@ -35,69 +35,81 @@
.Nm getauclassnam_r ,
.Nm setauclass ,
.Nm endauclass
-.Nd "Look up information from the audit_class database"
+.Nd "look up information from the audit_class database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
-.Ft struct au_class_ent *
-.Fn getauclassent "void"
-.Ft struct au_class_ent *
+.In bsm/libbsm.h
+.Ft "struct au_class_ent *"
+.Fn getauclassent void
+.Ft "struct au_class_ent *"
.Fn getauclassent_r "struct au_class_ent *e"
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
.Fn getauclassnam "const char *name"
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
.Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
.Ft void
-.Fn setauclass "void"
+.Fn setauclass void
.Ft void
-.Fn endauclass "void"
+.Fn endauclass void
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_class 5
database, which describes audit event classes.
Audit event classes are described by
-.Vt struct au_class_ent .
-.Pp
+.Vt "struct au_class_ent" .
.Pp
+The
.Fn getauclassent
+function
will return the next class found in the
.Xr audit_class 5
database, or the first if the function has not yet been called.
.Dv NULL
will be returned if no further records are available.
.Pp
+The
.Fn getauclassnam
+function
looks up a class by name.
.Dv NULL
will be returned if no matching class can be found.
.Pp
+The
.Fn setauclass
+function
resets the iterator through the
.Xr audit_class 5
database, causing the next call to
.Fn getauclassent
to start again from the beginning of the file.
.Pp
+The
.Fn endauclass
+function
closes the
.Xr audit_class 5
database, if open.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_class 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
index 0985825..daf045f 100644
--- a/contrib/openbsm/libbsm/au_control.3
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#8 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@@ -37,17 +37,17 @@
.Nm getacflg ,
.Nm getacna ,
.Nm getacpol ,
-.Nm au_poltostr
+.Nm au_poltostr ,
.Nm au_strtopol
-.Nd "Look up information from the audit_control database"
+.Nd "look up information from the audit_control database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
-.Fn setac "void"
+.Fn setac void
.Ft void
-.Fn endac "void"
+.Fn endac void
.Ft int
.Fn getacdir "char *name" "int len"
.Ft int
@@ -69,64 +69,88 @@ These interfaces may be used to look up information from the
.Xr audit_control 5
database, which contains various audit-related administrative parameters.
.Pp
+The
.Fn setac
+function
resets the database iterator to the beginning of the database; see the
-BUGS section for more information.
+.Sx BUGS
+section for more information.
.Pp
+The
.Fn sendac
+function
closes the
.Xr audit_control 5
database.
.Pp
+The
.Fn getacdir
+function
returns the name of the directory where log data is stored via the passed
character buffer
-.Va name
+.Fa name
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn getacmin
+function
returns the minimum free disk space for the audit log target file system via
the passed
-.Va min_val
+.Fa min_val
variable.
.Pp
+The
.Fn getacfilesz
-returns the audit trail rotation size in the passed size_t buffer
+function
+returns the audit trail rotation size in the passed
+.Vt size_t
+buffer
.Fa size_val .
.Pp
+The
.Fn getacflg
+function
returns the audit system flags via the the passed character buffer
-.Va auditstr
+.Fa auditstr
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn getacna
+function
returns the non-attributable flags via the passed character buffer
-.Va auditstr
+.Fa auditstr
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn getacpol
+function
returns the audit policy flags via the passed character buffer
-.Va auditstr
+.Fa auditstr
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn au_poltostr
+function
converts a numeric audit policy mask,
-.Va policy ,
-value to a string in the passed character buffer
-.Va buf
+.Fa policy ,
+to a string in the passed character buffer
+.Fa buf
of lenth
-.Va maxsize .
+.Fa maxsize .
.Pp
+The
.Fn au_strtopol
+function
converts an audit policy flags string,
-.Va polstr ,
+.Fa polstr ,
to a numeric audit policy mask returned via
-.Va policy .
+.Fa policy .
.Sh RETURN VALULES
+The
.Fn getacdir ,
.Fn getacmin ,
.Fn getacflg ,
@@ -134,11 +158,14 @@ to a numeric audit policy mask returned via
.Fn getacpol ,
and
.Fn au_strtopol
+functions
return 0 on success, or a negative value on failure, along with error
information in
.Va errno .
.Pp
+The
.Fn au_poltostr
+function
returns a string length of 0 or more on success, or a negative value on
if there is a failure.
.Pp
@@ -147,18 +174,23 @@ insufficient room in the passed character buffer for the full string.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_control 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
diff --git a/contrib/openbsm/libbsm/au_event.3 b/contrib/openbsm/libbsm/au_event.3
index dfaea02..8abaaa8 100644
--- a/contrib/openbsm/libbsm/au_event.3
+++ b/contrib/openbsm/libbsm/au_event.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#7 $
.\"
.Dd April 19, 2005
.Dt AU_EVENT 3
@@ -39,76 +39,86 @@
.Nm getauevnum ,
.Nm getauevnum_r ,
.Nm getauevnonam ,
-.Nm getauevnonam_r ,
-.Nd "Look up information from the audit_event database"
+.Nm getauevnonam_r
+.Nd "look up information from the audit_event database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
-.Fn setauevent "void"
+.Fn setauevent void
.Ft void
-.Fn endauevent "void"
+.Fn endauevent void
.Ft "struct au_event_ent *"
-.Fn getauevent "void"
+.Fn getauevent void
.Ft "struct au_event_ent *"
.Fn getauevent_r "struct au_event_ent *e"
.Ft "struct au_event_ent *"
-.Fn getauevnam "char *name"
+.Fn getauevnam "const char *name"
.Ft "struct au_event_ent *"
-.Fn getauevnam_r "struct au_event_ent *e" "char *name"
+.Fn getauevnam_r "struct au_event_ent *e" "const char *name"
.Ft "struct au_event_ent *"
.Fn getauevnum "au_event_t event_number"
.Ft "struct au_event_ent *"
.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
.Ft "au_event_t *"
-.Fn getauevnonam "char *event_name"
+.Fn getauevnonam "const char *event_name"
.Ft "au_event_t *"
-.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
+.Fn getauevnonam_r "au_event_t *ev" "const char *event_name"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_event 5
database, which describes audit events.
Entries in the database are described by
-.Vt struct au_event_ent
+.Vt "struct au_event_ent"
entries, which are returned by calls to
.Fn getauevent ,
.Fn getauevnam ,
or
.Fn getauevnum .
-It is also possible look up an event number via a call to
-.Nm getauevnonam .
+It is also possible to look up an event number via a call to
+.Fn getauevnonam .
.Pp
+The
.Fn setauevent
+function
resets the database access session for
.Xr audit_event 5 ,
so that the next call to
.Fn getauevent
will start with the first entry in the database.
.Pp
+The
.Fn endauevent
+function
closes the
.Xr audit_event 5
database session.
.Pp
+The
.Fn getauevent
+function
returns a reference to the next entry in the
.Xr audit_event 5
database.
.Pp
+The
.Fn getauevnam
+function
returns a reference to the entry in the
.Xr audit_event 5
database with a name of
-.Va name .
+.Fa name .
.Pp
.Fn getauevnum
returns a reference to the entry in the
.Xr audit_event 5
database with an event number of
-.Va event_number .
+.Fa event_number .
.Pp
+The
.Fn getauevnonam
+function
returns a reference to an audit event number using the
.Xr audit_event 5
database.
@@ -123,30 +133,38 @@ Functions
and
.Fn getauevnuam
will return a reference to a
-.Ft struct au_event_ent
+.Vt "struct au_event_ent"
or
-.Ft au_event_t
+.Vt au_event_t
on success, or
-.Dv NULL on failure, with
+.Dv NULL
+on failure, with
.Va errno
set to provide further error information.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_event 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
+The
.Va errno
+variable
is not always properly set following a failure.
.Pp
These routines are thread-safe, but not re-entrant, so simultaneous or
diff --git a/contrib/openbsm/libbsm/au_free_token.3 b/contrib/openbsm/libbsm/au_free_token.3
index 84fa443..7ce109a 100644
--- a/contrib/openbsm/libbsm/au_free_token.3
+++ b/contrib/openbsm/libbsm/au_free_token.3
@@ -13,7 +13,7 @@
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
+.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -27,18 +27,18 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#6 $
.\"
.Dd April 19, 2005
.Dt AU_FREE_TOKEN 3
.Os
.Sh NAME
.Nm au_free_token
-.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
+.Nd "deallocate a token_t created by any of the au_to_*() BSM API functions"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
.Fn au_free_token "token_t *tok"
.Sh DESCRIPTION
@@ -48,44 +48,50 @@ objects.
However, if
.Xr au_write 3
is passed a bad audit descriptor, the
-.Vt token_t *
+.Vt "token_t *"
parameter will be left untouched.
In that case, the caller can deallocate the
.Vt token_t
using
-.Nm
+.Fn au_free_token
if desired.
.Pp
The
-.Va tok
+.Fa tok
argument is a
-.Vt token_t *
-generated by one of the au_to_*() BSM API calls.
+.Vt "token_t *"
+generated by one of the
+.Fn au_to_*
+BSM API calls.
For convenience,
-.Va tok
+.Fa tok
may be
.Dv NULL ,
in which case
-.Nm
+.Fn au_free_token
returns immediately.
.Sh IMPLEMENTATION NOTES
This is, in fact, what
.Xr audit_write 3
does, in keeping with the existing memory management model of the BSM API.
.Sh SEE ALSO
-.Xr au_write 3 ,
.Xr audit_write 3 ,
+.Xr au_write 3 ,
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
-
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/libbsm/au_io.3 b/contrib/openbsm/libbsm/au_io.3
index 0c520a1..5e9045f 100644
--- a/contrib/openbsm/libbsm/au_io.3
+++ b/contrib/openbsm/libbsm/au_io.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_IO 3
@@ -32,15 +32,17 @@
.Nm au_fetch_tok ,
.Nm au_print_tok ,
.Nm au_read_rec
-.Nd "Perform I/O involving an audit record"
+.Nd "perform I/O involving an audit record"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft int
.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
.Ft void
-.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Fo au_print_tok
+.Fa "FILE *outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Fc
.Ft int
.Fn au_read_rec "FILE *fp" "u_char **buf"
.Sh DESCRIPTION
@@ -48,31 +50,37 @@ These interfaces support input and output (I/O) involving audit records,
internalizing an audit record from a byte stream, converting a token to
either a raw or default string, and reading a single record from a file.
.Pp
+The
.Fn au_fetch_tok
+function
reads a token from the passed buffer
-.Va buf
+.Fa buf
of length
-.Va len
+.Fa len
bytes, and returns a pointer to the token via
-.Va tok .
+.Fa tok .
.Pp
+The
.Fn au_print_tok
+function
prints a string form of the token
-.Va tok
+.Fa tok
to the file output stream
-.Va outfp,
+.Fa outfp ,
either in default mode, or raw mode if
-.Va raw
+.Fa raw
is set non-zero.
The delimiter
-.Va del
+.Fa del
is used when printing.
.Pp
+The
.Fn au_read_rec
+function
reads an audit record from the file stream
-.Va fp ,
+.Fa fp ,
and returns an allocated memory buffer containing the record via
-.Va *buf ,
+.Fa *buf ,
which must be freed by the caller using
.Xr free 3 .
.Pp
@@ -93,27 +101,36 @@ would be used to free the record buffer.
Finally, the source stream would be closed by a call to
.Xr fclose 3 .
.Sh RETURN VALUES
+The
.Fn au_fetch_tok
and
.Fn au_read_rec
-return 0 on success, or -1 on failure along with additional error information
+functions
+return 0 on success, or \-1 on failure along with additional error information
returned via
.Va errno .
.Sh SEE ALSO
.Xr free 3 ,
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
+The
.Va errno
+variable
may not always be properly set in the event of an error.
diff --git a/contrib/openbsm/libbsm/au_mask.3 b/contrib/openbsm/libbsm/au_mask.3
index 6698ae5..2845279 100644
--- a/contrib/openbsm/libbsm/au_mask.3
+++ b/contrib/openbsm/libbsm/au_mask.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#6 $
.\"
.Dd April 19, 2005
.Dt AU_MASK 3
@@ -32,11 +32,11 @@
.Nm au_preselect ,
.Nm getauditflagsbin ,
.Nm getauditflagschar
-.Nd "Convert between string and numeric values of audit masks"
+.Nd "convert between string and numeric values of audit masks"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft int
.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
.Ft int
@@ -49,13 +49,15 @@ These interfaces support processing of an audit mask represented by type
including conversion between numeric and text formats, and computing whether
or not an event is matched by a mask.
.Pp
+The
.Fn au_preselect
+function
calculates whether or not the audit event passed via
-.Va event
+.Fa event
is matched by the audit mask passed via
-.Va au_mask_t .
+.Fa mask_p .
The
-.Va sorf
+.Fa sorf
argument indicates whether or not to consider the event as a success,
if the
.Dv AU_PRS_SUCCESS
@@ -63,7 +65,7 @@ flag is set, or failure, if the
.Dv AU_PRS_FAILURE
flag is set.
The
-.Va flag
+.Fa flag
argument accepts additional arguments influencing the behavior of
.Fn au_preselect ,
including
@@ -73,64 +75,78 @@ or
.Dv AU_PRS_USECACHE
which forces use of the cache.
.Pp
+The
.Fn getauditflagsbin
+function
converts a string representation of an audit mask passed via a character
string pointed to by
-.Va auditstr ,
+.Fa auditstr ,
returning the resulting mask, if valid, via
-.Va *masks .
+.Fa *masks .
.Pp
+The
.Fn getauditflagschar
+function
converts the audit event mask passed via
-.Va *masks
+.Fa *masks
and converts it to a character string in a buffer pointed to by
-.Va auditstr .
-See the BUGS section for more information on how to provide a buffer of
+.Fa auditstr .
+See the
+.Sx BUGS
+section for more information on how to provide a buffer of
sufficient size.
If the
-.Va verbose
+.Fa verbose
flag is set, the class description string retrieved from
.Xr audit_class 5
will be used; otherwise, the two-character class name.
+.Sh IMPLEMENTATION NOTES
+The
+.Fn au_preselect
+function
+makes implicit use of various audit database routines, and may influence
+the behavior of simultaneous or interleaved processing of those databases by
+other code.
.Sh RETURN VALUES
+The
.Fn au_preselect
-returns 0 on success, or returns -1 if there is a failure looking up the
+function
+returns 0 on success, or returns \-1 if there is a failure looking up the
event type or other database access, in which case
.Va errno
will be set to indicate the error.
It returns 1 if the event is matched; 0 if not.
.Pp
-.Fn getauditflagsbin
-and
-.Fn getauditflagschar
-returns 0 on success, or -1 if there is a failure, in which case
-.Va errno
-will be set to indicate the error.
-.Sh IMPLEMENTATION NOTES
-.Fn au_preselect
-makes implicit use of various audit database routines, and may influence
-the behavior of simultaneous or interleaved processing of those databases by
-other code.
+.Rv -std getauditflagsbin getauditflagschar
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_class 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
+The
.Va errno
+variable
may not always be properly set in the event of an error.
.Pp
+The
.Fn getauditflagschar
+function
does not provide a way to indicate how long the character buffer is, in order
to detect overflow.
As a result, the caller must always provide a buffer of sufficient length for
diff --git a/contrib/openbsm/libbsm/au_open.3 b/contrib/openbsm/libbsm/au_open.3
index db9e9b3..bbb0eca 100644
--- a/contrib/openbsm/libbsm/au_open.3
+++ b/contrib/openbsm/libbsm/au_open.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#8 $
.\"
.Dd March 4, 2006
.Dt AU_OPEN 3
@@ -34,13 +34,13 @@
.Nm au_close_token ,
.Nm au_open ,
.Nm au_write
-.Nd "Create and commit audit records"
+.Nd "create and commit audit records"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft int
-.Fn au_open "void"
+.Fn au_open void
.Ft int
.Fn au_write "int d" "token_t *tok"
.Ft int
@@ -73,7 +73,7 @@ function is used to commit an audit record to the system audit log, or
abandon the record.
In either cases, all resources associated with the record will be released.
The
-.Va keep
+.Fa keep
argument determines the behavior: a value of
.Dv AU_TO_WRITE
causes the record to be committed; a value of
@@ -81,28 +81,30 @@ causes the record to be committed; a value of
causes it to be abandoned.
When the audit record is committed, a BSM header will be inserted before
tokens added to the record, using the event identifier passed via
-.Va event ,
+.Fa event ,
and a trailer added to the end.
Committing a record to the system audit log requires privilege.
.Pp
The
.Fn au_close_buffer
function writes the resulting record to an in-memory buffer of size
-.Va *buflen ;
+.Fa *buflen ;
it will write back the filled buffer length into the same variable.
The argument
-.Va short
+.Fa event
is the event identifier to use in the record header.
.Pp
The
.Fn au_close_token
function generates the BSM stream output for a single token,
-.Va tok ,
+.Fa tok ,
in the passed buffer
-.Va buffer .
+.Fa buffer .
The initial buffer size and resulting data size are passed via
-.Va *buflen .
+.Fa *buflen .
+The
.Fn au_close_token
+function
will free the token before returning.
.Sh RETURN VALUES
The function
@@ -123,18 +125,23 @@ information in
.Sh SEE ALSO
.Xr audit_submit 3 ,
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
Currently,
.Fn au_open
diff --git a/contrib/openbsm/libbsm/au_token.3 b/contrib/openbsm/libbsm/au_token.3
index 384a5b8..e4ea65f 100644
--- a/contrib/openbsm/libbsm/au_token.3
+++ b/contrib/openbsm/libbsm/au_token.3
@@ -1,5 +1,5 @@
.\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2007 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#13 $
.\"
.Dd April 19, 2005
.Dt AU_TOKEN 3
@@ -38,7 +38,7 @@
.Nm au_to_groups ,
.Nm au_to_newgroups ,
.Nm au_to_in_addr ,
-.Nm au_to_in_addr_ex ,
+.Nm au_to_in_addr_ex ,
.Nm au_to_ip ,
.Nm au_to_ipc ,
.Nm au_to_ipc_perm ,
@@ -72,103 +72,136 @@
.Nm au_to_header ,
.Nm au_to_header32 ,
.Nm au_to_header64 ,
-.Nm au_to_trailer .
-.Nd "Routines for generating BSM audit tokens"
+.Nm au_to_trailer ,
+.Nm au_to_zonename
+.Nd "routines for generating BSM audit tokens"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
-.Ft token_t *
+.In bsm/libbsm.h
+.Ft "token_t *"
.Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_arg "char n" "char *text" "u_int32_t v"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_attr32 "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_attr64 "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_attr "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_exit "int retval" "int err"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_groups "int *groups"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_in_addr "struct in_addr *internet_addr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_ip "struct ip *ip"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_ipc "char type" "int id"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_ipc_perm "struct ipc_perm *perm"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_iport "u_int16_t iport"
-.Ft token_t *
-.Fn au_to_opaque "char *data" "u_int64_t bytes"
-.Ft token_t *
+.Ft "token_t *"
+.Fn au_to_opaque "char *data" "u_int16_t bytes"
+.Ft "token_t *"
.Fn au_to_file "char *file" "struct timeval tm"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_text "char *text"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_path "char *text"
-.Ft token_t *
-.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
-.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
+.Ft "token_t *"
+.Fo au_to_process32
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_process64
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_process32_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_process64_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
.Fn au_to_return32 "char status" "u_int32_t ret"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_return64 "char status" "u_int64_t ret"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_return "char status" "u_int32_t ret"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_seq "long audit_count"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_sock_inet32 "struct sockaddr_in *so"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_sock_int "struct sockaddr_in *so"
-.Ft token_t *
-.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
-.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
-.Fn au_to_me "void"
-.Ft token_t *
+.Ft "token_t *"
+.Fo au_to_subject32
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject64
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject32_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject64_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fn au_to_me void
+.Ft "token_t *"
.Fn au_to_exec_args "char **argv"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_exec_env "char **envp"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_trailer "int rec_size"
+.Ft "token_t *"
+.Fn au_to_zonename "char *zonename"
.Sh DESCRIPTION
These interfaces support the allocation of BSM audit tokens, represented by
-.Ft token_t ,
+.Vt token_t ,
for various data types.
.Sh RETURN VALUES
On success, a pointer to a
@@ -183,16 +216,20 @@ will be returned, and an error condition returned via
.Va errno .
.Sh SEE ALSO
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
-.Sh BUGS
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/libbsm/au_user.3 b/contrib/openbsm/libbsm/au_user.3
index c0fab6f..3016f65 100644
--- a/contrib/openbsm/libbsm/au_user.3
+++ b/contrib/openbsm/libbsm/au_user.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#10 $
.\"
.Dd April 19, 2005
.Dt AU_USER 3
@@ -37,27 +37,29 @@
.Nm getauusernam_r ,
.Nm au_user_mask ,
.Nm getfauditflags
-.Nd "Look up information from the audit_user database"
+.Nd "look up information from the audit_user database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
-.Fn setauuser "void"
+.Fn setauuser void
.Ft void
-.Fn endauuser "void"
-.Ft struct au_user_ent *
-.Fn getauuserent "void"
-.Ft struct au_user_ent *
-.Fn getauuserent_r "struct au_user_ent *u" "void"
-.Ft struct au_user_ent *
+.Fn endauuser void
+.Ft "struct au_user_ent *"
+.Fn getauuserent void
+.Ft "struct au_user_ent *"
+.Fn getauuserent_r "struct au_user_ent *u"
+.Ft "struct au_user_ent *"
.Fn getauusernam "const char *name"
-.Ft struct au_user_ent *
+.Ft "struct au_user_ent *"
.Fn getauusernam_r "struct au_user_ent *u" "const char *name"
.Ft int
.Fn au_user_mask "char *username" "au_mask_t *mask_p"
.Ft int
-.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Fo getfauditflags
+.Fa "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Fc
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_user 5
@@ -65,67 +67,85 @@ database, which describes per-user audit configuration.
Audit user entries are described by a
.Vt au_user_ent ,
which stores the user's name in
-.Dv au_name ,
+.Va au_name ,
events to always audit in
-.Dv au_always ,
+.Va au_always ,
and events never to audit
-.Dv au_never .
+.Va au_never .
.Pp
+The
.Fn getauuserent
+function
returns the next user found in the
.Xr audit_user 5
database, or the first if the function has not yet been called.
.Dv NULL
will be returned if no further records are available.
.Pp
+The
.Fn getauusernam
+function
looks up a user by name.
.Dv NULL
will be returned if no matching class can be found.
.Pp
+The
.Fn setauuser
+function
resets the iterator through the
.Xr audit_user 5
database, causing the next call to
.Fn getauuserent
to start again from the beginning of the file.
.Pp
+The
.Fn endauuser
+function
closes the
.Xr audit_user 5
database, if open.
.Pp
-.Nm au_user_mask
+The
+.Fn au_user_mask
+function
calculates a new session audit mask to be returned via
-.Dv mask_p
+.Fa mask_p
for the user identified by
-.Dv username .
+.Fa username .
If the user audit configuration is not found, the default system audit
properties returned by
-.Xr getacflg 3 .
+.Xr getacflg 3
+are used.
The resulting mask may be set via a call to
-.Xr setaudit 3
+.Xr setaudit 2
or related variants.
.Pp
-.Nm getfauditflags
-XXXXXXXXXXXXXXXXX
+The
+.Fn getfauditflags
+function generates a new process audit state by combining the audit masks
+passed as parameters with the system audit masks.
.Sh SEE ALSO
-.Xr libbsm 3 ,
+.Xr setaudit 2 ,
.Xr getacflg 3 ,
-.Xr setaudit 3 ,
+.Xr libbsm 3 ,
.Xr audit_user 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
diff --git a/contrib/openbsm/libbsm/audit_submit.3 b/contrib/openbsm/libbsm/audit_submit.3
index 9e4d230..46cb217 100644
--- a/contrib/openbsm/libbsm/audit_submit.3
+++ b/contrib/openbsm/libbsm/audit_submit.3
@@ -27,23 +27,26 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#11 $
.\"
.Dd May 29, 2006
.Dt audit_submit 3
.Os
.Sh NAME
.Nm audit_submit
-.Nd general purpose audit record submission
+.Nd "general purpose audit record submission"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In stdio.h
+.In bsm/libbsm.h
.Ft int
-.Fn audit_submit "short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ...
+.Fo audit_submit
+.Fa "short au_event" "au_id_t auid" "char status"
+.Fa "int reterr" "const char * restrict format" ...
+.Fc
.Sh DESCRIPTION
The
-.Nm
+.Fn audit_submit
function provides a generic programming interface for audit record submission.
This audit record will contain a header, subject token, an optional text token,
return token, and a trailer.
@@ -66,14 +69,16 @@ variable-length argument facilities of
are converted for output.
If
.Fa format
-is NULL, then no text token is created in the audit record.
+is
+.Dv NULL ,
+then no text token is created in the audit record.
.Pp
It should be noted that
-.Nm
+.Fn audit_submit
assumes that
.Xr setaudit 2 ,
or
-.Xr setaudit_addr 2
+.Xr setaudit_addr 2
has already been called.
As a direct result, the terminal ID for the
subject will be retrieved from the kernel via
@@ -116,11 +121,12 @@ trailer,94
.Xr stdarg 3
.Sh HISTORY
The
-.Nm
+.Fn audit_submit
function first appeared in OpenBSM version 1.0.
-OpenBSM 1.0 was introduced in FreeBSD 7.0.
+OpenBSM 1.0 was introduced in
+.Fx 7.0 .
.Sh AUTHORS
The
-.Nm
+.Fn audit_submit
function was written by
.An Christian S.J. Peron Aq csjp@FreeBSD.org .
diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c
index 2587735..afb0fd4 100644
--- a/contrib/openbsm/libbsm/bsm_io.c
+++ b/contrib/openbsm/libbsm/bsm_io.c
@@ -2,6 +2,7 @@
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* Copyright (c) 2006 Robert N. M. Watson
+ * Copyright (c) 2006 Martin Voros
* All rights reserved.
*
* This code was developed in part by Robert N. M. Watson, Senior Principal
@@ -31,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#48 $
*/
#include <sys/types.h>
@@ -126,6 +127,12 @@
} while (0)
/*
+ * XML option.
+ */
+#define AU_PLAIN 0
+#define AU_XML 1
+
+/*
* Prints the delimiter string.
*/
static void
@@ -194,7 +201,7 @@ print_mem(FILE *fp, u_char *data, size_t len)
* Prints the given data bytes as a string.
*/
static void
-print_string(FILE *fp, u_char *str, size_t len)
+print_string(FILE *fp, const char *str, size_t len)
{
int i;
@@ -207,16 +214,366 @@ print_string(FILE *fp, u_char *str, size_t len)
}
/*
+ * Prints the beggining of attribute.
+ */
+static void
+open_attr(FILE *fp, const char *str)
+{
+
+ fprintf(fp,"%s=\"", str);
+}
+
+/*
+ * Prints the end of attribute.
+ */
+static void
+close_attr(FILE *fp)
+{
+
+ fprintf(fp,"\" ");
+}
+
+/*
+ * Prints the end of tag.
+ */
+static void
+close_tag(FILE *fp, u_char type)
+{
+
+ switch(type) {
+ case AUT_HEADER32:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER32_EX:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER64:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER64_EX:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_ARG32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ARG64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ATTR32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ATTR64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_EXIT:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_EXEC_ARGS:
+ fprintf(fp, "</exec_args>");
+ break;
+
+ case AUT_EXEC_ENV:
+ fprintf(fp, "</exec_env>");
+ break;
+
+ case AUT_OTHER_FILE32:
+ fprintf(fp, "</file>");
+ break;
+
+ case AUT_NEWGROUPS:
+ fprintf(fp, "</group>");
+ break;
+
+ case AUT_IN_ADDR:
+ fprintf(fp, "</ip_address>");
+ break;
+
+ case AUT_IN_ADDR_EX:
+ fprintf(fp, "</ip_address>");
+ break;
+
+ case AUT_IP:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPC:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPC_PERM:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPORT:
+ fprintf(fp, "</ip_port>");
+ break;
+
+ case AUT_OPAQUE:
+ fprintf(fp, "</opaque>");
+ break;
+
+ case AUT_PATH:
+ fprintf(fp, "</path>");
+ break;
+
+ case AUT_PROCESS32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS32_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS64_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_RETURN32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_RETURN64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SEQ:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKET:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKINET32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKUNIX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT32_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT64_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_TEXT:
+ fprintf(fp, "</text>");
+ break;
+
+ case AUT_SOCKET_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_DATA:
+ fprintf(fp, "</arbitrary>");
+ break;
+
+ case AUT_ZONENAME:
+ fprintf(fp, "/>");
+ break;
+ }
+}
+
+/*
* Prints the token type in either the raw or the default form.
*/
static void
-print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
+print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
{
- if (raw)
- fprintf(fp, "%u", type);
- else
- fprintf(fp, "%s", tokname);
+ if (xml) {
+ switch(type) {
+ case AUT_HEADER32:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER32_EX:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER64:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER64_EX:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_TRAILER:
+ fprintf(fp, "</record>");
+ break;
+
+ case AUT_ARG32:
+ fprintf(fp, "<argument ");
+ break;
+
+ case AUT_ARG64:
+ fprintf(fp, "<argument ");
+ break;
+
+ case AUT_ATTR32:
+ fprintf(fp, "<attribute ");
+ break;
+
+ case AUT_ATTR64:
+ fprintf(fp, "<attribute ");
+ break;
+
+ case AUT_EXIT:
+ fprintf(fp, "<exit ");
+ break;
+
+ case AUT_EXEC_ARGS:
+ fprintf(fp, "<exec_args>");
+ break;
+
+ case AUT_EXEC_ENV:
+ fprintf(fp, "<exec_env>");
+ break;
+
+ case AUT_OTHER_FILE32:
+ fprintf(fp, "<file ");
+ break;
+
+ case AUT_NEWGROUPS:
+ fprintf(fp, "<group>");
+ break;
+
+ case AUT_IN_ADDR:
+ fprintf(fp, "<ip_address>");
+ break;
+
+ case AUT_IN_ADDR_EX:
+ fprintf(fp, "<ip_address>");
+ break;
+
+ case AUT_IP:
+ fprintf(fp, "<ip ");
+ break;
+
+ case AUT_IPC:
+ fprintf(fp, "<IPC");
+ break;
+
+ case AUT_IPC_PERM:
+ fprintf(fp, "<IPC_perm ");
+ break;
+
+ case AUT_IPORT:
+ fprintf(fp, "<ip_port>");
+ break;
+
+ case AUT_OPAQUE:
+ fprintf(fp, "<opaque>");
+ break;
+
+ case AUT_PATH:
+ fprintf(fp, "<path>");
+ break;
+
+ case AUT_PROCESS32:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS32_EX:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS64:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS64_EX:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_RETURN32:
+ fprintf(fp, "<return ");
+ break;
+
+ case AUT_RETURN64:
+ fprintf(fp, "<return ");
+ break;
+
+ case AUT_SEQ:
+ fprintf(fp, "<sequence ");
+ break;
+
+ case AUT_SOCKET:
+ fprintf(fp, "<socket ");
+ break;
+
+ case AUT_SOCKINET32:
+ fprintf(fp, "<old_socket");
+ break;
+
+ case AUT_SOCKUNIX:
+ fprintf(fp, "<old_socket");
+ break;
+
+ case AUT_SUBJECT32:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT64:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT32_EX:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT64_EX:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_TEXT:
+ fprintf(fp, "<text>");
+ break;
+
+ case AUT_SOCKET_EX:
+ fprintf(fp, "<socket ");
+ break;
+
+ case AUT_DATA:
+ fprintf(fp, "<arbitrary ");
+ break;
+
+ case AUT_ZONENAME:
+ fprintf(fp, "<zone ");
+ break;
+ }
+ } else {
+ if (raw)
+ fprintf(fp, "%u", type);
+ else
+ fprintf(fp, "%s", tokname);
+ }
}
/*
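Review bot: `open_attr()` and `close_attr()` wrap whatever is printed between them in bare double quotes, and `print_tok_type()` opens elements such as `<path>`, `<text>` and `<exec_args>`, but nothing in this hunk escapes `&`, `<`, `>` or `"` in the values. Token strings (paths, argument text, exec arguments) are taken from the audit record, so a value containing those characters would make the output ill-formed or be read as markup by whatever consumes the trail. `print_arg32_tok()` later in this diff prints `tok->tt.arg32.text` inside the `desc` attribute through `print_string()`, whose body is outside this hunk, so confirm whether it escapes; if not, XML-mode strings should go through an escaping helper like the one sketched below. Separately, the `AUT_IPC`, `AUT_SOCKINET32` and `AUT_SOCKUNIX` cases print `<IPC` and `<old_socket` without the trailing space the other attribute-bearing openers have, which presumably runs the tag name into the first attribute.

```c
/*
 * Prints the given data bytes as a string, escaping XML metacharacters so
 * that token contents cannot alter the structure of the XML output.
 */
static void
print_xml_string(FILE *fp, const char *str, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++) {
		switch (str[i]) {
		case '\0':
			/* Skip embedded/terminating NUL bytes. */
			break;
		case '&':
			fprintf(fp, "&amp;");
			break;
		case '<':
			fprintf(fp, "&lt;");
			break;
		case '>':
			fprintf(fp, "&gt;");
			break;
		case '"':
			fprintf(fp, "&quot;");
			break;
		case '\'':
			fprintf(fp, "&apos;");
			break;
		default:
			fprintf(fp, "%c", str[i]);
			break;
		}
	}
}
```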
@@ -380,7 +737,7 @@ print_ip_address(FILE *fp, u_int32_t ip)
fprintf(fp, "%s", inet_ntoa(ipaddr));
}
-/*
+/*
* Prints a string value for the given ip address.
*/
static void
@@ -455,6 +812,27 @@ print_ipctype(FILE *fp, u_char type, char raw)
}
/*
+ * Print XML header.
+ */
+void
+au_print_xml_header(FILE *outfp)
+{
+
+ fprintf(outfp, "<?xml version='1.0' ?>\n");
+ fprintf(outfp, "<audit>\n");
+}
+
+/*
+ * Print XML footer.
+ */
+void
+au_print_xml_footer(FILE *outfp)
+{
+
+ fprintf(outfp, "</audit>\n");
+}
+
+/*
* record byte count 4 bytes
* version # 1 byte [2]
* event type 2 bytes
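Review bot: `au_print_xml_header()` writes `<?xml version='1.0' ?>` with no encoding declaration, so a parser will assume UTF-8, while the strings later placed in the document come from audit tokens and are presumably arbitrary bytes. Either declare an encoding the output is guaranteed to be in, or make the string printers emit only characters that are valid in that encoding. Both new functions are non-static, so their header comments should also say when a caller is expected to invoke them (presumably once before the first record and once after the last), e.g. `/* Print XML header; call once before printing any record in XML mode. */`.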
@@ -463,7 +841,7 @@ print_ipctype(FILE *fp, u_char type, char raw)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
*/
static int
-fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -495,22 +873,42 @@ fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
}
static void
-print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
+ int xml)
{
- print_tok_type(fp, tok->id, "header", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr32.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr32.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr32.e_mod, raw);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.hdr32.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.hdr32.ms, raw);
+ print_tok_type(fp, tok->id, "header", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ close_attr(fp);
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.hdr32.ms, 1);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32.ms, raw);
+ }
}
/*
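Review bot: In the XML branch of `print_header32_tok()` the msec attribute is printed with a hard-coded raw flag, `print_msec32(fp, tok->tt.hdr32.ms, 1);`, while the `time` attribute beside it and the msec calls in the other three header printers in this diff pass `raw`. If forcing the numeric form is intended, say so in a comment and make the other printers match; otherwise the line should read `print_msec32(fp, tok->tt.hdr32.ms, raw);`. The XML branch also leaves out the record byte count that the plain branch prints, which deserves a one-line comment if it is deliberate.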
@@ -532,7 +930,7 @@ print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
* nanoseconds of time 4 bytes/8 bytes (32/64-bits)
*/
static int
-fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -584,25 +982,50 @@ fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- char sfrm)
+ char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "header_ex", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
- tok->tt.hdr32_ex.addr);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.hdr32_ex.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ print_tok_type(fp, tok->id, "header_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ close_attr(fp);
+ /*
+ * No attribute for additional types.
+ *
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ */
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ }
}
/*
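Review bot: The XML branch of `print_header32_ex_tok()` drops the header's address altogether: the `print_ip_ex_address()` call survives only as dead code inside the "No attribute for additional types" comment. The `ad_type`/`addr` pair is what the extended header adds over the plain one, so anyone reviewing the XML form of the trail loses a field that the plain form still prints. I would either emit it as an attribute or replace the commented-out call with a plain statement of the gap, e.g. `/* XXX: XML output omits the header address; no attribute is defined for it yet. */`. `print_header64_ex_tok()` later in this diff has the same omission.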
@@ -611,10 +1034,10 @@ print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* event modifier 2 bytes
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
- * version #
+ * version #
*/
static int
-fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -646,23 +1069,44 @@ fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
}
static void
-print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
+ int xml)
{
-
- print_tok_type(fp, tok->id, "header", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr64.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr64.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr64.e_mod, raw);
- print_delim(fp, del);
- print_sec64(fp, tok->tt.hdr64.s, raw);
- print_delim(fp, del);
- print_msec64(fp, tok->tt.hdr64.ms, raw);
+
+ print_tok_type(fp, tok->id, "header", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ close_attr(fp);
+ open_attr(fp, "time");
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+ }
}
+
/*
* record byte count 4 bytes
* version # 1 byte [2]
@@ -678,7 +1122,7 @@ print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
* accuracy of the BSM spec.
*/
static int
-fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -729,25 +1173,51 @@ fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
}
static void
-print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "header_ex", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
- tok->tt.hdr64_ex.addr);
- print_delim(fp, del);
- print_sec64(fp, tok->tt.hdr64_ex.s, raw);
- print_delim(fp, del);
- print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ print_tok_type(fp, tok->id, "header_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ close_attr(fp);
+ /*
+ * No attribute for additional types.
+ *
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ */
+ open_attr(fp, "time");
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ }
}
/*
@@ -755,7 +1225,7 @@ print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
* record size 4 bytes
*/
static int
-fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
+fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -772,12 +1242,14 @@ fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
static void
print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "trailer", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.trail.count, "%u");
+ print_tok_type(fp, tok->id, "trailer", raw, xml);
+ if (!xml) {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.trail.count, "%u");
+ }
}
/*
@@ -787,7 +1259,7 @@ print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* text N bytes + 1 terminating NULL byte
*/
static int
-fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -803,8 +1275,8 @@ fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
- err);
+ SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
+ tok->len, err);
if (err)
return (-1);
@@ -813,20 +1285,32 @@ fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "argument", raw);
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arg32.no, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
- print_delim(fp, del);
- print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+ print_tok_type(fp, tok->id, "argument", raw, xml);
+ if (xml) {
+ open_attr(fp, "arg-num");
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ close_attr(fp);
+ open_attr(fp, "value");
+ print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
+ close_attr(fp);
+ open_attr(fp, "desc");
+ print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
+ print_delim(fp, del);
+ }
}
static int
-fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
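Review bot: The non-XML branch of print_arg32_tok now ends on `print_delim(fp, del);` and never prints the description text, so delimited output for 32-bit argument tokens loses the field that the removed code emitted and that print_arg64_tok's `else` branch still prints. Add `print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);` after that last delimiter. Without it, anything that parses the delimited form of the audit trail sees a trailing empty field for these tokens.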
@@ -842,8 +1326,8 @@ fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
- err);
+ SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
+ tok->len, err);
if (err)
return (-1);
@@ -852,16 +1336,29 @@ fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "argument", raw);
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arg64.no, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
- print_delim(fp, del);
- print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ print_tok_type(fp, tok->id, "argument", raw, xml);
+ if (xml) {
+ open_attr(fp, "arg-num");
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ close_attr(fp);
+ open_attr(fp, "value");
+ print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
+ close_attr(fp);
+ open_attr(fp, "desc");
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ }
}
/*
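Review bot: The `desc` attribute in the XML branch is filled by `print_string()` with text taken from the audit record, and nothing in this hunk escapes `"`, `<`, `>` or `&` before it is written. print_string is defined outside the hunk, so this only matters if it writes the bytes through unchanged; if it does, the XML branches should call an escaping variant instead. The same applies to print_arg32_tok and, with strings that originate in the audited process, to the `<arg>` and `<env>` elements in print_execarg_tok and print_execenv_tok and to the element text in print_file_tok and print_path_tok. A consumer that parses this output as the audit trail should never see markup that came from a record's string content.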
@@ -871,7 +1368,7 @@ print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data items (depends on basic unit)
*/
static int
-fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
+fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int datasize;
@@ -924,15 +1421,16 @@ fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
static void
print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
char *str;
char *format;
size_t size;
int i;
- print_tok_type(fp, tok->id, "arbitrary", raw);
- print_delim(fp, del);
+ print_tok_type(fp, tok->id, "arbitrary", raw, xml);
+ if (!xml)
+ print_delim(fp, del);
switch(tok->tt.arb.howtopr) {
case AUP_BINARY:
@@ -964,56 +1462,125 @@ print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
return;
}
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
+ if (xml) {
+ open_attr(fp, "print");
+ fprintf(fp, "%s",str);
+ close_attr(fp);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ }
switch(tok->tt.arb.bu) {
case AUR_BYTE:
/* case AUR_CHAR: */
str = "byte";
size = AUR_BYTE_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i<tok->tt.arb.uc; i++)
- fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *(tok->tt.arb.data +
+ (size * i)));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *(tok->tt.arb.data +
+ (size * i)));
+ }
break;
case AUR_SHORT:
str = "short";
size = AUR_SHORT_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i < tok->tt.arb.uc; i++)
- fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
- (size * i))));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int16_t *)(tok->tt.arb.data +
+ (size * i))));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int16_t *)(tok->tt.arb.data +
+ (size * i))));
+ }
break;
case AUR_INT32:
/* case AUR_INT: */
str = "int";
size = AUR_INT32_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i < tok->tt.arb.uc; i++)
- fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
- (size * i))));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int32_t *)(tok->tt.arb.data +
+ (size * i))));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int32_t *)(tok->tt.arb.data +
+ (size * i))));
+ }
break;
case AUR_INT64:
str = "int64";
size = AUR_INT64_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i < tok->tt.arb.uc; i++)
- fprintf(fp, format, *((u_int64_t *)(tok->tt.arb.data +
- (size * i))));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int64_t *)(tok->tt.arb.data +
+ (size * i))));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int64_t *)(tok->tt.arb.data +
+ (size * i))));
+ }
break;
default:
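Review bot: `fprintf(fp, "%u", size);` in the XML branches passes a `size_t` (declared at the top of print_arb_tok, in the previous hunk) to a `%u` conversion, which is a type mismatch wherever `size_t` is wider than `unsigned int`. Use `fprintf(fp, "%u", (unsigned int)size);` in all four cases (AUR_BYTE, AUR_SHORT, AUR_INT32, AUR_INT64). As a style point, the four cases differ only in the cast applied to `tok->tt.arb.data`, so the attribute and delimiter output could be written once ahead of the element loop. The function continues past the end of this hunk.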
@@ -1030,7 +1597,7 @@ print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* device 4 bytes/8 bytes (32-bit/64-bit)
*/
static int
-fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1063,22 +1630,44 @@ fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "attribute", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr32.mode, "%o");
- print_delim(fp, del);
- print_user(fp, tok->tt.attr32.uid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.attr32.gid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+ print_tok_type(fp, tok->id, "attribute", raw, xml);
+ if (xml) {
+ open_attr(fp, "mode");
+ print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.attr32.uid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.attr32.gid, raw);
+ close_attr(fp);
+ open_attr(fp, "fsid");
+ print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+ close_attr(fp);
+ open_attr(fp, "nodeid");
+ print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+ close_attr(fp);
+ open_attr(fp, "device");
+ print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+ print_delim(fp, del);
+ print_user(fp, tok->tt.attr32.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.attr32.gid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+ }
}
/*
@@ -1090,7 +1679,7 @@ print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* device 4 bytes/8 bytes (32-bit/64-bit)
*/
static int
-fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1123,22 +1712,44 @@ fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "attribute", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr64.mode, "%o");
- print_delim(fp, del);
- print_user(fp, tok->tt.attr64.uid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.attr64.gid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+ print_tok_type(fp, tok->id, "attribute", raw, xml);
+ if (xml) {
+ open_attr(fp, "mode");
+ print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.attr64.uid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.attr64.gid, raw);
+ close_attr(fp);
+ open_attr(fp, "fsid");
+ print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+ close_attr(fp);
+ open_attr(fp, "nodeid");
+ print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+ close_attr(fp);
+ open_attr(fp, "device");
+ print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+ print_delim(fp, del);
+ print_user(fp, tok->tt.attr64.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.attr64.gid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+ }
}
/*
@@ -1146,7 +1757,7 @@ print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* return value 4 bytes
*/
static int
-fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
+fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1163,14 +1774,24 @@ fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
static void
print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "exit", raw);
- print_delim(fp, del);
- print_errval(fp, tok->tt.exit.status);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.exit.ret, "%u");
+ print_tok_type(fp, tok->id, "exit", raw, xml);
+ if (xml) {
+ open_attr(fp, "errval");
+ print_errval(fp, tok->tt.exit.status);
+ close_attr(fp);
+ open_attr(fp, "retval");
+ print_4_bytes(fp, tok->tt.exit.ret, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_errval(fp, tok->tt.exit.status);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.exit.ret, "%u");
+ }
}
/*
@@ -1178,11 +1799,11 @@ print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* text count null-terminated string(s)
*/
static int
-fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
+fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int i;
- char *bptr;
+ u_char *bptr;
READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
if (err)
@@ -1191,7 +1812,7 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
for (i = 0; i < tok->tt.execarg.count; i++) {
bptr = buf + tok->len;
if (i < AUDIT_MAX_ARGS)
- tok->tt.execarg.text[i] = bptr;
+ tok->tt.execarg.text[i] = (char*)bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@@ -1211,16 +1832,25 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
static void
print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
int i;
- print_tok_type(fp, tok->id, "exec arg", raw);
+ print_tok_type(fp, tok->id, "exec arg", raw, xml);
for (i = 0; i < tok->tt.execarg.count; i++) {
- print_delim(fp, del);
- print_string(fp, tok->tt.execarg.text[i],
- strlen(tok->tt.execarg.text[i]));
+ if (xml) {
+ fprintf(fp, "<arg>");
+ print_string(fp, tok->tt.execarg.text[i],
+ strlen(tok->tt.execarg.text[i]));
+ fprintf(fp, "</arg>");
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.execarg.text[i],
+ strlen(tok->tt.execarg.text[i]));
+ }
}
+ if (xml)
+ close_tag(fp, tok->id);
}
/*
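Review bot: Both new branches of the loop in print_execarg_tok call `strlen(tok->tt.execarg.text[i])` for every `i` below `tok->tt.execarg.count`, but the fetch_execarg_tok hunk above stores `text[i]` only when `i < AUDIT_MAX_ARGS`. The rest of fetch_execarg_tok is outside the visible hunks, so it may clamp or reject a larger count. If it does not, a record whose count exceeds AUDIT_MAX_ARGS makes the printer read pointers that were never set. Bounding the loop here is cheap: `for (i = 0; i < tok->tt.execarg.count && i < AUDIT_MAX_ARGS; i++)`. print_execenv_tok has the same shape with AUDIT_MAX_ENV.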
@@ -1228,11 +1858,11 @@ print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* text count null-terminated string(s)
*/
static int
-fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
+fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int i;
- char *bptr;
+ u_char *bptr;
READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
if (err)
@@ -1241,7 +1871,7 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
for (i = 0; i < tok->tt.execenv.count; i++) {
bptr = buf + tok->len;
if (i < AUDIT_MAX_ENV)
- tok->tt.execenv.text[i] = bptr;
+ tok->tt.execenv.text[i] = (char*)bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@@ -1261,16 +1891,25 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
static void
print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
int i;
- print_tok_type(fp, tok->id, "exec env", raw);
+ print_tok_type(fp, tok->id, "exec env", raw, xml);
for (i = 0; i< tok->tt.execenv.count; i++) {
- print_delim(fp, del);
- print_string(fp, tok->tt.execenv.text[i],
- strlen(tok->tt.execenv.text[i]));
+ if (xml) {
+ fprintf(fp, "<env>");
+ print_string(fp, tok->tt.execenv.text[i],
+ strlen(tok->tt.execenv.text[i]));
+ fprintf(fp, "</env>");
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.execenv.text[i],
+ strlen(tok->tt.execenv.text[i]));
+ }
}
+ if (xml)
+ close_tag(fp, tok->id);
}
/*
@@ -1280,7 +1919,7 @@ print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* file pathname N bytes + 1 terminating NULL byte
*/
static int
-fetch_file_tok(tokenstr_t *tok, char *buf, int len)
+fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1296,7 +1935,8 @@ fetch_file_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
+ SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
+ err);
if (err)
return (-1);
@@ -1305,16 +1945,28 @@ fetch_file_tok(tokenstr_t *tok, char *buf, int len)
static void
print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "file", raw);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.file.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.file.ms, raw);
- print_delim(fp, del);
- print_string(fp, tok->tt.file.name, tok->tt.file.len);
+ print_tok_type(fp, tok->id, "file", raw, xml);
+ if (xml) {
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.file.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.file.ms, raw);
+ close_attr(fp);
+ fprintf(fp, ">");
+ print_string(fp, tok->tt.file.name, tok->tt.file.len);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.file.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.file.ms, raw);
+ print_delim(fp, del);
+ print_string(fp, tok->tt.file.name, tok->tt.file.len);
+ }
}
/*
@@ -1322,7 +1974,7 @@ print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* group list count * 4 bytes
*/
static int
-fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
+fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
{
int i;
int err = 0;
@@ -1343,14 +1995,21 @@ fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
static void
print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
int i;
- print_tok_type(fp, tok->id, "group", raw);
+ print_tok_type(fp, tok->id, "group", raw, xml);
for (i = 0; i < tok->tt.grps.no; i++) {
- print_delim(fp, del);
- print_group(fp, tok->tt.grps.list[i], raw);
+ if (xml) {
+ fprintf(fp, "<gid>");
+ print_group(fp, tok->tt.grps.list[i], raw);
+ fprintf(fp, "</gid>");
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_group(fp, tok->tt.grps.list[i], raw);
+ }
}
}
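Review bot: In print_newgroups_tok, `close_tag(fp, tok->id);` sits inside the `for` loop, so in XML mode the group element is closed once per gid and not at all when `tok->tt.grps.no` is zero. Drop it from the loop body and close once after the loop with `if (xml) close_tag(fp, tok->id);`, the way print_execarg_tok and print_execenv_tok do. As written, a record with several groups produces output that is not well-formed for a strict XML parser.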
@@ -1358,7 +2017,7 @@ print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* Internet addr 4 bytes
*/
static int
-fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
+fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1373,12 +2032,17 @@ fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
static void
print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "ip addr", raw);
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.inaddr.addr);
+ print_tok_type(fp, tok->id, "ip addr", raw, xml);
+ if (xml) {
+ print_ip_address(fp, tok->tt.inaddr.addr);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.inaddr.addr);
+ }
}
/*
@@ -1386,7 +2050,7 @@ print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* address 16 bytes
*/
static int
-fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1412,20 +2076,26 @@ fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "ip addr ex", raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
- tok->tt.inaddr_ex.addr);
+ print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
+ if (xml) {
+ print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+ tok->tt.inaddr_ex.addr);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+ tok->tt.inaddr_ex.addr);
+ }
}
/*
* ip header 20 bytes
*/
static int
-fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
+fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1480,30 +2150,66 @@ fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
static void
print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "ip", raw);
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.ip.src);
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.ip.dest);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "ip", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_mem(fp, (u_char *)(&tok->tt.ip.version),
+ sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "service_type");
+ print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "len");
+ print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
+ close_attr(fp);
+ open_attr(fp, "id");
+ print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
+ close_attr(fp);
+ open_attr(fp, "offset");
+ print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
+ close_attr(fp);
+ open_attr(fp, "time_to_live");
+ print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "protocol");
+ print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "cksum");
+ print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
+ close_attr(fp);
+ open_attr(fp, "src_addr");
+ print_ip_address(fp, tok->tt.ip.src);
+ close_attr(fp);
+ open_attr(fp, "dest_addr");
+ print_ip_address(fp, tok->tt.ip.dest);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.version),
+ sizeof(u_char));
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.ip.src);
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.ip.dest);
+ }
}
/*
@@ -1511,7 +2217,7 @@ print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* Object ID 4 bytes
*/
static int
-fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
+fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1528,14 +2234,24 @@ fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
static void
print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "IPC", raw);
- print_delim(fp, del);
- print_ipctype(fp, tok->tt.ipc.type, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipc.id, "%u");
+ print_tok_type(fp, tok->id, "IPC", raw, xml);
+ if (xml) {
+ open_attr(fp, "ipc-type");
+ print_ipctype(fp, tok->tt.ipc.type, raw);
+ close_attr(fp);
+ open_attr(fp, "ipc-id");
+ print_4_bytes(fp, tok->tt.ipc.id, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_ipctype(fp, tok->tt.ipc.type, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipc.id, "%u");
+ }
}
/*
@@ -1548,7 +2264,7 @@ print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* key 4 bytes
*/
static int
-fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
+fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1585,31 +2301,56 @@ fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
static void
print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "IPC perm", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.ipcperm.uid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.ipcperm.gid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.ipcperm.puid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.ipcperm.pgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+ print_tok_type(fp, tok->id, "IPC perm", raw, xml);
+ if (xml) {
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.ipcperm.uid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.ipcperm.gid, raw);
+ close_attr(fp);
+ open_attr(fp, "creator-uid");
+ print_user(fp, tok->tt.ipcperm.puid, raw);
+ close_attr(fp);
+ open_attr(fp, "creator-gid");
+ print_group(fp, tok->tt.ipcperm.pgid, raw);
+ close_attr(fp);
+ open_attr(fp, "mode");
+ print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+ close_attr(fp);
+ open_attr(fp, "seq");
+ print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+ close_attr(fp);
+ open_attr(fp, "key");
+ print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.ipcperm.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.ipcperm.gid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.ipcperm.puid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.ipcperm.pgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+ }
}
/*
* port Ip address 2 bytes
*/
static int
-fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
+fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1623,12 +2364,17 @@ fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
static void
print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "ip port", raw);
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
+ print_tok_type(fp, tok->id, "ip port", raw, xml);
+ if (xml) {
+ print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
+ }
}
/*
@@ -1636,7 +2382,7 @@ print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data size bytes
*/
static int
-fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
+fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1644,8 +2390,8 @@ fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
- err);
+ SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
+ tok->len, err);
if (err)
return (-1);
@@ -1654,14 +2400,21 @@ fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
static void
print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "opaque", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.opaque.size, "%u");
- print_delim(fp, del);
- print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
+ print_tok_type(fp, tok->id, "opaque", raw, xml);
+ if (xml) {
+ print_mem(fp, (u_char*)tok->tt.opaque.data,
+ tok->tt.opaque.size);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.opaque.size, "%u");
+ print_delim(fp, del);
+ print_mem(fp, (u_char*)tok->tt.opaque.data,
+ tok->tt.opaque.size);
+ }
}
/*
@@ -1669,7 +2422,7 @@ print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data size bytes
*/
static int
-fetch_path_tok(tokenstr_t *tok, char *buf, int len)
+fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1677,7 +2430,8 @@ fetch_path_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
+ SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
+ err);
if (err)
return (-1);
@@ -1686,12 +2440,17 @@ fetch_path_tok(tokenstr_t *tok, char *buf, int len)
static void
print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "path", raw);
- print_delim(fp, del);
- print_string(fp, tok->tt.path.path, tok->tt.path.len);
+ print_tok_type(fp, tok->id, "path", raw, xml);
+ if (xml) {
+ print_string(fp, tok->tt.path.path, tok->tt.path.len);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.path.path, tok->tt.path.len);
+ }
}
/*
@@ -1708,7 +2467,7 @@ print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 4 bytes
*/
static int
-fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1754,32 +2513,187 @@ fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "process", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.proc32.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "process", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc32.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc32.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc32.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc32.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc32.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+ print_ip_address(fp, tok->tt.proc32.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.proc32.tid.addr);
+ }
}
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 8 bytes
+ * machine id 4 bytes
+ */
static int
-fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
+ sizeof(tok->tt.proc64.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "process", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc64.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc64.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc64.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc64.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc64.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc64.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc64.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
+ print_ip_address(fp, tok->tt.proc64.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.proc64.tid.addr);
+ }
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
+static int
+fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1839,29 +2753,188 @@ fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "process_ex", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32_ex.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32_ex.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32_ex.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32_ex.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32_ex.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
- tok->tt.proc32_ex.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "process_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc32_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc32_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc32_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc32_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc32_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+ print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+ tok->tt.proc32_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+ tok->tt.proc32_ex.tid.addr);
+ }
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 8 bytes
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
+static int
+fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
+ sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
+ sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "process_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc64_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc64_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc64_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc64_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc64_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
+ print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
+ tok->tt.proc64_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
+ tok->tt.proc64_ex.tid.addr);
+ }
}
/*
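Review bot: In the XML branches of print_process32ex_tok and print_process64ex_tok the `tid` attribute is written as the port immediately followed by the address with nothing between them, so a consumer of the XML cannot tell where the port ends and the address begins. print_subject32_tok in a later hunk formats the port with `"%u "`, which at least separates the two, while print_subject64_tok, print_subject32ex_tok and print_subject64ex_tok repeat the unseparated form. I would either emit port and address as separate attributes or use one separator consistently, e.g. `print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u ");` and `print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu ");`. fetch_process32ex_tok and print_process32ex_tok are only partly inside this hunk.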
@@ -1869,7 +2942,7 @@ print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* return value 4 bytes
*/
static int
-fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1886,18 +2959,28 @@ fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "return", raw);
- print_delim(fp, del);
- print_retval(fp, tok->tt.ret32.status, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+ print_tok_type(fp, tok->id, "return", raw, xml);
+ if (xml) {
+ open_attr(fp ,"errval");
+ print_retval(fp, tok->tt.ret32.status, raw);
+ close_attr(fp);
+ open_attr(fp, "retval");
+ print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_retval(fp, tok->tt.ret32.status, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+ }
}
static int
-fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1914,21 +2997,31 @@ fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "return", raw);
- print_delim(fp, del);
- print_retval(fp, tok->tt.ret64.err, raw);
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+ print_tok_type(fp, tok->id, "return", raw, xml);
+ if (xml) {
+ open_attr(fp, "errval");
+ print_retval(fp, tok->tt.ret64.err, raw);
+ close_attr(fp);
+ open_attr(fp, "retval");
+ print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_retval(fp, tok->tt.ret64.err, raw);
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+ }
}
/*
* seq 4 bytes
*/
static int
-fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
+fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1941,12 +3034,19 @@ fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
static void
print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "sequence", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+ print_tok_type(fp, tok->id, "sequence", raw, xml);
+ if (xml) {
+ open_attr(fp, "seq-num");
+ print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+ }
}
/*
@@ -1955,7 +3055,7 @@ print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* socket address 4 bytes
*/
static int
-fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1979,16 +3079,29 @@ fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket-inet", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.sockinet32.addr);
+ print_tok_type(fp, tok->id, "socket-inet", raw, xml);
+ if (xml) {
+ open_attr(fp, "type");
+ print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+ close_attr(fp);
+ open_attr(fp, "port");
+ print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
+ close_attr(fp);
+ open_attr(fp, "addr");
+ print_ip_address(fp, tok->tt.sockinet32.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.sockinet32.addr);
+ }
}
/*
@@ -1996,7 +3109,7 @@ print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* path 104 bytes
*/
static int
-fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
+fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2014,15 +3127,28 @@ fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
static void
print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket-unix", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.sockunix.family, "%u");
- print_delim(fp, del);
- print_string(fp, tok->tt.sockunix.path,
- strlen(tok->tt.sockunix.path));
+ print_tok_type(fp, tok->id, "socket-unix", raw, xml);
+ if (xml) {
+ open_attr(fp, "type");
+ print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+ close_attr(fp);
+ open_attr(fp, "port");
+ close_attr(fp);
+ open_attr(fp, "addr");
+ print_string(fp, tok->tt.sockunix.path,
+ strlen(tok->tt.sockunix.path));
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.sockunix.path,
+ strlen(tok->tt.sockunix.path));
+ }
}
/*
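Review bot: Both branches of print_sock_unix_tok take the length from `strlen(tok->tt.sockunix.path)`, which is only safe if the 104-byte path field copied out of the audit record is NUL-terminated; the fetch routine's body is outside this hunk, so that cannot be confirmed here. An audit trail is input the parser does not control, so the length should be capped at the field size: assuming path is a fixed array, look for the terminator with `memchr(tok->tt.sockunix.path, '\0', sizeof(tok->tt.sockunix.path))` and fall back to the field size when none is found. The XML branch also opens and closes a `port` attribute with nothing in it; a one-line comment saying the empty attribute is deliberate would help, or it could be dropped.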
@@ -2033,7 +3159,7 @@ print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* remote address 4 bytes
*/
static int
-fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
+fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2066,20 +3192,39 @@ fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
static void
print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.socket.type, "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket.l_addr);
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket.r_addr);
+ print_tok_type(fp, tok->id, "socket", raw, xml);
+ if (xml) {
+ open_attr(fp, "sock_type");
+ print_2_bytes(fp, tok->tt.socket.type, "%u");
+ close_attr(fp);
+ open_attr(fp, "lport");
+ print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
+ close_attr(fp);
+ open_attr(fp, "laddr");
+ print_ip_address(fp, tok->tt.socket.l_addr);
+ close_attr(fp);
+ open_attr(fp, "fport");
+ print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
+ close_attr(fp);
+ open_attr(fp, "faddr");
+ print_ip_address(fp, tok->tt.socket.r_addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket.type, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket.l_addr);
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket.r_addr);
+ }
}
/*
@@ -2095,7 +3240,7 @@ print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 4 bytes
*/
static int
-fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2141,28 +3286,57 @@ fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "subject", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.subj32.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "subject", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj32.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj32.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj32.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj32.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj32.rgid, raw);
+ close_attr(fp);
+ open_attr(fp,"pid");
+ print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+ close_attr(fp);
+ open_attr(fp,"sid");
+ print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+ close_attr(fp);
+ open_attr(fp,"tid");
+ print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
+ print_ip_address(fp, tok->tt.subj32.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.subj32.tid.addr);
+ }
}
/*
@@ -2178,7 +3352,7 @@ print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 4 bytes
*/
static int
-fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2224,28 +3398,57 @@ fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "subject", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj64.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj64.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj64.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj64.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj64.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj64.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj64.sid, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.subj64.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "subject", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj64.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj64.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj64.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj64.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj64.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+ print_ip_address(fp, tok->tt.subj64.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.subj64.tid.addr);
+ }
}
/*
@@ -2262,7 +3465,7 @@ print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 16 bytes
*/
static int
-fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2322,29 +3525,187 @@ fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "subject_ex", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32_ex.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32_ex.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32_ex.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32_ex.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32_ex.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
- tok->tt.subj32_ex.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "subject_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj32_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj32_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj32_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj32_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj32_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+ print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+ tok->tt.subj32_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+ tok->tt.subj32_ex.tid.addr);
+ }
+}
+
+/*
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 8 bytes
+ * type 4 bytes
+ * machine id 16 bytes
+ */
+static int
+fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
+ sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
+ sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "subject_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj64_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj64_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj64_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj64_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj64_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
+ print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
+ tok->tt.subj64_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
+ tok->tt.subj64_ex.tid.addr);
+ }
}
/*
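Review bot: The layout comment above fetch_subject64ex_tok says `machine id 16 bytes`, but the function reads only `sizeof(tok->tt.subj64_ex.tid.addr[0])` bytes when the type is AU_IPv4 and the whole array only for AU_IPv6. I would word the line as `machine id one address word (AU_IPv4) or 16 bytes (AU_IPv6), selected by type`, and note in the comment that any other type makes the fetch fail. The comment on fetch_process64ex_tok in the earlier hunk (`machine address 16 bytes`) has the same gap. In the AU_IPv4 case the remaining elements of addr are not written by this function; whether they are cleared beforehand is not visible here.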
@@ -2352,7 +3713,7 @@ print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data size bytes
*/
static int
-fetch_text_tok(tokenstr_t *tok, char *buf, int len)
+fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2360,7 +3721,7 @@ fetch_text_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
+ SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
err);
if (err)
return (-1);
@@ -2370,12 +3731,17 @@ fetch_text_tok(tokenstr_t *tok, char *buf, int len)
static void
print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "text", raw);
- print_delim(fp, del);
- print_string(fp, tok->tt.text.text, tok->tt.text.len);
+ print_tok_type(fp, tok->id, "text", raw, xml);
+ if (xml) {
+ print_string(fp, tok->tt.text.text, tok->tt.text.len);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.text.text, tok->tt.text.len);
+ }
}
/*
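Review bot: The XML branch of print_text_tok writes the token's text with print_string as element content, and that text comes straight from the audit record. Unless print_string (defined outside this hunk) escapes `<`, `>`, `&` and quote characters, a text token containing markup will yield malformed or misleading XML for whatever tool consumes it. The same applies to the path written between open_attr/close_attr in print_sock_unix_tok and the name in print_zonename_tok. I would send XML output through an escaping variant of print_string and keep the plain one for the delimited format.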
@@ -2388,7 +3754,7 @@ print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* remote Internet address 4 bytes
*/
static int
-fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2432,24 +3798,43 @@ fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket_ex32.l_addr);
- print_delim(fp, del);
- print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ print_tok_type(fp, tok->id, "socket", raw, xml);
+ if (xml) {
+ open_attr(fp, "sock_type");
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ close_attr(fp);
+ open_attr(fp, "lport");
+ print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
+ close_attr(fp);
+ open_attr(fp, "laddr");
+ print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ close_attr(fp);
+ open_attr(fp, "faddr");
+ print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ close_attr(fp);
+ open_attr(fp, "fport");
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ print_delim(fp, del);
+ print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ }
}
static int
-fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
+fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int recoversize;
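Review bot: In the XML branch of print_socketex32_tok the `fport` attribute prints `tok->tt.socket_ex32.type` a second time instead of the remote port, so XML output reports the socket type as the foreign port. The line should be `print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");`, mirroring the `lport` line above it. The delimited branch prints the remote port with print_4_bytes where the local port uses print_2_bytes; that is carried over from the old code but may be worth aligning at the same time. fetch_invalid_tok starts at the end of this hunk and continues outside it.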
@@ -2460,7 +3845,8 @@ fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
tok->tt.invalid.length = recoversize;
- SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
+ SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
+ err);
if (err)
return (-1);
@@ -2469,14 +3855,55 @@ fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
static void
print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
+{
+
+ if (!xml) {
+ print_tok_type(fp, tok->id, "unknown", raw, 0);
+ print_delim(fp, del);
+ print_mem(fp, (u_char*)tok->tt.invalid.data,
+ tok->tt.invalid.length);
+ }
+}
+
+
+/*
+ * size 2 bytes;
+ * zonename size bytes;
+ */
+static int
+fetch_zonename_tok(tokenstr_t *tok, char *buf, int len)
{
+ int err = 0;
- print_tok_type(fp, tok->id, "unknown", raw);
- print_delim(fp, del);
- print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
+ READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
+ if (err)
+ return (-1);
+ SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
+ tok->len, err);
+ if (err)
+ return (-1);
+ return (0);
}
+static void
+print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "zone", raw, xml);
+ if (xml) {
+ open_attr(fp, "name");
+ print_string(fp, tok->tt.zonename.zonename,
+ tok->tt.zonename.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.zonename.zonename,
+ tok->tt.zonename.len);
+ }
+}
/*
* Reads the token beginning at buf into tok.
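Review bot: In XML mode print_invalid_tok now writes nothing at all, so a record holding an unrecognised token ID renders as if that token were absent, while the plain-text path still prints `unknown` plus the raw bytes. For an audit trail that silent gap is worth closing or at least documenting; if the omission is deliberate, a comment such as `/* XML output omits unrecognised tokens; use plain output to inspect them. */` above the `if (!xml)` would say so. Related, in the XML branch of print_socketex32_tok just above this hunk (its start is outside this view), the `fport` attribute is filled from `tok->tt.socket_ex32.type`, whereas the plain branch prints `ntohs(tok->tt.socket_ex32.r_port)` in that position.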
@@ -2565,6 +3992,12 @@ au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
case AUT_PROCESS32_EX:
return (fetch_process32ex_tok(tok, buf, len));
+ case AUT_PROCESS64:
+ return (fetch_process64_tok(tok, buf, len));
+
+ case AUT_PROCESS64_EX:
+ return (fetch_process64ex_tok(tok, buf, len));
+
case AUT_RETURN32:
return (fetch_return32_tok(tok, buf, len));
@@ -2586,11 +4019,14 @@ au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
case AUT_SUBJECT32:
return (fetch_subject32_tok(tok, buf, len));
+ case AUT_SUBJECT32_EX:
+ return (fetch_subject32ex_tok(tok, buf, len));
+
case AUT_SUBJECT64:
return (fetch_subject64_tok(tok, buf, len));
- case AUT_SUBJECT32_EX:
- return (fetch_subject32ex_tok(tok, buf, len));
+ case AUT_SUBJECT64_EX:
+ return (fetch_subject64ex_tok(tok, buf, len));
case AUT_TEXT:
return (fetch_text_tok(tok, buf, len));
@@ -2601,13 +4037,16 @@ au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
case AUT_DATA:
return (fetch_arb_tok(tok, buf, len));
+ case AUT_ZONENAME:
+ return (fetch_zonename_tok(tok, buf, len));
+
default:
return (fetch_invalid_tok(tok, buf, len));
}
}
/*
- * 'prints' the token out to outfp
+ * 'prints' the token out to outfp.
*/
void
au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
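Review bot: The new `case AUT_ZONENAME` passes au_fetch_tok's `u_char *buf` to fetch_zonename_tok, which the earlier hunk declares with `char *buf`, so the call relies on an implicit pointer-signedness conversion. The same commit moves fetch_invalid_tok to `u_char *buf` with a cast at the SET_PTR call, and the new function should follow suit: `fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)` with `SET_PTR((char*)buf, len, ...)` inside. Whether READ_TOKEN_U_INT16 cares about the signedness is not visible here, so that part needs checking against the macro.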
@@ -2615,151 +4054,341 @@ au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
switch(tok->id) {
case AUT_HEADER32:
- print_header32_tok(outfp, tok, del, raw, sfrm);
+ print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_HEADER32_EX:
- print_header32_ex_tok(outfp, tok, del, raw, sfrm);
+ print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_HEADER64:
- print_header64_tok(outfp, tok, del, raw, sfrm);
+ print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_HEADER64_EX:
- print_header64_ex_tok(outfp, tok, del, raw, sfrm);
+ print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_TRAILER:
- print_trailer_tok(outfp, tok, del, raw, sfrm);
+ print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ARG32:
- print_arg32_tok(outfp, tok, del, raw, sfrm);
+ print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ARG64:
- print_arg64_tok(outfp, tok, del, raw, sfrm);
+ print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_DATA:
- print_arb_tok(outfp, tok, del, raw, sfrm);
+ print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ATTR32:
- print_attr32_tok(outfp, tok, del, raw, sfrm);
+ print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ATTR64:
- print_attr64_tok(outfp, tok, del, raw, sfrm);
+ print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_EXIT:
- print_exit_tok(outfp, tok, del, raw, sfrm);
+ print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_EXEC_ARGS:
- print_execarg_tok(outfp, tok, del, raw, sfrm);
+ print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_EXEC_ENV:
- print_execenv_tok(outfp, tok, del, raw, sfrm);
+ print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_OTHER_FILE32:
- print_file_tok(outfp, tok, del, raw, sfrm);
+ print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_NEWGROUPS:
- print_newgroups_tok(outfp, tok, del, raw, sfrm);
+ print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IN_ADDR:
- print_inaddr_tok(outfp, tok, del, raw, sfrm);
+ print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IN_ADDR_EX:
- print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
+ print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IP:
- print_ip_tok(outfp, tok, del, raw, sfrm);
+ print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IPC:
- print_ipc_tok(outfp, tok, del, raw, sfrm);
+ print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IPC_PERM:
- print_ipcperm_tok(outfp, tok, del, raw, sfrm);
+ print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IPORT:
- print_iport_tok(outfp, tok, del, raw, sfrm);
+ print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_OPAQUE:
- print_opaque_tok(outfp, tok, del, raw, sfrm);
+ print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_PATH:
- print_path_tok(outfp, tok, del, raw, sfrm);
+ print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_PROCESS32:
- print_process32_tok(outfp, tok, del, raw, sfrm);
+ print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_PROCESS32_EX:
- print_process32ex_tok(outfp, tok, del, raw, sfrm);
+ print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_PROCESS64:
+ print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_PROCESS64_EX:
+ print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_RETURN32:
- print_return32_tok(outfp, tok, del, raw, sfrm);
+ print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_RETURN64:
- print_return64_tok(outfp, tok, del, raw, sfrm);
+ print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SEQ:
- print_seq_tok(outfp, tok, del, raw, sfrm);
+ print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKET:
- print_socket_tok(outfp, tok, del, raw, sfrm);
+ print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKINET32:
- print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
+ print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKUNIX:
- print_sock_unix_tok(outfp, tok, del, raw, sfrm);
+ print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SUBJECT32:
- print_subject32_tok(outfp, tok, del, raw, sfrm);
+ print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SUBJECT64:
- print_subject64_tok(outfp, tok, del, raw, sfrm);
+ print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SUBJECT32_EX:
- print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+ print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_SUBJECT64_EX:
+ print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_TEXT:
- print_text_tok(outfp, tok, del, raw, sfrm);
+ print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKET_EX:
- print_socketex32_tok(outfp, tok, del, raw, sfrm);
+ print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_ZONENAME:
+ print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ default:
+ print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ }
+}
+
+/*
+ * 'prints' the token out to outfp in XML format.
+ */
+void
+au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
+ char sfrm)
+{
+
+ switch(tok->id) {
+ case AUT_HEADER32:
+ print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_HEADER32_EX:
+ print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_HEADER64:
+ print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_HEADER64_EX:
+ print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_TRAILER:
+ print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ARG32:
+ print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ARG64:
+ print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_DATA:
+ print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ATTR32:
+ print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ATTR64:
+ print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_EXIT:
+ print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_EXEC_ARGS:
+ print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_EXEC_ENV:
+ print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_OTHER_FILE32:
+ print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_NEWGROUPS:
+ print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IN_ADDR:
+ print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IN_ADDR_EX:
+ print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IP:
+ print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IPC:
+ print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IPC_PERM:
+ print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IPORT:
+ print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_OPAQUE:
+ print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PATH:
+ print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS32:
+ print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS32_EX:
+ print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS64:
+ print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS64_EX:
+ print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_RETURN32:
+ print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_RETURN64:
+ print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SEQ:
+ print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKET:
+ print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKINET32:
+ print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKUNIX:
+ print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT32:
+ print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT64:
+ print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT32_EX:
+ print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT64_EX:
+ print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_TEXT:
+ print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKET_EX:
+ print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ZONENAME:
+ print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
return;
default:
- print_invalid_tok(outfp, tok, del, raw, sfrm);
+ print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
}
}
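Review bot: au_print_tok_xml repeats the whole au_print_tok switch with only the last argument changed, so every token type added later has to be entered in two places, and one missed entry would send that token to print_invalid_tok in one output format only. A single static dispatcher that takes the mode, with the two public functions as thin wrappers, keeps both formats in step without changing either public signature. The helper name below is only a suggestion, and au_print_tok's opening lines lie outside this hunk.

```c
static void
au_print_tok_common(FILE *outfp, tokenstr_t *tok, char *del, char raw,
    char sfrm, int xml)
{

	switch(tok->id) {
	/* … unchanged: one case per token type, passing xml as the last argument … */
	default:
		print_invalid_tok(outfp, tok, del, raw, sfrm, xml);
	}
}

void
au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
{

	au_print_tok_common(outfp, tok, del, raw, sfrm, AU_PLAIN);
}

void
au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
    char sfrm)
{

	au_print_tok_common(outfp, tok, del, raw, sfrm, AU_XML);
}
```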
diff --git a/contrib/openbsm/libbsm/bsm_notify.c b/contrib/openbsm/libbsm/bsm_notify.c
index 3ebfb25..e7d3ea2 100644
--- a/contrib/openbsm/libbsm/bsm_notify.c
+++ b/contrib/openbsm/libbsm/bsm_notify.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#13 $
*/
/*
@@ -66,7 +66,8 @@ uint32_t
au_notify_initialize(void)
{
#if AUDIT_NOTIFICATION_ENABLED
- uint32_t status, ignore_first;
+ uint32_t status;
+ int ignore_first;
status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
if (status != NOTIFY_STATUS_OK)
@@ -108,7 +109,7 @@ int
au_get_state(void)
{
#if AUDIT_NOTIFICATION_ENABLED
- uint32_t did_notify;
+ int did_notify;
#endif
int status;
diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c
index fecbeb8..86c1f60 100644
--- a/contrib/openbsm/libbsm/bsm_token.c
+++ b/contrib/openbsm/libbsm/bsm_token.c
@@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#52 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#62 $
*/
#include <sys/types.h>
@@ -212,9 +212,46 @@ au_to_attr32(struct vnode_au_info *vni)
token_t *
au_to_attr64(struct vnode_au_info *vni)
{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t pad0_16 = 0;
+ u_int16_t pad0_32 = 0;
- errno = ENOTSUP;
- return (NULL);
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+ 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_ATTR64);
+
+ /*
+ * Darwin defines the size for the file mode
+ * as 2 bytes; BSM defines 4 so pad with 0
+ */
+ ADD_U_INT16(dptr, pad0_16);
+ ADD_U_INT16(dptr, vni->vn_mode);
+
+ ADD_U_INT32(dptr, vni->vn_uid);
+ ADD_U_INT32(dptr, vni->vn_gid);
+ ADD_U_INT32(dptr, vni->vn_fsid);
+
+ /*
+ * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+ * Attempt to handle both, and let the compiler sort it out. If we
+ * could pick this out at compile-time, it would be better, so as to
+ * avoid the else case below.
+ */
+ if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+ ADD_U_INT32(dptr, pad0_32);
+ ADD_U_INT32(dptr, vni->vn_fileid);
+ } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+ ADD_U_INT64(dptr, vni->vn_fileid);
+ else
+ ADD_U_INT64(dptr, 0LL);
+
+ ADD_U_INT64(dptr, vni->vn_dev);
+
+ return (t);
}
token_t *
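Review bot: `pad0_32` in au_to_attr64 is declared `u_int16_t` but is handed to `ADD_U_INT32` as the upper half of the 64-bit file ID. If the macro takes its argument by value the zero simply widens and the output is correct, but the definition is not visible here, and a variant that copies from the variable's address would read past the 16-bit object. Declaring it as `u_int32_t pad0_32 = 0;` matches the name and removes the dependence on how the macro is written.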
@@ -308,7 +345,7 @@ token_t *
au_to_groups(int *groups)
{
- return (au_to_newgroups(AUDIT_MAX_GROUPS, groups));
+ return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
}
/*
@@ -382,6 +419,8 @@ au_to_in_addr_ex(struct in6_addr *internet_addr)
/*
* token ID 1 byte
* ip header 20 bytes
+ *
+ * The IP header should be submitted in network byte order.
*/
token_t *
au_to_ip(struct ip *ip)
@@ -394,9 +433,6 @@ au_to_ip(struct ip *ip)
return (NULL);
ADD_U_CHAR(dptr, AUT_IP);
- /*
- * XXXRW: Any byte order work needed on the IP header before writing?
- */
ADD_MEM(dptr, ip, sizeof(struct ip));
return (t);
@@ -650,19 +686,34 @@ au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
}
token_t *
-au_to_process64(__unused au_id_t auid, __unused uid_t euid,
- __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
- __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
+ sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
- errno = ENOTSUP;
- return (NULL);
+ ADD_U_CHAR(dptr, AUT_PROCESS64);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->port);
+ ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
+
+ return (t);
}
token_t *
-au_to_process(__unused au_id_t auid, __unused uid_t euid,
- __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
- __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
{
return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
@@ -713,11 +764,11 @@ au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
- ADD_U_INT32(dptr, tid->at_addr[0]);
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
if (tid->at_type == AU_IPv6) {
- ADD_U_INT32(dptr, tid->at_addr[1]);
- ADD_U_INT32(dptr, tid->at_addr[2]);
- ADD_U_INT32(dptr, tid->at_addr[3]);
+ ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
}
return (t);
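Review bot: The terminal address is copied here with up to four separate `ADD_MEM` calls, and au_to_process64_ex later in this diff does the same, while au_to_subject32_ex and au_to_subject64_ex in the same commit use one call per address family. Using the subject form in both process functions, `ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));` for AU_IPv6 and `ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));` otherwise, would make the four encoders read alike and easier to compare against the size passed to GET_TOKEN_AREA. au_to_process32_ex begins outside this hunk, so whether it validates `at_type` the way au_to_process64_ex does cannot be seen from here.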
@@ -727,9 +778,42 @@ token_t *
au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
- errno = ENOTSUP;
- return (NULL);
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 2 * sizeof(u_int32_t));
+ else if (tid->at_type == AU_IPv6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 5 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+ if (tid->at_type == AU_IPv6) {
+ ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
+ }
+
+ return (t);
}
token_t *
@@ -944,9 +1028,26 @@ token_t *
au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
+ sizeof(u_int64_t) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
- errno = ENOTSUP;
- return (NULL);
+ ADD_U_CHAR(dptr, AUT_SUBJECT64);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->port);
+ ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
+
+ return (t);
}
token_t *
@@ -1002,12 +1103,10 @@ au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
- ADD_U_INT32(dptr, tid->at_addr[0]);
- if (tid->at_type == AU_IPv6) {
- ADD_U_INT32(dptr, tid->at_addr[1]);
- ADD_U_INT32(dptr, tid->at_addr[2]);
- ADD_U_INT32(dptr, tid->at_addr[3]);
- }
+ if (tid->at_type == AU_IPv6)
+ ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
+ else
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
return (t);
}
@@ -1016,9 +1115,40 @@ token_t *
au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
- errno = ENOTSUP;
- return (NULL);
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 2 * sizeof(u_int32_t));
+ else if (tid->at_type == AU_IPv6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 5 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ if (tid->at_type == AU_IPv6)
+ ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
+ else
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+
+ return (t);
}
token_t *
@@ -1090,6 +1220,27 @@ au_to_exec_args(char **argv)
}
/*
+ * token ID 1 byte
+ * zonename length 2 bytes
+ * zonename N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_zonename(char *zonename)
+{
+ u_char *dptr = NULL;
+ u_int16_t textlen;
+ token_t *t;
+
+ textlen = strlen(zonename);
+ textlen += 1;
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+ ADD_U_CHAR(dptr, AUT_ZONENAME);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, zonename, textlen);
+ return (t);
+}
+
+/*
* token ID 1 byte
* count 4 bytes
* text count null-terminated strings
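Review bot: au_to_zonename writes through `dptr` without checking the allocation: every other token builder in this diff follows GET_TOKEN_AREA with `if (t == NULL) return (NULL);`, and the same two lines are needed here before `ADD_U_CHAR`. Separately, `textlen` is a `u_int16_t` assigned from `strlen(zonename)` and then incremented, so a name of 65535 bytes or more wraps and the token would carry a shortened, unterminated name. Rejecting over-long input up front (for example by taking the length in a `size_t` and returning NULL with `errno = EINVAL` when it does not fit) would keep the length field and the data consistent.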
@@ -1166,6 +1317,33 @@ au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
return (t);
}
+token_t *
+au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int32_t timems;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+ sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_HEADER64);
+ ADD_U_INT32(dptr, rec_size);
+ ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
+ ADD_U_INT16(dptr, e_type);
+ ADD_U_INT16(dptr, e_mod);
+
+ timems = tm.tv_usec/1000;
+ /* Add the timestamp */
+ ADD_U_INT64(dptr, tm.tv_sec);
+ ADD_U_INT64(dptr, timems); /* We need time in ms. */
+
+ return (t);
+}
+
#if !defined(KERNEL) && !defined(_KERNEL)
token_t *
au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
@@ -1181,9 +1359,11 @@ token_t *
au_to_header64(__unused int rec_size, __unused au_event_t e_type,
__unused au_emod_t e_mod)
{
+ struct timeval tm;
- errno = ENOTSUP;
- return (NULL);
+ if (gettimeofday(&tm, NULL) == -1)
+ return (NULL);
+ return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
}
token_t *
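Review bot: au_to_header64 still marks `rec_size`, `e_type` and `e_mod` as `__unused`, although the new body passes all three to au_to_header64_tm. The annotation is now misleading and should be dropped, as this commit already does for au_to_process64 and au_to_process: `au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod)`.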
diff --git a/contrib/openbsm/libbsm/bsm_wrappers.c b/contrib/openbsm/libbsm/bsm_wrappers.c
index 98f286c..f001e5f 100644
--- a/contrib/openbsm/libbsm/bsm_wrappers.c
+++ b/contrib/openbsm/libbsm/bsm_wrappers.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#24 $
*/
#ifdef __APPLE__
@@ -66,8 +66,9 @@ audit_submit(short au_event, au_id_t auid, char status,
long acond;
va_list ap;
pid_t pid;
- int error, afd;
+ int error, afd, subj_ex;
struct auditinfo ai;
+ struct auditinfo_addr aia;
if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
/*
@@ -84,6 +85,7 @@ audit_submit(short au_event, au_id_t auid, char status,
}
if (acond == AUC_NOAUDIT)
return (0);
+ /* XXXCSJP we should be doing a pre-select here */
afd = au_open();
if (afd < 0) {
error = errno;
@@ -92,7 +94,20 @@ audit_submit(short au_event, au_id_t auid, char status,
errno = error;
return (-1);
}
- if (getaudit(&ai) < 0) {
+ /*
+ * Some operating systems do not have getaudit_addr(2) implemented
+ * yet. So we try to use getaudit(2) first, if the subject is
+ * using IPv6, then we will have to try getaudit_addr(2). Failing
+ * this, we return error.
+ */
+ subj_ex = 0;
+ error = getaudit(&ai);
+ if (error < 0 && errno == E2BIG) {
+ error = getaudit_addr(&aia, sizeof(aia));
+ if (error == 0)
+ subj_ex = 1;
+ }
+ if (error < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
strerror(errno));
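Review bot: When getaudit() fails with E2BIG and the getaudit_addr() fallback fails as well, the unchanged syslog line still reports `audit: getaudit failed`, with the errno of the second call. Anyone reading the auth log cannot tell which call produced the error. Recording which call was last attempted and naming it in the message (or wording it as `getaudit/getaudit_addr failed`) would make the entry accurate; check first whether anything parses the existing string. audit_submit starts and ends outside this hunk.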
@@ -100,8 +115,12 @@ audit_submit(short au_event, au_id_t auid, char status,
return (-1);
}
pid = getpid();
- token = au_to_subject32(auid, geteuid(), getegid(),
- getuid(), getgid(), pid, pid, &ai.ai_termid);
+ if (subj_ex == 0)
+ token = au_to_subject32(auid, geteuid(), getegid(),
+ getuid(), getgid(), pid, pid, &ai.ai_termid);
+ else
+ token = au_to_subject_ex(auid, geteuid(), getegid(),
+ getuid(), getgid(), pid, pid, &aia.ai_termid);
if (token == NULL) {
syslog(LOG_AUTH | LOG_ERR,
"audit: unable to build subject token");
diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3
index f87cf55..e84ea94 100644
--- a/contrib/openbsm/libbsm/libbsm.3
+++ b/contrib/openbsm/libbsm/libbsm.3
@@ -1,5 +1,5 @@
.\"-
-.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2005-2007 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#13 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
@@ -34,7 +34,7 @@
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Sh DESCRIPTION
The
.Nm
@@ -42,7 +42,9 @@ library routines provide an interface to BSM audit record streams, allowing
both the parsing of existing audit streams, as well as the creation of new
audit records and streams.
.Sh INTERFACES
+The
.Nm
+library
provides a large number of Audit programming interfaces in several classes:
event stream interfaces, class interfaces, control interfaces, event
interfaces, I/O interfaces, mask interfaces, notification interfaces, token
@@ -132,7 +134,7 @@ Audit token interfaces permit the creation of tokens for use in creating
audit records for submission to event streams.
Each interface converts a C type to its
.Vt token_t
-representation.
+representation:
.Xr au_to_arg 3 ,
.Xr au_to_arg32 3 ,
.Xr au_to_arg64 3 ,
@@ -175,7 +177,8 @@ representation.
.Xr au_to_subject32_ex 3 ,
.Xr au_to_subject64_ex 3 ,
.Xr au_to_text 3 ,
-.Xr au_to_trailer 3 .
+.Xr au_to_trailer 3 ,
+.Xr au_to_zonename 3 .
.Ss Audit User Interfaces
Audit user interfaces support the look up of information from the
.Xr audit_user 5
@@ -190,26 +193,31 @@ database:
.Xr getfauditflags 3 .
.Sh SEE ALSO
.Xr au_class 3 ,
+.Xr audit_submit 3 ,
.Xr au_mask 3 ,
.Xr au_notify 3 ,
.Xr au_stream 3 ,
.Xr au_token 3 ,
.Xr au_user 3 ,
-.Xr audit_submit 3 ,
.Xr audit_class 5 ,
.Xr audit_control 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
Bugs would not be unlikely.
.Pp