Initial vendor import of the TrustedBSD OpenBSM distribution, version

1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems.  Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs.  This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>.  The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to:	wsalamon, trhodes
Obtained from:	TrustedBSD Project

14 files changed, 1837 insertions, 0 deletions

diff --git a/contrib/openbsm/man/Makefile b/contrib/openbsm/man/Makefile
new file mode 100644
index 0000000..fec6651
--- /dev/null
+++ b/contrib/openbsm/man/Makefile
@@ -0,0 +1,19 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#5 $
+#
+
+MAN=	audit.2								\
+	auditctl.2							\
+	auditon.2							\
+	getaudit.2							\
+	getauid.2							\
+	setaudit.2							\
+	setauid.2							\
+	audit.log.5							\
+	audit_class.5							\
+	audit_control.5							\
+	audit_event.5							\
+	audit_user.5							\
+	audit_warn.5
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
new file mode 100644
index 0000000..6e14899
--- /dev/null
+++ b/contrib/openbsm/man/audit.2
@@ -0,0 +1,96 @@
+.\"-
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDIT 2
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Commit a BSM audit record to the audit log"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn audit "const char *record" "u_int length"
+.Sh DESCRIPTION
+.Fn audit
+submits a completed BSM audit record to the system audit log.
+.Pp
+.Fa record
+is a pointer to the the specific event to be recorded and
+.Vt length
+is the size in bytes of the data to be written.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn audit
+system call will fail and the data never written if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+The
+.Fa record
+argument is beyond the allocated address space of the process.
+.It Bq Er EINVAL
+The token ID is invalid or
+.Vt length
+is larger than
+.Vt MAXAUDITDATA .
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Fx
+kernel does not fully validate that the argument passed is syntactically
+valid BSM.
+Submitting invalid audit records may corrupt the audit log.
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
new file mode 100644
index 0000000..5d2dec4
--- /dev/null
+++ b/contrib/openbsm/man/audit.log.5
@@ -0,0 +1,622 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $
+.\"
+.Dd May 1, 2005
+.Dt AUDIT.LOG 5
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Basic Security Module (BSM) File Format"
+.Sh DESCRIPTION
+The
+.Nm
+file format is based on Sun's Basic Security Module (BSM) file format, a
+token-based record stream to represent system audit data.
+This file format is both flexible and extensible, able to describe a broad
+range of data types, and easily extended to describe new data types in a
+moderately backward and forward compatible way.
+.Pp
+BSM token streams typically begin and end with a
+.Dv file
+token, which provides time stamp and file name information for the stream;
+when processing a BSM token stream from a stream as opposed to a single file
+source, file tokens may be seen at any point between ordinary records
+identifying when particular parts of the stream begin and end.
+All other tokens will appear in the context of a complete BSM audit record,
+which begins with a
+.Dv header
+token, and ends with a
+.Dv trailer
+token, which describe the audit record.
+Between these two tokens will appear a variety of data tokens, such as
+process information, file path names, IPC object information, MAC labels,
+socket information, and so on.
+.Pp
+The BSM file format defines specific token orders for each record event type;
+however, some variation may occur depending on the operating system in use,
+what system options, such as mandatory access control, are present.
+.Pp
+This manual page documents the common token types and their binary format, and
+is intended for reference purposes only.
+It is recommended that application programmers use the
+.Xr libbsm 3
+interface to read and write tokens, rather than parsing or constructing
+records by hand.
+.Ss File Token
+The
+.Dv file
+token is used at the beginning and end of an audit log file to indicate
+when the audit log begins and ends.
+It includes a pathname so that, if concatenated together, original file
+boundaries are still observable, and gaps in the audit log can be identified.
+A
+.Dv file
+token can be created using
+.Xr au_to_file 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
+.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
+.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
+.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
+.El
+.Ss Header Token
+The
+.Dv header
+token is used to mark the beginning of a complete audit record, and includes
+the length of the total record in bytes, a version number for the record
+layout, the event type and subtype, and the time at which the event occurred.
+A
+.Dv header
+token can be created using
+.Xr au_to_header32 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.El
+.Ss Expanded Header Token
+The
+.Dv expanded header
+token is an expanded version of the
+.Dv header
+token, with the addition of a machine IPv4 or IPv6 address.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv expanded header
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
+.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.El
+.Ss Trailer Token
+The
+.Dv trailer
+terminates a BSM audit record, and contains a magic number,
+.Dv TRAILER_PAD_MAGIC
+and length that can be used to validate that the record was read properly.
+A
+.Dv trailer
+token can be created using
+.Xr au_to_trailer 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.El
+.Ss Arbitrary Data Token
+The
+.Dv arbitrary data
+token contains a byte stream of opaque (untyped) data.
+The size of the data is calculated as the size of each unit of data
+multipled by the number of units of data.
+A
+.Dv How to print
+field is present to specify how to print the data, but interpretation of
+that field is not currently defined.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv arbitrary data
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
+.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
+.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
+.It Li "Data Items" Ta "Variable" Ta "User data"
+.El
+.Ss in_addr Token
+The
+.Dv in_addr
+token holds a network byte order IPv4 or IPv6 address.
+An
+.Dv in_addr
+token can be created using
+.Xr au_to_in_addr 3
+for an IPv4 address, or
+.Xr au_to_in_addr_ex 3
+for an IPv6 address.
+.Pp
+See the BUGS section for information on the storage of this token.
+.Pp
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
+.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.El
+.Ss Expanded in_addr Token
+The
+.Dv expanded in_addr
+token ...
+.Pp
+See the BUGS section for information on the storage of this token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It XXXX
+.El
+.Ss ip Token
+The
+.Dv ip
+token contains an IP packet header in network byte order.
+An
+.Dv ip
+token can be cread using
+.Xr au_to_ip 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
+.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
+.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
+.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
+.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
+.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
+.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
+.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
+.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
+.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address"
+.El
+.Ss Expanded ip Token
+The
+.Dv expanded ip
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It XXXX
+.El
+.Ss iport Token
+The
+.Dv iport
+token stores an IP port number in network byte order.
+An
+.Dv iport
+token can be created using
+.Xr au_to_iport 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
+.El
+.Ss Path Token
+The
+.Dv path
+token contains a pathname.
+A
+.Dv path
+token can be created using
+.Xr auto_path 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
+.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
+.El
+.Ss path_attr Token
+The
+.Dv path_attr
+token contains a set of nul-terminated path names.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv path_attr
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
+.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
+.El
+.Ss Process Token
+The
+.Dv process
+token contains a description of the security properties of a process
+involved as the target of an auditable event, such as the destination for
+signal delivery.
+It should not be confused with the
+.Dv subject
+token, which describes the subject performing an auditable event.
+This includes both the traditional
+.Ux
+security properties, such as user IDs and group IDs, but also audit
+information such as the audit user ID and sesion.
+A
+.Dv process
+token can be created using
+.Xr au_to_process32 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.El
+.Ss Expanded Process Token
+The .Dv expanded process
+token contains the contents of the
+.Dv process
+token, with the addition of a machine address type and variable length
+address storage capable of containing IPv6 addresses.
+A
+.Dv expanded process
+token can be created using
+.Xr au_to_process32_ex 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.El
+.Ss Return Token
+The
+.Dv return
+token contains a system call or library function return condition, including
+return value and error number associated with the global variable
+.Er errno .
+A 
+.Dv return
+token can be created using
+.Xr au_to_return32 3
+or
+.Xr au_to_return64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
+.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
+.El
+.Ss Subject Token
+The
+.Dv subject
+token contains information on the subject performing the operation described
+by an audit record, and includes similar information to that found in the
+.Dv process
+and
+.Dv expanded process
+tokens.
+However, those tokens are used where the process being described is the
+target of the operation, not the authorizing party.
+A
+.Dv subject
+token can be created using
+.Xr au_to_subject32 3
+and
+.Xr au_to_subject64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.El
+.Ss Expanded Subject Token
+The
+.Dv expanded subject
+token consists of the same elements as the
+.Dv subject
+token, with the addition of type/length and variable size machine address
+information in the terminal ID.
+A
+.Dv expanded subject
+token can be created using
+.Xr au_to_subject32_ex 3
+or
+.Xr au_to_subject64_ex 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.El
+.Ss System V IPC Token
+The
+.Dv System V IPC
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Text Token
+The
+.Dv text
+token contains a single nul-terminated text string.
+A
+.Dv text
+token may be created using
+.Xr au_to_text 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
+.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
+.El
+.Ss Attribute Token
+The
+.Dv attribute
+token describes the attributes of a file associated with the audit event.
+As files may be identified by 0, 1, or many path names, a path name is not
+included with the attribute block for a file; optional
+.Dv path
+tokens may also be present in an audit record indicating which path, if any,
+was used to reach the object.
+A
+.Dv attribute
+token can be created using
+.Xr au_to_attr32 3
+or
+.Xr au_to_attr64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
+.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
+.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
+.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
+.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
+.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
+.El
+.Ss Groups Token
+The
+.Dv groups
+token contains a list of group IDs associated with the audit event.
+A
+.Dv groups
+token can be created using
+.Xr au_to_groups 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
+.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
+.El
+.Ss System V IPC Permission Token
+The
+.Dv System V IPC permission
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Arg Token
+The
+.Dv arg
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss exec_args Token
+The
+.Dv exec_args
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss exec_env Token
+The
+.Dv exec_env
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Exit Token
+The
+.Dv exit
+token contains process exit/return code information.
+An
+.Dv exit
+token can be created using
+.Xr au_to_exit 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
+.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
+.El
+.Ss Socket Token
+The
+.Dv socket
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Expanded Socket Token
+The
+.Dv expanded socket
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Seq Token
+The
+.Dv seq
+token contains a unique and monotonically increasing audit event sequence ID.
+Due to the limited range of 32 bits, serial number arithmetic and caution
+should be used when comparing sequence numbers.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
+.El
+.Ss privilege Token
+The
+.Dv privilege
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Use-of-auth Token
+The
+.Dv use-of-auth
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Command Token
+The
+.Dv command
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss ACL Token
+The
+.Dv ACL
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Zonename Token
+The
+.Dv zonename
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Sh SEE ALSO
+.Xr libbsm 3
+.Sh AUTHORS
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Dv How to print
+field in the
+.Dv arbitrary data
+token has undefined values.
+.Pp
+The
+.Dv in_addr
+and
+.Dv in_addr_ex
+token layout documented here appears to be in conflict with the
+.Xr libbsm 3
+implementations of
+.Xr au_to_in_addr 3
+and
+.Xr au_to_in_addr_ex 3 .
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
new file mode 100644
index 0000000..81b60cb
--- /dev/null
+++ b/contrib/openbsm/man/audit_class.5
@@ -0,0 +1,70 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CLASS 5
+.Os
+.Sh NAME
+.Nm audit_class
+.Nd "contains audit event class descriptions"
+.Sh DESCRIPTION
+The
+.Nm 
+file contains descriptions of the auditable event classes on the system.
+Each auditable event is a member of an event class.
+Each line maps an audit event 
+mask (bitmap) to a class and a description.
+Entries are of the form 
+.Dl classmask:eventclass:description.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000080:pc:process
+0xffffffff:all:all flags set
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_class" -compact
+.It Pa /etc/security/audit_class
+.El
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
new file mode 100644
index 0000000..d39b681
--- /dev/null
+++ b/contrib/openbsm/man/audit_control.5
@@ -0,0 +1,121 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CONTROL 5
+.Os
+.Sh NAME
+.Nm audit_control
+.Nd "contains audit system parameters"
+.Sh DESCRIPTION
+The
+.Nm
+file contains several audit system parameters.
+Each line of this file is of the form:
+.Dl parameter:value.
+The parameters are:
+.Bl -tag -width Ds
+.It Pa dir
+The directory where audit log files are stored.
+There may be more than one of these entries.
+Changes to this entry can only be enacted by restarting the
+audit system.
+See
+.Xr audit 1
+for a description of how to restart the audit system.
+.It Va flags
+Specifies which audit event classes are audited for all users.  
+.Xr audit_user 5
+describes how to audit events for individual users.
+See the information below for the format of the audit flags.
+.It Va naflags
+Contains the audit flags that define what classes of events are audited when
+an action cannot be attributed to a specific user.
+.It Va minfree
+The minimum free space required on the file system audit logs are being written to.
+When the free space falls below this limit a warning will be issued.
+Not currently used as the value of 20 percent is chosen by the kernel.
+.El
+.Sh AUDIT FLAGS
+Audit flags are a comma delimited list of audit classes as defined in the
+audit_class file.
+See
+.Xr audit_class 5
+for details.
+Event classes may be preceded by a prefix which changes their interpretation.
+The following prefixes may be used for each class:
+.Bl -tag -width Ds -compact -offset indent
+.It +
+Record successful events
+.It -
+Record failed events
+.It ^
+Record both successful and failed events
+.It ^+
+Don't record successful events
+.It ^-
+Don't record failed events
+.El
+.Sh DEFAULT
+The following settings appear in the default
+.Nm
+file:
+.Bd -literal -offset indent
+dir:/var/audit
+flags:lo,ad,-all,^-fc,^-cl
+minfree:20
+naflags:lo
+.Ed
+.Pp
+The
+.Va flags
+parameter above specifies the system-wide mask corresponding to login/logout
+events, administrative events, and all failures except for failures in creating
+or closing files.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+.El
+.Sh SEE ALSO
+.Xr audit 1 ,
+.Xr auditd 8 ,
+.Xr audit_class 5 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
new file mode 100644
index 0000000..36029ef
--- /dev/null
+++ b/contrib/openbsm/man/audit_event.5
@@ -0,0 +1,74 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_EVENT 5
+.Os
+.Sh NAME
+.Nm audit_event
+.Nd "contains audit event descriptions"
+.Sh DESCRIPTION
+The
+.Nm 
+file contains descriptions of the auditable events on the system.
+Each line maps an audit event number to a name, a description, and a class.
+Entries are of the form
+.Dl eventnum:eventname:description:eventclass .
+Each
+.Vt eventclass
+should have a corresponding entry in the audit_class file.
+See 
+.Xr audit_class 5
+for details.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2):fa
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_event" -compact
+.It Pa /etc/security/audit_event
+.El
+.Sh SEE ALSO
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
new file mode 100644
index 0000000..abb74a3
--- /dev/null
+++ b/contrib/openbsm/man/audit_user.5
@@ -0,0 +1,91 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_USER 5
+.Os
+.Sh NAME
+.Nm audit_user
+.Nd "specifies events to be audited for the given users"
+.Sh DESCRIPTION
+The
+.Nm 
+file specifies which audit event classes are to be audited for the given users.
+If specified, these flags are combined with the system-wide audit flags in the
+.Pa audit_control
+file to determine which classes of events to audit for that user.
+These settings take effect when the user logs in.
+.Pp
+Each line maps a user name to a list of classes that should be audited and a
+list of classes that should not be audited. 
+Entries are of the form of
+.Dl username:alwaysaudit:neveraudit ,
+where
+.Vt alwaysaudit
+is a set of event classes that are always audited, and
+.Vt neveraudit
+is a set of event classes that should not be audited.
+These sets can indicate
+the inclusion or exclusion of multiple classes, and whether to audit successful
+or failed events.
+See
+.Xr audit_control 5
+for more information about audit flags.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+root:lo,ad:no
+jdoe:-fc,ad:+fw
+.Ed
+.Pp
+These settings would cause login and administrative events that succeed on
+behalf of user root to be audited.
+No failure events are audited.
+For the user
+.Em jdoe ,
+failed file creation events are audited, administrative events are
+audited, and successful file write events are never audited.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_user" -compact
+.It Pa /etc/security/audit_user
+.El
+.Sh SEE ALSO
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
new file mode 100644
index 0000000..4581d8c
--- /dev/null
+++ b/contrib/openbsm/man/audit_warn.5
@@ -0,0 +1,69 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
+.\"
+.Dd Mar 17, 2004
+.Dt AUDIT_WARN 5
+.Os
+.Sh NAME
+.Nm audit_warn
+.Nd "alert when audit daemon issues warnings"
+.Sh DESCRIPTION
+.Nm 
+runs when 
+.Xr auditd 8
+generates warning messages.  
+.Pp
+The default 
+.Nm
+is a script whose first parameter is the type of warning; the script
+appends its arguments to 
+.Pa /etc/security/audit_messages .
+Administrators may replace this script: a more comprehensive one would take
+different actions based on the type of warning.
+For example, a low-space warning
+could result in an email message being sent to the administrator.  
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_warn" -compact
+.It Pa /etc/security/audit_warn
+.It Pa /etc/security/audit_messages
+.El
+.Sh SEE ALSO
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
new file mode 100644
index 0000000..48bec1cd
--- /dev/null
+++ b/contrib/openbsm/man/auditctl.2
@@ -0,0 +1,78 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITCTL 2
+.Os
+.Sh NAME
+.Nm auditctl
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "const char *path"
+.Sh DESCRIPTION
+The
+.Fn auditctl
+system call directs the kernel to open a new audit trail log file.
+.Fn auditctl
+requires appropriate privilege.
+In the
+.Fx
+implementation,
+.Fn auditctl
+opens new files, but
+.Fn auditon
+is used to disable the audit log.
+In the Mac OS X implementation, passing
+.Va NULL
+to
+.Fn auditctl
+will disable the audit log.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
new file mode 100644
index 0000000..4e38dc4
--- /dev/null
+++ b/contrib/openbsm/man/auditon.2
@@ -0,0 +1,288 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Wayne J. Salamon
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITON 2
+.Os
+.Sh NAME
+.Nm auditon
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "int cmd" "void *data" "u_int length"
+.Sh DESCRIPTION
+The
+.Nm
+system call is used to manipulate various audit control operations.
+.Ft *data
+should point to a structure whose type depends on the command.
+.Ft length
+specifies the size of the 
+.Em data 
+in bytes.
+.Ft cmd
+may be any of the following:
+.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
+.It Dv A_SETPOLICY
+Set audit policy flags.
+.Ft *data
+must point to an long value set to one of the audit 
+policy control values defined in audit.h.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+In the
+.Dv AUDIT_CNT
+case, the action will continue regardless if
+an event will not be audited.
+In the
+.Dv AUDIT_AHLT
+case, a
+.Xr panic 9
+will result if an event will not be written to the
+audit log file.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_SETKMASK
+Set the kernel preselection masks (success and failure).
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure containing the mask values.
+These masks are used for non-attributable audit event preselection.
+.It Dv A_SETQCTRL
+Set kernel audit queue parameters.
+.Ft *data
+must point to a 
+.Ft au_qctrl_t
+structure containing the
+kernel audit queue control settings:
+.Va high water ,
+.Va low water ,
+.Va output buffer size ,
+.Va percent min free disk space ,
+and
+.Em delay
+(not currently used).
+.It Dv A_SETSTAT
+Return
+.Er ENOSYS .
+.It Dv A_SETUMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETSMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETCOND
+Set the current auditing condition.
+.Ft *data
+must point to an long value containing the new
+audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT ,
+or
+.Dv AUC_DISABLED .
+.It Dv A_SETCLASS
+Set the event class preselection mask for an audit event.
+.Ft *data
+must point to a 
+.Ft au_evclass_map_t
+structure containing the audit event and mask.
+.It Dv A_SETPMASK
+Set the preselection masks for a process.
+.Ft *data
+must point to a 
+.Ft auditpinfo_t
+structure that contains the given process's audit 
+preselection masks for both success and failure.
+.It Dv A_SETFSIZE
+Set the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure with the
+.Ft af_filesz
+field set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETCLASS
+Return the event to class mapping for the designated audit event.
+.Ft *data
+must point to a 
+.Ft au_evclass_map_t
+structure.
+.It Dv A_GETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETPINFO
+Return the audit settings for a process.
+.Ft *data
+must point to a
+.Ft auditpinfo_t
+structure which will be set to contain
+the audit ID, preselection mask, terminal ID, and audit session
+ID of the given process.
+.It Dv A_GETPINFO_ADDR
+Return
+.Er ENOSYS .
+.It Dv A_GETKMASK
+Return the current kernel preselection masks.
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure which will be set to 
+the current kernel preselection masks for non-attributable events.
+.It Dv A_GETPOLICY
+Return the current audit policy setting.
+.Ft *data
+must point to an long value which will be set to
+one of the current audit policy flags.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+.It Dv A_GETQCTRL
+Return the current kernel audit queue control parameters.
+.Ft *data
+must point to a 
+.Ft au_qctrl_t
+structure which will be set to the current
+kernel audit queue control parameters.
+.It Dv A_GETFSIZE
+Returns the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure. The
+.Ft af_filesz
+field will set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+The
+.Ft af_filesz
+will be set to the current audit log file size.
+.It Dv A_GETCWD
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\" Return the current working directory as stored in the audit subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETCAR
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Stores and returns the current active root as stored in the audit
+.\"subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETSTAT
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Return the statistics stored in the audit system.
+Return
+.Er ENOSYS .
+.It Dv A_GETCOND
+Return the current auditing condition.
+.Ft *data
+must point to a long value which will be set to
+the current audit condition, either
+.Dv AUC_AUDITING
+or
+.Dv AUC_NOAUDIT .
+.It Dv A_SENDTRIGGER
+Send a trigger to the audit daemon.
+.Fr *data
+must point to a long value set to one of the acceptable
+trigger values:
+.Dv AUDIT_TRIGGER_LOW_SPACE
+(low disk space where the audit log resides),
+.Dv AUDIT_TRIGGER_OPEN_NEW
+(open a new audit log file),
+.Dv AUDIT_TRIGGER_READ_FILE
+(read the audit_control file),
+.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
+(close the current log file and exit),
+or
+.Dv AUDIT_TRIGGER_NO_SPACE
+(no disk space left for audit log file).
+.El
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn auditon
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er ENOSYS
+Returned by options not yet implemented.
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Pp
+The
+.Dv A_SENDTRIGGER
+command is specific to the
+.Fx
+and Mac OS X implementations, and is not present in Solaris.
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org ,
+.An Robert Watson Aq rwatson@FreeBSD.org ,
+and
+.An Wayne Salamon Aq wsalamon@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
new file mode 100644
index 0000000..c20aab0
--- /dev/null
+++ b/contrib/openbsm/man/getaudit.2
@@ -0,0 +1,80 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUDIT 2
+.Os
+.Sh NAME
+.Nm getaudit ,
+.Nm getaudit_addr
+.Nd "Retrieve audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
+.Sh DESCRIPTION
+.Fn getaudit
+retrieves the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn getaudit_addr
+retrieves extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr setaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
new file mode 100644
index 0000000..de36f73
--- /dev/null
+++ b/contrib/openbsm/man/getauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUID 2
+.Os
+.Sh NAME
+.Nm getauid
+.Nd "Retrieve audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+retrieves the active audit session ID for the current process via the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
new file mode 100644
index 0000000..2d994ec
--- /dev/null
+++ b/contrib/openbsm/man/setaudit.2
@@ -0,0 +1,81 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUDIT 2
+.Os
+.Sh NAME
+.Nm setaudit ,
+.Nm setaudit_addr
+.Nd "Set audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn setaudit_addr
+sets extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
new file mode 100644
index 0000000..d03b0d9
--- /dev/null
+++ b/contrib/openbsm/man/setauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUID 2
+.Os
+.Sh NAME
+.Nm setauid
+.Nd "Set audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session ID for the current process from the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.