author: rwatson <rwatson@FreeBSD.org> 2008-12-02 23:26:43 +0000
committer: rwatson <rwatson@FreeBSD.org> 2008-12-02 23:26:43 +0000
commit: 0ac6f8ebdfebed8ad6c6fa1334d227524df2c013
tree: 909e4490f5c6d4141d466ad2fdf963beeb90afca /contrib/openbsm/man
parent: 1383cec09e16a1fb5117c67951f100e7931363e7
parent: 208cf4160e79a64866887cc5f89f964cc899f97e
Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).

- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
  audit_bsm_token.c.
- Synchronize bsm includes and definitions.

OpenBSM history for imported revisions below for reference.

MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project

--

OpenBSM 1.1 alpha 2

- Include files in OpenBSM are now broken out into two parts: library builds
  required solely for user space, and system includes, which may also be
  required for use in the kernels of systems integrating OpenBSM. Submitted
  by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
  include for system includes, rather than the versions bundled with OpenBSM.
  This is intended specifically for platforms that ship OpenBSM, have adapted
  versions of the system includes in a kernel source tree, and will use the
  OpenBSM build infrastructure with an unmodified OpenBSM distribution,
  allowing the customized system includes to be used with the OpenBSM build.
  Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
  or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
  BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
  on the host generating the record.
- Add support for setting extended host information in the kernel, which is
  used for setting host information in extended header tokens. The
  audit_control file now supports a "host" parameter which can be used by
  auditd to set the information; if not present, the kernel parameters won't
  be set and auditd uses unextended headers for records that it generates.

OpenBSM 1.1 alpha 1

- Add option to auditreduce(1) which allows users to invert sense of
  matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the event
  there is an error writing the subject token. This was submitted by Diego
  Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so that
  const strings can be passed as arguments to tokens. This patch was
  submitted by Xin LI.
- Modify the -m option so users can select more than one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.

Diffstat (limited to 'contrib/openbsm/man')
-rw-r--r-- contrib/openbsm/man/Makefile.in     |   3
-rw-r--r-- contrib/openbsm/man/audit.2         |   2
-rw-r--r-- contrib/openbsm/man/audit.log.5     |  76
-rw-r--r-- contrib/openbsm/man/audit_class.5   |   6
-rw-r--r-- contrib/openbsm/man/audit_control.5 |  22
-rw-r--r-- contrib/openbsm/man/audit_event.5   |   6
-rw-r--r-- contrib/openbsm/man/audit_user.5    |   6
-rw-r--r-- contrib/openbsm/man/audit_warn.5    |   6
-rw-r--r-- contrib/openbsm/man/auditctl.2      |  24
-rw-r--r-- contrib/openbsm/man/auditon.2       | 205
-rw-r--r-- contrib/openbsm/man/getaudit.2      | 107
-rw-r--r-- contrib/openbsm/man/getauid.2       |  15
-rw-r--r-- contrib/openbsm/man/setaudit.2      | 109
-rw-r--r-- contrib/openbsm/man/setauid.2       |  15
14 files changed, 489 insertions, 113 deletions
diff --git a/contrib/openbsm/man/Makefile.in b/contrib/openbsm/man/Makefile.in
index 13a0d76..a24804a 100644
--- a/contrib/openbsm/man/Makefile.in
+++ b/contrib/openbsm/man/Makefile.in
@@ -15,7 +15,7 @@
@SET_MAKE@
#
-# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile.in#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile.in#7 $
#
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
@@ -93,6 +93,7 @@ LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
+MIG = @MIG@
MKDIR_P = @MKDIR_P@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
index a9cd143..1ee61b9 100644
--- a/contrib/openbsm/man/audit.2
+++ b/contrib/openbsm/man/audit.2
@@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#9 $
.\"
.Dd April 19, 2005
.Dt AUDIT 2
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
index d0f85ff..dac0067 100644
--- a/contrib/openbsm/man/audit.log.5
+++ b/contrib/openbsm/man/audit.log.5
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#19 $
.\"
.Dd November 5, 2006
.Dt AUDIT.LOG 5
@@ -176,29 +176,27 @@ token can be created using
.Ss in_addr Token
The
.Dq in_addr
-token holds a network byte order IPv4 or IPv6 address.
+token holds a network byte order IPv4 address.
An
.Dq in_addr
token can be created using
.Xr au_to_in_addr 3
-for an IPv4 address, or
-.Xr au_to_in_addr_ex 3
-for an IPv6 address.
-.Pp
-See the
-.Sx BUGS
-section for information on the storage of this token.
+for an IPv4 address.
.Pp
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-.It "IP Address Type 1 byte Type of address"
-.It "IP Address 4/16 bytes IPv4 or IPv6 address"
+.It "IP Address 4 bytes IPv4 address"
.El
.Ss Expanded in_addr Token
The
-.Dq expanded in_addr
-token ...
+.Dq in_addr_ex
+token holds a network byte order IPv4 or IPv6 address.
+An
+.Dq in_addr_ex
+token can be created using
+.Xr au_to_in_addr_ex 3
+for an IPv6 address.
.Pp
See the
.Sx BUGS
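Review bot: In the rewritten Expanded in_addr Token text the two new sentences disagree: the token "holds a network byte order IPv4 or IPv6 address", yet the creation sentence names au_to_in_addr_ex(3) only "for an IPv6 address". Drop the qualifier or make it "for an IPv4 or IPv6 address". The subsection title also still reads "Expanded in_addr Token" while the body now calls the token in_addr_ex; using one name in both places would help readers searching the page.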
@@ -206,7 +204,8 @@ section for information on the storage of this token.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-.It XXXX
+.It "IP Address Type 1 byte Type of address"
+.It "IP Address 4/16 bytes IPv4 or IPv6 address"
.El
.Ss ip Token
The
@@ -230,15 +229,6 @@ token can be created using
.It "Source Address 4 bytes IPv4 source address"
.It "Destination Address 4 bytes IPv4 destination address"
.El
-.Ss Expanded ip Token
-The
-.Dq expanded ip
-token ...
-.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field Bytes Description"
-.It "Token ID 1 byte Token ID"
-.It XXXX
-.El
.Ss iport Token
The
.Dq iport
@@ -556,13 +546,14 @@ token can be created using
.Ss Socket Token
The
.Dq socket
-token contains informations about UNIX domain and Internet sockets.
+token contains information about UNIX domain and Internet sockets.
Each token has four or eight fields.
-Depend on type of socket a socket token may be created using
+Depending on the type of socket, a socket token may be created using
.Xr au_to_sock_unix 3 ,
-.Xr au_to_sock_inet32 3 or
+.Xr au_to_sock_inet32 3
+or
.Xr au_to_sock_inet128 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
@@ -572,18 +563,18 @@ Depend on type of socket a socket token may be created using
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-+.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
-+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
-+.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
-+.It Li "Local port" Ta "2 bytes" Ta "Local port"
-+.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
-+.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
-+.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
+.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
+.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
+.It Li "Local port" Ta "2 bytes" Ta "Local port"
+.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
+.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
+.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
.El
.Ss Expanded Socket Token
The
.Dq expanded socket
-token ...
+token contains information about IPv4 and IPv6 sockets.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
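Review bot: The rows that lose their stray leading "+" use the Li/Ta cell form, but the header and Token ID rows directly above them in the same .Bl -column list are still single quoted strings (.It Sy "Field Bytes Description"), so the list mixes two row styles. Convert those two rows to the Ta form as well, as the first socket table in this section already does, and check that the column widths given on the .Bl line fit the three cells.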
@@ -639,11 +630,18 @@ token ...
.Ss Zonename Token
The
.Dq zonename
-token ...
+token holds a NUL-terminated string with the name of the zone or jail from
+which the record originated.
+A
+.Dz zonename
+token can be created using
+.Xr au_to_zonename 3 .
+.Pp
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-.It XXXXX
+.It "Zonename length 2 bytes Length of zonename string including NUL"
+.It "Zonename N bytes + 1 NUL Zonename string including NUL"
.El
.Sh SEE ALSO
.Xr auditreduce 1 ,
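Review bot: The new zonename paragraph uses ".Dz zonename", and .Dz is not an mdoc macro, so the token name will not be rendered as intended. Every other token subsection in this file uses .Dq for the name; this line should read ".Dq zonename".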
@@ -676,7 +674,5 @@ and
.Dq in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
-implementations of
-.Xr au_to_in_addr 3
-and
+implementation of
.Xr au_to_in_addr_ex 3 .
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
index cc5b122f..c92f57f 100644
--- a/contrib/openbsm/man/audit_class.5
+++ b/contrib/openbsm/man/audit_class.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#11 $
.\"
.Dd January 24, 2004
.Dt AUDIT_CLASS 5
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
index a91f504..be89a12 100644
--- a/contrib/openbsm/man/audit_control.5
+++ b/contrib/openbsm/man/audit_control.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#17 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
@@ -57,13 +57,26 @@ Specifies which audit event classes are audited for all users.
.Xr audit_user 5
describes how to audit events for individual users.
See the information below for the format of the audit flags.
+.It Va host
+Specify the hostname or IP address to be used when setting the local
+systems's audit host information.
+This hostname will be converted into an IP or IPv6 address and will
+be included in the header of each audit record.
+Due to the possibility of transient errors coupled with the
+security issues in the DNS protocol itself, the use of DNS
+should be avoided.
+Instead, it is strongly recommended that the hostname be
+specified in the /etc/hosts file.
+For more information see
+.Xr hosts 5 .
.It Va naflags
Contains the audit flags that define what classes of events are audited when
an action cannot be attributed to a specific user.
.It Va minfree
The minimum free space required on the file system audit logs are being written to.
When the free space falls below this limit a warning will be issued.
-Not currently used as the value of 20 percent is chosen by the kernel.
+If no value for the minimum free space is set, the default of 20 percent is
+applied by the kernel.
.It Va policy
A list of global audit policy flags specifying various behaviors, such as
fail stop, auditing of paths and arguments, etc.
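Review bot: Two wording problems in the new host entry: "local systems's audit host information" should be "local system's", and "converted into an IP or IPv6 address" should say "IPv4 or IPv6 address" to match the token descriptions elsewhere in this commit. The advice to resolve the name through /etc/hosts rather than DNS is worth keeping prominent, since this value ends up in the header of every audit record; consider also stating what auditd does when the name cannot be resolved.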
@@ -185,6 +198,7 @@ file size.
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
+.Xr auditon 2 ,
.Xr audit 4 ,
.Xr audit_class 5 ,
.Xr audit_event 5 ,
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
index 75e67aa..184a82d 100644
--- a/contrib/openbsm/man/audit_event.5
+++ b/contrib/openbsm/man/audit_event.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#12 $
.\"
.Dd January 24, 2004
.Dt AUDIT_EVENT 5
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
index 1779941..947f5c8 100644
--- a/contrib/openbsm/man/audit_user.5
+++ b/contrib/openbsm/man/audit_user.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#12 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#13 $
.\"
.Dd February 5, 2006
.Dt AUDIT_USER 5
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
index d7b20b6..c53f163 100644
--- a/contrib/openbsm/man/audit_warn.5
+++ b/contrib/openbsm/man/audit_warn.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#10 $
.\"
.Dd March 17, 2004
.Dt AUDIT_WARN 5
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
index ac3c41a..a5346fb 100644
--- a/contrib/openbsm/man/auditctl.2
+++ b/contrib/openbsm/man/auditctl.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#9 $
.\"
.Dd April 19, 2005
.Dt AUDITCTL 2
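Review bot: The .Dd line stays at "April 19, 2005" although this commit rewrites the DESCRIPTION and adds an ERRORS section to auditctl.2. auditon.2 and getaudit.2 get their .Dd bumped in the same commit; this page should be bumped as well so the rendered date reflects the content change.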
@@ -40,20 +41,25 @@ The
.Fn auditctl
system call directs the kernel to open a new audit trail log file.
It requires an appropriate privilege.
-In the
-.Fx
-implementation,
+The
.Fn auditctl
+system call
opens new files, but
.Xr auditon 2
is used to disable the audit log.
-In the Mac OS X implementation, passing
-.Dv NULL
-to
-.Fn auditctl
-will disable the audit log.
.Sh RETURN VALUES
.Rv -std
+.Sh ERRORS
+The
+.Fn auditctl
+system call will fail if:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The path is invalid.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete the
+operation.
+.El
.Sh SEE ALSO
.Xr auditon 2 ,
.Xr libbsm 3 ,
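Review bot: With the Mac OS X sentence about passing NULL removed, the DESCRIPTION no longer says what auditctl() does when it is given NULL; the page only says auditon(2) is used to disable the audit log. If NULL is now rejected, say so under the new EINVAL entry, whose text "The path is invalid." is otherwise too vague for a caller to act on. The ERRORS list is also short for a call that opens a file by path; if open-style errors can be returned, list them or refer to the relevant page.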
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
index 953484c..e47bbb8 100644
--- a/contrib/openbsm/man/auditon.2
+++ b/contrib/openbsm/man/auditon.2
@@ -25,9 +25,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
.\"
-.Dd April 19, 2005
+.Dd July 10, 2008
.Dt AUDITON 2
.Os
.Sh NAME
@@ -63,27 +63,38 @@ The
argument
must point to a
.Vt long
-value set to one of the audit
-policy control values defined in
-.In bsm/audit.h .
-Currently, only
-.Dv AUDIT_CNT
+value set to one or more the following audit
+policy control values bitwise OR'ed together:
+.Dv AUDIT_CNT ,
+.Dv AUDIT_AHLT ,
+.Dv AUDIT_ARGV ,
and
-.Dv AUDIT_AHLT
-are implemented.
-In the
-.Dv AUDIT_CNT
-case, the action will continue regardless if
-an event will not be audited.
-In the
-.Dv AUDIT_AHLT
-case, a
+.Dv AUDIT_ARGE .
+If
+.Dv AUDIT_CNT is set, the system will continue even if it becomes low
+on space and discontinue logging events until the low space condition is
+remedied.
+If it is not set, audited events will block until the low space
+condition is remedied.
+Unaudited events, however, are unaffected.
+If
+.Dv AUDIT_AHLT is set, a
.Xr panic 9
-will result if an event will not be written to the
-audit log file.
+if it cannot write an event to the global audit log file.
+If
+.Dv AUDIT_ARGV
+is set, then the argument list passed to the
+.Xr execve 2
+system call will be audited. If
+.Dv AUDIT_ARGE
+is set, then the environment variables passed to the
+.Xr execve 2
+system call will be audited. The default policy is none of the audit policy
+control flags set.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
The
@@ -91,8 +102,19 @@ The
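Review bot: In the new A_SETPOLICY text, the lines ".Dv AUDIT_CNT is set, the system will continue even if it becomes low" and ".Dv AUDIT_AHLT is set, a" put ordinary prose on the macro line, so the whole line is formatted as a defined variable; move "is set, ..." to the following line as is done for AUDIT_ARGV and AUDIT_ARGE. The AUDIT_AHLT sentence has also lost its verb ("a panic(9) if it cannot write an event" needs "will result"), and "one or more the following" is missing "of". Since AUDIT_CNT decides whether audited events block or are silently dropped when space runs low, this paragraph is the one administrators will read most closely and should be unambiguous.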
argument
must point to a
.Vt au_mask_t
-structure containing the mask values.
-These masks are used for non-attributable audit event preselection.
+structure containing the mask values as defined in
+.In bsm/audit.h .
+These masks are used for non-attributable audit event preselection.
+The field
+.Fa am_success
+specifies which classes of successful audit events are to be logged to the
+audit trail. The field
+.Fa am_failure
+specifies which classes of failed audit events are to be logged. The value of
+both fields is the bitwise OR'ing of the audit event classes specified in
+.Fa bsm/audit.h .
+The various audit classes are described more fully in
+.Xr audit_class 5 .
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
The
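Review bot: The added A_SETKMASK text refers to the header as ".Fa bsm/audit.h ." a few lines after correctly using ".In bsm/audit.h ." for the same file. .Fa marks a function argument; use .In in both places. The new sentences "audit trail. The field" and "are to be logged. The value of" also start mid-line, where mdoc style wants each sentence on its own line.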
@@ -100,24 +122,51 @@ The
argument
must point to a
.Vt au_qctrl_t
-structure containing the
-kernel audit queue control settings:
-.Dq "high water" ,
-.Dq "low water" ,
-.Dq "output buffer size" ,
-.Dq "percent min free disk space" ,
+structure (defined in
+.In bsm/audit.h )
+containing the kernel audit queue control settings:
+.Fa aq_hiwater ,
+.Fa aq_lowater ,
+.Fa aq_bufsz ,
+.Fa aq_delay ,
and
-.Dq delay
-(not currently used).
+.Fa aq_minfree .
+The field
+.Fa aq_hiwater
+defines the maximum number of audit record entries in the queue used to store
+the audit records ready for delivery to disk.
+New records are inserted at the tail of the queue and removed from the head.
+For new records which would exceed the
+high water mark, the calling thread is inserted into the wait queue, waiting
+for the audit queue to have enough space available as defined with the field
+.Fa aq_lowater .
+The field
+.Fa aq_bufsz
+defines the maximum length of the audit record that can be supplied with
+.Xr audit 2 .
+The field
+.Fa aq_delay
+is unused.
+The field
+.Fa aq_minfree
+specifies the minimum amount of free blocks on the disk device used to store
+audit records.
+If the value of free blocks falls below the configured
+minimum amount, the kernel informs the audit daemon about low disk space.
+The value is to be specified in percent of free file system blocks.
+A value of 0 results in a disabling of the check.
.It Dv A_SETSTAT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETUMASK
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETSMASK
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETCOND
Set the current auditing condition.
The
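Review bot: In the expanded A_SETQCTRL description, aq_lowater is never described on its own; it appears only at the end of the aq_hiwater sentence ("enough space available as defined with the field aq_lowater"). Add a separate sentence stating what the low water mark is and when blocked threads are released. For aq_minfree, "A value of 0 results in a disabling of the check." would read better as "A value of 0 disables the check.", and it is worth saying that this removes the low disk space notification to the audit daemon.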
@@ -131,6 +180,14 @@ audit condition, one of
.Dv AUC_NOAUDIT ,
or
.Dv AUC_DISABLED .
+If
+.Dv AUC_NOAUDIT
+is set, then auditing is temporarily suspended. If
+.Dv AUC_AUDITING
+is set, auditing is resumed. If
+.Dv AUC_DISABLED
+is set, the auditing system will
+shutdown, draining all audit records and closing out the audit trail file.
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
The
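Review bot: In the added A_SETCOND text, "the auditing system will shutdown" uses the noun where the verb "shut down" is needed. The three sentences are also chained on shared lines ("is set, then auditing is temporarily suspended. If"); put each on its own line, and consider listing the conditions in the same order as the list above them in the context lines.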
@@ -139,6 +196,13 @@ argument
must point to a
.Vt au_evclass_map_t
structure containing the audit event and mask.
+The field
+.Fa ec_number
+is the audit event and
+.Fa ec_class
+is the audit class mask. See
+.Xr audit_event 5
+for more information on audit event to class mapping.
.It Dv A_SETPMASK
Set the preselection masks for a process.
The
@@ -148,6 +212,16 @@ must point to a
.Vt auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
+The field
+.Fa ap_pid
+is the process id of the target process.
+The field
+.Fa ap_mask
+must point to a
+.Fa au_mask_t
+structure which holds the preselection masks as described in the
+.Da A_SETKMASK
+section above.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
The
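Review bot: The added A_SETPMASK text ends with ".Da A_SETKMASK", and .Da is not an mdoc macro; the other cross-references in this commit use ".Dv A_SETKMASK". In the same block ".Fa au_mask_t" marks a type name as a function argument; ".Vt au_mask_t" matches how the types are marked elsewhere on the page. Also "must point to a au_mask_t" should be "an au_mask_t".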
@@ -163,6 +237,7 @@ indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
The
@@ -170,10 +245,13 @@ The
argument
must point to a
.Vt au_evclass_map_t
-structure.
+structure. See the
+.Dv A_SETCLASS
+section above for more information.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETPINFO
Return the audit settings for a process.
The
@@ -182,11 +260,47 @@ argument
must point to a
.Vt auditpinfo_t
structure which will be set to contain
-the audit ID, preselection mask, terminal ID, and audit session
-ID of the given process.
+.Fa ap_auid
+(the audit ID),
+.Fa ap_mask
+(the preselection mask),
+.Fa ap_termid
+(the terminal ID), and
+.Fa ap_asid
+(the audit session ID)
+of the given target process.
+The process ID of the target process is passed
+into the kernel using the
+.Fa ap_pid
+field.
+See the section
+.Dv A_SETPMASK
+above and
+.Xr getaudit 2
+for more information.
.It Dv A_GETPINFO_ADDR
-Return
-.Er ENOSYS .
+Return the extended audit settings for a process.
+The
+.Fa data
+argument
+must point to a
+.Vt auditpinfo_addr_t
+structure which is similar to the
+.Vt auditpinfo_addr_t
+structure described above.
+The exception is the
+.Fa ap_termid
+(the terminal ID) field which points to a
+.Vt au_tid_addr_t
+structure can hold much a larger terminal address and an address type.
+The process ID of the target process is passed into the kernel using the
+.Fa ap_pid
+field.
+See the section
+.Dv A_SETPMASK
+above and
+.Xr getaudit 2
+for more information.
.It Dv A_GETKMASK
Return the current kernel preselection masks.
The
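Review bot: The new A_GETPINFO_ADDR entry says the auditpinfo_addr_t structure "is similar to the auditpinfo_addr_t structure described above", comparing the type with itself; the second name should be auditpinfo_t from the A_GETPINFO entry. The following sentence is also broken: "field which points to a au_tid_addr_t structure can hold much a larger terminal address" needs a relative clause and word order fixed, for example "which can hold a much larger terminal address".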
@@ -205,11 +319,10 @@ must point to a
.Vt long
value which will be set to
one of the current audit policy flags.
-Currently, only
-.Dv AUDIT_CNT
-and
-.Dv AUDIT_AHLT
-are implemented.
+The audit policy flags are
+described in the
+.Dv A_SETPOLICY
+section above.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
The
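Review bot: The context line kept for A_GETPOLICY still says the value "will be set to one of the current audit policy flags", while the rewritten A_SETPOLICY entry in this commit describes the value as one or more flags bitwise OR'ed together. Update the retained sentence so that callers test individual bits rather than compare for equality.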
@@ -219,6 +332,9 @@ must point to a
.Vt au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
+See the
+.Dv A_SETQCTL
+section above for more information.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
The
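Review bot: The added cross-reference under A_GETQCTRL names ".Dv A_SETQCTL", but the command documented above is A_SETQCTRL. Fix the spelling so the reference matches the entry it points to.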
@@ -240,17 +356,20 @@ will be set to the current audit log file size.
.\" Return the current working directory as stored in the audit subsystem.
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETCAR
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Stores and returns the current active root as stored in the audit
.\"subsystem.
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETSTAT
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Return the statistics stored in the audit system.
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETCOND
Return the current auditing condition.
The
@@ -259,10 +378,14 @@ argument
must point to a
.Vt long
value which will be set to
-the current audit condition, either
-.Dv AUC_AUDITING
+the current audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT
or
-.Dv AUC_NOAUDIT .
+.Dv AUC_DISABLED .
+See the
+.Dv A_SETCOND
+section above for more information.
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
The
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
index 0592721..77a0f8e 100644
--- a/contrib/openbsm/man/getaudit.2
+++ b/contrib/openbsm/man/getaudit.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,9 +24,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#10 $
.\"
-.Dd April 19, 2005
+.Dd October 19, 2008
.Dt GETAUDIT 2
.Os
.Sh NAME
@@ -54,9 +55,111 @@ retrieves extended state via
and
.Fa length .
.Pp
+The
+.Fa auditinfo_t
+data structure is defined as follows:
+.Bd -literal -offset indent
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID */
+ au_mask_t ai_mask; /* Audit masks */
+ au_tid_t ai_termid; /* Terminal ID */
+ au_asid_t ai_asid; /* Audit session ID */
+};
+typedef struct auditinfo auditinfo_t;
+.Ed
+.Pp
+The
+.Fa ai_auid
+variable contains the audit identifier which is recorded in the audit log for
+each event the process caused.
+.Pp
+The
+.Fa au_mask_t
+data structure defines the bit mask for auditing successful and failed events
+out of the predefined list of event classes.
+It is defined as follows:
+.Bd -literal -offset indent
+struct au_mask {
+ unsigned int am_success; /* success bits */
+ unsigned int am_failure; /* failure bits */
+};
+typedef struct au_mask au_mask_t;
+.Ed
+.Pp
+The
+.Fa au_termid_t
+data structure defines the Terminal ID recorded with every event caused by the
+process.
+It is defined as follows:
+.Bd -literal -offset indent
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+.Ed
+.Pp
+The
+.Fa ai_asid
+variable contains the audit session ID which is recorded with every event
+caused by the process.
+.Pp
+The
+.Fn getaudit_addr
+system call
+uses the expanded
+.Fa auditinfo_addr_t
+data structure and supports Terminal IDs with larger addresses
+such as those used in IP version 6.
+It is defined as follows:
+.Bd -literal -offset indent
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+.Ed
+.Pp
+The
+.Fa au_tid_addr_t
+data structure which includes a larger address storage field and an additional
+field with the type of address stored:
+.Bd -literal -offset indent
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+.Ed
+.Pp
These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std getaudit getaudit_addr
+.Sh ERRORS
+The
+.Fn getaudit
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.It Bq Er EOVERFLOW
+The
+.Fa length
+argument indicates an overflow condition will occur.
+.It Bq Er E2BIG
+The address is too big and, therefore,
+.Fn getaudit_addr
+should be used instead.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
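Review bot: The paragraph introducing the terminal ID structure names it ".Fa au_termid_t", but the definition that follows is "typedef struct au_tid au_tid_t;" and auditinfo uses au_tid_t for ai_termid. Use au_tid_t, marked with .Vt rather than .Fa as for the other type names. In the new ERRORS section, the lead-in mentions only getaudit() although E2BIG and EOVERFLOW are described in terms of getaudit_addr() and its length argument; say which call returns which error. The EFAULT text "A failure occurred while data transferred to or from the kernel failed." is redundant and should be reworded, and "The au_tid_addr_t data structure which includes ..." is a sentence fragment.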
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
index 2624f1e..dc6ae0a 100644
--- a/contrib/openbsm/man/getauid.2
+++ b/contrib/openbsm/man/getauid.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#9 $
.\"
.Dd April 19, 2005
.Dt GETAUID 2
@@ -47,6 +48,18 @@ pointed to by
This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std
+.Sh ERRORS
+The
+.Fn getauid
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred from
+the kernel failed.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
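Review bot: the EFAULT entry reads "A failure occurred while data transferred from the kernel failed", which states the failure twice and never says which argument is at fault. The hunk header context ("pointed to by") shows the call takes a pointer, so describe the condition in terms of that argument pointing outside the process's valid address space, which is what a caller seeing EFAULT needs to check.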
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
index 22e2192..5426c87 100644
--- a/contrib/openbsm/man/setaudit.2
+++ b/contrib/openbsm/man/setaudit.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#10 $
.\"
.Dd April 19, 2005
.Dt SETAUDIT 2
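Review bot: the .Dd line stays at "April 19, 2005" while the $P4 revision moves from #7 to #10 and the next hunk adds the structure definitions and an ERRORS section to this page. The document date should be bumped along with a content change of this size, so readers can tell which revision of the page they have. The same applies to the other pages in this commit that gain an ERRORS section with an unchanged .Dd.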
@@ -54,9 +55,115 @@ sets extended state via
and
.Fa length .
.Pp
+The
+.Fa auditinfo_t
+data structure is defined as follows:
+.nf
+.in +4n
+
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID */
+ au_mask_t ai_mask; /* Audit masks */
+ au_tid_t ai_termid; /* Terminal ID */
+ au_asid_t ai_asid; /* Audit session ID */
+};
+typedef struct auditinfo auditinfo_t;
+.in
+.fi
+.Pp
+The
+.Fa ai_auid
+variable contains the audit identifier which is recorded in the audit log for
+each event the process caused.
+.PP
+
+The
+.Fa au_mask_t
+data structure defines the bit mask for auditing successful and failed events
+out of the predefined list of event classes. It is defined as follows:
+.nf
+.in +4n
+
+struct au_mask {
+ unsigned int am_success; /* success bits */
+ unsigned int am_failure; /* failure bits */
+};
+typedef struct au_mask au_mask_t;
+.in
+.fi
+.PP
+
+The
+.Fa au_termid_t
+data structure defines the Terminal ID recorded with every event caused by the
+process. It is defined as follows:
+.nf
+.in +4n
+
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+
+.in
+.fi
+.PP
+The
+.Fa ai_asid
+variable contains the audit session ID which is recorded with every event
+caused by the process.
+.Pp
+The
+.Fn setaudit_addr
+system call
+uses the expanded
+.Fa auditinfo_addr_t
+data structure supports Terminal IDs with larger addresses such as those used
+in IP version 6. It is defined as follows:
+.nf
+.in +4n
+
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+.in
+.fi
+.Pp
+The
+.Fa au_tid_addr_t
+data structure which includes a larger address storage field and an additional
+field with the type of address stored:
+.nf
+.in +4n
+
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+.in
+.fi
+.Pp
These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std setaudit setaudit_addr
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
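Review bot: the terminal ID paragraph names the type as ".Fa au_termid_t", but the definition right below it is "typedef struct au_tid au_tid_t;" and the ai_termid member of struct auditinfo is declared as au_tid_t, so the prose refers to a type that the page never defines. Use au_tid_t there. The added text also mixes raw roff (.nf, .in +4n, .PP) into an mdoc page, where the same structures in getaudit.2 in this commit use .Bd -literal -offset indent / .Ed and .Pp; please use the mdoc forms here too. The sentence "uses the expanded .Fa auditinfo_addr_t data structure supports Terminal IDs" is missing "which", the port and machine members of struct au_tid have no comments unlike the other structures, and the ERRORS list has no lead sentence saying which of setaudit and setaudit_addr returns each error.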
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
index a736a34..770c32b 100644
--- a/contrib/openbsm/man/setauid.2
+++ b/contrib/openbsm/man/setauid.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#9 $
.\"
.Dd April 19, 2005
.Dt SETAUID 2
@@ -47,6 +48,18 @@ pointed to by
This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std
+.Sh ERRORS
+The
+.Fn setauid
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to
+the kernel failed.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
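Review bot: the EFAULT entry, "A failure occurred while data transferred to the kernel failed", is redundant and does not tell the caller what to fix. Since setauid reads the audit ID through a pointer (the hunk header context reads "pointed to by"), word it as that argument referring to an invalid address. It would also help to say which privilege EPERM refers to, since the page only says "an appropriate privilege".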