Vendor import of OpenBSM 1.0 alpha 9, with the following change history

notes since the last import:

OpenBSM 1.0 alpha 9

- Rename many OpenBSM-specific constants and API elements containing the
  strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
  for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
  APIs, pass in the audit filter daemon state pointer, which is then used by
  the module using an audit_filter_{get,set}cookie() API.  This will allow
  future service APIs provided by the filter daemon to maintain their own
  state -- for example, per-module preselection state.

OpenBSM 1.0 alpha 8

- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
  commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
  collisions with Solaris.  Darwin events renamed to AUE_DARWIN_foo, as they
  are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.

This is an MFC candidate to RELENG_6.

Obtained from:	TrustedBSD Project

1 files changed, 19 insertions, 13 deletions

diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
index b53b1fc..f6e28ab 100644
--- a/contrib/openbsm/man/audit.log.5
+++ b/contrib/openbsm/man/audit.log.5
@@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#10 $
 .\"
 .Dd May 1, 2005
 .Dt AUDIT.LOG 5
@@ -91,10 +91,14 @@ The
 token is used to mark the beginning of a complete audit record, and includes
 the length of the total record in bytes, a version number for the record
 layout, the event type and subtype, and the time at which the event occurred.
-A
+A 32-bit
+.Dv header
+token can be created using
+.Xr au_to_header32 3 ;
+a 64-bit
 .Dv header
 token can be created using
-.Xr au_to_header32 3 .
+.Xr au_to_header64 3 .
 .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
 .It Sy "Field" Ta Sy Bytes Ta Sy Description
 .It Li "Token ID" Ta "1 byte" Ta "Token ID"
@@ -111,11 +115,14 @@ The
 token is an expanded version of the
 .Dv header
 token, with the addition of a machine IPv4 or IPv6 address.
-The
-.Xr libbsm 3
-API cannot currently create an
-.Dv expanded header
-token.
+A 32-bit extended
+.Dv header
+token can be created using
+.Xr au_to_header32_ex 3 ;
+a 64-bit extended
+.Dv header
+token can be created using
+.Xr au_to_header64_ex 3 .
 .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
 .It Sy "Field" Ta Sy Bytes Ta Sy Description
 .It Li "Token ID" Ta "1 byte" Ta "Token ID"
@@ -154,11 +161,10 @@ A
 .Dv How to print
 field is present to specify how to print the data, but interpretation of
 that field is not currently defined.
-The
-.Xr libbsm 3
-API cannot currently create an
+An
 .Dv arbitrary data
-token.
+token can be created using
+.Xr au_to_data 3 .
 .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
 .It Sy "Field" Ta Sy Bytes Ta Sy Description
 .It Li "Token ID" Ta "1 byte" Ta "Token ID"