Add audit.4 man page, providing basic documentation for configuring the

kernel audit facility, warnings about the experimental nature of this
implementation, and pointers at a large number of other audit related
man pages.

Obtained from:	TrustedBSD Project

1 files changed, 114 insertions, 0 deletions

diff --git a/share/man/man4/audit.4 b/share/man/man4/audit.4
new file mode 100644
index 0000000..85d5e68
--- /dev/null
+++ b/share/man/man4/audit.4
@@ -0,0 +1,114 @@
+.\" Copyright (c) 2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 2, 2006
+.Os
+.Dt AUDIT 4
+.Sh NAME
+.Nm audit
+.Nd Security Event Audit
+.Sh SYNOPSIS
+.Cd "options AUDIT"
+.Sh DESCRIPTION
+Security Event Audit is a facility to provide fine-grained, configurable
+logging of security-relevant events, and is intended to meet the requirements
+of the Common Criteria (CC) Common Access Protection Profile (CAPP)
+evaluation.
+The
+.Fx
+audit facility implements the de facto industry standard BSM API, file
+formats, and command line interface, first found in the Solaris operating
+system.
+Information on the user space implementation can be found in
+.Xr libbsm 3
+man page.
+.Pp
+Audit support is enabled at boot, if present in the kernel, using an
+.Xr rc.conf 5
+flag.
+The audit daemon,
+.Xr auditd 8 ,
+is responsible for configuring the kernel to perform audit, pushing
+configuration data from the various audit configuration files into the
+kernel.
+.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr praudit 1 ,
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3 ,
+.Xr audit.log 5 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr audit_user 5 ,
+.Xr audit_warn 5 ,
+.Xr event_code 5 ,
+.Xr rc.conf 5 ,
+.Xr audit 8 ,
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Pp
+Support for kernel audit first appeared in
+.Fx 6.1 .
+.Sh BUGS
+The audit facility in
+.Fx
+is considered experimental, and production deployment should occur only after
+careful consideration of the risks of deploying experimental software.
+.Pp
+The
+.Fx
+kernel does not fully validate that audit records submitted by user
+applications are syntactically valid BSM; as submission of records is limited
+to privileged processes, this is not a critical bug.
+.Pp
+Instrumentation of auditable events in the kernel is not complete, as some
+system calls do not generate audit records, or generate audit records with
+incomplete argument information.
+.Pp
+Mandatory Access Control (MAC) labels, as provided by the
+.Xr mac 4
+facility, are not audited as part of records involving MAC decisions.