summaryrefslogtreecommitdiffstats
path: root/contrib/openbsm/bin
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/openbsm/bin')
-rw-r--r--contrib/openbsm/bin/audit/audit.856
-rw-r--r--contrib/openbsm/bin/auditd/auditd.880
-rw-r--r--contrib/openbsm/bin/auditd/auditd.c6
-rw-r--r--contrib/openbsm/bin/auditfilterd/auditfilterd.833
-rw-r--r--contrib/openbsm/bin/auditfilterd/auditfilterd.c8
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.1148
-rw-r--r--contrib/openbsm/bin/praudit/praudit.179
-rw-r--r--contrib/openbsm/bin/praudit/praudit.c50
8 files changed, 267 insertions, 193 deletions
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
index 1d490f5..5e4d373 100644
--- a/contrib/openbsm/bin/audit/audit.8
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -2,20 +2,20 @@
.\" All rights reserved.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_START@
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
-.\"
+.\"
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -26,32 +26,27 @@
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#9 $
.\"
-.Dd January 24, 2004
+.Dd October 2, 2006
.Dt AUDIT 8
.Os
.Sh NAME
.Nm audit
.Nd audit management utility
.Sh SYNOPSIS
-.Nm audit
-.Op Fl nst
-.Op Ar file
+.Nm
+.Fl n | s | t
.Sh DESCRIPTION
The
-.Nm
+.Nm
utility controls the state of the audit system.
-The optional
-.Ar file
-operand specifies the location of the audit control input file (default
-.Pa /etc/security/audit_control ) .
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
+One of the following flags is required as an argument to
+.Nm :
+.Bl -tag -width indent
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
@@ -69,22 +64,27 @@ The
.Xr auditd 8
daemon must already be running.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
-Default audit policy file used to configure the auditing system.
+Audit policy file used to configure the auditing system.
.El
.Sh SEE ALSO
+.Xr audit 4 ,
.Xr audit_control 5 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8
index 11e45e1..a4e0dbf 100644
--- a/contrib/openbsm/bin/auditd/auditd.8
+++ b/contrib/openbsm/bin/auditd/auditd.8
@@ -29,46 +29,35 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#12 $
.\"
-.Dd January 24, 2004
+.Dd October 2, 2006
.Dt AUDITD 8
.Os
.Sh NAME
.Nm auditd
.Nd audit log management daemon
.Sh SYNOPSIS
-.Nm auditd
-.Op Fl dhs
+.Nm
+.Op Fl d
.Sh DESCRIPTION
The
.Nm
-daemon responds to requests from the audit(1) utility and notifications
-from the kernel. It manages the resulting audit log files and specified
+daemon responds to requests from the
+.Xr audit 8
+utility and notifications
+from the kernel.
+It manages the resulting audit log files and specified
log file locations.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
.It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+Starts the daemon in debug mode \[em] it will not daemonize.
.El
-.Pp
-The historical
-.Fl h
-and
-.Fl s
-flags are now configured using
-.Xr audit_control 5
-policy flags
-.Dv ahlt
-and
-.Dv cnt ,
-and are no longer available as arguments to
-.Xr auditd 8 .
.Sh NOTE
-.Pp
To assure uninterrupted audit support, the
-.Nm auditd
+.Nm
daemon should not be started and stopped manually.
Instead, the
.Xr audit 8
@@ -78,28 +67,51 @@ the
.Pa audit_control
file.
.Pp
-.\" Sending a SIGHUP to a running
-.\" .Nm auditd
+.\" Sending a
+.\" .Dv SIGHUP
+.\" to a running
+.\" .Nm
.\" daemon will force it to exit.
-Sending a SIGTERM to a running
-.Nm auditd
+Sending a
+.Dv SIGTERM
+to a running
+.Nm
daemon will force it to exit.
.Sh FILES
-.Bl -tag -width "/var/audit" -compact
+.Bl -tag -width ".Pa /var/audit" -compact
.It Pa /var/audit
Default directory for storing audit log files.
.El
+.Sh COMPATIBILITY
+The historical
+.Fl h
+and
+.Fl s
+flags are now configured using
+.Xr audit_control 5
+policy flags
+.Cm ahlt
+and
+.Cm cnt ,
+and are no longer available as arguments to
+.Nm .
.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_control 5 ,
.Xr audit 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 7ca2123..9b5ba07 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#25 $
*/
#include <sys/types.h>
@@ -865,7 +865,7 @@ setup(void)
syslog(LOG_ERR, "Could not create audit startup event.");
else {
/*
- * XXXCSJP Perhaps we wan't more robust audit records for
+ * XXXCSJP Perhaps we want more robust audit records for
* audit start up and shutdown. This might include capturing
* failures to initialize the audit subsystem?
*/
@@ -896,7 +896,7 @@ main(int argc, char **argv)
int debug = 0;
int rc;
- while ((ch = getopt(argc, argv, "dhs")) != -1) {
+ while ((ch = getopt(argc, argv, "d")) != -1) {
switch(ch) {
case 'd':
/* Debug option. */
diff --git a/contrib/openbsm/bin/auditfilterd/auditfilterd.8 b/contrib/openbsm/bin/auditfilterd/auditfilterd.8
index 0d9d2cb..ae6ba0b 100644
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.8
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.8
@@ -23,18 +23,19 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#4 $
.\"
-.Dd March 27, 2006
+.Dd October 3, 2006
.Dt AUDITFILTERD 8
.Os
.Sh NAME
.Nm auditfilterd
.Nd audit filter daemon
.Sh SYNOPSIS
-.Nm auditfilterd
+.Nm
.Op Fl d
.Op Fl c Ar conffile
+.Op Fl p Ar pipefile
.Op Fl t Ar trailfile
.Sh DESCRIPTION
The
@@ -44,18 +45,23 @@ modules to track audit events from a live audit source.
It is configured using the
.Xr audit_filter 5
configuration file.
+The source can either be a pipe or a file.
.Pp
The options are as follows:
-.Bl -tag -width Ds
-.It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+.Bl -tag -width indent
.It Fl c Ar conffile
Specify an alternative configuration file.
+.It Fl d
+Starts the daemon in debug mode \[em] it will not daemonize.
+.It Fl p Ar pipefile
+Specify a pipe as an alternative source of audit event records.
+Default is
+.Pa /dev/auditpipe .
.It Fl t Ar trailfile
-Specify an alternative source of audit event records.
+Specify a file as an alternative source of audit event records.
.El
.Sh FILES
-.Bl -tag -width "/etc/security/audit_filterd" -compact
+.Bl -tag -width ".Pa /etc/security/audit_filterd" -compact
.It Pa /etc/security/audit_filterd
Default configuration file for
.Nm .
@@ -66,12 +72,13 @@ Default audit record source for
.Sh SEE ALSO
.Xr audit 8 ,
.Xr auditd 8
-.Sh AUTHORS
-The
-.Nm
-daemon and audit filter APIs were created by Robert Watson.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+The
+.Nm
+daemon and audit filter APIs were created by
+.An Robert Watson .
diff --git a/contrib/openbsm/bin/auditfilterd/auditfilterd.c b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
index 2723a97..110b7cf 100644
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.c
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#11 $
*/
/*
@@ -48,6 +48,10 @@
#include <compat/queue.h>
#endif
+#ifndef HAVE_CLOCK_GETTIME
+#include <compat/clock_gettime.h>
+#endif
+
#include <bsm/libbsm.h>
#include <bsm/audit_filter.h>
@@ -76,7 +80,7 @@ static void
usage(void)
{
- fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]"
+ fprintf(stderr, "auditfilterd [-d] [-c conffile] [-p pipefile]"
" [-t trailfile]\n");
fprintf(stderr, " -c Specify configuration file (default: %s)\n",
AUDITFILTERD_CONFFILE);
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index f590e35..1f900f9 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@@ -34,44 +34,43 @@
.Nm auditreduce
.Nd "select records from audit trail files"
.Sh SYNOPSIS
-.Nm auditreduce
+.Nm
.Op Fl A
-.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
-.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
+.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl c Ar flags
.Op Fl d Ar YYYYMMDD
.Op Fl e Ar euid
.Op Fl f Ar egid
.Op Fl g Ar rgid
-.Op Fl r Ar ruid
-.Op Fl u Ar auid
.Op Fl j Ar id
.Op Fl m Ar event
-.Op Fl o Ar object=value
-.Op Ar file ...
+.Op Fl o Ar object Ns = Ns Ar value
+.Op Fl r Ar ruid
+.Op Fl u Ar auid
+.Op Ar
.Sh DESCRIPTION
The
-.Nm
+.Nm
utility selects records from the audit trail files based on the specified
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
by default.
-Use the
-.Nm praudit
-utility to print the selected audit records in human-readable form.
-See
+Use the
.Xr praudit 1
-for more information.
+utility to print the selected audit records in human-readable form.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
.It Fl A
Select all records.
-.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred after or on the given datetime.
-.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred before the given datetime.
.It Fl c Ar flags
Select records matching the given audit classes specified as a comma
@@ -86,15 +85,11 @@ This option cannot be used with
or
.Fl b .
.It Fl e Ar euid
-Select records with the given effective user id or name.
+Select records with the given effective user ID or name.
.It Fl f Ar egid
-Select records with the given effective group id or name.
+Select records with the given effective group ID or name.
.It Fl g Ar rgid
-Select records with the given real group id or name.
-.It Fl r Ar ruid
-Select records with the given real user id or name.
-.It Fl u Ar auid
-Select records with the given audit id.
+Select records with the given real group ID or name.
.It Fl j Ar id
Select records having a subject token with matching ID.
.It Fl m Ar event
@@ -102,45 +97,53 @@ Select records with the given event name or number.
See
.Xr audit_event 5
for a description of audit event names and numbers.
-.It Fl o Ar object=value
-.Bl -tag -width Ds
-.It Nm file
+.It Fl o Ar object Ns = Ns Ar value
+.Bl -tag -width ".Cm msgqid"
+.It Cm file
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
-Regular expressions which are prefixed with a tilde (~) are excluded
+Regular expressions which are prefixed with a tilde
+.Pq Ql ~
+are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
.Pp
-Since commas are used to delimit the regular expressions, a backslash (\\)
-character should be used to escape the comma if it's a part of the search
+Since commas are used to delimit the regular expressions, a backslash
+.Pq Ql \e
+character should be used to escape the comma if it is a part of the search
pattern.
-.It Nm msgqid
-Select records containing the given message queue id.
-.It Nm pid
-Select records containing the given process id.
-.It Nm semid
-Select records containing the given semaphore id.
-.It Nm shmid
-Select records containing the given shared memory id.
+.It Cm msgqid
+Select records containing the given message queue ID.
+.It Cm pid
+Select records containing the given process ID.
+.It Cm semid
+Select records containing the given semaphore ID.
+.It Cm shmid
+Select records containing the given shared memory ID.
.El
+.It Fl r Ar ruid
+Select records with the given real user ID or name.
+.It Fl u Ar auid
+Select records with the given audit ID.
.El
-.Sh Examples
-.Pp
+.Sh EXAMPLES
To select all records associated with effective user ID root from the audit
log
.Pa /var/audit/20031016184719.20031017122634 :
-.Pp
-.Nm
--e root /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -e root \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
To select all
.Xr setlogin 2
events from that log:
-.Pp
-.Nm
--m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -m AUE_SETLOGIN \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
@@ -148,36 +151,43 @@ file, or via standard output to the
command.
.Pp
Select all records containing a path token where the pathname contains
-.Pa /etc/master.passwd
-.Pp
-.Nm
--ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pa /etc/master.passwd :
+.Bd -literal -offset indent
+auditreduce -o file="/etc/master.passwd" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
-.Pp
-.Nm
--ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
-.Pa /dev/ttyp2
-.Pp
-.Nm
--ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pa /dev/ttyp2 :
+.Bd -literal -offset indent
+auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1
index 00cbfcd..c32c37c 100644
--- a/contrib/openbsm/bin/praudit/praudit.1
+++ b/contrib/openbsm/bin/praudit/praudit.1
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,73 +25,94 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 $
.\"
-.Dd January 24, 2004
+.Dd November 5, 2006
.Dt PRAUDIT 1
.Os
.Sh NAME
.Nm praudit
.Nd "print the contents of audit trail files"
.Sh SYNOPSIS
-.Nm praudit
-.Op Fl lrs
+.Nm
+.Op Fl lpx
+.Op Fl r | s
.Op Fl d Ar del
-.Op Ar file ...
+.Op Ar
.Sh DESCRIPTION
The
-.Nm
+.Nm
utility prints the contents of the audit trail files to the standard output in
human-readable form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
by default.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
+.It Fl d Ar del
+Specifies the delimiter.
+The default delimiter is the comma.
.It Fl l
Prints the entire record on the same line.
If this option is not specified,
every token is displayed on a different line.
+.It Fl p
+Specify this option if input to
+.Nm
+is piped from the
+.Xr tail 1
+utility.
+This causes
+.Nm
+to sync to the start of the next record.
.It Fl r
Prints the records in their raw, numeric form.
-This option is exclusive from
-.Fl s
+This option is exclusive from
+.Fl s .
.It Fl s
Prints the tokens in their short form.
Short text representations for
record and event type are displayed.
This option is exclusive from
-.Fl r
-.It Fl d Ar del
-Specifies the delimiter.
-The default delimiter is the comma.
+.Fl r .
+.It Fl x
+Print audit records in the XML output format.
.El
.Pp
If the raw or short forms are not specified, the default is to print the tokens
in their long form.
Events are displayed as per their descriptions given in
.Pa /etc/security/audit_event ;
-uids and gids are expanded to their names;
+UIDs and GIDs are expanded to their names;
dates and times are displayed in human-readable format.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_class
-Descriptions of audit event classes
+Descriptions of audit event classes.
.It Pa /etc/security/audit_event
-Descriptions of audit events
+Descriptions of audit events.
.El
.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr audit 4 ,
+.Xr auditpipe 4 ,
.Xr audit_class 5 ,
.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c
index e812f98..bf36806 100644
--- a/contrib/openbsm/bin/praudit/praudit.c
+++ b/contrib/openbsm/bin/praudit/praudit.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Martin Voros
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#11 $
*/
/*
@@ -34,7 +35,7 @@
*/
/*
- * praudit [-lrs] [-ddel] [filenames]
+ * praudit [-lpx] [-r | -s] [-d del] [file ...]
*/
#include <bsm/libbsm.h>
@@ -51,12 +52,14 @@ static int oneline = 0;
static int raw = 0;
static int shortfrm = 0;
static int partial = 0;
+static int xml = 0;
static void
-usage()
+usage(void)
{
- fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
+ fprintf(stderr, "usage: praudit [-lpx] [-r | -s] [-d del] "
+ "[file ...]\n");
exit(1);
}
@@ -88,11 +91,17 @@ print_tokens(FILE *fp)
if (-1 == au_fetch_tok(&tok, buf + bytesread,
reclen - bytesread))
break;
- au_print_tok(stdout, &tok, del, raw, shortfrm);
- bytesread += tok.len;
- if (oneline)
- printf("%s", del);
+ if (xml)
+ au_print_tok_xml(stdout, &tok, del, raw,
+ shortfrm);
else
+ au_print_tok(stdout, &tok, del, raw,
+ shortfrm);
+ bytesread += tok.len;
+ if (oneline) {
+ if (!xml)
+ printf("%s", del);
+ } else
printf("\n");
}
free(buf);
@@ -109,12 +118,20 @@ main(int argc, char **argv)
int i;
FILE *fp;
- while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
+ while ((ch = getopt(argc, argv, "d:lprsx")) != -1) {
switch(ch) {
+ case 'd':
+ del = optarg;
+ break;
+
case 'l':
oneline = 1;
break;
+ case 'p':
+ partial = 1;
+ break;
+
case 'r':
if (shortfrm)
usage(); /* Exclusive from shortfrm. */
@@ -127,12 +144,8 @@ main(int argc, char **argv)
shortfrm = 1;
break;
- case 'd':
- del = optarg;
- break;
-
- case 'p':
- partial = 1;
+ case 'x':
+ xml = 1;
break;
case '?':
@@ -141,6 +154,9 @@ main(int argc, char **argv)
}
}
+ if (xml)
+ au_print_xml_header(stdout);
+
/* For each of the files passed as arguments dump the contents. */
if (optind == argc) {
print_tokens(stdin);
@@ -153,5 +169,9 @@ main(int argc, char **argv)
if (fp != NULL)
fclose(fp);
}
+
+ if (xml)
+ au_print_xml_footer(stdout);
+
return (1);
}
OpenPOWER on IntegriCloud