summaryrefslogtreecommitdiffstats
path: root/contrib/openbsm/man
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/openbsm/man')
-rw-r--r--contrib/openbsm/man/audit.238
-rw-r--r--contrib/openbsm/man/audit.log.5641
-rw-r--r--contrib/openbsm/man/audit_class.543
-rw-r--r--contrib/openbsm/man/audit_control.5134
-rw-r--r--contrib/openbsm/man/audit_event.550
-rw-r--r--contrib/openbsm/man/audit_user.573
-rw-r--r--contrib/openbsm/man/audit_warn.545
-rw-r--r--contrib/openbsm/man/auditctl.235
-rw-r--r--contrib/openbsm/man/auditon.2177
-rw-r--r--contrib/openbsm/man/getaudit.241
-rw-r--r--contrib/openbsm/man/getauid.239
-rw-r--r--contrib/openbsm/man/setaudit.244
-rw-r--r--contrib/openbsm/man/setauid.239
13 files changed, 797 insertions, 602 deletions
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
index 6e14899..a9cd143 100644
--- a/contrib/openbsm/man/audit.2
+++ b/contrib/openbsm/man/audit.2
@@ -24,25 +24,29 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#8 $
.\"
.Dd April 19, 2005
.Dt AUDIT 2
.Os
.Sh NAME
.Nm audit
-.Nd "Commit a BSM audit record to the audit log"
+.Nd "commit BSM audit record to audit log"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn audit "const char *record" "u_int length"
.Sh DESCRIPTION
+The
.Fn audit
+system call
submits a completed BSM audit record to the system audit log.
.Pp
+The
.Fa record
-is a pointer to the the specific event to be recorded and
-.Vt length
+argument
+is a pointer to the specific event to be recorded and
+.Fa length
is the size in bytes of the data to be written.
.Sh RETURN VALUES
.Rv -std
@@ -57,37 +61,41 @@ The
argument is beyond the allocated address space of the process.
.It Bq Er EINVAL
The token ID is invalid or
-.Vt length
+.Va length
is larger than
-.Vt MAXAUDITDATA .
+.Dv MAXAUDITDATA .
.It Bq Er EPERM
The process does not have sufficient permission to complete
the operation.
.El
.Sh SEE ALSO
.Xr auditon 2 ,
-.Xr getauid 2 ,
-.Xr setauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
.Sh BUGS
The
.Fx
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
index f6e28ab..d0f85ff 100644
--- a/contrib/openbsm/man/audit.log.5
+++ b/contrib/openbsm/man/audit.log.5
@@ -23,14 +23,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
.\"
-.Dd May 1, 2005
+.Dd November 5, 2006
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
-.Nd "Basic Security Module (BSM) File Format"
+.Nd "Basic Security Module (BSM) file format"
.Sh DESCRIPTION
The
.Nm
@@ -41,16 +41,16 @@ range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
-.Dv file
+.Dq file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
-.Dv header
+.Dq header
token, and ends with a
-.Dv trailer
+.Dq trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
@@ -68,561 +68,612 @@ interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
-.Dv file
+.Dq file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
-.Dv file
+.Dq file
token can be created using
.Xr au_to_file 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
-.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
-.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
-.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Seconds 4 bytes File time stamp"
+.It "Microseconds 4 bytes File time stamp"
+.It "File name lengh 2 bytes File name of audit trail"
+.It "File pathname N bytes + 1 NUL File name of audit trail"
.El
.Ss Header Token
The
-.Dv header
+.Dq header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A 32-bit
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header32 3 ;
a 64-bit
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
-.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
-.It Li "Event Type" Ta "2 bytes" Ta "Event type"
-.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
-.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
-.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.It "Version Number 2 bytes Record version number"
+.It "Event Type 2 bytes Event type"
+.It "Event Modifier 2 bytes Event sub-type"
+.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
+.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
-.Dv expanded header
+.Dq expanded header
token is an expanded version of the
-.Dv header
+.Dq header
token, with the addition of a machine IPv4 or IPv6 address.
A 32-bit extended
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header32_ex 3 ;
a 64-bit extended
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
-.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
-.It Li "Event Type" Ta "2 bytes" Ta "Event type"
-.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
-.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
-.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
-.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
-.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.It "Version Number 2 bytes Record version number"
+.It "Event Type 2 bytes Event type"
+.It "Event Modifier 2 bytes Event sub-type"
+.It "Address Type/Length 1 byte Host address type and length"
+.It "Machine Address 4/16 bytes IPv4 or IPv6 address"
+.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
+.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
-.Dv trailer
+.Dq trailer
terminates a BSM audit record, and contains a magic number,
.Dv TRAILER_PAD_MAGIC
and length that can be used to validate that the record was read properly.
A
-.Dv trailer
+.Dq trailer
token can be created using
.Xr au_to_trailer 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Trailer Magic 2 bytes Trailer magic number"
+.It "Record Byte Count 4 bytes Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
-.Dv arbitrary data
+.Dq arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multipled by the number of units of data.
A
-.Dv How to print
+.Dq How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
An
-.Dv arbitrary data
+.Dq arbitrary data
token can be created using
.Xr au_to_data 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
-.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
-.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
-.It Li "Data Items" Ta "Variable" Ta "User data"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "How to Print 1 byte User-defined printing information"
+.It "Basic Unit 1 byte Size of a unit in bytes"
+.It "Unit Count 1 byte Number of units of data present"
+.It "Data Items Variable User data"
.El
.Ss in_addr Token
The
-.Dv in_addr
+.Dq in_addr
token holds a network byte order IPv4 or IPv6 address.
An
-.Dv in_addr
+.Dq in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address, or
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
-See the BUGS section for information on the storage of this token.
+See the
+.Sx BUGS
+section for information on the storage of this token.
.Pp
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
-.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "IP Address Type 1 byte Type of address"
+.It "IP Address 4/16 bytes IPv4 or IPv6 address"
.El
.Ss Expanded in_addr Token
The
-.Dv expanded in_addr
+.Dq expanded in_addr
token ...
.Pp
-See the BUGS section for information on the storage of this token.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+See the
+.Sx BUGS
+section for information on the storage of this token.
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
.It XXXX
.El
.Ss ip Token
The
-.Dv ip
+.Dq ip
token contains an IP packet header in network byte order.
An
-.Dv ip
+.Dq ip
token can be created using
.Xr au_to_ip 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
-.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
-.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
-.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
-.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
-.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
-.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
-.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
-.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
-.It Li "Destination Address" Ta "4 bytes" Ta "IPv4 destination address"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Version and IHL 1 byte Version and IP header length"
+.It "Type of Service 1 byte IP TOS field"
+.It "Length 2 bytes IP packet length in network byte order"
+.It "ID 2 bytes IP header ID for reassembly"
+.It "Offset 2 bytes IP fragment offset and flags, network byte order"
+.It "TTL 1 byte IP Time-to-Live"
+.It "Protocol 1 byte IP protocol number"
+.It "Checksum 2 bytes IP header checksum, network byte order"
+.It "Source Address 4 bytes IPv4 source address"
+.It "Destination Address 4 bytes IPv4 destination address"
.El
.Ss Expanded ip Token
The
-.Dv expanded ip
+.Dq expanded ip
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
.It XXXX
.El
.Ss iport Token
The
-.Dv iport
+.Dq iport
token stores an IP port number in network byte order.
An
-.Dv iport
+.Dq iport
token can be created using
.Xr au_to_iport 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Port Number 2 bytes Port number in network byte order"
.El
.Ss Path Token
The
-.Dv path
+.Dq path
token contains a pathname.
A
-.Dv path
+.Dq path
token can be created using
.Xr au_to_path 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
-.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Path Length 2 bytes Length of path in bytes"
+.It "Path N bytes + 1 NUL Path name"
.El
.Ss path_attr Token
The
-.Dv path_attr
-token contains a set of nul-terminated path names.
+.Dq path_attr
+token contains a set of NUL-terminated path names.
The
.Xr libbsm 3
API cannot currently create a
-.Dv path_attr
+.Dq path_attr
token.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
-.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Count 2 bytes Number of NUL-terminated string(s) in token"
+.It "Path Variable count NUL-terminated string(s)"
.El
.Ss Process Token
The
-.Dv process
+.Dq process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
-.Dv subject
+.Dq subject
token, which describes the subject performing an auditable event.
This includes both the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and session.
A
-.Dv process
+.Dq process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Machine Address 4 bytes IP address of machine"
.El
.Ss Expanded Process Token
The
-.Dv expanded process
+.Dq expanded process
token contains the contents of the
-.Dv process
+.Dq process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
An
-.Dv expanded process
+.Dq expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Address Type/Length 1 byte Length of machine address"
+.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
-.Dv return
+.Dq return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
-A
-.Dv return
+A
+.Dq return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
-.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Error Number 1 byte Errno value, or 0 if undefined"
+.It "Return Value 4/8 bytes Return value (32/64-bits)"
.El
.Ss Subject Token
The
-.Dv subject
+.Dq subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
-.Dv process
+.Dq process
and
-.Dv expanded process
+.Dq expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
-.Dv subject
+.Dq subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Machine Address 4 bytes IP address of machine"
.El
.Ss Expanded Subject Token
The
-.Dv expanded subject
+.Dq expanded subject
token consists of the same elements as the
-.Dv subject
+.Dq subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
An
-.Dv expanded subject
+.Dq expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Address Type/Length 1 byte Length of machine address"
+.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
-.Dv System V IPC
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
-.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
+.Dq System V IPC
+token contains the System V IPC message handle, semaphore handle or shared
+memory handle.
+A System V IPC token may be created using
++.Xr au_to_ipc 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Object ID type 1 byte Object ID"
+.It "Object ID 4 bytes Object ID"
.El
.Ss Text Token
The
-.Dv text
-token contains a single nul-terminated text string.
+.Dq text
+token contains a single NUL-terminated text string.
A
-.Dv text
+.Dq text
token may be created using
.Xr au_to_text 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
-.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Text Length 2 bytes Length of text string including NUL"
+.It "Text N bytes + 1 NUL Text string including NUL"
.El
.Ss Attribute Token
The
-.Dv attribute
+.Dq attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
-.Dv path
+.Dq path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
An
-.Dv attribute
+.Dq attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
-.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
-.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
-.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
-.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
-.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "File Access Mode 1 byte mode_t associated with file"
+.It "Owner User ID 4 bytes uid_t associated with file"
+.It "Owner Group ID 4 bytes gid_t associated with file"
+.It "File System ID 4 bytes fsid_t associated with file"
+.It "File System Node ID 8 bytes ino_t associated with file"
+.It "Device 4/8 bytes Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
-.Dv groups
+.Dq groups
token contains a list of group IDs associated with the audit event.
A
-.Dv groups
+.Dq groups
token can be created using
.Xr au_to_groups 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
-.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Number of Groups 2 bytes Number of groups in token"
+.It "Group List N * 4 bytes List of N group IDs"
.El
.Ss System V IPC Permission Token
The
-.Dv System V IPC permission
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq System V IPC permission
+token contains a System V IPC access permissions.
+A System V IPC permission token may be created using
+.Xr au_to_ipc_perm 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
+.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
+.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
+.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
+.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
+.It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
+.It Li "Key" Ta "4 bytes" Ta "IPC key"
.El
.Ss Arg Token
The
-.Dv arg
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq arg
+token contains informations about arguments of the system call.
+Depending on the size of the desired argument value, an Arg token may be
+created using
+.Xr au_to_arg32 3
+or
+.Xr au_to_arg64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
+.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
+.It Li "Length" Ta "2 bytes" Ta "Length of the text"
+.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
.El
.Ss exec_args Token
The
-.Dv exec_args
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq exec_args
+token contains informations about arguements of the exec() system call.
+An exec_args token may be created using
+.Xr au_to_exec_args 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
+.It Li "Text" Ta "* bytes" Ta "Count null-terminated strings"
.El
.Ss exec_env Token
The
-.Dv exec_env
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq exec_env
+token contains current eviroment variables to an exec() system call.
+An exec_args token may be created using
+.Xr au_to_exec_env 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
+.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
.El
.Ss Exit Token
The
-.Dv exit
+.Dq exit
token contains process exit/return code information.
An
-.Dv exit
+.Dq exit
token can be created using
.Xr au_to_exit 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
-.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Status 4 bytes Process status on exit"
+.It "Return Value 4 bytes Process return value on exit"
.El
.Ss Socket Token
The
-.Dv socket
-token ...
+.Dq socket
+token contains informations about UNIX domain and Internet sockets.
+Each token has four or eight fields.
+Depend on type of socket a socket token may be created using
+.Xr au_to_sock_unix 3 ,
+.Xr au_to_sock_inet32 3 or
+.Xr au_to_sock_inet128 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
+.It Li "Local port" Ta "2 bytes" Ta "Local port"
+.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
+.El
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
++.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
++.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
++.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
++.It Li "Local port" Ta "2 bytes" Ta "Local port"
++.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
++.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
++.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
.El
.Ss Expanded Socket Token
The
-.Dv expanded socket
+.Dq expanded socket
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Seq Token
The
-.Dv seq
+.Dq seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Sequence Number 4 bytes Audit event sequence number"
.El
.Ss privilege Token
The
-.Dv privilege
+.Dq privilege
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Use-of-auth Token
The
-.Dv use-of-auth
+.Dq use-of-auth
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Command Token
The
-.Dv command
+.Dq command
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss ACL Token
The
-.Dv ACL
+.Dq ACL
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Zonename Token
The
-.Dv zonename
+.Dq zonename
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr praudit 1 ,
.Xr libbsm 3 ,
+.Xr audit 4 ,
+.Xr auditpipe 4 ,
.Xr audit 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
.Sh BUGS
The
-.Dv How to print
+.Dq How to print
field in the
-.Dv arbitrary data
+.Dq arbitrary data
token has undefined values.
.Pp
The
-.Dv in_addr
+.Dq in_addr
and
-.Dv in_addr_ex
+.Dq in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementations of
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
index dfd44a9..cc5b122f 100644
--- a/contrib/openbsm/man/audit_class.5
+++ b/contrib/openbsm/man/audit_class.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,24 +25,24 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#10 $
.\"
.Dd January 24, 2004
.Dt AUDIT_CLASS 5
.Os
.Sh NAME
.Nm audit_class
-.Nd "contains audit event class descriptions"
+.Nd "audit event class descriptions"
.Sh DESCRIPTION
The
-.Nm
+.Nm
file contains descriptions of the auditable event classes on the system.
Each auditable event is a member of an event class.
-Each line maps an audit event
+Each line maps an audit event
mask (bitmap) to a class and a description.
Entries are of the form:
.Pp
-.Dl classmask:eventclass:description
+.D1 Ar classmask Ns : Ns Ar eventclass Ns : Ns Ar description
.Pp
Example entries in this file are:
.Bd -literal -offset indent
@@ -54,18 +54,27 @@ Example entries in this file are:
0xffffffff:all:all flags set
.Ed
.Sh FILES
-.Bl -tag -width "/etc/security/audit_class" -compact
+.Bl -tag -width ".Pa /etc/security/audit_class" -compact
.It Pa /etc/security/audit_class
.El
+.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr audit_user 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
index 25cb226..a91f504 100644
--- a/contrib/openbsm/man/audit_control.5
+++ b/contrib/openbsm/man/audit_control.5
@@ -1,19 +1,19 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -26,34 +26,34 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#17 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
.Nm audit_control
-.Nd "contains audit system parameters"
+.Nd "audit system parameters"
.Sh DESCRIPTION
The
.Nm
file contains several audit system parameters.
Each line of this file is of the form:
.Pp
-.Dl parameter:value
+.D1 Ar parameter Ns : Ns Ar value
.Pp
The parameters are:
-.Bl -tag -width Ds
-.It Pa dir
+.Bl -tag -width indent
+.It Va dir
The directory where audit log files are stored.
There may be more than one of these entries.
Changes to this entry can only be enacted by restarting the
audit system.
See
-.Xr audit 1
+.Xr audit 8
for a description of how to restart the audit system.
.It Va flags
-Specifies which audit event classes are audited for all users.
+Specifies which audit event classes are audited for all users.
.Xr audit_user 5
describes how to audit events for individual users.
See the information below for the format of the audit flags.
@@ -76,73 +76,85 @@ If 0, trail files will not be automatically rotated based on file size.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
-.Pa audit_class
-file.
-See
.Xr audit_class 5
-for details.
+file.
Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
-.Bl -tag -width Ds -compact -offset indent
+.Bl -tag -width indent -compact -offset indent
.It (none)
-Record both successful and failed events
-.It +
-Record successful events
-.It -
-Record failed events
-.It ^
-Record neither successful nor failed events
-.It ^+
-Do not record successful events
-.It ^-
-Do not record failed events
+Record both successful and failed events.
+.It Li +
+Record successful events.
+.It Li -
+Record failed events.
+.It Li ^
+Record neither successful nor failed events.
+.It Li ^+
+Do not record successful events.
+.It Li ^-
+Do not record failed events.
.El
.Sh AUDIT POLICY FLAGS
The policy flags field is a comma-delimited list of policy flags from the
following list:
.Pp
-.Bl -tag -width zonename -compact -offset indent
-.It cnt
+.Bl -tag -width ".Cm zonename" -compact -offset indent
+.It Cm cnt
Allow processes to continue running even though events are not being audited.
If not set, processes will be suspended when the audit store space is
exhausted.
Currently, this is not a recoverable state.
-.It ahlt
-Fail stop the system if unable to audit an event--this consists of first
+.It Cm ahlt
+Fail stop the system if unable to audit an event\[em]this consists of first
draining pending records to disk, and then halting the operating system.
-.It argv
+.It Cm argv
Audit command line arguments to
.Xr execve 2 .
-.It arge
+.It Cm arge
Audit environmental variable arguments to
.Xr execve 2 .
-.It seq
+.It Cm seq
Include a unique audit sequence number token in generated audit records (not
-implemented on FreeBSD or Darwin).
-.It group
+implemented on
+.Fx
+or Darwin).
+.It Cm group
Include supplementary groups list in generated audit records (not implemented
-on FreeBSD or Darwin; supplementary groups are never included in records on
+on
+.Fx
+or Darwin; supplementary groups are never included in records on
these systems).
-.It trail
-Append a trailer token to each audit record (not implemented on FreeBSD or
+.It Cm trail
+Append a trailer token to each audit record (not implemented on
+.Fx
+or
Darwin; trailers are always included in records on these systems).
-.It path
-Include secondary file paths in audit records (not implemented on FreeBSD or
+.It Cm path
+Include secondary file paths in audit records (not implemented on
+.Fx
+or
Darwin; secondary paths are never included in records on these systems).
-.It zonename
-Include a zone ID token with each audit record (not implemented on FreeBSD or
-Darwin; FreeBSD audit records do not currently include the jail ID or name.)
-.It perzone
-Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on
-FreeBSD, audit records are collected from all jails and placed in a single
-global trail, and only limited audit controls are permitted within a jail.)
+.It Cm zonename
+Include a zone ID token with each audit record (not implemented on
+.Fx
+or
+Darwin;
+.Fx
+audit records do not currently include the jail ID or name).
+.It Cm perzone
+Enable auditing for each local zone (not implemented on
+.Fx
+or Darwin; on
+.Fx ,
+audit records are collected from all jails and placed in a single
+global trail, and only limited audit controls are permitted within a jail).
.El
.Pp
It is recommended that installations set the
-.Dv cnt
+.Cm cnt
flag but not
-.Dv ahlt
+.Cm ahlt
flag unless it is intended that audit logs exceeding available disk space
halt the system.
.Sh DEFAULT
@@ -169,23 +181,29 @@ processes when the audit store fills.
The trail file will not be automatically rotated by the audit daemon based on
file size.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
+.Xr audit 4 ,
.Xr audit_class 5 ,
+.Xr audit_event 5 ,
.Xr audit_user 5 ,
.Xr audit 8 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
index cfa81f6..75e67aa 100644
--- a/contrib/openbsm/man/audit_event.5
+++ b/contrib/openbsm/man/audit_event.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,31 +25,30 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#11 $
.\"
.Dd January 24, 2004
.Dt AUDIT_EVENT 5
.Os
.Sh NAME
.Nm audit_event
-.Nd "contains audit event descriptions"
+.Nd "audit event descriptions"
.Sh DESCRIPTION
The
-.Nm
+.Nm
file contains descriptions of the auditable events on the system.
Each line maps an audit event number to a name, a description, and a class.
Entries are of the form:
.Pp
-.Dl eventnum:eventname:description:eventclass
+.Sm off
+.D1 Ar eventnum : eventname : description : eventclass
+.Sm on
.Pp
Each
-.Vt eventclass
+.Ar eventclass
should have a corresponding entry in the
-.Pa audit_class
-file.
-See
.Xr audit_class 5
-for details.
+file.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
@@ -59,20 +58,27 @@ Example entries in this file are:
3:AUE_OPEN:open(2):fa
.Ed
.Sh FILES
-.Bl -tag -width "/etc/security/audit_event" -compact
+.Bl -tag -width ".Pa /etc/security/audit_event" -compact
.It Pa /etc/security/audit_event
.El
.Sh SEE ALSO
-.Xr audit_class 5
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_user 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
index 05877d5..1779941 100644
--- a/contrib/openbsm/man/audit_user.5
+++ b/contrib/openbsm/man/audit_user.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,33 +25,33 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#12 $
.\"
.Dd February 5, 2006
.Dt AUDIT_USER 5
.Os
.Sh NAME
.Nm audit_user
-.Nd "specifies events to be audited for the given users"
+.Nd "events to be audited for given users"
.Sh DESCRIPTION
The
-.Nm
+.Nm
file specifies which audit event classes are to be audited for the given users.
If specified, these flags are combined with the system-wide audit flags in the
-.Pa audit_control
+.Xr audit_control 5
file to determine which classes of events to audit for that user.
These settings take effect when the user logs in.
.Pp
Each line maps a user name to a list of classes that should be audited and a
-list of classes that should not be audited.
+list of classes that should not be audited.
Entries are of the form:
.Pp
-.Dl username:alwaysaudit:neveraudit
+.D1 Ar username Ns : Ns Ar alwaysaudit Ns : Ns Ar neveraudit
.Pp
In the format above,
-.Vt alwaysaudit
+.Ar alwaysaudit
is a set of event classes that are always audited, and
-.Vt neveraudit
+.Ar neveraudit
is a set of event classes that should not be audited.
These sets can indicate
the inclusion or exclusion of multiple classes, and whether to audit successful
@@ -67,27 +67,54 @@ jdoe:-fc,ad:+fw
.Ed
.Pp
These settings would cause login/logout and administrative events that
-succeed on behalf of user root to be audited.
+succeed on behalf of user
+.Dq Li root
+to be audited.
No failure events are audited.
For the user
-.Em jdoe ,
+.Dq Li jdoe ,
failed file creation events are audited, administrative events are
audited, and successful file write events are never audited.
+.Sh IMPLEMENTATION NOTES
+Per-user and global audit preselection configuration are evaluated at time of
+login, so users must log out and back in again for audit changes relating to
+preselection to take effect.
+.Pp
+Audit record preselection occurs with respect to the audit identifier
+associated with a process, rather than with respect to the UNIX user or group
+ID.
+The audit identifier is set as part of the user credential context as part of
+login, and typically does not change as a result of running setuid or setgid
+applications, such as
+.Xr su 1 .
+This has the advantage that events that occur after running
+.Xr su 1
+can be audited to the original authenticated user, as required by CAPP, but
+may be surprising if not expected.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_user" -compact
+.Bl -tag -width ".Pa /etc/security/audit_user" -compact
.It Pa /etc/security/audit_user
.El
.Sh SEE ALSO
-.Xr audit_control 5
+.Xr login 1 ,
+.Xr su 1 ,
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
index 18cb74e..d7b20b6 100644
--- a/contrib/openbsm/man/audit_warn.5
+++ b/contrib/openbsm/man/audit_warn.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#9 $
.\"
.Dd March 17, 2004
.Dt AUDIT_WARN 5
@@ -34,36 +34,43 @@
.Nm audit_warn
.Nd "alert when audit daemon issues warnings"
.Sh DESCRIPTION
-.Nm
-runs when
+The
+.Nm
+script
+runs when
.Xr auditd 8
-generates warning messages.
+generates warning messages.
.Pp
-The default
+The default
.Nm
is a script whose first parameter is the type of warning; the script
-appends its arguments to
+appends its arguments to
.Pa /etc/security/audit_messages .
Administrators may replace this script: a more comprehensive one would take
different actions based on the type of warning.
For example, a low-space warning
-could result in an email message being sent to the administrator.
+could result in an email message being sent to the administrator.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_warn" -compact
+.Bl -tag -width ".Pa /etc/security/audit_messages" -compact
.It Pa /etc/security/audit_warn
.It Pa /etc/security/audit_messages
.El
.Sh SEE ALSO
+.Xr audit 4 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
index afda8e4..ac3c41a 100644
--- a/contrib/openbsm/man/auditctl.2
+++ b/contrib/openbsm/man/auditctl.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,14 +23,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#7 $
.\"
.Dd April 19, 2005
.Dt AUDITCTL 2
.Os
.Sh NAME
.Nm auditctl
-.Nd "Configure system audit parameters"
+.Nd "configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
@@ -39,40 +39,41 @@
The
.Fn auditctl
system call directs the kernel to open a new audit trail log file.
-.Fn auditctl
-requires appropriate privilege.
+It requires an appropriate privilege.
In the
.Fx
implementation,
.Fn auditctl
opens new files, but
-.Fn auditon
+.Xr auditon 2
is used to disable the audit log.
In the Mac OS X implementation, passing
-.Va NULL
+.Dv NULL
to
.Fn auditctl
will disable the audit log.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std
.Sh SEE ALSO
+.Xr auditon 2 ,
.Xr libbsm 3 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
index 04eb775..953484c 100644
--- a/contrib/openbsm/man/auditon.2
+++ b/contrib/openbsm/man/auditon.2
@@ -25,37 +25,47 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
.Os
.Sh NAME
.Nm auditon
-.Nd "Configure system audit parameters"
+.Nd "configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "int cmd" "void *data" "u_int length"
.Sh DESCRIPTION
The
-.Nm
+.Fn auditon
system call is used to manipulate various audit control operations.
-.Ft *data
+The
+.Fa data
+argument
should point to a structure whose type depends on the command.
-.Ft length
-specifies the size of the
-.Em data
+The
+.Fa length
+argument
+specifies the size of
+.Fa *data
in bytes.
-.Ft cmd
+The
+.Fa cmd
+argument
may be any of the following:
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
.It Dv A_SETPOLICY
Set audit policy flags.
-.Ft *data
-must point to a long value set to one of the audit
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value set to one of the audit
policy control values defined in
-.Pa audit.h .
+.In bsm/audit.h .
Currently, only
.Dv AUDIT_CNT
and
@@ -76,24 +86,28 @@ Return
.Er ENOSYS .
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_mask_t
+.Vt au_mask_t
structure containing the mask values.
These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_qctrl_t
+.Vt au_qctrl_t
structure containing the
kernel audit queue control settings:
-.Va high water ,
-.Va low water ,
-.Va output buffer size ,
-.Va percent min free disk space ,
+.Dq "high water" ,
+.Dq "low water" ,
+.Dq "output buffer size" ,
+.Dq "percent min free disk space" ,
and
-.Em delay
+.Dq delay
(not currently used).
.It Dv A_SETSTAT
Return
@@ -106,8 +120,12 @@ Return
.Er ENOSYS .
.It Dv A_SETCOND
Set the current auditing condition.
-.Ft *data
-must point to a long value containing the new
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
@@ -115,43 +133,54 @@ or
.Dv AUC_DISABLED .
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_evclass_map_t
+.Vt au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft auditpinfo_t
-structure that contains the given process's audit
+.Vt auditpinfo_t
+structure that contains the given process's audit
preselection masks for both success and failure.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_fstat_t
+.Vt au_fstat_t
structure with the
-.Ft af_filesz
-field set to the maximum audit log file size. A value of 0
+.Va af_filesz
+field set to the maximum audit log file size.
+A value of 0
indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
-.Ft *data
-must point to a
-.Ft au_evclass_map_t
+The
+.Fa data
+argument
+must point to a
+.Vt au_evclass_map_t
structure.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETPINFO
Return the audit settings for a process.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft auditpinfo_t
+.Vt auditpinfo_t
structure which will be set to contain
the audit ID, preselection mask, terminal ID, and audit session
ID of the given process.
@@ -160,15 +189,21 @@ Return
.Er ENOSYS .
.It Dv A_GETKMASK
Return the current kernel preselection masks.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_mask_t
-structure which will be set to
+.Vt au_mask_t
+structure which will be set to
the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
-.Ft *data
-must point to a long value which will be set to
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
@@ -177,22 +212,28 @@ and
are implemented.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
-.Ft *data
-must point to a
-.Ft au_qctrl_t
+The
+.Fa data
+argument
+must point to a
+.Vt au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_fstat_t
-structure. The
-.Ft af_filesz
+.Vt au_fstat_t
+structure.
+The
+.Va af_filesz
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
-.Ft af_currsz
+.Va af_currsz
+field
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.
@@ -212,16 +253,24 @@ Return
.Er ENOSYS .
.It Dv A_GETCOND
Return the current auditing condition.
-.Ft *data
-must point to a long value which will be set to
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value which will be set to
the current audit condition, either
.Dv AUC_AUDITING
or
.Dv AUC_NOAUDIT .
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
-.Fr *data
-must point to a long value set to one of the acceptable
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value set to one of the acceptable
trigger values:
.Dv AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
@@ -264,17 +313,26 @@ and Mac OS X implementations, and is not present in Solaris.
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditctl 2 ,
-.Xr getauid 2 ,
-.Xr setauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
@@ -284,8 +342,3 @@ This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org ,
and
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
index 05a938c..0592721 100644
--- a/contrib/openbsm/man/getaudit.2
+++ b/contrib/openbsm/man/getaudit.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#7 $
.\"
.Dd April 19, 2005
.Dt GETAUDIT 2
@@ -31,7 +31,7 @@
.Sh NAME
.Nm getaudit ,
.Nm getaudit_addr
-.Nd "Retrieve audit session state"
+.Nd "retrieve audit session state"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
@@ -39,42 +39,47 @@
.Ft int
.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
.Sh DESCRIPTION
+The
.Fn getaudit
+system call
retrieves the active audit session state for the current process via the
.Vt auditinfo_t
pointed to by
-.Va auditinfo .
+.Fa auditinfo .
+The
.Fn getaudit_addr
+system call
retrieves extended state via
-.Va auditinfo_addr
+.Fa auditinfo_addr
and
-.Va length .
+.Fa length .
.Pp
-This system call requires appropriate privilege to complete.
+These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std getaudit getaudit_addr
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getauid 2 ,
-.Xr setauid 2 ,
.Xr setaudit 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
index 9751da9..2624f1e 100644
--- a/contrib/openbsm/man/getauid.2
+++ b/contrib/openbsm/man/getauid.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,52 +23,55 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#7 $
.\"
.Dd April 19, 2005
.Dt GETAUID 2
.Os
.Sh NAME
.Nm getauid
-.Nd "Retrieve audit session ID"
+.Nd "retrieve audit session ID"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn getauid "au_id_t *auid"
.Sh DESCRIPTION
-.Nm
+The
+.Fn getauid
+system call
retrieves the active audit session ID for the current process via the
.Vt au_id_t
pointed to by
-.Va auid .
+.Fa auid .
.Pp
-This system call requires appropriate privilege to complete.
+This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
-.Xr setauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
index 46d9954..22e2192 100644
--- a/contrib/openbsm/man/setaudit.2
+++ b/contrib/openbsm/man/setaudit.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#7 $
.\"
.Dd April 19, 2005
.Dt SETAUDIT 2
@@ -31,51 +31,55 @@
.Sh NAME
.Nm setaudit ,
.Nm setaudit_addr
-.Nd "Set audit session state"
+.Nd "set audit session state"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn setaudit "auditinfo_t *auditinfo"
.Ft int
-.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
.Sh DESCRIPTION
-.Nm
+The
+.Fn setaudit
+system call
sets the active audit session state for the current process via the
.Vt auditinfo_t
pointed to by
-.Va auditinfo .
+.Fa auditinfo .
+The
.Fn setaudit_addr
+system call
sets extended state via
-.Va auditinfo_addr
+.Fa auditinfo_addr
and
-.Va length .
+.Fa length .
.Pp
-This system call requires appropriate privilege to complete.
+These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std setaudit setaudit_addr
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getaudit 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
-.Xr getaudit 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
index 4c23ffc..a736a34 100644
--- a/contrib/openbsm/man/setauid.2
+++ b/contrib/openbsm/man/setauid.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,52 +23,55 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#7 $
.\"
.Dd April 19, 2005
.Dt SETAUID 2
.Os
.Sh NAME
.Nm setauid
-.Nd "Set audit session ID"
+.Nd "set audit session ID"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn setauid "au_id_t *auid"
.Sh DESCRIPTION
-.Nm
+The
+.Fn setauid
+system call
sets the active audit session ID for the current process from the
.Vt au_id_t
pointed to by
-.Va auid .
+.Fa auid .
.Pp
-This system call requires appropriate privilege to complete.
+This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
-.Xr getauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
OpenPOWER on IntegriCloud