Diffstat (limited to 'contrib/openbsm/man')
-rw-r--r--contrib/openbsm/man/Makefile.am24
-rw-r--r--contrib/openbsm/man/Makefile.in452
-rw-r--r--contrib/openbsm/man/audit.2104
-rw-r--r--contrib/openbsm/man/audit.log.5678
-rw-r--r--contrib/openbsm/man/audit_class.580
-rw-r--r--contrib/openbsm/man/audit_control.5283
-rw-r--r--contrib/openbsm/man/audit_event.584
-rw-r--r--contrib/openbsm/man/audit_user.5120
-rw-r--r--contrib/openbsm/man/audit_warn.576
-rw-r--r--contrib/openbsm/man/auditctl.285
-rw-r--r--contrib/openbsm/man/auditon.2506
-rw-r--r--contrib/openbsm/man/getaudit.2188
-rw-r--r--contrib/openbsm/man/getauid.290
-rw-r--r--contrib/openbsm/man/setaudit.2192
-rw-r--r--contrib/openbsm/man/setauid.290
15 files changed, 3052 insertions, 0 deletions
diff --git a/contrib/openbsm/man/Makefile.am b/contrib/openbsm/man/Makefile.am
new file mode 100644
index 0000000..e65a68c
--- /dev/null
+++ b/contrib/openbsm/man/Makefile.am
@@ -0,0 +1,24 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile.am#1 $
+#
+
+man2_MANS = \
+ audit.2 \
+ auditctl.2 \
+ auditon.2 \
+ getaudit.2 \
+ getauid.2 \
+ setaudit.2 \
+ setauid.2
+
+man5_MANS = \
+ audit.log.5 \
+ audit_class.5 \
+ audit_control.5 \
+ audit_event.5 \
+ audit_user.5 \
+ audit_warn.5
+
+# How to do MLINKS in automake?
+# MLINKS= getaudit.2 getaudit_addr.2 \
+# setaudit.2 setaudit_addr.2
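Review bot: The commented-out MLINKS block at the end of this file means getaudit_addr.2 and setaudit_addr.2 are never installed by the automake build, although audit.2 in this same commit cross-references both (`.Xr getaudit_addr 2`, `.Xr setaudit_addr 2`). Automake has no MLINKS primitive, but an `install-data-hook:` rule runs after the man pages are installed and can create the links, for example `cd "$(DESTDIR)$(man2dir)" && rm -f getaudit_addr.2 && $(LN_S) getaudit.2 getaudit_addr.2`, with a matching `uninstall-hook:` to remove them. If the links are deliberately left to the consuming build system, I would replace the open question with a comment that says so, such as `# getaudit_addr.2 / setaudit_addr.2 links are not installed by this build`.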
diff --git a/contrib/openbsm/man/Makefile.in b/contrib/openbsm/man/Makefile.in
new file mode 100644
index 0000000..aeb775a
--- /dev/null
+++ b/contrib/openbsm/man/Makefile.in
@@ -0,0 +1,452 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile.in#9 $
+#
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = man
+DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+man2dir = $(mandir)/man2
+am__installdirs = "$(DESTDIR)$(man2dir)" "$(DESTDIR)$(man5dir)"
+man5dir = $(mandir)/man5
+NROFF = nroff
+MANS = $(man2_MANS) $(man5_MANS)
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MIG = @MIG@
+MKDIR_P = @MKDIR_P@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+man2_MANS = \
+ audit.2 \
+ auditctl.2 \
+ auditon.2 \
+ getaudit.2 \
+ getauid.2 \
+ setaudit.2 \
+ setauid.2
+
+man5_MANS = \
+ audit.log.5 \
+ audit_class.5 \
+ audit_control.5 \
+ audit_event.5 \
+ audit_user.5 \
+ audit_warn.5
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign man/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --foreign man/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-man2: $(man2_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man2dir)" || $(MKDIR_P) "$(DESTDIR)$(man2dir)"
+ @list='$(man2_MANS) $(dist_man2_MANS) $(nodist_man2_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.2*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 2*) ;; \
+ *) ext='2' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man2dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man2dir)/$$inst"; \
+ done
+uninstall-man2:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man2_MANS) $(dist_man2_MANS) $(nodist_man2_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.2*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 2*) ;; \
+ *) ext='2' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man2dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man2dir)/$$inst"; \
+ done
+install-man5: $(man5_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+tags: TAGS
+TAGS:
+
+ctags: CTAGS
+CTAGS:
+
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(MANS)
+installdirs:
+ for dir in "$(DESTDIR)$(man2dir)" "$(DESTDIR)$(man5dir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man: install-man2 install-man5
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man
+
+uninstall-man: uninstall-man2 uninstall-man5
+
+.MAKE: install-am install-strip
+
+.PHONY: all all-am check check-am clean clean-generic clean-libtool \
+ distclean distclean-generic distclean-libtool distdir dvi \
+ dvi-am html html-am info info-am install install-am \
+ install-data install-data-am install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-man2 \
+ install-man5 install-pdf install-pdf-am install-ps \
+ install-ps-am install-strip installcheck installcheck-am \
+ installdirs maintainer-clean maintainer-clean-generic \
+ mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \
+ ps ps-am uninstall uninstall-am uninstall-man uninstall-man2 \
+ uninstall-man5
+
+
+# How to do MLINKS in automake?
+# MLINKS= getaudit.2 getaudit_addr.2 \
+# setaudit.2 setaudit_addr.2
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
new file mode 100644
index 0000000..1ee61b9
--- /dev/null
+++ b/contrib/openbsm/man/audit.2
@@ -0,0 +1,104 @@
+.\"-
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#9 $
+.\"
+.Dd April 19, 2005
+.Dt AUDIT 2
+.Os
+.Sh NAME
+.Nm audit
+.Nd "commit BSM audit record to audit log"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn audit "const char *record" "u_int length"
+.Sh DESCRIPTION
+The
+.Fn audit
+system call
+submits a completed BSM audit record to the system audit log.
+.Pp
+The
+.Fa record
+argument
+is a pointer to the specific event to be recorded and
+.Fa length
+is the size in bytes of the data to be written.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn audit
+system call will fail and the data never written if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+The
+.Fa record
+argument is beyond the allocated address space of the process.
+.It Bq Er EINVAL
+The token ID is invalid or
+.Va length
+is larger than
+.Dv MAXAUDITDATA .
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
+.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org .
+.Sh BUGS
+The
+.Fx
+kernel does not fully validate that the argument passed is syntactically
+valid BSM.
+Submitting invalid audit records may corrupt the audit log.
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
new file mode 100644
index 0000000..143936c
--- /dev/null
+++ b/contrib/openbsm/man/audit.log.5
@@ -0,0 +1,678 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#23 $
+.\"
+.Dd November 5, 2006
+.Dt AUDIT.LOG 5
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Basic Security Module (BSM) file format"
+.Sh DESCRIPTION
+The
+.Nm
+file format is based on Sun's Basic Security Module (BSM) file format, a
+token-based record stream to represent system audit data.
+This file format is both flexible and extensible, able to describe a broad
+range of data types, and easily extended to describe new data types in a
+moderately backward and forward compatible way.
+.Pp
+BSM token streams typically begin and end with a
+.Dq file
+token, which provides time stamp and file name information for the stream;
+when processing a BSM token stream from a stream as opposed to a single file
+source, file tokens may be seen at any point between ordinary records
+identifying when particular parts of the stream begin and end.
+All other tokens will appear in the context of a complete BSM audit record,
+which begins with a
+.Dq header
+token, and ends with a
+.Dq trailer
+token, which describe the audit record.
+Between these two tokens will appear a variety of data tokens, such as
+process information, file path names, IPC object information, MAC labels,
+socket information, and so on.
+.Pp
+The BSM file format defines specific token orders for each record event type;
+however, some variation may occur depending on the operating system in use,
+what system options, such as mandatory access control, are present.
+.Pp
+This manual page documents the common token types and their binary format, and
+is intended for reference purposes only.
+It is recommended that application programmers use the
+.Xr libbsm 3
+interface to read and write tokens, rather than parsing or constructing
+records by hand.
+.Ss File Token
+The
+.Dq file
+token is used at the beginning and end of an audit log file to indicate
+when the audit log begins and ends.
+It includes a pathname so that, if concatenated together, original file
+boundaries are still observable, and gaps in the audit log can be identified.
+A
+.Dq file
+token can be created using
+.Xr au_to_file 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Seconds 4 bytes File time stamp"
+.It "Microseconds 4 bytes File time stamp"
+.It "File name lengh 2 bytes File name of audit trail"
+.It "File pathname N bytes + 1 NUL File name of audit trail"
+.El
+.Ss Header Token
+The
+.Dq header
+token is used to mark the beginning of a complete audit record, and includes
+the length of the total record in bytes, a version number for the record
+layout, the event type and subtype, and the time at which the event occurred.
+A 32-bit
+.Dq header
+token can be created using
+.Xr au_to_header32 3 ;
+a 64-bit
+.Dq header
+token can be created using
+.Xr au_to_header64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.It "Version Number 2 bytes Record version number"
+.It "Event Type 2 bytes Event type"
+.It "Event Modifier 2 bytes Event sub-type"
+.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
+.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
+.El
+.Ss Expanded Header Token
+The
+.Dq expanded header
+token is an expanded version of the
+.Dq header
+token, with the addition of a machine IPv4 or IPv6 address.
+A 32-bit extended
+.Dq header
+token can be created using
+.Xr au_to_header32_ex 3 ;
+a 64-bit extended
+.Dq header
+token can be created using
+.Xr au_to_header64_ex 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.It "Version Number 2 bytes Record version number"
+.It "Event Type 2 bytes Event type"
+.It "Event Modifier 2 bytes Event sub-type"
+.It "Address Type/Length 1 byte Host address type and length"
+.It "Machine Address 4/16 bytes IPv4 or IPv6 address"
+.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
+.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
+.El
+.Ss Trailer Token
+The
+.Dq trailer
+terminates a BSM audit record, and contains a magic number,
+.Dv AUT_TRAILER_MAGIC
+and length that can be used to validate that the record was read properly.
+A
+.Dq trailer
+token can be created using
+.Xr au_to_trailer 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Trailer Magic 2 bytes Trailer magic number"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.El
+.Ss Arbitrary Data Token
+The
+.Dq arbitrary data
+token contains a byte stream of opaque (untyped) data.
+The size of the data is calculated as the size of each unit of data
+multipled by the number of units of data.
+A
+.Dq How to print
+field is present to specify how to print the data, but interpretation of
+that field is not currently defined.
+An
+.Dq arbitrary data
+token can be created using
+.Xr au_to_data 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "How to Print 1 byte User-defined printing information"
+.It "Basic Unit 1 byte Size of a unit in bytes"
+.It "Unit Count 1 byte Number of units of data present"
+.It "Data Items Variable User data"
+.El
+.Ss in_addr Token
+The
+.Dq in_addr
+token holds a network byte order IPv4 address.
+An
+.Dq in_addr
+token can be created using
+.Xr au_to_in_addr 3
+for an IPv4 address.
+.Pp
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "IP Address 4 bytes IPv4 address"
+.El
+.Ss Expanded in_addr Token
+The
+.Dq in_addr_ex
+token holds a network byte order IPv4 or IPv6 address.
+An
+.Dq in_addr_ex
+token can be created using
+.Xr au_to_in_addr_ex 3
+for an IPv6 address.
+.Pp
+See the
+.Sx BUGS
+section for information on the storage of this token.
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "IP Address Type 1 byte Type of address"
+.It "IP Address 4/16 bytes IPv4 or IPv6 address"
+.El
+.Ss ip Token
+The
+.Dq ip
+token contains an IP packet header in network byte order.
+An
+.Dq ip
+token can be created using
+.Xr au_to_ip 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Version and IHL 1 byte Version and IP header length"
+.It "Type of Service 1 byte IP TOS field"
+.It "Length 2 bytes IP packet length in network byte order"
+.It "ID 2 bytes IP header ID for reassembly"
+.It "Offset 2 bytes IP fragment offset and flags, network byte order"
+.It "TTL 1 byte IP Time-to-Live"
+.It "Protocol 1 byte IP protocol number"
+.It "Checksum 2 bytes IP header checksum, network byte order"
+.It "Source Address 4 bytes IPv4 source address"
+.It "Destination Address 4 bytes IPv4 destination address"
+.El
+.Ss iport Token
+The
+.Dq iport
+token stores an IP port number in network byte order.
+An
+.Dq iport
+token can be created using
+.Xr au_to_iport 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Port Number 2 bytes Port number in network byte order"
+.El
+.Ss Path Token
+The
+.Dq path
+token contains a pathname.
+A
+.Dq path
+token can be created using
+.Xr au_to_path 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Path Length 2 bytes Length of path in bytes"
+.It "Path N bytes + 1 NUL Path name"
+.El
+.Ss path_attr Token
+The
+.Dq path_attr
+token contains a set of NUL-terminated path names.
+The
+.Xr libbsm 3
+API cannot currently create a
+.Dq path_attr
+token.
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Count 2 bytes Number of NUL-terminated string(s) in token"
+.It "Path Variable count NUL-terminated string(s)"
+.El
+.Ss Process Token
+The
+.Dq process
+token contains a description of the security properties of a process
+involved as the target of an auditable event, such as the destination for
+signal delivery.
+It should not be confused with the
+.Dq subject
+token, which describes the subject performing an auditable event.
+This includes both the traditional
+.Ux
+security properties, such as user IDs and group IDs, but also audit
+information such as the audit user ID and session.
+A
+.Dq process
+token can be created using
+.Xr au_to_process32 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Machine Address 4 bytes IP address of machine"
+.El
+.Ss Expanded Process Token
+The
+.Dq expanded process
+token contains the contents of the
+.Dq process
+token, with the addition of a machine address type and variable length
+address storage capable of containing IPv6 addresses.
+An
+.Dq expanded process
+token can be created using
+.Xr au_to_process32_ex 3
+or
+.Xr au_to_process64_ex 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Address Type/Length 1 byte Length of machine address"
+.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
+.El
+.Ss Return Token
+The
+.Dq return
+token contains a system call or library function return condition, including
+return value and error number associated with the global variable
+.Er errno .
+A
+.Dq return
+token can be created using
+.Xr au_to_return32 3
+or
+.Xr au_to_return64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Error Number 1 byte Errno value, or 0 if undefined"
+.It "Return Value 4/8 bytes Return value (32/64-bits)"
+.El
+.Ss Subject Token
+The
+.Dq subject
+token contains information on the subject performing the operation described
+by an audit record, and includes similar information to that found in the
+.Dq process
+and
+.Dq expanded process
+tokens.
+However, those tokens are used where the process being described is the
+target of the operation, not the authorizing party.
+A
+.Dq subject
+token can be created using
+.Xr au_to_subject32 3
+and
+.Xr au_to_subject64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Machine Address 4 bytes IP address of machine"
+.El
+.Ss Expanded Subject Token
+The
+.Dq expanded subject
+token consists of the same elements as the
+.Dq subject
+token, with the addition of type/length and variable size machine address
+information in the terminal ID.
+An
+.Dq expanded subject
+token can be created using
+.Xr au_to_subject32_ex 3
+or
+.Xr au_to_subject64_ex 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Address Type/Length 1 byte Length of machine address"
+.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
+.El
+.Ss System V IPC Token
+The
+.Dq System V IPC
+token contains the System V IPC message handle, semaphore handle or shared
+memory handle.
+A System V IPC token may be created using
++.Xr au_to_ipc 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Object ID type 1 byte Object ID"
+.It "Object ID 4 bytes Object ID"
+.El
+.Ss Text Token
+The
+.Dq text
+token contains a single NUL-terminated text string.
+A
+.Dq text
+token may be created using
+.Xr au_to_text 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Text Length 2 bytes Length of text string including NUL"
+.It "Text N bytes + 1 NUL Text string including NUL"
+.El
+.Ss Attribute Token
+The
+.Dq attribute
+token describes the attributes of a file associated with the audit event.
+As files may be identified by 0, 1, or many path names, a path name is not
+included with the attribute block for a file; optional
+.Dq path
+tokens may also be present in an audit record indicating which path, if any,
+was used to reach the object.
+An
+.Dq attribute
+token can be created using
+.Xr au_to_attr32 3
+or
+.Xr au_to_attr64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "File Access Mode 1 byte mode_t associated with file"
+.It "Owner User ID 4 bytes uid_t associated with file"
+.It "Owner Group ID 4 bytes gid_t associated with file"
+.It "File System ID 4 bytes fsid_t associated with file"
+.It "File System Node ID 8 bytes ino_t associated with file"
+.It "Device 4/8 bytes Device major/minor number (32/64-bit)"
+.El
+.Ss Groups Token
+The
+.Dq groups
+token contains a list of group IDs associated with the audit event.
+A
+.Dq groups
+token can be created using
+.Xr au_to_groups 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Number of Groups 2 bytes Number of groups in token"
+.It "Group List N * 4 bytes List of N group IDs"
+.El
+.Ss System V IPC Permission Token
+The
+.Dq System V IPC permission
+token contains a System V IPC access permissions.
+A System V IPC permission token may be created using
+.Xr au_to_ipc_perm 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
+.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
+.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
+.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
+.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
+.It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
+.It Li "Key" Ta "4 bytes" Ta "IPC key"
+.El
+.Ss Arg Token
+The
+.Dq arg
+token contains informations about arguments of the system call.
+Depending on the size of the desired argument value, an Arg token may be
+created using
+.Xr au_to_arg32 3
+or
+.Xr au_to_arg64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
+.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
+.It Li "Length" Ta "2 bytes" Ta "Length of the text"
+.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
+.El
+.Ss exec_args Token
+The
+.Dq exec_args
+token contains informations about arguements of the exec() system call.
+An exec_args token may be created using
+.Xr au_to_exec_args 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
+.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
+.El
+.Ss exec_env Token
+The
+.Dq exec_env
+token contains current eviroment variables to an exec() system call.
+An exec_args token may be created using
+.Xr au_to_exec_env 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
+.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
+.El
+.Ss Exit Token
+The
+.Dq exit
+token contains process exit/return code information.
+An
+.Dq exit
+token can be created using
+.Xr au_to_exit 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Status 4 bytes Process status on exit"
+.It "Return Value 4 bytes Process return value on exit"
+.El
+.Ss Socket Token
+The
+.Dq socket
+token contains information about UNIX domain and Internet sockets.
+Each token has four or eight fields.
+Depending on the type of socket, a socket token may be created using
+.Xr au_to_sock_unix 3 ,
+.Xr au_to_sock_inet32 3
+or
+.Xr au_to_sock_inet128 3 .
+.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
+.It Li "Local port" Ta "2 bytes" Ta "Local port"
+.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
+.El
+.Ss Expanded Socket Token
+The
+.Dq expanded socket
+token contains information about IPv4 and IPv6 sockets.
+A
+.Dq expanded socket
+token can be created using
+.Xr au_to_socket_ex 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Socket domain" Ta "2 bytes" Ta "Socket domain"
+.It Li "Socket type" Ta "2 bytes" Ta "Socket type"
+.It Li "Address type" Ta "2 byte" Ta "Address type (IPv4/IPv6)"
+.It Li "Local port" Ta "2 bytes" Ta "Local port"
+.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
+.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
+.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
+.El
+.Ss Seq Token
+The
+.Dq seq
+token contains a unique and monotonically increasing audit event sequence ID.
+Due to the limited range of 32 bits, serial number arithmetic and caution
+should be used when comparing sequence numbers.
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Sequence Number 4 bytes Audit event sequence number"
+.El
+.Ss privilege Token
+The
+.Dq privilege
+token ...
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
+.El
+.Ss Use-of-auth Token
+The
+.Dq use-of-auth
+token ...
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
+.El
+.Ss Command Token
+The
+.Dq command
+token ...
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
+.El
+.Ss ACL Token
+The
+.Dq ACL
+token ...
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
+.El
+.Ss Zonename Token
+The
+.Dq zonename
+token holds a NUL-terminated string with the name of the zone or jail from
+which the record originated.
+A
+.Dz zonename
+token can be created using
+.Xr au_to_zonename 3 .
+.Pp
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Zonename length 2 bytes Length of zonename string including NUL"
+.It "Zonename N bytes + 1 NUL Zonename string including NUL"
+.El
+.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr praudit 1 ,
+.Xr libbsm 3 ,
+.Xr audit 4 ,
+.Xr auditpipe 4 ,
+.Xr audit 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh BUGS
+The
+.Dq How to print
+field in the
+.Dq arbitrary data
+token has undefined values.
+.Pp
+The
+.Dq in_addr
+and
+.Dq in_addr_ex
+token layout documented here appears to be in conflict with the
+.Xr libbsm 3
+implementation of
+.Xr au_to_in_addr_ex 3 .
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
new file mode 100644
index 0000000..c92f57f
--- /dev/null
+++ b/contrib/openbsm/man/audit_class.5
@@ -0,0 +1,80 @@
+.\" Copyright (c) 2004 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#11 $
+.\"
+.Dd January 24, 2004
+.Dt AUDIT_CLASS 5
+.Os
+.Sh NAME
+.Nm audit_class
+.Nd "audit event class descriptions"
+.Sh DESCRIPTION
+The
+.Nm
+file contains descriptions of the auditable event classes on the system.
+Each auditable event is a member of an event class.
+Each line maps an audit event
+mask (bitmap) to a class and a description.
+Entries are of the form:
+.Pp
+.D1 Ar classmask Ns : Ns Ar eventclass Ns : Ns Ar description
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000080:pc:process
+0xffffffff:all:all flags set
+.Ed
+.Sh FILES
+.Bl -tag -width ".Pa /etc/security/audit_class" -compact
+.It Pa /etc/security/audit_class
+.El
+.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr audit_user 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
new file mode 100644
index 0000000..bed9cd8
--- /dev/null
+++ b/contrib/openbsm/man/audit_control.5
@@ -0,0 +1,283 @@
+.\" Copyright (c) 2004-2009 Apple Inc.
+.\" Copyright (c) 2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#22 $
+.\"
+.Dd January 29, 2009
+.Dt AUDIT_CONTROL 5
+.Os
+.Sh NAME
+.Nm audit_control
+.Nd "audit system parameters"
+.Sh DESCRIPTION
+The
+.Nm
+file contains several audit system parameters.
+Each line of this file is of the form:
+.Pp
+.D1 Ar parameter Ns : Ns Ar value
+.Pp
+The parameters are:
+.Bl -tag -width indent
+.It Va dir
+The directory where audit log files are stored.
+There may be more than one of these entries.
+Changes to this entry can only be enacted by restarting the
+audit system.
+See
+.Xr audit 8
+for a description of how to restart the audit system.
+.It Va flags
+Specifies which audit event classes are audited for all users.
+.Xr audit_user 5
+describes how to audit events for individual users.
+See the information below for the format of the audit flags.
+.It Va host
+Specify the hostname or IP address to be used when setting the local
+systems's audit host information.
+This hostname will be converted into an IP or IPv6 address and will
+be included in the header of each audit record.
+Due to the possibility of transient errors coupled with the
+security issues in the DNS protocol itself, the use of DNS
+should be avoided.
+Instead, it is strongly recommended that the hostname be
+specified in the /etc/hosts file.
+For more information see
+.Xr hosts 5 .
+.It Va naflags
+Contains the audit flags that define what classes of events are audited when
+an action cannot be attributed to a specific user.
+.It Va minfree
+The minimum free space required on the file system audit logs are being written to.
+When the free space falls below this limit a warning will be issued.
+If no value for the minimum free space is set, the default of 20 percent is
+applied by the kernel.
+.It Va policy
+A list of global audit policy flags specifying various behaviors, such as
+fail stop, auditing of paths and arguments, etc.
+.It Va filesz
+Maximum trail size in bytes; if set to a non-0 value, the audit daemon will
+rotate the audit trail file at around this size.
+Sizes less than the minimum trail size (default of 512K) will be rejected as
+invalid.
+If 0, trail files will not be automatically rotated based on file size.
+For convenience, the trail size may be expressed with suffix letters:
+B (Bytes), K (Kilobytes), M (Megabytes), or G (Gigabytes).
+For example, 2M is the same as 2097152.
+.It Va expire-after
+Specifies when audit log files will expire and be removed.
+This may be after a time period has passed since the file was last
+written to or when the aggregate of all the trail files have reached a
+specified size or a combination of both.
+If no expire-after parameter is given then audit log files with not
+expire and be removed by the audit control system.
+See the information below for the format of the expiration
+specification.
+.El
+.Sh AUDIT FLAGS
+Audit flags are a comma-delimited list of audit classes as defined in the
+.Xr audit_class 5
+file.
+Event classes may be preceded by a prefix which changes their interpretation.
+The following prefixes may be used for each class:
+.Pp
+.Bl -tag -width indent -compact -offset indent
+.It (none)
+Record both successful and failed events.
+.It Li +
+Record successful events.
+.It Li -
+Record failed events.
+.It Li ^
+Record neither successful nor failed events.
+.It Li ^+
+Do not record successful events.
+.It Li ^-
+Do not record failed events.
+.El
+.Sh AUDIT POLICY FLAGS
+The policy flags field is a comma-delimited list of policy flags from the
+following list:
+.Pp
+.Bl -tag -width ".Cm zonename" -compact -offset indent
+.It Cm cnt
+Allow processes to continue running even though events are not being audited.
+If not set, processes will be suspended when the audit store space is
+exhausted.
+Currently, this is not a recoverable state.
+.It Cm ahlt
+Fail stop the system if unable to audit an event\[em]this consists of first
+draining pending records to disk, and then halting the operating system.
+.It Cm argv
+Audit command line arguments to
+.Xr execve 2 .
+.It Cm arge
+Audit environmental variable arguments to
+.Xr execve 2 .
+.It Cm seq
+Include a unique audit sequence number token in generated audit records (not
+implemented on
+.Fx
+or Darwin).
+.It Cm group
+Include supplementary groups list in generated audit records (not implemented
+on
+.Fx
+or Darwin; supplementary groups are never included in records on
+these systems).
+.It Cm trail
+Append a trailer token to each audit record (not implemented on
+.Fx
+or
+Darwin; trailers are always included in records on these systems).
+.It Cm path
+Include secondary file paths in audit records (not implemented on
+.Fx
+or
+Darwin; secondary paths are never included in records on these systems).
+.It Cm zonename
+Include a zone ID token with each audit record (not implemented on
+.Fx
+or
+Darwin;
+.Fx
+audit records do not currently include the jail ID or name).
+.It Cm perzone
+Enable auditing for each local zone (not implemented on
+.Fx
+or Darwin; on
+.Fx ,
+audit records are collected from all jails and placed in a single
+global trail, and only limited audit controls are permitted within a jail).
+.El
+.Pp
+It is recommended that installations set the
+.Cm cnt
+flag but not
+.Cm ahlt
+flag unless it is intended that audit logs exceeding available disk space
+halt the system.
+.Sh AUDIT LOG EXPIRATION SPECIFICATION
+The expiration specification can be one value or two values with the
+logical conjunction of AND/OR between them.
+Values for the audit log file age are numbers with the following
+suffixes:
+.Pp
+.Bl -tag -width "(space) or" -compact -offset indent
+.It Li s
+Log file age in seconds.
+.It Li h
+Log file age in hours.
+.It Li d
+Log file age in days.
+.It Li y
+Log file age in years.
+.El
+.Pp
+Values for the disk space used are numbers with the following suffixes:
+.Pp
+.Bl -tag -width "(space) or" -compact -offset indent
+.It (space) or
+.It Li B
+Disk space used in Bytes.
+.It Li K
+Disk space used in Kilobytes.
+.It Li M
+Disk space used in Megabytes.
+.It Li G
+Disk space used in Gigabytes.
+.El
+.Pp
+The suffixes on the values are case sensitive.
+If both an age and disk space value are used they are seperated by
+AND or OR and both values are used to determine when audit
+log files expire.
+In the case of AND, both the age and disk space conditions must be meet
+before the log file is removed.
+In the case of OR, either condition may expire the log file.
+For example:
+.Bd -literal -offset indent
+expire-after: 60d AND 1G
+.Ed
+.Pp
+will expire files that are older than 60 days but only if 1
+gigabyte of disk space total is being used by the audit logs.
+.Sh DEFAULT
+The following settings appear in the default
+.Nm
+file:
+.Bd -literal -offset indent
+dir:/var/audit
+flags:lo
+minfree:5
+naflags:lo
+policy:cnt,argv
+filesz:2097152
+.Ed
+.Pp
+The
+.Va flags
+parameter above specifies the system-wide mask corresponding to login/logout
+events.
+The
+.Va policy
+parameter specifies that the system should neither fail stop nor suspend
+processes when the audit store fills and that command line arguments should
+be audited for
+.Dv AUE_EXECVE
+events.
+The trail file will be automatically rotated by the audit daemon when the
+file size reaches approximately 2MB.
+.Sh FILES
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_event 5 ,
+.Xr audit_user 5 ,
+.Xr audit 8 ,
+.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
new file mode 100644
index 0000000..184a82d
--- /dev/null
+++ b/contrib/openbsm/man/audit_event.5
@@ -0,0 +1,84 @@
+.\" Copyright (c) 2004 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#12 $
+.\"
+.Dd January 24, 2004
+.Dt AUDIT_EVENT 5
+.Os
+.Sh NAME
+.Nm audit_event
+.Nd "audit event descriptions"
+.Sh DESCRIPTION
+The
+.Nm
+file contains descriptions of the auditable events on the system.
+Each line maps an audit event number to a name, a description, and a class.
+Entries are of the form:
+.Pp
+.Sm off
+.D1 Ar eventnum : eventname : description : eventclass
+.Sm on
+.Pp
+Each
+.Ar eventclass
+should have a corresponding entry in the
+.Xr audit_class 5
+file.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2):fa
+.Ed
+.Sh FILES
+.Bl -tag -width ".Pa /etc/security/audit_event" -compact
+.It Pa /etc/security/audit_event
+.El
+.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_user 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
new file mode 100644
index 0000000..5075f4a
--- /dev/null
+++ b/contrib/openbsm/man/audit_user.5
@@ -0,0 +1,120 @@
+.\" Copyright (c) 2004 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#14 $
+.\"
+.Dd January 4, 2008
+.Dt AUDIT_USER 5
+.Os
+.Sh NAME
+.Nm audit_user
+.Nd "events to be audited for given users"
+.Sh DESCRIPTION
+The
+.Nm
+file specifies which audit event classes are to be audited for the given users.
+If specified, these flags are combined with the system-wide audit flags in the
+.Xr audit_control 5
+file to determine which classes of events to audit for that user.
+These settings take effect when the user logs in.
+.Pp
+Each line maps a user name to a list of classes that should be audited and a
+list of classes that should not be audited.
+Entries are of the form:
+.Pp
+.D1 Ar username Ns : Ns Ar alwaysaudit Ns : Ns Ar neveraudit
+.Pp
+In the format above,
+.Ar alwaysaudit
+is a set of event classes that are always audited, and
+.Ar neveraudit
+is a set of event classes that should not be audited.
+These sets can indicate
+the inclusion or exclusion of multiple classes, and whether to audit successful
+or failed events.
+See
+.Xr audit_control 5
+for more information about audit flags.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+root:lo,ad:no
+jdoe:-fc,ad:+fw
+.Ed
+.Pp
+These settings would cause login/logout and administrative events that
+are performed on behalf of user
+.Dq Li root
+to be audited.
+No failure events are audited.
+For the user
+.Dq Li jdoe ,
+failed file creation events are audited, administrative events are
+audited, and successful file write events are never audited.
+.Sh IMPLEMENTATION NOTES
+Per-user and global audit preselection configuration are evaluated at time of
+login, so users must log out and back in again for audit changes relating to
+preselection to take effect.
+.Pp
+Audit record preselection occurs with respect to the audit identifier
+associated with a process, rather than with respect to the UNIX user or group
+ID.
+The audit identifier is set as part of the user credential context as part of
+login, and typically does not change as a result of running setuid or setgid
+applications, such as
+.Xr su 1 .
+This has the advantage that events that occur after running
+.Xr su 1
+can be audited to the original authenticated user, as required by CAPP, but
+may be surprising if not expected.
+.Sh FILES
+.Bl -tag -width ".Pa /etc/security/audit_user" -compact
+.It Pa /etc/security/audit_user
+.El
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr su 1 ,
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
new file mode 100644
index 0000000..c53f163
--- /dev/null
+++ b/contrib/openbsm/man/audit_warn.5
@@ -0,0 +1,76 @@
+.\" Copyright (c) 2004 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#10 $
+.\"
+.Dd March 17, 2004
+.Dt AUDIT_WARN 5
+.Os
+.Sh NAME
+.Nm audit_warn
+.Nd "alert when audit daemon issues warnings"
+.Sh DESCRIPTION
+The
+.Nm
+script
+runs when
+.Xr auditd 8
+generates warning messages.
+.Pp
+The default
+.Nm
+is a script whose first parameter is the type of warning; the script
+appends its arguments to
+.Pa /etc/security/audit_messages .
+Administrators may replace this script: a more comprehensive one would take
+different actions based on the type of warning.
+For example, a low-space warning
+could result in an email message being sent to the administrator.
+.Sh FILES
+.Bl -tag -width ".Pa /etc/security/audit_messages" -compact
+.It Pa /etc/security/audit_warn
+.It Pa /etc/security/audit_messages
+.El
+.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
new file mode 100644
index 0000000..a5346fb
--- /dev/null
+++ b/contrib/openbsm/man/auditctl.2
@@ -0,0 +1,85 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#9 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITCTL 2
+.Os
+.Sh NAME
+.Nm auditctl
+.Nd "configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditctl "const char *path"
+.Sh DESCRIPTION
+The
+.Fn auditctl
+system call directs the kernel to open a new audit trail log file.
+It requires an appropriate privilege.
+The
+.Fn auditctl
+system call
+opens new files, but
+.Xr auditon 2
+is used to disable the audit log.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn auditctl
+system call will fail if:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The path is invalid.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete the
+operation.
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr libbsm 3 ,
+.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
new file mode 100644
index 0000000..e43debb
--- /dev/null
+++ b/contrib/openbsm/man/auditon.2
@@ -0,0 +1,506 @@
+.\"-
+.\" Copyright (c) 2008-2009 Apple Inc.
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Wayne J. Salamon
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#16 $
+.\"
+.Dd January 29, 2009
+.Dt AUDITON 2
+.Os
+.Sh NAME
+.Nm auditon
+.Nd "configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "int cmd" "void *data" "u_int length"
+.Sh DESCRIPTION
+The
+.Fn auditon
+system call is used to manipulate various audit control operations.
+The
+.Fa data
+argument
+should point to a structure whose type depends on the command.
+The
+.Fa length
+argument
+specifies the size of
+.Fa *data
+in bytes.
+The
+.Fa cmd
+argument
+may be any of the following:
+.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
+.It Dv A_SETPOLICY
+Set audit policy flags.
+The
+.Fa data
+argument
+must point to a
+.Vt int
+value set to one or more the following audit
+policy control values bitwise OR'ed together:
+.Dv AUDIT_CNT ,
+.Dv AUDIT_AHLT ,
+.Dv AUDIT_ARGV ,
+and
+.Dv AUDIT_ARGE .
+If
+.Dv AUDIT_CNT is set, the system will continue even if it becomes low
+on space and discontinue logging events until the low space condition is
+remedied.
+If it is not set, audited events will block until the low space
+condition is remedied.
+Unaudited events, however, are unaffected.
+If
+.Dv AUDIT_AHLT is set, a
+.Xr panic 9
+if it cannot write an event to the global audit log file.
+If
+.Dv AUDIT_ARGV
+is set, then the argument list passed to the
+.Xr execve 2
+system call will be audited. If
+.Dv AUDIT_ARGE
+is set, then the environment variables passed to the
+.Xr execve 2
+system call will be audited. The default policy is none of the audit policy
+control flags set.
+.It Dv A_SETKAUDIT
+Set the host information.
+The
+.Fa data
+argument
+must point to a
+.Vt auditinfo_addr_t
+structure containing the host IP address information.
+After setting, audit records
+that are created as a result of kernel events will contain
+this information.
+.It Dv A_SETKMASK
+Set the kernel preselection masks (success and failure).
+The
+.Fa data
+argument
+must point to a
+.Vt au_mask_t
+structure containing the mask values as defined in
+.In bsm/audit.h .
+These masks are used for non-attributable audit event preselection.
+The field
+.Fa am_success
+specifies which classes of successful audit events are to be logged to the
+audit trail. The field
+.Fa am_failure
+specifies which classes of failed audit events are to be logged. The value of
+both fields is the bitwise OR'ing of the audit event classes specified in
+.Fa bsm/audit.h .
+The various audit classes are described more fully in
+.Xr audit_class 5 .
+.It Dv A_SETQCTRL
+Set kernel audit queue parameters.
+The
+.Fa data
+argument
+must point to a
+.Vt au_qctrl_t
+structure (defined in
+.In bsm/audit.h )
+containing the kernel audit queue control settings:
+.Fa aq_hiwater ,
+.Fa aq_lowater ,
+.Fa aq_bufsz ,
+.Fa aq_delay ,
+and
+.Fa aq_minfree .
+The field
+.Fa aq_hiwater
+defines the maximum number of audit record entries in the queue used to store
+the audit records ready for delivery to disk.
+New records are inserted at the tail of the queue and removed from the head.
+For new records which would exceed the
+high water mark, the calling thread is inserted into the wait queue, waiting
+for the audit queue to have enough space available as defined with the field
+.Fa aq_lowater .
+The field
+.Fa aq_bufsz
+defines the maximum length of the audit record that can be supplied with
+.Xr audit 2 .
+The field
+.Fa aq_delay
+is unused.
+The field
+.Fa aq_minfree
+specifies the minimum amount of free blocks on the disk device used to store
+audit records.
+If the value of free blocks falls below the configured
+minimum amount, the kernel informs the audit daemon about low disk space.
+The value is to be specified in percent of free file system blocks.
+A value of 0 results in a disabling of the check.
+The default and maximum values (default/maximum) for the
+audit queue control parameters are:
+.Pp
+.Bl -column aq_hiwater -offset indent -compact
+.It aq_hiwater Ta 100/10000 (audit records)
+.It aq_lowater Ta 10/aq_hiwater (audit records)
+.It aq_bufsz Ta 32767/1048576 (bytes)
+.It aq_delay Ta (Not currently used.)
+.El
+.It Dv A_SETSTAT
+Return
+.Er ENOSYS .
+(Not implemented.)
+.It Dv A_SETUMASK
+Return
+.Er ENOSYS .
+(Not implemented.)
+.It Dv A_SETSMASK
+Return
+.Er ENOSYS .
+(Not implemented.)
+.It Dv A_SETCOND
+Set the current auditing condition.
+The
+.Fa data
+argument
+must point to a
+.Vt int
+value containing the new
+audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT ,
+or
+.Dv AUC_DISABLED .
+If
+.Dv AUC_NOAUDIT
+is set, then auditing is temporarily suspended. If
+.Dv AUC_AUDITING
+is set, auditing is resumed. If
+.Dv AUC_DISABLED
+is set, the auditing system will
+shutdown, draining all audit records and closing out the audit trail file.
+.It Dv A_SETCLASS
+Set the event class preselection mask for an audit event.
+The
+.Fa data
+argument
+must point to a
+.Vt au_evclass_map_t
+structure containing the audit event and mask.
+The field
+.Fa ec_number
+is the audit event and
+.Fa ec_class
+is the audit class mask. See
+.Xr audit_event 5
+for more information on audit event to class mapping.
+.It Dv A_SETPMASK
+Set the preselection masks for a process.
+The
+.Fa data
+argument
+must point to a
+.Vt auditpinfo_t
+structure that contains the given process's audit
+preselection masks for both success and failure.
+The field
+.Fa ap_pid
+is the process id of the target process.
+The field
+.Fa ap_mask
+must point to a
+.Fa au_mask_t
+structure which holds the preselection masks as described in the
+.Da A_SETKMASK
+section above.
+.It Dv A_SETFSIZE
+Set the maximum size of the audit log file.
+The
+.Fa data
+argument
+must point to a
+.Vt au_fstat_t
+structure with the
+.Va af_filesz
+field set to the maximum audit log file size.
+A value of 0
+indicates no limit to the size.
+.It Dv A_GETCLASS
+Return the event to class mapping for the designated audit event.
+The
+.Fa data
+argument
+must point to a
+.Vt au_evclass_map_t
+structure. See the
+.Dv A_SETCLASS
+section above for more information.
+.It Dv A_GETKAUDIT
+Get the current host information.
+The
+.Fa data
+argument
+must point to a
+.Vt auditinfo_addr_t
+structure.
+.It Dv A_GETPINFO
+Return the audit settings for a process.
+The
+.Fa data
+argument
+must point to a
+.Vt auditpinfo_t
+structure which will be set to contain
+.Fa ap_auid
+(the audit ID),
+.Fa ap_mask
+(the preselection mask),
+.Fa ap_termid
+(the terminal ID), and
+.Fa ap_asid
+(the audit session ID)
+of the given target process.
+The process ID of the target process is passed
+into the kernel using the
+.Fa ap_pid
+field.
+See the section
+.Dv A_SETPMASK
+above and
+.Xr getaudit 2
+for more information.
+.It Dv A_GETPINFO_ADDR
+Return the extended audit settings for a process.
+The
+.Fa data
+argument
+must point to a
+.Vt auditpinfo_addr_t
+structure which is similar to the
+.Vt auditpinfo_addr_t
+structure described above.
+The exception is the
+.Fa ap_termid
+(the terminal ID) field which points to a
+.Vt au_tid_addr_t
+structure can hold much a larger terminal address and an address type.
+The process ID of the target process is passed into the kernel using the
+.Fa ap_pid
+field.
+See the section
+.Dv A_SETPMASK
+above and
+.Xr getaudit 2
+for more information.
+.It Dv A_GETSINFO_ADDR
+Return the extended audit settings for a session.
+The
+.Fa data
+argument
+must point to a
+.Vt auditinfo_addr_t
+structure.
+The audit session ID of the target session is passed
+into the kernel using the
+.Fa ai_asid
+field. See
+.Xr getaudit_addr 2
+for more information about the
+.Vt auditinfo_addr_t
+structure.
+.It Dv A_GETKMASK
+Return the current kernel preselection masks.
+The
+.Fa data
+argument
+must point to a
+.Vt au_mask_t
+structure which will be set to
+the current kernel preselection masks for non-attributable events.
+.It Dv A_GETPOLICY
+Return the current audit policy setting.
+The
+.Fa data
+argument
+must point to a
+.Vt int
+value which will be set to
+one of the current audit policy flags.
+The audit policy flags are
+described in the
+.Dv A_SETPOLICY
+section above.
+.It Dv A_GETQCTRL
+Return the current kernel audit queue control parameters.
+The
+.Fa data
+argument
+must point to a
+.Vt au_qctrl_t
+structure which will be set to the current
+kernel audit queue control parameters.
+See the
+.Dv A_SETQCTL
+section above for more information.
+.It Dv A_GETFSIZE
+Returns the maximum size of the audit log file.
+The
+.Fa data
+argument
+must point to a
+.Vt au_fstat_t
+structure.
+The
+.Va af_filesz
+field will be set to the maximum audit log file size.
+A value of 0 indicates no limit to the size.
+The
+.Va af_currsz
+field
+will be set to the current audit log file size.
+.It Dv A_GETCWD
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\" Return the current working directory as stored in the audit subsystem.
+Return
+.Er ENOSYS .
+(Not implemented.)
+.It Dv A_GETCAR
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Stores and returns the current active root as stored in the audit
+.\"subsystem.
+Return
+.Er ENOSYS .
+(Not implemented.)
+.It Dv A_GETSTAT
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Return the statistics stored in the audit system.
+Return
+.Er ENOSYS .
+(Not implemented.)
+.It Dv A_GETCOND
+Return the current auditing condition.
+The
+.Fa data
+argument
+must point to a
+.Vt int
+value which will be set to
+the current audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT
+or
+.Dv AUC_DISABLED .
+See the
+.Dv A_SETCOND
+section above for more information.
+.It Dv A_SENDTRIGGER
+Send a trigger to the audit daemon.
+The
+.Fa data
+argument
+must point to a
+.Vt int
+value set to one of the acceptable
+trigger values:
+.Dv AUDIT_TRIGGER_LOW_SPACE
+(low disk space where the audit log resides),
+.Dv AUDIT_TRIGGER_OPEN_NEW
+(open a new audit log file),
+.Dv AUDIT_TRIGGER_READ_FILE
+(read the
+.Pa audit_control
+file),
+.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
+(close the current log file and exit),
+.Dv AUDIT_TRIGGER_NO_SPACE
+(no disk space left for audit log file).
+.Dv AUDIT_TRIGGER_ROTATE_USER
+(request audit log file rotation).
+.Dv AUDIT_TRIGGER_INITIALIZE
+(initialize audit subsystem for Mac OS X only).
+or
+.Dv AUDIT_TRIGGER_EXPIRE_TRAILS
+(request audit log file expiration).
+.El
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn auditon
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er ENOSYS
+Returned by options not yet implemented.
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Pp
+The
+.Dv A_SENDTRIGGER
+command is specific to the
+.Fx
+and Mac OS X implementations, and is not present in Solaris.
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr getaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
+.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org ,
+.An Robert Watson Aq rwatson@FreeBSD.org ,
+and
+.An Wayne Salamon Aq wsalamon@FreeBSD.org .
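Review bot: Three cross-references in the command list will not render or resolve as written: under A_SETPMASK, `.Da A_SETKMASK` uses a macro that mdoc does not define and should be `.Dv A_SETKMASK`; the A_GETQCTRL entry points to `.Dv A_SETQCTL` although the item is named A_SETQCTRL; and the A_GETPINFO_ADDR entry describes auditpinfo_addr_t as similar to itself, where auditpinfo_t appears to be meant. Under A_SETPOLICY, `.Dv AUDIT_CNT is set, the system will continue even if it becomes low` and `.Dv AUDIT_AHLT is set, a` pass the prose to `.Dv` as arguments; the constant should stand alone on the macro line with the text on the next line, as is done for AUDIT_ARGV. The AUDIT_AHLT sentence also has no subject or verb, so the behaviour when an audit record cannot be written is never actually stated. In ERRORS, `A failure occurred while data transferred to or from the kernel failed.` is garbled here and in getaudit.2, getauid.2 and setaudit.2; `A failure occurred while transferring data to or from the kernel.` reads correctly.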
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
new file mode 100644
index 0000000..77a0f8e
--- /dev/null
+++ b/contrib/openbsm/man/getaudit.2
@@ -0,0 +1,188 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#10 $
+.\"
+.Dd October 19, 2008
+.Dt GETAUDIT 2
+.Os
+.Sh NAME
+.Nm getaudit ,
+.Nm getaudit_addr
+.Nd "retrieve audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
+.Sh DESCRIPTION
+The
+.Fn getaudit
+system call
+retrieves the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Fa auditinfo .
+The
+.Fn getaudit_addr
+system call
+retrieves extended state via
+.Fa auditinfo_addr
+and
+.Fa length .
+.Pp
+The
+.Fa auditinfo_t
+data structure is defined as follows:
+.Bd -literal -offset indent
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID */
+ au_mask_t ai_mask; /* Audit masks */
+ au_tid_t ai_termid; /* Terminal ID */
+ au_asid_t ai_asid; /* Audit session ID */
+};
+typedef struct auditinfo auditinfo_t;
+.Ed
+.Pp
+The
+.Fa ai_auid
+variable contains the audit identifier which is recorded in the audit log for
+each event the process caused.
+.Pp
+The
+.Fa au_mask_t
+data structure defines the bit mask for auditing successful and failed events
+out of the predefined list of event classes.
+It is defined as follows:
+.Bd -literal -offset indent
+struct au_mask {
+ unsigned int am_success; /* success bits */
+ unsigned int am_failure; /* failure bits */
+};
+typedef struct au_mask au_mask_t;
+.Ed
+.Pp
+The
+.Fa au_termid_t
+data structure defines the Terminal ID recorded with every event caused by the
+process.
+It is defined as follows:
+.Bd -literal -offset indent
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+.Ed
+.Pp
+The
+.Fa ai_asid
+variable contains the audit session ID which is recorded with every event
+caused by the process.
+.Pp
+The
+.Fn getaudit_addr
+system call
+uses the expanded
+.Fa auditinfo_addr_t
+data structure and supports Terminal IDs with larger addresses
+such as those used in IP version 6.
+It is defined as follows:
+.Bd -literal -offset indent
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+.Ed
+.Pp
+The
+.Fa au_tid_addr_t
+data structure which includes a larger address storage field and an additional
+field with the type of address stored:
+.Bd -literal -offset indent
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+.Ed
+.Pp
+These system calls require an appropriate privilege to complete.
+.Sh RETURN VALUES
+.Rv -std getaudit getaudit_addr
+.Sh ERRORS
+The
+.Fn getaudit
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.It Bq Er EOVERFLOW
+The
+.Fa length
+argument indicates an overflow condition will occur.
+.It Bq Er E2BIG
+The address is too big and, therefore,
+.Fn getaudit_addr
+should be used instead.
+.El
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
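Review bot: The terminal-ID paragraph names the type as `.Fa au_termid_t`, but the listing directly below it defines `struct au_tid` and `au_tid_t`, so the line should read `.Vt au_tid_t` (setaudit.2 carries the same line). The ERRORS list is introduced for getaudit() only, yet EOVERFLOW refers to the `length` argument, which only getaudit_addr() takes, and E2BIG tells the reader to use getaudit_addr() instead; the introduction should name both calls or the entries should say which call returns them. The sentence beginning `data structure which includes a larger address storage field` has no main verb; `data structure includes` fixes it.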
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
new file mode 100644
index 0000000..dc6ae0a
--- /dev/null
+++ b/contrib/openbsm/man/getauid.2
@@ -0,0 +1,90 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#9 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUID 2
+.Os
+.Sh NAME
+.Nm getauid
+.Nd "retrieve audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getauid "au_id_t *auid"
+.Sh DESCRIPTION
+The
+.Fn getauid
+system call
+retrieves the active audit session ID for the current process via the
+.Vt au_id_t
+pointed to by
+.Fa auid .
+.Pp
+This system call requires an appropriate privilege to complete.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn getauid
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred from
+the kernel failed.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit 2 ,
+.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
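Review bot: The page describes the value as the "audit session ID" in both `.Nd "retrieve audit session ID"` and the DESCRIPTION. However, the call fills an `au_id_t`, which getaudit.2 in this same commit documents as the audit user ID (`ai_auid`), with the session ID being the separate `au_asid_t ai_asid` field. If that reading is right, the lines should be `.Nd "retrieve audit user ID"` and `retrieves the active audit user ID for the current process via the`. The distinction matters to readers because the audit ID is the identity that records are attributed to. setauid.2 has the same wording in its NAME and DESCRIPTION; its hunk continues past the end of this view.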
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
new file mode 100644
index 0000000..5426c87
--- /dev/null
+++ b/contrib/openbsm/man/setaudit.2
@@ -0,0 +1,192 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#10 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUDIT 2
+.Os
+.Sh NAME
+.Nm setaudit ,
+.Nm setaudit_addr
+.Nd "set audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
+.Sh DESCRIPTION
+The
+.Fn setaudit
+system call
+sets the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Fa auditinfo .
+The
+.Fn setaudit_addr
+system call
+sets extended state via
+.Fa auditinfo_addr
+and
+.Fa length .
+.Pp
+The
+.Fa auditinfo_t
+data structure is defined as follows:
+.nf
+.in +4n
+
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID */
+ au_mask_t ai_mask; /* Audit masks */
+ au_tid_t ai_termid; /* Terminal ID */
+ au_asid_t ai_asid; /* Audit session ID */
+};
+typedef struct auditinfo auditinfo_t;
+.in
+.fi
+.Pp
+The
+.Fa ai_auid
+variable contains the audit identifier which is recorded in the audit log for
+each event the process caused.
+.PP
+
+The
+.Fa au_mask_t
+data structure defines the bit mask for auditing successful and failed events
+out of the predefined list of event classes. It is defined as follows:
+.nf
+.in +4n
+
+struct au_mask {
+ unsigned int am_success; /* success bits */
+ unsigned int am_failure; /* failure bits */
+};
+typedef struct au_mask au_mask_t;
+.in
+.fi
+.PP
+
+The
+.Fa au_termid_t
+data structure defines the Terminal ID recorded with every event caused by the
+process. It is defined as follows:
+.nf
+.in +4n
+
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+
+.in
+.fi
+.PP
+The
+.Fa ai_asid
+variable contains the audit session ID which is recorded with every event
+caused by the process.
+.Pp
+The
+.Fn setaudit_addr
+system call
+uses the expanded
+.Fa auditinfo_addr_t
+data structure supports Terminal IDs with larger addresses such as those used
+in IP version 6. It is defined as follows:
+.nf
+.in +4n
+
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+.in
+.fi
+.Pp
+The
+.Fa au_tid_addr_t
+data structure which includes a larger address storage field and an additional
+field with the type of address stored:
+.nf
+.in +4n
+
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+.in
+.fi
+.Pp
+These system calls require an appropriate privilege to complete.
+.Sh RETURN VALUES
+.Rv -std setaudit setaudit_addr
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
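Review bot: The structure listings here are laid out with raw roff requests (`.nf`, `.in +4n`, `.PP`) and blank lines, whereas getaudit.2 in the same commit formats the identical listings with `.Bd -literal -offset indent`, `.Ed` and `.Pp`; the mdoc form should be used here too and the blank lines dropped. The sentence `data structure supports Terminal IDs with larger addresses such as those used` is missing the `and` that the getaudit.2 wording has before `supports`. The ERRORS list also starts without an introductory sentence naming setaudit() and setaudit_addr(), unlike the other pages in this commit.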
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
new file mode 100644
index 0000000..770c32b
--- /dev/null
+++ b/contrib/openbsm/man/setauid.2
@@ -0,0 +1,90 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#9 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUID 2
+.Os
+.Sh NAME
+.Nm setauid
+.Nd "set audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setauid "au_id_t *auid"
+.Sh DESCRIPTION
+The
+.Fn setauid
+system call
+sets the active audit session ID for the current process from the
+.Vt au_id_t
+pointed to by
+.Fa auid .
+.Pp
+This system call requires an appropriate privilege to complete.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn setauid
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to
+the kernel failed.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .