summaryrefslogtreecommitdiffstats
path: root/man
diff options
context:
space:
mode:
Diffstat (limited to 'man')
-rw-r--r--man/Makefile22
-rw-r--r--man/Makefile.in3
-rw-r--r--man/audit.22
-rw-r--r--man/audit.log.576
-rw-r--r--man/audit_class.56
-rw-r--r--man/audit_control.522
-rw-r--r--man/audit_event.56
-rw-r--r--man/audit_user.56
-rw-r--r--man/audit_warn.56
-rw-r--r--man/auditctl.224
-rw-r--r--man/auditon.2205
-rw-r--r--man/getaudit.2107
-rw-r--r--man/getauid.215
-rw-r--r--man/setaudit.2109
-rw-r--r--man/setauid.215
15 files changed, 489 insertions, 135 deletions
diff --git a/man/Makefile b/man/Makefile
deleted file mode 100644
index 1fbbc31..0000000
--- a/man/Makefile
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#7 $
-#
-
-MAN= audit.2 \
- auditctl.2 \
- auditon.2 \
- getaudit.2 \
- getauid.2 \
- setaudit.2 \
- setauid.2 \
- audit.log.5 \
- audit_class.5 \
- audit_control.5 \
- audit_event.5 \
- audit_user.5 \
- audit_warn.5
-
-MLINKS= getaudit.2 getaudit_addr.2 \
- setaudit.2 setaudit_addr.2
-
-.include <bsd.prog.mk>
diff --git a/man/Makefile.in b/man/Makefile.in
index 13a0d76..a24804a 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -15,7 +15,7 @@
@SET_MAKE@
#
-# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile.in#4 $
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile.in#7 $
#
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
@@ -93,6 +93,7 @@ LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
MAINT = @MAINT@
MAKEINFO = @MAKEINFO@
+MIG = @MIG@
MKDIR_P = @MKDIR_P@
OBJEXT = @OBJEXT@
PACKAGE = @PACKAGE@
diff --git a/man/audit.2 b/man/audit.2
index a9cd143..1ee61b9 100644
--- a/man/audit.2
+++ b/man/audit.2
@@ -24,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#9 $
.\"
.Dd April 19, 2005
.Dt AUDIT 2
diff --git a/man/audit.log.5 b/man/audit.log.5
index d0f85ff..dac0067 100644
--- a/man/audit.log.5
+++ b/man/audit.log.5
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#19 $
.\"
.Dd November 5, 2006
.Dt AUDIT.LOG 5
@@ -176,29 +176,27 @@ token can be created using
.Ss in_addr Token
The
.Dq in_addr
-token holds a network byte order IPv4 or IPv6 address.
+token holds a network byte order IPv4 address.
An
.Dq in_addr
token can be created using
.Xr au_to_in_addr 3
-for an IPv4 address, or
-.Xr au_to_in_addr_ex 3
-for an IPv6 address.
-.Pp
-See the
-.Sx BUGS
-section for information on the storage of this token.
+for an IPv4 address.
.Pp
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-.It "IP Address Type 1 byte Type of address"
-.It "IP Address 4/16 bytes IPv4 or IPv6 address"
+.It "IP Address 4 bytes IPv4 address"
.El
.Ss Expanded in_addr Token
The
-.Dq expanded in_addr
-token ...
+.Dq in_addr_ex
+token holds a network byte order IPv4 or IPv6 address.
+An
+.Dq in_addr_ex
+token can be created using
+.Xr au_to_in_addr_ex 3
+for an IPv6 address.
.Pp
See the
.Sx BUGS
@@ -206,7 +204,8 @@ section for information on the storage of this token.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-.It XXXX
+.It "IP Address Type 1 byte Type of address"
+.It "IP Address 4/16 bytes IPv4 or IPv6 address"
.El
.Ss ip Token
The
@@ -230,15 +229,6 @@ token can be created using
.It "Source Address 4 bytes IPv4 source address"
.It "Destination Address 4 bytes IPv4 destination address"
.El
-.Ss Expanded ip Token
-The
-.Dq expanded ip
-token ...
-.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field Bytes Description"
-.It "Token ID 1 byte Token ID"
-.It XXXX
-.El
.Ss iport Token
The
.Dq iport
@@ -556,13 +546,14 @@ token can be created using
.Ss Socket Token
The
.Dq socket
-token contains informations about UNIX domain and Internet sockets.
+token contains information about UNIX domain and Internet sockets.
Each token has four or eight fields.
-Depend on type of socket a socket token may be created using
+Depending on the type of socket, a socket token may be created using
.Xr au_to_sock_unix 3 ,
-.Xr au_to_sock_inet32 3 or
+.Xr au_to_sock_inet32 3
+or
.Xr au_to_sock_inet128 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
@@ -572,18 +563,18 @@ Depend on type of socket a socket token may be created using
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-+.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
-+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
-+.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
-+.It Li "Local port" Ta "2 bytes" Ta "Local port"
-+.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
-+.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
-+.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
+.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
+.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
+.It Li "Local port" Ta "2 bytes" Ta "Local port"
+.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
+.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
+.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
.El
.Ss Expanded Socket Token
The
.Dq expanded socket
-token ...
+token contains information about IPv4 and IPv6 sockets.
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
@@ -639,11 +630,18 @@ token ...
.Ss Zonename Token
The
.Dq zonename
-token ...
+token holds a NUL-terminated string with the name of the zone or jail from
+which the record originated.
+A
+.Dz zonename
+token can be created using
+.Xr au_to_zonename 3 .
+.Pp
.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
.It Sy "Field Bytes Description"
.It "Token ID 1 byte Token ID"
-.It XXXXX
+.It "Zonename length 2 bytes Length of zonename string including NUL"
+.It "Zonename N bytes + 1 NUL Zonename string including NUL"
.El
.Sh SEE ALSO
.Xr auditreduce 1 ,
@@ -676,7 +674,5 @@ and
.Dq in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
-implementations of
-.Xr au_to_in_addr 3
-and
+implementation of
.Xr au_to_in_addr_ex 3 .
diff --git a/man/audit_class.5 b/man/audit_class.5
index cc5b122f..c92f57f 100644
--- a/man/audit_class.5
+++ b/man/audit_class.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#11 $
.\"
.Dd January 24, 2004
.Dt AUDIT_CLASS 5
diff --git a/man/audit_control.5 b/man/audit_control.5
index a91f504..be89a12 100644
--- a/man/audit_control.5
+++ b/man/audit_control.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -26,7 +26,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#17 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#20 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
@@ -57,13 +57,26 @@ Specifies which audit event classes are audited for all users.
.Xr audit_user 5
describes how to audit events for individual users.
See the information below for the format of the audit flags.
+.It Va host
+Specify the hostname or IP address to be used when setting the local
+systems's audit host information.
+This hostname will be converted into an IP or IPv6 address and will
+be included in the header of each audit record.
+Due to the possibility of transient errors coupled with the
+security issues in the DNS protocol itself, the use of DNS
+should be avoided.
+Instead, it is strongly recommended that the hostname be
+specified in the /etc/hosts file.
+For more information see
+.Xr hosts 5 .
.It Va naflags
Contains the audit flags that define what classes of events are audited when
an action cannot be attributed to a specific user.
.It Va minfree
The minimum free space required on the file system audit logs are being written to.
When the free space falls below this limit a warning will be issued.
-Not currently used as the value of 20 percent is chosen by the kernel.
+If no value for the minimum free space is set, the default of 20 percent is
+applied by the kernel.
.It Va policy
A list of global audit policy flags specifying various behaviors, such as
fail stop, auditing of paths and arguments, etc.
@@ -185,6 +198,7 @@ file size.
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
+.Xr auditon 2 ,
.Xr audit 4 ,
.Xr audit_class 5 ,
.Xr audit_event 5 ,
diff --git a/man/audit_event.5 b/man/audit_event.5
index 75e67aa..184a82d 100644
--- a/man/audit_event.5
+++ b/man/audit_event.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#12 $
.\"
.Dd January 24, 2004
.Dt AUDIT_EVENT 5
diff --git a/man/audit_user.5 b/man/audit_user.5
index 1779941..947f5c8 100644
--- a/man/audit_user.5
+++ b/man/audit_user.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#12 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#13 $
.\"
.Dd February 5, 2006
.Dt AUDIT_USER 5
diff --git a/man/audit_warn.5 b/man/audit_warn.5
index d7b20b6..c53f163 100644
--- a/man/audit_warn.5
+++ b/man/audit_warn.5
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -9,7 +9,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#10 $
.\"
.Dd March 17, 2004
.Dt AUDIT_WARN 5
diff --git a/man/auditctl.2 b/man/auditctl.2
index ac3c41a..a5346fb 100644
--- a/man/auditctl.2
+++ b/man/auditctl.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#9 $
.\"
.Dd April 19, 2005
.Dt AUDITCTL 2
@@ -40,20 +41,25 @@ The
.Fn auditctl
system call directs the kernel to open a new audit trail log file.
It requires an appropriate privilege.
-In the
-.Fx
-implementation,
+The
.Fn auditctl
+system call
opens new files, but
.Xr auditon 2
is used to disable the audit log.
-In the Mac OS X implementation, passing
-.Dv NULL
-to
-.Fn auditctl
-will disable the audit log.
.Sh RETURN VALUES
.Rv -std
+.Sh ERRORS
+The
+.Fn auditctl
+system call will fail if:
+.Bl -tag -width Er
+.It Bq Er EINVAL
+The path is invalid.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete the
+operation.
+.El
.Sh SEE ALSO
.Xr auditon 2 ,
.Xr libbsm 3 ,
diff --git a/man/auditon.2 b/man/auditon.2
index 953484c..e47bbb8 100644
--- a/man/auditon.2
+++ b/man/auditon.2
@@ -25,9 +25,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#14 $
.\"
-.Dd April 19, 2005
+.Dd July 10, 2008
.Dt AUDITON 2
.Os
.Sh NAME
@@ -63,27 +63,38 @@ The
argument
must point to a
.Vt long
-value set to one of the audit
-policy control values defined in
-.In bsm/audit.h .
-Currently, only
-.Dv AUDIT_CNT
+value set to one or more the following audit
+policy control values bitwise OR'ed together:
+.Dv AUDIT_CNT ,
+.Dv AUDIT_AHLT ,
+.Dv AUDIT_ARGV ,
and
-.Dv AUDIT_AHLT
-are implemented.
-In the
-.Dv AUDIT_CNT
-case, the action will continue regardless if
-an event will not be audited.
-In the
-.Dv AUDIT_AHLT
-case, a
+.Dv AUDIT_ARGE .
+If
+.Dv AUDIT_CNT is set, the system will continue even if it becomes low
+on space and discontinue logging events until the low space condition is
+remedied.
+If it is not set, audited events will block until the low space
+condition is remedied.
+Unaudited events, however, are unaffected.
+If
+.Dv AUDIT_AHLT is set, a
.Xr panic 9
-will result if an event will not be written to the
-audit log file.
+if it cannot write an event to the global audit log file.
+If
+.Dv AUDIT_ARGV
+is set, then the argument list passed to the
+.Xr execve 2
+system call will be audited. If
+.Dv AUDIT_ARGE
+is set, then the environment variables passed to the
+.Xr execve 2
+system call will be audited. The default policy is none of the audit policy
+control flags set.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
The
@@ -91,8 +102,19 @@ The
argument
must point to a
.Vt au_mask_t
-structure containing the mask values.
-These masks are used for non-attributable audit event preselection.
+structure containing the mask values as defined in
+.In bsm/audit.h .
+These masks are used for non-attributable audit event preselection.
+The field
+.Fa am_success
+specifies which classes of successful audit events are to be logged to the
+audit trail. The field
+.Fa am_failure
+specifies which classes of failed audit events are to be logged. The value of
+both fields is the bitwise OR'ing of the audit event classes specified in
+.Fa bsm/audit.h .
+The various audit classes are described more fully in
+.Xr audit_class 5 .
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
The
@@ -100,24 +122,51 @@ The
argument
must point to a
.Vt au_qctrl_t
-structure containing the
-kernel audit queue control settings:
-.Dq "high water" ,
-.Dq "low water" ,
-.Dq "output buffer size" ,
-.Dq "percent min free disk space" ,
+structure (defined in
+.In bsm/audit.h )
+containing the kernel audit queue control settings:
+.Fa aq_hiwater ,
+.Fa aq_lowater ,
+.Fa aq_bufsz ,
+.Fa aq_delay ,
and
-.Dq delay
-(not currently used).
+.Fa aq_minfree .
+The field
+.Fa aq_hiwater
+defines the maximum number of audit record entries in the queue used to store
+the audit records ready for delivery to disk.
+New records are inserted at the tail of the queue and removed from the head.
+For new records which would exceed the
+high water mark, the calling thread is inserted into the wait queue, waiting
+for the audit queue to have enough space available as defined with the field
+.Fa aq_lowater .
+The field
+.Fa aq_bufsz
+defines the maximum length of the audit record that can be supplied with
+.Xr audit 2 .
+The field
+.Fa aq_delay
+is unused.
+The field
+.Fa aq_minfree
+specifies the minimum amount of free blocks on the disk device used to store
+audit records.
+If the value of free blocks falls below the configured
+minimum amount, the kernel informs the audit daemon about low disk space.
+The value is to be specified in percent of free file system blocks.
+A value of 0 results in a disabling of the check.
.It Dv A_SETSTAT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETUMASK
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETSMASK
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_SETCOND
Set the current auditing condition.
The
@@ -131,6 +180,14 @@ audit condition, one of
.Dv AUC_NOAUDIT ,
or
.Dv AUC_DISABLED .
+If
+.Dv AUC_NOAUDIT
+is set, then auditing is temporarily suspended. If
+.Dv AUC_AUDITING
+is set, auditing is resumed. If
+.Dv AUC_DISABLED
+is set, the auditing system will
+shutdown, draining all audit records and closing out the audit trail file.
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
The
@@ -139,6 +196,13 @@ argument
must point to a
.Vt au_evclass_map_t
structure containing the audit event and mask.
+The field
+.Fa ec_number
+is the audit event and
+.Fa ec_class
+is the audit class mask. See
+.Xr audit_event 5
+for more information on audit event to class mapping.
.It Dv A_SETPMASK
Set the preselection masks for a process.
The
@@ -148,6 +212,16 @@ must point to a
.Vt auditpinfo_t
structure that contains the given process's audit
preselection masks for both success and failure.
+The field
+.Fa ap_pid
+is the process id of the target process.
+The field
+.Fa ap_mask
+must point to a
+.Fa au_mask_t
+structure which holds the preselection masks as described in the
+.Da A_SETKMASK
+section above.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
The
@@ -163,6 +237,7 @@ indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
The
@@ -170,10 +245,13 @@ The
argument
must point to a
.Vt au_evclass_map_t
-structure.
+structure. See the
+.Dv A_SETCLASS
+section above for more information.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETPINFO
Return the audit settings for a process.
The
@@ -182,11 +260,47 @@ argument
must point to a
.Vt auditpinfo_t
structure which will be set to contain
-the audit ID, preselection mask, terminal ID, and audit session
-ID of the given process.
+.Fa ap_auid
+(the audit ID),
+.Fa ap_mask
+(the preselection mask),
+.Fa ap_termid
+(the terminal ID), and
+.Fa ap_asid
+(the audit session ID)
+of the given target process.
+The process ID of the target process is passed
+into the kernel using the
+.Fa ap_pid
+field.
+See the section
+.Dv A_SETPMASK
+above and
+.Xr getaudit 2
+for more information.
.It Dv A_GETPINFO_ADDR
-Return
-.Er ENOSYS .
+Return the extended audit settings for a process.
+The
+.Fa data
+argument
+must point to a
+.Vt auditpinfo_addr_t
+structure which is similar to the
+.Vt auditpinfo_addr_t
+structure described above.
+The exception is the
+.Fa ap_termid
+(the terminal ID) field which points to a
+.Vt au_tid_addr_t
+structure can hold much a larger terminal address and an address type.
+The process ID of the target process is passed into the kernel using the
+.Fa ap_pid
+field.
+See the section
+.Dv A_SETPMASK
+above and
+.Xr getaudit 2
+for more information.
.It Dv A_GETKMASK
Return the current kernel preselection masks.
The
@@ -205,11 +319,10 @@ must point to a
.Vt long
value which will be set to
one of the current audit policy flags.
-Currently, only
-.Dv AUDIT_CNT
-and
-.Dv AUDIT_AHLT
-are implemented.
+The audit policy flags are
+described in the
+.Dv A_SETPOLICY
+section above.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
The
@@ -219,6 +332,9 @@ must point to a
.Vt au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
+See the
+.Dv A_SETQCTL
+section above for more information.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
The
@@ -240,17 +356,20 @@ will be set to the current audit log file size.
.\" Return the current working directory as stored in the audit subsystem.
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETCAR
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Stores and returns the current active root as stored in the audit
.\"subsystem.
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETSTAT
.\" [COMMENTED OUT]: Valid description, not yet implemented.
.\"Return the statistics stored in the audit system.
Return
.Er ENOSYS .
+(Not implemented.)
.It Dv A_GETCOND
Return the current auditing condition.
The
@@ -259,10 +378,14 @@ argument
must point to a
.Vt long
value which will be set to
-the current audit condition, either
-.Dv AUC_AUDITING
+the current audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT
or
-.Dv AUC_NOAUDIT .
+.Dv AUC_DISABLED .
+See the
+.Dv A_SETCOND
+section above for more information.
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
The
diff --git a/man/getaudit.2 b/man/getaudit.2
index 0592721..77a0f8e 100644
--- a/man/getaudit.2
+++ b/man/getaudit.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,9 +24,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#10 $
.\"
-.Dd April 19, 2005
+.Dd October 19, 2008
.Dt GETAUDIT 2
.Os
.Sh NAME
@@ -54,9 +55,111 @@ retrieves extended state via
and
.Fa length .
.Pp
+The
+.Fa auditinfo_t
+data structure is defined as follows:
+.Bd -literal -offset indent
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID */
+ au_mask_t ai_mask; /* Audit masks */
+ au_tid_t ai_termid; /* Terminal ID */
+ au_asid_t ai_asid; /* Audit session ID */
+};
+typedef struct auditinfo auditinfo_t;
+.Ed
+.Pp
+The
+.Fa ai_auid
+variable contains the audit identifier which is recorded in the audit log for
+each event the process caused.
+.Pp
+The
+.Fa au_mask_t
+data structure defines the bit mask for auditing successful and failed events
+out of the predefined list of event classes.
+It is defined as follows:
+.Bd -literal -offset indent
+struct au_mask {
+ unsigned int am_success; /* success bits */
+ unsigned int am_failure; /* failure bits */
+};
+typedef struct au_mask au_mask_t;
+.Ed
+.Pp
+The
+.Fa au_termid_t
+data structure defines the Terminal ID recorded with every event caused by the
+process.
+It is defined as follows:
+.Bd -literal -offset indent
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+.Ed
+.Pp
+The
+.Fa ai_asid
+variable contains the audit session ID which is recorded with every event
+caused by the process.
+.Pp
+The
+.Fn getaudit_addr
+system call
+uses the expanded
+.Fa auditinfo_addr_t
+data structure and supports Terminal IDs with larger addresses
+such as those used in IP version 6.
+It is defined as follows:
+.Bd -literal -offset indent
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+.Ed
+.Pp
+The
+.Fa au_tid_addr_t
+data structure which includes a larger address storage field and an additional
+field with the type of address stored:
+.Bd -literal -offset indent
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+.Ed
+.Pp
These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std getaudit getaudit_addr
+.Sh ERRORS
+The
+.Fn getaudit
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.It Bq Er EOVERFLOW
+The
+.Fa length
+argument indicates an overflow condition will occur.
+.It Bq Er E2BIG
+The address is too big and, therefore,
+.Fn getaudit_addr
+should be used instead.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
diff --git a/man/getauid.2 b/man/getauid.2
index 2624f1e..dc6ae0a 100644
--- a/man/getauid.2
+++ b/man/getauid.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#9 $
.\"
.Dd April 19, 2005
.Dt GETAUID 2
@@ -47,6 +48,18 @@ pointed to by
This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std
+.Sh ERRORS
+The
+.Fn getauid
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred from
+the kernel failed.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
diff --git a/man/setaudit.2 b/man/setaudit.2
index 22e2192..5426c87 100644
--- a/man/setaudit.2
+++ b/man/setaudit.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#10 $
.\"
.Dd April 19, 2005
.Dt SETAUDIT 2
@@ -54,9 +55,115 @@ sets extended state via
and
.Fa length .
.Pp
+The
+.Fa auditinfo_t
+data structure is defined as follows:
+.nf
+.in +4n
+
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID */
+ au_mask_t ai_mask; /* Audit masks */
+ au_tid_t ai_termid; /* Terminal ID */
+ au_asid_t ai_asid; /* Audit session ID */
+};
+typedef struct auditinfo auditinfo_t;
+.in
+.fi
+.Pp
+The
+.Fa ai_auid
+variable contains the audit identifier which is recorded in the audit log for
+each event the process caused.
+.PP
+
+The
+.Fa au_mask_t
+data structure defines the bit mask for auditing successful and failed events
+out of the predefined list of event classes. It is defined as follows:
+.nf
+.in +4n
+
+struct au_mask {
+ unsigned int am_success; /* success bits */
+ unsigned int am_failure; /* failure bits */
+};
+typedef struct au_mask au_mask_t;
+.in
+.fi
+.PP
+
+The
+.Fa au_termid_t
+data structure defines the Terminal ID recorded with every event caused by the
+process. It is defined as follows:
+.nf
+.in +4n
+
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+
+.in
+.fi
+.PP
+The
+.Fa ai_asid
+variable contains the audit session ID which is recorded with every event
+caused by the process.
+.Pp
+The
+.Fn setaudit_addr
+system call
+uses the expanded
+.Fa auditinfo_addr_t
+data structure supports Terminal IDs with larger addresses such as those used
+in IP version 6. It is defined as follows:
+.nf
+.in +4n
+
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+.in
+.fi
+.Pp
+The
+.Fa au_tid_addr_t
+data structure which includes a larger address storage field and an additional
+field with the type of address stored:
+.nf
+.in +4n
+
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+.in
+.fi
+.Pp
These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std setaudit setaudit_addr
+.Sh ERRORS
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
diff --git a/man/setauid.2 b/man/setauid.2
index a736a34..770c32b 100644
--- a/man/setauid.2
+++ b/man/setauid.2
@@ -1,5 +1,6 @@
.\"-
.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2008 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +24,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#9 $
.\"
.Dd April 19, 2005
.Dt SETAUID 2
@@ -47,6 +48,18 @@ pointed to by
This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
.Rv -std
+.Sh ERRORS
+The
+.Fn setauid
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+A failure occurred while data transferred to
+the kernel failed.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
OpenPOWER on IntegriCloud