From owner-p4-projects@FreeBSD.ORG Wed Jul 9 20:42:11 2008
Return-Path:
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id 60E9B1065673; Wed, 9 Jul 2008 20:42:11 +0000 (UTC)
Delivered-To: perforce@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 251A41065670 for ; Wed, 9 Jul 2008 20:42:11 +0000 (UTC) (envelope-from sson@FreeBSD.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 0B6DF8FC16 for ; Wed, 9 Jul 2008 20:42:11 +0000 (UTC) (envelope-from sson@FreeBSD.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id m69KgAXl037325 for ; Wed, 9 Jul 2008 20:42:10 GMT (envelope-from sson@FreeBSD.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.14.2/8.14.1/Submit) id m69KgAB7037323 for perforce@freebsd.org; Wed, 9 Jul 2008 20:42:10 GMT (envelope-from sson@FreeBSD.org)
Date: Wed, 9 Jul 2008 20:42:10 GMT
Message-Id: <200807092042.m69KgAB7037323@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to sson@FreeBSD.org using -f
From: Stacey Son
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 144969 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 09 Jul 2008 20:42:11 -0000

http://perforce.freebsd.org/chv.cgi?CH=144969

Change 144969 by sson@sson_amd64 on 2008/07/09 20:41:51

	Added missing info on A_GETPINFO_ADDR, AUDIT_ARGV, AUDIT_ARGE, and
	AUC_DISABLED.  Added more detail.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/man/auditon.2#12 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/man/auditon.2#12 (text+ko) ====
@@ -25,7 +25,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#12 $ .\" .Dd April 19, 2005 .Dt AUDITON 2 @@ -63,14 +63,12 @@ argument must point to a .Vt long -value set to one of the audit -policy control values defined in -.In bsm/audit.h . -Currently, only +value set to one of the following audit +policy control values: +either .Dv AUDIT_CNT -and -.Dv AUDIT_AHLT -are implemented. +or +.Dv AUDIT_AHLT . In the .Dv AUDIT_CNT case, the action will continue regardless if @@ -80,10 +78,21 @@ case, a .Xr panic 9 will result if an event will not be written to the -audit log file. +audit log file. In addition to one of the audit policy control values +defined above, the argument may also include +.Dv AUDIT_ARGV +or +.Dv AUDIT_ARGE +or both. +These flags will audit the argument list and environment variables +passed to the +.Xr execve +system call and are added by bitwise OR'ing to the audit control policy +argument. .It Dv A_SETKAUDIT Return .Er ENOSYS . +(Not implemented.) .It Dv A_SETKMASK Set the kernel preselection masks (success and failure). The @@ -91,8 +100,19 @@ argument must point to a .Vt au_mask_t -structure containing the mask values. -These masks are used for non-attributable audit event preselection. +structure containing the mask values as defined in +.In bsm/audit.h . +These masks are used for non-attributable audit event preselection. +The field +.Fa am_success +specifies which classes of successful audit events are to be logged to the +audit trail. The field +.Fa am_failure +specifies which classes of failed audit events are to be logged. The value of +both fields is the bitwise OR'ing of the audit event classes specified in +.Fa bsm/audit.h . +The various audit classes are described more fully in +.Xr audit_class 5 . .It Dv A_SETQCTRL Set kernel audit queue parameters. The 
@@ -100,24 +120,49 @@ argument must point to a .Vt au_qctrl_t -structure containing the -kernel audit queue control settings: -.Dq "high water" , -.Dq "low water" , -.Dq "output buffer size" , -.Dq "percent min free disk space" , +structure (defined in +.In bsm/audit.h ) +containing the kernel audit queue control settings: +.Fa aq_hiwater , +.Fa aq_lowater , +.Fa aq_bufsz , +.Fa aq_delay , and -.Dq delay -(not currently used). +.Fa aq_minfree . +The field +.Fa aq_hiwater +defines the maximum number of audit record entries in the queue used to store +the audit records ready for delivery to disk. New records are inserted at the +tail of the queue and removed from the head. New records which would exceed the +high water mark, the calling thread is inserted into the a wait queue, waiting +for the audit queue to have enough space available as defined with the field +.Fa aq_lowater . +The field +.Fa aq_bufsz +defines the maximum length of the audit record that can be supplied with +.Xr audit 2 . +The field +.Fa aq_delay +is unused. +The field +.Fa aq_minfree +specifies the minimum amount of free blocks on the disk device used to store +audit records. If the value of free blocks falls below the configured +minimum amount, the kernel informs the audit daemon about low disk space. The +value is to be specified in percent of free filesystem blocks. A value of 0 +results in a disabling of the check. .It Dv A_SETSTAT Return .Er ENOSYS . +(Not implemented.) .It Dv A_SETUMASK Return .Er ENOSYS . +(Not implemented.) .It Dv A_SETSMASK Return .Er ENOSYS . +(Not implemented.) .It Dv A_SETCOND Set the current auditing condition. The 
@@ -131,6 +176,14 @@ .Dv AUC_NOAUDIT , or .Dv AUC_DISABLED . +If +.Dv AUC_NOAUDIT +is set, then auditing is temporarily suspended. If +.Dv AUC_AUDITING +is set, auditing is resumed. If +.Dv AUC_DISABLED +is set, the auditing system will +shutdown, draining all audit records and closing out the audit trail file. .It Dv A_SETCLASS Set the event class preselection mask for an audit event. The @@ -139,6 +192,13 @@ must point to a .Vt au_evclass_map_t structure containing the audit event and mask. +The field +.Fa ec_number +is the audit event and +.Fa ec_class +is the audit class mask. See +.Xr audit_event 5 +for more information on audit event to class mapping. .It Dv A_SETPMASK Set the preselection masks for a process. The @@ -147,7 +207,15 @@ must point to a .Vt auditpinfo_t structure that contains the given process's audit -preselection masks for both success and failure. +preselection masks for both success and failure. The field +.Fa ap_pid +is the process id of the target process. The field +.Fa ap_mask +must point to a +.Fa au_mask_t +structure which holds the preselection masks as described in the +.Da A_SETKMASK +section above. .It Dv A_SETFSIZE Set the maximum size of the audit log file. The @@ -163,6 +231,7 @@ .It Dv A_SETKAUDIT Return .Er ENOSYS . +(Not implemented.) .It Dv A_GETCLASS Return the event to class mapping for the designated audit event. The @@ -170,10 +239,13 @@ argument must point to a .Vt au_evclass_map_t -structure. +structure. See the +.Dv A_SETCLASS +section above for more information. .It Dv A_GETKAUDIT Return .Er ENOSYS . +(Not implemented.) .It Dv A_GETPINFO Return the audit settings for a process. The 
@@ -182,11 +254,44 @@ must point to a .Vt auditpinfo_t structure which will be set to contain -the audit ID, preselection mask, terminal ID, and audit session -ID of the given process. +.Fa ap_auid +(the audit ID), +.Fa ap_mask +(the preselection mask), +.Fa ap_termid +(the terminal ID), and +.Fa ap_asid +(the audit session ID) +of the given target process. The process ID of the target process is passed +into the kernel using the +.Fa ap_pid +field. See the section +.Dv A_SETPMASK +above and +.Xr getaudit 2 +for more information. .It Dv A_GETPINFO_ADDR -Return -.Er ENOSYS . +Return the extended audit settings for a process. +The +.Fa data +argument +must point to a +.Vt auditpinfo_addr_t +structure which is similar to the +.Vt auditpinfo_addr_t +structure described above. +The exception is the +.Fa ap_termid +(the terminal ID) field which points to a +.Vt au_tid_addr_t +structure can hold much a larger terminal address and an address type. +The process ID of the target process is passed into the kernel using the +.Fa ap_pid +field. See the section +.Dv A_SETPMASK +above and +.Xr getaudit 2 +for more information. .It Dv A_GETKMASK Return the current kernel preselection masks. The @@ -204,12 +309,10 @@ must point to a .Vt long value which will be set to -one of the current audit policy flags. -Currently, only -.Dv AUDIT_CNT -and -.Dv AUDIT_AHLT -are implemented. +one of the current audit policy flags. The audit policy flags are +described in the +.Dv A_SETPOLICY +section above. .It Dv A_GETQCTRL Return the current kernel audit queue control parameters. The @@ -218,7 +321,9 @@ must point to a .Vt au_qctrl_t structure which will be set to the current -kernel audit queue control parameters. +kernel audit queue control parameters. See the +.Dv A_SETQCTL +section above for more information. .It Dv A_GETFSIZE Returns the maximum size of the audit log file. The 
@@ -240,17 +345,20 @@ .\" Return the current working directory as stored in the audit subsystem. Return .Er ENOSYS . +(Not implemented.) .It Dv A_GETCAR .\" [COMMENTED OUT]: Valid description, not yet implemented. .\"Stores and returns the current active root as stored in the audit .\"subsystem. Return .Er ENOSYS . +(Not implemented.) .It Dv A_GETSTAT .\" [COMMENTED OUT]: Valid description, not yet implemented. .\"Return the statistics stored in the audit system. Return .Er ENOSYS . +(Not implemented.) .It Dv A_GETCOND Return the current auditing condition. The @@ -259,10 +367,14 @@ must point to a .Vt long value which will be set to -the current audit condition, either -.Dv AUC_AUDITING +the current audit condition, one of +.Dv AUC_AUDITING , +.Dv AUC_NOAUDIT or -.Dv AUC_NOAUDIT . +.Dv AUC_DISABLED . +See the +.Dv A_SETCOND +section above for more information. .It Dv A_SENDTRIGGER Send a trigger to the audit daemon. The
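Review bot: the document date `.Dd April 19, 2005` shown in the context of the first hunk (@@ -25,7 +25,7 @@) is left unchanged even though this change adds several paragraphs of new semantics (AUDIT_ARGV/AUDIT_ARGE, AUC_DISABLED, A_GETPINFO_ADDR); bump `.Dd` to the date of this change so readers can tell the page was revised.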
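Review bot: in the A_SETPOLICY hunk (@@ -63,14 +63,12 @@) the rewrite drops the `.In bsm/audit.h` reference that told readers where the policy values are defined, and the new wording "set to one of the following audit policy control values: either AUDIT_CNT or AUDIT_AHLT" conflicts with the flags being combined by bitwise OR, which the next hunk describes for AUDIT_ARGV and AUDIT_ARGE. Keep the header reference and describe the value as a bitwise OR of policy flags.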
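Review bot: the new A_SETPOLICY paragraph (@@ -80,10 +78,21 @@) cross-references `.Xr execve` without a manual section, unlike every other cross-reference in the page (`.Xr panic 9`, `.Xr audit 2`, `.Xr audit_class 5`); it should be `.Xr execve 2` so mdoc renders execve(2) and the link resolves.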
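Review bot: `.Fa bsm/audit.h` near the end of the A_SETKMASK hunk (@@ -91,8 +100,19 @@) applies the function-argument macro to a header file, while the same hunk correctly uses `.In bsm/audit.h` a few lines earlier; change it to `.In bsm/audit.h` for consistent rendering.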
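Review bot: in the A_SETQCTRL hunk (@@ -100,24 +120,49 @@) the aq_hiwater sentence "New records which would exceed the high water mark, the calling thread is inserted into the a wait queue" is ungrammatical (dangling clause and "the a"); suggest "If a new record would push the queue over the high water mark, the calling thread is placed on a wait queue until the queue has drained to aq_lowater." The aq_minfree text also says "minimum amount of free blocks" and then "specified in percent of free filesystem blocks"; state up front that the field is a percentage so the two sentences agree.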
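Review bot: "the auditing system will shutdown" in the new AUC_DISABLED sentence (A_SETCOND hunk, @@ -131,6 +176,14 @@) needs the verb form "shut down". Since the sentence says the trail is drained and closed, it would also help to state whether, unlike AUC_NOAUDIT, the condition can be left again with AUC_AUDITING or requires a restart of the audit system.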
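Review bot: two macro errors in the A_SETPMASK addition (@@ -147,7 +207,15 @@): `.Fa au_mask_t` marks a type with the function-argument macro where the rest of the page uses `.Vt au_mask_t`, and `.Da A_SETKMASK` is not an mdoc macro at all; it should be `.Dv A_SETKMASK`, as used for every other section cross-reference in this patch. Also write "process ID" rather than "process id" to match "audit ID" and "audit session ID" in the A_GETPINFO text, and check whether ap_mask is really a pointer: the A_GETPINFO text treats ap_mask as holding the preselection mask itself, in which case "must point to" should be "holds".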
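Review bot: the `.It Dv A_SETKAUDIT` entry in the @@ -163,6 +231,7 @@ hunk is the second one in the list; the first appears directly after A_SETPOLICY in the @@ -80,10 +78,21 @@ hunk. Rather than adding "(Not implemented.)" to both copies, drop the duplicate entry.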
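Review bot: the new A_GETPINFO_ADDR entry (@@ -182,11 +254,44 @@) says the `auditpinfo_addr_t` structure "is similar to the .Vt auditpinfo_addr_t structure described above", comparing the type with itself; the second reference should be `.Vt auditpinfo_t`, the structure documented under A_GETPINFO. The next sentence also has a word-order slip: "structure can hold much a larger terminal address" should read "structure, which can hold a much larger terminal address".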
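Review bot: "set to one of the current audit policy flags" in the A_GETPOLICY hunk (@@ -204,12 +309,10 @@) understates what is returned: by the A_SETPOLICY text this patch adds, the policy is AUDIT_CNT or AUDIT_AHLT optionally OR'd with AUDIT_ARGV and AUDIT_ARGE, so the returned long is a flag mask, not a single flag. Suggest "set to the bitwise OR of the current audit policy flags".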
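Review bot: `.Dv A_SETQCTL` in the A_GETQCTRL cross-reference (@@ -218,7 +321,9 @@) is misspelled; the section it points at is `.Dv A_SETQCTRL`.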
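Review bot: the condition list in the A_GETCOND hunk (@@ -259,10 +367,14 @@) writes `.Dv AUC_NOAUDIT` followed by `or` with no comma, while the A_SETCOND context earlier in the patch writes `.Dv AUC_NOAUDIT ,` before `or`; add the trailing comma so the two lists render identically.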