Date: Sat, 28 Apr 2007 21:31:56 GMT
From: Alexey Mikhailov <karma@FreeBSD.org>
To: Perforce Change Reviews <perforce@FreeBSD.org>
Subject: PERFORCE change 118918 for review
Message-ID: <200704282131.l3SLVuJH044321@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=118918

Change 118918 by karma@karma_ez on 2007/04/28 21:31:30

	Sync with main tree.

Affected files ...

.. //depot/projects/soc2007/karma_audit/contrib/openbsm/HISTORY#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/README#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/TODO#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/VERSION#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/audit/audit.8#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.8#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.8#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditreduce/auditreduce.1#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.1#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bsm/libbsm.h#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/compat/clock_gettime.h#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/config/config.h#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/configure#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/configure.ac#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/etc/audit_event#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_class.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_control.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_event.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_free_token.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_io.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_mask.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_open.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_token.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_user.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/audit_submit.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_io.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_notify.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_token.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_wrappers.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/libbsm.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit.log.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_class.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_control.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_event.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_user.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_warn.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/auditctl.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/auditon.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/getaudit.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/getauid.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/setaudit.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/setauid.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/bsm/generate.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/arg32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/data_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/file_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/in_addr_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/ip_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/ipc_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/iport_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/opaque_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/path_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_record#2 delete
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_record-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_record-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_token#2 delete
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_token-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_token-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64_record#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64_token#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_record-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_record-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_token-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_token-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/return32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/seq_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32ex_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32ex_token-IPv4#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32ex_token-IPv6#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/text_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/zonename_record#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/zonename_token#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/tools/audump.c#2 integrate

Differences ...

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/HISTORY#2 (text) ====
@@ -1,3 +1,23 @@ +OpenBSM 1.0 alpha 14 + +- Fix endian issues when processing IPv6 addresses for extended subject + and process tokens. +- gcc41 warnings clean. +- Teach audit_submit(3) about getaudit_addr(2). +- Add support for zonename tokens. + +OpenBSM 1.0 alpha 13 + +- compat/clock_gettime.h now provides a compatibility implementation of + clock_gettime(), which fixes building on Mac OS X. +- Countless man page improvements, markup fixes, content fixs, etc. +- XML printing support via "praudit -x". +- audit.log.5 expanded to include additional BSM token types. +- Added encoding and decoding routines for process64_ex, process32_ex, + subject32_ex, header64, and attr64 tokens. +- Additional audit event identifiers for listen, mlockall/munlockall, + getpath, POSIX message queues, and mandatory access control. + OpenBSM 1.0 alpha 12 - Correct bug in auditreduce which prevented the -c option from working @@ -264,4 +284,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $ +$P4: //depot/projects/trustedbsd/openbsm/HISTORY#50 $ ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/README#2 (text) ==== 
@@ -3,11 +3,13 @@ Introduction OpenBSM provides an open source implementation of Sun's BSM Audit API. -Originally created under contract to Apple Computer by McAfee Research, -this implementation is now maintained by volunteers and the generous -contribution of several organizations. Coupled with a kernel audit -implementation, OpenBSM can be used to maintain system audit streams, and -is a foundation for an Audit-enabled system. +Originally created under contract to Apple Computer by McAfee Research, this +implementation is now maintained by volunteers and the generous contribution +of several organizations. Coupled with a kernel audit implementation, +OpenBSM can be used to maintain system audit streams, and is a foundation for +an Audit-enabled system. Portions of OpenBSM, including include files and +token-building routines, are reusable in a kernel audit implementation, and +may be found in the FreeBSD and Mac OS X kernels. Contents @@ -15,13 +17,22 @@ bin/ Audit-related command line tools bsm/ System include files for BSM + compat/ Compatibility code to build on various OS's etc/ Sample /etc/security configuration files libbsm/ Implementation of BSM library interfaces and man pages man/ System call and configuration file man pages + modules/ Directory for auditfilterd module source + test/ Test token sets and geneneration program + tools/ Tool directory, including audump to dump databases -OpenBSM currently builds on FreeBSD and Darwin. With Makefile adjustment -and minor tweaks, it should build without problems on a broad range of -POSIX-like systems. +The following programs are included with OpenBSM: + + audit Command line audit control tool + auditd Audit management daemon + auditfilterd Experimental event monitoring framework + auditreduce Audit trail reduction tool + audump Debugging tool to parse and print audit databases + praudit Tool to print audit trails Building 
@@ -29,7 +40,7 @@ for building on a range of operating systems, including FreeBSD, Mac OS X, and Linux. Depending on the availability of audit facilities in the underlying operating system, some components that depend on kernel audit -support are built conditionally. Typically, build will be performed using +support are built conditionally. Typically, build will be performed using: ./configure make @@ -51,13 +62,12 @@ You will need to manually propagate openbsm/etc/* into /etc on your system; this is not done automatically so as to avoid disrupting the current -configuration. Currently, the locations of these files is not -configurable. +configuration. Currently, the locations of these files is not configurable. Credits -The following organizations and individuals have contributed substantially -to the development of OpenBSM: +The following organizations and individuals have contributed substantially to +the development of OpenBSM: Apple Computer, Inc. McAfee Research, McAfee, Inc. @@ -76,6 +86,9 @@ Martin Fong Pawel Worach Martin Englund + Ruslan Ermilov + Martin Voros + Diego Giagio In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel Software's FlexeLint tool were used to identify a number of bugs in the @@ -97,4 +110,4 @@ http://www.TrustedBSD.org/ -$P4: //depot/projects/trustedbsd/openbsm/README#19 $ +$P4: //depot/projects/trustedbsd/openbsm/README#23 $ ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/TODO#2 (text) ==== @@ -1,4 +1,3 @@ -- Teach praudit how to general XML format BSM streams. - Teach libbsm about any additional 64-bit token types that are present in more recent Solaris versions. - Build a regression test suite for libbsm that generates each token @@ -20,4 +19,4 @@ - Put hostname in trail file name. - Document audit_warn event arguments. -$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $ +$P4: //depot/projects/trustedbsd/openbsm/TODO#9 $ ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/VERSION#2 (text) ==== 
@@ -1,1 +1,1 @@ -OPENBSM_1_0_ALPHA_12 +OPENBSM_1_0_ALPHA_14 ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/audit/audit.8#2 (text) ==== @@ -2,20 +2,20 @@ .\" All rights reserved. .\" .\" @APPLE_BSD_LICENSE_HEADER_START@ -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: -.\" +.\" .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" +.\" from this software without specific prior written permission. +.\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
@@ -26,32 +26,27 @@ .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#9 $ .\" -.Dd January 24, 2004 +.Dd October 2, 2006 .Dt AUDIT 8 .Os .Sh NAME .Nm audit .Nd audit management utility .Sh SYNOPSIS -.Nm audit -.Op Fl nst -.Op Ar file +.Nm +.Fl n | s | t .Sh DESCRIPTION The -.Nm +.Nm utility controls the state of the audit system. -The optional -.Ar file -operand specifies the location of the audit control input file (default -.Pa /etc/security/audit_control ) . -.Pp -The options are as follows: -.Bl -tag -width Ds +One of the following flags is required as an argument to +.Nm : +.Bl -tag -width indent .It Fl n Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file. 
@@ -69,22 +64,27 @@ .Xr auditd 8 daemon must already be running. .Sh FILES -.Bl -tag -width "/etc/security/audit_control" -compact +.Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_control -Default audit policy file used to configure the auditing system. +Audit policy file used to configure the auditing system. .El .Sh SEE ALSO +.Xr audit 4 , .Xr audit_control 5 , .Xr auditd 8 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. -It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.8#2 (text) ==== 
@@ -29,46 +29,35 @@ .\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#12 $ .\" -.Dd January 24, 2004 +.Dd October 2, 2006 .Dt AUDITD 8 .Os .Sh NAME .Nm auditd .Nd audit log management daemon .Sh SYNOPSIS -.Nm auditd -.Op Fl dhs +.Nm +.Op Fl d .Sh DESCRIPTION The .Nm -daemon responds to requests from the audit(1) utility and notifications -from the kernel. It manages the resulting audit log files and specified +daemon responds to requests from the +.Xr audit 8 +utility and notifications +from the kernel. +It manages the resulting audit log files and specified log file locations. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent .It Fl d -Starts the daemon in debug mode - it will not daemonize. +Starts the daemon in debug mode \[em] it will not daemonize. .El -.Pp -The historical -.Fl h -and -.Fl s -flags are now configured using -.Xr audit_control 5 -policy flags -.Dv ahlt -and -.Dv cnt , -and are no longer available as arguments to -.Xr auditd 8 . .Sh NOTE -.Pp To assure uninterrupted audit support, the -.Nm auditd +.Nm daemon should not be started and stopped manually. Instead, the .Xr audit 8 
@@ -78,28 +67,51 @@ .Pa audit_control file. .Pp -.\" Sending a SIGHUP to a running -.\" .Nm auditd +.\" Sending a +.\" .Dv SIGHUP +.\" to a running +.\" .Nm .\" daemon will force it to exit. -Sending a SIGTERM to a running -.Nm auditd +Sending a +.Dv SIGTERM +to a running +.Nm daemon will force it to exit. .Sh FILES -.Bl -tag -width "/var/audit" -compact +.Bl -tag -width ".Pa /var/audit" -compact .It Pa /var/audit Default directory for storing audit log files. .El +.Sh COMPATIBILITY +The historical +.Fl h +and +.Fl s +flags are now configured using +.Xr audit_control 5 +policy flags +.Cm ahlt +and +.Cm cnt , +and are no longer available as arguments to +.Nm . .Sh SEE ALSO +.Xr audit 4 , +.Xr audit_control 5 , .Xr audit 8 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. -It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.c#2 (text) ==== 
@@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#25 $ */ #include <sys/types.h> @@ -865,7 +865,7 @@ syslog(LOG_ERR, "Could not create audit startup event."); else { /* - * XXXCSJP Perhaps we wan't more robust audit records for + * XXXCSJP Perhaps we want more robust audit records for * audit start up and shutdown. This might include capturing * failures to initialize the audit subsystem? */ @@ -896,7 +896,7 @@ int debug = 0; int rc; - while ((ch = getopt(argc, argv, "dhs")) != -1) { + while ((ch = getopt(argc, argv, "d")) != -1) { switch(ch) { case 'd': /* Debug option. */ ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.8#2 (text) ==== @@ -23,18 +23,19 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#2 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#4 $ .\" -.Dd March 27, 2006 +.Dd October 3, 2006 .Dt AUDITFILTERD 8 .Os .Sh NAME .Nm auditfilterd .Nd audit filter daemon .Sh SYNOPSIS -.Nm auditfilterd +.Nm .Op Fl d .Op Fl c Ar conffile +.Op Fl p Ar pipefile .Op Fl t Ar trailfile .Sh DESCRIPTION The 
@@ -44,18 +45,23 @@ It is configured using the .Xr audit_filter 5 configuration file. +The source can either be a pipe or a file. .Pp The options are as follows: -.Bl -tag -width Ds -.It Fl d -Starts the daemon in debug mode - it will not daemonize. +.Bl -tag -width indent .It Fl c Ar conffile Specify an alternative configuration file. +.It Fl d +Starts the daemon in debug mode \[em] it will not daemonize. +.It Fl p Ar pipefile +Specify a pipe as an alternative source of audit event records. +Default is +.Pa /dev/auditpipe . .It Fl t Ar trailfile -Specify an alternative source of audit event records. +Specify a file as an alternative source of audit event records. .El .Sh FILES -.Bl -tag -width "/etc/security/audit_filterd" -compact +.Bl -tag -width ".Pa /etc/security/audit_filterd" -compact .It Pa /etc/security/audit_filterd Default configuration file for .Nm . @@ -66,12 +72,13 @@ .Sh SEE ALSO .Xr audit 8 , .Xr auditd 8 -.Sh AUTHORS -The -.Nm -daemon and audit filter APIs were created by Robert Watson. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. +.Sh AUTHORS +The +.Nm +daemon and audit filter APIs were created by +.An Robert Watson . ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.c#2 (text) ==== @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#11 $ */ /* 
@@ -48,6 +48,10 @@ #include <compat/queue.h> #endif +#ifndef HAVE_CLOCK_GETTIME +#include <compat/clock_gettime.h> +#endif + #include <bsm/libbsm.h> #include <bsm/audit_filter.h> @@ -76,7 +80,7 @@ usage(void) { - fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]" + fprintf(stderr, "auditfilterd [-d] [-c conffile] [-p pipefile]" " [-t trailfile]\n"); fprintf(stderr, " -c Specify configuration file (default: %s)\n", AUDITFILTERD_CONFFILE); ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditreduce/auditreduce.1#2 (text) ==== @@ -1,18 +1,18 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" +.\" from this software without specific prior written permission. +.\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -34,44 +34,43 @@ .Nm auditreduce .Nd "select records from audit trail files" .Sh SYNOPSIS -.Nm auditreduce +.Nm .Op Fl A -.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] -.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS +.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS .Op Fl c Ar flags .Op Fl d Ar YYYYMMDD .Op Fl e Ar euid .Op Fl f Ar egid .Op Fl g Ar rgid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object Ns = Ns Ar value .Op Fl r Ar ruid .Op Fl u Ar auid -.Op Fl j Ar id -.Op Fl m Ar event -.Op Fl o Ar object=value -.Op Ar file ... +.Op Ar .Sh DESCRIPTION The -.Nm +.Nm utility selects records from the audit trail files based on the specified criteria. Matching audit records are printed to the standard output in their raw binary form. -If no filename is specified, the standard input is used +If no +.Ar file +argument is specified, the standard input is used by default. -Use the -.Nm praudit +Use the +.Xr praudit 1 utility to print the selected audit records in human-readable form. -See -.Xr praudit 1 -for more information. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent .It Fl A Select all records. -.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS Select records that occurred after or on the given datetime. -.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS Select records that occurred before the given datetime. .It Fl c Ar flags Select records matching the given audit classes specified as a comma 
@@ -86,15 +85,11 @@ or .Fl b . .It Fl e Ar euid -Select records with the given effective user id or name. +Select records with the given effective user ID or name. .It Fl f Ar egid -Select records with the given effective group id or name. +Select records with the given effective group ID or name. .It Fl g Ar rgid -Select records with the given real group id or name. -.It Fl r Ar ruid -Select records with the given real user id or name. -.It Fl u Ar auid -Select records with the given audit id. +Select records with the given real group ID or name. .It Fl j Ar id Select records having a subject token with matching ID. .It Fl m Ar event 
@@ -102,45 +97,53 @@ See .Xr audit_event 5 for a description of audit event names and numbers. -.It Fl o Ar object=value -.Bl -tag -width Ds -.It Nm file +.It Fl o Ar object Ns = Ns Ar value +.Bl -tag -width ".Cm msgqid" +.It Cm file Select records containing path tokens, where the pathname matches one of the comma delimited extended regular expression contained in given specification. -Regular expressions which are prefixed with a tilde (~) are excluded +Regular expressions which are prefixed with a tilde +.Pq Ql ~ +are excluded from the search results. These extended regular expressions are processed from left to right, and a path will either be selected or deslected based on the first match. .Pp -Since commas are used to delimit the regular expressions, a backslash (\\) -character should be used to escape the comma if it's a part of the search +Since commas are used to delimit the regular expressions, a backslash +.Pq Ql \e +character should be used to escape the comma if it is a part of the search pattern. -.It Nm msgqid -Select records containing the given message queue id. -.It Nm pid -Select records containing the given process id. -.It Nm semid -Select records containing the given semaphore id. -.It Nm shmid -Select records containing the given shared memory id. +.It Cm msgqid +Select records containing the given message queue ID. +.It Cm pid +Select records containing the given process ID. +.It Cm semid +Select records containing the given semaphore ID. +.It Cm shmid +Select records containing the given shared memory ID. .El +.It Fl r Ar ruid +Select records with the given real user ID or name. +.It Fl u Ar auid +Select records with the given audit ID. 
.El -.Sh Examples -.Pp +.Sh EXAMPLES To select all records associated with effective user ID root from the audit log .Pa /var/audit/20031016184719.20031017122634 : +.Bd -literal -offset indent +auditreduce -e root \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp -.Nm --e root /var/audit/20031016184719.20031017122634 -.Pp To select all .Xr setlogin 2 events from that log: -.Pp -.Nm --m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Bd -literal -offset indent +auditreduce -m AUE_SETLOGIN \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Output from the above command lines will typically be piped to a new trail file, or via standard output to the 
@@ -148,36 +151,43 @@ command. .Pp Select all records containing a path token where the pathname contains -.Pa /etc/master.passwd -.Pp -.Nm --ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634 +.Pa /etc/master.passwd : +.Bd -literal -offset indent +auditreduce -o file="/etc/master.passwd" \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Select all records containing path tokens, where the pathname is a TTY device: +.Bd -literal -offset indent +auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp -.Nm --ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 -.Pp Select all records containing path tokens, where the pathname is a TTY except for -.Pa /dev/ttyp2 -.Pp -.Nm --ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Pa /dev/ttyp2 : +.Bd -literal -offset indent +auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e + /var/audit/20031016184719.20031017122634 +.Ed .Sh SEE ALSO .Xr praudit 1 , .Xr audit_control 5 , .Xr audit_event 5 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 
-It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.1#2 (text) ==== @@ -1,18 +1,18 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" +.\" from this software without specific prior written permission. +.\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -25,73 +25,94 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 $ .\" -.Dd January 24, 2004 +.Dd November 5, 2006 .Dt PRAUDIT 1 .Os .Sh NAME .Nm praudit .Nd "print the contents of audit trail files" .Sh SYNOPSIS -.Nm praudit -.Op Fl lrs +.Nm +.Op Fl lpx +.Op Fl r | s .Op Fl d Ar del -.Op Ar file ... +.Op Ar .Sh DESCRIPTION The -.Nm +.Nm utility prints the contents of the audit trail files to the standard output in human-readable form. -If no filename is specified, the standard input is used +If no +.Ar file +argument is specified, the standard input is used by default. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent +.It Fl d Ar del +Specifies the delimiter. +The default delimiter is the comma. .It Fl l Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line. +.It Fl p +Specify this option if input to +.Nm +is piped from the +.Xr tail 1 +utility. +This causes +.Nm +to sync to the start of the next record. .It Fl r Prints the records in their raw, numeric form. -This option is exclusive from -.Fl s +This option is exclusive from +.Fl s . .It Fl s Prints the tokens in their short form. Short text representations for record and event type are displayed. This option is exclusive from -.Fl r -.It Fl d Ar del -Specifies the delimiter. -The default delimiter is the comma. +.Fl r . +.It Fl x +Print audit records in the XML output format. .El .Pp If the raw or short forms are not specified, the default is to print the tokens in their long form. Events are displayed as per their descriptions given in .Pa /etc/security/audit_event ; -uids and gids are expanded to their names; +UIDs and GIDs are expanded to their names; dates and times are displayed in human-readable format. 
.Sh FILES -.Bl -tag -width "/etc/security/audit_control" -compact +.Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_class -Descriptions of audit event classes +Descriptions of audit event classes. .It Pa /etc/security/audit_event -Descriptions of audit events +Descriptions of audit events. .El .Sh SEE ALSO +.Xr auditreduce 1 , +.Xr audit 4 , +.Xr auditpipe 4 , .Xr audit_class 5 , .Xr audit_event 5 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. -It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.c#2 (text) ==== >>> TRUNCATED FOR MAIL (1000 lines) <<<
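Review bot: in the auditreduce.1 hunk (@@ -148,36 +151,43 @@) the three examples change the option spelling from `--ofile=...` to `-o file=...`, so the SYNOPSIS and the `-o` option description earlier in auditreduce.1 (outside this hunk) must use the same form, or the examples will contradict the usage line. Moving `.Sh HISTORY` ahead of `.Sh AUTHORS` and adding `.An -nosplit` follow mdoc(7) section ordering, and `\e` inside the `.Bd -literal` blocks correctly renders the literal backslash used for line continuation.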
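Review bot: the first praudit.1 hunk (@@ -1,18 +1,18 @@) is whitespace-only, dropping trailing blanks from the `.\"` license comment lines, and changes no rendered text; acceptable as part of the sync, though it pads the diff to review.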
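Review bot: in the praudit.1 options hunk (@@ -25,73 +25,94 @@) the new `.It Fl x` entry says only "Print audit records in the XML output format" and does not state how `-x` interacts with `-r`, `-s`, `-l` or the `-d` delimiter, while the SYNOPSIS `.Op Fl lpx` presents it as freely combinable; add a sentence saying whether the delimiter and the raw/short forms apply in XML mode. Minor wording: "This option is exclusive from" reads better as "This option is mutually exclusive with", and the new `.Op Fl r | s` in the SYNOPSIS already encodes that exclusion, which is good.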
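Review bot: the praudit.c part of this change is cut off in the mail (">>> TRUNCATED FOR MAIL (1000 lines) <<<"), so the `-p` and `-x` behaviour documented in the praudit.1 hunks cannot be checked against the implementation from this message; pull the full change from Perforce before signing off. In the FILES/SEE ALSO hunk, `-width ".Pa /etc/security/audit_control"` is the idiomatic way to size the tag column, and the added `.Xr auditreduce 1`, `.Xr audit 4` and `.Xr auditpipe 4` cross-references are appropriate given the new pipe-oriented `-p` option.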