Date:      Sat, 28 Apr 2007 21:31:56 GMT
From:      Alexey Mikhailov <karma@FreeBSD.org>
To:        Perforce Change Reviews <perforce@FreeBSD.org>
Subject:   PERFORCE change 118918 for review
Message-ID:  <200704282131.l3SLVuJH044321@repoman.freebsd.org>

http://perforce.freebsd.org/chv.cgi?CH=118918

Change 118918 by karma@karma_ez on 2007/04/28 21:31:30

	Sync with main tree.

Affected files ...

.. //depot/projects/soc2007/karma_audit/contrib/openbsm/HISTORY#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/README#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/TODO#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/VERSION#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/audit/audit.8#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.8#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.8#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditreduce/auditreduce.1#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.1#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/bsm/libbsm.h#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/compat/clock_gettime.h#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/config/config.h#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/configure#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/configure.ac#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/etc/audit_event#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_class.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_control.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_event.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_free_token.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_io.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_mask.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_open.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_token.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/au_user.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/audit_submit.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_io.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_notify.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_token.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/bsm_wrappers.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/libbsm/libbsm.3#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit.log.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_class.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_control.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_event.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_user.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/audit_warn.5#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/auditctl.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/auditon.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/getaudit.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/getauid.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/setaudit.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/man/setauid.2#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/bsm/generate.c#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/arg32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/data_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/file_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/in_addr_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/ip_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/ipc_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/iport_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/opaque_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/path_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_record#2 delete
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_record-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_record-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_token#2 delete
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_token-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process32ex_token-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64_record#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64_token#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_record-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_record-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_token-IPv4#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/process64ex_token-IPv6#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/return32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/seq_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32ex_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32ex_token-IPv4#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/subject32ex_token-IPv6#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/text_record#2 integrate
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/zonename_record#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/test/reference/zonename_token#1 branch
.. //depot/projects/soc2007/karma_audit/contrib/openbsm/tools/audump.c#2 integrate

Differences ...

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/HISTORY#2 (text) ====

@@ -1,3 +1,23 @@
+OpenBSM 1.0 alpha 14
+
+- Fix endian issues when processing IPv6 addresses for extended subject
+  and process tokens.
+- gcc41 warnings clean.
+- Teach audit_submit(3) about getaudit_addr(2).
+- Add support for zonename tokens.
+
+OpenBSM 1.0 alpha 13
+
+- compat/clock_gettime.h now provides a compatibility implementation of
+  clock_gettime(), which fixes building on Mac OS X.
+- Countless man page improvements, markup fixes, content fixs, etc.
+- XML printing support via "praudit -x".
+- audit.log.5 expanded to include additional BSM token types.
+- Added encoding and decoding routines for process64_ex, process32_ex,
+  subject32_ex, header64, and attr64 tokens.
+- Additional audit event identifiers for listen, mlockall/munlockall,
+  getpath, POSIX message queues, and mandatory access control.
+
 OpenBSM 1.0 alpha 12
 
 - Correct bug in auditreduce which prevented the -c option from working
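Review bot: typo on the added alpha 13 line, "content fixs" should be "content fixes". The alpha 14 entry "Fix endian issues when processing IPv6 addresses for extended subject and process tokens" records a decoder correctness fix that changes how addresses in those tokens are interpreted; the affected-file list of this change splits the process32ex reference record and token into -IPv4 and -IPv6 variants, which are the regression vectors that pin that fix, so consider naming them in the entry.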
@@ -264,4 +284,4 @@
   to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
 
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#50 $

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/README#2 (text) ====

@@ -3,11 +3,13 @@
   Introduction
 
 OpenBSM provides an open source implementation of Sun's BSM Audit API. 
-Originally created under contract to Apple Computer by McAfee Research, 
-this implementation is now maintained by volunteers and the generous 
-contribution of several organizations.  Coupled with a kernel audit 
-implementation, OpenBSM can be used to maintain system audit streams, and 
-is a foundation for an Audit-enabled system.
+Originally created under contract to Apple Computer by McAfee Research, this
+implementation is now maintained by volunteers and the generous contribution
+of several organizations.  Coupled with a kernel audit implementation,
+OpenBSM can be used to maintain system audit streams, and is a foundation for
+an Audit-enabled system.  Portions of OpenBSM, including include files and
+token-building routines, are reusable in a kernel audit implementation, and
+may be found in the FreeBSD and Mac OS X kernels.
 
   Contents
 
@@ -15,13 +17,22 @@
 
     bin/           Audit-related command line tools
     bsm/           System include files for BSM
+    compat/        Compatibility code to build on various OS's
     etc/           Sample /etc/security configuration files
     libbsm/        Implementation of BSM library interfaces and man pages
     man/           System call and configuration file man pages
+    modules/       Directory for auditfilterd module source
+    test/          Test token sets and geneneration program
+    tools/         Tool directory, including audump to dump databases
 
-OpenBSM currently builds on FreeBSD and Darwin.  With Makefile adjustment
-and minor tweaks, it should build without problems on a broad range of
-POSIX-like systems.
+The following programs are included with OpenBSM:
+
+    audit          Command line audit control tool
+    auditd         Audit management daemon
+    auditfilterd   Experimental event monitoring framework
+    auditreduce    Audit trail reduction tool
+    audump         Debugging tool to parse and print audit databases
+    praudit        Tool to print audit trails
 
   Building
 
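Review bot: typo on the added line "Test token sets and geneneration program", should be "generation".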
@@ -29,7 +40,7 @@
 for building on a range of operating systems, including FreeBSD, Mac OS X,
 and Linux.  Depending on the availability of audit facilities in the
 underlying operating system, some components that depend on kernel audit
-support are built conditionally.  Typically, build will be performed using
+support are built conditionally.  Typically, build will be performed using:
 
     ./configure
     make
@@ -51,13 +62,12 @@
 
 You will need to manually propagate openbsm/etc/* into /etc on your system;
 this is not done automatically so as to avoid disrupting the current
-configuration.  Currently, the locations of these files is not
-configurable.
+configuration.  Currently, the locations of these files is not configurable.
 
   Credits
 
-The following organizations and individuals have contributed substantially 
-to the development of OpenBSM:
+The following organizations and individuals have contributed substantially to
+the development of OpenBSM:
 
     Apple Computer, Inc.
     McAfee Research, McAfee, Inc.
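Review bot: the reflowed line keeps the grammatical error "the locations of these files is not configurable"; since the line is being rewritten anyway, make it "are not configurable".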
@@ -76,6 +86,9 @@
     Martin Fong
     Pawel Worach
     Martin Englund
+    Ruslan Ermilov
+    Martin Voros
+    Diego Giagio
 
 In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
 Software's FlexeLint tool were used to identify a number of bugs in the
@@ -97,4 +110,4 @@
 
     http://www.TrustedBSD.org/
 
-$P4: //depot/projects/trustedbsd/openbsm/README#19 $
+$P4: //depot/projects/trustedbsd/openbsm/README#23 $

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/TODO#2 (text) ====

@@ -1,4 +1,3 @@
-- Teach praudit how to general XML format BSM streams.
 - Teach libbsm about any additional 64-bit token types that are present
   in more recent Solaris versions.
 - Build a regression test suite for libbsm that generates each token
@@ -20,4 +19,4 @@
 - Put hostname in trail file name.
 - Document audit_warn event arguments.
 
-$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#9 $

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/VERSION#2 (text) ====

@@ -1,1 +1,1 @@
-OPENBSM_1_0_ALPHA_12
+OPENBSM_1_0_ALPHA_14

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/audit/audit.8#2 (text) ====

@@ -2,20 +2,20 @@
 .\" All rights reserved.
 .\"
 .\" @APPLE_BSD_LICENSE_HEADER_START@
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
-.\" 
+.\"
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
-.\" 
+.\"     from this software without specific prior written permission.
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -26,32 +26,27 @@
 .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\" 
+.\"
 .\" @APPLE_BSD_LICENSE_HEADER_END@
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#9 $
 .\"
-.Dd January 24, 2004
+.Dd October 2, 2006
 .Dt AUDIT 8
 .Os
 .Sh NAME
 .Nm audit
 .Nd audit management utility
 .Sh SYNOPSIS
-.Nm audit
-.Op Fl nst
-.Op Ar file
+.Nm
+.Fl n | s | t
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 utility controls the state of the audit system.
-The optional
-.Ar file
-operand specifies the location of the audit control input file (default
-.Pa /etc/security/audit_control ) .
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
+One of the following flags is required as an argument to
+.Nm :
+.Bl -tag -width indent
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to
 a new log file in a location specified in the audit control file.
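Review bot: the SYNOPSIS changes from ".Op Fl nst" plus ".Op Ar file" to a required ".Fl n | s | t", and the paragraph documenting the optional audit control input file operand is removed, but bin/audit/audit.c is not in this change's affected-file list; confirm the utility already rejects a file operand and requires exactly one flag, otherwise the page and the tool disagree. If the operand is genuinely gone, the FILES entry wording "Audit policy file used to configure the auditing system" is consistent with that.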
@@ -69,22 +64,27 @@
 .Xr auditd 8
 daemon must already be running.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control
-Default audit policy file used to configure the auditing system.
+Audit policy file used to configure the auditing system.
 .El
 .Sh SEE ALSO
+.Xr audit 4 ,
 .Xr audit_control 5 ,
 .Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
 .Sh AUTHORS
+.An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.8#2 (text) ====

@@ -29,46 +29,35 @@
 .\"
 .\" @APPLE_BSD_LICENSE_HEADER_END@
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#12 $
 .\"
-.Dd January 24, 2004
+.Dd October 2, 2006
 .Dt AUDITD 8
 .Os
 .Sh NAME
 .Nm auditd
 .Nd audit log management daemon
 .Sh SYNOPSIS
-.Nm auditd
-.Op Fl dhs
+.Nm
+.Op Fl d
 .Sh DESCRIPTION
 The
 .Nm
-daemon responds to requests from the audit(1) utility and notifications
-from the kernel.  It manages the resulting audit log files and specified
+daemon responds to requests from the
+.Xr audit 8
+utility and notifications
+from the kernel.
+It manages the resulting audit log files and specified
 log file locations.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+Starts the daemon in debug mode \[em] it will not daemonize.
 .El
-.Pp
-The historical
-.Fl h
-and
-.Fl s
-flags are now configured using
-.Xr audit_control 5
-policy flags
-.Dv ahlt
-and
-.Dv cnt ,
-and are no longer available as arguments to
-.Xr auditd 8 .
 .Sh NOTE
-.Pp
 To assure uninterrupted audit support, the
-.Nm auditd
+.Nm
 daemon should not be started and stopped manually.
 Instead, the
 .Xr audit 8
@@ -78,28 +67,51 @@
 .Pa audit_control
 file.
 .Pp
-.\" Sending a SIGHUP to a running
-.\" .Nm auditd
+.\" Sending a
+.\" .Dv SIGHUP
+.\" to a running
+.\" .Nm
 .\" daemon will force it to exit.
-Sending a SIGTERM to a running
-.Nm auditd
+Sending a
+.Dv SIGTERM
+to a running
+.Nm
 daemon will force it to exit.
 .Sh FILES
-.Bl -tag -width "/var/audit" -compact
+.Bl -tag -width ".Pa /var/audit" -compact
 .It Pa /var/audit
 Default directory for storing audit log files.
 .El
+.Sh COMPATIBILITY
+The historical
+.Fl h
+and
+.Fl s
+flags are now configured using
+.Xr audit_control 5
+policy flags
+.Cm ahlt
+and
+.Cm cnt ,
+and are no longer available as arguments to
+.Nm .
 .Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_control 5 ,
 .Xr audit 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
 .Sh AUTHORS
+.An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditd/auditd.c#2 (text) ====

@@ -30,7 +30,7 @@
  *
  * @APPLE_BSD_LICENSE_HEADER_END@
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#25 $
  */
 
 #include <sys/types.h>
@@ -865,7 +865,7 @@
 		syslog(LOG_ERR, "Could not create audit startup event.");
 	else {
 		/*
-		 * XXXCSJP Perhaps we wan't more robust audit records for
+		 * XXXCSJP Perhaps we want more robust audit records for
 		 * audit start up and shutdown. This might include capturing
 		 * failures to initialize the audit subsystem?
 		 */
@@ -896,7 +896,7 @@
 	int debug = 0;
 	int rc;
 
-	while ((ch = getopt(argc, argv, "dhs")) != -1) {
+	while ((ch = getopt(argc, argv, "d")) != -1) {
 		switch(ch) {
 		case 'd':
 			/* Debug option. */
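Review bot: the getopt string shrinks from "dhs" to "d", which matches the new auditd.8 COMPATIBILITY text, but the hunk shows only the 'd' case; if case labels for 'h' and 's' still exist below they are now unreachable and should be deleted. It would also help operators if the usage path mentioned that -h and -s moved to the audit_control ahlt and cnt policy flags, rather than a bare usage error when an old invocation is used.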

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.8#2 (text) ====

@@ -23,18 +23,19 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#4 $
 .\"
-.Dd March 27, 2006
+.Dd October 3, 2006
 .Dt AUDITFILTERD 8
 .Os
 .Sh NAME
 .Nm auditfilterd
 .Nd audit filter daemon
 .Sh SYNOPSIS
-.Nm auditfilterd
+.Nm
 .Op Fl d
 .Op Fl c Ar conffile
+.Op Fl p Ar pipefile
 .Op Fl t Ar trailfile
 .Sh DESCRIPTION
 The
@@ -44,18 +45,23 @@
 It is configured using the
 .Xr audit_filter 5
 configuration file.
+The source can either be a pipe or a file.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
-.It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+.Bl -tag -width indent
 .It Fl c Ar conffile
 Specify an alternative configuration file.
+.It Fl d
+Starts the daemon in debug mode \[em] it will not daemonize.
+.It Fl p Ar pipefile
+Specify a pipe as an alternative source of audit event records.
+Default is
+.Pa /dev/auditpipe .
 .It Fl t Ar trailfile
-Specify an alternative source of audit event records.
+Specify a file as an alternative source of audit event records.
 .El
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_filterd" -compact
+.Bl -tag -width ".Pa /etc/security/audit_filterd" -compact
 .It Pa /etc/security/audit_filterd
 Default configuration file for
 .Nm .
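Review bot: the new -p pipefile option and the existing -t trailfile option are both documented as alternative record sources ("The source can either be a pipe or a file"), but the page does not say which one wins when both are supplied, nor that the /dev/auditpipe default applies only when neither is given; add a sentence stating the precedence. The -c entry could also name its default, /etc/security/audit_filterd, which the FILES section already lists.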
@@ -66,12 +72,13 @@
 .Sh SEE ALSO
 .Xr audit 8 ,
 .Xr auditd 8
-.Sh AUTHORS
-The
-.Nm
-daemon and audit filter APIs were created by Robert Watson.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
+.Sh AUTHORS
+The
+.Nm
+daemon and audit filter APIs were created by
+.An Robert Watson .

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditfilterd/auditfilterd.c#2 (text) ====

@@ -25,7 +25,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#11 $
  */
 
 /*
@@ -48,6 +48,10 @@
 #include <compat/queue.h>
 #endif
 
+#ifndef HAVE_CLOCK_GETTIME
+#include <compat/clock_gettime.h>
+#endif
+
 #include <bsm/libbsm.h>
 #include <bsm/audit_filter.h>
 
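Review bot: the "#ifndef HAVE_CLOCK_GETTIME" guard around "#include <compat/clock_gettime.h>" only does its job if config.h has been included earlier in this file; that include is not visible in the hunk, so verify it precedes this block, otherwise the compatibility implementation is pulled in unconditionally on hosts with a native clock_gettime() and you get a conflicting definition. config/config.h is among the files touched in this change, so presumably it is where HAVE_CLOCK_GETTIME gets defined.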
@@ -76,7 +80,7 @@
 usage(void)
 {
 
-	fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]"
+	fprintf(stderr, "auditfilterd [-d] [-c conffile] [-p pipefile]"
 	    " [-t trailfile]\n");
 	fprintf(stderr, "  -c    Specify configuration file (default: %s)\n",
 	    AUDITFILTERD_CONFFILE);

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/auditreduce/auditreduce.1#2 (text) ====

@@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
-.\" 
+.\"     from this software without specific prior written permission.
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
@@ -34,44 +34,43 @@
 .Nm auditreduce
 .Nd "select records from audit trail files"
 .Sh SYNOPSIS
-.Nm auditreduce
+.Nm
 .Op Fl A
-.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
-.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
+.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 .Op Fl c Ar flags
 .Op Fl d Ar YYYYMMDD
 .Op Fl e Ar euid
 .Op Fl f Ar egid
 .Op Fl g Ar rgid
+.Op Fl j Ar id
+.Op Fl m Ar event
+.Op Fl o Ar object Ns = Ns Ar value
 .Op Fl r Ar ruid
 .Op Fl u Ar auid
-.Op Fl j Ar id
-.Op Fl m Ar event
-.Op Fl o Ar object=value
-.Op Ar file ...
+.Op Ar
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 utility selects records from the audit trail files based on the specified
 criteria.
 Matching audit records are printed to the standard output in
 their raw binary form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
 by default.
-Use the 
-.Nm praudit
+Use the
+.Xr praudit 1
 utility to print the selected audit records in human-readable form.
-See
-.Xr praudit 1
-for more information.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl A
 Select all records.
-.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 Select records that occurred after or on the given datetime.
-.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 Select records that occurred before the given datetime.
 .It Fl c Ar flags
 Select records matching the given audit classes specified as a comma
@@ -86,15 +85,11 @@
 or
 .Fl b .
 .It Fl e Ar euid
-Select records with the given effective user id or name.
+Select records with the given effective user ID or name.
 .It Fl f Ar egid
-Select records with the given effective group id or name.
+Select records with the given effective group ID or name.
 .It Fl g Ar rgid
-Select records with the given real group id or name.
-.It Fl r Ar ruid
-Select records with the given real user id or name.
-.It Fl u Ar auid
-Select records with the given audit id.
+Select records with the given real group ID or name.
 .It Fl j Ar id
 Select records having a subject token with matching ID.
 .It Fl m Ar event
@@ -102,45 +97,53 @@
 See
 .Xr audit_event 5
 for a description of audit event names and numbers.
-.It Fl o Ar object=value
-.Bl -tag -width Ds
-.It Nm file
+.It Fl o Ar object Ns = Ns Ar value
+.Bl -tag -width ".Cm msgqid"
+.It Cm file
 Select records containing path tokens, where the pathname matches
 one of the comma delimited extended regular expression contained in
 given specification.
-Regular expressions which are prefixed with a tilde (~) are excluded
+Regular expressions which are prefixed with a tilde
+.Pq Ql ~
+are excluded
 from the search results.
 These extended regular expressions are processed from left to right,
 and a path will either be selected or deslected based on the first match.
 .Pp
-Since commas are used to delimit the regular expressions, a backslash (\\)
-character should be used to escape the comma if it's a part of the search
+Since commas are used to delimit the regular expressions, a backslash
+.Pq Ql \e
+character should be used to escape the comma if it is a part of the search
 pattern.
-.It Nm msgqid
-Select records containing the given message queue id.
-.It Nm pid
-Select records containing the given process id.
-.It Nm semid
-Select records containing the given semaphore id.
-.It Nm shmid
-Select records containing the given shared memory id.
+.It Cm msgqid
+Select records containing the given message queue ID.
+.It Cm pid
+Select records containing the given process ID.
+.It Cm semid
+Select records containing the given semaphore ID.
+.It Cm shmid
+Select records containing the given shared memory ID.
 .El
+.It Fl r Ar ruid
+Select records with the given real user ID or name.
+.It Fl u Ar auid
+Select records with the given audit ID.
 .El
-.Sh Examples
-.Pp
+.Sh EXAMPLES
 To select all records associated with effective user ID root from the audit
 log
 .Pa /var/audit/20031016184719.20031017122634 :
+.Bd -literal -offset indent
+auditreduce -e root \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
-.Nm
--e root /var/audit/20031016184719.20031017122634
-.Pp
 To select all
 .Xr setlogin 2
 events from that log:
-.Pp
-.Nm
--m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -m AUE_SETLOGIN \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
 Output from the above command lines will typically be piped to a new trail
 file, or via standard output to the
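Review bot: the unchanged context line "a path will either be selected or deslected based on the first match" has a typo, "deselected"; worth fixing while this block is being reworked. The -o file matching is order-sensitive (the first matching expression decides, tilde-prefixed ones exclude), so the example that lists ~/dev/ttyp2 before /dev/tty[a-zA-Z][0-9]+ is in the correct order; a short remark in the option text that an exclusion must precede the broader pattern it carves out would save readers from an over-broad selection when they write the patterns the other way round.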
@@ -148,36 +151,43 @@
 command.
 .Pp
 Select all records containing a path token where the pathname contains
-.Pa /etc/master.passwd
-.Pp
-.Nm
--ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pa /etc/master.passwd :
+.Bd -literal -offset indent
+auditreduce -o file="/etc/master.passwd" \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
 Select all records containing path tokens, where the pathname is a TTY
 device:
+.Bd -literal -offset indent
+auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
-.Nm
--ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
-.Pp
 Select all records containing path tokens, where the pathname is a TTY
 except for
-.Pa /dev/ttyp2
-.Pp
-.Nm
--ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pa /dev/ttyp2 :
+.Bd -literal -offset indent
+auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,
 .Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
 .Sh AUTHORS
+.An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
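Review bot: the three `-o file=` examples keep the pattern in double quotes, which matters most for the `~/dev/ttyp2,...` negation form: unquoted, the leading `~` would be subject to shell tilde expansion and the exclusion would silently turn into a home-directory path. Worth a sentence in the text saying the quotes are required, since the old `-ofile=` spelling is being replaced and readers may retype. Separately, `/dev/tty[a-zA-Z][0-9]+` carries no `^`/`$` anchors; if the file matcher applies it as an ordinary regex, any path merely containing that substring will be selected, so consider anchoring the example or stating that matching is unanchored. Moving `.Sh HISTORY` ahead of `.Sh AUTHORS`, the `.An -nosplit` marker, and `Inc.\&` to suppress end-of-sentence spacing mid-sentence all follow mdoc(7) conventions and look right.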

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.1#2 (text) ====

@@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
-.\" 
+.\"     from this software without specific prior written permission.
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,73 +25,94 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 $
 .\"
-.Dd January 24, 2004
+.Dd November 5, 2006
 .Dt PRAUDIT 1
 .Os
 .Sh NAME
 .Nm praudit
 .Nd "print the contents of audit trail files"
 .Sh SYNOPSIS
-.Nm praudit
-.Op Fl lrs
+.Nm
+.Op Fl lpx
+.Op Fl r | s
 .Op Fl d Ar del
-.Op Ar file ...
+.Op Ar
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 utility prints the contents of the audit trail files to the standard output in
 human-readable form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
 by default.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
+.It Fl d Ar del
+Specifies the delimiter.
+The default delimiter is the comma.
 .It Fl l
 Prints the entire record on the same line.
 If this option is not specified,
 every token is displayed on a different line.
+.It Fl p
+Specify this option if input to
+.Nm
+is piped from the
+.Xr tail 1
+utility.
+This causes
+.Nm
+to sync to the start of the next record.
 .It Fl r
 Prints the records in their raw, numeric form.
-This option is exclusive from 
-.Fl s
+This option is exclusive from
+.Fl s .
 .It Fl s
 Prints the tokens in their short form.
 Short text representations for
 record and event type are displayed.
 This option is exclusive from
-.Fl  r
-.It Fl d Ar del
-Specifies the delimiter.
-The default delimiter is the comma.
+.Fl r .
+.It Fl x
+Print audit records in the XML output format.
 .El
 .Pp
 If the raw or short forms are not specified, the default is to print the tokens
 in their long form.
 Events are displayed as per their descriptions given in
 .Pa /etc/security/audit_event ;
-uids and gids are expanded to their names;
+UIDs and GIDs are expanded to their names;
 dates and times are displayed in human-readable format.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_class
-Descriptions of audit event classes
+Descriptions of audit event classes.
 .It Pa /etc/security/audit_event
-Descriptions of audit events
+Descriptions of audit events.
 .El
 .Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr audit 4 ,
+.Xr auditpipe 4 ,
 .Xr audit_class 5 ,
 .Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
 .Sh AUTHORS
+.An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
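Review bot: the new `-x` entry does not say how XML output interacts with `-l`, `-r`, `-s` or `-d`; the synopsis groups it with `-l` and `-p` as `.Op Fl lpx`, which implies it combines freely, yet the closing paragraph still states only that the default without `-r`/`-s` is the long form. Add a sentence to the `-x` item (or that paragraph) stating whether the delimiter and raw/short options are ignored in XML mode. The `-p` entry should also say what happens to the partial record at the head of a piped stream (dropped until the next record boundary, if that is the behaviour), since an analyst tailing a live trail or auditpipe(4) will otherwise wonder where the first record went. The rest of the hunk (moving `-d` into alphabetical order, `.Op Fl r | s` to express the exclusivity, `.Ar file` in DESCRIPTION, the `.\&`/`.An` fixes, and the SEE ALSO additions) is consistent with the auditreduce.1 change in this same review.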

==== //depot/projects/soc2007/karma_audit/contrib/openbsm/bin/praudit/praudit.c#2 (text) ====

>>> TRUNCATED FOR MAIL (1000 lines) <<<