From owner-p4-projects@FreeBSD.ORG Mon Apr 16 09:33:52 2007
Date: Mon, 16 Apr 2007 09:33:49 GMT
Message-Id: <200704160933.l3G9Xnmt027390@repoman.freebsd.org>
From: Robert Watson
To: Perforce Change Reviews
Subject: PERFORCE change 118218 for review

http://perforce.freebsd.org/chv.cgi?CH=118218

Change 118218 by rwatson@rwatson_cinnamon on 2007/04/16 09:33:14

	Integrate OpenBSM 1.0 alphas 13 and 14 (tentative) from OpenBSM branch
	to Audit3 branch:

	OpenBSM 1.0 alpha 14

	- Fix endian issues when processing IPv6 addresses for extended subject
	  and process tokens.
	- gcc41 warnings clean.
	- Teach audit_submit(3) about getaudit_addr(2).
	- Add support for zonename tokens.

	OpenBSM 1.0 alpha 13

	- compat/clock_gettime.h now provides a compatibility implementation of
	  clock_gettime(), which fixes building on Mac OS X.
	- Countless man page improvements, markup fixes, content fixes, etc.
	- XML printing support via "praudit -x".
	- audit.log.5 expanded to include additional BSM token types.
	- Added encoding and decoding routines for process64_ex, process32_ex,
	  subject32_ex, header64, and attr64 tokens.
	- Additional audit event identifiers for listen, mlockall/munlockall,
	  getpath, POSIX message queues, and mandatory access control.

Affected files ...

.. //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#18 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/README#17 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#13 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#16 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.8#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#18 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.8#3 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.c#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#10 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.1#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.c#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#21 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/compat/clock_gettime.h#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure#16 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/configure.ac#17 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#19 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_class.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#8 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_event.3#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_free_token.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_io.3#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_mask.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_open.3#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_token.3#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_user.3#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/audit_submit.3#4 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#21 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_notify.c#12 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#14 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit.2#5 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit.log.5#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_class.5#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#11 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_event.5#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_user.5#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_warn.5#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/auditctl.2#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/auditon.2#9 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/getaudit.2#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/getauid.2#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/setaudit.2#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/setauid.2#6 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/bsm/generate.c#7 integrate
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process32ex_record#3 delete
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process32ex_record-IPv4#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process32ex_record-IPv6#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process32ex_token#3 delete
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process32ex_token-IPv4#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process32ex_token-IPv6#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process64_record#1 branch
.. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process64_token#1 branch
..
//depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process64ex_record-IPv4#1 branch .. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process64ex_record-IPv6#1 branch .. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process64ex_token-IPv4#1 branch .. //depot/projects/trustedbsd/audit3/contrib/openbsm/test/reference/process64ex_token-IPv6#1 branch .. //depot/projects/trustedbsd/audit3/contrib/openbsm/tools/audump.c#10 integrate Differences ... ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#18 (text+ko) ==== @@ -1,3 +1,23 @@ +OpenBSM 1.0 alpha 14 + +- Fix endian issues when processing IPv6 addresses for extended subject + and process tokens. +- gcc41 warnings clean. +- Teach audit_submit(3) about getaudit_addr(2). +- Add support for zonename tokens. + +OpenBSM 1.0 alpha 13 + +- compat/clock_gettime.h now provides a compatibility implementation of + clock_gettime(), which fixes building on Mac OS X. +- Countless man page improvements, markup fixes, content fixs, etc. +- XML printing support via "praudit -x". +- audit.log.5 expanded to include additional BSM token types. +- Added encoding and decoding routines for process64_ex, process32_ex, + subject32_ex, header64, and attr64 tokens. +- Additional audit event identifiers for listen, mlockall/munlockall, + getpath, POSIX message queues, and mandatory access control. + OpenBSM 1.0 alpha 12 - Correct bug in auditreduce which prevented the -c option from working @@ -264,4 +284,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#17 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/HISTORY#18 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/README#17 (text+ko) ==== 
@@ -76,6 +76,9 @@ Martin Fong Pawel Worach Martin Englund + Ruslan Ermilov + Martin Voros + Diego Giagio In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel Software's FlexeLint tool were used to identify a number of bugs in the @@ -97,4 +100,4 @@ http://www.TrustedBSD.org/ -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#16 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#17 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#13 (text+ko) ==== @@ -1,4 +1,3 @@ -- Teach praudit how to general XML format BSM streams. - Teach libbsm about any additional 64-bit token types that are present in more recent Solaris versions. - Build a regression test suite for libbsm that generates each token @@ -20,4 +19,4 @@ - Put hostname in trail file name. - Document audit_warn event arguments. -$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#12 $ +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#13 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#16 (text+ko) ==== @@ -1,1 +1,1 @@ -OPENBSM_1_0_ALPHA_12 +OPENBSM_1_0_ALPHA_14 ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.8#5 (text+ko) ==== 
@@ -2,20 +2,20 @@ .\" All rights reserved. .\" .\" @APPLE_BSD_LICENSE_HEADER_START@ -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: -.\" +.\" .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" +.\" from this software without specific prior written permission. +.\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
@@ -26,32 +26,27 @@ .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" +.\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.8#4 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/audit/audit.8#5 $ .\" -.Dd January 24, 2004 +.Dd October 2, 2006 .Dt AUDIT 8 .Os .Sh NAME .Nm audit .Nd audit management utility .Sh SYNOPSIS -.Nm audit -.Op Fl nst -.Op Ar file +.Nm +.Fl n | s | t .Sh DESCRIPTION The -.Nm +.Nm utility controls the state of the audit system. -The optional -.Ar file -operand specifies the location of the audit control input file (default -.Pa /etc/security/audit_control ) . -.Pp -The options are as follows: -.Bl -tag -width Ds +One of the following flags is required as an argument to +.Nm : +.Bl -tag -width indent .It Fl n Forces the audit system to close the existing audit log file and rotate to a new log file in a location specified in the audit control file. 
@@ -69,22 +64,27 @@ .Xr auditd 8 daemon must already be running. .Sh FILES -.Bl -tag -width "/etc/security/audit_control" -compact +.Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_control -Default audit policy file used to configure the auditing system. +Audit policy file used to configure the auditing system. .El .Sh SEE ALSO +.Xr audit 4 , .Xr audit_control 5 , .Xr auditd 8 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. -It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#6 (text+ko) ==== 
@@ -29,46 +29,35 @@ .\" .\" @APPLE_BSD_LICENSE_HEADER_END@ .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#5 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.8#6 $ .\" -.Dd January 24, 2004 +.Dd October 2, 2006 .Dt AUDITD 8 .Os .Sh NAME .Nm auditd .Nd audit log management daemon .Sh SYNOPSIS -.Nm auditd -.Op Fl dhs +.Nm +.Op Fl d .Sh DESCRIPTION The .Nm -daemon responds to requests from the audit(1) utility and notifications -from the kernel. It manages the resulting audit log files and specified +daemon responds to requests from the +.Xr audit 8 +utility and notifications +from the kernel. +It manages the resulting audit log files and specified log file locations. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent .It Fl d -Starts the daemon in debug mode - it will not daemonize. +Starts the daemon in debug mode \[em] it will not daemonize. .El -.Pp -The historical -.Fl h -and -.Fl s -flags are now configured using -.Xr audit_control 5 -policy flags -.Dv ahlt -and -.Dv cnt , -and are no longer available as arguments to -.Xr auditd 8 . .Sh NOTE -.Pp To assure uninterrupted audit support, the -.Nm auditd +.Nm daemon should not be started and stopped manually. Instead, the .Xr audit 8 
@@ -78,28 +67,51 @@ .Pa audit_control file. .Pp -.\" Sending a SIGHUP to a running -.\" .Nm auditd +.\" Sending a +.\" .Dv SIGHUP +.\" to a running +.\" .Nm .\" daemon will force it to exit. -Sending a SIGTERM to a running -.Nm auditd +Sending a +.Dv SIGTERM +to a running +.Nm daemon will force it to exit. .Sh FILES -.Bl -tag -width "/var/audit" -compact +.Bl -tag -width ".Pa /var/audit" -compact .It Pa /var/audit Default directory for storing audit log files. .El +.Sh COMPATIBILITY +The historical +.Fl h +and +.Fl s +flags are now configured using +.Xr audit_control 5 +policy flags +.Cm ahlt +and +.Cm cnt , +and are no longer available as arguments to +.Nm . .Sh SEE ALSO +.Xr audit 4 , +.Xr audit_control 5 , .Xr audit 8 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. -It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#18 (text+ko) ==== 
@@ -30,7 +30,7 @@ * * @APPLE_BSD_LICENSE_HEADER_END@ * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#17 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditd/auditd.c#18 $ */ #include @@ -865,7 +865,7 @@ syslog(LOG_ERR, "Could not create audit startup event."); else { /* - * XXXCSJP Perhaps we wan't more robust audit records for + * XXXCSJP Perhaps we want more robust audit records for * audit start up and shutdown. This might include capturing * failures to initialize the audit subsystem? */ @@ -896,7 +896,7 @@ int debug = 0; int rc; - while ((ch = getopt(argc, argv, "dhs")) != -1) { + while ((ch = getopt(argc, argv, "d")) != -1) { switch(ch) { case 'd': /* Debug option. */ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.8#3 (text+ko) ==== @@ -23,18 +23,19 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.8#2 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.8#3 $ .\" -.Dd March 27, 2006 +.Dd October 3, 2006 .Dt AUDITFILTERD 8 .Os .Sh NAME .Nm auditfilterd .Nd audit filter daemon .Sh SYNOPSIS -.Nm auditfilterd +.Nm .Op Fl d .Op Fl c Ar conffile +.Op Fl p Ar pipefile .Op Fl t Ar trailfile .Sh DESCRIPTION The 
@@ -44,18 +45,23 @@ It is configured using the .Xr audit_filter 5 configuration file. +The source can either be a pipe or a file. .Pp The options are as follows: -.Bl -tag -width Ds -.It Fl d -Starts the daemon in debug mode - it will not daemonize. +.Bl -tag -width indent .It Fl c Ar conffile Specify an alternative configuration file. +.It Fl d +Starts the daemon in debug mode \[em] it will not daemonize. +.It Fl p Ar pipefile +Specify a pipe as an alternative source of audit event records. +Default is +.Pa /dev/auditpipe . .It Fl t Ar trailfile -Specify an alternative source of audit event records. +Specify a file as an alternative source of audit event records. .El .Sh FILES -.Bl -tag -width "/etc/security/audit_filterd" -compact +.Bl -tag -width ".Pa /etc/security/audit_filterd" -compact .It Pa /etc/security/audit_filterd Default configuration file for .Nm . @@ -66,12 +72,13 @@ .Sh SEE ALSO .Xr audit 8 , .Xr auditd 8 -.Sh AUTHORS -The -.Nm -daemon and audit filter APIs were created by Robert Watson. .Sh HISTORY The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. +.Sh AUTHORS +The +.Nm +daemon and audit filter APIs were created by +.An Robert Watson . ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.c#6 (text+ko) ==== @@ -25,7 +25,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.c#5 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditfilterd/auditfilterd.c#6 $ */ /* @@ -48,6 +48,10 @@ #include #endif +#ifndef HAVE_CLOCK_GETTIME +#include +#endif + #include #include 
@@ -76,7 +80,7 @@ usage(void) { - fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]" + fprintf(stderr, "auditfilterd [-d] [-c conffile] [-p pipefile]" " [-t trailfile]\n"); fprintf(stderr, " -c Specify configuration file (default: %s)\n", AUDITFILTERD_CONFFILE); ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#10 (text+ko) ==== @@ -1,18 +1,18 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" +.\" from this software without specific prior written permission. +.\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#9 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#10 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -34,44 +34,43 @@ .Nm auditreduce .Nd "select records from audit trail files" .Sh SYNOPSIS -.Nm auditreduce +.Nm .Op Fl A -.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] -.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS +.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS .Op Fl c Ar flags .Op Fl d Ar YYYYMMDD .Op Fl e Ar euid .Op Fl f Ar egid .Op Fl g Ar rgid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object Ns = Ns Ar value .Op Fl r Ar ruid .Op Fl u Ar auid -.Op Fl j Ar id -.Op Fl m Ar event -.Op Fl o Ar object=value -.Op Ar file ... +.Op Ar .Sh DESCRIPTION The -.Nm +.Nm utility selects records from the audit trail files based on the specified criteria. Matching audit records are printed to the standard output in their raw binary form. -If no filename is specified, the standard input is used +If no +.Ar file +argument is specified, the standard input is used by default. -Use the -.Nm praudit +Use the +.Xr praudit 1 utility to print the selected audit records in human-readable form. -See -.Xr praudit 1 -for more information. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent .It Fl A Select all records. -.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS Select records that occurred after or on the given datetime. -.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS Select records that occurred before the given datetime. .It Fl c Ar flags Select records matching the given audit classes specified as a comma 
@@ -86,15 +85,11 @@ or .Fl b . .It Fl e Ar euid -Select records with the given effective user id or name. +Select records with the given effective user ID or name. .It Fl f Ar egid -Select records with the given effective group id or name. +Select records with the given effective group ID or name. .It Fl g Ar rgid -Select records with the given real group id or name. -.It Fl r Ar ruid -Select records with the given real user id or name. -.It Fl u Ar auid -Select records with the given audit id. +Select records with the given real group ID or name. .It Fl j Ar id Select records having a subject token with matching ID. .It Fl m Ar event 
@@ -102,45 +97,53 @@ See .Xr audit_event 5 for a description of audit event names and numbers. -.It Fl o Ar object=value -.Bl -tag -width Ds -.It Nm file +.It Fl o Ar object Ns = Ns Ar value +.Bl -tag -width ".Cm msgqid" +.It Cm file Select records containing path tokens, where the pathname matches one of the comma delimited extended regular expression contained in given specification. -Regular expressions which are prefixed with a tilde (~) are excluded +Regular expressions which are prefixed with a tilde +.Pq Ql ~ +are excluded from the search results. These extended regular expressions are processed from left to right, and a path will either be selected or deslected based on the first match. .Pp -Since commas are used to delimit the regular expressions, a backslash (\\) -character should be used to escape the comma if it's a part of the search +Since commas are used to delimit the regular expressions, a backslash +.Pq Ql \e +character should be used to escape the comma if it is a part of the search pattern. -.It Nm msgqid -Select records containing the given message queue id. -.It Nm pid -Select records containing the given process id. -.It Nm semid -Select records containing the given semaphore id. -.It Nm shmid -Select records containing the given shared memory id. +.It Cm msgqid +Select records containing the given message queue ID. +.It Cm pid +Select records containing the given process ID. +.It Cm semid +Select records containing the given semaphore ID. +.It Cm shmid +Select records containing the given shared memory ID. .El +.It Fl r Ar ruid +Select records with the given real user ID or name. +.It Fl u Ar auid +Select records with the given audit ID. 
.El -.Sh Examples -.Pp +.Sh EXAMPLES To select all records associated with effective user ID root from the audit log .Pa /var/audit/20031016184719.20031017122634 : +.Bd -literal -offset indent +auditreduce -e root \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp -.Nm --e root /var/audit/20031016184719.20031017122634 -.Pp To select all .Xr setlogin 2 events from that log: -.Pp -.Nm --m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Bd -literal -offset indent +auditreduce -m AUE_SETLOGIN \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Output from the above command lines will typically be piped to a new trail file, or via standard output to the 
@@ -148,36 +151,43 @@ command. .Pp Select all records containing a path token where the pathname contains -.Pa /etc/master.passwd -.Pp -.Nm --ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634 +.Pa /etc/master.passwd : +.Bd -literal -offset indent +auditreduce -o file="/etc/master.passwd" \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Select all records containing path tokens, where the pathname is a TTY device: +.Bd -literal -offset indent +auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp -.Nm --ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 -.Pp Select all records containing path tokens, where the pathname is a TTY except for -.Pa /dev/ttyp2 -.Pp -.Nm --ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Pa /dev/ttyp2 : +.Bd -literal -offset indent +auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e + /var/audit/20031016184719.20031017122634 +.Ed .Sh SEE ALSO .Xr praudit 1 , .Xr audit_control 5 , .Xr audit_event 5 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. 
-It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.1#7 (text+ko) ==== @@ -1,18 +1,18 @@ .\" Copyright (c) 2004 Apple Computer, Inc. .\" All rights reserved. -.\" +.\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions .\" are met: .\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. +.\" notice, this list of conditions and the following disclaimer. .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. +.\" documentation and/or other materials provided with the distribution. .\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of .\" its contributors may be used to endorse or promote products derived -.\" from this software without specific prior written permission. -.\" +.\" from this software without specific prior written permission. +.\" .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
@@ -25,73 +25,94 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.1#6 $ +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.1#7 $ .\" -.Dd January 24, 2004 +.Dd November 5, 2006 .Dt PRAUDIT 1 .Os .Sh NAME .Nm praudit .Nd "print the contents of audit trail files" .Sh SYNOPSIS -.Nm praudit -.Op Fl lrs +.Nm +.Op Fl lpx +.Op Fl r | s .Op Fl d Ar del -.Op Ar file ... +.Op Ar .Sh DESCRIPTION The -.Nm +.Nm utility prints the contents of the audit trail files to the standard output in human-readable form. -If no filename is specified, the standard input is used +If no +.Ar file +argument is specified, the standard input is used by default. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent +.It Fl d Ar del +Specifies the delimiter. +The default delimiter is the comma. .It Fl l Prints the entire record on the same line. If this option is not specified, every token is displayed on a different line. +.It Fl p +Specify this option if input to +.Nm +is piped from the +.Xr tail 1 +utility. +This causes +.Nm +to sync to the start of the next record. .It Fl r Prints the records in their raw, numeric form. -This option is exclusive from -.Fl s +This option is exclusive from +.Fl s . .It Fl s Prints the tokens in their short form. Short text representations for record and event type are displayed. This option is exclusive from -.Fl r -.It Fl d Ar del -Specifies the delimiter. -The default delimiter is the comma. +.Fl r . +.It Fl x +Print audit records in the XML output format. .El .Pp If the raw or short forms are not specified, the default is to print the tokens in their long form. 
Events are displayed as per their descriptions given in .Pa /etc/security/audit_event ; -uids and gids are expanded to their names; +UIDs and GIDs are expanded to their names; dates and times are displayed in human-readable format. .Sh FILES -.Bl -tag -width "/etc/security/audit_control" -compact +.Bl -tag -width ".Pa /etc/security/audit_control" -compact .It Pa /etc/security/audit_class -Descriptions of audit event classes +Descriptions of audit event classes. .It Pa /etc/security/audit_event -Descriptions of audit events +Descriptions of audit events. .El .Sh SEE ALSO +.Xr auditreduce 1 , +.Xr audit 4 , +.Xr auditpipe 4 , .Xr audit_class 5 , .Xr audit_event 5 +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems. -.Sh HISTORY -The OpenBSM implementation was created by McAfee Research, the security -division of McAfee Inc., under contract to Apple Computer Inc. in 2004. -It was subsequently adopted by the TrustedBSD Project as the foundation for -the OpenBSM distribution. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.c#6 (text+ko) ==== @@ -1,5 +1,6 @@ /* * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) 2006 Martin Voros * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -26,7 +27,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.c#5 $ + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.c#6 $ */ /* @@ -34,7 +35,7 @@ */ /* - * praudit [-lrs] [-ddel] [filenames] + * praudit [-lpx] [-r | -s] [-d del] [file ...] */ #include @@ -51,12 +52,14 @@ static int raw = 0; static int shortfrm = 0; static int partial = 0; +static int xml = 0; static void -usage() +usage(void) { - fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n"); + fprintf(stderr, "usage: praudit [-lpx] [-r | -s] [-d del] " + "[file ...]\n"); exit(1); } @@ -88,11 +91,17 @@ if (-1 == au_fetch_tok(&tok, buf + bytesread, reclen - bytesread)) break; - au_print_tok(stdout, &tok, del, raw, shortfrm); + if (xml) + au_print_tok_xml(stdout, &tok, del, raw, + shortfrm); + else + au_print_tok(stdout, &tok, del, raw, + shortfrm); bytesread += tok.len; - if (oneline) - printf("%s", del); - else + if (oneline) { + if (!xml) + printf("%s", del); + } else printf("\n"); } free(buf); @@ -109,12 +118,20 @@ int i; FILE *fp; >>> TRUNCATED FOR MAIL (1000 lines) <<<
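Review bot: The new alpha 13 entry in the HISTORY hunk carries a typo, "Countless man page improvements, markup fixes, content fixs, etc." should read "content fixes"; the same text is mirrored in the change description, so correct it at the source on the OpenBSM branch so the next integrate does not bring it back.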
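Review bot: Narrowing the getopt string from "dhs" to "d" in the auditd.c hunk means -h and -s now take getopt's unknown-option path instead of being accepted and ignored; make sure the switch that follows no longer has case 'h' and case 's' arms, and that usage() prints only -d, so the binary matches the new auditd.8 SYNOPSIS (`.Op Fl d`) and the COMPATIBILITY section that now points administrators at the ahlt and cnt policy flags in audit_control(5).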
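Review bot: The `\[em]` escape introduced in the auditd.8 and auditfilterd.8 hunks ("Starts the daemon in debug mode \[em] it will not daemonize.") is groff's long-name glyph syntax; the portable mdoc spelling is `\(em`, which non-groff troff implementations also understand. Consider `\(em` in both man pages.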
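Review bot: The auditfilterd.8 hunk adds -p pipefile (default /dev/auditpipe) and rewords -t trailfile as "a file as an alternative source", but it does not say which source wins when both -p and -t are supplied, nor that the pipe is the source when neither flag is given; one sentence following "The source can either be a pipe or a file." in DESCRIPTION would settle this. The SYNOPSIS also lists the flags as -d, -c, -p, -t while the option list is -c, -d, -p, -t, and the usage() string in the auditfilterd.c hunk was just reordered to the SYNOPSIS order, so pick one order for all three.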
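Review bot: The new `#ifndef HAVE_CLOCK_GETTIME` include block in the auditfilterd.c hunk (its header name is lost in this mail, but the change description names compat/clock_gettime.h) only does its job if configure.ac now defines HAVE_CLOCK_GETTIME when the libc function is present; configure.ac is among the affected files but its hunk falls past the truncation point, so that check should be confirmed rather than taking the Mac OS X build fix on faith.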
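Review bot: In the praudit.c hunk, the XML branch `au_print_tok_xml(stdout, &tok, del, raw, shortfrm)` is handed the delimiter and the -r/-s flags, and the `if (!xml) printf("%s", del);` change means that with -l the XML for one record is emitted with no separator between tokens at all, yet the praudit.1 hunk says only "Print audit records in the XML output format" and nothing about how -x interacts with -l, -r, -s and -d. Either document the supported combinations in the man page or reject the unsupported ones during option parsing so users are not left guessing which flags the XML output honours.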
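Review bot: Unchanged context in the auditreduce.1 -o file hunk still reads "a path will either be selected or deslected based on the first match"; since this paragraph is being reworked anyway, fix the typo to "deselected" in the same pass.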