Initial vendor import of the TrustedBSD OpenBSM distribution, versionvendor/openbsm/1.0-ALPHA-1

1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems.  Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs.  This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>.  The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to:	wsalamon, trhodes
Obtained from:	TrustedBSD Project

72 files changed, 15884 insertions, 0 deletions

diff --git a/contrib/openbsm/CHANGELOG b/contrib/openbsm/CHANGELOG
new file mode 100644
index 000000000000..846cbf98c333
--- /dev/null
+++ b/contrib/openbsm/CHANGELOG
@@ -0,0 +1,69 @@
+OpenBSM 1.0
+
+- Import of Darwin74 BSM drop
+- Use 'syslog' for audit log warnings, rather than echoing to a file in
+  audit_warn.
+- Compile using BSD make infrastructure.
+- Integrate bsm/ include files from Darwin74 XNU drop into OpenBSM.
+- Narrow set of symbols and defines that are exposed in user space: don't
+  compile in code relying on kernel-only types such as 'struct socket'.
+- Add README, including basic build documentation.
+- Compilation of Apple-specific notify and Machroutines now #ifdef __APPLE__.
+- Staticize libbsm global variables to avoid leakage into application.
+- Add free_au_user_ent() so that au_user_ent's don't have to be leaked.
+- Clean up bogus nul-termination checks in libbsm.
+- Add libbsm API man pages: au_class.3 au_control.3 au_event.3
+  au_free_token.3 au_io.3 au_mask.3 au_token.3 au_user.3 libbsm.3.
+- Add man pages for BSM system calls: audit.2 auditctl.2 auditon.2 getaudit.2
+  getauid.2 setaudit.2 setauid.2
+- Modify various libbsm interfaces to more consistently return 'errno' values
+  on failure.
+- Break out au_close() into constituent parts, allowing records to be written
+  to memory as well as files.
+- Prefix various defines with 'BSM_' to reduce name space pollution.
+- Added audit_internal.h, which can be used by a kernel audit implementation
+  wanting to rely on libbsm components.
+- Build with warnings, and eliminate warnings.
+- Make libbsm endian-independent, storing and reading BSM are big endian
+  (network byte order) rather than native byte order.  More consistently
+  print IP addresses using the IP address print routine.  These changes
+  make use of sys/endian.h from *BSD; since this isn't present on Darwin,
+  add it to OpenBSM as compat/endian.h, which is used only on Darwin.
+- Import of Darwin80 BSM drop, including 64-bit file IDs, better
+  documentation of private APIs, and bug fixes.
+- White space cleanup.
+- Add audit.log.5, a first cut at a man page documenting the BSM file format.
+- Teach au_read_rec() to recognize stand-alone file tokens, which are present
+  at the beginning and end of Solaris audit trails.  Technically, these
+  appear to violate the high level BSM spec, which suggests that all tokens
+  are present in records, but need to be supported.
+- Implement HEADER64, ATTR64, SUBJECT64 token types, which make it possible
+  to run praudit(1) on basic Solaris BSM streams.
+- Switched to Solaris spelling of token names; Darwin spellings are now
+  deprecated and will be removed in a future version of OpenBSM.
+- Adopt Solaris model for representing IPv4 and IPv6 addresses.
+- Prefer C99 types.
+- Attempt to universally adopt the BSD style(9) coding style for
+  consistency.
+- auditreduce(1) now has a usage message.
+- Update support for auditctl(2) system call to support FreeBSD.
+- Add support for /dev/audit as the trigger source on FreeBSD.
+- Add additional event types for Darwin, FreeBSD, and Solaris.  Annotate
+  conflicts (there are a few, unfortunately).  Correct spellings, comment,
+  sort, etc.  These include {get,set}res[ug]id(), sendfile(), lchflags(),
+  eaccess(), kqueue(), kevent(), poll(), lchmod().
+- Relicensed under a BSD license, many thanks to Apple, Inc!
+- Many bug fixes, cleanups, thread safety in the class, control, event,
+  and user system audit databases.  Annotate some persisting atomicity
+  bugs associated with the API and implementation.
+- Add audump test tool.
+- Adopt OpenSolaris BSM API memory semantics: caller allocates memory,
+  or static memory is returned for non-_r() versions of API calls.
+  _free() calls dropped as a result, and source code compatibility with
+  OpenSolaris improved significantly.
+- Annotate BSM events with origin OS and compatibility information.
+- auditd(8), audit(8) added to the OpenBSM distribution.  auditd extended
+  to support reloading of kernel event table.
+- Allow comments in /etc/security configuration files.
+
+$P4: //depot/projects/trustedbsd/openbsm/CHANGELOG#6 $
diff --git a/contrib/openbsm/LICENSE b/contrib/openbsm/LICENSE
new file mode 100644
index 000000000000..3b5d8b86706a
--- /dev/null
+++ b/contrib/openbsm/LICENSE
@@ -0,0 +1,33 @@
+OpenBSM is covered by a number of copyrights, with licenses being either two
+or three clause BSD licenses.  Individual file headers should be consulted
+for specific copyrights on specific components.  The TrustedBSD Project would
+appreciate the contribution of fixes and enhancements under identical or
+substantially similar licenses:
+
+ * Copyright (c) <year> <copyright holder>
+ * All rights reserved.
+ *
+ * <any additional comments or credits>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+
+$P4: //depot/projects/trustedbsd/openbsm/LICENSE#4 $
diff --git a/contrib/openbsm/Makefile b/contrib/openbsm/Makefile
new file mode 100644
index 000000000000..b480723c19a8
--- /dev/null
+++ b/contrib/openbsm/Makefile
@@ -0,0 +1,9 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/Makefile#2 $
+#
+
+SUBDIR=	bsm								\
+	libbsm								\
+	bin
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openbsm/README b/contrib/openbsm/README
new file mode 100644
index 000000000000..60877a6fc59d
--- /dev/null
+++ b/contrib/openbsm/README
@@ -0,0 +1,86 @@
+OpenBSM 1.0
+
+  Introduction
+
+OpenBSM provides an open source implementation of Sun's BSM Audit API. 
+Originally created under contract to Apple Computer by McAfee Research, 
+this implementation is now maintained by volunteers and the generous 
+contribution of several organizations.  Coupled with a kernel audit 
+implementation, OpenBSM can be used to maintain system audit streams, and 
+is a foundation for an Audit-enabled system.
+
+  Contents
+
+OpenBSM consists of several directories:
+
+    bin/           Audit-related command line tools
+    bsm/           System include files for BSM
+    etc/           Sample /etc/security configuration files
+    libbsm/        Implementation of BSM library interfaces and man pages
+    man/           System call and configuration file man pages
+
+OpenBSM currently builds on FreeBSD and Darwin.  With Makefile adjustment
+and minor tweaks, it should build without problems on a broad range of
+POSIX-like systems.
+
+  Building
+
+OpenBSM is currently built using a series of BSD make files which should 
+work on both FreeBSD and Darwin.  One known issue is that versions of 
+Darwin prior to 10.3.8 have a nested include of "sys/audit.h" from 
+"sys/proc.h", which can result in type definition conflicts.  If running 
+with include files from an earlier version of Darwin, the nested include 
+must be manually removed in order that libbsm can be built, due to 
+potentially conflicting types resulting from an include of "sys/sysctl.h" 
+by that file.  On Darwin, the use of BSD make must be specified explicitly 
+by using "bsdmake" rather than "make", which on Darwin refers to GNU make.  
+Typical invocations from the OpenBSM tree root:
+
+FreeBSD
+
+    % make
+    # make install
+
+Darwin
+
+    % bsdmake
+    # bsdmake install
+
+  Credits
+
+The following organizations and individuals have contributed substantially 
+to the development of OpenBSM:
+
+    Apple Computer, Inc.
+    McAfee Research, McAfee, Inc.
+    SPARTA, Inc.
+    Robert Watson
+    Wayne Salamon
+    Suresh Krishnaswamy
+    Kevin Van Vechten
+    Tom Rhodes
+    Wojciech Koszek
+    Chunyang Yuan
+    Poul-Henning Kamp
+
+In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
+Software's FlexeLint tool were used to identify a number of bugs in the
+OpenBSM implementation.
+
+  Contributions
+
+The TrustedBSD Project would appreciate the contribution of bug fixes, 
+enhancements, etc, under identically or substantially similar licenses to 
+those present on the remainder of the OpenBSM source code.
+
+  Location
+
+Information on OpenBSM may be found on the OpenBSM home page:
+
+    http://www.OpenBSM.org/
+
+Information on TrustedBSD may be found on the TrustedBSD home page:
+
+    http://www.TrustedBSD.org/
+
+$P4: //depot/projects/trustedbsd/openbsm/README#11 $
diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO
new file mode 100644
index 000000000000..135a26b4f7c3
--- /dev/null
+++ b/contrib/openbsm/TODO
@@ -0,0 +1,12 @@
+- Teach praudit how to general XML format BSM streams.
+- Teach libbsm about any additional 64-bit token types that are present
+  in more recent Solaris versions.
+- Build a regression test suite for libbsm that generates each token
+  type and then compares the results with known good data.  Make sure to
+  test that things work properly with respect to endianness of the local
+  platform.
+- Document contents of libbsm "public" data structures in libbsm man pages.
+- The audit.log.5 man page is incomplete, as it does not describe all
+  token types.
+
+$P4: //depot/projects/trustedbsd/openbsm/TODO#4 $
diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION
new file mode 100644
index 000000000000..d75e15753e1d
--- /dev/null
+++ b/contrib/openbsm/VERSION
@@ -0,0 +1 @@
+OPENBSM_1_0_ALPHA_1
diff --git a/contrib/openbsm/bin/Makefile b/contrib/openbsm/bin/Makefile
new file mode 100644
index 000000000000..3bc4a6c11567
--- /dev/null
+++ b/contrib/openbsm/bin/Makefile
@@ -0,0 +1,10 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/Makefile#4 $
+#
+
+SUBDIR=	audit								\
+	auditd								\
+	auditreduce							\
+	praudit
+
+.include <bsd.subdir.mk>
diff --git a/contrib/openbsm/bin/audit/Makefile b/contrib/openbsm/bin/audit/Makefile
new file mode 100644
index 000000000000..cec37ead6244
--- /dev/null
+++ b/contrib/openbsm/bin/audit/Makefile
@@ -0,0 +1,12 @@
+# 
+# $P4: //depot/projects/trustedbsd/openbsm/bin/audit/Makefile#2 $
+#
+
+CFLAGS+=	-I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG=		audit
+MAN=		audit.8
+DPADD=		/usr/lib/libbsm.a
+LDADD=		-lbsm
+BINDIR=		/usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
new file mode 100644
index 000000000000..419bcf12d80d
--- /dev/null
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -0,0 +1,86 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_START@
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" 
+.\" @APPLE_BSD_LICENSE_HEADER_END@
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#2 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT 8
+.Os
+.Sh NAME
+.Nm audit
+.Nd audit management utility
+.Sh SYNOPSIS
+.Nm audit
+.Op Fl nst
+.Op Ar file
+.Sh DESCRIPTION
+The
+.Nm 
+utility controls the state of auditing system. The optional
+.Ar file
+operand specifies the location of the audit control input file (default
+/etc/security/audit_control).  
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl n
+Forces the audit system to close the existing audit log file and rotate to
+a new log file in a location specified in the audit control file.
+.It Fl s
+Specifies that the audit system should [re]synchronize its
+configuration from the audit control file.  A new log file will be
+created.
+.It Fl t
+Specifies that the audit system should terminate.  Log files are closed
+and renamed to indicate the time of the shutdown.
+.El
+.Sh NOTES
+The auditd(8) daemon must already be running.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+Default audit policy file used to configure the auditing system.
+.El
+.Sh SEE ALSO
+.Xr auditd 8
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/audit/audit.c b/contrib/openbsm/bin/audit/audit.c
new file mode 100644
index 000000000000..7be9c8c4521b
--- /dev/null
+++ b/contrib/openbsm/bin/audit/audit.c
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.c#2 $
+ */
+/*
+ * Program to trigger the audit daemon with a message that is either:
+ *    - Open a new audit log file
+ *    - Read the audit control file and take action on it
+ *    - Close the audit log file and exit
+ *
+ */
+
+#include <sys/queue.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include <bsm/audit.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+static void
+usage(void)
+{
+
+	(void)fprintf(stderr, "Usage: audit -n | -s | -t \n");
+	exit(-1);
+}
+
+/*
+ * Main routine to process command line options.
+ */
+int
+main(int argc, char **argv)
+{
+	char ch;
+	unsigned int trigger = 0;
+
+	if (argc != 2)
+		usage();
+
+	while ((ch = getopt(argc, argv, "nst")) != -1) {
+		switch(ch) {
+
+		case 'n':
+			trigger = AUDIT_TRIGGER_OPEN_NEW;
+			break;
+
+		case 's':
+			trigger = AUDIT_TRIGGER_READ_FILE;
+			break;
+
+		case 't':
+			trigger = AUDIT_TRIGGER_CLOSE_AND_DIE;
+			break;
+
+		case '?':
+		default:
+			usage();
+			break;
+		}
+	}
+	if (auditon(A_SENDTRIGGER, &trigger, sizeof(trigger)) < 0) {
+		perror("Error sending trigger");
+		exit(-1);
+	} else {
+		printf("Trigger sent.\n");
+		exit (0);
+	}
+}
diff --git a/contrib/openbsm/bin/auditd/Makefile b/contrib/openbsm/bin/auditd/Makefile
new file mode 100644
index 000000000000..fbbdc47985a4
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/Makefile
@@ -0,0 +1,13 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/Makefile#2 $
+#
+
+CFLAGS+=	-I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG=		auditd
+SRCS=		audit_warn.c auditd.c
+MAN=		auditd.8
+DPADD=		/usr/lib/libbsm.a
+LDADD=		-lbsm
+BINDIR=		/usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/auditd/audit_warn.c b/contrib/openbsm/bin/auditd/audit_warn.c
new file mode 100644
index 000000000000..4a1998445703
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/audit_warn.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/audit_warn.c#5 $
+ */
+
+#include <sys/types.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#include "auditd.h"
+
+/*
+ * Write an audit-related error to the system log via syslog(3).
+ */
+static int
+auditwarnlog(char *args[])
+{
+	char *loc_args[9];
+	pid_t pid;
+	int i;
+
+	loc_args[0] = AUDITWARN_SCRIPT;
+	for (i = 0; args[i] != NULL && i < 8; i++)
+		loc_args[i+1] = args[i];
+	loc_args[i+1] = NULL;
+
+	pid = fork();
+	if (pid == -1)
+		return (-1);
+	if (pid == 0) {
+		/*
+		 * Child.
+		 */
+		execv(AUDITWARN_SCRIPT, loc_args);
+		syslog(LOG_ERR, "Could not exec %s (%m)\n",
+		    AUDITWARN_SCRIPT);
+		exit(1);
+	}
+	/*
+	 * Parent.
+	 */
+	return (0);
+}
+
+/*
+ * Indicates that the hard limit for all filesystems has been exceeded count
+ * times.
+ */
+int
+audit_warn_allhard(int count)
+{
+	char intstr[12];
+	char *args[3];
+
+	snprintf(intstr, 12, "%d", count);
+
+	args[0] = HARDLIM_ALL_WARN;
+	args[1] = intstr;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the soft limit for all filesystems has been exceeded.
+ */
+int
+audit_warn_allsoft(void)
+{
+	char *args[2];
+
+	args[0] = SOFTLIM_ALL_WARN;
+	args[1] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that someone other than the audit daemon turned off auditing.
+ * XXX Its not clear at this point how this function will be invoked.
+ *
+ * XXXRW: This function is not used.
+ */
+int
+audit_warn_auditoff(void)
+{
+	char *args[2];
+
+	args[0] = AUDITOFF_WARN;
+	args[1] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the audit deammn is already running
+ */
+int
+audit_warn_ebusy(void)
+{
+	char *args[2];
+
+	args[0] = EBUSY_WARN;
+	args[1] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that there is a problem getting the directory from
+ * audit_control.
+ *
+ * XXX Note that we take the filename instead of a count as the argument here
+ * (different from BSM).
+ */
+int
+audit_warn_getacdir(char *filename)
+{
+	char *args[3];
+
+	args[0] = GETACDIR_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the hard limit for this file has been exceeded.
+ */
+int
+audit_warn_hard(char *filename)
+{
+	char *args[3];
+
+	args[0] = HARDLIM_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that auditing could not be started.
+ */
+int
+audit_warn_nostart(void)
+{
+	char *args[2];
+
+	args[0] = NOSTART_WARN;
+	args[1] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicaes that an error occrred during the orderly shutdown of the audit
+ * daemon.
+ */
+int
+audit_warn_postsigterm(void)
+{
+	char *args[2];
+
+	args[0] = POSTSIGTERM_WARN;
+	args[1] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the soft limit for this file has been exceeded.
+ */
+int
+audit_warn_soft(char *filename)
+{
+	char *args[3];
+
+	args[0] = SOFTLIM_WARN;
+	args[1] = filename;
+	args[2] = NULL;
+
+	return (auditwarnlog(args));
+}
+
+/*
+ * Indicates that the temporary audit file already exists indicating a fatal
+ * error.
+ */
+int
+audit_warn_tmpfile(void)
+{
+	char *args[2];
+
+	args[0] = TMPFILE_WARN;
+	args[1] = NULL;
+
+	return (auditwarnlog(args));
+}
diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8
new file mode 100644
index 000000000000..18515da7a07d
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.8
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_START@
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer.
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution.
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+.\" DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+.\" DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" @APPLE_BSD_LICENSE_HEADER_END@
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#6 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDITD 8
+.Os
+.Sh NAME
+.Nm auditd
+.Nd audit log management daemon
+.Sh SYNOPSIS
+.Nm auditd
+.Op Fl dhs
+.Sh DESCRIPTION
+The
+.Nm
+daemon responds to requests from the audit(1) utility and notifications
+from the kernel.  It manages the resulting audit log files and specified
+log file locations.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl d
+Starts the daemon in debug mode - it will not daemonize.
+.It Fl h
+Specifies that if auditing cannot be performed as specified, the system should
+halt (panic).  Normally, the system will attempt to proceed - although individual
+processes may be stopped (see the -s option).
+.It Fl s
+Specifies that individual processes should stop rather than perform operations
+that may cause audit records to be lost due to log file full conditions
+.El
+.Sh NOTE
+.Pp
+To assure uninterrupted audit support, the
+.Nm auditd
+daemon should not be started and stopped manually.  Instead, the audit(1) command
+should be used to inform the daemon to change state/configuration after altering
+the audit_control file.
+.Pp
+.\" Sending a SIGHUP to a running
+.\" .Nm auditd
+.\" daemon will force it to exit.
+Sending a SIGTERM to a running
+.Nm auditd
+daemon will force it to exit.
+.Sh FILES
+.Bl -tag -width "/var/audit" -compact
+.It Pa /var/audit
+Default directory for storing audit log files.
+.El
+.Sh SEE ALSO
+.Xr audit 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
new file mode 100644
index 000000000000..b25c9ecc2a44
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -0,0 +1,760 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#8 $
+ */
+
+#include <sys/dirent.h>
+#include <sys/mman.h>
+#include <sys/queue.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_uevents.h>
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+#include <signal.h>
+#include <string.h>
+#include <syslog.h>
+
+#include "auditd.h"
+
+#define	NA_EVENT_STR_SIZE	25
+
+static int	 ret, minval;
+static char	*lastfile = NULL;
+static int	 allhardcount = 0;
+static int	 triggerfd = 0;
+static int	 sighups, sighups_handled;
+static int	 sigterms, sigterms_handled;
+static long	 global_flags;
+
+static TAILQ_HEAD(, dir_ent)	dir_q;
+
+static int	config_audit_controls(void);
+
+/*
+ * Error starting auditd
+ */
+static void
+fail_exit(void)
+{
+
+	audit_warn_nostart();
+	exit(1);
+}
+
+/*
+ * Free our local list of directory names.
+ */
+static void
+free_dir_q()
+{
+	struct dir_ent *dirent;
+
+	while ((dirent = TAILQ_FIRST(&dir_q))) {
+		TAILQ_REMOVE(&dir_q, dirent, dirs);
+		free(dirent->dirname);
+		free(dirent);
+	}
+}
+
+/*
+ * Generate the timestamp string.
+ */
+static int
+getTSstr(char *buf, int len)
+{
+	struct timeval ts;
+	struct timezone tzp;
+	time_t tt;
+
+	if (gettimeofday(&ts, &tzp) != 0)
+		return (-1);
+	tt = (time_t)ts.tv_sec;
+	if (!strftime(buf, len, "%Y%m%d%H%M%S", gmtime(&tt)))
+		return (-1);
+	return (0);
+}
+
+/*
+ * Concat the directory name to the given file name.
+ * XXX We should affix the hostname also
+ */
+static char *
+affixdir(char *name, struct dir_ent *dirent)
+{
+	char *fn;
+	char *curdir;
+	const char *sep = "/";
+
+	curdir = dirent->dirname;
+	syslog(LOG_INFO, "dir = %s\n", dirent->dirname);
+
+	fn = malloc(strlen(curdir) + strlen(sep) + (2 * POSTFIX_LEN) + 1);
+	if (fn == NULL)
+		return (NULL);
+	strcpy(fn, curdir);
+	strcat(fn, sep);
+	strcat(fn, name);
+	return (fn);
+}
+
+/*
+ * Close the previous audit trail file.
+ */
+static int
+close_lastfile(char *TS)
+{
+	char *ptr;
+	char *oldname;
+
+	if (lastfile != NULL) {
+		oldname = (char *)malloc(strlen(lastfile) + 1);
+		if (oldname == NULL)
+			return (-1);
+		strcpy(oldname, lastfile);
+
+		/* Rename the last file -- append timestamp. */
+		if ((ptr = strstr(lastfile, NOT_TERMINATED)) != NULL) {
+			*ptr = '.';
+			strcpy(ptr+1, TS);
+			if (rename(oldname, lastfile) != 0)
+				syslog(LOG_ERR, "Could not rename %s to %s \n",
+				    oldname, lastfile);
+			else
+				syslog(LOG_INFO, "renamed %s to %s \n",
+				    oldname, lastfile);
+		}
+		free(lastfile);
+		free(oldname);
+		lastfile = NULL;
+	}
+	return (0);
+}
+
+/*
+ * Create the new file name, swap with existing audit file.
+ */
+static int
+swap_audit_file(void)
+{
+	char timestr[2 * POSTFIX_LEN];
+	char *fn;
+	char TS[POSTFIX_LEN];
+	struct dir_ent *dirent;
+	int fd;
+
+	if (getTSstr(TS, POSTFIX_LEN) != 0)
+		return (-1);
+
+	strcpy(timestr, TS);
+	strcat(timestr, NOT_TERMINATED);
+
+	/* Try until we succeed. */
+	while ((dirent = TAILQ_FIRST(&dir_q))) {
+		if ((fn = affixdir(timestr, dirent)) == NULL) {
+			syslog(LOG_INFO, "Failed to swap log  at time %s\n",
+				timestr);
+			return (-1);
+		}
+
+		/*
+		 * Create and open the file; then close and pass to the
+		 * kernel if all went well.
+		 */
+		syslog(LOG_INFO, "New audit file is %s\n", fn);
+		fd = open(fn, O_RDONLY | O_CREAT, S_IRUSR | S_IRGRP);
+		if (fd < 0)
+			perror("File open");
+		else if (auditctl(fn) != 0) {
+			syslog(LOG_ERR,
+			    "auditctl failed setting log file! : %s\n",
+			    strerror(errno));
+			close(fd);
+		} else {
+			/* Success. */
+			close_lastfile(TS);
+			lastfile = fn;
+			close(fd);
+			return (0);
+		}
+
+		/*
+		 * Tell the administrator about lack of permissions for dir.
+		 */
+		audit_warn_getacdir(dirent->dirname);
+
+		/* Try again with a different directory. */
+		TAILQ_REMOVE(&dir_q, dirent, dirs);
+		free(dirent->dirname);
+		free(dirent);
+	}
+	syslog(LOG_INFO, "Log directories exhausted\n");
+	return (-1);
+}
+
+/*
+ * Read the audit_control file contents.
+ */
+static int
+read_control_file(void)
+{
+	char cur_dir[MAXNAMLEN];
+	struct dir_ent *dirent;
+	au_qctrl_t qctrl;
+
+	/*
+	 * Clear old values.  Force a re-read of the file the next time.
+	 */
+	free_dir_q();
+	endac();
+
+	/*
+	 * Read the list of directories into a local linked list.
+	 *
+	 * XXX We should use the reentrant interfaces once they are
+	 * available.
+	 */
+	while (getacdir(cur_dir, MAXNAMLEN) >= 0) {
+		dirent = (struct dir_ent *) malloc(sizeof(struct dir_ent));
+		if (dirent == NULL)
+			return (-1);
+		dirent->softlim = 0;
+		dirent->dirname = (char *) malloc(MAXNAMLEN);
+		if (dirent->dirname == NULL) {
+			free(dirent);
+			return (-1);
+		}
+		strcpy(dirent->dirname, cur_dir);
+		TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
+	}
+
+	allhardcount = 0;
+	if (swap_audit_file() == -1) {
+		syslog(LOG_ERR, "Could not swap audit file\n");
+		/*
+		 * XXX Faulty directory listing? - user should be given
+		 * XXX an opportunity to change the audit_control file
+		 * XXX switch to a reduced mode of auditing?
+		 */
+		return (-1);
+	}
+
+	/*
+	 * XXX There are synchronization problems here
+ 	 * XXX what should we do if a trigger for the earlier limit
+	 * XXX is generated here?
+	 */
+	if (0 == (ret = getacmin(&minval))) {
+		syslog(LOG_INFO, "min free = %d\n", minval);
+		if (auditon(A_GETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+			syslog(LOG_ERR,
+			    "could not get audit queue settings\n");
+				return (-1);
+		}
+		qctrl.aq_minfree = minval;
+		if (auditon(A_SETQCTRL, &qctrl, sizeof(qctrl)) != 0) {
+			syslog(LOG_ERR,
+			    "could not set audit queue settings\n");
+			return (-1);
+		}
+	}
+
+	return (0);
+}
+
+/*
+ * Close all log files, control files, and tell the audit system.
+ */
+static int
+close_all(void)
+{
+	int err_ret = 0;
+	char TS[POSTFIX_LEN];
+	int aufd;
+	token_t *tok;
+	long cond;
+
+	/* Generate an audit record. */
+	if ((aufd = au_open()) == -1)
+		syslog(LOG_ERR, "Could not create audit shutdown event.\n");
+	else {
+		if ((tok = au_to_text("auditd::Audit shutdown")) != NULL)
+			au_write(aufd, tok);
+		if (au_close(aufd, 1, AUE_audit_shutdown) == -1)
+			syslog(LOG_ERR,
+			    "Could not close audit shutdown event.\n");
+	}
+
+	/* Flush contents. */
+	cond = AUC_DISABLED;
+	err_ret = auditon(A_SETCOND, &cond, sizeof(cond));
+	if (err_ret != 0) {
+		syslog(LOG_ERR, "Disabling audit failed! : %s\n",
+		    strerror(errno));
+		err_ret = 1;
+	}
+	if (getTSstr(TS, POSTFIX_LEN) == 0)
+		close_lastfile(TS);
+	if (lastfile != NULL)
+		free(lastfile);
+
+	free_dir_q();
+	if ((remove(AUDITD_PIDFILE) == -1) || err_ret) {
+		syslog(LOG_ERR, "Could not unregister\n");
+		audit_warn_postsigterm();
+		return (1);
+	}
+	endac();
+
+	if (close(triggerfd) != 0)
+		syslog(LOG_ERR, "Error closing control file\n");
+	syslog(LOG_INFO, "Finished.\n");
+	return (0);
+}
+
+/*
+ * When we get a signal, we are often not at a clean point.  So, little can
+ * be done in the signal handler itself.  Instead,  we send a message to the
+ * main servicing loop to do proper handling from a non-signal-handler
+ * context.
+ */
+static void
+relay_signal(int signal)
+{
+
+	if (signal == SIGHUP)
+		sighups++;
+	if (signal == SIGTERM)
+		sigterms++;
+}
+
+/*
+ * Registering the daemon.
+ */
+static int
+register_daemon(void)
+{
+	FILE * pidfile;
+	int fd;
+	pid_t pid;
+
+	/* Set up the signal hander. */
+	if (signal(SIGTERM, relay_signal) == SIG_ERR) {
+		syslog(LOG_ERR,
+		    "Could not set signal handler for SIGTERM\n");
+		fail_exit();
+	}
+	if (signal(SIGCHLD, relay_signal) == SIG_ERR) {
+		syslog(LOG_ERR,
+		    "Could not set signal handler for SIGCHLD\n");
+		fail_exit();
+	}
+	if (signal(SIGHUP, relay_signal) == SIG_ERR) {
+		syslog(LOG_ERR,
+		    "Could not set signal handler for SIGHUP\n");
+		fail_exit();
+	}
+
+	if ((pidfile = fopen(AUDITD_PIDFILE, "a")) == NULL) {
+		syslog(LOG_ERR,
+		    "Could not open PID file\n");
+		audit_warn_tmpfile();
+		return (-1);
+	}
+
+	/* Attempt to lock the pid file; if a lock is present, exit. */
+	fd = fileno(pidfile);
+	if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
+		syslog(LOG_ERR,
+		    "PID file is locked (is another auditd running?).\n");
+		audit_warn_ebusy();
+		return (-1);
+	}
+
+	pid = getpid();
+	ftruncate(fd, 0);
+	if (fprintf(pidfile, "%u\n", pid) < 0) {
+		/* Should not start the daemon. */
+		fail_exit();
+	}
+
+	fflush(pidfile);
+	return (0);
+}
+
+/*
+ * Suppress duplicate messages within a 30 second interval.   This should be
+ * enough to time to rotate log files without thrashing from soft warnings
+ * generated before the log is actually rotated.
+ */
+#define	DUPLICATE_INTERVAL	30
+static void
+handle_audit_trigger(int trigger)
+{
+	static int last_trigger;
+	static time_t last_time;
+	struct dir_ent *dirent;
+	int rc;
+
+	/*
+	 * Suppres duplicate messages from the kernel within the specified
+	 * interval.
+	 */
+	struct timeval ts;
+	struct timezone tzp;
+	time_t tt;
+
+	if (gettimeofday(&ts, &tzp) == 0) {
+		tt = (time_t)ts.tv_sec;
+		if ((trigger == last_trigger) &&
+		    (tt < (last_time + DUPLICATE_INTERVAL)))
+			return;
+		last_trigger = trigger;
+		last_time = tt;
+	}
+
+	/*
+	 * Message processing is done here.
+ 	 */
+	dirent = TAILQ_FIRST(&dir_q);
+	switch(trigger) {
+
+	case AUDIT_TRIGGER_LOW_SPACE:
+		syslog(LOG_INFO, "Got low space trigger\n");
+		if (dirent && (dirent->softlim != 1)) {
+			TAILQ_REMOVE(&dir_q, dirent, dirs);
+				/* Add this node to the end of the list. */
+				TAILQ_INSERT_TAIL(&dir_q, dirent, dirs);
+				audit_warn_soft(dirent->dirname);
+				dirent->softlim = 1;
+
+			if (TAILQ_NEXT(TAILQ_FIRST(&dir_q), dirs) != NULL &&
+			    swap_audit_file() == -1)
+				syslog(LOG_ERR, "Error swapping audit file\n");
+
+			/*
+			 * Check if the next dir has already reached its soft
+			 * limit.
+			 */
+			dirent = TAILQ_FIRST(&dir_q);
+			if (dirent->softlim == 1)  {
+				/* All dirs have reached their soft limit. */
+				audit_warn_allsoft();
+			}
+		} else {
+			/*
+			 * Continue auditing to the current file.  Also
+			 * generate  an allsoft warning.
+			 * XXX do we want to do this ?
+			 */
+			audit_warn_allsoft();
+		}
+		break;
+
+	case AUDIT_TRIGGER_NO_SPACE:
+		syslog(LOG_INFO, "Got no space trigger\n");
+
+		/* Delete current dir, go on to next. */
+		TAILQ_REMOVE(&dir_q, dirent, dirs);
+		audit_warn_hard(dirent->dirname);
+		free(dirent->dirname);
+		free(dirent);
+
+		if (swap_audit_file() == -1)
+			syslog(LOG_ERR, "Error swapping audit file\n");
+
+		/* We are out of log directories. */
+		audit_warn_allhard(++allhardcount);
+		break;
+
+	case AUDIT_TRIGGER_OPEN_NEW:
+		/*
+		 * Create a new file and swap with the one being used in
+		 * kernel
+		 */
+		syslog(LOG_INFO, "Got open new trigger\n");
+		if (swap_audit_file() == -1)
+			syslog(LOG_ERR, "Error swapping audit file\n");
+		break;
+
+	case AUDIT_TRIGGER_READ_FILE:
+		syslog(LOG_INFO, "Got read file trigger\n");
+		if (read_control_file() == -1)
+			syslog(LOG_ERR, "Error in audit control file\n");
+		if (config_audit_controls() == -1)
+			syslog(LOG_ERR, "Error setting audit controls\n");
+		break;
+
+	default:
+		syslog(LOG_ERR, "Got unknown trigger %d\n", trigger);
+		break;
+	}
+}
+
+static void
+handle_sighup(void)
+{
+
+	sighups_handled = sighups;
+	config_audit_controls();
+}
+
+/*
+ * Read the control file for triggers and handle appropriately.
+ */
+static int
+wait_for_triggers(void)
+{
+	int num;
+	unsigned int trigger;
+
+	for (;;) {
+		num = read(triggerfd, &trigger, sizeof(trigger));
+		if ((num == -1) && (errno != EINTR)) {
+			syslog(LOG_ERR, "%s: error %d\n", __FUNCTION__, errno);
+			return (-1);
+		}
+		if (sigterms != sigterms_handled) {
+			syslog(LOG_INFO, "%s: SIGTERM", __FUNCTION__);
+			break;
+		}
+		if (sighups != sighups_handled) {
+			syslog(LOG_INFO, "%s: SIGHUP", __FUNCTION__);
+			handle_sighup();
+		}
+		if ((num == -1) && (errno == EINTR))
+			continue;
+		if (num == 0) {
+			syslog(LOG_INFO, "%s: read EOF\n", __FUNCTION__);
+			return (-1);
+		}
+		syslog(LOG_INFO, "%s: read %d\n", __FUNCTION__, trigger);
+		if (trigger == AUDIT_TRIGGER_CLOSE_AND_DIE)
+			break;
+		else
+			handle_audit_trigger(trigger);
+	}
+	return (close_all());
+}
+
+/*
+ * Reap our children.
+ */
+static void
+reap_children(void)
+{
+	pid_t child;
+	int wstatus;
+
+	while ((child = waitpid(-1, &wstatus, WNOHANG)) > 0) {
+		if (!wstatus)
+			continue;
+		syslog(LOG_INFO, "warn process [pid=%d] %s %d.\n", child,
+		    ((WIFEXITED(wstatus)) ? "exited with non-zero status" :
+		    "exited as a result of signal"),
+		    ((WIFEXITED(wstatus)) ? WEXITSTATUS(wstatus) :
+		    WTERMSIG(wstatus)));
+	}
+}
+
+/*
+ * Configure the audit controls in the kernel: the event to class mapping,
+ * kernel preselection mask, etc.
+ */
+static int
+config_audit_controls(void)
+{
+	au_event_ent_t ev, *evp;
+	au_evclass_map_t evc_map;
+	au_mask_t aumask;
+	int ctr = 0;
+	char naeventstr[NA_EVENT_STR_SIZE];
+
+	/*
+	 * Process the audit event file, obtaining a class mapping for each
+	 * event, and send that mapping into the kernel.
+	 * XXX There's a risk here that the BSM library will return NULL
+	 * for an event when it can't properly map it to a class. In that
+	 * case, we will not process any events beyond the one that failed,
+	 * but should. We need a way to get a count of the events.
+	*/
+	ev.ae_name = (char *)malloc(AU_EVENT_NAME_MAX);
+	ev.ae_desc = (char *)malloc(AU_EVENT_DESC_MAX);
+	if ((ev.ae_name == NULL) || (ev.ae_desc == NULL)) {
+		syslog(LOG_ERR,
+		    "Memory allocation error when configuring audit controls.");
+		return (-1);
+	}
+	evp = &ev;
+	setauevent();
+	while ((evp = getauevent_r(evp)) != NULL) {
+		evc_map.ec_number = evp->ae_number;
+		evc_map.ec_class = evp->ae_class;
+		if (auditon(A_SETCLASS, &evc_map, sizeof(au_evclass_map_t))
+		    != 0)
+			syslog(LOG_ERR,
+				"Failed to register class mapping for event %s",
+				 evp->ae_name);
+		else
+			ctr++;
+	}
+	endauevent();
+	free(ev.ae_name);
+	free(ev.ae_desc);
+	if (ctr == 0)
+		syslog(LOG_ERR, "No events to class mappings registered.");
+	else
+		syslog(LOG_INFO, "Registered %d event to class mappings.",
+		    ctr);
+
+	/*
+	 * Get the non-attributable event string and set the kernel mask from
+	 * that.
+	 */
+	if ((getacna(naeventstr, NA_EVENT_STR_SIZE) == 0) &&
+	    (getauditflagsbin(naeventstr, &aumask) == 0)) {
+		if (auditon(A_SETKMASK, &aumask, sizeof(au_mask_t)))
+			syslog(LOG_ERR,
+			    "Failed to register non-attributable event mask.");
+		else
+			syslog(LOG_INFO,
+			    "Registered non-attributable event mask.");
+	} else
+		syslog(LOG_ERR,
+		    "Failed to obtain non-attributable event mask.");
+
+	/*
+	 * Set the audit policy flags based on passed in parameter values.
+	 */
+	if (auditon(A_SETPOLICY, &global_flags, sizeof(global_flags)))
+		syslog(LOG_ERR, "Failed to set audit policy.");
+
+	return (0);
+}
+
+static void
+setup(void)
+{
+	int aufd;
+	token_t *tok;
+
+	if ((triggerfd = open(AUDIT_TRIGGER_FILE, O_RDONLY, 0)) < 0) {
+		syslog(LOG_ERR, "Error opening trigger file\n");
+		fail_exit();
+	}
+
+	TAILQ_INIT(&dir_q);
+	if (read_control_file() == -1) {
+		syslog(LOG_ERR, "Error reading control file\n");
+		fail_exit();
+	}
+
+	/* Generate an audit record. */
+	if ((aufd = au_open()) == -1)
+		syslog(LOG_ERR, "Could not create audit startup event.\n");
+	else {
+		if ((tok = au_to_text("auditd::Audit startup")) != NULL)
+			au_write(aufd, tok);
+		if (au_close(aufd, 1, AUE_audit_startup) == -1)
+			syslog(LOG_ERR,
+			    "Could not close audit startup event.\n");
+	}
+
+	if (config_audit_controls() == 0)
+		syslog(LOG_INFO, "Audit controls init successful\n");
+	else
+		syslog(LOG_INFO, "Audit controls init failed\n");
+}
+
+int
+main(int argc, char **argv)
+{
+	char ch;
+	int debug = 0;
+	int rc;
+
+	global_flags |= AUDIT_CNT;
+	while ((ch = getopt(argc, argv, "dhs")) != -1) {
+		switch(ch) {
+		case 'd':
+			/* Debug option. */
+			debug = 1;
+			break;
+
+		case 's':
+			/* Fail-stop option. */
+			global_flags &= ~(AUDIT_CNT);
+			break;
+
+		case 'h':
+			/* Halt-stop option. */
+			global_flags |= AUDIT_AHLT;
+			break;
+
+		case '?':
+		default:
+			(void)fprintf(stderr,
+			    "usage: auditd [-h | -s] [-d] \n");
+			exit(1);
+		}
+	}
+
+	openlog("auditd", LOG_CONS | LOG_PID, LOG_SECURITY);
+	syslog(LOG_INFO, "starting...\n");
+
+	if (debug == 0 && daemon(0, 0) == -1) {
+		syslog(LOG_ERR, "Failed to daemonize\n");
+		exit(1);
+	}
+
+	if (register_daemon() == -1) {
+		syslog(LOG_ERR, "Could not register as daemon\n");
+		exit(1);
+	}
+
+	setup();
+
+	rc = wait_for_triggers();
+	syslog(LOG_INFO, "auditd exiting.\n");
+
+	exit(rc);
+}
diff --git a/contrib/openbsm/bin/auditd/auditd.h b/contrib/openbsm/bin/auditd/auditd.h
new file mode 100644
index 000000000000..e1731d96542a
--- /dev/null
+++ b/contrib/openbsm/bin/auditd/auditd.h
@@ -0,0 +1,80 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#4 $
+ */
+
+#ifndef _AUDITD_H_
+#define	_AUDITD_H_
+
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <syslog.h>
+
+#define	MAX_DIR_SIZE	255
+#define	AUDITD_NAME	"auditd"
+
+#define	POSTFIX_LEN		16
+#define	NOT_TERMINATED	".not_terminated"
+
+struct dir_ent {
+	char			*dirname;
+	char			 softlim;
+	TAILQ_ENTRY(dir_ent)	 dirs;
+};
+
+#define	HARDLIM_ALL_WARN	"allhard"
+#define	SOFTLIM_ALL_WARN	"allsoft"
+#define	AUDITOFF_WARN		"aditoff"
+#define	EBUSY_WARN		"ebusy"
+#define	GETACDIR_WARN		"getacdir"
+#define	HARDLIM_WARN		"hard"
+#define	NOSTART_WARN		"nostart"
+#define	POSTSIGTERM_WARN	"postsigterm"
+#define	SOFTLIM_WARN		"soft"
+#define	TMPFILE_WARN		"tmpfile"
+
+#define	AUDITWARN_SCRIPT	"/etc/security/audit_warn"
+#define	AUDITD_PIDFILE		"/var/run/auditd.pid"
+
+int	audit_warn_allhard(int count);
+int	audit_warn_allsoft(void);
+int	audit_warn_auditoff(void);
+int	audit_warn_ebusy(void);
+int	audit_warn_getacdir(char *filename);
+int	audit_warn_hard(char *filename);
+int	audit_warn_nostart(void);
+int	audit_warn_postsigterm(void);
+int	audit_warn_soft(char *filename);
+int	audit_warn_tmpfile(void);
+
+#endif /* !_AUDITD_H_ */
diff --git a/contrib/openbsm/bin/auditreduce/Makefile b/contrib/openbsm/bin/auditreduce/Makefile
new file mode 100644
index 000000000000..f4c292a3c867
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/Makefile#4 $
+#
+
+CFLAGS+=	-I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG=		auditreduce
+MAN=		auditreduce.1
+DPADD=		/usr/lib/libbsm.a
+LDADD=		-lbsm
+BINDIR=		/usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
new file mode 100644
index 000000000000..6374e5b91150
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -0,0 +1,153 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDITREDUCE 1
+.Os
+.Sh NAME
+.Nm auditreduce
+.Nd "select records from audit trail files"
+.Sh SYNOPSIS
+.Nm auditreduce
+.Op Fl A
+.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl c Ar flags
+.Op Fl d Ar YYYYMMDD
+.Op Fl e Ar euid
+.Op Fl f Ar egid
+.Op Fl g Ar rgid
+.Op Fl r Ar ruid
+.Op Fl u Ar auid
+.Op Fl j Ar id
+.Op Fl m Ar event
+.Op Fl o Ar object=value
+.Op Ar file ...
+.Sh DESCRIPTION
+The
+.Nm 
+utility selects records from the audit trail files based on the specified
+criteria.
+Matching audit records are printed to the standard output in
+their raw binary form.
+If no filename is specified, the standard input is used
+by default.
+Use the 
+.Nm praudit
+utility to print the selected audit records in human-readable form.
+See
+.Xr praudit 1
+for more information.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl A
+Select all records.
+.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+Select records that occurred after or on the given datetime.
+.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+Select records that occurred before the given datetime.
+.It Fl c Ar flags
+Select records matching the given audit classes specified as a comma
+separated list of audit flags.
+See
+.Xr audit_control 5
+for a description of audit flags.
+.It Fl d Ar YYYYMMDD
+Select records that occurred on a given date.
+This option cannot be used with
+.Fl a
+or
+.Fl b
+.It Fl e Ar euid
+Select records with the given effective user id or name.
+.It Fl f Ar egid
+Select records with the given effective group id or name.
+.It Fl g Ar rgid
+Select records with the given real group id or name.
+.It Fl r Ar ruid
+Select records with the given real user id or name.
+.It Fl u Ar auid
+Select records with the given audit id.
+.It Fl j Ar id
+Select records having a subject token with matching ID.
+.It Fl m Ar event
+Select records with the given event name or number.
+See
+.Xr audit_event 5
+for a description of audit event names and numbers.
+.It Fl o Ar object=value
+.Bl -tag -width Ds
+.It Nm file
+Select records containing the given path name.
+file="/usr" matches paths
+starting with
+.Pa usr .
+file="~/usr" matches paths not starting with
+.Pa usr .
+.It Nm msgqid
+Select records containing the given message queue id.
+.It Nm pid
+Select records containing the given process id.
+.It Nm semid
+Select records containing the given semaphore id.
+.It Nm shmid
+Select records containing the given shared memory id.
+.El
+.El
+.Sh Examples
+.Pp
+To select all records associated with effective user ID root from the audit
+log /var/audit/20031016184719.20031017122634:
+.Pp
+.Nm
+-e root /var/audit/20031016184719.20031017122634
+.Pp
+To select all
+.Xr setlogin 2
+events from that log:
+.Pp
+.Nm
+-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Sh SEE ALSO
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr praudit 1
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.c b/contrib/openbsm/bin/auditreduce/auditreduce.c
new file mode 100644
index 000000000000..8e6f2452bc50
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.c
@@ -0,0 +1,699 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer. 
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution. 
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission. 
+ * 
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#11 $
+ */
+
+/* 
+ * Tool used to merge and select audit records from audit trail files 
+ */
+
+/*
+ * XXX Currently we do not support merging of records from multiple
+ * XXX audit trail files
+ * XXX We assume that records are sorted chronologically - both wrt to 
+ * XXX the records present within the file and between the files themselves
+ */ 
+
+#include <bsm/libbsm.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sysexits.h>
+#include <grp.h>
+#include <pwd.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+
+#include "auditreduce.h"
+
+extern char		*optarg;
+extern int		 optind, optopt, opterr,optreset;
+
+static au_mask_t	 maskp;		/* Class. */
+static time_t		 p_atime;	/* Created after this time. */
+static time_t		 p_btime;	/* Created before this time. */
+static uint16_t		 p_evtype;	/* Event that we are searching for. */
+static int		 p_auid;	/* Audit id. */ 
+static int		 p_euid;	/* Effective user id. */
+static int		 p_egid;	/* Effective group id. */ 
+static int		 p_rgid;	/* Real group id. */ 
+static int		 p_ruid;	/* Real user id. */ 
+static int		 p_subid;	/* Subject id. */
+
+/*
+ * Following are the objects (-o option) that we can select upon.
+ */
+static char	*p_fileobj = NULL;
+static char	*p_msgqobj = NULL;
+static char	*p_pidobj = NULL;
+static char	*p_semobj = NULL;
+static char	*p_shmobj = NULL;
+static char	*p_sockobj = NULL; 
+
+static uint32_t opttochk = 0;
+
+static void
+usage(const char *msg)
+{
+	fprintf(stderr, "%s\n", msg);
+	fprintf(stderr, "Usage: auditreduce [options] audit-trail-file [....] \n");
+	fprintf(stderr, "\tOptions are : \n");
+	fprintf(stderr, "\t-A : all records\n");
+	fprintf(stderr, "\t-a YYYYMMDD[HH[[MM[SS]]] : after date\n");
+	fprintf(stderr, "\t-b YYYYMMDD[HH[[MM[SS]]] : before date\n");
+	fprintf(stderr, "\t-c <flags> : matching class\n");
+	fprintf(stderr, "\t-d YYYYMMDD : on date\n");
+	fprintf(stderr, "\t-e <uid|name>  : effective user\n");
+	fprintf(stderr, "\t-f <gid|group> : effective group\n");
+	fprintf(stderr, "\t-g <gid|group> : real group\n");
+	fprintf(stderr, "\t-j <pid> : subject id \n");
+	fprintf(stderr, "\t-m <evno|evname> : matching event\n");
+	fprintf(stderr, "\t-o objecttype=objectvalue\n");
+	fprintf(stderr, "\t\t file=<pathname>\n");
+	fprintf(stderr, "\t\t msgqid=<ID>\n");
+	fprintf(stderr, "\t\t pid=<ID>\n");
+	fprintf(stderr, "\t\t semid=<ID>\n");
+	fprintf(stderr, "\t\t shmid=<ID>\n");
+	fprintf(stderr, "\t-r <uid|name> : real user\n");
+	fprintf(stderr, "\t-u <uid|name> : audit user\n");
+	exit(EX_USAGE);
+}
+
+/*
+ * Check if the given auid matches the selection criteria.
+ */
+static int
+select_auid(int au)
+{
+
+	/* Check if we want to select on auid. */
+	if (ISOPTSET(opttochk, OPT_u)) {
+		if (au != p_auid)
+			return (0);
+	}
+	return (1);
+}
+
+/*
+ * Check if the given euid matches the selection criteria.
+ */
+static int
+select_euid(int euser)
+{
+
+	/* Check if we want to select on euid. */
+	if (ISOPTSET(opttochk, OPT_e)) {
+		if (euser != p_euid)
+			return (0);
+	}
+	return (1);
+}
+
+/*
+ * Check if the given egid matches the selection criteria.
+ */
+static int
+select_egid(int egrp)
+{
+
+	/* Check if we want to select on egid. */
+	if (ISOPTSET(opttochk, OPT_f)) {
+		if (egrp != p_egid)
+			return (0);
+	}
+	return (1);
+}
+
+/*
+ * Check if the given rgid matches the selection criteria.
+ */
+static int
+select_rgid(int grp)
+{
+
+	/* Check if we want to select on rgid. */
+	if (ISOPTSET(opttochk, OPT_g)) {
+		if (grp != p_rgid)
+			return (0);
+	}
+	return (1);
+}
+
+/*
+ * Check if the given ruid matches the selection criteria.
+ */
+static int
+select_ruid(int user)
+{
+
+	/* Check if we want to select on rgid. */
+	if (ISOPTSET(opttochk, OPT_r)) {
+		if (user != p_ruid)
+			return (0);
+	}
+	return (1);
+}
+
+/*
+ * Check if the given subject id (pid) matches the selection criteria.
+ */
+static int
+select_subid(int subid)
+{
+
+	/* Check if we want to select on subject uid. */
+	if (ISOPTSET(opttochk, OPT_j)) {
+		if (subid != p_subid)
+			return (0);
+	}
+	return (1);
+}
+
+
+/*
+ * Check if object's pid maches the given pid.
+ */ 
+static int
+select_pidobj(uint32_t pid) 
+{
+
+	if (ISOPTSET(opttochk, OPT_op)) {
+		if (pid != strtol(p_pidobj, (char **)NULL, 10))
+			return (0);
+	} 
+	return (1);
+}
+
+/*
+ * Check if the given ipc object with the given type matches the selection
+ * criteria.
+ */
+static int
+select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd)
+{
+
+	if (type == AT_IPC_MSG) {
+		SETOPT((*optchkd), OPT_om);
+		if (ISOPTSET(opttochk, OPT_om)) {
+			if (id != strtol(p_msgqobj, (char **)NULL, 10))
+				return (0);
+		}
+		return (1);
+	} else if (type == AT_IPC_SEM) {
+		SETOPT((*optchkd), OPT_ose);
+		if (ISOPTSET(opttochk, OPT_ose)) {
+			if (id != strtol(p_semobj, (char **)NULL, 10))
+				return (0);
+		}
+		return (1);
+	} else if (type == AT_IPC_SHM) {
+		SETOPT((*optchkd), OPT_osh);
+		if (ISOPTSET(opttochk, OPT_osh)) {
+			if (id != strtol(p_shmobj, (char **)NULL, 10))
+				return (0);
+		}
+		return (1);
+	}
+
+	/* Unknown type -- filter if *any* ipc filtering is required. */
+	if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose)
+	    || ISOPTSET(opttochk, OPT_osh))
+		return (0);
+
+	return (1);
+}
+
+
+/*
+ * Check if the file name matches selection criteria.
+ */
+static int
+select_filepath(char *path, uint32_t *optchkd)
+{
+	char *loc;
+
+	SETOPT((*optchkd), OPT_of);
+	if (ISOPTSET(opttochk, OPT_of)) {
+		if (p_fileobj[0] == '~') {
+			/* Object should not be in path. */
+			loc = strstr(path, p_fileobj + 1);
+			if ((loc != NULL) && (loc == path))
+				return (0);
+		} else {
+			/* Object should be in path. */
+			loc = strstr(path, p_fileobj);
+			if ((loc == NULL) || (loc != path))
+				return (0);
+		}
+	}
+	return (1);
+}
+
+/*
+ * Returns 1 if the following pass the selection rules:
+ *
+ * before-time, 
+ * after time, 
+ * date, 
+ * class, 
+ * event 
+ */
+static int
+select_hdr32(tokenstr_t tok, uint32_t *optchkd)
+{
+
+	SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m));
+
+	/* The A option overrides a, b and d. */
+	if (!ISOPTSET(opttochk, OPT_A)) {
+		if (ISOPTSET(opttochk, OPT_a)) {
+			if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) {
+				/* Record was created before p_atime. */
+				return (0);
+			}
+		}
+
+		if (ISOPTSET(opttochk, OPT_b)) {
+			if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) {
+				/* Record was created after p_btime. */
+				return (0);
+			}
+		}
+	}
+
+	if (ISOPTSET(opttochk, OPT_c)) {
+		/*
+		 * Check if the classes represented by the event matches
+		 * given class.
+		 */
+		if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH,
+		    AU_PRS_USECACHE) != 1)
+			return (0);
+	}
+
+	/* Check if event matches. */
+	if (ISOPTSET(opttochk, OPT_m)) {
+		if (tok.tt.hdr32.e_type != p_evtype)
+			return (0);
+	}
+		
+	return (1);
+}
+
+/*
+ * Return 1 if checks for the the following succeed
+ * auid, 
+ * euid, 
+ * egid, 
+ * rgid, 
+ * ruid, 
+ * process id
+ */
+static int
+select_proc32(tokenstr_t tok, uint32_t *optchkd)
+{
+
+	SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op));
+
+	if (!select_auid(tok.tt.proc32.auid))
+		return (0);
+	if (!select_euid(tok.tt.proc32.euid))
+		return (0);
+	if (!select_egid(tok.tt.proc32.egid))
+		return (0);
+	if (!select_rgid(tok.tt.proc32.rgid))
+		return (0);
+	if (!select_ruid(tok.tt.proc32.ruid))
+		return (0);
+	if (!select_pidobj(tok.tt.proc32.pid))
+		return (0);
+	return (1);
+}
+
+/*
+ * Return 1 if checks for the the following succeed
+ * auid, 
+ * euid, 
+ * egid, 
+ * rgid, 
+ * ruid, 
+ * subject id
+ */
+static int
+select_subj32(tokenstr_t tok, uint32_t *optchkd)
+{
+
+	SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j));
+
+	if (!select_auid(tok.tt.subj32.auid))
+		return (0);
+	if (!select_euid(tok.tt.subj32.euid))
+		return (0);
+	if (!select_egid(tok.tt.subj32.egid))
+		return (0);
+	if (!select_rgid(tok.tt.subj32.rgid))
+		return (0);
+	if (!select_ruid(tok.tt.subj32.ruid))
+		return (0);
+	if (!select_subid(tok.tt.subj32.pid))
+		return (0);
+	return (1);
+}
+
+/*
+ * Read each record from the audit trail.  Check if it is selected after
+ * passing through each of the options 
+ */
+static int
+select_records(FILE *fp)
+{
+	u_char *buf;
+	tokenstr_t tok;
+	int reclen;
+	int bytesread;
+	int selected;
+	uint32_t optchkd;
+
+	int err = 0;
+	while ((reclen = au_read_rec(fp, &buf)) != -1) {
+		optchkd = 0;
+		bytesread = 0;
+		selected = 1;
+		while ((selected == 1) && (bytesread < reclen)) {
+			if (-1 == au_fetch_tok(&tok, buf + bytesread,
+			    reclen - bytesread)) {
+				/* Is this an incomplete record? */
+				err = 1;
+				break;
+			}
+
+			/*
+			 * For each token type we have have different
+			 * selection criteria.
+			 */
+			switch(tok.id) {
+			case AU_HEADER_32_TOKEN:
+					selected = select_hdr32(tok,
+					    &optchkd);
+					break;
+
+			case AU_PROCESS_32_TOKEN:
+					selected = select_proc32(tok,
+					    &optchkd);
+					break;
+
+			case AU_SUBJECT_32_TOKEN:
+					selected = select_subj32(tok,
+					    &optchkd);
+					break;
+
+			case AU_IPC_TOKEN:
+					selected = select_ipcobj(
+					    tok.tt.ipc.type, tok.tt.ipc.id,
+					    &optchkd); 
+					break;
+
+			case AU_FILE_TOKEN:
+					selected = select_filepath(
+					    tok.tt.file.name, &optchkd);
+					break;
+
+			case AU_PATH_TOKEN:
+					selected = select_filepath(
+					    tok.tt.path.path, &optchkd);
+					break;	
+
+			/* 
+			 * The following tokens dont have any relevant
+			 * attributes that we can select upon.
+			 */
+			case AU_TRAILER_TOKEN:
+			case AU_ARG32_TOKEN:
+			case AU_ATTR32_TOKEN:
+			case AU_EXIT_TOKEN:
+			case AU_NEWGROUPS_TOKEN:
+			case AU_IN_ADDR_TOKEN:
+			case AU_IP_TOKEN:
+			case AU_IPCPERM_TOKEN:
+			case AU_IPORT_TOKEN:
+			case AU_OPAQUE_TOKEN:
+			case AU_RETURN_32_TOKEN:
+			case AU_SEQ_TOKEN:
+			case AU_TEXT_TOKEN:
+			case AU_ARB_TOKEN:
+			case AU_SOCK_TOKEN:
+			default:
+				break;
+			}
+			bytesread += tok.len;
+		}
+		if ((selected == 1) && (!err)) {
+			/* Check if all the options were matched. */
+			if (!(opttochk & ~optchkd)) {
+				/* XXX Write this record to the output file. */
+				/* default to stdout */
+				fwrite(buf, 1, reclen, stdout);
+			}
+		}
+		free(buf);
+	}
+	return (0);
+}
+
+/* 
+ * The -o option has the form object_type=object_value.  Identify the object
+ * components.
+ */
+void
+parse_object_type(char *name, char *val)
+{
+	if (val == NULL)
+		return;
+
+	if (!strcmp(name, FILEOBJ)) {
+		p_fileobj = val;
+		SETOPT(opttochk, OPT_of);
+	} else if (!strcmp(name, MSGQIDOBJ)) {
+		p_msgqobj = val;
+		SETOPT(opttochk, OPT_om);
+	} else if (!strcmp(name, PIDOBJ)) {
+		p_pidobj = val;
+		SETOPT(opttochk, OPT_op);
+	} else if (!strcmp(name, SEMIDOBJ)) {
+		p_semobj = val;
+		SETOPT(opttochk, OPT_ose);
+	} else if (!strcmp(name, SHMIDOBJ)) {
+		p_shmobj = val;
+		SETOPT(opttochk, OPT_osh);
+	} else if (!strcmp(name, SOCKOBJ)) {
+		p_sockobj = val;
+		SETOPT(opttochk, OPT_oso);
+	} else
+		usage("unknown value for -o");
+}
+
+int
+main(int argc, char **argv)
+{
+	struct group *grp;
+	struct passwd *pw;
+	struct tm tm;
+	au_event_t *n;
+	FILE *fp;
+	int i;
+	char *objval, *converr;
+	char ch;
+	char timestr[128];
+	char *fname;
+
+	converr = NULL;
+
+	while ((ch = getopt(argc, argv, "Aa:b:c:d:e:f:g:j:m:o:r:u:")) != -1) {
+		switch(ch) {
+		case 'A':
+			SETOPT(opttochk, OPT_A);
+			break;
+
+		case 'a':
+			if (ISOPTSET(opttochk, OPT_a)) {
+				usage("d is exclusive with a and b");
+			}
+			SETOPT(opttochk, OPT_a);
+			strptime(optarg, "%Y%m%d%H%M%S", &tm);
+			strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
+			    &tm);
+			/* fprintf(stderr, "Time converted = %s\n", timestr); */
+			p_atime = mktime(&tm);
+			break; 	
+
+		case 'b':
+			if (ISOPTSET(opttochk, OPT_b)) {
+				usage("d is exclusive with a and b");
+			}
+			SETOPT(opttochk, OPT_b);
+			strptime(optarg, "%Y%m%d%H%M%S", &tm);
+			strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S",
+			    &tm);
+			/* fprintf(stderr, "Time converted = %s\n", timestr); */
+			p_btime = mktime(&tm);
+			break; 	
+
+		case 'c':
+			if (0 != getauditflagsbin(optarg, &maskp)) {
+				/* Incorrect class */
+				usage("Incorrect class");
+			}
+			SETOPT(opttochk, OPT_c);
+			break;
+
+		case 'd':
+			if (ISOPTSET(opttochk, OPT_b) || ISOPTSET(opttochk,
+			    OPT_a))
+				usage("'d' is exclusive with 'a' and 'b'");
+			SETOPT(opttochk, OPT_d);
+			strptime(optarg, "%Y%m%d", &tm);
+			strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
+			/* fprintf(stderr, "Time converted = %s\n", timestr); */
+			p_atime = mktime(&tm);
+			tm.tm_hour = 23;
+			tm.tm_min = 59;
+			tm.tm_sec = 59;
+			strftime(timestr, sizeof(timestr), "%Y%m%d", &tm);
+			/* fprintf(stderr, "Time converted = %s\n", timestr); */
+			p_btime = mktime(&tm);
+			break;
+
+		case 'e':
+			p_euid = strtol(optarg, &converr, 10);
+			if (*converr != '\0') {
+				/* Try the actual name */
+				if ((pw = getpwnam(optarg)) == NULL)
+					break;
+				p_euid = pw->pw_uid;
+			}
+			SETOPT(opttochk, OPT_e);
+			break;
+
+		case 'f':
+			p_egid = strtol(optarg, &converr, 10);
+			if (*converr != '\0') {
+				/* Try actual group name. */
+				if ((grp = getgrnam(optarg)) == NULL)
+					break;
+				p_egid = grp->gr_gid;
+			}
+			SETOPT(opttochk, OPT_f);
+			break;
+
+		case 'g':
+			p_rgid = strtol(optarg, &converr, 10);
+			if (*converr != '\0') {
+				/* Try actual group name. */
+				if ((grp = getgrnam(optarg)) == NULL) 
+					break;
+				p_rgid = grp->gr_gid;
+			}
+			SETOPT(opttochk, OPT_g);
+			break;
+
+		case 'j':
+			p_subid = strtol(optarg, (char **)NULL, 10);
+			SETOPT(opttochk, OPT_j);
+			break;
+
+		case 'm':
+			p_evtype = strtol(optarg, (char **)NULL, 10);
+			if (p_evtype == 0) {
+				/* Could be the string representation. */
+				n = getauevnonam(optarg);
+				if (n == NULL)
+					usage("Incorrect event name");
+				p_evtype = *n;
+				free(n);
+			}
+			SETOPT(opttochk, OPT_m);
+			break;
+
+		case 'o':
+			objval = strchr(optarg, '=');
+			if (objval != NULL) {
+				*objval = '\0';
+				objval += 1;			
+				parse_object_type(optarg, objval);
+			}
+			break;
+
+		case 'r':
+			p_ruid = strtol(optarg, &converr, 10);
+			if (*converr != '\0') {
+				if ((pw = getpwnam(optarg)) == NULL)
+					break;
+				p_ruid = pw->pw_uid;
+			}
+			SETOPT(opttochk, OPT_r);
+			break;
+
+		case 'u':
+			p_auid = strtol(optarg, &converr, 10);
+			if (*converr != '\0') {
+				if ((pw = getpwnam(optarg)) == NULL)
+					break;
+				p_auid = pw->pw_uid;
+			}
+			SETOPT(opttochk, OPT_u);
+			break;
+
+		case '?':
+		default:
+			usage("Unknown option");
+		}
+	}
+	argv += optind;
+	argc -= optind;
+
+	if (argc == 0)
+		usage("Filename needed");
+
+	/*
+	 * XXX: We should actually be merging records here.
+	 */
+	for (i = 0; i < argc; i++) {
+		fname = argv[i];
+		fp = fopen(fname, "r");
+		if (fp == NULL)
+			errx(EXIT_FAILURE, "Couldn't open %s", fname);
+		if (select_records(fp) == -1) {
+			errx(EXIT_FAILURE, "Couldn't select records %s",
+			    fname);
+		}
+		fclose(fp);
+	}
+	exit(EXIT_SUCCESS);
+}
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.h b/contrib/openbsm/bin/auditreduce/auditreduce.h
new file mode 100644
index 000000000000..698e27605b0f
--- /dev/null
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.h
@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer. 
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution. 
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission. 
+ * 
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ */
+
+#ifndef _AUDITREDUCE_H_
+#define _AUDITREDUCE_H_
+
+
+#define OPT_a	0x00000001
+#define OPT_b	0x00000002
+#define OPT_c	0x00000004
+#define OPT_d 	(OPT_a | OPT_b)	
+#define OPT_e	0x00000010
+#define OPT_f	0x00000020
+#define OPT_g	0x00000040
+#define OPT_j	0x00000080
+#define OPT_m	0x00000100
+#define OPT_of	0x00000200
+#define OPT_om	0x00000400
+#define OPT_op	0x00000800
+#define OPT_ose	0x00001000
+#define OPT_osh	0x00002000
+#define OPT_oso	0x00004000
+#define OPT_r	0x00008000
+#define OPT_u	0x00010000
+#define OPT_A	0x00020000
+
+#define FILEOBJ "file"
+#define MSGQIDOBJ "msgqid"
+#define PIDOBJ "pid"
+#define SEMIDOBJ "semid"
+#define SHMIDOBJ "shmid"
+#define SOCKOBJ "sock"
+
+
+#define SETOPT(optmask, bit)	(optmask |= bit)
+#define ISOPTSET(optmask, bit)	(optmask & bit)
+
+
+#endif /* !_AUDITREDUCE_H_ */
diff --git a/contrib/openbsm/bin/praudit/Makefile b/contrib/openbsm/bin/praudit/Makefile
new file mode 100644
index 000000000000..34e136bd0ee7
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/Makefile
@@ -0,0 +1,12 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/Makefile#4 $
+#
+
+CFLAGS+=	-I- -I ../.. -I ../../libbsm -L ../../libbsm -I.
+PROG=		praudit
+MAN=		praudit.1
+DPADD=		/usr/lib/libbsm.a
+LDADD=		-lbsm
+BINDIR=		/usr/sbin
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1
new file mode 100644
index 000000000000..e99463860407
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/praudit.1
@@ -0,0 +1,97 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#7 $
+.\"
+.Dd Jan 24, 2004
+.Dt PRAUDIT 1
+.Os
+.Sh NAME
+.Nm praudit
+.Nd "print the contents of audit trail files"
+.Sh SYNOPSIS
+.Nm praudit
+.Op Fl lrs
+.Op Fl d Ar del
+.Op Ar file ...
+.Sh DESCRIPTION
+The
+.Nm 
+utility prints the contents of the audit trail files to the standard output in
+human-readable form.
+If no filename is specified, the standard input is used
+by default.
+.Pp
+The options are as follows:
+.Bl -tag -width Ds
+.It Fl l
+Prints the entire record on the same line.
+If this option is not specified,
+every token is displayed on a different line.
+.It Fl r
+Prints the records in their raw, numeric form.
+This option is exclusive from 
+.Fl s
+.It Fl s
+Prints the tokens in their short form.
+Short text representations for
+record and event type are displayed.
+This option is exclusive from
+.Fl  r
+.It Fl d Ar del
+Specifies the delimiter.
+The default delimiter is the comma.
+.El
+.Pp
+If the raw or short forms are not specified, the default is to print the tokens
+in their long form.
+Events are displayed as per their descriptions given in
+.Pa /etc/security/audit_event ;
+uids and gids are expanded to their names;
+dates and times are displayed in human-readable format.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_class
+Descriptions of audit event classes
+.It Pa /etc/security/audit_event
+Descriptions of audit events
+.El
+.Sh SEE ALSO
+.Xr audit_class 5 ,
+.Xr audit_event 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c
new file mode 100644
index 000000000000..920f6d46b589
--- /dev/null
+++ b/contrib/openbsm/bin/praudit/praudit.c
@@ -0,0 +1,157 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#7 $
+ */
+
+/*
+ * Tool used to parse audit records conforming to the BSM structure.
+ */
+
+/*
+ * praudit [-lrs] [-ddel] [filenames]
+ */
+
+#include <bsm/libbsm.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+extern char	*optarg;
+extern int	 optind, optopt, opterr,optreset;
+
+static char	*del = ",";	/* Default delimiter. */
+static int	 oneline = 0;
+static int	 raw = 0;
+static int	 shortfrm = 0;
+static int	 partial = 0;
+
+static void
+usage()
+{
+
+	fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
+	exit(1);
+}
+
+/*
+ * Token printing for each token type .
+ */
+static int
+print_tokens(FILE *fp)
+{
+	u_char *buf;
+	tokenstr_t tok;
+	int reclen;
+	int bytesread;
+
+	/* Allow tail -f | praudit to work. */
+	if (partial) {
+		u_char type = 0;
+		/* Record must begin with a header token. */
+		do {
+			type = fgetc(fp);
+		} while(type != AU_HEADER_32_TOKEN);
+		ungetc(type, fp);
+	}
+
+	while ((reclen = au_read_rec(fp, &buf)) != -1) {
+		bytesread = 0;
+		while (bytesread < reclen) {
+			/* Is this an incomplete record? */
+			if (-1 == au_fetch_tok(&tok, buf + bytesread,
+			    reclen - bytesread))
+				break;
+			au_print_tok(stdout, &tok, del, raw, shortfrm);
+			bytesread += tok.len;
+			if (oneline)
+				printf("%s", del);
+			else
+				printf("\n");
+		}
+		free(buf);
+		if (oneline)
+			printf("\n");
+	}
+	return (0);
+}
+
+int
+main(int argc, char **argv)
+{
+	char ch;
+	int i;
+	FILE *fp;
+
+	while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
+		switch(ch) {
+		case 'l':
+			oneline = 1;
+			break;
+
+		case 'r':
+			if (shortfrm)
+				usage();	/* Exclusive from shortfrm. */
+			raw = 1;
+			break;
+
+		case 's':
+			if (raw)
+				usage();	/* Exclusive from raw. */
+			shortfrm = 1;
+			break;
+
+		case 'd':
+			del = optarg;
+			break;
+
+		case 'p':
+			partial = 1;
+			break;
+
+		case '?':
+		default:
+			usage();
+		}
+	}
+
+	/* For each of the files passed as arguments dump the contents. */
+	if (optind == argc) {
+		print_tokens(stdin);
+		return (1);
+	}
+	for (i = optind; i < argc; i++) {
+		fp = fopen(argv[i], "r");
+		if ((fp == NULL) || (print_tokens(fp) == -1))
+			perror(argv[i]);
+		if (fp != NULL)
+			fclose(fp);
+	}
+	return (1);
+}
diff --git a/contrib/openbsm/bsm/Makefile b/contrib/openbsm/bsm/Makefile
new file mode 100644
index 000000000000..ba6370123110
--- /dev/null
+++ b/contrib/openbsm/bsm/Makefile
@@ -0,0 +1,22 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $
+#
+
+INCS=	audit.h								\
+	audit_internal.h						\
+	audit_kevents.h							\
+	audit_record.h							\
+	audit_uevents.h							\
+	libbsm.h
+
+TARGET=	${DESTDIR}/usr/include/bsm
+
+all:
+default:
+depend:
+clean:
+
+install:
+	mkdir -p -m 0755 ${TARGET}
+	install -o root -g wheel -m 0644 ${INCS} ${TARGET}
+
diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h
new file mode 100644
index 000000000000..1d208c1347eb
--- /dev/null
+++ b/contrib/openbsm/bsm/audit.h
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_H
+#define	_BSM_AUDIT_H
+
+#define	AUDIT_RECORD_MAGIC	0x828a0f1b
+#define	MAX_AUDIT_RECORDS	20
+#define	MAX_AUDIT_RECORD_SIZE	4096
+#define	MIN_AUDIT_FILE_SIZE	(512 * 1024)
+
+/*
+ * Triggers for the audit daemon
+ */
+#define	AUDIT_TRIGGER_MIN		1
+#define	AUDIT_TRIGGER_LOW_SPACE		1
+#define	AUDIT_TRIGGER_OPEN_NEW		2
+#define	AUDIT_TRIGGER_READ_FILE		3
+#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4
+#define	AUDIT_TRIGGER_NO_SPACE		5
+#define	AUDIT_TRIGGER_MAX		5
+
+/*
+ * File that will be read for trigger events from the kernel
+ */
+#define	AUDIT_TRIGGER_FILE	"/dev/audit"
+
+/*
+ * Pre-defined audit IDs
+ */
+#define	AU_DEFAUDITID	-1
+
+/*
+ * Define the masks for the classes of audit events.
+ */
+#define	AU_NULL		0x00000000
+#define	AU_FREAD	0x00000001
+#define	AU_FWRITE	0x00000002
+#define	AU_FACCESS	0x00000004
+#define	AU_FMODIFY	0x00000008
+#define	AU_FCREATE	0x00000010
+#define	AU_FDELETE	0x00000020
+#define	AU_CLOSE	0x00000040
+#define	AU_PROCESS	0x00000080
+#define	AU_NET		0x00000100
+#define	AU_IPC		0x00000200
+#define	AU_NONAT	0x00000400
+#define	AU_ADMIN	0x00000800
+#define	AU_LOGIN	0x00001000
+#define	AU_TFM		0x00002000
+#define	AU_APPL		0x00004000
+#define	AU_SETL		0x00008000
+#define	AU_IFLOAT	0x00010000
+#define	AU_PRIV		0x00020000
+#define	AU_MAC_RW	0x00040000
+#define	AU_XCONN	0x00080000
+#define	AU_XCREATE	0x00100000
+#define	AU_XDELETE	0x00200000
+#define	AU_XIFLOAT	0x00400000
+#define	AU_XPRIVS	0x00800000
+#define	AU_XPRIVF	0x01000000
+#define	AU_XMOVE	0x02000000
+#define	AU_XDACF	0x04000000
+#define	AU_XMACF	0x08000000
+#define	AU_XSECATTR	0x10000000
+#define	AU_IOCTL	0x20000000
+#define	AU_EXEC		0x40000000
+#define	AU_OTHER	0x80000000
+#define	AU_ALL		0xffffffff
+
+/*
+ * IPC types
+ */
+#define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
+#define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */
+#define	AT_IPC_SHM	((u_char)3)	/* Shared mem IPC id. */
+
+/*
+ * Audit conditions.
+ */
+#define	AUC_UNSET		0
+#define	AUC_AUDITING		1
+#define	AUC_NOAUDIT		2
+#define	AUC_DISABLED		-1
+
+/*
+ * auditon(2) commands.
+ */
+#define	A_GETPOLICY	2
+#define	A_SETPOLICY	3
+#define	A_GETKMASK	4
+#define	A_SETKMASK	5
+#define	A_GETQCTRL	6
+#define	A_SETQCTRL	7
+#define	A_GETCWD	8
+#define	A_GETCAR	9
+#define	A_GETSTAT	12
+#define	A_SETSTAT	13
+#define	A_SETUMASK	14
+#define	A_SETSMASK	15
+#define	A_GETCOND	20
+#define	A_SETCOND	21
+#define	A_GETCLASS	22
+#define	A_SETCLASS	23
+#define	A_GETPINFO	24
+#define	A_SETPMASK	25
+#define	A_SETFSIZE	26
+#define	A_GETFSIZE	27
+#define	A_GETPINFO_ADDR	28
+#define	A_GETKAUDIT	29
+#define	A_SETKAUDIT	30
+#define	A_SENDTRIGGER	31
+
+/*
+ * Audit policy controls.
+ */
+#define	AUDIT_CNT	0x0001
+#define	AUDIT_AHLT	0x0002
+#define	AUDIT_ARGV	0x0004
+#define	AUDIT_ARGE	0x0008
+#define	AUDIT_PASSWD	0x0010
+#define	AUDIT_SEQ	0x0020
+#define	AUDIT_WINDATA	0x0040
+#define	AUDIT_USER	0x0080
+#define	AUDIT_GROUP	0x0100
+#define	AUDIT_TRAIL	0x0200
+#define	AUDIT_PATH	0x0400
+
+/*
+ * Audit queue control parameters
+ */
+#define	AQ_HIWATER	100
+#define	AQ_MAXHIGH	10000
+#define	AQ_LOWATER	10
+#define	AQ_BUFSZ	1024
+#define	AQ_MAXBUFSZ	1048576
+
+/*
+ * Default minimum percentage free space on file system.
+ */
+#define	AU_FS_MINFREE	20
+
+/*
+ * Type definitions used indicating the length of variable length addresses
+ * in tokens containing addresses, such as header fields.
+ */
+#define	AU_IPv4		4
+#define	AU_IPv6		16
+
+__BEGIN_DECLS
+
+typedef	uid_t		au_id_t;
+typedef	pid_t		au_asid_t;
+typedef	u_int16_t	au_event_t;
+typedef	u_int16_t	au_emod_t;
+typedef	u_int32_t	au_class_t;
+
+struct au_tid {
+	dev_t		port;
+	u_int32_t	machine;
+};
+typedef	struct au_tid	au_tid_t;
+
+struct au_tid_addr {
+	dev_t		at_port;
+	u_int32_t	at_type;
+	u_int32_t	at_addr[4];
+};
+typedef	struct au_tid_addr	au_tid_addr_t;
+
+struct au_mask {
+	unsigned int    am_success;     /* Success bits. */
+	unsigned int    am_failure;     /* Failure bits. */
+};
+typedef	struct au_mask	au_mask_t;
+
+struct auditinfo {
+	au_id_t		ai_auid;	/* Audit user ID. */
+	au_mask_t	ai_mask;	/* Audit masks. */
+	au_tid_t	ai_termid;	/* Terminal ID. */
+	au_asid_t	ai_asid;	/* Audit session ID. */
+};
+typedef	struct auditinfo	auditinfo_t;
+
+struct auditinfo_addr {
+	au_id_t		ai_auid;	/* Audit user ID. */
+	au_mask_t	ai_mask;	/* Audit masks. */
+	au_tid_addr_t	ai_termid;	/* Terminal ID. */
+	au_asid_t	ai_asid;	/* Audit session ID. */
+};
+typedef	struct auditinfo_addr	auditinfo_addr_t;
+
+struct auditpinfo {
+	pid_t		ap_pid;		/* ID of target process. */
+	au_id_t		ap_auid;	/* Audit user ID. */
+	au_mask_t	ap_mask;	/* Audit masks. */
+	au_tid_t	ap_termid;	/* Terminal ID. */
+	au_asid_t	ap_asid;	/* Audit session ID. */
+};
+typedef	struct auditpinfo	auditpinfo_t;
+
+struct auditpinfo_addr {
+	pid_t		ap_pid;		/* ID of target process. */
+	au_id_t		ap_auid;	/* Audit user ID. */
+	au_mask_t	ap_mask;	/* Audit masks. */
+	au_tid_addr_t	ap_termid;	/* Terminal ID. */
+	au_asid_t	ap_asid;	/* Audit session ID. */
+};
+typedef	struct auditpinfo_addr	auditpinfo_addr_t;
+
+/* Token and record structures. */
+
+struct au_token {
+	u_char			*t_data;
+	size_t			 len;
+	TAILQ_ENTRY(au_token)	 tokens;
+};
+typedef	struct au_token	token_t;
+
+struct au_record {
+	char			 used;		/* Record currently in use? */
+	int			 desc;		/* Descriptor for record. */
+	TAILQ_HEAD(, au_token)	 token_q;	/* Queue of BSM tokens. */
+	u_char			*data;
+	size_t			 len;
+	LIST_ENTRY(au_record)	 au_rec_q;
+};
+typedef	struct au_record	au_record_t;
+
+/*
+ * Kernel audit queue control parameters.
+ */
+struct au_qctrl {
+	size_t	aq_hiwater;
+	size_t	aq_lowater;
+	size_t	aq_bufsz;
+	clock_t	aq_delay;
+	int	aq_minfree;	/* Minimum filesystem percent free space. */
+};
+typedef	struct au_qctrl	au_qctrl_t;
+
+/*
+ * Structure for the audit statistics.
+ */
+struct audit_stat {
+	unsigned int	as_version;
+	unsigned int	as_numevent;
+	int		as_generated;
+	int		as_nonattring;
+	int		as_kernel;
+	int		as_audit;
+	int		as_auditctl;
+	int		as_enqueu;
+	int		as_written;
+	int		as_wblocked;
+	int		as_rblocked;
+	int		as_dropped;
+	int		as_totalsize;
+	unsigned int	as_memused;
+};
+typedef	struct audit_stat	au_stat_t;
+
+/*
+ * Structure for the audit file statistics.
+ */
+struct audit_fstat {
+	u_quad_t	af_filesz;
+	u_quad_t	af_currsz;
+};
+typedef	struct audit_fstat	au_fstat_t;
+
+/*
+ * Audit to event class mapping.
+ */
+struct au_evclass_map {
+	au_event_t	ec_number;
+	au_class_t	ec_class;
+};
+typedef	struct au_evclass_map	au_evclass_map_t;
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+int	audit(const void *, int);
+int	auditon(int, void *, int);
+int	auditctl(const char *);
+int	getauid(au_id_t *);
+int	setauid(const au_id_t *);
+int	getaudit(struct auditinfo *);
+int	setaudit(const struct auditinfo *);
+int	getaudit_addr(struct auditinfo_addr *, int);
+int	setaudit_addr(const struct auditinfo_addr *, int);
+#endif /* defined(_KERNEL) || defined(KERNEL) */
+
+__END_DECLS
+
+#endif /* !_BSM_AUDIT_H */
diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h
new file mode 100644
index 000000000000..2d98aae5c88f
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_internal.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $
+ */
+
+#ifndef _LIBBSM_INTERNAL_H
+#define	_LIBBSM_INTERNAL_H
+
+/*
+ * audit_internal.h contains private interfaces that are shared by user space
+ * and the kernel for the purposes of assembling audit records.  Applications
+ * should not include this file or use the APIs found within, or it may be
+ * broken with future releases of OpenBSM, which may delete, modify, or
+ * otherwise break these interfaces or the assumptions they rely on.
+ */
+
+/* We could determined the header and trailer sizes by
+ * defining appropriate structures. We hold off that approach
+ * till we have a consistant way of using structures for all tokens.
+ * This is not straightforward since these token structures may
+ * contain pointers of whose contents we dont know the size
+ * (e.g text tokens)
+ */
+#define	BSM_HEADER_SIZE		18
+#define	BSM_TRAILER_SIZE	7
+
+/*
+ * BSM token streams store fields in big endian byte order, so as to be
+ * portable; when encoding and decoding, we must convert byte orders for
+ * typed values.
+ */
+#define	ADD_U_CHAR(loc, val)						\
+	do {								\
+		*(loc) = (val);						\
+		(loc) += sizeof(u_char);				\
+	} while(0)
+
+
+#define	ADD_U_INT16(loc, val)						\
+	do {								\
+		be16enc((loc), (val));					\
+		(loc) += sizeof(u_int16_t);				\
+	} while(0)
+
+#define	ADD_U_INT32(loc, val)						\
+	do {								\
+		be32enc((loc), (val));					\
+		(loc) += sizeof(u_int32_t);				\
+	} while(0)
+
+#define	ADD_U_INT64(loc, val)						\
+	do {								\
+		be64enc((loc), (val));					\
+		(loc) += sizeof(u_int64_t); 				\
+	} while(0)
+
+#define	ADD_MEM(loc, data, size)					\
+	do {								\
+		memcpy((loc), (data), (size));				\
+		(loc) += size;						\
+	} while(0)
+
+#define	ADD_STRING(loc, data, size)	ADD_MEM(loc, data, size)
+
+#endif /* !_LIBBSM_INTERNAL_H_ */
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
new file mode 100644
index 000000000000..54cc308fc002
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -0,0 +1,494 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $
+ */
+
+#ifndef _BSM_AUDIT_KEVENTS_H_
+#define	_BSM_AUDIT_KEVENTS_H_
+
+/*
+ * Values marked as AUE_NULL are not required to be audited as per CAPP.
+ *
+ * Some conflicts exist in the assignment of name to event number mappings
+ * between BSM implementations.  In general, we prefer the OpenSolaris
+ * definition as we consider Solaris BSM to be authoritative.  _DARWIN_ has
+ * been inserted for the Darwin variants.  If necessary, other tags will be
+ * added in the future.
+ */
+
+#define	AUE_NULL		0
+#define	AUE_EXIT		1
+#define	AUE_FORK		2
+#define	AUE_OPEN		3
+#define	AUE_CREAT		4
+#define	AUE_LINK		5
+#define	AUE_UNLINK		6
+#define	AUE_DELETE		AUE_UNLINK
+#define	AUE_EXEC		7
+#define	AUE_CHDIR		8
+#define	AUE_MKNOD		9
+#define	AUE_CHMOD		10
+#define	AUE_CHOWN		11
+#define	AUE_UMOUNT		12
+#define	AUE_JUNK		13	/* Solaris-specific. */
+#define	AUE_ACCESS		14
+#define	AUE_CHECKUSERACCESS	AUE_ACCESS
+#define	AUE_KILL		15
+#define	AUE_STAT		16
+#define	AUE_LSTAT		17
+#define	AUE_ACCT		18
+#define	AUE_MCTL		19	/* Solaris-specific. */
+#define	AUE_REBOOT		20	/* XXX: Darwin conflict. */
+#define	AUE_SYMLINK		21
+#define	AUE_READLINK		22
+#define	AUE_EXECVE		23
+#define	AUE_CHROOT		24
+#define	AUE_VFORK		25
+#define	AUE_SETGROUPS		26
+#define	AUE_SETPGRP		27
+#define	AUE_SWAPON		28
+#define	AUE_SETHOSTNAME		29	/* XXX: Darwin conflict. */
+#define	AUE_FCNTL		30
+#define	AUE_SETPRIORITY		31	/* XXX: Darwin conflict. */
+#define	AUE_CONNECT		32
+#define	AUE_ACCEPT		33
+#define	AUE_BIND		34
+#define	AUE_SETSOCKOPT		35
+#define	AUE_VTRACE		36	/* Solaris-specific. */
+#define	AUE_SETTIMEOFDAY	37	/* XXX: Darwin conflict. */
+#define	AUE_FCHOWN		38
+#define	AUE_FCHMOD		39
+#define	AUE_SETREUID		40
+#define	AUE_SETREGID		41
+#define	AUE_RENAME		42
+#define	AUE_TRUNCATE		43	/* XXX: Darwin conflict. */
+#define	AUE_FTRUNCATE		44	/* XXX: Darwin conflict. */
+#define	AUE_FLOCK		45	/* XXX: Darwin conflict. */
+#define	AUE_SHUTDOWN		46
+#define	AUE_MKDIR		47
+#define	AUE_RMDIR		48
+#define	AUE_UTIMES		49
+#define	AUE_ADJTIME		50
+#define	AUE_SETRLIMIT		51
+#define	AUE_KILLPG		52
+#define	AUE_NFS_SVC		53	/* XXX: Darwin conflict. */
+#define	AUE_STATFS		54
+#define	AUE_FSTATFS		55
+#define	AUE_UNMOUNT		56	/* XXX: Darwin conflict. */
+#define	AUE_ASYNC_DAEMON	57
+#define	AUE_NFS_GETFH		58	/* XXX: Darwin conflict. */
+#define	AUE_SETDOMAINNAME	59
+#define	AUE_QUOTACTL		60	/* XXX: Darwin conflict. */
+#define	AUE_EXPORTFS		61
+#define	AUE_MOUNT		62
+#define	AUE_SEMSYS		63
+#define	AUE_MSGSYS		64
+#define	AUE_SHMSYS		65
+#define	AUE_BSMSYS		66	/* Solaris-specific. */
+#define	AUE_RFSSYS		67	/* Solaris-specific. */
+#define	AUE_FCHDIR		68
+#define	AUE_FCHROOT		69
+#define	AUE_VPIXSYS		70	/* Solaris-specific. */
+#define	AUE_PATHCONF		71
+#define	AUE_OPEN_R		72
+#define	AUE_OPEN_RC		73
+#define	AUE_OPEN_RT		74
+#define	AUE_OPEN_RTC		75
+#define	AUE_OPEN_W		76
+#define	AUE_OPEN_WC		77
+#define	AUE_OPEN_WT		78
+#define	AUE_OPEN_WTC		79
+#define	AUE_OPEN_RW		80
+#define	AUE_OPEN_RWC		81
+#define	AUE_OPEN_RWT		82
+#define	AUE_OPEN_RWTC		83
+#define	AUE_MSGCTL		84
+#define	AUE_MSGCTL_RMID		85
+#define	AUE_MSGCTL_SET		86
+#define	AUE_MSGCTL_STAT		87
+#define	AUE_MSGGET		88
+#define	AUE_MSGRCV		89
+#define	AUE_MSGSND		90
+#define	AUE_SHMCTL		91
+#define	AUE_SHMCTL_RMID		92
+#define	AUE_SHMCTL_SET		93
+#define	AUE_SHMCTL_STAT		94
+#define	AUE_SHMGET		95
+#define	AUE_SHMAT		96
+#define	AUE_SHMDT		97
+#define	AUE_SEMCTL		98
+#define	AUE_SEMCTL_RMID		99
+#define	AUE_SEMCTL_SET		100
+#define	AUE_SEMCTL_STAT		101
+#define	AUE_SEMCTL_GETNCNT	102
+#define	AUE_SEMCTL_GETPID	103
+#define	AUE_SEMCTL_GETVAL	104
+#define	AUE_SEMCTL_GETALL	105
+#define	AUE_SEMCTL_GETZCNT	106
+#define	AUE_SEMCTL_SETVAL	107
+#define	AUE_SEMCTL_SETALL	108
+#define	AUE_SEMGET		109
+#define	AUE_SEMOP		110
+#define	AUE_CORE		111	/* Solaris-specific, currently. */
+#define	AUE_CLOSE		112
+#define	AUE_SYSTEMBOOT		113
+#define	AUE_ASYNC_DAEMON_EXIT	114	/* Solaris-specific. */
+#define	AUE_NFSSVC_EXIT		115	/* Solaris-specific. */
+#define	AUE_WRITEL		128	/* Solaris-specific. */
+#define	AUE_WRITEVL		129	/* Solaris-specific. */
+#define	AUE_GETAUID		130
+#define	AUE_SETAUID		131
+#define	AUE_GETAUDIT		132
+#define	AUE_SETAUDIT		133
+#define	AUE_GETUSERAUDIT	134	/* Solaris-specific. */
+#define	AUE_SETUSERAUDIT	135	/* Solaris-specific. */
+#define	AUE_AUDITSVC		136	/* Solaris-specific. */
+#define	AUE_AUDITUSER		137	/* Solaris-specific. */
+#define	AUE_AUDITON		138
+#define	AUE_AUDITON_GTERMID	139	/* Solaris-specific. */
+#define	AUE_AUDITON_STERMID	140	/* Solaris-specific. */
+#define	AUE_AUDITON_GPOLICY	141
+#define	AUE_AUDITON_SPOLICY	142
+#define	AUE_AUDITON_GQCTRL	145
+#define	AUE_AUDITON_SQCTRL	146
+#define	AUE_GETKERNSTATE	147	/* Solaris-specific. */
+#define	AUE_SETKERNSTATE	148	/* Solaris-specific. */
+#define	AUE_GETPORTAUDIT	149	/* Solaris-specific. */
+#define	AUE_AUDISTAT		150	/* Solaris-specific. */
+#define	AUE_ENTERPROM		153	/* Solaris-specific. */
+#define	AUE_EXITPROM		154	/* Solaris-specific. */
+#define	AUE_IOCTL		158
+#define	AUE_SOCKET		183
+#define	AUE_SENDTO		184
+#define	AUE_PIPE		185
+#define	AUE_SOCKETPAIR		186	/* XXX: Darwin conflict. */
+#define	AUE_SEND		187
+#define	AUE_SENDMSG		188
+#define	AUE_RECV		189
+#define	AUE_RECVMSG		190
+#define	AUE_RECVFROM		191
+#define	AUE_READ		192
+#define	AUE_LSEEK		194
+#define	AUE_WRITE		195
+#define	AUE_WRITEV		196
+#define	AUE_NFS			197	/* Solaris-specific. */
+#define	AUE_READV		198
+					/* XXXRW: XXX Solaris old stat()? */
+#define	AUE_SETUID		200	/* XXXRW: Solaris old setuid? */
+#define	AUE_STIME		201	/* XXXRW: Solaris old stime? */
+#define	AUE_UTIME		202	/* XXXRW: Solaris old utime? */
+#define	AUE_NICE		203	/* XXXRW: Solaris old nice? */
+					/* XXXRW: Solaris old setpgrp? */
+#define	AUE_SETGID		205	/* XXXRW: Solaris old setgid? */
+					/* XXXRW: Solaris readl? */
+					/* XXXRW: Solaris readvl()? */
+#define	AUE_DUP2		209
+#define	AUE_MMAP		210
+#define	AUE_AUDIT		211
+#define	AUE_PRIOCNTLSYS		212
+#define	AUE_MUNMAP		213
+#define	AUE_SETEGID		214
+#define	AUE_SETEUID		215
+#define	AUE_PUTMSG		216
+#define	AUE_GETMSG		217	/* Solaris-specific. */
+#define	AUE_PUTPMSG		218	/* Solaris-specific. */
+#define	AUE_GETPMSG		219	/* Solaris-specific. */
+#define	AUE_AUDITSYS		220	/* Solaris-specific. */
+#define	AUE_AUDITON_GETKMASK	221
+#define	AUE_AUDITON_SETKMASK	222
+#define	AUE_AUDITON_GETCWD	223
+#define	AUE_AUDITON_GETCAR	224
+#define	AUE_AUDITON_GETSTAT	225
+#define	AUE_AUDITON_SETSTAT	226
+#define	AUE_AUDITON_SETUMASK	227
+#define	AUE_AUDITON_SETSMASK	228
+#define	AUE_AUDITON_GETCOND	229
+#define	AUE_AUDITON_SETCOND	230
+#define	AUE_AUDITON_GETCLASS	231
+#define	AUE_AUDITON_SETCLASS	232
+#define	AUE_UTSSYS		233	/* Solaris-specific. */
+#define	AUE_STATVFS		234
+#define	AUE_XSTAT		235
+#define	AUE_LXSTAT		236
+#define	AUE_LCHOWN		237
+#define	AUE_MEMCNTL		238	/* Solaris-specific. */
+#define	AUE_SYSINFO		239	/* Solaris-specific. */
+#define	AUE_XMKNOD		240	/* Solaris-specific. */
+#define	AUE_FORK1		241
+					/* XXXRW: Solaris modctl()? */
+#define	AUE_MODLOAD		243
+#define	AUE_MODUNLOAD		244
+#define	AUE_MODCONFIG		245	/* Solaris-specific. */
+#define	AUE_MODADDMAJ		246	/* Solaris-specific. */
+#define	AUE_SOCKACCEPT		247
+#define	AUE_SOCKCONNECT		248
+#define	AUE_SOCKSEND		249
+#define	AUE_SOCKRECEIVE		250
+#define	AUE_ACLSET		251
+#define	AUE_FACLSET		252
+#define	AUE_DOORFS_DOOR_CALL	254	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_RETURN	255	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_CREATE	256	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_REVOKE	257	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_INFO	258	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_CRED	259	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_BIND	260	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_UNBIND	261	/* Solaris-specific. */
+#define	AUE_P_ONLINE		262	/* Solaris-specific. */
+#define	AUE_PROCESSOR_BIND	263	/* Solaris-specific. */
+#define	AUE_INST_SYNC		264	/* Solaris-specific. */
+#define	AUE_SOCK_CONFIG		265	/* Solaris-specific. */
+#define	AUE_SETAUDIT_ADDR	266
+#define	AUE_GETAUDIT_ADDR	267
+#define	AUE_CLOCK_SETTIME	287
+#define	AUE_NTP_ADJTIME		288
+
+/*
+ * Events not present in OpenSolaris BSM, generally derived from Apple Darwin
+ * BSM or added in OpenBSM.  This start a little too close to the top end of
+ * the OpenSolaris event list for my comfort.
+ */
+#define	AUE_GETFSSTAT		301
+#define	AUE_PTRACE		302
+#define	AUE_CHFLAGS		303
+#define	AUE_FCHFLAGS		304
+#define	AUE_PROFILE		305
+#define	AUE_KTRACE		306
+#define	AUE_SETLOGIN		307
+#define	AUE_DARWIN_REBOOT	308	/* XXX: See AUE_REBOOT. */
+#define	AUE_REVOKE		309
+#define	AUE_UMASK		310
+#define	AUE_MPROTECT		311
+#define	AUE_DARWIN_SETPRIORITY	312	/* XXX: See AUE_SETPRIORITY. */
+#define	AUE_DARWIN_SETTIMEOFDAY	313	/* XXX: See AUE_SETTIMEOFDAY. */
+#define	AUE_DARWIN_FLOCK	314	/* XXX: See AUE_FLOCK. */
+#define	AUE_MKFIFO		315
+#define	AUE_POLL		316
+#define	AUE_DARWIN_SOCKETPAIR	317	/* XXXRW: See AUE_SOCKETPAIR. */
+#define	AUE_FUTIMES		318
+#define	AUE_SETSID		319
+#define	AUE_SETPRIVEXEC		320	/* Darwin-specific. */
+#define	AUE_DARWIN_NFSSVC	321	/* XXX: See AUE_NFS_SVC. */
+#define	AUE_DARWIN_GETFH	322	/* XXX: See AUE_NFS_GETFH. */
+#define	AUE_DARWIN_QUOTACTL	323	/* XXX: See AUE_QUOTACTL. */
+#define	AUE_ADDPROFILE		324	/* Darwin-specific. */
+#define	AUE_KDEBUGTRACE		325	/* Darwin-specific. */
+#define	AUE_KDBUGTRACE		AUE_KDEBUGTRACE
+#define	AUE_FSTAT		326
+#define	AUE_FPATHCONF		327
+#define	AUE_GETDIRENTRIES	328
+#define	AUE_DARWIN_TRUNCATE	329	/* XXX: See AUE_TRUNCATE. */
+#define	AUE_DARWIN_FTRUNCATE	330	/* XXX: See AUE_FTRUNCATE. */
+#define	AUE_SYSCTL		331
+#define	AUE_MLOCK		332
+#define	AUE_MUNLOCK		333
+#define	AUE_UNDELETE		334
+#define	AUE_GETATTRLIST		335	/* Darwin-specific. */
+#define	AUE_SETATTRLIST		336	/* Darwin-specific. */
+#define	AUE_GETDIRENTRIESATTR	337	/* Darwin-specific. */
+#define	AUE_EXCHANGEDATA	338	/* Darwin-specific. */
+#define	AUE_SEARCHFS		339	/* Darwin-specific. */
+#define	AUE_MINHERIT		340
+#define	AUE_SEMCONFIG		341
+#define	AUE_SEMOPEN		342
+#define	AUE_SEMCLOSE		343
+#define	AUE_SEMUNLINK		344
+#define	AUE_SHMOPEN		345
+#define	AUE_SHMUNLINK		346
+#define	AUE_LOADSHFILE		347	/* Darwin-specific. */
+#define	AUE_RESETSHFILE		348	/* Darwin-specific. */
+#define	AUE_NEWSYSTEMSHREG	349	/* Darwin-specific. */
+#define	AUE_PTHREADKILL		350	/* Darwin-specific. */
+#define	AUE_PTHREADSIGMASK	351	/* Darwin-specific. */
+#define	AUE_AUDITCTL		352
+#define	AUE_RFORK		353
+#define	AUE_LCHMOD		354
+#define	AUE_SWAPOFF		355
+#define	AUE_INITPROCESS		356	/* Darwin-specific. */
+#define	AUE_MAPFD		357	/* Darwin-specific. */
+#define	AUE_TASKFORPID		358	/* Darwin-specific. */
+#define	AUE_PIDFORTASK		359	/* Darwin-specific. */
+#define	AUE_SYSCTL_NONADMIN	360
+#define	AUE_COPYFILE		361	/* Darwin-specific. */
+#define	AUE_LUTIMES		362
+#define	AUE_LCHFLAGS		363	/* FreeBSD-specific. */
+#define	AUE_SENDFILE		364	/* BSD/Linux-specific. */
+#define	AUE_USELIB		365	/* Linux-specific. */
+#define	AUE_GETRESUID		366
+#define	AUE_SETRESUID		367
+#define	AUE_GETRESGID		368
+#define	AUE_SETRESGID		369
+#define	AUE_WAIT4		370	/* FreeBSD-specific. */
+#define	AUE_LGETFH		371	/* FreeBSD-specific. */
+#define	AUE_FHSTATFS		372	/* FreeBSD-specific. */
+#define	AUE_FHOPEN		373	/* FreeBSD-specific. */
+#define	AUE_FHSTAT		374	/* FreeBSD-specific. */
+#define	AUE_JAIL		375	/* FreeBSD-specific. */
+#define	AUE_EACCESS		376	/* FreeBSD-specific. */
+#define	AUE_KQUEUE		377	/* FreeBSD-specific. */
+#define	AUE_KEVENT		378	/* FreeBSD-specific. */
+#define	AUE_FSYNC		379
+#define AUE_NMOUNT		380	/* FreeBSD-specific. */
+
+/*
+ * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
+ * normal Solaris BSM identifiers.  _O_ refers to it being an old, or compat
+ * interface.  In most cases, Darwin has never implemented these system calls
+ * but picked up the fields in their system call table from their FreeBSD
+ * import.  Happily, these have different names than the AUE_O* definitions
+ * in Solaris BSM.
+ */
+#define	AUE_O_CREAT		AUE_OPEN_RWTC	/* Darwin */
+#define	AUE_O_EXECVE		AUE_NULL	/* Darwin */
+#define	AUE_O_SBREAK		AUE_NULL	/* Darwin */
+#define	AUE_O_LSEEK		AUE_NULL	/* Darwin */
+#define	AUE_O_MOUNT		AUE_NULL	/* Darwin */
+#define	AUE_O_UMOUNT		AUE_NULL	/* Darwin */
+#define	AUE_O_STAT		AUE_STAT	/* Darwin */
+#define	AUE_O_LSTAT		AUE_LSTAT	/* Darwin */
+#define	AUE_O_FSTAT		AUE_FSTAT	/* Darwin */
+#define	AUE_O_GETPAGESIZE	AUE_NULL	/* Darwin */
+#define	AUE_O_VREAD		AUE_NULL	/* Darwin */
+#define	AUE_O_VWRITE		AUE_NULL	/* Darwin */
+#define	AUE_O_MMAP		AUE_MMAP	/* Darwin */
+#define	AUE_O_VADVISE		AUE_NULL	/* Darwin */
+#define	AUE_O_VHANGUP		AUE_NULL	/* Darwin */
+#define	AUE_O_VLIMIT		AUE_NULL	/* Darwin */
+#define	AUE_O_WAIT		AUE_NULL	/* Darwin */
+#define	AUE_O_GETHOSTNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_SETHOSTNAME	AUE_SYSCTL	/* Darwin */
+#define	AUE_O_GETDOPT		AUE_NULL	/* Darwin */
+#define	AUE_O_SETDOPT		AUE_NULL	/* Darwin */
+#define	AUE_O_ACCEPT		AUE_NULL	/* Darwin */
+#define	AUE_O_SEND		AUE_SENDMSG	/* Darwin */
+#define	AUE_O_RECV		AUE_RECVMSG	/* Darwin */
+#define	AUE_O_VTIMES		AUE_NULL	/* Darwin */
+#define	AUE_O_SIGVEC		AUE_NULL	/* Darwin */
+#define	AUE_O_SIGBLOCK		AUE_NULL	/* Darwin */
+#define	AUE_O_SIGSETMASK	AUE_NULL	/* Darwin */
+#define	AUE_O_SIGSTACK		AUE_NULL	/* Darwin */
+#define	AUE_O_RECVMSG		AUE_RECVMSG	/* Darwin */
+#define	AUE_O_SENDMSG		AUE_SENDMSG	/* Darwin */
+#define	AUE_O_VTRACE		AUE_NULL	/* Darwin */
+#define	AUE_O_RESUBA		AUE_NULL	/* Darwin */
+#define	AUE_O_RECVFROM		AUE_RECVFROM	/* Darwin */
+#define	AUE_O_SETREUID		AUE_SETREUID	/* Darwin */
+#define	AUE_O_SETREGID		AUE_SETREGID	/* Darwin */
+#define	AUE_O_TRUNCATE		AUE_TRUNCATE	/* Darwin */
+#define	AUE_O_FTRUNCATE		AUE_FTRUNCATE	/* Darwin */
+#define	AUE_O_GETPEERNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_GETHOSTID		AUE_NULL	/* Darwin */
+#define	AUE_O_SETHOSTID		AUE_NULL	/* Darwin */
+#define	AUE_O_GETRLIMIT		AUE_NULL	/* Darwin */
+#define	AUE_O_SETRLIMIT		AUE_SETRLIMIT	/* Darwin */
+#define	AUE_O_KILLPG		AUE_KILL	/* Darwin */
+#define	AUE_O_SETQUOTA		AUE_NULL	/* Darwin */
+#define	AUE_O_QUOTA		AUE_NULL	/* Darwin */
+#define	AUE_O_GETSOCKNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_GETDIREENTRIES	AUE_GETDIREENTRIES	/* Darwin */
+#define	AUE_O_ASYNCDAEMON	AUE_NULL	/* Darwin */
+#define	AUE_O_GETDOMAINNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_SETDOMAINNAME	AUE_SYSCTL	/* Darwin */
+#define	AUE_O_PCFS_MOUNT	AUE_NULL	/* Darwin */
+#define	AUE_O_EXPORTFS		AUE_NULL	/* Darwin */
+#define	AUE_O_USTATE		AUE_NULL	/* Darwin */
+#define	AUE_O_WAIT3		AUE_NULL	/* Darwin */
+#define	AUE_O_RPAUSE		AUE_NULL	/* Darwin */
+#define	AUE_O_GETDENTS		AUE_NULL	/* Darwin */
+
+/*
+ * Possible desired future values based on review of BSD/Darwin system calls.
+ */
+#define	AUE_DUP			AUE_NULL
+#define	AUE_FSCTL		AUE_NULL
+#define	AUE_FSTATV		AUE_NULL
+#define	AUE_GCCONTROL		AUE_NULL
+#define	AUE_GETDTABLESIZE	AUE_NULL
+#define	AUE_GETEGID		AUE_NULL
+#define	AUE_GETEUID		AUE_NULL
+#define	AUE_GETGID		AUE_NULL
+#define	AUE_GETGROUPS		AUE_NULL
+#define	AUE_GETITIMER		AUE_NULL
+#define	AUE_GETLOGIN		AUE_NULL
+#define	AUE_GETPEERNAME		AUE_NULL
+#define	AUE_GETPGID		AUE_NULL
+#define	AUE_GETPGRP		AUE_NULL
+#define	AUE_GETPID		AUE_NULL
+#define	AUE_GETPPID		AUE_NULL
+#define	AUE_GETPRIORITY		AUE_NULL
+#define	AUE_GETRLIMIT		AUE_NULL
+#define	AUE_GETRUSAGE		AUE_NULL
+#define	AUE_GETSID		AUE_NULL
+#define	AUE_GETSOCKNAME		AUE_NULL
+#define	AUE_GETTIMEOFDAY	AUE_NULL
+#define	AUE_GETUID		AUE_NULL
+#define	AUE_GETSOCKOPT		AUE_NULL
+#define	AUE_GTSOCKOPT		AUE_GETSOCKOPT	/* XXX: Typo in Darwin. */
+#define	AUE_ISSETUGID		AUE_NULL
+#define	AUE_LISTEN		AUE_NULL
+#define	AUE_LSTATV		AUE_NULL
+#define	AUE_MADVISE		AUE_NULL
+#define	AUE_MINCORE		AUE_NULL
+#define	AUE_MKCOMPLEX		AUE_NULL
+#define	AUE_MLOCKALL		AUE_NULL
+#define	AUE_MODWATCH		AUE_NULL
+#define	AUE_MSGCL		AUE_NULL
+#define	AUE_MSYNC		AUE_NULL
+#define	AUE_MUNLOCKALL		AUE_NULL
+#define	AUE_PREAD		AUE_NULL
+#define	AUE_PWRITE		AUE_NULL
+#define	AUE_SBRK		AUE_NULL
+#define	AUE_SELECT		AUE_NULL
+#define	AUE_SEMDESTROY		AUE_NULL
+#define	AUE_SEMGETVALUE		AUE_NULL
+#define	AUE_SEMINIT		AUE_NULL
+#define	AUE_SEMPOST		AUE_NULL
+#define	AUE_SEMTRYWAIT		AUE_NULL
+#define	AUE_SEMWAIT		AUE_NULL
+#define	AUE_SETITIMER		AUE_NULL
+#define	AUE_SIGACTION		AUE_NULL
+#define	AUE_SIGALTSTACK		AUE_NULL
+#define	AUE_SIGPENDING		AUE_NULL
+#define	AUE_SIGPROCMASK		AUE_NULL
+#define	AUE_SIGRETURN		AUE_NULL
+#define	AUE_SIGSUSPEND		AUE_NULL
+#define	AUE_SIGWAIT		AUE_NULL
+#define	AUE_SSTK		AUE_NULL
+#define	AUE_STATV		AUE_NULL
+#define	AUE_SYNC		AUE_NULL
+#define	AUE_SYSCALL		AUE_NULL
+#define	AUE_TABLE		AUE_NULL
+#define	AUE_WAITEVENT		AUE_NULL
+#define	AUE_WATCHEVENT		AUE_NULL
+
+#endif /* !_BSM_AUDIT_KEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h
new file mode 100644
index 000000000000..af9ba4d4e76c
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_record.h
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_RECORD_H_
+#define _BSM_AUDIT_RECORD_H_
+
+/* Various token id types */
+
+/*
+ * Values inside the comments are not documented in the BSM pages and
+ * have been picked up from the header files
+ */
+
+/*
+ * Values marked as XXX do not have a value defined in the BSM header files
+ */
+
+#define	AUT_INVALID		0x00
+#define	AUT_OTHER_FILE32	0x11
+#define	AUT_OHEADER		0x12
+#define	AUT_TRAILER		0x13
+#define	AUT_HEADER32		0x14
+#define	AUT_HEADER32_EX		0x15
+#define	AUT_DATA		0x21
+#define	AUT_IPC			0x22
+#define	AUT_PATH		0x23
+#define	AUT_SUBJECT32		0x24
+#define	AUT_SERVER32		0x25
+#define	AUT_PROCESS32		0x26
+#define	AUT_RETURN32		0x27
+#define	AUT_TEXT		0x28
+#define	AUT_OPAQUE		0x29
+#define	AUT_IN_ADDR		0x2a
+#define	AUT_IP			0x2b
+#define	AUT_IPORT		0x2c
+#define	AUT_ARG32		0x2d
+#define	AUT_SOCKET		0x2e
+#define	AUT_SEQ			0x2f
+#define	AUT_ACL			0x30
+#define	AUT_ATTR		0x31
+#define	AUT_IPC_PERM		0x32
+#define	AUT_LABEL		0x33
+#define	AUT_GROUPS		0x34
+#define	AUT_ILABEL		0x35
+#define	AUT_SLABEL		0x36
+#define	AUT_CLEAR		0x37
+#define	AUT_PRIV		0x38
+#define	AUT_UPRIV		0x39
+#define	AUT_LIAISON		0x3a
+#define	AUT_NEWGROUPS		0x3b
+#define	AUT_EXEC_ARGS		0x3c
+#define	AUT_EXEC_ENV		0x3d
+#define	AUT_ATTR32		0x3e
+/* #define	AUT_????	0x3f */
+#define	AUT_XATOM		0x40
+#define	AUT_XOBJ		0x41
+#define	AUT_XPROTO		0x42
+#define	AUT_XSELECT		0x43
+/* XXXRW: Additional X11 tokens not defined? */
+#define	AUT_CMD			0x51
+#define	AUT_EXIT		0x52
+/* XXXRW: OpenBSM AUT_HOST 0x70? */
+#define	AUT_ARG64		0x71
+#define	AUT_RETURN64		0x72
+#define	AUT_ATTR64		0x73
+#define	AUT_HEADER64		0x74
+#define	AUT_SUBJECT64		0x75
+#define	AUT_SERVER64		0x76
+#define	AUT_PROCESS64		0x77
+#define	AUT_OTHER_FILE64	0x78
+#define	AUT_HEADER64_EX		0x79
+#define	AUT_SUBJECT32_EX	0x7a
+#define	AUT_PROCESS32_EX	0x7b
+#define	AUT_SUBJECT64_EX	0x7c
+#define	AUT_PROCESS64_EX	0x7d
+#define	AUT_IN_ADDR_EX		0x7e
+#define	AUT_SOCKET_EX		0x7f
+
+/*
+ * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'.  We have
+ * compatibility defines.
+ */
+#define	AUT_HEADER		AUT_HEADER32
+#define	AUT_ARG			AUT_ARG32
+#define	AUT_RETURN		AUT_RETURN32
+#define	AUT_SUBJECT		AUT_SUBJECT32
+#define	AUT_SERVER		AUT_SERVER32
+#define	AUT_PROCESS		AUT_PROCESS32
+#define	AUT_OTHER_FILE		AUT_OTHER_FILE32
+
+/*
+ * Darwin's bsm distribution uses the following non-BSM token name defines.
+ * We provide them for a single OpenBSM release for compatibility reasons.
+ */
+#define	AU_FILE_TOKEN		AUT_OTHER_FILE32
+#define	AU_TRAILER_TOKEN	AUT_TRAILER
+#define	AU_HEADER_32_TOKEN	AUT_HEADER32
+#define	AU_DATA_TOKEN		AUT_DATA
+#define	AU_ARB_TOKEN		AUT_DATA
+#define	AU_IPC_TOKEN		AUT_IPC
+#define	AU_PATH_TOKEN		AUT_PATH
+#define	AU_SUBJECT_32_TOKEN	AUT_SUBJECT32
+#define	AU_PROCESS_32_TOKEN	AUT_PROCESS32
+#define	AU_RETURN_32_TOKEN	AUT_RETURN32
+#define	AU_TEXT_TOKEN		AUT_TEXT
+#define	AU_OPAQUE_TOKEN		AUT_OPAQUE
+#define	AU_IN_ADDR_TOKEN	AUT_IN_ADDR
+#define	AU_IP_TOKEN		AUT_IP
+#define	AU_IPORT_TOKEN		AUT_IPORT
+#define	AU_ARG32_TOKEN		AUT_ARG32
+#define	AU_SOCK_TOKEN		AUT_SOCKET
+#define	AU_SEQ_TOKEN		AUT_SEQ
+#define	AU_ATTR_TOKEN		AUT_ATTR
+#define	AU_IPCPERM_TOKEN	AUT_IPC_PERM
+#define	AU_NEWGROUPS_TOKEN	AUT_NEWGROUPS
+#define	AU_EXEC_ARG_TOKEN	AUT_EXEC_ARGS
+#define	AU_EXEC_ENV_TOKEN	AUT_EXEC_ENV
+#define	AU_ATTR32_TOKEN		AUT_ATTR32
+#define	AU_CMD_TOKEN		AUT_CMD
+#define	AU_EXIT_TOKEN		AUT_EXIT
+#define	AU_ARG64_TOKEN		AUT_ARG64
+#define	AU_RETURN_64_TOKEN	AUT_RETURN64
+#define	AU_ATTR64_TOKEN		AUT_ATTR64
+#define	AU_HEADER_64_TOKEN	AUT_HEADER64
+#define	AU_SUBJECT_64_TOKEN	AUT_SUBJECT64
+#define	AU_PROCESS_64_TOKEN	AUT_PROCESS64
+#define	AU_HEADER_64_EX_TOKEN	AUT_HEADER64_EX
+#define	AU_SUBJECT_32_EX_TOKEN	AUT_SUBJECT32_EX
+#define	AU_PROCESS_32_EX_TOKEN	AUT_PROCESS32_EX
+#define	AU_SUBJECT_64_EX_TOKEN	AUT_SUBJECT64_EX
+#define	AU_PROCESS_64_EX_TOKEN	AUT_PROCESS64_EX
+#define	AU_IN_ADDR_EX_TOKEN	AUT_IN_ADDR_EX
+#define	AU_SOCK_32_EX_TOKEN	AUT_SOCKET_EX
+
+/*
+ * The values for the following token ids are not defined by BSM.
+ *
+ * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
+ * names more consistent with Sun's BSM.  These originally came from Apple's
+ * BSM.
+ */
+#define	AUT_SOCKINET32		0x80		/* XXX */
+#define	AUT_SOCKINET128		0x81		/* XXX */
+#define	AUT_SOCKUNIX		0x82		/* XXX */
+#define	AU_SOCK_INET_32_TOKEN	AUT_SOCKINET32
+#define	AU_SOCK_INET_128_TOKEN	AUT_SOCKINET128
+#define	AU_SOCK_UNIX_TOKEN	AUT_SOCKUNIX
+
+/* print values for the arbitrary token */
+#define AUP_BINARY      0
+#define AUP_OCTAL       1
+#define AUP_DECIMAL     2
+#define AUP_HEX         3
+#define AUP_STRING      4
+
+/* data-types for the arbitrary token */
+#define AUR_BYTE        0
+#define AUR_SHORT       1
+#define AUR_LONG        2
+
+/* ... and their sizes */
+#define AUR_BYTE_SIZE       sizeof(u_char)
+#define AUR_SHORT_SIZE      sizeof(uint16_t)
+#define AUR_LONG_SIZE       sizeof(uint32_t)
+
+/* Modifiers for the header token */
+#define PAD_NOTATTR  0x4000   /* nonattributable event */
+#define PAD_FAILURE  0x8000   /* fail audit event */
+
+
+#define BSM_MAX_GROUPS      16
+#define HEADER_VERSION      1
+
+/*
+ * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
+ * split the difference, will remove the Apple define for the next release.
+ */
+#define	AUT_TRAILER_MAGIC	0xb105
+#define	TRAILER_PAD_MAGIC	AUT_TRAILER_MAGIC
+
+/* BSM library calls */
+
+__BEGIN_DECLS
+
+struct in_addr;
+struct in6_addr;
+struct ip;
+struct ipc_perm;
+struct kevent;
+struct sockaddr_in;
+struct sockaddr_in6;
+struct sockaddr_un;
+#if defined(_KERNEL) || defined(KERNEL)
+struct vnode_au_info;
+#endif
+
+int	 au_open(void);
+int	 au_write(int d, token_t *m);
+int	 au_close(int d, int keep, short event);
+int	 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t	*au_to_file(char *file, struct timeval tm);
+#else
+token_t	*au_to_file(char *file);
+#endif
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
+token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
+#else
+token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+#endif
+
+token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_me(void);
+token_t	*au_to_arg(char n, char *text, uint32_t v);
+token_t	*au_to_arg32(char n, char *text, uint32_t v);
+token_t	*au_to_arg64(char n, char *text, uint64_t v);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_attr(struct vnode_au_info *vni);
+token_t	*au_to_attr32(struct vnode_au_info *vni);
+token_t	*au_to_attr64(struct vnode_au_info *vni);
+#endif
+
+token_t	*au_to_data(char unit_print, char unit_type, char unit_count,
+	    char *p);
+token_t	*au_to_exit(int retval, int err);
+token_t	*au_to_groups(int *groups);
+token_t	*au_to_newgroups(uint16_t n, gid_t *groups);
+token_t	*au_to_in_addr(struct in_addr *internet_addr);
+token_t	*au_to_in_addr_ex(struct in6_addr *internet_addr);
+token_t	*au_to_ip(struct ip *ip);
+token_t	*au_to_ipc(char type, int id);
+token_t	*au_to_ipc_perm(struct ipc_perm *perm);
+token_t	*au_to_iport(uint16_t iport);
+token_t	*au_to_opaque(char *data, uint16_t bytes);
+token_t	*au_to_path(char *path);
+token_t	*au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
+	    uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+	    au_tid_addr_t *tid);
+token_t	*au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_return(char status, uint32_t ret);
+token_t	*au_to_return32(char status, uint32_t ret);
+token_t	*au_to_return64(char status, uint64_t ret);
+token_t	*au_to_seq(long audit_count);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_socket(struct socket *so);
+token_t	*au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
+	    struct sockaddr *ta);
+token_t	*au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
+	    struct sockaddr *ta);
+#endif
+
+token_t	*au_to_sock_inet(struct sockaddr_in *so);
+token_t	*au_to_sock_inet32(struct sockaddr_in *so);
+token_t	*au_to_sock_inet128(struct sockaddr_in6 *so);
+token_t	*au_to_sock_unix(struct sockaddr_un *so);
+token_t	*au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_exec_args(const char **);
+token_t	*au_to_exec_env(const char **);
+token_t	*au_to_text(char *text);
+token_t	*au_to_kevent(struct kevent *kev);
+token_t	*au_to_trailer(int rec_size);
+
+__END_DECLS
+
+#endif /* ! _BSM_AUDIT_RECORD_H_ */
diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h
new file mode 100644
index 000000000000..0493e31272b2
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_uevents.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $
+ */
+
+#ifndef _BSM_AUDIT_UEVENTS_H_
+#define	_BSM_AUDIT_UEVENTS_H_
+
+/*-
+ * User level audit event numbers
+ *
+ * Range of audit event numbers:
+ * 0			Reserved, invalid
+ * 1     - 2047		Reserved for kernel events
+ * 2048  - 32767	Defined by BSM for user events
+ * 32768 - 36864	Reserved for Mac OS-X applications
+ * 36865 - 65535	Reserved for applications
+ *
+ */
+#define	AUE_at_create		6144
+#define	AUE_at_delete		6145
+#define	AUE_at_perm		6146
+#define	AUE_cron_invoke		6147
+#define	AUE_crontab_create	6148
+#define	AUE_crontab_delete	6149
+#define	AUE_crontab_perm	6150
+#define	AUE_inetd_connect	6151
+#define	AUE_login		6152
+#define	AUE_logout		6153
+#define	AUE_telnet		6154
+#define	AUE_rlogin		6155
+#define	AUE_mountd_mount	6156
+#define	AUE_mountd_umount	6157
+#define	AUE_rshd		6158
+#define	AUE_su			6159
+#define	AUE_halt		6160
+#define	AUE_reboot		6161
+#define	AUE_rexecd		6162
+#define	AUE_passwd		6163
+#define	AUE_rexd		6164
+#define	AUE_ftpd		6165
+#define	AUE_init		6166
+#define	AUE_uadmin		6167
+#define	AUE_shutdown		6168
+#define	AUE_poweroff		6169
+#define	AUE_crontab_mod		6170
+#define	AUE_audit_startup	6171
+#define	AUE_audit_shutdown	6172
+#define	AUE_allocate_succ	6200
+#define	AUE_allocate_fail	6201
+#define	AUE_deallocate_succ	6202
+#define	AUE_deallocate_fail	6203
+#define	AUE_listdevice_succ	6205
+#define	AUE_listdevice_fail	6206
+#define	AUE_create_user		6207
+#define	AUE_modify_user		6208
+#define	AUE_delete_user		6209
+#define	AUE_disable_user	6210
+#define	AUE_enable_user		6211
+#define	AUE_sudo		6300
+#define	AUE_modify_password	6501	/* Not assigned by Sun. */
+#define	AUE_create_group	6511	/* Not assigned by Sun. */
+#define	AUE_delete_group	6512	/* Not assigned by Sun. */
+#define	AUE_modify_group	6513	/* Not assigned by Sun. */
+#define	AUE_add_to_group	6514	/* Not assigned by Sun. */
+#define	AUE_remove_from_group	6515	/* Not assigned by Sun. */
+#define	AUE_revoke_obj		6521	/* Not assigned by Sun; not used. */
+#define	AUE_lw_login		6600	/* Not assigned by Sun; tentative. */
+#define	AUE_lw_logout		6601	/* Not assigned by Sun; tentative. */
+#define	AUE_auth_user		7000	/* Not assigned by Sun. */
+#define	AUE_ssconn		7001	/* Not assigned by Sun. */
+#define	AUE_ssauthorize		7002	/* Not assigned by Sun. */
+#define	AUE_ssauthint		7003	/* Not assigned by Sun. */
+#define	AUE_openssh		32800
+
+#endif /* !_BSM_AUDIT_UEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
new file mode 100644
index 000000000000..baf9f1479d07
--- /dev/null
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -0,0 +1,1175 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $
+ */
+
+#ifndef _LIBBSM_H_
+#define	_LIBBSM_H_
+
+/*
+ * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
+ * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
+ */
+
+#define	MAX_ARGS	10
+#define	MAX_ENV		10
+
+#include <sys/types.h>
+#include <sys/cdefs.h>
+#include <sys/queue.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_record.h>
+
+#include <stdio.h>
+#include <stdint.h>
+
+#ifdef __APPLE__
+#include <mach/mach.h>		/* audit_token_t */
+#endif
+
+#define	AU_PRS_SUCCESS	1
+#define	AU_PRS_FAILURE	2
+#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
+#define	AU_PRS_USECACHE	0
+#define	AU_PRS_REREAD	1
+
+#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
+#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
+#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
+#define	AUDIT_USER_FILE		"/etc/security/audit_user"
+
+#define	DIR_CONTROL_ENTRY	"dir"
+#define	MINFREE_CONTROL_ENTRY	"minfree"
+#define	FLAGS_CONTROL_ENTRY	"flags"
+#define	NA_CONTROL_ENTRY	"naflags"
+
+#define	AU_CLASS_NAME_MAX	8
+#define	AU_CLASS_DESC_MAX	72
+#define	AU_EVENT_NAME_MAX	30
+#define	AU_EVENT_DESC_MAX	50
+#define	AU_USER_NAME_MAX	50
+#define	AU_LINE_MAX		256
+#define	MAX_AUDITSTRING_LEN	256
+#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */
+
+/*
+ * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
+ * Provided for OpenSSH compatibility.
+ */
+#define	AU_TO_NO_WRITE		0
+#define	AU_TO_WRITE		1
+
+__BEGIN_DECLS
+struct au_event_ent {
+	au_event_t	 ae_number;
+	char		*ae_name;
+	char		*ae_desc;
+	au_class_t	 ae_class;
+};
+typedef struct au_event_ent au_event_ent_t;
+
+struct au_class_ent {
+	char		*ac_name;
+	au_class_t	 ac_class;
+	char		*ac_desc;
+};
+typedef struct au_class_ent au_class_ent_t;
+
+struct au_user_ent {
+	char		*au_name;
+	au_mask_t	 au_always;
+	au_mask_t	 au_never;
+};
+typedef struct au_user_ent au_user_ent_t;
+__END_DECLS
+
+#define	ADD_TO_MASK(m, c, sel) do {					\
+	if (sel & AU_PRS_SUCCESS)					\
+		(m)->am_success |= c;					\
+	if (sel & AU_PRS_FAILURE)					\
+		(m)->am_failure |= c;					\
+} while (0)
+
+#define	SUB_FROM_MASK(m, c, sel) do {					\
+	if (sel & AU_PRS_SUCCESS)					\
+		(m)->am_success &= ((m)->am_success ^ c);		\
+	if (sel & AU_PRS_FAILURE)					\
+		(m)->am_failure &= ((m)->am_failure ^ c);		\
+} while (0)
+
+#define	ADDMASK(m, v) do {						\
+	(m)->am_success |= (v)->am_success;				\
+	(m)->am_failure |= (v)->am_failure;				\
+} while(0)
+
+#define	SUBMASK(m, v) do {						\
+	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
+	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
+} while(0)
+
+__BEGIN_DECLS
+
+/*
+ * Internal representation of audit user in libnsl.
+ */
+typedef struct au_user_str_s {
+	char	*au_name;
+	char	*au_always;
+	char	*au_never;
+} au_user_str_t;
+
+typedef struct au_tid32 {
+	u_int32_t	port;
+	u_int32_t	addr;
+} au_tid32_t;
+
+typedef struct au_tid64 {
+	u_int64_t	port;
+	u_int32_t	addr;
+} au_tid64_t;
+
+typedef struct au_tidaddr32 {
+	u_int32_t	port;
+	u_int32_t	type;
+	u_int32_t	addr[4];
+} au_tidaddr32_t;
+
+/*
+ * argument #              1 byte
+ * argument value          4 bytes/8 bytes (32-bit/64-bit value)
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_char		 no;
+	u_int32_t	 val;
+	u_int16_t	 len;
+	char		*text;
+} au_arg32_t;
+
+typedef struct {
+	u_char		 no;
+	u_int64_t	 val;
+	u_int16_t	 len;
+	char		*text;
+} au_arg64_t;
+
+/*
+ * how to print            1 byte
+ * basic unit              1 byte
+ * unit count              1 byte
+ * data items              (depends on basic unit)
+ */
+typedef struct {
+	u_char	 howtopr;
+	u_char	 bu;
+	u_char	 uc;
+	u_char	*data;
+} au_arb_t;
+
+/*
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+typedef struct {
+	u_int32_t	mode;
+   	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	fsid;
+	u_int64_t	nid;
+	u_int32_t	dev;
+} au_attr32_t;
+
+typedef struct {
+	u_int32_t	mode;
+   	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	fsid;
+	u_int64_t	nid;
+	u_int64_t	dev;
+} au_attr64_t;
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+typedef struct {
+	u_int32_t	 count;
+	char		*text[MAX_ARGS];
+} au_execarg_t;
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+typedef struct {
+	u_int32_t	 count;
+	char		*text[MAX_ENV];
+} au_execenv_t;
+
+/*
+ * status                  4 bytes
+ * return value            4 bytes
+ */
+typedef struct {
+	u_int32_t	status;
+	u_int32_t	ret;
+} au_exit_t;
+
+/*
+ * seconds of time         4 bytes
+ * milliseconds of time    4 bytes
+ * file name length        2 bytes
+ * file pathname           N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_int32_t	 s;
+	u_int32_t	 ms;
+	u_int16_t	 len;
+	char		*name;
+} au_file_t;
+
+
+/*
+ * number groups           2 bytes
+ * group list              N * 4 bytes
+ */
+typedef struct {
+	u_int16_t	no;
+	u_int32_t	list[BSM_MAX_GROUPS];
+} au_groups_t;
+
+/*
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int32_t	s;
+	u_int32_t	ms;
+} au_header32_t;
+
+/*
+ * record byte count       4 bytes
+ * version #               1 byte     [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     1 byte (XXX: actually, 4 bytes)
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes  (32/64-bits)
+ * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
+ */
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int32_t	ad_type;
+	u_int32_t	addr[4];
+	u_int32_t	s;
+	u_int32_t	ms;
+} au_header32_ex_t;
+
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int64_t	s;
+	u_int64_t	ms;
+} au_header64_t;
+
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int32_t	ad_type;
+	u_int32_t	addr[4];
+	u_int64_t	s;
+	u_int64_t	ms;
+} au_header64_ex_t;
+
+/*
+ * internet address        4 bytes
+ */
+typedef struct {
+	u_int32_t	addr;
+} au_inaddr_t;
+
+/*
+ * type                 4 bytes
+ * internet address     16 bytes
+ */
+typedef struct {
+	u_int32_t	type;
+	u_int32_t	addr[4];
+} au_inaddr_ex_t;
+
+/*
+ * version and ihl         1 byte
+ * type of service         1 byte
+ * length                  2 bytes
+ * id                      2 bytes
+ * offset                  2 bytes
+ * ttl                     1 byte
+ * protocol                1 byte
+ * checksum                2 bytes
+ * source address          4 bytes
+ * destination address     4 bytes
+ */
+typedef struct {
+	u_char		version;
+	u_char		tos;
+	u_int16_t	len;
+	u_int16_t	id;
+	u_int16_t	offset;
+	u_char		ttl;
+	u_char		prot;
+	u_int16_t	chksm;
+	u_int32_t	src;
+	u_int32_t	dest;
+} au_ip_t;
+
+/*
+ * object ID type          1 byte
+ * object ID               4 bytes
+ */
+typedef struct {
+	u_char		type;
+	u_int32_t	id;
+} au_ipc_t;
+
+/*
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * creator user ID         4 bytes
+ * creator group ID        4 bytes
+ * access mode             4 bytes
+ * slot sequence #         4 bytes
+ * key                     4 bytes
+ */
+typedef struct {
+	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	puid;
+	u_int32_t	pgid;
+	u_int32_t	mode;
+	u_int32_t	seq;
+	u_int32_t	key;
+} au_ipcperm_t;
+
+/*
+ * port IP address         2 bytes
+ */
+typedef struct {
+	u_int16_t	port;
+} au_iport_t;
+
+/*
+ * length		2 bytes
+ * data			length bytes
+ */
+typedef struct {
+	u_int16_t	 size;
+	char		*data;
+} au_opaque_t;
+
+/*
+ * path length             2 bytes
+ * path                    N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_int16_t	 len;
+	char		*path;
+} au_path_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address       4 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid32_t	tid;
+} au_proc32_t;
+
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid64_t	tid;
+} au_proc64_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * type                  4 bytes
+ * machine address       16 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tidaddr32_t	tid;
+} au_proc32ex_t;
+
+/*
+ * error status            1 byte
+ * return value            4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+	u_char		status;
+	u_int32_t	ret;
+} au_ret32_t;
+
+typedef struct {
+	u_char		err;
+	u_int64_t	val;
+} au_ret64_t;
+
+/*
+ * sequence number         4 bytes
+ */
+typedef struct {
+	u_int32_t	seqno;
+} au_seq_t;
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * local Internet address  4 bytes
+ * remote port             2 bytes
+ * remote Internet address 4 bytes
+ */
+typedef struct {
+	u_int16_t	type;
+	u_int16_t	l_port;
+	u_int32_t	l_addr;
+	u_int16_t	r_port;
+	u_int32_t	r_addr;
+} au_socket_t;
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * address type/length     4 bytes
+ * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port             4 bytes
+ * address type/length     4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+	u_int16_t	type;
+	u_int16_t	l_port;
+	u_int32_t	l_ad_type;
+	u_int32_t	l_addr;
+	u_int32_t	r_port;
+	u_int32_t	r_ad_type;
+	u_int32_t	r_addr;
+} au_socket_ex32_t;
+
+/*
+ * socket family           2 bytes
+ * local port              2 bytes
+ * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+	u_int16_t	family;
+	u_int16_t	port;
+	u_int32_t	addr;
+} au_socketinet32_t;
+
+/*
+ * socket family           2 bytes
+ * path                    104 bytes
+ */
+typedef struct {
+	u_int16_t	family;
+	char		path[104];
+} au_socketunix_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * 	port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * 	machine address       4 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid32_t	tid;
+} au_subject32_t;
+
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid64_t	tid;
+} au_subject64_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * type                  4 bytes
+ * machine address       16 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tidaddr32_t	tid;
+} au_subject32ex_t;
+
+/*
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_int16_t	 len;
+	char		*text;
+} au_text_t;
+
+typedef struct {
+	u_int32_t	ident;
+	u_int16_t	filter;
+	u_int16_t	flags;
+	u_int32_t	fflags;
+	u_int32_t	data;
+} au_kevent_t;
+
+typedef struct {
+	u_int16_t	 length;
+	char		*data;
+} au_invalid_t;
+
+/*
+ * trailer magic number    2 bytes
+ * record byte count       4 bytes
+ */
+typedef struct {
+	u_int16_t	magic;
+	u_int32_t	count;
+} au_trailer_t;
+
+struct tokenstr {
+	u_char	 id;
+	u_char	*data;
+	size_t	 len;
+	union {
+		au_arg32_t		arg32;
+		au_arg64_t		arg64;
+		au_arb_t		arb;
+		au_attr32_t		attr32;
+		au_attr64_t		attr64;
+		au_execarg_t		execarg;
+		au_execenv_t		execenv;
+		au_exit_t		exit;
+		au_file_t		file;
+		au_groups_t		grps;
+		au_header32_t		hdr32;
+		au_header32_ex_t	hdr32_ex;
+		au_header64_t		hdr64;
+		au_header64_ex_t	hdr64_ex;
+		au_inaddr_t		inaddr;
+		au_inaddr_ex_t		inaddr_ex;
+		au_ip_t			ip;
+		au_ipc_t		ipc;
+		au_ipcperm_t		ipcperm;
+		au_iport_t		iport;
+		au_opaque_t		opaque;
+		au_path_t		path;
+		au_proc32_t		proc32;
+		au_proc64_t		proc64;
+		au_proc32ex_t		proc32_ex;
+		au_ret32_t		ret32;
+		au_ret64_t		ret64;
+		au_seq_t		seq;
+		au_socket_t		socket;
+		au_socket_ex32_t	socket_ex32;
+		au_socketinet32_t	sockinet32;
+		au_socketunix_t		sockunix;
+		au_subject32_t		subj32;
+		au_subject64_t		subj64;
+		au_subject32ex_t	subj32_ex;
+		au_text_t		text;
+		au_kevent_t		kevent;
+		au_invalid_t		invalid;
+		au_trailer_t		trail;
+	} tt; /* The token is one of the above types */
+};
+
+typedef struct tokenstr tokenstr_t;
+
+/*
+ * Functions relating to querying audit class information.
+ */
+void			 setauclass(void);
+void			 endauclass(void);
+struct au_class_ent	*getauclassent(void);
+struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
+struct au_class_ent	*getauclassnam(const char *name);
+struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
+			    const char *name);
+struct au_class_ent	*getauclassnum(au_class_t class_number);
+struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
+			    au_class_t class_number);
+
+/*
+ * Functions relating to querying audit control information.
+ */
+void			 setac(void);
+void			 endac(void);
+int			 getacdir(char *name, int len);
+int			 getacmin(int *min_val);
+int			 getacflg(char *auditstr, int len);
+int			 getacna(char *auditstr, int len);
+int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
+int			 getauditflagschar(char *auditstr, au_mask_t *masks,
+			    int verbose);
+int			 au_preselect(au_event_t event, au_mask_t *mask_p,
+			    int sorf, int flag);
+
+/*
+ * Functions relating to querying audit event information.
+ *
+ * XXXRW: getauevnonam() has no _r version?
+ */
+void			 setauevent(void);
+void			 endauevent(void);
+struct au_event_ent	*getauevent(void);
+struct au_event_ent	*getauevent_r(struct au_event_ent *e);
+struct au_event_ent	*getauevnam(const char *name);
+struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
+			    const char *name);
+struct au_event_ent	*getauevnum(au_event_t event_number);
+struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
+			    au_event_t event_number);
+au_event_t		*getauevnonam(const char *event_name);
+au_event_t		*getauevnonam_r(au_event_t *ev,
+			    const char *event_name);
+
+/*
+ * Functions relating to querying audit user information.
+ */
+void			 setauuser(void);
+void			 endauuser(void);
+struct au_user_ent	*getauuserent(void);
+struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
+struct au_user_ent	*getauusernam(const char *name);
+struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
+			    const char *name);
+int			 au_user_mask(char *username, au_mask_t *mask_p);
+int			 getfauditflags(au_mask_t *usremask,
+			    au_mask_t *usrdmask, au_mask_t *lastmask);
+
+/*
+ * Functions for reading and printing records and tokens from audit trails.
+ */
+int			 au_read_rec(FILE *fp, u_char **buf);
+int			 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
+//XXX The following interface has different prototype from BSM
+void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
+			    char *del, char raw, char sfrm);
+__END_DECLS
+
+#ifdef __APPLE__
+#include <sys/appleapiopts.h>
+
+/**************************************************************************
+ **************************************************************************
+ ** The following definitions, functions, etc., are NOT officially
+ ** supported: they may be changed or removed in the future.  Do not use
+ ** them unless you are prepared to cope with that eventuality.
+ **************************************************************************
+ **************************************************************************/
+
+#ifdef __APPLE_API_PRIVATE
+#define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
+#endif /* __APPLE_API_PRIVATE */
+
+/*
+ * au_get_state() return values
+ * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
+ * AUDIT_ON are deprecated and WILL be removed.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define	AUDIT_OFF	AUC_NOAUDIT
+#define	AUDIT_ON	AUC_AUDITING
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+/*
+ * Error return codes for audit_set_terminal_id(), audit_write() and its
+ * brethren.  We have 255 (not including kAUNoErr) to play with.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+enum {
+	kAUNoErr			= 0,
+	kAUBadParamErr			= -66049,
+	kAUStatErr,
+	kAUSysctlErr,
+	kAUOpenErr,
+	kAUMakeSubjectTokErr,
+	kAUWriteSubjectTokErr,
+	kAUWriteCallerTokErr,
+	kAUMakeReturnTokErr,
+	kAUWriteReturnTokErr,
+	kAUCloseErr,
+	kAUMakeTextTokErr,
+	kAULastErr
+};
+
+#ifdef __APPLE__
+/*
+ * Error return codes for au_get_state() and/or its private support
+ * functions.  These codes are designed to be compatible with the
+ * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
+ * Any changes to notify(3) may cause these values to change in future.
+ *
+ * AU_UNIMPL should never happen unless you've changed your system software
+ * without rebooting.  Shame on you.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define	AU_UNIMPL	NOTIFY_STATUS_FAILED + 1	/* audit unimplemented */
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+__BEGIN_DECLS
+/*
+ * XXX  This prototype should be in audit_record.h
+ *
+ * au_free_token()
+ *
+ * @summary - au_free_token() deallocates a token_t created by any of
+ * the au_to_*() BSM API functions.
+ *
+ * The BSM API generally manages deallocation of token_t objects.  However,
+ * if au_write() is passed a bad audit descriptor, the token_t * parameter
+ * will be left untouched.  In that case, the caller can deallocate the
+ * token_t using au_free_token() if desired.  This is, in fact, what
+ * audit_write() does, in keeping with the existing memory management model
+ * of the BSM API.
+ *
+ * @param tok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  For convenience, tok may be NULL, in which case
+ * au_free_token() returns immediately.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void	au_free_token(token_t *tok);
+
+/*
+ * Lightweight check to determine if auditing is enabled.  If a client
+ * wants to use this to govern whether an entire series of audit calls
+ * should be made--as in the common case of a caller building a set of
+ * tokens, then writing them--it should cache the audit status in a local
+ * variable.  This call always returns the current state of auditing.
+ *
+ * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
+ * Otherwise the function can return any of the errno values defined for
+ * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
+ * the system.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	au_get_state(void);
+__END_DECLS
+
+/* OpenSSH compatibility */
+#define	cannot_audit(x)	(!(au_get_state() == AUC_AUDITING))
+
+__BEGIN_DECLS
+/*
+ * audit_set_terminal_id()
+ *
+ * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
+ * used in audit session initialization by processes like /usr/bin/login.
+ *
+ * @param tid - A pointer to an au_tid_t struct.
+ *
+ * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
+ * or kAUSysctlErr if one of the underlying system calls fails (a message
+ * is sent to the system log in those cases).
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_set_terminal_id(au_tid_t *tid);
+
+/*
+ * BEGIN au_write() WRAPPERS
+ *
+ * The following calls all wrap the existing BSM API.  They use the
+ * provided subject information, if any, to construct the subject token
+ * required for every log message.  They use the provided return/error
+ * value(s), if any, to construct the success/failure indication required
+ * for every log message.  They only permit one "miscellaneous" token,
+ * which should contain the event-specific logging information mandated by
+ * CAPP.
+ *
+ * All these calls assume the caller has previously determined that
+ * auditing is enabled by calling au_get_state().
+ */
+
+/*
+ * audit_write()
+ *
+ * @summary - audit_write() is the basis for the other audit_write_*()
+ * calls.  Performs a basic write of an audit record (subject, additional
+ * info, success/failure).  Note that this call only permits logging one
+ * caller-specified token; clients needing to log more flexibly must use
+ * the existing BSM API (au_open(), et al.) directly.
+ *
+ * Note on memory management: audit_write() guarantees that the token_t *s
+ * passed to it will be deallocated whether or not the underlying write to
+ * the audit log succeeded.  This addresses an inconsistency in the
+ * underlying BSM API in which token_t *s are usually but not always
+ * deallocated.
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param subject - A token_t * generated by au_to_subject(),
+ * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
+ * required, subject should be NULL.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  This should correspond to the additional information required by
+ * CAPP for the event being audited.  If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param retval - The return value to be logged for this event.  This
+ * should be 0 (zero) for success, otherwise the value is event-specific.
+ *
+ * @param errcode - Any error code associated with the return value (e.g.,
+ * errno or h_errno).  If there was no error, errcode should be 0 (zero).
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write(short event_code, token_t *subject, token_t *misctok,
+	    char retval, int errcode);
+
+/*
+ * audit_write_success()
+ *
+ * @summary - audit_write_success() records an auditable event that did not
+ * encounter an error.  The interface is designed to require as little
+ * direct use of the au_to_*() API as possible.  It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_success_self().
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  This should correspond to the additional information required by
+ * CAPP for the event being audited.  If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_success(short event_code, token_t *misctok, au_id_t auid,
+	    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
+	    au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_success_self()
+ *
+ * @summary - Similar to audit_write_success(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  This should correspond to the additional information required by
+ * CAPP for the event being audited.  If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_success_self(short event_code, token_t *misctok);
+
+/*
+ * audit_write_failure()
+ *
+ * @summary - audit_write_failure() records an auditable event that
+ * encountered an error.  The interface is designed to require as little
+ * direct use of the au_to_*() API as possible.  It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_failure_self().
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error.  This is intended to store the value of errno or h_errno if
+ * it's relevant.  This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_failure(short event_code, char *errmsg, int errret,
+	    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+	    pid_t pid, au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_failure_self()
+ *
+ * @summary - Similar to audit_write_failure(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error.  This is intended to store the value of errno or h_errno if
+ * it's relevant.  This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_failure_self(short event_code, char *errmsg, int errret);
+
+/*
+ * audit_write_failure_na()
+ *
+ * @summary - audit_write_failure_na() records errors during login.  Such
+ * errors are implicitly non-attributable (i.e., not ascribable to any user).
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error.  This is intended to store the value of errno or h_errno if
+ * it's relevant.  This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_failure_na(short event_code, char *errmsg, int errret,
+	    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
+
+/* END au_write() WRAPPERS */
+
+#ifdef  __APPLE__
+/*
+ * audit_token_to_au32()
+ *
+ * @summary - Extract information from an audit_token_t, used to identify
+ * Mach tasks and senders of Mach messages as subjects to the audit system.
+ * audit_tokent_to_au32() is the only method that should be used to parse
+ * an audit_token_t, since its internal representation may change over
+ * time.  A pointer parameter may be NULL if that information is not
+ * needed.
+ *
+ * @param atoken - the audit token containing the desired information
+ *
+ * @param auidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's audit user ID
+ *
+ * @param euidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's effective user ID
+ *
+ * @param egidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's effective group ID
+ *
+ * @param ruidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's real user ID
+ *
+ * @param rgidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's real group ID
+ *
+ * @param pidp - Pointer to a pid_t; on return will be set to the task or
+ * sender's process ID
+ *
+ * @param asidp - Pointer to an au_asid_t; on return will be set to the
+ * task or sender's audit session ID
+ *
+ * @param tidp - Pointer to an au_tid_t; on return will be set to the task
+ * or sender's terminal ID
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void audit_token_to_au32(
+	audit_token_t	 atoken,
+	uid_t		*auidp,
+	uid_t		*euidp,
+	gid_t		*egidp,
+	uid_t		*ruidp,
+	gid_t		*rgidp,
+	pid_t		*pidp,
+	au_asid_t	*asidp,
+	au_tid_t	*tidp);
+#endif /* !__APPLE__ */
+
+__END_DECLS
+
+#endif /* !_LIBBSM_H_ */
diff --git a/contrib/openbsm/compat/endian.h b/contrib/openbsm/compat/endian.h
new file mode 100644
index 000000000000..2517a41adc63
--- /dev/null
+++ b/contrib/openbsm/compat/endian.h
@@ -0,0 +1,264 @@
+/*-
+ * Copyright (c) 2002 Thomas Moestl <tmm@FreeBSD.org>
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * Derived from FreeBSD src/sys/sys/endian.h:1.6.
+ * $P4: //depot/projects/trustedbsd/openbsm/compat/endian.h#5 $
+ */
+
+#ifndef _COMPAT_ENDIAN_H_
+#define _COMPAT_ENDIAN_H_
+
+/*
+ * Pick up value of BYTE_ORDER/_BYTE_ORDER if not yet included.
+ */
+#include <machine/endian.h>
+
+/*
+ * Some systems will have the uint/int types defined here already, others
+ * will need stdint.h.
+ */
+#include <stdint.h>
+
+/*
+ * Some operating systems do not yet have the more recent endian APIs that
+ * permit encoding to and decoding from byte streams.  For those systems, we
+ * implement local non-optimized versions.
+ */
+
+static __inline uint16_t
+bswap16(uint16_t int16)
+{
+	const unsigned char *from;
+	unsigned char *to;
+	uint16_t t;
+
+	from = (const unsigned char *) &int16;
+	to = (unsigned char *) &t;
+
+	to[0] = from[1];
+	to[1] = from[0];
+
+	return (t);
+}
+
+static __inline uint32_t
+bswap32(uint32_t int32)
+{
+	const unsigned char *from;
+	unsigned char *to;
+	uint32_t t;
+
+	from = (const unsigned char *) &int32;
+	to = (unsigned char *) &t;
+
+	to[0] = from[3];
+	to[1] = from[2];
+	to[2] = from[1];
+	to[3] = from[0];
+
+	return (t);
+}
+
+static __inline uint64_t
+bswap64(uint64_t int64)
+{
+	const unsigned char *from;
+	unsigned char *to;
+	uint64_t t;
+
+	from = (const unsigned char *) &int64;
+	to = (unsigned char *) &t;
+
+	to[0] = from[7];
+	to[1] = from[6];
+	to[2] = from[5];
+	to[3] = from[4];
+	to[4] = from[3];
+	to[5] = from[2];
+	to[6] = from[1];
+	to[7] = from[0];
+
+	return (t);
+}
+
+#if defined(BYTE_ORDER) && !defined(_BYTE_ORDER)
+#define	_BYTE_ORDER	BYTE_ORDER
+#endif
+#if !defined(_BYTE_ORDER)
+#error "Neither BYTE_ORDER nor _BYTE_ORDER defined"
+#endif
+
+#if defined(BIG_ENDIAN) && !defined(_BIG_ENDIAN)
+#define	_BIG_ENDIAN	BIG_ENDIAN
+#endif
+
+#if defined(LITTLE_ENDIAN) && !defined(_LITTLE_ENDIAN)
+#define	_LITTLE_ENDIAN	LITTLE_ENDIAN
+#endif
+
+/*
+ * Host to big endian, host to little endian, big endian to host, and little
+ * endian to host byte order functions as detailed in byteorder(9).
+ */
+#if _BYTE_ORDER == _LITTLE_ENDIAN
+#define	htobe16(x)	bswap16((x))
+#define	htobe32(x)	bswap32((x))
+#define	htobe64(x)	bswap64((x))
+#define	htole16(x)	((uint16_t)(x))
+#define	htole32(x)	((uint32_t)(x))
+#define	htole64(x)	((uint64_t)(x))
+
+#define	be16toh(x)	bswap16((x))
+#define	be32toh(x)	bswap32((x))
+#define	be64toh(x)	bswap64((x))
+#define	le16toh(x)	((uint16_t)(x))
+#define	le32toh(x)	((uint32_t)(x))
+#define	le64toh(x)	((uint64_t)(x))
+#else /* _BYTE_ORDER != _LITTLE_ENDIAN */
+#define	htobe16(x)	((uint16_t)(x))
+#define	htobe32(x)	((uint32_t)(x))
+#define	htobe64(x)	((uint64_t)(x))
+#define	htole16(x)	bswap16((x))
+#define	htole32(x)	bswap32((x))
+#define	htole64(x)	bswap64((x))
+
+#define	be16toh(x)	((uint16_t)(x))
+#define	be32toh(x)	((uint32_t)(x))
+#define	be64toh(x)	((uint64_t)(x))
+#define	le16toh(x)	bswap16((x))
+#define	le32toh(x)	bswap32((x))
+#define	le64toh(x)	bswap64((x))
+#endif /* _BYTE_ORDER == _LITTLE_ENDIAN */
+
+/* Alignment-agnostic encode/decode bytestream to/from little/big endian. */
+
+static __inline uint16_t
+be16dec(const void *pp)
+{
+	unsigned char const *p = (unsigned char const *)pp;
+
+	return ((p[0] << 8) | p[1]);
+}
+
+static __inline uint32_t
+be32dec(const void *pp)
+{
+	unsigned char const *p = (unsigned char const *)pp;
+
+	return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]);
+}
+
+static __inline uint64_t
+be64dec(const void *pp)
+{
+	unsigned char const *p = (unsigned char const *)pp;
+
+	return (((uint64_t)be32dec(p) << 32) | be32dec(p + 4));
+}
+
+static __inline uint16_t
+le16dec(const void *pp)
+{
+	unsigned char const *p = (unsigned char const *)pp;
+
+	return ((p[1] << 8) | p[0]);
+}
+
+static __inline uint32_t
+le32dec(const void *pp)
+{
+	unsigned char const *p = (unsigned char const *)pp;
+
+	return ((p[3] << 24) | (p[2] << 16) | (p[1] << 8) | p[0]);
+}
+
+static __inline uint64_t
+le64dec(const void *pp)
+{
+	unsigned char const *p = (unsigned char const *)pp;
+
+	return (((uint64_t)le32dec(p + 4) << 32) | le32dec(p));
+}
+
+static __inline void
+be16enc(void *pp, uint16_t u)
+{
+	unsigned char *p = (unsigned char *)pp;
+
+	p[0] = (u >> 8) & 0xff;
+	p[1] = u & 0xff;
+}
+
+static __inline void
+be32enc(void *pp, uint32_t u)
+{
+	unsigned char *p = (unsigned char *)pp;
+
+	p[0] = (u >> 24) & 0xff;
+	p[1] = (u >> 16) & 0xff;
+	p[2] = (u >> 8) & 0xff;
+	p[3] = u & 0xff;
+}
+
+static __inline void
+be64enc(void *pp, uint64_t u)
+{
+	unsigned char *p = (unsigned char *)pp;
+
+	be32enc(p, u >> 32);
+	be32enc(p + 4, u & 0xffffffff);
+}
+
+static __inline void
+le16enc(void *pp, uint16_t u)
+{
+	unsigned char *p = (unsigned char *)pp;
+
+	p[0] = u & 0xff;
+	p[1] = (u >> 8) & 0xff;
+}
+
+static __inline void
+le32enc(void *pp, uint32_t u)
+{
+	unsigned char *p = (unsigned char *)pp;
+
+	p[0] = u & 0xff;
+	p[1] = (u >> 8) & 0xff;
+	p[2] = (u >> 16) & 0xff;
+	p[3] = (u >> 24) & 0xff;
+}
+
+static __inline void
+le64enc(void *pp, uint64_t u)
+{
+	unsigned char *p = (unsigned char *)pp;
+
+	le32enc(p, u & 0xffffffff);
+	le32enc(p + 4, u >> 32);
+}
+
+#endif	/* _COMPAT_ENDIAN_H_ */
diff --git a/contrib/openbsm/etc/audit_class b/contrib/openbsm/etc/audit_class
new file mode 100644
index 000000000000..9f596a276b9d
--- /dev/null
+++ b/contrib/openbsm/etc/audit_class
@@ -0,0 +1,25 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_class#3 $
+#
+# This file must match audit.h
+#
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000008:fm:file attribute modify
+0x00000010:fc:file create
+0x00000020:fd:file delete
+0x00000040:cl:file close
+0x00000080:pc:process
+0x00000100:nt:network
+0x00000200:ip:ipc
+0x00000400:na:non attributable
+0x00000800:ad:administrative
+0x00001000:lo:login_logout
+0x00002000:tf:tfm
+0x00004000:ap:application
+0x20000000:io:ioctl
+0x40000000:ex:exec
+0x80000000:ot:miscellaneous
+0xffffffff:all:all flags set
diff --git a/contrib/openbsm/etc/audit_control b/contrib/openbsm/etc/audit_control
new file mode 100644
index 000000000000..f6ca774e6cbd
--- /dev/null
+++ b/contrib/openbsm/etc/audit_control
@@ -0,0 +1,7 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#2 $
+#
+dir:/var/audit
+flags:lo,ad,-all,^-fa,^-fc,^-cl
+minfree:20
+naflags:lo
diff --git a/contrib/openbsm/etc/audit_event b/contrib/openbsm/etc/audit_event
new file mode 100644
index 000000000000..01a3a5b6cbd2
--- /dev/null
+++ b/contrib/openbsm/etc/audit_event
@@ -0,0 +1,343 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#10 $
+#
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2) - attr only:fa
+4:AUE_CREAT:creat(2):fc
+5:AUE_LINK:link(2):fc
+6:AUE_UNLINK:unlink(2):fd
+7:AUE_EXEC:exec(2):pc,ex
+8:AUE_CHDIR:chdir(2):pc
+9:AUE_MKNOD:mknod(2):fc
+10:AUE_CHMOD:chmod(2):fm
+11:AUE_CHOWN:chown(2):fm
+12:AUE_UMOUNT:umount(2) - old version:ad
+13:AUE_JUNK:junk:no
+14:AUE_ACCESS:access(2):fa
+15:AUE_KILL:kill(2):pc
+16:AUE_STAT:stat(2):fa
+17:AUE_LSTAT:lstat(2):fa
+18:AUE_ACCT:acct(2):ad
+19:AUE_MCTL:mctl(2):no
+20:AUE_REBOOT:reboot(2):ad
+21:AUE_SYMLINK:symlink(2):fc
+22:AUE_READLINK:readlink(2):fr
+23:AUE_EXECVE:execve(2):pc,ex
+24:AUE_CHROOT:chroot(2):pc
+25:AUE_VFORK:vfork(2):pc
+26:AUE_SETGROUPS:setgroups(2):pc
+27:AUE_SETPGRP:setpgrp(2):pc
+28:AUE_SWAPON:swapon(2):ad
+29:AUE_SETHOSTNAME:sethostname(2):ad
+30:AUE_FCNTL:fcntl(2):fm
+31:AUE_SETPRIORITY:setpriority(2):pc
+32:AUE_CONNECT:connect(2):nt
+33:AUE_ACCEPT:accept(2):nt
+34:AUE_BIND:bind(2):nt
+35:AUE_SETSOCKOPT:setsockopt(2):nt
+36:AUE_VTRACE:vtrace(2):pc
+37:AUE_SETTIMEOFDAY:settimeofday(2):ad
+38:AUE_FCHOWN:fchown(2):fm
+39:AUE_FCHMOD:fchmod(2):fm
+40:AUE_SETREUID:setreuid(2):pc
+41:AUE_SETREGID:setregid(2):pc
+42:AUE_RENAME:rename(2):fc,fd
+43:AUE_TRUNCATE:truncate(2):fw
+44:AUE_FTRUNCATE:ftruncate(2):fw
+45:AUE_FLOCK:flock(2):fm
+46:AUE_SHUTDOWN:shutdown(2):nt
+47:AUE_MKDIR:mkdir(2):fc
+48:AUE_RMDIR:rmdir(2):fd
+49:AUE_UTIMES:utimes(2):fm
+50:AUE_ADJTIME:adjtime(2):ad
+51:AUE_SETRLIMIT:setrlimit(2):pc
+52:AUE_KILLPG:killpg(2):pc
+53:AUE_NFS_SVC:nfs_svc(2):ad
+54:AUE_STATFS:statfs(2):fa
+55:AUE_FSTATFS:fstatfs(2):fa
+56:AUE_UNMOUNT:unmount(2):ad
+57:AUE_ASYNC_DAEMON:async_daemon(2):ad
+58:AUE_NFS_GETFH:nfs_getfh(2):ad
+59:AUE_SETDOMAINNAME:setdomainname(2):ad
+60:AUE_QUOTACTL:quotactl(2):ad
+61:AUE_EXPORTFS:exportfs(2):ad
+62:AUE_MOUNT:mount(2):ad
+63:AUE_SEMSYS:semsys(2):ip
+64:AUE_MSGSYS:msgsys(2):ip
+65:AUE_SHMSYS:shmsys(2):ip
+66:AUE_BSMSYS:bsmsys(2):ad
+67:AUE_RFSSYS:rfssys(2):ad
+68:AUE_FCHDIR:fchdir(2):pc
+69:AUE_FCHROOT:fchroot(2):pc
+70:AUE_VPIXSYS:vpixsys(2):no
+71:AUE_PATHCONF:pathconf(2):fa
+72:AUE_OPEN_R:open(2) - read:fr
+73:AUE_OPEN_RC:open(2) - read,creat:fc,fr,fa,fm
+74:AUE_OPEN_RT:open(2) - read,trunc:fd,fr,fa,fm
+75:AUE_OPEN_RTC:open(2) - read,creat,trunc:fc,fd,fr,fa,fm
+76:AUE_OPEN_W:open(2) - write:fw
+77:AUE_OPEN_WC:open(2) - write,creat:fc,fw,fa,fm
+78:AUE_OPEN_WT:open(2) - write,trunc:fd,fw,fa,fm
+79:AUE_OPEN_WTC:open(2) - write,creat,trunc:fc,fd,fw,fa,fm
+80:AUE_OPEN_RW:open(2) - read,write:fr,fw
+81:AUE_OPEN_RWC:open(2) - read,write,creat:fc,fw,fr,fa,fm
+82:AUE_OPEN_RWT:open(2) - read,write,trunc:fd,fr,fw,fa,fm
+83:AUE_OPEN_RWTC:open(2) - read,write,creat,trunc:fc,fd,fw,fr,fa,fm
+84:AUE_MSGCTL:msgctl(2) - illegal command:ip
+85:AUE_MSGCTL_RMID:msgctl(2) - IPC_RMID command:ip
+86:AUE_MSGCTL_SET:msgctl(2) - IPC_SET command:ip
+87:AUE_MSGCTL_STAT:msgctl(2) - IPC_STAT command:ip
+88:AUE_MSGGET:msgget(2):ip
+89:AUE_MSGRCV:msgrcv(2):ip
+90:AUE_MSGSND:msgsnd(2):ip
+91:AUE_SHMCTL:shmctl(2) - illegal command:ip
+92:AUE_SHMCTL_RMID:shmctl(2) - IPC_RMID command:ip
+93:AUE_SHMCTL_SET:shmctl(2) - IPC_SET command:ip
+94:AUE_SHMCTL_STAT:shmctl(2) - IPC_STAT command:ip
+95:AUE_SHMGET:shmget(2):ip
+96:AUE_SHMAT:shmat(2):ip
+97:AUE_SHMDT:shmdt(2):ip
+98:AUE_SEMCTL:semctl(2) - illegal command:ip
+99:AUE_SEMCTL_RMID:semctl(2) - IPC_RMID command:ip
+100:AUE_SEMCTL_SET:semctl(2) - IPC_SET command:ip
+101:AUE_SEMCTL_STAT:semctl(2) - IPC_STAT command:ip
+102:AUE_SEMCTL_GETNCNT:semctl(2) - GETNCNT command:ip
+103:AUE_SEMCTL_GETPID:semctl(2) - GETPID command:ip
+104:AUE_SEMCTL_GETVAL:semctl(2) - GETVAL command:ip
+105:AUE_SEMCTL_GETALL:semctl(2) - GETALL command:ip
+106:AUE_SEMCTL_GETZCNT:semctl(2) - GETZCNT command:ip
+107:AUE_SEMCTL_SETVAL:semctl(2) - SETVAL command:ip
+108:AUE_SEMCTL_SETALL:semctl(2) - SETALL command:ip
+109:AUE_SEMGET:semget(2):ip
+110:AUE_SEMOP:semop(2):ip
+111:AUE_CORE:process dumped core:fc
+112:AUE_CLOSE:close(2):cl
+113:AUE_SYSTEMBOOT:system booted:na
+114:AUE_ASYNC_DAEMON_EXIT:async_daemon(2) exited:ad
+115:AUE_NFSSVC_EXIT:nfssvc(2) exited:ad
+128:AUE_WRITEL:writel(2):fw
+129:AUE_WRITEVL:writevl(2):fw
+130:AUE_GETAUID:getauid(2):ad
+131:AUE_SETAUID:setauid(2):ad
+132:AUE_GETAUDIT:getaudit(2):ad
+133:AUE_SETAUDIT:setaudit(2):ad
+134:AUE_GETUSERAUDIT:getuseraudit(2):ad
+135:AUE_SETUSERAUDIT:setuseraudit(2):ad
+136:AUE_AUDITSVC:auditsvc(2):ad
+137:AUE_AUDITUSER:audituser(2):ad
+138:AUE_AUDITON:auditon(2):ad
+139:AUE_AUDITON_GTERMID:auditon(2) - GETTERMID command:ad
+140:AUE_AUDITON_STERMID:auditon(2) - SETTERMID command:ad
+141:AUE_AUDITON_GPOLICY:auditon(2) - GPOLICY command:ad
+142:AUE_AUDITON_SPOLICY:auditon(2) - SPOLICY command:ad
+143:AUE_AUDITON_GESTATE:auditon(2) - GESTATE command:ad
+144:AUE_AUDITON_SESTATE:auditon(2) - SESTATE command:ad
+145:AUE_AUDITON_GQCTRL:auditon(2) - GQCTRL command:ad
+146:AUE_AUDITON_SQCTRL:auditon(2) - SQCTRL command:ad
+147:AUE_GETKERNSTATE:getkernstate(2):ad
+148:AUE_SETKERNSTATE:setkernstate(2):ad
+149:AUE_GETPORTAUDIT:getportaudit(2):ad
+150:AUE_AUDITSTAT:auditstat(2):ad
+153:AUE_ENTERPROM:enter prom:ad
+154:AUE_EXITPROM:exit prom:ad
+158:AUE_IOCTL:ioctl(2):io
+173:AUE_ONESIDE:one-sided session record:nt
+174:AUE_MSGGETL:msggetl(2):ip
+175:AUE_MSGRCVL:msgrcvl(2):ip
+176:AUE_MSGSNDL:msgsndl(2):ip
+177:AUE_SEMGETL:semgetl(2):ip
+178:AUE_SHMGETL:shmgetl(2):ip
+183:AUE_SOCKET:socket(2):nt
+184:AUE_SENDTO:sendto(2):nt
+185:AUE_PIPE:pipe(2):ip
+186:AUE_SOCKETPAIR:socketpair(2):nt
+187:AUE_SEND:send(2):nt
+188:AUE_SENDMSG:sendmsg(2):nt
+189:AUE_RECV:recv(2):nt
+190:AUE_RECVMSG:recvmsg(2):nt
+191:AUE_RECVFROM:recvfrom(2):nt
+192:AUE_READ:read(2):no
+193:AUE_GETDENTS:getdents(2):no
+194:AUE_LSEEK:lseek(2):no
+195:AUE_WRITE:write(2):no
+196:AUE_WRITEV:writev(2):no
+197:AUE_NFS:nfs server:ad
+198:AUE_READV:readv(2):no
+199:AUE_OSTAT:old stat(2):fa
+200:AUE_SETUID:setuid(2):pc
+201:AUE_STIME:old stime(2):ad
+202:AUE_UTIME:old utime(2):fm
+203:AUE_NICE:old nice(2):pc
+204:AUE_OSETPGRP:old setpgrp(2):pc
+205:AUE_SETGID:setgid(2):pc
+206:AUE_READL:readl(2):no
+207:AUE_READVL:readvl(2):no
+209:AUE_DUP2:dup2(2):no
+210:AUE_MMAP:mmap(2):no
+211:AUE_AUDIT:audit(2):ot
+212:AUE_PRIOCNTLSYS:priocntlsys(2):pc
+213:AUE_MUNMAP:munmap(2):cl
+214:AUE_SETEGID:setegid(2):pc
+215:AUE_SETEUID:seteuid(2):pc
+216:AUE_PUTMSG:putmsg(2):nt
+217:AUE_GETMSG:getmsg(2):nt
+218:AUE_PUTPMSG:putpmsg(2):nt
+219:AUE_GETPMSG:getpmsg(2):nt
+220:AUE_AUDITSYS:audit system calls place holder:no
+221:AUE_AUDITON_GETKMASK:auditon(2) - get kernel mask:ad
+222:AUE_AUDITON_SETKMASK:auditon(2) - set kernel mask:ad
+223:AUE_AUDITON_GETCWD:auditon(2) - get cwd:ad
+224:AUE_AUDITON_GETCAR:auditon(2) - get car:ad
+225:AUE_AUDITON_GETSTAT:auditon(2) - get audit statistics:ad
+226:AUE_AUDITON_SETSTAT:auditon(2) - reset audit statistics:ad
+227:AUE_AUDITON_SETUMASK:auditon(2) - set mask per uid:ad
+228:AUE_AUDITON_SETSMASK:auditon(2) - set mask per session ID:ad
+229:AUE_AUDITON_GETCOND:auditon(2) - get audit state:ad
+230:AUE_AUDITON_SETCOND:auditon(2) - set audit state:ad
+231:AUE_AUDITON_GETCLASS:auditon(2) - get event class:ad
+232:AUE_AUDITON_SETCLASS:auditon(2) - set event class:ad
+233:AUE_UTSSYS:utssys(2) - fusers:ad
+234:AUE_STATVFS:statvfs(2):fa
+235:AUE_XSTAT:xstat(2):fa
+236:AUE_LXSTAT:lx6stat(2):fa
+237:AUE_LCHOWN:lchown(2):fm
+238:AUE_MEMCNTL:memcntl(2):ot
+239:AUE_SYSINFO:sysinfo(2):ad
+240:AUE_XMKNOD:xmknod(2):fc
+241:AUE_FORK1:fork1(2):pc
+242:AUE_MODCTL:modctl(2) system call place holder:no
+243:AUE_MODLOAD:modctl(2) - load module:ad
+244:AUE_MODUNLOAD:modctl(2) - unload module:ad
+245:AUE_MODCONFIG:modctl(2) - configure module:ad
+246:AUE_MODADDMAJ:modctl(2) - bind module:ad
+247:AUE_SOCKACCEPT:getmsg-accept:nt
+248:AUE_SOCKCONNECT:putmsg-connect:nt
+249:AUE_SOCKSEND:putmsg-send:nt
+250:AUE_SOCKRECEIVE:getmsg-receive:nt
+251:AUE_ACLSET:acl(2) - SETACL comand:fm
+252:AUE_FACLSET:facl(2) - SETACL command:fm
+253:AUE_DOORFS:doorfs(2) - system call place holder:no
+254:AUE_DOORFS_DOOR_CALL:doorfs(2) - DOOR_CALL:ip
+255:AUE_DOORFS_DOOR_RETURN:doorfs(2) - DOOR_RETURN:ip
+256:AUE_DOORFS_DOOR_CREATE:doorfs(2) - DOOR_CREATE:ip
+257:AUE_DOORFS_DOOR_REVOKE:doorfs(2) - DOOR_REVOKE:ip
+258:AUE_DOORFS_DOOR_INFO:doorfs(2) - DOOR_INFO:ip
+259:AUE_DOORFS_DOOR_CRED:doorfs(2) - DOOR_CRED:ip
+260:AUE_DOORFS_DOOR_BIND:doorfs(2) - DOOR_BIND:ip
+261:AUE_DOORFS_DOOR_UNBIND:doorfs(2) - DOOR_UNBIND:ip
+262:AUE_P_ONLINE:p_online(2):ad
+263:AUE_PROCESSOR_BIND:processor_bind(2):ad
+264:AUE_INST_SYNC:inst_sync(2):ad
+266:AUE_SETAUDIT_ADDR:setaudit_addr(2):ad
+267:AUE_GETAUDIT_ADDR:getaudit_addr(2):ad
+268:AUE_CLOCK_SETTIME:clock_settime(2):ad
+269:AUE_NTP_ADJTIME:ntp_adjtime(2):ad
+301:AUE_GETFSSTAT:getfsstat(2):fa
+302:AUE_PTRACE:ptrace(2):pc
+303:AUE_CHFLAGS:chflags(2):fm
+304:AUE_FCHFLAGS:fchflags(2):fm
+305:AUE_PROFILE:profil(2):pc
+306:AUE_KTRACE:ktrace(2):pc
+307:AUE_SETLOGIN:setlogin(2):pc
+308:AUE_DARWIN_REBOOT:reboot(2):ad
+309:AUE_REVOKE:revoke(2):cl
+310:AUE_UMASK:umask(2):pc
+311:AUE_MPROTECT:mprotect(2):fm
+312:AUE_DARWIN_SETPRIORITY:setpriority(2):pc,ot
+313:AUE_DARWIN_SETTIMEOFDAY:settimeofday(2):ad
+314:AUE_DARWIN_FLOCK:flock(2):fm
+315:AUE_MKFIFO:mkfifo(2):fc
+316:AUE_POLL:poll(2):no
+317:AUE_DARWIN_SOCKETPAIR:socketpair(2):nt
+318:AUE_FUTIMES:futimes(2):fm
+319:AUE_SETSID:setsid(2):pc
+320:AUE_SETPRIVEXEC:setprivexec(2):pc
+321:AUE_DARWIN_NFSSVC:nfssvc(2):ad
+322:AUE_DARWIN_GETFH:getfh(2):fa
+323:AUE_DARWIN_QUOTACTL:quotactl(2):ad
+324:AUE_ADDPROFILE:system call:pc
+325:AUE_KDEBUGTRACE:system call:pc
+326:AUE_FSTAT:fstat(2):fa
+327:AUE_FPATHCONF:fpathconf(2):fa
+328:AUE_GETDIRENTRIES:getdirentries(2):fr
+329:AUE_DARWIN_TRUNCATE:truncate(2):fw
+330:AUE_DARWIN_FTRUNCATE:ftruncate(2):fw
+331:AUE_SYSCTL:sysctl(3):ad
+332:AUE_MLOCK:mlock(2):pc
+333:AUE_MUNLOCK:munlock(2):pc
+334:AUE_UNDELETE:undelete(2):fm
+335:AUE_GETATTRLIST:getattrlist():fa
+336:AUE_SETATTRLIST:setattrlist():fm
+337:AUE_GETDIRENTRIESATTR:getdirentriesattr():fa
+338:AUE_EXCHANGEDATA:exchangedata():fw
+339:AUE_SEARCHFS:searchfs():fa
+340:AUE_MINHERIT:minherit(2):pc
+341:AUE_SEMCONFIG:semconfig():ip
+342:AUE_SEMOPEN:sem_open(2):ip
+343:AUE_SEMCLOSE:sem_close(2):ip
+344:AUE_SEMUNLINK:sem_unlink(2):ip
+345:AUE_SHMOPEN:shm_open(2):ip
+346:AUE_SHMUNLINK:shm_unlink(2):ip
+347:AUE_LOADSHFILE:load_shared_file():fr
+348:AUE_RESETSHFILE:reset_shared_file():ot
+349:AUE_NEWSYSTEMSHREG:new_system_share_regions():ot
+350:AUE_PTHREADKILL:pthread_kill(2):pc
+351:AUE_PTHREADSIGMASK:pthread_sigmask(2):pc
+352:AUE_AUDITCTL:auditctl(2):ad
+353:AUE_RFORK:rfork(2):pc
+354:AUE_LCHMOD:lchmod(2):fm
+355:AUE_SWAPOFF:swapoff():ad
+356:AUE_INITPROCESS:init_process():pc
+357:AUE_MAPFD:map_fd():fa
+358:AUE_TASKFORPID:task_for_pid():pc
+359:AUE_PIDFORTASK:pid_for_task():pc
+360:AUE_SYSCTL_NONADMIN:sysctl() - non-admin:ot
+361:AUE_COPYFILE:copyfile():fr,fw
+362:AUE_LUTIMES:lutimes(2):fm
+363:AUE_LCHFLAGS:lchflags(2):fm
+364:AUE_SENDFILE:sendfile(2):nt
+365:AUE_USELIB:uselib(2):fa
+366:AUE_GETRESUID:getresuid(2):pc
+367:AUE_SETRESUID:setresuid(2):pc
+368:AUE_GETRESGID:getresgid(2):pc
+369:AUE_SETRESGID:setresgid(2):pc
+370:AUE_WAIT4:wait4(2):pc
+371:AUE_LGETFH:lgetfh(2):fa
+372:AUE_FHSTATFS:fhstatfs(2):fa
+373:AUE_FHOPEN:fhopen(2):fa
+374:AUE_FHSTAT:fhstat(2):fa
+375:AUE_JAIL:jail(2):pc
+376:AUE_EACCESS:eaccess(2):fa
+377:AUE_KQUEUE:kqueue(2):no
+378:AUE_KEVENT:kevent(2):no
+379:AUE_FSYNC:fsync(2):fm
+380:AUE_NMOUNT:nmount(2):ad
+6152:AUE_login:login - local:lo
+6153:AUE_logout:logout - local:lo
+6159:AUE_su:su(1):lo
+6160:AUE_halt:system halt:ad
+6168:AUE_shutdown:system shutdown:ad
+6171:AUE_audit_startup:audit startup:ad
+6172:AUE_audit_shutdown:audit shutdown:ad
+6207:AUE_create_user:create user:ad
+6208:AUE_modify_user:modify user:ad
+6209:AUE_delete_user:delete user:ad
+6210:AUE_disable_user:disable user:ad
+6211:AUE_enable_user::ad
+6300:AUE_sudo:sudo(1):ad
+6501:AUE_modify_password:modify password:ad
+6511:AUE_create_group:create group:ad
+6512:AUE_delete_group:delete group:ad
+6513:AUE_modify_group:modify group:ad
+6514:AUE_add_to_group:add to group:ad
+6515:AUE_remove_from_group:remove from group:ad
+6521:AUE_revoke_obj:revoke object priv:fm
+6600:AUE_lw_login:loginwindow login:lo
+6601:AUE_lw_logout:loginwindow logout:lo
+7000:AUE_auth_user:user authentication:ad
+7001:AUE_ssconn:SecSrvr connection setup:ad
+7002:AUE_ssauthorize:SecSrvr AuthEngine:ad
+7003:AUE_ssauthint:SecSrvr authinternal mech:ad
+32800:AUE_openssh:OpenSSH login:lo
diff --git a/contrib/openbsm/etc/audit_user b/contrib/openbsm/etc/audit_user
new file mode 100644
index 000000000000..925729c12c66
--- /dev/null
+++ b/contrib/openbsm/etc/audit_user
@@ -0,0 +1,5 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_user#2 $
+#
+root:lo:no
+audit:fc:no
diff --git a/contrib/openbsm/etc/audit_warn b/contrib/openbsm/etc/audit_warn
new file mode 100644
index 000000000000..3612fc9227e2
--- /dev/null
+++ b/contrib/openbsm/etc/audit_warn
@@ -0,0 +1,5 @@
+#!/bin/sh
+#
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_warn#3 $
+#
+logger -p security.warning "audit warning: $@"
diff --git a/contrib/openbsm/libbsm/Makefile b/contrib/openbsm/libbsm/Makefile
new file mode 100644
index 000000000000..4137f4a3da6b
--- /dev/null
+++ b/contrib/openbsm/libbsm/Makefile
@@ -0,0 +1,119 @@
+#
+# OpenBSM libbsm
+#
+# $P4: //depot/projects/trustedbsd/openbsm/libbsm/Makefile#11 $
+#
+
+LIB=		bsm
+SHLIB_MAJOR=	1
+
+CFLAGS+=-I-								\
+	-I ..								\
+	-Wall
+
+SRCS=	bsm_audit.c							\
+	bsm_class.c							\
+	bsm_control.c							\
+	bsm_event.c							\
+	bsm_flags.c							\
+	bsm_io.c							\
+	bsm_mask.c							\
+	bsm_notify.c							\
+	bsm_token.c							\
+	bsm_user.c							\
+	bsm_wrappers.c
+
+MAN=	libbsm.3							\
+	au_class.3							\
+	au_control.3							\
+	au_event.3							\
+	au_free_token.3							\
+	au_io.3								\
+	au_mask.3							\
+	au_token.3							\
+	au_user.3
+
+MLINKS=	libbsm.3 bsm.3							\
+	au_class.3 getauclassent.3					\
+	au_class.3 getauclassnam.3					\
+	au_class.3 setauclass.3						\
+	au_class.3 endauclass.3						\
+	au_control.3 setac.3						\
+	au_control.3 endac.3						\
+	au_control.3 getacdir.3						\
+	au_control.3 getacmin.3						\
+	au_control.3 getacflg.3						\
+	au_control.3 getacna.3						\
+	au_event.3 setauevent.3						\
+	au_event.3 endauevent.3						\
+	au_event.3 getauevent.3						\
+	au_event.3 getauevnam.3						\
+	au_event.3 getauevnum.3						\
+	au_event.3 getauevnonam.3					\
+	au_io.3	au_fetch_tok.3						\
+	au_io.3	au_print_tok.3						\
+	au_io.3	au_read_rec.3						\
+	au_mask.3 au_preselect.3					\
+	au_mask.3 getauditflagsbin.3					\
+	au_mask.3 getauditflagschar.3					\
+	au_user.3 setauuser.3						\
+	au_user.3 endauuser.3						\
+	au_user.3 getauuserent.3					\
+	au_user.3 getauusernam.3					\
+	au_user.3 au_user_mask.3					\
+	au_user.3 getfauditflags.3					\
+	au_token.3 au_to_arg32.3					\
+	au_token.3 au_to_arg64.3					\
+	au_token.3 au_to_arg.3						\
+	au_token.3 au_to_attr64.3					\
+	au_token.3 au_to_data.3						\
+	au_token.3 au_to_exit.3						\
+	au_token.3 au_to_groups.3					\
+	au_token.3 au_to_newgroups.3					\
+	au_token.3 au_to_in_addr.3					\
+	au_token.3 au_to_in_addr_ex.3					\
+	au_token.3 au_to_ip.3						\
+	au_token.3 au_to_ipc.3						\
+	au_token.3 au_to_ipc_perm.3					\
+	au_token.3 au_to_iport.3					\
+	au_token.3 au_to_opaque.3					\
+	au_token.3 au_to_file.3						\
+	au_token.3 au_to_text.3						\
+	au_token.3 au_to_path.3						\
+	au_token.3 au_to_process32.3					\
+	au_token.3 au_to_process64.3					\
+	au_token.3 au_to_process.3					\
+	au_token.3 au_to_process32_ex.3					\
+	au_token.3 au_to_process64_ex.3					\
+	au_token.3 au_to_process_ex.3					\
+	au_token.3 au_to_return32.3					\
+	au_token.3 au_to_return64.3					\
+	au_token.3 au_to_return.3					\
+	au_token.3 au_to_seq.3						\
+	au_token.3 au_to_socket.3					\
+	au_token.3 au_to_socket_ex_32.3					\
+	au_token.3 au_to_socket_ex_128.3				\
+	au_token.3 au_to_sock_inet32.3					\
+	au_token.3 au_to_sock_inet128.3					\
+	au_token.3 au_to_sock_inet.3					\
+	au_token.3 au_to_subject32.3					\
+	au_token.3 au_to_subject64.3					\
+	au_token.3 au_to_subject.3					\
+	au_token.3 au_to_subject32_ex.3					\
+	au_token.3 au_to_subject64_ex.3					\
+	au_token.3 au_to_subject_ex.3					\
+	au_token.3 au_to_me.3						\
+	au_token.3 au_to_exec_args.3					\
+	au_token.3 au_to_exec_env.3					\
+	au_token.3 au_to_header.3					\
+	au_token.3 au_to_header32.3					\
+	au_token.3 au_to_header64.3					\
+	au_token.3 au_to_trailer.3
+
+beforeinstall:
+	if test -d ${INCSDIR}; then					\
+	else								\
+		mkdir ${INCSDIR};					\
+	fi;
+
+.include <bsd.lib.mk>
diff --git a/contrib/openbsm/libbsm/au_class.3 b/contrib/openbsm/libbsm/au_class.3
new file mode 100644
index 000000000000..f1cd9e9637f3
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_class.3
@@ -0,0 +1,108 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_CLASS 3
+.Os
+.Sh NAME
+.Nm getauclassent ,
+.Nm getauclassent_r ,
+.Nm getauclassnam ,
+.Nm getauclassnam_r ,
+.Nm setauclass ,
+.Nm endauclass
+.Nd "Look up information from the audit_class database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft struct au_class_ent *
+.Fn getauclassent "void"
+.Ft struct au_class_ent *
+.Fn getauclassent_r "struct au_class_ent *e"
+.Ft struct au_class_ent *
+.Fn getauclassnam "const char *name"
+.Ft struct au_class_ent *
+.Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
+.Ft void
+.Fn setauclass "void"
+.Ft void
+.Fn endauclass "void"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_class 5
+database, which describes audit event classes.
+Audit event classes are described by
+.Vt struct au_class_ent .
+.Pp
+.Pp
+.Fn getauclassent
+will return the next class found in the
+.Xr audit_class 5
+database, or the first if the function has not yet been called.
+.Dv NULL
+will be returned if no further records are available.
+.Pp
+.Fn getauclassnam
+looks up a class by name.
+.Dv NULL
+will be returned if no matching class can be found.
+.Pp
+.Fn setauclass
+resets the iterator through the
+.Xr audit_class 5
+database, causing the next call to
+.Fn getauclassent
+to start again from the beginning of the file.
+.Pp
+.Fn endauclass
+closes the
+.Xr audit_class 5
+database, if open.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
new file mode 100644
index 000000000000..915c5211f2d1
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -0,0 +1,136 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_CONTROL 3
+.Os
+.Sh NAME
+.Nm setac ,
+.Nm endac ,
+.Nm getacdir ,
+.Nm getacmin ,
+.Nm getacflg ,
+.Nm getacna
+.Nd "Look up information from the audit_control database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setac "void"
+.Ft void
+.Fn endac "void"
+.Ft int
+.Fn getacdir "char *name" "int len"
+.Ft int
+.Fn getacmin "int *min_val"
+.Ft int
+.Fn getacflg "char *auditstr" "int len"
+.Ft int
+.Fn getacna "char *auditstr" "int len"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_control 5
+database, which contains various audit-related administrative parameters.
+.Pp
+.Fn setac
+resets the database iterator to the beginning of the database; see the
+BUGS section for more information.
+.Pp
+.Fn sendac
+closes the
+.Xr audit_control 5
+database.
+.Pp
+.Fn getacdir
+Return the name of the directory where log data is stored via the passed
+character buffer
+.Va name
+of length
+.Va len .
+.Pp
+.Fn getacmin
+returns the minimum free disk space for the audit log target file system via
+the passed
+.Va min_val
+variable.
+.Pp
+.Fn getacflg
+returns the audit system flags via the the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Pp
+.Fn getacna
+returns the non-attributable flags via the passed character buffer
+.Va auditstr
+of length
+.Va len .
+.Sh RETURN VALULES
+.Fn getacdir ,
+.Fn getacmin ,
+.Fn getacflg ,
+and
+.Fn getacna
+return 0 on success, or a negative value on failure, along with error
+information in
+.Va errno .
+Functions that return a string value will return a failure if there is
+insufficient room in the passed character buffer for the full string.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
+.Sh BUGS
+There is no reason for the
+.Fn setac
+interface to be exposed as part of the public API, as it is called implicitly
+by other access functions and iteration is not supported.
+.Pp
+These interfaces inconsistently return various negative values depending on
+the failure mode, and do not always set
+.Va errno
+on failure.
diff --git a/contrib/openbsm/libbsm/au_event.3 b/contrib/openbsm/libbsm/au_event.3
new file mode 100644
index 000000000000..bd021decc2eb
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_event.3
@@ -0,0 +1,153 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_EVENT 3
+.Os
+.Sh NAME
+.Nm free_au_event_ent ,
+.Nm setauevent ,
+.Nm endauevent ,
+.Nm getauevent ,
+.Nm getauevent_r ,
+.Nm getauevnam ,
+.Nm getauevnam_r ,
+.Nm getauevnum ,
+.Nm getauevnum_r ,
+.Nm getauevnonam ,
+.Nm getauevnonam_r ,
+.Nd "Look up information from the audit_event database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setauevent "void"
+.Ft void
+.Fn endauevent "void"
+.Ft "struct au_event_ent *"
+.Fn getauevent "void"
+.Ft "struct au_event_ent *"
+.Fn getauevent_r "struct au_event_ent *e"
+.Ft "struct au_event_ent *"
+.Fn getauevnam "char *name"
+.Ft "struct au_event_ent *"
+.Fn getauevnam_r "struct au_event_ent *e" "char *name"
+.Ft "struct au_event_ent *"
+.Fn getauevnum "au_event_t event_number"
+.Ft "struct au_event_ent *"
+.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
+.Ft "au_event_t *"
+.Fn getauevnonam "char *event_name"
+.Ft "au_event_t *"
+.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_event 5
+database, which describes audit events.
+Entries in the database are described by
+.Vt struct au_event_ent
+entries, which are returned by calls to
+.Fn getauevent ,
+.Fn getauevnam ,
+or
+.Fn getauevnum .
+It is also possible look up an event number via a call to
+.Nm getauevnonam .
+.Pp
+.Fn setauevent
+resets the database access session for
+.Xr audit_event 5 ,
+so that the next call to
+.Fn getauevent
+will start with the first entry in the database.
+.Pp
+.Fn endauevent
+closes the
+.Xr audit_event 5
+database session.
+.Pp
+.Fn getauevent
+returns a reference to the next entry in the
+.Xr audit_event 5
+database.
+.Pp
+.Fn getauevnam
+returns a reference to the entry in the
+.Xr audit_event 5
+database with a name of
+.Va name .
+.Pp
+.Fn getauevnum
+returns a reference to the entry in the
+.Xr audit_event 5
+database with an event number of
+.Va event_number .
+.Pp
+.Fn getauevnonam
+returns a reference to an audit event number using the
+.Xr audit_event 5
+database.
+.Sh RETURN VALUES
+Functions
+.Fn getauevent ,
+.Fn getauevent_r ,
+.Fn getauevnam ,
+.Fn getauevnam_r ,
+.Fn getauevnum ,
+.Fn getauevnum_r ,
+and
+.Fn getauevnuam
+will return a reference to a
+.Dt struct au_event_ent
+or
+.Dt au_event_t
+on success, or
+.Dv NULL on failure, with
+.Va errno
+set to provide further error information.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_event 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+is not always properly set following a failure.
+.Pp
+These routines are thread-safe, but not re-entrant, so simultaneous or
+interleaved use of these functions will affect the iterator.
diff --git a/contrib/openbsm/libbsm/au_free_token.3 b/contrib/openbsm/libbsm/au_free_token.3
new file mode 100644
index 000000000000..fc4ab0bde6c4
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_free_token.3
@@ -0,0 +1,91 @@
+.\"-
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_FREE_TOKEN 3
+.Os
+.Sh NAME
+.Nm au_free_token
+.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn au_free_tokenen "token_t *tok"
+.Sh DESCRIPTION
+The BSM API generally manages deallocation of
+.Vt token_t
+objects.
+However, if
+.Xr au_write 3
+is passed a bad audit descriptor, the
+.Vt token_t *
+parameter will be left untouched.
+In that case, the caller can deallocate the
+.Vt token_t
+using
+.Nm
+if desired.
+.Pp
+The
+.Va tok
+argument is a
+.Vt token_t *
+generated by one of the au_to_*() BSM API calls.
+For convenience,
+.Va tok
+may be
+.Dv NULL ,
+in which case
+.Nm
+returns immediately.
+.Sh IMPLEMENTATION NOTES
+This is, in fact, what
+.Xr audit_write 3
+does, in keeping with the existing memory management model of the BSM API.
+.Sh SEE ALSO
+.Xr au_write 3 ,
+.Xr audit_write 3 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+
diff --git a/contrib/openbsm/libbsm/au_io.3 b/contrib/openbsm/libbsm/au_io.3
new file mode 100644
index 000000000000..0c520a1f6eff
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_io.3
@@ -0,0 +1,119 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_IO 3
+.Os
+.Sh NAME
+.Nm au_fetch_tok ,
+.Nm au_print_tok ,
+.Nm au_read_rec
+.Nd "Perform I/O involving an audit record"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft int
+.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
+.Ft void
+.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Ft int
+.Fn au_read_rec "FILE *fp" "u_char **buf"
+.Sh DESCRIPTION
+These interfaces support input and output (I/O) involving audit records,
+internalizing an audit record from a byte stream, converting a token to
+either a raw or default string, and reading a single record from a file.
+.Pp
+.Fn au_fetch_tok
+reads a token from the passed buffer
+.Va buf
+of length
+.Va len
+bytes, and returns a pointer to the token via
+.Va tok .
+.Pp
+.Fn au_print_tok
+prints a string form of the token
+.Va tok
+to the file output stream
+.Va outfp,
+either in default mode, or raw mode if
+.Va raw
+is set non-zero.
+The delimiter
+.Va del
+is used when printing.
+.Pp
+.Fn au_read_rec
+reads an audit record from the file stream
+.Va fp ,
+and returns an allocated memory buffer containing the record via
+.Va *buf ,
+which must be freed by the caller using
+.Xr free 3 .
+.Pp
+A typical use of these routines might open a file with
+.Xr fopen 3 ,
+then read records from the file sequentially by calling
+.Fn au_read_rec .
+Each record would be broken down into components tokens through sequential
+calls to
+.Fn au_fetch_tok
+on the buffer, and then invoking
+.Fn au_print_tok
+to print each token to an output stream such as
+.Dv stdout .
+On completion of the processing of each record, a call to
+.Xr free 3
+would be used to free the record buffer.
+Finally, the source stream would be closed by a call to
+.Xr fclose 3 .
+.Sh RETURN VALUES
+.Fn au_fetch_tok
+and
+.Fn au_read_rec
+return 0 on success, or -1 on failure along with additional error information
+returned via
+.Va errno .
+.Sh SEE ALSO
+.Xr free 3 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+may not always be properly set in the event of an error.
diff --git a/contrib/openbsm/libbsm/au_mask.3 b/contrib/openbsm/libbsm/au_mask.3
new file mode 100644
index 000000000000..67bb187a8fae
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_mask.3
@@ -0,0 +1,140 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#2 $
+.\"
+.Dd April 19, 2005
+.Dt AU_MASK 3
+.Os
+.Sh NAME
+.Nm au_preselect ,
+.Nm getauditflagsbin ,
+.Nm getauditflagschar
+.Nd "Convert between string and numeric values of audit masks"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft int
+.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
+.Ft int
+.Fn getauditflagsbin "char *auditstr" "au_mask_t *masks"
+.Ft int
+.Fn getauditflagschar "char *auditstr" "au_mask_t *masks" "int verbose"
+.Sh DESCRIPTION
+These interfaces support processing of an audit mask represented by type
+.Vt au_mask_t ,
+including conversion between numeric and text formats, and computing whether
+or not an event is matched by a mask.
+.Pp
+.Fn au_preselect
+calculates whether or not the audit event passed via
+.Va event
+is matched by the audit mask passed via
+.Va au_mask_t .
+The
+.Va sorf
+argument indicates whether or not to consider the event as a success,
+if the
+.Dv AU_PRS_SUCCESS
+flag is set, or failure, if the
+.Dv AU_PRS_FAILURE
+flag is set.
+The
+.Va flag
+argument accepts additional arguments influencing the behavior of
+.Fn au_preselect ,
+including
+.Dv AU_PRS_REREAD ,
+which causes the event to be re-looked up rather than read from the cache,
+or
+.Dv AU_PRS_USECACHE
+which forces use of the cache.
+.Pp
+.Fn getauditflagsbin
+converts a string representation of an audit mask passed via a character
+string pointed to by
+.Va auditstr ,
+returning the resulting mask, if valid, via
+.Va *masks .
+.Pp
+.Fn getauditflagschar
+converts the audit event mask passed via
+.Va *masks
+and converts it to a character string in a buffer pointed to by
+.Va auditstr .
+See the BUGS section for more information on how to provide a buffer of
+sufficient size.
+If the
+.Va verbose
+flag is set, the class description string retrieved from
+.Xr audit_class 5
+will be used; otherwise, the two-character class name.
+.Sh RETURN VALUES
+.Fn au_preselect
+returns 0 on success, or returns -1 if there is a failure looking up the
+event type or other database access, in which case
+.Va errno
+will be set to indicate the error.
+It returns 1 if the event is matched; 0 if not.
+.Pp
+.Fn getauditflagsbin
+and
+.Fn getauditflagschar
+returns 0 on success, or -1 if there is a failure, in which case
+.Va errno
+will be set to indicate the error.
+.Sh IMPLEMENTATION NOTES
+.Fn au_preselect
+makes implicit use of various audit database routines, and may influence
+the behavior of simultaenous or interleaved processing of those databases by
+other code.
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+.Va errno
+may not always be properly set in the event of an error.
+.Pp
+.Fn getauditflagschar
+does not provide a way to indicate how long the character buffer is, in order
+to detect overflow.
+As a result, the caller must always provide a buffer of sufficient length for
+any possible mask, which may be calculated as three times the number of
+non-zero bits in the mask argument in the event non-verbose class names are
+used, and is not trivially predictable for verbose class names.
+This API should be replaced with a more robust one.
diff --git a/contrib/openbsm/libbsm/au_token.3 b/contrib/openbsm/libbsm/au_token.3
new file mode 100644
index 000000000000..dd0ce2762238
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_token.3
@@ -0,0 +1,209 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#4 $
+.\"
+.Dd April 19, 2005
+.Dt AU_TOKEN 3
+.Os
+.Sh NAME
+.Nm au_to_arg32 ,
+.Nm au_to_arg64 ,
+.Nm au_to_arg ,
+.Nm au_to_attr64 ,
+.Nm au_to_data ,
+.Nm au_to_exit ,
+.Nm au_to_groups ,
+.Nm au_to_newgroups ,
+.Nm au_to_in_addr ,
+.Nm au_to_in_addr_ex ,  
+.Nm au_to_ip ,
+.Nm au_to_ipc ,
+.Nm au_to_ipc_perm ,
+.Nm au_to_iport ,
+.Nm au_to_opaque ,
+.Nm au_to_file ,
+.Nm au_to_text ,
+.Nm au_to_path ,
+.Nm au_to_process32 ,
+.Nm au_to_process64 ,
+.Nm au_to_process ,
+.Nm au_to_process32_ex ,
+.Nm au_to_process64_ex ,
+.Nm au_to_process_ex ,
+.Nm au_to_return32 ,
+.Nm au_to_return64 ,
+.Nm au_to_return ,
+.Nm au_to_seq ,
+.Nm au_to_socket ,
+.Nm au_to_socket_ex_32 ,
+.Nm au_to_socket_ex_128 ,
+.Nm au_to_sock_inet32 ,
+.Nm au_to_sock_inet128 ,
+.Nm au_to_sock_inet ,
+.Nm au_to_subject32 ,
+.Nm au_to_subject64 ,
+.Nm au_to_subject ,
+.Nm au_to_subject32_ex ,
+.Nm au_to_subject64_ex ,
+.Nm au_to_subject_ex ,
+.Nm au_to_me ,
+.Nm au_to_exec_args ,
+.Nm au_to_exec_env ,
+.Nm au_to_header ,
+.Nm au_to_header32 ,
+.Nm au_to_header64 ,
+.Nm au_to_trailer .
+.Nd "Routines for generating BSM audit tokens"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft token_t *
+.Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
+.Ft token_t *
+.Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
+.Ft token_t *
+.Fn au_to_arg "char n" "char *text" "u_int32_t v"
+.Ft token_t *
+.Fn au_to_attr32 "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_attr64 "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_attr "struct vattr *attr"
+.Ft token_t *
+.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
+.Ft token_t *
+.Fn au_to_exit "int retval" "int err"
+.Ft token_t *
+.Fn au_to_groups "int *groups"
+.Ft token_t *
+.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
+.Ft token_t *
+.Fn au_to_in_addr "struct in_addr *internet_addr"
+.Ft token_t *
+.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
+.Ft token_t *
+.Fn au_to_ip "struct ip *ip"
+.Ft token_t *
+.Fn au_to_ipc "char type" "int id"
+.Ft token_t *
+.Fn au_to_ipc_perm "struct ipc_perm *perm"
+.Ft token_t *
+.Fn au_to_iport "u_int16_t iport"
+.Ft token_t *
+.Fn au_to_opaque "char *data" "u_int64_t bytes"
+.Ft token_t *
+.Fn au_to_file "char *file"
+.Ft token_t *
+.Fn au_to_file "char *file"
+.Ft token_t *
+.Fn au_to_text "char *text"
+.Ft token_t *
+.Fn au_to_path "char *text"
+.Ft token_t *
+.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_return32 "char status" "u_int32_t ret"
+.Ft token_t *
+.Fn au_to_return64 "char status" "u_int64_t ret"
+.Ft token_t *
+.Fn au_to_return "char status" "u_int32_t ret"
+.Ft token_t *
+.Fn au_to_seq "long audit_count"
+.Ft token_t *
+.Fn au_to_socket "struct socket *so"
+.Ft token_t *
+.Fn au_to_socket_ex_32 "struct socket *so"
+.Ft token_t *
+.Fn au_to_socket_ex_128 "struct socket *so"
+.Ft token_t *
+.Fn au_to_sock_inet32 "struct sockaddr_in *so"
+.Ft token_t *
+.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
+.Ft token_t *
+.Fn au_to_sock_int "struct sockaddr_in *so"
+.Ft token_t *
+.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft token_t *
+.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft token_t *
+.Fn au_to_me "void"
+.Ft token_t *
+.Fn au_to_exec_args "const char **args"
+.Ft token_t *
+.Fn au_to_exec_env "const char **env"
+.Ft token_t *
+.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
+.Ft token_t *
+.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
+.Ft token_t *
+.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
+.Ft token_t *
+.Fn au_to_trailer "int rec_size"
+.Sh DESCRIPTION
+These interfaces support the allocation of BSM audit tokens, represented by
+.Dt token_t ,
+for various data types.
+.Sh RETURN VALUES
+On sucess, a pointer to a
+.Vt token_t
+will be returned; the allocated
+.Vt token_t
+can be freed via a call to
+.Xr au_free_token 3 .
+On failure,
+.Dv NULL
+will be returned, and an error condition returned via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
diff --git a/contrib/openbsm/libbsm/au_user.3 b/contrib/openbsm/libbsm/au_user.3
new file mode 100644
index 000000000000..e71deae6c7e2
--- /dev/null
+++ b/contrib/openbsm/libbsm/au_user.3
@@ -0,0 +1,136 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt AU_USER 3
+.Os
+.Sh NAME
+.Nm setauuser ,
+.Nm endauuser ,
+.Nm getauuserent ,
+.Nm getauuserent_r ,
+.Nm getauusernam ,
+.Nm getauusernam_r ,
+.Nm au_user_mask ,
+.Nm getfauditflags
+.Nd "Look up information from the audit_user database"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Ft void
+.Fn setauuser "void"
+.Ft void
+.Fn endauuser "void"
+.Ft struct au_user_ent *
+.Fn getauuserent "void"
+.Ft struct au_user_ent *
+.Fn getauuserent_r "struct au_user_ent *u" "void"
+.Ft struct au_user_ent *
+.Fn getauusernam "const char *name"
+.Ft struct au_user_ent *
+.Fn getauusernam_r "struct au_user_ent *u" "const char *name"
+.Ft int
+.Fn au_user_mask "char *username" "au_mask_t *mask_p"
+.Ft int
+.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Sh DESCRIPTION
+These interfaces may be used to look up information from the
+.Xr audit_user 5
+database, which describes per-user audit configuration.
+Audit user entries are described by a
+.Vt au_user_ent ,
+which stores the user's name in
+.Dv au_name ,
+events to always audit in
+.Dv au_always ,
+and events never to audit
+.Dv au_never .
+.Pp
+.Fn getauuserent
+return the next user found in the
+.Xr audit_user 5
+database, or the first if the function has not yet been called.
+.Dv NULL
+will be returned if no further records are available.
+.Pp
+.Fn getauusernam
+looks up a user by name.
+.Dv NULL
+will be returned if no matching class can be found.
+.Pp
+.Fn setauuser
+resets the iterator through the
+.Xr audit_user 5
+database, causing the next call to
+.Fn getauuserent
+to start again from the beginning of the file.
+.Pp
+.Fn endauuser
+closes the
+.Xr audit_user 5
+database, if open.
+.Pp
+.Nm au_user_mask
+calculate a new session audit mask to be returned via
+.Dv mask_p
+for the user identified by
+.Dv username .
+If the user audit configuration is not found, the default system audit
+properties returned by
+.Xr getacflg 3 .
+The resulting mask may be set via a call to
+.Xr setaudit 3
+or related variants.
+.Pp
+.Nm getfauditflags
+XXXXXXXXXXXXXXXXX
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr getacflg 3 ,
+.Xr setaudit 3 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+These routines cannot currently distinguish between an entry not being found
+and an error accessing the database.
+The implementation should be changed to return an error via
+.Va errno
+when
+.Dv NULL
+is returned.
diff --git a/contrib/openbsm/libbsm/bsm_audit.c b/contrib/openbsm/libbsm/bsm_audit.c
new file mode 100644
index 000000000000..c4374cd64eb0
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_audit.c
@@ -0,0 +1,354 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_audit.c#18 $
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <bsm/audit_internal.h>
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* array of used descriptors */
+static au_record_t	*open_desc_table[MAX_AUDIT_RECORDS];
+
+/* The current number of active record descriptors */
+static int	bsm_rec_count = 0;
+
+/*
+ * Records that can be recycled are maintained in the list given below.  The
+ * maximum number of elements that can be present in this list is bounded by
+ * MAX_AUDIT_RECORDS.  Memory allocated for these records are never freed.
+ */
+static LIST_HEAD(, au_record)	bsm_free_q;
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * This call frees a token_t and its internal data.
+ */
+void
+au_free_token(token_t *tok)
+{
+
+	if (tok != NULL) {
+		if (tok->t_data)
+			free(tok->t_data);
+		free(tok);
+	}
+}
+
+/*
+ * This call reserves memory for the audit record.  Memory must be guaranteed
+ * before any auditable event can be generated.  The au_record_t structure
+ * maintains a reference to the memory allocated above and also the list of
+ * tokens associated with this record.  Descriptors are recyled once the
+ * records are added to the audit trail following au_close().
+ */
+int
+au_open(void)
+{
+	au_record_t *rec = NULL;
+
+	pthread_mutex_lock(&mutex);
+
+	if (bsm_rec_count == 0)
+		LIST_INIT(&bsm_free_q);
+
+	/*
+	 * Find an unused descriptor, remove it from the free list, mark as
+	 * used.
+	 */
+	if (!LIST_EMPTY(&bsm_free_q)) {
+		rec = LIST_FIRST(&bsm_free_q);
+		rec->used = 1;
+		LIST_REMOVE(rec, au_rec_q);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (rec == NULL) {
+		/*
+		 * Create a new au_record_t if no descriptors are available.
+		 */
+		rec = malloc (sizeof(au_record_t));
+		if (rec == NULL)
+			return (-1);
+
+		rec->data = malloc (MAX_AUDIT_RECORD_SIZE * sizeof(u_char));
+		if (rec->data == NULL) {
+			free(rec);
+			errno = ENOMEM;
+			return (-1);
+		}
+
+		pthread_mutex_lock(&mutex);
+
+		if (bsm_rec_count == MAX_AUDIT_RECORDS) {
+			pthread_mutex_unlock(&mutex);
+			free(rec->data);
+			free(rec);
+
+			/* XXX We need to increase size of MAX_AUDIT_RECORDS */
+			errno = ENOMEM;
+			return (-1);
+		}
+		rec->desc = bsm_rec_count;
+		open_desc_table[bsm_rec_count] = rec;
+		bsm_rec_count++;
+
+		pthread_mutex_unlock(&mutex);
+
+	}
+
+	memset(rec->data, 0, MAX_AUDIT_RECORD_SIZE);
+
+	TAILQ_INIT(&rec->token_q);
+	rec->len = 0;
+	rec->used = 1;
+
+	return (rec->desc);
+}
+
+/*
+ * Store the token with the record descriptor.
+ *
+ * Don't permit writing more to the buffer than would let the trailer be
+ * appended later.
+ */
+int
+au_write(int d, token_t *tok)
+{
+	au_record_t *rec;
+
+	if (tok == NULL) {
+		errno = EINVAL;
+		return (-1); /* Invalid Token */
+	}
+
+	/* Write the token to the record descriptor */
+	rec = open_desc_table[d];
+	if ((rec == NULL) || (rec->used == 0)) {
+		errno = EINVAL;
+		return (-1); /* Invalid descriptor */
+	}
+
+	if (rec->len + tok->len + BSM_TRAILER_SIZE > MAX_AUDIT_RECORD_SIZE) {
+		errno = ENOMEM;
+		return (-1);
+	}
+
+	/* Add the token to the tail */
+	/*
+	 * XXX Not locking here -- we should not be writing to
+	 * XXX the same descriptor from different threads
+	 */
+	TAILQ_INSERT_TAIL(&rec->token_q, tok, tokens);
+
+	rec->len += tok->len; /* grow record length by token size bytes */
+
+	/* Token should not be available after this call */
+	tok = NULL;
+	return (0); /* Success */
+}
+
+/*
+ * Assemble an audit record out of its tokens, including allocating header and
+ * trailer tokens.  Does not free the token chain, which must be done by the
+ * caller if desirable.
+ *
+ * XXX: Assumes there is sufficient space for the header and trailer.
+ */
+static int
+au_assemble(au_record_t *rec, short event)
+{
+	token_t *header, *tok, *trailer;
+	size_t tot_rec_size;
+	u_char *dptr;
+	int error;
+
+	tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+	header = au_to_header32(tot_rec_size, event, 0);
+	if (header == NULL)
+		return (-1);
+
+	trailer = au_to_trailer(tot_rec_size);
+	if (trailer == NULL) {
+		error = errno;
+		au_free_token(header);
+		errno = error;
+		return (-1);
+	}
+
+	TAILQ_INSERT_HEAD(&rec->token_q, header, tokens);
+	TAILQ_INSERT_TAIL(&rec->token_q, trailer, tokens);
+
+	rec->len = tot_rec_size;
+	dptr = rec->data;
+
+	TAILQ_FOREACH(tok, &rec->token_q, tokens) {
+		memcpy(dptr, tok->t_data, tok->len);
+		dptr += tok->len;
+	}
+
+	return (0);
+}
+
+/*
+ * Given a record that is no longer of interest, tear it down and convert to a
+ * free record.
+ */
+static void
+au_teardown(au_record_t *rec)
+{
+	token_t *tok;
+
+	/* Free the token list */
+	while ((tok = TAILQ_FIRST(&rec->token_q)) != NULL) {
+		TAILQ_REMOVE(&rec->token_q, tok, tokens);
+		free(tok->t_data);
+		free(tok);
+	}
+
+	rec->used = 0;
+	rec->len = 0;
+
+	pthread_mutex_lock(&mutex);
+
+	/* Add the record to the freelist tail */
+	LIST_INSERT_HEAD(&bsm_free_q, rec, au_rec_q);
+
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Add the header token, identify any missing tokens.  Write out the tokens to
+ * the record memory and finally, call audit.
+ */
+int au_close(int d, int keep, short event)
+{
+	au_record_t *rec;
+	size_t tot_rec_size;
+	int retval = 0;
+
+	rec = open_desc_table[d];
+	if ((rec == NULL) || (rec->used == 0)) {
+		errno = EINVAL;
+		return (-1); /* Invalid descriptor */
+	}
+
+	if (!keep) {
+		retval = 0;
+		goto cleanup;
+	}
+
+
+	tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+
+	if (tot_rec_size > MAX_AUDIT_RECORD_SIZE) {
+		/*
+		 * XXXRW: Since au_write() is supposed to prevent this, spew
+		 * an error here.
+		 */
+		fprintf(stderr, "au_close failed");
+		errno = ENOMEM;
+		retval = -1;
+		goto cleanup;
+	}
+
+	if (au_assemble(rec, event) < 0) {
+		/*
+		 * XXXRW: This is also not supposed to happen, but might if we
+		 * are unable to allocate header and trailer memory.
+		 */
+		retval = -1;
+		goto cleanup;
+	}
+
+	/* Call the kernel interface to audit */
+	retval = audit(rec->data, rec->len);
+
+cleanup:
+	/* CLEANUP */
+	au_teardown(rec);
+	return (retval);
+}
+
+/*
+ * au_close(), except onto an in-memory buffer.  Buffer size as an argument,
+ * record size returned via same argument on success.
+ */
+int
+au_close_buffer(int d, short event, u_char *buffer, size_t *buflen)
+{
+	size_t tot_rec_size;
+	au_record_t *rec;
+	int retval;
+
+	rec = open_desc_table[d];
+	if ((rec == NULL) || (rec->used == 0)) {
+		errno = EINVAL;
+		return (-1);
+	}
+
+	retval = 0;
+	tot_rec_size = rec->len + BSM_HEADER_SIZE + BSM_TRAILER_SIZE;
+	if ((tot_rec_size > MAX_AUDIT_RECORD_SIZE) ||
+	    (tot_rec_size > *buflen)) {
+		/*
+		 * XXXRW: See au_close() comment.
+		 */
+		fprintf(stderr, "au_close_buffer failed %zd", tot_rec_size);
+		errno = ENOMEM;
+		retval = -1;
+		goto cleanup;
+	}
+
+	if (au_assemble(rec, event) < 0) {
+		/* XXXRW: See au_close() comment. */
+		retval = -1;
+		goto cleanup;
+	}
+
+	memcpy(buffer, rec->data, rec->len);
+	*buflen = rec->len;
+
+cleanup:
+	au_teardown(rec);
+	return (retval);
+}
diff --git a/contrib/openbsm/libbsm/bsm_class.c b/contrib/openbsm/libbsm/bsm_class.c
new file mode 100644
index 000000000000..5982d7e7c177
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_class.c
@@ -0,0 +1,267 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_class.c#11 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_class file to return struct au_class_ent
+ * entries.
+ */
+static FILE		*fp = NULL;
+static char		 linestr[AU_LINE_MAX];
+static const char	*classdelim = ":";
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse a single line from the audit_class file passed in str to the struct
+ * au_class_ent elements; store the result in c.
+ */
+static struct au_class_ent *
+classfromstr(char *str, struct au_class_ent *c)
+{
+	char *classname, *classdesc, *classflag;
+	char *last;
+
+	/* Each line contains flag:name:desc. */
+	classflag = strtok_r(str, classdelim, &last);
+	classname = strtok_r(NULL, classdelim, &last);
+	classdesc = strtok_r(NULL, classdelim, &last);
+
+	if ((classflag == NULL) || (classname == NULL) || (classdesc == NULL))
+		return (NULL);
+
+	/*
+	 * Check for very large classnames.
+	 */
+	if (strlen(classname) >= AU_CLASS_NAME_MAX)
+		return (NULL);
+
+	strcpy(c->ac_name, classname);
+
+	/*
+	 * Check for very large class description.
+	 */
+	if (strlen(classdesc) >= AU_CLASS_DESC_MAX)
+		return (NULL);
+	strcpy(c->ac_desc, classdesc);
+	c->ac_class = strtoul(classflag, (char **) NULL, 0);
+
+	return (c);
+}
+
+/*
+ * Return the next au_class_ent structure from the file setauclass should be
+ * called before invoking this function for the first time.
+ *
+ * Must be called with mutex held.
+ */
+static struct au_class_ent *
+getauclassent_r_locked(struct au_class_ent *c)
+{
+	char *tokptr, *nl;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_CLASS_FILE, "r")) == NULL))
+		return (NULL);
+
+	/*
+	 * Read until next non-comment line is found, or EOF.
+	 */
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+			return (NULL);
+
+		/* Skip comments. */
+		if (linestr[0] == '#')
+			continue;
+
+		/* Remove trailing new line character. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		/* Parse tokptr to au_class_ent components. */
+		tokptr = linestr;
+		if (classfromstr(tokptr, c) == NULL)
+			return (NULL);
+		break;
+	}
+
+	return (c);
+}
+
+struct au_class_ent *
+getauclassent_r(struct au_class_ent *c)
+{
+	struct au_class_ent *cp;
+
+	pthread_mutex_lock(&mutex);
+	cp = getauclassent_r_locked(c);
+	pthread_mutex_unlock(&mutex);
+	return (cp);
+}
+
+struct au_class_ent *
+getauclassent(void)
+{
+	static char class_ent_name[AU_CLASS_NAME_MAX];
+	static char class_ent_desc[AU_CLASS_DESC_MAX];
+	static struct au_class_ent c, *cp;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	pthread_mutex_lock(&mutex);
+	cp = getauclassent_r_locked(&c);
+	pthread_mutex_unlock(&mutex);
+	return (cp);
+}
+
+/*
+ * Rewind to the beginning of the enumeration.
+ *
+ * Must be called with mutex held.
+ */
+static void
+setauclass_locked(void)
+{
+
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauclass(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	setauclass_locked();
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Return the next au_class_entry having the given class name.
+ */
+struct au_class_ent *
+getauclassnam_r(struct au_class_ent *c, const char *name)
+{
+	struct au_class_ent *cp;
+
+	if (name == NULL)
+		return (NULL);
+
+	pthread_mutex_lock(&mutex);
+	setauclass_locked();
+	while ((cp = getauclassent_r_locked(c)) != NULL) {
+		if (strcmp(name, cp->ac_name) == 0) {
+			pthread_mutex_unlock(&mutex);
+			return (cp);
+		}
+	}
+	pthread_mutex_unlock(&mutex);
+	return (NULL);
+}
+
+struct au_class_ent *
+getauclassnam(const char *name)
+{
+	static char class_ent_name[AU_CLASS_NAME_MAX];
+	static char class_ent_desc[AU_CLASS_DESC_MAX];
+	static struct au_class_ent c;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	return (getauclassnam_r(&c, name));
+}
+
+
+/*
+ * Return the next au_class_entry having the given class number.
+ *
+ * OpenBSM extension.
+ */
+struct au_class_ent *
+getauclassnum_r(struct au_class_ent *c, au_class_t class_number)
+{
+	struct au_class_ent *cp;
+
+	pthread_mutex_lock(&mutex);
+	setauclass_locked();
+	while ((cp = getauclassent_r_locked(c)) != NULL) {
+		if (class_number == cp->ac_class)
+			return (cp);
+	}
+	pthread_mutex_unlock(&mutex);
+	return (NULL);
+}
+
+struct au_class_ent *
+getauclassnum(au_class_t class_number)
+{
+	static char class_ent_name[AU_CLASS_NAME_MAX];
+	static char class_ent_desc[AU_CLASS_DESC_MAX];
+	static struct au_class_ent c;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	return (getauclassnum_r(&c, class_number));
+}
+
+/*
+ * audit_class processing is complete; close any open files.
+ */
+void
+endauclass(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
diff --git a/contrib/openbsm/libbsm/bsm_control.c b/contrib/openbsm/libbsm/bsm_control.c
new file mode 100644
index 000000000000..438082bca892
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_control.c
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_control.c#13 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_control file to return the audit control
+ * parameters.
+ */
+static FILE	*fp = NULL;
+static char	linestr[AU_LINE_MAX];
+static char	*delim = ":";
+
+static char	inacdir = 0;
+static char	ptrmoved = 0;
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Returns the string value corresponding to the given label from the
+ * configuration file.
+ *
+ * Must be called with mutex held.
+ */
+static int
+getstrfromtype_locked(char *name, char **str)
+{
+	char *type, *nl;
+	char *tokptr;
+	char *last;
+
+	*str = NULL;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_CONTROL_FILE, "r")) == NULL))
+		return (-1); /* Error */
+
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL) {
+			if (ferror(fp))
+				return (-1);
+			return (0);	/* EOF */
+		}
+
+		if (linestr[0] == '#')
+			continue;
+
+		/* Remove trailing new line character. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		tokptr = linestr;
+		if ((type = strtok_r(tokptr, delim, &last)) != NULL) {
+			if (strcmp(name, type) == 0) {
+				/* Found matching name. */
+				*str = strtok_r(NULL, delim, &last);
+				if (*str == NULL) {
+					errno = EINVAL;
+					return (-1); /* Parse error in file */
+				}
+				return (0); /* Success */
+			}
+		}
+	}
+}
+
+/*
+ * Rewind the file pointer to beginning.
+ */
+void
+setac(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	ptrmoved = 1;
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the audit_control file
+ */
+void
+endac(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	ptrmoved = 1;
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Return audit directory information from the audit control file.
+ */
+int
+getacdir(char *name, int len)
+{
+	char *dir;
+	int ret = 0;
+
+	if (name == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	/*
+	 * Check if another function was called between
+	 * successive calls to getacdir
+	 */
+	if (inacdir && ptrmoved) {
+		ptrmoved = 0;
+		if (fp != NULL)
+			fseek(fp, 0, SEEK_SET);
+		ret = 2;
+	}
+
+
+	if (getstrfromtype_locked(DIR_CONTROL_ENTRY, &dir) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (dir == NULL)
+		return (-1);
+
+	if (strlen(dir) >= len)
+		return (-3);
+
+	strcpy(name, dir);
+
+	return (ret);
+}
+
+/*
+ * Return the minimum free diskspace value from the audit control file
+ */
+int
+getacmin(int *min_val)
+{
+	char *min;
+
+	setac();
+
+	if (min_val == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	if (getstrfromtype_locked(MINFREE_CONTROL_ENTRY, &min) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (min == NULL)
+		return (1);
+
+	*min_val = atoi(min);
+
+	return (0);
+}
+
+/*
+ * Return the system audit value from the audit contol file.
+ */
+int
+getacflg(char *auditstr, int len)
+{
+	char *str;
+
+	setac();
+
+	if (auditstr == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	if (getstrfromtype_locked(FLAGS_CONTROL_ENTRY, &str) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+
+	pthread_mutex_unlock(&mutex);
+
+	if (str == NULL)
+		return (1);
+
+	if (strlen(str) >= len)
+		return (-3);
+
+	strcpy(auditstr, str);
+
+	return (0);
+}
+
+/*
+ * Return the non attributable flags from the audit contol file.
+ */
+int
+getacna(char *auditstr, int len)
+{
+	char *str;
+
+	setac();
+
+	if (auditstr == NULL) {
+		errno = EINVAL;
+		return (-2);
+	}
+
+	pthread_mutex_lock(&mutex);
+
+	if (getstrfromtype_locked(NA_CONTROL_ENTRY, &str) < 0) {
+		pthread_mutex_unlock(&mutex);
+		return (-2);
+	}
+	pthread_mutex_unlock(&mutex);
+
+	if (str == NULL)
+		return (1);
+
+	if (strlen(str) >= len)
+		return (-3);
+
+	strcpy(auditstr, str);
+
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_event.c b/contrib/openbsm/libbsm/bsm_event.c
new file mode 100644
index 000000000000..6e22e4c15b73
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_event.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_event.c#11 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_event file to return
+ * au_event_ent entries
+ */
+static FILE		*fp = NULL;
+static char		 linestr[AU_LINE_MAX];
+static const char	*eventdelim = ":";
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse one line from the audit_event file into the au_event_ent structure.
+ */
+static struct au_event_ent *
+eventfromstr(char *str, struct au_event_ent *e)
+{
+	char *evno, *evname, *evdesc, *evclass;
+	struct au_mask evmask;
+	char *last;
+
+	evno = strtok_r(str, eventdelim, &last);
+	evname = strtok_r(NULL, eventdelim, &last);
+	evdesc = strtok_r(NULL, eventdelim, &last);
+	evclass = strtok_r(NULL, eventdelim, &last);
+
+	if ((evno == NULL) || (evname == NULL) || (evdesc == NULL) ||
+	    (evclass == NULL))
+		return (NULL);
+
+	if (strlen(evname) >= AU_EVENT_NAME_MAX)
+		return (NULL);
+
+	strcpy(e->ae_name, evname);
+	if (strlen(evdesc) >= AU_EVENT_DESC_MAX)
+		return (NULL);
+	strcpy(e->ae_desc, evdesc);
+
+	e->ae_number = atoi(evno);
+
+	/*
+	 * Find out the mask that corresponds to the given list of classes.
+	 */
+	if (getauditflagsbin(evclass, &evmask) != 0)
+		e->ae_class = AU_NULL;
+	else
+		e->ae_class = evmask.am_success;
+
+	return (e);
+}
+
+/*
+ * Rewind the audit_event file.
+ */
+static void
+setauevent_locked(void)
+{
+
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauevent(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	setauevent_locked();
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the open file pointers.
+ */
+void
+endauevent(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Enumerate the au_event_ent entries.
+ */
+static struct au_event_ent *
+getauevent_r_locked(struct au_event_ent *e)
+{
+	char *nl;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+			return (NULL);
+
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		/* Skip comments. */
+		if (linestr[0] == '#')
+			continue;
+
+		/* Get the next event structure. */
+		if (eventfromstr(linestr, e) == NULL)
+			return (NULL);
+		break;
+	}
+
+	return (e);
+}
+
+struct au_event_ent *
+getauevent_r(struct au_event_ent *e)
+{
+	struct au_event_ent *ep;
+
+	pthread_mutex_lock(&mutex);
+	ep = getauevent_r_locked(e);
+	pthread_mutex_unlock(&mutex);
+	return (ep);
+}
+
+struct au_event_ent *
+getauevent(void)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+	return (getauevent_r(&e));
+}
+
+/*
+ * Search for an audit event structure having the given event name.
+ *
+ * XXXRW: Why accept NULL name?
+ */
+static struct au_event_ent *
+getauevnam_r_locked(struct au_event_ent *e, const char *name)
+{
+	char *nl;
+
+	if (name == NULL)
+		return (NULL);
+
+	/* Rewind to beginning of the file. */
+	setauevent_locked();
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		if (eventfromstr(linestr, e) != NULL) {
+			if (strcmp(name, e->ae_name) == 0)
+				return (e);
+		}
+	}
+
+	return (NULL);
+}
+
+struct au_event_ent *
+getauevnam_r(struct au_event_ent *e, const char *name)
+{
+	struct au_event_ent *ep;
+
+	pthread_mutex_lock(&mutex);
+	ep = getauevnam_r_locked(e, name);
+	pthread_mutex_unlock(&mutex);
+	return (ep);
+}
+
+struct au_event_ent *
+getauevnam(const char *name)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+	return (getauevnam_r(&e, name));
+}
+
+/*
+ * Search for an audit event structure having the given event number.
+ */
+static struct au_event_ent *
+getauevnum_r_locked(struct au_event_ent *e, au_event_t event_number)
+{
+	char *nl;
+
+	/* Rewind to beginning of the file. */
+	setauevent_locked();
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_EVENT_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (fgets(linestr, AU_LINE_MAX, fp) != NULL) {
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		if (eventfromstr(linestr, e) != NULL) {
+			if (event_number == e->ae_number)
+				return (e);
+		}
+	}
+
+	return (NULL);
+}
+
+struct au_event_ent *
+getauevnum_r(struct au_event_ent *e, au_event_t event_number)
+{
+	struct au_event_ent *ep;
+
+	pthread_mutex_lock(&mutex);
+	ep = getauevnum_r_locked(e, event_number);
+	pthread_mutex_unlock(&mutex);
+	return (ep);
+}
+
+struct au_event_ent *
+getauevnum(au_event_t event_number)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+	return (getauevnum_r(&e, event_number));
+}
+
+/*
+ * Search for an audit_event entry with a given event_name and returns the
+ * corresponding event number.
+ */
+au_event_t *
+getauevnonam_r(au_event_t *ev, const char *event_name)
+{
+	static char event_ent_name[AU_EVENT_NAME_MAX];
+	static char event_ent_desc[AU_EVENT_DESC_MAX];
+	static struct au_event_ent e, *ep;
+
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	bzero(&e, sizeof(e));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+
+	ep = getauevnam_r(&e, event_name);
+	if (ep == NULL)
+		return (NULL);
+
+	*ev = e.ae_number;
+	return (ev);
+}
+
+au_event_t *
+getauevnonam(const char *event_name)
+{
+	static au_event_t event;
+
+	return (getauevnonam_r(&event, event_name));
+}
diff --git a/contrib/openbsm/libbsm/bsm_flags.c b/contrib/openbsm/libbsm/bsm_flags.c
new file mode 100644
index 000000000000..e514c86080f4
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_flags.c
@@ -0,0 +1,176 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_flags.c#13 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+
+static const char	*flagdelim = ",";
+
+/*
+ * Convert the character representation of audit values into the au_mask_t
+ * field.
+ */
+int
+getauditflagsbin(char *auditstr, au_mask_t *masks)
+{
+	char class_ent_name[AU_CLASS_NAME_MAX];
+	char class_ent_desc[AU_CLASS_DESC_MAX];
+	struct au_class_ent c;
+	char *tok;
+	char sel, sub;
+	char *last;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	masks->am_success = 0;
+	masks->am_failure = 0;
+
+	tok = strtok_r(auditstr, flagdelim, &last);
+	while (tok != NULL) {
+		/* Check for the events that should not be audited. */
+		if (tok[0] == '^') {
+			sub = 1;
+			tok++;
+		} else
+			sub = 0;
+
+		/* Check for the events to be audited for success. */
+		if (tok[0] == '+') {
+			sel = AU_PRS_SUCCESS;
+			tok++;
+		} else if (tok[0] == '-') {
+			sel = AU_PRS_FAILURE;
+			tok++;
+		} else
+			sel = AU_PRS_BOTH;
+
+		if ((getauclassnam_r(&c, tok)) != NULL) {
+			if (sub)
+				SUB_FROM_MASK(masks, c.ac_class, sel);
+			else
+				ADD_TO_MASK(masks, c.ac_class, sel);
+		} else {
+			errno = EINVAL;
+			return (-1);
+		}
+
+		/* Get the next class. */
+		tok = strtok_r(NULL, flagdelim, &last);
+	}
+	return (0);
+}
+
+/*
+ * Convert the au_mask_t fields into a string value.  If verbose is non-zero
+ * the long flag names are used else the short (2-character)flag names are
+ * used.
+ *
+ * XXXRW: If bits are specified that are not matched by any class, they are
+ * omitted rather than rejected with EINVAL.
+ *
+ * XXXRW: This is not thread-safe as it relies on atomicity between
+ * setauclass() and sequential calls to getauclassent().  This could be
+ * fixed by iterating through the bitmask fields rather than iterating
+ * through the classes.
+ */
+int
+getauditflagschar(char *auditstr, au_mask_t *masks, int verbose)
+{
+	char class_ent_name[AU_CLASS_NAME_MAX];
+	char class_ent_desc[AU_CLASS_DESC_MAX];
+	struct au_class_ent c;
+	char *strptr = auditstr;
+	u_char sel;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	/*
+	 * Enumerate the class entries, check if each is selected in either
+	 * the success or failure masks.
+	 */
+	setauclass();
+	while ((getauclassent_r(&c)) != NULL) {
+		sel = 0;
+
+		/* Dont do anything for class = no. */
+		if (c.ac_class == 0)
+			continue;
+
+		sel |= ((c.ac_class & masks->am_success) == c.ac_class) ?
+		    AU_PRS_SUCCESS : 0;
+		sel |= ((c.ac_class & masks->am_failure) == c.ac_class) ?
+		    AU_PRS_FAILURE : 0;
+
+		/*
+		 * No prefix should be attached if both success and failure
+		 * are selected.
+		 */
+		if ((sel & AU_PRS_BOTH) == 0) {
+			if ((sel & AU_PRS_SUCCESS) != 0) {
+				*strptr = '+';
+				strptr = strptr + 1;
+			} else if ((sel & AU_PRS_FAILURE) != 0) {
+				*strptr = '-';
+				strptr = strptr + 1;
+			}
+		}
+
+		if (sel != 0) {
+			if (verbose) {
+				strcpy(strptr, c.ac_desc);
+				strptr += strlen(c.ac_desc);
+			} else {
+				strcpy(strptr, c.ac_name);
+				strptr += strlen(c.ac_name);
+			}
+			*strptr = ','; /* delimiter */
+			strptr = strptr + 1;
+		}
+	}
+
+	/* Overwrite the last delimiter with the string terminator. */
+	if (strptr != auditstr)
+		*(strptr-1) = '\0';
+
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c
new file mode 100644
index 000000000000..bfdd366a994c
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_io.c
@@ -0,0 +1,2831 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#29 $
+ */
+
+#include <sys/types.h>
+#ifdef __APPLE__
+#include <compat/endian.h>
+#else /* !__APPLE__ */
+#include <sys/endian.h>
+#endif /* __APPLE__*/
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include <bsm/libbsm.h>
+
+#include <unistd.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <time.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <bsm/audit_internal.h>
+
+#define	READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do {	\
+	if (bytesread + size > len) {					\
+		err = 1;						\
+	} else {							\
+		memcpy(dest, buf + bytesread, size);			\
+		bytesread += size;					\
+	}								\
+} while (0)
+
+#define	READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_char) <= len) {			\
+		dest = buf[bytesread];					\
+		bytesread += sizeof(u_char);				\
+	} else								\
+		err = 1;						\
+} while (0)
+
+#define	READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_int16_t) <= len) {			\
+		dest = be16dec(buf + bytesread);			\
+		bytesread += sizeof(u_int16_t);				\
+	} else								\
+		err = 1;						\
+} while (0)
+
+#define	READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_int32_t) <= len) {			\
+		dest = be32dec(buf + bytesread);			\
+		bytesread += sizeof(u_int32_t);				\
+	} else								\
+		err = 1; 						\
+} while (0)
+
+#define	READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do {		\
+	if (bytesread + sizeof(u_int64_t) <= len) {			\
+		dest = be64dec(buf + bytesread);			\
+		bytesread += sizeof(u_int64_t);				\
+	} else								\
+		err = 1; 						\
+} while (0)
+
+#define	SET_PTR(buf, len, ptr, size, bytesread, err) do {		\
+	if ((bytesread) + (size) > (len))				\
+		(err) = 1;						\
+	else {								\
+		(ptr) = (buf) + (bytesread);				\
+		(bytesread) += (size);					\
+	}								\
+} while (0)
+
+/*
+ * Prints the delimiter string.
+ */
+static void
+print_delim(FILE *fp, const char *del)
+{
+
+	fprintf(fp, "%s", del);
+}
+
+/*
+ * Prints a single byte in the given format.
+ */
+static void
+print_1_byte(FILE *fp, u_char val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Print 2 bytes in the given format.
+ */
+static void
+print_2_bytes(FILE *fp, u_int16_t val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Prints 4 bytes in the given format.
+ */
+static void
+print_4_bytes(FILE *fp, u_int32_t val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Prints 8 bytes in the given format.
+ */
+static void
+print_8_bytes(FILE *fp, u_int64_t val, const char *format)
+{
+
+	fprintf(fp, format, val);
+}
+
+/*
+ * Prints the given size of data bytes in hex.
+ */
+static void
+print_mem(FILE *fp, u_char *data, size_t len)
+{
+	int i;
+
+	if (len > 0) {
+		fprintf(fp, "0x");
+		for (i = 0; i < len; i++)
+			fprintf(fp, "%x", data[i]);
+	}
+}
+
+/*
+ * Prints the given data bytes as a string.
+ */
+static void
+print_string(FILE *fp, u_char *str, size_t len)
+{
+	int i;
+
+	if (len > 0) {
+		for (i = 0; i < len; i++) {
+			if (str[i] != '\0')
+				fprintf(fp, "%c", str[i]);
+		}
+	}
+}
+
+/*
+ * Prints the token type in either the raw or the default form.
+ */
+static void
+print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
+{
+
+	if (raw)
+		fprintf(fp, "%u", type);
+	else
+		fprintf(fp, "%s", tokname);
+}
+
+/*
+ * Prints a user value.
+ */
+static void
+print_user(FILE *fp, u_int32_t usr, char raw)
+{
+	struct passwd *pwent;
+
+	if (raw)
+		fprintf(fp, "%d", usr);
+	else {
+		pwent = getpwuid(usr);
+		if (pwent != NULL)
+			fprintf(fp, "%s", pwent->pw_name);
+		else
+			fprintf(fp, "%d", usr);
+	}
+}
+
+/*
+ * Prints a group value.
+ */
+static void
+print_group(FILE *fp, u_int32_t grp, char raw)
+{
+	struct group *grpent;
+
+	if (raw)
+		fprintf(fp, "%d", grp);
+	else {
+		grpent = getgrgid(grp);
+		if (grpent != NULL)
+			fprintf(fp, "%s", grpent->gr_name);
+		else
+			fprintf(fp, "%d", grp);
+	}
+}
+
+/*
+ * Prints the event from the header token in either the short, default or raw
+ * form.
+ */
+static void
+print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
+{
+	char event_ent_name[AU_EVENT_NAME_MAX];
+	char event_ent_desc[AU_EVENT_DESC_MAX];
+	struct au_event_ent e, *ep;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+
+	ep = getauevnum_r(&e, ev);
+	if (ep == NULL) {
+		fprintf(fp, "%u", ev);
+		return;
+	}
+
+	if (raw)
+		fprintf(fp, "%u", ev);
+	else if (sfrm)
+		fprintf(fp, "%s", e.ae_name);
+	else
+		fprintf(fp, "%s", e.ae_desc);
+}
+
+
+/*
+ * Prints the event modifier from the header token in either the default or
+ * raw form.
+ */
+static void
+print_evmod(FILE *fp, u_int16_t evmod, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", evmod);
+	else
+		fprintf(fp, "%u", evmod);
+}
+
+/*
+ * Prints seconds in the ctime format.
+ */
+static void
+print_sec32(FILE *fp, u_int32_t sec, char raw)
+{
+	time_t timestamp;
+	char timestr[26];
+
+	if (raw)
+		fprintf(fp, "%u", sec);
+	else {
+		timestamp = (time_t)sec;
+		ctime_r(&timestamp, timestr);
+		timestr[24] = '\0'; /* No new line */
+		fprintf(fp, "%s", timestr);
+	}
+}
+
+/*
+ * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
+ * assume a 32-bit time_t, we simply truncate for now.
+ */
+static void
+print_sec64(FILE *fp, u_int64_t sec, char raw)
+{
+	time_t timestamp;
+	char timestr[26];
+
+	if (raw)
+		fprintf(fp, "%u", (u_int32_t)sec);
+	else {
+		timestamp = (time_t)sec;
+		ctime_r(&timestamp, timestr);
+		timestr[24] = '\0'; /* No new line */
+		fprintf(fp, "%s", timestr);
+	}
+}
+
+/*
+ * Prints the excess milliseconds.
+ */
+static void
+print_msec32(FILE *fp, u_int32_t msec, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", msec);
+	else
+		fprintf(fp, " + %u msec", msec);
+}
+
+/*
+ * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
+ * a 32-bit msec, we simply truncate for now.
+ */
+static void
+print_msec64(FILE *fp, u_int64_t msec, char raw)
+{
+
+	msec &= 0xffffffff;
+	if (raw)
+		fprintf(fp, "%u", (u_int32_t)msec);
+	else
+		fprintf(fp, " + %u msec", (u_int32_t)msec);
+}
+
+/*
+ * Prints a dotted form for the IP address.
+ */
+static void
+print_ip_address(FILE *fp, u_int32_t ip)
+{
+	struct in_addr ipaddr;
+
+	ipaddr.s_addr = ip;
+	fprintf(fp, "%s", inet_ntoa(ipaddr));
+}
+
+/* 
+ * Prints a string value for the given ip address.
+ */
+static void
+print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
+{
+	struct in_addr ipv4;
+	struct in6_addr ipv6;
+	char dst[INET6_ADDRSTRLEN];
+
+	switch (type) {
+	case AU_IPv4:
+		ipv4.s_addr = (in_addr_t)(ipaddr[0]);
+		fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
+		    INET6_ADDRSTRLEN));
+		break;
+
+	case AU_IPv6:
+		ipv6.__u6_addr.__u6_addr32[0] = ipaddr[0];
+		ipv6.__u6_addr.__u6_addr32[1] = ipaddr[1];
+		ipv6.__u6_addr.__u6_addr32[2] = ipaddr[2];
+		ipv6.__u6_addr.__u6_addr32[3] = ipaddr[3];
+		fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
+		    INET6_ADDRSTRLEN));
+		break;
+
+	default:
+		fprintf(fp, "invalid");
+	}
+}
+
+/*
+ * Prints return value as success or failure.
+ */
+static void
+print_retval(FILE *fp, u_char status, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", status);
+	else {
+		if (status == 0)
+			fprintf(fp, "success");
+		else
+			fprintf(fp, "failure : %s", strerror(status));
+	}
+}
+
+/*
+ * Prints the exit value.
+ */
+static void
+print_errval(FILE *fp, u_int32_t val)
+{
+
+	fprintf(fp, "Error %u", val);
+}
+
+/*
+ * Prints IPC type.
+ */
+static void
+print_ipctype(FILE *fp, u_char type, char raw)
+{
+	if (raw)
+		fprintf(fp, "%u", type);
+	else {
+		if (type == AT_IPC_MSG)
+			fprintf(fp, "Message IPC");
+		else if (type == AT_IPC_SEM)
+			fprintf(fp, "Semaphore IPC");
+		else if (type == AT_IPC_SHM)
+			fprintf(fp, "Shared Memory IPC");
+		else
+			fprintf(fp, "%u", type);
+	}
+}
+
+/*
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+static int
+fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr32.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr32.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+	print_delim(fp, del);
+	print_sec32(fp, tok->tt.hdr32.s, raw);
+	print_delim(fp, del);
+	print_msec32(fp, tok->tt.hdr32.ms, raw);
+}
+
+/*
+ * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
+ * depending on the bit of the specifications found.  The OpenSolaris source
+ * code uses a 4-byte address length, followed by some number of bytes of
+ * address data.  This contrasts with the Solaris audit.log.5 man page, which
+ * specifies a 1-byte length field.  We use the Solaris 10 definition so that
+ * we can parse audit trails from that system.
+ *
+ * record byte count       4 bytes
+ * version #               1 byte     [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     4 bytes
+ *   [ Solaris man page: address type/length     1 byte]
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes  (32/64-bits)
+ * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
+ */
+static int
+fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
+	switch (tok->tt.hdr32_ex.ad_type) {
+	case AU_IPv4:
+		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
+		    sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+		break;
+
+	case AU_IPv6:
+		READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
+		    sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
+		break;
+	}
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header_ex", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+	    tok->tt.hdr32_ex.addr);
+	print_delim(fp, del);
+	print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+	print_delim(fp, del);
+	print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+}
+
+/*
+ * record byte count       4 bytes
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ * version #              
+ */
+static int
+fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr64.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr64.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+	print_delim(fp, del);
+	print_sec64(fp, tok->tt.hdr64.s, raw);
+	print_delim(fp, del);
+	print_msec64(fp, tok->tt.hdr64.ms, raw);
+}
+/*
+ * record byte count       4 bytes
+ * version #               1 byte     [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     4 bytes
+ *   [ Solaris man page: address type/length     1 byte]
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes  (32/64-bits)
+ * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
+ *
+ * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
+ * accuracy of the BSM spec.
+ */
+static int
+fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
+	if (err)
+		return (-1);
+
+	bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
+	switch (tok->tt.hdr64_ex.ad_type) {
+	case AU_IPv4:
+		READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
+		    sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+		break;
+
+	case AU_IPv6:
+		READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
+		    sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
+		break;
+	}
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "header_ex", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+	print_delim(fp, del);
+	print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+	print_delim(fp, del);
+	print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+	    tok->tt.hdr64_ex.addr);
+	print_delim(fp, del);
+	print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+	print_delim(fp, del);
+	print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+}
+
+/*
+ * trailer magic                        2 bytes
+ * record size                          4 bytes
+ */
+static int
+fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "trailer", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.trail.count, "%u");
+}
+
+/*
+ * argument #              1 byte
+ * argument value          4 bytes/8 bytes (32-bit/64-bit value)
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+static int
+fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "argument", raw);
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.arg32.no, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.arg32.val, "%#x");
+	print_delim(fp, del);
+	print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+}
+
+static int
+fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "argument", raw);
+	print_delim(fp, del);
+	print_1_byte(fp, tok->tt.arg64.no, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.arg64.val, "%#llx");
+	print_delim(fp, del);
+	print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+}
+
+/*
+ * how to print            1 byte
+ * basic unit              1 byte
+ * unit count              1 byte
+ * data items              (depends on basic unit)
+ */
+static int
+fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int datasize;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
+	if (err)
+		return (-1);
+
+	/*
+	 * Determine the size of the basic unit.
+	 */
+	switch(tok->tt.arb.bu) {
+	case AUR_BYTE:
+		datasize = AUR_BYTE_SIZE;
+		break;
+
+	case AUR_SHORT:
+		datasize = AUR_SHORT_SIZE;
+		break;
+
+	case AUR_LONG:
+		datasize = AUR_LONG_SIZE;
+		break;
+
+	default:
+		return (-1);
+	}
+
+	SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
+	    tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	char *str;
+	char *format;
+	size_t size;
+	int i;
+
+	print_tok_type(fp, tok->id, "arbitrary", raw);
+	print_delim(fp, del);
+
+	switch(tok->tt.arb.howtopr) {
+	case AUP_BINARY:
+		str = "binary";
+		format = " %c";
+		break;
+
+	case AUP_OCTAL:
+		str = "octal";
+		format = " %o";
+		break;
+
+	case AUP_DECIMAL:
+		str = "decimal";
+		format = " %d";
+		break;
+
+	case AUP_HEX:
+		str = "hex";
+		format = " %x";
+		break;
+
+	case AUP_STRING:
+		str = "string";
+		format = "%c";
+		break;
+
+	default:
+		return;
+	}
+
+	print_string(fp, str, strlen(str));
+	print_delim(fp, del);
+	switch(tok->tt.arb.bu) {
+	case AUR_BYTE:
+		str = "byte";
+		size = AUR_BYTE_SIZE;
+		print_string(fp, str, strlen(str));
+		print_delim(fp, del);
+		print_1_byte(fp, tok->tt.arb.uc, "%u");
+		print_delim(fp, del);
+		for (i = 0; i<tok->tt.arb.uc; i++)
+			fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
+		break;
+
+	case AUR_SHORT:
+		str = "short";
+		size = AUR_SHORT_SIZE;
+		print_string(fp, str, strlen(str));
+		print_delim(fp, del);
+		print_1_byte(fp, tok->tt.arb.uc, "%u");
+		print_delim(fp, del);
+		for (i = 0; i<tok->tt.arb.uc; i++)
+			fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
+			    (size * i))));
+		break;
+
+	case AUR_LONG:
+		str = "int";
+		size = AUR_LONG_SIZE;
+		print_string(fp, str, strlen(str));
+		print_delim(fp, del);
+		print_1_byte(fp, tok->tt.arb.uc, "%u");
+		print_delim(fp, del);
+		for (i = 0; i<tok->tt.arb.uc; i++)
+			fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
+			    (size * i))));
+		break;
+
+	default:
+		return;
+	}
+}
+
+/*
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+static int
+fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "attribute", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+	print_delim(fp, del);
+	print_user(fp, tok->tt.attr32.uid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.attr32.gid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+}
+
+/*
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+static int
+fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "attribute", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+	print_delim(fp, del);
+	print_user(fp, tok->tt.attr64.uid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.attr64.gid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+}
+
+/*
+ * status                  4 bytes
+ * return value            4 bytes
+ */
+static int
+fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "exit", raw);
+	print_delim(fp, del);
+	print_errval(fp, tok->tt.exit.status);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.exit.ret, "%u");
+}
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+static int
+fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int i;
+	char *bptr;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
+	if (err)
+		return (-1);
+
+	for (i = 0; i < tok->tt.execarg.count; i++) {
+		bptr = buf + tok->len;
+		tok->tt.execarg.text[i] = bptr;
+
+		/* Look for a null terminated string. */
+		while (bptr && (*bptr != '\0')) {
+			if (++tok->len >=len)
+				return (-1);
+			bptr = buf + tok->len;
+		}
+		if (!bptr)
+			return (-1);
+		tok->len++; /* \0 character */
+	}
+
+	return (0);
+}
+
+static void
+print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	int i;
+
+	print_tok_type(fp, tok->id, "exec arg", raw);
+	for (i = 0; i < tok->tt.execarg.count; i++) {
+		print_delim(fp, del);
+		print_string(fp, tok->tt.execarg.text[i],
+		    strlen(tok->tt.execarg.text[i]));
+	}
+}
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+static int
+fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int i;
+	char *bptr;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
+	if (err)
+		return (-1);
+
+	for (i = 0; i< tok->tt.execenv.count; i++) {
+		bptr = buf + tok->len;
+		tok->tt.execenv.text[i] = bptr;
+
+		/* Look for a null terminated string. */
+		while (bptr && (*bptr != '\0')) {
+			if (++tok->len >=len)
+				return (-1);
+			bptr = buf + tok->len;
+		}
+		if (!bptr)
+			return (-1);
+		tok->len++; /* \0 character */
+	}
+
+	return (0);
+}
+
+static void
+print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	int i;
+
+	print_tok_type(fp, tok->id, "exec arg", raw);
+	for (i = 0; i< tok->tt.execenv.count; i++) {
+		print_delim(fp, del);
+		print_string(fp, tok->tt.execenv.text[i],
+		    strlen(tok->tt.execenv.text[i]));
+	}
+}
+
+/*
+ * seconds of time          4 bytes
+ * milliseconds of time     4 bytes
+ * file name len            2 bytes
+ * file pathname            N bytes + 1 terminating NULL byte
+ */
+static int
+fetch_file_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "file", raw);
+	print_delim(fp, del);
+	print_sec32(fp, tok->tt.file.s, raw);
+	print_delim(fp, del);
+	print_msec32(fp, tok->tt.file.ms, raw);
+	print_delim(fp, del);
+	print_string(fp, tok->tt.file.name, tok->tt.file.len);
+}
+
+/*
+ * number groups           2 bytes
+ * group list              count * 4 bytes
+ */
+static int
+fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int i;
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
+	if (err)
+		return (-1);
+
+	for (i = 0; i<tok->tt.grps.no; i++) {
+		READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
+		    err);
+    		if (err)
+    			return (-1);
+	}
+
+	return (0);
+}
+
+static void
+print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+	int i;
+
+	print_tok_type(fp, tok->id, "group", raw);
+	for (i = 0; i < tok->tt.grps.no; i++) {
+		print_delim(fp, del);
+		print_group(fp, tok->tt.grps.list[i], raw);
+	}
+}
+
+/*
+ * Internet addr 4 bytes
+ */
+static int
+fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr.addr, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+
+}
+
+static void
+print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip addr", raw);
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.inaddr.addr);
+}
+
+/*
+ * type 	4 bytes
+ * address 16 bytes
+ */
+static int
+fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
+	if (err)
+		return (-1);
+
+	if (tok->tt.inaddr_ex.type == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
+		    sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else if (tok->tt.inaddr_ex.type == AU_IPv6) {
+		READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
+		    sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
+		if (err)
+			return (-1);
+	} else
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip addr ex", raw);
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+	    tok->tt.inaddr_ex.addr);
+}
+
+/*
+ * ip header     20 bytes
+ */
+static int
+fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.id, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.offset, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.ip.chksm, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
+	    tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
+	    tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip", raw);
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.len, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.id, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.offset, "%u");
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+	print_delim(fp, del);
+	print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.ip.chksm, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.ip.src);
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.ip.dest);
+}
+
+/*
+ * object ID type       1 byte
+ * Object ID            4 bytes
+ */
+static int
+fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "IPC", raw);
+	print_delim(fp, del);
+	print_ipctype(fp, tok->tt.ipc.type, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipc.id, "%u");
+}
+
+/*
+ * owner user id        4 bytes
+ * owner group id       4 bytes
+ * creator user id      4 bytes
+ * creator group id     4 bytes
+ * access mode          4 bytes
+ * slot seq                     4 bytes
+ * key                          4 bytes
+ */
+static int
+fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "IPC perm", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.ipcperm.uid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.ipcperm.gid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.ipcperm.puid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.ipcperm.pgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+}
+
+/*
+ * port Ip address  2 bytes
+ */
+static int
+fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.iport.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "ip port", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.iport.port, "%#x");
+}
+
+/*
+ * size                         2 bytes
+ * data                         size bytes
+ */
+static int
+fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "opaque", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.opaque.size, "%u");
+	print_delim(fp, del);
+	print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
+}
+
+/*
+ * size                         2 bytes
+ * data                         size bytes
+ */
+static int
+fetch_path_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "path", raw);
+	print_delim(fp, del);
+	print_string(fp, tok->tt.path.path, tok->tt.path.len);
+}
+
+/*
+ * token ID                     1 byte
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes
+ *   machine id         4 bytes
+ */
+static int
+fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.addr, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "process", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.proc32.tid.addr);
+}
+
+static int
+fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
+		    sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
+		READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
+		    sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
+		if (err)
+			return (-1);
+	} else
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "process_ex", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32_ex.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32_ex.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32_ex.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.proc32_ex.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.proc32_ex.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+	    tok->tt.proc32_ex.tid.addr);
+}
+
+/*
+ * errno                        1 byte
+ * return value         4 bytes
+ */
+static int
+fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "return", raw);
+	print_delim(fp, del);
+	print_retval(fp, tok->tt.ret32.status, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+}
+
+static int
+fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "return", raw);
+	print_delim(fp, del);
+	print_retval(fp, tok->tt.ret64.err, raw);
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+}
+
+/*
+ * seq                          4 bytes
+ */
+static int
+fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "sequence", raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+}
+
+/*
+ * socket family           2 bytes
+ * local port              2 bytes
+ * socket address          4 bytes
+ */
+static int
+fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
+	    sizeof(tok->tt.sockinet32.addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket-inet", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.sockinet32.port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.sockinet32.addr);
+}
+
+/*
+ * socket family           2 bytes
+ * path                    104 bytes
+ */
+static int fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket-unix", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+	print_delim(fp, del);
+	print_string(fp, tok->tt.sockunix.path,
+	    strlen(tok->tt.sockunix.path));
+}
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * local address           4 bytes
+ * remote port             2 bytes
+ * remote address          4 bytes
+ */
+static int fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.l_port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
+	    sizeof(tok->tt.socket.l_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket.r_port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
+	    sizeof(tok->tt.socket.r_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket.type, "%u");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket.l_port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket.l_addr);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket.r_port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket.r_addr);
+}
+
+/*
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine id         4 bytes
+ */
+static int
+fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
+	    sizeof(tok->tt.subj32.tid.addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "subject", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.subj32.tid.addr);
+}
+
+/*
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine id         4 bytes
+ */
+static int
+fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
+	    sizeof(tok->tt.subj64.tid.addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "subject", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj64.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj64.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj64.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj64.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj64.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+	print_delim(fp, del);
+	print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.subj64.tid.addr);
+}
+
+/*
+ * audit ID                     4 bytes
+ * euid                         4 bytes
+ * egid                         4 bytes
+ * ruid                         4 bytes
+ * rgid                         4 bytes
+ * pid                          4 bytes
+ * sessid                       4 bytes
+ * terminal ID
+ *   portid             4 bytes
+ *	 type				4 bytes
+ *   machine id         16 bytes
+ */
+static int
+fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
+		READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
+		    sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
+		if (err)
+			return (-1);
+	} else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
+		READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
+		    sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
+		if (err)
+			return (-1);
+	} else
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "subject_ex", raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32_ex.auid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32_ex.euid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32_ex.egid, raw);
+	print_delim(fp, del);
+	print_user(fp, tok->tt.subj32_ex.ruid, raw);
+	print_delim(fp, del);
+	print_group(fp, tok->tt.subj32_ex.rgid, raw);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+	print_delim(fp, del);
+	print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+	    tok->tt.subj32_ex.tid.addr);
+}
+
+/*
+ * size                         2 bytes
+ * data                         size bytes
+ */
+static int
+fetch_text_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
+	if (err)
+		return (-1);
+
+	SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "text", raw);
+	print_delim(fp, del);
+	print_string(fp, tok->tt.text.text, tok->tt.text.len);
+}
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * address type/length     4 bytes
+ * local Internet address  4 bytes
+ * remote port             4 bytes
+ * address type/length     4 bytes
+ * remote Internet address 4 bytes
+ */
+static int
+fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.l_port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
+	    sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_port, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
+	    err);
+	if (err)
+		return (-1);
+
+	READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
+	    sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "socket", raw);
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+	print_delim(fp, del);
+	print_2_bytes(fp, tok->tt.socket_ex32.l_port, "%#x");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+	print_delim(fp, del);
+	print_4_bytes(fp, tok->tt.socket_ex32.r_port, "%#x");
+	print_delim(fp, del);
+	print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+}
+
+static int
+fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
+{
+	int err = 0;
+	int recoversize;
+
+	recoversize = len - (tok->len + BSM_TRAILER_SIZE);
+	if (recoversize <= 0)
+		return (-1);
+
+	tok->tt.invalid.length = recoversize;
+
+	SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
+	if (err)
+		return (-1);
+
+	return (0);
+}
+
+static void
+print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+    __unused char sfrm)
+{
+
+	print_tok_type(fp, tok->id, "unknown", raw);
+	print_delim(fp, del);
+	print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
+}
+
+
+/*
+ * Reads the token beginning at buf into tok.
+ */
+int
+au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+
+	if (len <= 0)
+		return (-1);
+
+	tok->len = 1;
+	tok->data = buf;
+	tok->id = *buf;
+
+	switch(tok->id) {
+	case AUT_HEADER32:
+		return (fetch_header32_tok(tok, buf, len));
+
+	case AUT_HEADER32_EX:
+		return (fetch_header32_ex_tok(tok, buf, len));
+
+	case AUT_HEADER64:
+		return (fetch_header64_tok(tok, buf, len));
+
+	case AUT_HEADER64_EX:
+		return (fetch_header64_ex_tok(tok, buf, len));
+
+	case AUT_TRAILER:
+		return (fetch_trailer_tok(tok, buf, len));
+
+	case AUT_ARG32:
+		return (fetch_arg32_tok(tok, buf, len));
+
+	case AUT_ARG64:
+		return (fetch_arg64_tok(tok, buf, len));
+
+	case AUT_ATTR32:
+		return (fetch_attr32_tok(tok, buf, len));
+
+	case AUT_ATTR64:
+		return (fetch_attr64_tok(tok, buf, len));
+
+	case AUT_EXIT:
+		return (fetch_exit_tok(tok, buf, len));
+
+	case AUT_EXEC_ARGS:
+		return (fetch_execarg_tok(tok, buf, len));
+
+	case AUT_EXEC_ENV:
+		return (fetch_execenv_tok(tok, buf, len));
+
+	case AUT_OTHER_FILE32:
+		return (fetch_file_tok(tok, buf, len));
+
+	case AUT_NEWGROUPS:
+		return (fetch_newgroups_tok(tok, buf, len));
+
+	case AUT_IN_ADDR:
+		return (fetch_inaddr_tok(tok, buf, len));
+
+	case AUT_IN_ADDR_EX:
+		return (fetch_inaddr_ex_tok(tok, buf, len));
+
+	case AUT_IP:
+		return (fetch_ip_tok(tok, buf, len));
+
+	case AUT_IPC:
+		return (fetch_ipc_tok(tok, buf, len));
+
+	case AUT_IPC_PERM:
+		return (fetch_ipcperm_tok(tok, buf, len));
+
+	case AUT_IPORT:
+		return (fetch_iport_tok(tok, buf, len));
+
+	case AUT_OPAQUE:
+		return (fetch_opaque_tok(tok, buf, len));
+
+	case AUT_PATH:
+		return (fetch_path_tok(tok, buf, len));
+
+	case AUT_PROCESS32:
+		return (fetch_process32_tok(tok, buf, len));
+
+	case AUT_PROCESS32_EX:
+		return (fetch_process32ex_tok(tok, buf, len));
+
+	case AUT_RETURN32:
+		return (fetch_return32_tok(tok, buf, len));
+
+	case AUT_RETURN64:
+		return (fetch_return64_tok(tok, buf, len));
+
+	case AUT_SEQ:
+		return (fetch_seq_tok(tok, buf, len));
+
+	case AUT_SOCKET:
+		return (fetch_socket_tok(tok, buf, len));
+
+	case AUT_SOCKINET32:
+		return (fetch_sock_inet32_tok(tok, buf, len));
+
+	case AUT_SOCKUNIX:
+		return (fetch_sock_unix_tok(tok, buf, len));
+
+	case AUT_SUBJECT32:
+		return (fetch_subject32_tok(tok, buf, len));
+
+	case AUT_SUBJECT64:
+		return (fetch_subject64_tok(tok, buf, len));
+
+	case AUT_SUBJECT32_EX:
+		return (fetch_subject32ex_tok(tok, buf, len));
+
+	case AUT_TEXT:
+		return (fetch_text_tok(tok, buf, len));
+
+	case AUT_SOCKET_EX:
+		return (fetch_socketex32_tok(tok, buf, len));
+
+	case AUT_DATA:
+		return (fetch_arb_tok(tok, buf, len));
+
+	default:
+		return (fetch_invalid_tok(tok, buf, len));
+	}
+}
+
+/*
+ * 'prints' the token out to outfp
+ */
+void
+au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
+{
+
+	switch(tok->id) {
+	case AUT_HEADER32:
+		print_header32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_HEADER32_EX:
+		print_header32_ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_HEADER64:
+		print_header64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_HEADER64_EX:
+		print_header64_ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_TRAILER:
+		print_trailer_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ARG32:
+		print_arg32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ARG64:
+		print_arg64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_DATA:
+		print_arb_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ATTR32:
+		print_attr32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_ATTR64:
+		print_attr64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_EXIT:
+		print_exit_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_EXEC_ARGS:
+		print_execarg_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_EXEC_ENV:
+		print_execenv_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_OTHER_FILE32:
+		print_file_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_NEWGROUPS:
+		print_newgroups_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IN_ADDR:
+		print_inaddr_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IN_ADDR_EX:
+		print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IP:
+		print_ip_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IPC:
+		print_ipc_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IPC_PERM:
+		print_ipcperm_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_IPORT:
+		print_iport_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_OPAQUE:
+		print_opaque_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_PATH:
+		print_path_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_PROCESS32:
+		print_process32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_PROCESS32_EX:
+		print_process32ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_RETURN32:
+		print_return32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_RETURN64:
+		print_return64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SEQ:
+		print_seq_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKET:
+		print_socket_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKINET32:
+		print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKUNIX:
+		print_sock_unix_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SUBJECT32:
+		print_subject32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SUBJECT64:
+		print_subject64_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SUBJECT32_EX:
+		print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_TEXT:
+		print_text_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	case AUT_SOCKET_EX:
+		print_socketex32_tok(outfp, tok, del, raw, sfrm);
+		return;
+
+	default:
+		print_invalid_tok(outfp, tok, del, raw, sfrm);
+	}
+}
+
+/*
+ * Read a record from the file pointer, store data in buf memory for buf is
+ * also allocated in this function and has to be free'd outside this call.
+ *
+ * au_read_rec() handles two possibilities: a stand-alone file token, or a
+ * complete audit record.
+ *
+ * XXXRW: Note that if we hit an error, we leave the stream in an unusable
+ * state, because it will be partly offset into a record.  We should rewind
+ * or do something more intelligent.  Particularly interesting is the case
+ * where we perform a partial read of a record from a non-blockable file
+ * descriptor.  We should return the partial read and continue...?
+ */
+int
+au_read_rec(FILE *fp, u_char **buf)
+{
+	u_char *bptr;
+	u_int32_t recsize;
+	u_int32_t bytestoread;
+	u_char type;
+
+	u_int32_t sec, msec;
+	u_int16_t filenamelen;
+
+	type = fgetc(fp);
+
+	switch (type) {
+	case AUT_HEADER32:
+	case AUT_HEADER32_EX:
+	case AUT_HEADER64:
+	case AUT_HEADER64_EX:
+		/* read the record size from the token */
+		if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
+		    sizeof(u_int32_t)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		recsize = be32toh(recsize);
+
+		/* Check for recsize sanity */
+		if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
+			errno = EINVAL;
+			return (-1);
+		}
+
+		*buf = malloc(recsize * sizeof(u_char));
+		if (*buf == NULL)
+			return (-1);
+		bptr = *buf;
+		memset(bptr, 0, recsize);
+
+		/* store the token contents already read, back to the buffer*/
+		*bptr = type;
+		bptr++;
+		be32enc(bptr, recsize);
+		bptr += sizeof(u_int32_t);
+
+		/* now read remaining record bytes */
+		bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
+
+		if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
+			free(*buf);
+			errno = EINVAL;
+			return (-1);
+		}
+		break;
+
+	case AUT_OTHER_FILE32:
+		/*
+		 * The file token is variable-length, as it includes a
+		 * pathname.  As a result, we have to read incrementally
+		 * until we know the total length, then allocate space and
+		 * read the rest.
+		 */
+		if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
+		    sizeof(filenamelen)) {
+			errno = EINVAL;
+			return (-1);
+		}
+		recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
+		    sizeof(filenamelen) + ntohs(filenamelen);
+		*buf = malloc(recsize);
+		if (*buf == NULL)
+			return (-1);
+		bptr = *buf;
+
+		bcopy(&type, bptr, sizeof(type));
+		bptr += sizeof(type);
+		bcopy(&sec, bptr, sizeof(sec));
+		bptr += sizeof(sec);
+		bcopy(&msec, bptr, sizeof(msec));
+		bptr += sizeof(msec);
+		bcopy(&filenamelen, bptr, sizeof(filenamelen));
+		bptr += sizeof(filenamelen);
+
+		if (fread(bptr, 1, ntohs(filenamelen), fp) <
+		    ntohs(filenamelen)) {
+			free(buf);
+			errno = EINVAL;
+			return (-1);
+		}
+		break;
+
+	default:
+		errno = EINVAL;
+		return (-1);
+	}
+
+	return (recsize);
+}
diff --git a/contrib/openbsm/libbsm/bsm_mask.c b/contrib/openbsm/libbsm/bsm_mask.c
new file mode 100644
index 000000000000..b575bbcb0b6f
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_mask.c
@@ -0,0 +1,194 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_mask.c#11 $
+ */
+
+#include <sys/types.h>
+#include <sys/queue.h>
+
+#include <bsm/libbsm.h>
+
+#include <pthread.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* MT-Safe */
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+static int		firsttime = 1;
+
+/*
+ * XXX ev_cache, once created, sticks around until the calling program exits.
+ * This may or may not be a problem as far as absolute memory usage goes, but
+ * at least there don't appear to be any leaks in using the cache.
+ *
+ * XXXRW: Note that despite (mutex), load_event_table() could race with
+ * other consumers of the getauevents() API.
+ */
+struct audit_event_map {
+	char				 ev_name[AU_EVENT_NAME_MAX];
+	char				 ev_desc[AU_EVENT_DESC_MAX];
+	struct au_event_ent		 ev;
+	LIST_ENTRY(audit_event_map)	 ev_list;
+};
+static LIST_HEAD(, audit_event_map)	ev_cache;
+
+static struct audit_event_map *
+audit_event_map_alloc(void)
+{
+	struct audit_event_map *aemp;
+
+	aemp = malloc(sizeof(*aemp));
+	if (aemp == NULL)
+		return (aemp);
+	bzero(aemp, sizeof(*aemp));
+	aemp->ev.ae_name = aemp->ev_name;
+	aemp->ev.ae_desc = aemp->ev_desc;
+	return (aemp);
+}
+
+static void
+audit_event_map_free(struct audit_event_map *aemp)
+{
+
+	free(aemp);
+}
+
+/*
+ * When reading into the cache fails, we need to flush the entire cache to
+ * prevent it from containing some but not all records.
+ */
+static void
+flush_cache(void)
+{
+	struct audit_event_map *aemp;
+
+	/* XXX: Would assert 'mutex'. */
+
+	while ((aemp = LIST_FIRST(&ev_cache)) != NULL) {
+		LIST_REMOVE(aemp, ev_list);
+		audit_event_map_free(aemp);
+	}
+}
+
+static int
+load_event_table(void)
+{
+	struct audit_event_map *aemp;
+	struct au_event_ent *ep;
+
+	/*
+	 * XXX: Would assert 'mutex'.
+	 * Loading of the cache happens only once; dont check if cache is
+	 * already loaded.
+	 */
+	LIST_INIT(&ev_cache);
+	setauevent();	/* Rewind to beginning of entries. */
+	do {
+		aemp = audit_event_map_alloc();
+		if (aemp == NULL) {
+			flush_cache();
+			return (-1);
+		}
+		ep = getauevent_r(&aemp->ev);
+		if (ep != NULL)
+			LIST_INSERT_HEAD(&ev_cache, aemp, ev_list);
+		else
+			audit_event_map_free(aemp);
+	} while (ep != NULL);
+	return (1);
+}
+
+/*
+ * Read the event with the matching event number from the cache.
+ */
+static struct au_event_ent *
+read_from_cache(au_event_t event)
+{
+	struct audit_event_map *elem;
+
+	/* XXX: Would assert 'mutex'. */
+
+	LIST_FOREACH(elem, &ev_cache, ev_list) {
+		if (elem->ev.ae_number == event)
+			return (&elem->ev);
+	}
+
+	return (NULL);
+}
+
+/*
+ * Check if the audit event is preselected against the preselection mask.
+ */
+int
+au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag)
+{
+	struct au_event_ent *ev;
+	au_class_t effmask = 0;
+
+	if (mask_p == NULL)
+		return (-1);
+
+
+	pthread_mutex_lock(&mutex);
+	if (firsttime) {
+		firsttime = 0;
+		if ( -1 == load_event_table()) {
+			pthread_mutex_unlock(&mutex);
+			return (-1);
+		}
+	}
+	switch (flag) {
+	case AU_PRS_REREAD:
+		flush_cache();
+		if (load_event_table() == -1) {
+			pthread_mutex_unlock(&mutex);
+			return (-1);
+		}
+		ev = read_from_cache(event);
+		break;
+	case AU_PRS_USECACHE:
+		ev = read_from_cache(event);
+		break;
+	default:
+		ev = NULL;
+	}
+	if (ev == NULL) {
+		pthread_mutex_unlock(&mutex);
+		return (-1);
+	}
+	if (sorf & AU_PRS_SUCCESS)
+		effmask |= (mask_p->am_success & ev->ae_class);
+	if (sorf & AU_PRS_FAILURE)
+		effmask |= (mask_p->am_failure & ev->ae_class);
+	pthread_mutex_unlock(&mutex);
+	if (effmask != 0)
+		return (1);
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_notify.c b/contrib/openbsm/libbsm/bsm_notify.c
new file mode 100644
index 000000000000..92f9b504d7fc
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_notify.c
@@ -0,0 +1,149 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#8 $
+ */
+
+#ifdef __APPLE__
+
+/*
+ * Based on sample code from Marc Majka.
+ */
+#include <notify.h>
+#include <string.h>	/* strerror() */
+#include <sys/errno.h>	/* errno */
+#include <bsm/libbsm.h>
+#include <stdint.h>	/* uint32_t */
+#include <syslog.h>	/* syslog() */
+#include <stdarg.h>	/* syslog() */
+
+/* If 1, assumes a kernel that sends the right notification. */
+#define	AUDIT_NOTIFICATION_ENABLED	1
+
+#if AUDIT_NOTIFICATION_ENABLED
+static int	token = 0;
+#endif	/* AUDIT_NOTIFICATION_ENABLED */
+
+static long	au_cond = AUC_UNSET;	/* <bsm/audit.h> */
+
+uint32_t
+au_notify_initialize(void)
+{
+#if AUDIT_NOTIFICATION_ENABLED
+	uint32_t status, ignore_first;
+
+	status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
+	if (status != NOTIFY_STATUS_OK)
+		return (status);
+	status = notify_check(token, &ignore_first);
+	if (status != NOTIFY_STATUS_OK)
+		return (status);
+#endif
+
+	if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+		syslog(LOG_ERR, "Initial audit status check failed (%s)",
+		    strerror(errno));
+		if (errno == ENOSYS)	/* auditon() unimplemented. */
+			return (AU_UNIMPL);
+		return (NOTIFY_STATUS_FAILED);	/* Is there a better code? */
+	}
+	return (NOTIFY_STATUS_OK);
+}
+
+int
+au_notify_terminate(void)
+{
+
+#if AUDIT_NOTIFICATION_ENABLED
+	return ((notify_cancel(token) == NOTIFY_STATUS_OK) ? 0 : -1);
+#else
+	return (0);
+#endif
+}
+
+/*
+ * On error of any notify(3) call, reset 'au_cond' to ensure we re-run
+ * au_notify_initialize() next time 'round--but assume auditing is on.  This
+ * is a slight performance hit if auditing is off, but at least the system
+ * will behave correctly.  The notification calls are unlikely to fail,
+ * anyway.
+ */
+int
+au_get_state(void)
+{
+#if AUDIT_NOTIFICATION_ENABLED
+	uint32_t did_notify;
+#endif
+	int status;
+
+	/*
+	 * Don't make the client initialize this set of routines, but take the
+	 * slight performance hit by checking ourselves every time.
+	 */
+	if (au_cond == AUC_UNSET) {
+		status = au_notify_initialize();
+		if (status != NOTIFY_STATUS_OK) {
+			if (status == AU_UNIMPL)
+				return (AU_UNIMPL);
+			return (AUC_AUDITING);
+		} else
+			return (au_cond);
+	}
+#if AUDIT_NOTIFICATION_ENABLED
+	status = notify_check(token, &did_notify);
+	if (status != NOTIFY_STATUS_OK) {
+		au_cond = AUC_UNSET;
+		return (AUC_AUDITING);
+	}
+
+	if (did_notify == 0)
+		return (au_cond);
+#endif
+
+	if (auditon(A_GETCOND, &au_cond, sizeof(long)) < 0) {
+		/* XXX Reset au_cond to AUC_UNSET? */
+		syslog(LOG_ERR, "Audit status check failed (%s)",
+		    strerror(errno));
+		if (errno == ENOSYS)	/* Function unimplemented. */
+			return (AU_UNIMPL);
+		return (errno);
+	}
+
+	switch (au_cond) {
+	case AUC_NOAUDIT:	/* Auditing suspended. */
+	case AUC_DISABLED:	/* Auditing shut off. */
+		return (AUC_NOAUDIT);
+
+	case AUC_UNSET:		/* Uninitialized; shouldn't get here. */
+	case AUC_AUDITING:	/* Audit on. */
+	default:
+		return (AUC_AUDITING);
+	}
+}
+
+#endif /* !__APPLE__ */
diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c
new file mode 100644
index 000000000000..d7eadb28f808
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_token.c
@@ -0,0 +1,1219 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#34 $
+ */
+
+#include <sys/types.h>
+#ifdef __APPLE__
+#include <compat/endian.h>
+#else /* !__APPLE__ */
+#include <sys/endian.h>
+#endif /* __APPLE__*/
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/un.h>
+
+#include <sys/ipc.h>
+
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+
+#include <assert.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/socketvar.h>
+
+#include <bsm/audit_internal.h>
+#include <bsm/libbsm.h>
+
+#define	GET_TOKEN_AREA(t, dptr, length) do {				\
+	(t) = malloc(sizeof(token_t));					\
+	if ((t) != NULL) {						\
+		(t)->len = (length);					\
+		(dptr) = (t->t_data) = malloc((length) * sizeof(u_char)); \
+		if ((dptr) == NULL) {					\
+			free(t);					\
+			(t) = NULL;					\
+		} else							\
+			memset((dptr), 0, (length));			\
+	} else								\
+		(dptr) = NULL;						\
+	assert(t == NULL || dptr != NULL);				\
+} while (0)
+
+/*
+ * token ID                1 byte
+ * argument #              1 byte
+ * argument value          4 bytes/8 bytes (32-bit/64-bit value)
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_arg32(char n, char *text, u_int32_t v)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t) +
+	    sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ARG32);
+	ADD_U_CHAR(dptr, n);
+	ADD_U_INT32(dptr, v);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+
+}
+
+token_t *
+au_to_arg64(char n, char *text, u_int64_t v)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t) +
+	    sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ARG64);
+	ADD_U_CHAR(dptr, n);
+	ADD_U_INT64(dptr, v);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+
+}
+
+token_t *
+au_to_arg(char n, char *text, u_int32_t v)
+{
+
+	return (au_to_arg32(n, text, v));
+}
+
+#if defined(_KERNEL) || defined(KERNEL)
+/*
+ * token ID                1 byte
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+token_t *
+au_to_attr32(struct vnode_au_info *vni)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t pad0_16 = 0;
+	u_int16_t pad0_32 = 0;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_ATTR32);
+
+	/*
+	 * Darwin defines the size for the file mode
+	 * as 2 bytes; BSM defines 4 so pad with 0
+	 */
+	ADD_U_INT16(dptr, pad0_16);
+	ADD_U_INT16(dptr, vni->vn_mode);
+
+	ADD_U_INT32(dptr, vni->vn_uid);
+	ADD_U_INT32(dptr, vni->vn_gid);
+	ADD_U_INT32(dptr, vni->vn_fsid);
+
+	/*
+	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+	 * Attempt to handle both, and let the compiler sort it out.  If we
+	 * could pick this out at compile-time, it would be better, so as to
+	 * avoid the else case below.
+	 */
+	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+		ADD_U_INT32(dptr, pad0_32);
+		ADD_U_INT32(dptr, vni->vn_fileid);
+	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+		ADD_U_INT64(dptr, vni->vn_fileid);
+	else
+		ADD_U_INT64(dptr, 0LL);
+
+	ADD_U_INT32(dptr, vni->vn_dev);
+
+	return (t);
+}
+
+token_t *
+au_to_attr64(struct vnode_au_info *vni)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_attr(struct vnode_au_info *vni)
+{
+
+	return (au_to_attr32(vni));
+}
+#endif /* !(defined(_KERNEL) || defined(KERNEL) */
+
+/*
+ * token ID                1 byte
+ * how to print            1 byte
+ * basic unit              1 byte
+ * unit count              1 byte
+ * data items              (depends on basic unit)
+ */
+token_t *
+au_to_data(char unit_print, char unit_type, char unit_count, char *p)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	size_t datasize, totdata;
+
+	/* Determine the size of the basic unit. */
+	switch (unit_type) {
+	case AUR_BYTE:
+		datasize = AUR_BYTE_SIZE;
+		break;
+
+	case AUR_SHORT:
+		datasize = AUR_SHORT_SIZE;
+		break;
+
+	case AUR_LONG:
+		datasize = AUR_LONG_SIZE;
+		break;
+
+	default:
+		errno = EINVAL;
+ 		return (NULL);
+	}
+
+	totdata = datasize * unit_count;
+
+	GET_TOKEN_AREA(t, dptr, totdata + 4 * sizeof(u_char));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_DATA);
+	ADD_U_CHAR(dptr, unit_print);
+	ADD_U_CHAR(dptr, unit_type);
+	ADD_U_CHAR(dptr, unit_count);
+	ADD_MEM(dptr, p, totdata);
+
+	return (t);
+}
+
+
+/*
+ * token ID                1 byte
+ * status		   4 bytes
+ * return value            4 bytes
+ */
+token_t *
+au_to_exit(int retval, int err)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_EXIT);
+	ADD_U_INT32(dptr, err);
+	ADD_U_INT32(dptr, retval);
+
+	return (t);
+}
+
+/*
+ */
+token_t *
+au_to_groups(int *groups)
+{
+
+	return (au_to_newgroups(BSM_MAX_GROUPS, groups));
+}
+
+/*
+ * token ID                1 byte
+ * number groups           2 bytes
+ * group list              count * 4 bytes
+ */
+token_t *
+au_to_newgroups(u_int16_t n, gid_t *groups)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	int i;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+	    n * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_NEWGROUPS);
+	ADD_U_INT16(dptr, n);
+	for (i = 0; i < n; i++)
+		ADD_U_INT32(dptr, groups[i]);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * internet address        4 bytes
+ */
+token_t *
+au_to_in_addr(struct in_addr *internet_addr)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IN_ADDR);
+	ADD_U_INT32(dptr, internet_addr->s_addr);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * address type/length     4 bytes
+ * Address                16 bytes
+ */
+token_t *
+au_to_in_addr_ex(struct in6_addr *internet_addr)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int32_t type = AF_INET6;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 5 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IN_ADDR_EX);
+	ADD_U_INT32(dptr, type);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[0]);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[1]);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[2]);
+	ADD_U_INT32(dptr, internet_addr->__u6_addr.__u6_addr32[3]);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * ip header		   20 bytes
+ */
+token_t *
+au_to_ip(struct ip *ip)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(struct ip));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IP);
+	/*
+	 * XXXRW: Any byte order work needed on the IP header before writing?
+	 */
+	ADD_MEM(dptr, ip, sizeof(struct ip));
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * object ID type          1 byte
+ * object ID               4 bytes
+ */
+token_t *
+au_to_ipc(char type, int id)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IPC);
+	ADD_U_CHAR(dptr, type);
+	ADD_U_INT32(dptr, id);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * creator user ID         4 bytes
+ * creator group ID        4 bytes
+ * access mode             4 bytes
+ * slot sequence #         4 bytes
+ * key                     4 bytes
+ */
+token_t *
+au_to_ipc_perm(struct ipc_perm *perm)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t pad0 = 0;
+
+	GET_TOKEN_AREA(t, dptr, 12 * sizeof(u_int16_t) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IPC_PERM);
+
+	/*
+	 * Darwin defines the sizes for ipc_perm members
+	 * as 2 bytes; BSM defines 4 so pad with 0
+	 */
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->uid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->gid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->cuid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->cgid);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->mode);
+
+	ADD_U_INT16(dptr, pad0);
+	ADD_U_INT16(dptr, perm->seq);
+
+	ADD_U_INT32(dptr, perm->key);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * port IP address         2 bytes
+ */
+token_t *
+au_to_iport(u_int16_t iport)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_IPORT);
+	ADD_U_INT16(dptr, iport);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * size                    2 bytes
+ * data                    size bytes
+ */
+token_t *
+au_to_opaque(char *data, u_int16_t bytes)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + bytes);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_OPAQUE);
+	ADD_U_INT16(dptr, bytes);
+	ADD_MEM(dptr, data, bytes);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * seconds of time         4 bytes
+ * milliseconds of time    4 bytes
+ * file name len           2 bytes
+ * file pathname           N bytes + 1 terminating NULL byte
+ */
+token_t *
+#if defined(KERNEL) || defined(_KERNEL)
+au_to_file(char *file, struct timeval tm)
+#else
+au_to_file(char *file)
+#endif
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t filelen;
+	u_int32_t timems;
+#if !defined(KERNEL) && !defined(_KERNEL)
+	struct timeval tm;
+	struct timezone tzp;
+
+	if (gettimeofday(&tm, &tzp) == -1)
+		return (NULL);
+#endif
+
+	filelen = strlen(file);
+	filelen += 1;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int32_t) +
+	    sizeof(u_int16_t) + filelen);
+	if (t == NULL)
+		return (NULL);
+
+	timems = tm.tv_usec/1000;
+
+	ADD_U_CHAR(dptr, AUT_OTHER_FILE32);
+	ADD_U_INT32(dptr, tm.tv_sec);
+	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
+	ADD_U_INT16(dptr, filelen);
+	ADD_STRING(dptr, file, filelen);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_text(char *text)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_TEXT);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * path length             2 bytes
+ * path                    N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_path(char *text)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t textlen;
+
+	textlen = strlen(text);
+	textlen += 1;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PATH);
+	ADD_U_INT16(dptr, textlen);
+	ADD_STRING(dptr, text, textlen);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine address       4 bytes
+ */
+token_t *
+au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PROCESS32);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->port);
+	ADD_U_INT32(dptr, tid->machine);
+
+	return (t);
+}
+
+token_t *
+au_to_process64(__unused au_id_t auid, __unused uid_t euid,
+    __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+    __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_process(__unused au_id_t auid, __unused uid_t euid,
+    __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+    __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+{
+
+	return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   address type-len      4 bytes
+ *   machine address      16 bytes
+ */
+token_t *
+au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_PROCESS32_EX);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->at_port);
+	ADD_U_INT32(dptr, tid->at_type);
+	ADD_U_INT32(dptr, tid->at_addr[0]);
+	ADD_U_INT32(dptr, tid->at_addr[1]);
+	ADD_U_INT32(dptr, tid->at_addr[2]);
+	ADD_U_INT32(dptr, tid->at_addr[3]);
+
+	return (t);
+}
+
+token_t *
+au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	return (au_to_process32_ex(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+/*
+ * token ID                1 byte
+ * error status            1 byte
+ * return value            4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+au_to_return32(char status, u_int32_t ret)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_RETURN32);
+	ADD_U_CHAR(dptr, status);
+	ADD_U_INT32(dptr, ret);
+
+	return (t);
+}
+
+token_t *
+au_to_return64(char status, u_int64_t ret)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 2 * sizeof(u_char) + sizeof(u_int64_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_RETURN64);
+	ADD_U_CHAR(dptr, status);
+	ADD_U_INT64(dptr, ret);
+
+	return (t);
+}
+
+token_t *
+au_to_return(char status, u_int32_t ret)
+{
+
+	return (au_to_return32(status, ret));
+}
+
+/*
+ * token ID                1 byte
+ * sequence number         4 bytes
+ */
+token_t *
+au_to_seq(long audit_count)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SEQ);
+	ADD_U_INT32(dptr, audit_count);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * socket type             2 bytes
+ * local port              2 bytes
+ * local Internet address  4 bytes
+ * remote port             2 bytes
+ * remote Internet address 4 bytes
+ */
+token_t *
+au_to_socket(struct socket *so)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+/*
+ * token ID                1 byte
+ * socket type             2 bytes
+ * local port              2 bytes
+ * address type/length     4 bytes
+ * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port             4 bytes
+ * address type/length     4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+token_t *
+au_to_socket_ex_32(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
+    struct sockaddr *ra)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_socket_ex_128(u_int16_t lp, u_int16_t rp, struct sockaddr *la,
+    struct sockaddr *ra)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+/*
+ * token ID                1 byte
+ * socket family           2 bytes
+ * path                    104 bytes
+ */
+token_t *
+au_to_sock_unix(struct sockaddr_un *so)
+{
+	token_t *t;
+	u_char *dptr;
+
+	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + strlen(so->sun_path) + 1);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AU_SOCK_UNIX_TOKEN);
+	/* BSM token has two bytes for family */
+	ADD_U_CHAR(dptr, 0);
+	ADD_U_CHAR(dptr, so->sun_family);
+	ADD_STRING(dptr, so->sun_path, strlen(so->sun_path) + 1);
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * socket family           2 bytes
+ * local port              2 bytes
+ * socket address          4 bytes
+ */
+token_t *
+au_to_sock_inet32(struct sockaddr_in *so)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
+	    sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SOCKINET32);
+	/*
+	 * In Darwin, sin_family is one octet, but BSM defines the token
+ 	 * to store two. So we copy in a 0 first.
+ 	 */
+	ADD_U_CHAR(dptr, 0);
+	ADD_U_CHAR(dptr, so->sin_family);
+	ADD_U_INT16(dptr, so->sin_port);
+	ADD_U_INT32(dptr, so->sin_addr.s_addr);
+
+	return (t);
+
+}
+
+token_t *
+au_to_sock_inet128(struct sockaddr_in6 *so)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, 3 * sizeof(u_char) + sizeof(u_int16_t) +
+	    4 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SOCKINET128);
+	/*
+	 * In Darwin, sin6_family is one octet, but BSM defines the token
+ 	 * to store two. So we copy in a 0 first.
+ 	 */
+	ADD_U_CHAR(dptr, 0);
+	ADD_U_CHAR(dptr, so->sin6_family);
+
+	ADD_U_INT16(dptr, so->sin6_port);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[0]);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[1]);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[2]);
+	ADD_U_INT32(dptr, so->sin6_addr.__u6_addr.__u6_addr32[3]);
+
+	return (t);
+
+}
+
+token_t *
+au_to_sock_inet(struct sockaddr_in *so)
+{
+
+	return (au_to_sock_inet32(so));
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   machine address       4 bytes
+ */
+token_t *
+au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 9 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SUBJECT32);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->port);
+	ADD_U_INT32(dptr, tid->machine);
+
+	return (t);
+}
+
+token_t *
+au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
+{
+
+	return (au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+/*
+ * token ID                1 byte
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ *   address type/length   4 bytes
+ *   machine address      16 bytes
+ */
+token_t *
+au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 13 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_SUBJECT32_EX);
+	ADD_U_INT32(dptr, auid);
+	ADD_U_INT32(dptr, euid);
+	ADD_U_INT32(dptr, egid);
+	ADD_U_INT32(dptr, ruid);
+	ADD_U_INT32(dptr, rgid);
+	ADD_U_INT32(dptr, pid);
+	ADD_U_INT32(dptr, sid);
+	ADD_U_INT32(dptr, tid->at_port);
+	ADD_U_INT32(dptr, tid->at_type);
+	ADD_U_INT32(dptr, tid->at_addr[0]);
+	ADD_U_INT32(dptr, tid->at_addr[1]);
+	ADD_U_INT32(dptr, tid->at_addr[2]);
+	ADD_U_INT32(dptr, tid->at_addr[3]);
+
+	return (t);
+}
+
+token_t *
+au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
+{
+
+	return (au_to_subject32_ex(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid));
+}
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+/*
+ * Collects audit information for the current process
+ * and creates a subject token from it
+ */
+token_t *
+au_to_me(void)
+{
+	auditinfo_t auinfo;
+
+	if (getaudit(&auinfo) != 0)
+		return (NULL);
+
+	return (au_to_subject32(auinfo.ai_auid, geteuid(), getegid(),
+	    getuid(), getgid(), getpid(), auinfo.ai_asid, &auinfo.ai_termid));
+}
+#endif
+
+/*
+ * token ID				1 byte
+ * count				4 bytes
+ * text					count null-terminated strings
+ */
+token_t *
+au_to_exec_args(const char **args)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	const char *nextarg;
+	int i, count = 0;
+	size_t totlen = 0;
+
+	nextarg = *args;
+
+	while (nextarg != NULL) {
+		int nextlen;
+
+		nextlen = strlen(nextarg);
+		totlen += nextlen + 1;
+		count++;
+		nextarg = *(args + count);
+	}
+
+	totlen += count * sizeof(char);	/* nul terminations. */
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_EXEC_ARGS);
+	ADD_U_INT32(dptr, count);
+
+	for (i = 0; i < count; i++) {
+		nextarg = *(args + i);
+		ADD_MEM(dptr, nextarg, strlen(nextarg) + 1);
+	}
+
+	return (t);
+}
+
+/*
+ * token ID				1 byte
+ * count				4 bytes
+ * text					count null-terminated strings
+ */
+token_t *
+au_to_exec_env(const char **env)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	int i, count = 0;
+	size_t totlen = 0;
+	const char *nextenv;
+
+	nextenv = *env;
+
+	while (nextenv != NULL) {
+		int nextlen;
+
+		nextlen = strlen(nextenv);
+		totlen += nextlen + 1;
+		count++;
+		nextenv = *(env + count);
+	}
+
+	totlen += sizeof(char) * count;
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) + totlen);
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_EXEC_ENV);
+	ADD_U_INT32(dptr, count);
+
+	for (i = 0; i < count; i++) {
+		nextenv = *(env + i);
+		ADD_MEM(dptr, nextenv, strlen(nextenv) + 1);
+	}
+
+	return (t);
+}
+
+/*
+ * token ID                1 byte
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+token_t *
+#if defined(KERNEL) || defined(_KERNEL)
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+    struct timeval tm)
+#else
+au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
+#endif
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int32_t timems;
+#if !defined(KERNEL) && !defined(_KERNEL)
+	struct timeval tm;
+	struct timezone tzp;
+
+	if (gettimeofday(&tm, &tzp) == -1)
+		return (NULL);
+#endif
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_HEADER32);
+	ADD_U_INT32(dptr, rec_size);
+	ADD_U_CHAR(dptr, HEADER_VERSION);
+	ADD_U_INT16(dptr, e_type);
+	ADD_U_INT16(dptr, e_mod);
+
+	timems = tm.tv_usec/1000;
+	/* Add the timestamp */
+	ADD_U_INT32(dptr, tm.tv_sec);
+	ADD_U_INT32(dptr, timems);	/* We need time in ms. */
+
+	return (t);
+}
+
+token_t *
+au_to_header64(__unused int rec_size, __unused au_event_t e_type,
+    __unused au_emod_t e_mod)
+{
+
+	errno = ENOTSUP;
+	return (NULL);
+}
+
+token_t *
+au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod)
+{
+
+	return (au_to_header32(rec_size, e_type, e_mod));
+}
+
+/*
+ * token ID                1 byte
+ * trailer magic number    2 bytes
+ * record byte count       4 bytes
+ */
+token_t *
+au_to_trailer(int rec_size)
+{
+	token_t *t;
+	u_char *dptr = NULL;
+	u_int16_t magic = TRAILER_PAD_MAGIC;
+
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) +
+	    sizeof(u_int32_t));
+	if (t == NULL)
+		return (NULL);
+
+	ADD_U_CHAR(dptr, AUT_TRAILER);
+	ADD_U_INT16(dptr, magic);
+	ADD_U_INT32(dptr, rec_size);
+
+	return (t);
+}
diff --git a/contrib/openbsm/libbsm/bsm_user.c b/contrib/openbsm/libbsm/bsm_user.c
new file mode 100644
index 000000000000..3927423f5119
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_user.c
@@ -0,0 +1,268 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_user.c#14 $
+ */
+
+#include <bsm/libbsm.h>
+
+#include <string.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Parse the contents of the audit_user file into au_user_ent structures.
+ */
+
+static FILE		*fp = NULL;
+static char		 linestr[AU_LINE_MAX];
+static const char	*user_delim = ":";
+
+static pthread_mutex_t	mutex = PTHREAD_MUTEX_INITIALIZER;
+
+/*
+ * Parse one line from the audit_user file into the au_user_ent structure.
+ */
+static struct au_user_ent *
+userfromstr(char *str, struct au_user_ent *u)
+{
+	char *username, *always, *never;
+	char *last;
+
+	username = strtok_r(str, user_delim, &last);
+	always = strtok_r(NULL, user_delim, &last);
+	never = strtok_r(NULL, user_delim, &last);
+
+	if ((username == NULL) || (always == NULL) || (never == NULL))
+		return (NULL);
+
+	if (strlen(username) >= AU_USER_NAME_MAX)
+		return (NULL);
+
+	strcpy(u->au_name, username);
+	if (getauditflagsbin(always, &(u->au_always)) == -1)
+		return (NULL);
+
+	if (getauditflagsbin(never, &(u->au_never)) == -1)
+		return (NULL);
+
+	return (u);
+}
+
+/*
+ * Rewind to beginning of the file
+ */
+static void
+setauuser_locked(void)
+{
+
+	if (fp != NULL)
+		fseek(fp, 0, SEEK_SET);
+}
+
+void
+setauuser(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	setauuser_locked();
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Close the file descriptor
+ */
+void
+endauuser(void)
+{
+
+	pthread_mutex_lock(&mutex);
+	if (fp != NULL) {
+		fclose(fp);
+		fp = NULL;
+	}
+	pthread_mutex_unlock(&mutex);
+}
+
+/*
+ * Enumerate the au_user_ent structures from the file
+ */
+static struct au_user_ent *
+getauuserent_r_locked(struct au_user_ent *u)
+{
+	char *nl;
+
+	if ((fp == NULL) && ((fp = fopen(AUDIT_USER_FILE, "r")) == NULL))
+		return (NULL);
+
+	while (1) {
+		if (fgets(linestr, AU_LINE_MAX, fp) == NULL)
+			return (NULL);
+
+		/* Remove new lines. */
+		if ((nl = strrchr(linestr, '\n')) != NULL)
+			*nl = '\0';
+
+		/* Skip comments. */
+		if (linestr[0] == '#')
+			continue;
+
+		/* Get the next structure. */
+		if (userfromstr(linestr, u) == NULL)
+			return (NULL);
+		break;
+	}
+
+	return (u);
+}
+
+struct au_user_ent *
+getauuserent_r(struct au_user_ent *u)
+{
+	struct au_user_ent *up;
+
+	pthread_mutex_lock(&mutex);
+	up = getauuserent_r_locked(u);
+	pthread_mutex_unlock(&mutex);
+	return (up);
+}
+
+struct au_user_ent *
+getauuserent(void)
+{
+	static char user_ent_name[AU_USER_NAME_MAX];
+	static struct au_user_ent u;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	return (getauuserent_r(&u));
+}
+
+/*
+ * Find a au_user_ent structure matching the given user name.
+ */
+struct au_user_ent *
+getauusernam_r(struct au_user_ent *u, const char *name)
+{
+	struct au_user_ent *up;
+
+	if (name == NULL)
+		return (NULL);
+
+	pthread_mutex_lock(&mutex);
+
+	setauuser_locked();
+	while ((up = getauuserent_r_locked(u)) != NULL) {
+		if (strcmp(name, u->au_name) == 0) {
+			pthread_mutex_unlock(&mutex);
+			return (u);
+		}
+	}
+
+	pthread_mutex_unlock(&mutex);
+	return (NULL);
+
+}
+
+struct au_user_ent *
+getauusernam(const char *name)
+{
+	static char user_ent_name[AU_USER_NAME_MAX];
+	static struct au_user_ent u;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	return (getauusernam_r(&u, name));
+}
+
+/*
+ * Read the default system wide audit classes from audit_control, combine with
+ * the per-user audit class and update the binary preselection mask.
+ */
+int
+au_user_mask(char *username, au_mask_t *mask_p)
+{
+	char auditstring[MAX_AUDITSTRING_LEN + 1];
+	char user_ent_name[AU_USER_NAME_MAX];
+	struct au_user_ent u, *up;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	/* Get user mask. */
+	if ((up = getauusernam_r(&u, username)) != NULL) {
+		if (-1 == getfauditflags(&up->au_always, &up->au_never,
+		    mask_p))
+			return (-1);
+		return (0);
+	}
+
+	/* Read the default system mask. */
+	if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
+		if (-1 == getauditflagsbin(auditstring, mask_p))
+			return (-1);
+		return (0);
+	}
+
+	/* No masks defined. */
+	return (-1);
+}
+
+/*
+ * Generate the process audit state by combining the audit masks passed as
+ * parameters with the system audit masks.
+ */
+int
+getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask, au_mask_t *lastmask)
+{
+	char auditstring[MAX_AUDITSTRING_LEN + 1];
+
+	if ((usremask == NULL) || (usrdmask == NULL) || (lastmask == NULL))
+		return (-1);
+
+	lastmask->am_success = 0;
+	lastmask->am_failure = 0;
+
+	/* Get the system mask. */
+	if (getacflg(auditstring, MAX_AUDITSTRING_LEN) == 0) {
+		if (getauditflagsbin(auditstring, lastmask) != 0)
+			return (-1);
+	}
+
+	ADDMASK(lastmask, usremask);
+	SUBMASK(lastmask, usrdmask);
+
+	return (0);
+}
diff --git a/contrib/openbsm/libbsm/bsm_wrappers.c b/contrib/openbsm/libbsm/bsm_wrappers.c
new file mode 100644
index 000000000000..e7600e7f5ee2
--- /dev/null
+++ b/contrib/openbsm/libbsm/bsm_wrappers.c
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#14 $
+ */
+
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/sysctl.h>
+
+#include <bsm/libbsm.h>
+
+#include <unistd.h>
+#include <syslog.h>
+#include <string.h>
+#include <errno.h>
+
+/* These are not advertised in libbsm.h */
+int audit_set_terminal_port(dev_t *p);
+int audit_set_terminal_host(uint32_t *m);
+
+int
+audit_set_terminal_port(dev_t *p)
+{
+	struct stat st;
+
+	if (p == NULL)
+		return (kAUBadParamErr);
+
+	*p = NODEV;
+
+	/* for /usr/bin/login, try fstat() first */
+	if (fstat(STDIN_FILENO, &st) != 0) {
+		if (errno != EBADF) {
+			syslog(LOG_ERR, "fstat() failed (%s)",
+			    strerror(errno));
+			return (kAUStatErr);
+		}
+		if (stat("/dev/console", &st) != 0) {
+			syslog(LOG_ERR, "stat() failed (%s)",
+			    strerror(errno));
+			return (kAUStatErr);
+		}
+	}
+	*p = st.st_rdev;
+	return (kAUNoErr);
+}
+
+int
+audit_set_terminal_host(uint32_t *m)
+{
+	int name[2] = { CTL_KERN, KERN_HOSTID };
+	size_t len;
+
+	if (m == NULL)
+		return (kAUBadParamErr);
+	*m = 0;
+	len = sizeof(*m);
+	if (sysctl(name, 2, m, &len, NULL, 0) != 0) {
+		syslog(LOG_ERR, "sysctl() failed (%s)", strerror(errno));
+		return (kAUSysctlErr);
+	}
+	return (kAUNoErr);
+}
+
+int
+audit_set_terminal_id(au_tid_t *tid)
+{
+	int ret;
+
+	if (tid == NULL)
+		return (kAUBadParamErr);
+	if ((ret = audit_set_terminal_port(&tid->port)) != kAUNoErr)
+		return (ret);
+	return (audit_set_terminal_host(&tid->machine));
+}
+
+/*
+ * This is OK for those callers who have only one token to write.  If you have
+ * multiple tokens that logically form part of the same audit record, you need
+ * to use the existing au_open()/au_write()/au_close() API:
+ *
+ * aufd = au_open();
+ * tok = au_to_random_token_1(...);
+ * au_write(aufd, tok);
+ * tok = au_to_random_token_2(...);
+ * au_write(aufd, tok);
+ * ...
+ * au_close(aufd, 1, AUE_your_event_type);
+ *
+ * Assumes, like all wrapper calls, that the caller has previously checked
+ * that auditing is enabled via the audit_get_state() call.
+ *
+ * XXX: Should be more robust against bad arguments.
+ */
+int
+audit_write(short event_code, token_t *subject, token_t *misctok, char retval,
+    int errcode)
+{
+	int aufd;
+	char *func = "audit_write()";
+	token_t *rettok;
+
+	if ((aufd = au_open()) == -1) {
+		au_free_token(subject);
+		au_free_token(misctok);
+		syslog(LOG_ERR, "%s: au_open() failed", func);
+		return (kAUOpenErr);
+	}
+
+	/* Save subject. */
+	if (subject && au_write(aufd, subject) == -1) {
+		au_free_token(subject);
+		au_free_token(misctok);
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: write of subject failed", func);
+		return (kAUWriteSubjectTokErr);
+	}
+
+	/* Save the event-specific token. */
+	if (misctok && au_write(aufd, misctok) == -1) {
+		au_free_token(misctok);
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: write of caller token failed", func);
+		return (kAUWriteCallerTokErr);
+	}
+
+	/* Tokenize and save the return value. */
+	if ((rettok = au_to_return32(retval, errcode)) == NULL) {
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: au_to_return32() failed", func);
+		return (kAUMakeReturnTokErr);
+	}
+
+	if (au_write(aufd, rettok) == -1) {
+		au_free_token(rettok);
+		(void)au_close(aufd, 0, event_code);
+		syslog(LOG_ERR, "%s: write of return code failed", func);
+		return (kAUWriteReturnTokErr);
+	}
+
+	/*
+	 * au_close()'s second argument is "keep": if keep == 0, the record is
+	 * discarded.  We assume the caller wouldn't have bothered with this
+	 * function if it hadn't already decided to keep the record.
+	 */
+	if (au_close(aufd, 1, event_code) < 0) {
+		syslog(LOG_ERR, "%s: au_close() failed", func);
+		return (kAUCloseErr);
+	}
+
+	return (kAUNoErr);
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes success; use audit_write_failure() on error.
+ */
+int
+audit_write_success(short event_code, token_t *tok, au_id_t auid, uid_t euid,
+    gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+    au_tid_t *tid)
+{
+	char *func = "audit_write_success()";
+	token_t *subject = NULL;
+
+	/* Tokenize and save subject. */
+	subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid,
+	    tid);
+	if (subject == NULL) {
+		syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
+		return kAUMakeSubjectTokErr;
+	}
+
+	return (audit_write(event_code, subject, tok, 0, 0));
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes success; use audit_write_failure_self() on error.
+ */
+int
+audit_write_success_self(short event_code, token_t *tok)
+{
+	token_t *subject;
+	char *func = "audit_write_success_self()";
+
+	if ((subject = au_to_me()) == NULL) {
+		syslog(LOG_ERR, "%s: au_to_me() failed", func);
+		return (kAUMakeSubjectTokErr);
+	}
+
+	return (audit_write(event_code, subject, tok, 0, 0));
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes failure; use audit_write_success() otherwise.
+ *
+ * XXX  This should let the caller pass an error return value rather than
+ * hard-coding -1.
+ */
+int
+audit_write_failure(short event_code, char *errmsg, int errcode, au_id_t auid,
+    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+    au_tid_t *tid)
+{
+	char *func = "audit_write_failure()";
+	token_t *subject, *errtok;
+
+	subject = au_to_subject32(auid, euid, egid, ruid, rgid, pid, sid, tid);
+	if (subject == NULL) {
+		syslog(LOG_ERR, "%s: au_to_subject32() failed", func);
+		return (kAUMakeSubjectTokErr);
+	}
+
+	/* tokenize and save the error message */
+	if ((errtok = au_to_text(errmsg)) == NULL) {
+		au_free_token(subject);
+		syslog(LOG_ERR, "%s: au_to_text() failed", func);
+		return (kAUMakeTextTokErr);
+	}
+
+	return (audit_write(event_code, subject, errtok, -1, errcode));
+}
+
+/*
+ * Same caveats as audit_write().  In addition, this function explicitly
+ * assumes failure; use audit_write_success_self() otherwise.
+ *
+ * XXX  This should let the caller pass an error return value rather than
+ * hard-coding -1.
+ */
+int
+audit_write_failure_self(short event_code, char *errmsg, int errret)
+{
+	char *func = "audit_write_failure_self()";
+	token_t *subject, *errtok;
+
+	if ((subject = au_to_me()) == NULL) {
+		syslog(LOG_ERR, "%s: au_to_me() failed", func);
+		return (kAUMakeSubjectTokErr);
+	}
+	/* tokenize and save the error message */
+	if ((errtok = au_to_text(errmsg)) == NULL) {
+		au_free_token(subject);
+		syslog(LOG_ERR, "%s: au_to_text() failed", func);
+		return (kAUMakeTextTokErr);
+	}
+	return (audit_write(event_code, subject, errtok, -1, errret));
+}
+
+/*
+ * For auditing errors during login.  Such errors are implicitly
+ * non-attributable (i.e., not ascribable to any user).
+ *
+ * Assumes, like all wrapper calls, that the caller has previously checked
+ * that auditing is enabled via the audit_get_state() call.
+ */
+int
+audit_write_failure_na(short event_code, char *errmsg, int errret, uid_t euid,
+    uid_t egid, pid_t pid, au_tid_t *tid)
+{
+
+	return (audit_write_failure(event_code, errmsg, errret, -1, euid,
+	    egid, -1, -1, pid, -1, tid));
+}
+
+/* END OF au_write() WRAPPERS */
+
+#ifdef __APPLE__
+void
+audit_token_to_au32(audit_token_t atoken, uid_t *auidp, uid_t *euidp,
+    gid_t *egidp, uid_t *ruidp, gid_t *rgidp, pid_t *pidp, au_asid_t *asidp,
+    au_tid_t *tidp)
+{
+
+	if (auidp != NULL)
+		*auidp = (uid_t)atoken.val[0];
+	if (euidp != NULL)
+		*euidp = (uid_t)atoken.val[1];
+	if (egidp != NULL)
+		*egidp = (gid_t)atoken.val[2];
+	if (ruidp != NULL)
+		*ruidp = (uid_t)atoken.val[3];
+	if (rgidp != NULL)
+		*rgidp = (gid_t)atoken.val[4];
+	if (pidp != NULL)
+		*pidp = (pid_t)atoken.val[5];
+	if (asidp != NULL)
+		*asidp = (au_asid_t)atoken.val[6];
+	if (tidp != NULL) {
+		audit_set_terminal_host(&tidp->machine);
+		tidp->port = (dev_t)atoken.val[7];
+	}
+}
+#endif /* !__APPLE__ */
diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3
new file mode 100644
index 000000000000..3ec8168435a2
--- /dev/null
+++ b/contrib/openbsm/libbsm/libbsm.3
@@ -0,0 +1,220 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#3 $
+.\"
+.Dd April 19, 2005
+.Dt LIBBSM 3
+.Os
+.Sh NAME
+.Nm libbsm
+.Nd "Basic Security Module (BSM) Audit API"
+.Sh LIBRARY
+.Lb libbsm
+.Sh SYNOPSIS
+.In libbsm.h
+.Sh DESCRIPTION
+The
+.Nm
+library routines provide an interface to BSM audit record streams, allowing
+both the parsing of existing audit streams, as well as the creation of new
+audit records and streams.
+.Sh INTERFACES
+.Nm
+provides a large number of Audit programming interfaces in several classes:
+event stream interfaces, class interfaces, control interfaces, event
+interfaces, I/O interfaces, mask interfaces, notification interfaces, token
+interfaces, and user interfaces.
+These are described respectively in the
+.Xr au_stream 3 ,
+.Xr au_class 3 ,
+.Xr au_control 3 ,
+.Xr au_event 3 ,
+.Xr au_mask 3 ,
+.Xr au_notify 3 ,
+.Xr au_token 3 ,
+.Xr au_user 3
+man pages.
+.Ss Audit Event Stream Interfaces
+Audit event stream interfaces support interaction with file-backed audit
+event streams:
+.Xr au_free_token 3 ,
+.Xr au_free_token 3 ,
+.Xr au_open 3 ,
+.Xr au_write 3 ,
+.Xr au_close 3 .
+.Ss Audit Class Interfaces
+Audit class interfaces support the look up of information from the
+.Xr audit_class 5
+database:
+.Xr getauclassent 3 ,
+.Xr getauclassent_r 3 ,
+.Xr getauclassnam 3 ,
+.Xr getauclassnam_r 3 ,
+.Xr setauclass 3 ,
+.Xr endauclass 3 .
+.Ss Audit Control Interfaces
+Audit control interfaces support the look up of information from the
+.Xr audit_control 5
+database:
+.Xr setac 3 ,
+.Xr endac 3 ,
+.Xr getacdir 3 ,
+.Xr getacmin 3 ,
+.Xr getacflg 3 ,
+.Xr getacna 3 .
+.Ss Audit Event Interfaces
+Audit event interfaces support the look up of information from the
+.Xr audit_event 5
+database:
+.Xr setauevent 3 ,
+.Xr endauevent 3 ,
+.Xr getauevent 3 ,
+.Xr getauevent_r 3 ,
+.Xr getauevnam 3 ,
+.Xr getauevnam_r 3 ,
+.Xr getauevnum 3 ,
+.Xr getauevnum_r 3 ,
+.Xr getauevnonam 3 ,
+.Xr getauevnonam_r 3 ,
+.Ss Audit I/O Interfaces
+Audit I/O interfaces support the processing and printing of tokens, as well
+as the reading of audit records:
+.Xr au_fetch_tok 3 ,
+.Xr au_print_tok 3 ,
+.Xr au_read_rec 3 .
+.Ss Audit Mask Interfaces
+Audit mask interfaces convert support the conversion between strings and
+.Vt au_mask_t
+values.
+They may also be used to determine if a particular audit event is matched
+by a mask:
+.Xr au_preselect 3 ,
+.Xr getauditflagsbin 3 ,
+.Xr getauditflagschar 3 .
+.Ss Audit Notification Interfaces
+Audit notification routines track audit state in a form permitting efficient
+update, avoiding frequent system calls to check the kernel audit state:
+.Xr au_notify_initialize 3 ,
+.Xr au_notify_terminate 3 ,
+.Xr au_get_state 3 .
+These interfaces are implemented only for Darwin/Mac OS X.
+.Ss Audit Token Interface
+Audit token interfaces permit the creation of tokens for use in creating
+audit records for submission to event streams.
+Each interface converts a C type to its
+.Vt token_t
+representation.
+.Xr au_to_arg32 3 ,
+.Xr au_to_arg64 3 ,
+.Xr au_to_arg 3 ,
+.Xr au_to_attr64 3 ,
+.Xr au_to_data 3 ,
+.Xr au_to_exit 3 ,
+.Xr au_to_groups 3 ,
+.Xr au_to_newgroups 3 ,
+.Xr au_to_in_addr 3 ,
+.Xr au_to_in_addr_ex 3 ,
+.Xr au_to_ip 3 ,
+.Xr au_to_ipc 3 ,
+.Xr au_to_ipc_perm 3 ,
+.Xr au_to_iport 3 ,
+.Xr au_to_opaque 3 ,
+.Xr au_to_file 3 ,
+.Xr au_to_text 3 ,
+.Xr au_to_path 3 ,
+.Xr au_to_process32 3 ,
+.Xr au_to_process64 3 ,
+.Xr au_to_process 3 ,
+.Xr au_to_process32_ex 3 ,
+.Xr au_to_process64_ex 3 ,
+.Xr au_to_process_ex 3 ,
+.Xr au_to_return32 3 ,
+.Xr au_to_return64 3 ,
+.Xr au_to_return 3 ,
+.Xr au_to_seq 3 ,
+.Xr au_to_socket 3 ,
+.Xr au_to_socket_ex_32 3 ,
+.Xr au_to_socket_ex_128 3 ,
+.Xr au_to_sock_inet32 3 ,
+.Xr au_to_sock_inet128 3 ,
+.Xr au_to_sock_inet 3 ,
+.Xr au_to_subject32 3 ,
+.Xr au_to_subject64 3 ,
+.Xr au_to_subject 3 ,
+.Xr au_to_subject32_ex 3 ,
+.Xr au_to_subject64_ex 3 ,
+.Xr au_to_subject_ex 3 ,
+.Xr au_to_me 3 ,
+.Xr au_to_exec_args 3 ,
+.Xr au_to_exec_env 3 ,
+.Xr au_to_header32 3 ,
+.Xr au_to_header64 3 ,
+.Xr au_to_trailer 3 .
+.Ss Audit User Interfaces
+Audit user interfaces support the look up of information from the
+.Xr audit_user 5
+database:
+.Xr setauuser 3 ,
+.Xr endauuser 3 ,
+.Xr getauuserent 3 ,
+.Xr getauuserent_r 3 ,
+.Xr getauusernam 3 ,
+.Xr getauusernam_r 3 ,
+.Xr au_user_mask 3 ,
+.Xr getfauditflags 3 .
+.Sh SEE ALSO
+.Xr au_class 3 ,
+.Xr au_mask 3 ,
+.Xr au_notify 3 ,
+.Xr au_stream 3 ,
+.Xr au_token 3 ,
+.Xr au_user 3 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by Robert Watson, Wayne Salamon, and Suresh
+Krishnaswamy for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+Bugs would not be unlikely.
+.Pp
+The
+.Nm
+library implementations are generally thread-safe, but not reentrant.
+.Pp
+The assignment of routines to classes could use some work, as it is
+decidely ad hoc.
+For example,
+.Fn au_read_rec
+should probably be considered a stream routine.
diff --git a/contrib/openbsm/man/Makefile b/contrib/openbsm/man/Makefile
new file mode 100644
index 000000000000..fec665106ef0
--- /dev/null
+++ b/contrib/openbsm/man/Makefile
@@ -0,0 +1,19 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#5 $
+#
+
+MAN=	audit.2								\
+	auditctl.2							\
+	auditon.2							\
+	getaudit.2							\
+	getauid.2							\
+	setaudit.2							\
+	setauid.2							\
+	audit.log.5							\
+	audit_class.5							\
+	audit_control.5							\
+	audit_event.5							\
+	audit_user.5							\
+	audit_warn.5
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
new file mode 100644
index 000000000000..6e14899c2ad1
--- /dev/null
+++ b/contrib/openbsm/man/audit.2
@@ -0,0 +1,96 @@
+.\"-
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDIT 2
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Commit a BSM audit record to the audit log"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn audit "const char *record" "u_int length"
+.Sh DESCRIPTION
+.Fn audit
+submits a completed BSM audit record to the system audit log.
+.Pp
+.Fa record
+is a pointer to the the specific event to be recorded and
+.Vt length
+is the size in bytes of the data to be written.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn audit
+system call will fail and the data never written if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+The
+.Fa record
+argument is beyond the allocated address space of the process.
+.It Bq Er EINVAL
+The token ID is invalid or
+.Vt length
+is larger than
+.Vt MAXAUDITDATA .
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Fx
+kernel does not fully validate that the argument passed is syntactically
+valid BSM.
+Submitting invalid audit records may corrupt the audit log.
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
new file mode 100644
index 000000000000..5d2dec4f91d5
--- /dev/null
+++ b/contrib/openbsm/man/audit.log.5
@@ -0,0 +1,622 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $
+.\"
+.Dd May 1, 2005
+.Dt AUDIT.LOG 5
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Basic Security Module (BSM) File Format"
+.Sh DESCRIPTION
+The
+.Nm
+file format is based on Sun's Basic Security Module (BSM) file format, a
+token-based record stream to represent system audit data.
+This file format is both flexible and extensible, able to describe a broad
+range of data types, and easily extended to describe new data types in a
+moderately backward and forward compatible way.
+.Pp
+BSM token streams typically begin and end with a
+.Dv file
+token, which provides time stamp and file name information for the stream;
+when processing a BSM token stream from a stream as opposed to a single file
+source, file tokens may be seen at any point between ordinary records
+identifying when particular parts of the stream begin and end.
+All other tokens will appear in the context of a complete BSM audit record,
+which begins with a
+.Dv header
+token, and ends with a
+.Dv trailer
+token, which describe the audit record.
+Between these two tokens will appear a variety of data tokens, such as
+process information, file path names, IPC object information, MAC labels,
+socket information, and so on.
+.Pp
+The BSM file format defines specific token orders for each record event type;
+however, some variation may occur depending on the operating system in use,
+what system options, such as mandatory access control, are present.
+.Pp
+This manual page documents the common token types and their binary format, and
+is intended for reference purposes only.
+It is recommended that application programmers use the
+.Xr libbsm 3
+interface to read and write tokens, rather than parsing or constructing
+records by hand.
+.Ss File Token
+The
+.Dv file
+token is used at the beginning and end of an audit log file to indicate
+when the audit log begins and ends.
+It includes a pathname so that, if concatenated together, original file
+boundaries are still observable, and gaps in the audit log can be identified.
+A
+.Dv file
+token can be created using
+.Xr au_to_file 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
+.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
+.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
+.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
+.El
+.Ss Header Token
+The
+.Dv header
+token is used to mark the beginning of a complete audit record, and includes
+the length of the total record in bytes, a version number for the record
+layout, the event type and subtype, and the time at which the event occurred.
+A
+.Dv header
+token can be created using
+.Xr au_to_header32 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.El
+.Ss Expanded Header Token
+The
+.Dv expanded header
+token is an expanded version of the
+.Dv header
+token, with the addition of a machine IPv4 or IPv6 address.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv expanded header
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
+.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.El
+.Ss Trailer Token
+The
+.Dv trailer
+terminates a BSM audit record, and contains a magic number,
+.Dv TRAILER_PAD_MAGIC
+and length that can be used to validate that the record was read properly.
+A
+.Dv trailer
+token can be created using
+.Xr au_to_trailer 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
+.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.El
+.Ss Arbitrary Data Token
+The
+.Dv arbitrary data
+token contains a byte stream of opaque (untyped) data.
+The size of the data is calculated as the size of each unit of data
+multipled by the number of units of data.
+A
+.Dv How to print
+field is present to specify how to print the data, but interpretation of
+that field is not currently defined.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv arbitrary data
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
+.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
+.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
+.It Li "Data Items" Ta "Variable" Ta "User data"
+.El
+.Ss in_addr Token
+The
+.Dv in_addr
+token holds a network byte order IPv4 or IPv6 address.
+An
+.Dv in_addr
+token can be created using
+.Xr au_to_in_addr 3
+for an IPv4 address, or
+.Xr au_to_in_addr_ex 3
+for an IPv6 address.
+.Pp
+See the BUGS section for information on the storage of this token.
+.Pp
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
+.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.El
+.Ss Expanded in_addr Token
+The
+.Dv expanded in_addr
+token ...
+.Pp
+See the BUGS section for information on the storage of this token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It XXXX
+.El
+.Ss ip Token
+The
+.Dv ip
+token contains an IP packet header in network byte order.
+An
+.Dv ip
+token can be cread using
+.Xr au_to_ip 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
+.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
+.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
+.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
+.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
+.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
+.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
+.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
+.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
+.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address"
+.El
+.Ss Expanded ip Token
+The
+.Dv expanded ip
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It XXXX
+.El
+.Ss iport Token
+The
+.Dv iport
+token stores an IP port number in network byte order.
+An
+.Dv iport
+token can be created using
+.Xr au_to_iport 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
+.El
+.Ss Path Token
+The
+.Dv path
+token contains a pathname.
+A
+.Dv path
+token can be created using
+.Xr auto_path 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
+.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
+.El
+.Ss path_attr Token
+The
+.Dv path_attr
+token contains a set of nul-terminated path names.
+The
+.Xr libbsm 3
+API cannot currently create an
+.Dv path_attr
+token.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
+.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
+.El
+.Ss Process Token
+The
+.Dv process
+token contains a description of the security properties of a process
+involved as the target of an auditable event, such as the destination for
+signal delivery.
+It should not be confused with the
+.Dv subject
+token, which describes the subject performing an auditable event.
+This includes both the traditional
+.Ux
+security properties, such as user IDs and group IDs, but also audit
+information such as the audit user ID and sesion.
+A
+.Dv process
+token can be created using
+.Xr au_to_process32 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.El
+.Ss Expanded Process Token
+The .Dv expanded process
+token contains the contents of the
+.Dv process
+token, with the addition of a machine address type and variable length
+address storage capable of containing IPv6 addresses.
+A
+.Dv expanded process
+token can be created using
+.Xr au_to_process32_ex 3
+or
+.Xr au_to_process64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.El
+.Ss Return Token
+The
+.Dv return
+token contains a system call or library function return condition, including
+return value and error number associated with the global variable
+.Er errno .
+A 
+.Dv return
+token can be created using
+.Xr au_to_return32 3
+or
+.Xr au_to_return64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
+.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
+.El
+.Ss Subject Token
+The
+.Dv subject
+token contains information on the subject performing the operation described
+by an audit record, and includes similar information to that found in the
+.Dv process
+and
+.Dv expanded process
+tokens.
+However, those tokens are used where the process being described is the
+target of the operation, not the authorizing party.
+A
+.Dv subject
+token can be created using
+.Xr au_to_subject32 3
+and
+.Xr au_to_subject64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.El
+.Ss Expanded Subject Token
+The
+.Dv expanded subject
+token consists of the same elements as the
+.Dv subject
+token, with the addition of type/length and variable size machine address
+information in the terminal ID.
+A
+.Dv expanded subject
+token can be created using
+.Xr au_to_subject32_ex 3
+or
+.Xr au_to_subject64_ex 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.El
+.Ss System V IPC Token
+The
+.Dv System V IPC
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Text Token
+The
+.Dv text
+token contains a single nul-terminated text string.
+A
+.Dv text
+token may be created using
+.Xr au_to_text 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
+.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
+.El
+.Ss Attribute Token
+The
+.Dv attribute
+token describes the attributes of a file associated with the audit event.
+As files may be identified by 0, 1, or many path names, a path name is not
+included with the attribute block for a file; optional
+.Dv path
+tokens may also be present in an audit record indicating which path, if any,
+was used to reach the object.
+A
+.Dv attribute
+token can be created using
+.Xr au_to_attr32 3
+or
+.Xr au_to_attr64 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
+.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
+.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
+.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
+.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
+.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
+.El
+.Ss Groups Token
+The
+.Dv groups
+token contains a list of group IDs associated with the audit event.
+A
+.Dv groups
+token can be created using
+.Xr au_to_groups 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
+.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
+.El
+.Ss System V IPC Permission Token
+The
+.Dv System V IPC permission
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Arg Token
+The
+.Dv arg
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss exec_args Token
+The
+.Dv exec_args
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss exec_env Token
+The
+.Dv exec_env
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Exit Token
+The
+.Dv exit
+token contains process exit/return code information.
+An
+.Dv exit
+token can be created using
+.Xr au_to_exit 3 .
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
+.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
+.El
+.Ss Socket Token
+The
+.Dv socket
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Expanded Socket Token
+The
+.Dv expanded socket
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Seq Token
+The
+.Dv seq
+token contains a unique and monotonically increasing audit event sequence ID.
+Due to the limited range of 32 bits, serial number arithmetic and caution
+should be used when comparing sequence numbers.
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
+.El
+.Ss privilege Token
+The
+.Dv privilege
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Use-of-auth Token
+The
+.Dv use-of-auth
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Command Token
+The
+.Dv command
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss ACL Token
+The
+.Dv ACL
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Ss Zonename Token
+The
+.Dv zonename
+token ...
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It Li XXXXX
+.El
+.Sh SEE ALSO
+.Xr libbsm 3
+.Sh AUTHORS
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Dv How to print
+field in the
+.Dv arbitrary data
+token has undefined values.
+.Pp
+The
+.Dv in_addr
+and
+.Dv in_addr_ex
+token layout documented here appears to be in conflict with the
+.Xr libbsm 3
+implementations of
+.Xr au_to_in_addr 3
+and
+.Xr au_to_in_addr_ex 3 .
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
new file mode 100644
index 000000000000..81b60cb5c7ea
--- /dev/null
+++ b/contrib/openbsm/man/audit_class.5
@@ -0,0 +1,70 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CLASS 5
+.Os
+.Sh NAME
+.Nm audit_class
+.Nd "contains audit event class descriptions"
+.Sh DESCRIPTION
+The
+.Nm 
+file contains descriptions of the auditable event classes on the system.
+Each auditable event is a member of an event class.
+Each line maps an audit event 
+mask (bitmap) to a class and a description.
+Entries are of the form 
+.Dl classmask:eventclass:description.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000080:pc:process
+0xffffffff:all:all flags set
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_class" -compact
+.It Pa /etc/security/audit_class
+.El
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
new file mode 100644
index 000000000000..d39b68129cff
--- /dev/null
+++ b/contrib/openbsm/man/audit_control.5
@@ -0,0 +1,121 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CONTROL 5
+.Os
+.Sh NAME
+.Nm audit_control
+.Nd "contains audit system parameters"
+.Sh DESCRIPTION
+The
+.Nm
+file contains several audit system parameters.
+Each line of this file is of the form:
+.Dl parameter:value.
+The parameters are:
+.Bl -tag -width Ds
+.It Pa dir
+The directory where audit log files are stored.
+There may be more than one of these entries.
+Changes to this entry can only be enacted by restarting the
+audit system.
+See
+.Xr audit 1
+for a description of how to restart the audit system.
+.It Va flags
+Specifies which audit event classes are audited for all users.  
+.Xr audit_user 5
+describes how to audit events for individual users.
+See the information below for the format of the audit flags.
+.It Va naflags
+Contains the audit flags that define what classes of events are audited when
+an action cannot be attributed to a specific user.
+.It Va minfree
+The minimum free space required on the file system audit logs are being written to.
+When the free space falls below this limit a warning will be issued.
+Not currently used as the value of 20 percent is chosen by the kernel.
+.El
+.Sh AUDIT FLAGS
+Audit flags are a comma delimited list of audit classes as defined in the
+audit_class file.
+See
+.Xr audit_class 5
+for details.
+Event classes may be preceded by a prefix which changes their interpretation.
+The following prefixes may be used for each class:
+.Bl -tag -width Ds -compact -offset indent
+.It +
+Record successful events
+.It -
+Record failed events
+.It ^
+Record both successful and failed events
+.It ^+
+Don't record successful events
+.It ^-
+Don't record failed events
+.El
+.Sh DEFAULT
+The following settings appear in the default
+.Nm
+file:
+.Bd -literal -offset indent
+dir:/var/audit
+flags:lo,ad,-all,^-fc,^-cl
+minfree:20
+naflags:lo
+.Ed
+.Pp
+The
+.Va flags
+parameter above specifies the system-wide mask corresponding to login/logout
+events, administrative events, and all failures except for failures in creating
+or closing files.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+.El
+.Sh SEE ALSO
+.Xr audit 1 ,
+.Xr auditd 8 ,
+.Xr audit_class 5 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
new file mode 100644
index 000000000000..36029ef3b90f
--- /dev/null
+++ b/contrib/openbsm/man/audit_event.5
@@ -0,0 +1,74 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_EVENT 5
+.Os
+.Sh NAME
+.Nm audit_event
+.Nd "contains audit event descriptions"
+.Sh DESCRIPTION
+The
+.Nm 
+file contains descriptions of the auditable events on the system.
+Each line maps an audit event number to a name, a description, and a class.
+Entries are of the form
+.Dl eventnum:eventname:description:eventclass .
+Each
+.Vt eventclass
+should have a corresponding entry in the audit_class file.
+See 
+.Xr audit_class 5
+for details.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2):fa
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_event" -compact
+.It Pa /etc/security/audit_event
+.El
+.Sh SEE ALSO
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
new file mode 100644
index 000000000000..abb74a322123
--- /dev/null
+++ b/contrib/openbsm/man/audit_user.5
@@ -0,0 +1,91 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_USER 5
+.Os
+.Sh NAME
+.Nm audit_user
+.Nd "specifies events to be audited for the given users"
+.Sh DESCRIPTION
+The
+.Nm 
+file specifies which audit event classes are to be audited for the given users.
+If specified, these flags are combined with the system-wide audit flags in the
+.Pa audit_control
+file to determine which classes of events to audit for that user.
+These settings take effect when the user logs in.
+.Pp
+Each line maps a user name to a list of classes that should be audited and a
+list of classes that should not be audited. 
+Entries are of the form of
+.Dl username:alwaysaudit:neveraudit ,
+where
+.Vt alwaysaudit
+is a set of event classes that are always audited, and
+.Vt neveraudit
+is a set of event classes that should not be audited.
+These sets can indicate
+the inclusion or exclusion of multiple classes, and whether to audit successful
+or failed events.
+See
+.Xr audit_control 5
+for more information about audit flags.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+root:lo,ad:no
+jdoe:-fc,ad:+fw
+.Ed
+.Pp
+These settings would cause login and administrative events that succeed on
+behalf of user root to be audited.
+No failure events are audited.
+For the user
+.Em jdoe ,
+failed file creation events are audited, administrative events are
+audited, and successful file write events are never audited.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_user" -compact
+.It Pa /etc/security/audit_user
+.El
+.Sh SEE ALSO
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
new file mode 100644
index 000000000000..4581d8c87bf6
--- /dev/null
+++ b/contrib/openbsm/man/audit_warn.5
@@ -0,0 +1,69 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\" 
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1.  Redistributions of source code must retain the above copyright
+.\"     notice, this list of conditions and the following disclaimer. 
+.\" 2.  Redistributions in binary form must reproduce the above copyright
+.\"     notice, this list of conditions and the following disclaimer in the
+.\"     documentation and/or other materials provided with the distribution. 
+.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\"     its contributors may be used to endorse or promote products derived
+.\"     from this software without specific prior written permission. 
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
+.\"
+.Dd Mar 17, 2004
+.Dt AUDIT_WARN 5
+.Os
+.Sh NAME
+.Nm audit_warn
+.Nd "alert when audit daemon issues warnings"
+.Sh DESCRIPTION
+.Nm 
+runs when 
+.Xr auditd 8
+generates warning messages.  
+.Pp
+The default 
+.Nm
+is a script whose first parameter is the type of warning; the script
+appends its arguments to 
+.Pa /etc/security/audit_messages .
+Administrators may replace this script: a more comprehensive one would take
+different actions based on the type of warning.
+For example, a low-space warning
+could result in an email message being sent to the administrator.  
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_warn" -compact
+.It Pa /etc/security/audit_warn
+.It Pa /etc/security/audit_messages
+.El
+.Sh SEE ALSO
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
new file mode 100644
index 000000000000..48bec1cd2cbb
--- /dev/null
+++ b/contrib/openbsm/man/auditctl.2
@@ -0,0 +1,78 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITCTL 2
+.Os
+.Sh NAME
+.Nm auditctl
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "const char *path"
+.Sh DESCRIPTION
+The
+.Fn auditctl
+system call directs the kernel to open a new audit trail log file.
+.Fn auditctl
+requires appropriate privilege.
+In the
+.Fx
+implementation,
+.Fn auditctl
+opens new files, but
+.Fn auditon
+is used to disable the audit log.
+In the Mac OS X implementation, passing
+.Va NULL
+to
+.Fn auditctl
+will disable the audit log.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
new file mode 100644
index 000000000000..4e38dc4f68fc
--- /dev/null
+++ b/contrib/openbsm/man/auditon.2
@@ -0,0 +1,288 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Wayne J. Salamon
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITON 2
+.Os
+.Sh NAME
+.Nm auditon
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "int cmd" "void *data" "u_int length"
+.Sh DESCRIPTION
+The
+.Nm
+system call is used to manipulate various audit control operations.
+.Ft *data
+should point to a structure whose type depends on the command.
+.Ft length
+specifies the size of the 
+.Em data 
+in bytes.
+.Ft cmd
+may be any of the following:
+.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
+.It Dv A_SETPOLICY
+Set audit policy flags.
+.Ft *data
+must point to an long value set to one of the audit 
+policy control values defined in audit.h.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+In the
+.Dv AUDIT_CNT
+case, the action will continue regardless if
+an event will not be audited.
+In the
+.Dv AUDIT_AHLT
+case, a
+.Xr panic 9
+will result if an event will not be written to the
+audit log file.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_SETKMASK
+Set the kernel preselection masks (success and failure).
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure containing the mask values.
+These masks are used for non-attributable audit event preselection.
+.It Dv A_SETQCTRL
+Set kernel audit queue parameters.
+.Ft *data
+must point to a 
+.Ft au_qctrl_t
+structure containing the
+kernel audit queue control settings:
+.Va high water ,
+.Va low water ,
+.Va output buffer size ,
+.Va percent min free disk space ,
+and
+.Em delay
+(not currently used).
+.It Dv A_SETSTAT
+Return
+.Er ENOSYS .
+.It Dv A_SETUMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETSMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETCOND
+Set the current auditing condition.
+.Ft *data
+must point to an long value containing the new
+audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT ,
+or
+.Dv AUC_DISABLED .
+.It Dv A_SETCLASS
+Set the event class preselection mask for an audit event.
+.Ft *data
+must point to a 
+.Ft au_evclass_map_t
+structure containing the audit event and mask.
+.It Dv A_SETPMASK
+Set the preselection masks for a process.
+.Ft *data
+must point to a 
+.Ft auditpinfo_t
+structure that contains the given process's audit 
+preselection masks for both success and failure.
+.It Dv A_SETFSIZE
+Set the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure with the
+.Ft af_filesz
+field set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETCLASS
+Return the event to class mapping for the designated audit event.
+.Ft *data
+must point to a 
+.Ft au_evclass_map_t
+structure.
+.It Dv A_GETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETPINFO
+Return the audit settings for a process.
+.Ft *data
+must point to a
+.Ft auditpinfo_t
+structure which will be set to contain
+the audit ID, preselection mask, terminal ID, and audit session
+ID of the given process.
+.It Dv A_GETPINFO_ADDR
+Return
+.Er ENOSYS .
+.It Dv A_GETKMASK
+Return the current kernel preselection masks.
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure which will be set to 
+the current kernel preselection masks for non-attributable events.
+.It Dv A_GETPOLICY
+Return the current audit policy setting.
+.Ft *data
+must point to an long value which will be set to
+one of the current audit policy flags.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+.It Dv A_GETQCTRL
+Return the current kernel audit queue control parameters.
+.Ft *data
+must point to a 
+.Ft au_qctrl_t
+structure which will be set to the current
+kernel audit queue control parameters.
+.It Dv A_GETFSIZE
+Returns the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure. The
+.Ft af_filesz
+field will set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+The
+.Ft af_filesz
+will be set to the current audit log file size.
+.It Dv A_GETCWD
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\" Return the current working directory as stored in the audit subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETCAR
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Stores and returns the current active root as stored in the audit
+.\"subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETSTAT
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Return the statistics stored in the audit system.
+Return
+.Er ENOSYS .
+.It Dv A_GETCOND
+Return the current auditing condition.
+.Ft *data
+must point to a long value which will be set to
+the current audit condition, either
+.Dv AUC_AUDITING
+or
+.Dv AUC_NOAUDIT .
+.It Dv A_SENDTRIGGER
+Send a trigger to the audit daemon.
+.Fr *data
+must point to a long value set to one of the acceptable
+trigger values:
+.Dv AUDIT_TRIGGER_LOW_SPACE
+(low disk space where the audit log resides),
+.Dv AUDIT_TRIGGER_OPEN_NEW
+(open a new audit log file),
+.Dv AUDIT_TRIGGER_READ_FILE
+(read the audit_control file),
+.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
+(close the current log file and exit),
+or
+.Dv AUDIT_TRIGGER_NO_SPACE
+(no disk space left for audit log file).
+.El
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn auditon
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er ENOSYS
+Returned by options not yet implemented.
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Pp
+The
+.Dv A_SENDTRIGGER
+command is specific to the
+.Fx
+and Mac OS X implementations, and is not present in Solaris.
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org ,
+.An Robert Watson Aq rwatson@FreeBSD.org ,
+and
+.An Wayne Salamon Aq wsalamon@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
new file mode 100644
index 000000000000..c20aab00073d
--- /dev/null
+++ b/contrib/openbsm/man/getaudit.2
@@ -0,0 +1,80 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUDIT 2
+.Os
+.Sh NAME
+.Nm getaudit ,
+.Nm getaudit_addr
+.Nd "Retrieve audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
+.Sh DESCRIPTION
+.Fn getaudit
+retrieves the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn getaudit_addr
+retrieves extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr setaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
new file mode 100644
index 000000000000..de36f731df3c
--- /dev/null
+++ b/contrib/openbsm/man/getauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUID 2
+.Os
+.Sh NAME
+.Nm getauid
+.Nd "Retrieve audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+retrieves the active audit session ID for the current process via the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
new file mode 100644
index 000000000000..2d994ecfb0cf
--- /dev/null
+++ b/contrib/openbsm/man/setaudit.2
@@ -0,0 +1,81 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUDIT 2
+.Os
+.Sh NAME
+.Nm setaudit ,
+.Nm setaudit_addr
+.Nd "Set audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn setaudit_addr
+sets extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
new file mode 100644
index 000000000000..d03b0d9474e9
--- /dev/null
+++ b/contrib/openbsm/man/setauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUID 2
+.Os
+.Sh NAME
+.Nm setauid
+.Nd "Set audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session ID for the current process from the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/tools/Makefile b/contrib/openbsm/tools/Makefile
new file mode 100644
index 000000000000..79e582d03f1d
--- /dev/null
+++ b/contrib/openbsm/tools/Makefile
@@ -0,0 +1,13 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/tools/Makefile#3 $
+#
+
+CFLAGS+=	-I- -I .. -I ../libbsm -L ../libbsm -I.
+PROG=		audump
+NO_MAN=
+DPADD=		/usr/lib/libbsm.a
+LDADD=		-lbsm
+BINDIR=		/usr/sbin
+WARNS=		3
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/tools/audump.c b/contrib/openbsm/tools/audump.c
new file mode 100644
index 000000000000..f1429b599fef
--- /dev/null
+++ b/contrib/openbsm/tools/audump.c
@@ -0,0 +1,234 @@
+/*-
+ * Copyright (c) 2005 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#4 $
+ */
+
+#include <bsm/libbsm.h>
+#include <string.h>
+#include <err.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+ * Simple tool to dump various /etc/security databases using the defined APIs.
+ */
+
+static void
+usage(void)
+{
+
+	fprintf(stderr, "usage: dump [class|class_r|control|event|event_r|"
+	    "user|user_r]\n");
+	exit(-1);
+}
+
+static void
+audump_class(void)
+{
+	au_class_ent_t *cp;
+
+	while ((cp = getauclassent()) != NULL)
+		printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name,
+		    cp->ac_desc);
+}
+
+static void
+audump_class_r(void)
+{
+	char class_ent_name[AU_CLASS_NAME_MAX];
+	char class_ent_desc[AU_CLASS_DESC_MAX];
+	au_class_ent_t c, *cp;
+
+	bzero(&c, sizeof(c));
+	bzero(class_ent_name, sizeof(class_ent_name));
+	bzero(class_ent_desc, sizeof(class_ent_desc));
+	c.ac_name = class_ent_name;
+	c.ac_desc = class_ent_desc;
+
+	while ((cp = getauclassent_r(&c)) != NULL)
+		printf("0x%08x:%s:%s\n", cp->ac_class, cp->ac_name,
+		    cp->ac_desc);
+}
+
+static void
+audump_control(void)
+{
+	char string[PATH_MAX];
+	int ret, val;
+
+	ret = getacflg(string, PATH_MAX);
+	if (ret == -2)
+		err(-1, "getacflg");
+	if (ret != 0)
+		errx(-1, "getacflg: %d", ret);
+
+	printf("flags:%s\n", string);
+
+	ret = getacmin(&val);
+	if (ret == -2)
+		err(-1, "getacmin");
+	if (ret != 0)
+		errx(-1, "getacmin: %d", ret);
+
+	printf("min:%d\n", val);
+
+	ret = getacna(string, PATH_MAX);
+	if (ret == -2)
+		err(-1, "getacna");
+	if (ret != 0)
+		errx(-1, "getacna: %d", ret);
+
+	printf("naflags:%s\n", string);
+
+	setac();
+	do {
+		ret = getacdir(string, PATH_MAX);
+		if (ret == -1)
+			break;
+		if (ret == -2)
+			err(-1, "getacdir");
+		if (ret != 0)
+			errx(-1, "getacdir: %d", ret);
+		printf("dir:%s\n", string);
+
+	} while (ret == 0);
+}
+
+static void
+printf_classmask(au_class_t classmask)
+{
+	au_class_ent_t *c;
+	u_int32_t i;
+	int first;
+
+	first = 1;
+	for (i = 0; i < 32; i++) {
+		if (classmask & (2 << i)) {
+			if (first)
+				first = 0;
+			else
+				printf(",");
+			c = getauclassnum(2 << i);
+			if (c != NULL)
+				printf("%s", c->ac_name);
+			else
+				printf("0x%x", 2 << i);
+		}
+	}
+}
+
+static void
+audump_event(void)
+{
+	au_event_ent_t *ep;
+
+	while ((ep = getauevent()) != NULL) {
+		printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc);
+		printf_classmask(ep->ae_class);
+		printf("\n");
+	}
+}
+
+static void
+audump_event_r(void)
+{
+	char event_ent_name[AU_EVENT_NAME_MAX];
+	char event_ent_desc[AU_EVENT_DESC_MAX];
+	au_event_ent_t e, *ep;
+
+	bzero(&e, sizeof(e));
+	bzero(event_ent_name, sizeof(event_ent_name));
+	bzero(event_ent_desc, sizeof(event_ent_desc));
+	e.ae_name = event_ent_name;
+	e.ae_desc = event_ent_desc;
+
+	while ((ep = getauevent_r(&e)) != NULL) {
+		printf("%d:%s:%s:", ep->ae_number, ep->ae_name, ep->ae_desc);
+		printf_classmask(ep->ae_class);
+		printf("\n");
+	}
+}
+
+static void
+audump_user(void)
+{
+	au_user_ent_t *up;
+
+	while ((up = getauuserent()) != NULL) {
+		printf("%s:", up->au_name);
+		// printf_classmask(up->au_always);
+		printf(":");
+		// printf_classmask(up->au_never);
+		printf("\n");
+	}
+}
+
+static void
+audump_user_r(void)
+{
+	char user_ent_name[AU_USER_NAME_MAX];
+	au_user_ent_t u, *up;
+
+	bzero(&u, sizeof(u));
+	bzero(user_ent_name, sizeof(user_ent_name));
+	u.au_name = user_ent_name;
+
+	while ((up = getauuserent_r(&u)) != NULL) {
+		printf("%s:", up->au_name);
+		// printf_classmask(up->au_always);
+		printf(":");
+		// printf_classmask(up->au_never);
+		printf("\n");
+	}
+}
+
+int
+main(int argc, char *argv[])
+{
+
+	if (argc != 2)
+		usage();
+
+	if (strcmp(argv[1], "class") == 0)
+		audump_class();
+	else if (strcmp(argv[1], "class_r") == 0)
+		audump_class_r();
+	else if (strcmp(argv[1], "control") == 0)
+		audump_control();
+	else if (strcmp(argv[1], "event") == 0)
+		audump_event();
+	else if (strcmp(argv[1], "event_r") == 0)
+		audump_event_r();
+	else if (strcmp(argv[1], "user") == 0)
+		audump_user();
+	else if (strcmp(argv[1], "user_r") == 0)
+		audump_user_r();
+	else
+		usage();
+
+	return (0);
+}