Diffstat (limited to 'contrib/openbsm/man')
-rw-r--r-- | contrib/openbsm/man/Makefile | 19 | ||||
-rw-r--r-- | contrib/openbsm/man/audit.2 | 96 | ||||
-rw-r--r-- | contrib/openbsm/man/audit.log.5 | 622 | ||||
-rw-r--r-- | contrib/openbsm/man/audit_class.5 | 70 | ||||
-rw-r--r-- | contrib/openbsm/man/audit_control.5 | 121 | ||||
-rw-r--r-- | contrib/openbsm/man/audit_event.5 | 74 | ||||
-rw-r--r-- | contrib/openbsm/man/audit_user.5 | 91 | ||||
-rw-r--r-- | contrib/openbsm/man/audit_warn.5 | 69 | ||||
-rw-r--r-- | contrib/openbsm/man/auditctl.2 | 78 | ||||
-rw-r--r-- | contrib/openbsm/man/auditon.2 | 288 | ||||
-rw-r--r-- | contrib/openbsm/man/getaudit.2 | 80 | ||||
-rw-r--r-- | contrib/openbsm/man/getauid.2 | 74 | ||||
-rw-r--r-- | contrib/openbsm/man/setaudit.2 | 81 | ||||
-rw-r--r-- | contrib/openbsm/man/setauid.2 | 74 |
14 files changed, 1837 insertions, 0 deletions
diff --git a/contrib/openbsm/man/Makefile b/contrib/openbsm/man/Makefile
new file mode 100644
index 000000000000..fec665106ef0
--- /dev/null
+++ b/contrib/openbsm/man/Makefile
@@ -0,0 +1,19 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/man/Makefile#5 $
+#
+
+MAN= audit.2 \
+ auditctl.2 \
+ auditon.2 \
+ getaudit.2 \
+ getauid.2 \
+ setaudit.2 \
+ setauid.2 \
+ audit.log.5 \
+ audit_class.5 \
+ audit_control.5 \
+ audit_event.5 \
+ audit_user.5 \
+ audit_warn.5
+
+.include <bsd.prog.mk>
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
new file mode 100644
index 000000000000..6e14899c2ad1
--- /dev/null
+++ b/contrib/openbsm/man/audit.2
@@ -0,0 +1,96 @@
+.\"-
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDIT 2
+.Os
+.Sh NAME
+.Nm audit
+.Nd "Commit a BSM audit record to the audit log"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn audit "const char *record" "u_int length"
+.Sh DESCRIPTION
+.Fn audit
+submits a completed BSM audit record to the system audit log.
+.Pp
+.Fa record
+is a pointer to the the specific event to be recorded and
+.Vt length
+is the size in bytes of the data to be written.
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn audit
+system call will fail and the data never written if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+The
+.Fa record
+argument is beyond the allocated address space of the process.
+.It Bq Er EINVAL
+The token ID is invalid or
+.Vt length
+is larger than
+.Vt MAXAUDITDATA .
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Sh SEE ALSO
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Sh BUGS
+The
+.Fx
+kernel does not fully validate that the argument passed is syntactically
+valid BSM.
+Submitting invalid audit records may corrupt the audit log.
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
new file mode 100644
index 000000000000..5d2dec4f91d5
--- /dev/null
+++ b/contrib/openbsm/man/audit.log.5
@@ -0,0 +1,622 @@ +.\"- +.\" Copyright (c) 2005 Robert N. M. Watson +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#6 $ +.\" +.Dd May 1, 2005 +.Dt AUDIT.LOG 5 +.Os +.Sh NAME +.Nm audit +.Nd "Basic Security Module (BSM) File Format" +.Sh DESCRIPTION +The +.Nm +file format is based on Sun's Basic Security Module (BSM) file format, a +token-based record stream to represent system audit data. +This file format is both flexible and extensible, able to describe a broad +range of data types, and easily extended to describe new data types in a +moderately backward and forward compatible way. 
+.Pp +BSM token streams typically begin and end with a +.Dv file +token, which provides time stamp and file name information for the stream; +when processing a BSM token stream from a stream as opposed to a single file +source, file tokens may be seen at any point between ordinary records +identifying when particular parts of the stream begin and end. +All other tokens will appear in the context of a complete BSM audit record, +which begins with a +.Dv header +token, and ends with a +.Dv trailer +token, which describe the audit record. +Between these two tokens will appear a variety of data tokens, such as +process information, file path names, IPC object information, MAC labels, +socket information, and so on. +.Pp +The BSM file format defines specific token orders for each record event type; +however, some variation may occur depending on the operating system in use, +what system options, such as mandatory access control, are present. +.Pp +This manual page documents the common token types and their binary format, and +is intended for reference purposes only. +It is recommended that application programmers use the +.Xr libbsm 3 +interface to read and write tokens, rather than parsing or constructing +records by hand. +.Ss File Token +The +.Dv file +token is used at the beginning and end of an audit log file to indicate +when the audit log begins and ends. +It includes a pathname so that, if concatenated together, original file +boundaries are still observable, and gaps in the audit log can be identified. +A +.Dv file +token can be created using +.Xr au_to_file 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Seconds" Ta "4 bytes" Ta "File time stamp" +.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp" +.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail" +.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail" +.El +.Ss Header Token +The +.Dv header +token is used to mark the beginning of a complete audit record, and includes +the length of the total record in bytes, a version number for the record +layout, the event type and subtype, and the time at which the event occurred. +A +.Dv header +token can be created using +.Xr au_to_header32 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.It Li "Version Number" Ta "2 bytes" Ta "Record version number" +.It Li "Event Type" Ta "2 bytes" Ta "Event type" +.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" +.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" +.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" +.El +.Ss Expanded Header Token +The +.Dv expanded header +token is an expanded version of the +.Dv header +token, with the addition of a machine IPv4 or IPv6 address. +The +.Xr libbsm 3 +API cannot currently create an +.Dv expanded header +token. 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.It Li "Version Number" Ta "2 bytes" Ta "Record version number" +.It Li "Event Type" Ta "2 bytes" Ta "Event type" +.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type" +.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length" +.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" +.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)" +.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)" +.El +.Ss Trailer Token +The +.Dv trailer +terminates a BSM audit record, and contains a magic number, +.Dv TRAILER_PAD_MAGIC +and length that can be used to validate that the record was read properly. +A +.Dv trailer +token can be created using +.Xr au_to_trailer 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number" +.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record" +.El +.Ss Arbitrary Data Token +The +.Dv arbitrary data +token contains a byte stream of opaque (untyped) data. +The size of the data is calculated as the size of each unit of data +multipled by the number of units of data. +A +.Dv How to print +field is present to specify how to print the data, but interpretation of +that field is not currently defined. +The +.Xr libbsm 3 +API cannot currently create an +.Dv arbitrary data +token. 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information" +.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes" +.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present" +.It Li "Data Items" Ta "Variable" Ta "User data" +.El +.Ss in_addr Token +The +.Dv in_addr +token holds a network byte order IPv4 or IPv6 address. +An +.Dv in_addr +token can be created using +.Xr au_to_in_addr 3 +for an IPv4 address, or +.Xr au_to_in_addr_ex 3 +for an IPv6 address. +.Pp +See the BUGS section for information on the storage of this token. +.Pp +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "IP Address Type" Ta "1 byte" Ta "Type of address" +.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address" +.El +.Ss Expanded in_addr Token +The +.Dv expanded in_addr +token ... +.Pp +See the BUGS section for information on the storage of this token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It XXXX +.El +.Ss ip Token +The +.Dv ip +token contains an IP packet header in network byte order. +An +.Dv ip +token can be cread using +.Xr au_to_ip 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length" +.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field" +.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order" +.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly" +.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order" +.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live" +.It Li "Protocol" Ta "1 byte" Ta "IP protocol number" +.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order" +.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address" +.It Li "Desintation Address" Ta "4 bytes" Ta "IPv4 destination address" +.El +.Ss Expanded ip Token +The +.Dv expanded ip +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It XXXX +.El +.Ss iport Token +The +.Dv iport +token stores an IP port number in network byte order. +An +.Dv iport +token can be created using +.Xr au_to_iport 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order" +.El +.Ss Path Token +The +.Dv path +token contains a pathname. +A +.Dv path +token can be created using +.Xr auto_path 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes" +.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name" +.El +.Ss path_attr Token +The +.Dv path_attr +token contains a set of nul-terminated path names. +The +.Xr libbsm 3 +API cannot currently create an +.Dv path_attr +token. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token" +.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)" +.El +.Ss Process Token +The +.Dv process +token contains a description of the security properties of a process +involved as the target of an auditable event, such as the destination for +signal delivery. +It should not be confused with the +.Dv subject +token, which describes the subject performing an auditable event. +This includes both the traditional +.Ux +security properties, such as user IDs and group IDs, but also audit +information such as the audit user ID and sesion. +A +.Dv process +token can be created using +.Xr au_to_process32 3 +or +.Xr au_to_process64 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" +.El +.Ss Expanded Process Token +The .Dv expanded process +token contains the contents of the +.Dv process +token, with the addition of a machine address type and variable length +address storage capable of containing IPv6 addresses. +A +.Dv expanded process +token can be created using +.Xr au_to_process32_ex 3 +or +.Xr au_to_process64 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" +.El +.Ss Return Token +The +.Dv return +token contains a system call or library function return condition, including +return value and error number associated with the global variable +.Er errno . +A +.Dv return +token can be created using +.Xr au_to_return32 3 +or +.Xr au_to_return64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined" +.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)" +.El +.Ss Subject Token +The +.Dv subject +token contains information on the subject performing the operation described +by an audit record, and includes similar information to that found in the +.Dv process +and +.Dv expanded process +tokens. +However, those tokens are used where the process being described is the +target of the operation, not the authorizing party. +A +.Dv subject +token can be created using +.Xr au_to_subject32 3 +and +.Xr au_to_subject64 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine" +.El +.Ss Expanded Subject Token +The +.Dv expanded subject +token consists of the same elements as the +.Dv subject +token, with the addition of type/length and variable size machine address +information in the terminal ID. +A +.Dv expanded subject +token can be created using +.Xr au_to_subject32_ex 3 +or +.Xr au_to_subject64_ex 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID" +.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID" +.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID" +.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID" +.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID" +.It Li "Process ID" Ta "4 bytes" Ta "Process ID" +.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID" +.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)" +.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address" +.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine" +.El +.Ss System V IPC Token +The +.Dv System V IPC +token ... 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Text Token +The +.Dv text +token contains a single nul-terminated text string. +A +.Dv text +token may be created using +.Xr au_to_text 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul" +.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul" +.El +.Ss Attribute Token +The +.Dv attribute +token describes the attributes of a file associated with the audit event. +As files may be identified by 0, 1, or many path names, a path name is not +included with the attribute block for a file; optional +.Dv path +tokens may also be present in an audit record indicating which path, if any, +was used to reach the object. +A +.Dv attribute +token can be created using +.Xr au_to_attr32 3 +or +.Xr au_to_attr64 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file" +.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file" +.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file" +.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file" +.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file" +.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)" +.El +.Ss Groups Token +The +.Dv groups +token contains a list of group IDs associated with the audit event. +A +.Dv groups +token can be created using +.Xr au_to_groups 3 . 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token" +.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs" +.El +.Ss System V IPC Permission Token +The +.Dv System V IPC permission +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Arg Token +The +.Dv arg +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss exec_args Token +The +.Dv exec_args +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss exec_env Token +The +.Dv exec_env +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Exit Token +The +.Dv exit +token contains process exit/return code information. +An +.Dv exit +token can be created using +.Xr au_to_exit 3 . +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Status" Ta "4 bytes" Ta "Process status on exit" +.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit" +.El +.Ss Socket Token +The +.Dv socket +token ... 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Expanded Socket Token +The +.Dv expanded socket +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Seq Token +The +.Dv seq +token contains a unique and monotonically increasing audit event sequence ID. +Due to the limited range of 32 bits, serial number arithmetic and caution +should be used when comparing sequence numbers. +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number" +.El +.Ss privilege Token +The +.Dv privilege +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Use-of-auth Token +The +.Dv use-of-auth +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Command Token +The +.Dv command +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss ACL Token +The +.Dv ACL +token ... +.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Ss Zonename Token +The +.Dv zonename +token ... 
+.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description" +.It Sy "Field" Ta Sy Bytes Ta Sy Description +.It Li "Token ID" Ta "1 byte" Ta "Token ID" +.It Li XXXXX +.El +.Sh SEE ALSO +.Xr libbsm 3 +.Sh AUTHORS +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Pp +This manual page was written by +.An Robert Watson Aq rwatson@FreeBSD.org . +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. +.Sh BUGS +The +.Dv How to print +field in the +.Dv arbitrary data +token has undefined values. +.Pp +The +.Dv in_addr +and +.Dv in_addr_ex +token layout documented here appears to be in conflict with the +.Xr libbsm 3 +implementations of +.Xr au_to_in_addr 3 +and +.Xr au_to_in_addr_ex 3 . diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5 new file mode 100644 index 000000000000..81b60cb5c7ea --- /dev/null +++ b/contrib/openbsm/man/audit_class.5 
@@ -0,0 +1,70 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CLASS 5
+.Os
+.Sh NAME
+.Nm audit_class
+.Nd "contains audit event class descriptions"
+.Sh DESCRIPTION
+The
+.Nm
+file contains descriptions of the auditable event classes on the system.
+Each auditable event is a member of an event class.
+Each line maps an audit event
+mask (bitmap) to a class and a description.
+Entries are of the form
+.Dl classmask:eventclass:description.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0x00000000:no:invalid class
+0x00000001:fr:file read
+0x00000002:fw:file write
+0x00000004:fa:file attribute access
+0x00000080:pc:process
+0xffffffff:all:all flags set
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_class" -compact
+.It Pa /etc/security/audit_class
+.El
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
new file mode 100644
index 000000000000..d39b68129cff
--- /dev/null
+++ b/contrib/openbsm/man/audit_control.5
@@ -0,0 +1,121 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_CONTROL 5
+.Os
+.Sh NAME
+.Nm audit_control
+.Nd "contains audit system parameters"
+.Sh DESCRIPTION
+The
+.Nm
+file contains several audit system parameters.
+Each line of this file is of the form:
+.Dl parameter:value.
+The parameters are:
+.Bl -tag -width Ds
+.It Pa dir
+The directory where audit log files are stored.
+There may be more than one of these entries.
+Changes to this entry can only be enacted by restarting the
+audit system.
+See
+.Xr audit 1
+for a description of how to restart the audit system.
+.It Va flags
+Specifies which audit event classes are audited for all users.
+.Xr audit_user 5
+describes how to audit events for individual users.
+See the information below for the format of the audit flags.
+.It Va naflags
+Contains the audit flags that define what classes of events are audited when
+an action cannot be attributed to a specific user.
+.It Va minfree
+The minimum free space required on the file system audit logs are being written to.
+When the free space falls below this limit a warning will be issued.
+Not currently used as the value of 20 percent is chosen by the kernel.
+.El
+.Sh AUDIT FLAGS
+Audit flags are a comma delimited list of audit classes as defined in the
+audit_class file.
+See
+.Xr audit_class 5
+for details.
+Event classes may be preceded by a prefix which changes their interpretation.
+The following prefixes may be used for each class:
+.Bl -tag -width Ds -compact -offset indent
+.It +
+Record successful events
+.It -
+Record failed events
+.It ^
+Record both successful and failed events
+.It ^+
+Don't record successful events
+.It ^-
+Don't record failed events
+.El
+.Sh DEFAULT
+The following settings appear in the default
+.Nm
+file:
+.Bd -literal -offset indent
+dir:/var/audit
+flags:lo,ad,-all,^-fc,^-cl
+minfree:20
+naflags:lo
+.Ed
+.Pp
+The
+.Va flags
+parameter above specifies the system-wide mask corresponding to login/logout
+events, administrative events, and all failures except for failures in creating
+or closing files.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_control" -compact
+.It Pa /etc/security/audit_control
+.El
+.Sh SEE ALSO
+.Xr audit 1 ,
+.Xr auditd 8 ,
+.Xr audit_class 5 ,
+.Xr audit_user 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
new file mode 100644
index 000000000000..36029ef3b90f
--- /dev/null
+++ b/contrib/openbsm/man/audit_event.5
@@ -0,0 +1,74 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_EVENT 5
+.Os
+.Sh NAME
+.Nm audit_event
+.Nd "contains audit event descriptions"
+.Sh DESCRIPTION
+The
+.Nm
+file contains descriptions of the auditable events on the system.
+Each line maps an audit event number to a name, a description, and a class.
+Entries are of the form
+.Dl eventnum:eventname:description:eventclass .
+Each
+.Vt eventclass
+should have a corresponding entry in the audit_class file.
+See
+.Xr audit_class 5
+for details.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+0:AUE_NULL:indir system call:no
+1:AUE_EXIT:exit(2):pc
+2:AUE_FORK:fork(2):pc
+3:AUE_OPEN:open(2):fa
+.Ed
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_event" -compact
+.It Pa /etc/security/audit_event
+.El
+.Sh SEE ALSO
+.Xr audit_class 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
new file mode 100644
index 000000000000..abb74a322123
--- /dev/null
+++ b/contrib/openbsm/man/audit_user.5
@@ -0,0 +1,91 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#5 $
+.\"
+.Dd Jan 24, 2004
+.Dt AUDIT_USER 5
+.Os
+.Sh NAME
+.Nm audit_user
+.Nd "specifies events to be audited for the given users"
+.Sh DESCRIPTION
+The
+.Nm
+file specifies which audit event classes are to be audited for the given users.
+If specified, these flags are combined with the system-wide audit flags in the
+.Pa audit_control
+file to determine which classes of events to audit for that user.
+These settings take effect when the user logs in.
+.Pp
+Each line maps a user name to a list of classes that should be audited and a
+list of classes that should not be audited.
+Entries are of the form of
+.Dl username:alwaysaudit:neveraudit ,
+where
+.Vt alwaysaudit
+is a set of event classes that are always audited, and
+.Vt neveraudit
+is a set of event classes that should not be audited.
+These sets can indicate
+the inclusion or exclusion of multiple classes, and whether to audit successful
+or failed events.
+See
+.Xr audit_control 5
+for more information about audit flags.
+.Pp
+Example entries in this file are:
+.Bd -literal -offset indent
+root:lo,ad:no
+jdoe:-fc,ad:+fw
+.Ed
+.Pp
+These settings would cause login and administrative events that succeed on
+behalf of user root to be audited.
+No failure events are audited.
+For the user
+.Em jdoe ,
+failed file creation events are audited, administrative events are
+audited, and successful file write events are never audited.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_user" -compact
+.It Pa /etc/security/audit_user
+.El
+.Sh SEE ALSO
+.Xr audit_control 5
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
new file mode 100644
index 000000000000..4581d8c87bf6
--- /dev/null
+++ b/contrib/openbsm/man/audit_warn.5
@@ -0,0 +1,69 @@
+.\" Copyright (c) 2004 Apple Computer, Inc.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+.\" its contributors may be used to endorse or promote products derived
+.\" from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#5 $
+.\"
+.Dd Mar 17, 2004
+.Dt AUDIT_WARN 5
+.Os
+.Sh NAME
+.Nm audit_warn
+.Nd "alert when audit daemon issues warnings"
+.Sh DESCRIPTION
+.Nm
+runs when
+.Xr auditd 8
+generates warning messages.
+.Pp
+The default
+.Nm
+is a script whose first parameter is the type of warning; the script
+appends its arguments to
+.Pa /etc/security/audit_messages .
+Administrators may replace this script: a more comprehensive one would take
+different actions based on the type of warning.
+For example, a low-space warning
+could result in an email message being sent to the administrator.
+.Sh FILES
+.Bl -tag -width "/etc/security/audit_warn" -compact
+.It Pa /etc/security/audit_warn
+.It Pa /etc/security/audit_messages
+.El
+.Sh SEE ALSO
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
new file mode 100644
index 000000000000..48bec1cd2cbb
--- /dev/null
+++ b/contrib/openbsm/man/auditctl.2
@@ -0,0 +1,78 @@
+.\"-
+.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITCTL 2
+.Os
+.Sh NAME
+.Nm auditctl
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "const char *path"
+.Sh DESCRIPTION
+The
+.Fn auditctl
+system call directs the kernel to open a new audit trail log file.
+.Fn auditctl
+requires appropriate privilege.
+In the
+.Fx
+implementation,
+.Fn auditctl
+opens new files, but
+.Fn auditon
+is used to disable the audit log.
+In the Mac OS X implementation, passing
+.Va NULL
+to
+.Fn auditctl
+will disable the audit log.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr libbsm 3 ,
+.Xr auditd 8
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
new file mode 100644
index 000000000000..4e38dc4f68fc
--- /dev/null
+++ b/contrib/openbsm/man/auditon.2
@@ -0,0 +1,288 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005 Tom Rhodes
+.\" Copyright (c) 2005 Wayne J. Salamon
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#6 $
+.\"
+.Dd April 19, 2005
+.Dt AUDITON 2
+.Os
+.Sh NAME
+.Nm auditon
+.Nd "Configure system audit parameters"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn auditon "int cmd" "void *data" "u_int length"
+.Sh DESCRIPTION
+The
+.Nm
+system call is used to manipulate various audit control operations.
+.Ft *data
+should point to a structure whose type depends on the command.
+.Ft length
+specifies the size of the
+.Em data
+in bytes.
+.Ft cmd
+may be any of the following:
+.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
+.It Dv A_SETPOLICY
+Set audit policy flags.
+.Ft *data
+must point to an long value set to one of the audit
+policy control values defined in audit.h.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+In the
+.Dv AUDIT_CNT
+case, the action will continue regardless if
+an event will not be audited.
+In the
+.Dv AUDIT_AHLT
+case, a
+.Xr panic 9
+will result if an event will not be written to the
+audit log file.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_SETKMASK
+Set the kernel preselection masks (success and failure).
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure containing the mask values.
+These masks are used for non-attributable audit event preselection.
+.It Dv A_SETQCTRL
+Set kernel audit queue parameters.
+.Ft *data
+must point to a
+.Ft au_qctrl_t
+structure containing the
+kernel audit queue control settings:
+.Va high water ,
+.Va low water ,
+.Va output buffer size ,
+.Va percent min free disk space ,
+and
+.Em delay
+(not currently used).
+.It Dv A_SETSTAT
+Return
+.Er ENOSYS .
+.It Dv A_SETUMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETSMASK
+Return
+.Er ENOSYS .
+.It Dv A_SETCOND
+Set the current auditing condition.
+.Ft *data
+must point to an long value containing the new
+audit condition, one of
+.Dv AUC_AUDITING ,
+.Dv AUC_NOAUDIT ,
+or
+.Dv AUC_DISABLED .
+.It Dv A_SETCLASS
+Set the event class preselection mask for an audit event.
+.Ft *data
+must point to a
+.Ft au_evclass_map_t
+structure containing the audit event and mask.
+.It Dv A_SETPMASK
+Set the preselection masks for a process.
+.Ft *data
+must point to a
+.Ft auditpinfo_t
+structure that contains the given process's audit
+preselection masks for both success and failure.
+.It Dv A_SETFSIZE
+Set the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure with the
+.Ft af_filesz
+field set to the maximum audit log file size.
 A value of 0
+indicates no limit to the size.
+.It Dv A_SETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETCLASS
+Return the event to class mapping for the designated audit event.
+.Ft *data
+must point to a
+.Ft au_evclass_map_t
+structure.
+.It Dv A_GETKAUDIT
+Return
+.Er ENOSYS .
+.It Dv A_GETPINFO
+Return the audit settings for a process.
+.Ft *data
+must point to a
+.Ft auditpinfo_t
+structure which will be set to contain
+the audit ID, preselection mask, terminal ID, and audit session
+ID of the given process.
+.It Dv A_GETPINFO_ADDR
+Return
+.Er ENOSYS .
+.It Dv A_GETKMASK
+Return the current kernel preselection masks.
+.Ft *data
+must point to a
+.Ft au_mask_t
+structure which will be set to
+the current kernel preselection masks for non-attributable events.
+.It Dv A_GETPOLICY
+Return the current audit policy setting.
+.Ft *data
+must point to an long value which will be set to
+one of the current audit policy flags.
+Currently, only
+.Dv AUDIT_CNT
+and
+.Dv AUDIT_AHLT
+are implemented.
+.It Dv A_GETQCTRL
+Return the current kernel audit queue control parameters.
+.Ft *data
+must point to a
+.Ft au_qctrl_t
+structure which will be set to the current
+kernel audit queue control parameters.
+.It Dv A_GETFSIZE
+Returns the maximum size of the audit log file.
+.Ft *data
+must point to a
+.Ft au_fstat_t
+structure. The
+.Ft af_filesz
+field will set to the maximum audit log file size. A value of 0
+indicates no limit to the size.
+The
+.Ft af_filesz
+will be set to the current audit log file size.
+.It Dv A_GETCWD
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\" Return the current working directory as stored in the audit subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETCAR
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Stores and returns the current active root as stored in the audit
+.\"subsystem.
+Return
+.Er ENOSYS .
+.It Dv A_GETSTAT
+.\" [COMMENTED OUT]: Valid description, not yet implemented.
+.\"Return the statistics stored in the audit system.
+Return
+.Er ENOSYS .
+.It Dv A_GETCOND
+Return the current auditing condition.
+.Ft *data
+must point to a long value which will be set to
+the current audit condition, either
+.Dv AUC_AUDITING
+or
+.Dv AUC_NOAUDIT .
+.It Dv A_SENDTRIGGER
+Send a trigger to the audit daemon.
+.Fr *data
+must point to a long value set to one of the acceptable
+trigger values:
+.Dv AUDIT_TRIGGER_LOW_SPACE
+(low disk space where the audit log resides),
+.Dv AUDIT_TRIGGER_OPEN_NEW
+(open a new audit log file),
+.Dv AUDIT_TRIGGER_READ_FILE
+(read the audit_control file),
+.Dv AUDIT_TRIGGER_CLOSE_AND_DIE
+(close the current log file and exit),
+or
+.Dv AUDIT_TRIGGER_NO_SPACE
+(no disk space left for audit log file).
+.El
+.Sh RETURN VALUES
+.Rv -std
+.Sh ERRORS
+The
+.Fn auditon
+function will fail if:
+.Bl -tag -width Er
+.It Bq Er ENOSYS
+Returned by options not yet implemented.
+.It Bq Er EFAULT
+A failure occurred while data transferred to or from
+the kernel failed.
+.It Bq Er EINVAL
+Illegal argument was passed by a system call.
+.It Bq Er EPERM
+The process does not have sufficient permission to complete
+the operation.
+.El
+.Pp
+The
+.Dv A_SENDTRIGGER
+command is specific to the
+.Fx
+and Mac OS X implementations, and is not present in Solaris.
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Tom Rhodes Aq trhodes@FreeBSD.org ,
+.An Robert Watson Aq rwatson@FreeBSD.org ,
+and
+.An Wayne Salamon Aq wsalamon@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
new file mode 100644
index 000000000000..c20aab00073d
--- /dev/null
+++ b/contrib/openbsm/man/getaudit.2
@@ -0,0 +1,80 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUDIT 2
+.Os
+.Sh NAME
+.Nm getaudit ,
+.Nm getaudit_addr
+.Nd "Retrieve audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
+.Sh DESCRIPTION
+.Fn getaudit
+retrieves the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn getaudit_addr
+retrieves extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr setaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
new file mode 100644
index 000000000000..de36f731df3c
--- /dev/null
+++ b/contrib/openbsm/man/getauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt GETAUID 2
+.Os
+.Sh NAME
+.Nm getauid
+.Nd "Retrieve audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn getauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+retrieves the active audit session ID for the current process via the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
new file mode 100644
index 000000000000..2d994ecfb0cf
--- /dev/null
+++ b/contrib/openbsm/man/setaudit.2
@@ -0,0 +1,81 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUDIT 2
+.Os
+.Sh NAME
+.Nm setaudit ,
+.Nm setaudit_addr
+.Nd "Set audit session state"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setaudit "auditinfo_t *auditinfo"
+.Ft int
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session state for the current process via the
+.Vt auditinfo_t
+pointed to by
+.Va auditinfo .
+.Fn setaudit_addr
+sets extended state via
+.Va auditinfo_addr
+and
+.Va length .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr setauid 2 ,
+.Xr getaudit 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
new file mode 100644
index 000000000000..d03b0d9474e9
--- /dev/null
+++ b/contrib/openbsm/man/setauid.2
@@ -0,0 +1,74 @@
+.\"-
+.\" Copyright (c) 2005 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#4 $
+.\"
+.Dd April 19, 2005
+.Dt SETAUID 2
+.Os
+.Sh NAME
+.Nm setauid
+.Nd "Set audit session ID"
+.Sh SYNOPSIS
+.In bsm/audit.h
+.Ft int
+.Fn setauid "au_id_t *auid"
+.Sh DESCRIPTION
+.Nm
+sets the active audit session ID for the current process from the
+.Vt au_id_t
+pointed to by
+.Va auid .
+.Pp
+This system call required appropriate privilege to complete.
+.Sh RETURN VALUES
+.Nm
+returns 0 on success, or returns -1 on failure, providing additional error
+information via
+.Va errno .
+.Sh SEE ALSO
+.Xr audit 2 ,
+.Xr auditon 2 ,
+.Xr getauid 2 ,
+.Xr getaudit 2 ,
+.Xr setaudit 2 ,
+.Xr getaudit_addr 2 ,
+.Xr setaudit_addr 2 ,
+.Xr libbsm 3
+.Sh AUTHORS
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson@FreeBSD.org .
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution. |