aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRobert Watson <rwatson@FreeBSD.org>2007-04-16 15:37:10 +0000
committerRobert Watson <rwatson@FreeBSD.org>2007-04-16 15:37:10 +0000
commitbc168a6cdd45ba809a5580b6e67ebc6806b5aeb3 (patch)
tree103f2ad3fab79dfe5e3b4ca02ebf1d9c1e2e4e82
parent4bd0c025f38ae20e2ec54bfbe3f11a0847e87ffb (diff)
downloadsrc-bc168a6cdd45ba809a5580b6e67ebc6806b5aeb3.tar.gz
src-bc168a6cdd45ba809a5580b6e67ebc6806b5aeb3.zip
Vendor import TrustedBSD OpenBSM 1.0 alpha 14, with the following change
history notes since the last import: OpenBSM 1.0 alpha 14 - Fix endian issues when processing IPv6 addresses for extended subject and process tokens. - gcc41 warnings clean. - Teach audit_submit(3) about getaudit_addr(2). - Add support for zonename tokens. OpenBSM 1.0 alpha 13 - compat/clock_gettime.h now provides a compatibility implementation of clock_gettime(), which fixes building on Mac OS X. - Countless man page improvements, markup fixes, content fixs, etc. - XML printing support via "praudit -x". - audit.log.5 expanded to include additional BSM token types. - Added encoding and decoding routines for process64_ex, process32_ex, subject32_ex, header64, and attr64 tokens. - Additional audit event identifiers for listen, mlockall/munlockall, getpath, POSIX message queues, and mandatory access control. Approved by: re (bmah) MFC after: 3 weeks Obtained from: TrustedBSD Project
Notes
Notes: svn path=/vendor/openbsm/dist/; revision=168777
-rw-r--r--contrib/openbsm/HISTORY22
-rw-r--r--contrib/openbsm/README41
-rw-r--r--contrib/openbsm/TODO3
-rw-r--r--contrib/openbsm/VERSION2
-rw-r--r--contrib/openbsm/bin/audit/audit.856
-rw-r--r--contrib/openbsm/bin/auditd/auditd.880
-rw-r--r--contrib/openbsm/bin/auditd/auditd.c6
-rw-r--r--contrib/openbsm/bin/auditfilterd/auditfilterd.833
-rw-r--r--contrib/openbsm/bin/auditfilterd/auditfilterd.c8
-rw-r--r--contrib/openbsm/bin/auditreduce/auditreduce.1148
-rw-r--r--contrib/openbsm/bin/praudit/praudit.179
-rw-r--r--contrib/openbsm/bin/praudit/praudit.c50
-rw-r--r--contrib/openbsm/bsm/audit_kevents.h27
-rw-r--r--contrib/openbsm/bsm/audit_record.h6
-rw-r--r--contrib/openbsm/bsm/libbsm.h54
-rw-r--r--contrib/openbsm/compat/clock_gettime.h54
-rwxr-xr-xcontrib/openbsm/configure22
-rw-r--r--contrib/openbsm/configure.ac4
-rw-r--r--contrib/openbsm/etc/audit_event24
-rw-r--r--contrib/openbsm/libbsm/au_class.352
-rw-r--r--contrib/openbsm/libbsm/au_control.394
-rw-r--r--contrib/openbsm/libbsm/au_event.372
-rw-r--r--contrib/openbsm/libbsm/au_free_token.346
-rw-r--r--contrib/openbsm/libbsm/au_io.361
-rw-r--r--contrib/openbsm/libbsm/au_mask.382
-rw-r--r--contrib/openbsm/libbsm/au_open.345
-rw-r--r--contrib/openbsm/libbsm/au_token.3181
-rw-r--r--contrib/openbsm/libbsm/au_user.384
-rw-r--r--contrib/openbsm/libbsm/audit_submit.328
-rw-r--r--contrib/openbsm/libbsm/bsm_io.c2659
-rw-r--r--contrib/openbsm/libbsm/bsm_notify.c7
-rw-r--r--contrib/openbsm/libbsm/bsm_token.c246
-rw-r--r--contrib/openbsm/libbsm/bsm_wrappers.c29
-rw-r--r--contrib/openbsm/libbsm/libbsm.334
-rw-r--r--contrib/openbsm/man/audit.238
-rw-r--r--contrib/openbsm/man/audit.log.5641
-rw-r--r--contrib/openbsm/man/audit_class.543
-rw-r--r--contrib/openbsm/man/audit_control.5134
-rw-r--r--contrib/openbsm/man/audit_event.550
-rw-r--r--contrib/openbsm/man/audit_user.573
-rw-r--r--contrib/openbsm/man/audit_warn.545
-rw-r--r--contrib/openbsm/man/auditctl.235
-rw-r--r--contrib/openbsm/man/auditon.2177
-rw-r--r--contrib/openbsm/man/getaudit.241
-rw-r--r--contrib/openbsm/man/getauid.239
-rw-r--r--contrib/openbsm/man/setaudit.244
-rw-r--r--contrib/openbsm/man/setauid.239
-rw-r--r--contrib/openbsm/test/bsm/generate.c190
-rw-r--r--contrib/openbsm/test/reference/arg32_recordbin50 -> 50 bytes
-rw-r--r--contrib/openbsm/test/reference/data_recordbin39 -> 39 bytes
-rw-r--r--contrib/openbsm/test/reference/file_recordbin41 -> 41 bytes
-rw-r--r--contrib/openbsm/test/reference/in_addr_recordbin30 -> 30 bytes
-rw-r--r--contrib/openbsm/test/reference/ip_recordbin46 -> 46 bytes
-rw-r--r--contrib/openbsm/test/reference/ipc_recordbin31 -> 31 bytes
-rw-r--r--contrib/openbsm/test/reference/iport_recordbin28 -> 28 bytes
-rw-r--r--contrib/openbsm/test/reference/opaque_recordbin32 -> 32 bytes
-rw-r--r--contrib/openbsm/test/reference/path_recordbin49 -> 49 bytes
-rw-r--r--contrib/openbsm/test/reference/process32_recordbin62 -> 62 bytes
-rw-r--r--contrib/openbsm/test/reference/process32ex_record-IPv4bin0 -> 66 bytes
-rw-r--r--contrib/openbsm/test/reference/process32ex_record-IPv6bin0 -> 78 bytes
-rw-r--r--contrib/openbsm/test/reference/process32ex_token-IPv4bin0 -> 41 bytes
-rw-r--r--contrib/openbsm/test/reference/process32ex_token-IPv6bin0 -> 53 bytes
-rw-r--r--contrib/openbsm/test/reference/process64_recordbin0 -> 66 bytes
-rw-r--r--contrib/openbsm/test/reference/process64_tokenbin0 -> 41 bytes
-rw-r--r--contrib/openbsm/test/reference/process64ex_record-IPv4bin0 -> 70 bytes
-rw-r--r--contrib/openbsm/test/reference/process64ex_record-IPv6bin0 -> 82 bytes
-rw-r--r--contrib/openbsm/test/reference/process64ex_token-IPv4bin0 -> 45 bytes
-rw-r--r--contrib/openbsm/test/reference/process64ex_token-IPv6bin0 -> 57 bytes
-rw-r--r--contrib/openbsm/test/reference/return32_recordbin31 -> 31 bytes
-rw-r--r--contrib/openbsm/test/reference/seq_recordbin30 -> 30 bytes
-rw-r--r--contrib/openbsm/test/reference/subject32_recordbin62 -> 62 bytes
-rw-r--r--contrib/openbsm/test/reference/subject32ex_recordbin78 -> 78 bytes
-rw-r--r--contrib/openbsm/test/reference/subject32ex_token-IPv4bin41 -> 41 bytes
-rw-r--r--contrib/openbsm/test/reference/subject32ex_token-IPv6bin53 -> 53 bytes
-rw-r--r--contrib/openbsm/test/reference/text_recordbin44 -> 44 bytes
-rw-r--r--contrib/openbsm/test/reference/zonename_recordbin0 -> 37 bytes
-rw-r--r--contrib/openbsm/test/reference/zonename_tokenbin0 -> 12 bytes
-rw-r--r--contrib/openbsm/tools/audump.c4
78 files changed, 4325 insertions, 1707 deletions
diff --git a/contrib/openbsm/HISTORY b/contrib/openbsm/HISTORY
index 0b44df261e08..6464a0d85baa 100644
--- a/contrib/openbsm/HISTORY
+++ b/contrib/openbsm/HISTORY
@@ -1,3 +1,23 @@
+OpenBSM 1.0 alpha 14
+
+- Fix endian issues when processing IPv6 addresses for extended subject
+ and process tokens.
+- gcc41 warnings clean.
+- Teach audit_submit(3) about getaudit_addr(2).
+- Add support for zonename tokens.
+
+OpenBSM 1.0 alpha 13
+
+- compat/clock_gettime.h now provides a compatibility implementation of
+ clock_gettime(), which fixes building on Mac OS X.
+- Countless man page improvements, markup fixes, content fixs, etc.
+- XML printing support via "praudit -x".
+- audit.log.5 expanded to include additional BSM token types.
+- Added encoding and decoding routines for process64_ex, process32_ex,
+ subject32_ex, header64, and attr64 tokens.
+- Additional audit event identifiers for listen, mlockall/munlockall,
+ getpath, POSIX message queues, and mandatory access control.
+
OpenBSM 1.0 alpha 12
- Correct bug in auditreduce which prevented the -c option from working
@@ -264,4 +284,4 @@ OpenBSM 1.0 alpha 1
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#50 $
diff --git a/contrib/openbsm/README b/contrib/openbsm/README
index 636dbee9ff5b..2c45da1909c7 100644
--- a/contrib/openbsm/README
+++ b/contrib/openbsm/README
@@ -3,11 +3,13 @@ OpenBSM 1.0
Introduction
OpenBSM provides an open source implementation of Sun's BSM Audit API.
-Originally created under contract to Apple Computer by McAfee Research,
-this implementation is now maintained by volunteers and the generous
-contribution of several organizations. Coupled with a kernel audit
-implementation, OpenBSM can be used to maintain system audit streams, and
-is a foundation for an Audit-enabled system.
+Originally created under contract to Apple Computer by McAfee Research, this
+implementation is now maintained by volunteers and the generous contribution
+of several organizations. Coupled with a kernel audit implementation,
+OpenBSM can be used to maintain system audit streams, and is a foundation for
+an Audit-enabled system. Portions of OpenBSM, including include files and
+token-building routines, are reusable in a kernel audit implementation, and
+may be found in the FreeBSD and Mac OS X kernels.
Contents
@@ -15,13 +17,22 @@ OpenBSM consists of several directories:
bin/ Audit-related command line tools
bsm/ System include files for BSM
+ compat/ Compatibility code to build on various OS's
etc/ Sample /etc/security configuration files
libbsm/ Implementation of BSM library interfaces and man pages
man/ System call and configuration file man pages
+ modules/ Directory for auditfilterd module source
+ test/ Test token sets and geneneration program
+ tools/ Tool directory, including audump to dump databases
-OpenBSM currently builds on FreeBSD and Darwin. With Makefile adjustment
-and minor tweaks, it should build without problems on a broad range of
-POSIX-like systems.
+The following programs are included with OpenBSM:
+
+ audit Command line audit control tool
+ auditd Audit management daemon
+ auditfilterd Experimental event monitoring framework
+ auditreduce Audit trail reduction tool
+ audump Debugging tool to parse and print audit databases
+ praudit Tool to print audit trails
Building
@@ -29,7 +40,7 @@ OpenBSM is currently built using autoconf and automake, which should allow
for building on a range of operating systems, including FreeBSD, Mac OS X,
and Linux. Depending on the availability of audit facilities in the
underlying operating system, some components that depend on kernel audit
-support are built conditionally. Typically, build will be performed using
+support are built conditionally. Typically, build will be performed using:
./configure
make
@@ -51,13 +62,12 @@ directory the correct libbsm is used:
You will need to manually propagate openbsm/etc/* into /etc on your system;
this is not done automatically so as to avoid disrupting the current
-configuration. Currently, the locations of these files is not
-configurable.
+configuration. Currently, the locations of these files is not configurable.
Credits
-The following organizations and individuals have contributed substantially
-to the development of OpenBSM:
+The following organizations and individuals have contributed substantially to
+the development of OpenBSM:
Apple Computer, Inc.
McAfee Research, McAfee, Inc.
@@ -76,6 +86,9 @@ to the development of OpenBSM:
Martin Fong
Pawel Worach
Martin Englund
+ Ruslan Ermilov
+ Martin Voros
+ Diego Giagio
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
@@ -97,4 +110,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
http://www.TrustedBSD.org/
-$P4: //depot/projects/trustedbsd/openbsm/README#19 $
+$P4: //depot/projects/trustedbsd/openbsm/README#23 $
diff --git a/contrib/openbsm/TODO b/contrib/openbsm/TODO
index 696974340819..ce06d5a3ce9c 100644
--- a/contrib/openbsm/TODO
+++ b/contrib/openbsm/TODO
@@ -1,4 +1,3 @@
-- Teach praudit how to general XML format BSM streams.
- Teach libbsm about any additional 64-bit token types that are present
in more recent Solaris versions.
- Build a regression test suite for libbsm that generates each token
@@ -20,4 +19,4 @@
- Put hostname in trail file name.
- Document audit_warn event arguments.
-$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#9 $
diff --git a/contrib/openbsm/VERSION b/contrib/openbsm/VERSION
index b27583b27697..2811a2a0b9d0 100644
--- a/contrib/openbsm/VERSION
+++ b/contrib/openbsm/VERSION
@@ -1 +1 @@
-OPENBSM_1_0_ALPHA_12
+OPENBSM_1_0_ALPHA_14
diff --git a/contrib/openbsm/bin/audit/audit.8 b/contrib/openbsm/bin/audit/audit.8
index 1d490f54e680..5e4d373d63f7 100644
--- a/contrib/openbsm/bin/audit/audit.8
+++ b/contrib/openbsm/bin/audit/audit.8
@@ -2,20 +2,20 @@
.\" All rights reserved.
.\"
.\" @APPLE_BSD_LICENSE_HEADER_START@
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
-.\"
+.\"
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
.\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -26,32 +26,27 @@
.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#9 $
.\"
-.Dd January 24, 2004
+.Dd October 2, 2006
.Dt AUDIT 8
.Os
.Sh NAME
.Nm audit
.Nd audit management utility
.Sh SYNOPSIS
-.Nm audit
-.Op Fl nst
-.Op Ar file
+.Nm
+.Fl n | s | t
.Sh DESCRIPTION
The
-.Nm
+.Nm
utility controls the state of the audit system.
-The optional
-.Ar file
-operand specifies the location of the audit control input file (default
-.Pa /etc/security/audit_control ) .
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
+One of the following flags is required as an argument to
+.Nm :
+.Bl -tag -width indent
.It Fl n
Forces the audit system to close the existing audit log file and rotate to
a new log file in a location specified in the audit control file.
@@ -69,22 +64,27 @@ The
.Xr auditd 8
daemon must already be running.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
-Default audit policy file used to configure the auditing system.
+Audit policy file used to configure the auditing system.
.El
.Sh SEE ALSO
+.Xr audit 4 ,
.Xr audit_control 5 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditd/auditd.8 b/contrib/openbsm/bin/auditd/auditd.8
index 11e45e1496f2..a4e0dbfdf407 100644
--- a/contrib/openbsm/bin/auditd/auditd.8
+++ b/contrib/openbsm/bin/auditd/auditd.8
@@ -29,46 +29,35 @@
.\"
.\" @APPLE_BSD_LICENSE_HEADER_END@
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#12 $
.\"
-.Dd January 24, 2004
+.Dd October 2, 2006
.Dt AUDITD 8
.Os
.Sh NAME
.Nm auditd
.Nd audit log management daemon
.Sh SYNOPSIS
-.Nm auditd
-.Op Fl dhs
+.Nm
+.Op Fl d
.Sh DESCRIPTION
The
.Nm
-daemon responds to requests from the audit(1) utility and notifications
-from the kernel. It manages the resulting audit log files and specified
+daemon responds to requests from the
+.Xr audit 8
+utility and notifications
+from the kernel.
+It manages the resulting audit log files and specified
log file locations.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
.It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+Starts the daemon in debug mode \[em] it will not daemonize.
.El
-.Pp
-The historical
-.Fl h
-and
-.Fl s
-flags are now configured using
-.Xr audit_control 5
-policy flags
-.Dv ahlt
-and
-.Dv cnt ,
-and are no longer available as arguments to
-.Xr auditd 8 .
.Sh NOTE
-.Pp
To assure uninterrupted audit support, the
-.Nm auditd
+.Nm
daemon should not be started and stopped manually.
Instead, the
.Xr audit 8
@@ -78,28 +67,51 @@ the
.Pa audit_control
file.
.Pp
-.\" Sending a SIGHUP to a running
-.\" .Nm auditd
+.\" Sending a
+.\" .Dv SIGHUP
+.\" to a running
+.\" .Nm
.\" daemon will force it to exit.
-Sending a SIGTERM to a running
-.Nm auditd
+Sending a
+.Dv SIGTERM
+to a running
+.Nm
daemon will force it to exit.
.Sh FILES
-.Bl -tag -width "/var/audit" -compact
+.Bl -tag -width ".Pa /var/audit" -compact
.It Pa /var/audit
Default directory for storing audit log files.
.El
+.Sh COMPATIBILITY
+The historical
+.Fl h
+and
+.Fl s
+flags are now configured using
+.Xr audit_control 5
+policy flags
+.Cm ahlt
+and
+.Cm cnt ,
+and are no longer available as arguments to
+.Nm .
.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_control 5 ,
.Xr audit 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/auditd/auditd.c b/contrib/openbsm/bin/auditd/auditd.c
index 7ca2123bdb56..9b5ba0795d88 100644
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#25 $
*/
#include <sys/types.h>
@@ -865,7 +865,7 @@ setup(void)
syslog(LOG_ERR, "Could not create audit startup event.");
else {
/*
- * XXXCSJP Perhaps we wan't more robust audit records for
+ * XXXCSJP Perhaps we want more robust audit records for
* audit start up and shutdown. This might include capturing
* failures to initialize the audit subsystem?
*/
@@ -896,7 +896,7 @@ main(int argc, char **argv)
int debug = 0;
int rc;
- while ((ch = getopt(argc, argv, "dhs")) != -1) {
+ while ((ch = getopt(argc, argv, "d")) != -1) {
switch(ch) {
case 'd':
/* Debug option. */
diff --git a/contrib/openbsm/bin/auditfilterd/auditfilterd.8 b/contrib/openbsm/bin/auditfilterd/auditfilterd.8
index 0d9d2cbffb0f..ae6ba0b4a707 100644
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.8
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.8
@@ -23,18 +23,19 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#4 $
.\"
-.Dd March 27, 2006
+.Dd October 3, 2006
.Dt AUDITFILTERD 8
.Os
.Sh NAME
.Nm auditfilterd
.Nd audit filter daemon
.Sh SYNOPSIS
-.Nm auditfilterd
+.Nm
.Op Fl d
.Op Fl c Ar conffile
+.Op Fl p Ar pipefile
.Op Fl t Ar trailfile
.Sh DESCRIPTION
The
@@ -44,18 +45,23 @@ modules to track audit events from a live audit source.
It is configured using the
.Xr audit_filter 5
configuration file.
+The source can either be a pipe or a file.
.Pp
The options are as follows:
-.Bl -tag -width Ds
-.It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+.Bl -tag -width indent
.It Fl c Ar conffile
Specify an alternative configuration file.
+.It Fl d
+Starts the daemon in debug mode \[em] it will not daemonize.
+.It Fl p Ar pipefile
+Specify a pipe as an alternative source of audit event records.
+Default is
+.Pa /dev/auditpipe .
.It Fl t Ar trailfile
-Specify an alternative source of audit event records.
+Specify a file as an alternative source of audit event records.
.El
.Sh FILES
-.Bl -tag -width "/etc/security/audit_filterd" -compact
+.Bl -tag -width ".Pa /etc/security/audit_filterd" -compact
.It Pa /etc/security/audit_filterd
Default configuration file for
.Nm .
@@ -66,12 +72,13 @@ Default audit record source for
.Sh SEE ALSO
.Xr audit 8 ,
.Xr auditd 8
-.Sh AUTHORS
-The
-.Nm
-daemon and audit filter APIs were created by Robert Watson.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+The
+.Nm
+daemon and audit filter APIs were created by
+.An Robert Watson .
diff --git a/contrib/openbsm/bin/auditfilterd/auditfilterd.c b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
index 2723a976d333..110b7cf443da 100644
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.c
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
@@ -25,7 +25,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#11 $
*/
/*
@@ -48,6 +48,10 @@
#include <compat/queue.h>
#endif
+#ifndef HAVE_CLOCK_GETTIME
+#include <compat/clock_gettime.h>
+#endif
+
#include <bsm/libbsm.h>
#include <bsm/audit_filter.h>
@@ -76,7 +80,7 @@ static void
usage(void)
{
- fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]"
+ fprintf(stderr, "auditfilterd [-d] [-c conffile] [-p pipefile]"
" [-t trailfile]\n");
fprintf(stderr, " -c Specify configuration file (default: %s)\n",
AUDITFILTERD_CONFFILE);
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1
index f590e35f0717..1f900f9717c5 100644
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@@ -34,44 +34,43 @@
.Nm auditreduce
.Nd "select records from audit trail files"
.Sh SYNOPSIS
-.Nm auditreduce
+.Nm
.Op Fl A
-.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
-.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
+.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl c Ar flags
.Op Fl d Ar YYYYMMDD
.Op Fl e Ar euid
.Op Fl f Ar egid
.Op Fl g Ar rgid
-.Op Fl r Ar ruid
-.Op Fl u Ar auid
.Op Fl j Ar id
.Op Fl m Ar event
-.Op Fl o Ar object=value
-.Op Ar file ...
+.Op Fl o Ar object Ns = Ns Ar value
+.Op Fl r Ar ruid
+.Op Fl u Ar auid
+.Op Ar
.Sh DESCRIPTION
The
-.Nm
+.Nm
utility selects records from the audit trail files based on the specified
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
by default.
-Use the
-.Nm praudit
-utility to print the selected audit records in human-readable form.
-See
+Use the
.Xr praudit 1
-for more information.
+utility to print the selected audit records in human-readable form.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
.It Fl A
Select all records.
-.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred after or on the given datetime.
-.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred before the given datetime.
.It Fl c Ar flags
Select records matching the given audit classes specified as a comma
@@ -86,15 +85,11 @@ This option cannot be used with
or
.Fl b .
.It Fl e Ar euid
-Select records with the given effective user id or name.
+Select records with the given effective user ID or name.
.It Fl f Ar egid
-Select records with the given effective group id or name.
+Select records with the given effective group ID or name.
.It Fl g Ar rgid
-Select records with the given real group id or name.
-.It Fl r Ar ruid
-Select records with the given real user id or name.
-.It Fl u Ar auid
-Select records with the given audit id.
+Select records with the given real group ID or name.
.It Fl j Ar id
Select records having a subject token with matching ID.
.It Fl m Ar event
@@ -102,45 +97,53 @@ Select records with the given event name or number.
See
.Xr audit_event 5
for a description of audit event names and numbers.
-.It Fl o Ar object=value
-.Bl -tag -width Ds
-.It Nm file
+.It Fl o Ar object Ns = Ns Ar value
+.Bl -tag -width ".Cm msgqid"
+.It Cm file
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
-Regular expressions which are prefixed with a tilde (~) are excluded
+Regular expressions which are prefixed with a tilde
+.Pq Ql ~
+are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
.Pp
-Since commas are used to delimit the regular expressions, a backslash (\\)
-character should be used to escape the comma if it's a part of the search
+Since commas are used to delimit the regular expressions, a backslash
+.Pq Ql \e
+character should be used to escape the comma if it is a part of the search
pattern.
-.It Nm msgqid
-Select records containing the given message queue id.
-.It Nm pid
-Select records containing the given process id.
-.It Nm semid
-Select records containing the given semaphore id.
-.It Nm shmid
-Select records containing the given shared memory id.
+.It Cm msgqid
+Select records containing the given message queue ID.
+.It Cm pid
+Select records containing the given process ID.
+.It Cm semid
+Select records containing the given semaphore ID.
+.It Cm shmid
+Select records containing the given shared memory ID.
.El
+.It Fl r Ar ruid
+Select records with the given real user ID or name.
+.It Fl u Ar auid
+Select records with the given audit ID.
.El
-.Sh Examples
-.Pp
+.Sh EXAMPLES
To select all records associated with effective user ID root from the audit
log
.Pa /var/audit/20031016184719.20031017122634 :
-.Pp
-.Nm
--e root /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -e root \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
To select all
.Xr setlogin 2
events from that log:
-.Pp
-.Nm
--m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -m AUE_SETLOGIN \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
@@ -148,36 +151,43 @@ file, or via standard output to the
command.
.Pp
Select all records containing a path token where the pathname contains
-.Pa /etc/master.passwd
-.Pp
-.Nm
--ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pa /etc/master.passwd :
+.Bd -literal -offset indent
+auditreduce -o file="/etc/master.passwd" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
-.Pp
-.Nm
--ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
-.Pa /dev/ttyp2
-.Pp
-.Nm
--ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pa /dev/ttyp2 :
+.Bd -literal -offset indent
+auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.1 b/contrib/openbsm/bin/praudit/praudit.1
index 00cbfcd925ad..c32c37c76f8d 100644
--- a/contrib/openbsm/bin/praudit/praudit.1
+++ b/contrib/openbsm/bin/praudit/praudit.1
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,73 +25,94 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 $
.\"
-.Dd January 24, 2004
+.Dd November 5, 2006
.Dt PRAUDIT 1
.Os
.Sh NAME
.Nm praudit
.Nd "print the contents of audit trail files"
.Sh SYNOPSIS
-.Nm praudit
-.Op Fl lrs
+.Nm
+.Op Fl lpx
+.Op Fl r | s
.Op Fl d Ar del
-.Op Ar file ...
+.Op Ar
.Sh DESCRIPTION
The
-.Nm
+.Nm
utility prints the contents of the audit trail files to the standard output in
human-readable form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
by default.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
+.It Fl d Ar del
+Specifies the delimiter.
+The default delimiter is the comma.
.It Fl l
Prints the entire record on the same line.
If this option is not specified,
every token is displayed on a different line.
+.It Fl p
+Specify this option if input to
+.Nm
+is piped from the
+.Xr tail 1
+utility.
+This causes
+.Nm
+to sync to the start of the next record.
.It Fl r
Prints the records in their raw, numeric form.
-This option is exclusive from
-.Fl s
+This option is exclusive from
+.Fl s .
.It Fl s
Prints the tokens in their short form.
Short text representations for
record and event type are displayed.
This option is exclusive from
-.Fl r
-.It Fl d Ar del
-Specifies the delimiter.
-The default delimiter is the comma.
+.Fl r .
+.It Fl x
+Print audit records in the XML output format.
.El
.Pp
If the raw or short forms are not specified, the default is to print the tokens
in their long form.
Events are displayed as per their descriptions given in
.Pa /etc/security/audit_event ;
-uids and gids are expanded to their names;
+UIDs and GIDs are expanded to their names;
dates and times are displayed in human-readable format.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_class
-Descriptions of audit event classes
+Descriptions of audit event classes.
.It Pa /etc/security/audit_event
-Descriptions of audit events
+Descriptions of audit events.
.El
.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr audit 4 ,
+.Xr auditpipe 4 ,
.Xr audit_class 5 ,
.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/bin/praudit/praudit.c b/contrib/openbsm/bin/praudit/praudit.c
index e812f983aa0a..bf3680625cf7 100644
--- a/contrib/openbsm/bin/praudit/praudit.c
+++ b/contrib/openbsm/bin/praudit/praudit.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Martin Voros
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#11 $
*/
/*
@@ -34,7 +35,7 @@
*/
/*
- * praudit [-lrs] [-ddel] [filenames]
+ * praudit [-lpx] [-r | -s] [-d del] [file ...]
*/
#include <bsm/libbsm.h>
@@ -51,12 +52,14 @@ static int oneline = 0;
static int raw = 0;
static int shortfrm = 0;
static int partial = 0;
+static int xml = 0;
static void
-usage()
+usage(void)
{
- fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
+ fprintf(stderr, "usage: praudit [-lpx] [-r | -s] [-d del] "
+ "[file ...]\n");
exit(1);
}
@@ -88,11 +91,17 @@ print_tokens(FILE *fp)
if (-1 == au_fetch_tok(&tok, buf + bytesread,
reclen - bytesread))
break;
- au_print_tok(stdout, &tok, del, raw, shortfrm);
- bytesread += tok.len;
- if (oneline)
- printf("%s", del);
+ if (xml)
+ au_print_tok_xml(stdout, &tok, del, raw,
+ shortfrm);
else
+ au_print_tok(stdout, &tok, del, raw,
+ shortfrm);
+ bytesread += tok.len;
+ if (oneline) {
+ if (!xml)
+ printf("%s", del);
+ } else
printf("\n");
}
free(buf);
@@ -109,12 +118,20 @@ main(int argc, char **argv)
int i;
FILE *fp;
- while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
+ while ((ch = getopt(argc, argv, "d:lprsx")) != -1) {
switch(ch) {
+ case 'd':
+ del = optarg;
+ break;
+
case 'l':
oneline = 1;
break;
+ case 'p':
+ partial = 1;
+ break;
+
case 'r':
if (shortfrm)
usage(); /* Exclusive from shortfrm. */
@@ -127,12 +144,8 @@ main(int argc, char **argv)
shortfrm = 1;
break;
- case 'd':
- del = optarg;
- break;
-
- case 'p':
- partial = 1;
+ case 'x':
+ xml = 1;
break;
case '?':
@@ -141,6 +154,9 @@ main(int argc, char **argv)
}
}
+ if (xml)
+ au_print_xml_header(stdout);
+
/* For each of the files passed as arguments dump the contents. */
if (optind == argc) {
print_tokens(stdin);
@@ -153,5 +169,9 @@ main(int argc, char **argv)
if (fp != NULL)
fclose(fp);
}
+
+ if (xml)
+ au_print_xml_footer(stdout);
+
return (1);
}
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
index 434452a3091a..eb615d3c157e 100644
--- a/contrib/openbsm/bsm/audit_kevents.h
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#43 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#47 $
*/
#ifndef _BSM_AUDIT_KEVENTS_H_
@@ -474,6 +474,28 @@
#define AUE_READDIR 43118 /* Linux. */
#define AUE_IOPL 43119 /* Linux. */
#define AUE_VM86 43120 /* Linux. */
+#define AUE_MAC_GET_PROC 43121 /* FreeBSD. */
+#define AUE_MAC_SET_PROC 43122 /* FreeBSD. */
+#define AUE_MAC_GET_FD 43123 /* FreeBSD. */
+#define AUE_MAC_GET_FILE 43124 /* FreeBSD. */
+#define AUE_MAC_SET_FD 43125 /* FreeBSD. */
+#define AUE_MAC_SET_FILE 43126 /* FreeBSD. */
+#define AUE_MAC_SYSCALL 43127 /* FreeBSD. */
+#define AUE_MAC_GET_PID 43128 /* FreeBSD. */
+#define AUE_MAC_GET_LINK 43129 /* FreeBSD. */
+#define AUE_MAC_SET_LINK 43130 /* FreeBSD. */
+#define AUE_MAC_EXECVE 43131 /* FreeBSD. */
+#define AUE_GETPATH_FROMFD 43132 /* FreeBSD. */
+#define AUE_GETPATH_FROMADDR 43133 /* FreeBSD. */
+#define AUE_MQ_OPEN 43134 /* FreeBSD. */
+#define AUE_MQ_SETATTR 43135 /* FreeBSD. */
+#define AUE_MQ_TIMEDRECEIVE 43136 /* FreeBSD. */
+#define AUE_MQ_TIMEDSEND 43137 /* FreeBSD. */
+#define AUE_MQ_NOTIFY 43138 /* FreeBSD. */
+#define AUE_MQ_UNLINK 43139 /* FreeBSD. */
+#define AUE_LISTEN 43140 /* FreeBSD/Darwin/Linux. */
+#define AUE_MLOCKALL 43141 /* FreeBSD. */
+#define AUE_MUNLOCKALL 43142 /* FreeBSD. */
/*
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
@@ -571,16 +593,13 @@
#define AUE_GETSOCKOPT AUE_NULL
#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */
#define AUE_ISSETUGID AUE_NULL
-#define AUE_LISTEN AUE_NULL
#define AUE_LSTATV AUE_NULL
#define AUE_MADVISE AUE_NULL
#define AUE_MINCORE AUE_NULL
#define AUE_MKCOMPLEX AUE_NULL
-#define AUE_MLOCKALL AUE_NULL
#define AUE_MODWATCH AUE_NULL
#define AUE_MSGCL AUE_NULL
#define AUE_MSYNC AUE_NULL
-#define AUE_MUNLOCKALL AUE_NULL
#define AUE_PREAD AUE_NULL
#define AUE_PWRITE AUE_NULL
#define AUE_PREADV AUE_NULL
diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h
index 79d13c3c3c20..c15d620c3b98 100644
--- a/contrib/openbsm/bsm/audit_record.h
+++ b/contrib/openbsm/bsm/audit_record.h
@@ -30,7 +30,7 @@
*
* @APPLE_BSD_LICENSE_HEADER_END@
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#25 $
*/
#ifndef _BSM_AUDIT_RECORD_H_
@@ -85,6 +85,7 @@
/* XXXRW: Additional X11 tokens not defined? */
#define AUT_CMD 0x51
#define AUT_EXIT 0x52
+#define AUT_ZONENAME 0x60
/* XXXRW: OpenBSM AUT_HOST 0x70? */
#define AUT_ARG64 0x71
#define AUT_RETURN64 0x72
@@ -246,6 +247,8 @@ token_t *au_to_file(char *file, struct timeval tm);
token_t *au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
struct timeval tm);
+token_t *au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
#if !defined(KERNEL) && !defined(_KERNEL)
token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
@@ -328,6 +331,7 @@ token_t *au_to_exec_env(char **envp);
token_t *au_to_text(char *text);
token_t *au_to_kevent(struct kevent *kev);
token_t *au_to_trailer(int rec_size);
+token_t *au_to_zonename(char *zonename);
__END_DECLS
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
index 2d76c3993317..b1a9731f2260 100644
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#33 $
*/
#ifndef _LIBBSM_H_
@@ -164,6 +164,12 @@ typedef struct au_tidaddr32 {
u_int32_t addr[4];
} au_tidaddr32_t;
+typedef struct au_tidaddr64 {
+ u_int64_t port;
+ u_int32_t type;
+ u_int32_t addr[4];
+} au_tidaddr64_t;
+
/*
* argument # 1 byte
* argument value 4 bytes/8 bytes (32-bit/64-bit value)
@@ -483,6 +489,17 @@ typedef struct {
au_tidaddr32_t tid;
} au_proc32ex_t;
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr64_t tid;
+} au_proc64ex_t;
+
/*
* error status 1 byte
* return value 4 bytes/8 bytes (32-bit/64-bit value)
@@ -616,6 +633,17 @@ typedef struct {
au_tidaddr32_t tid;
} au_subject32ex_t;
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr64_t tid;
+} au_subject64ex_t;
+
/*
* text length 2 bytes
* text N bytes + 1 terminating NULL byte
@@ -625,6 +653,15 @@ typedef struct {
char *text;
} au_text_t;
+/*
+ * zonename length 2 bytes
+ * zonename text N bytes + 1 NULL terminator
+ */
+typedef struct {
+ u_int16_t len;
+ char *zonename;
+} au_zonename_t;
+
typedef struct {
u_int32_t ident;
u_int16_t filter;
@@ -675,8 +712,9 @@ struct tokenstr {
au_opaque_t opaque;
au_path_t path;
au_proc32_t proc32;
- au_proc64_t proc64;
au_proc32ex_t proc32_ex;
+ au_proc64_t proc64;
+ au_proc64ex_t proc64_ex;
au_ret32_t ret32;
au_ret64_t ret64;
au_seq_t seq;
@@ -685,12 +723,14 @@ struct tokenstr {
au_socketinet32_t sockinet32;
au_socketunix_t sockunix;
au_subject32_t subj32;
- au_subject64_t subj64;
au_subject32ex_t subj32_ex;
+ au_subject64_t subj64;
+ au_subject64ex_t subj64_ex;
au_text_t text;
au_kevent_t kevent;
au_invalid_t invalid;
au_trailer_t trail;
+ au_zonename_t zonename;
} tt; /* The token is one of the above types */
};
@@ -771,6 +811,14 @@ int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
//XXX The following interface has different prototype from BSM
void au_print_tok(FILE *outfp, tokenstr_t *tok,
char *del, char raw, char sfrm);
+void au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
+ char *del, char raw, char sfrm);
+
+/*
+ * Functions relating to XML output.
+ */
+void au_print_xml_header(FILE *outfp);
+void au_print_xml_footer(FILE *outfp);
__END_DECLS
/*
diff --git a/contrib/openbsm/compat/clock_gettime.h b/contrib/openbsm/compat/clock_gettime.h
new file mode 100644
index 000000000000..fe6a80680102
--- /dev/null
+++ b/contrib/openbsm/compat/clock_gettime.h
@@ -0,0 +1,54 @@
+/*-
+ * Copyright (c) 2006 Robert N. M. Watson
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/compat/clock_gettime.h#2 $
+ */
+
+/*
+ * Compatibility routines for clock_gettime(CLOCK_REALTIME, ...) for systems
+ * that don't have it. We don't use clockid_t in order to avoid conflicts
+ * with the native OS if it has one but not clock_gettime(). We also assume
+ * that the sys/time.h include has already happened at this point, so we have
+ * access to gettimeofday().
+ */
+#include <errno.h>
+
+#define CLOCK_REALTIME 0x2d4e1588
+
+static inline int
+clock_gettime(int clock_id, struct timespec *ts)
+{
+ struct timeval tv;
+
+ if (clock_id != CLOCK_REALTIME) {
+ errno = EINVAL;
+ return (-1);
+ }
+ if (gettimeofday(&tv, NULL) < 0)
+ return (-1);
+ ts->tv_sec = tv.tv_sec;
+ ts->tv_nsec = tv.tv_usec * 1000;
+ return (0);
+}
diff --git a/contrib/openbsm/configure b/contrib/openbsm/configure
index d680c434032a..8508c00dd47b 100755
--- a/contrib/openbsm/configure
+++ b/contrib/openbsm/configure
@@ -1,7 +1,7 @@
#! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#33 .
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
+# Generated by GNU Autoconf 2.59 for OpenBSM 1.0alpha14.
#
# Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
#
@@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
# Identity of this package.
PACKAGE_NAME='OpenBSM'
PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.0a12'
-PACKAGE_STRING='OpenBSM 1.0a12'
+PACKAGE_VERSION='1.0alpha14'
+PACKAGE_STRING='OpenBSM 1.0alpha14'
PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
ac_unique_file="bin/auditreduce/auditreduce.c"
@@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.0alpha14 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1021,7 +1021,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
+ short | recursive ) echo "Configuration of OpenBSM 1.0alpha14:";;
esac
cat <<\_ACEOF
@@ -1162,7 +1162,7 @@ fi
test -n "$ac_init_help" && exit 0
if $ac_init_version; then
cat <<\_ACEOF
-OpenBSM configure 1.0a12
+OpenBSM configure 1.0alpha14
generated by GNU Autoconf 2.59
Copyright (C) 2003 Free Software Foundation, Inc.
@@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by OpenBSM $as_me 1.0a12, which was
+It was created by OpenBSM $as_me 1.0alpha14, which was
generated by GNU Autoconf 2.59. Invocation command line was
$ $0 $@
@@ -19278,7 +19278,7 @@ fi
# Define the identity of the package.
PACKAGE=OpenBSM
- VERSION=1.0a12
+ VERSION=1.0alpha14
cat >>confdefs.h <<_ACEOF
@@ -23479,7 +23479,7 @@ _ASBOX
} >&5
cat >&5 <<_CSEOF
-This file was extended by OpenBSM $as_me 1.0a12, which was
+This file was extended by OpenBSM $as_me 1.0alpha14, which was
generated by GNU Autoconf 2.59. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -23542,7 +23542,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
ac_cs_version="\\
-OpenBSM config.status 1.0a12
+OpenBSM config.status 1.0alpha14
configured by $0, generated by GNU Autoconf 2.59,
with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
diff --git a/contrib/openbsm/configure.ac b/contrib/openbsm/configure.ac
index a8428f97f282..0d30dcea579c 100644
--- a/contrib/openbsm/configure.ac
+++ b/contrib/openbsm/configure.ac
@@ -2,8 +2,8 @@
# Process this file with autoconf to produce a configure script.
AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $])
+AC_INIT([OpenBSM], [1.0alpha14], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#34 $])
AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
AC_CONFIG_AUX_DIR(config)
AC_CONFIG_HEADER([config/config.h])
diff --git a/contrib/openbsm/etc/audit_event b/contrib/openbsm/etc/audit_event
index fcc89fca8ec2..6290583b5986 100644
--- a/contrib/openbsm/etc/audit_event
+++ b/contrib/openbsm/etc/audit_event
@@ -1,5 +1,5 @@
#
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#20 $
#
0:AUE_NULL:indir system call:no
1:AUE_EXIT:exit(2):pc
@@ -422,6 +422,28 @@
43118:AUE_READDIR:readdir(3):no
43119:AUE_IOPL:linux iopl:ad
43120:AUE_VM86:linux vm86:pc
+43121:AUE_MAC_GET_PROC:mac_get_proc(2):pc
+43122:AUE_MAC_SET_PROC:mac_set_proc(2):pc
+43123:AUE_MAC_GET_FD:mac_get_fd(2):fa
+43124:AUE_MAC_GET_FILE:mac_get_file(2):fa
+43125:AUE_MAC_SET_FD:mac_set_fd(2):fm
+43126:AUE_MAC_SET_FILE:mac_set_file(2):fm
+43127:AUE_MAC_SYSCALL:mac_syscall(2):ad
+43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
+43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
+43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
+43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
+43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
+43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
+43134:AUE_MQ_OPEN:mq_open(2):ip
+43135:AUE_MQ_SETATTR:mq_setattr(2):ip
+43136:AUE_MQ_TIMEDRECEIVE:mq_timedreceive(2):ip
+43137:AUE_MQ_TIMEDSEND:mq_timedsend(2):ip
+43138:AUE_MQ_NOTIFY:mq_notify(2):ip
+43139:AUE_MQ_UNLINK:mq_unlink(2):ip
+43140:AUE_LISTEN:listen(2):nt
+43141:AUE_MLOCKALL:mlockall(2):pc
+43142:AUE_MUNLOCKALL:munlockall(2):pc
#
# User space system events.
#
diff --git a/contrib/openbsm/libbsm/au_class.3 b/contrib/openbsm/libbsm/au_class.3
index f1cd9e9637f3..d270b5278329 100644
--- a/contrib/openbsm/libbsm/au_class.3
+++ b/contrib/openbsm/libbsm/au_class.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#6 $
.\"
.Dd April 19, 2005
.Dt AU_CLASS 3
@@ -35,69 +35,81 @@
.Nm getauclassnam_r ,
.Nm setauclass ,
.Nm endauclass
-.Nd "Look up information from the audit_class database"
+.Nd "look up information from the audit_class database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
-.Ft struct au_class_ent *
-.Fn getauclassent "void"
-.Ft struct au_class_ent *
+.In bsm/libbsm.h
+.Ft "struct au_class_ent *"
+.Fn getauclassent void
+.Ft "struct au_class_ent *"
.Fn getauclassent_r "struct au_class_ent *e"
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
.Fn getauclassnam "const char *name"
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
.Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
.Ft void
-.Fn setauclass "void"
+.Fn setauclass void
.Ft void
-.Fn endauclass "void"
+.Fn endauclass void
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_class 5
database, which describes audit event classes.
Audit event classes are described by
-.Vt struct au_class_ent .
-.Pp
+.Vt "struct au_class_ent" .
.Pp
+The
.Fn getauclassent
+function
will return the next class found in the
.Xr audit_class 5
database, or the first if the function has not yet been called.
.Dv NULL
will be returned if no further records are available.
.Pp
+The
.Fn getauclassnam
+function
looks up a class by name.
.Dv NULL
will be returned if no matching class can be found.
.Pp
+The
.Fn setauclass
+function
resets the iterator through the
.Xr audit_class 5
database, causing the next call to
.Fn getauclassent
to start again from the beginning of the file.
.Pp
+The
.Fn endauclass
+function
closes the
.Xr audit_class 5
database, if open.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_class 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
diff --git a/contrib/openbsm/libbsm/au_control.3 b/contrib/openbsm/libbsm/au_control.3
index 0985825f4113..daf045fcfe4a 100644
--- a/contrib/openbsm/libbsm/au_control.3
+++ b/contrib/openbsm/libbsm/au_control.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#8 $
.\"
.Dd April 19, 2005
.Dt AU_CONTROL 3
@@ -37,17 +37,17 @@
.Nm getacflg ,
.Nm getacna ,
.Nm getacpol ,
-.Nm au_poltostr
+.Nm au_poltostr ,
.Nm au_strtopol
-.Nd "Look up information from the audit_control database"
+.Nd "look up information from the audit_control database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
-.Fn setac "void"
+.Fn setac void
.Ft void
-.Fn endac "void"
+.Fn endac void
.Ft int
.Fn getacdir "char *name" "int len"
.Ft int
@@ -69,64 +69,88 @@ These interfaces may be used to look up information from the
.Xr audit_control 5
database, which contains various audit-related administrative parameters.
.Pp
+The
.Fn setac
+function
resets the database iterator to the beginning of the database; see the
-BUGS section for more information.
+.Sx BUGS
+section for more information.
.Pp
+The
.Fn sendac
+function
closes the
.Xr audit_control 5
database.
.Pp
+The
.Fn getacdir
+function
returns the name of the directory where log data is stored via the passed
character buffer
-.Va name
+.Fa name
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn getacmin
+function
returns the minimum free disk space for the audit log target file system via
the passed
-.Va min_val
+.Fa min_val
variable.
.Pp
+The
.Fn getacfilesz
-returns the audit trail rotation size in the passed size_t buffer
+function
+returns the audit trail rotation size in the passed
+.Vt size_t
+buffer
.Fa size_val .
.Pp
+The
.Fn getacflg
+function
returns the audit system flags via the the passed character buffer
-.Va auditstr
+.Fa auditstr
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn getacna
+function
returns the non-attributable flags via the passed character buffer
-.Va auditstr
+.Fa auditstr
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn getacpol
+function
returns the audit policy flags via the passed character buffer
-.Va auditstr
+.Fa auditstr
of length
-.Va len .
+.Fa len .
.Pp
+The
.Fn au_poltostr
+function
converts a numeric audit policy mask,
-.Va policy ,
-value to a string in the passed character buffer
-.Va buf
+.Fa policy ,
+to a string in the passed character buffer
+.Fa buf
of lenth
-.Va maxsize .
+.Fa maxsize .
.Pp
+The
.Fn au_strtopol
+function
converts an audit policy flags string,
-.Va polstr ,
+.Fa polstr ,
to a numeric audit policy mask returned via
-.Va policy .
+.Fa policy .
.Sh RETURN VALULES
+The
.Fn getacdir ,
.Fn getacmin ,
.Fn getacflg ,
@@ -134,11 +158,14 @@ to a numeric audit policy mask returned via
.Fn getacpol ,
and
.Fn au_strtopol
+functions
return 0 on success, or a negative value on failure, along with error
information in
.Va errno .
.Pp
+The
.Fn au_poltostr
+function
returns a string length of 0 or more on success, or a negative value on
if there is a failure.
.Pp
@@ -147,18 +174,23 @@ insufficient room in the passed character buffer for the full string.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_control 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
diff --git a/contrib/openbsm/libbsm/au_event.3 b/contrib/openbsm/libbsm/au_event.3
index dfaea022a03e..8abaaa898620 100644
--- a/contrib/openbsm/libbsm/au_event.3
+++ b/contrib/openbsm/libbsm/au_event.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#7 $
.\"
.Dd April 19, 2005
.Dt AU_EVENT 3
@@ -39,76 +39,86 @@
.Nm getauevnum ,
.Nm getauevnum_r ,
.Nm getauevnonam ,
-.Nm getauevnonam_r ,
-.Nd "Look up information from the audit_event database"
+.Nm getauevnonam_r
+.Nd "look up information from the audit_event database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
-.Fn setauevent "void"
+.Fn setauevent void
.Ft void
-.Fn endauevent "void"
+.Fn endauevent void
.Ft "struct au_event_ent *"
-.Fn getauevent "void"
+.Fn getauevent void
.Ft "struct au_event_ent *"
.Fn getauevent_r "struct au_event_ent *e"
.Ft "struct au_event_ent *"
-.Fn getauevnam "char *name"
+.Fn getauevnam "const char *name"
.Ft "struct au_event_ent *"
-.Fn getauevnam_r "struct au_event_ent *e" "char *name"
+.Fn getauevnam_r "struct au_event_ent *e" "const char *name"
.Ft "struct au_event_ent *"
.Fn getauevnum "au_event_t event_number"
.Ft "struct au_event_ent *"
.Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
.Ft "au_event_t *"
-.Fn getauevnonam "char *event_name"
+.Fn getauevnonam "const char *event_name"
.Ft "au_event_t *"
-.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
+.Fn getauevnonam_r "au_event_t *ev" "const char *event_name"
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_event 5
database, which describes audit events.
Entries in the database are described by
-.Vt struct au_event_ent
+.Vt "struct au_event_ent"
entries, which are returned by calls to
.Fn getauevent ,
.Fn getauevnam ,
or
.Fn getauevnum .
-It is also possible look up an event number via a call to
-.Nm getauevnonam .
+It is also possible to look up an event number via a call to
+.Fn getauevnonam .
.Pp
+The
.Fn setauevent
+function
resets the database access session for
.Xr audit_event 5 ,
so that the next call to
.Fn getauevent
will start with the first entry in the database.
.Pp
+The
.Fn endauevent
+function
closes the
.Xr audit_event 5
database session.
.Pp
+The
.Fn getauevent
+function
returns a reference to the next entry in the
.Xr audit_event 5
database.
.Pp
+The
.Fn getauevnam
+function
returns a reference to the entry in the
.Xr audit_event 5
database with a name of
-.Va name .
+.Fa name .
.Pp
.Fn getauevnum
returns a reference to the entry in the
.Xr audit_event 5
database with an event number of
-.Va event_number .
+.Fa event_number .
.Pp
+The
.Fn getauevnonam
+function
returns a reference to an audit event number using the
.Xr audit_event 5
database.
@@ -123,30 +133,38 @@ Functions
and
.Fn getauevnuam
will return a reference to a
-.Ft struct au_event_ent
+.Vt "struct au_event_ent"
or
-.Ft au_event_t
+.Vt au_event_t
on success, or
-.Dv NULL on failure, with
+.Dv NULL
+on failure, with
.Va errno
set to provide further error information.
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_event 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
+The
.Va errno
+variable
is not always properly set following a failure.
.Pp
These routines are thread-safe, but not re-entrant, so simultaneous or
diff --git a/contrib/openbsm/libbsm/au_free_token.3 b/contrib/openbsm/libbsm/au_free_token.3
index 84fa4435948f..7ce109aa7add 100644
--- a/contrib/openbsm/libbsm/au_free_token.3
+++ b/contrib/openbsm/libbsm/au_free_token.3
@@ -13,7 +13,7 @@
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
+.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -27,18 +27,18 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#6 $
.\"
.Dd April 19, 2005
.Dt AU_FREE_TOKEN 3
.Os
.Sh NAME
.Nm au_free_token
-.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
+.Nd "deallocate a token_t created by any of the au_to_*() BSM API functions"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
.Fn au_free_token "token_t *tok"
.Sh DESCRIPTION
@@ -48,44 +48,50 @@ objects.
However, if
.Xr au_write 3
is passed a bad audit descriptor, the
-.Vt token_t *
+.Vt "token_t *"
parameter will be left untouched.
In that case, the caller can deallocate the
.Vt token_t
using
-.Nm
+.Fn au_free_token
if desired.
.Pp
The
-.Va tok
+.Fa tok
argument is a
-.Vt token_t *
-generated by one of the au_to_*() BSM API calls.
+.Vt "token_t *"
+generated by one of the
+.Fn au_to_*
+BSM API calls.
For convenience,
-.Va tok
+.Fa tok
may be
.Dv NULL ,
in which case
-.Nm
+.Fn au_free_token
returns immediately.
.Sh IMPLEMENTATION NOTES
This is, in fact, what
.Xr audit_write 3
does, in keeping with the existing memory management model of the BSM API.
.Sh SEE ALSO
-.Xr au_write 3 ,
.Xr audit_write 3 ,
+.Xr au_write 3 ,
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
-
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/libbsm/au_io.3 b/contrib/openbsm/libbsm/au_io.3
index 0c520a1f6eff..5e9045f960f6 100644
--- a/contrib/openbsm/libbsm/au_io.3
+++ b/contrib/openbsm/libbsm/au_io.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#5 $
.\"
.Dd April 19, 2005
.Dt AU_IO 3
@@ -32,15 +32,17 @@
.Nm au_fetch_tok ,
.Nm au_print_tok ,
.Nm au_read_rec
-.Nd "Perform I/O involving an audit record"
+.Nd "perform I/O involving an audit record"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft int
.Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
.Ft void
-.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Fo au_print_tok
+.Fa "FILE *outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Fc
.Ft int
.Fn au_read_rec "FILE *fp" "u_char **buf"
.Sh DESCRIPTION
@@ -48,31 +50,37 @@ These interfaces support input and output (I/O) involving audit records,
internalizing an audit record from a byte stream, converting a token to
either a raw or default string, and reading a single record from a file.
.Pp
+The
.Fn au_fetch_tok
+function
reads a token from the passed buffer
-.Va buf
+.Fa buf
of length
-.Va len
+.Fa len
bytes, and returns a pointer to the token via
-.Va tok .
+.Fa tok .
.Pp
+The
.Fn au_print_tok
+function
prints a string form of the token
-.Va tok
+.Fa tok
to the file output stream
-.Va outfp,
+.Fa outfp ,
either in default mode, or raw mode if
-.Va raw
+.Fa raw
is set non-zero.
The delimiter
-.Va del
+.Fa del
is used when printing.
.Pp
+The
.Fn au_read_rec
+function
reads an audit record from the file stream
-.Va fp ,
+.Fa fp ,
and returns an allocated memory buffer containing the record via
-.Va *buf ,
+.Fa *buf ,
which must be freed by the caller using
.Xr free 3 .
.Pp
@@ -93,27 +101,36 @@ would be used to free the record buffer.
Finally, the source stream would be closed by a call to
.Xr fclose 3 .
.Sh RETURN VALUES
+The
.Fn au_fetch_tok
and
.Fn au_read_rec
-return 0 on success, or -1 on failure along with additional error information
+functions
+return 0 on success, or \-1 on failure along with additional error information
returned via
.Va errno .
.Sh SEE ALSO
.Xr free 3 ,
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
+The
.Va errno
+variable
may not always be properly set in the event of an error.
diff --git a/contrib/openbsm/libbsm/au_mask.3 b/contrib/openbsm/libbsm/au_mask.3
index 6698ae5a60b8..28452796cb1a 100644
--- a/contrib/openbsm/libbsm/au_mask.3
+++ b/contrib/openbsm/libbsm/au_mask.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#6 $
.\"
.Dd April 19, 2005
.Dt AU_MASK 3
@@ -32,11 +32,11 @@
.Nm au_preselect ,
.Nm getauditflagsbin ,
.Nm getauditflagschar
-.Nd "Convert between string and numeric values of audit masks"
+.Nd "convert between string and numeric values of audit masks"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft int
.Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
.Ft int
@@ -49,13 +49,15 @@ These interfaces support processing of an audit mask represented by type
including conversion between numeric and text formats, and computing whether
or not an event is matched by a mask.
.Pp
+The
.Fn au_preselect
+function
calculates whether or not the audit event passed via
-.Va event
+.Fa event
is matched by the audit mask passed via
-.Va au_mask_t .
+.Fa mask_p .
The
-.Va sorf
+.Fa sorf
argument indicates whether or not to consider the event as a success,
if the
.Dv AU_PRS_SUCCESS
@@ -63,7 +65,7 @@ flag is set, or failure, if the
.Dv AU_PRS_FAILURE
flag is set.
The
-.Va flag
+.Fa flag
argument accepts additional arguments influencing the behavior of
.Fn au_preselect ,
including
@@ -73,64 +75,78 @@ or
.Dv AU_PRS_USECACHE
which forces use of the cache.
.Pp
+The
.Fn getauditflagsbin
+function
converts a string representation of an audit mask passed via a character
string pointed to by
-.Va auditstr ,
+.Fa auditstr ,
returning the resulting mask, if valid, via
-.Va *masks .
+.Fa *masks .
.Pp
+The
.Fn getauditflagschar
+function
converts the audit event mask passed via
-.Va *masks
+.Fa *masks
and converts it to a character string in a buffer pointed to by
-.Va auditstr .
-See the BUGS section for more information on how to provide a buffer of
+.Fa auditstr .
+See the
+.Sx BUGS
+section for more information on how to provide a buffer of
sufficient size.
If the
-.Va verbose
+.Fa verbose
flag is set, the class description string retrieved from
.Xr audit_class 5
will be used; otherwise, the two-character class name.
+.Sh IMPLEMENTATION NOTES
+The
+.Fn au_preselect
+function
+makes implicit use of various audit database routines, and may influence
+the behavior of simultaneous or interleaved processing of those databases by
+other code.
.Sh RETURN VALUES
+The
.Fn au_preselect
-returns 0 on success, or returns -1 if there is a failure looking up the
+function
+returns 0 on success, or returns \-1 if there is a failure looking up the
event type or other database access, in which case
.Va errno
will be set to indicate the error.
It returns 1 if the event is matched; 0 if not.
.Pp
-.Fn getauditflagsbin
-and
-.Fn getauditflagschar
-returns 0 on success, or -1 if there is a failure, in which case
-.Va errno
-will be set to indicate the error.
-.Sh IMPLEMENTATION NOTES
-.Fn au_preselect
-makes implicit use of various audit database routines, and may influence
-the behavior of simultaneous or interleaved processing of those databases by
-other code.
+.Rv -std getauditflagsbin getauditflagschar
.Sh SEE ALSO
.Xr libbsm 3 ,
.Xr audit_class 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
+The
.Va errno
+variable
may not always be properly set in the event of an error.
.Pp
+The
.Fn getauditflagschar
+function
does not provide a way to indicate how long the character buffer is, in order
to detect overflow.
As a result, the caller must always provide a buffer of sufficient length for
diff --git a/contrib/openbsm/libbsm/au_open.3 b/contrib/openbsm/libbsm/au_open.3
index db9e9b3fbc76..bbb0eca8dda9 100644
--- a/contrib/openbsm/libbsm/au_open.3
+++ b/contrib/openbsm/libbsm/au_open.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#8 $
.\"
.Dd March 4, 2006
.Dt AU_OPEN 3
@@ -34,13 +34,13 @@
.Nm au_close_token ,
.Nm au_open ,
.Nm au_write
-.Nd "Create and commit audit records"
+.Nd "create and commit audit records"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft int
-.Fn au_open "void"
+.Fn au_open void
.Ft int
.Fn au_write "int d" "token_t *tok"
.Ft int
@@ -73,7 +73,7 @@ function is used to commit an audit record to the system audit log, or
abandon the record.
In either cases, all resources associated with the record will be released.
The
-.Va keep
+.Fa keep
argument determines the behavior: a value of
.Dv AU_TO_WRITE
causes the record to be committed; a value of
@@ -81,28 +81,30 @@ causes the record to be committed; a value of
causes it to be abandoned.
When the audit record is committed, a BSM header will be inserted before
tokens added to the record, using the event identifier passed via
-.Va event ,
+.Fa event ,
and a trailer added to the end.
Committing a record to the system audit log requires privilege.
.Pp
The
.Fn au_close_buffer
function writes the resulting record to an in-memory buffer of size
-.Va *buflen ;
+.Fa *buflen ;
it will write back the filled buffer length into the same variable.
The argument
-.Va short
+.Fa event
is the event identifier to use in the record header.
.Pp
The
.Fn au_close_token
function generates the BSM stream output for a single token,
-.Va tok ,
+.Fa tok ,
in the passed buffer
-.Va buffer .
+.Fa buffer .
The initial buffer size and resulting data size are passed via
-.Va *buflen .
+.Fa *buflen .
+The
.Fn au_close_token
+function
will free the token before returning.
.Sh RETURN VALUES
The function
@@ -123,18 +125,23 @@ information in
.Sh SEE ALSO
.Xr audit_submit 3 ,
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
Currently,
.Fn au_open
diff --git a/contrib/openbsm/libbsm/au_token.3 b/contrib/openbsm/libbsm/au_token.3
index 384a5b8245c0..e4ea65f95734 100644
--- a/contrib/openbsm/libbsm/au_token.3
+++ b/contrib/openbsm/libbsm/au_token.3
@@ -1,5 +1,5 @@
.\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2007 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#13 $
.\"
.Dd April 19, 2005
.Dt AU_TOKEN 3
@@ -38,7 +38,7 @@
.Nm au_to_groups ,
.Nm au_to_newgroups ,
.Nm au_to_in_addr ,
-.Nm au_to_in_addr_ex ,
+.Nm au_to_in_addr_ex ,
.Nm au_to_ip ,
.Nm au_to_ipc ,
.Nm au_to_ipc_perm ,
@@ -72,103 +72,136 @@
.Nm au_to_header ,
.Nm au_to_header32 ,
.Nm au_to_header64 ,
-.Nm au_to_trailer .
-.Nd "Routines for generating BSM audit tokens"
+.Nm au_to_trailer ,
+.Nm au_to_zonename
+.Nd "routines for generating BSM audit tokens"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
-.Ft token_t *
+.In bsm/libbsm.h
+.Ft "token_t *"
.Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_arg "char n" "char *text" "u_int32_t v"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_attr32 "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_attr64 "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_attr "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_exit "int retval" "int err"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_groups "int *groups"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_in_addr "struct in_addr *internet_addr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_ip "struct ip *ip"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_ipc "char type" "int id"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_ipc_perm "struct ipc_perm *perm"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_iport "u_int16_t iport"
-.Ft token_t *
-.Fn au_to_opaque "char *data" "u_int64_t bytes"
-.Ft token_t *
+.Ft "token_t *"
+.Fn au_to_opaque "char *data" "u_int16_t bytes"
+.Ft "token_t *"
.Fn au_to_file "char *file" "struct timeval tm"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_text "char *text"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_path "char *text"
-.Ft token_t *
-.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
-.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
+.Ft "token_t *"
+.Fo au_to_process32
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_process64
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_process32_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_process64_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
.Fn au_to_return32 "char status" "u_int32_t ret"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_return64 "char status" "u_int64_t ret"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_return "char status" "u_int32_t ret"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_seq "long audit_count"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_sock_inet32 "struct sockaddr_in *so"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_sock_int "struct sockaddr_in *so"
-.Ft token_t *
-.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
-.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
-.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
-.Ft token_t *
-.Fn au_to_me "void"
-.Ft token_t *
+.Ft "token_t *"
+.Fo au_to_subject32
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject64
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject32_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject64_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fo au_to_subject_ex
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
+.Ft "token_t *"
+.Fn au_to_me void
+.Ft "token_t *"
.Fn au_to_exec_args "char **argv"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_exec_env "char **envp"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
-.Ft token_t *
+.Ft "token_t *"
.Fn au_to_trailer "int rec_size"
+.Ft "token_t *"
+.Fn au_to_zonename "char *zonename"
.Sh DESCRIPTION
These interfaces support the allocation of BSM audit tokens, represented by
-.Ft token_t ,
+.Vt token_t ,
for various data types.
.Sh RETURN VALUES
On success, a pointer to a
@@ -183,16 +216,20 @@ will be returned, and an error condition returned via
.Va errno .
.Sh SEE ALSO
.Xr libbsm 3
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
-.Sh BUGS
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
diff --git a/contrib/openbsm/libbsm/au_user.3 b/contrib/openbsm/libbsm/au_user.3
index c0fab6f9febb..3016f65b10d9 100644
--- a/contrib/openbsm/libbsm/au_user.3
+++ b/contrib/openbsm/libbsm/au_user.3
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#10 $
.\"
.Dd April 19, 2005
.Dt AU_USER 3
@@ -37,27 +37,29 @@
.Nm getauusernam_r ,
.Nm au_user_mask ,
.Nm getfauditflags
-.Nd "Look up information from the audit_user database"
+.Nd "look up information from the audit_user database"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Ft void
-.Fn setauuser "void"
+.Fn setauuser void
.Ft void
-.Fn endauuser "void"
-.Ft struct au_user_ent *
-.Fn getauuserent "void"
-.Ft struct au_user_ent *
-.Fn getauuserent_r "struct au_user_ent *u" "void"
-.Ft struct au_user_ent *
+.Fn endauuser void
+.Ft "struct au_user_ent *"
+.Fn getauuserent void
+.Ft "struct au_user_ent *"
+.Fn getauuserent_r "struct au_user_ent *u"
+.Ft "struct au_user_ent *"
.Fn getauusernam "const char *name"
-.Ft struct au_user_ent *
+.Ft "struct au_user_ent *"
.Fn getauusernam_r "struct au_user_ent *u" "const char *name"
.Ft int
.Fn au_user_mask "char *username" "au_mask_t *mask_p"
.Ft int
-.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Fo getfauditflags
+.Fa "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Fc
.Sh DESCRIPTION
These interfaces may be used to look up information from the
.Xr audit_user 5
@@ -65,67 +67,85 @@ database, which describes per-user audit configuration.
Audit user entries are described by a
.Vt au_user_ent ,
which stores the user's name in
-.Dv au_name ,
+.Va au_name ,
events to always audit in
-.Dv au_always ,
+.Va au_always ,
and events never to audit
-.Dv au_never .
+.Va au_never .
.Pp
+The
.Fn getauuserent
+function
returns the next user found in the
.Xr audit_user 5
database, or the first if the function has not yet been called.
.Dv NULL
will be returned if no further records are available.
.Pp
+The
.Fn getauusernam
+function
looks up a user by name.
.Dv NULL
will be returned if no matching class can be found.
.Pp
+The
.Fn setauuser
+function
resets the iterator through the
.Xr audit_user 5
database, causing the next call to
.Fn getauuserent
to start again from the beginning of the file.
.Pp
+The
.Fn endauuser
+function
closes the
.Xr audit_user 5
database, if open.
.Pp
-.Nm au_user_mask
+The
+.Fn au_user_mask
+function
calculates a new session audit mask to be returned via
-.Dv mask_p
+.Fa mask_p
for the user identified by
-.Dv username .
+.Fa username .
If the user audit configuration is not found, the default system audit
properties returned by
-.Xr getacflg 3 .
+.Xr getacflg 3
+are used.
The resulting mask may be set via a call to
-.Xr setaudit 3
+.Xr setaudit 2
or related variants.
.Pp
-.Nm getfauditflags
-XXXXXXXXXXXXXXXXX
+The
+.Fn getfauditflags
+function generates a new process audit state by combining the audit masks
+passed as parameters with the system audit masks.
.Sh SEE ALSO
-.Xr libbsm 3 ,
+.Xr setaudit 2 ,
.Xr getacflg 3 ,
-.Xr setaudit 3 ,
+.Xr libbsm 3 ,
.Xr audit_user 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
These routines cannot currently distinguish between an entry not being found
and an error accessing the database.
diff --git a/contrib/openbsm/libbsm/audit_submit.3 b/contrib/openbsm/libbsm/audit_submit.3
index 9e4d23008dca..46cb21768ba6 100644
--- a/contrib/openbsm/libbsm/audit_submit.3
+++ b/contrib/openbsm/libbsm/audit_submit.3
@@ -27,23 +27,26 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#11 $
.\"
.Dd May 29, 2006
.Dt audit_submit 3
.Os
.Sh NAME
.Nm audit_submit
-.Nd general purpose audit record submission
+.Nd "general purpose audit record submission"
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In stdio.h
+.In bsm/libbsm.h
.Ft int
-.Fn audit_submit "short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ...
+.Fo audit_submit
+.Fa "short au_event" "au_id_t auid" "char status"
+.Fa "int reterr" "const char * restrict format" ...
+.Fc
.Sh DESCRIPTION
The
-.Nm
+.Fn audit_submit
function provides a generic programming interface for audit record submission.
This audit record will contain a header, subject token, an optional text token,
return token, and a trailer.
@@ -66,14 +69,16 @@ variable-length argument facilities of
are converted for output.
If
.Fa format
-is NULL, then no text token is created in the audit record.
+is
+.Dv NULL ,
+then no text token is created in the audit record.
.Pp
It should be noted that
-.Nm
+.Fn audit_submit
assumes that
.Xr setaudit 2 ,
or
-.Xr setaudit_addr 2
+.Xr setaudit_addr 2
has already been called.
As a direct result, the terminal ID for the
subject will be retrieved from the kernel via
@@ -116,11 +121,12 @@ trailer,94
.Xr stdarg 3
.Sh HISTORY
The
-.Nm
+.Fn audit_submit
function first appeared in OpenBSM version 1.0.
-OpenBSM 1.0 was introduced in FreeBSD 7.0.
+OpenBSM 1.0 was introduced in
+.Fx 7.0 .
.Sh AUTHORS
The
-.Nm
+.Fn audit_submit
function was written by
.An Christian S.J. Peron Aq csjp@FreeBSD.org .
diff --git a/contrib/openbsm/libbsm/bsm_io.c b/contrib/openbsm/libbsm/bsm_io.c
index 25877351de1d..afb0fd4c0ad2 100644
--- a/contrib/openbsm/libbsm/bsm_io.c
+++ b/contrib/openbsm/libbsm/bsm_io.c
@@ -2,6 +2,7 @@
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* Copyright (c) 2006 Robert N. M. Watson
+ * Copyright (c) 2006 Martin Voros
* All rights reserved.
*
* This code was developed in part by Robert N. M. Watson, Senior Principal
@@ -31,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#48 $
*/
#include <sys/types.h>
@@ -126,6 +127,12 @@
} while (0)
/*
+ * XML option.
+ */
+#define AU_PLAIN 0
+#define AU_XML 1
+
+/*
* Prints the delimiter string.
*/
static void
@@ -194,7 +201,7 @@ print_mem(FILE *fp, u_char *data, size_t len)
* Prints the given data bytes as a string.
*/
static void
-print_string(FILE *fp, u_char *str, size_t len)
+print_string(FILE *fp, const char *str, size_t len)
{
int i;
@@ -207,16 +214,366 @@ print_string(FILE *fp, u_char *str, size_t len)
}
/*
+ * Prints the beggining of attribute.
+ */
+static void
+open_attr(FILE *fp, const char *str)
+{
+
+ fprintf(fp,"%s=\"", str);
+}
+
+/*
+ * Prints the end of attribute.
+ */
+static void
+close_attr(FILE *fp)
+{
+
+ fprintf(fp,"\" ");
+}
+
+/*
+ * Prints the end of tag.
+ */
+static void
+close_tag(FILE *fp, u_char type)
+{
+
+ switch(type) {
+ case AUT_HEADER32:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER32_EX:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER64:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER64_EX:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_ARG32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ARG64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ATTR32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ATTR64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_EXIT:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_EXEC_ARGS:
+ fprintf(fp, "</exec_args>");
+ break;
+
+ case AUT_EXEC_ENV:
+ fprintf(fp, "</exec_env>");
+ break;
+
+ case AUT_OTHER_FILE32:
+ fprintf(fp, "</file>");
+ break;
+
+ case AUT_NEWGROUPS:
+ fprintf(fp, "</group>");
+ break;
+
+ case AUT_IN_ADDR:
+ fprintf(fp, "</ip_address>");
+ break;
+
+ case AUT_IN_ADDR_EX:
+ fprintf(fp, "</ip_address>");
+ break;
+
+ case AUT_IP:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPC:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPC_PERM:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPORT:
+ fprintf(fp, "</ip_port>");
+ break;
+
+ case AUT_OPAQUE:
+ fprintf(fp, "</opaque>");
+ break;
+
+ case AUT_PATH:
+ fprintf(fp, "</path>");
+ break;
+
+ case AUT_PROCESS32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS32_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS64_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_RETURN32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_RETURN64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SEQ:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKET:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKINET32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKUNIX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT32_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT64_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_TEXT:
+ fprintf(fp, "</text>");
+ break;
+
+ case AUT_SOCKET_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_DATA:
+ fprintf(fp, "</arbitrary>");
+ break;
+
+ case AUT_ZONENAME:
+ fprintf(fp, "/>");
+ break;
+ }
+}
+
+/*
* Prints the token type in either the raw or the default form.
*/
static void
-print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
+print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
{
- if (raw)
- fprintf(fp, "%u", type);
- else
- fprintf(fp, "%s", tokname);
+ if (xml) {
+ switch(type) {
+ case AUT_HEADER32:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER32_EX:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER64:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER64_EX:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_TRAILER:
+ fprintf(fp, "</record>");
+ break;
+
+ case AUT_ARG32:
+ fprintf(fp, "<argument ");
+ break;
+
+ case AUT_ARG64:
+ fprintf(fp, "<argument ");
+ break;
+
+ case AUT_ATTR32:
+ fprintf(fp, "<attribute ");
+ break;
+
+ case AUT_ATTR64:
+ fprintf(fp, "<attribute ");
+ break;
+
+ case AUT_EXIT:
+ fprintf(fp, "<exit ");
+ break;
+
+ case AUT_EXEC_ARGS:
+ fprintf(fp, "<exec_args>");
+ break;
+
+ case AUT_EXEC_ENV:
+ fprintf(fp, "<exec_env>");
+ break;
+
+ case AUT_OTHER_FILE32:
+ fprintf(fp, "<file ");
+ break;
+
+ case AUT_NEWGROUPS:
+ fprintf(fp, "<group>");
+ break;
+
+ case AUT_IN_ADDR:
+ fprintf(fp, "<ip_address>");
+ break;
+
+ case AUT_IN_ADDR_EX:
+ fprintf(fp, "<ip_address>");
+ break;
+
+ case AUT_IP:
+ fprintf(fp, "<ip ");
+ break;
+
+ case AUT_IPC:
+ fprintf(fp, "<IPC");
+ break;
+
+ case AUT_IPC_PERM:
+ fprintf(fp, "<IPC_perm ");
+ break;
+
+ case AUT_IPORT:
+ fprintf(fp, "<ip_port>");
+ break;
+
+ case AUT_OPAQUE:
+ fprintf(fp, "<opaque>");
+ break;
+
+ case AUT_PATH:
+ fprintf(fp, "<path>");
+ break;
+
+ case AUT_PROCESS32:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS32_EX:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS64:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS64_EX:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_RETURN32:
+ fprintf(fp, "<return ");
+ break;
+
+ case AUT_RETURN64:
+ fprintf(fp, "<return ");
+ break;
+
+ case AUT_SEQ:
+ fprintf(fp, "<sequence ");
+ break;
+
+ case AUT_SOCKET:
+ fprintf(fp, "<socket ");
+ break;
+
+ case AUT_SOCKINET32:
+ fprintf(fp, "<old_socket");
+ break;
+
+ case AUT_SOCKUNIX:
+ fprintf(fp, "<old_socket");
+ break;
+
+ case AUT_SUBJECT32:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT64:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT32_EX:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT64_EX:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_TEXT:
+ fprintf(fp, "<text>");
+ break;
+
+ case AUT_SOCKET_EX:
+ fprintf(fp, "<socket ");
+ break;
+
+ case AUT_DATA:
+ fprintf(fp, "<arbitrary ");
+ break;
+
+ case AUT_ZONENAME:
+ fprintf(fp, "<zone ");
+ break;
+ }
+ } else {
+ if (raw)
+ fprintf(fp, "%u", type);
+ else
+ fprintf(fp, "%s", tokname);
+ }
}
/*
@@ -380,7 +737,7 @@ print_ip_address(FILE *fp, u_int32_t ip)
fprintf(fp, "%s", inet_ntoa(ipaddr));
}
-/*
+/*
* Prints a string value for the given ip address.
*/
static void
@@ -455,6 +812,27 @@ print_ipctype(FILE *fp, u_char type, char raw)
}
/*
+ * Print XML header.
+ */
+void
+au_print_xml_header(FILE *outfp)
+{
+
+ fprintf(outfp, "<?xml version='1.0' ?>\n");
+ fprintf(outfp, "<audit>\n");
+}
+
+/*
+ * Print XML footer.
+ */
+void
+au_print_xml_footer(FILE *outfp)
+{
+
+ fprintf(outfp, "</audit>\n");
+}
+
+/*
* record byte count 4 bytes
* version # 1 byte [2]
* event type 2 bytes
@@ -463,7 +841,7 @@ print_ipctype(FILE *fp, u_char type, char raw)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
*/
static int
-fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -495,22 +873,42 @@ fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
}
static void
-print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
+ int xml)
{
- print_tok_type(fp, tok->id, "header", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr32.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr32.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr32.e_mod, raw);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.hdr32.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.hdr32.ms, raw);
+ print_tok_type(fp, tok->id, "header", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ close_attr(fp);
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.hdr32.ms, 1);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32.ms, raw);
+ }
}
/*
@@ -532,7 +930,7 @@ print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
* nanoseconds of time 4 bytes/8 bytes (32/64-bits)
*/
static int
-fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -584,25 +982,50 @@ fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- char sfrm)
+ char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "header_ex", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
- tok->tt.hdr32_ex.addr);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.hdr32_ex.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ print_tok_type(fp, tok->id, "header_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ close_attr(fp);
+ /*
+ * No attribute for additional types.
+ *
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ */
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ }
}
/*
@@ -611,10 +1034,10 @@ print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* event modifier 2 bytes
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
- * version #
+ * version #
*/
static int
-fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -646,23 +1069,44 @@ fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
}
static void
-print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
+ int xml)
{
-
- print_tok_type(fp, tok->id, "header", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr64.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr64.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr64.e_mod, raw);
- print_delim(fp, del);
- print_sec64(fp, tok->tt.hdr64.s, raw);
- print_delim(fp, del);
- print_msec64(fp, tok->tt.hdr64.ms, raw);
+
+ print_tok_type(fp, tok->id, "header", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ close_attr(fp);
+ open_attr(fp, "time");
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+ }
}
+
/*
* record byte count 4 bytes
* version # 1 byte [2]
@@ -678,7 +1122,7 @@ print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
* accuracy of the BSM spec.
*/
static int
-fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -729,25 +1173,51 @@ fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
}
static void
-print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "header_ex", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
- tok->tt.hdr64_ex.addr);
- print_delim(fp, del);
- print_sec64(fp, tok->tt.hdr64_ex.s, raw);
- print_delim(fp, del);
- print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ print_tok_type(fp, tok->id, "header_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ close_attr(fp);
+ /*
+ * No attribute for additional types.
+ *
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ */
+ open_attr(fp, "time");
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ }
}
/*
@@ -755,7 +1225,7 @@ print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
* record size 4 bytes
*/
static int
-fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
+fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -772,12 +1242,14 @@ fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
static void
print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "trailer", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.trail.count, "%u");
+ print_tok_type(fp, tok->id, "trailer", raw, xml);
+ if (!xml) {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.trail.count, "%u");
+ }
}
/*
@@ -787,7 +1259,7 @@ print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* text N bytes + 1 terminating NULL byte
*/
static int
-fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -803,8 +1275,8 @@ fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
- err);
+ SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
+ tok->len, err);
if (err)
return (-1);
@@ -813,20 +1285,32 @@ fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "argument", raw);
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arg32.no, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
- print_delim(fp, del);
- print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+ print_tok_type(fp, tok->id, "argument", raw, xml);
+ if (xml) {
+ open_attr(fp, "arg-num");
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ close_attr(fp);
+ open_attr(fp, "value");
+ print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
+ close_attr(fp);
+ open_attr(fp, "desc");
+ print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
+ print_delim(fp, del);
+ }
}
static int
-fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -842,8 +1326,8 @@ fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
- err);
+ SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
+ tok->len, err);
if (err)
return (-1);
@@ -852,16 +1336,29 @@ fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "argument", raw);
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arg64.no, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
- print_delim(fp, del);
- print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ print_tok_type(fp, tok->id, "argument", raw, xml);
+ if (xml) {
+ open_attr(fp, "arg-num");
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ close_attr(fp);
+ open_attr(fp, "value");
+ print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
+ close_attr(fp);
+ open_attr(fp, "desc");
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ }
}
/*
@@ -871,7 +1368,7 @@ print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data items (depends on basic unit)
*/
static int
-fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
+fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int datasize;
@@ -924,15 +1421,16 @@ fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
static void
print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
char *str;
char *format;
size_t size;
int i;
- print_tok_type(fp, tok->id, "arbitrary", raw);
- print_delim(fp, del);
+ print_tok_type(fp, tok->id, "arbitrary", raw, xml);
+ if (!xml)
+ print_delim(fp, del);
switch(tok->tt.arb.howtopr) {
case AUP_BINARY:
@@ -964,56 +1462,125 @@ print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
return;
}
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
+ if (xml) {
+ open_attr(fp, "print");
+ fprintf(fp, "%s",str);
+ close_attr(fp);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ }
switch(tok->tt.arb.bu) {
case AUR_BYTE:
/* case AUR_CHAR: */
str = "byte";
size = AUR_BYTE_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i<tok->tt.arb.uc; i++)
- fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *(tok->tt.arb.data +
+ (size * i)));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i<tok->tt.arb.uc; i++)
+ fprintf(fp, format, *(tok->tt.arb.data +
+ (size * i)));
+ }
break;
case AUR_SHORT:
str = "short";
size = AUR_SHORT_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i < tok->tt.arb.uc; i++)
- fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
- (size * i))));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int16_t *)(tok->tt.arb.data +
+ (size * i))));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int16_t *)(tok->tt.arb.data +
+ (size * i))));
+ }
break;
case AUR_INT32:
/* case AUR_INT: */
str = "int";
size = AUR_INT32_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i < tok->tt.arb.uc; i++)
- fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
- (size * i))));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int32_t *)(tok->tt.arb.data +
+ (size * i))));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int32_t *)(tok->tt.arb.data +
+ (size * i))));
+ }
break;
case AUR_INT64:
str = "int64";
size = AUR_INT64_SIZE;
- print_string(fp, str, strlen(str));
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arb.uc, "%u");
- print_delim(fp, del);
- for (i = 0; i < tok->tt.arb.uc; i++)
- fprintf(fp, format, *((u_int64_t *)(tok->tt.arb.data +
- (size * i))));
+ if (xml) {
+ open_attr(fp, "type");
+ fprintf(fp, "%u", size);
+ close_attr(fp);
+ open_attr(fp, "count");
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ close_attr(fp);
+ fprintf(fp, ">");
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int64_t *)(tok->tt.arb.data +
+ (size * i))));
+ close_tag(fp, tok->id);
+ } else {
+ print_string(fp, str, strlen(str));
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arb.uc, "%u");
+ print_delim(fp, del);
+ for (i = 0; i < tok->tt.arb.uc; i++)
+ fprintf(fp, format,
+ *((u_int64_t *)(tok->tt.arb.data +
+ (size * i))));
+ }
break;
default:
@@ -1030,7 +1597,7 @@ print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* device 4 bytes/8 bytes (32-bit/64-bit)
*/
static int
-fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1063,22 +1630,44 @@ fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "attribute", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr32.mode, "%o");
- print_delim(fp, del);
- print_user(fp, tok->tt.attr32.uid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.attr32.gid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+ print_tok_type(fp, tok->id, "attribute", raw, xml);
+ if (xml) {
+ open_attr(fp, "mode");
+ print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.attr32.uid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.attr32.gid, raw);
+ close_attr(fp);
+ open_attr(fp, "fsid");
+ print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+ close_attr(fp);
+ open_attr(fp, "nodeid");
+ print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+ close_attr(fp);
+ open_attr(fp, "device");
+ print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.mode, "%o");
+ print_delim(fp, del);
+ print_user(fp, tok->tt.attr32.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.attr32.gid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr32.dev, "%u");
+ }
}
/*
@@ -1090,7 +1679,7 @@ print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* device 4 bytes/8 bytes (32-bit/64-bit)
*/
static int
-fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1123,22 +1712,44 @@ fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "attribute", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr64.mode, "%o");
- print_delim(fp, del);
- print_user(fp, tok->tt.attr64.uid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.attr64.gid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+ print_tok_type(fp, tok->id, "attribute", raw, xml);
+ if (xml) {
+ open_attr(fp, "mode");
+ print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.attr64.uid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.attr64.gid, raw);
+ close_attr(fp);
+ open_attr(fp, "fsid");
+ print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+ close_attr(fp);
+ open_attr(fp, "nodeid");
+ print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+ close_attr(fp);
+ open_attr(fp, "device");
+ print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr64.mode, "%o");
+ print_delim(fp, del);
+ print_user(fp, tok->tt.attr64.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.attr64.gid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
+ }
}
/*
@@ -1146,7 +1757,7 @@ print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* return value 4 bytes
*/
static int
-fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
+fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1163,14 +1774,24 @@ fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
static void
print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "exit", raw);
- print_delim(fp, del);
- print_errval(fp, tok->tt.exit.status);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.exit.ret, "%u");
+ print_tok_type(fp, tok->id, "exit", raw, xml);
+ if (xml) {
+ open_attr(fp, "errval");
+ print_errval(fp, tok->tt.exit.status);
+ close_attr(fp);
+ open_attr(fp, "retval");
+ print_4_bytes(fp, tok->tt.exit.ret, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_errval(fp, tok->tt.exit.status);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.exit.ret, "%u");
+ }
}
/*
@@ -1178,11 +1799,11 @@ print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* text count null-terminated string(s)
*/
static int
-fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
+fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int i;
- char *bptr;
+ u_char *bptr;
READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
if (err)
@@ -1191,7 +1812,7 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
for (i = 0; i < tok->tt.execarg.count; i++) {
bptr = buf + tok->len;
if (i < AUDIT_MAX_ARGS)
- tok->tt.execarg.text[i] = bptr;
+ tok->tt.execarg.text[i] = (char*)bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@@ -1211,16 +1832,25 @@ fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
static void
print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
int i;
- print_tok_type(fp, tok->id, "exec arg", raw);
+ print_tok_type(fp, tok->id, "exec arg", raw, xml);
for (i = 0; i < tok->tt.execarg.count; i++) {
- print_delim(fp, del);
- print_string(fp, tok->tt.execarg.text[i],
- strlen(tok->tt.execarg.text[i]));
+ if (xml) {
+ fprintf(fp, "<arg>");
+ print_string(fp, tok->tt.execarg.text[i],
+ strlen(tok->tt.execarg.text[i]));
+ fprintf(fp, "</arg>");
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.execarg.text[i],
+ strlen(tok->tt.execarg.text[i]));
+ }
}
+ if (xml)
+ close_tag(fp, tok->id);
}
/*
@@ -1228,11 +1858,11 @@ print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* text count null-terminated string(s)
*/
static int
-fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
+fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int i;
- char *bptr;
+ u_char *bptr;
READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
if (err)
@@ -1241,7 +1871,7 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
for (i = 0; i < tok->tt.execenv.count; i++) {
bptr = buf + tok->len;
if (i < AUDIT_MAX_ENV)
- tok->tt.execenv.text[i] = bptr;
+ tok->tt.execenv.text[i] = (char*)bptr;
/* Look for a null terminated string. */
while (bptr && (*bptr != '\0')) {
@@ -1261,16 +1891,25 @@ fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
static void
print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
int i;
- print_tok_type(fp, tok->id, "exec env", raw);
+ print_tok_type(fp, tok->id, "exec env", raw, xml);
for (i = 0; i< tok->tt.execenv.count; i++) {
- print_delim(fp, del);
- print_string(fp, tok->tt.execenv.text[i],
- strlen(tok->tt.execenv.text[i]));
+ if (xml) {
+ fprintf(fp, "<env>");
+ print_string(fp, tok->tt.execenv.text[i],
+ strlen(tok->tt.execenv.text[i]));
+ fprintf(fp, "</env>");
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.execenv.text[i],
+ strlen(tok->tt.execenv.text[i]));
+ }
}
+ if (xml)
+ close_tag(fp, tok->id);
}
/*
@@ -1280,7 +1919,7 @@ print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* file pathname N bytes + 1 terminating NULL byte
*/
static int
-fetch_file_tok(tokenstr_t *tok, char *buf, int len)
+fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1296,7 +1935,8 @@ fetch_file_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
+ SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
+ err);
if (err)
return (-1);
@@ -1305,16 +1945,28 @@ fetch_file_tok(tokenstr_t *tok, char *buf, int len)
static void
print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "file", raw);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.file.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.file.ms, raw);
- print_delim(fp, del);
- print_string(fp, tok->tt.file.name, tok->tt.file.len);
+ print_tok_type(fp, tok->id, "file", raw, xml);
+ if (xml) {
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.file.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.file.ms, raw);
+ close_attr(fp);
+ fprintf(fp, ">");
+ print_string(fp, tok->tt.file.name, tok->tt.file.len);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.file.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.file.ms, raw);
+ print_delim(fp, del);
+ print_string(fp, tok->tt.file.name, tok->tt.file.len);
+ }
}
/*
@@ -1322,7 +1974,7 @@ print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* group list count * 4 bytes
*/
static int
-fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
+fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
{
int i;
int err = 0;
@@ -1343,14 +1995,21 @@ fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
static void
print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
int i;
- print_tok_type(fp, tok->id, "group", raw);
+ print_tok_type(fp, tok->id, "group", raw, xml);
for (i = 0; i < tok->tt.grps.no; i++) {
- print_delim(fp, del);
- print_group(fp, tok->tt.grps.list[i], raw);
+ if (xml) {
+ fprintf(fp, "<gid>");
+ print_group(fp, tok->tt.grps.list[i], raw);
+ fprintf(fp, "</gid>");
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_group(fp, tok->tt.grps.list[i], raw);
+ }
}
}
@@ -1358,7 +2017,7 @@ print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* Internet addr 4 bytes
*/
static int
-fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
+fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1373,12 +2032,17 @@ fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
static void
print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "ip addr", raw);
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.inaddr.addr);
+ print_tok_type(fp, tok->id, "ip addr", raw, xml);
+ if (xml) {
+ print_ip_address(fp, tok->tt.inaddr.addr);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.inaddr.addr);
+ }
}
/*
@@ -1386,7 +2050,7 @@ print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* address 16 bytes
*/
static int
-fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1412,20 +2076,26 @@ fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "ip addr ex", raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
- tok->tt.inaddr_ex.addr);
+ print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
+ if (xml) {
+ print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+ tok->tt.inaddr_ex.addr);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
+ tok->tt.inaddr_ex.addr);
+ }
}
/*
* ip header 20 bytes
*/
static int
-fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
+fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1480,30 +2150,66 @@ fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
static void
print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "ip", raw);
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
- print_delim(fp, del);
- print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.ip.src);
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.ip.dest);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "ip", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_mem(fp, (u_char *)(&tok->tt.ip.version),
+ sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "service_type");
+ print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "len");
+ print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
+ close_attr(fp);
+ open_attr(fp, "id");
+ print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
+ close_attr(fp);
+ open_attr(fp, "offset");
+ print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
+ close_attr(fp);
+ open_attr(fp, "time_to_live");
+ print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "protocol");
+ print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+ close_attr(fp);
+ open_attr(fp, "cksum");
+ print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
+ close_attr(fp);
+ open_attr(fp, "src_addr");
+ print_ip_address(fp, tok->tt.ip.src);
+ close_attr(fp);
+ open_attr(fp, "dest_addr");
+ print_ip_address(fp, tok->tt.ip.dest);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.version),
+ sizeof(u_char));
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
+ print_delim(fp, del);
+ print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.ip.src);
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.ip.dest);
+ }
}
/*
@@ -1511,7 +2217,7 @@ print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* Object ID 4 bytes
*/
static int
-fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
+fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1528,14 +2234,24 @@ fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
static void
print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "IPC", raw);
- print_delim(fp, del);
- print_ipctype(fp, tok->tt.ipc.type, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipc.id, "%u");
+ print_tok_type(fp, tok->id, "IPC", raw, xml);
+ if (xml) {
+ open_attr(fp, "ipc-type");
+ print_ipctype(fp, tok->tt.ipc.type, raw);
+ close_attr(fp);
+ open_attr(fp, "ipc-id");
+ print_4_bytes(fp, tok->tt.ipc.id, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_ipctype(fp, tok->tt.ipc.type, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipc.id, "%u");
+ }
}
/*
@@ -1548,7 +2264,7 @@ print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* key 4 bytes
*/
static int
-fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
+fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1585,31 +2301,56 @@ fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
static void
print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "IPC perm", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.ipcperm.uid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.ipcperm.gid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.ipcperm.puid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.ipcperm.pgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+ print_tok_type(fp, tok->id, "IPC perm", raw, xml);
+ if (xml) {
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.ipcperm.uid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.ipcperm.gid, raw);
+ close_attr(fp);
+ open_attr(fp, "creator-uid");
+ print_user(fp, tok->tt.ipcperm.puid, raw);
+ close_attr(fp);
+ open_attr(fp, "creator-gid");
+ print_group(fp, tok->tt.ipcperm.pgid, raw);
+ close_attr(fp);
+ open_attr(fp, "mode");
+ print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+ close_attr(fp);
+ open_attr(fp, "seq");
+ print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+ close_attr(fp);
+ open_attr(fp, "key");
+ print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.ipcperm.uid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.ipcperm.gid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.ipcperm.puid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.ipcperm.pgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
+ }
}
/*
* port Ip address 2 bytes
*/
static int
-fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
+fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1623,12 +2364,17 @@ fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
static void
print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "ip port", raw);
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
+ print_tok_type(fp, tok->id, "ip port", raw, xml);
+ if (xml) {
+ print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
+ }
}
/*
@@ -1636,7 +2382,7 @@ print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data size bytes
*/
static int
-fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
+fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1644,8 +2390,8 @@ fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
- err);
+ SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
+ tok->len, err);
if (err)
return (-1);
@@ -1654,14 +2400,21 @@ fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
static void
print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "opaque", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.opaque.size, "%u");
- print_delim(fp, del);
- print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
+ print_tok_type(fp, tok->id, "opaque", raw, xml);
+ if (xml) {
+ print_mem(fp, (u_char*)tok->tt.opaque.data,
+ tok->tt.opaque.size);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.opaque.size, "%u");
+ print_delim(fp, del);
+ print_mem(fp, (u_char*)tok->tt.opaque.data,
+ tok->tt.opaque.size);
+ }
}
/*
@@ -1669,7 +2422,7 @@ print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data size bytes
*/
static int
-fetch_path_tok(tokenstr_t *tok, char *buf, int len)
+fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1677,7 +2430,8 @@ fetch_path_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
+ SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
+ err);
if (err)
return (-1);
@@ -1686,12 +2440,17 @@ fetch_path_tok(tokenstr_t *tok, char *buf, int len)
static void
print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "path", raw);
- print_delim(fp, del);
- print_string(fp, tok->tt.path.path, tok->tt.path.len);
+ print_tok_type(fp, tok->id, "path", raw, xml);
+ if (xml) {
+ print_string(fp, tok->tt.path.path, tok->tt.path.len);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.path.path, tok->tt.path.len);
+ }
}
/*
@@ -1708,7 +2467,7 @@ print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 4 bytes
*/
static int
-fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1754,32 +2513,187 @@ fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "process", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.proc32.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "process", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc32.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc32.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc32.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc32.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc32.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+ print_ip_address(fp, tok->tt.proc32.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.proc32.tid.addr);
+ }
}
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 8 bytes
+ * machine id 4 bytes
+ */
static int
-fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
+ sizeof(tok->tt.proc64.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "process", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc64.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc64.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc64.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc64.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc64.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc64.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc64.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
+ print_ip_address(fp, tok->tt.proc64.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.proc64.tid.addr);
+ }
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
+static int
+fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1839,29 +2753,188 @@ fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "process_ex", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32_ex.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32_ex.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32_ex.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.proc32_ex.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.proc32_ex.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
- tok->tt.proc32_ex.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "process_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc32_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc32_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc32_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc32_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc32_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+ print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+ tok->tt.proc32_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc32_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc32_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
+ tok->tt.proc32_ex.tid.addr);
+ }
+}
+
+/*
+ * token ID 1 byte
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 8 bytes
+ * address type-len 4 bytes
+ * machine address 16 bytes
+ */
+static int
+fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
+ sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
+ sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "process_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.proc64_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.proc64_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.proc64_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.proc64_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.proc64_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
+ print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
+ tok->tt.proc64_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.proc64_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.proc64_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
+ tok->tt.proc64_ex.tid.addr);
+ }
}
/*
@@ -1869,7 +2942,7 @@ print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* return value 4 bytes
*/
static int
-fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1886,18 +2959,28 @@ fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "return", raw);
- print_delim(fp, del);
- print_retval(fp, tok->tt.ret32.status, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+ print_tok_type(fp, tok->id, "return", raw, xml);
+ if (xml) {
+ open_attr(fp ,"errval");
+ print_retval(fp, tok->tt.ret32.status, raw);
+ close_attr(fp);
+ open_attr(fp, "retval");
+ print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_retval(fp, tok->tt.ret32.status, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.ret32.ret, "%u");
+ }
}
static int
-fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1914,21 +2997,31 @@ fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "return", raw);
- print_delim(fp, del);
- print_retval(fp, tok->tt.ret64.err, raw);
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+ print_tok_type(fp, tok->id, "return", raw, xml);
+ if (xml) {
+ open_attr(fp, "errval");
+ print_retval(fp, tok->tt.ret64.err, raw);
+ close_attr(fp);
+ open_attr(fp, "retval");
+ print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_retval(fp, tok->tt.ret64.err, raw);
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.ret64.val, "%lld");
+ }
}
/*
* seq 4 bytes
*/
static int
-fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
+fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1941,12 +3034,19 @@ fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
static void
print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "sequence", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+ print_tok_type(fp, tok->id, "sequence", raw, xml);
+ if (xml) {
+ open_attr(fp, "seq-num");
+ print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.seq.seqno, "%u");
+ }
}
/*
@@ -1955,7 +3055,7 @@ print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* socket address 4 bytes
*/
static int
-fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -1979,16 +3079,29 @@ fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket-inet", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.sockinet32.addr);
+ print_tok_type(fp, tok->id, "socket-inet", raw, xml);
+ if (xml) {
+ open_attr(fp, "type");
+ print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+ close_attr(fp);
+ open_attr(fp, "port");
+ print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
+ close_attr(fp);
+ open_attr(fp, "addr");
+ print_ip_address(fp, tok->tt.sockinet32.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.sockinet32.addr);
+ }
}
/*
@@ -1996,7 +3109,7 @@ print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* path 104 bytes
*/
static int
-fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
+fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2014,15 +3127,28 @@ fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
static void
print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket-unix", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.sockunix.family, "%u");
- print_delim(fp, del);
- print_string(fp, tok->tt.sockunix.path,
- strlen(tok->tt.sockunix.path));
+ print_tok_type(fp, tok->id, "socket-unix", raw, xml);
+ if (xml) {
+ open_attr(fp, "type");
+ print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+ close_attr(fp);
+ open_attr(fp, "port");
+ close_attr(fp);
+ open_attr(fp, "addr");
+ print_string(fp, tok->tt.sockunix.path,
+ strlen(tok->tt.sockunix.path));
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.sockunix.family, "%u");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.sockunix.path,
+ strlen(tok->tt.sockunix.path));
+ }
}
/*
@@ -2033,7 +3159,7 @@ print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* remote address 4 bytes
*/
static int
-fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
+fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2066,20 +3192,39 @@ fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
static void
print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.socket.type, "%u");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket.l_addr);
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket.r_addr);
+ print_tok_type(fp, tok->id, "socket", raw, xml);
+ if (xml) {
+ open_attr(fp, "sock_type");
+ print_2_bytes(fp, tok->tt.socket.type, "%u");
+ close_attr(fp);
+ open_attr(fp, "lport");
+ print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
+ close_attr(fp);
+ open_attr(fp, "laddr");
+ print_ip_address(fp, tok->tt.socket.l_addr);
+ close_attr(fp);
+ open_attr(fp, "fport");
+ print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
+ close_attr(fp);
+ open_attr(fp, "faddr");
+ print_ip_address(fp, tok->tt.socket.r_addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket.type, "%u");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket.l_addr);
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket.r_addr);
+ }
}
/*
@@ -2095,7 +3240,7 @@ print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 4 bytes
*/
static int
-fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2141,28 +3286,57 @@ fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "subject", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.subj32.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "subject", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj32.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj32.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj32.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj32.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj32.rgid, raw);
+ close_attr(fp);
+ open_attr(fp,"pid");
+ print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+ close_attr(fp);
+ open_attr(fp,"sid");
+ print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+ close_attr(fp);
+ open_attr(fp,"tid");
+ print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
+ print_ip_address(fp, tok->tt.subj32.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.subj32.tid.addr);
+ }
}
/*
@@ -2178,7 +3352,7 @@ print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 4 bytes
*/
static int
-fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
+fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2224,28 +3398,57 @@ fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
static void
print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "subject", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj64.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj64.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj64.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj64.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj64.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj64.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj64.sid, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.subj64.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "subject", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj64.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj64.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj64.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj64.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj64.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+ print_ip_address(fp, tok->tt.subj64.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.subj64.tid.addr);
+ }
}
/*
@@ -2262,7 +3465,7 @@ print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* machine id 16 bytes
*/
static int
-fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
+fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2322,29 +3525,187 @@ fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
static void
print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
-{
-
- print_tok_type(fp, tok->id, "subject_ex", raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32_ex.auid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32_ex.euid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32_ex.egid, raw);
- print_delim(fp, del);
- print_user(fp, tok->tt.subj32_ex.ruid, raw);
- print_delim(fp, del);
- print_group(fp, tok->tt.subj32_ex.rgid, raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
- tok->tt.subj32_ex.tid.addr);
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "subject_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj32_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj32_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj32_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj32_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj32_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+ print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+ tok->tt.subj32_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj32_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj32_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
+ tok->tt.subj32_ex.tid.addr);
+ }
+}
+
+/*
+ * audit ID 4 bytes
+ * euid 4 bytes
+ * egid 4 bytes
+ * ruid 4 bytes
+ * rgid 4 bytes
+ * pid 4 bytes
+ * sessid 4 bytes
+ * terminal ID
+ * portid 8 bytes
+ * type 4 bytes
+ * machine id 16 bytes
+ */
+static int
+fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
+ err);
+ if (err)
+ return (-1);
+
+ if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
+ READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
+ sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
+ if (err)
+ return (-1);
+ } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
+ READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
+ sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
+ if (err)
+ return (-1);
+ } else
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+ print_tok_type(fp, tok->id, "subject_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "audit-uid");
+ print_user(fp, tok->tt.subj64_ex.auid, raw);
+ close_attr(fp);
+ open_attr(fp, "uid");
+ print_user(fp, tok->tt.subj64_ex.euid, raw);
+ close_attr(fp);
+ open_attr(fp, "gid");
+ print_group(fp, tok->tt.subj64_ex.egid, raw);
+ close_attr(fp);
+ open_attr(fp, "ruid");
+ print_user(fp, tok->tt.subj64_ex.ruid, raw);
+ close_attr(fp);
+ open_attr(fp, "rgid");
+ print_group(fp, tok->tt.subj64_ex.rgid, raw);
+ close_attr(fp);
+ open_attr(fp, "pid");
+ print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
+ close_attr(fp);
+ open_attr(fp, "sid");
+ print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
+ close_attr(fp);
+ open_attr(fp, "tid");
+ print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
+ print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
+ tok->tt.subj64_ex.tid.addr);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.auid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.euid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64_ex.egid, raw);
+ print_delim(fp, del);
+ print_user(fp, tok->tt.subj64_ex.ruid, raw);
+ print_delim(fp, del);
+ print_group(fp, tok->tt.subj64_ex.rgid, raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
+ tok->tt.subj64_ex.tid.addr);
+ }
}
/*
@@ -2352,7 +3713,7 @@ print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* data size bytes
*/
static int
-fetch_text_tok(tokenstr_t *tok, char *buf, int len)
+fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2360,7 +3721,7 @@ fetch_text_tok(tokenstr_t *tok, char *buf, int len)
if (err)
return (-1);
- SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
+ SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
err);
if (err)
return (-1);
@@ -2370,12 +3731,17 @@ fetch_text_tok(tokenstr_t *tok, char *buf, int len)
static void
print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "text", raw);
- print_delim(fp, del);
- print_string(fp, tok->tt.text.text, tok->tt.text.len);
+ print_tok_type(fp, tok->id, "text", raw, xml);
+ if (xml) {
+ print_string(fp, tok->tt.text.text, tok->tt.text.len);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.text.text, tok->tt.text.len);
+ }
}
/*
@@ -2388,7 +3754,7 @@ print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
* remote Internet address 4 bytes
*/
static int
-fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
+fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
@@ -2432,24 +3798,43 @@ fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
static void
print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "socket", raw);
- print_delim(fp, del);
- print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
- print_delim(fp, del);
- print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket_ex32.l_addr);
- print_delim(fp, del);
- print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
- print_delim(fp, del);
- print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ print_tok_type(fp, tok->id, "socket", raw, xml);
+ if (xml) {
+ open_attr(fp, "sock_type");
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ close_attr(fp);
+ open_attr(fp, "lport");
+ print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
+ close_attr(fp);
+ open_attr(fp, "laddr");
+ print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ close_attr(fp);
+ open_attr(fp, "faddr");
+ print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ close_attr(fp);
+ open_attr(fp, "fport");
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
+ print_delim(fp, del);
+ print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket_ex32.l_addr);
+ print_delim(fp, del);
+ print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
+ print_delim(fp, del);
+ print_ip_address(fp, tok->tt.socket_ex32.r_addr);
+ }
}
static int
-fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
+fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
{
int err = 0;
int recoversize;
@@ -2460,7 +3845,8 @@ fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
tok->tt.invalid.length = recoversize;
- SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
+ SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
+ err);
if (err)
return (-1);
@@ -2469,14 +3855,55 @@ fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
static void
print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
+{
+
+ if (!xml) {
+ print_tok_type(fp, tok->id, "unknown", raw, 0);
+ print_delim(fp, del);
+ print_mem(fp, (u_char*)tok->tt.invalid.data,
+ tok->tt.invalid.length);
+ }
+}
+
+
+/*
+ * size 2 bytes;
+ * zonename size bytes;
+ */
+static int
+fetch_zonename_tok(tokenstr_t *tok, char *buf, int len)
{
+ int err = 0;
- print_tok_type(fp, tok->id, "unknown", raw);
- print_delim(fp, del);
- print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
+ READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
+ if (err)
+ return (-1);
+ SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
+ tok->len, err);
+ if (err)
+ return (-1);
+ return (0);
}
+static void
+print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ __unused char sfrm, int xml)
+{
+
+ print_tok_type(fp, tok->id, "zone", raw, xml);
+ if (xml) {
+ open_attr(fp, "name");
+ print_string(fp, tok->tt.zonename.zonename,
+ tok->tt.zonename.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_string(fp, tok->tt.zonename.zonename,
+ tok->tt.zonename.len);
+ }
+}
/*
* Reads the token beginning at buf into tok.
@@ -2565,6 +3992,12 @@ au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
case AUT_PROCESS32_EX:
return (fetch_process32ex_tok(tok, buf, len));
+ case AUT_PROCESS64:
+ return (fetch_process64_tok(tok, buf, len));
+
+ case AUT_PROCESS64_EX:
+ return (fetch_process64ex_tok(tok, buf, len));
+
case AUT_RETURN32:
return (fetch_return32_tok(tok, buf, len));
@@ -2586,11 +4019,14 @@ au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
case AUT_SUBJECT32:
return (fetch_subject32_tok(tok, buf, len));
+ case AUT_SUBJECT32_EX:
+ return (fetch_subject32ex_tok(tok, buf, len));
+
case AUT_SUBJECT64:
return (fetch_subject64_tok(tok, buf, len));
- case AUT_SUBJECT32_EX:
- return (fetch_subject32ex_tok(tok, buf, len));
+ case AUT_SUBJECT64_EX:
+ return (fetch_subject64ex_tok(tok, buf, len));
case AUT_TEXT:
return (fetch_text_tok(tok, buf, len));
@@ -2601,13 +4037,16 @@ au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
case AUT_DATA:
return (fetch_arb_tok(tok, buf, len));
+ case AUT_ZONENAME:
+ return (fetch_zonename_tok(tok, buf, len));
+
default:
return (fetch_invalid_tok(tok, buf, len));
}
}
/*
- * 'prints' the token out to outfp
+ * 'prints' the token out to outfp.
*/
void
au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
@@ -2615,151 +4054,341 @@ au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
switch(tok->id) {
case AUT_HEADER32:
- print_header32_tok(outfp, tok, del, raw, sfrm);
+ print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_HEADER32_EX:
- print_header32_ex_tok(outfp, tok, del, raw, sfrm);
+ print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_HEADER64:
- print_header64_tok(outfp, tok, del, raw, sfrm);
+ print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_HEADER64_EX:
- print_header64_ex_tok(outfp, tok, del, raw, sfrm);
+ print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_TRAILER:
- print_trailer_tok(outfp, tok, del, raw, sfrm);
+ print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ARG32:
- print_arg32_tok(outfp, tok, del, raw, sfrm);
+ print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ARG64:
- print_arg64_tok(outfp, tok, del, raw, sfrm);
+ print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_DATA:
- print_arb_tok(outfp, tok, del, raw, sfrm);
+ print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ATTR32:
- print_attr32_tok(outfp, tok, del, raw, sfrm);
+ print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_ATTR64:
- print_attr64_tok(outfp, tok, del, raw, sfrm);
+ print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_EXIT:
- print_exit_tok(outfp, tok, del, raw, sfrm);
+ print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_EXEC_ARGS:
- print_execarg_tok(outfp, tok, del, raw, sfrm);
+ print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_EXEC_ENV:
- print_execenv_tok(outfp, tok, del, raw, sfrm);
+ print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_OTHER_FILE32:
- print_file_tok(outfp, tok, del, raw, sfrm);
+ print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_NEWGROUPS:
- print_newgroups_tok(outfp, tok, del, raw, sfrm);
+ print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IN_ADDR:
- print_inaddr_tok(outfp, tok, del, raw, sfrm);
+ print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IN_ADDR_EX:
- print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
+ print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IP:
- print_ip_tok(outfp, tok, del, raw, sfrm);
+ print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IPC:
- print_ipc_tok(outfp, tok, del, raw, sfrm);
+ print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IPC_PERM:
- print_ipcperm_tok(outfp, tok, del, raw, sfrm);
+ print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_IPORT:
- print_iport_tok(outfp, tok, del, raw, sfrm);
+ print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_OPAQUE:
- print_opaque_tok(outfp, tok, del, raw, sfrm);
+ print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_PATH:
- print_path_tok(outfp, tok, del, raw, sfrm);
+ print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_PROCESS32:
- print_process32_tok(outfp, tok, del, raw, sfrm);
+ print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_PROCESS32_EX:
- print_process32ex_tok(outfp, tok, del, raw, sfrm);
+ print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_PROCESS64:
+ print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_PROCESS64_EX:
+ print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_RETURN32:
- print_return32_tok(outfp, tok, del, raw, sfrm);
+ print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_RETURN64:
- print_return64_tok(outfp, tok, del, raw, sfrm);
+ print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SEQ:
- print_seq_tok(outfp, tok, del, raw, sfrm);
+ print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKET:
- print_socket_tok(outfp, tok, del, raw, sfrm);
+ print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKINET32:
- print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
+ print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKUNIX:
- print_sock_unix_tok(outfp, tok, del, raw, sfrm);
+ print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SUBJECT32:
- print_subject32_tok(outfp, tok, del, raw, sfrm);
+ print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SUBJECT64:
- print_subject64_tok(outfp, tok, del, raw, sfrm);
+ print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SUBJECT32_EX:
- print_subject32ex_tok(outfp, tok, del, raw, sfrm);
+ print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_SUBJECT64_EX:
+ print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_TEXT:
- print_text_tok(outfp, tok, del, raw, sfrm);
+ print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
return;
case AUT_SOCKET_EX:
- print_socketex32_tok(outfp, tok, del, raw, sfrm);
+ print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ case AUT_ZONENAME:
+ print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ return;
+
+ default:
+ print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
+ }
+}
+
+/*
+ * 'prints' the token out to outfp in XML format.
+ */
+void
+au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
+ char sfrm)
+{
+
+ switch(tok->id) {
+ case AUT_HEADER32:
+ print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_HEADER32_EX:
+ print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_HEADER64:
+ print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_HEADER64_EX:
+ print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_TRAILER:
+ print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ARG32:
+ print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ARG64:
+ print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_DATA:
+ print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ATTR32:
+ print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ATTR64:
+ print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_EXIT:
+ print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_EXEC_ARGS:
+ print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_EXEC_ENV:
+ print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_OTHER_FILE32:
+ print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_NEWGROUPS:
+ print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IN_ADDR:
+ print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IN_ADDR_EX:
+ print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IP:
+ print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IPC:
+ print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IPC_PERM:
+ print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_IPORT:
+ print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_OPAQUE:
+ print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PATH:
+ print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS32:
+ print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS32_EX:
+ print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS64:
+ print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_PROCESS64_EX:
+ print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_RETURN32:
+ print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_RETURN64:
+ print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SEQ:
+ print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKET:
+ print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKINET32:
+ print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKUNIX:
+ print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT32:
+ print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT64:
+ print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT32_EX:
+ print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SUBJECT64_EX:
+ print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_TEXT:
+ print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_SOCKET_EX:
+ print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
+ return;
+
+ case AUT_ZONENAME:
+ print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
return;
default:
- print_invalid_tok(outfp, tok, del, raw, sfrm);
+ print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
}
}
diff --git a/contrib/openbsm/libbsm/bsm_notify.c b/contrib/openbsm/libbsm/bsm_notify.c
index 3ebfb25b5423..e7d3ea2cb13a 100644
--- a/contrib/openbsm/libbsm/bsm_notify.c
+++ b/contrib/openbsm/libbsm/bsm_notify.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#13 $
*/
/*
@@ -66,7 +66,8 @@ uint32_t
au_notify_initialize(void)
{
#if AUDIT_NOTIFICATION_ENABLED
- uint32_t status, ignore_first;
+ uint32_t status;
+ int ignore_first;
status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
if (status != NOTIFY_STATUS_OK)
@@ -108,7 +109,7 @@ int
au_get_state(void)
{
#if AUDIT_NOTIFICATION_ENABLED
- uint32_t did_notify;
+ int did_notify;
#endif
int status;
diff --git a/contrib/openbsm/libbsm/bsm_token.c b/contrib/openbsm/libbsm/bsm_token.c
index fecbeb84f219..86c1f6048321 100644
--- a/contrib/openbsm/libbsm/bsm_token.c
+++ b/contrib/openbsm/libbsm/bsm_token.c
@@ -30,7 +30,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#52 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#62 $
*/
#include <sys/types.h>
@@ -212,9 +212,46 @@ au_to_attr32(struct vnode_au_info *vni)
token_t *
au_to_attr64(struct vnode_au_info *vni)
{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int16_t pad0_16 = 0;
+ u_int16_t pad0_32 = 0;
- errno = ENOTSUP;
- return (NULL);
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
+ 3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_ATTR64);
+
+ /*
+ * Darwin defines the size for the file mode
+ * as 2 bytes; BSM defines 4 so pad with 0
+ */
+ ADD_U_INT16(dptr, pad0_16);
+ ADD_U_INT16(dptr, vni->vn_mode);
+
+ ADD_U_INT32(dptr, vni->vn_uid);
+ ADD_U_INT32(dptr, vni->vn_gid);
+ ADD_U_INT32(dptr, vni->vn_fsid);
+
+ /*
+ * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
+ * Attempt to handle both, and let the compiler sort it out. If we
+ * could pick this out at compile-time, it would be better, so as to
+ * avoid the else case below.
+ */
+ if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
+ ADD_U_INT32(dptr, pad0_32);
+ ADD_U_INT32(dptr, vni->vn_fileid);
+ } else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
+ ADD_U_INT64(dptr, vni->vn_fileid);
+ else
+ ADD_U_INT64(dptr, 0LL);
+
+ ADD_U_INT64(dptr, vni->vn_dev);
+
+ return (t);
}
token_t *
@@ -308,7 +345,7 @@ token_t *
au_to_groups(int *groups)
{
- return (au_to_newgroups(AUDIT_MAX_GROUPS, groups));
+ return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
}
/*
@@ -382,6 +419,8 @@ au_to_in_addr_ex(struct in6_addr *internet_addr)
/*
* token ID 1 byte
* ip header 20 bytes
+ *
+ * The IP header should be submitted in network byte order.
*/
token_t *
au_to_ip(struct ip *ip)
@@ -394,9 +433,6 @@ au_to_ip(struct ip *ip)
return (NULL);
ADD_U_CHAR(dptr, AUT_IP);
- /*
- * XXXRW: Any byte order work needed on the IP header before writing?
- */
ADD_MEM(dptr, ip, sizeof(struct ip));
return (t);
@@ -650,19 +686,34 @@ au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
}
token_t *
-au_to_process64(__unused au_id_t auid, __unused uid_t euid,
- __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
- __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
+ sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
- errno = ENOTSUP;
- return (NULL);
+ ADD_U_CHAR(dptr, AUT_PROCESS64);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->port);
+ ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
+
+ return (t);
}
token_t *
-au_to_process(__unused au_id_t auid, __unused uid_t euid,
- __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
- __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
+au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid)
{
return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
@@ -713,11 +764,11 @@ au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
- ADD_U_INT32(dptr, tid->at_addr[0]);
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
if (tid->at_type == AU_IPv6) {
- ADD_U_INT32(dptr, tid->at_addr[1]);
- ADD_U_INT32(dptr, tid->at_addr[2]);
- ADD_U_INT32(dptr, tid->at_addr[3]);
+ ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
}
return (t);
@@ -727,9 +778,42 @@ token_t *
au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
- errno = ENOTSUP;
- return (NULL);
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 2 * sizeof(u_int32_t));
+ else if (tid->at_type == AU_IPv6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 5 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+ if (tid->at_type == AU_IPv6) {
+ ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
+ ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
+ }
+
+ return (t);
}
token_t *
@@ -944,9 +1028,26 @@ token_t *
au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
pid_t pid, au_asid_t sid, au_tid_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
+ sizeof(u_int64_t) + sizeof(u_int32_t));
+ if (t == NULL)
+ return (NULL);
- errno = ENOTSUP;
- return (NULL);
+ ADD_U_CHAR(dptr, AUT_SUBJECT64);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->port);
+ ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
+
+ return (t);
}
token_t *
@@ -1002,12 +1103,10 @@ au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
ADD_U_INT32(dptr, sid);
ADD_U_INT32(dptr, tid->at_port);
ADD_U_INT32(dptr, tid->at_type);
- ADD_U_INT32(dptr, tid->at_addr[0]);
- if (tid->at_type == AU_IPv6) {
- ADD_U_INT32(dptr, tid->at_addr[1]);
- ADD_U_INT32(dptr, tid->at_addr[2]);
- ADD_U_INT32(dptr, tid->at_addr[3]);
- }
+ if (tid->at_type == AU_IPv6)
+ ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
+ else
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
return (t);
}
@@ -1016,9 +1115,40 @@ token_t *
au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
{
+ token_t *t;
+ u_char *dptr = NULL;
- errno = ENOTSUP;
- return (NULL);
+ if (tid->at_type == AU_IPv4)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 2 * sizeof(u_int32_t));
+ else if (tid->at_type == AU_IPv6)
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
+ 7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
+ 5 * sizeof(u_int32_t));
+ else {
+ errno = EINVAL;
+ return (NULL);
+ }
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
+ ADD_U_INT32(dptr, auid);
+ ADD_U_INT32(dptr, euid);
+ ADD_U_INT32(dptr, egid);
+ ADD_U_INT32(dptr, ruid);
+ ADD_U_INT32(dptr, rgid);
+ ADD_U_INT32(dptr, pid);
+ ADD_U_INT32(dptr, sid);
+ ADD_U_INT64(dptr, tid->at_port);
+ ADD_U_INT32(dptr, tid->at_type);
+ if (tid->at_type == AU_IPv6)
+ ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
+ else
+ ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
+
+ return (t);
}
token_t *
@@ -1090,6 +1220,27 @@ au_to_exec_args(char **argv)
}
/*
+ * token ID 1 byte
+ * zonename length 2 bytes
+ * zonename N bytes + 1 terminating NULL byte
+ */
+token_t *
+au_to_zonename(char *zonename)
+{
+ u_char *dptr = NULL;
+ u_int16_t textlen;
+ token_t *t;
+
+ textlen = strlen(zonename);
+ textlen += 1;
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
+ ADD_U_CHAR(dptr, AUT_ZONENAME);
+ ADD_U_INT16(dptr, textlen);
+ ADD_STRING(dptr, zonename, textlen);
+ return (t);
+}
+
+/*
* token ID 1 byte
* count 4 bytes
* text count null-terminated strings
@@ -1166,6 +1317,33 @@ au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
return (t);
}
+token_t *
+au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm)
+{
+ token_t *t;
+ u_char *dptr = NULL;
+ u_int32_t timems;
+
+ GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
+ sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
+ if (t == NULL)
+ return (NULL);
+
+ ADD_U_CHAR(dptr, AUT_HEADER64);
+ ADD_U_INT32(dptr, rec_size);
+ ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
+ ADD_U_INT16(dptr, e_type);
+ ADD_U_INT16(dptr, e_mod);
+
+ timems = tm.tv_usec/1000;
+ /* Add the timestamp */
+ ADD_U_INT64(dptr, tm.tv_sec);
+ ADD_U_INT64(dptr, timems); /* We need time in ms. */
+
+ return (t);
+}
+
#if !defined(KERNEL) && !defined(_KERNEL)
token_t *
au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
@@ -1181,9 +1359,11 @@ token_t *
au_to_header64(__unused int rec_size, __unused au_event_t e_type,
__unused au_emod_t e_mod)
{
+ struct timeval tm;
- errno = ENOTSUP;
- return (NULL);
+ if (gettimeofday(&tm, NULL) == -1)
+ return (NULL);
+ return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
}
token_t *
diff --git a/contrib/openbsm/libbsm/bsm_wrappers.c b/contrib/openbsm/libbsm/bsm_wrappers.c
index 98f286c66b86..f001e5fe10b0 100644
--- a/contrib/openbsm/libbsm/bsm_wrappers.c
+++ b/contrib/openbsm/libbsm/bsm_wrappers.c
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#24 $
*/
#ifdef __APPLE__
@@ -66,8 +66,9 @@ audit_submit(short au_event, au_id_t auid, char status,
long acond;
va_list ap;
pid_t pid;
- int error, afd;
+ int error, afd, subj_ex;
struct auditinfo ai;
+ struct auditinfo_addr aia;
if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
/*
@@ -84,6 +85,7 @@ audit_submit(short au_event, au_id_t auid, char status,
}
if (acond == AUC_NOAUDIT)
return (0);
+ /* XXXCSJP we should be doing a pre-select here */
afd = au_open();
if (afd < 0) {
error = errno;
@@ -92,7 +94,20 @@ audit_submit(short au_event, au_id_t auid, char status,
errno = error;
return (-1);
}
- if (getaudit(&ai) < 0) {
+ /*
+ * Some operating systems do not have getaudit_addr(2) implemented
+ * yet. So we try to use getaudit(2) first, if the subject is
+ * using IPv6, then we will have to try getaudit_addr(2). Failing
+ * this, we return error.
+ */
+ subj_ex = 0;
+ error = getaudit(&ai);
+ if (error < 0 && errno == E2BIG) {
+ error = getaudit_addr(&aia, sizeof(aia));
+ if (error == 0)
+ subj_ex = 1;
+ }
+ if (error < 0) {
error = errno;
syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
strerror(errno));
@@ -100,8 +115,12 @@ audit_submit(short au_event, au_id_t auid, char status,
return (-1);
}
pid = getpid();
- token = au_to_subject32(auid, geteuid(), getegid(),
- getuid(), getgid(), pid, pid, &ai.ai_termid);
+ if (subj_ex == 0)
+ token = au_to_subject32(auid, geteuid(), getegid(),
+ getuid(), getgid(), pid, pid, &ai.ai_termid);
+ else
+ token = au_to_subject_ex(auid, geteuid(), getegid(),
+ getuid(), getgid(), pid, pid, &aia.ai_termid);
if (token == NULL) {
syslog(LOG_AUTH | LOG_ERR,
"audit: unable to build subject token");
diff --git a/contrib/openbsm/libbsm/libbsm.3 b/contrib/openbsm/libbsm/libbsm.3
index f87cf5574128..e84ea943d684 100644
--- a/contrib/openbsm/libbsm/libbsm.3
+++ b/contrib/openbsm/libbsm/libbsm.3
@@ -1,5 +1,5 @@
.\"-
-.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2005-2007 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#13 $
.\"
.Dd April 19, 2005
.Dt LIBBSM 3
@@ -34,7 +34,7 @@
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
.Sh DESCRIPTION
The
.Nm
@@ -42,7 +42,9 @@ library routines provide an interface to BSM audit record streams, allowing
both the parsing of existing audit streams, as well as the creation of new
audit records and streams.
.Sh INTERFACES
+The
.Nm
+library
provides a large number of Audit programming interfaces in several classes:
event stream interfaces, class interfaces, control interfaces, event
interfaces, I/O interfaces, mask interfaces, notification interfaces, token
@@ -132,7 +134,7 @@ Audit token interfaces permit the creation of tokens for use in creating
audit records for submission to event streams.
Each interface converts a C type to its
.Vt token_t
-representation.
+representation:
.Xr au_to_arg 3 ,
.Xr au_to_arg32 3 ,
.Xr au_to_arg64 3 ,
@@ -175,7 +177,8 @@ representation.
.Xr au_to_subject32_ex 3 ,
.Xr au_to_subject64_ex 3 ,
.Xr au_to_text 3 ,
-.Xr au_to_trailer 3 .
+.Xr au_to_trailer 3 ,
+.Xr au_to_zonename 3 .
.Ss Audit User Interfaces
Audit user interfaces support the look up of information from the
.Xr audit_user 5
@@ -190,26 +193,31 @@ database:
.Xr getfauditflags 3 .
.Sh SEE ALSO
.Xr au_class 3 ,
+.Xr audit_submit 3 ,
.Xr au_mask 3 ,
.Xr au_notify 3 ,
.Xr au_stream 3 ,
.Xr au_token 3 ,
.Xr au_user 3 ,
-.Xr audit_submit 3 ,
.Xr audit_class 5 ,
.Xr audit_control 5
-.Sh AUTHORS
-This software was created by Robert Watson, Wayne Salamon, and Suresh
-Krishnaswamy for McAfee Research, the security research division of McAfee,
-Inc., under contract to Apple Computer, Inc.
-.Pp
-The Basic Security Module (BSM) interface to audit records and audit event
-stream format were defined by Sun Microsystems.
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
+.Sh AUTHORS
+.An -nosplit
+This software was created by
+.An Robert Watson ,
+.An Wayne Salamon ,
+and
+.An Suresh Krishnaswamy
+for McAfee Research, the security research division of McAfee,
+Inc., under contract to Apple Computer, Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
.Sh BUGS
Bugs would not be unlikely.
.Pp
diff --git a/contrib/openbsm/man/audit.2 b/contrib/openbsm/man/audit.2
index 6e14899c2ad1..a9cd143cafcc 100644
--- a/contrib/openbsm/man/audit.2
+++ b/contrib/openbsm/man/audit.2
@@ -24,25 +24,29 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#8 $
.\"
.Dd April 19, 2005
.Dt AUDIT 2
.Os
.Sh NAME
.Nm audit
-.Nd "Commit a BSM audit record to the audit log"
+.Nd "commit BSM audit record to audit log"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn audit "const char *record" "u_int length"
.Sh DESCRIPTION
+The
.Fn audit
+system call
submits a completed BSM audit record to the system audit log.
.Pp
+The
.Fa record
-is a pointer to the the specific event to be recorded and
-.Vt length
+argument
+is a pointer to the specific event to be recorded and
+.Fa length
is the size in bytes of the data to be written.
.Sh RETURN VALUES
.Rv -std
@@ -57,37 +61,41 @@ The
argument is beyond the allocated address space of the process.
.It Bq Er EINVAL
The token ID is invalid or
-.Vt length
+.Va length
is larger than
-.Vt MAXAUDITDATA .
+.Dv MAXAUDITDATA .
.It Bq Er EPERM
The process does not have sufficient permission to complete
the operation.
.El
.Sh SEE ALSO
.Xr auditon 2 ,
-.Xr getauid 2 ,
-.Xr setauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Tom Rhodes Aq trhodes@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
.Sh BUGS
The
.Fx
diff --git a/contrib/openbsm/man/audit.log.5 b/contrib/openbsm/man/audit.log.5
index f6e28ab07536..d0f85ff282b0 100644
--- a/contrib/openbsm/man/audit.log.5
+++ b/contrib/openbsm/man/audit.log.5
@@ -23,14 +23,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
.\"
-.Dd May 1, 2005
+.Dd November 5, 2006
.Dt AUDIT.LOG 5
.Os
.Sh NAME
.Nm audit
-.Nd "Basic Security Module (BSM) File Format"
+.Nd "Basic Security Module (BSM) file format"
.Sh DESCRIPTION
The
.Nm
@@ -41,16 +41,16 @@ range of data types, and easily extended to describe new data types in a
moderately backward and forward compatible way.
.Pp
BSM token streams typically begin and end with a
-.Dv file
+.Dq file
token, which provides time stamp and file name information for the stream;
when processing a BSM token stream from a stream as opposed to a single file
source, file tokens may be seen at any point between ordinary records
identifying when particular parts of the stream begin and end.
All other tokens will appear in the context of a complete BSM audit record,
which begins with a
-.Dv header
+.Dq header
token, and ends with a
-.Dv trailer
+.Dq trailer
token, which describe the audit record.
Between these two tokens will appear a variety of data tokens, such as
process information, file path names, IPC object information, MAC labels,
@@ -68,561 +68,612 @@ interface to read and write tokens, rather than parsing or constructing
records by hand.
.Ss File Token
The
-.Dv file
+.Dq file
token is used at the beginning and end of an audit log file to indicate
when the audit log begins and ends.
It includes a pathname so that, if concatenated together, original file
boundaries are still observable, and gaps in the audit log can be identified.
A
-.Dv file
+.Dq file
token can be created using
.Xr au_to_file 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
-.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
-.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
-.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Seconds 4 bytes File time stamp"
+.It "Microseconds 4 bytes File time stamp"
+.It "File name lengh 2 bytes File name of audit trail"
+.It "File pathname N bytes + 1 NUL File name of audit trail"
.El
.Ss Header Token
The
-.Dv header
+.Dq header
token is used to mark the beginning of a complete audit record, and includes
the length of the total record in bytes, a version number for the record
layout, the event type and subtype, and the time at which the event occurred.
A 32-bit
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header32 3 ;
a 64-bit
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
-.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
-.It Li "Event Type" Ta "2 bytes" Ta "Event type"
-.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
-.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
-.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.It "Version Number 2 bytes Record version number"
+.It "Event Type 2 bytes Event type"
+.It "Event Modifier 2 bytes Event sub-type"
+.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
+.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
.El
.Ss Expanded Header Token
The
-.Dv expanded header
+.Dq expanded header
token is an expanded version of the
-.Dv header
+.Dq header
token, with the addition of a machine IPv4 or IPv6 address.
A 32-bit extended
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header32_ex 3 ;
a 64-bit extended
-.Dv header
+.Dq header
token can be created using
.Xr au_to_header64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
-.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
-.It Li "Event Type" Ta "2 bytes" Ta "Event type"
-.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
-.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
-.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
-.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
-.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Record Byte Count 4 bytes Number of bytes in record"
+.It "Version Number 2 bytes Record version number"
+.It "Event Type 2 bytes Event type"
+.It "Event Modifier 2 bytes Event sub-type"
+.It "Address Type/Length 1 byte Host address type and length"
+.It "Machine Address 4/16 bytes IPv4 or IPv6 address"
+.It "Seconds 4/8 bytes Record time stamp (32/64-bits)"
+.It "Nanoseconds 4/8 bytes Record time stamp (32/64-bits)"
.El
.Ss Trailer Token
The
-.Dv trailer
+.Dq trailer
terminates a BSM audit record, and contains a magic number,
.Dv TRAILER_PAD_MAGIC
and length that can be used to validate that the record was read properly.
A
-.Dv trailer
+.Dq trailer
token can be created using
.Xr au_to_trailer 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Trailer Magic 2 bytes Trailer magic number"
+.It "Record Byte Count 4 bytes Number of bytes in record"
.El
.Ss Arbitrary Data Token
The
-.Dv arbitrary data
+.Dq arbitrary data
token contains a byte stream of opaque (untyped) data.
The size of the data is calculated as the size of each unit of data
multipled by the number of units of data.
A
-.Dv How to print
+.Dq How to print
field is present to specify how to print the data, but interpretation of
that field is not currently defined.
An
-.Dv arbitrary data
+.Dq arbitrary data
token can be created using
.Xr au_to_data 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
-.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
-.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
-.It Li "Data Items" Ta "Variable" Ta "User data"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "How to Print 1 byte User-defined printing information"
+.It "Basic Unit 1 byte Size of a unit in bytes"
+.It "Unit Count 1 byte Number of units of data present"
+.It "Data Items Variable User data"
.El
.Ss in_addr Token
The
-.Dv in_addr
+.Dq in_addr
token holds a network byte order IPv4 or IPv6 address.
An
-.Dv in_addr
+.Dq in_addr
token can be created using
.Xr au_to_in_addr 3
for an IPv4 address, or
.Xr au_to_in_addr_ex 3
for an IPv6 address.
.Pp
-See the BUGS section for information on the storage of this token.
+See the
+.Sx BUGS
+section for information on the storage of this token.
.Pp
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
-.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "IP Address Type 1 byte Type of address"
+.It "IP Address 4/16 bytes IPv4 or IPv6 address"
.El
.Ss Expanded in_addr Token
The
-.Dv expanded in_addr
+.Dq expanded in_addr
token ...
.Pp
-See the BUGS section for information on the storage of this token.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+See the
+.Sx BUGS
+section for information on the storage of this token.
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
.It XXXX
.El
.Ss ip Token
The
-.Dv ip
+.Dq ip
token contains an IP packet header in network byte order.
An
-.Dv ip
+.Dq ip
token can be created using
.Xr au_to_ip 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
-.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
-.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
-.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
-.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
-.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
-.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
-.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
-.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
-.It Li "Destination Address" Ta "4 bytes" Ta "IPv4 destination address"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Version and IHL 1 byte Version and IP header length"
+.It "Type of Service 1 byte IP TOS field"
+.It "Length 2 bytes IP packet length in network byte order"
+.It "ID 2 bytes IP header ID for reassembly"
+.It "Offset 2 bytes IP fragment offset and flags, network byte order"
+.It "TTL 1 byte IP Time-to-Live"
+.It "Protocol 1 byte IP protocol number"
+.It "Checksum 2 bytes IP header checksum, network byte order"
+.It "Source Address 4 bytes IPv4 source address"
+.It "Destination Address 4 bytes IPv4 destination address"
.El
.Ss Expanded ip Token
The
-.Dv expanded ip
+.Dq expanded ip
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
.It XXXX
.El
.Ss iport Token
The
-.Dv iport
+.Dq iport
token stores an IP port number in network byte order.
An
-.Dv iport
+.Dq iport
token can be created using
.Xr au_to_iport 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Port Number 2 bytes Port number in network byte order"
.El
.Ss Path Token
The
-.Dv path
+.Dq path
token contains a pathname.
A
-.Dv path
+.Dq path
token can be created using
.Xr au_to_path 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
-.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Path Length 2 bytes Length of path in bytes"
+.It "Path N bytes + 1 NUL Path name"
.El
.Ss path_attr Token
The
-.Dv path_attr
-token contains a set of nul-terminated path names.
+.Dq path_attr
+token contains a set of NUL-terminated path names.
The
.Xr libbsm 3
API cannot currently create a
-.Dv path_attr
+.Dq path_attr
token.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
-.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Count 2 bytes Number of NUL-terminated string(s) in token"
+.It "Path Variable count NUL-terminated string(s)"
.El
.Ss Process Token
The
-.Dv process
+.Dq process
token contains a description of the security properties of a process
involved as the target of an auditable event, such as the destination for
signal delivery.
It should not be confused with the
-.Dv subject
+.Dq subject
token, which describes the subject performing an auditable event.
This includes both the traditional
.Ux
security properties, such as user IDs and group IDs, but also audit
information such as the audit user ID and session.
A
-.Dv process
+.Dq process
token can be created using
.Xr au_to_process32 3
or
.Xr au_to_process64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Machine Address 4 bytes IP address of machine"
.El
.Ss Expanded Process Token
The
-.Dv expanded process
+.Dq expanded process
token contains the contents of the
-.Dv process
+.Dq process
token, with the addition of a machine address type and variable length
address storage capable of containing IPv6 addresses.
An
-.Dv expanded process
+.Dq expanded process
token can be created using
.Xr au_to_process32_ex 3
or
.Xr au_to_process64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Address Type/Length 1 byte Length of machine address"
+.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
.El
.Ss Return Token
The
-.Dv return
+.Dq return
token contains a system call or library function return condition, including
return value and error number associated with the global variable
.Er errno .
-A
-.Dv return
+A
+.Dq return
token can be created using
.Xr au_to_return32 3
or
.Xr au_to_return64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
-.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Error Number 1 byte Errno value, or 0 if undefined"
+.It "Return Value 4/8 bytes Return value (32/64-bits)"
.El
.Ss Subject Token
The
-.Dv subject
+.Dq subject
token contains information on the subject performing the operation described
by an audit record, and includes similar information to that found in the
-.Dv process
+.Dq process
and
-.Dv expanded process
+.Dq expanded process
tokens.
However, those tokens are used where the process being described is the
target of the operation, not the authorizing party.
A
-.Dv subject
+.Dq subject
token can be created using
.Xr au_to_subject32 3
and
.Xr au_to_subject64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Machine Address 4 bytes IP address of machine"
.El
.Ss Expanded Subject Token
The
-.Dv expanded subject
+.Dq expanded subject
token consists of the same elements as the
-.Dv subject
+.Dq subject
token, with the addition of type/length and variable size machine address
information in the terminal ID.
An
-.Dv expanded subject
+.Dq expanded subject
token can be created using
.Xr au_to_subject32_ex 3
or
.Xr au_to_subject64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
-.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Audit ID 4 bytes Audit user ID"
+.It "Effective User ID 4 bytes Effective user ID"
+.It "Effective Group ID 4 bytes Effective group ID"
+.It "Real User ID 4 bytes Real user ID"
+.It "Real Group ID 4 bytes Real group ID"
+.It "Process ID 4 bytes Process ID"
+.It "Session ID 4 bytes Audit session ID"
+.It "Terminal Port ID 4/8 bytes Terminal port ID (32/64-bits)"
+.It "Terminal Address Type/Length 1 byte Length of machine address"
+.It "Terminal Machine Address 4 bytes IPv4 or IPv6 address of machine"
.El
.Ss System V IPC Token
The
-.Dv System V IPC
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
-.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
+.Dq System V IPC
+token contains the System V IPC message handle, semaphore handle or shared
+memory handle.
+A System V IPC token may be created using
++.Xr au_to_ipc 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Object ID type 1 byte Object ID"
+.It "Object ID 4 bytes Object ID"
.El
.Ss Text Token
The
-.Dv text
-token contains a single nul-terminated text string.
+.Dq text
+token contains a single NUL-terminated text string.
A
-.Dv text
+.Dq text
token may be created using
.Xr au_to_text 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
-.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Text Length 2 bytes Length of text string including NUL"
+.It "Text N bytes + 1 NUL Text string including NUL"
.El
.Ss Attribute Token
The
-.Dv attribute
+.Dq attribute
token describes the attributes of a file associated with the audit event.
As files may be identified by 0, 1, or many path names, a path name is not
included with the attribute block for a file; optional
-.Dv path
+.Dq path
tokens may also be present in an audit record indicating which path, if any,
was used to reach the object.
An
-.Dv attribute
+.Dq attribute
token can be created using
.Xr au_to_attr32 3
or
.Xr au_to_attr64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
-.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
-.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
-.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
-.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
-.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "File Access Mode 1 byte mode_t associated with file"
+.It "Owner User ID 4 bytes uid_t associated with file"
+.It "Owner Group ID 4 bytes gid_t associated with file"
+.It "File System ID 4 bytes fsid_t associated with file"
+.It "File System Node ID 8 bytes ino_t associated with file"
+.It "Device 4/8 bytes Device major/minor number (32/64-bit)"
.El
.Ss Groups Token
The
-.Dv groups
+.Dq groups
token contains a list of group IDs associated with the audit event.
A
-.Dv groups
+.Dq groups
token can be created using
.Xr au_to_groups 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
-.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Number of Groups 2 bytes Number of groups in token"
+.It "Group List N * 4 bytes List of N group IDs"
.El
.Ss System V IPC Permission Token
The
-.Dv System V IPC permission
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq System V IPC permission
+token contains a System V IPC access permissions.
+A System V IPC permission token may be created using
+.Xr au_to_ipc_perm 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
+.It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
+.It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
+.It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
+.It Li "Access mode" Ta "4 bytes" Ta "Access mode"
+.It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
+.It Li "Key" Ta "4 bytes" Ta "IPC key"
.El
.Ss Arg Token
The
-.Dv arg
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq arg
+token contains informations about arguments of the system call.
+Depending on the size of the desired argument value, an Arg token may be
+created using
+.Xr au_to_arg32 3
+or
+.Xr au_to_arg64 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
+.It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
+.It Li "Length" Ta "2 bytes" Ta "Length of the text"
+.It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
.El
.Ss exec_args Token
The
-.Dv exec_args
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq exec_args
+token contains informations about arguements of the exec() system call.
+An exec_args token may be created using
+.Xr au_to_exec_args 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Count" Ta "4 bytes" Ta "Number of arguments"
+.It Li "Text" Ta "* bytes" Ta "Count null-terminated strings"
.El
.Ss exec_env Token
The
-.Dv exec_env
-token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Dq exec_env
+token contains current eviroment variables to an exec() system call.
+An exec_args token may be created using
+.Xr au_to_exec_env 3 .
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
+.It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
.El
.Ss Exit Token
The
-.Dv exit
+.Dq exit
token contains process exit/return code information.
An
-.Dv exit
+.Dq exit
token can be created using
.Xr au_to_exit 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
-.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Status 4 bytes Process status on exit"
+.It "Return Value 4 bytes Process return value on exit"
.El
.Ss Socket Token
The
-.Dv socket
-token ...
+.Dq socket
+token contains informations about UNIX domain and Internet sockets.
+Each token has four or eight fields.
+Depend on type of socket a socket token may be created using
+.Xr au_to_sock_unix 3 ,
+.Xr au_to_sock_inet32 3 or
+.Xr au_to_sock_inet128 3 .
.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
.It Sy "Field" Ta Sy Bytes Ta Sy Description
.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
+.It Li "Local port" Ta "2 bytes" Ta "Local port"
+.It Li "Socket address" Ta "4 bytes" Ta "Socket address"
+.El
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
++.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
++.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
++.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
++.It Li "Local port" Ta "2 bytes" Ta "Local port"
++.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
++.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
++.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
.El
.Ss Expanded Socket Token
The
-.Dv expanded socket
+.Dq expanded socket
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Seq Token
The
-.Dv seq
+.Dq seq
token contains a unique and monotonically increasing audit event sequence ID.
Due to the limited range of 32 bits, serial number arithmetic and caution
should be used when comparing sequence numbers.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It "Sequence Number 4 bytes Audit event sequence number"
.El
.Ss privilege Token
The
-.Dv privilege
+.Dq privilege
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Use-of-auth Token
The
-.Dv use-of-auth
+.Dq use-of-auth
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Command Token
The
-.Dv command
+.Dq command
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss ACL Token
The
-.Dv ACL
+.Dq ACL
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Ss Zonename Token
The
-.Dv zonename
+.Dq zonename
token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
+.It Sy "Field Bytes Description"
+.It "Token ID 1 byte Token ID"
+.It XXXXX
.El
.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr praudit 1 ,
.Xr libbsm 3 ,
+.Xr audit 4 ,
+.Xr auditpipe 4 ,
.Xr audit 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
.Sh BUGS
The
-.Dv How to print
+.Dq How to print
field in the
-.Dv arbitrary data
+.Dq arbitrary data
token has undefined values.
.Pp
The
-.Dv in_addr
+.Dq in_addr
and
-.Dv in_addr_ex
+.Dq in_addr_ex
token layout documented here appears to be in conflict with the
.Xr libbsm 3
implementations of
diff --git a/contrib/openbsm/man/audit_class.5 b/contrib/openbsm/man/audit_class.5
index dfd44a9238d1..cc5b122f4dcf 100644
--- a/contrib/openbsm/man/audit_class.5
+++ b/contrib/openbsm/man/audit_class.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,24 +25,24 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#10 $
.\"
.Dd January 24, 2004
.Dt AUDIT_CLASS 5
.Os
.Sh NAME
.Nm audit_class
-.Nd "contains audit event class descriptions"
+.Nd "audit event class descriptions"
.Sh DESCRIPTION
The
-.Nm
+.Nm
file contains descriptions of the auditable event classes on the system.
Each auditable event is a member of an event class.
-Each line maps an audit event
+Each line maps an audit event
mask (bitmap) to a class and a description.
Entries are of the form:
.Pp
-.Dl classmask:eventclass:description
+.D1 Ar classmask Ns : Ns Ar eventclass Ns : Ns Ar description
.Pp
Example entries in this file are:
.Bd -literal -offset indent
@@ -54,18 +54,27 @@ Example entries in this file are:
0xffffffff:all:all flags set
.Ed
.Sh FILES
-.Bl -tag -width "/etc/security/audit_class" -compact
+.Bl -tag -width ".Pa /etc/security/audit_class" -compact
.It Pa /etc/security/audit_class
.El
+.Sh SEE ALSO
+.Xr audit 4 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr audit_user 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_control.5 b/contrib/openbsm/man/audit_control.5
index 25cb2266822f..a91f5048fe20 100644
--- a/contrib/openbsm/man/audit_control.5
+++ b/contrib/openbsm/man/audit_control.5
@@ -1,19 +1,19 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -26,34 +26,34 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#17 $
.\"
.Dd January 4, 2006
.Dt AUDIT_CONTROL 5
.Os
.Sh NAME
.Nm audit_control
-.Nd "contains audit system parameters"
+.Nd "audit system parameters"
.Sh DESCRIPTION
The
.Nm
file contains several audit system parameters.
Each line of this file is of the form:
.Pp
-.Dl parameter:value
+.D1 Ar parameter Ns : Ns Ar value
.Pp
The parameters are:
-.Bl -tag -width Ds
-.It Pa dir
+.Bl -tag -width indent
+.It Va dir
The directory where audit log files are stored.
There may be more than one of these entries.
Changes to this entry can only be enacted by restarting the
audit system.
See
-.Xr audit 1
+.Xr audit 8
for a description of how to restart the audit system.
.It Va flags
-Specifies which audit event classes are audited for all users.
+Specifies which audit event classes are audited for all users.
.Xr audit_user 5
describes how to audit events for individual users.
See the information below for the format of the audit flags.
@@ -76,73 +76,85 @@ If 0, trail files will not be automatically rotated based on file size.
.El
.Sh AUDIT FLAGS
Audit flags are a comma-delimited list of audit classes as defined in the
-.Pa audit_class
-file.
-See
.Xr audit_class 5
-for details.
+file.
Event classes may be preceded by a prefix which changes their interpretation.
The following prefixes may be used for each class:
.Pp
-.Bl -tag -width Ds -compact -offset indent
+.Bl -tag -width indent -compact -offset indent
.It (none)
-Record both successful and failed events
-.It +
-Record successful events
-.It -
-Record failed events
-.It ^
-Record neither successful nor failed events
-.It ^+
-Do not record successful events
-.It ^-
-Do not record failed events
+Record both successful and failed events.
+.It Li +
+Record successful events.
+.It Li -
+Record failed events.
+.It Li ^
+Record neither successful nor failed events.
+.It Li ^+
+Do not record successful events.
+.It Li ^-
+Do not record failed events.
.El
.Sh AUDIT POLICY FLAGS
The policy flags field is a comma-delimited list of policy flags from the
following list:
.Pp
-.Bl -tag -width zonename -compact -offset indent
-.It cnt
+.Bl -tag -width ".Cm zonename" -compact -offset indent
+.It Cm cnt
Allow processes to continue running even though events are not being audited.
If not set, processes will be suspended when the audit store space is
exhausted.
Currently, this is not a recoverable state.
-.It ahlt
-Fail stop the system if unable to audit an event--this consists of first
+.It Cm ahlt
+Fail stop the system if unable to audit an event\[em]this consists of first
draining pending records to disk, and then halting the operating system.
-.It argv
+.It Cm argv
Audit command line arguments to
.Xr execve 2 .
-.It arge
+.It Cm arge
Audit environmental variable arguments to
.Xr execve 2 .
-.It seq
+.It Cm seq
Include a unique audit sequence number token in generated audit records (not
-implemented on FreeBSD or Darwin).
-.It group
+implemented on
+.Fx
+or Darwin).
+.It Cm group
Include supplementary groups list in generated audit records (not implemented
-on FreeBSD or Darwin; supplementary groups are never included in records on
+on
+.Fx
+or Darwin; supplementary groups are never included in records on
these systems).
-.It trail
-Append a trailer token to each audit record (not implemented on FreeBSD or
+.It Cm trail
+Append a trailer token to each audit record (not implemented on
+.Fx
+or
Darwin; trailers are always included in records on these systems).
-.It path
-Include secondary file paths in audit records (not implemented on FreeBSD or
+.It Cm path
+Include secondary file paths in audit records (not implemented on
+.Fx
+or
Darwin; secondary paths are never included in records on these systems).
-.It zonename
-Include a zone ID token with each audit record (not implemented on FreeBSD or
-Darwin; FreeBSD audit records do not currently include the jail ID or name.)
-.It perzone
-Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on
-FreeBSD, audit records are collected from all jails and placed in a single
-global trail, and only limited audit controls are permitted within a jail.)
+.It Cm zonename
+Include a zone ID token with each audit record (not implemented on
+.Fx
+or
+Darwin;
+.Fx
+audit records do not currently include the jail ID or name).
+.It Cm perzone
+Enable auditing for each local zone (not implemented on
+.Fx
+or Darwin; on
+.Fx ,
+audit records are collected from all jails and placed in a single
+global trail, and only limited audit controls are permitted within a jail).
.El
.Pp
It is recommended that installations set the
-.Dv cnt
+.Cm cnt
flag but not
-.Dv ahlt
+.Cm ahlt
flag unless it is intended that audit logs exceeding available disk space
halt the system.
.Sh DEFAULT
@@ -169,23 +181,29 @@ processes when the audit store fills.
The trail file will not be automatically rotated by the audit daemon based on
file size.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
.It Pa /etc/security/audit_control
.El
.Sh SEE ALSO
+.Xr audit 4 ,
.Xr audit_class 5 ,
+.Xr audit_event 5 ,
.Xr audit_user 5 ,
.Xr audit 8 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_event.5 b/contrib/openbsm/man/audit_event.5
index cfa81f6272a9..75e67aaed9d7 100644
--- a/contrib/openbsm/man/audit_event.5
+++ b/contrib/openbsm/man/audit_event.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,31 +25,30 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#11 $
.\"
.Dd January 24, 2004
.Dt AUDIT_EVENT 5
.Os
.Sh NAME
.Nm audit_event
-.Nd "contains audit event descriptions"
+.Nd "audit event descriptions"
.Sh DESCRIPTION
The
-.Nm
+.Nm
file contains descriptions of the auditable events on the system.
Each line maps an audit event number to a name, a description, and a class.
Entries are of the form:
.Pp
-.Dl eventnum:eventname:description:eventclass
+.Sm off
+.D1 Ar eventnum : eventname : description : eventclass
+.Sm on
.Pp
Each
-.Vt eventclass
+.Ar eventclass
should have a corresponding entry in the
-.Pa audit_class
-file.
-See
.Xr audit_class 5
-for details.
+file.
.Pp
Example entries in this file are:
.Bd -literal -offset indent
@@ -59,20 +58,27 @@ Example entries in this file are:
3:AUE_OPEN:open(2):fa
.Ed
.Sh FILES
-.Bl -tag -width "/etc/security/audit_event" -compact
+.Bl -tag -width ".Pa /etc/security/audit_event" -compact
.It Pa /etc/security/audit_event
.El
.Sh SEE ALSO
-.Xr audit_class 5
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_user 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_user.5 b/contrib/openbsm/man/audit_user.5
index 05877d555ce5..1779941ce5ad 100644
--- a/contrib/openbsm/man/audit_user.5
+++ b/contrib/openbsm/man/audit_user.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,33 +25,33 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#12 $
.\"
.Dd February 5, 2006
.Dt AUDIT_USER 5
.Os
.Sh NAME
.Nm audit_user
-.Nd "specifies events to be audited for the given users"
+.Nd "events to be audited for given users"
.Sh DESCRIPTION
The
-.Nm
+.Nm
file specifies which audit event classes are to be audited for the given users.
If specified, these flags are combined with the system-wide audit flags in the
-.Pa audit_control
+.Xr audit_control 5
file to determine which classes of events to audit for that user.
These settings take effect when the user logs in.
.Pp
Each line maps a user name to a list of classes that should be audited and a
-list of classes that should not be audited.
+list of classes that should not be audited.
Entries are of the form:
.Pp
-.Dl username:alwaysaudit:neveraudit
+.D1 Ar username Ns : Ns Ar alwaysaudit Ns : Ns Ar neveraudit
.Pp
In the format above,
-.Vt alwaysaudit
+.Ar alwaysaudit
is a set of event classes that are always audited, and
-.Vt neveraudit
+.Ar neveraudit
is a set of event classes that should not be audited.
These sets can indicate
the inclusion or exclusion of multiple classes, and whether to audit successful
@@ -67,27 +67,54 @@ jdoe:-fc,ad:+fw
.Ed
.Pp
These settings would cause login/logout and administrative events that
-succeed on behalf of user root to be audited.
+succeed on behalf of user
+.Dq Li root
+to be audited.
No failure events are audited.
For the user
-.Em jdoe ,
+.Dq Li jdoe ,
failed file creation events are audited, administrative events are
audited, and successful file write events are never audited.
+.Sh IMPLEMENTATION NOTES
+Per-user and global audit preselection configuration are evaluated at time of
+login, so users must log out and back in again for audit changes relating to
+preselection to take effect.
+.Pp
+Audit record preselection occurs with respect to the audit identifier
+associated with a process, rather than with respect to the UNIX user or group
+ID.
+The audit identifier is set as part of the user credential context as part of
+login, and typically does not change as a result of running setuid or setgid
+applications, such as
+.Xr su 1 .
+This has the advantage that events that occur after running
+.Xr su 1
+can be audited to the original authenticated user, as required by CAPP, but
+may be surprising if not expected.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_user" -compact
+.Bl -tag -width ".Pa /etc/security/audit_user" -compact
.It Pa /etc/security/audit_user
.El
.Sh SEE ALSO
-.Xr audit_control 5
+.Xr login 1 ,
+.Xr su 1 ,
+.Xr audit 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/audit_warn.5 b/contrib/openbsm/man/audit_warn.5
index 18cb74e0996e..d7b20b6c7e6d 100644
--- a/contrib/openbsm/man/audit_warn.5
+++ b/contrib/openbsm/man/audit_warn.5
@@ -1,18 +1,18 @@
.\" Copyright (c) 2004 Apple Computer, Inc.
.\" All rights reserved.
-.\"
+.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
-.\" from this software without specific prior written permission.
-.\"
+.\" from this software without specific prior written permission.
+.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#9 $
.\"
.Dd March 17, 2004
.Dt AUDIT_WARN 5
@@ -34,36 +34,43 @@
.Nm audit_warn
.Nd "alert when audit daemon issues warnings"
.Sh DESCRIPTION
-.Nm
-runs when
+The
+.Nm
+script
+runs when
.Xr auditd 8
-generates warning messages.
+generates warning messages.
.Pp
-The default
+The default
.Nm
is a script whose first parameter is the type of warning; the script
-appends its arguments to
+appends its arguments to
.Pa /etc/security/audit_messages .
Administrators may replace this script: a more comprehensive one would take
different actions based on the type of warning.
For example, a low-space warning
-could result in an email message being sent to the administrator.
+could result in an email message being sent to the administrator.
.Sh FILES
-.Bl -tag -width "/etc/security/audit_warn" -compact
+.Bl -tag -width ".Pa /etc/security/audit_messages" -compact
.It Pa /etc/security/audit_warn
.It Pa /etc/security/audit_messages
.El
.Sh SEE ALSO
+.Xr audit 4 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditctl.2 b/contrib/openbsm/man/auditctl.2
index afda8e4b1335..ac3c41a15e47 100644
--- a/contrib/openbsm/man/auditctl.2
+++ b/contrib/openbsm/man/auditctl.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,14 +23,14 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#7 $
.\"
.Dd April 19, 2005
.Dt AUDITCTL 2
.Os
.Sh NAME
.Nm auditctl
-.Nd "Configure system audit parameters"
+.Nd "configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
@@ -39,40 +39,41 @@
The
.Fn auditctl
system call directs the kernel to open a new audit trail log file.
-.Fn auditctl
-requires appropriate privilege.
+It requires an appropriate privilege.
In the
.Fx
implementation,
.Fn auditctl
opens new files, but
-.Fn auditon
+.Xr auditon 2
is used to disable the audit log.
In the Mac OS X implementation, passing
-.Va NULL
+.Dv NULL
to
.Fn auditctl
will disable the audit log.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std
.Sh SEE ALSO
+.Xr auditon 2 ,
.Xr libbsm 3 ,
.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/auditon.2 b/contrib/openbsm/man/auditon.2
index 04eb775afc85..953484c8e27b 100644
--- a/contrib/openbsm/man/auditon.2
+++ b/contrib/openbsm/man/auditon.2
@@ -25,37 +25,47 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
.\"
.Dd April 19, 2005
.Dt AUDITON 2
.Os
.Sh NAME
.Nm auditon
-.Nd "Configure system audit parameters"
+.Nd "configure system audit parameters"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn auditon "int cmd" "void *data" "u_int length"
.Sh DESCRIPTION
The
-.Nm
+.Fn auditon
system call is used to manipulate various audit control operations.
-.Ft *data
+The
+.Fa data
+argument
should point to a structure whose type depends on the command.
-.Ft length
-specifies the size of the
-.Em data
+The
+.Fa length
+argument
+specifies the size of
+.Fa *data
in bytes.
-.Ft cmd
+The
+.Fa cmd
+argument
may be any of the following:
.Bl -tag -width ".It Dv A_GETPINFO_ADDR"
.It Dv A_SETPOLICY
Set audit policy flags.
-.Ft *data
-must point to a long value set to one of the audit
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value set to one of the audit
policy control values defined in
-.Pa audit.h .
+.In bsm/audit.h .
Currently, only
.Dv AUDIT_CNT
and
@@ -76,24 +86,28 @@ Return
.Er ENOSYS .
.It Dv A_SETKMASK
Set the kernel preselection masks (success and failure).
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_mask_t
+.Vt au_mask_t
structure containing the mask values.
These masks are used for non-attributable audit event preselection.
.It Dv A_SETQCTRL
Set kernel audit queue parameters.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_qctrl_t
+.Vt au_qctrl_t
structure containing the
kernel audit queue control settings:
-.Va high water ,
-.Va low water ,
-.Va output buffer size ,
-.Va percent min free disk space ,
+.Dq "high water" ,
+.Dq "low water" ,
+.Dq "output buffer size" ,
+.Dq "percent min free disk space" ,
and
-.Em delay
+.Dq delay
(not currently used).
.It Dv A_SETSTAT
Return
@@ -106,8 +120,12 @@ Return
.Er ENOSYS .
.It Dv A_SETCOND
Set the current auditing condition.
-.Ft *data
-must point to a long value containing the new
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value containing the new
audit condition, one of
.Dv AUC_AUDITING ,
.Dv AUC_NOAUDIT ,
@@ -115,43 +133,54 @@ or
.Dv AUC_DISABLED .
.It Dv A_SETCLASS
Set the event class preselection mask for an audit event.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_evclass_map_t
+.Vt au_evclass_map_t
structure containing the audit event and mask.
.It Dv A_SETPMASK
Set the preselection masks for a process.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft auditpinfo_t
-structure that contains the given process's audit
+.Vt auditpinfo_t
+structure that contains the given process's audit
preselection masks for both success and failure.
.It Dv A_SETFSIZE
Set the maximum size of the audit log file.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_fstat_t
+.Vt au_fstat_t
structure with the
-.Ft af_filesz
-field set to the maximum audit log file size. A value of 0
+.Va af_filesz
+field set to the maximum audit log file size.
+A value of 0
indicates no limit to the size.
.It Dv A_SETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETCLASS
Return the event to class mapping for the designated audit event.
-.Ft *data
-must point to a
-.Ft au_evclass_map_t
+The
+.Fa data
+argument
+must point to a
+.Vt au_evclass_map_t
structure.
.It Dv A_GETKAUDIT
Return
.Er ENOSYS .
.It Dv A_GETPINFO
Return the audit settings for a process.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft auditpinfo_t
+.Vt auditpinfo_t
structure which will be set to contain
the audit ID, preselection mask, terminal ID, and audit session
ID of the given process.
@@ -160,15 +189,21 @@ Return
.Er ENOSYS .
.It Dv A_GETKMASK
Return the current kernel preselection masks.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_mask_t
-structure which will be set to
+.Vt au_mask_t
+structure which will be set to
the current kernel preselection masks for non-attributable events.
.It Dv A_GETPOLICY
Return the current audit policy setting.
-.Ft *data
-must point to a long value which will be set to
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value which will be set to
one of the current audit policy flags.
Currently, only
.Dv AUDIT_CNT
@@ -177,22 +212,28 @@ and
are implemented.
.It Dv A_GETQCTRL
Return the current kernel audit queue control parameters.
-.Ft *data
-must point to a
-.Ft au_qctrl_t
+The
+.Fa data
+argument
+must point to a
+.Vt au_qctrl_t
structure which will be set to the current
kernel audit queue control parameters.
.It Dv A_GETFSIZE
Returns the maximum size of the audit log file.
-.Ft *data
+The
+.Fa data
+argument
must point to a
-.Ft au_fstat_t
-structure. The
-.Ft af_filesz
+.Vt au_fstat_t
+structure.
+The
+.Va af_filesz
field will be set to the maximum audit log file size.
A value of 0 indicates no limit to the size.
The
-.Ft af_currsz
+.Va af_currsz
+field
will be set to the current audit log file size.
.It Dv A_GETCWD
.\" [COMMENTED OUT]: Valid description, not yet implemented.
@@ -212,16 +253,24 @@ Return
.Er ENOSYS .
.It Dv A_GETCOND
Return the current auditing condition.
-.Ft *data
-must point to a long value which will be set to
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value which will be set to
the current audit condition, either
.Dv AUC_AUDITING
or
.Dv AUC_NOAUDIT .
.It Dv A_SENDTRIGGER
Send a trigger to the audit daemon.
-.Fr *data
-must point to a long value set to one of the acceptable
+The
+.Fa data
+argument
+must point to a
+.Vt long
+value set to one of the acceptable
trigger values:
.Dv AUDIT_TRIGGER_LOW_SPACE
(low disk space where the audit log resides),
@@ -264,17 +313,26 @@ and Mac OS X implementations, and is not present in Solaris.
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditctl 2 ,
-.Xr getauid 2 ,
-.Xr setauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
@@ -284,8 +342,3 @@ This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org ,
and
.An Wayne Salamon Aq wsalamon@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getaudit.2 b/contrib/openbsm/man/getaudit.2
index 05a938c8f9ef..05927215b81d 100644
--- a/contrib/openbsm/man/getaudit.2
+++ b/contrib/openbsm/man/getaudit.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#7 $
.\"
.Dd April 19, 2005
.Dt GETAUDIT 2
@@ -31,7 +31,7 @@
.Sh NAME
.Nm getaudit ,
.Nm getaudit_addr
-.Nd "Retrieve audit session state"
+.Nd "retrieve audit session state"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
@@ -39,42 +39,47 @@
.Ft int
.Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
.Sh DESCRIPTION
+The
.Fn getaudit
+system call
retrieves the active audit session state for the current process via the
.Vt auditinfo_t
pointed to by
-.Va auditinfo .
+.Fa auditinfo .
+The
.Fn getaudit_addr
+system call
retrieves extended state via
-.Va auditinfo_addr
+.Fa auditinfo_addr
and
-.Va length .
+.Fa length .
.Pp
-This system call requires appropriate privilege to complete.
+These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std getaudit getaudit_addr
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getauid 2 ,
-.Xr setauid 2 ,
.Xr setaudit 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/getauid.2 b/contrib/openbsm/man/getauid.2
index 9751da959390..2624f1e833c9 100644
--- a/contrib/openbsm/man/getauid.2
+++ b/contrib/openbsm/man/getauid.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,52 +23,55 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#7 $
.\"
.Dd April 19, 2005
.Dt GETAUID 2
.Os
.Sh NAME
.Nm getauid
-.Nd "Retrieve audit session ID"
+.Nd "retrieve audit session ID"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn getauid "au_id_t *auid"
.Sh DESCRIPTION
-.Nm
+The
+.Fn getauid
+system call
retrieves the active audit session ID for the current process via the
.Vt au_id_t
pointed to by
-.Va auid .
+.Fa auid .
.Pp
-This system call requires appropriate privilege to complete.
+This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
-.Xr setauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
+.Xr setauid 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setaudit.2 b/contrib/openbsm/man/setaudit.2
index 46d99546a581..22e2192c671a 100644
--- a/contrib/openbsm/man/setaudit.2
+++ b/contrib/openbsm/man/setaudit.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,7 +23,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#7 $
.\"
.Dd April 19, 2005
.Dt SETAUDIT 2
@@ -31,51 +31,55 @@
.Sh NAME
.Nm setaudit ,
.Nm setaudit_addr
-.Nd "Set audit session state"
+.Nd "set audit session state"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn setaudit "auditinfo_t *auditinfo"
.Ft int
-.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
.Sh DESCRIPTION
-.Nm
+The
+.Fn setaudit
+system call
sets the active audit session state for the current process via the
.Vt auditinfo_t
pointed to by
-.Va auditinfo .
+.Fa auditinfo .
+The
.Fn setaudit_addr
+system call
sets extended state via
-.Va auditinfo_addr
+.Fa auditinfo_addr
and
-.Va length .
+.Fa length .
.Pp
-This system call requires appropriate privilege to complete.
+These system calls require an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std setaudit setaudit_addr
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
.Xr getaudit 2 ,
.Xr getauid 2 ,
.Xr setauid 2 ,
-.Xr getaudit 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/man/setauid.2 b/contrib/openbsm/man/setauid.2
index 4c23ffcebf7f..a736a341ebf5 100644
--- a/contrib/openbsm/man/setauid.2
+++ b/contrib/openbsm/man/setauid.2
@@ -10,7 +10,7 @@
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
-.\"
+.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -23,52 +23,55 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#7 $
.\"
.Dd April 19, 2005
.Dt SETAUID 2
.Os
.Sh NAME
.Nm setauid
-.Nd "Set audit session ID"
+.Nd "set audit session ID"
.Sh SYNOPSIS
.In bsm/audit.h
.Ft int
.Fn setauid "au_id_t *auid"
.Sh DESCRIPTION
-.Nm
+The
+.Fn setauid
+system call
sets the active audit session ID for the current process from the
.Vt au_id_t
pointed to by
-.Va auid .
+.Fa auid .
.Pp
-This system call requires appropriate privilege to complete.
+This system call requires an appropriate privilege to complete.
.Sh RETURN VALUES
-.Nm
-returns 0 on success, or returns -1 on failure, providing additional error
-information via
-.Va errno .
+.Rv -std
.Sh SEE ALSO
.Xr audit 2 ,
.Xr auditon 2 ,
-.Xr getauid 2 ,
.Xr getaudit 2 ,
-.Xr setaudit 2 ,
.Xr getaudit_addr 2 ,
+.Xr getauid 2 ,
+.Xr setaudit 2 ,
.Xr setaudit_addr 2 ,
.Xr libbsm 3
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
.Pp
This manual page was written by
.An Robert Watson Aq rwatson@FreeBSD.org .
-.Sh HISTORY
-The OpenBSM implementation was created by McAfee Research, the security
-division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
-It was subsequently adopted by the TrustedBSD Project as the foundation for
-the OpenBSM distribution.
diff --git a/contrib/openbsm/test/bsm/generate.c b/contrib/openbsm/test/bsm/generate.c
index 3a299b50b8bf..d066246b161c 100644
--- a/contrib/openbsm/test/bsm/generate.c
+++ b/contrib/openbsm/test/bsm/generate.c
@@ -1,5 +1,5 @@
/*-
- * Copyright (c) 2006 Robert N. M. Watson
+ * Copyright (c) 2006-2007 Robert N. M. Watson
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#5 $
+ * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#9 $
*/
/*
@@ -335,6 +335,7 @@ generate_subject32ex_token(const char *directory, const char *token_filename,
if (subject32ex_token == NULL)
err(EX_UNAVAILABLE, "au_to_subject32_ex");
write_token(directory, buf, subject32ex_token);
+ free(buf);
}
static void
@@ -361,6 +362,7 @@ generate_subject32ex_record(const char *directory, const char *record_filename,
if (subject32ex_token == NULL)
err(EX_UNAVAILABLE, "au_to_subject32_ex");
write_record(directory, record_filename, subject32ex_token, AUE_NULL);
+ free(buf);
}
static au_id_t process32_auid = 0x12345678;
@@ -404,35 +406,151 @@ generate_process32_record(const char *directory, const char *record_filename)
}
static void
-generate_process32ex_token(const char *directory, const char *token_filename)
+generate_process32ex_token(const char *directory, const char *token_filename,
+ u_int32_t type)
{
token_t *process32ex_token;
+ char *buf;
- process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
- process32_tid_addr.at_type = AU_IPv4;
+ buf = (char *)malloc(strlen(token_filename) + 6);
+ if (type == AU_IPv6) {
+ inet_pton(AF_INET6, "fe80::1", process32_tid_addr.at_addr);
+ process32_tid_addr.at_type = AU_IPv6;
+ sprintf(buf, "%s%s", token_filename, "-IPv6");
+ } else {
+ process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
+ process32_tid_addr.at_type = AU_IPv4;
+ sprintf(buf, "%s%s", token_filename, "-IPv4");
+ }
process32ex_token = au_to_process32_ex(process32_auid, process32_euid,
process32_egid, process32_ruid, process32_rgid, process32_pid,
process32_sid, &process32_tid_addr);
if (process32ex_token == NULL)
err(EX_UNAVAILABLE, "au_to_process32_ex");
- write_token(directory, token_filename, process32ex_token);
+ write_token(directory, buf, process32ex_token);
+ free(buf);
}
static void
-generate_process32ex_record(const char *directory, const char *record_filename)
+generate_process32ex_record(const char *directory, const char *record_filename,
+ u_int32_t type)
{
token_t *process32ex_token;
+ char *buf;
- process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
- process32_tid_addr.at_type = AU_IPv4;
+ buf = (char *)malloc(strlen(record_filename) + 6);
+ if (type == AU_IPv6) {
+ inet_pton(AF_INET6, "fe80::1", process32_tid_addr.at_addr);
+ process32_tid_addr.at_type = AU_IPv6;
+ sprintf(buf, "%s%s", record_filename, "-IPv6");
+ } else {
+ process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
+ process32_tid_addr.at_type = AU_IPv4;
+ sprintf(buf, "%s%s", record_filename, "-IPv4");
+ }
process32ex_token = au_to_process32_ex(process32_auid, process32_euid,
process32_egid, process32_ruid, process32_rgid, process32_pid,
process32_sid, &process32_tid_addr);
if (process32ex_token == NULL)
err(EX_UNAVAILABLE, "au_to_process32_ex");
- write_record(directory, record_filename, process32ex_token, AUE_NULL);
+ write_record(directory, buf, process32ex_token, AUE_NULL);
+ free(buf);
+}
+
+static au_id_t process64_auid = 0x12345678;
+static uid_t process64_euid = 0x01234567;
+static gid_t process64_egid = 0x23456789;
+static uid_t process64_ruid = 0x98765432;
+static gid_t process64_rgid = 0x09876543;
+static pid_t process64_pid = 0x13243546;
+static au_asid_t process64_sid = 0x97867564;
+static au_tid_t process64_tid = { 0x16593746 };
+static au_tid_addr_t process64_tid_addr = { 0x16593746 };
+
+static void
+generate_process64_token(const char *directory, const char *token_filename)
+{
+ token_t *process64_token;
+
+ process64_tid.machine = inet_addr("127.0.0.1");
+
+ process64_token = au_to_process64(process64_auid, process64_euid,
+ process64_egid, process64_ruid, process64_rgid, process64_pid,
+ process64_sid, &process64_tid);
+ if (process64_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_process64");
+ write_token(directory, token_filename, process64_token);
+}
+
+static void
+generate_process64_record(const char *directory, const char *record_filename)
+{
+ token_t *process64_token;
+
+ process64_tid.machine = inet_addr("127.0.0.1");
+
+ process64_token = au_to_process64(process64_auid, process64_euid,
+ process64_egid, process64_ruid, process64_rgid, process64_pid,
+ process64_sid, &process64_tid);
+ if (process64_token == NULL)
+ err(EX_UNAVAILABLE, "au_ti_process64");
+ write_record(directory, record_filename, process64_token, AUE_NULL);
+}
+
+static void
+generate_process64ex_token(const char *directory, const char *token_filename,
+ u_int32_t type)
+{
+ token_t *process64ex_token;
+ char *buf;
+
+ buf = (char *)malloc(strlen(token_filename) + 6);
+ if (type == AU_IPv6) {
+ inet_pton(AF_INET6, "fe80::1", process64_tid_addr.at_addr);
+ process64_tid_addr.at_type = AU_IPv6;
+ sprintf(buf, "%s%s", token_filename, "-IPv6");
+ } else {
+ process64_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
+ process64_tid_addr.at_type = AU_IPv4;
+ sprintf(buf, "%s%s", token_filename, "-IPv4");
+ }
+
+ process64ex_token = au_to_process64_ex(process64_auid, process64_euid,
+ process64_egid, process64_ruid, process64_rgid, process64_pid,
+ process64_sid, &process64_tid_addr);
+ if (process64ex_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_process64_ex");
+ write_token(directory, buf, process64ex_token);
+ free(buf);
+}
+
+static void
+generate_process64ex_record(const char *directory, const char *record_filename,
+ u_int32_t type)
+{
+ token_t *process64ex_token;
+ char *buf;
+
+ buf = (char *)malloc(strlen(record_filename) + 6);
+ if (type == AU_IPv6) {
+ inet_pton(AF_INET6, "fe80::1", process64_tid_addr.at_addr);
+ process64_tid_addr.at_type = AU_IPv6;
+ sprintf(buf, "%s%s", record_filename, "-IPv6");
+ } else {
+ process64_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
+ process64_tid_addr.at_type = AU_IPv4;
+ sprintf(buf, "%s%s", record_filename, "-IPv4");
+ }
+
+ process64ex_token = au_to_process64_ex(process64_auid, process64_euid,
+ process64_egid, process64_ruid, process64_rgid, process64_pid,
+ process64_sid, &process64_tid_addr);
+ if (process64ex_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_process64_ex");
+ write_record(directory, buf, process64ex_token, AUE_NULL);
+ free(buf);
}
static char return32_status = 0xd7;
@@ -771,6 +889,30 @@ generate_attr32_record(const char *directory, const char *record_filename)
}
+static char *zonename_sample = "testzone";
+
+static void
+generate_zonename_token(const char *directory, const char *token_filename)
+{
+ token_t *zonename_token;
+
+ zonename_token = au_to_zonename(zonename_sample);
+ if (zonename_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_zonename");
+ write_token(directory, token_filename, zonename_token);
+}
+
+static void
+generate_zonename_record(const char *directory, const char *record_filename)
+{
+ token_t *zonename_token;
+
+ zonename_token = au_to_zonename(zonename_sample);
+ if (zonename_token == NULL)
+ err(EX_UNAVAILABLE, "au_to_zonename");
+ write_record(directory, record_filename, zonename_token, AUE_NULL);
+}
+
int
main(int argc, char *argv[])
{
@@ -811,10 +953,20 @@ main(int argc, char *argv[])
generate_ipc_token(directory, "ipc_token");
generate_path_token(directory, "path_token");
generate_subject32_token(directory, "subject32_token");
- generate_subject32ex_token(directory, "subject32ex_token", AU_IPv4);
- generate_subject32ex_token(directory, "subject32ex_token", AU_IPv6);
+ generate_subject32ex_token(directory, "subject32ex_token",
+ AU_IPv4);
+ generate_subject32ex_token(directory, "subject32ex_token",
+ AU_IPv6);
generate_process32_token(directory, "process32_token");
- generate_process32ex_token(directory, "process32ex_token");
+ generate_process32ex_token(directory, "process32ex_token",
+ AU_IPv4);
+ generate_process32ex_token(directory, "process32ex_token",
+ AU_IPv6);
+ generate_process64_token(directory, "process64_token");
+ generate_process64ex_token(directory, "process64ex_token",
+ AU_IPv4);
+ generate_process64ex_token(directory, "process64ex_token",
+ AU_IPv6);
generate_return32_token(directory, "return32_token");
generate_text_token(directory, "text_token");
generate_opaque_token(directory, "opaque_token");
@@ -827,6 +979,7 @@ main(int argc, char *argv[])
generate_ipc_perm_token(directory, "ipc_perm_token");
generate_groups_token(directory, "groups_token");
generate_attr32_token(directory, "attr32_token");
+ generate_zonename_token(directory, "zonename_token");
}
if (do_records) {
@@ -840,7 +993,15 @@ main(int argc, char *argv[])
generate_subject32ex_record(directory, "subject32ex_record",
AU_IPv6);
generate_process32_record(directory, "process32_record");
- generate_process32ex_record(directory, "process32ex_record");
+ generate_process32ex_record(directory, "process32ex_record",
+ AU_IPv4);
+ generate_process32ex_record(directory, "process32ex_record",
+ AU_IPv6);
+ generate_process64_record(directory, "process64_record");
+ generate_process64ex_record(directory, "process64ex_record",
+ AU_IPv4);
+ generate_process64ex_record(directory, "process64ex_record",
+ AU_IPv6);
generate_return32_record(directory, "return32_record");
generate_text_record(directory, "text_record");
generate_opaque_record(directory, "opaque_record");
@@ -853,6 +1014,7 @@ main(int argc, char *argv[])
generate_ipc_perm_record(directory, "ipc_perm_record");
generate_groups_record(directory, "groups_record");
generate_attr32_record(directory, "attr32_record");
+ generate_zonename_record(directory, "zonename_record");
}
return (0);
diff --git a/contrib/openbsm/test/reference/arg32_record b/contrib/openbsm/test/reference/arg32_record
index 744dbcfd4437..2222ed03c2c6 100644
--- a/contrib/openbsm/test/reference/arg32_record
+++ b/contrib/openbsm/test/reference/arg32_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/data_record b/contrib/openbsm/test/reference/data_record
index ffb3ff68647d..8088f4eb37d7 100644
--- a/contrib/openbsm/test/reference/data_record
+++ b/contrib/openbsm/test/reference/data_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/file_record b/contrib/openbsm/test/reference/file_record
index 4be1f40118e3..b56d5cccbb45 100644
--- a/contrib/openbsm/test/reference/file_record
+++ b/contrib/openbsm/test/reference/file_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/in_addr_record b/contrib/openbsm/test/reference/in_addr_record
index 0421f884f939..4f308e068526 100644
--- a/contrib/openbsm/test/reference/in_addr_record
+++ b/contrib/openbsm/test/reference/in_addr_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/ip_record b/contrib/openbsm/test/reference/ip_record
index 22498445fd22..aee40a71153f 100644
--- a/contrib/openbsm/test/reference/ip_record
+++ b/contrib/openbsm/test/reference/ip_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/ipc_record b/contrib/openbsm/test/reference/ipc_record
index 43eabb48d0d4..4510f8819dca 100644
--- a/contrib/openbsm/test/reference/ipc_record
+++ b/contrib/openbsm/test/reference/ipc_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/iport_record b/contrib/openbsm/test/reference/iport_record
index 228e8fe487f3..1375efbf483d 100644
--- a/contrib/openbsm/test/reference/iport_record
+++ b/contrib/openbsm/test/reference/iport_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/opaque_record b/contrib/openbsm/test/reference/opaque_record
index 7763817d26cd..247d6f2733da 100644
--- a/contrib/openbsm/test/reference/opaque_record
+++ b/contrib/openbsm/test/reference/opaque_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/path_record b/contrib/openbsm/test/reference/path_record
index e85e384e0677..0d32b86832a7 100644
--- a/contrib/openbsm/test/reference/path_record
+++ b/contrib/openbsm/test/reference/path_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/process32_record b/contrib/openbsm/test/reference/process32_record
index b6a0a7720154..9a3f7d9de206 100644
--- a/contrib/openbsm/test/reference/process32_record
+++ b/contrib/openbsm/test/reference/process32_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/process32ex_record-IPv4 b/contrib/openbsm/test/reference/process32ex_record-IPv4
new file mode 100644
index 000000000000..6250b9c57ba9
--- /dev/null
+++ b/contrib/openbsm/test/reference/process32ex_record-IPv4
Binary files differ
diff --git a/contrib/openbsm/test/reference/process32ex_record-IPv6 b/contrib/openbsm/test/reference/process32ex_record-IPv6
new file mode 100644
index 000000000000..22a3249258a8
--- /dev/null
+++ b/contrib/openbsm/test/reference/process32ex_record-IPv6
Binary files differ
diff --git a/contrib/openbsm/test/reference/process32ex_token-IPv4 b/contrib/openbsm/test/reference/process32ex_token-IPv4
new file mode 100644
index 000000000000..dd0ae66b12ca
--- /dev/null
+++ b/contrib/openbsm/test/reference/process32ex_token-IPv4
Binary files differ
diff --git a/contrib/openbsm/test/reference/process32ex_token-IPv6 b/contrib/openbsm/test/reference/process32ex_token-IPv6
new file mode 100644
index 000000000000..3442428b2095
--- /dev/null
+++ b/contrib/openbsm/test/reference/process32ex_token-IPv6
Binary files differ
diff --git a/contrib/openbsm/test/reference/process64_record b/contrib/openbsm/test/reference/process64_record
new file mode 100644
index 000000000000..d8fca8eb4e6a
--- /dev/null
+++ b/contrib/openbsm/test/reference/process64_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/process64_token b/contrib/openbsm/test/reference/process64_token
new file mode 100644
index 000000000000..268b2c3ac752
--- /dev/null
+++ b/contrib/openbsm/test/reference/process64_token
Binary files differ
diff --git a/contrib/openbsm/test/reference/process64ex_record-IPv4 b/contrib/openbsm/test/reference/process64ex_record-IPv4
new file mode 100644
index 000000000000..3b7a728e7250
--- /dev/null
+++ b/contrib/openbsm/test/reference/process64ex_record-IPv4
Binary files differ
diff --git a/contrib/openbsm/test/reference/process64ex_record-IPv6 b/contrib/openbsm/test/reference/process64ex_record-IPv6
new file mode 100644
index 000000000000..6563e25be6cd
--- /dev/null
+++ b/contrib/openbsm/test/reference/process64ex_record-IPv6
Binary files differ
diff --git a/contrib/openbsm/test/reference/process64ex_token-IPv4 b/contrib/openbsm/test/reference/process64ex_token-IPv4
new file mode 100644
index 000000000000..92ae1da98318
--- /dev/null
+++ b/contrib/openbsm/test/reference/process64ex_token-IPv4
Binary files differ
diff --git a/contrib/openbsm/test/reference/process64ex_token-IPv6 b/contrib/openbsm/test/reference/process64ex_token-IPv6
new file mode 100644
index 000000000000..1cbc25930ef5
--- /dev/null
+++ b/contrib/openbsm/test/reference/process64ex_token-IPv6
Binary files differ
diff --git a/contrib/openbsm/test/reference/return32_record b/contrib/openbsm/test/reference/return32_record
index f4a6a5b1d6a1..e57d26c0c74d 100644
--- a/contrib/openbsm/test/reference/return32_record
+++ b/contrib/openbsm/test/reference/return32_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/seq_record b/contrib/openbsm/test/reference/seq_record
index 576c11232c5d..75cea179e2ed 100644
--- a/contrib/openbsm/test/reference/seq_record
+++ b/contrib/openbsm/test/reference/seq_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/subject32_record b/contrib/openbsm/test/reference/subject32_record
index 9978e5dbb15e..f96d84c5e984 100644
--- a/contrib/openbsm/test/reference/subject32_record
+++ b/contrib/openbsm/test/reference/subject32_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/subject32ex_record b/contrib/openbsm/test/reference/subject32ex_record
index ca28be4869ad..1d949a6e9184 100644
--- a/contrib/openbsm/test/reference/subject32ex_record
+++ b/contrib/openbsm/test/reference/subject32ex_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/subject32ex_token-IPv4 b/contrib/openbsm/test/reference/subject32ex_token-IPv4
index 0eaa71bcc76c..a40a3c5850c0 100644
--- a/contrib/openbsm/test/reference/subject32ex_token-IPv4
+++ b/contrib/openbsm/test/reference/subject32ex_token-IPv4
Binary files differ
diff --git a/contrib/openbsm/test/reference/subject32ex_token-IPv6 b/contrib/openbsm/test/reference/subject32ex_token-IPv6
index 99202b15d434..01bbcb60f606 100644
--- a/contrib/openbsm/test/reference/subject32ex_token-IPv6
+++ b/contrib/openbsm/test/reference/subject32ex_token-IPv6
Binary files differ
diff --git a/contrib/openbsm/test/reference/text_record b/contrib/openbsm/test/reference/text_record
index 3bc9db76018b..2f3fce2bc9ab 100644
--- a/contrib/openbsm/test/reference/text_record
+++ b/contrib/openbsm/test/reference/text_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/zonename_record b/contrib/openbsm/test/reference/zonename_record
new file mode 100644
index 000000000000..cfb9e264d6d4
--- /dev/null
+++ b/contrib/openbsm/test/reference/zonename_record
Binary files differ
diff --git a/contrib/openbsm/test/reference/zonename_token b/contrib/openbsm/test/reference/zonename_token
new file mode 100644
index 000000000000..3a3ebdcf7ce8
--- /dev/null
+++ b/contrib/openbsm/test/reference/zonename_token
Binary files differ
diff --git a/contrib/openbsm/tools/audump.c b/contrib/openbsm/tools/audump.c
index c591772c6651..65dc87abba06 100644
--- a/contrib/openbsm/tools/audump.c
+++ b/contrib/openbsm/tools/audump.c
@@ -23,7 +23,7 @@
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#7 $
*/
#include <bsm/libbsm.h>
@@ -123,7 +123,7 @@ audump_control(void)
err(-1, "getacpol");
if (au_strtopol(string, &policy) < 0)
err(-1, "au_strtopol");
- if (au_poltostr(policy, string2, PATH_MAX) < 0)
+ if (au_poltostr(policy, PATH_MAX, string2) < 0)
err(-1, "au_poltostr");
printf("policy:%s\n", string2);
}