Vendor import TrustedBSD OpenBSM 1.0 alpha 14, with the following change

history notes since the last import: OpenBSM 1.0 alpha 14 - Fix endian issues when processing IPv6 addresses for extended subject and process tokens. - gcc41 warnings clean. - Teach audit_submit(3) about getaudit_addr(2). - Add support for zonename tokens. OpenBSM 1.0 alpha 13 - compat/clock_gettime.h now provides a compatibility implementation of clock_gettime(), which fixes building on Mac OS X. - Countless man page improvements, markup fixes, content fixs, etc. - XML printing support via "praudit -x". - audit.log.5 expanded to include additional BSM token types. - Added encoding and decoding routines for process64_ex, process32_ex, subject32_ex, header64, and attr64 tokens. - Additional audit event identifiers for listen, mlockall/munlockall, getpath, POSIX message queues, and mandatory access control. Approved by: re (bmah) MFC after: 3 weeks Obtained from: TrustedBSD Project
svn path=/vendor/openbsm/dist/; revision=168777
2007-04-16 15:37:10 +00:00 · 2007-04-16 15:37:10 +00:00 · bc168a6cdd · 2020-12-20 02:59:44 +00:00
commit bc168a6cdd
parent 4bd0c025f3
78 changed files with 4318 additions and 1700 deletions
--- a/contrib/openbsm/HISTORY
+++ b/contrib/openbsm/HISTORY
@ -1,3 +1,23 @@
 OpenBSM 1.0 alpha 14
 - Fix endian issues when processing IPv6 addresses for extended subject
  and process tokens.
 - gcc41 warnings clean.
 - Teach audit_submit(3) about getaudit_addr(2).
 - Add support for zonename tokens.
 OpenBSM 1.0 alpha 13
 - compat/clock_gettime.h now provides a compatibility implementation of
  clock_gettime(), which fixes building on Mac OS X.
 - Countless man page improvements, markup fixes, content fixs, etc.
 - XML printing support via "praudit -x".
 - audit.log.5 expanded to include additional BSM token types.
 - Added encoding and decoding routines for process64_ex, process32_ex,
  subject32_ex, header64, and attr64 tokens.
 - Additional audit event identifiers for listen, mlockall/munlockall,
  getpath, POSIX message queues, and mandatory access control.
 OpenBSM 1.0 alpha 12
 - Correct bug in auditreduce which prevented the -c option from working
@ -264,4 +284,4 @@ OpenBSM 1.0 alpha 1
  to support reloading of kernel event table.
 - Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#39 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#50 $
--- a/contrib/openbsm/README
+++ b/contrib/openbsm/README
@ -3,11 +3,13 @@ OpenBSM 1.0
  Introduction
 OpenBSM provides an open source implementation of Sun's BSM Audit API. 
-Originally created under contract to Apple Computer by McAfee Research, 
+Originally created under contract to Apple Computer by McAfee Research, this
-this implementation is now maintained by volunteers and the generous 
+implementation is now maintained by volunteers and the generous contribution
-contribution of several organizations.  Coupled with a kernel audit 
+of several organizations.  Coupled with a kernel audit implementation,
-implementation, OpenBSM can be used to maintain system audit streams, and 
+OpenBSM can be used to maintain system audit streams, and is a foundation for
-is a foundation for an Audit-enabled system.
+an Audit-enabled system.  Portions of OpenBSM, including include files and
 token-building routines, are reusable in a kernel audit implementation, and
 may be found in the FreeBSD and Mac OS X kernels.
  Contents
@ -15,13 +17,22 @@ OpenBSM consists of several directories:
    bin/           Audit-related command line tools
    bsm/           System include files for BSM
    compat/        Compatibility code to build on various OS's
    etc/           Sample /etc/security configuration files
    libbsm/        Implementation of BSM library interfaces and man pages
    man/           System call and configuration file man pages
    modules/       Directory for auditfilterd module source
    test/          Test token sets and geneneration program
    tools/         Tool directory, including audump to dump databases
-OpenBSM currently builds on FreeBSD and Darwin.  With Makefile adjustment
+The following programs are included with OpenBSM:
-and minor tweaks, it should build without problems on a broad range of
+
-POSIX-like systems.
+    audit          Command line audit control tool
    auditd         Audit management daemon
    auditfilterd   Experimental event monitoring framework
    auditreduce    Audit trail reduction tool
    audump         Debugging tool to parse and print audit databases
    praudit        Tool to print audit trails
  Building
@ -29,7 +40,7 @@ OpenBSM is currently built using autoconf and automake, which should allow
 for building on a range of operating systems, including FreeBSD, Mac OS X,
 and Linux.  Depending on the availability of audit facilities in the
 underlying operating system, some components that depend on kernel audit
-support are built conditionally.  Typically, build will be performed using
+support are built conditionally.  Typically, build will be performed using:
    ./configure
    make
@ -51,13 +62,12 @@ directory the correct libbsm is used:
 You will need to manually propagate openbsm/etc/* into /etc on your system;
 this is not done automatically so as to avoid disrupting the current
-configuration.  Currently, the locations of these files is not
+configuration.  Currently, the locations of these files is not configurable.
 configurable.
  Credits
-The following organizations and individuals have contributed substantially 
+The following organizations and individuals have contributed substantially to
-to the development of OpenBSM:
+the development of OpenBSM:
    Apple Computer, Inc.
    McAfee Research, McAfee, Inc.
@ -76,6 +86,9 @@ to the development of OpenBSM:
    Martin Fong
    Pawel Worach
    Martin Englund
    Ruslan Ermilov
    Martin Voros
    Diego Giagio
 In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
 Software's FlexeLint tool were used to identify a number of bugs in the
@ -97,4 +110,4 @@ Information on TrustedBSD may be found on the TrustedBSD home page:
    http://www.TrustedBSD.org/
-$P4: //depot/projects/trustedbsd/openbsm/README#19 $
+$P4: //depot/projects/trustedbsd/openbsm/README#23 $
--- a/contrib/openbsm/TODO
+++ b/contrib/openbsm/TODO
@ -1,4 +1,3 @@
 - Teach praudit how to general XML format BSM streams.
 - Teach libbsm about any additional 64-bit token types that are present
  in more recent Solaris versions.
 - Build a regression test suite for libbsm that generates each token
@ -20,4 +19,4 @@
 - Put hostname in trail file name.
 - Document audit_warn event arguments.
-$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#9 $
--- a/contrib/openbsm/VERSION
+++ b/contrib/openbsm/VERSION
@ -1 +1 @@
-OPENBSM_1_0_ALPHA_12
+OPENBSM_1_0_ALPHA_14
--- a/contrib/openbsm/bin/audit/audit.8
+++ b/contrib/openbsm/bin/audit/audit.8
@ -2,20 +2,20 @@
 .\" All rights reserved.
 .\"
 .\" @APPLE_BSD_LICENSE_HEADER_START@
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
-.\" 
+.\"
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 .\" EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 .\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@ -26,32 +26,27 @@
 .\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\" 
+.\"
 .\" @APPLE_BSD_LICENSE_HEADER_END@
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/audit/audit.8#9 $
 .\"
-.Dd January 24, 2004
+.Dd October 2, 2006
 .Dt AUDIT 8
 .Os
 .Sh NAME
 .Nm audit
 .Nd audit management utility
 .Sh SYNOPSIS
-.Nm audit
+.Nm
-.Op Fl nst
+.Fl n | s | t
 .Op Ar file
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 utility controls the state of the audit system.
-The optional
+One of the following flags is required as an argument to
-.Ar file
+.Nm :
-operand specifies the location of the audit control input file (default
+.Bl -tag -width indent
 .Pa /etc/security/audit_control ) .
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl n
 Forces the audit system to close the existing audit log file and rotate to
 a new log file in a location specified in the audit control file.
@ -69,22 +64,27 @@ The
 .Xr auditd 8
 daemon must already be running.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control
-Default audit policy file used to configure the auditing system.
+Audit policy file used to configure the auditing system.
 .El
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr audit_control 5 ,
 .Xr auditd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/bin/auditd/auditd.8
+++ b/contrib/openbsm/bin/auditd/auditd.8
@ -29,46 +29,35 @@
 .\"
 .\" @APPLE_BSD_LICENSE_HEADER_END@
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#9 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.8#12 $
 .\"
-.Dd January 24, 2004
+.Dd October 2, 2006
 .Dt AUDITD 8
 .Os
 .Sh NAME
 .Nm auditd
 .Nd audit log management daemon
 .Sh SYNOPSIS
-.Nm auditd
+.Nm
-.Op Fl dhs
+.Op Fl d
 .Sh DESCRIPTION
 The
 .Nm
-daemon responds to requests from the audit(1) utility and notifications
+daemon responds to requests from the
-from the kernel.  It manages the resulting audit log files and specified
+.Xr audit 8
 utility and notifications
 from the kernel.
 It manages the resulting audit log files and specified
 log file locations.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl d
-Starts the daemon in debug mode - it will not daemonize.
+Starts the daemon in debug mode \[em] it will not daemonize.
 .El
 .Pp
 The historical
 .Fl h
 and
 .Fl s
 flags are now configured using
 .Xr audit_control 5
 policy flags
 .Dv ahlt
 and
 .Dv cnt ,
 and are no longer available as arguments to
 .Xr auditd 8 .
 .Sh NOTE
 .Pp
 To assure uninterrupted audit support, the
-.Nm auditd
+.Nm
 daemon should not be started and stopped manually.
 Instead, the
 .Xr audit 8
@ -78,28 +67,51 @@ the
 .Pa audit_control
 file.
 .Pp
-.\" Sending a SIGHUP to a running
+.\" Sending a
-.\" .Nm auditd
+.\" .Dv SIGHUP
 .\" to a running
 .\" .Nm
 .\" daemon will force it to exit.
-Sending a SIGTERM to a running
+Sending a
-.Nm auditd
+.Dv SIGTERM
 to a running
 .Nm
 daemon will force it to exit.
 .Sh FILES
-.Bl -tag -width "/var/audit" -compact
+.Bl -tag -width ".Pa /var/audit" -compact
 .It Pa /var/audit
 Default directory for storing audit log files.
 .El
 .Sh COMPATIBILITY
 The historical
 .Fl h
 and
 .Fl s
 flags are now configured using
 .Xr audit_control 5
 policy flags
 .Cm ahlt
 and
 .Cm cnt ,
 and are no longer available as arguments to
 .Nm .
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr audit_control 5 ,
 .Xr audit 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/bin/auditd/auditd.c
+++ b/contrib/openbsm/bin/auditd/auditd.c
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.c#25 $
 */
 #include <sys/types.h>
@ -865,7 +865,7 @@ setup(void)
 		syslog(LOG_ERR, "Could not create audit startup event.");
 	else {
 		/*
-		 * XXXCSJP Perhaps we wan't more robust audit records for
+		 * XXXCSJP Perhaps we want more robust audit records for
 		 * audit start up and shutdown. This might include capturing
 		 * failures to initialize the audit subsystem?
 		 */
@ -896,7 +896,7 @@ main(int argc, char **argv)
 	int debug = 0;
 	int rc;
-	while ((ch = getopt(argc, argv, "dhs")) != -1) {
+	while ((ch = getopt(argc, argv, "d")) != -1) {
 		switch(ch) {
 		case 'd':
 			/* Debug option. */
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.8
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.8
@ -23,18 +23,19 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.8#4 $
 .\"
-.Dd March 27, 2006
+.Dd October 3, 2006
 .Dt AUDITFILTERD 8
 .Os
 .Sh NAME
 .Nm auditfilterd
 .Nd audit filter daemon
 .Sh SYNOPSIS
-.Nm auditfilterd
+.Nm
 .Op Fl d
 .Op Fl c Ar conffile
 .Op Fl p Ar pipefile
 .Op Fl t Ar trailfile
 .Sh DESCRIPTION
 The
@ -44,18 +45,23 @@ modules to track audit events from a live audit source.
 It is configured using the
 .Xr audit_filter 5
 configuration file.
 The source can either be a pipe or a file.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl d
 Starts the daemon in debug mode - it will not daemonize.
 .It Fl c Ar conffile
 Specify an alternative configuration file.
 .It Fl d
 Starts the daemon in debug mode \[em] it will not daemonize.
 .It Fl p Ar pipefile
 Specify a pipe as an alternative source of audit event records.
 Default is
 .Pa /dev/auditpipe .
 .It Fl t Ar trailfile
-Specify an alternative source of audit event records.
+Specify a file as an alternative source of audit event records.
 .El
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_filterd" -compact
+.Bl -tag -width ".Pa /etc/security/audit_filterd" -compact
 .It Pa /etc/security/audit_filterd
 Default configuration file for
 .Nm .
@ -66,12 +72,13 @@ Default audit record source for
 .Sh SEE ALSO
 .Xr audit 8 ,
 .Xr auditd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 The
 .Nm
-daemon and audit filter APIs were created by Robert Watson.
+daemon and audit filter APIs were created by
-.Sh HISTORY
+.An Robert Watson .
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/bin/auditfilterd/auditfilterd.c
+++ b/contrib/openbsm/bin/auditfilterd/auditfilterd.c
@ -25,7 +25,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditfilterd/auditfilterd.c#11 $
 */
 /*
@ -48,6 +48,10 @@
 #include <compat/queue.h>
 #endif
 #ifndef HAVE_CLOCK_GETTIME
 #include <compat/clock_gettime.h>
 #endif
 #include <bsm/libbsm.h>
 #include <bsm/audit_filter.h>
@ -76,7 +80,7 @@ static void
 usage(void)
 {
-	fprintf(stderr, "auditfilterd [-c conffile] [-d] [-p pipefile]"
+	fprintf(stderr, "auditfilterd [-d] [-c conffile] [-p pipefile]"
 	    " [-t trailfile]\n");
 	fprintf(stderr, "  -c    Specify configuration file (default: %s)\n",
 	    AUDITFILTERD_CONFFILE);
--- a/contrib/openbsm/bin/auditreduce/auditreduce.1
+++ b/contrib/openbsm/bin/auditreduce/auditreduce.1
@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
@ -34,44 +34,43 @@
 .Nm auditreduce
 .Nd "select records from audit trail files"
 .Sh SYNOPSIS
-.Nm auditreduce
+.Nm
 .Op Fl A
-.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
-.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 .Op Fl c Ar flags
 .Op Fl d Ar YYYYMMDD
 .Op Fl e Ar euid
 .Op Fl f Ar egid
 .Op Fl g Ar rgid
 .Op Fl r Ar ruid
 .Op Fl u Ar auid
 .Op Fl j Ar id
 .Op Fl m Ar event
-.Op Fl o Ar object=value
+.Op Fl o Ar object Ns = Ns Ar value
-.Op Ar file ...
+.Op Fl r Ar ruid
 .Op Fl u Ar auid
 .Op Ar
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 utility selects records from the audit trail files based on the specified
 criteria.
 Matching audit records are printed to the standard output in
 their raw binary form.
-If no filename is specified, the standard input is used
+If no
 .Ar file
 argument is specified, the standard input is used
 by default.
-Use the 
+Use the
 .Nm praudit
 utility to print the selected audit records in human-readable form.
 See
 .Xr praudit 1
-for more information.
+utility to print the selected audit records in human-readable form.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl A
 Select all records.
-.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 Select records that occurred after or on the given datetime.
-.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 Select records that occurred before the given datetime.
 .It Fl c Ar flags
 Select records matching the given audit classes specified as a comma
@ -86,15 +85,11 @@ This option cannot be used with
 or
 .Fl b .
 .It Fl e Ar euid
-Select records with the given effective user id or name.
+Select records with the given effective user ID or name.
 .It Fl f Ar egid
-Select records with the given effective group id or name.
+Select records with the given effective group ID or name.
 .It Fl g Ar rgid
-Select records with the given real group id or name.
+Select records with the given real group ID or name.
 .It Fl r Ar ruid
 Select records with the given real user id or name.
 .It Fl u Ar auid
 Select records with the given audit id.
 .It Fl j Ar id
 Select records having a subject token with matching ID.
 .It Fl m Ar event
@ -102,45 +97,53 @@ Select records with the given event name or number.
 See
 .Xr audit_event 5
 for a description of audit event names and numbers.
-.It Fl o Ar object=value
+.It Fl o Ar object Ns = Ns Ar value
-.Bl -tag -width Ds
+.Bl -tag -width ".Cm msgqid"
-.It Nm file
+.It Cm file
 Select records containing path tokens, where the pathname matches
 one of the comma delimited extended regular expression contained in
 given specification.
-Regular expressions which are prefixed with a tilde (~) are excluded
+Regular expressions which are prefixed with a tilde
 .Pq Ql ~
 are excluded
 from the search results.
 These extended regular expressions are processed from left to right,
 and a path will either be selected or deslected based on the first match.
 .Pp
-Since commas are used to delimit the regular expressions, a backslash (\\)
+Since commas are used to delimit the regular expressions, a backslash
-character should be used to escape the comma if it's a part of the search
+.Pq Ql \e
 character should be used to escape the comma if it is a part of the search
 pattern.
-.It Nm msgqid
+.It Cm msgqid
-Select records containing the given message queue id.
+Select records containing the given message queue ID.
-.It Nm pid
+.It Cm pid
-Select records containing the given process id.
+Select records containing the given process ID.
-.It Nm semid
+.It Cm semid
-Select records containing the given semaphore id.
+Select records containing the given semaphore ID.
-.It Nm shmid
+.It Cm shmid
-Select records containing the given shared memory id.
+Select records containing the given shared memory ID.
 .El
 .It Fl r Ar ruid
 Select records with the given real user ID or name.
 .It Fl u Ar auid
 Select records with the given audit ID.
 .El
-.Sh Examples
+.Sh EXAMPLES
 .Pp
 To select all records associated with effective user ID root from the audit
 log
 .Pa /var/audit/20031016184719.20031017122634 :
-.Pp
+.Bd -literal -offset indent
-.Nm
+auditreduce -e root \e
-e root /var/audit/20031016184719.20031017122634
+    /var/audit/20031016184719.20031017122634
 .Ed
 .Pp
 To select all
 .Xr setlogin 2
 events from that log:
-.Pp
+.Bd -literal -offset indent
-.Nm
+auditreduce -m AUE_SETLOGIN \e
-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+    /var/audit/20031016184719.20031017122634
 .Ed
 .Pp
 Output from the above command lines will typically be piped to a new trail
 file, or via standard output to the
@ -148,36 +151,43 @@ file, or via standard output to the
 command.
 .Pp
 Select all records containing a path token where the pathname contains
-.Pa /etc/master.passwd
+.Pa /etc/master.passwd :
-.Pp
+.Bd -literal -offset indent
-.Nm
+auditreduce -o file="/etc/master.passwd" \e
-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+    /var/audit/20031016184719.20031017122634
 .Ed
 .Pp
 Select all records containing path tokens, where the pathname is a TTY
 device:
-.Pp
+.Bd -literal -offset indent
-.Nm
+auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+    /var/audit/20031016184719.20031017122634
 .Ed
 .Pp
 Select all records containing path tokens, where the pathname is a TTY
 except for
-.Pa /dev/ttyp2
+.Pa /dev/ttyp2 :
-.Pp
+.Bd -literal -offset indent
-.Nm
+auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+    /var/audit/20031016184719.20031017122634
 .Ed
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,
 .Xr audit_event 5
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/bin/praudit/praudit.1
+++ b/contrib/openbsm/bin/praudit/praudit.1
@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -25,73 +25,94 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 $
 .\"
-.Dd January 24, 2004
+.Dd November 5, 2006
 .Dt PRAUDIT 1
 .Os
 .Sh NAME
 .Nm praudit
 .Nd "print the contents of audit trail files"
 .Sh SYNOPSIS
-.Nm praudit
+.Nm
-.Op Fl lrs
+.Op Fl lpx
 .Op Fl r | s
 .Op Fl d Ar del
-.Op Ar file ...
+.Op Ar
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 utility prints the contents of the audit trail files to the standard output in
 human-readable form.
-If no filename is specified, the standard input is used
+If no
 .Ar file
 argument is specified, the standard input is used
 by default.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl d Ar del
 Specifies the delimiter.
 The default delimiter is the comma.
 .It Fl l
 Prints the entire record on the same line.
 If this option is not specified,
 every token is displayed on a different line.
 .It Fl p
 Specify this option if input to
 .Nm
 is piped from the
 .Xr tail 1
 utility.
 This causes
 .Nm
 to sync to the start of the next record.
 .It Fl r
 Prints the records in their raw, numeric form.
-This option is exclusive from 
+This option is exclusive from
-.Fl s
+.Fl s .
 .It Fl s
 Prints the tokens in their short form.
 Short text representations for
 record and event type are displayed.
 This option is exclusive from
-.Fl  r
+.Fl r .
-.It Fl d Ar del
+.It Fl x
-Specifies the delimiter.
+Print audit records in the XML output format.
 The default delimiter is the comma.
 .El
 .Pp
 If the raw or short forms are not specified, the default is to print the tokens
 in their long form.
 Events are displayed as per their descriptions given in
 .Pa /etc/security/audit_event ;
-uids and gids are expanded to their names;
+UIDs and GIDs are expanded to their names;
 dates and times are displayed in human-readable format.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_class
-Descriptions of audit event classes
+Descriptions of audit event classes.
 .It Pa /etc/security/audit_event
-Descriptions of audit events
+Descriptions of audit events.
 .El
 .Sh SEE ALSO
 .Xr auditreduce 1 ,
 .Xr audit 4 ,
 .Xr auditpipe 4 ,
 .Xr audit_class 5 ,
 .Xr audit_event 5
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/bin/praudit/praudit.c
+++ b/contrib/openbsm/bin/praudit/praudit.c
@ -1,5 +1,6 @@
 /*
 * Copyright (c) 2004 Apple Computer, Inc.
 * Copyright (c) 2006 Martin Voros
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -26,7 +27,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#11 $
 */
 /*
@ -34,7 +35,7 @@
 */
 /*
- * praudit [-lrs] [-ddel] [filenames]
+ * praudit [-lpx] [-r | -s] [-d del] [file ...]
 */
 #include <bsm/libbsm.h>
@ -51,12 +52,14 @@ static int	 oneline = 0;
 static int	 raw = 0;
 static int	 shortfrm = 0;
 static int	 partial = 0;
 static int	 xml = 0;
 static void
-usage()
+usage(void)
 {
-	fprintf(stderr, "Usage: praudit [-lrs] [-ddel] [filenames]\n");
+	fprintf(stderr, "usage: praudit [-lpx] [-r | -s] [-d del] "
 	    "[file ...]\n");
 	exit(1);
 }
@ -88,11 +91,17 @@ print_tokens(FILE *fp)
 			if (-1 == au_fetch_tok(&tok, buf + bytesread,
 			    reclen - bytesread))
 				break;
-			au_print_tok(stdout, &tok, del, raw, shortfrm);
+			if (xml)
-			bytesread += tok.len;
+				au_print_tok_xml(stdout, &tok, del, raw,
-			if (oneline)
+				    shortfrm);
 				printf("%s", del);
 			else
 				au_print_tok(stdout, &tok, del, raw,
 				    shortfrm);
 			bytesread += tok.len;
 			if (oneline) {
 				if (!xml)
 					printf("%s", del);
 			} else
 				printf("\n");
 		}
 		free(buf);
@ -109,12 +118,20 @@ main(int argc, char **argv)
 	int i;
 	FILE *fp;
-	while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
+	while ((ch = getopt(argc, argv, "d:lprsx")) != -1) {
 		switch(ch) {
 		case 'd':
 			del = optarg;
 			break;
 		case 'l':
 			oneline = 1;
 			break;
 		case 'p':
 			partial = 1;
 			break;
 		case 'r':
 			if (shortfrm)
 				usage();	/* Exclusive from shortfrm. */
@ -127,12 +144,8 @@ main(int argc, char **argv)
 			shortfrm = 1;
 			break;
-		case 'd':
+		case 'x':
-			del = optarg;
+			xml = 1;
 			break;
 		case 'p':
 			partial = 1;
 			break;
 		case '?':
@ -141,6 +154,9 @@ main(int argc, char **argv)
 		}
 	}
 	if (xml)
 		au_print_xml_header(stdout);
 	/* For each of the files passed as arguments dump the contents. */
 	if (optind == argc) {
 		print_tokens(stdin);
@ -153,5 +169,9 @@ main(int argc, char **argv)
 		if (fp != NULL)
 			fclose(fp);
 	}
 	if (xml)
 		au_print_xml_footer(stdout);
 	return (1);
 }
--- a/contrib/openbsm/bsm/audit_kevents.h
+++ b/contrib/openbsm/bsm/audit_kevents.h
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#43 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#47 $
 */
 #ifndef _BSM_AUDIT_KEVENTS_H_
@ -474,6 +474,28 @@
 #define	AUE_READDIR		43118	/* Linux. */
 #define	AUE_IOPL		43119	/* Linux. */
 #define	AUE_VM86		43120	/* Linux. */
 #define	AUE_MAC_GET_PROC	43121	/* FreeBSD. */
 #define	AUE_MAC_SET_PROC	43122	/* FreeBSD. */
 #define	AUE_MAC_GET_FD		43123	/* FreeBSD. */
 #define	AUE_MAC_GET_FILE	43124	/* FreeBSD. */
 #define	AUE_MAC_SET_FD		43125	/* FreeBSD. */
 #define	AUE_MAC_SET_FILE	43126	/* FreeBSD. */
 #define	AUE_MAC_SYSCALL		43127	/* FreeBSD. */
 #define	AUE_MAC_GET_PID		43128	/* FreeBSD. */
 #define	AUE_MAC_GET_LINK	43129	/* FreeBSD. */
 #define	AUE_MAC_SET_LINK	43130	/* FreeBSD. */
 #define	AUE_MAC_EXECVE		43131	/* FreeBSD. */
 #define	AUE_GETPATH_FROMFD	43132	/* FreeBSD. */
 #define	AUE_GETPATH_FROMADDR	43133	/* FreeBSD. */
 #define	AUE_MQ_OPEN		43134	/* FreeBSD. */
 #define	AUE_MQ_SETATTR		43135	/* FreeBSD. */
 #define	AUE_MQ_TIMEDRECEIVE	43136	/* FreeBSD. */
 #define	AUE_MQ_TIMEDSEND	43137	/* FreeBSD. */
 #define	AUE_MQ_NOTIFY		43138	/* FreeBSD. */
 #define	AUE_MQ_UNLINK		43139	/* FreeBSD. */
 #define	AUE_LISTEN		43140	/* FreeBSD/Darwin/Linux. */
 #define	AUE_MLOCKALL		43141	/* FreeBSD. */
 #define	AUE_MUNLOCKALL		43142	/* FreeBSD. */
 /*
 * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
@ -571,16 +593,13 @@
 #define	AUE_GETSOCKOPT		AUE_NULL
 #define	AUE_GTSOCKOPT		AUE_GETSOCKOPT	/* XXX: Typo in Darwin. */
 #define	AUE_ISSETUGID		AUE_NULL
 #define	AUE_LISTEN		AUE_NULL
 #define	AUE_LSTATV		AUE_NULL
 #define	AUE_MADVISE		AUE_NULL
 #define	AUE_MINCORE		AUE_NULL
 #define	AUE_MKCOMPLEX		AUE_NULL
 #define	AUE_MLOCKALL		AUE_NULL
 #define	AUE_MODWATCH		AUE_NULL
 #define	AUE_MSGCL		AUE_NULL
 #define	AUE_MSYNC		AUE_NULL
 #define	AUE_MUNLOCKALL		AUE_NULL
 #define	AUE_PREAD		AUE_NULL
 #define	AUE_PWRITE		AUE_NULL
 #define	AUE_PREADV		AUE_NULL
--- a/contrib/openbsm/bsm/audit_record.h
+++ b/contrib/openbsm/bsm/audit_record.h
@ -30,7 +30,7 @@
 *
 * @APPLE_BSD_LICENSE_HEADER_END@
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#25 $
 */
 #ifndef _BSM_AUDIT_RECORD_H_
@ -85,6 +85,7 @@
 /* XXXRW: Additional X11 tokens not defined? */
 #define	AUT_CMD			0x51
 #define	AUT_EXIT		0x52
 #define	AUT_ZONENAME		0x60
 /* XXXRW: OpenBSM AUT_HOST 0x70? */
 #define	AUT_ARG64		0x71
 #define	AUT_RETURN64		0x72
@ -246,6 +247,8 @@ token_t	*au_to_file(char *file, struct timeval tm);
 token_t	*au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	    struct timeval tm);
 token_t	*au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	    struct timeval tm);
 #if !defined(KERNEL) && !defined(_KERNEL)
 token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
 token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
@ -328,6 +331,7 @@ token_t	*au_to_exec_env(char **envp);
 token_t	*au_to_text(char *text);
 token_t	*au_to_kevent(struct kevent *kev);
 token_t	*au_to_trailer(int rec_size);
 token_t	*au_to_zonename(char *zonename);
 __END_DECLS
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#33 $
 */
 #ifndef _LIBBSM_H_
@ -164,6 +164,12 @@ typedef struct au_tidaddr32 {
 	u_int32_t	addr[4];
 } au_tidaddr32_t;
 typedef struct au_tidaddr64 {
 	u_int64_t	port;
 	u_int32_t	type;
 	u_int32_t	addr[4];
 } au_tidaddr64_t;
 /*
 * argument #              1 byte
 * argument value          4 bytes/8 bytes (32-bit/64-bit value)
@ -483,6 +489,17 @@ typedef struct {
 	au_tidaddr32_t	tid;
 } au_proc32ex_t;
 typedef struct {
 	u_int32_t	auid;
 	u_int32_t	euid;
 	u_int32_t	egid;
 	u_int32_t	ruid;
 	u_int32_t	rgid;
 	u_int32_t	pid;
 	u_int32_t	sid;
 	au_tidaddr64_t	tid;
 } au_proc64ex_t;
 /*
 * error status            1 byte
 * return value            4 bytes/8 bytes (32-bit/64-bit value)
@ -616,6 +633,17 @@ typedef struct {
 	au_tidaddr32_t	tid;
 } au_subject32ex_t;
 typedef struct {
 	u_int32_t	auid;
 	u_int32_t	euid;
 	u_int32_t	egid;
 	u_int32_t	ruid;
 	u_int32_t	rgid;
 	u_int32_t	pid;
 	u_int32_t	sid;
 	au_tidaddr64_t	tid;
 } au_subject64ex_t;
 /*
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
@ -625,6 +653,15 @@ typedef struct {
 	char		*text;
 } au_text_t;
 /*
 * zonename length	2 bytes
 * zonename text	N bytes + 1 NULL terminator
 */
 typedef struct {
 	u_int16_t	 len;
 	char		*zonename;
 } au_zonename_t;
 typedef struct {
 	u_int32_t	ident;
 	u_int16_t	filter;
@ -675,8 +712,9 @@ struct tokenstr {
 		au_opaque_t		opaque;
 		au_path_t		path;
 		au_proc32_t		proc32;
 		au_proc64_t		proc64;
 		au_proc32ex_t		proc32_ex;
 		au_proc64_t		proc64;
 		au_proc64ex_t		proc64_ex;
 		au_ret32_t		ret32;
 		au_ret64_t		ret64;
 		au_seq_t		seq;
@ -685,12 +723,14 @@ struct tokenstr {
 		au_socketinet32_t	sockinet32;
 		au_socketunix_t		sockunix;
 		au_subject32_t		subj32;
 		au_subject64_t		subj64;
 		au_subject32ex_t	subj32_ex;
 		au_subject64_t		subj64;
 		au_subject64ex_t	subj64_ex;
 		au_text_t		text;
 		au_kevent_t		kevent;
 		au_invalid_t		invalid;
 		au_trailer_t		trail;
 		au_zonename_t		zonename;
 	} tt; /* The token is one of the above types */
 };
@ -771,6 +811,14 @@ int			 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
 //XXX The following interface has different prototype from BSM
 void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
 			    char *del, char raw, char sfrm);
 void			 au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
 			    char *del, char raw, char sfrm);
 /* 
 * Functions relating to XML output.
 */
 void			 au_print_xml_header(FILE *outfp);
 void			 au_print_xml_footer(FILE *outfp);
 __END_DECLS
 /*
--- a/contrib/openbsm/compat/clock_gettime.h
+++ b/contrib/openbsm/compat/clock_gettime.h
@ -0,0 +1,54 @@
 /*-
 * Copyright (c) 2006 Robert N. M. Watson
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/compat/clock_gettime.h#2 $
 */
 /*
 * Compatibility routines for clock_gettime(CLOCK_REALTIME, ...) for systems
 * that don't have it.  We don't use clockid_t in order to avoid conflicts
 * with the native OS if it has one but not clock_gettime().  We also assume
 * that the sys/time.h include has already happened at this point, so we have
 * access to gettimeofday().
 */
 #include <errno.h>
 #define	CLOCK_REALTIME	0x2d4e1588
 static inline int
 clock_gettime(int clock_id, struct timespec *ts)
 {
 	struct timeval tv;
 	if (clock_id != CLOCK_REALTIME) {
 		errno = EINVAL;
 		return (-1);
 	}
 	if (gettimeofday(&tv, NULL) < 0)
 		return (-1);
 	ts->tv_sec = tv.tv_sec;
 	ts->tv_nsec = tv.tv_usec * 1000;
 	return (0);
 }
--- a/contrib/openbsm/configure
+++ b/contrib/openbsm/configure
@ -1,7 +1,7 @@
 #! /bin/sh
-# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 .
+# From configure.ac P4: //depot/projects/trustedbsd/openbsm/configure.ac#33 .
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.59 for OpenBSM 1.0a12.
+# Generated by GNU Autoconf 2.59 for OpenBSM 1.0alpha14.
 #
 # Report bugs to <trustedbsd-audit@TrustesdBSD.org>.
 #
@ -424,8 +424,8 @@ SHELL=${CONFIG_SHELL-/bin/sh}
 # Identity of this package.
 PACKAGE_NAME='OpenBSM'
 PACKAGE_TARNAME='openbsm'
-PACKAGE_VERSION='1.0a12'
+PACKAGE_VERSION='1.0alpha14'
-PACKAGE_STRING='OpenBSM 1.0a12'
+PACKAGE_STRING='OpenBSM 1.0alpha14'
 PACKAGE_BUGREPORT='trustedbsd-audit@TrustesdBSD.org'
 ac_unique_file="bin/auditreduce/auditreduce.c"
@ -955,7 +955,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures OpenBSM 1.0a12 to adapt to many kinds of systems.
+\`configure' configures OpenBSM 1.0alpha14 to adapt to many kinds of systems.
 Usage: $0 [OPTION]... [VAR=VALUE]...
@ -1021,7 +1021,7 @@ fi
 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of OpenBSM 1.0a12:";;
+     short | recursive ) echo "Configuration of OpenBSM 1.0alpha14:";;
   esac
  cat <<\_ACEOF
@ -1162,7 +1162,7 @@ fi
 test -n "$ac_init_help" && exit 0
 if $ac_init_version; then
  cat <<\_ACEOF
-OpenBSM configure 1.0a12
+OpenBSM configure 1.0alpha14
 generated by GNU Autoconf 2.59
 Copyright (C) 2003 Free Software Foundation, Inc.
@ -1176,7 +1176,7 @@ cat >&5 <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
-It was created by OpenBSM $as_me 1.0a12, which was
+It was created by OpenBSM $as_me 1.0alpha14, which was
 generated by GNU Autoconf 2.59.  Invocation command line was
  $ $0 $@
@ -19278,7 +19278,7 @@ fi
 # Define the identity of the package.
 PACKAGE=OpenBSM
- VERSION=1.0a12
+ VERSION=1.0alpha14
 cat >>confdefs.h <<_ACEOF
@ -23479,7 +23479,7 @@ _ASBOX
 } >&5
 cat >&5 <<_CSEOF
-This file was extended by OpenBSM $as_me 1.0a12, which was
+This file was extended by OpenBSM $as_me 1.0alpha14, which was
 generated by GNU Autoconf 2.59.  Invocation command line was
  CONFIG_FILES    = $CONFIG_FILES
@ -23542,7 +23542,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF
 ac_cs_version="\\
-OpenBSM config.status 1.0a12
+OpenBSM config.status 1.0alpha14
 configured by $0, generated by GNU Autoconf 2.59,
  with options \\"`echo "$ac_configure_args" | sed 's/[\\""\`\$]/\\\\&/g'`\\"
--- a/contrib/openbsm/configure.ac
+++ b/contrib/openbsm/configure.ac
@ -2,8 +2,8 @@
 # Process this file with autoconf to produce a configure script.
 AC_PREREQ(2.59)
-AC_INIT([OpenBSM], [1.0a12], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
+AC_INIT([OpenBSM], [1.0alpha14], [trustedbsd-audit@TrustesdBSD.org],[openbsm])
-AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#32 $])
+AC_REVISION([$P4: //depot/projects/trustedbsd/openbsm/configure.ac#34 $])
 AC_CONFIG_SRCDIR([bin/auditreduce/auditreduce.c])
 AC_CONFIG_AUX_DIR(config)
 AC_CONFIG_HEADER([config/config.h])
--- a/contrib/openbsm/etc/audit_event
+++ b/contrib/openbsm/etc/audit_event
@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#16 $
+# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_event#20 $
 #
 0:AUE_NULL:indir system call:no
 1:AUE_EXIT:exit(2):pc
@ -422,6 +422,28 @@
 43118:AUE_READDIR:readdir(3):no
 43119:AUE_IOPL:linux iopl:ad
 43120:AUE_VM86:linux vm86:pc
 43121:AUE_MAC_GET_PROC:mac_get_proc(2):pc
 43122:AUE_MAC_SET_PROC:mac_set_proc(2):pc
 43123:AUE_MAC_GET_FD:mac_get_fd(2):fa
 43124:AUE_MAC_GET_FILE:mac_get_file(2):fa
 43125:AUE_MAC_SET_FD:mac_set_fd(2):fm
 43126:AUE_MAC_SET_FILE:mac_set_file(2):fm
 43127:AUE_MAC_SYSCALL:mac_syscall(2):ad
 43128:AUE_MAC_GET_PID:mac_get_pid(2):pc
 43129:AUE_MAC_GET_LINK:mac_get_link(2):fa
 43130:AUE_MAC_SET_LINK:mac_set_link(2):fm
 43131:AUE_MAC_EXECVE:mac_exeve(2):ex,pc
 43132:AUE_GETPATH_FROMFD:getpath_fromfd(2):fa
 43133:AUE_GETPATH_FROMADDR:getpath_fromaddr(2):fa
 43134:AUE_MQ_OPEN:mq_open(2):ip
 43135:AUE_MQ_SETATTR:mq_setattr(2):ip
 43136:AUE_MQ_TIMEDRECEIVE:mq_timedreceive(2):ip
 43137:AUE_MQ_TIMEDSEND:mq_timedsend(2):ip
 43138:AUE_MQ_NOTIFY:mq_notify(2):ip
 43139:AUE_MQ_UNLINK:mq_unlink(2):ip
 43140:AUE_LISTEN:listen(2):nt
 43141:AUE_MLOCKALL:mlockall(2):pc
 43142:AUE_MUNLOCKALL:munlockall(2):pc
 #
 # User space system events.
 #
--- a/contrib/openbsm/libbsm/au_class.3
+++ b/contrib/openbsm/libbsm/au_class.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_class.3#6 $
 .\"
 .Dd April 19, 2005
 .Dt AU_CLASS 3
@ -35,69 +35,81 @@
 .Nm getauclassnam_r ,
 .Nm setauclass ,
 .Nm endauclass
-.Nd "Look up information from the audit_class database"
+.Nd "look up information from the audit_class database"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
-.Fn getauclassent "void"
+.Fn getauclassent void
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
 .Fn getauclassent_r "struct au_class_ent *e"
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
 .Fn getauclassnam "const char *name"
-.Ft struct au_class_ent *
+.Ft "struct au_class_ent *"
 .Fn getauclassnam_r "struct au_class_ent *e" "const char *name"
 .Ft void
-.Fn setauclass "void"
+.Fn setauclass void
 .Ft void
-.Fn endauclass "void"
+.Fn endauclass void
 .Sh DESCRIPTION
 These interfaces may be used to look up information from the
 .Xr audit_class 5
 database, which describes audit event classes.
 Audit event classes are described by
-.Vt struct au_class_ent .
+.Vt "struct au_class_ent" .
 .Pp
 .Pp
 The
 .Fn getauclassent
 function
 will return the next class found in the
 .Xr audit_class 5
 database, or the first if the function has not yet been called.
 .Dv NULL
 will be returned if no further records are available.
 .Pp
 The
 .Fn getauclassnam
 function
 looks up a class by name.
 .Dv NULL
 will be returned if no matching class can be found.
 .Pp
 The
 .Fn setauclass
 function
 resets the iterator through the
 .Xr audit_class 5
 database, causing the next call to
 .Fn getauclassent
 to start again from the beginning of the file.
 .Pp
 The
 .Fn endauclass
 function
 closes the
 .Xr audit_class 5
 database, if open.
 .Sh SEE ALSO
 .Xr libbsm 3 ,
 .Xr audit_class 5
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 These routines cannot currently distinguish between an entry not being found
 and an error accessing the database.
--- a/contrib/openbsm/libbsm/au_control.3
+++ b/contrib/openbsm/libbsm/au_control.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#8 $
 .\"
 .Dd April 19, 2005
 .Dt AU_CONTROL 3
@ -37,17 +37,17 @@
 .Nm getacflg ,
 .Nm getacna ,
 .Nm getacpol ,
-.Nm au_poltostr
+.Nm au_poltostr ,
 .Nm au_strtopol
-.Nd "Look up information from the audit_control database"
+.Nd "look up information from the audit_control database"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft void
-.Fn setac "void"
+.Fn setac void
 .Ft void
-.Fn endac "void"
+.Fn endac void
 .Ft int
 .Fn getacdir "char *name" "int len"
 .Ft int
@ -69,64 +69,88 @@ These interfaces may be used to look up information from the
 .Xr audit_control 5
 database, which contains various audit-related administrative parameters.
 .Pp
 The
 .Fn setac
 function
 resets the database iterator to the beginning of the database; see the
-BUGS section for more information.
+.Sx BUGS
 section for more information.
 .Pp
 The
 .Fn sendac
 function
 closes the
 .Xr audit_control 5
 database.
 .Pp
 The
 .Fn getacdir
 function
 returns the name of the directory where log data is stored via the passed
 character buffer
-.Va name
+.Fa name
 of length
-.Va len .
+.Fa len .
 .Pp
 The
 .Fn getacmin
 function
 returns the minimum free disk space for the audit log target file system via
 the passed
-.Va min_val
+.Fa min_val
 variable.
 .Pp
 The
 .Fn getacfilesz
-returns the audit trail rotation size in the passed size_t buffer
+function
 returns the audit trail rotation size in the passed
 .Vt size_t
 buffer
 .Fa size_val .
 .Pp
 The
 .Fn getacflg
 function
 returns the audit system flags via the the passed character buffer
-.Va auditstr
+.Fa auditstr
 of length
-.Va len .
+.Fa len .
 .Pp
 The
 .Fn getacna
 function
 returns the non-attributable flags via the passed character buffer
-.Va auditstr
+.Fa auditstr
 of length
-.Va len .
+.Fa len .
 .Pp
 The
 .Fn getacpol
 function
 returns the audit policy flags via the passed character buffer
-.Va auditstr
+.Fa auditstr
 of length
-.Va len .
+.Fa len .
 .Pp
 The
 .Fn au_poltostr
 function
 converts a numeric audit policy mask,
-.Va policy ,
+.Fa policy ,
-value to a string in the passed character buffer
+to a string in the passed character buffer
-.Va buf
+.Fa buf
 of lenth
-.Va maxsize .
+.Fa maxsize .
 .Pp
 The
 .Fn au_strtopol
 function
 converts an audit policy flags string,
-.Va polstr ,
+.Fa polstr ,
 to a numeric audit policy mask returned via
-.Va policy .
+.Fa policy .
 .Sh RETURN VALULES
 The
 .Fn getacdir ,
 .Fn getacmin ,
 .Fn getacflg ,
@ -134,11 +158,14 @@ to a numeric audit policy mask returned via
 .Fn getacpol ,
 and
 .Fn au_strtopol
 functions
 return 0 on success, or a negative value on failure, along with error
 information in
 .Va errno .
 .Pp
 The
 .Fn au_poltostr
 function
 returns a string length of 0 or more on success, or a negative value on
 if there is a failure.
 .Pp
@ -147,18 +174,23 @@ insufficient room in the passed character buffer for the full string.
 .Sh SEE ALSO
 .Xr libbsm 3 ,
 .Xr audit_control 5
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 These routines cannot currently distinguish between an entry not being found
 and an error accessing the database.
--- a/contrib/openbsm/libbsm/au_event.3
+++ b/contrib/openbsm/libbsm/au_event.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_event.3#7 $
 .\"
 .Dd April 19, 2005
 .Dt AU_EVENT 3
@ -39,76 +39,86 @@
 .Nm getauevnum ,
 .Nm getauevnum_r ,
 .Nm getauevnonam ,
-.Nm getauevnonam_r ,
+.Nm getauevnonam_r
-.Nd "Look up information from the audit_event database"
+.Nd "look up information from the audit_event database"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft void
-.Fn setauevent "void"
+.Fn setauevent void
 .Ft void
-.Fn endauevent "void"
+.Fn endauevent void
 .Ft "struct au_event_ent *"
-.Fn getauevent "void"
+.Fn getauevent void
 .Ft "struct au_event_ent *"
 .Fn getauevent_r "struct au_event_ent *e"
 .Ft "struct au_event_ent *"
-.Fn getauevnam "char *name"
+.Fn getauevnam "const char *name"
 .Ft "struct au_event_ent *"
-.Fn getauevnam_r "struct au_event_ent *e" "char *name"
+.Fn getauevnam_r "struct au_event_ent *e" "const char *name"
 .Ft "struct au_event_ent *"
 .Fn getauevnum "au_event_t event_number"
 .Ft "struct au_event_ent *"
 .Fn getauevnum_r "struct au_event_ent *e" "au_event_t event_number"
 .Ft "au_event_t *"
-.Fn getauevnonam "char *event_name"
+.Fn getauevnonam "const char *event_name"
 .Ft "au_event_t *"
-.Fn getauevnonam_r "au_event_t *ev" "char *event_name"
+.Fn getauevnonam_r "au_event_t *ev" "const char *event_name"
 .Sh DESCRIPTION
 These interfaces may be used to look up information from the
 .Xr audit_event 5
 database, which describes audit events.
 Entries in the database are described by
-.Vt struct au_event_ent
+.Vt "struct au_event_ent"
 entries, which are returned by calls to
 .Fn getauevent ,
 .Fn getauevnam ,
 or
 .Fn getauevnum .
-It is also possible look up an event number via a call to
+It is also possible to look up an event number via a call to
-.Nm getauevnonam .
+.Fn getauevnonam .
 .Pp
 The
 .Fn setauevent
 function
 resets the database access session for
 .Xr audit_event 5 ,
 so that the next call to
 .Fn getauevent
 will start with the first entry in the database.
 .Pp
 The
 .Fn endauevent
 function
 closes the
 .Xr audit_event 5
 database session.
 .Pp
 The
 .Fn getauevent
 function
 returns a reference to the next entry in the
 .Xr audit_event 5
 database.
 .Pp
 The
 .Fn getauevnam
 function
 returns a reference to the entry in the
 .Xr audit_event 5
 database with a name of
-.Va name .
+.Fa name .
 .Pp
 .Fn getauevnum
 returns a reference to the entry in the
 .Xr audit_event 5
 database with an event number of
-.Va event_number .
+.Fa event_number .
 .Pp
 The
 .Fn getauevnonam
 function
 returns a reference to an audit event number using the
 .Xr audit_event 5
 database.
@ -123,30 +133,38 @@ Functions
 and
 .Fn getauevnuam
 will return a reference to a
-.Ft struct au_event_ent
+.Vt "struct au_event_ent"
 or
-.Ft au_event_t
+.Vt au_event_t
 on success, or
-.Dv NULL on failure, with
+.Dv NULL
 on failure, with
 .Va errno
 set to provide further error information.
 .Sh SEE ALSO
 .Xr libbsm 3 ,
 .Xr audit_event 5
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 The
 .Va errno
 variable
 is not always properly set following a failure.
 .Pp
 These routines are thread-safe, but not re-entrant, so simultaneous or
--- a/contrib/openbsm/libbsm/au_free_token.3
+++ b/contrib/openbsm/libbsm/au_free_token.3
@ -13,7 +13,7 @@
 .\"    documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
 .\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@ -27,18 +27,18 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_free_token.3#6 $
 .\"
 .Dd April 19, 2005
 .Dt AU_FREE_TOKEN 3
 .Os
 .Sh NAME
 .Nm au_free_token
-.Nd "Deallocate a token_t created by any of the au_to_*() BSM API functions"
+.Nd "deallocate a token_t created by any of the au_to_*() BSM API functions"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft void
 .Fn au_free_token "token_t *tok"
 .Sh DESCRIPTION
@ -48,44 +48,50 @@ objects.
 However, if
 .Xr au_write 3
 is passed a bad audit descriptor, the
-.Vt token_t *
+.Vt "token_t *"
 parameter will be left untouched.
 In that case, the caller can deallocate the
 .Vt token_t
 using
-.Nm
+.Fn au_free_token
 if desired.
 .Pp
 The
-.Va tok
+.Fa tok
 argument is a
-.Vt token_t *
+.Vt "token_t *"
-generated by one of the au_to_*() BSM API calls.
+generated by one of the
 .Fn au_to_*
 BSM API calls.
 For convenience,
-.Va tok
+.Fa tok
 may be
 .Dv NULL ,
 in which case
-.Nm
+.Fn au_free_token
 returns immediately.
 .Sh IMPLEMENTATION NOTES
 This is, in fact, what
 .Xr audit_write 3
 does, in keeping with the existing memory management model of the BSM API.
 .Sh SEE ALSO
 .Xr au_write 3 ,
 .Xr audit_write 3 ,
 .Xr au_write 3 ,
 .Xr libbsm 3
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
-
+.Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
--- a/contrib/openbsm/libbsm/au_io.3
+++ b/contrib/openbsm/libbsm/au_io.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#2 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_io.3#5 $
 .\"
 .Dd April 19, 2005
 .Dt AU_IO 3
@ -32,15 +32,17 @@
 .Nm au_fetch_tok ,
 .Nm au_print_tok ,
 .Nm au_read_rec
-.Nd "Perform I/O involving an audit record"
+.Nd "perform I/O involving an audit record"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft int
 .Fn au_fetch_tok "tokenstr_t *tok" "u_char *buf" "int len"
 .Ft void
-.Fn au_print_tok "FILE outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
+.Fo au_print_tok
 .Fa "FILE *outfp" "tokenstr_t *tok" "char *del" "char raw" "char sfrm"
 .Fc
 .Ft int
 .Fn au_read_rec "FILE *fp" "u_char **buf"
 .Sh DESCRIPTION
@ -48,31 +50,37 @@ These interfaces support input and output (I/O) involving audit records,
 internalizing an audit record from a byte stream, converting a token to
 either a raw or default string, and reading a single record from a file.
 .Pp
 The
 .Fn au_fetch_tok
 function
 reads a token from the passed buffer
-.Va buf
+.Fa buf
 of length
-.Va len
+.Fa len
 bytes, and returns a pointer to the token via
-.Va tok .
+.Fa tok .
 .Pp
 The
 .Fn au_print_tok
 function
 prints a string form of the token
-.Va tok
+.Fa tok
 to the file output stream
-.Va outfp,
+.Fa outfp ,
 either in default mode, or raw mode if
-.Va raw
+.Fa raw
 is set non-zero.
 The delimiter
-.Va del
+.Fa del
 is used when printing.
 .Pp
 The
 .Fn au_read_rec
 function
 reads an audit record from the file stream
-.Va fp ,
+.Fa fp ,
 and returns an allocated memory buffer containing the record via
-.Va *buf ,
+.Fa *buf ,
 which must be freed by the caller using
 .Xr free 3 .
 .Pp
@ -93,27 +101,36 @@ would be used to free the record buffer.
 Finally, the source stream would be closed by a call to
 .Xr fclose 3 .
 .Sh RETURN VALUES
 The
 .Fn au_fetch_tok
 and
 .Fn au_read_rec
-return 0 on success, or -1 on failure along with additional error information
+functions
 return 0 on success, or \-1 on failure along with additional error information
 returned via
 .Va errno .
 .Sh SEE ALSO
 .Xr free 3 ,
 .Xr libbsm 3
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 The
 .Va errno
 variable
 may not always be properly set in the event of an error.
--- a/contrib/openbsm/libbsm/au_mask.3
+++ b/contrib/openbsm/libbsm/au_mask.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#3 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_mask.3#6 $
 .\"
 .Dd April 19, 2005
 .Dt AU_MASK 3
@ -32,11 +32,11 @@
 .Nm au_preselect ,
 .Nm getauditflagsbin ,
 .Nm getauditflagschar
-.Nd "Convert between string and numeric values of audit masks"
+.Nd "convert between string and numeric values of audit masks"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft int
 .Fn au_preselect "au_event_t event" "au_mask_t *mask_p" "int sorf" "int flag"
 .Ft int
@ -49,13 +49,15 @@ These interfaces support processing of an audit mask represented by type
 including conversion between numeric and text formats, and computing whether
 or not an event is matched by a mask.
 .Pp
 .Fn au_preselect
 calculates whether or not the audit event passed via
 .Va event
 is matched by the audit mask passed via
 .Va au_mask_t .
 The
-.Va sorf
+.Fn au_preselect
 function
 calculates whether or not the audit event passed via
 .Fa event
 is matched by the audit mask passed via
 .Fa mask_p .
 The
 .Fa sorf
 argument indicates whether or not to consider the event as a success,
 if the
 .Dv AU_PRS_SUCCESS
@ -63,7 +65,7 @@ flag is set, or failure, if the
 .Dv AU_PRS_FAILURE
 flag is set.
 The
-.Va flag
+.Fa flag
 argument accepts additional arguments influencing the behavior of
 .Fn au_preselect ,
 including
@ -73,64 +75,78 @@ or
 .Dv AU_PRS_USECACHE
 which forces use of the cache.
 .Pp
 The
 .Fn getauditflagsbin
 function
 converts a string representation of an audit mask passed via a character
 string pointed to by
-.Va auditstr ,
+.Fa auditstr ,
 returning the resulting mask, if valid, via
-.Va *masks .
+.Fa *masks .
 .Pp
 The
 .Fn getauditflagschar
 function
 converts the audit event mask passed via
-.Va *masks
+.Fa *masks
 and converts it to a character string in a buffer pointed to by
-.Va auditstr .
+.Fa auditstr .
-See the BUGS section for more information on how to provide a buffer of
+See the
 .Sx BUGS
 section for more information on how to provide a buffer of
 sufficient size.
 If the
-.Va verbose
+.Fa verbose
 flag is set, the class description string retrieved from
 .Xr audit_class 5
 will be used; otherwise, the two-character class name.
-.Sh RETURN VALUES
+.Sh IMPLEMENTATION NOTES
 The
 .Fn au_preselect
-returns 0 on success, or returns -1 if there is a failure looking up the
+function
 makes implicit use of various audit database routines, and may influence
 the behavior of simultaneous or interleaved processing of those databases by
 other code.
 .Sh RETURN VALUES
 The
 .Fn au_preselect
 function
 returns 0 on success, or returns \-1 if there is a failure looking up the
 event type or other database access, in which case
 .Va errno
 will be set to indicate the error.
 It returns 1 if the event is matched; 0 if not.
 .Pp
-.Fn getauditflagsbin
+.Rv -std getauditflagsbin getauditflagschar
 and
 .Fn getauditflagschar
 returns 0 on success, or -1 if there is a failure, in which case
 .Va errno
 will be set to indicate the error.
 .Sh IMPLEMENTATION NOTES
 .Fn au_preselect
 makes implicit use of various audit database routines, and may influence
 the behavior of simultaneous or interleaved processing of those databases by
 other code.
 .Sh SEE ALSO
 .Xr libbsm 3 ,
 .Xr audit_class 5
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 The
 .Va errno
 variable
 may not always be properly set in the event of an error.
 .Pp
 The
 .Fn getauditflagschar
 function
 does not provide a way to indicate how long the character buffer is, in order
 to detect overflow.
 As a result, the caller must always provide a buffer of sufficient length for
--- a/contrib/openbsm/libbsm/au_open.3
+++ b/contrib/openbsm/libbsm/au_open.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_open.3#8 $
 .\"
 .Dd March 4, 2006
 .Dt AU_OPEN 3
@ -34,13 +34,13 @@
 .Nm au_close_token ,
 .Nm au_open ,
 .Nm au_write
-.Nd "Create and commit audit records"
+.Nd "create and commit audit records"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft int
-.Fn au_open "void"
+.Fn au_open void
 .Ft int
 .Fn au_write "int d" "token_t *tok"
 .Ft int
@ -73,7 +73,7 @@ function is used to commit an audit record to the system audit log, or
 abandon the record.
 In either cases, all resources associated with the record will be released.
 The
-.Va keep
+.Fa keep
 argument determines the behavior: a value of
 .Dv AU_TO_WRITE
 causes the record to be committed; a value of
@ -81,28 +81,30 @@ causes the record to be committed; a value of
 causes it to be abandoned.
 When the audit record is committed, a BSM header will be inserted before
 tokens added to the record, using the event identifier passed via
-.Va event ,
+.Fa event ,
 and a trailer added to the end.
 Committing a record to the system audit log requires privilege.
 .Pp
 The
 .Fn au_close_buffer
 function writes the resulting record to an in-memory buffer of size
-.Va *buflen ;
+.Fa *buflen ;
 it will write back the filled buffer length into the same variable.
 The argument
-.Va short
+.Fa event
 is the event identifier to use in the record header.
 .Pp
 The
 .Fn au_close_token
 function generates the BSM stream output for a single token,
-.Va tok ,
+.Fa tok ,
 in the passed buffer
-.Va buffer .
+.Fa buffer .
 The initial buffer size and resulting data size are passed via
-.Va *buflen .
+.Fa *buflen .
 The
 .Fn au_close_token
 function
 will free the token before returning.
 .Sh RETURN VALUES
 The function
@ -123,18 +125,23 @@ information in
 .Sh SEE ALSO
 .Xr audit_submit 3 ,
 .Xr libbsm 3
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 Currently,
 .Fn au_open
--- a/contrib/openbsm/libbsm/au_token.3
+++ b/contrib/openbsm/libbsm/au_token.3
@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2005 Robert N. M. Watson
+.\" Copyright (c) 2005-2007 Robert N. M. Watson
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_token.3#13 $
 .\"
 .Dd April 19, 2005
 .Dt AU_TOKEN 3
@ -38,7 +38,7 @@
 .Nm au_to_groups ,
 .Nm au_to_newgroups ,
 .Nm au_to_in_addr ,
-.Nm au_to_in_addr_ex ,  
+.Nm au_to_in_addr_ex ,
 .Nm au_to_ip ,
 .Nm au_to_ipc ,
 .Nm au_to_ipc_perm ,
@ -72,103 +72,136 @@
 .Nm au_to_header ,
 .Nm au_to_header32 ,
 .Nm au_to_header64 ,
-.Nm au_to_trailer .
+.Nm au_to_trailer ,
-.Nd "Routines for generating BSM audit tokens"
+.Nm au_to_zonename
 .Nd "routines for generating BSM audit tokens"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_arg32 "char n" "char *text" "u_int32_t v"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_arg64 "char n" "char *text" "u_int64_t v"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_arg "char n" "char *text" "u_int32_t v"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_attr32 "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_attr64 "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_attr "struct vattr *attr"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "char *p"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_exit "int retval" "int err"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_groups "int *groups"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_in_addr "struct in_addr *internet_addr"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_ip "struct ip *ip"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_ipc "char type" "int id"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_ipc_perm "struct ipc_perm *perm"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_iport "u_int16_t iport"
-.Ft token_t *
+.Ft "token_t *"
-.Fn au_to_opaque "char *data" "u_int64_t bytes"
+.Fn au_to_opaque "char *data" "u_int16_t bytes"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_file "char *file" "struct timeval tm"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_text "char *text"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_path "char *text"
-.Ft token_t *
+.Ft "token_t *"
-.Fn au_to_process32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fo au_to_process32
-.Ft token_t *
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
-.Fn au_to_process64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
+.Fc
-.Fn au_to_process32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Ft "token_t *"
-.Ft token_t *
+.Fo au_to_process64
-.Fn au_to_process64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
-.Ft token_t *
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
 .Fc
 .Ft "token_t *"
 .Fo au_to_process32_ex
 .Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
 .Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
 .Fc
 .Ft "token_t *"
 .Fo au_to_process64_ex
 .Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
 .Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
 .Fc
 .Ft "token_t *"
 .Fn au_to_return32 "char status" "u_int32_t ret"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_return64 "char status" "u_int64_t ret"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_return "char status" "u_int32_t ret"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_seq "long audit_count"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_sock_inet32 "struct sockaddr_in *so"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_sock_int "struct sockaddr_in *so"
-.Ft token_t *
+.Ft "token_t *"
-.Fn au_to_subject32 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fo au_to_subject32
-.Ft token_t *
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
-.Fn au_to_subject64 "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
+.Fc
-.Fn au_to_subject "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Ft "token_t *"
-.Ft token_t *
+.Fo au_to_subject64
-.Fn au_to_subject32_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
-.Ft token_t *
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Fn au_to_subject64_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fc
-.Ft token_t *
+.Ft "token_t *"
-.Fn au_to_subject_ex "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid" "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
+.Fo au_to_subject
-.Ft token_t *
+.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
-.Fn au_to_me "void"
+.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
-.Ft token_t *
+.Fc
 .Ft "token_t *"
 .Fo au_to_subject32_ex
 .Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
 .Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
 .Fc
 .Ft "token_t *"
 .Fo au_to_subject64_ex
 .Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
 .Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
 .Fc
 .Ft "token_t *"
 .Fo au_to_subject_ex
 .Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
 .Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
 .Fc
 .Ft "token_t *"
 .Fn au_to_me void
 .Ft "token_t *"
 .Fn au_to_exec_args "char **argv"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_exec_env "char **envp"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
-.Ft token_t *
+.Ft "token_t *"
 .Fn au_to_trailer "int rec_size"
 .Ft "token_t *"
 .Fn au_to_zonename "char *zonename"
 .Sh DESCRIPTION
 These interfaces support the allocation of BSM audit tokens, represented by
-.Ft token_t ,
+.Vt token_t ,
 for various data types.
 .Sh RETURN VALUES
 On success, a pointer to a
@ -183,16 +216,20 @@ will be returned, and an error condition returned via
 .Va errno .
 .Sh SEE ALSO
 .Xr libbsm 3
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
-.Sh BUGS
+.Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
--- a/contrib/openbsm/libbsm/au_user.3
+++ b/contrib/openbsm/libbsm/au_user.3
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#4 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_user.3#10 $
 .\"
 .Dd April 19, 2005
 .Dt AU_USER 3
@ -37,27 +37,29 @@
 .Nm getauusernam_r ,
 .Nm au_user_mask ,
 .Nm getfauditflags
-.Nd "Look up information from the audit_user database"
+.Nd "look up information from the audit_user database"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Ft void
-.Fn setauuser "void"
+.Fn setauuser void
 .Ft void
-.Fn endauuser "void"
+.Fn endauuser void
-.Ft struct au_user_ent *
+.Ft "struct au_user_ent *"
-.Fn getauuserent "void"
+.Fn getauuserent void
-.Ft struct au_user_ent *
+.Ft "struct au_user_ent *"
-.Fn getauuserent_r "struct au_user_ent *u" "void"
+.Fn getauuserent_r "struct au_user_ent *u"
-.Ft struct au_user_ent *
+.Ft "struct au_user_ent *"
 .Fn getauusernam "const char *name"
-.Ft struct au_user_ent *
+.Ft "struct au_user_ent *"
 .Fn getauusernam_r "struct au_user_ent *u" "const char *name"
 .Ft int
 .Fn au_user_mask "char *username" "au_mask_t *mask_p"
 .Ft int
-.Fn getfauditflags "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
+.Fo getfauditflags
 .Fa "au_mask_t *usremask" "au_mask_t *usrdmask" "au_mask_t *lastmask"
 .Fc
 .Sh DESCRIPTION
 These interfaces may be used to look up information from the
 .Xr audit_user 5
@ -65,67 +67,85 @@ database, which describes per-user audit configuration.
 Audit user entries are described by a
 .Vt au_user_ent ,
 which stores the user's name in
-.Dv au_name ,
+.Va au_name ,
 events to always audit in
-.Dv au_always ,
+.Va au_always ,
 and events never to audit
-.Dv au_never .
+.Va au_never .
 .Pp
 The
 .Fn getauuserent
 function
 returns the next user found in the
 .Xr audit_user 5
 database, or the first if the function has not yet been called.
 .Dv NULL
 will be returned if no further records are available.
 .Pp
 The
 .Fn getauusernam
 function
 looks up a user by name.
 .Dv NULL
 will be returned if no matching class can be found.
 .Pp
 The
 .Fn setauuser
 function
 resets the iterator through the
 .Xr audit_user 5
 database, causing the next call to
 .Fn getauuserent
 to start again from the beginning of the file.
 .Pp
 The
 .Fn endauuser
 function
 closes the
 .Xr audit_user 5
 database, if open.
 .Pp
-.Nm au_user_mask
+The
 .Fn au_user_mask
 function
 calculates a new session audit mask to be returned via
-.Dv mask_p
+.Fa mask_p
 for the user identified by
-.Dv username .
+.Fa username .
 If the user audit configuration is not found, the default system audit
 properties returned by
-.Xr getacflg 3 .
+.Xr getacflg 3
 are used.
 The resulting mask may be set via a call to
-.Xr setaudit 3
+.Xr setaudit 2
 or related variants.
 .Pp
-.Nm getfauditflags
+The
-XXXXXXXXXXXXXXXXX
+.Fn getfauditflags
 function generates a new process audit state by combining the audit masks
 passed as parameters with the system audit masks.
 .Sh SEE ALSO
-.Xr libbsm 3 ,
+.Xr setaudit 2 ,
 .Xr getacflg 3 ,
-.Xr setaudit 3 ,
+.Xr libbsm 3 ,
 .Xr audit_user 5
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 These routines cannot currently distinguish between an entry not being found
 and an error accessing the database.
--- a/contrib/openbsm/libbsm/audit_submit.3
+++ b/contrib/openbsm/libbsm/audit_submit.3
@ -27,23 +27,26 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#11 $
 .\"
 .Dd May 29, 2006
 .Dt audit_submit 3
 .Os
 .Sh NAME
 .Nm audit_submit
-.Nd general purpose audit record submission
+.Nd "general purpose audit record submission"
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In stdio.h
+.In bsm/libbsm.h
 .Ft int
-.Fn audit_submit "short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ...
+.Fo audit_submit
 .Fa "short au_event" "au_id_t auid" "char status"
 .Fa "int reterr" "const char * restrict format" ...
 .Fc
 .Sh DESCRIPTION
 The
-.Nm
+.Fn audit_submit
 function provides a generic programming interface for audit record submission.
 This audit record will contain a header, subject token, an optional text token,
 return token, and a trailer.
@ -66,14 +69,16 @@ variable-length argument facilities of
 are converted for output.
 If
 .Fa format
-is NULL, then no text token is created in the audit record.
+is
 .Dv NULL ,
 then no text token is created in the audit record.
 .Pp
 It should be noted that
-.Nm
+.Fn audit_submit
 assumes that
 .Xr setaudit 2 ,
 or
-.Xr setaudit_addr 2 
+.Xr setaudit_addr 2
 has already been called.
 As a direct result, the terminal ID for the
 subject will be retrieved from the kernel via
@ -116,11 +121,12 @@ trailer,94
 .Xr stdarg 3
 .Sh HISTORY
 The
-.Nm
+.Fn audit_submit
 function first appeared in OpenBSM version 1.0.
-OpenBSM 1.0 was introduced in FreeBSD 7.0.
+OpenBSM 1.0 was introduced in
 .Fx 7.0 .
 .Sh AUTHORS
 The
-.Nm
+.Fn audit_submit
 function was written by
 .An Christian S.J. Peron Aq csjp@FreeBSD.org .
--- a/contrib/openbsm/libbsm/bsm_io.c
+++ b/contrib/openbsm/libbsm/bsm_io.c
--- a/contrib/openbsm/libbsm/bsm_notify.c
+++ b/contrib/openbsm/libbsm/bsm_notify.c
@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#12 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_notify.c#13 $
 */
 /*
@ -66,7 +66,8 @@ uint32_t
 au_notify_initialize(void)
 {
 #if AUDIT_NOTIFICATION_ENABLED
-	uint32_t status, ignore_first;
+	uint32_t status;
 	int ignore_first;
 	status = notify_register_check(__BSM_INTERNAL_NOTIFY_KEY, &token);
 	if (status != NOTIFY_STATUS_OK)
@ -108,7 +109,7 @@ int
 au_get_state(void)
 {
 #if AUDIT_NOTIFICATION_ENABLED
-	uint32_t did_notify;
+	int did_notify;
 #endif
 	int status;
--- a/contrib/openbsm/libbsm/bsm_token.c
+++ b/contrib/openbsm/libbsm/bsm_token.c
@ -30,7 +30,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#52 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_token.c#62 $
 */
 #include <sys/types.h>
@ -212,9 +212,46 @@ au_to_attr32(struct vnode_au_info *vni)
 token_t *
 au_to_attr64(struct vnode_au_info *vni)
 {
 	token_t *t;
 	u_char *dptr = NULL;
 	u_int16_t pad0_16 = 0;
 	u_int16_t pad0_32 = 0;
-	errno = ENOTSUP;
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 2 * sizeof(u_int16_t) +
-	return (NULL);
+	    3 * sizeof(u_int32_t) + sizeof(u_int64_t) * 2);
 	if (t == NULL)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_ATTR64);
 	/*
 	 * Darwin defines the size for the file mode
 	 * as 2 bytes; BSM defines 4 so pad with 0
 	 */
 	ADD_U_INT16(dptr, pad0_16);
 	ADD_U_INT16(dptr, vni->vn_mode);
 	ADD_U_INT32(dptr, vni->vn_uid);
 	ADD_U_INT32(dptr, vni->vn_gid);
 	ADD_U_INT32(dptr, vni->vn_fsid);
 	/*
 	 * Some systems use 32-bit file ID's, other's use 64-bit file IDs.
 	 * Attempt to handle both, and let the compiler sort it out.  If we
 	 * could pick this out at compile-time, it would be better, so as to
 	 * avoid the else case below.
 	 */
 	if (sizeof(vni->vn_fileid) == sizeof(uint32_t)) {
 		ADD_U_INT32(dptr, pad0_32);
 		ADD_U_INT32(dptr, vni->vn_fileid);
 	} else if (sizeof(vni->vn_fileid) == sizeof(uint64_t))
 		ADD_U_INT64(dptr, vni->vn_fileid);
 	else
 		ADD_U_INT64(dptr, 0LL);
 	ADD_U_INT64(dptr, vni->vn_dev);
 	return (t);
 }
 token_t *
@ -308,7 +345,7 @@ token_t *
 au_to_groups(int *groups)
 {
-	return (au_to_newgroups(AUDIT_MAX_GROUPS, groups));
+	return (au_to_newgroups(AUDIT_MAX_GROUPS, (gid_t*)groups));
 }
 /*
@ -382,6 +419,8 @@ au_to_in_addr_ex(struct in6_addr *internet_addr)
 /*
 * token ID                1 byte
 * ip header		   20 bytes
 *
 * The IP header should be submitted in network byte order.
 */
 token_t *
 au_to_ip(struct ip *ip)
@ -394,9 +433,6 @@ au_to_ip(struct ip *ip)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_IP);
 	/*
 	 * XXXRW: Any byte order work needed on the IP header before writing?
 	 */
 	ADD_MEM(dptr, ip, sizeof(struct ip));
 	return (t);
@ -650,19 +686,34 @@ au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
 }
 token_t *
-au_to_process64(__unused au_id_t auid, __unused uid_t euid,
+au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
-    __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
    __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
 {
 	token_t *t;
 	u_char *dptr = NULL;
-	errno = ENOTSUP;
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 8 * sizeof(u_int32_t) +
-	return (NULL);
+	    sizeof(u_int64_t));
 	if (t == NULL)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_PROCESS64);
 	ADD_U_INT32(dptr, auid);
 	ADD_U_INT32(dptr, euid);
 	ADD_U_INT32(dptr, egid);
 	ADD_U_INT32(dptr, ruid);
 	ADD_U_INT32(dptr, rgid);
 	ADD_U_INT32(dptr, pid);
 	ADD_U_INT32(dptr, sid);
 	ADD_U_INT64(dptr, tid->port);
 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
 	return (t);
 }
 token_t *
-au_to_process(__unused au_id_t auid, __unused uid_t euid,
+au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
-    __unused gid_t egid, __unused uid_t ruid, __unused gid_t rgid,
+    pid_t pid, au_asid_t sid, au_tid_t *tid)
    __unused pid_t pid, __unused au_asid_t sid, __unused au_tid_t *tid)
 {
 	return (au_to_process32(auid, euid, egid, ruid, rgid, pid, sid,
@ -713,11 +764,11 @@ au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
 	ADD_U_INT32(dptr, sid);
 	ADD_U_INT32(dptr, tid->at_port);
 	ADD_U_INT32(dptr, tid->at_type);
-	ADD_U_INT32(dptr, tid->at_addr[0]);
+	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
 	if (tid->at_type == AU_IPv6) {
-		ADD_U_INT32(dptr, tid->at_addr[1]);
+		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
-		ADD_U_INT32(dptr, tid->at_addr[2]);
+		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
-		ADD_U_INT32(dptr, tid->at_addr[3]);
+		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
 	}
 	return (t);
@ -727,9 +778,42 @@ token_t *
 au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
 {
 	token_t *t;
 	u_char *dptr = NULL;
-	errno = ENOTSUP;
+	if (tid->at_type == AU_IPv4)
-	return (NULL);
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
 		    2 * sizeof(u_int32_t));
 	else if (tid->at_type == AU_IPv6)
 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
 		    5 * sizeof(u_int32_t));
 	else {
 		errno = EINVAL;
 		return (NULL);
 	}
 	if (t == NULL)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_PROCESS64_EX);
 	ADD_U_INT32(dptr, auid);
 	ADD_U_INT32(dptr, euid);
 	ADD_U_INT32(dptr, egid);
 	ADD_U_INT32(dptr, ruid);
 	ADD_U_INT32(dptr, rgid);
 	ADD_U_INT32(dptr, pid);
 	ADD_U_INT32(dptr, sid);
 	ADD_U_INT64(dptr, tid->at_port);
 	ADD_U_INT32(dptr, tid->at_type);
 	ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
 	if (tid->at_type == AU_IPv6) {
 		ADD_MEM(dptr, &tid->at_addr[1], sizeof(u_int32_t));
 		ADD_MEM(dptr, &tid->at_addr[2], sizeof(u_int32_t));
 		ADD_MEM(dptr, &tid->at_addr[3], sizeof(u_int32_t));
 	}
 	return (t);
 }
 token_t *
@ -944,9 +1028,26 @@ token_t *
 au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
    pid_t pid, au_asid_t sid, au_tid_t *tid)
 {
 	token_t *t;
 	u_char *dptr = NULL;
-	errno = ENOTSUP;
+	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + 7 * sizeof(u_int32_t) +
-	return (NULL);
+	    sizeof(u_int64_t) + sizeof(u_int32_t));
 	if (t == NULL)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_SUBJECT64);
 	ADD_U_INT32(dptr, auid);
 	ADD_U_INT32(dptr, euid);
 	ADD_U_INT32(dptr, egid);
 	ADD_U_INT32(dptr, ruid);
 	ADD_U_INT32(dptr, rgid);
 	ADD_U_INT32(dptr, pid);
 	ADD_U_INT32(dptr, sid);
 	ADD_U_INT64(dptr, tid->port);
 	ADD_MEM(dptr, &tid->machine, sizeof(u_int32_t));
 	return (t);
 }
 token_t *
@ -1002,12 +1103,10 @@ au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
 	ADD_U_INT32(dptr, sid);
 	ADD_U_INT32(dptr, tid->at_port);
 	ADD_U_INT32(dptr, tid->at_type);
-	ADD_U_INT32(dptr, tid->at_addr[0]);
+	if (tid->at_type == AU_IPv6)
-	if (tid->at_type == AU_IPv6) {
+		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
-		ADD_U_INT32(dptr, tid->at_addr[1]);
+	else
-		ADD_U_INT32(dptr, tid->at_addr[2]);
+		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
 		ADD_U_INT32(dptr, tid->at_addr[3]);
 	}
 	return (t);
 }
@ -1016,9 +1115,40 @@ token_t *
 au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid)
 {
 	token_t *t;
 	u_char *dptr = NULL;
-	errno = ENOTSUP;
+	if (tid->at_type == AU_IPv4)
-	return (NULL);
+		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
 		    2 * sizeof(u_int32_t));
 	else if (tid->at_type == AU_IPv6)
 		GET_TOKEN_AREA(t, dptr, sizeof(u_char) +
 		    7 * sizeof(u_int32_t) + sizeof(u_int64_t) +
 		    5 * sizeof(u_int32_t));
 	else {
 		errno = EINVAL;
 		return (NULL);
 	}
 	if (t == NULL)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_SUBJECT64_EX);
 	ADD_U_INT32(dptr, auid);
 	ADD_U_INT32(dptr, euid);
 	ADD_U_INT32(dptr, egid);
 	ADD_U_INT32(dptr, ruid);
 	ADD_U_INT32(dptr, rgid);
 	ADD_U_INT32(dptr, pid);
 	ADD_U_INT32(dptr, sid);
 	ADD_U_INT64(dptr, tid->at_port);
 	ADD_U_INT32(dptr, tid->at_type);
 	if (tid->at_type == AU_IPv6)
 		ADD_MEM(dptr, &tid->at_addr[0], 4 * sizeof(u_int32_t));
 	else
 		ADD_MEM(dptr, &tid->at_addr[0], sizeof(u_int32_t));
 	return (t);
 }
 token_t *
@ -1089,6 +1219,27 @@ au_to_exec_args(char **argv)
 	return (t);
 }
 /*
 * token ID                1 byte
 * zonename length         2 bytes
 * zonename                N bytes + 1 terminating NULL byte
 */
 token_t *
 au_to_zonename(char *zonename)
 {
 	u_char *dptr = NULL;
 	u_int16_t textlen;
 	token_t *t;
 	textlen = strlen(zonename);
 	textlen += 1;
 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int16_t) + textlen);
 	ADD_U_CHAR(dptr, AUT_ZONENAME);
 	ADD_U_INT16(dptr, textlen);
 	ADD_STRING(dptr, zonename, textlen);
 	return (t);
 }
 /*
 * token ID				1 byte
 * count				4 bytes
@ -1166,6 +1317,33 @@ au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
 	return (t);
 }
 token_t *
 au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
    struct timeval tm)
 {
 	token_t *t;
 	u_char *dptr = NULL;
 	u_int32_t timems;
 	GET_TOKEN_AREA(t, dptr, sizeof(u_char) + sizeof(u_int32_t) +
 	    sizeof(u_char) + 2 * sizeof(u_int16_t) + 2 * sizeof(u_int64_t));
 	if (t == NULL)
 		return (NULL);
 	ADD_U_CHAR(dptr, AUT_HEADER64);
 	ADD_U_INT32(dptr, rec_size);
 	ADD_U_CHAR(dptr, AUDIT_HEADER_VERSION_OPENBSM);
 	ADD_U_INT16(dptr, e_type);
 	ADD_U_INT16(dptr, e_mod);
 	timems = tm.tv_usec/1000;
 	/* Add the timestamp */
 	ADD_U_INT64(dptr, tm.tv_sec);
 	ADD_U_INT64(dptr, timems);	/* We need time in ms. */
 	return (t);
 }
 #if !defined(KERNEL) && !defined(_KERNEL)
 token_t *
 au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod)
@ -1181,9 +1359,11 @@ token_t *
 au_to_header64(__unused int rec_size, __unused au_event_t e_type,
    __unused au_emod_t e_mod)
 {
 	struct timeval tm;
-	errno = ENOTSUP;
+	if (gettimeofday(&tm, NULL) == -1)
-	return (NULL);
+		return (NULL);
 	return (au_to_header64_tm(rec_size, e_type, e_mod, tm));
 }
 token_t *
--- a/contrib/openbsm/libbsm/bsm_wrappers.c
+++ b/contrib/openbsm/libbsm/bsm_wrappers.c
@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#23 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_wrappers.c#24 $
 */
 #ifdef __APPLE__
@ -66,8 +66,9 @@ audit_submit(short au_event, au_id_t auid, char status,
 	long acond;
 	va_list ap;
 	pid_t pid;
-	int error, afd;
+	int error, afd, subj_ex;
 	struct auditinfo ai;
 	struct auditinfo_addr aia;
 	if (auditon(A_GETCOND, &acond, sizeof(acond)) < 0) {
 		/*
@ -84,6 +85,7 @@ audit_submit(short au_event, au_id_t auid, char status,
 	}
 	if (acond == AUC_NOAUDIT)
 		return (0);
 	/* XXXCSJP we should be doing a pre-select here */
 	afd = au_open();
 	if (afd < 0) {
 		error = errno;
@ -92,7 +94,20 @@ audit_submit(short au_event, au_id_t auid, char status,
 		errno = error;
 		return (-1);
 	}
-	if (getaudit(&ai) < 0) {
+	/*
 	 * Some operating systems do not have getaudit_addr(2) implemented
 	 * yet.  So we try to use getaudit(2) first, if the subject is
 	 * using IPv6, then we will have to try getaudit_addr(2).  Failing
 	 * this, we return error.
 	 */
 	subj_ex = 0;
 	error = getaudit(&ai);
 	if (error < 0 && errno == E2BIG) {
 		error = getaudit_addr(&aia, sizeof(aia));
 		if (error == 0)
 			subj_ex = 1;
 	}
 	if (error < 0) {
 		error = errno;
 		syslog(LOG_AUTH | LOG_ERR, "audit: getaudit failed: %s",
 		    strerror(errno));
@ -100,8 +115,12 @@ audit_submit(short au_event, au_id_t auid, char status,
 		return (-1);
 	}
 	pid = getpid();
-	token = au_to_subject32(auid, geteuid(), getegid(),
+	if (subj_ex == 0)
-	    getuid(), getgid(), pid, pid, &ai.ai_termid);
+		token = au_to_subject32(auid, geteuid(), getegid(),
 		    getuid(), getgid(), pid, pid, &ai.ai_termid);
 	else
 		token = au_to_subject_ex(auid, geteuid(), getegid(),
 		    getuid(), getgid(), pid, pid, &aia.ai_termid);
 	if (token == NULL) {
 		syslog(LOG_AUTH | LOG_ERR,
 		    "audit: unable to build subject token");
--- a/contrib/openbsm/libbsm/libbsm.3
+++ b/contrib/openbsm/libbsm/libbsm.3
@ -1,5 +1,5 @@
 .\"-
-.\" Copyright (c) 2005-2006 Robert N. M. Watson
+.\" Copyright (c) 2005-2007 Robert N. M. Watson
 .\" All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/libbsm.3#13 $
 .\"
 .Dd April 19, 2005
 .Dt LIBBSM 3
@ -34,7 +34,7 @@
 .Sh LIBRARY
 .Lb libbsm
 .Sh SYNOPSIS
-.In libbsm.h
+.In bsm/libbsm.h
 .Sh DESCRIPTION
 The
 .Nm
@ -42,7 +42,9 @@ library routines provide an interface to BSM audit record streams, allowing
 both the parsing of existing audit streams, as well as the creation of new
 audit records and streams.
 .Sh INTERFACES
 The
 .Nm
 library
 provides a large number of Audit programming interfaces in several classes:
 event stream interfaces, class interfaces, control interfaces, event
 interfaces, I/O interfaces, mask interfaces, notification interfaces, token
@ -132,7 +134,7 @@ Audit token interfaces permit the creation of tokens for use in creating
 audit records for submission to event streams.
 Each interface converts a C type to its
 .Vt token_t
-representation.
+representation:
 .Xr au_to_arg 3 ,
 .Xr au_to_arg32 3 ,
 .Xr au_to_arg64 3 ,
@ -175,7 +177,8 @@ representation.
 .Xr au_to_subject32_ex 3 ,
 .Xr au_to_subject64_ex 3 ,
 .Xr au_to_text 3 ,
-.Xr au_to_trailer 3 .
+.Xr au_to_trailer 3 ,
 .Xr au_to_zonename 3 .
 .Ss Audit User Interfaces
 Audit user interfaces support the look up of information from the
 .Xr audit_user 5
@ -190,26 +193,31 @@ database:
 .Xr getfauditflags 3 .
 .Sh SEE ALSO
 .Xr au_class 3 ,
 .Xr audit_submit 3 ,
 .Xr au_mask 3 ,
 .Xr au_notify 3 ,
 .Xr au_stream 3 ,
 .Xr au_token 3 ,
 .Xr au_user 3 ,
 .Xr audit_submit 3 ,
 .Xr audit_class 5 ,
 .Xr audit_control 5
 .Sh AUTHORS
 This software was created by Robert Watson, Wayne Salamon, and Suresh
 Krishnaswamy for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by
 .An Robert Watson ,
 .An Wayne Salamon ,
 and
 .An Suresh Krishnaswamy
 for McAfee Research, the security research division of McAfee,
 Inc., under contract to Apple Computer, Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh BUGS
 Bugs would not be unlikely.
 .Pp
--- a/contrib/openbsm/man/audit.2
+++ b/contrib/openbsm/man/audit.2
@ -24,25 +24,29 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.2#8 $
 .\"
 .Dd April 19, 2005
 .Dt AUDIT 2
 .Os
 .Sh NAME
 .Nm audit
-.Nd "Commit a BSM audit record to the audit log"
+.Nd "commit BSM audit record to audit log"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
 .Fn audit "const char *record" "u_int length"
 .Sh DESCRIPTION
 The
 .Fn audit
 system call
 submits a completed BSM audit record to the system audit log.
 .Pp
 The
 .Fa record
-is a pointer to the the specific event to be recorded and
+argument
-.Vt length
+is a pointer to the specific event to be recorded and
 .Fa length
 is the size in bytes of the data to be written.
 .Sh RETURN VALUES
 .Rv -std
@ -57,37 +61,41 @@ The
 argument is beyond the allocated address space of the process.
 .It Bq Er EINVAL
 The token ID is invalid or
-.Vt length
+.Va length
 is larger than
-.Vt MAXAUDITDATA .
+.Dv MAXAUDITDATA .
 .It Bq Er EPERM
 The process does not have sufficient permission to complete
 the operation.
 .El
 .Sh SEE ALSO
 .Xr auditon 2 ,
 .Xr getauid 2 ,
 .Xr setauid 2 ,
 .Xr getaudit 2 ,
 .Xr setaudit 2 ,
 .Xr getaudit_addr 2 ,
 .Xr getauid 2 ,
 .Xr setaudit 2 ,
 .Xr setaudit_addr 2 ,
 .Xr setauid 2 ,
 .Xr libbsm 3
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Tom Rhodes Aq trhodes@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh BUGS
 The
 .Fx
--- a/contrib/openbsm/man/audit.log.5
+++ b/contrib/openbsm/man/audit.log.5
@ -23,14 +23,14 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#10 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit.log.5#16 $
 .\"
-.Dd May 1, 2005
+.Dd November 5, 2006
 .Dt AUDIT.LOG 5
 .Os
 .Sh NAME
 .Nm audit
-.Nd "Basic Security Module (BSM) File Format"
+.Nd "Basic Security Module (BSM) file format"
 .Sh DESCRIPTION
 The
 .Nm
@ -41,16 +41,16 @@ range of data types, and easily extended to describe new data types in a
 moderately backward and forward compatible way.
 .Pp
 BSM token streams typically begin and end with a
-.Dv file
+.Dq file
 token, which provides time stamp and file name information for the stream;
 when processing a BSM token stream from a stream as opposed to a single file
 source, file tokens may be seen at any point between ordinary records
 identifying when particular parts of the stream begin and end.
 All other tokens will appear in the context of a complete BSM audit record,
 which begins with a
-.Dv header
+.Dq header
 token, and ends with a
-.Dv trailer
+.Dq trailer
 token, which describe the audit record.
 Between these two tokens will appear a variety of data tokens, such as
 process information, file path names, IPC object information, MAC labels,
@ -68,561 +68,612 @@ interface to read and write tokens, rather than parsing or constructing
 records by hand.
 .Ss File Token
 The
-.Dv file
+.Dq file
 token is used at the beginning and end of an audit log file to indicate
 when the audit log begins and ends.
 It includes a pathname so that, if concatenated together, original file
 boundaries are still observable, and gaps in the audit log can be identified.
 A
-.Dv file
+.Dq file
 token can be created using
 .Xr au_to_file 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Seconds" Ta "4 bytes" Ta "File time stamp"
+.It "Seconds	4 bytes	File time stamp"
-.It Li "Microseconds" Ta "4 bytes" Ta "File time stamp"
+.It "Microseconds	4 bytes	File time stamp"
-.It Li "File name lengh" Ta "2 bytes" Ta "File name of audit trail"
+.It "File name lengh	2 bytes	File name of audit trail"
-.It Li "File pathname" Ta "N bytes + 1 nul" Ta "File name of audit trail"
+.It "File pathname	N bytes + 1 NUL	File name of audit trail"
 .El
 .Ss Header Token
 The
-.Dv header
+.Dq header
 token is used to mark the beginning of a complete audit record, and includes
 the length of the total record in bytes, a version number for the record
 layout, the event type and subtype, and the time at which the event occurred.
 A 32-bit
-.Dv header
+.Dq header
 token can be created using
 .Xr au_to_header32 3 ;
 a 64-bit
-.Dv header
+.Dq header
 token can be created using
 .Xr au_to_header64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It "Record Byte Count	4 bytes	Number of bytes in record"
-.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It "Version Number	2 bytes	Record version number"
-.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It "Event Type	2 bytes	Event type"
-.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It "Event Modifier	2 bytes	Event sub-type"
-.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
-.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
 .El
 .Ss Expanded Header Token
 The
-.Dv expanded header
+.Dq expanded header
 token is an expanded version of the
-.Dv header
+.Dq header
 token, with the addition of a machine IPv4 or IPv6 address.
 A 32-bit extended
-.Dv header
+.Dq header
 token can be created using
 .Xr au_to_header32_ex 3 ;
 a 64-bit extended
-.Dv header
+.Dq header
 token can be created using
 .Xr au_to_header64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It "Record Byte Count	4 bytes	Number of bytes in record"
-.It Li "Version Number" Ta "2 bytes" Ta "Record version number"
+.It "Version Number	2 bytes	Record version number"
-.It Li "Event Type" Ta "2 bytes" Ta "Event type"
+.It "Event Type	2 bytes	Event type"
-.It Li "Event Modifier" Ta "2 bytes" Ta "Event sub-type"
+.It "Event Modifier	2 bytes	Event sub-type"
-.It Li "Address Type/Length" Ta "1 byte" Ta "Host address type and length"
+.It "Address Type/Length	1 byte	Host address type and length"
-.It Li "Machine Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.It "Machine Address	4/16 bytes	IPv4 or IPv6 address"
-.It Li "Seconds" Ta "4/8 bytes" Ta "Record time stamp (32/64-bits)"
+.It "Seconds	4/8 bytes	Record time stamp (32/64-bits)"
-.It Li "Nanoseconds" Ta "4/8 byets" Ta "Record time stamp (32/64-bits)"
+.It "Nanoseconds	4/8 bytes	Record time stamp (32/64-bits)"
 .El
 .Ss Trailer Token
 The
-.Dv trailer
+.Dq trailer
 terminates a BSM audit record, and contains a magic number,
 .Dv TRAILER_PAD_MAGIC
 and length that can be used to validate that the record was read properly.
 A
-.Dv trailer
+.Dq trailer
 token can be created using
 .Xr au_to_trailer 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Trailer Magic" Ta "2 bytes" Ta "Trailer magic number"
+.It "Trailer Magic	2 bytes	Trailer magic number"
-.It Li "Record Byte Count" Ta "4 bytes" Ta "Number of bytes in record"
+.It "Record Byte Count	4 bytes	Number of bytes in record"
 .El
 .Ss Arbitrary Data Token
 The
-.Dv arbitrary data
+.Dq arbitrary data
 token contains a byte stream of opaque (untyped) data.
 The size of the data is calculated as the size of each unit of data
 multipled by the number of units of data.
 A
-.Dv How to print
+.Dq How to print
 field is present to specify how to print the data, but interpretation of
 that field is not currently defined.
 An
-.Dv arbitrary data
+.Dq arbitrary data
 token can be created using
 .Xr au_to_data 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "How to Print" Ta "1 byte" Ta "User-defined printing information"
+.It "How to Print	1 byte	User-defined printing information"
-.It Li "Basic Unit" Ta "1 byte" Ta "Size of a unit in bytes"
+.It "Basic Unit	1 byte	Size of a unit in bytes"
-.It Li "Unit Count" Ta "1 byte" Ta "Number of units of data present"
+.It "Unit Count	1 byte	Number of units of data present"
-.It Li "Data Items" Ta "Variable" Ta "User data"
+.It "Data Items	Variable	User data"
 .El
 .Ss in_addr Token
 The
-.Dv in_addr
+.Dq in_addr
 token holds a network byte order IPv4 or IPv6 address.
 An
-.Dv in_addr
+.Dq in_addr
 token can be created using
 .Xr au_to_in_addr 3
 for an IPv4 address, or
 .Xr au_to_in_addr_ex 3
 for an IPv6 address.
 .Pp
-See the BUGS section for information on the storage of this token.
+See the
 .Sx BUGS
 section for information on the storage of this token.
 .Pp
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "IP Address Type" Ta "1 byte" Ta "Type of address"
+.It "IP Address Type	1 byte	Type of address"
-.It Li "IP Address" Ta "4/16 bytes" Ta "IPv4 or IPv6 address"
+.It "IP Address	4/16 bytes	IPv4 or IPv6 address"
 .El
 .Ss Expanded in_addr Token
 The
-.Dv expanded in_addr
+.Dq expanded in_addr
 token ...
 .Pp
-See the BUGS section for information on the storage of this token.
+See the
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Sx BUGS
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+section for information on the storage of this token.
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
 .It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 .It XXXX
 .El
 .Ss ip Token
 The
-.Dv ip
+.Dq ip
 token contains an IP packet header in network byte order.
 An
-.Dv ip
+.Dq ip
 token can be created using
 .Xr au_to_ip 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Version and IHL" Ta "1 byte" Ta "Version and IP header length"
+.It "Version and IHL	1 byte	Version and IP header length"
-.It Li "Type of Service" Ta "1 byte" Ta "IP TOS field"
+.It "Type of Service	1 byte	IP TOS field"
-.It Li "Length" Ta "2 bytes" Ta "IP packet length in network byte order"
+.It "Length	2 bytes	IP packet length in network byte order"
-.It Li "ID" Ta "2 bytes" Ta "IP header ID for reassembly"
+.It "ID	2 bytes	IP header ID for reassembly"
-.It Li "Offset" Ta "2 bytes" Ta "IP fragment offset and flags, network byte order"
+.It "Offset	2 bytes	IP fragment offset and flags, network byte order"
-.It Li "TTL" Ta "1 byte" Ta "IP Time-to-Live"
+.It "TTL	1 byte	IP Time-to-Live"
-.It Li "Protocol" Ta "1 byte" Ta "IP protocol number"
+.It "Protocol	1 byte	IP protocol number"
-.It Li "Checksum" Ta "2 bytes" Ta "IP header checksum, network byte order"
+.It "Checksum	2 bytes	IP header checksum, network byte order"
-.It Li "Source Address" Ta "4 bytes" Ta "IPv4 source address"
+.It "Source Address	4 bytes	IPv4 source address"
-.It Li "Destination Address" Ta "4 bytes" Ta "IPv4 destination address"
+.It "Destination Address	4 bytes	IPv4 destination address"
 .El
 .Ss Expanded ip Token
 The
-.Dv expanded ip
+.Dq expanded ip
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
 .It XXXX
 .El
 .Ss iport Token
 The
-.Dv iport
+.Dq iport
 token stores an IP port number in network byte order.
 An
-.Dv iport
+.Dq iport
 token can be created using
 .Xr au_to_iport 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Port Number" Ta "2 bytes" Ta "Port number in network byte order"
+.It "Port Number	2 bytes	Port number in network byte order"
 .El
 .Ss Path Token
 The
-.Dv path
+.Dq path
 token contains a pathname.
 A
-.Dv path
+.Dq path
 token can be created using
 .Xr au_to_path 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Path Length" Ta "2 bytes" Ta "Length of path in bytes"
+.It "Path Length	2 bytes	Length of path in bytes"
-.It Li "Path" Ta "N bytes + 1 nul" Ta "Path name"
+.It "Path	N bytes + 1 NUL	Path name"
 .El
 .Ss path_attr Token
 The
-.Dv path_attr
+.Dq path_attr
-token contains a set of nul-terminated path names.
+token contains a set of NUL-terminated path names.
 The
 .Xr libbsm 3
 API cannot currently create a
-.Dv path_attr
+.Dq path_attr
 token.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Count" Ta "2 bytes" Ta "Number of nul-terminated string(s) in token"
+.It "Count	2 bytes	Number of NUL-terminated string(s) in token"
-.It Li "Path" Ta "Variable" Ta "count nul-terminated string(s)"
+.It "Path	Variable	count NUL-terminated string(s)"
 .El
 .Ss Process Token
 The
-.Dv process
+.Dq process
 token contains a description of the security properties of a process
 involved as the target of an auditable event, such as the destination for
 signal delivery.
 It should not be confused with the
-.Dv subject
+.Dq subject
 token, which describes the subject performing an auditable event.
 This includes both the traditional
 .Ux
 security properties, such as user IDs and group IDs, but also audit
 information such as the audit user ID and session.
 A
-.Dv process
+.Dq process
 token can be created using
 .Xr au_to_process32 3
 or
 .Xr au_to_process64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It "Audit ID	4 bytes	Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It "Effective User ID	4 bytes	Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It "Effective Group ID	4 bytes	Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It "Real User ID	4 bytes	Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It "Real Group ID	4 bytes	Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It "Process ID	4 bytes	Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It "Session ID	4 bytes	Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.It "Terminal Machine Address	4 bytes	IP address of machine"
 .El
 .Ss Expanded Process Token
 The
-.Dv expanded process
+.Dq expanded process
 token contains the contents of the
-.Dv process
+.Dq process
 token, with the addition of a machine address type and variable length
 address storage capable of containing IPv6 addresses.
 An
-.Dv expanded process
+.Dq expanded process
 token can be created using
 .Xr au_to_process32_ex 3
 or
 .Xr au_to_process64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It "Audit ID	4 bytes	Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It "Effective User ID	4 bytes	Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It "Effective Group ID	4 bytes	Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It "Real User ID	4 bytes	Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It "Real Group ID	4 bytes	Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It "Process ID	4 bytes	Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It "Session ID	4 bytes	Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
-.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It "Terminal Address Type/Length	1 byte	Length of machine address"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
 .El
 .Ss Return Token
 The
-.Dv return
+.Dq return
 token contains a system call or library function return condition, including
 return value and error number associated with the global variable
 .Er errno .
-A 
+A
-.Dv return
+.Dq return
 token can be created using
 .Xr au_to_return32 3
 or
 .Xr au_to_return64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Error Number" Ta "1 byte" Ta "Errno value, or 0 if undefined"
+.It "Error Number	1 byte	Errno value, or 0 if undefined"
-.It Li "Return Value" Ta "4/8 bytes" Ta "Return value (32/64-bits)"
+.It "Return Value	4/8 bytes	Return value (32/64-bits)"
 .El
 .Ss Subject Token
 The
-.Dv subject
+.Dq subject
 token contains information on the subject performing the operation described
 by an audit record, and includes similar information to that found in the
-.Dv process
+.Dq process
 and
-.Dv expanded process
+.Dq expanded process
 tokens.
 However, those tokens are used where the process being described is the
 target of the operation, not the authorizing party.
 A
-.Dv subject
+.Dq subject
 token can be created using
 .Xr au_to_subject32 3
 and
 .Xr au_to_subject64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It "Audit ID	4 bytes	Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It "Effective User ID	4 bytes	Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It "Effective Group ID	4 bytes	Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It "Real User ID	4 bytes	Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It "Real Group ID	4 bytes	Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It "Process ID	4 bytes	Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It "Session ID	4 bytes	Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IP address of machine"
+.It "Terminal Machine Address	4 bytes	IP address of machine"
 .El
 .Ss Expanded Subject Token
 The
-.Dv expanded subject
+.Dq expanded subject
 token consists of the same elements as the
-.Dv subject
+.Dq subject
 token, with the addition of type/length and variable size machine address
 information in the terminal ID.
 An
-.Dv expanded subject
+.Dq expanded subject
 token can be created using
 .Xr au_to_subject32_ex 3
 or
 .Xr au_to_subject64_ex 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Audit ID" Ta "4 bytes" Ta "Audit user ID"
+.It "Audit ID	4 bytes	Audit user ID"
-.It Li "Effective User ID" Ta "4 bytes" Ta "Effective user ID"
+.It "Effective User ID	4 bytes	Effective user ID"
-.It Li "Effective Group ID "Ta "4 bytes" Ta "Effective group ID"
+.It "Effective Group ID	4 bytes	Effective group ID"
-.It Li "Real User ID" Ta "4 bytes" Ta "Real user ID"
+.It "Real User ID	4 bytes	Real user ID"
-.It Li "Real Group ID" Ta "4 bytes" Ta "Real group ID"
+.It "Real Group ID	4 bytes	Real group ID"
-.It Li "Process ID" Ta "4 bytes" Ta "Process ID"
+.It "Process ID	4 bytes	Process ID"
-.It Li "Session ID" Ta "4 bytes" Ta "Audit session ID"
+.It "Session ID	4 bytes	Audit session ID"
-.It Li "Terminal Port ID" Ta "4/8 bytes" Ta "Terminal port ID (32/64-bits)"
+.It "Terminal Port ID	4/8 bytes	Terminal port ID (32/64-bits)"
-.It Li "Terminal Address Type/Length" Ta "1 byte" "Length of machine address"
+.It "Terminal Address Type/Length	1 byte	Length of machine address"
-.It Li "Terminal Machine Address" Ta "4 bytes" Ta "IPv4 or IPv6 address of machine"
+.It "Terminal Machine Address	4 bytes	IPv4 or IPv6 address of machine"
 .El
 .Ss System V IPC Token
 The
-.Dv System V IPC
+.Dq System V IPC
-token ...
+token contains the System V IPC message handle, semaphore handle or shared
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+memory handle.
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+A System V IPC token may be created using
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Xr au_to_ipc 3 .
-.It Li "Object ID type" Ta "1 byte" Ta "Object ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Li "Object ID" Ta "4 bytes" Ta "Object ID"
+.It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 .It "Object ID type	1 byte	Object ID"
 .It "Object ID	4 bytes	Object ID"
 .El
 .Ss Text Token
 The
-.Dv text
+.Dq text
-token contains a single nul-terminated text string.
+token contains a single NUL-terminated text string.
 A
-.Dv text
+.Dq text
 token may be created using
 .Xr au_to_text 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Text Length" Ta "2 bytes" Ta "Length of text string including nul"
+.It "Text Length	2 bytes	Length of text string including NUL"
-.It Li "Text" Ta "N bytes + 1 nul" Ta "Text string including nul"
+.It "Text	N bytes + 1 NUL	Text string including NUL"
 .El
 .Ss Attribute Token
 The
-.Dv attribute
+.Dq attribute
 token describes the attributes of a file associated with the audit event.
 As files may be identified by 0, 1, or many path names, a path name is not
 included with the attribute block for a file; optional
-.Dv path
+.Dq path
 tokens may also be present in an audit record indicating which path, if any,
 was used to reach the object.
 An
-.Dv attribute
+.Dq attribute
 token can be created using
 .Xr au_to_attr32 3
 or
 .Xr au_to_attr64 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "File Access Mode" Ta "1 byte" Ta "mode_t associated with file"
+.It "File Access Mode	1 byte	mode_t associated with file"
-.It Li "Owner User ID" Ta "4 bytes" Ta "uid_t associated with file"
+.It "Owner User ID	4 bytes	uid_t associated with file"
-.It Li "Owner Group ID" Ta "4 bytes" Ta "gid_t associated with file"
+.It "Owner Group ID	4 bytes	gid_t associated with file"
-.It Li "File System ID" Ta "4 bytes" Ta "fsid_t associated with file"
+.It "File System ID	4 bytes	fsid_t associated with file"
-.It Li "File System Node ID" Ta "8 bytes" Ta "ino_t associated with file"
+.It "File System Node ID	8 bytes	ino_t associated with file"
-.It Li "Device" Ta "4/8 bytes" Ta "Device major/minor number (32/64-bit)"
+.It "Device	4/8 bytes	Device major/minor number (32/64-bit)"
 .El
 .Ss Groups Token
 The
-.Dv groups
+.Dq groups
 token contains a list of group IDs associated with the audit event.
 A
-.Dv groups
+.Dq groups
 token can be created using
 .Xr au_to_groups 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Number of Groups" Ta "2 bytes" Ta "Number of groups in token"
+.It "Number of Groups	2 bytes	Number of groups in token"
-.It Li "Group List" Ta "N * 4 bytes" Ta "List of N group IDs"
+.It "Group List	N * 4 bytes	List of N group IDs"
 .El
 .Ss System V IPC Permission Token
 The
-.Dv System V IPC permission
+.Dq System V IPC permission
-token ...
+token contains a System V IPC access permissions.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+A System V IPC permission token may be created using
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.Xr au_to_ipc_perm 3 .
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Li XXXXX
+.It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 .It Li "Owner user ID" Ta "4 bytes" Ta "User ID of IPC owner"
 .It Li "Owner group ID" Ta "4 bytes" Ta "Group ID of IPC owner"
 .It Li "Creator user ID" Ta "4 bytes" Ta "User ID of IPC creator"
 .It Li "Creator group ID" Ta "4 bytes" Ta "Group ID of IPC creator"
 .It Li "Access mode" Ta "4 bytes" Ta "Access mode"
 .It Li "Sequnce number" Ta "4 bytes" Ta "Sequnce number"
 .It Li "Key" Ta "4 bytes" Ta "IPC key"
 .El
 .Ss Arg Token
 The
-.Dv arg
+.Dq arg
-token ...
+token contains informations about arguments of the system call.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+Depending on the size of the desired argument value, an Arg token may be
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+created using
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Xr au_to_arg32 3
-.It Li XXXXX
+or
 .Xr au_to_arg64 3 .
 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
 .It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 .It Li "Argument ID" Ta "1 byte" Ta "Argument ID"
 .It Li "Argument value" Ta "4/8 bytes" Ta "Argument value"
 .It Li "Length" Ta "2 bytes" Ta "Length of the text"
 .It Li "Text" Ta "N bytes + 1 nul" Ta "The string including nul"
 .El
 .Ss exec_args Token
 The
-.Dv exec_args
+.Dq exec_args
-token ...
+token contains informations about arguements of the exec() system call.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+An exec_args token may be created using
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.Xr au_to_exec_args 3 .
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Li XXXXX
+.It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 .It Li "Count" Ta "4 bytes" Ta "Number of arguments"
 .It Li "Text" Ta "* bytes" Ta "Count null-terminated strings"
 .El
 .Ss exec_env Token
 The
-.Dv exec_env
+.Dq exec_env
-token ...
+token contains current eviroment variables to an exec() system call.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+An exec_args token may be created using
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.Xr au_to_exec_env 3 .
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Li XXXXX
+.It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 .It Li "Count ID" Ta "4 bytes" Ta "Number of variables"
 .It Li "Text" Ta "* bytes" Ta "Count nul-terminated strings"
 .El
 .Ss Exit Token
 The
-.Dv exit
+.Dq exit
 token contains process exit/return code information.
 An
-.Dv exit
+.Dq exit
 token can be created using
 .Xr au_to_exit 3 .
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Status" Ta "4 bytes" Ta "Process status on exit"
+.It "Status	4 bytes	Process status on exit"
-.It Li "Return Value" ta "4 bytes" Ta "Process return value on exit"
+.It "Return Value	4 bytes	Process return value on exit"
 .El
 .Ss Socket Token
 The
-.Dv socket
+.Dq socket
-token ...
+token contains informations about UNIX domain and Internet sockets.
 Each token has four or eight fields.
 Depend on type of socket a socket token may be created using
 .Xr au_to_sock_unix 3 ,
 .Xr au_to_sock_inet32 3 or
 .Xr au_to_sock_inet128 3 .
 .Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
 .It Sy "Field" Ta Sy Bytes Ta Sy Description
 .It Li "Token ID" Ta "1 byte" Ta "Token ID"
-.It Li XXXXX
+.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
 .It Li "Local port" Ta "2 bytes" Ta "Local port"
 .It Li "Socket address" Ta "4 bytes" Ta "Socket address"
 .El
 .Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
 .It Sy "Field	Bytes	Description"
 .It "Token ID	1 byte	Token ID"
 +.It Li "Socket domain" Ta "4 bytes" Ta "Socket domain"
 +.It Li "Socket family" Ta "2 bytes" Ta "Socket family"
 +.It Li "Address type" Ta "1 byte" Ta "Address type (IPv4/IPv6)"
 +.It Li "Local port" Ta "2 bytes" Ta "Local port"
 +.It Li "Local IP address" Ta "4/16 bytes" Ta "Local IP address"
 +.It Li "Remote port" Ta "2 bytes" Ta "Remote port"
 +.It Li "Remote IP address" Ta "4/16 bytes" Ta "Remote IP address"
 .El
 .Ss Expanded Socket Token
 The
-.Dv expanded socket
+.Dq expanded socket
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li XXXXX
+.It XXXXX
 .El
 .Ss Seq Token
 The
-.Dv seq
+.Dq seq
 token contains a unique and monotonically increasing audit event sequence ID.
 Due to the limited range of 32 bits, serial number arithmetic and caution
 should be used when comparing sequence numbers.
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li "Sequence Number" Ta "4 bytes" Ta "Audit event sequence number"
+.It "Sequence Number	4 bytes	Audit event sequence number"
 .El
 .Ss privilege Token
 The
-.Dv privilege
+.Dq privilege
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li XXXXX
+.It XXXXX
 .El
 .Ss Use-of-auth Token
 The
-.Dv use-of-auth
+.Dq use-of-auth
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li XXXXX
+.It XXXXX
 .El
 .Ss Command Token
 The
-.Dv command
+.Dq command
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li XXXXX
+.It XXXXX
 .El
 .Ss ACL Token
 The
-.Dv ACL
+.Dq ACL
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li XXXXX
+.It XXXXX
 .El
 .Ss Zonename Token
 The
-.Dv zonename
+.Dq zonename
 token ...
-.Bl -column -offset ind ".Sy Field Name Width XX" ".Sy XX Bytes XXXX" ".Sy Description"
+.Bl -column -offset 3n ".No Terminal Address Type/Length" ".No N bytes + 1 NUL"
-.It Sy "Field" Ta Sy Bytes Ta Sy Description
+.It Sy "Field	Bytes	Description"
-.It Li "Token ID" Ta "1 byte" Ta "Token ID"
+.It "Token ID	1 byte	Token ID"
-.It Li XXXXX
+.It XXXXX
 .El
 .Sh SEE ALSO
 .Xr auditreduce 1 ,
 .Xr praudit 1 ,
 .Xr libbsm 3 ,
 .Xr audit 4 ,
 .Xr auditpipe 4 ,
 .Xr audit 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh BUGS
 The
-.Dv How to print
+.Dq How to print
 field in the
-.Dv arbitrary data
+.Dq arbitrary data
 token has undefined values.
 .Pp
 The
-.Dv in_addr
+.Dq in_addr
 and
-.Dv in_addr_ex
+.Dq in_addr_ex
 token layout documented here appears to be in conflict with the
 .Xr libbsm 3
 implementations of
--- a/contrib/openbsm/man/audit_class.5
+++ b/contrib/openbsm/man/audit_class.5
@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -25,24 +25,24 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_class.5#10 $
 .\"
 .Dd January 24, 2004
 .Dt AUDIT_CLASS 5
 .Os
 .Sh NAME
 .Nm audit_class
-.Nd "contains audit event class descriptions"
+.Nd "audit event class descriptions"
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 file contains descriptions of the auditable event classes on the system.
 Each auditable event is a member of an event class.
-Each line maps an audit event 
+Each line maps an audit event
 mask (bitmap) to a class and a description.
 Entries are of the form:
 .Pp
-.Dl classmask:eventclass:description
+.D1 Ar classmask Ns : Ns Ar eventclass Ns : Ns Ar description
 .Pp
 Example entries in this file are:
 .Bd -literal -offset indent
@ -54,18 +54,27 @@ Example entries in this file are:
 0xffffffff:all:all flags set
 .Ed
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_class" -compact
+.Bl -tag -width ".Pa /etc/security/audit_class" -compact
 .It Pa /etc/security/audit_class
 .El
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr audit_control 5 ,
 .Xr audit_event 5 ,
 .Xr audit_user 5
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/audit_control.5
+++ b/contrib/openbsm/man/audit_control.5
@ -1,19 +1,19 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" Copyright (c) 2006 Robert N. M. Watson
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -26,34 +26,34 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_control.5#17 $
 .\"
 .Dd January 4, 2006
 .Dt AUDIT_CONTROL 5
 .Os
 .Sh NAME
 .Nm audit_control
-.Nd "contains audit system parameters"
+.Nd "audit system parameters"
 .Sh DESCRIPTION
 The
 .Nm
 file contains several audit system parameters.
 Each line of this file is of the form:
 .Pp
-.Dl parameter:value
+.D1 Ar parameter Ns : Ns Ar value
 .Pp
 The parameters are:
-.Bl -tag -width Ds
+.Bl -tag -width indent
-.It Pa dir
+.It Va dir
 The directory where audit log files are stored.
 There may be more than one of these entries.
 Changes to this entry can only be enacted by restarting the
 audit system.
 See
-.Xr audit 1
+.Xr audit 8
 for a description of how to restart the audit system.
 .It Va flags
-Specifies which audit event classes are audited for all users.  
+Specifies which audit event classes are audited for all users.
 .Xr audit_user 5
 describes how to audit events for individual users.
 See the information below for the format of the audit flags.
@ -76,73 +76,85 @@ If 0, trail files will not be automatically rotated based on file size.
 .El
 .Sh AUDIT FLAGS
 Audit flags are a comma-delimited list of audit classes as defined in the
 .Pa audit_class
 file.
 See
 .Xr audit_class 5
-for details.
+file.
 Event classes may be preceded by a prefix which changes their interpretation.
 The following prefixes may be used for each class:
 .Pp
-.Bl -tag -width Ds -compact -offset indent
+.Bl -tag -width indent -compact -offset indent
 .It (none)
-Record both successful and failed events
+Record both successful and failed events.
-.It +
+.It Li +
-Record successful events
+Record successful events.
-.It -
+.It Li -
-Record failed events
+Record failed events.
-.It ^
+.It Li ^
-Record neither successful nor failed events
+Record neither successful nor failed events.
-.It ^+
+.It Li ^+
-Do not record successful events
+Do not record successful events.
-.It ^-
+.It Li ^-
-Do not record failed events
+Do not record failed events.
 .El
 .Sh AUDIT POLICY FLAGS
 The policy flags field is a comma-delimited list of policy flags from the
 following list:
 .Pp
-.Bl -tag -width zonename -compact -offset indent
+.Bl -tag -width ".Cm zonename" -compact -offset indent
-.It cnt
+.It Cm cnt
 Allow processes to continue running even though events are not being audited.
 If not set, processes will be suspended when the audit store space is
 exhausted.
 Currently, this is not a recoverable state.
-.It ahlt
+.It Cm ahlt
-Fail stop the system if unable to audit an event--this consists of first
+Fail stop the system if unable to audit an event\[em]this consists of first
 draining pending records to disk, and then halting the operating system.
-.It argv
+.It Cm argv
 Audit command line arguments to
 .Xr execve 2 .
-.It arge
+.It Cm arge
 Audit environmental variable arguments to
 .Xr execve 2 .
-.It seq
+.It Cm seq
 Include a unique audit sequence number token in generated audit records (not
-implemented on FreeBSD or Darwin).
+implemented on
-.It group
+.Fx
 or Darwin).
 .It Cm group
 Include supplementary groups list in generated audit records (not implemented
-on FreeBSD or Darwin; supplementary groups are never included in records on
+on
 .Fx
 or Darwin; supplementary groups are never included in records on
 these systems).
-.It trail
+.It Cm trail
-Append a trailer token to each audit record (not implemented on FreeBSD or
+Append a trailer token to each audit record (not implemented on
 .Fx
 or
 Darwin; trailers are always included in records on these systems).
-.It path
+.It Cm path
-Include secondary file paths in audit records (not implemented on FreeBSD or
+Include secondary file paths in audit records (not implemented on
 .Fx
 or
 Darwin; secondary paths are never included in records on these systems).
-.It zonename
+.It Cm zonename
-Include a zone ID token with each audit record (not implemented on FreeBSD or
+Include a zone ID token with each audit record (not implemented on
-Darwin; FreeBSD audit records do not currently include the jail ID or name.)
+.Fx
-.It perzone
+or
-Enable auditing for each local zone (not implemented on FreeBSD or Darwin; on
+Darwin;
-FreeBSD, audit records are collected from all jails and placed in a single
+.Fx
-global trail, and only limited audit controls are permitted within a jail.)
+audit records do not currently include the jail ID or name).
 .It Cm perzone
 Enable auditing for each local zone (not implemented on
 .Fx
 or Darwin; on
 .Fx ,
 audit records are collected from all jails and placed in a single
 global trail, and only limited audit controls are permitted within a jail).
 .El
 .Pp
 It is recommended that installations set the
-.Dv cnt
+.Cm cnt
 flag but not
-.Dv ahlt
+.Cm ahlt
 flag unless it is intended that audit logs exceeding available disk space
 halt the system.
 .Sh DEFAULT
@ -169,23 +181,29 @@ processes when the audit store fills.
 The trail file will not be automatically rotated by the audit daemon based on
 file size.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_control" -compact
+.Bl -tag -width ".Pa /etc/security/audit_control" -compact
 .It Pa /etc/security/audit_control
 .El
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr audit_class 5 ,
 .Xr audit_event 5 ,
 .Xr audit_user 5 ,
 .Xr audit 8 ,
 .Xr auditd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/audit_event.5
+++ b/contrib/openbsm/man/audit_event.5
@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -25,31 +25,30 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_event.5#11 $
 .\"
 .Dd January 24, 2004
 .Dt AUDIT_EVENT 5
 .Os
 .Sh NAME
 .Nm audit_event
-.Nd "contains audit event descriptions"
+.Nd "audit event descriptions"
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 file contains descriptions of the auditable events on the system.
 Each line maps an audit event number to a name, a description, and a class.
 Entries are of the form:
 .Pp
-.Dl eventnum:eventname:description:eventclass
+.Sm off
 .D1 Ar eventnum : eventname : description : eventclass
 .Sm on
 .Pp
 Each
-.Vt eventclass
+.Ar eventclass
 should have a corresponding entry in the
 .Pa audit_class
 file.
 See 
 .Xr audit_class 5
-for details.
+file.
 .Pp
 Example entries in this file are:
 .Bd -literal -offset indent
@ -59,20 +58,27 @@ Example entries in this file are:
 3:AUE_OPEN:open(2):fa
 .Ed
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_event" -compact
+.Bl -tag -width ".Pa /etc/security/audit_event" -compact
 .It Pa /etc/security/audit_event
 .El
 .Sh SEE ALSO
-.Xr audit_class 5
+.Xr audit 4 ,
 .Xr audit_class 5 ,
 .Xr audit_control 5 ,
 .Xr audit_user 5
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/audit_user.5
+++ b/contrib/openbsm/man/audit_user.5
@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -25,33 +25,33 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#7 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_user.5#12 $
 .\"
 .Dd February 5, 2006
 .Dt AUDIT_USER 5
 .Os
 .Sh NAME
 .Nm audit_user
-.Nd "specifies events to be audited for the given users"
+.Nd "events to be audited for given users"
 .Sh DESCRIPTION
 The
-.Nm 
+.Nm
 file specifies which audit event classes are to be audited for the given users.
 If specified, these flags are combined with the system-wide audit flags in the
-.Pa audit_control
+.Xr audit_control 5
 file to determine which classes of events to audit for that user.
 These settings take effect when the user logs in.
 .Pp
 Each line maps a user name to a list of classes that should be audited and a
-list of classes that should not be audited. 
+list of classes that should not be audited.
 Entries are of the form:
 .Pp
-.Dl username:alwaysaudit:neveraudit
+.D1 Ar username Ns : Ns Ar alwaysaudit Ns : Ns Ar neveraudit
 .Pp
 In the format above,
-.Vt alwaysaudit
+.Ar alwaysaudit
 is a set of event classes that are always audited, and
-.Vt neveraudit
+.Ar neveraudit
 is a set of event classes that should not be audited.
 These sets can indicate
 the inclusion or exclusion of multiple classes, and whether to audit successful
@ -67,27 +67,54 @@ jdoe:-fc,ad:+fw
 .Ed
 .Pp
 These settings would cause login/logout and administrative events that
-succeed on behalf of user root to be audited.
+succeed on behalf of user
 .Dq Li root
 to be audited.
 No failure events are audited.
 For the user
-.Em jdoe ,
+.Dq Li jdoe ,
 failed file creation events are audited, administrative events are
 audited, and successful file write events are never audited.
 .Sh IMPLEMENTATION NOTES
 Per-user and global audit preselection configuration are evaluated at time of
 login, so users must log out and back in again for audit changes relating to
 preselection to take effect.
 .Pp
 Audit record preselection occurs with respect to the audit identifier
 associated with a process, rather than with respect to the UNIX user or group
 ID.
 The audit identifier is set as part of the user credential context as part of
 login, and typically does not change as a result of running setuid or setgid
 applications, such as
 .Xr su 1 .
 This has the advantage that events that occur after running
 .Xr su 1
 can be audited to the original authenticated user, as required by CAPP, but
 may be surprising if not expected.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_user" -compact
+.Bl -tag -width ".Pa /etc/security/audit_user" -compact
 .It Pa /etc/security/audit_user
 .El
 .Sh SEE ALSO
-.Xr audit_control 5
+.Xr login 1 ,
 .Xr su 1 ,
 .Xr audit 4 ,
 .Xr audit_class 5 ,
 .Xr audit_control 5 ,
 .Xr audit_event 5
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/audit_warn.5
+++ b/contrib/openbsm/man/audit_warn.5
@ -1,18 +1,18 @@
 .\" Copyright (c) 2004 Apple Computer, Inc.
 .\" All rights reserved.
-.\" 
+.\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1.  Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer. 
+.\"     notice, this list of conditions and the following disclaimer.
 .\" 2.  Redistributions in binary form must reproduce the above copyright
 .\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution. 
+.\"     documentation and/or other materials provided with the distribution.
 .\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 .\"     its contributors may be used to endorse or promote products derived
-.\"     from this software without specific prior written permission. 
+.\"     from this software without specific prior written permission.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#6 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/audit_warn.5#9 $
 .\"
 .Dd March 17, 2004
 .Dt AUDIT_WARN 5
@ -34,36 +34,43 @@
 .Nm audit_warn
 .Nd "alert when audit daemon issues warnings"
 .Sh DESCRIPTION
-.Nm 
+The
-runs when 
+.Nm
 script
 runs when
 .Xr auditd 8
-generates warning messages.  
+generates warning messages.
 .Pp
-The default 
+The default
 .Nm
 is a script whose first parameter is the type of warning; the script
-appends its arguments to 
+appends its arguments to
 .Pa /etc/security/audit_messages .
 Administrators may replace this script: a more comprehensive one would take
 different actions based on the type of warning.
 For example, a low-space warning
-could result in an email message being sent to the administrator.  
+could result in an email message being sent to the administrator.
 .Sh FILES
-.Bl -tag -width "/etc/security/audit_warn" -compact
+.Bl -tag -width ".Pa /etc/security/audit_messages" -compact
 .It Pa /etc/security/audit_warn
 .It Pa /etc/security/audit_messages
 .El
 .Sh SEE ALSO
 .Xr audit 4 ,
 .Xr auditd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/auditctl.2
+++ b/contrib/openbsm/man/auditctl.2
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,14 +23,14 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditctl.2#7 $
 .\"
 .Dd April 19, 2005
 .Dt AUDITCTL 2
 .Os
 .Sh NAME
 .Nm auditctl
-.Nd "Configure system audit parameters"
+.Nd "configure system audit parameters"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
@ -39,40 +39,41 @@
 The
 .Fn auditctl
 system call directs the kernel to open a new audit trail log file.
-.Fn auditctl
+It requires an appropriate privilege.
 requires appropriate privilege.
 In the
 .Fx
 implementation,
 .Fn auditctl
 opens new files, but
-.Fn auditon
+.Xr auditon 2
 is used to disable the audit log.
 In the Mac OS X implementation, passing
-.Va NULL
+.Dv NULL
 to
 .Fn auditctl
 will disable the audit log.
 .Sh RETURN VALUES
-.Nm
+.Rv -std
 returns 0 on success, or returns -1 on failure, providing additional error
 information via
 .Va errno .
 .Sh SEE ALSO
 .Xr auditon 2 ,
 .Xr libbsm 3 ,
 .Xr auditd 8
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/auditon.2
+++ b/contrib/openbsm/man/auditon.2
@ -25,37 +25,47 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#8 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/auditon.2#11 $
 .\"
 .Dd April 19, 2005
 .Dt AUDITON 2
 .Os
 .Sh NAME
 .Nm auditon
-.Nd "Configure system audit parameters"
+.Nd "configure system audit parameters"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
 .Fn auditon "int cmd" "void *data" "u_int length"
 .Sh DESCRIPTION
 The
-.Nm
+.Fn auditon
 system call is used to manipulate various audit control operations.
-.Ft *data
+The
 .Fa data
 argument
 should point to a structure whose type depends on the command.
-.Ft length
+The
-specifies the size of the 
+.Fa length
-.Em data 
+argument
 specifies the size of
 .Fa *data
 in bytes.
-.Ft cmd
+The
 .Fa cmd
 argument
 may be any of the following:
 .Bl -tag -width ".It Dv A_GETPINFO_ADDR"
 .It Dv A_SETPOLICY
 Set audit policy flags.
-.Ft *data
+The
-must point to a long value set to one of the audit 
+.Fa data
 argument
 must point to a
 .Vt long
 value set to one of the audit
 policy control values defined in
-.Pa audit.h .
+.In bsm/audit.h .
 Currently, only
 .Dv AUDIT_CNT
 and
@ -76,24 +86,28 @@ Return
 .Er ENOSYS .
 .It Dv A_SETKMASK
 Set the kernel preselection masks (success and failure).
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft au_mask_t
+.Vt au_mask_t
 structure containing the mask values.
 These masks are used for non-attributable audit event preselection.
 .It Dv A_SETQCTRL
 Set kernel audit queue parameters.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft au_qctrl_t
+.Vt au_qctrl_t
 structure containing the
 kernel audit queue control settings:
-.Va high water ,
+.Dq "high water" ,
-.Va low water ,
+.Dq "low water" ,
-.Va output buffer size ,
+.Dq "output buffer size" ,
-.Va percent min free disk space ,
+.Dq "percent min free disk space" ,
 and
-.Em delay
+.Dq delay
 (not currently used).
 .It Dv A_SETSTAT
 Return
@ -106,8 +120,12 @@ Return
 .Er ENOSYS .
 .It Dv A_SETCOND
 Set the current auditing condition.
-.Ft *data
+The
-must point to a long value containing the new
+.Fa data
 argument
 must point to a
 .Vt long
 value containing the new
 audit condition, one of
 .Dv AUC_AUDITING ,
 .Dv AUC_NOAUDIT ,
@ -115,43 +133,54 @@ or
 .Dv AUC_DISABLED .
 .It Dv A_SETCLASS
 Set the event class preselection mask for an audit event.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft au_evclass_map_t
+.Vt au_evclass_map_t
 structure containing the audit event and mask.
 .It Dv A_SETPMASK
 Set the preselection masks for a process.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft auditpinfo_t
+.Vt auditpinfo_t
-structure that contains the given process's audit 
+structure that contains the given process's audit
 preselection masks for both success and failure.
 .It Dv A_SETFSIZE
 Set the maximum size of the audit log file.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft au_fstat_t
+.Vt au_fstat_t
 structure with the
-.Ft af_filesz
+.Va af_filesz
-field set to the maximum audit log file size. A value of 0
+field set to the maximum audit log file size.
 A value of 0
 indicates no limit to the size.
 .It Dv A_SETKAUDIT
 Return
 .Er ENOSYS .
 .It Dv A_GETCLASS
 Return the event to class mapping for the designated audit event.
-.Ft *data
+The
-must point to a 
+.Fa data
-.Ft au_evclass_map_t
+argument
 must point to a
 .Vt au_evclass_map_t
 structure.
 .It Dv A_GETKAUDIT
 Return
 .Er ENOSYS .
 .It Dv A_GETPINFO
 Return the audit settings for a process.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft auditpinfo_t
+.Vt auditpinfo_t
 structure which will be set to contain
 the audit ID, preselection mask, terminal ID, and audit session
 ID of the given process.
@ -160,15 +189,21 @@ Return
 .Er ENOSYS .
 .It Dv A_GETKMASK
 Return the current kernel preselection masks.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft au_mask_t
+.Vt au_mask_t
-structure which will be set to 
+structure which will be set to
 the current kernel preselection masks for non-attributable events.
 .It Dv A_GETPOLICY
 Return the current audit policy setting.
-.Ft *data
+The
-must point to a long value which will be set to
+.Fa data
 argument
 must point to a
 .Vt long
 value which will be set to
 one of the current audit policy flags.
 Currently, only
 .Dv AUDIT_CNT
@ -177,22 +212,28 @@ and
 are implemented.
 .It Dv A_GETQCTRL
 Return the current kernel audit queue control parameters.
-.Ft *data
+The
-must point to a 
+.Fa data
-.Ft au_qctrl_t
+argument
 must point to a
 .Vt au_qctrl_t
 structure which will be set to the current
 kernel audit queue control parameters.
 .It Dv A_GETFSIZE
 Returns the maximum size of the audit log file.
-.Ft *data
+The
 .Fa data
 argument
 must point to a
-.Ft au_fstat_t
+.Vt au_fstat_t
-structure. The
+structure.
-.Ft af_filesz
+The
 .Va af_filesz
 field will be set to the maximum audit log file size.
 A value of 0 indicates no limit to the size.
 The
-.Ft af_currsz
+.Va af_currsz
 field
 will be set to the current audit log file size.
 .It Dv A_GETCWD
 .\" [COMMENTED OUT]: Valid description, not yet implemented.
@ -212,16 +253,24 @@ Return
 .Er ENOSYS .
 .It Dv A_GETCOND
 Return the current auditing condition.
-.Ft *data
+The
-must point to a long value which will be set to
+.Fa data
 argument
 must point to a
 .Vt long
 value which will be set to
 the current audit condition, either
 .Dv AUC_AUDITING
 or
 .Dv AUC_NOAUDIT .
 .It Dv A_SENDTRIGGER
 Send a trigger to the audit daemon.
-.Fr *data
+The
-must point to a long value set to one of the acceptable
+.Fa data
 argument
 must point to a
 .Vt long
 value set to one of the acceptable
 trigger values:
 .Dv AUDIT_TRIGGER_LOW_SPACE
 (low disk space where the audit log resides),
@ -264,17 +313,26 @@ and Mac OS X implementations, and is not present in Solaris.
 .Sh SEE ALSO
 .Xr audit 2 ,
 .Xr auditctl 2 ,
 .Xr getauid 2 ,
 .Xr setauid 2 ,
 .Xr getaudit 2 ,
 .Xr setaudit 2 ,
 .Xr getaudit_addr 2 ,
 .Xr getauid 2 ,
 .Xr setaudit 2 ,
 .Xr setaudit_addr 2 ,
 .Xr setauid 2 ,
 .Xr libbsm 3
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
@ -284,8 +342,3 @@ This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org ,
 and
 .An Wayne Salamon Aq wsalamon@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2003.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/getaudit.2
+++ b/contrib/openbsm/man/getaudit.2
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getaudit.2#7 $
 .\"
 .Dd April 19, 2005
 .Dt GETAUDIT 2
@ -31,7 +31,7 @@
 .Sh NAME
 .Nm getaudit ,
 .Nm getaudit_addr
-.Nd "Retrieve audit session state"
+.Nd "retrieve audit session state"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
@ -39,42 +39,47 @@
 .Ft int
 .Fn getaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
 .Sh DESCRIPTION
 The
 .Fn getaudit
 system call
 retrieves the active audit session state for the current process via the
 .Vt auditinfo_t
 pointed to by
-.Va auditinfo .
+.Fa auditinfo .
 The
 .Fn getaudit_addr
 system call
 retrieves extended state via
-.Va auditinfo_addr
+.Fa auditinfo_addr
 and
-.Va length .
+.Fa length .
 .Pp
-This system call requires appropriate privilege to complete.
+These system calls require an appropriate privilege to complete.
 .Sh RETURN VALUES
-.Nm
+.Rv -std getaudit getaudit_addr
 returns 0 on success, or returns -1 on failure, providing additional error
 information via
 .Va errno .
 .Sh SEE ALSO
 .Xr audit 2 ,
 .Xr auditon 2 ,
 .Xr getauid 2 ,
 .Xr setauid 2 ,
 .Xr setaudit 2 ,
 .Xr setauid 2 ,
 .Xr libbsm 3
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/getauid.2
+++ b/contrib/openbsm/man/getauid.2
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,52 +23,55 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/getauid.2#7 $
 .\"
 .Dd April 19, 2005
 .Dt GETAUID 2
 .Os
 .Sh NAME
 .Nm getauid
-.Nd "Retrieve audit session ID"
+.Nd "retrieve audit session ID"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
 .Fn getauid "au_id_t *auid"
 .Sh DESCRIPTION
-.Nm
+The
 .Fn getauid
 system call
 retrieves the active audit session ID for the current process via the
 .Vt au_id_t
 pointed to by
-.Va auid .
+.Fa auid .
 .Pp
-This system call requires appropriate privilege to complete.
+This system call requires an appropriate privilege to complete.
 .Sh RETURN VALUES
-.Nm
+.Rv -std
 returns 0 on success, or returns -1 on failure, providing additional error
 information via
 .Va errno .
 .Sh SEE ALSO
 .Xr audit 2 ,
 .Xr auditon 2 ,
 .Xr setauid 2 ,
 .Xr getaudit 2 ,
 .Xr setaudit 2 ,
 .Xr getaudit_addr 2 ,
 .Xr setaudit 2 ,
 .Xr setaudit_addr 2 ,
 .Xr setauid 2 ,
 .Xr libbsm 3
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/setaudit.2
+++ b/contrib/openbsm/man/setaudit.2
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,7 +23,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setaudit.2#7 $
 .\"
 .Dd April 19, 2005
 .Dt SETAUDIT 2
@ -31,51 +31,55 @@
 .Sh NAME
 .Nm setaudit ,
 .Nm setaudit_addr
-.Nd "Set audit session state"
+.Nd "set audit session state"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
 .Fn setaudit "auditinfo_t *auditinfo"
 .Ft int
-.Fn setaudit_addr "auditinfo_addr_t *auditinfo" "u_int length"
+.Fn setaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
 .Sh DESCRIPTION
-.Nm
+The
 .Fn setaudit
 system call
 sets the active audit session state for the current process via the
 .Vt auditinfo_t
 pointed to by
-.Va auditinfo .
+.Fa auditinfo .
 The
 .Fn setaudit_addr
 system call
 sets extended state via
-.Va auditinfo_addr
+.Fa auditinfo_addr
 and
-.Va length .
+.Fa length .
 .Pp
-This system call requires appropriate privilege to complete.
+These system calls require an appropriate privilege to complete.
 .Sh RETURN VALUES
-.Nm
+.Rv -std setaudit setaudit_addr
 returns 0 on success, or returns -1 on failure, providing additional error
 information via
 .Va errno .
 .Sh SEE ALSO
 .Xr audit 2 ,
 .Xr auditon 2 ,
 .Xr getaudit 2 ,
 .Xr getauid 2 ,
 .Xr setauid 2 ,
 .Xr getaudit 2 ,
 .Xr libbsm 3
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/man/setauid.2
+++ b/contrib/openbsm/man/setauid.2
@ -10,7 +10,7 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 
+.\"
 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@ -23,52 +23,55 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#5 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/man/setauid.2#7 $
 .\"
 .Dd April 19, 2005
 .Dt SETAUID 2
 .Os
 .Sh NAME
 .Nm setauid
-.Nd "Set audit session ID"
+.Nd "set audit session ID"
 .Sh SYNOPSIS
 .In bsm/audit.h
 .Ft int
 .Fn setauid "au_id_t *auid"
 .Sh DESCRIPTION
-.Nm
+The
 .Fn setauid
 system call
 sets the active audit session ID for the current process from the
 .Vt au_id_t
 pointed to by
-.Va auid .
+.Fa auid .
 .Pp
-This system call requires appropriate privilege to complete.
+This system call requires an appropriate privilege to complete.
 .Sh RETURN VALUES
-.Nm
+.Rv -std
 returns 0 on success, or returns -1 on failure, providing additional error
 information via
 .Va errno .
 .Sh SEE ALSO
 .Xr audit 2 ,
 .Xr auditon 2 ,
 .Xr getauid 2 ,
 .Xr getaudit 2 ,
 .Xr setaudit 2 ,
 .Xr getaudit_addr 2 ,
 .Xr getauid 2 ,
 .Xr setaudit 2 ,
 .Xr setaudit_addr 2 ,
 .Xr libbsm 3
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
 .An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
 .An Wayne Salamon ,
 .An Robert Watson ,
 and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.
 .Pp
 This manual page was written by
 .An Robert Watson Aq rwatson@FreeBSD.org .
 .Sh HISTORY
 The OpenBSM implementation was created by McAfee Research, the security
 division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
--- a/contrib/openbsm/test/bsm/generate.c
+++ b/contrib/openbsm/test/bsm/generate.c
@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2006 Robert N. M. Watson
+ * Copyright (c) 2006-2007 Robert N. M. Watson
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#5 $
+ * $P4: //depot/projects/trustedbsd/openbsm/test/bsm/generate.c#9 $
 */
 /*
@ -335,6 +335,7 @@ generate_subject32ex_token(const char *directory, const char *token_filename,
 	if (subject32ex_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_subject32_ex");
 	write_token(directory, buf, subject32ex_token);
 	free(buf);
 }
 static void
@ -361,6 +362,7 @@ generate_subject32ex_record(const char *directory, const char *record_filename,
 	if (subject32ex_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_subject32_ex");
 	write_record(directory, record_filename, subject32ex_token, AUE_NULL);
 	free(buf);
 }
 static au_id_t		 process32_auid = 0x12345678;
@ -404,35 +406,151 @@ generate_process32_record(const char *directory, const char *record_filename)
 }
 static void
-generate_process32ex_token(const char *directory, const char *token_filename)
+generate_process32ex_token(const char *directory, const char *token_filename,
    u_int32_t type)
 {
 	token_t *process32ex_token;
 	char *buf;
-	process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
+	buf = (char *)malloc(strlen(token_filename) + 6);
-	process32_tid_addr.at_type = AU_IPv4;
+	if (type == AU_IPv6) {
 		inet_pton(AF_INET6, "fe80::1", process32_tid_addr.at_addr);
 		process32_tid_addr.at_type = AU_IPv6;
 		sprintf(buf, "%s%s", token_filename, "-IPv6");
 	} else {
 		process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
 		process32_tid_addr.at_type = AU_IPv4;
 		sprintf(buf, "%s%s", token_filename, "-IPv4");
 	}
 	process32ex_token = au_to_process32_ex(process32_auid, process32_euid,
 	    process32_egid, process32_ruid, process32_rgid, process32_pid,
 	    process32_sid, &process32_tid_addr);
 	if (process32ex_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_process32_ex");
-	write_token(directory, token_filename, process32ex_token);
+	write_token(directory, buf, process32ex_token);
 	free(buf);
 }
 static void
-generate_process32ex_record(const char *directory, const char *record_filename)
+generate_process32ex_record(const char *directory, const char *record_filename,
    u_int32_t type)
 {
 	token_t *process32ex_token;
 	char *buf;
-	process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
+	buf = (char *)malloc(strlen(record_filename) + 6);
-	process32_tid_addr.at_type = AU_IPv4;
+	if (type == AU_IPv6) {
 		inet_pton(AF_INET6, "fe80::1", process32_tid_addr.at_addr);
 		process32_tid_addr.at_type = AU_IPv6;
 		sprintf(buf, "%s%s", record_filename, "-IPv6");
 	} else {
 		process32_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
 		process32_tid_addr.at_type = AU_IPv4;
 		sprintf(buf, "%s%s", record_filename, "-IPv4");
 	}
 	process32ex_token = au_to_process32_ex(process32_auid, process32_euid,
 	    process32_egid, process32_ruid, process32_rgid, process32_pid,
 	    process32_sid, &process32_tid_addr);
 	if (process32ex_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_process32_ex");
-	write_record(directory, record_filename, process32ex_token, AUE_NULL);
+	write_record(directory, buf, process32ex_token, AUE_NULL);
 	free(buf);
 }
 static au_id_t		 process64_auid = 0x12345678;
 static uid_t		 process64_euid = 0x01234567;
 static gid_t		 process64_egid = 0x23456789;
 static uid_t		 process64_ruid = 0x98765432;
 static gid_t		 process64_rgid = 0x09876543;
 static pid_t		 process64_pid = 0x13243546;
 static au_asid_t	 process64_sid = 0x97867564;
 static au_tid_t		 process64_tid = { 0x16593746 };
 static au_tid_addr_t	 process64_tid_addr = { 0x16593746 };
 static void
 generate_process64_token(const char *directory, const char *token_filename)
 {
 	token_t *process64_token;
 	process64_tid.machine = inet_addr("127.0.0.1");
 	process64_token = au_to_process64(process64_auid, process64_euid,
 	    process64_egid, process64_ruid, process64_rgid, process64_pid,
 	    process64_sid, &process64_tid);
 	if (process64_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_process64");
 	write_token(directory, token_filename, process64_token);
 }
 static void
 generate_process64_record(const char *directory, const char *record_filename)
 {
 	token_t *process64_token;
 	process64_tid.machine = inet_addr("127.0.0.1");
 	process64_token = au_to_process64(process64_auid, process64_euid,
 	    process64_egid, process64_ruid, process64_rgid, process64_pid,
 	    process64_sid, &process64_tid);
 	if (process64_token == NULL)
 		err(EX_UNAVAILABLE, "au_ti_process64");
 	write_record(directory, record_filename, process64_token, AUE_NULL);
 }
 static void
 generate_process64ex_token(const char *directory, const char *token_filename,
    u_int32_t type)
 {
 	token_t *process64ex_token;
 	char *buf;
 	buf = (char *)malloc(strlen(token_filename) + 6);
 	if (type == AU_IPv6) {
 		inet_pton(AF_INET6, "fe80::1", process64_tid_addr.at_addr);
 		process64_tid_addr.at_type = AU_IPv6;
 		sprintf(buf, "%s%s", token_filename, "-IPv6");
 	} else {
 		process64_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
 		process64_tid_addr.at_type = AU_IPv4;
 		sprintf(buf, "%s%s", token_filename, "-IPv4");
 	}
 	process64ex_token = au_to_process64_ex(process64_auid, process64_euid,
 	    process64_egid, process64_ruid, process64_rgid, process64_pid,
 	    process64_sid, &process64_tid_addr);
 	if (process64ex_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_process64_ex");
 	write_token(directory, buf, process64ex_token);
 	free(buf);
 }
 static void
 generate_process64ex_record(const char *directory, const char *record_filename,
    u_int32_t type)
 {
 	token_t *process64ex_token;
 	char *buf;
 	buf = (char *)malloc(strlen(record_filename) + 6);
 	if (type == AU_IPv6) {
 		inet_pton(AF_INET6, "fe80::1", process64_tid_addr.at_addr);
 		process64_tid_addr.at_type = AU_IPv6;
 		sprintf(buf, "%s%s", record_filename, "-IPv6");
 	} else {
 		process64_tid_addr.at_addr[0] = inet_addr("127.0.0.1");
 		process64_tid_addr.at_type = AU_IPv4;
 		sprintf(buf, "%s%s", record_filename, "-IPv4");
 	}
 	process64ex_token = au_to_process64_ex(process64_auid, process64_euid,
 	    process64_egid, process64_ruid, process64_rgid, process64_pid,
 	    process64_sid, &process64_tid_addr);
 	if (process64ex_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_process64_ex");
 	write_record(directory, buf, process64ex_token, AUE_NULL);
 	free(buf);
 }
 static char		 return32_status = 0xd7;
@ -771,6 +889,30 @@ generate_attr32_record(const char *directory, const char *record_filename)
 }
 static char	*zonename_sample = "testzone";
 static void
 generate_zonename_token(const char *directory, const char *token_filename)
 {
 	token_t *zonename_token;
 	zonename_token = au_to_zonename(zonename_sample);
 	if (zonename_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_zonename");
 	write_token(directory, token_filename, zonename_token);
 }
 static void
 generate_zonename_record(const char *directory, const char *record_filename)
 {
 	token_t *zonename_token;
 	zonename_token = au_to_zonename(zonename_sample);
 	if (zonename_token == NULL)
 		err(EX_UNAVAILABLE, "au_to_zonename");
 	write_record(directory, record_filename, zonename_token, AUE_NULL);
 }
 int
 main(int argc, char *argv[])
 {
@ -811,10 +953,20 @@ main(int argc, char *argv[])
 		generate_ipc_token(directory, "ipc_token");
 		generate_path_token(directory, "path_token");
 		generate_subject32_token(directory, "subject32_token");
-		generate_subject32ex_token(directory, "subject32ex_token", AU_IPv4);
+		generate_subject32ex_token(directory, "subject32ex_token",
-		generate_subject32ex_token(directory, "subject32ex_token", AU_IPv6);
+		    AU_IPv4);
 		generate_subject32ex_token(directory, "subject32ex_token",
 		    AU_IPv6);
 		generate_process32_token(directory, "process32_token");
-		generate_process32ex_token(directory, "process32ex_token");
+		generate_process32ex_token(directory, "process32ex_token",
 		    AU_IPv4);
 		generate_process32ex_token(directory, "process32ex_token",
 		    AU_IPv6);
 		generate_process64_token(directory, "process64_token");
 		generate_process64ex_token(directory, "process64ex_token",
 		    AU_IPv4);
 		generate_process64ex_token(directory, "process64ex_token",
 		    AU_IPv6);
 		generate_return32_token(directory, "return32_token");
 		generate_text_token(directory, "text_token");
 		generate_opaque_token(directory, "opaque_token");
@ -827,6 +979,7 @@ main(int argc, char *argv[])
 		generate_ipc_perm_token(directory, "ipc_perm_token");
 		generate_groups_token(directory, "groups_token");
 		generate_attr32_token(directory, "attr32_token");
 		generate_zonename_token(directory, "zonename_token");
 	}
 	if (do_records) {
@ -840,7 +993,15 @@ main(int argc, char *argv[])
 		generate_subject32ex_record(directory, "subject32ex_record",
 		    AU_IPv6);
 		generate_process32_record(directory, "process32_record");
-		generate_process32ex_record(directory, "process32ex_record");
+		generate_process32ex_record(directory, "process32ex_record",
 		    AU_IPv4);
 		generate_process32ex_record(directory, "process32ex_record",
 		    AU_IPv6);
 		generate_process64_record(directory, "process64_record");
 		generate_process64ex_record(directory, "process64ex_record",
 		    AU_IPv4);
 		generate_process64ex_record(directory, "process64ex_record",
 		    AU_IPv6);
 		generate_return32_record(directory, "return32_record");
 		generate_text_record(directory, "text_record");
 		generate_opaque_record(directory, "opaque_record");
@ -853,6 +1014,7 @@ main(int argc, char *argv[])
 		generate_ipc_perm_record(directory, "ipc_perm_record");
 		generate_groups_record(directory, "groups_record");
 		generate_attr32_record(directory, "attr32_record");
 		generate_zonename_record(directory, "zonename_record");
 	}
 	return (0);
--- a/contrib/openbsm/test/reference/arg32_record
+++ b/contrib/openbsm/test/reference/arg32_record
--- a/contrib/openbsm/test/reference/data_record
+++ b/contrib/openbsm/test/reference/data_record
--- a/contrib/openbsm/test/reference/file_record
+++ b/contrib/openbsm/test/reference/file_record
--- a/contrib/openbsm/test/reference/in_addr_record
+++ b/contrib/openbsm/test/reference/in_addr_record
--- a/contrib/openbsm/test/reference/ip_record
+++ b/contrib/openbsm/test/reference/ip_record
--- a/contrib/openbsm/test/reference/ipc_record
+++ b/contrib/openbsm/test/reference/ipc_record
--- a/contrib/openbsm/test/reference/iport_record
+++ b/contrib/openbsm/test/reference/iport_record
--- a/contrib/openbsm/test/reference/opaque_record
+++ b/contrib/openbsm/test/reference/opaque_record
--- a/contrib/openbsm/test/reference/path_record
+++ b/contrib/openbsm/test/reference/path_record
--- a/contrib/openbsm/test/reference/process32_record
+++ b/contrib/openbsm/test/reference/process32_record
--- a/contrib/openbsm/test/reference/process32ex_record-IPv4
+++ b/contrib/openbsm/test/reference/process32ex_record-IPv4
--- a/contrib/openbsm/test/reference/process32ex_record-IPv6
+++ b/contrib/openbsm/test/reference/process32ex_record-IPv6
--- a/contrib/openbsm/test/reference/process32ex_token-IPv4
+++ b/contrib/openbsm/test/reference/process32ex_token-IPv4
--- a/contrib/openbsm/test/reference/process32ex_token-IPv6
+++ b/contrib/openbsm/test/reference/process32ex_token-IPv6
--- a/contrib/openbsm/test/reference/process64_record
+++ b/contrib/openbsm/test/reference/process64_record
--- a/contrib/openbsm/test/reference/process64_token
+++ b/contrib/openbsm/test/reference/process64_token
--- a/contrib/openbsm/test/reference/process64ex_record-IPv4
+++ b/contrib/openbsm/test/reference/process64ex_record-IPv4
--- a/contrib/openbsm/test/reference/process64ex_record-IPv6
+++ b/contrib/openbsm/test/reference/process64ex_record-IPv6
--- a/contrib/openbsm/test/reference/process64ex_token-IPv4
+++ b/contrib/openbsm/test/reference/process64ex_token-IPv4
--- a/contrib/openbsm/test/reference/process64ex_token-IPv6
+++ b/contrib/openbsm/test/reference/process64ex_token-IPv6
--- a/contrib/openbsm/test/reference/return32_record
+++ b/contrib/openbsm/test/reference/return32_record
--- a/contrib/openbsm/test/reference/seq_record
+++ b/contrib/openbsm/test/reference/seq_record
--- a/contrib/openbsm/test/reference/subject32_record
+++ b/contrib/openbsm/test/reference/subject32_record
--- a/contrib/openbsm/test/reference/subject32ex_record
+++ b/contrib/openbsm/test/reference/subject32ex_record
--- a/contrib/openbsm/test/reference/subject32ex_token-IPv4
+++ b/contrib/openbsm/test/reference/subject32ex_token-IPv4
--- a/contrib/openbsm/test/reference/subject32ex_token-IPv6
+++ b/contrib/openbsm/test/reference/subject32ex_token-IPv6
--- a/contrib/openbsm/test/reference/text_record
+++ b/contrib/openbsm/test/reference/text_record
--- a/contrib/openbsm/test/reference/zonename_record
+++ b/contrib/openbsm/test/reference/zonename_record
--- a/contrib/openbsm/test/reference/zonename_token
+++ b/contrib/openbsm/test/reference/zonename_token
--- a/contrib/openbsm/tools/audump.c
+++ b/contrib/openbsm/tools/audump.c
@ -23,7 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#6 $
+ * $P4: //depot/projects/trustedbsd/openbsm/tools/audump.c#7 $
 */
 #include <bsm/libbsm.h>
@ -123,7 +123,7 @@ audump_control(void)
 		err(-1, "getacpol");
 	if (au_strtopol(string, &policy) < 0)
 		err(-1, "au_strtopol");
-	if (au_poltostr(policy, string2, PATH_MAX) < 0)
+	if (au_poltostr(policy, PATH_MAX, string2) < 0)
 		err(-1, "au_poltostr");
 	printf("policy:%s\n", string2);
 }