bb97b41819
notes since the last import: OpenBSM 1.0 alpha 11 - Reclassify certain read/write operations as having no class rather than the fr/fw class; our default classes audit intent (open) not operations (read, write). - Introduce AUE_SYSCTL_WRITE event so that BSD/Darwin systems can audit reads and writes of sysctls as separate events. Add additional kernel environment and jail events for FreeBSD. - Break AUDIT_TRIGGER_OPEN_NEW into two events, AUDIT_TRIGGER_ROTATE_USER (issued by the user audit(8) tool) and AUDIT_TRIGGER_ROTATE_KERNEL (issued by the kernel audit implementation) so that they can be distinguished. - Disable rate limiting of rotate requests; as the kernel doesn't retransmit a dropped request, the log file will otherwise grow indefinitely if the trigger is dropped. - Improve auditd debugging output. - Fix a number of threading related bugs in audit_control file reading routines. - Add APIs au_poltostr() and au_strtopol() to convert between text representations of audit_control policy flags and the flags passed to auditon(A_SETPOLICY) and retrieved from auditon(A_GETPOLICY). - Add API getacpol() to return the 'policy:' entry from audit_control, an extension to the Solaris file format to allow specification of policy persistent flags. - Update audump to print the audit_control policy field. - Update auditd to read the audit_control policy field and set the kernel policy to match it when configuring/reconfiguring. Remove the -s and -h arguments as these policies are now set via the configuration file. If a policy line is not found in the configuration file, continue with the current default of setting AUDIT_CNT. - Fix bugs in the parsing of large execve(2) arguments and environmental variable tokens; increase maximum parsed argument and variable count. - configure now detects strlcat(), used by policy-related functions. - Reference token and record sample files added to test tree. Obtained from: TrustedBSD Project
173 lines
4.9 KiB
Groff
173 lines
4.9 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2005 Robert N. M. Watson
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#4 $
|
|
.\"
|
|
.Dd April 19, 2005
|
|
.Dt AU_CONTROL 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm setac ,
|
|
.Nm endac ,
|
|
.Nm getacdir ,
|
|
.Nm getacmin ,
|
|
.Nm getacflg ,
|
|
.Nm getacna ,
|
|
.Nm getacpol ,
|
|
.Nm au_poltostr
|
|
.Nm au_strtopol
|
|
.Nd "Look up information from the audit_control database"
|
|
.Sh LIBRARY
|
|
.Lb libbsm
|
|
.Sh SYNOPSIS
|
|
.In libbsm.h
|
|
.Ft void
|
|
.Fn setac "void"
|
|
.Ft void
|
|
.Fn endac "void"
|
|
.Ft int
|
|
.Fn getacdir "char *name" "int len"
|
|
.Ft int
|
|
.Fn getacmin "int *min_val"
|
|
.Ft int
|
|
.Fn getacflg "char *auditstr" "int len"
|
|
.Ft int
|
|
.Fn getacna "char *auditstr" "int len"
|
|
.Ft int
|
|
.Fn getacpol "char *auditstr" "size_t len"
|
|
.Ft ssize_t
|
|
.Fn au_poltostr "long policy" "size_t maxsize" "char *buf"
|
|
.Ft int
|
|
.Fn au_strtopol "const char *polstr" "long *policy"
|
|
.Sh DESCRIPTION
|
|
These interfaces may be used to look up information from the
|
|
.Xr audit_control 5
|
|
database, which contains various audit-related administrative parameters.
|
|
.Pp
|
|
.Fn setac
|
|
resets the database iterator to the beginning of the database; see the
|
|
BUGS section for more information.
|
|
.Pp
|
|
.Fn sendac
|
|
closes the
|
|
.Xr audit_control 5
|
|
database.
|
|
.Pp
|
|
.Fn getacdir
|
|
returns the name of the directory where log data is stored via the passed
|
|
character buffer
|
|
.Va name
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn getacmin
|
|
returns the minimum free disk space for the audit log target file system via
|
|
the passed
|
|
.Va min_val
|
|
variable.
|
|
.Pp
|
|
.Fn getacflg
|
|
returns the audit system flags via the the passed character buffer
|
|
.Va auditstr
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn getacna
|
|
returns the non-attributable flags via the passed character buffer
|
|
.Va auditstr
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn getacpol
|
|
returns the audit policy flags via the passed character buffer
|
|
.Va auditstr
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn au_poltostr
|
|
converts a numeric audit policy mask,
|
|
.Va policy ,
|
|
value to a string in the passed character buffer
|
|
.Va buf
|
|
of lenth
|
|
.Va maxsize .
|
|
.Pp
|
|
.Fn au_strtopol
|
|
converts an audit policy flags string,
|
|
.Va polstr ,
|
|
to a numeric audit policy mask returned via
|
|
.Va policy .
|
|
.Sh RETURN VALULES
|
|
.Fn getacdir ,
|
|
.Fn getacmin ,
|
|
.Fn getacflg ,
|
|
.Fn getacna ,
|
|
.Fn getacpol ,
|
|
and
|
|
.Fn au_strtopol
|
|
return 0 on success, or a negative value on failure, along with error
|
|
information in
|
|
.Va errno .
|
|
.Pp
|
|
.Fn au_poltostr
|
|
returns a string length of 0 or more on success, or a negative value on
|
|
if there is a failure.
|
|
.Pp
|
|
Functions that return a string value will return a failure if there is
|
|
insufficient room in the passed character buffer for the full string.
|
|
.Sh SEE ALSO
|
|
.Xr libbsm 3 ,
|
|
.Xr audit_control 5
|
|
.Sh AUTHORS
|
|
This software was created by Robert Watson, Wayne Salamon, and Suresh
|
|
Krishnaswamy for McAfee Research, the security research division of McAfee,
|
|
Inc., under contract to Apple Computer, Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|
|
.Sh BUGS
|
|
These routines cannot currently distinguish between an entry not being found
|
|
and an error accessing the database.
|
|
The implementation should be changed to return an error via
|
|
.Va errno
|
|
when
|
|
.Dv NULL
|
|
is returned.
|
|
.Sh BUGS
|
|
There is no reason for the
|
|
.Fn setac
|
|
interface to be exposed as part of the public API, as it is called implicitly
|
|
by other access functions and iteration is not supported.
|
|
.Pp
|
|
These interfaces inconsistently return various negative values depending on
|
|
the failure mode, and do not always set
|
|
.Va errno
|
|
on failure.
|