freebsd-skq/contrib/openbsm/libbsm/audit_submit.3

.\"
.\" Copyright (c) 2006 Christian S.J. Peron
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1.  Redistributions of source code must retain the above copyright
.\"     notice, this list of conditions and the following disclaimer.
.\" 2.  Redistributions in binary form must reproduce the above copyright
.\"     notice, this list of conditions and the following disclaimer in the
.\"     documentation and/or other materials provided with the distribution.
.\" 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
.\"     its contributors may be used to endorse or promote products derived
.\"     from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#8 $
.\"
.Dd May 29, 2006
.Dt audit_submit 3
.Os
.Sh NAME
.Nm audit_submit
.Nd general purpose audit record submission
.Sh LIBRARY
.Lb libbsm
.Sh SYNOPSIS
.In stdio.h
.Ft int
.Fn audit_submit "short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ...
.Sh DESCRIPTION
The
.Nm
function provides a generic programming interface for audit record submission.
This audit record will contain a header, subject token, an optional text token,
return token, and a trailer.
The header will contain the event class specified by
.Fa au_event .
The subject token will be generated based on
.Fa au_ctx .
The return token is dependant on the
.Fa status
and
.Fa reterr
arguments.
Optionally, a text token will be created as a part of this record.
.Pp
Text token output is under the control of a
.Fa format
string that specifies how subsequent arguments (or arguments accessed via the
variable-length argument facilities of
.Xr stdarg 3 )
are converted for output.
If
.Fa format
is NULL, then no text token is created in the audit record.
.Pp
It should be noted that
.Nm
assumes that
.Xr setaudit 2 ,
or
.Xr setaudit_addr 2 
has already been called.
As a direct result, the terminal ID for the
subject will be retrieved from the kernel via
.Xr getaudit 2 ,
or
.Xr getaudit_addr 2 .
.Sh EXAMPLES
.Bd -literal -offset indent
#include <bsm/audit.h>
#include <bsm/libbsm.h>
#include <bsm/audit_uevents.h>

#include <stdio.h>
#include <stdarg.h>
#include <errno.h>

int
audit_bad_su(char *from_login, char *to_login)
{
	int error;

	error = audit_submit(AUE_su, getuid(), 1, EPERM,
	    "bad su from %s to %s", from_login, to_login);
	return (error);
}
.Ed
.Pp
Will generate the following audit record:
.Bd -literal -offset indent
header,94,1,su(1),0,Mon Apr 17 23:23:59 2006, + 271 msec
subject,root,root,wheel,root,wheel,652,652,0,0.0.0.0
text,bad su from from csjp to root
return,failure : Operation not permitted,1
trailer,94
.Ed
.Sh SEE ALSO
.Xr auditon 2 ,
.Xr getaudit 2 ,
.Xr libbsm 3 ,
.Xr stdarg 3
.Sh HISTORY
The
.Nm
function first appeared in OpenBSM version 1.0.
OpenBSM 1.0 was introduced in FreeBSD 7.0.
.Sh AUTHORS
The
.Nm
function was written by
.An Christian S.J. Peron Aq csjp@FreeBSD.org .
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 6: - Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close(); previously we used hard-coded 0 and 1 values. - Add man page for au_open(), au_write(), au_close(), and au_close_buffer(). - Support a more complete range of data types for the arbitrary data token: add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias to AUR_INT), add AUR_INT64. - Add au_close_token(), which allows writing a single token_t to a memory buffer. Not likely to be used much by applications, but useful for writing test tools. - Modify au_to_file() so that it accepts a timeval in user space, not just kernel -- this is not a Solaris BSM API so can be modified without causing compatibility issues. - Define a new API, au_to_header32_tm(), which adds a struct timeval argument to the ordinary au_to_header32(), which is now implemented by wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL the APIs that invoke gettimeofday(), rather than having a variable definition. Don't try to retrieve time zone information using gettimeofday(), as it's not needed, and introduces possible failure modes. - Don't perform byte order transformations on the addr/machine fields of the terminal ID that appears in the process32/subject32 tokens. These are assumed to be IP addresses, and as such, to be in network byte order. - Universally, APIs now assume that IP addresses and ports are provided in network byte order. APIs now generally provide these types in network byte order when decoding. - Beginnings of an OpenBSM test framework can now be found in openbsm/test. This code is not built or installed by default. - auditd now assigns more appropriate syslog levels to its debugging and error information. - Support for audit filters introduced: audit filters are dynamically loaded shared objects that run in the context of a new daemon, auditfilterd. The daemon reads from an audit pipe and feeds both BSM and parsed versions of records to shared objects using a module API. This will provide a framework for the writing of intrusion detection services. - New utility API, audit_submit(), added to capture common elements of audit record submission for many applications. Obtained from: TrustedBSD Project 2006-06-05 10:52:12 +00:00			`.\"`
			`.\" Copyright (c) 2006 Christian S.J. Peron`
			`.\" All rights reserved.`
			`.\"`
			`.\" Redistribution and use in source and binary forms, with or without`
			`.\" modification, are permitted provided that the following conditions`
			`.\" are met:`
			`.\"`
			`.\" 1. Redistributions of source code must retain the above copyright`
			`.\" notice, this list of conditions and the following disclaimer.`
			`.\" 2. Redistributions in binary form must reproduce the above copyright`
			`.\" notice, this list of conditions and the following disclaimer in the`
			`.\" documentation and/or other materials provided with the distribution.`
			`.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of`
			`.\" its contributors may be used to endorse or promote products derived`
			`.\" from this software without specific prior written permission.`
			`.\"`
			`.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND`
			`.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE`
			`.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE`
			`.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR`
			`.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL`
			`.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS`
			`.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)`
			`.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,`
			`.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING`
			`.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE`
			`.\" POSSIBILITY OF SUCH DAMAGE.`
			`.\"`
			`.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#8 $`
			`.\"`
			`.Dd May 29, 2006`
			`.Dt audit_submit 3`
			`.Os`
			`.Sh NAME`
			`.Nm audit_submit`
			`.Nd general purpose audit record submission`
			`.Sh LIBRARY`
			`.Lb libbsm`
			`.Sh SYNOPSIS`
			`.In stdio.h`
			`.Ft int`
			`.Fn audit_submit "short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ...`
			`.Sh DESCRIPTION`
			`The`
			`.Nm`
			`function provides a generic programming interface for audit record submission.`
			`This audit record will contain a header, subject token, an optional text token,`
			`return token, and a trailer.`
			`The header will contain the event class specified by`
			`.Fa au_event .`
			`The subject token will be generated based on`
			`.Fa au_ctx .`
			`The return token is dependant on the`
			`.Fa status`
			`and`
			`.Fa reterr`
			`arguments.`
			`Optionally, a text token will be created as a part of this record.`
			`.Pp`
			`Text token output is under the control of a`
			`.Fa format`
			`string that specifies how subsequent arguments (or arguments accessed via the`
			`variable-length argument facilities of`
			`.Xr stdarg 3 )`
			`are converted for output.`
			`If`
			`.Fa format`
			`is NULL, then no text token is created in the audit record.`
			`.Pp`
			`It should be noted that`
			`.Nm`
			`assumes that`
			`.Xr setaudit 2 ,`
			`or`
			`.Xr setaudit_addr 2`
			`has already been called.`
			`As a direct result, the terminal ID for the`
			`subject will be retrieved from the kernel via`
			`.Xr getaudit 2 ,`
			`or`
			`.Xr getaudit_addr 2 .`
			`.Sh EXAMPLES`
			`.Bd -literal -offset indent`
			`#include <bsm/audit.h>`
			`#include <bsm/libbsm.h>`
			`#include <bsm/audit_uevents.h>`

			`#include <stdio.h>`
			`#include <stdarg.h>`
			`#include <errno.h>`

			`int`
			`audit_bad_su(char from_login, char to_login)`
			`{`
			`int error;`

			`error = audit_submit(AUE_su, getuid(), 1, EPERM,`
			`"bad su from %s to %s", from_login, to_login);`
			`return (error);`
			`}`
			`.Ed`
			`.Pp`
			`Will generate the following audit record:`
			`.Bd -literal -offset indent`
			`header,94,1,su(1),0,Mon Apr 17 23:23:59 2006, + 271 msec`
			`subject,root,root,wheel,root,wheel,652,652,0,0.0.0.0`
			`text,bad su from from csjp to root`
			`return,failure : Operation not permitted,1`
			`trailer,94`
			`.Ed`
			`.Sh SEE ALSO`
			`.Xr auditon 2 ,`
			`.Xr getaudit 2 ,`
			`.Xr libbsm 3 ,`
			`.Xr stdarg 3`
			`.Sh HISTORY`
			`The`
			`.Nm`
			`function first appeared in OpenBSM version 1.0.`
			`OpenBSM 1.0 was introduced in FreeBSD 7.0.`
			`.Sh AUTHORS`
			`The`
			`.Nm`
			`function was written by`
			`.An Christian S.J. Peron Aq csjp@FreeBSD.org .`