84f8c77a42
- Add a new "qsize" parameter in audit_control and the getacqsize(3) API to query it, allowing to set the kernel's maximum audit queue length. - Add support to push a mapping between audit event names and event numbers into the kernel (where supported) using new A_GETEVENT and A_SETEVENT auditon(2) operations. - Add audit event identifiers for a number of new (and not-so-new) FreeBSD system calls including those for asynchronous I/O, thread management, SCTP, jails, multi-FIB support, and misc. POSIX interfaces such as posix_fallocate(2) and posix_fadvise(2). - On operating systems supporting Capsicum, auditreduce(1) and praudit(1) now run sandboxed. - Empty "flags" and "naflags" fields are now permitted in audit_control(5). Many thanks to Christian Brueffer for producing the OpenBSM release and importing/tagging it in the vendor branch. This release will allow improved auditing of a range of new FreeBSD functionality, as well as non-traditional events (e.g., fine-grained I/O auditing) not required by the Orange Book or Common Criteria. Obtained from: TrustedBSD Project Sponsored by: DARPA, AFRL MFC after: 3 weeks
258 lines
7.9 KiB
Groff
258 lines
7.9 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2005-2007, 2016 Robert N. M. Watson
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Portions of this software were developed by BAE Systems, the University of
|
|
.\" Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
|
|
.\" contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
|
|
.\" Computing (TC) research program.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.Dd April 19, 2005
|
|
.Dt AU_TOKEN 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm au_to_arg32 ,
|
|
.Nm au_to_arg64 ,
|
|
.Nm au_to_arg ,
|
|
.Nm au_to_attr64 ,
|
|
.Nm au_to_data ,
|
|
.Nm au_to_exit ,
|
|
.Nm au_to_groups ,
|
|
.Nm au_to_newgroups ,
|
|
.Nm au_to_in_addr ,
|
|
.Nm au_to_in_addr_ex ,
|
|
.Nm au_to_ip ,
|
|
.Nm au_to_ipc ,
|
|
.Nm au_to_ipc_perm ,
|
|
.Nm au_to_iport ,
|
|
.Nm au_to_opaque ,
|
|
.Nm au_to_file ,
|
|
.Nm au_to_text ,
|
|
.Nm au_to_path ,
|
|
.Nm au_to_process32 ,
|
|
.Nm au_to_process64 ,
|
|
.Nm au_to_process ,
|
|
.Nm au_to_process32_ex ,
|
|
.Nm au_to_process64_ex ,
|
|
.Nm au_to_process_ex ,
|
|
.Nm au_to_return32 ,
|
|
.Nm au_to_return64 ,
|
|
.Nm au_to_return ,
|
|
.Nm au_to_seq ,
|
|
.Nm au_to_sock_inet32 ,
|
|
.Nm au_to_sock_inet128 ,
|
|
.Nm au_to_sock_inet ,
|
|
.Nm au_to_socket_ex ,
|
|
.Nm au_to_subject32 ,
|
|
.Nm au_to_subject64 ,
|
|
.Nm au_to_subject ,
|
|
.Nm au_to_subject32_ex ,
|
|
.Nm au_to_subject64_ex ,
|
|
.Nm au_to_subject_ex ,
|
|
.Nm au_to_me ,
|
|
.Nm au_to_exec_args ,
|
|
.Nm au_to_exec_env ,
|
|
.Nm au_to_header ,
|
|
.Nm au_to_header32 ,
|
|
.Nm au_to_header64 ,
|
|
.Nm au_to_header_ex ,
|
|
.Nm au_to_header32_ex ,
|
|
.Nm au_to_trailer ,
|
|
.Nm au_to_zonename
|
|
.Nd "routines for generating BSM audit tokens"
|
|
.Sh LIBRARY
|
|
.Lb libbsm
|
|
.Sh SYNOPSIS
|
|
.In bsm/libbsm.h
|
|
.Ft "token_t *"
|
|
.Fn au_to_arg32 "char n" "const char *text" "u_int32_t v"
|
|
.Ft "token_t *"
|
|
.Fn au_to_arg64 "char n" "const char *text" "u_int64_t v"
|
|
.Ft "token_t *"
|
|
.Fn au_to_arg "char n" "const char *text" "u_int32_t v"
|
|
.Ft "token_t *"
|
|
.Fn au_to_attr32 "struct vattr *attr"
|
|
.Ft "token_t *"
|
|
.Fn au_to_attr64 "struct vattr *attr"
|
|
.Ft "token_t *"
|
|
.Fn au_to_attr "struct vattr *attr"
|
|
.Ft "token_t *"
|
|
.Fn au_to_data "char unit_print" "char unit_type" "char unit_count" "const char *p"
|
|
.Ft "token_t *"
|
|
.Fn au_to_exit "int retval" "int err"
|
|
.Ft "token_t *"
|
|
.Fn au_to_groups "int *groups"
|
|
.Ft "token_t *"
|
|
.Fn au_to_newgroups "u_int16_t n" "gid_t *groups"
|
|
.Ft "token_t *"
|
|
.Fn au_to_in_addr "struct in_addr *internet_addr"
|
|
.Ft "token_t *"
|
|
.Fn au_to_in_addr_ex "struct in6_addr *internet_addr"
|
|
.Ft "token_t *"
|
|
.Fn au_to_ip "struct ip *ip"
|
|
.Ft "token_t *"
|
|
.Fn au_to_ipc "char type" "int id"
|
|
.Ft "token_t *"
|
|
.Fn au_to_ipc_perm "struct ipc_perm *perm"
|
|
.Ft "token_t *"
|
|
.Fn au_to_iport "u_int16_t iport"
|
|
.Ft "token_t *"
|
|
.Fn au_to_opaque "const char *data" "u_int16_t bytes"
|
|
.Ft "token_t *"
|
|
.Fn au_to_file "const char *file" "struct timeval tm"
|
|
.Ft "token_t *"
|
|
.Fn au_to_text "const char *text"
|
|
.Ft "token_t *"
|
|
.Fn au_to_path "const char *text"
|
|
.Ft "token_t *"
|
|
.Fo au_to_process32
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_process64
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_process32_ex
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_process64_ex
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fn au_to_return32 "char status" "u_int32_t ret"
|
|
.Ft "token_t *"
|
|
.Fn au_to_return64 "char status" "u_int64_t ret"
|
|
.Ft "token_t *"
|
|
.Fn au_to_return "char status" "u_int32_t ret"
|
|
.Ft "token_t *"
|
|
.Fn au_to_seq "long audit_count"
|
|
.Ft "token_t *"
|
|
.Fn au_to_sock_inet32 "struct sockaddr_in *so"
|
|
.Ft "token_t *"
|
|
.Fn au_to_sock_inet128 "struct sockaddr_in6 *so"
|
|
.Ft "token_t *"
|
|
.Fn au_to_sock_int "struct sockaddr_in *so"
|
|
.Ft "token_t *"
|
|
.Fn au_to_socket_ex "u_short so_domain" "u_short so_type" "struct sockaddr *sa_local" "struct sockaddr *sa_remote"
|
|
.Ft "token_t *"
|
|
.Fo au_to_subject32
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_subject64
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_subject
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_subject32_ex
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_subject64_ex
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fo au_to_subject_ex
|
|
.Fa "au_id_t auid" "uid_t euid" "gid_t egid" "uid_t ruid"
|
|
.Fa "gid_t rgid" "pid_t pid" "au_asid_t sid" "au_tid_addr_t *tid"
|
|
.Fc
|
|
.Ft "token_t *"
|
|
.Fn au_to_me void
|
|
.Ft "token_t *"
|
|
.Fn au_to_exec_args "char **argv"
|
|
.Ft "token_t *"
|
|
.Fn au_to_exec_env "char **envp"
|
|
.Ft "token_t *"
|
|
.Fn au_to_header "int rec_size" "au_event_t e_type" "au_emod_t emod"
|
|
.Ft "token_t *"
|
|
.Fn au_to_header32 "int rec_size" "au_event_t e_type" "au_emod_t emod"
|
|
.Ft "token_t *"
|
|
.Fn au_to_header64 "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
|
|
.Ft "token_t *"
|
|
.Fn au_to_header_ex "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
|
|
.Ft "token_t *"
|
|
.Fn au_to_header32_ex "int rec_size" "au_event_t e_type" "au_emod_t e_mod"
|
|
.Ft "token_t *"
|
|
.Fn au_to_trailer "int rec_size"
|
|
.Ft "token_t *"
|
|
.Fn au_to_zonename "const char *zonename"
|
|
.Sh DESCRIPTION
|
|
These interfaces support the allocation of BSM audit tokens, represented by
|
|
.Vt token_t ,
|
|
for various data types.
|
|
.Pp
|
|
.Xr au_errno_to_bsm 3
|
|
must be used to convert local
|
|
.Xr errno 2
|
|
errors to BSM error numbers before they are passed to
|
|
.Fn au_to_return ,
|
|
.Fn au_to_return32 ,
|
|
and
|
|
.Fn au_to_return64 .
|
|
.Sh RETURN VALUES
|
|
On success, a pointer to a
|
|
.Vt token_t
|
|
will be returned; the allocated
|
|
.Vt token_t
|
|
can be freed via a call to
|
|
.Xr au_free_token 3 .
|
|
On failure,
|
|
.Dv NULL
|
|
will be returned, and an error condition returned via
|
|
.Va errno .
|
|
.Sh SEE ALSO
|
|
.Xr au_errno_to_bsm 3 ,
|
|
.Xr libbsm 3
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|
|
.Sh AUTHORS
|
|
.An -nosplit
|
|
This software was created by
|
|
.An Robert Watson ,
|
|
.An Wayne Salamon ,
|
|
and
|
|
.An Suresh Krishnaswamy
|
|
for McAfee Research, the security research division of McAfee,
|
|
Inc., under contract to Apple Computer, Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|