4bd0c025f3
history notes since the last import: OpenBSM 1.0 alpha 12 - Correct bug in auditreduce which prevented the -c option from working correctly when the user specifies to process successful or failed events. The problem stemmed from not having access to the return token at the time the initial preselection occurred, but now a second preselection process occurs while processing the return token. - getacfilesz(3) API added to read new audit_control(5) filesz setting, which auditd(8) now sets the kernel audit trail rotation size to. - auditreduce(1) now uses stdin if no file names are specified on the command line; this was the documented behavior previously, but it was not implemented. Be more specific in auditreduce(1)'s examples section about what might be done with the output of auditreduce. - Add audit_warn(5) closefile event so that administrators can hook termination of an audit trail file. For example, this might be used to compress the trail file after it is closed. - auditreduce(1) now uses regular expressions for pathname matching. Users can now supply one or more (comma delimited) regular expressions for searching the pathnames. If one of the regular expressions is prefixed with a tilde (~), and a path matches, it will be excluded from the search results. MFC after: 3 days Obtained from: TrustedBSD Project
180 lines
5.1 KiB
Groff
180 lines
5.1 KiB
Groff
.\"-
|
|
.\" Copyright (c) 2005-2006 Robert N. M. Watson
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/au_control.3#5 $
|
|
.\"
|
|
.Dd April 19, 2005
|
|
.Dt AU_CONTROL 3
|
|
.Os
|
|
.Sh NAME
|
|
.Nm setac ,
|
|
.Nm endac ,
|
|
.Nm getacdir ,
|
|
.Nm getacmin ,
|
|
.Nm getacfilesz ,
|
|
.Nm getacflg ,
|
|
.Nm getacna ,
|
|
.Nm getacpol ,
|
|
.Nm au_poltostr
|
|
.Nm au_strtopol
|
|
.Nd "Look up information from the audit_control database"
|
|
.Sh LIBRARY
|
|
.Lb libbsm
|
|
.Sh SYNOPSIS
|
|
.In libbsm.h
|
|
.Ft void
|
|
.Fn setac "void"
|
|
.Ft void
|
|
.Fn endac "void"
|
|
.Ft int
|
|
.Fn getacdir "char *name" "int len"
|
|
.Ft int
|
|
.Fn getacmin "int *min_val"
|
|
.Ft int
|
|
.Fn getacfilesz "size_t *size_val"
|
|
.Ft int
|
|
.Fn getacflg "char *auditstr" "int len"
|
|
.Ft int
|
|
.Fn getacna "char *auditstr" "int len"
|
|
.Ft int
|
|
.Fn getacpol "char *auditstr" "size_t len"
|
|
.Ft ssize_t
|
|
.Fn au_poltostr "long policy" "size_t maxsize" "char *buf"
|
|
.Ft int
|
|
.Fn au_strtopol "const char *polstr" "long *policy"
|
|
.Sh DESCRIPTION
|
|
These interfaces may be used to look up information from the
|
|
.Xr audit_control 5
|
|
database, which contains various audit-related administrative parameters.
|
|
.Pp
|
|
.Fn setac
|
|
resets the database iterator to the beginning of the database; see the
|
|
BUGS section for more information.
|
|
.Pp
|
|
.Fn sendac
|
|
closes the
|
|
.Xr audit_control 5
|
|
database.
|
|
.Pp
|
|
.Fn getacdir
|
|
returns the name of the directory where log data is stored via the passed
|
|
character buffer
|
|
.Va name
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn getacmin
|
|
returns the minimum free disk space for the audit log target file system via
|
|
the passed
|
|
.Va min_val
|
|
variable.
|
|
.Pp
|
|
.Fn getacfilesz
|
|
returns the audit trail rotation size in the passed size_t buffer
|
|
.Fa size_val .
|
|
.Pp
|
|
.Fn getacflg
|
|
returns the audit system flags via the the passed character buffer
|
|
.Va auditstr
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn getacna
|
|
returns the non-attributable flags via the passed character buffer
|
|
.Va auditstr
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn getacpol
|
|
returns the audit policy flags via the passed character buffer
|
|
.Va auditstr
|
|
of length
|
|
.Va len .
|
|
.Pp
|
|
.Fn au_poltostr
|
|
converts a numeric audit policy mask,
|
|
.Va policy ,
|
|
value to a string in the passed character buffer
|
|
.Va buf
|
|
of lenth
|
|
.Va maxsize .
|
|
.Pp
|
|
.Fn au_strtopol
|
|
converts an audit policy flags string,
|
|
.Va polstr ,
|
|
to a numeric audit policy mask returned via
|
|
.Va policy .
|
|
.Sh RETURN VALULES
|
|
.Fn getacdir ,
|
|
.Fn getacmin ,
|
|
.Fn getacflg ,
|
|
.Fn getacna ,
|
|
.Fn getacpol ,
|
|
and
|
|
.Fn au_strtopol
|
|
return 0 on success, or a negative value on failure, along with error
|
|
information in
|
|
.Va errno .
|
|
.Pp
|
|
.Fn au_poltostr
|
|
returns a string length of 0 or more on success, or a negative value on
|
|
if there is a failure.
|
|
.Pp
|
|
Functions that return a string value will return a failure if there is
|
|
insufficient room in the passed character buffer for the full string.
|
|
.Sh SEE ALSO
|
|
.Xr libbsm 3 ,
|
|
.Xr audit_control 5
|
|
.Sh AUTHORS
|
|
This software was created by Robert Watson, Wayne Salamon, and Suresh
|
|
Krishnaswamy for McAfee Research, the security research division of McAfee,
|
|
Inc., under contract to Apple Computer, Inc.
|
|
.Pp
|
|
The Basic Security Module (BSM) interface to audit records and audit event
|
|
stream format were defined by Sun Microsystems.
|
|
.Sh HISTORY
|
|
The OpenBSM implementation was created by McAfee Research, the security
|
|
division of McAfee Inc., under contract to Apple Computer, Inc., in 2004.
|
|
It was subsequently adopted by the TrustedBSD Project as the foundation for
|
|
the OpenBSM distribution.
|
|
.Sh BUGS
|
|
These routines cannot currently distinguish between an entry not being found
|
|
and an error accessing the database.
|
|
The implementation should be changed to return an error via
|
|
.Va errno
|
|
when
|
|
.Dv NULL
|
|
is returned.
|
|
.Sh BUGS
|
|
There is no reason for the
|
|
.Fn setac
|
|
interface to be exposed as part of the public API, as it is called implicitly
|
|
by other access functions and iteration is not supported.
|
|
.Pp
|
|
These interfaces inconsistently return various negative values depending on
|
|
the failure mode, and do not always set
|
|
.Va errno
|
|
on failure.
|