[Midnightbsd-cvs] src: man/man4: add man pages for audit(4) and auditpipe(4)

laffer1 at midnightbsd.org laffer1 at midnightbsd.org
Sun Mar 29 12:22:41 EDT 2009


Log Message:
-----------
add man pages for audit(4) and auditpipe(4)

Modified Files:
--------------
    src/share/man/man4:
        Makefile (r1.12 -> r1.13)

Added Files:
-----------
    src/share/man/man4:
        audit.4 (r1.1)
        auditpipe.4 (r1.1)

-------------- next part --------------
--- /dev/null
+++ share/man/man4/auditpipe.4
@@ -0,0 +1,256 @@
+.\" Copyright (c) 2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/share/man/man4/auditpipe.4,v 1.5 2006/12/14 16:40:57 mpp Exp $
+.\"
+.Dd May 5, 2006
+.Os
+.Dt AUDITPIPE 4
+.Sh NAME
+.Nm auditpipe
+.Nd "pseudo-device for live audit event tracking"
+.Sh SYNOPSIS
+.Cd "options AUDIT"
+.Sh DESCRIPTION
+While audit trail files
+generated with
+.Xr audit 4
+and maintained by
+.Xr auditd 8
+provide a reliable long-term store for audit log information, current log
+files are owned by the audit daemon until terminated making them somewhat
+unwieldy for live monitoring applications such as host-based intrusion
+detection.
+For example, the log may be cycled and new records written to a new file
+without notice to applications that may be accessing the file.
+.Pp
+The audit facility provides an audit pipe facility for applications requiring
+direct access to live BSM audit data for the purposes of real-time
+monitoring.
+Audit pipes are available via a clonable special device,
+.Pa /dev/auditpipe ,
+subject to the permissions on the device node, and provide a
+.Qq tee
+of the audit event stream.
+As the device is clonable, more than one instance of the device may be opened
+at a time; each device instance will provide independent access to all
+records.
+.Pp
+The audit pipe device provides discrete BSM audit records; if the read buffer
+passed by the application is too small to hold the next record in the
+sequence, it will be dropped.
+Unlike audit data written to the audit trail, the reliability of record
+delivery is not guaranteed.
+In particular, when an audit pipe queue fills, records will be dropped.
+Audit pipe devices are blocking by default, but support non-blocking I/O,
+asynchronous I/O using
+.Dv SIGIO ,
+and polled operation via
+.Xr select 2
+and
+.Xr poll 2 .
+.Pp
+Applications may choose to track the global audit trail, or configure local
+preselection parameters independent of the global audit trail parameters.
+.Ss Audit Pipe Queue Ioctls
+The following ioctls retrieve and set various audit pipe record queue
+properties:
+.Bl -tag -width ".Dv AUDITPIPE_GET_MAXAUDITDATA"
+.It Dv AUDITPIPE_GET_QLEN
+Query the current number of records available for reading on the pipe.
+.It Dv AUDITPIPE_GET_QLIMIT
+Retrieve the current maximum number of records that may be queued for reading
+on the pipe.
+.It Dv AUDITPIPE_SET_QLIMIT
+Set the current maximum number of records that may be queued for reading on
+the pipe.
+The new limit must fall between the queue limit minimum and queue limit
+maximum queryable using the following two ioctls.
+.It Dv AUDITPIPE_GET_QLIMIT_MIN
+Query the lowest possible maximum number of records that may be queued for
+reading on the pipe.
+.It Dv AUDITPIPE_GET_QLIMIT_MAX
+Query the highest possible maximum number of records that may be queued for
+reading on the pipe.
+.It Dv AUDITPIPE_FLUSH
+Flush all outstanding records on the audit pipe; useful after setting initial
+preselection properties to delete records queued during the configuration
+process which may not match the interests of the user process.
+.It Dv AUDITPIPE_GET_MAXAUDITDATA
+Query the maximum size of an audit record, which is a useful minimum size for
+a user space buffer intended to hold audit records read from the audit pipe.
+.El
+.Ss Audit Pipe Preselection Mode Ioctls
+By default, the audit pipe facility configures pipes to present records
+matched by the system-wide audit trail, configured by
+.Xr auditd 8 .
+However, the preselection mechanism for audit pipes can be configured using
+alternative criteria, including pipe-local flags and naflags settings, as
+well as auid-specific selection masks.
+This allows applications to track events not captured in the global audit
+trail, as well as limit records presented to those of specific interest to
+the application.
+.Pp
+The following ioctls configure the preselection mode on an audit pipe:
+.Bl -tag -width ".Dv AUDITPIPE_GET_PRESELECT_MODE"
+.It Dv AUDITPIPE_GET_PRESELECT_MODE
+Return the current preselect mode on the audit pipe.
+The ioctl argument should be of type
+.Vt int .
+.It Dv AUDITPIPE_SET_PRESELECT_MODE
+Set the current preselection mode on the audit pipe.
+The ioctl argument should be of type
+.Vt int .
+.El
+.Pp
+Possible preselection mode values are:
+.Bl -tag -width ".Dv AUDITPIPE_PRESELECT_MODE_TRAIL"
+.It Dv AUDITPIPE_PRESELECT_MODE_TRAIL
+Use the global audit trail preselection parameters to select records for the
+audit pipe.
+.It Dv AUDITPIPE_PRESELECT_MODE_LOCAL
+Use local audit pipe preselection; this model is similar to the global audit
+trail configuration model, consisting of global flags and naflags parameters,
+as well as a set of per-auid masks.
+These parameters are configured using further ioctls.
+.El
+.Pp
+After changing the audit pipe preselection mode, records selected under
+earlier preselection configuration may still be in the audit pipe queue.
+The application may flush the current record queue after changing the
+configuration to remove possibly undesired records.
+.Ss Audit Pipe Local Preselection Mode Ioctls
+The following ioctls configure the preselection parameters used when an audit
+pipe is configured for the
+.Dv AUDITPIPE_PRESELECT_MODE_LOCAL
+preselection mode.
+.Bl -tag -width ".Dv AUDITPIPE_GET_PRESELECT_NAFLAGS"
+.It Dv AUDITPIPE_GET_PRESELECT_FLAGS
+Retrieve the current default preselection flags for attributable events on
+the pipe.
+These flags correspond to the
+.Va flags
+field in
+.Xr audit_control 5 .
+The ioctl argument should be of type
+.Vt u_int .
+.It Dv AUDITPIPE_SET_PRESELECT_FLAGS
+Set the current default preselection flags for attributable events on the
+pipe.
+These flags correspond to the
+.Va flags
+field in
+.Xr audit_control 5 .
+The ioctl argument should be of type
+.Vt u_int .
+.It Dv AUDITPIPE_GET_PRESELECT_NAFLAGS
+Retrieve the current default preselection flags for non-attributable events
+on the pipe.
+These flags correspond to the
+.Va naflags
+field in
+.Xr audit_control 5 .
+The ioctl argument should be of type
+.Vt u_int .
+.It Dv AUDITPIPE_SET_PRESELECT_NAFLAGS
+Set the current default preselection flags for non-attributable events on the
+pipe.
+These flags correspond to the
+.Va naflags
+field in
+.Xr audit_control 5 .
+The ioctl argument should be of type
+.Vt u_int .
+.It Dv AUDITPIPE_GET_PRESELECT_AUID
+Query the current preselection masks for a specific auid on the pipe.
+The ioctl argument should be of type
+.Vt "struct auditpipe_preselect" .
+The auid to query is specified via the
+.Va ap_auid
+field of type
+.Vt au_id_t ;
+the mask will be returned via
+.Va ap_mask
+of type
+.Vt au_mask_t .
+.It Dv AUDITPIPE_SET_PRESELECT_AUID
+Set the current preselection masks for a specific auid on the pipe.
+Arguments are identical to
+.Dv AUDITPIPE_GET_PRESELECT_AUID ,
+except that the caller should properly initialize the
+.Va ap_mask
+field to hold the desired preselection mask.
+.It Dv AUDITPIPE_DELETE_PRESELECT_AUID
+Delete the current preselection mask for a specific auid on the pipe.
+Once called, events associated with the specified auid will use the default
+flags mask.
+The ioctl argument should be of type
+.Vt au_id_t .
+.It Dv AUDITPIPE_FLUSH_PRESELECT_AUID
+Delete all auid specific preselection specifications.
+.El
+.Sh EXAMPLES
+The
+.Xr praudit 1
+utility
+may be directly executed on
+.Pa /dev/auditpipe
+to review the default audit trail.
+.Sh SEE ALSO
+.Xr poll 2 ,
+.Xr select 2 ,
+.Xr audit 4 ,
+.Xr audit_control 5 ,
+.Xr audit 8 ,
+.Xr auditd 8
+.Sh HISTORY
+The OpenBSM implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Pp
+Support for kernel audit first appeared in
+.Fx 6.2 .
+.Sh AUTHORS
+The audit pipe facility was designed and implemented by
+.An Robert Watson Aq rwatson at FreeBSD.org .
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Sh BUGS
+See the
+.Xr audit 4
+manual page for information on audit-related bugs and limitations.
+.Pp
+The configurable preselection mechanism mirrors the selection model present
+for the global audit trail.
+It might be desirable to provided a more flexible selection model.
+.Pp
+The per-pipe audit event queue is fifo, with drops occurring if either the
+user thread provides in sufficient for the record on the queue head, or on
+enqueue if there is insufficient room.
+It might be desirable to support partial reads of records, which would be
+more compatible with buffered I/O as implemented in system libraries, and to
+allow applications to select which records are dropped, possibly in the style
+of preselection.
--- /dev/null
+++ share/man/man4/audit.4
@@ -0,0 +1,146 @@
+.\" Copyright (c) 2006 Robert N. M. Watson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/share/man/man4/audit.4,v 1.10 2006/12/14 16:40:57 mpp Exp $
+.\"
+.Dd May 5, 2006
+.Os
+.Dt AUDIT 4
+.Sh NAME
+.Nm audit
+.Nd Security Event Audit
+.Sh SYNOPSIS
+.Cd "options AUDIT"
+.Sh DESCRIPTION
+Security Event Audit is a facility to provide fine-grained, configurable
+logging of security-relevant events, and is intended to meet the requirements
+of the Common Criteria (CC) Common Access Protection Profile (CAPP)
+evaluation.
+The
+.Fx
+.Nm
+facility implements the de facto industry standard BSM API, file
+formats, and command line interface, first found in the Solaris operating
+system.
+Information on the user space implementation can be found in
+.Xr libbsm 3 .
+.Pp
+Audit support is enabled at boot, if present in the kernel, using an
+.Xr rc.conf 5
+flag.
+The audit daemon,
+.Xr auditd 8 ,
+is responsible for configuring the kernel to perform
+.Nm ,
+pushing
+configuration data from the various audit configuration files into the
+kernel.
+.Ss Audit Special Device
+The kernel
+.Nm
+facility provides a special device,
+.Pa /dev/audit ,
+which is used by
+.Xr auditd 8
+to monitor for
+.Nm
+events, such as requests to cycle the log, low disk
+space conditions, and requests to terminate auditing.
+This device is not intended for use by applications.
+.Ss Audit Pipe Special Devices
+Audit pipe special devices, discussed in
+.Xr auditpipe 4 ,
+provide a configurable live tracking mechanism to allow applications to
+tee the audit trail, as well as to configure custom preselection parameters
+to track users and events in a fine-grained manner.
+.Sh SEE ALSO
+.Xr auditreduce 1 ,
+.Xr praudit 1 ,
+.Xr audit 2 ,
+.Xr auditctl 2 ,
+.Xr auditon 2 ,
+.Xr getaudit 2 ,
+.Xr getauid 2 ,
+.Xr poll 2 ,
+.Xr select 2 ,
+.Xr setaudit 2 ,
+.Xr setauid 2 ,
+.Xr libbsm 3 ,
+.Xr auditpipe 4 ,
+.Xr audit_class 5 ,
+.Xr audit_control 5 ,
+.Xr audit_event 5 ,
+.Xr audit.log 5 ,
+.Xr audit_user 5 ,
+.Xr audit_warn 5 ,
+.Xr rc.conf 5 ,
+.Xr audit 8 ,
+.Xr auditd 8
+.Sh HISTORY
+The
+.Tn OpenBSM
+implementation was created by McAfee Research, the security
+division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
+It was subsequently adopted by the TrustedBSD Project as the foundation for
+the OpenBSM distribution.
+.Pp
+Support for kernel
+.Nm
+first appeared in
+.Fx 6.2 .
+.Sh AUTHORS
+.An -nosplit
+This software was created by McAfee Research, the security research division
+of McAfee, Inc., under contract to Apple Computer Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
+.Pp
+The Basic Security Module (BSM) interface to audit records and audit event
+stream format were defined by Sun Microsystems.
+.Pp
+This manual page was written by
+.An Robert Watson Aq rwatson at FreeBSD.org .
+.Sh BUGS
+The
+.Nm
+facility in
+.Fx
+is considered experimental, and production deployment should occur only after
+careful consideration of the risks of deploying experimental software.
+.Pp
+The
+.Fx
+kernel does not fully validate that audit records submitted by user
+applications are syntactically valid BSM; as submission of records is limited
+to privileged processes, this is not a critical bug.
+.Pp
+Instrumentation of auditable events in the kernel is not complete, as some
+system calls do not generate audit records, or generate audit records with
+incomplete argument information.
+.Pp
+Mandatory Access Control (MAC) labels, as provided by the
+.Xr mac 4
+facility, are not audited as part of records involving MAC decisions.
Index: Makefile
===================================================================
RCS file: /home/cvs/src/share/man/man4/Makefile,v
retrieving revision 1.12
retrieving revision 1.13
diff -L share/man/man4/Makefile -L share/man/man4/Makefile -u -r1.12 -r1.13
--- share/man/man4/Makefile
+++ share/man/man4/Makefile
@@ -28,6 +28,8 @@
 	ath_hal.4 \
 	atkbd.4 \
 	atkbdc.4 \
+	audit.4 \
+	auditpipe.4 \
 	aue.4 \
 	awi.4 \
 	axe.4 \


More information about the Midnightbsd-cvs mailing list