author | Robert Watson <rwatson@FreeBSD.org> | 2006-06-05 10:52:12 +0000 |
---|---|---|
committer | Robert Watson <rwatson@FreeBSD.org> | 2006-06-05 10:52:12 +0000 |
commit | 506764c6f65f497f91be0d771f4ae9fb3b9131aa (patch) | |
tree | 2d2171f90c9151a544718a2e3551008dff00b9ed /contrib/openbsm/libbsm/audit_submit.3 | |
parent | 3b97a967e1e992eaa2010e8a42f23f51760bc8cb (diff) | |
download | src-506764c6f65f497f91be0d771f4ae9fb3b9131aa.tar.gz src-506764c6f65f497f91be0d771f4ae9fb3b9131aa.zip |
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 6:
- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
au_close_buffer().
- Support a more complete range of data types for the arbitrary data token:
add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
buffer. Not likely to be used much by applications, but useful for
writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not just
kernel -- this is not a Solaris BSM API so can be modified without
causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
argument to the ordinary au_to_header32(), which is now implemented by
wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL
the APIs that invoke gettimeofday(), rather than having a variable
definition. Don't try to retrieve time zone information using
gettimeofday(), as it's not needed, and introduces possible failure
modes.
- Don't perform byte order transformations on the addr/machine fields of
the terminal ID that appears in the process32/subject32 tokens. These
are assumed to be IP addresses, and as such, to be in network byte
order.
- Universally, APIs now assume that IP addresses and ports are provided
in network byte order. APIs now generally provide these types in
network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
error information.
- Support for audit filters introduced: audit filters are dynamically
loaded shared objects that run in the context of a new daemon,
auditfilterd. The daemon reads from an audit pipe and feeds both BSM and
parsed versions of records to shared objects using a module API. This
will provide a framework for the writing of intrusion detection services.
- New utility API, audit_submit(), added to capture common elements of audit
record submission for many applications.
Obtained from: TrustedBSD Project
Notes:
svn path=/vendor/openbsm/dist/; revision=159248
Diffstat (limited to 'contrib/openbsm/libbsm/audit_submit.3')
-rw-r--r-- | contrib/openbsm/libbsm/audit_submit.3 | 126 |
1 files changed, 126 insertions, 0 deletions
diff --git a/contrib/openbsm/libbsm/audit_submit.3 b/contrib/openbsm/libbsm/audit_submit.3 new file mode 100644 index 000000000000..9e4d23008dca --- /dev/null +++ b/contrib/openbsm/libbsm/audit_submit.3 
@@ -0,0 +1,126 @@ +.\" +.\" Copyright (c) 2006 Christian S.J. Peron +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/libbsm/audit_submit.3#8 $ +.\" +.Dd May 29, 2006 +.Dt audit_submit 3 +.Os +.Sh NAME +.Nm audit_submit +.Nd general purpose audit record submission +.Sh LIBRARY +.Lb libbsm +.Sh SYNOPSIS +.In stdio.h +.Ft int +.Fn audit_submit "short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ... +.Sh DESCRIPTION +The +.Nm +function provides a generic programming interface for audit record submission. +This audit record will contain a header, subject token, an optional text token, +return token, and a trailer. +The header will contain the event class specified by +.Fa au_event . +The subject token will be generated based on +.Fa au_ctx . +The return token is dependant on the +.Fa status +and +.Fa reterr +arguments. +Optionally, a text token will be created as a part of this record. +.Pp +Text token output is under the control of a +.Fa format +string that specifies how subsequent arguments (or arguments accessed via the +variable-length argument facilities of +.Xr stdarg 3 ) +are converted for output. +If +.Fa format +is NULL, then no text token is created in the audit record. +.Pp +It should be noted that +.Nm +assumes that +.Xr setaudit 2 , +or +.Xr setaudit_addr 2 +has already been called. +As a direct result, the terminal ID for the +subject will be retrieved from the kernel via +.Xr getaudit 2 , +or +.Xr getaudit_addr 2 . 
+.Sh EXAMPLES +.Bd -literal -offset indent +#include <bsm/audit.h> +#include <bsm/libbsm.h> +#include <bsm/audit_uevents.h> + +#include <stdio.h> +#include <stdarg.h> +#include <errno.h> + +int +audit_bad_su(char *from_login, char *to_login) +{ + int error; + + error = audit_submit(AUE_su, getuid(), 1, EPERM, + "bad su from %s to %s", from_login, to_login); + return (error); +} +.Ed +.Pp +Will generate the following audit record: +.Bd -literal -offset indent +header,94,1,su(1),0,Mon Apr 17 23:23:59 2006, + 271 msec +subject,root,root,wheel,root,wheel,652,652,0,0.0.0.0 +text,bad su from from csjp to root +return,failure : Operation not permitted,1 +trailer,94 +.Ed +.Sh SEE ALSO +.Xr auditon 2 , +.Xr getaudit 2 , +.Xr libbsm 3 , +.Xr stdarg 3 +.Sh HISTORY +The +.Nm +function first appeared in OpenBSM version 1.0. +OpenBSM 1.0 was introduced in FreeBSD 7.0. +.Sh AUTHORS +The +.Nm +function was written by +.An Christian S.J. Peron Aq csjp@FreeBSD.org . |
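Review bot: The DESCRIPTION says the subject token "will be generated based on .Fa au_ctx", but no `au_ctx` parameter exists in the SYNOPSIS (`"short au_event" "au_id_t auid" "char status" "int reterr" "const char * restrict format" ...`); this should reference `.Fa auid`, with the terminal ID coming from getaudit(2)/getaudit_addr(2) as the last paragraph already explains. Same paragraph: "dependant" should be "dependent", and "event class specified by .Fa au_event" is misleading since the argument is an event type number (the example passes `AUE_su`), not a class. The SYNOPSIS lists only `.In stdio.h`, while the example needs `<bsm/libbsm.h>` for the prototype and `<bsm/audit_uevents.h>` for `AUE_su`; list those headers in the SYNOPSIS. In the EXAMPLES section the rendered text token `text,bad su from from csjp to root` has a doubled "from" that the format string `"bad su from %s to %s"` cannot produce, and the example passes `getuid()` for an `au_id_t auid` argument, which is the audit ID rather than the real uid (consider getauid(2) here, and `<unistd.h>` is missing for whichever call is used). Finally, the license header carries Christian S.J. Peron's copyright but clause 3 and the disclaimer name Apple Computer, Inc.; the names should agree with the copyright holder.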
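The man page above shows what a record built by audit_submit() looks like once rendered as text (header, subject, optional text, return, trailer). As an added example, not part of this commit or of OpenBSM, the following Python parses that comma-separated text rendering back into records and flags failed su(1) attempts, which is the kind of check an audit-pipe consumer or an auditfilterd-style module would run. The sample records are constructed to match the shape shown in the man page; the field names `auid`, `euid`, `egid`, `ruid`, `rgid`, `pid`, `sid`, `tid_port`, `tid_addr` for the subject token are this example's own labels.

```python
"""Parse praudit-style text records and flag failed su(1) attempts.

Added example; not code from the OpenBSM commit or the audit_submit(3) man page.
Record layout (header, subject, optional text, return, trailer) follows the
example output in the man page; the sample lines below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: one failed su (what audit_submit(AUE_su, ..., 1, EPERM,
# "bad su from %s to %s", ...) renders as) followed by one successful su.
SAMPLE = """\
header,94,1,su(1),0,Mon Apr 17 23:23:59 2006, + 271 msec
subject,root,root,wheel,root,wheel,652,652,0,0.0.0.0
text,bad su from csjp to root
return,failure : Operation not permitted,1
trailer,94
header,77,1,su(1),0,Mon Apr 17 23:24:10 2006, + 12 msec
subject,csjp,csjp,csjp,csjp,csjp,660,660,0,0.0.0.0
return,success,0
trailer,77
"""

# Labels for the nine subject fields; names are this example's assumption.
SUBJECT_FIELDS = ("auid", "euid", "egid", "ruid", "rgid",
                  "pid", "sid", "tid_port", "tid_addr")


@dataclass
class Record:
    length: int                      # record length from the header token
    event: str                       # event name, e.g. "su(1)"
    timestamp: str
    subject: Dict[str, str] = field(default_factory=dict)
    text: Optional[str] = None       # free-form text token, if present
    status: Optional[str] = None     # "success" or "failure : <strerror>"
    retval: Optional[int] = None
    trailer_length: Optional[int] = None

    @property
    def failed(self) -> bool:
        return self.status is not None and self.status.startswith("failure")

    @property
    def consistent(self) -> bool:
        # header and trailer both carry the record length; they must agree
        return self.trailer_length == self.length


def parse_records(text: str) -> List[Record]:
    """Split a stream of text tokens into records delimited by header/trailer."""
    records: List[Record] = []
    current: Optional[Record] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        kind, _, rest = line.partition(",")
        if kind == "header":
            if current is not None:
                raise ValueError(f"line {lineno}: header before previous trailer")
            f = rest.split(",")
            # header fields: length, version, event, modifier, time, " + N msec"
            if len(f) < 6:
                raise ValueError(f"line {lineno}: short header token")
            current = Record(length=int(f[0]), event=f[2],
                             timestamp=",".join(f[4:]).strip())
            continue
        if current is None:
            raise ValueError(f"line {lineno}: token outside of a record")
        if kind == "subject":
            f = rest.split(",")
            if len(f) != len(SUBJECT_FIELDS):
                raise ValueError(f"line {lineno}: subject has {len(f)} fields")
            current.subject = dict(zip(SUBJECT_FIELDS, f))
        elif kind == "text":
            current.text = rest              # text may itself contain commas
        elif kind == "return":
            status, _, retval = rest.rpartition(",")
            current.status, current.retval = status, int(retval)
        elif kind == "trailer":
            current.trailer_length = int(rest)
            records.append(current)
            current = None
        # other token kinds (path, exec args, ...) are not needed here
    if current is not None:
        raise ValueError("unterminated record: header without trailer")
    return records


def failed_su_attempts(records: List[Record]) -> List[Tuple[Optional[str], Optional[str]]]:
    """Return (audit ID, text token) for every su(1) record whose return token is a failure."""
    return [(r.subject.get("auid"), r.text)
            for r in records if r.event == "su(1)" and r.failed]


if __name__ == "__main__":
    for auid, msg in failed_su_attempts(parse_records(SAMPLE)):
        print(f"failed su by audit ID {auid}: {msg}")
```

The header/trailer length check is cheap and worth keeping: a record whose trailer length does not match its header is either truncated or mis-split, and a consumer should not act on its return token.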