upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-04-26 16:47:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/contrib/openbsm/bin/auditreduce/auditreduce.1
Robert Watson 52267f7411 Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both 
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).

- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
  audit_bsm_token.c.
- Synchronize bsm includes and definitions.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

--

OpenBSM 1.1 alpha 2

- Include files in OpenBSM are now broken out into two parts: library builds
  required solely for user space, and system includes, which may also be
  required for use in the kernels of systems integrating OpenBSM.  Submitted
  by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
  include for system includes, rather than the versions bundled with OpenBSM.
  This is intended specifically for platforms that ship OpenBSM, have adapted
  versions of the system includes in a kernel source tree, and will use the
  OpenBSM build infrastructure with an unmodified OpenBSM distribution,
  allowing the customized system includes to be used with the OpenBSM build.
  Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
  or asprintf().  Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
  BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
  on the host generating the record.
- Add support for setting extended host information in the kernel, which is
  used for setting host information in extended header tokens.  The
  audit_control file now supports a "host" parameter which can be used by
  auditd to set the information; if not present, the kernel parameters won't
  be set and auditd uses unextended headers for records that it generates.

OpenBSM 1.1 alpha 1

- Add option to auditreduce(1) which allows users to invert sense of
  matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
  event there is an error writing the subject token.  This was submitted
  by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
  that const strings can be passed as arguments to tokens.  This patch was
  submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
2008-12-02 23:26:43 +00:00

197 lines
6.5 KiB
Groff
Raw Blame History

.\" Copyright (c) 2004 Apple Inc.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of Apple Inc. ("Apple") nor the names of
.\" its contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#17 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
.Os
.Sh NAME
.Nm auditreduce
.Nd "select records from audit trail files"
.Sh SYNOPSIS
.Nm
.Op Fl A
.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl c Ar flags
.Op Fl d Ar YYYYMMDD
.Op Fl e Ar euid
.Op Fl f Ar egid
.Op Fl g Ar rgid
.Op Fl j Ar id
.Op Fl m Ar event
.Op Fl o Ar object Ns = Ns Ar value
.Op Fl r Ar ruid
.Op Fl u Ar auid
.Op Fl v
.Op Ar
.Sh DESCRIPTION
The
.Nm
utility selects records from the audit trail files based on the specified
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
If no
.Ar file
argument is specified, the standard input is used
by default.
Use the
.Xr praudit 1
utility to print the selected audit records in human-readable form.
.Pp
The options are as follows:
.Bl -tag -width indent
.It Fl A
Select all records.
.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred after or on the given datetime.
.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred before the given datetime.
.It Fl c Ar flags
Select records matching the given audit classes specified as a comma
separated list of audit flags.
See
.Xr audit_control 5
for a description of audit flags.
.It Fl d Ar YYYYMMDD
Select records that occurred on a given date.
This option cannot be used with
.Fl a
or
.Fl b .
.It Fl e Ar euid
Select records with the given effective user ID or name.
.It Fl f Ar egid
Select records with the given effective group ID or name.
.It Fl g Ar rgid
Select records with the given real group ID or name.
.It Fl j Ar id
Select records having a subject token with matching ID.
.It Fl m Ar event
Select records with the given event name or number. This option can
be used more then once to select records of multiple event types.
See
.Xr audit_event 5
for a description of audit event names and numbers.
.It Fl o Ar object Ns = Ns Ar value
.Bl -tag -width ".Cm msgqid"
.It Cm file
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
Regular expressions which are prefixed with a tilde
.Pq Ql ~
are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
.Pp
Since commas are used to delimit the regular expressions, a backslash
.Pq Ql \e
character should be used to escape the comma if it is a part of the search
pattern.
.It Cm msgqid
Select records containing the given message queue ID.
.It Cm pid
Select records containing the given process ID.
.It Cm semid
Select records containing the given semaphore ID.
.It Cm shmid
Select records containing the given shared memory ID.
.El
.It Fl r Ar ruid
Select records with the given real user ID or name.
.It Fl u Ar auid
Select records with the given audit ID.
.It Fl v
Invert sense of matching, to select records that do not match.
.El
.Sh EXAMPLES
To select all records associated with effective user ID root from the audit
log
.Pa /var/audit/20031016184719.20031017122634 :
.Bd -literal -offset indent
auditreduce -e root \e
/var/audit/20031016184719.20031017122634
.Ed
.Pp
To select all
.Xr setlogin 2
events from that log:
.Bd -literal -offset indent
auditreduce -m AUE_SETLOGIN \e
/var/audit/20031016184719.20031017122634
.Ed
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
.Xr praudit 1
command.
.Pp
Select all records containing a path token where the pathname contains
.Pa /etc/master.passwd :
.Bd -literal -offset indent
auditreduce -o file="/etc/master.passwd" \e
/var/audit/20031016184719.20031017122634
.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
.Bd -literal -offset indent
auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
/var/audit/20031016184719.20031017122634
.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
.Pa /dev/ttyp2 :
.Bd -literal -offset indent
auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
/var/audit/20031016184719.20031017122634
.Ed
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
.Xr audit_event 5
.Sh HISTORY
The OpenBSM implementation was created by McAfee Research, the security
division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
Additional authors include
.An Wayne Salamon ,
.An Robert Watson ,
and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
Reference in a new issue View git blame Copy permalink