| author | Robert Watson <rwatson@FreeBSD.org> | 2006-01-31 19:40:12 +0000 |
|---|---|---|
| committer | Robert Watson <rwatson@FreeBSD.org> | 2006-01-31 19:40:12 +0000 |
| commit | ca0716f5714781ac39461f60647d795321921363 (patch) | |
| tree | c4e450cb39e9c6a30103f365387470a9c9566bca | /contrib/openbsm/bin/auditreduce/auditreduce.1 |
Diffstat (limited to 'contrib/openbsm/bin/auditreduce/auditreduce.1')

| -rw-r--r-- | contrib/openbsm/bin/auditreduce/auditreduce.1 | 153 |
|---|---|---|

1 file changed, 153 insertions, 0 deletions
diff --git a/contrib/openbsm/bin/auditreduce/auditreduce.1 b/contrib/openbsm/bin/auditreduce/auditreduce.1 new file mode 100644 index 0000000000000..6374e5b911508 --- /dev/null +++ b/contrib/openbsm/bin/auditreduce/auditreduce.1 
@@ -0,0 +1,153 @@ +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of +.\" its contributors may be used to endorse or promote products derived +.\" from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR +.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING +.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. 
+.\" +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#6 $ +.\" +.Dd Jan 24, 2004 +.Dt AUDITREDUCE 1 +.Os +.Sh NAME +.Nm auditreduce +.Nd "select records from audit trail files" +.Sh SYNOPSIS +.Nm auditreduce +.Op Fl A +.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl c Ar flags +.Op Fl d Ar YYYYMMDD +.Op Fl e Ar euid +.Op Fl f Ar egid +.Op Fl g Ar rgid +.Op Fl r Ar ruid +.Op Fl u Ar auid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object=value +.Op Ar file ... +.Sh DESCRIPTION +The +.Nm +utility selects records from the audit trail files based on the specified +criteria. +Matching audit records are printed to the standard output in +their raw binary form. +If no filename is specified, the standard input is used +by default. +Use the +.Nm praudit +utility to print the selected audit records in human-readable form. +See +.Xr praudit 1 +for more information. +.Pp +The options are as follows: +.Bl -tag -width Ds +.It Fl A +Select all records. +.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred after or on the given datetime. +.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +Select records that occurred before the given datetime. +.It Fl c Ar flags +Select records matching the given audit classes specified as a comma +separated list of audit flags. +See +.Xr audit_control 5 +for a description of audit flags. +.It Fl d Ar YYYYMMDD +Select records that occurred on a given date. +This option cannot be used with +.Fl a +or +.Fl b +.It Fl e Ar euid +Select records with the given effective user id or name. +.It Fl f Ar egid +Select records with the given effective group id or name. +.It Fl g Ar rgid +Select records with the given real group id or name. +.It Fl r Ar ruid +Select records with the given real user id or name. +.It Fl u Ar auid +Select records with the given audit id. +.It Fl j Ar id +Select records having a subject token with matching ID. +.It Fl m Ar event +Select records with the given event name or number. 
+See +.Xr audit_event 5 +for a description of audit event names and numbers. +.It Fl o Ar object=value +.Bl -tag -width Ds +.It Nm file +Select records containing the given path name. +file="/usr" matches paths +starting with +.Pa usr . +file="~/usr" matches paths not starting with +.Pa usr . +.It Nm msgqid +Select records containing the given message queue id. +.It Nm pid +Select records containing the given process id. +.It Nm semid +Select records containing the given semaphore id. +.It Nm shmid +Select records containing the given shared memory id. +.El +.El +.Sh Examples +.Pp +To select all records associated with effective user ID root from the audit +log /var/audit/20031016184719.20031017122634: +.Pp +.Nm +-e root /var/audit/20031016184719.20031017122634 +.Pp +To select all +.Xr setlogin 2 +events from that log: +.Pp +.Nm +-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Sh SEE ALSO +.Xr audit_control 5 , +.Xr audit_event 5 , +.Xr praudit 1 +.Sh AUTHORS +This software was created by McAfee Research, the security research division +of McAfee, Inc., under contract to Apple Computer Inc. +Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +.Pp +The Basic Security Module (BSM) interface to audit records and audit event +stream format were defined by Sun Microsystems. +.Sh HISTORY +The OpenBSM implementation was created by McAfee Research, the security +division of McAfee Inc., under contract to Apple Computer Inc. in 2004. +It was subsequently adopted by the TrustedBSD Project as the foundation for +the OpenBSM distribution. |
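Review bot: the `-o file=` description in this hunk contradicts itself: the example argument is `file="/usr"`, but the text says it matches paths "starting with `.Pa usr`", and the same mismatch is repeated for the negated form `file="~/usr"`. Since this is the filter an administrator will rely on when carving a path-scoped subset out of an audit trail, the prefix should be stated exactly as it is matched, i.e. `.Pa /usr .` in both places, and it would help to say whether the comparison is on the raw prefix or on a path component boundary. Smaller mdoc points in the same hunk: the nested object list uses `.It Nm file`, `.It Nm msgqid`, etc., but `.Nm` is the program-name macro and will render these as if they were the utility name; `.Cm` is the conventional choice for literal keywords like these. The `-d` entry ends with `.Fl b` and no sentence terminator, so the trailing period is lost (`.Fl b .` fixes it). `.Sh Examples` should be `.Sh EXAMPLES` to match the other upper-case section headers, and the `.Pp` immediately following it is redundant. Finally, SEE ALSO lists `audit_control 5`, `audit_event 5`, then `praudit 1`; mdoc convention orders cross-references by section number first, so `praudit 1` belongs at the top.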