From owner-p4-projects@FreeBSD.ORG Tue Oct 3 14:11:39 2006
Return-Path:
X-Original-To: p4-projects@freebsd.org
Delivered-To: p4-projects@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 32767) id CEBB416A5C8; Tue, 3 Oct 2006 14:11:38 +0000 (UTC)
X-Original-To: perforce@freebsd.org
Delivered-To: perforce@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6BCEF16A4F6 for ; Tue, 3 Oct 2006 14:11:38 +0000 (UTC) (envelope-from ru@freebsd.org)
Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1F37F43D55 for ; Tue, 3 Oct 2006 14:11:37 +0000 (GMT) (envelope-from ru@freebsd.org)
Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id k93EBbPw012129 for ; Tue, 3 Oct 2006 14:11:37 GMT (envelope-from ru@freebsd.org)
Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id k93EBamY012126 for perforce@freebsd.org; Tue, 3 Oct 2006 14:11:36 GMT (envelope-from ru@freebsd.org)
Date: Tue, 3 Oct 2006 14:11:36 GMT
Message-Id: <200610031411.k93EBamY012126@repoman.freebsd.org>
X-Authentication-Warning: repoman.freebsd.org: perforce set sender to ru@freebsd.org using -f
From: Ruslan Ermilov
To: Perforce Change Reviews
Cc:
Subject: PERFORCE change 107171 for review
X-BeenThere: p4-projects@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: p4 projects tree changes
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 03 Oct 2006 14:11:39 -0000

http://perforce.freebsd.org/chv.cgi?CH=107171

Change 107171 by ru@ru_edoofus on 2006/10/03 14:11:12

- Sort options.
- Fix markup.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 (text+ko) ====
@@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#13 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -34,21 +34,21 @@ .Nm auditreduce .Nd "select records from audit trail files" .Sh SYNOPSIS -.Nm auditreduce +.Nm .Op Fl A -.Op Fl a Ar YYYYMMDD[HH[MM[SS]]] -.Op Fl b Ar YYYYMMDD[HH[MM[SS]]] +.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS +.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS .Op Fl c Ar flags .Op Fl d Ar YYYYMMDD .Op Fl e Ar euid .Op Fl f Ar egid .Op Fl g Ar rgid +.Op Fl j Ar id +.Op Fl m Ar event +.Op Fl o Ar object Ns = Ns Ar value .Op Fl r Ar ruid .Op Fl u Ar auid -.Op Fl j Ar id -.Op Fl m Ar event -.Op Fl o Ar object=value -.Op Ar file ... +.Op Ar .Sh DESCRIPTION The .Nm @@ -56,22 +56,21 @@ criteria. Matching audit records are printed to the standard output in their raw binary form. -If no filename is specified, the standard input is used +If no +.Ar file +argument is specified, the standard input is used by default. Use the -.Nm praudit +.Xr praudit 1 utility to print the selected audit records in human-readable form. -See -.Xr praudit 1 -for more information. .Pp The options are as follows: -.Bl -tag -width Ds +.Bl -tag -width indent .It Fl A Select all records. -.It Fl a Ar YYYYMMDD[HH[MM[SS]]] +.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS Select records that occurred after or on the given datetime. -.It Fl b Ar YYYYMMDD[HH[MM[SS]]] +.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS Select records that occurred before the given datetime. .It Fl c Ar flags Select records matching the given audit classes specified as a comma 
@@ -86,15 +85,11 @@ or .Fl b . .It Fl e Ar euid -Select records with the given effective user id or name. +Select records with the given effective user ID or name. .It Fl f Ar egid -Select records with the given effective group id or name. +Select records with the given effective group ID or name. .It Fl g Ar rgid -Select records with the given real group id or name. -.It Fl r Ar ruid -Select records with the given real user id or name. -.It Fl u Ar auid -Select records with the given audit id. +Select records with the given real group ID or name. .It Fl j Ar id Select records having a subject token with matching ID. .It Fl m Ar event 
@@ -102,45 +97,53 @@ See .Xr audit_event 5 for a description of audit event names and numbers. -.It Fl o Ar object=value -.Bl -tag -width Ds -.It Nm file +.It Fl o Ar object Ns = Ns Ar value +.Bl -tag -width ".Cm msgqid" +.It Cm file Select records containing path tokens, where the pathname matches one of the comma delimited extended regular expression contained in given specification. -Regular expressions which are prefixed with a tilde (~) are excluded +Regular expressions which are prefixed with a tilde +.Pq Ql ~ +are excluded from the search results. These extended regular expressions are processed from left to right, and a path will either be selected or deslected based on the first match. .Pp -Since commas are used to delimit the regular expressions, a backslash (\\) -character should be used to escape the comma if it's a part of the search +Since commas are used to delimit the regular expressions, a backslash +.Pq Ql \e +character should be used to escape the comma if it is a part of the search pattern. -.It Nm msgqid -Select records containing the given message queue id. -.It Nm pid -Select records containing the given process id. -.It Nm semid -Select records containing the given semaphore id. -.It Nm shmid -Select records containing the given shared memory id. +.It Cm msgqid +Select records containing the given message queue ID. +.It Cm pid +Select records containing the given process ID. +.It Cm semid +Select records containing the given semaphore ID. +.It Cm shmid +Select records containing the given shared memory ID. .El +.It Fl r Ar ruid +Select records with the given real user ID or name. +.It Fl u Ar auid +Select records with the given audit ID. 
.El -.Sh Examples -.Pp +.Sh EXAMPLES To select all records associated with effective user ID root from the audit log .Pa /var/audit/20031016184719.20031017122634 : -.Pp -.Nm --e root /var/audit/20031016184719.20031017122634 +.Bd -literal -offset indent +auditreduce -e root \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp To select all .Xr setlogin 2 events from that log: -.Pp -.Nm --m AUE_SETLOGIN /var/audit/20031016184719.20031017122634 +.Bd -literal -offset indent +auditreduce -m AUE_SETLOGIN \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Output from the above command lines will typically be piped to a new trail file, or via standard output to the @@ -148,23 +151,26 @@ command. .Pp Select all records containing a path token where the pathname contains -.Pa /etc/master.passwd -.Pp -.Nm --ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634 +.Pa /etc/master.passwd : +.Bd -literal -offset indent +auditreduce -o file="/etc/master.passwd" \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Select all records containing path tokens, where the pathname is a TTY device: -.Pp -.Nm --ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Bd -literal -offset indent +auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e + /var/audit/20031016184719.20031017122634 +.Ed .Pp Select all records containing path tokens, where the pathname is a TTY except for -.Pa /dev/ttyp2 -.Pp -.Nm --ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634 +.Pa /dev/ttyp2 : +.Bd -literal -offset indent +auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e + /var/audit/20031016184719.20031017122634 +.Ed .Sh SEE ALSO .Xr praudit 1 , .Xr audit_control 5 , 
@@ -175,9 +181,13 @@ It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution. .Sh AUTHORS +.An -nosplit This software was created by McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer Inc. -Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc. +Additional authors include +.An Wayne Salamon , +.An Robert Watson , +and SPARTA Inc. .Pp The Basic Security Module (BSM) interface to audit records and audit event stream format were defined by Sun Microsystems.
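Review bot: in the SYNOPSIS hunk (@@ -34,21 +34,21 @@), the trailing operand is now written as a bare `.Op Ar`, which relies on mdoc(7) rendering `.Ar` with no argument as the default string "file ..."; that does reproduce the old `[file ...]` output, and it is consistent with the new `.Ar file` reference in the DESCRIPTION, but `.Op Ar file ...` would say the same thing without depending on the default and is easier for the next editor to read.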
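Review bot: the `-o file` hunk (@@ -102,45 +97,53 @@) keeps two wording defects in its unchanged context that a markup-fixing pass should take along: the context line "and a path will either be selected or deslected based on the first match." has the typo "deslected" (should be "deselected"), and the preceding sentence "matches one of the comma delimited extended regular expression contained in given specification" reads better as "matches one of the comma-delimited extended regular expressions contained in the given specification". The `.Pq Ql \e` replacement for the old `\\` is the right fix, since `\e` is the portable roff escape for a printable backslash.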
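Review bot: the EXAMPLES hunks (@@ -148,23 +151,26 @@ and the preceding `.Sh EXAMPLES` hunk) change the documented invocation from `-ofile="..."` to `-o file="..."`; both spellings are accepted by getopt(3) and the new one matches the `.Op Fl o Ar object Ns = Ns Ar value` form in the SYNOPSIS, but it is a user-visible wording change rather than pure markup, so either mention it in the change description alongside "Fix markup" or consider whether the `.Dd January 24, 2004` line should be bumped as well. Moving the examples into `.Bd -literal -offset indent` blocks with `\e` continuations is a clear improvement over the bare `.Nm` lines, which rendered the command name and its arguments on separate lines.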