Diffstat (limited to 'framework/src/audit/docs')
-rw-r--r--  framework/src/audit/docs/Makefile.am  59
-rw-r--r--  framework/src/audit/docs/audispd-zos-remote.8  241
-rw-r--r--  framework/src/audit/docs/audispd.8  60
-rw-r--r--  framework/src/audit/docs/audispd.conf.5  50
-rw-r--r--  framework/src/audit/docs/audit.rules.7  171
-rw-r--r--  framework/src/audit/docs/audit_add_rule_data.3  49
-rw-r--r--  framework/src/audit/docs/audit_add_watch.3  23
-rw-r--r--  framework/src/audit/docs/audit_delete_rule_data.3  23
-rw-r--r--  framework/src/audit/docs/audit_detect_machine.3  23
-rw-r--r--  framework/src/audit/docs/audit_encode_nv_string.3  26
-rw-r--r--  framework/src/audit/docs/audit_get_reply.3  21
-rw-r--r--  framework/src/audit/docs/audit_getloginuid.3  25
-rw-r--r--  framework/src/audit/docs/audit_log_acct_message.3  44
-rw-r--r--  framework/src/audit/docs/audit_log_semanage_message.3  53
-rw-r--r--  framework/src/audit/docs/audit_log_user_avc_message.3  40
-rw-r--r--  framework/src/audit/docs/audit_log_user_comm_message.3  45
-rw-r--r--  framework/src/audit/docs/audit_log_user_command.3  37
-rw-r--r--  framework/src/audit/docs/audit_log_user_message.3  42
-rw-r--r--  framework/src/audit/docs/audit_open.3  34
-rw-r--r--  framework/src/audit/docs/audit_request_rules_list_data.3  25
-rw-r--r--  framework/src/audit/docs/audit_request_signal_info.3  33
-rw-r--r--  framework/src/audit/docs/audit_request_status.3  44
-rw-r--r--  framework/src/audit/docs/audit_set_backlog_limit.3  26
-rw-r--r--  framework/src/audit/docs/audit_set_backlog_wait_time.3  26
-rw-r--r--  framework/src/audit/docs/audit_set_enabled.3  27
-rw-r--r--  framework/src/audit/docs/audit_set_failure.3  38
-rw-r--r--  framework/src/audit/docs/audit_set_pid.3  24
-rw-r--r--  framework/src/audit/docs/audit_set_rate_limit.3  24
-rw-r--r--  framework/src/audit/docs/audit_setloginuid.3  25
-rw-r--r--  framework/src/audit/docs/audit_update_watch_perms.3  23
-rw-r--r--  framework/src/audit/docs/auditctl.8  315
-rw-r--r--  framework/src/audit/docs/auditd.8  74
-rw-r--r--  framework/src/audit/docs/auditd.conf.5  304
-rw-r--r--  framework/src/audit/docs/augenrules.8  41
-rw-r--r--  framework/src/audit/docs/auparse_add_callback.3  69
-rw-r--r--  framework/src/audit/docs/auparse_destroy.3  23
-rw-r--r--  framework/src/audit/docs/auparse_feed.3  111
-rw-r--r--  framework/src/audit/docs/auparse_feed_has_data.3  29
-rw-r--r--  framework/src/audit/docs/auparse_find_field.3  23
-rw-r--r--  framework/src/audit/docs/auparse_find_field_next.3  24
-rw-r--r--  framework/src/audit/docs/auparse_first_field.3  22
-rw-r--r--  framework/src/audit/docs/auparse_first_record.3  22
-rw-r--r--  framework/src/audit/docs/auparse_flush_feed.3  30
-rw-r--r--  framework/src/audit/docs/auparse_get_field_int.3  22
-rw-r--r--  framework/src/audit/docs/auparse_get_field_name.3  24
-rw-r--r--  framework/src/audit/docs/auparse_get_field_str.3  24
-rw-r--r--  framework/src/audit/docs/auparse_get_field_type.3  22
-rw-r--r--  framework/src/audit/docs/auparse_get_filename.3  26
-rw-r--r--  framework/src/audit/docs/auparse_get_line_number.3  27
-rw-r--r--  framework/src/audit/docs/auparse_get_milli.3  25
-rw-r--r--  framework/src/audit/docs/auparse_get_node.3  25
-rw-r--r--  framework/src/audit/docs/auparse_get_num_fields.3  22
-rw-r--r--  framework/src/audit/docs/auparse_get_num_records.3  22
-rw-r--r--  framework/src/audit/docs/auparse_get_record_text.3  22
-rw-r--r--  framework/src/audit/docs/auparse_get_serial.3  25
-rw-r--r--  framework/src/audit/docs/auparse_get_time.3  26
-rw-r--r--  framework/src/audit/docs/auparse_get_timestamp.3  36
-rw-r--r--  framework/src/audit/docs/auparse_get_type.3  23
-rw-r--r--  framework/src/audit/docs/auparse_goto_record_num.3  21
-rw-r--r--  framework/src/audit/docs/auparse_init.3  37
-rw-r--r--  framework/src/audit/docs/auparse_interpret_field.3  24
-rw-r--r--  framework/src/audit/docs/auparse_next_event.3  22
-rw-r--r--  framework/src/audit/docs/auparse_next_field.3  22
-rw-r--r--  framework/src/audit/docs/auparse_next_record.3  21
-rw-r--r--  framework/src/audit/docs/auparse_node_compare.3  22
-rw-r--r--  framework/src/audit/docs/auparse_reset.3  23
-rw-r--r--  framework/src/audit/docs/auparse_timestamp_compare.3  22
-rw-r--r--  framework/src/audit/docs/aureport.8  131
-rw-r--r--  framework/src/audit/docs/ausearch-expression.5  241
-rw-r--r--  framework/src/audit/docs/ausearch.8  208
-rw-r--r--  framework/src/audit/docs/ausearch_add_expression.3  71
-rw-r--r--  framework/src/audit/docs/ausearch_add_interpreted_item.3  60
-rw-r--r--  framework/src/audit/docs/ausearch_add_item.3  60
-rw-r--r--  framework/src/audit/docs/ausearch_add_regex.3  31
-rw-r--r--  framework/src/audit/docs/ausearch_add_timestamp_item.3  57
-rw-r--r--  framework/src/audit/docs/ausearch_add_timestamp_item_ex.3  57
-rw-r--r--  framework/src/audit/docs/ausearch_clear.3  23
-rw-r--r--  framework/src/audit/docs/ausearch_next_event.3  24
-rw-r--r--  framework/src/audit/docs/ausearch_set_stop.3  37
-rw-r--r--  framework/src/audit/docs/autrace.8  38
-rw-r--r--  framework/src/audit/docs/get_auditfail_action.3  79
-rw-r--r--  framework/src/audit/docs/libaudit.conf.5  25
-rw-r--r--  framework/src/audit/docs/set_aumessage_mode.3  56
-rw-r--r--  framework/src/audit/docs/zos-remote.conf.5  69
84 files changed, 0 insertions, 4320 deletions
diff --git a/framework/src/audit/docs/Makefile.am b/framework/src/audit/docs/Makefile.am
deleted file mode 100644
index 3f748806..00000000
--- a/framework/src/audit/docs/Makefile.am
+++ /dev/null
@@ -1,59 +0,0 @@
-# Makefile.am --
-# Copyright 2004-09,2012,2014 Red Hat Inc., Durham, North Carolina.
-# All Rights Reserved.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 2 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-# Authors:
-# Steve Grubb <sgrubb@redhat.com>
-#
-
-CONFIG_CLEAN_FILES = *.rej *.orig
-
-EXTRA_DIST = $(man_MANS)
-
-man_MANS = audit_add_rule_data.3 audit_add_watch.3 auditctl.8 auditd.8 \
-auditd.conf.5 audit_delete_rule_data.3 audit_detect_machine.3 \
-audit_encode_nv_string.3 audit_getloginuid.3 \
-audit_get_reply.3 auparse_goto_record_num.3 \
-audit_log_acct_message.3 audit_log_user_avc_message.3 \
-audit_log_user_command.3 audit_log_user_comm_message.3 \
-audit_log_user_message.3 audit_log_semanage_message.3 \
-audit_open.3 audit_request_rules_list_data.3 \
-audit_request_signal_info.3 audit_request_status.3 audit.rules.7 \
-audit_set_backlog_limit.3 audit_set_enabled.3 audit_set_failure.3 \
-audit_setloginuid.3 audit_set_pid.3 audit_set_rate_limit.3 \
-audit_update_watch_perms.3 auparse_add_callback.3 \
-auparse_destroy.3 auparse_feed.3 auparse_feed_has_data.3 auparse_find_field.3 \
-auparse_find_field_next.3 auparse_first_field.3 auparse_first_record.3 \
-auparse_flush_feed.3 auparse_get_field_int.3 auparse_get_field_name.3 \
-auparse_get_field_str.3 auparse_get_field_type.3 auparse_get_filename.3 \
-auparse_get_line_number.3 auparse_get_milli.3 \
-auparse_get_node.3 auparse_get_num_fields.3 \
-auparse_get_num_records.3 auparse_get_record_text.3 \
-auparse_get_serial.3 auparse_get_time.3 auparse_get_timestamp.3 \
-auparse_get_type.3 auparse_init.3 auparse_interpret_field.3 \
-auparse_next_event.3 auparse_next_field.3 auparse_next_record.3 \
-auparse_node_compare.3 auparse_reset.3 auparse_timestamp_compare.3 \
-ausearch-expression.5 \
-aureport.8 ausearch.8 ausearch_add_item.3 ausearch_add_interpreted_item.3 \
-ausearch_add_expression.3 ausearch_add_timestamp_item.3 ausearch_add_regex.3 \
-ausearch_add_timestamp_item_ex.3 ausearch_clear.3 \
-ausearch_next_event.3 ausearch_set_stop.3 \
-autrace.8 get_auditfail_action.3 set_aumessage_mode.3 \
-audispd.8 audispd.conf.5 audispd-zos-remote.8 libaudit.conf.5 \
-augenrules.8 audit_set_backlog_wait_time.3 \
-zos-remote.conf.5
-
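Review bot: the removed man_MANS list and "EXTRA_DIST = $(man_MANS)" are what install and ship these pages, and this view is limited to framework/src/audit/docs, so it does not show whether the parent build files stop referencing this directory. Confirm the same commit drops docs from the parent SUBDIRS and from the configure output list; if either still names docs/Makefile, the build will fail on the missing Makefile.am.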
diff --git a/framework/src/audit/docs/audispd-zos-remote.8 b/framework/src/audit/docs/audispd-zos-remote.8
deleted file mode 100644
index b6a742d5..00000000
--- a/framework/src/audit/docs/audispd-zos-remote.8
+++ /dev/null
@@ -1,241 +0,0 @@
-.\" Copyright (c) International Business Machines Corp., 2007
-.\"
-.\" This program is free software; you can redistribute it and/or
-.\" modify it under the terms of the GNU General Public License as
-.\" published by the Free Software Foundation; either version 2 of
-.\" the License, or (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
-.\" the GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston,
-.\" MA 02111-1307 USA
-.\"
-.\" Changelog:
-.\" 2007-10-06, created by Klaus Heinrich Kiwi <klausk@br.ibm.com>
-.\"
-.TH AUDISP-RACF 8 "Oct 2007" "IBM" "System Administration Utilities"
-.SH NAME
-audispd\-zos\-remote \- z/OS Remote-services Audit dispatcher plugin
-.SH SYNOPSIS
-.B audispd\-zos\-remote [
-.I config-file
-.B ]
-.SH DESCRIPTION
-.B audispd\-zos\-remote
-is a remote-auditing plugin for the Audit subsystem. It should be started by the
-.BR audispd (8)
-daemon and will forward all incoming audit events, as they happen, to a configured z/OS SMF (Service Management Facility) database, through an IBM Tivoli Directory Server (ITDS) set for Remote Audit service.
-See
-.B SMF MAPPING
-section below for more information about the resulting SMF record format.
-
-.BR audispd (8)
-must be configured to start the plugin. This is done by a configuration file usually located at
-.IR /etc/audisp/plugins.d/audispd\-zos\-remote.conf ,
-but multiple instances can be spawned by having multiple configuration files in
-.I /etc/audisp/plugins.d
-for the same plugin executable (see
-.BR audispd (8)).
-
-Each instance needs a configuration file, located by default at
-.IR /etc/audisp/zos\-remote.conf .
-Check
-.BR zos\-remote.conf (5)
-for details about the plugin configuration.
-
-.SH OPTIONS
-.IP config-file
-Use an alternate configuration file instead of
-.IR /etc/audisp/zos\-remote.conf .
-
-.SH SIGNALS
-.B audispd\-zos\-remote
-reacts to SIGTERM and SIGHUP signals (according to the
-.BR audispd (8)
-specification):
-.TP
-.B SIGHUP
-Instructs the
-.B audispd\-zos\-remote
-plugin to re-read it's configuration and flush existing network connections.
-.TP
-.B SIGTERM
-Performs a clean exit.
-.B audispd\-zos\-remote
-will wait up to 10 seconds if there are queued events to be delivered, dropping any remaining queued events after that time.
-
-.SH IBM z/OS ITDS Server and RACF configuration
-In order to use this plugin, you must have an IBM z/OS v1R8 (or higher) server with IBM Tivoli Directory Server (ITDS) configured for Remote Audit service. For more detailed information about how to configure the z/OS server for Remote Auditing, refer to
-.B z/OS V1R8.0-9.0 Intergrated Security Services Enterprise Identity Mapping (EIM) Guide and Reference
-.nf
-.RI ( http://publibz.boulder.ibm.com/cgi\-bin/bookmgr_OS390/FRAMESET/EIMA1140/CCONTENTS?DT=20070827115119 ),
-chapter "2.0 - Working with remote services".
-.fi
-
-.SS Enable ITDS to process Remote Audit requests
-To enable ITSD to process Remote Audit requests, the user ID associated with ITDS must be granted READ access to the IRR.AUDITX FACILITY Class profile (the profile used to protect the R_Auditx service). This user ID can usually be found in the STARTED Class profile for the ITDS started procedure. If the identity associated with ITDS is
-.IR ITDSUSER ,
-the administrator can configure RACF to grant Remote Auditing processing to ITDS with the following TSO commands:
-.TP
-.I TSO Commands: Grant ITDSUSER READ access to IRR.AUDITX FACILITY Class profile
-.nf
-rdefine FACILITY IRR.RAUDITX uacc(none)
-permit IRR.RAUDITX class(FACILITY) id(ITDSUSER) access(READ)
-.fi
-
-.SS Create/enable RACF user ID to perform Remote Audit requests
-A z/OS RACF user ID is needed by the plugin - Every Audit request performed by the plugin will use a RACF user ID, as configured in the plugin configuration
-.BR zos\-remote.conf (5).
-This user ID needs READ access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT. If the user ID is
-.IR BINDUSER ,
-the administrator can configure RACF to enable this user to perform Remote Auditing requests with the following TSO commands:
-.TP
-.I TSO Commands: Enable BINDUSER to perform Remote Audit requests
-.nf
-rdefine FACILITY IRR.LDAP.REMOTE.AUDIT uacc(none)
-permit IRR.LDAP.REMOTE.AUDIT class(FACILITY) id(BINDUSER) access(READ)
-.fi
-
-.SS Add @LINUX Class to RACF
-When performing remote auditing requests, the
-.B audispd\-zos\-remote
-plugin will use the special
-.B @LINUX
-.I CDT Class
-and the audit record type (eg.:
-.BR SYSCALL ,
-.BR AVC ,
-.BR PATH ...)
-as the
-.I CDT Resource Class
-for all events processed.
-To make sure events are logged, the RACF server must be configured with a Dynamic CDT Class named
-.B @LINUX
-with correct sizes and attributes. The following TSO commands can be used to add this class:
-.TP
-.I TSO Commands: Add @LINUX CDT Class
-.nf
-rdefine cdt @LINUX cdtinfo(posit(493) FIRST(alpha,national,numeric,special) OTHER(alpha,national,numeric,special) RACLIST(REQUIRED) case(asis) generic(allowed) defaultuacc(none) maxlength(246))
-setr classact(cdt)
-setr raclist(cdt)
-setr raclist(cdt) refresh
-setr classact(@LINUX)
-setr raclist(@LINUX)
-setr generic(@LINUX)
-.fi
-
-.SS Add profiles to the @LINUX Class
-Once the CDT Class has been defined, you can add profiles to it, specifying resources (wildcards allowed) to log or ignore. The following are examples:
-.TP
-.I TSO Commands: Log only AVC records (One generic and one discrete profile):
-.nf
-rdefine @LINUX * uacc(none) audit(none(read))
-rdefine @LINUX AVC uacc(none) audit(all(read))
-setr raclist(@LINUX) refresh
-.fi
-
-.TP
-.I TSO Commands: Log everything (One generic profile):
-.nf
-rdefine @LINUX * uacc(none) audit(all(read))
-setr raclist(@LINUX) refresh
-.fi
-
-.P
-Resources always match the single profile with the
-.I best
-match.
-
-There are many other ways to define logging in RACF. Please refer to the server documentation for more details.
-
-.SH SMF Mapping
-The ITDS Remote Audit service will cut SMF records of type 83 subtype 4 everytime it processes a request. This plugin will issue a remote audit request for every incoming Linux Audit record (meaning that one Linux record will map to one SMF record), and fill this type's records with the following:
-.SS Link Value
-The Linux event serial number, encoded in network-byte order hexadecimal representation. Records within the same Event share the same Link Value.
-.SS Violation
-Always zero (0) -
-.I False
-.SS Event Code
-Always two (2) -
-.I Authorization
-event
-.SS Event Qualifier
-Zero (0) -
-.IR Success ,
-if the event reported
-.B success=yes
-or
-.BR res=success ,
-Three (3) -
-.IR Fail ,
-if the event reported
-.B success=no
-or
-.BR res=failed ,
-or One (1) -
-.I Info
-otherwise.
-.SS Class
-Always
-.I @LINUX
-.SS Resource
-The Linux record type for the processed record. e.g.:
-.IR SYSCALL , AVC , PATH , CWD
-etc.
-.SS Log String
-Textual message bringing the RACF user ID used to perform the request, plus the Linux hostname and the record type for the first record in the processed event. e.g.:
-.I Remote audit request from RACFUSER. Linux (hostname.localdomain):USER_AUTH
-.SS Data Field List
-Also known as
-.IR relocates ,
-this list will bring all the field names and values in a
-.B fieldname=value
-format, as a type 114
-.RB ( "Appication specific Data" )
-relocate. The plug-in will try to interpret those fields (i.e.: use human-readable username
-.B root
-instead of numeric userid
-.BR 0 )
-whenever possible. Currently, this plugin will also add a relocate type 113
-.RB ( "Date And Time Security Event Occurred" )
-with the Event Timestamp in the format as returned by
-.BR ctime (3).
-
-.SH ERRORS
-Errors and warnings are reported to syslog (under DAEMON facility). In situations where the event was submitted but the z/OS server returned an error condition, the logged message brings a name followed by a human-readable description. Below are some common errors conditions:
-
-.TP
-.B NOTREQ - No logging required
-Resource (audit record type) is not set to be logged in the RACF server - The @LINUX Class profile governing this audit record type is set to ignore. See
-.B IBM z/OS RACF Server configuration
-.TP
-.B UNDETERMINED - Undetermined result
-No profile found for specified resource. There is no @LINUX Class configured or no @LINUX Class profile associated with this audit record type. See
-.B IBM z/OS RACF Server configuration
-.TP
-.B UNAUTHORIZED - The user does not have authority the R_auditx service
-The user ID associated with the ITDS doesn't have READ access to the IRR.AUDITX FACILITY Class profile. See
-.B IBM z/OS RACF Server configuration
-.TP
-.B UNSUF_AUTH - The user has unsuficient authority for the requested function
-The RACF user ID used to perform Remote Audit requests (as configured in
-.BR zos-remote.conf (5))
-don't have access to the IRR.LDAP.REMOTE.AUDIT FACILITY Class profile. See
-.B IBM z/OS RACF Server configuration
-
-.SH BUGS
-The plugin currently does remote auditing in a best-effort basis, and will dischard events in case the z/OS server cannot be contacted (network failures) or in any other case that event submission fails.
-
-.SH FILES
-/etc/audisp/plugins.d/audispd\-zos\-remote.conf
-/etc/audisp/zos\-remote.conf
-.SH "SEE ALSO"
-.BR auditd (8),
-.BR zos\-remote.conf (5).
-.SH AUTHOR
-Klaus Heinrich Kiwi <klausk@br.ibm.com>
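Review bot: in "Enable ITDS to process Remote Audit requests" the prose and the caption name the profile IRR.AUDITX, while the two TSO commands under it define and permit IRR.RAUDITX, and the UNAUTHORIZED entry in ERRORS repeats IRR.AUDITX. If this page is being carried elsewhere rather than dropped, reconcile the name so an administrator chasing UNAUTHORIZED checks the FACILITY profile that was actually created. The ERRORS entries also point to "IBM z/OS RACF Server configuration", which does not match the section heading "IBM z/OS ITDS Server and RACF configuration", and the BUGS statement that events are discarded when the z/OS server cannot be reached is the only place the best-effort delivery is documented, so it should stay visible to operators wherever the plugin remains in use.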
diff --git a/framework/src/audit/docs/audispd.8 b/framework/src/audit/docs/audispd.8
deleted file mode 100644
index e4333248..00000000
--- a/framework/src/audit/docs/audispd.8
+++ /dev/null
@@ -1,60 +0,0 @@
-.TH AUDISPD: "8" "Sept 2007" "Red Hat" "System Administration Utilities"
-.SH NAME
-audispd \- an event multiplexor
-.SH SYNOPSIS
-.B audispd
-.SH DESCRIPTION
-\fBaudispd\fP is an audit event multiplexor. It has to be started by the audit daemon in order to get events. It takes audit events and distributes them to child programs that want to analyze events in realtime. When the audit daemon receives a SIGTERM or SIGHUP, it passes that signal to the dispatcher, too. The dispatcher in turn passes those signals to its child processes.
-
-The child programs install a configuration file in a plugins directory, \fI/etc/audisp/plugins.d\fP. Filenames are not allowed to have more than one '.' in the name or it will be treated as a backup copy and skipped. Options are given one per line with an equal sign between the keyword and its value. The available options are as follows:
-
-.TP
-.I active
-The options for this are
-.IR yes
-or
-.IR no.
-.TP
-.I direction
-The option is dictated by the plugin.
-.IR In
-or
-.IR out
-are the only choices. You cannot make a plugin operate in a way it wasn't designed just by changing this option.This option is to give a clue to the event dispatcher about which direction events flow. NOTE: inbound events are not supported yet.
-.TP
-.I path
-This is the absolute path to the plugin executable. In the case of internal plugins, it would be the name of the plugin.
-.TP
-.I type
-This tells the dispatcher how the plugin wants to be run. Choices are
-.IR builtin
-and
-.IR always.
-.IR Builtin
-should always be given for plugins that are internal to the audit event dispatcher. These are af_unix and syslog. The option
-.IR always
-should be given for most if not all plugins. The default setting is
-.IR always.
-.TP
-.I args
-This allows you to pass arguments to the child program. Generally plugins do not take arguments and have their own config file that instructs them how they should be configured. At the moment, there is a limit of 2 args.
-.TP
-.I format
-The valid options for this are
-.IR binary
-and
-.IR string.
-.IR Binary
-passes the data exactly as the audit event dispatcher gets it from the audit daemon. The
-.IR string
-option tells the dispatcher to completely change the event into a string suitable for parsing with the audit parsing library. The default value is
-.IR string.
-
-.SH FILES
-/etc/audisp/audispd.conf
-/etc/audisp/plugins.d
-.SH "SEE ALSO"
-.BR audispd.conf (5),
-.BR auditd (8).
-.SH AUTHOR
-Steve Grubb
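Review bot: the plugins.d paragraph in DESCRIPTION says a file name with more than one '.' is treated as a backup copy and skipped, and the args entry gives a limit of 2 arguments, but neither says whether the dispatcher reports the skipped file or the extra arguments. For a forwarding plugin a skipped configuration file means the plugin is never started, so if this page is kept or moved it should say how an administrator detects that. Minor: ".TH AUDISPD:" carries a stray colon, and "option.This" in the direction entry is missing a space.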
diff --git a/framework/src/audit/docs/audispd.conf.5 b/framework/src/audit/docs/audispd.conf.5
deleted file mode 100644
index 5955a8fe..00000000
--- a/framework/src/audit/docs/audispd.conf.5
+++ /dev/null
@@ -1,50 +0,0 @@
-.TH AUDISPD.CONF: "5" "March 2014" "Red Hat" "System Administration Utilities"
-.SH NAME
-audispd.conf \- the audit event dispatcher configuration file
-.SH DESCRIPTION
-\fBaudispd.conf\fP is the file that controls the configuration of the audit event dispatcher. Each line should contain one configuration keyword, an equal sign, and then followed by appropriate configuration information. All option names and values are case insensitive. The keywords recognized are listed and described below. Each line should be limited to 160 characters or the line will be skipped. You may add comments to the file by starting the line with a '#' character.
-
-.TP
-.I q_depth
-This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 80.
-.TP
-.I overflow_action
-This option determines how the daemon should react to overflowing its internal queue. When this happens, it means that more events are being received than it can get rid of. This error means that it is going to lose the current event its trying to dispatch. It has the following choices:
-.IR ignore ", " syslog ", " suspend ", " single ", and " halt ".
-If set to
-.IR ignore ,
-the audisp daemon does nothing.
-.I syslog
-means that it will issue a warning to syslog.
-.I suspend
-will cause the audisp daemon to stop processing events. The daemon will still be alive. The
-.I single
-option will cause the audisp daemon to put the computer system in single user mode.
-.I halt
-option will cause the audisp daemon to shutdown the computer system.
-.TP
-.I priority_boost
-This is a non-negative number that tells the audit event dispatcher how much of a priority boost it should take. This boost is in addition to the boost provided from the audit daemon. The default is 4. No change is 0.
-.TP
-.I max_restarts
-This is a non-negative number that tells the audit event dispatcher how many times it can try to restart a crashed plugin. The default is 10.
-.TP
-.I name_format
-This option controls how computer node names are inserted into the audit event stream. It has the following choices:
-.IR none ", " hostname ", " fqd ", " numeric ", and " user ".
-.IR None
-means that no computer name is inserted into the audit event.
-.IR hostname
-is the name returned by the gethostname syscall. The
-.IR fqd
-means that it takes the hostname and resolves it with dns for a fully qualified domain name of that machine.
-.IR Numeric
-is similar to fqd except it resolves the IP address of the machine.
-.IR User
-is an admin defined string from the name option. The default value is
-.IR none ".
-.TP
-.I name
-This is the admin defined string that identifies the machine if user is given as the name_format option.
-.SH "SEE ALSO"
-.BR audispd (8)
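Review bot: the overflow_action entry lists ignore, syslog, suspend, single and halt but, unlike q_depth, priority_boost, max_restarts and name_format, never states its default, and that default decides whether a dropped audit event is noticed at all. State it if this page is kept or moved. Minor: the name_format entry ends with an unbalanced quote in ".IR none "." and the sentence starting at ".I halt" lacks the leading "The" that the single sentence has.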
diff --git a/framework/src/audit/docs/audit.rules.7 b/framework/src/audit/docs/audit.rules.7
deleted file mode 100644
index 24e467c9..00000000
--- a/framework/src/audit/docs/audit.rules.7
+++ /dev/null
@@ -1,171 +0,0 @@
-.TH AUDIT.RULES: "7" "Aug 2014" "Red Hat" "System Administration Utilities"
-.SH NAME
-audit.rules \- a set of rules loaded in the kernel audit system
-.SH DESCRIPTION
-\fBaudit.rules\fP is a file containing audit rules that will be loaded by the audit daemon's init script whenever the daemon is started. The auditctl program is used by the initscripts to perform this operation. The syntax for the rules is essentially the same as when typing in an auditctl command at a shell prompt except you do not need to type the auditctl command name since that is implied. The audit rules come in 3 varieties:
-.IR control ", " file ", and " syscall ".
-
-.SS Control
-Control commands generally involve configuring the audit system rather than telling it what to watch for. These commands typically include deleting all rules, setting the size of the kernel's backlog queue, setting the failure mode, setting the event rate limit, or to tell auditctl to ignore syntax errors in the rules and continue loading. Generally, these rules are at the top of the rules file.
-
-.SS File System
-File System rules are sometimes called watches. These rules are used to audit access to particular files or directories that you may be interested in. If the path given in the rule is a directory, then the rule used is recursive to the bottom of the directory tree excluding any directories that may be mount points. The syntax of these rules generally follow this format:
-
-.nf
-.B \-w path-to-file \-p permissions \-k keyname
-.fi
-
-where the permission are any one of the following:
-
-.RS
-.TP 2
-.B r
-- read of the file
-.TP
-.B w
-- write to the file
-.TP
-.B x
-- execute the file
-.TP
-.B a
-- change in the file's attribute
-.RE
-.SS System Call
-The system call rules are loaded into a matching engine that intercepts each syscall that all programs on the system makes. Therefore it is very important to only use syscall rules when you have to since these affect performance. The more rules, the bigger the performance hit. You can help the performance, though, by combining syscalls into one rule whenever possible.
-
-The Linux kernel has 4 rule matching lists or filters as they are sometimes called. They are: task, exit, user, and exclude. The task list is checked only during the fork or clone syscalls. It is rarely used in practice.
-
-The exit filter is the place where all syscall and file system audit requests are evaluated.
-
-The user filter is used to filter (remove) some events that originate in user space. By default, any event originating in user space is allowed. So, if there are some events that you do not want to see, then this is a place where some can be removed. See auditctl(8) for fields that are valid.
-
-The exclude filter is used to exclude certain events from being emitted. The msgtype field is used to tell the kernel which message types you do not want to record. This filter can remove the event as a whole and is not selective about any other attribute. The user and exit filters are better suited to selectively auditing events.
-
-Syscall rules take the general form of:
-
-.nf
-.B \-a action,list \-S syscall \-F field=value \-k keyname
-.fi
-
-The
-.B \-a
-option tells the kernel's rule matching engine that we want to append a rule at the end of the rule list. But we need to specify which rule list it goes on and what action to take when it triggers. Valid actions are:
-
-.RS
-.TP 7
-.B always
-- always create an event
-.TP
-.B never
-- never create an event
-.RE
-
-The action and list are separated by a comma but no space in between. Valid lists are:
-.IR task ", " exit ", " user ", and " exclude ". Their meaning was explained earlier.
-
-Next in the rule would normally be the
-.B \-S
-option. This field can either be the syscall name or number. For readability, the name is almost always used. You may give more than one syscall in a rule by specifying another
-.B \-S
-option. When sent into the kernel, all syscall fields are put into a mask so that one compare can determine if the syscall is of interest. So, adding multiple syscalls in one rule is very efficient. When you specify a syscall name, auditctl will look up the name and get its syscall number. This leads to some problems on bi-arch machines. The 32 and 64 bit syscall numbers sometimes, but not always, line up. So, to solve this problem, you would generally need to break the rule into 2 with one specifying \-F arch=b32 and the other specifying \-F arch=b64. This needs to go in front of the
-.B \-S
-option so that auditctl looks at the right lookup table when returning the number.
-
-After the syscall is specified, you would normally have one or more
-.B \-F
-options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.
-
-The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:
-
-.nf
-\-F auid>=500 \-F auid!=4294967295
-.fi
-
-These individual checks are "anded" and both have to be true.
-
-The last thing to know about syscall rules is that you can add a key field which is a free form text string that you want inserted into the event to help identify its meaning. This is discussed in more detail in the NOTES section.
-
-.SH NOTES
-The purpose of auditing is to be able to do an investigation periodically or whenever an incident occurs. A few simple steps in planning up front will make this job easier. The best advice is to use keys in both the watches and system call rules to give the rule a meaning. If rules are related or together meet a specific requirement, then give them a common key name. You can use this during your investigation to select only results with a specific meaning.
-
-When doing an investigation, you would normally start off with the main aureport output to just get an idea about what is happening on the system. This report mostly tells you about events that are hard coded by the audit system such as login/out, uses of authentication, system anomalies, how many users have been on the machine, and if SE Linux has detected any AVCs.
-
-.nf
-aureport \-\-start this-week
-.fi
-
-After looking at the report, you probably want to get a second view about what rules you loaded that have been triggering. This is where keys become important. You would generally run the key summary report like this:
-
-.nf
-aureport \-\-start this-week \-\-key \-\-summary
-.fi
-
-This will give an ordered listing of the keys associated with rules that have been triggering. If, for example, you had a syscall audit rule that triggered on the failure to open files with EPERM that had a key field of access like this:
-
-.nf
-\-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EPERM \-k access
-.fi
-
-Then you can isolate these failures with ausearch and pipe the results to aureport for display. Suppose your investigation noticed a lot of the access denied events. If you wanted to see the files that unauthorized access has been attempted, you could run the following command:
-
-.nf
-ausearch \-\-start this-week \-k access \-\-raw | aureport \-\-file \-\-summary
-.fi
-
-This will give an ordered list showing which files are being accessed with the EPERM failure. Suppose you wanted to see which users might be having failed access, you would run the following command:
-
-.nf
-ausearch \-\-start this-week \-k access \-\-raw | aureport \-\-user \-\-summary
-.fi
-
-If your investigation showed a lot of failed accesses to a particular file, you could run the following report to see who is doing it:
-
-.fi
-ausearch \-\-start this-week \-k access \-f /path-to/file \-\-raw | aureport \-\-user \-i
-.fi
-
-This report will give you the individual access attempts by person. If you needed to see the actual audit event that is being reported, you would look at the date, time, and event columns. Assuming the event was 822 and it occurred at 2:30 on 09/01/2009 and you use the en_US.utf8 locale, the command would look something like this:
-
-.nf
-ausearch \-\-start 09/01/2009 02:30 \-a 822 \-i \-\-just\-one
-.fi
-
-This will select the first event from that day and time with the matching event id and interpret the numeric values into human readable values.
-
-The most important step in being able to do this kind of analysis is setting up key fields when the rules were originally written. It should also be pointed out that you can have more than one key field associated with any given rule.
-
-.SH TROUBLESHOOTING
-If you are not getting events on syscall rules that you think you should, try running a test program under strace so that you can see the syscalls. There is a chance that you might have identified the wrong syscall.
-
-If you get a warning from auditctl saying, "32/64 bit syscall mismatch in line XX, you should specify an arch". This means that you specified a syscall rule on a bi-arch system where the syscall has a different syscall number for the 32 and 64 bit interfaces. This means that on one of those interfaces you are likely auditing the wrong syscall. To solve the problem, re-write the rule as two rules specifying the intended arch for each rule. For example,
-
-.nf
-\-always,exit \-S openat \-k access
-.fi
-
-would be rewritten as
-
-.nf
-\-always,exit \-F arch=b32 \-S openat \-k access
-\-always,exit \-F arch=b64 \-S openat \-k access
-.fi
-
-If you get a warning that says, "entry rules deprecated, changing to exit rule". This means that you have a rule intended for the entry filter, but that filter is no longer available. Auditctl moved your rule to the exit filter so that it's not lost. But to solve this so that you do not get the warning any more, you need to change the offending rule from entry to exit.
-
-.SH EXAMPLES
-The following rule shows how to audit failed access to files due to permission problems. Note that it takes two rules for each arch ABI to audit this since file access can fail with two different failure codes indicating permission problems.
-
-.nf
-.B \-a always,exit \-F arch=b32 \-S open \-S openat \-F exit=\-EACCES \-k access
-.B \-a always,exit \-F arch=b32 \-S open \-S openat \-F exit=\-EPERM \-k access
-.B \-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EACCES \-k access
-.B \-a always,exit \-F arch=b64 \-S open \-S openat \-F exit=\-EPERM \-k access
-.fi
-
-.SH "SEE ALSO"
-.BR auditctl (8),
-.BR auditd (8).
-
-.SH AUTHOR
-Steve Grubb
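Review bot: the TROUBLESHOOTING examples in this removed page are not valid rules as written: all three read "\-always,exit ..." with the "\-a" option missing, so a reader copying them gets a parse error instead of the arch-split rule pair the text describes. The block before the "ausearch ... \-f /path-to/file" example is also opened with ".fi" where ".nf" is needed, so that command is filled like prose. If this page is being replaced by another copy rather than dropped, check that both fixes are in the replacement.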
diff --git a/framework/src/audit/docs/audit_add_rule_data.3 b/framework/src/audit/docs/audit_add_rule_data.3
deleted file mode 100644
index 2321f391..00000000
--- a/framework/src/audit/docs/audit_add_rule_data.3
+++ /dev/null
@@ -1,49 +0,0 @@
-.TH "AUDIT_ADD_RULE_DATA" "3" "Aug 2009" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_add_rule_data \- Add new audit rule
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action);
-
-.SH "DESCRIPTION"
-
-audit_add_rule adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are:
-
-.TP 3
-\(bu
-AUDIT_FILTER_USER - Apply rule to userspace generated messages.
-.TP
-\(bu
-AUDIT_FILTER_TASK - Apply rule at task creation (not syscall).
-.TP
-\(bu
-AUDIT_FILTER_EXIT - Apply rule at syscall exit.
-.TP
-\(bu
-AUDIT_FILTER_TYPE - Apply rule at audit_log_start.
-.LP
-
-.PP
-The rule's action has two possible values:
-
-.TP 3
-\(bu
-AUDIT_NEVER - Do not build context if rule matches.
-.TP
-\(bu
-AUDIT_ALWAYS - Generate audit record if rule matches.
-.LP
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_rule_fieldpair_data(3),
-.BR audit_delete_rule_data (3),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb.
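Review bot: the DESCRIPTION opens with "audit_add_rule adds an audit rule", which does not match the documented function audit_add_rule_data in NAME and SYNOPSIS. In SEE ALSO, ".BR audit_rule_fieldpair_data(3)," lacks the space before "(3)", so the section number is set in bold with the name, unlike the two entries after it. Both are worth correcting in whichever copy of this page remains in use.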
diff --git a/framework/src/audit/docs/audit_add_watch.3 b/framework/src/audit/docs/audit_add_watch.3
deleted file mode 100644
index 66616e76..00000000
--- a/framework/src/audit/docs/audit_add_watch.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUDIT_ADD_WATCH" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_add_watch \- create a rule layout for a watch
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_add_watch(struct audit_rule_data **rulep, const char *path);
-
-.SH "DESCRIPTION"
-
-audit_add_watch will create a watch rule in the pointer to a pointer rulep. All that you need to pass it is the full path to a file and it will initialize the audit_rule_data structure for a watch.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR audit_add_rule_data (3),
-.BR audit_delete_rule_data (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_delete_rule_data.3 b/framework/src/audit/docs/audit_delete_rule_data.3
deleted file mode 100644
index 20c8e131..00000000
--- a/framework/src/audit/docs/audit_delete_rule_data.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUDIT_DELETE_RULE_DATA" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_delete_rule_data \- Delete audit rule
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_delete_rule_data (int fd, struct audit_rule_data *rule, int flags, int action);
-
-.SH "DESCRIPTION"
-
-audit_delete_rule_data is used to delete rules that are currently loaded in the kernel. To delete a rule, you must set up the rules identical to the one being deleted. See audit_add_rule_data for flag and action definitions.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_add_rule_data (3),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_detect_machine.3 b/framework/src/audit/docs/audit_detect_machine.3
deleted file mode 100644
index e6c55b36..00000000
--- a/framework/src/audit/docs/audit_detect_machine.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUDIT_DETECT_MACHINE" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_detect_machine \- Detects the current machine type
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_detect_machine (void);
-
-.SH "DESCRIPTION"
-
-audit_detect_machine queries uname and converts the kernel machine string to an enum value defined in machine_t. The machine type is needed for any use of the audit_name_to_syscall function.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, the return value is the machine's type.
-
-.SH "SEE ALSO"
-
-.BR uname (3),
-.BR audit_name_to_syscall (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_encode_nv_string.3 b/framework/src/audit/docs/audit_encode_nv_string.3
deleted file mode 100644
index 3449786a..00000000
--- a/framework/src/audit/docs/audit_encode_nv_string.3
+++ /dev/null
@@ -1,26 +0,0 @@
-.TH "AUDIT_ENCODE_NV_STRING" "3" "Oct 2010" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_encode_nv_string \- encode a name/value pair in a string
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B char *audit_encode_nv_string(const char *name, const char *value, unsigned int vlen)
-
-.SH DESCRIPTION
-This function is used to encode a name/value pair. This should be used on any field being logged that potentially contains a space, a double-quote, or a control character. Any value containing those have to be specially encoded for the auparse library to correctly handle the value. The encoding method is designed to prevent log injection attacks where malicious values could cause parsing errors.
-
-To use this function, pass the name string and value strings on their respective arguments. If the value is likely to have a NUL value embedded within it, you will need to pass a value length that tells in bytes how big the value is. Otherwise, you can pass a 0 for vlen and the function will simply use strlen against the value pointer. Also be aware that the name of the field will cause auparse to do certain things when interpretting the value. If the name is uid, a user id value in decimal is expected. Make sure that well known names are used for their intended purpose or that there is no chance of name collision with something new.
-
-.SH "RETURN VALUE"
-
-Returns a freshly malloc'ed string that the caller must free or NULL on error.
-
-.SH "SEE ALSO"
-
-.BR audit_log_user_message (3),
-.BR audit_log_user_comm_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_semanage_message (3).
-
-.SH AUTHOR
-Steve Grubb
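Review bot: the vlen paragraph leaves the embedded-NUL case implicit. It says to pass a length when the value may contain a NUL and that 0 makes the function use strlen, but never states that with vlen 0 everything after the first NUL is left out of the encoded field. Since this page is the guidance on preventing log injection, that consequence should be spelled out. Also "interpretting" should be "interpreting".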
diff --git a/framework/src/audit/docs/audit_get_reply.3 b/framework/src/audit/docs/audit_get_reply.3
deleted file mode 100644
index da3e4c8e..00000000
--- a/framework/src/audit/docs/audit_get_reply.3
+++ /dev/null
@@ -1,21 +0,0 @@
-.TH "AUDIT_GET_REPLY" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_get_reply \- Get the audit system's reply
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-int audit_get_reply(int fd, struct audit_reply *rep, reply_t block, int peek);
-
-.SH "DESCRIPTION"
-This function gets the next data packet sent on the audit netlink socket. This function is usually called after sending a command to the audit system. fd should be an open file descriptor returned by audit_open. rep should be a data structure to put the reply in. block is of type reply_t which is either: GET_REPLY_BLOCKING and GET_REPLY_NONBLOCKING. peek, if non-zero, gets the data without dequeueing it from the netlink socket.
-
-.SH "RETURN VALUE"
-
-This function returns \-1 on error, 0 if error response received, and positive value on success.
-
-.SH "SEE ALSO"
-
-.BR audit_open (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_getloginuid.3 b/framework/src/audit/docs/audit_getloginuid.3
deleted file mode 100644
index 6a2b4ee8..00000000
--- a/framework/src/audit/docs/audit_getloginuid.3
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH "AUDIT_GETLOGINUID" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_getloginuid \- Get a program's loginuid value
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-uid_t audit_getloginuid(void);
-
-.SH DESCRIPTION
-This function returns the task attribute loginuid.
-
-.SH "RETURN VALUE"
-
-This function returns the loginuid value if it was set. It will return a \-1 if loginuid was unset. However, since uid_t is an unsigned type, you will see the converted value instead of \-1.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. However, in the event of a real error, errno would be set. The function can set errno based on failures of open, read, or strtoul.
-
-.SH "SEE ALSO"
-
-.BR audit_setloginuid (3).
-
-.SH AUTHOR
-Steve Grubb
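Review bot: RETURN VALUE and ERRORS give \-1 two meanings (loginuid unset, and a real failure of open, read, or strtoul) and say only that errno "would be set" in the second case. The page should tell callers how to tell them apart, for example by clearing errno before the call and comparing the result against (uid_t)\-1, because code that treats every \-1 as "unset" will silently ignore a read failure.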
diff --git a/framework/src/audit/docs/audit_log_acct_message.3 b/framework/src/audit/docs/audit_log_acct_message.3
deleted file mode 100644
index 2ea6289b..00000000
--- a/framework/src/audit/docs/audit_log_acct_message.3
+++ /dev/null
@@ -1,44 +0,0 @@
-.TH "AUDIT_LOG_ACCT_MESSAGE" "3" "Oct 2010" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_log_acct_message \- log a user account message
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B int audit_log_acct_message(int audit_fd, int type, const char *pgname,
-const char *op, const char *name, unsigned int id, const char *host,
-const char *addr, const char *tty, int result)
-
-.SH DESCRIPTION
-This function will log a message to the audit system using a predefined message format. It should be used for all account manipulation operations. The function
-parameters are as follows:
-
-.nf
-audit_fd - The fd returned by audit_open
-type - type of message: AUDIT_USER_CHAUTHTOK for changing any account attributes.
-pgname - program's name, if NULL will attempt to figure out
-op - operation. Ex: "adding user", "changing finger info", "deleting group"
-name - user's account or group name. If not available use NULL.
-id - uid or gid that the operation is being performed on. If the user is unknown, pass a \-1 and fill in the name parameter. This is used only when user is NULL.
-host - The hostname if known. If not available pass a NULL.
-addr - The network address of the user. If not available pass a NULL.
-tty - The tty of the user, if NULL will attempt to figure out
-result - 1 is "success" and 0 is "failed"
-.fi
-
-.SH "RETURN VALUE"
-
-It returns the sequence number which is > 0 on success or <= 0 on error.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. Examine errno for more info.
-
-.SH "SEE ALSO"
-
-.BR audit_log_user_message (3),
-.BR audit_log_user_comm_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_semanage_message (3).
-
-.SH AUTHOR
-Steve Grubb
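Review bot: the id parameter text says "This is used only when user is NULL", but no parameter is called user; the SYNOPSIS names it "name", and the semanage page words the same rule as "when name is NULL". RETURN VALUE ("<= 0 on error") and ERRORS ("returns \-1 on failure") also disagree about what a caller should test for. One of the two should be made authoritative.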
diff --git a/framework/src/audit/docs/audit_log_semanage_message.3 b/framework/src/audit/docs/audit_log_semanage_message.3
deleted file mode 100644
index 7a6a6849..00000000
--- a/framework/src/audit/docs/audit_log_semanage_message.3
+++ /dev/null
@@ -1,53 +0,0 @@
-.TH "AUDIT_LOG_SEMANAGE_MESSAGE" "3" "Jan 2012" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_log_semanage_message \- log a semanage message
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B int audit_log_semanage_message(int audit_fd, int type,
-.B const char *pgname, const char *op, const char *name, unsigned int id,
-.B const char *new_seuser, const char *new_role, const char *new_range,
-.B const char *old_seuser, const char *old_role, const char *old_range,
-.B const char *host, const char *addr, const char *tty, int result)
-
-.SH DESCRIPTION
-
-This function will log a message to the audit system using a predefined
-message format. It should be used for all SE linux user and role
-manipulation operations. The function parameters are as follows:
-
-.nf
-audit_fd - The fd returned by audit_open
-type - type of message: AUDIT_ROLE_ASSIGN/REMOVE for changing any SE Linux user or role attributes.
-pgname - program's name
-op - operation. "adding-user", "adding-role", "deleting-user", "deleting-role"
-name - user's account. If not available use NULL.
-id - uid that the operation is being performed on. This is used only when name is NULL.
-new_seuser - the new seuser that the login user is getting
-new_role - the new_role that the login user is getting
-new_range - the new mls range that the login user is getting
-old_seuser - the old seuser that the login usr had
-old_role - the old role that the login user had
-old_range - the old mls range that the login usr had
-host - The hostname if known
-addr - The network address of the user
-tty - The tty of the user
-result - 1 is "success" and 0 is "failed"
-.fi
-
-.SH "RETURN VALUE"
-
-It returns the sequence number which is > 0 on success or <= 0 on error.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. Examine errno for more info.
-
-.SH "SEE ALSO"
-.BR audit_log_user_message (3),
-.BR audit_log_acct_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_user_comm_message (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_log_user_avc_message.3 b/framework/src/audit/docs/audit_log_user_avc_message.3
deleted file mode 100644
index 1a101950..00000000
--- a/framework/src/audit/docs/audit_log_user_avc_message.3
+++ /dev/null
@@ -1,40 +0,0 @@
-.TH "AUDIT_LOG_USER_AVC_MESSAGE" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_log_user_avc_message \- log a user avc message
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B int audit_log_user_avc_message(int audit_fd, int type, const char *message,
-const char *hostname, const char *addr, const char *tty, uid_t uid)
-
-.SH DESCRIPTION
-
-This function will log a message to the audit system using a predefined message format. This function should be used by all apps that are SE Linux object managers. The function parameters are as follows:
-
-.nf
-audit_fd - The fd returned by audit_open
-type - type of message, ex: AUDIT_USER_AVC
-message - the message being sent
-hostname - the hostname if known
-addr - The network address of the user
-tty - The tty of the user, if NULL will attempt to figure out
-uid - The auid of the person related to the avc message
-.fi
-
-.SH "RETURN VALUE"
-
-It returns the sequence number which is > 0 on success or <= 0 on error.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. Examine errno for more info.
-
-.SH "SEE ALSO"
-
-.BR audit_log_user_message (3),
-.BR audit_log_acct_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_semanage_message (3).
-
-.SH AUTHOR
-Steve Grubb
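Review bot: SEE ALSO lists audit_log_user_avc_message (3), which is this page itself, and omits audit_log_user_comm_message (3), which the sibling logging pages cross-reference. The self-reference looks like a copy-and-paste slip and should be swapped for the missing entry.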
diff --git a/framework/src/audit/docs/audit_log_user_comm_message.3 b/framework/src/audit/docs/audit_log_user_comm_message.3
deleted file mode 100644
index fb4912d9..00000000
--- a/framework/src/audit/docs/audit_log_user_comm_message.3
+++ /dev/null
@@ -1,45 +0,0 @@
-.TH "AUDIT_LOG_USER_COMM_MESSAGE" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_log_user_comm_message \- log a user message from a console app
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B int audit_log_user_comm_message(int audit_fd, int type, const char *message,
-const char *comm, const char *hostname, const char *addr, const char *tty,
-int result)
-
-.SH DESCRIPTION
-This function will log a message to the audit system using a predefined
-message format. This function should be used by all console apps that do
-not manipulate accounts or groups and are executing a script. An example
-would be python or crond wanting to say what they are executing. The function
-parameters are as follows:
-
-.nf
-audit_fd - The fd returned by audit_open
-type - type of message, ex: AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN
-message - the message text being sent
-comm - the program command line name
-hostname - the hostname if known, NULL if unknown
-addr - The network address of the user, NULL if unknown
-tty - The tty of the user, if NULL will attempt to figure out
-result - 1 is "success" and 0 is "failed"
-.fi
-
-.SH "RETURN VALUE"
-
-It returns the sequence number which is > 0 on success or <= 0 on error.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. Examine errno for more info.
-
-.SH "SEE ALSO"
-
-.BR audit_log_user_message (3),
-.BR audit_log_acct_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_semanage_message (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_log_user_command.3 b/framework/src/audit/docs/audit_log_user_command.3
deleted file mode 100644
index 39e67560..00000000
--- a/framework/src/audit/docs/audit_log_user_command.3
+++ /dev/null
@@ -1,37 +0,0 @@
-.TH "AUDIT_LOG_USER_COMMAND" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_log_user_command \- log a user command
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B int audit_log_user_command(int audit_fd, int type, const char *command, const char *tty, int result);
-
-.SH DESCRIPTION
-This function will log a command to the audit system using a predefined message format. It encodes the command as the audit system expects for untrusted strings. This function should be used by all apps need to record commands. The function parameters are as follows:
-
-.nf
-audit_fd - The fd returned by audit_open
-type - type of message, ex: AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN
-command - the command being logged
-tty - The tty of the user, if NULL will attempt to figure out
-result - 1 is "success" and 0 is "failed"
-.fi
-
-.SH "RETURN VALUE"
-
-It returns the sequence number which is > 0 on success or <= 0 on error.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. Examine errno for more info.
-
-.SH "SEE ALSO"
-
-.BR audit_log_user_message (3),
-.BR audit_log_user_comm_message (3),
-.BR audit_log_acct_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_semanage_message (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_log_user_message.3 b/framework/src/audit/docs/audit_log_user_message.3
deleted file mode 100644
index 2954c400..00000000
--- a/framework/src/audit/docs/audit_log_user_message.3
+++ /dev/null
@@ -1,42 +0,0 @@
-.TH "AUDIT_LOG_USER_MESSAGE" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_log_user_message \- log a general user message
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-.B int audit_log_user_message(int audit_fd, int type, const char *message,
-const char *hostname, const char *addr, const char *tty,
-int result)
-
-.SH DESCRIPTION
-This function will log a message to the audit system using a predefined
-message format. This function should be used by all console apps that do
-not manipulate accounts or groups. The function parameters are as follows:
-
-.nf
-audit_fd - The fd returned by audit_open
-type - type of message, ex: AUDIT_USYS_CONFIG, AUDIT_USER_LOGIN
-message - the message text being sent
-hostname - the hostname if known, NULL if unknown
-addr - The network address of the user, NULL if unknown
-tty - The tty of the user, if NULL will attempt to figure out
-result - 1 is "success" and 0 is "failed"
-.fi
-
-.SH "RETURN VALUE"
-
-It returns the sequence number which is > 0 on success or <= 0 on error.
-
-.SH "ERRORS"
-
-This function returns \-1 on failure. Examine errno for more info.
-
-.SH "SEE ALSO"
-
-.BR audit_log_user_comm_message (3),
-.BR audit_log_acct_message (3),
-.BR audit_log_user_avc_message (3),
-.BR audit_log_semanage_message (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_open.3 b/framework/src/audit/docs/audit_open.3
deleted file mode 100644
index 6ec8eb0a..00000000
--- a/framework/src/audit/docs/audit_open.3
+++ /dev/null
@@ -1,34 +0,0 @@
-.TH "AUDIT_OPEN" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_open \- Open a audit netlink socket connection
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_open (void);
-
-.SH "DESCRIPTION"
-
-audit_open creates a NETLINK_AUDIT socket for communication with the kernel part of the Linux Audit Subsystem. The audit system uses the ACK feature of netlink. This means that every message to the kernel will return a netlink status packet even if the operation succeeds.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, the return value is a descriptor referencing the socket.
-
-.SH ERRORS
-
-The
-.BR audit_open ()
-function may fail and set
-.I errno
-for any of the errors specified for the
-.BR socket (2)
-and
-.BR fcntl (2)
-routines.
-
-.SH "SEE ALSO"
-
-.BR netlink (7).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_request_rules_list_data.3 b/framework/src/audit/docs/audit_request_rules_list_data.3
deleted file mode 100644
index f524ea90..00000000
--- a/framework/src/audit/docs/audit_request_rules_list_data.3
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH "AUDIT_REQUEST_LIST_DATA" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_request_rules_list_data \- Request list of current audit rules
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_request_rules_list_data (int fd);
-
-.SH "DESCRIPTION"
-
-audit_request_rules_list_data sends a request to the kernel to list the current audit rules. The rules are sent back one after another after this request is issued.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_add_rule_data (3),
-.BR audit_delete_rule_data (3),
-.BR audit_open (3),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb
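Review bot: the .TH title is "AUDIT_REQUEST_LIST_DATA", while the file, NAME and SYNOPSIS all use audit_request_rules_list_data. The page header and footer will show a function name that does not exist; the title should read "AUDIT_REQUEST_RULES_LIST_DATA".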
diff --git a/framework/src/audit/docs/audit_request_signal_info.3 b/framework/src/audit/docs/audit_request_signal_info.3
deleted file mode 100644
index 873deb58..00000000
--- a/framework/src/audit/docs/audit_request_signal_info.3
+++ /dev/null
@@ -1,33 +0,0 @@
-.TH "AUDIT_" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_request_signal_info \- Request signal info for the audit system
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_request_signal_info(int fd);
-
-.SH "DESCRIPTION"
-
-audit_request_signal_info requests that the kernel send information about the sender of a signal to the audit daemon. The sinal info structure is as follows:
-
-.nf
-struct audit_sig_info {
- uid_t uid;
- pid_t pid;
- char ctx[0];
-};
-.fi
-
-This function is likely to be used only by audit daemons and shouldn't be called by any other kind of program.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_open (3),
-.BR audit_get_reply (3).
-
-.SH AUTHOR
-Steve Grubb
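Review bot: the .TH title is truncated to "AUDIT_", so the rendered page header carries no function name; it should be "AUDIT_REQUEST_SIGNAL_INFO". In the DESCRIPTION, "The sinal info structure" should read "signal info structure".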
diff --git a/framework/src/audit/docs/audit_request_status.3 b/framework/src/audit/docs/audit_request_status.3
deleted file mode 100644
index bb872196..00000000
--- a/framework/src/audit/docs/audit_request_status.3
+++ /dev/null
@@ -1,44 +0,0 @@
-.TH "AUDIT_REQUEST_STATUS" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_request_status \- Request status of the audit system
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_request_status (int fd);
-
-.SH "DESCRIPTION"
-
-.PP
-audit_request_status requests that the kernel send status structure describing various settings. The audit_status structure is as follows:
-
-.RS
-.ta 4n 10n 24n
-.nf
-
-struct audit_status {
- __u32 mask; /* Bit mask for valid entries */
- __u32 enabled; /* 1 = enabled, 0 = disabled */
- __u32 failure; /* Failure-to-log action */
- __u32 pid; /* pid of auditd process */
- __u32 rate_limit; /* messages rate limit (per second) */
- __u32 backlog_limit; /* waiting messages limit */
- __u32 lost; /* messages lost */
- __u32 backlog; /* messages waiting in queue */
-};
-.fi
-.ta
-.RE
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_open (3),
-.BR audit_get_reply (3),
-.BR auditd (8).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_set_backlog_limit.3 b/framework/src/audit/docs/audit_set_backlog_limit.3
deleted file mode 100644
index 18c52448..00000000
--- a/framework/src/audit/docs/audit_set_backlog_limit.3
+++ /dev/null
@@ -1,26 +0,0 @@
-.TH "AUDIT_SET_BACKLOG_LIMIT" "3" "Oct 2006" "Linux Audit API"
-.SH NAME
-audit_set_backlog_limit \- Set the audit backlog limit
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_set_backlog_limit (int fd, int limit);
-
-.SH "DESCRIPTION"
-
-audit_set_backlog_limit sets the queue length for audit events awaiting transfer to the audit daemon. The default value is 64 which can potentially be overrun by bursts of activity. When the backlog limit is reached, the kernel consults the failure_flag to see what action to take.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_set_failure (3),
-.BR audit_open (3),
-.BR auditd (8),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb
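Review bot: the .TH line has four arguments where the other pages in this directory have five ("Red Hat" is missing), so "Linux Audit API" lands in the source field instead of the manual field. The DESCRIPTION also refers to "the failure_flag" without saying where it is set; naming audit_set_failure (3) at that point would make the backlog-overrun behaviour easier to follow.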
diff --git a/framework/src/audit/docs/audit_set_backlog_wait_time.3 b/framework/src/audit/docs/audit_set_backlog_wait_time.3
deleted file mode 100644
index 4a7b9aee..00000000
--- a/framework/src/audit/docs/audit_set_backlog_wait_time.3
+++ /dev/null
@@ -1,26 +0,0 @@
-.TH "AUDIT_SET_BACKLOG_WAIT_TIME" "3" "Oct 2014" "Linux Audit API"
-.SH NAME
-audit_set_backlog_wait_time \- Set the audit backlog wait time
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_set_backlog_wait_time (int fd, int wait_time);
-
-.SH "DESCRIPTION"
-
-audit_set_backlog_wait_time sets the time that the kernel will wait before attempting to send more audit events to be transferred to the audit daemon when the backlog_limit is reached. This gives the audit daemon a chance to drain the kernel queue. The default value is 60000 or 60 * HZ setting in the kernel.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_set_backlog_limit (3),
-.BR audit_open (3),
-.BR auditd (8),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb
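Review bot: "The default value is 60000 or 60 * HZ setting in the kernel" gives two figures without a unit, and the SYNOPSIS does not say what unit wait_time is in, so a caller cannot tell what number to pass. The page should state the unit once and express the default in it. The .TH line is also missing the "Red Hat" argument that the other pages carry.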
diff --git a/framework/src/audit/docs/audit_set_enabled.3 b/framework/src/audit/docs/audit_set_enabled.3
deleted file mode 100644
index 331f1ce6..00000000
--- a/framework/src/audit/docs/audit_set_enabled.3
+++ /dev/null
@@ -1,27 +0,0 @@
-.TH "AUDIT_SET_ENABLED" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_set_enabled \- Enable or disable auditing
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_set_enabled (int fd, int enabled);
-
-.SH "DESCRIPTION"
-
-.PP
-audit_set_enabled is used to control whether or not the audit system is active. When the audit system is enabled (enabled set to 1), every syscall will pass through the audit system to collect information and potentially trigger an event.
-
-If the audit system is disabled (enabled set to 0), syscalls do not enter the audit system and no data is collected. There may be some events generated by MAC subsystems like SE Linux even though the audit system is disabled. It is possible to suppress those events, too, by adding an audit rule with flags set to AUDIT_FILTER_TYPE.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_add_rule_data (3),
-.BR auditd (8).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_set_failure.3 b/framework/src/audit/docs/audit_set_failure.3
deleted file mode 100644
index cf526f03..00000000
--- a/framework/src/audit/docs/audit_set_failure.3
+++ /dev/null
@@ -1,38 +0,0 @@
-.TH "AUDIT_SET_FAILURE" "3" "June 2015" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_set_failure \- Set audit failure flag
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_set_failure(int fd, int failure);
-
-.SH "DESCRIPTION"
-
-audit_set_failure sets the action that the kernel will perform when the backlog limit is reached or when it encounters an error and cannot proceed. Possible values are:
-
-.TP
-0 - AUDIT_FAIL_SILENT
-Do nothing, report nothing, skip logging the record and continue.
-
-.TP
-1 - AUDIT_FAIL_PRINTK [default]
-Log the audit record using printk which will cause subsequent events to get written to syslog.
-
-.TP
-2 - AUDIT_FAIL_PANIC
-Call the panic function. This would be used to prevent use of the machine upon loss of audit events.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_set_backlog (3),
-.BR audit_open (3),
-.BR auditd (8),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb
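Review bot: SEE ALSO points to audit_set_backlog (3), but the diffstat for this directory has no such page, only audit_set_backlog_limit.3 and audit_set_backlog_wait_time.3. The reference should be audit_set_backlog_limit (3), which is also the page that explains when the failure action is consulted.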
diff --git a/framework/src/audit/docs/audit_set_pid.3 b/framework/src/audit/docs/audit_set_pid.3
deleted file mode 100644
index d2b33db8..00000000
--- a/framework/src/audit/docs/audit_set_pid.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUDIT_SET_PID" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_set_pid \- Set audit daemon process ID
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_set_pid (int fd, int pid);
-
-.SH "DESCRIPTION"
-
-audit_set_pid tells the kernel what the pid is of the audit daemon. When the pid is set to 0, the kernel will log all events to syslog. Otherwise it will try to send events to the netlink connection that has the same pid given by this function. If for some reason the process goes away, the kernel will automatically set the value to 0 itself. Usually this function is called by the audit daemon and not an external program.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_open (3),
-.BR auditd (8).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/audit_set_rate_limit.3 b/framework/src/audit/docs/audit_set_rate_limit.3
deleted file mode 100644
index 90300eaf..00000000
--- a/framework/src/audit/docs/audit_set_rate_limit.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUDIT_SET_RATE_LIMIT" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_set_rate_limit \- Set audit rate limit
-.SH "SYNOPSIS"
-
-.B #include <libaudit.h>
-.sp
-int audit_set_rate_limit (int fd, int limit);
-
-.SH "DESCRIPTION"
-
-audit_set_rate_limit will set the maximum number of messages that the kernel will send per second. This can be used to throttle the rate if systems become unresponsive. Of course the trade off is that events will be dropped. The default value is 0, meaning no limit.
-
-.SH "RETURN VALUE"
-
-The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.
-
-.SH "SEE ALSO"
-
-.BR audit_open (3),
-.BR auditd (8).
-
-.SH AUTHOR
-Steve Grubb
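Review bot: The DESCRIPTION says only that "events will be dropped" once the limit is hit, while the -r entry in auditctl.8 (removed in this same diff) says the failure flag is consulted when a non-zero rate is exceeded, and failure mode 2 is panic. If this text is kept anywhere, state that dependency here and add audit_set_failure(3) to SEE ALSO, so a caller does not set a rate limit on a host running with AUDIT_FAIL_PANIC without knowing the consequence.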
diff --git a/framework/src/audit/docs/audit_setloginuid.3 b/framework/src/audit/docs/audit_setloginuid.3
deleted file mode 100644
index c1a71e31..00000000
--- a/framework/src/audit/docs/audit_setloginuid.3
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH "AUDIT_SETLOGINUID" "3" "Oct 2006" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_setloginuid \- Set a program's loginuid value
-.SH SYNOPSIS
-.B #include <libaudit.h>
-.sp
-int audit_setloginuid(uid_t uid);
-
-.SH "DESCRIPTION"
-
-This function sets the task attribute loginuid with the value of uid. The loginuid value may only be set by programs with the CAP_AUDIT_CONTROL capability. This normally means the root account.
-.sp
-The loginuid value is part of the task structure and is inheritted by child processes. It is used to track what account a user gained system access with. All system entry point programs should set this value right before changing to the uid of the user granted access so that audit events are properly attributed to the that user.
-
-.SH "RETURN VALUE"
-
-This function returns 0 on success and non-zero otherwise.
-
-.SH "SEE ALSO"
-
-.BR audit_getloginuid (3),
-.BR pam_loginuid (8).
-
-.SH AUTHOR
-Steve Grubb
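Review bot: The second DESCRIPTION paragraph has two typos, "inheritted" and "attributed to the that user", and the page never mentions that loginuid can be made unchangeable once set, which the --loginuid-immutable entry in auditctl.8 (also removed in this diff) describes. If the page is re-homed, fix the wording and add that one-line caveat next to the CAP_AUDIT_CONTROL sentence, since both govern whether a later audit_setloginuid() call can succeed.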
diff --git a/framework/src/audit/docs/audit_update_watch_perms.3 b/framework/src/audit/docs/audit_update_watch_perms.3
deleted file mode 100644
index 5b1e9ee9..00000000
--- a/framework/src/audit/docs/audit_update_watch_perms.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUDIT_UPDATE_WATCH_PERMS" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-audit_update_watch_perms \- update permissions field of watch command
-.SH "SYNOPSIS"
-.B #include <libaudit.h>
-.sp
-int audit_update_watch_perms(struct audit_rule_data *rule, int perms);
-
-.SH "DESCRIPTION"
-
-audit_update_watch_perms adds the permission checks to a watch command that is being built. The perms are a bitwise or'ing of: AUDIT_PERM_EXEC, AUDIT_PERM_WRITE, AUDIT_PERM_READ, AUDIT_PERM_ATTR.
-
-.SH "RETURN VALUE"
-
-Returns a number < 0 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR audit_add_rule_data (3),
-.BR audit_add_watch (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auditctl.8 b/framework/src/audit/docs/auditctl.8
deleted file mode 100644
index ceb6c40b..00000000
--- a/framework/src/audit/docs/auditctl.8
+++ /dev/null
@@ -1,315 +0,0 @@
-.TH AUDITCTL: "8" "Aug 2014" "Red Hat" "System Administration Utilities"
-.SH NAME
-auditctl \- a utility to assist controlling the kernel's audit system
-.SH SYNOPSIS
-\fBauditctl\fP [\fIoptions\fP]
-.SH DESCRIPTION
-The \fBauditctl\fP program is used to configure kernel options related to auditing, to see status of the configuration, and to load discretionary audit rules.
-.SH CONFIGURATION OPTIONS
-.TP
-.BI \-b\ backlog
-Set max number of outstanding audit buffers allowed (Kernel Default=64) If all buffers are full, the failure flag is consulted by the kernel for action.
-.TP
-.BI \-\-backlog_wait_time \ \fIwait_time\fP
-Set the time for the kernel to wait (Kernel Default 60*HZ) when the backlog_limit is reached before queuing more audit events to be transferred to auditd. The number must be greater than or equal to zero and less that 10 times the default value.
-.TP
-.B \-c
-Continue loading rules in spite of an error. This summarizes the results of loading the rules. The exit code will not be success if any rule fails to load.
-.TP
-.B \-D
-Delete all rules and watches. This can take a key option (\-k), too.
-.TP
-\fB\-e\fP [\fB0\fP..\fB2\fP]
-Set enabled flag. When \fB0\fP is passed, this can be used to temporarily disable auditing. When \fB1\fP is passed as an argument, it will enable auditing. To lock the audit configuration so that it can't be changed, pass a \fB2\fP as the argument. Locking the configuration is intended to be the last command in audit.rules for anyone wishing this feature to be active. Any attempt to change the configuration in this mode will be audited and denied. The configuration can only be changed by rebooting the machine.
-.TP
-\fB\-f\fP [\fB0\fP..\fB2\fP]
-Set failure mode
-\fB0\fP=silent \fB1\fP=printk \fB2\fP=panic. This option lets you determine how you want the kernel to handle critical errors. Example conditions where this mode may have an effect includes: transmission errors to userspace audit daemon, backlog limit exceeded, out of kernel memory, and rate limit exceeded. The default value is \fB1\fP. Secure environments will probably want to set this to \fB2\fP.
-.TP
-.B \-h
-Help
-.TP
-.B \-i
-Ignore errors when reading rules from a file. This causes auditctl to always return a success exit code.
-.TP
-.BI \-\-loginuid-immutable
-This option tells the kernel to make loginuids unchangeable once they are set. Changing loginuids requires CAP_AUDIT_CONTROL. So, its not something that can be done by unprivileged users. Setting this makes loginuid tamper-proof, but can cause some problems in certain kinds of containers.
-.TP
-.BI \-q\ mount-point,subtree
-If you have an existing directory watch and bind or move mount another subtree in the watched subtree, you need to tell the kernel to make the subtree being mounted equivalent to the directory being watched. If the subtree is already mounted at the time the directory watch is issued, the subtree is automatically tagged for watching. Please note the comma separating the two values. Omitting it will cause errors.
-.TP
-.BI \-r\ rate
-Set limit in messages/sec (\fB0\fP=none). If this \fIrate\fP is non-zero and is exceeded, the failure flag is consulted by the kernel for action. The default value is \fB0\fP.
-.TP
-.BI \-R\ file
-Read rules from a \fIfile\fP. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash.
-.TP
-.BI \-t
-Trim the subtrees after a mount command.
-.SH STATUS OPTIONS
-.TP
-.B \-l
-List all rules 1 per line. Two more options may be given to this command. You can give either a key option (\-k) to list rules that match a key or a (\-i) to have a0 through a3 interpretted to help determine the syscall argument values are correct .
-.TP
-.BI \-m\ text
-Send a user space message into the audit system. This can only be done if you have CAP_AUDIT_WRITE capability (normally the root user has this). The resulting event will be the USER type.
-.TP
-.B \-s
-Report the kernel's audit subsystem status. It will tell you the in-kernel values that can be set by \fB-e\fP, \fB-f\fP, \fB-r\fP, and \fB-b\fP options. The pid value is the process number of the audit daemon. Note that a pid of 0 indicates that the audit daemon is not running. The lost entry will tell you how many event records that have been discarded due to the kernel audit queue overflowing. The backlog field tells how many event records are currently queued waiting for auditd to read them. This option can be followed by the \fB-i\fP to get a couple fields interpreted.
-.TP
-.BI \-v
-Print the version of auditctl.
-
-.SH RULE OPTIONS
-.TP
-.BI \-a\ [ list,action | action,list ]
-Append rule to the end of \fIlist\fP with \fIaction\fP. Please note the comma separating the two values. Omitting it will cause errors. The fields may be in either order. It could be list,action or action,list. The following describes the valid \fIlist\fP names:
-.RS
-.TP 12
-.B task
-Add a rule to the per task list. This rule list is used only at the time a task is created -- when fork() or clone() are called by the parent task. When using this list, you should only use fields that are known at task creation time, such as the uid, gid, etc.
-.TP
-.B exit
-Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.
-.TP
-.B user
-Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.
-.TP
-.B exclude
-Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would using this list to record that. The message type that you do not wish to see is given with the msgtype field.
-.RE
-
-The following describes the valid \fIactions\fP for the rule:
-.RS
-.TP 12
-.B never
-No audit records will be generated. This can be used to suppress event generation. In general, you want suppressions at the top of the list instead of the bottom. This is because the event triggers on the first matching rule.
-.TP
-.B always
-Allocate an audit context, always fill it in at syscall entry time, and always write out a record at syscall exit time.
-.RE
-.TP
-.BI \-A\ list , action
-Add rule to the beginning \fIlist\fP with \fIaction\fP.
-.TP
-\fB\-C\fP [\fIf\fP\fB=\fP\fIf\fP | \fIf\fP\fB!=\fP\fIf\fP]
-Build an inter-field comparison rule: field, operation, field. You may pass multiple comparisons on a single command line. Each one must start with \fB\-C\fP. Each inter-field equation is anded with each other as well as equations starting with \fB\-F\fP to trigger an audit record. There are 2 operators supported - equal, and not equal. Valid fields are:
-.RS
-.TP 12
-.B auid, uid, euid, suid, fsuid, obj_uid; and gid, egid, sgid, fsgid, obj_gid
-.RE
-
-.RS
-The two groups of uid and gid cannot be mixed. But any comparison within the group can be made. The obj_uid/gid fields are collected from the object of the event such as a file or directory.
-.RE
-
-.TP
-.BI \-d\ list , action
-Delete rule from \fIlist\fP with \fIaction\fP. The rule is deleted only if it exactly matches syscall name(s) and every field name and value.
-.TP
-\fB\-F\fP [\fIn\fP\fB=\fP\fIv\fP | \fIn\fP\fB!=\fP\fIv\fP | \fIn\fP\fB<\fP\fIv\fP | \fIn\fP\fB>\fP\fIv\fP | \fIn\fP\fB<=\fP\fIv\fP | \fIn\fP\fB>=\fP\fIv\fP | \fIn\fP\fB&\fP\fIv\fP | \fIn\fP\fB&=\fP\fIv\fP]
-Build a rule field: name, operation, value. You may have up to 64 fields passed on a single command line. Each one must start with \fB\-F\fP. Each field equation is anded with each other (as well as equations starting with \fB\-C\fP) to trigger an audit record. There are 8 operators supported - equal, not equal, less than, greater than, less than or equal, and greater than or equal, bit mask, and bit test respectively. Bit test will "and" the values and check that they are equal, bit mask just "ands" the values. Fields that take a user ID may instead have the user's name; the program will convert the name to user ID. The same is true of group names. Valid fields are:
-.RS
-.TP 12
-.B a0, a1, a2, a3
-Respectively, the first 4 arguments to a syscall. Note that string arguments are not supported. This is because the kernel is passed a pointer to the string. Triggering on a pointer address value is not likely to work. So, when using this, you should only use on numeric values. This is most likely to be used on platforms that multiplex socket or IPC operations.
-.TP
-.B arch
-The CPU architecture of the syscall. The arch can be found doing 'uname \-m'. If you do not know the arch of your machine but you want to use the 32 bit syscall table and your machine supports 32 bit, you can also use
-.B b32
-for the arch. The same applies to the 64 bit syscall table, you can use
-.B b64.
-In this way, you can write rules that are somewhat arch independent because the family type will be auto detected. However, syscalls can be arch specific and what is available on x86_64, may not be available on ppc. The arch directive should precede the \-S option so that auditctl knows which internal table to use to look up the syscall numbers.
-.TP
-.B auid
-The original ID the user logged in with. Its an abbreviation of audit uid. Sometimes its referred to as loginuid. Either the user account text or number may be used.
-.TP
-.B devmajor
-Device Major Number
-.TP
-.B devminor
-Device Minor Number
-.TP
-.B dir
-Full Path of Directory to watch. This will place a recursive watch on the directory and its whole subtree. It can only be used on exit list. See "\fB\-w\fP".
-.TP
-.B egid
-Effective Group ID. May be numeric or the groups name.
-.TP
-.B euid
-Effective User ID. May be numeric or the user account name.
-.TP
-.B exit
-Exit value from a syscall. If the exit code is an errno, you may use the text representation, too.
-.TP
-.B fsgid
-Filesystem Group ID. May be numeric or the groups name.
-.TP
-.B fsuid
-Filesystem User ID. May be numeric or the user account name.
-.TP
-.B filetype
-The target file's type. Can be either file, dir, socket, link, character, block, or fifo.
-.TP
-.B gid
-Group ID. May be numeric or the groups name.
-.TP
-.B inode
-Inode Number
-.TP
-.B key
-This is another way of setting a filter key. See discussion above for \fB\-k\fP option.
-.TP
-.B msgtype
-This is used to match the event's record type. It should only be used on the exclude or user filter lists.
-.TP
-.B obj_uid
-Object's UID
-.TP
-.B obj_gid
-Object's GID
-.TP
-.B obj_user
-Resource's SE Linux User
-.TP
-.B obj_role
-Resource's SE Linux Role
-.TP
-.B obj_type
-Resource's SE Linux Type
-.TP
-.B obj_lev_low
-Resource's SE Linux Low Level
-.TP
-.B obj_lev_high
-Resource's SE Linux High Level
-.TP
-.B path
-Full Path of File to watch. It can only be used on exit list.
-.TP
-.B perm
-Permission filter for file operations. See "\fB\-p\fP". It can only be used on exit list. You can use this without specifying a syscall and the kernel will select the syscalls that satisfy the permissions being requested.
-.TP
-.B pers
-OS Personality Number
-.TP
-.B pid
-Process ID
-.TP
-.B ppid
-Parent's Process ID
-.TP
-.B subj_user
-Program's SE Linux User
-.TP
-.B subj_role
-Program's SE Linux Role
-.TP
-.B subj_type
-Program's SE Linux Type
-.TP
-.B subj_sen
-Program's SE Linux Sensitivity
-.TP
-.B subj_clr
-Program's SE Linux Clearance
-.TP
-.B sgid
-Saved Group ID. See getresgid(2) man page.
-.TP
-.B success
-If the exit value is >= 0 this is true/yes otherwise its false/no. When writing a rule, use a 1 for true/yes and a 0 for false/no
-.TP
-.B suid
-Saved User ID. See getresuid(2) man page.
-.TP
-.B uid
-User ID. May be numeric or the user account name.
-.RE
-.TP
-.BI \-k\ key
-Set a filter key on an audit rule. The filter key is an arbitrary string of text that can be up to 31 bytes long. It can uniquely identify the audit records produced by a rule. Typical use is for when you have several rules that together satisfy a security requirement. The key value can be searched on with ausearch so that no matter which rule triggered the event, you can find its results. The key can also be used on delete all (\-D) and list rules (\-l) to select rules with a specific key. You may have more than one key on a rule if you want to be able to search logged events in multiple ways or if you have an audispd plugin that uses a key to aid its analysis.
-.TP
-\fB\-p\fP [\fBr\fP|\fBw\fP|\fBx\fP|\fBa\fP]
-Describe the permission access type that a file system watch will trigger on. \fBr\fP=read, \fBw\fP=write, \fBx\fP=execute, \fBa\fP=attribute change. These permissions are not the standard file permissions, but rather the kind of syscall that would do this kind of thing. The read & write syscalls are omitted from this set since they would overwhelm the logs. But rather for reads or writes, the open flags are looked at to see what permission was requested.
-.TP
-\fB\-S\fP [\fISyscall name or number\fP|\fBall\fP]
-Any \fIsyscall name\fP or \fInumber\fP may be used. The word '\fBall\fP' may also be used. If the given syscall is made by a program, then start an audit record. If a field rule is given and no syscall is specified, it will default to all syscalls. You may also specify multiple syscalls in the same rule by using multiple \-S options in the same rule. Doing so improves performance since fewer rules need to be evaluated. Alternatively, you may pass a comma separated list of syscall names. If you are on a bi-arch system, like x86_64, you should be aware that auditctl simply takes the text, looks it up for the native arch (in this case b64) and sends that rule to the kernel. If there are no additional arch directives, IT WILL APPLY TO BOTH 32 & 64 BIT SYSCALLS. This can have undesirable effects since there is no guarantee that any syscall has the same number on both 32 and 64 bit interfaces. You will likely want to control this and write 2 rules, one with arch equal to b32 and one with b64 to make sure the kernel finds the events that you intend. See the arch field discussion for more info.
-.TP
-.BI \-w\ path
-Insert a watch for the file system object at \fIpath\fP. You cannot insert a watch to the top level directory. This is prohibited by the kernel. Wildcards are not supported either and will generate a warning. The way that watches work is by tracking the inode internally. If you place a watch on a file, its the same as using the \-F path option on a syscall rule. If you place a watch on a directory, its the same as using the \-F dir option on a syscall rule. The \-w form of writing watches is for backwards compatibility and the syscall based form is more expressive. Unlike most syscall auditing rules, watches do not impact performance based on the number of rules sent to the kernel. The only valid options when using a watch are the \-p and \-k. If you need to anything fancy like audit a specific user accessing a file, then use the syscall auditing form with the path or dir fields. See the EXAMPLES section for an example of converting one form to another.
-.TP
-.BI \-W\ path
-Remove a watch for the file system object at \fIpath\fP. The rule must match exactly. See \fB-d\fP discussion for more info.
-.SH "PERFORMANCE TIPS"
-Syscall rules get evaluated for each syscall for every program. If you have 10 syscall rules, every program on your system will delay during a syscall while the audit system evaluates each rule. Too many syscall rules will hurt performance. Try to combine as many as you can whenever the filter, action, key, and fields are identical. For example:
-
-.nf
-.B auditctl \-a always,exit \-S openat \-F success=0
-.fi
-.nf
-.B auditctl \-a always,exit \-S truncate \-F success=0
-.fi
-
-could be re-written as one rule:
-
-.nf
-.B auditctl \-a always,exit \-S openat \-S truncate \-F success=0
-.fi
-
-Also, try to use file system auditing wherever practical. This improves performance. For example, if you were wanting to capture all failed opens & truncates like above, but were only concerned about files in /etc and didn't care about /usr or /sbin, its possible to use this rule:
-
-.nf
-.B auditctl \-a always,exit \-S openat \-S truncate \-F dir=/etc \-F success=0
-.fi
-
-This will be higher performance since the kernel will not evaluate it each and every syscall. It will be handled by the filesystem auditing code and only checked on filesystem related syscalls.
-.SH "EXAMPLES"
-To see all syscalls made by a specific program:
-
-.nf
-.B auditctl \-a always,exit \-S all \-F pid=1005
-.fi
-
-To see files opened by a specific user:
-
-.nf
-.B auditctl \-a always,exit \-S openat \-F auid=510
-.fi
-
-To see unsuccessful openat calls:
-
-.nf
-.B auditctl \-a always,exit \-S openat \-F success=0
-.fi
-
-To watch a file for changes (2 ways to express):
-
-.nf
-.B auditctl \-w /etc/shadow \-p wa
-.B auditctl \-a always,exit \-F path=/etc/shadow \-F perm=wa
-.fi
-
-To recursively watch a directory for changes (2 ways to express):
-
-.nf
-.B auditctl \-w /etc/ \-p wa
-.B auditctl \-a always,exit \-F dir=/etc/ \-F perm=wa
-.fi
-
-To see if an admin is accessing other user's files:
-
-.nf
-.B auditctl \-a always,exit \-F dir=/home/ \-F uid=0 \-C auid!=obj_uid
-.fi
-
-.SH FILES
-.TP
-.I /etc/audit/audit.rules
-
-.SH "SEE ALSO"
-.BR audit.rules (7),
-.BR auditd (8).
-
-.SH AUTHOR
-Steve Grubb
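Review bot: In the -F field list, the key entry says "See discussion above for -k option", but -k is documented after the field list, so the pointer sends the reader the wrong way; the .TH line also carries a stray colon ("AUDITCTL:"). If this page is carried to a new location, change "above" to "below" and drop the colon. Separately, -i is described under CONFIGURATION OPTIONS as ignoring rule-file errors and under -l and -s as an interpretation modifier; one sentence distinguishing the two uses would avoid a rule loader being run with -i in the belief that it only affects output.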
diff --git a/framework/src/audit/docs/auditd.8 b/framework/src/audit/docs/auditd.8
deleted file mode 100644
index ed026439..00000000
--- a/framework/src/audit/docs/auditd.8
+++ /dev/null
@@ -1,74 +0,0 @@
-.TH "AUDITD" "8" "Sept 2013" "Red Hat" "System Administration Utilities"
-.SH NAME
-auditd \- The Linux Audit daemon
-.SH SYNOPSIS
-.B auditd
-.RB [ \-f ]\ [ \-l ]\ [ \-n ]\ [ \-s\ disable|enable|nochange ]
-.SH DESCRIPTION
-\fBauditd\fP is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the
-.B ausearch
-or
-.B aureport
-utilities. Configuring the audit system or loading rules is done with the
-.B auditctl
-utility. During startup, the rules in \fI/etc/audit/audit.rules\fP are read by \fBauditctl\fP and loaded into the kernel. Alternately, there is also an
-.B augenrules
-program that reads rules located in \fI/etc/audit/rules.d/\fP and compiles them into an audit.rules file. The audit daemon itself has some configuration options that the admin may wish to customize. They are found in the
-.B auditd.conf
-file.
-.SH OPTIONS
-.TP
-.B \-f
-leave the audit daemon in the foreground for debugging. Messages also go to stderr rather than the audit log.
-.TP
-.B \-l
-allow the audit daemon to follow symlinks for config files.
-.TP
-.B \-n
-no fork. This is useful for running off of inittab or systemd.
-.TP
-.B \-s=\fIENABLE_STATE\fR
-specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be changed during the lifetime of auditd using 'auditctl \-e'.
-.SH SIGNALS
-.TP
-SIGHUP
-causes auditd to reconfigure. This means that auditd re-reads the configuration file. If there are no syntax errors, it will proceed to implement the requested changes. If the reconfigure is successful, a DAEMON_CONFIG event is recorded in the logs. If not successful, error handling is controlled by space_left_action, admin_space_left_action, disk_full_action, and disk_error_action parameters in auditd.conf.
-
-.TP
-SIGTERM
-caused auditd to discontinue processing audit events, write a shutdown audit event, and exit.
-
-.TP
-SIGUSR1
-causes auditd to immediately rotate the logs. It will consult the max_log_size_action to see if it should keep the logs or not.
-
-.TP
-SIGUSR2
-causes auditd to attempt to resume logging. This is usually needed after logging has been suspended.
-
-.SH FILES
-.B /etc/audit/auditd.conf
-- configuration file for audit daemon
-.P
-.B /etc/audit/audit.rules
-- audit rules to be loaded at startup
-.P
-.B /etc/audit/rules.d/
-- directory holding individual sets of rules to be compiled into one file by augenrules.
-
-.SH NOTES
-A boot param of audit=1 should be added to ensure that all processes that run before the audit daemon starts is marked as auditable by the kernel. Not doing that will make a few processes impossible to properly audit.
-
-The audit daemon can receive audit events from other audit daemons via the audisp\-remote audispd plugin. The audit daemon may be linked with tcp_wrappers to control which machines can connect. If this is the case, you can add an entry to hosts.allow and deny.
-
-.SH "SEE ALSO"
-.BR auditd.conf (5),
-.BR audispd (8),
-.BR ausearch (8),
-.BR aureport (8),
-.BR auditctl (8),
-.BR augenrules (8),
-.BR audit.rules (7).
-
-.SH AUTHOR
-Steve Grubb
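Review bot: SYNOPSIS writes the enable-state option as "-s disable|enable|nochange" while OPTIONS writes it as "-s=ENABLE_STATE", so the page gives two different syntaxes for the same flag; pick the form the daemon accepts and use it in both places if the page survives elsewhere. In SIGNALS, "caused auditd to discontinue" under SIGTERM should read "causes" to match the other three entries.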
diff --git a/framework/src/audit/docs/auditd.conf.5 b/framework/src/audit/docs/auditd.conf.5
deleted file mode 100644
index 6bb6633c..00000000
--- a/framework/src/audit/docs/auditd.conf.5
+++ /dev/null
@@ -1,304 +0,0 @@
-.TH AUDITD.CONF: "5" "March 2014" "Red Hat" "System Administration Utilities"
-.SH NAME
-auditd.conf \- audit daemon configuration file
-.SH DESCRIPTION
-The file
-.I /etc/audit/auditd.conf
-contains configuration information specific to the audit daemon. Each line should contain one configuration keyword, an equal sign, and then followed by appropriate configuration information. All option names and values are case insensitive. The keywords recognized are listed and described below. Each line should be limited to 160 characters or the line will be skipped. You may add comments to the file by starting the line with a '#' character.
-
-.TP
-.I log_file
-This keyword specifies the full path name to the log file where audit records
-will be stored. It must be a regular file.
-.TP
-.I log_format
-The log format describes how the information should be stored on disk. There are 2 options: raw and nolog.
-If set to
-.IR RAW ,
-the audit records will be stored in a format exactly as the kernel sends it. If this option is set to
-.I NOLOG
-then all audit information is discarded instead of writing to disk. This mode does not affect data sent to the audit event dispatcher.
-.TP
-.I log_group
-This keyword specifies the group that is applied to the log file's permissions. The default is root. The group name can be either numeric or spelled out.
-.TP
-.I priority_boost
-This is a non-negative number that tells the audit daemon how much of a priority boost it should take. The default is 4. No change is 0.
-.TP
-.I flush
-Valid values are
-.IR none ", " incremental ", " data ", and " sync ".
-If set to
-.IR none ,
-no special effort is made to flush the audit records to disk. If set to
-.IR incremental ,
-Then the
-.I freq
-parameter is used to determine how often an explicit flush to disk is issued.
-The
-.I data
-parameter tells the audit daemon to keep the data portion of the disk file
-sync'd at all times. The
-.I sync
-option tells the audit daemon to keep both the data and meta-data fully
-sync'd with every write to disk.
-.TP
-.I freq
-This is a non-negative number that tells the audit daemon how many records to
-write before issuing an explicit flush to disk command. This value is only
-valid when the
-.I flush
-keyword is set to
-.IR incremental .
-.TP
-.I num_logs
-This keyword specifies the number of log files to keep if rotate is given
-as the
-.I max_log_file_action.
-If the number is < 2, logs are not rotated. This number must be 99 or less.
-The default is 0 - which means no rotation. As you increase the number of log files being rotated, you may need to adjust the kernel backlog setting upwards since it takes more time to rotate the files. This is typically done in /etc/audit/audit.rules. If log rotation is configured to occur, the daemon will check for excess logs and remove them in effort to keep disk space available. The excess log check is only done on startup and when a reconfigure results in a space check.
-.TP
-.I disp_qos
-This option controls whether you want blocking/lossless or non-blocking/lossy communication between the audit daemon and the dispatcher. There is a 128k buffer between the audit daemon and dispatcher. This is good enogh for most uses. If lossy is chosen, incoming events going to the dispatcher are discarded when this queue is full. (Events are still written to disk if log_format is not nolog.) Otherwise the auditd daemon will wait for the queue to have an empty spot before logging to disk. The risk is that while the daemon is waiting for network IO, an event is not being recorded to disk. Valid values are: lossy and lossless. Lossy is the default value.
-.TP
-.I dispatcher
-The dispatcher is a program that is started by the audit daemon when it starts up. It will pass a copy of all audit events to that application's stdin. Make sure you trust the application that you add to this line since it runs with root privileges.
-.TP
-.I name_format
-This option controls how computer node names are inserted into the audit event stream. It has the following choices:
-.IR none ", " hostname ", " fqd ", " numeric ", and " user ".
-.IR None
-means that no computer name is inserted into the audit event.
-.IR hostname
-is the name returned by the gethostname syscall. The
-.IR fqd
-means that it takes the hostname and resolves it with dns for a fully qualified
-domain name of that machine.
-.IR Numeric
-is similar to fqd except it resolves the IP address of the machine. In order to use this option, you might want to test that 'hostname \-i' or 'domainname \-i' returns a numeric address. Also, this option is not recommended if dhcp is used because you could have different addresses over time for the same machine.
-.IR User
-is an admin defined string from the name option. The default value is
-.IR none ".
-.TP
-.I name
-This is the admin defined string that identifies the machine if
-.IR user
-is given as the
-.IR name_format
-option.
-.TP
-.I max_log_file
-This keyword specifies the maximum file size in megabytes. When this limit
-is reached, it will trigger a configurable action. The value given must be numeric.
-.TP
-.I max_log_file_action
-This parameter tells the system what action to take when the system has
-detected that the max file size limit has been reached. Valid values are
-.IR ignore ", " syslog ", " suspend ", " rotate " and "keep_logs.
-If set to
-.IR ignore ,
-the audit daemon does nothing.
-.IR syslog
-means that it will issue a warning to syslog.
-.IR suspend
-will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
-.IR rotate
-option will cause the audit daemon to rotate the logs. It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility. The
-.IR keep_logs
-option is similar to rotate except it does not use the num_logs setting. This prevents audit logs from being overwritten. The effect is that logs accumulate and are not deleted \- which will trigger the
-.I space_left_action
-if the volume fills up. This is best used in combination with an external script used to archive logs on a periodic basis.
-.TP
-.I action_mail_acct
-This option should contain a valid email address or alias. The default address is root. If the email address is not local to the machine, you must make sure you have email properly configured on your machine and network. Also, this option requires that /usr/lib/sendmail exists on the machine.
-.TP
-.I space_left
-This is a numeric value in megabytes that tells the audit daemon when
-to perform a configurable action because the system is starting to run low on disk space.
-.TP
-.I space_left_action
-This parameter tells the system what action to take when the system has
-detected that it is starting to get low on disk space.
-Valid values are
-.IR ignore ", " syslog ", " rotate ", " email ", " exec ", " suspend ", " single ", and " halt .
-If set to
-.IR ignore ,
-the audit daemon does nothing.
-.I syslog
-means that it will issue a warning to syslog.
-.I rotate
-will rotate logs, losing the oldest to free up space.
-.I Email
-means that it will send a warning to the email account specified in
-.I action_mail_acct
-as well as sending the message to syslog.
-.I exec
-/path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action. This can be done by adding service auditd resume to the script.
-.I suspend
-will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
-.I single
-option will cause the audit daemon to put the computer system in single user mode. The
-.I halt
-option will cause the audit daemon to shutdown the computer system.
-.TP
-.I admin_space_left
-This is a numeric value in megabytes that tells the audit daemon when
-to perform a configurable action because the system
-.B is running low
-on disk space. This should be considered the last chance to do something before running out of disk space. The numeric value for this parameter should be lower than the number for space_left.
-.TP
-.I admin_space_left_action
-This parameter tells the system what action to take when the system has
-detected that it
-.B is low on disk space.
-Valid values are
-.IR ignore ", " syslog ", "rotate ", " email ", " exec ", " suspend ", " single ", and " halt .
-If set to
-.IR ignore ,
-the audit daemon does nothing.
-.I Syslog
-means that it will issue a warning to syslog.
-.I rotate
-will rotate logs, losing the oldest to free up space.
-.I Email
-means that it will send a warning to the email account specified in
-.I action_mail_acct
-as well as sending the message to syslog.
-.I exec
-/path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action. This can be done by adding service auditd resume to the script.
-.I Suspend
-will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
-.I single
-option will cause the audit daemon to put the computer system in single user mode. The
-.I halt
-option will cause the audit daemon to shutdown the computer system.
-.TP
-.I disk_full_action
-This parameter tells the system what action to take when the system has
-detected that the partition to which log files are written has become full. Valid values are
-.IR ignore ", " syslog ", " rotate ", " exec ", " suspend ", " single ", and " halt .
-If set to
-.IR ignore ,
-the audit daemon will issue a syslog message but no other action is taken.
-.I Syslog
-means that it will issue a warning to syslog.
-.I rotate
-will rotate logs, losing the oldest to free up space.
-.I exec
-/path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume loggin
-g once its completed its action. This can be done by adding service auditd resume to the script.
-.I Suspend
-will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
-.I single
-option will cause the audit daemon to put the computer system in single user mode.
-.I halt
-option will cause the audit daemon to shutdown the computer system.
-.TP
-.I disk_error_action
-This parameter tells the system what action to take whenever there is an error
-detected when writing audit events to disk or rotating logs. Valid values are
-.IR ignore ", " syslog ", " exec ", " suspend ", " single ", and " halt .
-If set to
-.IR ignore ,
-the audit daemon will not take any action.
-.I Syslog
-means that it will issue no more than 5 consecutive warnings to syslog.
-.I exec
-/path-to-script will execute the script. You cannot pass parameters to the script.
-.I Suspend
-will cause the audit daemon to stop writing records to the disk. The daemon will still be alive. The
-.I single
-option will cause the audit daemon to put the computer system in single user mode.
-.I halt
-option will cause the audit daemon to shutdown the computer system.
-.TP
-.I tcp_listen_port
-This is a numeric value in the range 1..65535 which, if specified,
-causes auditd to listen on the corresponding TCP port for audit
-records from remote systems. The audit daemon may be linked with
-tcp_wrappers. You may want to control access with an entry in the
-hosts.allow and deny files.
-.TP
-.I tcp_listen_queue
-This is a numeric value which indicates how many pending (requested
-but unaccepted) connections are allowed. The default is 5. Setting
-this too small may cause connections to be rejected if too many hosts
-start up at exactly the same time, such as after a power failure.
-.TP
-.I tcp_max_per_addr
-This is a numeric value which indicates how many concurrent connections from
-one IP address is allowed. The default is 1 and the maximum is 1024. Setting
-this too large may allow for a Denial of Service attack on the logging
-server. Also note that the kernel has an internal maximum that will eventually
-prevent this even if auditd allows it by config. The default should be adequate
-in most cases unless a custom written recovery script runs to forward unsent
-events. In this case you would increase the number only large enough to let it
-in too.
-.TP
-.I use_libwrap
-This setting determines whether or not to use tcp_wrappers to discern connection attempts that are from allowed machines. Legal values are either
-.IR yes ", or " no "
-The default value is yes.
-.TP
-.I tcp_client_ports
-This parameter may be a single numeric value or two values separated
-by a dash (no spaces allowed). It indicates which client ports are
-allowed for incoming connections. If not specified, any port is
-allowed. Allowed values are 1..65535. For example, to require the
-client use a priviledged port, specify
-.I 1\-1023
-for this parameter. You will also need to set the local_port option in the audisp-remote.conf file. Making sure that clients send from a privileged port is a security feature to prevent log injection attacks by untrusted users.
-.TP
-.I tcp_client_max_idle
-This parameter indicates the number of seconds that a client may be idle (i.e. no data from them at all) before auditd complains. This is used to close inactive connections if the client machine has a problem where it cannot shutdown the connection cleanly. Note that this is a global setting, and must be higher than any individual client heartbeat_timeout setting, preferably by a factor of two. The default is zero, which disables this check.
-.TP
-.I enable_krb5
-If set to "yes", Kerberos 5 will be used for authentication and
-encryption. The default is "no".
-.TP
-.I krb5_principal
-This is the principal for this server. The default is "auditd".
-Given this default, the server will look for a key named like
-.I auditd/hostname@EXAMPLE.COM
-stored in
-.I /etc/audit/audit.key
-to authenticate itself, where hostname is the canonical name for the
-server's host, as returned by a DNS lookup of its IP address.
-.TP
-.I krb5_key_file
-Location of the key for this client's principal.
-Note that the key file must be owned by root and mode 0400.
-The default is
-.I /etc/audit/audit.key
-
-.SH NOTES
-In a CAPP environment, the audit trail is considered so important that access to system resources must be denied if an audit trail cannot be created. In this environment, it would be suggested that /var/log/audit be on its own partition. This is to ensure that space detection is accurate and that no other process comes along and consumes part of it.
-.PP
-The flush parameter should be set to sync or data.
-.PP
-Max_log_file and num_logs need to be adjusted so that you get complete use of your partition. It should be noted that the more files that have to be rotated, the longer it takes to get back to receiving audit events. Max_log_file_action should be set to keep_logs.
-.PP
-Space_left should be set to a number that gives the admin enough time to react to any alert message and perform some maintenance to free up disk space. This would typically involve running the \fBaureport \-t\fP report and moving the oldest logs to an archive area. The value of space_left is site dependent since the rate at which events are generated varies with each deployment. The space_left_action is recommended to be set to email. If you need something like an snmp trap, you can use the exec option to send one.
-.PP
-Admin_space_left should be set to the amount of disk space on the audit partition needed for admin actions to be recorded. Admin_space_left_action would be set to single so that use of the machine is restricted to just the console.
-.PP
-The disk_full_action is triggered when no more room exists on the partition. All access should be terminated since no more audit capability exists. This can be set to either single or halt.
-.PP
-The disk_error_action should be set to syslog, single, or halt depending on your local policies regarding handling of hardware malfunctions.
-.PP
-Specifying a single allowed client port may make it difficult for the
-client to restart their audit subsystem, as it will be unable to
-recreate a connection with the same host addresses and ports until the
-connection closure TIME_WAIT state times out.
-
-.SH FILES
-.TP
-.I /etc/audit/auditd.conf
-Audit daemon configuration file
-
-.SH "SEE ALSO"
-.BR auditd (8),
-.BR audisp\-remote.conf (5).
-
-.SH AUTHOR
-Steve Grubb
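Review bot: the krb5_key_file entry near the end of this hunk describes the file as the "key for this client's principal", but this page documents the server-side auditd.conf and the krb5_principal entry directly above calls it "the principal for this server"; wherever this text is carried after the removal, it should say server. The hunk also has two malformed list macros (" and "keep_logs. under max_log_file_action and ", "rotate ", " under admin_space_left_action) and spells "priviledged" in the tcp_client_ports entry. Since the tcp_client_ports, use_libwrap and krb5_key_file entries hold this page's hardening guidance for the TCP listener, confirm the page still ships from another source before dropping it.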
diff --git a/framework/src/audit/docs/augenrules.8 b/framework/src/audit/docs/augenrules.8
deleted file mode 100644
index e667bc20..00000000
--- a/framework/src/audit/docs/augenrules.8
+++ /dev/null
@@ -1,41 +0,0 @@
-.TH AUGENRULES: "8" "Apr 2013" "Red Hat" "System Administration Utilities"
-.SH NAME
-augenrules \- a script that merges component audit rule files
-.SH SYNOPSIS
-.B augenrules
-.RI [ \-\-check ]\ [ \-\-load ]
-.SH DESCRIPTION
-\fBaugenrules\fP is a script that merges all component audit rules files,
-found in the audit rules directory, \fI/etc/audit/rules.d\fP, placing the
-merged file in \fI/etc/audit/audit.rules\fP. Component audit rule files, must
-end in \fI.rules\fP in order to be processed. All other files in
-\fI/etc/audit/rules.d\fP are ignored.
-.P
-The files are concatenated in order, based on their natural sort (see -v option of ls(1)) and stripped of empty and comment (#) lines.
-.P
-The last processed -\fID\fP directive without an option, if present, is always
-emitted as the first line in the resultant file. Those with an option are
-replicated in place.
-The last processed -\fIb\fP directive, if present, is always
-emitted as the second line in the resultant file.
-The last processed -\fIf\fP directive, if present, is always
-emitted as the third line in the resultant file.
-The last processed -\fIe\fP directive, if present, is always
-emitted as the last line in the resultant file.
-.P
-The generated file is only copied to \fI/etc/audit/audit.rules\fP, if it differs.
-.SH OPTIONS
-.TP
-.B \-\-check
-test if rules have changed and need updating without overwriting audit.rules.
-.TP
-.B \-\-load
-load old or newly built rules into the kernel.
-
-.SH FILES
-/etc/audit/rules.d/
-/etc/audit/audit.rules
-.SH "SEE ALSO"
-.BR audit.rules (8),
-.BR auditctl (8),
-.BR auditd (8).
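Review bot: the .TH line at the top of this hunk gives the title as "AUGENRULES:" with a trailing colon, which would end up in the rendered page header; it should read AUGENRULES. In DESCRIPTION, "Component audit rule files, must end in .rules" has a stray comma, and the --load text ("load old or newly built rules into the kernel") does not say whether the merge runs first, which matters to anyone relying on it to pick up changes made under /etc/audit/rules.d.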
diff --git a/framework/src/audit/docs/auparse_add_callback.3 b/framework/src/audit/docs/auparse_add_callback.3
deleted file mode 100644
index 82a03f28..00000000
--- a/framework/src/audit/docs/auparse_add_callback.3
+++ /dev/null
@@ -1,69 +0,0 @@
-.TH "AUPARSE_ADD_CALLBACK" "3" "May 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_add_callback \- add a callback handler for notifications
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-.nf
-.B void
-auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
- void *user_data, user_destroy user_destroy_func);
-.fi
-.SH "DESCRIPTION"
-auparse_add_callback adds a callback function to the parse state which is invoked to notify the application of parsing events. This is part of the event feed API.
-
-The signature of the callback is:
-
-.nf
-void
-auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
- void *user_data);
-.fi
-
-When the callback is invoked it is passed:
-
-.TP
-.I au
- a pointer to the parse_state
-.TP
-.I cb_event_type
-enumerated value indicating the reason why the callback was invoked
-.TP
-.I user_data
-pointer to user supplied private data. May be NULL.
-.
-.TP
-.I user_destroy_func
-pointer to function called when user_data is destroyed. May be NULL.
-The signature is:
-.br
-.sp
-.nf
-void destroy(void *user_data);
-.fi
-.br
-.sp
-The destroy() function should be prepared to accept user_data possibly being NULL.
-.PP
-The
-.I cb_event_type
-argument indicates why the callback was invoked. It's possible values are:
-.br
-.TP
-.B AUPARSE_CB_EVENT_READY
-A complete event has been parsed and is ready to be examined. This is logically equivalent to the parse state immediately following
-.I auparse_next_event()
-.PP
-See auparse_feed(3) for a complete code example.
-.
-.SH "RETURN VALUE"
-
-Returns the previous callback pointer.
-
-.SH "SEE ALSO"
-
-.BR auparse_feed (3),
-.BR auparse_flush_feed (3).
-
-.SH AUTHOR
-John Dennis
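Review bot: SYNOPSIS declares auparse_add_callback with a void return type, but RETURN VALUE says "Returns the previous callback pointer"; one of the two is wrong and the text should be reconciled with the header. Separately, user_destroy_func is listed under "When the callback is invoked it is passed", although the callback signature shown takes only au, cb_event_type and user_data; it belongs with the arguments of auparse_add_callback itself. "It's possible values are" should be "Its".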
diff --git a/framework/src/audit/docs/auparse_destroy.3 b/framework/src/audit/docs/auparse_destroy.3
deleted file mode 100644
index e5a82c75..00000000
--- a/framework/src/audit/docs/auparse_destroy.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUPARSE_DESTROY" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_destroy \- release instance of parser
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-void auparse_destroy (auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_destroy frees all data structures and closes file descriptors.
-
-.SH "RETURN VALUE"
-
-None.
-
-.SH "SEE ALSO"
-
-.BR auparse_init (3),
-.BR auparse_reset (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_feed.3 b/framework/src/audit/docs/auparse_feed.3
deleted file mode 100644
index f3310e1b..00000000
--- a/framework/src/audit/docs/auparse_feed.3
+++ /dev/null
@@ -1,111 +0,0 @@
-.TH "AUPARSE_FEED" "3" "May 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_feed \- feed data into parser
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-.nf
-int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
-.fi
-
-.TP
-.I au
-The audit parse state
-.TP
-.I data
-a buffer of data to feed into the parser, it is
-.I data_len
-bytes long. The data is copied in the parser, upon return the caller may free or reuse the data buffer.
-.TP
-.I data_len
-number of bytes in
-.I data
-
-.SH "DESCRIPTION"
-
-.I auparse_feed
-supplies new data for the parser to consume.
-.I auparse_init()
-must have been called with a source type of AUSOURCE_FEED and a NULL pointer.
-.br
-.sp
-The parser consumes as much data
-as it can invoking a user supplied callback specified with
-.I auparse_add_callback
-with a cb_event_type of
-.I AUPARSE_CB_EVENT_READY
-each time the parser recognizes a complete event in the data stream. Data not fully parsed will persist and be
-prepended to the next feed data. After all data has been feed to the parser
-.I auparse_flush_feed
-should be called to signal the end of input data and flush any pending parse data through the parsing system.
-
-.SH "EXAMPLE"
-.nf
-void
-auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
- void *user_data)
-{
- int *event_cnt = (int *)user_data;
-
- if (cb_event_type == AUPARSE_CB_EVENT_READY) {
- if (auparse_first_record(au) <= 0) return;
- printf("event: %d\\n", *event_cnt);
- printf("records:%d\\n", auparse_get_num_records(au));
- do {
- printf("fields:%d\\n", auparse_get_num_fields(au));
- printf("type=%d ", auparse_get_type(au));
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) return;
- printf("event time: %u.%u:%lu\\n",
- (unsigned)e\->sec, e\->milli, e\->serial);
- auparse_first_field(au);
- do {
- printf("%s=%s (%s)\\n", auparse_get_field_name(au),
- auparse_get_field_str(au),
- auparse_interpret_field(au));
- } while (auparse_next_field(au) > 0);
- printf("\\n");
-
- } while(auparse_next_record(au) > 0);
- (*event_cnt)++;
- }
-}
-
-main(int argc, char **argv)
-{
- char *filename = argv[1];
- FILE *fp;
- char buf[256];
- size_t len;
- int *event_cnt = malloc(sizeof(int));
-
- au = auparse_init(AUSOURCE_FEED, 0);
-
- *event_cnt = 1;
- auparse_add_callback(au, auparse_callback, event_cnt, free);
-
- if ((fp = fopen(filename, "r")) == NULL) {
- fprintf(stderr, "could not open '%s', %s\\n", filename, strerror(errno));
- return 1;
- }
-
- while ((len = fread(buf, 1, sizeof(buf), fp))) {
- auparse_feed(au, buf, len);
- }
- auparse_flush_feed(au);
-}
-.fi
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_add_callback (3),
-.BR auparse_flush_feed (3),
-.BR auparse_feed_has_data (3)
-
-
-.SH AUTHOR
-John Dennis
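Review bot: the EXAMPLE's main() assigns to au without ever declaring it, has no return type and no #include lines, so it does not compile as written. It also ignores the results of malloc, auparse_init and auparse_feed (which RETURN VALUE says can be -1), returns on fopen failure without releasing the parser, and never calls fclose or auparse_destroy. An example that readers copy into log-processing tools should show those checks and the cleanup path.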
diff --git a/framework/src/audit/docs/auparse_feed_has_data.3 b/framework/src/audit/docs/auparse_feed_has_data.3
deleted file mode 100644
index d048ab21..00000000
--- a/framework/src/audit/docs/auparse_feed_has_data.3
+++ /dev/null
@@ -1,29 +0,0 @@
-.TH "AUPARSE_FEED_HAS_DATA" "3" "Sept 2012" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_feed_has_data \- check if there is any data accumulating that might need flushing.
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-.nf
-int auparse_feed_has_data(const auparse_state_t *au);
-.fi
-
-.TP
-.I au
-The audit parse state
-.SH "DESCRIPTION"
-
-.I auparse_feed_has_data
-may be called to determine if there is any records that are accumulating but not yet ready to emit.
-
-.SH "RETURN VALUE"
-
-Returns 1 if any records are accumulating otherwise 0 if empty.
-
-.SH "SEE ALSO"
-
-.BR auparse_feed (3)
-
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_find_field.3 b/framework/src/audit/docs/auparse_find_field.3
deleted file mode 100644
index 4062588f..00000000
--- a/framework/src/audit/docs/auparse_find_field.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUPARSE_FIND_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_find_field \- search for field name
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_find_field(auparse_state_t *au, const char *name);
-
-.SH "DESCRIPTION"
-
-auparse_find_field will scan all records in an event to find the first occurance of the field name passed to it. Searching begins from the cursor's current position. The field name is stored for subsequent searching.
-
-.SH "RETURN VALUE"
-
-Returns NULL field not found. If an error occurs errno will be set. Otherwise, it returns a pointer to the text value associated with the field.
-
-.SH "SEE ALSO"
-
-.BR auparse_first_record (3),
-.BR auparse_find_field_next (3).
-
-.SH AUTHOR
-Steve Grubb
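Review bot: RETURN VALUE reads "Returns NULL field not found. If an error occurs errno will be set", which drops the word "if" and never states what is returned on error. If NULL covers both cases, the text should tell callers to clear errno before the call and test it afterwards, otherwise a missing field and a parse failure are indistinguishable. "occurance" in DESCRIPTION should be "occurrence". The same RETURN VALUE wording appears in auparse_find_field_next.3.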
diff --git a/framework/src/audit/docs/auparse_find_field_next.3 b/framework/src/audit/docs/auparse_find_field_next.3
deleted file mode 100644
index f072fe71..00000000
--- a/framework/src/audit/docs/auparse_find_field_next.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUPARSE_FIND_FIELD_NEXT" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_find_field_next \- find next occurrance of field name
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_find_field_next(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_find_field_next finds the next occurrance of the previously stored field name. It will scan until it reaches the last record of the current event.
-
-.SH "RETURN VALUE"
-
-Returns NULL field not found. If an error occurs errno will be set. Otherwise, it returns a pointer to the text value associated with the field.
-
-.SH "SEE ALSO"
-
-.BR auparse_first_record (3),
-.BR auparse_next_event (3),
-.BR auparse_find_field (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_first_field.3 b/framework/src/audit/docs/auparse_first_field.3
deleted file mode 100644
index b57277eb..00000000
--- a/framework/src/audit/docs/auparse_first_field.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_FIRST_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_first_field \- reposition field cursor
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_first_field(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_first_field repositions the library's internal cursor to point to the first field of the current record in the current event.
-
-.SH "RETURN VALUE"
-
-Returns 0 if there is no event data; otherwise, 1 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_field (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_first_record.3 b/framework/src/audit/docs/auparse_first_record.3
deleted file mode 100644
index 2cdbc9c9..00000000
--- a/framework/src/audit/docs/auparse_first_record.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_FIRST_RECORD" "3" "Sep 2014" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_first_record \- reposition record cursor
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_first_record(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-auparse_first_record repositions the internal cursors of the parsing library to point to the first field of the first record in the current event.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs, 0 if there is no event data, or 1 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_event (3),
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_flush_feed.3 b/framework/src/audit/docs/auparse_flush_feed.3
deleted file mode 100644
index 905f2e9e..00000000
--- a/framework/src/audit/docs/auparse_flush_feed.3
+++ /dev/null
@@ -1,30 +0,0 @@
-.TH "AUPARSE_FLUSH_FEED" "3" "Sept 2012" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_flush_feed \- flush any unconsumed feed data through parser.
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-.nf
-int auparse_feed(auparse_state_t *au);
-.fi
-
-.TP
-.I au
-The audit parse state
-.SH "DESCRIPTION"
-
-.I auparse_flush_feed
-should be called to signal the end of feed input data and flush any pending parse data through the parsing system.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_feed (3),
-.BR auparse_feed_has_data (3)
-
-
-.SH AUTHOR
-John Dennis
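Review bot: the SYNOPSIS prototype is "int auparse_feed(auparse_state_t *au);", which names the wrong function and conflicts with the three-argument auparse_feed declared in auparse_feed.3. It should read int auparse_flush_feed(auparse_state_t *au); so the page matches its own NAME and DESCRIPTION.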
diff --git a/framework/src/audit/docs/auparse_get_field_int.3 b/framework/src/audit/docs/auparse_get_field_int.3
deleted file mode 100644
index a7464c2c..00000000
--- a/framework/src/audit/docs/auparse_get_field_int.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_GET_FIELD_INT" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_field_int \- get current field's value as an int
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_get_field_int(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_field_int allows access to the value as an int of the current field of the current record in the current event.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if there is an error with errno set appropriately or the value if errno is zero.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_field_str (3).
-
-.SH AUTHOR
-Steve Grubb
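Review bot: RETURN VALUE makes -1 both the error indicator and a possible field value ("or the value if errno is zero"), but never tells the caller to set errno to 0 before the call. Without that step a stale errno makes a legitimate -1 look like a failure, so the text should spell out the clear-then-check sequence.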
diff --git a/framework/src/audit/docs/auparse_get_field_name.3 b/framework/src/audit/docs/auparse_get_field_name.3
deleted file mode 100644
index e1f68b3f..00000000
--- a/framework/src/audit/docs/auparse_get_field_name.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUPARSE_GET_FIELD_NAME" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_field_name \- get current field's name
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_get_field_name(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_field_name allows access to the current field name of the current record in the current event.
-
-.SH "RETURN VALUE"
-
-Returns NULL if an error occurs; otherwise, a pointer to the field's name.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_field_str (3),
-.BR auparse_interpret_field (3),
-.BR auparse_next_field (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_field_str.3 b/framework/src/audit/docs/auparse_get_field_str.3
deleted file mode 100644
index e1ebfced..00000000
--- a/framework/src/audit/docs/auparse_get_field_str.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUPARSE_GET_FIELD_STR" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_field_str \- get current field's value
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_get_field_str(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_field_str allows access to the value in the current field of the current record in the current event.
-
-.SH "RETURN VALUE"
-
-Returns NULL if an error occurs; otherwise, a pointer to the field's value.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_field_name (3),
-.BR auparse_interpret_field (3),
-.BR auparse_next_field (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_field_type.3 b/framework/src/audit/docs/auparse_get_field_type.3
deleted file mode 100644
index 53fec8d0..00000000
--- a/framework/src/audit/docs/auparse_get_field_type.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_GET_FIELD_TYPE" "3" "Sept 2008" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_field_type \- get current field's data type
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_get_field_type(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_field_type returns a value from the auparse_type_t enum that describes the kind of data in the current field of the current record in the current event.
-
-.SH "RETURN VALUE"
-
-Returns AUPARSE_TYPE_UNCLASSIFIED if the field's data type has no known description or is an integer. Otherwise it returns another enum. Fields with the type AUPARSE_TYPE_ESCAPED must be interpretted to access their value since those field's raw value is encoded.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_field_name (3).
-
-.SH AUTHOR
-Steve Grubb
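Review bot: RETURN VALUE says fields of type AUPARSE_TYPE_ESCAPED "must be interpretted" because the raw value is encoded, but neither that sentence nor SEE ALSO names the function that does the interpreting; the other field pages in this patch cross-reference auparse_interpret_field (3), and this one should too. The same section also gives no return value for the error case, and "interpretted" should be "interpreted".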
diff --git a/framework/src/audit/docs/auparse_get_filename.3 b/framework/src/audit/docs/auparse_get_filename.3
deleted file mode 100644
index 259a8e25..00000000
--- a/framework/src/audit/docs/auparse_get_filename.3
+++ /dev/null
@@ -1,26 +0,0 @@
-.TH "AUPARSE_GET_FILENAME" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_filename \- get the filename where record was found
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_get_filename(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_filename will return the name of the source file where the
-record was found if the source type is AUSOURCE_FILE or
-AUSOURCE_FILE_ARRAY. For other source types the return value will be
-NULL.
-
-.SH "RETURN VALUE"
-
-Returns pointer to a filename or NULL if unavailable.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_line_number (3).
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-John Dennis
diff --git a/framework/src/audit/docs/auparse_get_line_number.3 b/framework/src/audit/docs/auparse_get_line_number.3
deleted file mode 100644
index bd0c4177..00000000
--- a/framework/src/audit/docs/auparse_get_line_number.3
+++ /dev/null
@@ -1,27 +0,0 @@
-.TH "AUPARSE_GET_LINE_NUMBER" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_line_number \- get line number where record was found
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-unsigned int auparse_get_line_number(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_line_number will return the source input line number for
-the current record of the current event. Line numbers start at 1. If
-the source input type is AUSOURCE_FILE_ARRAY the line numbering will
-reset back to 1 each time a new life in the file array is opened.
-
-.SH "RETURN VALUE"
-
-Returns the line number. Line numbers are 1 based, a zero value
-indicates the line number information is unavailable.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_filename (3).
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-John Dennis
diff --git a/framework/src/audit/docs/auparse_get_milli.3 b/framework/src/audit/docs/auparse_get_milli.3
deleted file mode 100644
index 3000988e..00000000
--- a/framework/src/audit/docs/auparse_get_milli.3
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH "AUPARSE_GET_MILLI" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_milli \- get the millisecond value of the event
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-unsigned int auparse_get_milli(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_milli gets the millisecond value of the current event.
-
-.SH "RETURN VALUE"
-
-Returns 0 if an error occurs; otherwise, the value of the millisecond portion of the timestamp.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_timestamp (3),
-.BR auparse_get_time (3).
-.BR auparse_get_milli (3).
-.BR auparse_get_node (3).
-
-.SH AUTHOR
-Steve Grubb
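Review bot: SEE ALSO lists auparse_get_milli (3), which is this page itself; going by the matching lists in auparse_get_node.3 and auparse_get_serial.3, the entry was probably meant to be auparse_get_serial (3), and the entries should be separated by commas rather than periods. RETURN VALUE also uses 0 for errors although 0 is a valid millisecond value, so the text should say how a caller tells the two apart.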
diff --git a/framework/src/audit/docs/auparse_get_node.3 b/framework/src/audit/docs/auparse_get_node.3
deleted file mode 100644
index 41731406..00000000
--- a/framework/src/audit/docs/auparse_get_node.3
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH "AUPARSE_GET_NODE" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_node \- get the event's machine node name
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_get_node(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_node gets the machine's node name if it exists in the audit event from the current event's timestamp data structure. Not all records have node names since its an admin configurable option.
-
-.SH "RETURN VALUE"
-
-Returns a copy of the node name or NULL if it does not exist or there was an error. The caller must free the string.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_timestamp (3),
-.BR auparse_get_time (3),
-.BR auparse_get_milli (3).
-.BR auparse_get_serial (3).
-
-.SH AUTHOR
-Steve Grubb
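Review bot: the prototype returns const char *, yet RETURN VALUE says the result is a copy and "The caller must free the string". A const-qualified return hides that ownership transfer and forces a cast at the free() call, so the ownership rule should be stated in DESCRIPTION next to the prototype, not only under RETURN VALUE. "since its an admin configurable option" should be "it's".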
diff --git a/framework/src/audit/docs/auparse_get_num_fields.3 b/framework/src/audit/docs/auparse_get_num_fields.3
deleted file mode 100644
index 595fa56b..00000000
--- a/framework/src/audit/docs/auparse_get_num_fields.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_GET_NUM_FIELDS" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_num_fields \- get the number of fields
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-unsigned int auparse_get_num_fields(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_num_fields gets the number of fields in the current record of the current event.
-
-.SH "RETURN VALUE"
-
-Returns 0 if an error occurs; otherwise, the number of fields.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_num_records.3 b/framework/src/audit/docs/auparse_get_num_records.3
deleted file mode 100644
index b1d3f3a2..00000000
--- a/framework/src/audit/docs/auparse_get_num_records.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_GET_NUM_RECORDS" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_num_records \- get the number of records
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-unsigned int auparse_get_num_records(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_num_records gets the number of records in the current event.
-
-.SH "RETURN VALUE"
-
-Returns 0 if an error occurs; otherwise, the number of records.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_record_text.3 b/framework/src/audit/docs/auparse_get_record_text.3
deleted file mode 100644
index 06f5bde9..00000000
--- a/framework/src/audit/docs/auparse_get_record_text.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_GET_RECORD_TEXT" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_record_text \- access unparsed record data
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_get_record_text(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_record_text returns a pointer to the full unparsed record.
-
-.SH "RETURN VALUE"
-
-Returns NULL if an error occurs; otherwise, a pointer to the record.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_serial.3 b/framework/src/audit/docs/auparse_get_serial.3
deleted file mode 100644
index e22b80e5..00000000
--- a/framework/src/audit/docs/auparse_get_serial.3
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH "AUPARSE_GET_SERIAL" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_serial \- get the event's serial number
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-unsigned long auparse_get_serial(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_serial gets the serial number value from the current event's timestamp data structure.
-
-.SH "RETURN VALUE"
-
-Returns 0 if an error occurs; otherwise, the serial number for the event.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_timestamp (3),
-.BR auparse_get_time (3),
-.BR auparse_get_milli (3).
-.BR auparse_get_node (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_time.3 b/framework/src/audit/docs/auparse_get_time.3
deleted file mode 100644
index 227ef127..00000000
--- a/framework/src/audit/docs/auparse_get_time.3
+++ /dev/null
@@ -1,26 +0,0 @@
-.TH "AUPARSE_GET_TIME" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_time \- get event's time
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-time_t auparse_get_time(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_time will access just the time portion of the timestamp data structure for the current event.
-
-.SH "RETURN VALUE"
-
-Returns 0 if an error occurs; otherwise, the valid time value in time_t format.
-
-.SH "SEE ALSO"
-
-.BR time (3),
-.BR auparse_get_timestamp (3),
-.BR auparse_get_milli (3).
-.BR auparse_get_serial (3).
-.BR auparse_get_node (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_timestamp.3 b/framework/src/audit/docs/auparse_get_timestamp.3
deleted file mode 100644
index 71a66136..00000000
--- a/framework/src/audit/docs/auparse_get_timestamp.3
+++ /dev/null
@@ -1,36 +0,0 @@
-.TH "AUPARSE_GET_TIMESTAMP" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_timestamp \- access timestamp of the event
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const au_event_t *auparse_get_timestamp(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_timestamp provides an accessor function for the event's timestamp data structure. The data structure is as follows:
-
-.nf
-typedef struct
-{
- time_t sec; // Event seconds
- unsigned int milli; // millisecond of the timestamp
- unsigned long serial; // Serial number of the event
- const char *host; // Machine's node name
-} au_event_t;
-.fi
-
-.SH "RETURN VALUE"
-
-Returns NULL if an error occurs; otherwise, a valid pointer to the data.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_time (3),
-.BR auparse_get_milli (3),
-.BR auparse_get_serial (3),
-.BR auparse_get_node (3),
-.BR auparse_timestamp_compare (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_get_type.3 b/framework/src/audit/docs/auparse_get_type.3
deleted file mode 100644
index c278e914..00000000
--- a/framework/src/audit/docs/auparse_get_type.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUPARSE_GET_TYPE" "3" "Jan 2014" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_get_type \- get record's type
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_get_type(auparse_state_t *au);
-const char *auparse_get_type_name(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_get_type will return the integer value for the current record of the current event. The auparse_get_type_name function will return the text representation of the name of the current record type.
-
-.SH "RETURN VALUE"
-
-auparse_get_type returns 0 if an error occurs; otherwise, the record's type. The auparse_get_type_name function returns NULL on error; otherwise a pointer to a string.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_goto_record_num.3 b/framework/src/audit/docs/auparse_goto_record_num.3
deleted file mode 100644
index 0688d969..00000000
--- a/framework/src/audit/docs/auparse_goto_record_num.3
+++ /dev/null
@@ -1,21 +0,0 @@
-.TH "AUPARSE_GOTO_RECORD_NUM" "3" "May 2008" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_goto_record_num \- move record cursor to specific record
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_goto_record_num(auparse_state_t *au, unsigned int num);
-
-.SH "DESCRIPTION"
-auparse_goto_record_num will move the internal library cursors to point to a specific physical record number. Records within the same event are numbered starting from 0. This is generally not needed but there are some cases where one may want precise control over the exact record being looked at.
-
-.SH "RETURN VALUE"
-
-Returns 0 on error or 1 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_num_records (3), auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
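Review bot: RETURN VALUE says "Returns 0 on error or 1 for success", while the auparse_next_record and auparse_next_event pages in this same removal use \-1 for errors and 0 for no more data. A caller that checks for a negative value after auparse_goto_record_num never sees the failure, so if the API outlives these docs, state the 0-on-error convention beside the prototype. In SEE ALSO, auparse_next_record (3) shares the .BR line with the previous entry and should have its own line.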
diff --git a/framework/src/audit/docs/auparse_init.3 b/framework/src/audit/docs/auparse_init.3
deleted file mode 100644
index 7dd2b521..00000000
--- a/framework/src/audit/docs/auparse_init.3
+++ /dev/null
@@ -1,37 +0,0 @@
-.TH "AUPARSE_INIT" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_init \- initialize an instance of the audit parsing library
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-auparse_state_t *auparse_init(ausource_t source, const void *b);
-
-.SH "DESCRIPTION"
-
-auparse_init initializes an instance of the audit parsing library. The function returns an opaque pointer to the parser's internal state. It is used in subsequent calls to the library so. The source variable determines where the library looks for data. Legal values can be:
-
-.nf
- AUSOURCE_LOGS - use audit logs
- AUSOURCE_FILE - use a file
- AUSOURCE_FILE_ARRAY - use several files
- AUSOURCE_BUFFER - use a buffer
- AUSOURCE_BUFFER_ARRAY - use an array of buffers
- AUSOURCE_DESCRIPTOR - use a particular descriptor
- AUSOURCE_FILE_POINTER - use a stdio FILE pointer
- AUSOURCE_FEED - feed data to parser with auparse_feed()
-.fi
-
-The pointer 'b' is used to set the file name, array of filenames, the buffer address, or an array of pointers to buffers, or the descriptor number based on what source is given. When the data source is an array of files or buffers, you would create an array of pointers with the last one being a NULL pointer. Buffers should be NUL terminated.
-
-.SH "RETURN VALUE"
-
-Returns a NULL pointer if an error occurs; otherwise, the return value is an opaque pointer to the parser's internal state.
-
-.SH "SEE ALSO"
-
-.BR auparse_reset (3),
-.BR auparse_destroy (3).
-.BR auparse_feed (3).
-
-.SH AUTHOR
-Steve Grubb
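Review bot: The last DESCRIPTION paragraph states two input contracts callers must meet: an array of files or buffers ends with a NULL pointer, and buffers "should be NUL terminated" (the prototype takes no length argument). Keep both beside the prototype if auparse_init remains callable. The sentence "It is used in subsequent calls to the library so." is cut off, and the paragraph on 'b' covers the file name, buffers and descriptor number but not the FILE pointer for AUSOURCE_FILE_POINTER, nor what to pass for AUSOURCE_LOGS and AUSOURCE_FEED.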
diff --git a/framework/src/audit/docs/auparse_interpret_field.3 b/framework/src/audit/docs/auparse_interpret_field.3
deleted file mode 100644
index 2ff5297b..00000000
--- a/framework/src/audit/docs/auparse_interpret_field.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUPARSE_INTERPRET_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_interpret_field \- get current field's value interpreted
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-const char *auparse_interpret_field(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_interpret_field allows access to the interpreted value in the current field of the current record in the current event. The returned value will be destroyed if you call this function again. If you need to interpret another field and keep this value, you will have to copy it for later use.
-
-Examples of things that could be interpreted are: uid, gid, syscall numbers, exit codes, file paths, socket addresses, permissions, modes, and capabilities. There are likely to be more in the future. If a value cannot be interpreted, its original value is returned.
-
-.SH "RETURN VALUE"
-
-Returns NULL if there is an error otherwise a pointer to the interpreted value.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_field_str (3).
-
-.SH AUTHOR
-Steve Grubb
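Review bot: The lifetime rule in DESCRIPTION ("The returned value will be destroyed if you call this function again") is what keeps callers from holding a stale pointer across two fields, and it disappears with this page. If auparse_interpret_field stays in use, repeat the copy-before-next-call requirement at the prototype. The same paragraph group also says an uninterpretable value comes back as its original value, so callers cannot tell interpreted output from raw output by the return alone; that is worth keeping on record too.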
diff --git a/framework/src/audit/docs/auparse_next_event.3 b/framework/src/audit/docs/auparse_next_event.3
deleted file mode 100644
index b5a66e94..00000000
--- a/framework/src/audit/docs/auparse_next_event.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_NEXT_EVENT" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_next_event \- get the next event
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_next_event(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_next_event will position the cursors at the first field of the first record of the next event in a file or buffer. It does not skip events or honor any search criteria that may be stored.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs, 0 if there's no data, 1 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_next_field.3 b/framework/src/audit/docs/auparse_next_field.3
deleted file mode 100644
index 17b0c216..00000000
--- a/framework/src/audit/docs/auparse_next_field.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_NEXT_FIELD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_next_field \- move field cursor
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_next_field(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_next_field moves the library's internal cursor to point to the next field in the current record of the current event.
-
-.SH "RETURN VALUE"
-
-Returns 0 if no more fields exist and 1 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_record (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_next_record.3 b/framework/src/audit/docs/auparse_next_record.3
deleted file mode 100644
index a26a9573..00000000
--- a/framework/src/audit/docs/auparse_next_record.3
+++ /dev/null
@@ -1,21 +0,0 @@
-.TH "AUPARSE_NEXT_RECORD" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_next_record \- move record cursor
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_next_record(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-auparse_next_record will move the internal library cursors to point to the next record of the current event. You should not call this function from a feed interface callback function. Doing so will deadlock the code. In that scenario, you should check the number of records in the current event with auparse_get_num_records and only call this if there are more records.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs, 0 if no more records in current event, or 1 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_next_event (3), auparse_get_num_records (3).
-
-.SH AUTHOR
-Steve Grubb
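Review bot: DESCRIPTION carries a deadlock warning ("You should not call this function from a feed interface callback function. Doing so will deadlock the code.") together with the workaround of checking auparse_get_num_records first. That is operational guidance rather than reference text, so it should survive the removal somewhere an author of a feed callback will see it, for example beside the auparse_feed declaration. In SEE ALSO, auparse_get_num_records (3) shares the .BR line with the previous entry and should have its own line.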
diff --git a/framework/src/audit/docs/auparse_node_compare.3 b/framework/src/audit/docs/auparse_node_compare.3
deleted file mode 100644
index 869f9454..00000000
--- a/framework/src/audit/docs/auparse_node_compare.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_NODE_COMPARE" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_node_compare \- compares node name values
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_node_compare(au_event_t *e1, au_event_t *e2);
-
-.SH "DESCRIPTION"
-
-auparse_node_compare compares the node name values of 2 events.
-
-.SH "RETURN VALUE"
-
-Returns \-1, 0, or 1 respectively depending on whether e2 is less than, equal to, or greater than e1. Since this is a string compare, it probably only matter that they are equal or not equal.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_timestamp (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_reset.3 b/framework/src/audit/docs/auparse_reset.3
deleted file mode 100644
index 943fb962..00000000
--- a/framework/src/audit/docs/auparse_reset.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUPARSE_RESET" "3" "Sep 2014" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_reset \- reset audit parser instance
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_reset(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-auparse_reset resets all internal cursors to the beginning. It closes files, descriptors, and frees memory buffers.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR auparse_init (3),
-.BR auparse_destroy (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/auparse_timestamp_compare.3 b/framework/src/audit/docs/auparse_timestamp_compare.3
deleted file mode 100644
index 8f71749d..00000000
--- a/framework/src/audit/docs/auparse_timestamp_compare.3
+++ /dev/null
@@ -1,22 +0,0 @@
-.TH "AUPARSE_TIMESTAMP_COMPARE" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-auparse_timestamp_compare \- compares timestamp values
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2);
-
-.SH "DESCRIPTION"
-
-auparse_timestamp_compare compares the values of 2 timestamps.
-
-.SH "RETURN VALUE"
-
-Returns \-1, 0, or 1 respectively depending on whether e2 is less than, equal to, or greater than e1.
-
-.SH "SEE ALSO"
-
-.BR auparse_get_timestamp (3).
-
-.SH AUTHOR
-Steve Grubb
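Review bot: RETURN VALUE describes the result in terms of "whether e2 is less than, equal to, or greater than e1", which reads as the reverse of the usual compare(a, b) convention where the sign describes the first argument. Before this text goes away, confirm it against the implementation and record the actual ordering at the prototype, since code that sorts or merges events by timestamp depends on it. The auparse_node_compare page removed above uses the same wording.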
diff --git a/framework/src/audit/docs/aureport.8 b/framework/src/audit/docs/aureport.8
deleted file mode 100644
index 365f4188..00000000
--- a/framework/src/audit/docs/aureport.8
+++ /dev/null
@@ -1,131 +0,0 @@
-.TH AUREPORT: "8" "Sept 2014" "Red Hat" "System Administration Utilities"
-.SH NAME
-aureport \- a tool that produces summary reports of audit daemon logs
-.SH SYNOPSIS
-.B aureport
-.RI [ options ]
-.SH DESCRIPTION
-\fBaureport\fP is a tool that produces summary reports of the audit system logs. The aureport utility can also take input from stdin as long as the input is the raw log data. The reports have a column label at the top to help with interpretation of the various fields. Except for the main summary report, all reports have the audit event number. You can subsequently lookup the full event with ausearch \fB\-a\fP \fIevent number\fP. You may need to specify start & stop times if you get multiple hits. The reports produced by aureport can be used as building blocks for more complicated analysis.
-
-.SH OPTIONS
-.TP
-.BR \-au ,\ \-\-auth
-Report about authentication attempts
-.TP
-.BR \-a ,\ \-\-avc
-Report about avc messages
-.TP
-.BR \-\-comm
-Report about commands run
-.TP
-.BR \-c ,\ \-\-config
-Report about config changes
-.TP
-.BR \-cr ,\ \-\-crypto
-Report about crypto events
-.TP
-.BR \-e ,\ \-\-event
-Report about events
-.TP
-.BR \-f ,\ \-\-file
-Report about files
-.TP
-.B \-\-failed
-Only select failed events for processing in the reports. The default is both success and failed events.
-.TP
-.BR \-h ,\ \-\-host
-Report about hosts
-.TP
-.BR \-\-help
-Print brief command summary
-.TP
-.BR \-i ,\ \-\-interpret
-Interpret numeric entities into text. For example, uid is converted to account name. The conversion is done using the current resources of the machine where the search is being run. If you have renamed the accounts, or don't have the same accounts on your machine, you could get misleading results.
-.TP
-.BR \-if ,\ \-\-input \ \fIfile\fP\ |\ \fIdirectory\fP
-Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved.
-.TP
-.B \-\-input\-logs
-Use the log file location from auditd.conf as input for analysis. This is needed if you are using aureport from a cron job.
-.TP
-.BR \-\-integrity
-Report about integrity events
-.TP
-.BR \-k ,\ \-\-key
-Report about audit rule keys
-.TP
-.BR \-l ,\ \-\-login
-Report about logins
-.TP
-.BR \-m ,\ \-\-mods
-Report about account modifications
-.TP
-.BR \-ma ,\ \-\-mac
-Report about Mandatory Access Control (MAC) events
-.TP
-.BR \-n ,\ \-\-anomaly
-Report about anomaly events. These events include NIC going into promiscuous mode and programs segfaulting.
-.TP
-.BR \-\-node \ \fInode-name\fP
-Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes. Multiple nodes are allowed.
-.TP
-.BR \-nc ,\ \-\-no-config
-Do not include the CONFIG_CHANGE event. This is particularly useful for the key report because audit rules have key labels in many cases. Using this option gets rid of these false positives.
-.TP
-.BR \-p ,\ \-\-pid
-Report about processes
-.TP
-.BR \-r ,\ \-\-response
-Report about responses to anomaly events
-.TP
-.BR \-s ,\ \-\-syscall
-Report about syscalls
-.TP
-.B \-\-success
-Only select successful events for processing in the reports. The default is both success and failed events.
-.TP
-.B \-\-summary
-Run the summary report that gives a total of the elements of the main report. Not all reports have a summary.
-.TP
-.BR \-t ,\ \-\-log
-This option will output a report of the start and end times for each log.
-.TP
-.BR \-\-tty
-Report about tty keystrokes
-.TP
-.BR \-te ,\ \-\-end \ [\fIend-date\fP]\ [\fIend-time\fP]
-Search for events with time stamps equal to or before the given end time. The format of end time depends on your locale. If the date is omitted,
-.B today
-is assumed. If the time is omitted,
-.B now
-is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable.
-
-You may also use the word: \fBnow\fP, \fBrecent\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP. \fBToday\fP means starting now. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month.
-.TP
-.BR \-tm ,\ \-\-terminal
-Report about terminals
-.TP
-.BR \-ts ,\ \-\-start \ [\fIstart-date\fP]\ [\fIstart-time\fP]
-Search for events with time stamps equal to or after the given end time. The format of end time depends on your locale. If the date is omitted,
-.B today
-is assumed. If the time is omitted,
-.B midnight
-is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable.
-
-You may also use the word: \fBnow\fP, \fBrecent\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP. \fBToday\fP means starting at 1 second after midnight. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means starting 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month.
-.TP
-.BR \-u ,\ \-\-user
-Report about users
-.TP
-.BR \-v ,\ \-\-version
-Print the version and exit
-.TP
-.BR \-\-virt
-Report about Virtualization events
-.TP
-.BR \-x ,\ \-\-executable
-Report about executables
-
-.SH "SEE ALSO"
-.BR ausearch (8),
-.BR auditd (8).
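Review bot: The \-ts, \-\-start entry was copied from \-te without being adjusted: it reads "equal to or after the given end time. The format of end time depends on your locale", where the start time is meant. If this page remains the reference anywhere after the removal, correct both occurrences there, and drop the stray colon in the .TH title "AUREPORT:". The \-i caveat (interpretation uses the accounts of the machine running the report and can mislead on moved logs) is the one option note worth preserving verbatim.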
diff --git a/framework/src/audit/docs/ausearch-expression.5 b/framework/src/audit/docs/ausearch-expression.5
deleted file mode 100644
index 73549239..00000000
--- a/framework/src/audit/docs/ausearch-expression.5
+++ /dev/null
@@ -1,241 +0,0 @@
-.TH "AUSEARCH-EXPRESSION" "5" "Feb 2008" "Red Hat" "Linux Audit"
-.SH NAME
-ausearch-expression \- audit search expression format
-
-.SH OVERVIEW
-This man page describes the format of "ausearch expressions".
-Parsing and evaluation of these expressions is provided by libauparse
-and is common to applications that use this library.
-
-.SH LEXICAL STRUCTURE
-
-White space (ASCII space, tab and new-line characters) between tokens is
-ignored.
-The following tokens are recognized:
-
-.TP
-Punctuation
-.B ( ) \e
-
-.TP
-Logical operators
-.B ! && ||
-
-.TP
-Comparison operators
-.B < <= == > >= !== i= i!= r= r!=
-
-.TP
-Unquoted strings
-Any non-empty sequence of ASCII letters, digits, and the
-.B _
-symbol.
-
-.TP
-Quoted strings
-A sequence of characters surrounded by the
-.B \(dq
-quotes.
-The
-.B \e
-character starts an escape sequence.
-The only defined escape sequences are
-.B \e\e
-and \fB\e\(dq\fR.
-The semantics of other escape sequences is undefined.
-
-.TP
-Regexps
-A sequence of characters surrounded by the
-.B /
-characters.
-The
-.B \e
-character starts an escape sequence.
-The only defined escape sequences are
-.B \e\e
-and \fB\e/\fR.
-The semantics of other escape sequences is undefined.
-
-.PP
-Anywhere an unquoted string is valid, a quoted string is valid as well,
-and vice versa.
-In particular, field names may be specified using quoted strings,
-and field values may be specified using unquoted strings.
-
-.SH EXPRESSION SYNTAX
-
-The primary expression has one of the following forms:
-.IP
-.I field comparison-operator value
-
-.B \eregexp
-.I string-or-regexp
-.PP
-
-.I field
-is either a string,
-which specifies the first field with that name within the current audit record,
-or the
-.B \e
-escape character followed by a string,
-which specifies a virtual field with the specified name
-(virtual fields are defined in a later section).
-
-.I field
-is a string.
-.I operator
-specifies the comparison to perform
-
-.TP
-.B r= r!=
-Get the "raw" string of \fIfield\fR,
-and compare it to \fIvalue\fR.
-For fields in audit records,
-the "raw" string is the exact string stored in the audit record
-(with all escaping and unprintable character encoding left alone);
-applications can read the "raw" string using
-.BR auparse_get_field_str (3).
-Each virtual field may define a "raw" string.
-If
-.I field
-is not present or does not define a "raw" string,
-the result of the comparison is
-.B false
-(regardless of the operator).
-
-.TP
-.B i= i!=
-Get the "interpreted" string of \fIfield\fR,
-and compare it to \fIvalue\fR.
-For fields in audit records,
-the "interpreted" string is an "user-readable" interpretation of the field
-value;
-applications can read the "interpreted" string using
-.BR auparse_interpret_field (3).
-Each virtual field may define an "interpreted" string.
-If
-.I field
-is not present or does not define an "interpreted" string,
-the result of the comparison is
-.B false
-(regardless of the operator).
-
-.TP
-.B < <= == > >= !==
-Evaluate the "value" of \fIfield\fR, and compare it to \fIvalue\fR.
-A "value" may be defined for any field or virtual field,
-but no "value" is currently defined for any audit record field.
-The rules of parsing \fIvalue\fR for comparing it with the "value" of
-.I field
-are specific for each \fIfield\fR.
-If
-.I field
-is not present,
-the result of the comparison is
-.B false
-(regardless of the operator).
-If
-.I field
-does not define a "value", an error is reported when parsing the expression.
-.PP
-
-In the special case of
-.B \eregexp
-\fIregexp-or-string\fR,
-the current audit record is taken as a string
-(without interpreting field values),
-and matched against \fIregexp-or-string\fR.
-.I regexp-or-string
-is an extended regular expression, using a string or regexp token
-(in other words, delimited by
-.B \(dq
-or \fB/\fR).
-
-If
-.I E1
-and
-.I E2
-are valid expressions,
-then
-.B !
-\fIE1\fR,
-.I E1
-.B &&
-\fIE2\fR, and
-.I E1
-.B ||
-.I E2
-are valid expressions as well, with the usual C semantics and evaluation
-priorities.
-Note that
-.B !
-.I field op value
-is interpreted as \fB!(\fIfield op value\fB)\fR, not as
-\fB(!\fIfield\fB)\fI op value\fR.
-
-.SH VIRTUAL FIELDS
-
-The following virtual fields are defined:
-
-.TP
-.B \etimestamp
-The value is the timestamp of the current event.
-.I value
-must have the \fBts:\fIseconds\fR.\fImilli\fR format, where
-.I seconds
-and
-.I milli
-are decimal numbers specifying the seconds and milliseconds part of the
-timestamp, respectively.
-
-.TP
-.B \erecord_type
-The value is the type of the current record.
-.I value
-is either the record type name, or a decimal number specifying the type.
-
-.SH SEMANTICS
-The expression as a whole applies to a single record.
-The expression is
-.B true
-for a specified event if it is
-.B true
-for any record associated with the event.
-
-.SH EXAMPLES
-
-As a demonstration of the semantics of handling missing fields, the following
-expression is
-.B true
-if
-.I field
-is present:
-.IP
-.B (\fIfield\fB r= \(dq\(dq) || (\fIfield\fB r!= \(dq\(dq)
-.PP
-and the same expression surrounded by
-.B !(
-and
-.B )
-is
-.B true
-if
-.I field
-is not present.
-
-.SH FUTURE DIRECTIONS
-New escape sequences for quoted strings may be defined.
-
-For currently defined virtual fields that do not define a "raw" or
-"interpreted" string, the definition may be added.
-Therefore, don't rely on the fact
-that comparing the "raw" or "interpreted" string of the field with any value
-is \fBfalse\fR.
-
-New formats of value constants for the
-.B \etimestamp
-virtual field may be added.
-
-.SH AUTHOR
-Miloslav Trmac
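Review bot: The missing-field rule repeated under each operator group ("If field is not present ... the result of the comparison is false (regardless of the operator)") is the behaviour filter authors most need, because a negative test such as r!= does not match records that lack the field, and the EXAMPLES section depends on it. Keep that rule documented wherever expression support remains. Within EXPRESSION SYNTAX, the second paragraph beginning "field is a string." repeats the field definition and says "operator" where the form above says "comparison-operator", and the argument of the regexp form is called string-or-regexp in one place and regexp-or-string in another.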
diff --git a/framework/src/audit/docs/ausearch.8 b/framework/src/audit/docs/ausearch.8
deleted file mode 100644
index c7b30314..00000000
--- a/framework/src/audit/docs/ausearch.8
+++ /dev/null
@@ -1,208 +0,0 @@
-.TH AUSEARCH: "8" "Sept 2009" "Red Hat" "System Administration Utilities"
-.SH NAME
-ausearch \- a tool to query audit daemon logs
-.SH SYNOPSIS
-.B ausearch
-.RI [ options ]
-.SH DESCRIPTION
-\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given. An exception is the \fB\-n\fP option; multiple nodes are allowed in a search which will return any matching node.
-
-It should also be noted that each syscall excursion from user space into the kernel and back into user space has one event ID that is unique. Any auditable event that is triggered during this trip share this ID so that they may be correlated.
-
-Different parts of the kernel may add supplemental records. For example, an audit event on the syscall "open" will also cause the kernel to emit a PATH record with the file name. The ausearch utility will present all records that make up one event together. This could mean that even though you search for a specific kind of record, the resulting events may contain SYSCALL records.
-
-Also be aware that not all record types have the requested information. For example, a PATH record does not have a hostname or a loginuid.
-
-.SH OPTIONS
-.TP
-.BR \-a ,\ \-\-event \ \fIaudit-event-id\fP
-Search for an event based on the given \fIevent ID\fP. Messages always start with something like msg=audit(1116360555.329:2401771). The event ID is the number after the ':'. All audit events that are recorded from one application's syscall have the same audit event ID. A second syscall made by the same application will have a different event ID. This way they are unique.
-.TP
-.BR \-\-arch \ \fICPU\fP
-Search for events based on a specific CPU architecture. If you do not know the arch of your machine but you want to use the 32 bit syscall table and your machine supports 32 bits, you can also use
-.B b32
-for the arch. The same applies to the 64 bit syscall table, you can use
-.B b64.
-The arch of your machine can be found by doing 'uname -m'.
-.TP
-.BR \-c ,\ \-\-comm \ \fIcomm-name\fP
-Search for an event based on the given \fIcomm name\fP. The comm name is the executable's name from the task structure.
-.TP
-.BR \-\-debug
-Write malformed events that are skipped to stderr.
-.TP
-.BR \-\-checkpoint \ \fIcheckpoint-file\fP
-Checkpoint the output between successive invocations of ausearch such that only events not
-previously output will print in subsequent invocations.
-
-An auditd event is made up of one or more records. When processing events, ausearch defines
-events as either complete or in-complete. A complete event is either a single record event or
-one whose event time occurred 2 seconds in the past compared to the event being currently
-processed.
-
-A checkpoint is achieved by recording the last completed event output along with the device
-number and inode of the file the last completed event appeared in \fIcheckpoint-file\fP. On a subsequent invocation,
-ausearch will load this checkpoint data and as it processes the log files, it will discard all
-complete events until it matches the checkpointed one. At this point, it will start
-outputting complete events.
-
-Should the file or the last checkpointed event not be found, one of a number of errors will result and ausearch will terminate. See \fBEXIT STATUS\fP for detail.
-
-.TP
-.BR \-e,\ \-\-exit \ \fIexit-code-or-errno\fP
-Search for an event based on the given syscall \fIexit code or errno\fP.
-.TP
-.BR \-f ,\ \-\-file \ \fIfile-name\fP
-Search for an event based on the given \fIfilename\fP.
-.TP
-.BR \-ga ,\ \-\-gid\-all \ \fIall-group-id\fP
-Search for an event with either effective group ID or group ID matching the given \fIgroup ID\fP.
-.TP
-.BR \-ge ,\ \-\-gid\-effective \ \fIeffective-group-id\fP
-Search for an event with the given \fIeffective group ID\fP or group name.
-.TP
-.BR \-gi ,\ \-\-gid \ \fIgroup-id\fP
-Search for an event with the given \fIgroup ID\fP or group name.
-.TP
-.BR \-h ,\ \-\-help
-Help
-.TP
-.BR \-hn ,\ \-\-host \ \fIhost-name\fP
-Search for an event with the given \fIhost name\fP. The hostname can be either a hostname, fully qualified domain name, or numeric network address. No attempt is made to resolve numeric addresses to domain names or aliases.
-.TP
-.BR \-i ,\ \-\-interpret
-Interpret numeric entities into text. For example, uid is converted to account name. The conversion is done using the current resources of the machine where the search is being run. If you have renamed the accounts, or don't have the same accounts on your machine, you could get misleading results.
-.TP
-.BR \-if ,\ \-\-input \ \fIfile-name\fP\ |\ \fIdirectory\fP
-Use the given \fIfile\fP or \fIdirectory\fP instead of the logs. This is to aid analysis where the logs have been moved to another machine or only part of a log was saved.
-.TP
-.BR \-\-input\-logs
-Use the log file location from auditd.conf as input for searching. This is needed if you are using ausearch from a cron job.
-.TP
-.BR \-\-just\-one
-Stop after emitting the first event that matches the search criteria.
-.TP
-.BR \-k ,\ \-\-key \ \fIkey-string\fP
-Search for an event based on the given \fIkey string\fP.
-.TP
-.BR \-l ,\ \-\-line\-buffered
-Flush output on every line. Most useful when stdout is connected to a pipe and the default block buffering strategy is undesirable. May impose a performance penalty.
-.TP
-.BR \-m ,\ \-\-message \ \fImessage-type\fP\ |\ \fIcomma-sep-message-type-list\fP
-Search for an event matching the given \fImessage type\fP. You may also enter a \fIcomma separated list of message types\fP. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list.
-.TP
-.BR \-n ,\ \-\-node \ \fInode-name\fP
-Search for events originating from \fInode name\fP string. Multiple nodes are allowed, and if any nodes match, the event is matched.
-.TP
-.BR \-o ,\ \-\-object \ \fISE-Linux-context-string\fP
-Search for event with \fItcontext\fP (object) matching the string.
-.TP
-.BR \-p ,\ \-\-pid \ \fIprocess-id\fP
-Search for an event matching the given \fIprocess ID\fP.
-.TP
-.BR \-pp ,\ \-\-ppid \ \fIparent-process-id\fP
-Search for an event matching the given \fIparent process ID\fP.
-.TP
-.BR \-r ,\ \-\-raw
-Output is completely unformatted. This is useful for extracting records that can still be interpreted by audit tools.
-.TP
-.BR \-sc ,\ \-\-syscall \ \fIsyscall-name-or-value\fP
-Search for an event matching the given \fIsyscall\fP. You may either give the numeric syscall value or the syscall name. If you give the syscall name, it will use the syscall table for the machine that you are using.
-.TP
-.BR \-se ,\ \-\-context \ \fISE-Linux-context-string\fP
-Search for event with either \fIscontext\fP/subject or \fItcontext\fP/object matching the string.
-.TP
-.BR \-\-session \ \fILogin-Session-ID\fP
-Search for events matching the given Login Session ID. This process attribute is set when a user logs in and can tie any process to a particular user login.
-.TP
-.BR \-su ,\ \-\-subject \ \fISE-Linux-context-string\fP
-Search for event with \fIscontext\fP (subject) matching the string.
-.TP
-.BR \-sv ,\ \-\-success \ \fIsuccess-value\fP
-Search for an event matching the given \fIsuccess value\fP. Legal values are
-.B yes
-and
-.BR no .
-.TP
-.BR \-te ,\ \-\-end \ [\fIend-date\fP]\ [\fIend-time\fP]
-Search for events with time stamps equal to or before the given end time. The format of end time depends on your locale. If the date is omitted,
-.B today
-is assumed. If the time is omitted,
-.B now
-is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable.
-
-You may also use the word: \fBnow\fP, \fBrecent\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, or \fBthis\-year\fP. \fBToday\fP means starting now. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month.
-.TP
-.BR \-ts ,\ \-\-start \ [\fIstart-date\fP]\ [\fIstart-time\fP]
-Search for events with time stamps equal to or after the given start time. The format of start time depends on your locale. If the date is omitted,
-.B today
-is assumed. If the time is omitted,
-.B midnight
-is assumed. Use 24 hour clock time rather than AM or PM to specify time. An example date using the en_US.utf8 locale is 09/03/2009. An example of time is 18:00:00. The date format accepted is influenced by the LC_TIME environmental variable.
-
-You may also use the word: \fBnow\fP, \fBrecent\fP, \fBtoday\fP, \fByesterday\fP, \fBthis\-week\fP, \fBweek\-ago\fP, \fBthis\-month\fP, \fBthis\-year\fP, or \fBcheckpoint\fP. \fBToday\fP means starting at 1 second after midnight. \fBRecent\fP is 10 minutes ago. \fBYesterday\fP is 1 second after midnight the previous day. \fBThis\-week\fP means starting 1 second after midnight on day 0 of the week determined by your locale (see \fBlocaltime\fP). \fBWeek\-ago\fP means starting 1 second after midnight exactly 7 days ago. \fBThis\-month\fP means 1 second after midnight on day 1 of the month. \fBThis\-year\fP means the 1 second after midnight on the first day of the first month.
-.sp
-\fBcheckpoint\fP means \fIausearch\fP will use the timestamp found within a valid checkpoint file ignoring the recorded inode, device, serial, node and event type also found within a checkpoint file. Essentially, this is the recovery action should an invocation of \fIausearch\fP with a checkpoint option fail with an exit status of 10, 11 or 12. It could be used in a shell script something like:
-.sp
-.in +5
-.nf
-.na
-ausearch --checkpoint /etc/audit/auditd_checkpoint.txt -i
-_au_status=$?
-if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12
-then
- ausearch --checkpoint /etc/audit/auditd_checkpoint.txt --start checkpoint -i
-fi
-.ad
-.fi
-.in -5
-.TP
-.BR \-tm ,\ \-\-terminal \ \fIterminal\fP
-Search for an event matching the given \fIterminal\fP value. Some daemons such as cron and atd use the daemon name for the terminal.
-.TP
-.BR \-ua ,\ \-\-uid\-all \ \fIall-user-id\fP
-Search for an event with either user ID, effective user ID, or login user ID (auid) matching the given \fIuser ID\fP.
-.TP
-.BR \-ue ,\ \-\-uid\-effective \ \fIeffective-user-id\fP
-Search for an event with the given \fIeffective user ID\fP.
-.TP
-.BR \-ui ,\ \-\-uid \ \fIuser-id\fP
-Search for an event with the given \fIuser ID\fP.
-.TP
-.BR \-ul ,\ \-\-loginuid \ \fIlogin-id\fP
-Search for an event with the given \fIlogin user ID\fP. All entry point programs that are pamified need to be configured with pam_loginuid required for the session for searching on loginuid (auid) to be accurate.
-.TP
-.BR \-uu ,\ \-\-uuid \ \fIguest-uuid\fP
-Search for an event with the given \fIguest UUID\fP.
-.TP
-.BR \-v ,\ \-\-version
-Print the version and exit
-.TP
-.BR \-vm ,\ \-\-vm-name \ \fIguest-name\fP
-Search for an event with the given \fIguest name\fP.
-.TP
-.BR \-w ,\ \-\-word
-String based matches must match the whole word. This category of matches include: filename, hostname, terminal, and SE Linux context.
-.TP
-.BR \-x ,\ \-\-executable \ \fIexecutable\fP
-Search for an event matching the given \fIexecutable\fP name.
-
-.SH "EXIT STATUS"
-.TP 5
-0
-if OK,
-.TP
-1
-if nothing found, or argument errors or minor file acces/read errors,
-.TP
-10
-invalid checkpoint data found in checkpoint file,
-.TP
-11
-checkpoint processing error
-.TP
-12
-checkpoint event not found in matching log file
-.SH "SEE ALSO"
-.BR auditd (8),
-.BR pam_loginuid (8).
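Review bot: The checkpoint recovery script under `--start` compares the exit status with `eq` instead of `-eq` (`if test ${_au_status} eq 10 -o ${_au_status} eq 11 -o ${_au_status} eq 12`), so `test` reports an error instead of comparing and the `--start checkpoint` fallback never runs. If this page is carried anywhere after the removal, write the three comparisons with `-eq` and fix "file acces/read errors" in EXIT STATUS. Exit status 1 is also documented as covering both "nothing found" and argument or file read errors, so a cron job built on this script cannot tell an empty result from a failed search; the text should say so.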
diff --git a/framework/src/audit/docs/ausearch_add_expression.3 b/framework/src/audit/docs/ausearch_add_expression.3
deleted file mode 100644
index c3c17c9d..00000000
--- a/framework/src/audit/docs/ausearch_add_expression.3
+++ /dev/null
@@ -1,71 +0,0 @@
-.TH "AUSEARCH_ADD_expression" "3" "Feb 2008" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_add_expression \- build up search expression
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-
-\fBint ausearch_add_expression(auparse_state_t *\fIau\fB,
-const char *\fIexpression\fB, char **\fIerror\fB, ausearch_rule_t \fIhow\fB);\fR
-
-.SH "DESCRIPTION"
-
-.B ausearch_add_item
-adds an expression to the current audit search expression.
-The search conditions can then be used to scan logs, files, or buffers
-for something of interest.
-The
-.I expression
-parameter contains an expression, as specified in
-.BR ausearch\-expression (5).
-
-The
-.I how
-parameter determines
-how this search expression will affect the existing search expression,
-if one is already defined.
-The possible values are:
-.RS
-.TP
-.I AUSEARCH_RULE_CLEAR
-Clear the current search expression, if any,
-and use only this search expression.
-.TP
-.I AUSEARCH_RULE_OR
-If a search expression
-.I E
-is already configured,
-replace it by \fB(\fIE\fB || \fIthis_search_expression\fB)\fR.
-.TP
-.I AUSEARCH_RULE_AND
-If a search expression
-.I E
-is already configured,
-replace it by \fB(\fIE\fB && \fIthis_search_expression\fB)\fR.
-.RE
-
-.SH "RETURN VALUE"
-
-If successful,
-.B ausearch_add_expression
-returns 0.
-Otherwise, it returns \-1, sets
-.B errno
-and it may set \fB*\fIerror\fR to an error message;
-the caller must free the error message using
-.BR free (3).
-If an error message is not available or can not be allocated, \fB*\fIerror\fR
-is set to \fBNULL\fR.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_item (3),
-.BR ausearch_add_interpreted_item (3),
-.BR ausearch_add_timestamp_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_set_stop (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3),
-.BR ausearch\-expression (5).
-
-.SH AUTHOR
-Miloslav Trmac
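Review bot: The DESCRIPTION of this removed page opens with `.B ausearch_add_item` although the page documents ausearch_add_expression, and the `.TH` title is mixed case (`AUSEARCH_ADD_expression`). Both look like copy-and-paste slips and should be fixed in whatever copy of the page survives. This is also the only page in the set that spells out the error contract (returns \-1, sets errno, may set `*error`, caller must `free` it), so that paragraph is worth preserving with the API documentation.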
diff --git a/framework/src/audit/docs/ausearch_add_interpreted_item.3 b/framework/src/audit/docs/ausearch_add_interpreted_item.3
deleted file mode 100644
index 217ab707..00000000
--- a/framework/src/audit/docs/ausearch_add_interpreted_item.3
+++ /dev/null
@@ -1,60 +0,0 @@
-.TH "AUSEARCH_ADD_INTERPRETED_ITEM" "3" "Nov 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_add_interpreted_item \- build up search rule
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_add_interpreted_item(auparse_state_t *au, const char *field, const char *op, const char *value, ausearch_rule_t how);
-
-.SH "DESCRIPTION"
-
-ausearch_add_interpreted_item adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are:
-
-.RS
-.TP
-.I "exists"
- just check that a field name exists
-.TP
-.I "="
- locate the field name and check that the value associated with it is equal to the value given in this rule.
-.TP
-.I "!="
- locate the field name and check that the value associated with it is NOT equal to the value given in this rule.
-.RE
-
-The value parameter is compared to the interpreted field value (the value that would be returned by \fBauparse_interpret_field\fR(3)).
-
-The how value determines how this search condition will affect the existing search expression if one is already defined. The possible values are:
-.RS
-.TP
-.I AUSEARCH_RULE_CLEAR
-Clear the current search expression, if any, and use only this search condition.
-.TP
-.I AUSEARCH_RULE_OR
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB || \fIthis_search_condition\fB)\fR.
-.TP
-.I AUSEARCH_RULE_AND
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB && \fIthis_search_condition\fB)\fR.
-.RE
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_expression (3),
-.BR ausearch_add_item (3),
-.BR ausearch_add_timestamp_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_set_stop (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3),
-.BR ausearch\-expression (5).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/ausearch_add_item.3 b/framework/src/audit/docs/ausearch_add_item.3
deleted file mode 100644
index 9193267c..00000000
--- a/framework/src/audit/docs/ausearch_add_item.3
+++ /dev/null
@@ -1,60 +0,0 @@
-.TH "AUSEARCH_ADD_ITEM" "3" "Feb 2012" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_add_item \- build up search rule
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_add_item(auparse_state_t *au, const char *field, const char *op, const char *value, ausearch_rule_t how);
-
-.SH "DESCRIPTION"
-
-ausearch_add_item adds one search condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The field value is the field name that the value will be checked for. The op variable describes what kind of check is to be done. Legal op values are:
-
-.RS
-.TP
-.I "exists"
- just check that a field name exists
-.TP
-.I "="
- locate the field name and check that the value associated with it is equal to the value given in this rule.
-.TP
-.I "!="
- locate the field name and check that the value associated with it is NOT equal to the value given in this rule.
-.RE
-
-The value parameter is compared to the uninterpreted field value. If you are trying to match against a field who's type is AUPARSE_TYPE_ESCAPED, you will want to use the ausearch_add_interpreted_item() function instead.
-
-The how value determines how this search condition will affect the existing search expression if one is already defined. The possible values are:
-.RS
-.TP
-.I AUSEARCH_RULE_CLEAR
-Clear the current search expression, if any, and use only this search condition.
-.TP
-.I AUSEARCH_RULE_OR
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB || \fIthis_search_condition\fB)\fR.
-.TP
-.I AUSEARCH_RULE_AND
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB && \fIthis_search_condition\fB)\fR.
-.RE
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_expression (3),
-.BR ausearch_add_interpreted_item (3),
-.BR ausearch_add_timestamp_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_set_stop (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3),
-.BR ausearch\-expression (5).
-
-.SH AUTHOR
-Steve Grubb
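Review bot: The paragraph on AUPARSE_TYPE_ESCAPED fields only says "you will want to use the ausearch_add_interpreted_item() function instead" and never states the consequence of ignoring it. Since the sentence before it says `value` is compared to the uninterpreted field value, the page should say outright that a condition added here is tested against the stored form of the field, so a search written against the interpreted text can miss records. In the same sentence, "who's type" should read "whose type".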
diff --git a/framework/src/audit/docs/ausearch_add_regex.3 b/framework/src/audit/docs/ausearch_add_regex.3
deleted file mode 100644
index b37b6571..00000000
--- a/framework/src/audit/docs/ausearch_add_regex.3
+++ /dev/null
@@ -1,31 +0,0 @@
-.TH "AUSEARCH_ADD_REGEX" "3" "Sept 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_add_regex \- use regular expression search rule
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_add_regex(auparse_state_t *au, const char *expr);
-
-.SH "DESCRIPTION"
-
-ausearch_add_regex adds one search condition based on a regular expression to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The regular expression follows the posix extended regular expression conventions, and is matched against the full record (without interpreting field values).
-
-If an existing search expression
-.I E
-is already defined,
-this function replaces it by \fB(\fIE\fB && \fIthis_regexp\fB)\fR.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_expression (3),
-.BR ausearch_add_item (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3),
-.BR regcomp (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/ausearch_add_timestamp_item.3 b/framework/src/audit/docs/ausearch_add_timestamp_item.3
deleted file mode 100644
index 091d4262..00000000
--- a/framework/src/audit/docs/ausearch_add_timestamp_item.3
+++ /dev/null
@@ -1,57 +0,0 @@
-.TH "AUSEARCH_ADD_TIMESTAMP_ITEM" "3" "Aug 2014" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_add_timestamp_item \- build up search rule
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec, unsigned milli, ausearch_rule_t how)
-
-.SH "DESCRIPTION"
-
-ausearch_add_timestamp_item adds an event time condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The op parameter specifies the desired comparison. Legal op values are \fI<\fR, \fI<=\fR, \fI>=\fR, \fI>\fR and \fI=\fR. The left operand of the comparison operator is the timestamp of the examined event, the right operand is specified by the sec and milli parameters.
-
-The how value determines how this search condition will affect the existing search expression if one is already defined. The possible values are:
-.RS
-.TP
-.I AUSEARCH_RULE_CLEAR
-Clear the current search expression, if any, and use only this search condition.
-.TP
-.I AUSEARCH_RULE_OR
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB || \fIthis_search_condition\fB)\fR.
-.TP
-.I AUSEARCH_RULE_AND
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB && \fIthis_search_condition\fB)\fR.
-.RE
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH APPLICATION USAGE
-
-Use
-.BR ausearch_add_item (3)
-and
-.BR ausearch_add_interpreted_item (3)
-to add conditions that check audit record fields.
-Use
-.BR ausearch_add_expression (3)
-to add complex search expressions using a single function call.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_expression (3),
-.BR ausearch_add_item (3),
-.BR ausearch_add_interpreted_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_set_stop (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3),
-.BR ausearch\-expression (5).
-
-.SH AUTHOR
-Miloslav Trmac
diff --git a/framework/src/audit/docs/ausearch_add_timestamp_item_ex.3 b/framework/src/audit/docs/ausearch_add_timestamp_item_ex.3
deleted file mode 100644
index caa0114a..00000000
--- a/framework/src/audit/docs/ausearch_add_timestamp_item_ex.3
+++ /dev/null
@@ -1,57 +0,0 @@
-.TH "AUSEARCH_ADD_TIMESTAMP_ITEM_EX" "3" "Aug 2014" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_add_timestamp_item_ex \- build up search rule
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op, time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how)
-
-.SH "DESCRIPTION"
-
-ausearch_add_timestamp_item adds an event time condition to the current audit search expression. The search conditions can then be used to scan logs, files, or buffers for something of interest. The op parameter specifies the desired comparison. Legal op values are \fI<\fR, \fI<=\fR, \fI>=\fR, \fI>\fR and \fI=\fR. The left operand of the comparison operator is the timestamp of the examined event, the right operand is specified by the sec, milli, and serial parameters.
-
-The how value determines how this search condition will affect the existing search expression if one is already defined. The possible values are:
-.RS
-.TP
-.I AUSEARCH_RULE_CLEAR
-Clear the current search expression, if any, and use only this search condition.
-.TP
-.I AUSEARCH_RULE_OR
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB || \fIthis_search_condition\fB)\fR.
-.TP
-.I AUSEARCH_RULE_AND
-If a search expression
-.I E
-is already configured, replace it by \fB(\fIE\fB && \fIthis_search_condition\fB)\fR.
-.RE
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH APPLICATION USAGE
-
-Use
-.BR ausearch_add_item (3)
-and
-.BR ausearch_add_interpreted_item (3)
-to add conditions that check audit record fields.
-Use
-.BR ausearch_add_expression (3)
-to add complex search expressions using a single function call.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_expression (3),
-.BR ausearch_add_item (3),
-.BR ausearch_add_interpreted_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_set_stop (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3),
-.BR ausearch\-expression (5).
-
-.SH AUTHOR
-Miloslav Trmac
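Review bot: The DESCRIPTION starts "ausearch_add_timestamp_item adds an event time condition" on a page whose NAME and SYNOPSIS are ausearch_add_timestamp_item_ex, so the text was copied from the sibling page without renaming the function. It mentions the extra `serial` parameter only as part of the right operand and does not say how `serial` takes part in the comparison relative to `sec` and `milli`; that is the one thing this page needed to add. The SYNOPSIS prototype is also missing its trailing semicolon.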
diff --git a/framework/src/audit/docs/ausearch_clear.3 b/framework/src/audit/docs/ausearch_clear.3
deleted file mode 100644
index 1f8ad20a..00000000
--- a/framework/src/audit/docs/ausearch_clear.3
+++ /dev/null
@@ -1,23 +0,0 @@
-.TH "AUSEARCH_CLEAR" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_clear \- clear search parameters
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-void ausearch_clear(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-ausearch_clear clears any search parameters stored in the parser instance and frees memory associated with it.
-
-.SH "RETURN VALUE"
-
-None.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_item (3),
-.BR ausearch_add_regex (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/ausearch_next_event.3 b/framework/src/audit/docs/ausearch_next_event.3
deleted file mode 100644
index 57f11efd..00000000
--- a/framework/src/audit/docs/ausearch_next_event.3
+++ /dev/null
@@ -1,24 +0,0 @@
-.TH "AUSEARCH_NEXT_EVENT" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
-ausearch_next_event \- find the next event that meets search criteria
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_next_event(auparse_state_t *au);
-
-.SH "DESCRIPTION"
-
-ausearch_next_event will scan the input source and evaluate whether any record in an event contains the data being searched for. Evaluation is done at the record level.
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs, 0 if no matches, and 1 for success.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_set_stop (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/ausearch_set_stop.3 b/framework/src/audit/docs/ausearch_set_stop.3
deleted file mode 100644
index 627bb822..00000000
--- a/framework/src/audit/docs/ausearch_set_stop.3
+++ /dev/null
@@ -1,37 +0,0 @@
-.TH "AUSEARCH_SET_STOP" "3" "Feb 2007" "Red Hat" "Linux Audit API"
-.SH NAME
- ausearch_set_stop \- set the cursor position
-.SH "SYNOPSIS"
-.B #include <auparse.h>
-.sp
-int ausearch_set_stop(auparse_state_t *au, austop_t where);
-
-.SH "DESCRIPTION"
-
-ausearch_set_stop determines where the internal cursor will stop when a search condition is met. The possible values are:
-
-.RS
-.TP
-.I AUSEARCH_STOP_EVENT
-This one repositions the cursors to the first field of the first record of the event containing the items searched for.
-.TP
-.I AUSEARCH_STOP_RECORD
-This one repositions the cursors to the first field of the record containing the items searched for.
-.TP
-.I AUSEARCH_STOP_FIELD
-This one simply stops on the current field when the evaluation of the rules becomes true.
-.RE
-
-.SH "RETURN VALUE"
-
-Returns \-1 if an error occurs; otherwise, 0 for success.
-
-.SH "SEE ALSO"
-
-.BR ausearch_add_item (3),
-.BR ausearch_add_regex (3),
-.BR ausearch_clear (3),
-.BR ausearch_next_event (3).
-
-.SH AUTHOR
-Steve Grubb
diff --git a/framework/src/audit/docs/autrace.8 b/framework/src/audit/docs/autrace.8
deleted file mode 100644
index 36a62248..00000000
--- a/framework/src/audit/docs/autrace.8
+++ /dev/null
@@ -1,38 +0,0 @@
-.TH AUTRACE: "8" "Jan 2007" "Red Hat" "System Administration Utilities"
-.SH NAME
-autrace \- a program similar to strace
-.SH SYNOPSIS
-.B autrace
-.I program
-.RB [ \-r ]
-.RI [ program-args ]...
-.SH DESCRIPTION
-\fBautrace\fP is a program that will add the audit rules to trace a process similar to strace. It will then execute the \fIprogram\fP passing \fIarguments\fP to it. The resulting audit information will be in the audit logs if the audit daemon is running or syslog. This command deletes all audit rules prior to executing the target program and after executing it. As a safety precaution, it will not run unless all rules are deleted with
-.B auditctl
-prior to use.
-.SH OPTIONS
-.TP
-.B \-r
-Limit syscalls collected to ones needed for analyzing resource usage. This could help people doing threat modeling. This saves space in logs.
-.SH "EXAMPLES"
-The following illustrates a typical session:
-
-.nf
-.B autrace /bin/ls /tmp
-.B ausearch \-\-start recent \-p 2442 \-i
-.fi
-
-and for resource usage mode:
-
-.nf
-.B autrace \-r /bin/ls
-.B ausearch \-\-start recent \-p 2450 \-\-raw | aureport \-\-file \-\-summary
-.B ausearch \-\-start recent \-p 2450 \-\-raw | aureport \-\-host \-\-summary
-.fi
-
-.SH "SEE ALSO"
-.BR ausearch (8),
-.BR auditctl (8).
-
-.SH AUTHOR
-Steve Grubb
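Review bot: The DESCRIPTION states that autrace "deletes all audit rules prior to executing the target program and after executing it", and the next sentence says it will not run unless all rules have already been deleted with auditctl; the two statements read as contradictory and neither tells the administrator that the host is left with no audit rules loaded once the trace ends. That consequence deserves an explicit sentence wherever this page is kept. Separately, the SYNOPSIS puts `[\-r]` after `program` while the example runs `autrace \-r /bin/ls`, and the `.TH` name carries a stray colon (`AUTRACE:`).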
diff --git a/framework/src/audit/docs/get_auditfail_action.3 b/framework/src/audit/docs/get_auditfail_action.3
deleted file mode 100644
index ee6df4d2..00000000
--- a/framework/src/audit/docs/get_auditfail_action.3
+++ /dev/null
@@ -1,79 +0,0 @@
-.\" Copyright (C) 2006 HP
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "GET_AUDITFAIL_ACTION" 3 "2006-7-10" "Linux 2.7" "Linux Programmer's Manual"
-.SH NAME
-get_auditfail_action \- Get failure_action tunable value
-.SH "SYNOPSIS"
-.ad l
-.hy 0
-
-#include <libaudit.h>
-.sp
-.HP 19
-int\ \fBget_auditfail_action\fR\ (int *\fIfailmode\fR);
-.ad
-.hy
-
-.SH "DESCRIPTION"
-
-.PP
-This function gets the failure_action tunable value stored in \fB/etc/libaudit.conf\fR. \fBget_auditfail_action\fR should be called after an \fBaudit_open\fR call returns an error to see what action the admin prefers.
-
-.PP
-The failure_action value found in \fB/etc/libaudit.conf\fR is copied into the \fIfailmode\fR argument upon function return. This value should then be used by the calling application to determine what action should be taken when the audit subsystem is unavailable.
-
-.SH "RETURN VALUE"
-
-.PP
-Upon success, \fBget_auditfail_action\fR returns a zero, and the \fIfailmode\fR argument will hold the failure_action value. The possible values for failure_action are: FAIL_IGNORE (0), FAIL_LOG (1), and FAIL_TERMINATE (2). Upon failure, \fBget_auditfail_action\fR returns a return code of one.
-
-.SH "ERRORS"
-
-.PP
-An error is returned if there is an error reading \fB/etc/libaudit.conf\fR or if the failure_action tunable is not found in the file.
-
-.SH "EXAMPLES"
-
-.PP
- /* Sample code */
- auditfail_t failmode;
-
- if ((fd = audit_open() ) < 0 ) {
- fprintf (stderr, "Cannot open netlink audit socket");
-
- /* Get the failure_action */
- if ((rc = get_auditfail_action(&failmode)) == 0) {
- if (failmode == FAIL_LOG)
- fprintf (stderr, "Audit subsystem unavailable");
- else if (failmode == FAIL_TERMINATE)
- exit (1);
- /* If failmode == FAIL_IGNORE, do nothing */
- }
- }
-
-.SH "SEE ALSO"
-
-.BR audit_open (3),
-.BR auditd (8).
-
-.SH AUTHOR
-Lisa M. Smith.
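Review bot: The sample in EXAMPLES declares `auditfail_t failmode;` and passes `&failmode`, but the SYNOPSIS prototype takes `int *failmode`, so the example and the prototype disagree on the argument type. The sample also uses `fd` and `rc` without declaring them, and its FAIL_LOG branch writes to stderr even though libaudit.conf.5 in this same change describes LOG as writing to syslog. A caller copying this example would not implement the admin's configured failure policy as documented; the example should be aligned with the prototype and with the LOG semantics.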
diff --git a/framework/src/audit/docs/libaudit.conf.5 b/framework/src/audit/docs/libaudit.conf.5
deleted file mode 100644
index 945f8145..00000000
--- a/framework/src/audit/docs/libaudit.conf.5
+++ /dev/null
@@ -1,25 +0,0 @@
-.TH LIBAUDIT.CONF: "5" "Oct 2009" "Red Hat" "System Administration Utilities"
-.SH NAME
-libaudit.conf \- libaudit configuration file
-.SH DESCRIPTION
-The file
-.I /etc/libaudit.conf
-contains configuration information for user space applications that link to libaudit. The applications are responsible for querrying the settings in this file and obeying the admin's preferences. This file contains one configuration keyword per line, an equal sign, and then followed by appropriate configuration information. The keywords recognized are:
-.IR failure_action ".
-These keywords are described below.
-
-.TP
-.I failure_action
-This keyword specifies what action the admin wishes a user space application to take when there is a failure to send an audit event to the kernel. The possible values are:
-.IR IGNORE
- - meaning do nothing,
-.IR LOG
-- write to syslog the inability to send an audit event, and
-.I TERMINATE
-- the user space application should exit.
-
-.SH "SEE ALSO"
-.BR get_auditfail_action (3).
-
-.SH AUTHOR
-Steve Grubb
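Review bot: The keyword list line `.IR failure_action ".` carries a stray double quote, and the text then says "These keywords are described below" although only one keyword is listed. "querrying" should be "querying". The page names the values IGNORE, LOG and TERMINATE while get_auditfail_action.3 uses FAIL_IGNORE, FAIL_LOG and FAIL_TERMINATE; a sentence tying the configuration values to those constants would remove the guesswork.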
diff --git a/framework/src/audit/docs/set_aumessage_mode.3 b/framework/src/audit/docs/set_aumessage_mode.3
deleted file mode 100644
index abeafc75..00000000
--- a/framework/src/audit/docs/set_aumessage_mode.3
+++ /dev/null
@@ -1,56 +0,0 @@
-.\" Copyright (C) 2004 IBM
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "SET_MESSAGE_MODE" 3 "2004-12-01" "Linux 2.6" "Linux Programmer's Manual"
-.SH NAME
-set_message_mode \- Sets the message mode
-.SH "SYNOPSIS"
-.ad l
-.hy 0
-
-#include <libaudit.h>
-.sp
-.HP 23
-void\ \fBset_message_mode\fR\ (message_t\ \fImode\fR);
-.ad
-.hy
-
-.SH "DESCRIPTION"
-
-.PP
-\fBset_message_mode\fR sets the location where informational messages are sent. If \fImode\fR=0 (default), then informational messages are sent to stderr. If \fImode\fR=1, then informational messages are sent to syslog.
-
-.SH "EXAMPLE"
-
-.nf
-
-/* Sample code */
-set_message_mode(MSG_SYSLOG)
-
-.fi
-
-.SH "SEE ALSO"
-
-.BR auditd (8),
-.BR audit_open (3).
-
-.SH AUTHOR
-Debora Velarde.
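Review bot: The file is named set_aumessage_mode.3 but its `.TH`, NAME and SYNOPSIS all document `set_message_mode`, so the man page name and the function it describes do not match. The DESCRIPTION gives the modes as the numbers 0 and 1 while the sample calls `set_message_mode(MSG_SYSLOG)` without a terminating semicolon and without the page ever saying which number `MSG_SYSLOG` is. The page should name the enumerators next to the numeric values and fix the sample.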
diff --git a/framework/src/audit/docs/zos-remote.conf.5 b/framework/src/audit/docs/zos-remote.conf.5
deleted file mode 100644
index 2ffd5b85..00000000
--- a/framework/src/audit/docs/zos-remote.conf.5
+++ /dev/null
@@ -1,69 +0,0 @@
-.\" Copyright (c) International Business Machines Corp., 2007
-.\"
-.\" This program is free software; you can redistribute it and/or
-.\" modify it under the terms of the GNU General Public License as
-.\" published by the Free Software Foundation; either version 2 of
-.\" the License, or (at your option) any later version.
-.\"
-.\" This program is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See
-.\" the GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public License
-.\" along with this program; if not, write to the Free Software
-.\" Foundation, Inc., 59 Temple Place, Suite 330, Boston,
-.\" MA 02111-1307 USA
-.\"
-.\" Changelog:
-.\" 2007-10-06, created by Klaus Heinrich Kiwi <klausk@br.ibm.com>
-.\"
-.TH ZOS\-REMOTE.CONF 5 "Oct 2007" "IBM" "System Administration Utilities"
-.SH NAME
-zos\-remote.conf \- the audisp-racf plugin configuration file
-.SH DESCRIPTION
-.B zos\-remote.conf
-controls the configuration for the
-.BR audispd\-zos\-remote (8)
-Audit dispatcher plugin. The default location for this file is
-.IR /etc/audisp/zos\-remote.conf ,
-however, a different file can be specified as the first argument to the
-.B audispd\-zos\-remote
-plugin. See
-.BR audispd\-zos\-remote (8)
-and
-.BR auditd (8).
-The options available are as follows:
-.TP
-.I server
-This is the IBM z/OS ITDS server hostname or IP address
-.TP
-.I port
-The port number where ITDS is running on the z/OS server. Default is 389 (ldap port)
-.TP
-.I user
-The z/OS RACF user ID which the audispd\-zos\-remote plugin will use to perform Remote Audit requests. This user needs READ access to FACILITY Class resource IRR.LDAP.REMOTE.AUDIT (See
-.BR audispd\-zos\-remote (8)).
-.TP
-.I password
-The password associated the the z/OS user ID configured above.
-.TP
-.I timeout
-The number in seconds that
-.B audispd\-zos\-remote
-plugin will wait before giving up in connection attempts and event submissions. The default value is 15
-.TP
-.I q_depth
-The
-.B audispd\-zos\-remote
-plugin will queue inputed events to the maximum of
-.I q_depth
-events while trying to submit those remotely. This can handle burst of events or in case of a slow network connection. However, the
-.B audispd\-zos\-remote
-plugin will drop events in case the queue is full. The default queue depth is 64 - Increase this value in case you are experiencing event drop due to full queue
-.RB ( audispd\-zos\-remote
-will log this to syslog).
-.SH "SEE ALSO"
-.BR audispd\-zos\-remote (8)
-.SH AUTHOR
-Klaus Heinrich Kiwi <klausk@br.ibm.com>
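Review bot: The `password` entry documents that the z/OS RACF password is stored in this configuration file, yet the page gives no guidance on ownership or permissions for /etc/audisp/zos\-remote.conf, and the `port` entry defaults to 389 "(ldap port)" with no word on how the credential is protected in transit. Both points belong in the text wherever this documentation is retained. The `q_depth` entry states that events are dropped when the queue is full, which is audit record loss and should be called out as such rather than only as a tuning hint. Smaller fixes: NAME says "audisp-racf plugin" while the rest of the page says audispd\-zos\-remote, "associated the the" should be "associated with the", and "inputed" should be "input".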