head	1.7;
access;
symbols
	RELENG_8_4:1.7.0.2
	RELENG_9_1_0_RELEASE:1.6
	RELENG_9_1:1.6.0.16
	RELENG_9_1_BP:1.6
	RELENG_8_3_0_RELEASE:1.6
	RELENG_8_3:1.6.0.14
	RELENG_8_3_BP:1.6
	RELENG_9_0_0_RELEASE:1.6
	RELENG_9_0:1.6.0.12
	RELENG_9_0_BP:1.6
	RELENG_9:1.6.0.10
	RELENG_9_BP:1.6
	RELENG_7_4_0_RELEASE:1.1.1.8
	RELENG_8_2_0_RELEASE:1.6
	RELENG_7_4:1.1.1.8.0.12
	RELENG_7_4_BP:1.1.1.8
	RELENG_8_2:1.6.0.8
	RELENG_8_2_BP:1.6
	RELENG_8_1_0_RELEASE:1.6
	RELENG_8_1:1.6.0.6
	RELENG_8_1_BP:1.6
	RELENG_7_3_0_RELEASE:1.1.1.8
	RELENG_7_3:1.1.1.8.0.10
	RELENG_7_3_BP:1.1.1.8
	RELENG_8_0_0_RELEASE:1.6
	RELENG_8_0:1.6.0.4
	RELENG_8_0_BP:1.6
	RELENG_8:1.6.0.2
	RELENG_8_BP:1.6
	RELENG_7_2_0_RELEASE:1.1.1.8
	RELENG_7_2:1.1.1.8.0.8
	RELENG_7_2_BP:1.1.1.8
	RELENG_7_1_0_RELEASE:1.1.1.8
	RELENG_6_4_0_RELEASE:1.1.1.6.2.2
	RELENG_7_1:1.1.1.8.0.6
	RELENG_7_1_BP:1.1.1.8
	RELENG_6_4:1.1.1.6.2.2.0.4
	RELENG_6_4_BP:1.1.1.6.2.2
	RELENG_7_0_0_RELEASE:1.1.1.8
	RELENG_6_3_0_RELEASE:1.1.1.6.2.2
	RELENG_7_0:1.1.1.8.0.4
	RELENG_7_0_BP:1.1.1.8
	RELENG_6_3:1.1.1.6.2.2.0.2
	RELENG_6_3_BP:1.1.1.6.2.2
	OPENBSM_1_0:1.1.1.8
	RELENG_7:1.1.1.8.0.2
	RELENG_7_BP:1.1.1.8
	OPENBSM_1_0_ALPHA_15:1.1.1.8
	OPENBSM_1_0_ALPHA_14:1.1.1.7
	RELENG_6_2_0_RELEASE:1.1.1.6.2.1
	RELENG_6_2:1.1.1.6.2.1.0.2
	RELENG_6_2_BP:1.1.1.6.2.1
	OPENBSM_1_0_ALPHA_12:1.1.1.6
	OPENBSM_1_0_ALPHA_11:1.1.1.6
	RELENG_6:1.1.1.6.0.2
	OPENBSM_1_0_ALPHA_10:1.1.1.6
	OPENBSM_1_0_ALPHA_9:1.1.1.6
	OPENBSM_1_0_ALPHA_7:1.1.1.5
	OPENBSM_1_0_ALPHA_6:1.1.1.5
	OPENBSM_1_0_ALPHA_5:1.1.1.4
	OPENBSM_1_0_ALPHA_4:1.1.1.3
	OPENBSM_1_0_ALPHA_3:1.1.1.2
	OPENBSM_1_0_ALPHA_2:1.1.1.1
	OPENBSM_1_0_ALPHA_1:1.1.1.1
	TrustedBSD:1.1.1;
locks; strict;
comment	@# @;


1.7
date	2012.12.01.12.01.17;	author svnexp;	state Exp;
branches
	1.7.2.1;
next	1.6;

1.6
date	2009.08.02.10.27.54;	author rwatson;	state Exp;
branches
	1.6.10.1;
next	1.5;

1.5
date	2009.04.19.16.17.13;	author rwatson;	state Exp;
branches;
next	1.4;

1.4
date	2009.03.02.13.29.18;	author rwatson;	state Exp;
branches;
next	1.3;

1.3
date	2008.12.31.11.12.24;	author rwatson;	state Exp;
branches;
next	1.2;

1.2
date	2008.12.02.23.26.43;	author rwatson;	state Exp;
branches;
next	1.1;

1.1
date	2006.01.31.19.40.10;	author rwatson;	state Exp;
branches
	1.1.1.1;
next	;

1.7.2.1
date	2012.12.01.12.01.17;	author svnexp;	state dead;
branches;
next	1.7.2.2;

1.7.2.2
date	2013.03.28.13.01.52;	author svnexp;	state Exp;
branches;
next	;

1.6.10.1
date	2012.12.18.09.35.26;	author svnexp;	state Exp;
branches;
next	;

1.1.1.1
date	2006.01.31.19.40.10;	author rwatson;	state Exp;
branches;
next	1.1.1.2;

1.1.1.2
date	2006.02.06.00.06.03;	author rwatson;	state Exp;
branches;
next	1.1.1.3;

1.1.1.3
date	2006.02.11.00.39.19;	author rwatson;	state Exp;
branches;
next	1.1.1.4;

1.1.1.4
date	2006.03.04.16.45.44;	author rwatson;	state Exp;
branches;
next	1.1.1.5;

1.1.1.5
date	2006.06.05.10.52.06;	author rwatson;	state Exp;
branches;
next	1.1.1.6;

1.1.1.6
date	2006.08.26.08.04.07;	author rwatson;	state Exp;
branches
	1.1.1.6.2.1;
next	1.1.1.7;

1.1.1.7
date	2007.04.16.15.36.39;	author rwatson;	state Exp;
branches;
next	1.1.1.8;

1.1.1.8
date	2007.07.22.12.18.22;	author rwatson;	state Exp;
branches;
next	;

1.1.1.6.2.1
date	2006.09.02.10.45.57;	author rwatson;	state Exp;
branches;
next	1.1.1.6.2.2;

1.1.1.6.2.2
date	2007.11.15.19.27.07;	author rwatson;	state Exp;
branches;
next	;


desc
@@


1.7
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/243750
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@OpenBSM 1.2a2

  Introduction

OpenBSM is an open source implementation of Sun's BSM event auditing file
format and API.  Originally created for Apple Computer by McAfee Research,
OpenBSM is now maintained by volunteers and through the generous contribution
of several organizations.

OpenBSM includes several command line tools, including auditreduce(8) and
praudit(8) for reducing and printing audit trails, as well as the libbsm(3)
library to manage configuration files, generate audit records, and parse and
print audit trails.

Coupled with a kernel audit implementation, OpenBSM can be used to maintain
system audit streams, and is a foundation for a full audit-enabled system.
Portions of OpenBSM, including include files and token-building routines, are
reusable in a kernel audit implementation, and may be found in the FreeBSD
and Mac OS X kernels.

  Contents

OpenBSM consists of several directories:

    bin/           Audit-related command line tools
    bsm/           Library include files for BSM
    compat/        Compatibility code to build on various operating systems
    etc/           Sample /etc/security configuration files
    libauditd/     Common audit management functions for auditd and launchd
    libbsm/        Implementation of BSM library interfaces and man pages
    man/           System call and configuration file man pages
    modules/       Directory for auditfilterd module source
    sys/           System include files for BSM
    test/          Test token sets and generation program
    tools/         Tool directory, including audump to dump databases

The following programs are included with OpenBSM:

    audit          Command line audit control tool
    auditd         Audit management daemon
    auditdistd     Audit trail distribution daemon
    auditfilterd   Experimental event monitoring framework
    auditreduce    Audit trail reduction tool
    audump         Debugging tool to parse and print audit databases
    praudit        Tool to print audit trails

  Build and Installation

Please see the file INSTALL for build and installation instructions.

  Contributions

The TrustedBSD Project would appreciate the contribution of bug fixes,
enhancements, etc., under identical or substantially similar licenses to
those present on the remainder of the OpenBSM source code.  Please see the
file CREDITS to learn more about who has contributed to the project.

  Location

Information on OpenBSM may be found on the OpenBSM home page:

    http://www.OpenBSM.org/

Information on TrustedBSD may be found on the TrustedBSD home page:

    http://www.TrustedBSD.org/

$P4: //depot/projects/trustedbsd/openbsm/README#41 $
@


1.7.2.1
log
@file README was added on branch RELENG_8_4 on 2013-03-28 13:01:52 +0000
@
text
@d1 68
@


1.7.2.2
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/248810
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
@
text
@a0 67
OpenBSM 1.1p2

  Introduction

OpenBSM is an open source implementation of Sun's BSM event auditing file
format and API.  Originally created for Apple Computer by McAfee Research,
OpenBSM is now maintained by volunteers and through the generous contribution
of several organizations.

OpenBSM includes several command line tools, including auditreduce(8) and
praudit(8) for reducing and printing audit trails, as well as the libbsm(3)
library to manage configuration files, generate audit records, and parse and
print audit trails.

Coupled with a kernel audit implementation, OpenBSM can be used to maintain
system audit streams, and is a foundation for a full audit-enabled system.
Portions of OpenBSM, including include files and token-building routines, are
reusable in a kernel audit implementation, and may be found in the FreeBSD
and Mac OS X kernels.

  Contents

OpenBSM consists of several directories:

    bin/           Audit-related command line tools
    bsm/           Library include files for BSM
    compat/        Compatibility code to build on various operating systems
    etc/           Sample /etc/security configuration files
    libauditd/     Common audit management functions for auditd and launchd
    libbsm/        Implementation of BSM library interfaces and man pages
    man/           System call and configuration file man pages
    modules/       Directory for auditfilterd module source
    sys/           System include files for BSM
    test/          Test token sets and generation program
    tools/         Tool directory, including audump to dump databases

The following programs are included with OpenBSM:

    audit          Command line audit control tool
    auditd         Audit management daemon
    auditfilterd   Experimental event monitoring framework
    auditreduce    Audit trail reduction tool
    audump         Debugging tool to parse and print audit databases
    praudit        Tool to print audit trails

  Build and Installation

Please see the file INSTALL for build and installation instructions.

  Contributions

The TrustedBSD Project would appreciate the contribution of bug fixes,
enhancements, etc., under identical or substantially similar licenses to
those present on the remainder of the OpenBSM source code.  Please see the
file CREDITS to learn more about who has contributed to the project.

  Location

Information on OpenBSM may be found on the OpenBSM home page:

    http://www.OpenBSM.org/

Information on TrustedBSD may be found on the TrustedBSD home page:

    http://www.TrustedBSD.org/

$P4: //depot/projects/trustedbsd/openbsm/README#37 $
@


1.6
log
@SVN rev 196031 on 2009-08-02 10:27:54Z by rwatson

Import OpenBSM 1.1p2 from vendor branch to 8-CURRENT.  This patch release
addresses several minor issues:

- Fix audit_event definitions of AUE_OPENAT_RWT and AUE_OPENAT_RWTC.
- Fix build on Linux.
- Fix printing of class masks in the audump tool.

MFC after:	3 weeks
Obtained from:	TrustedBSD Project
Approved by:	re (kib)
@
text
@d1 1
a1 1
OpenBSM 1.1p2
d41 1
d68 1
a68 1
$P4: //depot/projects/trustedbsd/openbsm/README#37 $
@


1.6.10.1
log
@## SVN ## Exported commit - http://svnweb.freebsd.org/changeset/base/244390
## SVN ## CVS IS DEPRECATED: http://wiki.freebsd.org/CvsIsDeprecated
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ## r244390 | rwatson | 2012-12-18 09:32:44 +0000 (Tue, 18 Dec 2012) | 39 lines
## SVN ##
## SVN ## Merge OpenBSM 1.2-alpha3 from head to stable/9, upgrading from the previous
## SVN ## OpenBSM 1.1p2:
## SVN ##
## SVN ## OpenBSM 1.2 alpha 3
## SVN ##
## SVN ## - Various minor tweaks to the auditdistd build to make it fit the FreeBSD
## SVN ##   build environment better.
## SVN ## - AUE_WAIT6 merged from FreeBSD 9.
## SVN ##
## SVN ## OpenBSM 1.2 alpha 2
## SVN ##
## SVN ## - auditdistd, a distributed audit trail management daemon, has now been
## SVN ##   merged.  This allows trail files to be securely and reliably synced from
## SVN ##   audited hosts to an audit server, and employs TLS encryption.  Where
## SVN ##   available, it uses Capsicum to sandbox the service.  This work was
## SVN ##   contributed by Pawel Jakub Dawidek under sponsorship from the FreeBSD
## SVN ##   Foundation.
## SVN ##
## SVN ## OpenBSM 1.2 alpha 1
## SVN ##
## SVN ## - Add Capsicum-related error numbers for FreeBSD: ENOTCAPABLE, ECAPMODE.
## SVN ## - Add Capsicum, process descriptor audit events for FreeBSD.
## SVN ## - Allow 0% minspace.
## SVN ## - Fixes from the clang static analyser.
## SVN ## - Fix expiration of trail files when the host parameter is used.
## SVN ## - Various typo fixes.
## SVN ## - Support for Solaris privilege and privilege set tokens.
## SVN ## - Documentation for getachost(), improvements for getacfilesz().
## SVN ## - Fix a directory descriptor leak that happened when audit trail partitions
## SVN ##   filled.
## SVN ## - Support for more Linux distributions with a partial contemporary endian.h.
## SVN ## - Improved escaping of XML-encapsulated BSM.
## SVN ## - A variety of minor documentation, style, and functional improvements.
## SVN ##
## SVN ## A separate commit will merge build changes to enable auditdistd, etc.
## SVN ##
## SVN ## Obtained from:	TrustedBSD Project
## SVN ## Sponsored by:	The FreeBSD Foundation (auditdistd)
## SVN ##
## SVN ## ------------------------------------------------------------------------
## SVN ##
@
text
@d1 1
a1 1
OpenBSM 1.2a2
a40 1
    auditdistd     Audit trail distribution daemon
d67 1
a67 1
$P4: //depot/projects/trustedbsd/openbsm/README#41 $
@


1.5
log
@SVN rev 191273 on 2009-04-19 16:17:13Z by rwatson

Merge OpenBSM 1.1 from OpenBSM vendor branch to head.

OpenBSM history for imported revision below for reference.

MFC after:      2 weeks
Sponsored by:   Apple, Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1

- Change auditon(2) parameters and data structures to be 32/64-bit architecture
  independent.  Add more information to man page about auditon(2) parameters.
- Add wrapper functions for auditon(2) to use legacy commands when the new
  commands are not supported.
- Add default for 'expire-after' in audit_control to expire trail files when
  the audit directory is more than 10 megabytes ('10M').
- Interface to convert between local and BSM fcntl(2) command values has been
  added:  au_bsm_to_fcntl_cmd(3) and au_fcntl_cmd_to_bsm(3), along with
  definitions of constants in audit_fcntl.h.
- A bug, introduced in OpenBSM 1.1 alpha 4, in which AUT_RETURN32 tokens
  generated by audit_submit(3) were improperly encoded has been fixed.
- Fix example in audit_submit(3) man page.  Also, make it clear that we want
  the audit ID as the argument.
- A new audit event class 'aa', for post-login authentication and
  authorization events, has been added.
@
text
@d1 1
a1 1
OpenBSM 1.1
d67 1
a67 1
$P4: //depot/projects/trustedbsd/openbsm/README#36 $
@


1.4
log
@SVN rev 189279 on 2009-03-02 13:29:18Z by rwatson

Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).

OpenBSM history for imported revision below for reference.

MFC after:      1 month
Sponsored by:   Apple, Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
  For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added.  It is configured in
  audit_control(5) with the expire-after parameter.  If there is no
  expire-after parameter in audit_control(5), the default, then the audit
  trail files are not expired and removed.  See audit_control(5) for
  more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
  partitions, rotate automatically at 2mb, and set the default policy to
  cnt,argv rather than cnt so that execve(2) arguments are captured if
  AUE_EXECVE events are audited.  These may provide more usable defaults for
  many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
  au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
@
text
@d1 1
a1 1
OpenBSM 1.1 beta 1
d5 15
a19 8
OpenBSM provides an open source implementation of Sun's BSM Audit API. 
Originally created under contract to Apple Computer by McAfee Research, this
implementation is now maintained by volunteers and the generous contribution
of several organizations.  Coupled with a kernel audit implementation,
OpenBSM can be used to maintain system audit streams, and is a foundation for
an Audit-enabled system.  Portions of OpenBSM, including include files and
token-building routines, are reusable in a kernel audit implementation, and
may be found in the FreeBSD and Mac OS X kernels.
d27 1
a27 1
    compat/        Compatibility code to build on various OS's
d54 2
a55 1
those present on the remainder of the OpenBSM source code.
d67 1
a67 1
$P4: //depot/projects/trustedbsd/openbsm/README#35 $
@


1.3
log
@SVN rev 186647 on 2008-12-31 11:12:24Z by rwatson

Merge OpenBSM alpha 4 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).  Add libauditd build parts and add to auditd's linkage;
force libbsm to build before libauditd.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 alpha 4

- With the addition of BSM error number mapping, we also need to map the
  local error number passed to audit_submit(3) to a BSM error number,
  rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
  more formal allocation scheme, and add some events allocated in Solaris
  that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
  directly, rather than requiring applications to map to the local error
  space, which might not be able to entirely represent the BSM error
  number space.
- Major auditd rewrite for launchd(8) support.  Add libauditd library
  that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
  (re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
  startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicate when an audit trail file
  has been recovered from not being properly terminated.  This event is
  stored in the new audit trail file and includes the path of recovered
  audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
  auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
  calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.

OpenBSM 1.1 alpha 3

- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
  between BSM error numbers (largely the Solaris definitions) and local
  errno(2) values for 32-bit and 64-bit return tokens.  This is required
  as operating systems don't agree on some of the values of more recent
  error numbers.
- Fix a bug in how au_to_exec_args(3) and au_to_exec_env(3) calculate the
  total size for the token.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
@
text
@d1 1
a1 1
OpenBSM 1.1 alpha 4
d59 1
a59 1
$P4: //depot/projects/trustedbsd/openbsm/README#34 $
@


1.2
log
@SVN rev 185573 on 2008-12-02 23:26:43Z by rwatson

Merge OpenBSM 1.1 alpha 2 from the OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).

- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
  audit_bsm_token.c.
- Synchronize bsm includes and definitions.

OpenBSM history for imported revisions below for reference.

MFC after:      1 month
Sponsored by:   Apple Inc.
Obtained from:  TrustedBSD Project

--

OpenBSM 1.1 alpha 2

- Include files in OpenBSM are now broken out into two parts: library builds
  required solely for user space, and system includes, which may also be
  required for use in the kernels of systems integrating OpenBSM.  Submitted
  by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
  include for system includes, rather than the versions bundled with OpenBSM.
  This is intended specifically for platforms that ship OpenBSM, have adapted
  versions of the system includes in a kernel source tree, and will use the
  OpenBSM build infrastructure with an unmodified OpenBSM distribution,
  allowing the customized system includes to be used with the OpenBSM build.
  Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
  or asprintf().  Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
  BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
  on the host generating the record.
- Add support for setting extended host information in the kernel, which is
  used for setting host information in extended header tokens.  The
  audit_control file now supports a "host" parameter which can be used by
  auditd to set the information; if not present, the kernel parameters won't
  be set and auditd uses unextended headers for records that it generates.

OpenBSM 1.1 alpha 1

- Add option to auditreduce(1) which allows users to invert sense of
  matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
  event there is an error writing the subject token.  This was submitted
  by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
  that const strings can be passed as arguments to tokens.  This patch was
  submitted by Xin LI.
- Modify the -m option so users can select more than one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
@
text
@d1 1
a1 1
OpenBSM 1.1 alpha 1
d22 1
d59 1
a59 1
$P4: //depot/projects/trustedbsd/openbsm/README#32 $
@


1.1
log
@Initial revision
@
text
@d1 1
a1 1
OpenBSM 1.0
d6 7
a12 5
Originally created under contract to Apple Computer by McAfee Research, 
this implementation is now maintained by volunteers and the generous 
contribution of several organizations.  Coupled with a kernel audit 
implementation, OpenBSM can be used to maintain system audit streams, and 
is a foundation for an Audit-enabled system.
d19 2
a20 1
    bsm/           System include files for BSM
d24 13
d38 3
a40 47
OpenBSM currently builds on FreeBSD and Darwin.  With Makefile adjustment
and minor tweaks, it should build without problems on a broad range of
POSIX-like systems.

  Building

OpenBSM is currently built using a series of BSD make files which should 
work on both FreeBSD and Darwin.  One known issue is that versions of 
Darwin prior to 10.3.8 have a nested include of "sys/audit.h" from 
"sys/proc.h", which can result in type definition conflicts.  If running 
with include files from an earlier version of Darwin, the nested include 
must be manually removed in order that libbsm can be built, due to 
potentially conflicting types resulting from an include of "sys/sysctl.h" 
by that file.  On Darwin, the use of BSD make must be specified explicitly 
by using "bsdmake" rather than "make", which on Darwin refers to GNU make.  
Typical invocations from the OpenBSM tree root:

FreeBSD

    % make
    # make install

Darwin

    % bsdmake
    # bsdmake install

  Credits

The following organizations and individuals have contributed substantially 
to the development of OpenBSM:

    Apple Computer, Inc.
    McAfee Research, McAfee, Inc.
    SPARTA, Inc.
    Robert Watson
    Wayne Salamon
    Suresh Krishnaswamy
    Kevin Van Vechten
    Tom Rhodes
    Wojciech Koszek
    Chunyang Yuan
    Poul-Henning Kamp

In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
OpenBSM implementation.
d58 1
a58 1
$P4: //depot/projects/trustedbsd/openbsm/README#11 $
@


1.1.1.1
log
@Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems.  Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs.  This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>.  The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to:	wsalamon, trhodes
Obtained from:	TrustedBSD Project
@
text
@@


1.1.1.2
log
@Vendor branch import of OpenBSM 1.0 alpha 3:

- Man page formatting, cross reference, mlinks, and accuracy improvements.
- auditd and tools now compile and run on FreeBSD/arm.
- auditd will now fchown() the trail file to the audit review group, if
  defined at compile-time.
- Added AUE_SYSARCH for FreeBSD.
- Definition of AUE_SETFSGID fixed for Linux.

Many thanks to:	brueffer, cognet
Obtained from:	TrustedBSD Project
@
text
@a64 2
    Christian Brueffer
    Olivier Houchard
d86 1
a86 1
$P4: //depot/projects/trustedbsd/openbsm/README#13 $
@


1.1.1.3
log
@CVS import OpenBSM 1.0 alpha 4:

- Remove "audit" user example from audit_user, as it's not present on most
  systems.
- Add cannot_audit() function for non-Darwin systems that wraps auditon();
  required by OpenSSH BSM support.  Convert Darwin cannot_audit() into a
  function rather than a macro.
- Library build fixed on Darwin following include file tweaks.  The native
  Darwin sys/audit.h conflicts with bsm/audit.h due to duplicate types, so
  for now we force bsm_wrappers.c to not perform a nested include of
  sys/audit.h.

Obtained from:	TrustedBSD Project
@
text
@a66 1
    Christian Peron
d88 1
a88 1
$P4: //depot/projects/trustedbsd/openbsm/README#14 $
@


1.1.1.4
log
@Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 5:

- Update install notes to indicate /etc files are to be installed manually.
- On systems without LOG_SECURITY, use LOG_AUTH.
- Convert to autoconf/automake in order to move to a more portable (not
  BSD-specific) build infrastructure, and more easy conditional building of
  components.  Currently, the primary feature loss is that automake does
  not have native support for manual symlinks.  This will be addressed in a
  future OpenBSM release.
- Add compat/queue.h, to be used on systems with dated BSD queue macro libraries
  (as found on Linux).
- Rename CHANGELOG to HISTORY, as our change log doesn't follow some of the
  existing conventions for a CHANGELOG.
- Some private data structures moved from audit.h to audit_internal.h to
  prevent inappropriate use by applications and name space pollution.
- Improved detection and use of endian macros using autoconf.
- Avoid non-portable use of struct in6_addr, which is largely opaque.
- Avoid leaking BSD kernel socket related token code to user space in
  bsm_token.c.
- Teach System V IPC calls to look for Linux naming variations for certain
  struct ipc_perm fields.
- Test for audit system calls, and if not present, don't build
  bsm_wrappers.c, bsm_notify.c, audit(8), and auditd(8), which rely on
  those system calls.
- au_close() is not implemented on systems that don't have audit system
  calls, but au_close_buffer() is.
- Work around missing BSDisms in bsm_wrapper.c.
- Fix nested includes so including libbsm.h in an application on Linux
  picks up the necessary definitions.

Obtained from:	TrustedBSD Project
@
text
@d28 20
a47 28
OpenBSM is currently built using autoconf and automake, which should allow
for building on a range of operating systems, including FreeBSD, Mac OS X,
and Linux.  Depending on the availability of audit facailities in the
underlying operating system, some components that depend on kernel audit
support are built conditionally.  Typically, build will be performed using

    ./configure
    make

To install, use:

    make install

You may wish to specify that the OpenBSM components not be installed in the
base system, rather in a specific directory.  This may be done using the
--prefix argument to configure.  If installing to a specific directory,
remember to update your library path so that running tools from that
directory the correct libbsm is used:

    ./configure --prefix=/home/rwatson/openbsm
    make
    make install
    LD_LIBRARY_PATH=/home/rwatson/openbsm/libbsm ; export LD_LIBRARY_PATH

You will need to manually propagate openbsm/etc/* into /etc on your system;
this is not done automatically so as to avoid disrupting the current
configuration.  Currently, the locations of these files is not
configurable.
a67 1
    Martin Fong
d89 1
a89 1
$P4: //depot/projects/trustedbsd/openbsm/README#16 $
@


1.1.1.5
log
@Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 6:

- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
  previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
  au_close_buffer().
- Support a more complete range of data types for the arbitrary data token:
  add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
  to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
  buffer.  Not likely to be used much by applications, but useful for
  writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not just
  kernel -- this is not a Solaris BSM API so can be modified without
  causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
  argument to the ordinary au_to_header32(), which is now implemented by
  wrapping au_to_header32_tm() and calling gettimeofday().  #ifndef KERNEL
  the APIs that invoke gettimeofday(), rather than having a variable
  definition.  Don't try to retrieve time zone information using
  gettimeofday(), as it's not needed, and introduces possible failure
  modes.
- Don't perform byte order transformations on the addr/machine fields of
  the terminal ID that appears in the process32/subject32 tokens.  These
  are assumed to be IP addresses, and as such, to be in network byte
  order.
- Universally, APIs now assume that IP addresses and ports are provided
  in network byte order.  APIs now generally provide these types in
  network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
  This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
  error information.
- Support for audit filters introduced: audit filters are dynamically
  loaded shared objects that run in the context of a new daemon,
  auditfilterd.  The daemon reads from an audit pipe and feeds both BSM and
  parsed versions of records to shared objects using a module API.  This
  will provide a framework for the writing of intrusion detection services.
- New utility API, audit_submit(), added to capture common elements of audit
  record submission for many applications.

Obtained from:	TrustedBSD Project
@
text
@d30 1
a30 1
and Linux.  Depending on the availability of audit facilities in the
d98 1
a98 1
$P4: //depot/projects/trustedbsd/openbsm/README#17 $
@


1.1.1.6
log
@Vendor import of OpenBSM 1.0 alpha 9, with the following change history
notes since the last import:

OpenBSM 1.0 alpha 9

- Rename many OpenBSM-specific constants and API elements containing the
  strings "BSM" and "bsm" to "AUDIT" and "audit", observing that this is true
  for almost all existing constants and APIs.
- Instead of passing a per-instance cookie directly into all audit filter
  APIs, pass in the audit filter daemon state pointer, which is then used by
  the module using an audit_filter_{get,set}cookie() API.  This will allow
  future service APIs provided by the filter daemon to maintain their own
  state -- for example, per-module preselection state.

OpenBSM 1.0 alpha 8

- Correct typo in definition of AUR_INT.
- Adopt OpenSolaris constant values for AUDIT_* configuration flags.
- Arguments to au_to_exec_args() and au_to_exec_env() no longer const.
- Add kernel versions of au_to_exec_args() and au_to_exec_env().
- Fix exec argument type that is printed for env strings from 'arg' to 'env'.
- New OpenBSM token version number assigned, constants added for other
  commonly seen version numbers.
- OpenBSM-specific events assigned numbers in the 43xxx range to avoid future
  collisions with Solaris.  Darwin events renamed to AUE_DARWIN_foo, as they
  are now deprecated numberings.
- autoconf now detects clock_gettime(), which is not available on Darwin.
- praudit output fixes relating to arg32 and arg64 tokens.
- Maximum record size updated to 64k-1 to match Solaris record size limit.
- Various style and comment cleanups in include files.

This is an MFC candidate to RELENG_6.

Obtained from:	TrustedBSD Project
@
text
@a76 2
    Pawel Worach
    Martin Englund
d98 1
a98 1
$P4: //depot/projects/trustedbsd/openbsm/README#19 $
@


1.1.1.7
log
@Vendor import TrustedBSD OpenBSM 1.0 alpha 14, with the following change
history notes since the last import:

OpenBSM 1.0 alpha 14

- Fix endian issues when processing IPv6 addresses for extended subject
  and process tokens.
- gcc41 warnings clean.
- Teach audit_submit(3) about getaudit_addr(2).
- Add support for zonename tokens.

OpenBSM 1.0 alpha 13

- compat/clock_gettime.h now provides a compatibility implementation of
  clock_gettime(), which fixes building on Mac OS X.
- Countless man page improvements, markup fixes, content fixes, etc.
- XML printing support via "praudit -x".
- audit.log.5 expanded to include additional BSM token types.
- Added encoding and decoding routines for process64_ex, process32_ex,
  subject32_ex, header64, and attr64 tokens.
- Additional audit event identifiers for listen, mlockall/munlockall,
  getpath, POSIX message queues, and mandatory access control.

Approved by:	re (bmah)
MFC after:	3 weeks
Obtained from:	TrustedBSD Project
@
text
@d6 5
a10 7
Originally created under contract to Apple Computer by McAfee Research, this
implementation is now maintained by volunteers and the generous contribution
of several organizations.  Coupled with a kernel audit implementation,
OpenBSM can be used to maintain system audit streams, and is a foundation for
an Audit-enabled system.  Portions of OpenBSM, including include files and
token-building routines, are reusable in a kernel audit implementation, and
may be found in the FreeBSD and Mac OS X kernels.
a17 1
    compat/        Compatibility code to build on various OS's
d21 4
a24 12
    modules/       Directory for auditfilterd module source
    test/          Test token sets and generation program
    tools/         Tool directory, including audump to dump databases

The following programs are included with OpenBSM:

    audit          Command line audit control tool
    auditd         Audit management daemon
    auditfilterd   Experimental event monitoring framework
    auditreduce    Audit trail reduction tool
    audump         Debugging tool to parse and print audit databases
    praudit        Tool to print audit trails
d32 1
a32 1
support are built conditionally.  Typically, the build will be performed using:
d54 2
a55 1
configuration.  Currently, the locations of these files are not configurable.
d59 2
a60 2
The following organizations and individuals have contributed substantially to
the development of OpenBSM:
a78 3
    Ruslan Ermilov
    Martin Voros
    Diego Giagio
d100 1
a100 1
$P4: //depot/projects/trustedbsd/openbsm/README#23 $
@


1.1.1.8
log
@Vendor import TrustedBSD OpenBSM 1.0 alpha 15, with the following change
history since the last import:

OpenBSM 1.0 alpha 15

- Fix bug when processing in_addr_ex tokens.
- Restore the behavior of printing the string/text specified while
  auditing arg32 tokens.
- Synchronized audit event list to Solaris, picking up the *at(2) system call
  definitions, now required for FreeBSD and Linux.  Added additional events
  for *at(2) system calls not present in Solaris.
- Bugs in auditreduce(8) fixed allowing partial date strings to be used in
  filtering events.

Approved by:	re (hrs)
MFC after:	3 weeks
Obtained from:	TrustedBSD Project
@
text
@a91 1
    Alex Samorukov
d113 1
a113 1
$P4: //depot/projects/trustedbsd/openbsm/README#24 $
@


1.1.1.6.2.1
log
@MFC OpenBSM 1.0 alpha 10 from HEAD to RELENG_6; OpenBSM is the user space
portion of the TrustedBSD audit implementation, which has now been
settling in 7-CURRENT for several months, and is intended to provide a
Common Criteria/CAPP-compliant fine-grained security event log subsystem.
OpenBSM includes libraries, documentation, configuration files, and audit
trail printing and audit trail reduction tools.

This code drop is based on Apple's BSM implementation, implemented by
McAfee Research, and has been substantially enhanced by the TrustedBSD
Project.

Audit support will be considered "experimental" for 6.2-RELEASE.

Obtained from:	TrustedBSD Project
@
text
@@


1.1.1.6.2.2
log
@Merge OpenBSM 1.0 from HEAD to RELENG_6:

  OpenBSM 1.0

  - Fix bug in auditreduce(8) which resulted in a memory fault/crash when
    the user specified an event name with -m.
  - Remove AU_.* hard-coded audit class constants, as audit classes are now
    entirely dynamically configured using /etc/security/audit_class.

  OpenBSM 1.0 alpha 15

  - Fix bug when processing in_addr_ex tokens.
  - Restore the behavior of printing the string/text specified while
    auditing arg32 tokens.
  - Synchronized audit event list to Solaris, picking up the *at(2) system call
    definitions, now required for FreeBSD and Linux.  Added additional events
    for *at(2) system calls not present in Solaris.
  - Bugs in auditreduce(8) fixed allowing partial date strings to be used in
    filtering events.

  OpenBSM 1.0 alpha 14

  - Fix endian issues when processing IPv6 addresses for extended subject
    and process tokens.
  - gcc41 warnings clean.
  - Teach audit_submit(3) about getaudit_addr(2).
  - Add support for zonename tokens.

  OpenBSM 1.0 alpha 13

  - compat/clock_gettime.h now provides a compatibility implementation of
    clock_gettime(), which fixes building on Mac OS X.
  - Countless man page improvements, markup fixes, content fixes, etc.
  - XML printing support via "praudit -x".
  - audit.log.5 expanded to include additional BSM token types.
  - Added encoding and decoding routines for process64_ex, process32_ex,
    subject32_ex, header64, and attr64 tokens.
  - Additional audit event identifiers for listen, mlockall/munlockall,
    getpath, POSIX message queues, and mandatory access control.
@
text
@d6 5
a10 7
Originally created under contract to Apple Computer by McAfee Research, this
implementation is now maintained by volunteers and the generous contribution
of several organizations.  Coupled with a kernel audit implementation,
OpenBSM can be used to maintain system audit streams, and is a foundation for
an Audit-enabled system.  Portions of OpenBSM, including include files and
token-building routines, are reusable in a kernel audit implementation, and
may be found in the FreeBSD and Mac OS X kernels.
a17 1
    compat/        Compatibility code to build on various OS's
d21 4
a24 12
    modules/       Directory for auditfilterd module source
    test/          Test token sets and generation program
    tools/         Tool directory, including audump to dump databases

The following programs are included with OpenBSM:

    audit          Command line audit control tool
    auditd         Audit management daemon
    auditfilterd   Experimental event monitoring framework
    auditreduce    Audit trail reduction tool
    audump         Debugging tool to parse and print audit databases
    praudit        Tool to print audit trails
d32 1
a32 1
support are built conditionally.  Typically, the build will be performed using:
d54 2
a55 1
configuration.  Currently, the locations of these files are not configurable.
d59 2
a60 2
The following organizations and individuals have contributed substantially to
the development of OpenBSM:
a78 4
    Ruslan Ermilov
    Martin Voros
    Diego Giagio
    Alex Samorukov
d100 1
a100 1
$P4: //depot/projects/trustedbsd/openbsm/README#24 $
@


