The library routines provide an interface to BSM audit record streams, allowing both the parsing of existing audit streams and the creation of new audit records and streams.
INTERFACES
The library provides a large number of audit programming interfaces in several classes: event stream interfaces, class interfaces, control interfaces, event interfaces, I/O interfaces, mask interfaces, notification interfaces, token interfaces, and user interfaces. These are described in the au_class(3), au_control(3), au_event(3), au_mask(3), au_notify(3), au_stream(3), au_token(3), and au_user(3) manual pages.
Audit Event Stream Interfaces
Audit event stream interfaces support interaction with file-backed audit event streams: au_close(3), au_close_buffer(3), au_free_token(3), au_open(3), au_write(3), audit_submit(3).
Audit Class Interfaces
Audit class interfaces support the lookup of information from the audit_class(5) database: endauclass(3), getauclassent(3), getauclassent_r(3), getauclassnam(3), getauclassnam_r(3), setauclass(3).
Audit I/O Interfaces
Audit I/O interfaces support the processing and printing of tokens, as well as the reading of audit records: au_fetch_tok(3), au_print_tok(3), au_read_rec(3).
Audit Mask Interfaces
Audit mask interfaces support the conversion between strings and au_mask_t values. They may also be used to determine whether a particular audit event is matched by a mask: au_preselect(3), getauditflagsbin(3), getauditflagschar(3).
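As an added example (not libbsm code, and not from the OpenBSM project), the following reimplements in miniature what getauditflagsbin(3) and au_preselect(3) do: a flags string in audit_class(5) syntax is converted into success and failure masks of the same shape as au_mask_t, and an event's class bits are tested against the half of the mask that applies to its outcome. The class table is a constructed stand-in for the audit_class(5) database (consult the system's own file for real values), and flags_to_mask, preselect, event_selected and the handling of the '+', '-' and '^' prefixes are this example's own names and reading of the syntax.

```c
/* Added example, not libbsm code: a miniature getauditflagsbin()/au_preselect().
 * The class table below is a constructed stand-in for audit_class(5). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint32_t am_success; uint32_t am_failure; } mask_t; /* shape of au_mask_t */

/* Constructed class table; real systems read this from audit_class(5). */
static const struct { const char *name; uint32_t bits; } classes[] = {
    {"fr", 0x00000001}, {"fw", 0x00000002}, {"fc", 0x00000010}, {"fd", 0x00000020},
    {"ad", 0x00000800}, {"lo", 0x00001000}, {"ex", 0x40000000}, {"all", 0xffffffff},
};

static int class_bits(const char *name, uint32_t *bits)
{
    for (size_t i = 0; i < sizeof classes / sizeof classes[0]; i++)
        if (strcmp(classes[i].name, name) == 0) { *bits = classes[i].bits; return 0; }
    return -1;
}

/* Parse a flags string such as "lo,+ad,-ex,^fw": a bare class selects both
 * success and failure, '+' only success, '-' only failure, and a leading '^'
 * clears the bits instead of setting them. Returns 0, or -1 on an unknown
 * class name or an over-long string. */
int flags_to_mask(const char *flags, mask_t *m)
{
    char buf[256];
    if (strlen(flags) >= sizeof buf) return -1;
    strcpy(buf, flags);
    m->am_success = m->am_failure = 0;
    for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
        int clear = 0, succ = 1, fail = 1;
        uint32_t bits;
        if (*tok == '^') { clear = 1; tok++; }
        if (*tok == '+') { fail = 0; tok++; }
        else if (*tok == '-') { succ = 0; tok++; }
        if (class_bits(tok, &bits) != 0) return -1;
        if (succ) m->am_success = clear ? (m->am_success & ~bits) : (m->am_success | bits);
        if (fail) m->am_failure = clear ? (m->am_failure & ~bits) : (m->am_failure | bits);
    }
    return 0;
}

/* Like au_preselect(): is an event with class bits event_class selected by
 * mask m, given whether the event succeeded (1) or failed (0)? */
int preselect(uint32_t event_class, const mask_t *m, int success)
{
    return ((success ? m->am_success : m->am_failure) & event_class) != 0;
}

/* Convenience wrapper: 1 selected, 0 not selected, -1 on an unknown name. */
int event_selected(const char *flags, const char *event_class_name, int success)
{
    mask_t m;
    uint32_t cls;
    if (flags_to_mask(flags, &m) != 0 || class_bits(event_class_name, &cls) != 0) return -1;
    return preselect(cls, &m, success);
}

int main(void)
{
    mask_t m;
    if (flags_to_mask("lo,+ad,-ex", &m) == 0)
        printf("success 0x%08x failure 0x%08x\n", (unsigned)m.am_success, (unsigned)m.am_failure);
    printf("successful exec under lo,+ad,-ex: %d\n", event_selected("lo,+ad,-ex", "ex", 1));
    printf("failed exec under lo,+ad,-ex: %d\n", event_selected("lo,+ad,-ex", "ex", 0));
    printf("failed exec under all,^-ex: %d\n", event_selected("all,^-ex", "ex", 0));
    return 0;
}
```

The two-field mask is why the '+' and '-' prefixes exist: a policy such as "lo,+ad,-ex" records every login event, only successful administrative events, and only failed executions, so the same class can be selected for one outcome and not the other. A parser that rejects unknown class names (returning -1 here) is preferable to silently ignoring them, because a typo in the flags string would otherwise narrow what gets audited without anyone noticing.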
Audit Notification Interfaces
Audit notification routines track audit state in a form permitting efficient update, avoiding frequent system calls to check the kernel audit state: au_get_state(3), au_notify_initialize(3), au_notify_terminate(3).
These interfaces are implemented only for Darwin/Mac OS X.
Audit Token Interfaces
Audit token interfaces permit the creation of tokens for use in creating audit records for submission to event streams. Each interface converts a C type to its token_t representation: au_to_arg(3), au_to_arg32(3), au_to_arg64(3), au_to_attr64(3), au_to_data(3), au_to_exec_args(3), au_to_exec_env(3), au_to_exit(3), au_to_file(3), au_to_groups(3), au_to_header32(3), au_to_header64(3), au_to_in_addr(3), au_to_in_addr_ex(3), au_to_ip(3), au_to_ipc(3), au_to_ipc_perm(3), au_to_iport(3), au_to_me(3), au_to_newgroups(3), au_to_opaque(3), au_to_path(3), au_to_process(3), au_to_process32(3), au_to_process64(3), au_to_process_ex(3), au_to_process32_ex(3), au_to_process64_ex(3), au_to_return(3), au_to_return32(3), au_to_return64(3), au_to_seq(3), au_to_sock_inet(3), au_to_sock_inet32(3), au_to_sock_inet128(3), au_to_subject(3), au_to_subject32(3), au_to_subject64(3), au_to_subject_ex(3), au_to_subject32_ex(3), au_to_subject64_ex(3), au_to_text(3), au_to_trailer(3), au_to_zonename(3).
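The stream, I/O and token interface classes above all operate on the same byte layout, so here is an added example (not libbsm code, and not from the OpenBSM project) that lays out one record by hand the way au_open(3), au_to_text(3), au_to_return32(3) and au_close(3) would, then frames it the way au_read_rec(3) does and walks its tokens the way repeated au_fetch_tok(3) calls do. It assumes the BSM header32, text, return32 and trailer token layouts with big-endian fields; the sample text, the version byte and the timestamp are constructed values, and only those four token types are recognised. bsm_frame_record, bsm_count_tokens, build_sample_record and check_sample are this example's own names.

```c
/* Added example, not libbsm code: builds one BSM record the way
 * au_open()/au_to_*()/au_close() lay it out, then frames it like au_read_rec()
 * and walks it like au_fetch_tok(). Assumes the BSM header32, text, return32
 * and trailer token layouts; every multi-byte field is big-endian. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define AUT_HEADER32      0x14
#define AUT_TRAILER       0x13
#define AUT_RETURN32      0x27
#define AUT_TEXT          0x28
#define AUT_TRAILER_MAGIC 0xB105
#define HEADER32_LEN 18  /* id(1) size(4) version(1) type(2) modifier(2) sec(4) msec(4) */
#define TRAILER_LEN  7   /* id(1) magic(2) size(4) */

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Frame one record like au_read_rec(): return its length, or 0 when the header
 * is not header32, the size is out of range, or the trailer does not close the
 * record with the right magic and the same size. */
size_t bsm_frame_record(const uint8_t *buf, size_t len)
{
    if (len < HEADER32_LEN + TRAILER_LEN || buf[0] != AUT_HEADER32)
        return 0;
    uint32_t size = be32(buf + 1);
    if (size < HEADER32_LEN + TRAILER_LEN || size > len)
        return 0;
    const uint8_t *tr = buf + size - TRAILER_LEN;
    if (tr[0] != AUT_TRAILER || be16(tr + 1) != AUT_TRAILER_MAGIC || be32(tr + 3) != size)
        return 0;
    return size;
}

/* Walk a framed record like repeated au_fetch_tok() calls. Returns the token
 * count, or -1 on an unknown token id or a token running past the record. */
int bsm_count_tokens(const uint8_t *rec, size_t reclen)
{
    size_t off = 0, tlen;
    int n = 0;
    while (off < reclen) {
        switch (rec[off]) {
        case AUT_HEADER32: tlen = HEADER32_LEN; break;
        case AUT_TRAILER:  tlen = TRAILER_LEN;  break;
        case AUT_RETURN32: tlen = 1 + 1 + 4;    break;  /* id, errno, return value */
        case AUT_TEXT:                                  /* id, length, NUL-terminated text */
            if (off + 3 > reclen) return -1;
            tlen = 1 + 2 + be16(rec + off + 1);
            break;
        default: return -1;
        }
        if (off + tlen > reclen) return -1;
        off += tlen;
        n++;
    }
    return n;
}

/* Lay out a constructed record: header32, text, return32, trailer. */
size_t build_sample_record(uint8_t *out, size_t cap)
{
    const char *msg = "constructed example";        /* constructed sample text */
    uint16_t tlen = (uint16_t)(strlen(msg) + 1);      /* BSM text length counts the NUL */
    size_t total = HEADER32_LEN + 3 + tlen + 6 + TRAILER_LEN;
    uint8_t *p = out;
    if (cap < total) return 0;
    *p++ = AUT_HEADER32; put32(p, (uint32_t)total); p += 4;
    *p++ = 11;                                        /* header version byte (OpenBSM uses 11) */
    put16(p, 0); p += 2;                              /* event type: placeholder */
    put16(p, 0); p += 2;                              /* event modifier */
    put32(p, 1700000000u); p += 4;                    /* seconds: constructed timestamp */
    put32(p, 0); p += 4;                              /* milliseconds */
    *p++ = AUT_TEXT; put16(p, tlen); p += 2; memcpy(p, msg, tlen); p += tlen;
    *p++ = AUT_RETURN32; *p++ = 0; put32(p, 0); p += 4;   /* errno 0, return value 0 */
    *p++ = AUT_TRAILER; put16(p, AUT_TRAILER_MAGIC); p += 2; put32(p, (uint32_t)total); p += 4;
    return (size_t)(p - out);
}

/* Build, optionally flip a byte of the trailer magic, then frame and count.
 * Returns the token count, or 0 when framing rejects the record. */
int check_sample(int corrupt_trailer)
{
    uint8_t rec[128];
    size_t n = build_sample_record(rec, sizeof rec), framed;
    if (n == 0) return 0;
    if (corrupt_trailer) rec[n - TRAILER_LEN + 1] ^= 0xff;
    framed = bsm_frame_record(rec, n);
    return framed ? bsm_count_tokens(rec, framed) : 0;
}

int main(void)
{
    printf("intact record: %d tokens\n", check_sample(0));     /* 4 */
    printf("corrupt trailer: %d tokens\n", check_sample(1));   /* 0 */
    return 0;
}
```

The trailer check is the part worth copying: a record whose header size and trailer disagree is the usual symptom of a truncated or tampered trail, and a parser that trusts the header size alone will read past the record boundary. Refusing to frame (returning 0) rather than guessing is what lets a consumer stop cleanly instead of misinterpreting the following bytes as tokens.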
HISTORY
The OpenBSM implementation was created by McAfee Research, the security division of McAfee Inc., under contract to Apple Computer, Inc., in 2004. It was subsequently adopted by the TrustedBSD Project as the foundation for the OpenBSM distribution.
AUTHORS
This software was created by Robert Watson, Wayne Salamon, and Suresh Krishnaswamy for McAfee Research, the security research division of McAfee, Inc., under contract to Apple Computer, Inc.
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
BUGS
Bugs would not be unlikely.
The library implementations are generally thread-safe, but not reentrant. The assignment of routines to classes could use some work, as it is decidedly ad hoc. For example, au_read_rec(3) should probably be considered a stream routine.