PERFORCE change 107171 for review

Ruslan Ermilov ru at FreeBSD.org
Tue Oct 3 07:12:03 PDT 2006


http://perforce.freebsd.org/chv.cgi?CH=107171

Change 107171 by ru at ru_edoofus on 2006/10/03 14:11:12

	- Sort options.
	- Fix markup.

Affected files ...

.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 edit

Differences ...

==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 (text+ko) ====

@@ -25,7 +25,7 @@
 .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 .\" POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $
 .\"
 .Dd January 24, 2004
 .Dt AUDITREDUCE 1
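Review bot: the .Dd line in this hunk still reads January 24, 2004 while the $P4$ revision moves to #14. If the option reordering and the rewritten EXAMPLES section count as a content change rather than pure markup, bump .Dd in the same change so the rendered page date matches what readers see.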
@@ -34,21 +34,21 @@
 .Nm auditreduce
 .Nd "select records from audit trail files"
 .Sh SYNOPSIS
-.Nm auditreduce
+.Nm
 .Op Fl A
-.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
-.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
+.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 .Op Fl c Ar flags
 .Op Fl d Ar YYYYMMDD
 .Op Fl e Ar euid
 .Op Fl f Ar egid
 .Op Fl g Ar rgid
+.Op Fl j Ar id
+.Op Fl m Ar event
+.Op Fl o Ar object Ns = Ns Ar value
 .Op Fl r Ar ruid
 .Op Fl u Ar auid
-.Op Fl j Ar id
-.Op Fl m Ar event
-.Op Fl o Ar object=value
-.Op Ar file ...
+.Op Ar
 .Sh DESCRIPTION
 The
 .Nm
@@ -56,22 +56,21 @@
 criteria.
 Matching audit records are printed to the standard output in
 their raw binary form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
 by default.
 Use the
-.Nm praudit
+.Xr praudit 1
 utility to print the selected audit records in human-readable form.
-See
-.Xr praudit 1
-for more information.
 .Pp
 The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
 .It Fl A
 Select all records.
-.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 Select records that occurred after or on the given datetime.
-.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
 Select records that occurred before the given datetime.
 .It Fl c Ar flags
 Select records matching the given audit classes specified as a comma
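Review bot: the -a and -b descriptions touched in this hunk are asymmetric about the boundary: -a says "after or on the given datetime" while -b says only "before the given datetime". Since both .It lines are being rewritten anyway, state explicitly whether -b excludes the given instant (for example "strictly before"), so that someone splitting a trail into adjacent time windows can tell that a record at the boundary lands in exactly one of them.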
@@ -86,15 +85,11 @@
 or
 .Fl b .
 .It Fl e Ar euid
-Select records with the given effective user id or name.
+Select records with the given effective user ID or name.
 .It Fl f Ar egid
-Select records with the given effective group id or name.
+Select records with the given effective group ID or name.
 .It Fl g Ar rgid
-Select records with the given real group id or name.
-.It Fl r Ar ruid
-Select records with the given real user id or name.
-.It Fl u Ar auid
-Select records with the given audit id.
+Select records with the given real group ID or name.
 .It Fl j Ar id
 Select records having a subject token with matching ID.
 .It Fl m Ar event
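Review bot: the -j entry kept as context here, "Select records having a subject token with matching ID", does not say which ID in the subject token is compared, while the -e, -f and -g entries normalized just above each name theirs. As part of this cleanup, name the field that -j matches so the option can be told apart from -e, -r and -u.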
@@ -102,45 +97,53 @@
 See
 .Xr audit_event 5
 for a description of audit event names and numbers.
-.It Fl o Ar object=value
-.Bl -tag -width Ds
-.It Nm file
+.It Fl o Ar object Ns = Ns Ar value
+.Bl -tag -width ".Cm msgqid"
+.It Cm file
 Select records containing path tokens, where the pathname matches
 one of the comma delimited extended regular expression contained in
 given specification.
-Regular expressions which are prefixed with a tilde (~) are excluded
+Regular expressions which are prefixed with a tilde
+.Pq Ql ~
+are excluded
 from the search results.
 These extended regular expressions are processed from left to right,
 and a path will either be selected or deslected based on the first match.
 .Pp
-Since commas are used to delimit the regular expressions, a backslash (\\)
-character should be used to escape the comma if it's a part of the search
+Since commas are used to delimit the regular expressions, a backslash
+.Pq Ql \e
+character should be used to escape the comma if it is a part of the search
 pattern.
-.It Nm msgqid
-Select records containing the given message queue id.
-.It Nm pid
-Select records containing the given process id.
-.It Nm semid
-Select records containing the given semaphore id.
-.It Nm shmid
-Select records containing the given shared memory id.
+.It Cm msgqid
+Select records containing the given message queue ID.
+.It Cm pid
+Select records containing the given process ID.
+.It Cm semid
+Select records containing the given semaphore ID.
+.It Cm shmid
+Select records containing the given shared memory ID.
 .El
+.It Fl r Ar ruid
+Select records with the given real user ID or name.
+.It Fl u Ar auid
+Select records with the given audit ID.
 .El
-.Sh Examples
-.Pp
+.Sh EXAMPLES
 To select all records associated with effective user ID root from the audit
 log
 .Pa /var/audit/20031016184719.20031017122634 :
-.Pp
-.Nm
--e root /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -e root \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
 To select all
 .Xr setlogin 2
 events from that log:
-.Pp
-.Nm
--m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -m AUE_SETLOGIN \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
 Output from the above command lines will typically be piped to a new trail
 file, or via standard output to the
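Review bot: the file entry under -o still carries the typo "deslected" and the ungrammatical "one of the comma delimited extended regular expression contained in given specification", both left as context while the neighbouring lines are rewritten. Suggest "selected or deselected" and "one of the comma-delimited extended regular expressions contained in the given specification". Also, the moved -u entry reads "the given audit ID" with no "or name", unlike the -e, -f, -g and -r entries; confirm that difference is intentional. Finally, .It Fl o Ar object Ns = Ns Ar value goes straight into the nested list with no sentence describing the option itself.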
@@ -148,23 +151,26 @@
 command.
 .Pp
 Select all records containing a path token where the pathname contains
-.Pa /etc/master.passwd
-.Pp
-.Nm
--ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pa /etc/master.passwd :
+.Bd -literal -offset indent
+auditreduce -o file="/etc/master.passwd" \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
 Select all records containing path tokens, where the pathname is a TTY
 device:
-.Pp
-.Nm
--ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Pp
 Select all records containing path tokens, where the pathname is a TTY
 except for
-.Pa /dev/ttyp2
-.Pp
-.Nm
--ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pa /dev/ttyp2 :
+.Bd -literal -offset indent
+auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
+    /var/audit/20031016184719.20031017122634
+.Ed
 .Sh SEE ALSO
 .Xr praudit 1 ,
 .Xr audit_control 5 ,
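Review bot: in the rewritten example auditreduce -o file="/etc/master.passwd" the dot is an unescaped metacharacter, and the page documents these patterns as extended regular expressions, so the example as written matches any character in that position, not only a literal dot. Write it as /etc/master\e.passwd inside the literal block. The TTY examples are described as "the pathname is a TTY device", but if matching is unanchored, as the "pathname contains" wording of the master.passwd example suggests, /dev/tty[a-zA-Z][0-9]+ also selects longer paths that merely contain that string; either anchor the patterns with ^ and $ or reword the description to "contains".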
@@ -175,9 +181,13 @@
 It was subsequently adopted by the TrustedBSD Project as the foundation for
 the OpenBSM distribution.
 .Sh AUTHORS
+.An -nosplit
 This software was created by McAfee Research, the security research division
 of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
 .Pp
 The Basic Security Module (BSM) interface to audit records and audit event
 stream format were defined by Sun Microsystems.

