PERFORCE change 107171 for review
Ruslan Ermilov
ru at FreeBSD.org
Tue Oct 3 07:12:03 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=107171
Change 107171 by ru at ru_edoofus on 2006/10/03 14:11:12
- Sort options.
- Fix markup.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 (text+ko) ====
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#13 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#14 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@@ -34,21 +34,21 @@
.Nm auditreduce
.Nd "select records from audit trail files"
.Sh SYNOPSIS
-.Nm auditreduce
+.Nm
.Op Fl A
-.Op Fl a Ar YYYYMMDD[HH[MM[SS]]]
-.Op Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.Op Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
+.Op Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
.Op Fl c Ar flags
.Op Fl d Ar YYYYMMDD
.Op Fl e Ar euid
.Op Fl f Ar egid
.Op Fl g Ar rgid
+.Op Fl j Ar id
+.Op Fl m Ar event
+.Op Fl o Ar object Ns = Ns Ar value
.Op Fl r Ar ruid
.Op Fl u Ar auid
-.Op Fl j Ar id
-.Op Fl m Ar event
-.Op Fl o Ar object=value
-.Op Ar file ...
+.Op Ar
.Sh DESCRIPTION
The
.Nm
@@ -56,22 +56,21 @@
criteria.
Matching audit records are printed to the standard output in
their raw binary form.
-If no filename is specified, the standard input is used
+If no
+.Ar file
+argument is specified, the standard input is used
by default.
Use the
-.Nm praudit
+.Xr praudit 1
utility to print the selected audit records in human-readable form.
-See
-.Xr praudit 1
-for more information.
.Pp
The options are as follows:
-.Bl -tag -width Ds
+.Bl -tag -width indent
.It Fl A
Select all records.
-.It Fl a Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl a Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred after or on the given datetime.
-.It Fl b Ar YYYYMMDD[HH[MM[SS]]]
+.It Fl b Ar YYYYMMDD Ns Op Ar HH Ns Op Ar MM Ns Op Ar SS
Select records that occurred before the given datetime.
.It Fl c Ar flags
Select records matching the given audit classes specified as a comma
@@ -86,15 +85,11 @@
or
.Fl b .
.It Fl e Ar euid
-Select records with the given effective user id or name.
+Select records with the given effective user ID or name.
.It Fl f Ar egid
-Select records with the given effective group id or name.
+Select records with the given effective group ID or name.
.It Fl g Ar rgid
-Select records with the given real group id or name.
-.It Fl r Ar ruid
-Select records with the given real user id or name.
-.It Fl u Ar auid
-Select records with the given audit id.
+Select records with the given real group ID or name.
.It Fl j Ar id
Select records having a subject token with matching ID.
.It Fl m Ar event
@@ -102,45 +97,53 @@
See
.Xr audit_event 5
for a description of audit event names and numbers.
-.It Fl o Ar object=value
-.Bl -tag -width Ds
-.It Nm file
+.It Fl o Ar object Ns = Ns Ar value
+.Bl -tag -width ".Cm msgqid"
+.It Cm file
Select records containing path tokens, where the pathname matches
one of the comma delimited extended regular expression contained in
given specification.
-Regular expressions which are prefixed with a tilde (~) are excluded
+Regular expressions which are prefixed with a tilde
+.Pq Ql ~
+are excluded
from the search results.
These extended regular expressions are processed from left to right,
and a path will either be selected or deslected based on the first match.
.Pp
-Since commas are used to delimit the regular expressions, a backslash (\\)
-character should be used to escape the comma if it's a part of the search
+Since commas are used to delimit the regular expressions, a backslash
+.Pq Ql \e
+character should be used to escape the comma if it is a part of the search
pattern.
-.It Nm msgqid
-Select records containing the given message queue id.
-.It Nm pid
-Select records containing the given process id.
-.It Nm semid
-Select records containing the given semaphore id.
-.It Nm shmid
-Select records containing the given shared memory id.
+.It Cm msgqid
+Select records containing the given message queue ID.
+.It Cm pid
+Select records containing the given process ID.
+.It Cm semid
+Select records containing the given semaphore ID.
+.It Cm shmid
+Select records containing the given shared memory ID.
.El
+.It Fl r Ar ruid
+Select records with the given real user ID or name.
+.It Fl u Ar auid
+Select records with the given audit ID.
.El
-.Sh Examples
-.Pp
+.Sh EXAMPLES
To select all records associated with effective user ID root from the audit
log
.Pa /var/audit/20031016184719.20031017122634 :
-.Pp
-.Nm
--e root /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -e root \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
To select all
.Xr setlogin 2
events from that log:
-.Pp
-.Nm
--m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -m AUE_SETLOGIN \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Output from the above command lines will typically be piped to a new trail
file, or via standard output to the
@@ -148,23 +151,26 @@
command.
.Pp
Select all records containing a path token where the pathname contains
-.Pa /etc/master.passwd
-.Pp
-.Nm
--ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pa /etc/master.passwd :
+.Bd -literal -offset indent
+auditreduce -o file="/etc/master.passwd" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
device:
-.Pp
-.Nm
--ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Bd -literal -offset indent
+auditreduce -o file="/dev/tty[a-zA-Z][0-9]+" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Pp
Select all records containing path tokens, where the pathname is a TTY
except for
-.Pa /dev/ttyp2
-.Pp
-.Nm
--ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pa /dev/ttyp2 :
+.Bd -literal -offset indent
+auditreduce -o file="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" \e
+ /var/audit/20031016184719.20031017122634
+.Ed
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
@@ -175,9 +181,13 @@
It was subsequently adopted by the TrustedBSD Project as the foundation for
the OpenBSM distribution.
.Sh AUTHORS
+.An -nosplit
This software was created by McAfee Research, the security research division
of McAfee, Inc., under contract to Apple Computer Inc.
-Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
+Additional authors include
+.An Wayne Salamon ,
+.An Robert Watson ,
+and SPARTA Inc.
.Pp
The Basic Security Module (BSM) interface to audit records and audit event
stream format were defined by Sun Microsystems.
More information about the trustedbsd-cvs
mailing list