25c25
< .\" $FreeBSD: head/share/man/man4/audit.4 155314 2006-02-04 21:10:48Z brueffer $
---
> .\" $FreeBSD: head/share/man/man4/audit.4 155392 2006-02-06 18:41:00Z rwatson $
27c27
< .Dd February 2, 2006
---
> .Dd February 6, 2006
55a56,87
> .Ss Audit Special Device
> The kernel audit facility provides a special device,
> .Pa /dev/audit ,
> which is used by
> .Xr auditd 8
> to monitor for audit events, such as requests to cycle the log, low disk
> space conditions, and requests to terminate auditing.
> This device is not intended for use by applications.
> .Ss Audit Pipe Special Devices
> The kernel audit facility also a clonable special device,
> .Pa /dev/auditpipe ,
> which allows appropriately privileged applications to gain direct access to
> the BSM audit stream without accessing audit trail files.
> As audit trail files are owned by the audit daemon until terminated, they
> are an unreliable way for applications to access live audit data; this
> special device inserts a "tee" in the audit event stream.
> This facility is appropriate for use by live monitoring tools, including
> intrusion detection.
> As the device is clonable, more than one instance of the device may be opened
> at a time; each device instance will provide access to all records.
> .Pp
> The audit pipe device provides discreet BSM audit records; if the read buffer
> passed by the application is too small to hold the next record in the
> sequence, it will be dropped.
> Unlike audit data written to the audit trail, the reliability of record
> delivery is not guaranteed.
> In particular, when an audit pipe queue fills, records will be dropped.
> Audit pipe devices are blocking by default, but support non-blocking I/O,
> asynchronous I/O using SIGIO, and support for polled operation via
> .Xr select 2
> and
> .Xr poll 2 .
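Review bot: The opening sentence of the new "Audit Pipe Special Devices" subsection, "The kernel audit facility also a clonable special device," is missing its verb and should read "also provides a clonable special device". In the paragraph after .Pp, "discreet BSM audit records" should be "discrete", and "and support for polled operation via" breaks the parallel list ("and polled operation via" reads cleanly). That paragraph also states that a record is dropped when the read buffer is too small or when the pipe queue fills, but it gives no guidance on what buffer size is sufficient or how a consumer can tell that records were lost. Since the text recommends the device for live monitoring and intrusion detection, a sentence on either point would let such tools account for gaps in the stream instead of treating it as complete.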
63a96,97
> .Xr poll 2 ,
> .Xr select 2 ,