.\" Copyright (c) 2006 Robert N. M. Watson
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
--- 8 unchanged lines hidden ---
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD: head/share/man/man4/auditpipe.4 159282 2006-06-05 16:31:57Z joel $
.\"
.Dd May 5, 2006
.Os
.Dt AUDITPIPE 4
.Sh NAME
.Nm auditpipe
.Nd Pseudo-device for live audit event tracking
.Sh SYNOPSIS
.Cd "options AUDIT"
.Sh DESCRIPTION
While audit trail files
generated with
.Xr audit 4
and maintained by
.Xr auditd 8
provide a reliable long-term store for audit log information, current log
files are owned by the audit daemon until terminated, making them somewhat
unwieldy for live monitoring applications such as host-based intrusion
detection.
For example, the log may be cycled and new records written to a new file
without notice to applications that may be accessing the file.
.Pp
The audit facility provides an audit pipe facility for applications requiring
direct access to live BSM audit data for the purposes of real-time
monitoring.
Audit pipes are available via a clonable special device,
--- 69 unchanged lines hidden ---
.Pp
Possible preselection mode values are:
.Bl -tag -width AUDITPIPE_PRESELECT_MODE_TRAIL
.It AUDITPIPE_PRESELECT_MODE_TRAIL
Use the global audit trail preselection parameters to select records for the
audit pipe.
.It AUDITPIPE_PRESELECT_MODE_LOCAL
Use local audit pipe preselection; this model is similar to the global audit
trail configuration model, consisting of global flags and naflags parameters,
as well as a set of per-auid masks.
These parameters are configured using further ioctls.
.El
.Pp
After changing the audit pipe preselection mode, records selected under
earlier preselection configuration may still be in the audit pipe queue.
The application may flush the current record queue after changing the
configuration to remove possibly undesired records.
.Ss Audit Pipe Local Preselection Mode Ioctls
The following ioctls configure the preselection parameters used when an audit
pipe is configured for the
.Dv AUDITPIPE_PRESELECT_MODE_LOCAL
preselection mode.
.Bl -tag -width AUDITPIPE_GET_PRESELECT_NAFLAGS
.It AUDITPIPE_GET_PRESELECT_FLAGS
Retrieve the current default preselection flags for attributable events on
the pipe.
These flags correspond to the
--- 102 unchanged lines hidden ---