auditreduce.1 (155364) auditreduce.1 (162621)
1.\" Copyright (c) 2004 Apple Computer, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.

--- 11 unchanged lines hidden (view full) ---

20.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26.\" POSSIBILITY OF SUCH DAMAGE.
27.\"
1.\" Copyright (c) 2004 Apple Computer, Inc.
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.

--- 11 unchanged lines hidden (view full) ---

20.\" ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
24.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
25.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
26.\" POSSIBILITY OF SUCH DAMAGE.
27.\"
28.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#10 $
28.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
29.\"
30.Dd January 24, 2004
31.Dt AUDITREDUCE 1
32.Os
33.Sh NAME
34.Nm auditreduce
35.Nd "select records from audit trail files"
36.Sh SYNOPSIS

--- 63 unchanged lines hidden (view full) ---

100.It Fl m Ar event
101Select records with the given event name or number.
102See
103.Xr audit_event 5
104for a description of audit event names and numbers.
105.It Fl o Ar object=value
106.Bl -tag -width Ds
107.It Nm file
29.\"
30.Dd January 24, 2004
31.Dt AUDITREDUCE 1
32.Os
33.Sh NAME
34.Nm auditreduce
35.Nd "select records from audit trail files"
36.Sh SYNOPSIS

--- 63 unchanged lines hidden (view full) ---

100.It Fl m Ar event
101Select records with the given event name or number.
102See
103.Xr audit_event 5
104for a description of audit event names and numbers.
105.It Fl o Ar object=value
106.Bl -tag -width Ds
107.It Nm file
108Select records containing the given path name.
109file="/usr" matches paths
110starting with
111.Pa usr .
112file="~/usr" matches paths not starting with
113.Pa usr .
108Select records containing path tokens, where the pathname matches
109one of the comma delimited extended regular expression contained in
110given specification.
111Regular expressions which are prefixed with a tilde (~) are excluded
112from the search results.
113These extended regular expressions are processed from left to right,
114and a path will either be selected or deslected based on the first match.
115.Pp
116Since commas are used to delimit the regular expressions, a backslash (\\)
117character should be used to escape the comma if it's a part of the search
118pattern.
114.It Nm msgqid
115Select records containing the given message queue id.
116.It Nm pid
117Select records containing the given process id.
118.It Nm semid
119Select records containing the given semaphore id.
120.It Nm shmid
121Select records containing the given shared memory id.
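Review bot: The new description of the file object (added lines 108-118) never says whether each extended regular expression is anchored or may match anywhere in the pathname, and that decides what existing invocations now select. The removed text documented file="/usr" as a prefix match, while the example added further down describes a pathname that "contains" the pattern. Please state the matching rule explicitly, say what happens to a path that matches none of the expressions, and add a cross-reference to re_format(7) for the syntax. Because the first match decides, it is also worth saying outright that a tilde-prefixed exclusion has to come before any broader pattern that would otherwise select the same path. Wording on the same lines: "deslected" on line 114 should be "deselected"; "one of the comma delimited extended regular expression contained in given specification" should read "one of the comma-delimited extended regular expressions contained in the given specification"; and the literal backslash on line 116 is more portably written with the \e escape than with "\\".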

--- 9 unchanged lines hidden (view full) ---

131-e root /var/audit/20031016184719.20031017122634
132.Pp
133To select all
134.Xr setlogin 2
135events from that log:
136.Pp
137.Nm
138-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
119.It Nm msgqid
120Select records containing the given message queue id.
121.It Nm pid
122Select records containing the given process id.
123.It Nm semid
124Select records containing the given semaphore id.
125.It Nm shmid
126Select records containing the given shared memory id.

--- 9 unchanged lines hidden (view full) ---

136-e root /var/audit/20031016184719.20031017122634
137.Pp
138To select all
139.Xr setlogin 2
140events from that log:
141.Pp
142.Nm
143-m AUE_SETLOGIN /var/audit/20031016184719.20031017122634
144.Pp
145Output from the above command lines will typically be piped to a new trail
146file, or via standard output to the
147.Xr praudit 1
148command.
149.Pp
150Select all records containing a path token where the pathname contains
151.Pa /etc/master.passwd
152.Pp
153.Nm
154-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
155.Pp
156Select all records containing path tokens, where the pathname is a TTY
157device:
158.Pp
159.Nm
160-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
161.Pp
162Select all records containing path tokens, where the pathname is a TTY
163except for
164.Pa /dev/ttyp2
165.Pp
166.Nm
167-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
139.Sh SEE ALSO
140.Xr praudit 1 ,
141.Xr audit_control 5 ,
142.Xr audit_event 5
143.Sh AUTHORS
144This software was created by McAfee Research, the security research division
145of McAfee, Inc., under contract to Apple Computer Inc.
146Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
147.Pp
148The Basic Security Module (BSM) interface to audit records and audit event
149stream format were defined by Sun Microsystems.
150.Sh HISTORY
151The OpenBSM implementation was created by McAfee Research, the security
152division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
153It was subsequently adopted by the TrustedBSD Project as the foundation for
154the OpenBSM distribution.
168.Sh SEE ALSO
169.Xr praudit 1 ,
170.Xr audit_control 5 ,
171.Xr audit_event 5
172.Sh AUTHORS
173This software was created by McAfee Research, the security research division
174of McAfee, Inc., under contract to Apple Computer Inc.
175Additional authors include Wayne Salamon, Robert Watson, and SPARTA Inc.
176.Pp
177The Basic Security Module (BSM) interface to audit records and audit event
178stream format were defined by Sun Microsystems.
179.Sh HISTORY
180The OpenBSM implementation was created by McAfee Research, the security
181division of McAfee Inc., under contract to Apple Computer Inc. in 2004.
182It was subsequently adopted by the TrustedBSD Project as the foundation for
183the OpenBSM distribution.
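Review bot: The patterns in the added examples (lines 149-167) match more than their descriptions claim. In -ofile="/etc/master.passwd" the dot is an unescaped regex metacharacter, so it matches any character in that position, and if matching is unanchored, as "contains" suggests, "/dev/tty[a-zA-Z][0-9]+" also selects longer paths that merely include a TTY name, and "~/dev/ttyp2" also excludes names such as /dev/ttyp20. For a tool used to filter audit evidence, the examples should either escape and anchor the patterns or have their descriptions reworded to say what is really selected. Style: the first example sentence (lines 150-151) and the third (lines 162-164) end without a colon, unlike the second, and the third should say "TTY device" to match the second. The .Dd date on line 30 is still January 24, 2004 even though this change alters documented behaviour; it should be bumped.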