Lines Matching +full:in +full:- +full:masks
30 .Nd "pseudo-device for live audit event tracking"
39 provide a reliable long-term store for audit log information, current log
41 unwieldy for live monitoring applications such as host-based intrusion
47 direct access to live BSM audit data for the purposes of real-time
59 passed by the application is too small to hold the next record in the
64 Audit pipe devices are blocking by default, but support non-blocking I/O,
77 .Bl -tag -width ".Dv AUDITPIPE_GET_MAXAUDITDATA"
104 matched by the system-wide audit trail, configured by
107 alternative criteria, including pipe-local flags and naflags settings, as
108 well as auid-specific selection masks.
109 This allows applications to track events not captured in the global audit
114 .Bl -tag -width ".Dv AUDITPIPE_GET_PRESELECT_MODE"
126 .Bl -tag -width ".Dv AUDITPIPE_PRESELECT_MODE_TRAIL"
133 as well as a set of per-auid masks.
138 earlier preselection configuration may still be in the audit pipe queue.
146 .Bl -tag -width ".Dv AUDITPIPE_GET_PRESELECT_NAFLAGS"
152 field in
161 field in
166 Retrieve the current default preselection flags for non-attributable events
170 field in
175 Set the current default preselection flags for non-attributable events on the
179 field in
184 Query the current preselection masks for a specific auid on the pipe.
196 Set the current preselection masks for a specific auid on the pipe.
228 division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
232 Support for kernel audit first appeared in
243 manual page for information on audit-related bugs and limitations.
249 The per-pipe audit event queue is fifo, with drops occurring if either the
250 user thread provides in sufficient for the record on the queue head, or on
253 more compatible with buffered I/O as implemented in system libraries, and to
254 allow applications to select which records are dropped, possibly in the style