add the new man pages

Author: stevegrubb

docs/audit_can_read.3

@@ -0,0 +1,30 @@
+.TH "AUDIT_CAN_CONTROL" "3" "July 2025" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_can_control, audit_can_write, audit_can_read \- test audit related capabilities
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+.BI "int audit_can_control(void);"
+.br
+.BI "int audit_can_write(void);"
+.br
+.BI "int audit_can_read(void);"
+.SH DESCRIPTION
+.BR audit_can_control ()
+returns 1 if the calling process possesses the
+.BR CAP_AUDIT_CONTROL
+capability, otherwise 0.
+.BR audit_can_write ()
+returns 1 if
+.BR CAP_AUDIT_WRITE
+is available.  
+.BR audit_can_read ()
+returns 1 if
+.BR CAP_AUDIT_READ
+is present.  When libcap-ng support is not available these functions return 1 only when the effective UID is 0.
+.SH RETURN VALUE
+These functions return 1 when the capability is present and 0 otherwise.
+.SH SEE ALSO
+.BR audit_open (3).
+.SH AUTHOR
+Steve Grubb

docs/audit_get_features.3

@@ -0,0 +1,57 @@
+.TH "AUDIT_GET_FEATURES" "3" "July 2025" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_get_features, audit_set_feature \- query or change kernel audit features
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+.BI "uint32_t audit_get_features(void);"
+.br
+.BI "int audit_set_feature(int " fd ", unsigned " feature ", unsigned " value ", unsigned " lock );"
+.SH DESCRIPTION
+.BR audit_get_features ()
+returns a bitmap describing which kernel audit features are supported.  The bitmap is cached internally and retrieved from the kernel on the first call.
+.PP
+.BR audit_set_feature ()
+changes a feature bit for the kernel using the descriptor
+.I fd
+which must be an open audit netlink socket.
+.I feature
+selects the bit to modify.  If
+.I value
+is nonzero the feature is enabled, otherwise it is disabled.  If
+.I lock
+is nonzero the feature setting is locked until reboot.
+.PP
+The feature bits currently defined are:
+.TP
+.B AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
+Kernel supports changing the backlog queue depth.
+.TP
+.B AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
+Kernel supports delaying syscalls when the queue is full.
+.TP
+.B AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
+Kernel will include the executable path on EXECVE records.
+.TP
+.B AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
+Exclude rules may be used with more fields than just message type.
+.TP
+.B AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
+Session identifier filtering is supported.
+.TP
+.B AUDIT_FEATURE_BITMAP_LOST_RESET
+Allows resetting the lost event counter.
+.TP
+.B AUDIT_FEATURE_BITMAP_FILTER_FS
+Kernel supports file system field filtering.
+.SH RETURN VALUE
+.BR audit_get_features
+returns the feature bitmap or 0 if feature queries are unsupported.  
+.BR audit_set_feature
+returns \<= 0 on error, otherwise it is the netlink sequence id number.
+.SH SEE ALSO
+.BR audit_request_features (3),
+.BR audit_reset_lost (3),
+.BR audit_open (3).
+.SH AUTHOR
+Steve Grubb

docs/audit_request_features.3

@@ -0,0 +1,22 @@
+.TH "AUDIT_REQUEST_FEATURES" "3" "July 2025" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_request_features \- request audit feature bitmap
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+.BI "int audit_request_features(int " fd ");"
+.SH DESCRIPTION
+.BR audit_request_features ()
+requests that the kernel send a structure describing supported audit features on
+.I fd
+which must be an open audit netlink socket.
+.SH RETURN VALUE
+The return value is <= 0 on error, otherwise it is the netlink sequence id number.  This function can have any error that
+.BR sendto (2)
+would encounter.
+.SH SEE ALSO
+.BR audit_get_features (3),
+.BR audit_open (3),
+.BR auditd (8).
+.SH AUTHOR
+Steve Grubb

docs/audit_reset_backlog_wait_time_actual.3

@@ -0,0 +1,28 @@
+.TH "AUDIT_RESET_BACKLOG_WAIT_TIME_ACTUAL" "3" "July 2025" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_reset_backlog_wait_time_actual \- reset backlog wait time actual counter
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+.BI "int audit_reset_backlog_wait_time_actual(int " fd ");"
+.SH DESCRIPTION
+.BR audit_reset_backlog_wait_time_actual ()
+resets the kernel's running total of how long system calls have waited for
+space in the audit event queue.  The
+.I fd
+must be an open audit netlink socket.  This call is useful when administrators
+enable backlog waiting via the
+.BR audit_set_backlog_wait_time (3)
+option to preserve events in tight memory situations.  Periodically clearing
+the counter allows detection of renewed backlog waiting after changing the
+queue size or wait time.  The kernel must support the
+.BR AUDIT_STATUS_BACKLOG_WAIT_TIME_ACTUAL
+field for this call to succeed.
+.SH RETURN VALUE
+The return value is <= 0 on error, otherwise it is the netlink sequence id number.
+.SH SEE ALSO
+.BR audit_set_backlog_wait_time (3),
+.BR audit_open (3),
+.BR auditctl (8).
+.SH AUTHOR
+Steve Grubb

docs/audit_reset_lost.3

@@ -0,0 +1,22 @@
+.TH "AUDIT_RESET_LOST" "3" "July 2025" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_reset_lost \- reset lost event counter
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+.BI "int audit_reset_lost(int " fd ");"
+.SH DESCRIPTION
+.BR audit_reset_lost ()
+resets the kernel's lost event counter using the descriptor
+.I fd
+which must be an open audit netlink socket.  This call requires that the kernel
+support
+.BR AUDIT_FEATURE_BITMAP_LOST_RESET .
+.SH RETURN VALUE
+The return value is <= 0 on error, otherwise it is the netlink sequence id number.
+.SH SEE ALSO
+.BR audit_get_features (3),
+.BR audit_open (3),
+.BR auditctl (8).
+.SH AUTHOR
+Steve Grubb

docs/audit_set_feature.3

@@ -0,0 +1 @@
+.so man3/audit_get_features.3

docs/audit_set_loginuid_immutable.3

@@ -0,0 +1,23 @@
+.TH "AUDIT_SET_LOGINUID_IMMUTABLE" "3" "July 2025" "Red Hat" "Linux Audit API"
+.SH NAME
+audit_set_loginuid_immutable \- make loginuid value immutable
+.SH SYNOPSIS
+.B #include <libaudit.h>
+.sp
+.BI "int audit_set_loginuid_immutable(int " fd );"
+.SH DESCRIPTION
+.BR audit_set_loginuid_immutable ()
+locks the loginuid so that it can no longer be changed.  The descriptor
+.I fd
+must be an open audit netlink socket.  This call is equivalent to using
+.BR audit_set_feature ()
+to enable and lock the
+.BR AUDIT_FEATURE_LOGINUID_IMMUTABLE
+bit.
+.SH RETURN VALUE
+The return value is <= 0 on error, otherwise it is the netlink sequence id number.
+.SH SEE ALSO
+.BR audit_set_feature (3),
+.BR audit_open (3).
+.SH AUTHOR
+Steve Grubb