ORT-AUDIT(1) General Commands Manual ORT-AUDIT(1)

ort-audit - audit ort role access

ort-audit [-v] [-r role] [config...]

Accepts ort(5) config files, defaulting to standard input, and generates an audit report on standard output. Its arguments are as follows:

-v
Instead of printing once whether a structure is reachable, print it for each query and path to the reachable structure.
-r role
Audit the named role.

By default, the all role is audited.

Output consists of three space-separated columns. The first column is the type of operation, the second is the accessible component along with extra information, and the third is the location in the configuration where the component was parsed.

The types of operation are count, delete, insert, iterate, list, read, readwrite, search, and update. All of these correspond to operations except for read and readwrite, which refer to whether a structure is reachable through a query (read); and if so (readwrite), whether it may be exported. If -v is used, reachable structures are shown for each query and path possible.

The component (and source) depends upon the operation:

The position is listed as the originating file, line, and column.

The ort-audit utility exits 0 on success, and >0 if an error occurs.

Consider the following db.ort:

roles {
        role foo;
        role bar;
};
struct baz {
        field id int rowid;
};
struct bar {
	field baz struct bazid;
	field bazid:baz.id int;
        field id int rowid;
        insert;
        iterate: name id;
        roles foo { insert; };
        roles bar { iterate id; };
};

When audited, this produces the following:

% ort-audit -r foo db.ort
insert      bar  db.ort:8:7
% ort-audit -vr bar db.ort
iterate     bar:id              db.ort:13:15
readwrite   bar:iterate:id:-    db.ort:13:15
readwrite   baz:iterate:id:baz  db.ort:13:15

From this, it's clear that the "foo" role has no access to the "baz" or "bar" structures at all, and can only insert.
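
One way to use this report as a least-privilege check, added here as an example and not part of ort-audit or its manual: the Python below parses the three columns and flags any operation/structure pair outside an allowlist. Taking the structure name as the text before the first ':' of the component is an assumption read off the sample output above, and the allowlist is a constructed policy.

```python
import re
from typing import NamedTuple

# Operation names as listed in the description of the first column.
OPS = {"count", "delete", "insert", "iterate", "list",
       "read", "readwrite", "search", "update"}
POSITION = re.compile(r"(.+):(\d+):(\d+)")  # file:line:column

class Entry(NamedTuple):
    op: str
    component: str
    struct: str   # assumption: text before the first ':' of the component
    file: str
    line: int
    col: int

def parse_report(text):
    """Parse ort-audit output into Entry tuples; reject malformed lines."""
    entries = []
    for num, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:                      # skip blank lines
            continue
        pos = POSITION.fullmatch(parts[-1])
        if len(parts) < 3 or parts[0] not in OPS or pos is None:
            raise ValueError(f"line {num}: unrecognised report line: {raw!r}")
        component = " ".join(parts[1:-1])  # everything between op and position
        entries.append(Entry(parts[0], component, component.split(":", 1)[0],
                             pos.group(1), int(pos.group(2)), int(pos.group(3))))
    return entries

def violations(entries, allowed):
    """Return entries whose (operation, structure) pair is not allowlisted."""
    return [e for e in entries if (e.op, e.struct) not in allowed]

# Report for "ort-audit -vr bar db.ort", copied from the example above.
BAR_REPORT = """\
iterate     bar:id              db.ort:13:15
readwrite   bar:iterate:id:-    db.ort:13:15
readwrite   baz:iterate:id:baz  db.ort:13:15
"""
# Constructed policy: role "bar" is expected to touch only structure "bar".
BAR_ALLOWED = {("iterate", "bar"), ("readwrite", "bar")}

if __name__ == "__main__":
    for e in violations(parse_report(BAR_REPORT), BAR_ALLOWED):
        print(f"unexpected: {e.op} {e.component} at {e.file}:{e.line}:{e.col}")
```

With this policy the check reports the readwrite entry for "baz", which the "bar" role reaches through its iterate query.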

ort(5)

October 25, 2021 OpenBSD 6.7