1/*
2 * Copyright (c) 2004 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
| 1/*
2 * Copyright (c) 2004 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
|
29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $
| 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#16 $
|
30 */
31
32#ifndef _LIBBSM_H_
33#define _LIBBSM_H_
34
35/*
36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
38 */
39
40#define MAX_ARGS 10
41#define MAX_ENV 10
42
43#include <sys/types.h>
44#include <sys/cdefs.h>
45#include <sys/queue.h>
46
| 30 */
31
32#ifndef _LIBBSM_H_
33#define _LIBBSM_H_
34
35/*
36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
38 */
39
40#define MAX_ARGS 10
41#define MAX_ENV 10
42
43#include <sys/types.h>
44#include <sys/cdefs.h>
45#include <sys/queue.h>
46
|
| 47#include <stdint.h> /* Required for audit.h. */
48
|
47#include <bsm/audit.h>
48#include <bsm/audit_record.h>
49
50#include <stdio.h>
| 49#include <bsm/audit.h>
50#include <bsm/audit_record.h>
51
52#include <stdio.h>
|
51#include <stdint.h>
| |
52
53#ifdef __APPLE__
54#include <mach/mach.h> /* audit_token_t */
55#endif
56
57#define AU_PRS_SUCCESS 1
58#define AU_PRS_FAILURE 2
59#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
60
61#define AU_PRS_USECACHE 0
62#define AU_PRS_REREAD 1
63
64#define AUDIT_EVENT_FILE "/etc/security/audit_event"
65#define AUDIT_CLASS_FILE "/etc/security/audit_class"
66#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
67#define AUDIT_USER_FILE "/etc/security/audit_user"
68
69#define DIR_CONTROL_ENTRY "dir"
70#define MINFREE_CONTROL_ENTRY "minfree"
71#define FLAGS_CONTROL_ENTRY "flags"
72#define NA_CONTROL_ENTRY "naflags"
73
74#define AU_CLASS_NAME_MAX 8
75#define AU_CLASS_DESC_MAX 72
76#define AU_EVENT_NAME_MAX 30
77#define AU_EVENT_DESC_MAX 50
78#define AU_USER_NAME_MAX 50
79#define AU_LINE_MAX 256
80#define MAX_AUDITSTRING_LEN 256
81#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
82
83/*
84 * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
85 * Provided for OpenSSH compatibility.
86 */
87#define AU_TO_NO_WRITE 0
88#define AU_TO_WRITE 1
89
90__BEGIN_DECLS
91struct au_event_ent {
92 au_event_t ae_number;
93 char *ae_name;
94 char *ae_desc;
95 au_class_t ae_class;
96};
97typedef struct au_event_ent au_event_ent_t;
98
99struct au_class_ent {
100 char *ac_name;
101 au_class_t ac_class;
102 char *ac_desc;
103};
104typedef struct au_class_ent au_class_ent_t;
105
106struct au_user_ent {
107 char *au_name;
108 au_mask_t au_always;
109 au_mask_t au_never;
110};
111typedef struct au_user_ent au_user_ent_t;
112__END_DECLS
113
114#define ADD_TO_MASK(m, c, sel) do { \
115 if (sel & AU_PRS_SUCCESS) \
116 (m)->am_success |= c; \
117 if (sel & AU_PRS_FAILURE) \
118 (m)->am_failure |= c; \
119} while (0)
120
121#define SUB_FROM_MASK(m, c, sel) do { \
122 if (sel & AU_PRS_SUCCESS) \
123 (m)->am_success &= ((m)->am_success ^ c); \
124 if (sel & AU_PRS_FAILURE) \
125 (m)->am_failure &= ((m)->am_failure ^ c); \
126} while (0)
127
128#define ADDMASK(m, v) do { \
129 (m)->am_success |= (v)->am_success; \
130 (m)->am_failure |= (v)->am_failure; \
131} while(0)
132
133#define SUBMASK(m, v) do { \
134 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \
135 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
136} while(0)
137
138__BEGIN_DECLS
139
140/*
141 * Internal representation of audit user in libnsl.
142 */
143typedef struct au_user_str_s {
144 char *au_name;
145 char *au_always;
146 char *au_never;
147} au_user_str_t;
148
149typedef struct au_tid32 {
150 u_int32_t port;
151 u_int32_t addr;
152} au_tid32_t;
153
154typedef struct au_tid64 {
155 u_int64_t port;
156 u_int32_t addr;
157} au_tid64_t;
158
159typedef struct au_tidaddr32 {
160 u_int32_t port;
161 u_int32_t type;
162 u_int32_t addr[4];
163} au_tidaddr32_t;
164
165/*
166 * argument # 1 byte
167 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
168 * text length 2 bytes
169 * text N bytes + 1 terminating NULL byte
170 */
171typedef struct {
172 u_char no;
173 u_int32_t val;
174 u_int16_t len;
175 char *text;
176} au_arg32_t;
177
178typedef struct {
179 u_char no;
180 u_int64_t val;
181 u_int16_t len;
182 char *text;
183} au_arg64_t;
184
185/*
186 * how to print 1 byte
187 * basic unit 1 byte
188 * unit count 1 byte
189 * data items (depends on basic unit)
190 */
191typedef struct {
192 u_char howtopr;
193 u_char bu;
194 u_char uc;
195 u_char *data;
196} au_arb_t;
197
198/*
199 * file access mode 4 bytes
200 * owner user ID 4 bytes
201 * owner group ID 4 bytes
202 * file system ID 4 bytes
203 * node ID 8 bytes
204 * device 4 bytes/8 bytes (32-bit/64-bit)
205 */
206typedef struct {
207 u_int32_t mode;
208 u_int32_t uid;
209 u_int32_t gid;
210 u_int32_t fsid;
211 u_int64_t nid;
212 u_int32_t dev;
213} au_attr32_t;
214
215typedef struct {
216 u_int32_t mode;
217 u_int32_t uid;
218 u_int32_t gid;
219 u_int32_t fsid;
220 u_int64_t nid;
221 u_int64_t dev;
222} au_attr64_t;
223
224/*
225 * count 4 bytes
226 * text count null-terminated string(s)
227 */
228typedef struct {
229 u_int32_t count;
230 char *text[MAX_ARGS];
231} au_execarg_t;
232
233/*
234 * count 4 bytes
235 * text count null-terminated string(s)
236 */
237typedef struct {
238 u_int32_t count;
239 char *text[MAX_ENV];
240} au_execenv_t;
241
242/*
243 * status 4 bytes
244 * return value 4 bytes
245 */
246typedef struct {
247 u_int32_t status;
248 u_int32_t ret;
249} au_exit_t;
250
251/*
252 * seconds of time 4 bytes
253 * milliseconds of time 4 bytes
254 * file name length 2 bytes
255 * file pathname N bytes + 1 terminating NULL byte
256 */
257typedef struct {
258 u_int32_t s;
259 u_int32_t ms;
260 u_int16_t len;
261 char *name;
262} au_file_t;
263
264
265/*
266 * number groups 2 bytes
267 * group list N * 4 bytes
268 */
269typedef struct {
270 u_int16_t no;
271 u_int32_t list[BSM_MAX_GROUPS];
272} au_groups_t;
273
274/*
275 * record byte count 4 bytes
276 * version # 1 byte [2]
277 * event type 2 bytes
278 * event modifier 2 bytes
279 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
280 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
281 */
282typedef struct {
283 u_int32_t size;
284 u_char version;
285 u_int16_t e_type;
286 u_int16_t e_mod;
287 u_int32_t s;
288 u_int32_t ms;
289} au_header32_t;
290
291/*
292 * record byte count 4 bytes
293 * version # 1 byte [2]
294 * event type 2 bytes
295 * event modifier 2 bytes
296 * address type/length 1 byte (XXX: actually, 4 bytes)
297 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
298 * seconds of time 4 bytes/8 bytes (32/64-bits)
299 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
300 */
301typedef struct {
302 u_int32_t size;
303 u_char version;
304 u_int16_t e_type;
305 u_int16_t e_mod;
306 u_int32_t ad_type;
307 u_int32_t addr[4];
308 u_int32_t s;
309 u_int32_t ms;
310} au_header32_ex_t;
311
312typedef struct {
313 u_int32_t size;
314 u_char version;
315 u_int16_t e_type;
316 u_int16_t e_mod;
317 u_int64_t s;
318 u_int64_t ms;
319} au_header64_t;
320
321typedef struct {
322 u_int32_t size;
323 u_char version;
324 u_int16_t e_type;
325 u_int16_t e_mod;
326 u_int32_t ad_type;
327 u_int32_t addr[4];
328 u_int64_t s;
329 u_int64_t ms;
330} au_header64_ex_t;
331
332/*
333 * internet address 4 bytes
334 */
335typedef struct {
336 u_int32_t addr;
337} au_inaddr_t;
338
339/*
340 * type 4 bytes
341 * internet address 16 bytes
342 */
343typedef struct {
344 u_int32_t type;
345 u_int32_t addr[4];
346} au_inaddr_ex_t;
347
348/*
349 * version and ihl 1 byte
350 * type of service 1 byte
351 * length 2 bytes
352 * id 2 bytes
353 * offset 2 bytes
354 * ttl 1 byte
355 * protocol 1 byte
356 * checksum 2 bytes
357 * source address 4 bytes
358 * destination address 4 bytes
359 */
360typedef struct {
361 u_char version;
362 u_char tos;
363 u_int16_t len;
364 u_int16_t id;
365 u_int16_t offset;
366 u_char ttl;
367 u_char prot;
368 u_int16_t chksm;
369 u_int32_t src;
370 u_int32_t dest;
371} au_ip_t;
372
373/*
374 * object ID type 1 byte
375 * object ID 4 bytes
376 */
377typedef struct {
378 u_char type;
379 u_int32_t id;
380} au_ipc_t;
381
382/*
383 * owner user ID 4 bytes
384 * owner group ID 4 bytes
385 * creator user ID 4 bytes
386 * creator group ID 4 bytes
387 * access mode 4 bytes
388 * slot sequence # 4 bytes
389 * key 4 bytes
390 */
391typedef struct {
392 u_int32_t uid;
393 u_int32_t gid;
394 u_int32_t puid;
395 u_int32_t pgid;
396 u_int32_t mode;
397 u_int32_t seq;
398 u_int32_t key;
399} au_ipcperm_t;
400
401/*
402 * port IP address 2 bytes
403 */
404typedef struct {
405 u_int16_t port;
406} au_iport_t;
407
408/*
409 * length 2 bytes
410 * data length bytes
411 */
412typedef struct {
413 u_int16_t size;
414 char *data;
415} au_opaque_t;
416
417/*
418 * path length 2 bytes
419 * path N bytes + 1 terminating NULL byte
420 */
421typedef struct {
422 u_int16_t len;
423 char *path;
424} au_path_t;
425
426/*
427 * audit ID 4 bytes
428 * effective user ID 4 bytes
429 * effective group ID 4 bytes
430 * real user ID 4 bytes
431 * real group ID 4 bytes
432 * process ID 4 bytes
433 * session ID 4 bytes
434 * terminal ID
435 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
436 * machine address 4 bytes
437 */
438typedef struct {
439 u_int32_t auid;
440 u_int32_t euid;
441 u_int32_t egid;
442 u_int32_t ruid;
443 u_int32_t rgid;
444 u_int32_t pid;
445 u_int32_t sid;
446 au_tid32_t tid;
447} au_proc32_t;
448
449typedef struct {
450 u_int32_t auid;
451 u_int32_t euid;
452 u_int32_t egid;
453 u_int32_t ruid;
454 u_int32_t rgid;
455 u_int32_t pid;
456 u_int32_t sid;
457 au_tid64_t tid;
458} au_proc64_t;
459
460/*
461 * audit ID 4 bytes
462 * effective user ID 4 bytes
463 * effective group ID 4 bytes
464 * real user ID 4 bytes
465 * real group ID 4 bytes
466 * process ID 4 bytes
467 * session ID 4 bytes
468 * terminal ID
469 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
470 * type 4 bytes
471 * machine address 16 bytes
472 */
473typedef struct {
474 u_int32_t auid;
475 u_int32_t euid;
476 u_int32_t egid;
477 u_int32_t ruid;
478 u_int32_t rgid;
479 u_int32_t pid;
480 u_int32_t sid;
481 au_tidaddr32_t tid;
482} au_proc32ex_t;
483
484/*
485 * error status 1 byte
486 * return value 4 bytes/8 bytes (32-bit/64-bit value)
487 */
488typedef struct {
489 u_char status;
490 u_int32_t ret;
491} au_ret32_t;
492
493typedef struct {
494 u_char err;
495 u_int64_t val;
496} au_ret64_t;
497
498/*
499 * sequence number 4 bytes
500 */
501typedef struct {
502 u_int32_t seqno;
503} au_seq_t;
504
505/*
506 * socket type 2 bytes
507 * local port 2 bytes
508 * local Internet address 4 bytes
509 * remote port 2 bytes
510 * remote Internet address 4 bytes
511 */
512typedef struct {
513 u_int16_t type;
514 u_int16_t l_port;
515 u_int32_t l_addr;
516 u_int16_t r_port;
517 u_int32_t r_addr;
518} au_socket_t;
519
520/*
521 * socket type 2 bytes
522 * local port 2 bytes
523 * address type/length 4 bytes
524 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
525 * remote port 4 bytes
526 * address type/length 4 bytes
527 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
528 */
529typedef struct {
530 u_int16_t type;
531 u_int16_t l_port;
532 u_int32_t l_ad_type;
533 u_int32_t l_addr;
534 u_int32_t r_port;
535 u_int32_t r_ad_type;
536 u_int32_t r_addr;
537} au_socket_ex32_t;
538
539/*
540 * socket family 2 bytes
541 * local port 2 bytes
542 * socket address 4 bytes/16 bytes (IPv4/IPv6 address)
543 */
544typedef struct {
545 u_int16_t family;
546 u_int16_t port;
547 u_int32_t addr;
548} au_socketinet32_t;
549
550/*
551 * socket family 2 bytes
552 * path 104 bytes
553 */
554typedef struct {
555 u_int16_t family;
556 char path[104];
557} au_socketunix_t;
558
559/*
560 * audit ID 4 bytes
561 * effective user ID 4 bytes
562 * effective group ID 4 bytes
563 * real user ID 4 bytes
564 * real group ID 4 bytes
565 * process ID 4 bytes
566 * session ID 4 bytes
567 * terminal ID
568 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
569 * machine address 4 bytes
570 */
571typedef struct {
572 u_int32_t auid;
573 u_int32_t euid;
574 u_int32_t egid;
575 u_int32_t ruid;
576 u_int32_t rgid;
577 u_int32_t pid;
578 u_int32_t sid;
579 au_tid32_t tid;
580} au_subject32_t;
581
582typedef struct {
583 u_int32_t auid;
584 u_int32_t euid;
585 u_int32_t egid;
586 u_int32_t ruid;
587 u_int32_t rgid;
588 u_int32_t pid;
589 u_int32_t sid;
590 au_tid64_t tid;
591} au_subject64_t;
592
593/*
594 * audit ID 4 bytes
595 * effective user ID 4 bytes
596 * effective group ID 4 bytes
597 * real user ID 4 bytes
598 * real group ID 4 bytes
599 * process ID 4 bytes
600 * session ID 4 bytes
601 * terminal ID
602 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
603 * type 4 bytes
604 * machine address 16 bytes
605 */
606typedef struct {
607 u_int32_t auid;
608 u_int32_t euid;
609 u_int32_t egid;
610 u_int32_t ruid;
611 u_int32_t rgid;
612 u_int32_t pid;
613 u_int32_t sid;
614 au_tidaddr32_t tid;
615} au_subject32ex_t;
616
617/*
618 * text length 2 bytes
619 * text N bytes + 1 terminating NULL byte
620 */
621typedef struct {
622 u_int16_t len;
623 char *text;
624} au_text_t;
625
626typedef struct {
627 u_int32_t ident;
628 u_int16_t filter;
629 u_int16_t flags;
630 u_int32_t fflags;
631 u_int32_t data;
632} au_kevent_t;
633
634typedef struct {
635 u_int16_t length;
636 char *data;
637} au_invalid_t;
638
639/*
640 * trailer magic number 2 bytes
641 * record byte count 4 bytes
642 */
643typedef struct {
644 u_int16_t magic;
645 u_int32_t count;
646} au_trailer_t;
647
648struct tokenstr {
649 u_char id;
650 u_char *data;
651 size_t len;
652 union {
653 au_arg32_t arg32;
654 au_arg64_t arg64;
655 au_arb_t arb;
656 au_attr32_t attr32;
657 au_attr64_t attr64;
658 au_execarg_t execarg;
659 au_execenv_t execenv;
660 au_exit_t exit;
661 au_file_t file;
662 au_groups_t grps;
663 au_header32_t hdr32;
664 au_header32_ex_t hdr32_ex;
665 au_header64_t hdr64;
666 au_header64_ex_t hdr64_ex;
667 au_inaddr_t inaddr;
668 au_inaddr_ex_t inaddr_ex;
669 au_ip_t ip;
670 au_ipc_t ipc;
671 au_ipcperm_t ipcperm;
672 au_iport_t iport;
673 au_opaque_t opaque;
674 au_path_t path;
675 au_proc32_t proc32;
676 au_proc64_t proc64;
677 au_proc32ex_t proc32_ex;
678 au_ret32_t ret32;
679 au_ret64_t ret64;
680 au_seq_t seq;
681 au_socket_t socket;
682 au_socket_ex32_t socket_ex32;
683 au_socketinet32_t sockinet32;
684 au_socketunix_t sockunix;
685 au_subject32_t subj32;
686 au_subject64_t subj64;
687 au_subject32ex_t subj32_ex;
688 au_text_t text;
689 au_kevent_t kevent;
690 au_invalid_t invalid;
691 au_trailer_t trail;
692 } tt; /* The token is one of the above types */
693};
694
695typedef struct tokenstr tokenstr_t;
696
697/*
698 * Functions relating to querying audit class information.
699 */
700void setauclass(void);
701void endauclass(void);
702struct au_class_ent *getauclassent(void);
703struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
704struct au_class_ent *getauclassnam(const char *name);
705struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
706 const char *name);
707struct au_class_ent *getauclassnum(au_class_t class_number);
708struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
709 au_class_t class_number);
710
711/*
712 * Functions relating to querying audit control information.
713 */
714void setac(void);
715void endac(void);
716int getacdir(char *name, int len);
717int getacmin(int *min_val);
718int getacflg(char *auditstr, int len);
719int getacna(char *auditstr, int len);
720int getauditflagsbin(char *auditstr, au_mask_t *masks);
721int getauditflagschar(char *auditstr, au_mask_t *masks,
722 int verbose);
723int au_preselect(au_event_t event, au_mask_t *mask_p,
724 int sorf, int flag);
725
726/*
727 * Functions relating to querying audit event information.
728 *
729 * XXXRW: getauevnonam() has no _r version?
730 */
731void setauevent(void);
732void endauevent(void);
733struct au_event_ent *getauevent(void);
734struct au_event_ent *getauevent_r(struct au_event_ent *e);
735struct au_event_ent *getauevnam(const char *name);
736struct au_event_ent *getauevnam_r(struct au_event_ent *e,
737 const char *name);
738struct au_event_ent *getauevnum(au_event_t event_number);
739struct au_event_ent *getauevnum_r(struct au_event_ent *e,
740 au_event_t event_number);
741au_event_t *getauevnonam(const char *event_name);
742au_event_t *getauevnonam_r(au_event_t *ev,
743 const char *event_name);
744
745/*
746 * Functions relating to querying audit user information.
747 */
748void setauuser(void);
749void endauuser(void);
750struct au_user_ent *getauuserent(void);
751struct au_user_ent *getauuserent_r(struct au_user_ent *u);
752struct au_user_ent *getauusernam(const char *name);
753struct au_user_ent *getauusernam_r(struct au_user_ent *u,
754 const char *name);
755int au_user_mask(char *username, au_mask_t *mask_p);
756int getfauditflags(au_mask_t *usremask,
757 au_mask_t *usrdmask, au_mask_t *lastmask);
758
759/*
760 * Functions for reading and printing records and tokens from audit trails.
761 */
762int au_read_rec(FILE *fp, u_char **buf);
763int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
764//XXX The following interface has different prototype from BSM
765void au_print_tok(FILE *outfp, tokenstr_t *tok,
766 char *del, char raw, char sfrm);
767__END_DECLS
768
769#ifdef __APPLE__
770#include <sys/appleapiopts.h>
771
772/**************************************************************************
773 **************************************************************************
774 ** The following definitions, functions, etc., are NOT officially
775 ** supported: they may be changed or removed in the future. Do not use
776 ** them unless you are prepared to cope with that eventuality.
777 **************************************************************************
778 **************************************************************************/
779
780#ifdef __APPLE_API_PRIVATE
781#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
782#endif /* __APPLE_API_PRIVATE */
783
784/*
785 * au_get_state() return values
786 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
787 * AUDIT_ON are deprecated and WILL be removed.
788 */
789#ifdef __APPLE_API_PRIVATE
790#define AUDIT_OFF AUC_NOAUDIT
791#define AUDIT_ON AUC_AUDITING
792#endif /* __APPLE_API_PRIVATE */
793#endif /* !__APPLE__ */
794
795/*
796 * Error return codes for audit_set_terminal_id(), audit_write() and its
797 * brethren. We have 255 (not including kAUNoErr) to play with.
798 *
799 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
800 */
801enum {
802 kAUNoErr = 0,
803 kAUBadParamErr = -66049,
804 kAUStatErr,
805 kAUSysctlErr,
806 kAUOpenErr,
807 kAUMakeSubjectTokErr,
808 kAUWriteSubjectTokErr,
809 kAUWriteCallerTokErr,
810 kAUMakeReturnTokErr,
811 kAUWriteReturnTokErr,
812 kAUCloseErr,
813 kAUMakeTextTokErr,
814 kAULastErr
815};
816
817#ifdef __APPLE__
818/*
819 * Error return codes for au_get_state() and/or its private support
820 * functions. These codes are designed to be compatible with the
821 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
822 * Any changes to notify(3) may cause these values to change in future.
823 *
824 * AU_UNIMPL should never happen unless you've changed your system software
825 * without rebooting. Shame on you.
826 */
827#ifdef __APPLE_API_PRIVATE
828#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
829#endif /* __APPLE_API_PRIVATE */
830#endif /* !__APPLE__ */
831
832__BEGIN_DECLS
833/*
834 * XXX This prototype should be in audit_record.h
835 *
836 * au_free_token()
837 *
838 * @summary - au_free_token() deallocates a token_t created by any of
839 * the au_to_*() BSM API functions.
840 *
841 * The BSM API generally manages deallocation of token_t objects. However,
842 * if au_write() is passed a bad audit descriptor, the token_t * parameter
843 * will be left untouched. In that case, the caller can deallocate the
844 * token_t using au_free_token() if desired. This is, in fact, what
845 * audit_write() does, in keeping with the existing memory management model
846 * of the BSM API.
847 *
848 * @param tok - A token_t * generated by one of the au_to_*() BSM API
849 * calls. For convenience, tok may be NULL, in which case
850 * au_free_token() returns immediately.
851 *
852 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
853 */
854void au_free_token(token_t *tok);
855
856/*
857 * Lightweight check to determine if auditing is enabled. If a client
858 * wants to use this to govern whether an entire series of audit calls
859 * should be made--as in the common case of a caller building a set of
860 * tokens, then writing them--it should cache the audit status in a local
861 * variable. This call always returns the current state of auditing.
862 *
863 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
864 * Otherwise the function can return any of the errno values defined for
865 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
866 * the system.
867 *
868 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
869 */
870int au_get_state(void);
871__END_DECLS
872
873/* OpenSSH compatibility */
| 53
54#ifdef __APPLE__
55#include <mach/mach.h> /* audit_token_t */
56#endif
57
58#define AU_PRS_SUCCESS 1
59#define AU_PRS_FAILURE 2
60#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
61
62#define AU_PRS_USECACHE 0
63#define AU_PRS_REREAD 1
64
65#define AUDIT_EVENT_FILE "/etc/security/audit_event"
66#define AUDIT_CLASS_FILE "/etc/security/audit_class"
67#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
68#define AUDIT_USER_FILE "/etc/security/audit_user"
69
70#define DIR_CONTROL_ENTRY "dir"
71#define MINFREE_CONTROL_ENTRY "minfree"
72#define FLAGS_CONTROL_ENTRY "flags"
73#define NA_CONTROL_ENTRY "naflags"
74
75#define AU_CLASS_NAME_MAX 8
76#define AU_CLASS_DESC_MAX 72
77#define AU_EVENT_NAME_MAX 30
78#define AU_EVENT_DESC_MAX 50
79#define AU_USER_NAME_MAX 50
80#define AU_LINE_MAX 256
81#define MAX_AUDITSTRING_LEN 256
82#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
83
84/*
85 * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
86 * Provided for OpenSSH compatibility.
87 */
88#define AU_TO_NO_WRITE 0
89#define AU_TO_WRITE 1
90
91__BEGIN_DECLS
92struct au_event_ent {
93 au_event_t ae_number;
94 char *ae_name;
95 char *ae_desc;
96 au_class_t ae_class;
97};
98typedef struct au_event_ent au_event_ent_t;
99
100struct au_class_ent {
101 char *ac_name;
102 au_class_t ac_class;
103 char *ac_desc;
104};
105typedef struct au_class_ent au_class_ent_t;
106
107struct au_user_ent {
108 char *au_name;
109 au_mask_t au_always;
110 au_mask_t au_never;
111};
112typedef struct au_user_ent au_user_ent_t;
113__END_DECLS
114
115#define ADD_TO_MASK(m, c, sel) do { \
116 if (sel & AU_PRS_SUCCESS) \
117 (m)->am_success |= c; \
118 if (sel & AU_PRS_FAILURE) \
119 (m)->am_failure |= c; \
120} while (0)
121
122#define SUB_FROM_MASK(m, c, sel) do { \
123 if (sel & AU_PRS_SUCCESS) \
124 (m)->am_success &= ((m)->am_success ^ c); \
125 if (sel & AU_PRS_FAILURE) \
126 (m)->am_failure &= ((m)->am_failure ^ c); \
127} while (0)
128
129#define ADDMASK(m, v) do { \
130 (m)->am_success |= (v)->am_success; \
131 (m)->am_failure |= (v)->am_failure; \
132} while(0)
133
134#define SUBMASK(m, v) do { \
135 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \
136 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
137} while(0)
138
139__BEGIN_DECLS
140
141/*
142 * Internal representation of audit user in libnsl.
143 */
144typedef struct au_user_str_s {
145 char *au_name;
146 char *au_always;
147 char *au_never;
148} au_user_str_t;
149
150typedef struct au_tid32 {
151 u_int32_t port;
152 u_int32_t addr;
153} au_tid32_t;
154
155typedef struct au_tid64 {
156 u_int64_t port;
157 u_int32_t addr;
158} au_tid64_t;
159
160typedef struct au_tidaddr32 {
161 u_int32_t port;
162 u_int32_t type;
163 u_int32_t addr[4];
164} au_tidaddr32_t;
165
166/*
167 * argument # 1 byte
168 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
169 * text length 2 bytes
170 * text N bytes + 1 terminating NULL byte
171 */
172typedef struct {
173 u_char no;
174 u_int32_t val;
175 u_int16_t len;
176 char *text;
177} au_arg32_t;
178
179typedef struct {
180 u_char no;
181 u_int64_t val;
182 u_int16_t len;
183 char *text;
184} au_arg64_t;
185
186/*
187 * how to print 1 byte
188 * basic unit 1 byte
189 * unit count 1 byte
190 * data items (depends on basic unit)
191 */
192typedef struct {
193 u_char howtopr;
194 u_char bu;
195 u_char uc;
196 u_char *data;
197} au_arb_t;
198
199/*
200 * file access mode 4 bytes
201 * owner user ID 4 bytes
202 * owner group ID 4 bytes
203 * file system ID 4 bytes
204 * node ID 8 bytes
205 * device 4 bytes/8 bytes (32-bit/64-bit)
206 */
207typedef struct {
208 u_int32_t mode;
209 u_int32_t uid;
210 u_int32_t gid;
211 u_int32_t fsid;
212 u_int64_t nid;
213 u_int32_t dev;
214} au_attr32_t;
215
216typedef struct {
217 u_int32_t mode;
218 u_int32_t uid;
219 u_int32_t gid;
220 u_int32_t fsid;
221 u_int64_t nid;
222 u_int64_t dev;
223} au_attr64_t;
224
225/*
226 * count 4 bytes
227 * text count null-terminated string(s)
228 */
229typedef struct {
230 u_int32_t count;
231 char *text[MAX_ARGS];
232} au_execarg_t;
233
234/*
235 * count 4 bytes
236 * text count null-terminated string(s)
237 */
238typedef struct {
239 u_int32_t count;
240 char *text[MAX_ENV];
241} au_execenv_t;
242
243/*
244 * status 4 bytes
245 * return value 4 bytes
246 */
247typedef struct {
248 u_int32_t status;
249 u_int32_t ret;
250} au_exit_t;
251
252/*
253 * seconds of time 4 bytes
254 * milliseconds of time 4 bytes
255 * file name length 2 bytes
256 * file pathname N bytes + 1 terminating NULL byte
257 */
258typedef struct {
259 u_int32_t s;
260 u_int32_t ms;
261 u_int16_t len;
262 char *name;
263} au_file_t;
264
265
266/*
267 * number groups 2 bytes
268 * group list N * 4 bytes
269 */
270typedef struct {
271 u_int16_t no;
272 u_int32_t list[BSM_MAX_GROUPS];
273} au_groups_t;
274
275/*
276 * record byte count 4 bytes
277 * version # 1 byte [2]
278 * event type 2 bytes
279 * event modifier 2 bytes
280 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
281 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
282 */
283typedef struct {
284 u_int32_t size;
285 u_char version;
286 u_int16_t e_type;
287 u_int16_t e_mod;
288 u_int32_t s;
289 u_int32_t ms;
290} au_header32_t;
291
292/*
293 * record byte count 4 bytes
294 * version # 1 byte [2]
295 * event type 2 bytes
296 * event modifier 2 bytes
297 * address type/length 1 byte (XXX: actually, 4 bytes)
298 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
299 * seconds of time 4 bytes/8 bytes (32/64-bits)
300 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
301 */
302typedef struct {
303 u_int32_t size;
304 u_char version;
305 u_int16_t e_type;
306 u_int16_t e_mod;
307 u_int32_t ad_type;
308 u_int32_t addr[4];
309 u_int32_t s;
310 u_int32_t ms;
311} au_header32_ex_t;
312
313typedef struct {
314 u_int32_t size;
315 u_char version;
316 u_int16_t e_type;
317 u_int16_t e_mod;
318 u_int64_t s;
319 u_int64_t ms;
320} au_header64_t;
321
322typedef struct {
323 u_int32_t size;
324 u_char version;
325 u_int16_t e_type;
326 u_int16_t e_mod;
327 u_int32_t ad_type;
328 u_int32_t addr[4];
329 u_int64_t s;
330 u_int64_t ms;
331} au_header64_ex_t;
332
333/*
334 * internet address 4 bytes
335 */
336typedef struct {
337 u_int32_t addr;
338} au_inaddr_t;
339
340/*
341 * type 4 bytes
342 * internet address 16 bytes
343 */
344typedef struct {
345 u_int32_t type;
346 u_int32_t addr[4];
347} au_inaddr_ex_t;
348
349/*
350 * version and ihl 1 byte
351 * type of service 1 byte
352 * length 2 bytes
353 * id 2 bytes
354 * offset 2 bytes
355 * ttl 1 byte
356 * protocol 1 byte
357 * checksum 2 bytes
358 * source address 4 bytes
359 * destination address 4 bytes
360 */
361typedef struct {
362 u_char version;
363 u_char tos;
364 u_int16_t len;
365 u_int16_t id;
366 u_int16_t offset;
367 u_char ttl;
368 u_char prot;
369 u_int16_t chksm;
370 u_int32_t src;
371 u_int32_t dest;
372} au_ip_t;
373
374/*
375 * object ID type 1 byte
376 * object ID 4 bytes
377 */
378typedef struct {
379 u_char type;
380 u_int32_t id;
381} au_ipc_t;
382
383/*
384 * owner user ID 4 bytes
385 * owner group ID 4 bytes
386 * creator user ID 4 bytes
387 * creator group ID 4 bytes
388 * access mode 4 bytes
389 * slot sequence # 4 bytes
390 * key 4 bytes
391 */
392typedef struct {
393 u_int32_t uid;
394 u_int32_t gid;
395 u_int32_t puid;
396 u_int32_t pgid;
397 u_int32_t mode;
398 u_int32_t seq;
399 u_int32_t key;
400} au_ipcperm_t;
401
402/*
403 * port IP address 2 bytes
404 */
405typedef struct {
406 u_int16_t port;
407} au_iport_t;
408
409/*
410 * length 2 bytes
411 * data length bytes
412 */
413typedef struct {
414 u_int16_t size;
415 char *data;
416} au_opaque_t;
417
418/*
419 * path length 2 bytes
420 * path N bytes + 1 terminating NULL byte
421 */
422typedef struct {
423 u_int16_t len;
424 char *path;
425} au_path_t;
426
427/*
428 * audit ID 4 bytes
429 * effective user ID 4 bytes
430 * effective group ID 4 bytes
431 * real user ID 4 bytes
432 * real group ID 4 bytes
433 * process ID 4 bytes
434 * session ID 4 bytes
435 * terminal ID
436 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
437 * machine address 4 bytes
438 */
439typedef struct {
440 u_int32_t auid;
441 u_int32_t euid;
442 u_int32_t egid;
443 u_int32_t ruid;
444 u_int32_t rgid;
445 u_int32_t pid;
446 u_int32_t sid;
447 au_tid32_t tid;
448} au_proc32_t;
449
450typedef struct {
451 u_int32_t auid;
452 u_int32_t euid;
453 u_int32_t egid;
454 u_int32_t ruid;
455 u_int32_t rgid;
456 u_int32_t pid;
457 u_int32_t sid;
458 au_tid64_t tid;
459} au_proc64_t;
460
461/*
462 * audit ID 4 bytes
463 * effective user ID 4 bytes
464 * effective group ID 4 bytes
465 * real user ID 4 bytes
466 * real group ID 4 bytes
467 * process ID 4 bytes
468 * session ID 4 bytes
469 * terminal ID
470 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
471 * type 4 bytes
472 * machine address 16 bytes
473 */
474typedef struct {
475 u_int32_t auid;
476 u_int32_t euid;
477 u_int32_t egid;
478 u_int32_t ruid;
479 u_int32_t rgid;
480 u_int32_t pid;
481 u_int32_t sid;
482 au_tidaddr32_t tid;
483} au_proc32ex_t;
484
485/*
486 * error status 1 byte
487 * return value 4 bytes/8 bytes (32-bit/64-bit value)
488 */
489typedef struct {
490 u_char status;
491 u_int32_t ret;
492} au_ret32_t;
493
494typedef struct {
495 u_char err;
496 u_int64_t val;
497} au_ret64_t;
498
499/*
500 * sequence number 4 bytes
501 */
502typedef struct {
503 u_int32_t seqno;
504} au_seq_t;
505
506/*
507 * socket type 2 bytes
508 * local port 2 bytes
509 * local Internet address 4 bytes
510 * remote port 2 bytes
511 * remote Internet address 4 bytes
512 */
513typedef struct {
514 u_int16_t type;
515 u_int16_t l_port;
516 u_int32_t l_addr;
517 u_int16_t r_port;
518 u_int32_t r_addr;
519} au_socket_t;
520
521/*
522 * socket type 2 bytes
523 * local port 2 bytes
524 * address type/length 4 bytes
525 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
526 * remote port 4 bytes
527 * address type/length 4 bytes
528 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
529 */
530typedef struct {
531 u_int16_t type;
532 u_int16_t l_port;
533 u_int32_t l_ad_type;
534 u_int32_t l_addr;
535 u_int32_t r_port;
536 u_int32_t r_ad_type;
537 u_int32_t r_addr;
538} au_socket_ex32_t;
539
540/*
541 * socket family 2 bytes
542 * local port 2 bytes
543 * socket address 4 bytes/16 bytes (IPv4/IPv6 address)
544 */
545typedef struct {
546 u_int16_t family;
547 u_int16_t port;
548 u_int32_t addr;
549} au_socketinet32_t;
550
551/*
552 * socket family 2 bytes
553 * path 104 bytes
554 */
555typedef struct {
556 u_int16_t family;
557 char path[104];
558} au_socketunix_t;
559
560/*
561 * audit ID 4 bytes
562 * effective user ID 4 bytes
563 * effective group ID 4 bytes
564 * real user ID 4 bytes
565 * real group ID 4 bytes
566 * process ID 4 bytes
567 * session ID 4 bytes
568 * terminal ID
569 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
570 * machine address 4 bytes
571 */
572typedef struct {
573 u_int32_t auid;
574 u_int32_t euid;
575 u_int32_t egid;
576 u_int32_t ruid;
577 u_int32_t rgid;
578 u_int32_t pid;
579 u_int32_t sid;
580 au_tid32_t tid;
581} au_subject32_t;
582
583typedef struct {
584 u_int32_t auid;
585 u_int32_t euid;
586 u_int32_t egid;
587 u_int32_t ruid;
588 u_int32_t rgid;
589 u_int32_t pid;
590 u_int32_t sid;
591 au_tid64_t tid;
592} au_subject64_t;
593
594/*
595 * audit ID 4 bytes
596 * effective user ID 4 bytes
597 * effective group ID 4 bytes
598 * real user ID 4 bytes
599 * real group ID 4 bytes
600 * process ID 4 bytes
601 * session ID 4 bytes
602 * terminal ID
603 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
604 * type 4 bytes
605 * machine address 16 bytes
606 */
607typedef struct {
608 u_int32_t auid;
609 u_int32_t euid;
610 u_int32_t egid;
611 u_int32_t ruid;
612 u_int32_t rgid;
613 u_int32_t pid;
614 u_int32_t sid;
615 au_tidaddr32_t tid;
616} au_subject32ex_t;
617
618/*
619 * text length 2 bytes
620 * text N bytes + 1 terminating NULL byte
621 */
622typedef struct {
623 u_int16_t len;
624 char *text;
625} au_text_t;
626
627typedef struct {
628 u_int32_t ident;
629 u_int16_t filter;
630 u_int16_t flags;
631 u_int32_t fflags;
632 u_int32_t data;
633} au_kevent_t;
634
635typedef struct {
636 u_int16_t length;
637 char *data;
638} au_invalid_t;
639
640/*
641 * trailer magic number 2 bytes
642 * record byte count 4 bytes
643 */
644typedef struct {
645 u_int16_t magic;
646 u_int32_t count;
647} au_trailer_t;
648
649struct tokenstr {
650 u_char id;
651 u_char *data;
652 size_t len;
653 union {
654 au_arg32_t arg32;
655 au_arg64_t arg64;
656 au_arb_t arb;
657 au_attr32_t attr32;
658 au_attr64_t attr64;
659 au_execarg_t execarg;
660 au_execenv_t execenv;
661 au_exit_t exit;
662 au_file_t file;
663 au_groups_t grps;
664 au_header32_t hdr32;
665 au_header32_ex_t hdr32_ex;
666 au_header64_t hdr64;
667 au_header64_ex_t hdr64_ex;
668 au_inaddr_t inaddr;
669 au_inaddr_ex_t inaddr_ex;
670 au_ip_t ip;
671 au_ipc_t ipc;
672 au_ipcperm_t ipcperm;
673 au_iport_t iport;
674 au_opaque_t opaque;
675 au_path_t path;
676 au_proc32_t proc32;
677 au_proc64_t proc64;
678 au_proc32ex_t proc32_ex;
679 au_ret32_t ret32;
680 au_ret64_t ret64;
681 au_seq_t seq;
682 au_socket_t socket;
683 au_socket_ex32_t socket_ex32;
684 au_socketinet32_t sockinet32;
685 au_socketunix_t sockunix;
686 au_subject32_t subj32;
687 au_subject64_t subj64;
688 au_subject32ex_t subj32_ex;
689 au_text_t text;
690 au_kevent_t kevent;
691 au_invalid_t invalid;
692 au_trailer_t trail;
693 } tt; /* The token is one of the above types */
694};
695
696typedef struct tokenstr tokenstr_t;
697
698/*
699 * Functions relating to querying audit class information.
700 */
701void setauclass(void);
702void endauclass(void);
703struct au_class_ent *getauclassent(void);
704struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
705struct au_class_ent *getauclassnam(const char *name);
706struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
707 const char *name);
708struct au_class_ent *getauclassnum(au_class_t class_number);
709struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
710 au_class_t class_number);
711
712/*
713 * Functions relating to querying audit control information.
714 */
715void setac(void);
716void endac(void);
717int getacdir(char *name, int len);
718int getacmin(int *min_val);
719int getacflg(char *auditstr, int len);
720int getacna(char *auditstr, int len);
721int getauditflagsbin(char *auditstr, au_mask_t *masks);
722int getauditflagschar(char *auditstr, au_mask_t *masks,
723 int verbose);
724int au_preselect(au_event_t event, au_mask_t *mask_p,
725 int sorf, int flag);
726
727/*
728 * Functions relating to querying audit event information.
729 *
730 * XXXRW: getauevnonam() has no _r version?
731 */
732void setauevent(void);
733void endauevent(void);
734struct au_event_ent *getauevent(void);
735struct au_event_ent *getauevent_r(struct au_event_ent *e);
736struct au_event_ent *getauevnam(const char *name);
737struct au_event_ent *getauevnam_r(struct au_event_ent *e,
738 const char *name);
739struct au_event_ent *getauevnum(au_event_t event_number);
740struct au_event_ent *getauevnum_r(struct au_event_ent *e,
741 au_event_t event_number);
742au_event_t *getauevnonam(const char *event_name);
743au_event_t *getauevnonam_r(au_event_t *ev,
744 const char *event_name);
745
746/*
747 * Functions relating to querying audit user information.
748 */
749void setauuser(void);
750void endauuser(void);
751struct au_user_ent *getauuserent(void);
752struct au_user_ent *getauuserent_r(struct au_user_ent *u);
753struct au_user_ent *getauusernam(const char *name);
754struct au_user_ent *getauusernam_r(struct au_user_ent *u,
755 const char *name);
756int au_user_mask(char *username, au_mask_t *mask_p);
757int getfauditflags(au_mask_t *usremask,
758 au_mask_t *usrdmask, au_mask_t *lastmask);
759
760/*
761 * Functions for reading and printing records and tokens from audit trails.
762 */
763int au_read_rec(FILE *fp, u_char **buf);
764int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
765//XXX The following interface has different prototype from BSM
766void au_print_tok(FILE *outfp, tokenstr_t *tok,
767 char *del, char raw, char sfrm);
768__END_DECLS
769
770#ifdef __APPLE__
771#include <sys/appleapiopts.h>
772
773/**************************************************************************
774 **************************************************************************
775 ** The following definitions, functions, etc., are NOT officially
776 ** supported: they may be changed or removed in the future. Do not use
777 ** them unless you are prepared to cope with that eventuality.
778 **************************************************************************
779 **************************************************************************/
780
781#ifdef __APPLE_API_PRIVATE
782#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
783#endif /* __APPLE_API_PRIVATE */
784
785/*
786 * au_get_state() return values
787 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
788 * AUDIT_ON are deprecated and WILL be removed.
789 */
790#ifdef __APPLE_API_PRIVATE
791#define AUDIT_OFF AUC_NOAUDIT
792#define AUDIT_ON AUC_AUDITING
793#endif /* __APPLE_API_PRIVATE */
794#endif /* !__APPLE__ */
795
796/*
797 * Error return codes for audit_set_terminal_id(), audit_write() and its
798 * brethren. We have 255 (not including kAUNoErr) to play with.
799 *
800 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
801 */
802enum {
803 kAUNoErr = 0,
804 kAUBadParamErr = -66049,
805 kAUStatErr,
806 kAUSysctlErr,
807 kAUOpenErr,
808 kAUMakeSubjectTokErr,
809 kAUWriteSubjectTokErr,
810 kAUWriteCallerTokErr,
811 kAUMakeReturnTokErr,
812 kAUWriteReturnTokErr,
813 kAUCloseErr,
814 kAUMakeTextTokErr,
815 kAULastErr
816};
817
818#ifdef __APPLE__
819/*
820 * Error return codes for au_get_state() and/or its private support
821 * functions. These codes are designed to be compatible with the
822 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
823 * Any changes to notify(3) may cause these values to change in future.
824 *
825 * AU_UNIMPL should never happen unless you've changed your system software
826 * without rebooting. Shame on you.
827 */
828#ifdef __APPLE_API_PRIVATE
829#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
830#endif /* __APPLE_API_PRIVATE */
831#endif /* !__APPLE__ */
832
833__BEGIN_DECLS
834/*
835 * XXX This prototype should be in audit_record.h
836 *
837 * au_free_token()
838 *
839 * @summary - au_free_token() deallocates a token_t created by any of
840 * the au_to_*() BSM API functions.
841 *
842 * The BSM API generally manages deallocation of token_t objects. However,
843 * if au_write() is passed a bad audit descriptor, the token_t * parameter
844 * will be left untouched. In that case, the caller can deallocate the
845 * token_t using au_free_token() if desired. This is, in fact, what
846 * audit_write() does, in keeping with the existing memory management model
847 * of the BSM API.
848 *
849 * @param tok - A token_t * generated by one of the au_to_*() BSM API
850 * calls. For convenience, tok may be NULL, in which case
851 * au_free_token() returns immediately.
852 *
853 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
854 */
855void au_free_token(token_t *tok);
856
857/*
858 * Lightweight check to determine if auditing is enabled. If a client
859 * wants to use this to govern whether an entire series of audit calls
860 * should be made--as in the common case of a caller building a set of
861 * tokens, then writing them--it should cache the audit status in a local
862 * variable. This call always returns the current state of auditing.
863 *
864 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
865 * Otherwise the function can return any of the errno values defined for
866 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
867 * the system.
868 *
869 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
870 */
871int au_get_state(void);
872__END_DECLS
873
874/* OpenSSH compatibility */
|
874#define cannot_audit(x) (!(au_get_state() == AUC_AUDITING))
| 875int cannot_audit(int);
|
875
876__BEGIN_DECLS
877/*
878 * audit_set_terminal_id()
879 *
880 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
881 * used in audit session initialization by processes like /usr/bin/login.
882 *
883 * @param tid - A pointer to an au_tid_t struct.
884 *
885 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
886 * or kAUSysctlErr if one of the underlying system calls fails (a message
887 * is sent to the system log in those cases).
888 *
889 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
890 */
891int audit_set_terminal_id(au_tid_t *tid);
892
893/*
894 * BEGIN au_write() WRAPPERS
895 *
896 * The following calls all wrap the existing BSM API. They use the
897 * provided subject information, if any, to construct the subject token
898 * required for every log message. They use the provided return/error
899 * value(s), if any, to construct the success/failure indication required
900 * for every log message. They only permit one "miscellaneous" token,
901 * which should contain the event-specific logging information mandated by
902 * CAPP.
903 *
904 * All these calls assume the caller has previously determined that
905 * auditing is enabled by calling au_get_state().
906 */
907
908/*
909 * audit_write()
910 *
911 * @summary - audit_write() is the basis for the other audit_write_*()
912 * calls. Performs a basic write of an audit record (subject, additional
913 * info, success/failure). Note that this call only permits logging one
914 * caller-specified token; clients needing to log more flexibly must use
915 * the existing BSM API (au_open(), et al.) directly.
916 *
917 * Note on memory management: audit_write() guarantees that the token_t *s
918 * passed to it will be deallocated whether or not the underlying write to
919 * the audit log succeeded. This addresses an inconsistency in the
920 * underlying BSM API in which token_t *s are usually but not always
921 * deallocated.
922 *
923 * @param event_code - The code for the event being logged. This should
924 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
925 *
926 * @param subject - A token_t * generated by au_to_subject(),
927 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
928 * required, subject should be NULL.
929 *
930 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
931 * calls. This should correspond to the additional information required by
932 * CAPP for the event being audited. If no additional information is
933 * required, misctok should be NULL.
934 *
935 * @param retval - The return value to be logged for this event. This
936 * should be 0 (zero) for success, otherwise the value is event-specific.
937 *
938 * @param errcode - Any error code associated with the return value (e.g.,
939 * errno or h_errno). If there was no error, errcode should be 0 (zero).
940 *
941 * @return - The status of the call: 0 (zero) on success, else one of the
942 * kAU*Err values defined above.
943 *
944 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
945 */
946int audit_write(short event_code, token_t *subject, token_t *misctok,
947 char retval, int errcode);
948
949/*
950 * audit_write_success()
951 *
952 * @summary - audit_write_success() records an auditable event that did not
953 * encounter an error. The interface is designed to require as little
954 * direct use of the au_to_*() API as possible. It builds a subject token
955 * from the information passed in and uses that to invoke audit_write().
956 * A subject, as defined by CAPP, is a process acting on the user's behalf.
957 *
958 * If the subject information is the same as the current process, use
959 * au_write_success_self().
960 *
961 * @param event_code - The code for the event being logged. This should
962 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
963 *
964 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
965 * calls. This should correspond to the additional information required by
966 * CAPP for the event being audited. If no additional information is
967 * required, misctok should be NULL.
968 *
969 * @param auid - The subject's audit ID.
970 *
971 * @param euid - The subject's effective user ID.
972 *
973 * @param egid - The subject's effective group ID.
974 *
975 * @param ruid - The subject's real user ID.
976 *
977 * @param rgid - The subject's real group ID.
978 *
979 * @param pid - The subject's process ID.
980 *
981 * @param sid - The subject's session ID.
982 *
983 * @param tid - The subject's terminal ID.
984 *
985 * @return - The status of the call: 0 (zero) on success, else one of the
986 * kAU*Err values defined above.
987 *
988 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
989 */
990int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
991 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
992 au_asid_t sid, au_tid_t *tid);
993
994/*
995 * audit_write_success_self()
996 *
997 * @summary - Similar to audit_write_success(), but used when the subject
998 * (process) is owned and operated by the auditable user him/herself.
999 *
1000 * @param event_code - The code for the event being logged. This should
1001 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1002 *
1003 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1004 * calls. This should correspond to the additional information required by
1005 * CAPP for the event being audited. If no additional information is
1006 * required, misctok should be NULL.
1007 *
1008 * @return - The status of the call: 0 (zero) on success, else one of the
1009 * kAU*Err values defined above.
1010 *
1011 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1012 */
1013int audit_write_success_self(short event_code, token_t *misctok);
1014
1015/*
1016 * audit_write_failure()
1017 *
1018 * @summary - audit_write_failure() records an auditable event that
1019 * encountered an error. The interface is designed to require as little
1020 * direct use of the au_to_*() API as possible. It builds a subject token
1021 * from the information passed in and uses that to invoke audit_write().
1022 * A subject, as defined by CAPP, is a process acting on the user's behalf.
1023 *
1024 * If the subject information is the same as the current process, use
1025 * au_write_failure_self().
1026 *
1027 * @param event_code - The code for the event being logged. This should
1028 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1029 *
1030 * @param errmsg - A text message providing additional information about
1031 * the event being audited.
1032 *
1033 * @param errret - A numerical value providing additional information about
1034 * the error. This is intended to store the value of errno or h_errno if
1035 * it's relevant. This can be 0 (zero) if no additional information is
1036 * available.
1037 *
1038 * @param auid - The subject's audit ID.
1039 *
1040 * @param euid - The subject's effective user ID.
1041 *
1042 * @param egid - The subject's effective group ID.
1043 *
1044 * @param ruid - The subject's real user ID.
1045 *
1046 * @param rgid - The subject's real group ID.
1047 *
1048 * @param pid - The subject's process ID.
1049 *
1050 * @param sid - The subject's session ID.
1051 *
1052 * @param tid - The subject's terminal ID.
1053 *
1054 * @return - The status of the call: 0 (zero) on success, else one of the
1055 * kAU*Err values defined above.
1056 *
1057 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1058 */
1059int audit_write_failure(short event_code, char *errmsg, int errret,
1060 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1061 pid_t pid, au_asid_t sid, au_tid_t *tid);
1062
1063/*
1064 * audit_write_failure_self()
1065 *
1066 * @summary - Similar to audit_write_failure(), but used when the subject
1067 * (process) is owned and operated by the auditable user him/herself.
1068 *
1069 * @param event_code - The code for the event being logged. This should
1070 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1071 *
1072 * @param errmsg - A text message providing additional information about
1073 * the event being audited.
1074 *
1075 * @param errret - A numerical value providing additional information about
1076 * the error. This is intended to store the value of errno or h_errno if
1077 * it's relevant. This can be 0 (zero) if no additional information is
1078 * available.
1079 *
1080 * @return - The status of the call: 0 (zero) on success, else one of the
1081 * kAU*Err values defined above.
1082 *
1083 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1084 */
1085int audit_write_failure_self(short event_code, char *errmsg, int errret);
1086
1087/*
1088 * audit_write_failure_na()
1089 *
1090 * @summary - audit_write_failure_na() records errors during login. Such
1091 * errors are implicitly non-attributable (i.e., not ascribable to any user).
1092 *
1093 * @param event_code - The code for the event being logged. This should
1094 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1095 *
1096 * @param errmsg - A text message providing additional information about
1097 * the event being audited.
1098 *
1099 * @param errret - A numerical value providing additional information about
1100 * the error. This is intended to store the value of errno or h_errno if
1101 * it's relevant. This can be 0 (zero) if no additional information is
1102 * available.
1103 *
1104 * @param euid - The subject's effective user ID.
1105 *
1106 * @param egid - The subject's effective group ID.
1107 *
1108 * @param pid - The subject's process ID.
1109 *
1110 * @param tid - The subject's terminal ID.
1111 *
1112 * @return - The status of the call: 0 (zero) on success, else one of the
1113 * kAU*Err values defined above.
1114 *
1115 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1116 */
1117int audit_write_failure_na(short event_code, char *errmsg, int errret,
1118 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1119
1120/* END au_write() WRAPPERS */
1121
1122#ifdef __APPLE__
1123/*
1124 * audit_token_to_au32()
1125 *
1126 * @summary - Extract information from an audit_token_t, used to identify
1127 * Mach tasks and senders of Mach messages as subjects to the audit system.
1128 * audit_tokent_to_au32() is the only method that should be used to parse
1129 * an audit_token_t, since its internal representation may change over
1130 * time. A pointer parameter may be NULL if that information is not
1131 * needed.
1132 *
1133 * @param atoken - the audit token containing the desired information
1134 *
1135 * @param auidp - Pointer to a uid_t; on return will be set to the task or
1136 * sender's audit user ID
1137 *
1138 * @param euidp - Pointer to a uid_t; on return will be set to the task or
1139 * sender's effective user ID
1140 *
1141 * @param egidp - Pointer to a gid_t; on return will be set to the task or
1142 * sender's effective group ID
1143 *
1144 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1145 * sender's real user ID
1146 *
1147 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1148 * sender's real group ID
1149 *
1150 * @param pidp - Pointer to a pid_t; on return will be set to the task or
1151 * sender's process ID
1152 *
1153 * @param asidp - Pointer to an au_asid_t; on return will be set to the
1154 * task or sender's audit session ID
1155 *
1156 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1157 * or sender's terminal ID
1158 *
1159 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1160 */
1161void audit_token_to_au32(
1162 audit_token_t atoken,
1163 uid_t *auidp,
1164 uid_t *euidp,
1165 gid_t *egidp,
1166 uid_t *ruidp,
1167 gid_t *rgidp,
1168 pid_t *pidp,
1169 au_asid_t *asidp,
1170 au_tid_t *tidp);
1171#endif /* !__APPLE__ */
1172
1173__END_DECLS
1174
1175#endif /* !_LIBBSM_H_ */
| 876
877__BEGIN_DECLS
878/*
879 * audit_set_terminal_id()
880 *
881 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
882 * used in audit session initialization by processes like /usr/bin/login.
883 *
884 * @param tid - A pointer to an au_tid_t struct.
885 *
886 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
887 * or kAUSysctlErr if one of the underlying system calls fails (a message
888 * is sent to the system log in those cases).
889 *
890 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
891 */
892int audit_set_terminal_id(au_tid_t *tid);
893
894/*
895 * BEGIN au_write() WRAPPERS
896 *
897 * The following calls all wrap the existing BSM API. They use the
898 * provided subject information, if any, to construct the subject token
899 * required for every log message. They use the provided return/error
900 * value(s), if any, to construct the success/failure indication required
901 * for every log message. They only permit one "miscellaneous" token,
902 * which should contain the event-specific logging information mandated by
903 * CAPP.
904 *
905 * All these calls assume the caller has previously determined that
906 * auditing is enabled by calling au_get_state().
907 */
908
909/*
910 * audit_write()
911 *
912 * @summary - audit_write() is the basis for the other audit_write_*()
913 * calls. Performs a basic write of an audit record (subject, additional
914 * info, success/failure). Note that this call only permits logging one
915 * caller-specified token; clients needing to log more flexibly must use
916 * the existing BSM API (au_open(), et al.) directly.
917 *
918 * Note on memory management: audit_write() guarantees that the token_t *s
919 * passed to it will be deallocated whether or not the underlying write to
920 * the audit log succeeded. This addresses an inconsistency in the
921 * underlying BSM API in which token_t *s are usually but not always
922 * deallocated.
923 *
924 * @param event_code - The code for the event being logged. This should
925 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
926 *
927 * @param subject - A token_t * generated by au_to_subject(),
928 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
929 * required, subject should be NULL.
930 *
931 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
932 * calls. This should correspond to the additional information required by
933 * CAPP for the event being audited. If no additional information is
934 * required, misctok should be NULL.
935 *
936 * @param retval - The return value to be logged for this event. This
937 * should be 0 (zero) for success, otherwise the value is event-specific.
938 *
939 * @param errcode - Any error code associated with the return value (e.g.,
940 * errno or h_errno). If there was no error, errcode should be 0 (zero).
941 *
942 * @return - The status of the call: 0 (zero) on success, else one of the
943 * kAU*Err values defined above.
944 *
945 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
946 */
947int audit_write(short event_code, token_t *subject, token_t *misctok,
948 char retval, int errcode);
949
950/*
951 * audit_write_success()
952 *
953 * @summary - audit_write_success() records an auditable event that did not
954 * encounter an error. The interface is designed to require as little
955 * direct use of the au_to_*() API as possible. It builds a subject token
956 * from the information passed in and uses that to invoke audit_write().
957 * A subject, as defined by CAPP, is a process acting on the user's behalf.
958 *
959 * If the subject information is the same as the current process, use
960 * au_write_success_self().
961 *
962 * @param event_code - The code for the event being logged. This should
963 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
964 *
965 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
966 * calls. This should correspond to the additional information required by
967 * CAPP for the event being audited. If no additional information is
968 * required, misctok should be NULL.
969 *
970 * @param auid - The subject's audit ID.
971 *
972 * @param euid - The subject's effective user ID.
973 *
974 * @param egid - The subject's effective group ID.
975 *
976 * @param ruid - The subject's real user ID.
977 *
978 * @param rgid - The subject's real group ID.
979 *
980 * @param pid - The subject's process ID.
981 *
982 * @param sid - The subject's session ID.
983 *
984 * @param tid - The subject's terminal ID.
985 *
986 * @return - The status of the call: 0 (zero) on success, else one of the
987 * kAU*Err values defined above.
988 *
989 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
990 */
991int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
992 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
993 au_asid_t sid, au_tid_t *tid);
994
995/*
996 * audit_write_success_self()
997 *
998 * @summary - Similar to audit_write_success(), but used when the subject
999 * (process) is owned and operated by the auditable user him/herself.
1000 *
1001 * @param event_code - The code for the event being logged. This should
1002 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1003 *
1004 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1005 * calls. This should correspond to the additional information required by
1006 * CAPP for the event being audited. If no additional information is
1007 * required, misctok should be NULL.
1008 *
1009 * @return - The status of the call: 0 (zero) on success, else one of the
1010 * kAU*Err values defined above.
1011 *
1012 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1013 */
1014int audit_write_success_self(short event_code, token_t *misctok);
1015
1016/*
1017 * audit_write_failure()
1018 *
1019 * @summary - audit_write_failure() records an auditable event that
1020 * encountered an error. The interface is designed to require as little
1021 * direct use of the au_to_*() API as possible. It builds a subject token
1022 * from the information passed in and uses that to invoke audit_write().
1023 * A subject, as defined by CAPP, is a process acting on the user's behalf.
1024 *
1025 * If the subject information is the same as the current process, use
1026 * au_write_failure_self().
1027 *
1028 * @param event_code - The code for the event being logged. This should
1029 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1030 *
1031 * @param errmsg - A text message providing additional information about
1032 * the event being audited.
1033 *
1034 * @param errret - A numerical value providing additional information about
1035 * the error. This is intended to store the value of errno or h_errno if
1036 * it's relevant. This can be 0 (zero) if no additional information is
1037 * available.
1038 *
1039 * @param auid - The subject's audit ID.
1040 *
1041 * @param euid - The subject's effective user ID.
1042 *
1043 * @param egid - The subject's effective group ID.
1044 *
1045 * @param ruid - The subject's real user ID.
1046 *
1047 * @param rgid - The subject's real group ID.
1048 *
1049 * @param pid - The subject's process ID.
1050 *
1051 * @param sid - The subject's session ID.
1052 *
1053 * @param tid - The subject's terminal ID.
1054 *
1055 * @return - The status of the call: 0 (zero) on success, else one of the
1056 * kAU*Err values defined above.
1057 *
1058 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1059 */
1060int audit_write_failure(short event_code, char *errmsg, int errret,
1061 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1062 pid_t pid, au_asid_t sid, au_tid_t *tid);
1063
1064/*
1065 * audit_write_failure_self()
1066 *
1067 * @summary - Similar to audit_write_failure(), but used when the subject
1068 * (process) is owned and operated by the auditable user him/herself.
1069 *
1070 * @param event_code - The code for the event being logged. This should
1071 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1072 *
1073 * @param errmsg - A text message providing additional information about
1074 * the event being audited.
1075 *
1076 * @param errret - A numerical value providing additional information about
1077 * the error. This is intended to store the value of errno or h_errno if
1078 * it's relevant. This can be 0 (zero) if no additional information is
1079 * available.
1080 *
1081 * @return - The status of the call: 0 (zero) on success, else one of the
1082 * kAU*Err values defined above.
1083 *
1084 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1085 */
1086int audit_write_failure_self(short event_code, char *errmsg, int errret);
1087
1088/*
1089 * audit_write_failure_na()
1090 *
1091 * @summary - audit_write_failure_na() records errors during login. Such
1092 * errors are implicitly non-attributable (i.e., not ascribable to any user).
1093 *
1094 * @param event_code - The code for the event being logged. This should
1095 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1096 *
1097 * @param errmsg - A text message providing additional information about
1098 * the event being audited.
1099 *
1100 * @param errret - A numerical value providing additional information about
1101 * the error. This is intended to store the value of errno or h_errno if
1102 * it's relevant. This can be 0 (zero) if no additional information is
1103 * available.
1104 *
1105 * @param euid - The subject's effective user ID.
1106 *
1107 * @param egid - The subject's effective group ID.
1108 *
1109 * @param pid - The subject's process ID.
1110 *
1111 * @param tid - The subject's terminal ID.
1112 *
1113 * @return - The status of the call: 0 (zero) on success, else one of the
1114 * kAU*Err values defined above.
1115 *
1116 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1117 */
1118int audit_write_failure_na(short event_code, char *errmsg, int errret,
1119 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1120
1121/* END au_write() WRAPPERS */
1122
1123#ifdef __APPLE__
1124/*
1125 * audit_token_to_au32()
1126 *
1127 * @summary - Extract information from an audit_token_t, used to identify
1128 * Mach tasks and senders of Mach messages as subjects to the audit system.
1129 * audit_tokent_to_au32() is the only method that should be used to parse
1130 * an audit_token_t, since its internal representation may change over
1131 * time. A pointer parameter may be NULL if that information is not
1132 * needed.
1133 *
1134 * @param atoken - the audit token containing the desired information
1135 *
1136 * @param auidp - Pointer to a uid_t; on return will be set to the task or
1137 * sender's audit user ID
1138 *
1139 * @param euidp - Pointer to a uid_t; on return will be set to the task or
1140 * sender's effective user ID
1141 *
1142 * @param egidp - Pointer to a gid_t; on return will be set to the task or
1143 * sender's effective group ID
1144 *
1145 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1146 * sender's real user ID
1147 *
1148 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1149 * sender's real group ID
1150 *
1151 * @param pidp - Pointer to a pid_t; on return will be set to the task or
1152 * sender's process ID
1153 *
1154 * @param asidp - Pointer to an au_asid_t; on return will be set to the
1155 * task or sender's audit session ID
1156 *
1157 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1158 * or sender's terminal ID
1159 *
1160 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1161 */
1162void audit_token_to_au32(
1163 audit_token_t atoken,
1164 uid_t *auidp,
1165 uid_t *euidp,
1166 gid_t *egidp,
1167 uid_t *ruidp,
1168 gid_t *rgidp,
1169 pid_t *pidp,
1170 au_asid_t *asidp,
1171 au_tid_t *tidp);
1172#endif /* !__APPLE__ */
1173
1174__END_DECLS
1175
1176#endif /* !_LIBBSM_H_ */
|