64 #include <bsm/audit.h>
68 #include <security/audit/audit.h>
69 #include <security/audit/audit_bsd.h>
70 #include <security/audit/audit_private.h>
97  * Define the audit control flags.
120  * Global audit statistics.
136  * Queue of audit records ready for delivery to disk.  We insert new records
159  * Condition variable to signal when the worker is done draining the audit
181  * Kernel audit information.  This will store the current audit address
183  * audit records.  This data is modified by the A_GET{SET}KAUDIT auditon(2)
223  * Construct an audit record for the passed thread.
329 	/* Init audit session subsystem. */
332 	/* Initialize the BSM audit subsystem. */
337 	/* Start audit worker thread. */
340 	/* Start audit worker thread. */
345  * Drain the audit queue and close the log at shutdown.  Note that this can
346  * be called both from the system shutdown path and also from audit
357  * Return the current thread's audit record, if any.
386 	 * interface so if other things that use the audit subsystem in the
400 	 * Initialize the audit record header.
403 	 * Note: the number of outstanding uncommitted audit records is
456 	 * Decide whether to commit the audit record by checking the error
457 	 * value from the system call and using the appropriate audit mask.
543 	 * Note: it could be that some records initiated while audit was
555 	 * Constrain the number of committed audit records based on the
570  * responsible for deciding whether or not to audit the call (preselection),
571  * and if so, allocating a per-thread audit record.  audit_new() will fill in
585 	 * mapping of system call codes to audit events.  Convert the code to
586 	 * an audit event identifier using the process system call table
588 	 * symbol for the system call table.  No audit record is generated
591 	 * In Mac OS X, the audit events are stored in a table seperate from
605 	 * Check which audit mask to use; either the kernel non-attributable
606 	 * event mask or the process audit mask.
616 	 * Allocate an audit record, if preselection allows it, and store in
623 	 * memory for the audit record (uu_ar).
632 		 * another audit record.
638 		 * audit record is still required for this event by
660  * for committing the audit record, if any, along with return condition.
677 	 * Commit the audit record as desired; once we pass the record into
678 	 * audit_commit(), the memory is owned by the audit subsystem.  The
699  * Calls to set up and tear down audit structures used during Mach system
730 	 * Check which audit mask to use; either the kernel non-attributable
731 	 * event mask or the process audit mask.
739 	 * Allocate an audit record, if desired, and store in the BSD thread
767  * if an audit record will be stored, reducing wasted memory allocation
814 	 * If we are interested in seeing this audit record, allocate it.

Indexes created Wed Sep 11 23:09:49 MDT 2024