  • only in /macosx-10.5.8/xnu-1228.15.4/bsd/kern/

Lines Matching defs:audit

60 #include <bsm/audit.h>
96 * to churn a lot whenever the audit record flow gets high.
118 * Define the audit control flags.
133 * Queue of audit records ready for delivery to disk. We insert new
159 * The audit worker thread (which is lazy started when we first
160 * rotate the audit log.
165 * When an audit log is rotated, the actual rotation must be performed
166 * by the audit worker thread, as it may have outstanding writes on the
167 * current audit log. audit_replacement_vp holds the vnode replacing
171 * a thread tries to replace the audit vnode and discovers a replacement
176 * We also store a credential to perform audit log write operations with.
186 * Wait queue for auditing threads that cannot commit the audit
196 * Flags to use on audit files when opening and closing.
202 * Global audit statistiscs.
282 /* Free the audit data from the MAC policies. */
303 * Converts an audit record into the BSM format before writing out to the
304 * audit logfile. Will perform it's own vnode iocounting.
308 * EINVAL if the kaudit_record ar is not a valid audit record.
324 * First, gather statistics on the audit log file and file system
339 * Send a message to the audit daemon when disk space is getting
341 * XXX Need to decide what to do if the trigger to the audit daemon
346 printf("Cannot get audit control port\n");
353 * audit daemon to do something about it.
390 * If the estimated amount of audit data in the audit event queue
393 * audit fail stop state, in which we do not permit the
394 * allocation/committing of any new audit records. We continue to
406 "audit_worker: free space below size of audit queue, failing stop\n");
411 * If there is a user audit record attached to the kernel record,
414 /* XXX Need to decide a few things here: IF the user audit
501 * First priority: replace the audit log target if requested.
524 AUDIT_PRINTF(("Closing old audit file vnode %p\n", old_vp));
531 printf("audit_worker(): Couldn't close audit file.\n");
536 AUDIT_PRINTF(("Opening new audit file\n"));
678 audit_grp = lck_grp_alloc_init("audit", audit_grp_attr);
688 /* Assume 3 MAC labels for each audit record: two for vnodes,
697 /* Initialize the BSM audit subsystem. */
734 * Start or wake up the audit worker to perform the exchange.
768 * Drain the audit queue and close the log at shutdown.
793 * System call to allow a user space application to submit a BSM audit
794 * record to the kernel for inclusion in the audit log. This function
795 * does little verification on the audit record that is submitted.
799 * not the event type submitted as part of the user audit data.
803 audit(proc_t p, struct audit_args *uap, __unused register_t *retval)
823 /* If there's no current audit record (audit() itself not audited)
824 * commit the user audit record.
832 * a complete kernel audit record just so the user record
862 /* Attach the user audit record to the kernel audit record. Because
864 * record along with the record for this audit event.
872 /* audit_syscall_exit() will free the audit record on the thread
1060 * we are modifying the audit info in a credential so we need a new
1062 * matches our new one). We must do this because the audit info in the
1156 * System calls to manage the user audit information.
1201 * we are modifying the audit info in a credential so we need a new
1203 * matches our new one). We must do this because the audit info in the
1251 * System calls to get and set process audit information.
1253 * audit information. Otherwise, the real audit mask is
1311 * we are modifying the audit info in a credential so we need a new
1313 * matches our new one). We must do this because the audit info in the
1380 * Syscall to manage audit files.
1424 * storing audit data, or that the caller was
1427 * ensure that audit files are always high
1478 * we will audit regardless of the audit state at the time
1480 * correspond to changes in the audit state. The dummy
1497 * Initialize the audit record header.
1499 * XXX: The number of outstanding uncommitted audit records is
1597 * Decide whether to commit the audit record by checking the
1599 * audit mask.
1657 * Note: it could be that some records initiated while audit was
1668 * Constrain the number of committed audit records based on
1696 * another audit record.
1715 * Calls to set up and tear down audit structures associated with
1732 /* Check which audit mask to use; either the kernel non-attributable
1733 * event mask or the process audit mask.
1743 * Allocate an audit record, if preselection allows it, and store
1793 * Commit the audit record as desired; once we pass the record
1794 * into audit_commit(), the memory is owned by the audit
1816 * point result in the audit record being committed.
1836 AUDIT_PRINTF(("audit record committed by pid %d\n", proc->p_pid));
1847 * Calls to set up and tear down audit structures used during Mach
1873 /* Check which audit mask to use; either the kernel non-attributable
1874 * event mask or the process audit mask.
1884 * Allocate an audit record, if desired, and store in the BSD
1908 * Calls to manipulate elements of the audit record structure from system
1911 * check the thread audit record pointer anyway, as the audit condition
1912 * could change, and pre-selection may not have allocated an audit
2176 * Note that the current working directory vp must be supplied at the audit
2180 * in the audit record.
2404 * Store a path as given by the user process for auditing into the audit
2407 * freed when the audit record is freed. Note that the current working
2408 * directory vp must be supplied at the audit call site to permit per thread
2411 * real (non-chroot) path being recorded in the audit record.
2456 * Function to save the path and vnode attr information into the audit
2523 * attached to the audit record, and set a flag indicating
2616 * The close() system call uses it's own audit call to capture the
2637 * This function is called by the MAC Framework to add audit data
2638 * from a policy to the current audit record.
2658 * XXX: Note that we silently drop the audit data if this
2660 * audit implementation.
2692 * rest of audit, just return (may need to panic if required to for audit6).
2706 * if an audit record will be stored, reducing wasted memory allocation
2732 audit(proc_t p, struct audit_args *uap, register_t *retval)