/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 1988 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" /* * Audit trail structures; */ #ifndef _sys_audit_h #define _sys_audit_h /* * Maximum size for audit data passed from the audit system call * This value is arbitrary, so offers of better numbers are invited. */ #define AUP_USER (0x8000) #define MAXAUDITDATA (AUP_USER - 1) #define AUDITMAGIC 0x00070009 /* * Audit conditions, statements reguarding what's to be done with * audit records. */ #define AUC_UNSET 0 /* on/off hasn't been decided */ #define AUC_AUDITING 1 /* auditing is being done */ #define AUC_NOAUDIT 2 /* auditing is not being done */ #define AUC_FCHDONE 3 /* no auditing, and you never can */ /* * Minimum and maximum record type values. Change AUR_MAXRECTYPE when * adding new record types. */ #define AUR_MINRECTYPE 1 #define AUR_MAXRECTYPE 63 /* * Audit record type codes */ #define AUR_ACCESS 1 #define AUR_CHMOD 2 #define AUR_CHOWN 3 #define AUR_CREAT 4 #define AUR_FCHMOD 5 #define AUR_FCHOWN 6 #define AUR_FTRUNCATE 7 #define AUR_LINK 8 #define AUR_MKDIR 9 #define AUR_MKNOD 10 #define AUR_OPEN 11 #define AUR_RMDIR 12 #define AUR_RENAME 13 #define AUR_STAT 14 #define AUR_SYMLINK 15 #define AUR_TRUNCATE 16 #define AUR_UNLINK 17 #define AUR_UTIMES 18 #define AUR_EXECV 19 #define AUR_MSGCONV 20 #define AUR_MSGCTL 21 #define AUR_MSGGET 22 #define AUR_MSGRCV 23 #define AUR_MSGSND 24 #define AUR_SEMCTL 25 #define AUR_SEMGET 26 #define AUR_SEMOP 27 #define AUR_SHMAT 28 #define AUR_SHMCTL 29 #define AUR_SHMDT 30 #define AUR_SHMGET 31 #define AUR_SOCKET 32 #define AUR_PTRACE 33 #define AUR_KILL 34 #define AUR_KILLPG 35 #define AUR_EXECVE 36 #define AUR_CORE 37 #define AUR_ADJTIME 38 #define AUR_SETTIMEOFDAY 39 #define AUR_SETHOSTNAME 40 #define AUR_SETDOMAINNAME 41 #define AUR_REBOOT 42 #define AUR_REBOOTFAIL 43 #define AUR_SYSACCT 44 #define AUR_MOUNT_UFS 45 #define AUR_MOUNT_NFS 46 #define AUR_MOUNT 47 #define AUR_UNMOUNT 48 #define AUR_READLINK 49 #define AUR_QUOTA_ON 50 #define AUR_QUOTA_OFF 51 #define AUR_QUOTA_SET 52 #define AUR_QUOTA_LIM 53 #define AUR_QUOTA_SYNC 54 #define AUR_QUOTA 55 #define AUR_STATFS 56 #define AUR_CHROOT 57 #define AUR_TEXT 58 #define AUR_CHDIR 59 #define AUR_MSGCTLRMID 60 #define AUR_SEMCTL3 61 #define AUR_SEMCTLALL 62 #define AUR_SHMCTLRMID 63 #define AUR_TRAILER 1000 /* * The classes of audit events */ #define AU_DREAD 0x00000001 #define AU_DWRITE 0x00000002 #define AU_DACCESS 0x00000004 #define AU_DCREATE 0x00000008 #define AU_LOGIN 0x00000010 #define AU_SREAD 0x00000020 #define AU_SCTL 0x00000040 #define AU_MINPRIV 0x00000080 #define AU_MAJPRIV 0x00000100 #define AU_ADMIN 0x00000200 #define AU_ASSIGN 0x00000400 /* * Success and failure are defined here because not everyone agrees on * which values rate success and which failure. */ #define AU_EITHER -1 #define AU_SUCCESS 0 #define AU_FAILURE 1 /* * The user id -2(0xfffe) is never audited - in fact, a setauid(AU_NOAUDITID) * will turn off auditing. */ #define AU_NOAUDITID -2 /* * The sturcture of the audit state */ struct audit_state { unsigned int as_success; /* success bits */ unsigned int as_failure; /* failure bits */ }; typedef struct audit_state audit_state_t; /* * The audit file header structure. * In the file it will be followed by a path name, the length of which is * kept in the ah_namelen field. */ struct audit_header { int ah_magic; /* magic number */ time_t ah_time; /* the time */ short ah_namelen; /* length of file name */ }; typedef struct audit_header audit_header_t; /* * The audit file trailer record structure. * In the file it will be followed by a path name, the length of which is * kept in the at_namelen field. */ struct audit_trailer { short at_record_size; /* size of this */ short at_record_type; /* its type, a trailer */ time_t at_time; /* the time */ short at_namelen; /* length of file name */ }; typedef struct audit_trailer audit_trailer_t; /* * The audit file record structure. * au_record_size is the size of the entire record. * au_param_count is the number of data items which follow the record. * There is a short ( 16 bit ) length for each of the following * parameters, then the parameters themselves. There is no way to know * what the parameters are from the data, unless the au_record_type * is understood. * The first parameter is the group list, hence au_param_count will * always be at least one. */ struct audit_record { short au_record_size; /* size of this */ short au_record_type; /* its type */ unsigned int au_event; /* the event */ time_t au_time; /* the time */ uid_t au_uid; /* real uid */ uid_t au_auid; /* audit uid */ uid_t au_euid; /* effective */ gid_t au_gid; /* real group */ short au_pid; /* process id */ int au_errno; /* error code */ int au_return; /* a return value */ blabel_t au_label; /* also ... */ short au_param_count; /* # of parameters */ }; typedef struct audit_record audit_record_t; /* * This structure controls a buffer for generating full pathnames * for filenames. */ struct au_path_s { u_int ap_size; /* Size of buffer */ caddr_t ap_buf; /* Address of buffer */ caddr_t ap_ptr; /* Current position */ }; typedef struct au_path_s au_path_t; #define AU_ALIGN(x) (((x) + 1) & ~1) #endif /*!_sys_audit_h*/