/*-
 * Copyright (c) 2004-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
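 */

#ifndef _LIBBSM_H_
#define	_LIBBSM_H_

/*
 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
 */

#include <sys/types.h>
#include <sys/cdefs.h>

#include <inttypes.h>		/* Required for audit.h. */
#include <time.h>		/* Required for clock_t on Linux. */

#include <bsm/audit.h>
#include <bsm/audit_record.h>

#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>		/* audit_token_t */
#endif

/*
 * Size parsed token vectors for execve(2) arguments and environmental
 * variables.  Note: changing these sizes affects the ABI of the token
 * structure, and as the token structure is often placed in the caller stack,
 * this is undesirable.
 *
 * These bound the text[] arrays of au_execarg_t and au_execenv_t below; the
 * element count carried in a record must be clamped to them before any
 * pointer is stored.
 */
#define	AUDIT_MAX_ARGS	128
#define	AUDIT_MAX_ENV	128

/*
 * Arguments to au_preselect(3).
 */
#define	AU_PRS_USECACHE	0
#define	AU_PRS_REREAD	1

/*
 * Success/failure selectors used by au_preselect(3) and by the
 * ADD_TO_MASK()/SUB_FROM_MASK() macros below.
 */
#define	AU_PRS_SUCCESS	1
#define	AU_PRS_FAILURE	2
#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)

/*
 * Default locations of the audit configuration files.
 */
#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
#define	AUDIT_USER_FILE		"/etc/security/audit_user"

/*
 * Keywords recognised in the audit_control file.
 */
#define	DIR_CONTROL_ENTRY		"dir"
#define	DIST_CONTROL_ENTRY		"dist"
#define	FILESZ_CONTROL_ENTRY		"filesz"
#define	FLAGS_CONTROL_ENTRY		"flags"
#define	HOST_CONTROL_ENTRY		"host"
#define	MINFREE_CONTROL_ENTRY		"minfree"
#define	NA_CONTROL_ENTRY		"naflags"
#define	POLICY_CONTROL_ENTRY		"policy"
#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"

/*
 * Fixed buffer sizes for names and descriptions read from the configuration
 * files.  Callers sizing their own buffers against these should reserve room
 * for the terminating NUL as well.
 */
#define	AU_CLASS_NAME_MAX	8
#define	AU_CLASS_DESC_MAX	72
#define	AU_EVENT_NAME_MAX	30
#define	AU_EVENT_DESC_MAX	50
#define	AU_USER_NAME_MAX	50
#define	AU_LINE_MAX		256
#define	MAX_AUDITSTRING_LEN	256
#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN /* OpenSSH compatibility */

/*
 * Arguments to au_close(3).
 */
#define	AU_TO_NO_WRITE	0	/* Abandon audit record. */
#define	AU_TO_WRITE	1	/* Commit audit record. */

/*
 * Output format flags for au_print_flags_tok().
 */
#define	AU_OFLAG_NONE		0x0000	/* Default form. */
#define	AU_OFLAG_RAW		0x0001	/* Raw, numeric form. */
#define	AU_OFLAG_SHORT		0x0002	/* Short form. */
#define	AU_OFLAG_XML		0x0004	/* XML form. */
#define	AU_OFLAG_NORESOLVE	0x0008	/* No user/group name resolution. */

__BEGIN_DECLS
/*
 * Entry of the audit event database (presumably backed by AUDIT_EVENT_FILE);
 * returned by the getauev*() lookup functions declared later in this header.
 */
struct au_event_ent {
	au_event_t	 ae_number;
	char		*ae_name;
	char		*ae_desc;
	au_class_t	 ae_class;
};
typedef struct au_event_ent au_event_ent_t;

/*
 * Entry of the audit class database (presumably backed by AUDIT_CLASS_FILE);
 * returned by the getauclass*() lookup functions declared later in this
 * header.
 */
struct au_class_ent {
	char		*ac_name;
	au_class_t	 ac_class;
	char		*ac_desc;
};
typedef struct au_class_ent au_class_ent_t;

/*
 * Per-user audit preselection entry (presumably backed by AUDIT_USER_FILE);
 * returned by the getauuser*() lookup functions declared later in this
 * header.  au_always/au_never are the "always audit" and "never audit" masks.
 */
struct au_user_ent {
	char		*au_name;
	au_mask_t	 au_always;
	au_mask_t	 au_never;
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Mask manipulation helpers.  'm' points at an object with am_success and
 * am_failure members (an au_mask_t), 'c' is a class bit set, and 'sel' is a
 * combination of AU_PRS_SUCCESS/AU_PRS_FAILURE choosing which of the two
 * masks is touched.  Every macro argument is parenthesised so that callers
 * may pass compound expressions such as (a|b) without changing precedence.
 */
#define	ADD_TO_MASK(m, c, sel) do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success |= (c);					\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure |= (c);					\
} while (0)

/*
 * Clear the bits of 'c' from the selected masks.  x &= (x ^ c) leaves
 * exactly the bits of x that are not set in c, i.e. it is x &= ~c without
 * widening c to a different integer type.
 */
#define	SUB_FROM_MASK(m, c, sel) do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success &= ((m)->am_success ^ (c));		\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure &= ((m)->am_failure ^ (c));		\
} while (0)

/* Merge all bits of mask 'v' into mask 'm'. */
#define	ADDMASK(m, v) do {						\
	(m)->am_success |= (v)->am_success;				\
	(m)->am_failure |= (v)->am_failure;				\
} while (0)

/* Remove all bits of mask 'v' from mask 'm'. */
#define	SUBMASK(m, v) do {						\
	(m)->am_success &= ((m)->am_success ^ (v)->am_success);	\
	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);	\
} while (0)

__BEGIN_DECLS

/*
 * Terminal identifiers: a port plus an IPv4 address (au_tid*), or a port plus
 * an address type and a 16-byte address (au_tidaddr*).  The 32/64 suffix is
 * the width of the port field.
 */
typedef struct au_tid32 {
	u_int32_t	port;
	u_int32_t	addr;
} au_tid32_t;

typedef struct au_tid64 {
	u_int64_t	port;
	u_int32_t	addr;
} au_tid64_t;

typedef struct au_tidaddr32 {
	u_int32_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr32_t;

typedef struct au_tidaddr64 {
	u_int64_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr64_t;

/*
 * argument #              1 byte
 * argument value          4 bytes/8 bytes (32-bit/64-bit value)
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_char		 no;
	u_int32_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg32_t;

typedef struct {
	u_char		 no;
	u_int64_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg64_t;

/*
 * how to print            1 byte
 * basic unit              1 byte
 * unit count              1 byte
 * data items              (depends on basic unit)
 *
 * NOTE(review): the byte length of 'data' is uc * sizeof(basic unit) and is
 * not stored here; the parser must derive it from bu and uc and check it
 * against the bytes actually present before setting 'data'.
 */
typedef struct {
	u_char	 howtopr;
	u_char	 bu;
	u_char	 uc;
	u_char	*data;
} au_arb_t;
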
/*
 * file access mode        4 bytes
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * file system ID          4 bytes
 * node ID                 8 bytes
 * device                  4 bytes/8 bytes (32-bit/64-bit)
 *
 * The two variants differ only in the width of 'dev'.
 */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int32_t	dev;
} au_attr32_t;

typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int64_t	dev;
} au_attr64_t;

/*
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * NOTE(review): 'count' is read from the record while text[] holds a fixed
 * AUDIT_MAX_ARGS pointers; the parser must bound the number of entries it
 * stores by the array size, not by count -- confirm in au_fetch_tok().
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ARGS];
} au_execarg_t;

/*
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * NOTE(review): same bounding requirement as au_execarg_t, with
 * AUDIT_MAX_ENV as the array size.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ENV];
} au_execenv_t;

/*
 * status                  4 bytes
 * return value            4 bytes
 */
typedef struct {
	u_int32_t	status;
	u_int32_t	ret;
} au_exit_t;

/*
 * seconds of time         4 bytes
 * milliseconds of time    4 bytes
 * file name length        2 bytes
 * file pathname           N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int32_t	 s;
	u_int32_t	 ms;
	u_int16_t	 len;
	char		*name;
} au_file_t;


/*
 * number groups           2 bytes
 * group list              N * 4 bytes
 *
 * NOTE(review): 'no' is record-supplied while list[] is fixed at
 * AUDIT_MAX_GROUPS (from <bsm/audit.h>); the parser must clamp the number
 * of groups it copies to the array size -- confirm in au_fetch_tok().
 */
typedef struct {
	u_int16_t	no;
	u_int32_t	list[AUDIT_MAX_GROUPS];
} au_groups_t;

/*
 * record byte count       4 bytes
 * version #               1 byte    [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
 * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
 *
 * NOTE(review): 'size' is taken from the record itself; a reader must check
 * it against the bytes actually available (and against the trailer's count)
 * before using it to advance through a trail.
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_t;

/*
 * record byte count       4 bytes
 * version #               1 byte     [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * address type/length     1 byte (XXX: actually, 4 bytes)
 * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time         4 bytes/8 bytes (32/64-bits)
 * nanoseconds of time     4 bytes/8 bytes (32/64-bits)
 *
 * NOTE(review): the layout above says "nanoseconds" but the field is named
 * 'ms' like the plain header; confirm the unit against the parser before
 * relying on either.  'addr' holds 4 words even for an IPv4 address; 'ad_type'
 * says how many are meaningful.
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_ex_t;

/* 64-bit-timestamp form of au_header32_t. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_t;

/* 64-bit-timestamp form of au_header32_ex_t. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_ex_t;

/*
 * internet address        4 bytes
 */
typedef struct {
	u_int32_t	addr;
} au_inaddr_t;

/*
 * type                    4 bytes
 * internet address        16 bytes
 */
typedef struct {
	u_int32_t	type;
	u_int32_t	addr[4];
} au_inaddr_ex_t;

/*
 * version and ihl         1 byte
 * type of service         1 byte
 * length                  2 bytes
 * id                      2 bytes
 * offset                  2 bytes
 * ttl                     1 byte
 * protocol                1 byte
 * checksum                2 bytes
 * source address          4 bytes
 * destination address     4 bytes
 *
 * An IPv4 header as captured in the record; 'version' carries both the
 * version nibble and the IHL nibble per the first line above.
 */
typedef struct {
	u_char		version;
	u_char		tos;
	u_int16_t	len;
	u_int16_t	id;
	u_int16_t	offset;
	u_char		ttl;
	u_char		prot;
	u_int16_t	chksm;
	u_int32_t	src;
	u_int32_t	dest;
} au_ip_t;

/*
 * object ID type          1 byte
 * object ID               4 bytes
 */
typedef struct {
	u_char		type;
	u_int32_t	id;
} au_ipc_t;

/*
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * creator user ID         4 bytes
 * creator group ID        4 bytes
 * access mode             4 bytes
 * slot sequence #         4 bytes
 * key                     4 bytes
 */
typedef struct {
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	puid;
	u_int32_t	pgid;
	u_int32_t	mode;
	u_int32_t	seq;
	u_int32_t	key;
} au_ipcperm_t;

/*
 * port IP address         2 bytes
 */
typedef struct {
	u_int16_t	port;
} au_iport_t;

/*
 * length                  2 bytes
 * data                    length bytes
 *
 * 'data' is not NUL-terminated by this layout; 'size' is the only bound.
 */
typedef struct {
	u_int16_t	 size;
	char		*data;
} au_opaque_t;

/*
 * path length             2 bytes
 * path                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*path;
} au_path_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address       4 bytes
 *
 * The au_proc* and au_subject* families below share this layout; only the
 * terminal ID type (au_tid32_t / au_tid64_t / au_tidaddr32_t /
 * au_tidaddr64_t) differs between variants.
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_proc32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_proc64_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   type                  4 bytes
 *   machine address       16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_proc32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_proc64ex_t;

/*
 * error status            1 byte
 * return value            4 bytes/8 bytes (32-bit/64-bit value)
 *
 * NOTE(review): the two variants name the same two fields differently
 * (status/ret vs. err/val); code switching on record width must use the
 * matching names.
 */
typedef struct {
	u_char		status;
	u_int32_t	ret;
} au_ret32_t;

typedef struct {
	u_char		err;
	u_int64_t	val;
} au_ret64_t;

/*
 * sequence number         4 bytes
 */
typedef struct {
	u_int32_t	seqno;
} au_seq_t;

/*
 * socket type             2 bytes
 * local port              2 bytes
 * local Internet address  4 bytes
 * remote port             2 bytes
 * remote Internet address 4 bytes
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_addr;
	u_int16_t	r_port;
	u_int32_t	r_addr;
} au_socket_t;

/*
 * socket type             2 bytes
 * local port              2 bytes
 * address type/length     4 bytes
 * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
 * remote port             4 bytes
 * address type/length     4 bytes
 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * NOTE(review): the layout above does not list 'domain' and shows a second
 * address type/length for which there is no field; treat the struct, not the
 * comment, as authoritative until confirmed against the parser.  'atype'
 * selects how many words of l_addr/r_addr are meaningful.
 */
typedef struct {
	u_int16_t	domain;
	u_int16_t	type;
	u_int16_t	atype;
	u_int16_t	l_port;
	u_int32_t	l_addr[4];
	u_int32_t	r_port;
	u_int32_t	r_addr[4];
} au_socket_ex32_t;

/*
 * socket family           2 bytes
 * local port              2 bytes
 * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr[4];
} au_socketinet_ex32_t;

/* IPv4-only form of au_socketinet_ex32_t. */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr;
} au_socketinet32_t;

/*
 * socket family           2 bytes
 * path                    104 bytes
 *
 * NOTE(review): 'path' is a fixed 104-byte field with no separate length;
 * confirm that the parser NUL-terminates it before it is printed as a
 * string.
 */
typedef struct {
	u_int16_t	family;
	char		path[104];
} au_socketunix_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address       4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_subject32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_subject64_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   type                  4 bytes
 *   machine address       16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_subject32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_subject64ex_t;

/*
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*text;
} au_text_t;

/*
 * upriv status            1 byte
 * privstr len             2 bytes
 * privstr                 N bytes + 1 (\0 byte)
 */
typedef struct {
	u_int8_t	 sorf;
	u_int16_t	 privstrlen;
	char		*priv;
} au_priv_t;

/*
 * privset
 * privtstrlen             2 bytes
 * privtstr                N Bytes + 1
 * privstrlen              2 bytes
 * privstr                 N Bytes + 1
 */
typedef struct {
	u_int16_t	 privtstrlen;
	char		*privtstr;
	u_int16_t	 privstrlen;
	char		*privstr;
} au_privset_t;

/*
 * zonename length         2 bytes
 * zonename text           N bytes + 1 NULL terminator
 */
typedef struct {
	u_int16_t	 len;
	char		*zonename;
} au_zonename_t;

/*
 * No byte layout was given for this token.  The fields appear to mirror
 * those of a kqueue struct kevent (ident, filter, flags, fflags, data) --
 * presumably; confirm against the parser before relying on that.
 */
typedef struct {
	u_int32_t	ident;
	u_int16_t	filter;
	u_int16_t	flags;
	u_int32_t	fflags;
	u_int32_t	data;
} au_kevent_t;

/*
 * Raw bytes of a token that could not be decoded as any other type
 * (the 'invalid' member of the tokenstr union); 'length' bounds 'data'.
 */
typedef struct {
	u_int16_t	 length;
	char		*data;
} au_invalid_t;

/*
 * trailer magic number    2 bytes
 * record byte count       4 bytes
 */
typedef struct {
	u_int16_t	magic;
	u_int32_t	count;
} au_trailer_t;

/*
 * A single parsed token.  'id' is the token type (an AUT_* value from
 * <bsm/audit_record.h>, presumably) and selects which member of 'tt' is
 * valid; 'data'/'len' describe the raw bytes the token was decoded from.
 *
 * NOTE(review): the string and array members of 'tt' are pointers, so a
 * tokenstr is only meaningful while the buffer it was fetched from
 * (see au_fetch_tok()) is alive -- confirm whether the parser copies or
 * aliases.
 */
struct tokenstr {
	u_char	 id;
	u_char	*data;
	size_t	 len;
	union {
		au_arg32_t		arg32;
		au_arg64_t		arg64;
		au_arb_t		arb;
		au_attr32_t		attr32;
		au_attr64_t		attr64;
		au_execarg_t		execarg;
		au_execenv_t		execenv;
		au_exit_t		exit;
		au_file_t		file;
		au_groups_t		grps;
		au_header32_t		hdr32;
		au_header32_ex_t	hdr32_ex;
		au_header64_t		hdr64;
		au_header64_ex_t	hdr64_ex;
		au_inaddr_t		inaddr;
		au_inaddr_ex_t		inaddr_ex;
		au_ip_t			ip;
		au_ipc_t		ipc;
		au_ipcperm_t		ipcperm;
		au_iport_t		iport;
		au_opaque_t		opaque;
		au_path_t		path;
		au_proc32_t		proc32;
		au_proc32ex_t		proc32_ex;
		au_proc64_t		proc64;
		au_proc64ex_t		proc64_ex;
		au_ret32_t		ret32;
		au_ret64_t		ret64;
		au_seq_t		seq;
		au_socket_t		socket;
		au_socket_ex32_t	socket_ex32;
		au_socketinet_ex32_t	sockinet_ex32;
		au_socketunix_t		sockunix;
		au_subject32_t		subj32;
		au_subject32ex_t	subj32_ex;
		au_subject64_t		subj64;
		au_subject64ex_t	subj64_ex;
		au_text_t		text;
		au_kevent_t		kevent;
		au_invalid_t		invalid;
		au_trailer_t		trail;
		au_zonename_t		zonename;
		au_priv_t		priv;
		au_privset_t		privset;
	} tt; /* The token is one of the above types */
};

typedef struct tokenstr tokenstr_t;

/*
 * Submit a complete audit record for event 'au_event' on behalf of audit ID
 * 'auid'; 'fmt' and the trailing arguments are printf-style.  'status' and
 * 'reterr' presumably become the record's return token -- confirm in the
 * implementation.
 */
int	audit_submit(short au_event, au_id_t auid,
	    char status, int reterr, const char *fmt, ...);

/*
 * Functions relating to querying audit class information.
 *
 * NOTE(review): by the usual *_r convention the non-_r forms return
 * library-owned storage and are not reentrant; the _r forms fill the
 * caller-supplied entry instead -- confirm in the implementation.
 */
void			 setauclass(void);
void			 endauclass(void);
struct au_class_ent	*getauclassent(void);
struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
struct au_class_ent	*getauclassnam(const char *name);
struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
			    const char *name);
struct au_class_ent	*getauclassnum(au_class_t class_number);
struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
			    au_class_t class_number);

/*
 * Functions relating to querying audit control information.
 *
 * The getac*() string accessors copy into a caller buffer bounded by 'len'.
 * NOTE(review): getacdir(), getacflg() and getacna() take a signed 'int len'
 * while getachost() and getacpol() take 'size_t len'; a negative length is
 * a caller bug the signed form cannot reject.  Harmonising on size_t would
 * change the ABI on LP64 targets, so it needs the implementation updated
 * together with this header.
 */
void	 setac(void);
void	 endac(void);
int	 getacdir(char *name, int len);
int	 getacdist(void);
int	 getacexpire(int *andflg, time_t *age, size_t *size);
int	 getacfilesz(size_t *size_val);
int	 getacflg(char *auditstr, int len);
int	 getachost(char *auditstr, size_t len);
int	 getacmin(int *min_val);
int	 getacna(char *auditstr, int len);
int	 getacpol(char *auditstr, size_t len);
int	 getauditflagsbin(char *auditstr, au_mask_t *masks);
int	 getauditflagschar(char *auditstr, au_mask_t *masks,
	    int verbose);
/*
 * au_preselect(): 'sorf' is an AU_PRS_SUCCESS/AU_PRS_FAILURE selector and
 * 'flag' is AU_PRS_USECACHE or AU_PRS_REREAD (both defined above).
 */
int	 au_preselect(au_event_t event, au_mask_t *mask_p,
	    int sorf, int flag);
/* Convert between a policy bit set and its textual form; 'buf' holds at most 'maxsize' bytes. */
ssize_t	 au_poltostr(int policy, size_t maxsize, char *buf);
int	 au_strtopol(const char *polstr, int *policy);

/*
 * Functions relating to querying audit event information.
 */
void			 setauevent(void);
void			 endauevent(void);
struct au_event_ent	*getauevent(void);
struct au_event_ent	*getauevent_r(struct au_event_ent *e);
struct au_event_ent	*getauevnam(const char *name);
struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
			    const char *name);
struct au_event_ent	*getauevnum(au_event_t event_number);
struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
			    au_event_t event_number);
au_event_t		*getauevnonam(const char *event_name);
au_event_t		*getauevnonam_r(au_event_t *ev,
			    const char *event_name);

/*
 * Functions relating to querying audit user information.
 */
void			 setauuser(void);
void			 endauuser(void);
struct au_user_ent	*getauuserent(void);
struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
struct au_user_ent	*getauusernam(const char *name);
struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
			    const char *name);
int			 au_user_mask(char *username, au_mask_t *mask_p);
int			 getfauditflags(au_mask_t *usremask,
			    au_mask_t *usrdmask, au_mask_t *lastmask);

/*
 * Functions for reading and printing records and tokens from audit trails.
 *
 * NOTE(review): au_read_rec() hands back a record through *buf but this
 * header does not say who owns it; the caller presumably frees it --
 * confirm.  au_fetch_tok() decodes the first token of buf[0..len) into
 * *tok; 'len' is a signed int here, unlike the size_t used elsewhere in
 * this header, so callers must not pass a negative or oversized value.
 */
int	au_read_rec(FILE *fp, u_char **buf);
int	au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
/* XXX The following interface has different prototype from BSM */
void	au_print_tok(FILE *outfp, tokenstr_t *tok,
	    char *del, char raw, char sfrm);
/* 'oflags' is a combination of the AU_OFLAG_* values defined above. */
void	au_print_flags_tok(FILE *outfp, tokenstr_t *tok,
	    char *del, int oflags);
void	au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
	    char *del, char raw, char sfrm);

/*
 * Functions relating to XML output.
 */
void	au_print_xml_header(FILE *outfp);
void	au_print_xml_footer(FILE *outfp);

/*
 * BSM library routines for converting between local and BSM constant spaces.
 * (Note: some of these are replicated in audit_record.h for the benefit of
 * the FreeBSD and Mac OS X kernels)
 *
 * The au_bsm_to_*() forms return a status and write the local value through
 * the out-pointer, so an unknown BSM constant can be reported rather than
 * mapped silently; the *_to_bsm() forms return the BSM value directly.
 */
int	 au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
int	 au_bsm_to_errno(u_char bsm_error, int *errorp);
int	 au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
int	 au_bsm_to_socket_type(u_short bsm_socket_type,
	    int *local_socket_typep);
u_short	 au_domain_to_bsm(int local_domain);
u_char	 au_errno_to_bsm(int local_errno);
u_short	 au_fcntl_cmd_to_bsm(int local_fcntl_command);
u_short	 au_socket_type_to_bsm(int local_socket_type);

/* Text for a BSM error number (the BSM-space counterpart of strerror()). */
const char	 *au_strerror(u_char bsm_error);
__END_DECLS

/*
 * The remaining APIs are associated with Apple's BSM implementation, in
 * particular as relates to Mach IPC auditing and triggers passed via Mach
 * IPC.
 */
#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future.  Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
#define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
 */
#ifdef __APPLE_API_PRIVATE
#define	AUDIT_OFF	AUC_NOAUDIT
#define	AUDIT_ON	AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren.  We have 255 (not including kAUNoErr) to play with.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
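*/
enum {
	kAUNoErr = 0,
	/* Remaining codes take consecutive values counting up from here. */
	kAUBadParamErr = -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr	/* NOTE(review): looks like an end-of-range marker rather than a reportable error; confirm against callers */
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions. These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting. Shame on you.
 */
#ifdef __APPLE_API_PRIVATE
/*
 * The expansion is parenthesised so that it behaves as a single operand
 * wherever the macro is used; the bare "NOTIFY_STATUS_FAILED + 1" form
 * would bind incorrectly in expressions such as AU_UNIMPL * n or -AU_UNIMPL.
 */
#define	AU_UNIMPL	(NOTIFY_STATUS_FAILED + 1)	/* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects. However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched.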
In that case, the caller can deallocate the 969155131Srwatson * token_t using au_free_token() if desired. This is, in fact, what 970155131Srwatson * audit_write() does, in keeping with the existing memory management model 971155131Srwatson * of the BSM API. 972155131Srwatson * 973155131Srwatson * @param tok - A token_t * generated by one of the au_to_*() BSM API 974155131Srwatson * calls. For convenience, tok may be NULL, in which case 975155131Srwatson * au_free_token() returns immediately. 976155131Srwatson * 977155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 978155131Srwatson */ 979155131Srwatsonvoid au_free_token(token_t *tok); 980155131Srwatson 981155131Srwatson/* 982155131Srwatson * Lightweight check to determine if auditing is enabled. If a client 983155131Srwatson * wants to use this to govern whether an entire series of audit calls 984155131Srwatson * should be made--as in the common case of a caller building a set of 985155131Srwatson * tokens, then writing them--it should cache the audit status in a local 986155131Srwatson * variable. This call always returns the current state of auditing. 987155131Srwatson * 988155131Srwatson * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 989155131Srwatson * Otherwise the function can return any of the errno values defined for 990155131Srwatson * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 991155131Srwatson * the system. 992155131Srwatson * 993155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 994155131Srwatson */ 995155131Srwatsonint au_get_state(void); 996186647Srwatson 997186647Srwatson/* 998186647Srwatson * Initialize the audit notification. If it has not already been initialized, 999186647Srwatson * it will be initialized automatically on the first call of au_get_state(). 
1000186647Srwatson */ 1001186647Srwatsonuint32_t au_notify_initialize(void); 1002186647Srwatson 1003186647Srwatson/* 1004186647Srwatson * Cancel audit notification and free the resources associated with it. 1005186647Srwatson * Responsible code that no longer needs to use au_get_state() should call 1006186647Srwatson * this. 1007186647Srwatson */ 1008186647Srwatsonint au_notify_terminate(void); 1009155131Srwatson__END_DECLS 1010155131Srwatson 1011155131Srwatson/* OpenSSH compatibility */ 1012155518Srwatsonint cannot_audit(int); 1013155131Srwatson 1014155131Srwatson__BEGIN_DECLS 1015155131Srwatson/* 1016155131Srwatson * audit_set_terminal_id() 1017155131Srwatson * 1018155131Srwatson * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 1019155131Srwatson * used in audit session initialization by processes like /usr/bin/login. 1020155131Srwatson * 1021155131Srwatson * @param tid - A pointer to an au_tid_t struct. 1022155131Srwatson * 1023155131Srwatson * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 1024155131Srwatson * or kAUSysctlErr if one of the underlying system calls fails (a message 1025155131Srwatson * is sent to the system log in those cases). 1026155131Srwatson * 1027155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1028155131Srwatson */ 1029155131Srwatsonint audit_set_terminal_id(au_tid_t *tid); 1030155131Srwatson 1031155131Srwatson/* 1032155131Srwatson * BEGIN au_write() WRAPPERS 1033155131Srwatson * 1034155131Srwatson * The following calls all wrap the existing BSM API. They use the 1035155131Srwatson * provided subject information, if any, to construct the subject token 1036155131Srwatson * required for every log message. They use the provided return/error 1037155131Srwatson * value(s), if any, to construct the success/failure indication required 1038155131Srwatson * for every log message. 
They only permit one "miscellaneous" token, 1039155131Srwatson * which should contain the event-specific logging information mandated by 1040155131Srwatson * CAPP. 1041155131Srwatson * 1042155131Srwatson * All these calls assume the caller has previously determined that 1043155131Srwatson * auditing is enabled by calling au_get_state(). 1044155131Srwatson */ 1045155131Srwatson 1046155131Srwatson/* 1047155131Srwatson * audit_write() 1048155131Srwatson * 1049155131Srwatson * @summary - audit_write() is the basis for the other audit_write_*() 1050155131Srwatson * calls. Performs a basic write of an audit record (subject, additional 1051155131Srwatson * info, success/failure). Note that this call only permits logging one 1052155131Srwatson * caller-specified token; clients needing to log more flexibly must use 1053155131Srwatson * the existing BSM API (au_open(), et al.) directly. 1054155131Srwatson * 1055155131Srwatson * Note on memory management: audit_write() guarantees that the token_t *s 1056155131Srwatson * passed to it will be deallocated whether or not the underlying write to 1057155131Srwatson * the audit log succeeded, so the caller must not free or reuse them after the call returns. This addresses an inconsistency in the 1058155131Srwatson * underlying BSM API in which token_t *s are usually but not always 1059155131Srwatson * deallocated. 1060155131Srwatson * 1061155131Srwatson * @param event_code - The code for the event being logged. This should 1062155131Srwatson * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1063155131Srwatson * 1064155131Srwatson * @param subject - A token_t * generated by au_to_subject(), 1065155131Srwatson * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 1066155131Srwatson * required, subject should be NULL. 1067155131Srwatson * 1068155131Srwatson * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1069155131Srwatson * calls. 
This should correspond to the additional information required by 1070155131Srwatson * CAPP for the event being audited. If no additional information is 1071155131Srwatson * required, misctok should be NULL. 1072155131Srwatson * 1073155131Srwatson * @param retval - The return value to be logged for this event. This 1074155131Srwatson * should be 0 (zero) for success, otherwise the value is event-specific. 1075155131Srwatson * 1076155131Srwatson * @param errcode - Any error code associated with the return value (e.g., 1077155131Srwatson * errno or h_errno). If there was no error, errcode should be 0 (zero). 1078155131Srwatson * 1079155131Srwatson * @return - The status of the call: 0 (zero) on success, else one of the 1080155131Srwatson * kAU*Err values defined above. 1081155131Srwatson * 1082155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1083155131Srwatson */ 1084155131Srwatsonint audit_write(short event_code, token_t *subject, token_t *misctok, 1085155131Srwatson char retval, int errcode); 1086155131Srwatson 1087155131Srwatson/* 1088155131Srwatson * audit_write_success() 1089155131Srwatson * 1090155131Srwatson * @summary - audit_write_success() records an auditable event that did not 1091155131Srwatson * encounter an error. The interface is designed to require as little 1092155131Srwatson * direct use of the au_to_*() API as possible. It builds a subject token 1093155131Srwatson * from the information passed in and uses that to invoke audit_write(). 1094155131Srwatson * A subject, as defined by CAPP, is a process acting on the user's behalf. 1095155131Srwatson * 1096155131Srwatson * If the subject information is the same as the current process, use 1097155131Srwatson * audit_write_success_self(). 1098155131Srwatson * 1099155131Srwatson * @param event_code - The code for the event being logged. This should 1100155131Srwatson * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 
1101155131Srwatson * 1102155131Srwatson * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1103155131Srwatson * calls. This should correspond to the additional information required by 1104155131Srwatson * CAPP for the event being audited. If no additional information is 1105155131Srwatson * required, misctok should be NULL. 1106155131Srwatson * 1107155131Srwatson * @param auid - The subject's audit ID. 1108155131Srwatson * 1109155131Srwatson * @param euid - The subject's effective user ID. 1110155131Srwatson * 1111155131Srwatson * @param egid - The subject's effective group ID. 1112155131Srwatson * 1113155131Srwatson * @param ruid - The subject's real user ID. 1114155131Srwatson * 1115155131Srwatson * @param rgid - The subject's real group ID. 1116155131Srwatson * 1117155131Srwatson * @param pid - The subject's process ID. 1118155131Srwatson * 1119155131Srwatson * @param sid - The subject's session ID. 1120155131Srwatson * 1121155131Srwatson * @param tid - The subject's terminal ID. 1122155131Srwatson * 1123155131Srwatson * @return - The status of the call: 0 (zero) on success, else one of the 1124155131Srwatson * kAU*Err values defined above. 1125155131Srwatson * 1126155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1127155131Srwatson */ 1128155131Srwatsonint audit_write_success(short event_code, token_t *misctok, au_id_t auid, 1129155131Srwatson uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 1130155131Srwatson au_asid_t sid, au_tid_t *tid); 1131155131Srwatson 1132155131Srwatson/* 1133155131Srwatson * audit_write_success_self() 1134155131Srwatson * 1135155131Srwatson * @summary - Similar to audit_write_success(), but used when the subject 1136155131Srwatson * (process) is owned and operated by the auditable user him/herself. 1137155131Srwatson * 1138155131Srwatson * @param event_code - The code for the event being logged. 
This should 1139155131Srwatson * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1140155131Srwatson * 1141155131Srwatson * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1142155131Srwatson * calls. This should correspond to the additional information required by 1143155131Srwatson * CAPP for the event being audited. If no additional information is 1144155131Srwatson * required, misctok should be NULL. 1145155131Srwatson * 1146155131Srwatson * @return - The status of the call: 0 (zero) on success, else one of the 1147155131Srwatson * kAU*Err values defined above. 1148155131Srwatson * 1149155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1150155131Srwatson */ 1151155131Srwatsonint audit_write_success_self(short event_code, token_t *misctok); 1152155131Srwatson 1153155131Srwatson/* 1154155131Srwatson * audit_write_failure() 1155155131Srwatson * 1156155131Srwatson * @summary - audit_write_failure() records an auditable event that 1157155131Srwatson * encountered an error. The interface is designed to require as little 1158155131Srwatson * direct use of the au_to_*() API as possible. It builds a subject token 1159155131Srwatson * from the information passed in and uses that to invoke audit_write(). 1160155131Srwatson * A subject, as defined by CAPP, is a process acting on the user's behalf. 1161155131Srwatson * 1162155131Srwatson * If the subject information is the same as the current process, use 1163155131Srwatson * audit_write_failure_self(). 1164155131Srwatson * 1165155131Srwatson * @param event_code - The code for the event being logged. This should 1166155131Srwatson * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1167155131Srwatson * 1168155131Srwatson * @param errmsg - A text message providing additional information about 1169155131Srwatson * the event being audited. 
1170155131Srwatson * 1171155131Srwatson * @param errret - A numerical value providing additional information about 1172155131Srwatson * the error. This is intended to store the value of errno or h_errno if 1173155131Srwatson * it's relevant. This can be 0 (zero) if no additional information is 1174155131Srwatson * available. 1175155131Srwatson * 1176155131Srwatson * @param auid - The subject's audit ID. 1177155131Srwatson * 1178155131Srwatson * @param euid - The subject's effective user ID. 1179155131Srwatson * 1180155131Srwatson * @param egid - The subject's effective group ID. 1181155131Srwatson * 1182155131Srwatson * @param ruid - The subject's real user ID. 1183155131Srwatson * 1184155131Srwatson * @param rgid - The subject's real group ID. 1185155131Srwatson * 1186155131Srwatson * @param pid - The subject's process ID. 1187155131Srwatson * 1188155131Srwatson * @param sid - The subject's session ID. 1189155131Srwatson * 1190155131Srwatson * @param tid - The subject's terminal ID. 1191155131Srwatson * 1192155131Srwatson * @return - The status of the call: 0 (zero) on success, else one of the 1193155131Srwatson * kAU*Err values defined above. 1194155131Srwatson * 1195155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1196155131Srwatson */ 1197155131Srwatsonint audit_write_failure(short event_code, char *errmsg, int errret, 1198155131Srwatson au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1199155131Srwatson pid_t pid, au_asid_t sid, au_tid_t *tid); 1200155131Srwatson 1201155131Srwatson/* 1202155131Srwatson * audit_write_failure_self() 1203155131Srwatson * 1204155131Srwatson * @summary - Similar to audit_write_failure(), but used when the subject 1205155131Srwatson * (process) is owned and operated by the auditable user him/herself. 1206155131Srwatson * 1207155131Srwatson * @param event_code - The code for the event being logged. 
This should 1208155131Srwatson * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1209155131Srwatson * 1210155131Srwatson * @param errmsg - A text message providing additional information about 1211155131Srwatson * the event being audited. 1212155131Srwatson * 1213155131Srwatson * @param errret - A numerical value providing additional information about 1214155131Srwatson * the error. This is intended to store the value of errno or h_errno if 1215155131Srwatson * it's relevant. This can be 0 (zero) if no additional information is 1216155131Srwatson * available. 1217155131Srwatson * 1218155131Srwatson * @return - The status of the call: 0 (zero) on success, else one of the 1219155131Srwatson * kAU*Err values defined above. 1220155131Srwatson * 1221155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1222155131Srwatson */ 1223155131Srwatsonint audit_write_failure_self(short event_code, char *errmsg, int errret); 1224155131Srwatson 1225155131Srwatson/* 1226155131Srwatson * audit_write_failure_na() 1227155131Srwatson * 1228155131Srwatson * @summary - audit_write_failure_na() records errors during login. Such 1229155131Srwatson * errors are implicitly non-attributable (i.e., not ascribable to any user). 1230155131Srwatson * 1231155131Srwatson * @param event_code - The code for the event being logged. This should 1232155131Srwatson * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1233155131Srwatson * 1234155131Srwatson * @param errmsg - A text message providing additional information about 1235155131Srwatson * the event being audited. 1236155131Srwatson * 1237155131Srwatson * @param errret - A numerical value providing additional information about 1238155131Srwatson * the error. This is intended to store the value of errno or h_errno if 1239155131Srwatson * it's relevant. This can be 0 (zero) if no additional information is 1240155131Srwatson * available. 
1241155131Srwatson * 1242155131Srwatson * @param euid - The subject's effective user ID. 1243155131Srwatson * 1244155131Srwatson * @param egid - The subject's effective group ID. 1245155131Srwatson * 1246155131Srwatson * @param pid - The subject's process ID. 1247155131Srwatson * 1248155131Srwatson * @param tid - The subject's terminal ID. 1249155131Srwatson * 1250155131Srwatson * @return - The status of the call: 0 (zero) on success, else one of the 1251155131Srwatson * kAU*Err values defined above. 1252155131Srwatson * 1253155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1254155131Srwatson */ 1255155131Srwatsonint audit_write_failure_na(short event_code, char *errmsg, int errret, 1256155131Srwatson uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1257155131Srwatson 1258155131Srwatson/* END au_write() WRAPPERS */ 1259155131Srwatson 1260155131Srwatson#ifdef __APPLE__ 1261155131Srwatson/* 1262155131Srwatson * audit_token_to_au32() 1263155131Srwatson * 1264155131Srwatson * @summary - Extract information from an audit_token_t, used to identify 1265155131Srwatson * Mach tasks and senders of Mach messages as subjects to the audit system. 1266155131Srwatson * audit_token_to_au32() is the only method that should be used to parse 1267155131Srwatson * an audit_token_t, since its internal representation may change over 1268155131Srwatson * time. A pointer parameter may be NULL if that information is not 1269155131Srwatson * needed. 
1270155131Srwatson * 1271155131Srwatson * @param atoken - the audit token containing the desired information 1272155131Srwatson * 1273155131Srwatson * @param auidp - Pointer to a uid_t; on return will be set to the task or 1274155131Srwatson * sender's audit user ID 1275155131Srwatson * 1276155131Srwatson * @param euidp - Pointer to a uid_t; on return will be set to the task or 1277155131Srwatson * sender's effective user ID 1278155131Srwatson * 1279155131Srwatson * @param egidp - Pointer to a gid_t; on return will be set to the task or 1280155131Srwatson * sender's effective group ID 1281155131Srwatson * 1282155131Srwatson * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1283155131Srwatson * sender's real user ID 1284155131Srwatson * 1285155131Srwatson * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1286155131Srwatson * sender's real group ID 1287155131Srwatson * 1288155131Srwatson * @param pidp - Pointer to a pid_t; on return will be set to the task or 1289155131Srwatson * sender's process ID 1290155131Srwatson * 1291155131Srwatson * @param asidp - Pointer to an au_asid_t; on return will be set to the 1292155131Srwatson * task or sender's audit session ID 1293155131Srwatson * 1294155131Srwatson * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1295155131Srwatson * or sender's terminal ID 1296155131Srwatson * 1297155131Srwatson * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
1298155131Srwatson */ 1299155131Srwatsonvoid audit_token_to_au32( 1300155131Srwatson audit_token_t atoken, 1301155131Srwatson uid_t *auidp, 1302155131Srwatson uid_t *euidp, 1303155131Srwatson gid_t *egidp, 1304155131Srwatson uid_t *ruidp, 1305155131Srwatson gid_t *rgidp, 1306155131Srwatson pid_t *pidp, 1307155131Srwatson au_asid_t *asidp, 1308155131Srwatson au_tid_t *tidp); 1309155131Srwatson#endif /* !__APPLE__ */ 1310155131Srwatson 1311191273Srwatson/* 1312191273Srwatson * Wrapper functions to auditon(2). 1313191273Srwatson */ 1314191273Srwatsonint audit_get_car(char *path, size_t sz); 1315191273Srwatsonint audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1316191273Srwatsonint audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1317191273Srwatsonint audit_get_cond(int *cond); 1318191273Srwatsonint audit_set_cond(int *cond); 1319191273Srwatsonint audit_get_cwd(char *path, size_t sz); 1320191273Srwatsonint audit_get_fsize(au_fstat_t *fstat, size_t sz); 1321191273Srwatsonint audit_set_fsize(au_fstat_t *fstat, size_t sz); 1322191273Srwatsonint audit_get_kmask(au_mask_t *kmask, size_t sz); 1323191273Srwatsonint audit_set_kmask(au_mask_t *kmask, size_t sz); 1324191273Srwatsonint audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1325191273Srwatsonint audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1326191273Srwatsonint audit_set_pmask(auditpinfo_t *api, size_t sz); 1327191273Srwatsonint audit_get_pinfo(auditpinfo_t *api, size_t sz); 1328191273Srwatsonint audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1329191273Srwatsonint audit_get_policy(int *policy); 1330191273Srwatsonint audit_set_policy(int *policy); 1331191273Srwatsonint audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1332191273Srwatsonint audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1333191273Srwatsonint audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1334191273Srwatsonint audit_get_stat(au_stat_t *stats, size_t sz); 1335191273Srwatsonint audit_set_stat(au_stat_t *stats, size_t 
sz); 1336191273Srwatsonint audit_send_trigger(int *trigger); 1337191273Srwatson 1338155131Srwatson__END_DECLS 1339155131Srwatson 1340155131Srwatson#endif /* !_LIBBSM_H_ */ 1341