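/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#13 $
 */

/*
 * Shared declarations for the audit daemon: warning keywords, fixed paths,
 * daemon state values, and the prototypes of the warning, logging, trigger
 * and lifecycle routines implemented elsewhere in auditd.
 */

#ifndef _AUDITD_H_
#define _AUDITD_H_

#include <sys/types.h>
#include <sys/queue.h>
#include <syslog.h>

/* NOTE(review): presumably bounds an audit directory path; confirm at use. */
#define MAX_DIR_SIZE 255
#define AUDITD_NAME "auditd"

/*
 * If defined, then the audit daemon will attempt to chown newly created logs
 * to this group.  Otherwise, they will be the default for the user running
 * auditd, likely the audit group.
 *
 * NOTE(review): who can actually read the trails also depends on the file
 * mode applied where the logs are created -- confirm it there.
 */
#define AUDIT_REVIEW_GROUP "audit"

/*
 * Warning keywords; each one has a matching audit_warn_*() prototype below.
 * Presumably the keyword is handed to AUDITWARN_SCRIPT -- confirm in the
 * audit_warn implementation.
 */
#define HARDLIM_ALL_WARN "allhard"
#define SOFTLIM_ALL_WARN "allsoft"
#define AUDITOFF_WARN "auditoff"
#define CLOSEFILE_WARN "closefile"
#define EBUSY_WARN "ebusy"
#define GETACDIR_WARN "getacdir"
#define HARDLIM_WARN "hard"
#define NOSTART_WARN "nostart"
#define POSTSIGTERM_WARN "postsigterm"
#define SOFTLIM_WARN "soft"
#define TMPFILE_WARN "tmpfile"
#define EXPIRED_WARN "expired"

/*
 * Fixed paths used by the daemon.
 *
 * NOTE(review): if auditd runs AUDITWARN_SCRIPT with its own privileges, the
 * script and every directory above it must be writable only by the
 * administrator; the same applies to the directory holding AUDITD_PIDFILE.
 */
#define AUDITWARN_SCRIPT "/etc/security/audit_warn"
#define AUDITD_PIDFILE "/var/run/auditd.pid"

/*
 * Daemon state values, exchanged through auditd_set_state() and
 * auditd_get_state().  The negative value is parenthesized so the macro
 * expands as a single operand in any expression.
 */
#define AUD_STATE_INIT (-1)
#define AUD_STATE_DISABLED 0
#define AUD_STATE_ENABLED 1

/*
 * Warning routines, one per keyword above.
 *
 * NOTE(review): the filename parameters are non-const; if the
 * implementations never write through them, const char * would document
 * that, but declaration and definitions have to change together.
 */
int audit_warn_allhard(void);
int audit_warn_allsoft(void);
int audit_warn_auditoff(void);
int audit_warn_closefile(char *filename);
int audit_warn_ebusy(void);
int audit_warn_getacdir(char *filename);
int audit_warn_hard(char *filename);
int audit_warn_nostart(void);
int audit_warn_postsigterm(void);
int audit_warn_soft(char *filename);
int audit_warn_tmpfile(void);
int audit_warn_expired(char *filename);

/*
 * Logging.  The auditd_log_*() routines take a format string followed by
 * variadic arguments: pass a literal format and put file names or any other
 * externally influenced text behind "%s", never in fmt itself.
 *
 * NOTE(review): a printf-format attribute on these declarations would let
 * the compiler check the arguments against the format.
 */
void auditd_openlog(int debug, gid_t gid);
void auditd_log_err(const char *fmt, ...);
void auditd_log_debug(const char *fmt, ...);
void auditd_log_info(const char *fmt, ...);
void auditd_log_notice(const char *fmt, ...);

/* Daemon state accessors; see the AUD_STATE_* values above. */
void auditd_set_state(int state);
int auditd_get_state(void);

/* Trigger channel: open, close, and dispatch of a received trigger. */
int auditd_open_trigger(int launchd_flag);
int auditd_close_trigger(void);
void auditd_handle_trigger(int trigger);

/* Event loop, signal relay, shutdown, configuration and child reaping. */
void auditd_wait_for_events(void);
void auditd_relay_signal(int signal);
void auditd_terminate(void);
int auditd_config_controls(void);
void auditd_reap_children(void);

#endif /* !_AUDITD_H_ */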