auditd.h revision 155364 
1/*
2 * Copyright (c) 2005 Apple Computer, Inc.
3 * All rights reserved.
4 *
5 * @APPLE_BSD_LICENSE_HEADER_START@
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 * 1.  Redistributions of source code must retain the above copyright
12 *     notice, this list of conditions and the following disclaimer.
13 * 2.  Redistributions in binary form must reproduce the above copyright
14 *     notice, this list of conditions and the following disclaimer in the
15 *     documentation and/or other materials provided with the distribution.
16 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
17 *     its contributors may be used to endorse or promote products derived
18 *     from this software without specific prior written permission.
19 *
20 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
21 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
22 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
24 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
25 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
27 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
28 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
29 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 *
31 * @APPLE_BSD_LICENSE_HEADER_END@
32 *
33 * $P4: //depot/projects/trustedbsd/openbsm/bin/auditd/auditd.h#5 $
34 */
35
36#ifndef _AUDITD_H_
37#define	_AUDITD_H_
38
39#include <sys/types.h>
40#include <sys/queue.h>
41#include <syslog.h>
42
43#define	MAX_DIR_SIZE	255
44#define	AUDITD_NAME	"auditd"
45
46/*
47 * If defined, then the audit daemon will attempt to chown newly created logs
48 * to this group.  Otherwise, they will be the default for the user running
49 * auditd, likely the audit group.
50 */
51#define	AUDIT_REVIEW_GROUP	"audit"
52
53#define	POSTFIX_LEN		16
54#define	NOT_TERMINATED	".not_terminated"
55
56struct dir_ent {
57	char			*dirname;
58	char			 softlim;
59	TAILQ_ENTRY(dir_ent)	 dirs;
60};
61
62#define	HARDLIM_ALL_WARN	"allhard"
63#define	SOFTLIM_ALL_WARN	"allsoft"
64#define	AUDITOFF_WARN		"aditoff"
65#define	EBUSY_WARN		"ebusy"
66#define	GETACDIR_WARN		"getacdir"
67#define	HARDLIM_WARN		"hard"
68#define	NOSTART_WARN		"nostart"
69#define	POSTSIGTERM_WARN	"postsigterm"
70#define	SOFTLIM_WARN		"soft"
71#define	TMPFILE_WARN		"tmpfile"
72
73#define	AUDITWARN_SCRIPT	"/etc/security/audit_warn"
74#define	AUDITD_PIDFILE		"/var/run/auditd.pid"
75
76int	audit_warn_allhard(int count);
77int	audit_warn_allsoft(void);
78int	audit_warn_auditoff(void);
79int	audit_warn_ebusy(void);
80int	audit_warn_getacdir(char *filename);
81int	audit_warn_hard(char *filename);
82int	audit_warn_nostart(void);
83int	audit_warn_postsigterm(void);
84int	audit_warn_soft(char *filename);
85int	audit_warn_tmpfile(void);
86
87#endif /* !_AUDITD_H_ */
88