audit.h revision 161635
1155191Srwatson/* 2155191Srwatson * Copyright (c) 2005 Apple Computer, Inc. 3146759Srwatson * All rights reserved. 4146759Srwatson * 5155191Srwatson * @APPLE_BSD_LICENSE_HEADER_START@ 6155191Srwatson * 7146759Srwatson * Redistribution and use in source and binary forms, with or without 8146759Srwatson * modification, are permitted provided that the following conditions 9146759Srwatson * are met: 10146759Srwatson * 11155191Srwatson * 1. Redistributions of source code must retain the above copyright 12155191Srwatson * notice, this list of conditions and the following disclaimer. 13155191Srwatson * 2. Redistributions in binary form must reproduce the above copyright 14155191Srwatson * notice, this list of conditions and the following disclaimer in the 15155191Srwatson * documentation and/or other materials provided with the distribution. 16155191Srwatson * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 17155191Srwatson * its contributors may be used to endorse or promote products derived 18155191Srwatson * from this software without specific prior written permission. 19146759Srwatson * 20155191Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 21155191Srwatson * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 22155191Srwatson * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23155191Srwatson * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 24155191Srwatson * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 25155191Srwatson * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 26155191Srwatson * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 27155191Srwatson * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 28155191Srwatson * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 29155191Srwatson * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30155191Srwatson * 31155191Srwatson * @APPLE_BSD_LICENSE_HEADER_END@ 32155191Srwatson * 33161635Srwatson * $P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#31 $ 34146759Srwatson * $FreeBSD: head/sys/bsm/audit.h 161635 2006-08-26 08:17:58Z rwatson $ 35146759Srwatson */ 36146759Srwatson 37155191Srwatson#ifndef _BSM_AUDIT_H 38155191Srwatson#define _BSM_AUDIT_H 39146759Srwatson 40155191Srwatson#include <sys/param.h> 41155191Srwatson#include <sys/cdefs.h> 42155191Srwatson#include <sys/queue.h> 43155191Srwatson 44155191Srwatson#define AUDIT_RECORD_MAGIC 0x828a0f1b 45155191Srwatson#define MAX_AUDIT_RECORDS 20 46161635Srwatson#define MAXAUDITDATA (0x8000 - 1) 47161635Srwatson#define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA 48155191Srwatson#define MIN_AUDIT_FILE_SIZE (512 * 1024) 49155191Srwatson 50146759Srwatson/* 51155191Srwatson * Minimum noumber of free blocks on the filesystem containing the audit 52155191Srwatson * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0 53155191Srwatson * as the kernel does an unsigned compare, plus we want to leave a few blocks 54155191Srwatson * free so userspace can terminate the log, etc. 55146759Srwatson */ 56155191Srwatson#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 57155191Srwatson 58155191Srwatson/* 59161635Srwatson * Triggers for the audit daemon. 60155191Srwatson */ 61155191Srwatson#define AUDIT_TRIGGER_MIN 1 62155191Srwatson#define AUDIT_TRIGGER_LOW_SPACE 1 63155191Srwatson#define AUDIT_TRIGGER_OPEN_NEW 2 64155191Srwatson#define AUDIT_TRIGGER_READ_FILE 3 65155191Srwatson#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 66155191Srwatson#define AUDIT_TRIGGER_NO_SPACE 5 67155191Srwatson#define AUDIT_TRIGGER_MAX 5 68155191Srwatson 69155191Srwatson/* 70161635Srwatson * Special file that will be read for trigger events from the kernel 71161635Srwatson * (FreeBSD). 72155191Srwatson */ 73155191Srwatson#define AUDIT_TRIGGER_FILE "/dev/audit" 74155191Srwatson 75155191Srwatson/* 76155191Srwatson * The special device filename. 77155191Srwatson */ 78155191Srwatson#define AUDITDEV_FILENAME "audit" 79155191Srwatson 80155191Srwatson/* 81155191Srwatson * Pre-defined audit IDs 82155191Srwatson */ 83155191Srwatson#define AU_DEFAUDITID -1 84155191Srwatson 85155191Srwatson/* 86155191Srwatson * Define the masks for the classes of audit events. 87155191Srwatson */ 88155191Srwatson#define AU_NULL 0x00000000 89155191Srwatson#define AU_FREAD 0x00000001 90155191Srwatson#define AU_FWRITE 0x00000002 91155191Srwatson#define AU_FACCESS 0x00000004 92155191Srwatson#define AU_FMODIFY 0x00000008 93155191Srwatson#define AU_FCREATE 0x00000010 94155191Srwatson#define AU_FDELETE 0x00000020 95155191Srwatson#define AU_CLOSE 0x00000040 96155191Srwatson#define AU_PROCESS 0x00000080 97155191Srwatson#define AU_NET 0x00000100 98155191Srwatson#define AU_IPC 0x00000200 99155191Srwatson#define AU_NONAT 0x00000400 100155191Srwatson#define AU_ADMIN 0x00000800 101155191Srwatson#define AU_LOGIN 0x00001000 102155191Srwatson#define AU_TFM 0x00002000 103155191Srwatson#define AU_APPL 0x00004000 104155191Srwatson#define AU_SETL 0x00008000 105155191Srwatson#define AU_IFLOAT 0x00010000 106155191Srwatson#define AU_PRIV 0x00020000 107155191Srwatson#define AU_MAC_RW 0x00040000 108155191Srwatson#define AU_XCONN 0x00080000 109155191Srwatson#define AU_XCREATE 0x00100000 110155191Srwatson#define AU_XDELETE 0x00200000 111155191Srwatson#define AU_XIFLOAT 0x00400000 112155191Srwatson#define AU_XPRIVS 0x00800000 113155191Srwatson#define AU_XPRIVF 0x01000000 114155191Srwatson#define AU_XMOVE 0x02000000 115155191Srwatson#define AU_XDACF 0x04000000 116155191Srwatson#define AU_XMACF 0x08000000 117155191Srwatson#define AU_XSECATTR 0x10000000 118155191Srwatson#define AU_IOCTL 0x20000000 119155191Srwatson#define AU_EXEC 0x40000000 120155191Srwatson#define AU_OTHER 0x80000000 121155191Srwatson#define AU_ALL 0xffffffff 122155191Srwatson 123155191Srwatson/* 124161635Srwatson * IPC types. 125155191Srwatson */ 126155191Srwatson#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ 127155191Srwatson#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ 128155191Srwatson#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */ 129155191Srwatson 130155191Srwatson/* 131155191Srwatson * Audit conditions. 132155191Srwatson */ 133155191Srwatson#define AUC_UNSET 0 134155191Srwatson#define AUC_AUDITING 1 135155191Srwatson#define AUC_NOAUDIT 2 136155191Srwatson#define AUC_DISABLED -1 137155191Srwatson 138155191Srwatson/* 139155191Srwatson * auditon(2) commands. 140155191Srwatson */ 141155191Srwatson#define A_GETPOLICY 2 142155191Srwatson#define A_SETPOLICY 3 143155191Srwatson#define A_GETKMASK 4 144155191Srwatson#define A_SETKMASK 5 145155191Srwatson#define A_GETQCTRL 6 146155191Srwatson#define A_SETQCTRL 7 147155191Srwatson#define A_GETCWD 8 148155191Srwatson#define A_GETCAR 9 149155191Srwatson#define A_GETSTAT 12 150155191Srwatson#define A_SETSTAT 13 151155191Srwatson#define A_SETUMASK 14 152155191Srwatson#define A_SETSMASK 15 153155191Srwatson#define A_GETCOND 20 154155191Srwatson#define A_SETCOND 21 155155191Srwatson#define A_GETCLASS 22 156155191Srwatson#define A_SETCLASS 23 157155191Srwatson#define A_GETPINFO 24 158155191Srwatson#define A_SETPMASK 25 159155191Srwatson#define A_SETFSIZE 26 160155191Srwatson#define A_GETFSIZE 27 161155191Srwatson#define A_GETPINFO_ADDR 28 162155191Srwatson#define A_GETKAUDIT 29 163155191Srwatson#define A_SETKAUDIT 30 164155191Srwatson#define A_SENDTRIGGER 31 165155191Srwatson 166155191Srwatson/* 167155191Srwatson * Audit policy controls. 168155191Srwatson */ 169155191Srwatson#define AUDIT_CNT 0x0001 170155191Srwatson#define AUDIT_AHLT 0x0002 171155191Srwatson#define AUDIT_ARGV 0x0004 172155191Srwatson#define AUDIT_ARGE 0x0008 173161635Srwatson#define AUDIT_SEQ 0x0010 174161635Srwatson#define AUDIT_WINDATA 0x0020 175161635Srwatson#define AUDIT_USER 0x0040 176161635Srwatson#define AUDIT_GROUP 0x0080 177161635Srwatson#define AUDIT_TRAIL 0x0100 178161635Srwatson#define AUDIT_PATH 0x0200 179161635Srwatson#define AUDIT_SCNT 0x0400 180161635Srwatson#define AUDIT_PUBLIC 0x0800 181161635Srwatson#define AUDIT_ZONENAME 0x1000 182161635Srwatson#define AUDIT_PERZONE 0x2000 183155191Srwatson 184155191Srwatson/* 185161635Srwatson * Audit queue control parameters. 186155191Srwatson */ 187155191Srwatson#define AQ_HIWATER 100 188155191Srwatson#define AQ_MAXHIGH 10000 189155191Srwatson#define AQ_LOWATER 10 190155191Srwatson#define AQ_BUFSZ 1024 191155191Srwatson#define AQ_MAXBUFSZ 1048576 192155191Srwatson 193155191Srwatson/* 194155191Srwatson * Default minimum percentage free space on file system. 195155191Srwatson */ 196155191Srwatson#define AU_FS_MINFREE 20 197155191Srwatson 198155191Srwatson/* 199155191Srwatson * Type definitions used indicating the length of variable length addresses 200155191Srwatson * in tokens containing addresses, such as header fields. 201155191Srwatson */ 202155191Srwatson#define AU_IPv4 4 203155191Srwatson#define AU_IPv6 16 204155191Srwatson 205155191Srwatson__BEGIN_DECLS 206155191Srwatson 207155191Srwatsontypedef uid_t au_id_t; 208155191Srwatsontypedef pid_t au_asid_t; 209146759Srwatsontypedef u_int16_t au_event_t; 210155191Srwatsontypedef u_int16_t au_emod_t; 211155191Srwatsontypedef u_int32_t au_class_t; 212146759Srwatson 213155191Srwatsonstruct au_tid { 214155191Srwatson dev_t port; 215155191Srwatson u_int32_t machine; 216155191Srwatson}; 217155191Srwatsontypedef struct au_tid au_tid_t; 218155191Srwatson 219155191Srwatsonstruct au_tid_addr { 220155191Srwatson dev_t at_port; 221155191Srwatson u_int32_t at_type; 222155191Srwatson u_int32_t at_addr[4]; 223155191Srwatson}; 224155191Srwatsontypedef struct au_tid_addr au_tid_addr_t; 225155191Srwatson 226155191Srwatsonstruct au_mask { 227155191Srwatson unsigned int am_success; /* Success bits. */ 228155191Srwatson unsigned int am_failure; /* Failure bits. */ 229155191Srwatson}; 230155191Srwatsontypedef struct au_mask au_mask_t; 231155191Srwatson 232155191Srwatsonstruct auditinfo { 233155191Srwatson au_id_t ai_auid; /* Audit user ID. */ 234155191Srwatson au_mask_t ai_mask; /* Audit masks. */ 235155191Srwatson au_tid_t ai_termid; /* Terminal ID. */ 236155191Srwatson au_asid_t ai_asid; /* Audit session ID. */ 237155191Srwatson}; 238155191Srwatsontypedef struct auditinfo auditinfo_t; 239155191Srwatson 240155191Srwatsonstruct auditinfo_addr { 241155191Srwatson au_id_t ai_auid; /* Audit user ID. */ 242155191Srwatson au_mask_t ai_mask; /* Audit masks. */ 243155191Srwatson au_tid_addr_t ai_termid; /* Terminal ID. */ 244155191Srwatson au_asid_t ai_asid; /* Audit session ID. */ 245155191Srwatson}; 246155191Srwatsontypedef struct auditinfo_addr auditinfo_addr_t; 247155191Srwatson 248155191Srwatsonstruct auditpinfo { 249155191Srwatson pid_t ap_pid; /* ID of target process. */ 250155191Srwatson au_id_t ap_auid; /* Audit user ID. */ 251155191Srwatson au_mask_t ap_mask; /* Audit masks. */ 252155191Srwatson au_tid_t ap_termid; /* Terminal ID. */ 253155191Srwatson au_asid_t ap_asid; /* Audit session ID. */ 254155191Srwatson}; 255155191Srwatsontypedef struct auditpinfo auditpinfo_t; 256155191Srwatson 257155191Srwatsonstruct auditpinfo_addr { 258155191Srwatson pid_t ap_pid; /* ID of target process. */ 259155191Srwatson au_id_t ap_auid; /* Audit user ID. */ 260155191Srwatson au_mask_t ap_mask; /* Audit masks. */ 261155191Srwatson au_tid_addr_t ap_termid; /* Terminal ID. */ 262155191Srwatson au_asid_t ap_asid; /* Audit session ID. */ 263155191Srwatson}; 264155191Srwatsontypedef struct auditpinfo_addr auditpinfo_addr_t; 265155191Srwatson 266156289Srwatson/* 267156289Srwatson * Contents of token_t are opaque outside of libbsm. 268156289Srwatson */ 269155191Srwatsontypedef struct au_token token_t; 270155191Srwatson 271155191Srwatson/* 272155191Srwatson * Kernel audit queue control parameters. 273155191Srwatson */ 274155191Srwatsonstruct au_qctrl { 275155191Srwatson size_t aq_hiwater; 276155191Srwatson size_t aq_lowater; 277155191Srwatson size_t aq_bufsz; 278155191Srwatson clock_t aq_delay; 279155191Srwatson int aq_minfree; /* Minimum filesystem percent free space. */ 280155191Srwatson}; 281155191Srwatsontypedef struct au_qctrl au_qctrl_t; 282155191Srwatson 283155191Srwatson/* 284155191Srwatson * Structure for the audit statistics. 285155191Srwatson */ 286155191Srwatsonstruct audit_stat { 287155191Srwatson unsigned int as_version; 288155191Srwatson unsigned int as_numevent; 289155191Srwatson int as_generated; 290159256Srwatson int as_nonattrib; 291155191Srwatson int as_kernel; 292155191Srwatson int as_audit; 293155191Srwatson int as_auditctl; 294159256Srwatson int as_enqueue; 295155191Srwatson int as_written; 296155191Srwatson int as_wblocked; 297155191Srwatson int as_rblocked; 298155191Srwatson int as_dropped; 299155191Srwatson int as_totalsize; 300155191Srwatson unsigned int as_memused; 301155191Srwatson}; 302155191Srwatsontypedef struct audit_stat au_stat_t; 303155191Srwatson 304155191Srwatson/* 305155191Srwatson * Structure for the audit file statistics. 306155191Srwatson */ 307155191Srwatsonstruct audit_fstat { 308155191Srwatson u_quad_t af_filesz; 309155191Srwatson u_quad_t af_currsz; 310155191Srwatson}; 311155191Srwatsontypedef struct audit_fstat au_fstat_t; 312155191Srwatson 313155191Srwatson/* 314155191Srwatson * Audit to event class mapping. 315155191Srwatson */ 316155191Srwatsonstruct au_evclass_map { 317155191Srwatson au_event_t ec_number; 318155191Srwatson au_class_t ec_class; 319155191Srwatson}; 320155191Srwatsontypedef struct au_evclass_map au_evclass_map_t; 321155191Srwatson 322156289Srwatson/* 323156289Srwatson * Audit system calls. 324156289Srwatson */ 325155191Srwatson#if !defined(_KERNEL) && !defined(KERNEL) 326155191Srwatsonint audit(const void *, int); 327155191Srwatsonint auditon(int, void *, int); 328155191Srwatsonint auditctl(const char *); 329155191Srwatsonint getauid(au_id_t *); 330155191Srwatsonint setauid(const au_id_t *); 331155191Srwatsonint getaudit(struct auditinfo *); 332155191Srwatsonint setaudit(const struct auditinfo *); 333155191Srwatsonint getaudit_addr(struct auditinfo_addr *, int); 334155191Srwatsonint setaudit_addr(const struct auditinfo_addr *, int); 335155191Srwatson#endif /* defined(_KERNEL) || defined(KERNEL) */ 336155191Srwatson 337155191Srwatson__END_DECLS 338155191Srwatson 339155191Srwatson#endif /* !_BSM_AUDIT_H */ 340