openbsm/bsm/auditd_lib.h

186545Srwatson/*-
186545Srwatson * Copyright (c) 2008 Apple Inc.
186545Srwatson * All rights reserved.
186545Srwatson *
186545Srwatson * Redistribution and use in source and binary forms, with or without
186545Srwatson * modification, are permitted provided that the following conditions
186545Srwatson * are met:
186545Srwatson * 1.  Redistributions of source code must retain the above copyright
186545Srwatson *     notice, this list of conditions and the following disclaimer.
186545Srwatson * 2.  Redistributions in binary form must reproduce the above copyright
186545Srwatson *     notice, this list of conditions and the following disclaimer in the
186545Srwatson *     documentation and/or other materials provided with the distribution.
186545Srwatson * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
186545Srwatson *     its contributors may be used to endorse or promote products derived
186545Srwatson *     from this software without specific prior written permission.
186545Srwatson *
186545Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
186545Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
186545Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
186545Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
186545Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
186545Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
186545Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
186545Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
186545Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
186545Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
186545Srwatson * POSSIBILITY OF SUCH DAMAGE.
186545Srwatson *
243750Srwatson * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#5 $
186545Srwatson */
186545Srwatson
186545Srwatson#ifndef _BSM_AUDITD_LIB_H_
186545Srwatson#define	_BSM_AUDITD_LIB_H_
186545Srwatson
186545Srwatson/*
186545Srwatson * Lengths for audit trail file components.
186545Srwatson */
186545Srwatson#define	NOT_TERMINATED		"not_terminated"
186545Srwatson#define	CRASH_RECOVERY		"crash_recovery"
243750Srwatson#define	PREFIX_LEN	(sizeof("YYYYMMDDhhmmss") - 1)
243750Srwatson#define	POSTFIX_LEN	PREFIX_LEN
243750Srwatson#define	FILENAME_LEN	(PREFIX_LEN + 1 + POSTFIX_LEN)
243750Srwatson#define	TIMESTAMP_LEN	POSTFIX_LEN
186545Srwatson
186545Srwatson/*
186545Srwatson * Macro to generate the timestamp string for trail file.
186545Srwatson */
186545Srwatson#define	getTSstr(t, b, l)						\
186545Srwatson	( (((t) = time(0)) == (time_t)-1 ) ||				\
186545Srwatson	    !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)) ) ) ? -1 : 0
186545Srwatson
186545Srwatson/*
186545Srwatson * The symbolic link to the currently active audit trail file.
186545Srwatson */
186545Srwatson#define	AUDIT_CURRENT_LINK	"/var/audit/current"
186545Srwatson
186545Srwatson/*
186545Srwatson * Path of auditd plist file for launchd.
186545Srwatson */
186545Srwatson#define	AUDITD_PLIST_FILE 	\
187214Srwatson	    "/System/Library/LaunchDaemons/com.apple.auditd.plist"
186545Srwatson
186545Srwatson/*
186545Srwatson * Error return codes for auditd_lib functions.
186545Srwatson */
186545Srwatson#define	ADE_NOERR	  0	/* No Error or Success. */
186545Srwatson#define	ADE_PARSE	 -1	/* Error parsing audit_control(5). */
186545Srwatson#define	ADE_AUDITON	 -2	/* auditon(2) call failed. */
186545Srwatson#define	ADE_NOMEM	 -3	/* Error allocating memory. */
186545Srwatson#define	ADE_SOFTLIM	 -4	/* All audit log directories over soft limit. */
186545Srwatson#define	ADE_HARDLIM	 -5	/* All audit log directories over hard limit. */
186545Srwatson#define	ADE_STRERR	 -6	/* Error creating file name string. */
186545Srwatson#define	ADE_AU_OPEN	 -7	/* au_open(3) failed. */
186545Srwatson#define	ADE_AU_CLOSE	 -8	/* au_close(3) failed. */
186545Srwatson#define	ADE_SETAUDIT	 -9	/* setaudit(2) or setaudit_addr(2) failed. */
186545Srwatson#define	ADE_ACTL	-10	/* "Soft" error with auditctl(2). */
186545Srwatson#define	ADE_ACTLERR	-11	/* "Hard" error with auditctl(2). */
186545Srwatson#define	ADE_SWAPERR	-12	/* The audit trail file could not be swap. */
186545Srwatson#define	ADE_RENAME	-13	/* Error renaming crash recovery file. */
186545Srwatson#define	ADE_READLINK	-14	/* Error reading 'current' link. */
186545Srwatson#define	ADE_SYMLINK	-15	/* Error creating 'current' link. */
186545Srwatson#define	ADE_INVAL	-16	/* Invalid argument. */
186545Srwatson#define	ADE_GETADDR	-17	/* Error resolving address from hostname. */
186545Srwatson#define	ADE_ADDRFAM	-18	/* Address family not supported. */
189279Srwatson#define	ADE_EXPIRE	-19	/* Error expiring audit trail files. */
186545Srwatson
186545Srwatson/*
186545Srwatson * auditd_lib functions.
186545Srwatson */
186545Srwatsonconst char *auditd_strerror(int errcode);
186545Srwatsonint auditd_set_minfree(void);
189279Srwatsonint auditd_expire_trails(int (*warn_expired)(char *));
186545Srwatsonint auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
186545Srwatsonvoid auditd_close_dirs(void);
243750Srwatsonint auditd_set_dist(void);
186545Srwatsonint auditd_set_evcmap(void);
186545Srwatsonint auditd_set_namask(void);
186545Srwatsonint auditd_set_policy(void);
186545Srwatsonint auditd_set_fsize(void);
186545Srwatsonint auditd_set_host(void);
186545Srwatsonint auditd_swap_trail(char *TS, char **newfile, gid_t gid,
186545Srwatson    int (*warn_getacdir)(char *));
186545Srwatsonint auditd_prevent_audit(void);
186545Srwatsonint auditd_gen_record(int event, char *path);
186545Srwatsonint auditd_new_curlink(char *curfile);
243750Srwatsonint auditd_rename(const char *fromname, const char *toname);
186545Srwatsonint audit_quick_start(void);
186545Srwatsonint audit_quick_stop(void);
186545Srwatson
186545Srwatson#endif /* !_BSM_AUDITD_LIB_H_ */