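/*-
 * Copyright (c) 2004-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#50 $
 */

#ifndef _LIBBSM_H_
#define	_LIBBSM_H_

/*
 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
 */

#include <sys/types.h>
#include <sys/cdefs.h>

#include <inttypes.h>		/* Required for audit.h. */
#include <time.h>		/* Required for clock_t on Linux. */

#include <bsm/audit.h>
#include <bsm/audit_record.h>

#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>		/* audit_token_t */
#endif

/*
 * Size parsed token vectors for execve(2) arguments and environmental
 * variables.  Note: changing these sizes affects the ABI of the token
 * structure, and as the token structure is often placed in the caller stack,
 * this is undesirable.
 *
 * These constants size the text[] arrays of au_execarg_t and au_execenv_t
 * further down in this header.
 */
#define	AUDIT_MAX_ARGS	128
#define	AUDIT_MAX_ENV	128

/*
 * Arguments to au_preselect(3).
 */
#define	AU_PRS_USECACHE	0
#define	AU_PRS_REREAD	1

/*
 * Success/failure selectors; bit flags, combined in AU_PRS_BOTH and tested
 * by ADD_TO_MASK() / SUB_FROM_MASK() below.
 */
#define	AU_PRS_SUCCESS	1
#define	AU_PRS_FAILURE	2
#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)

/*
 * Paths of the audit configuration databases.
 * NOTE(review): presumably the files consulted by the getau*() and getac*()
 * query functions declared in this header -- confirm in the implementation.
 */
#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
#define	AUDIT_USER_FILE		"/etc/security/audit_user"

/*
 * Entry keywords.
 * NOTE(review): by name these are the keys of AUDIT_CONTROL_FILE lines read
 * by the getac*() functions -- confirm.
 */
#define	DIR_CONTROL_ENTRY		"dir"
#define	DIST_CONTROL_ENTRY		"dist"
#define	FILESZ_CONTROL_ENTRY		"filesz"
#define	FLAGS_CONTROL_ENTRY		"flags"
#define	HOST_CONTROL_ENTRY		"host"
#define	MINFREE_CONTROL_ENTRY		"minfree"
#define	NA_CONTROL_ENTRY		"naflags"
#define	POLICY_CONTROL_ENTRY		"policy"
#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"

/*
 * Size limits for names, descriptions and lines.
 * NOTE(review): whether each limit includes the terminating NUL is not
 * stated in this header; callers sizing buffers for the char * members of
 * the au_*_ent structures below should confirm that in the implementation.
 */
#define	AU_CLASS_NAME_MAX	8
#define	AU_CLASS_DESC_MAX	72
#define	AU_EVENT_NAME_MAX	30
#define	AU_EVENT_DESC_MAX	50
#define	AU_USER_NAME_MAX	50
#define	AU_LINE_MAX		256
#define	MAX_AUDITSTRING_LEN	256
#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */

/*
 * Arguments to au_close(3).
 */
#define	AU_TO_NO_WRITE	0	/* Abandon audit record. */
#define	AU_TO_WRITE	1	/* Commit audit record. */

/*
 * Output format flags for au_print_flags_tok().
 */
#define	AU_OFLAG_NONE		0x0000	/* Default form. */
#define	AU_OFLAG_RAW		0x0001	/* Raw, numeric form. */
#define	AU_OFLAG_SHORT		0x0002	/* Short form. */
#define	AU_OFLAG_XML		0x0004	/* XML form. */
#define	AU_OFLAG_NORESOLVE	0x0008	/* No user/group name resolution. */

__BEGIN_DECLS
/*
 * Entry types returned by the getauev*(), getauclass*() and getauuser*()
 * functions declared later in this header.
 *
 * NOTE(review): the char * members carry no length and this header does not
 * say who owns their storage.  The *_r() variants take a caller-supplied
 * entry, so presumably the caller also provides the string buffers (sized
 * with the AU_*_MAX limits above) -- confirm before relying on it.
 */
struct au_event_ent {
	au_event_t	 ae_number;
	char		*ae_name;
	char		*ae_desc;
	au_class_t	 ae_class;
};
typedef struct au_event_ent au_event_ent_t;

struct au_class_ent {
	char		*ac_name;
	au_class_t	 ac_class;
	char		*ac_desc;
};
typedef struct au_class_ent au_class_ent_t;

struct au_user_ent {
	char		*au_name;
	au_mask_t	 au_always;
	au_mask_t	 au_never;
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Preselection-mask helpers.  m (and v) point to objects with am_success
 * and am_failure members; c is a set of class bits; sel is a combination of
 * AU_PRS_SUCCESS and AU_PRS_FAILURE.
 *
 * Every argument is parenthesized in the expansion.  Without that, a
 * compound argument such as "a | b" is split by the higher-precedence & and
 * ^ operators of the expansion, so the wrong selector is tested or the wrong
 * class bits are kept in the mask -- which silently changes what gets
 * audited.
 *
 * The arguments are still evaluated more than once; pass expressions without
 * side effects.
 */

/* Set the bits of c in the success and/or failure half of *m, as sel says. */
#define	ADD_TO_MASK(m, c, sel) do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success |= (c);					\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure |= (c);					\
} while (0)

/*
 * Clear the bits of c in the success and/or failure half of *m, as sel
 * says.  "x &= (x ^ c)" keeps exactly the bits of x that are not set in c.
 */
#define	SUB_FROM_MASK(m, c, sel) do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success &= ((m)->am_success ^ (c));		\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure &= ((m)->am_failure ^ (c));		\
} while (0)

/* OR both halves of *v into *m. */
#define	ADDMASK(m, v) do {						\
	(m)->am_success |= (v)->am_success;				\
	(m)->am_failure |= (v)->am_failure;				\
} while(0)

/* Clear from both halves of *m the bits set in the same half of *v. */
#define	SUBMASK(m, v) do {						\
	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
} while(0)

__BEGIN_DECLS

/*
 * Terminal ID forms embedded in the process and subject token bodies below:
 * a 32- or 64-bit port plus either a single 32-bit address word or a typed
 * address of four 32-bit words.
 */
typedef struct au_tid32 {
	u_int32_t	port;
	u_int32_t	addr;
} au_tid32_t;

typedef struct au_tid64 {
	u_int64_t	port;
	u_int32_t	addr;
} au_tid64_t;

typedef struct au_tidaddr32 {
	u_int32_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr32_t;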
/*
 * Terminal ID with a 64-bit port and a typed address of four 32-bit words.
 */
typedef struct au_tidaddr64 {
	u_int64_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr64_t;

/*
 * Parsed token bodies.  Each typedef that follows is the type of one member
 * of the `tt` union in struct tokenstr; the table in front of it is the
 * record layout as documented by the original authors.
 *
 * NOTE(review): the length and count members (len, size, count, no) are
 * presumably filled from the audit record by au_fetch_tok().  Whether they
 * have been checked against the record length and against the fixed array
 * sizes used here is not visible in this header; code that walks trails
 * produced elsewhere should confirm that before using them as loop bounds.
 * Where the pointer members point, and for how long they remain valid, is
 * also not stated here (presumably into the record buffer) -- confirm.
 */

/*
 * argument #              1 byte
 * argument value          4 bytes/8 bytes (32-bit/64-bit value)
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_char		 no;
	u_int32_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg32_t;

typedef struct {
	u_char		 no;
	u_int64_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg64_t;

/*
 * how to print            1 byte
 * basic unit              1 byte
 * unit count              1 byte
 * data items              (depends on basic unit)
 */
typedef struct {
	u_char		 howtopr;
	u_char		 bu;
	u_char		 uc;
	u_char		*data;
} au_arb_t;

/*
 * file access mode        4 bytes
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * file system ID          4 bytes
 * node ID                 8 bytes
 * device                  4 bytes/8 bytes (32-bit/64-bit)
 */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int32_t	dev;
} au_attr32_t;

typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int64_t	dev;
} au_attr64_t;

/*
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * text[] has room for AUDIT_MAX_ARGS pointers while count is a full 32-bit
 * value.
 * NOTE(review): confirm that count is limited to AUDIT_MAX_ARGS before
 * indexing text[] with it.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ARGS];
} au_execarg_t;

/*
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * Same shape as au_execarg_t, with AUDIT_MAX_ENV slots; the same caveat
 * about count applies.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ENV];
} au_execenv_t;

/*
 * status                  4 bytes
 * return value            4 bytes
 */
typedef struct {
	u_int32_t	status;
	u_int32_t	ret;
} au_exit_t;

/*
 * seconds of time         4 bytes
 * milliseconds of time    4 bytes
 * file name length        2 bytes
 * file pathname           N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int32_t	 s;
	u_int32_t	 ms;
	u_int16_t	 len;
	char		*name;
} au_file_t;


/*
 * number groups           2 bytes
 * group list              N * 4 bytes
 *
 * list[] holds AUDIT_MAX_GROUPS entries.
 * NOTE(review): confirm that no is limited to AUDIT_MAX_GROUPS before using
 * it as an index bound.
 */
typedef struct {
	u_int16_t	no;
	u_int32_t	list[AUDIT_MAX_GROUPS];
} au_groups_t;

/*
 * record byte count       4 bytes
 * version #               1 byte    [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
 * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_t;

/*
 * record byte count       4 bytes
 * version #               1 byte     [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * address type/length     1 byte (XXX: actually, 4 bytes)
 * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time         4 bytes/8 bytes  (32/64-bits)
 * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
 *
 * NOTE(review): this table says nanoseconds while the plain header table
 * says milliseconds; both structures name the member ms.  Confirm the unit
 * before converting timestamps.
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_ex_t;

/* 64-bit time variants of the two header bodies above. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_t;

typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_ex_t;

/*
 * internet address        4 bytes
 */
typedef struct {
	u_int32_t	addr;
} au_inaddr_t;

/*
 * type                    4 bytes
 * internet address        16 bytes
 */
typedef struct {
	u_int32_t	type;
	u_int32_t	addr[4];
} au_inaddr_ex_t;

/*
 * version and ihl         1 byte
 * type of service         1 byte
 * length                  2 bytes
 * id                      2 bytes
 * offset                  2 bytes
 * ttl                     1 byte
 * protocol                1 byte
 * checksum                2 bytes
 * source address          4 bytes
 * destination address     4 bytes
 */
typedef struct {
	u_char		version;
	u_char		tos;
	u_int16_t	len;
	u_int16_t	id;
	u_int16_t	offset;
	u_char		ttl;
	u_char		prot;
	u_int16_t	chksm;
	u_int32_t	src;
	u_int32_t	dest;
} au_ip_t;

/*
 * object ID type          1 byte
 * object ID               4 bytes
 */
typedef struct {
	u_char		type;
	u_int32_t	id;
} au_ipc_t;

/*
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * creator user ID         4 bytes
 * creator group ID        4 bytes
 * access mode             4 bytes
 * slot sequence #         4 bytes
 * key                     4 bytes
 */
typedef struct {
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	puid;
	u_int32_t	pgid;
	u_int32_t	mode;
	u_int32_t	seq;
	u_int32_t	key;
} au_ipcperm_t;

/*
 * port IP address         2 bytes
 */
typedef struct {
	u_int16_t	port;
} au_iport_t;

/*
 * length                  2 bytes
 * data                    length bytes
 *
 * No terminating byte is listed for data; treat it as size bytes, not as a
 * C string.
 */
typedef struct {
	u_int16_t	 size;
	char		*data;
} au_opaque_t;

/*
 * path length             2 bytes
 * path                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*path;
} au_path_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address       4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_proc32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_proc64_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   type                  4 bytes
 *   machine address       16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_proc32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_proc64ex_t;

/*
 * error status            1 byte
 * return value            4 bytes/8 bytes (32-bit/64-bit value)
 *
 * The member names differ between the two widths: status/ret in the 32-bit
 * form, err/val in the 64-bit form.
 */
typedef struct {
	u_char		status;
	u_int32_t	ret;
} au_ret32_t;

typedef struct {
	u_char		err;
	u_int64_t	val;
} au_ret64_t;

/*
 * sequence number         4 bytes
 */
typedef struct {
	u_int32_t	seqno;
} au_seq_t;

/*
 * socket type             2 bytes
 * local port              2 bytes
 * local Internet address  4 bytes
 * remote port             2 bytes
 * remote Internet address 4 bytes
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_addr;
	u_int16_t	r_port;
	u_int32_t	r_addr;
} au_socket_t;

/*
 * socket type             2 bytes
 * local port              2 bytes
 * address type/length     4 bytes
 * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
 * remote port             4 bytes
 * address type/length     4 bytes
 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * NOTE(review): the table and the structure do not line up: the structure
 * has a domain member the table does not list, a single 16-bit atype where
 * the table lists two 4-byte address type/length fields, and a 32-bit
 * r_port next to a 16-bit l_port.  Check the parser before relying on
 * either description.
 */
typedef struct {
	u_int16_t	domain;
	u_int16_t	type;
	u_int16_t	atype;
	u_int16_t	l_port;
	u_int32_t	l_addr[4];
	u_int32_t	r_port;
	u_int32_t	r_addr[4];
} au_socket_ex32_t;

/*
 * socket family           2 bytes
 * local port              2 bytes
 * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr[4];
} au_socketinet_ex32_t;

typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr;
} au_socketinet32_t;

/*
 * socket family           2 bytes
 * path                    104 bytes
 *
 * NOTE(review): path is a fixed 104-byte array and the table reserves no
 * extra terminator byte; do not assume it is NUL-terminated without
 * confirming how it is filled.
 */
typedef struct {
	u_int16_t	family;
	char		path[104];
} au_socketunix_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address       4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_subject32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_subject64_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   type                  4 bytes
 *   machine address       16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_subject32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_subject64ex_t;

/*
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*text;
} au_text_t;

/*
 * upriv status            1 byte
 * privstr len             2 bytes
 * privstr                 N bytes + 1 (\0 byte)
 */
typedef struct {
	u_int8_t	 sorf;
	u_int16_t	 privstrlen;
	char		*priv;
} au_priv_t;

/*
 * privset
 * privtstrlen             2 bytes
 * privtstr                N Bytes + 1
 * privstrlen              2 bytes
 * privstr                 N Bytes + 1
 */
typedef struct {
	u_int16_t	 privtstrlen;
	char		*privtstr;
	u_int16_t	 privstrlen;
	char		*privstr;
} au_privset_t;

/*
 * zonename length         2 bytes
 * zonename text           N bytes + 1 NULL terminator
 */
typedef struct {
	u_int16_t	 len;
	char		*zonename;
} au_zonename_t;

/* No layout table is given for this body in the header. */
typedef struct {
	u_int32_t	ident;
	u_int16_t	filter;
	u_int16_t	flags;
	u_int32_t	fflags;
	u_int32_t	data;
} au_kevent_t;

/*
 * No layout table is given for this body either.
 * NOTE(review): by name, the body used for a token that could not be
 * interpreted; treat data as length raw bytes -- confirm.
 */
typedef struct {
	u_int16_t	 length;
	char		*data;
} au_invalid_t;

/*
 * trailer magic number    2 bytes
 * record byte count       4 bytes
 */
typedef struct {
	u_int16_t	magic;
	u_int32_t	count;
} au_trailer_t;

/*
 * One token of an audit record, as handled by au_fetch_tok() and the
 * au_print_*tok*() functions declared below.  id tells which member of tt
 * is meaningful.
 * NOTE(review): data/len presumably describe the token's raw bytes inside
 * the record buffer; the buffer's lifetime is the caller's concern --
 * confirm.
 */
struct tokenstr {
	u_char	 id;
	u_char	*data;
	size_t	 len;
	union {
		au_arg32_t		arg32;
		au_arg64_t		arg64;
		au_arb_t		arb;
		au_attr32_t		attr32;
		au_attr64_t		attr64;
		au_execarg_t		execarg;
		au_execenv_t		execenv;
		au_exit_t		exit;
		au_file_t		file;
		au_groups_t		grps;
		au_header32_t		hdr32;
		au_header32_ex_t	hdr32_ex;
		au_header64_t		hdr64;
		au_header64_ex_t	hdr64_ex;
		au_inaddr_t		inaddr;
		au_inaddr_ex_t		inaddr_ex;
		au_ip_t			ip;
		au_ipc_t		ipc;
		au_ipcperm_t		ipcperm;
		au_iport_t		iport;
		au_opaque_t		opaque;
		au_path_t		path;
		au_proc32_t		proc32;
		au_proc32ex_t		proc32_ex;
		au_proc64_t		proc64;
		au_proc64ex_t		proc64_ex;
		au_ret32_t		ret32;
		au_ret64_t		ret64;
		au_seq_t		seq;
		au_socket_t		socket;
		au_socket_ex32_t	socket_ex32;
		au_socketinet_ex32_t	sockinet_ex32;
		au_socketunix_t		sockunix;
		au_subject32_t		subj32;
		au_subject32ex_t	subj32_ex;
		au_subject64_t		subj64;
		au_subject64ex_t	subj64_ex;
		au_text_t		text;
		au_kevent_t		kevent;
		au_invalid_t		invalid;
		au_trailer_t		trail;
		au_zonename_t		zonename;
		au_priv_t		priv;
		au_privset_t		privset;
	} tt; /* The token is one of the above types */
};

typedef struct tokenstr tokenstr_t;

/*
 * NOTE(review): fmt, ... presumably follow printf conventions.  If so, pass
 * a literal format and hand variable text over as a %s argument rather than
 * as the format itself -- confirm against the implementation.
 */
int audit_submit(short au_event, au_id_t auid, char status, int reterr,
    const char *fmt, ...);

/*
 * Functions relating to querying audit class information.
 *
 * The *_r() variants take a caller-supplied au_class_ent_t.
 */
void setauclass(void);
void endauclass(void);
struct au_class_ent *getauclassent(void);
struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
struct au_class_ent *getauclassnam(const char *name);
struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
    const char *name);
struct au_class_ent *getauclassnum(au_class_t class_number);
struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
    au_class_t class_number);

/*
 * Functions relating to querying audit control information.
 */
/*
 * Several of these functions fill a caller-supplied buffer (name, auditstr,
 * buf) whose capacity is passed next to it; note that the capacity is an
 * int for some functions and a size_t for others, so a size_t capacity
 * should be range-checked before it is narrowed to int.
 * NOTE(review): getauditflagsbin() and getauditflagschar() take auditstr
 * with no length at all; the required size (MAX_AUDITSTRING_LEN?) is not
 * stated here -- confirm.
 */
void setac(void);
void endac(void);
int getacdir(char *name, int len);
int getacdist(void);
int getacexpire(int *andflg, time_t *age, size_t *size);
int getacfilesz(size_t *size_val);
int getacflg(char *auditstr, int len);
int getachost(char *auditstr, size_t len);
int getacmin(int *min_val);
int getacna(char *auditstr, int len);
int getacpol(char *auditstr, size_t len);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks, int verbose);
int au_preselect(au_event_t event, au_mask_t *mask_p, int sorf, int flag);
ssize_t au_poltostr(int policy, size_t maxsize, char *buf);
int au_strtopol(const char *polstr, int *policy);

/*
 * Functions relating to querying audit event information.
 *
 * The *_r() variants take a caller-supplied result object (e or ev).
 */
void setauevent(void);
void endauevent(void);
struct au_event_ent *getauevent(void);
struct au_event_ent *getauevent_r(struct au_event_ent *e);
struct au_event_ent *getauevnam(const char *name);
struct au_event_ent *getauevnam_r(struct au_event_ent *e, const char *name);
struct au_event_ent *getauevnum(au_event_t event_number);
struct au_event_ent *getauevnum_r(struct au_event_ent *e,
    au_event_t event_number);
au_event_t *getauevnonam(const char *event_name);
au_event_t *getauevnonam_r(au_event_t *ev, const char *event_name);

/*
 * Functions relating to querying audit user information.
 */
void setauuser(void);
void endauuser(void);
struct au_user_ent *getauuserent(void);
struct au_user_ent *getauuserent_r(struct au_user_ent *u);
struct au_user_ent *getauusernam(const char *name);
struct au_user_ent *getauusernam_r(struct au_user_ent *u, const char *name);
int au_user_mask(char *username, au_mask_t *mask_p);
int getfauditflags(au_mask_t *usremask, au_mask_t *usrdmask,
    au_mask_t *lastmask);

/*
 * Functions for reading and printing records and tokens from audit trails.
 *
 * NOTE(review): au_read_rec() returns the record through *buf; who frees
 * that buffer is not stated here -- confirm.  au_fetch_tok() takes the
 * remaining length as an int; pass the number of bytes actually left in buf
 * so the parser is not told it may read further than the record extends.
 */
int au_read_rec(FILE *fp, u_char **buf);
int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
//XXX The following interface has different prototype from BSM
void au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw,
    char sfrm);
void au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del,
    int oflags);
void au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
    char sfrm);

/*
 * Functions relating to XML output.
 */
void au_print_xml_header(FILE *outfp);
void au_print_xml_footer(FILE *outfp);

/*
 * BSM library routines for converting between local and BSM constant spaces.
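 * (Note: some of these are replicated in audit_record.h for the benefit of
 * the FreeBSD and Mac OS X kernels)
 *
 * The au_bsm_to_*() functions return an int and deliver the converted value
 * through their pointer argument; the *_to_bsm() functions return the
 * converted value directly.
 * NOTE(review): the meaning of the int return (presumably a success/failure
 * status for values with no local equivalent) is not stated here -- check it
 * before using the output argument.
 */
int	 au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
int	 au_bsm_to_errno(u_char bsm_error, int *errorp);
int	 au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
int	 au_bsm_to_socket_type(u_short bsm_socket_type,
	    int *local_socket_typep);
u_short	 au_domain_to_bsm(int local_domain);
u_char	 au_errno_to_bsm(int local_errno);
u_short	 au_fcntl_cmd_to_bsm(int local_fcntl_command);
u_short	 au_socket_type_to_bsm(int local_socket_type);

const char	*au_strerror(u_char bsm_error);
__END_DECLS

/*
 * The remaining APIs are associated with Apple's BSM implementation, in
 * particular as relates to Mach IPC auditing and triggers passed via Mach
 * IPC.
 */
#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future.  Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
#define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
 */
#ifdef __APPLE_API_PRIVATE
#define	AUDIT_OFF	AUC_NOAUDIT
#define	AUDIT_ON	AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren.  We have 255 (not including kAUNoErr) to play with.
 *
 * Only the first two enumerators carry explicit values; the rest count up
 * by one from kAUBadParamErr, so every error code is negative and
 * kAUNoErr (0) is the only success value.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
enum {
	kAUNoErr			= 0,
	kAUBadParamErr			= -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions.  These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting.  Shame on you.
 *
 * The expansion is parenthesized so that AU_UNIMPL stays a single value
 * inside larger expressions (for instance "x * AU_UNIMPL" or "-AU_UNIMPL").
 * NOTE(review): none of the #include lines visible in this header is
 * <notify.h>, so code using AU_UNIMPL presumably has to include it for
 * NOTIFY_STATUS_FAILED -- confirm.
 */
#ifdef __APPLE_API_PRIVATE
#define	AU_UNIMPL	(NOTIFY_STATUS_FAILED + 1)	/* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX  This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects.  However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched.  In that case, the caller can deallocate the
 * token_t using au_free_token() if desired.  This is, in fact, what
 * audit_write() does, in keeping with the existing memory management model
 * of the BSM API.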
 *
 * @param tok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  For convenience, tok may be NULL, in which case
 * au_free_token() returns immediately.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void au_free_token(token_t *tok);

/*
 * au_get_state()
 *
 * Lightweight check of whether auditing is enabled.  Every call reports the
 * current state, so a caller that wants one decision to cover a whole
 * sequence of audit calls (the usual build-tokens-then-write pattern) should
 * store the result in a local variable and reuse it.
 *
 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.  Otherwise
 * the function can return any of the errno values defined for setaudit(2),
 * or AU_UNIMPL if audit does not appear to be supported by the system.
 * Callers therefore have to compare against AUC_AUDITING explicitly; a
 * non-zero result does not by itself mean "auditing on".
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int au_get_state(void);

/*
 * Initialize the audit notification.  If this has not been done explicitly,
 * it happens automatically on the first call of au_get_state().
 */
uint32_t au_notify_initialize(void);

/*
 * Cancel audit notification and free the resources associated with it.
 * Responsible code that no longer needs to use au_get_state() should call
 * this.
 */
int au_notify_terminate(void);
__END_DECLS

/*
 * OpenSSH compatibility
 *
 * NOTE(review): unlike its neighbours, this prototype sits outside any
 * __BEGIN_DECLS/__END_DECLS pair.
 */
int cannot_audit(int);

__BEGIN_DECLS
/*
 * audit_set_terminal_id()
 *
 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
 * used in audit session initialization by processes like /usr/bin/login.
 *
 * @param tid - A pointer to an au_tid_t struct.
 *
 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
 * or kAUSysctlErr if one of the underlying system calls fails (a message
 * is sent to the system log in those cases).
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_set_terminal_id(au_tid_t *tid);

/*
 * BEGIN au_write() WRAPPERS
 *
 * The calls below all wrap the existing BSM API.  From the subject
 * information they are given, if any, they construct the subject token
 * required for every log message; from the return/error value(s) they are
 * given, if any, they construct the success/failure indication required for
 * every log message.  They permit only one "miscellaneous" token, which
 * should contain the event-specific logging information mandated by CAPP.
 *
 * All these calls assume the caller has previously determined that
 * auditing is enabled by calling au_get_state().
 */

/*
 * audit_write()
 *
 * @summary - audit_write() is the basis for the other audit_write_*()
 * calls.  It performs a basic write of an audit record (subject, additional
 * info, success/failure).  Only one caller-specified token can be logged
 * this way; clients needing to log more flexibly must use the existing BSM
 * API (au_open(), et al.) directly.
 *
 * Note on memory management: audit_write() guarantees that the token_t *s
 * passed to it will be deallocated whether or not the underlying write to
 * the audit log succeeded.  This addresses an inconsistency in the
 * underlying BSM API in which token_t *s are usually but not always
 * deallocated.  A caller must therefore neither free nor reuse subject or
 * misctok once audit_write() has been called, whatever it returns.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param subject - A token_t * generated by au_to_subject(),
 * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
 * required, subject should be NULL.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @param retval - The return value to be logged for this event.  This
 * should be 0 (zero) for success, otherwise the value is event-specific.
 * The parameter is a char, so only values that fit a char are passed
 * through unchanged.
 *
 * @param errcode - Any error code associated with the return value (e.g.,
 * errno or h_errno).  If there was no error, errcode should be 0 (zero).
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write(short event_code, token_t *subject, token_t *misctok,
    char retval, int errcode);

/*
 * audit_write_success()
 *
 * @summary - audit_write_success() records an auditable event that did not
 * encounter an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_success_self().
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
    au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_success_self()
 *
 * @summary - Similar to audit_write_success(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success_self(short event_code, token_t *misctok);

/*
 * audit_write_failure()
 *
 * @summary - audit_write_failure() records an auditable event that
 * encountered an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * au_write_failure_self().
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1198 */ 1199int audit_write_failure(short event_code, char *errmsg, int errret, 1200 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1201 pid_t pid, au_asid_t sid, au_tid_t *tid); 1202 1203/* 1204 * audit_write_failure_self() 1205 * 1206 * @summary - Similar to audit_write_failure(), but used when the subject 1207 * (process) is owned and operated by the auditable user him/herself. 1208 * 1209 * @param event_code - The code for the event being logged. This should 1210 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1211 * 1212 * @param errmsg - A text message providing additional information about 1213 * the event being audited. 1214 * 1215 * @param errret - A numerical value providing additional information about 1216 * the error. This is intended to store the value of errno or h_errno if 1217 * it's relevant. This can be 0 (zero) if no additional information is 1218 * available. 1219 * 1220 * @return - The status of the call: 0 (zero) on success, else one of the 1221 * kAU*Err values defined above. 1222 * 1223 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1224 */ 1225int audit_write_failure_self(short event_code, char *errmsg, int errret); 1226 1227/* 1228 * audit_write_failure_na() 1229 * 1230 * @summary - audit_write_failure_na() records errors during login. Such 1231 * errors are implicitly non-attributable (i.e., not ascribable to any user). 1232 * 1233 * @param event_code - The code for the event being logged. This should 1234 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1235 * 1236 * @param errmsg - A text message providing additional information about 1237 * the event being audited. 1238 * 1239 * @param errret - A numerical value providing additional information about 1240 * the error. This is intended to store the value of errno or h_errno if 1241 * it's relevant. This can be 0 (zero) if no additional information is 1242 * available. 
1243 * 1244 * @param euid - The subject's effective user ID. 1245 * 1246 * @param egid - The subject's effective group ID. 1247 * 1248 * @param pid - The subject's process ID. 1249 * 1250 * @param tid - The subject's terminal ID. 1251 * 1252 * @return - The status of the call: 0 (zero) on success, else one of the 1253 * kAU*Err values defined above. 1254 * 1255 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1256 */ 1257int audit_write_failure_na(short event_code, char *errmsg, int errret, 1258 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1259 1260/* END au_write() WRAPPERS */ 1261 1262#ifdef __APPLE__ 1263/* 1264 * audit_token_to_au32() 1265 * 1266 * @summary - Extract information from an audit_token_t, used to identify 1267 * Mach tasks and senders of Mach messages as subjects to the audit system. 1268 * audit_tokent_to_au32() is the only method that should be used to parse 1269 * an audit_token_t, since its internal representation may change over 1270 * time. A pointer parameter may be NULL if that information is not 1271 * needed. 
1272 * 1273 * @param atoken - the audit token containing the desired information 1274 * 1275 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1276 * sender's audit user ID 1277 * 1278 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1279 * sender's effective user ID 1280 * 1281 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1282 * sender's effective group ID 1283 * 1284 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1285 * sender's real user ID 1286 * 1287 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1288 * sender's real group ID 1289 * 1290 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1291 * sender's process ID 1292 * 1293 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1294 * task or sender's audit session ID 1295 * 1296 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1297 * or sender's terminal ID 1298 * 1299 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1300 */ 1301void audit_token_to_au32( 1302 audit_token_t atoken, 1303 uid_t *auidp, 1304 uid_t *euidp, 1305 gid_t *egidp, 1306 uid_t *ruidp, 1307 gid_t *rgidp, 1308 pid_t *pidp, 1309 au_asid_t *asidp, 1310 au_tid_t *tidp); 1311#endif /* !__APPLE__ */ 1312 1313/* 1314 * Wrapper functions to auditon(2). 
1315 */ 1316int audit_get_car(char *path, size_t sz); 1317int audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1318int audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1319int audit_get_cond(int *cond); 1320int audit_set_cond(int *cond); 1321int audit_get_cwd(char *path, size_t sz); 1322int audit_get_fsize(au_fstat_t *fstat, size_t sz); 1323int audit_set_fsize(au_fstat_t *fstat, size_t sz); 1324int audit_get_kmask(au_mask_t *kmask, size_t sz); 1325int audit_set_kmask(au_mask_t *kmask, size_t sz); 1326int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1327int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1328int audit_set_pmask(auditpinfo_t *api, size_t sz); 1329int audit_get_pinfo(auditpinfo_t *api, size_t sz); 1330int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1331int audit_get_policy(int *policy); 1332int audit_set_policy(int *policy); 1333int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1334int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1335int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1336int audit_get_stat(au_stat_t *stats, size_t sz); 1337int audit_set_stat(au_stat_t *stats, size_t sz); 1338int audit_send_trigger(int *trigger); 1339 1340__END_DECLS 1341 1342#endif /* !_LIBBSM_H_ */ 1343