1139747Simp/*-
24Srgrimes * Copyright (c) 2005-2009 Apple Inc.
34Srgrimes * All rights reserved.
44Srgrimes *
58876Srgrimes * Redistribution and use in source and binary forms, with or without
64Srgrimes * modification, are permitted provided that the following conditions
74Srgrimes * are met:
84Srgrimes *
94Srgrimes * 1.  Redistributions of source code must retain the above copyright
104Srgrimes *     notice, this list of conditions and the following disclaimer.
118876Srgrimes * 2.  Redistributions in binary form must reproduce the above copyright
128876Srgrimes *     notice, this list of conditions and the following disclaimer in the
134Srgrimes *     documentation and/or other materials provided with the distribution.
144Srgrimes * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
158876Srgrimes *     its contributors may be used to endorse or promote products derived
164Srgrimes *     from this software without specific prior written permission.
178876Srgrimes *
184Srgrimes * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
194Srgrimes * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
204Srgrimes * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
214Srgrimes * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
228876Srgrimes * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
234Srgrimes * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
244Srgrimes * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
254Srgrimes * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
264Srgrimes * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
274Srgrimes * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
284Srgrimes *
294Srgrimes * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10
30116176Sobrien * $FreeBSD: head/sys/bsm/audit.h 195740 2009-07-17 14:02:20Z rwatson $
31116176Sobrien */
32116176Sobrien
33116176Sobrien#ifndef	_BSM_AUDIT_H
342056Swollman#define	_BSM_AUDIT_H
35196019Srwatson
36195699Srwatson#include <sys/param.h>
372056Swollman#include <sys/types.h>
3812734Sbde
/*
 * Audit record and trail size limits.  MAXAUDITDATA is 0x7fff (32767)
 * bytes and MAX_AUDIT_RECORD_SIZE is an alias for it; AQ_BUFSZ below also
 * defaults to it.  How MAX_AUDIT_RECORDS and MIN_AUDIT_FILE_SIZE are
 * enforced is not shown in this header.
 */
#define	AUDIT_RECORD_MAGIC	0x828a0f1b
#define	MAX_AUDIT_RECORDS	20
#define	MAXAUDITDATA		(0x8000 - 1)	/* 32767 bytes. */
#define	MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA
#define	MIN_AUDIT_FILE_SIZE	(512 * 1024)	/* 512 KiB. */
444Srgrimes
45126204Sphk/*
 * Minimum number of free blocks on the filesystem containing the audit
474Srgrimes * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0
484Srgrimes * as the kernel does an unsigned compare, plus we want to leave a few blocks
494Srgrimes * free so userspace can terminate the log, etc.
50923Sdg */
514Srgrimes#define	AUDIT_HARD_LIMIT_FREE_BLOCKS	4
52923Sdg
534Srgrimes/*
5412515Sphk * Triggers for the audit daemon.
5512515Sphk */
564Srgrimes#define	AUDIT_TRIGGER_MIN		1
5727122Sbde#define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
584Srgrimes#define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
5992756Salfred#define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
6092756Salfred#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
6192756Salfred#define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
6292756Salfred#define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests rotate. */
634Srgrimes#define	AUDIT_TRIGGER_INITIALIZE	7	/* User initialize of auditd. */
64195699Srwatson#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8	/* User expiration of trails. */
65195699Srwatson#define	AUDIT_TRIGGER_MAX		8
66195699Srwatson
/*
 * The special device filename (FreeBSD).  AUDIT_TRIGGER_FILE is built by
 * string-literal concatenation and expands to "/dev/audit".
 */
#define	AUDITDEV_FILENAME	"audit"
#define	AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)
72195699Srwatson
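/*
 * Pre-defined audit IDs.  Each expansion is fully parenthesized so the
 * negative values are safe inside a larger expression (e.g.
 * "2 * AU_ASSIGN_ASID").  AU_DEFAUDITID is the all-ones uid_t, i.e. the
 * same value as (uid_t)-1; AU_DEFAUDITSID is 0; AU_ASSIGN_ASID is -1.
 */
#define	AU_DEFAUDITID	((uid_t)(-1))
#define	AU_DEFAUDITSID	0
#define	AU_ASSIGN_ASID	(-1)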
79195699Srwatson
80195699Srwatson/*
81195699Srwatson * IPC types.
82195699Srwatson */
83195699Srwatson#define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
84195699Srwatson#define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */
85195699Srwatson#define	AT_IPC_SHM	((u_char)3)	/* Shared mem IPC id. */
86195699Srwatson
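/*
 * Audit conditions: the kernel-wide audit state, presumably the value
 * exchanged through A_GETCOND/A_SETCOND (and the A_OLD* forms) below.
 * AUC_DISABLED is parenthesized so the negative value is safe inside a
 * larger expression.
 */
#define	AUC_UNSET		0
#define	AUC_AUDITING		1
#define	AUC_NOAUDIT		2
#define	AUC_DISABLED		(-1)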
94195699Srwatson
/*
 * auditon(2) commands.  The A_OLD* names have newer counterparts further
 * down the list (A_OLDGETPOLICY/A_GETPOLICY, A_OLDGETQCTRL/A_GETQCTRL,
 * A_OLDGETCOND/A_GETCOND and their SET forms); which argument layout each
 * pair expects is defined by the kernel, not by this header.  Gaps in the
 * numbering (10-11, 16-19) are not assigned here.
 */
#define	A_OLDGETPOLICY	2
#define	A_OLDSETPOLICY	3
#define	A_GETKMASK	4
#define	A_SETKMASK	5
#define	A_OLDGETQCTRL	6
#define	A_OLDSETQCTRL	7
#define	A_GETCWD	8
#define	A_GETCAR	9
#define	A_GETSTAT	12
#define	A_SETSTAT	13
#define	A_SETUMASK	14
#define	A_SETSMASK	15
#define	A_OLDGETCOND	20
#define	A_OLDSETCOND	21
#define	A_GETCLASS	22
#define	A_SETCLASS	23
#define	A_GETPINFO	24
#define	A_SETPMASK	25
#define	A_SETFSIZE	26
#define	A_GETFSIZE	27
#define	A_GETPINFO_ADDR	28
#define	A_GETKAUDIT	29
#define	A_SETKAUDIT	30
#define	A_SENDTRIGGER	31
#define	A_GETSINFO_ADDR	32
#define	A_GETPOLICY	33
#define	A_SETPOLICY	34
#define	A_GETQCTRL	35
#define	A_SETQCTRL	36
#define	A_GETCOND	37
#define	A_SETCOND	38
129195699Srwatson
/*
 * Audit policy controls.  Each value is a distinct single bit, so they can
 * be OR'd together into one policy word; presumably this is the word
 * exchanged through A_GETPOLICY/A_SETPOLICY (and the A_OLD* forms).  The
 * meaning of each bit is defined by the kernel; see auditon(2).
 */
#define	AUDIT_CNT	0x0001
#define	AUDIT_AHLT	0x0002
#define	AUDIT_ARGV	0x0004
#define	AUDIT_ARGE	0x0008
#define	AUDIT_SEQ	0x0010
#define	AUDIT_WINDATA	0x0020
#define	AUDIT_USER	0x0040
#define	AUDIT_GROUP	0x0080
#define	AUDIT_TRAIL	0x0100
#define	AUDIT_PATH	0x0200
#define	AUDIT_SCNT	0x0400
#define	AUDIT_PUBLIC	0x0800
#define	AUDIT_ZONENAME	0x1000
#define	AUDIT_PERZONE	0x2000
147195699Srwatson
148195699Srwatson/*
149195699Srwatson * Default audit queue control parameters.
150195699Srwatson */
151195699Srwatson#define	AQ_HIWATER	100
152195699Srwatson#define	AQ_MAXHIGH	10000
153195699Srwatson#define	AQ_LOWATER	10
154195699Srwatson#define	AQ_BUFSZ	MAXAUDITDATA
155195699Srwatson#define	AQ_MAXBUFSZ	1048576
156195699Srwatson
157195699Srwatson/*
158195699Srwatson * Default minimum percentage free space on file system.
159195699Srwatson */
160195699Srwatson#define	AU_FS_MINFREE	20
161195699Srwatson
162195699Srwatson/*
163195699Srwatson * Type definitions used indicating the length of variable length addresses
164195699Srwatson * in tokens containing addresses, such as header fields.
165195699Srwatson */
166195699Srwatson#define	AU_IPv4		4
167195699Srwatson#define	AU_IPv6		16
168195699Srwatson
169195699Srwatson__BEGIN_DECLS
1704Srgrimes
/*
 * Basic BSM scalar types.  Audit user IDs reuse uid_t and audit session
 * IDs reuse pid_t; events, modifiers and classes are fixed-width types,
 * presumably so the token layout does not depend on the host's int size.
 */
typedef	uid_t		au_id_t;	/* Audit user ID. */
typedef	pid_t		au_asid_t;	/* Audit session ID. */
typedef	u_int16_t	au_event_t;	/* Event number. */
typedef	u_int16_t	au_emod_t;	/* Event modifier. */
typedef	u_int32_t	au_class_t;	/* Event class. */
/*
 * Session flags are forced to 8-byte alignment; presumably this keeps the
 * layout of the *_addr structures below identical on 32- and 64-bit
 * ABIs -- confirm.  Note that it can introduce padding before the flags
 * field, so sizeof those structures is not simply the sum of their fields.
 */
typedef	u_int64_t	au_asflgs_t __attribute__ ((aligned (8)));
1774Srgrimes
/*
 * Legacy terminal ID: a device plus a 32-bit host identifier.  The host
 * field is only 32 bits wide, so it can hold at most an IPv4-sized
 * address; struct au_tid_addr below is the variable-length replacement.
 * Used by struct auditinfo and struct auditpinfo.
 */
struct au_tid {
	dev_t		port;		/* Terminal device. */
	u_int32_t	machine;	/* 32-bit host identifier. */
};
typedef	struct au_tid	au_tid_t;
1834Srgrimes
/*
 * Terminal ID with a variable-length address.  at_type selects how much
 * of at_addr is meaningful -- presumably AU_IPv4 (4 bytes, at_addr[0]
 * only) or AU_IPv6 (16 bytes, all four words) -- so consumers should
 * validate at_type before reading beyond at_addr[0] or copying the
 * address out; confirm against the token encoders.  Used by the *_addr
 * structures below.
 */
struct au_tid_addr {
	dev_t		at_port;	/* Terminal device. */
	u_int32_t	at_type;	/* Address length; see AU_IPv4/AU_IPv6. */
	u_int32_t	at_addr[4];	/* 16 bytes: room for an IPv6 address. */
};
typedef	struct au_tid_addr	au_tid_addr_t;
1904Srgrimes
/*
 * Preselection mask: which events are audited when they succeed and when
 * they fail, respectively.  Presumably each bit corresponds to an
 * au_class_t class bit -- confirm; note the fields are declared
 * unsigned int rather than au_class_t, which only agree in width if int
 * is 32 bits.
 */
struct au_mask {
	unsigned int    am_success;     /* Success bits. */
	unsigned int    am_failure;     /* Failure bits. */
};
typedef	struct au_mask	au_mask_t;
1964Srgrimes
/*
 * Per-process audit state, legacy fixed-size form, as exchanged by
 * getaudit()/setaudit() (prototypes below).  Uses the 32-bit au_tid_t
 * terminal ID and carries no session flags; struct auditinfo_addr is the
 * extended form.
 */
struct auditinfo {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
};
typedef	struct auditinfo	auditinfo_t;
2044Srgrimes
/*
 * Per-process audit state, extended form, as exchanged by
 * getaudit_addr()/setaudit_addr() (prototypes below).  Differs from
 * struct auditinfo by using the variable-length au_tid_addr_t terminal ID
 * and adding ai_flags.  Because au_asflgs_t is 8-byte aligned the
 * compiler may pad before ai_flags, so always pass sizeof(struct
 * auditinfo_addr) rather than a hand-computed length.
 */
struct auditinfo_addr {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_addr_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
	au_asflgs_t	ai_flags;	/* Audit session flags (8-byte aligned). */
};
typedef	struct auditinfo_addr	auditinfo_addr_t;
21343926Sbde
/*
 * struct auditinfo plus the pid of the process it describes; presumably
 * the payload of the A_GETPINFO auditon(2) command -- confirm.  Legacy
 * fixed-size terminal ID, no session flags.
 */
struct auditpinfo {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
};
typedef	struct auditpinfo	auditpinfo_t;
2224Srgrimes
/*
 * struct auditinfo_addr plus the pid of the process it describes;
 * presumably the payload of the A_GETPINFO_ADDR auditon(2) command --
 * confirm.  As with auditinfo_addr, ap_flags is 8-byte aligned and may be
 * preceded by padding, so use sizeof(struct auditpinfo_addr) for lengths.
 */
struct auditpinfo_addr {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_addr_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
	au_asflgs_t	ap_flags;	/* Audit session flags (8-byte aligned). */
};
typedef	struct auditpinfo_addr	auditpinfo_addr_t;
23243309Sdillon
/*
 * Pairs a pointer to a process's full auditinfo_addr with a copy of its
 * preselection mask.  Because it holds a pointer it is only meaningful
 * within one address space; it is not a structure to copy across the
 * system-call boundary or write to a trail as-is.
 */
struct au_session {
	auditinfo_addr_t	*as_aia_p;	/* Ptr to full audit info. */
	au_mask_t		 as_mask;	/* Process Audit Masks. */
};
typedef struct au_session       au_session_t;
238195699Srwatson
239195699Srwatson/*
240195699Srwatson * Contents of token_t are opaque outside of libbsm.
241195699Srwatson */
242195699Srwatsontypedef	struct au_token	token_t;
243195699Srwatson
/*
 * Kernel audit queue control parameters (presumably the payload of
 * A_GETQCTRL/A_SETQCTRL and their A_OLD* forms; the kernel defines the
 * exact layout each command expects):
 * 			Default:		Maximum:
 * 	aq_hiwater:	AQ_HIWATER (100)	AQ_MAXHIGH (10000)
 * 	aq_lowater:	AQ_LOWATER (10)		<aq_hiwater
 * 	aq_bufsz:	AQ_BUFSZ (32767)	AQ_MAXBUFSZ (1048576)
 * 	aq_delay:	20			20000 (not used)
 * 	aq_minfree:	AU_FS_MINFREE (20)	(a percentage)
 * All fields are signed int; a setter should reject negative values and
 * aq_lowater >= aq_hiwater, as the table above requires.
 */
struct au_qctrl {
	int	aq_hiwater;	/* Max # of audit recs in queue when */
				/* threads with new ARs get blocked. */

	int	aq_lowater;	/* # of audit recs in queue when */
				/* blocked threads get unblocked. */

	int	aq_bufsz;	/* Max size of audit record for audit(2). */
	int	aq_delay;	/* Queue delay (not used). */
	int	aq_minfree;	/* Minimum filesystem percent free space. */
};
typedef	struct au_qctrl	au_qctrl_t;
264195699Srwatson
/*
 * Structure for the audit statistics; presumably the payload of
 * A_GETSTAT/A_SETSTAT -- confirm.  Field meanings are defined by the
 * kernel; the names suggest record lifecycle counters (generated,
 * enqueued, written, blocked, dropped) plus queue memory use, but verify
 * before relying on them.  The counters are plain int, so treat them as
 * snapshots rather than monotonic 64-bit totals.
 */
struct audit_stat {
	unsigned int	as_version;	/* Structure version. */
	unsigned int	as_numevent;	/* Number of events. */
	int		as_generated;
	int		as_nonattrib;
	int		as_kernel;
	int		as_audit;
	int		as_auditctl;
	int		as_enqueue;
	int		as_written;
	int		as_wblocked;
	int		as_rblocked;
	int		as_dropped;
	int		as_totalsize;
	unsigned int	as_memused;	/* Queue memory in use. */
};
typedef	struct audit_stat	au_stat_t;
285195699Srwatson
/*
 * Structure for the audit file statistics; presumably the payload of
 * A_SETFSIZE/A_GETFSIZE -- confirm.  The names suggest af_filesz is the
 * configured maximum trail size and af_currsz the current size; both are
 * 64-bit regardless of the host ABI.
 */
struct audit_fstat {
	u_int64_t	af_filesz;	/* Trail size limit (see A_SETFSIZE). */
	u_int64_t	af_currsz;	/* Current trail size. */
};
typedef	struct audit_fstat	au_fstat_t;
2944Srgrimes
/*
 * Audit event to event class mapping: one 16-bit event number paired with
 * its 32-bit class value; presumably the payload of A_GETCLASS/A_SETCLASS
 * -- confirm.
 */
struct au_evclass_map {
	au_event_t	ec_number;	/* Event number. */
	au_class_t	ec_class;	/* Class the event belongs to. */
};
typedef	struct au_evclass_map	au_evclass_map_t;
3034Srgrimes
/*
 * Audit system calls (userland prototypes only; nothing here is visible
 * to kernel code).  The int-returning calls presumably follow the usual
 * convention of 0 on success and -1 with errno set on failure -- confirm
 * in the manual pages.
 */
#if !defined(_KERNEL) && !defined(KERNEL)
/* Submit one user-level audit record; presumably (record, length). */
int	audit(const void *, int);
/*
 * Generic control interface: the first argument is one of the A_* command
 * values above; the data pointer and length are command-specific.
 */
int	auditon(int, void *, int);
/* Direct the kernel's audit trail to the named file; see auditctl(2). */
int	auditctl(const char *);
/* Get/set the calling process's audit user ID. */
int	getauid(au_id_t *);
int	setauid(const au_id_t *);
/* Get/set the legacy fixed-size audit state (struct auditinfo). */
int	getaudit(struct auditinfo *);
int	setaudit(const struct auditinfo *);
/*
 * Extended forms.  The trailing int is presumably the caller's
 * sizeof(struct auditinfo_addr), letting the kernel check the structure
 * size before copying -- confirm against getaudit_addr(2).
 */
int	getaudit_addr(struct auditinfo_addr *, int);
int	setaudit_addr(const struct auditinfo_addr *, int);

#ifdef __APPLE_API_PRIVATE
#include <mach/port.h>
/* Mac OS X only: session port for the caller, and join by port. */
mach_port_name_t audit_session_self(void);
au_asid_t	 audit_session_join(mach_port_name_t port);
#endif /* __APPLE_API_PRIVATE */

#endif /* defined(_KERNEL) || defined(KERNEL) */
3254Srgrimes
3264Srgrimes__END_DECLS
3274Srgrimes
3284Srgrimes#endif /* !_BSM_AUDIT_H */
3294Srgrimes