1/* 2 * Copyright (c) 1999-2007 Apple Inc. All Rights Reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 29#ifndef _BSM_AUDIT_H 30#define _BSM_AUDIT_H 31 32#include <sys/queue.h> 33#include <sys/types.h> 34#include <sys/param.h> 35#include <sys/socket.h> 36#include <sys/cdefs.h> 37 38#define AUDIT_RECORD_MAGIC 0x828a0f1b 39#define MAX_AUDIT_RECORDS 20 40#define MAX_AUDIT_RECORD_SIZE 4096 41#define MIN_AUDIT_FILE_SIZE 512 * 1024 42 43/* 44 * Triggers for the audit daemon 45 */ 46#define AUDIT_TRIGGER_LOW_SPACE 1 47#define AUDIT_TRIGGER_FILE_FULL 2 48 49/* 50 * Pre-defined audit IDs 51 */ 52#define AU_DEFAUDITID ((uid_t)-1) 53 54/* 55 * Define the masks for the classes of audit events. 56 */ 57#define AU_NULL 0x00000000 58#define AU_FREAD 0x00000001 59#define AU_FWRITE 0x00000002 60#define AU_FACCESS 0x00000004 61#define AU_FMODIFY 0x00000008 62#define AU_FCREATE 0x00000010 63#define AU_FDELETE 0x00000020 64#define AU_CLOSE 0x00000040 65#define AU_PROCESS 0x00000080 66#define AU_NET 0x00000100 67#define AU_IPC 0x00000200 68#define AU_NONAT 0x00000400 69#define AU_ADMIN 0x00000800 70#define AU_LOGIN 0x00001000 71#define AU_TFM 0x00002000 72#define AU_APPL 0x00004000 73#define AU_SETL 0x00008000 74#define AU_IFLOAT 0x00010000 75#define AU_PRIV 0x00020000 76#define AU_MAC_RW 0x00040000 77#define AU_XCONN 0x00080000 78#define AU_XCREATE 0x00100000 79#define AU_XDELETE 0x00200000 80#define AU_XIFLOAT 0x00400000 81#define AU_XPRIVS 0x00800000 82#define AU_XPRIVF 0x01000000 83#define AU_XMOVE 0x02000000 84#define AU_XDACF 0x04000000 85#define AU_XMACF 0x08000000 86#define AU_XSECATTR 0x10000000 87#define AU_IOCTL 0x20000000 88#define AU_EXEC 0x40000000 89#define AU_OTHER 0x80000000 90#define AU_ALL 0xffffffff 91 92/* 93 * IPC types 94 */ 95#define AT_IPC_MSG ((u_char)1) /* message IPC id */ 96#define AT_IPC_SEM ((u_char)2) /* semaphore IPC id */ 97#define AT_IPC_SHM ((u_char)3) /* shared mem IPC id */ 98 99/* 100 * Audit conditions. 101 */ 102#define AUC_UNSET 0 103#define AUC_AUDITING 1 104#define AUC_NOAUDIT 2 105#define AUC_DISABLED -1 106 107/* 108 * auditon(2) commands. 109 */ 110#define A_GETPOLICY 2 111#define A_SETPOLICY 3 112#define A_GETKMASK 4 113#define A_SETKMASK 5 114#define A_GETQCTRL 6 115#define A_SETQCTRL 7 116#define A_GETCWD 8 117#define A_GETCAR 9 118#define A_GETSTAT 12 119#define A_SETSTAT 13 120#define A_SETUMASK 14 121#define A_SETSMASK 15 122#define A_GETCOND 20 123#define A_SETCOND 21 124#define A_GETCLASS 22 125#define A_SETCLASS 23 126#define A_GETPINFO 24 127#define A_SETPMASK 25 128#define A_SETFSIZE 26 129#define A_GETFSIZE 27 130#define A_GETPINFO_ADDR 28 131#define A_GETKAUDIT 29 132#define A_SETKAUDIT 30 133 134/* 135 * Audit policy controls. 136 */ 137#define AUDIT_CNT 0x0001 138#define AUDIT_AHLT 0x0002 139#define AUDIT_ARGV 0x0004 140#define AUDIT_ARGE 0x0008 141#define AUDIT_PASSWD 0x0010 142#define AUDIT_SEQ 0x0020 143#define AUDIT_WINDATA 0x0040 144#define AUDIT_USER 0x0080 145#define AUDIT_GROUP 0x0100 146#define AUDIT_TRAIL 0x0200 147#define AUDIT_PATH 0x0400 148 149/* 150 * Audit queue control parameters 151 */ 152#define AQ_HIWATER 100 153#define AQ_MAXHIGH 10000 154#define AQ_LOWATER 10 155#define AQ_BUFSZ 1024 156#define AQ_MAXBUFSZ 1048576 157 158#define AU_FS_MINFREE 20 /* default min filesystem freespace, in percent */ 159 160__BEGIN_DECLS 161 162typedef uid_t au_id_t; 163typedef pid_t au_asid_t; 164typedef u_int16_t au_event_t; 165typedef u_int16_t au_emod_t; 166typedef u_int32_t au_class_t; 167 168struct au_tid { 169 dev_t port; 170 u_int32_t machine; 171}; 172typedef struct au_tid au_tid_t; 173 174struct au_tid_addr { 175 dev_t at_port; 176 u_int32_t at_type; 177 u_int32_t at_addr[4]; 178}; 179typedef struct au_tid_addr au_tid_addr_t; 180 181struct au_mask { 182 unsigned int am_success; /* success bits */ 183 unsigned int am_failure; /* failure bits */ 184}; 185typedef struct au_mask au_mask_t; 186 187struct auditinfo { 188 au_id_t ai_auid; /* Audit user ID */ 189 au_mask_t ai_mask; /* Audit masks */ 190 au_tid_t ai_termid; /* Terminal ID */ 191 au_asid_t ai_asid; /* Audit session ID */ 192}; 193typedef struct auditinfo auditinfo_t; 194 195struct auditinfo_addr { 196 au_id_t ai_auid; /* Audit user ID */ 197 au_mask_t ai_mask; /* Audit masks */ 198 au_tid_addr_t ai_termid; /* Terminal ID */ 199 au_asid_t ai_asid; /* Audit session ID */ 200}; 201typedef struct auditinfo_addr auditinfo_addr_t; 202 203struct auditpinfo { 204 pid_t ap_pid; /* ID of target process */ 205 au_id_t ap_auid; /* Audit user ID */ 206 au_mask_t ap_mask; /* Audit masks */ 207 au_tid_t ap_termid; /* Terminal ID */ 208 au_asid_t ap_asid; /* Audit session ID */ 209}; 210typedef struct auditpinfo auditpinfo_t; 211 212struct auditpinfo_addr { 213 pid_t ap_pid; /* ID of target process */ 214 au_id_t ap_auid; /* Audit user ID */ 215 au_mask_t ap_mask; /* Audit masks */ 216 au_tid_addr_t ap_termid; /* Terminal ID */ 217 au_asid_t ap_asid; /* Audit session ID */ 218}; 219typedef struct auditpinfo_addr auditpinfo_addr_t; 220 221/* Token and record structures */ 222 223struct au_token { 224 u_char *t_data; 225 size_t len; 226 TAILQ_ENTRY(au_token) tokens; 227}; 228typedef struct au_token token_t; 229 230struct au_record { 231 char used; /* Is this record currently being used */ 232 int desc; /* The descriptor associated with this record */ 233 TAILQ_HEAD(, au_token) token_q; /* queue of BSM tokens */ 234 u_char *data; 235 size_t len; 236 LIST_ENTRY(au_record) au_rec_q; 237}; 238typedef struct au_record au_record_t; 239 240/* 241 * Kernel audit queue control parameters. 242 */ 243struct au_qctrl { 244 size_t aq_hiwater; 245 size_t aq_lowater; 246 size_t aq_bufsz; 247 clock_t aq_delay; 248 int aq_minfree; /* minimum filesystem percent free space */ 249}; 250typedef struct au_qctrl au_qctrl_t; 251 252/* 253 * Structure for the audit statistics. 254 */ 255struct audit_stat { 256 unsigned int as_version; 257 unsigned int as_numevent; 258 int as_generated; 259 int as_nonattring; 260 int as_kernel; 261 int as_audit; 262 int as_auditctl; 263 int as_enqueu; 264 int as_written; 265 int as_wblocked; 266 int as_rblocked; 267 int as_dropped; 268 int as_totalsize; 269 unsigned int as_memused; 270}; 271typedef struct audit_stat au_stat_t; 272 273/* 274 * Structure for the audit file statistics. 275 */ 276struct audit_fstat { 277 u_quad_t af_filesz; 278 u_quad_t af_currsz; 279}; 280typedef struct audit_fstat au_fstat_t; 281 282/* 283 * Audit to event class mapping. 284 */ 285struct au_evclass_map { 286 au_event_t ec_number; 287 au_class_t ec_class; 288}; 289typedef struct au_evclass_map au_evclass_map_t; 290 291#ifndef KERNEL 292 293int audit (const void *, int); 294int auditon (int, void *, int); 295int auditctl (const char *); 296int getauid (au_id_t *); 297int setauid (const au_id_t *); 298int getaudit (struct auditinfo *); 299int setaudit (const struct auditinfo *); 300int getaudit_addr (struct auditinfo_addr *, int); 301int setaudit_addr (const struct auditinfo_addr *, int); 302#endif /* !KERNEL */ 303 304__END_DECLS 305 306#endif /* !_BSM_AUDIT_H */ 307