1 /*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #ifndef _LIBBSM_H_ 31 #define _LIBBSM_H_ 32 33 /* 34 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 35 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 36 */ 37 38 #include <sys/types.h> 39 #include <sys/cdefs.h> 40 41 #include <inttypes.h> /* Required for audit.h. */ 42 #include <time.h> /* Required for clock_t on Linux. */ 43 44 #include <bsm/audit.h> 45 #include <bsm/audit_record.h> 46 47 #include <stdio.h> 48 49 #ifdef __APPLE__ 50 #include <mach/mach.h> /* audit_token_t */ 51 #endif 52 53 /* 54 * Size parsed token vectors for execve(2) arguments and environmental 55 * variables. Note: changing these sizes affects the ABI of the token 56 * structure, and as the token structure is often placed in the caller stack, 57 * this is undesirable. 58 */ 59 #define AUDIT_MAX_ARGS 128 60 #define AUDIT_MAX_ENV 128 61 62 /* 63 * Arguments to au_preselect(3). 64 */ 65 #define AU_PRS_USECACHE 0 66 #define AU_PRS_REREAD 1 67 68 #define AU_PRS_SUCCESS 1 69 #define AU_PRS_FAILURE 2 70 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 71 72 #define AUDIT_EVENT_FILE "/etc/security/audit_event" 73 #define AUDIT_CLASS_FILE "/etc/security/audit_class" 74 #define AUDIT_CONTROL_FILE "/etc/security/audit_control" 75 #define AUDIT_USER_FILE "/etc/security/audit_user" 76 77 #define DIR_CONTROL_ENTRY "dir" 78 #define DIST_CONTROL_ENTRY "dist" 79 #define FILESZ_CONTROL_ENTRY "filesz" 80 #define FLAGS_CONTROL_ENTRY "flags" 81 #define HOST_CONTROL_ENTRY "host" 82 #define MINFREE_CONTROL_ENTRY "minfree" 83 #define NA_CONTROL_ENTRY "naflags" 84 #define POLICY_CONTROL_ENTRY "policy" 85 #define EXPIRE_AFTER_CONTROL_ENTRY "expire-after" 86 #define QSZ_CONTROL_ENTRY "qsize" 87 88 #define AU_CLASS_NAME_MAX 8 89 #define AU_CLASS_DESC_MAX 72 90 #define AU_EVENT_NAME_MAX 30 91 #define AU_EVENT_DESC_MAX 50 92 #define AU_USER_NAME_MAX 50 93 #define AU_LINE_MAX 256 94 #define MAX_AUDITSTRING_LEN 256 95 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ 96 97 #define USE_DEFAULT_QSZ -1 /* Use system default queue size */ 98 99 /* 100 * Arguments to au_close(3). 101 */ 102 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */ 103 #define AU_TO_WRITE 1 /* Commit audit record. */ 104 105 /* 106 * Output format flags for au_print_flags_tok(). 107 */ 108 #define AU_OFLAG_NONE 0x0000 /* Default form. */ 109 #define AU_OFLAG_RAW 0x0001 /* Raw, numeric form. */ 110 #define AU_OFLAG_SHORT 0x0002 /* Short form. */ 111 #define AU_OFLAG_XML 0x0004 /* XML form. */ 112 #define AU_OFLAG_NORESOLVE 0x0008 /* No user/group name resolution. */ 113 114 __BEGIN_DECLS 115 struct au_event_ent { 116 au_event_t ae_number; 117 char *ae_name; 118 char *ae_desc; 119 au_class_t ae_class; 120 }; 121 typedef struct au_event_ent au_event_ent_t; 122 123 struct au_class_ent { 124 char *ac_name; 125 au_class_t ac_class; 126 char *ac_desc; 127 }; 128 typedef struct au_class_ent au_class_ent_t; 129 130 struct au_user_ent { 131 char *au_name; 132 au_mask_t au_always; 133 au_mask_t au_never; 134 }; 135 typedef struct au_user_ent au_user_ent_t; 136 __END_DECLS 137 138 #define ADD_TO_MASK(m, c, sel) do { \ 139 if (sel & AU_PRS_SUCCESS) \ 140 (m)->am_success |= c; \ 141 if (sel & AU_PRS_FAILURE) \ 142 (m)->am_failure |= c; \ 143 } while (0) 144 145 #define SUB_FROM_MASK(m, c, sel) do { \ 146 if (sel & AU_PRS_SUCCESS) \ 147 (m)->am_success &= ((m)->am_success ^ c); \ 148 if (sel & AU_PRS_FAILURE) \ 149 (m)->am_failure &= ((m)->am_failure ^ c); \ 150 } while (0) 151 152 #define ADDMASK(m, v) do { \ 153 (m)->am_success |= (v)->am_success; \ 154 (m)->am_failure |= (v)->am_failure; \ 155 } while(0) 156 157 #define SUBMASK(m, v) do { \ 158 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ 159 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ 160 } while(0) 161 162 __BEGIN_DECLS 163 164 typedef struct au_tid32 { 165 u_int32_t port; 166 u_int32_t addr; 167 } au_tid32_t; 168 169 typedef struct au_tid64 { 170 u_int64_t port; 171 u_int32_t addr; 172 } au_tid64_t; 173 174 typedef struct au_tidaddr32 { 175 u_int32_t port; 176 u_int32_t type; 177 u_int32_t addr[4]; 178 } au_tidaddr32_t; 179 180 typedef struct au_tidaddr64 { 181 u_int64_t port; 182 u_int32_t type; 183 u_int32_t addr[4]; 184 } au_tidaddr64_t; 185 186 /* 187 * argument # 1 byte 188 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 189 * text length 2 bytes 190 * text N bytes + 1 terminating NULL byte 191 */ 192 typedef struct { 193 u_char no; 194 u_int32_t val; 195 u_int16_t len; 196 char *text; 197 } au_arg32_t; 198 199 typedef struct { 200 u_char no; 201 u_int64_t val; 202 u_int16_t len; 203 char *text; 204 } au_arg64_t; 205 206 /* 207 * how to print 1 byte 208 * basic unit 1 byte 209 * unit count 1 byte 210 * data items (depends on basic unit) 211 */ 212 typedef struct { 213 u_char howtopr; 214 u_char bu; 215 u_char uc; 216 u_char *data; 217 } au_arb_t; 218 219 /* 220 * file access mode 4 bytes 221 * owner user ID 4 bytes 222 * owner group ID 4 bytes 223 * file system ID 4 bytes 224 * node ID 8 bytes 225 * device 4 bytes/8 bytes (32-bit/64-bit) 226 */ 227 typedef struct { 228 u_int32_t mode; 229 u_int32_t uid; 230 u_int32_t gid; 231 u_int32_t fsid; 232 u_int64_t nid; 233 u_int32_t dev; 234 } au_attr32_t; 235 236 typedef struct { 237 u_int32_t mode; 238 u_int32_t uid; 239 u_int32_t gid; 240 u_int32_t fsid; 241 u_int64_t nid; 242 u_int64_t dev; 243 } au_attr64_t; 244 245 /* 246 * count 4 bytes 247 * text count null-terminated string(s) 248 */ 249 typedef struct { 250 u_int32_t count; 251 char *text[AUDIT_MAX_ARGS]; 252 } au_execarg_t; 253 254 /* 255 * count 4 bytes 256 * text count null-terminated string(s) 257 */ 258 typedef struct { 259 u_int32_t count; 260 char *text[AUDIT_MAX_ENV]; 261 } au_execenv_t; 262 263 /* 264 * status 4 bytes 265 * return value 4 bytes 266 */ 267 typedef struct { 268 u_int32_t status; 269 u_int32_t ret; 270 } au_exit_t; 271 272 /* 273 * seconds of time 4 bytes 274 * milliseconds of time 4 bytes 275 * file name length 2 bytes 276 * file pathname N bytes + 1 terminating NULL byte 277 */ 278 typedef struct { 279 u_int32_t s; 280 u_int32_t ms; 281 u_int16_t len; 282 char *name; 283 } au_file_t; 284 285 286 /* 287 * number groups 2 bytes 288 * group list N * 4 bytes 289 */ 290 typedef struct { 291 u_int16_t no; 292 u_int32_t list[AUDIT_MAX_GROUPS]; 293 } au_groups_t; 294 295 /* 296 * record byte count 4 bytes 297 * version # 1 byte [2] 298 * event type 2 bytes 299 * event modifier 2 bytes 300 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 301 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 302 */ 303 typedef struct { 304 u_int32_t size; 305 u_char version; 306 u_int16_t e_type; 307 u_int16_t e_mod; 308 u_int32_t s; 309 u_int32_t ms; 310 } au_header32_t; 311 312 /* 313 * record byte count 4 bytes 314 * version # 1 byte [2] 315 * event type 2 bytes 316 * event modifier 2 bytes 317 * address type/length 1 byte (XXX: actually, 4 bytes) 318 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 319 * seconds of time 4 bytes/8 bytes (32/64-bits) 320 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 321 */ 322 typedef struct { 323 u_int32_t size; 324 u_char version; 325 u_int16_t e_type; 326 u_int16_t e_mod; 327 u_int32_t ad_type; 328 u_int32_t addr[4]; 329 u_int32_t s; 330 u_int32_t ms; 331 } au_header32_ex_t; 332 333 typedef struct { 334 u_int32_t size; 335 u_char version; 336 u_int16_t e_type; 337 u_int16_t e_mod; 338 u_int64_t s; 339 u_int64_t ms; 340 } au_header64_t; 341 342 typedef struct { 343 u_int32_t size; 344 u_char version; 345 u_int16_t e_type; 346 u_int16_t e_mod; 347 u_int32_t ad_type; 348 u_int32_t addr[4]; 349 u_int64_t s; 350 u_int64_t ms; 351 } au_header64_ex_t; 352 353 /* 354 * internet address 4 bytes 355 */ 356 typedef struct { 357 u_int32_t addr; 358 } au_inaddr_t; 359 360 /* 361 * type 4 bytes 362 * internet address 16 bytes 363 */ 364 typedef struct { 365 u_int32_t type; 366 u_int32_t addr[4]; 367 } au_inaddr_ex_t; 368 369 /* 370 * version and ihl 1 byte 371 * type of service 1 byte 372 * length 2 bytes 373 * id 2 bytes 374 * offset 2 bytes 375 * ttl 1 byte 376 * protocol 1 byte 377 * checksum 2 bytes 378 * source address 4 bytes 379 * destination address 4 bytes 380 */ 381 typedef struct { 382 u_char version; 383 u_char tos; 384 u_int16_t len; 385 u_int16_t id; 386 u_int16_t offset; 387 u_char ttl; 388 u_char prot; 389 u_int16_t chksm; 390 u_int32_t src; 391 u_int32_t dest; 392 } au_ip_t; 393 394 /* 395 * object ID type 1 byte 396 * object ID 4 bytes 397 */ 398 typedef struct { 399 u_char type; 400 u_int32_t id; 401 } au_ipc_t; 402 403 /* 404 * owner user ID 4 bytes 405 * owner group ID 4 bytes 406 * creator user ID 4 bytes 407 * creator group ID 4 bytes 408 * access mode 4 bytes 409 * slot sequence # 4 bytes 410 * key 4 bytes 411 */ 412 typedef struct { 413 u_int32_t uid; 414 u_int32_t gid; 415 u_int32_t puid; 416 u_int32_t pgid; 417 u_int32_t mode; 418 u_int32_t seq; 419 u_int32_t key; 420 } au_ipcperm_t; 421 422 /* 423 * port IP address 2 bytes 424 */ 425 typedef struct { 426 u_int16_t port; 427 } au_iport_t; 428 429 /* 430 * length 2 bytes 431 * data length bytes 432 */ 433 typedef struct { 434 u_int16_t size; 435 char *data; 436 } au_opaque_t; 437 438 /* 439 * path length 2 bytes 440 * path N bytes + 1 terminating NULL byte 441 */ 442 typedef struct { 443 u_int16_t len; 444 char *path; 445 } au_path_t; 446 447 /* 448 * audit ID 4 bytes 449 * effective user ID 4 bytes 450 * effective group ID 4 bytes 451 * real user ID 4 bytes 452 * real group ID 4 bytes 453 * process ID 4 bytes 454 * session ID 4 bytes 455 * terminal ID 456 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 457 * machine address 4 bytes 458 */ 459 typedef struct { 460 u_int32_t auid; 461 u_int32_t euid; 462 u_int32_t egid; 463 u_int32_t ruid; 464 u_int32_t rgid; 465 u_int32_t pid; 466 u_int32_t sid; 467 au_tid32_t tid; 468 } au_proc32_t; 469 470 typedef struct { 471 u_int32_t auid; 472 u_int32_t euid; 473 u_int32_t egid; 474 u_int32_t ruid; 475 u_int32_t rgid; 476 u_int32_t pid; 477 u_int32_t sid; 478 au_tid64_t tid; 479 } au_proc64_t; 480 481 /* 482 * audit ID 4 bytes 483 * effective user ID 4 bytes 484 * effective group ID 4 bytes 485 * real user ID 4 bytes 486 * real group ID 4 bytes 487 * process ID 4 bytes 488 * session ID 4 bytes 489 * terminal ID 490 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 491 * type 4 bytes 492 * machine address 16 bytes 493 */ 494 typedef struct { 495 u_int32_t auid; 496 u_int32_t euid; 497 u_int32_t egid; 498 u_int32_t ruid; 499 u_int32_t rgid; 500 u_int32_t pid; 501 u_int32_t sid; 502 au_tidaddr32_t tid; 503 } au_proc32ex_t; 504 505 typedef struct { 506 u_int32_t auid; 507 u_int32_t euid; 508 u_int32_t egid; 509 u_int32_t ruid; 510 u_int32_t rgid; 511 u_int32_t pid; 512 u_int32_t sid; 513 au_tidaddr64_t tid; 514 } au_proc64ex_t; 515 516 /* 517 * error status 1 byte 518 * return value 4 bytes/8 bytes (32-bit/64-bit value) 519 */ 520 typedef struct { 521 u_char status; 522 u_int32_t ret; 523 } au_ret32_t; 524 525 typedef struct { 526 u_char err; 527 u_int64_t val; 528 } au_ret64_t; 529 530 /* 531 * sequence number 4 bytes 532 */ 533 typedef struct { 534 u_int32_t seqno; 535 } au_seq_t; 536 537 /* 538 * socket type 2 bytes 539 * local port 2 bytes 540 * local Internet address 4 bytes 541 * remote port 2 bytes 542 * remote Internet address 4 bytes 543 */ 544 typedef struct { 545 u_int16_t type; 546 u_int16_t l_port; 547 u_int32_t l_addr; 548 u_int16_t r_port; 549 u_int32_t r_addr; 550 } au_socket_t; 551 552 /* 553 * socket type 2 bytes 554 * local port 2 bytes 555 * address type/length 4 bytes 556 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 557 * remote port 4 bytes 558 * address type/length 4 bytes 559 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 560 */ 561 typedef struct { 562 u_int16_t domain; 563 u_int16_t type; 564 u_int16_t atype; 565 u_int16_t l_port; 566 u_int32_t l_addr[4]; 567 u_int32_t r_port; 568 u_int32_t r_addr[4]; 569 } au_socket_ex32_t; 570 571 /* 572 * socket family 2 bytes 573 * local port 2 bytes 574 * socket address 4 bytes/16 bytes (IPv4/IPv6 address) 575 */ 576 typedef struct { 577 u_int16_t family; 578 u_int16_t port; 579 u_int32_t addr[4]; 580 } au_socketinet_ex32_t; 581 582 typedef struct { 583 u_int16_t family; 584 u_int16_t port; 585 u_int32_t addr; 586 } au_socketinet32_t; 587 588 /* 589 * socket family 2 bytes 590 * path 104 bytes 591 */ 592 typedef struct { 593 u_int16_t family; 594 char path[104]; 595 } au_socketunix_t; 596 597 /* 598 * audit ID 4 bytes 599 * effective user ID 4 bytes 600 * effective group ID 4 bytes 601 * real user ID 4 bytes 602 * real group ID 4 bytes 603 * process ID 4 bytes 604 * session ID 4 bytes 605 * terminal ID 606 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 607 * machine address 4 bytes 608 */ 609 typedef struct { 610 u_int32_t auid; 611 u_int32_t euid; 612 u_int32_t egid; 613 u_int32_t ruid; 614 u_int32_t rgid; 615 u_int32_t pid; 616 u_int32_t sid; 617 au_tid32_t tid; 618 } au_subject32_t; 619 620 typedef struct { 621 u_int32_t auid; 622 u_int32_t euid; 623 u_int32_t egid; 624 u_int32_t ruid; 625 u_int32_t rgid; 626 u_int32_t pid; 627 u_int32_t sid; 628 au_tid64_t tid; 629 } au_subject64_t; 630 631 /* 632 * audit ID 4 bytes 633 * effective user ID 4 bytes 634 * effective group ID 4 bytes 635 * real user ID 4 bytes 636 * real group ID 4 bytes 637 * process ID 4 bytes 638 * session ID 4 bytes 639 * terminal ID 640 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 641 * type 4 bytes 642 * machine address 16 bytes 643 */ 644 typedef struct { 645 u_int32_t auid; 646 u_int32_t euid; 647 u_int32_t egid; 648 u_int32_t ruid; 649 u_int32_t rgid; 650 u_int32_t pid; 651 u_int32_t sid; 652 au_tidaddr32_t tid; 653 } au_subject32ex_t; 654 655 typedef struct { 656 u_int32_t auid; 657 u_int32_t euid; 658 u_int32_t egid; 659 u_int32_t ruid; 660 u_int32_t rgid; 661 u_int32_t pid; 662 u_int32_t sid; 663 au_tidaddr64_t tid; 664 } au_subject64ex_t; 665 666 /* 667 * text length 2 bytes 668 * text N bytes + 1 terminating NULL byte 669 */ 670 typedef struct { 671 u_int16_t len; 672 char *text; 673 } au_text_t; 674 675 /* 676 * upriv status 1 byte 677 * privstr len 2 bytes 678 * privstr N bytes + 1 (\0 byte) 679 */ 680 typedef struct { 681 u_int8_t sorf; 682 u_int16_t privstrlen; 683 char *priv; 684 } au_priv_t; 685 686 /* 687 * privset 688 * privtstrlen 2 bytes 689 * privtstr N Bytes + 1 690 * privstrlen 2 bytes 691 * privstr N Bytes + 1 692 */ 693 typedef struct { 694 u_int16_t privtstrlen; 695 char *privtstr; 696 u_int16_t privstrlen; 697 char *privstr; 698 } au_privset_t; 699 700 /* 701 * zonename length 2 bytes 702 * zonename text N bytes + 1 NULL terminator 703 */ 704 typedef struct { 705 u_int16_t len; 706 char *zonename; 707 } au_zonename_t; 708 709 typedef struct { 710 u_int32_t ident; 711 u_int16_t filter; 712 u_int16_t flags; 713 u_int32_t fflags; 714 u_int32_t data; 715 } au_kevent_t; 716 717 typedef struct { 718 u_int16_t length; 719 char *data; 720 } au_invalid_t; 721 722 /* 723 * trailer magic number 2 bytes 724 * record byte count 4 bytes 725 */ 726 typedef struct { 727 u_int16_t magic; 728 u_int32_t count; 729 } au_trailer_t; 730 731 struct tokenstr { 732 u_char id; 733 u_char *data; 734 size_t len; 735 union { 736 au_arg32_t arg32; 737 au_arg64_t arg64; 738 au_arb_t arb; 739 au_attr32_t attr32; 740 au_attr64_t attr64; 741 au_execarg_t execarg; 742 au_execenv_t execenv; 743 au_exit_t exit; 744 au_file_t file; 745 au_groups_t grps; 746 au_header32_t hdr32; 747 au_header32_ex_t hdr32_ex; 748 au_header64_t hdr64; 749 au_header64_ex_t hdr64_ex; 750 au_inaddr_t inaddr; 751 au_inaddr_ex_t inaddr_ex; 752 au_ip_t ip; 753 au_ipc_t ipc; 754 au_ipcperm_t ipcperm; 755 au_iport_t iport; 756 au_opaque_t opaque; 757 au_path_t path; 758 au_proc32_t proc32; 759 au_proc32ex_t proc32_ex; 760 au_proc64_t proc64; 761 au_proc64ex_t proc64_ex; 762 au_ret32_t ret32; 763 au_ret64_t ret64; 764 au_seq_t seq; 765 au_socket_t socket; 766 au_socket_ex32_t socket_ex32; 767 au_socketinet_ex32_t sockinet_ex32; 768 au_socketunix_t sockunix; 769 au_subject32_t subj32; 770 au_subject32ex_t subj32_ex; 771 au_subject64_t subj64; 772 au_subject64ex_t subj64_ex; 773 au_text_t text; 774 au_kevent_t kevent; 775 au_invalid_t invalid; 776 au_trailer_t trail; 777 au_zonename_t zonename; 778 au_priv_t priv; 779 au_privset_t privset; 780 } tt; /* The token is one of the above types */ 781 }; 782 783 typedef struct tokenstr tokenstr_t; 784 785 int audit_submit(short au_event, au_id_t auid, 786 char status, int reterr, const char *fmt, ...); 787 788 /* 789 * Functions relating to querying audit class information. 790 */ 791 void setauclass(void); 792 void endauclass(void); 793 struct au_class_ent *getauclassent(void); 794 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 795 struct au_class_ent *getauclassnam(const char *name); 796 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 797 const char *name); 798 struct au_class_ent *getauclassnum(au_class_t class_number); 799 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 800 au_class_t class_number); 801 802 /* 803 * Functions relating to querying audit control information. 804 */ 805 void setac(void); 806 void endac(void); 807 int getacdir(char *name, int len); 808 int getacdist(void); 809 int getacexpire(int *andflg, time_t *age, size_t *size); 810 int getacfilesz(size_t *size_val); 811 int getacqsize(int *size_val); 812 int getacflg(char *auditstr, int len); 813 int getachost(char *auditstr, size_t len); 814 int getacmin(int *min_val); 815 int getacna(char *auditstr, int len); 816 int getacpol(char *auditstr, size_t len); 817 int getauditflagsbin(char *auditstr, au_mask_t *masks); 818 int getauditflagschar(char *auditstr, au_mask_t *masks, 819 int verbose); 820 int au_preselect(au_event_t event, au_mask_t *mask_p, 821 int sorf, int flag); 822 ssize_t au_poltostr(int policy, size_t maxsize, char *buf); 823 int au_strtopol(const char *polstr, int *policy); 824 825 /* 826 * Functions relating to querying audit event information. 827 */ 828 void setauevent(void); 829 void endauevent(void); 830 struct au_event_ent *getauevent(void); 831 struct au_event_ent *getauevent_r(struct au_event_ent *e); 832 struct au_event_ent *getauevnam(const char *name); 833 struct au_event_ent *getauevnam_r(struct au_event_ent *e, 834 const char *name); 835 struct au_event_ent *getauevnum(au_event_t event_number); 836 struct au_event_ent *getauevnum_r(struct au_event_ent *e, 837 au_event_t event_number); 838 au_event_t *getauevnonam(const char *event_name); 839 au_event_t *getauevnonam_r(au_event_t *ev, 840 const char *event_name); 841 842 /* 843 * Functions relating to querying audit user information. 844 */ 845 void setauuser(void); 846 void endauuser(void); 847 struct au_user_ent *getauuserent(void); 848 struct au_user_ent *getauuserent_r(struct au_user_ent *u); 849 struct au_user_ent *getauusernam(const char *name); 850 struct au_user_ent *getauusernam_r(struct au_user_ent *u, 851 const char *name); 852 int au_user_mask(char *username, au_mask_t *mask_p); 853 int getfauditflags(au_mask_t *usremask, 854 au_mask_t *usrdmask, au_mask_t *lastmask); 855 856 /* 857 * Functions for reading and printing records and tokens from audit trails. 858 */ 859 int au_read_rec(FILE *fp, u_char **buf); 860 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); 861 //XXX The following interface has different prototype from BSM 862 void au_print_tok(FILE *outfp, tokenstr_t *tok, 863 char *del, char raw, char sfrm); 864 void au_print_flags_tok(FILE *outfp, tokenstr_t *tok, 865 char *del, int oflags); 866 void au_print_tok_xml(FILE *outfp, tokenstr_t *tok, 867 char *del, char raw, char sfrm); 868 869 /* 870 * Functions relating to XML output. 871 */ 872 void au_print_xml_header(FILE *outfp); 873 void au_print_xml_footer(FILE *outfp); 874 875 const char *au_strerror(u_char bsm_error); 876 __END_DECLS 877 878 /* 879 * The remaining APIs are associated with Apple's BSM implementation, in 880 * particular as relates to Mach IPC auditing and triggers passed via Mach 881 * IPC. 882 */ 883 #ifdef __APPLE__ 884 #include <sys/appleapiopts.h> 885 886 /************************************************************************** 887 ************************************************************************** 888 ** The following definitions, functions, etc., are NOT officially 889 ** supported: they may be changed or removed in the future. Do not use 890 ** them unless you are prepared to cope with that eventuality. 891 ************************************************************************** 892 **************************************************************************/ 893 894 #ifdef __APPLE_API_PRIVATE 895 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" 896 #endif /* __APPLE_API_PRIVATE */ 897 898 /* 899 * au_get_state() return values 900 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and 901 * AUDIT_ON are deprecated and WILL be removed. 902 */ 903 #ifdef __APPLE_API_PRIVATE 904 #define AUDIT_OFF AUC_NOAUDIT 905 #define AUDIT_ON AUC_AUDITING 906 #endif /* __APPLE_API_PRIVATE */ 907 #endif /* !__APPLE__ */ 908 909 /* 910 * Error return codes for audit_set_terminal_id(), audit_write() and its 911 * brethren. We have 255 (not including kAUNoErr) to play with. 912 * 913 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 914 */ 915 enum { 916 kAUNoErr = 0, 917 kAUBadParamErr = -66049, 918 kAUStatErr, 919 kAUSysctlErr, 920 kAUOpenErr, 921 kAUMakeSubjectTokErr, 922 kAUWriteSubjectTokErr, 923 kAUWriteCallerTokErr, 924 kAUMakeReturnTokErr, 925 kAUWriteReturnTokErr, 926 kAUCloseErr, 927 kAUMakeTextTokErr, 928 kAULastErr 929 }; 930 931 #ifdef __APPLE__ 932 /* 933 * Error return codes for au_get_state() and/or its private support 934 * functions. These codes are designed to be compatible with the 935 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. 936 * Any changes to notify(3) may cause these values to change in future. 937 * 938 * AU_UNIMPL should never happen unless you've changed your system software 939 * without rebooting. Shame on you. 940 */ 941 #ifdef __APPLE_API_PRIVATE 942 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */ 943 #endif /* __APPLE_API_PRIVATE */ 944 #endif /* !__APPLE__ */ 945 946 __BEGIN_DECLS 947 /* 948 * XXX This prototype should be in audit_record.h 949 * 950 * au_free_token() 951 * 952 * @summary - au_free_token() deallocates a token_t created by any of 953 * the au_to_*() BSM API functions. 954 * 955 * The BSM API generally manages deallocation of token_t objects. However, 956 * if au_write() is passed a bad audit descriptor, the token_t * parameter 957 * will be left untouched. In that case, the caller can deallocate the 958 * token_t using au_free_token() if desired. This is, in fact, what 959 * audit_write() does, in keeping with the existing memory management model 960 * of the BSM API. 961 * 962 * @param tok - A token_t * generated by one of the au_to_*() BSM API 963 * calls. For convenience, tok may be NULL, in which case 964 * au_free_token() returns immediately. 965 * 966 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 967 */ 968 void au_free_token(token_t *tok); 969 970 /* 971 * Lightweight check to determine if auditing is enabled. If a client 972 * wants to use this to govern whether an entire series of audit calls 973 * should be made--as in the common case of a caller building a set of 974 * tokens, then writing them--it should cache the audit status in a local 975 * variable. This call always returns the current state of auditing. 976 * 977 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 978 * Otherwise the function can return any of the errno values defined for 979 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 980 * the system. 981 * 982 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 983 */ 984 int au_get_state(void); 985 986 /* 987 * Initialize the audit notification. If it has not already been initialized 988 * it will automatically on the first call of au_get_state(). 989 */ 990 uint32_t au_notify_initialize(void); 991 992 /* 993 * Cancel audit notification and free the resources associated with it. 994 * Responsible code that no longer needs to use au_get_state() should call 995 * this. 996 */ 997 int au_notify_terminate(void); 998 __END_DECLS 999 1000 /* OpenSSH compatibility */ 1001 int cannot_audit(int); 1002 1003 __BEGIN_DECLS 1004 /* 1005 * audit_set_terminal_id() 1006 * 1007 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 1008 * used in audit session initialization by processes like /usr/bin/login. 1009 * 1010 * @param tid - A pointer to an au_tid_t struct. 1011 * 1012 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 1013 * or kAUSysctlErr if one of the underlying system calls fails (a message 1014 * is sent to the system log in those cases). 1015 * 1016 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1017 */ 1018 int audit_set_terminal_id(au_tid_t *tid); 1019 1020 /* 1021 * BEGIN au_write() WRAPPERS 1022 * 1023 * The following calls all wrap the existing BSM API. They use the 1024 * provided subject information, if any, to construct the subject token 1025 * required for every log message. They use the provided return/error 1026 * value(s), if any, to construct the success/failure indication required 1027 * for every log message. They only permit one "miscellaneous" token, 1028 * which should contain the event-specific logging information mandated by 1029 * CAPP. 1030 * 1031 * All these calls assume the caller has previously determined that 1032 * auditing is enabled by calling au_get_state(). 1033 */ 1034 1035 /* 1036 * audit_write() 1037 * 1038 * @summary - audit_write() is the basis for the other audit_write_*() 1039 * calls. Performs a basic write of an audit record (subject, additional 1040 * info, success/failure). Note that this call only permits logging one 1041 * caller-specified token; clients needing to log more flexibly must use 1042 * the existing BSM API (au_open(), et al.) directly. 1043 * 1044 * Note on memory management: audit_write() guarantees that the token_t *s 1045 * passed to it will be deallocated whether or not the underlying write to 1046 * the audit log succeeded. This addresses an inconsistency in the 1047 * underlying BSM API in which token_t *s are usually but not always 1048 * deallocated. 1049 * 1050 * @param event_code - The code for the event being logged. This should 1051 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1052 * 1053 * @param subject - A token_t * generated by au_to_subject(), 1054 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 1055 * required, subject should be NULL. 1056 * 1057 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1058 * calls. This should correspond to the additional information required by 1059 * CAPP for the event being audited. If no additional information is 1060 * required, misctok should be NULL. 1061 * 1062 * @param retval - The return value to be logged for this event. This 1063 * should be 0 (zero) for success, otherwise the value is event-specific. 1064 * 1065 * @param errcode - Any error code associated with the return value (e.g., 1066 * errno or h_errno). If there was no error, errcode should be 0 (zero). 1067 * 1068 * @return - The status of the call: 0 (zero) on success, else one of the 1069 * kAU*Err values defined above. 1070 * 1071 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1072 */ 1073 int audit_write(short event_code, token_t *subject, token_t *misctok, 1074 char retval, int errcode); 1075 1076 /* 1077 * audit_write_success() 1078 * 1079 * @summary - audit_write_success() records an auditable event that did not 1080 * encounter an error. The interface is designed to require as little 1081 * direct use of the au_to_*() API as possible. It builds a subject token 1082 * from the information passed in and uses that to invoke audit_write(). 1083 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1084 * 1085 * If the subject information is the same as the current process, use 1086 * au_write_success_self(). 1087 * 1088 * @param event_code - The code for the event being logged. This should 1089 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1090 * 1091 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1092 * calls. This should correspond to the additional information required by 1093 * CAPP for the event being audited. If no additional information is 1094 * required, misctok should be NULL. 1095 * 1096 * @param auid - The subject's audit ID. 1097 * 1098 * @param euid - The subject's effective user ID. 1099 * 1100 * @param egid - The subject's effective group ID. 1101 * 1102 * @param ruid - The subject's real user ID. 1103 * 1104 * @param rgid - The subject's real group ID. 1105 * 1106 * @param pid - The subject's process ID. 1107 * 1108 * @param sid - The subject's session ID. 1109 * 1110 * @param tid - The subject's terminal ID. 1111 * 1112 * @return - The status of the call: 0 (zero) on success, else one of the 1113 * kAU*Err values defined above. 1114 * 1115 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1116 */ 1117 int audit_write_success(short event_code, token_t *misctok, au_id_t auid, 1118 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 1119 au_asid_t sid, au_tid_t *tid); 1120 1121 /* 1122 * audit_write_success_self() 1123 * 1124 * @summary - Similar to audit_write_success(), but used when the subject 1125 * (process) is owned and operated by the auditable user him/herself. 1126 * 1127 * @param event_code - The code for the event being logged. This should 1128 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1129 * 1130 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1131 * calls. This should correspond to the additional information required by 1132 * CAPP for the event being audited. If no additional information is 1133 * required, misctok should be NULL. 1134 * 1135 * @return - The status of the call: 0 (zero) on success, else one of the 1136 * kAU*Err values defined above. 1137 * 1138 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1139 */ 1140 int audit_write_success_self(short event_code, token_t *misctok); 1141 1142 /* 1143 * audit_write_failure() 1144 * 1145 * @summary - audit_write_failure() records an auditable event that 1146 * encountered an error. The interface is designed to require as little 1147 * direct use of the au_to_*() API as possible. It builds a subject token 1148 * from the information passed in and uses that to invoke audit_write(). 1149 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1150 * 1151 * If the subject information is the same as the current process, use 1152 * au_write_failure_self(). 1153 * 1154 * @param event_code - The code for the event being logged. This should 1155 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1156 * 1157 * @param errmsg - A text message providing additional information about 1158 * the event being audited. 1159 * 1160 * @param errret - A numerical value providing additional information about 1161 * the error. This is intended to store the value of errno or h_errno if 1162 * it's relevant. This can be 0 (zero) if no additional information is 1163 * available. 1164 * 1165 * @param auid - The subject's audit ID. 1166 * 1167 * @param euid - The subject's effective user ID. 1168 * 1169 * @param egid - The subject's effective group ID. 1170 * 1171 * @param ruid - The subject's real user ID. 1172 * 1173 * @param rgid - The subject's real group ID. 1174 * 1175 * @param pid - The subject's process ID. 1176 * 1177 * @param sid - The subject's session ID. 1178 * 1179 * @param tid - The subject's terminal ID. 1180 * 1181 * @return - The status of the call: 0 (zero) on success, else one of the 1182 * kAU*Err values defined above. 1183 * 1184 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1185 */ 1186 int audit_write_failure(short event_code, char *errmsg, int errret, 1187 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1188 pid_t pid, au_asid_t sid, au_tid_t *tid); 1189 1190 /* 1191 * audit_write_failure_self() 1192 * 1193 * @summary - Similar to audit_write_failure(), but used when the subject 1194 * (process) is owned and operated by the auditable user him/herself. 1195 * 1196 * @param event_code - The code for the event being logged. This should 1197 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1198 * 1199 * @param errmsg - A text message providing additional information about 1200 * the event being audited. 1201 * 1202 * @param errret - A numerical value providing additional information about 1203 * the error. This is intended to store the value of errno or h_errno if 1204 * it's relevant. This can be 0 (zero) if no additional information is 1205 * available. 1206 * 1207 * @return - The status of the call: 0 (zero) on success, else one of the 1208 * kAU*Err values defined above. 1209 * 1210 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1211 */ 1212 int audit_write_failure_self(short event_code, char *errmsg, int errret); 1213 1214 /* 1215 * audit_write_failure_na() 1216 * 1217 * @summary - audit_write_failure_na() records errors during login. Such 1218 * errors are implicitly non-attributable (i.e., not ascribable to any user). 1219 * 1220 * @param event_code - The code for the event being logged. This should 1221 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1222 * 1223 * @param errmsg - A text message providing additional information about 1224 * the event being audited. 1225 * 1226 * @param errret - A numerical value providing additional information about 1227 * the error. This is intended to store the value of errno or h_errno if 1228 * it's relevant. This can be 0 (zero) if no additional information is 1229 * available. 1230 * 1231 * @param euid - The subject's effective user ID. 1232 * 1233 * @param egid - The subject's effective group ID. 1234 * 1235 * @param pid - The subject's process ID. 1236 * 1237 * @param tid - The subject's terminal ID. 1238 * 1239 * @return - The status of the call: 0 (zero) on success, else one of the 1240 * kAU*Err values defined above. 1241 * 1242 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1243 */ 1244 int audit_write_failure_na(short event_code, char *errmsg, int errret, 1245 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1246 1247 /* END au_write() WRAPPERS */ 1248 1249 #ifdef __APPLE__ 1250 /* 1251 * audit_token_to_au32() 1252 * 1253 * @summary - Extract information from an audit_token_t, used to identify 1254 * Mach tasks and senders of Mach messages as subjects to the audit system. 1255 * audit_tokent_to_au32() is the only method that should be used to parse 1256 * an audit_token_t, since its internal representation may change over 1257 * time. A pointer parameter may be NULL if that information is not 1258 * needed. 1259 * 1260 * @param atoken - the audit token containing the desired information 1261 * 1262 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1263 * sender's audit user ID 1264 * 1265 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1266 * sender's effective user ID 1267 * 1268 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1269 * sender's effective group ID 1270 * 1271 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1272 * sender's real user ID 1273 * 1274 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1275 * sender's real group ID 1276 * 1277 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1278 * sender's process ID 1279 * 1280 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1281 * task or sender's audit session ID 1282 * 1283 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1284 * or sender's terminal ID 1285 * 1286 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1287 */ 1288 void audit_token_to_au32( 1289 audit_token_t atoken, 1290 uid_t *auidp, 1291 uid_t *euidp, 1292 gid_t *egidp, 1293 uid_t *ruidp, 1294 gid_t *rgidp, 1295 pid_t *pidp, 1296 au_asid_t *asidp, 1297 au_tid_t *tidp); 1298 #endif /* !__APPLE__ */ 1299 1300 /* 1301 * Wrapper functions to auditon(2). 1302 */ 1303 int audit_get_car(char *path, size_t sz); 1304 int audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1305 int audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1306 int audit_get_event(au_evname_map_t *evn_map, size_t sz); 1307 int audit_set_event(au_evname_map_t *evn_map, size_t sz); 1308 int audit_get_cond(int *cond); 1309 int audit_set_cond(int *cond); 1310 int audit_get_cwd(char *path, size_t sz); 1311 int audit_get_fsize(au_fstat_t *fstat, size_t sz); 1312 int audit_set_fsize(au_fstat_t *fstat, size_t sz); 1313 int audit_get_kmask(au_mask_t *kmask, size_t sz); 1314 int audit_set_kmask(au_mask_t *kmask, size_t sz); 1315 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1316 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1317 int audit_set_pmask(auditpinfo_t *api, size_t sz); 1318 int audit_get_pinfo(auditpinfo_t *api, size_t sz); 1319 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1320 int audit_get_policy(int *policy); 1321 int audit_set_policy(int *policy); 1322 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1323 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1324 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1325 int audit_get_stat(au_stat_t *stats, size_t sz); 1326 int audit_set_stat(au_stat_t *stats, size_t sz); 1327 int audit_send_trigger(int *trigger); 1328 1329 __END_DECLS 1330 1331 #endif /* !_LIBBSM_H_ */ 1332