1 /*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 #ifndef _LIBBSM_H_ 31 #define _LIBBSM_H_ 32 33 /* 34 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 35 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 36 */ 37 38 #include <sys/types.h> 39 #include <sys/cdefs.h> 40 41 #include <inttypes.h> /* Required for audit.h. */ 42 #include <time.h> /* Required for clock_t on Linux. */ 43 44 #include <bsm/audit.h> 45 #include <bsm/audit_record.h> 46 47 #include <stdio.h> 48 49 #ifdef __APPLE__ 50 #include <mach/mach.h> /* audit_token_t */ 51 #endif 52 53 /* 54 * Size parsed token vectors for execve(2) arguments and environmental 55 * variables. Note: changing these sizes affects the ABI of the token 56 * structure, and as the token structure is often placed in the caller stack, 57 * this is undesirable. 58 */ 59 #define AUDIT_MAX_ARGS 128 60 #define AUDIT_MAX_ENV 128 61 62 /* 63 * Arguments to au_preselect(3). 64 */ 65 #define AU_PRS_USECACHE 0 66 #define AU_PRS_REREAD 1 67 68 #define AU_PRS_SUCCESS 1 69 #define AU_PRS_FAILURE 2 70 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 71 72 #define AUDIT_EVENT_FILE "/etc/security/audit_event" 73 #define AUDIT_CLASS_FILE "/etc/security/audit_class" 74 #define AUDIT_CONTROL_FILE "/etc/security/audit_control" 75 #define AUDIT_USER_FILE "/etc/security/audit_user" 76 77 #define DIR_CONTROL_ENTRY "dir" 78 #define DIST_CONTROL_ENTRY "dist" 79 #define FILESZ_CONTROL_ENTRY "filesz" 80 #define FLAGS_CONTROL_ENTRY "flags" 81 #define HOST_CONTROL_ENTRY "host" 82 #define MINFREE_CONTROL_ENTRY "minfree" 83 #define NA_CONTROL_ENTRY "naflags" 84 #define POLICY_CONTROL_ENTRY "policy" 85 #define EXPIRE_AFTER_CONTROL_ENTRY "expire-after" 86 #define QSZ_CONTROL_ENTRY "qsize" 87 88 #define AU_CLASS_NAME_MAX 8 89 #define AU_CLASS_DESC_MAX 72 90 #define AU_EVENT_NAME_MAX 30 91 #define AU_EVENT_DESC_MAX 50 92 #define AU_USER_NAME_MAX 50 93 #define AU_LINE_MAX 256 94 #define MAX_AUDITSTRING_LEN 256 95 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ 96 97 #define USE_DEFAULT_QSZ -1 /* Use system default queue size */ 98 99 /* 100 * Arguments to au_close(3). 101 */ 102 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */ 103 #define AU_TO_WRITE 1 /* Commit audit record. */ 104 105 /* 106 * Output format flags for au_print_flags_tok(). 107 */ 108 #define AU_OFLAG_NONE 0x0000 /* Default form. */ 109 #define AU_OFLAG_RAW 0x0001 /* Raw, numeric form. */ 110 #define AU_OFLAG_SHORT 0x0002 /* Short form. */ 111 #define AU_OFLAG_XML 0x0004 /* XML form. */ 112 #define AU_OFLAG_NORESOLVE 0x0008 /* No user/group name resolution. */ 113 114 __BEGIN_DECLS 115 struct au_event_ent { 116 au_event_t ae_number; 117 char *ae_name; 118 char *ae_desc; 119 au_class_t ae_class; 120 }; 121 typedef struct au_event_ent au_event_ent_t; 122 123 struct au_class_ent { 124 char *ac_name; 125 au_class_t ac_class; 126 char *ac_desc; 127 }; 128 typedef struct au_class_ent au_class_ent_t; 129 130 struct au_user_ent { 131 char *au_name; 132 au_mask_t au_always; 133 au_mask_t au_never; 134 }; 135 typedef struct au_user_ent au_user_ent_t; 136 __END_DECLS 137 138 #define ADD_TO_MASK(m, c, sel) do { \ 139 if (sel & AU_PRS_SUCCESS) \ 140 (m)->am_success |= c; \ 141 if (sel & AU_PRS_FAILURE) \ 142 (m)->am_failure |= c; \ 143 } while (0) 144 145 #define SUB_FROM_MASK(m, c, sel) do { \ 146 if (sel & AU_PRS_SUCCESS) \ 147 (m)->am_success &= ((m)->am_success ^ c); \ 148 if (sel & AU_PRS_FAILURE) \ 149 (m)->am_failure &= ((m)->am_failure ^ c); \ 150 } while (0) 151 152 #define ADDMASK(m, v) do { \ 153 (m)->am_success |= (v)->am_success; \ 154 (m)->am_failure |= (v)->am_failure; \ 155 } while(0) 156 157 #define SUBMASK(m, v) do { \ 158 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ 159 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ 160 } while(0) 161 162 __BEGIN_DECLS 163 164 typedef struct au_tid32 { 165 u_int32_t port; 166 u_int32_t addr; 167 } au_tid32_t; 168 169 typedef struct au_tid64 { 170 u_int64_t port; 171 u_int32_t addr; 172 } au_tid64_t; 173 174 typedef struct au_tidaddr32 { 175 u_int32_t port; 176 u_int32_t type; 177 u_int32_t addr[4]; 178 } au_tidaddr32_t; 179 180 typedef struct au_tidaddr64 { 181 u_int64_t port; 182 u_int32_t type; 183 u_int32_t addr[4]; 184 } au_tidaddr64_t; 185 186 /* 187 * argument # 1 byte 188 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 189 * text length 2 bytes 190 * text N bytes + 1 terminating NULL byte 191 */ 192 typedef struct { 193 u_char no; 194 u_int32_t val; 195 u_int16_t len; 196 char *text; 197 } au_arg32_t; 198 199 typedef struct { 200 u_char no; 201 u_int64_t val; 202 u_int16_t len; 203 char *text; 204 } au_arg64_t; 205 206 /* 207 * how to print 1 byte 208 * basic unit 1 byte 209 * unit count 1 byte 210 * data items (depends on basic unit) 211 */ 212 typedef struct { 213 u_char howtopr; 214 u_char bu; 215 u_char uc; 216 u_char *data; 217 } au_arb_t; 218 219 /* 220 * file access mode 4 bytes 221 * owner user ID 4 bytes 222 * owner group ID 4 bytes 223 * file system ID 4 bytes 224 * node ID 8 bytes 225 * device 4 bytes/8 bytes (32-bit/64-bit) 226 */ 227 typedef struct { 228 u_int32_t mode; 229 u_int32_t uid; 230 u_int32_t gid; 231 u_int32_t fsid; 232 u_int64_t nid; 233 u_int32_t dev; 234 } au_attr32_t; 235 236 typedef struct { 237 u_int32_t mode; 238 u_int32_t uid; 239 u_int32_t gid; 240 u_int32_t fsid; 241 u_int64_t nid; 242 u_int64_t dev; 243 } au_attr64_t; 244 245 /* 246 * count 4 bytes 247 * text count null-terminated string(s) 248 */ 249 typedef struct { 250 u_int32_t count; 251 char *text[AUDIT_MAX_ARGS]; 252 } au_execarg_t; 253 254 /* 255 * count 4 bytes 256 * text count null-terminated string(s) 257 */ 258 typedef struct { 259 u_int32_t count; 260 char *text[AUDIT_MAX_ENV]; 261 } au_execenv_t; 262 263 /* 264 * status 4 bytes 265 * return value 4 bytes 266 */ 267 typedef struct { 268 u_int32_t status; 269 u_int32_t ret; 270 } au_exit_t; 271 272 /* 273 * seconds of time 4 bytes 274 * milliseconds of time 4 bytes 275 * file name length 2 bytes 276 * file pathname N bytes + 1 terminating NULL byte 277 */ 278 typedef struct { 279 u_int32_t s; 280 u_int32_t ms; 281 u_int16_t len; 282 char *name; 283 } au_file_t; 284 285 286 /* 287 * number groups 2 bytes 288 * group list N * 4 bytes 289 */ 290 typedef struct { 291 u_int16_t no; 292 u_int32_t list[AUDIT_MAX_GROUPS]; 293 } au_groups_t; 294 295 /* 296 * record byte count 4 bytes 297 * version # 1 byte [2] 298 * event type 2 bytes 299 * event modifier 2 bytes 300 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 301 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 302 */ 303 typedef struct { 304 u_int32_t size; 305 u_char version; 306 u_int16_t e_type; 307 u_int16_t e_mod; 308 u_int32_t s; 309 u_int32_t ms; 310 } au_header32_t; 311 312 /* 313 * record byte count 4 bytes 314 * version # 1 byte [2] 315 * event type 2 bytes 316 * event modifier 2 bytes 317 * address type/length 1 byte (XXX: actually, 4 bytes) 318 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 319 * seconds of time 4 bytes/8 bytes (32/64-bits) 320 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 321 */ 322 typedef struct { 323 u_int32_t size; 324 u_char version; 325 u_int16_t e_type; 326 u_int16_t e_mod; 327 u_int32_t ad_type; 328 u_int32_t addr[4]; 329 u_int32_t s; 330 u_int32_t ms; 331 } au_header32_ex_t; 332 333 typedef struct { 334 u_int32_t size; 335 u_char version; 336 u_int16_t e_type; 337 u_int16_t e_mod; 338 u_int64_t s; 339 u_int64_t ms; 340 } au_header64_t; 341 342 typedef struct { 343 u_int32_t size; 344 u_char version; 345 u_int16_t e_type; 346 u_int16_t e_mod; 347 u_int32_t ad_type; 348 u_int32_t addr[4]; 349 u_int64_t s; 350 u_int64_t ms; 351 } au_header64_ex_t; 352 353 /* 354 * internet address 4 bytes 355 */ 356 typedef struct { 357 u_int32_t addr; 358 } au_inaddr_t; 359 360 /* 361 * type 4 bytes 362 * internet address 16 bytes 363 */ 364 typedef struct { 365 u_int32_t type; 366 u_int32_t addr[4]; 367 } au_inaddr_ex_t; 368 369 /* 370 * version and ihl 1 byte 371 * type of service 1 byte 372 * length 2 bytes 373 * id 2 bytes 374 * offset 2 bytes 375 * ttl 1 byte 376 * protocol 1 byte 377 * checksum 2 bytes 378 * source address 4 bytes 379 * destination address 4 bytes 380 */ 381 typedef struct { 382 u_char version; 383 u_char tos; 384 u_int16_t len; 385 u_int16_t id; 386 u_int16_t offset; 387 u_char ttl; 388 u_char prot; 389 u_int16_t chksm; 390 u_int32_t src; 391 u_int32_t dest; 392 } au_ip_t; 393 394 /* 395 * object ID type 1 byte 396 * object ID 4 bytes 397 */ 398 typedef struct { 399 u_char type; 400 u_int32_t id; 401 } au_ipc_t; 402 403 /* 404 * owner user ID 4 bytes 405 * owner group ID 4 bytes 406 * creator user ID 4 bytes 407 * creator group ID 4 bytes 408 * access mode 4 bytes 409 * slot sequence # 4 bytes 410 * key 4 bytes 411 */ 412 typedef struct { 413 u_int32_t uid; 414 u_int32_t gid; 415 u_int32_t puid; 416 u_int32_t pgid; 417 u_int32_t mode; 418 u_int32_t seq; 419 u_int32_t key; 420 } au_ipcperm_t; 421 422 /* 423 * port IP address 2 bytes 424 */ 425 typedef struct { 426 u_int16_t port; 427 } au_iport_t; 428 429 /* 430 * length 2 bytes 431 * data length bytes 432 */ 433 typedef struct { 434 u_int16_t size; 435 char *data; 436 } au_opaque_t; 437 438 /* 439 * path length 2 bytes 440 * path N bytes + 1 terminating NULL byte 441 */ 442 typedef struct { 443 u_int16_t len; 444 char *path; 445 } au_path_t; 446 447 /* 448 * audit ID 4 bytes 449 * effective user ID 4 bytes 450 * effective group ID 4 bytes 451 * real user ID 4 bytes 452 * real group ID 4 bytes 453 * process ID 4 bytes 454 * session ID 4 bytes 455 * terminal ID 456 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 457 * machine address 4 bytes 458 */ 459 typedef struct { 460 u_int32_t auid; 461 u_int32_t euid; 462 u_int32_t egid; 463 u_int32_t ruid; 464 u_int32_t rgid; 465 u_int32_t pid; 466 u_int32_t sid; 467 au_tid32_t tid; 468 } au_proc32_t; 469 470 typedef struct { 471 u_int32_t auid; 472 u_int32_t euid; 473 u_int32_t egid; 474 u_int32_t ruid; 475 u_int32_t rgid; 476 u_int32_t pid; 477 u_int32_t sid; 478 au_tid64_t tid; 479 } au_proc64_t; 480 481 /* 482 * audit ID 4 bytes 483 * effective user ID 4 bytes 484 * effective group ID 4 bytes 485 * real user ID 4 bytes 486 * real group ID 4 bytes 487 * process ID 4 bytes 488 * session ID 4 bytes 489 * terminal ID 490 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 491 * type 4 bytes 492 * machine address 16 bytes 493 */ 494 typedef struct { 495 u_int32_t auid; 496 u_int32_t euid; 497 u_int32_t egid; 498 u_int32_t ruid; 499 u_int32_t rgid; 500 u_int32_t pid; 501 u_int32_t sid; 502 au_tidaddr32_t tid; 503 } au_proc32ex_t; 504 505 typedef struct { 506 u_int32_t auid; 507 u_int32_t euid; 508 u_int32_t egid; 509 u_int32_t ruid; 510 u_int32_t rgid; 511 u_int32_t pid; 512 u_int32_t sid; 513 au_tidaddr64_t tid; 514 } au_proc64ex_t; 515 516 /* 517 * error status 1 byte 518 * return value 4 bytes/8 bytes (32-bit/64-bit value) 519 */ 520 typedef struct { 521 u_char status; 522 u_int32_t ret; 523 } au_ret32_t; 524 525 typedef struct { 526 u_char err; 527 u_int64_t val; 528 } au_ret64_t; 529 530 /* 531 * sequence number 4 bytes 532 */ 533 typedef struct { 534 u_int32_t seqno; 535 } au_seq_t; 536 537 /* 538 * socket type 2 bytes 539 * local port 2 bytes 540 * local Internet address 4 bytes 541 * remote port 2 bytes 542 * remote Internet address 4 bytes 543 */ 544 typedef struct { 545 u_int16_t type; 546 u_int16_t l_port; 547 u_int32_t l_addr; 548 u_int16_t r_port; 549 u_int32_t r_addr; 550 } au_socket_t; 551 552 /* 553 * socket type 2 bytes 554 * local port 2 bytes 555 * address type/length 4 bytes 556 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 557 * remote port 4 bytes 558 * address type/length 4 bytes 559 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 560 */ 561 typedef struct { 562 u_int16_t domain; 563 u_int16_t type; 564 u_int16_t atype; 565 u_int16_t l_port; 566 u_int32_t l_addr[4]; 567 u_int32_t r_port; 568 u_int32_t r_addr[4]; 569 } au_socket_ex32_t; 570 571 /* 572 * socket family 2 bytes 573 * local port 2 bytes 574 * socket address 4 bytes/16 bytes (IPv4/IPv6 address) 575 */ 576 typedef struct { 577 u_int16_t family; 578 u_int16_t port; 579 u_int32_t addr[4]; 580 } au_socketinet_ex32_t; 581 582 typedef struct { 583 u_int16_t family; 584 u_int16_t port; 585 u_int32_t addr; 586 } au_socketinet32_t; 587 588 /* 589 * Largest sun_path across all supported platforms (Linux and Solaris use 108, 590 * macOS and FreeBSD use 104). 591 */ 592 #define AU_UNIX_PATH_MAX 108 593 594 /* 595 * socket family 2 bytes 596 * path up to AU_UNIX_PATH_MAX bytes (NUL terminated) 597 */ 598 typedef struct { 599 u_int16_t family; 600 char path[AU_UNIX_PATH_MAX]; 601 } au_socketunix_t; 602 603 /* 604 * audit ID 4 bytes 605 * effective user ID 4 bytes 606 * effective group ID 4 bytes 607 * real user ID 4 bytes 608 * real group ID 4 bytes 609 * process ID 4 bytes 610 * session ID 4 bytes 611 * terminal ID 612 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 613 * machine address 4 bytes 614 */ 615 typedef struct { 616 u_int32_t auid; 617 u_int32_t euid; 618 u_int32_t egid; 619 u_int32_t ruid; 620 u_int32_t rgid; 621 u_int32_t pid; 622 u_int32_t sid; 623 au_tid32_t tid; 624 } au_subject32_t; 625 626 typedef struct { 627 u_int32_t auid; 628 u_int32_t euid; 629 u_int32_t egid; 630 u_int32_t ruid; 631 u_int32_t rgid; 632 u_int32_t pid; 633 u_int32_t sid; 634 au_tid64_t tid; 635 } au_subject64_t; 636 637 /* 638 * audit ID 4 bytes 639 * effective user ID 4 bytes 640 * effective group ID 4 bytes 641 * real user ID 4 bytes 642 * real group ID 4 bytes 643 * process ID 4 bytes 644 * session ID 4 bytes 645 * terminal ID 646 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 647 * type 4 bytes 648 * machine address 16 bytes 649 */ 650 typedef struct { 651 u_int32_t auid; 652 u_int32_t euid; 653 u_int32_t egid; 654 u_int32_t ruid; 655 u_int32_t rgid; 656 u_int32_t pid; 657 u_int32_t sid; 658 au_tidaddr32_t tid; 659 } au_subject32ex_t; 660 661 typedef struct { 662 u_int32_t auid; 663 u_int32_t euid; 664 u_int32_t egid; 665 u_int32_t ruid; 666 u_int32_t rgid; 667 u_int32_t pid; 668 u_int32_t sid; 669 au_tidaddr64_t tid; 670 } au_subject64ex_t; 671 672 /* 673 * text length 2 bytes 674 * text N bytes + 1 terminating NULL byte 675 */ 676 typedef struct { 677 u_int16_t len; 678 char *text; 679 } au_text_t; 680 681 /* 682 * upriv status 1 byte 683 * privstr len 2 bytes 684 * privstr N bytes + 1 (\0 byte) 685 */ 686 typedef struct { 687 u_int8_t sorf; 688 u_int16_t privstrlen; 689 char *priv; 690 } au_priv_t; 691 692 /* 693 * privset 694 * privtstrlen 2 bytes 695 * privtstr N Bytes + 1 696 * privstrlen 2 bytes 697 * privstr N Bytes + 1 698 */ 699 typedef struct { 700 u_int16_t privtstrlen; 701 char *privtstr; 702 u_int16_t privstrlen; 703 char *privstr; 704 } au_privset_t; 705 706 /* 707 * zonename length 2 bytes 708 * zonename text N bytes + 1 NULL terminator 709 */ 710 typedef struct { 711 u_int16_t len; 712 char *zonename; 713 } au_zonename_t; 714 715 typedef struct { 716 u_int32_t ident; 717 u_int16_t filter; 718 u_int16_t flags; 719 u_int32_t fflags; 720 u_int32_t data; 721 } au_kevent_t; 722 723 typedef struct { 724 u_int16_t length; 725 char *data; 726 } au_invalid_t; 727 728 /* 729 * trailer magic number 2 bytes 730 * record byte count 4 bytes 731 */ 732 typedef struct { 733 u_int16_t magic; 734 u_int32_t count; 735 } au_trailer_t; 736 737 struct tokenstr { 738 u_char id; 739 u_char *data; 740 size_t len; 741 union { 742 au_arg32_t arg32; 743 au_arg64_t arg64; 744 au_arb_t arb; 745 au_attr32_t attr32; 746 au_attr64_t attr64; 747 au_execarg_t execarg; 748 au_execenv_t execenv; 749 au_exit_t exit; 750 au_file_t file; 751 au_groups_t grps; 752 au_header32_t hdr32; 753 au_header32_ex_t hdr32_ex; 754 au_header64_t hdr64; 755 au_header64_ex_t hdr64_ex; 756 au_inaddr_t inaddr; 757 au_inaddr_ex_t inaddr_ex; 758 au_ip_t ip; 759 au_ipc_t ipc; 760 au_ipcperm_t ipcperm; 761 au_iport_t iport; 762 au_opaque_t opaque; 763 au_path_t path; 764 au_proc32_t proc32; 765 au_proc32ex_t proc32_ex; 766 au_proc64_t proc64; 767 au_proc64ex_t proc64_ex; 768 au_ret32_t ret32; 769 au_ret64_t ret64; 770 au_seq_t seq; 771 au_socket_t socket; 772 au_socket_ex32_t socket_ex32; 773 au_socketinet_ex32_t sockinet_ex32; 774 au_socketunix_t sockunix; 775 au_subject32_t subj32; 776 au_subject32ex_t subj32_ex; 777 au_subject64_t subj64; 778 au_subject64ex_t subj64_ex; 779 au_text_t text; 780 au_kevent_t kevent; 781 au_invalid_t invalid; 782 au_trailer_t trail; 783 au_zonename_t zonename; 784 au_priv_t priv; 785 au_privset_t privset; 786 } tt; /* The token is one of the above types */ 787 }; 788 789 typedef struct tokenstr tokenstr_t; 790 791 int audit_submit(short au_event, au_id_t auid, 792 char status, int reterr, const char *fmt, ...); 793 794 /* 795 * Functions relating to querying audit class information. 796 */ 797 void setauclass(void); 798 void endauclass(void); 799 struct au_class_ent *getauclassent(void); 800 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 801 struct au_class_ent *getauclassnam(const char *name); 802 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 803 const char *name); 804 struct au_class_ent *getauclassnum(au_class_t class_number); 805 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 806 au_class_t class_number); 807 808 /* 809 * Functions relating to querying audit control information. 810 */ 811 void setac(void); 812 void endac(void); 813 int getacdir(char *name, int len); 814 int getacdist(void); 815 int getacexpire(int *andflg, time_t *age, size_t *size); 816 int getacfilesz(size_t *size_val); 817 int getacqsize(int *size_val); 818 int getacflg(char *auditstr, int len); 819 int getachost(char *auditstr, size_t len); 820 int getacmin(int *min_val); 821 int getacna(char *auditstr, int len); 822 int getacpol(char *auditstr, size_t len); 823 int getauditflagsbin(char *auditstr, au_mask_t *masks); 824 int getauditflagschar(char *auditstr, au_mask_t *masks, 825 int verbose); 826 int au_preselect(au_event_t event, au_mask_t *mask_p, 827 int sorf, int flag); 828 ssize_t au_poltostr(int policy, size_t maxsize, char *buf); 829 int au_strtopol(const char *polstr, int *policy); 830 831 /* 832 * Functions relating to querying audit event information. 833 */ 834 void setauevent(void); 835 void endauevent(void); 836 struct au_event_ent *getauevent(void); 837 struct au_event_ent *getauevent_r(struct au_event_ent *e); 838 struct au_event_ent *getauevnam(const char *name); 839 struct au_event_ent *getauevnam_r(struct au_event_ent *e, 840 const char *name); 841 struct au_event_ent *getauevnum(au_event_t event_number); 842 struct au_event_ent *getauevnum_r(struct au_event_ent *e, 843 au_event_t event_number); 844 au_event_t *getauevnonam(const char *event_name); 845 au_event_t *getauevnonam_r(au_event_t *ev, 846 const char *event_name); 847 848 /* 849 * Functions relating to querying audit user information. 850 */ 851 void setauuser(void); 852 void endauuser(void); 853 struct au_user_ent *getauuserent(void); 854 struct au_user_ent *getauuserent_r(struct au_user_ent *u); 855 struct au_user_ent *getauusernam(const char *name); 856 struct au_user_ent *getauusernam_r(struct au_user_ent *u, 857 const char *name); 858 int au_user_mask(char *username, au_mask_t *mask_p); 859 int getfauditflags(au_mask_t *usremask, 860 au_mask_t *usrdmask, au_mask_t *lastmask); 861 862 /* 863 * Functions for reading and printing records and tokens from audit trails. 864 */ 865 int au_read_rec(FILE *fp, u_char **buf); 866 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); 867 //XXX The following interface has different prototype from BSM 868 void au_print_tok(FILE *outfp, tokenstr_t *tok, 869 char *del, char raw, char sfrm); 870 void au_print_flags_tok(FILE *outfp, tokenstr_t *tok, 871 char *del, int oflags); 872 void au_print_tok_xml(FILE *outfp, tokenstr_t *tok, 873 char *del, char raw, char sfrm); 874 875 /* 876 * Functions relating to XML output. 877 */ 878 void au_print_xml_header(FILE *outfp); 879 void au_print_xml_footer(FILE *outfp); 880 881 const char *au_strerror(u_char bsm_error); 882 __END_DECLS 883 884 /* 885 * The remaining APIs are associated with Apple's BSM implementation, in 886 * particular as relates to Mach IPC auditing and triggers passed via Mach 887 * IPC. 888 */ 889 #ifdef __APPLE__ 890 #include <sys/appleapiopts.h> 891 892 /************************************************************************** 893 ************************************************************************** 894 ** The following definitions, functions, etc., are NOT officially 895 ** supported: they may be changed or removed in the future. Do not use 896 ** them unless you are prepared to cope with that eventuality. 897 ************************************************************************** 898 **************************************************************************/ 899 900 #ifdef __APPLE_API_PRIVATE 901 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" 902 #endif /* __APPLE_API_PRIVATE */ 903 904 /* 905 * au_get_state() return values 906 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and 907 * AUDIT_ON are deprecated and WILL be removed. 908 */ 909 #ifdef __APPLE_API_PRIVATE 910 #define AUDIT_OFF AUC_NOAUDIT 911 #define AUDIT_ON AUC_AUDITING 912 #endif /* __APPLE_API_PRIVATE */ 913 #endif /* !__APPLE__ */ 914 915 /* 916 * Error return codes for audit_set_terminal_id(), audit_write() and its 917 * brethren. We have 255 (not including kAUNoErr) to play with. 918 * 919 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 920 */ 921 enum { 922 kAUNoErr = 0, 923 kAUBadParamErr = -66049, 924 kAUStatErr, 925 kAUSysctlErr, 926 kAUOpenErr, 927 kAUMakeSubjectTokErr, 928 kAUWriteSubjectTokErr, 929 kAUWriteCallerTokErr, 930 kAUMakeReturnTokErr, 931 kAUWriteReturnTokErr, 932 kAUCloseErr, 933 kAUMakeTextTokErr, 934 kAULastErr 935 }; 936 937 #ifdef __APPLE__ 938 /* 939 * Error return codes for au_get_state() and/or its private support 940 * functions. These codes are designed to be compatible with the 941 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. 942 * Any changes to notify(3) may cause these values to change in future. 943 * 944 * AU_UNIMPL should never happen unless you've changed your system software 945 * without rebooting. Shame on you. 946 */ 947 #ifdef __APPLE_API_PRIVATE 948 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */ 949 #endif /* __APPLE_API_PRIVATE */ 950 #endif /* !__APPLE__ */ 951 952 __BEGIN_DECLS 953 /* 954 * XXX This prototype should be in audit_record.h 955 * 956 * au_free_token() 957 * 958 * @summary - au_free_token() deallocates a token_t created by any of 959 * the au_to_*() BSM API functions. 960 * 961 * The BSM API generally manages deallocation of token_t objects. However, 962 * if au_write() is passed a bad audit descriptor, the token_t * parameter 963 * will be left untouched. In that case, the caller can deallocate the 964 * token_t using au_free_token() if desired. This is, in fact, what 965 * audit_write() does, in keeping with the existing memory management model 966 * of the BSM API. 967 * 968 * @param tok - A token_t * generated by one of the au_to_*() BSM API 969 * calls. For convenience, tok may be NULL, in which case 970 * au_free_token() returns immediately. 971 * 972 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 973 */ 974 void au_free_token(token_t *tok); 975 976 /* 977 * Lightweight check to determine if auditing is enabled. If a client 978 * wants to use this to govern whether an entire series of audit calls 979 * should be made--as in the common case of a caller building a set of 980 * tokens, then writing them--it should cache the audit status in a local 981 * variable. This call always returns the current state of auditing. 982 * 983 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 984 * Otherwise the function can return any of the errno values defined for 985 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 986 * the system. 987 * 988 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 989 */ 990 int au_get_state(void); 991 992 /* 993 * Initialize the audit notification. If it has not already been initialized 994 * it will automatically on the first call of au_get_state(). 995 */ 996 uint32_t au_notify_initialize(void); 997 998 /* 999 * Cancel audit notification and free the resources associated with it. 1000 * Responsible code that no longer needs to use au_get_state() should call 1001 * this. 1002 */ 1003 int au_notify_terminate(void); 1004 __END_DECLS 1005 1006 /* OpenSSH compatibility */ 1007 int cannot_audit(int); 1008 1009 __BEGIN_DECLS 1010 /* 1011 * audit_set_terminal_id() 1012 * 1013 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 1014 * used in audit session initialization by processes like /usr/bin/login. 1015 * 1016 * @param tid - A pointer to an au_tid_t struct. 1017 * 1018 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 1019 * or kAUSysctlErr if one of the underlying system calls fails (a message 1020 * is sent to the system log in those cases). 1021 * 1022 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1023 */ 1024 int audit_set_terminal_id(au_tid_t *tid); 1025 1026 /* 1027 * BEGIN au_write() WRAPPERS 1028 * 1029 * The following calls all wrap the existing BSM API. They use the 1030 * provided subject information, if any, to construct the subject token 1031 * required for every log message. They use the provided return/error 1032 * value(s), if any, to construct the success/failure indication required 1033 * for every log message. They only permit one "miscellaneous" token, 1034 * which should contain the event-specific logging information mandated by 1035 * CAPP. 1036 * 1037 * All these calls assume the caller has previously determined that 1038 * auditing is enabled by calling au_get_state(). 1039 */ 1040 1041 /* 1042 * audit_write() 1043 * 1044 * @summary - audit_write() is the basis for the other audit_write_*() 1045 * calls. Performs a basic write of an audit record (subject, additional 1046 * info, success/failure). Note that this call only permits logging one 1047 * caller-specified token; clients needing to log more flexibly must use 1048 * the existing BSM API (au_open(), et al.) directly. 1049 * 1050 * Note on memory management: audit_write() guarantees that the token_t *s 1051 * passed to it will be deallocated whether or not the underlying write to 1052 * the audit log succeeded. This addresses an inconsistency in the 1053 * underlying BSM API in which token_t *s are usually but not always 1054 * deallocated. 1055 * 1056 * @param event_code - The code for the event being logged. This should 1057 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1058 * 1059 * @param subject - A token_t * generated by au_to_subject(), 1060 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 1061 * required, subject should be NULL. 1062 * 1063 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1064 * calls. This should correspond to the additional information required by 1065 * CAPP for the event being audited. If no additional information is 1066 * required, misctok should be NULL. 1067 * 1068 * @param retval - The return value to be logged for this event. This 1069 * should be 0 (zero) for success, otherwise the value is event-specific. 1070 * 1071 * @param errcode - Any error code associated with the return value (e.g., 1072 * errno or h_errno). If there was no error, errcode should be 0 (zero). 1073 * 1074 * @return - The status of the call: 0 (zero) on success, else one of the 1075 * kAU*Err values defined above. 1076 * 1077 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1078 */ 1079 int audit_write(short event_code, token_t *subject, token_t *misctok, 1080 char retval, int errcode); 1081 1082 /* 1083 * audit_write_success() 1084 * 1085 * @summary - audit_write_success() records an auditable event that did not 1086 * encounter an error. The interface is designed to require as little 1087 * direct use of the au_to_*() API as possible. It builds a subject token 1088 * from the information passed in and uses that to invoke audit_write(). 1089 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1090 * 1091 * If the subject information is the same as the current process, use 1092 * au_write_success_self(). 1093 * 1094 * @param event_code - The code for the event being logged. This should 1095 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1096 * 1097 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1098 * calls. This should correspond to the additional information required by 1099 * CAPP for the event being audited. If no additional information is 1100 * required, misctok should be NULL. 1101 * 1102 * @param auid - The subject's audit ID. 1103 * 1104 * @param euid - The subject's effective user ID. 1105 * 1106 * @param egid - The subject's effective group ID. 1107 * 1108 * @param ruid - The subject's real user ID. 1109 * 1110 * @param rgid - The subject's real group ID. 1111 * 1112 * @param pid - The subject's process ID. 1113 * 1114 * @param sid - The subject's session ID. 1115 * 1116 * @param tid - The subject's terminal ID. 1117 * 1118 * @return - The status of the call: 0 (zero) on success, else one of the 1119 * kAU*Err values defined above. 1120 * 1121 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1122 */ 1123 int audit_write_success(short event_code, token_t *misctok, au_id_t auid, 1124 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 1125 au_asid_t sid, au_tid_t *tid); 1126 1127 /* 1128 * audit_write_success_self() 1129 * 1130 * @summary - Similar to audit_write_success(), but used when the subject 1131 * (process) is owned and operated by the auditable user him/herself. 1132 * 1133 * @param event_code - The code for the event being logged. This should 1134 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1135 * 1136 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1137 * calls. This should correspond to the additional information required by 1138 * CAPP for the event being audited. If no additional information is 1139 * required, misctok should be NULL. 1140 * 1141 * @return - The status of the call: 0 (zero) on success, else one of the 1142 * kAU*Err values defined above. 1143 * 1144 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1145 */ 1146 int audit_write_success_self(short event_code, token_t *misctok); 1147 1148 /* 1149 * audit_write_failure() 1150 * 1151 * @summary - audit_write_failure() records an auditable event that 1152 * encountered an error. The interface is designed to require as little 1153 * direct use of the au_to_*() API as possible. It builds a subject token 1154 * from the information passed in and uses that to invoke audit_write(). 1155 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1156 * 1157 * If the subject information is the same as the current process, use 1158 * au_write_failure_self(). 1159 * 1160 * @param event_code - The code for the event being logged. This should 1161 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1162 * 1163 * @param errmsg - A text message providing additional information about 1164 * the event being audited. 1165 * 1166 * @param errret - A numerical value providing additional information about 1167 * the error. This is intended to store the value of errno or h_errno if 1168 * it's relevant. This can be 0 (zero) if no additional information is 1169 * available. 1170 * 1171 * @param auid - The subject's audit ID. 1172 * 1173 * @param euid - The subject's effective user ID. 1174 * 1175 * @param egid - The subject's effective group ID. 1176 * 1177 * @param ruid - The subject's real user ID. 1178 * 1179 * @param rgid - The subject's real group ID. 1180 * 1181 * @param pid - The subject's process ID. 1182 * 1183 * @param sid - The subject's session ID. 1184 * 1185 * @param tid - The subject's terminal ID. 1186 * 1187 * @return - The status of the call: 0 (zero) on success, else one of the 1188 * kAU*Err values defined above. 1189 * 1190 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1191 */ 1192 int audit_write_failure(short event_code, char *errmsg, int errret, 1193 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1194 pid_t pid, au_asid_t sid, au_tid_t *tid); 1195 1196 /* 1197 * audit_write_failure_self() 1198 * 1199 * @summary - Similar to audit_write_failure(), but used when the subject 1200 * (process) is owned and operated by the auditable user him/herself. 1201 * 1202 * @param event_code - The code for the event being logged. This should 1203 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1204 * 1205 * @param errmsg - A text message providing additional information about 1206 * the event being audited. 1207 * 1208 * @param errret - A numerical value providing additional information about 1209 * the error. This is intended to store the value of errno or h_errno if 1210 * it's relevant. This can be 0 (zero) if no additional information is 1211 * available. 1212 * 1213 * @return - The status of the call: 0 (zero) on success, else one of the 1214 * kAU*Err values defined above. 1215 * 1216 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1217 */ 1218 int audit_write_failure_self(short event_code, char *errmsg, int errret); 1219 1220 /* 1221 * audit_write_failure_na() 1222 * 1223 * @summary - audit_write_failure_na() records errors during login. Such 1224 * errors are implicitly non-attributable (i.e., not ascribable to any user). 1225 * 1226 * @param event_code - The code for the event being logged. This should 1227 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1228 * 1229 * @param errmsg - A text message providing additional information about 1230 * the event being audited. 1231 * 1232 * @param errret - A numerical value providing additional information about 1233 * the error. This is intended to store the value of errno or h_errno if 1234 * it's relevant. This can be 0 (zero) if no additional information is 1235 * available. 1236 * 1237 * @param euid - The subject's effective user ID. 1238 * 1239 * @param egid - The subject's effective group ID. 1240 * 1241 * @param pid - The subject's process ID. 1242 * 1243 * @param tid - The subject's terminal ID. 1244 * 1245 * @return - The status of the call: 0 (zero) on success, else one of the 1246 * kAU*Err values defined above. 1247 * 1248 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1249 */ 1250 int audit_write_failure_na(short event_code, char *errmsg, int errret, 1251 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1252 1253 /* END au_write() WRAPPERS */ 1254 1255 #ifdef __APPLE__ 1256 /* 1257 * audit_token_to_au32() 1258 * 1259 * @summary - Extract information from an audit_token_t, used to identify 1260 * Mach tasks and senders of Mach messages as subjects to the audit system. 1261 * audit_tokent_to_au32() is the only method that should be used to parse 1262 * an audit_token_t, since its internal representation may change over 1263 * time. A pointer parameter may be NULL if that information is not 1264 * needed. 1265 * 1266 * @param atoken - the audit token containing the desired information 1267 * 1268 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1269 * sender's audit user ID 1270 * 1271 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1272 * sender's effective user ID 1273 * 1274 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1275 * sender's effective group ID 1276 * 1277 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1278 * sender's real user ID 1279 * 1280 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1281 * sender's real group ID 1282 * 1283 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1284 * sender's process ID 1285 * 1286 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1287 * task or sender's audit session ID 1288 * 1289 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1290 * or sender's terminal ID 1291 * 1292 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1293 */ 1294 void audit_token_to_au32( 1295 audit_token_t atoken, 1296 uid_t *auidp, 1297 uid_t *euidp, 1298 gid_t *egidp, 1299 uid_t *ruidp, 1300 gid_t *rgidp, 1301 pid_t *pidp, 1302 au_asid_t *asidp, 1303 au_tid_t *tidp); 1304 #endif /* !__APPLE__ */ 1305 1306 /* 1307 * Wrapper functions to auditon(2). 1308 */ 1309 int audit_get_car(char *path, size_t sz); 1310 int audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1311 int audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1312 int audit_get_event(au_evname_map_t *evn_map, size_t sz); 1313 int audit_set_event(au_evname_map_t *evn_map, size_t sz); 1314 int audit_get_cond(int *cond); 1315 int audit_set_cond(int *cond); 1316 int audit_get_cwd(char *path, size_t sz); 1317 int audit_get_fsize(au_fstat_t *fstat, size_t sz); 1318 int audit_set_fsize(au_fstat_t *fstat, size_t sz); 1319 int audit_get_kmask(au_mask_t *kmask, size_t sz); 1320 int audit_set_kmask(au_mask_t *kmask, size_t sz); 1321 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1322 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1323 int audit_set_pmask(auditpinfo_t *api, size_t sz); 1324 int audit_get_pinfo(auditpinfo_t *api, size_t sz); 1325 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1326 int audit_get_policy(int *policy); 1327 int audit_set_policy(int *policy); 1328 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1329 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1330 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1331 int audit_get_stat(au_stat_t *stats, size_t sz); 1332 int audit_set_stat(au_stat_t *stats, size_t sz); 1333 int audit_send_trigger(int *trigger); 1334 1335 __END_DECLS 1336 1337 #endif /* !_LIBBSM_H_ */ 1338