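/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Shared declarations for the audit daemon: warning-event names, fixed
 * paths, daemon state values, and the prototypes of the warning, logging,
 * trigger and lifecycle routines.
 */

#ifndef _AUDITD_H_
#define	_AUDITD_H_

#include <sys/types.h>
#include <sys/queue.h>
#include <syslog.h>

/*
 * NOTE(review): presumably an upper bound on an audit directory path;
 * whether it counts the terminating NUL is not visible here -- confirm
 * against the buffers that are sized with it.
 */
#define	MAX_DIR_SIZE	255
#define	AUDITD_NAME	"auditd"

/*
 * If defined, then the audit daemon will attempt to chown newly created logs
 * to this group.  Otherwise, they will be the default for the user running
 * auditd, likely the audit group.
 *
 * NOTE(review): the group that owns a trail file presumably gains access to
 * the audit records in it; the mode applied to new logs is set elsewhere, so
 * confirm it there and keep membership of this group minimal.
 */
#define	AUDIT_REVIEW_GROUP	"audit"

/*
 * Warning event names, one per audit_warn_*() routine declared below.
 * NOTE(review): presumably handed to AUDITWARN_SCRIPT to identify the
 * event -- confirm in the implementation.
 */
#define	HARDLIM_ALL_WARN	"allhard"
#define	SOFTLIM_ALL_WARN	"allsoft"
#define	AUDITOFF_WARN		"auditoff"
#define	CLOSEFILE_WARN		"closefile"
#define	EBUSY_WARN		"ebusy"
#define	GETACDIR_WARN		"getacdir"
#define	HARDLIM_WARN		"hard"
#define	NOSTART_WARN		"nostart"
#define	POSTSIGTERM_WARN	"postsigterm"
#define	SOFTLIM_WARN		"soft"
#define	TMPFILE_WARN		"tmpfile"
#define	EXPIRED_WARN		"expired"

/*
 * Fixed paths used by the daemon.
 *
 * NOTE(review): AUDITWARN_SCRIPT is presumably executed with the daemon's
 * privileges, so the script and every directory on its path should be
 * writable only by root.  The same ownership check applies to the directory
 * that holds AUDITD_PIDFILE.
 */
#define	AUDITWARN_SCRIPT	"/etc/security/audit_warn"
#define	AUDITD_PIDFILE		"/var/run/auditd.pid"

/*
 * Daemon state values; presumably the arguments and results of
 * auditd_set_state() and auditd_get_state().  The negative value is
 * parenthesized so the macro expands safely inside any expression.
 */
#define	AUD_STATE_INIT		(-1)
#define	AUD_STATE_DISABLED	0
#define	AUD_STATE_ENABLED	1

/*
 * Warning routines, one per event name above.
 *
 * NOTE(review): filename is a non-const pointer and how it reaches the warn
 * script is not visible here.  Confirm that it is passed as a separate
 * argument vector entry and never interpolated into a shell command line.
 */
int	audit_warn_allhard(void);
int	audit_warn_allsoft(void);
int	audit_warn_auditoff(void);
int	audit_warn_closefile(char *filename);
int	audit_warn_ebusy(void);
int	audit_warn_getacdir(char *filename);
int	audit_warn_hard(char *filename);
int	audit_warn_nostart(void);
int	audit_warn_postsigterm(void);
int	audit_warn_soft(char *filename);
int	audit_warn_tmpfile(void);
int	audit_warn_expired(char *filename);

/*
 * Logging.  The auditd_log_*() routines take a format string followed by
 * variadic arguments, so call sites must pass a literal format and supply
 * file names or other external text only as arguments.
 *
 * NOTE(review): a printf-style format attribute on these four prototypes
 * would let the compiler check every call site.
 */
void	auditd_openlog(int debug, gid_t gid);
void	auditd_log_err(const char *fmt, ...);
void	auditd_log_debug(const char *fmt, ...);
void	auditd_log_info(const char *fmt, ...);
void	auditd_log_notice(const char *fmt, ...);

/* Daemon state accessors (see the AUD_STATE_* values above). */
void	auditd_set_state(int state);
int	auditd_get_state(void);

/* Trigger channel: open, close, and dispatch of a received trigger. */
int	auditd_open_trigger(int launchd_flag);
int	auditd_close_trigger(void);
void	auditd_handle_trigger(int trigger);

/* Event loop, signal relay, shutdown, configuration and child reaping. */
void	auditd_wait_for_events(void);
void	auditd_relay_signal(int signal);
void	auditd_terminate(void);
int	auditd_config_controls(void);
void	auditd_reap_children(void);

#endif /* !_AUDITD_H_ */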