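/*-
 * Copyright (c) 2008 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _BSM_AUDITD_LIB_H_
#define	_BSM_AUDITD_LIB_H_

/*
 * Postfix strings and lengths for audit trail file name components.
 *
 * A trail file name is "<prefix>.<postfix>": PREFIX_LEN characters, one
 * separator and POSTFIX_LEN characters.  None of the *_LEN values count the
 * terminating NUL, so a buffer that holds a timestamp needs
 * TIMESTAMP_LEN + 1 bytes and one that holds a file name needs
 * FILENAME_LEN + 1 bytes.  NOT_TERMINATED and CRASH_RECOVERY have the same
 * length as a timestamp and so fit in the postfix slot.
 */
#define	NOT_TERMINATED		"not_terminated"
#define	CRASH_RECOVERY		"crash_recovery"
#define	PREFIX_LEN		(sizeof("YYYYMMDDhhmmss") - 1)
#define	POSTFIX_LEN		PREFIX_LEN
#define	FILENAME_LEN		(PREFIX_LEN + 1 + POSTFIX_LEN)
#define	TIMESTAMP_LEN		POSTFIX_LEN

/*
 * Macro to generate the timestamp string for a trail file.
 *
 *   t - modifiable time_t lvalue; receives time(0).  It is evaluated more
 *       than once, so it must not have side effects.
 *   b - destination buffer; must hold at least TIMESTAMP_LEN + 1 bytes.
 *   l - size of b in bytes.
 *
 * Evaluates to 0 on success and to -1 when time() fails or strftime()
 * returns 0, which is what strftime() does when the result does not fit in
 * l bytes.  The timestamp is formatted in UTC (gmtime()).
 *
 * The whole expansion is parenthesized so that the macro can be used as an
 * operand, e.g. "getTSstr(t, b, l) + x" or "!getTSstr(t, b, l)", without
 * the trailing "? -1 : 0" swallowing the rest of the expression.
 *
 * NOTE(review): the gmtime() result is handed to strftime() unchecked; a
 * NULL return would be dereferenced inside strftime().
 */
#define	getTSstr(t, b, l)						\
	((((t) = time(0)) == (time_t)-1 ||				\
	    !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)))) ? -1 : 0)

/*
 * The symbolic link to the currently active audit trail file.
 */
#define	AUDIT_CURRENT_LINK	"/var/audit/current"

/*
 * Path of auditd plist file for launchd.
 */
#define	AUDITD_PLIST_FILE \
	"/System/Library/LaunchDaemons/com.apple.auditd.plist"

/*
 * Error return codes for auditd_lib functions.  ADE_NOERR is 0 and every
 * failure code is negative; auditd_strerror() takes one of these codes.
 */
#define	ADE_NOERR	  0	/* No Error or Success. */
#define	ADE_PARSE	 -1	/* Error parsing audit_control(5). */
#define	ADE_AUDITON	 -2	/* auditon(2) call failed. */
#define	ADE_NOMEM	 -3	/* Error allocating memory. */
#define	ADE_SOFTLIM	 -4	/* All audit log directories over soft limit. */
#define	ADE_HARDLIM	 -5	/* All audit log directories over hard limit. */
#define	ADE_STRERR	 -6	/* Error creating file name string. */
#define	ADE_AU_OPEN	 -7	/* au_open(3) failed. */
#define	ADE_AU_CLOSE	 -8	/* au_close(3) failed. */
#define	ADE_SETAUDIT	 -9	/* setaudit(2) or setaudit_addr(2) failed. */
#define	ADE_ACTL	-10	/* "Soft" error with auditctl(2). */
#define	ADE_ACTLERR	-11	/* "Hard" error with auditctl(2). */
#define	ADE_SWAPERR	-12	/* The audit trail file could not be swapped. */
#define	ADE_RENAME	-13	/* Error renaming crash recovery file. */
#define	ADE_READLINK	-14	/* Error reading 'current' link. */
#define	ADE_SYMLINK	-15	/* Error creating 'current' link. */
#define	ADE_INVAL	-16	/* Invalid argument. */
#define	ADE_GETADDR	-17	/* Error resolving address from hostname. */
#define	ADE_ADDRFAM	-18	/* Address family not supported. */
#define	ADE_EXPIRE	-19	/* Error expiring audit trail files. */

/*
 * auditd_lib functions.
 *
 * The int-returning functions presumably report the ADE_* codes above;
 * confirm against the implementation.  Callers should check every return
 * value: an ignored failure here can leave auditing misconfigured or the
 * trail not rotated.
 *
 * NOTE(review): this header does not show who owns the string stored in
 * *newfile by auditd_swap_trail(), nor what string the warn_* callbacks
 * receive -- confirm both against the implementation.
 */
const char	*auditd_strerror(int errcode);
int		 auditd_set_minfree(void);
int		 auditd_expire_trails(int (*warn_expired)(char *));
int		 auditd_read_dirs(int (*warn_soft)(char *),
		    int (*warn_hard)(char *));
void		 auditd_close_dirs(void);
int		 auditd_set_dist(void);
int		 auditd_set_evcmap(void);
int		 auditd_set_namask(void);
int		 auditd_set_policy(void);
int		 auditd_set_fsize(void);
int		 auditd_set_qsize(void);
int		 auditd_set_host(void);
int		 auditd_swap_trail(char *TS, char **newfile, gid_t gid,
		    int (*warn_getacdir)(char *));
int		 auditd_prevent_audit(void);
int		 auditd_gen_record(int event, char *path);
int		 auditd_new_curlink(char *curfile);
int		 auditd_rename(const char *fromname, const char *toname);
int		 audit_quick_start(void);
int		 audit_quick_stop(void);

#endif /* !_BSM_AUDITD_LIB_H_ */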