1 /*- 2 * Copyright (c) 2008 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $ 30 */ 31 32 #ifndef _BSM_AUDITD_LIB_H_ 33 #define _BSM_AUDITD_LIB_H_ 34 35 /* 36 * Lengths for audit trail file components. 37 */ 38 #define NOT_TERMINATED "not_terminated" 39 #define CRASH_RECOVERY "crash_recovery" 40 #define POSTFIX_LEN (sizeof("YYYYMMDDhhmmss") - 1) 41 #define FILENAME_LEN ((2 * POSTFIX_LEN) + 2) 42 #define TIMESTAMP_LEN (POSTFIX_LEN + 1) 43 44 /* 45 * Macro to generate the timestamp string for trail file. 46 */ 47 #define getTSstr(t, b, l) \ 48 ( (((t) = time(0)) == (time_t)-1 ) || \ 49 !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)) ) ) ? -1 : 0 50 51 /* 52 * The symbolic link to the currently active audit trail file. 53 */ 54 #define AUDIT_CURRENT_LINK "/var/audit/current" 55 56 /* 57 * Path of auditd plist file for launchd. 58 */ 59 #define AUDITD_PLIST_FILE \ 60 "/System/Library/LaunchDaemons/com.apple.auditd.plist" 61 62 /* 63 * Error return codes for auditd_lib functions. 64 */ 65 #define ADE_NOERR 0 /* No Error or Success. */ 66 #define ADE_PARSE -1 /* Error parsing audit_control(5). */ 67 #define ADE_AUDITON -2 /* auditon(2) call failed. */ 68 #define ADE_NOMEM -3 /* Error allocating memory. */ 69 #define ADE_SOFTLIM -4 /* All audit log directories over soft limit. */ 70 #define ADE_HARDLIM -5 /* All audit log directories over hard limit. */ 71 #define ADE_STRERR -6 /* Error creating file name string. */ 72 #define ADE_AU_OPEN -7 /* au_open(3) failed. */ 73 #define ADE_AU_CLOSE -8 /* au_close(3) failed. */ 74 #define ADE_SETAUDIT -9 /* setaudit(2) or setaudit_addr(2) failed. */ 75 #define ADE_ACTL -10 /* "Soft" error with auditctl(2). */ 76 #define ADE_ACTLERR -11 /* "Hard" error with auditctl(2). */ 77 #define ADE_SWAPERR -12 /* The audit trail file could not be swap. */ 78 #define ADE_RENAME -13 /* Error renaming crash recovery file. */ 79 #define ADE_READLINK -14 /* Error reading 'current' link. */ 80 #define ADE_SYMLINK -15 /* Error creating 'current' link. */ 81 #define ADE_INVAL -16 /* Invalid argument. */ 82 #define ADE_GETADDR -17 /* Error resolving address from hostname. */ 83 #define ADE_ADDRFAM -18 /* Address family not supported. */ 84 #define ADE_EXPIRE -19 /* Error expiring audit trail files. */ 85 86 /* 87 * auditd_lib functions. 88 */ 89 const char *auditd_strerror(int errcode); 90 int auditd_set_minfree(void); 91 int auditd_expire_trails(int (*warn_expired)(char *)); 92 int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *)); 93 void auditd_close_dirs(void); 94 int auditd_set_evcmap(void); 95 int auditd_set_namask(void); 96 int auditd_set_policy(void); 97 int auditd_set_fsize(void); 98 int auditd_set_host(void); 99 int auditd_swap_trail(char *TS, char **newfile, gid_t gid, 100 int (*warn_getacdir)(char *)); 101 int auditd_prevent_audit(void); 102 int auditd_gen_record(int event, char *path); 103 int auditd_new_curlink(char *curfile); 104 int audit_quick_start(void); 105 int audit_quick_stop(void); 106 107 #endif /* !_BSM_AUDITD_LIB_H_ */ 108