1 /* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#33 $ 30 */ 31 32 #ifndef _LIBBSM_H_ 33 #define _LIBBSM_H_ 34 35 /* 36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 
38 */ 39 40 #include <sys/types.h> 41 #include <sys/cdefs.h> 42 43 #include <inttypes.h> /* Required for audit.h. */ 44 #include <time.h> /* Required for clock_t on Linux. */ 45 46 #include <bsm/audit.h> 47 #include <bsm/audit_record.h> 48 49 #include <stdio.h> 50 51 #ifdef __APPLE__ 52 #include <mach/mach.h> /* audit_token_t */ 53 #endif 54 55 /* 56 * Size parsed token vectors for execve(2) arguments and environmental 57 * variables. Note: changing these sizes affects the ABI of the token 58 * structure, and as the token structure is often placed in the caller stack, 59 * this is undesirable. 60 */ 61 #define AUDIT_MAX_ARGS 128 62 #define AUDIT_MAX_ENV 128 63 64 /* 65 * Arguments to au_preselect(3). 66 */ 67 #define AU_PRS_USECACHE 0 68 #define AU_PRS_REREAD 1 69 70 #define AU_PRS_SUCCESS 1 71 #define AU_PRS_FAILURE 2 72 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 73 74 #define AUDIT_EVENT_FILE "/etc/security/audit_event" 75 #define AUDIT_CLASS_FILE "/etc/security/audit_class" 76 #define AUDIT_CONTROL_FILE "/etc/security/audit_control" 77 #define AUDIT_USER_FILE "/etc/security/audit_user" 78 79 #define DIR_CONTROL_ENTRY "dir" 80 #define MINFREE_CONTROL_ENTRY "minfree" 81 #define FILESZ_CONTROL_ENTRY "filesz" 82 #define FLAGS_CONTROL_ENTRY "flags" 83 #define NA_CONTROL_ENTRY "naflags" 84 #define POLICY_CONTROL_ENTRY "policy" 85 86 #define AU_CLASS_NAME_MAX 8 87 #define AU_CLASS_DESC_MAX 72 88 #define AU_EVENT_NAME_MAX 30 89 #define AU_EVENT_DESC_MAX 50 90 #define AU_USER_NAME_MAX 50 91 #define AU_LINE_MAX 256 92 #define MAX_AUDITSTRING_LEN 256 93 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ 94 95 /* 96 * Arguments to au_close(3). 97 */ 98 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */ 99 #define AU_TO_WRITE 1 /* Commit audit record. 
*/ 100 101 __BEGIN_DECLS 102 struct au_event_ent { 103 au_event_t ae_number; 104 char *ae_name; 105 char *ae_desc; 106 au_class_t ae_class; 107 }; 108 typedef struct au_event_ent au_event_ent_t; 109 110 struct au_class_ent { 111 char *ac_name; 112 au_class_t ac_class; 113 char *ac_desc; 114 }; 115 typedef struct au_class_ent au_class_ent_t; 116 117 struct au_user_ent { 118 char *au_name; 119 au_mask_t au_always; 120 au_mask_t au_never; 121 }; 122 typedef struct au_user_ent au_user_ent_t; 123 __END_DECLS 124 125 #define ADD_TO_MASK(m, c, sel) do { \ 126 if (sel & AU_PRS_SUCCESS) \ 127 (m)->am_success |= c; \ 128 if (sel & AU_PRS_FAILURE) \ 129 (m)->am_failure |= c; \ 130 } while (0) 131 132 #define SUB_FROM_MASK(m, c, sel) do { \ 133 if (sel & AU_PRS_SUCCESS) \ 134 (m)->am_success &= ((m)->am_success ^ c); \ 135 if (sel & AU_PRS_FAILURE) \ 136 (m)->am_failure &= ((m)->am_failure ^ c); \ 137 } while (0) 138 139 #define ADDMASK(m, v) do { \ 140 (m)->am_success |= (v)->am_success; \ 141 (m)->am_failure |= (v)->am_failure; \ 142 } while(0) 143 144 #define SUBMASK(m, v) do { \ 145 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ 146 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ 147 } while(0) 148 149 __BEGIN_DECLS 150 151 typedef struct au_tid32 { 152 u_int32_t port; 153 u_int32_t addr; 154 } au_tid32_t; 155 156 typedef struct au_tid64 { 157 u_int64_t port; 158 u_int32_t addr; 159 } au_tid64_t; 160 161 typedef struct au_tidaddr32 { 162 u_int32_t port; 163 u_int32_t type; 164 u_int32_t addr[4]; 165 } au_tidaddr32_t; 166 167 typedef struct au_tidaddr64 { 168 u_int64_t port; 169 u_int32_t type; 170 u_int32_t addr[4]; 171 } au_tidaddr64_t; 172 173 /* 174 * argument # 1 byte 175 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 176 * text length 2 bytes 177 * text N bytes + 1 terminating NULL byte 178 */ 179 typedef struct { 180 u_char no; 181 u_int32_t val; 182 u_int16_t len; 183 char *text; 184 } au_arg32_t; 185 186 typedef struct { 187 u_char no; 
188 u_int64_t val; 189 u_int16_t len; 190 char *text; 191 } au_arg64_t; 192 193 /* 194 * how to print 1 byte 195 * basic unit 1 byte 196 * unit count 1 byte 197 * data items (depends on basic unit) 198 */ 199 typedef struct { 200 u_char howtopr; 201 u_char bu; 202 u_char uc; 203 u_char *data; 204 } au_arb_t; 205 206 /* 207 * file access mode 4 bytes 208 * owner user ID 4 bytes 209 * owner group ID 4 bytes 210 * file system ID 4 bytes 211 * node ID 8 bytes 212 * device 4 bytes/8 bytes (32-bit/64-bit) 213 */ 214 typedef struct { 215 u_int32_t mode; 216 u_int32_t uid; 217 u_int32_t gid; 218 u_int32_t fsid; 219 u_int64_t nid; 220 u_int32_t dev; 221 } au_attr32_t; 222 223 typedef struct { 224 u_int32_t mode; 225 u_int32_t uid; 226 u_int32_t gid; 227 u_int32_t fsid; 228 u_int64_t nid; 229 u_int64_t dev; 230 } au_attr64_t; 231 232 /* 233 * count 4 bytes 234 * text count null-terminated string(s) 235 */ 236 typedef struct { 237 u_int32_t count; 238 char *text[AUDIT_MAX_ARGS]; 239 } au_execarg_t; 240 241 /* 242 * count 4 bytes 243 * text count null-terminated string(s) 244 */ 245 typedef struct { 246 u_int32_t count; 247 char *text[AUDIT_MAX_ENV]; 248 } au_execenv_t; 249 250 /* 251 * status 4 bytes 252 * return value 4 bytes 253 */ 254 typedef struct { 255 u_int32_t status; 256 u_int32_t ret; 257 } au_exit_t; 258 259 /* 260 * seconds of time 4 bytes 261 * milliseconds of time 4 bytes 262 * file name length 2 bytes 263 * file pathname N bytes + 1 terminating NULL byte 264 */ 265 typedef struct { 266 u_int32_t s; 267 u_int32_t ms; 268 u_int16_t len; 269 char *name; 270 } au_file_t; 271 272 273 /* 274 * number groups 2 bytes 275 * group list N * 4 bytes 276 */ 277 typedef struct { 278 u_int16_t no; 279 u_int32_t list[AUDIT_MAX_GROUPS]; 280 } au_groups_t; 281 282 /* 283 * record byte count 4 bytes 284 * version # 1 byte [2] 285 * event type 2 bytes 286 * event modifier 2 bytes 287 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 288 * milliseconds of time 4 bytes/8 bytes 
(32-bit/64-bit value) 289 */ 290 typedef struct { 291 u_int32_t size; 292 u_char version; 293 u_int16_t e_type; 294 u_int16_t e_mod; 295 u_int32_t s; 296 u_int32_t ms; 297 } au_header32_t; 298 299 /* 300 * record byte count 4 bytes 301 * version # 1 byte [2] 302 * event type 2 bytes 303 * event modifier 2 bytes 304 * address type/length 1 byte (XXX: actually, 4 bytes) 305 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 306 * seconds of time 4 bytes/8 bytes (32/64-bits) 307 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 308 */ 309 typedef struct { 310 u_int32_t size; 311 u_char version; 312 u_int16_t e_type; 313 u_int16_t e_mod; 314 u_int32_t ad_type; 315 u_int32_t addr[4]; 316 u_int32_t s; 317 u_int32_t ms; 318 } au_header32_ex_t; 319 320 typedef struct { 321 u_int32_t size; 322 u_char version; 323 u_int16_t e_type; 324 u_int16_t e_mod; 325 u_int64_t s; 326 u_int64_t ms; 327 } au_header64_t; 328 329 typedef struct { 330 u_int32_t size; 331 u_char version; 332 u_int16_t e_type; 333 u_int16_t e_mod; 334 u_int32_t ad_type; 335 u_int32_t addr[4]; 336 u_int64_t s; 337 u_int64_t ms; 338 } au_header64_ex_t; 339 340 /* 341 * internet address 4 bytes 342 */ 343 typedef struct { 344 u_int32_t addr; 345 } au_inaddr_t; 346 347 /* 348 * type 4 bytes 349 * internet address 16 bytes 350 */ 351 typedef struct { 352 u_int32_t type; 353 u_int32_t addr[4]; 354 } au_inaddr_ex_t; 355 356 /* 357 * version and ihl 1 byte 358 * type of service 1 byte 359 * length 2 bytes 360 * id 2 bytes 361 * offset 2 bytes 362 * ttl 1 byte 363 * protocol 1 byte 364 * checksum 2 bytes 365 * source address 4 bytes 366 * destination address 4 bytes 367 */ 368 typedef struct { 369 u_char version; 370 u_char tos; 371 u_int16_t len; 372 u_int16_t id; 373 u_int16_t offset; 374 u_char ttl; 375 u_char prot; 376 u_int16_t chksm; 377 u_int32_t src; 378 u_int32_t dest; 379 } au_ip_t; 380 381 /* 382 * object ID type 1 byte 383 * object ID 4 bytes 384 */ 385 typedef struct { 386 u_char type; 387 u_int32_t 
id; 388 } au_ipc_t; 389 390 /* 391 * owner user ID 4 bytes 392 * owner group ID 4 bytes 393 * creator user ID 4 bytes 394 * creator group ID 4 bytes 395 * access mode 4 bytes 396 * slot sequence # 4 bytes 397 * key 4 bytes 398 */ 399 typedef struct { 400 u_int32_t uid; 401 u_int32_t gid; 402 u_int32_t puid; 403 u_int32_t pgid; 404 u_int32_t mode; 405 u_int32_t seq; 406 u_int32_t key; 407 } au_ipcperm_t; 408 409 /* 410 * port IP address 2 bytes 411 */ 412 typedef struct { 413 u_int16_t port; 414 } au_iport_t; 415 416 /* 417 * length 2 bytes 418 * data length bytes 419 */ 420 typedef struct { 421 u_int16_t size; 422 char *data; 423 } au_opaque_t; 424 425 /* 426 * path length 2 bytes 427 * path N bytes + 1 terminating NULL byte 428 */ 429 typedef struct { 430 u_int16_t len; 431 char *path; 432 } au_path_t; 433 434 /* 435 * audit ID 4 bytes 436 * effective user ID 4 bytes 437 * effective group ID 4 bytes 438 * real user ID 4 bytes 439 * real group ID 4 bytes 440 * process ID 4 bytes 441 * session ID 4 bytes 442 * terminal ID 443 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 444 * machine address 4 bytes 445 */ 446 typedef struct { 447 u_int32_t auid; 448 u_int32_t euid; 449 u_int32_t egid; 450 u_int32_t ruid; 451 u_int32_t rgid; 452 u_int32_t pid; 453 u_int32_t sid; 454 au_tid32_t tid; 455 } au_proc32_t; 456 457 typedef struct { 458 u_int32_t auid; 459 u_int32_t euid; 460 u_int32_t egid; 461 u_int32_t ruid; 462 u_int32_t rgid; 463 u_int32_t pid; 464 u_int32_t sid; 465 au_tid64_t tid; 466 } au_proc64_t; 467 468 /* 469 * audit ID 4 bytes 470 * effective user ID 4 bytes 471 * effective group ID 4 bytes 472 * real user ID 4 bytes 473 * real group ID 4 bytes 474 * process ID 4 bytes 475 * session ID 4 bytes 476 * terminal ID 477 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 478 * type 4 bytes 479 * machine address 16 bytes 480 */ 481 typedef struct { 482 u_int32_t auid; 483 u_int32_t euid; 484 u_int32_t egid; 485 u_int32_t ruid; 486 u_int32_t rgid; 487 u_int32_t pid; 
488 u_int32_t sid; 489 au_tidaddr32_t tid; 490 } au_proc32ex_t; 491 492 typedef struct { 493 u_int32_t auid; 494 u_int32_t euid; 495 u_int32_t egid; 496 u_int32_t ruid; 497 u_int32_t rgid; 498 u_int32_t pid; 499 u_int32_t sid; 500 au_tidaddr64_t tid; 501 } au_proc64ex_t; 502 503 /* 504 * error status 1 byte 505 * return value 4 bytes/8 bytes (32-bit/64-bit value) 506 */ 507 typedef struct { 508 u_char status; 509 u_int32_t ret; 510 } au_ret32_t; 511 512 typedef struct { 513 u_char err; 514 u_int64_t val; 515 } au_ret64_t; 516 517 /* 518 * sequence number 4 bytes 519 */ 520 typedef struct { 521 u_int32_t seqno; 522 } au_seq_t; 523 524 /* 525 * socket type 2 bytes 526 * local port 2 bytes 527 * local Internet address 4 bytes 528 * remote port 2 bytes 529 * remote Internet address 4 bytes 530 */ 531 typedef struct { 532 u_int16_t type; 533 u_int16_t l_port; 534 u_int32_t l_addr; 535 u_int16_t r_port; 536 u_int32_t r_addr; 537 } au_socket_t; 538 539 /* 540 * socket type 2 bytes 541 * local port 2 bytes 542 * address type/length 4 bytes 543 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 544 * remote port 4 bytes 545 * address type/length 4 bytes 546 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 547 */ 548 typedef struct { 549 u_int16_t type; 550 u_int16_t l_port; 551 u_int32_t l_ad_type; 552 u_int32_t l_addr; 553 u_int32_t r_port; 554 u_int32_t r_ad_type; 555 u_int32_t r_addr; 556 } au_socket_ex32_t; 557 558 /* 559 * socket family 2 bytes 560 * local port 2 bytes 561 * socket address 4 bytes/16 bytes (IPv4/IPv6 address) 562 */ 563 typedef struct { 564 u_int16_t family; 565 u_int16_t port; 566 u_int32_t addr; 567 } au_socketinet32_t; 568 569 /* 570 * socket family 2 bytes 571 * path 104 bytes 572 */ 573 typedef struct { 574 u_int16_t family; 575 char path[104]; 576 } au_socketunix_t; 577 578 /* 579 * audit ID 4 bytes 580 * effective user ID 4 bytes 581 * effective group ID 4 bytes 582 * real user ID 4 bytes 583 * real group ID 4 bytes 584 
* process ID 4 bytes 585 * session ID 4 bytes 586 * terminal ID 587 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 588 * machine address 4 bytes 589 */ 590 typedef struct { 591 u_int32_t auid; 592 u_int32_t euid; 593 u_int32_t egid; 594 u_int32_t ruid; 595 u_int32_t rgid; 596 u_int32_t pid; 597 u_int32_t sid; 598 au_tid32_t tid; 599 } au_subject32_t; 600 601 typedef struct { 602 u_int32_t auid; 603 u_int32_t euid; 604 u_int32_t egid; 605 u_int32_t ruid; 606 u_int32_t rgid; 607 u_int32_t pid; 608 u_int32_t sid; 609 au_tid64_t tid; 610 } au_subject64_t; 611 612 /* 613 * audit ID 4 bytes 614 * effective user ID 4 bytes 615 * effective group ID 4 bytes 616 * real user ID 4 bytes 617 * real group ID 4 bytes 618 * process ID 4 bytes 619 * session ID 4 bytes 620 * terminal ID 621 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 622 * type 4 bytes 623 * machine address 16 bytes 624 */ 625 typedef struct { 626 u_int32_t auid; 627 u_int32_t euid; 628 u_int32_t egid; 629 u_int32_t ruid; 630 u_int32_t rgid; 631 u_int32_t pid; 632 u_int32_t sid; 633 au_tidaddr32_t tid; 634 } au_subject32ex_t; 635 636 typedef struct { 637 u_int32_t auid; 638 u_int32_t euid; 639 u_int32_t egid; 640 u_int32_t ruid; 641 u_int32_t rgid; 642 u_int32_t pid; 643 u_int32_t sid; 644 au_tidaddr64_t tid; 645 } au_subject64ex_t; 646 647 /* 648 * text length 2 bytes 649 * text N bytes + 1 terminating NULL byte 650 */ 651 typedef struct { 652 u_int16_t len; 653 char *text; 654 } au_text_t; 655 656 /* 657 * zonename length 2 bytes 658 * zonename text N bytes + 1 NULL terminator 659 */ 660 typedef struct { 661 u_int16_t len; 662 char *zonename; 663 } au_zonename_t; 664 665 typedef struct { 666 u_int32_t ident; 667 u_int16_t filter; 668 u_int16_t flags; 669 u_int32_t fflags; 670 u_int32_t data; 671 } au_kevent_t; 672 673 typedef struct { 674 u_int16_t length; 675 char *data; 676 } au_invalid_t; 677 678 /* 679 * trailer magic number 2 bytes 680 * record byte count 4 bytes 681 */ 682 typedef struct { 683 u_int16_t 
magic; 684 u_int32_t count; 685 } au_trailer_t; 686 687 struct tokenstr { 688 u_char id; 689 u_char *data; 690 size_t len; 691 union { 692 au_arg32_t arg32; 693 au_arg64_t arg64; 694 au_arb_t arb; 695 au_attr32_t attr32; 696 au_attr64_t attr64; 697 au_execarg_t execarg; 698 au_execenv_t execenv; 699 au_exit_t exit; 700 au_file_t file; 701 au_groups_t grps; 702 au_header32_t hdr32; 703 au_header32_ex_t hdr32_ex; 704 au_header64_t hdr64; 705 au_header64_ex_t hdr64_ex; 706 au_inaddr_t inaddr; 707 au_inaddr_ex_t inaddr_ex; 708 au_ip_t ip; 709 au_ipc_t ipc; 710 au_ipcperm_t ipcperm; 711 au_iport_t iport; 712 au_opaque_t opaque; 713 au_path_t path; 714 au_proc32_t proc32; 715 au_proc32ex_t proc32_ex; 716 au_proc64_t proc64; 717 au_proc64ex_t proc64_ex; 718 au_ret32_t ret32; 719 au_ret64_t ret64; 720 au_seq_t seq; 721 au_socket_t socket; 722 au_socket_ex32_t socket_ex32; 723 au_socketinet32_t sockinet32; 724 au_socketunix_t sockunix; 725 au_subject32_t subj32; 726 au_subject32ex_t subj32_ex; 727 au_subject64_t subj64; 728 au_subject64ex_t subj64_ex; 729 au_text_t text; 730 au_kevent_t kevent; 731 au_invalid_t invalid; 732 au_trailer_t trail; 733 au_zonename_t zonename; 734 } tt; /* The token is one of the above types */ 735 }; 736 737 typedef struct tokenstr tokenstr_t; 738 739 int audit_submit(short au_event, au_id_t auid, 740 char status, int reterr, const char *fmt, ...); 741 742 /* 743 * Functions relating to querying audit class information. 
744 */ 745 void setauclass(void); 746 void endauclass(void); 747 struct au_class_ent *getauclassent(void); 748 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 749 struct au_class_ent *getauclassnam(const char *name); 750 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 751 const char *name); 752 struct au_class_ent *getauclassnum(au_class_t class_number); 753 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 754 au_class_t class_number); 755 756 /* 757 * Functions relating to querying audit control information. 758 */ 759 void setac(void); 760 void endac(void); 761 int getacdir(char *name, int len); 762 int getacmin(int *min_val); 763 int getacfilesz(size_t *size_val); 764 int getacflg(char *auditstr, int len); 765 int getacna(char *auditstr, int len); 766 int getacpol(char *auditstr, size_t len); 767 int getauditflagsbin(char *auditstr, au_mask_t *masks); 768 int getauditflagschar(char *auditstr, au_mask_t *masks, 769 int verbose); 770 int au_preselect(au_event_t event, au_mask_t *mask_p, 771 int sorf, int flag); 772 ssize_t au_poltostr(long policy, size_t maxsize, char *buf); 773 int au_strtopol(const char *polstr, long *policy); 774 775 /* 776 * Functions relating to querying audit event information. 777 */ 778 void setauevent(void); 779 void endauevent(void); 780 struct au_event_ent *getauevent(void); 781 struct au_event_ent *getauevent_r(struct au_event_ent *e); 782 struct au_event_ent *getauevnam(const char *name); 783 struct au_event_ent *getauevnam_r(struct au_event_ent *e, 784 const char *name); 785 struct au_event_ent *getauevnum(au_event_t event_number); 786 struct au_event_ent *getauevnum_r(struct au_event_ent *e, 787 au_event_t event_number); 788 au_event_t *getauevnonam(const char *event_name); 789 au_event_t *getauevnonam_r(au_event_t *ev, 790 const char *event_name); 791 792 /* 793 * Functions relating to querying audit user information. 
794 */ 795 void setauuser(void); 796 void endauuser(void); 797 struct au_user_ent *getauuserent(void); 798 struct au_user_ent *getauuserent_r(struct au_user_ent *u); 799 struct au_user_ent *getauusernam(const char *name); 800 struct au_user_ent *getauusernam_r(struct au_user_ent *u, 801 const char *name); 802 int au_user_mask(char *username, au_mask_t *mask_p); 803 int getfauditflags(au_mask_t *usremask, 804 au_mask_t *usrdmask, au_mask_t *lastmask); 805 806 /* 807 * Functions for reading and printing records and tokens from audit trails. 808 */ 809 int au_read_rec(FILE *fp, u_char **buf); 810 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); 811 //XXX The following interface has different prototype from BSM 812 void au_print_tok(FILE *outfp, tokenstr_t *tok, 813 char *del, char raw, char sfrm); 814 void au_print_tok_xml(FILE *outfp, tokenstr_t *tok, 815 char *del, char raw, char sfrm); 816 817 /* 818 * Functions relating to XML output. 819 */ 820 void au_print_xml_header(FILE *outfp); 821 void au_print_xml_footer(FILE *outfp); 822 __END_DECLS 823 824 /* 825 * The remaining APIs are associated with Apple's BSM implementation, in 826 * particular as relates to Mach IPC auditing and triggers passed via Mach 827 * IPC. 828 */ 829 #ifdef __APPLE__ 830 #include <sys/appleapiopts.h> 831 832 /************************************************************************** 833 ************************************************************************** 834 ** The following definitions, functions, etc., are NOT officially 835 ** supported: they may be changed or removed in the future. Do not use 836 ** them unless you are prepared to cope with that eventuality. 
837 ************************************************************************** 838 **************************************************************************/ 839 840 #ifdef __APPLE_API_PRIVATE 841 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" 842 #endif /* __APPLE_API_PRIVATE */ 843 844 /* 845 * au_get_state() return values 846 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and 847 * AUDIT_ON are deprecated and WILL be removed. 848 */ 849 #ifdef __APPLE_API_PRIVATE 850 #define AUDIT_OFF AUC_NOAUDIT 851 #define AUDIT_ON AUC_AUDITING 852 #endif /* __APPLE_API_PRIVATE */ 853 #endif /* !__APPLE__ */ 854 855 /* 856 * Error return codes for audit_set_terminal_id(), audit_write() and its 857 * brethren. We have 255 (not including kAUNoErr) to play with. 858 * 859 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 860 */ 861 enum { 862 kAUNoErr = 0, 863 kAUBadParamErr = -66049, 864 kAUStatErr, 865 kAUSysctlErr, 866 kAUOpenErr, 867 kAUMakeSubjectTokErr, 868 kAUWriteSubjectTokErr, 869 kAUWriteCallerTokErr, 870 kAUMakeReturnTokErr, 871 kAUWriteReturnTokErr, 872 kAUCloseErr, 873 kAUMakeTextTokErr, 874 kAULastErr 875 }; 876 877 #ifdef __APPLE__ 878 /* 879 * Error return codes for au_get_state() and/or its private support 880 * functions. These codes are designed to be compatible with the 881 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. 882 * Any changes to notify(3) may cause these values to change in future. 883 * 884 * AU_UNIMPL should never happen unless you've changed your system software 885 * without rebooting. Shame on you. 
886 */ 887 #ifdef __APPLE_API_PRIVATE 888 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */ 889 #endif /* __APPLE_API_PRIVATE */ 890 #endif /* !__APPLE__ */ 891 892 __BEGIN_DECLS 893 /* 894 * XXX This prototype should be in audit_record.h 895 * 896 * au_free_token() 897 * 898 * @summary - au_free_token() deallocates a token_t created by any of 899 * the au_to_*() BSM API functions. 900 * 901 * The BSM API generally manages deallocation of token_t objects. However, 902 * if au_write() is passed a bad audit descriptor, the token_t * parameter 903 * will be left untouched. In that case, the caller can deallocate the 904 * token_t using au_free_token() if desired. This is, in fact, what 905 * audit_write() does, in keeping with the existing memory management model 906 * of the BSM API. 907 * 908 * @param tok - A token_t * generated by one of the au_to_*() BSM API 909 * calls. For convenience, tok may be NULL, in which case 910 * au_free_token() returns immediately. 911 * 912 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 913 */ 914 void au_free_token(token_t *tok); 915 916 /* 917 * Lightweight check to determine if auditing is enabled. If a client 918 * wants to use this to govern whether an entire series of audit calls 919 * should be made--as in the common case of a caller building a set of 920 * tokens, then writing them--it should cache the audit status in a local 921 * variable. This call always returns the current state of auditing. 922 * 923 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 924 * Otherwise the function can return any of the errno values defined for 925 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 926 * the system. 927 * 928 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
929 */ 930 int au_get_state(void); 931 __END_DECLS 932 933 /* OpenSSH compatibility */ 934 int cannot_audit(int); 935 936 __BEGIN_DECLS 937 /* 938 * audit_set_terminal_id() 939 * 940 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 941 * used in audit session initialization by processes like /usr/bin/login. 942 * 943 * @param tid - A pointer to an au_tid_t struct. 944 * 945 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 946 * or kAUSysctlErr if one of the underlying system calls fails (a message 947 * is sent to the system log in those cases). 948 * 949 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 950 */ 951 int audit_set_terminal_id(au_tid_t *tid); 952 953 /* 954 * BEGIN au_write() WRAPPERS 955 * 956 * The following calls all wrap the existing BSM API. They use the 957 * provided subject information, if any, to construct the subject token 958 * required for every log message. They use the provided return/error 959 * value(s), if any, to construct the success/failure indication required 960 * for every log message. They only permit one "miscellaneous" token, 961 * which should contain the event-specific logging information mandated by 962 * CAPP. 963 * 964 * All these calls assume the caller has previously determined that 965 * auditing is enabled by calling au_get_state(). 966 */ 967 968 /* 969 * audit_write() 970 * 971 * @summary - audit_write() is the basis for the other audit_write_*() 972 * calls. Performs a basic write of an audit record (subject, additional 973 * info, success/failure). Note that this call only permits logging one 974 * caller-specified token; clients needing to log more flexibly must use 975 * the existing BSM API (au_open(), et al.) directly. 976 * 977 * Note on memory management: audit_write() guarantees that the token_t *s 978 * passed to it will be deallocated whether or not the underlying write to 979 * the audit log succeeded. 
This addresses an inconsistency in the 980 * underlying BSM API in which token_t *s are usually but not always 981 * deallocated. 982 * 983 * @param event_code - The code for the event being logged. This should 984 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 985 * 986 * @param subject - A token_t * generated by au_to_subject(), 987 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 988 * required, subject should be NULL. 989 * 990 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 991 * calls. This should correspond to the additional information required by 992 * CAPP for the event being audited. If no additional information is 993 * required, misctok should be NULL. 994 * 995 * @param retval - The return value to be logged for this event. This 996 * should be 0 (zero) for success, otherwise the value is event-specific. 997 * 998 * @param errcode - Any error code associated with the return value (e.g., 999 * errno or h_errno). If there was no error, errcode should be 0 (zero). 1000 * 1001 * @return - The status of the call: 0 (zero) on success, else one of the 1002 * kAU*Err values defined above. 1003 * 1004 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1005 */ 1006 int audit_write(short event_code, token_t *subject, token_t *misctok, 1007 char retval, int errcode); 1008 1009 /* 1010 * audit_write_success() 1011 * 1012 * @summary - audit_write_success() records an auditable event that did not 1013 * encounter an error. The interface is designed to require as little 1014 * direct use of the au_to_*() API as possible. It builds a subject token 1015 * from the information passed in and uses that to invoke audit_write(). 1016 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1017 * 1018 * If the subject information is the same as the current process, use 1019 * au_write_success_self(). 1020 * 1021 * @param event_code - The code for the event being logged. 
This should 1022 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1023 * 1024 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1025 * calls. This should correspond to the additional information required by 1026 * CAPP for the event being audited. If no additional information is 1027 * required, misctok should be NULL. 1028 * 1029 * @param auid - The subject's audit ID. 1030 * 1031 * @param euid - The subject's effective user ID. 1032 * 1033 * @param egid - The subject's effective group ID. 1034 * 1035 * @param ruid - The subject's real user ID. 1036 * 1037 * @param rgid - The subject's real group ID. 1038 * 1039 * @param pid - The subject's process ID. 1040 * 1041 * @param sid - The subject's session ID. 1042 * 1043 * @param tid - The subject's terminal ID. 1044 * 1045 * @return - The status of the call: 0 (zero) on success, else one of the 1046 * kAU*Err values defined above. 1047 * 1048 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1049 */ 1050 int audit_write_success(short event_code, token_t *misctok, au_id_t auid, 1051 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 1052 au_asid_t sid, au_tid_t *tid); 1053 1054 /* 1055 * audit_write_success_self() 1056 * 1057 * @summary - Similar to audit_write_success(), but used when the subject 1058 * (process) is owned and operated by the auditable user him/herself. 1059 * 1060 * @param event_code - The code for the event being logged. This should 1061 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1062 * 1063 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1064 * calls. This should correspond to the additional information required by 1065 * CAPP for the event being audited. If no additional information is 1066 * required, misctok should be NULL. 1067 * 1068 * @return - The status of the call: 0 (zero) on success, else one of the 1069 * kAU*Err values defined above. 
1070 * 1071 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1072 */ 1073 int audit_write_success_self(short event_code, token_t *misctok); 1074 1075 /* 1076 * audit_write_failure() 1077 * 1078 * @summary - audit_write_failure() records an auditable event that 1079 * encountered an error. The interface is designed to require as little 1080 * direct use of the au_to_*() API as possible. It builds a subject token 1081 * from the information passed in and uses that to invoke audit_write(). 1082 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1083 * 1084 * If the subject information is the same as the current process, use 1085 * au_write_failure_self(). 1086 * 1087 * @param event_code - The code for the event being logged. This should 1088 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1089 * 1090 * @param errmsg - A text message providing additional information about 1091 * the event being audited. 1092 * 1093 * @param errret - A numerical value providing additional information about 1094 * the error. This is intended to store the value of errno or h_errno if 1095 * it's relevant. This can be 0 (zero) if no additional information is 1096 * available. 1097 * 1098 * @param auid - The subject's audit ID. 1099 * 1100 * @param euid - The subject's effective user ID. 1101 * 1102 * @param egid - The subject's effective group ID. 1103 * 1104 * @param ruid - The subject's real user ID. 1105 * 1106 * @param rgid - The subject's real group ID. 1107 * 1108 * @param pid - The subject's process ID. 1109 * 1110 * @param sid - The subject's session ID. 1111 * 1112 * @param tid - The subject's terminal ID. 1113 * 1114 * @return - The status of the call: 0 (zero) on success, else one of the 1115 * kAU*Err values defined above. 1116 * 1117 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
1118 */ 1119 int audit_write_failure(short event_code, char *errmsg, int errret, 1120 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1121 pid_t pid, au_asid_t sid, au_tid_t *tid); 1122 1123 /* 1124 * audit_write_failure_self() 1125 * 1126 * @summary - Similar to audit_write_failure(), but used when the subject 1127 * (process) is owned and operated by the auditable user him/herself. 1128 * 1129 * @param event_code - The code for the event being logged. This should 1130 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1131 * 1132 * @param errmsg - A text message providing additional information about 1133 * the event being audited. 1134 * 1135 * @param errret - A numerical value providing additional information about 1136 * the error. This is intended to store the value of errno or h_errno if 1137 * it's relevant. This can be 0 (zero) if no additional information is 1138 * available. 1139 * 1140 * @return - The status of the call: 0 (zero) on success, else one of the 1141 * kAU*Err values defined above. 1142 * 1143 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1144 */ 1145 int audit_write_failure_self(short event_code, char *errmsg, int errret); 1146 1147 /* 1148 * audit_write_failure_na() 1149 * 1150 * @summary - audit_write_failure_na() records errors during login. Such 1151 * errors are implicitly non-attributable (i.e., not ascribable to any user). 1152 * 1153 * @param event_code - The code for the event being logged. This should 1154 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1155 * 1156 * @param errmsg - A text message providing additional information about 1157 * the event being audited. 1158 * 1159 * @param errret - A numerical value providing additional information about 1160 * the error. This is intended to store the value of errno or h_errno if 1161 * it's relevant. This can be 0 (zero) if no additional information is 1162 * available. 
1163 * 1164 * @param euid - The subject's effective user ID. 1165 * 1166 * @param egid - The subject's effective group ID. 1167 * 1168 * @param pid - The subject's process ID. 1169 * 1170 * @param tid - The subject's terminal ID. 1171 * 1172 * @return - The status of the call: 0 (zero) on success, else one of the 1173 * kAU*Err values defined above. 1174 * 1175 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1176 */ 1177 int audit_write_failure_na(short event_code, char *errmsg, int errret, 1178 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1179 1180 /* END au_write() WRAPPERS */ 1181 1182 #ifdef __APPLE__ 1183 /* 1184 * audit_token_to_au32() 1185 * 1186 * @summary - Extract information from an audit_token_t, used to identify 1187 * Mach tasks and senders of Mach messages as subjects to the audit system. 1188 * audit_token_to_au32() is the only method that should be used to parse 1189 * an audit_token_t, since its internal representation may change over 1190 * time. A pointer parameter may be NULL if that information is not 1191 * needed.
1192 * 1193 * @param atoken - the audit token containing the desired information 1194 * 1195 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1196 * sender's audit user ID 1197 * 1198 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1199 * sender's effective user ID 1200 * 1201 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1202 * sender's effective group ID 1203 * 1204 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1205 * sender's real user ID 1206 * 1207 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1208 * sender's real group ID 1209 * 1210 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1211 * sender's process ID 1212 * 1213 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1214 * task or sender's audit session ID 1215 * 1216 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1217 * or sender's terminal ID 1218 * 1219 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1220 */ 1221 void audit_token_to_au32( 1222 audit_token_t atoken, 1223 uid_t *auidp, 1224 uid_t *euidp, 1225 gid_t *egidp, 1226 uid_t *ruidp, 1227 gid_t *rgidp, 1228 pid_t *pidp, 1229 au_asid_t *asidp, 1230 au_tid_t *tidp); 1231 #endif /* __APPLE__ */ 1232 1233 __END_DECLS 1234 1235 #endif /* !_LIBBSM_H_ */ 1236
