/*-
 * Copyright (c) 2004-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
 *    its contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * libbsm.h: user-space interface to the BSM audit library -- parsed token
 * structures, accessors for the audit configuration files, trail reading
 * and printing, and the Apple audit_write() convenience wrappers.
 */

#ifndef _LIBBSM_H_
#define _LIBBSM_H_

/*
 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
 */

#include <sys/types.h>
#include <sys/cdefs.h>

#include <inttypes.h>		/* Required for audit.h. */
#include <time.h>		/* Required for clock_t on Linux.
 */

#include <bsm/audit.h>
#include <bsm/audit_record.h>

#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>		/* audit_token_t */
#endif

/*
 * Size parsed token vectors for execve(2) arguments and environmental
 * variables.  Note: changing these sizes affects the ABI of the token
 * structure, and as the token structure is often placed in the caller stack,
 * this is undesirable.
 *
 * These bound the text[] arrays of au_execarg_t and au_execenv_t below, so a
 * record carrying more entries than this cannot be held in the parsed token;
 * presumably the parser has to reject or truncate such records -- confirm.
 */
#define	AUDIT_MAX_ARGS	128
#define	AUDIT_MAX_ENV	128

/*
 * Arguments to au_preselect(3).
 *
 * AU_PRS_USECACHE / AU_PRS_REREAD presumably select the "flag" argument of
 * au_preselect(); AU_PRS_SUCCESS / AU_PRS_FAILURE / AU_PRS_BOTH are also the
 * "sel" bits understood by ADD_TO_MASK() and SUB_FROM_MASK() below.
 */
#define	AU_PRS_USECACHE	0
#define	AU_PRS_REREAD	1

#define	AU_PRS_SUCCESS	1
#define	AU_PRS_FAILURE	2
#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)

/*
 * Locations of the audit configuration files read by the setau*()/getau*()
 * and setac()/getac*() accessors declared later in this header.
 */
#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
#define	AUDIT_USER_FILE		"/etc/security/audit_user"

/*
 * Entry keywords of AUDIT_CONTROL_FILE; one getac*() accessor exists per
 * entry.
 */
#define	DIR_CONTROL_ENTRY		"dir"
#define	DIST_CONTROL_ENTRY		"dist"
#define	FILESZ_CONTROL_ENTRY		"filesz"
#define	FLAGS_CONTROL_ENTRY		"flags"
#define	HOST_CONTROL_ENTRY		"host"
#define	MINFREE_CONTROL_ENTRY		"minfree"
#define	NA_CONTROL_ENTRY		"naflags"
#define	POLICY_CONTROL_ENTRY		"policy"
#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"

/*
 * Field-length limits.  NOTE(review): presumably the parsers of the files
 * above size their buffers from these; callers passing a buffer to a
 * getac*() routine should size it to AU_LINE_MAX / MAX_AUDITSTRING_LEN --
 * confirm against the implementation.
 */
#define	AU_CLASS_NAME_MAX	8
#define	AU_CLASS_DESC_MAX	72
#define	AU_EVENT_NAME_MAX	30
#define	AU_EVENT_DESC_MAX	50
#define	AU_USER_NAME_MAX	50
#define	AU_LINE_MAX		256
#define	MAX_AUDITSTRING_LEN	256
#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */

/*
 * Arguments to au_close(3).
 */
#define	AU_TO_NO_WRITE	0	/* Abandon audit record. */
#define	AU_TO_WRITE	1	/* Commit audit record. */

/*
 * Output format flags for au_print_flags_tok().  The flags are bits and may
 * be OR'd together.
 */
#define	AU_OFLAG_NONE		0x0000	/* Default form. */
#define	AU_OFLAG_RAW		0x0001	/* Raw, numeric form. */
#define	AU_OFLAG_SHORT		0x0002	/* Short form.
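*/
#define	AU_OFLAG_XML		0x0004	/* XML form. */
#define	AU_OFLAG_NORESOLVE	0x0008	/* No user/group name resolution. */

__BEGIN_DECLS
/*
 * One entry of AUDIT_EVENT_FILE: event number, name, description and the
 * class mask the event belongs to.
 */
struct au_event_ent {
	au_event_t	 ae_number;
	char		*ae_name;
	char		*ae_desc;
	au_class_t	 ae_class;
};
typedef struct au_event_ent au_event_ent_t;

/*
 * One entry of AUDIT_CLASS_FILE: class name, class mask bit(s) and
 * description.
 */
struct au_class_ent {
	char		*ac_name;
	au_class_t	 ac_class;
	char		*ac_desc;
};
typedef struct au_class_ent au_class_ent_t;

/*
 * One entry of AUDIT_USER_FILE: user name plus the always-audit and
 * never-audit masks for that user.
 */
struct au_user_ent {
	char		*au_name;
	au_mask_t	 au_always;
	au_mask_t	 au_never;
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Mask manipulation helpers.  'm' is an au_mask_t *, 'c' a class mask, 'sel'
 * a combination of AU_PRS_SUCCESS / AU_PRS_FAILURE selecting which of the
 * two sub-masks to touch.  Every argument is parenthesised so that an
 * expression such as ADD_TO_MASK(m, a | b, AU_PRS_BOTH) is not mis-parsed
 * by operator precedence inside the expansion.
 */
#define	ADD_TO_MASK(m, c, sel) do { \
	if ((sel) & AU_PRS_SUCCESS) \
		(m)->am_success |= (c); \
	if ((sel) & AU_PRS_FAILURE) \
		(m)->am_failure |= (c); \
} while (0)

/* Clear the bits of 'c' from the selected sub-mask(s): x &= (x ^ c). */
#define	SUB_FROM_MASK(m, c, sel) do { \
	if ((sel) & AU_PRS_SUCCESS) \
		(m)->am_success &= ((m)->am_success ^ (c)); \
	if ((sel) & AU_PRS_FAILURE) \
		(m)->am_failure &= ((m)->am_failure ^ (c)); \
} while (0)

/* OR both sub-masks of 'v' into 'm'. */
#define	ADDMASK(m, v) do { \
	(m)->am_success |= (v)->am_success; \
	(m)->am_failure |= (v)->am_failure; \
} while (0)

/* Clear both sub-masks of 'v' from 'm'. */
#define	SUBMASK(m, v) do { \
	(m)->am_success &= ((m)->am_success ^ (v)->am_success); \
	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
} while (0)

__BEGIN_DECLS

/*
 * Terminal ID variants.  The 32/64 suffix refers to the width of the port
 * field; the "addr" variants carry an address type and a 16-byte address
 * instead of a single 4-byte one.
 */
typedef struct au_tid32 {
	u_int32_t	port;
	u_int32_t	addr;
} au_tid32_t;

typedef struct au_tid64 {
	u_int64_t	port;
	u_int32_t	addr;
} au_tid64_t;

typedef struct au_tidaddr32 {
	u_int32_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr32_t;

typedef struct au_tidaddr64 {
	u_int64_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr64_t;

/*
 * Parsed token bodies.  Each comment gives the on-the-wire layout the parser
 * reads into the structure; pointer members point into the record buffer
 * handed to au_fetch_tok() (NOTE(review): assumed -- confirm that no
 * structure below owns heap memory).
 */

/*
 * argument #              1 byte
 * argument value          4 bytes/8 bytes (32-bit/64-bit value)
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {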
u_char		no;
	u_int32_t	val;
	u_int16_t	len;
	char		*text;
} au_arg32_t;

/* 64-bit variant of au_arg32_t: same layout with an 8-byte value. */
typedef struct {
	u_char		no;
	u_int64_t	val;
	u_int16_t	len;
	char		*text;
} au_arg64_t;

/*
 * how to print            1 byte
 * basic unit              1 byte
 * unit count              1 byte
 * data items              (depends on basic unit)
 */
typedef struct {
	u_char		 howtopr;
	u_char		 bu;
	u_char		 uc;
	u_char		*data;
} au_arb_t;

/*
 * file access mode        4 bytes
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * file system ID          4 bytes
 * node ID                 8 bytes
 * device                  4 bytes/8 bytes (32-bit/64-bit)
 */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int32_t	dev;
} au_attr32_t;

/* 64-bit variant of au_attr32_t: only the device field widens. */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int64_t	dev;
} au_attr64_t;

/*
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * At most AUDIT_MAX_ARGS strings fit in text[]; count is the value read from
 * the record and may therefore exceed the array (NOTE(review): confirm the
 * parser clamps it before indexing).
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ARGS];
} au_execarg_t;

/*
 * count                   4 bytes
 * text                    count null-terminated string(s)
 *
 * Same shape as au_execarg_t, bounded by AUDIT_MAX_ENV.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ENV];
} au_execenv_t;

/*
 * status                  4 bytes
 * return value            4 bytes
 */
typedef struct {
	u_int32_t	status;
	u_int32_t	ret;
} au_exit_t;

/*
 * seconds of time         4 bytes
 * milliseconds of time    4 bytes
 * file name length        2 bytes
 * file pathname           N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int32_t	 s;
	u_int32_t	 ms;
	u_int16_t	 len;
	char		*name;
} au_file_t;


/*
 * number groups           2 bytes
 * group list              N * 4 bytes
 *
 * list[] holds at most AUDIT_MAX_GROUPS entries (AUDIT_MAX_GROUPS comes from
 * <bsm/audit.h>); 'no' is the count read from the record.
 */
typedef struct {
	u_int16_t	no;
	u_int32_t	list[AUDIT_MAX_GROUPS];
} au_groups_t;

/*
 * record byte count       4 bytes
 * version #               1 byte    [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
 * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_t;

/*
 * record byte count       4 bytes
 * version #               1 byte     [2]
 * event type              2 bytes
 * event modifier          2 bytes
 * address type/length     1 byte (XXX: actually, 4 bytes)
 * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time         4 bytes/8 bytes (32/64-bits)
 * nanoseconds of time     4 bytes/8 bytes (32/64-bits)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_ex_t;

/* 64-bit variant of au_header32_t: 8-byte time fields. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_t;

/* 64-bit variant of au_header32_ex_t: 8-byte time fields. */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_ex_t;

/*
 * internet address        4 bytes
 */
typedef struct {
	u_int32_t	addr;
} au_inaddr_t;

/*
 * type                    4 bytes
 * internet address        16 bytes
 */
typedef struct {
	u_int32_t	type;
	u_int32_t	addr[4];
} au_inaddr_ex_t;

/*
 * version and ihl         1 byte
 * type of service         1 byte
 * length                  2 bytes
 * id                      2 bytes
 * offset                  2 bytes
 * ttl                     1 byte
 * protocol                1 byte
 * checksum                2 bytes
 * source address          4 bytes
 * destination address     4 bytes
 */
typedef struct {
	u_char		version;
	u_char		tos;
	u_int16_t	len;
	u_int16_t	id;
	u_int16_t	offset;
	u_char		ttl;
	u_char		prot;
	u_int16_t	chksm;
	u_int32_t	src;
	u_int32_t	dest;
} au_ip_t;

/*
 * object ID type          1 byte
 * object ID               4 bytes
 */
typedef struct {
	u_char		type;
	u_int32_t	id;
} au_ipc_t;

/*
 * owner user ID           4 bytes
 * owner group ID          4 bytes
 * creator user ID         4 bytes
 * creator group ID        4 bytes
 * access mode             4 bytes
 * slot sequence #         4 bytes
 * key                     4 bytes
 */
typedef struct {
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	puid;
	u_int32_t	pgid;
	u_int32_t	mode;
	u_int32_t	seq;
	u_int32_t	key;
} au_ipcperm_t;

/*
 * port IP address         2 bytes
 */
typedef struct {
	u_int16_t	port;
} au_iport_t;

/*
 * length                  2 bytes
 * data                    length bytes
 *
 * data is not NUL-terminated; always bound by 'size'.
 */
typedef struct {
	u_int16_t	 size;
	char		*data;
} au_opaque_t;

/*
 * path length             2 bytes
 * path                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*path;
} au_path_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address       4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_proc32_t;

/* 64-bit variant of au_proc32_t: the terminal ID carries an 8-byte port. */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_proc64_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   type                  4 bytes
 *   machine address       16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_proc32ex_t;

/* 64-bit variant of au_proc32ex_t. */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_proc64ex_t;

/*
 * error status            1 byte
 * return value            4 bytes/8 bytes (32-bit/64-bit value)
 *
 * NOTE(review): the 32- and 64-bit variants name the same two fields
 * differently (status/ret vs. err/val); both names are part of the public
 * API, so callers must pick the right pair for the token width.
 */
typedef struct {
	u_char		status;
	u_int32_t	ret;
} au_ret32_t;

typedef struct {
	u_char		err;
	u_int64_t	val;
} au_ret64_t;

/*
 * sequence number         4 bytes
 */
typedef struct {
	u_int32_t	seqno;
} au_seq_t;

/*
 * socket type             2 bytes
 * local port              2 bytes
 * local Internet address  4 bytes
 * remote port             2 bytes
 * remote Internet address 4 bytes
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_addr;
	u_int16_t	r_port;
	u_int32_t	r_addr;
} au_socket_t;

/*
 * socket type             2 bytes
 * local port              2 bytes
 * address type/length     4 bytes
 * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
 * remote port             4 bytes
 * address type/length     4 bytes
 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * NOTE(review): the layout above does not mention the leading 'domain'
 * field and lists 'atype' as 4 bytes while the member is 2 bytes wide --
 * confirm against the parser before relying on this comment.
 */
typedef struct {
	u_int16_t	domain;
	u_int16_t	type;
	u_int16_t	atype;
	u_int16_t	l_port;
	u_int32_t	l_addr[4];
	u_int32_t	r_port;
	u_int32_t	r_addr[4];
} au_socket_ex32_t;

/*
 * socket family           2 bytes
 * local port              2 bytes
 * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr[4];
} au_socketinet_ex32_t;

/* IPv4-only form of au_socketinet_ex32_t (single 4-byte address). */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr;
} au_socketinet32_t;

/*
 * socket family           2 bytes
 * path                    104 bytes
 */
typedef struct {
	u_int16_t	family;
	char		path[104];	/* Fixed-size; not necessarily NUL-terminated -- bound reads by sizeof path. */
} au_socketunix_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address       4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_subject32_t;

/* 64-bit variant of au_subject32_t: the terminal ID carries an 8-byte port. */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_subject64_t;

/*
 * audit ID                4 bytes
 * effective user ID       4 bytes
 * effective group ID      4 bytes
 * real user ID            4 bytes
 * real group ID           4 bytes
 * process ID              4 bytes
 * session ID              4 bytes
 * terminal ID
 *   port ID               4 bytes/8 bytes (32-bit/64-bit value)
 *   type                  4 bytes
 *   machine address       16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_subject32ex_t;

/* 64-bit variant of au_subject32ex_t. */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_subject64ex_t;

/*
 * text length             2 bytes
 * text                    N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*text;
} au_text_t;

/*
 * upriv status            1 byte
 * privstr len             2 bytes
 * privstr                 N bytes + 1 (\0 byte)
 */
typedef struct {
	u_int8_t	 sorf;
	u_int16_t	 privstrlen;
	char		*priv;
} au_priv_t;

/*
 * privset
 * privtstrlen             2 bytes
 * privtstr                N Bytes + 1
 * privstrlen              2 bytes
 * privstr                 N Bytes + 1
 */
typedef struct {
	u_int16_t	 privtstrlen;
	char		*privtstr;
	u_int16_t	 privstrlen;
	char		*privstr;
} au_privset_t;

/*
 * zonename length         2 bytes
 * zonename text           N bytes + 1 NULL terminator
 */
typedef struct {
	u_int16_t	 len;
	char		*zonename;
} au_zonename_t;

/* kevent token: mirrors the kevent(2) argument fields (no layout comment in the original). */
typedef struct {
	u_int32_t	ident;
	u_int16_t	filter;
	u_int16_t	flags;
	u_int32_t	fflags;
	u_int32_t	data;
} au_kevent_t;

/*
 * Token that could not be parsed: 'data' points at the raw bytes and
 * 'length' bounds them (NOTE(review): assumed from the member names --
 * confirm in au_fetch_tok()).
 */
typedef struct {
	u_int16_t	 length;
	char		*data;
} au_invalid_t;

/*
 * trailer magic number    2 bytes
 * record byte count       4 bytes
 */
typedef struct {
	u_int16_t	magic;
	u_int32_t	count;
} au_trailer_t;

/*
 * A parsed token as filled in by au_fetch_tok().  'id' is the token type
 * byte, 'data'/'len' delimit the token's raw bytes within the record
 * buffer, and exactly one member of the 'tt' union is valid, selected by
 * 'id'.  Reading any other union member is undefined behaviour, so callers
 * must always switch on id first.
 */
struct tokenstr {
	u_char	 id;
	u_char	*data;
	size_t	 len;
	union {
		au_arg32_t		arg32;
		au_arg64_t		arg64;
		au_arb_t		arb;
		au_attr32_t		attr32;
		au_attr64_t		attr64;
		au_execarg_t		execarg;
		au_execenv_t		execenv;
		au_exit_t		exit;
		au_file_t		file;
		au_groups_t		grps;
		au_header32_t		hdr32;
		au_header32_ex_t	hdr32_ex;
		au_header64_t		hdr64;
		au_header64_ex_t	hdr64_ex;
		au_inaddr_t		inaddr;
		au_inaddr_ex_t		inaddr_ex;
		au_ip_t			ip;
		au_ipc_t		ipc;
		au_ipcperm_t		ipcperm;
		au_iport_t		iport;
		au_opaque_t		opaque;
		au_path_t		path;
		au_proc32_t		proc32;
		au_proc32ex_t		proc32_ex;
		au_proc64_t		proc64;
		au_proc64ex_t		proc64_ex;
		au_ret32_t		ret32;
		au_ret64_t		ret64;
		au_seq_t		seq;
		au_socket_t		socket;
		au_socket_ex32_t	socket_ex32;
		au_socketinet_ex32_t	sockinet_ex32;
		au_socketunix_t		sockunix;
		au_subject32_t		subj32;
		au_subject32ex_t	subj32_ex;
		au_subject64_t		subj64;
		au_subject64ex_t	subj64_ex;
		au_text_t		text;
		au_kevent_t		kevent;
		au_invalid_t		invalid;
		au_trailer_t		trail;
		au_zonename_t		zonename;
		au_priv_t		priv;
		au_privset_t		privset;
	} tt; /* The token is one of the above
types */
};

typedef struct tokenstr tokenstr_t;

/*
 * Convenience routine to build and submit a whole record in one call.
 * 'fmt' with the trailing "..." appears to be a printf(3)-style format
 * (confirm in the implementation); pass only a literal format string and
 * hand any externally supplied text through a "%s" argument.
 */
int	audit_submit(short au_event, au_id_t auid,
	    char status, int reterr, const char *fmt, ...);

/*
 * Functions relating to querying audit class information.
 *
 * The non-_r variants return a pointer to static storage and are not
 * reentrant (NOTE(review): inferred from the _r naming convention --
 * confirm); the _r variants fill in the caller-supplied au_class_ent_t.
 */
void			 setauclass(void);
void			 endauclass(void);
struct au_class_ent	*getauclassent(void);
struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
struct au_class_ent	*getauclassnam(const char *name);
struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
			    const char *name);
struct au_class_ent	*getauclassnum(au_class_t class_number);
struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
			    au_class_t class_number);

/*
 * Functions relating to querying audit control information.
 *
 * For the string accessors 'len' is the size of the caller's buffer.
 * NOTE(review): getacdir()/getacflg()/getacna() take an int length while
 * getachost()/getacpol() take size_t; callers should pass sizeof(buf) in
 * either case and never a negative value.
 */
void	 setac(void);
void	 endac(void);
int	 getacdir(char *name, int len);
int	 getacdist(void);
int	 getacexpire(int *andflg, time_t *age, size_t *size);
int	 getacfilesz(size_t *size_val);
int	 getacflg(char *auditstr, int len);
int	 getachost(char *auditstr, size_t len);
int	 getacmin(int *min_val);
int	 getacna(char *auditstr, int len);
int	 getacpol(char *auditstr, size_t len);
int	 getauditflagsbin(char *auditstr, au_mask_t *masks);
int	 getauditflagschar(char *auditstr, au_mask_t *masks,
	    int verbose);
int	 au_preselect(au_event_t event, au_mask_t *mask_p,
	    int sorf, int flag);
ssize_t	 au_poltostr(int policy, size_t maxsize, char *buf);
int	 au_strtopol(const char *polstr, int *policy);

/*
 * Functions relating to querying audit event information.
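*/
void			 setauevent(void);
void			 endauevent(void);
struct au_event_ent	*getauevent(void);
struct au_event_ent	*getauevent_r(struct au_event_ent *e);
struct au_event_ent	*getauevnam(const char *name);
struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
			    const char *name);
struct au_event_ent	*getauevnum(au_event_t event_number);
struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
			    au_event_t event_number);
au_event_t		*getauevnonam(const char *event_name);
au_event_t		*getauevnonam_r(au_event_t *ev,
			    const char *event_name);

/*
 * Functions relating to querying audit user information.
 */
void			 setauuser(void);
void			 endauuser(void);
struct au_user_ent	*getauuserent(void);
struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
struct au_user_ent	*getauusernam(const char *name);
struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
			    const char *name);
int			 au_user_mask(char *username, au_mask_t *mask_p);
int			 getfauditflags(au_mask_t *usremask,
			    au_mask_t *usrdmask, au_mask_t *lastmask);

/*
 * Functions for reading and printing records and tokens from audit trails.
 *
 * au_read_rec() reads one record from 'fp' into *buf and returns its
 * length (NOTE(review): assumed to allocate *buf -- confirm who frees it).
 * au_fetch_tok() parses the next token from 'buf', which holds at most
 * 'len' bytes.  Trail data is untrusted input: every length field inside a
 * token must be checked against 'len' by the implementation, and callers
 * must pass the exact record length rather than the buffer capacity.
 */
int	 au_read_rec(FILE *fp, u_char **buf);
int	 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
//XXX The following interface has different prototype from BSM
void	 au_print_tok(FILE *outfp, tokenstr_t *tok,
	    char *del, char raw, char sfrm);
void	 au_print_flags_tok(FILE *outfp, tokenstr_t *tok,
	    char *del, int oflags);	/* oflags: AU_OFLAG_* bits */
void	 au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
	    char *del, char raw, char sfrm);

/*
 * Functions relating to XML output.
 */
void	 au_print_xml_header(FILE *outfp);
void	 au_print_xml_footer(FILE *outfp);

/*
 * BSM library routines for converting between local and BSM constant spaces.
 * (Note: some of these are replicated in audit_record.h for the benefit of
 * the FreeBSD and Mac OS X kernels)
 *
 * The au_bsm_to_*() routines return non-zero and leave the output untouched
 * when the BSM value has no local equivalent (NOTE(review): inferred from
 * the int return plus out-parameter shape -- confirm in the implementation).
 */
int	 au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
int	 au_bsm_to_errno(u_char bsm_error, int *errorp);
int	 au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
int	 au_bsm_to_socket_type(u_short bsm_socket_type,
	    int *local_socket_typep);
u_short	 au_domain_to_bsm(int local_domain);
u_char	 au_errno_to_bsm(int local_errno);
u_short	 au_fcntl_cmd_to_bsm(int local_fcntl_command);
u_short	 au_socket_type_to_bsm(int local_socket_type);

const char	 *au_strerror(u_char bsm_error);
__END_DECLS

/*
 * The remaining APIs are associated with Apple's BSM implementation, in
 * particular as relates to Mach IPC auditing and triggers passed via Mach
 * IPC.
 */
#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future.  Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
#define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
 */
#ifdef __APPLE_API_PRIVATE
#define	AUDIT_OFF	AUC_NOAUDIT
#define	AUDIT_ON	AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren.  We have 255 (not including kAUNoErr) to play with.
 *
 * Only kAUBadParamErr is given explicitly; the rest count upwards from it,
 * so kAULastErr is kAUBadParamErr + 11.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
enum {
	kAUNoErr			= 0,
	kAUBadParamErr			= -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions.  These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting.  Shame on you.
 *
 * The expansion is parenthesised so that AU_UNIMPL behaves as a single
 * value wherever it is used in a larger expression.
 */
#ifdef __APPLE_API_PRIVATE
#define	AU_UNIMPL	(NOTIFY_STATUS_FAILED + 1)	/* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects.  However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched.  In that case, the caller can deallocate the
 * token_t using au_free_token() if desired.  This is, in fact, what
 * audit_write() does, in keeping with the existing memory management model
 * of the BSM API.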
972 * 973 * @param tok - A token_t * generated by one of the au_to_*() BSM API 974 * calls. For convenience, tok may be NULL, in which case 975 * au_free_token() returns immediately. 976 * 977 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 978 */ 979 void au_free_token(token_t *tok); 980 981 /* 982 * Lightweight check to determine if auditing is enabled. If a client 983 * wants to use this to govern whether an entire series of audit calls 984 * should be made--as in the common case of a caller building a set of 985 * tokens, then writing them--it should cache the audit status in a local 986 * variable. This call always returns the current state of auditing. 987 * 988 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 989 * Otherwise the function can return any of the errno values defined for 990 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 991 * the system. 992 * 993 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 994 */ 995 int au_get_state(void); 996 997 /* 998 * Initialize the audit notification. If it has not already been initialized 999 * it will automatically on the first call of au_get_state(). 1000 */ 1001 uint32_t au_notify_initialize(void); 1002 1003 /* 1004 * Cancel audit notification and free the resources associated with it. 1005 * Responsible code that no longer needs to use au_get_state() should call 1006 * this. 1007 */ 1008 int au_notify_terminate(void); 1009 __END_DECLS 1010 1011 /* OpenSSH compatibility */ 1012 int cannot_audit(int); 1013 1014 __BEGIN_DECLS 1015 /* 1016 * audit_set_terminal_id() 1017 * 1018 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 1019 * used in audit session initialization by processes like /usr/bin/login. 1020 * 1021 * @param tid - A pointer to an au_tid_t struct. 
1022 * 1023 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 1024 * or kAUSysctlErr if one of the underlying system calls fails (a message 1025 * is sent to the system log in those cases). 1026 * 1027 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1028 */ 1029 int audit_set_terminal_id(au_tid_t *tid); 1030 1031 /* 1032 * BEGIN au_write() WRAPPERS 1033 * 1034 * The following calls all wrap the existing BSM API. They use the 1035 * provided subject information, if any, to construct the subject token 1036 * required for every log message. They use the provided return/error 1037 * value(s), if any, to construct the success/failure indication required 1038 * for every log message. They only permit one "miscellaneous" token, 1039 * which should contain the event-specific logging information mandated by 1040 * CAPP. 1041 * 1042 * All these calls assume the caller has previously determined that 1043 * auditing is enabled by calling au_get_state(). 1044 */ 1045 1046 /* 1047 * audit_write() 1048 * 1049 * @summary - audit_write() is the basis for the other audit_write_*() 1050 * calls. Performs a basic write of an audit record (subject, additional 1051 * info, success/failure). Note that this call only permits logging one 1052 * caller-specified token; clients needing to log more flexibly must use 1053 * the existing BSM API (au_open(), et al.) directly. 1054 * 1055 * Note on memory management: audit_write() guarantees that the token_t *s 1056 * passed to it will be deallocated whether or not the underlying write to 1057 * the audit log succeeded. This addresses an inconsistency in the 1058 * underlying BSM API in which token_t *s are usually but not always 1059 * deallocated. 1060 * 1061 * @param event_code - The code for the event being logged. This should 1062 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 
1063 * 1064 * @param subject - A token_t * generated by au_to_subject(), 1065 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 1066 * required, subject should be NULL. 1067 * 1068 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1069 * calls. This should correspond to the additional information required by 1070 * CAPP for the event being audited. If no additional information is 1071 * required, misctok should be NULL. 1072 * 1073 * @param retval - The return value to be logged for this event. This 1074 * should be 0 (zero) for success, otherwise the value is event-specific. 1075 * 1076 * @param errcode - Any error code associated with the return value (e.g., 1077 * errno or h_errno). If there was no error, errcode should be 0 (zero). 1078 * 1079 * @return - The status of the call: 0 (zero) on success, else one of the 1080 * kAU*Err values defined above. 1081 * 1082 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1083 */ 1084 int audit_write(short event_code, token_t *subject, token_t *misctok, 1085 char retval, int errcode); 1086 1087 /* 1088 * audit_write_success() 1089 * 1090 * @summary - audit_write_success() records an auditable event that did not 1091 * encounter an error. The interface is designed to require as little 1092 * direct use of the au_to_*() API as possible. It builds a subject token 1093 * from the information passed in and uses that to invoke audit_write(). 1094 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1095 * 1096 * If the subject information is the same as the current process, use 1097 * au_write_success_self(). 1098 * 1099 * @param event_code - The code for the event being logged. This should 1100 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1101 * 1102 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1103 * calls. 
This should correspond to the additional information required by 1104 * CAPP for the event being audited. If no additional information is 1105 * required, misctok should be NULL. 1106 * 1107 * @param auid - The subject's audit ID. 1108 * 1109 * @param euid - The subject's effective user ID. 1110 * 1111 * @param egid - The subject's effective group ID. 1112 * 1113 * @param ruid - The subject's real user ID. 1114 * 1115 * @param rgid - The subject's real group ID. 1116 * 1117 * @param pid - The subject's process ID. 1118 * 1119 * @param sid - The subject's session ID. 1120 * 1121 * @param tid - The subject's terminal ID. 1122 * 1123 * @return - The status of the call: 0 (zero) on success, else one of the 1124 * kAU*Err values defined above. 1125 * 1126 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1127 */ 1128 int audit_write_success(short event_code, token_t *misctok, au_id_t auid, 1129 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 1130 au_asid_t sid, au_tid_t *tid); 1131 1132 /* 1133 * audit_write_success_self() 1134 * 1135 * @summary - Similar to audit_write_success(), but used when the subject 1136 * (process) is owned and operated by the auditable user him/herself. 1137 * 1138 * @param event_code - The code for the event being logged. This should 1139 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1140 * 1141 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1142 * calls. This should correspond to the additional information required by 1143 * CAPP for the event being audited. If no additional information is 1144 * required, misctok should be NULL. 1145 * 1146 * @return - The status of the call: 0 (zero) on success, else one of the 1147 * kAU*Err values defined above. 1148 * 1149 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
1150 */ 1151 int audit_write_success_self(short event_code, token_t *misctok); 1152 1153 /* 1154 * audit_write_failure() 1155 * 1156 * @summary - audit_write_failure() records an auditable event that 1157 * encountered an error. The interface is designed to require as little 1158 * direct use of the au_to_*() API as possible. It builds a subject token 1159 * from the information passed in and uses that to invoke audit_write(). 1160 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1161 * 1162 * If the subject information is the same as the current process, use 1163 * audit_write_failure_self(). 1164 * 1165 * @param event_code - The code for the event being logged. This should 1166 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1167 * 1168 * @param errmsg - A text message providing additional information about 1169 * the event being audited. 1170 * 1171 * @param errret - A numerical value providing additional information about 1172 * the error. This is intended to store the value of errno or h_errno if 1173 * it's relevant. This can be 0 (zero) if no additional information is 1174 * available. 1175 * 1176 * @param auid - The subject's audit ID. 1177 * 1178 * @param euid - The subject's effective user ID. 1179 * 1180 * @param egid - The subject's effective group ID. 1181 * 1182 * @param ruid - The subject's real user ID. 1183 * 1184 * @param rgid - The subject's real group ID. 1185 * 1186 * @param pid - The subject's process ID. 1187 * 1188 * @param sid - The subject's session ID. 1189 * 1190 * @param tid - The subject's terminal ID. 1191 * 1192 * @return - The status of the call: 0 (zero) on success, else one of the 1193 * kAU*Err values defined above. 1194 * 1195 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1196 */ 1197 int audit_write_failure(short event_code, char *errmsg, int errret, 1198 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1199 pid_t pid, au_asid_t sid, au_tid_t *tid); 1200 1201 /* 1202 * audit_write_failure_self() 1203 * 1204 * @summary - Similar to audit_write_failure(), but used when the subject 1205 * (process) is owned and operated by the auditable user him/herself. 1206 * 1207 * @param event_code - The code for the event being logged. This should 1208 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1209 * 1210 * @param errmsg - A text message providing additional information about 1211 * the event being audited. 1212 * 1213 * @param errret - A numerical value providing additional information about 1214 * the error. This is intended to store the value of errno or h_errno if 1215 * it's relevant. This can be 0 (zero) if no additional information is 1216 * available. 1217 * 1218 * @return - The status of the call: 0 (zero) on success, else one of the 1219 * kAU*Err values defined above. 1220 * 1221 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1222 */ 1223 int audit_write_failure_self(short event_code, char *errmsg, int errret); 1224 1225 /* 1226 * audit_write_failure_na() 1227 * 1228 * @summary - audit_write_failure_na() records errors during login. Such 1229 * errors are implicitly non-attributable (i.e., not ascribable to any user). 1230 * 1231 * @param event_code - The code for the event being logged. This should 1232 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1233 * 1234 * @param errmsg - A text message providing additional information about 1235 * the event being audited. 1236 * 1237 * @param errret - A numerical value providing additional information about 1238 * the error. This is intended to store the value of errno or h_errno if 1239 * it's relevant. This can be 0 (zero) if no additional information is 1240 * available. 
1241 * 1242 * @param euid - The subject's effective user ID. 1243 * 1244 * @param egid - The subject's effective group ID. 1245 * 1246 * @param pid - The subject's process ID. 1247 * 1248 * @param tid - The subject's terminal ID. 1249 * 1250 * @return - The status of the call: 0 (zero) on success, else one of the 1251 * kAU*Err values defined above. 1252 * 1253 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1254 */ 1255 int audit_write_failure_na(short event_code, char *errmsg, int errret, 1256 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1257 1258 /* END au_write() WRAPPERS */ 1259 1260 #ifdef __APPLE__ 1261 /* 1262 * audit_token_to_au32() 1263 * 1264 * @summary - Extract information from an audit_token_t, used to identify 1265 * Mach tasks and senders of Mach messages as subjects to the audit system. 1266 * audit_token_to_au32() is the only method that should be used to parse 1267 * an audit_token_t, since its internal representation may change over 1268 * time. A pointer parameter may be NULL if that information is not 1269 * needed.
1270 * 1271 * @param atoken - the audit token containing the desired information 1272 * 1273 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1274 * sender's audit user ID 1275 * 1276 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1277 * sender's effective user ID 1278 * 1279 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1280 * sender's effective group ID 1281 * 1282 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1283 * sender's real user ID 1284 * 1285 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1286 * sender's real group ID 1287 * 1288 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1289 * sender's process ID 1290 * 1291 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1292 * task or sender's audit session ID 1293 * 1294 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1295 * or sender's terminal ID 1296 * 1297 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1298 */ 1299 void audit_token_to_au32( 1300 audit_token_t atoken, 1301 uid_t *auidp, 1302 uid_t *euidp, 1303 gid_t *egidp, 1304 uid_t *ruidp, 1305 gid_t *rgidp, 1306 pid_t *pidp, 1307 au_asid_t *asidp, 1308 au_tid_t *tidp); 1309 #endif /* __APPLE__ */ 1310 1311 /* 1312 * Wrapper functions to auditon(2).
1313 */ 1314 int audit_get_car(char *path, size_t sz); 1315 int audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1316 int audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1317 int audit_get_cond(int *cond); 1318 int audit_set_cond(int *cond); 1319 int audit_get_cwd(char *path, size_t sz); 1320 int audit_get_fsize(au_fstat_t *fstat, size_t sz); 1321 int audit_set_fsize(au_fstat_t *fstat, size_t sz); 1322 int audit_get_kmask(au_mask_t *kmask, size_t sz); 1323 int audit_set_kmask(au_mask_t *kmask, size_t sz); 1324 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1325 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1326 int audit_set_pmask(auditpinfo_t *api, size_t sz); 1327 int audit_get_pinfo(auditpinfo_t *api, size_t sz); 1328 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1329 int audit_get_policy(int *policy); 1330 int audit_set_policy(int *policy); 1331 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1332 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1333 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1334 int audit_get_stat(au_stat_t *stats, size_t sz); 1335 int audit_set_stat(au_stat_t *stats, size_t sz); 1336 int audit_send_trigger(int *trigger); 1337 1338 __END_DECLS 1339 1340 #endif /* !_LIBBSM_H_ */ 1341