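/*-
 * Copyright (c) 2004-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#45 $
 */

#ifndef _LIBBSM_H_
#define _LIBBSM_H_

/*
 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
 */

#include <sys/types.h>
#include <sys/cdefs.h>

#include <inttypes.h>		/* Required for audit.h. */
#include <time.h>		/* Required for clock_t on Linux. */

#include <bsm/audit.h>
#include <bsm/audit_record.h>

#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>		/* audit_token_t */
#endif

/*
 * Size parsed token vectors for execve(2) arguments and environmental
 * variables.  Note: changing these sizes affects the ABI of the token
 * structure, and as the token structure is often placed in the caller stack,
 * this is undesirable.
 *
 * These bound the text[] arrays of au_execarg_t and au_execenv_t below; a
 * parser filling them must stop at the array size even if the record's
 * count field claims more entries.
 */
#define	AUDIT_MAX_ARGS	128
#define	AUDIT_MAX_ENV	128

/*
 * Arguments to au_preselect(3).
 */
#define	AU_PRS_USECACHE	0
#define	AU_PRS_REREAD	1

/*
 * Success/failure selector bits, used as the "sel" argument of the
 * ADD_TO_MASK()/SUB_FROM_MASK() macros below and as the "sorf" argument of
 * au_preselect(3).
 */
#define	AU_PRS_SUCCESS	1
#define	AU_PRS_FAILURE	2
#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)

/*
 * Configuration files read by the set*/get*/end* routines declared later in
 * this header.
 */
#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
#define	AUDIT_USER_FILE		"/etc/security/audit_user"

/*
 * Keywords recognised in AUDIT_CONTROL_FILE.
 */
#define	DIR_CONTROL_ENTRY		"dir"
#define	MINFREE_CONTROL_ENTRY		"minfree"
#define	FILESZ_CONTROL_ENTRY		"filesz"
#define	FLAGS_CONTROL_ENTRY		"flags"
#define	NA_CONTROL_ENTRY		"naflags"
#define	POLICY_CONTROL_ENTRY		"policy"
#define	AUDIT_HOST_CONTROL_ENTRY	"host"
#define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"

/*
 * Field and line length limits for the configuration files above.
 */
#define	AU_CLASS_NAME_MAX	8
#define	AU_CLASS_DESC_MAX	72
#define	AU_EVENT_NAME_MAX	30
#define	AU_EVENT_DESC_MAX	50
#define	AU_USER_NAME_MAX	50
#define	AU_LINE_MAX		256
#define	MAX_AUDITSTRING_LEN	256
#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN /* OpenSSH compatibility */

/*
 * Arguments to au_close(3).
 */
#define	AU_TO_NO_WRITE		0	/* Abandon audit record. */
#define	AU_TO_WRITE		1	/* Commit audit record. */

__BEGIN_DECLS
/*
 * One entry of AUDIT_EVENT_FILE: event number, name, description and the
 * class mask the event belongs to.
 */
struct au_event_ent {
	au_event_t	 ae_number;
	char		*ae_name;
	char		*ae_desc;
	au_class_t	 ae_class;
};
typedef struct au_event_ent au_event_ent_t;

/*
 * One entry of AUDIT_CLASS_FILE: class name, class bit(s) and description.
 */
struct au_class_ent {
	char		*ac_name;
	au_class_t	 ac_class;
	char		*ac_desc;
};
typedef struct au_class_ent au_class_ent_t;

/*
 * One entry of AUDIT_USER_FILE: user name plus the per-user "always audit"
 * and "never audit" masks.
 */
struct au_user_ent {
	char		*au_name;
	au_mask_t	 au_always;
	au_mask_t	 au_never;
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Add the class bits in c to m's success and/or failure mask, as selected
 * by sel (AU_PRS_SUCCESS, AU_PRS_FAILURE or AU_PRS_BOTH).  Every macro
 * argument is parenthesised so that expression arguments (for example
 * "a | b" or "x ? AU_PRS_SUCCESS : AU_PRS_FAILURE") bind as the caller
 * intends rather than being split by the surrounding operators.
 */
#define	ADD_TO_MASK(m, c, sel) do { \
	if ((sel) & AU_PRS_SUCCESS) \
		(m)->am_success |= (c); \
	if ((sel) & AU_PRS_FAILURE) \
		(m)->am_failure |= (c); \
} while (0)

/*
 * Clear the class bits in c from m's success and/or failure mask.
 * "x &= (x ^ c)" yields the same value as "x &= ~c": bits of c that are set
 * in x are cleared, and all other bits of x are kept.
 */
#define	SUB_FROM_MASK(m, c, sel) do { \
	if ((sel) & AU_PRS_SUCCESS) \
		(m)->am_success &= ((m)->am_success ^ (c)); \
	if ((sel) & AU_PRS_FAILURE) \
		(m)->am_failure &= ((m)->am_failure ^ (c)); \
} while (0)

/*
 * Merge every bit of mask v into mask m.
 */
#define	ADDMASK(m, v) do { \
	(m)->am_success |= (v)->am_success; \
	(m)->am_failure |= (v)->am_failure; \
} while (0)

/*
 * Remove every bit of mask v from mask m (same identity as SUB_FROM_MASK).
 */
#define	SUBMASK(m, v) do { \
	(m)->am_success &= ((m)->am_success ^ (v)->am_success); \
	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
} while (0)

__BEGIN_DECLS

/*
 * Terminal IDs as carried in the subject/process tokens below.  The
 * "32"/"64" suffix refers to the width of the port field; the "addr"
 * variants additionally carry an address type and room for an IPv6 address.
 */
typedef struct au_tid32 {
	u_int32_t	port;
	u_int32_t	addr;
} au_tid32_t;

typedef struct au_tid64 {
	u_int64_t	port;
	u_int32_t	addr;
} au_tid64_t;

typedef struct au_tidaddr32 {
	u_int32_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr32_t;

typedef struct au_tidaddr64 {
	u_int64_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr64_t;

/*
 * The structures that follow are the decoded forms of the BSM tokens and
 * are stored in the "tt" union of struct tokenstr.  The comment above each
 * one gives the on-the-wire layout of the token.  Pointer members (text,
 * data, path, name, zonename) are filled in by the parser from the record
 * being read; the accompanying len/size member is the only length
 * information available for them, so consumers should bound by it rather
 * than assume NUL termination of the underlying record bytes.
 */

/*
 * argument #                  1 byte
 * argument value              4 bytes/8 bytes (32-bit/64-bit value)
 * text length                 2 bytes
 * text                        N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_char		 no;
	u_int32_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg32_t;

typedef struct {
	u_char		 no;
	u_int64_t	 val;
	u_int16_t	 len;
	char		*text;
} au_arg64_t;

/*
 * how to print                1 byte
 * basic unit                  1 byte
 * unit count                  1 byte
 * data items                  (depends on basic unit)
 */
typedef struct {
	u_char	 howtopr;
	u_char	 bu;
	u_char	 uc;
	u_char	*data;
} au_arb_t;

/*
 * file access mode            4 bytes
 * owner user ID               4 bytes
 * owner group ID              4 bytes
 * file system ID              4 bytes
 * node ID                     8 bytes
 * device                      4 bytes/8 bytes (32-bit/64-bit)
 */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int32_t	dev;
} au_attr32_t;

typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int64_t	dev;
} au_attr64_t;

/*
 * count                       4 bytes
 * text                        count null-terminated string(s)
 *
 * count is read from the record; at most AUDIT_MAX_ARGS entries fit in text.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ARGS];
} au_execarg_t;

/*
 * count                       4 bytes
 * text                        count null-terminated string(s)
 *
 * count is read from the record; at most AUDIT_MAX_ENV entries fit in text.
 */
typedef struct {
	u_int32_t	 count;
	char		*text[AUDIT_MAX_ENV];
} au_execenv_t;

/*
 * status                      4 bytes
 * return value                4 bytes
 */
typedef struct {
	u_int32_t	status;
	u_int32_t	ret;
} au_exit_t;

/*
 * seconds of time             4 bytes
 * milliseconds of time        4 bytes
 * file name length            2 bytes
 * file pathname               N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int32_t	 s;
	u_int32_t	 ms;
	u_int16_t	 len;
	char		*name;
} au_file_t;

/*
 * number groups               2 bytes
 * group list                  N * 4 bytes
 *
 * "no" is read from the record; list holds at most AUDIT_MAX_GROUPS entries.
 */
typedef struct {
	u_int16_t	no;
	u_int32_t	list[AUDIT_MAX_GROUPS];
} au_groups_t;

/*
 * record byte count           4 bytes
 * version #                   1 byte    [2]
 * event type                  2 bytes
 * event modifier              2 bytes
 * seconds of time             4 bytes/8 bytes (32-bit/64-bit value)
 * milliseconds of time        4 bytes/8 bytes (32-bit/64-bit value)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_t;

/*
 * record byte count           4 bytes
 * version #                   1 byte    [2]
 * event type                  2 bytes
 * event modifier              2 bytes
 * address type/length         1 byte (XXX: actually, 4 bytes)
 * machine address             4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time             4 bytes/8 bytes (32/64-bits)
 * nanoseconds of time         4 bytes/8 bytes (32/64-bits)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_ex_t;

typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_t;

typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_ex_t;

/*
 * internet address            4 bytes
 */
typedef struct {
	u_int32_t	addr;
} au_inaddr_t;

/*
 * type                        4 bytes
 * internet address            16 bytes
 */
typedef struct {
	u_int32_t	type;
	u_int32_t	addr[4];
} au_inaddr_ex_t;

/*
 * version and ihl             1 byte
 * type of service             1 byte
 * length                      2 bytes
 * id                          2 bytes
 * offset                      2 bytes
 * ttl                         1 byte
 * protocol                    1 byte
 * checksum                    2 bytes
 * source address              4 bytes
 * destination address         4 bytes
 */
typedef struct {
	u_char		version;
	u_char		tos;
	u_int16_t	len;
	u_int16_t	id;
	u_int16_t	offset;
	u_char		ttl;
	u_char		prot;
	u_int16_t	chksm;
	u_int32_t	src;
	u_int32_t	dest;
} au_ip_t;

/*
 * object ID type              1 byte
 * object ID                   4 bytes
 */
typedef struct {
	u_char		type;
	u_int32_t	id;
} au_ipc_t;

/*
 * owner user ID               4 bytes
 * owner group ID              4 bytes
 * creator user ID             4 bytes
 * creator group ID            4 bytes
 * access mode                 4 bytes
 * slot sequence #             4 bytes
 * key                         4 bytes
 */
typedef struct {
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	puid;
	u_int32_t	pgid;
	u_int32_t	mode;
	u_int32_t	seq;
	u_int32_t	key;
} au_ipcperm_t;

/*
 * port IP address             2 bytes
 */
typedef struct {
	u_int16_t	port;
} au_iport_t;

/*
 * length                      2 bytes
 * data                        length bytes
 *
 * data is arbitrary binary; it is not NUL terminated.
 */
typedef struct {
	u_int16_t	 size;
	char		*data;
} au_opaque_t;

/*
 * path length                 2 bytes
 * path                        N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*path;
} au_path_t;

/*
 * audit ID                    4 bytes
 * effective user ID           4 bytes
 * effective group ID          4 bytes
 * real user ID                4 bytes
 * real group ID               4 bytes
 * process ID                  4 bytes
 * session ID                  4 bytes
 * terminal ID
 *   port ID                   4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address           4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_proc32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_proc64_t;

/*
 * audit ID                    4 bytes
 * effective user ID           4 bytes
 * effective group ID          4 bytes
 * real user ID                4 bytes
 * real group ID               4 bytes
 * process ID                  4 bytes
 * session ID                  4 bytes
 * terminal ID
 *   port ID                   4 bytes/8 bytes (32-bit/64-bit value)
 *   type                      4 bytes
 *   machine address           16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_proc32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_proc64ex_t;

/*
 * error status                1 byte
 * return value                4 bytes/8 bytes (32-bit/64-bit value)
 *
 * NOTE: the 32-bit and 64-bit variants name the same two fields differently
 * (status/ret vs. err/val).  Both names are part of the ABI, so neither can
 * be renamed; callers must pick the member names matching the token width.
 */
typedef struct {
	u_char		status;
	u_int32_t	ret;
} au_ret32_t;

typedef struct {
	u_char		err;
	u_int64_t	val;
} au_ret64_t;

/*
 * sequence number             4 bytes
 */
typedef struct {
	u_int32_t	seqno;
} au_seq_t;

/*
 * socket type                 2 bytes
 * local port                  2 bytes
 * local Internet address      4 bytes
 * remote port                 2 bytes
 * remote Internet address     4 bytes
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_addr;
	u_int16_t	r_port;
	u_int32_t	r_addr;
} au_socket_t;

/*
 * socket type                 2 bytes
 * local port                  2 bytes
 * address type/length         4 bytes
 * local Internet address      4 bytes/16 bytes (IPv4/IPv6 address)
 * remote port                 4 bytes
 * address type/length         4 bytes
 * remote Internet address     4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * NOTE(review): the layout table above does not match the member list
 * (domain/type/atype are each u_int16_t, r_port is u_int32_t, and there is
 * a single atype for both addresses) -- confirm the actual wire format
 * against the token parser before relying on either.
 */
typedef struct {
	u_int16_t	domain;
	u_int16_t	type;
	u_int16_t	atype;
	u_int16_t	l_port;
	u_int32_t	l_addr[4];
	u_int32_t	r_port;
	u_int32_t	r_addr[4];
} au_socket_ex32_t;

/*
 * socket family               2 bytes
 * local port                  2 bytes
 * socket address              4 bytes/16 bytes (IPv4/IPv6 address)
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr[4];
} au_socketinet_ex32_t;

/*
 * IPv4-only form of the above (4-byte address).  Note that this type is
 * not a member of the tokenstr "tt" union.
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr;
} au_socketinet32_t;

/*
 * socket family               2 bytes
 * path                        104 bytes
 *
 * path is a fixed-size array, not a pointer; a parser must bound its copy
 * by sizeof(path) and must not assume the record supplies a NUL terminator.
 */
typedef struct {
	u_int16_t	family;
	char		path[104];
} au_socketunix_t;

/*
 * audit ID                    4 bytes
 * effective user ID           4 bytes
 * effective group ID          4 bytes
 * real user ID                4 bytes
 * real group ID               4 bytes
 * process ID                  4 bytes
 * session ID                  4 bytes
 * terminal ID
 *   port ID                   4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address           4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_subject32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_subject64_t;

/*
 * audit ID                    4 bytes
 * effective user ID           4 bytes
 * effective group ID          4 bytes
 * real user ID                4 bytes
 * real group ID               4 bytes
 * process ID                  4 bytes
 * session ID                  4 bytes
 * terminal ID
 *   port ID                   4 bytes/8 bytes (32-bit/64-bit value)
 *   type                      4 bytes
 *   machine address           16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_subject32ex_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr64_t	tid;
} au_subject64ex_t;

/*
 * text length                 2 bytes
 * text                        N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	 len;
	char		*text;
} au_text_t;

/*
 * zonename length             2 bytes
 * zonename text               N bytes + 1 NULL terminator
 */
typedef struct {
	u_int16_t	 len;
	char		*zonename;
} au_zonename_t;

/*
 * ident                       4 bytes
 * filter                      2 bytes
 * flags                       2 bytes
 * fflags                      4 bytes
 * data                        4 bytes
 */
typedef struct {
	u_int32_t	ident;
	u_int16_t	filter;
	u_int16_t	flags;
	u_int32_t	fflags;
	u_int32_t	data;
} au_kevent_t;

/*
 * length                      2 bytes
 * data                        length bytes
 *
 * Used for a token the parser could not decode; data is raw and untrusted.
 */
typedef struct {
	u_int16_t	 length;
	char		*data;
} au_invalid_t;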
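/*
 * trailer magic number        2 bytes
 * record byte count           4 bytes
 */
typedef struct {
	u_int16_t	magic;
	u_int32_t	count;
} au_trailer_t;

/*
 * A single parsed token.
 *
 * id       token type byte as found in the record.
 * data/len presumably the raw bytes of this token inside the buffer given to
 *          au_fetch_tok() -- confirm against the implementation before
 *          relying on their exact meaning.
 * tt       the decoded fields, in the union member matching id.
 *
 * The lengths and pointer members inside tt are derived from the trail
 * being parsed and should be treated as untrusted by anything that prints
 * or copies them; use the matching len/size member as the bound.  This
 * structure is often placed on the caller's stack, so its size is part of
 * the ABI (see the note on AUDIT_MAX_ARGS/AUDIT_MAX_ENV).
 */
struct tokenstr {
	u_char	 id;
	u_char	*data;
	size_t	 len;
	union {
		au_arg32_t		arg32;
		au_arg64_t		arg64;
		au_arb_t		arb;
		au_attr32_t		attr32;
		au_attr64_t		attr64;
		au_execarg_t		execarg;
		au_execenv_t		execenv;
		au_exit_t		exit;
		au_file_t		file;
		au_groups_t		grps;
		au_header32_t		hdr32;
		au_header32_ex_t	hdr32_ex;
		au_header64_t		hdr64;
		au_header64_ex_t	hdr64_ex;
		au_inaddr_t		inaddr;
		au_inaddr_ex_t		inaddr_ex;
		au_ip_t			ip;
		au_ipc_t		ipc;
		au_ipcperm_t		ipcperm;
		au_iport_t		iport;
		au_opaque_t		opaque;
		au_path_t		path;
		au_proc32_t		proc32;
		au_proc32ex_t		proc32_ex;
		au_proc64_t		proc64;
		au_proc64ex_t		proc64_ex;
		au_ret32_t		ret32;
		au_ret64_t		ret64;
		au_seq_t		seq;
		au_socket_t		socket;
		au_socket_ex32_t	socket_ex32;
		au_socketinet_ex32_t	sockinet_ex32;
		au_socketunix_t		sockunix;
		au_subject32_t		subj32;
		au_subject32ex_t	subj32_ex;
		au_subject64_t		subj64;
		au_subject64ex_t	subj64_ex;
		au_text_t		text;
		au_kevent_t		kevent;
		au_invalid_t		invalid;
		au_trailer_t		trail;
		au_zonename_t		zonename;
	} tt; /* The token is one of the above types */
};

typedef struct tokenstr tokenstr_t;

/*
 * Submit a complete audit record for event au_event on behalf of auid,
 * with the given status/reterr and a printf(3)-style text token built from
 * fmt.  fmt is a format string: pass a literal and put any caller- or
 * user-supplied text in the arguments ("%s"), never in fmt itself.
 */
int	audit_submit(short au_event, au_id_t auid,
	    char status, int reterr, const char *fmt, ...);

/*
 * Functions relating to querying audit class information.
 *
 * The non-_r variants return pointers to library-internal storage and are
 * not reentrant; the _r variants fill in the caller-supplied class_int.
 */
void			 setauclass(void);
void			 endauclass(void);
struct au_class_ent	*getauclassent(void);
struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
struct au_class_ent	*getauclassnam(const char *name);
struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
			    const char *name);
struct au_class_ent	*getauclassnum(au_class_t class_number);
struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
			    au_class_t class_number);

/*
 * Functions relating to querying audit control information.
 *
 * The getac*() routines that take a string buffer copy the value into the
 * buffer and take its size as the second argument.  Note that the size is
 * an int for getacdir/getacflg/getacna but a size_t for getacpol/getachost;
 * the types are part of the ABI and are kept as they are.
 */
void	 setac(void);
void	 endac(void);
int	 getacdir(char *name, int len);
int	 getacmin(int *min_val);
int	 getacfilesz(size_t *size_val);
int	 getacflg(char *auditstr, int len);
int	 getacna(char *auditstr, int len);
int	 getacpol(char *auditstr, size_t len);
int	 getachost(char *auditstr, size_t len);
int	 getacexpire(int *andflg, time_t *age, size_t *size);
int	 getauditflagsbin(char *auditstr, au_mask_t *masks);
int	 getauditflagschar(char *auditstr, au_mask_t *masks,
	    int verbose);
/*
 * sorf is an AU_PRS_SUCCESS/AU_PRS_FAILURE selector and flag is
 * AU_PRS_USECACHE or AU_PRS_REREAD (see the defines near the top).
 */
int	 au_preselect(au_event_t event, au_mask_t *mask_p,
	    int sorf, int flag);
ssize_t	 au_poltostr(int policy, size_t maxsize, char *buf);
int	 au_strtopol(const char *polstr, int *policy);

/*
 * Functions relating to querying audit event information.
 *
 * As for the class routines, only the _r variants are reentrant.
 */
void			 setauevent(void);
void			 endauevent(void);
struct au_event_ent	*getauevent(void);
struct au_event_ent	*getauevent_r(struct au_event_ent *e);
struct au_event_ent	*getauevnam(const char *name);
struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
			    const char *name);
struct au_event_ent	*getauevnum(au_event_t event_number);
struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
			    au_event_t event_number);
au_event_t		*getauevnonam(const char *event_name);
au_event_t		*getauevnonam_r(au_event_t *ev,
			    const char *event_name);

/*
 * Functions relating to querying audit user information.
 */
void			 setauuser(void);
void			 endauuser(void);
struct au_user_ent	*getauuserent(void);
struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
struct au_user_ent	*getauusernam(const char *name);
struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
			    const char *name);
int			 au_user_mask(char *username, au_mask_t *mask_p);
int			 getfauditflags(au_mask_t *usremask,
			    au_mask_t *usrdmask, au_mask_t *lastmask);

/*
 * Functions for reading and printing records and tokens from audit trails.
 *
 * au_read_rec() reads the next record from fp into *buf; the return value
 * and the ownership of *buf are not stated here -- presumably the record
 * length (or -1 on error) and a buffer the caller must free, but confirm
 * against the implementation.  au_fetch_tok() decodes one token from the
 * first len bytes of buf into *tok; len is the hard bound for the parser,
 * since the length fields inside the record are themselves untrusted.
 */
int	 au_read_rec(FILE *fp, u_char **buf);
int	 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
//XXX The following interface has different prototype from BSM
void	 au_print_tok(FILE *outfp, tokenstr_t *tok,
	    char *del, char raw, char sfrm);
void	 au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
	    char *del, char raw, char sfrm);

/*
 * Functions relating to XML output.
 */
void	 au_print_xml_header(FILE *outfp);
void	 au_print_xml_footer(FILE *outfp);

/*
 * BSM library routines for converting between local and BSM constant spaces.
 * (Note: some of these are replicated in audit_record.h for the benefit of
 * the FreeBSD and Mac OS X kernels)
 *
 * The au_bsm_to_*() direction returns an int status and stores the local
 * value through the pointer argument; the *_to_bsm() direction returns the
 * BSM value directly.
 */
int	 au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
int	 au_bsm_to_errno(u_char bsm_error, int *errorp);
int	 au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
int	 au_bsm_to_socket_type(u_short bsm_socket_type,
	    int *local_socket_typep);
u_short	 au_domain_to_bsm(int local_domain);
u_char	 au_errno_to_bsm(int local_errno);
u_short	 au_fcntl_cmd_to_bsm(int local_fcntl_command);
u_short	 au_socket_type_to_bsm(int local_socket_type);

const char	 *au_strerror(u_char bsm_error);
__END_DECLS

/*
 * The remaining APIs are associated with Apple's BSM implementation, in
 * particular as relates to Mach IPC auditing and triggers passed via Mach
 * IPC.
 */
#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future.  Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
#define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
 */
#ifdef __APPLE_API_PRIVATE
#define	AUDIT_OFF	AUC_NOAUDIT
#define	AUDIT_ON	AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren.  We have 255 (not including kAUNoErr) to play with.
 *
 * Members after kAUBadParamErr take consecutive values (kAUStatErr is
 * -66048 ... kAULastErr is -66038), so inserting or reordering entries
 * changes the numeric codes callers see; append new ones before kAULastErr
 * only if that is acceptable.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
enum {
	kAUNoErr			= 0,
	kAUBadParamErr			= -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions.  These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting.  Shame on you.
 */
#ifdef __APPLE_API_PRIVATE
/* Parenthesised so the macro is safe inside larger expressions. */
#define	AU_UNIMPL	(NOTIFY_STATUS_FAILED + 1)	/* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX  This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects.  However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched.  In that case, the caller can deallocate the
 * token_t using au_free_token() if desired.  This is, in fact, what
 * audit_write() does, in keeping with the existing memory management model
 * of the BSM API.
 *
 * @param tok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  For convenience, tok may be NULL, in which case
 * au_free_token() returns immediately.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void	 au_free_token(token_t *tok);

/*
 * Lightweight check to determine if auditing is enabled.  If a client
 * wants to use this to govern whether an entire series of audit calls
 * should be made--as in the common case of a caller building a set of
 * tokens, then writing them--it should cache the audit status in a local
 * variable.  This call always returns the current state of auditing.
 *
 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
 * Otherwise the function can return any of the errno values defined for
 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
 * the system.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 au_get_state(void);

/*
 * Initialize the audit notification.  If it has not already been initialized
 * it will automatically on the first call of au_get_state().
 */
uint32_t	 au_notify_initialize(void);

/*
 * Cancel audit notification and free the resources associated with it.
 * Responsible code that no longer needs to use au_get_state() should call
 * this.
 */
int	 au_notify_terminate(void);
__END_DECLS

/* OpenSSH compatibility */
int	 cannot_audit(int);

__BEGIN_DECLS
/*
 * audit_set_terminal_id()
 *
 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
 * used in audit session initialization by processes like /usr/bin/login.
 *
 * @param tid - A pointer to an au_tid_t struct.
 *
 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
 * or kAUSysctlErr if one of the underlying system calls fails (a message
 * is sent to the system log in those cases).
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_set_terminal_id(au_tid_t *tid);

/*
 * BEGIN au_write() WRAPPERS
 *
 * The following calls all wrap the existing BSM API.  They use the
 * provided subject information, if any, to construct the subject token
 * required for every log message.  They use the provided return/error
 * value(s), if any, to construct the success/failure indication required
 * for every log message.  They only permit one "miscellaneous" token,
 * which should contain the event-specific logging information mandated by
 * CAPP.
 *
 * All these calls assume the caller has previously determined that
 * auditing is enabled by calling au_get_state().
 */

/*
 * audit_write()
 *
 * @summary - audit_write() is the basis for the other audit_write_*()
 * calls.  Performs a basic write of an audit record (subject, additional
 * info, success/failure).  Note that this call only permits logging one
 * caller-specified token; clients needing to log more flexibly must use
 * the existing BSM API (au_open(), et al.) directly.
 *
 * Note on memory management: audit_write() guarantees that the token_t *s
 * passed to it will be deallocated whether or not the underlying write to
 * the audit log succeeded.  This addresses an inconsistency in the
 * underlying BSM API in which token_t *s are usually but not always
 * deallocated.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param subject - A token_t * generated by au_to_subject(),
 * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
 * required, subject should be NULL.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @param retval - The return value to be logged for this event.  This
 * should be 0 (zero) for success, otherwise the value is event-specific.
 *
 * @param errcode - Any error code associated with the return value (e.g.,
 * errno or h_errno).  If there was no error, errcode should be 0 (zero).
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_write(short event_code, token_t *subject, token_t *misctok,
	    char retval, int errcode);

/*
 * audit_write_success()
 *
 * @summary - audit_write_success() records an auditable event that did not
 * encounter an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * au_write_success_self().
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_write_success(short event_code, token_t *misctok, au_id_t auid,
	    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
	    au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_success_self()
 *
 * @summary - Similar to audit_write_success(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_write_success_self(short event_code, token_t *misctok);

/*
 * audit_write_failure()
 *
 * @summary - audit_write_failure() records an auditable event that
 * encountered an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * au_write_failure_self().
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.  It is logged as text, not interpreted as a
 * format string, so user-supplied content may be passed here.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_write_failure(short event_code, char *errmsg, int errret,
	    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
	    pid_t pid, au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_failure_self()
 *
 * @summary - Similar to audit_write_failure(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_write_failure_self(short event_code, char *errmsg, int errret);

/*
 * audit_write_failure_na()
 *
 * @summary - audit_write_failure_na() records errors during login.  Such
 * errors are implicitly non-attributable (i.e., not ascribable to any user).
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int	 audit_write_failure_na(short event_code, char *errmsg, int errret,
	    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);

/* END au_write() WRAPPERS */

#ifdef __APPLE__
/*
 * audit_token_to_au32()
 *
 * @summary - Extract information from an audit_token_t, used to identify
 * Mach tasks and senders of Mach messages as subjects to the audit system.
 * audit_tokent_to_au32() is the only method that should be used to parse
 * an audit_token_t, since its internal representation may change over
 * time.  A pointer parameter may be NULL if that information is not
 * needed.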
1232 * 1233 * @param atoken - the audit token containing the desired information 1234 * 1235 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1236 * sender's audit user ID 1237 * 1238 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1239 * sender's effective user ID 1240 * 1241 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1242 * sender's effective group ID 1243 * 1244 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1245 * sender's real user ID 1246 * 1247 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1248 * sender's real group ID 1249 * 1250 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1251 * sender's process ID 1252 * 1253 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1254 * task or sender's audit session ID 1255 * 1256 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1257 * or sender's terminal ID 1258 * 1259 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1260 */ 1261 void audit_token_to_au32( 1262 audit_token_t atoken, 1263 uid_t *auidp, 1264 uid_t *euidp, 1265 gid_t *egidp, 1266 uid_t *ruidp, 1267 gid_t *rgidp, 1268 pid_t *pidp, 1269 au_asid_t *asidp, 1270 au_tid_t *tidp); 1271 #endif /* !__APPLE__ */ 1272 1273 /* 1274 * Wrapper functions to auditon(2). 
1275 */ 1276 int audit_get_car(char *path, size_t sz); 1277 int audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1278 int audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1279 int audit_get_cond(int *cond); 1280 int audit_set_cond(int *cond); 1281 int audit_get_cwd(char *path, size_t sz); 1282 int audit_get_fsize(au_fstat_t *fstat, size_t sz); 1283 int audit_set_fsize(au_fstat_t *fstat, size_t sz); 1284 int audit_get_kmask(au_mask_t *kmask, size_t sz); 1285 int audit_set_kmask(au_mask_t *kmask, size_t sz); 1286 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1287 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1288 int audit_set_pmask(auditpinfo_t *api, size_t sz); 1289 int audit_get_pinfo(auditpinfo_t *api, size_t sz); 1290 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1291 int audit_get_policy(int *policy); 1292 int audit_set_policy(int *policy); 1293 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1294 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1295 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1296 int audit_get_stat(au_stat_t *stats, size_t sz); 1297 int audit_set_stat(au_stat_t *stats, size_t sz); 1298 int audit_send_trigger(int *trigger); 1299 1300 __END_DECLS 1301 1302 #endif /* !_LIBBSM_H_ */ 1303