1 /*- 2 * Copyright (c) 2004-2008 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#41 $ 30 */ 31 32 #ifndef _LIBBSM_H_ 33 #define _LIBBSM_H_ 34 35 /* 36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 38 */ 39 40 #include <sys/types.h> 41 #include <sys/cdefs.h> 42 43 #include <inttypes.h> /* Required for audit.h. 
*/ 44 #include <time.h> /* Required for clock_t on Linux. */ 45 46 #include <bsm/audit.h> 47 #include <bsm/audit_record.h> 48 49 #include <stdio.h> 50 51 #ifdef __APPLE__ 52 #include <mach/mach.h> /* audit_token_t */ 53 #endif 54 55 /* 56 * Size parsed token vectors for execve(2) arguments and environmental 57 * variables. Note: changing these sizes affects the ABI of the token 58 * structure, and as the token structure is often placed in the caller stack, 59 * this is undesirable. 60 */ 61 #define AUDIT_MAX_ARGS 128 62 #define AUDIT_MAX_ENV 128 63 64 /* 65 * Arguments to au_preselect(3). 66 */ 67 #define AU_PRS_USECACHE 0 68 #define AU_PRS_REREAD 1 69 70 #define AU_PRS_SUCCESS 1 71 #define AU_PRS_FAILURE 2 72 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 73 74 #define AUDIT_EVENT_FILE "/etc/security/audit_event" 75 #define AUDIT_CLASS_FILE "/etc/security/audit_class" 76 #define AUDIT_CONTROL_FILE "/etc/security/audit_control" 77 #define AUDIT_USER_FILE "/etc/security/audit_user" 78 79 #define DIR_CONTROL_ENTRY "dir" 80 #define MINFREE_CONTROL_ENTRY "minfree" 81 #define FILESZ_CONTROL_ENTRY "filesz" 82 #define FLAGS_CONTROL_ENTRY "flags" 83 #define NA_CONTROL_ENTRY "naflags" 84 #define POLICY_CONTROL_ENTRY "policy" 85 #define AUDIT_HOST_CONTROL_ENTRY "host" 86 87 #define AU_CLASS_NAME_MAX 8 88 #define AU_CLASS_DESC_MAX 72 89 #define AU_EVENT_NAME_MAX 30 90 #define AU_EVENT_DESC_MAX 50 91 #define AU_USER_NAME_MAX 50 92 #define AU_LINE_MAX 256 93 #define MAX_AUDITSTRING_LEN 256 94 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ 95 96 /* 97 * Arguments to au_close(3). 98 */ 99 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */ 100 #define AU_TO_WRITE 1 /* Commit audit record. 
*/ 101 102 __BEGIN_DECLS 103 struct au_event_ent { 104 au_event_t ae_number; 105 char *ae_name; 106 char *ae_desc; 107 au_class_t ae_class; 108 }; 109 typedef struct au_event_ent au_event_ent_t; 110 111 struct au_class_ent { 112 char *ac_name; 113 au_class_t ac_class; 114 char *ac_desc; 115 }; 116 typedef struct au_class_ent au_class_ent_t; 117 118 struct au_user_ent { 119 char *au_name; 120 au_mask_t au_always; 121 au_mask_t au_never; 122 }; 123 typedef struct au_user_ent au_user_ent_t; 124 __END_DECLS 125 126 #define ADD_TO_MASK(m, c, sel) do { \ 127 if (sel & AU_PRS_SUCCESS) \ 128 (m)->am_success |= c; \ 129 if (sel & AU_PRS_FAILURE) \ 130 (m)->am_failure |= c; \ 131 } while (0) 132 133 #define SUB_FROM_MASK(m, c, sel) do { \ 134 if (sel & AU_PRS_SUCCESS) \ 135 (m)->am_success &= ((m)->am_success ^ c); \ 136 if (sel & AU_PRS_FAILURE) \ 137 (m)->am_failure &= ((m)->am_failure ^ c); \ 138 } while (0) 139 140 #define ADDMASK(m, v) do { \ 141 (m)->am_success |= (v)->am_success; \ 142 (m)->am_failure |= (v)->am_failure; \ 143 } while(0) 144 145 #define SUBMASK(m, v) do { \ 146 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ 147 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ 148 } while(0) 149 150 __BEGIN_DECLS 151 152 typedef struct au_tid32 { 153 u_int32_t port; 154 u_int32_t addr; 155 } au_tid32_t; 156 157 typedef struct au_tid64 { 158 u_int64_t port; 159 u_int32_t addr; 160 } au_tid64_t; 161 162 typedef struct au_tidaddr32 { 163 u_int32_t port; 164 u_int32_t type; 165 u_int32_t addr[4]; 166 } au_tidaddr32_t; 167 168 typedef struct au_tidaddr64 { 169 u_int64_t port; 170 u_int32_t type; 171 u_int32_t addr[4]; 172 } au_tidaddr64_t; 173 174 /* 175 * argument # 1 byte 176 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 177 * text length 2 bytes 178 * text N bytes + 1 terminating NULL byte 179 */ 180 typedef struct { 181 u_char no; 182 u_int32_t val; 183 u_int16_t len; 184 char *text; 185 } au_arg32_t; 186 187 typedef struct { 188 u_char no; 
189 u_int64_t val; 190 u_int16_t len; 191 char *text; 192 } au_arg64_t; 193 194 /* 195 * how to print 1 byte 196 * basic unit 1 byte 197 * unit count 1 byte 198 * data items (depends on basic unit) 199 */ 200 typedef struct { 201 u_char howtopr; 202 u_char bu; 203 u_char uc; 204 u_char *data; 205 } au_arb_t; 206 207 /* 208 * file access mode 4 bytes 209 * owner user ID 4 bytes 210 * owner group ID 4 bytes 211 * file system ID 4 bytes 212 * node ID 8 bytes 213 * device 4 bytes/8 bytes (32-bit/64-bit) 214 */ 215 typedef struct { 216 u_int32_t mode; 217 u_int32_t uid; 218 u_int32_t gid; 219 u_int32_t fsid; 220 u_int64_t nid; 221 u_int32_t dev; 222 } au_attr32_t; 223 224 typedef struct { 225 u_int32_t mode; 226 u_int32_t uid; 227 u_int32_t gid; 228 u_int32_t fsid; 229 u_int64_t nid; 230 u_int64_t dev; 231 } au_attr64_t; 232 233 /* 234 * count 4 bytes 235 * text count null-terminated string(s) * * NOTE(review): count is a 32-bit value taken from the record, but text[] has room for only AUDIT_MAX_ARGS pointers. Whatever fills this structure from an untrusted trail must clamp count to AUDIT_MAX_ARGS before storing into text[]; whether au_fetch_tok() does so is not visible in this header -- confirm in the parser. 236 */ 237 typedef struct { 238 u_int32_t count; 239 char *text[AUDIT_MAX_ARGS]; 240 } au_execarg_t; 241 242 /* 243 * count 4 bytes 244 * text count null-terminated string(s) * * NOTE(review): same caveat as au_execarg_t -- clamp count to AUDIT_MAX_ENV before filling text[]. 245 */ 246 typedef struct { 247 u_int32_t count; 248 char *text[AUDIT_MAX_ENV]; 249 } au_execenv_t; 250 251 /* 252 * status 4 bytes 253 * return value 4 bytes 254 */ 255 typedef struct { 256 u_int32_t status; 257 u_int32_t ret; 258 } au_exit_t; 259 260 /* 261 * seconds of time 4 bytes 262 * milliseconds of time 4 bytes 263 * file name length 2 bytes 264 * file pathname N bytes + 1 terminating NULL byte 265 */ 266 typedef struct { 267 u_int32_t s; 268 u_int32_t ms; 269 u_int16_t len; 270 char *name; 271 } au_file_t; 272 273 274 /* 275 * number groups 2 bytes 276 * group list N * 4 bytes * * NOTE(review): no is read from the record while list[] is a fixed array of AUDIT_MAX_GROUPS entries (defined outside this header); a parser must clamp no to AUDIT_MAX_GROUPS before filling list[]. 277 */ 278 typedef struct { 279 u_int16_t no; 280 u_int32_t list[AUDIT_MAX_GROUPS]; 281 } au_groups_t; 282 283 /* 284 * record byte count 4 bytes 285 * version # 1 byte [2] 286 * event type 2 bytes 287 * event modifier 2 bytes 288 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 289 * milliseconds of time 4 bytes/8 bytes 
(32-bit/64-bit value) 290 */ 291 typedef struct { 292 u_int32_t size; 293 u_char version; 294 u_int16_t e_type; 295 u_int16_t e_mod; 296 u_int32_t s; 297 u_int32_t ms; 298 } au_header32_t; 299 300 /* 301 * record byte count 4 bytes 302 * version # 1 byte [2] 303 * event type 2 bytes 304 * event modifier 2 bytes 305 * address type/length 1 byte (XXX: actually, 4 bytes) 306 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 307 * seconds of time 4 bytes/8 bytes (32/64-bits) 308 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 309 */ 310 typedef struct { 311 u_int32_t size; 312 u_char version; 313 u_int16_t e_type; 314 u_int16_t e_mod; 315 u_int32_t ad_type; 316 u_int32_t addr[4]; 317 u_int32_t s; 318 u_int32_t ms; 319 } au_header32_ex_t; 320 321 typedef struct { 322 u_int32_t size; 323 u_char version; 324 u_int16_t e_type; 325 u_int16_t e_mod; 326 u_int64_t s; 327 u_int64_t ms; 328 } au_header64_t; 329 330 typedef struct { 331 u_int32_t size; 332 u_char version; 333 u_int16_t e_type; 334 u_int16_t e_mod; 335 u_int32_t ad_type; 336 u_int32_t addr[4]; 337 u_int64_t s; 338 u_int64_t ms; 339 } au_header64_ex_t; 340 341 /* 342 * internet address 4 bytes 343 */ 344 typedef struct { 345 u_int32_t addr; 346 } au_inaddr_t; 347 348 /* 349 * type 4 bytes 350 * internet address 16 bytes 351 */ 352 typedef struct { 353 u_int32_t type; 354 u_int32_t addr[4]; 355 } au_inaddr_ex_t; 356 357 /* 358 * version and ihl 1 byte 359 * type of service 1 byte 360 * length 2 bytes 361 * id 2 bytes 362 * offset 2 bytes 363 * ttl 1 byte 364 * protocol 1 byte 365 * checksum 2 bytes 366 * source address 4 bytes 367 * destination address 4 bytes 368 */ 369 typedef struct { 370 u_char version; 371 u_char tos; 372 u_int16_t len; 373 u_int16_t id; 374 u_int16_t offset; 375 u_char ttl; 376 u_char prot; 377 u_int16_t chksm; 378 u_int32_t src; 379 u_int32_t dest; 380 } au_ip_t; 381 382 /* 383 * object ID type 1 byte 384 * object ID 4 bytes 385 */ 386 typedef struct { 387 u_char type; 388 u_int32_t 
id; 389 } au_ipc_t; 390 391 /* 392 * owner user ID 4 bytes 393 * owner group ID 4 bytes 394 * creator user ID 4 bytes 395 * creator group ID 4 bytes 396 * access mode 4 bytes 397 * slot sequence # 4 bytes 398 * key 4 bytes 399 */ 400 typedef struct { 401 u_int32_t uid; 402 u_int32_t gid; 403 u_int32_t puid; 404 u_int32_t pgid; 405 u_int32_t mode; 406 u_int32_t seq; 407 u_int32_t key; 408 } au_ipcperm_t; 409 410 /* 411 * port IP address 2 bytes 412 */ 413 typedef struct { 414 u_int16_t port; 415 } au_iport_t; 416 417 /* 418 * length 2 bytes 419 * data length bytes 420 */ 421 typedef struct { 422 u_int16_t size; 423 char *data; 424 } au_opaque_t; 425 426 /* 427 * path length 2 bytes 428 * path N bytes + 1 terminating NULL byte 429 */ 430 typedef struct { 431 u_int16_t len; 432 char *path; 433 } au_path_t; 434 435 /* 436 * audit ID 4 bytes 437 * effective user ID 4 bytes 438 * effective group ID 4 bytes 439 * real user ID 4 bytes 440 * real group ID 4 bytes 441 * process ID 4 bytes 442 * session ID 4 bytes 443 * terminal ID 444 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 445 * machine address 4 bytes 446 */ 447 typedef struct { 448 u_int32_t auid; 449 u_int32_t euid; 450 u_int32_t egid; 451 u_int32_t ruid; 452 u_int32_t rgid; 453 u_int32_t pid; 454 u_int32_t sid; 455 au_tid32_t tid; 456 } au_proc32_t; 457 458 typedef struct { 459 u_int32_t auid; 460 u_int32_t euid; 461 u_int32_t egid; 462 u_int32_t ruid; 463 u_int32_t rgid; 464 u_int32_t pid; 465 u_int32_t sid; 466 au_tid64_t tid; 467 } au_proc64_t; 468 469 /* 470 * audit ID 4 bytes 471 * effective user ID 4 bytes 472 * effective group ID 4 bytes 473 * real user ID 4 bytes 474 * real group ID 4 bytes 475 * process ID 4 bytes 476 * session ID 4 bytes 477 * terminal ID 478 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 479 * type 4 bytes 480 * machine address 16 bytes 481 */ 482 typedef struct { 483 u_int32_t auid; 484 u_int32_t euid; 485 u_int32_t egid; 486 u_int32_t ruid; 487 u_int32_t rgid; 488 u_int32_t pid; 
489 u_int32_t sid; 490 au_tidaddr32_t tid; 491 } au_proc32ex_t; 492 493 typedef struct { 494 u_int32_t auid; 495 u_int32_t euid; 496 u_int32_t egid; 497 u_int32_t ruid; 498 u_int32_t rgid; 499 u_int32_t pid; 500 u_int32_t sid; 501 au_tidaddr64_t tid; 502 } au_proc64ex_t; 503 504 /* 505 * error status 1 byte 506 * return value 4 bytes/8 bytes (32-bit/64-bit value) * * NOTE: the two variants name their members differently (status/ret in au_ret32_t, err/val in au_ret64_t); code that switches on token size must use the matching names. 507 */ 508 typedef struct { 509 u_char status; 510 u_int32_t ret; 511 } au_ret32_t; 512 513 typedef struct { 514 u_char err; 515 u_int64_t val; 516 } au_ret64_t; 517 518 /* 519 * sequence number 4 bytes 520 */ 521 typedef struct { 522 u_int32_t seqno; 523 } au_seq_t; 524 525 /* 526 * socket type 2 bytes 527 * local port 2 bytes 528 * local Internet address 4 bytes 529 * remote port 2 bytes 530 * remote Internet address 4 bytes 531 */ 532 typedef struct { 533 u_int16_t type; 534 u_int16_t l_port; 535 u_int32_t l_addr; 536 u_int16_t r_port; 537 u_int32_t r_addr; 538 } au_socket_t; 539 540 /* 541 * socket type 2 bytes 542 * local port 2 bytes 543 * address type/length 4 bytes 544 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 545 * remote port 4 bytes 546 * address type/length 4 bytes 547 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) * * NOTE(review): the list above does not match the structure below, which carries a 16-bit domain, a single 16-bit atype shared by both addresses, a 16-bit l_port and a 32-bit r_port. Treat the structure as authoritative for in-memory use and check the parser for the actual on-disk layout. 548 */ 549 typedef struct { 550 u_int16_t domain; 551 u_int16_t type; 552 u_int16_t atype; 553 u_int16_t l_port; 554 u_int32_t l_addr[4]; 555 u_int32_t r_port; 556 u_int32_t r_addr[4]; 557 } au_socket_ex32_t; 558 559 /* 560 * socket family 2 bytes 561 * local port 2 bytes 562 * socket address 4 bytes/16 bytes (IPv4/IPv6 address) * * NOTE(review): addr is a single u_int32_t, so this structure can hold only an IPv4 address; an IPv6 address does not fit here despite the description above. 563 */ 564 typedef struct { 565 u_int16_t family; 566 u_int16_t port; 567 u_int32_t addr; 568 } au_socketinet32_t; 569 570 /* 571 * socket family 2 bytes 572 * path 104 bytes * * NOTE(review): path is a fixed 104-byte array with no length field, and a full-length path leaves no room for a NUL terminator. Consumers must print or copy it with an explicit bound (e.g. "%.104s" or strnlen(path, sizeof(path))) rather than treating it as a C string. 573 */ 574 typedef struct { 575 u_int16_t family; 576 char path[104]; 577 } au_socketunix_t; 578 579 /* 580 * audit ID 4 bytes 581 * effective user ID 4 bytes 582 * effective group ID 4 bytes 583 * real user ID 4 bytes 584 * real group ID 4 bytes 585 * 
process ID 4 bytes 586 * session ID 4 bytes 587 * terminal ID 588 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 589 * machine address 4 bytes 590 */ 591 typedef struct { 592 u_int32_t auid; 593 u_int32_t euid; 594 u_int32_t egid; 595 u_int32_t ruid; 596 u_int32_t rgid; 597 u_int32_t pid; 598 u_int32_t sid; 599 au_tid32_t tid; 600 } au_subject32_t; 601 602 typedef struct { 603 u_int32_t auid; 604 u_int32_t euid; 605 u_int32_t egid; 606 u_int32_t ruid; 607 u_int32_t rgid; 608 u_int32_t pid; 609 u_int32_t sid; 610 au_tid64_t tid; 611 } au_subject64_t; 612 613 /* 614 * audit ID 4 bytes 615 * effective user ID 4 bytes 616 * effective group ID 4 bytes 617 * real user ID 4 bytes 618 * real group ID 4 bytes 619 * process ID 4 bytes 620 * session ID 4 bytes 621 * terminal ID 622 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 623 * type 4 bytes 624 * machine address 16 bytes 625 */ 626 typedef struct { 627 u_int32_t auid; 628 u_int32_t euid; 629 u_int32_t egid; 630 u_int32_t ruid; 631 u_int32_t rgid; 632 u_int32_t pid; 633 u_int32_t sid; 634 au_tidaddr32_t tid; 635 } au_subject32ex_t; 636 637 typedef struct { 638 u_int32_t auid; 639 u_int32_t euid; 640 u_int32_t egid; 641 u_int32_t ruid; 642 u_int32_t rgid; 643 u_int32_t pid; 644 u_int32_t sid; 645 au_tidaddr64_t tid; 646 } au_subject64ex_t; 647 648 /* 649 * text length 2 bytes 650 * text N bytes + 1 terminating NULL byte 651 */ 652 typedef struct { 653 u_int16_t len; 654 char *text; 655 } au_text_t; 656 657 /* 658 * zonename length 2 bytes 659 * zonename text N bytes + 1 NULL terminator 660 */ 661 typedef struct { 662 u_int16_t len; 663 char *zonename; 664 } au_zonename_t; 665 666 typedef struct { 667 u_int32_t ident; 668 u_int16_t filter; 669 u_int16_t flags; 670 u_int32_t fflags; 671 u_int32_t data; 672 } au_kevent_t; 673 674 typedef struct { 675 u_int16_t length; 676 char *data; 677 } au_invalid_t; 678 679 /* 680 * trailer magic number 2 bytes 681 * record byte count 4 bytes 682 */ 683 typedef struct { 684 u_int16_t 
magic; 685 u_int32_t count; 686 } au_trailer_t; 687 688 struct tokenstr { 689 u_char id; 690 u_char *data; 691 size_t len; 692 union { 693 au_arg32_t arg32; 694 au_arg64_t arg64; 695 au_arb_t arb; 696 au_attr32_t attr32; 697 au_attr64_t attr64; 698 au_execarg_t execarg; 699 au_execenv_t execenv; 700 au_exit_t exit; 701 au_file_t file; 702 au_groups_t grps; 703 au_header32_t hdr32; 704 au_header32_ex_t hdr32_ex; 705 au_header64_t hdr64; 706 au_header64_ex_t hdr64_ex; 707 au_inaddr_t inaddr; 708 au_inaddr_ex_t inaddr_ex; 709 au_ip_t ip; 710 au_ipc_t ipc; 711 au_ipcperm_t ipcperm; 712 au_iport_t iport; 713 au_opaque_t opaque; 714 au_path_t path; 715 au_proc32_t proc32; 716 au_proc32ex_t proc32_ex; 717 au_proc64_t proc64; 718 au_proc64ex_t proc64_ex; 719 au_ret32_t ret32; 720 au_ret64_t ret64; 721 au_seq_t seq; 722 au_socket_t socket; 723 au_socket_ex32_t socket_ex32; 724 au_socketinet32_t sockinet32; 725 au_socketunix_t sockunix; 726 au_subject32_t subj32; 727 au_subject32ex_t subj32_ex; 728 au_subject64_t subj64; 729 au_subject64ex_t subj64_ex; 730 au_text_t text; 731 au_kevent_t kevent; 732 au_invalid_t invalid; 733 au_trailer_t trail; 734 au_zonename_t zonename; 735 } tt; /* The token is one of the above types */ 736 }; 737 738 typedef struct tokenstr tokenstr_t; 739 740 int audit_submit(short au_event, au_id_t auid, 741 char status, int reterr, const char *fmt, ...); 742 743 /* 744 * Functions relating to querying audit class information. 
745 */ 746 void setauclass(void); 747 void endauclass(void); 748 struct au_class_ent *getauclassent(void); 749 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 750 struct au_class_ent *getauclassnam(const char *name); 751 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 752 const char *name); 753 struct au_class_ent *getauclassnum(au_class_t class_number); 754 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 755 au_class_t class_number); 756 757 /* 758 * Functions relating to querying audit control information. 759 */ 760 void setac(void); 761 void endac(void); 762 int getacdir(char *name, int len); 763 int getacmin(int *min_val); 764 int getacfilesz(size_t *size_val); 765 int getacflg(char *auditstr, int len); 766 int getacna(char *auditstr, int len); 767 int getacpol(char *auditstr, size_t len); 768 int getachost(char *auditstr, size_t len); 769 int getauditflagsbin(char *auditstr, au_mask_t *masks); 770 int getauditflagschar(char *auditstr, au_mask_t *masks, 771 int verbose); 772 int au_preselect(au_event_t event, au_mask_t *mask_p, 773 int sorf, int flag); 774 ssize_t au_poltostr(long policy, size_t maxsize, char *buf); 775 int au_strtopol(const char *polstr, long *policy); 776 777 /* 778 * Functions relating to querying audit event information. 779 */ 780 void setauevent(void); 781 void endauevent(void); 782 struct au_event_ent *getauevent(void); 783 struct au_event_ent *getauevent_r(struct au_event_ent *e); 784 struct au_event_ent *getauevnam(const char *name); 785 struct au_event_ent *getauevnam_r(struct au_event_ent *e, 786 const char *name); 787 struct au_event_ent *getauevnum(au_event_t event_number); 788 struct au_event_ent *getauevnum_r(struct au_event_ent *e, 789 au_event_t event_number); 790 au_event_t *getauevnonam(const char *event_name); 791 au_event_t *getauevnonam_r(au_event_t *ev, 792 const char *event_name); 793 794 /* 795 * Functions relating to querying audit user information. 
796 */ 797 void setauuser(void); 798 void endauuser(void); 799 struct au_user_ent *getauuserent(void); 800 struct au_user_ent *getauuserent_r(struct au_user_ent *u); 801 struct au_user_ent *getauusernam(const char *name); 802 struct au_user_ent *getauusernam_r(struct au_user_ent *u, 803 const char *name); 804 int au_user_mask(char *username, au_mask_t *mask_p); 805 int getfauditflags(au_mask_t *usremask, 806 au_mask_t *usrdmask, au_mask_t *lastmask); 807 808 /* 809 * Functions for reading and printing records and tokens from audit trails. * * NOTE(review): audit trails are untrusted input to these parsers. au_read_rec() reads one record from fp into *buf (presumably allocated for the caller, who then owns and frees it -- confirm against the implementation) and returns an int (presumably the record length, or -1 on error -- confirm). au_fetch_tok() parses the next token out of buf and has len as its only bound, so callers must check au_read_rec()'s return value and pass the record's true length, never a larger buffer capacity. The pointer members of tokenstr_t (text, path, data, ...) presumably alias buf rather than copying it, so do not use them after buf is released. 810 */ 811 int au_read_rec(FILE *fp, u_char **buf); 812 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); 813 //XXX The following two interfaces have a different prototype from BSM's 814 void au_print_tok(FILE *outfp, tokenstr_t *tok, 815 char *del, char raw, char sfrm); 816 void au_print_tok_xml(FILE *outfp, tokenstr_t *tok, 817 char *del, char raw, char sfrm); 818 819 /* 820 * Functions relating to XML output. 821 */ 822 void au_print_xml_header(FILE *outfp); 823 void au_print_xml_footer(FILE *outfp); 824 825 /* 826 * BSM library routines for converting between local and BSM constant spaces. 827 * (Note: some of these are replicated in audit_record.h for the benefit of 828 * the FreeBSD and Mac OS X kernels) 829 */ 830 int au_bsm_to_domain(u_short bsm_domain, int *local_domainp); 831 int au_bsm_to_errno(u_char bsm_error, int *errorp); 832 int au_bsm_to_socket_type(u_short bsm_socket_type, 833 int *local_socket_typep); 834 u_short au_domain_to_bsm(int local_domain); 835 u_char au_errno_to_bsm(int local_errno); 836 u_short au_socket_type_to_bsm(int local_socket_type); 837 838 const char *au_strerror(u_char bsm_error); 839 __END_DECLS 840 841 /* 842 * The remaining APIs are associated with Apple's BSM implementation, in 843 * particular as relates to Mach IPC auditing and triggers passed via Mach 844 * IPC. 
845 */ 846 #ifdef __APPLE__ 847 #include <sys/appleapiopts.h> 848 849 /************************************************************************** 850 ************************************************************************** 851 ** The following definitions, functions, etc., are NOT officially 852 ** supported: they may be changed or removed in the future. Do not use 853 ** them unless you are prepared to cope with that eventuality. 854 ************************************************************************** 855 **************************************************************************/ 856 857 #ifdef __APPLE_API_PRIVATE 858 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" 859 #endif /* __APPLE_API_PRIVATE */ 860 861 /* 862 * au_get_state() return values 863 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and 864 * AUDIT_ON are deprecated and WILL be removed. 865 */ 866 #ifdef __APPLE_API_PRIVATE 867 #define AUDIT_OFF AUC_NOAUDIT 868 #define AUDIT_ON AUC_AUDITING 869 #endif /* __APPLE_API_PRIVATE */ 870 #endif /* __APPLE__ */ 871 872 /* 873 * Error return codes for audit_set_terminal_id(), audit_write() and its 874 * brethren. We have 255 (not including kAUNoErr) to play with. * * All error codes are negative and consecutive, starting at kAUBadParamErr; only kAUNoErr is zero, so `rc != kAUNoErr` is the portable failure test. 875 * 876 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 877 */ 878 enum { 879 kAUNoErr = 0, 880 kAUBadParamErr = -66049, 881 kAUStatErr, 882 kAUSysctlErr, 883 kAUOpenErr, 884 kAUMakeSubjectTokErr, 885 kAUWriteSubjectTokErr, 886 kAUWriteCallerTokErr, 887 kAUMakeReturnTokErr, 888 kAUWriteReturnTokErr, 889 kAUCloseErr, 890 kAUMakeTextTokErr, 891 kAULastErr 892 }; 893 894 #ifdef __APPLE__ 895 /* 896 * Error return codes for au_get_state() and/or its private support 897 * functions. These codes are designed to be compatible with the 898 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. 899 * Any changes to notify(3) may cause these values to change in future. 
900 * 901 * AU_UNIMPL should never happen unless you've changed your system software 902 * without rebooting. Shame on you. 903 */ 904 #ifdef __APPLE_API_PRIVATE 905 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented; NOTE(review): the expansion is unparenthesized, so use AU_UNIMPL only in == / != comparisons, never inside arithmetic */ 906 #endif /* __APPLE_API_PRIVATE */ 907 #endif /* __APPLE__ */ 908 909 __BEGIN_DECLS 910 /* 911 * XXX This prototype should be in audit_record.h 912 * 913 * au_free_token() 914 * 915 * @summary - au_free_token() deallocates a token_t created by any of 916 * the au_to_*() BSM API functions. 917 * 918 * The BSM API generally manages deallocation of token_t objects. However, 919 * if au_write() is passed a bad audit descriptor, the token_t * parameter 920 * will be left untouched. In that case, the caller can deallocate the 921 * token_t using au_free_token() if desired. This is, in fact, what 922 * audit_write() does, in keeping with the existing memory management model 923 * of the BSM API. 924 * 925 * @param tok - A token_t * generated by one of the au_to_*() BSM API 926 * calls. For convenience, tok may be NULL, in which case 927 * au_free_token() returns immediately. 928 * 929 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 930 */ 931 void au_free_token(token_t *tok); 932 933 /* 934 * Lightweight check to determine if auditing is enabled. If a client 935 * wants to use this to govern whether an entire series of audit calls 936 * should be made--as in the common case of a caller building a set of 937 * tokens, then writing them--it should cache the audit status in a local 938 * variable. This call always returns the current state of auditing, so a cached value can go stale if auditing is switched on or off meanwhile; treat the cache as a performance hint, not a guarantee that records will (or will not) be written. 939 * 940 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 941 * Otherwise the function can return any of the errno values defined for 942 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 943 * the system. 944 * 945 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
946 */ 947 int au_get_state(void); 948 949 /* 950 * Initialize the audit notification. If it has not already been initialized 951 * it will automatically on the first call of au_get_state(). 952 */ 953 uint32_t au_notify_initialize(void); 954 955 /* 956 * Cancel audit notification and free the resources associated with it. 957 * Responsible code that no longer needs to use au_get_state() should call 958 * this. 959 */ 960 int au_notify_terminate(void); 961 __END_DECLS 962 963 /* OpenSSH compatibility */ 964 int cannot_audit(int); 965 966 __BEGIN_DECLS 967 /* 968 * audit_set_terminal_id() 969 * 970 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 971 * used in audit session initialization by processes like /usr/bin/login. 972 * 973 * @param tid - A pointer to an au_tid_t struct. 974 * 975 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 976 * or kAUSysctlErr if one of the underlying system calls fails (a message 977 * is sent to the system log in those cases). 978 * 979 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 980 */ 981 int audit_set_terminal_id(au_tid_t *tid); 982 983 /* 984 * BEGIN au_write() WRAPPERS 985 * 986 * The following calls all wrap the existing BSM API. They use the 987 * provided subject information, if any, to construct the subject token 988 * required for every log message. They use the provided return/error 989 * value(s), if any, to construct the success/failure indication required 990 * for every log message. They only permit one "miscellaneous" token, 991 * which should contain the event-specific logging information mandated by 992 * CAPP. 993 * 994 * All these calls assume the caller has previously determined that 995 * auditing is enabled by calling au_get_state(). 996 */ 997 998 /* 999 * audit_write() 1000 * 1001 * @summary - audit_write() is the basis for the other audit_write_*() 1002 * calls. 
Performs a basic write of an audit record (subject, additional 1003 * info, success/failure). Note that this call only permits logging one 1004 * caller-specified token; clients needing to log more flexibly must use 1005 * the existing BSM API (au_open(), et al.) directly. 1006 * 1007 * Note on memory management: audit_write() guarantees that the token_t *s 1008 * passed to it will be deallocated whether or not the underlying write to 1009 * the audit log succeeded. This addresses an inconsistency in the 1010 * underlying BSM API in which token_t *s are usually but not always 1011 * deallocated. 1012 * 1013 * @param event_code - The code for the event being logged. This should 1014 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1015 * 1016 * @param subject - A token_t * generated by au_to_subject(), 1017 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 1018 * required, subject should be NULL. 1019 * 1020 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1021 * calls. This should correspond to the additional information required by 1022 * CAPP for the event being audited. If no additional information is 1023 * required, misctok should be NULL. 1024 * 1025 * @param retval - The return value to be logged for this event. This 1026 * should be 0 (zero) for success, otherwise the value is event-specific. 1027 * 1028 * @param errcode - Any error code associated with the return value (e.g., 1029 * errno or h_errno). If there was no error, errcode should be 0 (zero). 1030 * 1031 * @return - The status of the call: 0 (zero) on success, else one of the 1032 * kAU*Err values defined above. 1033 * 1034 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
 */
int audit_write(short event_code, token_t *subject, token_t *misctok,
    char retval, int errcode);

/*
 * audit_write_success()
 *
 * @summary - audit_write_success() records an auditable event that did not
 * encounter an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_success_self() instead.
 *
 * NOTE(review): every subject field below (auid, euid, egid, ruid, rgid,
 * pid, sid, tid) is supplied by the caller, and nothing in this header
 * indicates that the library cross-checks them against the kernel.  They
 * become the "who" of an audit record, so take them from a trusted source
 * -- the calling process's own credentials, or on Apple an audit_token_t
 * decoded with audit_token_to_au32() (declared below) -- rather than from
 * values a remote or IPC peer asserts about itself.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.  (Whether the callee frees this token
 * is not specified here; confirm against the implementation before reuse.)
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.  Callers that need a complete audit trail
 * should not ignore a non-zero return: it means the event was not recorded.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
    au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_success_self()
 *
 * @summary - Similar to audit_write_success(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself; the
 * subject fields are derived from the calling process rather than passed
 * in, which removes the caller-supplied-identity concern noted above.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success_self(short event_code, token_t *misctok);

/*
 * audit_write_failure()
 *
 * @summary - audit_write_failure() records an auditable event that
 * encountered an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_failure_self() instead.
 *
 * The same caution as for audit_write_success() applies: the subject
 * fields are recorded as given, so obtain them from a trusted source.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.  This text is written into the audit trail;
 * avoid embedding secrets or unfiltered untrusted input (e.g. a rejected
 * credential) in it.  The prototype declares it as char * rather than
 * const char * -- kept as-is here so the declaration matches the
 * definition; presumably it is not modified, but confirm against the
 * implementation.  Any length limit applied to the message is not
 * determinable from this header.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure(short event_code, char *errmsg, int errret,
    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
    pid_t pid, au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_failure_self()
 *
 * @summary - Similar to audit_write_failure(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself; the
 * subject fields are taken from the calling process.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.  See audit_write_failure() for the caveats on
 * its content and its non-const declaration.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_self(short event_code, char *errmsg, int errret);

/*
 * audit_write_failure_na()
 *
 * @summary - audit_write_failure_na() records errors during login.  Such
 * errors are implicitly non-attributable (i.e., not ascribable to any
 * user), which is why -- unlike audit_write_failure() -- this variant takes
 * no audit ID, real IDs or session ID: a failed login has not yet been
 * attributed to a user.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.  Login failures are exactly where a password
 * typed into the username field can end up in a log; do not place the
 * rejected credential in this message.  See audit_write_failure() for the
 * note on its non-const declaration.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_na(short event_code, char *errmsg, int errret,
    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);

/* END au_write() WRAPPERS */

#ifdef __APPLE__
/*
 * audit_token_to_au32()
 *
 * @summary - Extract information from an audit_token_t, used to identify
 * Mach tasks and senders of Mach messages as subjects to the audit system.
 * audit_token_to_au32() is the only method that should be used to parse
 * an audit_token_t, since its internal representation may change over
 * time.  A pointer parameter may be NULL if that information is not
 * needed.
 *
 * NOTE(review): because the token describes the sender as seen by the
 * system rather than as claimed in the message body, decoding it is the
 * appropriate way to obtain subject IDs for audit_write_success() /
 * audit_write_failure() when auditing on behalf of an IPC client.  How the
 * token is obtained and guaranteed authentic is outside this header --
 * confirm against the Mach IPC documentation.
 *
 * @param atoken - the audit token containing the desired information
 *
 * @param auidp - Pointer to a uid_t; on return will be set to the task or
 * sender's audit user ID
 *
 * @param euidp - Pointer to a uid_t; on return will be set to the task or
 * sender's effective user ID
 *
 * @param egidp - Pointer to a gid_t; on return will be set to the task or
 * sender's effective group ID
 *
 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
 * sender's real user ID
 *
 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
 * sender's real group ID
 *
 * @param pidp - Pointer to a pid_t; on return will be set to the task or
 * sender's process ID
 *
 * @param asidp - Pointer to an au_asid_t; on return will be set to the
 * task or sender's audit session ID
 *
 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
 * or sender's terminal ID
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void audit_token_to_au32(
	audit_token_t atoken,
	uid_t *auidp,
	uid_t *euidp,
	gid_t *egidp,
	uid_t *ruidp,
	gid_t *rgidp,
	pid_t *pidp,
	au_asid_t *asidp,
	au_tid_t *tidp);
#endif /* __APPLE__ */

__END_DECLS

#endif /* !_LIBBSM_H_ */