1 /* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $ 30 */ 31 32 #ifndef _LIBBSM_H_ 33 #define _LIBBSM_H_ 34 35 /* 36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 
38 */ 39 40 #define MAX_ARGS 10 41 #define MAX_ENV 10 42 43 #include <sys/types.h> 44 #include <sys/cdefs.h> 45 #include <sys/queue.h> 46 47 #include <bsm/audit.h> 48 #include <bsm/audit_record.h> 49 50 #include <stdio.h> 51 #include <stdint.h> 52 53 #ifdef __APPLE__ 54 #include <mach/mach.h> /* audit_token_t */ 55 #endif 56 57 #define AU_PRS_SUCCESS 1 58 #define AU_PRS_FAILURE 2 59 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 60 61 #define AU_PRS_USECACHE 0 62 #define AU_PRS_REREAD 1 63 64 #define AUDIT_EVENT_FILE "/etc/security/audit_event" 65 #define AUDIT_CLASS_FILE "/etc/security/audit_class" 66 #define AUDIT_CONTROL_FILE "/etc/security/audit_control" 67 #define AUDIT_USER_FILE "/etc/security/audit_user" 68 69 #define DIR_CONTROL_ENTRY "dir" 70 #define MINFREE_CONTROL_ENTRY "minfree" 71 #define FLAGS_CONTROL_ENTRY "flags" 72 #define NA_CONTROL_ENTRY "naflags" 73 74 #define AU_CLASS_NAME_MAX 8 75 #define AU_CLASS_DESC_MAX 72 76 #define AU_EVENT_NAME_MAX 30 77 #define AU_EVENT_DESC_MAX 50 78 #define AU_USER_NAME_MAX 50 79 #define AU_LINE_MAX 256 80 #define MAX_AUDITSTRING_LEN 256 81 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ 82 83 /* 84 * These are referenced in Solaris 9 au_open(3BSM); values are guesses. 85 * Provided for OpenSSH compatibility. 
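*/
#define AU_TO_NO_WRITE 0
#define AU_TO_WRITE 1

__BEGIN_DECLS
/*
 * One entry of the audit event table, as handed back by getauevent() and
 * the other getauev*() calls declared later in this header.
 * NOTE(review): ownership of the char * members is not documented here;
 * confirm whether they point at library-internal storage before caching
 * them across calls.
 */
struct au_event_ent {
	au_event_t ae_number;		/* event number */
	char *ae_name;			/* event name */
	char *ae_desc;			/* event description */
	au_class_t ae_class;		/* audit class of the event */
};
typedef struct au_event_ent au_event_ent_t;

/*
 * One entry of the audit class table, as handed back by getauclassent()
 * and the other getauclass*() calls.  Same ownership caveat as above.
 */
struct au_class_ent {
	char *ac_name;			/* class name */
	au_class_t ac_class;		/* class value */
	char *ac_desc;			/* class description */
};
typedef struct au_class_ent au_class_ent_t;

/*
 * One entry of the audit user table, as handed back by getauuserent() and
 * getauusernam(); au_always and au_never are the user's two preselection
 * masks.  Same ownership caveat as above.
 */
struct au_user_ent {
	char *au_name;			/* user name */
	au_mask_t au_always;		/* "always" preselection mask */
	au_mask_t au_never;		/* "never" preselection mask */
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Add the class bits c to, or remove them from, the preselection mask m.
 * sel chooses which halves of the mask are touched: AU_PRS_SUCCESS,
 * AU_PRS_FAILURE or AU_PRS_BOTH.  Every argument is parenthesised when
 * expanded so that a compound expression such as
 * SUB_FROM_MASK(m, a | b, sel) is treated as one value instead of being
 * re-associated with the operators inside the macro.
 */
#define ADD_TO_MASK(m, c, sel) do { \
	if ((sel) & AU_PRS_SUCCESS) \
		(m)->am_success |= (c); \
	if ((sel) & AU_PRS_FAILURE) \
		(m)->am_failure |= (c); \
} while (0)

/* x & (x ^ c) leaves x with exactly the bits of c cleared. */
#define SUB_FROM_MASK(m, c, sel) do { \
	if ((sel) & AU_PRS_SUCCESS) \
		(m)->am_success &= ((m)->am_success ^ (c)); \
	if ((sel) & AU_PRS_FAILURE) \
		(m)->am_failure &= ((m)->am_failure ^ (c)); \
} while (0)

/* Merge every bit of mask v into mask m (both halves). */
#define ADDMASK(m, v) do { \
	(m)->am_success |= (v)->am_success; \
	(m)->am_failure |= (v)->am_failure; \
} while(0)

/* Clear from mask m every bit that is set in mask v (both halves). */
#define SUBMASK(m, v) do { \
	(m)->am_success &= ((m)->am_success ^ (v)->am_success); \
	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
} while(0)

__BEGIN_DECLS

/*
 * Internal representation of audit user in libnsl.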
142 */ 143 typedef struct au_user_str_s { 144 char *au_name; 145 char *au_always; 146 char *au_never; 147 } au_user_str_t; 148 149 typedef struct au_tid32 { 150 u_int32_t port; 151 u_int32_t addr; 152 } au_tid32_t; 153 154 typedef struct au_tid64 { 155 u_int64_t port; 156 u_int32_t addr; 157 } au_tid64_t; 158 159 typedef struct au_tidaddr32 { 160 u_int32_t port; 161 u_int32_t type; 162 u_int32_t addr[4]; 163 } au_tidaddr32_t; 164 165 /* 166 * argument # 1 byte 167 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 168 * text length 2 bytes 169 * text N bytes + 1 terminating NULL byte 170 */ 171 typedef struct { 172 u_char no; 173 u_int32_t val; 174 u_int16_t len; 175 char *text; 176 } au_arg32_t; 177 178 typedef struct { 179 u_char no; 180 u_int64_t val; 181 u_int16_t len; 182 char *text; 183 } au_arg64_t; 184 185 /* 186 * how to print 1 byte 187 * basic unit 1 byte 188 * unit count 1 byte 189 * data items (depends on basic unit) 190 */ 191 typedef struct { 192 u_char howtopr; 193 u_char bu; 194 u_char uc; 195 u_char *data; 196 } au_arb_t; 197 198 /* 199 * file access mode 4 bytes 200 * owner user ID 4 bytes 201 * owner group ID 4 bytes 202 * file system ID 4 bytes 203 * node ID 8 bytes 204 * device 4 bytes/8 bytes (32-bit/64-bit) 205 */ 206 typedef struct { 207 u_int32_t mode; 208 u_int32_t uid; 209 u_int32_t gid; 210 u_int32_t fsid; 211 u_int64_t nid; 212 u_int32_t dev; 213 } au_attr32_t; 214 215 typedef struct { 216 u_int32_t mode; 217 u_int32_t uid; 218 u_int32_t gid; 219 u_int32_t fsid; 220 u_int64_t nid; 221 u_int64_t dev; 222 } au_attr64_t; 223 224 /* 225 * count 4 bytes 226 * text count null-terminated string(s) 227 */ 228 typedef struct { 229 u_int32_t count; 230 char *text[MAX_ARGS]; 231 } au_execarg_t; 232 233 /* 234 * count 4 bytes 235 * text count null-terminated string(s) 236 */ 237 typedef struct { 238 u_int32_t count; 239 char *text[MAX_ENV]; 240 } au_execenv_t; 241 242 /* 243 * status 4 bytes 244 * return value 4 bytes 245 */ 246 typedef struct 
{ 247 u_int32_t status; 248 u_int32_t ret; 249 } au_exit_t; 250 251 /* 252 * seconds of time 4 bytes 253 * milliseconds of time 4 bytes 254 * file name length 2 bytes 255 * file pathname N bytes + 1 terminating NULL byte 256 */ 257 typedef struct { 258 u_int32_t s; 259 u_int32_t ms; 260 u_int16_t len; 261 char *name; 262 } au_file_t; 263 264 265 /* 266 * number groups 2 bytes 267 * group list N * 4 bytes 268 */ 269 typedef struct { 270 u_int16_t no; 271 u_int32_t list[BSM_MAX_GROUPS]; 272 } au_groups_t; 273 274 /* 275 * record byte count 4 bytes 276 * version # 1 byte [2] 277 * event type 2 bytes 278 * event modifier 2 bytes 279 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 280 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 281 */ 282 typedef struct { 283 u_int32_t size; 284 u_char version; 285 u_int16_t e_type; 286 u_int16_t e_mod; 287 u_int32_t s; 288 u_int32_t ms; 289 } au_header32_t; 290 291 /* 292 * record byte count 4 bytes 293 * version # 1 byte [2] 294 * event type 2 bytes 295 * event modifier 2 bytes 296 * address type/length 1 byte (XXX: actually, 4 bytes) 297 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 298 * seconds of time 4 bytes/8 bytes (32/64-bits) 299 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 300 */ 301 typedef struct { 302 u_int32_t size; 303 u_char version; 304 u_int16_t e_type; 305 u_int16_t e_mod; 306 u_int32_t ad_type; 307 u_int32_t addr[4]; 308 u_int32_t s; 309 u_int32_t ms; 310 } au_header32_ex_t; 311 312 typedef struct { 313 u_int32_t size; 314 u_char version; 315 u_int16_t e_type; 316 u_int16_t e_mod; 317 u_int64_t s; 318 u_int64_t ms; 319 } au_header64_t; 320 321 typedef struct { 322 u_int32_t size; 323 u_char version; 324 u_int16_t e_type; 325 u_int16_t e_mod; 326 u_int32_t ad_type; 327 u_int32_t addr[4]; 328 u_int64_t s; 329 u_int64_t ms; 330 } au_header64_ex_t; 331 332 /* 333 * internet address 4 bytes 334 */ 335 typedef struct { 336 u_int32_t addr; 337 } au_inaddr_t; 338 339 /* 340 * type 4 
bytes 341 * internet address 16 bytes 342 */ 343 typedef struct { 344 u_int32_t type; 345 u_int32_t addr[4]; 346 } au_inaddr_ex_t; 347 348 /* 349 * version and ihl 1 byte 350 * type of service 1 byte 351 * length 2 bytes 352 * id 2 bytes 353 * offset 2 bytes 354 * ttl 1 byte 355 * protocol 1 byte 356 * checksum 2 bytes 357 * source address 4 bytes 358 * destination address 4 bytes 359 */ 360 typedef struct { 361 u_char version; 362 u_char tos; 363 u_int16_t len; 364 u_int16_t id; 365 u_int16_t offset; 366 u_char ttl; 367 u_char prot; 368 u_int16_t chksm; 369 u_int32_t src; 370 u_int32_t dest; 371 } au_ip_t; 372 373 /* 374 * object ID type 1 byte 375 * object ID 4 bytes 376 */ 377 typedef struct { 378 u_char type; 379 u_int32_t id; 380 } au_ipc_t; 381 382 /* 383 * owner user ID 4 bytes 384 * owner group ID 4 bytes 385 * creator user ID 4 bytes 386 * creator group ID 4 bytes 387 * access mode 4 bytes 388 * slot sequence # 4 bytes 389 * key 4 bytes 390 */ 391 typedef struct { 392 u_int32_t uid; 393 u_int32_t gid; 394 u_int32_t puid; 395 u_int32_t pgid; 396 u_int32_t mode; 397 u_int32_t seq; 398 u_int32_t key; 399 } au_ipcperm_t; 400 401 /* 402 * port IP address 2 bytes 403 */ 404 typedef struct { 405 u_int16_t port; 406 } au_iport_t; 407 408 /* 409 * length 2 bytes 410 * data length bytes 411 */ 412 typedef struct { 413 u_int16_t size; 414 char *data; 415 } au_opaque_t; 416 417 /* 418 * path length 2 bytes 419 * path N bytes + 1 terminating NULL byte 420 */ 421 typedef struct { 422 u_int16_t len; 423 char *path; 424 } au_path_t; 425 426 /* 427 * audit ID 4 bytes 428 * effective user ID 4 bytes 429 * effective group ID 4 bytes 430 * real user ID 4 bytes 431 * real group ID 4 bytes 432 * process ID 4 bytes 433 * session ID 4 bytes 434 * terminal ID 435 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 436 * machine address 4 bytes 437 */ 438 typedef struct { 439 u_int32_t auid; 440 u_int32_t euid; 441 u_int32_t egid; 442 u_int32_t ruid; 443 u_int32_t rgid; 444 u_int32_t 
pid; 445 u_int32_t sid; 446 au_tid32_t tid; 447 } au_proc32_t; 448 449 typedef struct { 450 u_int32_t auid; 451 u_int32_t euid; 452 u_int32_t egid; 453 u_int32_t ruid; 454 u_int32_t rgid; 455 u_int32_t pid; 456 u_int32_t sid; 457 au_tid64_t tid; 458 } au_proc64_t; 459 460 /* 461 * audit ID 4 bytes 462 * effective user ID 4 bytes 463 * effective group ID 4 bytes 464 * real user ID 4 bytes 465 * real group ID 4 bytes 466 * process ID 4 bytes 467 * session ID 4 bytes 468 * terminal ID 469 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 470 * type 4 bytes 471 * machine address 16 bytes 472 */ 473 typedef struct { 474 u_int32_t auid; 475 u_int32_t euid; 476 u_int32_t egid; 477 u_int32_t ruid; 478 u_int32_t rgid; 479 u_int32_t pid; 480 u_int32_t sid; 481 au_tidaddr32_t tid; 482 } au_proc32ex_t; 483 484 /* 485 * error status 1 byte 486 * return value 4 bytes/8 bytes (32-bit/64-bit value) 487 */ 488 typedef struct { 489 u_char status; 490 u_int32_t ret; 491 } au_ret32_t; 492 493 typedef struct { 494 u_char err; 495 u_int64_t val; 496 } au_ret64_t; 497 498 /* 499 * sequence number 4 bytes 500 */ 501 typedef struct { 502 u_int32_t seqno; 503 } au_seq_t; 504 505 /* 506 * socket type 2 bytes 507 * local port 2 bytes 508 * local Internet address 4 bytes 509 * remote port 2 bytes 510 * remote Internet address 4 bytes 511 */ 512 typedef struct { 513 u_int16_t type; 514 u_int16_t l_port; 515 u_int32_t l_addr; 516 u_int16_t r_port; 517 u_int32_t r_addr; 518 } au_socket_t; 519 520 /* 521 * socket type 2 bytes 522 * local port 2 bytes 523 * address type/length 4 bytes 524 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 525 * remote port 4 bytes 526 * address type/length 4 bytes 527 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 528 */ 529 typedef struct { 530 u_int16_t type; 531 u_int16_t l_port; 532 u_int32_t l_ad_type; 533 u_int32_t l_addr; 534 u_int32_t r_port; 535 u_int32_t r_ad_type; 536 u_int32_t r_addr; 537 } au_socket_ex32_t; 538 539 /* 540 * 
socket family 2 bytes 541 * local port 2 bytes 542 * socket address 4 bytes/16 bytes (IPv4/IPv6 address) 543 */ 544 typedef struct { 545 u_int16_t family; 546 u_int16_t port; 547 u_int32_t addr; 548 } au_socketinet32_t; 549 550 /* 551 * socket family 2 bytes 552 * path 104 bytes 553 */ 554 typedef struct { 555 u_int16_t family; 556 char path[104]; 557 } au_socketunix_t; 558 559 /* 560 * audit ID 4 bytes 561 * effective user ID 4 bytes 562 * effective group ID 4 bytes 563 * real user ID 4 bytes 564 * real group ID 4 bytes 565 * process ID 4 bytes 566 * session ID 4 bytes 567 * terminal ID 568 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 569 * machine address 4 bytes 570 */ 571 typedef struct { 572 u_int32_t auid; 573 u_int32_t euid; 574 u_int32_t egid; 575 u_int32_t ruid; 576 u_int32_t rgid; 577 u_int32_t pid; 578 u_int32_t sid; 579 au_tid32_t tid; 580 } au_subject32_t; 581 582 typedef struct { 583 u_int32_t auid; 584 u_int32_t euid; 585 u_int32_t egid; 586 u_int32_t ruid; 587 u_int32_t rgid; 588 u_int32_t pid; 589 u_int32_t sid; 590 au_tid64_t tid; 591 } au_subject64_t; 592 593 /* 594 * audit ID 4 bytes 595 * effective user ID 4 bytes 596 * effective group ID 4 bytes 597 * real user ID 4 bytes 598 * real group ID 4 bytes 599 * process ID 4 bytes 600 * session ID 4 bytes 601 * terminal ID 602 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 603 * type 4 bytes 604 * machine address 16 bytes 605 */ 606 typedef struct { 607 u_int32_t auid; 608 u_int32_t euid; 609 u_int32_t egid; 610 u_int32_t ruid; 611 u_int32_t rgid; 612 u_int32_t pid; 613 u_int32_t sid; 614 au_tidaddr32_t tid; 615 } au_subject32ex_t; 616 617 /* 618 * text length 2 bytes 619 * text N bytes + 1 terminating NULL byte 620 */ 621 typedef struct { 622 u_int16_t len; 623 char *text; 624 } au_text_t; 625 626 typedef struct { 627 u_int32_t ident; 628 u_int16_t filter; 629 u_int16_t flags; 630 u_int32_t fflags; 631 u_int32_t data; 632 } au_kevent_t; 633 634 typedef struct { 635 u_int16_t length; 636 char 
*data; 637 } au_invalid_t; 638 639 /* 640 * trailer magic number 2 bytes 641 * record byte count 4 bytes 642 */ 643 typedef struct { 644 u_int16_t magic; 645 u_int32_t count; 646 } au_trailer_t; 647 648 struct tokenstr { 649 u_char id; 650 u_char *data; 651 size_t len; 652 union { 653 au_arg32_t arg32; 654 au_arg64_t arg64; 655 au_arb_t arb; 656 au_attr32_t attr32; 657 au_attr64_t attr64; 658 au_execarg_t execarg; 659 au_execenv_t execenv; 660 au_exit_t exit; 661 au_file_t file; 662 au_groups_t grps; 663 au_header32_t hdr32; 664 au_header32_ex_t hdr32_ex; 665 au_header64_t hdr64; 666 au_header64_ex_t hdr64_ex; 667 au_inaddr_t inaddr; 668 au_inaddr_ex_t inaddr_ex; 669 au_ip_t ip; 670 au_ipc_t ipc; 671 au_ipcperm_t ipcperm; 672 au_iport_t iport; 673 au_opaque_t opaque; 674 au_path_t path; 675 au_proc32_t proc32; 676 au_proc64_t proc64; 677 au_proc32ex_t proc32_ex; 678 au_ret32_t ret32; 679 au_ret64_t ret64; 680 au_seq_t seq; 681 au_socket_t socket; 682 au_socket_ex32_t socket_ex32; 683 au_socketinet32_t sockinet32; 684 au_socketunix_t sockunix; 685 au_subject32_t subj32; 686 au_subject64_t subj64; 687 au_subject32ex_t subj32_ex; 688 au_text_t text; 689 au_kevent_t kevent; 690 au_invalid_t invalid; 691 au_trailer_t trail; 692 } tt; /* The token is one of the above types */ 693 }; 694 695 typedef struct tokenstr tokenstr_t; 696 697 /* 698 * Functions relating to querying audit class information. 699 */ 700 void setauclass(void); 701 void endauclass(void); 702 struct au_class_ent *getauclassent(void); 703 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 704 struct au_class_ent *getauclassnam(const char *name); 705 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 706 const char *name); 707 struct au_class_ent *getauclassnum(au_class_t class_number); 708 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 709 au_class_t class_number); 710 711 /* 712 * Functions relating to querying audit control information. 
713 */ 714 void setac(void); 715 void endac(void); 716 int getacdir(char *name, int len); 717 int getacmin(int *min_val); 718 int getacflg(char *auditstr, int len); 719 int getacna(char *auditstr, int len); 720 int getauditflagsbin(char *auditstr, au_mask_t *masks); 721 int getauditflagschar(char *auditstr, au_mask_t *masks, 722 int verbose); 723 int au_preselect(au_event_t event, au_mask_t *mask_p, 724 int sorf, int flag); 725 726 /* 727 * Functions relating to querying audit event information. 728 * 729 * XXXRW: getauevnonam() has no _r version? 730 */ 731 void setauevent(void); 732 void endauevent(void); 733 struct au_event_ent *getauevent(void); 734 struct au_event_ent *getauevent_r(struct au_event_ent *e); 735 struct au_event_ent *getauevnam(const char *name); 736 struct au_event_ent *getauevnam_r(struct au_event_ent *e, 737 const char *name); 738 struct au_event_ent *getauevnum(au_event_t event_number); 739 struct au_event_ent *getauevnum_r(struct au_event_ent *e, 740 au_event_t event_number); 741 au_event_t *getauevnonam(const char *event_name); 742 au_event_t *getauevnonam_r(au_event_t *ev, 743 const char *event_name); 744 745 /* 746 * Functions relating to querying audit user information. 747 */ 748 void setauuser(void); 749 void endauuser(void); 750 struct au_user_ent *getauuserent(void); 751 struct au_user_ent *getauuserent_r(struct au_user_ent *u); 752 struct au_user_ent *getauusernam(const char *name); 753 struct au_user_ent *getauusernam_r(struct au_user_ent *u, 754 const char *name); 755 int au_user_mask(char *username, au_mask_t *mask_p); 756 int getfauditflags(au_mask_t *usremask, 757 au_mask_t *usrdmask, au_mask_t *lastmask); 758 759 /* 760 * Functions for reading and printing records and tokens from audit trails. 
*/
/*
 * au_read_rec() reads one audit record from fp and hands it back through
 * *buf; the return value is the int status of the read.
 * NOTE(review): buf is an out-pointer, so the record storage is presumably
 * allocated by this call -- confirm from the implementation who frees it.
 * Records read from a trail are external input and must be treated as
 * untrusted by everything that parses them.
 */
int au_read_rec(FILE *fp, u_char **buf);

/*
 * au_fetch_tok() decodes the next token from the len bytes at buf into
 * *tok.  NOTE(review): several tokenstr_t members are fixed-size arrays
 * (text[MAX_ARGS], text[MAX_ENV], list[BSM_MAX_GROUPS]) while the count
 * fields beside them come from the record itself; the decoder must clamp
 * those counts to the array sizes and keep every read inside len.  len is
 * a signed int -- callers must never pass a negative value.
 */
int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);

/*
 * au_print_tok() prints tok to outfp.  NOTE(review): del looks like the
 * field delimiter and raw/sfrm like formatting flags -- confirm their
 * accepted values against the implementation.
 */
//XXX The following interface has a different prototype from BSM
void au_print_tok(FILE *outfp, tokenstr_t *tok,
	char *del, char raw, char sfrm);
__END_DECLS

#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future. Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
 */
#ifdef __APPLE_API_PRIVATE
#define AUDIT_OFF AUC_NOAUDIT
#define AUDIT_ON AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren. We have 255 (not including kAUNoErr) to play with.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
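*/
/*
 * kAUNoErr is 0; the failure codes form a contiguous negative range that
 * starts at kAUBadParamErr (-66049) and counts upward, with kAULastErr
 * marking the end of the range.
 */
enum {
	kAUNoErr = 0,
	kAUBadParamErr = -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions. These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting. Shame on you.
 */
#ifdef __APPLE_API_PRIVATE
/* Parenthesised so the expansion is a single value wherever it is used. */
#define AU_UNIMPL (NOTIFY_STATUS_FAILED + 1) /* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects. However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched. In that case, the caller can deallocate the
 * token_t using au_free_token() if desired. This is, in fact, what
 * audit_write() does, in keeping with the existing memory management model
 * of the BSM API.
 *
 * @param tok - A token_t * generated by one of the au_to_*() BSM API
 * calls. For convenience, tok may be NULL, in which case
 * au_free_token() returns immediately.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void au_free_token(token_t *tok);

/*
 * Lightweight check to determine if auditing is enabled.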
If a client
 * wants to use this to govern whether an entire series of audit calls
 * should be made--as in the common case of a caller building a set of
 * tokens, then writing them--it should cache the audit status in a local
 * variable. This call always returns the current state of auditing.
 *
 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
 * Otherwise the function can return any of the errno values defined for
 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
 * the system.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int au_get_state(void);
__END_DECLS

/*
 * OpenSSH compatibility.  x is ignored.  Note that any au_get_state()
 * result other than AUC_AUDITING -- including the errno and AU_UNIMPL
 * error returns documented above -- makes this expand to true, so a
 * failure to query the audit state is reported as "cannot audit" and a
 * caller relying on this macro will skip its audit calls.
 */
#define cannot_audit(x) (!(au_get_state() == AUC_AUDITING))

__BEGIN_DECLS
/*
 * audit_set_terminal_id()
 *
 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
 * used in audit session initialization by processes like /usr/bin/login.
 *
 * @param tid - A pointer to an au_tid_t struct.
 *
 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
 * or kAUSysctlErr if one of the underlying system calls fails (a message
 * is sent to the system log in those cases).
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_set_terminal_id(au_tid_t *tid);

/*
 * BEGIN au_write() WRAPPERS
 *
 * The following calls all wrap the existing BSM API. They use the
 * provided subject information, if any, to construct the subject token
 * required for every log message. They use the provided return/error
 * value(s), if any, to construct the success/failure indication required
 * for every log message. They only permit one "miscellaneous" token,
 * which should contain the event-specific logging information mandated by
 * CAPP.
903 * 904 * All these calls assume the caller has previously determined that 905 * auditing is enabled by calling au_get_state(). 906 */ 907 908 /* 909 * audit_write() 910 * 911 * @summary - audit_write() is the basis for the other audit_write_*() 912 * calls. Performs a basic write of an audit record (subject, additional 913 * info, success/failure). Note that this call only permits logging one 914 * caller-specified token; clients needing to log more flexibly must use 915 * the existing BSM API (au_open(), et al.) directly. 916 * 917 * Note on memory management: audit_write() guarantees that the token_t *s 918 * passed to it will be deallocated whether or not the underlying write to 919 * the audit log succeeded. This addresses an inconsistency in the 920 * underlying BSM API in which token_t *s are usually but not always 921 * deallocated. 922 * 923 * @param event_code - The code for the event being logged. This should 924 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 925 * 926 * @param subject - A token_t * generated by au_to_subject(), 927 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 928 * required, subject should be NULL. 929 * 930 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 931 * calls. This should correspond to the additional information required by 932 * CAPP for the event being audited. If no additional information is 933 * required, misctok should be NULL. 934 * 935 * @param retval - The return value to be logged for this event. This 936 * should be 0 (zero) for success, otherwise the value is event-specific. 937 * 938 * @param errcode - Any error code associated with the return value (e.g., 939 * errno or h_errno). If there was no error, errcode should be 0 (zero). 940 * 941 * @return - The status of the call: 0 (zero) on success, else one of the 942 * kAU*Err values defined above. 943 * 944 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
945 */ 946 int audit_write(short event_code, token_t *subject, token_t *misctok, 947 char retval, int errcode); 948 949 /* 950 * audit_write_success() 951 * 952 * @summary - audit_write_success() records an auditable event that did not 953 * encounter an error. The interface is designed to require as little 954 * direct use of the au_to_*() API as possible. It builds a subject token 955 * from the information passed in and uses that to invoke audit_write(). 956 * A subject, as defined by CAPP, is a process acting on the user's behalf. 957 * 958 * If the subject information is the same as the current process, use 959 * au_write_success_self(). 960 * 961 * @param event_code - The code for the event being logged. This should 962 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 963 * 964 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 965 * calls. This should correspond to the additional information required by 966 * CAPP for the event being audited. If no additional information is 967 * required, misctok should be NULL. 968 * 969 * @param auid - The subject's audit ID. 970 * 971 * @param euid - The subject's effective user ID. 972 * 973 * @param egid - The subject's effective group ID. 974 * 975 * @param ruid - The subject's real user ID. 976 * 977 * @param rgid - The subject's real group ID. 978 * 979 * @param pid - The subject's process ID. 980 * 981 * @param sid - The subject's session ID. 982 * 983 * @param tid - The subject's terminal ID. 984 * 985 * @return - The status of the call: 0 (zero) on success, else one of the 986 * kAU*Err values defined above. 987 * 988 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
989 */ 990 int audit_write_success(short event_code, token_t *misctok, au_id_t auid, 991 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 992 au_asid_t sid, au_tid_t *tid); 993 994 /* 995 * audit_write_success_self() 996 * 997 * @summary - Similar to audit_write_success(), but used when the subject 998 * (process) is owned and operated by the auditable user him/herself. 999 * 1000 * @param event_code - The code for the event being logged. This should 1001 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1002 * 1003 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1004 * calls. This should correspond to the additional information required by 1005 * CAPP for the event being audited. If no additional information is 1006 * required, misctok should be NULL. 1007 * 1008 * @return - The status of the call: 0 (zero) on success, else one of the 1009 * kAU*Err values defined above. 1010 * 1011 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1012 */ 1013 int audit_write_success_self(short event_code, token_t *misctok); 1014 1015 /* 1016 * audit_write_failure() 1017 * 1018 * @summary - audit_write_failure() records an auditable event that 1019 * encountered an error. The interface is designed to require as little 1020 * direct use of the au_to_*() API as possible. It builds a subject token 1021 * from the information passed in and uses that to invoke audit_write(). 1022 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1023 * 1024 * If the subject information is the same as the current process, use 1025 * au_write_failure_self(). 1026 * 1027 * @param event_code - The code for the event being logged. This should 1028 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1029 * 1030 * @param errmsg - A text message providing additional information about 1031 * the event being audited. 
1032 * 1033 * @param errret - A numerical value providing additional information about 1034 * the error. This is intended to store the value of errno or h_errno if 1035 * it's relevant. This can be 0 (zero) if no additional information is 1036 * available. 1037 * 1038 * @param auid - The subject's audit ID. 1039 * 1040 * @param euid - The subject's effective user ID. 1041 * 1042 * @param egid - The subject's effective group ID. 1043 * 1044 * @param ruid - The subject's real user ID. 1045 * 1046 * @param rgid - The subject's real group ID. 1047 * 1048 * @param pid - The subject's process ID. 1049 * 1050 * @param sid - The subject's session ID. 1051 * 1052 * @param tid - The subject's terminal ID. 1053 * 1054 * @return - The status of the call: 0 (zero) on success, else one of the 1055 * kAU*Err values defined above. 1056 * 1057 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1058 */ 1059 int audit_write_failure(short event_code, char *errmsg, int errret, 1060 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1061 pid_t pid, au_asid_t sid, au_tid_t *tid); 1062 1063 /* 1064 * audit_write_failure_self() 1065 * 1066 * @summary - Similar to audit_write_failure(), but used when the subject 1067 * (process) is owned and operated by the auditable user him/herself. 1068 * 1069 * @param event_code - The code for the event being logged. This should 1070 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1071 * 1072 * @param errmsg - A text message providing additional information about 1073 * the event being audited. 1074 * 1075 * @param errret - A numerical value providing additional information about 1076 * the error. This is intended to store the value of errno or h_errno if 1077 * it's relevant. This can be 0 (zero) if no additional information is 1078 * available. 1079 * 1080 * @return - The status of the call: 0 (zero) on success, else one of the 1081 * kAU*Err values defined above. 
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_self(short event_code, char *errmsg, int errret);

/*
 * audit_write_failure_na()
 *
 * @summary - audit_write_failure_na() records errors during login. Such
 * errors are implicitly non-attributable (i.e., not ascribable to any user).
 *
 * @param event_code - The code for the event being logged. This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.  NOTE(review): this text is recorded in the
 * audit trail; login-path callers must not place the submitted credential
 * or other secrets in it.  The parameter is a plain char *, although
 * nothing here documents that it is modified.
 *
 * @param errret - A numerical value providing additional information about
 * the error. This is intended to store the value of errno or h_errno if
 * it's relevant. This can be 0 (zero) if no additional information is
 * available.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_na(short event_code, char *errmsg, int errret,
	uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);

/* END au_write() WRAPPERS */

#ifdef __APPLE__
/*
 * audit_token_to_au32()
 *
 * @summary - Extract information from an audit_token_t, used to identify
 * Mach tasks and senders of Mach messages as subjects to the audit system.
 * audit_token_to_au32() is the only method that should be used to parse
 * an audit_token_t, since its internal representation may change over
 * time. A pointer parameter may be NULL if that information is not
 * needed.
 *
 * @param atoken - the audit token containing the desired information
 *
 * @param auidp - Pointer to a uid_t; on return will be set to the task or
 * sender's audit user ID
 *
 * @param euidp - Pointer to a uid_t; on return will be set to the task or
 * sender's effective user ID
 *
 * @param egidp - Pointer to a gid_t; on return will be set to the task or
 * sender's effective group ID
 *
 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
 * sender's real user ID
 *
 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
 * sender's real group ID
 *
 * @param pidp - Pointer to a pid_t; on return will be set to the task or
 * sender's process ID
 *
 * @param asidp - Pointer to an au_asid_t; on return will be set to the
 * task or sender's audit session ID
 *
 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
 * or sender's terminal ID
 *
 * NOTE(review): the token is passed by value and there is no return
 * status, so callers get no error indication; the identity it carries is
 * only as trustworthy as the token's origin -- confirm at each call site
 * that it was taken from the message as delivered, not from the payload.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void audit_token_to_au32(
	audit_token_t atoken,
	uid_t *auidp,
	uid_t *euidp,
	gid_t *egidp,
	uid_t *ruidp,
	gid_t *rgidp,
	pid_t *pidp,
	au_asid_t *asidp,
	au_tid_t *tidp);
#endif /* __APPLE__ */

__END_DECLS

#endif /* !_LIBBSM_H_ */