1 /* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#21 $ 30 */ 31 32 #ifndef _LIBBSM_H_ 33 #define _LIBBSM_H_ 34 35 /* 36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 
 */

/*
 * Upper bounds on the number of exec argv / envp strings a parsed token
 * can hold (they size the text[] arrays of au_execarg_t / au_execenv_t
 * below).  A record on disk may carry more; anything past these limits
 * cannot be represented by the parsed struct.
 */
#define MAX_ARGS	10
#define MAX_ENV		10

#include <sys/types.h>
#include <sys/cdefs.h>

#include <inttypes.h>		/* Required for audit.h. */
#include <time.h>		/* Required for clock_t on Linux. */

#include <bsm/audit.h>
#include <bsm/audit_record.h>

#include <stdio.h>

#ifdef __APPLE__
#include <mach/mach.h>		/* audit_token_t */
#endif

/*
 * Success/failure selector bits: the `sel' argument of the *_MASK macros
 * and (presumably) the `sorf' argument of au_preselect() below.
 */
#define AU_PRS_SUCCESS	1
#define AU_PRS_FAILURE	2
#define AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)

/*
 * Cache-policy values; NOTE(review): presumably what au_preselect()'s
 * `flag' argument expects -- confirm against the implementation.
 */
#define AU_PRS_USECACHE	0
#define AU_PRS_REREAD	1

/*
 * Audit configuration files.  Their contents decide what is audited and
 * for whom, so they are security-sensitive: ownership and mode must be
 * enforced by the installation, since a header cannot do it.
 */
#define AUDIT_EVENT_FILE	"/etc/security/audit_event"
#define AUDIT_CLASS_FILE	"/etc/security/audit_class"
#define AUDIT_CONTROL_FILE	"/etc/security/audit_control"
#define AUDIT_USER_FILE		"/etc/security/audit_user"

/* Keywords of the entries in AUDIT_CONTROL_FILE (see getac*() below). */
#define DIR_CONTROL_ENTRY	"dir"
#define MINFREE_CONTROL_ENTRY	"minfree"
#define FLAGS_CONTROL_ENTRY	"flags"
#define NA_CONTROL_ENTRY	"naflags"

/*
 * Field and line length limits.  NOTE(review): presumably the buffer
 * sizes the config-file parsers use; a caller passing a smaller buffer to
 * getacdir()/getacflg()/getacna() should expect truncation -- confirm.
 */
#define AU_CLASS_NAME_MAX	8
#define AU_CLASS_DESC_MAX	72
#define AU_EVENT_NAME_MAX	30
#define AU_EVENT_DESC_MAX	50
#define AU_USER_NAME_MAX	50
#define AU_LINE_MAX		256
#define MAX_AUDITSTRING_LEN	256
#define BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */

/*
 * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
 * Provided for OpenSSH compatibility.
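 */
#define AU_TO_NO_WRITE	0
#define AU_TO_WRITE	1

__BEGIN_DECLS
/*
 * One audit event: number, name, description and class mask (presumably
 * as parsed from AUDIT_EVENT_FILE by the getauev*() functions below).
 */
struct au_event_ent {
	au_event_t	 ae_number;
	char		*ae_name;
	char		*ae_desc;
	au_class_t	 ae_class;
};
typedef struct au_event_ent au_event_ent_t;

/*
 * One audit class: name, class mask and description (presumably as parsed
 * from AUDIT_CLASS_FILE by the getauclass*() functions below).
 */
struct au_class_ent {
	char		*ac_name;
	au_class_t	 ac_class;
	char		*ac_desc;
};
typedef struct au_class_ent au_class_ent_t;

/*
 * Per-user audit policy: user name plus the always-audit and never-audit
 * masks (presumably as parsed from AUDIT_USER_FILE).
 */
struct au_user_ent {
	char		*au_name;
	au_mask_t	 au_always;
	au_mask_t	 au_never;
};
typedef struct au_user_ent au_user_ent_t;
__END_DECLS

/*
 * Mask manipulation.  `m' is an au_mask_t *, `c' a class mask, `sel' a
 * combination of AU_PRS_SUCCESS / AU_PRS_FAILURE (or AU_PRS_BOTH) that
 * chooses which half of the mask is touched.
 *
 * Every macro argument is parenthesized.  The previous definitions
 * expanded `sel' and `c' bare, so an expression argument such as
 * `a | b' bound as `a | (b & AU_PRS_SUCCESS)' or
 * `(am_success ^ a) | b' -- silently enabling or failing to clear classes.
 */
#define ADD_TO_MASK(m, c, sel) do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success |= (c);					\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure |= (c);					\
} while (0)

/*
 * Clear the classes in `c'.  The old form `x &= (x ^ c)' is exactly
 * `x &= ~c' (bits set in x survive iff they are clear in c); written the
 * obvious way.
 */
#define SUB_FROM_MASK(m, c, sel) do {					\
	if ((sel) & AU_PRS_SUCCESS)					\
		(m)->am_success &= ~(c);				\
	if ((sel) & AU_PRS_FAILURE)					\
		(m)->am_failure &= ~(c);				\
} while (0)

/* Union of two masks, both halves, into `m'. */
#define ADDMASK(m, v) do {						\
	(m)->am_success |= (v)->am_success;				\
	(m)->am_failure |= (v)->am_failure;				\
} while (0)

/* Remove every class set in `v' from `m', both halves. */
#define SUBMASK(m, v) do {						\
	(m)->am_success &= ~((v)->am_success);				\
	(m)->am_failure &= ~((v)->am_failure);				\
} while (0)

__BEGIN_DECLS

/*
 * Internal representation of audit user in libnsl.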
 */
typedef struct au_user_str_s {
	char	*au_name;
	char	*au_always;
	char	*au_never;
} au_user_str_t;

/*
 * Parsed-token structures.
 *
 * The "N bytes" annotations preceding each struct describe the on-record
 * (wire) encoding of the token, not the C layout of the struct.  Fields
 * declared as pointers (text, name, path, data, ...) hold pointers, not
 * inline copies; NOTE(review): this header does not say who owns that
 * storage -- presumably they alias the record buffer handed to
 * au_fetch_tok() and are valid only while that buffer is -- confirm
 * against the parser before retaining one.  Audit trails are input:
 * every length/count field below originates in the record and must be
 * bounds-checked by the consumer rather than trusted.
 */

/* Terminal ID, 32-bit port form. */
typedef struct au_tid32 {
	u_int32_t	port;
	u_int32_t	addr;
} au_tid32_t;

/* Terminal ID, 64-bit port form. */
typedef struct au_tid64 {
	u_int64_t	port;
	u_int32_t	addr;
} au_tid64_t;

/* Extended terminal ID: port, address type, 16 bytes of address. */
typedef struct au_tidaddr32 {
	u_int32_t	port;
	u_int32_t	type;
	u_int32_t	addr[4];
} au_tidaddr32_t;

/*
 * argument #		1 byte
 * argument value	4 bytes/8 bytes (32-bit/64-bit value)
 * text length		2 bytes
 * text			N bytes + 1 terminating NULL byte
 *
 * NOTE(review): whether `len' counts the terminating NUL is not stated
 * here -- check the parser before using it as a string length.
 */
typedef struct {
	u_char		no;
	u_int32_t	val;
	u_int16_t	len;
	char		*text;
} au_arg32_t;

typedef struct {
	u_char		no;
	u_int64_t	val;
	u_int16_t	len;
	char		*text;
} au_arg64_t;

/*
 * how to print		1 byte
 * basic unit		1 byte
 * unit count		1 byte
 * data items		(depends on basic unit)
 *
 * The byte length of `data' is uc times the size implied by bu; the
 * consumer must compute and check it against the enclosing token.
 */
typedef struct {
	u_char		howtopr;
	u_char		bu;
	u_char		uc;
	u_char		*data;
} au_arb_t;

/*
 * file access mode	4 bytes
 * owner user ID	4 bytes
 * owner group ID	4 bytes
 * file system ID	4 bytes
 * node ID		8 bytes
 * device		4 bytes/8 bytes (32-bit/64-bit)
 */
typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int32_t	dev;
} au_attr32_t;

typedef struct {
	u_int32_t	mode;
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	fsid;
	u_int64_t	nid;
	u_int64_t	dev;
} au_attr64_t;

/*
 * count		4 bytes
 * text			count null-terminated string(s)
 *
 * Only MAX_ARGS pointers can be held, while `count' is a full 32-bit
 * on-record value and may exceed it.  Never index text[] by `count'
 * without first clamping it to MAX_ARGS.
 */
typedef struct {
	u_int32_t	count;
	char		*text[MAX_ARGS];
} au_execarg_t;

/*
 * count		4 bytes
 * text			count null-terminated string(s)
 *
 * Same caveat as au_execarg_t: clamp `count' to MAX_ENV before indexing.
 */
typedef struct {
	u_int32_t	count;
	char		*text[MAX_ENV];
} au_execenv_t;

/*
 * status		4 bytes
 * return value		4 bytes
 */
typedef struct {
	u_int32_t	status;
	u_int32_t	ret;
} au_exit_t;

/*
 * seconds of time	4 bytes
 * milliseconds of time	4 bytes
 * file name length	2 bytes
 * file pathname	N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int32_t	s;
	u_int32_t	ms;
	u_int16_t	len;
	char		*name;
} au_file_t;


/*
 * number groups	2 bytes
 * group list		N * 4 bytes
 *
 * list[] is a fixed array (BSM_MAX_GROUPS is supplied by one of the bsm/
 * headers included above); `no' comes from the record and may be larger,
 * so clamp it before indexing, as with au_execarg_t.
 */
typedef struct {
	u_int16_t	no;
	u_int32_t	list[BSM_MAX_GROUPS];
} au_groups_t;

/*
 * record byte count	4 bytes
 * version #		1 byte    [2]
 * event type		2 bytes
 * event modifier	2 bytes
 * seconds of time	4 bytes/8 bytes (32-bit/64-bit value)
 * milliseconds of time	4 bytes/8 bytes (32-bit/64-bit value)
 *
 * `size' is the length of the whole record as claimed by the record
 * itself; validate it against what was actually read before walking the
 * tokens that follow.
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_t;

/*
 * record byte count	4 bytes
 * version #		1 byte    [2]
 * event type		2 bytes
 * event modifier	2 bytes
 * address type/length	1 byte (XXX: actually, 4 bytes)
 * machine address	4 bytes/16 bytes (IPv4/IPv6 address)
 * seconds of time	4 bytes/8 bytes (32/64-bits)
 * nanoseconds of time	4 bytes/8 bytes (32/64-bits)
 */
typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int32_t	s;
	u_int32_t	ms;
} au_header32_ex_t;

typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_t;

typedef struct {
	u_int32_t	size;
	u_char		version;
	u_int16_t	e_type;
	u_int16_t	e_mod;
	u_int32_t	ad_type;
	u_int32_t	addr[4];
	u_int64_t	s;
	u_int64_t	ms;
} au_header64_ex_t;

/*
 * internet address	4 bytes
 */
typedef struct {
	u_int32_t	addr;
} au_inaddr_t;

/*
 * type			4 bytes
 * internet address	16 bytes
 */
typedef struct {
	u_int32_t	type;
	u_int32_t	addr[4];
} au_inaddr_ex_t;

/*
 * version and ihl	1 byte
 * type of service	1 byte
 * length		2 bytes
 * id			2 bytes
 * offset		2 bytes
 * ttl			1 byte
 * protocol		1 byte
 * checksum		2 bytes
 * source address	4 bytes
 * destination address	4 bytes
 */
typedef struct {
	u_char		version;
	u_char		tos;
	u_int16_t	len;
	u_int16_t	id;
	u_int16_t	offset;
	u_char		ttl;
	u_char		prot;
	u_int16_t	chksm;
	u_int32_t	src;
	u_int32_t	dest;
} au_ip_t;

/*
 * object ID type	1 byte
 * object ID		4 bytes
 */
typedef struct {
	u_char		type;
	u_int32_t	id;
} au_ipc_t;

/*
 * owner user ID	4 bytes
 * owner group ID	4 bytes
 * creator user ID	4 bytes
 * creator group ID	4 bytes
 * access mode		4 bytes
 * slot sequence #	4 bytes
 * key			4 bytes
 */
typedef struct {
	u_int32_t	uid;
	u_int32_t	gid;
	u_int32_t	puid;
	u_int32_t	pgid;
	u_int32_t	mode;
	u_int32_t	seq;
	u_int32_t	key;
} au_ipcperm_t;

/*
 * port IP address	2 bytes
 */
typedef struct {
	u_int16_t	port;
} au_iport_t;

/*
 * length		2 bytes
 * data			length bytes
 *
 * Arbitrary bytes, not a string: never pass `data' to a %s-style
 * formatter; use `size'.
 */
typedef struct {
	u_int16_t	size;
	char		*data;
} au_opaque_t;

/*
 * path length		2 bytes
 * path			N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	len;
	char		*path;
} au_path_t;

/*
 * audit ID		4 bytes
 * effective user ID	4 bytes
 * effective group ID	4 bytes
 * real user ID		4 bytes
 * real group ID	4 bytes
 * process ID		4 bytes
 * session ID		4 bytes
 * terminal ID
 *   port ID		4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address	4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_proc32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_proc64_t;

/*
 * audit ID		4 bytes
 * effective user ID	4 bytes
 * effective group ID	4 bytes
 * real user ID		4 bytes
 * real group ID	4 bytes
 * process ID		4 bytes
 * session ID		4 bytes
 * terminal ID
 *   port ID		4 bytes/8 bytes (32-bit/64-bit value)
 *   type		4 bytes
 *   machine address	16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_proc32ex_t;

/*
 * error status		1 byte
 * return value		4 bytes/8 bytes (32-bit/64-bit value)
 *
 * Note the 32- and 64-bit variants name their members differently
 * (status/ret vs. err/val); pick the member matching the token id.
 */
typedef struct {
	u_char		status;
	u_int32_t	ret;
} au_ret32_t;

typedef struct {
	u_char		err;
	u_int64_t	val;
} au_ret64_t;

/*
 * sequence number	4 bytes
 */
typedef struct {
	u_int32_t	seqno;
} au_seq_t;

/*
 * socket type		2 bytes
 * local port		2 bytes
 * local Internet address	4 bytes
 * remote port		2 bytes
 * remote Internet address	4 bytes
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_addr;
	u_int16_t	r_port;
	u_int32_t	r_addr;
} au_socket_t;

/*
 * socket type		2 bytes
 * local port		2 bytes
 * address type/length	4 bytes
 * local Internet address	4 bytes/16 bytes (IPv4/IPv6 address)
 * remote port		4 bytes
 * address type/length	4 bytes
 * remote Internet address	4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * l_addr and r_addr are single u_int32_t, so only an IPv4 address fits
 * in this struct despite the 16-byte case in the layout above; a parser
 * cannot represent the IPv6 form here without losing data.
 */
typedef struct {
	u_int16_t	type;
	u_int16_t	l_port;
	u_int32_t	l_ad_type;
	u_int32_t	l_addr;
	u_int32_t	r_port;
	u_int32_t	r_ad_type;
	u_int32_t	r_addr;
} au_socket_ex32_t;

/*
 * socket family	2 bytes
 * local port		2 bytes
 * socket address	4 bytes/16 bytes (IPv4/IPv6 address)
 *
 * As with au_socket_ex32_t, `addr' holds only the 4-byte (IPv4) case.
 */
typedef struct {
	u_int16_t	family;
	u_int16_t	port;
	u_int32_t	addr;
} au_socketinet32_t;

/*
 * socket family	2 bytes
 * path			104 bytes
 *
 * path[] is a fixed 104-byte array (NOTE(review): presumably the size of
 * sun_path on BSD-derived systems -- confirm).  Nothing here guarantees a
 * terminating NUL inside it, so bound any printing with sizeof(path).
 */
typedef struct {
	u_int16_t	family;
	char		path[104];
} au_socketunix_t;

/*
 * audit ID		4 bytes
 * effective user ID	4 bytes
 * effective group ID	4 bytes
 * real user ID		4 bytes
 * real group ID	4 bytes
 * process ID		4 bytes
 * session ID		4 bytes
 * terminal ID
 *   port ID		4 bytes/8 bytes (32-bit/64-bit value)
 *   machine address	4 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid32_t	tid;
} au_subject32_t;

typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tid64_t	tid;
} au_subject64_t;

/*
 * audit ID		4 bytes
 * effective user ID	4 bytes
 * effective group ID	4 bytes
 * real user ID		4 bytes
 * real group ID	4 bytes
 * process ID		4 bytes
 * session ID		4 bytes
 * terminal ID
 *   port ID		4 bytes/8 bytes (32-bit/64-bit value)
 *   type		4 bytes
 *   machine address	16 bytes
 */
typedef struct {
	u_int32_t	auid;
	u_int32_t	euid;
	u_int32_t	egid;
	u_int32_t	ruid;
	u_int32_t	rgid;
	u_int32_t	pid;
	u_int32_t	sid;
	au_tidaddr32_t	tid;
} au_subject32ex_t;

/*
 * text length		2 bytes
 * text			N bytes + 1 terminating NULL byte
 */
typedef struct {
	u_int16_t	len;
	char		*text;
} au_text_t;

/*
 * kevent token.  NOTE(review): the members presumably mirror struct
 * kevent's fields narrowed to fixed widths -- confirm against the parser.
 */
typedef struct {
	u_int32_t	ident;
	u_int16_t	filter;
	u_int16_t	flags;
	u_int32_t	fflags;
	u_int32_t	data;
} au_kevent_t;

/*
 * Catch-all for a token whose id is not recognised: a length and the raw
 * bytes.
 */
typedef struct {
	u_int16_t	length;
	char		*data;
} au_invalid_t;

/*
 * trailer magic number	2 bytes
 * record byte count	4 bytes
 *
 * `count' repeats the record byte count carried in the header; a
 * mismatch between the two is a sign of a truncated or corrupt record
 * and is worth checking in a consumer.
 */
typedef struct {
	u_int16_t	magic;
	u_int32_t	count;
} au_trailer_t;

/*
 * One parsed token.  `id' is the token type and selects which member of
 * `tt' is valid -- reading any other member is an aliasing hazard.
 * `data' / `len' describe the raw token bytes (NOTE(review): presumably
 * a pointer into the record buffer passed to au_fetch_tok() and the
 * token's length within it -- confirm).
 */
struct tokenstr {
	u_char	 id;
	u_char	*data;
	size_t	 len;
	union {
		au_arg32_t		arg32;
		au_arg64_t		arg64;
		au_arb_t		arb;
		au_attr32_t		attr32;
		au_attr64_t		attr64;
		au_execarg_t		execarg;
		au_execenv_t		execenv;
		au_exit_t		exit;
		au_file_t		file;
		au_groups_t		grps;
		au_header32_t		hdr32;
		au_header32_ex_t	hdr32_ex;
		au_header64_t		hdr64;
		au_header64_ex_t	hdr64_ex;
		au_inaddr_t		inaddr;
		au_inaddr_ex_t		inaddr_ex;
		au_ip_t			ip;
		au_ipc_t		ipc;
		au_ipcperm_t		ipcperm;
		au_iport_t		iport;
		au_opaque_t		opaque;
		au_path_t		path;
		au_proc32_t		proc32;
		au_proc64_t		proc64;
		au_proc32ex_t		proc32_ex;
		au_ret32_t		ret32;
		au_ret64_t		ret64;
		au_seq_t		seq;
		au_socket_t		socket;
		au_socket_ex32_t	socket_ex32;
		au_socketinet32_t	sockinet32;
		au_socketunix_t		sockunix;
		au_subject32_t		subj32;
		au_subject64_t		subj64;
		au_subject32ex_t	subj32_ex;
		au_text_t		text;
		au_kevent_t		kevent;
		au_invalid_t		invalid;
		au_trailer_t		trail;
	} tt; /* The token is one of the above types */
};

typedef struct tokenstr tokenstr_t;

/*
 * Presumably writes a complete record for au_event on behalf of subject
 * auid, carrying exit status `status', error `reterr' and a text token
 * formatted from fmt/... (NOTE(review): confirm the exact record shape in
 * the implementation).
 *
 * fmt is a printf-style format string (it is followed by "..."): never
 * pass caller- or user-controlled text as fmt itself; pass it as an
 * argument to a literal such as "%s".
 */
int audit_submit(short au_event, au_id_t auid,
    char status, int reterr, const char *fmt, ...);

/*
 * Functions relating to querying audit class information.
 */
/*
 * Audit class database (presumably AUDIT_CLASS_FILE).  setauclass()
 * rewinds, getauclassent() iterates, endauclass() finishes; the *nam /
 * *num forms look up by name or class number.  NOTE(review): the non-_r
 * forms return a pointer to what is presumably static storage (their _r
 * counterparts take a caller-supplied au_class_ent_t instead), so treat
 * the result as invalid after the next call and prefer the _r forms from
 * threaded code -- confirm against the implementation.
 */
void setauclass(void);
void endauclass(void);
struct au_class_ent *getauclassent(void);
struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
struct au_class_ent *getauclassnam(const char *name);
struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
    const char *name);
struct au_class_ent *getauclassnum(au_class_t class_number);
struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
    au_class_t class_number);

/*
 * Functions relating to querying audit control information (presumably
 * AUDIT_CONTROL_FILE: the dir / minfree / flags / naflags entries named by
 * the *_CONTROL_ENTRY macros above).
 *
 * getacdir(), getacflg() and getacna() copy a string into the caller's
 * buffer; `len' is that buffer's size.  NOTE(review): whether the result
 * is always NUL-terminated when truncated is not visible here -- confirm
 * before relying on it.  getauditflagsbin() parses a flags string into
 * masks and getauditflagschar() presumably does the reverse.
 * au_preselect() reports whether `event' should be recorded under mask_p:
 * `sorf' is AU_PRS_SUCCESS / AU_PRS_FAILURE / AU_PRS_BOTH and `flag'
 * presumably takes AU_PRS_USECACHE or AU_PRS_REREAD.
 */
void setac(void);
void endac(void);
int getacdir(char *name, int len);
int getacmin(int *min_val);
int getacflg(char *auditstr, int len);
int getacna(char *auditstr, int len);
int getauditflagsbin(char *auditstr, au_mask_t *masks);
int getauditflagschar(char *auditstr, au_mask_t *masks,
    int verbose);
int au_preselect(au_event_t event, au_mask_t *mask_p,
    int sorf, int flag);

/*
 * Functions relating to querying audit event information (presumably
 * AUDIT_EVENT_FILE).  Same static-storage vs. _r caveat as the class
 * functions above.  getauevnonam() maps an event name to its number; the
 * older "getauevnonam() has no _r version?" remark is stale, since
 * getauevnonam_r() is declared right below.
 */
void setauevent(void);
void endauevent(void);
struct au_event_ent *getauevent(void);
struct au_event_ent *getauevent_r(struct au_event_ent *e);
struct au_event_ent *getauevnam(const char *name);
struct au_event_ent *getauevnam_r(struct au_event_ent *e,
    const char *name);
struct au_event_ent *getauevnum(au_event_t event_number);
struct au_event_ent *getauevnum_r(struct au_event_ent *e,
    au_event_t event_number);
au_event_t *getauevnonam(const char *event_name);
au_event_t *getauevnonam_r(au_event_t *ev,
    const char *event_name);

/*
 * Functions relating to querying audit user information (presumably
 * AUDIT_USER_FILE).  au_user_mask() presumably derives the effective mask
 * for `username', and getfauditflags() combines the user's masks with
 * lastmask -- confirm both against the implementation.  Same
 * static-storage vs. _r caveat as above.
 */
void setauuser(void);
void endauuser(void);
struct au_user_ent *getauuserent(void);
struct au_user_ent *getauuserent_r(struct au_user_ent *u);
struct au_user_ent *getauusernam(const char *name);
struct au_user_ent *getauusernam_r(struct au_user_ent *u,
    const char *name);
int au_user_mask(char *username, au_mask_t *mask_p);
int getfauditflags(au_mask_t *usremask,
    au_mask_t *usrdmask, au_mask_t *lastmask);

/*
 * Functions for reading and printing records and tokens from audit trails.
 *
 * au_read_rec() reads one record from fp into *buf and returns its length.
 * NOTE(review): the u_char ** argument suggests *buf is allocated for the
 * caller and a negative return means error -- confirm, and free *buf
 * accordingly.  au_fetch_tok() parses the next token from the `len' bytes
 * at `buf' into tok.  Audit trails are untrusted input: every length in a
 * record comes from the record itself, so a consumer must check each
 * return value and must never read buf beyond `len'; `len' is an int, so
 * callers should also refuse negative or oversized values before calling.
 */
int au_read_rec(FILE *fp, u_char **buf);
int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
/* XXX The following interface has different prototype from BSM */
void au_print_tok(FILE *outfp, tokenstr_t *tok,
    char *del, char raw, char sfrm);
__END_DECLS

#ifdef __APPLE__
#include <sys/appleapiopts.h>

/**************************************************************************
 **************************************************************************
 ** The following definitions, functions, etc., are NOT officially
 ** supported: they may be changed or removed in the future.  Do not use
 ** them unless you are prepared to cope with that eventuality.
 **************************************************************************
 **************************************************************************/

#ifdef __APPLE_API_PRIVATE
/* NOTE(review): presumably the notify(3) key posted on audit state change. */
#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
#endif /* __APPLE_API_PRIVATE */

/*
 * au_get_state() return values
 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
 * AUDIT_ON are deprecated and WILL be removed.
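 */
#ifdef __APPLE_API_PRIVATE
#define AUDIT_OFF	AUC_NOAUDIT
#define AUDIT_ON	AUC_AUDITING
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

/*
 * Error return codes for audit_set_terminal_id(), audit_write() and its
 * brethren.  We have 255 (not including kAUNoErr) to play with.
 *
 * The codes are negative and well away from the small positive errno
 * range, so a caller can distinguish them from the errno values that
 * au_get_state() may hand back.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
enum {
	kAUNoErr = 0,
	kAUBadParamErr = -66049,
	kAUStatErr,
	kAUSysctlErr,
	kAUOpenErr,
	kAUMakeSubjectTokErr,
	kAUWriteSubjectTokErr,
	kAUWriteCallerTokErr,
	kAUMakeReturnTokErr,
	kAUWriteReturnTokErr,
	kAUCloseErr,
	kAUMakeTextTokErr,
	kAULastErr
};

#ifdef __APPLE__
/*
 * Error return codes for au_get_state() and/or its private support
 * functions.  These codes are designed to be compatible with the
 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
 * Any changes to notify(3) may cause these values to change in future.
 *
 * AU_UNIMPL should never happen unless you've changed your system software
 * without rebooting.  Shame on you.
 *
 * NOTIFY_STATUS_FAILED comes from <notify.h>, which this header does not
 * include.  The expansion is parenthesized so that AU_UNIMPL acts as a
 * single value in any expression; the bare `NOTIFY_STATUS_FAILED + 1'
 * mis-bound under e.g. `2 * AU_UNIMPL'.
 */
#ifdef __APPLE_API_PRIVATE
#define AU_UNIMPL	(NOTIFY_STATUS_FAILED + 1)	/* audit unimplemented */
#endif /* __APPLE_API_PRIVATE */
#endif /* __APPLE__ */

__BEGIN_DECLS
/*
 * XXX This prototype should be in audit_record.h
 *
 * au_free_token()
 *
 * @summary - au_free_token() deallocates a token_t created by any of
 * the au_to_*() BSM API functions.
 *
 * The BSM API generally manages deallocation of token_t objects.  However,
 * if au_write() is passed a bad audit descriptor, the token_t * parameter
 * will be left untouched.  In that case, the caller can deallocate the
 * token_t using au_free_token() if desired.  This is, in fact, what
 * audit_write() does, in keeping with the existing memory management model
 * of the BSM API.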
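 *
 * @param tok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  For convenience, tok may be NULL, in which case
 * au_free_token() returns immediately.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void au_free_token(token_t *tok);

/*
 * Lightweight check to determine if auditing is enabled.  If a client
 * wants to use this to govern whether an entire series of audit calls
 * should be made--as in the common case of a caller building a set of
 * tokens, then writing them--it should cache the audit status in a local
 * variable.  This call always returns the current state of auditing.
 *
 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
 * Otherwise the function can return any of the errno values defined for
 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
 * the system.
 *
 * Compare the result against AUC_AUDITING / AUC_NOAUDIT explicitly rather
 * than testing it for zero: an error return is neither, and treating it
 * as "auditing off" would silently drop records.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int au_get_state(void);

/*
 * OpenSSH compatibility.
 *
 * Declared inside the __BEGIN_DECLS/__END_DECLS region -- it used to sit
 * between an __END_DECLS and the following __BEGIN_DECLS -- so that a C++
 * translation unit sees it with C linkage, matching the (presumably C)
 * definition in the library rather than failing to link.
 */
int cannot_audit(int);

/*
 * audit_set_terminal_id()
 *
 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
 * used in audit session initialization by processes like /usr/bin/login.
 *
 * @param tid - A pointer to an au_tid_t struct.
 *
 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
 * or kAUSysctlErr if one of the underlying system calls fails (a message
 * is sent to the system log in those cases).
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_set_terminal_id(au_tid_t *tid);

/*
 * BEGIN au_write() WRAPPERS
 *
 * The following calls all wrap the existing BSM API.  They use the
 * provided subject information, if any, to construct the subject token
 * required for every log message.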
They use the provided return/error
 * value(s), if any, to construct the success/failure indication required
 * for every log message.  They only permit one "miscellaneous" token,
 * which should contain the event-specific logging information mandated by
 * CAPP.
 *
 * All these calls assume the caller has previously determined that
 * auditing is enabled by calling au_get_state().
 *
 * NOTE(review): the wrappers that take a misctok hand it to audit_write(),
 * which deallocates it (see below), so a caller presumably must not reuse
 * or free a token after passing it in -- confirm against the
 * implementation.
 */

/*
 * audit_write()
 *
 * @summary - audit_write() is the basis for the other audit_write_*()
 * calls.  Performs a basic write of an audit record (subject, additional
 * info, success/failure).  Note that this call only permits logging one
 * caller-specified token; clients needing to log more flexibly must use
 * the existing BSM API (au_open(), et al.) directly.
 *
 * Note on memory management: audit_write() guarantees that the token_t *s
 * passed to it will be deallocated whether or not the underlying write to
 * the audit log succeeded.  This addresses an inconsistency in the
 * underlying BSM API in which token_t *s are usually but not always
 * deallocated.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param subject - A token_t * generated by au_to_subject(),
 * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
 * required, subject should be NULL.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @param retval - The return value to be logged for this event.  This
 * should be 0 (zero) for success, otherwise the value is event-specific.
 * retval is a char: a wider value is truncated at the call site, and
 * whether it is signed is implementation-defined, so keep it within
 * 0..127 and put errno-style values in errcode.
 *
 * @param errcode - Any error code associated with the return value (e.g.,
 * errno or h_errno).  If there was no error, errcode should be 0 (zero).
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write(short event_code, token_t *subject, token_t *misctok,
    char retval, int errcode);

/*
 * audit_write_success()
 *
 * @summary - audit_write_success() records an auditable event that did not
 * encounter an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_success_self().
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
    au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_success_self()
 *
 * @summary - Similar to audit_write_success(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
 * calls.  This should correspond to the additional information required by
 * CAPP for the event being audited.  If no additional information is
 * required, misctok should be NULL.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_success_self(short event_code, token_t *misctok);

/*
 * audit_write_failure()
 *
 * @summary - audit_write_failure() records an auditable event that
 * encountered an error.  The interface is designed to require as little
 * direct use of the au_to_*() API as possible.  It builds a subject token
 * from the information passed in and uses that to invoke audit_write().
 * A subject, as defined by CAPP, is a process acting on the user's behalf.
 *
 * If the subject information is the same as the current process, use
 * audit_write_failure_self().
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited.  The parameter is declared char * rather than
 * const char *; NOTE(review): nothing here shows it being modified, so it
 * is presumably only read, but callers passing a string literal should be
 * aware of the mismatch.
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param auid - The subject's audit ID.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param ruid - The subject's real user ID.
 *
 * @param rgid - The subject's real group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param sid - The subject's session ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure(short event_code, char *errmsg, int errret,
    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
    pid_t pid, au_asid_t sid, au_tid_t *tid);

/*
 * audit_write_failure_self()
 *
 * @summary - Similar to audit_write_failure(), but used when the subject
 * (process) is owned and operated by the auditable user him/herself.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited (same char * caveat as audit_write_failure()).
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_self(short event_code, char *errmsg, int errret);

/*
 * audit_write_failure_na()
 *
 * @summary - audit_write_failure_na() records errors during login.  Such
 * errors are implicitly non-attributable (i.e., not ascribable to any user).
 * Because no audit ID is known at that point, the subject is identified
 * only by the euid/egid/pid/tid supplied here.
 *
 * @param event_code - The code for the event being logged.  This should
 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
 *
 * @param errmsg - A text message providing additional information about
 * the event being audited (same char * caveat as audit_write_failure()).
 *
 * @param errret - A numerical value providing additional information about
 * the error.  This is intended to store the value of errno or h_errno if
 * it's relevant.  This can be 0 (zero) if no additional information is
 * available.
 *
 * @param euid - The subject's effective user ID.
 *
 * @param egid - The subject's effective group ID.
 *
 * @param pid - The subject's process ID.
 *
 * @param tid - The subject's terminal ID.
 *
 * @return - The status of the call: 0 (zero) on success, else one of the
 * kAU*Err values defined above.
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
int audit_write_failure_na(short event_code, char *errmsg, int errret,
    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);

/* END au_write() WRAPPERS */

#ifdef __APPLE__
/*
 * audit_token_to_au32()
 *
 * @summary - Extract information from an audit_token_t, used to identify
 * Mach tasks and senders of Mach messages as subjects to the audit system.
 * audit_token_to_au32() is the only method that should be used to parse
 * an audit_token_t, since its internal representation may change over
 * time.  A pointer parameter may be NULL if that information is not
 * needed.
 *
 * NOTE(review): an audit_token_t attached to a received Mach message is
 * presumably filled in by the kernel, which is what makes it a more
 * trustworthy subject identifier than a caller-supplied pid (which can be
 * reused); confirm against the Mach IPC documentation before relying on
 * it for authorization.
 *
 * @param atoken - the audit token containing the desired information
 *
 * @param auidp - Pointer to a uid_t; on return will be set to the task or
 * sender's audit user ID
 *
 * @param euidp - Pointer to a uid_t; on return will be set to the task or
 * sender's effective user ID
 *
 * @param egidp - Pointer to a gid_t; on return will be set to the task or
 * sender's effective group ID
 *
 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
 * sender's real user ID
 *
 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
 * sender's real group ID
 *
 * @param pidp - Pointer to a pid_t; on return will be set to the task or
 * sender's process ID
 *
 * @param asidp - Pointer to an au_asid_t; on return will be set to the
 * task or sender's audit session ID
 *
 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
 * or sender's terminal ID
 *
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
void audit_token_to_au32(
	audit_token_t	 atoken,
	uid_t		*auidp,
	uid_t		*euidp,
	gid_t		*egidp,
	uid_t		*ruidp,
	gid_t		*rgidp,
	pid_t		*pidp,
	au_asid_t	*asidp,
	au_tid_t	*tidp);
#endif /* __APPLE__ */

__END_DECLS

#endif /* !_LIBBSM_H_ */