xref: /freebsd/contrib/openbsm/bsm/libbsm.h (revision d9f0ce31900a48d1a2bfc1c8c86f79d1e831451a)
1 /*-
2  * Copyright (c) 2004-2009 Apple Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1.  Redistributions of source code must retain the above copyright
9  *     notice, this list of conditions and the following disclaimer.
10  * 2.  Redistributions in binary form must reproduce the above copyright
11  *     notice, this list of conditions and the following disclaimer in the
12  *     documentation and/or other materials provided with the distribution.
13  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
14  *     its contributors may be used to endorse or promote products derived
15  *     from this software without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21  * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26  * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 #ifndef _LIBBSM_H_
31 #define	_LIBBSM_H_
32 
33 /*
34  * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
35  * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
36  */
37 
38 #include <sys/types.h>
39 #include <sys/cdefs.h>
40 
41 #include <inttypes.h>		/* Required for audit.h. */
42 #include <time.h>		/* Required for clock_t on Linux. */
43 
44 #include <bsm/audit.h>
45 #include <bsm/audit_record.h>
46 
47 #include <stdio.h>
48 
49 #ifdef __APPLE__
50 #include <mach/mach.h>		/* audit_token_t */
51 #endif
52 
53 /*
54  * Size parsed token vectors for execve(2) arguments and environmental
55  * variables.  Note: changing these sizes affects the ABI of the token
56  * structure, and as the token structure is often placed in the caller stack,
57  * this is undesirable.
58  */
59 #define	AUDIT_MAX_ARGS	128
60 #define	AUDIT_MAX_ENV	128
61 
62 /*
63  * Arguments to au_preselect(3).
64  */
65 #define	AU_PRS_USECACHE	0
66 #define	AU_PRS_REREAD	1
67 
68 #define	AU_PRS_SUCCESS	1
69 #define	AU_PRS_FAILURE	2
70 #define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
71 
72 #define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
73 #define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
74 #define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
75 #define	AUDIT_USER_FILE		"/etc/security/audit_user"
76 
77 #define	DIR_CONTROL_ENTRY		"dir"
78 #define	DIST_CONTROL_ENTRY		"dist"
79 #define	FILESZ_CONTROL_ENTRY		"filesz"
80 #define	FLAGS_CONTROL_ENTRY		"flags"
81 #define	HOST_CONTROL_ENTRY		"host"
82 #define	MINFREE_CONTROL_ENTRY		"minfree"
83 #define	NA_CONTROL_ENTRY		"naflags"
84 #define	POLICY_CONTROL_ENTRY		"policy"
85 #define	EXPIRE_AFTER_CONTROL_ENTRY	"expire-after"
86 
87 #define	AU_CLASS_NAME_MAX	8
88 #define	AU_CLASS_DESC_MAX	72
89 #define	AU_EVENT_NAME_MAX	30
90 #define	AU_EVENT_DESC_MAX	50
91 #define	AU_USER_NAME_MAX	50
92 #define	AU_LINE_MAX		256
93 #define	MAX_AUDITSTRING_LEN	256
94 #define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */
95 
96 /*
97  * Arguments to au_close(3).
98  */
99 #define	AU_TO_NO_WRITE		0	/* Abandon audit record. */
100 #define	AU_TO_WRITE		1	/* Commit audit record. */
101 
102 /*
103  * Output format flags for au_print_flags_tok().
104  */
105 #define	AU_OFLAG_NONE		0x0000	/* Default form. */
106 #define	AU_OFLAG_RAW		0x0001	/* Raw, numeric form. */
107 #define	AU_OFLAG_SHORT		0x0002	/* Short form. */
108 #define	AU_OFLAG_XML		0x0004	/* XML form. */
109 #define	AU_OFLAG_NORESOLVE	0x0008	/* No user/group name resolution. */
110 
111 __BEGIN_DECLS
112 struct au_event_ent {
113 	au_event_t	 ae_number;
114 	char		*ae_name;
115 	char		*ae_desc;
116 	au_class_t	 ae_class;
117 };
118 typedef struct au_event_ent au_event_ent_t;
119 
120 struct au_class_ent {
121 	char		*ac_name;
122 	au_class_t	 ac_class;
123 	char		*ac_desc;
124 };
125 typedef struct au_class_ent au_class_ent_t;
126 
127 struct au_user_ent {
128 	char		*au_name;
129 	au_mask_t	 au_always;
130 	au_mask_t	 au_never;
131 };
132 typedef struct au_user_ent au_user_ent_t;
133 __END_DECLS
134 
135 #define	ADD_TO_MASK(m, c, sel) do {					\
136 	if (sel & AU_PRS_SUCCESS)					\
137 		(m)->am_success |= c;					\
138 	if (sel & AU_PRS_FAILURE)					\
139 		(m)->am_failure |= c;					\
140 } while (0)
141 
142 #define	SUB_FROM_MASK(m, c, sel) do {					\
143 	if (sel & AU_PRS_SUCCESS)					\
144 		(m)->am_success &= ((m)->am_success ^ c);		\
145 	if (sel & AU_PRS_FAILURE)					\
146 		(m)->am_failure &= ((m)->am_failure ^ c);		\
147 } while (0)
148 
149 #define	ADDMASK(m, v) do {						\
150 	(m)->am_success |= (v)->am_success;				\
151 	(m)->am_failure |= (v)->am_failure;				\
152 } while(0)
153 
154 #define	SUBMASK(m, v) do {						\
155 	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
156 	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
157 } while(0)
158 
159 __BEGIN_DECLS
160 
161 typedef struct au_tid32 {
162 	u_int32_t	port;
163 	u_int32_t	addr;
164 } au_tid32_t;
165 
166 typedef struct au_tid64 {
167 	u_int64_t	port;
168 	u_int32_t	addr;
169 } au_tid64_t;
170 
171 typedef struct au_tidaddr32 {
172 	u_int32_t	port;
173 	u_int32_t	type;
174 	u_int32_t	addr[4];
175 } au_tidaddr32_t;
176 
177 typedef struct au_tidaddr64 {
178 	u_int64_t	port;
179 	u_int32_t	type;
180 	u_int32_t	addr[4];
181 } au_tidaddr64_t;
182 
183 /*
184  * argument #              1 byte
185  * argument value          4 bytes/8 bytes (32-bit/64-bit value)
186  * text length             2 bytes
187  * text                    N bytes + 1 terminating NULL byte
188  */
189 typedef struct {
190 	u_char		 no;
191 	u_int32_t	 val;
192 	u_int16_t	 len;
193 	char		*text;
194 } au_arg32_t;
195 
196 typedef struct {
197 	u_char		 no;
198 	u_int64_t	 val;
199 	u_int16_t	 len;
200 	char		*text;
201 } au_arg64_t;
202 
203 /*
204  * how to print            1 byte
205  * basic unit              1 byte
206  * unit count              1 byte
207  * data items              (depends on basic unit)
208  */
209 typedef struct {
210 	u_char	 howtopr;
211 	u_char	 bu;
212 	u_char	 uc;
213 	u_char	*data;
214 } au_arb_t;
215 
216 /*
217  * file access mode        4 bytes
218  * owner user ID           4 bytes
219  * owner group ID          4 bytes
220  * file system ID          4 bytes
221  * node ID                 8 bytes
222  * device                  4 bytes/8 bytes (32-bit/64-bit)
223  */
224 typedef struct {
225 	u_int32_t	mode;
226 	u_int32_t	uid;
227 	u_int32_t	gid;
228 	u_int32_t	fsid;
229 	u_int64_t	nid;
230 	u_int32_t	dev;
231 } au_attr32_t;
232 
233 typedef struct {
234 	u_int32_t	mode;
235 	u_int32_t	uid;
236 	u_int32_t	gid;
237 	u_int32_t	fsid;
238 	u_int64_t	nid;
239 	u_int64_t	dev;
240 } au_attr64_t;
241 
242 /*
243  * count                   4 bytes
244  * text                    count null-terminated string(s)
245  */
246 typedef struct {
247 	u_int32_t	 count;
248 	char		*text[AUDIT_MAX_ARGS];
249 } au_execarg_t;
250 
251 /*
252  * count                   4 bytes
253  * text                    count null-terminated string(s)
254  */
255 typedef struct {
256 	u_int32_t	 count;
257 	char		*text[AUDIT_MAX_ENV];
258 } au_execenv_t;
259 
260 /*
261  * status                  4 bytes
262  * return value            4 bytes
263  */
264 typedef struct {
265 	u_int32_t	status;
266 	u_int32_t	ret;
267 } au_exit_t;
268 
269 /*
270  * seconds of time         4 bytes
271  * milliseconds of time    4 bytes
272  * file name length        2 bytes
273  * file pathname           N bytes + 1 terminating NULL byte
274  */
275 typedef struct {
276 	u_int32_t	 s;
277 	u_int32_t	 ms;
278 	u_int16_t	 len;
279 	char		*name;
280 } au_file_t;
281 
282 
283 /*
284  * number groups           2 bytes
285  * group list              N * 4 bytes
286  */
287 typedef struct {
288 	u_int16_t	no;
289 	u_int32_t	list[AUDIT_MAX_GROUPS];
290 } au_groups_t;
291 
292 /*
293  * record byte count       4 bytes
294  * version #               1 byte    [2]
295  * event type              2 bytes
296  * event modifier          2 bytes
297  * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
298  * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
299  */
300 typedef struct {
301 	u_int32_t	size;
302 	u_char		version;
303 	u_int16_t	e_type;
304 	u_int16_t	e_mod;
305 	u_int32_t	s;
306 	u_int32_t	ms;
307 } au_header32_t;
308 
309 /*
310  * record byte count       4 bytes
311  * version #               1 byte     [2]
312  * event type              2 bytes
313  * event modifier          2 bytes
314  * address type/length     1 byte (XXX: actually, 4 bytes)
315  * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
316  * seconds of time         4 bytes/8 bytes  (32/64-bits)
317  * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
318  */
319 typedef struct {
320 	u_int32_t	size;
321 	u_char		version;
322 	u_int16_t	e_type;
323 	u_int16_t	e_mod;
324 	u_int32_t	ad_type;
325 	u_int32_t	addr[4];
326 	u_int32_t	s;
327 	u_int32_t	ms;
328 } au_header32_ex_t;
329 
330 typedef struct {
331 	u_int32_t	size;
332 	u_char		version;
333 	u_int16_t	e_type;
334 	u_int16_t	e_mod;
335 	u_int64_t	s;
336 	u_int64_t	ms;
337 } au_header64_t;
338 
339 typedef struct {
340 	u_int32_t	size;
341 	u_char		version;
342 	u_int16_t	e_type;
343 	u_int16_t	e_mod;
344 	u_int32_t	ad_type;
345 	u_int32_t	addr[4];
346 	u_int64_t	s;
347 	u_int64_t	ms;
348 } au_header64_ex_t;
349 
350 /*
351  * internet address        4 bytes
352  */
353 typedef struct {
354 	u_int32_t	addr;
355 } au_inaddr_t;
356 
357 /*
358  * type                 4 bytes
359  * internet address     16 bytes
360  */
361 typedef struct {
362 	u_int32_t	type;
363 	u_int32_t	addr[4];
364 } au_inaddr_ex_t;
365 
366 /*
367  * version and ihl         1 byte
368  * type of service         1 byte
369  * length                  2 bytes
370  * id                      2 bytes
371  * offset                  2 bytes
372  * ttl                     1 byte
373  * protocol                1 byte
374  * checksum                2 bytes
375  * source address          4 bytes
376  * destination address     4 bytes
377  */
378 typedef struct {
379 	u_char		version;
380 	u_char		tos;
381 	u_int16_t	len;
382 	u_int16_t	id;
383 	u_int16_t	offset;
384 	u_char		ttl;
385 	u_char		prot;
386 	u_int16_t	chksm;
387 	u_int32_t	src;
388 	u_int32_t	dest;
389 } au_ip_t;
390 
391 /*
392  * object ID type          1 byte
393  * object ID               4 bytes
394  */
395 typedef struct {
396 	u_char		type;
397 	u_int32_t	id;
398 } au_ipc_t;
399 
400 /*
401  * owner user ID           4 bytes
402  * owner group ID          4 bytes
403  * creator user ID         4 bytes
404  * creator group ID        4 bytes
405  * access mode             4 bytes
406  * slot sequence #         4 bytes
407  * key                     4 bytes
408  */
409 typedef struct {
410 	u_int32_t	uid;
411 	u_int32_t	gid;
412 	u_int32_t	puid;
413 	u_int32_t	pgid;
414 	u_int32_t	mode;
415 	u_int32_t	seq;
416 	u_int32_t	key;
417 } au_ipcperm_t;
418 
419 /*
420  * port IP address         2 bytes
421  */
422 typedef struct {
423 	u_int16_t	port;
424 } au_iport_t;
425 
426 /*
427  * length		2 bytes
428  * data			length bytes
429  */
430 typedef struct {
431 	u_int16_t	 size;
432 	char		*data;
433 } au_opaque_t;
434 
435 /*
436  * path length             2 bytes
437  * path                    N bytes + 1 terminating NULL byte
438  */
439 typedef struct {
440 	u_int16_t	 len;
441 	char		*path;
442 } au_path_t;
443 
444 /*
445  * audit ID                4 bytes
446  * effective user ID       4 bytes
447  * effective group ID      4 bytes
448  * real user ID            4 bytes
449  * real group ID           4 bytes
450  * process ID              4 bytes
451  * session ID              4 bytes
452  * terminal ID
453  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
454  * machine address       4 bytes
455  */
456 typedef struct {
457 	u_int32_t	auid;
458 	u_int32_t	euid;
459 	u_int32_t	egid;
460 	u_int32_t	ruid;
461 	u_int32_t	rgid;
462 	u_int32_t	pid;
463 	u_int32_t	sid;
464 	au_tid32_t	tid;
465 } au_proc32_t;
466 
467 typedef struct {
468 	u_int32_t	auid;
469 	u_int32_t	euid;
470 	u_int32_t	egid;
471 	u_int32_t	ruid;
472 	u_int32_t	rgid;
473 	u_int32_t	pid;
474 	u_int32_t	sid;
475 	au_tid64_t	tid;
476 } au_proc64_t;
477 
478 /*
479  * audit ID                4 bytes
480  * effective user ID       4 bytes
481  * effective group ID      4 bytes
482  * real user ID            4 bytes
483  * real group ID           4 bytes
484  * process ID              4 bytes
485  * session ID              4 bytes
486  * terminal ID
487  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
488  * type                  4 bytes
489  * machine address       16 bytes
490  */
491 typedef struct {
492 	u_int32_t	auid;
493 	u_int32_t	euid;
494 	u_int32_t	egid;
495 	u_int32_t	ruid;
496 	u_int32_t	rgid;
497 	u_int32_t	pid;
498 	u_int32_t	sid;
499 	au_tidaddr32_t	tid;
500 } au_proc32ex_t;
501 
502 typedef struct {
503 	u_int32_t	auid;
504 	u_int32_t	euid;
505 	u_int32_t	egid;
506 	u_int32_t	ruid;
507 	u_int32_t	rgid;
508 	u_int32_t	pid;
509 	u_int32_t	sid;
510 	au_tidaddr64_t	tid;
511 } au_proc64ex_t;
512 
513 /*
514  * error status            1 byte
515  * return value            4 bytes/8 bytes (32-bit/64-bit value)
516  */
517 typedef struct {
518 	u_char		status;
519 	u_int32_t	ret;
520 } au_ret32_t;
521 
522 typedef struct {
523 	u_char		err;
524 	u_int64_t	val;
525 } au_ret64_t;
526 
527 /*
528  * sequence number         4 bytes
529  */
530 typedef struct {
531 	u_int32_t	seqno;
532 } au_seq_t;
533 
534 /*
535  * socket type             2 bytes
536  * local port              2 bytes
537  * local Internet address  4 bytes
538  * remote port             2 bytes
539  * remote Internet address 4 bytes
540  */
541 typedef struct {
542 	u_int16_t	type;
543 	u_int16_t	l_port;
544 	u_int32_t	l_addr;
545 	u_int16_t	r_port;
546 	u_int32_t	r_addr;
547 } au_socket_t;
548 
549 /*
550  * socket type             2 bytes
551  * local port              2 bytes
552  * address type/length     4 bytes
553  * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
554  * remote port             4 bytes
555  * address type/length     4 bytes
556  * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
557  */
558 typedef struct {
559 	u_int16_t	domain;
560 	u_int16_t	type;
561 	u_int16_t	atype;
562 	u_int16_t	l_port;
563 	u_int32_t	l_addr[4];
564 	u_int32_t	r_port;
565 	u_int32_t	r_addr[4];
566 } au_socket_ex32_t;
567 
568 /*
569  * socket family           2 bytes
570  * local port              2 bytes
571  * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
572  */
573 typedef struct {
574 	u_int16_t	family;
575 	u_int16_t	port;
576 	u_int32_t	addr[4];
577 } au_socketinet_ex32_t;
578 
579 typedef struct {
580 	u_int16_t	family;
581 	u_int16_t	port;
582 	u_int32_t	addr;
583 } au_socketinet32_t;
584 
585 /*
586  * socket family           2 bytes
587  * path                    104 bytes
588  */
589 typedef struct {
590 	u_int16_t	family;
591 	char		path[104];
592 } au_socketunix_t;
593 
594 /*
595  * audit ID                4 bytes
596  * effective user ID       4 bytes
597  * effective group ID      4 bytes
598  * real user ID            4 bytes
599  * real group ID           4 bytes
600  * process ID              4 bytes
601  * session ID              4 bytes
602  * terminal ID
603  * 	port ID               4 bytes/8 bytes (32-bit/64-bit value)
604  * 	machine address       4 bytes
605  */
606 typedef struct {
607 	u_int32_t	auid;
608 	u_int32_t	euid;
609 	u_int32_t	egid;
610 	u_int32_t	ruid;
611 	u_int32_t	rgid;
612 	u_int32_t	pid;
613 	u_int32_t	sid;
614 	au_tid32_t	tid;
615 } au_subject32_t;
616 
617 typedef struct {
618 	u_int32_t	auid;
619 	u_int32_t	euid;
620 	u_int32_t	egid;
621 	u_int32_t	ruid;
622 	u_int32_t	rgid;
623 	u_int32_t	pid;
624 	u_int32_t	sid;
625 	au_tid64_t	tid;
626 } au_subject64_t;
627 
628 /*
629  * audit ID                4 bytes
630  * effective user ID       4 bytes
631  * effective group ID      4 bytes
632  * real user ID            4 bytes
633  * real group ID           4 bytes
634  * process ID              4 bytes
635  * session ID              4 bytes
636  * terminal ID
637  * port ID               4 bytes/8 bytes (32-bit/64-bit value)
638  * type                  4 bytes
639  * machine address       16 bytes
640  */
641 typedef struct {
642 	u_int32_t	auid;
643 	u_int32_t	euid;
644 	u_int32_t	egid;
645 	u_int32_t	ruid;
646 	u_int32_t	rgid;
647 	u_int32_t	pid;
648 	u_int32_t	sid;
649 	au_tidaddr32_t	tid;
650 } au_subject32ex_t;
651 
652 typedef struct {
653 	u_int32_t	auid;
654 	u_int32_t	euid;
655 	u_int32_t	egid;
656 	u_int32_t	ruid;
657 	u_int32_t	rgid;
658 	u_int32_t	pid;
659 	u_int32_t	sid;
660 	au_tidaddr64_t	tid;
661 } au_subject64ex_t;
662 
663 /*
664  * text length             2 bytes
665  * text                    N bytes + 1 terminating NULL byte
666  */
667 typedef struct {
668 	u_int16_t	 len;
669 	char		*text;
670 } au_text_t;
671 
672 /*
673  * upriv status         1 byte
674  * privstr len          2 bytes
675  * privstr              N bytes + 1 (\0 byte)
676  */
677 typedef struct {
678 	u_int8_t	 sorf;
679 	u_int16_t	 privstrlen;
680 	char		*priv;
681 } au_priv_t;
682 
683 /*
684 * privset
685 * privtstrlen		2 bytes
686 * privtstr		N Bytes + 1
687 * privstrlen		2 bytes
688 * privstr		N Bytes + 1
689 */
690 typedef struct {
691 	u_int16_t	 privtstrlen;
692 	char		*privtstr;
693 	u_int16_t	 privstrlen;
694 	char		*privstr;
695 } au_privset_t;
696 
697 /*
698  * zonename length	2 bytes
699  * zonename text	N bytes + 1 NULL terminator
700  */
701 typedef struct {
702 	u_int16_t	 len;
703 	char		*zonename;
704 } au_zonename_t;
705 
706 typedef struct {
707 	u_int32_t	ident;
708 	u_int16_t	filter;
709 	u_int16_t	flags;
710 	u_int32_t	fflags;
711 	u_int32_t	data;
712 } au_kevent_t;
713 
714 typedef struct {
715 	u_int16_t	 length;
716 	char		*data;
717 } au_invalid_t;
718 
719 /*
720  * trailer magic number    2 bytes
721  * record byte count       4 bytes
722  */
723 typedef struct {
724 	u_int16_t	magic;
725 	u_int32_t	count;
726 } au_trailer_t;
727 
728 struct tokenstr {
729 	u_char	 id;
730 	u_char	*data;
731 	size_t	 len;
732 	union {
733 		au_arg32_t		arg32;
734 		au_arg64_t		arg64;
735 		au_arb_t		arb;
736 		au_attr32_t		attr32;
737 		au_attr64_t		attr64;
738 		au_execarg_t		execarg;
739 		au_execenv_t		execenv;
740 		au_exit_t		exit;
741 		au_file_t		file;
742 		au_groups_t		grps;
743 		au_header32_t		hdr32;
744 		au_header32_ex_t	hdr32_ex;
745 		au_header64_t		hdr64;
746 		au_header64_ex_t	hdr64_ex;
747 		au_inaddr_t		inaddr;
748 		au_inaddr_ex_t		inaddr_ex;
749 		au_ip_t			ip;
750 		au_ipc_t		ipc;
751 		au_ipcperm_t		ipcperm;
752 		au_iport_t		iport;
753 		au_opaque_t		opaque;
754 		au_path_t		path;
755 		au_proc32_t		proc32;
756 		au_proc32ex_t		proc32_ex;
757 		au_proc64_t		proc64;
758 		au_proc64ex_t		proc64_ex;
759 		au_ret32_t		ret32;
760 		au_ret64_t		ret64;
761 		au_seq_t		seq;
762 		au_socket_t		socket;
763 		au_socket_ex32_t	socket_ex32;
764 		au_socketinet_ex32_t	sockinet_ex32;
765 		au_socketunix_t		sockunix;
766 		au_subject32_t		subj32;
767 		au_subject32ex_t	subj32_ex;
768 		au_subject64_t		subj64;
769 		au_subject64ex_t	subj64_ex;
770 		au_text_t		text;
771 		au_kevent_t		kevent;
772 		au_invalid_t		invalid;
773 		au_trailer_t		trail;
774 		au_zonename_t		zonename;
775 		au_priv_t		priv;
776 		au_privset_t		privset;
777 	} tt; /* The token is one of the above types */
778 };
779 
780 typedef struct tokenstr tokenstr_t;
781 
782 int			 audit_submit(short au_event, au_id_t auid,
783 			    char status, int reterr, const char *fmt, ...);
784 
785 /*
786  * Functions relating to querying audit class information.
787  */
788 void			 setauclass(void);
789 void			 endauclass(void);
790 struct au_class_ent	*getauclassent(void);
791 struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
792 struct au_class_ent	*getauclassnam(const char *name);
793 struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
794 			    const char *name);
795 struct au_class_ent	*getauclassnum(au_class_t class_number);
796 struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
797 			    au_class_t class_number);
798 
799 /*
800  * Functions relating to querying audit control information.
801  */
802 void			 setac(void);
803 void			 endac(void);
804 int			 getacdir(char *name, int len);
805 int			 getacdist(void);
806 int			 getacexpire(int *andflg, time_t *age, size_t *size);
807 int			 getacfilesz(size_t *size_val);
808 int			 getacflg(char *auditstr, int len);
809 int			 getachost(char *auditstr, size_t len);
810 int			 getacmin(int *min_val);
811 int			 getacna(char *auditstr, int len);
812 int			 getacpol(char *auditstr, size_t len);
813 int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
814 int			 getauditflagschar(char *auditstr, au_mask_t *masks,
815 			    int verbose);
816 int			 au_preselect(au_event_t event, au_mask_t *mask_p,
817 			    int sorf, int flag);
818 ssize_t			 au_poltostr(int policy, size_t maxsize, char *buf);
819 int			 au_strtopol(const char *polstr, int *policy);
820 
821 /*
822  * Functions relating to querying audit event information.
823  */
824 void			 setauevent(void);
825 void			 endauevent(void);
826 struct au_event_ent	*getauevent(void);
827 struct au_event_ent	*getauevent_r(struct au_event_ent *e);
828 struct au_event_ent	*getauevnam(const char *name);
829 struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
830 			    const char *name);
831 struct au_event_ent	*getauevnum(au_event_t event_number);
832 struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
833 			    au_event_t event_number);
834 au_event_t		*getauevnonam(const char *event_name);
835 au_event_t		*getauevnonam_r(au_event_t *ev,
836 			    const char *event_name);
837 
838 /*
839  * Functions relating to querying audit user information.
840  */
841 void			 setauuser(void);
842 void			 endauuser(void);
843 struct au_user_ent	*getauuserent(void);
844 struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
845 struct au_user_ent	*getauusernam(const char *name);
846 struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
847 			    const char *name);
848 int			 au_user_mask(char *username, au_mask_t *mask_p);
849 int			 getfauditflags(au_mask_t *usremask,
850 			    au_mask_t *usrdmask, au_mask_t *lastmask);
851 
852 /*
853  * Functions for reading and printing records and tokens from audit trails.
854  */
855 int			 au_read_rec(FILE *fp, u_char **buf);
856 int			 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
857 //XXX The following interface has different prototype from BSM
858 void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
859 			    char *del, char raw, char sfrm);
860 void			 au_print_flags_tok(FILE *outfp, tokenstr_t *tok,
861 			    char *del, int oflags);
862 void			 au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
863 			    char *del, char raw, char sfrm);
864 
865 /*
866  * Functions relating to XML output.
867  */
868 void			 au_print_xml_header(FILE *outfp);
869 void			 au_print_xml_footer(FILE *outfp);
870 
871 /*
872  * BSM library routines for converting between local and BSM constant spaces.
873  * (Note: some of these are replicated in audit_record.h for the benefit of
874  * the FreeBSD and Mac OS X kernels)
875  */
876 int	 au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
877 int	 au_bsm_to_errno(u_char bsm_error, int *errorp);
878 int	 au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
879 int	 au_bsm_to_socket_type(u_short bsm_socket_type,
880 	    int *local_socket_typep);
881 u_short	 au_domain_to_bsm(int local_domain);
882 u_char	 au_errno_to_bsm(int local_errno);
883 u_short	 au_fcntl_cmd_to_bsm(int local_fcntl_command);
884 u_short	 au_socket_type_to_bsm(int local_socket_type);
885 
886 const char	 *au_strerror(u_char bsm_error);
887 __END_DECLS
888 
889 /*
890  * The remaining APIs are associated with Apple's BSM implementation, in
891  * particular as relates to Mach IPC auditing and triggers passed via Mach
892  * IPC.
893  */
894 #ifdef __APPLE__
895 #include <sys/appleapiopts.h>
896 
897 /**************************************************************************
898  **************************************************************************
899  ** The following definitions, functions, etc., are NOT officially
900  ** supported: they may be changed or removed in the future.  Do not use
901  ** them unless you are prepared to cope with that eventuality.
902  **************************************************************************
903  **************************************************************************/
904 
905 #ifdef __APPLE_API_PRIVATE
906 #define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
907 #endif /* __APPLE_API_PRIVATE */
908 
909 /*
910  * au_get_state() return values
911  * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
912  * AUDIT_ON are deprecated and WILL be removed.
913  */
914 #ifdef __APPLE_API_PRIVATE
915 #define	AUDIT_OFF	AUC_NOAUDIT
916 #define	AUDIT_ON	AUC_AUDITING
917 #endif /* __APPLE_API_PRIVATE */
918 #endif /* !__APPLE__ */
919 
920 /*
921  * Error return codes for audit_set_terminal_id(), audit_write() and its
922  * brethren.  We have 255 (not including kAUNoErr) to play with.
923  *
924  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
925  */
926 enum {
927 	kAUNoErr			= 0,
928 	kAUBadParamErr			= -66049,
929 	kAUStatErr,
930 	kAUSysctlErr,
931 	kAUOpenErr,
932 	kAUMakeSubjectTokErr,
933 	kAUWriteSubjectTokErr,
934 	kAUWriteCallerTokErr,
935 	kAUMakeReturnTokErr,
936 	kAUWriteReturnTokErr,
937 	kAUCloseErr,
938 	kAUMakeTextTokErr,
939 	kAULastErr
940 };
941 
942 #ifdef __APPLE__
943 /*
944  * Error return codes for au_get_state() and/or its private support
945  * functions.  These codes are designed to be compatible with the
946  * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
947  * Any changes to notify(3) may cause these values to change in future.
948  *
949  * AU_UNIMPL should never happen unless you've changed your system software
950  * without rebooting.  Shame on you.
951  */
952 #ifdef __APPLE_API_PRIVATE
953 #define	AU_UNIMPL	NOTIFY_STATUS_FAILED + 1	/* audit unimplemented */
954 #endif /* __APPLE_API_PRIVATE */
955 #endif /* !__APPLE__ */
956 
957 __BEGIN_DECLS
958 /*
959  * XXX  This prototype should be in audit_record.h
960  *
961  * au_free_token()
962  *
963  * @summary - au_free_token() deallocates a token_t created by any of
964  * the au_to_*() BSM API functions.
965  *
966  * The BSM API generally manages deallocation of token_t objects.  However,
967  * if au_write() is passed a bad audit descriptor, the token_t * parameter
968  * will be left untouched.  In that case, the caller can deallocate the
969  * token_t using au_free_token() if desired.  This is, in fact, what
970  * audit_write() does, in keeping with the existing memory management model
971  * of the BSM API.
972  *
973  * @param tok - A token_t * generated by one of the au_to_*() BSM API
974  * calls.  For convenience, tok may be NULL, in which case
975  * au_free_token() returns immediately.
976  *
977  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
978  */
979 void	au_free_token(token_t *tok);
980 
981 /*
982  * Lightweight check to determine if auditing is enabled.  If a client
983  * wants to use this to govern whether an entire series of audit calls
984  * should be made--as in the common case of a caller building a set of
985  * tokens, then writing them--it should cache the audit status in a local
986  * variable.  This call always returns the current state of auditing.
987  *
988  * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
989  * Otherwise the function can return any of the errno values defined for
990  * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
991  * the system.
992  *
993  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
994  */
995 int	au_get_state(void);
996 
997 /*
998  * Initialize the audit notification.  If it has not already been initialized
999  * it will automatically on the first call of au_get_state().
1000  */
1001 uint32_t	au_notify_initialize(void);
1002 
1003 /*
1004  * Cancel audit notification and free the resources associated with it.
1005  * Responsible code that no longer needs to use au_get_state() should call
1006  * this.
1007  */
1008 int		au_notify_terminate(void);
1009 __END_DECLS
1010 
1011 /* OpenSSH compatibility */
1012 int	cannot_audit(int);
1013 
1014 __BEGIN_DECLS
1015 /*
1016  * audit_set_terminal_id()
1017  *
1018  * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
1019  * used in audit session initialization by processes like /usr/bin/login.
1020  *
1021  * @param tid - A pointer to an au_tid_t struct.
1022  *
1023  * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
1024  * or kAUSysctlErr if one of the underlying system calls fails (a message
1025  * is sent to the system log in those cases).
1026  *
1027  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1028  */
1029 int	audit_set_terminal_id(au_tid_t *tid);
1030 
1031 /*
1032  * BEGIN au_write() WRAPPERS
1033  *
1034  * The following calls all wrap the existing BSM API.  They use the
1035  * provided subject information, if any, to construct the subject token
1036  * required for every log message.  They use the provided return/error
1037  * value(s), if any, to construct the success/failure indication required
1038  * for every log message.  They only permit one "miscellaneous" token,
1039  * which should contain the event-specific logging information mandated by
1040  * CAPP.
1041  *
1042  * All these calls assume the caller has previously determined that
1043  * auditing is enabled by calling au_get_state().
1044  */
1045 
1046 /*
1047  * audit_write()
1048  *
1049  * @summary - audit_write() is the basis for the other audit_write_*()
1050  * calls.  Performs a basic write of an audit record (subject, additional
1051  * info, success/failure).  Note that this call only permits logging one
1052  * caller-specified token; clients needing to log more flexibly must use
1053  * the existing BSM API (au_open(), et al.) directly.
1054  *
1055  * Note on memory management: audit_write() guarantees that the token_t *s
1056  * passed to it will be deallocated whether or not the underlying write to
1057  * the audit log succeeded.  This addresses an inconsistency in the
1058  * underlying BSM API in which token_t *s are usually but not always
1059  * deallocated.
1060  *
1061  * @param event_code - The code for the event being logged.  This should
1062  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1063  *
1064  * @param subject - A token_t * generated by au_to_subject(),
1065  * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
1066  * required, subject should be NULL.
1067  *
1068  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1069  * calls.  This should correspond to the additional information required by
1070  * CAPP for the event being audited.  If no additional information is
1071  * required, misctok should be NULL.
1072  *
1073  * @param retval - The return value to be logged for this event.  This
1074  * should be 0 (zero) for success, otherwise the value is event-specific.
1075  *
1076  * @param errcode - Any error code associated with the return value (e.g.,
1077  * errno or h_errno).  If there was no error, errcode should be 0 (zero).
1078  *
1079  * @return - The status of the call: 0 (zero) on success, else one of the
1080  * kAU*Err values defined above.
1081  *
1082  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1083  */
1084 int	audit_write(short event_code, token_t *subject, token_t *misctok,
1085 	    char retval, int errcode);
1086 
1087 /*
1088  * audit_write_success()
1089  *
1090  * @summary - audit_write_success() records an auditable event that did not
1091  * encounter an error.  The interface is designed to require as little
1092  * direct use of the au_to_*() API as possible.  It builds a subject token
1093  * from the information passed in and uses that to invoke audit_write().
1094  * A subject, as defined by CAPP, is a process acting on the user's behalf.
1095  *
1096  * If the subject information is the same as the current process, use
1097  * au_write_success_self().
1098  *
1099  * @param event_code - The code for the event being logged.  This should
1100  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1101  *
1102  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1103  * calls.  This should correspond to the additional information required by
1104  * CAPP for the event being audited.  If no additional information is
1105  * required, misctok should be NULL.
1106  *
1107  * @param auid - The subject's audit ID.
1108  *
1109  * @param euid - The subject's effective user ID.
1110  *
1111  * @param egid - The subject's effective group ID.
1112  *
1113  * @param ruid - The subject's real user ID.
1114  *
1115  * @param rgid - The subject's real group ID.
1116  *
1117  * @param pid - The subject's process ID.
1118  *
1119  * @param sid - The subject's session ID.
1120  *
1121  * @param tid - The subject's terminal ID.
1122  *
1123  * @return - The status of the call: 0 (zero) on success, else one of the
1124  * kAU*Err values defined above.
1125  *
1126  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1127  */
1128 int	audit_write_success(short event_code, token_t *misctok, au_id_t auid,
1129 	    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1130 	    au_asid_t sid, au_tid_t *tid);
1131 
1132 /*
1133  * audit_write_success_self()
1134  *
1135  * @summary - Similar to audit_write_success(), but used when the subject
1136  * (process) is owned and operated by the auditable user him/herself.
1137  *
1138  * @param event_code - The code for the event being logged.  This should
1139  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1140  *
1141  * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1142  * calls.  This should correspond to the additional information required by
1143  * CAPP for the event being audited.  If no additional information is
1144  * required, misctok should be NULL.
1145  *
1146  * @return - The status of the call: 0 (zero) on success, else one of the
1147  * kAU*Err values defined above.
1148  *
1149  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1150  */
1151 int	audit_write_success_self(short event_code, token_t *misctok);
1152 
1153 /*
1154  * audit_write_failure()
1155  *
1156  * @summary - audit_write_failure() records an auditable event that
1157  * encountered an error.  The interface is designed to require as little
1158  * direct use of the au_to_*() API as possible.  It builds a subject token
1159  * from the information passed in and uses that to invoke audit_write().
1160  * A subject, as defined by CAPP, is a process acting on the user's behalf.
1161  *
1162  * If the subject information is the same as the current process, use
1163  * au_write_failure_self().
1164  *
1165  * @param event_code - The code for the event being logged.  This should
1166  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1167  *
1168  * @param errmsg - A text message providing additional information about
1169  * the event being audited.
1170  *
1171  * @param errret - A numerical value providing additional information about
1172  * the error.  This is intended to store the value of errno or h_errno if
1173  * it's relevant.  This can be 0 (zero) if no additional information is
1174  * available.
1175  *
1176  * @param auid - The subject's audit ID.
1177  *
1178  * @param euid - The subject's effective user ID.
1179  *
1180  * @param egid - The subject's effective group ID.
1181  *
1182  * @param ruid - The subject's real user ID.
1183  *
1184  * @param rgid - The subject's real group ID.
1185  *
1186  * @param pid - The subject's process ID.
1187  *
1188  * @param sid - The subject's session ID.
1189  *
1190  * @param tid - The subject's terminal ID.
1191  *
1192  * @return - The status of the call: 0 (zero) on success, else one of the
1193  * kAU*Err values defined above.
1194  *
1195  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1196  */
1197 int	audit_write_failure(short event_code, char *errmsg, int errret,
1198 	    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1199 	    pid_t pid, au_asid_t sid, au_tid_t *tid);
1200 
1201 /*
1202  * audit_write_failure_self()
1203  *
1204  * @summary - Similar to audit_write_failure(), but used when the subject
1205  * (process) is owned and operated by the auditable user him/herself.
1206  *
1207  * @param event_code - The code for the event being logged.  This should
1208  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1209  *
1210  * @param errmsg - A text message providing additional information about
1211  * the event being audited.
1212  *
1213  * @param errret - A numerical value providing additional information about
1214  * the error.  This is intended to store the value of errno or h_errno if
1215  * it's relevant.  This can be 0 (zero) if no additional information is
1216  * available.
1217  *
1218  * @return - The status of the call: 0 (zero) on success, else one of the
1219  * kAU*Err values defined above.
1220  *
1221  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1222  */
1223 int	audit_write_failure_self(short event_code, char *errmsg, int errret);
1224 
1225 /*
1226  * audit_write_failure_na()
1227  *
1228  * @summary - audit_write_failure_na() records errors during login.  Such
1229  * errors are implicitly non-attributable (i.e., not ascribable to any user).
1230  *
1231  * @param event_code - The code for the event being logged.  This should
1232  * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1233  *
1234  * @param errmsg - A text message providing additional information about
1235  * the event being audited.
1236  *
1237  * @param errret - A numerical value providing additional information about
1238  * the error.  This is intended to store the value of errno or h_errno if
1239  * it's relevant.  This can be 0 (zero) if no additional information is
1240  * available.
1241  *
1242  * @param euid - The subject's effective user ID.
1243  *
1244  * @param egid - The subject's effective group ID.
1245  *
1246  * @param pid - The subject's process ID.
1247  *
1248  * @param tid - The subject's terminal ID.
1249  *
1250  * @return - The status of the call: 0 (zero) on success, else one of the
1251  * kAU*Err values defined above.
1252  *
1253  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1254  */
1255 int	audit_write_failure_na(short event_code, char *errmsg, int errret,
1256 	    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1257 
1258 /* END au_write() WRAPPERS */
1259 
1260 #ifdef  __APPLE__
1261 /*
1262  * audit_token_to_au32()
1263  *
1264  * @summary - Extract information from an audit_token_t, used to identify
1265  * Mach tasks and senders of Mach messages as subjects to the audit system.
1266  * audit_tokent_to_au32() is the only method that should be used to parse
1267  * an audit_token_t, since its internal representation may change over
1268  * time.  A pointer parameter may be NULL if that information is not
1269  * needed.
1270  *
1271  * @param atoken - the audit token containing the desired information
1272  *
1273  * @param auidp - Pointer to a uid_t; on return will be set to the task or
1274  * sender's audit user ID
1275  *
1276  * @param euidp - Pointer to a uid_t; on return will be set to the task or
1277  * sender's effective user ID
1278  *
1279  * @param egidp - Pointer to a gid_t; on return will be set to the task or
1280  * sender's effective group ID
1281  *
1282  * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1283  * sender's real user ID
1284  *
1285  * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1286  * sender's real group ID
1287  *
1288  * @param pidp - Pointer to a pid_t; on return will be set to the task or
1289  * sender's process ID
1290  *
1291  * @param asidp - Pointer to an au_asid_t; on return will be set to the
1292  * task or sender's audit session ID
1293  *
1294  * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1295  * or sender's terminal ID
1296  *
1297  * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1298  */
1299 void audit_token_to_au32(
1300 	audit_token_t	 atoken,
1301 	uid_t		*auidp,
1302 	uid_t		*euidp,
1303 	gid_t		*egidp,
1304 	uid_t		*ruidp,
1305 	gid_t		*rgidp,
1306 	pid_t		*pidp,
1307 	au_asid_t	*asidp,
1308 	au_tid_t	*tidp);
1309 #endif /* !__APPLE__ */
1310 
1311 /*
1312  * Wrapper functions to auditon(2).
1313  */
1314 int audit_get_car(char *path, size_t sz);
1315 int audit_get_class(au_evclass_map_t *evc_map, size_t sz);
1316 int audit_set_class(au_evclass_map_t *evc_map, size_t sz);
1317 int audit_get_cond(int *cond);
1318 int audit_set_cond(int *cond);
1319 int audit_get_cwd(char *path, size_t sz);
1320 int audit_get_fsize(au_fstat_t *fstat, size_t sz);
1321 int audit_set_fsize(au_fstat_t *fstat, size_t sz);
1322 int audit_get_kmask(au_mask_t *kmask, size_t sz);
1323 int audit_set_kmask(au_mask_t *kmask, size_t sz);
1324 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz);
1325 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz);
1326 int audit_set_pmask(auditpinfo_t *api, size_t sz);
1327 int audit_get_pinfo(auditpinfo_t *api, size_t sz);
1328 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz);
1329 int audit_get_policy(int *policy);
1330 int audit_set_policy(int *policy);
1331 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz);
1332 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz);
1333 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz);
1334 int audit_get_stat(au_stat_t *stats, size_t sz);
1335 int audit_set_stat(au_stat_t *stats, size_t sz);
1336 int audit_send_trigger(int *trigger);
1337 
1338 __END_DECLS
1339 
1340 #endif /* !_LIBBSM_H_ */
1341