1 /*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 14 * its contributors may be used to endorse or promote products derived 15 * from this software without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#50 $ 30 */ 31 32 #ifndef _LIBBSM_H_ 33 #define _LIBBSM_H_ 34 35 /* 36 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced 37 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them. 38 */ 39 40 #include <sys/types.h> 41 #include <sys/cdefs.h> 42 43 #include <inttypes.h> /* Required for audit.h. 
*/ 44 #include <time.h> /* Required for clock_t on Linux. */ 45 46 #include <bsm/audit.h> 47 #include <bsm/audit_record.h> 48 49 #include <stdio.h> 50 51 #ifdef __APPLE__ 52 #include <mach/mach.h> /* audit_token_t */ 53 #endif 54 55 /* 56 * Size parsed token vectors for execve(2) arguments and environmental 57 * variables. Note: changing these sizes affects the ABI of the token 58 * structure, and as the token structure is often placed in the caller stack, 59 * this is undesirable. 60 */ 61 #define AUDIT_MAX_ARGS 128 62 #define AUDIT_MAX_ENV 128 63 64 /* 65 * Arguments to au_preselect(3). 66 */ 67 #define AU_PRS_USECACHE 0 68 #define AU_PRS_REREAD 1 69 70 #define AU_PRS_SUCCESS 1 71 #define AU_PRS_FAILURE 2 72 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE) 73 74 #define AUDIT_EVENT_FILE "/etc/security/audit_event" 75 #define AUDIT_CLASS_FILE "/etc/security/audit_class" 76 #define AUDIT_CONTROL_FILE "/etc/security/audit_control" 77 #define AUDIT_USER_FILE "/etc/security/audit_user" 78 79 #define DIR_CONTROL_ENTRY "dir" 80 #define DIST_CONTROL_ENTRY "dist" 81 #define FILESZ_CONTROL_ENTRY "filesz" 82 #define FLAGS_CONTROL_ENTRY "flags" 83 #define HOST_CONTROL_ENTRY "host" 84 #define MINFREE_CONTROL_ENTRY "minfree" 85 #define NA_CONTROL_ENTRY "naflags" 86 #define POLICY_CONTROL_ENTRY "policy" 87 #define EXPIRE_AFTER_CONTROL_ENTRY "expire-after" 88 89 #define AU_CLASS_NAME_MAX 8 90 #define AU_CLASS_DESC_MAX 72 91 #define AU_EVENT_NAME_MAX 30 92 #define AU_EVENT_DESC_MAX 50 93 #define AU_USER_NAME_MAX 50 94 #define AU_LINE_MAX 256 95 #define MAX_AUDITSTRING_LEN 256 96 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */ 97 98 /* 99 * Arguments to au_close(3). 100 */ 101 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */ 102 #define AU_TO_WRITE 1 /* Commit audit record. */ 103 104 /* 105 * Output format flags for au_print_flags_tok(). 106 */ 107 #define AU_OFLAG_NONE 0x0000 /* Default form. */ 108 #define AU_OFLAG_RAW 0x0001 /* Raw, numeric form. 
*/ 109 #define AU_OFLAG_SHORT 0x0002 /* Short form. */ 110 #define AU_OFLAG_XML 0x0004 /* XML form. */ 111 #define AU_OFLAG_NORESOLVE 0x0008 /* No user/group name resolution. */ 112 113 __BEGIN_DECLS 114 struct au_event_ent { 115 au_event_t ae_number; 116 char *ae_name; 117 char *ae_desc; 118 au_class_t ae_class; 119 }; 120 typedef struct au_event_ent au_event_ent_t; 121 122 struct au_class_ent { 123 char *ac_name; 124 au_class_t ac_class; 125 char *ac_desc; 126 }; 127 typedef struct au_class_ent au_class_ent_t; 128 129 struct au_user_ent { 130 char *au_name; 131 au_mask_t au_always; 132 au_mask_t au_never; 133 }; 134 typedef struct au_user_ent au_user_ent_t; 135 __END_DECLS 136 137 #define ADD_TO_MASK(m, c, sel) do { \ 138 if (sel & AU_PRS_SUCCESS) \ 139 (m)->am_success |= c; \ 140 if (sel & AU_PRS_FAILURE) \ 141 (m)->am_failure |= c; \ 142 } while (0) 143 144 #define SUB_FROM_MASK(m, c, sel) do { \ 145 if (sel & AU_PRS_SUCCESS) \ 146 (m)->am_success &= ((m)->am_success ^ c); \ 147 if (sel & AU_PRS_FAILURE) \ 148 (m)->am_failure &= ((m)->am_failure ^ c); \ 149 } while (0) 150 151 #define ADDMASK(m, v) do { \ 152 (m)->am_success |= (v)->am_success; \ 153 (m)->am_failure |= (v)->am_failure; \ 154 } while(0) 155 156 #define SUBMASK(m, v) do { \ 157 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \ 158 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \ 159 } while(0) 160 161 __BEGIN_DECLS 162 163 typedef struct au_tid32 { 164 u_int32_t port; 165 u_int32_t addr; 166 } au_tid32_t; 167 168 typedef struct au_tid64 { 169 u_int64_t port; 170 u_int32_t addr; 171 } au_tid64_t; 172 173 typedef struct au_tidaddr32 { 174 u_int32_t port; 175 u_int32_t type; 176 u_int32_t addr[4]; 177 } au_tidaddr32_t; 178 179 typedef struct au_tidaddr64 { 180 u_int64_t port; 181 u_int32_t type; 182 u_int32_t addr[4]; 183 } au_tidaddr64_t; 184 185 /* 186 * argument # 1 byte 187 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 188 * text length 2 bytes 189 * text N bytes + 1 
terminating NULL byte 190 */ 191 typedef struct { 192 u_char no; 193 u_int32_t val; 194 u_int16_t len; 195 char *text; 196 } au_arg32_t; 197 198 typedef struct { 199 u_char no; 200 u_int64_t val; 201 u_int16_t len; 202 char *text; 203 } au_arg64_t; 204 205 /* 206 * how to print 1 byte 207 * basic unit 1 byte 208 * unit count 1 byte 209 * data items (depends on basic unit) 210 */ 211 typedef struct { 212 u_char howtopr; 213 u_char bu; 214 u_char uc; 215 u_char *data; 216 } au_arb_t; 217 218 /* 219 * file access mode 4 bytes 220 * owner user ID 4 bytes 221 * owner group ID 4 bytes 222 * file system ID 4 bytes 223 * node ID 8 bytes 224 * device 4 bytes/8 bytes (32-bit/64-bit) 225 */ 226 typedef struct { 227 u_int32_t mode; 228 u_int32_t uid; 229 u_int32_t gid; 230 u_int32_t fsid; 231 u_int64_t nid; 232 u_int32_t dev; 233 } au_attr32_t; 234 235 typedef struct { 236 u_int32_t mode; 237 u_int32_t uid; 238 u_int32_t gid; 239 u_int32_t fsid; 240 u_int64_t nid; 241 u_int64_t dev; 242 } au_attr64_t; 243 244 /* 245 * count 4 bytes 246 * text count null-terminated string(s) 247 */ 248 typedef struct { 249 u_int32_t count; 250 char *text[AUDIT_MAX_ARGS]; 251 } au_execarg_t; 252 253 /* 254 * count 4 bytes 255 * text count null-terminated string(s) 256 */ 257 typedef struct { 258 u_int32_t count; 259 char *text[AUDIT_MAX_ENV]; 260 } au_execenv_t; 261 262 /* 263 * status 4 bytes 264 * return value 4 bytes 265 */ 266 typedef struct { 267 u_int32_t status; 268 u_int32_t ret; 269 } au_exit_t; 270 271 /* 272 * seconds of time 4 bytes 273 * milliseconds of time 4 bytes 274 * file name length 2 bytes 275 * file pathname N bytes + 1 terminating NULL byte 276 */ 277 typedef struct { 278 u_int32_t s; 279 u_int32_t ms; 280 u_int16_t len; 281 char *name; 282 } au_file_t; 283 284 285 /* 286 * number groups 2 bytes 287 * group list N * 4 bytes 288 */ 289 typedef struct { 290 u_int16_t no; 291 u_int32_t list[AUDIT_MAX_GROUPS]; 292 } au_groups_t; 293 294 /* 295 * record byte count 4 bytes 296 * 
version # 1 byte [2] 297 * event type 2 bytes 298 * event modifier 2 bytes 299 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 300 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 301 */ 302 typedef struct { 303 u_int32_t size; 304 u_char version; 305 u_int16_t e_type; 306 u_int16_t e_mod; 307 u_int32_t s; 308 u_int32_t ms; 309 } au_header32_t; 310 311 /* 312 * record byte count 4 bytes 313 * version # 1 byte [2] 314 * event type 2 bytes 315 * event modifier 2 bytes 316 * address type/length 1 byte (XXX: actually, 4 bytes) 317 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 318 * seconds of time 4 bytes/8 bytes (32/64-bits) 319 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 320 */ 321 typedef struct { 322 u_int32_t size; 323 u_char version; 324 u_int16_t e_type; 325 u_int16_t e_mod; 326 u_int32_t ad_type; 327 u_int32_t addr[4]; 328 u_int32_t s; 329 u_int32_t ms; 330 } au_header32_ex_t; 331 332 typedef struct { 333 u_int32_t size; 334 u_char version; 335 u_int16_t e_type; 336 u_int16_t e_mod; 337 u_int64_t s; 338 u_int64_t ms; 339 } au_header64_t; 340 341 typedef struct { 342 u_int32_t size; 343 u_char version; 344 u_int16_t e_type; 345 u_int16_t e_mod; 346 u_int32_t ad_type; 347 u_int32_t addr[4]; 348 u_int64_t s; 349 u_int64_t ms; 350 } au_header64_ex_t; 351 352 /* 353 * internet address 4 bytes 354 */ 355 typedef struct { 356 u_int32_t addr; 357 } au_inaddr_t; 358 359 /* 360 * type 4 bytes 361 * internet address 16 bytes 362 */ 363 typedef struct { 364 u_int32_t type; 365 u_int32_t addr[4]; 366 } au_inaddr_ex_t; 367 368 /* 369 * version and ihl 1 byte 370 * type of service 1 byte 371 * length 2 bytes 372 * id 2 bytes 373 * offset 2 bytes 374 * ttl 1 byte 375 * protocol 1 byte 376 * checksum 2 bytes 377 * source address 4 bytes 378 * destination address 4 bytes 379 */ 380 typedef struct { 381 u_char version; 382 u_char tos; 383 u_int16_t len; 384 u_int16_t id; 385 u_int16_t offset; 386 u_char ttl; 387 u_char prot; 388 u_int16_t 
chksm; 389 u_int32_t src; 390 u_int32_t dest; 391 } au_ip_t; 392 393 /* 394 * object ID type 1 byte 395 * object ID 4 bytes 396 */ 397 typedef struct { 398 u_char type; 399 u_int32_t id; 400 } au_ipc_t; 401 402 /* 403 * owner user ID 4 bytes 404 * owner group ID 4 bytes 405 * creator user ID 4 bytes 406 * creator group ID 4 bytes 407 * access mode 4 bytes 408 * slot sequence # 4 bytes 409 * key 4 bytes 410 */ 411 typedef struct { 412 u_int32_t uid; 413 u_int32_t gid; 414 u_int32_t puid; 415 u_int32_t pgid; 416 u_int32_t mode; 417 u_int32_t seq; 418 u_int32_t key; 419 } au_ipcperm_t; 420 421 /* 422 * port IP address 2 bytes 423 */ 424 typedef struct { 425 u_int16_t port; 426 } au_iport_t; 427 428 /* 429 * length 2 bytes 430 * data length bytes 431 */ 432 typedef struct { 433 u_int16_t size; 434 char *data; 435 } au_opaque_t; 436 437 /* 438 * path length 2 bytes 439 * path N bytes + 1 terminating NULL byte 440 */ 441 typedef struct { 442 u_int16_t len; 443 char *path; 444 } au_path_t; 445 446 /* 447 * audit ID 4 bytes 448 * effective user ID 4 bytes 449 * effective group ID 4 bytes 450 * real user ID 4 bytes 451 * real group ID 4 bytes 452 * process ID 4 bytes 453 * session ID 4 bytes 454 * terminal ID 455 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 456 * machine address 4 bytes 457 */ 458 typedef struct { 459 u_int32_t auid; 460 u_int32_t euid; 461 u_int32_t egid; 462 u_int32_t ruid; 463 u_int32_t rgid; 464 u_int32_t pid; 465 u_int32_t sid; 466 au_tid32_t tid; 467 } au_proc32_t; 468 469 typedef struct { 470 u_int32_t auid; 471 u_int32_t euid; 472 u_int32_t egid; 473 u_int32_t ruid; 474 u_int32_t rgid; 475 u_int32_t pid; 476 u_int32_t sid; 477 au_tid64_t tid; 478 } au_proc64_t; 479 480 /* 481 * audit ID 4 bytes 482 * effective user ID 4 bytes 483 * effective group ID 4 bytes 484 * real user ID 4 bytes 485 * real group ID 4 bytes 486 * process ID 4 bytes 487 * session ID 4 bytes 488 * terminal ID 489 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 490 * type 4 
bytes 491 * machine address 16 bytes 492 */ 493 typedef struct { 494 u_int32_t auid; 495 u_int32_t euid; 496 u_int32_t egid; 497 u_int32_t ruid; 498 u_int32_t rgid; 499 u_int32_t pid; 500 u_int32_t sid; 501 au_tidaddr32_t tid; 502 } au_proc32ex_t; 503 504 typedef struct { 505 u_int32_t auid; 506 u_int32_t euid; 507 u_int32_t egid; 508 u_int32_t ruid; 509 u_int32_t rgid; 510 u_int32_t pid; 511 u_int32_t sid; 512 au_tidaddr64_t tid; 513 } au_proc64ex_t; 514 515 /* 516 * error status 1 byte 517 * return value 4 bytes/8 bytes (32-bit/64-bit value) 518 */ 519 typedef struct { 520 u_char status; 521 u_int32_t ret; 522 } au_ret32_t; 523 524 typedef struct { 525 u_char err; 526 u_int64_t val; 527 } au_ret64_t; 528 529 /* 530 * sequence number 4 bytes 531 */ 532 typedef struct { 533 u_int32_t seqno; 534 } au_seq_t; 535 536 /* 537 * socket type 2 bytes 538 * local port 2 bytes 539 * local Internet address 4 bytes 540 * remote port 2 bytes 541 * remote Internet address 4 bytes 542 */ 543 typedef struct { 544 u_int16_t type; 545 u_int16_t l_port; 546 u_int32_t l_addr; 547 u_int16_t r_port; 548 u_int32_t r_addr; 549 } au_socket_t; 550 551 /* 552 * socket type 2 bytes 553 * local port 2 bytes 554 * address type/length 4 bytes 555 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 556 * remote port 4 bytes 557 * address type/length 4 bytes 558 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address) 559 */ 560 typedef struct { 561 u_int16_t domain; 562 u_int16_t type; 563 u_int16_t atype; 564 u_int16_t l_port; 565 u_int32_t l_addr[4]; 566 u_int32_t r_port; 567 u_int32_t r_addr[4]; 568 } au_socket_ex32_t; 569 570 /* 571 * socket family 2 bytes 572 * local port 2 bytes 573 * socket address 4 bytes/16 bytes (IPv4/IPv6 address) 574 */ 575 typedef struct { 576 u_int16_t family; 577 u_int16_t port; 578 u_int32_t addr[4]; 579 } au_socketinet_ex32_t; 580 581 typedef struct { 582 u_int16_t family; 583 u_int16_t port; 584 u_int32_t addr; 585 } au_socketinet32_t; 586 587 /* 
588 * socket family 2 bytes 589 * path 104 bytes 590 */ 591 typedef struct { 592 u_int16_t family; 593 char path[104]; 594 } au_socketunix_t; 595 596 /* 597 * audit ID 4 bytes 598 * effective user ID 4 bytes 599 * effective group ID 4 bytes 600 * real user ID 4 bytes 601 * real group ID 4 bytes 602 * process ID 4 bytes 603 * session ID 4 bytes 604 * terminal ID 605 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 606 * machine address 4 bytes 607 */ 608 typedef struct { 609 u_int32_t auid; 610 u_int32_t euid; 611 u_int32_t egid; 612 u_int32_t ruid; 613 u_int32_t rgid; 614 u_int32_t pid; 615 u_int32_t sid; 616 au_tid32_t tid; 617 } au_subject32_t; 618 619 typedef struct { 620 u_int32_t auid; 621 u_int32_t euid; 622 u_int32_t egid; 623 u_int32_t ruid; 624 u_int32_t rgid; 625 u_int32_t pid; 626 u_int32_t sid; 627 au_tid64_t tid; 628 } au_subject64_t; 629 630 /* 631 * audit ID 4 bytes 632 * effective user ID 4 bytes 633 * effective group ID 4 bytes 634 * real user ID 4 bytes 635 * real group ID 4 bytes 636 * process ID 4 bytes 637 * session ID 4 bytes 638 * terminal ID 639 * port ID 4 bytes/8 bytes (32-bit/64-bit value) 640 * type 4 bytes 641 * machine address 16 bytes 642 */ 643 typedef struct { 644 u_int32_t auid; 645 u_int32_t euid; 646 u_int32_t egid; 647 u_int32_t ruid; 648 u_int32_t rgid; 649 u_int32_t pid; 650 u_int32_t sid; 651 au_tidaddr32_t tid; 652 } au_subject32ex_t; 653 654 typedef struct { 655 u_int32_t auid; 656 u_int32_t euid; 657 u_int32_t egid; 658 u_int32_t ruid; 659 u_int32_t rgid; 660 u_int32_t pid; 661 u_int32_t sid; 662 au_tidaddr64_t tid; 663 } au_subject64ex_t; 664 665 /* 666 * text length 2 bytes 667 * text N bytes + 1 terminating NULL byte 668 */ 669 typedef struct { 670 u_int16_t len; 671 char *text; 672 } au_text_t; 673 674 /* 675 * upriv status 1 byte 676 * privstr len 2 bytes 677 * privstr N bytes + 1 (\0 byte) 678 */ 679 typedef struct { 680 u_int8_t sorf; 681 u_int16_t privstrlen; 682 char *priv; 683 } au_priv_t; 684 685 /* 686 * privset 
687 * privtstrlen 2 bytes 688 * privtstr N Bytes + 1 689 * privstrlen 2 bytes 690 * privstr N Bytes + 1 691 */ 692 typedef struct { 693 u_int16_t privtstrlen; 694 char *privtstr; 695 u_int16_t privstrlen; 696 char *privstr; 697 } au_privset_t; 698 699 /* 700 * zonename length 2 bytes 701 * zonename text N bytes + 1 NULL terminator 702 */ 703 typedef struct { 704 u_int16_t len; 705 char *zonename; 706 } au_zonename_t; 707 708 typedef struct { 709 u_int32_t ident; 710 u_int16_t filter; 711 u_int16_t flags; 712 u_int32_t fflags; 713 u_int32_t data; 714 } au_kevent_t; 715 716 typedef struct { 717 u_int16_t length; 718 char *data; 719 } au_invalid_t; 720 721 /* 722 * trailer magic number 2 bytes 723 * record byte count 4 bytes 724 */ 725 typedef struct { 726 u_int16_t magic; 727 u_int32_t count; 728 } au_trailer_t; 729 730 struct tokenstr { 731 u_char id; 732 u_char *data; 733 size_t len; 734 union { 735 au_arg32_t arg32; 736 au_arg64_t arg64; 737 au_arb_t arb; 738 au_attr32_t attr32; 739 au_attr64_t attr64; 740 au_execarg_t execarg; 741 au_execenv_t execenv; 742 au_exit_t exit; 743 au_file_t file; 744 au_groups_t grps; 745 au_header32_t hdr32; 746 au_header32_ex_t hdr32_ex; 747 au_header64_t hdr64; 748 au_header64_ex_t hdr64_ex; 749 au_inaddr_t inaddr; 750 au_inaddr_ex_t inaddr_ex; 751 au_ip_t ip; 752 au_ipc_t ipc; 753 au_ipcperm_t ipcperm; 754 au_iport_t iport; 755 au_opaque_t opaque; 756 au_path_t path; 757 au_proc32_t proc32; 758 au_proc32ex_t proc32_ex; 759 au_proc64_t proc64; 760 au_proc64ex_t proc64_ex; 761 au_ret32_t ret32; 762 au_ret64_t ret64; 763 au_seq_t seq; 764 au_socket_t socket; 765 au_socket_ex32_t socket_ex32; 766 au_socketinet_ex32_t sockinet_ex32; 767 au_socketunix_t sockunix; 768 au_subject32_t subj32; 769 au_subject32ex_t subj32_ex; 770 au_subject64_t subj64; 771 au_subject64ex_t subj64_ex; 772 au_text_t text; 773 au_kevent_t kevent; 774 au_invalid_t invalid; 775 au_trailer_t trail; 776 au_zonename_t zonename; 777 au_priv_t priv; 778 au_privset_t 
privset; 779 } tt; /* The token is one of the above types */ 780 }; 781 782 typedef struct tokenstr tokenstr_t; 783 784 int audit_submit(short au_event, au_id_t auid, 785 char status, int reterr, const char *fmt, ...); 786 787 /* 788 * Functions relating to querying audit class information. 789 */ 790 void setauclass(void); 791 void endauclass(void); 792 struct au_class_ent *getauclassent(void); 793 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int); 794 struct au_class_ent *getauclassnam(const char *name); 795 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int, 796 const char *name); 797 struct au_class_ent *getauclassnum(au_class_t class_number); 798 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int, 799 au_class_t class_number); 800 801 /* 802 * Functions relating to querying audit control information. 803 */ 804 void setac(void); 805 void endac(void); 806 int getacdir(char *name, int len); 807 int getacdist(void); 808 int getacexpire(int *andflg, time_t *age, size_t *size); 809 int getacfilesz(size_t *size_val); 810 int getacflg(char *auditstr, int len); 811 int getachost(char *auditstr, size_t len); 812 int getacmin(int *min_val); 813 int getacna(char *auditstr, int len); 814 int getacpol(char *auditstr, size_t len); 815 int getauditflagsbin(char *auditstr, au_mask_t *masks); 816 int getauditflagschar(char *auditstr, au_mask_t *masks, 817 int verbose); 818 int au_preselect(au_event_t event, au_mask_t *mask_p, 819 int sorf, int flag); 820 ssize_t au_poltostr(int policy, size_t maxsize, char *buf); 821 int au_strtopol(const char *polstr, int *policy); 822 823 /* 824 * Functions relating to querying audit event information. 
825 */ 826 void setauevent(void); 827 void endauevent(void); 828 struct au_event_ent *getauevent(void); 829 struct au_event_ent *getauevent_r(struct au_event_ent *e); 830 struct au_event_ent *getauevnam(const char *name); 831 struct au_event_ent *getauevnam_r(struct au_event_ent *e, 832 const char *name); 833 struct au_event_ent *getauevnum(au_event_t event_number); 834 struct au_event_ent *getauevnum_r(struct au_event_ent *e, 835 au_event_t event_number); 836 au_event_t *getauevnonam(const char *event_name); 837 au_event_t *getauevnonam_r(au_event_t *ev, 838 const char *event_name); 839 840 /* 841 * Functions relating to querying audit user information. 842 */ 843 void setauuser(void); 844 void endauuser(void); 845 struct au_user_ent *getauuserent(void); 846 struct au_user_ent *getauuserent_r(struct au_user_ent *u); 847 struct au_user_ent *getauusernam(const char *name); 848 struct au_user_ent *getauusernam_r(struct au_user_ent *u, 849 const char *name); 850 int au_user_mask(char *username, au_mask_t *mask_p); 851 int getfauditflags(au_mask_t *usremask, 852 au_mask_t *usrdmask, au_mask_t *lastmask); 853 854 /* 855 * Functions for reading and printing records and tokens from audit trails. 856 */ 857 int au_read_rec(FILE *fp, u_char **buf); 858 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len); 859 //XXX The following interface has different prototype from BSM 860 void au_print_tok(FILE *outfp, tokenstr_t *tok, 861 char *del, char raw, char sfrm); 862 void au_print_flags_tok(FILE *outfp, tokenstr_t *tok, 863 char *del, int oflags); 864 void au_print_tok_xml(FILE *outfp, tokenstr_t *tok, 865 char *del, char raw, char sfrm); 866 867 /* 868 * Functions relating to XML output. 869 */ 870 void au_print_xml_header(FILE *outfp); 871 void au_print_xml_footer(FILE *outfp); 872 873 /* 874 * BSM library routines for converting between local and BSM constant spaces. 
875 * (Note: some of these are replicated in audit_record.h for the benefit of 876 * the FreeBSD and Mac OS X kernels) 877 */ 878 int au_bsm_to_domain(u_short bsm_domain, int *local_domainp); 879 int au_bsm_to_errno(u_char bsm_error, int *errorp); 880 int au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp); 881 int au_bsm_to_socket_type(u_short bsm_socket_type, 882 int *local_socket_typep); 883 u_short au_domain_to_bsm(int local_domain); 884 u_char au_errno_to_bsm(int local_errno); 885 u_short au_fcntl_cmd_to_bsm(int local_fcntl_command); 886 u_short au_socket_type_to_bsm(int local_socket_type); 887 888 const char *au_strerror(u_char bsm_error); 889 __END_DECLS 890 891 /* 892 * The remaining APIs are associated with Apple's BSM implementation, in 893 * particular as relates to Mach IPC auditing and triggers passed via Mach 894 * IPC. 895 */ 896 #ifdef __APPLE__ 897 #include <sys/appleapiopts.h> 898 899 /************************************************************************** 900 ************************************************************************** 901 ** The following definitions, functions, etc., are NOT officially 902 ** supported: they may be changed or removed in the future. Do not use 903 ** them unless you are prepared to cope with that eventuality. 904 ************************************************************************** 905 **************************************************************************/ 906 907 #ifdef __APPLE_API_PRIVATE 908 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change" 909 #endif /* __APPLE_API_PRIVATE */ 910 911 /* 912 * au_get_state() return values 913 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and 914 * AUDIT_ON are deprecated and WILL be removed. 
915 */ 916 #ifdef __APPLE_API_PRIVATE 917 #define AUDIT_OFF AUC_NOAUDIT 918 #define AUDIT_ON AUC_AUDITING 919 #endif /* __APPLE_API_PRIVATE */ 920 #endif /* !__APPLE__ */ 921 922 /* 923 * Error return codes for audit_set_terminal_id(), audit_write() and its 924 * brethren. We have 255 (not including kAUNoErr) to play with. 925 * 926 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 927 */ 928 enum { 929 kAUNoErr = 0, 930 kAUBadParamErr = -66049, 931 kAUStatErr, 932 kAUSysctlErr, 933 kAUOpenErr, 934 kAUMakeSubjectTokErr, 935 kAUWriteSubjectTokErr, 936 kAUWriteCallerTokErr, 937 kAUMakeReturnTokErr, 938 kAUWriteReturnTokErr, 939 kAUCloseErr, 940 kAUMakeTextTokErr, 941 kAULastErr 942 }; 943 944 #ifdef __APPLE__ 945 /* 946 * Error return codes for au_get_state() and/or its private support 947 * functions. These codes are designed to be compatible with the 948 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping. 949 * Any changes to notify(3) may cause these values to change in future. 950 * 951 * AU_UNIMPL should never happen unless you've changed your system software 952 * without rebooting. Shame on you. 953 */ 954 #ifdef __APPLE_API_PRIVATE 955 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */ 956 #endif /* __APPLE_API_PRIVATE */ 957 #endif /* !__APPLE__ */ 958 959 __BEGIN_DECLS 960 /* 961 * XXX This prototype should be in audit_record.h 962 * 963 * au_free_token() 964 * 965 * @summary - au_free_token() deallocates a token_t created by any of 966 * the au_to_*() BSM API functions. 967 * 968 * The BSM API generally manages deallocation of token_t objects. However, 969 * if au_write() is passed a bad audit descriptor, the token_t * parameter 970 * will be left untouched. In that case, the caller can deallocate the 971 * token_t using au_free_token() if desired. This is, in fact, what 972 * audit_write() does, in keeping with the existing memory management model 973 * of the BSM API. 
974 * 975 * @param tok - A token_t * generated by one of the au_to_*() BSM API 976 * calls. For convenience, tok may be NULL, in which case 977 * au_free_token() returns immediately. 978 * 979 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 980 */ 981 void au_free_token(token_t *tok); 982 983 /* 984 * Lightweight check to determine if auditing is enabled. If a client 985 * wants to use this to govern whether an entire series of audit calls 986 * should be made--as in the common case of a caller building a set of 987 * tokens, then writing them--it should cache the audit status in a local 988 * variable. This call always returns the current state of auditing. 989 * 990 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred. 991 * Otherwise the function can return any of the errno values defined for 992 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by 993 * the system. 994 * 995 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 996 */ 997 int au_get_state(void); 998 999 /* 1000 * Initialize the audit notification. If it has not already been initialized 1001 * it will automatically on the first call of au_get_state(). 1002 */ 1003 uint32_t au_notify_initialize(void); 1004 1005 /* 1006 * Cancel audit notification and free the resources associated with it. 1007 * Responsible code that no longer needs to use au_get_state() should call 1008 * this. 1009 */ 1010 int au_notify_terminate(void); 1011 __END_DECLS 1012 1013 /* OpenSSH compatibility */ 1014 int cannot_audit(int); 1015 1016 __BEGIN_DECLS 1017 /* 1018 * audit_set_terminal_id() 1019 * 1020 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is 1021 * used in audit session initialization by processes like /usr/bin/login. 1022 * 1023 * @param tid - A pointer to an au_tid_t struct. 
1024 * 1025 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr 1026 * or kAUSysctlErr if one of the underlying system calls fails (a message 1027 * is sent to the system log in those cases). 1028 * 1029 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1030 */ 1031 int audit_set_terminal_id(au_tid_t *tid); 1032 1033 /* 1034 * BEGIN au_write() WRAPPERS 1035 * 1036 * The following calls all wrap the existing BSM API. They use the 1037 * provided subject information, if any, to construct the subject token 1038 * required for every log message. They use the provided return/error 1039 * value(s), if any, to construct the success/failure indication required 1040 * for every log message. They only permit one "miscellaneous" token, 1041 * which should contain the event-specific logging information mandated by 1042 * CAPP. 1043 * 1044 * All these calls assume the caller has previously determined that 1045 * auditing is enabled by calling au_get_state(). 1046 */ 1047 1048 /* 1049 * audit_write() 1050 * 1051 * @summary - audit_write() is the basis for the other audit_write_*() 1052 * calls. Performs a basic write of an audit record (subject, additional 1053 * info, success/failure). Note that this call only permits logging one 1054 * caller-specified token; clients needing to log more flexibly must use 1055 * the existing BSM API (au_open(), et al.) directly. 1056 * 1057 * Note on memory management: audit_write() guarantees that the token_t *s 1058 * passed to it will be deallocated whether or not the underlying write to 1059 * the audit log succeeded. This addresses an inconsistency in the 1060 * underlying BSM API in which token_t *s are usually but not always 1061 * deallocated. 1062 * 1063 * @param event_code - The code for the event being logged. This should 1064 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 
1065 * 1066 * @param subject - A token_t * generated by au_to_subject(), 1067 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is 1068 * required, subject should be NULL. 1069 * 1070 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1071 * calls. This should correspond to the additional information required by 1072 * CAPP for the event being audited. If no additional information is 1073 * required, misctok should be NULL. 1074 * 1075 * @param retval - The return value to be logged for this event. This 1076 * should be 0 (zero) for success, otherwise the value is event-specific. 1077 * 1078 * @param errcode - Any error code associated with the return value (e.g., 1079 * errno or h_errno). If there was no error, errcode should be 0 (zero). 1080 * 1081 * @return - The status of the call: 0 (zero) on success, else one of the 1082 * kAU*Err values defined above. 1083 * 1084 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1085 */ 1086 int audit_write(short event_code, token_t *subject, token_t *misctok, 1087 char retval, int errcode); 1088 1089 /* 1090 * audit_write_success() 1091 * 1092 * @summary - audit_write_success() records an auditable event that did not 1093 * encounter an error. The interface is designed to require as little 1094 * direct use of the au_to_*() API as possible. It builds a subject token 1095 * from the information passed in and uses that to invoke audit_write(). 1096 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1097 * 1098 * If the subject information is the same as the current process, use 1099 * au_write_success_self(). 1100 * 1101 * @param event_code - The code for the event being logged. This should 1102 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1103 * 1104 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1105 * calls. 
This should correspond to the additional information required by 1106 * CAPP for the event being audited. If no additional information is 1107 * required, misctok should be NULL. 1108 * 1109 * @param auid - The subject's audit ID. 1110 * 1111 * @param euid - The subject's effective user ID. 1112 * 1113 * @param egid - The subject's effective group ID. 1114 * 1115 * @param ruid - The subject's real user ID. 1116 * 1117 * @param rgid - The subject's real group ID. 1118 * 1119 * @param pid - The subject's process ID. 1120 * 1121 * @param sid - The subject's session ID. 1122 * 1123 * @param tid - The subject's terminal ID. 1124 * 1125 * @return - The status of the call: 0 (zero) on success, else one of the 1126 * kAU*Err values defined above. 1127 * 1128 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1129 */ 1130 int audit_write_success(short event_code, token_t *misctok, au_id_t auid, 1131 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid, 1132 au_asid_t sid, au_tid_t *tid); 1133 1134 /* 1135 * audit_write_success_self() 1136 * 1137 * @summary - Similar to audit_write_success(), but used when the subject 1138 * (process) is owned and operated by the auditable user him/herself. 1139 * 1140 * @param event_code - The code for the event being logged. This should 1141 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1142 * 1143 * @param misctok - A token_t * generated by one of the au_to_*() BSM API 1144 * calls. This should correspond to the additional information required by 1145 * CAPP for the event being audited. If no additional information is 1146 * required, misctok should be NULL. 1147 * 1148 * @return - The status of the call: 0 (zero) on success, else one of the 1149 * kAU*Err values defined above. 1150 * 1151 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 
1152 */ 1153 int audit_write_success_self(short event_code, token_t *misctok); 1154 1155 /* 1156 * audit_write_failure() 1157 * 1158 * @summary - audit_write_failure() records an auditable event that 1159 * encountered an error. The interface is designed to require as little 1160 * direct use of the au_to_*() API as possible. It builds a subject token 1161 * from the information passed in and uses that to invoke audit_write(). 1162 * A subject, as defined by CAPP, is a process acting on the user's behalf. 1163 * 1164 * If the subject information is the same as the current process, use 1165 * audit_write_failure_self(). 1166 * 1167 * @param event_code - The code for the event being logged. This should 1168 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1169 * 1170 * @param errmsg - A text message providing additional information about 1171 * the event being audited. 1172 * 1173 * @param errret - A numerical value providing additional information about 1174 * the error. This is intended to store the value of errno or h_errno if 1175 * it's relevant. This can be 0 (zero) if no additional information is 1176 * available. 1177 * 1178 * @param auid - The subject's audit ID. 1179 * 1180 * @param euid - The subject's effective user ID. 1181 * 1182 * @param egid - The subject's effective group ID. 1183 * 1184 * @param ruid - The subject's real user ID. 1185 * 1186 * @param rgid - The subject's real group ID. 1187 * 1188 * @param pid - The subject's process ID. 1189 * 1190 * @param sid - The subject's session ID. 1191 * 1192 * @param tid - The subject's terminal ID. 1193 * 1194 * @return - The status of the call: 0 (zero) on success, else one of the 1195 * kAU*Err values defined above. 1196 * 1197 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1198 */ 1199 int audit_write_failure(short event_code, char *errmsg, int errret, 1200 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, 1201 pid_t pid, au_asid_t sid, au_tid_t *tid); 1202 1203 /* 1204 * audit_write_failure_self() 1205 * 1206 * @summary - Similar to audit_write_failure(), but used when the subject 1207 * (process) is owned and operated by the auditable user him/herself. 1208 * 1209 * @param event_code - The code for the event being logged. This should 1210 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1211 * 1212 * @param errmsg - A text message providing additional information about 1213 * the event being audited. 1214 * 1215 * @param errret - A numerical value providing additional information about 1216 * the error. This is intended to store the value of errno or h_errno if 1217 * it's relevant. This can be 0 (zero) if no additional information is 1218 * available. 1219 * 1220 * @return - The status of the call: 0 (zero) on success, else one of the 1221 * kAU*Err values defined above. 1222 * 1223 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1224 */ 1225 int audit_write_failure_self(short event_code, char *errmsg, int errret); 1226 1227 /* 1228 * audit_write_failure_na() 1229 * 1230 * @summary - audit_write_failure_na() records errors during login. Such 1231 * errors are implicitly non-attributable (i.e., not ascribable to any user). 1232 * 1233 * @param event_code - The code for the event being logged. This should 1234 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h. 1235 * 1236 * @param errmsg - A text message providing additional information about 1237 * the event being audited. 1238 * 1239 * @param errret - A numerical value providing additional information about 1240 * the error. This is intended to store the value of errno or h_errno if 1241 * it's relevant. This can be 0 (zero) if no additional information is 1242 * available. 
1243 * 1244 * @param euid - The subject's effective user ID. 1245 * 1246 * @param egid - The subject's effective group ID. 1247 * 1248 * @param pid - The subject's process ID. 1249 * 1250 * @param tid - The subject's terminal ID. 1251 * 1252 * @return - The status of the call: 0 (zero) on success, else one of the 1253 * kAU*Err values defined above. 1254 * 1255 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1256 */ 1257 int audit_write_failure_na(short event_code, char *errmsg, int errret, 1258 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid); 1259 1260 /* END au_write() WRAPPERS */ 1261 1262 #ifdef __APPLE__ 1263 /* 1264 * audit_token_to_au32() 1265 * 1266 * @summary - Extract information from an audit_token_t, used to identify 1267 * Mach tasks and senders of Mach messages as subjects to the audit system. 1268 * audit_token_to_au32() is the only method that should be used to parse 1269 * an audit_token_t, since its internal representation may change over 1270 * time. A pointer parameter may be NULL if that information is not 1271 * needed.
1272 * 1273 * @param atoken - the audit token containing the desired information 1274 * 1275 * @param auidp - Pointer to a uid_t; on return will be set to the task or 1276 * sender's audit user ID 1277 * 1278 * @param euidp - Pointer to a uid_t; on return will be set to the task or 1279 * sender's effective user ID 1280 * 1281 * @param egidp - Pointer to a gid_t; on return will be set to the task or 1282 * sender's effective group ID 1283 * 1284 * @param ruidp - Pointer to a uid_t; on return will be set to the task or 1285 * sender's real user ID 1286 * 1287 * @param rgidp - Pointer to a gid_t; on return will be set to the task or 1288 * sender's real group ID 1289 * 1290 * @param pidp - Pointer to a pid_t; on return will be set to the task or 1291 * sender's process ID 1292 * 1293 * @param asidp - Pointer to an au_asid_t; on return will be set to the 1294 * task or sender's audit session ID 1295 * 1296 * @param tidp - Pointer to an au_tid_t; on return will be set to the task 1297 * or sender's terminal ID 1298 * 1299 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE. 1300 */ 1301 void audit_token_to_au32( 1302 audit_token_t atoken, 1303 uid_t *auidp, 1304 uid_t *euidp, 1305 gid_t *egidp, 1306 uid_t *ruidp, 1307 gid_t *rgidp, 1308 pid_t *pidp, 1309 au_asid_t *asidp, 1310 au_tid_t *tidp); 1311 #endif /* __APPLE__ */ 1312 1313 /* 1314 * Wrapper functions to auditon(2).
1315 */ 1316 int audit_get_car(char *path, size_t sz); 1317 int audit_get_class(au_evclass_map_t *evc_map, size_t sz); 1318 int audit_set_class(au_evclass_map_t *evc_map, size_t sz); 1319 int audit_get_cond(int *cond); 1320 int audit_set_cond(int *cond); 1321 int audit_get_cwd(char *path, size_t sz); 1322 int audit_get_fsize(au_fstat_t *fstat, size_t sz); 1323 int audit_set_fsize(au_fstat_t *fstat, size_t sz); 1324 int audit_get_kmask(au_mask_t *kmask, size_t sz); 1325 int audit_set_kmask(au_mask_t *kmask, size_t sz); 1326 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz); 1327 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz); 1328 int audit_set_pmask(auditpinfo_t *api, size_t sz); 1329 int audit_get_pinfo(auditpinfo_t *api, size_t sz); 1330 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz); 1331 int audit_get_policy(int *policy); 1332 int audit_set_policy(int *policy); 1333 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz); 1334 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz); 1335 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz); 1336 int audit_get_stat(au_stat_t *stats, size_t sz); 1337 int audit_set_stat(au_stat_t *stats, size_t sz); 1338 int audit_send_trigger(int *trigger); 1339 1340 __END_DECLS 1341 1342 #endif /* !_LIBBSM_H_ */ 1343