152267f74SRobert Watson /*- 252267f74SRobert Watson * Copyright (c) 2005 Apple Inc. 352267f74SRobert Watson * All rights reserved. 452267f74SRobert Watson * 552267f74SRobert Watson * Redistribution and use in source and binary forms, with or without 652267f74SRobert Watson * modification, are permitted provided that the following conditions 752267f74SRobert Watson * are met: 852267f74SRobert Watson * 952267f74SRobert Watson * 1. Redistributions of source code must retain the above copyright 1052267f74SRobert Watson * notice, this list of conditions and the following disclaimer. 1152267f74SRobert Watson * 2. Redistributions in binary form must reproduce the above copyright 1252267f74SRobert Watson * notice, this list of conditions and the following disclaimer in the 1352267f74SRobert Watson * documentation and/or other materials provided with the distribution. 1452267f74SRobert Watson * 3. Neither the name of Apple Inc. ("Apple") nor the names of 1552267f74SRobert Watson * its contributors may be used to endorse or promote products derived 1652267f74SRobert Watson * from this software without specific prior written permission. 1752267f74SRobert Watson * 1852267f74SRobert Watson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 1952267f74SRobert Watson * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 2052267f74SRobert Watson * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 2152267f74SRobert Watson * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 2252267f74SRobert Watson * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 2352267f74SRobert Watson * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 2452267f74SRobert Watson * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 2552267f74SRobert Watson * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 2652267f74SRobert Watson * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 2752267f74SRobert Watson * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 2852267f74SRobert Watson * 297a0a89d2SRobert Watson * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#2 $ 3052267f74SRobert Watson */ 3152267f74SRobert Watson 3252267f74SRobert Watson #ifndef _BSM_AUDIT_H 3352267f74SRobert Watson #define _BSM_AUDIT_H 3452267f74SRobert Watson 357a0a89d2SRobert Watson #ifdef __APPLE__ 367a0a89d2SRobert Watson /* Temporary until rdar://problem/6133383 is resolved. */ 377a0a89d2SRobert Watson #include <sys/types.h> 387a0a89d2SRobert Watson #include <sys/param.h> 397a0a89d2SRobert Watson #include <sys/socket.h> 407a0a89d2SRobert Watson #include <sys/cdefs.h> 417a0a89d2SRobert Watson #include <sys/queue.h> 427a0a89d2SRobert Watson #endif /* __APPLE__ */ 437a0a89d2SRobert Watson 4452267f74SRobert Watson #define AUDIT_RECORD_MAGIC 0x828a0f1b 4552267f74SRobert Watson #define MAX_AUDIT_RECORDS 20 4652267f74SRobert Watson #define MAXAUDITDATA (0x8000 - 1) 4752267f74SRobert Watson #define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA 4852267f74SRobert Watson #define MIN_AUDIT_FILE_SIZE (512 * 1024) 4952267f74SRobert Watson 5052267f74SRobert Watson /* 517a0a89d2SRobert Watson * Minimum noumber of free blocks on the filesystem containing the audit 527a0a89d2SRobert Watson * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0 537a0a89d2SRobert Watson * as the kernel does an unsigned compare, plus we want to leave a few blocks 547a0a89d2SRobert Watson * free so userspace can terminate the log, etc. 557a0a89d2SRobert Watson */ 567a0a89d2SRobert Watson #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 577a0a89d2SRobert Watson 587a0a89d2SRobert Watson /* 5952267f74SRobert Watson * Triggers for the audit daemon. 6052267f74SRobert Watson */ 6152267f74SRobert Watson #define AUDIT_TRIGGER_MIN 1 6252267f74SRobert Watson #define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */ 6352267f74SRobert Watson #define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */ 6452267f74SRobert Watson #define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */ 6552267f74SRobert Watson #define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */ 6652267f74SRobert Watson #define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */ 677a0a89d2SRobert Watson #define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */ 687a0a89d2SRobert Watson #define AUDIT_TRIGGER_INITIALIZE 7 /* Initialize audit. */ 697a0a89d2SRobert Watson #define AUDIT_TRIGGER_MAX 7 7052267f74SRobert Watson 7152267f74SRobert Watson /* 7252267f74SRobert Watson * The special device filename (FreeBSD). 7352267f74SRobert Watson */ 7452267f74SRobert Watson #define AUDITDEV_FILENAME "audit" 7552267f74SRobert Watson #define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME) 7652267f74SRobert Watson 7752267f74SRobert Watson /* 7852267f74SRobert Watson * Pre-defined audit IDs 7952267f74SRobert Watson */ 807a0a89d2SRobert Watson #define AU_DEFAUDITID (uid_t)(-1) 817a0a89d2SRobert Watson #define AU_DEFAUDITSID 0 827a0a89d2SRobert Watson #define AU_ASSIGN_ASID -1 8352267f74SRobert Watson 8452267f74SRobert Watson /* 8552267f74SRobert Watson * IPC types. 8652267f74SRobert Watson */ 8752267f74SRobert Watson #define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ 8852267f74SRobert Watson #define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ 8952267f74SRobert Watson #define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */ 9052267f74SRobert Watson 9152267f74SRobert Watson /* 9252267f74SRobert Watson * Audit conditions. 9352267f74SRobert Watson */ 9452267f74SRobert Watson #define AUC_UNSET 0 9552267f74SRobert Watson #define AUC_AUDITING 1 9652267f74SRobert Watson #define AUC_NOAUDIT 2 9752267f74SRobert Watson #define AUC_DISABLED -1 9852267f74SRobert Watson 9952267f74SRobert Watson /* 10052267f74SRobert Watson * auditon(2) commands. 10152267f74SRobert Watson */ 10252267f74SRobert Watson #define A_GETPOLICY 2 10352267f74SRobert Watson #define A_SETPOLICY 3 10452267f74SRobert Watson #define A_GETKMASK 4 10552267f74SRobert Watson #define A_SETKMASK 5 10652267f74SRobert Watson #define A_GETQCTRL 6 10752267f74SRobert Watson #define A_SETQCTRL 7 10852267f74SRobert Watson #define A_GETCWD 8 10952267f74SRobert Watson #define A_GETCAR 9 11052267f74SRobert Watson #define A_GETSTAT 12 11152267f74SRobert Watson #define A_SETSTAT 13 11252267f74SRobert Watson #define A_SETUMASK 14 11352267f74SRobert Watson #define A_SETSMASK 15 11452267f74SRobert Watson #define A_GETCOND 20 11552267f74SRobert Watson #define A_SETCOND 21 11652267f74SRobert Watson #define A_GETCLASS 22 11752267f74SRobert Watson #define A_SETCLASS 23 11852267f74SRobert Watson #define A_GETPINFO 24 11952267f74SRobert Watson #define A_SETPMASK 25 12052267f74SRobert Watson #define A_SETFSIZE 26 12152267f74SRobert Watson #define A_GETFSIZE 27 12252267f74SRobert Watson #define A_GETPINFO_ADDR 28 12352267f74SRobert Watson #define A_GETKAUDIT 29 12452267f74SRobert Watson #define A_SETKAUDIT 30 12552267f74SRobert Watson #define A_SENDTRIGGER 31 1267a0a89d2SRobert Watson #define A_GETSINFO_ADDR 32 12752267f74SRobert Watson 12852267f74SRobert Watson /* 12952267f74SRobert Watson * Audit policy controls. 13052267f74SRobert Watson */ 13152267f74SRobert Watson #define AUDIT_CNT 0x0001 13252267f74SRobert Watson #define AUDIT_AHLT 0x0002 13352267f74SRobert Watson #define AUDIT_ARGV 0x0004 13452267f74SRobert Watson #define AUDIT_ARGE 0x0008 13552267f74SRobert Watson #define AUDIT_SEQ 0x0010 13652267f74SRobert Watson #define AUDIT_WINDATA 0x0020 13752267f74SRobert Watson #define AUDIT_USER 0x0040 13852267f74SRobert Watson #define AUDIT_GROUP 0x0080 13952267f74SRobert Watson #define AUDIT_TRAIL 0x0100 14052267f74SRobert Watson #define AUDIT_PATH 0x0200 14152267f74SRobert Watson #define AUDIT_SCNT 0x0400 14252267f74SRobert Watson #define AUDIT_PUBLIC 0x0800 14352267f74SRobert Watson #define AUDIT_ZONENAME 0x1000 14452267f74SRobert Watson #define AUDIT_PERZONE 0x2000 14552267f74SRobert Watson 14652267f74SRobert Watson /* 14752267f74SRobert Watson * Default audit queue control parameters. 14852267f74SRobert Watson */ 14952267f74SRobert Watson #define AQ_HIWATER 100 15052267f74SRobert Watson #define AQ_MAXHIGH 10000 15152267f74SRobert Watson #define AQ_LOWATER 10 15252267f74SRobert Watson #define AQ_BUFSZ MAXAUDITDATA 15352267f74SRobert Watson #define AQ_MAXBUFSZ 1048576 15452267f74SRobert Watson 15552267f74SRobert Watson /* 15652267f74SRobert Watson * Default minimum percentage free space on file system. 15752267f74SRobert Watson */ 15852267f74SRobert Watson #define AU_FS_MINFREE 20 15952267f74SRobert Watson 16052267f74SRobert Watson /* 16152267f74SRobert Watson * Type definitions used indicating the length of variable length addresses 16252267f74SRobert Watson * in tokens containing addresses, such as header fields. 16352267f74SRobert Watson */ 16452267f74SRobert Watson #define AU_IPv4 4 16552267f74SRobert Watson #define AU_IPv6 16 16652267f74SRobert Watson 16752267f74SRobert Watson __BEGIN_DECLS 16852267f74SRobert Watson 16952267f74SRobert Watson typedef uid_t au_id_t; 17052267f74SRobert Watson typedef pid_t au_asid_t; 17152267f74SRobert Watson typedef u_int16_t au_event_t; 17252267f74SRobert Watson typedef u_int16_t au_emod_t; 17352267f74SRobert Watson typedef u_int32_t au_class_t; 17452267f74SRobert Watson 17552267f74SRobert Watson struct au_tid { 17652267f74SRobert Watson dev_t port; 17752267f74SRobert Watson u_int32_t machine; 17852267f74SRobert Watson }; 17952267f74SRobert Watson typedef struct au_tid au_tid_t; 18052267f74SRobert Watson 18152267f74SRobert Watson struct au_tid_addr { 18252267f74SRobert Watson dev_t at_port; 18352267f74SRobert Watson u_int32_t at_type; 18452267f74SRobert Watson u_int32_t at_addr[4]; 18552267f74SRobert Watson }; 18652267f74SRobert Watson typedef struct au_tid_addr au_tid_addr_t; 18752267f74SRobert Watson 18852267f74SRobert Watson struct au_mask { 18952267f74SRobert Watson unsigned int am_success; /* Success bits. */ 19052267f74SRobert Watson unsigned int am_failure; /* Failure bits. */ 19152267f74SRobert Watson }; 19252267f74SRobert Watson typedef struct au_mask au_mask_t; 19352267f74SRobert Watson 19452267f74SRobert Watson struct auditinfo { 19552267f74SRobert Watson au_id_t ai_auid; /* Audit user ID. */ 19652267f74SRobert Watson au_mask_t ai_mask; /* Audit masks. */ 19752267f74SRobert Watson au_tid_t ai_termid; /* Terminal ID. */ 19852267f74SRobert Watson au_asid_t ai_asid; /* Audit session ID. */ 19952267f74SRobert Watson }; 20052267f74SRobert Watson typedef struct auditinfo auditinfo_t; 20152267f74SRobert Watson 20252267f74SRobert Watson struct auditinfo_addr { 20352267f74SRobert Watson au_id_t ai_auid; /* Audit user ID. */ 20452267f74SRobert Watson au_mask_t ai_mask; /* Audit masks. */ 20552267f74SRobert Watson au_tid_addr_t ai_termid; /* Terminal ID. */ 20652267f74SRobert Watson au_asid_t ai_asid; /* Audit session ID. */ 2077a0a89d2SRobert Watson u_int64_t ai_flags; /* Audit session flags. */ 20852267f74SRobert Watson }; 20952267f74SRobert Watson typedef struct auditinfo_addr auditinfo_addr_t; 21052267f74SRobert Watson 21152267f74SRobert Watson struct auditpinfo { 21252267f74SRobert Watson pid_t ap_pid; /* ID of target process. */ 21352267f74SRobert Watson au_id_t ap_auid; /* Audit user ID. */ 21452267f74SRobert Watson au_mask_t ap_mask; /* Audit masks. */ 21552267f74SRobert Watson au_tid_t ap_termid; /* Terminal ID. */ 21652267f74SRobert Watson au_asid_t ap_asid; /* Audit session ID. */ 2177a0a89d2SRobert Watson u_int64_t ap_flags; /* Audit session flags. */ 21852267f74SRobert Watson }; 21952267f74SRobert Watson typedef struct auditpinfo auditpinfo_t; 22052267f74SRobert Watson 22152267f74SRobert Watson struct auditpinfo_addr { 22252267f74SRobert Watson pid_t ap_pid; /* ID of target process. */ 22352267f74SRobert Watson au_id_t ap_auid; /* Audit user ID. */ 22452267f74SRobert Watson au_mask_t ap_mask; /* Audit masks. */ 22552267f74SRobert Watson au_tid_addr_t ap_termid; /* Terminal ID. */ 22652267f74SRobert Watson au_asid_t ap_asid; /* Audit session ID. */ 22752267f74SRobert Watson }; 22852267f74SRobert Watson typedef struct auditpinfo_addr auditpinfo_addr_t; 22952267f74SRobert Watson 2307a0a89d2SRobert Watson struct au_session { 2317a0a89d2SRobert Watson auditinfo_addr_t *as_aia_p; /* Ptr to full audit info. */ 2327a0a89d2SRobert Watson #define as_asid as_aia_p->ai_asid 2337a0a89d2SRobert Watson #define as_auid as_aia_p->ai_auid 2347a0a89d2SRobert Watson #define as_termid as_aia_p->ai_termid 2357a0a89d2SRobert Watson 2367a0a89d2SRobert Watson au_mask_t as_mask; /* Process Audit Masks. */ 2377a0a89d2SRobert Watson }; 2387a0a89d2SRobert Watson typedef struct au_session au_session_t; 2397a0a89d2SRobert Watson 24052267f74SRobert Watson /* 24152267f74SRobert Watson * Contents of token_t are opaque outside of libbsm. 24252267f74SRobert Watson */ 24352267f74SRobert Watson typedef struct au_token token_t; 24452267f74SRobert Watson 24552267f74SRobert Watson /* 24652267f74SRobert Watson * Kernel audit queue control parameters. 24752267f74SRobert Watson */ 24852267f74SRobert Watson struct au_qctrl { 24952267f74SRobert Watson size_t aq_hiwater; 25052267f74SRobert Watson size_t aq_lowater; 25152267f74SRobert Watson size_t aq_bufsz; 25252267f74SRobert Watson clock_t aq_delay; 25352267f74SRobert Watson int aq_minfree; /* Minimum filesystem percent free space. */ 25452267f74SRobert Watson }; 25552267f74SRobert Watson typedef struct au_qctrl au_qctrl_t; 25652267f74SRobert Watson 25752267f74SRobert Watson /* 25852267f74SRobert Watson * Structure for the audit statistics. 25952267f74SRobert Watson */ 26052267f74SRobert Watson struct audit_stat { 26152267f74SRobert Watson unsigned int as_version; 26252267f74SRobert Watson unsigned int as_numevent; 26352267f74SRobert Watson int as_generated; 26452267f74SRobert Watson int as_nonattrib; 26552267f74SRobert Watson int as_kernel; 26652267f74SRobert Watson int as_audit; 26752267f74SRobert Watson int as_auditctl; 26852267f74SRobert Watson int as_enqueue; 26952267f74SRobert Watson int as_written; 27052267f74SRobert Watson int as_wblocked; 27152267f74SRobert Watson int as_rblocked; 27252267f74SRobert Watson int as_dropped; 27352267f74SRobert Watson int as_totalsize; 27452267f74SRobert Watson unsigned int as_memused; 27552267f74SRobert Watson }; 27652267f74SRobert Watson typedef struct audit_stat au_stat_t; 27752267f74SRobert Watson 27852267f74SRobert Watson /* 27952267f74SRobert Watson * Structure for the audit file statistics. 28052267f74SRobert Watson */ 28152267f74SRobert Watson struct audit_fstat { 28252267f74SRobert Watson u_quad_t af_filesz; 28352267f74SRobert Watson u_quad_t af_currsz; 28452267f74SRobert Watson }; 28552267f74SRobert Watson typedef struct audit_fstat au_fstat_t; 28652267f74SRobert Watson 28752267f74SRobert Watson /* 28852267f74SRobert Watson * Audit to event class mapping. 28952267f74SRobert Watson */ 29052267f74SRobert Watson struct au_evclass_map { 29152267f74SRobert Watson au_event_t ec_number; 29252267f74SRobert Watson au_class_t ec_class; 29352267f74SRobert Watson }; 29452267f74SRobert Watson typedef struct au_evclass_map au_evclass_map_t; 29552267f74SRobert Watson 29652267f74SRobert Watson /* 29752267f74SRobert Watson * Audit system calls. 29852267f74SRobert Watson */ 29952267f74SRobert Watson #if !defined(_KERNEL) && !defined(KERNEL) 30052267f74SRobert Watson int audit(const void *, int); 30152267f74SRobert Watson int auditon(int, void *, int); 30252267f74SRobert Watson int auditctl(const char *); 30352267f74SRobert Watson int getauid(au_id_t *); 30452267f74SRobert Watson int setauid(const au_id_t *); 30552267f74SRobert Watson int getaudit(struct auditinfo *); 30652267f74SRobert Watson int setaudit(const struct auditinfo *); 30752267f74SRobert Watson int getaudit_addr(struct auditinfo_addr *, int); 30852267f74SRobert Watson int setaudit_addr(const struct auditinfo_addr *, int); 30952267f74SRobert Watson #endif /* defined(_KERNEL) || defined(KERNEL) */ 31052267f74SRobert Watson 31152267f74SRobert Watson __END_DECLS 31252267f74SRobert Watson 31352267f74SRobert Watson #endif /* !_BSM_AUDIT_H */ 314