1 /*- 2 * Copyright (c) 2005-2009 Apple Inc. 3 * Copyright (c) 2016 Robert N. M. Watson 4 * All rights reserved. 5 * 6 * Portions of this software were developed by BAE Systems, the University of 7 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL 8 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent 9 * Computing (TC) research program. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 21 * its contributors may be used to endorse or promote products derived 22 * from this software without specific prior written permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 25 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 26 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 27 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 28 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 29 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 30 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 31 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 32 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 33 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 #ifndef _BSM_AUDIT_H 37 #define _BSM_AUDIT_H 38 39 #include <sys/param.h> 40 #include <sys/types.h> 41 42 #define AUDIT_RECORD_MAGIC 0x828a0f1b 43 #define MAX_AUDIT_RECORDS 20 44 #define MAXAUDITDATA (0x8000 - 1) 45 #define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA 46 #define MIN_AUDIT_FILE_SIZE (512 * 1024) 47 48 /* 49 * Minimum noumber of free blocks on the filesystem containing the audit 50 * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0 51 * as the kernel does an unsigned compare, plus we want to leave a few blocks 52 * free so userspace can terminate the log, etc. 53 */ 54 #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 55 56 /* 57 * Triggers for the audit daemon. 58 */ 59 #define AUDIT_TRIGGER_MIN 1 60 #define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */ 61 #define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */ 62 #define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */ 63 #define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */ 64 #define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */ 65 #define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */ 66 #define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */ 67 #define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */ 68 #define AUDIT_TRIGGER_MAX 8 69 70 /* 71 * The special device filename (FreeBSD). 72 */ 73 #define AUDITDEV_FILENAME "audit" 74 #define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME) 75 76 /* 77 * Pre-defined audit IDs 78 */ 79 #define AU_DEFAUDITID (uid_t)(-1) 80 #define AU_DEFAUDITSID 0 81 #define AU_ASSIGN_ASID -1 82 83 /* 84 * IPC types. 85 */ 86 #define AT_IPC_MSG ((u_char)1) /* Message IPC id. */ 87 #define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */ 88 #define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */ 89 90 /* 91 * Audit conditions. 92 */ 93 #define AUC_UNSET 0 94 #define AUC_AUDITING 1 95 #define AUC_NOAUDIT 2 96 #define AUC_DISABLED -1 97 98 /* 99 * auditon(2) commands. 100 */ 101 #define A_OLDGETPOLICY 2 102 #define A_OLDSETPOLICY 3 103 #define A_GETKMASK 4 104 #define A_SETKMASK 5 105 #define A_OLDGETQCTRL 6 106 #define A_OLDSETQCTRL 7 107 #define A_GETCWD 8 108 #define A_GETCAR 9 109 #define A_GETSTAT 12 110 #define A_SETSTAT 13 111 #define A_SETUMASK 14 112 #define A_SETSMASK 15 113 #define A_OLDGETCOND 20 114 #define A_OLDSETCOND 21 115 #define A_GETCLASS 22 116 #define A_SETCLASS 23 117 #define A_GETPINFO 24 118 #define A_SETPMASK 25 119 #define A_SETFSIZE 26 120 #define A_GETFSIZE 27 121 #define A_GETPINFO_ADDR 28 122 #define A_GETKAUDIT 29 123 #define A_SETKAUDIT 30 124 #define A_SENDTRIGGER 31 125 #define A_GETSINFO_ADDR 32 126 #define A_GETPOLICY 33 127 #define A_SETPOLICY 34 128 #define A_GETQCTRL 35 129 #define A_SETQCTRL 36 130 #define A_GETCOND 37 131 #define A_SETCOND 38 132 #define A_GETEVENT 39 /* Get audit event-to-name mapping. */ 133 #define A_SETEVENT 40 /* Set audit event-to-name mapping. */ 134 135 /* 136 * Audit policy controls. 137 */ 138 #define AUDIT_CNT 0x0001 139 #define AUDIT_AHLT 0x0002 140 #define AUDIT_ARGV 0x0004 141 #define AUDIT_ARGE 0x0008 142 #define AUDIT_SEQ 0x0010 143 #define AUDIT_WINDATA 0x0020 144 #define AUDIT_USER 0x0040 145 #define AUDIT_GROUP 0x0080 146 #define AUDIT_TRAIL 0x0100 147 #define AUDIT_PATH 0x0200 148 #define AUDIT_SCNT 0x0400 149 #define AUDIT_PUBLIC 0x0800 150 #define AUDIT_ZONENAME 0x1000 151 #define AUDIT_PERZONE 0x2000 152 153 /* 154 * Default audit queue control parameters. 155 */ 156 #define AQ_HIWATER 100 157 #define AQ_MAXHIGH 10000 158 #define AQ_LOWATER 10 159 #define AQ_BUFSZ MAXAUDITDATA 160 #define AQ_MAXBUFSZ 1048576 161 162 /* 163 * Default minimum percentage free space on file system. 164 */ 165 #define AU_FS_MINFREE 20 166 167 /* 168 * Type definitions used indicating the length of variable length addresses 169 * in tokens containing addresses, such as header fields. 170 */ 171 #define AU_IPv4 4 172 #define AU_IPv6 16 173 174 __BEGIN_DECLS 175 176 typedef uid_t au_id_t; 177 typedef pid_t au_asid_t; 178 typedef u_int16_t au_event_t; 179 typedef u_int16_t au_emod_t; 180 typedef u_int32_t au_class_t; 181 typedef u_int64_t au_asflgs_t __attribute__ ((aligned (8))); 182 183 struct au_tid { 184 dev_t port; 185 u_int32_t machine; 186 }; 187 typedef struct au_tid au_tid_t; 188 189 struct au_tid_addr { 190 dev_t at_port; 191 u_int32_t at_type; 192 u_int32_t at_addr[4]; 193 }; 194 typedef struct au_tid_addr au_tid_addr_t; 195 196 struct au_mask { 197 unsigned int am_success; /* Success bits. */ 198 unsigned int am_failure; /* Failure bits. */ 199 }; 200 typedef struct au_mask au_mask_t; 201 202 struct auditinfo { 203 au_id_t ai_auid; /* Audit user ID. */ 204 au_mask_t ai_mask; /* Audit masks. */ 205 au_tid_t ai_termid; /* Terminal ID. */ 206 au_asid_t ai_asid; /* Audit session ID. */ 207 }; 208 typedef struct auditinfo auditinfo_t; 209 210 struct auditinfo_addr { 211 au_id_t ai_auid; /* Audit user ID. */ 212 au_mask_t ai_mask; /* Audit masks. */ 213 au_tid_addr_t ai_termid; /* Terminal ID. */ 214 au_asid_t ai_asid; /* Audit session ID. */ 215 au_asflgs_t ai_flags; /* Audit session flags. */ 216 }; 217 typedef struct auditinfo_addr auditinfo_addr_t; 218 219 struct auditpinfo { 220 pid_t ap_pid; /* ID of target process. */ 221 au_id_t ap_auid; /* Audit user ID. */ 222 au_mask_t ap_mask; /* Audit masks. */ 223 au_tid_t ap_termid; /* Terminal ID. */ 224 au_asid_t ap_asid; /* Audit session ID. */ 225 }; 226 typedef struct auditpinfo auditpinfo_t; 227 228 struct auditpinfo_addr { 229 pid_t ap_pid; /* ID of target process. */ 230 au_id_t ap_auid; /* Audit user ID. */ 231 au_mask_t ap_mask; /* Audit masks. */ 232 au_tid_addr_t ap_termid; /* Terminal ID. */ 233 au_asid_t ap_asid; /* Audit session ID. */ 234 au_asflgs_t ap_flags; /* Audit session flags. */ 235 }; 236 typedef struct auditpinfo_addr auditpinfo_addr_t; 237 238 struct au_session { 239 auditinfo_addr_t *as_aia_p; /* Ptr to full audit info. */ 240 au_mask_t as_mask; /* Process Audit Masks. */ 241 }; 242 typedef struct au_session au_session_t; 243 244 /* 245 * Contents of token_t are opaque outside of libbsm. 246 */ 247 typedef struct au_token token_t; 248 249 /* 250 * Kernel audit queue control parameters: 251 * Default: Maximum: 252 * aq_hiwater: AQ_HIWATER (100) AQ_MAXHIGH (10000) 253 * aq_lowater: AQ_LOWATER (10) <aq_hiwater 254 * aq_bufsz: AQ_BUFSZ (32767) AQ_MAXBUFSZ (1048576) 255 * aq_delay: 20 20000 (not used) 256 */ 257 struct au_qctrl { 258 int aq_hiwater; /* Max # of audit recs in queue when */ 259 /* threads with new ARs get blocked. */ 260 261 int aq_lowater; /* # of audit recs in queue when */ 262 /* blocked threads get unblocked. */ 263 264 int aq_bufsz; /* Max size of audit record for audit(2). */ 265 int aq_delay; /* Queue delay (not used). */ 266 int aq_minfree; /* Minimum filesystem percent free space. */ 267 }; 268 typedef struct au_qctrl au_qctrl_t; 269 270 /* 271 * Structure for the audit statistics. 272 */ 273 struct audit_stat { 274 unsigned int as_version; 275 unsigned int as_numevent; 276 int as_generated; 277 int as_nonattrib; 278 int as_kernel; 279 int as_audit; 280 int as_auditctl; 281 int as_enqueue; 282 int as_written; 283 int as_wblocked; 284 int as_rblocked; 285 int as_dropped; 286 int as_totalsize; 287 unsigned int as_memused; 288 }; 289 typedef struct audit_stat au_stat_t; 290 291 /* 292 * Structure for the audit file statistics. 293 */ 294 struct audit_fstat { 295 u_int64_t af_filesz; 296 u_int64_t af_currsz; 297 }; 298 typedef struct audit_fstat au_fstat_t; 299 300 /* 301 * Audit to event class mapping. 302 */ 303 struct au_evclass_map { 304 au_event_t ec_number; 305 au_class_t ec_class; 306 }; 307 typedef struct au_evclass_map au_evclass_map_t; 308 309 /* 310 * Event-to-name mapping. 311 */ 312 #define EVNAMEMAP_NAME_SIZE 64 313 struct au_evname_map { 314 au_event_t en_number; 315 char en_name[EVNAMEMAP_NAME_SIZE]; 316 }; 317 typedef struct au_evname_map au_evname_map_t; 318 319 /* 320 * Audit system calls. 321 */ 322 #if !defined(_KERNEL) && !defined(KERNEL) 323 int audit(const void *, int); 324 int auditon(int, void *, int); 325 int auditctl(const char *); 326 int getauid(au_id_t *); 327 int setauid(const au_id_t *); 328 int getaudit(struct auditinfo *); 329 int setaudit(const struct auditinfo *); 330 int getaudit_addr(struct auditinfo_addr *, int); 331 int setaudit_addr(const struct auditinfo_addr *, int); 332 333 #ifdef __APPLE_API_PRIVATE 334 #include <mach/port.h> 335 mach_port_name_t audit_session_self(void); 336 au_asid_t audit_session_join(mach_port_name_t port); 337 #endif /* __APPLE_API_PRIVATE */ 338 339 #endif /* defined(_KERNEL) || defined(KERNEL) */ 340 341 __END_DECLS 342 343 #endif /* !_BSM_AUDIT_H */ 344