xref: /freebsd/sys/bsm/audit.h (revision 4fd2d3b6927878771635a3628ae1623daf810d39) 
1 /*
2  * Copyright (c) 2005 Apple Computer, Inc.
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  * 1.  Redistributions of source code must retain the above copyright
10  *     notice, this list of conditions and the following disclaimer.
11  * 2.  Redistributions in binary form must reproduce the above copyright
12  *     notice, this list of conditions and the following disclaimer in the
13  *     documentation and/or other materials provided with the distribution.
14  * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
15  *     its contributors may be used to endorse or promote products derived
16  *     from this software without specific prior written permission.
17  *
18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  *
29  * P4: //depot/projects/trustedbsd/audit3/sys/bsm/audit.h#40
30  * $FreeBSD$
31  */
32 
33 #ifndef _BSM_AUDIT_H
34 #define	_BSM_AUDIT_H
35 
36 #include <sys/param.h>
37 #include <sys/cdefs.h>
38 #include <sys/queue.h>
39 
40 #define	AUDIT_RECORD_MAGIC	0x828a0f1b
41 #define	MAX_AUDIT_RECORDS	20
42 #define	MAXAUDITDATA		(0x8000 - 1)
43 #define	MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA
44 #define	MIN_AUDIT_FILE_SIZE	(512 * 1024)
45 
46 /*
47  * Minimum noumber of free blocks on the filesystem containing the audit
48  * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0
49  * as the kernel does an unsigned compare, plus we want to leave a few blocks
50  * free so userspace can terminate the log, etc.
51  */
52 #define	AUDIT_HARD_LIMIT_FREE_BLOCKS	4
53 
54 /*
55  * Triggers for the audit daemon.
56  */
57 #define	AUDIT_TRIGGER_MIN		1
58 #define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
59 #define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
60 #define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
61 #define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
62 #define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
63 #define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests roate. */
64 #define	AUDIT_TRIGGER_MAX		6
65 
66 /*
67  * The special device filename (FreeBSD).
68  */
69 #define	AUDITDEV_FILENAME	"audit"
70 #define	AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)
71 
72 /*
73  * Pre-defined audit IDs
74  */
75 #define	AU_DEFAUDITID	-1
76 
77 /*
78  * IPC types.
79  */
80 #define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
81 #define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */
82 #define	AT_IPC_SHM	((u_char)3)	/* Shared mem IPC id. */
83 
84 /*
85  * Audit conditions.
86  */
87 #define	AUC_UNSET		0
88 #define	AUC_AUDITING		1
89 #define	AUC_NOAUDIT		2
90 #define	AUC_DISABLED		-1
91 
92 /*
93  * auditon(2) commands.
94  */
95 #define	A_GETPOLICY	2
96 #define	A_SETPOLICY	3
97 #define	A_GETKMASK	4
98 #define	A_SETKMASK	5
99 #define	A_GETQCTRL	6
100 #define	A_SETQCTRL	7
101 #define	A_GETCWD	8
102 #define	A_GETCAR	9
103 #define	A_GETSTAT	12
104 #define	A_SETSTAT	13
105 #define	A_SETUMASK	14
106 #define	A_SETSMASK	15
107 #define	A_GETCOND	20
108 #define	A_SETCOND	21
109 #define	A_GETCLASS	22
110 #define	A_SETCLASS	23
111 #define	A_GETPINFO	24
112 #define	A_SETPMASK	25
113 #define	A_SETFSIZE	26
114 #define	A_GETFSIZE	27
115 #define	A_GETPINFO_ADDR	28
116 #define	A_GETKAUDIT	29
117 #define	A_SETKAUDIT	30
118 #define	A_SENDTRIGGER	31
119 
120 /*
121  * Audit policy controls.
122  */
123 #define	AUDIT_CNT	0x0001
124 #define	AUDIT_AHLT	0x0002
125 #define	AUDIT_ARGV	0x0004
126 #define	AUDIT_ARGE	0x0008
127 #define	AUDIT_SEQ	0x0010
128 #define	AUDIT_WINDATA	0x0020
129 #define	AUDIT_USER	0x0040
130 #define	AUDIT_GROUP	0x0080
131 #define	AUDIT_TRAIL	0x0100
132 #define	AUDIT_PATH	0x0200
133 #define	AUDIT_SCNT	0x0400
134 #define	AUDIT_PUBLIC	0x0800
135 #define	AUDIT_ZONENAME	0x1000
136 #define	AUDIT_PERZONE	0x2000
137 
138 /*
139  * Default audit queue control parameters.
140  */
141 #define	AQ_HIWATER	100
142 #define	AQ_MAXHIGH	10000
143 #define	AQ_LOWATER	10
144 #define	AQ_BUFSZ	MAXAUDITDATA
145 #define	AQ_MAXBUFSZ	1048576
146 
147 /*
148  * Default minimum percentage free space on file system.
149  */
150 #define	AU_FS_MINFREE	20
151 
152 /*
153  * Type definitions used indicating the length of variable length addresses
154  * in tokens containing addresses, such as header fields.
155  */
156 #define	AU_IPv4		4
157 #define	AU_IPv6		16
158 
159 __BEGIN_DECLS
160 
161 typedef	uid_t		au_id_t;
162 typedef	pid_t		au_asid_t;
163 typedef	u_int16_t	au_event_t;
164 typedef	u_int16_t	au_emod_t;
165 typedef	u_int32_t	au_class_t;
166 
167 struct au_tid {
168 	dev_t		port;
169 	u_int32_t	machine;
170 };
171 typedef	struct au_tid	au_tid_t;
172 
173 struct au_tid_addr {
174 	dev_t		at_port;
175 	u_int32_t	at_type;
176 	u_int32_t	at_addr[4];
177 };
178 typedef	struct au_tid_addr	au_tid_addr_t;
179 
180 struct au_mask {
181 	unsigned int    am_success;     /* Success bits. */
182 	unsigned int    am_failure;     /* Failure bits. */
183 };
184 typedef	struct au_mask	au_mask_t;
185 
186 struct auditinfo {
187 	au_id_t		ai_auid;	/* Audit user ID. */
188 	au_mask_t	ai_mask;	/* Audit masks. */
189 	au_tid_t	ai_termid;	/* Terminal ID. */
190 	au_asid_t	ai_asid;	/* Audit session ID. */
191 };
192 typedef	struct auditinfo	auditinfo_t;
193 
194 struct auditinfo_addr {
195 	au_id_t		ai_auid;	/* Audit user ID. */
196 	au_mask_t	ai_mask;	/* Audit masks. */
197 	au_tid_addr_t	ai_termid;	/* Terminal ID. */
198 	au_asid_t	ai_asid;	/* Audit session ID. */
199 };
200 typedef	struct auditinfo_addr	auditinfo_addr_t;
201 
202 struct auditpinfo {
203 	pid_t		ap_pid;		/* ID of target process. */
204 	au_id_t		ap_auid;	/* Audit user ID. */
205 	au_mask_t	ap_mask;	/* Audit masks. */
206 	au_tid_t	ap_termid;	/* Terminal ID. */
207 	au_asid_t	ap_asid;	/* Audit session ID. */
208 };
209 typedef	struct auditpinfo	auditpinfo_t;
210 
211 struct auditpinfo_addr {
212 	pid_t		ap_pid;		/* ID of target process. */
213 	au_id_t		ap_auid;	/* Audit user ID. */
214 	au_mask_t	ap_mask;	/* Audit masks. */
215 	au_tid_addr_t	ap_termid;	/* Terminal ID. */
216 	au_asid_t	ap_asid;	/* Audit session ID. */
217 };
218 typedef	struct auditpinfo_addr	auditpinfo_addr_t;
219 
220 /*
221  * Contents of token_t are opaque outside of libbsm.
222  */
223 typedef	struct au_token	token_t;
224 
225 /*
226  * Kernel audit queue control parameters.
227  */
228 struct au_qctrl {
229 	size_t	aq_hiwater;
230 	size_t	aq_lowater;
231 	size_t	aq_bufsz;
232 	clock_t	aq_delay;
233 	int	aq_minfree;	/* Minimum filesystem percent free space. */
234 };
235 typedef	struct au_qctrl	au_qctrl_t;
236 
237 /*
238  * Structure for the audit statistics.
239  */
240 struct audit_stat {
241 	unsigned int	as_version;
242 	unsigned int	as_numevent;
243 	int		as_generated;
244 	int		as_nonattrib;
245 	int		as_kernel;
246 	int		as_audit;
247 	int		as_auditctl;
248 	int		as_enqueue;
249 	int		as_written;
250 	int		as_wblocked;
251 	int		as_rblocked;
252 	int		as_dropped;
253 	int		as_totalsize;
254 	unsigned int	as_memused;
255 };
256 typedef	struct audit_stat	au_stat_t;
257 
258 /*
259  * Structure for the audit file statistics.
260  */
261 struct audit_fstat {
262 	u_quad_t	af_filesz;
263 	u_quad_t	af_currsz;
264 };
265 typedef	struct audit_fstat	au_fstat_t;
266 
267 /*
268  * Audit to event class mapping.
269  */
270 struct au_evclass_map {
271 	au_event_t	ec_number;
272 	au_class_t	ec_class;
273 };
274 typedef	struct au_evclass_map	au_evclass_map_t;
275 
276 /*
277  * Audit system calls.
278  */
279 #if !defined(_KERNEL) && !defined(KERNEL)
280 int	audit(const void *, int);
281 int	auditon(int, void *, int);
282 int	auditctl(const char *);
283 int	getauid(au_id_t *);
284 int	setauid(const au_id_t *);
285 int	getaudit(struct auditinfo *);
286 int	setaudit(const struct auditinfo *);
287 int	getaudit_addr(struct auditinfo_addr *, int);
288 int	setaudit_addr(const struct auditinfo_addr *, int);
289 #endif /* defined(_KERNEL) || defined(KERNEL) */
290 
291 __END_DECLS
292 
293 #endif /* !_BSM_AUDIT_H */
294