1*199767f8SToomas Soome /*-
2*199767f8SToomas Soome  * Copyright (c) 2005-2009 Apple Inc.
3*199767f8SToomas Soome  * All rights reserved.
4*199767f8SToomas Soome  *
5*199767f8SToomas Soome  * Redistribution and use in source and binary forms, with or without
6*199767f8SToomas Soome  * modification, are permitted provided that the following conditions
7*199767f8SToomas Soome  * are met:
8*199767f8SToomas Soome  *
9*199767f8SToomas Soome  * 1.  Redistributions of source code must retain the above copyright
10*199767f8SToomas Soome  *     notice, this list of conditions and the following disclaimer.
11*199767f8SToomas Soome  * 2.  Redistributions in binary form must reproduce the above copyright
12*199767f8SToomas Soome  *     notice, this list of conditions and the following disclaimer in the
13*199767f8SToomas Soome  *     documentation and/or other materials provided with the distribution.
14*199767f8SToomas Soome  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
15*199767f8SToomas Soome  *     its contributors may be used to endorse or promote products derived
16*199767f8SToomas Soome  *     from this software without specific prior written permission.
17*199767f8SToomas Soome  *
18*199767f8SToomas Soome  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19*199767f8SToomas Soome  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20*199767f8SToomas Soome  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21*199767f8SToomas Soome  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22*199767f8SToomas Soome  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23*199767f8SToomas Soome  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24*199767f8SToomas Soome  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25*199767f8SToomas Soome  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26*199767f8SToomas Soome  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27*199767f8SToomas Soome  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28*199767f8SToomas Soome  *
29*199767f8SToomas Soome  * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10
30*199767f8SToomas Soome  * $FreeBSD$
31*199767f8SToomas Soome  */
32*199767f8SToomas Soome 
33*199767f8SToomas Soome #ifndef	_BSM_AUDIT_H
34*199767f8SToomas Soome #define	_BSM_AUDIT_H
35*199767f8SToomas Soome 
36*199767f8SToomas Soome #include <sys/param.h>
37*199767f8SToomas Soome #include <sys/types.h>
38*199767f8SToomas Soome 
/*
 * Record and trail sizing constants.  MAXAUDITDATA (0x7fff = 32767) is the
 * default upper bound on a single record handed to audit(2): AQ_BUFSZ below
 * is defined as MAXAUDITDATA and becomes the default aq_bufsz.
 */
#define	AUDIT_RECORD_MAGIC	0x828a0f1b	/* Magic value for audit records. */
#define	MAX_AUDIT_RECORDS	20
#define	MAXAUDITDATA		(0x8000 - 1)	/* 32767 bytes. */
#define	MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA
#define	MIN_AUDIT_FILE_SIZE	(512 * 1024)	/* 512 KiB. */
44*199767f8SToomas Soome 
/*
 * Minimum number of free blocks on the filesystem containing the audit
 * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0
 * as the kernel does an unsigned compare, plus we want to leave a few blocks
 * free so userspace can terminate the log, etc.
 */
#define	AUDIT_HARD_LIMIT_FREE_BLOCKS	4
52*199767f8SToomas Soome 
/*
 * Triggers for the audit daemon.  AUDIT_TRIGGER_MIN and AUDIT_TRIGGER_MAX
 * bound the valid range (1..8); a trigger value read from the audit device
 * should be range-checked against them before it is acted on, and
 * AUDIT_TRIGGER_MAX must be kept equal to the last trigger defined here.
 */
#define	AUDIT_TRIGGER_MIN		1
#define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
#define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
#define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
#define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
#define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests rotate. */
#define	AUDIT_TRIGGER_INITIALIZE	7	/* User initialize of auditd. */
#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8	/* User expiration of trails. */
#define	AUDIT_TRIGGER_MAX		8	/* Must equal the last trigger above. */
66*199767f8SToomas Soome 
/*
 * The special device filename (FreeBSD).  AUDIT_TRIGGER_FILE is formed by
 * string-literal concatenation and expands to "/dev/audit".
 */
#define	AUDITDEV_FILENAME	"audit"
#define	AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)
72*199767f8SToomas Soome 
/*
 * Pre-defined audit IDs.
 *
 * AU_DEFAUDITID is uid_t with every bit set; compare it only against
 * uid_t/au_id_t values, since a signed comparison would see -1 instead.
 * Neither the cast nor the -1 literal below is wrapped in an outer pair of
 * parentheses, so parenthesize these macros if they are ever used inside a
 * larger expression.
 */
#define	AU_DEFAUDITID	(uid_t)(-1)	/* Default audit ID (all bits set). */
#define	AU_DEFAUDITSID	 0		/* Default audit session ID. */
#define	AU_ASSIGN_ASID	-1		/* Session ID to be assigned (inferred from name). */
79*199767f8SToomas Soome 
/*
 * IPC types.  Each is cast to u_char, i.e. a one-byte type discriminator.
 */
#define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
#define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */
#define	AT_IPC_SHM	((u_char)3)	/* Shared mem IPC id. */
86*199767f8SToomas Soome 
/*
 * Audit conditions.  AUC_DISABLED is negative, so a condition must be
 * stored and compared as a signed int; an unsigned holder would turn it
 * into a large positive value and defeat any ordering check.
 */
#define	AUC_UNSET		0	/* Condition not yet set. */
#define	AUC_AUDITING		1	/* Auditing enabled. */
#define	AUC_NOAUDIT		2	/* Auditing not active. */
#define	AUC_DISABLED		-1	/* Auditing disabled; note: negative. */
94*199767f8SToomas Soome 
/*
 * auditon(2) commands.
 *
 * The A_OLD* commands each have a newer replacement defined at the end of
 * the list (A_GETPOLICY/A_SETPOLICY, A_GETQCTRL/A_SETQCTRL,
 * A_GETCOND/A_SETCOND).  Command numbers 10-11 and 16-19 are not assigned
 * in this header.
 */
#define	A_OLDGETPOLICY	2	/* Superseded by A_GETPOLICY. */
#define	A_OLDSETPOLICY	3	/* Superseded by A_SETPOLICY. */
#define	A_GETKMASK	4
#define	A_SETKMASK	5
#define	A_OLDGETQCTRL	6	/* Superseded by A_GETQCTRL. */
#define	A_OLDSETQCTRL	7	/* Superseded by A_SETQCTRL. */
#define	A_GETCWD	8
#define	A_GETCAR	9
#define	A_GETSTAT	12
#define	A_SETSTAT	13
#define	A_SETUMASK	14
#define	A_SETSMASK	15
#define	A_OLDGETCOND	20	/* Superseded by A_GETCOND. */
#define	A_OLDSETCOND	21	/* Superseded by A_SETCOND. */
#define	A_GETCLASS	22
#define	A_SETCLASS	23
#define	A_GETPINFO	24
#define	A_SETPMASK	25
#define	A_SETFSIZE	26
#define	A_GETFSIZE	27
#define	A_GETPINFO_ADDR	28
#define	A_GETKAUDIT	29
#define	A_SETKAUDIT	30
#define	A_SENDTRIGGER	31
#define	A_GETSINFO_ADDR	32
#define	A_GETPOLICY	33
#define	A_SETPOLICY	34
#define	A_GETQCTRL	35
#define	A_SETQCTRL	36
#define	A_GETCOND	37
#define	A_SETCOND	38
129*199767f8SToomas Soome 
/*
 * Audit policy controls.  Each value is a distinct bit, so they are meant to
 * be OR-ed together.  The per-flag comments below follow the conventional
 * audit_control(5) "policy" keyword meanings; nothing in this header pins
 * them down, so confirm against the kernel before relying on them.  Note in
 * particular that arge records the exec environment, which can place
 * secrets in the trail.
 */
#define	AUDIT_CNT	0x0001	/* cnt: continue on audit failure. */
#define	AUDIT_AHLT	0x0002	/* ahlt: halt on audit failure. */
#define	AUDIT_ARGV	0x0004	/* argv: record exec arguments. */
#define	AUDIT_ARGE	0x0008	/* arge: record exec environment. */
#define	AUDIT_SEQ	0x0010	/* seq: add sequence token. */
#define	AUDIT_WINDATA	0x0020	/* windata: window data (meaning not given here). */
#define	AUDIT_USER	0x0040	/* user (meaning not given here). */
#define	AUDIT_GROUP	0x0080	/* group: add groups token. */
#define	AUDIT_TRAIL	0x0100	/* trail: add trailer token. */
#define	AUDIT_PATH	0x0200	/* path: add path tokens. */
#define	AUDIT_SCNT	0x0400	/* scnt (meaning not given here). */
#define	AUDIT_PUBLIC	0x0800	/* public: audit public files. */
#define	AUDIT_ZONENAME	0x1000	/* zonename: add zone name token. */
#define	AUDIT_PERZONE	0x2000	/* perzone: per-zone audit configuration. */
147*199767f8SToomas Soome 
/*
 * Default audit queue control parameters.  See struct au_qctrl below for
 * how each field is used and for the documented maxima.
 */
#define	AQ_HIWATER	100		/* Default aq_hiwater. */
#define	AQ_MAXHIGH	10000		/* Upper bound for aq_hiwater. */
#define	AQ_LOWATER	10		/* Default aq_lowater; must stay < aq_hiwater. */
#define	AQ_BUFSZ	MAXAUDITDATA	/* Default aq_bufsz (32767). */
#define	AQ_MAXBUFSZ	1048576		/* Upper bound for aq_bufsz (1 MiB). */
156*199767f8SToomas Soome 
/*
 * Default minimum percentage free space on file system (see aq_minfree in
 * struct au_qctrl).
 */
#define	AU_FS_MINFREE	20
161*199767f8SToomas Soome 
/*
 * Type definitions used indicating the length of variable length addresses
 * in tokens containing addresses, such as header fields.  The value is the
 * address length in bytes; au_tid_addr.at_addr (4 x u_int32_t) is large
 * enough for either.
 */
#define	AU_IPv4		4	/* IPv4 address, 4 bytes. */
#define	AU_IPv6		16	/* IPv6 address, 16 bytes. */
168*199767f8SToomas Soome 
169*199767f8SToomas Soome __BEGIN_DECLS
170*199767f8SToomas Soome 
/*
 * Basic audit scalar types.
 *
 * au_asflgs_t carries an explicit 8-byte alignment attribute, which shapes
 * the layout (padding and size) of every struct that embeds it --
 * auditinfo_addr and auditpinfo_addr below.  Keep that in mind whenever
 * those structs cross an ABI boundary.
 */
typedef	uid_t		au_id_t;	/* Audit user ID. */
typedef	pid_t		au_asid_t;	/* Audit session ID. */
typedef	u_int16_t	au_event_t;	/* Audit event number. */
typedef	u_int16_t	au_emod_t;	/* Audit event modifier (inferred from name). */
typedef	u_int32_t	au_class_t;	/* Audit event class. */
typedef	u_int64_t	au_asflgs_t __attribute__ ((aligned (8)));	/* Audit session flags, 8-byte aligned. */
177*199767f8SToomas Soome 
/*
 * Terminal ID (legacy form): a device number plus a 32-bit machine
 * identifier.  Embedded as ai_termid/ap_termid in the non-_addr
 * auditinfo structs below.
 */
struct au_tid {
	dev_t		port;		/* Terminal device. */
	u_int32_t	machine;	/* 32-bit machine identifier. */
};
typedef	struct au_tid	au_tid_t;
183*199767f8SToomas Soome 
/*
 * Terminal ID with a variable-length network address.  at_addr is sized
 * (4 x 32 bits = 16 bytes) to hold an AU_IPv6 address; at_type presumably
 * carries the address length (AU_IPv4 or AU_IPv6) -- confirm against the
 * code that fills it.
 */
struct au_tid_addr {
	dev_t		at_port;	/* Terminal device. */
	u_int32_t	at_type;	/* Address type/length; see AU_IPv4/AU_IPv6. */
	u_int32_t	at_addr[4];	/* Address bytes; 16 bytes is enough for IPv6. */
};
typedef	struct au_tid_addr	au_tid_addr_t;
190*199767f8SToomas Soome 
/*
 * Audit mask: one bit set per event class for successful events and one
 * for failed events.  The fields are declared unsigned int rather than
 * au_class_t (u_int32_t); the two are the same width wherever int is 32
 * bits.
 */
struct au_mask {
	unsigned int    am_success;     /* Success bits. */
	unsigned int    am_failure;     /* Failure bits. */
};
typedef	struct au_mask	au_mask_t;
196*199767f8SToomas Soome 
/*
 * Per-process audit state (legacy form with the fixed-size terminal ID).
 * This is the structure exchanged by getaudit(2)/setaudit(2) declared
 * below.
 */
struct auditinfo {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
};
typedef	struct auditinfo	auditinfo_t;
204*199767f8SToomas Soome 
/*
 * Per-process audit state, extended form: uses the network-address
 * terminal ID and adds session flags.  Exchanged by
 * getaudit_addr(2)/setaudit_addr(2), which also take an int length
 * argument (presumably sizeof(struct auditinfo_addr)) so the kernel can
 * check the caller's idea of the struct size.  ai_flags is 8-byte aligned
 * (see au_asflgs_t), which introduces padding before it.
 */
struct auditinfo_addr {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_addr_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
	au_asflgs_t	ai_flags;	/* Audit session flags. */
};
typedef	struct auditinfo_addr	auditinfo_addr_t;
213*199767f8SToomas Soome 
/*
 * Audit state of another process, selected by ap_pid; otherwise the same
 * fields as struct auditinfo.  By name this pairs with the A_GETPINFO
 * auditon(2) command.
 */
struct auditpinfo {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
};
typedef	struct auditpinfo	auditpinfo_t;
222*199767f8SToomas Soome 
/*
 * Audit state of another process, extended form: ap_pid selects the
 * process, the remaining fields mirror struct auditinfo_addr.  By name
 * this pairs with the A_GETPINFO_ADDR auditon(2) command.  ap_flags is
 * 8-byte aligned (see au_asflgs_t).
 */
struct auditpinfo_addr {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_addr_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
	au_asflgs_t	ap_flags;	/* Audit session flags. */
};
typedef	struct auditpinfo_addr	auditpinfo_addr_t;
232*199767f8SToomas Soome 
/*
 * Audit session handle: a pointer to the full auditinfo_addr plus the
 * process's own mask.  Because it holds a raw pointer it is only
 * meaningful within one address space; copy the pointed-to
 * auditinfo_addr, not this struct, when crossing the user/kernel boundary.
 */
struct au_session {
	auditinfo_addr_t	*as_aia_p;	/* Ptr to full audit info. */
	au_mask_t		 as_mask;	/* Process Audit Masks. */
};
typedef struct au_session       au_session_t;
238*199767f8SToomas Soome 
/*
 * Contents of token_t are opaque outside of libbsm.  struct au_token is
 * only forward-declared here, so callers can hold pointers to it but
 * cannot size or inspect it.
 */
typedef	struct au_token	token_t;
243*199767f8SToomas Soome 
/*
 * Kernel audit queue control parameters:
 * 			Default:		Maximum:
 * 	aq_hiwater:	AQ_HIWATER (100)	AQ_MAXHIGH (10000)
 * 	aq_lowater:	AQ_LOWATER (10)		<aq_hiwater
 * 	aq_bufsz:	AQ_BUFSZ (32767)	AQ_MAXBUFSZ (1048576)
 * 	aq_delay:	20			20000 (not used)
 *
 * All fields are signed int although the documented ranges are
 * non-negative; whatever consumes a user-supplied au_qctrl (by name,
 * the A_SETQCTRL auditon(2) command) is expected to reject negative
 * values and values above the maxima, and to keep aq_lowater below
 * aq_hiwater.
 */
struct au_qctrl {
	int	aq_hiwater;	/* Max # of audit recs in queue when */
				/* threads with new ARs get blocked. */

	int	aq_lowater;	/* # of audit recs in queue when */
				/* blocked threads get unblocked. */

	int	aq_bufsz;	/* Max size of audit record for audit(2). */
	int	aq_delay;	/* Queue delay (not used). */
	int	aq_minfree;	/* Minimum filesystem percent free space. */
};
typedef	struct au_qctrl	au_qctrl_t;
264*199767f8SToomas Soome 
/*
 * Structure for the audit statistics.  Field meanings are given by name
 * only; the counters a monitor would watch for audit loss or back-pressure
 * are presumably as_dropped, as_wblocked and as_rblocked.  Most counters
 * are plain int and could wrap on a long-lived system.
 */
struct audit_stat {
	unsigned int	as_version;	/* Structure/statistics version. */
	unsigned int	as_numevent;	/* Number of events (by name). */
	int		as_generated;
	int		as_nonattrib;	/* Non-attributable records (by name). */
	int		as_kernel;
	int		as_audit;
	int		as_auditctl;
	int		as_enqueue;
	int		as_written;
	int		as_wblocked;	/* Writer blocked (by name). */
	int		as_rblocked;	/* Reader blocked (by name). */
	int		as_dropped;	/* Records dropped (by name). */
	int		as_totalsize;
	unsigned int	as_memused;
};
typedef	struct audit_stat	au_stat_t;
285*199767f8SToomas Soome 
/*
 * Structure for the audit file statistics.  By name this pairs with the
 * A_SETFSIZE/A_GETFSIZE auditon(2) commands: af_filesz would be the
 * configured size limit and af_currsz the current trail size -- confirm
 * against the consumer.
 */
struct audit_fstat {
	u_int64_t	af_filesz;	/* Trail size limit (inferred from name). */
	u_int64_t	af_currsz;	/* Current trail size (inferred from name). */
};
typedef	struct audit_fstat	au_fstat_t;
294*199767f8SToomas Soome 
/*
 * Audit event to event class mapping: one entry maps an event number to
 * the class it belongs to.  By name this is the payload of the
 * A_GETCLASS/A_SETCLASS auditon(2) commands.
 */
struct au_evclass_map {
	au_event_t	ec_number;	/* Event number. */
	au_class_t	ec_class;	/* Class assigned to that event. */
};
typedef	struct au_evclass_map	au_evclass_map_t;
303*199767f8SToomas Soome 
/*
 * Audit system calls.  Declared for userland only; the kernel side has
 * its own prototypes.  Each call returns 0 on success and -1 with errno
 * set on failure, following the usual system-call convention (not
 * visible here -- see the respective manual pages).
 */
#if !defined(_KERNEL) && !defined(KERNEL)
/* Submit a complete record (buffer, length) to the trail. */
int	audit(const void *, int);
/* Audit control: command from the A_* list, command-specific data, and its length. */
int	auditon(int, void *, int);
/* Direct the trail to the named file. */
int	auditctl(const char *);
/* Get/set the calling process's audit user ID. */
int	getauid(au_id_t *);
int	setauid(const au_id_t *);
/* Get/set the calling process's audit state, legacy auditinfo form. */
int	getaudit(struct auditinfo *);
int	setaudit(const struct auditinfo *);
/* Get/set the calling process's audit state, auditinfo_addr form; the int
 * is the caller's size of the struct (presumably sizeof(*arg)). */
int	getaudit_addr(struct auditinfo_addr *, int);
int	setaudit_addr(const struct auditinfo_addr *, int);

#ifdef __APPLE_API_PRIVATE
#include <mach/port.h>
mach_port_name_t audit_session_self(void);
au_asid_t	 audit_session_join(mach_port_name_t port);
#endif /* __APPLE_API_PRIVATE */

#endif /* !defined(_KERNEL) && !defined(KERNEL) */
325*199767f8SToomas Soome 
326*199767f8SToomas Soome __END_DECLS
327*199767f8SToomas Soome 
328*199767f8SToomas Soome #endif /* !_BSM_AUDIT_H */