xref: /titanic_50/usr/src/lib/libbc/inc/include/sys/audit.h (revision 7c478bd95313f5f23a4c958a745db2134aa03244)
1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate  * CDDL HEADER START
3*7c478bd9Sstevel@tonic-gate  *
4*7c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*7c478bd9Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*7c478bd9Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*7c478bd9Sstevel@tonic-gate  * with the License.
8*7c478bd9Sstevel@tonic-gate  *
9*7c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*7c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*7c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*7c478bd9Sstevel@tonic-gate  * and limitations under the License.
13*7c478bd9Sstevel@tonic-gate  *
14*7c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*7c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*7c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*7c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*7c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*7c478bd9Sstevel@tonic-gate  *
20*7c478bd9Sstevel@tonic-gate  * CDDL HEADER END
21*7c478bd9Sstevel@tonic-gate  */
22*7c478bd9Sstevel@tonic-gate /*
23*7c478bd9Sstevel@tonic-gate  * Copyright 1988 Sun Microsystems, Inc.  All rights reserved.
24*7c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
25*7c478bd9Sstevel@tonic-gate  */
26*7c478bd9Sstevel@tonic-gate 
27*7c478bd9Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
28*7c478bd9Sstevel@tonic-gate /*
29*7c478bd9Sstevel@tonic-gate  * Audit trail structures;
30*7c478bd9Sstevel@tonic-gate  */
31*7c478bd9Sstevel@tonic-gate 
32*7c478bd9Sstevel@tonic-gate #ifndef _sys_audit_h
33*7c478bd9Sstevel@tonic-gate #define _sys_audit_h
34*7c478bd9Sstevel@tonic-gate 
35*7c478bd9Sstevel@tonic-gate /*
36*7c478bd9Sstevel@tonic-gate  * Maximum size for audit data passed from the audit system call
37*7c478bd9Sstevel@tonic-gate  * This value is arbitrary, so offers of better numbers are invited.
38*7c478bd9Sstevel@tonic-gate  */
39*7c478bd9Sstevel@tonic-gate 
40*7c478bd9Sstevel@tonic-gate #define AUP_USER	(0x8000)
41*7c478bd9Sstevel@tonic-gate #define MAXAUDITDATA	(AUP_USER - 1)
42*7c478bd9Sstevel@tonic-gate #define AUDITMAGIC	0x00070009
43*7c478bd9Sstevel@tonic-gate 
44*7c478bd9Sstevel@tonic-gate /*
45*7c478bd9Sstevel@tonic-gate  * Audit conditions, statements reguarding what's to be done with
46*7c478bd9Sstevel@tonic-gate  * audit records.
47*7c478bd9Sstevel@tonic-gate  */
48*7c478bd9Sstevel@tonic-gate #define AUC_UNSET	0	/* on/off hasn't been decided */
49*7c478bd9Sstevel@tonic-gate #define AUC_AUDITING	1	/* auditing is being done */
50*7c478bd9Sstevel@tonic-gate #define AUC_NOAUDIT	2	/* auditing is not being done */
51*7c478bd9Sstevel@tonic-gate #define AUC_FCHDONE	3	/* no auditing, and you never can */
52*7c478bd9Sstevel@tonic-gate 
53*7c478bd9Sstevel@tonic-gate /*
54*7c478bd9Sstevel@tonic-gate  * Minimum and maximum record type values.  Change AUR_MAXRECTYPE when
55*7c478bd9Sstevel@tonic-gate  * adding new record types.
56*7c478bd9Sstevel@tonic-gate  */
57*7c478bd9Sstevel@tonic-gate #define	AUR_MINRECTYPE		1
58*7c478bd9Sstevel@tonic-gate #define	AUR_MAXRECTYPE		63
59*7c478bd9Sstevel@tonic-gate 
60*7c478bd9Sstevel@tonic-gate /*
61*7c478bd9Sstevel@tonic-gate  * Audit record type codes
62*7c478bd9Sstevel@tonic-gate  */
63*7c478bd9Sstevel@tonic-gate #define AUR_ACCESS		1
64*7c478bd9Sstevel@tonic-gate #define AUR_CHMOD		2
65*7c478bd9Sstevel@tonic-gate #define AUR_CHOWN		3
66*7c478bd9Sstevel@tonic-gate #define AUR_CREAT		4
67*7c478bd9Sstevel@tonic-gate #define AUR_FCHMOD		5
68*7c478bd9Sstevel@tonic-gate #define AUR_FCHOWN		6
69*7c478bd9Sstevel@tonic-gate #define AUR_FTRUNCATE		7
70*7c478bd9Sstevel@tonic-gate #define AUR_LINK		8
71*7c478bd9Sstevel@tonic-gate #define AUR_MKDIR		9
72*7c478bd9Sstevel@tonic-gate #define AUR_MKNOD		10
73*7c478bd9Sstevel@tonic-gate #define AUR_OPEN		11
74*7c478bd9Sstevel@tonic-gate #define AUR_RMDIR		12
75*7c478bd9Sstevel@tonic-gate #define AUR_RENAME		13
76*7c478bd9Sstevel@tonic-gate #define AUR_STAT		14
77*7c478bd9Sstevel@tonic-gate #define AUR_SYMLINK		15
78*7c478bd9Sstevel@tonic-gate #define AUR_TRUNCATE		16
79*7c478bd9Sstevel@tonic-gate #define AUR_UNLINK		17
80*7c478bd9Sstevel@tonic-gate #define AUR_UTIMES		18
81*7c478bd9Sstevel@tonic-gate #define AUR_EXECV		19
82*7c478bd9Sstevel@tonic-gate #define AUR_MSGCONV		20
83*7c478bd9Sstevel@tonic-gate #define AUR_MSGCTL		21
84*7c478bd9Sstevel@tonic-gate #define AUR_MSGGET		22
85*7c478bd9Sstevel@tonic-gate #define AUR_MSGRCV		23
86*7c478bd9Sstevel@tonic-gate #define AUR_MSGSND		24
87*7c478bd9Sstevel@tonic-gate #define AUR_SEMCTL		25
88*7c478bd9Sstevel@tonic-gate #define AUR_SEMGET		26
89*7c478bd9Sstevel@tonic-gate #define AUR_SEMOP		27
90*7c478bd9Sstevel@tonic-gate #define AUR_SHMAT		28
91*7c478bd9Sstevel@tonic-gate #define AUR_SHMCTL		29
92*7c478bd9Sstevel@tonic-gate #define AUR_SHMDT		30
93*7c478bd9Sstevel@tonic-gate #define AUR_SHMGET		31
94*7c478bd9Sstevel@tonic-gate #define AUR_SOCKET		32
95*7c478bd9Sstevel@tonic-gate #define AUR_PTRACE		33
96*7c478bd9Sstevel@tonic-gate #define AUR_KILL		34
97*7c478bd9Sstevel@tonic-gate #define AUR_KILLPG		35
98*7c478bd9Sstevel@tonic-gate #define AUR_EXECVE		36
99*7c478bd9Sstevel@tonic-gate #define AUR_CORE		37
100*7c478bd9Sstevel@tonic-gate #define AUR_ADJTIME		38
101*7c478bd9Sstevel@tonic-gate #define AUR_SETTIMEOFDAY	39
102*7c478bd9Sstevel@tonic-gate #define AUR_SETHOSTNAME		40
103*7c478bd9Sstevel@tonic-gate #define AUR_SETDOMAINNAME	41
104*7c478bd9Sstevel@tonic-gate #define AUR_REBOOT		42
105*7c478bd9Sstevel@tonic-gate #define AUR_REBOOTFAIL		43
106*7c478bd9Sstevel@tonic-gate #define AUR_SYSACCT		44
107*7c478bd9Sstevel@tonic-gate #define AUR_MOUNT_UFS		45
108*7c478bd9Sstevel@tonic-gate #define AUR_MOUNT_NFS		46
109*7c478bd9Sstevel@tonic-gate #define AUR_MOUNT		47
110*7c478bd9Sstevel@tonic-gate #define AUR_UNMOUNT		48
111*7c478bd9Sstevel@tonic-gate #define AUR_READLINK		49
112*7c478bd9Sstevel@tonic-gate #define AUR_QUOTA_ON		50
113*7c478bd9Sstevel@tonic-gate #define AUR_QUOTA_OFF		51
114*7c478bd9Sstevel@tonic-gate #define AUR_QUOTA_SET		52
115*7c478bd9Sstevel@tonic-gate #define AUR_QUOTA_LIM		53
116*7c478bd9Sstevel@tonic-gate #define AUR_QUOTA_SYNC		54
117*7c478bd9Sstevel@tonic-gate #define AUR_QUOTA		55
118*7c478bd9Sstevel@tonic-gate #define AUR_STATFS		56
119*7c478bd9Sstevel@tonic-gate #define AUR_CHROOT		57
120*7c478bd9Sstevel@tonic-gate #define AUR_TEXT		58
121*7c478bd9Sstevel@tonic-gate #define AUR_CHDIR		59
122*7c478bd9Sstevel@tonic-gate #define AUR_MSGCTLRMID		60
123*7c478bd9Sstevel@tonic-gate #define AUR_SEMCTL3		61
124*7c478bd9Sstevel@tonic-gate #define AUR_SEMCTLALL		62
125*7c478bd9Sstevel@tonic-gate #define AUR_SHMCTLRMID		63
126*7c478bd9Sstevel@tonic-gate 
127*7c478bd9Sstevel@tonic-gate #define AUR_TRAILER		1000
128*7c478bd9Sstevel@tonic-gate 
129*7c478bd9Sstevel@tonic-gate /*
130*7c478bd9Sstevel@tonic-gate  * The classes of audit events
131*7c478bd9Sstevel@tonic-gate  */
132*7c478bd9Sstevel@tonic-gate #define AU_DREAD	0x00000001
133*7c478bd9Sstevel@tonic-gate #define AU_DWRITE	0x00000002
134*7c478bd9Sstevel@tonic-gate #define AU_DACCESS	0x00000004
135*7c478bd9Sstevel@tonic-gate #define AU_DCREATE	0x00000008
136*7c478bd9Sstevel@tonic-gate #define AU_LOGIN	0x00000010
137*7c478bd9Sstevel@tonic-gate #define AU_SREAD	0x00000020
138*7c478bd9Sstevel@tonic-gate #define AU_SCTL		0x00000040
139*7c478bd9Sstevel@tonic-gate #define AU_MINPRIV	0x00000080
140*7c478bd9Sstevel@tonic-gate #define AU_MAJPRIV	0x00000100
141*7c478bd9Sstevel@tonic-gate #define AU_ADMIN	0x00000200
142*7c478bd9Sstevel@tonic-gate #define AU_ASSIGN	0x00000400
143*7c478bd9Sstevel@tonic-gate 
144*7c478bd9Sstevel@tonic-gate /*
145*7c478bd9Sstevel@tonic-gate  * Success and failure are defined here because not everyone agrees on
146*7c478bd9Sstevel@tonic-gate  * which values rate success and which failure.
147*7c478bd9Sstevel@tonic-gate  */
148*7c478bd9Sstevel@tonic-gate #define AU_EITHER	-1
149*7c478bd9Sstevel@tonic-gate #define AU_SUCCESS	0
150*7c478bd9Sstevel@tonic-gate #define AU_FAILURE	1
151*7c478bd9Sstevel@tonic-gate 
152*7c478bd9Sstevel@tonic-gate /*
153*7c478bd9Sstevel@tonic-gate  * The user id -2(0xfffe) is never audited - in fact, a setauid(AU_NOAUDITID)
154*7c478bd9Sstevel@tonic-gate  * will turn off auditing.
155*7c478bd9Sstevel@tonic-gate  */
156*7c478bd9Sstevel@tonic-gate #define AU_NOAUDITID	-2
157*7c478bd9Sstevel@tonic-gate 
158*7c478bd9Sstevel@tonic-gate /*
159*7c478bd9Sstevel@tonic-gate  * The sturcture of the audit state
160*7c478bd9Sstevel@tonic-gate  */
161*7c478bd9Sstevel@tonic-gate struct audit_state {
162*7c478bd9Sstevel@tonic-gate 	unsigned int	as_success;	/* success bits */
163*7c478bd9Sstevel@tonic-gate 	unsigned int	as_failure;	/* failure bits */
164*7c478bd9Sstevel@tonic-gate };
165*7c478bd9Sstevel@tonic-gate typedef struct audit_state audit_state_t;
166*7c478bd9Sstevel@tonic-gate 
167*7c478bd9Sstevel@tonic-gate /*
168*7c478bd9Sstevel@tonic-gate  * The audit file header structure.
169*7c478bd9Sstevel@tonic-gate  * In the file it will be followed by a path name, the length of which is
170*7c478bd9Sstevel@tonic-gate  * kept in the ah_namelen field.
171*7c478bd9Sstevel@tonic-gate  */
172*7c478bd9Sstevel@tonic-gate struct audit_header {
173*7c478bd9Sstevel@tonic-gate 	int	ah_magic;	/* magic number */
174*7c478bd9Sstevel@tonic-gate 	time_t	ah_time;	/* the time */
175*7c478bd9Sstevel@tonic-gate 	short	ah_namelen;	/* length of file name */
176*7c478bd9Sstevel@tonic-gate };
177*7c478bd9Sstevel@tonic-gate typedef struct audit_header audit_header_t;
178*7c478bd9Sstevel@tonic-gate 
179*7c478bd9Sstevel@tonic-gate /*
180*7c478bd9Sstevel@tonic-gate  * The audit file trailer record structure.
181*7c478bd9Sstevel@tonic-gate  * In the file it will be followed by a path name, the length of which is
182*7c478bd9Sstevel@tonic-gate  * kept in the at_namelen field.
183*7c478bd9Sstevel@tonic-gate  */
184*7c478bd9Sstevel@tonic-gate struct audit_trailer {
185*7c478bd9Sstevel@tonic-gate 	short	at_record_size;		/* size of this */
186*7c478bd9Sstevel@tonic-gate 	short	at_record_type;		/* its type, a trailer */
187*7c478bd9Sstevel@tonic-gate 	time_t	at_time;		/* the time */
188*7c478bd9Sstevel@tonic-gate 	short	at_namelen;		/* length of file name */
189*7c478bd9Sstevel@tonic-gate };
190*7c478bd9Sstevel@tonic-gate typedef struct audit_trailer audit_trailer_t;
191*7c478bd9Sstevel@tonic-gate 
192*7c478bd9Sstevel@tonic-gate /*
193*7c478bd9Sstevel@tonic-gate  * The audit file record structure.
194*7c478bd9Sstevel@tonic-gate  * au_record_size is the size of the entire record.
195*7c478bd9Sstevel@tonic-gate  * au_param_count is the number of data items which follow the record.
196*7c478bd9Sstevel@tonic-gate  * There is a short ( 16 bit ) length for each of the following
197*7c478bd9Sstevel@tonic-gate  * parameters, then the parameters themselves. There is no way to know
198*7c478bd9Sstevel@tonic-gate  * what the parameters are from the data, unless the au_record_type
199*7c478bd9Sstevel@tonic-gate  * is understood.
200*7c478bd9Sstevel@tonic-gate  * The first parameter is the group list, hence au_param_count will
201*7c478bd9Sstevel@tonic-gate  * always be at least one.
202*7c478bd9Sstevel@tonic-gate  */
203*7c478bd9Sstevel@tonic-gate struct audit_record {
204*7c478bd9Sstevel@tonic-gate 	short		au_record_size;		/* size of this */
205*7c478bd9Sstevel@tonic-gate 	short		au_record_type;		/* its type */
206*7c478bd9Sstevel@tonic-gate 	unsigned int	au_event;		/* the event */
207*7c478bd9Sstevel@tonic-gate 	time_t		au_time;		/* the time */
208*7c478bd9Sstevel@tonic-gate 	uid_t		au_uid;			/* real uid */
209*7c478bd9Sstevel@tonic-gate 	uid_t		au_auid;		/* audit uid */
210*7c478bd9Sstevel@tonic-gate 	uid_t		au_euid;		/* effective */
211*7c478bd9Sstevel@tonic-gate 	gid_t		au_gid;			/* real group */
212*7c478bd9Sstevel@tonic-gate 	short		au_pid;			/* process id */
213*7c478bd9Sstevel@tonic-gate 	int		au_errno;		/* error code */
214*7c478bd9Sstevel@tonic-gate 	int		au_return;		/* a return value */
215*7c478bd9Sstevel@tonic-gate 	blabel_t	au_label;		/* also ... */
216*7c478bd9Sstevel@tonic-gate 	short		au_param_count;		/* # of parameters */
217*7c478bd9Sstevel@tonic-gate };
218*7c478bd9Sstevel@tonic-gate typedef struct audit_record audit_record_t;
219*7c478bd9Sstevel@tonic-gate 
220*7c478bd9Sstevel@tonic-gate /*
221*7c478bd9Sstevel@tonic-gate  * This structure controls a buffer for generating full pathnames
222*7c478bd9Sstevel@tonic-gate  * for filenames.
223*7c478bd9Sstevel@tonic-gate  */
224*7c478bd9Sstevel@tonic-gate struct au_path_s {
225*7c478bd9Sstevel@tonic-gate 	u_int		ap_size;		/* Size of buffer	     */
226*7c478bd9Sstevel@tonic-gate 	caddr_t		ap_buf;			/* Address of buffer	     */
227*7c478bd9Sstevel@tonic-gate 	caddr_t		ap_ptr;			/* Current position	     */
228*7c478bd9Sstevel@tonic-gate };
229*7c478bd9Sstevel@tonic-gate typedef struct au_path_s au_path_t;
230*7c478bd9Sstevel@tonic-gate 
231*7c478bd9Sstevel@tonic-gate #define AU_ALIGN(x)	(((x) + 1) & ~1)
232*7c478bd9Sstevel@tonic-gate 
233*7c478bd9Sstevel@tonic-gate #endif /*!_sys_audit_h*/
234