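/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License"). You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 1988 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident "%Z%%M% %I% %E% SMI"
/*
 * Audit trail structures.
 *
 * This header includes nothing itself: time_t, uid_t, gid_t, u_int,
 * caddr_t and blabel_t must already be declared by whatever includes it.
 */

#ifndef _sys_audit_h
#define _sys_audit_h

/*
 * Maximum size for audit data passed from the audit system call.
 * This value is arbitrary, so offers of better numbers are invited.
 *
 * AUP_USER - 1 evaluates to 0x7fff, which is also the largest value a
 * 16 bit signed short (the type of au_record_size below) can hold.
 * NOTE(review): presumably that is why the limit sits here -- confirm.
 */

#define	AUP_USER	(0x8000)
#define	MAXAUDITDATA	(AUP_USER - 1)
/*
 * NOTE(review): presumably the value stored in audit_header.ah_magic;
 * the code that writes or checks it is not part of this header.
 */
#define	AUDITMAGIC	0x00070009

/*
 * Audit conditions, statements regarding what's to be done with
 * audit records.
 */
#define	AUC_UNSET	0	/* on/off hasn't been decided */
#define	AUC_AUDITING	1	/* auditing is being done */
#define	AUC_NOAUDIT	2	/* auditing is not being done */
#define	AUC_FCHDONE	3	/* no auditing, and you never can */

/*
 * Minimum and maximum record type values. Change AUR_MAXRECTYPE when
 * adding new record types.
 *
 * A reader of an audit file can range-check au_record_type against these
 * two bounds. AUR_TRAILER (1000) lies outside the range and has to be
 * accepted separately.
 */
#define	AUR_MINRECTYPE	1
#define	AUR_MAXRECTYPE	63

/*
 * Audit record type codes
 */
#define	AUR_ACCESS		1
#define	AUR_CHMOD		2
#define	AUR_CHOWN		3
#define	AUR_CREAT		4
#define	AUR_FCHMOD		5
#define	AUR_FCHOWN		6
#define	AUR_FTRUNCATE		7
#define	AUR_LINK		8
#define	AUR_MKDIR		9
#define	AUR_MKNOD		10
#define	AUR_OPEN		11
#define	AUR_RMDIR		12
#define	AUR_RENAME		13
#define	AUR_STAT		14
#define	AUR_SYMLINK		15
#define	AUR_TRUNCATE		16
#define	AUR_UNLINK		17
#define	AUR_UTIMES		18
#define	AUR_EXECV		19
#define	AUR_MSGCONV		20
#define	AUR_MSGCTL		21
#define	AUR_MSGGET		22
#define	AUR_MSGRCV		23
#define	AUR_MSGSND		24
#define	AUR_SEMCTL		25
#define	AUR_SEMGET		26
#define	AUR_SEMOP		27
#define	AUR_SHMAT		28
#define	AUR_SHMCTL		29
#define	AUR_SHMDT		30
#define	AUR_SHMGET		31
#define	AUR_SOCKET		32
#define	AUR_PTRACE		33
#define	AUR_KILL		34
#define	AUR_KILLPG		35
#define	AUR_EXECVE		36
#define	AUR_CORE		37
#define	AUR_ADJTIME		38
#define	AUR_SETTIMEOFDAY	39
#define	AUR_SETHOSTNAME		40
#define	AUR_SETDOMAINNAME	41
#define	AUR_REBOOT		42
#define	AUR_REBOOTFAIL		43
#define	AUR_SYSACCT		44
#define	AUR_MOUNT_UFS		45
#define	AUR_MOUNT_NFS		46
#define	AUR_MOUNT		47
#define	AUR_UNMOUNT		48
#define	AUR_READLINK		49
#define	AUR_QUOTA_ON		50
#define	AUR_QUOTA_OFF		51
#define	AUR_QUOTA_SET		52
#define	AUR_QUOTA_LIM		53
#define	AUR_QUOTA_SYNC		54
#define	AUR_QUOTA		55
#define	AUR_STATFS		56
#define	AUR_CHROOT		57
#define	AUR_TEXT		58
#define	AUR_CHDIR		59
#define	AUR_MSGCTLRMID		60
#define	AUR_SEMCTL3		61
#define	AUR_SEMCTLALL		62
#define	AUR_SHMCTLRMID		63

#define	AUR_TRAILER		1000

/*
 * The classes of audit events.
 *
 * Each class is a distinct single bit, so classes can be OR-ed into a mask.
 * NOTE(review): presumably these are the bits held in as_success and
 * as_failure of struct audit_state -- confirm against the users.
 */
#define	AU_DREAD	0x00000001
#define	AU_DWRITE	0x00000002
#define	AU_DACCESS	0x00000004
#define	AU_DCREATE	0x00000008
#define	AU_LOGIN	0x00000010
#define	AU_SREAD	0x00000020
#define	AU_SCTL		0x00000040
#define	AU_MINPRIV	0x00000080
#define	AU_MAJPRIV	0x00000100
#define	AU_ADMIN	0x00000200
#define	AU_ASSIGN	0x00000400

/*
 * Success and failure are defined here because not everyone agrees on
 * which values rate success and which failure.
 *
 * The negative value is parenthesized so that it expands as a single
 * operand wherever the macro is used.
 */
#define	AU_EITHER	(-1)
#define	AU_SUCCESS	0
#define	AU_FAILURE	1

/*
 * The user id -2(0xfffe) is never audited - in fact, a setauid(AU_NOAUDITID)
 * will turn off auditing.
 *
 * Because this id switches auditing off, any path that can set it is
 * security-sensitive.
 * NOTE(review): 0xfffe is -2 as a 16 bit value; with a wider uid_t the
 * constant converts to a different bit pattern, so confirm how callers
 * compare an audit uid against it.
 */
#define	AU_NOAUDITID	(-2)

/*
 * The structure of the audit state
 */
struct audit_state {
	unsigned int	as_success;	/* success bits */
	unsigned int	as_failure;	/* failure bits */
};
typedef struct audit_state audit_state_t;

/*
 * The audit file header structure.
 * In the file it will be followed by a path name, the length of which is
 * kept in the ah_namelen field.
 *
 * ah_namelen is a signed short taken from the file, so a reader should
 * check ah_magic and reject a negative or oversized ah_namelen before
 * reading the path name that follows.
 */
struct audit_header {
	int	ah_magic;	/* magic number */
	time_t	ah_time;	/* the time */
	short	ah_namelen;	/* length of file name */
};
typedef struct audit_header audit_header_t;

/*
 * The audit file trailer record structure.
 * In the file it will be followed by a path name, the length of which is
 * kept in the at_namelen field.
 *
 * at_record_size and at_namelen are signed shorts taken from the file;
 * a reader should validate both before using them as lengths.
 */
struct audit_trailer {
	short	at_record_size;	/* size of this */
	short	at_record_type;	/* its type, a trailer */
	time_t	at_time;	/* the time */
	short	at_namelen;	/* length of file name */
};
typedef struct audit_trailer audit_trailer_t;

/*
 * The audit file record structure.
 * au_record_size is the size of the entire record.
 * au_param_count is the number of data items which follow the record.
 * There is a short ( 16 bit ) length for each of the following
 * parameters, then the parameters themselves. There is no way to know
 * what the parameters are from the data, unless the au_record_type
 * is understood.
 * The first parameter is the group list, hence au_param_count will
 * always be at least one.
 *
 * au_record_size, au_param_count and every per-parameter length are
 * signed 16 bit values. A parser of untrusted audit files should reject
 * negative values, require au_param_count >= 1, and check that the
 * parameter lengths stay inside au_record_size before copying anything.
 * NOTE(review): au_pid is a short; confirm that process ids on the
 * target fit, otherwise the recorded pid is truncated.
 */
struct audit_record {
	short		au_record_size;	/* size of this */
	short		au_record_type;	/* its type */
	unsigned int	au_event;	/* the event */
	time_t		au_time;	/* the time */
	uid_t		au_uid;		/* real uid */
	uid_t		au_auid;	/* audit uid */
	uid_t		au_euid;	/* effective */
	gid_t		au_gid;		/* real group */
	short		au_pid;		/* process id */
	int		au_errno;	/* error code */
	int		au_return;	/* a return value */
	blabel_t	au_label;	/* also ... */
	short		au_param_count;	/* # of parameters */
};
typedef struct audit_record audit_record_t;

/*
 * This structure controls a buffer for generating full pathnames
 * for filenames.
 *
 * NOTE(review): presumably ap_ptr must stay within ap_buf and
 * ap_buf + ap_size; the code that advances it is not in this header.
 */
struct au_path_s {
	u_int	ap_size;	/* Size of buffer */
	caddr_t	ap_buf;		/* Address of buffer */
	caddr_t	ap_ptr;		/* Current position */
};
typedef struct au_path_s au_path_t;

/*
 * Round x up to the next even value (x itself when it is already even).
 * x is evaluated once.
 */
#define	AU_ALIGN(x)	(((x) + 1) & ~1)

#endif /*!_sys_audit_h*/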