17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 5*45916cd2Sjpk * Common Development and Distribution License (the "License"). 6*45916cd2Sjpk * You may not use this file except in compliance with the License. 77c478bd9Sstevel@tonic-gate * 87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 117c478bd9Sstevel@tonic-gate * and limitations under the License. 127c478bd9Sstevel@tonic-gate * 137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 187c478bd9Sstevel@tonic-gate * 197c478bd9Sstevel@tonic-gate * CDDL HEADER END 207c478bd9Sstevel@tonic-gate */ 217c478bd9Sstevel@tonic-gate /* 22*45916cd2Sjpk * Copyright 2006 Sun Microsystems, Inc. All rights reserved. 237c478bd9Sstevel@tonic-gate * Use is subject to license terms. 247c478bd9Sstevel@tonic-gate */ 257c478bd9Sstevel@tonic-gate 267c478bd9Sstevel@tonic-gate #ifndef _AUDITRT_H 277c478bd9Sstevel@tonic-gate #define _AUDITRT_H 287c478bd9Sstevel@tonic-gate 297c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 307c478bd9Sstevel@tonic-gate 317c478bd9Sstevel@tonic-gate #ifdef __cplusplus 327c478bd9Sstevel@tonic-gate extern "C" { 337c478bd9Sstevel@tonic-gate #endif 347c478bd9Sstevel@tonic-gate 357c478bd9Sstevel@tonic-gate /* 367c478bd9Sstevel@tonic-gate * Auditreduce data structures. 377c478bd9Sstevel@tonic-gate */ 387c478bd9Sstevel@tonic-gate 397c478bd9Sstevel@tonic-gate /* 407c478bd9Sstevel@tonic-gate * File Control Block 417c478bd9Sstevel@tonic-gate * Controls a single file. 427c478bd9Sstevel@tonic-gate * These are held by the pcb's in audit_pcbs[] in a linked list. 437c478bd9Sstevel@tonic-gate * There is one fcb for each file controlled by the pcb, 447c478bd9Sstevel@tonic-gate * and all of the files in a list have the same suffix in their names. 457c478bd9Sstevel@tonic-gate */ 467c478bd9Sstevel@tonic-gate struct audit_fcb { 477c478bd9Sstevel@tonic-gate struct audit_fcb *fcb_next; /* ptr to next fcb in list */ 487c478bd9Sstevel@tonic-gate int fcb_flags; /* flags - see below */ 497c478bd9Sstevel@tonic-gate time_t fcb_start; /* start time from filename */ 507c478bd9Sstevel@tonic-gate time_t fcb_end; /* end time from filename */ 517c478bd9Sstevel@tonic-gate char *fcb_suffix; /* ptr to suffix in fcb_file */ 527c478bd9Sstevel@tonic-gate char *fcb_name; /* ptr to name in fcb_file */ 537c478bd9Sstevel@tonic-gate char fcb_file[1]; /* full path and name string */ 547c478bd9Sstevel@tonic-gate }; 557c478bd9Sstevel@tonic-gate 567c478bd9Sstevel@tonic-gate typedef struct audit_fcb audit_fcb_t; 577c478bd9Sstevel@tonic-gate 587c478bd9Sstevel@tonic-gate /* 597c478bd9Sstevel@tonic-gate * Flags for fcb_flags. 607c478bd9Sstevel@tonic-gate */ 617c478bd9Sstevel@tonic-gate #define FF_NOTTERM 0x01 /* file is "not_terminated" */ 627c478bd9Sstevel@tonic-gate #define FF_DELETE 0x02 /* we may delete this file if requested */ 637c478bd9Sstevel@tonic-gate 647c478bd9Sstevel@tonic-gate /* 657c478bd9Sstevel@tonic-gate * Process Control Block 667c478bd9Sstevel@tonic-gate * A pcb comes in two types: 677c478bd9Sstevel@tonic-gate * It controls either: 687c478bd9Sstevel@tonic-gate * 697c478bd9Sstevel@tonic-gate * 1. A single group of pcbs (processes that are lower on the process tree). 707c478bd9Sstevel@tonic-gate * These are the pcb's that the process tree is built from. 717c478bd9Sstevel@tonic-gate * These are allocated as needed while the process tree is being built. 727c478bd9Sstevel@tonic-gate * 737c478bd9Sstevel@tonic-gate * 2. A single group of files (fcbs). 747c478bd9Sstevel@tonic-gate * All of the files in one pcb have the same suffix in their filename. 757c478bd9Sstevel@tonic-gate * They are controlled by the leaf nodes of the process tree. 767c478bd9Sstevel@tonic-gate * They are found in audit_pcbs[]. 777c478bd9Sstevel@tonic-gate * They are initially setup by process_fileopt() when the files to be 787c478bd9Sstevel@tonic-gate * processes are gathered together. Then they are parsed out to 797c478bd9Sstevel@tonic-gate * the leaf nodes by mfork(). 807c478bd9Sstevel@tonic-gate * A particular leaf node's range of audit_pcbs[] is determined 817c478bd9Sstevel@tonic-gate * in the call to mfork() by the lo and hi paramters. 827c478bd9Sstevel@tonic-gate */ 837c478bd9Sstevel@tonic-gate struct audit_pcb { 847c478bd9Sstevel@tonic-gate struct audit_pcb *pcb_below; /* ptr to group of pcb's */ 857c478bd9Sstevel@tonic-gate struct audit_pcb *pcb_next; /* ptr to next - for list in mproc() */ 867c478bd9Sstevel@tonic-gate int pcb_procno; /* subprocess # */ 877c478bd9Sstevel@tonic-gate int pcb_nrecs; /* how many records read (current pcb/file) */ 887c478bd9Sstevel@tonic-gate int pcb_nprecs; /* how many records put (current pcb/file) */ 897c478bd9Sstevel@tonic-gate int pcb_flags; /* flags - see below */ 907c478bd9Sstevel@tonic-gate int pcb_count; /* count of active pcb's */ 917c478bd9Sstevel@tonic-gate int pcb_lo; /* low index for pcb's */ 927c478bd9Sstevel@tonic-gate int pcb_hi; /* hi index for pcb's */ 937c478bd9Sstevel@tonic-gate int pcb_size; /* size of current record buffer */ 947c478bd9Sstevel@tonic-gate time_t pcb_time; /* time of current record */ 957c478bd9Sstevel@tonic-gate time_t pcb_otime; /* time of previous record */ 967c478bd9Sstevel@tonic-gate char *pcb_rec; /* ptr to current record buffer */ 977c478bd9Sstevel@tonic-gate char *pcb_suffix; /* ptr to suffix name (string) */ 987c478bd9Sstevel@tonic-gate audit_fcb_t *pcb_first; /* ptr to first fcb_ */ 997c478bd9Sstevel@tonic-gate audit_fcb_t *pcb_last; /* ptr to last fcb_ */ 1007c478bd9Sstevel@tonic-gate audit_fcb_t *pcb_cur; /* ptr to current fcb_ */ 1017c478bd9Sstevel@tonic-gate audit_fcb_t *pcb_dfirst; /* ptr to first fcb_ for deleting */ 1027c478bd9Sstevel@tonic-gate audit_fcb_t *pcb_dlast; /* ptr to last fcb_ for deleting */ 1037c478bd9Sstevel@tonic-gate FILE *pcb_fpr; /* read stream */ 1047c478bd9Sstevel@tonic-gate FILE *pcb_fpw; /* write stream */ 1057c478bd9Sstevel@tonic-gate }; 1067c478bd9Sstevel@tonic-gate 1077c478bd9Sstevel@tonic-gate typedef struct audit_pcb audit_pcb_t; 1087c478bd9Sstevel@tonic-gate 1097c478bd9Sstevel@tonic-gate /* 1107c478bd9Sstevel@tonic-gate * Flags for pcb_flags 1117c478bd9Sstevel@tonic-gate */ 1127c478bd9Sstevel@tonic-gate #define PF_ROOT 0x01 /* current pcb is the root of process tree */ 1137c478bd9Sstevel@tonic-gate #define PF_LEAF 0x02 /* current pcb is a leaf of process tree */ 1147c478bd9Sstevel@tonic-gate #define PF_FILE 0x04 /* current pcb uses files as input, not pipes */ 1157c478bd9Sstevel@tonic-gate 1167c478bd9Sstevel@tonic-gate /* 1177c478bd9Sstevel@tonic-gate * Message selection options 1187c478bd9Sstevel@tonic-gate */ 1197c478bd9Sstevel@tonic-gate #define M_AFTER 0x0001 /* 'a' after a time */ 1207c478bd9Sstevel@tonic-gate #define M_BEFORE 0x0002 /* 'b' before a time */ 1217c478bd9Sstevel@tonic-gate #define M_CLASS 0x0004 /* 'c' event class */ 1227c478bd9Sstevel@tonic-gate #define M_GROUPE 0x0008 /* 'f' effective group-id */ 1237c478bd9Sstevel@tonic-gate #define M_GROUPR 0x0010 /* 'g' real group-id */ 1247c478bd9Sstevel@tonic-gate #define M_OBJECT 0x0020 /* 'o' object */ 1257c478bd9Sstevel@tonic-gate #define M_SUBJECT 0x0040 /* 'j' subject */ 1267c478bd9Sstevel@tonic-gate #define M_TYPE 0x0080 /* 'm' event type */ 1277c478bd9Sstevel@tonic-gate #define M_USERA 0x0100 /* 'u' audit user */ 1287c478bd9Sstevel@tonic-gate #define M_USERE 0x0200 /* 'e' effective user */ 1297c478bd9Sstevel@tonic-gate #define M_USERR 0x0400 /* 'r' real user */ 130924c9144Sgww #define M_LABEL 0x0800 /* 'l' mandatory label range */ 1317c478bd9Sstevel@tonic-gate #define M_ZONENAME 0x1000 /* 'z' zone name */ 132924c9144Sgww #define M_SID 0x2000 /* 's' session ID */ 1337c478bd9Sstevel@tonic-gate #define M_SORF 0x4000 /* success or failure of event */ 134924c9144Sgww #define M_TID 0x8000 /* 't' terminal ID */ 1357c478bd9Sstevel@tonic-gate /* 1367c478bd9Sstevel@tonic-gate * object types 1377c478bd9Sstevel@tonic-gate */ 1387c478bd9Sstevel@tonic-gate 1397c478bd9Sstevel@tonic-gate /* XXX Why is this a bit map? There can be only one M_OBJECT. */ 1407c478bd9Sstevel@tonic-gate 1417c478bd9Sstevel@tonic-gate #define OBJ_LP 0x00001 /* 'o' lp object */ 1427c478bd9Sstevel@tonic-gate #define OBJ_MSG 0x00002 /* 'o' msgq object */ 1437c478bd9Sstevel@tonic-gate #define OBJ_PATH 0x00004 /* 'o' file system object */ 1447c478bd9Sstevel@tonic-gate #define OBJ_PROC 0x00008 /* 'o' process object */ 1457c478bd9Sstevel@tonic-gate #define OBJ_SEM 0x00010 /* 'o' semaphore object */ 1467c478bd9Sstevel@tonic-gate #define OBJ_SHM 0x00020 /* 'o' shared memory object */ 1477c478bd9Sstevel@tonic-gate #define OBJ_SOCK 0x00040 /* 'o' socket object */ 1487c478bd9Sstevel@tonic-gate #define OBJ_FGROUP 0x00080 /* 'o' file group */ 1497c478bd9Sstevel@tonic-gate #define OBJ_FOWNER 0x00100 /* 'o' file owner */ 1507c478bd9Sstevel@tonic-gate #define OBJ_MSGGROUP 0x00200 /* 'o' msgq [c]group */ 1517c478bd9Sstevel@tonic-gate #define OBJ_MSGOWNER 0x00400 /* 'o' msgq [c]owner */ 1527c478bd9Sstevel@tonic-gate #define OBJ_PGROUP 0x00800 /* 'o' process [e]group */ 1537c478bd9Sstevel@tonic-gate #define OBJ_POWNER 0x01000 /* 'o' process [e]owner */ 1547c478bd9Sstevel@tonic-gate #define OBJ_SEMGROUP 0x02000 /* 'o' semaphore [c]group */ 1557c478bd9Sstevel@tonic-gate #define OBJ_SEMOWNER 0x04000 /* 'o' semaphore [c]owner */ 1567c478bd9Sstevel@tonic-gate #define OBJ_SHMGROUP 0x08000 /* 'o' shared memory [c]group */ 1577c478bd9Sstevel@tonic-gate #define OBJ_SHMOWNER 0x10000 /* 'o' shared memory [c]owner */ 1587c478bd9Sstevel@tonic-gate 1597c478bd9Sstevel@tonic-gate #define SOCKFLG_MACHINE 0 /* search socket token by machine name */ 1607c478bd9Sstevel@tonic-gate #define SOCKFLG_PORT 1 /* search socket token by port number */ 1617c478bd9Sstevel@tonic-gate 1627c478bd9Sstevel@tonic-gate /* 1637c478bd9Sstevel@tonic-gate * Global variables 1647c478bd9Sstevel@tonic-gate */ 1657c478bd9Sstevel@tonic-gate extern unsigned short m_type; /* 'm' message type */ 1667c478bd9Sstevel@tonic-gate extern gid_t m_groupr; /* 'g' real group-id */ 1677c478bd9Sstevel@tonic-gate extern gid_t m_groupe; /* 'f' effective group-id */ 1687c478bd9Sstevel@tonic-gate extern uid_t m_usera; /* 'u' audit user */ 1697c478bd9Sstevel@tonic-gate extern uid_t m_userr; /* 'r' real user */ 1707c478bd9Sstevel@tonic-gate extern uid_t m_usere; /* 'f' effective user */ 171924c9144Sgww extern au_asid_t m_sid; /* 's' session-id */ 1727c478bd9Sstevel@tonic-gate extern time_t m_after; /* 'a' after a time */ 1737c478bd9Sstevel@tonic-gate extern time_t m_before; /* 'b' before a time */ 1747c478bd9Sstevel@tonic-gate extern audit_state_t mask; /* used with m_class */ 1757c478bd9Sstevel@tonic-gate extern char *zonename; /* 'z' zonename */ 1767c478bd9Sstevel@tonic-gate 177*45916cd2Sjpk extern m_range_t *m_label; /* 'l' mandatory label range */ 1787c478bd9Sstevel@tonic-gate extern int flags; 1797c478bd9Sstevel@tonic-gate extern int checkflags; 1807c478bd9Sstevel@tonic-gate extern int socket_flag; 1817c478bd9Sstevel@tonic-gate extern int ip_type; 1827c478bd9Sstevel@tonic-gate extern int ip_ipv6[4]; /* ip ipv6 object identifier */ 1837c478bd9Sstevel@tonic-gate extern int obj_flag; /* 'o' object type */ 1847c478bd9Sstevel@tonic-gate extern int obj_id; /* object identifier */ 1857c478bd9Sstevel@tonic-gate extern gid_t obj_group; /* object group */ 1867c478bd9Sstevel@tonic-gate extern uid_t obj_owner; /* object owner */ 1877c478bd9Sstevel@tonic-gate extern int subj_id; /* subject identifier */ 1887c478bd9Sstevel@tonic-gate extern char ipc_type; /* 'o' object type - tell what type of IPC */ 1897c478bd9Sstevel@tonic-gate 1907c478bd9Sstevel@tonic-gate /* 1917c478bd9Sstevel@tonic-gate * File selection options 1927c478bd9Sstevel@tonic-gate */ 1937c478bd9Sstevel@tonic-gate extern char *f_machine; /* 'M' machine (suffix) type */ 1947c478bd9Sstevel@tonic-gate extern char *f_root; /* 'R' audit root */ 1957c478bd9Sstevel@tonic-gate extern char *f_server; /* 'S' server */ 1967c478bd9Sstevel@tonic-gate extern char *f_outfile; /* 'W' output file */ 1977c478bd9Sstevel@tonic-gate extern int f_all; /* 'A' all records from a file */ 1987c478bd9Sstevel@tonic-gate extern int f_complete; /* 'C' only completed files */ 1997c478bd9Sstevel@tonic-gate extern int f_delete; /* 'D' delete when done */ 2007c478bd9Sstevel@tonic-gate extern int f_quiet; /* 'Q' sshhhh! */ 2017c478bd9Sstevel@tonic-gate extern int f_verbose; /* 'V' verbose */ 2027c478bd9Sstevel@tonic-gate extern int f_stdin; /* '-' read from stdin */ 2037c478bd9Sstevel@tonic-gate extern int f_cmdline; /* files specified on the command line */ 2047c478bd9Sstevel@tonic-gate extern int new_mode; /* 'N' new object selection mode */ 2057c478bd9Sstevel@tonic-gate 2067c478bd9Sstevel@tonic-gate /* 2077c478bd9Sstevel@tonic-gate * Error reporting 2087c478bd9Sstevel@tonic-gate * Error_str is set whenever an error occurs to point to a string describing 2097c478bd9Sstevel@tonic-gate * the error. When the error message is printed error_str is also 2107c478bd9Sstevel@tonic-gate * printed to describe exactly what went wrong. 2117c478bd9Sstevel@tonic-gate * Errbuf is used to build messages with variables in them. 2127c478bd9Sstevel@tonic-gate */ 2137c478bd9Sstevel@tonic-gate extern char *error_str; /* current error message */ 2147c478bd9Sstevel@tonic-gate extern char errbuf[]; /* buffer for building error message */ 2157c478bd9Sstevel@tonic-gate extern char *ar; /* => "auditreduce:" */ 2167c478bd9Sstevel@tonic-gate 2177c478bd9Sstevel@tonic-gate /* 2187c478bd9Sstevel@tonic-gate * Control blocks 2197c478bd9Sstevel@tonic-gate * Audit_pcbs[] is an array of pcbs that control files directly. 2207c478bd9Sstevel@tonic-gate * In the program's initialization phase it will gather all of the input 2217c478bd9Sstevel@tonic-gate * files it needs to process. Each file will have one fcb allocated for it, 2227c478bd9Sstevel@tonic-gate * and each fcb will belong to one pcb from audit_pcbs[]. All of the files 2237c478bd9Sstevel@tonic-gate * in a single pcb will have the same suffix in their filenames. If the 2247c478bd9Sstevel@tonic-gate * number of active pcbs in audit_pcbs[] is greater that the number of open 2257c478bd9Sstevel@tonic-gate * files a single process can have then the program will need to fork 2267c478bd9Sstevel@tonic-gate * subprocesses to handle all of the files. 2277c478bd9Sstevel@tonic-gate */ 2287c478bd9Sstevel@tonic-gate extern audit_pcb_t *audit_pcbs; /* file-holding pcb's */ 2297c478bd9Sstevel@tonic-gate extern int pcbsize; /* current size of audit_pcbs[] */ 2307c478bd9Sstevel@tonic-gate extern int pcbnum; /* total # of active pcbs in audit_pcbs[] */ 2317c478bd9Sstevel@tonic-gate 2327c478bd9Sstevel@tonic-gate /* 2337c478bd9Sstevel@tonic-gate * Time values 2347c478bd9Sstevel@tonic-gate */ 2357c478bd9Sstevel@tonic-gate extern time_t f_start; /* time of start rec for outfile */ 2367c478bd9Sstevel@tonic-gate extern time_t f_end; /* time of end rec for outfile */ 2377c478bd9Sstevel@tonic-gate extern time_t time_now; /* time program began */ 2387c478bd9Sstevel@tonic-gate 2397c478bd9Sstevel@tonic-gate /* 2407c478bd9Sstevel@tonic-gate * Counting vars 2417c478bd9Sstevel@tonic-gate */ 2427c478bd9Sstevel@tonic-gate extern int filenum; /* number of files total */ 2437c478bd9Sstevel@tonic-gate 2447c478bd9Sstevel@tonic-gate /* 2457c478bd9Sstevel@tonic-gate * Global variable, class of current record being processed. 2467c478bd9Sstevel@tonic-gate */ 2477c478bd9Sstevel@tonic-gate extern int global_class; 2487c478bd9Sstevel@tonic-gate 2497c478bd9Sstevel@tonic-gate #ifdef __cplusplus 2507c478bd9Sstevel@tonic-gate } 2517c478bd9Sstevel@tonic-gate #endif 2527c478bd9Sstevel@tonic-gate 2537c478bd9Sstevel@tonic-gate #endif /* _AUDITRT_H */ 254