1 /*- 2 * Copyright (c) 2005-2009 Apple Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 15 * its contributors may be used to endorse or promote products derived 16 * from this software without specific prior written permission. 17 * 18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY 19 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 20 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY 22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10 $ 30 */ 31 32 #ifndef _BSM_AUDIT_H 33 #define _BSM_AUDIT_H 34 35 #include <sys/param.h> 36 #include <sys/types.h> 37 38 #define AUDIT_RECORD_MAGIC 0x828a0f1b 39 #define MAX_AUDIT_RECORDS 20 40 #define MAXAUDITDATA (0x8000 - 1) 41 #define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA 42 #define MIN_AUDIT_FILE_SIZE (512 * 1024) 43 44 /* 45 * Minimum noumber of free blocks on the filesystem containing the audit 46 * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0 47 * as the kernel does an unsigned compare, plus we want to leave a few blocks 48 * free so userspace can terminate the log, etc. 49 */ 50 #define AUDIT_HARD_LIMIT_FREE_BLOCKS 4 51 52 /* 53 * Triggers for the audit daemon. 54 */ 55 #define AUDIT_TRIGGER_MIN 1 56 #define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */ 57 #define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */ 58 #define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */ 59 #define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */ 60 #define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */ 61 #define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */ 62 #define AUDIT_TRIGGER_INITIALIZE 7 /* User initialize of auditd. */ 63 #define AUDIT_TRIGGER_EXPIRE_TRAILS 8 /* User expiration of trails. */ 64 #define AUDIT_TRIGGER_MAX 8 65 66 /* 67 * The special device filename (FreeBSD). 68 */ 69 #define AUDITDEV_FILENAME "audit" 70 #define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME) 71 72 /* 73 * Pre-defined audit IDs 74 */ 75 #define AU_DEFAUDITID (uid_t)(-1) 76 #define AU_DEFAUDITSID 0 77 #define AU_ASSIGN_ASID -1 78 79 /* 80 * IPC types. 81 */ 82 #define AT_IPC_MSG ((unsigned char)1) /* Message IPC id. */ 83 #define AT_IPC_SEM ((unsigned char)2) /* Semaphore IPC id. */ 84 #define AT_IPC_SHM ((unsigned char)3) /* Shared mem IPC id. */ 85 86 /* 87 * Audit conditions. 88 */ 89 #define AUC_UNSET 0 90 #define AUC_AUDITING 1 91 #define AUC_NOAUDIT 2 92 #define AUC_DISABLED -1 93 94 /* 95 * auditon(2) commands. 96 */ 97 #define A_OLDGETPOLICY 2 98 #define A_OLDSETPOLICY 3 99 #define A_GETKMASK 4 100 #define A_SETKMASK 5 101 #define A_OLDGETQCTRL 6 102 #define A_OLDSETQCTRL 7 103 #define A_GETCWD 8 104 #define A_GETCAR 9 105 #define A_GETSTAT 12 106 #define A_SETSTAT 13 107 #define A_SETUMASK 14 108 #define A_SETSMASK 15 109 #define A_OLDGETCOND 20 110 #define A_OLDSETCOND 21 111 #define A_GETCLASS 22 112 #define A_SETCLASS 23 113 #define A_GETPINFO 24 114 #define A_SETPMASK 25 115 #define A_SETFSIZE 26 116 #define A_GETFSIZE 27 117 #define A_GETPINFO_ADDR 28 118 #define A_GETKAUDIT 29 119 #define A_SETKAUDIT 30 120 #define A_SENDTRIGGER 31 121 #define A_GETSINFO_ADDR 32 122 #define A_GETPOLICY 33 123 #define A_SETPOLICY 34 124 #define A_GETQCTRL 35 125 #define A_SETQCTRL 36 126 #define A_GETCOND 37 127 #define A_SETCOND 38 128 #define A_GETSFLAGS 39 129 #define A_SETSFLAGS 40 130 #define A_GETCTLMODE 41 131 #define A_SETCTLMODE 42 132 #define A_GETEXPAFTER 43 133 #define A_SETEXPAFTER 44 134 135 /* 136 * Audit policy controls. 137 */ 138 #define AUDIT_CNT 0x0001 139 #define AUDIT_AHLT 0x0002 140 #define AUDIT_ARGV 0x0004 141 #define AUDIT_ARGE 0x0008 142 #define AUDIT_SEQ 0x0010 143 #define AUDIT_WINDATA 0x0020 144 #define AUDIT_USER 0x0040 145 #define AUDIT_GROUP 0x0080 146 #define AUDIT_TRAIL 0x0100 147 #define AUDIT_PATH 0x0200 148 #define AUDIT_SCNT 0x0400 149 #define AUDIT_PUBLIC 0x0800 150 #define AUDIT_ZONENAME 0x1000 151 #define AUDIT_PERZONE 0x2000 152 153 /* 154 * Default audit queue control parameters. 155 */ 156 #define AQ_HIWATER 100 157 #define AQ_MAXHIGH 10000 158 #define AQ_LOWATER 10 159 #define AQ_BUFSZ MAXAUDITDATA 160 #define AQ_MAXBUFSZ 1048576 161 162 /* 163 * Default minimum percentage free space on file system. 164 */ 165 #define AU_FS_MINFREE 20 166 167 /* 168 * Type definitions used indicating the length of variable length addresses 169 * in tokens containing addresses, such as header fields. 170 */ 171 #define AU_IPv4 4 172 #define AU_IPv6 16 173 174 /* 175 * Reserved audit class mask indicating which classes are unable to have 176 * events added or removed by unentitled processes. 177 */ 178 #define AU_CLASS_MASK_RESERVED 0x10000000 179 180 /* 181 * Audit control modes 182 */ 183 #define AUDIT_CTLMODE_NORMAL ((unsigned char)1) 184 #define AUDIT_CTLMODE_EXTERNAL ((unsigned char)2) 185 186 /* 187 * Audit file expire_after op modes 188 */ 189 #define AUDIT_EXPIRE_OP_AND ((unsigned char)0) 190 #define AUDIT_EXPIRE_OP_OR ((unsigned char)1) 191 192 __BEGIN_DECLS 193 194 typedef uid_t au_id_t; 195 typedef pid_t au_asid_t; 196 typedef u_int16_t au_event_t; 197 typedef u_int16_t au_emod_t; 198 typedef u_int32_t au_class_t; 199 typedef u_int64_t au_asflgs_t __attribute__ ((aligned(8))); 200 typedef unsigned char au_ctlmode_t; 201 202 struct au_tid { 203 dev_t port; 204 u_int32_t machine; 205 }; 206 typedef struct au_tid au_tid_t; 207 208 struct au_tid_addr { 209 dev_t at_port; 210 u_int32_t at_type; 211 u_int32_t at_addr[4]; 212 }; 213 typedef struct au_tid_addr au_tid_addr_t; 214 215 struct au_mask { 216 unsigned int am_success; /* Success bits. */ 217 unsigned int am_failure; /* Failure bits. */ 218 }; 219 typedef struct au_mask au_mask_t; 220 221 struct auditinfo { 222 au_id_t ai_auid; /* Audit user ID. */ 223 au_mask_t ai_mask; /* Audit masks. */ 224 au_tid_t ai_termid; /* Terminal ID. */ 225 au_asid_t ai_asid; /* Audit session ID. */ 226 }; 227 typedef struct auditinfo auditinfo_t; 228 229 struct auditinfo_addr { 230 au_id_t ai_auid; /* Audit user ID. */ 231 au_mask_t ai_mask; /* Audit masks. */ 232 au_tid_addr_t ai_termid; /* Terminal ID. */ 233 au_asid_t ai_asid; /* Audit session ID. */ 234 au_asflgs_t ai_flags; /* Audit session flags. */ 235 }; 236 typedef struct auditinfo_addr auditinfo_addr_t; 237 238 struct auditpinfo { 239 pid_t ap_pid; /* ID of target process. */ 240 au_id_t ap_auid; /* Audit user ID. */ 241 au_mask_t ap_mask; /* Audit masks. */ 242 au_tid_t ap_termid; /* Terminal ID. */ 243 au_asid_t ap_asid; /* Audit session ID. */ 244 }; 245 typedef struct auditpinfo auditpinfo_t; 246 247 struct auditpinfo_addr { 248 pid_t ap_pid; /* ID of target process. */ 249 au_id_t ap_auid; /* Audit user ID. */ 250 au_mask_t ap_mask; /* Audit masks. */ 251 au_tid_addr_t ap_termid; /* Terminal ID. */ 252 au_asid_t ap_asid; /* Audit session ID. */ 253 au_asflgs_t ap_flags; /* Audit session flags. */ 254 }; 255 typedef struct auditpinfo_addr auditpinfo_addr_t; 256 257 struct au_session { 258 auditinfo_addr_t *as_aia_p; /* Ptr to full audit info. */ 259 au_mask_t as_mask; /* Process Audit Masks. */ 260 }; 261 typedef struct au_session au_session_t; 262 263 struct au_expire_after { 264 time_t age; /* Age after which trail files should be expired */ 265 size_t size; /* Aggregate trail size when files should be expired */ 266 unsigned char op_type; /* Operator used with the above values to determine when files should be expired */ 267 }; 268 typedef struct au_expire_after au_expire_after_t; 269 270 /* 271 * Contents of token_t are opaque outside of libbsm. 272 */ 273 typedef struct au_token token_t; 274 275 /* 276 * Kernel audit queue control parameters: 277 * Default: Maximum: 278 * aq_hiwater: AQ_HIWATER (100) AQ_MAXHIGH (10000) 279 * aq_lowater: AQ_LOWATER (10) <aq_hiwater 280 * aq_bufsz: AQ_BUFSZ (32767) AQ_MAXBUFSZ (1048576) 281 * aq_delay: 20 20000 (not used) 282 */ 283 struct au_qctrl { 284 int aq_hiwater; /* Max # of audit recs in queue when */ 285 /* threads with new ARs get blocked. */ 286 287 int aq_lowater; /* # of audit recs in queue when */ 288 /* blocked threads get unblocked. */ 289 290 int aq_bufsz; /* Max size of audit record for audit(2). */ 291 int aq_delay; /* Queue delay (not used). */ 292 int aq_minfree; /* Minimum filesystem percent free space. */ 293 }; 294 typedef struct au_qctrl au_qctrl_t; 295 296 /* 297 * Structure for the audit statistics. 298 */ 299 struct audit_stat { 300 unsigned int as_version; 301 unsigned int as_numevent; 302 int as_generated; 303 int as_nonattrib; 304 int as_kernel; 305 int as_audit; 306 int as_auditctl; 307 int as_enqueue; 308 int as_written; 309 int as_wblocked; 310 int as_rblocked; 311 int as_dropped; 312 int as_totalsize; 313 unsigned int as_memused; 314 }; 315 typedef struct audit_stat au_stat_t; 316 317 /* 318 * Structure for the audit file statistics. 319 */ 320 struct audit_fstat { 321 u_int64_t af_filesz; 322 u_int64_t af_currsz; 323 }; 324 typedef struct audit_fstat au_fstat_t; 325 326 /* 327 * Audit to event class mapping. 328 */ 329 struct au_evclass_map { 330 au_event_t ec_number; 331 au_class_t ec_class; 332 }; 333 typedef struct au_evclass_map au_evclass_map_t; 334 335 /* 336 * Audit session flags for the ai_flags member of auditinfo_addr. 337 */ 338 enum audit_session_flags { 339 /* The initial session created by PID 1. */ 340 AU_SESSION_FLAG_IS_INITIAL = 0x0001, 341 342 /* The graphics subsystem (CoreGraphics, etc.) is available. */ 343 AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS = 0x0010, 344 345 /* /dev/tty is available. */ 346 AU_SESSION_FLAG_HAS_TTY = 0x0020, 347 348 /* The session was created for a remote connection. */ 349 AU_SESSION_FLAG_IS_REMOTE = 0x1000, 350 351 /* The console and associated devices are available. */ 352 AU_SESSION_FLAG_HAS_CONSOLE_ACCESS = 0x2000, 353 354 /* An active, authenticated user is associated with the session. */ 355 AU_SESSION_FLAG_HAS_AUTHENTICATED = 0x4000, 356 }; 357 358 __END_DECLS 359 360 #if !defined(_KERNEL) && !defined(KERNEL) 361 #include <Availability.h> 362 #define __AUDIT_API_DEPRECATED __API_DEPRECATED("audit is deprecated", macos(10.4, 10.16)) 363 #else 364 #define __AUDIT_API_DEPRECATED 365 #endif 366 367 /* 368 * Audit system calls. 369 */ 370 #if !defined(_KERNEL) && !defined(KERNEL) 371 372 __BEGIN_DECLS 373 374 int audit(const void *, int) 375 __AUDIT_API_DEPRECATED; 376 int auditon(int, void *, int) 377 __AUDIT_API_DEPRECATED; 378 int auditctl(const char *) 379 __AUDIT_API_DEPRECATED; 380 int getauid(au_id_t *); 381 int setauid(const au_id_t *); 382 int getaudit_addr(struct auditinfo_addr *, int); 383 int setaudit_addr(const struct auditinfo_addr *, int); 384 385 __END_DECLS 386 387 #if defined(__APPLE__) 388 #include <Availability.h> 389 390 __BEGIN_DECLS 391 392 /* 393 * getaudit()/setaudit() are deprecated and have been replaced with 394 * wrappers to the getaudit_addr()/setaudit_addr() syscalls above. 395 */ 396 397 int getaudit(struct auditinfo *) 398 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8, 399 __IPHONE_2_0, __IPHONE_6_0); 400 int setaudit(const struct auditinfo *) 401 __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8, 402 __IPHONE_2_0, __IPHONE_6_0); 403 404 __END_DECLS 405 406 #else 407 408 __BEGIN_DECLS 409 410 int getaudit(struct auditinfo *) 411 __AUDIT_API_DEPRECATED; 412 int setaudit(const struct auditinfo *) 413 __AUDIT_API_DEPRECATED; 414 415 __END_DECLS 416 417 #endif /* !__APPLE__ */ 418 419 #ifdef __APPLE_API_PRIVATE 420 #include <mach/port.h> 421 422 __BEGIN_DECLS 423 424 mach_port_name_t audit_session_self(void); 425 au_asid_t audit_session_join(mach_port_name_t port); 426 int audit_session_port(au_asid_t asid, mach_port_name_t *portname); 427 428 __END_DECLS 429 430 #endif /* __APPLE_API_PRIVATE */ 431 432 #endif /* defined(_KERNEL) || defined(KERNEL) */ 433 434 #endif /* !_BSM_AUDIT_H */ 435