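/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10 $
 */

/*
 * Constants, types and system-call prototypes for the BSM audit interface.
 * The prototypes at the end are only declared for non-kernel builds.
 */

#ifndef _BSM_AUDIT_H
#define _BSM_AUDIT_H

#include <sys/param.h>
#include <sys/types.h>

/*
 * Audit record limits.  MAX_AUDIT_RECORD_SIZE is an alias for MAXAUDITDATA
 * (0x8000 - 1 = 32767); AQ_BUFSZ further down uses the same value as the
 * default audit(2) record buffer size.
 */
#define AUDIT_RECORD_MAGIC	0x828a0f1b
#define MAX_AUDIT_RECORDS	20
#define MAXAUDITDATA		(0x8000 - 1)
#define MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA
#define MIN_AUDIT_FILE_SIZE	(512 * 1024)

/*
 * Minimum number of free blocks on the filesystem containing the audit
 * log necessary to avoid a hard log rotation.  DO NOT SET THIS VALUE TO 0
 * as the kernel does an unsigned compare, plus we want to leave a few blocks
 * free so userspace can terminate the log, etc.
 */
#define AUDIT_HARD_LIMIT_FREE_BLOCKS	4

/*
 * Triggers for the audit daemon.  AUDIT_TRIGGER_MIN and AUDIT_TRIGGER_MAX
 * bracket the valid range (1..8), so a received trigger value can be
 * range-checked against them before it is dispatched.
 */
#define AUDIT_TRIGGER_MIN		1
#define AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
#define AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
#define AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
#define AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
#define AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
#define AUDIT_TRIGGER_ROTATE_USER	6	/* User requests rotate. */
#define AUDIT_TRIGGER_INITIALIZE	7	/* User initialize of auditd. */
#define AUDIT_TRIGGER_EXPIRE_TRAILS	8	/* User expiration of trails. */
#define AUDIT_TRIGGER_MAX		8

/*
 * The special device filename (FreeBSD).
 */
#define AUDITDEV_FILENAME	"audit"
#define AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)

/*
 * Pre-defined audit IDs.
 *
 * The expansions are fully parenthesized so that they behave as a single
 * operand wherever they are used (e.g. `sizeof AU_DEFAUDITID`); the values
 * themselves are unchanged.
 */
#define AU_DEFAUDITID	((uid_t)(-1))
#define AU_DEFAUDITSID	0
#define AU_ASSIGN_ASID	(-1)

/*
 * IPC types.
 */
#define AT_IPC_MSG	((unsigned char)1)	/* Message IPC id. */
#define AT_IPC_SEM	((unsigned char)2)	/* Semaphore IPC id. */
#define AT_IPC_SHM	((unsigned char)3)	/* Shared mem IPC id. */

/*
 * Audit conditions.  AUC_DISABLED is parenthesized for the same reason as
 * the audit IDs above.
 */
#define AUC_UNSET	0
#define AUC_AUDITING	1
#define AUC_NOAUDIT	2
#define AUC_DISABLED	(-1)

/*
 * auditon(2) commands.
 *
 * The A_OLD* values and their un-prefixed counterparts (A_GETPOLICY,
 * A_GETQCTRL, A_GETCOND, ...) are distinct command numbers.
 * NOTE(review): the A_SET* commands change kernel audit configuration, so
 * the privilege check for them lives in the kernel, not in this header --
 * confirm against the auditon() implementation.
 */
#define A_OLDGETPOLICY	2
#define A_OLDSETPOLICY	3
#define A_GETKMASK	4
#define A_SETKMASK	5
#define A_OLDGETQCTRL	6
#define A_OLDSETQCTRL	7
#define A_GETCWD	8
#define A_GETCAR	9
#define A_GETSTAT	12
#define A_SETSTAT	13
#define A_SETUMASK	14
#define A_SETSMASK	15
#define A_OLDGETCOND	20
#define A_OLDSETCOND	21
#define A_GETCLASS	22
#define A_SETCLASS	23
#define A_GETPINFO	24
#define A_SETPMASK	25
#define A_SETFSIZE	26
#define A_GETFSIZE	27
#define A_GETPINFO_ADDR	28
#define A_GETKAUDIT	29
#define A_SETKAUDIT	30
#define A_SENDTRIGGER	31
#define A_GETSINFO_ADDR	32
#define A_GETPOLICY	33
#define A_SETPOLICY	34
#define A_GETQCTRL	35
#define A_SETQCTRL	36
#define A_GETCOND	37
#define A_SETCOND	38
#define A_GETSFLAGS	39
#define A_SETSFLAGS	40
#define A_GETCTLMODE	41
#define A_SETCTLMODE	42
#define A_GETEXPAFTER	43
#define A_SETEXPAFTER	44

/*
 * Audit policy controls.  Each value is a single bit, so they can be OR-ed
 * into one policy word.
 * NOTE(review): these appear to be the bits behind the audit_control(5)
 * policy flags (cnt, ahlt, argv, ...) -- confirm.  If so, AUDIT_CNT and
 * AUDIT_AHLT govern what the system does when a record cannot be written,
 * which makes any change to the policy word worth auditing in its own right.
 */
#define AUDIT_CNT	0x0001
#define AUDIT_AHLT	0x0002
#define AUDIT_ARGV	0x0004
#define AUDIT_ARGE	0x0008
#define AUDIT_SEQ	0x0010
#define AUDIT_WINDATA	0x0020
#define AUDIT_USER	0x0040
#define AUDIT_GROUP	0x0080
#define AUDIT_TRAIL	0x0100
#define AUDIT_PATH	0x0200
#define AUDIT_SCNT	0x0400
#define AUDIT_PUBLIC	0x0800
#define AUDIT_ZONENAME	0x1000
#define AUDIT_PERZONE	0x2000

/*
 * Default audit queue control parameters.
 */
#define AQ_HIWATER	100
#define AQ_MAXHIGH	10000
#define AQ_LOWATER	10
#define AQ_BUFSZ	MAXAUDITDATA
#define AQ_MAXBUFSZ	1048576

/*
 * Default minimum percentage free space on file system.
 */
#define AU_FS_MINFREE	20

/*
 * Address-type values giving the length, in bytes, of the variable-length
 * addresses in tokens containing addresses, such as header fields.
 */
#define AU_IPv4		4
#define AU_IPv6		16

/*
 * Reserved audit class mask indicating which classes are unable to have
 * events added or removed by unentitled processes.
 */
#define AU_CLASS_MASK_RESERVED	0x10000000

/*
 * Audit control modes (values of au_ctlmode_t, which is unsigned char).
 */
#define AUDIT_CTLMODE_NORMAL	((unsigned char)1)
#define AUDIT_CTLMODE_EXTERNAL	((unsigned char)2)

/*
 * Audit file expire_after op modes.
 */
#define AUDIT_EXPIRE_OP_AND	((unsigned char)0)
#define AUDIT_EXPIRE_OP_OR	((unsigned char)1)

__BEGIN_DECLS

/* Scalar audit types; au_id_t shares uid_t's representation. */
typedef uid_t		au_id_t;
typedef pid_t		au_asid_t;
typedef u_int16_t	au_event_t;
typedef u_int16_t	au_emod_t;
typedef u_int32_t	au_class_t;
typedef u_int64_t	au_asflgs_t __attribute__ ((aligned(8)));
typedef unsigned char	au_ctlmode_t;

/* Terminal ID carrying a single 32-bit machine address. */
struct au_tid {
	dev_t		port;
	u_int32_t	machine;
};
typedef struct au_tid	au_tid_t;

/*
 * Terminal ID with a variable-length address.  at_addr is 4 x u_int32_t
 * (16 bytes), which is large enough for an AU_IPv6 address.
 * NOTE(review): at_type presumably holds AU_IPv4 or AU_IPv6; consumers
 * should not assume more than 16 address bytes -- confirm against callers.
 */
struct au_tid_addr {
	dev_t		at_port;
	u_int32_t	at_type;
	u_int32_t	at_addr[4];
};
typedef struct au_tid_addr	au_tid_addr_t;

/* Pre-selection masks for successful and failed events. */
struct au_mask {
	unsigned int	am_success;	/* Success bits. */
	unsigned int	am_failure;	/* Failure bits. */
};
typedef struct au_mask	au_mask_t;

/* Audit state used by the deprecated getaudit()/setaudit() calls. */
struct auditinfo {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
};
typedef struct auditinfo	auditinfo_t;

/* Extended form used by getaudit_addr()/setaudit_addr(). */
struct auditinfo_addr {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_addr_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
	au_asflgs_t	ai_flags;	/* Audit session flags. */
};
typedef struct auditinfo_addr	auditinfo_addr_t;

/* Audit state of one target process, identified by ap_pid. */
struct auditpinfo {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
};
typedef struct auditpinfo	auditpinfo_t;

/* Extended per-process form with a variable-length terminal address. */
struct auditpinfo_addr {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_addr_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
	au_asflgs_t	ap_flags;	/* Audit session flags. */
};
typedef struct auditpinfo_addr	auditpinfo_addr_t;

/*
 * Audit session reference.  as_aia_p is a bare pointer; this header does
 * not say who owns or frees the pointed-to auditinfo_addr_t.
 */
struct au_session {
	auditinfo_addr_t	*as_aia_p;	/* Ptr to full audit info. */
	au_mask_t		as_mask;	/* Process Audit Masks. */
};
typedef struct au_session	au_session_t;

/*
 * Trail expiration settings.
 * NOTE(review): op_type presumably takes AUDIT_EXPIRE_OP_AND or
 * AUDIT_EXPIRE_OP_OR -- confirm.
 */
struct au_expire_after {
	time_t		age;	/* Age after which trail files should be expired */
	size_t		size;	/* Aggregate trail size when files should be expired */
	unsigned char	op_type; /* Operator used with the above values to determine when files should be expired */
};
typedef struct au_expire_after	au_expire_after_t;

/*
 * Contents of token_t are opaque outside of libbsm.
 */
typedef struct au_token	token_t;

/*
 * Kernel audit queue control parameters:
 *			Default:		Maximum:
 *	aq_hiwater:	AQ_HIWATER (100)	AQ_MAXHIGH (10000)
 *	aq_lowater:	AQ_LOWATER (10)		<aq_hiwater
 *	aq_bufsz:	AQ_BUFSZ (32767)	AQ_MAXBUFSZ (1048576)
 *	aq_delay:	20			20000 (not used)
 *
 * Every field is a signed int, so a caller-supplied structure can carry
 * negative or out-of-range values; nothing in this header enforces the
 * limits listed above.
 */
struct au_qctrl {
	int	aq_hiwater;	/* Max # of audit recs in queue when */
				/* threads with new ARs get blocked. */

	int	aq_lowater;	/* # of audit recs in queue when */
				/* blocked threads get unblocked. */

	int	aq_bufsz;	/* Max size of audit record for audit(2). */
	int	aq_delay;	/* Queue delay (not used). */
	int	aq_minfree;	/* Minimum filesystem percent free space. */
};
typedef struct au_qctrl	au_qctrl_t;

/*
 * Structure for the audit statistics.
 * NOTE(review): most counters are plain int.  as_dropped presumably counts
 * records that were discarded rather than written, which would make it the
 * field to watch for audit loss -- confirm against the kernel code.
 */
struct audit_stat {
	unsigned int	as_version;
	unsigned int	as_numevent;
	int		as_generated;
	int		as_nonattrib;
	int		as_kernel;
	int		as_audit;
	int		as_auditctl;
	int		as_enqueue;
	int		as_written;
	int		as_wblocked;
	int		as_rblocked;
	int		as_dropped;
	int		as_totalsize;
	unsigned int	as_memused;
};
typedef struct audit_stat	au_stat_t;

/*
 * Structure for the audit file statistics.
 */
struct audit_fstat {
	u_int64_t	af_filesz;
	u_int64_t	af_currsz;
};
typedef struct audit_fstat	au_fstat_t;

/*
 * Audit to event class mapping.
 */
struct au_evclass_map {
	au_event_t	ec_number;
	au_class_t	ec_class;
};
typedef struct au_evclass_map	au_evclass_map_t;


/*
 * Non-kernel builds mark the audit calls as deprecated through
 * <Availability.h>; kernel builds expand the marker to nothing.
 */
#if !defined(_KERNEL) && !defined(KERNEL)
#include <Availability.h>
#define __AUDIT_API_DEPRECATED __API_DEPRECATED("audit is deprecated", macos(10.4, 10.16))
#else
#define __AUDIT_API_DEPRECATED
#endif

/*
 * Audit system calls.
 */
#if !defined(_KERNEL) && !defined(KERNEL)
int	audit(const void *, int)
	__AUDIT_API_DEPRECATED;
int	auditon(int, void *, int)
	__AUDIT_API_DEPRECATED;
int	auditctl(const char *)
	__AUDIT_API_DEPRECATED;
int	getauid(au_id_t *);
int	setauid(const au_id_t *);
int	getaudit_addr(struct auditinfo_addr *, int);
int	setaudit_addr(const struct auditinfo_addr *, int);

#if defined(__APPLE__)
#include <Availability.h>

/*
 * getaudit()/setaudit() are deprecated and have been replaced with
 * wrappers to the getaudit_addr()/setaudit_addr() syscalls above.
 */

int	getaudit(struct auditinfo *)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8,
	__IPHONE_2_0, __IPHONE_6_0);
int	setaudit(const struct auditinfo *)
	__OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8,
	__IPHONE_2_0, __IPHONE_6_0);
#else

int	getaudit(struct auditinfo *)
	__AUDIT_API_DEPRECATED;
int	setaudit(const struct auditinfo *)
	__AUDIT_API_DEPRECATED;
#endif /* !__APPLE__ */

#ifdef __APPLE_API_PRIVATE
#include <mach/port.h>
mach_port_name_t audit_session_self(void);
au_asid_t	 audit_session_join(mach_port_name_t port);
int		 audit_session_port(au_asid_t asid, mach_port_name_t *portname);
#endif /* __APPLE_API_PRIVATE */

#endif /* !defined(_KERNEL) && !defined(KERNEL) */

__END_DECLS

#endif /* !_BSM_AUDIT_H */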