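/*-
 * Copyright (c) 2005-2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10 $
 */

/*
 * BSM audit definitions: record limits, audit daemon triggers, auditon(2)
 * command numbers, policy flags, and the structures and prototypes of the
 * audit system calls.  The prototypes are hidden when _KERNEL or KERNEL is
 * defined; everything else is visible to both kinds of build.
 *
 * NOTE(review): the structures below appear to be the payloads passed
 * through the `void *` argument of auditon(2), so field order, field widths
 * and the alignment of au_asflgs_t are presumably ABI.  Confirm against the
 * kernel side before changing any of them.
 */

#ifndef _BSM_AUDIT_H
#define	_BSM_AUDIT_H

#include <sys/param.h>
#include <sys/types.h>

#define	AUDIT_RECORD_MAGIC	0x828a0f1b
#define	MAX_AUDIT_RECORDS	20
#define	MAXAUDITDATA		(0x8000 - 1)	/* 32767 bytes. */
#define	MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA
#define	MIN_AUDIT_FILE_SIZE	(512 * 1024)

/*
 * Minimum number of free blocks on the filesystem containing the audit
 * log necessary to avoid a hard log rotation.  DO NOT SET THIS VALUE TO 0
 * as the kernel does an unsigned compare, plus we want to leave a few blocks
 * free so userspace can terminate the log, etc.
 */
#define	AUDIT_HARD_LIMIT_FREE_BLOCKS	4

/*
 * Triggers for the audit daemon.  AUDIT_TRIGGER_MIN and AUDIT_TRIGGER_MAX
 * bracket the valid range and must be kept in step with the list.
 */
#define	AUDIT_TRIGGER_MIN		1
#define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */
#define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */
#define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */
#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */
#define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */
#define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests rotate. */
#define	AUDIT_TRIGGER_INITIALIZE	7	/* User initialize of auditd. */
#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8	/* User expiration of trails. */
#define	AUDIT_TRIGGER_MAX		8

/*
 * The special device filename (FreeBSD).
 */
#define	AUDITDEV_FILENAME	"audit"
#define	AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)

/*
 * Pre-defined audit IDs.
 *
 * Each expansion is fully parenthesized so the macro behaves as a single
 * operand wherever it is used (for example `sizeof AU_DEFAUDITID`).
 */
#define	AU_DEFAUDITID	((uid_t)(-1))
#define	AU_DEFAUDITSID	0
#define	AU_ASSIGN_ASID	(-1)

/*
 * IPC types.
 */
#define	AT_IPC_MSG	((unsigned char)1)	/* Message IPC id. */
#define	AT_IPC_SEM	((unsigned char)2)	/* Semaphore IPC id. */
#define	AT_IPC_SHM	((unsigned char)3)	/* Shared mem IPC id. */

/*
 * Audit conditions.
 */
#define	AUC_UNSET	0
#define	AUC_AUDITING	1
#define	AUC_NOAUDIT	2
#define	AUC_DISABLED	(-1)

/*
 * auditon(2) commands.
 *
 * Several operations have two numbers, an A_OLD* one and a newer one (for
 * example A_OLDGETPOLICY 2 and A_GETPOLICY 33).
 * NOTE(review): presumably the old numbers are kept for binary
 * compatibility -- confirm before reusing or retiring any value.
 */
#define	A_OLDGETPOLICY	2
#define	A_OLDSETPOLICY	3
#define	A_GETKMASK	4
#define	A_SETKMASK	5
#define	A_OLDGETQCTRL	6
#define	A_OLDSETQCTRL	7
#define	A_GETCWD	8
#define	A_GETCAR	9
#define	A_GETSTAT	12
#define	A_SETSTAT	13
#define	A_SETUMASK	14
#define	A_SETSMASK	15
#define	A_OLDGETCOND	20
#define	A_OLDSETCOND	21
#define	A_GETCLASS	22
#define	A_SETCLASS	23
#define	A_GETPINFO	24
#define	A_SETPMASK	25
#define	A_SETFSIZE	26
#define	A_GETFSIZE	27
#define	A_GETPINFO_ADDR	28
#define	A_GETKAUDIT	29
#define	A_SETKAUDIT	30
#define	A_SENDTRIGGER	31
#define	A_GETSINFO_ADDR	32
#define	A_GETPOLICY	33
#define	A_SETPOLICY	34
#define	A_GETQCTRL	35
#define	A_SETQCTRL	36
#define	A_GETCOND	37
#define	A_SETCOND	38
#define	A_GETSFLAGS	39
#define	A_SETSFLAGS	40
#define	A_GETCTLMODE	41
#define	A_SETCTLMODE	42
#define	A_GETEXPAFTER	43
#define	A_SETEXPAFTER	44

/*
 * Audit policy controls (bit flags, combined with bitwise OR).
 *
 * NOTE(review): as described in audit_control(5), AUDIT_CNT lets processes
 * keep running when audit records cannot be stored, and AUDIT_AHLT halts
 * the system when an event cannot be audited.  The pair decides whether the
 * system favors availability or a complete audit trail -- confirm the exact
 * semantics for the target platform before changing a default.
 */
#define	AUDIT_CNT	0x0001
#define	AUDIT_AHLT	0x0002
#define	AUDIT_ARGV	0x0004
#define	AUDIT_ARGE	0x0008
#define	AUDIT_SEQ	0x0010
#define	AUDIT_WINDATA	0x0020
#define	AUDIT_USER	0x0040
#define	AUDIT_GROUP	0x0080
#define	AUDIT_TRAIL	0x0100
#define	AUDIT_PATH	0x0200
#define	AUDIT_SCNT	0x0400
#define	AUDIT_PUBLIC	0x0800
#define	AUDIT_ZONENAME	0x1000
#define	AUDIT_PERZONE	0x2000

/*
 * Default audit queue control parameters.
 */
#define	AQ_HIWATER	100
#define	AQ_MAXHIGH	10000
#define	AQ_LOWATER	10
#define	AQ_BUFSZ	MAXAUDITDATA
#define	AQ_MAXBUFSZ	1048576

/*
 * Default minimum percentage free space on file system.
 */
#define	AU_FS_MINFREE	20

/*
 * Type definitions used indicating the length of variable length addresses
 * in tokens containing addresses, such as header fields.  The values are
 * address lengths in bytes; AU_IPv6 equals the size of au_tid_addr.at_addr.
 */
#define	AU_IPv4		4
#define	AU_IPv6		16

/*
 * Reserved audit class mask indicating which classes are unable to have
 * events added or removed by unentitled processes.
 */
#define	AU_CLASS_MASK_RESERVED	0x10000000

/*
 * Audit control modes.
 */
#define	AUDIT_CTLMODE_NORMAL	((unsigned char)1)
#define	AUDIT_CTLMODE_EXTERNAL	((unsigned char)2)

/*
 * Audit file expire_after op modes.
 */
#define	AUDIT_EXPIRE_OP_AND	((unsigned char)0)
#define	AUDIT_EXPIRE_OP_OR	((unsigned char)1)

__BEGIN_DECLS

typedef	uid_t		au_id_t;
typedef	pid_t		au_asid_t;
typedef	u_int16_t	au_event_t;
typedef	u_int16_t	au_emod_t;
typedef	u_int32_t	au_class_t;
/*
 * The attribute pins the flags word to an 8-byte boundary in every
 * structure that embeds it.
 */
typedef	u_int64_t	au_asflgs_t __attribute__ ((aligned(8)));
typedef	unsigned char	au_ctlmode_t;

/* Terminal ID in its fixed form: one 32-bit machine word. */
struct au_tid {
	dev_t		port;
	u_int32_t	machine;
};
typedef	struct au_tid	au_tid_t;

/*
 * Terminal ID with a typed address.  at_addr holds 16 bytes, which matches
 * AU_IPv6.
 * NOTE(review): at_type presumably carries AU_IPv4 or AU_IPv6 to say how
 * much of at_addr is meaningful -- confirm, and validate it before trusting
 * a structure received from another component.
 */
struct au_tid_addr {
	dev_t		at_port;
	u_int32_t	at_type;
	u_int32_t	at_addr[4];
};
typedef	struct au_tid_addr	au_tid_addr_t;

/* Preselection mask: separate class bits for successes and failures. */
struct au_mask {
	unsigned int	am_success;	/* Success bits. */
	unsigned int	am_failure;	/* Failure bits. */
};
typedef	struct au_mask	au_mask_t;

/* Audit state used by getaudit()/setaudit(). */
struct auditinfo {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
};
typedef	struct auditinfo	auditinfo_t;

/* Audit state used by getaudit_addr()/setaudit_addr(). */
struct auditinfo_addr {
	au_id_t		ai_auid;	/* Audit user ID. */
	au_mask_t	ai_mask;	/* Audit masks. */
	au_tid_addr_t	ai_termid;	/* Terminal ID. */
	au_asid_t	ai_asid;	/* Audit session ID. */
	au_asflgs_t	ai_flags;	/* Audit session flags. */
};
typedef	struct auditinfo_addr	auditinfo_addr_t;

/* Audit state of the process named by ap_pid. */
struct auditpinfo {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
};
typedef	struct auditpinfo	auditpinfo_t;

/* As struct auditpinfo, with a typed terminal address and session flags. */
struct auditpinfo_addr {
	pid_t		ap_pid;		/* ID of target process. */
	au_id_t		ap_auid;	/* Audit user ID. */
	au_mask_t	ap_mask;	/* Audit masks. */
	au_tid_addr_t	ap_termid;	/* Terminal ID. */
	au_asid_t	ap_asid;	/* Audit session ID. */
	au_asflgs_t	ap_flags;	/* Audit session flags. */
};
typedef	struct auditpinfo_addr	auditpinfo_addr_t;

struct au_session {
	auditinfo_addr_t	*as_aia_p;	/* Ptr to full audit info. */
	au_mask_t		 as_mask;	/* Process Audit Masks. */
};
typedef	struct au_session	au_session_t;

struct au_expire_after {
	/* Age after which trail files should be expired. */
	time_t		age;
	/* Aggregate trail size when files should be expired. */
	size_t		size;
	/*
	 * Operator used with the above values to determine when files
	 * should be expired (AUDIT_EXPIRE_OP_AND / AUDIT_EXPIRE_OP_OR).
	 */
	unsigned char	op_type;
};
typedef	struct au_expire_after	au_expire_after_t;

/*
 * Contents of token_t are opaque outside of libbsm.
 */
typedef	struct au_token	token_t;

/*
 * Kernel audit queue control parameters:
 *			Default:		Maximum:
 *	aq_hiwater:	AQ_HIWATER (100)	AQ_MAXHIGH (10000)
 *	aq_lowater:	AQ_LOWATER (10)		<aq_hiwater
 *	aq_bufsz:	AQ_BUFSZ (32767)	AQ_MAXBUFSZ (1048576)
 *	aq_delay:	20			20000 (not used)
 */
struct au_qctrl {
	int	aq_hiwater;	/* Max # of audit recs in queue when */
				/* threads with new ARs get blocked. */

	int	aq_lowater;	/* # of audit recs in queue when */
				/* blocked threads get unblocked. */

	int	aq_bufsz;	/* Max size of audit record for audit(2). */
	int	aq_delay;	/* Queue delay (not used). */
	int	aq_minfree;	/* Minimum filesystem percent free space. */
};
typedef	struct au_qctrl	au_qctrl_t;

/*
 * Structure for the audit statistics.
 */
struct audit_stat {
	unsigned int	as_version;
	unsigned int	as_numevent;
	int		as_generated;
	int		as_nonattrib;
	int		as_kernel;
	int		as_audit;
	int		as_auditctl;
	int		as_enqueue;
	int		as_written;
	int		as_wblocked;
	int		as_rblocked;
	int		as_dropped;
	int		as_totalsize;
	unsigned int	as_memused;
};
typedef	struct audit_stat	au_stat_t;

/*
 * Structure for the audit file statistics.
 */
struct audit_fstat {
	u_int64_t	af_filesz;
	u_int64_t	af_currsz;
};
typedef	struct audit_fstat	au_fstat_t;

/*
 * Audit to event class mapping.
 */
struct au_evclass_map {
	au_event_t	ec_number;
	au_class_t	ec_class;
};
typedef	struct au_evclass_map	au_evclass_map_t;


/*
 * Deprecation marker for the audit API.  <Availability.h> and
 * __API_DEPRECATED are Apple-specific, so they are used only for Apple
 * userspace builds.  Everywhere else the marker expands to nothing, which
 * keeps the non-Apple prototypes below (the #else branch that declares
 * getaudit()/setaudit()) compilable.
 */
#if !defined(_KERNEL) && !defined(KERNEL) && defined(__APPLE__)
#include <Availability.h>
#define	__AUDIT_API_DEPRECATED	__API_DEPRECATED("audit is deprecated", macos(10.4, 10.16))
#else
#define	__AUDIT_API_DEPRECATED
#endif

/*
 * Audit system calls.
 */
#if !defined(_KERNEL) && !defined(KERNEL)
int	audit(const void *, int)
	    __AUDIT_API_DEPRECATED;
int	auditon(int, void *, int)
	    __AUDIT_API_DEPRECATED;
int	auditctl(const char *)
	    __AUDIT_API_DEPRECATED;
int	getauid(au_id_t *);
int	setauid(const au_id_t *);
int	getaudit_addr(struct auditinfo_addr *, int);
int	setaudit_addr(const struct auditinfo_addr *, int);

#if defined(__APPLE__)
#include <Availability.h>

/*
 * getaudit()/setaudit() are deprecated and have been replaced with
 * wrappers to the getaudit_addr()/setaudit_addr() syscalls above.
 */

int	getaudit(struct auditinfo *)
	    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8,
	    __IPHONE_2_0, __IPHONE_6_0);
int	setaudit(const struct auditinfo *)
	    __OSX_AVAILABLE_BUT_DEPRECATED(__MAC_10_0, __MAC_10_8,
	    __IPHONE_2_0, __IPHONE_6_0);
#else

int	getaudit(struct auditinfo *)
	    __AUDIT_API_DEPRECATED;
int	setaudit(const struct auditinfo *)
	    __AUDIT_API_DEPRECATED;
#endif /* !__APPLE__ */

#ifdef __APPLE_API_PRIVATE
#include <mach/port.h>
mach_port_name_t audit_session_self(void);
au_asid_t	 audit_session_join(mach_port_name_t port);
int		 audit_session_port(au_asid_t asid, mach_port_name_t *portname);
#endif /* __APPLE_API_PRIVATE */

#endif /* !defined(_KERNEL) && !defined(KERNEL) */

__END_DECLS

#endif /* !_BSM_AUDIT_H */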