2 * Copyright (c) 2005 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
15 * its contributors may be used to endorse or promote products derived
16 * from this software without specific prior written permission.
18 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
19 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
22 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
25 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#1 $
/*
 * Audit record limits.  MAXAUDITDATA (32767 bytes) bounds the payload of a
 * single record and is reused as the default kernel queue buffer size
 * (AQ_BUFSZ below).  A submitter presenting a longer record to audit(2)
 * should expect it to be rejected rather than truncated.
 */
#define AUDIT_RECORD_MAGIC 0x828a0f1b	/* Marker value for audit records. */
#define MAX_AUDIT_RECORDS 20
#define MAXAUDITDATA (0x8000 - 1)		/* Largest single record, in bytes. */
#define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA	/* Alias kept for existing callers. */
#define MIN_AUDIT_FILE_SIZE (512 * 1024)	/* 512 KiB; NOTE(review): presumably the smallest usable trail file — confirm against auditd. */
/*
 * Triggers for the audit daemon.  Valid values lie in
 * [AUDIT_TRIGGER_MIN, AUDIT_TRIGGER_MAX]; anything outside that range should
 * be rejected by the receiver.  NOTE(review): these look like the values
 * carried by A_SENDTRIGGER (below) — confirm against auditon(2).
 */
#define AUDIT_TRIGGER_MIN 1
#define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */
#define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */
#define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests rotate. */
#define AUDIT_TRIGGER_MAX 6 /* Keep in sync when adding a trigger above. */
/*
 * The special device filename (FreeBSD).  AUDIT_TRIGGER_FILE is the full
 * /dev path built from it.
 */
#define AUDITDEV_FILENAME "audit"
#define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME) /* "/dev/audit" */
/*
 * Pre-defined audit IDs.
 */
/*
 * Default audit ID.  It is stored in an au_id_t, which is a uid_t (see the
 * typedefs below), so the -1 converts to (uid_t)-1 on platforms where uid_t
 * is unsigned.  Compare through au_id_t, never through a signed int, or the
 * "no audit identity" check silently stops matching.
 */
#define AU_DEFAUDITID -1
/*
 * IPC object type tags (single byte).  NOTE(review): presumably the type
 * field of IPC tokens — confirm against the token definitions.
 */
#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
/*
 * Audit condition values.  The constant for value 0 sits between these two
 * in the original header and is not visible in this excerpt.  NOTE(review):
 * the names suggest the global on/off state reported and set through
 * auditon(2) — confirm before relying on the semantics.
 */
#define AUC_AUDITING 1	/* Auditing is enabled. */
#define AUC_DISABLED -1	/* Audit subsystem is disabled. */
/*
 * auditon(2) commands.  Only the tail of the list (26-31) is visible here;
 * the lower-numbered commands precede it in the original header.
 */
#define A_SETFSIZE 26		/* Set trail file size limit (NOTE(review): inferred from name — confirm). */
#define A_GETFSIZE 27		/* Get trail file size limit. */
#define A_GETPINFO_ADDR 28	/* Per-process audit info, extended-address form (struct auditpinfo_addr below). */
#define A_GETKAUDIT 29		/* Get kernel audit state. */
#define A_SETKAUDIT 30		/* Set kernel audit state (privileged). */
#define A_SENDTRIGGER 31	/* Send a trigger to auditd; the value should be validated against AUDIT_TRIGGER_MIN..AUDIT_TRIGGER_MAX. */
/*
 * Audit policy controls.  Each value is a distinct bit, so a policy word is
 * the bitwise OR of the flags below.
 *
 * NOTE(review): in OpenBSM the first two select the failure mode of the
 * subsystem — AUDIT_CNT continues operating when a record cannot be
 * committed (fail-open), AUDIT_AHLT halts instead (fail-closed).  A policy
 * that sets neither, or both, deserves a look.  AUDIT_ARGV / AUDIT_ARGE
 * request command-line arguments and environment in exec records, which
 * can place secrets passed that way into the trail.  Confirm all of this
 * against audit_control(5) before depending on it.
 */
#define AUDIT_CNT 0x0001
#define AUDIT_AHLT 0x0002
#define AUDIT_ARGV 0x0004
#define AUDIT_ARGE 0x0008
#define AUDIT_SEQ 0x0010
#define AUDIT_WINDATA 0x0020
#define AUDIT_USER 0x0040
#define AUDIT_GROUP 0x0080
#define AUDIT_TRAIL 0x0100
#define AUDIT_PATH 0x0200
#define AUDIT_SCNT 0x0400
#define AUDIT_PUBLIC 0x0800
#define AUDIT_ZONENAME 0x1000
#define AUDIT_PERZONE 0x2000
/*
 * Default audit queue control parameters.  The *MAX* values read as the
 * ceilings a caller may configure (NOTE(review): presumably enforced when
 * the parameters are set via auditon(2) — confirm).
 */
#define AQ_HIWATER 100		/* Default queue high watermark (records). */
#define AQ_MAXHIGH 10000	/* Largest configurable high watermark. */
#define AQ_LOWATER 10		/* Default queue low watermark (records). */
#define AQ_BUFSZ MAXAUDITDATA	/* Default buffer size: one maximal record. */
#define AQ_MAXBUFSZ 1048576	/* Largest configurable buffer size (1 MiB). */
/*
 * Default minimum percentage free space on file system.  NOTE(review):
 * presumably the threshold behind the AUDIT_TRIGGER_NO_SPACE /
 * AUDIT_TRIGGER_LOW_SPACE triggers above — confirm.
 */
#define AU_FS_MINFREE 20
140 * Type definitions used to indicate the length of variable-length addresses
141 * in tokens containing addresses, such as header fields.
typedef uid_t au_id_t;		/* Audit user ID.  A uid_t, so AU_DEFAUDITID (-1) becomes (uid_t)-1 where uid_t is unsigned. */
typedef pid_t au_asid_t;	/* Audit session ID. */
typedef u_int16_t au_event_t;	/* Audit event number (16-bit). */
typedef u_int16_t au_emod_t;	/* Event modifier (16-bit). */
typedef u_int32_t au_class_t;	/* Audit event class (32-bit; used as bits per the am_success/am_failure comments below). */
typedef struct au_tid au_tid_t;	/* Terminal ID (fixed-size form); struct au_tid's body is outside this excerpt. */
163 u_int32_t at_addr[4];
165 typedef struct au_tid_addr au_tid_addr_t;
168 unsigned int am_success; /* Success bits. */
169 unsigned int am_failure; /* Failure bits. */
171 typedef struct au_mask au_mask_t;
174 au_id_t ai_auid; /* Audit user ID. */
175 au_mask_t ai_mask; /* Audit masks. */
176 au_tid_t ai_termid; /* Terminal ID. */
177 au_asid_t ai_asid; /* Audit session ID. */
179 typedef struct auditinfo auditinfo_t;
181 struct auditinfo_addr {
182 au_id_t ai_auid; /* Audit user ID. */
183 au_mask_t ai_mask; /* Audit masks. */
184 au_tid_addr_t ai_termid; /* Terminal ID. */
185 au_asid_t ai_asid; /* Audit session ID. */
187 typedef struct auditinfo_addr auditinfo_addr_t;
190 pid_t ap_pid; /* ID of target process. */
191 au_id_t ap_auid; /* Audit user ID. */
192 au_mask_t ap_mask; /* Audit masks. */
193 au_tid_t ap_termid; /* Terminal ID. */
194 au_asid_t ap_asid; /* Audit session ID. */
196 typedef struct auditpinfo auditpinfo_t;
198 struct auditpinfo_addr {
199 pid_t ap_pid; /* ID of target process. */
200 au_id_t ap_auid; /* Audit user ID. */
201 au_mask_t ap_mask; /* Audit masks. */
202 au_tid_addr_t ap_termid; /* Terminal ID. */
203 au_asid_t ap_asid; /* Audit session ID. */
205 typedef struct auditpinfo_addr auditpinfo_addr_t;
/*
 * Contents of token_t are opaque outside of libbsm.  Callers hold only
 * pointers and must not size, copy, or inspect the struct themselves.
 */
typedef struct au_token token_t;
213 * Kernel audit queue control parameters.
220 int aq_minfree; /* Minimum filesystem percent free space. */
222 typedef struct au_qctrl au_qctrl_t;
225 * Structure for the audit statistics.
228 unsigned int as_version;
229 unsigned int as_numevent;
241 unsigned int as_memused;
243 typedef struct audit_stat au_stat_t;
/*
 * Structure for the audit file statistics.  The struct body is outside
 * this excerpt.
 */
typedef struct audit_fstat au_fstat_t;
255 * Audit to event class mapping.
257 struct au_evclass_map {
258 au_event_t ec_number;
261 typedef struct au_evclass_map au_evclass_map_t;
/*
 * Audit system calls.  User-space prototypes only; the kernel has its own
 * declarations.  By BSD convention each returns 0 on success and -1 with
 * errno set on failure — check the result, since most of these are
 * privileged and fail with EPERM for ordinary callers.
 */
#if !defined(_KERNEL) && !defined(KERNEL)
/* Submit a user-space record (buffer, length in bytes).  Length is a plain
 * int; the kernel is expected to reject negative values and anything above
 * MAX_AUDIT_RECORD_SIZE. */
int audit(const void *, int);
/* Control operation: A_* command, argument buffer, buffer length. */
int auditon(int, void *, int);
/* Direct the kernel to a new trail file given by path. */
int auditctl(const char *);
/* Get / set the audit user ID of the calling process. */
int getauid(au_id_t *);
int setauid(const au_id_t *);
/* Get / set per-process audit state, fixed-size terminal ID form. */
int getaudit(struct auditinfo *);
int setaudit(const struct auditinfo *);
/* Extended-address form; the int is the size of the struct passed
 * (NOTE(review): per the getaudit_addr(2) convention — confirm). */
int getaudit_addr(struct auditinfo_addr *, int);
int setaudit_addr(const struct auditinfo_addr *, int);
#endif /* !defined(_KERNEL) && !defined(KERNEL) */
280 #endif /* !_BSM_AUDIT_H */