2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright (c) 2005 Apple Computer, Inc.
7 * @APPLE_BSD_LICENSE_HEADER_START@
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
19 * its contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
23 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
24 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
25 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
26 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
27 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
29 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 * @APPLE_BSD_LICENSE_HEADER_END@
36 #include <sys/cdefs.h>
37 __FBSDID("$FreeBSD$");
39 #include <sys/types.h>
41 #include <bsm/libbsm.h>
42 #include <bsm/audit_uevents.h>
59 * The following tokens are included in the audit record for a successful
60 * login: header, subject, return.
63 au_login_success(void)
69 uid_t uid = pwd->pw_uid;
70 gid_t gid = pwd->pw_gid;
74 /* If we are not auditing, don't cut an audit record; just return. */
75 if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
78 errx(1, "could not determine audit condition");
80 if (au_cond == AUC_NOAUDIT)
83 /* Compute and set the user's preselection mask. */
84 if (au_user_mask(pwd->pw_name, &aumask) == -1)
85 errx(1, "could not calculate audit mask");
87 /* Set the audit info for the user. */
90 bcopy(&tid, &auinfo.ai_termid, sizeof(auinfo.ai_termid));
91 bcopy(&aumask, &auinfo.ai_mask, sizeof(auinfo.ai_mask));
92 if (setaudit(&auinfo) != 0)
93 err(1, "setaudit failed");
95 if ((aufd = au_open()) == -1)
96 errx(1, "audit error: au_open() failed");
98 if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
100 errx(1, "audit error: au_to_subject32() failed");
103 if ((tok = au_to_return32(0, 0)) == NULL)
104 errx(1, "audit error: au_to_return32() failed");
107 if (au_close(aufd, 1, AUE_login) == -1)
108 errx(1, "audit record was not committed.");
112 * The following tokens are included in the audit record for failed
113 * login attempts: header, subject, text, return.
116 au_login_fail(const char *errmsg, int na)
123 pid_t pid = getpid();
125 /* If we are not auditing, don't cut an audit record; just return. */
126 if (auditon(A_GETCOND, &au_cond, sizeof(au_cond)) < 0) {
129 errx(1, "could not determine audit condition");
131 if (au_cond == AUC_NOAUDIT)
134 if ((aufd = au_open()) == -1)
135 errx(1, "audit error: au_open() failed");
139 * Non attributable event. Assuming that login is not called
140 * within a user's session => auid,asid == -1.
142 if ((tok = au_to_subject32(-1, geteuid(), getegid(), -1, -1,
143 pid, -1, &tid)) == NULL)
144 errx(1, "audit error: au_to_subject32() failed");
146 /* We know the subject -- so use its value instead. */
149 if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid,
150 gid, pid, pid, &tid)) == NULL)
151 errx(1, "audit error: au_to_subject32() failed");
155 /* Include the error message. */
156 if ((tok = au_to_text(errmsg)) == NULL)
157 errx(1, "audit error: au_to_text() failed");
160 if ((tok = au_to_return32(1, errno)) == NULL)
161 errx(1, "audit error: au_to_return32() failed");
164 if (au_close(aufd, 1, AUE_login) == -1)
165 errx(1, "audit error: au_close() was not committed");
169 * The following tokens are included in the audit record for a logout:
170 * header, subject, return.
177 uid_t uid = pwd->pw_uid;
178 gid_t gid = pwd->pw_gid;
179 pid_t pid = getpid();
182 /* If we are not auditing, don't cut an audit record; just return. */
183 if (auditon(A_GETCOND, &au_cond, sizeof(int)) < 0) {
186 errx(1, "could not determine audit condition");
188 if (au_cond == AUC_NOAUDIT)
191 if ((aufd = au_open()) == -1)
192 errx(1, "audit error: au_open() failed");
194 /* The subject that is created (euid, egid of the current process). */
195 if ((tok = au_to_subject32(uid, geteuid(), getegid(), uid, gid, pid,
197 errx(1, "audit error: au_to_subject32() failed");
200 if ((tok = au_to_return32(0, 0)) == NULL)
201 errx(1, "audit error: au_to_return32() failed");
204 if (au_close(aufd, 1, AUE_logout) == -1)
205 errx(1, "audit record was not committed.");