2 * Copyright (c) 2004-2009 Apple Inc.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
14 * its contributors may be used to endorse or promote products derived
15 * from this software without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
21 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
26 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
34 * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
35 * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
38 #include <sys/types.h>
39 #include <sys/cdefs.h>
41 #include <inttypes.h> /* Required for audit.h. */
42 #include <time.h> /* Required for clock_t on Linux. */
44 #include <bsm/audit.h>
45 #include <bsm/audit_record.h>
50 #include <mach/mach.h> /* audit_token_t */
54 * Size parsed token vectors for execve(2) arguments and environmental
55 * variables. Note: changing these sizes affects the ABI of the token
56 * structure, and as the token structure is often placed in the caller stack,
57 * this is undesirable.
59 #define AUDIT_MAX_ARGS 128
60 #define AUDIT_MAX_ENV 128
63 * Arguments to au_preselect(3).
65 #define AU_PRS_USECACHE 0
66 #define AU_PRS_REREAD 1
68 #define AU_PRS_SUCCESS 1
69 #define AU_PRS_FAILURE 2
70 #define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
72 #define AUDIT_EVENT_FILE "/etc/security/audit_event"
73 #define AUDIT_CLASS_FILE "/etc/security/audit_class"
74 #define AUDIT_CONTROL_FILE "/etc/security/audit_control"
75 #define AUDIT_USER_FILE "/etc/security/audit_user"
77 #define DIR_CONTROL_ENTRY "dir"
78 #define DIST_CONTROL_ENTRY "dist"
79 #define FILESZ_CONTROL_ENTRY "filesz"
80 #define FLAGS_CONTROL_ENTRY "flags"
81 #define HOST_CONTROL_ENTRY "host"
82 #define MINFREE_CONTROL_ENTRY "minfree"
83 #define NA_CONTROL_ENTRY "naflags"
84 #define POLICY_CONTROL_ENTRY "policy"
85 #define EXPIRE_AFTER_CONTROL_ENTRY "expire-after"
87 #define AU_CLASS_NAME_MAX 8
88 #define AU_CLASS_DESC_MAX 72
89 #define AU_EVENT_NAME_MAX 30
90 #define AU_EVENT_DESC_MAX 50
91 #define AU_USER_NAME_MAX 50
92 #define AU_LINE_MAX 256
93 #define MAX_AUDITSTRING_LEN 256
94 #define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
97 * Arguments to au_close(3).
99 #define AU_TO_NO_WRITE 0 /* Abandon audit record. */
100 #define AU_TO_WRITE 1 /* Commit audit record. */
103 * Output format flags for au_print_flags_tok().
105 #define AU_OFLAG_NONE 0x0000 /* Default form. */
106 #define AU_OFLAG_RAW 0x0001 /* Raw, numeric form. */
107 #define AU_OFLAG_SHORT 0x0002 /* Short form. */
108 #define AU_OFLAG_XML 0x0004 /* XML form. */
109 #define AU_OFLAG_NORESOLVE 0x0008 /* No user/group name resolution. */
112 struct au_event_ent {
113 au_event_t ae_number;
118 typedef struct au_event_ent au_event_ent_t;
120 struct au_class_ent {
125 typedef struct au_class_ent au_class_ent_t;
132 typedef struct au_user_ent au_user_ent_t;
135 #define ADD_TO_MASK(m, c, sel) do { \
136 if (sel & AU_PRS_SUCCESS) \
137 (m)->am_success |= c; \
138 if (sel & AU_PRS_FAILURE) \
139 (m)->am_failure |= c; \
142 #define SUB_FROM_MASK(m, c, sel) do { \
143 if (sel & AU_PRS_SUCCESS) \
144 (m)->am_success &= ((m)->am_success ^ c); \
145 if (sel & AU_PRS_FAILURE) \
146 (m)->am_failure &= ((m)->am_failure ^ c); \
149 #define ADDMASK(m, v) do { \
150 (m)->am_success |= (v)->am_success; \
151 (m)->am_failure |= (v)->am_failure; \
154 #define SUBMASK(m, v) do { \
155 (m)->am_success &= ((m)->am_success ^ (v)->am_success); \
156 (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
161 typedef struct au_tid32 {
166 typedef struct au_tid64 {
171 typedef struct au_tidaddr32 {
177 typedef struct au_tidaddr64 {
185 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
186 * text length 2 bytes
187 * text N bytes + 1 terminating NULL byte
204 * how to print 1 byte
207 * data items (depends on basic unit)
217 * file access mode 4 bytes
218 * owner user ID 4 bytes
219 * owner group ID 4 bytes
220 * file system ID 4 bytes
222 * device 4 bytes/8 bytes (32-bit/64-bit)
244 * text count null-terminated string(s)
248 char *text[AUDIT_MAX_ARGS];
253 * text count null-terminated string(s)
257 char *text[AUDIT_MAX_ENV];
262 * return value 4 bytes
270 * seconds of time 4 bytes
271 * milliseconds of time 4 bytes
272 * file name length 2 bytes
273 * file pathname N bytes + 1 terminating NULL byte
284 * number groups 2 bytes
285 * group list N * 4 bytes
289 u_int32_t list[AUDIT_MAX_GROUPS];
293 * record byte count 4 bytes
294 * version # 1 byte [2]
296 * event modifier 2 bytes
297 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
298 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
310 * record byte count 4 bytes
311 * version # 1 byte [2]
313 * event modifier 2 bytes
314 * address type/length 1 byte (XXX: actually, 4 bytes)
315 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
316 * seconds of time 4 bytes/8 bytes (32/64-bits)
317 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
351 * internet address 4 bytes
359 * internet address 16 bytes
367 * version and ihl 1 byte
368 * type of service 1 byte
375 * source address 4 bytes
376 * destination address 4 bytes
392 * object ID type 1 byte
401 * owner user ID 4 bytes
402 * owner group ID 4 bytes
403 * creator user ID 4 bytes
404 * creator group ID 4 bytes
405 * access mode 4 bytes
406 * slot sequence # 4 bytes
420 * port IP address 2 bytes
436 * path length 2 bytes
437 * path N bytes + 1 terminating NULL byte
446 * effective user ID 4 bytes
447 * effective group ID 4 bytes
448 * real user ID 4 bytes
449 * real group ID 4 bytes
453 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
454 * machine address 4 bytes
480 * effective user ID 4 bytes
481 * effective group ID 4 bytes
482 * real user ID 4 bytes
483 * real group ID 4 bytes
487 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
489 * machine address 16 bytes
514 * error status 1 byte
515 * return value 4 bytes/8 bytes (32-bit/64-bit value)
528 * sequence number 4 bytes
535 * socket type 2 bytes
537 * local Internet address 4 bytes
538 * remote port 2 bytes
539 * remote Internet address 4 bytes
550 * socket type 2 bytes
552 * address type/length 4 bytes
553 * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
554 * remote port 4 bytes
555 * address type/length 4 bytes
556 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
569 * socket family 2 bytes
571 * socket address 4 bytes/16 bytes (IPv4/IPv6 address)
577 } au_socketinet_ex32_t;
586 * socket family 2 bytes
596 * effective user ID 4 bytes
597 * effective group ID 4 bytes
598 * real user ID 4 bytes
599 * real group ID 4 bytes
603 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
604 * machine address 4 bytes
630 * effective user ID 4 bytes
631 * effective group ID 4 bytes
632 * real user ID 4 bytes
633 * real group ID 4 bytes
637 * port ID 4 bytes/8 bytes (32-bit/64-bit value)
639 * machine address 16 bytes
664 * text length 2 bytes
665 * text N bytes + 1 terminating NULL byte
673 * upriv status 1 byte
674 * privstr len 2 bytes
675 * privstr N bytes + 1 (\0 byte)
679 u_int16_t privstrlen;
685 * privtstrlen 2 bytes
686 * privtstr N Bytes + 1
688 * privstr N Bytes + 1
691 u_int16_t privtstrlen;
693 u_int16_t privstrlen;
698 * zonename length 2 bytes
699 * zonename text N bytes + 1 NULL terminator
720 * trailer magic number 2 bytes
721 * record byte count 4 bytes
738 au_execarg_t execarg;
739 au_execenv_t execenv;
744 au_header32_ex_t hdr32_ex;
746 au_header64_ex_t hdr64_ex;
748 au_inaddr_ex_t inaddr_ex;
751 au_ipcperm_t ipcperm;
756 au_proc32ex_t proc32_ex;
758 au_proc64ex_t proc64_ex;
763 au_socket_ex32_t socket_ex32;
764 au_socketinet_ex32_t sockinet_ex32;
765 au_socketunix_t sockunix;
766 au_subject32_t subj32;
767 au_subject32ex_t subj32_ex;
768 au_subject64_t subj64;
769 au_subject64ex_t subj64_ex;
772 au_invalid_t invalid;
774 au_zonename_t zonename;
776 au_privset_t privset;
777 } tt; /* The token is one of the above types */
780 typedef struct tokenstr tokenstr_t;
782 int audit_submit(short au_event, au_id_t auid,
783 char status, int reterr, const char *fmt, ...);
786 * Functions relating to querying audit class information.
788 void setauclass(void);
789 void endauclass(void);
790 struct au_class_ent *getauclassent(void);
791 struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
792 struct au_class_ent *getauclassnam(const char *name);
793 struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
795 struct au_class_ent *getauclassnum(au_class_t class_number);
796 struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
797 au_class_t class_number);
800 * Functions relating to querying audit control information.
804 int getacdir(char *name, int len);
806 int getacexpire(int *andflg, time_t *age, size_t *size);
807 int getacfilesz(size_t *size_val);
808 int getacflg(char *auditstr, int len);
809 int getachost(char *auditstr, size_t len);
810 int getacmin(int *min_val);
811 int getacna(char *auditstr, int len);
812 int getacpol(char *auditstr, size_t len);
813 int getauditflagsbin(char *auditstr, au_mask_t *masks);
814 int getauditflagschar(char *auditstr, au_mask_t *masks,
816 int au_preselect(au_event_t event, au_mask_t *mask_p,
818 ssize_t au_poltostr(int policy, size_t maxsize, char *buf);
819 int au_strtopol(const char *polstr, int *policy);
822 * Functions relating to querying audit event information.
824 void setauevent(void);
825 void endauevent(void);
826 struct au_event_ent *getauevent(void);
827 struct au_event_ent *getauevent_r(struct au_event_ent *e);
828 struct au_event_ent *getauevnam(const char *name);
829 struct au_event_ent *getauevnam_r(struct au_event_ent *e,
831 struct au_event_ent *getauevnum(au_event_t event_number);
832 struct au_event_ent *getauevnum_r(struct au_event_ent *e,
833 au_event_t event_number);
834 au_event_t *getauevnonam(const char *event_name);
835 au_event_t *getauevnonam_r(au_event_t *ev,
836 const char *event_name);
839 * Functions relating to querying audit user information.
841 void setauuser(void);
842 void endauuser(void);
843 struct au_user_ent *getauuserent(void);
844 struct au_user_ent *getauuserent_r(struct au_user_ent *u);
845 struct au_user_ent *getauusernam(const char *name);
846 struct au_user_ent *getauusernam_r(struct au_user_ent *u,
848 int au_user_mask(char *username, au_mask_t *mask_p);
849 int getfauditflags(au_mask_t *usremask,
850 au_mask_t *usrdmask, au_mask_t *lastmask);
853 * Functions for reading and printing records and tokens from audit trails.
855 int au_read_rec(FILE *fp, u_char **buf);
856 int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
857 //XXX The following interface has different prototype from BSM
858 void au_print_tok(FILE *outfp, tokenstr_t *tok,
859 char *del, char raw, char sfrm);
860 void au_print_flags_tok(FILE *outfp, tokenstr_t *tok,
861 char *del, int oflags);
862 void au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
863 char *del, char raw, char sfrm);
866 * Functions relating to XML output.
868 void au_print_xml_header(FILE *outfp);
869 void au_print_xml_footer(FILE *outfp);
872 * BSM library routines for converting between local and BSM constant spaces.
873 * (Note: some of these are replicated in audit_record.h for the benefit of
874 * the FreeBSD and Mac OS X kernels)
876 int au_bsm_to_domain(u_short bsm_domain, int *local_domainp);
877 int au_bsm_to_errno(u_char bsm_error, int *errorp);
878 int au_bsm_to_fcntl_cmd(u_short bsm_fcntl_cmd, int *local_fcntl_cmdp);
879 int au_bsm_to_socket_type(u_short bsm_socket_type,
880 int *local_socket_typep);
881 u_short au_domain_to_bsm(int local_domain);
882 u_char au_errno_to_bsm(int local_errno);
883 u_short au_fcntl_cmd_to_bsm(int local_fcntl_command);
884 u_short au_socket_type_to_bsm(int local_socket_type);
886 const char *au_strerror(u_char bsm_error);
890 * The remaining APIs are associated with Apple's BSM implementation, in
891 * particular as relates to Mach IPC auditing and triggers passed via Mach
895 #include <sys/appleapiopts.h>
897 /**************************************************************************
898 **************************************************************************
899 ** The following definitions, functions, etc., are NOT officially
900 ** supported: they may be changed or removed in the future. Do not use
901 ** them unless you are prepared to cope with that eventuality.
902 **************************************************************************
903 **************************************************************************/
905 #ifdef __APPLE_API_PRIVATE
906 #define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
907 #endif /* __APPLE_API_PRIVATE */
910 * au_get_state() return values
911 * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
912 * AUDIT_ON are deprecated and WILL be removed.
914 #ifdef __APPLE_API_PRIVATE
915 #define AUDIT_OFF AUC_NOAUDIT
916 #define AUDIT_ON AUC_AUDITING
917 #endif /* __APPLE_API_PRIVATE */
918 #endif /* !__APPLE__ */
921 * Error return codes for audit_set_terminal_id(), audit_write() and its
922 * brethren. We have 255 (not including kAUNoErr) to play with.
924 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
928 kAUBadParamErr = -66049,
932 kAUMakeSubjectTokErr,
933 kAUWriteSubjectTokErr,
934 kAUWriteCallerTokErr,
936 kAUWriteReturnTokErr,
944 * Error return codes for au_get_state() and/or its private support
945 * functions. These codes are designed to be compatible with the
946 * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
947 * Any changes to notify(3) may cause these values to change in future.
949 * AU_UNIMPL should never happen unless you've changed your system software
950 * without rebooting. Shame on you.
952 #ifdef __APPLE_API_PRIVATE
953 #define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
954 #endif /* __APPLE_API_PRIVATE */
955 #endif /* !__APPLE__ */
959 * XXX This prototype should be in audit_record.h
963 * @summary - au_free_token() deallocates a token_t created by any of
964 * the au_to_*() BSM API functions.
966 * The BSM API generally manages deallocation of token_t objects. However,
967 * if au_write() is passed a bad audit descriptor, the token_t * parameter
968 * will be left untouched. In that case, the caller can deallocate the
969 * token_t using au_free_token() if desired. This is, in fact, what
970 * audit_write() does, in keeping with the existing memory management model
973 * @param tok - A token_t * generated by one of the au_to_*() BSM API
974 * calls. For convenience, tok may be NULL, in which case
975 * au_free_token() returns immediately.
977 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
979 void au_free_token(token_t *tok);
982 * Lightweight check to determine if auditing is enabled. If a client
983 * wants to use this to govern whether an entire series of audit calls
984 * should be made--as in the common case of a caller building a set of
985 * tokens, then writing them--it should cache the audit status in a local
986 * variable. This call always returns the current state of auditing.
988 * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
989 * Otherwise the function can return any of the errno values defined for
990 * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
993 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
995 int au_get_state(void);
998 * Initialize the audit notification. If it has not already been initialized
999 * it will automatically on the first call of au_get_state().
1001 uint32_t au_notify_initialize(void);
1004 * Cancel audit notification and free the resources associated with it.
1005 * Responsible code that no longer needs to use au_get_state() should call
1008 int au_notify_terminate(void);
1011 /* OpenSSH compatibility */
1012 int cannot_audit(int);
1016 * audit_set_terminal_id()
1018 * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
1019 * used in audit session initialization by processes like /usr/bin/login.
1021 * @param tid - A pointer to an au_tid_t struct.
1023 * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
1024 * or kAUSysctlErr if one of the underlying system calls fails (a message
1025 * is sent to the system log in those cases).
1027 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1029 int audit_set_terminal_id(au_tid_t *tid);
1032 * BEGIN au_write() WRAPPERS
1034 * The following calls all wrap the existing BSM API. They use the
1035 * provided subject information, if any, to construct the subject token
1036 * required for every log message. They use the provided return/error
1037 * value(s), if any, to construct the success/failure indication required
1038 * for every log message. They only permit one "miscellaneous" token,
1039 * which should contain the event-specific logging information mandated by
1042 * All these calls assume the caller has previously determined that
1043 * auditing is enabled by calling au_get_state().
1049 * @summary - audit_write() is the basis for the other audit_write_*()
1050 * calls. Performs a basic write of an audit record (subject, additional
1051 * info, success/failure). Note that this call only permits logging one
1052 * caller-specified token; clients needing to log more flexibly must use
1053 * the existing BSM API (au_open(), et al.) directly.
1055 * Note on memory management: audit_write() guarantees that the token_t *s
1056 * passed to it will be deallocated whether or not the underlying write to
1057 * the audit log succeeded. This addresses an inconsistency in the
1058 * underlying BSM API in which token_t *s are usually but not always
1061 * @param event_code - The code for the event being logged. This should
1062 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1064 * @param subject - A token_t * generated by au_to_subject(),
1065 * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
1066 * required, subject should be NULL.
1068 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1069 * calls. This should correspond to the additional information required by
1070 * CAPP for the event being audited. If no additional information is
1071 * required, misctok should be NULL.
1073 * @param retval - The return value to be logged for this event. This
1074 * should be 0 (zero) for success, otherwise the value is event-specific.
1076 * @param errcode - Any error code associated with the return value (e.g.,
1077 * errno or h_errno). If there was no error, errcode should be 0 (zero).
1079 * @return - The status of the call: 0 (zero) on success, else one of the
1080 * kAU*Err values defined above.
1082 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1084 int audit_write(short event_code, token_t *subject, token_t *misctok,
1085 char retval, int errcode);
1088 * audit_write_success()
1090 * @summary - audit_write_success() records an auditable event that did not
1091 * encounter an error. The interface is designed to require as little
1092 * direct use of the au_to_*() API as possible. It builds a subject token
1093 * from the information passed in and uses that to invoke audit_write().
1094 * A subject, as defined by CAPP, is a process acting on the user's behalf.
1096 * If the subject information is the same as the current process, use
1097 * au_write_success_self().
1099 * @param event_code - The code for the event being logged. This should
1100 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1102 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1103 * calls. This should correspond to the additional information required by
1104 * CAPP for the event being audited. If no additional information is
1105 * required, misctok should be NULL.
1107 * @param auid - The subject's audit ID.
1109 * @param euid - The subject's effective user ID.
1111 * @param egid - The subject's effective group ID.
1113 * @param ruid - The subject's real user ID.
1115 * @param rgid - The subject's real group ID.
1117 * @param pid - The subject's process ID.
1119 * @param sid - The subject's session ID.
1121 * @param tid - The subject's terminal ID.
1123 * @return - The status of the call: 0 (zero) on success, else one of the
1124 * kAU*Err values defined above.
1126 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1128 int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
1129 uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
1130 au_asid_t sid, au_tid_t *tid);
1133 * audit_write_success_self()
1135 * @summary - Similar to audit_write_success(), but used when the subject
1136 * (process) is owned and operated by the auditable user him/herself.
1138 * @param event_code - The code for the event being logged. This should
1139 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1141 * @param misctok - A token_t * generated by one of the au_to_*() BSM API
1142 * calls. This should correspond to the additional information required by
1143 * CAPP for the event being audited. If no additional information is
1144 * required, misctok should be NULL.
1146 * @return - The status of the call: 0 (zero) on success, else one of the
1147 * kAU*Err values defined above.
1149 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1151 int audit_write_success_self(short event_code, token_t *misctok);
1154 * audit_write_failure()
1156 * @summary - audit_write_failure() records an auditable event that
1157 * encountered an error. The interface is designed to require as little
1158 * direct use of the au_to_*() API as possible. It builds a subject token
1159 * from the information passed in and uses that to invoke audit_write().
1160 * A subject, as defined by CAPP, is a process acting on the user's behalf.
1162 * If the subject information is the same as the current process, use
1163 * au_write_failure_self().
1165 * @param event_code - The code for the event being logged. This should
1166 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1168 * @param errmsg - A text message providing additional information about
1169 * the event being audited.
1171 * @param errret - A numerical value providing additional information about
1172 * the error. This is intended to store the value of errno or h_errno if
1173 * it's relevant. This can be 0 (zero) if no additional information is
1176 * @param auid - The subject's audit ID.
1178 * @param euid - The subject's effective user ID.
1180 * @param egid - The subject's effective group ID.
1182 * @param ruid - The subject's real user ID.
1184 * @param rgid - The subject's real group ID.
1186 * @param pid - The subject's process ID.
1188 * @param sid - The subject's session ID.
1190 * @param tid - The subject's terminal ID.
1192 * @return - The status of the call: 0 (zero) on success, else one of the
1193 * kAU*Err values defined above.
1195 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1197 int audit_write_failure(short event_code, char *errmsg, int errret,
1198 au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
1199 pid_t pid, au_asid_t sid, au_tid_t *tid);
1202 * audit_write_failure_self()
1204 * @summary - Similar to audit_write_failure(), but used when the subject
1205 * (process) is owned and operated by the auditable user him/herself.
1207 * @param event_code - The code for the event being logged. This should
1208 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1210 * @param errmsg - A text message providing additional information about
1211 * the event being audited.
1213 * @param errret - A numerical value providing additional information about
1214 * the error. This is intended to store the value of errno or h_errno if
1215 * it's relevant. This can be 0 (zero) if no additional information is
1218 * @return - The status of the call: 0 (zero) on success, else one of the
1219 * kAU*Err values defined above.
1221 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1223 int audit_write_failure_self(short event_code, char *errmsg, int errret);
1226 * audit_write_failure_na()
1228 * @summary - audit_write_failure_na() records errors during login. Such
1229 * errors are implicitly non-attributable (i.e., not ascribable to any user).
1231 * @param event_code - The code for the event being logged. This should
1232 * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
1234 * @param errmsg - A text message providing additional information about
1235 * the event being audited.
1237 * @param errret - A numerical value providing additional information about
1238 * the error. This is intended to store the value of errno or h_errno if
1239 * it's relevant. This can be 0 (zero) if no additional information is
1242 * @param euid - The subject's effective user ID.
1244 * @param egid - The subject's effective group ID.
1246 * @param pid - The subject's process ID.
1248 * @param tid - The subject's terminal ID.
1250 * @return - The status of the call: 0 (zero) on success, else one of the
1251 * kAU*Err values defined above.
1253 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1255 int audit_write_failure_na(short event_code, char *errmsg, int errret,
1256 uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
1258 /* END au_write() WRAPPERS */
1262 * audit_token_to_au32()
1264 * @summary - Extract information from an audit_token_t, used to identify
1265 * Mach tasks and senders of Mach messages as subjects to the audit system.
1266 * audit_tokent_to_au32() is the only method that should be used to parse
1267 * an audit_token_t, since its internal representation may change over
1268 * time. A pointer parameter may be NULL if that information is not
1271 * @param atoken - the audit token containing the desired information
1273 * @param auidp - Pointer to a uid_t; on return will be set to the task or
1274 * sender's audit user ID
1276 * @param euidp - Pointer to a uid_t; on return will be set to the task or
1277 * sender's effective user ID
1279 * @param egidp - Pointer to a gid_t; on return will be set to the task or
1280 * sender's effective group ID
1282 * @param ruidp - Pointer to a uid_t; on return will be set to the task or
1283 * sender's real user ID
1285 * @param rgidp - Pointer to a gid_t; on return will be set to the task or
1286 * sender's real group ID
1288 * @param pidp - Pointer to a pid_t; on return will be set to the task or
1289 * sender's process ID
1291 * @param asidp - Pointer to an au_asid_t; on return will be set to the
1292 * task or sender's audit session ID
1294 * @param tidp - Pointer to an au_tid_t; on return will be set to the task
1295 * or sender's terminal ID
1297 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
1299 void audit_token_to_au32(
1300 audit_token_t atoken,
1309 #endif /* !__APPLE__ */
1312 * Wrapper functions to auditon(2).
1314 int audit_get_car(char *path, size_t sz);
1315 int audit_get_class(au_evclass_map_t *evc_map, size_t sz);
1316 int audit_set_class(au_evclass_map_t *evc_map, size_t sz);
1317 int audit_get_cond(int *cond);
1318 int audit_set_cond(int *cond);
1319 int audit_get_cwd(char *path, size_t sz);
1320 int audit_get_fsize(au_fstat_t *fstat, size_t sz);
1321 int audit_set_fsize(au_fstat_t *fstat, size_t sz);
1322 int audit_get_kmask(au_mask_t *kmask, size_t sz);
1323 int audit_set_kmask(au_mask_t *kmask, size_t sz);
1324 int audit_get_kaudit(auditinfo_addr_t *aia, size_t sz);
1325 int audit_set_kaudit(auditinfo_addr_t *aia, size_t sz);
1326 int audit_set_pmask(auditpinfo_t *api, size_t sz);
1327 int audit_get_pinfo(auditpinfo_t *api, size_t sz);
1328 int audit_get_pinfo_addr(auditpinfo_addr_t *apia, size_t sz);
1329 int audit_get_policy(int *policy);
1330 int audit_set_policy(int *policy);
1331 int audit_get_qctrl(au_qctrl_t *qctrl, size_t sz);
1332 int audit_set_qctrl(au_qctrl_t *qctrl, size_t sz);
1333 int audit_get_sinfo_addr(auditinfo_addr_t *aia, size_t sz);
1334 int audit_get_stat(au_stat_t *stats, size_t sz);
1335 int audit_set_stat(au_stat_t *stats, size_t sz);
1336 int audit_send_trigger(int *trigger);
1340 #endif /* !_LIBBSM_H_ */