]> git.saurik.com Git - apple/xnu.git/blame_incremental - bsd/man/man2/setaudit_addr.2
xnu-3248.20.55.tar.gz
[apple/xnu.git] / bsd / man / man2 / setaudit_addr.2
... / ...
CommitLineData
1.\"
2.\" Copyright (c) 2008-2011 Apple Inc. All rights reserved.
3.\"
4.\" @APPLE_LICENSE_HEADER_START@
5.\"
6.\" This file contains Original Code and/or Modifications of Original Code
7.\" as defined in and that are subject to the Apple Public Source License
8.\" Version 2.0 (the 'License'). You may not use this file except in
9.\" compliance with the License. Please obtain a copy of the License at
10.\" http://www.opensource.apple.com/apsl/ and read it before using this
11.\" file.
12.\"
13.\" The Original Code and all software distributed under the License are
14.\" distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15.\" EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16.\" INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17.\" FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18.\" Please see the License for the specific language governing rights and
19.\" limitations under the License.
20.\"
21.\" @APPLE_LICENSE_HEADER_END@
22.\"
23.Dd March 4, 2011
24.Dt SETAUDIT_ADDR 2
25.Os
26.Sh NAME
27.Nm setaudit_addr ,
28.Nm setaudit(NOW DEPRECATED)
29.Nd "set audit session state"
30.Sh SYNOPSIS
31.In bsm/audit.h
32.In bsm/audit_session.h
33.Ft int
34.Fn setaudit_addr "auditinfo_addr_t *auditinfo_addr" "u_int length"
35.Sh SYNOPSIS (NOW DEPRECATED)
36.In bsm/audit.h
37.Ft int
38.Fn setaudit "auditinfo_t *auditinfo"
39.Sh DESCRIPTION
40The
41.Fn setaudit_addr
42system call
43uses the
44.Fa auditinfo_addr_t
45data structure for the
46.Fa auditinfo_addr
47argument which supports Terminal IDs with large addresses
48such as those used in IP version 6. It is defined as follows:
49.nf
50.in +4n
51struct auditinfo_addr {
52 au_id_t ai_auid; /* Audit user ID. */
53 au_mask_t ai_mask; /* Audit masks. */
54 au_tid_addr_t ai_termid; /* Terminal ID. */
55 au_asid_t ai_asid; /* Audit session ID. */
56 u_int64_t ai_flags; /* Audit session flags */
57};
58typedef struct auditinfo_addr auditinfo_addr_t;
59.in
60.fi
61.Pp
62The
63.Fa ai_auid
64variable contains the audit identifier which is recorded in the audit log for
65each event the process caused. The value of AU_DEFAUDITID (-1) should not be
66used. The exception is if the value of audit identifier is known at the start
67of the session but will be determined and set later. Until
68.Fa ai_auid
69is set to something other than AU_DEFAUDITID any audit events
70generated by the system with be filtered by the non-attributed audit
71mask.
72.Pp
73The
74.Fa au_mask_t
75data structure defines the bit mask for auditing successful and failed events
76out of the predefined list of event classes. It is defined as follows:
77.nf
78.in +4n
79struct au_mask {
80 unsigned int am_success; /* success bits */
81 unsigned int am_failure; /* failure bits */
82};
83typedef struct au_mask au_mask_t;
84.in
85.fi
86.Pp
87The
88.Fa au_tid_addr_t
89data structure includes a larger address storage field and an additional
90field with the type of address stored:
91.nf
92.in +4n
93struct au_tid_addr {
94 dev_t at_port;
95 u_int32_t at_type;
96 u_int32_t at_addr[4];
97};
98typedef struct au_tid_addr au_tid_addr_t;
99.in
100.fi
101.Pp
102The
103.Fa ai_asid
104variable contains the audit session ID which is recorded with every event
105caused by the process. It can be any value in the range 1 to PID_MAX (99999).
106If the value of AU_ASSIGN_ASID is used for
107.Fa ai_asid
108a unique session ID will be generated by the kernel.
109The audit session ID will be returned in the
110.Fa ai_asid
111field on success.
112.Pp
113The
114.Fa ai_flags
115field is opaque to the kernel and can be used to store flags associated
116with the audit session. Please see the
117.Ao Pa bsm/audit_session.h Ac
118header file
119for more infomration and flag definitions for this platform.
120.Pp
121The
122.Fa setaudit_addr
123system call require an appropriate privilege to complete.
124.Pp
125This system call should only be called once at the start of a new
126session and not again during the same session to update the session
127information.
128There are some exceptions, however.
129The
130.Fa ai_auid
131field may be updated later if initially set to the value of
132AU_DEFAUDITID (-1).
133Likewise, the
134.Fa ai_termid
135fields may be updated later if the
136.Fa at_type
137field in
138.Fa au_tid_addr
139is set to AU_IPv4 and the other
140.Fa ai_tid_addr
141fields are all set to zero.
142Creating a new session is done by setting the
143.Fa ai_asid
144field to an unique session value or AU_ASSIGN_ASID.
145These system calls will fail when attempting to change the
146.Fa ai_auid
147or
148.Fa ai_termid
149fields once set to something other than the default values.
150The
151.Fa ai_flags
152field may be updated only according to local access control
153policy but this is usually accomplished with
154.Xr auditon 2
155using the A_SETSFLAGS command.
156The audit preselection masks may be changed at any time
157but are usually updated with
158.Xr auditon 2
159.Pp
160The
161.Fn setaudit
162system call (NOW DEPRECATED)
163sets the active audit session state for the current process via the
164.Vt auditinfo_t
165pointed to by
166.Fa auditinfo .
167The
168.Fn setaudit_addr
169system call
170sets extended state via
171.Fa auditinfo_addr
172and
173.Fa length .
174.Pp
175The
176.Fa auditinfo_t
177data structure (NOW DEPRECATED) is defined as follows:
178.nf
179.in +4n
180struct auditinfo {
181 au_id_t ai_auid; /* Audit user ID */
182 au_mask_t ai_mask; /* Audit masks */
183 au_tid_t ai_termid; /* Terminal ID */
184 au_asid_t ai_asid; /* Audit session ID */
185};
186typedef struct auditinfo auditinfo_t;
187.in
188.fi
189.Pp
190The
191.Fa au_termid_t
192data structure (NOW DEPRECATED) defines the Terminal ID recorded with every
193event caused by the process. It is defined as follows:
194.nf
195.in +4n
196struct au_tid {
197 dev_t port;
198 u_int32_t machine;
199};
200typedef struct au_tid au_tid_t;
201.in
202.fi
203.Sh RETURN VALUES
204.Rv -std setaudit_addr
205.Sh ERRORS
206.Bl -tag -width Er
207.It Bq Er EFAULT
208A failure occurred while data transferred to or from
209the kernel failed.
210.It Bq Er EINVAL
211Illegal argument was passed by a system call.
212.It Bq Er EPERM
213The process does not have sufficient permission to complete
214the operation.
215.El
216.Sh SEE ALSO
217.Xr audit 2 ,
218.Xr auditon 2 ,
219.Xr getaudit 2 ,
220.Xr getauid 2 ,
221.Xr setauid 2 ,
222.Xr libbsm 3
223.Sh HISTORY
224The OpenBSM implementation was created by McAfee Research, the security
225division of McAfee Inc., under contract to Apple Computer Inc.\& in 2004.
226It was subsequently adopted by the TrustedBSD Project as the foundation for
227the OpenBSM distribution.
228.Pp
229.Fn setaudit_addr
230replaced
231.Fn setaudit
232in Mac OS X 10.7 to support longer terminal addresses such as those used
233by IP version 6.
234.Fn setaudit
235is now deprecated and
236.Fn setaudit_addr
237should be used instead.
238.Sh AUTHORS
239.An -nosplit
240This software was created by McAfee Research, the security research division
241of McAfee, Inc., under contract to Apple Computer Inc.
242Additional authors include
243.An Wayne Salamon ,
244.An Robert Watson ,
245and SPARTA Inc.
246.Pp
247The Basic Security Module (BSM) interface to audit records and audit event
248stream format were defined by Sun Microsystems.
249.Pp
250This manual page was written by
251.An Robert Watson Aq rwatson@FreeBSD.org
252and
253.An Stacey Son Aq sson@FreeBSD.org .