bsd/sys/audit.h

   1 /*
   2  * Copyright (c) 2003 Apple Computer, Inc. All rights reserved.
   3  *
   4  * @APPLE_LICENSE_HEADER_START@
   5  *
   6  * The contents of this file constitute Original Code as defined in and
   7  * are subject to the Apple Public Source License Version 1.1 (the
   8  * "License").  You may not use this file except in compliance with the
   9  * License.  Please obtain a copy of the License at
  10  * http://www.apple.com/publicsource and read it before using this file.
  11  *
  12  * This Original Code and all software distributed under the License are
  13  * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  14  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  15  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  16  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
  17  * License for the specific language governing rights and limitations
  18  * under the License.
  19  *
  20  * @APPLE_LICENSE_HEADER_END@
  21  */
  22
  23 #ifndef _SYS_AUDIT_H
  24 #define _SYS_AUDIT_H
  25
  26 #include <sys/queue.h>
  27 #include <sys/ucred.h>
  28 #include <sys/param.h>
  29 #include <sys/ipc.h>
  30 #include <sys/socket.h>
  31
  32 #define AUDIT_RECORD_MAGIC      0x828a0f1b
  33 #define MAX_AUDIT_RECORDS       20
  34 #define MAX_AUDIT_RECORD_SIZE   4096
  35
  36 /*
  37  * Define the masks for the classes of audit events.
  38  */
  39 #define AU_NULL         0x00000000
  40 #define AU_FREAD        0x00000001
  41 #define AU_FWRITE       0x00000002
  42 #define AU_FACCESS      0x00000004
  43 #define AU_FMODIFY      0x00000008
  44 #define AU_FCREATE      0x00000010
  45 #define AU_FDELETE      0x00000020
  46 #define AU_CLOSE        0x00000040
  47 #define AU_PROCESS      0x00000080
  48 #define AU_NET          0x00000100
  49 #define AU_IPC          0x00000200
  50 #define AU_NONAT        0x00000400
  51 #define AU_ADMIN        0x00000800
  52 #define AU_LOGIN        0x00001000
  53 #define AU_TFM          0x00002000
  54 #define AU_APPL         0x00004000
  55 #define AU_SETL         0x00008000
  56 #define AU_IFLOAT       0x00010000
  57 #define AU_PRIV         0x00020000
  58 #define AU_MAC_RW       0x00040000
  59 #define AU_XCONN        0x00080000
  60 #define AU_XCREATE      0x00100000
  61 #define AU_XDELETE      0x00200000
  62 #define AU_XIFLOAT      0x00400000
  63 #define AU_XPRIVS       0x00800000
  64 #define AU_XPRIVF       0x01000000
  65 #define AU_XMOVE        0x02000000
  66 #define AU_XDACF        0x04000000
  67 #define AU_XMACF        0x08000000
  68 #define AU_XSECATTR     0x10000000
  69 #define AU_IOCTL        0x20000000
  70 #define AU_EXEC         0x40000000
  71 #define AU_OTHER        0x80000000
  72 #define AU_ALL          0xffffffff
  73
  74 /*
  75  * IPC types
  76  */
  77 #define AT_IPC_MSG      ((u_char)1) /* message IPC id */
  78 #define AT_IPC_SEM      ((u_char)2) /* semaphore IPC id */
  79 #define AT_IPC_SHM      ((u_char)3) /* shared mem IPC id */
  80
  81 /*
  82  * Audit conditions.
  83  */
  84 #define AUC_UNSET               0
  85 #define AUC_AUDITING            1
  86 #define AUC_NOAUDIT             2
  87 #define AUC_DISABLED            -1
  88
  89 /*
  90  * auditon(2) commands.
  91  */
  92 #define A_GETPOLICY     2
  93 #define A_SETPOLICY     3
  94 #define A_GETKMASK      4
  95 #define A_SETKMASK      5
  96 #define A_GETQCTRL      6
  97 #define A_SETQCTRL      7
  98 #define A_GETCWD        8
  99 #define A_GETCAR        9
 100 #define A_GETSTAT       12
 101 #define A_SETSTAT       13
 102 #define A_SETUMASK      14
 103 #define A_SETSMASK      15
 104 #define A_GETCOND       20
 105 #define A_SETCOND       21
 106 #define A_GETCLASS      22
 107 #define A_SETCLASS      23
 108 #define A_GETPINFO      24
 109 #define A_SETPMASK      25
 110 #define A_SETFSIZE      26
 111 #define A_GETFSIZE      27
 112 #define A_GETPINFO_ADDR 28
 113 #define A_GETKAUDIT     29
 114 #define A_SETKAUDIT     30
 115
 116 /*
 117  * Audit policy controls.
 118  */
 119 #define AUDIT_CNT       0x0001
 120 #define AUDIT_AHLT      0x0002
 121 #define AUDIT_ARGV      0x0004
 122 #define AUDIT_ARGE      0x0008
 123 #define AUDIT_PASSWD    0x0010
 124 #define AUDIT_SEQ       0x0020
 125 #define AUDIT_WINDATA   0x0040
 126 #define AUDIT_USER      0x0080
 127 #define AUDIT_GROUP     0x0100
 128 #define AUDIT_TRAIL     0x0200
 129 #define AUDIT_PATH      0x0400
 130
 131 typedef uid_t au_id_t;
 132 typedef pid_t au_asid_t;
 133 typedef u_int16_t au_event_t;
 134 typedef u_int16_t au_emod_t;
 135 typedef u_int32_t au_class_t;
 136
 137 struct au_tid {
 138         dev_t port;
 139         u_int32_t machine;
 140 };
 141 typedef struct au_tid au_tid_t;
 142
 143 struct au_tid_addr {
 144         dev_t  at_port;
 145         u_int32_t at_type;
 146         u_int32_t at_addr[4];
 147 };
 148 typedef struct au_tid_addr au_tid_addr_t;
 149
 150 struct au_mask {
 151         unsigned int    am_success;     /* success bits */
 152         unsigned int    am_failure;     /* failure bits */
 153 };
 154 typedef struct au_mask au_mask_t;
 155
 156 struct auditinfo {
 157         au_id_t                 ai_auid;        /* Audit user ID */
 158         au_mask_t               ai_mask;        /* Audit masks */
 159         au_tid_t                ai_termid;      /* Terminal ID */
 160         au_asid_t               ai_asid;        /* Audit session ID */
 161 };
 162 typedef struct auditinfo auditinfo_t;
 163
 164 struct auditinfo_addr {
 165         au_id_t                 ai_auid;        /* Audit user ID */
 166         au_mask_t               ai_mask;        /* Audit masks */
 167         au_tid_addr_t           ai_termid;      /* Terminal ID */
 168         au_asid_t               ai_asid;        /* Audit session ID */
 169 };
 170 typedef struct auditinfo_addr auditinfo_addr_t;
 171
 172 /* Token and record structures */
 173
 174 struct au_token {
 175         u_char *t_data;
 176         size_t len;
 177         TAILQ_ENTRY(au_token) tokens;
 178 };
 179 typedef struct au_token token_t;
 180
 181 struct au_record {
 182         char used; /* Is this record currently being used */
 183         int desc; /* The descriptor associated with this record */
 184         TAILQ_HEAD(, au_token) token_q; /* queue of BSM tokens */
 185         u_char *data;
 186         size_t len;
 187         LIST_ENTRY(au_record) au_rec_q;
 188 };
 189 typedef struct au_record au_record_t;
 190
 191 #ifndef KERNEL
 192 #include <sys/cdefs.h>
 193
 194 __BEGIN_DECLS
 195 int audit (const void *, int);
 196 int auditon (int, void *, int);
 197 int auditsvc (int, int);
 198 int auditctl (const char *);
 199 int getauid (au_id_t *);
 200 int setauid (const au_id_t *);
 201 int getaudit (struct auditinfo *);
 202 int setaudit (const struct auditinfo *);
 203 int getaudit_addr (struct auditinfo_addr *, int);
 204 int setaudit_addr (const struct auditinfo_addr *, int);
 205 __END_DECLS
 206 #endif /* !KERNEL */
 207
 208 #endif /* !_SYS_AUDIT_H */