bsd/bsm/audit.h

   1 /*
   2  * @APPLE_LICENSE_HEADER_START@
   3  *
   4  * Copyright (c) 1999-2004 Apple Computer, Inc.  All Rights Reserved.
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. Please obtain a copy of the License at
  10  * http://www.opensource.apple.com/apsl/ and read it before using this
  11  * file.
  12  *
  13  * The Original Code and all software distributed under the License are
  14  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  15  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  16  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  17  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  18  * Please see the License for the specific language governing rights and
  19  * limitations under the License.
  20  *
  21  * @APPLE_LICENSE_HEADER_END@
  22  */
  23
  24 #ifndef _BSM_AUDIT_H
  25 #define _BSM_AUDIT_H
  26
  27 #include <sys/queue.h>
  28 #include <sys/types.h>
  29 #include <sys/param.h>
  30 #include <sys/socket.h>
  31 #include <sys/cdefs.h>
  32
  33 #define AUDIT_RECORD_MAGIC      0x828a0f1b
  34 #define MAX_AUDIT_RECORDS       20
  35 #define MAX_AUDIT_RECORD_SIZE   4096
  36 #define MIN_AUDIT_FILE_SIZE     512 * 1024
  37
  38 /*
  39  * Triggers for the audit daemon
  40  */
  41 #define AUDIT_TRIGGER_LOW_SPACE 1
  42 #define AUDIT_TRIGGER_FILE_FULL 2
  43
  44 /*
  45  * Pre-defined audit IDs
  46  */
  47 #define AU_DEFAUDITID   ((uid_t)-1)
  48
  49 /*
  50  * Define the masks for the classes of audit events.
  51  */
  52 #define AU_NULL         0x00000000
  53 #define AU_FREAD        0x00000001
  54 #define AU_FWRITE       0x00000002
  55 #define AU_FACCESS      0x00000004
  56 #define AU_FMODIFY      0x00000008
  57 #define AU_FCREATE      0x00000010
  58 #define AU_FDELETE      0x00000020
  59 #define AU_CLOSE        0x00000040
  60 #define AU_PROCESS      0x00000080
  61 #define AU_NET          0x00000100
  62 #define AU_IPC          0x00000200
  63 #define AU_NONAT        0x00000400
  64 #define AU_ADMIN        0x00000800
  65 #define AU_LOGIN        0x00001000
  66 #define AU_TFM          0x00002000
  67 #define AU_APPL         0x00004000
  68 #define AU_SETL         0x00008000
  69 #define AU_IFLOAT       0x00010000
  70 #define AU_PRIV         0x00020000
  71 #define AU_MAC_RW       0x00040000
  72 #define AU_XCONN        0x00080000
  73 #define AU_XCREATE      0x00100000
  74 #define AU_XDELETE      0x00200000
  75 #define AU_XIFLOAT      0x00400000
  76 #define AU_XPRIVS       0x00800000
  77 #define AU_XPRIVF       0x01000000
  78 #define AU_XMOVE        0x02000000
  79 #define AU_XDACF        0x04000000
  80 #define AU_XMACF        0x08000000
  81 #define AU_XSECATTR     0x10000000
  82 #define AU_IOCTL        0x20000000
  83 #define AU_EXEC         0x40000000
  84 #define AU_OTHER        0x80000000
  85 #define AU_ALL          0xffffffff
  86
  87 /*
  88  * IPC types
  89  */
  90 #define AT_IPC_MSG      ((u_char)1) /* message IPC id */
  91 #define AT_IPC_SEM      ((u_char)2) /* semaphore IPC id */
  92 #define AT_IPC_SHM      ((u_char)3) /* shared mem IPC id */
  93
  94 /*
  95  * Audit conditions.
  96  */
  97 #define AUC_UNSET               0
  98 #define AUC_AUDITING            1
  99 #define AUC_NOAUDIT             2
 100 #define AUC_DISABLED            -1
 101
 102 /*
 103  * auditon(2) commands.
 104  */
 105 #define A_GETPOLICY     2
 106 #define A_SETPOLICY     3
 107 #define A_GETKMASK      4
 108 #define A_SETKMASK      5
 109 #define A_GETQCTRL      6
 110 #define A_SETQCTRL      7
 111 #define A_GETCWD        8
 112 #define A_GETCAR        9
 113 #define A_GETSTAT       12
 114 #define A_SETSTAT       13
 115 #define A_SETUMASK      14
 116 #define A_SETSMASK      15
 117 #define A_GETCOND       20
 118 #define A_SETCOND       21
 119 #define A_GETCLASS      22
 120 #define A_SETCLASS      23
 121 #define A_GETPINFO      24
 122 #define A_SETPMASK      25
 123 #define A_SETFSIZE      26
 124 #define A_GETFSIZE      27
 125 #define A_GETPINFO_ADDR 28
 126 #define A_GETKAUDIT     29
 127 #define A_SETKAUDIT     30
 128
 129 /*
 130  * Audit policy controls.
 131  */
 132 #define AUDIT_CNT       0x0001
 133 #define AUDIT_AHLT      0x0002
 134 #define AUDIT_ARGV      0x0004
 135 #define AUDIT_ARGE      0x0008
 136 #define AUDIT_PASSWD    0x0010
 137 #define AUDIT_SEQ       0x0020
 138 #define AUDIT_WINDATA   0x0040
 139 #define AUDIT_USER      0x0080
 140 #define AUDIT_GROUP     0x0100
 141 #define AUDIT_TRAIL     0x0200
 142 #define AUDIT_PATH      0x0400
 143
 144 /*
 145  * Audit queue control parameters
 146  */
 147 #define AQ_HIWATER      100
 148 #define AQ_MAXHIGH      10000
 149 #define AQ_LOWATER      10
 150 #define AQ_BUFSZ        1024
 151 #define AQ_MAXBUFSZ     1048576
 152
 153 #define AU_FS_MINFREE   20   /* default min filesystem freespace, in percent */
 154
 155 __BEGIN_DECLS
 156
 157 typedef uid_t au_id_t;
 158 typedef pid_t au_asid_t;
 159 typedef u_int16_t au_event_t;
 160 typedef u_int16_t au_emod_t;
 161 typedef u_int32_t au_class_t;
 162
 163 struct au_tid {
 164         dev_t port;
 165         u_int32_t machine;
 166 };
 167 typedef struct au_tid au_tid_t;
 168
 169 struct au_tid_addr {
 170         dev_t  at_port;
 171         u_int32_t at_type;
 172         u_int32_t at_addr[4];
 173 };
 174 typedef struct au_tid_addr au_tid_addr_t;
 175
 176 struct au_mask {
 177         unsigned int    am_success;     /* success bits */
 178         unsigned int    am_failure;     /* failure bits */
 179 };
 180 typedef struct au_mask au_mask_t;
 181
 182 struct auditinfo {
 183         au_id_t                 ai_auid;        /* Audit user ID */
 184         au_mask_t               ai_mask;        /* Audit masks */
 185         au_tid_t                ai_termid;      /* Terminal ID */
 186         au_asid_t               ai_asid;        /* Audit session ID */
 187 };
 188 typedef struct auditinfo auditinfo_t;
 189
 190 struct auditinfo_addr {
 191         au_id_t                 ai_auid;        /* Audit user ID */
 192         au_mask_t               ai_mask;        /* Audit masks */
 193         au_tid_addr_t           ai_termid;      /* Terminal ID */
 194         au_asid_t               ai_asid;        /* Audit session ID */
 195 };
 196 typedef struct auditinfo_addr auditinfo_addr_t;
 197
 198 struct auditpinfo {
 199         pid_t                   ap_pid;         /* ID of target process */
 200         au_id_t                 ap_auid;        /* Audit user ID */
 201         au_mask_t               ap_mask;        /* Audit masks */
 202         au_tid_t                ap_termid;      /* Terminal ID */
 203         au_asid_t               ap_asid;        /* Audit session ID */
 204 };
 205 typedef struct auditpinfo auditpinfo_t;
 206
 207 struct auditpinfo_addr {
 208         pid_t                   ap_pid;         /* ID of target process */
 209         au_id_t                 ap_auid;        /* Audit user ID */
 210         au_mask_t               ap_mask;        /* Audit masks */
 211         au_tid_addr_t           ap_termid;      /* Terminal ID */
 212         au_asid_t               ap_asid;        /* Audit session ID */
 213 };
 214 typedef struct auditpinfo_addr auditpinfo_addr_t;
 215
 216 /* Token and record structures */
 217
 218 struct au_token {
 219         u_char *t_data;
 220         size_t len;
 221         TAILQ_ENTRY(au_token) tokens;
 222 };
 223 typedef struct au_token token_t;
 224
 225 struct au_record {
 226         char used; /* Is this record currently being used */
 227         int desc; /* The descriptor associated with this record */
 228         TAILQ_HEAD(, au_token) token_q; /* queue of BSM tokens */
 229         u_char *data;
 230         size_t len;
 231         LIST_ENTRY(au_record) au_rec_q;
 232 };
 233 typedef struct au_record au_record_t;
 234
 235 /*
 236  * Kernel audit queue control parameters.
 237  */
 238 struct au_qctrl {
 239         size_t  aq_hiwater;
 240         size_t  aq_lowater;
 241         size_t  aq_bufsz;
 242         clock_t aq_delay;
 243         int     aq_minfree;     /* minimum filesystem percent free space */
 244 };
 245 typedef struct au_qctrl au_qctrl_t;
 246
 247 /*
 248  * Structure for the audit statistics.
 249  */
 250 struct audit_stat {
 251         unsigned int as_version;
 252         unsigned int as_numevent;
 253         int as_generated;
 254         int as_nonattring;
 255         int as_kernel;
 256         int as_audit;
 257         int as_auditctl;
 258         int as_enqueu;
 259         int as_written;
 260         int as_wblocked;
 261         int as_rblocked;
 262         int as_dropped;
 263         int as_totalsize;
 264         unsigned int as_memused;
 265 };
 266 typedef struct audit_stat au_stat_t;
 267
 268 /*
 269  * Structure for the audit file statistics.
 270  */
 271 struct audit_fstat {
 272         u_quad_t af_filesz;
 273         u_quad_t af_currsz;
 274 };
 275 typedef struct audit_fstat au_fstat_t;
 276
 277 /*
 278  * Audit to event class mapping.
 279  */
 280 struct au_evclass_map {
 281         au_event_t ec_number;
 282         au_class_t ec_class;
 283 };
 284 typedef struct au_evclass_map au_evclass_map_t;
 285
 286 #ifndef KERNEL
 287
 288 int audit (const void *, int);
 289 int auditon (int, void *, int);
 290 int auditctl (const char *);
 291 int getauid (au_id_t *);
 292 int setauid (const au_id_t *);
 293 int getaudit (struct auditinfo *);
 294 int setaudit (const struct auditinfo *);
 295 int getaudit_addr (struct auditinfo_addr *, int);
 296 int setaudit_addr (const struct auditinfo_addr *, int);
 297 #endif /* !KERNEL */
 298
 299 __END_DECLS
 300
 301 #endif /* !_BSM_AUDIT_H */