bsd/bsm/audit.h

   1 /*
   2  * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
   3  *
   4  * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License.  The rights granted to you under the
  10  * License may not be used to create, or enable the creation or
  11  * redistribution of, unlawful or unlicensed copies of an Apple operating
  12  * system, or to circumvent, violate, or enable the circumvention or
  13  * violation of, any terms of an Apple operating system software license
  14  * agreement.
  15  *
  16  * Please obtain a copy of the License at
  17  * http://www.opensource.apple.com/apsl/ and read it before using this
  18  * file.
  19  *
  20  * The Original Code and all software distributed under the License are
  21  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  22  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  23  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  24  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  25  * Please see the License for the specific language governing rights and
  26  * limitations under the License.
  27  *
  28  * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
  29  */
  30
  31 #ifndef _BSM_AUDIT_H
  32 #define _BSM_AUDIT_H
  33
  34 #include <sys/queue.h>
  35 #include <sys/types.h>
  36 #include <sys/param.h>
  37 #include <sys/socket.h>
  38 #include <sys/cdefs.h>
  39
  40 #define AUDIT_RECORD_MAGIC      0x828a0f1b
  41 #define MAX_AUDIT_RECORDS       20
  42 #define MAX_AUDIT_RECORD_SIZE   4096
  43 #define MIN_AUDIT_FILE_SIZE     512 * 1024
  44
  45 /*
  46  * Triggers for the audit daemon
  47  */
  48 #define AUDIT_TRIGGER_LOW_SPACE 1
  49 #define AUDIT_TRIGGER_FILE_FULL 2
  50
  51 /*
  52  * Pre-defined audit IDs
  53  */
  54 #define AU_DEFAUDITID   ((uid_t)-1)
  55
  56 /*
  57  * Define the masks for the classes of audit events.
  58  */
  59 #define AU_NULL         0x00000000
  60 #define AU_FREAD        0x00000001
  61 #define AU_FWRITE       0x00000002
  62 #define AU_FACCESS      0x00000004
  63 #define AU_FMODIFY      0x00000008
  64 #define AU_FCREATE      0x00000010
  65 #define AU_FDELETE      0x00000020
  66 #define AU_CLOSE        0x00000040
  67 #define AU_PROCESS      0x00000080
  68 #define AU_NET          0x00000100
  69 #define AU_IPC          0x00000200
  70 #define AU_NONAT        0x00000400
  71 #define AU_ADMIN        0x00000800
  72 #define AU_LOGIN        0x00001000
  73 #define AU_TFM          0x00002000
  74 #define AU_APPL         0x00004000
  75 #define AU_SETL         0x00008000
  76 #define AU_IFLOAT       0x00010000
  77 #define AU_PRIV         0x00020000
  78 #define AU_MAC_RW       0x00040000
  79 #define AU_XCONN        0x00080000
  80 #define AU_XCREATE      0x00100000
  81 #define AU_XDELETE      0x00200000
  82 #define AU_XIFLOAT      0x00400000
  83 #define AU_XPRIVS       0x00800000
  84 #define AU_XPRIVF       0x01000000
  85 #define AU_XMOVE        0x02000000
  86 #define AU_XDACF        0x04000000
  87 #define AU_XMACF        0x08000000
  88 #define AU_XSECATTR     0x10000000
  89 #define AU_IOCTL        0x20000000
  90 #define AU_EXEC         0x40000000
  91 #define AU_OTHER        0x80000000
  92 #define AU_ALL          0xffffffff
  93
  94 /*
  95  * IPC types
  96  */
  97 #define AT_IPC_MSG      ((u_char)1) /* message IPC id */
  98 #define AT_IPC_SEM      ((u_char)2) /* semaphore IPC id */
  99 #define AT_IPC_SHM      ((u_char)3) /* shared mem IPC id */
 100
 101 /*
 102  * Audit conditions.
 103  */
 104 #define AUC_UNSET               0
 105 #define AUC_AUDITING            1
 106 #define AUC_NOAUDIT             2
 107 #define AUC_DISABLED            -1
 108
 109 /*
 110  * auditon(2) commands.
 111  */
 112 #define A_GETPOLICY     2
 113 #define A_SETPOLICY     3
 114 #define A_GETKMASK      4
 115 #define A_SETKMASK      5
 116 #define A_GETQCTRL      6
 117 #define A_SETQCTRL      7
 118 #define A_GETCWD        8
 119 #define A_GETCAR        9
 120 #define A_GETSTAT       12
 121 #define A_SETSTAT       13
 122 #define A_SETUMASK      14
 123 #define A_SETSMASK      15
 124 #define A_GETCOND       20
 125 #define A_SETCOND       21
 126 #define A_GETCLASS      22
 127 #define A_SETCLASS      23
 128 #define A_GETPINFO      24
 129 #define A_SETPMASK      25
 130 #define A_SETFSIZE      26
 131 #define A_GETFSIZE      27
 132 #define A_GETPINFO_ADDR 28
 133 #define A_GETKAUDIT     29
 134 #define A_SETKAUDIT     30
 135
 136 /*
 137  * Audit policy controls.
 138  */
 139 #define AUDIT_CNT       0x0001
 140 #define AUDIT_AHLT      0x0002
 141 #define AUDIT_ARGV      0x0004
 142 #define AUDIT_ARGE      0x0008
 143 #define AUDIT_PASSWD    0x0010
 144 #define AUDIT_SEQ       0x0020
 145 #define AUDIT_WINDATA   0x0040
 146 #define AUDIT_USER      0x0080
 147 #define AUDIT_GROUP     0x0100
 148 #define AUDIT_TRAIL     0x0200
 149 #define AUDIT_PATH      0x0400
 150
 151 /*
 152  * Audit queue control parameters
 153  */
 154 #define AQ_HIWATER      100
 155 #define AQ_MAXHIGH      10000
 156 #define AQ_LOWATER      10
 157 #define AQ_BUFSZ        1024
 158 #define AQ_MAXBUFSZ     1048576
 159
 160 #define AU_FS_MINFREE   20   /* default min filesystem freespace, in percent */
 161
 162 __BEGIN_DECLS
 163
 164 typedef uid_t au_id_t;
 165 typedef pid_t au_asid_t;
 166 typedef u_int16_t au_event_t;
 167 typedef u_int16_t au_emod_t;
 168 typedef u_int32_t au_class_t;
 169
 170 struct au_tid {
 171         dev_t port;
 172         u_int32_t machine;
 173 };
 174 typedef struct au_tid au_tid_t;
 175
 176 struct au_tid_addr {
 177         dev_t  at_port;
 178         u_int32_t at_type;
 179         u_int32_t at_addr[4];
 180 };
 181 typedef struct au_tid_addr au_tid_addr_t;
 182
 183 struct au_mask {
 184         unsigned int    am_success;     /* success bits */
 185         unsigned int    am_failure;     /* failure bits */
 186 };
 187 typedef struct au_mask au_mask_t;
 188
 189 struct auditinfo {
 190         au_id_t                 ai_auid;        /* Audit user ID */
 191         au_mask_t               ai_mask;        /* Audit masks */
 192         au_tid_t                ai_termid;      /* Terminal ID */
 193         au_asid_t               ai_asid;        /* Audit session ID */
 194 };
 195 typedef struct auditinfo auditinfo_t;
 196
 197 struct auditinfo_addr {
 198         au_id_t                 ai_auid;        /* Audit user ID */
 199         au_mask_t               ai_mask;        /* Audit masks */
 200         au_tid_addr_t           ai_termid;      /* Terminal ID */
 201         au_asid_t               ai_asid;        /* Audit session ID */
 202 };
 203 typedef struct auditinfo_addr auditinfo_addr_t;
 204
 205 struct auditpinfo {
 206         pid_t                   ap_pid;         /* ID of target process */
 207         au_id_t                 ap_auid;        /* Audit user ID */
 208         au_mask_t               ap_mask;        /* Audit masks */
 209         au_tid_t                ap_termid;      /* Terminal ID */
 210         au_asid_t               ap_asid;        /* Audit session ID */
 211 };
 212 typedef struct auditpinfo auditpinfo_t;
 213
 214 struct auditpinfo_addr {
 215         pid_t                   ap_pid;         /* ID of target process */
 216         au_id_t                 ap_auid;        /* Audit user ID */
 217         au_mask_t               ap_mask;        /* Audit masks */
 218         au_tid_addr_t           ap_termid;      /* Terminal ID */
 219         au_asid_t               ap_asid;        /* Audit session ID */
 220 };
 221 typedef struct auditpinfo_addr auditpinfo_addr_t;
 222
 223 /* Token and record structures */
 224
 225 struct au_token {
 226         u_char *t_data;
 227         size_t len;
 228         TAILQ_ENTRY(au_token) tokens;
 229 };
 230 typedef struct au_token token_t;
 231
 232 struct au_record {
 233         char used; /* Is this record currently being used */
 234         int desc; /* The descriptor associated with this record */
 235         TAILQ_HEAD(, au_token) token_q; /* queue of BSM tokens */
 236         u_char *data;
 237         size_t len;
 238         LIST_ENTRY(au_record) au_rec_q;
 239 };
 240 typedef struct au_record au_record_t;
 241
 242 /*
 243  * Kernel audit queue control parameters.
 244  */
 245 struct au_qctrl {
 246         size_t  aq_hiwater;
 247         size_t  aq_lowater;
 248         size_t  aq_bufsz;
 249         clock_t aq_delay;
 250         int     aq_minfree;     /* minimum filesystem percent free space */
 251 };
 252 typedef struct au_qctrl au_qctrl_t;
 253
 254 /*
 255  * Structure for the audit statistics.
 256  */
 257 struct audit_stat {
 258         unsigned int as_version;
 259         unsigned int as_numevent;
 260         int as_generated;
 261         int as_nonattring;
 262         int as_kernel;
 263         int as_audit;
 264         int as_auditctl;
 265         int as_enqueu;
 266         int as_written;
 267         int as_wblocked;
 268         int as_rblocked;
 269         int as_dropped;
 270         int as_totalsize;
 271         unsigned int as_memused;
 272 };
 273 typedef struct audit_stat au_stat_t;
 274
 275 /*
 276  * Structure for the audit file statistics.
 277  */
 278 struct audit_fstat {
 279         u_quad_t af_filesz;
 280         u_quad_t af_currsz;
 281 };
 282 typedef struct audit_fstat au_fstat_t;
 283
 284 /*
 285  * Audit to event class mapping.
 286  */
 287 struct au_evclass_map {
 288         au_event_t ec_number;
 289         au_class_t ec_class;
 290 };
 291 typedef struct au_evclass_map au_evclass_map_t;
 292
 293 #ifndef KERNEL
 294
 295 int audit (const void *, int);
 296 int auditon (int, void *, int);
 297 int auditctl (const char *);
 298 int getauid (au_id_t *);
 299 int setauid (const au_id_t *);
 300 int getaudit (struct auditinfo *);
 301 int setaudit (const struct auditinfo *);
 302 int getaudit_addr (struct auditinfo_addr *, int);
 303 int setaudit_addr (const struct auditinfo_addr *, int);
 304 #endif /* !KERNEL */
 305
 306 __END_DECLS
 307
 308 #endif /* !_BSM_AUDIT_H */