bsd/bsm/audit.h

   1 /*
   2  * Copyright (c) 1999-2007 Apple Inc.  All Rights Reserved.
   3  *
   4  * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
   5  *
   6  * This file contains Original Code and/or Modifications of Original Code
   7  * as defined in and that are subject to the Apple Public Source License
   8  * Version 2.0 (the 'License'). You may not use this file except in
   9  * compliance with the License. The rights granted to you under the License
  10  * may not be used to create, or enable the creation or redistribution of,
  11  * unlawful or unlicensed copies of an Apple operating system, or to
  12  * circumvent, violate, or enable the circumvention or violation of, any
  13  * terms of an Apple operating system software license agreement.
  14  *
  15  * Please obtain a copy of the License at
  16  * http://www.opensource.apple.com/apsl/ and read it before using this file.
  17  *
  18  * The Original Code and all software distributed under the License are
  19  * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
  20  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
  21  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
  22  * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
  23  * Please see the License for the specific language governing rights and
  24  * limitations under the License.
  25  *
  26  * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
  27  */
  28
  29 #ifndef _BSM_AUDIT_H
  30 #define _BSM_AUDIT_H
  31
  32 #include <sys/queue.h>
  33 #include <sys/types.h>
  34 #include <sys/param.h>
  35 #include <sys/socket.h>
  36 #include <sys/cdefs.h>
  37
  38 #define AUDIT_RECORD_MAGIC      0x828a0f1b
  39 #define MAX_AUDIT_RECORDS       20
  40 #define MAX_AUDIT_RECORD_SIZE   4096
  41 #define MIN_AUDIT_FILE_SIZE     512 * 1024
  42
  43 /*
  44  * Triggers for the audit daemon
  45  */
  46 #define AUDIT_TRIGGER_LOW_SPACE 1
  47 #define AUDIT_TRIGGER_FILE_FULL 2
  48
  49 /*
  50  * Pre-defined audit IDs
  51  */
  52 #define AU_DEFAUDITID   ((uid_t)-1)
  53
  54 /*
  55  * Define the masks for the classes of audit events.
  56  */
  57 #define AU_NULL         0x00000000
  58 #define AU_FREAD        0x00000001
  59 #define AU_FWRITE       0x00000002
  60 #define AU_FACCESS      0x00000004
  61 #define AU_FMODIFY      0x00000008
  62 #define AU_FCREATE      0x00000010
  63 #define AU_FDELETE      0x00000020
  64 #define AU_CLOSE        0x00000040
  65 #define AU_PROCESS      0x00000080
  66 #define AU_NET          0x00000100
  67 #define AU_IPC          0x00000200
  68 #define AU_NONAT        0x00000400
  69 #define AU_ADMIN        0x00000800
  70 #define AU_LOGIN        0x00001000
  71 #define AU_TFM          0x00002000
  72 #define AU_APPL         0x00004000
  73 #define AU_SETL         0x00008000
  74 #define AU_IFLOAT       0x00010000
  75 #define AU_PRIV         0x00020000
  76 #define AU_MAC_RW       0x00040000
  77 #define AU_XCONN        0x00080000
  78 #define AU_XCREATE      0x00100000
  79 #define AU_XDELETE      0x00200000
  80 #define AU_XIFLOAT      0x00400000
  81 #define AU_XPRIVS       0x00800000
  82 #define AU_XPRIVF       0x01000000
  83 #define AU_XMOVE        0x02000000
  84 #define AU_XDACF        0x04000000
  85 #define AU_XMACF        0x08000000
  86 #define AU_XSECATTR     0x10000000
  87 #define AU_IOCTL        0x20000000
  88 #define AU_EXEC         0x40000000
  89 #define AU_OTHER        0x80000000
  90 #define AU_ALL          0xffffffff
  91
  92 /*
  93  * IPC types
  94  */
  95 #define AT_IPC_MSG      ((u_char)1) /* message IPC id */
  96 #define AT_IPC_SEM      ((u_char)2) /* semaphore IPC id */
  97 #define AT_IPC_SHM      ((u_char)3) /* shared mem IPC id */
  98
  99 /*
 100  * Audit conditions.
 101  */
 102 #define AUC_UNSET               0
 103 #define AUC_AUDITING            1
 104 #define AUC_NOAUDIT             2
 105 #define AUC_DISABLED            -1
 106
 107 /*
 108  * auditon(2) commands.
 109  */
 110 #define A_GETPOLICY     2
 111 #define A_SETPOLICY     3
 112 #define A_GETKMASK      4
 113 #define A_SETKMASK      5
 114 #define A_GETQCTRL      6
 115 #define A_SETQCTRL      7
 116 #define A_GETCWD        8
 117 #define A_GETCAR        9
 118 #define A_GETSTAT       12
 119 #define A_SETSTAT       13
 120 #define A_SETUMASK      14
 121 #define A_SETSMASK      15
 122 #define A_GETCOND       20
 123 #define A_SETCOND       21
 124 #define A_GETCLASS      22
 125 #define A_SETCLASS      23
 126 #define A_GETPINFO      24
 127 #define A_SETPMASK      25
 128 #define A_SETFSIZE      26
 129 #define A_GETFSIZE      27
 130 #define A_GETPINFO_ADDR 28
 131 #define A_GETKAUDIT     29
 132 #define A_SETKAUDIT     30
 133
 134 /*
 135  * Audit policy controls.
 136  */
 137 #define AUDIT_CNT       0x0001
 138 #define AUDIT_AHLT      0x0002
 139 #define AUDIT_ARGV      0x0004
 140 #define AUDIT_ARGE      0x0008
 141 #define AUDIT_PASSWD    0x0010
 142 #define AUDIT_SEQ       0x0020
 143 #define AUDIT_WINDATA   0x0040
 144 #define AUDIT_USER      0x0080
 145 #define AUDIT_GROUP     0x0100
 146 #define AUDIT_TRAIL     0x0200
 147 #define AUDIT_PATH      0x0400
 148
 149 /*
 150  * Audit queue control parameters
 151  */
 152 #define AQ_HIWATER      100
 153 #define AQ_MAXHIGH      10000
 154 #define AQ_LOWATER      10
 155 #define AQ_BUFSZ        1024
 156 #define AQ_MAXBUFSZ     1048576
 157
 158 #define AU_FS_MINFREE   20   /* default min filesystem freespace, in percent */
 159
 160 __BEGIN_DECLS
 161
 162 typedef uid_t au_id_t;
 163 typedef pid_t au_asid_t;
 164 typedef u_int16_t au_event_t;
 165 typedef u_int16_t au_emod_t;
 166 typedef u_int32_t au_class_t;
 167
 168 struct au_tid {
 169         dev_t port;
 170         u_int32_t machine;
 171 };
 172 typedef struct au_tid au_tid_t;
 173
 174 struct au_tid_addr {
 175         dev_t  at_port;
 176         u_int32_t at_type;
 177         u_int32_t at_addr[4];
 178 };
 179 typedef struct au_tid_addr au_tid_addr_t;
 180
 181 struct au_mask {
 182         unsigned int    am_success;     /* success bits */
 183         unsigned int    am_failure;     /* failure bits */
 184 };
 185 typedef struct au_mask au_mask_t;
 186
 187 struct auditinfo {
 188         au_id_t                 ai_auid;        /* Audit user ID */
 189         au_mask_t               ai_mask;        /* Audit masks */
 190         au_tid_t                ai_termid;      /* Terminal ID */
 191         au_asid_t               ai_asid;        /* Audit session ID */
 192 };
 193 typedef struct auditinfo auditinfo_t;
 194
 195 struct auditinfo_addr {
 196         au_id_t                 ai_auid;        /* Audit user ID */
 197         au_mask_t               ai_mask;        /* Audit masks */
 198         au_tid_addr_t           ai_termid;      /* Terminal ID */
 199         au_asid_t               ai_asid;        /* Audit session ID */
 200 };
 201 typedef struct auditinfo_addr auditinfo_addr_t;
 202
 203 struct auditpinfo {
 204         pid_t                   ap_pid;         /* ID of target process */
 205         au_id_t                 ap_auid;        /* Audit user ID */
 206         au_mask_t               ap_mask;        /* Audit masks */
 207         au_tid_t                ap_termid;      /* Terminal ID */
 208         au_asid_t               ap_asid;        /* Audit session ID */
 209 };
 210 typedef struct auditpinfo auditpinfo_t;
 211
 212 struct auditpinfo_addr {
 213         pid_t                   ap_pid;         /* ID of target process */
 214         au_id_t                 ap_auid;        /* Audit user ID */
 215         au_mask_t               ap_mask;        /* Audit masks */
 216         au_tid_addr_t           ap_termid;      /* Terminal ID */
 217         au_asid_t               ap_asid;        /* Audit session ID */
 218 };
 219 typedef struct auditpinfo_addr auditpinfo_addr_t;
 220
 221 /* Token and record structures */
 222
 223 struct au_token {
 224         u_char *t_data;
 225         size_t len;
 226         TAILQ_ENTRY(au_token) tokens;
 227 };
 228 typedef struct au_token token_t;
 229
 230 struct au_record {
 231         char used; /* Is this record currently being used */
 232         int desc; /* The descriptor associated with this record */
 233         TAILQ_HEAD(, au_token) token_q; /* queue of BSM tokens */
 234         u_char *data;
 235         size_t len;
 236         LIST_ENTRY(au_record) au_rec_q;
 237 };
 238 typedef struct au_record au_record_t;
 239
 240 /*
 241  * Kernel audit queue control parameters.
 242  */
 243 struct au_qctrl {
 244         size_t  aq_hiwater;
 245         size_t  aq_lowater;
 246         size_t  aq_bufsz;
 247         clock_t aq_delay;
 248         int     aq_minfree;     /* minimum filesystem percent free space */
 249 };
 250 typedef struct au_qctrl au_qctrl_t;
 251
 252 /*
 253  * Structure for the audit statistics.
 254  */
 255 struct audit_stat {
 256         unsigned int as_version;
 257         unsigned int as_numevent;
 258         int as_generated;
 259         int as_nonattring;
 260         int as_kernel;
 261         int as_audit;
 262         int as_auditctl;
 263         int as_enqueu;
 264         int as_written;
 265         int as_wblocked;
 266         int as_rblocked;
 267         int as_dropped;
 268         int as_totalsize;
 269         unsigned int as_memused;
 270 };
 271 typedef struct audit_stat au_stat_t;
 272
 273 /*
 274  * Structure for the audit file statistics.
 275  */
 276 struct audit_fstat {
 277         u_quad_t af_filesz;
 278         u_quad_t af_currsz;
 279 };
 280 typedef struct audit_fstat au_fstat_t;
 281
 282 /*
 283  * Audit to event class mapping.
 284  */
 285 struct au_evclass_map {
 286         au_event_t ec_number;
 287         au_class_t ec_class;
 288 };
 289 typedef struct au_evclass_map au_evclass_map_t;
 290
 291 #ifndef KERNEL
 292
 293 int audit (const void *, int);
 294 int auditon (int, void *, int);
 295 int auditctl (const char *);
 296 int getauid (au_id_t *);
 297 int setauid (const au_id_t *);
 298 int getaudit (struct auditinfo *);
 299 int setaudit (const struct auditinfo *);
 300 int getaudit_addr (struct auditinfo_addr *, int);
 301 int setaudit_addr (const struct auditinfo_addr *, int);
 302 #endif /* !KERNEL */
 303
 304 __END_DECLS
 305
 306 #endif /* !_BSM_AUDIT_H */