Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
freebsd
GitHub Repository: freebsd/freebsd-src
 Path: blob/main/sys/bsm/audit.h
39475 views
1
/*-

2
 * SPDX-License-Identifier: BSD-3-Clause

3
 *

4
 * Copyright (c) 2005-2009 Apple Inc.

5
 * Copyright (c) 2016 Robert N. M. Watson

6
 * All rights reserved.

7
 *

8
 * Portions of this software were developed by BAE Systems, the University of

9
 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL

10
 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent

11
 * Computing (TC) research program.

12
 *

13
 * Redistribution and use in source and binary forms, with or without

14
 * modification, are permitted provided that the following conditions

15
 * are met:

16
 *

17
 * 1.  Redistributions of source code must retain the above copyright

18
 *     notice, this list of conditions and the following disclaimer.

19
 * 2.  Redistributions in binary form must reproduce the above copyright

20
 *     notice, this list of conditions and the following disclaimer in the

21
 *     documentation and/or other materials provided with the distribution.

22
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of

23
 *     its contributors may be used to endorse or promote products derived

24
 *     from this software without specific prior written permission.

25
 *

26
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY

27
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

28
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

29
 * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY

30
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

31
 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;

32
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND

33
 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

34
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

35
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

36
 */

37


38
#ifndef	_BSM_AUDIT_H

39
#define	_BSM_AUDIT_H

40


41
#include <sys/param.h>

42
#include <sys/types.h>

43


44
#define	AUDIT_RECORD_MAGIC	0x828a0f1b

45
#define	MAX_AUDIT_RECORDS	20

46
#define	MAXAUDITDATA		(0x8000 - 1)

47
#define	MAX_AUDIT_RECORD_SIZE	MAXAUDITDATA

48
#define	MIN_AUDIT_FILE_SIZE	(512 * 1024)

49


50
/*

51
 * Minimum noumber of free blocks on the filesystem containing the audit

52
 * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0

53
 * as the kernel does an unsigned compare, plus we want to leave a few blocks

54
 * free so userspace can terminate the log, etc.

55
 */

56
#define	AUDIT_HARD_LIMIT_FREE_BLOCKS	4

57


58
/*

59
 * Triggers for the audit daemon.

60
 */

61
#define	AUDIT_TRIGGER_MIN		1

62
#define	AUDIT_TRIGGER_LOW_SPACE		1	/* Below low watermark. */

63
#define	AUDIT_TRIGGER_ROTATE_KERNEL	2	/* Kernel requests rotate. */

64
#define	AUDIT_TRIGGER_READ_FILE		3	/* Re-read config file. */

65
#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4	/* Terminate audit. */

66
#define	AUDIT_TRIGGER_NO_SPACE		5	/* Below min free space. */

67
#define	AUDIT_TRIGGER_ROTATE_USER	6	/* User requests rotate. */

68
#define	AUDIT_TRIGGER_INITIALIZE	7	/* User initialize of auditd. */

69
#define	AUDIT_TRIGGER_EXPIRE_TRAILS	8	/* User expiration of trails. */

70
#define	AUDIT_TRIGGER_MAX		8

71


72
/*

73
 * The special device filename (FreeBSD).

74
 */

75
#define	AUDITDEV_FILENAME	"audit"

76
#define	AUDIT_TRIGGER_FILE	("/dev/" AUDITDEV_FILENAME)

77


78
/*

79
 * Pre-defined audit IDs

80
 */

81
#define	AU_DEFAUDITID	(uid_t)(-1)

82
#define	AU_DEFAUDITSID	 0

83
#define	AU_ASSIGN_ASID	-1

84


85
/*

86
 * IPC types.

87
 */

88
#define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */

89
#define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */

90
#define	AT_IPC_SHM	((u_char)3)	/* Shared mem IPC id. */

91


92
/*

93
 * Audit conditions.

94
 */

95
#define	AUC_UNSET		0

96
#define	AUC_AUDITING		1

97
#define	AUC_NOAUDIT		2

98
#define	AUC_DISABLED		-1

99


100
/*

101
 * auditon(2) commands.

102
 */

103
#define	A_OLDGETPOLICY	2

104
#define	A_OLDSETPOLICY	3

105
#define	A_GETKMASK	4

106
#define	A_SETKMASK	5

107
#define	A_OLDGETQCTRL	6

108
#define	A_OLDSETQCTRL	7

109
#define	A_GETCWD	8

110
#define	A_GETCAR	9

111
#define	A_GETSTAT	12

112
#define	A_SETSTAT	13

113
#define	A_SETUMASK	14

114
#define	A_SETSMASK	15

115
#define	A_OLDGETCOND	20

116
#define	A_OLDSETCOND	21

117
#define	A_GETCLASS	22

118
#define	A_SETCLASS	23

119
#define	A_GETPINFO	24

120
#define	A_SETPMASK	25

121
#define	A_SETFSIZE	26

122
#define	A_GETFSIZE	27

123
#define	A_GETPINFO_ADDR	28

124
#define	A_GETKAUDIT	29

125
#define	A_SETKAUDIT	30

126
#define	A_SENDTRIGGER	31

127
#define	A_GETSINFO_ADDR	32

128
#define	A_GETPOLICY	33

129
#define	A_SETPOLICY	34

130
#define	A_GETQCTRL	35

131
#define	A_SETQCTRL	36

132
#define	A_GETCOND	37

133
#define	A_SETCOND	38

134
#define	A_GETEVENT	39	/* Get audit event-to-name mapping. */

135
#define	A_SETEVENT	40	/* Set audit event-to-name mapping. */

136


137
/*

138
 * Audit policy controls.

139
 */

140
#define	AUDIT_CNT	0x0001

141
#define	AUDIT_AHLT	0x0002

142
#define	AUDIT_ARGV	0x0004

143
#define	AUDIT_ARGE	0x0008

144
#define	AUDIT_SEQ	0x0010

145
#define	AUDIT_WINDATA	0x0020

146
#define	AUDIT_USER	0x0040

147
#define	AUDIT_GROUP	0x0080

148
#define	AUDIT_TRAIL	0x0100

149
#define	AUDIT_PATH	0x0200

150
#define	AUDIT_SCNT	0x0400

151
#define	AUDIT_PUBLIC	0x0800

152
#define	AUDIT_ZONENAME	0x1000

153
#define	AUDIT_PERZONE	0x2000

154


155
/*

156
 * Default audit queue control parameters.

157
 */

158
#define	AQ_HIWATER	100

159
#define	AQ_MAXHIGH	10000

160
#define	AQ_LOWATER	10

161
#define	AQ_BUFSZ	MAXAUDITDATA

162
#define	AQ_MAXBUFSZ	1048576

163


164
/*

165
 * Default minimum percentage free space on file system.

166
 */

167
#define	AU_FS_MINFREE	20

168


169
/*

170
 * Type definitions used indicating the length of variable length addresses

171
 * in tokens containing addresses, such as header fields.

172
 */

173
#define	AU_IPv4		4

174
#define	AU_IPv6		16

175


176
__BEGIN_DECLS

177


178
typedef	uid_t		au_id_t;

179
typedef	pid_t		au_asid_t;

180
typedef	u_int16_t	au_event_t;

181
typedef	u_int16_t	au_emod_t;

182
typedef	u_int32_t	au_class_t;

183
typedef	u_int64_t	au_asflgs_t __attribute__ ((aligned (8)));

184


185
struct au_tid {

186
	u_int32_t	port;		/* XXX dev_t compatibility */

187
	u_int32_t	machine;

188
};

189
typedef	struct au_tid	au_tid_t;

190


191
struct au_tid_addr {

192
	u_int32_t	at_port;	/* XXX dev_t compatibility */

193
	u_int32_t	at_type;

194
	u_int32_t	at_addr[4];

195
};

196
typedef	struct au_tid_addr	au_tid_addr_t;

197


198
struct au_mask {

199
	unsigned int    am_success;     /* Success bits. */

200
	unsigned int    am_failure;     /* Failure bits. */

201
};

202
typedef	struct au_mask	au_mask_t;

203


204
struct auditinfo {

205
	au_id_t		ai_auid;	/* Audit user ID. */

206
	au_mask_t	ai_mask;	/* Audit masks. */

207
	au_tid_t	ai_termid;	/* Terminal ID. */

208
	au_asid_t	ai_asid;	/* Audit session ID. */

209
};

210
typedef	struct auditinfo	auditinfo_t;

211


212
struct auditinfo_addr {

213
	au_id_t		ai_auid;	/* Audit user ID. */

214
	au_mask_t	ai_mask;	/* Audit masks. */

215
	au_tid_addr_t	ai_termid;	/* Terminal ID. */

216
	au_asid_t	ai_asid;	/* Audit session ID. */

217
	au_asflgs_t	ai_flags;	/* Audit session flags. */

218
};

219
typedef	struct auditinfo_addr	auditinfo_addr_t;

220


221
struct auditpinfo {

222
	pid_t		ap_pid;		/* ID of target process. */

223
	au_id_t		ap_auid;	/* Audit user ID. */

224
	au_mask_t	ap_mask;	/* Audit masks. */

225
	au_tid_t	ap_termid;	/* Terminal ID. */

226
	au_asid_t	ap_asid;	/* Audit session ID. */

227
};

228
typedef	struct auditpinfo	auditpinfo_t;

229


230
struct auditpinfo_addr {

231
	pid_t		ap_pid;		/* ID of target process. */

232
	au_id_t		ap_auid;	/* Audit user ID. */

233
	au_mask_t	ap_mask;	/* Audit masks. */

234
	au_tid_addr_t	ap_termid;	/* Terminal ID. */

235
	au_asid_t	ap_asid;	/* Audit session ID. */

236
	au_asflgs_t	ap_flags;	/* Audit session flags. */

237
};

238
typedef	struct auditpinfo_addr	auditpinfo_addr_t;

239


240
struct au_session {

241
	auditinfo_addr_t	*as_aia_p;	/* Ptr to full audit info. */

242
	au_mask_t		 as_mask;	/* Process Audit Masks. */

243
};

244
typedef struct au_session       au_session_t;

245


246
/*

247
 * Contents of token_t are opaque outside of libbsm.

248
 */

249
typedef	struct au_token	token_t;

250


251
/*

252
 * Kernel audit queue control parameters:

253
 * 			Default:		Maximum:

254
 * 	aq_hiwater:	AQ_HIWATER (100)	AQ_MAXHIGH (10000) 

255
 * 	aq_lowater:	AQ_LOWATER (10)		<aq_hiwater

256
 * 	aq_bufsz:	AQ_BUFSZ (32767)	AQ_MAXBUFSZ (1048576)

257
 * 	aq_delay:	20			20000 (not used) 

258
 */

259
struct au_qctrl {

260
	int	aq_hiwater;	/* Max # of audit recs in queue when */

261
				/* threads with new ARs get blocked. */ 

262


263
	int	aq_lowater;	/* # of audit recs in queue when */

264
				/* blocked threads get unblocked. */

265


266
	int	aq_bufsz;	/* Max size of audit record for audit(2). */

267
	int	aq_delay;	/* Queue delay (not used). */

268
	int	aq_minfree;	/* Minimum filesystem percent free space. */

269
};

270
typedef	struct au_qctrl	au_qctrl_t;

271


272
/*

273
 * Structure for the audit statistics.

274
 */

275
struct audit_stat {

276
	unsigned int	as_version;

277
	unsigned int	as_numevent;

278
	int		as_generated;

279
	int		as_nonattrib;

280
	int		as_kernel;

281
	int		as_audit;

282
	int		as_auditctl;

283
	int		as_enqueue;

284
	int		as_written;

285
	int		as_wblocked;

286
	int		as_rblocked;

287
	int		as_dropped;

288
	int		as_totalsize;

289
	unsigned int	as_memused;

290
};

291
typedef	struct audit_stat	au_stat_t;

292


293
/*

294
 * Structure for the audit file statistics.

295
 */

296
struct audit_fstat {

297
	u_int64_t	af_filesz;

298
	u_int64_t	af_currsz;

299
};

300
typedef	struct audit_fstat	au_fstat_t;

301


302
/*

303
 * Audit to event class mapping.

304
 */

305
struct au_evclass_map {

306
	au_event_t	ec_number;

307
	au_class_t	ec_class;

308
};

309
typedef	struct au_evclass_map	au_evclass_map_t;

310


311
/*

312
 * Event-to-name mapping.

313
 */

314
#define	EVNAMEMAP_NAME_SIZE	64

315
struct au_evname_map {

316
	au_event_t	en_number;

317
	char		en_name[EVNAMEMAP_NAME_SIZE];

318
};

319
typedef struct au_evname_map	au_evname_map_t;

320


321
/*

322
 * Audit system calls.

323
 */

324
#if !defined(_KERNEL) && !defined(KERNEL)

325
int	audit(const void *, int);

326
int	auditon(int, void *, int);

327
int	auditctl(const char *);

328
int	getauid(au_id_t *);

329
int	setauid(const au_id_t *);

330
int	getaudit(struct auditinfo *);

331
int	setaudit(const struct auditinfo *);

332
int	getaudit_addr(struct auditinfo_addr *, int);

333
int	setaudit_addr(const struct auditinfo_addr *, int);

334


335
#ifdef __APPLE_API_PRIVATE

336
#include <mach/port.h>

337
mach_port_name_t audit_session_self(void);

338
au_asid_t	 audit_session_join(mach_port_name_t port);

339
#endif /* __APPLE_API_PRIVATE */

340


341
#endif /* defined(_KERNEL) || defined(KERNEL) */

342


343
__END_DECLS

344


345
#endif /* !_BSM_AUDIT_H */

346


347