


FreeBSD/Linux Kernel Cross Reference
sys/bsm/audit.h


    1 /*-
    2  * Copyright (c) 2005-2009 Apple Inc.
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  *
    9  * 1.  Redistributions of source code must retain the above copyright
   10  *     notice, this list of conditions and the following disclaimer.
   11  * 2.  Redistributions in binary form must reproduce the above copyright
   12  *     notice, this list of conditions and the following disclaimer in the
   13  *     documentation and/or other materials provided with the distribution.
   14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
   15  *     its contributors may be used to endorse or promote products derived
   16  *     from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
   19  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
   20  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   21  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
   22  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   23  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   25  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   28  *
   29  * $FreeBSD$
   30  */
   31 
   32 #ifndef _BSM_AUDIT_H
   33 #define _BSM_AUDIT_H
   34 
   35 #include <sys/param.h>
   36 #include <sys/types.h>
   37 
   38 #define AUDIT_RECORD_MAGIC      0x828a0f1b
   39 #define MAX_AUDIT_RECORDS       20
   40 #define MAXAUDITDATA            (0x8000 - 1)    /* 32767; AQ_BUFSZ reuses this value. */
   41 #define MAX_AUDIT_RECORD_SIZE   MAXAUDITDATA    /* Same value as MAXAUDITDATA. */
   42 #define MIN_AUDIT_FILE_SIZE     (512 * 1024)    /* 524288. */
      /*
       * NOTE(review): MAX_AUDIT_RECORD_SIZE is presumably the upper bound a
       * parser or the kernel should enforce on the length of a single record
       * before copying it -- confirm where records are accepted.
       */
   43 
   44 /*
   45  * Minimum number of free blocks on the filesystem containing the audit
   46  * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0
   47  * as the kernel does an unsigned compare, plus we want to leave a few blocks
   48  * free so userspace can terminate the log, etc.
   49  */
   50 #define AUDIT_HARD_LIMIT_FREE_BLOCKS    4
   51 
   52 /*
   53  * Triggers for the audit daemon.
       *
       * AUDIT_TRIGGER_MIN and AUDIT_TRIGGER_MAX carry the lowest and highest
       * trigger values defined here (1 and 8), so they must be kept in step
       * when a trigger is added.
       * NOTE(review): presumably meant for range-checking a trigger value
       * before it is acted on -- confirm that each consumer rejects values
       * outside [AUDIT_TRIGGER_MIN, AUDIT_TRIGGER_MAX].
   54  */
   55 #define AUDIT_TRIGGER_MIN               1
   56 #define AUDIT_TRIGGER_LOW_SPACE         1       /* Below low watermark. */
   57 #define AUDIT_TRIGGER_ROTATE_KERNEL     2       /* Kernel requests rotate. */
   58 #define AUDIT_TRIGGER_READ_FILE         3       /* Re-read config file. */
   59 #define AUDIT_TRIGGER_CLOSE_AND_DIE     4       /* Terminate audit. */
   60 #define AUDIT_TRIGGER_NO_SPACE          5       /* Below min free space. */
   61 #define AUDIT_TRIGGER_ROTATE_USER       6       /* User requests rotate. */
   62 #define AUDIT_TRIGGER_INITIALIZE        7       /* User initialize of auditd. */
   63 #define AUDIT_TRIGGER_EXPIRE_TRAILS     8       /* User expiration of trails. */
   64 #define AUDIT_TRIGGER_MAX               8
   65 
   66 /*
   67  * The special device filename (FreeBSD).
       *
       * AUDIT_TRIGGER_FILE is built by string-literal concatenation and
       * expands to ("/dev/audit").
       * NOTE(review): the triggers above are presumably delivered through
       * this device node, so its ownership and mode decide who can observe
       * them -- confirm the permissions it is created with.
   68  */
   69 #define AUDITDEV_FILENAME       "audit"
   70 #define AUDIT_TRIGGER_FILE      ("/dev/" AUDITDEV_FILENAME)
   71 
   72 /*
   73  * Pre-defined audit IDs
       *
       * NOTE(review): AU_DEFAUDITID expands to a cast expression and
       * AU_ASSIGN_ASID to a bare -1; neither is wrapped in outer parentheses,
       * so keep them out of contexts where precedence matters (for example
       * directly after sizeof or next to another unary operator), or wrap the
       * use in parentheses at the call site.
   74  */
   75 #define AU_DEFAUDITID   (uid_t)(-1)
   76 #define AU_DEFAUDITSID   0
   77 #define AU_ASSIGN_ASID  -1
   78 
   79 /*
   80  * IPC types.
   81  */
   82 #define AT_IPC_MSG      ((u_char)1)     /* Message IPC id. */
   83 #define AT_IPC_SEM      ((u_char)2)     /* Semaphore IPC id. */
   84 #define AT_IPC_SHM      ((u_char)3)     /* Shared mem IPC id. */
   85 
   86 /*
   87  * Audit conditions.
       *
       * AUC_DISABLED is the only negative value and expands to an
       * unparenthesized -1; compare against it with == rather than testing
       * the condition for zero/non-zero, since AUC_UNSET is 0 and both
       * AUC_AUDITING and AUC_NOAUDIT are non-zero.
       * NOTE(review): the exact meaning of each condition is not stated in
       * this header -- see auditon(2).
   88  */
   89 #define AUC_UNSET               0
   90 #define AUC_AUDITING            1
   91 #define AUC_NOAUDIT             2
   92 #define AUC_DISABLED            -1
   93 
   94 /*
   95  * auditon(2) commands.
       *
       * The numbering is not contiguous (10, 11 and 16-19 are not defined
       * here).  The policy, queue-control and condition commands exist twice:
       * once with an OLD infix (2, 3, 6, 7, 20, 21) and once without (33-38).
       * NOTE(review): the OLD forms are presumably retained for binary
       * compatibility with an earlier argument layout -- confirm in
       * auditon(2) before using them in new code.
       * NOTE(review): the SET commands and A_SENDTRIGGER alter audit state;
       * they are presumably restricted to privileged callers -- confirm the
       * kernel-side privilege check when reviewing a consumer.
   96  */
   97 #define A_OLDGETPOLICY  2
   98 #define A_OLDSETPOLICY  3
   99 #define A_GETKMASK      4
  100 #define A_SETKMASK      5
  101 #define A_OLDGETQCTRL   6
  102 #define A_OLDSETQCTRL   7
  103 #define A_GETCWD        8
  104 #define A_GETCAR        9
  105 #define A_GETSTAT       12
  106 #define A_SETSTAT       13
  107 #define A_SETUMASK      14
  108 #define A_SETSMASK      15
  109 #define A_OLDGETCOND    20
  110 #define A_OLDSETCOND    21
  111 #define A_GETCLASS      22
  112 #define A_SETCLASS      23
  113 #define A_GETPINFO      24
  114 #define A_SETPMASK      25
  115 #define A_SETFSIZE      26
  116 #define A_GETFSIZE      27
  117 #define A_GETPINFO_ADDR 28
  118 #define A_GETKAUDIT     29
  119 #define A_SETKAUDIT     30
  120 #define A_SENDTRIGGER   31
  121 #define A_GETSINFO_ADDR 32
  122 #define A_GETPOLICY     33
  123 #define A_SETPOLICY     34
  124 #define A_GETQCTRL      35
  125 #define A_SETQCTRL      36
  126 #define A_GETCOND       37
  127 #define A_SETCOND       38
  128 
  129 /*
  130  * Audit policy controls.
       *
       * Each flag is a distinct bit, so a policy is the bitwise OR of the
       * flags that are enabled.
       *
       * Summary of the four flags described in auditon(2) (not established by
       * this header -- confirm against the man page for the release in use):
       *   AUDIT_CNT   keep running and stop logging while audit space is low;
       *               when clear, audited events block until space returns.
       *   AUDIT_AHLT  panic if an event cannot be written to the audit log.
       *   AUDIT_ARGV  record the execve(2) argument list.
       *   AUDIT_ARGE  record the execve(2) environment.
       *
       * Review points that follow from that description: with AUDIT_CNT set,
       * a low-space condition leaves a gap in the trail rather than stalling
       * the system, so gaps should be monitored for; with AUDIT_ARGV or
       * AUDIT_ARGE set, secrets passed on a command line or in the
       * environment end up in the trail, so trail files need correspondingly
       * tight access control.
       * NOTE(review): the remaining flags are not described here; confirm
       * which of them this kernel actually honours.
  131  */
  132 #define AUDIT_CNT       0x0001
  133 #define AUDIT_AHLT      0x0002
  134 #define AUDIT_ARGV      0x0004
  135 #define AUDIT_ARGE      0x0008
  136 #define AUDIT_SEQ       0x0010
  137 #define AUDIT_WINDATA   0x0020
  138 #define AUDIT_USER      0x0040
  139 #define AUDIT_GROUP     0x0080
  140 #define AUDIT_TRAIL     0x0100
  141 #define AUDIT_PATH      0x0200
  142 #define AUDIT_SCNT      0x0400
  143 #define AUDIT_PUBLIC    0x0800
  144 #define AUDIT_ZONENAME  0x1000
  145 #define AUDIT_PERZONE   0x2000
  146 
  147 /*
  148  * Default audit queue control parameters.
       *
       * These are the defaults and maxima tabulated in the comment above
       * struct au_qctrl: AQ_HIWATER/AQ_MAXHIGH for aq_hiwater, AQ_LOWATER for
       * aq_lowater, and AQ_BUFSZ/AQ_MAXBUFSZ for aq_bufsz.  AQ_BUFSZ is
       * MAXAUDITDATA, i.e. 32767.
  149  */
  150 #define AQ_HIWATER      100
  151 #define AQ_MAXHIGH      10000
  152 #define AQ_LOWATER      10
  153 #define AQ_BUFSZ        MAXAUDITDATA
  154 #define AQ_MAXBUFSZ     1048576
  155 
  156 /*
  157  * Default minimum percentage free space on file system.
  158  */
  159 #define AU_FS_MINFREE   20
  160 
  161 /*
  162  * Type definitions used indicating the length of variable length addresses
  163  * in tokens containing addresses, such as header fields.
  164  */
  165 #define AU_IPv4         4
  166 #define AU_IPv6         16
  167 
  168 __BEGIN_DECLS
  169 
  170 typedef uid_t           au_id_t;        /* Audit user ID; same type as uid_t. */
  171 typedef pid_t           au_asid_t;      /* Audit session ID; same type as pid_t. */
  172 typedef u_int16_t       au_event_t;
  173 typedef u_int16_t       au_emod_t;
  174 typedef u_int32_t       au_class_t;
      /*
       * 64-bit session flags with 8-byte alignment forced explicitly.
       * NOTE(review): presumably so that structures embedding it have the
       * same layout for 32-bit and 64-bit callers -- confirm.
       */
  175 typedef u_int64_t       au_asflgs_t __attribute__ ((aligned (8)));
  176 
  177 struct au_tid {                         /* Terminal ID as embedded in struct auditinfo. */
  178         dev_t           port;           /* NOTE(review): presumably the terminal port/device -- confirm. */
  179         u_int32_t       machine;        /* 32 bits; NOTE(review): presumably an IPv4 address -- confirm. */
  180 };
  181 typedef struct au_tid   au_tid_t;
  182 
  183 struct au_tid_addr {                    /* Terminal ID as embedded in struct auditinfo_addr. */
  184         dev_t           at_port;
  185         u_int32_t       at_type;        /* NOTE(review): presumably AU_IPv4 or AU_IPv6 -- confirm. */
  186         u_int32_t       at_addr[4];     /* 4 x 32 bits = 16 bytes, the AU_IPv6 length. */
  187 };
      /*
       * NOTE(review): if a consumer uses at_type as a byte count when copying
       * at_addr, it should reject anything other than AU_IPv4 (4) or
       * AU_IPv6 (16) first, since at_addr holds exactly 16 bytes.
       */
  188 typedef struct au_tid_addr      au_tid_addr_t;
  189 
  190 struct au_mask {
  191         unsigned int    am_success;     /* Success bits. */
  192         unsigned int    am_failure;     /* Failure bits. */
  193 };
  194 typedef struct au_mask  au_mask_t;
  195 
  196 struct auditinfo {
  197         au_id_t         ai_auid;        /* Audit user ID. */
  198         au_mask_t       ai_mask;        /* Audit masks. */
  199         au_tid_t        ai_termid;      /* Terminal ID. */
  200         au_asid_t       ai_asid;        /* Audit session ID. */
  201 };
  202 typedef struct auditinfo        auditinfo_t;
  203 
  204 struct auditinfo_addr {                 /* struct auditinfo with an au_tid_addr_t terminal ID plus ai_flags. */
  205         au_id_t         ai_auid;        /* Audit user ID. */
  206         au_mask_t       ai_mask;        /* Audit masks. */
  207         au_tid_addr_t   ai_termid;      /* Terminal ID. */
  208         au_asid_t       ai_asid;        /* Audit session ID. */
  209         au_asflgs_t     ai_flags;       /* Audit session flags. */
  210 };
  211 typedef struct auditinfo_addr   auditinfo_addr_t;
  212 
  213 struct auditpinfo {
  214         pid_t           ap_pid;         /* ID of target process. */
  215         au_id_t         ap_auid;        /* Audit user ID. */
  216         au_mask_t       ap_mask;        /* Audit masks. */
  217         au_tid_t        ap_termid;      /* Terminal ID. */
  218         au_asid_t       ap_asid;        /* Audit session ID. */
  219 };
  220 typedef struct auditpinfo       auditpinfo_t;
  221 
  222 struct auditpinfo_addr {                /* struct auditpinfo with an au_tid_addr_t terminal ID plus ap_flags. */
  223         pid_t           ap_pid;         /* ID of target process. */
  224         au_id_t         ap_auid;        /* Audit user ID. */
  225         au_mask_t       ap_mask;        /* Audit masks. */
  226         au_tid_addr_t   ap_termid;      /* Terminal ID. */
  227         au_asid_t       ap_asid;        /* Audit session ID. */
  228         au_asflgs_t     ap_flags;       /* Audit session flags. */
  229 };
  230 typedef struct auditpinfo_addr  auditpinfo_addr_t;
  231 
  232 struct au_session {
  233         auditinfo_addr_t        *as_aia_p;      /* Ptr to full audit info. */
  234         au_mask_t                as_mask;       /* Process Audit Masks. */
  235 };
  236 typedef struct au_session       au_session_t;
  237 
  238 /*
  239  * Contents of token_t are opaque outside of libbsm.
  240  */
  241 typedef struct au_token token_t;
  242 
  243 /*
  244  * Kernel audit queue control parameters:
  245  *                      Default:                Maximum:
  246  *      aq_hiwater:     AQ_HIWATER (100)        AQ_MAXHIGH (10000) 
  247  *      aq_lowater:     AQ_LOWATER (10)         <aq_hiwater
  248  *      aq_bufsz:       AQ_BUFSZ (32767)        AQ_MAXBUFSZ (1048576)
  249  *      aq_delay:       20                      20000 (not used) 
  250  */
  251 struct au_qctrl {
  252         int     aq_hiwater;     /* Max # of audit recs in queue when */
  253                                 /* threads with new ARs get blocked. */ 
  254 
  255         int     aq_lowater;     /* # of audit recs in queue when */
  256                                 /* blocked threads get unblocked. */
  257 
  258         int     aq_bufsz;       /* Max size of audit record for audit(2). */
  259         int     aq_delay;       /* Queue delay (not used). */
  260         int     aq_minfree;     /* Minimum filesystem percent free space. */
  261 };
  262 typedef struct au_qctrl au_qctrl_t;
  263 
  264 /*
  265  * Structure for the audit statistics.
       *
       * NOTE(review): the individual fields are not documented in this
       * header; the names suggest per-stage record counters (generated,
       * enqueued, written, dropped, ...) -- confirm against the kernel code
       * that fills the structure in.  All but as_version, as_numevent and
       * as_memused are signed int, so a consumer that alerts on as_dropped or
       * similar should allow for the value wrapping on a long-running system.
  266  */
  267 struct audit_stat {
  268         unsigned int    as_version;
  269         unsigned int    as_numevent;
  270         int             as_generated;
  271         int             as_nonattrib;
  272         int             as_kernel;
  273         int             as_audit;
  274         int             as_auditctl;
  275         int             as_enqueue;
  276         int             as_written;
  277         int             as_wblocked;
  278         int             as_rblocked;
  279         int             as_dropped;
  280         int             as_totalsize;
  281         unsigned int    as_memused;
  282 };
  283 typedef struct audit_stat       au_stat_t;
  284 
  285 /*
  286  * Structure for the audit file statistics.
  287  */
  288 struct audit_fstat {
  289         u_int64_t       af_filesz;
  290         u_int64_t       af_currsz;
  291 };
  292 typedef struct audit_fstat      au_fstat_t;
  293 
  294 /*
  295  * Audit to event class mapping.
  296  */
  297 struct au_evclass_map {
  298         au_event_t      ec_number;
  299         au_class_t      ec_class;
  300 };
  301 typedef struct au_evclass_map   au_evclass_map_t;
  302 
  303 /*
  304  * Audit system calls.
       *
       * The prototypes are visible to userland only: the whole block is
       * compiled out when either _KERNEL or KERNEL is defined.  The two
       * audit_session_*() declarations, and the <mach/port.h> include they
       * need, are further limited to builds that define __APPLE_API_PRIVATE.
       * NOTE(review): the trailing int of audit(), auditon() and the *_addr()
       * calls is presumably the size of the buffer passed alongside it --
       * confirm in the man pages and pass the real object size.
  305  */
  306 #if !defined(_KERNEL) && !defined(KERNEL)
  307 int     audit(const void *, int);
  308 int     auditon(int, void *, int);
  309 int     auditctl(const char *);
  310 int     getauid(au_id_t *);
  311 int     setauid(const au_id_t *);
  312 int     getaudit(struct auditinfo *);
  313 int     setaudit(const struct auditinfo *);
  314 int     getaudit_addr(struct auditinfo_addr *, int);
  315 int     setaudit_addr(const struct auditinfo_addr *, int);
  316 
  317 #ifdef __APPLE_API_PRIVATE
  318 #include <mach/port.h>
  319 mach_port_name_t audit_session_self(void);
  320 au_asid_t        audit_session_join(mach_port_name_t port);
  321 #endif /* __APPLE_API_PRIVATE */
  322 
  323 #endif /* !defined(_KERNEL) && !defined(KERNEL) */
  324 
  325 __END_DECLS
  326 
  327 #endif /* !_BSM_AUDIT_H */
