
FreeBSD/Linux Kernel Cross Reference
sys/bsm/audit.h


    1 /*-
    2  * Copyright (c) 2005-2009 Apple Inc.
    3  * All rights reserved.
    4  *
    5  * Redistribution and use in source and binary forms, with or without
    6  * modification, are permitted provided that the following conditions
    7  * are met:
    8  *
    9  * 1.  Redistributions of source code must retain the above copyright
   10  *     notice, this list of conditions and the following disclaimer.
   11  * 2.  Redistributions in binary form must reproduce the above copyright
   12  *     notice, this list of conditions and the following disclaimer in the
   13  *     documentation and/or other materials provided with the distribution.
   14  * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
   15  *     its contributors may be used to endorse or promote products derived
   16  *     from this software without specific prior written permission.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
   19  * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
   20  * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   21  * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
   22  * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
   23  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   25  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
   26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
   27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
   28  *
   29  * P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#10
   30  * $FreeBSD: releng/9.2/sys/bsm/audit.h 195740 2009-07-17 14:02:20Z rwatson $
   31  */
   32 
   33 #ifndef _BSM_AUDIT_H
   34 #define _BSM_AUDIT_H
   35 
   36 #include <sys/param.h>
   37 #include <sys/types.h>
   38 
   39 #define AUDIT_RECORD_MAGIC      0x828a0f1b      /* Magic value; its consumer is not visible in this header. */
   40 #define MAX_AUDIT_RECORDS       20
   41 #define MAXAUDITDATA            (0x8000 - 1)    /* 32767; also the value of AQ_BUFSZ below. */
   42 #define MAX_AUDIT_RECORD_SIZE   MAXAUDITDATA    /* Alias of MAXAUDITDATA. */
   43 #define MIN_AUDIT_FILE_SIZE     (512 * 1024)    /* 512 KiB; presumably the smallest accepted trail size limit - confirm. */
   44 
   45 /*
   46  * Minimum number of free blocks on the filesystem containing the audit
   47  * log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0
   48  * as the kernel does an unsigned compare, plus we want to leave a few blocks
   49  * free so userspace can terminate the log, etc.
       *
       * NOTE(review): the comparison itself is not in this header; with an
       * unsigned "free < limit" test a limit of 0 could presumably never be
       * undershot, so the hard rotation would never fire - confirm at the
       * call site before changing this value.
   50  */
   51 #define AUDIT_HARD_LIMIT_FREE_BLOCKS    4
   52 
   53 /*
   54  * Triggers for the audit daemon.
       *
       * AUDIT_TRIGGER_MIN and AUDIT_TRIGGER_MAX equal the lowest and highest
       * trigger values defined below.  Keep them in step with the list when a
       * trigger is added, so that any range check built on them (not shown in
       * this header) keeps rejecting undefined values.
   55  */
   56 #define AUDIT_TRIGGER_MIN               1
   57 #define AUDIT_TRIGGER_LOW_SPACE         1       /* Below low watermark. */
   58 #define AUDIT_TRIGGER_ROTATE_KERNEL     2       /* Kernel requests rotate. */
   59 #define AUDIT_TRIGGER_READ_FILE         3       /* Re-read config file. */
   60 #define AUDIT_TRIGGER_CLOSE_AND_DIE     4       /* Terminate audit. */
   61 #define AUDIT_TRIGGER_NO_SPACE          5       /* Below min free space. */
   62 #define AUDIT_TRIGGER_ROTATE_USER       6       /* User requests rotate. */
   63 #define AUDIT_TRIGGER_INITIALIZE        7       /* User initialize of auditd. */
   64 #define AUDIT_TRIGGER_EXPIRE_TRAILS     8       /* User expiration of trails. */
   65 #define AUDIT_TRIGGER_MAX               8
   66 
   67 /*
   68  * The special device filename (FreeBSD).
       *
       * AUDIT_TRIGGER_FILE expands to the string literal "/dev/audit" through
       * adjacent string-literal concatenation.
       * NOTE(review): ownership and mode of the device node are set elsewhere;
       * confirm that only the audit daemon's identity can open it.
   69  */
   70 #define AUDITDEV_FILENAME       "audit"
   71 #define AUDIT_TRIGGER_FILE      ("/dev/" AUDITDEV_FILENAME)
   72 
   73 /*
   74  * Pre-defined audit IDs
       *
       * AU_DEFAUDITID is (uid_t)-1 and so has the type behind au_id_t;
       * presumably it marks "no audit user ID set" - confirm.
       * AU_ASSIGN_ASID is -1, representable in au_asid_t (a pid_t); by its
       * name it requests that a session ID be assigned - confirm.
       * NOTE(review): AU_DEFAUDITID and AU_ASSIGN_ASID have no enclosing
       * parentheses, so wrap them when using them inside larger expressions.
   75  */
   76 #define AU_DEFAUDITID   (uid_t)(-1)
   77 #define AU_DEFAUDITSID   0
   78 #define AU_ASSIGN_ASID  -1
   79 
   80 /*
   81  * IPC types.
       *
       * Each value is cast to u_char, i.e. it is meant to occupy one byte.
   82  */
   83 #define AT_IPC_MSG      ((u_char)1)     /* Message IPC id. */
   84 #define AT_IPC_SEM      ((u_char)2)     /* Semaphore IPC id. */
   85 #define AT_IPC_SHM      ((u_char)3)     /* Shared mem IPC id. */
   86 
   87 /*
   88  * Audit conditions.
       *
       * Values exchanged with A_GETCOND/A_SETCOND.  The trailing descriptions
       * follow auditon(2); AUC_UNSET is not described there.
       * NOTE(review): a switch to AUC_NOAUDIT or AUC_DISABLED stops the audit
       * trail, so it is worth alerting on wherever auditon(2) is itself audited.
   89  */
   90 #define AUC_UNSET               0
   91 #define AUC_AUDITING            1       /* Auditing is active (resumed). */
   92 #define AUC_NOAUDIT             2       /* Auditing is temporarily suspended. */
   93 #define AUC_DISABLED            -1      /* Audit system shut down; unparenthesized negative value. */
   94 
   95 /*
   96  * auditon(2) commands.
       *
       * Selector values for the first argument of auditon().  The numbering
       * has gaps: 10, 11 and 16-19 are not assigned here.
       * Each A_OLD* command has an un-prefixed counterpart with a different
       * number (2/33, 3/34, 6/35, 7/36, 20/37, 21/38); presumably the old
       * numbers are kept for binary compatibility - confirm.
       * NOTE(review): the argument type and size expected for each command are
       * not defined in this header; see auditon(2).
   97  */
   98 #define A_OLDGETPOLICY  2
   99 #define A_OLDSETPOLICY  3
  100 #define A_GETKMASK      4
  101 #define A_SETKMASK      5
  102 #define A_OLDGETQCTRL   6
  103 #define A_OLDSETQCTRL   7
  104 #define A_GETCWD        8
  105 #define A_GETCAR        9
  106 #define A_GETSTAT       12
  107 #define A_SETSTAT       13
  108 #define A_SETUMASK      14
  109 #define A_SETSMASK      15
  110 #define A_OLDGETCOND    20
  111 #define A_OLDSETCOND    21
  112 #define A_GETCLASS      22
  113 #define A_SETCLASS      23
  114 #define A_GETPINFO      24
  115 #define A_SETPMASK      25
  116 #define A_SETFSIZE      26
  117 #define A_GETFSIZE      27
  118 #define A_GETPINFO_ADDR 28
  119 #define A_GETKAUDIT     29
  120 #define A_SETKAUDIT     30
  121 #define A_SENDTRIGGER   31
  122 #define A_GETSINFO_ADDR 32
  123 #define A_GETPOLICY     33
  124 #define A_SETPOLICY     34
  125 #define A_GETQCTRL      35
  126 #define A_SETQCTRL      36
  127 #define A_GETCOND       37
  128 #define A_SETCOND       38
  129 
  130 /*
  131  * Audit policy controls.
       *
       * Bit flags: every value below is a distinct single bit, so they combine
       * with bitwise OR.  auditon(2) describes the first four for
       * A_GETPOLICY/A_SETPOLICY; the remaining flags carry no description in
       * this header.
       * NOTE(review): AUDIT_CNT trades audit completeness for availability,
       * AUDIT_AHLT does the opposite; AUDIT_ARGV/AUDIT_ARGE can place secrets
       * passed on command lines or in the environment into the trail, so the
       * trail files need access control to match.
  132  */
  133 #define AUDIT_CNT       0x0001  /* Keep running when audit space is low; events go unlogged meanwhile. */
  134 #define AUDIT_AHLT      0x0002  /* Halt (panic) if an event cannot be written to the trail. */
  135 #define AUDIT_ARGV      0x0004  /* Audit the execve(2) argument list. */
  136 #define AUDIT_ARGE      0x0008  /* Audit the execve(2) environment variables. */
  137 #define AUDIT_SEQ       0x0010
  138 #define AUDIT_WINDATA   0x0020
  139 #define AUDIT_USER      0x0040
  140 #define AUDIT_GROUP     0x0080
  141 #define AUDIT_TRAIL     0x0100
  142 #define AUDIT_PATH      0x0200
  143 #define AUDIT_SCNT      0x0400
  144 #define AUDIT_PUBLIC    0x0800
  145 #define AUDIT_ZONENAME  0x1000
  146 #define AUDIT_PERZONE   0x2000
  147 
  148 /*
  149  * Default audit queue control parameters.
       *
       * These are the defaults and maxima listed in the table above
       * struct au_qctrl later in this file.
  150  */
  151 #define AQ_HIWATER      100             /* Default aq_hiwater. */
  152 #define AQ_MAXHIGH      10000           /* Maximum aq_hiwater. */
  153 #define AQ_LOWATER      10              /* Default aq_lowater. */
  154 #define AQ_BUFSZ        MAXAUDITDATA    /* Default aq_bufsz (32767). */
  155 #define AQ_MAXBUFSZ     1048576         /* Maximum aq_bufsz (1 MiB). */
  156 
  157 /*
  158  * Default minimum percentage free space on file system.
       *
       * Presumably the default for au_qctrl.aq_minfree, which is also a
       * percentage - confirm.
  159  */
  160 #define AU_FS_MINFREE   20
  161 
  162 /*
  163  * Constants giving the length of variable-length addresses in tokens
  164  * that contain addresses, such as header fields.
       *
       * The values are the byte lengths of an IPv4 (4) and an IPv6 (16)
       * address.  NOTE(review): code that reads such a length from a record
       * should accept only these two values before using it as a copy size.
  165  */
  166 #define AU_IPv4         4
  167 #define AU_IPv6         16
  168 
  169 __BEGIN_DECLS
  170 
  171 typedef uid_t           au_id_t;        /* Audit user ID. */
  172 typedef pid_t           au_asid_t;      /* Audit session ID. */
  173 typedef u_int16_t       au_event_t;     /* Audit event number (see struct au_evclass_map). */
  174 typedef u_int16_t       au_emod_t;
  175 typedef u_int32_t       au_class_t;     /* Audit event class (see struct au_evclass_map). */
  176 typedef u_int64_t       au_asflgs_t __attribute__ ((aligned (8)));     /* Audit session flags; forced to 8-byte alignment. */
  177 
  178 struct au_tid {         /* Terminal ID as used by struct auditinfo and struct auditpinfo. */
  179         dev_t           port;
  180         u_int32_t       machine;        /* 32 bits; presumably an IPv4 address - confirm. */
  181 };
  182 typedef struct au_tid   au_tid_t;
  183 
  184 struct au_tid_addr {    /* Terminal ID as used by the *_addr info structures. */
  185         dev_t           at_port;
  186         u_int32_t       at_type;        /* Presumably AU_IPv4 or AU_IPv6 - confirm; validate before trusting. */
  187         u_int32_t       at_addr[4];     /* 16 bytes of storage, enough for an AU_IPv6-sized address. */
  188 };
  189 typedef struct au_tid_addr      au_tid_addr_t;
  190 
  191 struct au_mask {        /* Pair of bit masks; presumably au_class_t class bits - confirm. */
  192         unsigned int    am_success;     /* Success bits. */
  193         unsigned int    am_failure;     /* Failure bits. */
  194 };
  195 typedef struct au_mask  au_mask_t;
  196 
  197 struct auditinfo {      /* Argument type of getaudit() and setaudit() declared below. */
  198         au_id_t         ai_auid;        /* Audit user ID. */
  199         au_mask_t       ai_mask;        /* Audit masks. */
  200         au_tid_t        ai_termid;      /* Terminal ID. */
  201         au_asid_t       ai_asid;        /* Audit session ID. */
  202 };
  203 typedef struct auditinfo        auditinfo_t;
  204 
  205 struct auditinfo_addr { /* Argument type of getaudit_addr() and setaudit_addr() declared below. */
  206         au_id_t         ai_auid;        /* Audit user ID. */
  207         au_mask_t       ai_mask;        /* Audit masks. */
  208         au_tid_addr_t   ai_termid;      /* Terminal ID. */
  209         au_asid_t       ai_asid;        /* Audit session ID. */
  210         au_asflgs_t     ai_flags;       /* Audit session flags. */
  211 };
  212 typedef struct auditinfo_addr   auditinfo_addr_t;
  213 
  214 struct auditpinfo {     /* Audit state of one process, selected by ap_pid; cf. A_GETPINFO. */
  215         pid_t           ap_pid;         /* ID of target process. */
  216         au_id_t         ap_auid;        /* Audit user ID. */
  217         au_mask_t       ap_mask;        /* Audit masks. */
  218         au_tid_t        ap_termid;      /* Terminal ID. */
  219         au_asid_t       ap_asid;        /* Audit session ID. */
  220 };
  221 typedef struct auditpinfo       auditpinfo_t;
  222 
  223 struct auditpinfo_addr {        /* As struct auditpinfo, with the extended terminal ID and session flags; cf. A_GETPINFO_ADDR. */
  224         pid_t           ap_pid;         /* ID of target process. */
  225         au_id_t         ap_auid;        /* Audit user ID. */
  226         au_mask_t       ap_mask;        /* Audit masks. */
  227         au_tid_addr_t   ap_termid;      /* Terminal ID. */
  228         au_asid_t       ap_asid;        /* Audit session ID. */
  229         au_asflgs_t     ap_flags;       /* Audit session flags. */
  230 };
  231 typedef struct auditpinfo_addr  auditpinfo_addr_t;
  232 
  233 struct au_session {     /* NOTE(review): holds a raw pointer; who owns as_aia_p is not stated here. */
  234         auditinfo_addr_t        *as_aia_p;      /* Ptr to full audit info. */
  235         au_mask_t                as_mask;       /* Process Audit Masks. */
  236 };
  237 typedef struct au_session       au_session_t;
  238 
  239 /*
  240  * Contents of token_t are opaque outside of libbsm.
       * struct au_token is only forward-declared here, so code including this
       * header can hold token_t pointers but cannot access the members.
  241  */
  242 typedef struct au_token token_t;
  243 
  244 /*
  245  * Kernel audit queue control parameters:
  246  *                      Default:                Maximum:
  247  *      aq_hiwater:     AQ_HIWATER (100)        AQ_MAXHIGH (10000)
  248  *      aq_lowater:     AQ_LOWATER (10)         <aq_hiwater
  249  *      aq_bufsz:       AQ_BUFSZ (32767)        AQ_MAXBUFSZ (1048576)
  250  *      aq_delay:       20                      20000 (not used)
       *
       * NOTE(review): every field is a signed int, so a caller can supply
       * negative values.  The bounds in the table are not enforced by this
       * header; confirm that the code handling A_SETQCTRL rejects negative
       * and out-of-range values and an aq_lowater that is not below
       * aq_hiwater.
  251  */
  252 struct au_qctrl {
  253         int     aq_hiwater;     /* Max # of audit recs in queue when */
  254                                 /* threads with new ARs get blocked. */
  255 
  256         int     aq_lowater;     /* # of audit recs in queue when */
  257                                 /* blocked threads get unblocked. */
  258 
  259         int     aq_bufsz;       /* Max size of audit record for audit(2). */
  260         int     aq_delay;       /* Queue delay (not used). */
  261         int     aq_minfree;     /* Minimum filesystem percent free space. */
  262 };
  263 typedef struct au_qctrl au_qctrl_t;
  264 
  265 /*
  266  * Structure for the audit statistics.
       *
       * The individual counters are not documented in this header; cf. the
       * A_GETSTAT and A_SETSTAT commands.
       * NOTE(review): most counters are signed int, so a consumer should not
       * assume they are non-negative or that they never wrap.  By its name
       * as_dropped counts discarded records, which makes it the field to watch
       * for audit loss - confirm against the kernel code that updates it.
  267  */
  268 struct audit_stat {
  269         unsigned int    as_version;
  270         unsigned int    as_numevent;
  271         int             as_generated;
  272         int             as_nonattrib;
  273         int             as_kernel;
  274         int             as_audit;
  275         int             as_auditctl;
  276         int             as_enqueue;
  277         int             as_written;
  278         int             as_wblocked;
  279         int             as_rblocked;
  280         int             as_dropped;
  281         int             as_totalsize;
  282         unsigned int    as_memused;
  283 };
  284 typedef struct audit_stat       au_stat_t;
  285 
  286 /*
  287  * Structure for the audit file statistics.
       *
       * Both fields are 64-bit sizes; cf. the A_GETFSIZE and A_SETFSIZE
       * commands.  Presumably af_filesz is the configured size limit and
       * af_currsz the current size of the trail file - confirm.
  288  */
  289 struct audit_fstat {
  290         u_int64_t       af_filesz;
  291         u_int64_t       af_currsz;
  292 };
  293 typedef struct audit_fstat      au_fstat_t;
  294 
  295 /*
  296  * Audit event to event class mapping.
       *
       * One entry pairs an event number with a class value; cf. the A_GETCLASS
       * and A_SETCLASS commands.
       * NOTE(review): changing an event's class changes which mask bits select
       * it, so A_SETCLASS calls are worth reviewing in the audit trail.
  297  */
  298 struct au_evclass_map {
  299         au_event_t      ec_number;      /* Event number. */
  300         au_class_t      ec_class;       /* Class value assigned to that event. */
  301 };
  302 typedef struct au_evclass_map   au_evclass_map_t;
  303 
  304 /*
  305  * Audit system calls.
       *
       * Userland prototypes only: the block is compiled out when _KERNEL or
       * KERNEL is defined.  Parameter names are omitted; the short summaries
       * below follow the corresponding section 2 manual pages, which also
       * list EPERM for callers lacking privilege.
       * NOTE(review): the length arguments are plain int; callers should pass
       * the sizeof of the structure they actually supply.
  306  */
  307 #if !defined(_KERNEL) && !defined(KERNEL)
  308 int     audit(const void *, int);                       /* Submit a record: (record, length). */
  309 int     auditon(int, void *, int);                      /* Get or set audit state: (cmd, data, length). */
  310 int     auditctl(const char *);                         /* Set the audit trail file by path. */
  311 int     getauid(au_id_t *);                             /* Read the audit user ID. */
  312 int     setauid(const au_id_t *);                       /* Set the audit user ID. */
  313 int     getaudit(struct auditinfo *);                   /* Read the audit state. */
  314 int     setaudit(const struct auditinfo *);             /* Set the audit state. */
  315 int     getaudit_addr(struct auditinfo_addr *, int);    /* As getaudit(), extended structure plus its length. */
  316 int     setaudit_addr(const struct auditinfo_addr *, int);      /* As setaudit(), extended structure plus its length. */
  317 
  318 #ifdef __APPLE_API_PRIVATE
  319 #include <mach/port.h>
  320 mach_port_name_t audit_session_self(void);
  321 au_asid_t        audit_session_join(mach_port_name_t port);
  322 #endif /* __APPLE_API_PRIVATE */
  323 
  324 #endif /* !defined(_KERNEL) && !defined(KERNEL) */
  325 
  326 __END_DECLS
  327 
  328 #endif /* !_BSM_AUDIT_H */
