Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
/*-
|
|
|
|
|
* Copyright (c) 2005 Apple Inc.
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
* All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
|
* are met:
|
|
|
|
|
*
|
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
* its contributors may be used to endorse or promote products derived
|
|
|
|
|
* from this software without specific prior written permission.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
|
|
|
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
|
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
|
|
|
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
|
|
|
|
|
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
|
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
|
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
* $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#1 $
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef _BSM_AUDIT_H
|
|
|
|
|
#define _BSM_AUDIT_H
|
|
|
|
|
|
|
|
|
|
#define AUDIT_RECORD_MAGIC 0x828a0f1b
|
|
|
|
|
#define MAX_AUDIT_RECORDS 20
|
2006-08-26 08:04:15 +00:00
|
|
|
#define MAXAUDITDATA (0x8000 - 1)
|
|
|
|
|
#define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
#define MIN_AUDIT_FILE_SIZE (512 * 1024)
|
|
|
|
|
|
|
|
|
|
/*
|
2006-08-26 08:04:15 +00:00
|
|
|
* Triggers for the audit daemon.
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
*/
|
|
|
|
|
#define AUDIT_TRIGGER_MIN 1
|
2006-09-21 07:07:33 +00:00
|
|
|
#define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */
|
|
|
|
|
#define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */
|
|
|
|
|
#define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */
|
|
|
|
|
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
|
|
|
|
|
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
|
|
|
|
|
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests roate. */
|
|
|
|
|
#define AUDIT_TRIGGER_MAX 6
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
|
|
|
|
|
/*
|
2006-09-21 07:07:33 +00:00
|
|
|
* The special device filename (FreeBSD).
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
*/
|
2006-09-21 07:07:33 +00:00
|
|
|
#define AUDITDEV_FILENAME "audit"
|
|
|
|
|
#define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME)
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Pre-defined audit IDs
|
|
|
|
|
*/
|
|
|
|
|
#define AU_DEFAUDITID -1
|
|
|
|
|
|
|
|
|
|
/*
|
2006-08-26 08:04:15 +00:00
|
|
|
* IPC types.
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
*/
|
|
|
|
|
#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
|
|
|
|
|
#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
|
|
|
|
|
#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Audit conditions.
|
|
|
|
|
*/
|
|
|
|
|
#define AUC_UNSET 0
|
|
|
|
|
#define AUC_AUDITING 1
|
|
|
|
|
#define AUC_NOAUDIT 2
|
|
|
|
|
#define AUC_DISABLED -1
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* auditon(2) commands.
|
|
|
|
|
*/
|
|
|
|
|
#define A_GETPOLICY 2
|
|
|
|
|
#define A_SETPOLICY 3
|
|
|
|
|
#define A_GETKMASK 4
|
|
|
|
|
#define A_SETKMASK 5
|
|
|
|
|
#define A_GETQCTRL 6
|
|
|
|
|
#define A_SETQCTRL 7
|
|
|
|
|
#define A_GETCWD 8
|
|
|
|
|
#define A_GETCAR 9
|
|
|
|
|
#define A_GETSTAT 12
|
|
|
|
|
#define A_SETSTAT 13
|
|
|
|
|
#define A_SETUMASK 14
|
|
|
|
|
#define A_SETSMASK 15
|
|
|
|
|
#define A_GETCOND 20
|
|
|
|
|
#define A_SETCOND 21
|
|
|
|
|
#define A_GETCLASS 22
|
|
|
|
|
#define A_SETCLASS 23
|
|
|
|
|
#define A_GETPINFO 24
|
|
|
|
|
#define A_SETPMASK 25
|
|
|
|
|
#define A_SETFSIZE 26
|
|
|
|
|
#define A_GETFSIZE 27
|
|
|
|
|
#define A_GETPINFO_ADDR 28
|
|
|
|
|
#define A_GETKAUDIT 29
|
|
|
|
|
#define A_SETKAUDIT 30
|
|
|
|
|
#define A_SENDTRIGGER 31
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Audit policy controls.
|
|
|
|
|
*/
|
|
|
|
|
#define AUDIT_CNT 0x0001
|
|
|
|
|
#define AUDIT_AHLT 0x0002
|
|
|
|
|
#define AUDIT_ARGV 0x0004
|
|
|
|
|
#define AUDIT_ARGE 0x0008
|
2006-08-26 08:04:15 +00:00
|
|
|
#define AUDIT_SEQ 0x0010
|
|
|
|
|
#define AUDIT_WINDATA 0x0020
|
|
|
|
|
#define AUDIT_USER 0x0040
|
|
|
|
|
#define AUDIT_GROUP 0x0080
|
|
|
|
|
#define AUDIT_TRAIL 0x0100
|
|
|
|
|
#define AUDIT_PATH 0x0200
|
|
|
|
|
#define AUDIT_SCNT 0x0400
|
|
|
|
|
#define AUDIT_PUBLIC 0x0800
|
|
|
|
|
#define AUDIT_ZONENAME 0x1000
|
|
|
|
|
#define AUDIT_PERZONE 0x2000
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
|
|
|
|
|
/*
|
2006-09-21 07:07:33 +00:00
|
|
|
* Default audit queue control parameters.
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
*/
|
|
|
|
|
#define AQ_HIWATER 100
|
|
|
|
|
#define AQ_MAXHIGH 10000
|
|
|
|
|
#define AQ_LOWATER 10
|
2006-09-21 07:07:33 +00:00
|
|
|
#define AQ_BUFSZ MAXAUDITDATA
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
#define AQ_MAXBUFSZ 1048576
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Default minimum percentage free space on file system.
|
|
|
|
|
*/
|
|
|
|
|
#define AU_FS_MINFREE 20
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Type definitions used indicating the length of variable length addresses
|
|
|
|
|
* in tokens containing addresses, such as header fields.
|
|
|
|
|
*/
|
|
|
|
|
#define AU_IPv4 4
|
|
|
|
|
#define AU_IPv6 16
|
|
|
|
|
|
|
|
|
|
__BEGIN_DECLS
|
|
|
|
|
|
|
|
|
|
typedef uid_t au_id_t;
|
|
|
|
|
typedef pid_t au_asid_t;
|
|
|
|
|
typedef u_int16_t au_event_t;
|
|
|
|
|
typedef u_int16_t au_emod_t;
|
|
|
|
|
typedef u_int32_t au_class_t;
|
|
|
|
|
|
|
|
|
|
struct au_tid {
|
|
|
|
|
dev_t port;
|
|
|
|
|
u_int32_t machine;
|
|
|
|
|
};
|
|
|
|
|
typedef struct au_tid au_tid_t;
|
|
|
|
|
|
|
|
|
|
struct au_tid_addr {
|
|
|
|
|
dev_t at_port;
|
|
|
|
|
u_int32_t at_type;
|
|
|
|
|
u_int32_t at_addr[4];
|
|
|
|
|
};
|
|
|
|
|
typedef struct au_tid_addr au_tid_addr_t;
|
|
|
|
|
|
|
|
|
|
struct au_mask {
|
|
|
|
|
unsigned int am_success; /* Success bits. */
|
|
|
|
|
unsigned int am_failure; /* Failure bits. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct au_mask au_mask_t;
|
|
|
|
|
|
|
|
|
|
struct auditinfo {
|
|
|
|
|
au_id_t ai_auid; /* Audit user ID. */
|
|
|
|
|
au_mask_t ai_mask; /* Audit masks. */
|
|
|
|
|
au_tid_t ai_termid; /* Terminal ID. */
|
|
|
|
|
au_asid_t ai_asid; /* Audit session ID. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct auditinfo auditinfo_t;
|
|
|
|
|
|
|
|
|
|
struct auditinfo_addr {
|
|
|
|
|
au_id_t ai_auid; /* Audit user ID. */
|
|
|
|
|
au_mask_t ai_mask; /* Audit masks. */
|
|
|
|
|
au_tid_addr_t ai_termid; /* Terminal ID. */
|
|
|
|
|
au_asid_t ai_asid; /* Audit session ID. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct auditinfo_addr auditinfo_addr_t;
|
|
|
|
|
|
|
|
|
|
struct auditpinfo {
|
|
|
|
|
pid_t ap_pid; /* ID of target process. */
|
|
|
|
|
au_id_t ap_auid; /* Audit user ID. */
|
|
|
|
|
au_mask_t ap_mask; /* Audit masks. */
|
|
|
|
|
au_tid_t ap_termid; /* Terminal ID. */
|
|
|
|
|
au_asid_t ap_asid; /* Audit session ID. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct auditpinfo auditpinfo_t;
|
|
|
|
|
|
|
|
|
|
struct auditpinfo_addr {
|
|
|
|
|
pid_t ap_pid; /* ID of target process. */
|
|
|
|
|
au_id_t ap_auid; /* Audit user ID. */
|
|
|
|
|
au_mask_t ap_mask; /* Audit masks. */
|
|
|
|
|
au_tid_addr_t ap_termid; /* Terminal ID. */
|
|
|
|
|
au_asid_t ap_asid; /* Audit session ID. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct auditpinfo_addr auditpinfo_addr_t;
|
|
|
|
|
|
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 5:
- Update install notes to indicate /etc files are to be installed manually.
- On systems without LOG_SECURITY, use LOG_AUTH.
- Convert to autoconf/automake in order to move to a more portable (not
BSD-specific) build infrastructure, and more easy conditional building of
components. Currently, the primary feature loss is that automake does
not have native support for manual symlinks. This will be addressed in a
future OpenBSM release.
- Add compat/queue.h, to be used on systems dated BSD queue macro libraries
(as found on Linux).
- Rename CHANGELOG to HISTORY, as our change log doesn't follow some of the
existing conventions for a CHANGELOG.
- Some private data structures moved from audit.h to audit_internal.h to
prevent inappropriate use by applications and name space pollution.
- Improved detection and use of endian macros using autoconf.
- Avoid non-portable use of struct in6_addr, which is largely opaque.
- Avoid leaking BSD kernel socket related token code to user space in
bsm_token.c.
- Teach System V IPC calls to look for Linux naming variations for certain
struct ipc_perm fields.
- Test for audit system calls, and if not present, don't build
bsm_wrappers.c, bsm_notify.c, audit(8), and auditd(8), which rely on
those system calls.
- au_close() is not implemented on systems that don't have audit system
calls, but au_close_buffer() is.
- Work around missing BSDisms in bsm_wrapper.c.
- Fix nested includes so including libbsm.h in an application on Linux
picks up the necessary definitions.
Obtained from: TrustedBSD Project
2006-03-04 16:45:52 +00:00
|
|
|
/*
|
|
|
|
|
* Contents of token_t are opaque outside of libbsm.
|
|
|
|
|
*/
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
typedef struct au_token token_t;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Kernel audit queue control parameters.
|
|
|
|
|
*/
|
|
|
|
|
struct au_qctrl {
|
|
|
|
|
size_t aq_hiwater;
|
|
|
|
|
size_t aq_lowater;
|
|
|
|
|
size_t aq_bufsz;
|
|
|
|
|
clock_t aq_delay;
|
|
|
|
|
int aq_minfree; /* Minimum filesystem percent free space. */
|
|
|
|
|
};
|
|
|
|
|
typedef struct au_qctrl au_qctrl_t;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Structure for the audit statistics.
|
|
|
|
|
*/
|
|
|
|
|
struct audit_stat {
|
|
|
|
|
unsigned int as_version;
|
|
|
|
|
unsigned int as_numevent;
|
|
|
|
|
int as_generated;
|
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 6:
- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
au_close_buffer().
- Support a more complete range of data types for the arbitrary data token:
add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
buffer. Not likely to be used much by applications, but useful for
writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not just
kernel -- this is not a Solaris BSM API so can be modified without
causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
argument to the ordinary au_to_header32(), which is now implemented by
wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL
the APIs that invoke gettimeofday(), rather than having a variable
definition. Don't try to retrieve time zone information using
gettimeofday(), as it's not needed, and introduces possible failure
modes.
- Don't perform byte order transformations on the addr/machine fields of
the terminal ID that appears in the process32/subject32 tokens. These
are assumed to be IP addresses, and as such, to be in network byte
order.
- Universally, APIs now assume that IP addresses and ports are provided
in network byte order. APIs now generally provide these types in
network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
error information.
- Support for audit filters introduced: audit filters are dynamically
loaded shared objects that run in the context of a new daemon,
auditfilterd. The daemon reads from an audit pipe and feeds both BSM and
parsed versions of records to shared objects using a module API. This
will provide a framework for the writing of intrusion detection services.
- New utility API, audit_submit(), added to capture common elements of audit
record submission for many applications.
Obtained from: TrustedBSD Project
2006-06-05 10:52:12 +00:00
|
|
|
int as_nonattrib;
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
int as_kernel;
|
|
|
|
|
int as_audit;
|
|
|
|
|
int as_auditctl;
|
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 6:
- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to au_close();
previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
au_close_buffer().
- Support a more complete range of data types for the arbitrary data token:
add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32 (alias
to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
buffer. Not likely to be used much by applications, but useful for
writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not just
kernel -- this is not a Solaris BSM API so can be modified without
causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
argument to the ordinary au_to_header32(), which is now implemented by
wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL
the APIs that invoke gettimeofday(), rather than having a variable
definition. Don't try to retrieve time zone information using
gettimeofday(), as it's not needed, and introduces possible failure
modes.
- Don't perform byte order transformations on the addr/machine fields of
the terminal ID that appears in the process32/subject32 tokens. These
are assumed to be IP addresses, and as such, to be in network byte
order.
- Universally, APIs now assume that IP addresses and ports are provided
in network byte order. APIs now generally provide these types in
network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in openbsm/test.
This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
error information.
- Support for audit filters introduced: audit filters are dynamically
loaded shared objects that run in the context of a new daemon,
auditfilterd. The daemon reads from an audit pipe and feeds both BSM and
parsed versions of records to shared objects using a module API. This
will provide a framework for the writing of intrusion detection services.
- New utility API, audit_submit(), added to capture common elements of audit
record submission for many applications.
Obtained from: TrustedBSD Project
2006-06-05 10:52:12 +00:00
|
|
|
int as_enqueue;
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
int as_written;
|
|
|
|
|
int as_wblocked;
|
|
|
|
|
int as_rblocked;
|
|
|
|
|
int as_dropped;
|
|
|
|
|
int as_totalsize;
|
|
|
|
|
unsigned int as_memused;
|
|
|
|
|
};
|
|
|
|
|
typedef struct audit_stat au_stat_t;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Structure for the audit file statistics.
|
|
|
|
|
*/
|
|
|
|
|
struct audit_fstat {
|
|
|
|
|
u_quad_t af_filesz;
|
|
|
|
|
u_quad_t af_currsz;
|
|
|
|
|
};
|
|
|
|
|
typedef struct audit_fstat au_fstat_t;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Audit to event class mapping.
|
|
|
|
|
*/
|
|
|
|
|
struct au_evclass_map {
|
|
|
|
|
au_event_t ec_number;
|
|
|
|
|
au_class_t ec_class;
|
|
|
|
|
};
|
|
|
|
|
typedef struct au_evclass_map au_evclass_map_t;
|
|
|
|
|
|
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 5:
- Update install notes to indicate /etc files are to be installed manually.
- On systems without LOG_SECURITY, use LOG_AUTH.
- Convert to autoconf/automake in order to move to a more portable (not
BSD-specific) build infrastructure, and more easy conditional building of
components. Currently, the primary feature loss is that automake does
not have native support for manual symlinks. This will be addressed in a
future OpenBSM release.
- Add compat/queue.h, to be used on systems dated BSD queue macro libraries
(as found on Linux).
- Rename CHANGELOG to HISTORY, as our change log doesn't follow some of the
existing conventions for a CHANGELOG.
- Some private data structures moved from audit.h to audit_internal.h to
prevent inappropriate use by applications and name space pollution.
- Improved detection and use of endian macros using autoconf.
- Avoid non-portable use of struct in6_addr, which is largely opaque.
- Avoid leaking BSD kernel socket related token code to user space in
bsm_token.c.
- Teach System V IPC calls to look for Linux naming variations for certain
struct ipc_perm fields.
- Test for audit system calls, and if not present, don't build
bsm_wrappers.c, bsm_notify.c, audit(8), and auditd(8), which rely on
those system calls.
- au_close() is not implemented on systems that don't have audit system
calls, but au_close_buffer() is.
- Work around missing BSDisms in bsm_wrapper.c.
- Fix nested includes so including libbsm.h in an application on Linux
picks up the necessary definitions.
Obtained from: TrustedBSD Project
2006-03-04 16:45:52 +00:00
|
|
|
/*
|
|
|
|
|
* Audit system calls.
|
|
|
|
|
*/
|
Initial vendor import of the TrustedBSD OpenBSM distribution, version
1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems. Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs. This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.
This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.
This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>. The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.
Many thanks to: wsalamon, trhodes
Obtained from: TrustedBSD Project
2006-01-31 19:40:12 +00:00
|
|
|
#if !defined(_KERNEL) && !defined(KERNEL)
|
|
|
|
|
int audit(const void *, int);
|
|
|
|
|
int auditon(int, void *, int);
|
|
|
|
|
int auditctl(const char *);
|
|
|
|
|
int getauid(au_id_t *);
|
|
|
|
|
int setauid(const au_id_t *);
|
|
|
|
|
int getaudit(struct auditinfo *);
|
|
|
|
|
int setaudit(const struct auditinfo *);
|
|
|
|
|
int getaudit_addr(struct auditinfo_addr *, int);
|
|
|
|
|
int setaudit_addr(const struct auditinfo_addr *, int);
|
|
|
|
|
#endif /* defined(_KERNEL) || defined(KERNEL) */
|
|
|
|
|
|
|
|
|
|
__END_DECLS
|
|
|
|
|
|
|
|
|
|
#endif /* !_BSM_AUDIT_H */
|