52267f7411
contrib/openbsm (svn merge) and sys/{bsm,security/audit} (manual merge).
- Add OpenBSM contrib tree to include paths for audit(8) and auditd(8).
- Merge support for new tokens, fixes to existing token generation to
audit_bsm_token.c.
- Synchronize bsm includes and definitions.
OpenBSM history for imported revisions below for reference.
MFC after: 1 month
Sponsored by: Apple Inc.
Obtained from: TrustedBSD Project
--
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not being arguments so
that const strings can be passed as arguments to tokens. This patch was
submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
294 lines
7.6 KiB
C
294 lines
7.6 KiB
C
/*-
|
|
* Copyright (c) 2005 Apple Inc.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
|
* its contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
|
|
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
* P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#1
|
|
* $FreeBSD$
|
|
*/
|
|
|
|
#ifndef _BSM_AUDIT_H
|
|
#define _BSM_AUDIT_H
|
|
|
|
#include <sys/param.h>
|
|
#include <sys/cdefs.h>
|
|
#include <sys/queue.h>
|
|
|
|
#define AUDIT_RECORD_MAGIC 0x828a0f1b
|
|
#define MAX_AUDIT_RECORDS 20
|
|
#define MAXAUDITDATA (0x8000 - 1)
|
|
#define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA
|
|
#define MIN_AUDIT_FILE_SIZE (512 * 1024)
|
|
|
|
/*
|
|
* Minimum noumber of free blocks on the filesystem containing the audit
|
|
* log necessary to avoid a hard log rotation. DO NOT SET THIS VALUE TO 0
|
|
* as the kernel does an unsigned compare, plus we want to leave a few blocks
|
|
* free so userspace can terminate the log, etc.
|
|
*/
|
|
#define AUDIT_HARD_LIMIT_FREE_BLOCKS 4
|
|
|
|
/*
|
|
* Triggers for the audit daemon.
|
|
*/
|
|
#define AUDIT_TRIGGER_MIN 1
|
|
#define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */
|
|
#define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */
|
|
#define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */
|
|
#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
|
|
#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
|
|
#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests roate. */
|
|
#define AUDIT_TRIGGER_MAX 6
|
|
|
|
/*
|
|
* The special device filename (FreeBSD).
|
|
*/
|
|
#define AUDITDEV_FILENAME "audit"
|
|
#define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME)
|
|
|
|
/*
|
|
* Pre-defined audit IDs
|
|
*/
|
|
#define AU_DEFAUDITID -1
|
|
|
|
/*
|
|
* IPC types.
|
|
*/
|
|
#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
|
|
#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
|
|
#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
|
|
|
|
/*
|
|
* Audit conditions.
|
|
*/
|
|
#define AUC_UNSET 0
|
|
#define AUC_AUDITING 1
|
|
#define AUC_NOAUDIT 2
|
|
#define AUC_DISABLED -1
|
|
|
|
/*
|
|
* auditon(2) commands.
|
|
*/
|
|
#define A_GETPOLICY 2
|
|
#define A_SETPOLICY 3
|
|
#define A_GETKMASK 4
|
|
#define A_SETKMASK 5
|
|
#define A_GETQCTRL 6
|
|
#define A_SETQCTRL 7
|
|
#define A_GETCWD 8
|
|
#define A_GETCAR 9
|
|
#define A_GETSTAT 12
|
|
#define A_SETSTAT 13
|
|
#define A_SETUMASK 14
|
|
#define A_SETSMASK 15
|
|
#define A_GETCOND 20
|
|
#define A_SETCOND 21
|
|
#define A_GETCLASS 22
|
|
#define A_SETCLASS 23
|
|
#define A_GETPINFO 24
|
|
#define A_SETPMASK 25
|
|
#define A_SETFSIZE 26
|
|
#define A_GETFSIZE 27
|
|
#define A_GETPINFO_ADDR 28
|
|
#define A_GETKAUDIT 29
|
|
#define A_SETKAUDIT 30
|
|
#define A_SENDTRIGGER 31
|
|
|
|
/*
|
|
* Audit policy controls.
|
|
*/
|
|
#define AUDIT_CNT 0x0001
|
|
#define AUDIT_AHLT 0x0002
|
|
#define AUDIT_ARGV 0x0004
|
|
#define AUDIT_ARGE 0x0008
|
|
#define AUDIT_SEQ 0x0010
|
|
#define AUDIT_WINDATA 0x0020
|
|
#define AUDIT_USER 0x0040
|
|
#define AUDIT_GROUP 0x0080
|
|
#define AUDIT_TRAIL 0x0100
|
|
#define AUDIT_PATH 0x0200
|
|
#define AUDIT_SCNT 0x0400
|
|
#define AUDIT_PUBLIC 0x0800
|
|
#define AUDIT_ZONENAME 0x1000
|
|
#define AUDIT_PERZONE 0x2000
|
|
|
|
/*
|
|
* Default audit queue control parameters.
|
|
*/
|
|
#define AQ_HIWATER 100
|
|
#define AQ_MAXHIGH 10000
|
|
#define AQ_LOWATER 10
|
|
#define AQ_BUFSZ MAXAUDITDATA
|
|
#define AQ_MAXBUFSZ 1048576
|
|
|
|
/*
|
|
* Default minimum percentage free space on file system.
|
|
*/
|
|
#define AU_FS_MINFREE 20
|
|
|
|
/*
|
|
* Type definitions used indicating the length of variable length addresses
|
|
* in tokens containing addresses, such as header fields.
|
|
*/
|
|
#define AU_IPv4 4
|
|
#define AU_IPv6 16
|
|
|
|
__BEGIN_DECLS
|
|
|
|
typedef uid_t au_id_t;
|
|
typedef pid_t au_asid_t;
|
|
typedef u_int16_t au_event_t;
|
|
typedef u_int16_t au_emod_t;
|
|
typedef u_int32_t au_class_t;
|
|
|
|
struct au_tid {
|
|
dev_t port;
|
|
u_int32_t machine;
|
|
};
|
|
typedef struct au_tid au_tid_t;
|
|
|
|
struct au_tid_addr {
|
|
dev_t at_port;
|
|
u_int32_t at_type;
|
|
u_int32_t at_addr[4];
|
|
};
|
|
typedef struct au_tid_addr au_tid_addr_t;
|
|
|
|
struct au_mask {
|
|
unsigned int am_success; /* Success bits. */
|
|
unsigned int am_failure; /* Failure bits. */
|
|
};
|
|
typedef struct au_mask au_mask_t;
|
|
|
|
struct auditinfo {
|
|
au_id_t ai_auid; /* Audit user ID. */
|
|
au_mask_t ai_mask; /* Audit masks. */
|
|
au_tid_t ai_termid; /* Terminal ID. */
|
|
au_asid_t ai_asid; /* Audit session ID. */
|
|
};
|
|
typedef struct auditinfo auditinfo_t;
|
|
|
|
struct auditinfo_addr {
|
|
au_id_t ai_auid; /* Audit user ID. */
|
|
au_mask_t ai_mask; /* Audit masks. */
|
|
au_tid_addr_t ai_termid; /* Terminal ID. */
|
|
au_asid_t ai_asid; /* Audit session ID. */
|
|
};
|
|
typedef struct auditinfo_addr auditinfo_addr_t;
|
|
|
|
struct auditpinfo {
|
|
pid_t ap_pid; /* ID of target process. */
|
|
au_id_t ap_auid; /* Audit user ID. */
|
|
au_mask_t ap_mask; /* Audit masks. */
|
|
au_tid_t ap_termid; /* Terminal ID. */
|
|
au_asid_t ap_asid; /* Audit session ID. */
|
|
};
|
|
typedef struct auditpinfo auditpinfo_t;
|
|
|
|
struct auditpinfo_addr {
|
|
pid_t ap_pid; /* ID of target process. */
|
|
au_id_t ap_auid; /* Audit user ID. */
|
|
au_mask_t ap_mask; /* Audit masks. */
|
|
au_tid_addr_t ap_termid; /* Terminal ID. */
|
|
au_asid_t ap_asid; /* Audit session ID. */
|
|
};
|
|
typedef struct auditpinfo_addr auditpinfo_addr_t;
|
|
|
|
/*
|
|
* Contents of token_t are opaque outside of libbsm.
|
|
*/
|
|
typedef struct au_token token_t;
|
|
|
|
/*
|
|
* Kernel audit queue control parameters.
|
|
*/
|
|
struct au_qctrl {
|
|
size_t aq_hiwater;
|
|
size_t aq_lowater;
|
|
size_t aq_bufsz;
|
|
clock_t aq_delay;
|
|
int aq_minfree; /* Minimum filesystem percent free space. */
|
|
};
|
|
typedef struct au_qctrl au_qctrl_t;
|
|
|
|
/*
|
|
* Structure for the audit statistics.
|
|
*/
|
|
struct audit_stat {
|
|
unsigned int as_version;
|
|
unsigned int as_numevent;
|
|
int as_generated;
|
|
int as_nonattrib;
|
|
int as_kernel;
|
|
int as_audit;
|
|
int as_auditctl;
|
|
int as_enqueue;
|
|
int as_written;
|
|
int as_wblocked;
|
|
int as_rblocked;
|
|
int as_dropped;
|
|
int as_totalsize;
|
|
unsigned int as_memused;
|
|
};
|
|
typedef struct audit_stat au_stat_t;
|
|
|
|
/*
|
|
* Structure for the audit file statistics.
|
|
*/
|
|
struct audit_fstat {
|
|
u_quad_t af_filesz;
|
|
u_quad_t af_currsz;
|
|
};
|
|
typedef struct audit_fstat au_fstat_t;
|
|
|
|
/*
|
|
* Audit to event class mapping.
|
|
*/
|
|
struct au_evclass_map {
|
|
au_event_t ec_number;
|
|
au_class_t ec_class;
|
|
};
|
|
typedef struct au_evclass_map au_evclass_map_t;
|
|
|
|
/*
|
|
* Audit system calls.
|
|
*/
|
|
#if !defined(_KERNEL) && !defined(KERNEL)
|
|
int audit(const void *, int);
|
|
int auditon(int, void *, int);
|
|
int auditctl(const char *);
|
|
int getauid(au_id_t *);
|
|
int setauid(const au_id_t *);
|
|
int getaudit(struct auditinfo *);
|
|
int setaudit(const struct auditinfo *);
|
|
int getaudit_addr(struct auditinfo_addr *, int);
|
|
int setaudit_addr(const struct auditinfo_addr *, int);
|
|
#endif /* defined(_KERNEL) || defined(KERNEL) */
|
|
|
|
__END_DECLS
|
|
|
|
#endif /* !_BSM_AUDIT_H */
|