d9af45c4c8
notes: - Adopted Solaris-compatible format for subject32_ex and subject64_ex tokens, which previously did not correctly implement variable length address storage. - Prefer inttypes.h to stdint.h; enhance queue.h detection to test for TAILQ_FOREACH_SAFE(), which is present in recent BSD queue.h's, but not older ones. OpenBSM now builds on some FreeBSD 4.x version. - New event types for extended attributes, ACLs, and scheduling. Obtained from: TrustedBSD Project
1180 lines
32 KiB
C
1180 lines
32 KiB
C
/*
|
|
* Copyright (c) 2004 Apple Computer, Inc.
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions
|
|
* are met:
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
|
|
* its contributors may be used to endorse or promote products derived
|
|
* from this software without specific prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
|
|
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
|
|
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*
|
|
* $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#21 $
|
|
*/
|
|
|
|
#ifndef _LIBBSM_H_
|
|
#define _LIBBSM_H_
|
|
|
|
/*
|
|
* NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
|
|
* solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
|
|
*/
|
|
|
|
#define MAX_ARGS 10
|
|
#define MAX_ENV 10
|
|
|
|
#include <sys/types.h>
|
|
#include <sys/cdefs.h>
|
|
|
|
#include <inttypes.h> /* Required for audit.h. */
|
|
#include <time.h> /* Required for clock_t on Linux. */
|
|
|
|
#include <bsm/audit.h>
|
|
#include <bsm/audit_record.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#ifdef __APPLE__
|
|
#include <mach/mach.h> /* audit_token_t */
|
|
#endif
|
|
|
|
#define AU_PRS_SUCCESS 1
|
|
#define AU_PRS_FAILURE 2
|
|
#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
|
|
|
|
#define AU_PRS_USECACHE 0
|
|
#define AU_PRS_REREAD 1
|
|
|
|
#define AUDIT_EVENT_FILE "/etc/security/audit_event"
|
|
#define AUDIT_CLASS_FILE "/etc/security/audit_class"
|
|
#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
|
|
#define AUDIT_USER_FILE "/etc/security/audit_user"
|
|
|
|
#define DIR_CONTROL_ENTRY "dir"
|
|
#define MINFREE_CONTROL_ENTRY "minfree"
|
|
#define FLAGS_CONTROL_ENTRY "flags"
|
|
#define NA_CONTROL_ENTRY "naflags"
|
|
|
|
#define AU_CLASS_NAME_MAX 8
|
|
#define AU_CLASS_DESC_MAX 72
|
|
#define AU_EVENT_NAME_MAX 30
|
|
#define AU_EVENT_DESC_MAX 50
|
|
#define AU_USER_NAME_MAX 50
|
|
#define AU_LINE_MAX 256
|
|
#define MAX_AUDITSTRING_LEN 256
|
|
#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
|
|
|
|
/*
|
|
* These are referenced in Solaris 9 au_open(3BSM); values are guesses.
|
|
* Provided for OpenSSH compatibility.
|
|
*/
|
|
#define AU_TO_NO_WRITE 0
|
|
#define AU_TO_WRITE 1
|
|
|
|
__BEGIN_DECLS
|
|
struct au_event_ent {
|
|
au_event_t ae_number;
|
|
char *ae_name;
|
|
char *ae_desc;
|
|
au_class_t ae_class;
|
|
};
|
|
typedef struct au_event_ent au_event_ent_t;
|
|
|
|
struct au_class_ent {
|
|
char *ac_name;
|
|
au_class_t ac_class;
|
|
char *ac_desc;
|
|
};
|
|
typedef struct au_class_ent au_class_ent_t;
|
|
|
|
struct au_user_ent {
|
|
char *au_name;
|
|
au_mask_t au_always;
|
|
au_mask_t au_never;
|
|
};
|
|
typedef struct au_user_ent au_user_ent_t;
|
|
__END_DECLS
|
|
|
|
#define ADD_TO_MASK(m, c, sel) do { \
|
|
if (sel & AU_PRS_SUCCESS) \
|
|
(m)->am_success |= c; \
|
|
if (sel & AU_PRS_FAILURE) \
|
|
(m)->am_failure |= c; \
|
|
} while (0)
|
|
|
|
#define SUB_FROM_MASK(m, c, sel) do { \
|
|
if (sel & AU_PRS_SUCCESS) \
|
|
(m)->am_success &= ((m)->am_success ^ c); \
|
|
if (sel & AU_PRS_FAILURE) \
|
|
(m)->am_failure &= ((m)->am_failure ^ c); \
|
|
} while (0)
|
|
|
|
#define ADDMASK(m, v) do { \
|
|
(m)->am_success |= (v)->am_success; \
|
|
(m)->am_failure |= (v)->am_failure; \
|
|
} while(0)
|
|
|
|
#define SUBMASK(m, v) do { \
|
|
(m)->am_success &= ((m)->am_success ^ (v)->am_success); \
|
|
(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
|
|
} while(0)
|
|
|
|
__BEGIN_DECLS
|
|
|
|
/*
|
|
* Internal representation of audit user in libnsl.
|
|
*/
|
|
typedef struct au_user_str_s {
|
|
char *au_name;
|
|
char *au_always;
|
|
char *au_never;
|
|
} au_user_str_t;
|
|
|
|
typedef struct au_tid32 {
|
|
u_int32_t port;
|
|
u_int32_t addr;
|
|
} au_tid32_t;
|
|
|
|
typedef struct au_tid64 {
|
|
u_int64_t port;
|
|
u_int32_t addr;
|
|
} au_tid64_t;
|
|
|
|
typedef struct au_tidaddr32 {
|
|
u_int32_t port;
|
|
u_int32_t type;
|
|
u_int32_t addr[4];
|
|
} au_tidaddr32_t;
|
|
|
|
/*
|
|
* argument # 1 byte
|
|
* argument value 4 bytes/8 bytes (32-bit/64-bit value)
|
|
* text length 2 bytes
|
|
* text N bytes + 1 terminating NULL byte
|
|
*/
|
|
typedef struct {
|
|
u_char no;
|
|
u_int32_t val;
|
|
u_int16_t len;
|
|
char *text;
|
|
} au_arg32_t;
|
|
|
|
typedef struct {
|
|
u_char no;
|
|
u_int64_t val;
|
|
u_int16_t len;
|
|
char *text;
|
|
} au_arg64_t;
|
|
|
|
/*
|
|
* how to print 1 byte
|
|
* basic unit 1 byte
|
|
* unit count 1 byte
|
|
* data items (depends on basic unit)
|
|
*/
|
|
typedef struct {
|
|
u_char howtopr;
|
|
u_char bu;
|
|
u_char uc;
|
|
u_char *data;
|
|
} au_arb_t;
|
|
|
|
/*
|
|
* file access mode 4 bytes
|
|
* owner user ID 4 bytes
|
|
* owner group ID 4 bytes
|
|
* file system ID 4 bytes
|
|
* node ID 8 bytes
|
|
* device 4 bytes/8 bytes (32-bit/64-bit)
|
|
*/
|
|
typedef struct {
|
|
u_int32_t mode;
|
|
u_int32_t uid;
|
|
u_int32_t gid;
|
|
u_int32_t fsid;
|
|
u_int64_t nid;
|
|
u_int32_t dev;
|
|
} au_attr32_t;
|
|
|
|
typedef struct {
|
|
u_int32_t mode;
|
|
u_int32_t uid;
|
|
u_int32_t gid;
|
|
u_int32_t fsid;
|
|
u_int64_t nid;
|
|
u_int64_t dev;
|
|
} au_attr64_t;
|
|
|
|
/*
|
|
* count 4 bytes
|
|
* text count null-terminated string(s)
|
|
*/
|
|
typedef struct {
|
|
u_int32_t count;
|
|
char *text[MAX_ARGS];
|
|
} au_execarg_t;
|
|
|
|
/*
|
|
* count 4 bytes
|
|
* text count null-terminated string(s)
|
|
*/
|
|
typedef struct {
|
|
u_int32_t count;
|
|
char *text[MAX_ENV];
|
|
} au_execenv_t;
|
|
|
|
/*
|
|
* status 4 bytes
|
|
* return value 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t status;
|
|
u_int32_t ret;
|
|
} au_exit_t;
|
|
|
|
/*
|
|
* seconds of time 4 bytes
|
|
* milliseconds of time 4 bytes
|
|
* file name length 2 bytes
|
|
* file pathname N bytes + 1 terminating NULL byte
|
|
*/
|
|
typedef struct {
|
|
u_int32_t s;
|
|
u_int32_t ms;
|
|
u_int16_t len;
|
|
char *name;
|
|
} au_file_t;
|
|
|
|
|
|
/*
|
|
* number groups 2 bytes
|
|
* group list N * 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int16_t no;
|
|
u_int32_t list[BSM_MAX_GROUPS];
|
|
} au_groups_t;
|
|
|
|
/*
|
|
* record byte count 4 bytes
|
|
* version # 1 byte [2]
|
|
* event type 2 bytes
|
|
* event modifier 2 bytes
|
|
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
|
|
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
|
|
*/
|
|
typedef struct {
|
|
u_int32_t size;
|
|
u_char version;
|
|
u_int16_t e_type;
|
|
u_int16_t e_mod;
|
|
u_int32_t s;
|
|
u_int32_t ms;
|
|
} au_header32_t;
|
|
|
|
/*
|
|
* record byte count 4 bytes
|
|
* version # 1 byte [2]
|
|
* event type 2 bytes
|
|
* event modifier 2 bytes
|
|
* address type/length 1 byte (XXX: actually, 4 bytes)
|
|
* machine address 4 bytes/16 bytes (IPv4/IPv6 address)
|
|
* seconds of time 4 bytes/8 bytes (32/64-bits)
|
|
* nanoseconds of time 4 bytes/8 bytes (32/64-bits)
|
|
*/
|
|
typedef struct {
|
|
u_int32_t size;
|
|
u_char version;
|
|
u_int16_t e_type;
|
|
u_int16_t e_mod;
|
|
u_int32_t ad_type;
|
|
u_int32_t addr[4];
|
|
u_int32_t s;
|
|
u_int32_t ms;
|
|
} au_header32_ex_t;
|
|
|
|
typedef struct {
|
|
u_int32_t size;
|
|
u_char version;
|
|
u_int16_t e_type;
|
|
u_int16_t e_mod;
|
|
u_int64_t s;
|
|
u_int64_t ms;
|
|
} au_header64_t;
|
|
|
|
typedef struct {
|
|
u_int32_t size;
|
|
u_char version;
|
|
u_int16_t e_type;
|
|
u_int16_t e_mod;
|
|
u_int32_t ad_type;
|
|
u_int32_t addr[4];
|
|
u_int64_t s;
|
|
u_int64_t ms;
|
|
} au_header64_ex_t;
|
|
|
|
/*
|
|
* internet address 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t addr;
|
|
} au_inaddr_t;
|
|
|
|
/*
|
|
* type 4 bytes
|
|
* internet address 16 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t type;
|
|
u_int32_t addr[4];
|
|
} au_inaddr_ex_t;
|
|
|
|
/*
|
|
* version and ihl 1 byte
|
|
* type of service 1 byte
|
|
* length 2 bytes
|
|
* id 2 bytes
|
|
* offset 2 bytes
|
|
* ttl 1 byte
|
|
* protocol 1 byte
|
|
* checksum 2 bytes
|
|
* source address 4 bytes
|
|
* destination address 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_char version;
|
|
u_char tos;
|
|
u_int16_t len;
|
|
u_int16_t id;
|
|
u_int16_t offset;
|
|
u_char ttl;
|
|
u_char prot;
|
|
u_int16_t chksm;
|
|
u_int32_t src;
|
|
u_int32_t dest;
|
|
} au_ip_t;
|
|
|
|
/*
|
|
* object ID type 1 byte
|
|
* object ID 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_char type;
|
|
u_int32_t id;
|
|
} au_ipc_t;
|
|
|
|
/*
|
|
* owner user ID 4 bytes
|
|
* owner group ID 4 bytes
|
|
* creator user ID 4 bytes
|
|
* creator group ID 4 bytes
|
|
* access mode 4 bytes
|
|
* slot sequence # 4 bytes
|
|
* key 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t uid;
|
|
u_int32_t gid;
|
|
u_int32_t puid;
|
|
u_int32_t pgid;
|
|
u_int32_t mode;
|
|
u_int32_t seq;
|
|
u_int32_t key;
|
|
} au_ipcperm_t;
|
|
|
|
/*
|
|
* port IP address 2 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int16_t port;
|
|
} au_iport_t;
|
|
|
|
/*
|
|
* length 2 bytes
|
|
* data length bytes
|
|
*/
|
|
typedef struct {
|
|
u_int16_t size;
|
|
char *data;
|
|
} au_opaque_t;
|
|
|
|
/*
|
|
* path length 2 bytes
|
|
* path N bytes + 1 terminating NULL byte
|
|
*/
|
|
typedef struct {
|
|
u_int16_t len;
|
|
char *path;
|
|
} au_path_t;
|
|
|
|
/*
|
|
* audit ID 4 bytes
|
|
* effective user ID 4 bytes
|
|
* effective group ID 4 bytes
|
|
* real user ID 4 bytes
|
|
* real group ID 4 bytes
|
|
* process ID 4 bytes
|
|
* session ID 4 bytes
|
|
* terminal ID
|
|
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
|
|
* machine address 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t auid;
|
|
u_int32_t euid;
|
|
u_int32_t egid;
|
|
u_int32_t ruid;
|
|
u_int32_t rgid;
|
|
u_int32_t pid;
|
|
u_int32_t sid;
|
|
au_tid32_t tid;
|
|
} au_proc32_t;
|
|
|
|
typedef struct {
|
|
u_int32_t auid;
|
|
u_int32_t euid;
|
|
u_int32_t egid;
|
|
u_int32_t ruid;
|
|
u_int32_t rgid;
|
|
u_int32_t pid;
|
|
u_int32_t sid;
|
|
au_tid64_t tid;
|
|
} au_proc64_t;
|
|
|
|
/*
|
|
* audit ID 4 bytes
|
|
* effective user ID 4 bytes
|
|
* effective group ID 4 bytes
|
|
* real user ID 4 bytes
|
|
* real group ID 4 bytes
|
|
* process ID 4 bytes
|
|
* session ID 4 bytes
|
|
* terminal ID
|
|
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
|
|
* type 4 bytes
|
|
* machine address 16 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t auid;
|
|
u_int32_t euid;
|
|
u_int32_t egid;
|
|
u_int32_t ruid;
|
|
u_int32_t rgid;
|
|
u_int32_t pid;
|
|
u_int32_t sid;
|
|
au_tidaddr32_t tid;
|
|
} au_proc32ex_t;
|
|
|
|
/*
|
|
* error status 1 byte
|
|
* return value 4 bytes/8 bytes (32-bit/64-bit value)
|
|
*/
|
|
typedef struct {
|
|
u_char status;
|
|
u_int32_t ret;
|
|
} au_ret32_t;
|
|
|
|
typedef struct {
|
|
u_char err;
|
|
u_int64_t val;
|
|
} au_ret64_t;
|
|
|
|
/*
|
|
* sequence number 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t seqno;
|
|
} au_seq_t;
|
|
|
|
/*
|
|
* socket type 2 bytes
|
|
* local port 2 bytes
|
|
* local Internet address 4 bytes
|
|
* remote port 2 bytes
|
|
* remote Internet address 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int16_t type;
|
|
u_int16_t l_port;
|
|
u_int32_t l_addr;
|
|
u_int16_t r_port;
|
|
u_int32_t r_addr;
|
|
} au_socket_t;
|
|
|
|
/*
|
|
* socket type 2 bytes
|
|
* local port 2 bytes
|
|
* address type/length 4 bytes
|
|
* local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
|
|
* remote port 4 bytes
|
|
* address type/length 4 bytes
|
|
* remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
|
|
*/
|
|
typedef struct {
|
|
u_int16_t type;
|
|
u_int16_t l_port;
|
|
u_int32_t l_ad_type;
|
|
u_int32_t l_addr;
|
|
u_int32_t r_port;
|
|
u_int32_t r_ad_type;
|
|
u_int32_t r_addr;
|
|
} au_socket_ex32_t;
|
|
|
|
/*
|
|
* socket family 2 bytes
|
|
* local port 2 bytes
|
|
* socket address 4 bytes/16 bytes (IPv4/IPv6 address)
|
|
*/
|
|
typedef struct {
|
|
u_int16_t family;
|
|
u_int16_t port;
|
|
u_int32_t addr;
|
|
} au_socketinet32_t;
|
|
|
|
/*
|
|
* socket family 2 bytes
|
|
* path 104 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int16_t family;
|
|
char path[104];
|
|
} au_socketunix_t;
|
|
|
|
/*
|
|
* audit ID 4 bytes
|
|
* effective user ID 4 bytes
|
|
* effective group ID 4 bytes
|
|
* real user ID 4 bytes
|
|
* real group ID 4 bytes
|
|
* process ID 4 bytes
|
|
* session ID 4 bytes
|
|
* terminal ID
|
|
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
|
|
* machine address 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t auid;
|
|
u_int32_t euid;
|
|
u_int32_t egid;
|
|
u_int32_t ruid;
|
|
u_int32_t rgid;
|
|
u_int32_t pid;
|
|
u_int32_t sid;
|
|
au_tid32_t tid;
|
|
} au_subject32_t;
|
|
|
|
typedef struct {
|
|
u_int32_t auid;
|
|
u_int32_t euid;
|
|
u_int32_t egid;
|
|
u_int32_t ruid;
|
|
u_int32_t rgid;
|
|
u_int32_t pid;
|
|
u_int32_t sid;
|
|
au_tid64_t tid;
|
|
} au_subject64_t;
|
|
|
|
/*
|
|
* audit ID 4 bytes
|
|
* effective user ID 4 bytes
|
|
* effective group ID 4 bytes
|
|
* real user ID 4 bytes
|
|
* real group ID 4 bytes
|
|
* process ID 4 bytes
|
|
* session ID 4 bytes
|
|
* terminal ID
|
|
* port ID 4 bytes/8 bytes (32-bit/64-bit value)
|
|
* type 4 bytes
|
|
* machine address 16 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int32_t auid;
|
|
u_int32_t euid;
|
|
u_int32_t egid;
|
|
u_int32_t ruid;
|
|
u_int32_t rgid;
|
|
u_int32_t pid;
|
|
u_int32_t sid;
|
|
au_tidaddr32_t tid;
|
|
} au_subject32ex_t;
|
|
|
|
/*
|
|
* text length 2 bytes
|
|
* text N bytes + 1 terminating NULL byte
|
|
*/
|
|
typedef struct {
|
|
u_int16_t len;
|
|
char *text;
|
|
} au_text_t;
|
|
|
|
typedef struct {
|
|
u_int32_t ident;
|
|
u_int16_t filter;
|
|
u_int16_t flags;
|
|
u_int32_t fflags;
|
|
u_int32_t data;
|
|
} au_kevent_t;
|
|
|
|
typedef struct {
|
|
u_int16_t length;
|
|
char *data;
|
|
} au_invalid_t;
|
|
|
|
/*
|
|
* trailer magic number 2 bytes
|
|
* record byte count 4 bytes
|
|
*/
|
|
typedef struct {
|
|
u_int16_t magic;
|
|
u_int32_t count;
|
|
} au_trailer_t;
|
|
|
|
struct tokenstr {
|
|
u_char id;
|
|
u_char *data;
|
|
size_t len;
|
|
union {
|
|
au_arg32_t arg32;
|
|
au_arg64_t arg64;
|
|
au_arb_t arb;
|
|
au_attr32_t attr32;
|
|
au_attr64_t attr64;
|
|
au_execarg_t execarg;
|
|
au_execenv_t execenv;
|
|
au_exit_t exit;
|
|
au_file_t file;
|
|
au_groups_t grps;
|
|
au_header32_t hdr32;
|
|
au_header32_ex_t hdr32_ex;
|
|
au_header64_t hdr64;
|
|
au_header64_ex_t hdr64_ex;
|
|
au_inaddr_t inaddr;
|
|
au_inaddr_ex_t inaddr_ex;
|
|
au_ip_t ip;
|
|
au_ipc_t ipc;
|
|
au_ipcperm_t ipcperm;
|
|
au_iport_t iport;
|
|
au_opaque_t opaque;
|
|
au_path_t path;
|
|
au_proc32_t proc32;
|
|
au_proc64_t proc64;
|
|
au_proc32ex_t proc32_ex;
|
|
au_ret32_t ret32;
|
|
au_ret64_t ret64;
|
|
au_seq_t seq;
|
|
au_socket_t socket;
|
|
au_socket_ex32_t socket_ex32;
|
|
au_socketinet32_t sockinet32;
|
|
au_socketunix_t sockunix;
|
|
au_subject32_t subj32;
|
|
au_subject64_t subj64;
|
|
au_subject32ex_t subj32_ex;
|
|
au_text_t text;
|
|
au_kevent_t kevent;
|
|
au_invalid_t invalid;
|
|
au_trailer_t trail;
|
|
} tt; /* The token is one of the above types */
|
|
};
|
|
|
|
typedef struct tokenstr tokenstr_t;
|
|
|
|
int audit_submit(short au_event, au_id_t auid,
|
|
char status, int reterr, const char *fmt, ...);
|
|
|
|
/*
|
|
* Functions relating to querying audit class information.
|
|
*/
|
|
void setauclass(void);
|
|
void endauclass(void);
|
|
struct au_class_ent *getauclassent(void);
|
|
struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
|
|
struct au_class_ent *getauclassnam(const char *name);
|
|
struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
|
|
const char *name);
|
|
struct au_class_ent *getauclassnum(au_class_t class_number);
|
|
struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
|
|
au_class_t class_number);
|
|
|
|
/*
|
|
* Functions relating to querying audit control information.
|
|
*/
|
|
void setac(void);
|
|
void endac(void);
|
|
int getacdir(char *name, int len);
|
|
int getacmin(int *min_val);
|
|
int getacflg(char *auditstr, int len);
|
|
int getacna(char *auditstr, int len);
|
|
int getauditflagsbin(char *auditstr, au_mask_t *masks);
|
|
int getauditflagschar(char *auditstr, au_mask_t *masks,
|
|
int verbose);
|
|
int au_preselect(au_event_t event, au_mask_t *mask_p,
|
|
int sorf, int flag);
|
|
|
|
/*
|
|
* Functions relating to querying audit event information.
|
|
*
|
|
* XXXRW: getauevnonam() has no _r version?
|
|
*/
|
|
void setauevent(void);
|
|
void endauevent(void);
|
|
struct au_event_ent *getauevent(void);
|
|
struct au_event_ent *getauevent_r(struct au_event_ent *e);
|
|
struct au_event_ent *getauevnam(const char *name);
|
|
struct au_event_ent *getauevnam_r(struct au_event_ent *e,
|
|
const char *name);
|
|
struct au_event_ent *getauevnum(au_event_t event_number);
|
|
struct au_event_ent *getauevnum_r(struct au_event_ent *e,
|
|
au_event_t event_number);
|
|
au_event_t *getauevnonam(const char *event_name);
|
|
au_event_t *getauevnonam_r(au_event_t *ev,
|
|
const char *event_name);
|
|
|
|
/*
|
|
* Functions relating to querying audit user information.
|
|
*/
|
|
void setauuser(void);
|
|
void endauuser(void);
|
|
struct au_user_ent *getauuserent(void);
|
|
struct au_user_ent *getauuserent_r(struct au_user_ent *u);
|
|
struct au_user_ent *getauusernam(const char *name);
|
|
struct au_user_ent *getauusernam_r(struct au_user_ent *u,
|
|
const char *name);
|
|
int au_user_mask(char *username, au_mask_t *mask_p);
|
|
int getfauditflags(au_mask_t *usremask,
|
|
au_mask_t *usrdmask, au_mask_t *lastmask);
|
|
|
|
/*
|
|
* Functions for reading and printing records and tokens from audit trails.
|
|
*/
|
|
int au_read_rec(FILE *fp, u_char **buf);
|
|
int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
|
|
//XXX The following interface has different prototype from BSM
|
|
void au_print_tok(FILE *outfp, tokenstr_t *tok,
|
|
char *del, char raw, char sfrm);
|
|
__END_DECLS
|
|
|
|
#ifdef __APPLE__
|
|
#include <sys/appleapiopts.h>
|
|
|
|
/**************************************************************************
|
|
**************************************************************************
|
|
** The following definitions, functions, etc., are NOT officially
|
|
** supported: they may be changed or removed in the future. Do not use
|
|
** them unless you are prepared to cope with that eventuality.
|
|
**************************************************************************
|
|
**************************************************************************/
|
|
|
|
#ifdef __APPLE_API_PRIVATE
|
|
#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
|
|
#endif /* __APPLE_API_PRIVATE */
|
|
|
|
/*
|
|
* au_get_state() return values
|
|
* XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
|
|
* AUDIT_ON are deprecated and WILL be removed.
|
|
*/
|
|
#ifdef __APPLE_API_PRIVATE
|
|
#define AUDIT_OFF AUC_NOAUDIT
|
|
#define AUDIT_ON AUC_AUDITING
|
|
#endif /* __APPLE_API_PRIVATE */
|
|
#endif /* !__APPLE__ */
|
|
|
|
/*
|
|
* Error return codes for audit_set_terminal_id(), audit_write() and its
|
|
* brethren. We have 255 (not including kAUNoErr) to play with.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
enum {
|
|
kAUNoErr = 0,
|
|
kAUBadParamErr = -66049,
|
|
kAUStatErr,
|
|
kAUSysctlErr,
|
|
kAUOpenErr,
|
|
kAUMakeSubjectTokErr,
|
|
kAUWriteSubjectTokErr,
|
|
kAUWriteCallerTokErr,
|
|
kAUMakeReturnTokErr,
|
|
kAUWriteReturnTokErr,
|
|
kAUCloseErr,
|
|
kAUMakeTextTokErr,
|
|
kAULastErr
|
|
};
|
|
|
|
#ifdef __APPLE__
|
|
/*
|
|
* Error return codes for au_get_state() and/or its private support
|
|
* functions. These codes are designed to be compatible with the
|
|
* NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
|
|
* Any changes to notify(3) may cause these values to change in future.
|
|
*
|
|
* AU_UNIMPL should never happen unless you've changed your system software
|
|
* without rebooting. Shame on you.
|
|
*/
|
|
#ifdef __APPLE_API_PRIVATE
|
|
#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
|
|
#endif /* __APPLE_API_PRIVATE */
|
|
#endif /* !__APPLE__ */
|
|
|
|
__BEGIN_DECLS
|
|
/*
|
|
* XXX This prototype should be in audit_record.h
|
|
*
|
|
* au_free_token()
|
|
*
|
|
* @summary - au_free_token() deallocates a token_t created by any of
|
|
* the au_to_*() BSM API functions.
|
|
*
|
|
* The BSM API generally manages deallocation of token_t objects. However,
|
|
* if au_write() is passed a bad audit descriptor, the token_t * parameter
|
|
* will be left untouched. In that case, the caller can deallocate the
|
|
* token_t using au_free_token() if desired. This is, in fact, what
|
|
* audit_write() does, in keeping with the existing memory management model
|
|
* of the BSM API.
|
|
*
|
|
* @param tok - A token_t * generated by one of the au_to_*() BSM API
|
|
* calls. For convenience, tok may be NULL, in which case
|
|
* au_free_token() returns immediately.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
void au_free_token(token_t *tok);
|
|
|
|
/*
|
|
* Lightweight check to determine if auditing is enabled. If a client
|
|
* wants to use this to govern whether an entire series of audit calls
|
|
* should be made--as in the common case of a caller building a set of
|
|
* tokens, then writing them--it should cache the audit status in a local
|
|
* variable. This call always returns the current state of auditing.
|
|
*
|
|
* @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
|
|
* Otherwise the function can return any of the errno values defined for
|
|
* setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
|
|
* the system.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int au_get_state(void);
|
|
__END_DECLS
|
|
|
|
/* OpenSSH compatibility */
|
|
int cannot_audit(int);
|
|
|
|
__BEGIN_DECLS
|
|
/*
|
|
* audit_set_terminal_id()
|
|
*
|
|
* @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
|
|
* used in audit session initialization by processes like /usr/bin/login.
|
|
*
|
|
* @param tid - A pointer to an au_tid_t struct.
|
|
*
|
|
* @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
|
|
* or kAUSysctlErr if one of the underlying system calls fails (a message
|
|
* is sent to the system log in those cases).
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_set_terminal_id(au_tid_t *tid);
|
|
|
|
/*
|
|
* BEGIN au_write() WRAPPERS
|
|
*
|
|
* The following calls all wrap the existing BSM API. They use the
|
|
* provided subject information, if any, to construct the subject token
|
|
* required for every log message. They use the provided return/error
|
|
* value(s), if any, to construct the success/failure indication required
|
|
* for every log message. They only permit one "miscellaneous" token,
|
|
* which should contain the event-specific logging information mandated by
|
|
* CAPP.
|
|
*
|
|
* All these calls assume the caller has previously determined that
|
|
* auditing is enabled by calling au_get_state().
|
|
*/
|
|
|
|
/*
|
|
* audit_write()
|
|
*
|
|
* @summary - audit_write() is the basis for the other audit_write_*()
|
|
* calls. Performs a basic write of an audit record (subject, additional
|
|
* info, success/failure). Note that this call only permits logging one
|
|
* caller-specified token; clients needing to log more flexibly must use
|
|
* the existing BSM API (au_open(), et al.) directly.
|
|
*
|
|
* Note on memory management: audit_write() guarantees that the token_t *s
|
|
* passed to it will be deallocated whether or not the underlying write to
|
|
* the audit log succeeded. This addresses an inconsistency in the
|
|
* underlying BSM API in which token_t *s are usually but not always
|
|
* deallocated.
|
|
*
|
|
* @param event_code - The code for the event being logged. This should
|
|
* be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
|
|
*
|
|
* @param subject - A token_t * generated by au_to_subject(),
|
|
* au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
|
|
* required, subject should be NULL.
|
|
*
|
|
* @param misctok - A token_t * generated by one of the au_to_*() BSM API
|
|
* calls. This should correspond to the additional information required by
|
|
* CAPP for the event being audited. If no additional information is
|
|
* required, misctok should be NULL.
|
|
*
|
|
* @param retval - The return value to be logged for this event. This
|
|
* should be 0 (zero) for success, otherwise the value is event-specific.
|
|
*
|
|
* @param errcode - Any error code associated with the return value (e.g.,
|
|
* errno or h_errno). If there was no error, errcode should be 0 (zero).
|
|
*
|
|
* @return - The status of the call: 0 (zero) on success, else one of the
|
|
* kAU*Err values defined above.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_write(short event_code, token_t *subject, token_t *misctok,
|
|
char retval, int errcode);
|
|
|
|
/*
|
|
* audit_write_success()
|
|
*
|
|
* @summary - audit_write_success() records an auditable event that did not
|
|
* encounter an error. The interface is designed to require as little
|
|
* direct use of the au_to_*() API as possible. It builds a subject token
|
|
* from the information passed in and uses that to invoke audit_write().
|
|
* A subject, as defined by CAPP, is a process acting on the user's behalf.
|
|
*
|
|
* If the subject information is the same as the current process, use
|
|
* au_write_success_self().
|
|
*
|
|
* @param event_code - The code for the event being logged. This should
|
|
* be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
|
|
*
|
|
* @param misctok - A token_t * generated by one of the au_to_*() BSM API
|
|
* calls. This should correspond to the additional information required by
|
|
* CAPP for the event being audited. If no additional information is
|
|
* required, misctok should be NULL.
|
|
*
|
|
* @param auid - The subject's audit ID.
|
|
*
|
|
* @param euid - The subject's effective user ID.
|
|
*
|
|
* @param egid - The subject's effective group ID.
|
|
*
|
|
* @param ruid - The subject's real user ID.
|
|
*
|
|
* @param rgid - The subject's real group ID.
|
|
*
|
|
* @param pid - The subject's process ID.
|
|
*
|
|
* @param sid - The subject's session ID.
|
|
*
|
|
* @param tid - The subject's terminal ID.
|
|
*
|
|
* @return - The status of the call: 0 (zero) on success, else one of the
|
|
* kAU*Err values defined above.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
|
|
uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
|
|
au_asid_t sid, au_tid_t *tid);
|
|
|
|
/*
|
|
* audit_write_success_self()
|
|
*
|
|
* @summary - Similar to audit_write_success(), but used when the subject
|
|
* (process) is owned and operated by the auditable user him/herself.
|
|
*
|
|
* @param event_code - The code for the event being logged. This should
|
|
* be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
|
|
*
|
|
* @param misctok - A token_t * generated by one of the au_to_*() BSM API
|
|
* calls. This should correspond to the additional information required by
|
|
* CAPP for the event being audited. If no additional information is
|
|
* required, misctok should be NULL.
|
|
*
|
|
* @return - The status of the call: 0 (zero) on success, else one of the
|
|
* kAU*Err values defined above.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_write_success_self(short event_code, token_t *misctok);
|
|
|
|
/*
|
|
* audit_write_failure()
|
|
*
|
|
* @summary - audit_write_failure() records an auditable event that
|
|
* encountered an error. The interface is designed to require as little
|
|
* direct use of the au_to_*() API as possible. It builds a subject token
|
|
* from the information passed in and uses that to invoke audit_write().
|
|
* A subject, as defined by CAPP, is a process acting on the user's behalf.
|
|
*
|
|
* If the subject information is the same as the current process, use
|
|
* au_write_failure_self().
|
|
*
|
|
* @param event_code - The code for the event being logged. This should
|
|
* be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
|
|
*
|
|
* @param errmsg - A text message providing additional information about
|
|
* the event being audited.
|
|
*
|
|
* @param errret - A numerical value providing additional information about
|
|
* the error. This is intended to store the value of errno or h_errno if
|
|
* it's relevant. This can be 0 (zero) if no additional information is
|
|
* available.
|
|
*
|
|
* @param auid - The subject's audit ID.
|
|
*
|
|
* @param euid - The subject's effective user ID.
|
|
*
|
|
* @param egid - The subject's effective group ID.
|
|
*
|
|
* @param ruid - The subject's real user ID.
|
|
*
|
|
* @param rgid - The subject's real group ID.
|
|
*
|
|
* @param pid - The subject's process ID.
|
|
*
|
|
* @param sid - The subject's session ID.
|
|
*
|
|
* @param tid - The subject's terminal ID.
|
|
*
|
|
* @return - The status of the call: 0 (zero) on success, else one of the
|
|
* kAU*Err values defined above.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_write_failure(short event_code, char *errmsg, int errret,
|
|
au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
|
|
pid_t pid, au_asid_t sid, au_tid_t *tid);
|
|
|
|
/*
|
|
* audit_write_failure_self()
|
|
*
|
|
* @summary - Similar to audit_write_failure(), but used when the subject
|
|
* (process) is owned and operated by the auditable user him/herself.
|
|
*
|
|
* @param event_code - The code for the event being logged. This should
|
|
* be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
|
|
*
|
|
* @param errmsg - A text message providing additional information about
|
|
* the event being audited.
|
|
*
|
|
* @param errret - A numerical value providing additional information about
|
|
* the error. This is intended to store the value of errno or h_errno if
|
|
* it's relevant. This can be 0 (zero) if no additional information is
|
|
* available.
|
|
*
|
|
* @return - The status of the call: 0 (zero) on success, else one of the
|
|
* kAU*Err values defined above.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_write_failure_self(short event_code, char *errmsg, int errret);
|
|
|
|
/*
|
|
* audit_write_failure_na()
|
|
*
|
|
* @summary - audit_write_failure_na() records errors during login. Such
|
|
* errors are implicitly non-attributable (i.e., not ascribable to any user).
|
|
*
|
|
* @param event_code - The code for the event being logged. This should
|
|
* be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
|
|
*
|
|
* @param errmsg - A text message providing additional information about
|
|
* the event being audited.
|
|
*
|
|
* @param errret - A numerical value providing additional information about
|
|
* the error. This is intended to store the value of errno or h_errno if
|
|
* it's relevant. This can be 0 (zero) if no additional information is
|
|
* available.
|
|
*
|
|
* @param euid - The subject's effective user ID.
|
|
*
|
|
* @param egid - The subject's effective group ID.
|
|
*
|
|
* @param pid - The subject's process ID.
|
|
*
|
|
* @param tid - The subject's terminal ID.
|
|
*
|
|
* @return - The status of the call: 0 (zero) on success, else one of the
|
|
* kAU*Err values defined above.
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
int audit_write_failure_na(short event_code, char *errmsg, int errret,
|
|
uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
|
|
|
|
/* END au_write() WRAPPERS */
|
|
|
|
#ifdef __APPLE__
|
|
/*
|
|
* audit_token_to_au32()
|
|
*
|
|
* @summary - Extract information from an audit_token_t, used to identify
|
|
* Mach tasks and senders of Mach messages as subjects to the audit system.
|
|
* audit_tokent_to_au32() is the only method that should be used to parse
|
|
* an audit_token_t, since its internal representation may change over
|
|
* time. A pointer parameter may be NULL if that information is not
|
|
* needed.
|
|
*
|
|
* @param atoken - the audit token containing the desired information
|
|
*
|
|
* @param auidp - Pointer to a uid_t; on return will be set to the task or
|
|
* sender's audit user ID
|
|
*
|
|
* @param euidp - Pointer to a uid_t; on return will be set to the task or
|
|
* sender's effective user ID
|
|
*
|
|
* @param egidp - Pointer to a gid_t; on return will be set to the task or
|
|
* sender's effective group ID
|
|
*
|
|
* @param ruidp - Pointer to a uid_t; on return will be set to the task or
|
|
* sender's real user ID
|
|
*
|
|
* @param rgidp - Pointer to a gid_t; on return will be set to the task or
|
|
* sender's real group ID
|
|
*
|
|
* @param pidp - Pointer to a pid_t; on return will be set to the task or
|
|
* sender's process ID
|
|
*
|
|
* @param asidp - Pointer to an au_asid_t; on return will be set to the
|
|
* task or sender's audit session ID
|
|
*
|
|
* @param tidp - Pointer to an au_tid_t; on return will be set to the task
|
|
* or sender's terminal ID
|
|
*
|
|
* XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
|
|
*/
|
|
void audit_token_to_au32(
|
|
audit_token_t atoken,
|
|
uid_t *auidp,
|
|
uid_t *euidp,
|
|
gid_t *egidp,
|
|
uid_t *ruidp,
|
|
gid_t *rgidp,
|
|
pid_t *pidp,
|
|
au_asid_t *asidp,
|
|
au_tid_t *tidp);
|
|
#endif /* !__APPLE__ */
|
|
|
|
__END_DECLS
|
|
|
|
#endif /* !_LIBBSM_H_ */
|