Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
/*-
|
2009-04-19 14:53:17 +00:00
|
|
|
* Copyright (c) 2005-2009 Apple Inc.
|
2005-02-02 14:27:36 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
*
|
2006-02-01 19:54:22 +00:00
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
2008-07-31 09:54:35 +00:00
|
|
|
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
|
2006-02-01 19:54:22 +00:00
|
|
|
* its contributors may be used to endorse or promote products derived
|
|
|
|
* from this software without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
|
|
|
|
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
|
|
|
|
* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
|
|
|
* DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
|
|
|
|
* DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
|
|
|
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
|
|
|
|
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
|
|
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
|
|
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*
|
2005-02-02 14:27:36 +00:00
|
|
|
* $FreeBSD$
|
|
|
|
*/
|
|
|
|
|
2005-05-29 16:11:34 +00:00
|
|
|
#ifndef _BSM_AUDIT_KEVENTS_H_
|
|
|
|
#define _BSM_AUDIT_KEVENTS_H_
|
2005-02-02 14:27:36 +00:00
|
|
|
|
2009-04-19 14:53:17 +00:00
|
|
|
/*
|
2015-12-20 23:22:04 +00:00
|
|
|
* The reserved event numbers for kernel events are 1...2047 and 43001..44999.
|
2009-04-19 14:53:17 +00:00
|
|
|
*/
|
2013-02-11 23:14:54 +00:00
|
|
|
#define AUE_IS_A_KEVENT(e) (((e) > 0 && (e) < 2048) || \
|
|
|
|
((e) > 43000 && (e) < 45000))
|
2009-04-19 14:53:17 +00:00
|
|
|
|
2005-02-02 14:27:36 +00:00
|
|
|
/*
|
2006-02-01 19:54:22 +00:00
|
|
|
* Values marked as AUE_NULL are not required to be audited as per CAPP.
|
|
|
|
*
|
|
|
|
* Some conflicts exist in the assignment of name to event number mappings
|
|
|
|
* between BSM implementations. In general, we prefer the OpenSolaris
|
|
|
|
* definition as we consider Solaris BSM to be authoritative. _DARWIN_ has
|
|
|
|
* been inserted for the Darwin variants. If necessary, other tags will be
|
|
|
|
* added in the future.
|
|
|
|
*/
|
|
|
|
#define AUE_NULL 0
|
|
|
|
#define AUE_EXIT 1
|
|
|
|
#define AUE_FORK 2
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_FORKALL AUE_FORK /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_OPEN 3
|
|
|
|
#define AUE_CREAT 4
|
|
|
|
#define AUE_LINK 5
|
|
|
|
#define AUE_UNLINK 6
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DELETE AUE_UNLINK /* Darwin-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_EXEC 7
|
|
|
|
#define AUE_CHDIR 8
|
|
|
|
#define AUE_MKNOD 9
|
|
|
|
#define AUE_CHMOD 10
|
|
|
|
#define AUE_CHOWN 11
|
|
|
|
#define AUE_UMOUNT 12
|
|
|
|
#define AUE_JUNK 13 /* Solaris-specific. */
|
|
|
|
#define AUE_ACCESS 14
|
|
|
|
#define AUE_KILL 15
|
|
|
|
#define AUE_STAT 16
|
|
|
|
#define AUE_LSTAT 17
|
|
|
|
#define AUE_ACCT 18
|
|
|
|
#define AUE_MCTL 19 /* Solaris-specific. */
|
|
|
|
#define AUE_REBOOT 20 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_SYMLINK 21
|
|
|
|
#define AUE_READLINK 22
|
|
|
|
#define AUE_EXECVE 23
|
|
|
|
#define AUE_CHROOT 24
|
|
|
|
#define AUE_VFORK 25
|
|
|
|
#define AUE_SETGROUPS 26
|
|
|
|
#define AUE_SETPGRP 27
|
|
|
|
#define AUE_SWAPON 28
|
|
|
|
#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_FCNTL 30
|
|
|
|
#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_CONNECT 32
|
|
|
|
#define AUE_ACCEPT 33
|
|
|
|
#define AUE_BIND 34
|
|
|
|
#define AUE_SETSOCKOPT 35
|
|
|
|
#define AUE_VTRACE 36 /* Solaris-specific. */
|
|
|
|
#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_FCHOWN 38
|
|
|
|
#define AUE_FCHMOD 39
|
|
|
|
#define AUE_SETREUID 40
|
|
|
|
#define AUE_SETREGID 41
|
|
|
|
#define AUE_RENAME 42
|
|
|
|
#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_FLOCK 45 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_SHUTDOWN 46
|
|
|
|
#define AUE_MKDIR 47
|
|
|
|
#define AUE_RMDIR 48
|
|
|
|
#define AUE_UTIMES 49
|
|
|
|
#define AUE_ADJTIME 50
|
|
|
|
#define AUE_SETRLIMIT 51
|
|
|
|
#define AUE_KILLPG 52
|
|
|
|
#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_STATFS 54
|
|
|
|
#define AUE_FSTATFS 55
|
|
|
|
#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_ASYNC_DAEMON 57
|
|
|
|
#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_SETDOMAINNAME 59
|
|
|
|
#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_EXPORTFS 61
|
|
|
|
#define AUE_MOUNT 62
|
|
|
|
#define AUE_SEMSYS 63
|
|
|
|
#define AUE_MSGSYS 64
|
|
|
|
#define AUE_SHMSYS 65
|
|
|
|
#define AUE_BSMSYS 66 /* Solaris-specific. */
|
|
|
|
#define AUE_RFSSYS 67 /* Solaris-specific. */
|
|
|
|
#define AUE_FCHDIR 68
|
|
|
|
#define AUE_FCHROOT 69
|
|
|
|
#define AUE_VPIXSYS 70 /* Solaris-specific. */
|
|
|
|
#define AUE_PATHCONF 71
|
|
|
|
#define AUE_OPEN_R 72
|
|
|
|
#define AUE_OPEN_RC 73
|
|
|
|
#define AUE_OPEN_RT 74
|
|
|
|
#define AUE_OPEN_RTC 75
|
|
|
|
#define AUE_OPEN_W 76
|
|
|
|
#define AUE_OPEN_WC 77
|
|
|
|
#define AUE_OPEN_WT 78
|
|
|
|
#define AUE_OPEN_WTC 79
|
|
|
|
#define AUE_OPEN_RW 80
|
|
|
|
#define AUE_OPEN_RWC 81
|
|
|
|
#define AUE_OPEN_RWT 82
|
|
|
|
#define AUE_OPEN_RWTC 83
|
|
|
|
#define AUE_MSGCTL 84
|
|
|
|
#define AUE_MSGCTL_RMID 85
|
|
|
|
#define AUE_MSGCTL_SET 86
|
|
|
|
#define AUE_MSGCTL_STAT 87
|
|
|
|
#define AUE_MSGGET 88
|
|
|
|
#define AUE_MSGRCV 89
|
|
|
|
#define AUE_MSGSND 90
|
|
|
|
#define AUE_SHMCTL 91
|
|
|
|
#define AUE_SHMCTL_RMID 92
|
|
|
|
#define AUE_SHMCTL_SET 93
|
|
|
|
#define AUE_SHMCTL_STAT 94
|
|
|
|
#define AUE_SHMGET 95
|
|
|
|
#define AUE_SHMAT 96
|
|
|
|
#define AUE_SHMDT 97
|
|
|
|
#define AUE_SEMCTL 98
|
|
|
|
#define AUE_SEMCTL_RMID 99
|
|
|
|
#define AUE_SEMCTL_SET 100
|
|
|
|
#define AUE_SEMCTL_STAT 101
|
|
|
|
#define AUE_SEMCTL_GETNCNT 102
|
|
|
|
#define AUE_SEMCTL_GETPID 103
|
|
|
|
#define AUE_SEMCTL_GETVAL 104
|
|
|
|
#define AUE_SEMCTL_GETALL 105
|
|
|
|
#define AUE_SEMCTL_GETZCNT 106
|
|
|
|
#define AUE_SEMCTL_SETVAL 107
|
|
|
|
#define AUE_SEMCTL_SETALL 108
|
|
|
|
#define AUE_SEMGET 109
|
|
|
|
#define AUE_SEMOP 110
|
|
|
|
#define AUE_CORE 111 /* Solaris-specific, currently. */
|
|
|
|
#define AUE_CLOSE 112
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_SYSTEMBOOT 113 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */
|
|
|
|
#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */
|
|
|
|
#define AUE_WRITEL 128 /* Solaris-specific. */
|
|
|
|
#define AUE_WRITEVL 129 /* Solaris-specific. */
|
|
|
|
#define AUE_GETAUID 130
|
|
|
|
#define AUE_SETAUID 131
|
|
|
|
#define AUE_GETAUDIT 132
|
|
|
|
#define AUE_SETAUDIT 133
|
|
|
|
#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */
|
|
|
|
#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITSVC 136 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITUSER 137 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITON 138
|
|
|
|
#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITON_GPOLICY 141
|
|
|
|
#define AUE_AUDITON_SPOLICY 142
|
|
|
|
#define AUE_AUDITON_GQCTRL 145
|
|
|
|
#define AUE_AUDITON_SQCTRL 146
|
|
|
|
#define AUE_GETKERNSTATE 147 /* Solaris-specific. */
|
|
|
|
#define AUE_SETKERNSTATE 148 /* Solaris-specific. */
|
|
|
|
#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_AUDITSTAT 150 /* Solaris-specific. */
|
|
|
|
#define AUE_REVOKE 151
|
|
|
|
#define AUE_MAC 152 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_ENTERPROM 153 /* Solaris-specific. */
|
|
|
|
#define AUE_EXITPROM 154 /* Solaris-specific. */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_IFLOAT 155 /* Solaris-specific. */
|
|
|
|
#define AUE_PFLOAT 156 /* Solaris-specific. */
|
|
|
|
#define AUE_UPRIV 157 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_IOCTL 158
|
|
|
|
#define AUE_SOCKET 183
|
|
|
|
#define AUE_SENDTO 184
|
|
|
|
#define AUE_PIPE 185
|
|
|
|
#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */
|
|
|
|
#define AUE_SEND 187
|
|
|
|
#define AUE_SENDMSG 188
|
|
|
|
#define AUE_RECV 189
|
|
|
|
#define AUE_RECVMSG 190
|
|
|
|
#define AUE_RECVFROM 191
|
|
|
|
#define AUE_READ 192
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_GETDENTS 193
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_LSEEK 194
|
|
|
|
#define AUE_WRITE 195
|
|
|
|
#define AUE_WRITEV 196
|
|
|
|
#define AUE_NFS 197 /* Solaris-specific. */
|
|
|
|
#define AUE_READV 198
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_OSTAT 199 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */
|
|
|
|
#define AUE_STIME 201 /* XXXRW: Solaris old stime? */
|
|
|
|
#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */
|
|
|
|
#define AUE_NICE 203 /* XXXRW: Solaris old nice? */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_OSETPGRP 204 /* Solaris-specific. */
|
|
|
|
#define AUE_SETGID 205
|
|
|
|
#define AUE_READL 206 /* Solaris-specific. */
|
|
|
|
#define AUE_READVL 207 /* Solaris-specific. */
|
|
|
|
#define AUE_FSTAT 208
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_DUP2 209
|
|
|
|
#define AUE_MMAP 210
|
|
|
|
#define AUE_AUDIT 211
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_PRIOCNTLSYS 212 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_MUNMAP 213
|
|
|
|
#define AUE_SETEGID 214
|
|
|
|
#define AUE_SETEUID 215
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_PUTMSG 216 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_GETMSG 217 /* Solaris-specific. */
|
|
|
|
#define AUE_PUTPMSG 218 /* Solaris-specific. */
|
|
|
|
#define AUE_GETPMSG 219 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITSYS 220 /* Solaris-specific. */
|
|
|
|
#define AUE_AUDITON_GETKMASK 221
|
|
|
|
#define AUE_AUDITON_SETKMASK 222
|
|
|
|
#define AUE_AUDITON_GETCWD 223
|
|
|
|
#define AUE_AUDITON_GETCAR 224
|
|
|
|
#define AUE_AUDITON_GETSTAT 225
|
|
|
|
#define AUE_AUDITON_SETSTAT 226
|
|
|
|
#define AUE_AUDITON_SETUMASK 227
|
|
|
|
#define AUE_AUDITON_SETSMASK 228
|
|
|
|
#define AUE_AUDITON_GETCOND 229
|
|
|
|
#define AUE_AUDITON_SETCOND 230
|
|
|
|
#define AUE_AUDITON_GETCLASS 231
|
|
|
|
#define AUE_AUDITON_SETCLASS 232
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_FUSERS 233 /* Solaris-specific; also UTSSYS? */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_STATVFS 234
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_XSTAT 235 /* Solaris-specific. */
|
|
|
|
#define AUE_LXSTAT 236 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_LCHOWN 237
|
|
|
|
#define AUE_MEMCNTL 238 /* Solaris-specific. */
|
|
|
|
#define AUE_SYSINFO 239 /* Solaris-specific. */
|
|
|
|
#define AUE_XMKNOD 240 /* Solaris-specific. */
|
|
|
|
#define AUE_FORK1 241
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_MODCTL 242 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_MODLOAD 243
|
|
|
|
#define AUE_MODUNLOAD 244
|
|
|
|
#define AUE_MODCONFIG 245 /* Solaris-specific. */
|
|
|
|
#define AUE_MODADDMAJ 246 /* Solaris-specific. */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_SOCKACCEPT 247 /* Solaris-specific. */
|
|
|
|
#define AUE_SOCKCONNECT 248 /* Solaris-specific. */
|
|
|
|
#define AUE_SOCKSEND 249 /* Solaris-specific. */
|
|
|
|
#define AUE_SOCKRECEIVE 250 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_ACLSET 251
|
|
|
|
#define AUE_FACLSET 252
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DOORFS 253 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */
|
|
|
|
#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */
|
|
|
|
#define AUE_P_ONLINE 262 /* Solaris-specific. */
|
|
|
|
#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */
|
|
|
|
#define AUE_INST_SYNC 264 /* Solaris-specific. */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_SOCKCONFIG 265 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_SETAUDIT_ADDR 266
|
|
|
|
#define AUE_GETAUDIT_ADDR 267
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_UMOUNT2 268 /* Solaris-specific. */
|
|
|
|
#define AUE_FSAT 269 /* Solaris-specific. */
|
|
|
|
#define AUE_OPENAT_R 270
|
|
|
|
#define AUE_OPENAT_RC 271
|
|
|
|
#define AUE_OPENAT_RT 272
|
|
|
|
#define AUE_OPENAT_RTC 273
|
|
|
|
#define AUE_OPENAT_W 274
|
|
|
|
#define AUE_OPENAT_WC 275
|
|
|
|
#define AUE_OPENAT_WT 276
|
|
|
|
#define AUE_OPENAT_WTC 277
|
|
|
|
#define AUE_OPENAT_RW 278
|
|
|
|
#define AUE_OPENAT_RWC 279
|
|
|
|
#define AUE_OPENAT_RWT 280
|
|
|
|
#define AUE_OPENAT_RWTC 281
|
|
|
|
#define AUE_RENAMEAT 282
|
|
|
|
#define AUE_FSTATAT 283
|
|
|
|
#define AUE_FCHOWNAT 284
|
|
|
|
#define AUE_FUTIMESAT 285
|
|
|
|
#define AUE_UNLINKAT 286
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_CLOCK_SETTIME 287
|
|
|
|
#define AUE_NTP_ADJTIME 288
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_SETPPRIV 289 /* Solaris-specific. */
|
|
|
|
#define AUE_MODDEVPLCY 290 /* Solaris-specific. */
|
|
|
|
#define AUE_MODADDPRIV 291 /* Solaris-specific. */
|
|
|
|
#define AUE_CRYPTOADM 292 /* Solaris-specific. */
|
|
|
|
#define AUE_CONFIGKSSL 293 /* Solaris-specific. */
|
|
|
|
#define AUE_BRANDSYS 294 /* Solaris-specific. */
|
|
|
|
#define AUE_PF_POLICY_ADDRULE 295 /* Solaris-specific. */
|
|
|
|
#define AUE_PF_POLICY_DELRULE 296 /* Solaris-specific. */
|
|
|
|
#define AUE_PF_POLICY_CLONE 297 /* Solaris-specific. */
|
|
|
|
#define AUE_PF_POLICY_FLIP 298 /* Solaris-specific. */
|
|
|
|
#define AUE_PF_POLICY_FLUSH 299 /* Solaris-specific. */
|
|
|
|
#define AUE_PF_POLICY_ALGS 300 /* Solaris-specific. */
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_PORTFS 301 /* Solaris-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
|
|
|
|
/*
|
2006-08-26 08:17:58 +00:00
|
|
|
* Events added for Apple Darwin that potentially collide with future Solaris
|
|
|
|
* BSM events. These are assigned AUE_DARWIN prefixes, and are deprecated in
|
|
|
|
* new trails. Systems generating these events should switch to the new
|
|
|
|
* identifiers that avoid colliding with the Solaris identifier space.
|
2006-02-01 19:54:22 +00:00
|
|
|
*/
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_DARWIN_GETFSSTAT 301
|
|
|
|
#define AUE_DARWIN_PTRACE 302
|
|
|
|
#define AUE_DARWIN_CHFLAGS 303
|
|
|
|
#define AUE_DARWIN_FCHFLAGS 304
|
|
|
|
#define AUE_DARWIN_PROFILE 305
|
|
|
|
#define AUE_DARWIN_KTRACE 306
|
|
|
|
#define AUE_DARWIN_SETLOGIN 307
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DARWIN_REBOOT 308
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_DARWIN_REVOKE 309
|
|
|
|
#define AUE_DARWIN_UMASK 310
|
|
|
|
#define AUE_DARWIN_MPROTECT 311
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DARWIN_SETPRIORITY 312
|
|
|
|
#define AUE_DARWIN_SETTIMEOFDAY 313
|
|
|
|
#define AUE_DARWIN_FLOCK 314
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_DARWIN_MKFIFO 315
|
|
|
|
#define AUE_DARWIN_POLL 316
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DARWIN_SOCKETPAIR 317
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_DARWIN_FUTIMES 318
|
|
|
|
#define AUE_DARWIN_SETSID 319
|
|
|
|
#define AUE_DARWIN_SETPRIVEXEC 320 /* Darwin-specific. */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DARWIN_NFSSVC 321
|
|
|
|
#define AUE_DARWIN_GETFH 322
|
|
|
|
#define AUE_DARWIN_QUOTACTL 323
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_DARWIN_ADDPROFILE 324 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_KDEBUGTRACE 325 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_KDBUGTRACE AUE_KDEBUGTRACE
|
|
|
|
#define AUE_DARWIN_FSTAT 326
|
|
|
|
#define AUE_DARWIN_FPATHCONF 327
|
|
|
|
#define AUE_DARWIN_GETDIRENTRIES 328
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_DARWIN_TRUNCATE 329
|
|
|
|
#define AUE_DARWIN_FTRUNCATE 330
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_DARWIN_SYSCTL 331
|
|
|
|
#define AUE_DARWIN_MLOCK 332
|
|
|
|
#define AUE_DARWIN_MUNLOCK 333
|
|
|
|
#define AUE_DARWIN_UNDELETE 334
|
|
|
|
#define AUE_DARWIN_GETATTRLIST 335 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_SETATTRLIST 336 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_GETDIRENTRIESATTR 337 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_EXCHANGEDATA 338 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_SEARCHFS 339 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_MINHERIT 340
|
|
|
|
#define AUE_DARWIN_SEMCONFIG 341
|
|
|
|
#define AUE_DARWIN_SEMOPEN 342
|
|
|
|
#define AUE_DARWIN_SEMCLOSE 343
|
|
|
|
#define AUE_DARWIN_SEMUNLINK 344
|
|
|
|
#define AUE_DARWIN_SHMOPEN 345
|
|
|
|
#define AUE_DARWIN_SHMUNLINK 346
|
|
|
|
#define AUE_DARWIN_LOADSHFILE 347 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_RESETSHFILE 348 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_NEWSYSTEMSHREG 349 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_PTHREADKILL 350 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_PTHREADSIGMASK 351 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_AUDITCTL 352
|
|
|
|
#define AUE_DARWIN_RFORK 353
|
|
|
|
#define AUE_DARWIN_LCHMOD 354
|
|
|
|
#define AUE_DARWIN_SWAPOFF 355
|
|
|
|
#define AUE_DARWIN_INITPROCESS 356 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_MAPFD 357 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_TASKFORPID 358 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_PIDFORTASK 359 /* Darwin-specific. */
|
|
|
|
#define AUE_DARWIN_SYSCTL_NONADMIN 360
|
|
|
|
#define AUE_DARWIN_COPYFILE 361 /* Darwin-specific. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Audit event identifiers added as part of OpenBSM, generally corresponding
|
|
|
|
* to events in FreeBSD, Darwin, and Linux that were not present in Solaris.
|
|
|
|
* These often duplicate events added to the Solaris set by Darwin, but use
|
|
|
|
* event identifiers in a higher range in order to avoid colliding with
|
|
|
|
* future Solaris additions.
|
2007-07-22 12:28:13 +00:00
|
|
|
*
|
|
|
|
* If an event in this section is later added to Solaris, we prefer the
|
|
|
|
* Solaris event identifier, and add _OPENBSM_ to the OpenBSM-specific
|
|
|
|
* identifier so that old trails can still be processed, but new trails use
|
|
|
|
* the Solaris identifier.
|
2006-08-26 08:17:58 +00:00
|
|
|
*/
|
|
|
|
#define AUE_GETFSSTAT 43001
|
|
|
|
#define AUE_PTRACE 43002
|
|
|
|
#define AUE_CHFLAGS 43003
|
|
|
|
#define AUE_FCHFLAGS 43004
|
|
|
|
#define AUE_PROFILE 43005
|
|
|
|
#define AUE_KTRACE 43006
|
|
|
|
#define AUE_SETLOGIN 43007
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_OPENBSM_REVOKE 43008 /* Solaris event now preferred. */
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_UMASK 43009
|
|
|
|
#define AUE_MPROTECT 43010
|
|
|
|
#define AUE_MKFIFO 43011
|
|
|
|
#define AUE_POLL 43012
|
|
|
|
#define AUE_FUTIMES 43013
|
|
|
|
#define AUE_SETSID 43014
|
|
|
|
#define AUE_SETPRIVEXEC 43015 /* Darwin-specific. */
|
|
|
|
#define AUE_ADDPROFILE 43016 /* Darwin-specific. */
|
|
|
|
#define AUE_KDEBUGTRACE 43017 /* Darwin-specific. */
|
|
|
|
#define AUE_KDBUGTRACE AUE_KDEBUGTRACE
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_OPENBSM_FSTAT 43018 /* Solaris event now preferred. */
|
2006-08-26 08:17:58 +00:00
|
|
|
#define AUE_FPATHCONF 43019
|
|
|
|
#define AUE_GETDIRENTRIES 43020
|
|
|
|
#define AUE_SYSCTL 43021
|
|
|
|
#define AUE_MLOCK 43022
|
|
|
|
#define AUE_MUNLOCK 43023
|
|
|
|
#define AUE_UNDELETE 43024
|
|
|
|
#define AUE_GETATTRLIST 43025 /* Darwin-specific. */
|
|
|
|
#define AUE_SETATTRLIST 43026 /* Darwin-specific. */
|
|
|
|
#define AUE_GETDIRENTRIESATTR 43027 /* Darwin-specific. */
|
|
|
|
#define AUE_EXCHANGEDATA 43028 /* Darwin-specific. */
|
|
|
|
#define AUE_SEARCHFS 43029 /* Darwin-specific. */
|
|
|
|
#define AUE_MINHERIT 43030
|
|
|
|
#define AUE_SEMCONFIG 43031
|
|
|
|
#define AUE_SEMOPEN 43032
|
|
|
|
#define AUE_SEMCLOSE 43033
|
|
|
|
#define AUE_SEMUNLINK 43034
|
|
|
|
#define AUE_SHMOPEN 43035
|
|
|
|
#define AUE_SHMUNLINK 43036
|
|
|
|
#define AUE_LOADSHFILE 43037 /* Darwin-specific. */
|
|
|
|
#define AUE_RESETSHFILE 43038 /* Darwin-specific. */
|
|
|
|
#define AUE_NEWSYSTEMSHREG 43039 /* Darwin-specific. */
|
|
|
|
#define AUE_PTHREADKILL 43040 /* Darwin-specific. */
|
|
|
|
#define AUE_PTHREADSIGMASK 43041 /* Darwin-specific. */
|
|
|
|
#define AUE_AUDITCTL 43042
|
|
|
|
#define AUE_RFORK 43043
|
|
|
|
#define AUE_LCHMOD 43044
|
|
|
|
#define AUE_SWAPOFF 43045
|
|
|
|
#define AUE_INITPROCESS 43046 /* Darwin-specific. */
|
|
|
|
#define AUE_MAPFD 43047 /* Darwin-specific. */
|
|
|
|
#define AUE_TASKFORPID 43048 /* Darwin-specific. */
|
|
|
|
#define AUE_PIDFORTASK 43049 /* Darwin-specific. */
|
|
|
|
#define AUE_SYSCTL_NONADMIN 43050
|
|
|
|
#define AUE_COPYFILE 43051 /* Darwin-specific. */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Events added to OpenBSM for FreeBSD and Linux; may also be used by Darwin
|
|
|
|
* in the future.
|
|
|
|
*/
|
|
|
|
#define AUE_LUTIMES 43052
|
|
|
|
#define AUE_LCHFLAGS 43053 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SENDFILE 43054 /* BSD/Linux-specific. */
|
|
|
|
#define AUE_USELIB 43055 /* Linux-specific. */
|
|
|
|
#define AUE_GETRESUID 43056
|
|
|
|
#define AUE_SETRESUID 43057
|
|
|
|
#define AUE_GETRESGID 43058
|
|
|
|
#define AUE_SETRESGID 43059
|
|
|
|
#define AUE_WAIT4 43060 /* FreeBSD-specific. */
|
|
|
|
#define AUE_LGETFH 43061 /* FreeBSD-specific. */
|
|
|
|
#define AUE_FHSTATFS 43062 /* FreeBSD-specific. */
|
|
|
|
#define AUE_FHOPEN 43063 /* FreeBSD-specific. */
|
|
|
|
#define AUE_FHSTAT 43064 /* FreeBSD-specific. */
|
|
|
|
#define AUE_JAIL 43065 /* FreeBSD-specific. */
|
|
|
|
#define AUE_EACCESS 43066 /* FreeBSD-specific. */
|
|
|
|
#define AUE_KQUEUE 43067 /* FreeBSD-specific. */
|
|
|
|
#define AUE_KEVENT 43068 /* FreeBSD-specific. */
|
|
|
|
#define AUE_FSYNC 43069
|
|
|
|
#define AUE_NMOUNT 43070 /* FreeBSD-specific. */
|
|
|
|
#define AUE_BDFLUSH 43071 /* Linux-specific. */
|
|
|
|
#define AUE_SETFSUID 43072 /* Linux-specific. */
|
|
|
|
#define AUE_SETFSGID 43073 /* Linux-specific. */
|
|
|
|
#define AUE_PERSONALITY 43074 /* Linux-specific. */
|
|
|
|
#define AUE_SCHED_GETSCHEDULER 43075 /* POSIX.1b. */
|
|
|
|
#define AUE_SCHED_SETSCHEDULER 43076 /* POSIX.1b. */
|
|
|
|
#define AUE_PRCTL 43077 /* Linux-specific. */
|
|
|
|
#define AUE_GETCWD 43078 /* FreeBSD/Linux-specific. */
|
|
|
|
#define AUE_CAPGET 43079 /* Linux-specific. */
|
|
|
|
#define AUE_CAPSET 43080 /* Linux-specific. */
|
|
|
|
#define AUE_PIVOT_ROOT 43081 /* Linux-specific. */
|
|
|
|
#define AUE_RTPRIO 43082 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SCHED_GETPARAM 43083 /* POSIX.1b. */
|
|
|
|
#define AUE_SCHED_SETPARAM 43084 /* POSIX.1b. */
|
|
|
|
#define AUE_SCHED_GET_PRIORITY_MAX 43085 /* POSIX.1b. */
|
|
|
|
#define AUE_SCHED_GET_PRIORITY_MIN 43086 /* POSIX.1b. */
|
|
|
|
#define AUE_SCHED_RR_GET_INTERVAL 43087 /* POSIX.1b. */
|
|
|
|
#define AUE_ACL_GET_FILE 43088 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_SET_FILE 43089 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_GET_FD 43090 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_SET_FD 43091 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_DELETE_FILE 43092 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_DELETE_FD 43093 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_CHECK_FILE 43094 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_CHECK_FD 43095 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_GET_LINK 43096 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_SET_LINK 43097 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_DELETE_LINK 43098 /* FreeBSD. */
|
|
|
|
#define AUE_ACL_CHECK_LINK 43099 /* FreeBSD. */
|
|
|
|
#define AUE_SYSARCH 43100 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTRCTL 43101 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_GET_FILE 43102 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_SET_FILE 43103 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_LIST_FILE 43104 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_DELETE_FILE 43105 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_GET_FD 43106 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_SET_FD 43107 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_LIST_FD 43108 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_DELETE_FD 43109 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_GET_LINK 43110 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_SET_LINK 43111 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_LIST_LINK 43112 /* FreeBSD. */
|
|
|
|
#define AUE_EXTATTR_DELETE_LINK 43113 /* FreeBSD. */
|
2006-09-21 07:27:02 +00:00
|
|
|
#define AUE_KENV 43114 /* FreeBSD. */
|
|
|
|
#define AUE_JAIL_ATTACH 43115 /* FreeBSD. */
|
|
|
|
#define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */
|
2006-09-25 12:22:07 +00:00
|
|
|
#define AUE_IOPERM 43117 /* Linux. */
|
|
|
|
#define AUE_READDIR 43118 /* Linux. */
|
|
|
|
#define AUE_IOPL 43119 /* Linux. */
|
|
|
|
#define AUE_VM86 43120 /* Linux. */
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_MAC_GET_PROC 43121 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_SET_PROC 43122 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_GET_FD 43123 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_GET_FILE 43124 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_SET_FD 43125 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_SET_FILE 43126 /* FreeBSD/Darwin. */
|
2007-04-16 16:13:10 +00:00
|
|
|
#define AUE_MAC_SYSCALL 43127 /* FreeBSD. */
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_MAC_GET_PID 43128 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_GET_LINK 43129 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_SET_LINK 43130 /* FreeBSD/Darwin. */
|
|
|
|
#define AUE_MAC_EXECVE 43131 /* FreeBSD/Darwin. */
|
2007-04-16 16:13:10 +00:00
|
|
|
#define AUE_GETPATH_FROMFD 43132 /* FreeBSD. */
|
|
|
|
#define AUE_GETPATH_FROMADDR 43133 /* FreeBSD. */
|
|
|
|
#define AUE_MQ_OPEN 43134 /* FreeBSD. */
|
|
|
|
#define AUE_MQ_SETATTR 43135 /* FreeBSD. */
|
|
|
|
#define AUE_MQ_TIMEDRECEIVE 43136 /* FreeBSD. */
|
|
|
|
#define AUE_MQ_TIMEDSEND 43137 /* FreeBSD. */
|
|
|
|
#define AUE_MQ_NOTIFY 43138 /* FreeBSD. */
|
|
|
|
#define AUE_MQ_UNLINK 43139 /* FreeBSD. */
|
|
|
|
#define AUE_LISTEN 43140 /* FreeBSD/Darwin/Linux. */
|
|
|
|
#define AUE_MLOCKALL 43141 /* FreeBSD. */
|
|
|
|
#define AUE_MUNLOCKALL 43142 /* FreeBSD. */
|
2007-07-22 12:28:13 +00:00
|
|
|
#define AUE_CLOSEFROM 43143 /* FreeBSD. */
|
|
|
|
#define AUE_FEXECVE 43144 /* FreeBSD. */
|
|
|
|
#define AUE_FACCESSAT 43145 /* FreeBSD. */
|
|
|
|
#define AUE_FCHMODAT 43146 /* FreeBSD. */
|
|
|
|
#define AUE_LINKAT 43147 /* FreeBSD. */
|
|
|
|
#define AUE_MKDIRAT 43148 /* FreeBSD. */
|
|
|
|
#define AUE_MKFIFOAT 43149 /* FreeBSD. */
|
|
|
|
#define AUE_MKNODAT 43150 /* FreeBSD. */
|
|
|
|
#define AUE_READLINKAT 43151 /* FreeBSD. */
|
|
|
|
#define AUE_SYMLINKAT 43152 /* FreeBSD. */
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_MAC_GETFSSTAT 43153 /* Darwin. */
|
|
|
|
#define AUE_MAC_GET_MOUNT 43154 /* Darwin. */
|
|
|
|
#define AUE_MAC_GET_LCID 43155 /* Darwin. */
|
|
|
|
#define AUE_MAC_GET_LCTX 43156 /* Darwin. */
|
|
|
|
#define AUE_MAC_SET_LCTX 43157 /* Darwin. */
|
|
|
|
#define AUE_MAC_MOUNT 43158 /* Darwin. */
|
|
|
|
#define AUE_GETLCID 43159 /* Darwin. */
|
|
|
|
#define AUE_SETLCID 43160 /* Darwin. */
|
|
|
|
#define AUE_TASKNAMEFORPID 43161 /* Darwin. */
|
|
|
|
#define AUE_ACCESS_EXTENDED 43162 /* Darwin. */
|
|
|
|
#define AUE_CHMOD_EXTENDED 43163 /* Darwin. */
|
|
|
|
#define AUE_FCHMOD_EXTENDED 43164 /* Darwin. */
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_FSTAT_EXTENDED 43165 /* Darwin. */
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_LSTAT_EXTENDED 43166 /* Darwin. */
|
|
|
|
#define AUE_MKDIR_EXTENDED 43167 /* Darwin. */
|
|
|
|
#define AUE_MKFIFO_EXTENDED 43168 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED 43169 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_R 43170 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RC 43171 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RT 43172 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RTC 43173 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_W 43174 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_WC 43175 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_WT 43176 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_WTC 43177 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RW 43178 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RWC 43179 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RWT 43180 /* Darwin. */
|
|
|
|
#define AUE_OPEN_EXTENDED_RWTC 43181 /* Darwin. */
|
|
|
|
#define AUE_STAT_EXTENDED 43182 /* Darwin. */
|
|
|
|
#define AUE_UMASK_EXTENDED 43183 /* Darwin. */
|
|
|
|
#define AUE_OPENAT 43184 /* FreeBSD. */
|
2008-08-24 21:20:35 +00:00
|
|
|
#define AUE_POSIX_OPENPT 43185 /* FreeBSD. */
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_CAP_NEW 43186 /* TrustedBSD. */
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
#define AUE_CAP_RIGHTS_GET 43187 /* TrustedBSD. */
|
Change the cap_rights_t type from uint64_t to a structure that we can extend
in the future in a backward compatible (API and ABI) way.
The cap_rights_t represents capability rights. We used to use one bit to
represent one right, but we are running out of spare bits. Currently the new
structure provides place for 114 rights (so 50 more than the previous
cap_rights_t), but it is possible to grow the structure to hold at least 285
rights, although we can make it even larger if 285 rights won't be enough.
The structure definition looks like this:
struct cap_rights {
uint64_t cr_rights[CAP_RIGHTS_VERSION + 2];
};
The initial CAP_RIGHTS_VERSION is 0.
The top two bits in the first element of the cr_rights[] array contain total
number of elements in the array - 2. This means if those two bits are equal to
0, we have 2 array elements.
The top two bits in all remaining array elements should be 0.
The next five bits in all array elements contain array index. Only one bit is
used and bit position in this five-bits range defines array index. This means
there can be at most five array elements in the future.
To define new right the CAPRIGHT() macro must be used. The macro takes two
arguments - an array index and a bit to set, eg.
#define CAP_PDKILL CAPRIGHT(1, 0x0000000000000800ULL)
We still support aliases that combine few rights, but the rights have to belong
to the same array element, eg:
#define CAP_LOOKUP CAPRIGHT(0, 0x0000000000000400ULL)
#define CAP_FCHMOD CAPRIGHT(0, 0x0000000000002000ULL)
#define CAP_FCHMODAT (CAP_FCHMOD | CAP_LOOKUP)
There is new API to manage the new cap_rights_t structure:
cap_rights_t *cap_rights_init(cap_rights_t *rights, ...);
void cap_rights_set(cap_rights_t *rights, ...);
void cap_rights_clear(cap_rights_t *rights, ...);
bool cap_rights_is_set(const cap_rights_t *rights, ...);
bool cap_rights_is_valid(const cap_rights_t *rights);
void cap_rights_merge(cap_rights_t *dst, const cap_rights_t *src);
void cap_rights_remove(cap_rights_t *dst, const cap_rights_t *src);
bool cap_rights_contains(const cap_rights_t *big, const cap_rights_t *little);
Capability rights to the cap_rights_init(), cap_rights_set(),
cap_rights_clear() and cap_rights_is_set() functions are provided by
separating them with commas, eg:
cap_rights_t rights;
cap_rights_init(&rights, CAP_READ, CAP_WRITE, CAP_FSTAT);
There is no need to terminate the list of rights, as those functions are
actually macros that take care of the termination, eg:
#define cap_rights_set(rights, ...) \
__cap_rights_set((rights), __VA_ARGS__, 0ULL)
void __cap_rights_set(cap_rights_t *rights, ...);
Thanks to using one bit as an array index we can assert in those functions that
there are no two rights belonging to different array elements provided
together. For example this is illegal and will be detected, because CAP_LOOKUP
belongs to element 0 and CAP_PDKILL to element 1:
cap_rights_init(&rights, CAP_LOOKUP | CAP_PDKILL);
Providing several rights that belongs to the same array's element this way is
correct, but is not advised. It should only be used for aliases definition.
This commit also breaks compatibility with some existing Capsicum system calls,
but I see no other way to do that. This should be fine as Capsicum is still
experimental and this change is not going to 9.x.
Sponsored by: The FreeBSD Foundation
2013-09-05 00:09:56 +00:00
|
|
|
#define AUE_CAP_GETRIGHTS AUE_CAP_RIGHTS_GET
|
Vendor import of OpenBSM 1.1 alpha2, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 2
- Include files in OpenBSM are now broken out into two parts: library builds
required solely for user space, and system includes, which may also be
required for use in the kernels of systems integrating OpenBSM. Submitted
by Stacey Son.
- Configure option --with-native-includes allows forcing the use of native
include for system includes, rather than the versions bundled with OpenBSM.
This is intended specifically for platforms that ship OpenBSM, have adapted
versions of the system includes in a kernel source tree, and will use the
OpenBSM build infrastructure with an unmodified OpenBSM distribution,
allowing the customized system includes to be used with the OpenBSM build.
Submitted by Stacey Son.
- Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s
or asprintf(). Added compat/strlcpy.h for Linux.
- Remove compatibility defines for old Darwin token constant names; now only
BSM token names are provided and used.
- Add support for extended header tokens, which contain space for information
on the host generating the record.
- Add support for setting extended host information in the kernel, which is
used for setting host information in extended header tokens. The
audit_control file now supports a "host" parameter which can be used by
auditd to set the information; if not present, the kernel parameters won't
be set and auditd uses unextended headers for records that it generates.
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
matching, such that BSM records that do not match, are selected.
- Fix bug in audit_write() where we commit an incomplete record in the
event there is an error writing the subject token. This was submitted
by Diego Giagio.
- Build support for Mac OS X 10.5.1 submitted by Eric Hall.
- Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed
as arguments to tokens. This patch was submitted by Xin LI.
- Modify the -m option so users can select more then one audit event.
- For Mac OS X, added Mach IPC support for audit trigger messages.
- Fixed a bug in getacna() which resulted in a locking problem on Mac OS X.
- Added LOG_PERROR flag to openlog when -d option is used with auditd.
- AUE events added for Mac OS X Leopard system calls.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-11-13 00:04:15 +00:00
|
|
|
#define AUE_CAP_ENTER 43188 /* TrustedBSD. */
|
|
|
|
#define AUE_CAP_GETMODE 43189 /* TrustedBSD. */
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_POSIX_SPAWN 43190 /* Darwin. */
|
|
|
|
#define AUE_FSGETPATH 43191 /* Darwin. */
|
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
2009-03-02 13:29:18 +00:00
|
|
|
#define AUE_PREAD 43192 /* Darwin/FreeBSD. */
|
|
|
|
#define AUE_PWRITE 43193 /* Darwin/FreeBSD. */
|
2009-04-19 14:53:17 +00:00
|
|
|
#define AUE_FSCTL 43194 /* Darwin. */
|
|
|
|
#define AUE_FFSCTL 43195 /* Darwin. */
|
2009-07-08 15:23:18 +00:00
|
|
|
#define AUE_LPATHCONF 43196 /* FreeBSD. */
|
2009-09-29 21:25:59 +00:00
|
|
|
#define AUE_PDFORK 43197 /* FreeBSD. */
|
|
|
|
#define AUE_PDKILL 43198 /* FreeBSD. */
|
|
|
|
#define AUE_PDGETPID 43199 /* FreeBSD. */
|
|
|
|
#define AUE_PDWAIT 43200 /* FreeBSD. */
|
2012-11-13 12:52:31 +00:00
|
|
|
#define AUE_WAIT6 43201 /* FreeBSD. */
|
Merge Capsicum overhaul:
- Capability is no longer separate descriptor type. Now every descriptor
has set of its own capability rights.
- The cap_new(2) system call is left, but it is no longer documented and
should not be used in new code.
- The new syscall cap_rights_limit(2) should be used instead of
cap_new(2), which limits capability rights of the given descriptor
without creating a new one.
- The cap_getrights(2) syscall is renamed to cap_rights_get(2).
- If CAP_IOCTL capability right is present we can further reduce allowed
ioctls list with the new cap_ioctls_limit(2) syscall. List of allowed
ioctls can be retrived with cap_ioctls_get(2) syscall.
- If CAP_FCNTL capability right is present we can further reduce fcntls
that can be used with the new cap_fcntls_limit(2) syscall and retrive
them with cap_fcntls_get(2).
- To support ioctl and fcntl white-listing the filedesc structure was
heavly modified.
- The audit subsystem, kdump and procstat tools were updated to
recognize new syscalls.
- Capability rights were revised and eventhough I tried hard to provide
backward API and ABI compatibility there are some incompatible changes
that are described in detail below:
CAP_CREATE old behaviour:
- Allow for openat(2)+O_CREAT.
- Allow for linkat(2).
- Allow for symlinkat(2).
CAP_CREATE new behaviour:
- Allow for openat(2)+O_CREAT.
Added CAP_LINKAT:
- Allow for linkat(2). ABI: Reuses CAP_RMDIR bit.
- Allow to be target for renameat(2).
Added CAP_SYMLINKAT:
- Allow for symlinkat(2).
Removed CAP_DELETE. Old behaviour:
- Allow for unlinkat(2) when removing non-directory object.
- Allow to be source for renameat(2).
Removed CAP_RMDIR. Old behaviour:
- Allow for unlinkat(2) when removing directory.
Added CAP_RENAMEAT:
- Required for source directory for the renameat(2) syscall.
Added CAP_UNLINKAT (effectively it replaces CAP_DELETE and CAP_RMDIR):
- Allow for unlinkat(2) on any object.
- Required if target of renameat(2) exists and will be removed by this
call.
Removed CAP_MAPEXEC.
CAP_MMAP old behaviour:
- Allow for mmap(2) with any combination of PROT_NONE, PROT_READ and
PROT_WRITE.
CAP_MMAP new behaviour:
- Allow for mmap(2)+PROT_NONE.
Added CAP_MMAP_R:
- Allow for mmap(PROT_READ).
Added CAP_MMAP_W:
- Allow for mmap(PROT_WRITE).
Added CAP_MMAP_X:
- Allow for mmap(PROT_EXEC).
Added CAP_MMAP_RW:
- Allow for mmap(PROT_READ | PROT_WRITE).
Added CAP_MMAP_RX:
- Allow for mmap(PROT_READ | PROT_EXEC).
Added CAP_MMAP_WX:
- Allow for mmap(PROT_WRITE | PROT_EXEC).
Added CAP_MMAP_RWX:
- Allow for mmap(PROT_READ | PROT_WRITE | PROT_EXEC).
Renamed CAP_MKDIR to CAP_MKDIRAT.
Renamed CAP_MKFIFO to CAP_MKFIFOAT.
Renamed CAP_MKNODE to CAP_MKNODEAT.
CAP_READ old behaviour:
- Allow pread(2).
- Disallow read(2), readv(2) (if there is no CAP_SEEK).
CAP_READ new behaviour:
- Allow read(2), readv(2).
- Disallow pread(2) (CAP_SEEK was also required).
CAP_WRITE old behaviour:
- Allow pwrite(2).
- Disallow write(2), writev(2) (if there is no CAP_SEEK).
CAP_WRITE new behaviour:
- Allow write(2), writev(2).
- Disallow pwrite(2) (CAP_SEEK was also required).
Added convinient defines:
#define CAP_PREAD (CAP_SEEK | CAP_READ)
#define CAP_PWRITE (CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_R (CAP_MMAP | CAP_SEEK | CAP_READ)
#define CAP_MMAP_W (CAP_MMAP | CAP_SEEK | CAP_WRITE)
#define CAP_MMAP_X (CAP_MMAP | CAP_SEEK | 0x0000000000000008ULL)
#define CAP_MMAP_RW (CAP_MMAP_R | CAP_MMAP_W)
#define CAP_MMAP_RX (CAP_MMAP_R | CAP_MMAP_X)
#define CAP_MMAP_WX (CAP_MMAP_W | CAP_MMAP_X)
#define CAP_MMAP_RWX (CAP_MMAP_R | CAP_MMAP_W | CAP_MMAP_X)
#define CAP_RECV CAP_READ
#define CAP_SEND CAP_WRITE
#define CAP_SOCK_CLIENT \
(CAP_CONNECT | CAP_GETPEERNAME | CAP_GETSOCKNAME | CAP_GETSOCKOPT | \
CAP_PEELOFF | CAP_RECV | CAP_SEND | CAP_SETSOCKOPT | CAP_SHUTDOWN)
#define CAP_SOCK_SERVER \
(CAP_ACCEPT | CAP_BIND | CAP_GETPEERNAME | CAP_GETSOCKNAME | \
CAP_GETSOCKOPT | CAP_LISTEN | CAP_PEELOFF | CAP_RECV | CAP_SEND | \
CAP_SETSOCKOPT | CAP_SHUTDOWN)
Added defines for backward API compatibility:
#define CAP_MAPEXEC CAP_MMAP_X
#define CAP_DELETE CAP_UNLINKAT
#define CAP_MKDIR CAP_MKDIRAT
#define CAP_RMDIR CAP_UNLINKAT
#define CAP_MKFIFO CAP_MKFIFOAT
#define CAP_MKNOD CAP_MKNODAT
#define CAP_SOCK_ALL (CAP_SOCK_CLIENT | CAP_SOCK_SERVER)
Sponsored by: The FreeBSD Foundation
Reviewed by: Christoph Mallon <christoph.mallon@gmx.de>
Many aspects discussed with: rwatson, benl, jonathan
ABI compatibility discussed with: kib
2013-03-02 00:53:12 +00:00
|
|
|
#define AUE_CAP_RIGHTS_LIMIT 43202 /* TrustedBSD. */
|
|
|
|
#define AUE_CAP_IOCTLS_LIMIT 43203 /* TrustedBSD. */
|
|
|
|
#define AUE_CAP_IOCTLS_GET 43204 /* TrustedBSD. */
|
|
|
|
#define AUE_CAP_FCNTLS_LIMIT 43205 /* TrustedBSD. */
|
|
|
|
#define AUE_CAP_FCNTLS_GET 43206 /* TrustedBSD. */
|
2013-03-02 21:11:30 +00:00
|
|
|
#define AUE_BINDAT 43207 /* TrustedBSD. */
|
|
|
|
#define AUE_CONNECTAT 43208 /* TrustedBSD. */
|
2013-03-21 22:59:01 +00:00
|
|
|
#define AUE_CHFLAGSAT 43209 /* FreeBSD-specific. */
|
Merge OpenBSM 1.2-alpha5 from vendor branch to FreeBSD -CURRENT:
- Add a new "qsize" parameter in audit_control and the getacqsize(3) API to
query it, allowing to set the kernel's maximum audit queue length.
- Add support to push a mapping between audit event names and event numbers
into the kernel (where supported) using new A_GETEVENT and A_SETEVENT
auditon(2) operations.
- Add audit event identifiers for a number of new (and not-so-new) FreeBSD
system calls including those for asynchronous I/O, thread management, SCTP,
jails, multi-FIB support, and misc. POSIX interfaces such as
posix_fallocate(2) and posix_fadvise(2).
- On operating systems supporting Capsicum, auditreduce(1) and praudit(1) now
run sandboxed.
- Empty "flags" and "naflags" fields are now permitted in audit_control(5).
Many thanks to Christian Brueffer for producing the OpenBSM release and
importing/tagging it in the vendor branch. This release will allow improved
auditing of a range of new FreeBSD functionality, as well as non-traditional
events (e.g., fine-grained I/O auditing) not required by the Orange Book or
Common Criteria.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, AFRL
MFC after: 3 weeks
2017-03-26 21:14:49 +00:00
|
|
|
#define AUE_PREADV 43210 /* FreeBSD-specific. */
|
|
|
|
#define AUE_PWRITEV 43211 /* FreeBSD-specific. */
|
|
|
|
#define AUE_POSIX_FALLOCATE 43212 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_MLOCK 43213 /* FreeBSD-specific. */
|
|
|
|
#define AUE_PROCCTL 43214 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_READ 43215 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_WRITE 43216 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_RETURN 43217 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_SUSPEND 43218 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_CANCEL 43219 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_ERROR 43220 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_WAITCOMPLETE 43221 /* FreeBSD-specific. */
|
|
|
|
#define AUE_AIO_FSYNC 43222 /* FreeBSD-specific. */
|
|
|
|
#define AUE_THR_CREATE 43223 /* FreeBSD-specific. */
|
|
|
|
#define AUE_THR_NEW 43224 /* FreeBSD-specific. */
|
|
|
|
#define AUE_THR_EXIT 43225 /* FreeBSD-specific. */
|
|
|
|
#define AUE_THR_KILL 43226 /* FreeBSD-specific. */
|
|
|
|
#define AUE_THR_KILL2 43227 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SETFIB 43228 /* FreeBSD-specific. */
|
|
|
|
#define AUE_LIO_LISTIO 43229 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SETUGID 43230 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SCTP_PEELOFF 43231 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SCTP_GENERIC_SENDMSG 43232 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SCTP_GENERIC_RECVMSG 43233 /* FreeBSD-specific. */
|
|
|
|
#define AUE_JAIL_GET 43234 /* FreeBSD-specific. */
|
|
|
|
#define AUE_JAIL_SET 43235 /* FreeBSD-specific. */
|
|
|
|
#define AUE_JAIL_REMOVE 43236 /* FreeBSD-specific. */
|
|
|
|
#define AUE_GETLOGINCLASS 43237 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SETLOGINCLASS 43238 /* FreeBSD-specific. */
|
|
|
|
#define AUE_POSIX_FADVISE 43239 /* FreeBSD-specific. */
|
|
|
|
#define AUE_SCTP_GENERIC_SENDMSG_IOV 43240 /* FreeBSD-specific. */
|
2006-02-01 19:54:22 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
|
|
|
|
* normal Solaris BSM identifiers. _O_ refers to it being an old, or compat
|
|
|
|
* interface. In most cases, Darwin has never implemented these system calls
|
|
|
|
* but picked up the fields in their system call table from their FreeBSD
|
|
|
|
* import. Happily, these have different names than the AUE_O* definitions
|
|
|
|
* in Solaris BSM.
|
|
|
|
*/
|
|
|
|
#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */
|
|
|
|
#define AUE_O_EXECVE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SBREAK AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_LSEEK AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_MOUNT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_UMOUNT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_STAT AUE_STAT /* Darwin */
|
|
|
|
#define AUE_O_LSTAT AUE_LSTAT /* Darwin */
|
|
|
|
#define AUE_O_FSTAT AUE_FSTAT /* Darwin */
|
|
|
|
#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_VREAD AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_VWRITE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_MMAP AUE_MMAP /* Darwin */
|
|
|
|
#define AUE_O_VADVISE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_VHANGUP AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_VLIMIT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_WAIT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */
|
|
|
|
#define AUE_O_GETDOPT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SETDOPT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_ACCEPT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SEND AUE_SENDMSG /* Darwin */
|
|
|
|
#define AUE_O_RECV AUE_RECVMSG /* Darwin */
|
|
|
|
#define AUE_O_VTIMES AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SIGVEC AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SIGSTACK AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */
|
|
|
|
#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */
|
|
|
|
#define AUE_O_VTRACE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_RESUBA AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
|
|
|
|
#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
|
|
|
|
#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
|
2006-02-04 13:22:44 +00:00
|
|
|
#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /* Darwin */
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
|
|
|
|
#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
|
|
|
|
#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETHOSTID AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SETHOSTID AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */
|
|
|
|
#define AUE_O_KILLPG AUE_KILL /* Darwin */
|
|
|
|
#define AUE_O_SETQUOTA AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_QUOTA AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */
|
|
|
|
#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */
|
|
|
|
#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_EXPORTFS AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_USTATE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_WAIT3 AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_RPAUSE AUE_NULL /* Darwin */
|
|
|
|
#define AUE_O_GETDENTS AUE_NULL /* Darwin */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Possible desired future values based on review of BSD/Darwin system calls.
|
2005-02-02 14:27:36 +00:00
|
|
|
*/
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_ATGETMSG AUE_NULL
|
|
|
|
#define AUE_ATPUTMSG AUE_NULL
|
|
|
|
#define AUE_ATSOCKET AUE_NULL
|
|
|
|
#define AUE_ATPGETREQ AUE_NULL
|
|
|
|
#define AUE_ATPGETRSP AUE_NULL
|
|
|
|
#define AUE_ATPSNDREQ AUE_NULL
|
|
|
|
#define AUE_ATPSNDRSP AUE_NULL
|
|
|
|
#define AUE_BSDTHREADCREATE AUE_NULL
|
|
|
|
#define AUE_BSDTHREADTERMINATE AUE_NULL
|
|
|
|
#define AUE_BSDTHREADREGISTER AUE_NULL
|
|
|
|
#define AUE_CHUD AUE_NULL
|
|
|
|
#define AUE_CSOPS AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_DUP AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_FDATASYNC AUE_NULL
|
|
|
|
#define AUE_FGETATTRLIST AUE_NULL
|
|
|
|
#define AUE_FGETXATTR AUE_NULL
|
|
|
|
#define AUE_FLISTXATTR AUE_NULL
|
|
|
|
#define AUE_FREMOVEXATTR AUE_NULL
|
|
|
|
#define AUE_FSETATTRLIST AUE_NULL
|
|
|
|
#define AUE_FSETXATTR AUE_NULL
|
|
|
|
#define AUE_FSTATFS64 AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_FSTATV AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_FSTAT64 AUE_NULL
|
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
2009-03-02 13:29:18 +00:00
|
|
|
#define AUE_FSTAT64_EXTENDED AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_GCCONTROL AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_GETDIRENTRIES64 AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_GETDTABLESIZE AUE_NULL
|
|
|
|
#define AUE_GETEGID AUE_NULL
|
|
|
|
#define AUE_GETEUID AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_GETFSSTAT64 AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_GETGID AUE_NULL
|
|
|
|
#define AUE_GETGROUPS AUE_NULL
|
|
|
|
#define AUE_GETITIMER AUE_NULL
|
|
|
|
#define AUE_GETLOGIN AUE_NULL
|
|
|
|
#define AUE_GETPEERNAME AUE_NULL
|
|
|
|
#define AUE_GETPGID AUE_NULL
|
|
|
|
#define AUE_GETPGRP AUE_NULL
|
|
|
|
#define AUE_GETPID AUE_NULL
|
|
|
|
#define AUE_GETPPID AUE_NULL
|
|
|
|
#define AUE_GETPRIORITY AUE_NULL
|
|
|
|
#define AUE_GETRLIMIT AUE_NULL
|
|
|
|
#define AUE_GETRUSAGE AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_GETSGROUPS AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_GETSID AUE_NULL
|
|
|
|
#define AUE_GETSOCKNAME AUE_NULL
|
|
|
|
#define AUE_GETTIMEOFDAY AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_GETTID AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_GETUID AUE_NULL
|
|
|
|
#define AUE_GETSOCKOPT AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_GETWGROUPS AUE_NULL
|
|
|
|
#define AUE_GETXATTR AUE_NULL
|
|
|
|
#define AUE_IDENTITYSVC AUE_NULL
|
|
|
|
#define AUE_INITGROUPS AUE_NULL
|
|
|
|
#define AUE_IOPOLICYSYS AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_ISSETUGID AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_LIOLISTIO AUE_NULL
|
|
|
|
#define AUE_LISTXATTR AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_LSTATV AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_LSTAT64 AUE_NULL
|
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
2009-03-02 13:29:18 +00:00
|
|
|
#define AUE_LSTAT64_EXTENDED AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_MADVISE AUE_NULL
|
|
|
|
#define AUE_MINCORE AUE_NULL
|
|
|
|
#define AUE_MKCOMPLEX AUE_NULL
|
|
|
|
#define AUE_MODWATCH AUE_NULL
|
|
|
|
#define AUE_MSGCL AUE_NULL
|
|
|
|
#define AUE_MSYNC AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_PROCINFO AUE_NULL
|
|
|
|
#define AUE_PTHREADCANCELED AUE_NULL
|
|
|
|
#define AUE_PTHREADCHDIR AUE_NULL
|
|
|
|
#define AUE_PTHREADCONDBROADCAST AUE_NULL
|
|
|
|
#define AUE_PTHREADCONDDESTORY AUE_NULL
|
|
|
|
#define AUE_PTHREADCONDINIT AUE_NULL
|
|
|
|
#define AUE_PTHREADCONDSIGNAL AUE_NULL
|
|
|
|
#define AUE_PTHREADCONDWAIT AUE_NULL
|
|
|
|
#define AUE_PTHREADFCHDIR AUE_NULL
|
|
|
|
#define AUE_PTHREADMARK AUE_NULL
|
|
|
|
#define AUE_PTHREADMUTEXDESTROY AUE_NULL
|
|
|
|
#define AUE_PTHREADMUTEXINIT AUE_NULL
|
|
|
|
#define AUE_PTHREADMUTEXTRYLOCK AUE_NULL
|
|
|
|
#define AUE_PTHREADMUTEXUNLOCK AUE_NULL
|
|
|
|
#define AUE_REMOVEXATTR AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_SBRK AUE_NULL
|
|
|
|
#define AUE_SELECT AUE_NULL
|
|
|
|
#define AUE_SEMDESTROY AUE_NULL
|
|
|
|
#define AUE_SEMGETVALUE AUE_NULL
|
|
|
|
#define AUE_SEMINIT AUE_NULL
|
|
|
|
#define AUE_SEMPOST AUE_NULL
|
|
|
|
#define AUE_SEMTRYWAIT AUE_NULL
|
|
|
|
#define AUE_SEMWAIT AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_SEMWAITSIGNAL AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_SETITIMER AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_SETSGROUPS AUE_NULL
|
|
|
|
#define AUE_SETTID AUE_NULL
|
|
|
|
#define AUE_SETTIDWITHPID AUE_NULL
|
|
|
|
#define AUE_SETWGROUPS AUE_NULL
|
|
|
|
#define AUE_SETXATTR AUE_NULL
|
|
|
|
#define AUE_SHAREDREGIONCHECK AUE_NULL
|
|
|
|
#define AUE_SHAREDREGIONMAP AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_SIGACTION AUE_NULL
|
|
|
|
#define AUE_SIGALTSTACK AUE_NULL
|
|
|
|
#define AUE_SIGPENDING AUE_NULL
|
|
|
|
#define AUE_SIGPROCMASK AUE_NULL
|
|
|
|
#define AUE_SIGRETURN AUE_NULL
|
|
|
|
#define AUE_SIGSUSPEND AUE_NULL
|
|
|
|
#define AUE_SIGWAIT AUE_NULL
|
|
|
|
#define AUE_SSTK AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_STACKSNAPSHOT AUE_NULL
|
|
|
|
#define AUE_STATFS64 AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_STATV AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_STAT64 AUE_NULL
|
Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).
OpenBSM history for imported revision below for reference.
MFC after: 1 month
Sponsored by: Apple, Inc.
Obtained from: TrustedBSD Project
OpenBSM 1.1 beta 1
- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added. It is configured in
audit_control(5) with the expire-after parameter. If there is no
expire-after parameter in audit_control(5), the default, then the audit
trail files are not expired and removed. See audit_control(5) for
more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
partitions, rotate automatically at 2mb, and set the default policy to
cnt,argv rather than cnt so that execve(2) arguments are captured if
AUE_EXECVE events are audited. These may provide more usable defaults for
many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
2009-03-02 13:29:18 +00:00
|
|
|
#define AUE_STAT64_EXTENDED AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_SYNC AUE_NULL
|
|
|
|
#define AUE_SYSCALL AUE_NULL
|
|
|
|
#define AUE_TABLE AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_VMPRESSUREMONITOR AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_WAITEVENT AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_WAITID AUE_NULL
|
2006-02-01 19:54:22 +00:00
|
|
|
#define AUE_WATCHEVENT AUE_NULL
|
Vendor import of OpenBSM 1.1 alpha4, which incorporates the following
changes since the last imported OpenBSM release:
OpenBSM 1.1 alpha 4
- With the addition of BSM error number mapping, we also need to map the
local error number passed to audit_submit(3) to a BSM error number,
rather than have the caller perform that conversion.
- Reallocate user audit events to avoid collisions with Solaris; adopt a
more formal allocation scheme, and add some events allocated in Solaris
that will be of immediate use on other platforms.
- Add an event for Calife.
- Add au_strerror(3), which allows generating strings for BSM errors
directly, rather than requiring applications to map to the local error
space, which might not be able to entirely represent the BSM error
number space.
- Major auditd rewrite for launchd(8) support. Add libauditd library
that is shared between launchd and auditd.
- Add AUDIT_TRIGGER_INITIALIZE trigger (sent via 'audit -i') for
(re)starting auditing under launchd(8) on Mac OS X.
- Add 'current' symlink to active audit trail.
- Add crash recovery of previous audit trail file when detected on audit
startup that it has not been properly terminated.
- Add the event AUE_audit_recovery to indicated when an audit trail file
has been recovered from not being properly terminated. This event is
stored in the new audit trail file and includes the path of recovered
audit trail file.
- Mac OS X and FreeBSD dependent code in auditd.c is separated into
auditd_darwin.c and auditd_fbsd.c files.
- Add an event for the posix_spawn(2) and fsgetpath(2) Mac OS X system
calls.
- For Mac OS X, we use ASL(3) instead of syslog(3) for logging.
- Add support for NOTICE level logging.
OpenBSM 1.1 alpha 3
- Add two new functions, au_bsm_to_errno() and au_errno_to_bsm(), to map
between BSM error numbers (largely the Solaris definitions) and local
errno(2) values for 32-bit and 64-bit return tokens. This is required
as operating systems don't agree on some of the values of more recent
error numbers.
- Fix a bug how au_to_exec_args(3) and au_to_exec_env(3) calculates the
total size for the token. This bug resulted in "unknown" tokens being
printed after the exec args/env tokens.
- Support for AUT_SOCKET_EX extended socket tokens, which describe a
socket using a pair of IPv4/IPv6 and port tuples.
- OpenBSM BSM file header version bumped for 1.1 release.
- Deprecated Darwin constants, such as TRAILER_PAD_MAGIC, removed.
Obtained from: TrustedBSD Project
Sponsored by: Apple Inc.
2008-12-28 22:40:42 +00:00
|
|
|
#define AUE_WORKQOPEN AUE_NULL
|
|
|
|
#define AUE_WORKQOPS AUE_NULL
|
2005-02-02 14:27:36 +00:00
|
|
|
|
2005-05-29 16:11:34 +00:00
|
|
|
#endif /* !_BSM_AUDIT_KEVENTS_H_ */
|