freebsd-skq/contrib/openbsm/bsm/auditd_lib.h
rwatson ee5318d543 Merge OpenBSM 1.1 beta 1 from OpenBSM vendor branch to head, both
contrib/openbsm (svn merge) and src/sys/{bsm,security/audit} (manual
merge).

OpenBSM history for imported revision below for reference.

MFC after:      1 month
Sponsored by:   Apple, Inc.
Obtained from:  TrustedBSD Project

OpenBSM 1.1 beta 1

- The filesz parameter in audit_control(5) now accepts suffixes: 'B' for
  Bytes, 'K' for Kilobytes, 'M' for Megabytes, and 'G' for Gigabytes.
  For legacy support no suffix defaults to bytes.
- Audit trail log expiration support added.  It is configured in
  audit_control(5) with the expire-after parameter.  If there is no
  expire-after parameter in audit_control(5), the default, then the audit
  trail files are not expired and removed.  See audit_control(5) for
  more information.
- Change defaults in audit_control: warn at 5% rather than 20% free for audit
  partitions, rotate automatically at 2mb, and set the default policy to
  cnt,argv rather than cnt so that execve(2) arguments are captured if
  AUE_EXECVE events are audited.  These may provide more usable defaults for
  many users.
- Use au_domain_to_bsm(3) and au_socket_type_to_bsm(3) to convert
  au_to_socket_ex(3) arguments to BSM format.
- Fix error encoding AUT_IPC_PERM tokens.
2009-03-02 13:29:18 +00:00

108 lines
4.3 KiB
C

/*-
* Copyright (c) 2008 Apple Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of Apple Inc. ("Apple") nor the names of
* its contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
* ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
* $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
*/
#ifndef _BSM_AUDITD_LIB_H_
#define _BSM_AUDITD_LIB_H_
/*
* Lengths for audit trail file components.
*/
#define NOT_TERMINATED "not_terminated"
#define CRASH_RECOVERY "crash_recovery"
#define POSTFIX_LEN (sizeof("YYYYMMDDhhmmss") - 1)
#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2)
#define TIMESTAMP_LEN (POSTFIX_LEN + 1)
/*
* Macro to generate the timestamp string for trail file.
*/
#define getTSstr(t, b, l) \
( (((t) = time(0)) == (time_t)-1 ) || \
!strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)) ) ) ? -1 : 0
/*
* The symbolic link to the currently active audit trail file.
*/
#define AUDIT_CURRENT_LINK "/var/audit/current"
/*
* Path of auditd plist file for launchd.
*/
#define AUDITD_PLIST_FILE \
"/System/Library/LaunchDaemons/com.apple.auditd.plist"
/*
* Error return codes for auditd_lib functions.
*/
#define ADE_NOERR 0 /* No Error or Success. */
#define ADE_PARSE -1 /* Error parsing audit_control(5). */
#define ADE_AUDITON -2 /* auditon(2) call failed. */
#define ADE_NOMEM -3 /* Error allocating memory. */
#define ADE_SOFTLIM -4 /* All audit log directories over soft limit. */
#define ADE_HARDLIM -5 /* All audit log directories over hard limit. */
#define ADE_STRERR -6 /* Error creating file name string. */
#define ADE_AU_OPEN -7 /* au_open(3) failed. */
#define ADE_AU_CLOSE -8 /* au_close(3) failed. */
#define ADE_SETAUDIT -9 /* setaudit(2) or setaudit_addr(2) failed. */
#define ADE_ACTL -10 /* "Soft" error with auditctl(2). */
#define ADE_ACTLERR -11 /* "Hard" error with auditctl(2). */
#define ADE_SWAPERR -12 /* The audit trail file could not be swap. */
#define ADE_RENAME -13 /* Error renaming crash recovery file. */
#define ADE_READLINK -14 /* Error reading 'current' link. */
#define ADE_SYMLINK -15 /* Error creating 'current' link. */
#define ADE_INVAL -16 /* Invalid argument. */
#define ADE_GETADDR -17 /* Error resolving address from hostname. */
#define ADE_ADDRFAM -18 /* Address family not supported. */
#define ADE_EXPIRE -19 /* Error expiring audit trail files. */
/*
* auditd_lib functions.
*/
const char *auditd_strerror(int errcode);
int auditd_set_minfree(void);
int auditd_expire_trails(int (*warn_expired)(char *));
int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
void auditd_close_dirs(void);
int auditd_set_evcmap(void);
int auditd_set_namask(void);
int auditd_set_policy(void);
int auditd_set_fsize(void);
int auditd_set_host(void);
int auditd_swap_trail(char *TS, char **newfile, gid_t gid,
int (*warn_getacdir)(char *));
int auditd_prevent_audit(void);
int auditd_gen_record(int event, char *path);
int auditd_new_curlink(char *curfile);
int audit_quick_start(void);
int audit_quick_stop(void);
#endif /* !_BSM_AUDITD_LIB_H_ */