Initial vendor import of the TrustedBSD OpenBSM distribution, version

1.0 alpha 1, an implementation of the documented Sun Basic Security
Module (BSM) Audit API and file format, as well as local extensions to
support the Mac OS X and FreeBSD operating systems.  Also included are
command line tools for audit trail reduction and conversion to text,
as well as documentation of the commands, file format, and APIs.  This
distribution is the foundation for the TrustedBSD Audit implementation,
and is a pre-release.

This is the first in a series of commits to introduce support for
Common Criteria CAPP security event audit support.

This software has been made possible through the generous
contributions of Apple Computer, Inc., SPARTA, Inc., as well as
members of the TrustedBSD Project, including Wayne Salamon <wsalamon>
and Tom Rhodes <trhodes>.  The original OpenBSM implementation was
created by McAfee Research under contract to Apple Computer, Inc., as
part of their CC CAPP security evaluation.

Many thanks to:	wsalamon, trhodes
Obtained from:	TrustedBSD Project

7 files changed, 2544 insertions, 0 deletions

diff --git a/contrib/openbsm/bsm/Makefile b/contrib/openbsm/bsm/Makefile
new file mode 100644
index 0000000..ba63701
--- /dev/null
+++ b/contrib/openbsm/bsm/Makefile
@@ -0,0 +1,22 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $
+#
+
+INCS=	audit.h								\
+	audit_internal.h						\
+	audit_kevents.h							\
+	audit_record.h							\
+	audit_uevents.h							\
+	libbsm.h
+
+TARGET=	${DESTDIR}/usr/include/bsm
+
+all:
+default:
+depend:
+clean:
+
+install:
+	mkdir -p -m 0755 ${TARGET}
+	install -o root -g wheel -m 0644 ${INCS} ${TARGET}
+
diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h
new file mode 100644
index 0000000..1d208c1
--- /dev/null
+++ b/contrib/openbsm/bsm/audit.h
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_H
+#define	_BSM_AUDIT_H
+
+#define	AUDIT_RECORD_MAGIC	0x828a0f1b
+#define	MAX_AUDIT_RECORDS	20
+#define	MAX_AUDIT_RECORD_SIZE	4096
+#define	MIN_AUDIT_FILE_SIZE	(512 * 1024)
+
+/*
+ * Triggers for the audit daemon
+ */
+#define	AUDIT_TRIGGER_MIN		1
+#define	AUDIT_TRIGGER_LOW_SPACE		1
+#define	AUDIT_TRIGGER_OPEN_NEW		2
+#define	AUDIT_TRIGGER_READ_FILE		3
+#define	AUDIT_TRIGGER_CLOSE_AND_DIE	4
+#define	AUDIT_TRIGGER_NO_SPACE		5
+#define	AUDIT_TRIGGER_MAX		5
+
+/*
+ * File that will be read for trigger events from the kernel
+ */
+#define	AUDIT_TRIGGER_FILE	"/dev/audit"
+
+/*
+ * Pre-defined audit IDs
+ */
+#define	AU_DEFAUDITID	-1
+
+/*
+ * Define the masks for the classes of audit events.
+ */
+#define	AU_NULL		0x00000000
+#define	AU_FREAD	0x00000001
+#define	AU_FWRITE	0x00000002
+#define	AU_FACCESS	0x00000004
+#define	AU_FMODIFY	0x00000008
+#define	AU_FCREATE	0x00000010
+#define	AU_FDELETE	0x00000020
+#define	AU_CLOSE	0x00000040
+#define	AU_PROCESS	0x00000080
+#define	AU_NET		0x00000100
+#define	AU_IPC		0x00000200
+#define	AU_NONAT	0x00000400
+#define	AU_ADMIN	0x00000800
+#define	AU_LOGIN	0x00001000
+#define	AU_TFM		0x00002000
+#define	AU_APPL		0x00004000
+#define	AU_SETL		0x00008000
+#define	AU_IFLOAT	0x00010000
+#define	AU_PRIV		0x00020000
+#define	AU_MAC_RW	0x00040000
+#define	AU_XCONN	0x00080000
+#define	AU_XCREATE	0x00100000
+#define	AU_XDELETE	0x00200000
+#define	AU_XIFLOAT	0x00400000
+#define	AU_XPRIVS	0x00800000
+#define	AU_XPRIVF	0x01000000
+#define	AU_XMOVE	0x02000000
+#define	AU_XDACF	0x04000000
+#define	AU_XMACF	0x08000000
+#define	AU_XSECATTR	0x10000000
+#define	AU_IOCTL	0x20000000
+#define	AU_EXEC		0x40000000
+#define	AU_OTHER	0x80000000
+#define	AU_ALL		0xffffffff
+
+/*
+ * IPC types
+ */
+#define	AT_IPC_MSG	((u_char)1)	/* Message IPC id. */
+#define	AT_IPC_SEM	((u_char)2)	/* Semaphore IPC id. */
+#define	AT_IPC_SHM	((u_char)3)	/* Shared mem IPC id. */
+
+/*
+ * Audit conditions.
+ */
+#define	AUC_UNSET		0
+#define	AUC_AUDITING		1
+#define	AUC_NOAUDIT		2
+#define	AUC_DISABLED		-1
+
+/*
+ * auditon(2) commands.
+ */
+#define	A_GETPOLICY	2
+#define	A_SETPOLICY	3
+#define	A_GETKMASK	4
+#define	A_SETKMASK	5
+#define	A_GETQCTRL	6
+#define	A_SETQCTRL	7
+#define	A_GETCWD	8
+#define	A_GETCAR	9
+#define	A_GETSTAT	12
+#define	A_SETSTAT	13
+#define	A_SETUMASK	14
+#define	A_SETSMASK	15
+#define	A_GETCOND	20
+#define	A_SETCOND	21
+#define	A_GETCLASS	22
+#define	A_SETCLASS	23
+#define	A_GETPINFO	24
+#define	A_SETPMASK	25
+#define	A_SETFSIZE	26
+#define	A_GETFSIZE	27
+#define	A_GETPINFO_ADDR	28
+#define	A_GETKAUDIT	29
+#define	A_SETKAUDIT	30
+#define	A_SENDTRIGGER	31
+
+/*
+ * Audit policy controls.
+ */
+#define	AUDIT_CNT	0x0001
+#define	AUDIT_AHLT	0x0002
+#define	AUDIT_ARGV	0x0004
+#define	AUDIT_ARGE	0x0008
+#define	AUDIT_PASSWD	0x0010
+#define	AUDIT_SEQ	0x0020
+#define	AUDIT_WINDATA	0x0040
+#define	AUDIT_USER	0x0080
+#define	AUDIT_GROUP	0x0100
+#define	AUDIT_TRAIL	0x0200
+#define	AUDIT_PATH	0x0400
+
+/*
+ * Audit queue control parameters
+ */
+#define	AQ_HIWATER	100
+#define	AQ_MAXHIGH	10000
+#define	AQ_LOWATER	10
+#define	AQ_BUFSZ	1024
+#define	AQ_MAXBUFSZ	1048576
+
+/*
+ * Default minimum percentage free space on file system.
+ */
+#define	AU_FS_MINFREE	20
+
+/*
+ * Type definitions used indicating the length of variable length addresses
+ * in tokens containing addresses, such as header fields.
+ */
+#define	AU_IPv4		4
+#define	AU_IPv6		16
+
+__BEGIN_DECLS
+
+typedef	uid_t		au_id_t;
+typedef	pid_t		au_asid_t;
+typedef	u_int16_t	au_event_t;
+typedef	u_int16_t	au_emod_t;
+typedef	u_int32_t	au_class_t;
+
+struct au_tid {
+	dev_t		port;
+	u_int32_t	machine;
+};
+typedef	struct au_tid	au_tid_t;
+
+struct au_tid_addr {
+	dev_t		at_port;
+	u_int32_t	at_type;
+	u_int32_t	at_addr[4];
+};
+typedef	struct au_tid_addr	au_tid_addr_t;
+
+struct au_mask {
+	unsigned int    am_success;     /* Success bits. */
+	unsigned int    am_failure;     /* Failure bits. */
+};
+typedef	struct au_mask	au_mask_t;
+
+struct auditinfo {
+	au_id_t		ai_auid;	/* Audit user ID. */
+	au_mask_t	ai_mask;	/* Audit masks. */
+	au_tid_t	ai_termid;	/* Terminal ID. */
+	au_asid_t	ai_asid;	/* Audit session ID. */
+};
+typedef	struct auditinfo	auditinfo_t;
+
+struct auditinfo_addr {
+	au_id_t		ai_auid;	/* Audit user ID. */
+	au_mask_t	ai_mask;	/* Audit masks. */
+	au_tid_addr_t	ai_termid;	/* Terminal ID. */
+	au_asid_t	ai_asid;	/* Audit session ID. */
+};
+typedef	struct auditinfo_addr	auditinfo_addr_t;
+
+struct auditpinfo {
+	pid_t		ap_pid;		/* ID of target process. */
+	au_id_t		ap_auid;	/* Audit user ID. */
+	au_mask_t	ap_mask;	/* Audit masks. */
+	au_tid_t	ap_termid;	/* Terminal ID. */
+	au_asid_t	ap_asid;	/* Audit session ID. */
+};
+typedef	struct auditpinfo	auditpinfo_t;
+
+struct auditpinfo_addr {
+	pid_t		ap_pid;		/* ID of target process. */
+	au_id_t		ap_auid;	/* Audit user ID. */
+	au_mask_t	ap_mask;	/* Audit masks. */
+	au_tid_addr_t	ap_termid;	/* Terminal ID. */
+	au_asid_t	ap_asid;	/* Audit session ID. */
+};
+typedef	struct auditpinfo_addr	auditpinfo_addr_t;
+
+/* Token and record structures. */
+
+struct au_token {
+	u_char			*t_data;
+	size_t			 len;
+	TAILQ_ENTRY(au_token)	 tokens;
+};
+typedef	struct au_token	token_t;
+
+struct au_record {
+	char			 used;		/* Record currently in use? */
+	int			 desc;		/* Descriptor for record. */
+	TAILQ_HEAD(, au_token)	 token_q;	/* Queue of BSM tokens. */
+	u_char			*data;
+	size_t			 len;
+	LIST_ENTRY(au_record)	 au_rec_q;
+};
+typedef	struct au_record	au_record_t;
+
+/*
+ * Kernel audit queue control parameters.
+ */
+struct au_qctrl {
+	size_t	aq_hiwater;
+	size_t	aq_lowater;
+	size_t	aq_bufsz;
+	clock_t	aq_delay;
+	int	aq_minfree;	/* Minimum filesystem percent free space. */
+};
+typedef	struct au_qctrl	au_qctrl_t;
+
+/*
+ * Structure for the audit statistics.
+ */
+struct audit_stat {
+	unsigned int	as_version;
+	unsigned int	as_numevent;
+	int		as_generated;
+	int		as_nonattring;
+	int		as_kernel;
+	int		as_audit;
+	int		as_auditctl;
+	int		as_enqueu;
+	int		as_written;
+	int		as_wblocked;
+	int		as_rblocked;
+	int		as_dropped;
+	int		as_totalsize;
+	unsigned int	as_memused;
+};
+typedef	struct audit_stat	au_stat_t;
+
+/*
+ * Structure for the audit file statistics.
+ */
+struct audit_fstat {
+	u_quad_t	af_filesz;
+	u_quad_t	af_currsz;
+};
+typedef	struct audit_fstat	au_fstat_t;
+
+/*
+ * Audit to event class mapping.
+ */
+struct au_evclass_map {
+	au_event_t	ec_number;
+	au_class_t	ec_class;
+};
+typedef	struct au_evclass_map	au_evclass_map_t;
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+int	audit(const void *, int);
+int	auditon(int, void *, int);
+int	auditctl(const char *);
+int	getauid(au_id_t *);
+int	setauid(const au_id_t *);
+int	getaudit(struct auditinfo *);
+int	setaudit(const struct auditinfo *);
+int	getaudit_addr(struct auditinfo_addr *, int);
+int	setaudit_addr(const struct auditinfo_addr *, int);
+#endif /* defined(_KERNEL) || defined(KERNEL) */
+
+__END_DECLS
+
+#endif /* !_BSM_AUDIT_H */
diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h
new file mode 100644
index 0000000..2d98aae
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_internal.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $
+ */
+
+#ifndef _LIBBSM_INTERNAL_H
+#define	_LIBBSM_INTERNAL_H
+
+/*
+ * audit_internal.h contains private interfaces that are shared by user space
+ * and the kernel for the purposes of assembling audit records.  Applications
+ * should not include this file or use the APIs found within, or it may be
+ * broken with future releases of OpenBSM, which may delete, modify, or
+ * otherwise break these interfaces or the assumptions they rely on.
+ */
+
+/* We could determined the header and trailer sizes by
+ * defining appropriate structures. We hold off that approach
+ * till we have a consistant way of using structures for all tokens.
+ * This is not straightforward since these token structures may
+ * contain pointers of whose contents we dont know the size
+ * (e.g text tokens)
+ */
+#define	BSM_HEADER_SIZE		18
+#define	BSM_TRAILER_SIZE	7
+
+/*
+ * BSM token streams store fields in big endian byte order, so as to be
+ * portable; when encoding and decoding, we must convert byte orders for
+ * typed values.
+ */
+#define	ADD_U_CHAR(loc, val)						\
+	do {								\
+		*(loc) = (val);						\
+		(loc) += sizeof(u_char);				\
+	} while(0)
+
+
+#define	ADD_U_INT16(loc, val)						\
+	do {								\
+		be16enc((loc), (val));					\
+		(loc) += sizeof(u_int16_t);				\
+	} while(0)
+
+#define	ADD_U_INT32(loc, val)						\
+	do {								\
+		be32enc((loc), (val));					\
+		(loc) += sizeof(u_int32_t);				\
+	} while(0)
+
+#define	ADD_U_INT64(loc, val)						\
+	do {								\
+		be64enc((loc), (val));					\
+		(loc) += sizeof(u_int64_t); 				\
+	} while(0)
+
+#define	ADD_MEM(loc, data, size)					\
+	do {								\
+		memcpy((loc), (data), (size));				\
+		(loc) += size;						\
+	} while(0)
+
+#define	ADD_STRING(loc, data, size)	ADD_MEM(loc, data, size)
+
+#endif /* !_LIBBSM_INTERNAL_H_ */
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
new file mode 100644
index 0000000..54cc308
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -0,0 +1,494 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $
+ */
+
+#ifndef _BSM_AUDIT_KEVENTS_H_
+#define	_BSM_AUDIT_KEVENTS_H_
+
+/*
+ * Values marked as AUE_NULL are not required to be audited as per CAPP.
+ *
+ * Some conflicts exist in the assignment of name to event number mappings
+ * between BSM implementations.  In general, we prefer the OpenSolaris
+ * definition as we consider Solaris BSM to be authoritative.  _DARWIN_ has
+ * been inserted for the Darwin variants.  If necessary, other tags will be
+ * added in the future.
+ */
+
+#define	AUE_NULL		0
+#define	AUE_EXIT		1
+#define	AUE_FORK		2
+#define	AUE_OPEN		3
+#define	AUE_CREAT		4
+#define	AUE_LINK		5
+#define	AUE_UNLINK		6
+#define	AUE_DELETE		AUE_UNLINK
+#define	AUE_EXEC		7
+#define	AUE_CHDIR		8
+#define	AUE_MKNOD		9
+#define	AUE_CHMOD		10
+#define	AUE_CHOWN		11
+#define	AUE_UMOUNT		12
+#define	AUE_JUNK		13	/* Solaris-specific. */
+#define	AUE_ACCESS		14
+#define	AUE_CHECKUSERACCESS	AUE_ACCESS
+#define	AUE_KILL		15
+#define	AUE_STAT		16
+#define	AUE_LSTAT		17
+#define	AUE_ACCT		18
+#define	AUE_MCTL		19	/* Solaris-specific. */
+#define	AUE_REBOOT		20	/* XXX: Darwin conflict. */
+#define	AUE_SYMLINK		21
+#define	AUE_READLINK		22
+#define	AUE_EXECVE		23
+#define	AUE_CHROOT		24
+#define	AUE_VFORK		25
+#define	AUE_SETGROUPS		26
+#define	AUE_SETPGRP		27
+#define	AUE_SWAPON		28
+#define	AUE_SETHOSTNAME		29	/* XXX: Darwin conflict. */
+#define	AUE_FCNTL		30
+#define	AUE_SETPRIORITY		31	/* XXX: Darwin conflict. */
+#define	AUE_CONNECT		32
+#define	AUE_ACCEPT		33
+#define	AUE_BIND		34
+#define	AUE_SETSOCKOPT		35
+#define	AUE_VTRACE		36	/* Solaris-specific. */
+#define	AUE_SETTIMEOFDAY	37	/* XXX: Darwin conflict. */
+#define	AUE_FCHOWN		38
+#define	AUE_FCHMOD		39
+#define	AUE_SETREUID		40
+#define	AUE_SETREGID		41
+#define	AUE_RENAME		42
+#define	AUE_TRUNCATE		43	/* XXX: Darwin conflict. */
+#define	AUE_FTRUNCATE		44	/* XXX: Darwin conflict. */
+#define	AUE_FLOCK		45	/* XXX: Darwin conflict. */
+#define	AUE_SHUTDOWN		46
+#define	AUE_MKDIR		47
+#define	AUE_RMDIR		48
+#define	AUE_UTIMES		49
+#define	AUE_ADJTIME		50
+#define	AUE_SETRLIMIT		51
+#define	AUE_KILLPG		52
+#define	AUE_NFS_SVC		53	/* XXX: Darwin conflict. */
+#define	AUE_STATFS		54
+#define	AUE_FSTATFS		55
+#define	AUE_UNMOUNT		56	/* XXX: Darwin conflict. */
+#define	AUE_ASYNC_DAEMON	57
+#define	AUE_NFS_GETFH		58	/* XXX: Darwin conflict. */
+#define	AUE_SETDOMAINNAME	59
+#define	AUE_QUOTACTL		60	/* XXX: Darwin conflict. */
+#define	AUE_EXPORTFS		61
+#define	AUE_MOUNT		62
+#define	AUE_SEMSYS		63
+#define	AUE_MSGSYS		64
+#define	AUE_SHMSYS		65
+#define	AUE_BSMSYS		66	/* Solaris-specific. */
+#define	AUE_RFSSYS		67	/* Solaris-specific. */
+#define	AUE_FCHDIR		68
+#define	AUE_FCHROOT		69
+#define	AUE_VPIXSYS		70	/* Solaris-specific. */
+#define	AUE_PATHCONF		71
+#define	AUE_OPEN_R		72
+#define	AUE_OPEN_RC		73
+#define	AUE_OPEN_RT		74
+#define	AUE_OPEN_RTC		75
+#define	AUE_OPEN_W		76
+#define	AUE_OPEN_WC		77
+#define	AUE_OPEN_WT		78
+#define	AUE_OPEN_WTC		79
+#define	AUE_OPEN_RW		80
+#define	AUE_OPEN_RWC		81
+#define	AUE_OPEN_RWT		82
+#define	AUE_OPEN_RWTC		83
+#define	AUE_MSGCTL		84
+#define	AUE_MSGCTL_RMID		85
+#define	AUE_MSGCTL_SET		86
+#define	AUE_MSGCTL_STAT		87
+#define	AUE_MSGGET		88
+#define	AUE_MSGRCV		89
+#define	AUE_MSGSND		90
+#define	AUE_SHMCTL		91
+#define	AUE_SHMCTL_RMID		92
+#define	AUE_SHMCTL_SET		93
+#define	AUE_SHMCTL_STAT		94
+#define	AUE_SHMGET		95
+#define	AUE_SHMAT		96
+#define	AUE_SHMDT		97
+#define	AUE_SEMCTL		98
+#define	AUE_SEMCTL_RMID		99
+#define	AUE_SEMCTL_SET		100
+#define	AUE_SEMCTL_STAT		101
+#define	AUE_SEMCTL_GETNCNT	102
+#define	AUE_SEMCTL_GETPID	103
+#define	AUE_SEMCTL_GETVAL	104
+#define	AUE_SEMCTL_GETALL	105
+#define	AUE_SEMCTL_GETZCNT	106
+#define	AUE_SEMCTL_SETVAL	107
+#define	AUE_SEMCTL_SETALL	108
+#define	AUE_SEMGET		109
+#define	AUE_SEMOP		110
+#define	AUE_CORE		111	/* Solaris-specific, currently. */
+#define	AUE_CLOSE		112
+#define	AUE_SYSTEMBOOT		113
+#define	AUE_ASYNC_DAEMON_EXIT	114	/* Solaris-specific. */
+#define	AUE_NFSSVC_EXIT		115	/* Solaris-specific. */
+#define	AUE_WRITEL		128	/* Solaris-specific. */
+#define	AUE_WRITEVL		129	/* Solaris-specific. */
+#define	AUE_GETAUID		130
+#define	AUE_SETAUID		131
+#define	AUE_GETAUDIT		132
+#define	AUE_SETAUDIT		133
+#define	AUE_GETUSERAUDIT	134	/* Solaris-specific. */
+#define	AUE_SETUSERAUDIT	135	/* Solaris-specific. */
+#define	AUE_AUDITSVC		136	/* Solaris-specific. */
+#define	AUE_AUDITUSER		137	/* Solaris-specific. */
+#define	AUE_AUDITON		138
+#define	AUE_AUDITON_GTERMID	139	/* Solaris-specific. */
+#define	AUE_AUDITON_STERMID	140	/* Solaris-specific. */
+#define	AUE_AUDITON_GPOLICY	141
+#define	AUE_AUDITON_SPOLICY	142
+#define	AUE_AUDITON_GQCTRL	145
+#define	AUE_AUDITON_SQCTRL	146
+#define	AUE_GETKERNSTATE	147	/* Solaris-specific. */
+#define	AUE_SETKERNSTATE	148	/* Solaris-specific. */
+#define	AUE_GETPORTAUDIT	149	/* Solaris-specific. */
+#define	AUE_AUDISTAT		150	/* Solaris-specific. */
+#define	AUE_ENTERPROM		153	/* Solaris-specific. */
+#define	AUE_EXITPROM		154	/* Solaris-specific. */
+#define	AUE_IOCTL		158
+#define	AUE_SOCKET		183
+#define	AUE_SENDTO		184
+#define	AUE_PIPE		185
+#define	AUE_SOCKETPAIR		186	/* XXX: Darwin conflict. */
+#define	AUE_SEND		187
+#define	AUE_SENDMSG		188
+#define	AUE_RECV		189
+#define	AUE_RECVMSG		190
+#define	AUE_RECVFROM		191
+#define	AUE_READ		192
+#define	AUE_LSEEK		194
+#define	AUE_WRITE		195
+#define	AUE_WRITEV		196
+#define	AUE_NFS			197	/* Solaris-specific. */
+#define	AUE_READV		198
+					/* XXXRW: XXX Solaris old stat()? */
+#define	AUE_SETUID		200	/* XXXRW: Solaris old setuid? */
+#define	AUE_STIME		201	/* XXXRW: Solaris old stime? */
+#define	AUE_UTIME		202	/* XXXRW: Solaris old utime? */
+#define	AUE_NICE		203	/* XXXRW: Solaris old nice? */
+					/* XXXRW: Solaris old setpgrp? */
+#define	AUE_SETGID		205	/* XXXRW: Solaris old setgid? */
+					/* XXXRW: Solaris readl? */
+					/* XXXRW: Solaris readvl()? */
+#define	AUE_DUP2		209
+#define	AUE_MMAP		210
+#define	AUE_AUDIT		211
+#define	AUE_PRIOCNTLSYS		212
+#define	AUE_MUNMAP		213
+#define	AUE_SETEGID		214
+#define	AUE_SETEUID		215
+#define	AUE_PUTMSG		216
+#define	AUE_GETMSG		217	/* Solaris-specific. */
+#define	AUE_PUTPMSG		218	/* Solaris-specific. */
+#define	AUE_GETPMSG		219	/* Solaris-specific. */
+#define	AUE_AUDITSYS		220	/* Solaris-specific. */
+#define	AUE_AUDITON_GETKMASK	221
+#define	AUE_AUDITON_SETKMASK	222
+#define	AUE_AUDITON_GETCWD	223
+#define	AUE_AUDITON_GETCAR	224
+#define	AUE_AUDITON_GETSTAT	225
+#define	AUE_AUDITON_SETSTAT	226
+#define	AUE_AUDITON_SETUMASK	227
+#define	AUE_AUDITON_SETSMASK	228
+#define	AUE_AUDITON_GETCOND	229
+#define	AUE_AUDITON_SETCOND	230
+#define	AUE_AUDITON_GETCLASS	231
+#define	AUE_AUDITON_SETCLASS	232
+#define	AUE_UTSSYS		233	/* Solaris-specific. */
+#define	AUE_STATVFS		234
+#define	AUE_XSTAT		235
+#define	AUE_LXSTAT		236
+#define	AUE_LCHOWN		237
+#define	AUE_MEMCNTL		238	/* Solaris-specific. */
+#define	AUE_SYSINFO		239	/* Solaris-specific. */
+#define	AUE_XMKNOD		240	/* Solaris-specific. */
+#define	AUE_FORK1		241
+					/* XXXRW: Solaris modctl()? */
+#define	AUE_MODLOAD		243
+#define	AUE_MODUNLOAD		244
+#define	AUE_MODCONFIG		245	/* Solaris-specific. */
+#define	AUE_MODADDMAJ		246	/* Solaris-specific. */
+#define	AUE_SOCKACCEPT		247
+#define	AUE_SOCKCONNECT		248
+#define	AUE_SOCKSEND		249
+#define	AUE_SOCKRECEIVE		250
+#define	AUE_ACLSET		251
+#define	AUE_FACLSET		252
+#define	AUE_DOORFS_DOOR_CALL	254	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_RETURN	255	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_CREATE	256	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_REVOKE	257	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_INFO	258	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_CRED	259	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_BIND	260	/* Solaris-specific. */
+#define	AUE_DOORFS_DOOR_UNBIND	261	/* Solaris-specific. */
+#define	AUE_P_ONLINE		262	/* Solaris-specific. */
+#define	AUE_PROCESSOR_BIND	263	/* Solaris-specific. */
+#define	AUE_INST_SYNC		264	/* Solaris-specific. */
+#define	AUE_SOCK_CONFIG		265	/* Solaris-specific. */
+#define	AUE_SETAUDIT_ADDR	266
+#define	AUE_GETAUDIT_ADDR	267
+#define	AUE_CLOCK_SETTIME	287
+#define	AUE_NTP_ADJTIME		288
+
+/*
+ * Events not present in OpenSolaris BSM, generally derived from Apple Darwin
+ * BSM or added in OpenBSM.  This start a little too close to the top end of
+ * the OpenSolaris event list for my comfort.
+ */
+#define	AUE_GETFSSTAT		301
+#define	AUE_PTRACE		302
+#define	AUE_CHFLAGS		303
+#define	AUE_FCHFLAGS		304
+#define	AUE_PROFILE		305
+#define	AUE_KTRACE		306
+#define	AUE_SETLOGIN		307
+#define	AUE_DARWIN_REBOOT	308	/* XXX: See AUE_REBOOT. */
+#define	AUE_REVOKE		309
+#define	AUE_UMASK		310
+#define	AUE_MPROTECT		311
+#define	AUE_DARWIN_SETPRIORITY	312	/* XXX: See AUE_SETPRIORITY. */
+#define	AUE_DARWIN_SETTIMEOFDAY	313	/* XXX: See AUE_SETTIMEOFDAY. */
+#define	AUE_DARWIN_FLOCK	314	/* XXX: See AUE_FLOCK. */
+#define	AUE_MKFIFO		315
+#define	AUE_POLL		316
+#define	AUE_DARWIN_SOCKETPAIR	317	/* XXXRW: See AUE_SOCKETPAIR. */
+#define	AUE_FUTIMES		318
+#define	AUE_SETSID		319
+#define	AUE_SETPRIVEXEC		320	/* Darwin-specific. */
+#define	AUE_DARWIN_NFSSVC	321	/* XXX: See AUE_NFS_SVC. */
+#define	AUE_DARWIN_GETFH	322	/* XXX: See AUE_NFS_GETFH. */
+#define	AUE_DARWIN_QUOTACTL	323	/* XXX: See AUE_QUOTACTL. */
+#define	AUE_ADDPROFILE		324	/* Darwin-specific. */
+#define	AUE_KDEBUGTRACE		325	/* Darwin-specific. */
+#define	AUE_KDBUGTRACE		AUE_KDEBUGTRACE
+#define	AUE_FSTAT		326
+#define	AUE_FPATHCONF		327
+#define	AUE_GETDIRENTRIES	328
+#define	AUE_DARWIN_TRUNCATE	329	/* XXX: See AUE_TRUNCATE. */
+#define	AUE_DARWIN_FTRUNCATE	330	/* XXX: See AUE_FTRUNCATE. */
+#define	AUE_SYSCTL		331
+#define	AUE_MLOCK		332
+#define	AUE_MUNLOCK		333
+#define	AUE_UNDELETE		334
+#define	AUE_GETATTRLIST		335	/* Darwin-specific. */
+#define	AUE_SETATTRLIST		336	/* Darwin-specific. */
+#define	AUE_GETDIRENTRIESATTR	337	/* Darwin-specific. */
+#define	AUE_EXCHANGEDATA	338	/* Darwin-specific. */
+#define	AUE_SEARCHFS		339	/* Darwin-specific. */
+#define	AUE_MINHERIT		340
+#define	AUE_SEMCONFIG		341
+#define	AUE_SEMOPEN		342
+#define	AUE_SEMCLOSE		343
+#define	AUE_SEMUNLINK		344
+#define	AUE_SHMOPEN		345
+#define	AUE_SHMUNLINK		346
+#define	AUE_LOADSHFILE		347	/* Darwin-specific. */
+#define	AUE_RESETSHFILE		348	/* Darwin-specific. */
+#define	AUE_NEWSYSTEMSHREG	349	/* Darwin-specific. */
+#define	AUE_PTHREADKILL		350	/* Darwin-specific. */
+#define	AUE_PTHREADSIGMASK	351	/* Darwin-specific. */
+#define	AUE_AUDITCTL		352
+#define	AUE_RFORK		353
+#define	AUE_LCHMOD		354
+#define	AUE_SWAPOFF		355
+#define	AUE_INITPROCESS		356	/* Darwin-specific. */
+#define	AUE_MAPFD		357	/* Darwin-specific. */
+#define	AUE_TASKFORPID		358	/* Darwin-specific. */
+#define	AUE_PIDFORTASK		359	/* Darwin-specific. */
+#define	AUE_SYSCTL_NONADMIN	360
+#define	AUE_COPYFILE		361	/* Darwin-specific. */
+#define	AUE_LUTIMES		362
+#define	AUE_LCHFLAGS		363	/* FreeBSD-specific. */
+#define	AUE_SENDFILE		364	/* BSD/Linux-specific. */
+#define	AUE_USELIB		365	/* Linux-specific. */
+#define	AUE_GETRESUID		366
+#define	AUE_SETRESUID		367
+#define	AUE_GETRESGID		368
+#define	AUE_SETRESGID		369
+#define	AUE_WAIT4		370	/* FreeBSD-specific. */
+#define	AUE_LGETFH		371	/* FreeBSD-specific. */
+#define	AUE_FHSTATFS		372	/* FreeBSD-specific. */
+#define	AUE_FHOPEN		373	/* FreeBSD-specific. */
+#define	AUE_FHSTAT		374	/* FreeBSD-specific. */
+#define	AUE_JAIL		375	/* FreeBSD-specific. */
+#define	AUE_EACCESS		376	/* FreeBSD-specific. */
+#define	AUE_KQUEUE		377	/* FreeBSD-specific. */
+#define	AUE_KEVENT		378	/* FreeBSD-specific. */
+#define	AUE_FSYNC		379
+#define AUE_NMOUNT		380	/* FreeBSD-specific. */
+
+/*
+ * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
+ * normal Solaris BSM identifiers.  _O_ refers to it being an old, or compat
+ * interface.  In most cases, Darwin has never implemented these system calls
+ * but picked up the fields in their system call table from their FreeBSD
+ * import.  Happily, these have different names than the AUE_O* definitions
+ * in Solaris BSM.
+ */
+#define	AUE_O_CREAT		AUE_OPEN_RWTC	/* Darwin */
+#define	AUE_O_EXECVE		AUE_NULL	/* Darwin */
+#define	AUE_O_SBREAK		AUE_NULL	/* Darwin */
+#define	AUE_O_LSEEK		AUE_NULL	/* Darwin */
+#define	AUE_O_MOUNT		AUE_NULL	/* Darwin */
+#define	AUE_O_UMOUNT		AUE_NULL	/* Darwin */
+#define	AUE_O_STAT		AUE_STAT	/* Darwin */
+#define	AUE_O_LSTAT		AUE_LSTAT	/* Darwin */
+#define	AUE_O_FSTAT		AUE_FSTAT	/* Darwin */
+#define	AUE_O_GETPAGESIZE	AUE_NULL	/* Darwin */
+#define	AUE_O_VREAD		AUE_NULL	/* Darwin */
+#define	AUE_O_VWRITE		AUE_NULL	/* Darwin */
+#define	AUE_O_MMAP		AUE_MMAP	/* Darwin */
+#define	AUE_O_VADVISE		AUE_NULL	/* Darwin */
+#define	AUE_O_VHANGUP		AUE_NULL	/* Darwin */
+#define	AUE_O_VLIMIT		AUE_NULL	/* Darwin */
+#define	AUE_O_WAIT		AUE_NULL	/* Darwin */
+#define	AUE_O_GETHOSTNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_SETHOSTNAME	AUE_SYSCTL	/* Darwin */
+#define	AUE_O_GETDOPT		AUE_NULL	/* Darwin */
+#define	AUE_O_SETDOPT		AUE_NULL	/* Darwin */
+#define	AUE_O_ACCEPT		AUE_NULL	/* Darwin */
+#define	AUE_O_SEND		AUE_SENDMSG	/* Darwin */
+#define	AUE_O_RECV		AUE_RECVMSG	/* Darwin */
+#define	AUE_O_VTIMES		AUE_NULL	/* Darwin */
+#define	AUE_O_SIGVEC		AUE_NULL	/* Darwin */
+#define	AUE_O_SIGBLOCK		AUE_NULL	/* Darwin */
+#define	AUE_O_SIGSETMASK	AUE_NULL	/* Darwin */
+#define	AUE_O_SIGSTACK		AUE_NULL	/* Darwin */
+#define	AUE_O_RECVMSG		AUE_RECVMSG	/* Darwin */
+#define	AUE_O_SENDMSG		AUE_SENDMSG	/* Darwin */
+#define	AUE_O_VTRACE		AUE_NULL	/* Darwin */
+#define	AUE_O_RESUBA		AUE_NULL	/* Darwin */
+#define	AUE_O_RECVFROM		AUE_RECVFROM	/* Darwin */
+#define	AUE_O_SETREUID		AUE_SETREUID	/* Darwin */
+#define	AUE_O_SETREGID		AUE_SETREGID	/* Darwin */
+#define	AUE_O_TRUNCATE		AUE_TRUNCATE	/* Darwin */
+#define	AUE_O_FTRUNCATE		AUE_FTRUNCATE	/* Darwin */
+#define	AUE_O_GETPEERNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_GETHOSTID		AUE_NULL	/* Darwin */
+#define	AUE_O_SETHOSTID		AUE_NULL	/* Darwin */
+#define	AUE_O_GETRLIMIT		AUE_NULL	/* Darwin */
+#define	AUE_O_SETRLIMIT		AUE_SETRLIMIT	/* Darwin */
+#define	AUE_O_KILLPG		AUE_KILL	/* Darwin */
+#define	AUE_O_SETQUOTA		AUE_NULL	/* Darwin */
+#define	AUE_O_QUOTA		AUE_NULL	/* Darwin */
+#define	AUE_O_GETSOCKNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_GETDIREENTRIES	AUE_GETDIREENTRIES	/* Darwin */
+#define	AUE_O_ASYNCDAEMON	AUE_NULL	/* Darwin */
+#define	AUE_O_GETDOMAINNAME	AUE_NULL	/* Darwin */
+#define	AUE_O_SETDOMAINNAME	AUE_SYSCTL	/* Darwin */
+#define	AUE_O_PCFS_MOUNT	AUE_NULL	/* Darwin */
+#define	AUE_O_EXPORTFS		AUE_NULL	/* Darwin */
+#define	AUE_O_USTATE		AUE_NULL	/* Darwin */
+#define	AUE_O_WAIT3		AUE_NULL	/* Darwin */
+#define	AUE_O_RPAUSE		AUE_NULL	/* Darwin */
+#define	AUE_O_GETDENTS		AUE_NULL	/* Darwin */
+
+/*
+ * Possible desired future values based on review of BSD/Darwin system calls.
+ */
+#define	AUE_DUP			AUE_NULL
+#define	AUE_FSCTL		AUE_NULL
+#define	AUE_FSTATV		AUE_NULL
+#define	AUE_GCCONTROL		AUE_NULL
+#define	AUE_GETDTABLESIZE	AUE_NULL
+#define	AUE_GETEGID		AUE_NULL
+#define	AUE_GETEUID		AUE_NULL
+#define	AUE_GETGID		AUE_NULL
+#define	AUE_GETGROUPS		AUE_NULL
+#define	AUE_GETITIMER		AUE_NULL
+#define	AUE_GETLOGIN		AUE_NULL
+#define	AUE_GETPEERNAME		AUE_NULL
+#define	AUE_GETPGID		AUE_NULL
+#define	AUE_GETPGRP		AUE_NULL
+#define	AUE_GETPID		AUE_NULL
+#define	AUE_GETPPID		AUE_NULL
+#define	AUE_GETPRIORITY		AUE_NULL
+#define	AUE_GETRLIMIT		AUE_NULL
+#define	AUE_GETRUSAGE		AUE_NULL
+#define	AUE_GETSID		AUE_NULL
+#define	AUE_GETSOCKNAME		AUE_NULL
+#define	AUE_GETTIMEOFDAY	AUE_NULL
+#define	AUE_GETUID		AUE_NULL
+#define	AUE_GETSOCKOPT		AUE_NULL
+#define	AUE_GTSOCKOPT		AUE_GETSOCKOPT	/* XXX: Typo in Darwin. */
+#define	AUE_ISSETUGID		AUE_NULL
+#define	AUE_LISTEN		AUE_NULL
+#define	AUE_LSTATV		AUE_NULL
+#define	AUE_MADVISE		AUE_NULL
+#define	AUE_MINCORE		AUE_NULL
+#define	AUE_MKCOMPLEX		AUE_NULL
+#define	AUE_MLOCKALL		AUE_NULL
+#define	AUE_MODWATCH		AUE_NULL
+#define	AUE_MSGCL		AUE_NULL
+#define	AUE_MSYNC		AUE_NULL
+#define	AUE_MUNLOCKALL		AUE_NULL
+#define	AUE_PREAD		AUE_NULL
+#define	AUE_PWRITE		AUE_NULL
+#define	AUE_SBRK		AUE_NULL
+#define	AUE_SELECT		AUE_NULL
+#define	AUE_SEMDESTROY		AUE_NULL
+#define	AUE_SEMGETVALUE		AUE_NULL
+#define	AUE_SEMINIT		AUE_NULL
+#define	AUE_SEMPOST		AUE_NULL
+#define	AUE_SEMTRYWAIT		AUE_NULL
+#define	AUE_SEMWAIT		AUE_NULL
+#define	AUE_SETITIMER		AUE_NULL
+#define	AUE_SIGACTION		AUE_NULL
+#define	AUE_SIGALTSTACK		AUE_NULL
+#define	AUE_SIGPENDING		AUE_NULL
+#define	AUE_SIGPROCMASK		AUE_NULL
+#define	AUE_SIGRETURN		AUE_NULL
+#define	AUE_SIGSUSPEND		AUE_NULL
+#define	AUE_SIGWAIT		AUE_NULL
+#define	AUE_SSTK		AUE_NULL
+#define	AUE_STATV		AUE_NULL
+#define	AUE_SYNC		AUE_NULL
+#define	AUE_SYSCALL		AUE_NULL
+#define	AUE_TABLE		AUE_NULL
+#define	AUE_WAITEVENT		AUE_NULL
+#define	AUE_WATCHEVENT		AUE_NULL
+
+#endif /* !_BSM_AUDIT_KEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h
new file mode 100644
index 0000000..af9ba4d
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_record.h
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_RECORD_H_
+#define _BSM_AUDIT_RECORD_H_
+
+/* Various token id types */
+
+/*
+ * Values inside the comments are not documented in the BSM pages and
+ * have been picked up from the header files
+ */
+
+/*
+ * Values marked as XXX do not have a value defined in the BSM header files
+ */
+
+#define	AUT_INVALID		0x00
+#define	AUT_OTHER_FILE32	0x11
+#define	AUT_OHEADER		0x12
+#define	AUT_TRAILER		0x13
+#define	AUT_HEADER32		0x14
+#define	AUT_HEADER32_EX		0x15
+#define	AUT_DATA		0x21
+#define	AUT_IPC			0x22
+#define	AUT_PATH		0x23
+#define	AUT_SUBJECT32		0x24
+#define	AUT_SERVER32		0x25
+#define	AUT_PROCESS32		0x26
+#define	AUT_RETURN32		0x27
+#define	AUT_TEXT		0x28
+#define	AUT_OPAQUE		0x29
+#define	AUT_IN_ADDR		0x2a
+#define	AUT_IP			0x2b
+#define	AUT_IPORT		0x2c
+#define	AUT_ARG32		0x2d
+#define	AUT_SOCKET		0x2e
+#define	AUT_SEQ			0x2f
+#define	AUT_ACL			0x30
+#define	AUT_ATTR		0x31
+#define	AUT_IPC_PERM		0x32
+#define	AUT_LABEL		0x33
+#define	AUT_GROUPS		0x34
+#define	AUT_ILABEL		0x35
+#define	AUT_SLABEL		0x36
+#define	AUT_CLEAR		0x37
+#define	AUT_PRIV		0x38
+#define	AUT_UPRIV		0x39
+#define	AUT_LIAISON		0x3a
+#define	AUT_NEWGROUPS		0x3b
+#define	AUT_EXEC_ARGS		0x3c
+#define	AUT_EXEC_ENV		0x3d
+#define	AUT_ATTR32		0x3e
+/* #define	AUT_????	0x3f */
+#define	AUT_XATOM		0x40
+#define	AUT_XOBJ		0x41
+#define	AUT_XPROTO		0x42
+#define	AUT_XSELECT		0x43
+/* XXXRW: Additional X11 tokens not defined? */
+#define	AUT_CMD			0x51
+#define	AUT_EXIT		0x52
+/* XXXRW: OpenBSM AUT_HOST 0x70? */
+#define	AUT_ARG64		0x71
+#define	AUT_RETURN64		0x72
+#define	AUT_ATTR64		0x73
+#define	AUT_HEADER64		0x74
+#define	AUT_SUBJECT64		0x75
+#define	AUT_SERVER64		0x76
+#define	AUT_PROCESS64		0x77
+#define	AUT_OTHER_FILE64	0x78
+#define	AUT_HEADER64_EX		0x79
+#define	AUT_SUBJECT32_EX	0x7a
+#define	AUT_PROCESS32_EX	0x7b
+#define	AUT_SUBJECT64_EX	0x7c
+#define	AUT_PROCESS64_EX	0x7d
+#define	AUT_IN_ADDR_EX		0x7e
+#define	AUT_SOCKET_EX		0x7f
+
+/*
+ * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'.  We have
+ * compatibility defines.
+ */
+#define	AUT_HEADER		AUT_HEADER32
+#define	AUT_ARG			AUT_ARG32
+#define	AUT_RETURN		AUT_RETURN32
+#define	AUT_SUBJECT		AUT_SUBJECT32
+#define	AUT_SERVER		AUT_SERVER32
+#define	AUT_PROCESS		AUT_PROCESS32
+#define	AUT_OTHER_FILE		AUT_OTHER_FILE32
+
+/*
+ * Darwin's bsm distribution uses the following non-BSM token name defines.
+ * We provide them for a single OpenBSM release for compatibility reasons.
+ */
+#define	AU_FILE_TOKEN		AUT_OTHER_FILE32
+#define	AU_TRAILER_TOKEN	AUT_TRAILER
+#define	AU_HEADER_32_TOKEN	AUT_HEADER32
+#define	AU_DATA_TOKEN		AUT_DATA
+#define	AU_ARB_TOKEN		AUT_DATA
+#define	AU_IPC_TOKEN		AUT_IPC
+#define	AU_PATH_TOKEN		AUT_PATH
+#define	AU_SUBJECT_32_TOKEN	AUT_SUBJECT32
+#define	AU_PROCESS_32_TOKEN	AUT_PROCESS32
+#define	AU_RETURN_32_TOKEN	AUT_RETURN32
+#define	AU_TEXT_TOKEN		AUT_TEXT
+#define	AU_OPAQUE_TOKEN		AUT_OPAQUE
+#define	AU_IN_ADDR_TOKEN	AUT_IN_ADDR
+#define	AU_IP_TOKEN		AUT_IP
+#define	AU_IPORT_TOKEN		AUT_IPORT
+#define	AU_ARG32_TOKEN		AUT_ARG32
+#define	AU_SOCK_TOKEN		AUT_SOCKET
+#define	AU_SEQ_TOKEN		AUT_SEQ
+#define	AU_ATTR_TOKEN		AUT_ATTR
+#define	AU_IPCPERM_TOKEN	AUT_IPC_PERM
+#define	AU_NEWGROUPS_TOKEN	AUT_NEWGROUPS
+#define	AU_EXEC_ARG_TOKEN	AUT_EXEC_ARGS
+#define	AU_EXEC_ENV_TOKEN	AUT_EXEC_ENV
+#define	AU_ATTR32_TOKEN		AUT_ATTR32
+#define	AU_CMD_TOKEN		AUT_CMD
+#define	AU_EXIT_TOKEN		AUT_EXIT
+#define	AU_ARG64_TOKEN		AUT_ARG64
+#define	AU_RETURN_64_TOKEN	AUT_RETURN64
+#define	AU_ATTR64_TOKEN		AUT_ATTR64
+#define	AU_HEADER_64_TOKEN	AUT_HEADER64
+#define	AU_SUBJECT_64_TOKEN	AUT_SUBJECT64
+#define	AU_PROCESS_64_TOKEN	AUT_PROCESS64
+#define	AU_HEADER_64_EX_TOKEN	AUT_HEADER64_EX
+#define	AU_SUBJECT_32_EX_TOKEN	AUT_SUBJECT32_EX
+#define	AU_PROCESS_32_EX_TOKEN	AUT_PROCESS32_EX
+#define	AU_SUBJECT_64_EX_TOKEN	AUT_SUBJECT64_EX
+#define	AU_PROCESS_64_EX_TOKEN	AUT_PROCESS64_EX
+#define	AU_IN_ADDR_EX_TOKEN	AUT_IN_ADDR_EX
+#define	AU_SOCK_32_EX_TOKEN	AUT_SOCKET_EX
+
+/*
+ * The values for the following token ids are not defined by BSM.
+ *
+ * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
+ * names more consistent with Sun's BSM.  These originally came from Apple's
+ * BSM.
+ */
+#define	AUT_SOCKINET32		0x80		/* XXX */
+#define	AUT_SOCKINET128		0x81		/* XXX */
+#define	AUT_SOCKUNIX		0x82		/* XXX */
+#define	AU_SOCK_INET_32_TOKEN	AUT_SOCKINET32
+#define	AU_SOCK_INET_128_TOKEN	AUT_SOCKINET128
+#define	AU_SOCK_UNIX_TOKEN	AUT_SOCKUNIX
+
+/* print values for the arbitrary token */
+#define AUP_BINARY      0
+#define AUP_OCTAL       1
+#define AUP_DECIMAL     2
+#define AUP_HEX         3
+#define AUP_STRING      4
+
+/* data-types for the arbitrary token */
+#define AUR_BYTE        0
+#define AUR_SHORT       1
+#define AUR_LONG        2
+
+/* ... and their sizes */
+#define AUR_BYTE_SIZE       sizeof(u_char)
+#define AUR_SHORT_SIZE      sizeof(uint16_t)
+#define AUR_LONG_SIZE       sizeof(uint32_t)
+
+/* Modifiers for the header token */
+#define PAD_NOTATTR  0x4000   /* nonattributable event */
+#define PAD_FAILURE  0x8000   /* fail audit event */
+
+
+#define BSM_MAX_GROUPS      16
+#define HEADER_VERSION      1
+
+/*
+ * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
+ * split the difference, will remove the Apple define for the next release.
+ */
+#define	AUT_TRAILER_MAGIC	0xb105
+#define	TRAILER_PAD_MAGIC	AUT_TRAILER_MAGIC
+
+/* BSM library calls */
+
+__BEGIN_DECLS
+
+struct in_addr;
+struct in6_addr;
+struct ip;
+struct ipc_perm;
+struct kevent;
+struct sockaddr_in;
+struct sockaddr_in6;
+struct sockaddr_un;
+#if defined(_KERNEL) || defined(KERNEL)
+struct vnode_au_info;
+#endif
+
+int	 au_open(void);
+int	 au_write(int d, token_t *m);
+int	 au_close(int d, int keep, short event);
+int	 au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t	*au_to_file(char *file, struct timeval tm);
+#else
+token_t	*au_to_file(char *file);
+#endif
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
+token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+	    struct timeval tm);
+#else
+token_t	*au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+#endif
+
+token_t	*au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t	*au_to_me(void);
+token_t	*au_to_arg(char n, char *text, uint32_t v);
+token_t	*au_to_arg32(char n, char *text, uint32_t v);
+token_t	*au_to_arg64(char n, char *text, uint64_t v);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_attr(struct vnode_au_info *vni);
+token_t	*au_to_attr32(struct vnode_au_info *vni);
+token_t	*au_to_attr64(struct vnode_au_info *vni);
+#endif
+
+token_t	*au_to_data(char unit_print, char unit_type, char unit_count,
+	    char *p);
+token_t	*au_to_exit(int retval, int err);
+token_t	*au_to_groups(int *groups);
+token_t	*au_to_newgroups(uint16_t n, gid_t *groups);
+token_t	*au_to_in_addr(struct in_addr *internet_addr);
+token_t	*au_to_in_addr_ex(struct in6_addr *internet_addr);
+token_t	*au_to_ip(struct ip *ip);
+token_t	*au_to_ipc(char type, int id);
+token_t	*au_to_ipc_perm(struct ipc_perm *perm);
+token_t	*au_to_iport(uint16_t iport);
+token_t	*au_to_opaque(char *data, uint16_t bytes);
+token_t	*au_to_path(char *path);
+token_t	*au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
+	    uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+	    au_tid_addr_t *tid);
+token_t	*au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_return(char status, uint32_t ret);
+token_t	*au_to_return32(char status, uint32_t ret);
+token_t	*au_to_return64(char status, uint64_t ret);
+token_t	*au_to_seq(long audit_count);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t	*au_to_socket(struct socket *so);
+token_t	*au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
+	    struct sockaddr *ta);
+token_t	*au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
+	    struct sockaddr *ta);
+#endif
+
+token_t	*au_to_sock_inet(struct sockaddr_in *so);
+token_t	*au_to_sock_inet32(struct sockaddr_in *so);
+token_t	*au_to_sock_inet128(struct sockaddr_in6 *so);
+token_t	*au_to_sock_unix(struct sockaddr_un *so);
+token_t	*au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t	*au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+	    gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t	*au_to_exec_args(const char **);
+token_t	*au_to_exec_env(const char **);
+token_t	*au_to_text(char *text);
+token_t	*au_to_kevent(struct kevent *kev);
+token_t	*au_to_trailer(int rec_size);
+
+__END_DECLS
+
+#endif /* ! _BSM_AUDIT_RECORD_H_ */
diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h
new file mode 100644
index 0000000..0493e31
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_uevents.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $
+ */
+
+#ifndef _BSM_AUDIT_UEVENTS_H_
+#define	_BSM_AUDIT_UEVENTS_H_
+
+/*-
+ * User level audit event numbers
+ *
+ * Range of audit event numbers:
+ * 0			Reserved, invalid
+ * 1     - 2047		Reserved for kernel events
+ * 2048  - 32767	Defined by BSM for user events
+ * 32768 - 36864	Reserved for Mac OS-X applications
+ * 36865 - 65535	Reserved for applications
+ *
+ */
+#define	AUE_at_create		6144
+#define	AUE_at_delete		6145
+#define	AUE_at_perm		6146
+#define	AUE_cron_invoke		6147
+#define	AUE_crontab_create	6148
+#define	AUE_crontab_delete	6149
+#define	AUE_crontab_perm	6150
+#define	AUE_inetd_connect	6151
+#define	AUE_login		6152
+#define	AUE_logout		6153
+#define	AUE_telnet		6154
+#define	AUE_rlogin		6155
+#define	AUE_mountd_mount	6156
+#define	AUE_mountd_umount	6157
+#define	AUE_rshd		6158
+#define	AUE_su			6159
+#define	AUE_halt		6160
+#define	AUE_reboot		6161
+#define	AUE_rexecd		6162
+#define	AUE_passwd		6163
+#define	AUE_rexd		6164
+#define	AUE_ftpd		6165
+#define	AUE_init		6166
+#define	AUE_uadmin		6167
+#define	AUE_shutdown		6168
+#define	AUE_poweroff		6169
+#define	AUE_crontab_mod		6170
+#define	AUE_audit_startup	6171
+#define	AUE_audit_shutdown	6172
+#define	AUE_allocate_succ	6200
+#define	AUE_allocate_fail	6201
+#define	AUE_deallocate_succ	6202
+#define	AUE_deallocate_fail	6203
+#define	AUE_listdevice_succ	6205
+#define	AUE_listdevice_fail	6206
+#define	AUE_create_user		6207
+#define	AUE_modify_user		6208
+#define	AUE_delete_user		6209
+#define	AUE_disable_user	6210
+#define	AUE_enable_user		6211
+#define	AUE_sudo		6300
+#define	AUE_modify_password	6501	/* Not assigned by Sun. */
+#define	AUE_create_group	6511	/* Not assigned by Sun. */
+#define	AUE_delete_group	6512	/* Not assigned by Sun. */
+#define	AUE_modify_group	6513	/* Not assigned by Sun. */
+#define	AUE_add_to_group	6514	/* Not assigned by Sun. */
+#define	AUE_remove_from_group	6515	/* Not assigned by Sun. */
+#define	AUE_revoke_obj		6521	/* Not assigned by Sun; not used. */
+#define	AUE_lw_login		6600	/* Not assigned by Sun; tentative. */
+#define	AUE_lw_logout		6601	/* Not assigned by Sun; tentative. */
+#define	AUE_auth_user		7000	/* Not assigned by Sun. */
+#define	AUE_ssconn		7001	/* Not assigned by Sun. */
+#define	AUE_ssauthorize		7002	/* Not assigned by Sun. */
+#define	AUE_ssauthint		7003	/* Not assigned by Sun. */
+#define	AUE_openssh		32800
+
+#endif /* !_BSM_AUDIT_UEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
new file mode 100644
index 0000000..baf9f14
--- /dev/null
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -0,0 +1,1175 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1.  Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ * 2.  Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ *     its contributors may be used to endorse or promote products derived
+ *     from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $
+ */
+
+#ifndef _LIBBSM_H_
+#define	_LIBBSM_H_
+
+/*
+ * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
+ * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
+ */
+
+#define	MAX_ARGS	10
+#define	MAX_ENV		10
+
+#include <sys/types.h>
+#include <sys/cdefs.h>
+#include <sys/queue.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_record.h>
+
+#include <stdio.h>
+#include <stdint.h>
+
+#ifdef __APPLE__
+#include <mach/mach.h>		/* audit_token_t */
+#endif
+
+#define	AU_PRS_SUCCESS	1
+#define	AU_PRS_FAILURE	2
+#define	AU_PRS_BOTH	(AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
+#define	AU_PRS_USECACHE	0
+#define	AU_PRS_REREAD	1
+
+#define	AUDIT_EVENT_FILE	"/etc/security/audit_event"
+#define	AUDIT_CLASS_FILE	"/etc/security/audit_class"
+#define	AUDIT_CONTROL_FILE	"/etc/security/audit_control"
+#define	AUDIT_USER_FILE		"/etc/security/audit_user"
+
+#define	DIR_CONTROL_ENTRY	"dir"
+#define	MINFREE_CONTROL_ENTRY	"minfree"
+#define	FLAGS_CONTROL_ENTRY	"flags"
+#define	NA_CONTROL_ENTRY	"naflags"
+
+#define	AU_CLASS_NAME_MAX	8
+#define	AU_CLASS_DESC_MAX	72
+#define	AU_EVENT_NAME_MAX	30
+#define	AU_EVENT_DESC_MAX	50
+#define	AU_USER_NAME_MAX	50
+#define	AU_LINE_MAX		256
+#define	MAX_AUDITSTRING_LEN	256
+#define	BSM_TEXTBUFSZ		MAX_AUDITSTRING_LEN	/* OpenSSH compatibility */
+
+/*
+ * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
+ * Provided for OpenSSH compatibility.
+ */
+#define	AU_TO_NO_WRITE		0
+#define	AU_TO_WRITE		1
+
+__BEGIN_DECLS
+struct au_event_ent {
+	au_event_t	 ae_number;
+	char		*ae_name;
+	char		*ae_desc;
+	au_class_t	 ae_class;
+};
+typedef struct au_event_ent au_event_ent_t;
+
+struct au_class_ent {
+	char		*ac_name;
+	au_class_t	 ac_class;
+	char		*ac_desc;
+};
+typedef struct au_class_ent au_class_ent_t;
+
+struct au_user_ent {
+	char		*au_name;
+	au_mask_t	 au_always;
+	au_mask_t	 au_never;
+};
+typedef struct au_user_ent au_user_ent_t;
+__END_DECLS
+
+#define	ADD_TO_MASK(m, c, sel) do {					\
+	if (sel & AU_PRS_SUCCESS)					\
+		(m)->am_success |= c;					\
+	if (sel & AU_PRS_FAILURE)					\
+		(m)->am_failure |= c;					\
+} while (0)
+
+#define	SUB_FROM_MASK(m, c, sel) do {					\
+	if (sel & AU_PRS_SUCCESS)					\
+		(m)->am_success &= ((m)->am_success ^ c);		\
+	if (sel & AU_PRS_FAILURE)					\
+		(m)->am_failure &= ((m)->am_failure ^ c);		\
+} while (0)
+
+#define	ADDMASK(m, v) do {						\
+	(m)->am_success |= (v)->am_success;				\
+	(m)->am_failure |= (v)->am_failure;				\
+} while(0)
+
+#define	SUBMASK(m, v) do {						\
+	(m)->am_success &= ((m)->am_success ^ (v)->am_success);		\
+	(m)->am_failure &= ((m)->am_failure ^ (v)->am_failure);		\
+} while(0)
+
+__BEGIN_DECLS
+
+/*
+ * Internal representation of audit user in libnsl.
+ */
+typedef struct au_user_str_s {
+	char	*au_name;
+	char	*au_always;
+	char	*au_never;
+} au_user_str_t;
+
+typedef struct au_tid32 {
+	u_int32_t	port;
+	u_int32_t	addr;
+} au_tid32_t;
+
+typedef struct au_tid64 {
+	u_int64_t	port;
+	u_int32_t	addr;
+} au_tid64_t;
+
+typedef struct au_tidaddr32 {
+	u_int32_t	port;
+	u_int32_t	type;
+	u_int32_t	addr[4];
+} au_tidaddr32_t;
+
+/*
+ * argument #              1 byte
+ * argument value          4 bytes/8 bytes (32-bit/64-bit value)
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_char		 no;
+	u_int32_t	 val;
+	u_int16_t	 len;
+	char		*text;
+} au_arg32_t;
+
+typedef struct {
+	u_char		 no;
+	u_int64_t	 val;
+	u_int16_t	 len;
+	char		*text;
+} au_arg64_t;
+
+/*
+ * how to print            1 byte
+ * basic unit              1 byte
+ * unit count              1 byte
+ * data items              (depends on basic unit)
+ */
+typedef struct {
+	u_char	 howtopr;
+	u_char	 bu;
+	u_char	 uc;
+	u_char	*data;
+} au_arb_t;
+
+/*
+ * file access mode        4 bytes
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * file system ID          4 bytes
+ * node ID                 8 bytes
+ * device                  4 bytes/8 bytes (32-bit/64-bit)
+ */
+typedef struct {
+	u_int32_t	mode;
+   	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	fsid;
+	u_int64_t	nid;
+	u_int32_t	dev;
+} au_attr32_t;
+
+typedef struct {
+	u_int32_t	mode;
+   	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	fsid;
+	u_int64_t	nid;
+	u_int64_t	dev;
+} au_attr64_t;
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+typedef struct {
+	u_int32_t	 count;
+	char		*text[MAX_ARGS];
+} au_execarg_t;
+
+/*
+ * count                   4 bytes
+ * text                    count null-terminated string(s)
+ */
+typedef struct {
+	u_int32_t	 count;
+	char		*text[MAX_ENV];
+} au_execenv_t;
+
+/*
+ * status                  4 bytes
+ * return value            4 bytes
+ */
+typedef struct {
+	u_int32_t	status;
+	u_int32_t	ret;
+} au_exit_t;
+
+/*
+ * seconds of time         4 bytes
+ * milliseconds of time    4 bytes
+ * file name length        2 bytes
+ * file pathname           N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_int32_t	 s;
+	u_int32_t	 ms;
+	u_int16_t	 len;
+	char		*name;
+} au_file_t;
+
+
+/*
+ * number groups           2 bytes
+ * group list              N * 4 bytes
+ */
+typedef struct {
+	u_int16_t	no;
+	u_int32_t	list[BSM_MAX_GROUPS];
+} au_groups_t;
+
+/*
+ * record byte count       4 bytes
+ * version #               1 byte    [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * seconds of time         4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time    4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int32_t	s;
+	u_int32_t	ms;
+} au_header32_t;
+
+/*
+ * record byte count       4 bytes
+ * version #               1 byte     [2]
+ * event type              2 bytes
+ * event modifier          2 bytes
+ * address type/length     1 byte (XXX: actually, 4 bytes)
+ * machine address         4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time         4 bytes/8 bytes  (32/64-bits)
+ * nanoseconds of time     4 bytes/8 bytes  (32/64-bits)
+ */
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int32_t	ad_type;
+	u_int32_t	addr[4];
+	u_int32_t	s;
+	u_int32_t	ms;
+} au_header32_ex_t;
+
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int64_t	s;
+	u_int64_t	ms;
+} au_header64_t;
+
+typedef struct {
+	u_int32_t	size;
+	u_char		version;
+	u_int16_t	e_type;
+	u_int16_t	e_mod;
+	u_int32_t	ad_type;
+	u_int32_t	addr[4];
+	u_int64_t	s;
+	u_int64_t	ms;
+} au_header64_ex_t;
+
+/*
+ * internet address        4 bytes
+ */
+typedef struct {
+	u_int32_t	addr;
+} au_inaddr_t;
+
+/*
+ * type                 4 bytes
+ * internet address     16 bytes
+ */
+typedef struct {
+	u_int32_t	type;
+	u_int32_t	addr[4];
+} au_inaddr_ex_t;
+
+/*
+ * version and ihl         1 byte
+ * type of service         1 byte
+ * length                  2 bytes
+ * id                      2 bytes
+ * offset                  2 bytes
+ * ttl                     1 byte
+ * protocol                1 byte
+ * checksum                2 bytes
+ * source address          4 bytes
+ * destination address     4 bytes
+ */
+typedef struct {
+	u_char		version;
+	u_char		tos;
+	u_int16_t	len;
+	u_int16_t	id;
+	u_int16_t	offset;
+	u_char		ttl;
+	u_char		prot;
+	u_int16_t	chksm;
+	u_int32_t	src;
+	u_int32_t	dest;
+} au_ip_t;
+
+/*
+ * object ID type          1 byte
+ * object ID               4 bytes
+ */
+typedef struct {
+	u_char		type;
+	u_int32_t	id;
+} au_ipc_t;
+
+/*
+ * owner user ID           4 bytes
+ * owner group ID          4 bytes
+ * creator user ID         4 bytes
+ * creator group ID        4 bytes
+ * access mode             4 bytes
+ * slot sequence #         4 bytes
+ * key                     4 bytes
+ */
+typedef struct {
+	u_int32_t	uid;
+	u_int32_t	gid;
+	u_int32_t	puid;
+	u_int32_t	pgid;
+	u_int32_t	mode;
+	u_int32_t	seq;
+	u_int32_t	key;
+} au_ipcperm_t;
+
+/*
+ * port IP address         2 bytes
+ */
+typedef struct {
+	u_int16_t	port;
+} au_iport_t;
+
+/*
+ * length		2 bytes
+ * data			length bytes
+ */
+typedef struct {
+	u_int16_t	 size;
+	char		*data;
+} au_opaque_t;
+
+/*
+ * path length             2 bytes
+ * path                    N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_int16_t	 len;
+	char		*path;
+} au_path_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address       4 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid32_t	tid;
+} au_proc32_t;
+
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid64_t	tid;
+} au_proc64_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * type                  4 bytes
+ * machine address       16 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tidaddr32_t	tid;
+} au_proc32ex_t;
+
+/*
+ * error status            1 byte
+ * return value            4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+	u_char		status;
+	u_int32_t	ret;
+} au_ret32_t;
+
+typedef struct {
+	u_char		err;
+	u_int64_t	val;
+} au_ret64_t;
+
+/*
+ * sequence number         4 bytes
+ */
+typedef struct {
+	u_int32_t	seqno;
+} au_seq_t;
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * local Internet address  4 bytes
+ * remote port             2 bytes
+ * remote Internet address 4 bytes
+ */
+typedef struct {
+	u_int16_t	type;
+	u_int16_t	l_port;
+	u_int32_t	l_addr;
+	u_int16_t	r_port;
+	u_int32_t	r_addr;
+} au_socket_t;
+
+/*
+ * socket type             2 bytes
+ * local port              2 bytes
+ * address type/length     4 bytes
+ * local Internet address  4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port             4 bytes
+ * address type/length     4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+	u_int16_t	type;
+	u_int16_t	l_port;
+	u_int32_t	l_ad_type;
+	u_int32_t	l_addr;
+	u_int32_t	r_port;
+	u_int32_t	r_ad_type;
+	u_int32_t	r_addr;
+} au_socket_ex32_t;
+
+/*
+ * socket family           2 bytes
+ * local port              2 bytes
+ * socket address          4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+	u_int16_t	family;
+	u_int16_t	port;
+	u_int32_t	addr;
+} au_socketinet32_t;
+
+/*
+ * socket family           2 bytes
+ * path                    104 bytes
+ */
+typedef struct {
+	u_int16_t	family;
+	char		path[104];
+} au_socketunix_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * 	port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * 	machine address       4 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid32_t	tid;
+} au_subject32_t;
+
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tid64_t	tid;
+} au_subject64_t;
+
+/*
+ * audit ID                4 bytes
+ * effective user ID       4 bytes
+ * effective group ID      4 bytes
+ * real user ID            4 bytes
+ * real group ID           4 bytes
+ * process ID              4 bytes
+ * session ID              4 bytes
+ * terminal ID
+ * port ID               4 bytes/8 bytes (32-bit/64-bit value)
+ * type                  4 bytes
+ * machine address       16 bytes
+ */
+typedef struct {
+	u_int32_t	auid;
+	u_int32_t	euid;
+	u_int32_t	egid;
+	u_int32_t	ruid;
+	u_int32_t	rgid;
+	u_int32_t	pid;
+	u_int32_t	sid;
+	au_tidaddr32_t	tid;
+} au_subject32ex_t;
+
+/*
+ * text length             2 bytes
+ * text                    N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+	u_int16_t	 len;
+	char		*text;
+} au_text_t;
+
+typedef struct {
+	u_int32_t	ident;
+	u_int16_t	filter;
+	u_int16_t	flags;
+	u_int32_t	fflags;
+	u_int32_t	data;
+} au_kevent_t;
+
+typedef struct {
+	u_int16_t	 length;
+	char		*data;
+} au_invalid_t;
+
+/*
+ * trailer magic number    2 bytes
+ * record byte count       4 bytes
+ */
+typedef struct {
+	u_int16_t	magic;
+	u_int32_t	count;
+} au_trailer_t;
+
+struct tokenstr {
+	u_char	 id;
+	u_char	*data;
+	size_t	 len;
+	union {
+		au_arg32_t		arg32;
+		au_arg64_t		arg64;
+		au_arb_t		arb;
+		au_attr32_t		attr32;
+		au_attr64_t		attr64;
+		au_execarg_t		execarg;
+		au_execenv_t		execenv;
+		au_exit_t		exit;
+		au_file_t		file;
+		au_groups_t		grps;
+		au_header32_t		hdr32;
+		au_header32_ex_t	hdr32_ex;
+		au_header64_t		hdr64;
+		au_header64_ex_t	hdr64_ex;
+		au_inaddr_t		inaddr;
+		au_inaddr_ex_t		inaddr_ex;
+		au_ip_t			ip;
+		au_ipc_t		ipc;
+		au_ipcperm_t		ipcperm;
+		au_iport_t		iport;
+		au_opaque_t		opaque;
+		au_path_t		path;
+		au_proc32_t		proc32;
+		au_proc64_t		proc64;
+		au_proc32ex_t		proc32_ex;
+		au_ret32_t		ret32;
+		au_ret64_t		ret64;
+		au_seq_t		seq;
+		au_socket_t		socket;
+		au_socket_ex32_t	socket_ex32;
+		au_socketinet32_t	sockinet32;
+		au_socketunix_t		sockunix;
+		au_subject32_t		subj32;
+		au_subject64_t		subj64;
+		au_subject32ex_t	subj32_ex;
+		au_text_t		text;
+		au_kevent_t		kevent;
+		au_invalid_t		invalid;
+		au_trailer_t		trail;
+	} tt; /* The token is one of the above types */
+};
+
+typedef struct tokenstr tokenstr_t;
+
+/*
+ * Functions relating to querying audit class information.
+ */
+void			 setauclass(void);
+void			 endauclass(void);
+struct au_class_ent	*getauclassent(void);
+struct au_class_ent	*getauclassent_r(au_class_ent_t *class_int);
+struct au_class_ent	*getauclassnam(const char *name);
+struct au_class_ent	*getauclassnam_r(au_class_ent_t *class_int,
+			    const char *name);
+struct au_class_ent	*getauclassnum(au_class_t class_number);
+struct au_class_ent	*getauclassnum_r(au_class_ent_t *class_int,
+			    au_class_t class_number);
+
+/*
+ * Functions relating to querying audit control information.
+ */
+void			 setac(void);
+void			 endac(void);
+int			 getacdir(char *name, int len);
+int			 getacmin(int *min_val);
+int			 getacflg(char *auditstr, int len);
+int			 getacna(char *auditstr, int len);
+int			 getauditflagsbin(char *auditstr, au_mask_t *masks);
+int			 getauditflagschar(char *auditstr, au_mask_t *masks,
+			    int verbose);
+int			 au_preselect(au_event_t event, au_mask_t *mask_p,
+			    int sorf, int flag);
+
+/*
+ * Functions relating to querying audit event information.
+ *
+ * XXXRW: getauevnonam() has no _r version?
+ */
+void			 setauevent(void);
+void			 endauevent(void);
+struct au_event_ent	*getauevent(void);
+struct au_event_ent	*getauevent_r(struct au_event_ent *e);
+struct au_event_ent	*getauevnam(const char *name);
+struct au_event_ent	*getauevnam_r(struct au_event_ent *e,
+			    const char *name);
+struct au_event_ent	*getauevnum(au_event_t event_number);
+struct au_event_ent	*getauevnum_r(struct au_event_ent *e,
+			    au_event_t event_number);
+au_event_t		*getauevnonam(const char *event_name);
+au_event_t		*getauevnonam_r(au_event_t *ev,
+			    const char *event_name);
+
+/*
+ * Functions relating to querying audit user information.
+ */
+void			 setauuser(void);
+void			 endauuser(void);
+struct au_user_ent	*getauuserent(void);
+struct au_user_ent	*getauuserent_r(struct au_user_ent *u);
+struct au_user_ent	*getauusernam(const char *name);
+struct au_user_ent	*getauusernam_r(struct au_user_ent *u,
+			    const char *name);
+int			 au_user_mask(char *username, au_mask_t *mask_p);
+int			 getfauditflags(au_mask_t *usremask,
+			    au_mask_t *usrdmask, au_mask_t *lastmask);
+
+/*
+ * Functions for reading and printing records and tokens from audit trails.
+ */
+int			 au_read_rec(FILE *fp, u_char **buf);
+int			 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
+//XXX The following interface has different prototype from BSM
+void			 au_print_tok(FILE *outfp, tokenstr_t *tok,
+			    char *del, char raw, char sfrm);
+__END_DECLS
+
+#ifdef __APPLE__
+#include <sys/appleapiopts.h>
+
+/**************************************************************************
+ **************************************************************************
+ ** The following definitions, functions, etc., are NOT officially
+ ** supported: they may be changed or removed in the future.  Do not use
+ ** them unless you are prepared to cope with that eventuality.
+ **************************************************************************
+ **************************************************************************/
+
+#ifdef __APPLE_API_PRIVATE
+#define	__BSM_INTERNAL_NOTIFY_KEY	"com.apple.audit.change"
+#endif /* __APPLE_API_PRIVATE */
+
+/*
+ * au_get_state() return values
+ * XXX  use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
+ * AUDIT_ON are deprecated and WILL be removed.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define	AUDIT_OFF	AUC_NOAUDIT
+#define	AUDIT_ON	AUC_AUDITING
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+/*
+ * Error return codes for audit_set_terminal_id(), audit_write() and its
+ * brethren.  We have 255 (not including kAUNoErr) to play with.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+enum {
+	kAUNoErr			= 0,
+	kAUBadParamErr			= -66049,
+	kAUStatErr,
+	kAUSysctlErr,
+	kAUOpenErr,
+	kAUMakeSubjectTokErr,
+	kAUWriteSubjectTokErr,
+	kAUWriteCallerTokErr,
+	kAUMakeReturnTokErr,
+	kAUWriteReturnTokErr,
+	kAUCloseErr,
+	kAUMakeTextTokErr,
+	kAULastErr
+};
+
+#ifdef __APPLE__
+/*
+ * Error return codes for au_get_state() and/or its private support
+ * functions.  These codes are designed to be compatible with the
+ * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
+ * Any changes to notify(3) may cause these values to change in future.
+ *
+ * AU_UNIMPL should never happen unless you've changed your system software
+ * without rebooting.  Shame on you.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define	AU_UNIMPL	NOTIFY_STATUS_FAILED + 1	/* audit unimplemented */
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+__BEGIN_DECLS
+/*
+ * XXX  This prototype should be in audit_record.h
+ *
+ * au_free_token()
+ *
+ * @summary - au_free_token() deallocates a token_t created by any of
+ * the au_to_*() BSM API functions.
+ *
+ * The BSM API generally manages deallocation of token_t objects.  However,
+ * if au_write() is passed a bad audit descriptor, the token_t * parameter
+ * will be left untouched.  In that case, the caller can deallocate the
+ * token_t using au_free_token() if desired.  This is, in fact, what
+ * audit_write() does, in keeping with the existing memory management model
+ * of the BSM API.
+ *
+ * @param tok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  For convenience, tok may be NULL, in which case
+ * au_free_token() returns immediately.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void	au_free_token(token_t *tok);
+
+/*
+ * Lightweight check to determine if auditing is enabled.  If a client
+ * wants to use this to govern whether an entire series of audit calls
+ * should be made--as in the common case of a caller building a set of
+ * tokens, then writing them--it should cache the audit status in a local
+ * variable.  This call always returns the current state of auditing.
+ *
+ * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
+ * Otherwise the function can return any of the errno values defined for
+ * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
+ * the system.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	au_get_state(void);
+__END_DECLS
+
+/* OpenSSH compatibility */
+#define	cannot_audit(x)	(!(au_get_state() == AUC_AUDITING))
+
+__BEGIN_DECLS
+/*
+ * audit_set_terminal_id()
+ *
+ * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
+ * used in audit session initialization by processes like /usr/bin/login.
+ *
+ * @param tid - A pointer to an au_tid_t struct.
+ *
+ * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
+ * or kAUSysctlErr if one of the underlying system calls fails (a message
+ * is sent to the system log in those cases).
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_set_terminal_id(au_tid_t *tid);
+
+/*
+ * BEGIN au_write() WRAPPERS
+ *
+ * The following calls all wrap the existing BSM API.  They use the
+ * provided subject information, if any, to construct the subject token
+ * required for every log message.  They use the provided return/error
+ * value(s), if any, to construct the success/failure indication required
+ * for every log message.  They only permit one "miscellaneous" token,
+ * which should contain the event-specific logging information mandated by
+ * CAPP.
+ *
+ * All these calls assume the caller has previously determined that
+ * auditing is enabled by calling au_get_state().
+ */
+
+/*
+ * audit_write()
+ *
+ * @summary - audit_write() is the basis for the other audit_write_*()
+ * calls.  Performs a basic write of an audit record (subject, additional
+ * info, success/failure).  Note that this call only permits logging one
+ * caller-specified token; clients needing to log more flexibly must use
+ * the existing BSM API (au_open(), et al.) directly.
+ *
+ * Note on memory management: audit_write() guarantees that the token_t *s
+ * passed to it will be deallocated whether or not the underlying write to
+ * the audit log succeeded.  This addresses an inconsistency in the
+ * underlying BSM API in which token_t *s are usually but not always
+ * deallocated.
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param subject - A token_t * generated by au_to_subject(),
+ * au_to_subject32(), au_to_subject64(), or au_to_me().  If no subject is
+ * required, subject should be NULL.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  This should correspond to the additional information required by
+ * CAPP for the event being audited.  If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param retval - The return value to be logged for this event.  This
+ * should be 0 (zero) for success, otherwise the value is event-specific.
+ *
+ * @param errcode - Any error code associated with the return value (e.g.,
+ * errno or h_errno).  If there was no error, errcode should be 0 (zero).
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write(short event_code, token_t *subject, token_t *misctok,
+	    char retval, int errcode);
+
+/*
+ * audit_write_success()
+ *
+ * @summary - audit_write_success() records an auditable event that did not
+ * encounter an error.  The interface is designed to require as little
+ * direct use of the au_to_*() API as possible.  It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_success_self().
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  This should correspond to the additional information required by
+ * CAPP for the event being audited.  If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_success(short event_code, token_t *misctok, au_id_t auid,
+	    uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
+	    au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_success_self()
+ *
+ * @summary - Similar to audit_write_success(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls.  This should correspond to the additional information required by
+ * CAPP for the event being audited.  If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_success_self(short event_code, token_t *misctok);
+
+/*
+ * audit_write_failure()
+ *
+ * @summary - audit_write_failure() records an auditable event that
+ * encountered an error.  The interface is designed to require as little
+ * direct use of the au_to_*() API as possible.  It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_failure_self().
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error.  This is intended to store the value of errno or h_errno if
+ * it's relevant.  This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_failure(short event_code, char *errmsg, int errret,
+	    au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+	    pid_t pid, au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_failure_self()
+ *
+ * @summary - Similar to audit_write_failure(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error.  This is intended to store the value of errno or h_errno if
+ * it's relevant.  This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_failure_self(short event_code, char *errmsg, int errret);
+
+/*
+ * audit_write_failure_na()
+ *
+ * @summary - audit_write_failure_na() records errors during login.  Such
+ * errors are implicitly non-attributable (i.e., not ascribable to any user).
+ *
+ * @param event_code - The code for the event being logged.  This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error.  This is intended to store the value of errno or h_errno if
+ * it's relevant.  This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int	audit_write_failure_na(short event_code, char *errmsg, int errret,
+	    uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
+
+/* END au_write() WRAPPERS */
+
+#ifdef  __APPLE__
+/*
+ * audit_token_to_au32()
+ *
+ * @summary - Extract information from an audit_token_t, used to identify
+ * Mach tasks and senders of Mach messages as subjects to the audit system.
+ * audit_tokent_to_au32() is the only method that should be used to parse
+ * an audit_token_t, since its internal representation may change over
+ * time.  A pointer parameter may be NULL if that information is not
+ * needed.
+ *
+ * @param atoken - the audit token containing the desired information
+ *
+ * @param auidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's audit user ID
+ *
+ * @param euidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's effective user ID
+ *
+ * @param egidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's effective group ID
+ *
+ * @param ruidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's real user ID
+ *
+ * @param rgidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's real group ID
+ *
+ * @param pidp - Pointer to a pid_t; on return will be set to the task or
+ * sender's process ID
+ *
+ * @param asidp - Pointer to an au_asid_t; on return will be set to the
+ * task or sender's audit session ID
+ *
+ * @param tidp - Pointer to an au_tid_t; on return will be set to the task
+ * or sender's terminal ID
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void audit_token_to_au32(
+	audit_token_t	 atoken,
+	uid_t		*auidp,
+	uid_t		*euidp,
+	gid_t		*egidp,
+	uid_t		*ruidp,
+	gid_t		*rgidp,
+	pid_t		*pidp,
+	au_asid_t	*asidp,
+	au_tid_t	*tidp);
+#endif /* !__APPLE__ */
+
+__END_DECLS
+
+#endif /* !_LIBBSM_H_ */