Diffstat (limited to 'contrib/openbsm/bsm')
-rw-r--r-- | contrib/openbsm/bsm/Makefile.am | 3 | ||||
-rw-r--r-- | contrib/openbsm/bsm/Makefile.in | 3 | ||||
-rw-r--r-- | contrib/openbsm/bsm/audit_uevents.h | 96 | ||||
-rw-r--r-- | contrib/openbsm/bsm/auditd_lib.h | 105 | ||||
-rw-r--r-- | contrib/openbsm/bsm/libbsm.h | 32 |
5 files changed, 203 insertions, 36 deletions
diff --git a/contrib/openbsm/bsm/Makefile.am b/contrib/openbsm/bsm/Makefile.am
index cad4115..b92f9cd 100644
--- a/contrib/openbsm/bsm/Makefile.am
+++ b/contrib/openbsm/bsm/Makefile.am
@@ -1,5 +1,5 @@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.am#3 $
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.am#4 $
 #
 openbsmdir = $(includedir)/bsm
@@ -7,5 +7,6 @@ openbsmdir = $(includedir)/bsm
 openbsm_HEADERS = \
 audit_filter.h \
 audit_uevents.h \
+ auditd_lib.h \
 libbsm.h
diff --git a/contrib/openbsm/bsm/Makefile.in b/contrib/openbsm/bsm/Makefile.in
index ed82a3b..5ea5ee2 100644
--- a/contrib/openbsm/bsm/Makefile.in
+++ b/contrib/openbsm/bsm/Makefile.in
@@ -15,7 +15,7 @@
 @SET_MAKE@
 #
-# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.in#8 $
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile.in#9 $
 #
 VPATH = @srcdir@
@@ -172,6 +172,7 @@ openbsmdir = $(includedir)/bsm
 openbsm_HEADERS = \
 audit_filter.h \
 audit_uevents.h \
+ auditd_lib.h \
 libbsm.h
 all: all-am
diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h
index 03d0f9b..53c5616 100644
--- a/contrib/openbsm/bsm/audit_uevents.h
+++ b/contrib/openbsm/bsm/audit_uevents.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -26,22 +26,14 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#8 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#10 $
 */
 #ifndef _BSM_AUDIT_UEVENTS_H_
 #define _BSM_AUDIT_UEVENTS_H_
-/*-
- * User level audit event numbers
- *
- * Range of audit event numbers:
- * 0 Reserved, invalid
- * 1 - 2047 Reserved for kernel events
- * 2048 - 32767 Defined by BSM for user events
- * 32768 - 36864 Reserved for Mac OS-X applications
- * 36865 - 65535 Reserved for applications
- *
+/*
+ * Solaris userspace events.
 */
 #define AUE_at_create 6144
 #define AUE_at_delete 6145
@@ -70,8 +62,13 @@
 #define AUE_shutdown 6168
 #define AUE_poweroff 6169
 #define AUE_crontab_mod 6170
-#define AUE_audit_startup 6171
-#define AUE_audit_shutdown 6172
+#define AUE_ftpd_logout 6171
+#define AUE_ssh 6172
+#define AUE_role_login 6173
+#define AUE_prof_cmd 6180
+#define AUE_filesystem_add 6181
+#define AUE_filesystem_delete 6182
+#define AUE_filesystem_modify 6183
 #define AUE_allocate_succ 6200
 #define AUE_allocate_fail 6201
 #define AUE_deallocate_succ 6202
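Review bot: `AUE_ftpd_logout` and `AUE_ssh` take over 6171 and 6172, the values the removed lines gave to `AUE_audit_startup` and `AUE_audit_shutdown`, so a trail written before this change will have its audit start and stop records labelled as FTP logout and SSH by anything built from the new header. Those two records are what a reviewer uses to spot gaps in auditing, so the reuse deserves a comment at the point of definition, for example `#define AUE_ftpd_logout 6171 /* Darwin trails before renumbering: audit startup. */` and the same for 6172. The `@@ -83,20 +80,63 @@` hunk keeps the old values as `AUE_DARWIN_*`, but nothing visible here tells a reader of an old trail which meaning applies; whether the event-name database outside `bsm/` is updated to match cannot be seen from this limited diffstat.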
@@ -83,20 +80,63 @@
 #define AUE_delete_user 6209
 #define AUE_disable_user 6210
 #define AUE_enable_user 6211
-#define AUE_sudo 6300
-#define AUE_modify_password 6501 /* Not assigned by Sun. */
-#define AUE_create_group 6511 /* Not assigned by Sun. */
-#define AUE_delete_group 6512 /* Not assigned by Sun. */
-#define AUE_modify_group 6513 /* Not assigned by Sun. */
-#define AUE_add_to_group 6514 /* Not assigned by Sun. */
-#define AUE_remove_from_group 6515 /* Not assigned by Sun. */
-#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */
-#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */
-#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */
-#define AUE_auth_user 7000 /* Not assigned by Sun. */
-#define AUE_ssconn 7001 /* Not assigned by Sun. */
-#define AUE_ssauthorize 7002 /* Not assigned by Sun. */
-#define AUE_ssauthint 7003 /* Not assigned by Sun. */
+#define AUE_newgrp_login 6212
+#define AUE_admin_authentication 6213
+#define AUE_kadmind_auth 6214
+#define AUE_kadmind_unauth 6215
+#define AUE_krb5kdc_as_req 6216
+#define AUE_krb5kdc_tgs_req 6217
+#define AUE_krb5kdc_tgs_req_2ndtktmm 6218
+#define AUE_krb5kdc_tgs_req_alt_tgt 6219
+
+/*
+ * Historic Darwin use of the low event numbering space, which collided with
+ * the Solaris event space. Now obsoleted and new, higher, event numbers
+ * assigned to make it easier to interpret Solaris events using the OpenBSM
+ * tools.
+ */
+#define AUE_DARWIN_audit_startup 6171
+#define AUE_DARWIN_audit_shutdown 6172
+#define AUE_DARWIN_sudo 6300
+#define AUE_DARWIN_modify_password 6501
+#define AUE_DARWIN_create_group 6511
+#define AUE_DARWIN_delete_group 6512
+#define AUE_DARWIN_modify_group 6513
+#define AUE_DARWIN_add_to_group 6514
+#define AUE_DARWIN_remove_from_group 6515
+#define AUE_DARWIN_revoke_obj 6521
+#define AUE_DARWIN_lw_login 6600
+#define AUE_DARWIN_lw_logout 6601
+#define AUE_DARWIN_auth_user 7000
+#define AUE_DARWIN_ssconn 7001
+#define AUE_DARWIN_ssauthorize 7002
+#define AUE_DARWIN_ssauthint 7003
+
+/*
+ * Historic/third-party appliation allocations of event idenfiers.
+ */
 #define AUE_openssh 32800
+/*
+ * OpenBSM-managed application event space.
+ */
+#define AUE_audit_startup 45000 /* Darwin-specific. */
+#define AUE_audit_shutdown 45001 /* Darwin-specific. */
+#define AUE_modify_password 45014 /* Darwin-specific. */
+#define AUE_create_group 45015 /* Darwin-specific. */
+#define AUE_delete_group 45016 /* Darwin-specific. */
+#define AUE_modify_group 45017 /* Darwin-specific. */
+#define AUE_add_to_group 45018 /* Darwin-specific. */
+#define AUE_remove_from_group 45019 /* Darwin-specific. */
+#define AUE_revoke_obj 45020 /* Darwin-specific. */
+#define AUE_lw_login 45021 /* Darwin-specific. */
+#define AUE_lw_logout 45022 /* Darwin-specific. */
+#define AUE_auth_user 45023 /* Darwin-specific. */
+#define AUE_ssconn 45024 /* Darwin-specific. */
+#define AUE_ssauthorize 45025 /* Darwin-specific. */
+#define AUE_ssauthint 45026 /* Darwin-specific. */
+#define AUE_calife 45027 /* OpenBSM-allocated. */
+#define AUE_sudo 45028 /* OpenBSM-allocated. */
+#define AUE_audit_recovery 45029 /* OpenBSM-allocated. */
+
 #endif /* !_BSM_AUDIT_UEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/auditd_lib.h b/contrib/openbsm/bsm/auditd_lib.h
new file mode 100644
index 0000000..77acff7
--- /dev/null
+++ b/contrib/openbsm/bsm/auditd_lib.h
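Review bot: The names `AUE_sudo`, `AUE_auth_user`, `AUE_modify_password` and the other former Darwin events keep their spelling but change value in the `@@ -83,20 +80,63 @@` hunk (for example `AUE_sudo` goes from 6300 to 45028), so code that uses the macro keeps compiling while any filter, class mapping or detection rule that stored the number stops matching without an error. The comment over the `AUE_DARWIN_*` block should say that readers of existing trails must accept both the old and the new number for each event. The new comment `Historic/third-party appliation allocations of event idenfiers.` has two typos and should read `Historic/third-party application allocations of event identifiers.`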
@@ -0,0 +1,105 @@
+/*-
+ * Copyright (c) 2008 Apple Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#2 $
+ */
+
+#ifndef _BSM_AUDITD_LIB_H_
+#define _BSM_AUDITD_LIB_H_
+
+/*
+ * Lengths for audit trail file components.
+ */
+#define NOT_TERMINATED "not_terminated"
+#define CRASH_RECOVERY "crash_recovery"
+#define POSTFIX_LEN (sizeof("YYYYMMDDhhmmss") - 1)
+#define FILENAME_LEN ((2 * POSTFIX_LEN) + 2)
+#define TIMESTAMP_LEN (POSTFIX_LEN + 1)
+
+/*
+ * Macro to generate the timestamp string for trail file.
+ */
+#define getTSstr(t, b, l) \
+ ( (((t) = time(0)) == (time_t)-1 ) || \
+ !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)) ) ) ? -1 : 0
+
+/*
+ * The symbolic link to the currently active audit trail file.
+ */
+#define AUDIT_CURRENT_LINK "/var/audit/current"
+
+/*
+ * Path of auditd plist file for launchd.
+ */
+#define AUDITD_PLIST_FILE \
+ "/System/Library/LaunchDaemons/org.trustedbsd.auditd.plist"
+
+/*
+ * Error return codes for auditd_lib functions.
+ */
+#define ADE_NOERR 0 /* No Error or Success. */
+#define ADE_PARSE -1 /* Error parsing audit_control(5). */
+#define ADE_AUDITON -2 /* auditon(2) call failed. */
+#define ADE_NOMEM -3 /* Error allocating memory. */
+#define ADE_SOFTLIM -4 /* All audit log directories over soft limit. */
+#define ADE_HARDLIM -5 /* All audit log directories over hard limit. */
+#define ADE_STRERR -6 /* Error creating file name string. */
+#define ADE_AU_OPEN -7 /* au_open(3) failed. */
+#define ADE_AU_CLOSE -8 /* au_close(3) failed. */
+#define ADE_SETAUDIT -9 /* setaudit(2) or setaudit_addr(2) failed. */
+#define ADE_ACTL -10 /* "Soft" error with auditctl(2). */
+#define ADE_ACTLERR -11 /* "Hard" error with auditctl(2). */
+#define ADE_SWAPERR -12 /* The audit trail file could not be swap. */
+#define ADE_RENAME -13 /* Error renaming crash recovery file. */
+#define ADE_READLINK -14 /* Error reading 'current' link. */
+#define ADE_SYMLINK -15 /* Error creating 'current' link. */
+#define ADE_INVAL -16 /* Invalid argument. */
+#define ADE_GETADDR -17 /* Error resolving address from hostname. */
+#define ADE_ADDRFAM -18 /* Address family not supported. */
+
+/*
+ * auditd_lib functions.
+ */
+const char *auditd_strerror(int errcode);
+int auditd_set_minfree(void);
+int auditd_read_dirs(int (*warn_soft)(char *), int (*warn_hard)(char *));
+void auditd_close_dirs(void);
+int auditd_set_evcmap(void);
+int auditd_set_namask(void);
+int auditd_set_policy(void);
+int auditd_set_fsize(void);
+int auditd_set_host(void);
+int auditd_swap_trail(char *TS, char **newfile, gid_t gid,
+ int (*warn_getacdir)(char *));
+int auditd_prevent_audit(void);
+int auditd_gen_record(int event, char *path);
+int auditd_new_curlink(char *curfile);
+int audit_quick_start(void);
+int audit_quick_stop(void);
+
+#endif /* !_BSM_AUDITD_LIB_H_ */
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
index 97b9530..ba96e9d 100644
--- a/contrib/openbsm/bsm/libbsm.h
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -1,5 +1,5 @@
 /*-
- * Copyright (c) 2004 Apple Inc.
+ * Copyright (c) 2004-2008 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -26,7 +26,7 @@
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#35 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#40 $
 */
 #ifndef _LIBBSM_H_
@@ -547,13 +547,13 @@ typedef struct {
 * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
 */
 typedef struct {
+ u_int16_t domain;
 u_int16_t type;
+ u_int16_t atype;
 u_int16_t l_port;
- u_int32_t l_ad_type;
- u_int32_t l_addr;
+ u_int32_t l_addr[4];
 u_int32_t r_port;
- u_int32_t r_ad_type;
- u_int32_t r_addr;
+ u_int32_t r_addr[4];
 } au_socket_ex32_t;
 /*
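Review bot: `getTSstr` in the new `auditd_lib.h` expands to a bare conditional expression with no outer parentheses, so `getTSstr(t, b, l) != 0`, or any use inside a larger expression, binds to the `? -1 : 0` operands instead of the result; wrap the whole expansion, `#define getTSstr(t, b, l) (((((t) = time(0)) == (time_t)-1) || !strftime((b), (l), "%Y%m%d%H%M%S", gmtime(&(t)))) ? -1 : 0)`. The macro also hands the return value of `gmtime()` straight to `strftime()`, which is a null pointer dereference if `gmtime()` fails, so a checked inline helper would be safer than a macro for code that names audit trail files. The header uses `time_t`, `gid_t`, `time()` and `strftime()`, but the hunk, which is the whole new file, includes nothing, so it only compiles when the includer has already pulled in `<time.h>` and `<sys/types.h>`.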
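Review bot: `au_socket_ex32_t` now stores both addresses as `u_int32_t[4]` under a single `atype`, but nothing in the struct says how many words are valid for each `atype` value now that the per-side `l_ad_type` and `r_ad_type` are gone. Going by the context comment (4 bytes/16 bytes for IPv4/IPv6), a field comment such as `/* atype selects IPv4 (first word only) or IPv6 (all four words) for both l_addr and r_addr. */` would tell token parsers and printers to bound their copies by `atype` and to reject unknown values instead of reading 16 bytes from a record. The change also reorders and resizes fields, so code built against the old header misreads the struct; the definition's leading comment starts above this hunk.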
@@ -824,6 +824,13 @@ void au_print_xml_footer(FILE *outfp);
 __END_DECLS
 /*
+ * Functions relating to BSM<->errno conversion.
+ */
+int au_bsm_to_errno(u_char bsm_error, int *errorp);
+u_char au_errno_to_bsm(int error);
+const char *au_strerror(u_char bsm_error);
+
+/*
 * The remaining APIs are associated with Apple's BSM implementation, in
 * particular as relates to Mach IPC auditing and triggers passed via Mach
 * IPC.
@@ -930,6 +937,19 @@ void au_free_token(token_t *tok);
 * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
 */
 int au_get_state(void);
+
+/*
+ * Initialize the audit notification. If it has not already been initialized
+ * it will automatically on the first call of au_get_state().
+ */
+uint32_t au_notify_initialize(void);
+
+/*
+ * Cancel audit notification and free the resources associated with it.
+ * Responsible code that no longer needs to use au_get_state() should call
+ * this.
+ */
+int au_notify_terminate(void);
 __END_DECLS
 /* OpenSSH compatibility */ |
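Review bot: The three BSM/errno prototypes are added after the `__END_DECLS` context line, so as far as this hunk shows they sit outside the linkage guard the rest of the header uses, and a C++ consumer would declare them with C++ linkage and fail to link against libbsm. Move the guard down so that `__END_DECLS` follows `const char *au_strerror(u_char bsm_error);`; the matching `__BEGIN_DECLS` is above the hunk. `au_bsm_to_errno()` also has no comment saying what it returns or what `*errorp` holds when `bsm_error` has no local equivalent, which callers decoding return tokens from trails written on another system need to know.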
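Review bot: The comment on `au_notify_initialize()` drops its verb (`it will automatically on the first call`), and neither new prototype documents its return value, which matters because one returns `uint32_t` and the other `int`. Suggested wording: `If it has not already been initialized, it is initialized automatically on the first call of au_get_state().` plus one line per function stating which value means success. `uint32_t` is also the only C99 spelling in the visible hunks, where `au_socket_ex32_t` uses `u_int32_t`; whether `<stdint.h>` is included is not visible here.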