summaryrefslogtreecommitdiffstats
path: root/contrib/openbsm/bsm
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/openbsm/bsm')
-rw-r--r--contrib/openbsm/bsm/Makefile22
-rw-r--r--contrib/openbsm/bsm/audit.h327
-rw-r--r--contrib/openbsm/bsm/audit_internal.h99
-rw-r--r--contrib/openbsm/bsm/audit_kevents.h494
-rw-r--r--contrib/openbsm/bsm/audit_record.h325
-rw-r--r--contrib/openbsm/bsm/audit_uevents.h102
-rw-r--r--contrib/openbsm/bsm/libbsm.h1175
7 files changed, 2544 insertions, 0 deletions
diff --git a/contrib/openbsm/bsm/Makefile b/contrib/openbsm/bsm/Makefile
new file mode 100644
index 0000000..ba63701
--- /dev/null
+++ b/contrib/openbsm/bsm/Makefile
@@ -0,0 +1,22 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/bsm/Makefile#7 $
+#
+
+INCS= audit.h \
+ audit_internal.h \
+ audit_kevents.h \
+ audit_record.h \
+ audit_uevents.h \
+ libbsm.h
+
+TARGET= ${DESTDIR}/usr/include/bsm
+
+all:
+default:
+depend:
+clean:
+
+install:
+ mkdir -p -m 0755 ${TARGET}
+ install -o root -g wheel -m 0644 ${INCS} ${TARGET}
+
diff --git a/contrib/openbsm/bsm/audit.h b/contrib/openbsm/bsm/audit.h
new file mode 100644
index 0000000..1d208c1
--- /dev/null
+++ b/contrib/openbsm/bsm/audit.h
@@ -0,0 +1,327 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_H
+#define _BSM_AUDIT_H
+
+#define AUDIT_RECORD_MAGIC 0x828a0f1b
+#define MAX_AUDIT_RECORDS 20
+#define MAX_AUDIT_RECORD_SIZE 4096
+#define MIN_AUDIT_FILE_SIZE (512 * 1024)
+
+/*
+ * Triggers for the audit daemon
+ */
+#define AUDIT_TRIGGER_MIN 1
+#define AUDIT_TRIGGER_LOW_SPACE 1
+#define AUDIT_TRIGGER_OPEN_NEW 2
+#define AUDIT_TRIGGER_READ_FILE 3
+#define AUDIT_TRIGGER_CLOSE_AND_DIE 4
+#define AUDIT_TRIGGER_NO_SPACE 5
+#define AUDIT_TRIGGER_MAX 5
+
+/*
+ * File that will be read for trigger events from the kernel
+ */
+#define AUDIT_TRIGGER_FILE "/dev/audit"
+
+/*
+ * Pre-defined audit IDs
+ */
+#define AU_DEFAUDITID -1
+
+/*
+ * Define the masks for the classes of audit events.
+ */
+#define AU_NULL 0x00000000
+#define AU_FREAD 0x00000001
+#define AU_FWRITE 0x00000002
+#define AU_FACCESS 0x00000004
+#define AU_FMODIFY 0x00000008
+#define AU_FCREATE 0x00000010
+#define AU_FDELETE 0x00000020
+#define AU_CLOSE 0x00000040
+#define AU_PROCESS 0x00000080
+#define AU_NET 0x00000100
+#define AU_IPC 0x00000200
+#define AU_NONAT 0x00000400
+#define AU_ADMIN 0x00000800
+#define AU_LOGIN 0x00001000
+#define AU_TFM 0x00002000
+#define AU_APPL 0x00004000
+#define AU_SETL 0x00008000
+#define AU_IFLOAT 0x00010000
+#define AU_PRIV 0x00020000
+#define AU_MAC_RW 0x00040000
+#define AU_XCONN 0x00080000
+#define AU_XCREATE 0x00100000
+#define AU_XDELETE 0x00200000
+#define AU_XIFLOAT 0x00400000
+#define AU_XPRIVS 0x00800000
+#define AU_XPRIVF 0x01000000
+#define AU_XMOVE 0x02000000
+#define AU_XDACF 0x04000000
+#define AU_XMACF 0x08000000
+#define AU_XSECATTR 0x10000000
+#define AU_IOCTL 0x20000000
+#define AU_EXEC 0x40000000
+#define AU_OTHER 0x80000000
+#define AU_ALL 0xffffffff
+
+/*
+ * IPC types
+ */
+#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
+#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
+#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
+
+/*
+ * Audit conditions.
+ */
+#define AUC_UNSET 0
+#define AUC_AUDITING 1
+#define AUC_NOAUDIT 2
+#define AUC_DISABLED -1
+
+/*
+ * auditon(2) commands.
+ */
+#define A_GETPOLICY 2
+#define A_SETPOLICY 3
+#define A_GETKMASK 4
+#define A_SETKMASK 5
+#define A_GETQCTRL 6
+#define A_SETQCTRL 7
+#define A_GETCWD 8
+#define A_GETCAR 9
+#define A_GETSTAT 12
+#define A_SETSTAT 13
+#define A_SETUMASK 14
+#define A_SETSMASK 15
+#define A_GETCOND 20
+#define A_SETCOND 21
+#define A_GETCLASS 22
+#define A_SETCLASS 23
+#define A_GETPINFO 24
+#define A_SETPMASK 25
+#define A_SETFSIZE 26
+#define A_GETFSIZE 27
+#define A_GETPINFO_ADDR 28
+#define A_GETKAUDIT 29
+#define A_SETKAUDIT 30
+#define A_SENDTRIGGER 31
+
+/*
+ * Audit policy controls.
+ */
+#define AUDIT_CNT 0x0001
+#define AUDIT_AHLT 0x0002
+#define AUDIT_ARGV 0x0004
+#define AUDIT_ARGE 0x0008
+#define AUDIT_PASSWD 0x0010
+#define AUDIT_SEQ 0x0020
+#define AUDIT_WINDATA 0x0040
+#define AUDIT_USER 0x0080
+#define AUDIT_GROUP 0x0100
+#define AUDIT_TRAIL 0x0200
+#define AUDIT_PATH 0x0400
+
+/*
+ * Audit queue control parameters
+ */
+#define AQ_HIWATER 100
+#define AQ_MAXHIGH 10000
+#define AQ_LOWATER 10
+#define AQ_BUFSZ 1024
+#define AQ_MAXBUFSZ 1048576
+
+/*
+ * Default minimum percentage free space on file system.
+ */
+#define AU_FS_MINFREE 20
+
+/*
+ * Type definitions used indicating the length of variable length addresses
+ * in tokens containing addresses, such as header fields.
+ */
+#define AU_IPv4 4
+#define AU_IPv6 16
+
+__BEGIN_DECLS
+
+typedef uid_t au_id_t;
+typedef pid_t au_asid_t;
+typedef u_int16_t au_event_t;
+typedef u_int16_t au_emod_t;
+typedef u_int32_t au_class_t;
+
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+
+struct au_mask {
+ unsigned int am_success; /* Success bits. */
+ unsigned int am_failure; /* Failure bits. */
+};
+typedef struct au_mask au_mask_t;
+
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo auditinfo_t;
+
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+
+struct auditpinfo {
+ pid_t ap_pid; /* ID of target process. */
+ au_id_t ap_auid; /* Audit user ID. */
+ au_mask_t ap_mask; /* Audit masks. */
+ au_tid_t ap_termid; /* Terminal ID. */
+ au_asid_t ap_asid; /* Audit session ID. */
+};
+typedef struct auditpinfo auditpinfo_t;
+
+struct auditpinfo_addr {
+ pid_t ap_pid; /* ID of target process. */
+ au_id_t ap_auid; /* Audit user ID. */
+ au_mask_t ap_mask; /* Audit masks. */
+ au_tid_addr_t ap_termid; /* Terminal ID. */
+ au_asid_t ap_asid; /* Audit session ID. */
+};
+typedef struct auditpinfo_addr auditpinfo_addr_t;
+
+/* Token and record structures. */
+
+struct au_token {
+ u_char *t_data;
+ size_t len;
+ TAILQ_ENTRY(au_token) tokens;
+};
+typedef struct au_token token_t;
+
+struct au_record {
+ char used; /* Record currently in use? */
+ int desc; /* Descriptor for record. */
+ TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */
+ u_char *data;
+ size_t len;
+ LIST_ENTRY(au_record) au_rec_q;
+};
+typedef struct au_record au_record_t;
+
+/*
+ * Kernel audit queue control parameters.
+ */
+struct au_qctrl {
+ size_t aq_hiwater;
+ size_t aq_lowater;
+ size_t aq_bufsz;
+ clock_t aq_delay;
+ int aq_minfree; /* Minimum filesystem percent free space. */
+};
+typedef struct au_qctrl au_qctrl_t;
+
+/*
+ * Structure for the audit statistics.
+ */
+struct audit_stat {
+ unsigned int as_version;
+ unsigned int as_numevent;
+ int as_generated;
+ int as_nonattring;
+ int as_kernel;
+ int as_audit;
+ int as_auditctl;
+ int as_enqueu;
+ int as_written;
+ int as_wblocked;
+ int as_rblocked;
+ int as_dropped;
+ int as_totalsize;
+ unsigned int as_memused;
+};
+typedef struct audit_stat au_stat_t;
+
+/*
+ * Structure for the audit file statistics.
+ */
+struct audit_fstat {
+ u_quad_t af_filesz;
+ u_quad_t af_currsz;
+};
+typedef struct audit_fstat au_fstat_t;
+
+/*
+ * Audit to event class mapping.
+ */
+struct au_evclass_map {
+ au_event_t ec_number;
+ au_class_t ec_class;
+};
+typedef struct au_evclass_map au_evclass_map_t;
+
+#if !defined(_KERNEL) && !defined(KERNEL)
+int audit(const void *, int);
+int auditon(int, void *, int);
+int auditctl(const char *);
+int getauid(au_id_t *);
+int setauid(const au_id_t *);
+int getaudit(struct auditinfo *);
+int setaudit(const struct auditinfo *);
+int getaudit_addr(struct auditinfo_addr *, int);
+int setaudit_addr(const struct auditinfo_addr *, int);
+#endif /* defined(_KERNEL) || defined(KERNEL) */
+
+__END_DECLS
+
+#endif /* !_BSM_AUDIT_H */
diff --git a/contrib/openbsm/bsm/audit_internal.h b/contrib/openbsm/bsm/audit_internal.h
new file mode 100644
index 0000000..2d98aae
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_internal.h
@@ -0,0 +1,99 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_internal.h#7 $
+ */
+
+#ifndef _LIBBSM_INTERNAL_H
+#define _LIBBSM_INTERNAL_H
+
+/*
+ * audit_internal.h contains private interfaces that are shared by user space
+ * and the kernel for the purposes of assembling audit records. Applications
+ * should not include this file or use the APIs found within, or it may be
+ * broken with future releases of OpenBSM, which may delete, modify, or
+ * otherwise break these interfaces or the assumptions they rely on.
+ */
+
+/* We could determined the header and trailer sizes by
+ * defining appropriate structures. We hold off that approach
+ * till we have a consistant way of using structures for all tokens.
+ * This is not straightforward since these token structures may
+ * contain pointers of whose contents we dont know the size
+ * (e.g text tokens)
+ */
+#define BSM_HEADER_SIZE 18
+#define BSM_TRAILER_SIZE 7
+
+/*
+ * BSM token streams store fields in big endian byte order, so as to be
+ * portable; when encoding and decoding, we must convert byte orders for
+ * typed values.
+ */
+#define ADD_U_CHAR(loc, val) \
+ do { \
+ *(loc) = (val); \
+ (loc) += sizeof(u_char); \
+ } while(0)
+
+
+#define ADD_U_INT16(loc, val) \
+ do { \
+ be16enc((loc), (val)); \
+ (loc) += sizeof(u_int16_t); \
+ } while(0)
+
+#define ADD_U_INT32(loc, val) \
+ do { \
+ be32enc((loc), (val)); \
+ (loc) += sizeof(u_int32_t); \
+ } while(0)
+
+#define ADD_U_INT64(loc, val) \
+ do { \
+ be64enc((loc), (val)); \
+ (loc) += sizeof(u_int64_t); \
+ } while(0)
+
+#define ADD_MEM(loc, data, size) \
+ do { \
+ memcpy((loc), (data), (size)); \
+ (loc) += size; \
+ } while(0)
+
+#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
+
+#endif /* !_LIBBSM_INTERNAL_H_ */
diff --git a/contrib/openbsm/bsm/audit_kevents.h b/contrib/openbsm/bsm/audit_kevents.h
new file mode 100644
index 0000000..54cc308
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_kevents.h
@@ -0,0 +1,494 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_kevents.h#29 $
+ */
+
+#ifndef _BSM_AUDIT_KEVENTS_H_
+#define _BSM_AUDIT_KEVENTS_H_
+
+/*
+ * Values marked as AUE_NULL are not required to be audited as per CAPP.
+ *
+ * Some conflicts exist in the assignment of name to event number mappings
+ * between BSM implementations. In general, we prefer the OpenSolaris
+ * definition as we consider Solaris BSM to be authoritative. _DARWIN_ has
+ * been inserted for the Darwin variants. If necessary, other tags will be
+ * added in the future.
+ */
+
+#define AUE_NULL 0
+#define AUE_EXIT 1
+#define AUE_FORK 2
+#define AUE_OPEN 3
+#define AUE_CREAT 4
+#define AUE_LINK 5
+#define AUE_UNLINK 6
+#define AUE_DELETE AUE_UNLINK
+#define AUE_EXEC 7
+#define AUE_CHDIR 8
+#define AUE_MKNOD 9
+#define AUE_CHMOD 10
+#define AUE_CHOWN 11
+#define AUE_UMOUNT 12
+#define AUE_JUNK 13 /* Solaris-specific. */
+#define AUE_ACCESS 14
+#define AUE_CHECKUSERACCESS AUE_ACCESS
+#define AUE_KILL 15
+#define AUE_STAT 16
+#define AUE_LSTAT 17
+#define AUE_ACCT 18
+#define AUE_MCTL 19 /* Solaris-specific. */
+#define AUE_REBOOT 20 /* XXX: Darwin conflict. */
+#define AUE_SYMLINK 21
+#define AUE_READLINK 22
+#define AUE_EXECVE 23
+#define AUE_CHROOT 24
+#define AUE_VFORK 25
+#define AUE_SETGROUPS 26
+#define AUE_SETPGRP 27
+#define AUE_SWAPON 28
+#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */
+#define AUE_FCNTL 30
+#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */
+#define AUE_CONNECT 32
+#define AUE_ACCEPT 33
+#define AUE_BIND 34
+#define AUE_SETSOCKOPT 35
+#define AUE_VTRACE 36 /* Solaris-specific. */
+#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */
+#define AUE_FCHOWN 38
+#define AUE_FCHMOD 39
+#define AUE_SETREUID 40
+#define AUE_SETREGID 41
+#define AUE_RENAME 42
+#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */
+#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */
+#define AUE_FLOCK 45 /* XXX: Darwin conflict. */
+#define AUE_SHUTDOWN 46
+#define AUE_MKDIR 47
+#define AUE_RMDIR 48
+#define AUE_UTIMES 49
+#define AUE_ADJTIME 50
+#define AUE_SETRLIMIT 51
+#define AUE_KILLPG 52
+#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */
+#define AUE_STATFS 54
+#define AUE_FSTATFS 55
+#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */
+#define AUE_ASYNC_DAEMON 57
+#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */
+#define AUE_SETDOMAINNAME 59
+#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */
+#define AUE_EXPORTFS 61
+#define AUE_MOUNT 62
+#define AUE_SEMSYS 63
+#define AUE_MSGSYS 64
+#define AUE_SHMSYS 65
+#define AUE_BSMSYS 66 /* Solaris-specific. */
+#define AUE_RFSSYS 67 /* Solaris-specific. */
+#define AUE_FCHDIR 68
+#define AUE_FCHROOT 69
+#define AUE_VPIXSYS 70 /* Solaris-specific. */
+#define AUE_PATHCONF 71
+#define AUE_OPEN_R 72
+#define AUE_OPEN_RC 73
+#define AUE_OPEN_RT 74
+#define AUE_OPEN_RTC 75
+#define AUE_OPEN_W 76
+#define AUE_OPEN_WC 77
+#define AUE_OPEN_WT 78
+#define AUE_OPEN_WTC 79
+#define AUE_OPEN_RW 80
+#define AUE_OPEN_RWC 81
+#define AUE_OPEN_RWT 82
+#define AUE_OPEN_RWTC 83
+#define AUE_MSGCTL 84
+#define AUE_MSGCTL_RMID 85
+#define AUE_MSGCTL_SET 86
+#define AUE_MSGCTL_STAT 87
+#define AUE_MSGGET 88
+#define AUE_MSGRCV 89
+#define AUE_MSGSND 90
+#define AUE_SHMCTL 91
+#define AUE_SHMCTL_RMID 92
+#define AUE_SHMCTL_SET 93
+#define AUE_SHMCTL_STAT 94
+#define AUE_SHMGET 95
+#define AUE_SHMAT 96
+#define AUE_SHMDT 97
+#define AUE_SEMCTL 98
+#define AUE_SEMCTL_RMID 99
+#define AUE_SEMCTL_SET 100
+#define AUE_SEMCTL_STAT 101
+#define AUE_SEMCTL_GETNCNT 102
+#define AUE_SEMCTL_GETPID 103
+#define AUE_SEMCTL_GETVAL 104
+#define AUE_SEMCTL_GETALL 105
+#define AUE_SEMCTL_GETZCNT 106
+#define AUE_SEMCTL_SETVAL 107
+#define AUE_SEMCTL_SETALL 108
+#define AUE_SEMGET 109
+#define AUE_SEMOP 110
+#define AUE_CORE 111 /* Solaris-specific, currently. */
+#define AUE_CLOSE 112
+#define AUE_SYSTEMBOOT 113
+#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */
+#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */
+#define AUE_WRITEL 128 /* Solaris-specific. */
+#define AUE_WRITEVL 129 /* Solaris-specific. */
+#define AUE_GETAUID 130
+#define AUE_SETAUID 131
+#define AUE_GETAUDIT 132
+#define AUE_SETAUDIT 133
+#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */
+#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */
+#define AUE_AUDITSVC 136 /* Solaris-specific. */
+#define AUE_AUDITUSER 137 /* Solaris-specific. */
+#define AUE_AUDITON 138
+#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */
+#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */
+#define AUE_AUDITON_GPOLICY 141
+#define AUE_AUDITON_SPOLICY 142
+#define AUE_AUDITON_GQCTRL 145
+#define AUE_AUDITON_SQCTRL 146
+#define AUE_GETKERNSTATE 147 /* Solaris-specific. */
+#define AUE_SETKERNSTATE 148 /* Solaris-specific. */
+#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */
+#define AUE_AUDISTAT 150 /* Solaris-specific. */
+#define AUE_ENTERPROM 153 /* Solaris-specific. */
+#define AUE_EXITPROM 154 /* Solaris-specific. */
+#define AUE_IOCTL 158
+#define AUE_SOCKET 183
+#define AUE_SENDTO 184
+#define AUE_PIPE 185
+#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */
+#define AUE_SEND 187
+#define AUE_SENDMSG 188
+#define AUE_RECV 189
+#define AUE_RECVMSG 190
+#define AUE_RECVFROM 191
+#define AUE_READ 192
+#define AUE_LSEEK 194
+#define AUE_WRITE 195
+#define AUE_WRITEV 196
+#define AUE_NFS 197 /* Solaris-specific. */
+#define AUE_READV 198
+ /* XXXRW: XXX Solaris old stat()? */
+#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */
+#define AUE_STIME 201 /* XXXRW: Solaris old stime? */
+#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */
+#define AUE_NICE 203 /* XXXRW: Solaris old nice? */
+ /* XXXRW: Solaris old setpgrp? */
+#define AUE_SETGID 205 /* XXXRW: Solaris old setgid? */
+ /* XXXRW: Solaris readl? */
+ /* XXXRW: Solaris readvl()? */
+#define AUE_DUP2 209
+#define AUE_MMAP 210
+#define AUE_AUDIT 211
+#define AUE_PRIOCNTLSYS 212
+#define AUE_MUNMAP 213
+#define AUE_SETEGID 214
+#define AUE_SETEUID 215
+#define AUE_PUTMSG 216
+#define AUE_GETMSG 217 /* Solaris-specific. */
+#define AUE_PUTPMSG 218 /* Solaris-specific. */
+#define AUE_GETPMSG 219 /* Solaris-specific. */
+#define AUE_AUDITSYS 220 /* Solaris-specific. */
+#define AUE_AUDITON_GETKMASK 221
+#define AUE_AUDITON_SETKMASK 222
+#define AUE_AUDITON_GETCWD 223
+#define AUE_AUDITON_GETCAR 224
+#define AUE_AUDITON_GETSTAT 225
+#define AUE_AUDITON_SETSTAT 226
+#define AUE_AUDITON_SETUMASK 227
+#define AUE_AUDITON_SETSMASK 228
+#define AUE_AUDITON_GETCOND 229
+#define AUE_AUDITON_SETCOND 230
+#define AUE_AUDITON_GETCLASS 231
+#define AUE_AUDITON_SETCLASS 232
+#define AUE_UTSSYS 233 /* Solaris-specific. */
+#define AUE_STATVFS 234
+#define AUE_XSTAT 235
+#define AUE_LXSTAT 236
+#define AUE_LCHOWN 237
+#define AUE_MEMCNTL 238 /* Solaris-specific. */
+#define AUE_SYSINFO 239 /* Solaris-specific. */
+#define AUE_XMKNOD 240 /* Solaris-specific. */
+#define AUE_FORK1 241
+ /* XXXRW: Solaris modctl()? */
+#define AUE_MODLOAD 243
+#define AUE_MODUNLOAD 244
+#define AUE_MODCONFIG 245 /* Solaris-specific. */
+#define AUE_MODADDMAJ 246 /* Solaris-specific. */
+#define AUE_SOCKACCEPT 247
+#define AUE_SOCKCONNECT 248
+#define AUE_SOCKSEND 249
+#define AUE_SOCKRECEIVE 250
+#define AUE_ACLSET 251
+#define AUE_FACLSET 252
+#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */
+#define AUE_P_ONLINE 262 /* Solaris-specific. */
+#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */
+#define AUE_INST_SYNC 264 /* Solaris-specific. */
+#define AUE_SOCK_CONFIG 265 /* Solaris-specific. */
+#define AUE_SETAUDIT_ADDR 266
+#define AUE_GETAUDIT_ADDR 267
+#define AUE_CLOCK_SETTIME 287
+#define AUE_NTP_ADJTIME 288
+
+/*
+ * Events not present in OpenSolaris BSM, generally derived from Apple Darwin
+ * BSM or added in OpenBSM. This start a little too close to the top end of
+ * the OpenSolaris event list for my comfort.
+ */
+#define AUE_GETFSSTAT 301
+#define AUE_PTRACE 302
+#define AUE_CHFLAGS 303
+#define AUE_FCHFLAGS 304
+#define AUE_PROFILE 305
+#define AUE_KTRACE 306
+#define AUE_SETLOGIN 307
+#define AUE_DARWIN_REBOOT 308 /* XXX: See AUE_REBOOT. */
+#define AUE_REVOKE 309
+#define AUE_UMASK 310
+#define AUE_MPROTECT 311
+#define AUE_DARWIN_SETPRIORITY 312 /* XXX: See AUE_SETPRIORITY. */
+#define AUE_DARWIN_SETTIMEOFDAY 313 /* XXX: See AUE_SETTIMEOFDAY. */
+#define AUE_DARWIN_FLOCK 314 /* XXX: See AUE_FLOCK. */
+#define AUE_MKFIFO 315
+#define AUE_POLL 316
+#define AUE_DARWIN_SOCKETPAIR 317 /* XXXRW: See AUE_SOCKETPAIR. */
+#define AUE_FUTIMES 318
+#define AUE_SETSID 319
+#define AUE_SETPRIVEXEC 320 /* Darwin-specific. */
+#define AUE_DARWIN_NFSSVC 321 /* XXX: See AUE_NFS_SVC. */
+#define AUE_DARWIN_GETFH 322 /* XXX: See AUE_NFS_GETFH. */
+#define AUE_DARWIN_QUOTACTL 323 /* XXX: See AUE_QUOTACTL. */
+#define AUE_ADDPROFILE 324 /* Darwin-specific. */
+#define AUE_KDEBUGTRACE 325 /* Darwin-specific. */
+#define AUE_KDBUGTRACE AUE_KDEBUGTRACE
+#define AUE_FSTAT 326
+#define AUE_FPATHCONF 327
+#define AUE_GETDIRENTRIES 328
+#define AUE_DARWIN_TRUNCATE 329 /* XXX: See AUE_TRUNCATE. */
+#define AUE_DARWIN_FTRUNCATE 330 /* XXX: See AUE_FTRUNCATE. */
+#define AUE_SYSCTL 331
+#define AUE_MLOCK 332
+#define AUE_MUNLOCK 333
+#define AUE_UNDELETE 334
+#define AUE_GETATTRLIST 335 /* Darwin-specific. */
+#define AUE_SETATTRLIST 336 /* Darwin-specific. */
+#define AUE_GETDIRENTRIESATTR 337 /* Darwin-specific. */
+#define AUE_EXCHANGEDATA 338 /* Darwin-specific. */
+#define AUE_SEARCHFS 339 /* Darwin-specific. */
+#define AUE_MINHERIT 340
+#define AUE_SEMCONFIG 341
+#define AUE_SEMOPEN 342
+#define AUE_SEMCLOSE 343
+#define AUE_SEMUNLINK 344
+#define AUE_SHMOPEN 345
+#define AUE_SHMUNLINK 346
+#define AUE_LOADSHFILE 347 /* Darwin-specific. */
+#define AUE_RESETSHFILE 348 /* Darwin-specific. */
+#define AUE_NEWSYSTEMSHREG 349 /* Darwin-specific. */
+#define AUE_PTHREADKILL 350 /* Darwin-specific. */
+#define AUE_PTHREADSIGMASK 351 /* Darwin-specific. */
+#define AUE_AUDITCTL 352
+#define AUE_RFORK 353
+#define AUE_LCHMOD 354
+#define AUE_SWAPOFF 355
+#define AUE_INITPROCESS 356 /* Darwin-specific. */
+#define AUE_MAPFD 357 /* Darwin-specific. */
+#define AUE_TASKFORPID 358 /* Darwin-specific. */
+#define AUE_PIDFORTASK 359 /* Darwin-specific. */
+#define AUE_SYSCTL_NONADMIN 360
+#define AUE_COPYFILE 361 /* Darwin-specific. */
+#define AUE_LUTIMES 362
+#define AUE_LCHFLAGS 363 /* FreeBSD-specific. */
+#define AUE_SENDFILE 364 /* BSD/Linux-specific. */
+#define AUE_USELIB 365 /* Linux-specific. */
+#define AUE_GETRESUID 366
+#define AUE_SETRESUID 367
+#define AUE_GETRESGID 368
+#define AUE_SETRESGID 369
+#define AUE_WAIT4 370 /* FreeBSD-specific. */
+#define AUE_LGETFH 371 /* FreeBSD-specific. */
+#define AUE_FHSTATFS 372 /* FreeBSD-specific. */
+#define AUE_FHOPEN 373 /* FreeBSD-specific. */
+#define AUE_FHSTAT 374 /* FreeBSD-specific. */
+#define AUE_JAIL 375 /* FreeBSD-specific. */
+#define AUE_EACCESS 376 /* FreeBSD-specific. */
+#define AUE_KQUEUE 377 /* FreeBSD-specific. */
+#define AUE_KEVENT 378 /* FreeBSD-specific. */
+#define AUE_FSYNC 379
+#define AUE_NMOUNT 380 /* FreeBSD-specific. */
+
+/*
+ * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
+ * normal Solaris BSM identifiers. _O_ refers to it being an old, or compat
+ * interface. In most cases, Darwin has never implemented these system calls
+ * but picked up the fields in their system call table from their FreeBSD
+ * import. Happily, these have different names than the AUE_O* definitions
+ * in Solaris BSM.
+ */
+#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */
+#define AUE_O_EXECVE AUE_NULL /* Darwin */
+#define AUE_O_SBREAK AUE_NULL /* Darwin */
+#define AUE_O_LSEEK AUE_NULL /* Darwin */
+#define AUE_O_MOUNT AUE_NULL /* Darwin */
+#define AUE_O_UMOUNT AUE_NULL /* Darwin */
+#define AUE_O_STAT AUE_STAT /* Darwin */
+#define AUE_O_LSTAT AUE_LSTAT /* Darwin */
+#define AUE_O_FSTAT AUE_FSTAT /* Darwin */
+#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */
+#define AUE_O_VREAD AUE_NULL /* Darwin */
+#define AUE_O_VWRITE AUE_NULL /* Darwin */
+#define AUE_O_MMAP AUE_MMAP /* Darwin */
+#define AUE_O_VADVISE AUE_NULL /* Darwin */
+#define AUE_O_VHANGUP AUE_NULL /* Darwin */
+#define AUE_O_VLIMIT AUE_NULL /* Darwin */
+#define AUE_O_WAIT AUE_NULL /* Darwin */
+#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */
+#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */
+#define AUE_O_GETDOPT AUE_NULL /* Darwin */
+#define AUE_O_SETDOPT AUE_NULL /* Darwin */
+#define AUE_O_ACCEPT AUE_NULL /* Darwin */
+#define AUE_O_SEND AUE_SENDMSG /* Darwin */
+#define AUE_O_RECV AUE_RECVMSG /* Darwin */
+#define AUE_O_VTIMES AUE_NULL /* Darwin */
+#define AUE_O_SIGVEC AUE_NULL /* Darwin */
+#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */
+#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */
+#define AUE_O_SIGSTACK AUE_NULL /* Darwin */
+#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */
+#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */
+#define AUE_O_VTRACE AUE_NULL /* Darwin */
+#define AUE_O_RESUBA AUE_NULL /* Darwin */
+#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
+#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
+#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
+#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
+#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
+#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */
+#define AUE_O_GETHOSTID AUE_NULL /* Darwin */
+#define AUE_O_SETHOSTID AUE_NULL /* Darwin */
+#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */
+#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */
+#define AUE_O_KILLPG AUE_KILL /* Darwin */
+#define AUE_O_SETQUOTA AUE_NULL /* Darwin */
+#define AUE_O_QUOTA AUE_NULL /* Darwin */
+#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */
+#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */
+#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */
+#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */
+#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */
+#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */
+#define AUE_O_EXPORTFS AUE_NULL /* Darwin */
+#define AUE_O_USTATE AUE_NULL /* Darwin */
+#define AUE_O_WAIT3 AUE_NULL /* Darwin */
+#define AUE_O_RPAUSE AUE_NULL /* Darwin */
+#define AUE_O_GETDENTS AUE_NULL /* Darwin */
+
+/*
+ * Possible desired future values based on review of BSD/Darwin system calls.
+ */
+#define AUE_DUP AUE_NULL
+#define AUE_FSCTL AUE_NULL
+#define AUE_FSTATV AUE_NULL
+#define AUE_GCCONTROL AUE_NULL
+#define AUE_GETDTABLESIZE AUE_NULL
+#define AUE_GETEGID AUE_NULL
+#define AUE_GETEUID AUE_NULL
+#define AUE_GETGID AUE_NULL
+#define AUE_GETGROUPS AUE_NULL
+#define AUE_GETITIMER AUE_NULL
+#define AUE_GETLOGIN AUE_NULL
+#define AUE_GETPEERNAME AUE_NULL
+#define AUE_GETPGID AUE_NULL
+#define AUE_GETPGRP AUE_NULL
+#define AUE_GETPID AUE_NULL
+#define AUE_GETPPID AUE_NULL
+#define AUE_GETPRIORITY AUE_NULL
+#define AUE_GETRLIMIT AUE_NULL
+#define AUE_GETRUSAGE AUE_NULL
+#define AUE_GETSID AUE_NULL
+#define AUE_GETSOCKNAME AUE_NULL
+#define AUE_GETTIMEOFDAY AUE_NULL
+#define AUE_GETUID AUE_NULL
+#define AUE_GETSOCKOPT AUE_NULL
+#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */
+#define AUE_ISSETUGID AUE_NULL
+#define AUE_LISTEN AUE_NULL
+#define AUE_LSTATV AUE_NULL
+#define AUE_MADVISE AUE_NULL
+#define AUE_MINCORE AUE_NULL
+#define AUE_MKCOMPLEX AUE_NULL
+#define AUE_MLOCKALL AUE_NULL
+#define AUE_MODWATCH AUE_NULL
+#define AUE_MSGCL AUE_NULL
+#define AUE_MSYNC AUE_NULL
+#define AUE_MUNLOCKALL AUE_NULL
+#define AUE_PREAD AUE_NULL
+#define AUE_PWRITE AUE_NULL
+#define AUE_SBRK AUE_NULL
+#define AUE_SELECT AUE_NULL
+#define AUE_SEMDESTROY AUE_NULL
+#define AUE_SEMGETVALUE AUE_NULL
+#define AUE_SEMINIT AUE_NULL
+#define AUE_SEMPOST AUE_NULL
+#define AUE_SEMTRYWAIT AUE_NULL
+#define AUE_SEMWAIT AUE_NULL
+#define AUE_SETITIMER AUE_NULL
+#define AUE_SIGACTION AUE_NULL
+#define AUE_SIGALTSTACK AUE_NULL
+#define AUE_SIGPENDING AUE_NULL
+#define AUE_SIGPROCMASK AUE_NULL
+#define AUE_SIGRETURN AUE_NULL
+#define AUE_SIGSUSPEND AUE_NULL
+#define AUE_SIGWAIT AUE_NULL
+#define AUE_SSTK AUE_NULL
+#define AUE_STATV AUE_NULL
+#define AUE_SYNC AUE_NULL
+#define AUE_SYSCALL AUE_NULL
+#define AUE_TABLE AUE_NULL
+#define AUE_WAITEVENT AUE_NULL
+#define AUE_WATCHEVENT AUE_NULL
+
+#endif /* !_BSM_AUDIT_KEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/audit_record.h b/contrib/openbsm/bsm/audit_record.h
new file mode 100644
index 0000000..af9ba4d
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_record.h
@@ -0,0 +1,325 @@
+/*
+ * Copyright (c) 2005 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_START@
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * @APPLE_BSD_LICENSE_HEADER_END@
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_record.h#14 $
+ */
+
+#ifndef _BSM_AUDIT_RECORD_H_
+#define _BSM_AUDIT_RECORD_H_
+
+/* Various token id types */
+
+/*
+ * Values inside the comments are not documented in the BSM pages and
+ * have been picked up from the header files
+ */
+
+/*
+ * Values marked as XXX do not have a value defined in the BSM header files
+ */
+
+#define AUT_INVALID 0x00
+#define AUT_OTHER_FILE32 0x11
+#define AUT_OHEADER 0x12
+#define AUT_TRAILER 0x13
+#define AUT_HEADER32 0x14
+#define AUT_HEADER32_EX 0x15
+#define AUT_DATA 0x21
+#define AUT_IPC 0x22
+#define AUT_PATH 0x23
+#define AUT_SUBJECT32 0x24
+#define AUT_SERVER32 0x25
+#define AUT_PROCESS32 0x26
+#define AUT_RETURN32 0x27
+#define AUT_TEXT 0x28
+#define AUT_OPAQUE 0x29
+#define AUT_IN_ADDR 0x2a
+#define AUT_IP 0x2b
+#define AUT_IPORT 0x2c
+#define AUT_ARG32 0x2d
+#define AUT_SOCKET 0x2e
+#define AUT_SEQ 0x2f
+#define AUT_ACL 0x30
+#define AUT_ATTR 0x31
+#define AUT_IPC_PERM 0x32
+#define AUT_LABEL 0x33
+#define AUT_GROUPS 0x34
+#define AUT_ILABEL 0x35
+#define AUT_SLABEL 0x36
+#define AUT_CLEAR 0x37
+#define AUT_PRIV 0x38
+#define AUT_UPRIV 0x39
+#define AUT_LIAISON 0x3a
+#define AUT_NEWGROUPS 0x3b
+#define AUT_EXEC_ARGS 0x3c
+#define AUT_EXEC_ENV 0x3d
+#define AUT_ATTR32 0x3e
+/* #define AUT_???? 0x3f */
+#define AUT_XATOM 0x40
+#define AUT_XOBJ 0x41
+#define AUT_XPROTO 0x42
+#define AUT_XSELECT 0x43
+/* XXXRW: Additional X11 tokens not defined? */
+#define AUT_CMD 0x51
+#define AUT_EXIT 0x52
+/* XXXRW: OpenBSM AUT_HOST 0x70? */
+#define AUT_ARG64 0x71
+#define AUT_RETURN64 0x72
+#define AUT_ATTR64 0x73
+#define AUT_HEADER64 0x74
+#define AUT_SUBJECT64 0x75
+#define AUT_SERVER64 0x76
+#define AUT_PROCESS64 0x77
+#define AUT_OTHER_FILE64 0x78
+#define AUT_HEADER64_EX 0x79
+#define AUT_SUBJECT32_EX 0x7a
+#define AUT_PROCESS32_EX 0x7b
+#define AUT_SUBJECT64_EX 0x7c
+#define AUT_PROCESS64_EX 0x7d
+#define AUT_IN_ADDR_EX 0x7e
+#define AUT_SOCKET_EX 0x7f
+
+/*
+ * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'. We have
+ * compatibility defines.
+ */
+#define AUT_HEADER AUT_HEADER32
+#define AUT_ARG AUT_ARG32
+#define AUT_RETURN AUT_RETURN32
+#define AUT_SUBJECT AUT_SUBJECT32
+#define AUT_SERVER AUT_SERVER32
+#define AUT_PROCESS AUT_PROCESS32
+#define AUT_OTHER_FILE AUT_OTHER_FILE32
+
+/*
+ * Darwin's bsm distribution uses the following non-BSM token name defines.
+ * We provide them for a single OpenBSM release for compatibility reasons.
+ */
+#define AU_FILE_TOKEN AUT_OTHER_FILE32
+#define AU_TRAILER_TOKEN AUT_TRAILER
+#define AU_HEADER_32_TOKEN AUT_HEADER32
+#define AU_DATA_TOKEN AUT_DATA
+#define AU_ARB_TOKEN AUT_DATA
+#define AU_IPC_TOKEN AUT_IPC
+#define AU_PATH_TOKEN AUT_PATH
+#define AU_SUBJECT_32_TOKEN AUT_SUBJECT32
+#define AU_PROCESS_32_TOKEN AUT_PROCESS32
+#define AU_RETURN_32_TOKEN AUT_RETURN32
+#define AU_TEXT_TOKEN AUT_TEXT
+#define AU_OPAQUE_TOKEN AUT_OPAQUE
+#define AU_IN_ADDR_TOKEN AUT_IN_ADDR
+#define AU_IP_TOKEN AUT_IP
+#define AU_IPORT_TOKEN AUT_IPORT
+#define AU_ARG32_TOKEN AUT_ARG32
+#define AU_SOCK_TOKEN AUT_SOCKET
+#define AU_SEQ_TOKEN AUT_SEQ
+#define AU_ATTR_TOKEN AUT_ATTR
+#define AU_IPCPERM_TOKEN AUT_IPC_PERM
+#define AU_NEWGROUPS_TOKEN AUT_NEWGROUPS
+#define AU_EXEC_ARG_TOKEN AUT_EXEC_ARGS
+#define AU_EXEC_ENV_TOKEN AUT_EXEC_ENV
+#define AU_ATTR32_TOKEN AUT_ATTR32
+#define AU_CMD_TOKEN AUT_CMD
+#define AU_EXIT_TOKEN AUT_EXIT
+#define AU_ARG64_TOKEN AUT_ARG64
+#define AU_RETURN_64_TOKEN AUT_RETURN64
+#define AU_ATTR64_TOKEN AUT_ATTR64
+#define AU_HEADER_64_TOKEN AUT_HEADER64
+#define AU_SUBJECT_64_TOKEN AUT_SUBJECT64
+#define AU_PROCESS_64_TOKEN AUT_PROCESS64
+#define AU_HEADER_64_EX_TOKEN AUT_HEADER64_EX
+#define AU_SUBJECT_32_EX_TOKEN AUT_SUBJECT32_EX
+#define AU_PROCESS_32_EX_TOKEN AUT_PROCESS32_EX
+#define AU_SUBJECT_64_EX_TOKEN AUT_SUBJECT64_EX
+#define AU_PROCESS_64_EX_TOKEN AUT_PROCESS64_EX
+#define AU_IN_ADDR_EX_TOKEN AUT_IN_ADDR_EX
+#define AU_SOCK_32_EX_TOKEN AUT_SOCKET_EX
+
+/*
+ * The values for the following token ids are not defined by BSM.
+ *
+ * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
+ * names more consistent with Sun's BSM. These originally came from Apple's
+ * BSM.
+ */
+#define AUT_SOCKINET32 0x80 /* XXX */
+#define AUT_SOCKINET128 0x81 /* XXX */
+#define AUT_SOCKUNIX 0x82 /* XXX */
+#define AU_SOCK_INET_32_TOKEN AUT_SOCKINET32
+#define AU_SOCK_INET_128_TOKEN AUT_SOCKINET128
+#define AU_SOCK_UNIX_TOKEN AUT_SOCKUNIX
+
+/* print values for the arbitrary token */
+#define AUP_BINARY 0
+#define AUP_OCTAL 1
+#define AUP_DECIMAL 2
+#define AUP_HEX 3
+#define AUP_STRING 4
+
+/* data-types for the arbitrary token */
+#define AUR_BYTE 0
+#define AUR_SHORT 1
+#define AUR_LONG 2
+
+/* ... and their sizes */
+#define AUR_BYTE_SIZE sizeof(u_char)
+#define AUR_SHORT_SIZE sizeof(uint16_t)
+#define AUR_LONG_SIZE sizeof(uint32_t)
+
+/* Modifiers for the header token */
+#define PAD_NOTATTR 0x4000 /* nonattributable event */
+#define PAD_FAILURE 0x8000 /* fail audit event */
+
+
+#define BSM_MAX_GROUPS 16
+#define HEADER_VERSION 1
+
+/*
+ * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
+ * split the difference, will remove the Apple define for the next release.
+ */
+#define AUT_TRAILER_MAGIC 0xb105
+#define TRAILER_PAD_MAGIC AUT_TRAILER_MAGIC
+
+/* BSM library calls */
+
+__BEGIN_DECLS
+
+struct in_addr;
+struct in6_addr;
+struct ip;
+struct ipc_perm;
+struct kevent;
+struct sockaddr_in;
+struct sockaddr_in6;
+struct sockaddr_un;
+#if defined(_KERNEL) || defined(KERNEL)
+struct vnode_au_info;
+#endif
+
+int au_open(void);
+int au_write(int d, token_t *m);
+int au_close(int d, int keep, short event);
+int au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t *au_to_file(char *file, struct timeval tm);
+#else
+token_t *au_to_file(char *file);
+#endif
+
+#if defined(KERNEL) || defined(_KERNEL)
+token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
+token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
+#else
+token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+#endif
+
+token_t *au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_me(void);
+token_t *au_to_arg(char n, char *text, uint32_t v);
+token_t *au_to_arg32(char n, char *text, uint32_t v);
+token_t *au_to_arg64(char n, char *text, uint64_t v);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_attr(struct vnode_au_info *vni);
+token_t *au_to_attr32(struct vnode_au_info *vni);
+token_t *au_to_attr64(struct vnode_au_info *vni);
+#endif
+
+token_t *au_to_data(char unit_print, char unit_type, char unit_count,
+ char *p);
+token_t *au_to_exit(int retval, int err);
+token_t *au_to_groups(int *groups);
+token_t *au_to_newgroups(uint16_t n, gid_t *groups);
+token_t *au_to_in_addr(struct in_addr *internet_addr);
+token_t *au_to_in_addr_ex(struct in6_addr *internet_addr);
+token_t *au_to_ip(struct ip *ip);
+token_t *au_to_ipc(char type, int id);
+token_t *au_to_ipc_perm(struct ipc_perm *perm);
+token_t *au_to_iport(uint16_t iport);
+token_t *au_to_opaque(char *data, uint16_t bytes);
+token_t *au_to_path(char *path);
+token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
+ uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+ au_tid_addr_t *tid);
+token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_return(char status, uint32_t ret);
+token_t *au_to_return32(char status, uint32_t ret);
+token_t *au_to_return64(char status, uint64_t ret);
+token_t *au_to_seq(long audit_count);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_socket(struct socket *so);
+token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
+ struct sockaddr *ta);
+token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
+ struct sockaddr *ta);
+#endif
+
+token_t *au_to_sock_inet(struct sockaddr_in *so);
+token_t *au_to_sock_inet32(struct sockaddr_in *so);
+token_t *au_to_sock_inet128(struct sockaddr_in6 *so);
+token_t *au_to_sock_unix(struct sockaddr_un *so);
+token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_exec_args(const char **);
+token_t *au_to_exec_env(const char **);
+token_t *au_to_text(char *text);
+token_t *au_to_kevent(struct kevent *kev);
+token_t *au_to_trailer(int rec_size);
+
+__END_DECLS
+
+#endif /* ! _BSM_AUDIT_RECORD_H_ */
diff --git a/contrib/openbsm/bsm/audit_uevents.h b/contrib/openbsm/bsm/audit_uevents.h
new file mode 100644
index 0000000..0493e31
--- /dev/null
+++ b/contrib/openbsm/bsm/audit_uevents.h
@@ -0,0 +1,102 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/audit_uevents.h#7 $
+ */
+
+#ifndef _BSM_AUDIT_UEVENTS_H_
+#define _BSM_AUDIT_UEVENTS_H_
+
+/*-
+ * User level audit event numbers
+ *
+ * Range of audit event numbers:
+ * 0 Reserved, invalid
+ * 1 - 2047 Reserved for kernel events
+ * 2048 - 32767 Defined by BSM for user events
+ * 32768 - 36864 Reserved for Mac OS-X applications
+ * 36865 - 65535 Reserved for applications
+ *
+ */
+#define AUE_at_create 6144
+#define AUE_at_delete 6145
+#define AUE_at_perm 6146
+#define AUE_cron_invoke 6147
+#define AUE_crontab_create 6148
+#define AUE_crontab_delete 6149
+#define AUE_crontab_perm 6150
+#define AUE_inetd_connect 6151
+#define AUE_login 6152
+#define AUE_logout 6153
+#define AUE_telnet 6154
+#define AUE_rlogin 6155
+#define AUE_mountd_mount 6156
+#define AUE_mountd_umount 6157
+#define AUE_rshd 6158
+#define AUE_su 6159
+#define AUE_halt 6160
+#define AUE_reboot 6161
+#define AUE_rexecd 6162
+#define AUE_passwd 6163
+#define AUE_rexd 6164
+#define AUE_ftpd 6165
+#define AUE_init 6166
+#define AUE_uadmin 6167
+#define AUE_shutdown 6168
+#define AUE_poweroff 6169
+#define AUE_crontab_mod 6170
+#define AUE_audit_startup 6171
+#define AUE_audit_shutdown 6172
+#define AUE_allocate_succ 6200
+#define AUE_allocate_fail 6201
+#define AUE_deallocate_succ 6202
+#define AUE_deallocate_fail 6203
+#define AUE_listdevice_succ 6205
+#define AUE_listdevice_fail 6206
+#define AUE_create_user 6207
+#define AUE_modify_user 6208
+#define AUE_delete_user 6209
+#define AUE_disable_user 6210
+#define AUE_enable_user 6211
+#define AUE_sudo 6300
+#define AUE_modify_password 6501 /* Not assigned by Sun. */
+#define AUE_create_group 6511 /* Not assigned by Sun. */
+#define AUE_delete_group 6512 /* Not assigned by Sun. */
+#define AUE_modify_group 6513 /* Not assigned by Sun. */
+#define AUE_add_to_group 6514 /* Not assigned by Sun. */
+#define AUE_remove_from_group 6515 /* Not assigned by Sun. */
+#define AUE_revoke_obj 6521 /* Not assigned by Sun; not used. */
+#define AUE_lw_login 6600 /* Not assigned by Sun; tentative. */
+#define AUE_lw_logout 6601 /* Not assigned by Sun; tentative. */
+#define AUE_auth_user 7000 /* Not assigned by Sun. */
+#define AUE_ssconn 7001 /* Not assigned by Sun. */
+#define AUE_ssauthorize 7002 /* Not assigned by Sun. */
+#define AUE_ssauthint 7003 /* Not assigned by Sun. */
+#define AUE_openssh 32800
+
+#endif /* !_BSM_AUDIT_UEVENTS_H_ */
diff --git a/contrib/openbsm/bsm/libbsm.h b/contrib/openbsm/bsm/libbsm.h
new file mode 100644
index 0000000..baf9f14
--- /dev/null
+++ b/contrib/openbsm/bsm/libbsm.h
@@ -0,0 +1,1175 @@
+/*
+ * Copyright (c) 2004 Apple Computer, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
+ * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#14 $
+ */
+
+#ifndef _LIBBSM_H_
+#define _LIBBSM_H_
+
+/*
+ * NB: definitions, etc., marked with "OpenSSH compatibility" were introduced
+ * solely to allow OpenSSH to compile; Darwin/Apple code should not use them.
+ */
+
+#define MAX_ARGS 10
+#define MAX_ENV 10
+
+#include <sys/types.h>
+#include <sys/cdefs.h>
+#include <sys/queue.h>
+
+#include <bsm/audit.h>
+#include <bsm/audit_record.h>
+
+#include <stdio.h>
+#include <stdint.h>
+
+#ifdef __APPLE__
+#include <mach/mach.h> /* audit_token_t */
+#endif
+
+#define AU_PRS_SUCCESS 1
+#define AU_PRS_FAILURE 2
+#define AU_PRS_BOTH (AU_PRS_SUCCESS|AU_PRS_FAILURE)
+
+#define AU_PRS_USECACHE 0
+#define AU_PRS_REREAD 1
+
+#define AUDIT_EVENT_FILE "/etc/security/audit_event"
+#define AUDIT_CLASS_FILE "/etc/security/audit_class"
+#define AUDIT_CONTROL_FILE "/etc/security/audit_control"
+#define AUDIT_USER_FILE "/etc/security/audit_user"
+
+#define DIR_CONTROL_ENTRY "dir"
+#define MINFREE_CONTROL_ENTRY "minfree"
+#define FLAGS_CONTROL_ENTRY "flags"
+#define NA_CONTROL_ENTRY "naflags"
+
+#define AU_CLASS_NAME_MAX 8
+#define AU_CLASS_DESC_MAX 72
+#define AU_EVENT_NAME_MAX 30
+#define AU_EVENT_DESC_MAX 50
+#define AU_USER_NAME_MAX 50
+#define AU_LINE_MAX 256
+#define MAX_AUDITSTRING_LEN 256
+#define BSM_TEXTBUFSZ MAX_AUDITSTRING_LEN /* OpenSSH compatibility */
+
+/*
+ * These are referenced in Solaris 9 au_open(3BSM); values are guesses.
+ * Provided for OpenSSH compatibility.
+ */
+#define AU_TO_NO_WRITE 0
+#define AU_TO_WRITE 1
+
+__BEGIN_DECLS
+struct au_event_ent {
+ au_event_t ae_number;
+ char *ae_name;
+ char *ae_desc;
+ au_class_t ae_class;
+};
+typedef struct au_event_ent au_event_ent_t;
+
+struct au_class_ent {
+ char *ac_name;
+ au_class_t ac_class;
+ char *ac_desc;
+};
+typedef struct au_class_ent au_class_ent_t;
+
+struct au_user_ent {
+ char *au_name;
+ au_mask_t au_always;
+ au_mask_t au_never;
+};
+typedef struct au_user_ent au_user_ent_t;
+__END_DECLS
+
+#define ADD_TO_MASK(m, c, sel) do { \
+ if (sel & AU_PRS_SUCCESS) \
+ (m)->am_success |= c; \
+ if (sel & AU_PRS_FAILURE) \
+ (m)->am_failure |= c; \
+} while (0)
+
+#define SUB_FROM_MASK(m, c, sel) do { \
+ if (sel & AU_PRS_SUCCESS) \
+ (m)->am_success &= ((m)->am_success ^ c); \
+ if (sel & AU_PRS_FAILURE) \
+ (m)->am_failure &= ((m)->am_failure ^ c); \
+} while (0)
+
+#define ADDMASK(m, v) do { \
+ (m)->am_success |= (v)->am_success; \
+ (m)->am_failure |= (v)->am_failure; \
+} while(0)
+
+#define SUBMASK(m, v) do { \
+ (m)->am_success &= ((m)->am_success ^ (v)->am_success); \
+ (m)->am_failure &= ((m)->am_failure ^ (v)->am_failure); \
+} while(0)
+
+__BEGIN_DECLS
+
+/*
+ * Internal representation of audit user in libnsl.
+ */
+typedef struct au_user_str_s {
+ char *au_name;
+ char *au_always;
+ char *au_never;
+} au_user_str_t;
+
+typedef struct au_tid32 {
+ u_int32_t port;
+ u_int32_t addr;
+} au_tid32_t;
+
+typedef struct au_tid64 {
+ u_int64_t port;
+ u_int32_t addr;
+} au_tid64_t;
+
+typedef struct au_tidaddr32 {
+ u_int32_t port;
+ u_int32_t type;
+ u_int32_t addr[4];
+} au_tidaddr32_t;
+
+/*
+ * argument # 1 byte
+ * argument value 4 bytes/8 bytes (32-bit/64-bit value)
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_char no;
+ u_int32_t val;
+ u_int16_t len;
+ char *text;
+} au_arg32_t;
+
+typedef struct {
+ u_char no;
+ u_int64_t val;
+ u_int16_t len;
+ char *text;
+} au_arg64_t;
+
+/*
+ * how to print 1 byte
+ * basic unit 1 byte
+ * unit count 1 byte
+ * data items (depends on basic unit)
+ */
+typedef struct {
+ u_char howtopr;
+ u_char bu;
+ u_char uc;
+ u_char *data;
+} au_arb_t;
+
+/*
+ * file access mode 4 bytes
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * file system ID 4 bytes
+ * node ID 8 bytes
+ * device 4 bytes/8 bytes (32-bit/64-bit)
+ */
+typedef struct {
+ u_int32_t mode;
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int32_t fsid;
+ u_int64_t nid;
+ u_int32_t dev;
+} au_attr32_t;
+
+typedef struct {
+ u_int32_t mode;
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int32_t fsid;
+ u_int64_t nid;
+ u_int64_t dev;
+} au_attr64_t;
+
+/*
+ * count 4 bytes
+ * text count null-terminated string(s)
+ */
+typedef struct {
+ u_int32_t count;
+ char *text[MAX_ARGS];
+} au_execarg_t;
+
+/*
+ * count 4 bytes
+ * text count null-terminated string(s)
+ */
+typedef struct {
+ u_int32_t count;
+ char *text[MAX_ENV];
+} au_execenv_t;
+
+/*
+ * status 4 bytes
+ * return value 4 bytes
+ */
+typedef struct {
+ u_int32_t status;
+ u_int32_t ret;
+} au_exit_t;
+
+/*
+ * seconds of time 4 bytes
+ * milliseconds of time 4 bytes
+ * file name length 2 bytes
+ * file pathname N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_int32_t s;
+ u_int32_t ms;
+ u_int16_t len;
+ char *name;
+} au_file_t;
+
+
+/*
+ * number groups 2 bytes
+ * group list N * 4 bytes
+ */
+typedef struct {
+ u_int16_t no;
+ u_int32_t list[BSM_MAX_GROUPS];
+} au_groups_t;
+
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int32_t s;
+ u_int32_t ms;
+} au_header32_t;
+
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * address type/length 1 byte (XXX: actually, 4 bytes)
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time 4 bytes/8 bytes (32/64-bits)
+ * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+ */
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int32_t ad_type;
+ u_int32_t addr[4];
+ u_int32_t s;
+ u_int32_t ms;
+} au_header32_ex_t;
+
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int64_t s;
+ u_int64_t ms;
+} au_header64_t;
+
+typedef struct {
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_int32_t ad_type;
+ u_int32_t addr[4];
+ u_int64_t s;
+ u_int64_t ms;
+} au_header64_ex_t;
+
+/*
+ * internet address 4 bytes
+ */
+typedef struct {
+ u_int32_t addr;
+} au_inaddr_t;
+
+/*
+ * type 4 bytes
+ * internet address 16 bytes
+ */
+typedef struct {
+ u_int32_t type;
+ u_int32_t addr[4];
+} au_inaddr_ex_t;
+
+/*
+ * version and ihl 1 byte
+ * type of service 1 byte
+ * length 2 bytes
+ * id 2 bytes
+ * offset 2 bytes
+ * ttl 1 byte
+ * protocol 1 byte
+ * checksum 2 bytes
+ * source address 4 bytes
+ * destination address 4 bytes
+ */
+typedef struct {
+ u_char version;
+ u_char tos;
+ u_int16_t len;
+ u_int16_t id;
+ u_int16_t offset;
+ u_char ttl;
+ u_char prot;
+ u_int16_t chksm;
+ u_int32_t src;
+ u_int32_t dest;
+} au_ip_t;
+
+/*
+ * object ID type 1 byte
+ * object ID 4 bytes
+ */
+typedef struct {
+ u_char type;
+ u_int32_t id;
+} au_ipc_t;
+
+/*
+ * owner user ID 4 bytes
+ * owner group ID 4 bytes
+ * creator user ID 4 bytes
+ * creator group ID 4 bytes
+ * access mode 4 bytes
+ * slot sequence # 4 bytes
+ * key 4 bytes
+ */
+typedef struct {
+ u_int32_t uid;
+ u_int32_t gid;
+ u_int32_t puid;
+ u_int32_t pgid;
+ u_int32_t mode;
+ u_int32_t seq;
+ u_int32_t key;
+} au_ipcperm_t;
+
+/*
+ * port IP address 2 bytes
+ */
+typedef struct {
+ u_int16_t port;
+} au_iport_t;
+
+/*
+ * length 2 bytes
+ * data length bytes
+ */
+typedef struct {
+ u_int16_t size;
+ char *data;
+} au_opaque_t;
+
+/*
+ * path length 2 bytes
+ * path N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_int16_t len;
+ char *path;
+} au_path_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address 4 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid32_t tid;
+} au_proc32_t;
+
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid64_t tid;
+} au_proc64_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * type 4 bytes
+ * machine address 16 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr32_t tid;
+} au_proc32ex_t;
+
+/*
+ * error status 1 byte
+ * return value 4 bytes/8 bytes (32-bit/64-bit value)
+ */
+typedef struct {
+ u_char status;
+ u_int32_t ret;
+} au_ret32_t;
+
+typedef struct {
+ u_char err;
+ u_int64_t val;
+} au_ret64_t;
+
+/*
+ * sequence number 4 bytes
+ */
+typedef struct {
+ u_int32_t seqno;
+} au_seq_t;
+
+/*
+ * socket type 2 bytes
+ * local port 2 bytes
+ * local Internet address 4 bytes
+ * remote port 2 bytes
+ * remote Internet address 4 bytes
+ */
+typedef struct {
+ u_int16_t type;
+ u_int16_t l_port;
+ u_int32_t l_addr;
+ u_int16_t r_port;
+ u_int32_t r_addr;
+} au_socket_t;
+
+/*
+ * socket type 2 bytes
+ * local port 2 bytes
+ * address type/length 4 bytes
+ * local Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * remote port 4 bytes
+ * address type/length 4 bytes
+ * remote Internet address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+ u_int16_t type;
+ u_int16_t l_port;
+ u_int32_t l_ad_type;
+ u_int32_t l_addr;
+ u_int32_t r_port;
+ u_int32_t r_ad_type;
+ u_int32_t r_addr;
+} au_socket_ex32_t;
+
+/*
+ * socket family 2 bytes
+ * local port 2 bytes
+ * socket address 4 bytes/16 bytes (IPv4/IPv6 address)
+ */
+typedef struct {
+ u_int16_t family;
+ u_int16_t port;
+ u_int32_t addr;
+} au_socketinet32_t;
+
+/*
+ * socket family 2 bytes
+ * path 104 bytes
+ */
+typedef struct {
+ u_int16_t family;
+ char path[104];
+} au_socketunix_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * machine address 4 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid32_t tid;
+} au_subject32_t;
+
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tid64_t tid;
+} au_subject64_t;
+
+/*
+ * audit ID 4 bytes
+ * effective user ID 4 bytes
+ * effective group ID 4 bytes
+ * real user ID 4 bytes
+ * real group ID 4 bytes
+ * process ID 4 bytes
+ * session ID 4 bytes
+ * terminal ID
+ * port ID 4 bytes/8 bytes (32-bit/64-bit value)
+ * type 4 bytes
+ * machine address 16 bytes
+ */
+typedef struct {
+ u_int32_t auid;
+ u_int32_t euid;
+ u_int32_t egid;
+ u_int32_t ruid;
+ u_int32_t rgid;
+ u_int32_t pid;
+ u_int32_t sid;
+ au_tidaddr32_t tid;
+} au_subject32ex_t;
+
+/*
+ * text length 2 bytes
+ * text N bytes + 1 terminating NULL byte
+ */
+typedef struct {
+ u_int16_t len;
+ char *text;
+} au_text_t;
+
+typedef struct {
+ u_int32_t ident;
+ u_int16_t filter;
+ u_int16_t flags;
+ u_int32_t fflags;
+ u_int32_t data;
+} au_kevent_t;
+
+typedef struct {
+ u_int16_t length;
+ char *data;
+} au_invalid_t;
+
+/*
+ * trailer magic number 2 bytes
+ * record byte count 4 bytes
+ */
+typedef struct {
+ u_int16_t magic;
+ u_int32_t count;
+} au_trailer_t;
+
+struct tokenstr {
+ u_char id;
+ u_char *data;
+ size_t len;
+ union {
+ au_arg32_t arg32;
+ au_arg64_t arg64;
+ au_arb_t arb;
+ au_attr32_t attr32;
+ au_attr64_t attr64;
+ au_execarg_t execarg;
+ au_execenv_t execenv;
+ au_exit_t exit;
+ au_file_t file;
+ au_groups_t grps;
+ au_header32_t hdr32;
+ au_header32_ex_t hdr32_ex;
+ au_header64_t hdr64;
+ au_header64_ex_t hdr64_ex;
+ au_inaddr_t inaddr;
+ au_inaddr_ex_t inaddr_ex;
+ au_ip_t ip;
+ au_ipc_t ipc;
+ au_ipcperm_t ipcperm;
+ au_iport_t iport;
+ au_opaque_t opaque;
+ au_path_t path;
+ au_proc32_t proc32;
+ au_proc64_t proc64;
+ au_proc32ex_t proc32_ex;
+ au_ret32_t ret32;
+ au_ret64_t ret64;
+ au_seq_t seq;
+ au_socket_t socket;
+ au_socket_ex32_t socket_ex32;
+ au_socketinet32_t sockinet32;
+ au_socketunix_t sockunix;
+ au_subject32_t subj32;
+ au_subject64_t subj64;
+ au_subject32ex_t subj32_ex;
+ au_text_t text;
+ au_kevent_t kevent;
+ au_invalid_t invalid;
+ au_trailer_t trail;
+ } tt; /* The token is one of the above types */
+};
+
+typedef struct tokenstr tokenstr_t;
+
+/*
+ * Functions relating to querying audit class information.
+ */
+void setauclass(void);
+void endauclass(void);
+struct au_class_ent *getauclassent(void);
+struct au_class_ent *getauclassent_r(au_class_ent_t *class_int);
+struct au_class_ent *getauclassnam(const char *name);
+struct au_class_ent *getauclassnam_r(au_class_ent_t *class_int,
+ const char *name);
+struct au_class_ent *getauclassnum(au_class_t class_number);
+struct au_class_ent *getauclassnum_r(au_class_ent_t *class_int,
+ au_class_t class_number);
+
+/*
+ * Functions relating to querying audit control information.
+ */
+void setac(void);
+void endac(void);
+int getacdir(char *name, int len);
+int getacmin(int *min_val);
+int getacflg(char *auditstr, int len);
+int getacna(char *auditstr, int len);
+int getauditflagsbin(char *auditstr, au_mask_t *masks);
+int getauditflagschar(char *auditstr, au_mask_t *masks,
+ int verbose);
+int au_preselect(au_event_t event, au_mask_t *mask_p,
+ int sorf, int flag);
+
+/*
+ * Functions relating to querying audit event information.
+ *
+ * XXXRW: getauevnonam() has no _r version?
+ */
+void setauevent(void);
+void endauevent(void);
+struct au_event_ent *getauevent(void);
+struct au_event_ent *getauevent_r(struct au_event_ent *e);
+struct au_event_ent *getauevnam(const char *name);
+struct au_event_ent *getauevnam_r(struct au_event_ent *e,
+ const char *name);
+struct au_event_ent *getauevnum(au_event_t event_number);
+struct au_event_ent *getauevnum_r(struct au_event_ent *e,
+ au_event_t event_number);
+au_event_t *getauevnonam(const char *event_name);
+au_event_t *getauevnonam_r(au_event_t *ev,
+ const char *event_name);
+
+/*
+ * Functions relating to querying audit user information.
+ */
+void setauuser(void);
+void endauuser(void);
+struct au_user_ent *getauuserent(void);
+struct au_user_ent *getauuserent_r(struct au_user_ent *u);
+struct au_user_ent *getauusernam(const char *name);
+struct au_user_ent *getauusernam_r(struct au_user_ent *u,
+ const char *name);
+int au_user_mask(char *username, au_mask_t *mask_p);
+int getfauditflags(au_mask_t *usremask,
+ au_mask_t *usrdmask, au_mask_t *lastmask);
+
+/*
+ * Functions for reading and printing records and tokens from audit trails.
+ */
+int au_read_rec(FILE *fp, u_char **buf);
+int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len);
+//XXX The following interface has different prototype from BSM
+void au_print_tok(FILE *outfp, tokenstr_t *tok,
+ char *del, char raw, char sfrm);
+__END_DECLS
+
+#ifdef __APPLE__
+#include <sys/appleapiopts.h>
+
+/**************************************************************************
+ **************************************************************************
+ ** The following definitions, functions, etc., are NOT officially
+ ** supported: they may be changed or removed in the future. Do not use
+ ** them unless you are prepared to cope with that eventuality.
+ **************************************************************************
+ **************************************************************************/
+
+#ifdef __APPLE_API_PRIVATE
+#define __BSM_INTERNAL_NOTIFY_KEY "com.apple.audit.change"
+#endif /* __APPLE_API_PRIVATE */
+
+/*
+ * au_get_state() return values
+ * XXX use AUC_* values directly instead (<bsm/audit.h>); AUDIT_OFF and
+ * AUDIT_ON are deprecated and WILL be removed.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define AUDIT_OFF AUC_NOAUDIT
+#define AUDIT_ON AUC_AUDITING
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+/*
+ * Error return codes for audit_set_terminal_id(), audit_write() and its
+ * brethren. We have 255 (not including kAUNoErr) to play with.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+enum {
+ kAUNoErr = 0,
+ kAUBadParamErr = -66049,
+ kAUStatErr,
+ kAUSysctlErr,
+ kAUOpenErr,
+ kAUMakeSubjectTokErr,
+ kAUWriteSubjectTokErr,
+ kAUWriteCallerTokErr,
+ kAUMakeReturnTokErr,
+ kAUWriteReturnTokErr,
+ kAUCloseErr,
+ kAUMakeTextTokErr,
+ kAULastErr
+};
+
+#ifdef __APPLE__
+/*
+ * Error return codes for au_get_state() and/or its private support
+ * functions. These codes are designed to be compatible with the
+ * NOTIFY_STATUS_* codes defined in <notify.h> but non-overlapping.
+ * Any changes to notify(3) may cause these values to change in future.
+ *
+ * AU_UNIMPL should never happen unless you've changed your system software
+ * without rebooting. Shame on you.
+ */
+#ifdef __APPLE_API_PRIVATE
+#define AU_UNIMPL NOTIFY_STATUS_FAILED + 1 /* audit unimplemented */
+#endif /* __APPLE_API_PRIVATE */
+#endif /* !__APPLE__ */
+
+__BEGIN_DECLS
+/*
+ * XXX This prototype should be in audit_record.h
+ *
+ * au_free_token()
+ *
+ * @summary - au_free_token() deallocates a token_t created by any of
+ * the au_to_*() BSM API functions.
+ *
+ * The BSM API generally manages deallocation of token_t objects. However,
+ * if au_write() is passed a bad audit descriptor, the token_t * parameter
+ * will be left untouched. In that case, the caller can deallocate the
+ * token_t using au_free_token() if desired. This is, in fact, what
+ * audit_write() does, in keeping with the existing memory management model
+ * of the BSM API.
+ *
+ * @param tok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. For convenience, tok may be NULL, in which case
+ * au_free_token() returns immediately.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void au_free_token(token_t *tok);
+
+/*
+ * Lightweight check to determine if auditing is enabled. If a client
+ * wants to use this to govern whether an entire series of audit calls
+ * should be made--as in the common case of a caller building a set of
+ * tokens, then writing them--it should cache the audit status in a local
+ * variable. This call always returns the current state of auditing.
+ *
+ * @return - AUC_AUDITING or AUC_NOAUDIT if no error occurred.
+ * Otherwise the function can return any of the errno values defined for
+ * setaudit(2), or AU_UNIMPL if audit does not appear to be supported by
+ * the system.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int au_get_state(void);
+__END_DECLS
+
+/* OpenSSH compatibility */
+#define cannot_audit(x) (!(au_get_state() == AUC_AUDITING))
+
+__BEGIN_DECLS
+/*
+ * audit_set_terminal_id()
+ *
+ * @summary - audit_set_terminal_id() fills in an au_tid_t struct, which is
+ * used in audit session initialization by processes like /usr/bin/login.
+ *
+ * @param tid - A pointer to an au_tid_t struct.
+ *
+ * @return - kAUNoErr on success; kAUBadParamErr if tid is NULL, kAUStatErr
+ * or kAUSysctlErr if one of the underlying system calls fails (a message
+ * is sent to the system log in those cases).
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_set_terminal_id(au_tid_t *tid);
+
+/*
+ * BEGIN au_write() WRAPPERS
+ *
+ * The following calls all wrap the existing BSM API. They use the
+ * provided subject information, if any, to construct the subject token
+ * required for every log message. They use the provided return/error
+ * value(s), if any, to construct the success/failure indication required
+ * for every log message. They only permit one "miscellaneous" token,
+ * which should contain the event-specific logging information mandated by
+ * CAPP.
+ *
+ * All these calls assume the caller has previously determined that
+ * auditing is enabled by calling au_get_state().
+ */
+
+/*
+ * audit_write()
+ *
+ * @summary - audit_write() is the basis for the other audit_write_*()
+ * calls. Performs a basic write of an audit record (subject, additional
+ * info, success/failure). Note that this call only permits logging one
+ * caller-specified token; clients needing to log more flexibly must use
+ * the existing BSM API (au_open(), et al.) directly.
+ *
+ * Note on memory management: audit_write() guarantees that the token_t *s
+ * passed to it will be deallocated whether or not the underlying write to
+ * the audit log succeeded. This addresses an inconsistency in the
+ * underlying BSM API in which token_t *s are usually but not always
+ * deallocated.
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param subject - A token_t * generated by au_to_subject(),
+ * au_to_subject32(), au_to_subject64(), or au_to_me(). If no subject is
+ * required, subject should be NULL.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. This should correspond to the additional information required by
+ * CAPP for the event being audited. If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param retval - The return value to be logged for this event. This
+ * should be 0 (zero) for success, otherwise the value is event-specific.
+ *
+ * @param errcode - Any error code associated with the return value (e.g.,
+ * errno or h_errno). If there was no error, errcode should be 0 (zero).
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write(short event_code, token_t *subject, token_t *misctok,
+ char retval, int errcode);
+
+/*
+ * audit_write_success()
+ *
+ * @summary - audit_write_success() records an auditable event that did not
+ * encounter an error. The interface is designed to require as little
+ * direct use of the au_to_*() API as possible. It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_success_self().
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. This should correspond to the additional information required by
+ * CAPP for the event being audited. If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_success(short event_code, token_t *misctok, au_id_t auid,
+ uid_t euid, gid_t egid, uid_t ruid, gid_t rgid, pid_t pid,
+ au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_success_self()
+ *
+ * @summary - Similar to audit_write_success(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param misctok - A token_t * generated by one of the au_to_*() BSM API
+ * calls. This should correspond to the additional information required by
+ * CAPP for the event being audited. If no additional information is
+ * required, misctok should be NULL.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_success_self(short event_code, token_t *misctok);
+
+/*
+ * audit_write_failure()
+ *
+ * @summary - audit_write_failure() records an auditable event that
+ * encountered an error. The interface is designed to require as little
+ * direct use of the au_to_*() API as possible. It builds a subject token
+ * from the information passed in and uses that to invoke audit_write().
+ * A subject, as defined by CAPP, is a process acting on the user's behalf.
+ *
+ * If the subject information is the same as the current process, use
+ * au_write_failure_self().
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error. This is intended to store the value of errno or h_errno if
+ * it's relevant. This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param auid - The subject's audit ID.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param ruid - The subject's real user ID.
+ *
+ * @param rgid - The subject's real group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param sid - The subject's session ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_failure(short event_code, char *errmsg, int errret,
+ au_id_t auid, uid_t euid, gid_t egid, uid_t ruid, gid_t rgid,
+ pid_t pid, au_asid_t sid, au_tid_t *tid);
+
+/*
+ * audit_write_failure_self()
+ *
+ * @summary - Similar to audit_write_failure(), but used when the subject
+ * (process) is owned and operated by the auditable user him/herself.
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error. This is intended to store the value of errno or h_errno if
+ * it's relevant. This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_failure_self(short event_code, char *errmsg, int errret);
+
+/*
+ * audit_write_failure_na()
+ *
+ * @summary - audit_write_failure_na() records errors during login. Such
+ * errors are implicitly non-attributable (i.e., not ascribable to any user).
+ *
+ * @param event_code - The code for the event being logged. This should
+ * be one of the AUE_ values in /usr/include/bsm/audit_uevents.h.
+ *
+ * @param errmsg - A text message providing additional information about
+ * the event being audited.
+ *
+ * @param errret - A numerical value providing additional information about
+ * the error. This is intended to store the value of errno or h_errno if
+ * it's relevant. This can be 0 (zero) if no additional information is
+ * available.
+ *
+ * @param euid - The subject's effective user ID.
+ *
+ * @param egid - The subject's effective group ID.
+ *
+ * @param pid - The subject's process ID.
+ *
+ * @param tid - The subject's terminal ID.
+ *
+ * @return - The status of the call: 0 (zero) on success, else one of the
+ * kAU*Err values defined above.
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+int audit_write_failure_na(short event_code, char *errmsg, int errret,
+ uid_t euid, gid_t egid, pid_t pid, au_tid_t *tid);
+
+/* END au_write() WRAPPERS */
+
+#ifdef __APPLE__
+/*
+ * audit_token_to_au32()
+ *
+ * @summary - Extract information from an audit_token_t, used to identify
+ * Mach tasks and senders of Mach messages as subjects to the audit system.
+ * audit_tokent_to_au32() is the only method that should be used to parse
+ * an audit_token_t, since its internal representation may change over
+ * time. A pointer parameter may be NULL if that information is not
+ * needed.
+ *
+ * @param atoken - the audit token containing the desired information
+ *
+ * @param auidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's audit user ID
+ *
+ * @param euidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's effective user ID
+ *
+ * @param egidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's effective group ID
+ *
+ * @param ruidp - Pointer to a uid_t; on return will be set to the task or
+ * sender's real user ID
+ *
+ * @param rgidp - Pointer to a gid_t; on return will be set to the task or
+ * sender's real group ID
+ *
+ * @param pidp - Pointer to a pid_t; on return will be set to the task or
+ * sender's process ID
+ *
+ * @param asidp - Pointer to an au_asid_t; on return will be set to the
+ * task or sender's audit session ID
+ *
+ * @param tidp - Pointer to an au_tid_t; on return will be set to the task
+ * or sender's terminal ID
+ *
+ * XXXRW: In Apple's bsm-8, these are marked __APPLE_API_PRIVATE.
+ */
+void audit_token_to_au32(
+ audit_token_t atoken,
+ uid_t *auidp,
+ uid_t *euidp,
+ gid_t *egidp,
+ uid_t *ruidp,
+ gid_t *rgidp,
+ pid_t *pidp,
+ au_asid_t *asidp,
+ au_tid_t *tidp);
+#endif /* !__APPLE__ */
+
+__END_DECLS
+
+#endif /* !_LIBBSM_H_ */
OpenPOWER on IntegriCloud