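/*-
 * Copyright (c) 2009 Apple Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bsm/auditd_lib.h#4 $
 */

/*
 * Userland interface to the audit session device (AUDIT_SDEV_PATH) and the
 * session flag bits carried in the ai_flags member of auditinfo_addr.
 */

#ifndef _BSM_AUDIT_SESSION_H_
#define _BSM_AUDIT_SESSION_H_

#include <inttypes.h>		/* Required for audit.h. */
#include <stdio.h>		/* Required for FILE. */

#include <bsm/audit.h>
#include <bsm/audit_kevents.h>	/* Required for AUE_SESSION_* event defs. */

/*
 * Defined audit session flags for the ai_flags member of auditinfo_addr.
 * These are opaque to XNU itself, although some may be of interest to certain
 * kernel extensions, notably AU_SESSION_FLAG_HAS_CONSOLE_ACCESS.
 *
 * Each constant is a distinct single bit, so several can be set at once.
 *
 * NOTE(review): because the kernel treats these bits as opaque, how far a
 * consumer can trust them presumably depends on which process set them on
 * the session.  Confirm who may write ai_flags before using any of these
 * bits as the basis for an access decision.
 */
enum audit_session_flags {
	/* The initial session created by PID 1. */
	AU_SESSION_FLAG_IS_INITIAL		= 0x0001,

	/* The graphics subsystem (CoreGraphics, etc.) is available. */
	AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS	= 0x0010,

	/* /dev/tty is available. */
	AU_SESSION_FLAG_HAS_TTY			= 0x0020,

	/* The session was created for a remote connection. */
	AU_SESSION_FLAG_IS_REMOTE		= 0x1000,

	/* The console and associated devices are available. */
	AU_SESSION_FLAG_HAS_CONSOLE_ACCESS	= 0x2000,

	/* An active, authenticated user is associated with the session. */
	AU_SESSION_FLAG_HAS_AUTHENTICATED	= 0x4000,
};

/*
 * Audit session device.
 */

#define	AUDIT_SDEV_PATH		"/dev/auditsessions"

/*
 * au_sdev_open() flags
 */
enum au_sdev_open_flags {
	/* Set the audit session device to not block on reads. */
	AU_SDEVF_NONBLOCK	= 0x00000001,

	/*
	 * Allow the process to monitor all sessions.  (Requires privilege.)
	 *
	 * NOTE(review): this header does not name the privilege or say how a
	 * failed privilege check is reported; confirm against the
	 * implementation before relying on all-session visibility.
	 */
	AU_SDEVF_ALLSESSIONS	= 0x00010000,
};

__BEGIN_DECLS
/*
 * Audit session device handle.
 *
 * Returned by au_sdev_open() and passed to the other au_sdev_*() calls.
 * The field notes below are inferred from the member names only; callers
 * should go through the au_sdev_*() functions rather than touch the members.
 */
typedef struct au_sdev_handle {
	FILE		*ash_fp;	/* presumably the open device stream */
	u_char		*ash_buf;	/* presumably the record read buffer */
	int		 ash_reclen;	/* presumably the current record length */
	int		 ash_bytesread;	/* presumably bytes read so far */
} au_sdev_handle_t;

/*
 * au_sdev_open()
 *
 * @summary - Open the audit session pseudo device.
 *
 * @param flags - Flags that change the behavior of the device.  The flags
 * specified are formed by or'ing the following flags: AU_SDEVF_NONBLOCK for
 * non-blocking I/O and AU_SDEVF_ALLSESSIONS for monitoring all the sessions
 * and not just the session of the current process.
 *
 * @return Upon success returns the audit session device handle.  Otherwise,
 * NULL is returned and the errno is set to indicate the error.  Always check
 * for NULL before passing the result to the other au_sdev_*() calls.
 */
au_sdev_handle_t	*au_sdev_open(int flags);

/*
 * au_sdev_close()
 *
 * @summary - Close the audit session pseudo device.
 *
 * @param ash - Audit session device handle.
 *
 * @return Upon successful completion 0 is returned.  Otherwise, errno is set
 * to indicate the error.  The value returned on failure is not stated here,
 * so treat any non-zero return as a failure.
 */
int	au_sdev_close(au_sdev_handle_t *ash);

/*
 * au_sdev_fd()
 *
 * @summary - Get the file descriptor for the audit session device.
 *
 * @param ash - Audit session device handle.
 *
 * @return File descriptor of the audit session device.  No error return is
 * documented here; behavior for a NULL handle should be confirmed against
 * the implementation.
 */
int	au_sdev_fd(au_sdev_handle_t *ash);

/*
 * au_sdev_read_aia()
 *
 * @summary - Read a session event and an auditinfo_addr record from kernel.
 *
 * @param ash - Audit session device handle.
 *
 * @param event - A pointer to an integer that will contain the event type:
 * AUE_SESSION_START (start of a new session), AUE_SESSION_UPDATE (the
 * session information has been changed), AUE_SESSION_END (all the processes in
 * the session have exited), or AUE_SESSION_CLOSE (the session record has been
 * removed from the kernel).
 *
 * @param aia_p - A pointer to an auditinfo_addr structure that will contain the
 * audit session information on a successful return.  The audit mask field
 * (ai_mask), however, does not currently contain correct information, so do
 * not base audit-policy or monitoring decisions on ai_mask from this call.
 *
 * @return Upon successful completion 0 is returned and the event and aia_p
 * parameters will be populated.  Otherwise, errno is set to indicate the
 * error; *event and *aia_p are only documented as populated on success.
 */
int	au_sdev_read_aia(au_sdev_handle_t *ash, int *event,
	    auditinfo_addr_t *aia_p);

__END_DECLS

#endif /* !_BSM_AUDIT_SESSION_H_ */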