Warning: That file was not part of the compilation database. It may have many parsing errors.

1/* libaudit.h --
2 * Copyright 2004-2018 Red Hat Inc., Durham, North Carolina.
3 * All Rights Reserved.
4 *
5 * This library is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU Lesser General Public
7 * License as published by the Free Software Foundation; either
8 * version 2.1 of the License, or (at your option) any later version.
9 *
10 * This library is distributed in the hope that it will be useful,
11 * but WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * Lesser General Public License for more details.
14 *
15 * You should have received a copy of the GNU Lesser General Public
16 * License along with this library; if not, write to the Free Software
17 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18 *
19 * Authors:
20 * Steve Grubb <sgrubb@redhat.com>
21 * Rickard E. (Rik) Faith <faith@redhat.com>
22 */
23#ifndef _LIBAUDIT_H_
24#define _LIBAUDIT_H_
25
26#ifdef __cplusplus
27extern "C" {
28#endif
29
30
31#include <asm/types.h>
32#include <stdint.h>
33#include <sys/socket.h>
34#include <linux/netlink.h>
35#include <linux/audit.h>
36#include <stdarg.h>
37#include <syslog.h>
38
39
40/* Audit message types as of 2.6.29 kernel:
41 * 1000 - 1099 are for commanding the audit system
42 * 1100 - 1199 user space trusted application messages
43 * 1200 - 1299 messages internal to the audit daemon
44 * 1300 - 1399 audit event messages
45 * 1400 - 1499 kernel SE Linux use
46 * 1500 - 1599 AppArmor events
47 * 1600 - 1699 kernel crypto events
48 * 1700 - 1799 kernel anomaly records
49 * 1800 - 1899 kernel integrity labels and related events
50 * 1800 - 1999 future kernel use
51 * 2001 - 2099 unused (kernel)
52 * 2100 - 2199 user space anomaly records
53 * 2200 - 2299 user space actions taken in response to anomalies
54 * 2300 - 2399 user space generated LSPP events
55 * 2400 - 2499 user space crypto events
56 * 2500 - 2599 user space virtualization management events
57 * 2600 - 2999 future user space (maybe integrity labels and related events)
58 */
59
60#define AUDIT_FIRST_USER_MSG 1100 /* First user space message */
61#define AUDIT_LAST_USER_MSG 1199 /* Last user space message */
62#define AUDIT_USER_AUTH 1100 /* User system access authentication */
63#define AUDIT_USER_ACCT 1101 /* User system access authorization */
64#define AUDIT_USER_MGMT 1102 /* User acct attribute change */
65#define AUDIT_CRED_ACQ 1103 /* User credential acquired */
66#define AUDIT_CRED_DISP 1104 /* User credential disposed */
67#define AUDIT_USER_START 1105 /* User session start */
68#define AUDIT_USER_END 1106 /* User session end */
69#define AUDIT_USER_AVC 1107 /* User space avc message */
70#define AUDIT_USER_CHAUTHTOK 1108 /* User acct password or pin changed */
71#define AUDIT_USER_ERR 1109 /* User acct state error */
72#define AUDIT_CRED_REFR 1110 /* User credential refreshed */
73#define AUDIT_USYS_CONFIG 1111 /* User space system config change */
74#define AUDIT_USER_LOGIN 1112 /* User has logged in */
75#define AUDIT_USER_LOGOUT 1113 /* User has logged out */
76#define AUDIT_ADD_USER 1114 /* User account added */
77#define AUDIT_DEL_USER 1115 /* User account deleted */
78#define AUDIT_ADD_GROUP 1116 /* Group account added */
79#define AUDIT_DEL_GROUP 1117 /* Group account deleted */
80#define AUDIT_DAC_CHECK 1118 /* User space DAC check results */
81#define AUDIT_CHGRP_ID 1119 /* User space group ID changed */
82#define AUDIT_TEST 1120 /* Used for test success messages */
83#define AUDIT_TRUSTED_APP 1121 /* Trusted app msg - freestyle text */
84#define AUDIT_USER_SELINUX_ERR 1122 /* SE Linux user space error */
85#define AUDIT_USER_CMD 1123 /* User shell command and args */
86#define AUDIT_USER_TTY 1124 /* Non-ICANON TTY input meaning */
87#define AUDIT_CHUSER_ID 1125 /* Changed user ID supplemental data */
88#define AUDIT_GRP_AUTH 1126 /* Authentication for group password */
89#define AUDIT_SYSTEM_BOOT 1127 /* System boot */
90#define AUDIT_SYSTEM_SHUTDOWN 1128 /* System shutdown */
91#define AUDIT_SYSTEM_RUNLEVEL 1129 /* System runlevel change */
92#define AUDIT_SERVICE_START 1130 /* Service (daemon) start */
93#define AUDIT_SERVICE_STOP 1131 /* Service (daemon) stop */
94#define AUDIT_GRP_MGMT 1132 /* Group account attr was modified */
95#define AUDIT_GRP_CHAUTHTOK 1133 /* Group acct password or pin changed */
96#define AUDIT_MAC_CHECK 1134 /* User space MAC decision results */
97#define AUDIT_ACCT_LOCK 1135 /* User's account locked by admin */
98#define AUDIT_ACCT_UNLOCK 1136 /* User's account unlocked by admin */
99#define AUDIT_USER_DEVICE 1137 /* User space hotplug device changes */
100#define AUDIT_SOFTWARE_UPDATE 1138 /* Software update event */
101
102#define AUDIT_FIRST_DAEMON 1200
103#define AUDIT_LAST_DAEMON 1299
104#define AUDIT_DAEMON_RECONFIG 1204 /* Auditd should reconfigure */
105#define AUDIT_DAEMON_ROTATE 1205 /* Auditd should rotate logs */
106#define AUDIT_DAEMON_RESUME 1206 /* Auditd should resume logging */
107#define AUDIT_DAEMON_ACCEPT 1207 /* Auditd accepted remote connection */
108#define AUDIT_DAEMON_CLOSE 1208 /* Auditd closed remote connection */
109#define AUDIT_DAEMON_ERR 1209 /* Auditd internal error */
110
111#define AUDIT_FIRST_EVENT 1300
112#define AUDIT_LAST_EVENT 1399
113
114#define AUDIT_FIRST_SELINUX 1400
115#define AUDIT_LAST_SELINUX 1499
116
117#define AUDIT_FIRST_APPARMOR 1500
118#define AUDIT_LAST_APPARMOR 1599
119#ifndef AUDIT_AA
120#define AUDIT_AA 1500 /* Not upstream yet */
121#define AUDIT_APPARMOR_AUDIT 1501
122#define AUDIT_APPARMOR_ALLOWED 1502
123#define AUDIT_APPARMOR_DENIED 1503
124#define AUDIT_APPARMOR_HINT 1504
125#define AUDIT_APPARMOR_STATUS 1505
126#define AUDIT_APPARMOR_ERROR 1506
127#endif
128
129#define AUDIT_FIRST_KERN_CRYPTO_MSG 1600
130#define AUDIT_LAST_KERN_CRYPTO_MSG 1699
131
132#define AUDIT_FIRST_KERN_ANOM_MSG 1700
133#define AUDIT_LAST_KERN_ANOM_MSG 1799
134
135#define AUDIT_INTEGRITY_FIRST_MSG 1800
136#define AUDIT_INTEGRITY_LAST_MSG 1899
137#ifndef AUDIT_INTEGRITY_DATA
138#define AUDIT_INTEGRITY_DATA 1800 /* Data integrity verification */
139#define AUDIT_INTEGRITY_METADATA 1801 // Metadata integrity verification
140#define AUDIT_INTEGRITY_STATUS 1802 /* Integrity enable status */
141#define AUDIT_INTEGRITY_HASH 1803 /* Integrity HASH type */
142#define AUDIT_INTEGRITY_PCR 1804 /* PCR invalidation msgs */
143#define AUDIT_INTEGRITY_RULE 1805 /* Policy rule */
144#endif
145
146#define AUDIT_FIRST_ANOM_MSG 2100
147#define AUDIT_LAST_ANOM_MSG 2199
148#define AUDIT_ANOM_LOGIN_FAILURES 2100 // Failed login limit reached
149#define AUDIT_ANOM_LOGIN_TIME 2101 // Login attempted at bad time
150#define AUDIT_ANOM_LOGIN_SESSIONS 2102 // Max concurrent sessions reached
151#define AUDIT_ANOM_LOGIN_ACCT 2103 // Login attempted to watched acct
152#define AUDIT_ANOM_LOGIN_LOCATION 2104 // Login from forbidden location
153#define AUDIT_ANOM_MAX_DAC 2105 // Max DAC failures reached
154#define AUDIT_ANOM_MAX_MAC 2106 // Max MAC failures reached
155#define AUDIT_ANOM_AMTU_FAIL 2107 // AMTU failure
156#define AUDIT_ANOM_RBAC_FAIL 2108 // RBAC self test failure
157#define AUDIT_ANOM_RBAC_INTEGRITY_FAIL 2109 // RBAC file integrity failure
158#define AUDIT_ANOM_CRYPTO_FAIL 2110 // Crypto system test failure
159#define AUDIT_ANOM_ACCESS_FS 2111 // Access of file or dir
160#define AUDIT_ANOM_EXEC 2112 // Execution of file
161#define AUDIT_ANOM_MK_EXEC 2113 // Make an executable
162#define AUDIT_ANOM_ADD_ACCT 2114 // Adding an acct
163#define AUDIT_ANOM_DEL_ACCT 2115 // Deleting an acct
164#define AUDIT_ANOM_MOD_ACCT 2116 // Changing an acct
165#define AUDIT_ANOM_ROOT_TRANS 2117 // User became root
166#define AUDIT_ANOM_LOGIN_SERVICE 2118 // Service acct attempted login
167
168#define AUDIT_FIRST_ANOM_RESP 2200
169#define AUDIT_LAST_ANOM_RESP 2299
170#define AUDIT_RESP_ANOMALY 2200 /* Anomaly not reacted to */
171#define AUDIT_RESP_ALERT 2201 /* Alert email was sent */
172#define AUDIT_RESP_KILL_PROC 2202 /* Kill program */
173#define AUDIT_RESP_TERM_ACCESS 2203 /* Terminate session */
174#define AUDIT_RESP_ACCT_REMOTE 2204 /* Acct locked from remote access*/
175#define AUDIT_RESP_ACCT_LOCK_TIMED 2205 /* User acct locked for time */
176#define AUDIT_RESP_ACCT_UNLOCK_TIMED 2206 /* User acct unlocked from time */
177#define AUDIT_RESP_ACCT_LOCK 2207 /* User acct was locked */
178#define AUDIT_RESP_TERM_LOCK 2208 /* Terminal was locked */
179#define AUDIT_RESP_SEBOOL 2209 /* Set an SE Linux boolean */
180#define AUDIT_RESP_EXEC 2210 /* Execute a script */
181#define AUDIT_RESP_SINGLE 2211 /* Go to single user mode */
182#define AUDIT_RESP_HALT 2212 /* take the system down */
183#define AUDIT_RESP_ORIGIN_BLOCK 2213 /* Address blocked by iptables */
184#define AUDIT_RESP_ORIGIN_BLOCK_TIMED 2214 /* Address blocked for time */
185
186#define AUDIT_FIRST_USER_LSPP_MSG 2300
187#define AUDIT_LAST_USER_LSPP_MSG 2399
188#define AUDIT_USER_ROLE_CHANGE 2300 /* User changed to a new role */
189#define AUDIT_ROLE_ASSIGN 2301 /* Admin assigned user to role */
190#define AUDIT_ROLE_REMOVE 2302 /* Admin removed user from role */
191#define AUDIT_LABEL_OVERRIDE 2303 /* Admin is overriding a label */
192#define AUDIT_LABEL_LEVEL_CHANGE 2304 /* Object's level was changed */
193#define AUDIT_USER_LABELED_EXPORT 2305 /* Object exported with label */
194#define AUDIT_USER_UNLABELED_EXPORT 2306 /* Object exported without label */
195#define AUDIT_DEV_ALLOC 2307 /* Device was allocated */
196#define AUDIT_DEV_DEALLOC 2308 /* Device was deallocated */
197#define AUDIT_FS_RELABEL 2309 /* Filesystem relabeled */
198#define AUDIT_USER_MAC_POLICY_LOAD 2310 /* Userspc daemon loaded policy */
199#define AUDIT_ROLE_MODIFY 2311 /* Admin modified a role */
200#define AUDIT_USER_MAC_CONFIG_CHANGE 2312 /* Change made to MAC policy */
201
202#define AUDIT_FIRST_CRYPTO_MSG 2400
203#define AUDIT_CRYPTO_TEST_USER 2400 /* Crypto test results */
204#define AUDIT_CRYPTO_PARAM_CHANGE_USER 2401 /* Crypto attribute change */
205#define AUDIT_CRYPTO_LOGIN 2402 /* Logged in as crypto officer */
206#define AUDIT_CRYPTO_LOGOUT 2403 /* Logged out from crypto */
207#define AUDIT_CRYPTO_KEY_USER 2404 /* Create,delete,negotiate */
208#define AUDIT_CRYPTO_FAILURE_USER 2405 /* Fail decrypt,encrypt,randomiz */
209#define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */
210#define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during
211 TLS session establishment */
212#define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to
213 IKE SA */
214#define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to
215 IPSEC SA */
216
217#define AUDIT_LAST_CRYPTO_MSG 2499
218
219#define AUDIT_FIRST_VIRT_MSG 2500
220#define AUDIT_VIRT_CONTROL 2500 /* Start, Pause, Stop VM */
221#define AUDIT_VIRT_RESOURCE 2501 /* Resource assignment */
222#define AUDIT_VIRT_MACHINE_ID 2502 /* Binding of label to VM */
223#define AUDIT_VIRT_INTEGRITY_CHECK 2503 /* Guest integrity results */
224#define AUDIT_VIRT_CREATE 2504 /* Creation of guest image */
225#define AUDIT_VIRT_DESTROY 2505 /* Destruction of guest image */
226#define AUDIT_VIRT_MIGRATE_IN 2506 /* Inbound guest migration info */
227#define AUDIT_VIRT_MIGRATE_OUT 2507 /* Outbound guest migration info */
228
229#define AUDIT_LAST_VIRT_MSG 2599
230
231#ifndef AUDIT_FIRST_USER_MSG2
232#define AUDIT_FIRST_USER_MSG2 2100 /* More userspace messages */
233#define AUDIT_LAST_USER_MSG2 2999
234#endif
235
236/* New kernel event definitions since 2.6.30 */
237#ifndef AUDIT_SET_FEATURE
238#define AUDIT_SET_FEATURE 1018 /* Turn an audit feature on or off */
239#endif
240
241#ifndef AUDIT_GET_FEATURE
242#define AUDIT_GET_FEATURE 1019 /* Get which features are enabled */
243#endif
244
245#ifndef AUDIT_MMAP
246#define AUDIT_MMAP 1323 /* Descriptor and flags in mmap */
247#endif
248
249#ifndef AUDIT_NETFILTER_PKT
250#define AUDIT_NETFILTER_PKT 1324 /* Packets traversing netfilter chains */
251#endif
252#ifndef AUDIT_NETFILTER_CFG
253#define AUDIT_NETFILTER_CFG 1325 /* Netfilter chain modifications */
254#endif
255
256#ifndef AUDIT_SECCOMP
257#define AUDIT_SECCOMP 1326 /* Secure Computing event */
258#endif
259
260#ifndef AUDIT_PROCTITLE
261#define AUDIT_PROCTITLE 1327 /* Process Title info */
262#endif
263
264#undef AUDIT_FEATURE_CHANGE
265#ifndef AUDIT_FEATURE_CHANGE
266#define AUDIT_FEATURE_CHANGE 1328 /* Audit feature changed value */
267#endif
268
269#ifndef AUDIT_REPLACE
270#define AUDIT_REPLACE 1329 /* Auditd replaced because probe failed */
271#endif
272
273#ifndef AUDIT_KERN_MODULE
274#define AUDIT_KERN_MODULE 1330 /* Kernel Module events */
275#endif
276
277#ifndef AUDIT_FANOTIFY
278#define AUDIT_FANOTIFY 1331 /* Fanotify access decision */
279#endif
280
281#ifndef AUDIT_ANOM_LINK
282#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
283#endif
284
285/* This is related to the filterkey patch */
286#define AUDIT_KEY_SEPARATOR 0x01
287
288/* These are used in filter control */
289#ifndef AUDIT_FILTER_FS
290#define AUDIT_FILTER_FS 0x06 /* FS record filter in __audit_inode_child */
291#endif
292#ifndef AUDIT_FILTER_EXCLUDE
293#define AUDIT_FILTER_EXCLUDE AUDIT_FILTER_TYPE
294#endif
295#define AUDIT_FILTER_MASK 0x07 /* Mask to get actual filter */
296#define AUDIT_FILTER_UNSET 0x80 /* This value means filter is unset */
297
298/* Status symbol mask values */
299#ifndef AUDIT_STATUS_LOST
300#define AUDIT_STATUS_LOST 0x0040
301#endif
302
303/* These defines describe what features are in the kernel */
304#ifndef AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT
305#define AUDIT_FEATURE_BITMAP_BACKLOG_LIMIT 0x00000001
306#endif
307#ifndef AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME
308#define AUDIT_FEATURE_BITMAP_BACKLOG_WAIT_TIME 0x00000002
309#endif
310#ifndef AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH
311#define AUDIT_FEATURE_BITMAP_EXECUTABLE_PATH 0x00000004
312#endif
313#ifndef AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND
314#define AUDIT_FEATURE_BITMAP_EXCLUDE_EXTEND 0x00000008
315#endif
316#ifndef AUDIT_FEATURE_BITMAP_SESSIONID_FILTER
317#define AUDIT_FEATURE_BITMAP_SESSIONID_FILTER 0x00000010
318#endif
319#ifndef AUDIT_FEATURE_BITMAP_LOST_RESET
320#define AUDIT_FEATURE_BITMAP_LOST_RESET 0x00000020
321#endif
322#ifndef AUDIT_FEATURE_BITMAP_FILTER_FS
323#define AUDIT_FEATURE_BITMAP_FILTER_FS 0x00000040
324#endif
325
326/* Defines for interfield comparison update */
327#ifndef AUDIT_OBJ_UID
328#define AUDIT_OBJ_UID 109
329#endif
330#ifndef AUDIT_OBJ_GID
331#define AUDIT_OBJ_GID 110
332#endif
333#ifndef AUDIT_FIELD_COMPARE
334#define AUDIT_FIELD_COMPARE 111
335#endif
336#ifndef AUDIT_EXE
337#define AUDIT_EXE 112
338#endif
339
340#ifndef AUDIT_SESSIONID
341#define AUDIT_SESSIONID 25
342#endif
343
344#ifndef AUDIT_FSTYPE
345#define AUDIT_FSTYPE 26
346#endif
347
348#ifndef AUDIT_COMPARE_UID_TO_OBJ_UID
349#define AUDIT_COMPARE_UID_TO_OBJ_UID 1
350#endif
351#ifndef AUDIT_COMPARE_GID_TO_OBJ_GID
352#define AUDIT_COMPARE_GID_TO_OBJ_GID 2
353#endif
354#ifndef AUDIT_COMPARE_EUID_TO_OBJ_UID
355#define AUDIT_COMPARE_EUID_TO_OBJ_UID 3
356#endif
357#ifndef AUDIT_COMPARE_EGID_TO_OBJ_GID
358#define AUDIT_COMPARE_EGID_TO_OBJ_GID 4
359#endif
360#ifndef AUDIT_COMPARE_AUID_TO_OBJ_UID
361#define AUDIT_COMPARE_AUID_TO_OBJ_UID 5
362#endif
363#ifndef AUDIT_COMPARE_SUID_TO_OBJ_UID
364#define AUDIT_COMPARE_SUID_TO_OBJ_UID 6
365#endif
366#ifndef AUDIT_COMPARE_SGID_TO_OBJ_GID
367#define AUDIT_COMPARE_SGID_TO_OBJ_GID 7
368#endif
369#ifndef AUDIT_COMPARE_FSUID_TO_OBJ_UID
370#define AUDIT_COMPARE_FSUID_TO_OBJ_UID 8
371#endif
372#ifndef AUDIT_COMPARE_FSGID_TO_OBJ_GID
373#define AUDIT_COMPARE_FSGID_TO_OBJ_GID 9
374#endif
375#ifndef AUDIT_COMPARE_UID_TO_AUID
376#define AUDIT_COMPARE_UID_TO_AUID 10
377#endif
378#ifndef AUDIT_COMPARE_UID_TO_EUID
379#define AUDIT_COMPARE_UID_TO_EUID 11
380#endif
381#ifndef AUDIT_COMPARE_UID_TO_FSUID
382#define AUDIT_COMPARE_UID_TO_FSUID 12
383#endif
384#ifndef AUDIT_COMPARE_UID_TO_SUID
385#define AUDIT_COMPARE_UID_TO_SUID 13
386#endif
387#ifndef AUDIT_COMPARE_AUID_TO_FSUID
388#define AUDIT_COMPARE_AUID_TO_FSUID 14
389#endif
390#ifndef AUDIT_COMPARE_AUID_TO_SUID
391#define AUDIT_COMPARE_AUID_TO_SUID 15
392#endif
393#ifndef AUDIT_COMPARE_AUID_TO_EUID
394#define AUDIT_COMPARE_AUID_TO_EUID 16
395#endif
396#ifndef AUDIT_COMPARE_EUID_TO_SUID
397#define AUDIT_COMPARE_EUID_TO_SUID 17
398#endif
399#ifndef AUDIT_COMPARE_EUID_TO_FSUID
400#define AUDIT_COMPARE_EUID_TO_FSUID 18
401#endif
402#ifndef AUDIT_COMPARE_SUID_TO_FSUID
403#define AUDIT_COMPARE_SUID_TO_FSUID 19
404#endif
405#ifndef AUDIT_COMPARE_GID_TO_EGID
406#define AUDIT_COMPARE_GID_TO_EGID 20
407#endif
408#ifndef AUDIT_COMPARE_GID_TO_FSGID
409#define AUDIT_COMPARE_GID_TO_FSGID 21
410#endif
411#ifndef AUDIT_COMPARE_GID_TO_SGID
412#define AUDIT_COMPARE_GID_TO_SGID 22
413#endif
414#ifndef AUDIT_COMPARE_EGID_TO_FSGID
415#define AUDIT_COMPARE_EGID_TO_FSGID 23
416#endif
417#ifndef AUDIT_COMPARE_EGID_TO_SGID
418#define AUDIT_COMPARE_EGID_TO_SGID 24
419#endif
420#ifndef AUDIT_COMPARE_SGID_TO_FSGID
421#define AUDIT_COMPARE_SGID_TO_FSGID 25
422#endif
423
424#ifndef EM_ARM
425#define EM_ARM 40
426#endif
427#ifndef EM_AARCH64
428#define EM_AARCH64 183
429#endif
430
431#ifndef AUDIT_ARCH_AARCH64
432#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
433#endif
434
435#ifndef AUDIT_ARCH_PPC64LE
436#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
437#endif
438
439/* This is the character that separates event data from enrichment fields */
440#define AUDIT_INTERP_SEPARATOR 0x1D
441
442//////////////////////////////////////////////////////
443// This is an external ABI. Any changes in here will
444// likely affect pam_loginuid. There might be other
445// apps that use this low level interface, but I don't
446// know of any.
447//
448/* data structure for who signaled the audit daemon */
449struct audit_sig_info {
450 uid_t uid;
451 pid_t pid;
452 char ctx[0];
453};
454
455/* defines for audit subsystem */
456#define MAX_AUDIT_MESSAGE_LENGTH 8970 // PATH_MAX*2+CONTEXT_SIZE*2+11+256+1
457struct audit_message {
458 struct nlmsghdr nlh;
459 char data[MAX_AUDIT_MESSAGE_LENGTH];
460};
461
462// internal - forward declaration
463struct daemon_conf;
464
465struct audit_reply {
466 int type;
467 int len;
468 struct nlmsghdr *nlh;
469 struct audit_message msg;
470
471 /* Using a union to compress this structure since only one of
472 * the following should be valid for any packet. */
473 union {
474 struct audit_status *status;
475 struct audit_rule_data *ruledata;
476 struct audit_login *login;
477 char *message;
478 struct nlmsgerr *error;
479 struct audit_sig_info *signal_info;
480 struct daemon_conf *conf;
481#ifdef AUDIT_FEATURE_BITMAP_ALL
482 struct audit_features *features;
483#endif
484 };
485};
486
487//
488// End of ABI control
489//////////////////////////////////////////////////////
490
491//////////////////////////////////////////////////////
492// audit dispatcher interface
493//
494/* audit_dispatcher_header: This header is versioned. If anything gets
495 * added to it, it must go at the end and the version number bumped.
496 * This MUST BE fixed size for compatibility. If you are going to add
497 * new member then add them into _structure_ part.
498 */
499struct audit_dispatcher_header {
500 uint32_t ver; /* The version of this protocol */
501 uint32_t hlen; /* Header length */
502 uint32_t type; /* Message type */
503 uint32_t size; /* Size of data following the header */
504};
505
506// Original protocol starts with msg='
507#define AUDISP_PROTOCOL_VER 0
508
509// Starts with node and/or type already in the text before msg=
510// IOW, its preformatted in the audit daemon.
511#define AUDISP_PROTOCOL_VER2 1
512
513
514///////////////////////////////////////////////////
515// Libaudit API
516//
517
518/* This is the machine type list */
519typedef enum {
520 MACH_X86=0,
521 MACH_86_64,
522 MACH_IA64,
523 MACH_PPC64,
524 MACH_PPC,
525 MACH_S390X,
526 MACH_S390,
527 MACH_ALPHA,
528 MACH_ARM,
529 MACH_AARCH64,
530 MACH_PPC64LE
531} machine_t;
532
533/* These are the valid audit failure tunable enum values */
534typedef enum {
535 FAIL_IGNORE=0,
536 FAIL_LOG,
537 FAIL_TERMINATE
538} auditfail_t;
539
540/* Messages */
541typedef enum { MSG_STDERR, MSG_SYSLOG, MSG_QUIET } message_t;
542typedef enum { DBG_NO, DBG_YES } debug_message_t;
543void set_aumessage_mode(message_t mode, debug_message_t debug);
544
545/* General */
546typedef enum { GET_REPLY_BLOCKING=0, GET_REPLY_NONBLOCKING } reply_t;
547extern int audit_open(void);
548extern void audit_close(int fd);
549extern int audit_get_reply(int fd, struct audit_reply *rep, reply_t block,
550 int peek);
551extern uid_t audit_getloginuid(void);
552extern int audit_setloginuid(uid_t uid);
553extern uint32_t audit_get_session(void);
554extern int audit_detect_machine(void);
555extern int audit_determine_machine(const char *arch);
556
557/* Translation functions */
558extern int audit_name_to_field(const char *field);
559extern const char *audit_field_to_name(int field);
560extern int audit_name_to_syscall(const char *sc, int machine);
561extern const char *audit_syscall_to_name(int sc, int machine);
562extern int audit_name_to_flag(const char *flag);
563extern const char *audit_flag_to_name(int flag);
564extern int audit_name_to_action(const char *action);
565extern const char *audit_action_to_name(int action);
566extern int audit_name_to_msg_type(const char *msg_type);
567extern const char *audit_msg_type_to_name(int msg_type);
568extern int audit_name_to_machine(const char *machine);
569extern const char *audit_machine_to_name(int machine);
570extern unsigned int audit_machine_to_elf(int machine);
571extern int audit_elf_to_machine(unsigned int elf);
572extern const char *audit_operator_to_symbol(int op);
573extern int audit_name_to_errno(const char *error);
574extern const char *audit_errno_to_name(int error);
575extern int audit_name_to_ftype(const char *name);
576extern const char *audit_ftype_to_name(int ftype);
577extern int audit_name_to_fstype(const char *name);
578extern const char *audit_fstype_to_name(int fstype);
579extern void audit_number_to_errmsg(int errnumber, const char *opt);
580
581/* AUDIT_GET */
582extern int audit_request_status(int fd);
583extern int audit_is_enabled(int fd);
584extern int get_auditfail_action(auditfail_t *failmode);
585extern int audit_request_features(int fd);
586extern uint32_t audit_get_features(void);
587
588/* AUDIT_SET */
589typedef enum { WAIT_NO, WAIT_YES } rep_wait_t;
590extern int audit_set_pid(int fd, uint32_t pid, rep_wait_t wmode);
591extern int audit_set_enabled(int fd, uint32_t enabled);
592extern int audit_set_failure(int fd, uint32_t failure);
593extern int audit_set_rate_limit(int fd, uint32_t limit);
594extern int audit_set_backlog_limit(int fd, uint32_t limit);
595int audit_set_backlog_wait_time(int fd, uint32_t bwt);
596int audit_reset_lost(int fd);
597extern int audit_set_feature(int fd, unsigned feature, unsigned value, unsigned lock);
598extern int audit_set_loginuid_immutable(int fd);
599
600/* AUDIT_LIST_RULES */
601extern int audit_request_rules_list_data(int fd);
602
603/* SIGNAL_INFO */
604extern int audit_request_signal_info(int fd);
605
606/* AUDIT_WATCH */
607extern int audit_update_watch_perms(struct audit_rule_data *rule, int perms);
608extern int audit_add_watch(struct audit_rule_data **rulep, const char *path);
609extern int audit_add_dir(struct audit_rule_data **rulep, const char *path);
610extern int audit_add_watch_dir(int type, struct audit_rule_data **rulep,
611 const char *path);
612extern int audit_trim_subtrees(int fd);
613extern int audit_make_equivalent(int fd, const char *mount_point,
614 const char *subtree);
615
616/* AUDIT_ADD_RULE */
617extern int audit_add_rule_data(int fd, struct audit_rule_data *rule,
618 int flags, int action);
619
620/* AUDIT_DEL_RULE */
621extern int audit_delete_rule_data(int fd, struct audit_rule_data *rule,
622 int flags, int action);
623
624/* The following are for standard formatting of messages */
625extern int audit_value_needs_encoding(const char *str, unsigned int len);
626extern char *audit_encode_value(char *final,const char *buf,unsigned int size);
627extern char *audit_encode_nv_string(const char *name, const char *value,
628 unsigned int vlen);
629extern int audit_log_user_message(int audit_fd, int type, const char *message,
630 const char *hostname, const char *addr, const char *tty, int result);
631extern int audit_log_user_comm_message(int audit_fd, int type,
632 const char *message, const char *comm, const char *hostname,
633 const char *addr, const char *tty, int result);
634extern int audit_log_acct_message(int audit_fd, int type, const char *pgname,
635 const char *op, const char *name, unsigned int id,
636 const char *host, const char *addr, const char *tty, int result);
637extern int audit_log_user_avc_message(int audit_fd, int type,
638 const char *message, const char *hostname, const char *addr,
639 const char *tty, uid_t uid);
640extern int audit_log_semanage_message(int audit_fd, int type,
641 const char *pgname, const char *op, const char *name, unsigned int id,
642 const char *new_seuser, const char *new_role, const char *new_range,
643 const char *old_seuser, const char *old_role, const char *old_range,
644 const char *host, const char *addr,
645 const char *tty, int result);
646extern int audit_log_user_command(int audit_fd, int type, const char *command,
647 const char *tty, int result);
648
649/* Rule-building helper functions */
650extern int audit_rule_syscall_data(struct audit_rule_data *rule, int scall);
651extern int audit_rule_syscallbyname_data(struct audit_rule_data *rule,
652 const char *scall);
653/* Note that the following function takes a **, where audit_rule_fieldpair()
654 * takes just a *. That structure may need to be reallocated as a result of
655 * adding new fields */
656extern int audit_rule_fieldpair_data(struct audit_rule_data **rulep,
657 const char *pair, int flags);
658extern int audit_rule_interfield_comp_data(struct audit_rule_data **rulep,
659 const char *pair, int flags);
660extern void audit_rule_free_data(struct audit_rule_data *rule);
661
662/* Capability testing functions */
663int audit_can_control(void);
664int audit_can_write(void);
665int audit_can_read(void);
666
667#ifdef __cplusplus
668}
669#endif
670
671#endif
672

Warning: That file was not part of the compilation database. It may have many parsing errors.