audit.h
001:
002:
003:
004:
005:
006:
007:
008:
009:
010:
011:
012:
013:
014:
015:
016:
017:
018:
019:
020: <faith@redhat.com>
021:
022:
023:
024: #ifndef _LINUX_AUDIT_H_
025: #define _LINUX_AUDIT_H_
026:
027: #include <linux/types.h>
028: #include <linux/elf-em.h>
029:
030:
031:
032:
033:
034:
035:
036:
037:
038:
039:
040:
041:
042:
043:
044: /* Netlink message types (nlmsg_type).  The numbers are blocked by origin:
045:  *   1000-1017  control requests and replies (defined first below)
046:  *   1100-1199  user-space messages, AUDIT_FIRST_USER_MSG..AUDIT_LAST_USER_MSG
047:  *   1200-1203  audit daemon lifecycle/config messages
048:  *   1300-1325  kernel event records;  1400-1417 MAC/SELinux records
049:  *   1700-1799  kernel anomaly records; 1800-1805 integrity records
050:  *   2000       otherwise unclassified kernel messages (AUDIT_KERNEL)
051:  *   2100-2999  second user-space range, AUDIT_FIRST_USER_MSG2..AUDIT_LAST_USER_MSG2
052:  * The glosses below follow the constant names; exact semantics, and which sender capability each type requires, are enforced in the kernel's audit netlink handler, not in this header.  AUDIT_LIST/ADD/DEL and AUDIT_LIST_RULES/ADD_RULE/DEL_RULE look like two generations of the rule interface (struct audit_rule vs. struct audit_rule_data at the end of this file) — confirm against the kernel source. */
053: #define AUDIT_GET 1000 /* get audit status (reply presumably a struct audit_status) */
054: #define AUDIT_SET 1001 /* set audit status (struct audit_status; fields selected by .mask, see AUDIT_STATUS_*) */
055: #define AUDIT_LIST 1002 /* list rules (see AUDIT_LIST_RULES) */
056: #define AUDIT_ADD 1003 /* add a rule (see AUDIT_ADD_RULE) */
057: #define AUDIT_DEL 1004 /* delete a rule (see AUDIT_DEL_RULE) */
058: #define AUDIT_USER 1005 /* generic message from user space */
059: #define AUDIT_LOGIN 1006 /* login id assignment record (see the AUDIT_LOGINUID field) */
060: #define AUDIT_WATCH_INS 1007 /* insert a file/dir watch */
061: #define AUDIT_WATCH_REM 1008 /* remove a file/dir watch */
062: #define AUDIT_WATCH_LIST 1009 /* list file/dir watches */
063: #define AUDIT_SIGNAL_INFO 1010 /* query information about the sender of a signal */
064: #define AUDIT_ADD_RULE 1011 /* add a filter rule (struct audit_rule_data) */
065: #define AUDIT_DEL_RULE 1012 /* delete a filter rule (struct audit_rule_data) */
066: #define AUDIT_LIST_RULES 1013 /* list filter rules (struct audit_rule_data replies) */
067: #define AUDIT_TRIM 1014 /* trim watched trees */
068: #define AUDIT_MAKE_EQUIV 1015 /* declare two paths equivalent for watch purposes */
069: #define AUDIT_TTY_GET 1016 /* get TTY auditing status (struct audit_tty_status) */
070: #define AUDIT_TTY_SET 1017 /* set TTY auditing status (struct audit_tty_status) */
071:
072: #define AUDIT_FIRST_USER_MSG 1100 /* inclusive lower bound of the first user-space type range */
073: #define AUDIT_USER_AVC 1107 /* user-space AVC (access vector) decision record */
074: #define AUDIT_USER_TTY 1124 /* user-space TTY record */
075: #define AUDIT_LAST_USER_MSG 1199 /* inclusive upper bound of the first user-space type range */
076: #define AUDIT_FIRST_USER_MSG2 2100 /* inclusive lower bound of the second user-space type range */
077: #define AUDIT_LAST_USER_MSG2 2999 /* inclusive upper bound of the second user-space type range */
078: /* Records about the audit daemon itself (1200-1203). */
079: #define AUDIT_DAEMON_START 1200 /* daemon started */
080: #define AUDIT_DAEMON_END 1201 /* daemon stopped normally */
081: #define AUDIT_DAEMON_ABORT 1202 /* daemon exited abnormally */
082: #define AUDIT_DAEMON_CONFIG 1203 /* daemon configuration changed */
083: /* Kernel-generated event records (1300-1325; 1301, 1308 and 1310 are unassigned here).  Many of these are auxiliary records that accompany an AUDIT_SYSCALL record for the same event; AUDIT_EOE (end of event) presumably closes such a group — the grouping rules belong to the kernel emitter, not this header. */
084: #define AUDIT_SYSCALL 1300 /* syscall record (the primary record of an event) */
085:
086: #define AUDIT_PATH 1302 /* file path touched by the syscall */
087: #define AUDIT_IPC 1303 /* SysV IPC object */
088: #define AUDIT_SOCKETCALL 1304 /* socketcall(2) arguments */
089: #define AUDIT_CONFIG_CHANGE 1305 /* audit configuration changed (rules, status) */
090: #define AUDIT_SOCKADDR 1306 /* socket address */
091: #define AUDIT_CWD 1307 /* current working directory of the process */
092: #define AUDIT_EXECVE 1309 /* execve(2) argument vector */
093: #define AUDIT_IPC_SET_PERM 1311 /* SysV IPC permission change */
094: #define AUDIT_MQ_OPEN 1312 /* POSIX message queue open */
095: #define AUDIT_MQ_SENDRECV 1313 /* POSIX message queue send/receive */
096: #define AUDIT_MQ_NOTIFY 1314 /* POSIX message queue notify */
097: #define AUDIT_MQ_GETSETATTR 1315 /* POSIX message queue get/set attributes */
098: #define AUDIT_KERNEL_OTHER 1316 /* other kernel record */
099: #define AUDIT_FD_PAIR 1317 /* file-descriptor pair (e.g. from pipe/socketpair, by name) */
100: #define AUDIT_OBJ_PID 1318 /* pid of the object (target) process */
101: #define AUDIT_TTY 1319 /* TTY record */
102: #define AUDIT_EOE 1320 /* end of event */
103: #define AUDIT_BPRM_FCAPS 1321 /* file capabilities applied on exec */
104: #define AUDIT_CAPSET 1322 /* capset(2) */
105: #define AUDIT_MMAP 1323 /* mmap(2) */
106: #define AUDIT_NETFILTER_PKT 1324 /* netfilter packet record */
107: #define AUDIT_NETFILTER_CFG 1325 /* netfilter configuration change */
108: /* MAC (SELinux/LSM) records, 1400-1417: access decisions, policy and status changes, network labelling (unlabeled/CIPSOv4/map), and IPsec SA/SPD changes. */
109: #define AUDIT_AVC 1400 /* access vector cache decision (allow/deny) */
110: #define AUDIT_SELINUX_ERR 1401 /* SELinux internal error */
111: #define AUDIT_AVC_PATH 1402 /* path information attached to an AVC record */
112: #define AUDIT_MAC_POLICY_LOAD 1403 /* MAC policy loaded */
113: #define AUDIT_MAC_STATUS 1404 /* MAC status change (e.g. enforcing mode, by name) */
114: #define AUDIT_MAC_CONFIG_CHANGE 1405 /* MAC configuration change */
115: #define AUDIT_MAC_UNLBL_ALLOW 1406 /* unlabeled traffic allowed */
116: #define AUDIT_MAC_CIPSOV4_ADD 1407 /* CIPSOv4 DOI added */
117: #define AUDIT_MAC_CIPSOV4_DEL 1408 /* CIPSOv4 DOI removed */
118: #define AUDIT_MAC_MAP_ADD 1409 /* label mapping added */
119: #define AUDIT_MAC_MAP_DEL 1410 /* label mapping removed */
120: #define AUDIT_MAC_IPSEC_ADDSA 1411 /* IPsec security association added */
121: #define AUDIT_MAC_IPSEC_DELSA 1412 /* IPsec security association deleted */
122: #define AUDIT_MAC_IPSEC_ADDSPD 1413 /* IPsec security policy added */
123: #define AUDIT_MAC_IPSEC_DELSPD 1414 /* IPsec security policy deleted */
124: #define AUDIT_MAC_IPSEC_EVENT 1415 /* other IPsec event */
125: #define AUDIT_MAC_UNLBL_STCADD 1416 /* static unlabeled entry added */
126: #define AUDIT_MAC_UNLBL_STCDEL 1417 /* static unlabeled entry removed */
127: /* Kernel anomaly records (1700-1799, bounded by FIRST/LAST_KERN_ANOM_MSG), integrity records (1800-1805), and AUDIT_KERNEL (2000) for otherwise unclassified kernel messages.  The anomaly range is the one a detection pipeline should watch most closely. */
128: #define AUDIT_FIRST_KERN_ANOM_MSG 1700 /* inclusive lower bound of the anomaly range */
129: #define AUDIT_LAST_KERN_ANOM_MSG 1799 /* inclusive upper bound of the anomaly range */
130: #define AUDIT_ANOM_PROMISCUOUS 1700 /* network interface promiscuous-mode change */
131: #define AUDIT_ANOM_ABEND 1701 /* abnormal process termination */
132: #define AUDIT_INTEGRITY_DATA 1800 /* file data integrity verification */
133: #define AUDIT_INTEGRITY_METADATA 1801 /* file metadata integrity verification */
134: #define AUDIT_INTEGRITY_STATUS 1802 /* integrity status change */
135: #define AUDIT_INTEGRITY_HASH 1803 /* integrity hash */
136: #define AUDIT_INTEGRITY_PCR 1804 /* PCR (TPM platform configuration register) extend */
137: #define AUDIT_INTEGRITY_RULE 1805 /* integrity policy rule */
138:
139: #define AUDIT_KERNEL 2000 /* unclassified kernel message */
140:
141: /* Rule flags (presumably the .flags member of struct audit_rule / struct audit_rule_data): the low bits select the filter list (0-5), and AUDIT_FILTER_PREPEND (0x10) is a separate bit that may be OR'ed in.  NOTE(review): if lists are evaluated first-match, prepending changes precedence, not just placement — confirm in the kernel filter code. */
142: #define AUDIT_FILTER_USER 0x00 /* list for user-space generated messages */
143: #define AUDIT_FILTER_TASK 0x01 /* list applied at task creation */
144: #define AUDIT_FILTER_ENTRY 0x02 /* list applied at syscall entry */
145: #define AUDIT_FILTER_WATCH 0x03 /* list for file-system watches */
146: #define AUDIT_FILTER_EXIT 0x04 /* list applied at syscall exit */
147: #define AUDIT_FILTER_TYPE 0x05 /* list keyed on message type (see the AUDIT_MSGTYPE field) */
148:
149: #define AUDIT_NR_FILTERS 6 /* number of lists above; keep in sync when adding one */
150:
151: #define AUDIT_FILTER_PREPEND 0x10 /* insert the rule at the head of its list rather than the tail */
152:
153: /* Rule action (presumably the .action member of the rule structs). */
154: #define AUDIT_NEVER 0 /* never audit on match */
155: #define AUDIT_POSSIBLE 1 /* intermediate action between NEVER and ALWAYS; semantics are defined by the kernel filter code, not visible here */
156: #define AUDIT_ALWAYS 2 /* always audit on match */
157:
158:
159: /* Rule sizing, and the helpers for addressing the per-rule syscall bitmap mask[] (64 words x 32 bits = 2048 syscall numbers).  Neither macro bounds-checks nr: a caller must ensure nr < AUDIT_BITMASK_SIZE*32 before using AUDIT_WORD(nr) as an index into mask[]. */
160: #define AUDIT_MAX_FIELDS 64 /* capacity of fields[]/values[]/fieldflags[] in a rule */
161: #define AUDIT_MAX_KEY_LEN 256 /* maximum key length (presumably for the AUDIT_FILTERKEY string) */
162: #define AUDIT_BITMASK_SIZE 64 /* number of __u32 words in a rule's mask[] */
163: #define AUDIT_WORD(nr) ((__u32)((nr)/32)) /* index of the mask[] word holding syscall nr */
164: #define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32)) /* bit for nr within that word; for nr%32 == 31 this shifts a signed 1 into the sign bit (well-defined under GCC, strictly UB in ISO C) — 1U would be the cleaner form */
165:
166: /* Syscall class indexes.  The table has AUDIT_SYSCALL_CLASSES slots, of which 0-9 are assigned; the _32 variants presumably cover the 32-bit compat ABI on 64-bit kernels. */
167: #define AUDIT_SYSCALL_CLASSES 16 /* size of the class table */
168: #define AUDIT_CLASS_DIR_WRITE 0 /* syscalls that write directories */
169: #define AUDIT_CLASS_DIR_WRITE_32 1
170: #define AUDIT_CLASS_CHATTR 2 /* syscalls that change attributes */
171: #define AUDIT_CLASS_CHATTR_32 3
172: #define AUDIT_CLASS_READ 4 /* syscalls that open for read */
173: #define AUDIT_CLASS_READ_32 5
174: #define AUDIT_CLASS_WRITE 6 /* syscalls that open for write */
175: #define AUDIT_CLASS_WRITE_32 7
176: #define AUDIT_CLASS_SIGNAL 8 /* syscalls that send signals */
177: #define AUDIT_CLASS_SIGNAL_32 9
177:
178:
179:
180:
181: /* Bits 10-26 of a rule field word: not used by the field id (low 10 bits, ids below go up to 210) nor by the operator/negate bits (bits 27-31, see AUDIT_BIT_MASK..AUDIT_NEGATE).  A rule loader should reject a field word with any of these set rather than silently ignore them. */
182: #define AUDIT_UNUSED_BITS 0x07FFFC00
183:
184:
185:
186:
187:
188: /* Rule field identifiers (the low 10 bits of a field word).  0-23 are subject/process attributes, 100-108 object and result attributes, 200-203 syscall arguments, 210 the rule key.  AUDIT_NEGATE is the top bit of the same word. */
189: #define AUDIT_PID 0 /* process id */
190: #define AUDIT_UID 1 /* real uid */
191: #define AUDIT_EUID 2 /* effective uid */
192: #define AUDIT_SUID 3 /* saved uid */
193: #define AUDIT_FSUID 4 /* filesystem uid */
194: #define AUDIT_GID 5 /* real gid */
195: #define AUDIT_EGID 6 /* effective gid */
196: #define AUDIT_SGID 7 /* saved gid */
197: #define AUDIT_FSGID 8 /* filesystem gid */
198: #define AUDIT_LOGINUID 9 /* login uid (see AUDIT_LOGIN); the usual key for per-user accountability */
199: #define AUDIT_PERS 10 /* personality */
200: #define AUDIT_ARCH 11 /* syscall ABI, one of AUDIT_ARCH_* below */
201: #define AUDIT_MSGTYPE 12 /* message type (presumably for the AUDIT_FILTER_TYPE list) */
202: #define AUDIT_SUBJ_USER 13 /* subject security label: user component */
203: #define AUDIT_SUBJ_ROLE 14 /* subject security label: role component */
204: #define AUDIT_SUBJ_TYPE 15 /* subject security label: type component */
205: #define AUDIT_SUBJ_SEN 16 /* subject security label: sensitivity */
206: #define AUDIT_SUBJ_CLR 17 /* subject security label: clearance */
207: #define AUDIT_PPID 18 /* parent process id */
208: #define AUDIT_OBJ_USER 19 /* object security label: user component */
209: #define AUDIT_OBJ_ROLE 20 /* object security label: role component */
210: #define AUDIT_OBJ_TYPE 21 /* object security label: type component */
211: #define AUDIT_OBJ_LEV_LOW 22 /* object security label: low level */
212: #define AUDIT_OBJ_LEV_HIGH 23 /* object security label: high level */
213:
214:
215: /* Object and result fields. */
216: #define AUDIT_DEVMAJOR 100 /* device major number */
217: #define AUDIT_DEVMINOR 101 /* device minor number */
218: #define AUDIT_INODE 102 /* inode number */
219: #define AUDIT_EXIT 103 /* syscall exit (return) value */
220: #define AUDIT_SUCCESS 104 /* syscall success/failure */
221: #define AUDIT_WATCH 105 /* watched file path */
222: #define AUDIT_PERM 106 /* access permission bits, AUDIT_PERM_* below */
223: #define AUDIT_DIR 107 /* watched directory tree */
224: #define AUDIT_FILETYPE 108 /* file type */
225:
226: #define AUDIT_ARG0 200 /* syscall arguments 0-3 */
227: #define AUDIT_ARG1 (AUDIT_ARG0+1)
228: #define AUDIT_ARG2 (AUDIT_ARG0+2)
229: #define AUDIT_ARG3 (AUDIT_ARG0+3)
230:
231: #define AUDIT_FILTERKEY 210 /* free-form rule key string (length presumably bounded by AUDIT_MAX_KEY_LEN) */
232:
233: #define AUDIT_NEGATE 0x80000000 /* bit 31 of a field word: invert the comparison */
234:
235:
236:
237:
238:
239:
240:
241:
242:
243:
244:
245:
246:
247:
248:
249: /* Comparison operators, encoded in bits 27-30 of a field word (bit 31 is AUDIT_NEGATE).  The compound operators are ORs of the base ones (NOT_EQUAL is literally LESS_THAN|GREATER_THAN), so a decoder must compare the whole AUDIT_OPERATORS group, never test a single bit; anything that does not decode maps to Audit_bad below. */
250: #define AUDIT_BIT_MASK 0x08000000 /* bit 27: presumably (field & value) != 0 */
251: #define AUDIT_LESS_THAN 0x10000000 /* bit 28 */
252: #define AUDIT_GREATER_THAN 0x20000000 /* bit 29 */
253: #define AUDIT_NOT_EQUAL 0x30000000 /* bits 28|29 == LESS_THAN|GREATER_THAN */
254: #define AUDIT_EQUAL 0x40000000 /* bit 30 */
255: #define AUDIT_BIT_TEST (AUDIT_BIT_MASK|AUDIT_EQUAL) /* presumably (field & value) == value */
256: #define AUDIT_LESS_THAN_OR_EQUAL (AUDIT_LESS_THAN|AUDIT_EQUAL)
257: #define AUDIT_GREATER_THAN_OR_EQUAL (AUDIT_GREATER_THAN|AUDIT_EQUAL)
258: #define AUDIT_OPERATORS (AUDIT_EQUAL|AUDIT_NOT_EQUAL|AUDIT_BIT_MASK) /* 0x78000000: mask of all operator bits */
259:
260: /* Decoded operator, one enumerator per AUDIT_* operator above plus Audit_bad for bit patterns that do not match any of them.  A rule whose operator decodes to Audit_bad should be rejected at load time, not treated as an equality test. */
261: enum {
262: Audit_equal, /* AUDIT_EQUAL */
263: Audit_not_equal, /* AUDIT_NOT_EQUAL */
264: Audit_bitmask, /* AUDIT_BIT_MASK */
265: Audit_bittest, /* AUDIT_BIT_TEST */
266: Audit_lt, /* AUDIT_LESS_THAN */
267: Audit_gt, /* AUDIT_GREATER_THAN */
268: Audit_le, /* AUDIT_LESS_THAN_OR_EQUAL */
269: Audit_ge, /* AUDIT_GREATER_THAN_OR_EQUAL */
270: Audit_bad /* unrecognised operator bits */
271: };
271:
272:
273: /* struct audit_status.mask bits; each names a member of the struct (presumably the members an AUDIT_SET request asks the kernel to update). */
274: #define AUDIT_STATUS_ENABLED 0x0001
275: #define AUDIT_STATUS_FAILURE 0x0002
276: #define AUDIT_STATUS_PID 0x0004
277: #define AUDIT_STATUS_RATE_LIMIT 0x0008
278: #define AUDIT_STATUS_BACKLOG_LIMIT 0x0010
279:
280: /* Values for struct audit_status.failure — by name, what happens when a record cannot be delivered. */
281: #define AUDIT_FAIL_SILENT 0 /* drop silently */
282: #define AUDIT_FAIL_PRINTK 1 /* report via printk */
283: #define AUDIT_FAIL_PANIC 2 /* panic the kernel: the fail-closed setting for deployments where a lost record is worse than an outage */
283:
284: /* Syscall ABI identifiers for the AUDIT_ARCH field: an ELF machine number (EM_*, from <linux/elf-em.h>) OR'ed with the two flag bits below.  The ABIs of one machine (MIPS/MIPSEL/MIPS64/MIPSEL64, S390/S390X, SH variants) differ only in these flags.  Because syscall numbering is per-ABI, a syscall rule should also carry an AUDIT_ARCH field; NOTE(review): whether the kernel rejects arch-less syscall rules is not visible here.  The double-underscore names are reserved identifiers in ISO C, used here by kernel convention for internal helpers. */
285: #define __AUDIT_ARCH_64BIT 0x80000000 /* bit 31: 64-bit ABI */
286: #define __AUDIT_ARCH_LE 0x40000000 /* bit 30: little-endian ABI */
287: #define AUDIT_ARCH_ALPHA (EM_ALPHA|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
288: #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
289: #define AUDIT_ARCH_ARMEB (EM_ARM) /* big-endian ARM: same EM_ value, no LE flag */
290: #define AUDIT_ARCH_CRIS (EM_CRIS|__AUDIT_ARCH_LE)
291: #define AUDIT_ARCH_FRV (EM_FRV)
292: #define AUDIT_ARCH_H8300 (EM_H8_300)
293: #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
294: #define AUDIT_ARCH_IA64 (EM_IA_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
295: #define AUDIT_ARCH_M32R (EM_M32R)
296: #define AUDIT_ARCH_M68K (EM_68K)
297: #define AUDIT_ARCH_MIPS (EM_MIPS)
298: #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE)
299: #define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
300: #define AUDIT_ARCH_MIPSEL64 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
301: #define AUDIT_ARCH_PARISC (EM_PARISC)
302: #define AUDIT_ARCH_PARISC64 (EM_PARISC|__AUDIT_ARCH_64BIT)
303: #define AUDIT_ARCH_PPC (EM_PPC)
304: #define AUDIT_ARCH_PPC64 (EM_PPC64|__AUDIT_ARCH_64BIT)
305: #define AUDIT_ARCH_S390 (EM_S390)
306: #define AUDIT_ARCH_S390X (EM_S390|__AUDIT_ARCH_64BIT)
307: #define AUDIT_ARCH_SH (EM_SH)
308: #define AUDIT_ARCH_SHEL (EM_SH|__AUDIT_ARCH_LE)
309: #define AUDIT_ARCH_SH64 (EM_SH|__AUDIT_ARCH_64BIT)
310: #define AUDIT_ARCH_SHEL64 (EM_SH|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
311: #define AUDIT_ARCH_SPARC (EM_SPARC)
312: #define AUDIT_ARCH_SPARC64 (EM_SPARCV9|__AUDIT_ARCH_64BIT)
313: #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
314:
315: #define AUDIT_PERM_EXEC 1 /* AUDIT_PERM field values: access kinds a watch rule matches; distinct bits, so they can be OR'ed */
316: #define AUDIT_PERM_WRITE 2
317: #define AUDIT_PERM_READ 4
318: #define AUDIT_PERM_ATTR 8 /* attribute change */
319:
320: /* Audit subsystem status, presumably the payload of AUDIT_GET replies and AUDIT_SET requests.  Whoever can set .pid receives the audit stream; the capability check for that lives in the kernel netlink handler, not here. */
321: struct audit_status {
322: __u32 mask; /* AUDIT_STATUS_* bits selecting which members below are meaningful in a request */
323: __u32 enabled; /* auditing on/off */
324: __u32 failure; /* one of AUDIT_FAIL_* */
325: __u32 pid; /* pid of the audit daemon (by name; confirm in the kernel) */
326: __u32 rate_limit; /* message rate limit (units not visible here) */
327: __u32 backlog_limit; /* maximum number of queued records */
328: __u32 lost; /* records dropped so far (read-only status, not selectable via mask) */
329: __u32 backlog; /* records currently queued (read-only status, not selectable via mask) */
330: };
330:
331: /* TTY auditing status, payload of AUDIT_TTY_GET / AUDIT_TTY_SET (by name). */
332: struct audit_tty_status {
333: __u32 enabled; /* boolean carried as __u32; NOTE(review): a setter should reject values other than 0/1 */
334: };
334:
335:
336:
337:
338: /* Filter rule as exchanged with AUDIT_ADD_RULE / AUDIT_DEL_RULE / AUDIT_LIST_RULES (by name).  A fixed header is followed by buflen bytes of string data for the fields that take strings (e.g. AUDIT_FILTERKEY, the SUBJ_/OBJ_ label fields, AUDIT_WATCH/AUDIT_DIR) — presumably packed in field order.  Both field_count and buflen arrive from an untrusted peer and must be validated (field_count <= AUDIT_MAX_FIELDS, buflen within the enclosing netlink payload) before the arrays or buf are touched. */
339: struct audit_rule_data {
340: __u32 flags; /* AUDIT_FILTER_* list index, optionally | AUDIT_FILTER_PREPEND */
341: __u32 action; /* AUDIT_NEVER / AUDIT_POSSIBLE / AUDIT_ALWAYS */
342: __u32 field_count; /* number of valid entries in fields[]/values[]/fieldflags[] */
343: __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall bitmap, addressed with AUDIT_WORD()/AUDIT_BIT() */
344: __u32 fields[AUDIT_MAX_FIELDS]; /* AUDIT_* field ids */
345: __u32 values[AUDIT_MAX_FIELDS]; /* comparison value; for string fields presumably the string's length within buf */
346: __u32 fieldflags[AUDIT_MAX_FIELDS]; /* operator bits, see AUDIT_OPERATORS and AUDIT_NEGATE */
347: __u32 buflen; /* number of string bytes following the header */
348: char buf[0]; /* zero-length trailing array (GNU extension); a C99 flexible array member `char buf[]` has the same layout */
349: };
350:
351:
352:
353:
354: /* Older rule layout: same leading members as struct audit_rule_data but no per-field operator word and no string buffer.  Presumably the payload of AUDIT_ADD / AUDIT_DEL / AUDIT_LIST, with operator and AUDIT_NEGATE bits OR'ed into the fields[] entries themselves — confirm in the kernel; new code should use struct audit_rule_data.  field_count still needs the <= AUDIT_MAX_FIELDS check before use. */
355: struct audit_rule {
356: __u32 flags; /* AUDIT_FILTER_* list index, optionally | AUDIT_FILTER_PREPEND */
357: __u32 action; /* AUDIT_NEVER / AUDIT_POSSIBLE / AUDIT_ALWAYS */
358: __u32 field_count; /* number of valid entries in fields[]/values[] */
359: __u32 mask[AUDIT_BITMASK_SIZE]; /* syscall bitmap, addressed with AUDIT_WORD()/AUDIT_BIT() */
360: __u32 fields[AUDIT_MAX_FIELDS]; /* AUDIT_* field ids (possibly combined with operator bits, see above) */
361: __u32 values[AUDIT_MAX_FIELDS]; /* comparison values */
362: };
363:
364: #endif
365: