/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License (the "License"). * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2010 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. * * Copyright 2018 Nexenta Systems, Inc. All rights reserved. */ #ifndef _AUDITRT_H #define _AUDITRT_H #ifdef __cplusplus extern "C" { #endif /* * Auditreduce data structures. */ /* * File Control Block * Controls a single file. * These are held by the pcb's in audit_pcbs[] in a linked list. * There is one fcb for each file controlled by the pcb, * and all of the files in a list have the same suffix in their names. */ struct audit_fcb { struct audit_fcb *fcb_next; /* ptr to next fcb in list */ int fcb_flags; /* flags - see below */ time_t fcb_start; /* start time from filename */ time_t fcb_end; /* end time from filename */ char *fcb_suffix; /* ptr to suffix in fcb_file */ char *fcb_name; /* ptr to name in fcb_file */ char fcb_file[1]; /* full path and name string */ }; typedef struct audit_fcb audit_fcb_t; /* * Flags for fcb_flags. */ #define FF_NOTTERM 0x01 /* file is "not_terminated" */ #define FF_DELETE 0x02 /* we may delete this file if requested */ /* * Process Control Block * A pcb comes in two types: * It controls either: * * 1. A single group of pcbs (processes that are lower on the process tree). * These are the pcb's that the process tree is built from. * These are allocated as needed while the process tree is being built. * * 2. A single group of files (fcbs). * All of the files in one pcb have the same suffix in their filename. * They are controlled by the leaf nodes of the process tree. * They are found in audit_pcbs[]. * They are initially setup by process_fileopt() when the files to be * processes are gathered together. Then they are parsed out to * the leaf nodes by mfork(). * A particular leaf node's range of audit_pcbs[] is determined * in the call to mfork() by the lo and hi paramters. */ struct audit_pcb { struct audit_pcb *pcb_below; /* ptr to group of pcb's */ struct audit_pcb *pcb_next; /* ptr to next - for list in mproc() */ int pcb_procno; /* subprocess # */ int pcb_nrecs; /* how many records read (current pcb/file) */ int pcb_nprecs; /* how many records put (current pcb/file) */ int pcb_flags; /* flags - see below */ int pcb_count; /* count of active pcb's */ int pcb_lo; /* low index for pcb's */ int pcb_hi; /* hi index for pcb's */ int pcb_size; /* size of current record buffer */ time_t pcb_time; /* time of current record */ time_t pcb_otime; /* time of previous record */ char *pcb_rec; /* ptr to current record buffer */ char *pcb_suffix; /* ptr to suffix name (string) */ audit_fcb_t *pcb_first; /* ptr to first fcb_ */ audit_fcb_t *pcb_last; /* ptr to last fcb_ */ audit_fcb_t *pcb_cur; /* ptr to current fcb_ */ audit_fcb_t *pcb_dfirst; /* ptr to first fcb_ for deleting */ audit_fcb_t *pcb_dlast; /* ptr to last fcb_ for deleting */ FILE *pcb_fpr; /* read stream */ FILE *pcb_fpw; /* write stream */ }; typedef struct audit_pcb audit_pcb_t; /* * Flags for pcb_flags */ #define PF_ROOT 0x01 /* current pcb is the root of process tree */ #define PF_LEAF 0x02 /* current pcb is a leaf of process tree */ #define PF_USEFILE 0x04 /* current pcb uses files as input, not pipes */ /* * Message selection options */ #define M_AFTER 0x0001 /* 'a' after a time */ #define M_BEFORE 0x0002 /* 'b' before a time */ #define M_CLASS 0x0004 /* 'c' event class */ #define M_GROUPE 0x0008 /* 'f' effective group-id */ #define M_GROUPR 0x0010 /* 'g' real group-id */ #define M_OBJECT 0x0020 /* 'o' object */ #define M_SUBJECT 0x0040 /* 'j' subject */ #define M_TYPE 0x0080 /* 'm' event type */ #define M_USERA 0x0100 /* 'u' audit user */ #define M_USERE 0x0200 /* 'e' effective user */ #define M_USERR 0x0400 /* 'r' real user */ #define M_LABEL 0x0800 /* 'l' mandatory label range */ #define M_ZONENAME 0x1000 /* 'z' zone name */ #define M_SID 0x2000 /* 's' session ID */ #define M_SORF 0x4000 /* success or failure of event */ #define M_TID 0x8000 /* 't' terminal ID */ /* * object types */ /* XXX Why is this a bit map? There can be only one M_OBJECT. */ #define OBJ_LP 0x00001 /* 'o' lp object */ #define OBJ_MSG 0x00002 /* 'o' msgq object */ #define OBJ_PATH 0x00004 /* 'o' file system object */ #define OBJ_PROC 0x00008 /* 'o' process object */ #define OBJ_SEM 0x00010 /* 'o' semaphore object */ #define OBJ_SHM 0x00020 /* 'o' shared memory object */ #define OBJ_SOCK 0x00040 /* 'o' socket object */ #define OBJ_FGROUP 0x00080 /* 'o' file group */ #define OBJ_FOWNER 0x00100 /* 'o' file owner */ #define OBJ_MSGGROUP 0x00200 /* 'o' msgq [c]group */ #define OBJ_MSGOWNER 0x00400 /* 'o' msgq [c]owner */ #define OBJ_PGROUP 0x00800 /* 'o' process [e]group */ #define OBJ_POWNER 0x01000 /* 'o' process [e]owner */ #define OBJ_SEMGROUP 0x02000 /* 'o' semaphore [c]group */ #define OBJ_SEMOWNER 0x04000 /* 'o' semaphore [c]owner */ #define OBJ_SHMGROUP 0x08000 /* 'o' shared memory [c]group */ #define OBJ_SHMOWNER 0x10000 /* 'o' shared memory [c]owner */ #define OBJ_FMRI 0x20000 /* 'o' fmri object */ #define OBJ_USER 0x40000 /* 'o' user object */ #define OBJ_WSID 0x80000 /* 'o' windows sid object */ #define SOCKFLG_MACHINE 0 /* search socket token by machine name */ #define SOCKFLG_PORT 1 /* search socket token by port number */ /* * Global variables */ extern unsigned short m_type; /* 'm' message type */ extern gid_t m_groupr; /* 'g' real group-id */ extern gid_t m_groupe; /* 'f' effective group-id */ extern uid_t m_usera; /* 'u' audit user */ extern uid_t m_userr; /* 'r' real user */ extern uid_t m_usere; /* 'f' effective user */ extern au_asid_t m_sid; /* 's' session-id */ extern time_t m_after; /* 'a' after a time */ extern time_t m_before; /* 'b' before a time */ extern audit_state_t mask; /* used with m_class */ extern char *zonename; /* 'z' zonename */ extern m_range_t *m_label; /* 'l' mandatory label range */ extern int flags; extern int checkflags; extern int socket_flag; extern int ip_type; extern uchar_t ip_ipv6[16]; /* ip ipv6 object identifier */ extern int obj_flag; /* 'o' object type */ extern int obj_id; /* object identifier */ extern gid_t obj_group; /* object group */ extern uid_t obj_owner; /* object owner */ extern int subj_id; /* subject identifier */ extern char ipc_type; /* 'o' object type - tell what type of IPC */ extern scf_pattern_t fmri; /* 'o' fmri value */ extern uid_t obj_user; /* 'o' user value */ /* * File selection options */ extern char *f_machine; /* 'M' machine (suffix) type */ extern char *f_root; /* 'R' audit root */ extern char *f_server; /* 'S' server */ extern char *f_outfile; /* 'W' output file */ extern int f_all; /* 'A' all records from a file */ extern int f_complete; /* 'C' only completed files */ extern int f_delete; /* 'D' delete when done */ extern int f_quiet; /* 'Q' sshhhh! */ extern int f_verbose; /* 'V' verbose */ extern int f_stdin; /* '-' read from stdin */ extern int f_cmdline; /* files specified on the command line */ extern int new_mode; /* 'N' new object selection mode */ /* * Error reporting * Error_str is set whenever an error occurs to point to a string describing * the error. When the error message is printed error_str is also * printed to describe exactly what went wrong. * Errbuf is used to build messages with variables in them. */ extern char *error_str; /* current error message */ extern char errbuf[]; /* buffer for building error message */ extern char *ar; /* => "auditreduce:" */ /* * Control blocks * Audit_pcbs[] is an array of pcbs that control files directly. * In the program's initialization phase it will gather all of the input * files it needs to process. Each file will have one fcb allocated for it, * and each fcb will belong to one pcb from audit_pcbs[]. All of the files * in a single pcb will have the same suffix in their filenames. If the * number of active pcbs in audit_pcbs[] is greater that the number of open * files a single process can have then the program will need to fork * subprocesses to handle all of the files. */ extern audit_pcb_t *audit_pcbs; /* file-holding pcb's */ extern int pcbsize; /* current size of audit_pcbs[] */ extern int pcbnum; /* total # of active pcbs in audit_pcbs[] */ /* * Time values */ extern time_t f_start; /* time of start rec for outfile */ extern time_t f_end; /* time of end rec for outfile */ extern time_t time_now; /* time program began */ /* * Counting vars */ extern int filenum; /* number of files total */ /* * Global variable, class of current record being processed. */ extern int global_class; #ifdef __cplusplus } #endif #endif /* _AUDITRT_H */
