audit_kevents.h   [plain text]


/*
 * Copyright (c) 2006 Apple Computer, Inc. All Rights Reserved.
 * 
 * @APPLE_LICENSE_OSREFERENCE_HEADER_START@
 * 
 * This file contains Original Code and/or Modifications of Original Code 
 * as defined in and that are subject to the Apple Public Source License 
 * Version 2.0 (the 'License'). You may not use this file except in 
 * compliance with the License.  The rights granted to you under the 
 * License may not be used to create, or enable the creation or 
 * redistribution of, unlawful or unlicensed copies of an Apple operating 
 * system, or to circumvent, violate, or enable the circumvention or 
 * violation of, any terms of an Apple operating system software license 
 * agreement.
 *
 * Please obtain a copy of the License at 
 * http://www.opensource.apple.com/apsl/ and read it before using this 
 * file.
 *
 * The Original Code and all software distributed under the License are 
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 
 * Please see the License for the specific language governing rights and 
 * limitations under the License.
 *
 * @APPLE_LICENSE_OSREFERENCE_HEADER_END@
 */

#ifndef _BSM_AUDIT_KEVENTS_H_
#define _BSM_AUDIT_KEVENTS_H_

/* 
 * Values marked as AUE_NULL are not required to be audited as per CAPP 
 *  
 * The second value within comments is the syscall number in Darwin
 *
 * Values in the third column are the values assigned by BSM for obsolete 
 * or old system calls   
 *
 * Values marked as XXX in the third column do not have an 
 * event number assigned as yet, and have (temporarily) been assigned 
 * value of AUE_NULL 
 */

#define	AUE_NULL        0
#define	AUE_EXIT        1               /*1*/	
#define	AUE_FORK        2               /*2*/
#define	AUE_OPEN        3               /*3*/
#define	AUE_READ        AUE_NULL        /*4*/
#define	AUE_WRITE       AUE_NULL        /*5*/
#define	AUE_OPEN_R      72              /*5*/
#define	AUE_OPEN_RC     73              /*5*/
#define	AUE_OPEN_RTC    75              /*5*/
#define	AUE_OPEN_RT     74              /*5*/
#define	AUE_OPEN_RW     80              /*5*/
#define	AUE_OPEN_RWC    81              /*5*/
#define	AUE_OPEN_RWTC   83              /*5*/
#define	AUE_OPEN_RWT    82              /*5*/
#define	AUE_OPEN_W      76              /*5*/
#define	AUE_OPEN_WC     77              /*5*/
#define	AUE_OPEN_WTC    79              /*5*/
#define	AUE_OPEN_WT	78              /*5*/
#define	AUE_CLOSE       112              /*6*/
#define	AU_WAIT4        AUE_NULL        /*7*/	
#define	AUE_O_CREAT     AUE_OPEN_RWTC   /*8*/     /*4*/
#define	AUE_LINK        5               /*9*/	
#define	AUE_UNLINK      6               /*10*/	
#define AUE_O_EXECV     AUE_NULL        /*11*/
#define	AUE_CHDIR       8               /*12*/
#define	AUE_FCHDIR      68              /*13*/
#define	AUE_MKNOD       9               /*14*/	
#define	AUE_CHMOD       10              /*15*/
#define	AUE_CHOWN       11              /*16*/
#define AUE_O_SBREAK    AUE_NULL        /*17*/
#define	AUE_GETFSSTAT   301		/*18*/
#define	AUE_O_LSEEK     AUE_NULL        /*19*/
#define AUE_GETPID      AUE_NULL        /*20*/
#define	AUE_O_MOUNT     AUE_NULL        /*21*/
#define	AUE_O_UMOUNT    AUE_NULL        /*22*/
#define	AUE_SETUID      200             /*23*/	
#define AUE_GETUID      AUE_NULL        /*24*/
#define AUE_GETEUID	AUE_NULL	/*25*/
#define AUE_PTRACE      302		/*26*/
#define	AUE_RECVMSG     190             /*27*/	
#define	AUE_SENDMSG     188             /*28*/
#define	AUE_RECVFROM    191             /*29*/
#define	AUE_ACCEPT      33              /*30*/
#define AUE_GETPEERNAME AUE_NULL        /*31*/
#define AUE_GETSOCKNAME AUE_NULL        /*32*/
#define	AUE_ACCESS      14              /*33*/
#define AUE_CHFLAGS     303		/*34*/
#define AUE_FCHFLAGS    304		/*35*/
#define AUE_SYNC        AUE_NULL        /*36*/				
#define	AUE_KILL        15              /*37*/	
#define	AUE_O_STAT      AUE_STAT        /*38*/
#define AUE_GETPPID     AUE_NULL	/*39*/
#define	AUE_O_LSTAT     AUE_LSTAT	/*40*/
#define AUE_DUP         AUE_NULL        /*41*/
#define	AUE_PIPE        185             /*42*/
#define AUE_GETEGID     AUE_NULL        /*43*/
#define AUE_PROFILE     305		/*44*/
#define AUE_KTRACE      306		/*45*/
#define AUE_REBOOT      308
#define AUE_SIGACTION   AUE_NULL        /*46*/    /*XXX*/
#define AUE_GETGID	AUE_NULL	/*47*/
#define AUE_SIGPROCMASK AUE_NULL        /*48*/    /*XXX*/
#define AUE_GETLOGIN    AUE_NULL        /*49*/
#define AUE_SETLOGIN    307		/*50*/
#define	AUE_ACCT        18              /*51*/	
#define AUE_SIGPENDING  AUE_NULL        /*52*/    /*XXX*/
#define AUE_SIGALTSTACK AUE_NULL        /*53*/    /*XXX*/
#define AUE_IOCTL       158             /*54*/
#define AUE_SYSTEMBOOT  113		/*55*/
#define AUE_REVOKE      309		/*56*/
#define AUE_SYMLINK     21              /*57*/
#define AUE_READLINK    22              /*58*/
#define AUE_EXECVE      23              /*59*/
#define AUE_UMASK       310		/*60*/
#define AUE_CHROOT      24              /*61*/ 
#define AUE_O_FSTAT     AUE_FSTAT       /*62*/

#define AUE_O_GETPAGESIZE AUE_NULL      /*64*/
#define AUE_MSYNC       AUE_NULL        /*65*/
#define AUE_VFORK       25              /*66*/
#define AUE_O_VREAD     AUE_NULL        /*67*/
#define AUE_O_VWRITE    AUE_NULL        /*68*/
#define AUE_SBRK        AUE_NULL        /*69*/    /*EOPNOTSUP*/
#define AUE_SSTK        AUE_NULL        /*70*/    /*EOPNOTSUP*/
#define AUE_O_MMAP      AUE_MMAP        /*71*/
#define AUE_O_VADVISE   AUE_NULL        /*72*/
#define AUE_MUNMAP      213             /*73*/
#define AUE_MPROTECT    311		/*74*/
#define AUE_MADVISE     AUE_NULL        /*75*/
#define AUE_O_VHANGUP   AUE_NULL        /*76*/
#define AUE_O_VLIMIT    AUE_NULL        /*77*/
#define AUE_MINCORE     AUE_NULL        /*78*/	
#define AUE_GETGROUPS   AUE_NULL        /*79*/
#define AUE_SETGROUPS   26              /*80*/
#define AUE_GETPGRP     AUE_NULL        /*81*/
#define AUE_SETPGRP     27		/*82*/
#define AUE_SETITIMER   AUE_NULL        /*83*/    /*XXX*/
#define AUE_O_WAIT      AUE_NULL        /*84*/
#define AUE_SWAPON      28              /*85*/
#define AUE_GETITIMER   AUE_NULL        /*86*/
#define AUE_O_GETHOSTNAME AUE_NULL      /*87*/
#define AUE_O_SETHOSTNAME AUE_SYSCTL    /*88*/
#define AUE_GETDTABLESIZE AUE_NULL      /*89*/
#define AUE_DUP2        AUE_NULL        /*90*/
#define AUE_O_GETDOPT   AUE_NULL        /*91*/
#define AUE_FCNTL       30              /*92*/
#define AUE_SELECT      AUE_NULL        /*93*/
#define AUE_O_SETDOPT   AUE_NULL        /*94*/
#define AUE_FSYNC       AUE_NULL        /*95*/
#define AUE_SETPRIORITY 312		/*96*/
#define AUE_SOCKET      183             /*97*/
#define AUE_CONNECT     32              /*98*/
#define AUE_O_ACCEPT    AUE_NULL        /*99*/
#define AUE_GETPRIORITY AUE_NULL        /*100*/
#define AUE_O_SEND      AUE_SENDMSG     /*101*/
#define AUE_O_RECV      AUE_RECVMSG     /*102*/
#define AUE_SIGRETURN   AUE_NULL        /*103*/   /*XXX*/
#define AUE_BIND        34              /*104*/
#define AUE_SETSOCKOPT  35              /*105*/
#define AUE_LISTEN      AUE_NULL        /*106*/
#define AUE_O_VTIMES    AUE_NULL        /*107*/
#define AUE_O_SIGVEC    AUE_NULL        /*108*/
#define AUE_O_SIGBLOCK  AUE_NULL        /*109*/
#define AUE_O_SIGSETMASK AUE_NULL       /*110*/
#define AUE_SIGSUSPEND  AUE_NULL        /*111*/   /*XXX*/
#define AUE_O_SIGSTACK  AUE_NULL        /*112*/
#define AUE_O_RECVMSG   AUE_RECVMSG     /*113*/
#define AUE_O_SENDMSG   AUE_SENDMSG     /*114*/
#define AUE_O_VTRACE    AUE_NULL        /*115*/   /*36*/
#define AUE_GETTIMEOFDAY AUE_NULL       /*116*/
#define AUE_GETRUSAGE   AUE_NULL        /*117*/
#define AUE_GTSOCKOPT   AUE_NULL        /*118*/
#define AUE_O_RESUBA    AUE_NULL        /*119*/
#define AUE_READV       AUE_NULL        /*120*/      
#define AUE_WRITEV      AUE_NULL        /*121*/
#define AUE_SETTIMEOFDAY 313		/*122*/
#define AUE_FCHOWN      38              /*123*/
#define AUE_FCHMOD      39              /*124*/
#define AUE_O_RECVFROM  AUE_RECVFROM    /*125*/
#define AUE_O_SETREUID  AUE_SETEUID        /*126*/   /*40*/
#define AUE_O_SETREGID  AUE_SETEGID        /*127*/   /*41*/
#define AUE_RENAME      42              /*128*/
#define AUE_O_TRUNCATE  AUE_TRUNCATE    /*129*/
#define AUE_O_FTRUNCATE AUE_FTRUNCATE   /*130*/
#define AUE_FLOCK       314		/*131*/
#define AUE_MKFIFO      315		/*132*/
#define AUE_SENDTO      184             /*133*/
#define AUE_SHUTDOWN    46              /*134*/
#define AUE_SOCKETPAIR  317		/*135*/
#define AUE_MKDIR       47              /*136*/
#define AUE_RMDIR       48              /*137*/
#define AUE_UTIMES      49              /*138*/
#define AUE_FUTIMES     318		/*139*/
#define AUE_ADJTIME     50              /*140*/
#define AUE_O_GETPEERNAME AUE_NULL      /*141*/
#define AUE_O_GETHOSTID AUE_NULL        /*142*/
#define AUE_O_SETHOSTID AUE_NULL        /*143*/
#define AUE_O_GETRLIMIT AUE_NULL        /*144*/
#define AUE_O_SETRLIMIT AUE_SETRLIMIT   /*145*/ 
#define AUE_O_KILLPG    AUE_KILL        /*146*/
#define AUE_SETSID      319		/*147*/
#define AUE_O_SETQUOTA  AUE_NULL        /*148*/
#define AUE_O_QUOTA     AUE_NULL        /*149*/
#define AUE_O_GETSOCKNAME AUE_NULL      /*150*/
#define AUE_GETPGID     AUE_NULL        /*151*/
#define AUE_SETPRIVEXEC 320		/*152*/
#define AUE_PREAD       AUE_NULL        /*153*/
#define AUE_PWRITE      AUE_NULL        /*154*/
#define AUE_NFSSVC      321		/*155*/
#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /*156*/
#define AUE_STATFS      54              /*157*/
#define AUE_FSTATFS     55              /*158*/
#define AUE_UNMOUNT     12              /*159*/
#define AUE_O_ASYNCDAEMON AUE_NULL      /*160*/
#define AUE_GETFH       322		/*161*/
#define AUE_O_GETDOMAINNAME AUE_NULL    /*162*/
#define AUE_O_SETDOMAINNAME AUE_SYSCTL  /*163*/
#define AUE_O_PCFS_MOUNT AUE_NULL       /*164*/
#define AUE_QUOTACTL    60		/*165*/
#define AUE_O_EXPORTFS  AUE_NULL        /*166*/
#define AUE_MOUNT       62              /*167*/
#define AUE_O_USTATE    AUE_NULL        /*168*/
#define AUE_TABLE       AUE_NULL        /*170*/   /*ENOSYS*/
#define AUE_O_WAIT3     AUE_NULL        /*171*/
#define AUE_O_RPAUSE    AUE_NULL        /*172*/
#define AUE_O_GETDENTS  AUE_NULL        /*174*/
#define AUE_GCCONTROL   AUE_NULL        /*175*/   /*ENOSYS*/
#define AUE_ADDPROFILE  324		/*176*/

#define AUE_KDBUGTRACE  325		/*180*/
#define AUE_SETGID      205             /*181*/
#define AUE_SETEGID     214             /*182*/
#define AUE_SETEUID     215             /*183*/

#define AUE_STAT        16              /*188*/
#define AUE_FSTAT       326		/*189*/
#define AUE_LSTAT       17              /*190*/
#define AUE_PATHCONF    71              /*191*/
#define AUE_FPATHCONF   327		/*192*/
#define AUE_GETRLIMIT   AUE_NULL        /*194*/
#define AUE_SETRLIMIT   51              /*195*/
#define AUE_GETDIRENTRIES 328		/*196*/
#define AUE_MMAP        210             /*197*/
#define AUE_SYSCALL     AUE_NULL        /*198*/   /*ENOSYS*/
#define AUE_LSEEK       AUE_NULL        /*199*/
#define AUE_TRUNCATE    329		/*200*/
#define AUE_FTRUNCATE   330		/*201*/
#define AUE_SYSCTL      331		/*202*/
#define AUE_MLOCK       332		/*203*/
#define AUE_MUNLOCK     333		/*204*/
#define AUE_UNDELETE    334		/*205*/

#define AUE_MKCOMPLEX   AUE_NULL        /*216*/   /*XXX*/
#define AUE_STATV       AUE_NULL        /*217*/   /*EOPNOTSUPP*/
#define AUE_LSTATV      AUE_NULL        /*218*/   /*EOPNOTSUPP*/
#define AUE_FSTATV      AUE_NULL        /*219*/   /*EOPNOTSUPP*/
#define AUE_GETATTRLIST 335		/*220*/
#define AUE_SETATTRLIST 336		/*221*/ 
#define AUE_GETDIRENTRIESATTR 337	/*222*/
#define AUE_EXCHANGEDATA 338		/*223*/
#define AUE_CHECKUSERACCESS AUE_ACCESS    /*224*/   /* To Be Removed */
#define AUE_SEARCHFS    339		/*225*/

#define AUE_DELETE      AUE_UNLINK        /*226*/   /* reserved */
#define AUE_COPYFILE    361        /*227*/   /* reserved */
#define AUE_WATCHEVENT  AUE_NULL        /*231*/   /* reserved */
#define AUE_WAITEVENT   AUE_NULL        /*232*/   /* reserved */
#define AUE_MODWATCH    AUE_NULL        /*233*/   /* reserved */
#define AUE_FSCTL       AUE_NULL        /*242*/   /* reserved */

#define AUE_MINHERIT    340		/*250*/
#define AUE_SEMSYS      AUE_NULL        /*251*/   /* To Be Removed */
#define AUE_MSGSYS      AUE_NULL        /*252*/   /* To Be Removed */
#define AUE_SHMSYS      AUE_NULL        /*253*/
#define AUE_SEMCTL	98              /*254*/
#define AUE_SEMCTL_GETALL  105          /*254*/
#define AUE_SEMCTL_GETNCNT 102          /*254*/
#define AUE_SEMCTL_GETPID  103          /*254*/
#define AUE_SEMCTL_GETVAL  104          /*254*/
#define AUE_SEMCTL_GETZCNT 106          /*254*/
#define AUE_SEMCTL_RMID    99           /*254*/
#define AUE_SEMCTL_SET     100          /*254*/
#define AUE_SEMCTL_SETALL  108          /*254*/
#define AUE_SEMCTL_SETVAL  107          /*254*/
#define AUE_SEMCTL_STAT	   101          /*254*/
#define AUE_SEMGET      109             /*255*/
#define AUE_SEMOP       110             /*256*/
#define AUE_SEMCONFIG   341		/*257*/
#define AUE_MSGCL       AUE_NULL        /*258*/   /*EOPNOTSUPP*/
#define AUE_MSGGET      88              /*259*/   /*88-EOPNOTSUPP*/
#define AUE_MSGRCV      89              /*261*/   /*89-EOPNOTSUPP*/
#define AUE_MSGSND      90              /*260*/   /*90-EOPNOTSUPP*/
#define AUE_SHMAT       96              /*262*/
#define AUE_SHMCTL      91              /*263*/
#define AUE_SHMCTL_RMID 92              /*263*/
#define AUE_SHMCTL_SET  93              /*263*/
#define AUE_SHMCTL_STAT 94              /*263*/
#define AUE_SHMDT       97              /*264*/
#define AUE_SHMGET      95              /*265*/
#define AUE_SHMOPEN     345		/*266*/
#define AUE_SHMUNLINK   346		/*267*/
#define AUE_SEMOPEN     342		/*268*/
#define AUE_SEMCLOSE    343		/*269*/
#define AUE_SEMUNLINK   344		/*270*/
#define AUE_SEMWAIT     AUE_NULL        /*271*/
#define AUE_SEMTRYWAIT  AUE_NULL        /*272*/
#define AUE_SEMPOST     AUE_NULL        /*273*/
#define AUE_SEMGETVALUE AUE_NULL        /*274*/   /*ENOSYS*/
#define AUE_SEMINIT     AUE_NULL        /*275*/   /*ENOSYS*/
#define AUE_SEMDESTROY  AUE_NULL        /*276*/   /*ENOSYS*/

#define AUE_LOADSHFILE  347		/*296*/
#define AUE_RESETSHFILE 348		/*297*/
#define AUE_NEWSYSTEMSHREG 349		/*298*/

#define AUE_GETSID      AUE_NULL        /*310*/

#define AUE_MLOCKALL    AUE_NULL        /*324*/   /*ENOSYS*/
#define AUE_MUNLOCKALL  AUE_NULL        /*325*/   /*ENOSYS*/

#define AUE_ISSETUGID   AUE_NULL        /*327*/
#define AUE_PTHREADKILL 350		/*328*/
#define AUE_PTHREADSIGMASK 351		/*329*/
#define AUE_SIGWAIT     AUE_NULL        /*330*/   /*XXX*/
#define AUE_SWAPOFF	355
#define AUE_INITPROCESS	356
#define AUE_MAPFD	357
#define AUE_TASKFORPID	358
#define AUE_PIDFORTASK	359
#define AUE_SYSCTL_NONADMIN	360

// BSM events - Have to identify which ones are relevant to MacOSX
#define AUE_ACLSET                      251
#define AUE_AUDIT                       211
#define AUE_AUDITON			138
#define AUE_AUDITON_GETCAR              224
#define AUE_AUDITON_GETCLASS            231
#define AUE_AUDITON_GETCOND             229
#define AUE_AUDITON_GETCWD              223
#define AUE_AUDITON_GETKMASK            221
#define AUE_AUDITON_GETSTAT             225
#define AUE_AUDITON_GPOLICY             141
#define AUE_AUDITON_GQCTRL              145
#define AUE_AUDITON_SETCLASS            232
#define AUE_AUDITON_SETCOND             230
#define AUE_AUDITON_SETKMASK            222
#define AUE_AUDITON_SETSMASK            228
#define AUE_AUDITON_SETSTAT             226
#define AUE_AUDITON_SETUMASK            227
#define AUE_AUDITON_SPOLICY             142
#define AUE_AUDITON_SQCTRL              146
#define AUE_AUDITCTL                    352
#define AUE_DOORFS_DOOR_BIND            260
#define AUE_DOORFS_DOOR_CALL            254
#define AUE_DOORFS_DOOR_CREATE          256
#define AUE_DOORFS_DOOR_CRED            259
#define AUE_DOORFS_DOOR_INFO            258
#define AUE_DOORFS_DOOR_RETURN          255
#define AUE_DOORFS_DOOR_REVOKE          257
#define AUE_DOORFS_DOOR_UNBIND          261
#define AUE_ENTERPROM                   153
#define AUE_EXEC                        7
#define AUE_EXITPROM                    154
#define	AUE_FACLSET                     252
#define AUE_FCHROOT                     69
#define AUE_FORK1                       241
#define AUE_GETAUDIT                    132
#define AUE_GETAUDIT_ADDR               267	
#define AUE_GETAUID                     130
#define AUE_GETMSG                      217
#define AUE_SOCKACCEPT                  247
#define AUE_SOCKRECEIVE                 250
#define AUE_GETPMSG                     219
#define AUE_GETPORTAUDIT                149
#define AUE_INST_SYNC                   264
#define AUE_LCHOWN                      237
#define AUE_LXSTAT                      236
#define AUE_MEMCNTL                     238
#define AUE_MODADDMAJ                   246
#define AUE_MODCONFIG                   245
#define AUE_MODLOAD                     243
#define AUE_MODUNLOAD                   244
#define AUE_MSGCTL                      84
#define AUE_MSGCTL_RMID                 85
#define AUE_MSGCTL_SET                  86
#define AUE_MSGCTL_STAT                 87
#define AUE_NICE                        203
#define AUE_P_ONLINE                    262
#define AUE_PRIOCNTLSYS                 212
#define AUE_CORE                        111
#define AUE_PROCESSOR_BIND              263
#define AUE_PUTMSG                      216
#define AUE_SOCKCONNECT                 248
#define AUE_SOCKSEND                    249
#define AUE_PUTPMSG                     218
#define AUE_SETAUDIT                    133
#define AUE_SETAUDIT_ADDR               266
#define AUE_SETAUID                     131
#define AUE_SOCKCONFIG                  183
#define AUE_STATVFS                     234
#define AUE_STIME                       201
#define AUE_SYSINFO                     39
#define AUE_UTIME                       202
#define AUE_UTSYS                       233
#define AUE_XMKNOD                      240
#define AUE_XSTAT                       235

#endif /* !_BSM_AUDIT_KEVENTS_H_ */