aboutsummaryrefslogtreecommitdiff
path: root/sys/bsm
diff options
context:
space:
mode:
authorRobert Watson <rwatson@FreeBSD.org>2008-11-13 00:04:15 +0000
committerRobert Watson <rwatson@FreeBSD.org>2008-11-13 00:04:15 +0000
commita5c6cfa00d9aad0a0da65a940ac6d782edfa841e (patch)
treedf6eec05070bdfdd7ef98d7164381dfbe7d070c5 /sys/bsm
parent2708261ab67b9e3822fdd9ea8d8e1acf5c6bbbc0 (diff)
downloadsrc-a5c6cfa00d9aad0a0da65a940ac6d782edfa841e.tar.gz
src-a5c6cfa00d9aad0a0da65a940ac6d782edfa841e.zip
Vendor import of OpenBSM 1.1 alpha2, which incorporates the followingvendor/openbsm/1.1-ALPHA-2
changes since the last imported OpenBSM release: OpenBSM 1.1 alpha 2 - Include files in OpenBSM are now broken out into two parts: library builds required solely for user space, and system includes, which may also be required for use in the kernels of systems integrating OpenBSM. Submitted by Stacey Son. - Configure option --with-native-includes allows forcing the use of native include for system includes, rather than the versions bundled with OpenBSM. This is intended specifically for platforms that ship OpenBSM, have adapted versions of the system includes in a kernel source tree, and will use the OpenBSM build infrastructure with an unmodified OpenBSM distribution, allowing the customized system includes to be used with the OpenBSM build. Submitted by Stacey Son. - Various strcpy()'s/strcat()'s have been changed to strlcpy()'s/strlcat()'s or asprintf(). Added compat/strlcpy.h for Linux. - Remove compatibility defines for old Darwin token constant names; now only BSM token names are provided and used. - Add support for extended header tokens, which contain space for information on the host generating the record. - Add support for setting extended host information in the kernel, which is used for setting host information in extended header tokens. The audit_control file now supports a "host" parameter which can be used by auditd to set the information; if not present, the kernel parameters won't be set and auditd uses unextended headers for records that it generates. OpenBSM 1.1 alpha 1 - Add option to auditreduce(1) which allows users to invert sense of matching, such that BSM records that do not match, are selected. - Fix bug in audit_write() where we commit an incomplete record in the event there is an error writing the subject token. This was submitted by Diego Giagio. - Build support for Mac OS X 10.5.1 submitted by Eric Hall. - Fix a bug which resulted in host XML attributes not beingguments so that const strings can be passed as arguments to tokens. This patch was submitted by Xin LI. - Modify the -m option so users can select more then one audit event. - For Mac OS X, added Mach IPC support for audit trigger messages. - Fixed a bug in getacna() which resulted in a locking problem on Mac OS X. - Added LOG_PERROR flag to openlog when -d option is used with auditd. - AUE events added for Mac OS X Leopard system calls. Obtained from: TrustedBSD Project Sponsored by: Apple Inc.
Notes
Notes: svn path=/vendor/openbsm/dist/; revision=184902 svn path=/vendor/openbsm/1.1-ALPHA-2/; revision=184903; tag=vendor/openbsm/1.1-ALPHA-2
Diffstat (limited to 'sys/bsm')
-rw-r--r--sys/bsm/Makefile.am14
-rw-r--r--sys/bsm/Makefile.in412
-rw-r--r--sys/bsm/audit.h280
-rw-r--r--sys/bsm/audit_internal.h117
-rw-r--r--sys/bsm/audit_kevents.h720
-rw-r--r--sys/bsm/audit_record.h293
6 files changed, 1836 insertions, 0 deletions
diff --git a/sys/bsm/Makefile.am b/sys/bsm/Makefile.am
new file mode 100644
index 000000000000..b3c7805bca8e
--- /dev/null
+++ b/sys/bsm/Makefile.am
@@ -0,0 +1,14 @@
+#
+# $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/Makefile.am#1 $
+#
+
+
+if ! USE_NATIVE_INCLUDES
+openbsmdir = $(includedir)/bsm
+
+openbsm_HEADERS = \
+ audit.h \
+ audit_internal.h \
+ audit_kevents.h \
+ audit_record.h
+endif
diff --git a/sys/bsm/Makefile.in b/sys/bsm/Makefile.in
new file mode 100644
index 000000000000..34cb9e6a0790
--- /dev/null
+++ b/sys/bsm/Makefile.in
@@ -0,0 +1,412 @@
+# Makefile.in generated by automake 1.10 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/Makefile.in#2 $
+#
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = sys/bsm
+DIST_COMMON = $(am__openbsm_HEADERS_DIST) $(srcdir)/Makefile.am \
+ $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config/config.h
+CONFIG_CLEAN_FILES =
+SOURCES =
+DIST_SOURCES =
+am__openbsm_HEADERS_DIST = audit.h audit_internal.h audit_kevents.h \
+ audit_record.h
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(openbsmdir)"
+openbsmHEADERS_INSTALL = $(INSTALL_HEADER)
+HEADERS = $(openbsm_HEADERS)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LDFLAGS = @LDFLAGS@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MIG = @MIG@
+MKDIR_P = @MKDIR_P@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+RANLIB = @RANLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+VERSION = @VERSION@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+@USE_NATIVE_INCLUDES_FALSE@openbsmdir = $(includedir)/bsm
+@USE_NATIVE_INCLUDES_FALSE@openbsm_HEADERS = \
+@USE_NATIVE_INCLUDES_FALSE@ audit.h \
+@USE_NATIVE_INCLUDES_FALSE@ audit_internal.h \
+@USE_NATIVE_INCLUDES_FALSE@ audit_kevents.h \
+@USE_NATIVE_INCLUDES_FALSE@ audit_record.h
+
+all: all-am
+
+.SUFFIXES:
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign sys/bsm/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --foreign sys/bsm/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-openbsmHEADERS: $(openbsm_HEADERS)
+ @$(NORMAL_INSTALL)
+ test -z "$(openbsmdir)" || $(MKDIR_P) "$(DESTDIR)$(openbsmdir)"
+ @list='$(openbsm_HEADERS)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ f=$(am__strip_dir) \
+ echo " $(openbsmHEADERS_INSTALL) '$$d$$p' '$(DESTDIR)$(openbsmdir)/$$f'"; \
+ $(openbsmHEADERS_INSTALL) "$$d$$p" "$(DESTDIR)$(openbsmdir)/$$f"; \
+ done
+
+uninstall-openbsmHEADERS:
+ @$(NORMAL_UNINSTALL)
+ @list='$(openbsm_HEADERS)'; for p in $$list; do \
+ f=$(am__strip_dir) \
+ echo " rm -f '$(DESTDIR)$(openbsmdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(openbsmdir)/$$f"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) ' { files[$$0] = 1; } \
+ END { for (i in files) print i; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+check: check-am
+all-am: Makefile $(HEADERS)
+installdirs:
+ for dir in "$(DESTDIR)$(openbsmdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-openbsmHEADERS
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-generic mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-openbsmHEADERS
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \
+ clean-libtool ctags distclean distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-openbsmHEADERS install-pdf \
+ install-pdf-am install-ps install-ps-am install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-generic \
+ mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \
+ uninstall-am uninstall-openbsmHEADERS
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/sys/bsm/audit.h b/sys/bsm/audit.h
new file mode 100644
index 000000000000..ebb84da19861
--- /dev/null
+++ b/sys/bsm/audit.h
@@ -0,0 +1,280 @@
+/*-
+ * Copyright (c) 2005 Apple Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit.h#1 $
+ */
+
+#ifndef _BSM_AUDIT_H
+#define _BSM_AUDIT_H
+
+#define AUDIT_RECORD_MAGIC 0x828a0f1b
+#define MAX_AUDIT_RECORDS 20
+#define MAXAUDITDATA (0x8000 - 1)
+#define MAX_AUDIT_RECORD_SIZE MAXAUDITDATA
+#define MIN_AUDIT_FILE_SIZE (512 * 1024)
+
+/*
+ * Triggers for the audit daemon.
+ */
+#define AUDIT_TRIGGER_MIN 1
+#define AUDIT_TRIGGER_LOW_SPACE 1 /* Below low watermark. */
+#define AUDIT_TRIGGER_ROTATE_KERNEL 2 /* Kernel requests rotate. */
+#define AUDIT_TRIGGER_READ_FILE 3 /* Re-read config file. */
+#define AUDIT_TRIGGER_CLOSE_AND_DIE 4 /* Terminate audit. */
+#define AUDIT_TRIGGER_NO_SPACE 5 /* Below min free space. */
+#define AUDIT_TRIGGER_ROTATE_USER 6 /* User requests roate. */
+#define AUDIT_TRIGGER_MAX 6
+
+/*
+ * The special device filename (FreeBSD).
+ */
+#define AUDITDEV_FILENAME "audit"
+#define AUDIT_TRIGGER_FILE ("/dev/" AUDITDEV_FILENAME)
+
+/*
+ * Pre-defined audit IDs
+ */
+#define AU_DEFAUDITID -1
+
+/*
+ * IPC types.
+ */
+#define AT_IPC_MSG ((u_char)1) /* Message IPC id. */
+#define AT_IPC_SEM ((u_char)2) /* Semaphore IPC id. */
+#define AT_IPC_SHM ((u_char)3) /* Shared mem IPC id. */
+
+/*
+ * Audit conditions.
+ */
+#define AUC_UNSET 0
+#define AUC_AUDITING 1
+#define AUC_NOAUDIT 2
+#define AUC_DISABLED -1
+
+/*
+ * auditon(2) commands.
+ */
+#define A_GETPOLICY 2
+#define A_SETPOLICY 3
+#define A_GETKMASK 4
+#define A_SETKMASK 5
+#define A_GETQCTRL 6
+#define A_SETQCTRL 7
+#define A_GETCWD 8
+#define A_GETCAR 9
+#define A_GETSTAT 12
+#define A_SETSTAT 13
+#define A_SETUMASK 14
+#define A_SETSMASK 15
+#define A_GETCOND 20
+#define A_SETCOND 21
+#define A_GETCLASS 22
+#define A_SETCLASS 23
+#define A_GETPINFO 24
+#define A_SETPMASK 25
+#define A_SETFSIZE 26
+#define A_GETFSIZE 27
+#define A_GETPINFO_ADDR 28
+#define A_GETKAUDIT 29
+#define A_SETKAUDIT 30
+#define A_SENDTRIGGER 31
+
+/*
+ * Audit policy controls.
+ */
+#define AUDIT_CNT 0x0001
+#define AUDIT_AHLT 0x0002
+#define AUDIT_ARGV 0x0004
+#define AUDIT_ARGE 0x0008
+#define AUDIT_SEQ 0x0010
+#define AUDIT_WINDATA 0x0020
+#define AUDIT_USER 0x0040
+#define AUDIT_GROUP 0x0080
+#define AUDIT_TRAIL 0x0100
+#define AUDIT_PATH 0x0200
+#define AUDIT_SCNT 0x0400
+#define AUDIT_PUBLIC 0x0800
+#define AUDIT_ZONENAME 0x1000
+#define AUDIT_PERZONE 0x2000
+
+/*
+ * Default audit queue control parameters.
+ */
+#define AQ_HIWATER 100
+#define AQ_MAXHIGH 10000
+#define AQ_LOWATER 10
+#define AQ_BUFSZ MAXAUDITDATA
+#define AQ_MAXBUFSZ 1048576
+
+/*
+ * Default minimum percentage free space on file system.
+ */
+#define AU_FS_MINFREE 20
+
+/*
+ * Type definitions used indicating the length of variable length addresses
+ * in tokens containing addresses, such as header fields.
+ */
+#define AU_IPv4 4
+#define AU_IPv6 16
+
+__BEGIN_DECLS
+
+typedef uid_t au_id_t;
+typedef pid_t au_asid_t;
+typedef u_int16_t au_event_t;
+typedef u_int16_t au_emod_t;
+typedef u_int32_t au_class_t;
+
+struct au_tid {
+ dev_t port;
+ u_int32_t machine;
+};
+typedef struct au_tid au_tid_t;
+
+struct au_tid_addr {
+ dev_t at_port;
+ u_int32_t at_type;
+ u_int32_t at_addr[4];
+};
+typedef struct au_tid_addr au_tid_addr_t;
+
+struct au_mask {
+ unsigned int am_success; /* Success bits. */
+ unsigned int am_failure; /* Failure bits. */
+};
+typedef struct au_mask au_mask_t;
+
+struct auditinfo {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo auditinfo_t;
+
+struct auditinfo_addr {
+ au_id_t ai_auid; /* Audit user ID. */
+ au_mask_t ai_mask; /* Audit masks. */
+ au_tid_addr_t ai_termid; /* Terminal ID. */
+ au_asid_t ai_asid; /* Audit session ID. */
+};
+typedef struct auditinfo_addr auditinfo_addr_t;
+
+struct auditpinfo {
+ pid_t ap_pid; /* ID of target process. */
+ au_id_t ap_auid; /* Audit user ID. */
+ au_mask_t ap_mask; /* Audit masks. */
+ au_tid_t ap_termid; /* Terminal ID. */
+ au_asid_t ap_asid; /* Audit session ID. */
+};
+typedef struct auditpinfo auditpinfo_t;
+
+struct auditpinfo_addr {
+ pid_t ap_pid; /* ID of target process. */
+ au_id_t ap_auid; /* Audit user ID. */
+ au_mask_t ap_mask; /* Audit masks. */
+ au_tid_addr_t ap_termid; /* Terminal ID. */
+ au_asid_t ap_asid; /* Audit session ID. */
+};
+typedef struct auditpinfo_addr auditpinfo_addr_t;
+
+/*
+ * Contents of token_t are opaque outside of libbsm.
+ */
+typedef struct au_token token_t;
+
+/*
+ * Kernel audit queue control parameters.
+ */
+struct au_qctrl {
+ size_t aq_hiwater;
+ size_t aq_lowater;
+ size_t aq_bufsz;
+ clock_t aq_delay;
+ int aq_minfree; /* Minimum filesystem percent free space. */
+};
+typedef struct au_qctrl au_qctrl_t;
+
+/*
+ * Structure for the audit statistics.
+ */
+struct audit_stat {
+ unsigned int as_version;
+ unsigned int as_numevent;
+ int as_generated;
+ int as_nonattrib;
+ int as_kernel;
+ int as_audit;
+ int as_auditctl;
+ int as_enqueue;
+ int as_written;
+ int as_wblocked;
+ int as_rblocked;
+ int as_dropped;
+ int as_totalsize;
+ unsigned int as_memused;
+};
+typedef struct audit_stat au_stat_t;
+
+/*
+ * Structure for the audit file statistics.
+ */
+struct audit_fstat {
+ u_quad_t af_filesz;
+ u_quad_t af_currsz;
+};
+typedef struct audit_fstat au_fstat_t;
+
+/*
+ * Audit to event class mapping.
+ */
+struct au_evclass_map {
+ au_event_t ec_number;
+ au_class_t ec_class;
+};
+typedef struct au_evclass_map au_evclass_map_t;
+
+/*
+ * Audit system calls.
+ */
+#if !defined(_KERNEL) && !defined(KERNEL)
+int audit(const void *, int);
+int auditon(int, void *, int);
+int auditctl(const char *);
+int getauid(au_id_t *);
+int setauid(const au_id_t *);
+int getaudit(struct auditinfo *);
+int setaudit(const struct auditinfo *);
+int getaudit_addr(struct auditinfo_addr *, int);
+int setaudit_addr(const struct auditinfo_addr *, int);
+#endif /* defined(_KERNEL) || defined(KERNEL) */
+
+__END_DECLS
+
+#endif /* !_BSM_AUDIT_H */
diff --git a/sys/bsm/audit_internal.h b/sys/bsm/audit_internal.h
new file mode 100644
index 000000000000..d3482b3d7478
--- /dev/null
+++ b/sys/bsm/audit_internal.h
@@ -0,0 +1,117 @@
+/*-
+ * Copyright (c) 2005 Apple Inc.
+ * Copyright (c) 2005 SPARTA, Inc.
+ * All rights reserved.
+ *
+ * This code was developed in part by Robert N. M. Watson, Senior Principal
+ * Scientist, SPARTA, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_internal.h#2 $
+ */
+
+#ifndef _AUDIT_INTERNAL_H
+#define _AUDIT_INTERNAL_H
+
+#if defined(__linux__) && !defined(__unused)
+#define __unused
+#endif
+
+/*
+ * audit_internal.h contains private interfaces that are shared by user space
+ * and the kernel for the purposes of assembling audit records. Applications
+ * should not include this file or use the APIs found within, or it may be
+ * broken with future releases of OpenBSM, which may delete, modify, or
+ * otherwise break these interfaces or the assumptions they rely on.
+ */
+struct au_token {
+ u_char *t_data;
+ size_t len;
+ TAILQ_ENTRY(au_token) tokens;
+};
+
+struct au_record {
+ char used; /* Record currently in use? */
+ int desc; /* Descriptor for record. */
+ TAILQ_HEAD(, au_token) token_q; /* Queue of BSM tokens. */
+ u_char *data;
+ size_t len;
+ LIST_ENTRY(au_record) au_rec_q;
+};
+typedef struct au_record au_record_t;
+
+
+/*
+ * We could determined the header and trailer sizes by defining appropriate
+ * structures. We hold off that approach until we have a consistent way of
+ * using structures for all tokens. This is not straightforward since these
+ * token structures may contain pointers of whose contents we do not know the
+ * size (e.g text tokens).
+ */
+#define AUDIT_HEADER_EX_SIZE(a) ((a)->ai_termid.at_type+18+sizeof(u_int32_t))
+#define AUDIT_HEADER_SIZE 18
+#define MAX_AUDIT_HEADER_SIZE (5*sizeof(u_int32_t)+18)
+#define AUDIT_TRAILER_SIZE 7
+
+/*
+ * BSM token streams store fields in big endian byte order, so as to be
+ * portable; when encoding and decoding, we must convert byte orders for
+ * typed values.
+ */
+#define ADD_U_CHAR(loc, val) \
+ do { \
+ *(loc) = (val); \
+ (loc) += sizeof(u_char); \
+ } while(0)
+
+
+#define ADD_U_INT16(loc, val) \
+ do { \
+ be16enc((loc), (val)); \
+ (loc) += sizeof(u_int16_t); \
+ } while(0)
+
+#define ADD_U_INT32(loc, val) \
+ do { \
+ be32enc((loc), (val)); \
+ (loc) += sizeof(u_int32_t); \
+ } while(0)
+
+#define ADD_U_INT64(loc, val) \
+ do { \
+ be64enc((loc), (val)); \
+ (loc) += sizeof(u_int64_t); \
+ } while(0)
+
+#define ADD_MEM(loc, data, size) \
+ do { \
+ memcpy((loc), (data), (size)); \
+ (loc) += size; \
+ } while(0)
+
+#define ADD_STRING(loc, data, size) ADD_MEM(loc, data, size)
+
+#endif /* !_AUDIT_INTERNAL_H_ */
diff --git a/sys/bsm/audit_kevents.h b/sys/bsm/audit_kevents.h
new file mode 100644
index 000000000000..34cf545270ab
--- /dev/null
+++ b/sys/bsm/audit_kevents.h
@@ -0,0 +1,720 @@
+/*-
+ * Copyright (c) 2005 Apple Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_kevents.h#3 $
+ */
+
+#ifndef _BSM_AUDIT_KEVENTS_H_
+#define _BSM_AUDIT_KEVENTS_H_
+
+/*
+ * Values marked as AUE_NULL are not required to be audited as per CAPP.
+ *
+ * Some conflicts exist in the assignment of name to event number mappings
+ * between BSM implementations. In general, we prefer the OpenSolaris
+ * definition as we consider Solaris BSM to be authoritative. _DARWIN_ has
+ * been inserted for the Darwin variants. If necessary, other tags will be
+ * added in the future.
+ */
+#define AUE_NULL 0
+#define AUE_EXIT 1
+#define AUE_FORK 2
+#define AUE_FORKALL AUE_FORK /* Solaris-specific. */
+#define AUE_OPEN 3
+#define AUE_CREAT 4
+#define AUE_LINK 5
+#define AUE_UNLINK 6
+#define AUE_DELETE AUE_UNLINK /* Darwin-specific. */
+#define AUE_EXEC 7
+#define AUE_CHDIR 8
+#define AUE_MKNOD 9
+#define AUE_CHMOD 10
+#define AUE_CHOWN 11
+#define AUE_UMOUNT 12
+#define AUE_JUNK 13 /* Solaris-specific. */
+#define AUE_ACCESS 14
+#define AUE_CHECKUSERACCESS AUE_ACCESS /* Darwin-specific. */
+#define AUE_KILL 15
+#define AUE_STAT 16
+#define AUE_LSTAT 17
+#define AUE_ACCT 18
+#define AUE_MCTL 19 /* Solaris-specific. */
+#define AUE_REBOOT 20 /* XXX: Darwin conflict. */
+#define AUE_SYMLINK 21
+#define AUE_READLINK 22
+#define AUE_EXECVE 23
+#define AUE_CHROOT 24
+#define AUE_VFORK 25
+#define AUE_SETGROUPS 26
+#define AUE_SETPGRP 27
+#define AUE_SWAPON 28
+#define AUE_SETHOSTNAME 29 /* XXX: Darwin conflict. */
+#define AUE_FCNTL 30
+#define AUE_SETPRIORITY 31 /* XXX: Darwin conflict. */
+#define AUE_CONNECT 32
+#define AUE_ACCEPT 33
+#define AUE_BIND 34
+#define AUE_SETSOCKOPT 35
+#define AUE_VTRACE 36 /* Solaris-specific. */
+#define AUE_SETTIMEOFDAY 37 /* XXX: Darwin conflict. */
+#define AUE_FCHOWN 38
+#define AUE_FCHMOD 39
+#define AUE_SETREUID 40
+#define AUE_SETREGID 41
+#define AUE_RENAME 42
+#define AUE_TRUNCATE 43 /* XXX: Darwin conflict. */
+#define AUE_FTRUNCATE 44 /* XXX: Darwin conflict. */
+#define AUE_FLOCK 45 /* XXX: Darwin conflict. */
+#define AUE_SHUTDOWN 46
+#define AUE_MKDIR 47
+#define AUE_RMDIR 48
+#define AUE_UTIMES 49
+#define AUE_ADJTIME 50
+#define AUE_SETRLIMIT 51
+#define AUE_KILLPG 52
+#define AUE_NFS_SVC 53 /* XXX: Darwin conflict. */
+#define AUE_STATFS 54
+#define AUE_FSTATFS 55
+#define AUE_UNMOUNT 56 /* XXX: Darwin conflict. */
+#define AUE_ASYNC_DAEMON 57
+#define AUE_NFS_GETFH 58 /* XXX: Darwin conflict. */
+#define AUE_SETDOMAINNAME 59
+#define AUE_QUOTACTL 60 /* XXX: Darwin conflict. */
+#define AUE_EXPORTFS 61
+#define AUE_MOUNT 62
+#define AUE_SEMSYS 63
+#define AUE_MSGSYS 64
+#define AUE_SHMSYS 65
+#define AUE_BSMSYS 66 /* Solaris-specific. */
+#define AUE_RFSSYS 67 /* Solaris-specific. */
+#define AUE_FCHDIR 68
+#define AUE_FCHROOT 69
+#define AUE_VPIXSYS 70 /* Solaris-specific. */
+#define AUE_PATHCONF 71
+#define AUE_OPEN_R 72
+#define AUE_OPEN_RC 73
+#define AUE_OPEN_RT 74
+#define AUE_OPEN_RTC 75
+#define AUE_OPEN_W 76
+#define AUE_OPEN_WC 77
+#define AUE_OPEN_WT 78
+#define AUE_OPEN_WTC 79
+#define AUE_OPEN_RW 80
+#define AUE_OPEN_RWC 81
+#define AUE_OPEN_RWT 82
+#define AUE_OPEN_RWTC 83
+#define AUE_MSGCTL 84
+#define AUE_MSGCTL_RMID 85
+#define AUE_MSGCTL_SET 86
+#define AUE_MSGCTL_STAT 87
+#define AUE_MSGGET 88
+#define AUE_MSGRCV 89
+#define AUE_MSGSND 90
+#define AUE_SHMCTL 91
+#define AUE_SHMCTL_RMID 92
+#define AUE_SHMCTL_SET 93
+#define AUE_SHMCTL_STAT 94
+#define AUE_SHMGET 95
+#define AUE_SHMAT 96
+#define AUE_SHMDT 97
+#define AUE_SEMCTL 98
+#define AUE_SEMCTL_RMID 99
+#define AUE_SEMCTL_SET 100
+#define AUE_SEMCTL_STAT 101
+#define AUE_SEMCTL_GETNCNT 102
+#define AUE_SEMCTL_GETPID 103
+#define AUE_SEMCTL_GETVAL 104
+#define AUE_SEMCTL_GETALL 105
+#define AUE_SEMCTL_GETZCNT 106
+#define AUE_SEMCTL_SETVAL 107
+#define AUE_SEMCTL_SETALL 108
+#define AUE_SEMGET 109
+#define AUE_SEMOP 110
+#define AUE_CORE 111 /* Solaris-specific, currently. */
+#define AUE_CLOSE 112
+#define AUE_SYSTEMBOOT 113 /* Solaris-specific. */
+#define AUE_ASYNC_DAEMON_EXIT 114 /* Solaris-specific. */
+#define AUE_NFSSVC_EXIT 115 /* Solaris-specific. */
+#define AUE_WRITEL 128 /* Solaris-specific. */
+#define AUE_WRITEVL 129 /* Solaris-specific. */
+#define AUE_GETAUID 130
+#define AUE_SETAUID 131
+#define AUE_GETAUDIT 132
+#define AUE_SETAUDIT 133
+#define AUE_GETUSERAUDIT 134 /* Solaris-specific. */
+#define AUE_SETUSERAUDIT 135 /* Solaris-specific. */
+#define AUE_AUDITSVC 136 /* Solaris-specific. */
+#define AUE_AUDITUSER 137 /* Solaris-specific. */
+#define AUE_AUDITON 138
+#define AUE_AUDITON_GTERMID 139 /* Solaris-specific. */
+#define AUE_AUDITON_STERMID 140 /* Solaris-specific. */
+#define AUE_AUDITON_GPOLICY 141
+#define AUE_AUDITON_SPOLICY 142
+#define AUE_AUDITON_GQCTRL 145
+#define AUE_AUDITON_SQCTRL 146
+#define AUE_GETKERNSTATE 147 /* Solaris-specific. */
+#define AUE_SETKERNSTATE 148 /* Solaris-specific. */
+#define AUE_GETPORTAUDIT 149 /* Solaris-specific. */
+#define AUE_AUDITSTAT 150 /* Solaris-specific. */
+#define AUE_REVOKE 151
+#define AUE_MAC 152 /* Solaris-specific. */
+#define AUE_ENTERPROM 153 /* Solaris-specific. */
+#define AUE_EXITPROM 154 /* Solaris-specific. */
+#define AUE_IFLOAT 155 /* Solaris-specific. */
+#define AUE_PFLOAT 156 /* Solaris-specific. */
+#define AUE_UPRIV 157 /* Solaris-specific. */
+#define AUE_IOCTL 158
+#define AUE_SOCKET 183
+#define AUE_SENDTO 184
+#define AUE_PIPE 185
+#define AUE_SOCKETPAIR 186 /* XXX: Darwin conflict. */
+#define AUE_SEND 187
+#define AUE_SENDMSG 188
+#define AUE_RECV 189
+#define AUE_RECVMSG 190
+#define AUE_RECVFROM 191
+#define AUE_READ 192
+#define AUE_GETDENTS 193
+#define AUE_LSEEK 194
+#define AUE_WRITE 195
+#define AUE_WRITEV 196
+#define AUE_NFS 197 /* Solaris-specific. */
+#define AUE_READV 198
+#define AUE_OSTAT 199 /* Solaris-specific. */
+#define AUE_SETUID 200 /* XXXRW: Solaris old setuid? */
+#define AUE_STIME 201 /* XXXRW: Solaris old stime? */
+#define AUE_UTIME 202 /* XXXRW: Solaris old utime? */
+#define AUE_NICE 203 /* XXXRW: Solaris old nice? */
+#define AUE_OSETPGRP 204 /* Solaris-specific. */
+#define AUE_SETGID 205
+#define AUE_READL 206 /* Solaris-specific. */
+#define AUE_READVL 207 /* Solaris-specific. */
+#define AUE_FSTAT 208
+#define AUE_DUP2 209
+#define AUE_MMAP 210
+#define AUE_AUDIT 211
+#define AUE_PRIOCNTLSYS 212 /* Solaris-specific. */
+#define AUE_MUNMAP 213
+#define AUE_SETEGID 214
+#define AUE_SETEUID 215
+#define AUE_PUTMSG 216 /* Solaris-specific. */
+#define AUE_GETMSG 217 /* Solaris-specific. */
+#define AUE_PUTPMSG 218 /* Solaris-specific. */
+#define AUE_GETPMSG 219 /* Solaris-specific. */
+#define AUE_AUDITSYS 220 /* Solaris-specific. */
+#define AUE_AUDITON_GETKMASK 221
+#define AUE_AUDITON_SETKMASK 222
+#define AUE_AUDITON_GETCWD 223
+#define AUE_AUDITON_GETCAR 224
+#define AUE_AUDITON_GETSTAT 225
+#define AUE_AUDITON_SETSTAT 226
+#define AUE_AUDITON_SETUMASK 227
+#define AUE_AUDITON_SETSMASK 228
+#define AUE_AUDITON_GETCOND 229
+#define AUE_AUDITON_SETCOND 230
+#define AUE_AUDITON_GETCLASS 231
+#define AUE_AUDITON_SETCLASS 232
+#define AUE_FUSERS 233 /* Solaris-specific; also UTSSYS? */
+#define AUE_STATVFS 234
+#define AUE_XSTAT 235 /* Solaris-specific. */
+#define AUE_LXSTAT 236 /* Solaris-specific. */
+#define AUE_LCHOWN 237
+#define AUE_MEMCNTL 238 /* Solaris-specific. */
+#define AUE_SYSINFO 239 /* Solaris-specific. */
+#define AUE_XMKNOD 240 /* Solaris-specific. */
+#define AUE_FORK1 241
+#define AUE_MODCTL 242 /* Solaris-specific. */
+#define AUE_MODLOAD 243
+#define AUE_MODUNLOAD 244
+#define AUE_MODCONFIG 245 /* Solaris-specific. */
+#define AUE_MODADDMAJ 246 /* Solaris-specific. */
+#define AUE_SOCKACCEPT 247 /* Solaris-specific. */
+#define AUE_SOCKCONNECT 248 /* Solaris-specific. */
+#define AUE_SOCKSEND 249 /* Solaris-specific. */
+#define AUE_SOCKRECEIVE 250 /* Solaris-specific. */
+#define AUE_ACLSET 251
+#define AUE_FACLSET 252
+#define AUE_DOORFS 253 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CALL 254 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_RETURN 255 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CREATE 256 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_REVOKE 257 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_INFO 258 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_CRED 259 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_BIND 260 /* Solaris-specific. */
+#define AUE_DOORFS_DOOR_UNBIND 261 /* Solaris-specific. */
+#define AUE_P_ONLINE 262 /* Solaris-specific. */
+#define AUE_PROCESSOR_BIND 263 /* Solaris-specific. */
+#define AUE_INST_SYNC 264 /* Solaris-specific. */
+#define AUE_SOCKCONFIG 265 /* Solaris-specific. */
+#define AUE_SETAUDIT_ADDR 266
+#define AUE_GETAUDIT_ADDR 267
+#define AUE_UMOUNT2 268 /* Solaris-specific. */
+#define AUE_FSAT 269 /* Solaris-specific. */
+#define AUE_OPENAT_R 270
+#define AUE_OPENAT_RC 271
+#define AUE_OPENAT_RT 272
+#define AUE_OPENAT_RTC 273
+#define AUE_OPENAT_W 274
+#define AUE_OPENAT_WC 275
+#define AUE_OPENAT_WT 276
+#define AUE_OPENAT_WTC 277
+#define AUE_OPENAT_RW 278
+#define AUE_OPENAT_RWC 279
+#define AUE_OPENAT_RWT 280
+#define AUE_OPENAT_RWTC 281
+#define AUE_RENAMEAT 282
+#define AUE_FSTATAT 283
+#define AUE_FCHOWNAT 284
+#define AUE_FUTIMESAT 285
+#define AUE_UNLINKAT 286
+#define AUE_CLOCK_SETTIME 287
+#define AUE_NTP_ADJTIME 288
+#define AUE_SETPPRIV 289 /* Solaris-specific. */
+#define AUE_MODDEVPLCY 290 /* Solaris-specific. */
+#define AUE_MODADDPRIV 291 /* Solaris-specific. */
+#define AUE_CRYPTOADM 292 /* Solaris-specific. */
+#define AUE_CONFIGKSSL 293 /* Solaris-specific. */
+#define AUE_BRANDSYS 294 /* Solaris-specific. */
+#define AUE_PF_POLICY_ADDRULE 295 /* Solaris-specific. */
+#define AUE_PF_POLICY_DELRULE 296 /* Solaris-specific. */
+#define AUE_PF_POLICY_CLONE 297 /* Solaris-specific. */
+#define AUE_PF_POLICY_FLIP 298 /* Solaris-specific. */
+#define AUE_PF_POLICY_FLUSH 299 /* Solaris-specific. */
+#define AUE_PF_POLICY_ALGS 300 /* Solaris-specific. */
+#define AUE_PORTFS 301 /* Solaris-specific. */
+
+/*
+ * Events added for Apple Darwin that potentially collide with future Solaris
+ * BSM events. These are assigned AUE_DARWIN prefixes, and are deprecated in
+ * new trails. Systems generating these events should switch to the new
+ * identifiers that avoid colliding with the Solaris identifier space.
+ */
+#define AUE_DARWIN_GETFSSTAT 301
+#define AUE_DARWIN_PTRACE 302
+#define AUE_DARWIN_CHFLAGS 303
+#define AUE_DARWIN_FCHFLAGS 304
+#define AUE_DARWIN_PROFILE 305
+#define AUE_DARWIN_KTRACE 306
+#define AUE_DARWIN_SETLOGIN 307
+#define AUE_DARWIN_REBOOT 308
+#define AUE_DARWIN_REVOKE 309
+#define AUE_DARWIN_UMASK 310
+#define AUE_DARWIN_MPROTECT 311
+#define AUE_DARWIN_SETPRIORITY 312
+#define AUE_DARWIN_SETTIMEOFDAY 313
+#define AUE_DARWIN_FLOCK 314
+#define AUE_DARWIN_MKFIFO 315
+#define AUE_DARWIN_POLL 316
+#define AUE_DARWIN_SOCKETPAIR 317
+#define AUE_DARWIN_FUTIMES 318
+#define AUE_DARWIN_SETSID 319
+#define AUE_DARWIN_SETPRIVEXEC 320 /* Darwin-specific. */
+#define AUE_DARWIN_NFSSVC 321
+#define AUE_DARWIN_GETFH 322
+#define AUE_DARWIN_QUOTACTL 323
+#define AUE_DARWIN_ADDPROFILE 324 /* Darwin-specific. */
+#define AUE_DARWIN_KDEBUGTRACE 325 /* Darwin-specific. */
+#define AUE_DARWIN_KDBUGTRACE AUE_KDEBUGTRACE
+#define AUE_DARWIN_FSTAT 326
+#define AUE_DARWIN_FPATHCONF 327
+#define AUE_DARWIN_GETDIRENTRIES 328
+#define AUE_DARWIN_TRUNCATE 329
+#define AUE_DARWIN_FTRUNCATE 330
+#define AUE_DARWIN_SYSCTL 331
+#define AUE_DARWIN_MLOCK 332
+#define AUE_DARWIN_MUNLOCK 333
+#define AUE_DARWIN_UNDELETE 334
+#define AUE_DARWIN_GETATTRLIST 335 /* Darwin-specific. */
+#define AUE_DARWIN_SETATTRLIST 336 /* Darwin-specific. */
+#define AUE_DARWIN_GETDIRENTRIESATTR 337 /* Darwin-specific. */
+#define AUE_DARWIN_EXCHANGEDATA 338 /* Darwin-specific. */
+#define AUE_DARWIN_SEARCHFS 339 /* Darwin-specific. */
+#define AUE_DARWIN_MINHERIT 340
+#define AUE_DARWIN_SEMCONFIG 341
+#define AUE_DARWIN_SEMOPEN 342
+#define AUE_DARWIN_SEMCLOSE 343
+#define AUE_DARWIN_SEMUNLINK 344
+#define AUE_DARWIN_SHMOPEN 345
+#define AUE_DARWIN_SHMUNLINK 346
+#define AUE_DARWIN_LOADSHFILE 347 /* Darwin-specific. */
+#define AUE_DARWIN_RESETSHFILE 348 /* Darwin-specific. */
+#define AUE_DARWIN_NEWSYSTEMSHREG 349 /* Darwin-specific. */
+#define AUE_DARWIN_PTHREADKILL 350 /* Darwin-specific. */
+#define AUE_DARWIN_PTHREADSIGMASK 351 /* Darwin-specific. */
+#define AUE_DARWIN_AUDITCTL 352
+#define AUE_DARWIN_RFORK 353
+#define AUE_DARWIN_LCHMOD 354
+#define AUE_DARWIN_SWAPOFF 355
+#define AUE_DARWIN_INITPROCESS 356 /* Darwin-specific. */
+#define AUE_DARWIN_MAPFD 357 /* Darwin-specific. */
+#define AUE_DARWIN_TASKFORPID 358 /* Darwin-specific. */
+#define AUE_DARWIN_PIDFORTASK 359 /* Darwin-specific. */
+#define AUE_DARWIN_SYSCTL_NONADMIN 360
+#define AUE_DARWIN_COPYFILE 361 /* Darwin-specific. */
+
+/*
+ * Audit event identifiers added as part of OpenBSM, generally corresponding
+ * to events in FreeBSD, Darwin, and Linux that were not present in Solaris.
+ * These often duplicate events added to the Solaris set by Darwin, but use
+ * event identifiers in a higher range in order to avoid colliding with
+ * future Solaris additions.
+ *
+ * If an event in this section is later added to Solaris, we prefer the
+ * Solaris event identifier, and add _OPENBSM_ to the OpenBSM-specific
+ * identifier so that old trails can still be processed, but new trails use
+ * the Solaris identifier.
+ */
+#define AUE_GETFSSTAT 43001
+#define AUE_PTRACE 43002
+#define AUE_CHFLAGS 43003
+#define AUE_FCHFLAGS 43004
+#define AUE_PROFILE 43005
+#define AUE_KTRACE 43006
+#define AUE_SETLOGIN 43007
+#define AUE_OPENBSM_REVOKE 43008 /* Solaris event now preferred. */
+#define AUE_UMASK 43009
+#define AUE_MPROTECT 43010
+#define AUE_MKFIFO 43011
+#define AUE_POLL 43012
+#define AUE_FUTIMES 43013
+#define AUE_SETSID 43014
+#define AUE_SETPRIVEXEC 43015 /* Darwin-specific. */
+#define AUE_ADDPROFILE 43016 /* Darwin-specific. */
+#define AUE_KDEBUGTRACE 43017 /* Darwin-specific. */
+#define AUE_KDBUGTRACE AUE_KDEBUGTRACE
+#define AUE_OPENBSM_FSTAT 43018 /* Solaris event now preferred. */
+#define AUE_FPATHCONF 43019
+#define AUE_GETDIRENTRIES 43020
+#define AUE_SYSCTL 43021
+#define AUE_MLOCK 43022
+#define AUE_MUNLOCK 43023
+#define AUE_UNDELETE 43024
+#define AUE_GETATTRLIST 43025 /* Darwin-specific. */
+#define AUE_SETATTRLIST 43026 /* Darwin-specific. */
+#define AUE_GETDIRENTRIESATTR 43027 /* Darwin-specific. */
+#define AUE_EXCHANGEDATA 43028 /* Darwin-specific. */
+#define AUE_SEARCHFS 43029 /* Darwin-specific. */
+#define AUE_MINHERIT 43030
+#define AUE_SEMCONFIG 43031
+#define AUE_SEMOPEN 43032
+#define AUE_SEMCLOSE 43033
+#define AUE_SEMUNLINK 43034
+#define AUE_SHMOPEN 43035
+#define AUE_SHMUNLINK 43036
+#define AUE_LOADSHFILE 43037 /* Darwin-specific. */
+#define AUE_RESETSHFILE 43038 /* Darwin-specific. */
+#define AUE_NEWSYSTEMSHREG 43039 /* Darwin-specific. */
+#define AUE_PTHREADKILL 43040 /* Darwin-specific. */
+#define AUE_PTHREADSIGMASK 43041 /* Darwin-specific. */
+#define AUE_AUDITCTL 43042
+#define AUE_RFORK 43043
+#define AUE_LCHMOD 43044
+#define AUE_SWAPOFF 43045
+#define AUE_INITPROCESS 43046 /* Darwin-specific. */
+#define AUE_MAPFD 43047 /* Darwin-specific. */
+#define AUE_TASKFORPID 43048 /* Darwin-specific. */
+#define AUE_PIDFORTASK 43049 /* Darwin-specific. */
+#define AUE_SYSCTL_NONADMIN 43050
+#define AUE_COPYFILE 43051 /* Darwin-specific. */
+
+/*
+ * Events added to OpenBSM for FreeBSD and Linux; may also be used by Darwin
+ * in the future.
+ */
+#define AUE_LUTIMES 43052
+#define AUE_LCHFLAGS 43053 /* FreeBSD-specific. */
+#define AUE_SENDFILE 43054 /* BSD/Linux-specific. */
+#define AUE_USELIB 43055 /* Linux-specific. */
+#define AUE_GETRESUID 43056
+#define AUE_SETRESUID 43057
+#define AUE_GETRESGID 43058
+#define AUE_SETRESGID 43059
+#define AUE_WAIT4 43060 /* FreeBSD-specific. */
+#define AUE_LGETFH 43061 /* FreeBSD-specific. */
+#define AUE_FHSTATFS 43062 /* FreeBSD-specific. */
+#define AUE_FHOPEN 43063 /* FreeBSD-specific. */
+#define AUE_FHSTAT 43064 /* FreeBSD-specific. */
+#define AUE_JAIL 43065 /* FreeBSD-specific. */
+#define AUE_EACCESS 43066 /* FreeBSD-specific. */
+#define AUE_KQUEUE 43067 /* FreeBSD-specific. */
+#define AUE_KEVENT 43068 /* FreeBSD-specific. */
+#define AUE_FSYNC 43069
+#define AUE_NMOUNT 43070 /* FreeBSD-specific. */
+#define AUE_BDFLUSH 43071 /* Linux-specific. */
+#define AUE_SETFSUID 43072 /* Linux-specific. */
+#define AUE_SETFSGID 43073 /* Linux-specific. */
+#define AUE_PERSONALITY 43074 /* Linux-specific. */
+#define AUE_SCHED_GETSCHEDULER 43075 /* POSIX.1b. */
+#define AUE_SCHED_SETSCHEDULER 43076 /* POSIX.1b. */
+#define AUE_PRCTL 43077 /* Linux-specific. */
+#define AUE_GETCWD 43078 /* FreeBSD/Linux-specific. */
+#define AUE_CAPGET 43079 /* Linux-specific. */
+#define AUE_CAPSET 43080 /* Linux-specific. */
+#define AUE_PIVOT_ROOT 43081 /* Linux-specific. */
+#define AUE_RTPRIO 43082 /* FreeBSD-specific. */
+#define AUE_SCHED_GETPARAM 43083 /* POSIX.1b. */
+#define AUE_SCHED_SETPARAM 43084 /* POSIX.1b. */
+#define AUE_SCHED_GET_PRIORITY_MAX 43085 /* POSIX.1b. */
+#define AUE_SCHED_GET_PRIORITY_MIN 43086 /* POSIX.1b. */
+#define AUE_SCHED_RR_GET_INTERVAL 43087 /* POSIX.1b. */
+#define AUE_ACL_GET_FILE 43088 /* FreeBSD. */
+#define AUE_ACL_SET_FILE 43089 /* FreeBSD. */
+#define AUE_ACL_GET_FD 43090 /* FreeBSD. */
+#define AUE_ACL_SET_FD 43091 /* FreeBSD. */
+#define AUE_ACL_DELETE_FILE 43092 /* FreeBSD. */
+#define AUE_ACL_DELETE_FD 43093 /* FreeBSD. */
+#define AUE_ACL_CHECK_FILE 43094 /* FreeBSD. */
+#define AUE_ACL_CHECK_FD 43095 /* FreeBSD. */
+#define AUE_ACL_GET_LINK 43096 /* FreeBSD. */
+#define AUE_ACL_SET_LINK 43097 /* FreeBSD. */
+#define AUE_ACL_DELETE_LINK 43098 /* FreeBSD. */
+#define AUE_ACL_CHECK_LINK 43099 /* FreeBSD. */
+#define AUE_SYSARCH 43100 /* FreeBSD. */
+#define AUE_EXTATTRCTL 43101 /* FreeBSD. */
+#define AUE_EXTATTR_GET_FILE 43102 /* FreeBSD. */
+#define AUE_EXTATTR_SET_FILE 43103 /* FreeBSD. */
+#define AUE_EXTATTR_LIST_FILE 43104 /* FreeBSD. */
+#define AUE_EXTATTR_DELETE_FILE 43105 /* FreeBSD. */
+#define AUE_EXTATTR_GET_FD 43106 /* FreeBSD. */
+#define AUE_EXTATTR_SET_FD 43107 /* FreeBSD. */
+#define AUE_EXTATTR_LIST_FD 43108 /* FreeBSD. */
+#define AUE_EXTATTR_DELETE_FD 43109 /* FreeBSD. */
+#define AUE_EXTATTR_GET_LINK 43110 /* FreeBSD. */
+#define AUE_EXTATTR_SET_LINK 43111 /* FreeBSD. */
+#define AUE_EXTATTR_LIST_LINK 43112 /* FreeBSD. */
+#define AUE_EXTATTR_DELETE_LINK 43113 /* FreeBSD. */
+#define AUE_KENV 43114 /* FreeBSD. */
+#define AUE_JAIL_ATTACH 43115 /* FreeBSD. */
+#define AUE_SYSCTL_WRITE 43116 /* FreeBSD. */
+#define AUE_IOPERM 43117 /* Linux. */
+#define AUE_READDIR 43118 /* Linux. */
+#define AUE_IOPL 43119 /* Linux. */
+#define AUE_VM86 43120 /* Linux. */
+#define AUE_MAC_GET_PROC 43121 /* FreeBSD/Darwin. */
+#define AUE_MAC_SET_PROC 43122 /* FreeBSD/Darwin. */
+#define AUE_MAC_GET_FD 43123 /* FreeBSD/Darwin. */
+#define AUE_MAC_GET_FILE 43124 /* FreeBSD/Darwin. */
+#define AUE_MAC_SET_FD 43125 /* FreeBSD/Darwin. */
+#define AUE_MAC_SET_FILE 43126 /* FreeBSD/Darwin. */
+#define AUE_MAC_SYSCALL 43127 /* FreeBSD. */
+#define AUE_MAC_GET_PID 43128 /* FreeBSD/Darwin. */
+#define AUE_MAC_GET_LINK 43129 /* FreeBSD/Darwin. */
+#define AUE_MAC_SET_LINK 43130 /* FreeBSD/Darwin. */
+#define AUE_MAC_EXECVE 43131 /* FreeBSD/Darwin. */
+#define AUE_GETPATH_FROMFD 43132 /* FreeBSD. */
+#define AUE_GETPATH_FROMADDR 43133 /* FreeBSD. */
+#define AUE_MQ_OPEN 43134 /* FreeBSD. */
+#define AUE_MQ_SETATTR 43135 /* FreeBSD. */
+#define AUE_MQ_TIMEDRECEIVE 43136 /* FreeBSD. */
+#define AUE_MQ_TIMEDSEND 43137 /* FreeBSD. */
+#define AUE_MQ_NOTIFY 43138 /* FreeBSD. */
+#define AUE_MQ_UNLINK 43139 /* FreeBSD. */
+#define AUE_LISTEN 43140 /* FreeBSD/Darwin/Linux. */
+#define AUE_MLOCKALL 43141 /* FreeBSD. */
+#define AUE_MUNLOCKALL 43142 /* FreeBSD. */
+#define AUE_CLOSEFROM 43143 /* FreeBSD. */
+#define AUE_FEXECVE 43144 /* FreeBSD. */
+#define AUE_FACCESSAT 43145 /* FreeBSD. */
+#define AUE_FCHMODAT 43146 /* FreeBSD. */
+#define AUE_LINKAT 43147 /* FreeBSD. */
+#define AUE_MKDIRAT 43148 /* FreeBSD. */
+#define AUE_MKFIFOAT 43149 /* FreeBSD. */
+#define AUE_MKNODAT 43150 /* FreeBSD. */
+#define AUE_READLINKAT 43151 /* FreeBSD. */
+#define AUE_SYMLINKAT 43152 /* FreeBSD. */
+#define AUE_MAC_GETFSSTAT 43153 /* Darwin. */
+#define AUE_MAC_GET_MOUNT 43154 /* Darwin. */
+#define AUE_MAC_GET_LCID 43155 /* Darwin. */
+#define AUE_MAC_GET_LCTX 43156 /* Darwin. */
+#define AUE_MAC_SET_LCTX 43157 /* Darwin. */
+#define AUE_MAC_MOUNT 43158 /* Darwin. */
+#define AUE_GETLCID 43159 /* Darwin. */
+#define AUE_SETLCID 43160 /* Darwin. */
+#define AUE_TASKNAMEFORPID 43161 /* Darwin. */
+#define AUE_ACCESS_EXTENDED 43162 /* Darwin. */
+#define AUE_CHMOD_EXTENDED 43163 /* Darwin. */
+#define AUE_FCHMOD_EXTENDED 43164 /* Darwin. */
+#define AUE_FSTAT_EXTENDED 43165 /* Dariwn. */
+#define AUE_LSTAT_EXTENDED 43166 /* Darwin. */
+#define AUE_MKDIR_EXTENDED 43167 /* Darwin. */
+#define AUE_MKFIFO_EXTENDED 43168 /* Darwin. */
+#define AUE_OPEN_EXTENDED 43169 /* Darwin. */
+#define AUE_OPEN_EXTENDED_R 43170 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RC 43171 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RT 43172 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RTC 43173 /* Darwin. */
+#define AUE_OPEN_EXTENDED_W 43174 /* Darwin. */
+#define AUE_OPEN_EXTENDED_WC 43175 /* Darwin. */
+#define AUE_OPEN_EXTENDED_WT 43176 /* Darwin. */
+#define AUE_OPEN_EXTENDED_WTC 43177 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RW 43178 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RWC 43179 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RWT 43180 /* Darwin. */
+#define AUE_OPEN_EXTENDED_RWTC 43181 /* Darwin. */
+#define AUE_STAT_EXTENDED 43182 /* Darwin. */
+#define AUE_UMASK_EXTENDED 43183 /* Darwin. */
+#define AUE_OPENAT 43184 /* FreeBSD. */
+#define AUE_POSIX_OPENPT 43185 /* FreeBSD. */
+#define AUE_CAP_NEW 43186 /* TrustedBSD. */
+#define AUE_CAP_GETRIGHTS 43187 /* TrustedBSD. */
+#define AUE_CAP_ENTER 43188 /* TrustedBSD. */
+#define AUE_CAP_GETMODE 43189 /* TrustedBSD. */
+
+/*
+ * Darwin BSM uses a number of AUE_O_* definitions, which are aliased to the
+ * normal Solaris BSM identifiers. _O_ refers to it being an old, or compat
+ * interface. In most cases, Darwin has never implemented these system calls
+ * but picked up the fields in their system call table from their FreeBSD
+ * import. Happily, these have different names than the AUE_O* definitions
+ * in Solaris BSM.
+ */
+#define AUE_O_CREAT AUE_OPEN_RWTC /* Darwin */
+#define AUE_O_EXECVE AUE_NULL /* Darwin */
+#define AUE_O_SBREAK AUE_NULL /* Darwin */
+#define AUE_O_LSEEK AUE_NULL /* Darwin */
+#define AUE_O_MOUNT AUE_NULL /* Darwin */
+#define AUE_O_UMOUNT AUE_NULL /* Darwin */
+#define AUE_O_STAT AUE_STAT /* Darwin */
+#define AUE_O_LSTAT AUE_LSTAT /* Darwin */
+#define AUE_O_FSTAT AUE_FSTAT /* Darwin */
+#define AUE_O_GETPAGESIZE AUE_NULL /* Darwin */
+#define AUE_O_VREAD AUE_NULL /* Darwin */
+#define AUE_O_VWRITE AUE_NULL /* Darwin */
+#define AUE_O_MMAP AUE_MMAP /* Darwin */
+#define AUE_O_VADVISE AUE_NULL /* Darwin */
+#define AUE_O_VHANGUP AUE_NULL /* Darwin */
+#define AUE_O_VLIMIT AUE_NULL /* Darwin */
+#define AUE_O_WAIT AUE_NULL /* Darwin */
+#define AUE_O_GETHOSTNAME AUE_NULL /* Darwin */
+#define AUE_O_SETHOSTNAME AUE_SYSCTL /* Darwin */
+#define AUE_O_GETDOPT AUE_NULL /* Darwin */
+#define AUE_O_SETDOPT AUE_NULL /* Darwin */
+#define AUE_O_ACCEPT AUE_NULL /* Darwin */
+#define AUE_O_SEND AUE_SENDMSG /* Darwin */
+#define AUE_O_RECV AUE_RECVMSG /* Darwin */
+#define AUE_O_VTIMES AUE_NULL /* Darwin */
+#define AUE_O_SIGVEC AUE_NULL /* Darwin */
+#define AUE_O_SIGBLOCK AUE_NULL /* Darwin */
+#define AUE_O_SIGSETMASK AUE_NULL /* Darwin */
+#define AUE_O_SIGSTACK AUE_NULL /* Darwin */
+#define AUE_O_RECVMSG AUE_RECVMSG /* Darwin */
+#define AUE_O_SENDMSG AUE_SENDMSG /* Darwin */
+#define AUE_O_VTRACE AUE_NULL /* Darwin */
+#define AUE_O_RESUBA AUE_NULL /* Darwin */
+#define AUE_O_RECVFROM AUE_RECVFROM /* Darwin */
+#define AUE_O_SETREUID AUE_SETREUID /* Darwin */
+#define AUE_O_SETREGID AUE_SETREGID /* Darwin */
+#define AUE_O_GETDIRENTRIES AUE_GETDIRENTRIES /* Darwin */
+#define AUE_O_TRUNCATE AUE_TRUNCATE /* Darwin */
+#define AUE_O_FTRUNCATE AUE_FTRUNCATE /* Darwin */
+#define AUE_O_GETPEERNAME AUE_NULL /* Darwin */
+#define AUE_O_GETHOSTID AUE_NULL /* Darwin */
+#define AUE_O_SETHOSTID AUE_NULL /* Darwin */
+#define AUE_O_GETRLIMIT AUE_NULL /* Darwin */
+#define AUE_O_SETRLIMIT AUE_SETRLIMIT /* Darwin */
+#define AUE_O_KILLPG AUE_KILL /* Darwin */
+#define AUE_O_SETQUOTA AUE_NULL /* Darwin */
+#define AUE_O_QUOTA AUE_NULL /* Darwin */
+#define AUE_O_GETSOCKNAME AUE_NULL /* Darwin */
+#define AUE_O_GETDIREENTRIES AUE_GETDIREENTRIES /* Darwin */
+#define AUE_O_ASYNCDAEMON AUE_NULL /* Darwin */
+#define AUE_O_GETDOMAINNAME AUE_NULL /* Darwin */
+#define AUE_O_SETDOMAINNAME AUE_SYSCTL /* Darwin */
+#define AUE_O_PCFS_MOUNT AUE_NULL /* Darwin */
+#define AUE_O_EXPORTFS AUE_NULL /* Darwin */
+#define AUE_O_USTATE AUE_NULL /* Darwin */
+#define AUE_O_WAIT3 AUE_NULL /* Darwin */
+#define AUE_O_RPAUSE AUE_NULL /* Darwin */
+#define AUE_O_GETDENTS AUE_NULL /* Darwin */
+
+/*
+ * Possible desired future values based on review of BSD/Darwin system calls.
+ */
+#define AUE_DUP AUE_NULL
+#define AUE_FSCTL AUE_NULL
+#define AUE_FSTATV AUE_NULL
+#define AUE_GCCONTROL AUE_NULL
+#define AUE_GETDTABLESIZE AUE_NULL
+#define AUE_GETEGID AUE_NULL
+#define AUE_GETEUID AUE_NULL
+#define AUE_GETGID AUE_NULL
+#define AUE_GETGROUPS AUE_NULL
+#define AUE_GETITIMER AUE_NULL
+#define AUE_GETLOGIN AUE_NULL
+#define AUE_GETPEERNAME AUE_NULL
+#define AUE_GETPGID AUE_NULL
+#define AUE_GETPGRP AUE_NULL
+#define AUE_GETPID AUE_NULL
+#define AUE_GETPPID AUE_NULL
+#define AUE_GETPRIORITY AUE_NULL
+#define AUE_GETRLIMIT AUE_NULL
+#define AUE_GETRUSAGE AUE_NULL
+#define AUE_GETSID AUE_NULL
+#define AUE_GETSOCKNAME AUE_NULL
+#define AUE_GETTIMEOFDAY AUE_NULL
+#define AUE_GETUID AUE_NULL
+#define AUE_GETSOCKOPT AUE_NULL
+#define AUE_GTSOCKOPT AUE_GETSOCKOPT /* XXX: Typo in Darwin. */
+#define AUE_ISSETUGID AUE_NULL
+#define AUE_LSTATV AUE_NULL
+#define AUE_MADVISE AUE_NULL
+#define AUE_MINCORE AUE_NULL
+#define AUE_MKCOMPLEX AUE_NULL
+#define AUE_MODWATCH AUE_NULL
+#define AUE_MSGCL AUE_NULL
+#define AUE_MSYNC AUE_NULL
+#define AUE_PREAD AUE_NULL
+#define AUE_PWRITE AUE_NULL
+#define AUE_PREADV AUE_NULL
+#define AUE_PWRITEV AUE_NULL
+#define AUE_SBRK AUE_NULL
+#define AUE_SELECT AUE_NULL
+#define AUE_SEMDESTROY AUE_NULL
+#define AUE_SEMGETVALUE AUE_NULL
+#define AUE_SEMINIT AUE_NULL
+#define AUE_SEMPOST AUE_NULL
+#define AUE_SEMTRYWAIT AUE_NULL
+#define AUE_SEMWAIT AUE_NULL
+#define AUE_SETITIMER AUE_NULL
+#define AUE_SIGACTION AUE_NULL
+#define AUE_SIGALTSTACK AUE_NULL
+#define AUE_SIGPENDING AUE_NULL
+#define AUE_SIGPROCMASK AUE_NULL
+#define AUE_SIGRETURN AUE_NULL
+#define AUE_SIGSUSPEND AUE_NULL
+#define AUE_SIGWAIT AUE_NULL
+#define AUE_SSTK AUE_NULL
+#define AUE_STATV AUE_NULL
+#define AUE_SYNC AUE_NULL
+#define AUE_SYSCALL AUE_NULL
+#define AUE_TABLE AUE_NULL
+#define AUE_WAITEVENT AUE_NULL
+#define AUE_WATCHEVENT AUE_NULL
+
+#endif /* !_BSM_AUDIT_KEVENTS_H_ */
diff --git a/sys/bsm/audit_record.h b/sys/bsm/audit_record.h
new file mode 100644
index 000000000000..ccca15b646d1
--- /dev/null
+++ b/sys/bsm/audit_record.h
@@ -0,0 +1,293 @@
+/*-
+ * Copyright (c) 2005-2008 Apple Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of Apple Inc. ("Apple") nor the names of
+ * its contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $P4: //depot/projects/trustedbsd/openbsm/sys/bsm/audit_record.h#3 $
+ */
+
+#ifndef _BSM_AUDIT_RECORD_H_
+#define _BSM_AUDIT_RECORD_H_
+
+#include <sys/time.h> /* struct timeval */
+
+/*
+ * Token type identifiers.
+ */
+#define AUT_INVALID 0x00
+#define AUT_OTHER_FILE32 0x11
+#define AUT_OHEADER 0x12
+#define AUT_TRAILER 0x13
+#define AUT_HEADER32 0x14
+#define AUT_HEADER32_EX 0x15
+#define AUT_DATA 0x21
+#define AUT_IPC 0x22
+#define AUT_PATH 0x23
+#define AUT_SUBJECT32 0x24
+#define AUT_XATPATH 0x25
+#define AUT_PROCESS32 0x26
+#define AUT_RETURN32 0x27
+#define AUT_TEXT 0x28
+#define AUT_OPAQUE 0x29
+#define AUT_IN_ADDR 0x2a
+#define AUT_IP 0x2b
+#define AUT_IPORT 0x2c
+#define AUT_ARG32 0x2d
+#define AUT_SOCKET 0x2e
+#define AUT_SEQ 0x2f
+#define AUT_ACL 0x30
+#define AUT_ATTR 0x31
+#define AUT_IPC_PERM 0x32
+#define AUT_LABEL 0x33
+#define AUT_GROUPS 0x34
+#define AUT_ACE 0x35
+#define AUT_PRIV 0x38
+#define AUT_UPRIV 0x39
+#define AUT_LIAISON 0x3a
+#define AUT_NEWGROUPS 0x3b
+#define AUT_EXEC_ARGS 0x3c
+#define AUT_EXEC_ENV 0x3d
+#define AUT_ATTR32 0x3e
+#define AUT_UNAUTH 0x3f
+#define AUT_XATOM 0x40
+#define AUT_XOBJ 0x41
+#define AUT_XPROTO 0x42
+#define AUT_XSELECT 0x43
+#define AUT_XCOLORMAP 0x44
+#define AUT_XCURSOR 0x45
+#define AUT_XFONT 0x46
+#define AUT_XGC 0x47
+#define AUT_XPIXMAP 0x48
+#define AUT_XPROPERTY 0x49
+#define AUT_XWINDOW 0x4a
+#define AUT_XCLIENT 0x4b
+#define AUT_CMD 0x51
+#define AUT_EXIT 0x52
+#define AUT_ZONENAME 0x60
+#define AUT_HOST 0x70
+#define AUT_ARG64 0x71
+#define AUT_RETURN64 0x72
+#define AUT_ATTR64 0x73
+#define AUT_HEADER64 0x74
+#define AUT_SUBJECT64 0x75
+#define AUT_PROCESS64 0x77
+#define AUT_OTHER_FILE64 0x78
+#define AUT_HEADER64_EX 0x79
+#define AUT_SUBJECT32_EX 0x7a
+#define AUT_PROCESS32_EX 0x7b
+#define AUT_SUBJECT64_EX 0x7c
+#define AUT_PROCESS64_EX 0x7d
+#define AUT_IN_ADDR_EX 0x7e
+#define AUT_SOCKET_EX 0x7f
+
+/*
+ * Pre-64-bit BSM, 32-bit tokens weren't explicitly named as '32'. We have
+ * compatibility defines.
+ */
+#define AUT_HEADER AUT_HEADER32
+#define AUT_ARG AUT_ARG32
+#define AUT_RETURN AUT_RETURN32
+#define AUT_SUBJECT AUT_SUBJECT32
+#define AUT_PROCESS AUT_PROCESS32
+#define AUT_OTHER_FILE AUT_OTHER_FILE32
+
+/*
+ * The values for the following token ids are not defined by BSM.
+ *
+ * XXXRW: Not sure how to handle these in OpenBSM yet, but I'll give them
+ * names more consistent with Sun's BSM. These originally came from Apple's
+ * BSM.
+ */
+#define AUT_SOCKINET32 0x80 /* XXX */
+#define AUT_SOCKINET128 0x81 /* XXX */
+#define AUT_SOCKUNIX 0x82 /* XXX */
+
+/* print values for the arbitrary token */
+#define AUP_BINARY 0
+#define AUP_OCTAL 1
+#define AUP_DECIMAL 2
+#define AUP_HEX 3
+#define AUP_STRING 4
+
+/* data-types for the arbitrary token */
+#define AUR_BYTE 0
+#define AUR_CHAR AUR_BYTE
+#define AUR_SHORT 1
+#define AUR_INT32 2
+#define AUR_INT AUR_INT32
+#define AUR_INT64 3
+
+/* ... and their sizes */
+#define AUR_BYTE_SIZE sizeof(u_char)
+#define AUR_CHAR_SIZE AUR_BYTE_SIZE
+#define AUR_SHORT_SIZE sizeof(uint16_t)
+#define AUR_INT32_SIZE sizeof(uint32_t)
+#define AUR_INT_SIZE AUR_INT32_SIZE
+#define AUR_INT64_SIZE sizeof(uint64_t)
+
+/* Modifiers for the header token */
+#define PAD_NOTATTR 0x4000 /* nonattributable event */
+#define PAD_FAILURE 0x8000 /* fail audit event */
+
+#define AUDIT_MAX_GROUPS 16
+
+/*
+ * A number of BSM versions are floating around and defined. Here are
+ * constants for them. OpenBSM uses the same token types, etc, used in the
+ * Solaris BSM version, but has a separate version number in order to
+ * identify a potentially different event identifier name space.
+ */
+#define AUDIT_HEADER_VERSION_OLDDARWIN 1 /* In retrospect, a mistake. */
+#define AUDIT_HEADER_VERSION_SOLARIS 2
+#define AUDIT_HEADER_VERSION_TSOL25 3
+#define AUDIT_HEADER_VERSION_TSOL 4
+#define AUDIT_HEADER_VERSION_OPENBSM 10
+
+/*
+ * BSM define is AUT_TRAILER_MAGIC; Apple BSM define is TRAILER_PAD_MAGIC; we
+ * split the difference, will remove the Apple define for the next release.
+ */
+#define AUT_TRAILER_MAGIC 0xb105
+#define TRAILER_PAD_MAGIC AUT_TRAILER_MAGIC
+
+/* BSM library calls */
+
+__BEGIN_DECLS
+
+struct in_addr;
+struct in6_addr;
+struct ip;
+struct ipc_perm;
+struct kevent;
+struct sockaddr_in;
+struct sockaddr_in6;
+struct sockaddr_un;
+#if defined(_KERNEL) || defined(KERNEL)
+struct vnode_au_info;
+#endif
+
+int au_open(void);
+int au_write(int d, token_t *m);
+int au_close(int d, int keep, short event);
+int au_close_buffer(int d, short event, u_char *buffer, size_t *buflen);
+int au_close_token(token_t *tok, u_char *buffer, size_t *buflen);
+
+token_t *au_to_file(const char *file, struct timeval tm);
+
+token_t *au_to_header32_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
+token_t *au_to_header32_ex_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm, struct auditinfo_addr *aia);
+token_t *au_to_header64_tm(int rec_size, au_event_t e_type, au_emod_t e_mod,
+ struct timeval tm);
+#if !defined(KERNEL) && !defined(_KERNEL)
+token_t *au_to_header(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_header_ex(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_header32(int rec_size, au_event_t e_type, au_emod_t e_mod);
+token_t *au_to_header64(int rec_size, au_event_t e_type, au_emod_t e_mod);
+#endif
+
+token_t *au_to_me(void);
+token_t *au_to_arg(char n, const char *text, uint32_t v);
+token_t *au_to_arg32(char n, const char *text, uint32_t v);
+token_t *au_to_arg64(char n, const char *text, uint64_t v);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_attr(struct vnode_au_info *vni);
+token_t *au_to_attr32(struct vnode_au_info *vni);
+token_t *au_to_attr64(struct vnode_au_info *vni);
+#endif
+
+token_t *au_to_data(char unit_print, char unit_type, char unit_count,
+ const char *p);
+token_t *au_to_exit(int retval, int err);
+token_t *au_to_groups(int *groups);
+token_t *au_to_newgroups(uint16_t n, gid_t *groups);
+token_t *au_to_in_addr(struct in_addr *internet_addr);
+token_t *au_to_in_addr_ex(struct in6_addr *internet_addr);
+token_t *au_to_ip(struct ip *ip);
+token_t *au_to_ipc(char type, int id);
+token_t *au_to_ipc_perm(struct ipc_perm *perm);
+token_t *au_to_iport(uint16_t iport);
+token_t *au_to_opaque(const char *data, uint16_t bytes);
+token_t *au_to_path(const char *path);
+token_t *au_to_process(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_process_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_process32_ex(au_id_t auid, uid_t euid, gid_t egid,
+ uid_t ruid, gid_t rgid, pid_t pid, au_asid_t sid,
+ au_tid_addr_t *tid);
+token_t *au_to_process64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_return(char status, uint32_t ret);
+token_t *au_to_return32(char status, uint32_t ret);
+token_t *au_to_return64(char status, uint64_t ret);
+token_t *au_to_seq(long audit_count);
+
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_socket(struct socket *so);
+token_t *au_to_socket_ex_32(uint16_t lp, uint16_t rp, struct sockaddr *la,
+ struct sockaddr *ta);
+token_t *au_to_socket_ex_128(uint16_t lp, uint16_t rp, struct sockaddr *la,
+ struct sockaddr *ta);
+#endif
+
+token_t *au_to_sock_inet(struct sockaddr_in *so);
+token_t *au_to_sock_inet32(struct sockaddr_in *so);
+token_t *au_to_sock_inet128(struct sockaddr_in6 *so);
+token_t *au_to_sock_unix(struct sockaddr_un *so);
+token_t *au_to_subject(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject32(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject64(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_t *tid);
+token_t *au_to_subject_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_subject32_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+token_t *au_to_subject64_ex(au_id_t auid, uid_t euid, gid_t egid, uid_t ruid,
+ gid_t rgid, pid_t pid, au_asid_t sid, au_tid_addr_t *tid);
+#if defined(_KERNEL) || defined(KERNEL)
+token_t *au_to_exec_args(const char *args, int argc);
+token_t *au_to_exec_env(const char *envs, int envc);
+#else
+token_t *au_to_exec_args(char **argv);
+token_t *au_to_exec_env(char **envp);
+#endif
+token_t *au_to_text(const char *text);
+token_t *au_to_kevent(struct kevent *kev);
+token_t *au_to_trailer(int rec_size);
+token_t *au_to_zonename(const char *zonename);
+
+__END_DECLS
+
+#endif /* ! _BSM_AUDIT_RECORD_H_ */