/*-
* xnumon - monitor macOS for malicious activity
* https://www.roe.ch/xnumon
*
* Copyright (c) 2017-2019, Daniel Roethlisberger <daniel@roe.ch>.
* All rights reserved.
*
* Licensed under the Open Software License version 3.0.
*/
#ifndef LOGEVT_H
#define LOGEVT_H
#include "logfmt.h"
#include "config.h"
#include "attrib.h"
#include "tommylist.h"
#include <time.h>
#include <stdint.h>
#include <stdio.h>
/*
* LOGEVT_VERSION must be incremented whenever the semantics or syntax of the
* log events change in any of the log formats. Adding information without
* breaking backwards compatibility also counts as a change. This is to
* facilitate compatibility management of tooling and data processing that
* depends on specific data being presented in specific ways. The config
* dump in eventcode 0 is not considered part of the log event schema.
*
* LOGEVT_VERSION is only incremented at most once per xnumon release, which
* means that changes may happen between different commits during development
* without increasing LOGEVT_VERSION every time.
*/
#define LOGEVT_VERSION 7 /* log event schema version, see the note above */
/*
* The logevt_header_t struct below must be the very first member of every
* log event data struct passed to work_submit and log_submit.
*/
/*
 * Per-event callbacks stored in logevt_header_t. The void * argument is
 * presumably the event struct itself (header first) — confirm against the
 * callers of le_work/le_free in logevt.c / work.c. le_work returns an int
 * status; le_free releases whatever the event owns.
 */
typedef int (*logevt_work_func_t)(void *);
typedef void (*logevt_free_func_t)(void *);
/*
 * Common header embedded as the first member of every log event struct.
 */
typedef struct {
	/*
	 * Event type, one of the LOGEVT_* codes defined below. The code is
	 * also used as the bit position in LOGEVT_FLAG(), so it must stay
	 * below LOGEVT_SIZE (and well below the width of int, or the shift
	 * is undefined). NOTE(review): LOGEVT_SIZE suggests the code is also
	 * used to index a per-type table; any code that does so must range
	 * check code < LOGEVT_SIZE first — verify in logevt.c.
	 */
	uint64_t code;
#define LOGEVT_XNUMON_OPS 0 /* xnumon_ops_t */
#define LOGEVT_XNUMON_STATS 1 /* evtloop_stat_t */
#define LOGEVT_IMAGE_EXEC 2 /* image_exec_t */
#define LOGEVT_PROCESS_ACCESS 3 /* process_access_t */
#define LOGEVT_LAUNCHD_ADD 4 /* launchd_add_t */
#define LOGEVT_SOCKET_LISTEN 5 /* socket_listen_t */
#define LOGEVT_SOCKET_ACCEPT 6 /* socket_accept_t */
#define LOGEVT_SOCKET_CONNECT 7 /* socket_connect_t */
#define LOGEVT_SIZE 8 /* number of event types; not itself a valid code */
	/* Timestamp carried with the event (presumably when it was recorded). */
	struct timespec tv;
	/* Callback that performs the work for this event. */
	logevt_work_func_t le_work;
	/* Callback that frees this event. */
	logevt_free_func_t le_free;
	/* Intrusive list linkage (tommylist). */
	tommy_node node;
} logevt_header_t;
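/*
 * Bit-mask helpers over the LOGEVT_* event codes.
 *
 * LOGEVT_FLAG(E)   - single-bit mask for event code E; E must be a small
 *                    non-negative code (< LOGEVT_SIZE), larger shifts of an
 *                    int are undefined behaviour.
 * LOGEVT_WANT(F,E) - non-zero if any bit of mask E is set in mask F.
 */
#define LOGEVT_FLAG(E) (1 << (E))
#define LOGEVT_WANT(F,E) ((E) & (F))
/*
 * Event groups produced by the individual monitors. Each group is fully
 * parenthesized: & binds tighter than |, so an unparenthesized
 * `a|b|c & x` would parse as `a|b|(c & x)` and silently yield the wrong
 * mask wherever the group is used outside LOGEVT_WANT().
 */
#define LOGEVT_HACKMON (LOGEVT_FLAG(LOGEVT_PROCESS_ACCESS))
#define LOGEVT_FILEMON (LOGEVT_FLAG(LOGEVT_LAUNCHD_ADD))
#define LOGEVT_SOCKMON (LOGEVT_FLAG(LOGEVT_SOCKET_LISTEN)|\
                        LOGEVT_FLAG(LOGEVT_SOCKET_ACCEPT)|\
                        LOGEVT_FLAG(LOGEVT_SOCKET_CONNECT))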
/*
 * Payload of a LOGEVT_XNUMON_OPS event (event code 0).
 */
typedef struct {
	/* Must stay the first member, see logevt_header_t. */
	logevt_header_t hdr;
	/* Operation subtype string; ownership/lifetime is not visible here —
	 * presumably a static string, verify where xnumon_ops_t is built. */
	const char *subtype;
} xnumon_ops_t;
/*
 * Per-event-type formatters, one per LOGEVT_* code, listed in code order.
 * Each receives the log format, the output stream and the event as void *
 * (the struct named in the LOGEVT_* comment, with logevt_header_t first)
 * and returns an int status (presumably 0 on success, -1 on failure — as
 * with the rest of the code base; verify in logevt.c). All three pointer
 * arguments must be non-NULL (NONNULL) and the result must not be ignored
 * (WUNRES). The void * is trusted to point at the struct matching the
 * formatter; the dispatcher that selects the formatter from hdr.code is
 * responsible for that invariant and for range checking the code.
 */
int logevt_xnumon_ops(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_xnumon_stats(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_image_exec(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_process_access(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_launchd_add(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_socket_listen(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_socket_accept(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
int logevt_socket_connect(logfmt_t *, FILE *, void *) NONNULL(1,2,3) WUNRES;
/* Module initialisation from the loaded configuration (details in logevt.c). */
void logevt_init(config_t *);
#endif