bsm_io.c revision 293161
1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36#include <sys/types.h> 37 38#include <config/config.h> 39 40#ifdef USE_ENDIAN_H 41#include <endian.h> 42#endif 43#ifdef USE_SYS_ENDIAN_H 44#include <sys/endian.h> 45#endif 46#ifdef USE_MACHINE_ENDIAN_H 47#include <machine/endian.h> 48#endif 49#ifdef USE_COMPAT_ENDIAN_H 50#include <compat/endian.h> 51#endif 52#ifdef USE_COMPAT_ENDIAN_ENC_H 53#include <compat/endian_enc.h> 54#endif 55 56#ifdef HAVE_FULL_QUEUE_H 57#include <sys/queue.h> 58#else /* !HAVE_FULL_QUEUE_H */ 59#include <compat/queue.h> 60#endif /* !HAVE_FULL_QUEUE_H */ 61 62#include <sys/stat.h> 63#include <sys/socket.h> 64 65#include <bsm/libbsm.h> 66 67#include <unistd.h> 68#include <netinet/in.h> 69#include <arpa/inet.h> 70#include <errno.h> 71#include <time.h> 72#include <stdlib.h> 73#include <stdio.h> 74#include <string.h> 75#include <pwd.h> 76#include <grp.h> 77 78#ifdef HAVE_VIS 79#include <vis.h> 80#else 81#include <compat/vis.h> 82#endif 83 84#include <bsm/audit_internal.h> 85 86#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 87 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 88 (err) = 1; \ 89 } else { \ 90 memcpy((dest), (buf) + (bytesread), (size)); \ 91 bytesread += size; \ 92 } \ 93} while (0) 94 95#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 96 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 97 (dest) = buf[(bytesread)]; \ 98 (bytesread) += sizeof(u_char); \ 99 } else \ 100 (err) = 1; \ 101} while (0) 102 103#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 104 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 105 (dest) = be16dec((buf) + (bytesread)); \ 106 (bytesread) += sizeof(u_int16_t); \ 107 } else \ 108 (err) = 1; \ 109} while (0) 110 111#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 112 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 113 (dest) = be32dec((buf) + (bytesread)); \ 114 (bytesread) += sizeof(u_int32_t); \ 115 } else \ 116 (err) = 1; \ 117} while (0) 118 119#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 120 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 121 dest = be64dec((buf) + (bytesread)); \ 122 (bytesread) += sizeof(u_int64_t); \ 123 } else \ 124 (err) = 1; \ 125} while (0) 126 127#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 128 if ((bytesread) + (size) > (u_int32_t)(len)) \ 129 (err) = 1; \ 130 else { \ 131 (ptr) = (buf) + (bytesread); \ 132 (bytesread) += (size); \ 133 } \ 134} while (0) 135 136/* 137 * XML option. 138 */ 139#define AU_PLAIN 0 140#define AU_XML 1 141 142/* 143 * Prints the delimiter string. 144 */ 145static void 146print_delim(FILE *fp, const char *del) 147{ 148 149 fprintf(fp, "%s", del); 150} 151 152/* 153 * Prints a single byte in the given format. 154 */ 155static void 156print_1_byte(FILE *fp, u_char val, const char *format) 157{ 158 159 fprintf(fp, format, val); 160} 161 162/* 163 * Print 2 bytes in the given format. 164 */ 165static void 166print_2_bytes(FILE *fp, u_int16_t val, const char *format) 167{ 168 169 fprintf(fp, format, val); 170} 171 172/* 173 * Prints 4 bytes in the given format. 174 */ 175static void 176print_4_bytes(FILE *fp, u_int32_t val, const char *format) 177{ 178 179 fprintf(fp, format, val); 180} 181 182/* 183 * Prints 8 bytes in the given format. 184 */ 185static void 186print_8_bytes(FILE *fp, u_int64_t val, const char *format) 187{ 188 189 fprintf(fp, format, val); 190} 191 192/* 193 * Prints the given size of data bytes in hex. 194 */ 195static void 196print_mem(FILE *fp, u_char *data, size_t len) 197{ 198 u_int32_t i; 199 200 if (len > 0) { 201 fprintf(fp, "0x"); 202 for (i = 0; i < len; i++) 203 fprintf(fp, "%02x", data[i]); 204 } 205} 206 207/* 208 * Prints the given data bytes as a string. 209 */ 210static void 211print_string(FILE *fp, const char *str, size_t len) 212{ 213 u_int32_t i; 214 215 if (len > 0) { 216 for (i = 0; i < len; i++) { 217 if (str[i] != '\0') 218 fprintf(fp, "%c", str[i]); 219 } 220 } 221} 222 223/* 224 * Prints the given data bytes as an XML-sanitized string. 225 */ 226static void 227print_xml_string(FILE *fp, const char *str, size_t len) 228{ 229 u_int32_t i; 230 char visbuf[5]; 231 232 if (len == 0) 233 return; 234 235 for (i = 0; i < len; i++) { 236 switch (str[i]) { 237 case '\0': 238 return; 239 240 case '&': 241 (void) fprintf(fp, "&"); 242 break; 243 244 case '<': 245 (void) fprintf(fp, "<"); 246 break; 247 248 case '>': 249 (void) fprintf(fp, ">"); 250 break; 251 252 case '\"': 253 (void) fprintf(fp, """); 254 break; 255 256 case '\'': 257 (void) fprintf(fp, "'"); 258 break; 259 260 default: 261 (void) vis(visbuf, str[i], VIS_CSTYLE, 0); 262 (void) fprintf(fp, "%s", visbuf); 263 break; 264 } 265 } 266} 267 268/* 269 * Prints the beginning of an attribute. 270 */ 271static void 272open_attr(FILE *fp, const char *str) 273{ 274 275 fprintf(fp,"%s=\"", str); 276} 277 278/* 279 * Prints the end of an attribute. 280 */ 281static void 282close_attr(FILE *fp) 283{ 284 285 fprintf(fp,"\" "); 286} 287 288/* 289 * Prints the end of a tag. 290 */ 291static void 292close_tag(FILE *fp, u_char type) 293{ 294 295 switch(type) { 296 case AUT_HEADER32: 297 fprintf(fp, ">"); 298 break; 299 300 case AUT_HEADER32_EX: 301 fprintf(fp, ">"); 302 break; 303 304 case AUT_HEADER64: 305 fprintf(fp, ">"); 306 break; 307 308 case AUT_HEADER64_EX: 309 fprintf(fp, ">"); 310 break; 311 312 case AUT_ARG32: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_ARG64: 317 fprintf(fp, "/>"); 318 break; 319 320 case AUT_ATTR32: 321 fprintf(fp, "/>"); 322 break; 323 324 case AUT_ATTR64: 325 fprintf(fp, "/>"); 326 break; 327 328 case AUT_EXIT: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_EXEC_ARGS: 333 fprintf(fp, "</exec_args>"); 334 break; 335 336 case AUT_EXEC_ENV: 337 fprintf(fp, "</exec_env>"); 338 break; 339 340 case AUT_OTHER_FILE32: 341 fprintf(fp, "</file>"); 342 break; 343 344 case AUT_NEWGROUPS: 345 fprintf(fp, "</group>"); 346 break; 347 348 case AUT_IN_ADDR: 349 fprintf(fp, "</ip_address>"); 350 break; 351 352 case AUT_IN_ADDR_EX: 353 fprintf(fp, "</ip_address>"); 354 break; 355 356 case AUT_IP: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_IPC: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_IPC_PERM: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_IPORT: 369 fprintf(fp, "</ip_port>"); 370 break; 371 372 case AUT_OPAQUE: 373 fprintf(fp, "</opaque>"); 374 break; 375 376 case AUT_PATH: 377 fprintf(fp, "</path>"); 378 break; 379 380 case AUT_PROCESS32: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_PROCESS32_EX: 385 fprintf(fp, "/>"); 386 break; 387 388 case AUT_PROCESS64: 389 fprintf(fp, "/>"); 390 break; 391 392 case AUT_PROCESS64_EX: 393 fprintf(fp, "/>"); 394 break; 395 396 case AUT_RETURN32: 397 fprintf(fp, "/>"); 398 break; 399 400 case AUT_RETURN64: 401 fprintf(fp, "/>"); 402 break; 403 404 case AUT_SEQ: 405 fprintf(fp, "/>"); 406 break; 407 408 case AUT_SOCKET: 409 fprintf(fp, "/>"); 410 break; 411 412 case AUT_SOCKINET32: 413 fprintf(fp, "/>"); 414 break; 415 416 case AUT_SOCKUNIX: 417 fprintf(fp, "/>"); 418 break; 419 420 case AUT_SOCKINET128: 421 fprintf(fp, "/>"); 422 break; 423 424 case AUT_SUBJECT32: 425 fprintf(fp, "/>"); 426 break; 427 428 case AUT_SUBJECT64: 429 fprintf(fp, "/>"); 430 break; 431 432 case AUT_SUBJECT32_EX: 433 fprintf(fp, "/>"); 434 break; 435 436 case AUT_SUBJECT64_EX: 437 fprintf(fp, "/>"); 438 break; 439 440 case AUT_TEXT: 441 fprintf(fp, "</text>"); 442 break; 443 444 case AUT_SOCKET_EX: 445 fprintf(fp, "/>"); 446 break; 447 448 case AUT_DATA: 449 fprintf(fp, "</arbitrary>"); 450 break; 451 452 case AUT_ZONENAME: 453 fprintf(fp, "/>"); 454 break; 455 } 456} 457 458/* 459 * Prints the token type in either the raw or the default form. 460 */ 461static void 462print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags) 463{ 464 465 if (oflags & AU_OFLAG_XML) { 466 switch(type) { 467 case AUT_HEADER32: 468 fprintf(fp, "<record "); 469 break; 470 471 case AUT_HEADER32_EX: 472 fprintf(fp, "<record "); 473 break; 474 475 case AUT_HEADER64: 476 fprintf(fp, "<record "); 477 break; 478 479 case AUT_HEADER64_EX: 480 fprintf(fp, "<record "); 481 break; 482 483 case AUT_TRAILER: 484 fprintf(fp, "</record>"); 485 break; 486 487 case AUT_ARG32: 488 fprintf(fp, "<argument "); 489 break; 490 491 case AUT_ARG64: 492 fprintf(fp, "<argument "); 493 break; 494 495 case AUT_ATTR32: 496 fprintf(fp, "<attribute "); 497 break; 498 499 case AUT_ATTR64: 500 fprintf(fp, "<attribute "); 501 break; 502 503 case AUT_EXIT: 504 fprintf(fp, "<exit "); 505 break; 506 507 case AUT_EXEC_ARGS: 508 fprintf(fp, "<exec_args>"); 509 break; 510 511 case AUT_EXEC_ENV: 512 fprintf(fp, "<exec_env>"); 513 break; 514 515 case AUT_OTHER_FILE32: 516 fprintf(fp, "<file "); 517 break; 518 519 case AUT_NEWGROUPS: 520 fprintf(fp, "<group>"); 521 break; 522 523 case AUT_IN_ADDR: 524 fprintf(fp, "<ip_address>"); 525 break; 526 527 case AUT_IN_ADDR_EX: 528 fprintf(fp, "<ip_address>"); 529 break; 530 531 case AUT_IP: 532 fprintf(fp, "<ip "); 533 break; 534 535 case AUT_IPC: 536 fprintf(fp, "<IPC"); 537 break; 538 539 case AUT_IPC_PERM: 540 fprintf(fp, "<IPC_perm "); 541 break; 542 543 case AUT_IPORT: 544 fprintf(fp, "<ip_port>"); 545 break; 546 547 case AUT_OPAQUE: 548 fprintf(fp, "<opaque>"); 549 break; 550 551 case AUT_PATH: 552 fprintf(fp, "<path>"); 553 break; 554 555 case AUT_PROCESS32: 556 fprintf(fp, "<process "); 557 break; 558 559 case AUT_PROCESS32_EX: 560 fprintf(fp, "<process "); 561 break; 562 563 case AUT_PROCESS64: 564 fprintf(fp, "<process "); 565 break; 566 567 case AUT_PROCESS64_EX: 568 fprintf(fp, "<process "); 569 break; 570 571 case AUT_RETURN32: 572 fprintf(fp, "<return "); 573 break; 574 575 case AUT_RETURN64: 576 fprintf(fp, "<return "); 577 break; 578 579 case AUT_SEQ: 580 fprintf(fp, "<sequence "); 581 break; 582 583 case AUT_SOCKET: 584 fprintf(fp, "<socket "); 585 break; 586 587 case AUT_SOCKINET32: 588 fprintf(fp, "<socket-inet "); 589 break; 590 591 case AUT_SOCKUNIX: 592 fprintf(fp, "<socket-unix "); 593 break; 594 595 case AUT_SOCKINET128: 596 fprintf(fp, "<socket-inet6 "); 597 break; 598 599 case AUT_SUBJECT32: 600 fprintf(fp, "<subject "); 601 break; 602 603 case AUT_SUBJECT64: 604 fprintf(fp, "<subject "); 605 break; 606 607 case AUT_SUBJECT32_EX: 608 fprintf(fp, "<subject "); 609 break; 610 611 case AUT_SUBJECT64_EX: 612 fprintf(fp, "<subject "); 613 break; 614 615 case AUT_TEXT: 616 fprintf(fp, "<text>"); 617 break; 618 619 case AUT_SOCKET_EX: 620 fprintf(fp, "<socket "); 621 break; 622 623 case AUT_DATA: 624 fprintf(fp, "<arbitrary "); 625 break; 626 627 case AUT_ZONENAME: 628 fprintf(fp, "<zone "); 629 break; 630 } 631 } else { 632 if (oflags & AU_OFLAG_RAW) 633 fprintf(fp, "%u", type); 634 else 635 fprintf(fp, "%s", tokname); 636 } 637} 638 639/* 640 * Prints a user value. 641 */ 642static void 643print_user(FILE *fp, u_int32_t usr, int oflags) 644{ 645 struct passwd *pwent; 646 647 if (oflags & AU_OFLAG_RAW) 648 fprintf(fp, "%d", usr); 649 else { 650 pwent = getpwuid(usr); 651 if (pwent != NULL) 652 fprintf(fp, "%s", pwent->pw_name); 653 else 654 fprintf(fp, "%d", usr); 655 } 656} 657 658/* 659 * Prints a group value. 660 */ 661static void 662print_group(FILE *fp, u_int32_t grp, int oflags) 663{ 664 struct group *grpent; 665 666 if (oflags & AU_OFLAG_RAW) 667 fprintf(fp, "%d", grp); 668 else { 669 grpent = getgrgid(grp); 670 if (grpent != NULL) 671 fprintf(fp, "%s", grpent->gr_name); 672 else 673 fprintf(fp, "%d", grp); 674 } 675} 676 677/* 678 * Prints the event from the header token in either the short, default or raw 679 * form. 680 */ 681static void 682print_event(FILE *fp, u_int16_t ev, int oflags) 683{ 684 char event_ent_name[AU_EVENT_NAME_MAX]; 685 char event_ent_desc[AU_EVENT_DESC_MAX]; 686 struct au_event_ent e, *ep; 687 688 bzero(&e, sizeof(e)); 689 bzero(event_ent_name, sizeof(event_ent_name)); 690 bzero(event_ent_desc, sizeof(event_ent_desc)); 691 e.ae_name = event_ent_name; 692 e.ae_desc = event_ent_desc; 693 694 ep = getauevnum_r(&e, ev); 695 if (ep == NULL) { 696 fprintf(fp, "%u", ev); 697 return; 698 } 699 700 if (oflags & AU_OFLAG_RAW) 701 fprintf(fp, "%u", ev); 702 else if (oflags & AU_OFLAG_SHORT) 703 fprintf(fp, "%s", e.ae_name); 704 else 705 fprintf(fp, "%s", e.ae_desc); 706} 707 708 709/* 710 * Prints the event modifier from the header token in either the default or 711 * raw form. 712 */ 713static void 714print_evmod(FILE *fp, u_int16_t evmod, int oflags) 715{ 716 if (oflags & AU_OFLAG_RAW) 717 fprintf(fp, "%u", evmod); 718 else 719 fprintf(fp, "%u", evmod); 720} 721 722/* 723 * Prints seconds in the ctime format. 724 */ 725static void 726print_sec32(FILE *fp, u_int32_t sec, int oflags) 727{ 728 time_t timestamp; 729 char timestr[26]; 730 731 if (oflags & AU_OFLAG_RAW) 732 fprintf(fp, "%u", sec); 733 else { 734 timestamp = (time_t)sec; 735 ctime_r(×tamp, timestr); 736 timestr[24] = '\0'; /* No new line */ 737 fprintf(fp, "%s", timestr); 738 } 739} 740 741/* 742 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 743 * assume a 32-bit time_t, we simply truncate for now. 744 */ 745static void 746print_sec64(FILE *fp, u_int64_t sec, int oflags) 747{ 748 time_t timestamp; 749 char timestr[26]; 750 751 if (oflags & AU_OFLAG_RAW) 752 fprintf(fp, "%u", (u_int32_t)sec); 753 else { 754 timestamp = (time_t)sec; 755 ctime_r(×tamp, timestr); 756 timestr[24] = '\0'; /* No new line */ 757 fprintf(fp, "%s", timestr); 758 } 759} 760 761/* 762 * Prints the excess milliseconds. 763 */ 764static void 765print_msec32(FILE *fp, u_int32_t msec, int oflags) 766{ 767 if (oflags & AU_OFLAG_RAW) 768 fprintf(fp, "%u", msec); 769 else 770 fprintf(fp, " + %u msec", msec); 771} 772 773/* 774 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 775 * a 32-bit msec, we simply truncate for now. 776 */ 777static void 778print_msec64(FILE *fp, u_int64_t msec, int oflags) 779{ 780 781 msec &= 0xffffffff; 782 if (oflags & AU_OFLAG_RAW) 783 fprintf(fp, "%u", (u_int32_t)msec); 784 else 785 fprintf(fp, " + %u msec", (u_int32_t)msec); 786} 787 788/* 789 * Prints a dotted form for the IP address. 790 */ 791static void 792print_ip_address(FILE *fp, u_int32_t ip) 793{ 794 struct in_addr ipaddr; 795 796 ipaddr.s_addr = ip; 797 fprintf(fp, "%s", inet_ntoa(ipaddr)); 798} 799 800/* 801 * Prints a string value for the given ip address. 802 */ 803static void 804print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 805{ 806 struct in_addr ipv4; 807 struct in6_addr ipv6; 808 char dst[INET6_ADDRSTRLEN]; 809 810 switch (type) { 811 case AU_IPv4: 812 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 813 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 814 INET6_ADDRSTRLEN)); 815 break; 816 817 case AU_IPv6: 818 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 819 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 820 INET6_ADDRSTRLEN)); 821 break; 822 823 default: 824 fprintf(fp, "invalid"); 825 } 826} 827 828/* 829 * Prints return value as success or failure. 830 */ 831static void 832print_retval(FILE *fp, u_char status, int oflags) 833{ 834 int error; 835 836 if (oflags & AU_OFLAG_RAW) 837 fprintf(fp, "%u", status); 838 else { 839 /* 840 * Convert to a local error number and print the OS's version 841 * of the error string if possible. We may want to provide 842 * an au_strerror(3) in the future so that we can print 843 * strings for non-local errors. 844 */ 845 if (au_bsm_to_errno(status, &error) == 0) { 846 if (error == 0) 847 fprintf(fp, "success"); 848 else 849 fprintf(fp, "failure : %s", strerror(error)); 850 } else 851 fprintf(fp, "failure: Unknown error: %d", status); 852 } 853} 854 855/* 856 * Prints the exit value. 857 */ 858static void 859print_errval(FILE *fp, u_int32_t val) 860{ 861 862 fprintf(fp, "Error %u", val); 863} 864 865/* 866 * Prints IPC type. 867 */ 868static void 869print_ipctype(FILE *fp, u_char type, int oflags) 870{ 871 if (oflags & AU_OFLAG_RAW) 872 fprintf(fp, "%u", type); 873 else { 874 if (type == AT_IPC_MSG) 875 fprintf(fp, "Message IPC"); 876 else if (type == AT_IPC_SEM) 877 fprintf(fp, "Semaphore IPC"); 878 else if (type == AT_IPC_SHM) 879 fprintf(fp, "Shared Memory IPC"); 880 else 881 fprintf(fp, "%u", type); 882 } 883} 884 885/* 886 * Print XML header. 887 */ 888void 889au_print_xml_header(FILE *outfp) 890{ 891 892 fprintf(outfp, "<?xml version='1.0' ?>\n"); 893 fprintf(outfp, "<audit>\n"); 894} 895 896/* 897 * Print XML footer. 898 */ 899void 900au_print_xml_footer(FILE *outfp) 901{ 902 903 fprintf(outfp, "</audit>\n"); 904} 905 906/* 907 * record byte count 4 bytes 908 * version # 1 byte [2] 909 * event type 2 bytes 910 * event modifier 2 bytes 911 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 912 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 913 */ 914static int 915fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 916{ 917 int err = 0; 918 919 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 920 if (err) 921 return (-1); 922 923 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 924 if (err) 925 return (-1); 926 927 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 928 if (err) 929 return (-1); 930 931 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 932 if (err) 933 return (-1); 934 935 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 936 if (err) 937 return (-1); 938 939 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 940 if (err) 941 return (-1); 942 943 return (0); 944} 945 946static void 947print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 948{ 949 950 print_tok_type(fp, tok->id, "header", oflags); 951 if (oflags & AU_OFLAG_XML) { 952 open_attr(fp, "version"); 953 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 954 close_attr(fp); 955 open_attr(fp, "event"); 956 print_event(fp, tok->tt.hdr32.e_type, oflags); 957 close_attr(fp); 958 open_attr(fp, "modifier"); 959 print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 960 close_attr(fp); 961 open_attr(fp, "time"); 962 print_sec32(fp, tok->tt.hdr32.s, oflags); 963 close_attr(fp); 964 open_attr(fp, "msec"); 965 print_msec32(fp, tok->tt.hdr32.ms, oflags); 966 close_attr(fp); 967 close_tag(fp, tok->id); 968 } else { 969 print_delim(fp, del); 970 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 971 print_delim(fp, del); 972 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 973 print_delim(fp, del); 974 print_event(fp, tok->tt.hdr32.e_type, oflags); 975 print_delim(fp, del); 976 print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 977 print_delim(fp, del); 978 print_sec32(fp, tok->tt.hdr32.s, oflags); 979 print_delim(fp, del); 980 print_msec32(fp, tok->tt.hdr32.ms, oflags); 981 } 982} 983 984/* 985 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 986 * depending on the bit of the specifications found. The OpenSolaris source 987 * code uses a 4-byte address length, followed by some number of bytes of 988 * address data. This contrasts with the Solaris audit.log.5 man page, which 989 * specifies a 1-byte length field. We use the Solaris 10 definition so that 990 * we can parse audit trails from that system. 991 * 992 * record byte count 4 bytes 993 * version # 1 byte [2] 994 * event type 2 bytes 995 * event modifier 2 bytes 996 * address type/length 4 bytes 997 * [ Solaris man page: address type/length 1 byte] 998 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 999 * seconds of time 4 bytes/8 bytes (32/64-bits) 1000 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1001 */ 1002static int 1003fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1004{ 1005 int err = 0; 1006 1007 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 1008 if (err) 1009 return (-1); 1010 1011 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 1012 if (err) 1013 return (-1); 1014 1015 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 1016 if (err) 1017 return (-1); 1018 1019 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 1020 if (err) 1021 return (-1); 1022 1023 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 1024 if (err) 1025 return (-1); 1026 1027 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 1028 switch (tok->tt.hdr32_ex.ad_type) { 1029 case AU_IPv4: 1030 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 1031 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 1032 if (err) 1033 return (-1); 1034 break; 1035 1036 case AU_IPv6: 1037 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 1038 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 1039 break; 1040 } 1041 1042 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 1043 if (err) 1044 return (-1); 1045 1046 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 1047 if (err) 1048 return (-1); 1049 1050 return (0); 1051} 1052 1053static void 1054print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1055{ 1056 1057 print_tok_type(fp, tok->id, "header_ex", oflags); 1058 if (oflags & AU_OFLAG_RAW) { 1059 open_attr(fp, "version"); 1060 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1061 close_attr(fp); 1062 open_attr(fp, "event"); 1063 print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1064 close_attr(fp); 1065 open_attr(fp, "modifier"); 1066 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1067 close_attr(fp); 1068 open_attr(fp, "host"); 1069 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1070 tok->tt.hdr32_ex.addr); 1071 close_attr(fp); 1072 open_attr(fp, "time"); 1073 print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1074 close_attr(fp); 1075 open_attr(fp, "msec"); 1076 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1077 close_attr(fp); 1078 close_tag(fp, tok->id); 1079 } else { 1080 print_delim(fp, del); 1081 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1082 print_delim(fp, del); 1083 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1084 print_delim(fp, del); 1085 print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1086 print_delim(fp, del); 1087 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1088 print_delim(fp, del); 1089 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1090 tok->tt.hdr32_ex.addr); 1091 print_delim(fp, del); 1092 print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1093 print_delim(fp, del); 1094 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1095 } 1096} 1097 1098/* 1099 * record byte count 4 bytes 1100 * event type 2 bytes 1101 * event modifier 2 bytes 1102 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1103 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1104 * version # 1105 */ 1106static int 1107fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1108{ 1109 int err = 0; 1110 1111 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1112 if (err) 1113 return (-1); 1114 1115 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1116 if (err) 1117 return (-1); 1118 1119 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1120 if (err) 1121 return (-1); 1122 1123 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1124 if (err) 1125 return (-1); 1126 1127 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1128 if (err) 1129 return (-1); 1130 1131 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1132 if (err) 1133 return (-1); 1134 1135 return (0); 1136} 1137 1138static void 1139print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1140{ 1141 1142 print_tok_type(fp, tok->id, "header", oflags); 1143 if (oflags & AU_OFLAG_XML) { 1144 open_attr(fp, "version"); 1145 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1146 close_attr(fp); 1147 open_attr(fp, "event"); 1148 print_event(fp, tok->tt.hdr64.e_type, oflags); 1149 close_attr(fp); 1150 open_attr(fp, "modifier"); 1151 print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1152 close_attr(fp); 1153 open_attr(fp, "time"); 1154 print_sec64(fp, tok->tt.hdr64.s, oflags); 1155 close_attr(fp); 1156 open_attr(fp, "msec"); 1157 print_msec64(fp, tok->tt.hdr64.ms, oflags); 1158 close_attr(fp); 1159 close_tag(fp, tok->id); 1160 } else { 1161 print_delim(fp, del); 1162 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1163 print_delim(fp, del); 1164 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1165 print_delim(fp, del); 1166 print_event(fp, tok->tt.hdr64.e_type, oflags); 1167 print_delim(fp, del); 1168 print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1169 print_delim(fp, del); 1170 print_sec64(fp, tok->tt.hdr64.s, oflags); 1171 print_delim(fp, del); 1172 print_msec64(fp, tok->tt.hdr64.ms, oflags); 1173 } 1174} 1175 1176/* 1177 * record byte count 4 bytes 1178 * version # 1 byte [2] 1179 * event type 2 bytes 1180 * event modifier 2 bytes 1181 * address type/length 4 bytes 1182 * [ Solaris man page: address type/length 1 byte] 1183 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1184 * seconds of time 4 bytes/8 bytes (32/64-bits) 1185 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1186 * 1187 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1188 * accuracy of the BSM spec. 1189 */ 1190static int 1191fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1192{ 1193 int err = 0; 1194 1195 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1196 if (err) 1197 return (-1); 1198 1199 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1200 if (err) 1201 return (-1); 1202 1203 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1204 if (err) 1205 return (-1); 1206 1207 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1208 if (err) 1209 return (-1); 1210 1211 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1212 if (err) 1213 return (-1); 1214 1215 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1216 switch (tok->tt.hdr64_ex.ad_type) { 1217 case AU_IPv4: 1218 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1219 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1220 if (err) 1221 return (-1); 1222 break; 1223 1224 case AU_IPv6: 1225 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1226 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1227 break; 1228 } 1229 1230 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1231 if (err) 1232 return (-1); 1233 1234 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1235 if (err) 1236 return (-1); 1237 1238 return (0); 1239} 1240 1241static void 1242print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1243{ 1244 1245 print_tok_type(fp, tok->id, "header_ex", oflags); 1246 if (oflags & AU_OFLAG_XML) { 1247 open_attr(fp, "version"); 1248 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1249 close_attr(fp); 1250 open_attr(fp, "event"); 1251 print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1252 close_attr(fp); 1253 open_attr(fp, "modifier"); 1254 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1255 close_attr(fp); 1256 open_attr(fp, "host"); 1257 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1258 tok->tt.hdr64_ex.addr); 1259 close_attr(fp); 1260 open_attr(fp, "time"); 1261 print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1262 close_attr(fp); 1263 open_attr(fp, "msec"); 1264 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1265 close_attr(fp); 1266 close_tag(fp, tok->id); 1267 } else { 1268 print_delim(fp, del); 1269 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1270 print_delim(fp, del); 1271 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1272 print_delim(fp, del); 1273 print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1274 print_delim(fp, del); 1275 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1276 print_delim(fp, del); 1277 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1278 tok->tt.hdr64_ex.addr); 1279 print_delim(fp, del); 1280 print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1281 print_delim(fp, del); 1282 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1283 } 1284} 1285 1286/* 1287 * trailer magic 2 bytes 1288 * record size 4 bytes 1289 */ 1290static int 1291fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1292{ 1293 int err = 0; 1294 1295 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1296 if (err) 1297 return (-1); 1298 1299 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1300 if (err) 1301 return (-1); 1302 1303 return (0); 1304} 1305 1306static void 1307print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1308{ 1309 1310 print_tok_type(fp, tok->id, "trailer", oflags); 1311 if (!(oflags & AU_OFLAG_XML)) { 1312 print_delim(fp, del); 1313 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1314 } 1315} 1316 1317/* 1318 * argument # 1 byte 1319 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1320 * text length 2 bytes 1321 * text N bytes + 1 terminating NULL byte 1322 */ 1323static int 1324fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1325{ 1326 int err = 0; 1327 1328 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1329 if (err) 1330 return (-1); 1331 1332 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1333 if (err) 1334 return (-1); 1335 1336 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1337 if (err) 1338 return (-1); 1339 1340 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1341 tok->len, err); 1342 if (err) 1343 return (-1); 1344 1345 return (0); 1346} 1347 1348static void 1349print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1350{ 1351 1352 print_tok_type(fp, tok->id, "argument", oflags); 1353 if (oflags & AU_OFLAG_XML) { 1354 open_attr(fp, "arg-num"); 1355 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1356 close_attr(fp); 1357 open_attr(fp, "value"); 1358 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1359 close_attr(fp); 1360 open_attr(fp, "desc"); 1361 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1362 close_attr(fp); 1363 close_tag(fp, tok->id); 1364 } else { 1365 print_delim(fp, del); 1366 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1367 print_delim(fp, del); 1368 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1369 print_delim(fp, del); 1370 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1371 } 1372} 1373 1374static int 1375fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1376{ 1377 int err = 0; 1378 1379 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1380 if (err) 1381 return (-1); 1382 1383 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1384 if (err) 1385 return (-1); 1386 1387 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1388 if (err) 1389 return (-1); 1390 1391 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1392 tok->len, err); 1393 if (err) 1394 return (-1); 1395 1396 return (0); 1397} 1398 1399static void 1400print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1401{ 1402 1403 print_tok_type(fp, tok->id, "argument", oflags); 1404 if (oflags & AU_OFLAG_XML) { 1405 open_attr(fp, "arg-num"); 1406 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1407 close_attr(fp); 1408 open_attr(fp, "value"); 1409 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1410 close_attr(fp); 1411 open_attr(fp, "desc"); 1412 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1413 close_attr(fp); 1414 close_tag(fp, tok->id); 1415 } else { 1416 print_delim(fp, del); 1417 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1418 print_delim(fp, del); 1419 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1420 print_delim(fp, del); 1421 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1422 } 1423} 1424 1425/* 1426 * how to print 1 byte 1427 * basic unit 1 byte 1428 * unit count 1 byte 1429 * data items (depends on basic unit) 1430 */ 1431static int 1432fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1433{ 1434 int err = 0; 1435 int datasize; 1436 1437 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1438 if (err) 1439 return (-1); 1440 1441 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1442 if (err) 1443 return (-1); 1444 1445 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1446 if (err) 1447 return (-1); 1448 1449 /* 1450 * Determine the size of the basic unit. 1451 */ 1452 switch(tok->tt.arb.bu) { 1453 case AUR_BYTE: 1454 /* case AUR_CHAR: */ 1455 datasize = AUR_BYTE_SIZE; 1456 break; 1457 1458 case AUR_SHORT: 1459 datasize = AUR_SHORT_SIZE; 1460 break; 1461 1462 case AUR_INT32: 1463 /* case AUR_INT: */ 1464 datasize = AUR_INT32_SIZE; 1465 break; 1466 1467 case AUR_INT64: 1468 datasize = AUR_INT64_SIZE; 1469 break; 1470 1471 default: 1472 return (-1); 1473 } 1474 1475 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1476 tok->len, err); 1477 if (err) 1478 return (-1); 1479 1480 return (0); 1481} 1482 1483static void 1484print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1485{ 1486 char *str; 1487 char *format; 1488 size_t size; 1489 int i; 1490 1491 print_tok_type(fp, tok->id, "arbitrary", oflags); 1492 if (!(oflags & AU_OFLAG_XML)) 1493 print_delim(fp, del); 1494 1495 switch(tok->tt.arb.howtopr) { 1496 case AUP_BINARY: 1497 str = "binary"; 1498 format = " %c"; 1499 break; 1500 1501 case AUP_OCTAL: 1502 str = "octal"; 1503 format = " %o"; 1504 break; 1505 1506 case AUP_DECIMAL: 1507 str = "decimal"; 1508 format = " %d"; 1509 break; 1510 1511 case AUP_HEX: 1512 str = "hex"; 1513 format = " %x"; 1514 break; 1515 1516 case AUP_STRING: 1517 str = "string"; 1518 format = "%c"; 1519 break; 1520 1521 default: 1522 return; 1523 } 1524 1525 if (oflags & AU_OFLAG_XML) { 1526 open_attr(fp, "print"); 1527 fprintf(fp, "%s",str); 1528 close_attr(fp); 1529 } else { 1530 print_string(fp, str, strlen(str)); 1531 print_delim(fp, del); 1532 } 1533 switch(tok->tt.arb.bu) { 1534 case AUR_BYTE: 1535 /* case AUR_CHAR: */ 1536 str = "byte"; 1537 size = AUR_BYTE_SIZE; 1538 if (oflags & AU_OFLAG_XML) { 1539 open_attr(fp, "type"); 1540 fprintf(fp, "%zu", size); 1541 close_attr(fp); 1542 open_attr(fp, "count"); 1543 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1544 close_attr(fp); 1545 fprintf(fp, ">"); 1546 for (i = 0; i<tok->tt.arb.uc; i++) 1547 fprintf(fp, format, *(tok->tt.arb.data + 1548 (size * i))); 1549 close_tag(fp, tok->id); 1550 } else { 1551 print_string(fp, str, strlen(str)); 1552 print_delim(fp, del); 1553 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1554 print_delim(fp, del); 1555 for (i = 0; i<tok->tt.arb.uc; i++) 1556 fprintf(fp, format, *(tok->tt.arb.data + 1557 (size * i))); 1558 } 1559 break; 1560 1561 case AUR_SHORT: 1562 str = "short"; 1563 size = AUR_SHORT_SIZE; 1564 if (oflags & AU_OFLAG_XML) { 1565 open_attr(fp, "type"); 1566 fprintf(fp, "%zu", size); 1567 close_attr(fp); 1568 open_attr(fp, "count"); 1569 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1570 close_attr(fp); 1571 fprintf(fp, ">"); 1572 for (i = 0; i < tok->tt.arb.uc; i++) 1573 fprintf(fp, format, 1574 *((u_int16_t *)(tok->tt.arb.data + 1575 (size * i)))); 1576 close_tag(fp, tok->id); 1577 } else { 1578 print_string(fp, str, strlen(str)); 1579 print_delim(fp, del); 1580 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1581 print_delim(fp, del); 1582 for (i = 0; i < tok->tt.arb.uc; i++) 1583 fprintf(fp, format, 1584 *((u_int16_t *)(tok->tt.arb.data + 1585 (size * i)))); 1586 } 1587 break; 1588 1589 case AUR_INT32: 1590 /* case AUR_INT: */ 1591 str = "int"; 1592 size = AUR_INT32_SIZE; 1593 if (oflags & AU_OFLAG_XML) { 1594 open_attr(fp, "type"); 1595 fprintf(fp, "%zu", size); 1596 close_attr(fp); 1597 open_attr(fp, "count"); 1598 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1599 close_attr(fp); 1600 fprintf(fp, ">"); 1601 for (i = 0; i < tok->tt.arb.uc; i++) 1602 fprintf(fp, format, 1603 *((u_int32_t *)(tok->tt.arb.data + 1604 (size * i)))); 1605 close_tag(fp, tok->id); 1606 } else { 1607 print_string(fp, str, strlen(str)); 1608 print_delim(fp, del); 1609 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1610 print_delim(fp, del); 1611 for (i = 0; i < tok->tt.arb.uc; i++) 1612 fprintf(fp, format, 1613 *((u_int32_t *)(tok->tt.arb.data + 1614 (size * i)))); 1615 } 1616 break; 1617 1618 case AUR_INT64: 1619 str = "int64"; 1620 size = AUR_INT64_SIZE; 1621 if (oflags & AU_OFLAG_XML) { 1622 open_attr(fp, "type"); 1623 fprintf(fp, "%zu", size); 1624 close_attr(fp); 1625 open_attr(fp, "count"); 1626 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1627 close_attr(fp); 1628 fprintf(fp, ">"); 1629 for (i = 0; i < tok->tt.arb.uc; i++) 1630 fprintf(fp, format, 1631 *((u_int64_t *)(tok->tt.arb.data + 1632 (size * i)))); 1633 close_tag(fp, tok->id); 1634 } else { 1635 print_string(fp, str, strlen(str)); 1636 print_delim(fp, del); 1637 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1638 print_delim(fp, del); 1639 for (i = 0; i < tok->tt.arb.uc; i++) 1640 fprintf(fp, format, 1641 *((u_int64_t *)(tok->tt.arb.data + 1642 (size * i)))); 1643 } 1644 break; 1645 1646 default: 1647 return; 1648 } 1649} 1650 1651/* 1652 * file access mode 4 bytes 1653 * owner user ID 4 bytes 1654 * owner group ID 4 bytes 1655 * file system ID 4 bytes 1656 * node ID 8 bytes 1657 * device 4 bytes/8 bytes (32-bit/64-bit) 1658 */ 1659static int 1660fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1661{ 1662 int err = 0; 1663 1664 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1665 if (err) 1666 return (-1); 1667 1668 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1669 if (err) 1670 return (-1); 1671 1672 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1673 if (err) 1674 return (-1); 1675 1676 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1677 if (err) 1678 return (-1); 1679 1680 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1681 if (err) 1682 return (-1); 1683 1684 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1685 if (err) 1686 return (-1); 1687 1688 return (0); 1689} 1690 1691static void 1692print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1693{ 1694 1695 print_tok_type(fp, tok->id, "attribute", oflags); 1696 if (oflags & AU_OFLAG_XML) { 1697 open_attr(fp, "mode"); 1698 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1699 close_attr(fp); 1700 open_attr(fp, "uid"); 1701 print_user(fp, tok->tt.attr32.uid, oflags); 1702 close_attr(fp); 1703 open_attr(fp, "gid"); 1704 print_group(fp, tok->tt.attr32.gid, oflags); 1705 close_attr(fp); 1706 open_attr(fp, "fsid"); 1707 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1708 close_attr(fp); 1709 open_attr(fp, "nodeid"); 1710 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1711 close_attr(fp); 1712 open_attr(fp, "device"); 1713 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1714 close_attr(fp); 1715 close_tag(fp, tok->id); 1716 } else { 1717 print_delim(fp, del); 1718 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1719 print_delim(fp, del); 1720 print_user(fp, tok->tt.attr32.uid, oflags); 1721 print_delim(fp, del); 1722 print_group(fp, tok->tt.attr32.gid, oflags); 1723 print_delim(fp, del); 1724 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1725 print_delim(fp, del); 1726 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1727 print_delim(fp, del); 1728 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1729 } 1730} 1731 1732/* 1733 * file access mode 4 bytes 1734 * owner user ID 4 bytes 1735 * owner group ID 4 bytes 1736 * file system ID 4 bytes 1737 * node ID 8 bytes 1738 * device 4 bytes/8 bytes (32-bit/64-bit) 1739 */ 1740static int 1741fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1742{ 1743 int err = 0; 1744 1745 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1746 if (err) 1747 return (-1); 1748 1749 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1750 if (err) 1751 return (-1); 1752 1753 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1754 if (err) 1755 return (-1); 1756 1757 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1758 if (err) 1759 return (-1); 1760 1761 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1762 if (err) 1763 return (-1); 1764 1765 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1766 if (err) 1767 return (-1); 1768 1769 return (0); 1770} 1771 1772static void 1773print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1774{ 1775 1776 print_tok_type(fp, tok->id, "attribute", oflags); 1777 if (oflags & AU_OFLAG_XML) { 1778 open_attr(fp, "mode"); 1779 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1780 close_attr(fp); 1781 open_attr(fp, "uid"); 1782 print_user(fp, tok->tt.attr64.uid, oflags); 1783 close_attr(fp); 1784 open_attr(fp, "gid"); 1785 print_group(fp, tok->tt.attr64.gid, oflags); 1786 close_attr(fp); 1787 open_attr(fp, "fsid"); 1788 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1789 close_attr(fp); 1790 open_attr(fp, "nodeid"); 1791 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1792 close_attr(fp); 1793 open_attr(fp, "device"); 1794 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1795 close_attr(fp); 1796 close_tag(fp, tok->id); 1797 } else { 1798 print_delim(fp, del); 1799 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1800 print_delim(fp, del); 1801 print_user(fp, tok->tt.attr64.uid, oflags); 1802 print_delim(fp, del); 1803 print_group(fp, tok->tt.attr64.gid, oflags); 1804 print_delim(fp, del); 1805 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1806 print_delim(fp, del); 1807 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1808 print_delim(fp, del); 1809 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1810 } 1811} 1812 1813/* 1814 * status 4 bytes 1815 * return value 4 bytes 1816 */ 1817static int 1818fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1819{ 1820 int err = 0; 1821 1822 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1823 if (err) 1824 return (-1); 1825 1826 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1827 if (err) 1828 return (-1); 1829 1830 return (0); 1831} 1832 1833static void 1834print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1835{ 1836 1837 print_tok_type(fp, tok->id, "exit", oflags); 1838 if (oflags & AU_OFLAG_XML) { 1839 open_attr(fp, "errval"); 1840 print_errval(fp, tok->tt.exit.status); 1841 close_attr(fp); 1842 open_attr(fp, "retval"); 1843 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1844 close_attr(fp); 1845 close_tag(fp, tok->id); 1846 } else { 1847 print_delim(fp, del); 1848 print_errval(fp, tok->tt.exit.status); 1849 print_delim(fp, del); 1850 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1851 } 1852} 1853 1854/* 1855 * count 4 bytes 1856 * text count null-terminated string(s) 1857 */ 1858static int 1859fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1860{ 1861 int err = 0; 1862 u_int32_t i; 1863 u_char *bptr; 1864 1865 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1866 if (err) 1867 return (-1); 1868 1869 for (i = 0; i < tok->tt.execarg.count; i++) { 1870 bptr = buf + tok->len; 1871 if (i < AUDIT_MAX_ARGS) 1872 tok->tt.execarg.text[i] = (char*)bptr; 1873 1874 /* Look for a null terminated string. */ 1875 while (bptr && (*bptr != '\0')) { 1876 if (++tok->len >= (u_int32_t)len) 1877 return (-1); 1878 bptr = buf + tok->len; 1879 } 1880 if (!bptr) 1881 return (-1); 1882 tok->len++; /* \0 character */ 1883 } 1884 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1885 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1886 1887 return (0); 1888} 1889 1890static void 1891print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1892{ 1893 u_int32_t i; 1894 1895 print_tok_type(fp, tok->id, "exec arg", oflags); 1896 for (i = 0; i < tok->tt.execarg.count; i++) { 1897 if (oflags & AU_OFLAG_XML) { 1898 fprintf(fp, "<arg>"); 1899 print_xml_string(fp, tok->tt.execarg.text[i], 1900 strlen(tok->tt.execarg.text[i])); 1901 fprintf(fp, "</arg>"); 1902 } else { 1903 print_delim(fp, del); 1904 print_string(fp, tok->tt.execarg.text[i], 1905 strlen(tok->tt.execarg.text[i])); 1906 } 1907 } 1908 if (oflags & AU_OFLAG_XML) 1909 close_tag(fp, tok->id); 1910} 1911 1912/* 1913 * count 4 bytes 1914 * text count null-terminated string(s) 1915 */ 1916static int 1917fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1918{ 1919 int err = 0; 1920 u_int32_t i; 1921 u_char *bptr; 1922 1923 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1924 if (err) 1925 return (-1); 1926 1927 for (i = 0; i < tok->tt.execenv.count; i++) { 1928 bptr = buf + tok->len; 1929 if (i < AUDIT_MAX_ENV) 1930 tok->tt.execenv.text[i] = (char*)bptr; 1931 1932 /* Look for a null terminated string. */ 1933 while (bptr && (*bptr != '\0')) { 1934 if (++tok->len >= (u_int32_t)len) 1935 return (-1); 1936 bptr = buf + tok->len; 1937 } 1938 if (!bptr) 1939 return (-1); 1940 tok->len++; /* \0 character */ 1941 } 1942 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1943 tok->tt.execenv.count = AUDIT_MAX_ENV; 1944 1945 return (0); 1946} 1947 1948static void 1949print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1950{ 1951 u_int32_t i; 1952 1953 print_tok_type(fp, tok->id, "exec env", oflags); 1954 for (i = 0; i< tok->tt.execenv.count; i++) { 1955 if (oflags & AU_OFLAG_XML) { 1956 fprintf(fp, "<env>"); 1957 print_xml_string(fp, tok->tt.execenv.text[i], 1958 strlen(tok->tt.execenv.text[i])); 1959 fprintf(fp, "</env>"); 1960 } else { 1961 print_delim(fp, del); 1962 print_string(fp, tok->tt.execenv.text[i], 1963 strlen(tok->tt.execenv.text[i])); 1964 } 1965 } 1966 if (oflags & AU_OFLAG_XML) 1967 close_tag(fp, tok->id); 1968} 1969 1970/* 1971 * seconds of time 4 bytes 1972 * milliseconds of time 4 bytes 1973 * file name len 2 bytes 1974 * file pathname N bytes + 1 terminating NULL byte 1975 */ 1976static int 1977fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1978{ 1979 int err = 0; 1980 1981 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1982 if (err) 1983 return (-1); 1984 1985 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1986 if (err) 1987 return (-1); 1988 1989 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1990 if (err) 1991 return (-1); 1992 1993 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1994 err); 1995 if (err) 1996 return (-1); 1997 1998 return (0); 1999} 2000 2001static void 2002print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2003{ 2004 2005 print_tok_type(fp, tok->id, "file", oflags); 2006 if (oflags & AU_OFLAG_XML) { 2007 open_attr(fp, "time"); 2008 print_sec32(fp, tok->tt.file.s, oflags); 2009 close_attr(fp); 2010 open_attr(fp, "msec"); 2011 print_msec32(fp, tok->tt.file.ms, oflags); 2012 close_attr(fp); 2013 fprintf(fp, ">"); 2014 print_string(fp, tok->tt.file.name, tok->tt.file.len); 2015 close_tag(fp, tok->id); 2016 } else { 2017 print_delim(fp, del); 2018 print_sec32(fp, tok->tt.file.s, oflags); 2019 print_delim(fp, del); 2020 print_msec32(fp, tok->tt.file.ms, oflags); 2021 print_delim(fp, del); 2022 print_string(fp, tok->tt.file.name, tok->tt.file.len); 2023 } 2024} 2025 2026/* 2027 * number groups 2 bytes 2028 * group list count * 4 bytes 2029 */ 2030static int 2031fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 2032{ 2033 int i; 2034 int err = 0; 2035 2036 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 2037 if (err) 2038 return (-1); 2039 2040 for (i = 0; i<tok->tt.grps.no; i++) { 2041 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2042 err); 2043 if (err) 2044 return (-1); 2045 } 2046 2047 return (0); 2048} 2049 2050static void 2051print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2052{ 2053 int i; 2054 2055 print_tok_type(fp, tok->id, "group", oflags); 2056 for (i = 0; i < tok->tt.grps.no; i++) { 2057 if (oflags & AU_OFLAG_XML) { 2058 fprintf(fp, "<gid>"); 2059 print_group(fp, tok->tt.grps.list[i], oflags); 2060 fprintf(fp, "</gid>"); 2061 close_tag(fp, tok->id); 2062 } else { 2063 print_delim(fp, del); 2064 print_group(fp, tok->tt.grps.list[i], oflags); 2065 } 2066 } 2067} 2068 2069/* 2070 * Internet addr 4 bytes 2071 */ 2072static int 2073fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2074{ 2075 int err = 0; 2076 2077 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2078 tok->len, err); 2079 if (err) 2080 return (-1); 2081 2082 return (0); 2083 2084} 2085 2086static void 2087print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2088{ 2089 2090 print_tok_type(fp, tok->id, "ip addr", oflags); 2091 if (oflags & AU_OFLAG_XML) { 2092 print_ip_address(fp, tok->tt.inaddr.addr); 2093 close_tag(fp, tok->id); 2094 } else { 2095 print_delim(fp, del); 2096 print_ip_address(fp, tok->tt.inaddr.addr); 2097 } 2098} 2099 2100/* 2101 * type 4 bytes 2102 * address 16 bytes 2103 */ 2104static int 2105fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2106{ 2107 int err = 0; 2108 2109 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2110 if (err) 2111 return (-1); 2112 2113 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2114 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2115 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2116 if (err) 2117 return (-1); 2118 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2119 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2120 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2121 if (err) 2122 return (-1); 2123 } else 2124 return (-1); 2125 2126 return (0); 2127} 2128 2129static void 2130print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2131{ 2132 2133 print_tok_type(fp, tok->id, "ip addr ex", oflags); 2134 if (oflags & AU_OFLAG_XML) { 2135 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2136 tok->tt.inaddr_ex.addr); 2137 close_tag(fp, tok->id); 2138 } else { 2139 print_delim(fp, del); 2140 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2141 tok->tt.inaddr_ex.addr); 2142 } 2143} 2144 2145/* 2146 * ip header 20 bytes 2147 */ 2148static int 2149fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2150{ 2151 int err = 0; 2152 2153 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2154 if (err) 2155 return (-1); 2156 2157 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2158 if (err) 2159 return (-1); 2160 2161 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2162 tok->len, err); 2163 if (err) 2164 return (-1); 2165 2166 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2167 tok->len, err); 2168 if (err) 2169 return (-1); 2170 2171 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2172 tok->len, err); 2173 if (err) 2174 return (-1); 2175 2176 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2177 if (err) 2178 return (-1); 2179 2180 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2181 if (err) 2182 return (-1); 2183 2184 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2185 tok->len, err); 2186 if (err) 2187 return (-1); 2188 2189 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2190 tok->len, err); 2191 if (err) 2192 return (-1); 2193 2194 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2195 tok->len, err); 2196 if (err) 2197 return (-1); 2198 2199 return (0); 2200} 2201 2202static void 2203print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2204{ 2205 2206 print_tok_type(fp, tok->id, "ip", oflags); 2207 if (oflags & AU_OFLAG_XML) { 2208 open_attr(fp, "version"); 2209 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2210 sizeof(u_char)); 2211 close_attr(fp); 2212 open_attr(fp, "service_type"); 2213 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2214 close_attr(fp); 2215 open_attr(fp, "len"); 2216 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2217 close_attr(fp); 2218 open_attr(fp, "id"); 2219 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2220 close_attr(fp); 2221 open_attr(fp, "offset"); 2222 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2223 close_attr(fp); 2224 open_attr(fp, "time_to_live"); 2225 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2226 close_attr(fp); 2227 open_attr(fp, "protocol"); 2228 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2229 close_attr(fp); 2230 open_attr(fp, "cksum"); 2231 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2232 close_attr(fp); 2233 open_attr(fp, "src_addr"); 2234 print_ip_address(fp, tok->tt.ip.src); 2235 close_attr(fp); 2236 open_attr(fp, "dest_addr"); 2237 print_ip_address(fp, tok->tt.ip.dest); 2238 close_attr(fp); 2239 close_tag(fp, tok->id); 2240 } else { 2241 print_delim(fp, del); 2242 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2243 sizeof(u_char)); 2244 print_delim(fp, del); 2245 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2246 print_delim(fp, del); 2247 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2248 print_delim(fp, del); 2249 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2250 print_delim(fp, del); 2251 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2252 print_delim(fp, del); 2253 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2254 print_delim(fp, del); 2255 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2256 print_delim(fp, del); 2257 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2258 print_delim(fp, del); 2259 print_ip_address(fp, tok->tt.ip.src); 2260 print_delim(fp, del); 2261 print_ip_address(fp, tok->tt.ip.dest); 2262 } 2263} 2264 2265/* 2266 * object ID type 1 byte 2267 * Object ID 4 bytes 2268 */ 2269static int 2270fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2271{ 2272 int err = 0; 2273 2274 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2275 if (err) 2276 return (-1); 2277 2278 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2279 if (err) 2280 return (-1); 2281 2282 return (0); 2283} 2284 2285static void 2286print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2287{ 2288 2289 print_tok_type(fp, tok->id, "IPC", oflags); 2290 if (oflags & AU_OFLAG_XML) { 2291 open_attr(fp, "ipc-type"); 2292 print_ipctype(fp, tok->tt.ipc.type, oflags); 2293 close_attr(fp); 2294 open_attr(fp, "ipc-id"); 2295 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2296 close_attr(fp); 2297 close_tag(fp, tok->id); 2298 } else { 2299 print_delim(fp, del); 2300 print_ipctype(fp, tok->tt.ipc.type, oflags); 2301 print_delim(fp, del); 2302 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2303 } 2304} 2305 2306/* 2307 * owner user id 4 bytes 2308 * owner group id 4 bytes 2309 * creator user id 4 bytes 2310 * creator group id 4 bytes 2311 * access mode 4 bytes 2312 * slot seq 4 bytes 2313 * key 4 bytes 2314 */ 2315static int 2316fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2317{ 2318 int err = 0; 2319 2320 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2321 if (err) 2322 return (-1); 2323 2324 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2325 if (err) 2326 return (-1); 2327 2328 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2329 if (err) 2330 return (-1); 2331 2332 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2333 if (err) 2334 return (-1); 2335 2336 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2337 if (err) 2338 return (-1); 2339 2340 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2341 if (err) 2342 return (-1); 2343 2344 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2345 if (err) 2346 return (-1); 2347 2348 return (0); 2349} 2350 2351static void 2352print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2353{ 2354 2355 print_tok_type(fp, tok->id, "IPC perm", oflags); 2356 if (oflags & AU_OFLAG_XML) { 2357 open_attr(fp, "uid"); 2358 print_user(fp, tok->tt.ipcperm.uid, oflags); 2359 close_attr(fp); 2360 open_attr(fp, "gid"); 2361 print_group(fp, tok->tt.ipcperm.gid, oflags); 2362 close_attr(fp); 2363 open_attr(fp, "creator-uid"); 2364 print_user(fp, tok->tt.ipcperm.puid, oflags); 2365 close_attr(fp); 2366 open_attr(fp, "creator-gid"); 2367 print_group(fp, tok->tt.ipcperm.pgid, oflags); 2368 close_attr(fp); 2369 open_attr(fp, "mode"); 2370 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2371 close_attr(fp); 2372 open_attr(fp, "seq"); 2373 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2374 close_attr(fp); 2375 open_attr(fp, "key"); 2376 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2377 close_attr(fp); 2378 close_tag(fp, tok->id); 2379 } else { 2380 print_delim(fp, del); 2381 print_user(fp, tok->tt.ipcperm.uid, oflags); 2382 print_delim(fp, del); 2383 print_group(fp, tok->tt.ipcperm.gid, oflags); 2384 print_delim(fp, del); 2385 print_user(fp, tok->tt.ipcperm.puid, oflags); 2386 print_delim(fp, del); 2387 print_group(fp, tok->tt.ipcperm.pgid, oflags); 2388 print_delim(fp, del); 2389 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2390 print_delim(fp, del); 2391 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2392 print_delim(fp, del); 2393 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2394 } 2395} 2396 2397/* 2398 * port Ip address 2 bytes 2399 */ 2400static int 2401fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2402{ 2403 int err = 0; 2404 2405 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2406 tok->len, err); 2407 if (err) 2408 return (-1); 2409 2410 return (0); 2411} 2412 2413static void 2414print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2415{ 2416 2417 print_tok_type(fp, tok->id, "ip port", oflags); 2418 if (oflags & AU_OFLAG_XML) { 2419 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2420 close_tag(fp, tok->id); 2421 } else { 2422 print_delim(fp, del); 2423 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2424 } 2425} 2426 2427/* 2428 * size 2 bytes 2429 * data size bytes 2430 */ 2431static int 2432fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2433{ 2434 int err = 0; 2435 2436 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2437 if (err) 2438 return (-1); 2439 2440 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2441 tok->len, err); 2442 if (err) 2443 return (-1); 2444 2445 return (0); 2446} 2447 2448static void 2449print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2450{ 2451 2452 print_tok_type(fp, tok->id, "opaque", oflags); 2453 if (oflags & AU_OFLAG_XML) { 2454 print_mem(fp, (u_char*)tok->tt.opaque.data, 2455 tok->tt.opaque.size); 2456 close_tag(fp, tok->id); 2457 } else { 2458 print_delim(fp, del); 2459 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2460 print_delim(fp, del); 2461 print_mem(fp, (u_char*)tok->tt.opaque.data, 2462 tok->tt.opaque.size); 2463 } 2464} 2465 2466/* 2467 * size 2 bytes 2468 * data size bytes 2469 */ 2470static int 2471fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2472{ 2473 int err = 0; 2474 2475 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2476 if (err) 2477 return (-1); 2478 2479 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2480 err); 2481 if (err) 2482 return (-1); 2483 2484 return (0); 2485} 2486 2487static void 2488print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2489{ 2490 2491 print_tok_type(fp, tok->id, "path", oflags); 2492 if (oflags & AU_OFLAG_XML) { 2493 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2494 close_tag(fp, tok->id); 2495 } else { 2496 print_delim(fp, del); 2497 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2498 } 2499} 2500 2501/* 2502 * token ID 1 byte 2503 * audit ID 4 bytes 2504 * euid 4 bytes 2505 * egid 4 bytes 2506 * ruid 4 bytes 2507 * rgid 4 bytes 2508 * pid 4 bytes 2509 * sessid 4 bytes 2510 * terminal ID 2511 * portid 4 bytes 2512 * machine id 4 bytes 2513 */ 2514static int 2515fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2516{ 2517 int err = 0; 2518 2519 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2520 if (err) 2521 return (-1); 2522 2523 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2524 if (err) 2525 return (-1); 2526 2527 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2528 if (err) 2529 return (-1); 2530 2531 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2532 if (err) 2533 return (-1); 2534 2535 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2536 if (err) 2537 return (-1); 2538 2539 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2540 if (err) 2541 return (-1); 2542 2543 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2544 if (err) 2545 return (-1); 2546 2547 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2548 if (err) 2549 return (-1); 2550 2551 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2552 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2553 if (err) 2554 return (-1); 2555 2556 return (0); 2557} 2558 2559static void 2560print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2561{ 2562 2563 print_tok_type(fp, tok->id, "process", oflags); 2564 if (oflags & AU_OFLAG_XML) { 2565 open_attr(fp, "audit-uid"); 2566 print_user(fp, tok->tt.proc32.auid, oflags); 2567 close_attr(fp); 2568 open_attr(fp, "uid"); 2569 print_user(fp, tok->tt.proc32.euid, oflags); 2570 close_attr(fp); 2571 open_attr(fp, "gid"); 2572 print_group(fp, tok->tt.proc32.egid, oflags); 2573 close_attr(fp); 2574 open_attr(fp, "ruid"); 2575 print_user(fp, tok->tt.proc32.ruid, oflags); 2576 close_attr(fp); 2577 open_attr(fp, "rgid"); 2578 print_group(fp, tok->tt.proc32.rgid, oflags); 2579 close_attr(fp); 2580 open_attr(fp, "pid"); 2581 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2582 close_attr(fp); 2583 open_attr(fp, "sid"); 2584 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2585 close_attr(fp); 2586 open_attr(fp, "tid"); 2587 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2588 print_ip_address(fp, tok->tt.proc32.tid.addr); 2589 close_attr(fp); 2590 close_tag(fp, tok->id); 2591 } else { 2592 print_delim(fp, del); 2593 print_user(fp, tok->tt.proc32.auid, oflags); 2594 print_delim(fp, del); 2595 print_user(fp, tok->tt.proc32.euid, oflags); 2596 print_delim(fp, del); 2597 print_group(fp, tok->tt.proc32.egid, oflags); 2598 print_delim(fp, del); 2599 print_user(fp, tok->tt.proc32.ruid, oflags); 2600 print_delim(fp, del); 2601 print_group(fp, tok->tt.proc32.rgid, oflags); 2602 print_delim(fp, del); 2603 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2604 print_delim(fp, del); 2605 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2606 print_delim(fp, del); 2607 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2608 print_delim(fp, del); 2609 print_ip_address(fp, tok->tt.proc32.tid.addr); 2610 } 2611} 2612 2613/* 2614 * token ID 1 byte 2615 * audit ID 4 bytes 2616 * euid 4 bytes 2617 * egid 4 bytes 2618 * ruid 4 bytes 2619 * rgid 4 bytes 2620 * pid 4 bytes 2621 * sessid 4 bytes 2622 * terminal ID 2623 * portid 8 bytes 2624 * machine id 4 bytes 2625 */ 2626static int 2627fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2628{ 2629 int err = 0; 2630 2631 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2632 if (err) 2633 return (-1); 2634 2635 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2636 if (err) 2637 return (-1); 2638 2639 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2640 if (err) 2641 return (-1); 2642 2643 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2644 if (err) 2645 return (-1); 2646 2647 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2648 if (err) 2649 return (-1); 2650 2651 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2652 if (err) 2653 return (-1); 2654 2655 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2656 if (err) 2657 return (-1); 2658 2659 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2660 if (err) 2661 return (-1); 2662 2663 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2664 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2665 if (err) 2666 return (-1); 2667 2668 return (0); 2669} 2670 2671static void 2672print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2673{ 2674 print_tok_type(fp, tok->id, "process", oflags); 2675 if (oflags & AU_OFLAG_XML) { 2676 open_attr(fp, "audit-uid"); 2677 print_user(fp, tok->tt.proc64.auid, oflags); 2678 close_attr(fp); 2679 open_attr(fp, "uid"); 2680 print_user(fp, tok->tt.proc64.euid, oflags); 2681 close_attr(fp); 2682 open_attr(fp, "gid"); 2683 print_group(fp, tok->tt.proc64.egid, oflags); 2684 close_attr(fp); 2685 open_attr(fp, "ruid"); 2686 print_user(fp, tok->tt.proc64.ruid, oflags); 2687 close_attr(fp); 2688 open_attr(fp, "rgid"); 2689 print_group(fp, tok->tt.proc64.rgid, oflags); 2690 close_attr(fp); 2691 open_attr(fp, "pid"); 2692 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2693 close_attr(fp); 2694 open_attr(fp, "sid"); 2695 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2696 close_attr(fp); 2697 open_attr(fp, "tid"); 2698 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2699 print_ip_address(fp, tok->tt.proc64.tid.addr); 2700 close_attr(fp); 2701 close_tag(fp, tok->id); 2702 } else { 2703 print_delim(fp, del); 2704 print_user(fp, tok->tt.proc64.auid, oflags); 2705 print_delim(fp, del); 2706 print_user(fp, tok->tt.proc64.euid, oflags); 2707 print_delim(fp, del); 2708 print_group(fp, tok->tt.proc64.egid, oflags); 2709 print_delim(fp, del); 2710 print_user(fp, tok->tt.proc64.ruid, oflags); 2711 print_delim(fp, del); 2712 print_group(fp, tok->tt.proc64.rgid, oflags); 2713 print_delim(fp, del); 2714 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2715 print_delim(fp, del); 2716 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2717 print_delim(fp, del); 2718 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2719 print_delim(fp, del); 2720 print_ip_address(fp, tok->tt.proc64.tid.addr); 2721 } 2722} 2723 2724/* 2725 * token ID 1 byte 2726 * audit ID 4 bytes 2727 * effective user ID 4 bytes 2728 * effective group ID 4 bytes 2729 * real user ID 4 bytes 2730 * real group ID 4 bytes 2731 * process ID 4 bytes 2732 * session ID 4 bytes 2733 * terminal ID 2734 * port ID 4 bytes 2735 * address type-len 4 bytes 2736 * machine address 16 bytes 2737 */ 2738static int 2739fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2740{ 2741 int err = 0; 2742 2743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2744 if (err) 2745 return (-1); 2746 2747 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2748 if (err) 2749 return (-1); 2750 2751 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2752 if (err) 2753 return (-1); 2754 2755 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2756 if (err) 2757 return (-1); 2758 2759 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2760 if (err) 2761 return (-1); 2762 2763 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2764 if (err) 2765 return (-1); 2766 2767 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2768 if (err) 2769 return (-1); 2770 2771 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2772 err); 2773 if (err) 2774 return (-1); 2775 2776 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2777 err); 2778 if (err) 2779 return (-1); 2780 2781 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2782 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2783 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2784 if (err) 2785 return (-1); 2786 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2787 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2788 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2789 if (err) 2790 return (-1); 2791 } else 2792 return (-1); 2793 2794 return (0); 2795} 2796 2797static void 2798print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2799{ 2800 2801 print_tok_type(fp, tok->id, "process_ex", oflags); 2802 if (oflags & AU_OFLAG_XML) { 2803 open_attr(fp, "audit-uid"); 2804 print_user(fp, tok->tt.proc32_ex.auid, oflags); 2805 close_attr(fp); 2806 open_attr(fp, "uid"); 2807 print_user(fp, tok->tt.proc32_ex.euid, oflags); 2808 close_attr(fp); 2809 open_attr(fp, "gid"); 2810 print_group(fp, tok->tt.proc32_ex.egid, oflags); 2811 close_attr(fp); 2812 open_attr(fp, "ruid"); 2813 print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2814 close_attr(fp); 2815 open_attr(fp, "rgid"); 2816 print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2817 close_attr(fp); 2818 open_attr(fp, "pid"); 2819 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2820 close_attr(fp); 2821 open_attr(fp, "sid"); 2822 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2823 close_attr(fp); 2824 open_attr(fp, "tid"); 2825 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2826 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2827 tok->tt.proc32_ex.tid.addr); 2828 close_attr(fp); 2829 close_tag(fp, tok->id); 2830 } else { 2831 print_delim(fp, del); 2832 print_user(fp, tok->tt.proc32_ex.auid, oflags); 2833 print_delim(fp, del); 2834 print_user(fp, tok->tt.proc32_ex.euid, oflags); 2835 print_delim(fp, del); 2836 print_group(fp, tok->tt.proc32_ex.egid, oflags); 2837 print_delim(fp, del); 2838 print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2839 print_delim(fp, del); 2840 print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2841 print_delim(fp, del); 2842 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2843 print_delim(fp, del); 2844 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2845 print_delim(fp, del); 2846 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2847 print_delim(fp, del); 2848 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2849 tok->tt.proc32_ex.tid.addr); 2850 } 2851} 2852 2853/* 2854 * token ID 1 byte 2855 * audit ID 4 bytes 2856 * effective user ID 4 bytes 2857 * effective group ID 4 bytes 2858 * real user ID 4 bytes 2859 * real group ID 4 bytes 2860 * process ID 4 bytes 2861 * session ID 4 bytes 2862 * terminal ID 2863 * port ID 8 bytes 2864 * address type-len 4 bytes 2865 * machine address 16 bytes 2866 */ 2867static int 2868fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2869{ 2870 int err = 0; 2871 2872 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2873 if (err) 2874 return (-1); 2875 2876 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2877 if (err) 2878 return (-1); 2879 2880 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2881 if (err) 2882 return (-1); 2883 2884 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2885 if (err) 2886 return (-1); 2887 2888 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2889 if (err) 2890 return (-1); 2891 2892 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2893 if (err) 2894 return (-1); 2895 2896 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2897 if (err) 2898 return (-1); 2899 2900 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2901 err); 2902 if (err) 2903 return (-1); 2904 2905 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2906 err); 2907 if (err) 2908 return (-1); 2909 2910 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2911 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2912 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2913 if (err) 2914 return (-1); 2915 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2916 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2917 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2918 if (err) 2919 return (-1); 2920 } else 2921 return (-1); 2922 2923 return (0); 2924} 2925 2926static void 2927print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2928{ 2929 print_tok_type(fp, tok->id, "process_ex", oflags); 2930 if (oflags & AU_OFLAG_XML) { 2931 open_attr(fp, "audit-uid"); 2932 print_user(fp, tok->tt.proc64_ex.auid, oflags); 2933 close_attr(fp); 2934 open_attr(fp, "uid"); 2935 print_user(fp, tok->tt.proc64_ex.euid, oflags); 2936 close_attr(fp); 2937 open_attr(fp, "gid"); 2938 print_group(fp, tok->tt.proc64_ex.egid, oflags); 2939 close_attr(fp); 2940 open_attr(fp, "ruid"); 2941 print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2942 close_attr(fp); 2943 open_attr(fp, "rgid"); 2944 print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2945 close_attr(fp); 2946 open_attr(fp, "pid"); 2947 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2948 close_attr(fp); 2949 open_attr(fp, "sid"); 2950 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2951 close_attr(fp); 2952 open_attr(fp, "tid"); 2953 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2954 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2955 tok->tt.proc64_ex.tid.addr); 2956 close_attr(fp); 2957 close_tag(fp, tok->id); 2958 } else { 2959 print_delim(fp, del); 2960 print_user(fp, tok->tt.proc64_ex.auid, oflags); 2961 print_delim(fp, del); 2962 print_user(fp, tok->tt.proc64_ex.euid, oflags); 2963 print_delim(fp, del); 2964 print_group(fp, tok->tt.proc64_ex.egid, oflags); 2965 print_delim(fp, del); 2966 print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2967 print_delim(fp, del); 2968 print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2969 print_delim(fp, del); 2970 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2971 print_delim(fp, del); 2972 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2973 print_delim(fp, del); 2974 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2975 print_delim(fp, del); 2976 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2977 tok->tt.proc64_ex.tid.addr); 2978 } 2979} 2980 2981/* 2982 * errno 1 byte 2983 * return value 4 bytes 2984 */ 2985static int 2986fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2987{ 2988 int err = 0; 2989 2990 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2991 if (err) 2992 return (-1); 2993 2994 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2995 if (err) 2996 return (-1); 2997 2998 return (0); 2999} 3000 3001static void 3002print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3003{ 3004 3005 print_tok_type(fp, tok->id, "return", oflags); 3006 if (oflags & AU_OFLAG_XML) { 3007 open_attr(fp ,"errval"); 3008 print_retval(fp, tok->tt.ret32.status, oflags); 3009 close_attr(fp); 3010 open_attr(fp, "retval"); 3011 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3012 close_attr(fp); 3013 close_tag(fp, tok->id); 3014 } else { 3015 print_delim(fp, del); 3016 print_retval(fp, tok->tt.ret32.status, oflags); 3017 print_delim(fp, del); 3018 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3019 } 3020} 3021 3022static int 3023fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 3024{ 3025 int err = 0; 3026 3027 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3028 if (err) 3029 return (-1); 3030 3031 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3032 if (err) 3033 return (-1); 3034 3035 return (0); 3036} 3037 3038static void 3039print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3040{ 3041 3042 print_tok_type(fp, tok->id, "return", oflags); 3043 if (oflags & AU_OFLAG_XML) { 3044 open_attr(fp, "errval"); 3045 print_retval(fp, tok->tt.ret64.err, oflags); 3046 close_attr(fp); 3047 open_attr(fp, "retval"); 3048 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3049 close_attr(fp); 3050 close_tag(fp, tok->id); 3051 } else { 3052 print_delim(fp, del); 3053 print_retval(fp, tok->tt.ret64.err, oflags); 3054 print_delim(fp, del); 3055 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3056 } 3057} 3058 3059/* 3060 * seq 4 bytes 3061 */ 3062static int 3063fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3064{ 3065 int err = 0; 3066 3067 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3068 if (err) 3069 return (-1); 3070 3071 return (0); 3072} 3073 3074static void 3075print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3076{ 3077 3078 print_tok_type(fp, tok->id, "sequence", oflags); 3079 if (oflags & AU_OFLAG_XML) { 3080 open_attr(fp, "seq-num"); 3081 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3082 close_attr(fp); 3083 close_tag(fp, tok->id); 3084 } else { 3085 print_delim(fp, del); 3086 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3087 } 3088} 3089 3090/* 3091 * socket family 2 bytes 3092 * local port 2 bytes 3093 * socket address 4 bytes 3094 */ 3095static int 3096fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3097{ 3098 int err = 0; 3099 3100 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3101 err); 3102 if (err) 3103 return (-1); 3104 3105 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3106 sizeof(uint16_t), tok->len, err); 3107 if (err) 3108 return (-1); 3109 3110 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3111 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3112 if (err) 3113 return (-1); 3114 3115 return (0); 3116} 3117 3118static void 3119print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3120{ 3121 3122 print_tok_type(fp, tok->id, "socket-inet", oflags); 3123 if (oflags & AU_OFLAG_XML) { 3124 open_attr(fp, "type"); 3125 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3126 close_attr(fp); 3127 open_attr(fp, "port"); 3128 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3129 close_attr(fp); 3130 open_attr(fp, "addr"); 3131 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3132 close_attr(fp); 3133 close_tag(fp, tok->id); 3134 } else { 3135 print_delim(fp, del); 3136 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3137 print_delim(fp, del); 3138 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3139 print_delim(fp, del); 3140 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3141 } 3142} 3143 3144/* 3145 * socket family 2 bytes 3146 * local port 2 bytes 3147 * socket address 16 bytes 3148 */ 3149static int 3150fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3151{ 3152 int err = 0; 3153 3154 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3155 err); 3156 if (err) 3157 return (-1); 3158 3159 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3160 sizeof(uint16_t), tok->len, err); 3161 if (err) 3162 return (-1); 3163 3164 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3165 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3166 if (err) 3167 return (-1); 3168 3169 return (0); 3170} 3171 3172static void 3173print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3174{ 3175 3176 print_tok_type(fp, tok->id, "socket-inet6", oflags); 3177 if (oflags & AU_OFLAG_XML) { 3178 open_attr(fp, "type"); 3179 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3180 close_attr(fp); 3181 open_attr(fp, "port"); 3182 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3183 close_attr(fp); 3184 open_attr(fp, "addr"); 3185 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3186 close_attr(fp); 3187 close_tag(fp, tok->id); 3188 } else { 3189 print_delim(fp, del); 3190 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3191 print_delim(fp, del); 3192 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3193 print_delim(fp, del); 3194 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3195 } 3196} 3197 3198/* 3199 * socket family 2 bytes 3200 * path (up to) 104 bytes + NULL (NULL terminated string). 3201 */ 3202static int 3203fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3204{ 3205 int err = 0; 3206 u_char *p; 3207 int slen; 3208 3209 3210 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3211 if (err) 3212 return (-1); 3213 3214 /* slen = strnlen((buf + tok->len), 104) + 1; */ 3215 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104); 3216 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1; 3217 3218 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err); 3219 if (err) 3220 return (-1); 3221 3222 return (0); 3223} 3224 3225static void 3226print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3227{ 3228 3229 print_tok_type(fp, tok->id, "socket-unix", oflags); 3230 if (oflags & AU_OFLAG_XML) { 3231 open_attr(fp, "type"); 3232 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3233 close_attr(fp); 3234 open_attr(fp, "port"); 3235 close_attr(fp); 3236 open_attr(fp, "addr"); 3237 print_string(fp, tok->tt.sockunix.path, 3238 strlen(tok->tt.sockunix.path)); 3239 close_attr(fp); 3240 close_tag(fp, tok->id); 3241 } else { 3242 print_delim(fp, del); 3243 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3244 print_delim(fp, del); 3245 print_string(fp, tok->tt.sockunix.path, 3246 strlen(tok->tt.sockunix.path)); 3247 } 3248} 3249 3250/* 3251 * socket type 2 bytes 3252 * local port 2 bytes 3253 * local address 4 bytes 3254 * remote port 2 bytes 3255 * remote address 4 bytes 3256 */ 3257static int 3258fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3259{ 3260 int err = 0; 3261 3262 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3263 if (err) 3264 return (-1); 3265 3266 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3267 tok->len, err); 3268 if (err) 3269 return (-1); 3270 3271 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3272 sizeof(tok->tt.socket.l_addr), tok->len, err); 3273 if (err) 3274 return (-1); 3275 3276 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3277 tok->len, err); 3278 if (err) 3279 return (-1); 3280 3281 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3282 sizeof(tok->tt.socket.r_addr), tok->len, err); 3283 if (err) 3284 return (-1); 3285 3286 return (0); 3287} 3288 3289static void 3290print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3291{ 3292 3293 print_tok_type(fp, tok->id, "socket", oflags); 3294 if (oflags & AU_OFLAG_XML) { 3295 open_attr(fp, "sock_type"); 3296 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3297 close_attr(fp); 3298 open_attr(fp, "lport"); 3299 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3300 close_attr(fp); 3301 open_attr(fp, "laddr"); 3302 print_ip_address(fp, tok->tt.socket.l_addr); 3303 close_attr(fp); 3304 open_attr(fp, "fport"); 3305 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3306 close_attr(fp); 3307 open_attr(fp, "faddr"); 3308 print_ip_address(fp, tok->tt.socket.r_addr); 3309 close_attr(fp); 3310 close_tag(fp, tok->id); 3311 } else { 3312 print_delim(fp, del); 3313 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3314 print_delim(fp, del); 3315 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3316 print_delim(fp, del); 3317 print_ip_address(fp, tok->tt.socket.l_addr); 3318 print_delim(fp, del); 3319 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3320 print_delim(fp, del); 3321 print_ip_address(fp, tok->tt.socket.r_addr); 3322 } 3323} 3324 3325/* 3326 * audit ID 4 bytes 3327 * euid 4 bytes 3328 * egid 4 bytes 3329 * ruid 4 bytes 3330 * rgid 4 bytes 3331 * pid 4 bytes 3332 * sessid 4 bytes 3333 * terminal ID 3334 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3335 * machine id 4 bytes 3336 */ 3337static int 3338fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3339{ 3340 int err = 0; 3341 3342 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3343 if (err) 3344 return (-1); 3345 3346 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3347 if (err) 3348 return (-1); 3349 3350 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3351 if (err) 3352 return (-1); 3353 3354 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3355 if (err) 3356 return (-1); 3357 3358 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3359 if (err) 3360 return (-1); 3361 3362 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3363 if (err) 3364 return (-1); 3365 3366 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3367 if (err) 3368 return (-1); 3369 3370 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3371 if (err) 3372 return (-1); 3373 3374 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3375 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3376 if (err) 3377 return (-1); 3378 3379 return (0); 3380} 3381 3382static void 3383print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3384{ 3385 3386 print_tok_type(fp, tok->id, "subject", oflags); 3387 if (oflags & AU_OFLAG_XML) { 3388 open_attr(fp, "audit-uid"); 3389 print_user(fp, tok->tt.subj32.auid, oflags); 3390 close_attr(fp); 3391 open_attr(fp, "uid"); 3392 print_user(fp, tok->tt.subj32.euid, oflags); 3393 close_attr(fp); 3394 open_attr(fp, "gid"); 3395 print_group(fp, tok->tt.subj32.egid, oflags); 3396 close_attr(fp); 3397 open_attr(fp, "ruid"); 3398 print_user(fp, tok->tt.subj32.ruid, oflags); 3399 close_attr(fp); 3400 open_attr(fp, "rgid"); 3401 print_group(fp, tok->tt.subj32.rgid, oflags); 3402 close_attr(fp); 3403 open_attr(fp,"pid"); 3404 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3405 close_attr(fp); 3406 open_attr(fp,"sid"); 3407 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3408 close_attr(fp); 3409 open_attr(fp,"tid"); 3410 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3411 print_ip_address(fp, tok->tt.subj32.tid.addr); 3412 close_attr(fp); 3413 close_tag(fp, tok->id); 3414 } else { 3415 print_delim(fp, del); 3416 print_user(fp, tok->tt.subj32.auid, oflags); 3417 print_delim(fp, del); 3418 print_user(fp, tok->tt.subj32.euid, oflags); 3419 print_delim(fp, del); 3420 print_group(fp, tok->tt.subj32.egid, oflags); 3421 print_delim(fp, del); 3422 print_user(fp, tok->tt.subj32.ruid, oflags); 3423 print_delim(fp, del); 3424 print_group(fp, tok->tt.subj32.rgid, oflags); 3425 print_delim(fp, del); 3426 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3427 print_delim(fp, del); 3428 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3429 print_delim(fp, del); 3430 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3431 print_delim(fp, del); 3432 print_ip_address(fp, tok->tt.subj32.tid.addr); 3433 } 3434} 3435 3436static void 3437print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3438{ 3439 3440 print_tok_type(fp, tok->id, "use of privilege", oflags); 3441 if (oflags & AU_OFLAG_XML) { 3442 open_attr(fp, "status"); 3443 if (tok->tt.priv.sorf) 3444 (void) fprintf(fp, "successful use of priv"); 3445 else 3446 (void) fprintf(fp, "failed use of priv"); 3447 close_attr(fp); 3448 open_attr(fp, "name"); 3449 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3450 close_attr(fp); 3451 close_tag(fp, tok->id); 3452 } else { 3453 print_delim(fp, del); 3454 if (tok->tt.priv.sorf) 3455 (void) fprintf(fp, "successful use of priv"); 3456 else 3457 (void) fprintf(fp, "failed use of priv"); 3458 print_delim(fp, del); 3459 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3460 } 3461} 3462 3463/* 3464 * status 1 byte 3465 * privstrlen 2 bytes 3466 * priv N bytes + 1 (\0 byte) 3467 */ 3468static int 3469fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len) 3470{ 3471 int err = 0; 3472 3473 READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err); 3474 if (err) 3475 return (-1); 3476 READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err); 3477 if (err) 3478 return (-1); 3479 SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen, 3480 tok->len, err); 3481 if (err) 3482 return (-1); 3483 return (0); 3484} 3485 3486/* 3487 * privtstrlen 1 byte 3488 * privtstr N bytes + 1 3489 * privstrlen 1 byte 3490 * privstr N bytes + 1 3491 */ 3492static int 3493fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len) 3494{ 3495 int err = 0; 3496 3497 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen, 3498 tok->len, err); 3499 if (err) 3500 return (-1); 3501 SET_PTR((char *)buf, len, tok->tt.privset.privtstr, 3502 tok->tt.privset.privtstrlen, tok->len, err); 3503 if (err) 3504 return (-1); 3505 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen, 3506 tok->len, err); 3507 if (err) 3508 return (-1); 3509 SET_PTR((char *)buf, len, tok->tt.privset.privstr, 3510 tok->tt.privset.privstrlen, tok->len, err); 3511 if (err) 3512 return (-1); 3513 return (0); 3514} 3515 3516static void 3517print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3518{ 3519 3520 print_tok_type(fp, tok->id, "privilege", oflags); 3521 if (oflags & AU_OFLAG_XML) { 3522 open_attr(fp, "type"); 3523 print_string(fp, tok->tt.privset.privtstr, 3524 tok->tt.privset.privtstrlen); 3525 close_attr(fp); 3526 open_attr(fp, "priv"); 3527 print_string(fp, tok->tt.privset.privstr, 3528 tok->tt.privset.privstrlen); 3529 close_attr(fp); 3530 } else { 3531 print_delim(fp, del); 3532 print_string(fp, tok->tt.privset.privtstr, 3533 tok->tt.privset.privtstrlen); 3534 print_delim(fp, del); 3535 print_string(fp, tok->tt.privset.privstr, 3536 tok->tt.privset.privstrlen); 3537 } 3538} 3539 3540/* 3541 * audit ID 4 bytes 3542 * euid 4 bytes 3543 * egid 4 bytes 3544 * ruid 4 bytes 3545 * rgid 4 bytes 3546 * pid 4 bytes 3547 * sessid 4 bytes 3548 * terminal ID 3549 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3550 * machine id 4 bytes 3551 */ 3552static int 3553fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3554{ 3555 int err = 0; 3556 3557 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3558 if (err) 3559 return (-1); 3560 3561 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3562 if (err) 3563 return (-1); 3564 3565 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3566 if (err) 3567 return (-1); 3568 3569 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3570 if (err) 3571 return (-1); 3572 3573 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3574 if (err) 3575 return (-1); 3576 3577 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3578 if (err) 3579 return (-1); 3580 3581 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3582 if (err) 3583 return (-1); 3584 3585 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3586 if (err) 3587 return (-1); 3588 3589 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3590 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3591 if (err) 3592 return (-1); 3593 3594 return (0); 3595} 3596 3597static void 3598print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3599{ 3600 3601 print_tok_type(fp, tok->id, "subject", oflags); 3602 if (oflags & AU_OFLAG_XML) { 3603 open_attr(fp, "audit-uid"); 3604 print_user(fp, tok->tt.subj64.auid, oflags); 3605 close_attr(fp); 3606 open_attr(fp, "uid"); 3607 print_user(fp, tok->tt.subj64.euid, oflags); 3608 close_attr(fp); 3609 open_attr(fp, "gid"); 3610 print_group(fp, tok->tt.subj64.egid, oflags); 3611 close_attr(fp); 3612 open_attr(fp, "ruid"); 3613 print_user(fp, tok->tt.subj64.ruid, oflags); 3614 close_attr(fp); 3615 open_attr(fp, "rgid"); 3616 print_group(fp, tok->tt.subj64.rgid, oflags); 3617 close_attr(fp); 3618 open_attr(fp, "pid"); 3619 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3620 close_attr(fp); 3621 open_attr(fp, "sid"); 3622 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3623 close_attr(fp); 3624 open_attr(fp, "tid"); 3625 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3626 print_ip_address(fp, tok->tt.subj64.tid.addr); 3627 close_attr(fp); 3628 close_tag(fp, tok->id); 3629 } else { 3630 print_delim(fp, del); 3631 print_user(fp, tok->tt.subj64.auid, oflags); 3632 print_delim(fp, del); 3633 print_user(fp, tok->tt.subj64.euid, oflags); 3634 print_delim(fp, del); 3635 print_group(fp, tok->tt.subj64.egid, oflags); 3636 print_delim(fp, del); 3637 print_user(fp, tok->tt.subj64.ruid, oflags); 3638 print_delim(fp, del); 3639 print_group(fp, tok->tt.subj64.rgid, oflags); 3640 print_delim(fp, del); 3641 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3642 print_delim(fp, del); 3643 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3644 print_delim(fp, del); 3645 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3646 print_delim(fp, del); 3647 print_ip_address(fp, tok->tt.subj64.tid.addr); 3648 } 3649} 3650 3651/* 3652 * audit ID 4 bytes 3653 * euid 4 bytes 3654 * egid 4 bytes 3655 * ruid 4 bytes 3656 * rgid 4 bytes 3657 * pid 4 bytes 3658 * sessid 4 bytes 3659 * terminal ID 3660 * portid 4 bytes 3661 * type 4 bytes 3662 * machine id 16 bytes 3663 */ 3664static int 3665fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3666{ 3667 int err = 0; 3668 3669 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3670 if (err) 3671 return (-1); 3672 3673 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3674 if (err) 3675 return (-1); 3676 3677 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3678 if (err) 3679 return (-1); 3680 3681 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3682 if (err) 3683 return (-1); 3684 3685 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3686 if (err) 3687 return (-1); 3688 3689 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3690 if (err) 3691 return (-1); 3692 3693 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3694 if (err) 3695 return (-1); 3696 3697 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3698 err); 3699 if (err) 3700 return (-1); 3701 3702 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3703 err); 3704 if (err) 3705 return (-1); 3706 3707 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3708 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3709 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3710 if (err) 3711 return (-1); 3712 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3713 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3714 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3715 if (err) 3716 return (-1); 3717 } else 3718 return (-1); 3719 3720 return (0); 3721} 3722 3723static void 3724print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3725{ 3726 3727 print_tok_type(fp, tok->id, "subject_ex", oflags); 3728 if (oflags & AU_OFLAG_XML) { 3729 open_attr(fp, "audit-uid"); 3730 print_user(fp, tok->tt.subj32_ex.auid, oflags); 3731 close_attr(fp); 3732 open_attr(fp, "uid"); 3733 print_user(fp, tok->tt.subj32_ex.euid, oflags); 3734 close_attr(fp); 3735 open_attr(fp, "gid"); 3736 print_group(fp, tok->tt.subj32_ex.egid, oflags); 3737 close_attr(fp); 3738 open_attr(fp, "ruid"); 3739 print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3740 close_attr(fp); 3741 open_attr(fp, "rgid"); 3742 print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3743 close_attr(fp); 3744 open_attr(fp, "pid"); 3745 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3746 close_attr(fp); 3747 open_attr(fp, "sid"); 3748 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3749 close_attr(fp); 3750 open_attr(fp, "tid"); 3751 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3752 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3753 tok->tt.subj32_ex.tid.addr); 3754 close_attr(fp); 3755 close_tag(fp, tok->id); 3756 } else { 3757 print_delim(fp, del); 3758 print_user(fp, tok->tt.subj32_ex.auid, oflags); 3759 print_delim(fp, del); 3760 print_user(fp, tok->tt.subj32_ex.euid, oflags); 3761 print_delim(fp, del); 3762 print_group(fp, tok->tt.subj32_ex.egid, oflags); 3763 print_delim(fp, del); 3764 print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3765 print_delim(fp, del); 3766 print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3767 print_delim(fp, del); 3768 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3769 print_delim(fp, del); 3770 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3771 print_delim(fp, del); 3772 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3773 print_delim(fp, del); 3774 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3775 tok->tt.subj32_ex.tid.addr); 3776 } 3777} 3778 3779/* 3780 * audit ID 4 bytes 3781 * euid 4 bytes 3782 * egid 4 bytes 3783 * ruid 4 bytes 3784 * rgid 4 bytes 3785 * pid 4 bytes 3786 * sessid 4 bytes 3787 * terminal ID 3788 * portid 8 bytes 3789 * type 4 bytes 3790 * machine id 16 bytes 3791 */ 3792static int 3793fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3794{ 3795 int err = 0; 3796 3797 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3798 if (err) 3799 return (-1); 3800 3801 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3802 if (err) 3803 return (-1); 3804 3805 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3806 if (err) 3807 return (-1); 3808 3809 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3810 if (err) 3811 return (-1); 3812 3813 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3814 if (err) 3815 return (-1); 3816 3817 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3818 if (err) 3819 return (-1); 3820 3821 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3822 if (err) 3823 return (-1); 3824 3825 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3826 err); 3827 if (err) 3828 return (-1); 3829 3830 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3831 err); 3832 if (err) 3833 return (-1); 3834 3835 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3836 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3837 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3838 if (err) 3839 return (-1); 3840 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3841 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3842 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3843 if (err) 3844 return (-1); 3845 } else 3846 return (-1); 3847 3848 return (0); 3849} 3850 3851static void 3852print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3853{ 3854 print_tok_type(fp, tok->id, "subject_ex", oflags); 3855 if (oflags & AU_OFLAG_XML) { 3856 open_attr(fp, "audit-uid"); 3857 print_user(fp, tok->tt.subj64_ex.auid, oflags); 3858 close_attr(fp); 3859 open_attr(fp, "uid"); 3860 print_user(fp, tok->tt.subj64_ex.euid, oflags); 3861 close_attr(fp); 3862 open_attr(fp, "gid"); 3863 print_group(fp, tok->tt.subj64_ex.egid, oflags); 3864 close_attr(fp); 3865 open_attr(fp, "ruid"); 3866 print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3867 close_attr(fp); 3868 open_attr(fp, "rgid"); 3869 print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3870 close_attr(fp); 3871 open_attr(fp, "pid"); 3872 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3873 close_attr(fp); 3874 open_attr(fp, "sid"); 3875 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3876 close_attr(fp); 3877 open_attr(fp, "tid"); 3878 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3879 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3880 tok->tt.subj64_ex.tid.addr); 3881 close_attr(fp); 3882 close_tag(fp, tok->id); 3883 } else { 3884 print_delim(fp, del); 3885 print_user(fp, tok->tt.subj64_ex.auid, oflags); 3886 print_delim(fp, del); 3887 print_user(fp, tok->tt.subj64_ex.euid, oflags); 3888 print_delim(fp, del); 3889 print_group(fp, tok->tt.subj64_ex.egid, oflags); 3890 print_delim(fp, del); 3891 print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3892 print_delim(fp, del); 3893 print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3894 print_delim(fp, del); 3895 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3896 print_delim(fp, del); 3897 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3898 print_delim(fp, del); 3899 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3900 print_delim(fp, del); 3901 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3902 tok->tt.subj64_ex.tid.addr); 3903 } 3904} 3905 3906/* 3907 * size 2 bytes 3908 * data size bytes 3909 */ 3910static int 3911fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3912{ 3913 int err = 0; 3914 3915 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3916 if (err) 3917 return (-1); 3918 3919 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3920 err); 3921 if (err) 3922 return (-1); 3923 3924 return (0); 3925} 3926 3927static void 3928print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3929{ 3930 3931 print_tok_type(fp, tok->id, "text", oflags); 3932 if (oflags & AU_OFLAG_XML) { 3933 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3934 close_tag(fp, tok->id); 3935 } else { 3936 print_delim(fp, del); 3937 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3938 } 3939} 3940 3941/* 3942 * socket domain 2 bytes 3943 * socket type 2 bytes 3944 * address type 2 bytes 3945 * local port 2 bytes 3946 * local Internet address 4/16 bytes 3947 * remote port 2 bytes 3948 * remote Internet address 4/16 bytes 3949 */ 3950static int 3951fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3952{ 3953 int err = 0; 3954 3955 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3956 err); 3957 if (err) 3958 return (-1); 3959 3960 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3961 err); 3962 if (err) 3963 return (-1); 3964 3965 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3966 err); 3967 if (err) 3968 return (-1); 3969 3970 if (tok->tt.socket_ex32.atype != AU_IPv4 && 3971 tok->tt.socket_ex32.atype != AU_IPv6) 3972 return (-1); 3973 3974 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3975 sizeof(uint16_t), tok->len, err); 3976 if (err) 3977 return (-1); 3978 3979 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3980 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3981 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3982 if (err) 3983 return (-1); 3984 } else { 3985 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3986 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3987 if (err) 3988 return (-1); 3989 } 3990 3991 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3992 sizeof(uint16_t), tok->len, err); 3993 if (err) 3994 return (-1); 3995 3996 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3997 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3998 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3999 if (err) 4000 return (-1); 4001 } else { 4002 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 4003 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 4004 if (err) 4005 return (-1); 4006 } 4007 4008 return (0); 4009} 4010 4011static void 4012print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4013{ 4014 4015 /* 4016 * This print routine prints BSM constant space domains and socket 4017 * types rather than converting them. If we add string printers for 4018 * these constants in the future, we may want to call conversion 4019 * routines. 4020 */ 4021 print_tok_type(fp, tok->id, "socket", oflags); 4022 if (oflags & AU_OFLAG_XML) { 4023 open_attr(fp, "sock_dom"); 4024 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4025 close_attr(fp); 4026 open_attr(fp, "sock_type"); 4027 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4028 close_attr(fp); 4029 open_attr(fp, "lport"); 4030 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4031 close_attr(fp); 4032 open_attr(fp, "laddr"); 4033 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4034 tok->tt.socket_ex32.l_addr); 4035 close_attr(fp); 4036 open_attr(fp, "faddr"); 4037 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4038 tok->tt.socket_ex32.r_addr); 4039 close_attr(fp); 4040 open_attr(fp, "fport"); 4041 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4042 close_attr(fp); 4043 close_tag(fp, tok->id); 4044 } else { 4045 print_delim(fp, del); 4046 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4047 print_delim(fp, del); 4048 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4049 print_delim(fp, del); 4050 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4051 print_delim(fp, del); 4052 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4053 tok->tt.socket_ex32.l_addr); 4054 print_delim(fp, del); 4055 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4056 print_delim(fp, del); 4057 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4058 tok->tt.socket_ex32.r_addr); 4059 } 4060} 4061 4062static int 4063fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 4064{ 4065 int err = 0; 4066 int recoversize; 4067 4068 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 4069 if (recoversize <= 0) 4070 return (-1); 4071 4072 tok->tt.invalid.length = recoversize; 4073 4074 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 4075 err); 4076 if (err) 4077 return (-1); 4078 4079 return (0); 4080} 4081 4082static void 4083print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4084{ 4085 4086 if (!(oflags & AU_OFLAG_XML)) { 4087 print_tok_type(fp, tok->id, "unknown", oflags); 4088 print_delim(fp, del); 4089 print_mem(fp, (u_char*)tok->tt.invalid.data, 4090 tok->tt.invalid.length); 4091 } 4092} 4093 4094 4095/* 4096 * size 2 bytes; 4097 * zonename size bytes; 4098 */ 4099static int 4100fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 4101{ 4102 int err = 0; 4103 4104 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 4105 if (err) 4106 return (-1); 4107 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 4108 tok->len, err); 4109 if (err) 4110 return (-1); 4111 return (0); 4112} 4113 4114static void 4115print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4116{ 4117 4118 print_tok_type(fp, tok->id, "zone", oflags); 4119 if (oflags & AU_OFLAG_XML) { 4120 open_attr(fp, "name"); 4121 print_string(fp, tok->tt.zonename.zonename, 4122 tok->tt.zonename.len); 4123 close_attr(fp); 4124 close_tag(fp, tok->id); 4125 } else { 4126 print_delim(fp, del); 4127 print_string(fp, tok->tt.zonename.zonename, 4128 tok->tt.zonename.len); 4129 } 4130} 4131 4132/* 4133 * Reads the token beginning at buf into tok. 4134 */ 4135int 4136au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4137{ 4138 4139 if (len <= 0) 4140 return (-1); 4141 4142 tok->len = 1; 4143 tok->data = buf; 4144 tok->id = *buf; 4145 4146 switch(tok->id) { 4147 case AUT_HEADER32: 4148 return (fetch_header32_tok(tok, buf, len)); 4149 4150 case AUT_HEADER32_EX: 4151 return (fetch_header32_ex_tok(tok, buf, len)); 4152 4153 case AUT_HEADER64: 4154 return (fetch_header64_tok(tok, buf, len)); 4155 4156 case AUT_HEADER64_EX: 4157 return (fetch_header64_ex_tok(tok, buf, len)); 4158 4159 case AUT_TRAILER: 4160 return (fetch_trailer_tok(tok, buf, len)); 4161 4162 case AUT_ARG32: 4163 return (fetch_arg32_tok(tok, buf, len)); 4164 4165 case AUT_ARG64: 4166 return (fetch_arg64_tok(tok, buf, len)); 4167 4168 case AUT_ATTR32: 4169 return (fetch_attr32_tok(tok, buf, len)); 4170 4171 case AUT_ATTR64: 4172 return (fetch_attr64_tok(tok, buf, len)); 4173 4174 case AUT_EXIT: 4175 return (fetch_exit_tok(tok, buf, len)); 4176 4177 case AUT_EXEC_ARGS: 4178 return (fetch_execarg_tok(tok, buf, len)); 4179 4180 case AUT_EXEC_ENV: 4181 return (fetch_execenv_tok(tok, buf, len)); 4182 4183 case AUT_OTHER_FILE32: 4184 return (fetch_file_tok(tok, buf, len)); 4185 4186 case AUT_NEWGROUPS: 4187 return (fetch_newgroups_tok(tok, buf, len)); 4188 4189 case AUT_IN_ADDR: 4190 return (fetch_inaddr_tok(tok, buf, len)); 4191 4192 case AUT_IN_ADDR_EX: 4193 return (fetch_inaddr_ex_tok(tok, buf, len)); 4194 4195 case AUT_IP: 4196 return (fetch_ip_tok(tok, buf, len)); 4197 4198 case AUT_IPC: 4199 return (fetch_ipc_tok(tok, buf, len)); 4200 4201 case AUT_IPC_PERM: 4202 return (fetch_ipcperm_tok(tok, buf, len)); 4203 4204 case AUT_IPORT: 4205 return (fetch_iport_tok(tok, buf, len)); 4206 4207 case AUT_OPAQUE: 4208 return (fetch_opaque_tok(tok, buf, len)); 4209 4210 case AUT_PATH: 4211 return (fetch_path_tok(tok, buf, len)); 4212 4213 case AUT_PROCESS32: 4214 return (fetch_process32_tok(tok, buf, len)); 4215 4216 case AUT_PROCESS32_EX: 4217 return (fetch_process32ex_tok(tok, buf, len)); 4218 4219 case AUT_PROCESS64: 4220 return (fetch_process64_tok(tok, buf, len)); 4221 4222 case AUT_PROCESS64_EX: 4223 return (fetch_process64ex_tok(tok, buf, len)); 4224 4225 case AUT_RETURN32: 4226 return (fetch_return32_tok(tok, buf, len)); 4227 4228 case AUT_RETURN64: 4229 return (fetch_return64_tok(tok, buf, len)); 4230 4231 case AUT_SEQ: 4232 return (fetch_seq_tok(tok, buf, len)); 4233 4234 case AUT_SOCKET: 4235 return (fetch_socket_tok(tok, buf, len)); 4236 4237 case AUT_SOCKINET32: 4238 return (fetch_sock_inet32_tok(tok, buf, len)); 4239 4240 case AUT_SOCKUNIX: 4241 return (fetch_sock_unix_tok(tok, buf, len)); 4242 4243 case AUT_SOCKINET128: 4244 return (fetch_sock_inet128_tok(tok, buf, len)); 4245 4246 case AUT_SUBJECT32: 4247 return (fetch_subject32_tok(tok, buf, len)); 4248 4249 case AUT_SUBJECT32_EX: 4250 return (fetch_subject32ex_tok(tok, buf, len)); 4251 4252 case AUT_SUBJECT64: 4253 return (fetch_subject64_tok(tok, buf, len)); 4254 4255 case AUT_SUBJECT64_EX: 4256 return (fetch_subject64ex_tok(tok, buf, len)); 4257 4258 case AUT_TEXT: 4259 return (fetch_text_tok(tok, buf, len)); 4260 4261 case AUT_SOCKET_EX: 4262 return (fetch_socketex32_tok(tok, buf, len)); 4263 4264 case AUT_DATA: 4265 return (fetch_arb_tok(tok, buf, len)); 4266 4267 case AUT_ZONENAME: 4268 return (fetch_zonename_tok(tok, buf, len)); 4269 4270 case AUT_UPRIV: 4271 return (fetch_priv_tok(tok, buf, len)); 4272 4273 case AUT_PRIV: 4274 return (fetch_privset_tok(tok, buf, len)); 4275 4276 default: 4277 return (fetch_invalid_tok(tok, buf, len)); 4278 } 4279} 4280 4281void 4282au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags) 4283{ 4284 4285 switch(tok->id) { 4286 case AUT_HEADER32: 4287 print_header32_tok(outfp, tok, del, oflags); 4288 return; 4289 4290 case AUT_HEADER32_EX: 4291 print_header32_ex_tok(outfp, tok, del, oflags); 4292 return; 4293 4294 case AUT_HEADER64: 4295 print_header64_tok(outfp, tok, del, oflags); 4296 return; 4297 4298 case AUT_HEADER64_EX: 4299 print_header64_ex_tok(outfp, tok, del, oflags); 4300 return; 4301 4302 case AUT_TRAILER: 4303 print_trailer_tok(outfp, tok, del, oflags); 4304 return; 4305 4306 case AUT_ARG32: 4307 print_arg32_tok(outfp, tok, del, oflags); 4308 return; 4309 4310 case AUT_ARG64: 4311 print_arg64_tok(outfp, tok, del, oflags); 4312 return; 4313 4314 case AUT_DATA: 4315 print_arb_tok(outfp, tok, del, oflags); 4316 return; 4317 4318 case AUT_ATTR32: 4319 print_attr32_tok(outfp, tok, del, oflags); 4320 return; 4321 4322 case AUT_ATTR64: 4323 print_attr64_tok(outfp, tok, del, oflags); 4324 return; 4325 4326 case AUT_EXIT: 4327 print_exit_tok(outfp, tok, del, oflags); 4328 return; 4329 4330 case AUT_EXEC_ARGS: 4331 print_execarg_tok(outfp, tok, del, oflags); 4332 return; 4333 4334 case AUT_EXEC_ENV: 4335 print_execenv_tok(outfp, tok, del, oflags); 4336 return; 4337 4338 case AUT_OTHER_FILE32: 4339 print_file_tok(outfp, tok, del, oflags); 4340 return; 4341 4342 case AUT_NEWGROUPS: 4343 print_newgroups_tok(outfp, tok, del, oflags); 4344 return; 4345 4346 case AUT_IN_ADDR: 4347 print_inaddr_tok(outfp, tok, del, oflags); 4348 return; 4349 4350 case AUT_IN_ADDR_EX: 4351 print_inaddr_ex_tok(outfp, tok, del, oflags); 4352 return; 4353 4354 case AUT_IP: 4355 print_ip_tok(outfp, tok, del, oflags); 4356 return; 4357 4358 case AUT_IPC: 4359 print_ipc_tok(outfp, tok, del, oflags); 4360 return; 4361 4362 case AUT_IPC_PERM: 4363 print_ipcperm_tok(outfp, tok, del, oflags); 4364 return; 4365 4366 case AUT_IPORT: 4367 print_iport_tok(outfp, tok, del, oflags); 4368 return; 4369 4370 case AUT_OPAQUE: 4371 print_opaque_tok(outfp, tok, del, oflags); 4372 return; 4373 4374 case AUT_PATH: 4375 print_path_tok(outfp, tok, del, oflags); 4376 return; 4377 4378 case AUT_PROCESS32: 4379 print_process32_tok(outfp, tok, del, oflags); 4380 return; 4381 4382 case AUT_PROCESS32_EX: 4383 print_process32ex_tok(outfp, tok, del, oflags); 4384 return; 4385 4386 case AUT_PROCESS64: 4387 print_process64_tok(outfp, tok, del, oflags); 4388 return; 4389 4390 case AUT_PROCESS64_EX: 4391 print_process64ex_tok(outfp, tok, del, oflags); 4392 return; 4393 4394 case AUT_RETURN32: 4395 print_return32_tok(outfp, tok, del, oflags); 4396 return; 4397 4398 case AUT_RETURN64: 4399 print_return64_tok(outfp, tok, del, oflags); 4400 return; 4401 4402 case AUT_SEQ: 4403 print_seq_tok(outfp, tok, del, oflags); 4404 return; 4405 4406 case AUT_SOCKET: 4407 print_socket_tok(outfp, tok, del, oflags); 4408 return; 4409 4410 case AUT_SOCKINET32: 4411 print_sock_inet32_tok(outfp, tok, del, oflags); 4412 return; 4413 4414 case AUT_SOCKUNIX: 4415 print_sock_unix_tok(outfp, tok, del, oflags); 4416 return; 4417 4418 case AUT_SOCKINET128: 4419 print_sock_inet128_tok(outfp, tok, del, oflags); 4420 return; 4421 4422 case AUT_SUBJECT32: 4423 print_subject32_tok(outfp, tok, del, oflags); 4424 return; 4425 4426 case AUT_SUBJECT64: 4427 print_subject64_tok(outfp, tok, del, oflags); 4428 return; 4429 4430 case AUT_SUBJECT32_EX: 4431 print_subject32ex_tok(outfp, tok, del, oflags); 4432 return; 4433 4434 case AUT_SUBJECT64_EX: 4435 print_subject64ex_tok(outfp, tok, del, oflags); 4436 return; 4437 4438 case AUT_TEXT: 4439 print_text_tok(outfp, tok, del, oflags); 4440 return; 4441 4442 case AUT_SOCKET_EX: 4443 print_socketex32_tok(outfp, tok, del, oflags); 4444 return; 4445 4446 case AUT_ZONENAME: 4447 print_zonename_tok(outfp, tok, del, oflags); 4448 return; 4449 4450 case AUT_UPRIV: 4451 print_upriv_tok(outfp, tok, del, oflags); 4452 return; 4453 4454 case AUT_PRIV: 4455 print_privset_tok(outfp, tok, del, oflags); 4456 return; 4457 4458 default: 4459 print_invalid_tok(outfp, tok, del, oflags); 4460 } 4461} 4462 4463/* 4464 * 'prints' the token out to outfp. 4465 */ 4466void 4467au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4468{ 4469 int oflags = AU_OFLAG_NONE; 4470 4471 if (raw) 4472 oflags |= AU_OFLAG_RAW; 4473 if (sfrm) 4474 oflags |= AU_OFLAG_SHORT; 4475 4476 au_print_flags_tok(outfp, tok, del, oflags); 4477} 4478 4479/* 4480 * 'prints' the token out to outfp in XML format. 4481 */ 4482void 4483au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4484 char sfrm) 4485{ 4486 int oflags = AU_OFLAG_XML; 4487 4488 if (raw) 4489 oflags |= AU_OFLAG_RAW; 4490 if (sfrm) 4491 oflags |= AU_OFLAG_SHORT; 4492 4493 au_print_flags_tok(outfp, tok, del, oflags); 4494} 4495 4496/* 4497 * Read a record from the file pointer, store data in buf memory for buf is 4498 * also allocated in this function and has to be free'd outside this call. 4499 * 4500 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4501 * complete audit record. 4502 * 4503 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4504 * state, because it will be partly offset into a record. We should rewind 4505 * or do something more intelligent. Particularly interesting is the case 4506 * where we perform a partial read of a record from a non-blockable file 4507 * descriptor. We should return the partial read and continue...? 4508 */ 4509int 4510au_read_rec(FILE *fp, u_char **buf) 4511{ 4512 u_char *bptr; 4513 u_int32_t recsize; 4514 u_int32_t bytestoread; 4515 u_char type; 4516 4517 u_int32_t sec, msec; 4518 u_int16_t filenamelen; 4519 4520 type = fgetc(fp); 4521 4522 switch (type) { 4523 case AUT_HEADER32: 4524 case AUT_HEADER32_EX: 4525 case AUT_HEADER64: 4526 case AUT_HEADER64_EX: 4527 /* read the record size from the token */ 4528 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4529 sizeof(u_int32_t)) { 4530 errno = EINVAL; 4531 return (-1); 4532 } 4533 recsize = be32toh(recsize); 4534 4535 /* Check for recsize sanity */ 4536 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4537 errno = EINVAL; 4538 return (-1); 4539 } 4540 4541 *buf = calloc(recsize, sizeof(u_char)); 4542 if (*buf == NULL) 4543 return (-1); 4544 bptr = *buf; 4545 4546 /* store the token contents already read, back to the buffer*/ 4547 *bptr = type; 4548 bptr++; 4549 be32enc(bptr, recsize); 4550 bptr += sizeof(u_int32_t); 4551 4552 /* now read remaining record bytes */ 4553 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4554 4555 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4556 free(*buf); 4557 errno = EINVAL; 4558 return (-1); 4559 } 4560 break; 4561 4562 case AUT_OTHER_FILE32: 4563 /* 4564 * The file token is variable-length, as it includes a 4565 * pathname. As a result, we have to read incrementally 4566 * until we know the total length, then allocate space and 4567 * read the rest. 4568 */ 4569 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4570 errno = EINVAL; 4571 return (-1); 4572 } 4573 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4574 errno = EINVAL; 4575 return (-1); 4576 } 4577 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4578 sizeof(filenamelen)) { 4579 errno = EINVAL; 4580 return (-1); 4581 } 4582 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4583 sizeof(filenamelen) + ntohs(filenamelen); 4584 *buf = malloc(recsize); 4585 if (*buf == NULL) 4586 return (-1); 4587 bptr = *buf; 4588 4589 bcopy(&type, bptr, sizeof(type)); 4590 bptr += sizeof(type); 4591 bcopy(&sec, bptr, sizeof(sec)); 4592 bptr += sizeof(sec); 4593 bcopy(&msec, bptr, sizeof(msec)); 4594 bptr += sizeof(msec); 4595 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4596 bptr += sizeof(filenamelen); 4597 4598 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4599 ntohs(filenamelen)) { 4600 free(buf); 4601 errno = EINVAL; 4602 return (-1); 4603 } 4604 break; 4605 4606 default: 4607 errno = EINVAL; 4608 return (-1); 4609 } 4610 4611 return (recsize); 4612} 4613