1/*- 2 * Copyright (c) 2004-2009 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#75 $ 36 */ 37 38#include <sys/types.h> 39 40#include <config/config.h> 41 42#ifdef USE_ENDIAN_H 43#include <endian.h> 44#endif 45#ifdef USE_SYS_ENDIAN_H 46#include <sys/endian.h> 47#endif 48#ifdef USE_MACHINE_ENDIAN_H 49#include <machine/endian.h> 50#endif 51#ifdef USE_COMPAT_ENDIAN_H 52#include <compat/endian.h> 53#endif 54#ifdef USE_COMPAT_ENDIAN_ENC_H 55#include <compat/endian_enc.h> 56#endif 57 58#ifdef HAVE_FULL_QUEUE_H 59#include <sys/queue.h> 60#else /* !HAVE_FULL_QUEUE_H */ 61#include <compat/queue.h> 62#endif /* !HAVE_FULL_QUEUE_H */ 63 64#include <sys/stat.h> 65#include <sys/socket.h> 66 67#include <bsm/libbsm.h> 68 69#include <unistd.h> 70#include <netinet/in.h> 71#include <arpa/inet.h> 72#include <errno.h> 73#include <time.h> 74#include <stdlib.h> 75#include <stdio.h> 76#include <string.h> 77#include <pwd.h> 78#include <grp.h> 79 80#ifdef HAVE_VIS 81#include <vis.h> 82#else 83#include <compat/vis.h> 84#endif 85 86#include <bsm/audit_internal.h> 87 88#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 89 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 90 (err) = 1; \ 91 } else { \ 92 memcpy((dest), (buf) + (bytesread), (size)); \ 93 bytesread += size; \ 94 } \ 95} while (0) 96 97#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 98 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 99 (dest) = buf[(bytesread)]; \ 100 (bytesread) += sizeof(u_char); \ 101 } else \ 102 (err) = 1; \ 103} while (0) 104 105#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 106 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 107 (dest) = be16dec((buf) + (bytesread)); \ 108 (bytesread) += sizeof(u_int16_t); \ 109 } else \ 110 (err) = 1; \ 111} while (0) 112 113#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 114 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 115 (dest) = be32dec((buf) + (bytesread)); \ 116 (bytesread) += sizeof(u_int32_t); \ 117 } else \ 118 (err) = 1; \ 119} while (0) 120 121#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 122 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 123 dest = be64dec((buf) + (bytesread)); \ 124 (bytesread) += sizeof(u_int64_t); \ 125 } else \ 126 (err) = 1; \ 127} while (0) 128 129#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 130 if ((bytesread) + (size) > (u_int32_t)(len)) \ 131 (err) = 1; \ 132 else { \ 133 (ptr) = (buf) + (bytesread); \ 134 (bytesread) += (size); \ 135 } \ 136} while (0) 137 138/* 139 * XML option. 140 */ 141#define AU_PLAIN 0 142#define AU_XML 1 143 144/* 145 * Prints the delimiter string. 146 */ 147static void 148print_delim(FILE *fp, const char *del) 149{ 150 151 fprintf(fp, "%s", del); 152} 153 154/* 155 * Prints a single byte in the given format. 156 */ 157static void 158print_1_byte(FILE *fp, u_char val, const char *format) 159{ 160 161 fprintf(fp, format, val); 162} 163 164/* 165 * Print 2 bytes in the given format. 166 */ 167static void 168print_2_bytes(FILE *fp, u_int16_t val, const char *format) 169{ 170 171 fprintf(fp, format, val); 172} 173 174/* 175 * Prints 4 bytes in the given format. 176 */ 177static void 178print_4_bytes(FILE *fp, u_int32_t val, const char *format) 179{ 180 181 fprintf(fp, format, val); 182} 183 184/* 185 * Prints 8 bytes in the given format. 186 */ 187static void 188print_8_bytes(FILE *fp, u_int64_t val, const char *format) 189{ 190 191 fprintf(fp, format, val); 192} 193 194/* 195 * Prints the given size of data bytes in hex. 196 */ 197static void 198print_mem(FILE *fp, u_char *data, size_t len) 199{ 200 u_int32_t i; 201 202 if (len > 0) { 203 fprintf(fp, "0x"); 204 for (i = 0; i < len; i++) 205 fprintf(fp, "%02x", data[i]); 206 } 207} 208 209/* 210 * Prints the given data bytes as a string. 211 */ 212static void 213print_string(FILE *fp, const char *str, size_t len) 214{ 215 u_int32_t i; 216 217 if (len > 0) { 218 for (i = 0; i < len; i++) { 219 if (str[i] != '\0') 220 fprintf(fp, "%c", str[i]); 221 } 222 } 223} 224 225/* 226 * Prints the given data bytes as an XML-sanitized string. 227 */ 228static void 229print_xml_string(FILE *fp, const char *str, size_t len) 230{ 231 u_int32_t i; 232 char visbuf[5]; 233 234 if (len == 0) 235 return; 236 237 for (i = 0; i < len; i++) { 238 switch (str[i]) { 239 case '\0': 240 return; 241 242 case '&': 243 (void) fprintf(fp, "&"); 244 break; 245 246 case '<': 247 (void) fprintf(fp, "<"); 248 break; 249 250 case '>': 251 (void) fprintf(fp, ">"); 252 break; 253 254 case '\"': 255 (void) fprintf(fp, """); 256 break; 257 258 case '\'': 259 (void) fprintf(fp, "'"); 260 break; 261 262 default: 263 (void) vis(visbuf, str[i], VIS_CSTYLE, 0); 264 (void) fprintf(fp, "%s", visbuf); 265 break; 266 } 267 } 268} 269 270/* 271 * Prints the beggining of attribute. 272 */ 273static void 274open_attr(FILE *fp, const char *str) 275{ 276 277 fprintf(fp,"%s=\"", str); 278} 279 280/* 281 * Prints the end of attribute. 282 */ 283static void 284close_attr(FILE *fp) 285{ 286 287 fprintf(fp,"\" "); 288} 289 290/* 291 * Prints the end of tag. 292 */ 293static void 294close_tag(FILE *fp, u_char type) 295{ 296 297 switch(type) { 298 case AUT_HEADER32: 299 fprintf(fp, ">"); 300 break; 301 302 case AUT_HEADER32_EX: 303 fprintf(fp, ">"); 304 break; 305 306 case AUT_HEADER64: 307 fprintf(fp, ">"); 308 break; 309 310 case AUT_HEADER64_EX: 311 fprintf(fp, ">"); 312 break; 313 314 case AUT_ARG32: 315 fprintf(fp, "/>"); 316 break; 317 318 case AUT_ARG64: 319 fprintf(fp, "/>"); 320 break; 321 322 case AUT_ATTR32: 323 fprintf(fp, "/>"); 324 break; 325 326 case AUT_ATTR64: 327 fprintf(fp, "/>"); 328 break; 329 330 case AUT_EXIT: 331 fprintf(fp, "/>"); 332 break; 333 334 case AUT_EXEC_ARGS: 335 fprintf(fp, "</exec_args>"); 336 break; 337 338 case AUT_EXEC_ENV: 339 fprintf(fp, "</exec_env>"); 340 break; 341 342 case AUT_OTHER_FILE32: 343 fprintf(fp, "</file>"); 344 break; 345 346 case AUT_NEWGROUPS: 347 fprintf(fp, "</group>"); 348 break; 349 350 case AUT_IN_ADDR: 351 fprintf(fp, "</ip_address>"); 352 break; 353 354 case AUT_IN_ADDR_EX: 355 fprintf(fp, "</ip_address>"); 356 break; 357 358 case AUT_IP: 359 fprintf(fp, "/>"); 360 break; 361 362 case AUT_IPC: 363 fprintf(fp, "/>"); 364 break; 365 366 case AUT_IPC_PERM: 367 fprintf(fp, "/>"); 368 break; 369 370 case AUT_IPORT: 371 fprintf(fp, "</ip_port>"); 372 break; 373 374 case AUT_OPAQUE: 375 fprintf(fp, "</opaque>"); 376 break; 377 378 case AUT_PATH: 379 fprintf(fp, "</path>"); 380 break; 381 382 case AUT_PROCESS32: 383 fprintf(fp, "/>"); 384 break; 385 386 case AUT_PROCESS32_EX: 387 fprintf(fp, "/>"); 388 break; 389 390 case AUT_PROCESS64: 391 fprintf(fp, "/>"); 392 break; 393 394 case AUT_PROCESS64_EX: 395 fprintf(fp, "/>"); 396 break; 397 398 case AUT_RETURN32: 399 fprintf(fp, "/>"); 400 break; 401 402 case AUT_RETURN64: 403 fprintf(fp, "/>"); 404 break; 405 406 case AUT_SEQ: 407 fprintf(fp, "/>"); 408 break; 409 410 case AUT_SOCKET: 411 fprintf(fp, "/>"); 412 break; 413 414 case AUT_SOCKINET32: 415 fprintf(fp, "/>"); 416 break; 417 418 case AUT_SOCKUNIX: 419 fprintf(fp, "/>"); 420 break; 421 422 case AUT_SOCKINET128: 423 fprintf(fp, "/>"); 424 break; 425 426 case AUT_SUBJECT32: 427 fprintf(fp, "/>"); 428 break; 429 430 case AUT_SUBJECT64: 431 fprintf(fp, "/>"); 432 break; 433 434 case AUT_SUBJECT32_EX: 435 fprintf(fp, "/>"); 436 break; 437 438 case AUT_SUBJECT64_EX: 439 fprintf(fp, "/>"); 440 break; 441 442 case AUT_TEXT: 443 fprintf(fp, "</text>"); 444 break; 445 446 case AUT_SOCKET_EX: 447 fprintf(fp, "/>"); 448 break; 449 450 case AUT_DATA: 451 fprintf(fp, "</arbitrary>"); 452 break; 453 454 case AUT_ZONENAME: 455 fprintf(fp, "/>"); 456 break; 457 } 458} 459 460/* 461 * Prints the token type in either the raw or the default form. 462 */ 463static void 464print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags) 465{ 466 467 if (oflags & AU_OFLAG_XML) { 468 switch(type) { 469 case AUT_HEADER32: 470 fprintf(fp, "<record "); 471 break; 472 473 case AUT_HEADER32_EX: 474 fprintf(fp, "<record "); 475 break; 476 477 case AUT_HEADER64: 478 fprintf(fp, "<record "); 479 break; 480 481 case AUT_HEADER64_EX: 482 fprintf(fp, "<record "); 483 break; 484 485 case AUT_TRAILER: 486 fprintf(fp, "</record>"); 487 break; 488 489 case AUT_ARG32: 490 fprintf(fp, "<argument "); 491 break; 492 493 case AUT_ARG64: 494 fprintf(fp, "<argument "); 495 break; 496 497 case AUT_ATTR32: 498 fprintf(fp, "<attribute "); 499 break; 500 501 case AUT_ATTR64: 502 fprintf(fp, "<attribute "); 503 break; 504 505 case AUT_EXIT: 506 fprintf(fp, "<exit "); 507 break; 508 509 case AUT_EXEC_ARGS: 510 fprintf(fp, "<exec_args>"); 511 break; 512 513 case AUT_EXEC_ENV: 514 fprintf(fp, "<exec_env>"); 515 break; 516 517 case AUT_OTHER_FILE32: 518 fprintf(fp, "<file "); 519 break; 520 521 case AUT_NEWGROUPS: 522 fprintf(fp, "<group>"); 523 break; 524 525 case AUT_IN_ADDR: 526 fprintf(fp, "<ip_address>"); 527 break; 528 529 case AUT_IN_ADDR_EX: 530 fprintf(fp, "<ip_address>"); 531 break; 532 533 case AUT_IP: 534 fprintf(fp, "<ip "); 535 break; 536 537 case AUT_IPC: 538 fprintf(fp, "<IPC"); 539 break; 540 541 case AUT_IPC_PERM: 542 fprintf(fp, "<IPC_perm "); 543 break; 544 545 case AUT_IPORT: 546 fprintf(fp, "<ip_port>"); 547 break; 548 549 case AUT_OPAQUE: 550 fprintf(fp, "<opaque>"); 551 break; 552 553 case AUT_PATH: 554 fprintf(fp, "<path>"); 555 break; 556 557 case AUT_PROCESS32: 558 fprintf(fp, "<process "); 559 break; 560 561 case AUT_PROCESS32_EX: 562 fprintf(fp, "<process "); 563 break; 564 565 case AUT_PROCESS64: 566 fprintf(fp, "<process "); 567 break; 568 569 case AUT_PROCESS64_EX: 570 fprintf(fp, "<process "); 571 break; 572 573 case AUT_RETURN32: 574 fprintf(fp, "<return "); 575 break; 576 577 case AUT_RETURN64: 578 fprintf(fp, "<return "); 579 break; 580 581 case AUT_SEQ: 582 fprintf(fp, "<sequence "); 583 break; 584 585 case AUT_SOCKET: 586 fprintf(fp, "<socket "); 587 break; 588 589 case AUT_SOCKINET32: 590 fprintf(fp, "<socket-inet "); 591 break; 592 593 case AUT_SOCKUNIX: 594 fprintf(fp, "<socket-unix "); 595 break; 596 597 case AUT_SOCKINET128: 598 fprintf(fp, "<socket-inet6 "); 599 600 case AUT_SUBJECT32: 601 fprintf(fp, "<subject "); 602 break; 603 604 case AUT_SUBJECT64: 605 fprintf(fp, "<subject "); 606 break; 607 608 case AUT_SUBJECT32_EX: 609 fprintf(fp, "<subject "); 610 break; 611 612 case AUT_SUBJECT64_EX: 613 fprintf(fp, "<subject "); 614 break; 615 616 case AUT_TEXT: 617 fprintf(fp, "<text>"); 618 break; 619 620 case AUT_SOCKET_EX: 621 fprintf(fp, "<socket "); 622 break; 623 624 case AUT_DATA: 625 fprintf(fp, "<arbitrary "); 626 break; 627 628 case AUT_ZONENAME: 629 fprintf(fp, "<zone "); 630 break; 631 } 632 } else { 633 if (oflags & AU_OFLAG_RAW) 634 fprintf(fp, "%u", type); 635 else 636 fprintf(fp, "%s", tokname); 637 } 638} 639 640/* 641 * Prints a user value. 642 */ 643static void 644print_user(FILE *fp, u_int32_t usr, int oflags) 645{ 646 struct passwd *pwent; 647 648 if (oflags & AU_OFLAG_RAW) 649 fprintf(fp, "%d", usr); 650 else { 651 pwent = getpwuid(usr); 652 if (pwent != NULL) 653 fprintf(fp, "%s", pwent->pw_name); 654 else 655 fprintf(fp, "%d", usr); 656 } 657} 658 659/* 660 * Prints a group value. 661 */ 662static void 663print_group(FILE *fp, u_int32_t grp, int oflags) 664{ 665 struct group *grpent; 666 667 if (oflags & AU_OFLAG_RAW) 668 fprintf(fp, "%d", grp); 669 else { 670 grpent = getgrgid(grp); 671 if (grpent != NULL) 672 fprintf(fp, "%s", grpent->gr_name); 673 else 674 fprintf(fp, "%d", grp); 675 } 676} 677 678/* 679 * Prints the event from the header token in either the short, default or raw 680 * form. 681 */ 682static void 683print_event(FILE *fp, u_int16_t ev, int oflags) 684{ 685 char event_ent_name[AU_EVENT_NAME_MAX]; 686 char event_ent_desc[AU_EVENT_DESC_MAX]; 687 struct au_event_ent e, *ep; 688 689 bzero(&e, sizeof(e)); 690 bzero(event_ent_name, sizeof(event_ent_name)); 691 bzero(event_ent_desc, sizeof(event_ent_desc)); 692 e.ae_name = event_ent_name; 693 e.ae_desc = event_ent_desc; 694 695 ep = getauevnum_r(&e, ev); 696 if (ep == NULL) { 697 fprintf(fp, "%u", ev); 698 return; 699 } 700 701 if (oflags & AU_OFLAG_RAW) 702 fprintf(fp, "%u", ev); 703 else if (oflags & AU_OFLAG_SHORT) 704 fprintf(fp, "%s", e.ae_name); 705 else 706 fprintf(fp, "%s", e.ae_desc); 707} 708 709 710/* 711 * Prints the event modifier from the header token in either the default or 712 * raw form. 713 */ 714static void 715print_evmod(FILE *fp, u_int16_t evmod, int oflags) 716{ 717 if (oflags & AU_OFLAG_RAW) 718 fprintf(fp, "%u", evmod); 719 else 720 fprintf(fp, "%u", evmod); 721} 722 723/* 724 * Prints seconds in the ctime format. 725 */ 726static void 727print_sec32(FILE *fp, u_int32_t sec, int oflags) 728{ 729 time_t timestamp; 730 char timestr[26]; 731 732 if (oflags & AU_OFLAG_RAW) 733 fprintf(fp, "%u", sec); 734 else { 735 timestamp = (time_t)sec; 736 ctime_r(×tamp, timestr); 737 timestr[24] = '\0'; /* No new line */ 738 fprintf(fp, "%s", timestr); 739 } 740} 741 742/* 743 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 744 * assume a 32-bit time_t, we simply truncate for now. 745 */ 746static void 747print_sec64(FILE *fp, u_int64_t sec, int oflags) 748{ 749 time_t timestamp; 750 char timestr[26]; 751 752 if (oflags & AU_OFLAG_RAW) 753 fprintf(fp, "%u", (u_int32_t)sec); 754 else { 755 timestamp = (time_t)sec; 756 ctime_r(×tamp, timestr); 757 timestr[24] = '\0'; /* No new line */ 758 fprintf(fp, "%s", timestr); 759 } 760} 761 762/* 763 * Prints the excess milliseconds. 764 */ 765static void 766print_msec32(FILE *fp, u_int32_t msec, int oflags) 767{ 768 if (oflags & AU_OFLAG_RAW) 769 fprintf(fp, "%u", msec); 770 else 771 fprintf(fp, " + %u msec", msec); 772} 773 774/* 775 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 776 * a 32-bit msec, we simply truncate for now. 777 */ 778static void 779print_msec64(FILE *fp, u_int64_t msec, int oflags) 780{ 781 782 msec &= 0xffffffff; 783 if (oflags & AU_OFLAG_RAW) 784 fprintf(fp, "%u", (u_int32_t)msec); 785 else 786 fprintf(fp, " + %u msec", (u_int32_t)msec); 787} 788 789/* 790 * Prints a dotted form for the IP address. 791 */ 792static void 793print_ip_address(FILE *fp, u_int32_t ip) 794{ 795 struct in_addr ipaddr; 796 797 ipaddr.s_addr = ip; 798 fprintf(fp, "%s", inet_ntoa(ipaddr)); 799} 800 801/* 802 * Prints a string value for the given ip address. 803 */ 804static void 805print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 806{ 807 struct in_addr ipv4; 808 struct in6_addr ipv6; 809 char dst[INET6_ADDRSTRLEN]; 810 811 switch (type) { 812 case AU_IPv4: 813 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 814 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 815 INET6_ADDRSTRLEN)); 816 break; 817 818 case AU_IPv6: 819 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 820 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 821 INET6_ADDRSTRLEN)); 822 break; 823 824 default: 825 fprintf(fp, "invalid"); 826 } 827} 828 829/* 830 * Prints return value as success or failure. 831 */ 832static void 833print_retval(FILE *fp, u_char status, int oflags) 834{ 835 int error; 836 837 if (oflags & AU_OFLAG_RAW) 838 fprintf(fp, "%u", status); 839 else { 840 /* 841 * Convert to a local error number and print the OS's version 842 * of the error string if possible. We may want to provide 843 * an au_strerror(3) in the future so that we can print 844 * strings for non-local errors. 845 */ 846 if (au_bsm_to_errno(status, &error) == 0) { 847 if (error == 0) 848 fprintf(fp, "success"); 849 else 850 fprintf(fp, "failure : %s", strerror(error)); 851 } else 852 fprintf(fp, "failure: Unknown error: %d", status); 853 } 854} 855 856/* 857 * Prints the exit value. 858 */ 859static void 860print_errval(FILE *fp, u_int32_t val) 861{ 862 863 fprintf(fp, "Error %u", val); 864} 865 866/* 867 * Prints IPC type. 868 */ 869static void 870print_ipctype(FILE *fp, u_char type, int oflags) 871{ 872 if (oflags & AU_OFLAG_RAW) 873 fprintf(fp, "%u", type); 874 else { 875 if (type == AT_IPC_MSG) 876 fprintf(fp, "Message IPC"); 877 else if (type == AT_IPC_SEM) 878 fprintf(fp, "Semaphore IPC"); 879 else if (type == AT_IPC_SHM) 880 fprintf(fp, "Shared Memory IPC"); 881 else 882 fprintf(fp, "%u", type); 883 } 884} 885 886/* 887 * Print XML header. 888 */ 889void 890au_print_xml_header(FILE *outfp) 891{ 892 893 fprintf(outfp, "<?xml version='1.0' ?>\n"); 894 fprintf(outfp, "<audit>\n"); 895} 896 897/* 898 * Print XML footer. 899 */ 900void 901au_print_xml_footer(FILE *outfp) 902{ 903 904 fprintf(outfp, "</audit>\n"); 905} 906 907/* 908 * record byte count 4 bytes 909 * version # 1 byte [2] 910 * event type 2 bytes 911 * event modifier 2 bytes 912 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 913 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 914 */ 915static int 916fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 917{ 918 int err = 0; 919 920 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 921 if (err) 922 return (-1); 923 924 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 925 if (err) 926 return (-1); 927 928 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 929 if (err) 930 return (-1); 931 932 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 933 if (err) 934 return (-1); 935 936 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 937 if (err) 938 return (-1); 939 940 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 941 if (err) 942 return (-1); 943 944 return (0); 945} 946 947static void 948print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 949{ 950 951 print_tok_type(fp, tok->id, "header", oflags); 952 if (oflags & AU_OFLAG_XML) { 953 open_attr(fp, "version"); 954 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 955 close_attr(fp); 956 open_attr(fp, "event"); 957 print_event(fp, tok->tt.hdr32.e_type, oflags); 958 close_attr(fp); 959 open_attr(fp, "modifier"); 960 print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 961 close_attr(fp); 962 open_attr(fp, "time"); 963 print_sec32(fp, tok->tt.hdr32.s, oflags); 964 close_attr(fp); 965 open_attr(fp, "msec"); 966 print_msec32(fp, tok->tt.hdr32.ms, oflags); 967 close_attr(fp); 968 close_tag(fp, tok->id); 969 } else { 970 print_delim(fp, del); 971 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 972 print_delim(fp, del); 973 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 974 print_delim(fp, del); 975 print_event(fp, tok->tt.hdr32.e_type, oflags); 976 print_delim(fp, del); 977 print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 978 print_delim(fp, del); 979 print_sec32(fp, tok->tt.hdr32.s, oflags); 980 print_delim(fp, del); 981 print_msec32(fp, tok->tt.hdr32.ms, oflags); 982 } 983} 984 985/* 986 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 987 * depending on the bit of the specifications found. The OpenSolaris source 988 * code uses a 4-byte address length, followed by some number of bytes of 989 * address data. This contrasts with the Solaris audit.log.5 man page, which 990 * specifies a 1-byte length field. We use the Solaris 10 definition so that 991 * we can parse audit trails from that system. 992 * 993 * record byte count 4 bytes 994 * version # 1 byte [2] 995 * event type 2 bytes 996 * event modifier 2 bytes 997 * address type/length 4 bytes 998 * [ Solaris man page: address type/length 1 byte] 999 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1000 * seconds of time 4 bytes/8 bytes (32/64-bits) 1001 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1002 */ 1003static int 1004fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1005{ 1006 int err = 0; 1007 1008 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 1009 if (err) 1010 return (-1); 1011 1012 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 1013 if (err) 1014 return (-1); 1015 1016 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 1017 if (err) 1018 return (-1); 1019 1020 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 1021 if (err) 1022 return (-1); 1023 1024 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 1025 if (err) 1026 return (-1); 1027 1028 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 1029 switch (tok->tt.hdr32_ex.ad_type) { 1030 case AU_IPv4: 1031 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 1032 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 1033 if (err) 1034 return (-1); 1035 break; 1036 1037 case AU_IPv6: 1038 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 1039 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 1040 break; 1041 } 1042 1043 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 1044 if (err) 1045 return (-1); 1046 1047 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 1048 if (err) 1049 return (-1); 1050 1051 return (0); 1052} 1053 1054static void 1055print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1056{ 1057 1058 print_tok_type(fp, tok->id, "header_ex", oflags); 1059 if (oflags & AU_OFLAG_RAW) { 1060 open_attr(fp, "version"); 1061 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1062 close_attr(fp); 1063 open_attr(fp, "event"); 1064 print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1065 close_attr(fp); 1066 open_attr(fp, "modifier"); 1067 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1068 close_attr(fp); 1069 open_attr(fp, "host"); 1070 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1071 tok->tt.hdr32_ex.addr); 1072 close_attr(fp); 1073 open_attr(fp, "time"); 1074 print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1075 close_attr(fp); 1076 open_attr(fp, "msec"); 1077 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1078 close_attr(fp); 1079 close_tag(fp, tok->id); 1080 } else { 1081 print_delim(fp, del); 1082 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1083 print_delim(fp, del); 1084 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1085 print_delim(fp, del); 1086 print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1087 print_delim(fp, del); 1088 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1089 print_delim(fp, del); 1090 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1091 tok->tt.hdr32_ex.addr); 1092 print_delim(fp, del); 1093 print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1094 print_delim(fp, del); 1095 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1096 } 1097} 1098 1099/* 1100 * record byte count 4 bytes 1101 * event type 2 bytes 1102 * event modifier 2 bytes 1103 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1104 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1105 * version # 1106 */ 1107static int 1108fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1109{ 1110 int err = 0; 1111 1112 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1113 if (err) 1114 return (-1); 1115 1116 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1117 if (err) 1118 return (-1); 1119 1120 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1121 if (err) 1122 return (-1); 1123 1124 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1125 if (err) 1126 return (-1); 1127 1128 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1129 if (err) 1130 return (-1); 1131 1132 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1133 if (err) 1134 return (-1); 1135 1136 return (0); 1137} 1138 1139static void 1140print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1141{ 1142 1143 print_tok_type(fp, tok->id, "header", oflags); 1144 if (oflags & AU_OFLAG_XML) { 1145 open_attr(fp, "version"); 1146 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1147 close_attr(fp); 1148 open_attr(fp, "event"); 1149 print_event(fp, tok->tt.hdr64.e_type, oflags); 1150 close_attr(fp); 1151 open_attr(fp, "modifier"); 1152 print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1153 close_attr(fp); 1154 open_attr(fp, "time"); 1155 print_sec64(fp, tok->tt.hdr64.s, oflags); 1156 close_attr(fp); 1157 open_attr(fp, "msec"); 1158 print_msec64(fp, tok->tt.hdr64.ms, oflags); 1159 close_attr(fp); 1160 close_tag(fp, tok->id); 1161 } else { 1162 print_delim(fp, del); 1163 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1164 print_delim(fp, del); 1165 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1166 print_delim(fp, del); 1167 print_event(fp, tok->tt.hdr64.e_type, oflags); 1168 print_delim(fp, del); 1169 print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1170 print_delim(fp, del); 1171 print_sec64(fp, tok->tt.hdr64.s, oflags); 1172 print_delim(fp, del); 1173 print_msec64(fp, tok->tt.hdr64.ms, oflags); 1174 } 1175} 1176 1177/* 1178 * record byte count 4 bytes 1179 * version # 1 byte [2] 1180 * event type 2 bytes 1181 * event modifier 2 bytes 1182 * address type/length 4 bytes 1183 * [ Solaris man page: address type/length 1 byte] 1184 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1185 * seconds of time 4 bytes/8 bytes (32/64-bits) 1186 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1187 * 1188 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1189 * accuracy of the BSM spec. 1190 */ 1191static int 1192fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1193{ 1194 int err = 0; 1195 1196 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1197 if (err) 1198 return (-1); 1199 1200 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1201 if (err) 1202 return (-1); 1203 1204 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1205 if (err) 1206 return (-1); 1207 1208 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1209 if (err) 1210 return (-1); 1211 1212 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1213 if (err) 1214 return (-1); 1215 1216 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1217 switch (tok->tt.hdr64_ex.ad_type) { 1218 case AU_IPv4: 1219 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1220 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1221 if (err) 1222 return (-1); 1223 break; 1224 1225 case AU_IPv6: 1226 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1227 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1228 break; 1229 } 1230 1231 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1232 if (err) 1233 return (-1); 1234 1235 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1236 if (err) 1237 return (-1); 1238 1239 return (0); 1240} 1241 1242static void 1243print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1244{ 1245 1246 print_tok_type(fp, tok->id, "header_ex", oflags); 1247 if (oflags & AU_OFLAG_XML) { 1248 open_attr(fp, "version"); 1249 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1250 close_attr(fp); 1251 open_attr(fp, "event"); 1252 print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1253 close_attr(fp); 1254 open_attr(fp, "modifier"); 1255 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1256 close_attr(fp); 1257 open_attr(fp, "host"); 1258 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1259 tok->tt.hdr64_ex.addr); 1260 close_attr(fp); 1261 open_attr(fp, "time"); 1262 print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1263 close_attr(fp); 1264 open_attr(fp, "msec"); 1265 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1266 close_attr(fp); 1267 close_tag(fp, tok->id); 1268 } else { 1269 print_delim(fp, del); 1270 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1271 print_delim(fp, del); 1272 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1273 print_delim(fp, del); 1274 print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1275 print_delim(fp, del); 1276 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1277 print_delim(fp, del); 1278 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1279 tok->tt.hdr64_ex.addr); 1280 print_delim(fp, del); 1281 print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1282 print_delim(fp, del); 1283 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1284 } 1285} 1286 1287/* 1288 * trailer magic 2 bytes 1289 * record size 4 bytes 1290 */ 1291static int 1292fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1293{ 1294 int err = 0; 1295 1296 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1297 if (err) 1298 return (-1); 1299 1300 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1301 if (err) 1302 return (-1); 1303 1304 return (0); 1305} 1306 1307static void 1308print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1309{ 1310 1311 print_tok_type(fp, tok->id, "trailer", oflags); 1312 if (!(oflags & AU_OFLAG_XML)) { 1313 print_delim(fp, del); 1314 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1315 } 1316} 1317 1318/* 1319 * argument # 1 byte 1320 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1321 * text length 2 bytes 1322 * text N bytes + 1 terminating NULL byte 1323 */ 1324static int 1325fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1326{ 1327 int err = 0; 1328 1329 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1330 if (err) 1331 return (-1); 1332 1333 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1334 if (err) 1335 return (-1); 1336 1337 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1338 if (err) 1339 return (-1); 1340 1341 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1342 tok->len, err); 1343 if (err) 1344 return (-1); 1345 1346 return (0); 1347} 1348 1349static void 1350print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1351{ 1352 1353 print_tok_type(fp, tok->id, "argument", oflags); 1354 if (oflags & AU_OFLAG_XML) { 1355 open_attr(fp, "arg-num"); 1356 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1357 close_attr(fp); 1358 open_attr(fp, "value"); 1359 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1360 close_attr(fp); 1361 open_attr(fp, "desc"); 1362 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1363 close_attr(fp); 1364 close_tag(fp, tok->id); 1365 } else { 1366 print_delim(fp, del); 1367 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1368 print_delim(fp, del); 1369 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1370 print_delim(fp, del); 1371 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1372 } 1373} 1374 1375static int 1376fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1377{ 1378 int err = 0; 1379 1380 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1381 if (err) 1382 return (-1); 1383 1384 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1385 if (err) 1386 return (-1); 1387 1388 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1389 if (err) 1390 return (-1); 1391 1392 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1393 tok->len, err); 1394 if (err) 1395 return (-1); 1396 1397 return (0); 1398} 1399 1400static void 1401print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1402{ 1403 1404 print_tok_type(fp, tok->id, "argument", oflags); 1405 if (oflags & AU_OFLAG_XML) { 1406 open_attr(fp, "arg-num"); 1407 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1408 close_attr(fp); 1409 open_attr(fp, "value"); 1410 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1411 close_attr(fp); 1412 open_attr(fp, "desc"); 1413 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1414 close_attr(fp); 1415 close_tag(fp, tok->id); 1416 } else { 1417 print_delim(fp, del); 1418 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1419 print_delim(fp, del); 1420 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1421 print_delim(fp, del); 1422 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1423 } 1424} 1425 1426/* 1427 * how to print 1 byte 1428 * basic unit 1 byte 1429 * unit count 1 byte 1430 * data items (depends on basic unit) 1431 */ 1432static int 1433fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1434{ 1435 int err = 0; 1436 int datasize; 1437 1438 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1439 if (err) 1440 return (-1); 1441 1442 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1443 if (err) 1444 return (-1); 1445 1446 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1447 if (err) 1448 return (-1); 1449 1450 /* 1451 * Determine the size of the basic unit. 1452 */ 1453 switch(tok->tt.arb.bu) { 1454 case AUR_BYTE: 1455 /* case AUR_CHAR: */ 1456 datasize = AUR_BYTE_SIZE; 1457 break; 1458 1459 case AUR_SHORT: 1460 datasize = AUR_SHORT_SIZE; 1461 break; 1462 1463 case AUR_INT32: 1464 /* case AUR_INT: */ 1465 datasize = AUR_INT32_SIZE; 1466 break; 1467 1468 case AUR_INT64: 1469 datasize = AUR_INT64_SIZE; 1470 break; 1471 1472 default: 1473 return (-1); 1474 } 1475 1476 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1477 tok->len, err); 1478 if (err) 1479 return (-1); 1480 1481 return (0); 1482} 1483 1484static void 1485print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1486{ 1487 char *str; 1488 char *format; 1489 size_t size; 1490 int i; 1491 1492 print_tok_type(fp, tok->id, "arbitrary", oflags); 1493 if (!(oflags & AU_OFLAG_XML)) 1494 print_delim(fp, del); 1495 1496 switch(tok->tt.arb.howtopr) { 1497 case AUP_BINARY: 1498 str = "binary"; 1499 format = " %c"; 1500 break; 1501 1502 case AUP_OCTAL: 1503 str = "octal"; 1504 format = " %o"; 1505 break; 1506 1507 case AUP_DECIMAL: 1508 str = "decimal"; 1509 format = " %d"; 1510 break; 1511 1512 case AUP_HEX: 1513 str = "hex"; 1514 format = " %x"; 1515 break; 1516 1517 case AUP_STRING: 1518 str = "string"; 1519 format = "%c"; 1520 break; 1521 1522 default: 1523 return; 1524 } 1525 1526 if (oflags & AU_OFLAG_XML) { 1527 open_attr(fp, "print"); 1528 fprintf(fp, "%s",str); 1529 close_attr(fp); 1530 } else { 1531 print_string(fp, str, strlen(str)); 1532 print_delim(fp, del); 1533 } 1534 switch(tok->tt.arb.bu) { 1535 case AUR_BYTE: 1536 /* case AUR_CHAR: */ 1537 str = "byte"; 1538 size = AUR_BYTE_SIZE; 1539 if (oflags & AU_OFLAG_XML) { 1540 open_attr(fp, "type"); 1541 fprintf(fp, "%zu", size); 1542 close_attr(fp); 1543 open_attr(fp, "count"); 1544 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1545 close_attr(fp); 1546 fprintf(fp, ">"); 1547 for (i = 0; i<tok->tt.arb.uc; i++) 1548 fprintf(fp, format, *(tok->tt.arb.data + 1549 (size * i))); 1550 close_tag(fp, tok->id); 1551 } else { 1552 print_string(fp, str, strlen(str)); 1553 print_delim(fp, del); 1554 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1555 print_delim(fp, del); 1556 for (i = 0; i<tok->tt.arb.uc; i++) 1557 fprintf(fp, format, *(tok->tt.arb.data + 1558 (size * i))); 1559 } 1560 break; 1561 1562 case AUR_SHORT: 1563 str = "short"; 1564 size = AUR_SHORT_SIZE; 1565 if (oflags & AU_OFLAG_XML) { 1566 open_attr(fp, "type"); 1567 fprintf(fp, "%zu", size); 1568 close_attr(fp); 1569 open_attr(fp, "count"); 1570 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1571 close_attr(fp); 1572 fprintf(fp, ">"); 1573 for (i = 0; i < tok->tt.arb.uc; i++) 1574 fprintf(fp, format, 1575 *((u_int16_t *)(tok->tt.arb.data + 1576 (size * i)))); 1577 close_tag(fp, tok->id); 1578 } else { 1579 print_string(fp, str, strlen(str)); 1580 print_delim(fp, del); 1581 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1582 print_delim(fp, del); 1583 for (i = 0; i < tok->tt.arb.uc; i++) 1584 fprintf(fp, format, 1585 *((u_int16_t *)(tok->tt.arb.data + 1586 (size * i)))); 1587 } 1588 break; 1589 1590 case AUR_INT32: 1591 /* case AUR_INT: */ 1592 str = "int"; 1593 size = AUR_INT32_SIZE; 1594 if (oflags & AU_OFLAG_XML) { 1595 open_attr(fp, "type"); 1596 fprintf(fp, "%zu", size); 1597 close_attr(fp); 1598 open_attr(fp, "count"); 1599 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1600 close_attr(fp); 1601 fprintf(fp, ">"); 1602 for (i = 0; i < tok->tt.arb.uc; i++) 1603 fprintf(fp, format, 1604 *((u_int32_t *)(tok->tt.arb.data + 1605 (size * i)))); 1606 close_tag(fp, tok->id); 1607 } else { 1608 print_string(fp, str, strlen(str)); 1609 print_delim(fp, del); 1610 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1611 print_delim(fp, del); 1612 for (i = 0; i < tok->tt.arb.uc; i++) 1613 fprintf(fp, format, 1614 *((u_int32_t *)(tok->tt.arb.data + 1615 (size * i)))); 1616 } 1617 break; 1618 1619 case AUR_INT64: 1620 str = "int64"; 1621 size = AUR_INT64_SIZE; 1622 if (oflags & AU_OFLAG_XML) { 1623 open_attr(fp, "type"); 1624 fprintf(fp, "%zu", size); 1625 close_attr(fp); 1626 open_attr(fp, "count"); 1627 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1628 close_attr(fp); 1629 fprintf(fp, ">"); 1630 for (i = 0; i < tok->tt.arb.uc; i++) 1631 fprintf(fp, format, 1632 *((u_int64_t *)(tok->tt.arb.data + 1633 (size * i)))); 1634 close_tag(fp, tok->id); 1635 } else { 1636 print_string(fp, str, strlen(str)); 1637 print_delim(fp, del); 1638 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1639 print_delim(fp, del); 1640 for (i = 0; i < tok->tt.arb.uc; i++) 1641 fprintf(fp, format, 1642 *((u_int64_t *)(tok->tt.arb.data + 1643 (size * i)))); 1644 } 1645 break; 1646 1647 default: 1648 return; 1649 } 1650} 1651 1652/* 1653 * file access mode 4 bytes 1654 * owner user ID 4 bytes 1655 * owner group ID 4 bytes 1656 * file system ID 4 bytes 1657 * node ID 8 bytes 1658 * device 4 bytes/8 bytes (32-bit/64-bit) 1659 */ 1660static int 1661fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1662{ 1663 int err = 0; 1664 1665 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1666 if (err) 1667 return (-1); 1668 1669 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1670 if (err) 1671 return (-1); 1672 1673 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1674 if (err) 1675 return (-1); 1676 1677 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1678 if (err) 1679 return (-1); 1680 1681 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1682 if (err) 1683 return (-1); 1684 1685 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1686 if (err) 1687 return (-1); 1688 1689 return (0); 1690} 1691 1692static void 1693print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1694{ 1695 1696 print_tok_type(fp, tok->id, "attribute", oflags); 1697 if (oflags & AU_OFLAG_XML) { 1698 open_attr(fp, "mode"); 1699 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1700 close_attr(fp); 1701 open_attr(fp, "uid"); 1702 print_user(fp, tok->tt.attr32.uid, oflags); 1703 close_attr(fp); 1704 open_attr(fp, "gid"); 1705 print_group(fp, tok->tt.attr32.gid, oflags); 1706 close_attr(fp); 1707 open_attr(fp, "fsid"); 1708 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1709 close_attr(fp); 1710 open_attr(fp, "nodeid"); 1711 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1712 close_attr(fp); 1713 open_attr(fp, "device"); 1714 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1715 close_attr(fp); 1716 close_tag(fp, tok->id); 1717 } else { 1718 print_delim(fp, del); 1719 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1720 print_delim(fp, del); 1721 print_user(fp, tok->tt.attr32.uid, oflags); 1722 print_delim(fp, del); 1723 print_group(fp, tok->tt.attr32.gid, oflags); 1724 print_delim(fp, del); 1725 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1726 print_delim(fp, del); 1727 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1728 print_delim(fp, del); 1729 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1730 } 1731} 1732 1733/* 1734 * file access mode 4 bytes 1735 * owner user ID 4 bytes 1736 * owner group ID 4 bytes 1737 * file system ID 4 bytes 1738 * node ID 8 bytes 1739 * device 4 bytes/8 bytes (32-bit/64-bit) 1740 */ 1741static int 1742fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1743{ 1744 int err = 0; 1745 1746 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1747 if (err) 1748 return (-1); 1749 1750 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1751 if (err) 1752 return (-1); 1753 1754 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1755 if (err) 1756 return (-1); 1757 1758 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1759 if (err) 1760 return (-1); 1761 1762 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1763 if (err) 1764 return (-1); 1765 1766 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1767 if (err) 1768 return (-1); 1769 1770 return (0); 1771} 1772 1773static void 1774print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1775{ 1776 1777 print_tok_type(fp, tok->id, "attribute", oflags); 1778 if (oflags & AU_OFLAG_XML) { 1779 open_attr(fp, "mode"); 1780 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1781 close_attr(fp); 1782 open_attr(fp, "uid"); 1783 print_user(fp, tok->tt.attr64.uid, oflags); 1784 close_attr(fp); 1785 open_attr(fp, "gid"); 1786 print_group(fp, tok->tt.attr64.gid, oflags); 1787 close_attr(fp); 1788 open_attr(fp, "fsid"); 1789 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1790 close_attr(fp); 1791 open_attr(fp, "nodeid"); 1792 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1793 close_attr(fp); 1794 open_attr(fp, "device"); 1795 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1796 close_attr(fp); 1797 close_tag(fp, tok->id); 1798 } else { 1799 print_delim(fp, del); 1800 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1801 print_delim(fp, del); 1802 print_user(fp, tok->tt.attr64.uid, oflags); 1803 print_delim(fp, del); 1804 print_group(fp, tok->tt.attr64.gid, oflags); 1805 print_delim(fp, del); 1806 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1807 print_delim(fp, del); 1808 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1809 print_delim(fp, del); 1810 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1811 } 1812} 1813 1814/* 1815 * status 4 bytes 1816 * return value 4 bytes 1817 */ 1818static int 1819fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1820{ 1821 int err = 0; 1822 1823 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1824 if (err) 1825 return (-1); 1826 1827 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1828 if (err) 1829 return (-1); 1830 1831 return (0); 1832} 1833 1834static void 1835print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1836{ 1837 1838 print_tok_type(fp, tok->id, "exit", oflags); 1839 if (oflags & AU_OFLAG_XML) { 1840 open_attr(fp, "errval"); 1841 print_errval(fp, tok->tt.exit.status); 1842 close_attr(fp); 1843 open_attr(fp, "retval"); 1844 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1845 close_attr(fp); 1846 close_tag(fp, tok->id); 1847 } else { 1848 print_delim(fp, del); 1849 print_errval(fp, tok->tt.exit.status); 1850 print_delim(fp, del); 1851 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1852 } 1853} 1854 1855/* 1856 * count 4 bytes 1857 * text count null-terminated string(s) 1858 */ 1859static int 1860fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1861{ 1862 int err = 0; 1863 u_int32_t i; 1864 u_char *bptr; 1865 1866 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1867 if (err) 1868 return (-1); 1869 1870 for (i = 0; i < tok->tt.execarg.count; i++) { 1871 bptr = buf + tok->len; 1872 if (i < AUDIT_MAX_ARGS) 1873 tok->tt.execarg.text[i] = (char*)bptr; 1874 1875 /* Look for a null terminated string. */ 1876 while (bptr && (*bptr != '\0')) { 1877 if (++tok->len >= (u_int32_t)len) 1878 return (-1); 1879 bptr = buf + tok->len; 1880 } 1881 if (!bptr) 1882 return (-1); 1883 tok->len++; /* \0 character */ 1884 } 1885 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1886 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1887 1888 return (0); 1889} 1890 1891static void 1892print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1893{ 1894 u_int32_t i; 1895 1896 print_tok_type(fp, tok->id, "exec arg", oflags); 1897 for (i = 0; i < tok->tt.execarg.count; i++) { 1898 if (oflags & AU_OFLAG_XML) { 1899 fprintf(fp, "<arg>"); 1900 print_xml_string(fp, tok->tt.execarg.text[i], 1901 strlen(tok->tt.execarg.text[i])); 1902 fprintf(fp, "</arg>"); 1903 } else { 1904 print_delim(fp, del); 1905 print_string(fp, tok->tt.execarg.text[i], 1906 strlen(tok->tt.execarg.text[i])); 1907 } 1908 } 1909 if (oflags & AU_OFLAG_XML) 1910 close_tag(fp, tok->id); 1911} 1912 1913/* 1914 * count 4 bytes 1915 * text count null-terminated string(s) 1916 */ 1917static int 1918fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1919{ 1920 int err = 0; 1921 u_int32_t i; 1922 u_char *bptr; 1923 1924 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1925 if (err) 1926 return (-1); 1927 1928 for (i = 0; i < tok->tt.execenv.count; i++) { 1929 bptr = buf + tok->len; 1930 if (i < AUDIT_MAX_ENV) 1931 tok->tt.execenv.text[i] = (char*)bptr; 1932 1933 /* Look for a null terminated string. */ 1934 while (bptr && (*bptr != '\0')) { 1935 if (++tok->len >= (u_int32_t)len) 1936 return (-1); 1937 bptr = buf + tok->len; 1938 } 1939 if (!bptr) 1940 return (-1); 1941 tok->len++; /* \0 character */ 1942 } 1943 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1944 tok->tt.execenv.count = AUDIT_MAX_ENV; 1945 1946 return (0); 1947} 1948 1949static void 1950print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1951{ 1952 u_int32_t i; 1953 1954 print_tok_type(fp, tok->id, "exec env", oflags); 1955 for (i = 0; i< tok->tt.execenv.count; i++) { 1956 if (oflags & AU_OFLAG_XML) { 1957 fprintf(fp, "<env>"); 1958 print_xml_string(fp, tok->tt.execenv.text[i], 1959 strlen(tok->tt.execenv.text[i])); 1960 fprintf(fp, "</env>"); 1961 } else { 1962 print_delim(fp, del); 1963 print_string(fp, tok->tt.execenv.text[i], 1964 strlen(tok->tt.execenv.text[i])); 1965 } 1966 } 1967 if (oflags & AU_OFLAG_XML) 1968 close_tag(fp, tok->id); 1969} 1970 1971/* 1972 * seconds of time 4 bytes 1973 * milliseconds of time 4 bytes 1974 * file name len 2 bytes 1975 * file pathname N bytes + 1 terminating NULL byte 1976 */ 1977static int 1978fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1979{ 1980 int err = 0; 1981 1982 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1983 if (err) 1984 return (-1); 1985 1986 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1987 if (err) 1988 return (-1); 1989 1990 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1991 if (err) 1992 return (-1); 1993 1994 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1995 err); 1996 if (err) 1997 return (-1); 1998 1999 return (0); 2000} 2001 2002static void 2003print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2004{ 2005 2006 print_tok_type(fp, tok->id, "file", oflags); 2007 if (oflags & AU_OFLAG_XML) { 2008 open_attr(fp, "time"); 2009 print_sec32(fp, tok->tt.file.s, oflags); 2010 close_attr(fp); 2011 open_attr(fp, "msec"); 2012 print_msec32(fp, tok->tt.file.ms, oflags); 2013 close_attr(fp); 2014 fprintf(fp, ">"); 2015 print_string(fp, tok->tt.file.name, tok->tt.file.len); 2016 close_tag(fp, tok->id); 2017 } else { 2018 print_delim(fp, del); 2019 print_sec32(fp, tok->tt.file.s, oflags); 2020 print_delim(fp, del); 2021 print_msec32(fp, tok->tt.file.ms, oflags); 2022 print_delim(fp, del); 2023 print_string(fp, tok->tt.file.name, tok->tt.file.len); 2024 } 2025} 2026 2027/* 2028 * number groups 2 bytes 2029 * group list count * 4 bytes 2030 */ 2031static int 2032fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 2033{ 2034 int i; 2035 int err = 0; 2036 2037 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 2038 if (err) 2039 return (-1); 2040 2041 for (i = 0; i<tok->tt.grps.no; i++) { 2042 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2043 err); 2044 if (err) 2045 return (-1); 2046 } 2047 2048 return (0); 2049} 2050 2051static void 2052print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2053{ 2054 int i; 2055 2056 print_tok_type(fp, tok->id, "group", oflags); 2057 for (i = 0; i < tok->tt.grps.no; i++) { 2058 if (oflags & AU_OFLAG_XML) { 2059 fprintf(fp, "<gid>"); 2060 print_group(fp, tok->tt.grps.list[i], oflags); 2061 fprintf(fp, "</gid>"); 2062 close_tag(fp, tok->id); 2063 } else { 2064 print_delim(fp, del); 2065 print_group(fp, tok->tt.grps.list[i], oflags); 2066 } 2067 } 2068} 2069 2070/* 2071 * Internet addr 4 bytes 2072 */ 2073static int 2074fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2075{ 2076 int err = 0; 2077 2078 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2079 tok->len, err); 2080 if (err) 2081 return (-1); 2082 2083 return (0); 2084 2085} 2086 2087static void 2088print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2089{ 2090 2091 print_tok_type(fp, tok->id, "ip addr", oflags); 2092 if (oflags & AU_OFLAG_XML) { 2093 print_ip_address(fp, tok->tt.inaddr.addr); 2094 close_tag(fp, tok->id); 2095 } else { 2096 print_delim(fp, del); 2097 print_ip_address(fp, tok->tt.inaddr.addr); 2098 } 2099} 2100 2101/* 2102 * type 4 bytes 2103 * address 16 bytes 2104 */ 2105static int 2106fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2107{ 2108 int err = 0; 2109 2110 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2111 if (err) 2112 return (-1); 2113 2114 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2115 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2116 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2117 if (err) 2118 return (-1); 2119 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2120 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2121 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2122 if (err) 2123 return (-1); 2124 } else 2125 return (-1); 2126 2127 return (0); 2128} 2129 2130static void 2131print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2132{ 2133 2134 print_tok_type(fp, tok->id, "ip addr ex", oflags); 2135 if (oflags & AU_OFLAG_XML) { 2136 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2137 tok->tt.inaddr_ex.addr); 2138 close_tag(fp, tok->id); 2139 } else { 2140 print_delim(fp, del); 2141 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2142 tok->tt.inaddr_ex.addr); 2143 } 2144} 2145 2146/* 2147 * ip header 20 bytes 2148 */ 2149static int 2150fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2151{ 2152 int err = 0; 2153 2154 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2155 if (err) 2156 return (-1); 2157 2158 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2159 if (err) 2160 return (-1); 2161 2162 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2163 tok->len, err); 2164 if (err) 2165 return (-1); 2166 2167 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2168 tok->len, err); 2169 if (err) 2170 return (-1); 2171 2172 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2173 tok->len, err); 2174 if (err) 2175 return (-1); 2176 2177 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2178 if (err) 2179 return (-1); 2180 2181 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2182 if (err) 2183 return (-1); 2184 2185 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2186 tok->len, err); 2187 if (err) 2188 return (-1); 2189 2190 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2191 tok->len, err); 2192 if (err) 2193 return (-1); 2194 2195 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2196 tok->len, err); 2197 if (err) 2198 return (-1); 2199 2200 return (0); 2201} 2202 2203static void 2204print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2205{ 2206 2207 print_tok_type(fp, tok->id, "ip", oflags); 2208 if (oflags & AU_OFLAG_XML) { 2209 open_attr(fp, "version"); 2210 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2211 sizeof(u_char)); 2212 close_attr(fp); 2213 open_attr(fp, "service_type"); 2214 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2215 close_attr(fp); 2216 open_attr(fp, "len"); 2217 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2218 close_attr(fp); 2219 open_attr(fp, "id"); 2220 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2221 close_attr(fp); 2222 open_attr(fp, "offset"); 2223 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2224 close_attr(fp); 2225 open_attr(fp, "time_to_live"); 2226 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2227 close_attr(fp); 2228 open_attr(fp, "protocol"); 2229 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2230 close_attr(fp); 2231 open_attr(fp, "cksum"); 2232 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2233 close_attr(fp); 2234 open_attr(fp, "src_addr"); 2235 print_ip_address(fp, tok->tt.ip.src); 2236 close_attr(fp); 2237 open_attr(fp, "dest_addr"); 2238 print_ip_address(fp, tok->tt.ip.dest); 2239 close_attr(fp); 2240 close_tag(fp, tok->id); 2241 } else { 2242 print_delim(fp, del); 2243 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2244 sizeof(u_char)); 2245 print_delim(fp, del); 2246 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2247 print_delim(fp, del); 2248 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2249 print_delim(fp, del); 2250 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2251 print_delim(fp, del); 2252 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2253 print_delim(fp, del); 2254 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2255 print_delim(fp, del); 2256 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2257 print_delim(fp, del); 2258 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2259 print_delim(fp, del); 2260 print_ip_address(fp, tok->tt.ip.src); 2261 print_delim(fp, del); 2262 print_ip_address(fp, tok->tt.ip.dest); 2263 } 2264} 2265 2266/* 2267 * object ID type 1 byte 2268 * Object ID 4 bytes 2269 */ 2270static int 2271fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2272{ 2273 int err = 0; 2274 2275 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2276 if (err) 2277 return (-1); 2278 2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2280 if (err) 2281 return (-1); 2282 2283 return (0); 2284} 2285 2286static void 2287print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2288{ 2289 2290 print_tok_type(fp, tok->id, "IPC", oflags); 2291 if (oflags & AU_OFLAG_XML) { 2292 open_attr(fp, "ipc-type"); 2293 print_ipctype(fp, tok->tt.ipc.type, oflags); 2294 close_attr(fp); 2295 open_attr(fp, "ipc-id"); 2296 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2297 close_attr(fp); 2298 close_tag(fp, tok->id); 2299 } else { 2300 print_delim(fp, del); 2301 print_ipctype(fp, tok->tt.ipc.type, oflags); 2302 print_delim(fp, del); 2303 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2304 } 2305} 2306 2307/* 2308 * owner user id 4 bytes 2309 * owner group id 4 bytes 2310 * creator user id 4 bytes 2311 * creator group id 4 bytes 2312 * access mode 4 bytes 2313 * slot seq 4 bytes 2314 * key 4 bytes 2315 */ 2316static int 2317fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2318{ 2319 int err = 0; 2320 2321 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2322 if (err) 2323 return (-1); 2324 2325 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2326 if (err) 2327 return (-1); 2328 2329 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2330 if (err) 2331 return (-1); 2332 2333 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2334 if (err) 2335 return (-1); 2336 2337 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2338 if (err) 2339 return (-1); 2340 2341 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2342 if (err) 2343 return (-1); 2344 2345 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2346 if (err) 2347 return (-1); 2348 2349 return (0); 2350} 2351 2352static void 2353print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2354{ 2355 2356 print_tok_type(fp, tok->id, "IPC perm", oflags); 2357 if (oflags & AU_OFLAG_XML) { 2358 open_attr(fp, "uid"); 2359 print_user(fp, tok->tt.ipcperm.uid, oflags); 2360 close_attr(fp); 2361 open_attr(fp, "gid"); 2362 print_group(fp, tok->tt.ipcperm.gid, oflags); 2363 close_attr(fp); 2364 open_attr(fp, "creator-uid"); 2365 print_user(fp, tok->tt.ipcperm.puid, oflags); 2366 close_attr(fp); 2367 open_attr(fp, "creator-gid"); 2368 print_group(fp, tok->tt.ipcperm.pgid, oflags); 2369 close_attr(fp); 2370 open_attr(fp, "mode"); 2371 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2372 close_attr(fp); 2373 open_attr(fp, "seq"); 2374 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2375 close_attr(fp); 2376 open_attr(fp, "key"); 2377 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2378 close_attr(fp); 2379 close_tag(fp, tok->id); 2380 } else { 2381 print_delim(fp, del); 2382 print_user(fp, tok->tt.ipcperm.uid, oflags); 2383 print_delim(fp, del); 2384 print_group(fp, tok->tt.ipcperm.gid, oflags); 2385 print_delim(fp, del); 2386 print_user(fp, tok->tt.ipcperm.puid, oflags); 2387 print_delim(fp, del); 2388 print_group(fp, tok->tt.ipcperm.pgid, oflags); 2389 print_delim(fp, del); 2390 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2391 print_delim(fp, del); 2392 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2393 print_delim(fp, del); 2394 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2395 } 2396} 2397 2398/* 2399 * port Ip address 2 bytes 2400 */ 2401static int 2402fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2403{ 2404 int err = 0; 2405 2406 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2407 tok->len, err); 2408 if (err) 2409 return (-1); 2410 2411 return (0); 2412} 2413 2414static void 2415print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2416{ 2417 2418 print_tok_type(fp, tok->id, "ip port", oflags); 2419 if (oflags & AU_OFLAG_XML) { 2420 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2421 close_tag(fp, tok->id); 2422 } else { 2423 print_delim(fp, del); 2424 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2425 } 2426} 2427 2428/* 2429 * size 2 bytes 2430 * data size bytes 2431 */ 2432static int 2433fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2434{ 2435 int err = 0; 2436 2437 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2438 if (err) 2439 return (-1); 2440 2441 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2442 tok->len, err); 2443 if (err) 2444 return (-1); 2445 2446 return (0); 2447} 2448 2449static void 2450print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2451{ 2452 2453 print_tok_type(fp, tok->id, "opaque", oflags); 2454 if (oflags & AU_OFLAG_XML) { 2455 print_mem(fp, (u_char*)tok->tt.opaque.data, 2456 tok->tt.opaque.size); 2457 close_tag(fp, tok->id); 2458 } else { 2459 print_delim(fp, del); 2460 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2461 print_delim(fp, del); 2462 print_mem(fp, (u_char*)tok->tt.opaque.data, 2463 tok->tt.opaque.size); 2464 } 2465} 2466 2467/* 2468 * size 2 bytes 2469 * data size bytes 2470 */ 2471static int 2472fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2473{ 2474 int err = 0; 2475 2476 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2477 if (err) 2478 return (-1); 2479 2480 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2481 err); 2482 if (err) 2483 return (-1); 2484 2485 return (0); 2486} 2487 2488static void 2489print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2490{ 2491 2492 print_tok_type(fp, tok->id, "path", oflags); 2493 if (oflags & AU_OFLAG_XML) { 2494 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2495 close_tag(fp, tok->id); 2496 } else { 2497 print_delim(fp, del); 2498 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2499 } 2500} 2501 2502/* 2503 * token ID 1 byte 2504 * audit ID 4 bytes 2505 * euid 4 bytes 2506 * egid 4 bytes 2507 * ruid 4 bytes 2508 * rgid 4 bytes 2509 * pid 4 bytes 2510 * sessid 4 bytes 2511 * terminal ID 2512 * portid 4 bytes 2513 * machine id 4 bytes 2514 */ 2515static int 2516fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2517{ 2518 int err = 0; 2519 2520 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2521 if (err) 2522 return (-1); 2523 2524 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2525 if (err) 2526 return (-1); 2527 2528 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2529 if (err) 2530 return (-1); 2531 2532 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2533 if (err) 2534 return (-1); 2535 2536 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2537 if (err) 2538 return (-1); 2539 2540 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2541 if (err) 2542 return (-1); 2543 2544 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2545 if (err) 2546 return (-1); 2547 2548 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2549 if (err) 2550 return (-1); 2551 2552 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2553 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2554 if (err) 2555 return (-1); 2556 2557 return (0); 2558} 2559 2560static void 2561print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2562{ 2563 2564 print_tok_type(fp, tok->id, "process", oflags); 2565 if (oflags & AU_OFLAG_XML) { 2566 open_attr(fp, "audit-uid"); 2567 print_user(fp, tok->tt.proc32.auid, oflags); 2568 close_attr(fp); 2569 open_attr(fp, "uid"); 2570 print_user(fp, tok->tt.proc32.euid, oflags); 2571 close_attr(fp); 2572 open_attr(fp, "gid"); 2573 print_group(fp, tok->tt.proc32.egid, oflags); 2574 close_attr(fp); 2575 open_attr(fp, "ruid"); 2576 print_user(fp, tok->tt.proc32.ruid, oflags); 2577 close_attr(fp); 2578 open_attr(fp, "rgid"); 2579 print_group(fp, tok->tt.proc32.rgid, oflags); 2580 close_attr(fp); 2581 open_attr(fp, "pid"); 2582 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2583 close_attr(fp); 2584 open_attr(fp, "sid"); 2585 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2586 close_attr(fp); 2587 open_attr(fp, "tid"); 2588 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2589 print_ip_address(fp, tok->tt.proc32.tid.addr); 2590 close_attr(fp); 2591 close_tag(fp, tok->id); 2592 } else { 2593 print_delim(fp, del); 2594 print_user(fp, tok->tt.proc32.auid, oflags); 2595 print_delim(fp, del); 2596 print_user(fp, tok->tt.proc32.euid, oflags); 2597 print_delim(fp, del); 2598 print_group(fp, tok->tt.proc32.egid, oflags); 2599 print_delim(fp, del); 2600 print_user(fp, tok->tt.proc32.ruid, oflags); 2601 print_delim(fp, del); 2602 print_group(fp, tok->tt.proc32.rgid, oflags); 2603 print_delim(fp, del); 2604 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2605 print_delim(fp, del); 2606 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2607 print_delim(fp, del); 2608 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2609 print_delim(fp, del); 2610 print_ip_address(fp, tok->tt.proc32.tid.addr); 2611 } 2612} 2613 2614/* 2615 * token ID 1 byte 2616 * audit ID 4 bytes 2617 * euid 4 bytes 2618 * egid 4 bytes 2619 * ruid 4 bytes 2620 * rgid 4 bytes 2621 * pid 4 bytes 2622 * sessid 4 bytes 2623 * terminal ID 2624 * portid 8 bytes 2625 * machine id 4 bytes 2626 */ 2627static int 2628fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2629{ 2630 int err = 0; 2631 2632 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2633 if (err) 2634 return (-1); 2635 2636 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2637 if (err) 2638 return (-1); 2639 2640 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2641 if (err) 2642 return (-1); 2643 2644 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2645 if (err) 2646 return (-1); 2647 2648 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2649 if (err) 2650 return (-1); 2651 2652 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2653 if (err) 2654 return (-1); 2655 2656 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2657 if (err) 2658 return (-1); 2659 2660 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2661 if (err) 2662 return (-1); 2663 2664 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2665 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2666 if (err) 2667 return (-1); 2668 2669 return (0); 2670} 2671 2672static void 2673print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2674{ 2675 print_tok_type(fp, tok->id, "process", oflags); 2676 if (oflags & AU_OFLAG_XML) { 2677 open_attr(fp, "audit-uid"); 2678 print_user(fp, tok->tt.proc64.auid, oflags); 2679 close_attr(fp); 2680 open_attr(fp, "uid"); 2681 print_user(fp, tok->tt.proc64.euid, oflags); 2682 close_attr(fp); 2683 open_attr(fp, "gid"); 2684 print_group(fp, tok->tt.proc64.egid, oflags); 2685 close_attr(fp); 2686 open_attr(fp, "ruid"); 2687 print_user(fp, tok->tt.proc64.ruid, oflags); 2688 close_attr(fp); 2689 open_attr(fp, "rgid"); 2690 print_group(fp, tok->tt.proc64.rgid, oflags); 2691 close_attr(fp); 2692 open_attr(fp, "pid"); 2693 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2694 close_attr(fp); 2695 open_attr(fp, "sid"); 2696 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2697 close_attr(fp); 2698 open_attr(fp, "tid"); 2699 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2700 print_ip_address(fp, tok->tt.proc64.tid.addr); 2701 close_attr(fp); 2702 close_tag(fp, tok->id); 2703 } else { 2704 print_delim(fp, del); 2705 print_user(fp, tok->tt.proc64.auid, oflags); 2706 print_delim(fp, del); 2707 print_user(fp, tok->tt.proc64.euid, oflags); 2708 print_delim(fp, del); 2709 print_group(fp, tok->tt.proc64.egid, oflags); 2710 print_delim(fp, del); 2711 print_user(fp, tok->tt.proc64.ruid, oflags); 2712 print_delim(fp, del); 2713 print_group(fp, tok->tt.proc64.rgid, oflags); 2714 print_delim(fp, del); 2715 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2716 print_delim(fp, del); 2717 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2718 print_delim(fp, del); 2719 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2720 print_delim(fp, del); 2721 print_ip_address(fp, tok->tt.proc64.tid.addr); 2722 } 2723} 2724 2725/* 2726 * token ID 1 byte 2727 * audit ID 4 bytes 2728 * effective user ID 4 bytes 2729 * effective group ID 4 bytes 2730 * real user ID 4 bytes 2731 * real group ID 4 bytes 2732 * process ID 4 bytes 2733 * session ID 4 bytes 2734 * terminal ID 2735 * port ID 4 bytes 2736 * address type-len 4 bytes 2737 * machine address 16 bytes 2738 */ 2739static int 2740fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2741{ 2742 int err = 0; 2743 2744 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2745 if (err) 2746 return (-1); 2747 2748 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2749 if (err) 2750 return (-1); 2751 2752 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2753 if (err) 2754 return (-1); 2755 2756 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2757 if (err) 2758 return (-1); 2759 2760 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2761 if (err) 2762 return (-1); 2763 2764 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2765 if (err) 2766 return (-1); 2767 2768 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2769 if (err) 2770 return (-1); 2771 2772 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2773 err); 2774 if (err) 2775 return (-1); 2776 2777 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2778 err); 2779 if (err) 2780 return (-1); 2781 2782 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2783 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2784 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2785 if (err) 2786 return (-1); 2787 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2788 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2789 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2790 if (err) 2791 return (-1); 2792 } else 2793 return (-1); 2794 2795 return (0); 2796} 2797 2798static void 2799print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2800{ 2801 2802 print_tok_type(fp, tok->id, "process_ex", oflags); 2803 if (oflags & AU_OFLAG_XML) { 2804 open_attr(fp, "audit-uid"); 2805 print_user(fp, tok->tt.proc32_ex.auid, oflags); 2806 close_attr(fp); 2807 open_attr(fp, "uid"); 2808 print_user(fp, tok->tt.proc32_ex.euid, oflags); 2809 close_attr(fp); 2810 open_attr(fp, "gid"); 2811 print_group(fp, tok->tt.proc32_ex.egid, oflags); 2812 close_attr(fp); 2813 open_attr(fp, "ruid"); 2814 print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2815 close_attr(fp); 2816 open_attr(fp, "rgid"); 2817 print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2818 close_attr(fp); 2819 open_attr(fp, "pid"); 2820 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2821 close_attr(fp); 2822 open_attr(fp, "sid"); 2823 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2824 close_attr(fp); 2825 open_attr(fp, "tid"); 2826 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2827 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2828 tok->tt.proc32_ex.tid.addr); 2829 close_attr(fp); 2830 close_tag(fp, tok->id); 2831 } else { 2832 print_delim(fp, del); 2833 print_user(fp, tok->tt.proc32_ex.auid, oflags); 2834 print_delim(fp, del); 2835 print_user(fp, tok->tt.proc32_ex.euid, oflags); 2836 print_delim(fp, del); 2837 print_group(fp, tok->tt.proc32_ex.egid, oflags); 2838 print_delim(fp, del); 2839 print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2840 print_delim(fp, del); 2841 print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2842 print_delim(fp, del); 2843 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2844 print_delim(fp, del); 2845 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2846 print_delim(fp, del); 2847 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2848 print_delim(fp, del); 2849 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2850 tok->tt.proc32_ex.tid.addr); 2851 } 2852} 2853 2854/* 2855 * token ID 1 byte 2856 * audit ID 4 bytes 2857 * effective user ID 4 bytes 2858 * effective group ID 4 bytes 2859 * real user ID 4 bytes 2860 * real group ID 4 bytes 2861 * process ID 4 bytes 2862 * session ID 4 bytes 2863 * terminal ID 2864 * port ID 8 bytes 2865 * address type-len 4 bytes 2866 * machine address 16 bytes 2867 */ 2868static int 2869fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2870{ 2871 int err = 0; 2872 2873 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2874 if (err) 2875 return (-1); 2876 2877 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2878 if (err) 2879 return (-1); 2880 2881 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2882 if (err) 2883 return (-1); 2884 2885 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2886 if (err) 2887 return (-1); 2888 2889 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2890 if (err) 2891 return (-1); 2892 2893 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2894 if (err) 2895 return (-1); 2896 2897 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2898 if (err) 2899 return (-1); 2900 2901 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2902 err); 2903 if (err) 2904 return (-1); 2905 2906 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2907 err); 2908 if (err) 2909 return (-1); 2910 2911 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2912 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2913 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2914 if (err) 2915 return (-1); 2916 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2917 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2918 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2919 if (err) 2920 return (-1); 2921 } else 2922 return (-1); 2923 2924 return (0); 2925} 2926 2927static void 2928print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2929{ 2930 print_tok_type(fp, tok->id, "process_ex", oflags); 2931 if (oflags & AU_OFLAG_XML) { 2932 open_attr(fp, "audit-uid"); 2933 print_user(fp, tok->tt.proc64_ex.auid, oflags); 2934 close_attr(fp); 2935 open_attr(fp, "uid"); 2936 print_user(fp, tok->tt.proc64_ex.euid, oflags); 2937 close_attr(fp); 2938 open_attr(fp, "gid"); 2939 print_group(fp, tok->tt.proc64_ex.egid, oflags); 2940 close_attr(fp); 2941 open_attr(fp, "ruid"); 2942 print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2943 close_attr(fp); 2944 open_attr(fp, "rgid"); 2945 print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2946 close_attr(fp); 2947 open_attr(fp, "pid"); 2948 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2949 close_attr(fp); 2950 open_attr(fp, "sid"); 2951 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2952 close_attr(fp); 2953 open_attr(fp, "tid"); 2954 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2955 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2956 tok->tt.proc64_ex.tid.addr); 2957 close_attr(fp); 2958 close_tag(fp, tok->id); 2959 } else { 2960 print_delim(fp, del); 2961 print_user(fp, tok->tt.proc64_ex.auid, oflags); 2962 print_delim(fp, del); 2963 print_user(fp, tok->tt.proc64_ex.euid, oflags); 2964 print_delim(fp, del); 2965 print_group(fp, tok->tt.proc64_ex.egid, oflags); 2966 print_delim(fp, del); 2967 print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2968 print_delim(fp, del); 2969 print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2970 print_delim(fp, del); 2971 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2972 print_delim(fp, del); 2973 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2974 print_delim(fp, del); 2975 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2976 print_delim(fp, del); 2977 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2978 tok->tt.proc64_ex.tid.addr); 2979 } 2980} 2981 2982/* 2983 * errno 1 byte 2984 * return value 4 bytes 2985 */ 2986static int 2987fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2988{ 2989 int err = 0; 2990 2991 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2992 if (err) 2993 return (-1); 2994 2995 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2996 if (err) 2997 return (-1); 2998 2999 return (0); 3000} 3001 3002static void 3003print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3004{ 3005 3006 print_tok_type(fp, tok->id, "return", oflags); 3007 if (oflags & AU_OFLAG_XML) { 3008 open_attr(fp ,"errval"); 3009 print_retval(fp, tok->tt.ret32.status, oflags); 3010 close_attr(fp); 3011 open_attr(fp, "retval"); 3012 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3013 close_attr(fp); 3014 close_tag(fp, tok->id); 3015 } else { 3016 print_delim(fp, del); 3017 print_retval(fp, tok->tt.ret32.status, oflags); 3018 print_delim(fp, del); 3019 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3020 } 3021} 3022 3023static int 3024fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 3025{ 3026 int err = 0; 3027 3028 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3029 if (err) 3030 return (-1); 3031 3032 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3033 if (err) 3034 return (-1); 3035 3036 return (0); 3037} 3038 3039static void 3040print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3041{ 3042 3043 print_tok_type(fp, tok->id, "return", oflags); 3044 if (oflags & AU_OFLAG_XML) { 3045 open_attr(fp, "errval"); 3046 print_retval(fp, tok->tt.ret64.err, oflags); 3047 close_attr(fp); 3048 open_attr(fp, "retval"); 3049 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3050 close_attr(fp); 3051 close_tag(fp, tok->id); 3052 } else { 3053 print_delim(fp, del); 3054 print_retval(fp, tok->tt.ret64.err, oflags); 3055 print_delim(fp, del); 3056 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3057 } 3058} 3059 3060/* 3061 * seq 4 bytes 3062 */ 3063static int 3064fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3065{ 3066 int err = 0; 3067 3068 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3069 if (err) 3070 return (-1); 3071 3072 return (0); 3073} 3074 3075static void 3076print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3077{ 3078 3079 print_tok_type(fp, tok->id, "sequence", oflags); 3080 if (oflags & AU_OFLAG_XML) { 3081 open_attr(fp, "seq-num"); 3082 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3083 close_attr(fp); 3084 close_tag(fp, tok->id); 3085 } else { 3086 print_delim(fp, del); 3087 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3088 } 3089} 3090 3091/* 3092 * socket family 2 bytes 3093 * local port 2 bytes 3094 * socket address 4 bytes 3095 */ 3096static int 3097fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3098{ 3099 int err = 0; 3100 3101 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3102 err); 3103 if (err) 3104 return (-1); 3105 3106 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3107 sizeof(uint16_t), tok->len, err); 3108 if (err) 3109 return (-1); 3110 3111 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3112 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3113 if (err) 3114 return (-1); 3115 3116 return (0); 3117} 3118 3119static void 3120print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3121{ 3122 3123 print_tok_type(fp, tok->id, "socket-inet", oflags); 3124 if (oflags & AU_OFLAG_XML) { 3125 open_attr(fp, "type"); 3126 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3127 close_attr(fp); 3128 open_attr(fp, "port"); 3129 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3130 close_attr(fp); 3131 open_attr(fp, "addr"); 3132 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3133 close_attr(fp); 3134 close_tag(fp, tok->id); 3135 } else { 3136 print_delim(fp, del); 3137 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3138 print_delim(fp, del); 3139 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3140 print_delim(fp, del); 3141 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3142 } 3143} 3144 3145/* 3146 * socket family 2 bytes 3147 * local port 2 bytes 3148 * socket address 16 bytes 3149 */ 3150static int 3151fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3152{ 3153 int err = 0; 3154 3155 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3156 err); 3157 if (err) 3158 return (-1); 3159 3160 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3161 sizeof(uint16_t), tok->len, err); 3162 if (err) 3163 return (-1); 3164 3165 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3166 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3167 if (err) 3168 return (-1); 3169 3170 return (0); 3171} 3172 3173static void 3174print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3175{ 3176 3177 print_tok_type(fp, tok->id, "socket-inet6", oflags); 3178 if (oflags & AU_OFLAG_XML) { 3179 open_attr(fp, "type"); 3180 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3181 close_attr(fp); 3182 open_attr(fp, "port"); 3183 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3184 close_attr(fp); 3185 open_attr(fp, "addr"); 3186 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3187 close_attr(fp); 3188 close_tag(fp, tok->id); 3189 } else { 3190 print_delim(fp, del); 3191 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3192 print_delim(fp, del); 3193 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3194 print_delim(fp, del); 3195 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3196 } 3197} 3198 3199/* 3200 * socket family 2 bytes 3201 * path (up to) 104 bytes + NULL (NULL terminated string). 3202 */ 3203static int 3204fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3205{ 3206 int err = 0; 3207 u_char *p; 3208 int slen; 3209 3210 3211 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3212 if (err) 3213 return (-1); 3214 3215 /* slen = strnlen((buf + tok->len), 104) + 1; */ 3216 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104); 3217 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1; 3218 3219 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err); 3220 if (err) 3221 return (-1); 3222 3223 return (0); 3224} 3225 3226static void 3227print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3228{ 3229 3230 print_tok_type(fp, tok->id, "socket-unix", oflags); 3231 if (oflags & AU_OFLAG_XML) { 3232 open_attr(fp, "type"); 3233 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3234 close_attr(fp); 3235 open_attr(fp, "port"); 3236 close_attr(fp); 3237 open_attr(fp, "addr"); 3238 print_string(fp, tok->tt.sockunix.path, 3239 strlen(tok->tt.sockunix.path)); 3240 close_attr(fp); 3241 close_tag(fp, tok->id); 3242 } else { 3243 print_delim(fp, del); 3244 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3245 print_delim(fp, del); 3246 print_string(fp, tok->tt.sockunix.path, 3247 strlen(tok->tt.sockunix.path)); 3248 } 3249} 3250 3251/* 3252 * socket type 2 bytes 3253 * local port 2 bytes 3254 * local address 4 bytes 3255 * remote port 2 bytes 3256 * remote address 4 bytes 3257 */ 3258static int 3259fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3260{ 3261 int err = 0; 3262 3263 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3264 if (err) 3265 return (-1); 3266 3267 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3268 tok->len, err); 3269 if (err) 3270 return (-1); 3271 3272 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3273 sizeof(tok->tt.socket.l_addr), tok->len, err); 3274 if (err) 3275 return (-1); 3276 3277 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3278 tok->len, err); 3279 if (err) 3280 return (-1); 3281 3282 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3283 sizeof(tok->tt.socket.r_addr), tok->len, err); 3284 if (err) 3285 return (-1); 3286 3287 return (0); 3288} 3289 3290static void 3291print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3292{ 3293 3294 print_tok_type(fp, tok->id, "socket", oflags); 3295 if (oflags & AU_OFLAG_XML) { 3296 open_attr(fp, "sock_type"); 3297 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3298 close_attr(fp); 3299 open_attr(fp, "lport"); 3300 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3301 close_attr(fp); 3302 open_attr(fp, "laddr"); 3303 print_ip_address(fp, tok->tt.socket.l_addr); 3304 close_attr(fp); 3305 open_attr(fp, "fport"); 3306 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3307 close_attr(fp); 3308 open_attr(fp, "faddr"); 3309 print_ip_address(fp, tok->tt.socket.r_addr); 3310 close_attr(fp); 3311 close_tag(fp, tok->id); 3312 } else { 3313 print_delim(fp, del); 3314 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3315 print_delim(fp, del); 3316 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3317 print_delim(fp, del); 3318 print_ip_address(fp, tok->tt.socket.l_addr); 3319 print_delim(fp, del); 3320 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3321 print_delim(fp, del); 3322 print_ip_address(fp, tok->tt.socket.r_addr); 3323 } 3324} 3325 3326/* 3327 * audit ID 4 bytes 3328 * euid 4 bytes 3329 * egid 4 bytes 3330 * ruid 4 bytes 3331 * rgid 4 bytes 3332 * pid 4 bytes 3333 * sessid 4 bytes 3334 * terminal ID 3335 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3336 * machine id 4 bytes 3337 */ 3338static int 3339fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3340{ 3341 int err = 0; 3342 3343 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3344 if (err) 3345 return (-1); 3346 3347 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3348 if (err) 3349 return (-1); 3350 3351 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3352 if (err) 3353 return (-1); 3354 3355 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3356 if (err) 3357 return (-1); 3358 3359 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3360 if (err) 3361 return (-1); 3362 3363 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3364 if (err) 3365 return (-1); 3366 3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3368 if (err) 3369 return (-1); 3370 3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3372 if (err) 3373 return (-1); 3374 3375 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3376 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3377 if (err) 3378 return (-1); 3379 3380 return (0); 3381} 3382 3383static void 3384print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3385{ 3386 3387 print_tok_type(fp, tok->id, "subject", oflags); 3388 if (oflags & AU_OFLAG_XML) { 3389 open_attr(fp, "audit-uid"); 3390 print_user(fp, tok->tt.subj32.auid, oflags); 3391 close_attr(fp); 3392 open_attr(fp, "uid"); 3393 print_user(fp, tok->tt.subj32.euid, oflags); 3394 close_attr(fp); 3395 open_attr(fp, "gid"); 3396 print_group(fp, tok->tt.subj32.egid, oflags); 3397 close_attr(fp); 3398 open_attr(fp, "ruid"); 3399 print_user(fp, tok->tt.subj32.ruid, oflags); 3400 close_attr(fp); 3401 open_attr(fp, "rgid"); 3402 print_group(fp, tok->tt.subj32.rgid, oflags); 3403 close_attr(fp); 3404 open_attr(fp,"pid"); 3405 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3406 close_attr(fp); 3407 open_attr(fp,"sid"); 3408 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3409 close_attr(fp); 3410 open_attr(fp,"tid"); 3411 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3412 print_ip_address(fp, tok->tt.subj32.tid.addr); 3413 close_attr(fp); 3414 close_tag(fp, tok->id); 3415 } else { 3416 print_delim(fp, del); 3417 print_user(fp, tok->tt.subj32.auid, oflags); 3418 print_delim(fp, del); 3419 print_user(fp, tok->tt.subj32.euid, oflags); 3420 print_delim(fp, del); 3421 print_group(fp, tok->tt.subj32.egid, oflags); 3422 print_delim(fp, del); 3423 print_user(fp, tok->tt.subj32.ruid, oflags); 3424 print_delim(fp, del); 3425 print_group(fp, tok->tt.subj32.rgid, oflags); 3426 print_delim(fp, del); 3427 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3428 print_delim(fp, del); 3429 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3430 print_delim(fp, del); 3431 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3432 print_delim(fp, del); 3433 print_ip_address(fp, tok->tt.subj32.tid.addr); 3434 } 3435} 3436 3437static void 3438print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3439{ 3440 3441 print_tok_type(fp, tok->id, "use of privilege", oflags); 3442 if (oflags & AU_OFLAG_XML) { 3443 open_attr(fp, "status"); 3444 if (tok->tt.priv.sorf) 3445 (void) fprintf(fp, "successful use of priv"); 3446 else 3447 (void) fprintf(fp, "failed use of priv"); 3448 close_attr(fp); 3449 open_attr(fp, "name"); 3450 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3451 close_attr(fp); 3452 close_tag(fp, tok->id); 3453 } else { 3454 print_delim(fp, del); 3455 if (tok->tt.priv.sorf) 3456 (void) fprintf(fp, "successful use of priv"); 3457 else 3458 (void) fprintf(fp, "failed use of priv"); 3459 print_delim(fp, del); 3460 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3461 } 3462} 3463 3464/* 3465 * status 1 byte 3466 * privstrlen 2 bytes 3467 * priv N bytes + 1 (\0 byte) 3468 */ 3469static int 3470fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len) 3471{ 3472 int err = 0; 3473 3474 READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err); 3475 if (err) 3476 return (-1); 3477 READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err); 3478 if (err) 3479 return (-1); 3480 SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen, 3481 tok->len, err); 3482 if (err) 3483 return (-1); 3484 return (0); 3485} 3486 3487/* 3488 * privtstrlen 1 byte 3489 * privtstr N bytes + 1 3490 * privstrlen 1 byte 3491 * privstr N bytes + 1 3492 */ 3493static int 3494fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len) 3495{ 3496 int err = 0; 3497 3498 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen, 3499 tok->len, err); 3500 if (err) 3501 return (-1); 3502 SET_PTR((char *)buf, len, tok->tt.privset.privtstr, 3503 tok->tt.privset.privtstrlen, tok->len, err); 3504 if (err) 3505 return (-1); 3506 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen, 3507 tok->len, err); 3508 if (err) 3509 return (-1); 3510 SET_PTR((char *)buf, len, tok->tt.privset.privstr, 3511 tok->tt.privset.privstrlen, tok->len, err); 3512 if (err) 3513 return (-1); 3514 return (0); 3515} 3516 3517static void 3518print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3519{ 3520 3521 print_tok_type(fp, tok->id, "privilege", oflags); 3522 if (oflags & AU_OFLAG_XML) { 3523 open_attr(fp, "type"); 3524 print_string(fp, tok->tt.privset.privtstr, 3525 tok->tt.privset.privtstrlen); 3526 close_attr(fp); 3527 open_attr(fp, "priv"); 3528 print_string(fp, tok->tt.privset.privstr, 3529 tok->tt.privset.privstrlen); 3530 close_attr(fp); 3531 } else { 3532 print_delim(fp, del); 3533 print_string(fp, tok->tt.privset.privtstr, 3534 tok->tt.privset.privtstrlen); 3535 print_delim(fp, del); 3536 print_string(fp, tok->tt.privset.privstr, 3537 tok->tt.privset.privstrlen); 3538 } 3539} 3540 3541/* 3542 * audit ID 4 bytes 3543 * euid 4 bytes 3544 * egid 4 bytes 3545 * ruid 4 bytes 3546 * rgid 4 bytes 3547 * pid 4 bytes 3548 * sessid 4 bytes 3549 * terminal ID 3550 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3551 * machine id 4 bytes 3552 */ 3553static int 3554fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3555{ 3556 int err = 0; 3557 3558 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3559 if (err) 3560 return (-1); 3561 3562 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3563 if (err) 3564 return (-1); 3565 3566 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3567 if (err) 3568 return (-1); 3569 3570 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3571 if (err) 3572 return (-1); 3573 3574 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3575 if (err) 3576 return (-1); 3577 3578 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3579 if (err) 3580 return (-1); 3581 3582 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3583 if (err) 3584 return (-1); 3585 3586 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3587 if (err) 3588 return (-1); 3589 3590 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3591 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3592 if (err) 3593 return (-1); 3594 3595 return (0); 3596} 3597 3598static void 3599print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3600{ 3601 3602 print_tok_type(fp, tok->id, "subject", oflags); 3603 if (oflags & AU_OFLAG_XML) { 3604 open_attr(fp, "audit-uid"); 3605 print_user(fp, tok->tt.subj64.auid, oflags); 3606 close_attr(fp); 3607 open_attr(fp, "uid"); 3608 print_user(fp, tok->tt.subj64.euid, oflags); 3609 close_attr(fp); 3610 open_attr(fp, "gid"); 3611 print_group(fp, tok->tt.subj64.egid, oflags); 3612 close_attr(fp); 3613 open_attr(fp, "ruid"); 3614 print_user(fp, tok->tt.subj64.ruid, oflags); 3615 close_attr(fp); 3616 open_attr(fp, "rgid"); 3617 print_group(fp, tok->tt.subj64.rgid, oflags); 3618 close_attr(fp); 3619 open_attr(fp, "pid"); 3620 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3621 close_attr(fp); 3622 open_attr(fp, "sid"); 3623 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3624 close_attr(fp); 3625 open_attr(fp, "tid"); 3626 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3627 print_ip_address(fp, tok->tt.subj64.tid.addr); 3628 close_attr(fp); 3629 close_tag(fp, tok->id); 3630 } else { 3631 print_delim(fp, del); 3632 print_user(fp, tok->tt.subj64.auid, oflags); 3633 print_delim(fp, del); 3634 print_user(fp, tok->tt.subj64.euid, oflags); 3635 print_delim(fp, del); 3636 print_group(fp, tok->tt.subj64.egid, oflags); 3637 print_delim(fp, del); 3638 print_user(fp, tok->tt.subj64.ruid, oflags); 3639 print_delim(fp, del); 3640 print_group(fp, tok->tt.subj64.rgid, oflags); 3641 print_delim(fp, del); 3642 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3643 print_delim(fp, del); 3644 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3645 print_delim(fp, del); 3646 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3647 print_delim(fp, del); 3648 print_ip_address(fp, tok->tt.subj64.tid.addr); 3649 } 3650} 3651 3652/* 3653 * audit ID 4 bytes 3654 * euid 4 bytes 3655 * egid 4 bytes 3656 * ruid 4 bytes 3657 * rgid 4 bytes 3658 * pid 4 bytes 3659 * sessid 4 bytes 3660 * terminal ID 3661 * portid 4 bytes 3662 * type 4 bytes 3663 * machine id 16 bytes 3664 */ 3665static int 3666fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3667{ 3668 int err = 0; 3669 3670 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3671 if (err) 3672 return (-1); 3673 3674 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3675 if (err) 3676 return (-1); 3677 3678 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3679 if (err) 3680 return (-1); 3681 3682 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3683 if (err) 3684 return (-1); 3685 3686 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3687 if (err) 3688 return (-1); 3689 3690 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3691 if (err) 3692 return (-1); 3693 3694 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3695 if (err) 3696 return (-1); 3697 3698 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3699 err); 3700 if (err) 3701 return (-1); 3702 3703 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3704 err); 3705 if (err) 3706 return (-1); 3707 3708 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3709 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3710 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3711 if (err) 3712 return (-1); 3713 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3714 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3715 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3716 if (err) 3717 return (-1); 3718 } else 3719 return (-1); 3720 3721 return (0); 3722} 3723 3724static void 3725print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3726{ 3727 3728 print_tok_type(fp, tok->id, "subject_ex", oflags); 3729 if (oflags & AU_OFLAG_XML) { 3730 open_attr(fp, "audit-uid"); 3731 print_user(fp, tok->tt.subj32_ex.auid, oflags); 3732 close_attr(fp); 3733 open_attr(fp, "uid"); 3734 print_user(fp, tok->tt.subj32_ex.euid, oflags); 3735 close_attr(fp); 3736 open_attr(fp, "gid"); 3737 print_group(fp, tok->tt.subj32_ex.egid, oflags); 3738 close_attr(fp); 3739 open_attr(fp, "ruid"); 3740 print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3741 close_attr(fp); 3742 open_attr(fp, "rgid"); 3743 print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3744 close_attr(fp); 3745 open_attr(fp, "pid"); 3746 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3747 close_attr(fp); 3748 open_attr(fp, "sid"); 3749 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3750 close_attr(fp); 3751 open_attr(fp, "tid"); 3752 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3753 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3754 tok->tt.subj32_ex.tid.addr); 3755 close_attr(fp); 3756 close_tag(fp, tok->id); 3757 } else { 3758 print_delim(fp, del); 3759 print_user(fp, tok->tt.subj32_ex.auid, oflags); 3760 print_delim(fp, del); 3761 print_user(fp, tok->tt.subj32_ex.euid, oflags); 3762 print_delim(fp, del); 3763 print_group(fp, tok->tt.subj32_ex.egid, oflags); 3764 print_delim(fp, del); 3765 print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3766 print_delim(fp, del); 3767 print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3768 print_delim(fp, del); 3769 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3770 print_delim(fp, del); 3771 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3772 print_delim(fp, del); 3773 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3774 print_delim(fp, del); 3775 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3776 tok->tt.subj32_ex.tid.addr); 3777 } 3778} 3779 3780/* 3781 * audit ID 4 bytes 3782 * euid 4 bytes 3783 * egid 4 bytes 3784 * ruid 4 bytes 3785 * rgid 4 bytes 3786 * pid 4 bytes 3787 * sessid 4 bytes 3788 * terminal ID 3789 * portid 8 bytes 3790 * type 4 bytes 3791 * machine id 16 bytes 3792 */ 3793static int 3794fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3795{ 3796 int err = 0; 3797 3798 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3799 if (err) 3800 return (-1); 3801 3802 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3803 if (err) 3804 return (-1); 3805 3806 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3807 if (err) 3808 return (-1); 3809 3810 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3811 if (err) 3812 return (-1); 3813 3814 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3815 if (err) 3816 return (-1); 3817 3818 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3819 if (err) 3820 return (-1); 3821 3822 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3823 if (err) 3824 return (-1); 3825 3826 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3827 err); 3828 if (err) 3829 return (-1); 3830 3831 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3832 err); 3833 if (err) 3834 return (-1); 3835 3836 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3837 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3838 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3839 if (err) 3840 return (-1); 3841 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3842 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3843 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3844 if (err) 3845 return (-1); 3846 } else 3847 return (-1); 3848 3849 return (0); 3850} 3851 3852static void 3853print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3854{ 3855 print_tok_type(fp, tok->id, "subject_ex", oflags); 3856 if (oflags & AU_OFLAG_XML) { 3857 open_attr(fp, "audit-uid"); 3858 print_user(fp, tok->tt.subj64_ex.auid, oflags); 3859 close_attr(fp); 3860 open_attr(fp, "uid"); 3861 print_user(fp, tok->tt.subj64_ex.euid, oflags); 3862 close_attr(fp); 3863 open_attr(fp, "gid"); 3864 print_group(fp, tok->tt.subj64_ex.egid, oflags); 3865 close_attr(fp); 3866 open_attr(fp, "ruid"); 3867 print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3868 close_attr(fp); 3869 open_attr(fp, "rgid"); 3870 print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3871 close_attr(fp); 3872 open_attr(fp, "pid"); 3873 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3874 close_attr(fp); 3875 open_attr(fp, "sid"); 3876 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3877 close_attr(fp); 3878 open_attr(fp, "tid"); 3879 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3880 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3881 tok->tt.subj64_ex.tid.addr); 3882 close_attr(fp); 3883 close_tag(fp, tok->id); 3884 } else { 3885 print_delim(fp, del); 3886 print_user(fp, tok->tt.subj64_ex.auid, oflags); 3887 print_delim(fp, del); 3888 print_user(fp, tok->tt.subj64_ex.euid, oflags); 3889 print_delim(fp, del); 3890 print_group(fp, tok->tt.subj64_ex.egid, oflags); 3891 print_delim(fp, del); 3892 print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3893 print_delim(fp, del); 3894 print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3895 print_delim(fp, del); 3896 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3897 print_delim(fp, del); 3898 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3899 print_delim(fp, del); 3900 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3901 print_delim(fp, del); 3902 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3903 tok->tt.subj64_ex.tid.addr); 3904 } 3905} 3906 3907/* 3908 * size 2 bytes 3909 * data size bytes 3910 */ 3911static int 3912fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3913{ 3914 int err = 0; 3915 3916 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3917 if (err) 3918 return (-1); 3919 3920 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3921 err); 3922 if (err) 3923 return (-1); 3924 3925 return (0); 3926} 3927 3928static void 3929print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3930{ 3931 3932 print_tok_type(fp, tok->id, "text", oflags); 3933 if (oflags & AU_OFLAG_XML) { 3934 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3935 close_tag(fp, tok->id); 3936 } else { 3937 print_delim(fp, del); 3938 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3939 } 3940} 3941 3942/* 3943 * socket domain 2 bytes 3944 * socket type 2 bytes 3945 * address type 2 bytes 3946 * local port 2 bytes 3947 * local Internet address 4/16 bytes 3948 * remote port 2 bytes 3949 * remote Internet address 4/16 bytes 3950 */ 3951static int 3952fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3953{ 3954 int err = 0; 3955 3956 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3957 err); 3958 if (err) 3959 return (-1); 3960 3961 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3962 err); 3963 if (err) 3964 return (-1); 3965 3966 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3967 err); 3968 if (err) 3969 return (-1); 3970 3971 if (tok->tt.socket_ex32.atype != AU_IPv4 && 3972 tok->tt.socket_ex32.atype != AU_IPv6) 3973 return (-1); 3974 3975 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3976 sizeof(uint16_t), tok->len, err); 3977 if (err) 3978 return (-1); 3979 3980 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3981 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3982 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3983 if (err) 3984 return (-1); 3985 } else { 3986 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3987 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3988 if (err) 3989 return (-1); 3990 } 3991 3992 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3993 sizeof(uint16_t), tok->len, err); 3994 if (err) 3995 return (-1); 3996 3997 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3998 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3999 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 4000 if (err) 4001 return (-1); 4002 } else { 4003 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 4004 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 4005 if (err) 4006 return (-1); 4007 } 4008 4009 return (0); 4010} 4011 4012static void 4013print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4014{ 4015 4016 /* 4017 * This print routine prints BSM constant space domains and socket 4018 * types rather than converting them. If we add string printers for 4019 * these constants in the future, we may want to call conversion 4020 * routines. 4021 */ 4022 print_tok_type(fp, tok->id, "socket", oflags); 4023 if (oflags & AU_OFLAG_XML) { 4024 open_attr(fp, "sock_dom"); 4025 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4026 close_attr(fp); 4027 open_attr(fp, "sock_type"); 4028 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4029 close_attr(fp); 4030 open_attr(fp, "lport"); 4031 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4032 close_attr(fp); 4033 open_attr(fp, "laddr"); 4034 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4035 tok->tt.socket_ex32.l_addr); 4036 close_attr(fp); 4037 open_attr(fp, "faddr"); 4038 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4039 tok->tt.socket_ex32.r_addr); 4040 close_attr(fp); 4041 open_attr(fp, "fport"); 4042 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4043 close_attr(fp); 4044 close_tag(fp, tok->id); 4045 } else { 4046 print_delim(fp, del); 4047 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4048 print_delim(fp, del); 4049 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4050 print_delim(fp, del); 4051 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4052 print_delim(fp, del); 4053 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4054 tok->tt.socket_ex32.l_addr); 4055 print_delim(fp, del); 4056 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4057 print_delim(fp, del); 4058 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4059 tok->tt.socket_ex32.r_addr); 4060 } 4061} 4062 4063static int 4064fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 4065{ 4066 int err = 0; 4067 int recoversize; 4068 4069 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 4070 if (recoversize <= 0) 4071 return (-1); 4072 4073 tok->tt.invalid.length = recoversize; 4074 4075 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 4076 err); 4077 if (err) 4078 return (-1); 4079 4080 return (0); 4081} 4082 4083static void 4084print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4085{ 4086 4087 if (!(oflags & AU_OFLAG_XML)) { 4088 print_tok_type(fp, tok->id, "unknown", oflags); 4089 print_delim(fp, del); 4090 print_mem(fp, (u_char*)tok->tt.invalid.data, 4091 tok->tt.invalid.length); 4092 } 4093} 4094 4095 4096/* 4097 * size 2 bytes; 4098 * zonename size bytes; 4099 */ 4100static int 4101fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 4102{ 4103 int err = 0; 4104 4105 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 4106 if (err) 4107 return (-1); 4108 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 4109 tok->len, err); 4110 if (err) 4111 return (-1); 4112 return (0); 4113} 4114 4115static void 4116print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4117{ 4118 4119 print_tok_type(fp, tok->id, "zone", oflags); 4120 if (oflags & AU_OFLAG_XML) { 4121 open_attr(fp, "name"); 4122 print_string(fp, tok->tt.zonename.zonename, 4123 tok->tt.zonename.len); 4124 close_attr(fp); 4125 close_tag(fp, tok->id); 4126 } else { 4127 print_delim(fp, del); 4128 print_string(fp, tok->tt.zonename.zonename, 4129 tok->tt.zonename.len); 4130 } 4131} 4132 4133/* 4134 * Reads the token beginning at buf into tok. 4135 */ 4136int 4137au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4138{ 4139 4140 if (len <= 0) 4141 return (-1); 4142 4143 tok->len = 1; 4144 tok->data = buf; 4145 tok->id = *buf; 4146 4147 switch(tok->id) { 4148 case AUT_HEADER32: 4149 return (fetch_header32_tok(tok, buf, len)); 4150 4151 case AUT_HEADER32_EX: 4152 return (fetch_header32_ex_tok(tok, buf, len)); 4153 4154 case AUT_HEADER64: 4155 return (fetch_header64_tok(tok, buf, len)); 4156 4157 case AUT_HEADER64_EX: 4158 return (fetch_header64_ex_tok(tok, buf, len)); 4159 4160 case AUT_TRAILER: 4161 return (fetch_trailer_tok(tok, buf, len)); 4162 4163 case AUT_ARG32: 4164 return (fetch_arg32_tok(tok, buf, len)); 4165 4166 case AUT_ARG64: 4167 return (fetch_arg64_tok(tok, buf, len)); 4168 4169 case AUT_ATTR32: 4170 return (fetch_attr32_tok(tok, buf, len)); 4171 4172 case AUT_ATTR64: 4173 return (fetch_attr64_tok(tok, buf, len)); 4174 4175 case AUT_EXIT: 4176 return (fetch_exit_tok(tok, buf, len)); 4177 4178 case AUT_EXEC_ARGS: 4179 return (fetch_execarg_tok(tok, buf, len)); 4180 4181 case AUT_EXEC_ENV: 4182 return (fetch_execenv_tok(tok, buf, len)); 4183 4184 case AUT_OTHER_FILE32: 4185 return (fetch_file_tok(tok, buf, len)); 4186 4187 case AUT_NEWGROUPS: 4188 return (fetch_newgroups_tok(tok, buf, len)); 4189 4190 case AUT_IN_ADDR: 4191 return (fetch_inaddr_tok(tok, buf, len)); 4192 4193 case AUT_IN_ADDR_EX: 4194 return (fetch_inaddr_ex_tok(tok, buf, len)); 4195 4196 case AUT_IP: 4197 return (fetch_ip_tok(tok, buf, len)); 4198 4199 case AUT_IPC: 4200 return (fetch_ipc_tok(tok, buf, len)); 4201 4202 case AUT_IPC_PERM: 4203 return (fetch_ipcperm_tok(tok, buf, len)); 4204 4205 case AUT_IPORT: 4206 return (fetch_iport_tok(tok, buf, len)); 4207 4208 case AUT_OPAQUE: 4209 return (fetch_opaque_tok(tok, buf, len)); 4210 4211 case AUT_PATH: 4212 return (fetch_path_tok(tok, buf, len)); 4213 4214 case AUT_PROCESS32: 4215 return (fetch_process32_tok(tok, buf, len)); 4216 4217 case AUT_PROCESS32_EX: 4218 return (fetch_process32ex_tok(tok, buf, len)); 4219 4220 case AUT_PROCESS64: 4221 return (fetch_process64_tok(tok, buf, len)); 4222 4223 case AUT_PROCESS64_EX: 4224 return (fetch_process64ex_tok(tok, buf, len)); 4225 4226 case AUT_RETURN32: 4227 return (fetch_return32_tok(tok, buf, len)); 4228 4229 case AUT_RETURN64: 4230 return (fetch_return64_tok(tok, buf, len)); 4231 4232 case AUT_SEQ: 4233 return (fetch_seq_tok(tok, buf, len)); 4234 4235 case AUT_SOCKET: 4236 return (fetch_socket_tok(tok, buf, len)); 4237 4238 case AUT_SOCKINET32: 4239 return (fetch_sock_inet32_tok(tok, buf, len)); 4240 4241 case AUT_SOCKUNIX: 4242 return (fetch_sock_unix_tok(tok, buf, len)); 4243 4244 case AUT_SOCKINET128: 4245 return (fetch_sock_inet128_tok(tok, buf, len)); 4246 4247 case AUT_SUBJECT32: 4248 return (fetch_subject32_tok(tok, buf, len)); 4249 4250 case AUT_SUBJECT32_EX: 4251 return (fetch_subject32ex_tok(tok, buf, len)); 4252 4253 case AUT_SUBJECT64: 4254 return (fetch_subject64_tok(tok, buf, len)); 4255 4256 case AUT_SUBJECT64_EX: 4257 return (fetch_subject64ex_tok(tok, buf, len)); 4258 4259 case AUT_TEXT: 4260 return (fetch_text_tok(tok, buf, len)); 4261 4262 case AUT_SOCKET_EX: 4263 return (fetch_socketex32_tok(tok, buf, len)); 4264 4265 case AUT_DATA: 4266 return (fetch_arb_tok(tok, buf, len)); 4267 4268 case AUT_ZONENAME: 4269 return (fetch_zonename_tok(tok, buf, len)); 4270 4271 case AUT_UPRIV: 4272 return (fetch_priv_tok(tok, buf, len)); 4273 4274 case AUT_PRIV: 4275 return (fetch_privset_tok(tok, buf, len)); 4276 4277 default: 4278 return (fetch_invalid_tok(tok, buf, len)); 4279 } 4280} 4281 4282void 4283au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags) 4284{ 4285 4286 switch(tok->id) { 4287 case AUT_HEADER32: 4288 print_header32_tok(outfp, tok, del, oflags); 4289 return; 4290 4291 case AUT_HEADER32_EX: 4292 print_header32_ex_tok(outfp, tok, del, oflags); 4293 return; 4294 4295 case AUT_HEADER64: 4296 print_header64_tok(outfp, tok, del, oflags); 4297 return; 4298 4299 case AUT_HEADER64_EX: 4300 print_header64_ex_tok(outfp, tok, del, oflags); 4301 return; 4302 4303 case AUT_TRAILER: 4304 print_trailer_tok(outfp, tok, del, oflags); 4305 return; 4306 4307 case AUT_ARG32: 4308 print_arg32_tok(outfp, tok, del, oflags); 4309 return; 4310 4311 case AUT_ARG64: 4312 print_arg64_tok(outfp, tok, del, oflags); 4313 return; 4314 4315 case AUT_DATA: 4316 print_arb_tok(outfp, tok, del, oflags); 4317 return; 4318 4319 case AUT_ATTR32: 4320 print_attr32_tok(outfp, tok, del, oflags); 4321 return; 4322 4323 case AUT_ATTR64: 4324 print_attr64_tok(outfp, tok, del, oflags); 4325 return; 4326 4327 case AUT_EXIT: 4328 print_exit_tok(outfp, tok, del, oflags); 4329 return; 4330 4331 case AUT_EXEC_ARGS: 4332 print_execarg_tok(outfp, tok, del, oflags); 4333 return; 4334 4335 case AUT_EXEC_ENV: 4336 print_execenv_tok(outfp, tok, del, oflags); 4337 return; 4338 4339 case AUT_OTHER_FILE32: 4340 print_file_tok(outfp, tok, del, oflags); 4341 return; 4342 4343 case AUT_NEWGROUPS: 4344 print_newgroups_tok(outfp, tok, del, oflags); 4345 return; 4346 4347 case AUT_IN_ADDR: 4348 print_inaddr_tok(outfp, tok, del, oflags); 4349 return; 4350 4351 case AUT_IN_ADDR_EX: 4352 print_inaddr_ex_tok(outfp, tok, del, oflags); 4353 return; 4354 4355 case AUT_IP: 4356 print_ip_tok(outfp, tok, del, oflags); 4357 return; 4358 4359 case AUT_IPC: 4360 print_ipc_tok(outfp, tok, del, oflags); 4361 return; 4362 4363 case AUT_IPC_PERM: 4364 print_ipcperm_tok(outfp, tok, del, oflags); 4365 return; 4366 4367 case AUT_IPORT: 4368 print_iport_tok(outfp, tok, del, oflags); 4369 return; 4370 4371 case AUT_OPAQUE: 4372 print_opaque_tok(outfp, tok, del, oflags); 4373 return; 4374 4375 case AUT_PATH: 4376 print_path_tok(outfp, tok, del, oflags); 4377 return; 4378 4379 case AUT_PROCESS32: 4380 print_process32_tok(outfp, tok, del, oflags); 4381 return; 4382 4383 case AUT_PROCESS32_EX: 4384 print_process32ex_tok(outfp, tok, del, oflags); 4385 return; 4386 4387 case AUT_PROCESS64: 4388 print_process64_tok(outfp, tok, del, oflags); 4389 return; 4390 4391 case AUT_PROCESS64_EX: 4392 print_process64ex_tok(outfp, tok, del, oflags); 4393 return; 4394 4395 case AUT_RETURN32: 4396 print_return32_tok(outfp, tok, del, oflags); 4397 return; 4398 4399 case AUT_RETURN64: 4400 print_return64_tok(outfp, tok, del, oflags); 4401 return; 4402 4403 case AUT_SEQ: 4404 print_seq_tok(outfp, tok, del, oflags); 4405 return; 4406 4407 case AUT_SOCKET: 4408 print_socket_tok(outfp, tok, del, oflags); 4409 return; 4410 4411 case AUT_SOCKINET32: 4412 print_sock_inet32_tok(outfp, tok, del, oflags); 4413 return; 4414 4415 case AUT_SOCKUNIX: 4416 print_sock_unix_tok(outfp, tok, del, oflags); 4417 return; 4418 4419 case AUT_SOCKINET128: 4420 print_sock_inet128_tok(outfp, tok, del, oflags); 4421 return; 4422 4423 case AUT_SUBJECT32: 4424 print_subject32_tok(outfp, tok, del, oflags); 4425 return; 4426 4427 case AUT_SUBJECT64: 4428 print_subject64_tok(outfp, tok, del, oflags); 4429 return; 4430 4431 case AUT_SUBJECT32_EX: 4432 print_subject32ex_tok(outfp, tok, del, oflags); 4433 return; 4434 4435 case AUT_SUBJECT64_EX: 4436 print_subject64ex_tok(outfp, tok, del, oflags); 4437 return; 4438 4439 case AUT_TEXT: 4440 print_text_tok(outfp, tok, del, oflags); 4441 return; 4442 4443 case AUT_SOCKET_EX: 4444 print_socketex32_tok(outfp, tok, del, oflags); 4445 return; 4446 4447 case AUT_ZONENAME: 4448 print_zonename_tok(outfp, tok, del, oflags); 4449 return; 4450 4451 case AUT_UPRIV: 4452 print_upriv_tok(outfp, tok, del, oflags); 4453 return; 4454 4455 case AUT_PRIV: 4456 print_privset_tok(outfp, tok, del, oflags); 4457 return; 4458 4459 default: 4460 print_invalid_tok(outfp, tok, del, oflags); 4461 } 4462} 4463 4464/* 4465 * 'prints' the token out to outfp. 4466 */ 4467void 4468au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4469{ 4470 int oflags = AU_OFLAG_NONE; 4471 4472 if (raw) 4473 oflags |= AU_OFLAG_RAW; 4474 if (sfrm) 4475 oflags |= AU_OFLAG_SHORT; 4476 4477 au_print_flags_tok(outfp, tok, del, oflags); 4478} 4479 4480/* 4481 * 'prints' the token out to outfp in XML format. 4482 */ 4483void 4484au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4485 char sfrm) 4486{ 4487 int oflags = AU_OFLAG_XML; 4488 4489 if (raw) 4490 oflags |= AU_OFLAG_RAW; 4491 if (sfrm) 4492 oflags |= AU_OFLAG_SHORT; 4493 4494 au_print_flags_tok(outfp, tok, del, oflags); 4495} 4496 4497/* 4498 * Read a record from the file pointer, store data in buf memory for buf is 4499 * also allocated in this function and has to be free'd outside this call. 4500 * 4501 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4502 * complete audit record. 4503 * 4504 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4505 * state, because it will be partly offset into a record. We should rewind 4506 * or do something more intelligent. Particularly interesting is the case 4507 * where we perform a partial read of a record from a non-blockable file 4508 * descriptor. We should return the partial read and continue...? 4509 */ 4510int 4511au_read_rec(FILE *fp, u_char **buf) 4512{ 4513 u_char *bptr; 4514 u_int32_t recsize; 4515 u_int32_t bytestoread; 4516 u_char type; 4517 4518 u_int32_t sec, msec; 4519 u_int16_t filenamelen; 4520 4521 type = fgetc(fp); 4522 4523 switch (type) { 4524 case AUT_HEADER32: 4525 case AUT_HEADER32_EX: 4526 case AUT_HEADER64: 4527 case AUT_HEADER64_EX: 4528 /* read the record size from the token */ 4529 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4530 sizeof(u_int32_t)) { 4531 errno = EINVAL; 4532 return (-1); 4533 } 4534 recsize = be32toh(recsize); 4535 4536 /* Check for recsize sanity */ 4537 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4538 errno = EINVAL; 4539 return (-1); 4540 } 4541 4542 *buf = calloc(recsize, sizeof(u_char)); 4543 if (*buf == NULL) 4544 return (-1); 4545 bptr = *buf; 4546 4547 /* store the token contents already read, back to the buffer*/ 4548 *bptr = type; 4549 bptr++; 4550 be32enc(bptr, recsize); 4551 bptr += sizeof(u_int32_t); 4552 4553 /* now read remaining record bytes */ 4554 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4555 4556 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4557 free(*buf); 4558 errno = EINVAL; 4559 return (-1); 4560 } 4561 break; 4562 4563 case AUT_OTHER_FILE32: 4564 /* 4565 * The file token is variable-length, as it includes a 4566 * pathname. As a result, we have to read incrementally 4567 * until we know the total length, then allocate space and 4568 * read the rest. 4569 */ 4570 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4571 errno = EINVAL; 4572 return (-1); 4573 } 4574 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4575 errno = EINVAL; 4576 return (-1); 4577 } 4578 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4579 sizeof(filenamelen)) { 4580 errno = EINVAL; 4581 return (-1); 4582 } 4583 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4584 sizeof(filenamelen) + ntohs(filenamelen); 4585 *buf = malloc(recsize); 4586 if (*buf == NULL) 4587 return (-1); 4588 bptr = *buf; 4589 4590 bcopy(&type, bptr, sizeof(type)); 4591 bptr += sizeof(type); 4592 bcopy(&sec, bptr, sizeof(sec)); 4593 bptr += sizeof(sec); 4594 bcopy(&msec, bptr, sizeof(msec)); 4595 bptr += sizeof(msec); 4596 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4597 bptr += sizeof(filenamelen); 4598 4599 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4600 ntohs(filenamelen)) { 4601 free(buf); 4602 errno = EINVAL; 4603 return (-1); 4604 } 4605 break; 4606 4607 default: 4608 errno = EINVAL; 4609 return (-1); 4610 } 4611 4612 return (recsize); 4613} 4614