/* * CDDL HEADER START * * The contents of this file are subject to the terms of the * Common Development and Distribution License, Version 1.0 only * (the "License"). You may not use this file except in compliance * with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. * See the License for the specific language governing permissions * and limitations under the License. * * When distributing Covered Code, include this CDDL HEADER in each * file and include the License file at usr/src/OPENSOLARIS.LICENSE. * If applicable, add the following below this CDDL HEADER, with the * fields enclosed by brackets "[]" replaced with your own identifying * information: Portions Copyright [yyyy] [name of copyright owner] * * CDDL HEADER END */ /* * Copyright 2003 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ #pragma ident "%Z%%M% %I% %E% SMI" #include <dirent.h> #include <locale.h> #include <libintl.h> #include <stdlib.h> #include <strings.h> #include <stdio.h> #include <unistd.h> #include <sys/types.h> #include <sys/file.h> #include <bsm/audit.h> #include <bsm/audit_record.h> #include <bsm/libbsm.h> #include "praudit.h" #include "toktable.h" extern void init_tokens(void); /* shared with auditreduce */ static int check_inputs(int flags, const char *separator); static void checkpoint_progress(pr_context_t *context); static int print_audit_common(pr_context_t *context, int flags, const char *separator); static int token_processing(pr_context_t *context); static int initdone = 0; /* * This source is shared outside of praudit; the following lint directive * is needed to suppress praudit lint warnings about unused functions, for * functions which are only invoked outside praudit. */ /*LINTLIBRARY*/ /* * ---------------------------------------------------------------------- * check_inputs() - check input flags and delimiter. * Returns: * 0 - successful * -1 - invalid inputs. errno is set to EINVAL * ---------------------------------------------------------------------- */ static int check_inputs(int flags, const char *separator) { if ((flags & PRF_RAWM) && (flags & PRF_SHORTM)) { errno = EINVAL; return (-1); } /* Ignore the delimiter when XML is specified */ if (!(flags & PRF_XMLM) && (strlen(separator) >= SEP_SIZE)) { errno = EINVAL; return (-1); } return (0); } /* * ---------------------------------------------------------------------- * print_audit_xml_prolog_buf() - print the XML prolog. * 0 - successful * -1 - output buffer too small. errno is set to ENOSPC * ---------------------------------------------------------------------- */ int print_audit_xml_prolog_buf(char *out_buf, const int out_buf_len) { if (xml_prolog_len > out_buf_len) { errno = ENOSPC; return (-1); } (void) snprintf(out_buf, out_buf_len, "%s%s%s%s", prolog1, prolog_xsl, prolog2, xml_start); return (0); } /* * ---------------------------------------------------------------------- * print_audit_xml_ending_buf() - print the XML ending. * 0 - successful * -1 - output buffer too small. errno is set to ENOSPC * ---------------------------------------------------------------------- */ int print_audit_xml_ending_buf(char *out_buf, const int out_buf_len) { if (xml_end_len > out_buf_len) { errno = ENOSPC; return (-1); } (void) snprintf(out_buf, out_buf_len, "%s", xml_ending); return (0); } /* * ---------------------------------------------------------------------- * print_prolog() - print the XML prolog. * ---------------------------------------------------------------------- */ void print_audit_xml_prolog(void) { (void) printf("%s%s%s%s", prolog1, prolog_xsl, prolog2, xml_start); } /* * ---------------------------------------------------------------------- * print_ending() - print the XML ending. * ---------------------------------------------------------------------- */ void print_audit_xml_ending(void) { (void) printf("%s", xml_ending); } /* * ---------------------------------------------------------------------- * checkpoint_progress() - If starting a new file or header token, * checkpoint as needed to mark progress. * ---------------------------------------------------------------------- */ static void checkpoint_progress(pr_context_t *context) { int tokenid = context->tokenid; if (is_file_token(tokenid) || is_header_token(tokenid)) { if (context->data_mode == BUFMODE) { context->inbuf_last = context->audit_adr->adr_now - 1; context->outbuf_last = context->outbuf_p; } context->audit_rec_start = context->audit_adr->adr_now - 1; if (is_file_token(tokenid)) { context->audit_rec_len = 11; } } } /* * ---------------------------------------------------------------------- * print_audit_buf() - display contents of audit trail file * * Parses the binary audit data from the specified input * buffer, and formats as requested to the specified output * buffer. * * inputs: * in_buf, - address and length of binary audit input. * in_buf_len * out_buf, - address and length of output buffer to * out_buf_len copy formatted audit data to. * flags - formatting flags as defined in praudit.h * separator - field delimiter (or NULL if the default * delimiter of comma is to be used). * * return codes: 0 - success * ENOSPC... * ---------------------------------------------------------------------- */ int print_audit_buf(char **in_buf, int *in_buf_len, char **out_buf, int *out_buf_len, const int flags, const char *separator) { int retstat = 0; pr_context_t *context; if ((retstat = check_inputs(flags, separator)) != 0) return (retstat); if ((context = (pr_context_t *)malloc(sizeof (pr_context_t))) == NULL) { errno = EPERM; return (-1); } /* Init internal pointers and lengths... */ context->data_mode = BUFMODE; context->inbuf_last = context->inbuf_start = *in_buf; context->inbuf_totalsize = *in_buf_len; context->pending_flag = 0; context->current_rec = 0; context->outbuf_last = context->outbuf_start = context->outbuf_p = *out_buf; context->outbuf_remain_len = *out_buf_len; /* * get an adr pointer to the audit input buf */ context->audit_adr = (adr_t *)malloc(sizeof (adr_t)); (void) adrm_start(context->audit_adr, *in_buf); context->audit_rec_start = NULL; context->audit_rec_len = 0; retstat = print_audit_common(context, flags, separator); /* Check for and handle partial results as needed */ if (retstat != 0) { *in_buf = context->inbuf_last; *in_buf_len = context->inbuf_totalsize - (context->inbuf_last - context->inbuf_start); /* Return size of output */ *out_buf_len = context->outbuf_last - context->outbuf_start; if (*out_buf_len > 0) { /* null-terminate the output */ *(context->outbuf_last) = '\0'; *out_buf_len = *out_buf_len + 1; } } else { /* Return size of output */ *out_buf_len = context->outbuf_p - context->outbuf_start + 1; *(context->outbuf_p) = '\0'; /* null-terminate the output */ } (void) free(context->audit_adr); (void) free(context); return (retstat); } /* * ---------------------------------------------------------------------- * print_audit() - display contents of audit trail file * * Parses the binary audit data from the file mapped as stdin, * and formats as requested to file mapped as stdout. * inputs: * flags - formatting flags as defined in praudit.h * separator - field delimiter (or NULL if the default * delimiter of comma is to be used). * * return codes: -1 - error * 0 - successful * ---------------------------------------------------------------------- */ int print_audit(const int flags, const char *separator) { int retstat = 0; pr_context_t *context; if ((retstat = check_inputs(flags, separator)) != 0) return (retstat); if ((context = (pr_context_t *)malloc(sizeof (pr_context_t))) == NULL) { errno = EPERM; return (-1); } /* * get an adr pointer to the current audit file (stdin) */ context->audit_adr = malloc(sizeof (adr_t)); context->audit_adrf = malloc(sizeof (adrf_t)); adrf_start(context->audit_adrf, context->audit_adr, stdin); context->data_mode = FILEMODE; context->audit_rec_start = NULL; context->audit_rec_len = 0; context->pending_flag = 0; context->current_rec = 0; retstat = print_audit_common(context, flags, separator); (void) free(context->audit_adr); (void) free(context->audit_adrf); (void) free(context); return (retstat); } /* * ---------------------------------------------------------------------- * print_audit_common() - common routine for print_audit* functions. * * Parses the binary audit data, and formats as requested. * The context parameter defines whether the source of the * audit data is a buffer, or a file mapped to stdin, and * whether the output is to a buffer or a file mapped to * stdout. * * inputs: * context - defines the context of the request, including * info about the source and output. * flags - formatting flags as defined in praudit.h * separator - field delimiter (or NULL if the default * delimiter of comma is to be used). * * return codes: -1 - error * 0 - successful * ---------------------------------------------------------------------- */ static int print_audit_common(pr_context_t *context, const int flags, const char *separator) { int retstat = 0; if (!initdone) { init_tokens(); initdone++; } context->format = flags; /* start with default delimiter of comma */ (void) strlcpy(context->SEPARATOR, ",", SEP_SIZE); if (separator != NULL) { if (strlen(separator) < SEP_SIZE) { (void) strlcpy(context->SEPARATOR, separator, SEP_SIZE); } } while ((retstat == 0) && pr_input_remaining(context, 1)) { if (pr_adr_char(context, (char *)&(context->tokenid), 1) == 0) { retstat = token_processing(context); } else break; } /* * For buffer processing, if the entire input buffer was processed * successfully, but the last record in the buffer was incomplete * (according to the length from its header), then reflect an * "incomplete input" error (which will cause partial results to be * returned). */ if ((context->data_mode == BUFMODE) && (retstat == 0) && (context->audit_adr->adr_now < (context->audit_rec_start + context->audit_rec_len))) { retstat = -1; errno = EIO; } /* * If there was a last record that didn't get officially closed * off, do it now. */ if ((retstat == 0) && (context->format & PRF_XMLM) && (context->current_rec)) { retstat = do_newline(context, 1); if (retstat == 0) retstat = close_tag(context, context->current_rec); } return (retstat); } /* * ----------------------------------------------------------------------- * token_processing: * Calls the routine corresponding to the token id * passed in the parameter from the token table, tokentable * return codes : -1 - error * : 0 - successful * ----------------------------------------------------------------------- */ static int token_processing(pr_context_t *context) { uval_t uval; int retstat; int tokenid = context->tokenid; if ((tokenid > 0) && (tokenid <= MAXTOKEN) && (tokentable[tokenid].func != NOFUNC)) { /* * First check if there's a previous record that needs to be * closed off now; then checkpoint our progress as needed. */ if ((retstat = check_close_rec(context, tokenid)) != 0) return (retstat); checkpoint_progress(context); /* print token name */ if (context->format & PRF_XMLM) { retstat = open_tag(context, tokenid); } else { if (!(context->format & PRF_RAWM) && (tokentable[tokenid].t_name != (char *)0)) { uval.uvaltype = PRA_STRING; uval.string_val = gettext(tokentable[tokenid].t_name); } else { uval.uvaltype = PRA_BYTE; uval.char_val = tokenid; } retstat = pa_print(context, &uval, 0); } if (retstat == 0) retstat = (*tokentable[tokenid].func)(context); /* * For XML, close the token tag. Header tokens wrap the * entire record, so they only get closed later implicitly; * here, just make sure the header open tag gets finished. */ if ((retstat == 0) && (context->format & PRF_XMLM)) { if (!is_header_token(tokenid)) retstat = close_tag(context, tokenid); else retstat = finish_open_tag(context); } return (retstat); } /* here if token id is not in table */ (void) fprintf(stderr, gettext("praudit: No code associated with " "token id %d\n"), tokenid); return (0); }