xref: /titanic_52/usr/src/cmd/auditreduce/main.c (revision 77e01d41d44b2e8d121c8ab6f07828f307c1a1c3)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 
22 /*
23  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 /*
28  * The Secure SunOS audit reduction tool - auditreduce.
29  * Document SM0071 is the primary source of information on auditreduce.
30  *
31  * Composed of 4 source modules:
32  * main.c - main driver.
33  * option.c - command line option processing.
34  * process.c - record/file/process functions.
35  * time.c - date/time handling.
36  *
37  * Main(), write_header(), audit_stats(), and a_calloc()
38  * are the only functions visible outside this module.
39  */
40 
41 #include <siginfo.h>
42 #include <locale.h>
43 #include <libintl.h>
44 #include "auditr.h"
45 #include "auditrd.h"
46 
47 #if !defined(TEXT_DOMAIN)
48 #define	TEXT_DOMAIN "SUNW_OST_OSCMD"
49 #endif
50 
51 extern void	derive_str(time_t, char *);
52 extern int	process_options(int, char **);
53 extern int	mproc(audit_pcb_t *);
54 extern void	init_tokens(void);	/* shared with praudit */
55 
56 static int	a_pow(int, int);
57 static void	calc_procs(void);
58 static void	chld_handler(int);
59 static int	close_outfile(void);
60 static void	c_close(audit_pcb_t *, int);
61 static void	delete_infiles(void);
62 static void	gather_pcb(audit_pcb_t *, int, int);
63 static void	init_options(void);
64 static int	init_sig(void);
65 static void	int_handler(int);
66 static int	mfork(audit_pcb_t *, int, int, int);
67 static void	mcount(int, int);
68 static int	open_outfile(void);
69 static void	p_close(audit_pcb_t *);
70 static int	rename_outfile(void);
71 static void	rm_mem(audit_pcb_t *);
72 static void	rm_outfile(void);
73 static void	trim_mem(audit_pcb_t *);
74 static int	write_file_token(time_t);
75 static int	write_trailer(void);
76 
77 /*
78  * File globals.
79  */
80 static int	max_sproc;	/* maximum number of subprocesses per process */
81 static int	total_procs;	/* number of processes in the process tree */
82 static int	total_layers;	/* number of layers in the process tree */
83 
84 /*
85  * .func main - main.
86  * .desc The beginning. Main() calls each of the initialization routines
87  *	and then allocates the root pcb. Then it calls mfork() to get
88  *	the work done.
89  * .call	main(argc, argv).
90  * .arg	argc	- number of arguments.
91  * .arg	argv	- array of pointers to arguments.
92  * .ret	0	- via exit() - no errors detected.
93  * .ret	1	- via exit() - errors detected (messages printed).
94  */
95 int
96 main(int argc, char **argv)
97 {
98 	int	ret;
99 	audit_pcb_t *pcb;
100 
101 	/* Internationalization */
102 	(void) setlocale(LC_ALL, "");
103 	(void) textdomain(TEXT_DOMAIN);
104 
105 	root_pid = getpid();	/* know who is root process for error */
106 	init_options();		/* initialize options */
107 	init_tokens();		/* initialize token processing table */
108 	if (init_sig())		/* initialize signals */
109 		exit(1);
110 	if (process_options(argc, argv))
111 		exit(1);	/* process command line options */
112 	if (open_outfile())	/* setup root process output stream */
113 		exit(1);
114 	calc_procs();		/* see how many subprocesses we need */
115 	/*
116 	 * Allocate the root pcb and set it up.
117 	 */
118 	pcb = (audit_pcb_t *)a_calloc(1, sizeof (audit_pcb_t));
119 	pcb->pcb_procno = root_pid;
120 	pcb->pcb_flags |= PF_ROOT;
121 	pcb->pcb_fpw = stdout;
122 	pcb->pcb_time = -1;
123 	/*
124 	 * Now start the whole thing rolling.
125 	 */
126 	if (mfork(pcb, pcbnum, 0, pcbnum - 1)) {
127 		/*
128 		 * Error in processing somewhere. A message is already printed.
129 		 * Display usage statistics and remove the outfile.
130 		 */
131 		if (getpid() == root_pid) {
132 			audit_stats();
133 			(void) close_outfile();
134 			rm_outfile();
135 		}
136 		exit(1);
137 	}
138 	/*
139 	 * Clean up afterwards.
140 	 * Only do outfile cleanup if we are root process.
141 	 */
142 	if (getpid() == root_pid) {
143 		if ((ret = write_trailer()) == 0) { /* write trailer to file */
144 
145 			ret = close_outfile();	/* close the outfile */
146 		}
147 		/*
148 		 * If there was an error in cleanup then remove outfile.
149 		 */
150 		if (ret) {
151 			rm_outfile();
152 			exit(1);
153 		}
154 		/*
155 		 * And lastly delete the infiles if the user so wishes.
156 		 */
157 		if (f_delete)
158 			delete_infiles();
159 	}
160 	return (0);
161 /*NOTREACHED*/
162 }
163 
164 
165 /*
166  * .func mfork - main fork routine.
167  * .desc Create a (sub-)tree of processses if needed, or just do the work
168  *	if we have few enough groups to process. This is a recursive routine
169  *	which stops recursing when the number of files to process is small
170  *	enough. Each call to mfork() is responsible for a range of pcbs
171  *	from audit_pcbs[]. This range is designated by the lo and hi
172  *	arguments (inclusive). If the number of pcbs is small enough
173  *	then we have hit a leaf of the tree and mproc() is called to
174  *	do the processing. Otherwise we fork some processes and break
175  *	the range of pcbs up amongst them.
176  * .call	ret = mfork(pcb, nsp, lo, hi).
177  * .arg	pcb	- ptr to pcb that is root node of the to-be-created tree.
178  * .arg	nsp	- number of sub-processes this tree must process.
179  * .arg	lo	- lower-limit of process number range. Index into audit_pcbs.
180  * .arg	hi	- higher limit of pcb range. Index into audit_pcbs.
181  * .ret	0	- succesful completion.
182  * .ret	-1	- error encountered in processing - message already printed.
183  */
184 static int
185 mfork(audit_pcb_t *pcb, int nsp, int lo, int hi)
186 {
187 	int	range, procno, i, tofork, nnsp, nrem;
188 	int	fildes[2];
189 	audit_pcb_t *pcbn;
190 
191 #if AUDIT_PROC_TRACE
192 	(void) fprintf(stderr, "mfork: nsp %d %d->%d\n", nsp, lo, hi);
193 #endif
194 
195 	/*
196 	 * The range of pcb's to process is small enough now. Do the work.
197 	 */
198 	if (nsp <= max_sproc) {
199 		pcb->pcb_flags |= PF_LEAF;	/* leaf in process tree */
200 		pcb->pcb_below = audit_pcbs;	/* proc pcbs from audit_pcbs */
201 		gather_pcb(pcb, lo, hi);
202 		trim_mem(pcb);			/* trim allocated memory */
203 		return (mproc(pcb));		/* do the work */
204 	}
205 	/*
206 	 * Too many pcb's for one process - must fork.
207 	 * Try to balance the tree as it grows and make it short and fat.
208 	 * The thing to minimize is the number of times a record passes
209 	 * through a pipe.
210 	 */
211 	else {
212 		/*
213 		 * Fork less than the maximum number of processes.
214 		 */
215 		if (nsp <= max_sproc * (max_sproc - 1)) {
216 			tofork = nsp / max_sproc;
217 			if (nsp % max_sproc)
218 				tofork++;	/* how many to fork */
219 		}
220 		/*
221 		 * Fork the maximum number of processes.
222 		 */
223 		else {
224 			tofork = max_sproc;	/* how many to fork */
225 		}
226 		/*
227 		 * Allocate the nodes below us in the process tree.
228 		 */
229 		pcb->pcb_below = (audit_pcb_t *)
230 			a_calloc(tofork, sizeof (*pcb));
231 		nnsp = nsp / tofork;	/* # of pcbs per forked process */
232 		nrem = nsp % tofork;	/* remainder to spread around */
233 		/*
234 		 * Loop to fork all of the subs. Open a pipe for each.
235 		 * If there are any errors in pipes, forks, or getting streams
236 		 * for the pipes then quit altogether.
237 		 */
238 		for (i = 0; i < tofork; i++) {
239 			pcbn = &pcb->pcb_below[i];
240 			pcbn->pcb_time = -1;
241 			if (pipe(fildes)) {
242 				perror(gettext(
243 					"auditreduce: couldn't get a pipe"));
244 				return (-1);
245 			}
246 			/*
247 			 * Convert descriptors to streams.
248 			 */
249 			if ((pcbn->pcb_fpr = fdopen(fildes[0], "r")) == NULL) {
250 	perror(gettext("auditreduce: couldn't get read stream for pipe"));
251 				return (-1);
252 			}
253 			if ((pcbn->pcb_fpw = fdopen(fildes[1], "w")) == NULL) {
254 	perror(gettext("auditreduce: couldn't get write stream for pipe"));
255 				return (-1);
256 			}
257 			if ((procno = fork()) == -1) {
258 				perror(gettext("auditreduce: fork failed"));
259 				return (-1);
260 			}
261 			/*
262 			 * Calculate the range of pcbs from audit_pcbs [] this
263 			 * branch of the tree will be responsible for.
264 			 */
265 			range = (nrem > 0) ? nnsp + 1 : nnsp;
266 			/*
267 			 * Child route.
268 			 */
269 			if (procno == 0) {
270 				pcbn->pcb_procno = getpid();
271 				c_close(pcb, i); /* close unused streams */
272 				/*
273 				 * Continue resolving this branch.
274 				 */
275 				return (mfork(pcbn, range, lo, lo + range - 1));
276 			}
277 			/* Parent route. */
278 			else {
279 				pcbn->pcb_procno = i;
280 				/* allocate buffer to hold record */
281 				pcbn->pcb_rec = (char *)a_calloc(1,
282 				    AUDITBUFSIZE);
283 				pcbn->pcb_size = AUDITBUFSIZE;
284 				p_close(pcbn);	/* close unused streams */
285 
286 				nrem--;
287 				lo += range;
288 			}
289 		}
290 		/*
291 		 * Done forking all of the subs.
292 		 */
293 		gather_pcb(pcb, 0, tofork - 1);
294 		trim_mem(pcb);			/* free unused memory */
295 		return (mproc(pcb));
296 	}
297 }
298 
299 
300 /*
301  * .func	trim_mem - trim memory usage.
302  * .desc	Free un-needed allocated memory.
303  * .call	trim_mem(pcb).
304  * .arg	pcb	- ptr to pcb for current process.
305  * .ret	void.
306  */
307 static void
308 trim_mem(audit_pcb_t *pcb)
309 {
310 	int	count;
311 	size_t	size;
312 
313 	/*
314 	 * For the root don't free anything. We need to save audit_pcbs[]
315 	 * in case we are deleting the infiles at the end.
316 	 */
317 	if (pcb->pcb_flags & PF_ROOT)
318 		return;
319 	/*
320 	 * For a leaf save its part of audit_pcbs[] and then remove it all.
321 	 */
322 	if (pcb->pcb_flags & PF_LEAF) {
323 		count = pcb->pcb_count;
324 		size = sizeof (audit_pcb_t);
325 		/* allocate a new buffer to hold the pcbs */
326 		pcb->pcb_below = (audit_pcb_t *)a_calloc(count, size);
327 		/* save this pcb's portion */
328 		(void) memcpy((void *) pcb->pcb_below,
329 		    (void *) &audit_pcbs[pcb->pcb_lo], count * size);
330 		rm_mem(pcb);
331 		gather_pcb(pcb, 0, count - 1);
332 	}
333 		/*
334 		 * If this is an intermediate node then just remove it all.
335 		 */
336 	else {
337 		rm_mem(pcb);
338 	}
339 }
340 
341 
342 /*
343  * .func	rm_mem - remove memory.
344  * .desc	Remove unused memory associated with audit_pcbs[]. For each
345  *	pcb in audit_pcbs[] free the record buffer and all of
346  *	the fcbs. Then free audit_pcbs[].
347  * .call	rm_mem(pcbr).
348  * .arg	pcbr	- ptr to pcb of current process.
349  * .ret	void.
350  */
351 static void
352 rm_mem(audit_pcb_t *pcbr)
353 {
354 	int	i;
355 	audit_pcb_t *pcb;
356 	audit_fcb_t *fcb, *fcbn;
357 
358 	for (i = 0; i < pcbsize; i++) {
359 		/*
360 		 * Don't free the record buffer and fcbs for the pcbs this
361 		 * process is using.
362 		 */
363 		if (pcbr->pcb_flags & PF_LEAF) {
364 			if (pcbr->pcb_lo <= i || i <= pcbr->pcb_hi)
365 				continue;
366 		}
367 		pcb = &audit_pcbs[i];
368 		free(pcb->pcb_rec);
369 		for (fcb = pcb->pcb_first; fcb != NULL; /* */) {
370 			fcbn = fcb->fcb_next;
371 			free((char *)fcb);
372 			fcb = fcbn;
373 		}
374 	}
375 	free((char *)audit_pcbs);
376 }
377 
378 
379 /*
380  * .func	c_close - close unused streams.
381  * .desc	This is called for each child process just after being born.
382  *	The child closes the read stream for the pipe to its parent.
383  *	It also closes the read streams for the other children that
384  *	have been born before it. If any closes fail a warning message
385  *	is printed, but processing continues.
386  * .call	ret = c_close(pcb, i).
387  * .arg	pcb	- ptr to the child's parent pcb.
388  * .arg	i	- iteration # of child in forking loop.
389  * .ret	void.
390  */
391 static void
392 c_close(audit_pcb_t *pcb, int	i)
393 {
394 	int	j;
395 	audit_pcb_t *pcbt;
396 
397 	/*
398 	 * Do all pcbs in parent's group up to and including us
399 	 */
400 	for (j = 0; j <= i; j++) {
401 		pcbt = &pcb->pcb_below[j];
402 		if (fclose(pcbt->pcb_fpr) == EOF) {
403 			if (!f_quiet)
404 		perror(gettext("auditreduce: initial close on pipe failed"));
405 		}
406 		/*
407 		 * Free the buffer allocated to hold incoming records.
408 		 */
409 		if (i != j) {
410 			free(pcbt->pcb_rec);
411 		}
412 	}
413 }
414 
415 
416 /*
417  * .func	p_close - close unused streams for parent.
418  * .desc	Called by the parent right after forking a child.
419  *	Closes the write stream on the pipe to the child since
420  *	we will never use it.
421  * .call	p_close(pcbn),
422  * .arg	pcbn	- ptr to pcb.
423  * .ret	void.
424  */
425 static void
426 p_close(audit_pcb_t *pcbn)
427 {
428 	if (fclose(pcbn->pcb_fpw) == EOF) {
429 		if (!f_quiet)
430 		perror(gettext("auditreduce: close for write pipe failed"));
431 	}
432 }
433 
434 
435 /*
436  * .func	audit_stats - print statistics.
437  * .desc	Print usage statistics for the user if the run fails.
438  *	Tells them how many files they had and how many groups this
439  *	totalled. Also tell them how many layers and processes the
440  *	process tree had.
441  * .call	audit_stats().
442  * .arg	none.
443  * .ret	void.
444  */
445 void
446 audit_stats(void)
447 {
448 	struct rlimit rl;
449 
450 	if (getrlimit(RLIMIT_NOFILE, &rl) != -1)
451 		(void) fprintf(stderr,
452 		    gettext("%s The system allows %d files per process.\n"),
453 		    ar, rl.rlim_cur);
454 	(void) fprintf(stderr, gettext(
455 "%s There were %d file(s) %d file group(s) %d process(es) %d layer(s).\n"),
456 		ar, filenum, pcbnum, total_procs, total_layers);
457 }
458 
459 
460 /*
461  * .func gather_pcb - gather pcbs.
462  * .desc Gather together the range of the sub-processes that we are
463  *	responsible for. For a pcb that controls processes this is all
464  *	of the sub-processes that it forks. For a pcb that controls
465  *	files this is the the range of pcbs from audit_pcbs[].
466  * .call gather_pcb(pcb, lo, hi).
467  * .arg	pcb	- ptr to pcb.
468  * .arg	lo	- lo index into pcb_below.
469  * .arg	hi	- hi index into pcb_below.
470  * .ret	void.
471  */
472 static void
473 gather_pcb(audit_pcb_t *pcb, int lo, int hi)
474 {
475 	pcb->pcb_lo = lo;
476 	pcb->pcb_hi = hi;
477 	pcb->pcb_count = hi - lo + 1;
478 }
479 
480 
481 /*
482  * .func calc_procs - calculate process parameters.
483  * .desc Calculate the current run's paramters regarding how many
484  *	processes will have to be forked (maybe none).
485  *	5 is subtracted from maxfiles_proc to allow for stdin, stdout,
486  *	stderr, and the pipe to a parent process. The outfile
487  *	in the root process is assigned to stdout. The unused half of each
488  *	pipe is closed, to allow for more connections, but we still
489  *	have to have the 5th spot because in order to get the pipe
490  *	we need 2 descriptors up front.
491  * .call calc_procs().
492  * .arg	none.
493  * .ret	void.
494  */
495 static void
496 calc_procs(void)
497 {
498 	int	val;
499 	int	maxfiles_proc;
500 	struct rlimit rl;
501 
502 	if (getrlimit(RLIMIT_NOFILE, &rl) == -1) {
503 		perror("auditreduce: getrlimit");
504 		exit(1);
505 	}
506 
507 	maxfiles_proc = rl.rlim_cur;
508 
509 	max_sproc = maxfiles_proc - 5;	/* max subprocesses per process */
510 
511 	/*
512 	 * Calculate how many layers the process tree has.
513 	 */
514 	total_layers = 1;
515 	for (/* */; /* */; /* */) {
516 		val = a_pow(max_sproc, total_layers);
517 		if (val > pcbnum)
518 			break;
519 		total_layers++;
520 	}
521 	/*
522 	 * Count how many processes are in the process tree.
523 	 */
524 	mcount(pcbnum, 0);
525 
526 #if AUDIT_PROC_TRACE
527 	(void) fprintf(stderr,
528 	    "pcbnum %d filenum %d mfp %d msp %d ly %d tot %d\n\n",
529 	    pcbnum, filenum, maxfiles_proc, max_sproc,
530 	    total_layers, total_procs);
531 #endif
532 }
533 
534 
535 static int
536 a_pow(int base, int exp)
537 {
538 	int	i;
539 	int	answer;
540 
541 	if (exp == 0) {
542 		answer = 1;
543 	} else {
544 		answer = base;
545 		for (i = 0; i < (exp - 1); i++)
546 			answer *= base;
547 	}
548 	return (answer);
549 }
550 
551 
552 /*
553  * .func mcount - main count.
554  * .desc Go through the motions of building the process tree just
555  *	to count how many processes there are. Don't really
556  *	build anything. Answer is in global var total_procs.
557  * .call mcount(nsp, lo).
558  * .arg	nsp	- number of subs for this tree branch.
559  * .arg	lo	- lo side of range of subs.
560  * .ret	void.
561  */
562 static void
563 mcount(int nsp, int lo)
564 {
565 	int	range, i, tofork, nnsp, nrem;
566 
567 	total_procs++;		/* count another process created */
568 
569 	if (nsp > max_sproc) {
570 		if (nsp <= max_sproc * (max_sproc - 1)) {
571 			tofork = nsp / max_sproc;
572 			if (nsp % max_sproc)
573 				tofork++;
574 		} else {
575 			tofork = max_sproc;
576 		}
577 		nnsp = nsp / tofork;
578 		nrem = nsp % tofork;
579 		for (i = 0; i < tofork; i++) {
580 			range = (nrem > 0) ? nnsp + 1 : nnsp;
581 			mcount(range, lo);
582 			nrem--;
583 			lo += range;
584 		}
585 	}
586 }
587 
588 
589 /*
590  * .func delete_infiles - delete the input files.
591  * .desc If the user asked us to (via 'D' flag) then unlink the input files.
592  * .call ret = delete_infiles().
593  * .arg none.
594  * .ret void.
595  */
596 static void
597 delete_infiles(void)
598 {
599 	int	i;
600 	audit_pcb_t *pcb;
601 	audit_fcb_t *fcb;
602 
603 	for (i = 0; i < pcbsize; i++) {
604 		pcb = &audit_pcbs[i];
605 		fcb = pcb->pcb_dfirst;
606 		while (fcb != NULL) {
607 			/*
608 			 * Only delete a file if it was succesfully processed.
609 			 * If there were any read errors or bad records
610 			 * then don't delete it.
611 			 * There may still be unprocessed records in it.
612 			 */
613 			if (fcb->fcb_flags & FF_DELETE) {
614 				if (unlink(fcb->fcb_file)) {
615 					if (f_verbose) {
616 						(void) sprintf(errbuf, gettext(
617 						"%s delete on %s failed"),
618 						ar, fcb->fcb_file);
619 					}
620 					perror(errbuf);
621 				}
622 			}
623 			fcb = fcb->fcb_next;
624 		}
625 	}
626 }
627 
628 
629 /*
630  * .func rm_outfile - remove the outfile.
631  * .desc Remove the file we are writing the records to. We do this if
632  *	processing failed and we are quitting before finishing.
633  *	Update - don't actually remove the outfile, but generate
634  *	a warning about its possible heathen nature.
635  * .call ret = rm_outfile().
636  * .arg	none.
637  * .ret	void.
638  */
639 static void
640 rm_outfile(void)
641 {
642 #if 0
643 	if (f_outfile) {
644 		if (unlink(f_outtemp) == -1) {
645 			(void) sprintf(errbuf,
646 				gettext("%s delete on %s failed"),
647 				ar, f_outtemp);
648 			perror(errbuf);
649 		}
650 	}
651 #else
652 	(void) fprintf(stderr,
653 gettext("%s Warning: Incomplete audit file may have been generated - %s\n"),
654 		ar,
655 		(f_outfile == NULL) ? gettext("standard output") : f_outfile);
656 #endif
657 }
658 
659 
660 /*
661  * .func	close_outfile - close the outfile.
662  * .desc	Close the file we are writing records to.
663  * .call	ret = close_outfile().
664  * .arg	none.
665  * .ret	0	- close was succesful.
666  * .ret	-1	- close failed.
667  */
668 static int
669 close_outfile(void)
670 {
671 	if (fclose(stdout) == EOF) {
672 		(void) sprintf(errbuf, gettext("%s close on %s failed"),
673 		    ar, f_outfile ? f_outfile : "standard output");
674 		perror(errbuf);
675 		return (-1);
676 	}
677 	(void) fsync(fileno(stdout));
678 	return (rename_outfile());
679 }
680 
681 
682 /*
683  * .func write_header - write audit file header.
684  * .desc Write an audit file header to the output stream. The time in the
685  *	header is the time of the first record written to the stream. This
686  *	routine is called by the process handling the root node of the
687  *	process tree just before it writes the first record to the output
688  *	stream.
689  * .ret	0 - succesful write.
690  * .ret -1 - failed write - message printed.
691  */
692 int
693 write_header(void)
694 {
695 	return (write_file_token(f_start));
696 }
697 
698 
699 static int
700 write_file_token(time_t when)
701 {
702 	adr_t adr;			/* adr ptr */
703 	struct timeval tv;		/* time now */
704 	char	for_adr[16];		/* plenty of room */
705 #ifdef _LP64
706 	char	token_id = AUT_OTHER_FILE64;
707 #else
708 	char	token_id = AUT_OTHER_FILE32;
709 #endif
710 	short	i = 1;
711 	char	c = '\0';
712 
713 	tv.tv_sec = when;
714 	tv.tv_usec = 0;
715 	adr_start(&adr, for_adr);
716 	adr_char(&adr, &token_id, 1);
717 #ifdef _LP64
718 	adr_int64(&adr, (int64_t *)&tv, 2);
719 #else
720 	adr_int32(&adr, (int32_t *)&tv, 2);
721 #endif
722 	adr_short(&adr, &i, 1);
723 	adr_char(&adr, &c, 1);
724 
725 	if (fwrite(for_adr, sizeof (char), adr_count(&adr), stdout) !=
726 	    adr_count(&adr)) {
727 		if (when == f_start) {
728 			(void) sprintf(errbuf,
729 				gettext("%s error writing header to %s. "),
730 				ar,
731 				f_outfile ? f_outfile :
732 					gettext("standard output"));
733 		} else {
734 			(void) sprintf(errbuf,
735 				gettext("%s error writing trailer to %s. "),
736 				ar,
737 				f_outfile ? f_outfile :
738 					gettext("standard output"));
739 		}
740 		perror(errbuf);
741 		return (-1);
742 	}
743 	return (0);
744 }
745 
746 
747 /*
748  * .func  write_trailer - write audit file trailer.
749  * .desc  Write an audit file trailer to the output stream. The finish
750  *	time for the trailer is the time of the last record written
751  *	to the stream.
752  * .ret	0 - succesful write.
753  * .ret	-1 - failed write - message printed.
754  */
755 static int
756 write_trailer(void)
757 {
758 	return (write_file_token(f_end));
759 }
760 
761 
762 /*
763  * .func rename_outfile - rename the outfile.
764  * .desc If the user used the -O flag they only gave us the suffix name
765  *	for the outfile. We have to add the time stamps to put the filename
766  *	in the proper audit file name format. The start time will be the time
767  *	of the first record in the file and the end time will be the time of
768  *	the last record in the file.
769  * .ret	0 - rename succesful.
770  * .ret	-1 - rename failed - message printed.
771  */
772 static int
773 rename_outfile(void)
774 {
775 	char	f_newfile[MAXFILELEN];
776 	char	buf1[15], buf2[15];
777 	char	*f_file, *f_nfile, *f_time, *f_name;
778 
779 	if (f_outfile != NULL) {
780 		/*
781 		 * Get string representations of start and end times.
782 		 */
783 		derive_str(f_start, buf1);
784 		derive_str(f_end, buf2);
785 
786 		f_nfile = f_time = f_newfile;	/* working copy */
787 		f_file = f_name = f_outfile;	/* their version */
788 		while (*f_file) {
789 			if (*f_file == '/') {	/* look for filename */
790 				f_time = f_nfile + 1;
791 				f_name = f_file + 1;
792 			}
793 			*f_nfile++ = *f_file++;	/* make copy of their version */
794 		}
795 		*f_time = '\0';
796 		/* start time goes first */
797 		(void) strcat(f_newfile, buf1);
798 		(void) strcat(f_newfile, ".");
799 		/* then the finish time */
800 		(void) strcat(f_newfile, buf2);
801 		(void) strcat(f_newfile, ".");
802 		/* and the name they gave us */
803 		(void) strcat(f_newfile, f_name);
804 
805 #if AUDIT_FILE
806 		(void) fprintf(stderr, "rename_outfile: <%s> --> <%s>\n",
807 			f_outfile, f_newfile);
808 #endif
809 
810 #if AUDIT_RENAME
811 		if (rename(f_outtemp, f_newfile) == -1) {
812 			(void) fprintf(stderr,
813 			    "%s rename of %s to %s failed.\n",
814 			    ar, f_outtemp, f_newfile);
815 			return (-1);
816 		}
817 		f_outfile = f_newfile;
818 #else
819 		if (rename(f_outtemp, f_outfile) == -1) {
820 			(void) fprintf(stderr,
821 			    gettext("%s rename of %s to %s failed.\n"),
822 			    ar, f_outtemp, f_outfile);
823 			return (-1);
824 		}
825 #endif
826 	}
827 	return (0);
828 }
829 
830 
831 /*
832  * .func open_outfile - open the outfile.
833  * .desc Open the outfile specified by the -O option. Assign it to the
834  *	the standard output. Get a unique temporary name to use so we
835  *	don't clobber an existing file.
836  * .ret	0 - no errors detected.
837  * .ret	-1 - errors in processing (message already printed).
838  */
839 static int
840 open_outfile(void)
841 {
842 	int	tmpfd = -1;
843 
844 	if (f_outfile != NULL) {
845 		f_outtemp = (char *)a_calloc(1, strlen(f_outfile) + 8);
846 		(void) strcpy(f_outtemp, f_outfile);
847 		(void) strcat(f_outtemp, "XXXXXX");
848 		if ((tmpfd = mkstemp(f_outtemp)) == -1) {
849 			(void) sprintf(errbuf,
850 			    gettext("%s couldn't create temporary file"), ar);
851 			perror(errbuf);
852 			return (-1);
853 		}
854 		(void) fflush(stdout);
855 		if (tmpfd != fileno(stdout)) {
856 			if ((dup2(tmpfd, fileno(stdout))) == -1) {
857 				(void) sprintf(errbuf,
858 				    gettext("%s can't assign %s to the "
859 				    "standard output"), ar, f_outfile);
860 				perror(errbuf);
861 				return (-1);
862 			}
863 			(void) close(tmpfd);
864 		}
865 	}
866 	return (0);
867 }
868 
869 
870 /*
871  * .func init_options - initialize the options.
872  * .desc Give initial and/or default values to some options.
873  * .call init_options();
874  * .arg	none.
875  * .ret	void.
876  */
877 static void
878 init_options(void)
879 {
880 	struct timeval tp;
881 	struct timezone tpz;
882 
883 	/*
884 	 * Get current time for general use.
885 	 */
886 	if (gettimeofday(&tp, &tpz) == -1)
887 		perror(gettext("auditreduce: initial getttimeofday failed"));
888 
889 	time_now = tp.tv_sec;		/* save for general use */
890 	f_start = 0;			/* first record time default */
891 	f_end = time_now;		/* last record time default */
892 	m_after = 0;			/* Jan 1, 1970 00:00:00 */
893 
894 	/*
895 	 * Setup initial size of audit_pcbs[].
896 	 */
897 	pcbsize = PCB_INITSIZE;		/* initial size of file-holding pcb's */
898 
899 	audit_pcbs = (audit_pcb_t *)a_calloc(pcbsize, sizeof (audit_pcb_t));
900 
901 	/* description of 'current' error */
902 	error_str = gettext("initial error");
903 
904 }
905 
906 
907 /*
908  * .func a_calloc - audit calloc.
909  * .desc Calloc with check for failure. This is called by all of the
910  *	places that want memory.
911  * .call ptr = a_calloc(nelem, size).
912  * .arg	nelem - number of elements to allocate.
913  * .arg	size - size of each element.
914  * .ret	ptr - ptr to allocated and zeroed memory.
915  * .ret	never - if calloc fails then we never return.
916  */
917 void	*
918 a_calloc(int nelem, size_t size)
919 {
920 	void	*ptr;
921 
922 	if ((ptr = calloc((unsigned)nelem, size)) == NULL) {
923 		perror(gettext("auditreduce: memory allocation failed"));
924 		exit(1);
925 	}
926 	return (ptr);
927 }
928 
929 
930 /*
931  * .func init_sig - initial signal catching.
932  *
933  * .desc
934  *	Setup the signal catcher to catch the SIGCHLD signal plus
935  *	"environmental" signals -- keyboard plus other externally
936  *	generated signals such as out of file space or cpu time.  If a
937  *	child exits with either a non-zero exit code or was killed by
938  *	a signal to it then we will also exit with a non-zero exit
939  *	code. In this way abnormal conditions can be passed up to the
940  *	root process and the entire run be halted. Also catch the int
941  *	and quit signals. Remove the output file since it is in an
942  *	inconsistent state.
943  * .call ret = init_sig().
944  * .arg none.
945  * .ret 0 - no errors detected.
946  * .ret -1 - signal failed (message printed).
947  */
948 static int
949 init_sig(void)
950 {
951 	if (signal(SIGCHLD, chld_handler) == SIG_ERR) {
952 		perror(gettext("auditreduce: SIGCHLD signal failed"));
953 		return (-1);
954 	}
955 
956 	if (signal(SIGHUP, int_handler) == SIG_ERR) {
957 		perror(gettext("auditreduce: SIGHUP signal failed"));
958 		return (-1);
959 	}
960 	if (signal(SIGINT, int_handler) == SIG_ERR) {
961 		perror(gettext("auditreduce: SIGINT signal failed"));
962 		return (-1);
963 	}
964 	if (signal(SIGQUIT, int_handler) == SIG_ERR) {
965 		perror(gettext("auditreduce: SIGQUIT signal failed"));
966 		return (-1);
967 	}
968 	if (signal(SIGABRT, int_handler) == SIG_ERR) {
969 		perror(gettext("auditreduce: SIGABRT signal failed"));
970 		return (-1);
971 	}
972 	if (signal(SIGTERM, int_handler) == SIG_ERR) {
973 		perror(gettext("auditreduce: SIGTERM signal failed"));
974 		return (-1);
975 	}
976 	if (signal(SIGPWR, int_handler) == SIG_ERR) {
977 		perror(gettext("auditreduce: SIGPWR signal failed"));
978 		return (-1);
979 	}
980 	if (signal(SIGXCPU, int_handler) == SIG_ERR) {
981 		perror(gettext("auditreduce: SIGXCPU signal failed"));
982 		return (-1);
983 	}
984 	if (signal(SIGXFSZ, int_handler) == SIG_ERR) {
985 		perror(gettext("auditreduce: SIGXFSZ signal failed"));
986 		return (-1);
987 	}
988 	if (signal(SIGSEGV, int_handler) == SIG_ERR) {
989 		perror(gettext("auditreduce: SIGSEGV signal failed"));
990 		return (-1);
991 	}
992 
993 	return (0);
994 }
995 
996 
997 /*
998  * .func chld_handler - handle child signals.
999  * .desc Catch the SIGCHLD signals. Remove the root process
1000  *	output file because it is in an inconsistent state.
1001  *	Print a message giving the signal number and/or return code
1002  *	of the child who caused the signal.
1003  * .ret	void.
1004  */
1005 /* ARGSUSED */
1006 void
1007 chld_handler(int sig)
1008 {
1009 	int	pid;
1010 	int	status;
1011 
1012 	/*
1013 	 * Get pid and reasons for cause of event.
1014 	 */
1015 	pid = wait(&status);
1016 
1017 	if (pid > 0) {
1018 		/*
1019 		 * If child received a signal or exited with a non-zero
1020 		 * exit status then print message and exit
1021 		 */
1022 		if ((WHIBYTE(status) == 0 && WLOBYTE(status) != 0) ||
1023 		    (WHIBYTE(status) != 0 && WLOBYTE(status) == 0)) {
1024 			(void) fprintf(stderr,
1025 			    gettext("%s abnormal child termination - "), ar);
1026 
1027 			if (WHIBYTE(status) == 0 && WLOBYTE(status) != 0) {
1028 				psignal(WLOBYTE(status), "signal");
1029 				if (WCOREDUMP(status))
1030 					(void) fprintf(stderr,
1031 					    gettext("core dumped\n"));
1032 			}
1033 
1034 			if (WHIBYTE(status) != 0 && WLOBYTE(status) == 0)
1035 				(void) fprintf(stderr, gettext(
1036 					"return code %d\n"),
1037 					WHIBYTE(status));
1038 
1039 			/*
1040 			 * Get rid of outfile - it is suspect.
1041 			 */
1042 			if (f_outfile != NULL) {
1043 				(void) close_outfile();
1044 				rm_outfile();
1045 			}
1046 			/*
1047 			 * Give statistical info that may be useful.
1048 			 */
1049 			audit_stats();
1050 
1051 			exit(1);
1052 		}
1053 	}
1054 }
1055 
1056 
1057 /*
1058  * .func	int_handler - handle quit/int signals.
1059  * .desc	Catch the keyboard and other environmental signals.
1060  *		Remove the root process output file because it is in
1061  *		an inconsistent state.
1062  * .ret	void.
1063  */
1064 /* ARGSUSED */
1065 void
1066 int_handler(int sig)
1067 {
1068 	if (getpid() == root_pid) {
1069 		(void) close_outfile();
1070 		rm_outfile();
1071 		exit(1);
1072 	}
1073 	/*
1074 	 * For a child process don't give an error exit or the
1075 	 * parent process will catch it with the chld_handler and
1076 	 * try to erase the outfile again.
1077 	 */
1078 	exit(0);
1079 }
1080