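/*
 * Copyright (c) 2004 Apple Computer, Inc.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1.  Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 * 2.  Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 * 3.  Neither the name of Apple Computer, Inc. ("Apple") nor the names of
 *     its contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#9 $
 */

/*
 * Tool used to parse audit records conforming to the BSM structure.
 *
 * The audit trail is treated as untrusted input: record and token
 * parsing is delegated to libbsm (au_read_rec()/au_fetch_tok()), and this
 * file only ensures that every parsing loop makes forward progress and
 * terminates at end of input.
 */

/*
 * praudit [-lprs] [-ddel] [filenames]
 */

#include <bsm/libbsm.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

extern char *optarg;
extern int optind, optopt, opterr, optreset;

static char *del = ",";		/* Default delimiter (-d). */
static int oneline = 0;		/* -l: whole record on one line, tokens joined by del. */
static int raw = 0;		/* -r: raw token output; exclusive with -s. */
static int shortfrm = 0;	/* -s: short form token output; exclusive with -r. */
static int partial = 0;		/* -p: input may begin mid-record (tail -f | praudit -p). */

/*
 * Print the usage line to stderr and exit with status 1.
 * The option list now includes -p, which the original message omitted.
 */
static void
usage(void)
{

	fprintf(stderr, "Usage: praudit [-lprs] [-ddel] [filenames]\n");
	exit(1);
}

/*
 * Discard input until the next 32-bit header token so that a stream opened
 * in the middle of a record can be parsed.  The byte that matched is pushed
 * back so au_read_rec() sees it.
 *
 * Returns 0 when a header byte was found, -1 at end of file or on a read
 * error (caller distinguishes with ferror()).
 *
 * fgetc() yields EOF as an int; storing it in a u_char (as the original
 * did) could never compare equal to EOF, so an exhausted stream spun forever.
 */
static int
sync_to_header(FILE *fp)
{
	int c;

	do {
		c = fgetc(fp);
	} while (c != EOF && c != AU_HEADER_32_TOKEN);
	if (c == EOF)
		return (-1);
	ungetc(c, fp);
	return (0);
}

/*
 * Print every token of one record held in buf[0..reclen).  Each token is
 * followed by del in -l mode, otherwise by a newline.  Printing stops at the
 * first token libbsm cannot decode (truncated or malformed record) and at a
 * zero-length token, which would otherwise leave bytesread unchanged and
 * loop forever.
 */
static void
print_record(u_char *buf, int reclen)
{
	tokenstr_t tok;
	int bytesread = 0;

	while (bytesread < reclen) {
		/* Is this an incomplete record? */
		if (au_fetch_tok(&tok, buf + bytesread, reclen - bytesread) == -1)
			break;
		au_print_tok(stdout, &tok, del, raw, shortfrm);
		if (tok.len == 0)
			break;	/* No forward progress possible. */
		bytesread += tok.len;
		printf("%s", oneline ? del : "\n");
	}
}

/*
 * Token printing for each token type.
 *
 * Reads records from fp with au_read_rec() until it reports -1 and prints
 * them.  Returns 0 normally and -1 when -p resynchronisation hit a read
 * error; plain end of file is not an error.
 */
static int
print_tokens(FILE *fp)
{
	u_char *buf;
	int reclen;

	/* Allow tail -f | praudit to work: a record must begin with a header. */
	if (partial && sync_to_header(fp) == -1)
		return (ferror(fp) ? -1 : 0);

	while ((reclen = au_read_rec(fp, &buf)) != -1) {
		print_record(buf, reclen);
		free(buf);	/* au_read_rec() allocated the record buffer. */
		if (oneline)
			printf("\n");
	}
	return (0);
}

/*
 * Parse options, then dump every file named on the command line (or stdin
 * when none is given).  Exits 0 when every input was processed and non-zero
 * when any file could not be opened or read; the original returned 1 even
 * on success.
 */
int
main(int argc, char **argv)
{
	int ch;
	int i;
	FILE *fp;
	int status = EXIT_SUCCESS;

	while ((ch = getopt(argc, argv, "lprsd:")) != -1) {
		switch (ch) {
		case 'l':
			oneline = 1;
			break;

		case 'r':
			if (shortfrm)
				usage();	/* Exclusive from shortfrm. */
			raw = 1;
			break;

		case 's':
			if (raw)
				usage();	/* Exclusive from raw. */
			shortfrm = 1;
			break;

		case 'd':
			del = optarg;
			break;

		case 'p':
			partial = 1;
			break;

		case '?':
		default:
			usage();
		}
	}

	/* No file arguments: read the trail from standard input. */
	if (optind == argc)
		return (print_tokens(stdin) == -1 ? EXIT_FAILURE : EXIT_SUCCESS);

	/* For each of the files passed as arguments dump the contents. */
	for (i = optind; i < argc; i++) {
		fp = fopen(argv[i], "r");
		if (fp == NULL) {
			perror(argv[i]);
			status = EXIT_FAILURE;
			continue;
		}
		if (print_tokens(fp) == -1) {
			perror(argv[i]);
			status = EXIT_FAILURE;
		}
		fclose(fp);
	}
	return (status);
}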