1 /*- 2 * Copyright (c) 2004-2008 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#61 $ 36 */ 37 38 #include <sys/types.h> 39 40 #include <config/config.h> 41 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC) 42 #include <sys/endian.h> 43 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 44 #ifdef HAVE_MACHINE_ENDIAN_H 45 #include <machine/endian.h> 46 #else /* !HAVE_MACHINE_ENDIAN_H */ 47 #ifdef HAVE_ENDIAN_H 48 #include <endian.h> 49 #else /* !HAVE_ENDIAN_H */ 50 #error "No supported endian.h" 51 #endif /* !HAVE_ENDIAN_H */ 52 #endif /* !HAVE_MACHINE_ENDIAN_H */ 53 #include <compat/endian.h> 54 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 55 #ifdef HAVE_FULL_QUEUE_H 56 #include <sys/queue.h> 57 #else /* !HAVE_FULL_QUEUE_H */ 58 #include <compat/queue.h> 59 #endif /* !HAVE_FULL_QUEUE_H */ 60 61 #include <sys/stat.h> 62 #include <sys/socket.h> 63 64 #include <bsm/libbsm.h> 65 66 #include <unistd.h> 67 #include <netinet/in.h> 68 #include <arpa/inet.h> 69 #include <errno.h> 70 #include <time.h> 71 #include <stdlib.h> 72 #include <stdio.h> 73 #include <string.h> 74 #include <pwd.h> 75 #include <grp.h> 76 77 #include <bsm/audit_internal.h> 78 79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81 (err) = 1; \ 82 } else { \ 83 memcpy((dest), (buf) + (bytesread), (size)); \ 84 bytesread += size; \ 85 } \ 86 } while (0) 87 88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90 (dest) = buf[(bytesread)]; \ 91 (bytesread) += sizeof(u_char); \ 92 } else \ 93 (err) = 1; \ 94 } while (0) 95 96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98 (dest) = be16dec((buf) + (bytesread)); \ 99 (bytesread) += sizeof(u_int16_t); \ 100 } else \ 101 (err) = 1; \ 102 } while (0) 103 104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106 (dest) = be32dec((buf) + (bytesread)); \ 107 (bytesread) += sizeof(u_int32_t); \ 108 } else \ 109 (err) = 1; \ 110 } while (0) 111 112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114 dest = be64dec((buf) + (bytesread)); \ 115 (bytesread) += sizeof(u_int64_t); \ 116 } else \ 117 (err) = 1; \ 118 } while (0) 119 120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (u_int32_t)(len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127 } while (0) 128 129 /* 130 * XML option. 131 */ 132 #define AU_PLAIN 0 133 #define AU_XML 1 134 135 /* 136 * Prints the delimiter string. 137 */ 138 static void 139 print_delim(FILE *fp, const char *del) 140 { 141 142 fprintf(fp, "%s", del); 143 } 144 145 /* 146 * Prints a single byte in the given format. 147 */ 148 static void 149 print_1_byte(FILE *fp, u_char val, const char *format) 150 { 151 152 fprintf(fp, format, val); 153 } 154 155 /* 156 * Print 2 bytes in the given format. 157 */ 158 static void 159 print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160 { 161 162 fprintf(fp, format, val); 163 } 164 165 /* 166 * Prints 4 bytes in the given format. 167 */ 168 static void 169 print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170 { 171 172 fprintf(fp, format, val); 173 } 174 175 /* 176 * Prints 8 bytes in the given format. 177 */ 178 static void 179 print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180 { 181 182 fprintf(fp, format, val); 183 } 184 185 /* 186 * Prints the given size of data bytes in hex. 187 */ 188 static void 189 print_mem(FILE *fp, u_char *data, size_t len) 190 { 191 u_int32_t i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%02x", data[i]); 197 } 198 } 199 200 /* 201 * Prints the given data bytes as a string. 202 */ 203 static void 204 print_string(FILE *fp, const char *str, size_t len) 205 { 206 u_int32_t i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214 } 215 216 /* 217 * Prints the beggining of attribute. 218 */ 219 static void 220 open_attr(FILE *fp, const char *str) 221 { 222 223 fprintf(fp,"%s=\"", str); 224 } 225 226 /* 227 * Prints the end of attribute. 228 */ 229 static void 230 close_attr(FILE *fp) 231 { 232 233 fprintf(fp,"\" "); 234 } 235 236 /* 237 * Prints the end of tag. 238 */ 239 static void 240 close_tag(FILE *fp, u_char type) 241 { 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SUBJECT32: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT64: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT32_EX: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT64_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_TEXT: 385 fprintf(fp, "</text>"); 386 break; 387 388 case AUT_SOCKET_EX: 389 fprintf(fp, "/>"); 390 break; 391 392 case AUT_DATA: 393 fprintf(fp, "</arbitrary>"); 394 break; 395 396 case AUT_ZONENAME: 397 fprintf(fp, "/>"); 398 break; 399 } 400 } 401 402 /* 403 * Prints the token type in either the raw or the default form. 404 */ 405 static void 406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407 { 408 409 if (xml) { 410 switch(type) { 411 case AUT_HEADER32: 412 fprintf(fp, "<record "); 413 break; 414 415 case AUT_HEADER32_EX: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER64: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64_EX: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_TRAILER: 428 fprintf(fp, "</record>"); 429 break; 430 431 case AUT_ARG32: 432 fprintf(fp, "<argument "); 433 break; 434 435 case AUT_ARG64: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ATTR32: 440 fprintf(fp, "<attribute "); 441 break; 442 443 case AUT_ATTR64: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_EXIT: 448 fprintf(fp, "<exit "); 449 break; 450 451 case AUT_EXEC_ARGS: 452 fprintf(fp, "<exec_args>"); 453 break; 454 455 case AUT_EXEC_ENV: 456 fprintf(fp, "<exec_env>"); 457 break; 458 459 case AUT_OTHER_FILE32: 460 fprintf(fp, "<file "); 461 break; 462 463 case AUT_NEWGROUPS: 464 fprintf(fp, "<group>"); 465 break; 466 467 case AUT_IN_ADDR: 468 fprintf(fp, "<ip_address>"); 469 break; 470 471 case AUT_IN_ADDR_EX: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IP: 476 fprintf(fp, "<ip "); 477 break; 478 479 case AUT_IPC: 480 fprintf(fp, "<IPC"); 481 break; 482 483 case AUT_IPC_PERM: 484 fprintf(fp, "<IPC_perm "); 485 break; 486 487 case AUT_IPORT: 488 fprintf(fp, "<ip_port>"); 489 break; 490 491 case AUT_OPAQUE: 492 fprintf(fp, "<opaque>"); 493 break; 494 495 case AUT_PATH: 496 fprintf(fp, "<path>"); 497 break; 498 499 case AUT_PROCESS32: 500 fprintf(fp, "<process "); 501 break; 502 503 case AUT_PROCESS32_EX: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS64: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64_EX: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_RETURN32: 516 fprintf(fp, "<return "); 517 break; 518 519 case AUT_RETURN64: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_SEQ: 524 fprintf(fp, "<sequence "); 525 break; 526 527 case AUT_SOCKET: 528 fprintf(fp, "<socket "); 529 break; 530 531 case AUT_SOCKINET32: 532 fprintf(fp, "<old_socket"); 533 break; 534 535 case AUT_SOCKUNIX: 536 fprintf(fp, "<old_socket"); 537 break; 538 539 case AUT_SUBJECT32: 540 fprintf(fp, "<subject "); 541 break; 542 543 case AUT_SUBJECT64: 544 fprintf(fp, "<subject "); 545 break; 546 547 case AUT_SUBJECT32_EX: 548 fprintf(fp, "<subject "); 549 break; 550 551 case AUT_SUBJECT64_EX: 552 fprintf(fp, "<subject "); 553 break; 554 555 case AUT_TEXT: 556 fprintf(fp, "<text>"); 557 break; 558 559 case AUT_SOCKET_EX: 560 fprintf(fp, "<socket "); 561 break; 562 563 case AUT_DATA: 564 fprintf(fp, "<arbitrary "); 565 break; 566 567 case AUT_ZONENAME: 568 fprintf(fp, "<zone "); 569 break; 570 } 571 } else { 572 if (raw) 573 fprintf(fp, "%u", type); 574 else 575 fprintf(fp, "%s", tokname); 576 } 577 } 578 579 /* 580 * Prints a user value. 581 */ 582 static void 583 print_user(FILE *fp, u_int32_t usr, char raw) 584 { 585 struct passwd *pwent; 586 587 if (raw) 588 fprintf(fp, "%d", usr); 589 else { 590 pwent = getpwuid(usr); 591 if (pwent != NULL) 592 fprintf(fp, "%s", pwent->pw_name); 593 else 594 fprintf(fp, "%d", usr); 595 } 596 } 597 598 /* 599 * Prints a group value. 600 */ 601 static void 602 print_group(FILE *fp, u_int32_t grp, char raw) 603 { 604 struct group *grpent; 605 606 if (raw) 607 fprintf(fp, "%d", grp); 608 else { 609 grpent = getgrgid(grp); 610 if (grpent != NULL) 611 fprintf(fp, "%s", grpent->gr_name); 612 else 613 fprintf(fp, "%d", grp); 614 } 615 } 616 617 /* 618 * Prints the event from the header token in either the short, default or raw 619 * form. 620 */ 621 static void 622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623 { 624 char event_ent_name[AU_EVENT_NAME_MAX]; 625 char event_ent_desc[AU_EVENT_DESC_MAX]; 626 struct au_event_ent e, *ep; 627 628 bzero(&e, sizeof(e)); 629 bzero(event_ent_name, sizeof(event_ent_name)); 630 bzero(event_ent_desc, sizeof(event_ent_desc)); 631 e.ae_name = event_ent_name; 632 e.ae_desc = event_ent_desc; 633 634 ep = getauevnum_r(&e, ev); 635 if (ep == NULL) { 636 fprintf(fp, "%u", ev); 637 return; 638 } 639 640 if (raw) 641 fprintf(fp, "%u", ev); 642 else if (sfrm) 643 fprintf(fp, "%s", e.ae_name); 644 else 645 fprintf(fp, "%s", e.ae_desc); 646 } 647 648 649 /* 650 * Prints the event modifier from the header token in either the default or 651 * raw form. 652 */ 653 static void 654 print_evmod(FILE *fp, u_int16_t evmod, char raw) 655 { 656 if (raw) 657 fprintf(fp, "%u", evmod); 658 else 659 fprintf(fp, "%u", evmod); 660 } 661 662 /* 663 * Prints seconds in the ctime format. 664 */ 665 static void 666 print_sec32(FILE *fp, u_int32_t sec, char raw) 667 { 668 time_t timestamp; 669 char timestr[26]; 670 671 if (raw) 672 fprintf(fp, "%u", sec); 673 else { 674 timestamp = (time_t)sec; 675 ctime_r(×tamp, timestr); 676 timestr[24] = '\0'; /* No new line */ 677 fprintf(fp, "%s", timestr); 678 } 679 } 680 681 /* 682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683 * assume a 32-bit time_t, we simply truncate for now. 684 */ 685 static void 686 print_sec64(FILE *fp, u_int64_t sec, char raw) 687 { 688 time_t timestamp; 689 char timestr[26]; 690 691 if (raw) 692 fprintf(fp, "%u", (u_int32_t)sec); 693 else { 694 timestamp = (time_t)sec; 695 ctime_r(×tamp, timestr); 696 timestr[24] = '\0'; /* No new line */ 697 fprintf(fp, "%s", timestr); 698 } 699 } 700 701 /* 702 * Prints the excess milliseconds. 703 */ 704 static void 705 print_msec32(FILE *fp, u_int32_t msec, char raw) 706 { 707 if (raw) 708 fprintf(fp, "%u", msec); 709 else 710 fprintf(fp, " + %u msec", msec); 711 } 712 713 /* 714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715 * a 32-bit msec, we simply truncate for now. 716 */ 717 static void 718 print_msec64(FILE *fp, u_int64_t msec, char raw) 719 { 720 721 msec &= 0xffffffff; 722 if (raw) 723 fprintf(fp, "%u", (u_int32_t)msec); 724 else 725 fprintf(fp, " + %u msec", (u_int32_t)msec); 726 } 727 728 /* 729 * Prints a dotted form for the IP address. 730 */ 731 static void 732 print_ip_address(FILE *fp, u_int32_t ip) 733 { 734 struct in_addr ipaddr; 735 736 ipaddr.s_addr = ip; 737 fprintf(fp, "%s", inet_ntoa(ipaddr)); 738 } 739 740 /* 741 * Prints a string value for the given ip address. 742 */ 743 static void 744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745 { 746 struct in_addr ipv4; 747 struct in6_addr ipv6; 748 char dst[INET6_ADDRSTRLEN]; 749 750 switch (type) { 751 case AU_IPv4: 752 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754 INET6_ADDRSTRLEN)); 755 break; 756 757 case AU_IPv6: 758 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760 INET6_ADDRSTRLEN)); 761 break; 762 763 default: 764 fprintf(fp, "invalid"); 765 } 766 } 767 768 /* 769 * Prints return value as success or failure. 770 */ 771 static void 772 print_retval(FILE *fp, u_char status, char raw) 773 { 774 int error; 775 776 if (raw) 777 fprintf(fp, "%u", status); 778 else { 779 /* 780 * Convert to a local error number and print the OS's version 781 * of the error string if possible. We may want to provide 782 * an au_strerror(3) in the future so that we can print 783 * strings for non-local errors. 784 */ 785 if (au_bsm_to_errno(status, &error) == 0) { 786 if (error == 0) 787 fprintf(fp, "success"); 788 else 789 fprintf(fp, "failure : %s", strerror(error)); 790 } else 791 fprintf(fp, "failure: Unknown error: %d", status); 792 } 793 } 794 795 /* 796 * Prints the exit value. 797 */ 798 static void 799 print_errval(FILE *fp, u_int32_t val) 800 { 801 802 fprintf(fp, "Error %u", val); 803 } 804 805 /* 806 * Prints IPC type. 807 */ 808 static void 809 print_ipctype(FILE *fp, u_char type, char raw) 810 { 811 if (raw) 812 fprintf(fp, "%u", type); 813 else { 814 if (type == AT_IPC_MSG) 815 fprintf(fp, "Message IPC"); 816 else if (type == AT_IPC_SEM) 817 fprintf(fp, "Semaphore IPC"); 818 else if (type == AT_IPC_SHM) 819 fprintf(fp, "Shared Memory IPC"); 820 else 821 fprintf(fp, "%u", type); 822 } 823 } 824 825 /* 826 * Print XML header. 827 */ 828 void 829 au_print_xml_header(FILE *outfp) 830 { 831 832 fprintf(outfp, "<?xml version='1.0' ?>\n"); 833 fprintf(outfp, "<audit>\n"); 834 } 835 836 /* 837 * Print XML footer. 838 */ 839 void 840 au_print_xml_footer(FILE *outfp) 841 { 842 843 fprintf(outfp, "</audit>\n"); 844 } 845 846 /* 847 * record byte count 4 bytes 848 * version # 1 byte [2] 849 * event type 2 bytes 850 * event modifier 2 bytes 851 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 852 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 853 */ 854 static int 855 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 856 { 857 int err = 0; 858 859 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 860 if (err) 861 return (-1); 862 863 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 864 if (err) 865 return (-1); 866 867 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 868 if (err) 869 return (-1); 870 871 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 872 if (err) 873 return (-1); 874 875 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 876 if (err) 877 return (-1); 878 879 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 880 if (err) 881 return (-1); 882 883 return (0); 884 } 885 886 static void 887 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 888 int xml) 889 { 890 891 print_tok_type(fp, tok->id, "header", raw, xml); 892 if (xml) { 893 open_attr(fp, "version"); 894 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 895 close_attr(fp); 896 open_attr(fp, "event"); 897 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 898 close_attr(fp); 899 open_attr(fp, "modifier"); 900 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 901 close_attr(fp); 902 open_attr(fp, "time"); 903 print_sec32(fp, tok->tt.hdr32.s, raw); 904 close_attr(fp); 905 open_attr(fp, "msec"); 906 print_msec32(fp, tok->tt.hdr32.ms, 1); 907 close_attr(fp); 908 close_tag(fp, tok->id); 909 } else { 910 print_delim(fp, del); 911 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 912 print_delim(fp, del); 913 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 914 print_delim(fp, del); 915 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 916 print_delim(fp, del); 917 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 918 print_delim(fp, del); 919 print_sec32(fp, tok->tt.hdr32.s, raw); 920 print_delim(fp, del); 921 print_msec32(fp, tok->tt.hdr32.ms, raw); 922 } 923 } 924 925 /* 926 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 927 * depending on the bit of the specifications found. The OpenSolaris source 928 * code uses a 4-byte address length, followed by some number of bytes of 929 * address data. This contrasts with the Solaris audit.log.5 man page, which 930 * specifies a 1-byte length field. We use the Solaris 10 definition so that 931 * we can parse audit trails from that system. 932 * 933 * record byte count 4 bytes 934 * version # 1 byte [2] 935 * event type 2 bytes 936 * event modifier 2 bytes 937 * address type/length 4 bytes 938 * [ Solaris man page: address type/length 1 byte] 939 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 940 * seconds of time 4 bytes/8 bytes (32/64-bits) 941 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 942 */ 943 static int 944 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 945 { 946 int err = 0; 947 948 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 949 if (err) 950 return (-1); 951 952 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 953 if (err) 954 return (-1); 955 956 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 957 if (err) 958 return (-1); 959 960 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 961 if (err) 962 return (-1); 963 964 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 965 if (err) 966 return (-1); 967 968 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 969 switch (tok->tt.hdr32_ex.ad_type) { 970 case AU_IPv4: 971 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 972 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 973 if (err) 974 return (-1); 975 break; 976 977 case AU_IPv6: 978 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 979 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 980 break; 981 } 982 983 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 984 if (err) 985 return (-1); 986 987 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 988 if (err) 989 return (-1); 990 991 return (0); 992 } 993 994 static void 995 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 996 char sfrm, int xml) 997 { 998 999 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1000 if (xml) { 1001 open_attr(fp, "version"); 1002 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1003 close_attr(fp); 1004 open_attr(fp, "event"); 1005 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1006 close_attr(fp); 1007 open_attr(fp, "modifier"); 1008 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1009 close_attr(fp); 1010 open_attr(fp, "host"); 1011 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1012 tok->tt.hdr32_ex.addr); 1013 close_attr(fp); 1014 open_attr(fp, "time"); 1015 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1016 close_attr(fp); 1017 open_attr(fp, "msec"); 1018 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1019 close_attr(fp); 1020 close_tag(fp, tok->id); 1021 } else { 1022 print_delim(fp, del); 1023 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1024 print_delim(fp, del); 1025 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1026 print_delim(fp, del); 1027 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1028 print_delim(fp, del); 1029 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1030 print_delim(fp, del); 1031 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1032 tok->tt.hdr32_ex.addr); 1033 print_delim(fp, del); 1034 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1035 print_delim(fp, del); 1036 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1037 } 1038 } 1039 1040 /* 1041 * record byte count 4 bytes 1042 * event type 2 bytes 1043 * event modifier 2 bytes 1044 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1045 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1046 * version # 1047 */ 1048 static int 1049 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1050 { 1051 int err = 0; 1052 1053 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1054 if (err) 1055 return (-1); 1056 1057 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1058 if (err) 1059 return (-1); 1060 1061 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1062 if (err) 1063 return (-1); 1064 1065 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1066 if (err) 1067 return (-1); 1068 1069 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1070 if (err) 1071 return (-1); 1072 1073 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1074 if (err) 1075 return (-1); 1076 1077 return (0); 1078 } 1079 1080 static void 1081 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1082 int xml) 1083 { 1084 1085 print_tok_type(fp, tok->id, "header", raw, xml); 1086 if (xml) { 1087 open_attr(fp, "version"); 1088 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1089 close_attr(fp); 1090 open_attr(fp, "event"); 1091 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1092 close_attr(fp); 1093 open_attr(fp, "modifier"); 1094 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1095 close_attr(fp); 1096 open_attr(fp, "time"); 1097 print_sec64(fp, tok->tt.hdr64.s, raw); 1098 close_attr(fp); 1099 open_attr(fp, "msec"); 1100 print_msec64(fp, tok->tt.hdr64.ms, raw); 1101 close_attr(fp); 1102 close_tag(fp, tok->id); 1103 } else { 1104 print_delim(fp, del); 1105 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1106 print_delim(fp, del); 1107 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1108 print_delim(fp, del); 1109 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1110 print_delim(fp, del); 1111 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1112 print_delim(fp, del); 1113 print_sec64(fp, tok->tt.hdr64.s, raw); 1114 print_delim(fp, del); 1115 print_msec64(fp, tok->tt.hdr64.ms, raw); 1116 } 1117 } 1118 1119 /* 1120 * record byte count 4 bytes 1121 * version # 1 byte [2] 1122 * event type 2 bytes 1123 * event modifier 2 bytes 1124 * address type/length 4 bytes 1125 * [ Solaris man page: address type/length 1 byte] 1126 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1127 * seconds of time 4 bytes/8 bytes (32/64-bits) 1128 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1129 * 1130 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1131 * accuracy of the BSM spec. 1132 */ 1133 static int 1134 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1135 { 1136 int err = 0; 1137 1138 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1139 if (err) 1140 return (-1); 1141 1142 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1143 if (err) 1144 return (-1); 1145 1146 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1147 if (err) 1148 return (-1); 1149 1150 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1151 if (err) 1152 return (-1); 1153 1154 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1155 if (err) 1156 return (-1); 1157 1158 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1159 switch (tok->tt.hdr64_ex.ad_type) { 1160 case AU_IPv4: 1161 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1162 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1163 if (err) 1164 return (-1); 1165 break; 1166 1167 case AU_IPv6: 1168 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1169 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1170 break; 1171 } 1172 1173 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1174 if (err) 1175 return (-1); 1176 1177 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1178 if (err) 1179 return (-1); 1180 1181 return (0); 1182 } 1183 1184 static void 1185 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1186 char sfrm, int xml) 1187 { 1188 1189 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1190 if (xml) { 1191 open_attr(fp, "version"); 1192 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1193 close_attr(fp); 1194 open_attr(fp, "event"); 1195 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1196 close_attr(fp); 1197 open_attr(fp, "modifier"); 1198 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1199 close_attr(fp); 1200 open_attr(fp, "host"); 1201 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1202 tok->tt.hdr64_ex.addr); 1203 close_attr(fp); 1204 open_attr(fp, "time"); 1205 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1206 close_attr(fp); 1207 open_attr(fp, "msec"); 1208 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1209 close_attr(fp); 1210 close_tag(fp, tok->id); 1211 } else { 1212 print_delim(fp, del); 1213 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1214 print_delim(fp, del); 1215 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1216 print_delim(fp, del); 1217 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1218 print_delim(fp, del); 1219 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1220 print_delim(fp, del); 1221 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1222 tok->tt.hdr64_ex.addr); 1223 print_delim(fp, del); 1224 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1225 print_delim(fp, del); 1226 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1227 } 1228 } 1229 1230 /* 1231 * trailer magic 2 bytes 1232 * record size 4 bytes 1233 */ 1234 static int 1235 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1236 { 1237 int err = 0; 1238 1239 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1240 if (err) 1241 return (-1); 1242 1243 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1244 if (err) 1245 return (-1); 1246 1247 return (0); 1248 } 1249 1250 static void 1251 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1252 __unused char sfrm, int xml) 1253 { 1254 1255 print_tok_type(fp, tok->id, "trailer", raw, xml); 1256 if (!xml) { 1257 print_delim(fp, del); 1258 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1259 } 1260 } 1261 1262 /* 1263 * argument # 1 byte 1264 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1265 * text length 2 bytes 1266 * text N bytes + 1 terminating NULL byte 1267 */ 1268 static int 1269 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1270 { 1271 int err = 0; 1272 1273 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1274 if (err) 1275 return (-1); 1276 1277 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1278 if (err) 1279 return (-1); 1280 1281 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1282 if (err) 1283 return (-1); 1284 1285 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1286 tok->len, err); 1287 if (err) 1288 return (-1); 1289 1290 return (0); 1291 } 1292 1293 static void 1294 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1295 __unused char sfrm, int xml) 1296 { 1297 1298 print_tok_type(fp, tok->id, "argument", raw, xml); 1299 if (xml) { 1300 open_attr(fp, "arg-num"); 1301 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1302 close_attr(fp); 1303 open_attr(fp, "value"); 1304 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1305 close_attr(fp); 1306 open_attr(fp, "desc"); 1307 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1308 close_attr(fp); 1309 close_tag(fp, tok->id); 1310 } else { 1311 print_delim(fp, del); 1312 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1313 print_delim(fp, del); 1314 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1315 print_delim(fp, del); 1316 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1317 } 1318 } 1319 1320 static int 1321 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1322 { 1323 int err = 0; 1324 1325 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1326 if (err) 1327 return (-1); 1328 1329 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1330 if (err) 1331 return (-1); 1332 1333 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1334 if (err) 1335 return (-1); 1336 1337 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1338 tok->len, err); 1339 if (err) 1340 return (-1); 1341 1342 return (0); 1343 } 1344 1345 static void 1346 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1347 __unused char sfrm, int xml) 1348 { 1349 1350 print_tok_type(fp, tok->id, "argument", raw, xml); 1351 if (xml) { 1352 open_attr(fp, "arg-num"); 1353 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1354 close_attr(fp); 1355 open_attr(fp, "value"); 1356 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1357 close_attr(fp); 1358 open_attr(fp, "desc"); 1359 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1360 close_attr(fp); 1361 close_tag(fp, tok->id); 1362 } else { 1363 print_delim(fp, del); 1364 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1365 print_delim(fp, del); 1366 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1367 print_delim(fp, del); 1368 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1369 } 1370 } 1371 1372 /* 1373 * how to print 1 byte 1374 * basic unit 1 byte 1375 * unit count 1 byte 1376 * data items (depends on basic unit) 1377 */ 1378 static int 1379 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1380 { 1381 int err = 0; 1382 int datasize; 1383 1384 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1385 if (err) 1386 return (-1); 1387 1388 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1389 if (err) 1390 return (-1); 1391 1392 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1393 if (err) 1394 return (-1); 1395 1396 /* 1397 * Determine the size of the basic unit. 1398 */ 1399 switch(tok->tt.arb.bu) { 1400 case AUR_BYTE: 1401 /* case AUR_CHAR: */ 1402 datasize = AUR_BYTE_SIZE; 1403 break; 1404 1405 case AUR_SHORT: 1406 datasize = AUR_SHORT_SIZE; 1407 break; 1408 1409 case AUR_INT32: 1410 /* case AUR_INT: */ 1411 datasize = AUR_INT32_SIZE; 1412 break; 1413 1414 case AUR_INT64: 1415 datasize = AUR_INT64_SIZE; 1416 break; 1417 1418 default: 1419 return (-1); 1420 } 1421 1422 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1423 tok->len, err); 1424 if (err) 1425 return (-1); 1426 1427 return (0); 1428 } 1429 1430 static void 1431 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1432 __unused char sfrm, int xml) 1433 { 1434 char *str; 1435 char *format; 1436 size_t size; 1437 int i; 1438 1439 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1440 if (!xml) 1441 print_delim(fp, del); 1442 1443 switch(tok->tt.arb.howtopr) { 1444 case AUP_BINARY: 1445 str = "binary"; 1446 format = " %c"; 1447 break; 1448 1449 case AUP_OCTAL: 1450 str = "octal"; 1451 format = " %o"; 1452 break; 1453 1454 case AUP_DECIMAL: 1455 str = "decimal"; 1456 format = " %d"; 1457 break; 1458 1459 case AUP_HEX: 1460 str = "hex"; 1461 format = " %x"; 1462 break; 1463 1464 case AUP_STRING: 1465 str = "string"; 1466 format = "%c"; 1467 break; 1468 1469 default: 1470 return; 1471 } 1472 1473 if (xml) { 1474 open_attr(fp, "print"); 1475 fprintf(fp, "%s",str); 1476 close_attr(fp); 1477 } else { 1478 print_string(fp, str, strlen(str)); 1479 print_delim(fp, del); 1480 } 1481 switch(tok->tt.arb.bu) { 1482 case AUR_BYTE: 1483 /* case AUR_CHAR: */ 1484 str = "byte"; 1485 size = AUR_BYTE_SIZE; 1486 if (xml) { 1487 open_attr(fp, "type"); 1488 fprintf(fp, "%zu", size); 1489 close_attr(fp); 1490 open_attr(fp, "count"); 1491 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1492 close_attr(fp); 1493 fprintf(fp, ">"); 1494 for (i = 0; i<tok->tt.arb.uc; i++) 1495 fprintf(fp, format, *(tok->tt.arb.data + 1496 (size * i))); 1497 close_tag(fp, tok->id); 1498 } else { 1499 print_string(fp, str, strlen(str)); 1500 print_delim(fp, del); 1501 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1502 print_delim(fp, del); 1503 for (i = 0; i<tok->tt.arb.uc; i++) 1504 fprintf(fp, format, *(tok->tt.arb.data + 1505 (size * i))); 1506 } 1507 break; 1508 1509 case AUR_SHORT: 1510 str = "short"; 1511 size = AUR_SHORT_SIZE; 1512 if (xml) { 1513 open_attr(fp, "type"); 1514 fprintf(fp, "%zu", size); 1515 close_attr(fp); 1516 open_attr(fp, "count"); 1517 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1518 close_attr(fp); 1519 fprintf(fp, ">"); 1520 for (i = 0; i < tok->tt.arb.uc; i++) 1521 fprintf(fp, format, 1522 *((u_int16_t *)(tok->tt.arb.data + 1523 (size * i)))); 1524 close_tag(fp, tok->id); 1525 } else { 1526 print_string(fp, str, strlen(str)); 1527 print_delim(fp, del); 1528 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1529 print_delim(fp, del); 1530 for (i = 0; i < tok->tt.arb.uc; i++) 1531 fprintf(fp, format, 1532 *((u_int16_t *)(tok->tt.arb.data + 1533 (size * i)))); 1534 } 1535 break; 1536 1537 case AUR_INT32: 1538 /* case AUR_INT: */ 1539 str = "int"; 1540 size = AUR_INT32_SIZE; 1541 if (xml) { 1542 open_attr(fp, "type"); 1543 fprintf(fp, "%zu", size); 1544 close_attr(fp); 1545 open_attr(fp, "count"); 1546 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1547 close_attr(fp); 1548 fprintf(fp, ">"); 1549 for (i = 0; i < tok->tt.arb.uc; i++) 1550 fprintf(fp, format, 1551 *((u_int32_t *)(tok->tt.arb.data + 1552 (size * i)))); 1553 close_tag(fp, tok->id); 1554 } else { 1555 print_string(fp, str, strlen(str)); 1556 print_delim(fp, del); 1557 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1558 print_delim(fp, del); 1559 for (i = 0; i < tok->tt.arb.uc; i++) 1560 fprintf(fp, format, 1561 *((u_int32_t *)(tok->tt.arb.data + 1562 (size * i)))); 1563 } 1564 break; 1565 1566 case AUR_INT64: 1567 str = "int64"; 1568 size = AUR_INT64_SIZE; 1569 if (xml) { 1570 open_attr(fp, "type"); 1571 fprintf(fp, "%zu", size); 1572 close_attr(fp); 1573 open_attr(fp, "count"); 1574 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1575 close_attr(fp); 1576 fprintf(fp, ">"); 1577 for (i = 0; i < tok->tt.arb.uc; i++) 1578 fprintf(fp, format, 1579 *((u_int64_t *)(tok->tt.arb.data + 1580 (size * i)))); 1581 close_tag(fp, tok->id); 1582 } else { 1583 print_string(fp, str, strlen(str)); 1584 print_delim(fp, del); 1585 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1586 print_delim(fp, del); 1587 for (i = 0; i < tok->tt.arb.uc; i++) 1588 fprintf(fp, format, 1589 *((u_int64_t *)(tok->tt.arb.data + 1590 (size * i)))); 1591 } 1592 break; 1593 1594 default: 1595 return; 1596 } 1597 } 1598 1599 /* 1600 * file access mode 4 bytes 1601 * owner user ID 4 bytes 1602 * owner group ID 4 bytes 1603 * file system ID 4 bytes 1604 * node ID 8 bytes 1605 * device 4 bytes/8 bytes (32-bit/64-bit) 1606 */ 1607 static int 1608 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1609 { 1610 int err = 0; 1611 1612 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1613 if (err) 1614 return (-1); 1615 1616 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1617 if (err) 1618 return (-1); 1619 1620 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1621 if (err) 1622 return (-1); 1623 1624 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1625 if (err) 1626 return (-1); 1627 1628 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1629 if (err) 1630 return (-1); 1631 1632 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1633 if (err) 1634 return (-1); 1635 1636 return (0); 1637 } 1638 1639 static void 1640 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1641 __unused char sfrm, int xml) 1642 { 1643 1644 print_tok_type(fp, tok->id, "attribute", raw, xml); 1645 if (xml) { 1646 open_attr(fp, "mode"); 1647 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1648 close_attr(fp); 1649 open_attr(fp, "uid"); 1650 print_user(fp, tok->tt.attr32.uid, raw); 1651 close_attr(fp); 1652 open_attr(fp, "gid"); 1653 print_group(fp, tok->tt.attr32.gid, raw); 1654 close_attr(fp); 1655 open_attr(fp, "fsid"); 1656 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1657 close_attr(fp); 1658 open_attr(fp, "nodeid"); 1659 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1660 close_attr(fp); 1661 open_attr(fp, "device"); 1662 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1663 close_attr(fp); 1664 close_tag(fp, tok->id); 1665 } else { 1666 print_delim(fp, del); 1667 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1668 print_delim(fp, del); 1669 print_user(fp, tok->tt.attr32.uid, raw); 1670 print_delim(fp, del); 1671 print_group(fp, tok->tt.attr32.gid, raw); 1672 print_delim(fp, del); 1673 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1674 print_delim(fp, del); 1675 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1676 print_delim(fp, del); 1677 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1678 } 1679 } 1680 1681 /* 1682 * file access mode 4 bytes 1683 * owner user ID 4 bytes 1684 * owner group ID 4 bytes 1685 * file system ID 4 bytes 1686 * node ID 8 bytes 1687 * device 4 bytes/8 bytes (32-bit/64-bit) 1688 */ 1689 static int 1690 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1691 { 1692 int err = 0; 1693 1694 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1695 if (err) 1696 return (-1); 1697 1698 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1699 if (err) 1700 return (-1); 1701 1702 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1703 if (err) 1704 return (-1); 1705 1706 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1707 if (err) 1708 return (-1); 1709 1710 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1711 if (err) 1712 return (-1); 1713 1714 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1715 if (err) 1716 return (-1); 1717 1718 return (0); 1719 } 1720 1721 static void 1722 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1723 __unused char sfrm, int xml) 1724 { 1725 1726 print_tok_type(fp, tok->id, "attribute", raw, xml); 1727 if (xml) { 1728 open_attr(fp, "mode"); 1729 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1730 close_attr(fp); 1731 open_attr(fp, "uid"); 1732 print_user(fp, tok->tt.attr64.uid, raw); 1733 close_attr(fp); 1734 open_attr(fp, "gid"); 1735 print_group(fp, tok->tt.attr64.gid, raw); 1736 close_attr(fp); 1737 open_attr(fp, "fsid"); 1738 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1739 close_attr(fp); 1740 open_attr(fp, "nodeid"); 1741 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1742 close_attr(fp); 1743 open_attr(fp, "device"); 1744 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1745 close_attr(fp); 1746 close_tag(fp, tok->id); 1747 } else { 1748 print_delim(fp, del); 1749 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1750 print_delim(fp, del); 1751 print_user(fp, tok->tt.attr64.uid, raw); 1752 print_delim(fp, del); 1753 print_group(fp, tok->tt.attr64.gid, raw); 1754 print_delim(fp, del); 1755 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1756 print_delim(fp, del); 1757 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1758 print_delim(fp, del); 1759 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1760 } 1761 } 1762 1763 /* 1764 * status 4 bytes 1765 * return value 4 bytes 1766 */ 1767 static int 1768 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1769 { 1770 int err = 0; 1771 1772 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1773 if (err) 1774 return (-1); 1775 1776 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1777 if (err) 1778 return (-1); 1779 1780 return (0); 1781 } 1782 1783 static void 1784 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1785 __unused char sfrm, int xml) 1786 { 1787 1788 print_tok_type(fp, tok->id, "exit", raw, xml); 1789 if (xml) { 1790 open_attr(fp, "errval"); 1791 print_errval(fp, tok->tt.exit.status); 1792 close_attr(fp); 1793 open_attr(fp, "retval"); 1794 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1795 close_attr(fp); 1796 close_tag(fp, tok->id); 1797 } else { 1798 print_delim(fp, del); 1799 print_errval(fp, tok->tt.exit.status); 1800 print_delim(fp, del); 1801 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1802 } 1803 } 1804 1805 /* 1806 * count 4 bytes 1807 * text count null-terminated string(s) 1808 */ 1809 static int 1810 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1811 { 1812 int err = 0; 1813 u_int32_t i; 1814 u_char *bptr; 1815 1816 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1817 if (err) 1818 return (-1); 1819 1820 for (i = 0; i < tok->tt.execarg.count; i++) { 1821 bptr = buf + tok->len; 1822 if (i < AUDIT_MAX_ARGS) 1823 tok->tt.execarg.text[i] = (char*)bptr; 1824 1825 /* Look for a null terminated string. */ 1826 while (bptr && (*bptr != '\0')) { 1827 if (++tok->len >= (u_int32_t)len) 1828 return (-1); 1829 bptr = buf + tok->len; 1830 } 1831 if (!bptr) 1832 return (-1); 1833 tok->len++; /* \0 character */ 1834 } 1835 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1836 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1837 1838 return (0); 1839 } 1840 1841 static void 1842 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1843 __unused char sfrm, int xml) 1844 { 1845 u_int32_t i; 1846 1847 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1848 for (i = 0; i < tok->tt.execarg.count; i++) { 1849 if (xml) { 1850 fprintf(fp, "<arg>"); 1851 print_string(fp, tok->tt.execarg.text[i], 1852 strlen(tok->tt.execarg.text[i])); 1853 fprintf(fp, "</arg>"); 1854 } else { 1855 print_delim(fp, del); 1856 print_string(fp, tok->tt.execarg.text[i], 1857 strlen(tok->tt.execarg.text[i])); 1858 } 1859 } 1860 if (xml) 1861 close_tag(fp, tok->id); 1862 } 1863 1864 /* 1865 * count 4 bytes 1866 * text count null-terminated string(s) 1867 */ 1868 static int 1869 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1870 { 1871 int err = 0; 1872 u_int32_t i; 1873 u_char *bptr; 1874 1875 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1876 if (err) 1877 return (-1); 1878 1879 for (i = 0; i < tok->tt.execenv.count; i++) { 1880 bptr = buf + tok->len; 1881 if (i < AUDIT_MAX_ENV) 1882 tok->tt.execenv.text[i] = (char*)bptr; 1883 1884 /* Look for a null terminated string. */ 1885 while (bptr && (*bptr != '\0')) { 1886 if (++tok->len >= (u_int32_t)len) 1887 return (-1); 1888 bptr = buf + tok->len; 1889 } 1890 if (!bptr) 1891 return (-1); 1892 tok->len++; /* \0 character */ 1893 } 1894 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1895 tok->tt.execenv.count = AUDIT_MAX_ENV; 1896 1897 return (0); 1898 } 1899 1900 static void 1901 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1902 __unused char sfrm, int xml) 1903 { 1904 u_int32_t i; 1905 1906 print_tok_type(fp, tok->id, "exec env", raw, xml); 1907 for (i = 0; i< tok->tt.execenv.count; i++) { 1908 if (xml) { 1909 fprintf(fp, "<env>"); 1910 print_string(fp, tok->tt.execenv.text[i], 1911 strlen(tok->tt.execenv.text[i])); 1912 fprintf(fp, "</env>"); 1913 } else { 1914 print_delim(fp, del); 1915 print_string(fp, tok->tt.execenv.text[i], 1916 strlen(tok->tt.execenv.text[i])); 1917 } 1918 } 1919 if (xml) 1920 close_tag(fp, tok->id); 1921 } 1922 1923 /* 1924 * seconds of time 4 bytes 1925 * milliseconds of time 4 bytes 1926 * file name len 2 bytes 1927 * file pathname N bytes + 1 terminating NULL byte 1928 */ 1929 static int 1930 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1931 { 1932 int err = 0; 1933 1934 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1935 if (err) 1936 return (-1); 1937 1938 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1939 if (err) 1940 return (-1); 1941 1942 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1943 if (err) 1944 return (-1); 1945 1946 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1947 err); 1948 if (err) 1949 return (-1); 1950 1951 return (0); 1952 } 1953 1954 static void 1955 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1956 __unused char sfrm, int xml) 1957 { 1958 1959 print_tok_type(fp, tok->id, "file", raw, xml); 1960 if (xml) { 1961 open_attr(fp, "time"); 1962 print_sec32(fp, tok->tt.file.s, raw); 1963 close_attr(fp); 1964 open_attr(fp, "msec"); 1965 print_msec32(fp, tok->tt.file.ms, raw); 1966 close_attr(fp); 1967 fprintf(fp, ">"); 1968 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1969 close_tag(fp, tok->id); 1970 } else { 1971 print_delim(fp, del); 1972 print_sec32(fp, tok->tt.file.s, raw); 1973 print_delim(fp, del); 1974 print_msec32(fp, tok->tt.file.ms, raw); 1975 print_delim(fp, del); 1976 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1977 } 1978 } 1979 1980 /* 1981 * number groups 2 bytes 1982 * group list count * 4 bytes 1983 */ 1984 static int 1985 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1986 { 1987 int i; 1988 int err = 0; 1989 1990 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1991 if (err) 1992 return (-1); 1993 1994 for (i = 0; i<tok->tt.grps.no; i++) { 1995 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1996 err); 1997 if (err) 1998 return (-1); 1999 } 2000 2001 return (0); 2002 } 2003 2004 static void 2005 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2006 __unused char sfrm, int xml) 2007 { 2008 int i; 2009 2010 print_tok_type(fp, tok->id, "group", raw, xml); 2011 for (i = 0; i < tok->tt.grps.no; i++) { 2012 if (xml) { 2013 fprintf(fp, "<gid>"); 2014 print_group(fp, tok->tt.grps.list[i], raw); 2015 fprintf(fp, "</gid>"); 2016 close_tag(fp, tok->id); 2017 } else { 2018 print_delim(fp, del); 2019 print_group(fp, tok->tt.grps.list[i], raw); 2020 } 2021 } 2022 } 2023 2024 /* 2025 * Internet addr 4 bytes 2026 */ 2027 static int 2028 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2029 { 2030 int err = 0; 2031 2032 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2033 tok->len, err); 2034 if (err) 2035 return (-1); 2036 2037 return (0); 2038 2039 } 2040 2041 static void 2042 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2043 __unused char sfrm, int xml) 2044 { 2045 2046 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2047 if (xml) { 2048 print_ip_address(fp, tok->tt.inaddr.addr); 2049 close_tag(fp, tok->id); 2050 } else { 2051 print_delim(fp, del); 2052 print_ip_address(fp, tok->tt.inaddr.addr); 2053 } 2054 } 2055 2056 /* 2057 * type 4 bytes 2058 * address 16 bytes 2059 */ 2060 static int 2061 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2062 { 2063 int err = 0; 2064 2065 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2066 if (err) 2067 return (-1); 2068 2069 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2070 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2071 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2072 if (err) 2073 return (-1); 2074 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2075 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2076 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2077 if (err) 2078 return (-1); 2079 } else 2080 return (-1); 2081 2082 return (0); 2083 } 2084 2085 static void 2086 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2087 __unused char sfrm, int xml) 2088 { 2089 2090 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2091 if (xml) { 2092 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2093 tok->tt.inaddr_ex.addr); 2094 close_tag(fp, tok->id); 2095 } else { 2096 print_delim(fp, del); 2097 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2098 tok->tt.inaddr_ex.addr); 2099 } 2100 } 2101 2102 /* 2103 * ip header 20 bytes 2104 */ 2105 static int 2106 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2107 { 2108 int err = 0; 2109 2110 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2111 if (err) 2112 return (-1); 2113 2114 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2115 if (err) 2116 return (-1); 2117 2118 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2119 tok->len, err); 2120 if (err) 2121 return (-1); 2122 2123 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2124 tok->len, err); 2125 if (err) 2126 return (-1); 2127 2128 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2129 tok->len, err); 2130 if (err) 2131 return (-1); 2132 2133 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2134 if (err) 2135 return (-1); 2136 2137 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2138 if (err) 2139 return (-1); 2140 2141 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2142 tok->len, err); 2143 if (err) 2144 return (-1); 2145 2146 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2147 tok->len, err); 2148 if (err) 2149 return (-1); 2150 2151 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2152 tok->len, err); 2153 if (err) 2154 return (-1); 2155 2156 return (0); 2157 } 2158 2159 static void 2160 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2161 __unused char sfrm, int xml) 2162 { 2163 2164 print_tok_type(fp, tok->id, "ip", raw, xml); 2165 if (xml) { 2166 open_attr(fp, "version"); 2167 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2168 sizeof(u_char)); 2169 close_attr(fp); 2170 open_attr(fp, "service_type"); 2171 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2172 close_attr(fp); 2173 open_attr(fp, "len"); 2174 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2175 close_attr(fp); 2176 open_attr(fp, "id"); 2177 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2178 close_attr(fp); 2179 open_attr(fp, "offset"); 2180 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2181 close_attr(fp); 2182 open_attr(fp, "time_to_live"); 2183 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2184 close_attr(fp); 2185 open_attr(fp, "protocol"); 2186 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2187 close_attr(fp); 2188 open_attr(fp, "cksum"); 2189 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2190 close_attr(fp); 2191 open_attr(fp, "src_addr"); 2192 print_ip_address(fp, tok->tt.ip.src); 2193 close_attr(fp); 2194 open_attr(fp, "dest_addr"); 2195 print_ip_address(fp, tok->tt.ip.dest); 2196 close_attr(fp); 2197 close_tag(fp, tok->id); 2198 } else { 2199 print_delim(fp, del); 2200 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2201 sizeof(u_char)); 2202 print_delim(fp, del); 2203 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2204 print_delim(fp, del); 2205 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2206 print_delim(fp, del); 2207 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2208 print_delim(fp, del); 2209 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2210 print_delim(fp, del); 2211 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2212 print_delim(fp, del); 2213 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2214 print_delim(fp, del); 2215 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2216 print_delim(fp, del); 2217 print_ip_address(fp, tok->tt.ip.src); 2218 print_delim(fp, del); 2219 print_ip_address(fp, tok->tt.ip.dest); 2220 } 2221 } 2222 2223 /* 2224 * object ID type 1 byte 2225 * Object ID 4 bytes 2226 */ 2227 static int 2228 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2229 { 2230 int err = 0; 2231 2232 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2233 if (err) 2234 return (-1); 2235 2236 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2237 if (err) 2238 return (-1); 2239 2240 return (0); 2241 } 2242 2243 static void 2244 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2245 __unused char sfrm, int xml) 2246 { 2247 2248 print_tok_type(fp, tok->id, "IPC", raw, xml); 2249 if (xml) { 2250 open_attr(fp, "ipc-type"); 2251 print_ipctype(fp, tok->tt.ipc.type, raw); 2252 close_attr(fp); 2253 open_attr(fp, "ipc-id"); 2254 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2255 close_attr(fp); 2256 close_tag(fp, tok->id); 2257 } else { 2258 print_delim(fp, del); 2259 print_ipctype(fp, tok->tt.ipc.type, raw); 2260 print_delim(fp, del); 2261 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2262 } 2263 } 2264 2265 /* 2266 * owner user id 4 bytes 2267 * owner group id 4 bytes 2268 * creator user id 4 bytes 2269 * creator group id 4 bytes 2270 * access mode 4 bytes 2271 * slot seq 4 bytes 2272 * key 4 bytes 2273 */ 2274 static int 2275 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2276 { 2277 int err = 0; 2278 2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2280 if (err) 2281 return (-1); 2282 2283 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2284 if (err) 2285 return (-1); 2286 2287 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2288 if (err) 2289 return (-1); 2290 2291 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2292 if (err) 2293 return (-1); 2294 2295 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2296 if (err) 2297 return (-1); 2298 2299 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2300 if (err) 2301 return (-1); 2302 2303 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2304 if (err) 2305 return (-1); 2306 2307 return (0); 2308 } 2309 2310 static void 2311 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2312 __unused char sfrm, int xml) 2313 { 2314 2315 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2316 if (xml) { 2317 open_attr(fp, "uid"); 2318 print_user(fp, tok->tt.ipcperm.uid, raw); 2319 close_attr(fp); 2320 open_attr(fp, "gid"); 2321 print_group(fp, tok->tt.ipcperm.gid, raw); 2322 close_attr(fp); 2323 open_attr(fp, "creator-uid"); 2324 print_user(fp, tok->tt.ipcperm.puid, raw); 2325 close_attr(fp); 2326 open_attr(fp, "creator-gid"); 2327 print_group(fp, tok->tt.ipcperm.pgid, raw); 2328 close_attr(fp); 2329 open_attr(fp, "mode"); 2330 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2331 close_attr(fp); 2332 open_attr(fp, "seq"); 2333 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2334 close_attr(fp); 2335 open_attr(fp, "key"); 2336 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2337 close_attr(fp); 2338 close_tag(fp, tok->id); 2339 } else { 2340 print_delim(fp, del); 2341 print_user(fp, tok->tt.ipcperm.uid, raw); 2342 print_delim(fp, del); 2343 print_group(fp, tok->tt.ipcperm.gid, raw); 2344 print_delim(fp, del); 2345 print_user(fp, tok->tt.ipcperm.puid, raw); 2346 print_delim(fp, del); 2347 print_group(fp, tok->tt.ipcperm.pgid, raw); 2348 print_delim(fp, del); 2349 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2350 print_delim(fp, del); 2351 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2352 print_delim(fp, del); 2353 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2354 } 2355 } 2356 2357 /* 2358 * port Ip address 2 bytes 2359 */ 2360 static int 2361 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2362 { 2363 int err = 0; 2364 2365 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2366 tok->len, err); 2367 if (err) 2368 return (-1); 2369 2370 return (0); 2371 } 2372 2373 static void 2374 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2375 __unused char sfrm, int xml) 2376 { 2377 2378 print_tok_type(fp, tok->id, "ip port", raw, xml); 2379 if (xml) { 2380 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2381 close_tag(fp, tok->id); 2382 } else { 2383 print_delim(fp, del); 2384 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2385 } 2386 } 2387 2388 /* 2389 * size 2 bytes 2390 * data size bytes 2391 */ 2392 static int 2393 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2394 { 2395 int err = 0; 2396 2397 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2398 if (err) 2399 return (-1); 2400 2401 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2402 tok->len, err); 2403 if (err) 2404 return (-1); 2405 2406 return (0); 2407 } 2408 2409 static void 2410 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2411 __unused char sfrm, int xml) 2412 { 2413 2414 print_tok_type(fp, tok->id, "opaque", raw, xml); 2415 if (xml) { 2416 print_mem(fp, (u_char*)tok->tt.opaque.data, 2417 tok->tt.opaque.size); 2418 close_tag(fp, tok->id); 2419 } else { 2420 print_delim(fp, del); 2421 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2422 print_delim(fp, del); 2423 print_mem(fp, (u_char*)tok->tt.opaque.data, 2424 tok->tt.opaque.size); 2425 } 2426 } 2427 2428 /* 2429 * size 2 bytes 2430 * data size bytes 2431 */ 2432 static int 2433 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2434 { 2435 int err = 0; 2436 2437 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2438 if (err) 2439 return (-1); 2440 2441 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2442 err); 2443 if (err) 2444 return (-1); 2445 2446 return (0); 2447 } 2448 2449 static void 2450 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2451 __unused char sfrm, int xml) 2452 { 2453 2454 print_tok_type(fp, tok->id, "path", raw, xml); 2455 if (xml) { 2456 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2457 close_tag(fp, tok->id); 2458 } else { 2459 print_delim(fp, del); 2460 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2461 } 2462 } 2463 2464 /* 2465 * token ID 1 byte 2466 * audit ID 4 bytes 2467 * euid 4 bytes 2468 * egid 4 bytes 2469 * ruid 4 bytes 2470 * rgid 4 bytes 2471 * pid 4 bytes 2472 * sessid 4 bytes 2473 * terminal ID 2474 * portid 4 bytes 2475 * machine id 4 bytes 2476 */ 2477 static int 2478 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2479 { 2480 int err = 0; 2481 2482 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2483 if (err) 2484 return (-1); 2485 2486 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2487 if (err) 2488 return (-1); 2489 2490 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2491 if (err) 2492 return (-1); 2493 2494 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2495 if (err) 2496 return (-1); 2497 2498 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2499 if (err) 2500 return (-1); 2501 2502 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2503 if (err) 2504 return (-1); 2505 2506 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2507 if (err) 2508 return (-1); 2509 2510 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2511 if (err) 2512 return (-1); 2513 2514 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2515 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2516 if (err) 2517 return (-1); 2518 2519 return (0); 2520 } 2521 2522 static void 2523 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2524 __unused char sfrm, int xml) 2525 { 2526 2527 print_tok_type(fp, tok->id, "process", raw, xml); 2528 if (xml) { 2529 open_attr(fp, "audit-uid"); 2530 print_user(fp, tok->tt.proc32.auid, raw); 2531 close_attr(fp); 2532 open_attr(fp, "uid"); 2533 print_user(fp, tok->tt.proc32.euid, raw); 2534 close_attr(fp); 2535 open_attr(fp, "gid"); 2536 print_group(fp, tok->tt.proc32.egid, raw); 2537 close_attr(fp); 2538 open_attr(fp, "ruid"); 2539 print_user(fp, tok->tt.proc32.ruid, raw); 2540 close_attr(fp); 2541 open_attr(fp, "rgid"); 2542 print_group(fp, tok->tt.proc32.rgid, raw); 2543 close_attr(fp); 2544 open_attr(fp, "pid"); 2545 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2546 close_attr(fp); 2547 open_attr(fp, "sid"); 2548 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2549 close_attr(fp); 2550 open_attr(fp, "tid"); 2551 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2552 print_ip_address(fp, tok->tt.proc32.tid.addr); 2553 close_attr(fp); 2554 close_tag(fp, tok->id); 2555 } else { 2556 print_delim(fp, del); 2557 print_user(fp, tok->tt.proc32.auid, raw); 2558 print_delim(fp, del); 2559 print_user(fp, tok->tt.proc32.euid, raw); 2560 print_delim(fp, del); 2561 print_group(fp, tok->tt.proc32.egid, raw); 2562 print_delim(fp, del); 2563 print_user(fp, tok->tt.proc32.ruid, raw); 2564 print_delim(fp, del); 2565 print_group(fp, tok->tt.proc32.rgid, raw); 2566 print_delim(fp, del); 2567 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2568 print_delim(fp, del); 2569 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2570 print_delim(fp, del); 2571 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2572 print_delim(fp, del); 2573 print_ip_address(fp, tok->tt.proc32.tid.addr); 2574 } 2575 } 2576 2577 /* 2578 * token ID 1 byte 2579 * audit ID 4 bytes 2580 * euid 4 bytes 2581 * egid 4 bytes 2582 * ruid 4 bytes 2583 * rgid 4 bytes 2584 * pid 4 bytes 2585 * sessid 4 bytes 2586 * terminal ID 2587 * portid 8 bytes 2588 * machine id 4 bytes 2589 */ 2590 static int 2591 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2592 { 2593 int err = 0; 2594 2595 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2596 if (err) 2597 return (-1); 2598 2599 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2600 if (err) 2601 return (-1); 2602 2603 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2604 if (err) 2605 return (-1); 2606 2607 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2608 if (err) 2609 return (-1); 2610 2611 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2612 if (err) 2613 return (-1); 2614 2615 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2616 if (err) 2617 return (-1); 2618 2619 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2620 if (err) 2621 return (-1); 2622 2623 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2624 if (err) 2625 return (-1); 2626 2627 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2628 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2629 if (err) 2630 return (-1); 2631 2632 return (0); 2633 } 2634 2635 static void 2636 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2637 __unused char sfrm, int xml) 2638 { 2639 print_tok_type(fp, tok->id, "process", raw, xml); 2640 if (xml) { 2641 open_attr(fp, "audit-uid"); 2642 print_user(fp, tok->tt.proc64.auid, raw); 2643 close_attr(fp); 2644 open_attr(fp, "uid"); 2645 print_user(fp, tok->tt.proc64.euid, raw); 2646 close_attr(fp); 2647 open_attr(fp, "gid"); 2648 print_group(fp, tok->tt.proc64.egid, raw); 2649 close_attr(fp); 2650 open_attr(fp, "ruid"); 2651 print_user(fp, tok->tt.proc64.ruid, raw); 2652 close_attr(fp); 2653 open_attr(fp, "rgid"); 2654 print_group(fp, tok->tt.proc64.rgid, raw); 2655 close_attr(fp); 2656 open_attr(fp, "pid"); 2657 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2658 close_attr(fp); 2659 open_attr(fp, "sid"); 2660 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2661 close_attr(fp); 2662 open_attr(fp, "tid"); 2663 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2664 print_ip_address(fp, tok->tt.proc64.tid.addr); 2665 close_attr(fp); 2666 close_tag(fp, tok->id); 2667 } else { 2668 print_delim(fp, del); 2669 print_user(fp, tok->tt.proc64.auid, raw); 2670 print_delim(fp, del); 2671 print_user(fp, tok->tt.proc64.euid, raw); 2672 print_delim(fp, del); 2673 print_group(fp, tok->tt.proc64.egid, raw); 2674 print_delim(fp, del); 2675 print_user(fp, tok->tt.proc64.ruid, raw); 2676 print_delim(fp, del); 2677 print_group(fp, tok->tt.proc64.rgid, raw); 2678 print_delim(fp, del); 2679 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2680 print_delim(fp, del); 2681 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2682 print_delim(fp, del); 2683 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2684 print_delim(fp, del); 2685 print_ip_address(fp, tok->tt.proc64.tid.addr); 2686 } 2687 } 2688 2689 /* 2690 * token ID 1 byte 2691 * audit ID 4 bytes 2692 * effective user ID 4 bytes 2693 * effective group ID 4 bytes 2694 * real user ID 4 bytes 2695 * real group ID 4 bytes 2696 * process ID 4 bytes 2697 * session ID 4 bytes 2698 * terminal ID 2699 * port ID 4 bytes 2700 * address type-len 4 bytes 2701 * machine address 16 bytes 2702 */ 2703 static int 2704 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2705 { 2706 int err = 0; 2707 2708 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2709 if (err) 2710 return (-1); 2711 2712 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2713 if (err) 2714 return (-1); 2715 2716 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2717 if (err) 2718 return (-1); 2719 2720 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2721 if (err) 2722 return (-1); 2723 2724 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2725 if (err) 2726 return (-1); 2727 2728 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2729 if (err) 2730 return (-1); 2731 2732 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2733 if (err) 2734 return (-1); 2735 2736 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2737 err); 2738 if (err) 2739 return (-1); 2740 2741 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2742 err); 2743 if (err) 2744 return (-1); 2745 2746 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2747 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2748 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2749 if (err) 2750 return (-1); 2751 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2752 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2753 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2754 if (err) 2755 return (-1); 2756 } else 2757 return (-1); 2758 2759 return (0); 2760 } 2761 2762 static void 2763 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2764 __unused char sfrm, int xml) 2765 { 2766 2767 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2768 if (xml) { 2769 open_attr(fp, "audit-uid"); 2770 print_user(fp, tok->tt.proc32_ex.auid, raw); 2771 close_attr(fp); 2772 open_attr(fp, "uid"); 2773 print_user(fp, tok->tt.proc32_ex.euid, raw); 2774 close_attr(fp); 2775 open_attr(fp, "gid"); 2776 print_group(fp, tok->tt.proc32_ex.egid, raw); 2777 close_attr(fp); 2778 open_attr(fp, "ruid"); 2779 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2780 close_attr(fp); 2781 open_attr(fp, "rgid"); 2782 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2783 close_attr(fp); 2784 open_attr(fp, "pid"); 2785 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2786 close_attr(fp); 2787 open_attr(fp, "sid"); 2788 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2789 close_attr(fp); 2790 open_attr(fp, "tid"); 2791 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2792 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2793 tok->tt.proc32_ex.tid.addr); 2794 close_attr(fp); 2795 close_tag(fp, tok->id); 2796 } else { 2797 print_delim(fp, del); 2798 print_user(fp, tok->tt.proc32_ex.auid, raw); 2799 print_delim(fp, del); 2800 print_user(fp, tok->tt.proc32_ex.euid, raw); 2801 print_delim(fp, del); 2802 print_group(fp, tok->tt.proc32_ex.egid, raw); 2803 print_delim(fp, del); 2804 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2805 print_delim(fp, del); 2806 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2807 print_delim(fp, del); 2808 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2809 print_delim(fp, del); 2810 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2811 print_delim(fp, del); 2812 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2813 print_delim(fp, del); 2814 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2815 tok->tt.proc32_ex.tid.addr); 2816 } 2817 } 2818 2819 /* 2820 * token ID 1 byte 2821 * audit ID 4 bytes 2822 * effective user ID 4 bytes 2823 * effective group ID 4 bytes 2824 * real user ID 4 bytes 2825 * real group ID 4 bytes 2826 * process ID 4 bytes 2827 * session ID 4 bytes 2828 * terminal ID 2829 * port ID 8 bytes 2830 * address type-len 4 bytes 2831 * machine address 16 bytes 2832 */ 2833 static int 2834 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2835 { 2836 int err = 0; 2837 2838 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2839 if (err) 2840 return (-1); 2841 2842 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2843 if (err) 2844 return (-1); 2845 2846 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2847 if (err) 2848 return (-1); 2849 2850 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2851 if (err) 2852 return (-1); 2853 2854 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2855 if (err) 2856 return (-1); 2857 2858 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2859 if (err) 2860 return (-1); 2861 2862 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2863 if (err) 2864 return (-1); 2865 2866 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2867 err); 2868 if (err) 2869 return (-1); 2870 2871 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2872 err); 2873 if (err) 2874 return (-1); 2875 2876 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2877 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2878 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2879 if (err) 2880 return (-1); 2881 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2882 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2883 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2884 if (err) 2885 return (-1); 2886 } else 2887 return (-1); 2888 2889 return (0); 2890 } 2891 2892 static void 2893 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2894 __unused char sfrm, int xml) 2895 { 2896 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2897 if (xml) { 2898 open_attr(fp, "audit-uid"); 2899 print_user(fp, tok->tt.proc64_ex.auid, raw); 2900 close_attr(fp); 2901 open_attr(fp, "uid"); 2902 print_user(fp, tok->tt.proc64_ex.euid, raw); 2903 close_attr(fp); 2904 open_attr(fp, "gid"); 2905 print_group(fp, tok->tt.proc64_ex.egid, raw); 2906 close_attr(fp); 2907 open_attr(fp, "ruid"); 2908 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2909 close_attr(fp); 2910 open_attr(fp, "rgid"); 2911 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2912 close_attr(fp); 2913 open_attr(fp, "pid"); 2914 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2915 close_attr(fp); 2916 open_attr(fp, "sid"); 2917 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2918 close_attr(fp); 2919 open_attr(fp, "tid"); 2920 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2921 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2922 tok->tt.proc64_ex.tid.addr); 2923 close_attr(fp); 2924 close_tag(fp, tok->id); 2925 } else { 2926 print_delim(fp, del); 2927 print_user(fp, tok->tt.proc64_ex.auid, raw); 2928 print_delim(fp, del); 2929 print_user(fp, tok->tt.proc64_ex.euid, raw); 2930 print_delim(fp, del); 2931 print_group(fp, tok->tt.proc64_ex.egid, raw); 2932 print_delim(fp, del); 2933 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2934 print_delim(fp, del); 2935 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2936 print_delim(fp, del); 2937 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2938 print_delim(fp, del); 2939 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2940 print_delim(fp, del); 2941 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2942 print_delim(fp, del); 2943 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2944 tok->tt.proc64_ex.tid.addr); 2945 } 2946 } 2947 2948 /* 2949 * errno 1 byte 2950 * return value 4 bytes 2951 */ 2952 static int 2953 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2954 { 2955 int err = 0; 2956 2957 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2958 if (err) 2959 return (-1); 2960 2961 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2962 if (err) 2963 return (-1); 2964 2965 return (0); 2966 } 2967 2968 static void 2969 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2970 __unused char sfrm, int xml) 2971 { 2972 2973 print_tok_type(fp, tok->id, "return", raw, xml); 2974 if (xml) { 2975 open_attr(fp ,"errval"); 2976 print_retval(fp, tok->tt.ret32.status, raw); 2977 close_attr(fp); 2978 open_attr(fp, "retval"); 2979 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2980 close_attr(fp); 2981 close_tag(fp, tok->id); 2982 } else { 2983 print_delim(fp, del); 2984 print_retval(fp, tok->tt.ret32.status, raw); 2985 print_delim(fp, del); 2986 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2987 } 2988 } 2989 2990 static int 2991 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2992 { 2993 int err = 0; 2994 2995 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2996 if (err) 2997 return (-1); 2998 2999 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3000 if (err) 3001 return (-1); 3002 3003 return (0); 3004 } 3005 3006 static void 3007 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3008 __unused char sfrm, int xml) 3009 { 3010 3011 print_tok_type(fp, tok->id, "return", raw, xml); 3012 if (xml) { 3013 open_attr(fp, "errval"); 3014 print_retval(fp, tok->tt.ret64.err, raw); 3015 close_attr(fp); 3016 open_attr(fp, "retval"); 3017 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3018 close_attr(fp); 3019 close_tag(fp, tok->id); 3020 } else { 3021 print_delim(fp, del); 3022 print_retval(fp, tok->tt.ret64.err, raw); 3023 print_delim(fp, del); 3024 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3025 } 3026 } 3027 3028 /* 3029 * seq 4 bytes 3030 */ 3031 static int 3032 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3033 { 3034 int err = 0; 3035 3036 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3037 if (err) 3038 return (-1); 3039 3040 return (0); 3041 } 3042 3043 static void 3044 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3045 __unused char sfrm, int xml) 3046 { 3047 3048 print_tok_type(fp, tok->id, "sequence", raw, xml); 3049 if (xml) { 3050 open_attr(fp, "seq-num"); 3051 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3052 close_attr(fp); 3053 close_tag(fp, tok->id); 3054 } else { 3055 print_delim(fp, del); 3056 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3057 } 3058 } 3059 3060 /* 3061 * socket family 2 bytes 3062 * local port 2 bytes 3063 * socket address 4 bytes 3064 */ 3065 static int 3066 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3067 { 3068 int err = 0; 3069 3070 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3071 err); 3072 if (err) 3073 return (-1); 3074 3075 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3076 sizeof(uint16_t), tok->len, err); 3077 if (err) 3078 return (-1); 3079 3080 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3081 sizeof(tok->tt.sockinet32.addr), tok->len, err); 3082 if (err) 3083 return (-1); 3084 3085 return (0); 3086 } 3087 3088 static void 3089 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3090 __unused char sfrm, int xml) 3091 { 3092 3093 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3094 if (xml) { 3095 open_attr(fp, "type"); 3096 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3097 close_attr(fp); 3098 open_attr(fp, "port"); 3099 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3100 close_attr(fp); 3101 open_attr(fp, "addr"); 3102 print_ip_address(fp, tok->tt.sockinet32.addr); 3103 close_attr(fp); 3104 close_tag(fp, tok->id); 3105 } else { 3106 print_delim(fp, del); 3107 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3108 print_delim(fp, del); 3109 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3110 print_delim(fp, del); 3111 print_ip_address(fp, tok->tt.sockinet32.addr); 3112 } 3113 } 3114 3115 /* 3116 * socket family 2 bytes 3117 * path 104 bytes 3118 */ 3119 static int 3120 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3121 { 3122 int err = 0; 3123 3124 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3125 if (err) 3126 return (-1); 3127 3128 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3129 err); 3130 if (err) 3131 return (-1); 3132 3133 return (0); 3134 } 3135 3136 static void 3137 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3138 __unused char sfrm, int xml) 3139 { 3140 3141 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3142 if (xml) { 3143 open_attr(fp, "type"); 3144 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3145 close_attr(fp); 3146 open_attr(fp, "port"); 3147 close_attr(fp); 3148 open_attr(fp, "addr"); 3149 print_string(fp, tok->tt.sockunix.path, 3150 strlen(tok->tt.sockunix.path)); 3151 close_attr(fp); 3152 close_tag(fp, tok->id); 3153 } else { 3154 print_delim(fp, del); 3155 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3156 print_delim(fp, del); 3157 print_string(fp, tok->tt.sockunix.path, 3158 strlen(tok->tt.sockunix.path)); 3159 } 3160 } 3161 3162 /* 3163 * socket type 2 bytes 3164 * local port 2 bytes 3165 * local address 4 bytes 3166 * remote port 2 bytes 3167 * remote address 4 bytes 3168 */ 3169 static int 3170 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3171 { 3172 int err = 0; 3173 3174 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3175 if (err) 3176 return (-1); 3177 3178 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3179 tok->len, err); 3180 if (err) 3181 return (-1); 3182 3183 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3184 sizeof(tok->tt.socket.l_addr), tok->len, err); 3185 if (err) 3186 return (-1); 3187 3188 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3189 tok->len, err); 3190 if (err) 3191 return (-1); 3192 3193 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3194 sizeof(tok->tt.socket.r_addr), tok->len, err); 3195 if (err) 3196 return (-1); 3197 3198 return (0); 3199 } 3200 3201 static void 3202 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3203 __unused char sfrm, int xml) 3204 { 3205 3206 print_tok_type(fp, tok->id, "socket", raw, xml); 3207 if (xml) { 3208 open_attr(fp, "sock_type"); 3209 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3210 close_attr(fp); 3211 open_attr(fp, "lport"); 3212 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3213 close_attr(fp); 3214 open_attr(fp, "laddr"); 3215 print_ip_address(fp, tok->tt.socket.l_addr); 3216 close_attr(fp); 3217 open_attr(fp, "fport"); 3218 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3219 close_attr(fp); 3220 open_attr(fp, "faddr"); 3221 print_ip_address(fp, tok->tt.socket.r_addr); 3222 close_attr(fp); 3223 close_tag(fp, tok->id); 3224 } else { 3225 print_delim(fp, del); 3226 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3227 print_delim(fp, del); 3228 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3229 print_delim(fp, del); 3230 print_ip_address(fp, tok->tt.socket.l_addr); 3231 print_delim(fp, del); 3232 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3233 print_delim(fp, del); 3234 print_ip_address(fp, tok->tt.socket.r_addr); 3235 } 3236 } 3237 3238 /* 3239 * audit ID 4 bytes 3240 * euid 4 bytes 3241 * egid 4 bytes 3242 * ruid 4 bytes 3243 * rgid 4 bytes 3244 * pid 4 bytes 3245 * sessid 4 bytes 3246 * terminal ID 3247 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3248 * machine id 4 bytes 3249 */ 3250 static int 3251 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3252 { 3253 int err = 0; 3254 3255 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3256 if (err) 3257 return (-1); 3258 3259 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3260 if (err) 3261 return (-1); 3262 3263 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3264 if (err) 3265 return (-1); 3266 3267 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3268 if (err) 3269 return (-1); 3270 3271 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3272 if (err) 3273 return (-1); 3274 3275 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3276 if (err) 3277 return (-1); 3278 3279 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3280 if (err) 3281 return (-1); 3282 3283 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3284 if (err) 3285 return (-1); 3286 3287 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3288 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3289 if (err) 3290 return (-1); 3291 3292 return (0); 3293 } 3294 3295 static void 3296 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3297 __unused char sfrm, int xml) 3298 { 3299 3300 print_tok_type(fp, tok->id, "subject", raw, xml); 3301 if (xml) { 3302 open_attr(fp, "audit-uid"); 3303 print_user(fp, tok->tt.subj32.auid, raw); 3304 close_attr(fp); 3305 open_attr(fp, "uid"); 3306 print_user(fp, tok->tt.subj32.euid, raw); 3307 close_attr(fp); 3308 open_attr(fp, "gid"); 3309 print_group(fp, tok->tt.subj32.egid, raw); 3310 close_attr(fp); 3311 open_attr(fp, "ruid"); 3312 print_user(fp, tok->tt.subj32.ruid, raw); 3313 close_attr(fp); 3314 open_attr(fp, "rgid"); 3315 print_group(fp, tok->tt.subj32.rgid, raw); 3316 close_attr(fp); 3317 open_attr(fp,"pid"); 3318 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3319 close_attr(fp); 3320 open_attr(fp,"sid"); 3321 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3322 close_attr(fp); 3323 open_attr(fp,"tid"); 3324 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3325 print_ip_address(fp, tok->tt.subj32.tid.addr); 3326 close_attr(fp); 3327 close_tag(fp, tok->id); 3328 } else { 3329 print_delim(fp, del); 3330 print_user(fp, tok->tt.subj32.auid, raw); 3331 print_delim(fp, del); 3332 print_user(fp, tok->tt.subj32.euid, raw); 3333 print_delim(fp, del); 3334 print_group(fp, tok->tt.subj32.egid, raw); 3335 print_delim(fp, del); 3336 print_user(fp, tok->tt.subj32.ruid, raw); 3337 print_delim(fp, del); 3338 print_group(fp, tok->tt.subj32.rgid, raw); 3339 print_delim(fp, del); 3340 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3341 print_delim(fp, del); 3342 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3343 print_delim(fp, del); 3344 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3345 print_delim(fp, del); 3346 print_ip_address(fp, tok->tt.subj32.tid.addr); 3347 } 3348 } 3349 3350 /* 3351 * audit ID 4 bytes 3352 * euid 4 bytes 3353 * egid 4 bytes 3354 * ruid 4 bytes 3355 * rgid 4 bytes 3356 * pid 4 bytes 3357 * sessid 4 bytes 3358 * terminal ID 3359 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3360 * machine id 4 bytes 3361 */ 3362 static int 3363 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3364 { 3365 int err = 0; 3366 3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3368 if (err) 3369 return (-1); 3370 3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3372 if (err) 3373 return (-1); 3374 3375 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3376 if (err) 3377 return (-1); 3378 3379 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3380 if (err) 3381 return (-1); 3382 3383 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3384 if (err) 3385 return (-1); 3386 3387 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3388 if (err) 3389 return (-1); 3390 3391 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3392 if (err) 3393 return (-1); 3394 3395 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3396 if (err) 3397 return (-1); 3398 3399 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3400 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3401 if (err) 3402 return (-1); 3403 3404 return (0); 3405 } 3406 3407 static void 3408 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3409 __unused char sfrm, int xml) 3410 { 3411 3412 print_tok_type(fp, tok->id, "subject", raw, xml); 3413 if (xml) { 3414 open_attr(fp, "audit-uid"); 3415 print_user(fp, tok->tt.subj64.auid, raw); 3416 close_attr(fp); 3417 open_attr(fp, "uid"); 3418 print_user(fp, tok->tt.subj64.euid, raw); 3419 close_attr(fp); 3420 open_attr(fp, "gid"); 3421 print_group(fp, tok->tt.subj64.egid, raw); 3422 close_attr(fp); 3423 open_attr(fp, "ruid"); 3424 print_user(fp, tok->tt.subj64.ruid, raw); 3425 close_attr(fp); 3426 open_attr(fp, "rgid"); 3427 print_group(fp, tok->tt.subj64.rgid, raw); 3428 close_attr(fp); 3429 open_attr(fp, "pid"); 3430 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3431 close_attr(fp); 3432 open_attr(fp, "sid"); 3433 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3434 close_attr(fp); 3435 open_attr(fp, "tid"); 3436 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3437 print_ip_address(fp, tok->tt.subj64.tid.addr); 3438 close_attr(fp); 3439 close_tag(fp, tok->id); 3440 } else { 3441 print_delim(fp, del); 3442 print_user(fp, tok->tt.subj64.auid, raw); 3443 print_delim(fp, del); 3444 print_user(fp, tok->tt.subj64.euid, raw); 3445 print_delim(fp, del); 3446 print_group(fp, tok->tt.subj64.egid, raw); 3447 print_delim(fp, del); 3448 print_user(fp, tok->tt.subj64.ruid, raw); 3449 print_delim(fp, del); 3450 print_group(fp, tok->tt.subj64.rgid, raw); 3451 print_delim(fp, del); 3452 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3453 print_delim(fp, del); 3454 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3455 print_delim(fp, del); 3456 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3457 print_delim(fp, del); 3458 print_ip_address(fp, tok->tt.subj64.tid.addr); 3459 } 3460 } 3461 3462 /* 3463 * audit ID 4 bytes 3464 * euid 4 bytes 3465 * egid 4 bytes 3466 * ruid 4 bytes 3467 * rgid 4 bytes 3468 * pid 4 bytes 3469 * sessid 4 bytes 3470 * terminal ID 3471 * portid 4 bytes 3472 * type 4 bytes 3473 * machine id 16 bytes 3474 */ 3475 static int 3476 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3477 { 3478 int err = 0; 3479 3480 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3481 if (err) 3482 return (-1); 3483 3484 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3485 if (err) 3486 return (-1); 3487 3488 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3489 if (err) 3490 return (-1); 3491 3492 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3493 if (err) 3494 return (-1); 3495 3496 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3497 if (err) 3498 return (-1); 3499 3500 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3501 if (err) 3502 return (-1); 3503 3504 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3505 if (err) 3506 return (-1); 3507 3508 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3509 err); 3510 if (err) 3511 return (-1); 3512 3513 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3514 err); 3515 if (err) 3516 return (-1); 3517 3518 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3519 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3520 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3521 if (err) 3522 return (-1); 3523 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3524 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3525 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3526 if (err) 3527 return (-1); 3528 } else 3529 return (-1); 3530 3531 return (0); 3532 } 3533 3534 static void 3535 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3536 __unused char sfrm, int xml) 3537 { 3538 3539 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3540 if (xml) { 3541 open_attr(fp, "audit-uid"); 3542 print_user(fp, tok->tt.subj32_ex.auid, raw); 3543 close_attr(fp); 3544 open_attr(fp, "uid"); 3545 print_user(fp, tok->tt.subj32_ex.euid, raw); 3546 close_attr(fp); 3547 open_attr(fp, "gid"); 3548 print_group(fp, tok->tt.subj32_ex.egid, raw); 3549 close_attr(fp); 3550 open_attr(fp, "ruid"); 3551 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3552 close_attr(fp); 3553 open_attr(fp, "rgid"); 3554 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3555 close_attr(fp); 3556 open_attr(fp, "pid"); 3557 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3558 close_attr(fp); 3559 open_attr(fp, "sid"); 3560 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3561 close_attr(fp); 3562 open_attr(fp, "tid"); 3563 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3564 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3565 tok->tt.subj32_ex.tid.addr); 3566 close_attr(fp); 3567 close_tag(fp, tok->id); 3568 } else { 3569 print_delim(fp, del); 3570 print_user(fp, tok->tt.subj32_ex.auid, raw); 3571 print_delim(fp, del); 3572 print_user(fp, tok->tt.subj32_ex.euid, raw); 3573 print_delim(fp, del); 3574 print_group(fp, tok->tt.subj32_ex.egid, raw); 3575 print_delim(fp, del); 3576 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3577 print_delim(fp, del); 3578 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3579 print_delim(fp, del); 3580 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3581 print_delim(fp, del); 3582 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3583 print_delim(fp, del); 3584 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3585 print_delim(fp, del); 3586 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3587 tok->tt.subj32_ex.tid.addr); 3588 } 3589 } 3590 3591 /* 3592 * audit ID 4 bytes 3593 * euid 4 bytes 3594 * egid 4 bytes 3595 * ruid 4 bytes 3596 * rgid 4 bytes 3597 * pid 4 bytes 3598 * sessid 4 bytes 3599 * terminal ID 3600 * portid 8 bytes 3601 * type 4 bytes 3602 * machine id 16 bytes 3603 */ 3604 static int 3605 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3606 { 3607 int err = 0; 3608 3609 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3610 if (err) 3611 return (-1); 3612 3613 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3614 if (err) 3615 return (-1); 3616 3617 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3618 if (err) 3619 return (-1); 3620 3621 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3622 if (err) 3623 return (-1); 3624 3625 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3626 if (err) 3627 return (-1); 3628 3629 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3630 if (err) 3631 return (-1); 3632 3633 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3634 if (err) 3635 return (-1); 3636 3637 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3638 err); 3639 if (err) 3640 return (-1); 3641 3642 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3643 err); 3644 if (err) 3645 return (-1); 3646 3647 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3648 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3649 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3650 if (err) 3651 return (-1); 3652 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3653 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3654 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3655 if (err) 3656 return (-1); 3657 } else 3658 return (-1); 3659 3660 return (0); 3661 } 3662 3663 static void 3664 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3665 __unused char sfrm, int xml) 3666 { 3667 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3668 if (xml) { 3669 open_attr(fp, "audit-uid"); 3670 print_user(fp, tok->tt.subj64_ex.auid, raw); 3671 close_attr(fp); 3672 open_attr(fp, "uid"); 3673 print_user(fp, tok->tt.subj64_ex.euid, raw); 3674 close_attr(fp); 3675 open_attr(fp, "gid"); 3676 print_group(fp, tok->tt.subj64_ex.egid, raw); 3677 close_attr(fp); 3678 open_attr(fp, "ruid"); 3679 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3680 close_attr(fp); 3681 open_attr(fp, "rgid"); 3682 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3683 close_attr(fp); 3684 open_attr(fp, "pid"); 3685 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3686 close_attr(fp); 3687 open_attr(fp, "sid"); 3688 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3689 close_attr(fp); 3690 open_attr(fp, "tid"); 3691 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3692 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3693 tok->tt.subj64_ex.tid.addr); 3694 close_attr(fp); 3695 close_tag(fp, tok->id); 3696 } else { 3697 print_delim(fp, del); 3698 print_user(fp, tok->tt.subj64_ex.auid, raw); 3699 print_delim(fp, del); 3700 print_user(fp, tok->tt.subj64_ex.euid, raw); 3701 print_delim(fp, del); 3702 print_group(fp, tok->tt.subj64_ex.egid, raw); 3703 print_delim(fp, del); 3704 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3705 print_delim(fp, del); 3706 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3707 print_delim(fp, del); 3708 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3709 print_delim(fp, del); 3710 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3711 print_delim(fp, del); 3712 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3713 print_delim(fp, del); 3714 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3715 tok->tt.subj64_ex.tid.addr); 3716 } 3717 } 3718 3719 /* 3720 * size 2 bytes 3721 * data size bytes 3722 */ 3723 static int 3724 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3725 { 3726 int err = 0; 3727 3728 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3729 if (err) 3730 return (-1); 3731 3732 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3733 err); 3734 if (err) 3735 return (-1); 3736 3737 return (0); 3738 } 3739 3740 static void 3741 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3742 __unused char sfrm, int xml) 3743 { 3744 3745 print_tok_type(fp, tok->id, "text", raw, xml); 3746 if (xml) { 3747 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3748 close_tag(fp, tok->id); 3749 } else { 3750 print_delim(fp, del); 3751 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3752 } 3753 } 3754 3755 /* 3756 * socket domain 2 bytes 3757 * socket type 2 bytes 3758 * address type 2 bytes 3759 * local port 2 bytes 3760 * local Internet address 4/16 bytes 3761 * remote port 2 bytes 3762 * remote Internet address 4/16 bytes 3763 */ 3764 static int 3765 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3766 { 3767 int err = 0; 3768 3769 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3770 err); 3771 if (err) 3772 return (-1); 3773 3774 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3775 err); 3776 if (err) 3777 return (-1); 3778 3779 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3780 err); 3781 if (err) 3782 return (-1); 3783 3784 if (tok->tt.socket_ex32.atype != AU_IPv4 && 3785 tok->tt.socket_ex32.atype != AU_IPv6) 3786 return (-1); 3787 3788 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3789 sizeof(uint16_t), tok->len, err); 3790 if (err) 3791 return (-1); 3792 3793 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3794 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3795 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3796 if (err) 3797 return (-1); 3798 } else { 3799 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3800 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3801 if (err) 3802 return (-1); 3803 } 3804 3805 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3806 sizeof(uint16_t), tok->len, err); 3807 if (err) 3808 return (-1); 3809 3810 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3811 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3812 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3813 if (err) 3814 return (-1); 3815 } else { 3816 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3817 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3818 if (err) 3819 return (-1); 3820 } 3821 3822 return (0); 3823 } 3824 3825 static void 3826 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3827 __unused char sfrm, int xml) 3828 { 3829 3830 /* 3831 * This print routine prints BSM constant space domains and socket 3832 * types rather than converting them. If we add string printers for 3833 * these constants in the future, we may want to call conversion 3834 * routines. 3835 */ 3836 print_tok_type(fp, tok->id, "socket", raw, xml); 3837 if (xml) { 3838 open_attr(fp, "sock_dom"); 3839 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3840 close_attr(fp); 3841 open_attr(fp, "sock_type"); 3842 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3843 close_attr(fp); 3844 open_attr(fp, "lport"); 3845 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3846 close_attr(fp); 3847 open_attr(fp, "laddr"); 3848 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3849 tok->tt.socket_ex32.l_addr); 3850 close_attr(fp); 3851 open_attr(fp, "faddr"); 3852 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3853 tok->tt.socket_ex32.r_addr); 3854 close_attr(fp); 3855 open_attr(fp, "fport"); 3856 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3857 close_attr(fp); 3858 close_tag(fp, tok->id); 3859 } else { 3860 print_delim(fp, del); 3861 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3862 print_delim(fp, del); 3863 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3864 print_delim(fp, del); 3865 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3866 print_delim(fp, del); 3867 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3868 tok->tt.socket_ex32.l_addr); 3869 print_delim(fp, del); 3870 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3871 print_delim(fp, del); 3872 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3873 tok->tt.socket_ex32.r_addr); 3874 } 3875 } 3876 3877 static int 3878 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3879 { 3880 int err = 0; 3881 int recoversize; 3882 3883 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3884 if (recoversize <= 0) 3885 return (-1); 3886 3887 tok->tt.invalid.length = recoversize; 3888 3889 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3890 err); 3891 if (err) 3892 return (-1); 3893 3894 return (0); 3895 } 3896 3897 static void 3898 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3899 __unused char sfrm, int xml) 3900 { 3901 3902 if (!xml) { 3903 print_tok_type(fp, tok->id, "unknown", raw, 0); 3904 print_delim(fp, del); 3905 print_mem(fp, (u_char*)tok->tt.invalid.data, 3906 tok->tt.invalid.length); 3907 } 3908 } 3909 3910 3911 /* 3912 * size 2 bytes; 3913 * zonename size bytes; 3914 */ 3915 static int 3916 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3917 { 3918 int err = 0; 3919 3920 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3921 if (err) 3922 return (-1); 3923 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3924 tok->len, err); 3925 if (err) 3926 return (-1); 3927 return (0); 3928 } 3929 3930 static void 3931 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3932 __unused char sfrm, int xml) 3933 { 3934 3935 print_tok_type(fp, tok->id, "zone", raw, xml); 3936 if (xml) { 3937 open_attr(fp, "name"); 3938 print_string(fp, tok->tt.zonename.zonename, 3939 tok->tt.zonename.len); 3940 close_attr(fp); 3941 close_tag(fp, tok->id); 3942 } else { 3943 print_delim(fp, del); 3944 print_string(fp, tok->tt.zonename.zonename, 3945 tok->tt.zonename.len); 3946 } 3947 } 3948 3949 /* 3950 * Reads the token beginning at buf into tok. 3951 */ 3952 int 3953 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3954 { 3955 3956 if (len <= 0) 3957 return (-1); 3958 3959 tok->len = 1; 3960 tok->data = buf; 3961 tok->id = *buf; 3962 3963 switch(tok->id) { 3964 case AUT_HEADER32: 3965 return (fetch_header32_tok(tok, buf, len)); 3966 3967 case AUT_HEADER32_EX: 3968 return (fetch_header32_ex_tok(tok, buf, len)); 3969 3970 case AUT_HEADER64: 3971 return (fetch_header64_tok(tok, buf, len)); 3972 3973 case AUT_HEADER64_EX: 3974 return (fetch_header64_ex_tok(tok, buf, len)); 3975 3976 case AUT_TRAILER: 3977 return (fetch_trailer_tok(tok, buf, len)); 3978 3979 case AUT_ARG32: 3980 return (fetch_arg32_tok(tok, buf, len)); 3981 3982 case AUT_ARG64: 3983 return (fetch_arg64_tok(tok, buf, len)); 3984 3985 case AUT_ATTR32: 3986 return (fetch_attr32_tok(tok, buf, len)); 3987 3988 case AUT_ATTR64: 3989 return (fetch_attr64_tok(tok, buf, len)); 3990 3991 case AUT_EXIT: 3992 return (fetch_exit_tok(tok, buf, len)); 3993 3994 case AUT_EXEC_ARGS: 3995 return (fetch_execarg_tok(tok, buf, len)); 3996 3997 case AUT_EXEC_ENV: 3998 return (fetch_execenv_tok(tok, buf, len)); 3999 4000 case AUT_OTHER_FILE32: 4001 return (fetch_file_tok(tok, buf, len)); 4002 4003 case AUT_NEWGROUPS: 4004 return (fetch_newgroups_tok(tok, buf, len)); 4005 4006 case AUT_IN_ADDR: 4007 return (fetch_inaddr_tok(tok, buf, len)); 4008 4009 case AUT_IN_ADDR_EX: 4010 return (fetch_inaddr_ex_tok(tok, buf, len)); 4011 4012 case AUT_IP: 4013 return (fetch_ip_tok(tok, buf, len)); 4014 4015 case AUT_IPC: 4016 return (fetch_ipc_tok(tok, buf, len)); 4017 4018 case AUT_IPC_PERM: 4019 return (fetch_ipcperm_tok(tok, buf, len)); 4020 4021 case AUT_IPORT: 4022 return (fetch_iport_tok(tok, buf, len)); 4023 4024 case AUT_OPAQUE: 4025 return (fetch_opaque_tok(tok, buf, len)); 4026 4027 case AUT_PATH: 4028 return (fetch_path_tok(tok, buf, len)); 4029 4030 case AUT_PROCESS32: 4031 return (fetch_process32_tok(tok, buf, len)); 4032 4033 case AUT_PROCESS32_EX: 4034 return (fetch_process32ex_tok(tok, buf, len)); 4035 4036 case AUT_PROCESS64: 4037 return (fetch_process64_tok(tok, buf, len)); 4038 4039 case AUT_PROCESS64_EX: 4040 return (fetch_process64ex_tok(tok, buf, len)); 4041 4042 case AUT_RETURN32: 4043 return (fetch_return32_tok(tok, buf, len)); 4044 4045 case AUT_RETURN64: 4046 return (fetch_return64_tok(tok, buf, len)); 4047 4048 case AUT_SEQ: 4049 return (fetch_seq_tok(tok, buf, len)); 4050 4051 case AUT_SOCKET: 4052 return (fetch_socket_tok(tok, buf, len)); 4053 4054 case AUT_SOCKINET32: 4055 return (fetch_sock_inet32_tok(tok, buf, len)); 4056 4057 case AUT_SOCKUNIX: 4058 return (fetch_sock_unix_tok(tok, buf, len)); 4059 4060 case AUT_SUBJECT32: 4061 return (fetch_subject32_tok(tok, buf, len)); 4062 4063 case AUT_SUBJECT32_EX: 4064 return (fetch_subject32ex_tok(tok, buf, len)); 4065 4066 case AUT_SUBJECT64: 4067 return (fetch_subject64_tok(tok, buf, len)); 4068 4069 case AUT_SUBJECT64_EX: 4070 return (fetch_subject64ex_tok(tok, buf, len)); 4071 4072 case AUT_TEXT: 4073 return (fetch_text_tok(tok, buf, len)); 4074 4075 case AUT_SOCKET_EX: 4076 return (fetch_socketex32_tok(tok, buf, len)); 4077 4078 case AUT_DATA: 4079 return (fetch_arb_tok(tok, buf, len)); 4080 4081 case AUT_ZONENAME: 4082 return (fetch_zonename_tok(tok, buf, len)); 4083 4084 default: 4085 return (fetch_invalid_tok(tok, buf, len)); 4086 } 4087 } 4088 4089 /* 4090 * 'prints' the token out to outfp. 4091 */ 4092 void 4093 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4094 { 4095 4096 switch(tok->id) { 4097 case AUT_HEADER32: 4098 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4099 return; 4100 4101 case AUT_HEADER32_EX: 4102 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4103 return; 4104 4105 case AUT_HEADER64: 4106 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4107 return; 4108 4109 case AUT_HEADER64_EX: 4110 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4111 return; 4112 4113 case AUT_TRAILER: 4114 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4115 return; 4116 4117 case AUT_ARG32: 4118 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4119 return; 4120 4121 case AUT_ARG64: 4122 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4123 return; 4124 4125 case AUT_DATA: 4126 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4127 return; 4128 4129 case AUT_ATTR32: 4130 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4131 return; 4132 4133 case AUT_ATTR64: 4134 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4135 return; 4136 4137 case AUT_EXIT: 4138 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4139 return; 4140 4141 case AUT_EXEC_ARGS: 4142 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4143 return; 4144 4145 case AUT_EXEC_ENV: 4146 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4147 return; 4148 4149 case AUT_OTHER_FILE32: 4150 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4151 return; 4152 4153 case AUT_NEWGROUPS: 4154 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4155 return; 4156 4157 case AUT_IN_ADDR: 4158 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4159 return; 4160 4161 case AUT_IN_ADDR_EX: 4162 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4163 return; 4164 4165 case AUT_IP: 4166 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4167 return; 4168 4169 case AUT_IPC: 4170 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4171 return; 4172 4173 case AUT_IPC_PERM: 4174 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4175 return; 4176 4177 case AUT_IPORT: 4178 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4179 return; 4180 4181 case AUT_OPAQUE: 4182 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4183 return; 4184 4185 case AUT_PATH: 4186 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4187 return; 4188 4189 case AUT_PROCESS32: 4190 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4191 return; 4192 4193 case AUT_PROCESS32_EX: 4194 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4195 return; 4196 4197 case AUT_PROCESS64: 4198 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4199 return; 4200 4201 case AUT_PROCESS64_EX: 4202 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4203 return; 4204 4205 case AUT_RETURN32: 4206 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4207 return; 4208 4209 case AUT_RETURN64: 4210 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4211 return; 4212 4213 case AUT_SEQ: 4214 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4215 return; 4216 4217 case AUT_SOCKET: 4218 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4219 return; 4220 4221 case AUT_SOCKINET32: 4222 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4223 return; 4224 4225 case AUT_SOCKUNIX: 4226 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4227 return; 4228 4229 case AUT_SUBJECT32: 4230 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4231 return; 4232 4233 case AUT_SUBJECT64: 4234 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4235 return; 4236 4237 case AUT_SUBJECT32_EX: 4238 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4239 return; 4240 4241 case AUT_SUBJECT64_EX: 4242 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4243 return; 4244 4245 case AUT_TEXT: 4246 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4247 return; 4248 4249 case AUT_SOCKET_EX: 4250 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4251 return; 4252 4253 case AUT_ZONENAME: 4254 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4255 return; 4256 4257 default: 4258 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4259 } 4260 } 4261 4262 /* 4263 * 'prints' the token out to outfp in XML format. 4264 */ 4265 void 4266 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4267 char sfrm) 4268 { 4269 4270 switch(tok->id) { 4271 case AUT_HEADER32: 4272 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4273 return; 4274 4275 case AUT_HEADER32_EX: 4276 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4277 return; 4278 4279 case AUT_HEADER64: 4280 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4281 return; 4282 4283 case AUT_HEADER64_EX: 4284 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4285 return; 4286 4287 case AUT_TRAILER: 4288 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4289 return; 4290 4291 case AUT_ARG32: 4292 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4293 return; 4294 4295 case AUT_ARG64: 4296 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4297 return; 4298 4299 case AUT_DATA: 4300 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4301 return; 4302 4303 case AUT_ATTR32: 4304 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4305 return; 4306 4307 case AUT_ATTR64: 4308 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4309 return; 4310 4311 case AUT_EXIT: 4312 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4313 return; 4314 4315 case AUT_EXEC_ARGS: 4316 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4317 return; 4318 4319 case AUT_EXEC_ENV: 4320 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4321 return; 4322 4323 case AUT_OTHER_FILE32: 4324 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4325 return; 4326 4327 case AUT_NEWGROUPS: 4328 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4329 return; 4330 4331 case AUT_IN_ADDR: 4332 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4333 return; 4334 4335 case AUT_IN_ADDR_EX: 4336 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4337 return; 4338 4339 case AUT_IP: 4340 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4341 return; 4342 4343 case AUT_IPC: 4344 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4345 return; 4346 4347 case AUT_IPC_PERM: 4348 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4349 return; 4350 4351 case AUT_IPORT: 4352 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4353 return; 4354 4355 case AUT_OPAQUE: 4356 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4357 return; 4358 4359 case AUT_PATH: 4360 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4361 return; 4362 4363 case AUT_PROCESS32: 4364 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4365 return; 4366 4367 case AUT_PROCESS32_EX: 4368 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4369 return; 4370 4371 case AUT_PROCESS64: 4372 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4373 return; 4374 4375 case AUT_PROCESS64_EX: 4376 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4377 return; 4378 4379 case AUT_RETURN32: 4380 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4381 return; 4382 4383 case AUT_RETURN64: 4384 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4385 return; 4386 4387 case AUT_SEQ: 4388 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4389 return; 4390 4391 case AUT_SOCKET: 4392 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4393 return; 4394 4395 case AUT_SOCKINET32: 4396 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4397 return; 4398 4399 case AUT_SOCKUNIX: 4400 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4401 return; 4402 4403 case AUT_SUBJECT32: 4404 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4405 return; 4406 4407 case AUT_SUBJECT64: 4408 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4409 return; 4410 4411 case AUT_SUBJECT32_EX: 4412 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4413 return; 4414 4415 case AUT_SUBJECT64_EX: 4416 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4417 return; 4418 4419 case AUT_TEXT: 4420 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4421 return; 4422 4423 case AUT_SOCKET_EX: 4424 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4425 return; 4426 4427 case AUT_ZONENAME: 4428 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4429 return; 4430 4431 default: 4432 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4433 } 4434 } 4435 4436 /* 4437 * Read a record from the file pointer, store data in buf memory for buf is 4438 * also allocated in this function and has to be free'd outside this call. 4439 * 4440 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4441 * complete audit record. 4442 * 4443 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4444 * state, because it will be partly offset into a record. We should rewind 4445 * or do something more intelligent. Particularly interesting is the case 4446 * where we perform a partial read of a record from a non-blockable file 4447 * descriptor. We should return the partial read and continue...? 4448 */ 4449 int 4450 au_read_rec(FILE *fp, u_char **buf) 4451 { 4452 u_char *bptr; 4453 u_int32_t recsize; 4454 u_int32_t bytestoread; 4455 u_char type; 4456 4457 u_int32_t sec, msec; 4458 u_int16_t filenamelen; 4459 4460 type = fgetc(fp); 4461 4462 switch (type) { 4463 case AUT_HEADER32: 4464 case AUT_HEADER32_EX: 4465 case AUT_HEADER64: 4466 case AUT_HEADER64_EX: 4467 /* read the record size from the token */ 4468 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4469 sizeof(u_int32_t)) { 4470 errno = EINVAL; 4471 return (-1); 4472 } 4473 recsize = be32toh(recsize); 4474 4475 /* Check for recsize sanity */ 4476 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4477 errno = EINVAL; 4478 return (-1); 4479 } 4480 4481 *buf = malloc(recsize * sizeof(u_char)); 4482 if (*buf == NULL) 4483 return (-1); 4484 bptr = *buf; 4485 memset(bptr, 0, recsize); 4486 4487 /* store the token contents already read, back to the buffer*/ 4488 *bptr = type; 4489 bptr++; 4490 be32enc(bptr, recsize); 4491 bptr += sizeof(u_int32_t); 4492 4493 /* now read remaining record bytes */ 4494 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4495 4496 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4497 free(*buf); 4498 errno = EINVAL; 4499 return (-1); 4500 } 4501 break; 4502 4503 case AUT_OTHER_FILE32: 4504 /* 4505 * The file token is variable-length, as it includes a 4506 * pathname. As a result, we have to read incrementally 4507 * until we know the total length, then allocate space and 4508 * read the rest. 4509 */ 4510 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4511 errno = EINVAL; 4512 return (-1); 4513 } 4514 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4515 errno = EINVAL; 4516 return (-1); 4517 } 4518 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4519 sizeof(filenamelen)) { 4520 errno = EINVAL; 4521 return (-1); 4522 } 4523 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4524 sizeof(filenamelen) + ntohs(filenamelen); 4525 *buf = malloc(recsize); 4526 if (*buf == NULL) 4527 return (-1); 4528 bptr = *buf; 4529 4530 bcopy(&type, bptr, sizeof(type)); 4531 bptr += sizeof(type); 4532 bcopy(&sec, bptr, sizeof(sec)); 4533 bptr += sizeof(sec); 4534 bcopy(&msec, bptr, sizeof(msec)); 4535 bptr += sizeof(msec); 4536 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4537 bptr += sizeof(filenamelen); 4538 4539 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4540 ntohs(filenamelen)) { 4541 free(buf); 4542 errno = EINVAL; 4543 return (-1); 4544 } 4545 break; 4546 4547 default: 4548 errno = EINVAL; 4549 return (-1); 4550 } 4551 4552 return (recsize); 4553 } 4554