1 /* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#50 $ 36 */ 37 38 #include <sys/types.h> 39 40 #include <config/config.h> 41 #ifdef HAVE_SYS_ENDIAN_H 42 #include <sys/endian.h> 43 #else /* !HAVE_SYS_ENDIAN_H */ 44 #ifdef HAVE_MACHINE_ENDIAN_H 45 #include <machine/endian.h> 46 #else /* !HAVE_MACHINE_ENDIAN_H */ 47 #ifdef HAVE_ENDIAN_H 48 #include <endian.h> 49 #else /* !HAVE_ENDIAN_H */ 50 #error "No supported endian.h" 51 #endif /* !HAVE_ENDIAN_H */ 52 #endif /* !HAVE_MACHINE_ENDIAN_H */ 53 #include <compat/endian.h> 54 #endif /* !HAVE_SYS_ENDIAN_H */ 55 #ifdef HAVE_FULL_QUEUE_H 56 #include <sys/queue.h> 57 #else /* !HAVE_FULL_QUEUE_H */ 58 #include <compat/queue.h> 59 #endif /* !HAVE_FULL_QUEUE_H */ 60 61 #include <sys/stat.h> 62 #include <sys/socket.h> 63 64 #include <bsm/libbsm.h> 65 66 #include <unistd.h> 67 #include <netinet/in.h> 68 #include <arpa/inet.h> 69 #include <errno.h> 70 #include <time.h> 71 #include <stdlib.h> 72 #include <stdio.h> 73 #include <string.h> 74 #include <pwd.h> 75 #include <grp.h> 76 77 #include <bsm/audit_internal.h> 78 79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if (bytesread + size > len) { \ 81 err = 1; \ 82 } else { \ 83 memcpy(dest, buf + bytesread, size); \ 84 bytesread += size; \ 85 } \ 86 } while (0) 87 88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if (bytesread + sizeof(u_char) <= len) { \ 90 dest = buf[bytesread]; \ 91 bytesread += sizeof(u_char); \ 92 } else \ 93 err = 1; \ 94 } while (0) 95 96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if (bytesread + sizeof(u_int16_t) <= len) { \ 98 dest = be16dec(buf + bytesread); \ 99 bytesread += sizeof(u_int16_t); \ 100 } else \ 101 err = 1; \ 102 } while (0) 103 104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if (bytesread + sizeof(u_int32_t) <= len) { \ 106 dest = be32dec(buf + bytesread); \ 107 bytesread += sizeof(u_int32_t); \ 108 } else \ 109 err = 1; \ 110 } while (0) 111 112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if (bytesread + sizeof(u_int64_t) <= len) { \ 114 dest = be64dec(buf + bytesread); \ 115 bytesread += sizeof(u_int64_t); \ 116 } else \ 117 err = 1; \ 118 } while (0) 119 120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127 } while (0) 128 129 /* 130 * XML option. 131 */ 132 #define AU_PLAIN 0 133 #define AU_XML 1 134 135 /* 136 * Prints the delimiter string. 137 */ 138 static void 139 print_delim(FILE *fp, const char *del) 140 { 141 142 fprintf(fp, "%s", del); 143 } 144 145 /* 146 * Prints a single byte in the given format. 147 */ 148 static void 149 print_1_byte(FILE *fp, u_char val, const char *format) 150 { 151 152 fprintf(fp, format, val); 153 } 154 155 /* 156 * Print 2 bytes in the given format. 157 */ 158 static void 159 print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160 { 161 162 fprintf(fp, format, val); 163 } 164 165 /* 166 * Prints 4 bytes in the given format. 167 */ 168 static void 169 print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170 { 171 172 fprintf(fp, format, val); 173 } 174 175 /* 176 * Prints 8 bytes in the given format. 177 */ 178 static void 179 print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180 { 181 182 fprintf(fp, format, val); 183 } 184 185 /* 186 * Prints the given size of data bytes in hex. 187 */ 188 static void 189 print_mem(FILE *fp, u_char *data, size_t len) 190 { 191 int i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%x", data[i]); 197 } 198 } 199 200 /* 201 * Prints the given data bytes as a string. 202 */ 203 static void 204 print_string(FILE *fp, const char *str, size_t len) 205 { 206 int i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214 } 215 216 /* 217 * Prints the beggining of attribute. 218 */ 219 static void 220 open_attr(FILE *fp, const char *str) 221 { 222 223 fprintf(fp,"%s=\"", str); 224 } 225 226 /* 227 * Prints the end of attribute. 228 */ 229 static void 230 close_attr(FILE *fp) 231 { 232 233 fprintf(fp,"\" "); 234 } 235 236 /* 237 * Prints the end of tag. 238 */ 239 static void 240 close_tag(FILE *fp, u_char type) 241 { 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SUBJECT32: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT64: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT32_EX: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT64_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_TEXT: 385 fprintf(fp, "</text>"); 386 break; 387 388 case AUT_SOCKET_EX: 389 fprintf(fp, "/>"); 390 break; 391 392 case AUT_DATA: 393 fprintf(fp, "</arbitrary>"); 394 break; 395 396 case AUT_ZONENAME: 397 fprintf(fp, "/>"); 398 break; 399 } 400 } 401 402 /* 403 * Prints the token type in either the raw or the default form. 404 */ 405 static void 406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407 { 408 409 if (xml) { 410 switch(type) { 411 case AUT_HEADER32: 412 fprintf(fp, "<record "); 413 break; 414 415 case AUT_HEADER32_EX: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER64: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64_EX: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_TRAILER: 428 fprintf(fp, "</record>"); 429 break; 430 431 case AUT_ARG32: 432 fprintf(fp, "<argument "); 433 break; 434 435 case AUT_ARG64: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ATTR32: 440 fprintf(fp, "<attribute "); 441 break; 442 443 case AUT_ATTR64: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_EXIT: 448 fprintf(fp, "<exit "); 449 break; 450 451 case AUT_EXEC_ARGS: 452 fprintf(fp, "<exec_args>"); 453 break; 454 455 case AUT_EXEC_ENV: 456 fprintf(fp, "<exec_env>"); 457 break; 458 459 case AUT_OTHER_FILE32: 460 fprintf(fp, "<file "); 461 break; 462 463 case AUT_NEWGROUPS: 464 fprintf(fp, "<group>"); 465 break; 466 467 case AUT_IN_ADDR: 468 fprintf(fp, "<ip_address>"); 469 break; 470 471 case AUT_IN_ADDR_EX: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IP: 476 fprintf(fp, "<ip "); 477 break; 478 479 case AUT_IPC: 480 fprintf(fp, "<IPC"); 481 break; 482 483 case AUT_IPC_PERM: 484 fprintf(fp, "<IPC_perm "); 485 break; 486 487 case AUT_IPORT: 488 fprintf(fp, "<ip_port>"); 489 break; 490 491 case AUT_OPAQUE: 492 fprintf(fp, "<opaque>"); 493 break; 494 495 case AUT_PATH: 496 fprintf(fp, "<path>"); 497 break; 498 499 case AUT_PROCESS32: 500 fprintf(fp, "<process "); 501 break; 502 503 case AUT_PROCESS32_EX: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS64: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64_EX: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_RETURN32: 516 fprintf(fp, "<return "); 517 break; 518 519 case AUT_RETURN64: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_SEQ: 524 fprintf(fp, "<sequence "); 525 break; 526 527 case AUT_SOCKET: 528 fprintf(fp, "<socket "); 529 break; 530 531 case AUT_SOCKINET32: 532 fprintf(fp, "<old_socket"); 533 break; 534 535 case AUT_SOCKUNIX: 536 fprintf(fp, "<old_socket"); 537 break; 538 539 case AUT_SUBJECT32: 540 fprintf(fp, "<subject "); 541 break; 542 543 case AUT_SUBJECT64: 544 fprintf(fp, "<subject "); 545 break; 546 547 case AUT_SUBJECT32_EX: 548 fprintf(fp, "<subject "); 549 break; 550 551 case AUT_SUBJECT64_EX: 552 fprintf(fp, "<subject "); 553 break; 554 555 case AUT_TEXT: 556 fprintf(fp, "<text>"); 557 break; 558 559 case AUT_SOCKET_EX: 560 fprintf(fp, "<socket "); 561 break; 562 563 case AUT_DATA: 564 fprintf(fp, "<arbitrary "); 565 break; 566 567 case AUT_ZONENAME: 568 fprintf(fp, "<zone "); 569 break; 570 } 571 } else { 572 if (raw) 573 fprintf(fp, "%u", type); 574 else 575 fprintf(fp, "%s", tokname); 576 } 577 } 578 579 /* 580 * Prints a user value. 581 */ 582 static void 583 print_user(FILE *fp, u_int32_t usr, char raw) 584 { 585 struct passwd *pwent; 586 587 if (raw) 588 fprintf(fp, "%d", usr); 589 else { 590 pwent = getpwuid(usr); 591 if (pwent != NULL) 592 fprintf(fp, "%s", pwent->pw_name); 593 else 594 fprintf(fp, "%d", usr); 595 } 596 } 597 598 /* 599 * Prints a group value. 600 */ 601 static void 602 print_group(FILE *fp, u_int32_t grp, char raw) 603 { 604 struct group *grpent; 605 606 if (raw) 607 fprintf(fp, "%d", grp); 608 else { 609 grpent = getgrgid(grp); 610 if (grpent != NULL) 611 fprintf(fp, "%s", grpent->gr_name); 612 else 613 fprintf(fp, "%d", grp); 614 } 615 } 616 617 /* 618 * Prints the event from the header token in either the short, default or raw 619 * form. 620 */ 621 static void 622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623 { 624 char event_ent_name[AU_EVENT_NAME_MAX]; 625 char event_ent_desc[AU_EVENT_DESC_MAX]; 626 struct au_event_ent e, *ep; 627 628 bzero(&e, sizeof(e)); 629 bzero(event_ent_name, sizeof(event_ent_name)); 630 bzero(event_ent_desc, sizeof(event_ent_desc)); 631 e.ae_name = event_ent_name; 632 e.ae_desc = event_ent_desc; 633 634 ep = getauevnum_r(&e, ev); 635 if (ep == NULL) { 636 fprintf(fp, "%u", ev); 637 return; 638 } 639 640 if (raw) 641 fprintf(fp, "%u", ev); 642 else if (sfrm) 643 fprintf(fp, "%s", e.ae_name); 644 else 645 fprintf(fp, "%s", e.ae_desc); 646 } 647 648 649 /* 650 * Prints the event modifier from the header token in either the default or 651 * raw form. 652 */ 653 static void 654 print_evmod(FILE *fp, u_int16_t evmod, char raw) 655 { 656 if (raw) 657 fprintf(fp, "%u", evmod); 658 else 659 fprintf(fp, "%u", evmod); 660 } 661 662 /* 663 * Prints seconds in the ctime format. 664 */ 665 static void 666 print_sec32(FILE *fp, u_int32_t sec, char raw) 667 { 668 time_t timestamp; 669 char timestr[26]; 670 671 if (raw) 672 fprintf(fp, "%u", sec); 673 else { 674 timestamp = (time_t)sec; 675 ctime_r(×tamp, timestr); 676 timestr[24] = '\0'; /* No new line */ 677 fprintf(fp, "%s", timestr); 678 } 679 } 680 681 /* 682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683 * assume a 32-bit time_t, we simply truncate for now. 684 */ 685 static void 686 print_sec64(FILE *fp, u_int64_t sec, char raw) 687 { 688 time_t timestamp; 689 char timestr[26]; 690 691 if (raw) 692 fprintf(fp, "%u", (u_int32_t)sec); 693 else { 694 timestamp = (time_t)sec; 695 ctime_r(×tamp, timestr); 696 timestr[24] = '\0'; /* No new line */ 697 fprintf(fp, "%s", timestr); 698 } 699 } 700 701 /* 702 * Prints the excess milliseconds. 703 */ 704 static void 705 print_msec32(FILE *fp, u_int32_t msec, char raw) 706 { 707 if (raw) 708 fprintf(fp, "%u", msec); 709 else 710 fprintf(fp, " + %u msec", msec); 711 } 712 713 /* 714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715 * a 32-bit msec, we simply truncate for now. 716 */ 717 static void 718 print_msec64(FILE *fp, u_int64_t msec, char raw) 719 { 720 721 msec &= 0xffffffff; 722 if (raw) 723 fprintf(fp, "%u", (u_int32_t)msec); 724 else 725 fprintf(fp, " + %u msec", (u_int32_t)msec); 726 } 727 728 /* 729 * Prints a dotted form for the IP address. 730 */ 731 static void 732 print_ip_address(FILE *fp, u_int32_t ip) 733 { 734 struct in_addr ipaddr; 735 736 ipaddr.s_addr = ip; 737 fprintf(fp, "%s", inet_ntoa(ipaddr)); 738 } 739 740 /* 741 * Prints a string value for the given ip address. 742 */ 743 static void 744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745 { 746 struct in_addr ipv4; 747 struct in6_addr ipv6; 748 char dst[INET6_ADDRSTRLEN]; 749 750 switch (type) { 751 case AU_IPv4: 752 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754 INET6_ADDRSTRLEN)); 755 break; 756 757 case AU_IPv6: 758 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760 INET6_ADDRSTRLEN)); 761 break; 762 763 default: 764 fprintf(fp, "invalid"); 765 } 766 } 767 768 /* 769 * Prints return value as success or failure. 770 */ 771 static void 772 print_retval(FILE *fp, u_char status, char raw) 773 { 774 if (raw) 775 fprintf(fp, "%u", status); 776 else { 777 if (status == 0) 778 fprintf(fp, "success"); 779 else 780 fprintf(fp, "failure : %s", strerror(status)); 781 } 782 } 783 784 /* 785 * Prints the exit value. 786 */ 787 static void 788 print_errval(FILE *fp, u_int32_t val) 789 { 790 791 fprintf(fp, "Error %u", val); 792 } 793 794 /* 795 * Prints IPC type. 796 */ 797 static void 798 print_ipctype(FILE *fp, u_char type, char raw) 799 { 800 if (raw) 801 fprintf(fp, "%u", type); 802 else { 803 if (type == AT_IPC_MSG) 804 fprintf(fp, "Message IPC"); 805 else if (type == AT_IPC_SEM) 806 fprintf(fp, "Semaphore IPC"); 807 else if (type == AT_IPC_SHM) 808 fprintf(fp, "Shared Memory IPC"); 809 else 810 fprintf(fp, "%u", type); 811 } 812 } 813 814 /* 815 * Print XML header. 816 */ 817 void 818 au_print_xml_header(FILE *outfp) 819 { 820 821 fprintf(outfp, "<?xml version='1.0' ?>\n"); 822 fprintf(outfp, "<audit>\n"); 823 } 824 825 /* 826 * Print XML footer. 827 */ 828 void 829 au_print_xml_footer(FILE *outfp) 830 { 831 832 fprintf(outfp, "</audit>\n"); 833 } 834 835 /* 836 * record byte count 4 bytes 837 * version # 1 byte [2] 838 * event type 2 bytes 839 * event modifier 2 bytes 840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 842 */ 843 static int 844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 845 { 846 int err = 0; 847 848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 849 if (err) 850 return (-1); 851 852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 853 if (err) 854 return (-1); 855 856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 857 if (err) 858 return (-1); 859 860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 861 if (err) 862 return (-1); 863 864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 865 if (err) 866 return (-1); 867 868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 869 if (err) 870 return (-1); 871 872 return (0); 873 } 874 875 static void 876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 877 int xml) 878 { 879 880 print_tok_type(fp, tok->id, "header", raw, xml); 881 if (xml) { 882 open_attr(fp, "version"); 883 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 884 close_attr(fp); 885 open_attr(fp, "event"); 886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 887 close_attr(fp); 888 open_attr(fp, "modifier"); 889 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 890 close_attr(fp); 891 open_attr(fp, "time"); 892 print_sec32(fp, tok->tt.hdr32.s, raw); 893 close_attr(fp); 894 open_attr(fp, "msec"); 895 print_msec32(fp, tok->tt.hdr32.ms, 1); 896 close_attr(fp); 897 close_tag(fp, tok->id); 898 } else { 899 print_delim(fp, del); 900 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 901 print_delim(fp, del); 902 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 903 print_delim(fp, del); 904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905 print_delim(fp, del); 906 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 907 print_delim(fp, del); 908 print_sec32(fp, tok->tt.hdr32.s, raw); 909 print_delim(fp, del); 910 print_msec32(fp, tok->tt.hdr32.ms, raw); 911 } 912 } 913 914 /* 915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 916 * depending on the bit of the specifications found. The OpenSolaris source 917 * code uses a 4-byte address length, followed by some number of bytes of 918 * address data. This contrasts with the Solaris audit.log.5 man page, which 919 * specifies a 1-byte length field. We use the Solaris 10 definition so that 920 * we can parse audit trails from that system. 921 * 922 * record byte count 4 bytes 923 * version # 1 byte [2] 924 * event type 2 bytes 925 * event modifier 2 bytes 926 * address type/length 4 bytes 927 * [ Solaris man page: address type/length 1 byte] 928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 929 * seconds of time 4 bytes/8 bytes (32/64-bits) 930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 931 */ 932 static int 933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 934 { 935 int err = 0; 936 937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 938 if (err) 939 return (-1); 940 941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 942 if (err) 943 return (-1); 944 945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 946 if (err) 947 return (-1); 948 949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 950 if (err) 951 return (-1); 952 953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 954 if (err) 955 return (-1); 956 957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 958 switch (tok->tt.hdr32_ex.ad_type) { 959 case AU_IPv4: 960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 962 if (err) 963 return (-1); 964 break; 965 966 case AU_IPv6: 967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 969 break; 970 } 971 972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 973 if (err) 974 return (-1); 975 976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 977 if (err) 978 return (-1); 979 980 return (0); 981 } 982 983 static void 984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 985 char sfrm, int xml) 986 { 987 988 print_tok_type(fp, tok->id, "header_ex", raw, xml); 989 if (xml) { 990 open_attr(fp, "version"); 991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 992 close_attr(fp); 993 open_attr(fp, "event"); 994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 995 close_attr(fp); 996 open_attr(fp, "modifier"); 997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 998 close_attr(fp); 999 /* 1000 * No attribute for additional types. 1001 * 1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1003 tok->tt.hdr32_ex.addr); 1004 */ 1005 open_attr(fp, "time"); 1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1007 close_attr(fp); 1008 open_attr(fp, "msec"); 1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1010 close_attr(fp); 1011 close_tag(fp, tok->id); 1012 } else { 1013 print_delim(fp, del); 1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1015 print_delim(fp, del); 1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1017 print_delim(fp, del); 1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1019 print_delim(fp, del); 1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1021 print_delim(fp, del); 1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1023 tok->tt.hdr32_ex.addr); 1024 print_delim(fp, del); 1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1026 print_delim(fp, del); 1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1028 } 1029 } 1030 1031 /* 1032 * record byte count 4 bytes 1033 * event type 2 bytes 1034 * event modifier 2 bytes 1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1037 * version # 1038 */ 1039 static int 1040 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1041 { 1042 int err = 0; 1043 1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1045 if (err) 1046 return (-1); 1047 1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1049 if (err) 1050 return (-1); 1051 1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1053 if (err) 1054 return (-1); 1055 1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1057 if (err) 1058 return (-1); 1059 1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1061 if (err) 1062 return (-1); 1063 1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1065 if (err) 1066 return (-1); 1067 1068 return (0); 1069 } 1070 1071 static void 1072 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1073 int xml) 1074 { 1075 1076 print_tok_type(fp, tok->id, "header", raw, xml); 1077 if (xml) { 1078 open_attr(fp, "version"); 1079 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1080 close_attr(fp); 1081 open_attr(fp, "event"); 1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1083 close_attr(fp); 1084 open_attr(fp, "modifier"); 1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1086 close_attr(fp); 1087 open_attr(fp, "time"); 1088 print_sec64(fp, tok->tt.hdr64.s, raw); 1089 close_attr(fp); 1090 open_attr(fp, "msec"); 1091 print_msec64(fp, tok->tt.hdr64.ms, raw); 1092 close_attr(fp); 1093 close_tag(fp, tok->id); 1094 } else { 1095 print_delim(fp, del); 1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1097 print_delim(fp, del); 1098 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1099 print_delim(fp, del); 1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1101 print_delim(fp, del); 1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1103 print_delim(fp, del); 1104 print_sec64(fp, tok->tt.hdr64.s, raw); 1105 print_delim(fp, del); 1106 print_msec64(fp, tok->tt.hdr64.ms, raw); 1107 } 1108 } 1109 1110 /* 1111 * record byte count 4 bytes 1112 * version # 1 byte [2] 1113 * event type 2 bytes 1114 * event modifier 2 bytes 1115 * address type/length 4 bytes 1116 * [ Solaris man page: address type/length 1 byte] 1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1118 * seconds of time 4 bytes/8 bytes (32/64-bits) 1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1120 * 1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1122 * accuracy of the BSM spec. 1123 */ 1124 static int 1125 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1126 { 1127 int err = 0; 1128 1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1130 if (err) 1131 return (-1); 1132 1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1134 if (err) 1135 return (-1); 1136 1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1138 if (err) 1139 return (-1); 1140 1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1142 if (err) 1143 return (-1); 1144 1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1146 if (err) 1147 return (-1); 1148 1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1150 switch (tok->tt.hdr64_ex.ad_type) { 1151 case AU_IPv4: 1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1154 if (err) 1155 return (-1); 1156 break; 1157 1158 case AU_IPv6: 1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1161 break; 1162 } 1163 1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1165 if (err) 1166 return (-1); 1167 1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1169 if (err) 1170 return (-1); 1171 1172 return (0); 1173 } 1174 1175 static void 1176 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1177 char sfrm, int xml) 1178 { 1179 1180 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1181 if (xml) { 1182 open_attr(fp, "version"); 1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1184 close_attr(fp); 1185 open_attr(fp, "event"); 1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1187 close_attr(fp); 1188 open_attr(fp, "modifier"); 1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1190 close_attr(fp); 1191 /* 1192 * No attribute for additional types. 1193 * 1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1195 tok->tt.hdr64_ex.addr); 1196 */ 1197 open_attr(fp, "time"); 1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1199 close_attr(fp); 1200 open_attr(fp, "msec"); 1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1202 close_attr(fp); 1203 close_tag(fp, tok->id); 1204 } else { 1205 print_delim(fp, del); 1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1207 print_delim(fp, del); 1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1209 print_delim(fp, del); 1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1211 print_delim(fp, del); 1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1213 print_delim(fp, del); 1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1215 tok->tt.hdr64_ex.addr); 1216 print_delim(fp, del); 1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1218 print_delim(fp, del); 1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1220 } 1221 } 1222 1223 /* 1224 * trailer magic 2 bytes 1225 * record size 4 bytes 1226 */ 1227 static int 1228 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1229 { 1230 int err = 0; 1231 1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1233 if (err) 1234 return (-1); 1235 1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1237 if (err) 1238 return (-1); 1239 1240 return (0); 1241 } 1242 1243 static void 1244 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1245 __unused char sfrm, int xml) 1246 { 1247 1248 print_tok_type(fp, tok->id, "trailer", raw, xml); 1249 if (!xml) { 1250 print_delim(fp, del); 1251 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1252 } 1253 } 1254 1255 /* 1256 * argument # 1 byte 1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1258 * text length 2 bytes 1259 * text N bytes + 1 terminating NULL byte 1260 */ 1261 static int 1262 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1263 { 1264 int err = 0; 1265 1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1267 if (err) 1268 return (-1); 1269 1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1271 if (err) 1272 return (-1); 1273 1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1275 if (err) 1276 return (-1); 1277 1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1279 tok->len, err); 1280 if (err) 1281 return (-1); 1282 1283 return (0); 1284 } 1285 1286 static void 1287 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1288 __unused char sfrm, int xml) 1289 { 1290 1291 print_tok_type(fp, tok->id, "argument", raw, xml); 1292 if (xml) { 1293 open_attr(fp, "arg-num"); 1294 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1295 close_attr(fp); 1296 open_attr(fp, "value"); 1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1298 close_attr(fp); 1299 open_attr(fp, "desc"); 1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1301 close_attr(fp); 1302 close_tag(fp, tok->id); 1303 } else { 1304 print_delim(fp, del); 1305 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1306 print_delim(fp, del); 1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1308 print_delim(fp, del); 1309 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1310 } 1311 } 1312 1313 static int 1314 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1315 { 1316 int err = 0; 1317 1318 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1319 if (err) 1320 return (-1); 1321 1322 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1323 if (err) 1324 return (-1); 1325 1326 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1327 if (err) 1328 return (-1); 1329 1330 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1331 tok->len, err); 1332 if (err) 1333 return (-1); 1334 1335 return (0); 1336 } 1337 1338 static void 1339 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1340 __unused char sfrm, int xml) 1341 { 1342 1343 print_tok_type(fp, tok->id, "argument", raw, xml); 1344 if (xml) { 1345 open_attr(fp, "arg-num"); 1346 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1347 close_attr(fp); 1348 open_attr(fp, "value"); 1349 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1350 close_attr(fp); 1351 open_attr(fp, "desc"); 1352 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1353 close_attr(fp); 1354 close_tag(fp, tok->id); 1355 } else { 1356 print_delim(fp, del); 1357 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1358 print_delim(fp, del); 1359 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1360 print_delim(fp, del); 1361 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1362 } 1363 } 1364 1365 /* 1366 * how to print 1 byte 1367 * basic unit 1 byte 1368 * unit count 1 byte 1369 * data items (depends on basic unit) 1370 */ 1371 static int 1372 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1373 { 1374 int err = 0; 1375 int datasize; 1376 1377 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1378 if (err) 1379 return (-1); 1380 1381 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1382 if (err) 1383 return (-1); 1384 1385 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1386 if (err) 1387 return (-1); 1388 1389 /* 1390 * Determine the size of the basic unit. 1391 */ 1392 switch(tok->tt.arb.bu) { 1393 case AUR_BYTE: 1394 /* case AUR_CHAR: */ 1395 datasize = AUR_BYTE_SIZE; 1396 break; 1397 1398 case AUR_SHORT: 1399 datasize = AUR_SHORT_SIZE; 1400 break; 1401 1402 case AUR_INT32: 1403 /* case AUR_INT: */ 1404 datasize = AUR_INT32_SIZE; 1405 break; 1406 1407 case AUR_INT64: 1408 datasize = AUR_INT64_SIZE; 1409 break; 1410 1411 default: 1412 return (-1); 1413 } 1414 1415 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1416 tok->len, err); 1417 if (err) 1418 return (-1); 1419 1420 return (0); 1421 } 1422 1423 static void 1424 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1425 __unused char sfrm, int xml) 1426 { 1427 char *str; 1428 char *format; 1429 size_t size; 1430 int i; 1431 1432 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1433 if (!xml) 1434 print_delim(fp, del); 1435 1436 switch(tok->tt.arb.howtopr) { 1437 case AUP_BINARY: 1438 str = "binary"; 1439 format = " %c"; 1440 break; 1441 1442 case AUP_OCTAL: 1443 str = "octal"; 1444 format = " %o"; 1445 break; 1446 1447 case AUP_DECIMAL: 1448 str = "decimal"; 1449 format = " %d"; 1450 break; 1451 1452 case AUP_HEX: 1453 str = "hex"; 1454 format = " %x"; 1455 break; 1456 1457 case AUP_STRING: 1458 str = "string"; 1459 format = "%c"; 1460 break; 1461 1462 default: 1463 return; 1464 } 1465 1466 if (xml) { 1467 open_attr(fp, "print"); 1468 fprintf(fp, "%s",str); 1469 close_attr(fp); 1470 } else { 1471 print_string(fp, str, strlen(str)); 1472 print_delim(fp, del); 1473 } 1474 switch(tok->tt.arb.bu) { 1475 case AUR_BYTE: 1476 /* case AUR_CHAR: */ 1477 str = "byte"; 1478 size = AUR_BYTE_SIZE; 1479 if (xml) { 1480 open_attr(fp, "type"); 1481 fprintf(fp, "%u", size); 1482 close_attr(fp); 1483 open_attr(fp, "count"); 1484 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1485 close_attr(fp); 1486 fprintf(fp, ">"); 1487 for (i = 0; i<tok->tt.arb.uc; i++) 1488 fprintf(fp, format, *(tok->tt.arb.data + 1489 (size * i))); 1490 close_tag(fp, tok->id); 1491 } else { 1492 print_string(fp, str, strlen(str)); 1493 print_delim(fp, del); 1494 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1495 print_delim(fp, del); 1496 for (i = 0; i<tok->tt.arb.uc; i++) 1497 fprintf(fp, format, *(tok->tt.arb.data + 1498 (size * i))); 1499 } 1500 break; 1501 1502 case AUR_SHORT: 1503 str = "short"; 1504 size = AUR_SHORT_SIZE; 1505 if (xml) { 1506 open_attr(fp, "type"); 1507 fprintf(fp, "%u", size); 1508 close_attr(fp); 1509 open_attr(fp, "count"); 1510 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1511 close_attr(fp); 1512 fprintf(fp, ">"); 1513 for (i = 0; i < tok->tt.arb.uc; i++) 1514 fprintf(fp, format, 1515 *((u_int16_t *)(tok->tt.arb.data + 1516 (size * i)))); 1517 close_tag(fp, tok->id); 1518 } else { 1519 print_string(fp, str, strlen(str)); 1520 print_delim(fp, del); 1521 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1522 print_delim(fp, del); 1523 for (i = 0; i < tok->tt.arb.uc; i++) 1524 fprintf(fp, format, 1525 *((u_int16_t *)(tok->tt.arb.data + 1526 (size * i)))); 1527 } 1528 break; 1529 1530 case AUR_INT32: 1531 /* case AUR_INT: */ 1532 str = "int"; 1533 size = AUR_INT32_SIZE; 1534 if (xml) { 1535 open_attr(fp, "type"); 1536 fprintf(fp, "%u", size); 1537 close_attr(fp); 1538 open_attr(fp, "count"); 1539 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1540 close_attr(fp); 1541 fprintf(fp, ">"); 1542 for (i = 0; i < tok->tt.arb.uc; i++) 1543 fprintf(fp, format, 1544 *((u_int32_t *)(tok->tt.arb.data + 1545 (size * i)))); 1546 close_tag(fp, tok->id); 1547 } else { 1548 print_string(fp, str, strlen(str)); 1549 print_delim(fp, del); 1550 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1551 print_delim(fp, del); 1552 for (i = 0; i < tok->tt.arb.uc; i++) 1553 fprintf(fp, format, 1554 *((u_int32_t *)(tok->tt.arb.data + 1555 (size * i)))); 1556 } 1557 break; 1558 1559 case AUR_INT64: 1560 str = "int64"; 1561 size = AUR_INT64_SIZE; 1562 if (xml) { 1563 open_attr(fp, "type"); 1564 fprintf(fp, "%u", size); 1565 close_attr(fp); 1566 open_attr(fp, "count"); 1567 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1568 close_attr(fp); 1569 fprintf(fp, ">"); 1570 for (i = 0; i < tok->tt.arb.uc; i++) 1571 fprintf(fp, format, 1572 *((u_int64_t *)(tok->tt.arb.data + 1573 (size * i)))); 1574 close_tag(fp, tok->id); 1575 } else { 1576 print_string(fp, str, strlen(str)); 1577 print_delim(fp, del); 1578 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1579 print_delim(fp, del); 1580 for (i = 0; i < tok->tt.arb.uc; i++) 1581 fprintf(fp, format, 1582 *((u_int64_t *)(tok->tt.arb.data + 1583 (size * i)))); 1584 } 1585 break; 1586 1587 default: 1588 return; 1589 } 1590 } 1591 1592 /* 1593 * file access mode 4 bytes 1594 * owner user ID 4 bytes 1595 * owner group ID 4 bytes 1596 * file system ID 4 bytes 1597 * node ID 8 bytes 1598 * device 4 bytes/8 bytes (32-bit/64-bit) 1599 */ 1600 static int 1601 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1602 { 1603 int err = 0; 1604 1605 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1606 if (err) 1607 return (-1); 1608 1609 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1610 if (err) 1611 return (-1); 1612 1613 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1614 if (err) 1615 return (-1); 1616 1617 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1618 if (err) 1619 return (-1); 1620 1621 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1622 if (err) 1623 return (-1); 1624 1625 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1626 if (err) 1627 return (-1); 1628 1629 return (0); 1630 } 1631 1632 static void 1633 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1634 __unused char sfrm, int xml) 1635 { 1636 1637 print_tok_type(fp, tok->id, "attribute", raw, xml); 1638 if (xml) { 1639 open_attr(fp, "mode"); 1640 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1641 close_attr(fp); 1642 open_attr(fp, "uid"); 1643 print_user(fp, tok->tt.attr32.uid, raw); 1644 close_attr(fp); 1645 open_attr(fp, "gid"); 1646 print_group(fp, tok->tt.attr32.gid, raw); 1647 close_attr(fp); 1648 open_attr(fp, "fsid"); 1649 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1650 close_attr(fp); 1651 open_attr(fp, "nodeid"); 1652 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1653 close_attr(fp); 1654 open_attr(fp, "device"); 1655 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1656 close_attr(fp); 1657 close_tag(fp, tok->id); 1658 } else { 1659 print_delim(fp, del); 1660 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1661 print_delim(fp, del); 1662 print_user(fp, tok->tt.attr32.uid, raw); 1663 print_delim(fp, del); 1664 print_group(fp, tok->tt.attr32.gid, raw); 1665 print_delim(fp, del); 1666 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1667 print_delim(fp, del); 1668 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1669 print_delim(fp, del); 1670 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1671 } 1672 } 1673 1674 /* 1675 * file access mode 4 bytes 1676 * owner user ID 4 bytes 1677 * owner group ID 4 bytes 1678 * file system ID 4 bytes 1679 * node ID 8 bytes 1680 * device 4 bytes/8 bytes (32-bit/64-bit) 1681 */ 1682 static int 1683 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1684 { 1685 int err = 0; 1686 1687 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1688 if (err) 1689 return (-1); 1690 1691 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1692 if (err) 1693 return (-1); 1694 1695 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1696 if (err) 1697 return (-1); 1698 1699 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1700 if (err) 1701 return (-1); 1702 1703 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1704 if (err) 1705 return (-1); 1706 1707 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1708 if (err) 1709 return (-1); 1710 1711 return (0); 1712 } 1713 1714 static void 1715 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1716 __unused char sfrm, int xml) 1717 { 1718 1719 print_tok_type(fp, tok->id, "attribute", raw, xml); 1720 if (xml) { 1721 open_attr(fp, "mode"); 1722 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1723 close_attr(fp); 1724 open_attr(fp, "uid"); 1725 print_user(fp, tok->tt.attr64.uid, raw); 1726 close_attr(fp); 1727 open_attr(fp, "gid"); 1728 print_group(fp, tok->tt.attr64.gid, raw); 1729 close_attr(fp); 1730 open_attr(fp, "fsid"); 1731 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1732 close_attr(fp); 1733 open_attr(fp, "nodeid"); 1734 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1735 close_attr(fp); 1736 open_attr(fp, "device"); 1737 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1738 close_attr(fp); 1739 close_tag(fp, tok->id); 1740 } else { 1741 print_delim(fp, del); 1742 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1743 print_delim(fp, del); 1744 print_user(fp, tok->tt.attr64.uid, raw); 1745 print_delim(fp, del); 1746 print_group(fp, tok->tt.attr64.gid, raw); 1747 print_delim(fp, del); 1748 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1749 print_delim(fp, del); 1750 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1751 print_delim(fp, del); 1752 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1753 } 1754 } 1755 1756 /* 1757 * status 4 bytes 1758 * return value 4 bytes 1759 */ 1760 static int 1761 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1762 { 1763 int err = 0; 1764 1765 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1766 if (err) 1767 return (-1); 1768 1769 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1770 if (err) 1771 return (-1); 1772 1773 return (0); 1774 } 1775 1776 static void 1777 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1778 __unused char sfrm, int xml) 1779 { 1780 1781 print_tok_type(fp, tok->id, "exit", raw, xml); 1782 if (xml) { 1783 open_attr(fp, "errval"); 1784 print_errval(fp, tok->tt.exit.status); 1785 close_attr(fp); 1786 open_attr(fp, "retval"); 1787 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1788 close_attr(fp); 1789 close_tag(fp, tok->id); 1790 } else { 1791 print_delim(fp, del); 1792 print_errval(fp, tok->tt.exit.status); 1793 print_delim(fp, del); 1794 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1795 } 1796 } 1797 1798 /* 1799 * count 4 bytes 1800 * text count null-terminated string(s) 1801 */ 1802 static int 1803 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1804 { 1805 int err = 0; 1806 int i; 1807 u_char *bptr; 1808 1809 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1810 if (err) 1811 return (-1); 1812 1813 for (i = 0; i < tok->tt.execarg.count; i++) { 1814 bptr = buf + tok->len; 1815 if (i < AUDIT_MAX_ARGS) 1816 tok->tt.execarg.text[i] = (char*)bptr; 1817 1818 /* Look for a null terminated string. */ 1819 while (bptr && (*bptr != '\0')) { 1820 if (++tok->len >=len) 1821 return (-1); 1822 bptr = buf + tok->len; 1823 } 1824 if (!bptr) 1825 return (-1); 1826 tok->len++; /* \0 character */ 1827 } 1828 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1829 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1830 1831 return (0); 1832 } 1833 1834 static void 1835 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1836 __unused char sfrm, int xml) 1837 { 1838 int i; 1839 1840 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1841 for (i = 0; i < tok->tt.execarg.count; i++) { 1842 if (xml) { 1843 fprintf(fp, "<arg>"); 1844 print_string(fp, tok->tt.execarg.text[i], 1845 strlen(tok->tt.execarg.text[i])); 1846 fprintf(fp, "</arg>"); 1847 } else { 1848 print_delim(fp, del); 1849 print_string(fp, tok->tt.execarg.text[i], 1850 strlen(tok->tt.execarg.text[i])); 1851 } 1852 } 1853 if (xml) 1854 close_tag(fp, tok->id); 1855 } 1856 1857 /* 1858 * count 4 bytes 1859 * text count null-terminated string(s) 1860 */ 1861 static int 1862 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1863 { 1864 int err = 0; 1865 int i; 1866 u_char *bptr; 1867 1868 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1869 if (err) 1870 return (-1); 1871 1872 for (i = 0; i < tok->tt.execenv.count; i++) { 1873 bptr = buf + tok->len; 1874 if (i < AUDIT_MAX_ENV) 1875 tok->tt.execenv.text[i] = (char*)bptr; 1876 1877 /* Look for a null terminated string. */ 1878 while (bptr && (*bptr != '\0')) { 1879 if (++tok->len >=len) 1880 return (-1); 1881 bptr = buf + tok->len; 1882 } 1883 if (!bptr) 1884 return (-1); 1885 tok->len++; /* \0 character */ 1886 } 1887 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1888 tok->tt.execenv.count = AUDIT_MAX_ENV; 1889 1890 return (0); 1891 } 1892 1893 static void 1894 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1895 __unused char sfrm, int xml) 1896 { 1897 int i; 1898 1899 print_tok_type(fp, tok->id, "exec env", raw, xml); 1900 for (i = 0; i< tok->tt.execenv.count; i++) { 1901 if (xml) { 1902 fprintf(fp, "<env>"); 1903 print_string(fp, tok->tt.execenv.text[i], 1904 strlen(tok->tt.execenv.text[i])); 1905 fprintf(fp, "</env>"); 1906 } else { 1907 print_delim(fp, del); 1908 print_string(fp, tok->tt.execenv.text[i], 1909 strlen(tok->tt.execenv.text[i])); 1910 } 1911 } 1912 if (xml) 1913 close_tag(fp, tok->id); 1914 } 1915 1916 /* 1917 * seconds of time 4 bytes 1918 * milliseconds of time 4 bytes 1919 * file name len 2 bytes 1920 * file pathname N bytes + 1 terminating NULL byte 1921 */ 1922 static int 1923 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1924 { 1925 int err = 0; 1926 1927 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1928 if (err) 1929 return (-1); 1930 1931 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1932 if (err) 1933 return (-1); 1934 1935 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1936 if (err) 1937 return (-1); 1938 1939 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1940 err); 1941 if (err) 1942 return (-1); 1943 1944 return (0); 1945 } 1946 1947 static void 1948 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1949 __unused char sfrm, int xml) 1950 { 1951 1952 print_tok_type(fp, tok->id, "file", raw, xml); 1953 if (xml) { 1954 open_attr(fp, "time"); 1955 print_sec32(fp, tok->tt.file.s, raw); 1956 close_attr(fp); 1957 open_attr(fp, "msec"); 1958 print_msec32(fp, tok->tt.file.ms, raw); 1959 close_attr(fp); 1960 fprintf(fp, ">"); 1961 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1962 close_tag(fp, tok->id); 1963 } else { 1964 print_delim(fp, del); 1965 print_sec32(fp, tok->tt.file.s, raw); 1966 print_delim(fp, del); 1967 print_msec32(fp, tok->tt.file.ms, raw); 1968 print_delim(fp, del); 1969 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1970 } 1971 } 1972 1973 /* 1974 * number groups 2 bytes 1975 * group list count * 4 bytes 1976 */ 1977 static int 1978 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1979 { 1980 int i; 1981 int err = 0; 1982 1983 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1984 if (err) 1985 return (-1); 1986 1987 for (i = 0; i<tok->tt.grps.no; i++) { 1988 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1989 err); 1990 if (err) 1991 return (-1); 1992 } 1993 1994 return (0); 1995 } 1996 1997 static void 1998 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1999 __unused char sfrm, int xml) 2000 { 2001 int i; 2002 2003 print_tok_type(fp, tok->id, "group", raw, xml); 2004 for (i = 0; i < tok->tt.grps.no; i++) { 2005 if (xml) { 2006 fprintf(fp, "<gid>"); 2007 print_group(fp, tok->tt.grps.list[i], raw); 2008 fprintf(fp, "</gid>"); 2009 close_tag(fp, tok->id); 2010 } else { 2011 print_delim(fp, del); 2012 print_group(fp, tok->tt.grps.list[i], raw); 2013 } 2014 } 2015 } 2016 2017 /* 2018 * Internet addr 4 bytes 2019 */ 2020 static int 2021 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2022 { 2023 int err = 0; 2024 2025 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2026 tok->len, err); 2027 if (err) 2028 return (-1); 2029 2030 return (0); 2031 2032 } 2033 2034 static void 2035 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2036 __unused char sfrm, int xml) 2037 { 2038 2039 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2040 if (xml) { 2041 print_ip_address(fp, tok->tt.inaddr.addr); 2042 close_tag(fp, tok->id); 2043 } else { 2044 print_delim(fp, del); 2045 print_ip_address(fp, tok->tt.inaddr.addr); 2046 } 2047 } 2048 2049 /* 2050 * type 4 bytes 2051 * address 16 bytes 2052 */ 2053 static int 2054 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2055 { 2056 int err = 0; 2057 2058 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2059 if (err) 2060 return (-1); 2061 2062 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2063 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2064 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2065 if (err) 2066 return (-1); 2067 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2068 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2069 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2070 if (err) 2071 return (-1); 2072 } else 2073 return (-1); 2074 2075 return (0); 2076 } 2077 2078 static void 2079 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2080 __unused char sfrm, int xml) 2081 { 2082 2083 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2084 if (xml) { 2085 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2086 tok->tt.inaddr_ex.addr); 2087 close_tag(fp, tok->id); 2088 } else { 2089 print_delim(fp, del); 2090 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2091 tok->tt.inaddr_ex.addr); 2092 } 2093 } 2094 2095 /* 2096 * ip header 20 bytes 2097 */ 2098 static int 2099 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2100 { 2101 int err = 0; 2102 2103 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2104 if (err) 2105 return (-1); 2106 2107 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2108 if (err) 2109 return (-1); 2110 2111 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2112 tok->len, err); 2113 if (err) 2114 return (-1); 2115 2116 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2117 tok->len, err); 2118 if (err) 2119 return (-1); 2120 2121 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2122 tok->len, err); 2123 if (err) 2124 return (-1); 2125 2126 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2127 if (err) 2128 return (-1); 2129 2130 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2131 if (err) 2132 return (-1); 2133 2134 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2135 tok->len, err); 2136 if (err) 2137 return (-1); 2138 2139 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2140 tok->len, err); 2141 if (err) 2142 return (-1); 2143 2144 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2145 tok->len, err); 2146 if (err) 2147 return (-1); 2148 2149 return (0); 2150 } 2151 2152 static void 2153 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2154 __unused char sfrm, int xml) 2155 { 2156 2157 print_tok_type(fp, tok->id, "ip", raw, xml); 2158 if (xml) { 2159 open_attr(fp, "version"); 2160 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2161 sizeof(u_char)); 2162 close_attr(fp); 2163 open_attr(fp, "service_type"); 2164 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2165 close_attr(fp); 2166 open_attr(fp, "len"); 2167 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2168 close_attr(fp); 2169 open_attr(fp, "id"); 2170 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2171 close_attr(fp); 2172 open_attr(fp, "offset"); 2173 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2174 close_attr(fp); 2175 open_attr(fp, "time_to_live"); 2176 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2177 close_attr(fp); 2178 open_attr(fp, "protocol"); 2179 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2180 close_attr(fp); 2181 open_attr(fp, "cksum"); 2182 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2183 close_attr(fp); 2184 open_attr(fp, "src_addr"); 2185 print_ip_address(fp, tok->tt.ip.src); 2186 close_attr(fp); 2187 open_attr(fp, "dest_addr"); 2188 print_ip_address(fp, tok->tt.ip.dest); 2189 close_attr(fp); 2190 close_tag(fp, tok->id); 2191 } else { 2192 print_delim(fp, del); 2193 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2194 sizeof(u_char)); 2195 print_delim(fp, del); 2196 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2197 print_delim(fp, del); 2198 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2199 print_delim(fp, del); 2200 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2201 print_delim(fp, del); 2202 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2203 print_delim(fp, del); 2204 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2205 print_delim(fp, del); 2206 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2207 print_delim(fp, del); 2208 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2209 print_delim(fp, del); 2210 print_ip_address(fp, tok->tt.ip.src); 2211 print_delim(fp, del); 2212 print_ip_address(fp, tok->tt.ip.dest); 2213 } 2214 } 2215 2216 /* 2217 * object ID type 1 byte 2218 * Object ID 4 bytes 2219 */ 2220 static int 2221 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2222 { 2223 int err = 0; 2224 2225 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2226 if (err) 2227 return (-1); 2228 2229 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2230 if (err) 2231 return (-1); 2232 2233 return (0); 2234 } 2235 2236 static void 2237 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2238 __unused char sfrm, int xml) 2239 { 2240 2241 print_tok_type(fp, tok->id, "IPC", raw, xml); 2242 if (xml) { 2243 open_attr(fp, "ipc-type"); 2244 print_ipctype(fp, tok->tt.ipc.type, raw); 2245 close_attr(fp); 2246 open_attr(fp, "ipc-id"); 2247 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2248 close_attr(fp); 2249 close_tag(fp, tok->id); 2250 } else { 2251 print_delim(fp, del); 2252 print_ipctype(fp, tok->tt.ipc.type, raw); 2253 print_delim(fp, del); 2254 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2255 } 2256 } 2257 2258 /* 2259 * owner user id 4 bytes 2260 * owner group id 4 bytes 2261 * creator user id 4 bytes 2262 * creator group id 4 bytes 2263 * access mode 4 bytes 2264 * slot seq 4 bytes 2265 * key 4 bytes 2266 */ 2267 static int 2268 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2269 { 2270 int err = 0; 2271 2272 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2273 if (err) 2274 return (-1); 2275 2276 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2277 if (err) 2278 return (-1); 2279 2280 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2281 if (err) 2282 return (-1); 2283 2284 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2285 if (err) 2286 return (-1); 2287 2288 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2289 if (err) 2290 return (-1); 2291 2292 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2293 if (err) 2294 return (-1); 2295 2296 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2297 if (err) 2298 return (-1); 2299 2300 return (0); 2301 } 2302 2303 static void 2304 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2305 __unused char sfrm, int xml) 2306 { 2307 2308 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2309 if (xml) { 2310 open_attr(fp, "uid"); 2311 print_user(fp, tok->tt.ipcperm.uid, raw); 2312 close_attr(fp); 2313 open_attr(fp, "gid"); 2314 print_group(fp, tok->tt.ipcperm.gid, raw); 2315 close_attr(fp); 2316 open_attr(fp, "creator-uid"); 2317 print_user(fp, tok->tt.ipcperm.puid, raw); 2318 close_attr(fp); 2319 open_attr(fp, "creator-gid"); 2320 print_group(fp, tok->tt.ipcperm.pgid, raw); 2321 close_attr(fp); 2322 open_attr(fp, "mode"); 2323 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2324 close_attr(fp); 2325 open_attr(fp, "seq"); 2326 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2327 close_attr(fp); 2328 open_attr(fp, "key"); 2329 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2330 close_attr(fp); 2331 close_tag(fp, tok->id); 2332 } else { 2333 print_delim(fp, del); 2334 print_user(fp, tok->tt.ipcperm.uid, raw); 2335 print_delim(fp, del); 2336 print_group(fp, tok->tt.ipcperm.gid, raw); 2337 print_delim(fp, del); 2338 print_user(fp, tok->tt.ipcperm.puid, raw); 2339 print_delim(fp, del); 2340 print_group(fp, tok->tt.ipcperm.pgid, raw); 2341 print_delim(fp, del); 2342 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2343 print_delim(fp, del); 2344 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2345 print_delim(fp, del); 2346 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2347 } 2348 } 2349 2350 /* 2351 * port Ip address 2 bytes 2352 */ 2353 static int 2354 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2355 { 2356 int err = 0; 2357 2358 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2359 tok->len, err); 2360 if (err) 2361 return (-1); 2362 2363 return (0); 2364 } 2365 2366 static void 2367 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2368 __unused char sfrm, int xml) 2369 { 2370 2371 print_tok_type(fp, tok->id, "ip port", raw, xml); 2372 if (xml) { 2373 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2374 close_tag(fp, tok->id); 2375 } else { 2376 print_delim(fp, del); 2377 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2378 } 2379 } 2380 2381 /* 2382 * size 2 bytes 2383 * data size bytes 2384 */ 2385 static int 2386 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2387 { 2388 int err = 0; 2389 2390 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2391 if (err) 2392 return (-1); 2393 2394 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2395 tok->len, err); 2396 if (err) 2397 return (-1); 2398 2399 return (0); 2400 } 2401 2402 static void 2403 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2404 __unused char sfrm, int xml) 2405 { 2406 2407 print_tok_type(fp, tok->id, "opaque", raw, xml); 2408 if (xml) { 2409 print_mem(fp, (u_char*)tok->tt.opaque.data, 2410 tok->tt.opaque.size); 2411 close_tag(fp, tok->id); 2412 } else { 2413 print_delim(fp, del); 2414 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2415 print_delim(fp, del); 2416 print_mem(fp, (u_char*)tok->tt.opaque.data, 2417 tok->tt.opaque.size); 2418 } 2419 } 2420 2421 /* 2422 * size 2 bytes 2423 * data size bytes 2424 */ 2425 static int 2426 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2427 { 2428 int err = 0; 2429 2430 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2431 if (err) 2432 return (-1); 2433 2434 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2435 err); 2436 if (err) 2437 return (-1); 2438 2439 return (0); 2440 } 2441 2442 static void 2443 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2444 __unused char sfrm, int xml) 2445 { 2446 2447 print_tok_type(fp, tok->id, "path", raw, xml); 2448 if (xml) { 2449 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2450 close_tag(fp, tok->id); 2451 } else { 2452 print_delim(fp, del); 2453 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2454 } 2455 } 2456 2457 /* 2458 * token ID 1 byte 2459 * audit ID 4 bytes 2460 * euid 4 bytes 2461 * egid 4 bytes 2462 * ruid 4 bytes 2463 * rgid 4 bytes 2464 * pid 4 bytes 2465 * sessid 4 bytes 2466 * terminal ID 2467 * portid 4 bytes 2468 * machine id 4 bytes 2469 */ 2470 static int 2471 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2472 { 2473 int err = 0; 2474 2475 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2476 if (err) 2477 return (-1); 2478 2479 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2480 if (err) 2481 return (-1); 2482 2483 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2484 if (err) 2485 return (-1); 2486 2487 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2488 if (err) 2489 return (-1); 2490 2491 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2492 if (err) 2493 return (-1); 2494 2495 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2496 if (err) 2497 return (-1); 2498 2499 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2500 if (err) 2501 return (-1); 2502 2503 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2504 if (err) 2505 return (-1); 2506 2507 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2508 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2509 if (err) 2510 return (-1); 2511 2512 return (0); 2513 } 2514 2515 static void 2516 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2517 __unused char sfrm, int xml) 2518 { 2519 2520 print_tok_type(fp, tok->id, "process", raw, xml); 2521 if (xml) { 2522 open_attr(fp, "audit-uid"); 2523 print_user(fp, tok->tt.proc32.auid, raw); 2524 close_attr(fp); 2525 open_attr(fp, "uid"); 2526 print_user(fp, tok->tt.proc32.euid, raw); 2527 close_attr(fp); 2528 open_attr(fp, "gid"); 2529 print_group(fp, tok->tt.proc32.egid, raw); 2530 close_attr(fp); 2531 open_attr(fp, "ruid"); 2532 print_user(fp, tok->tt.proc32.ruid, raw); 2533 close_attr(fp); 2534 open_attr(fp, "rgid"); 2535 print_group(fp, tok->tt.proc32.rgid, raw); 2536 close_attr(fp); 2537 open_attr(fp, "pid"); 2538 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2539 close_attr(fp); 2540 open_attr(fp, "sid"); 2541 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2542 close_attr(fp); 2543 open_attr(fp, "tid"); 2544 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2545 print_ip_address(fp, tok->tt.proc32.tid.addr); 2546 close_attr(fp); 2547 close_tag(fp, tok->id); 2548 } else { 2549 print_delim(fp, del); 2550 print_user(fp, tok->tt.proc32.auid, raw); 2551 print_delim(fp, del); 2552 print_user(fp, tok->tt.proc32.euid, raw); 2553 print_delim(fp, del); 2554 print_group(fp, tok->tt.proc32.egid, raw); 2555 print_delim(fp, del); 2556 print_user(fp, tok->tt.proc32.ruid, raw); 2557 print_delim(fp, del); 2558 print_group(fp, tok->tt.proc32.rgid, raw); 2559 print_delim(fp, del); 2560 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2561 print_delim(fp, del); 2562 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2563 print_delim(fp, del); 2564 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2565 print_delim(fp, del); 2566 print_ip_address(fp, tok->tt.proc32.tid.addr); 2567 } 2568 } 2569 2570 /* 2571 * token ID 1 byte 2572 * audit ID 4 bytes 2573 * euid 4 bytes 2574 * egid 4 bytes 2575 * ruid 4 bytes 2576 * rgid 4 bytes 2577 * pid 4 bytes 2578 * sessid 4 bytes 2579 * terminal ID 2580 * portid 8 bytes 2581 * machine id 4 bytes 2582 */ 2583 static int 2584 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2585 { 2586 int err = 0; 2587 2588 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2589 if (err) 2590 return (-1); 2591 2592 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2593 if (err) 2594 return (-1); 2595 2596 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2597 if (err) 2598 return (-1); 2599 2600 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2601 if (err) 2602 return (-1); 2603 2604 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2605 if (err) 2606 return (-1); 2607 2608 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2609 if (err) 2610 return (-1); 2611 2612 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2613 if (err) 2614 return (-1); 2615 2616 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2617 if (err) 2618 return (-1); 2619 2620 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2621 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2622 if (err) 2623 return (-1); 2624 2625 return (0); 2626 } 2627 2628 static void 2629 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2630 __unused char sfrm, int xml) 2631 { 2632 print_tok_type(fp, tok->id, "process", raw, xml); 2633 if (xml) { 2634 open_attr(fp, "audit-uid"); 2635 print_user(fp, tok->tt.proc64.auid, raw); 2636 close_attr(fp); 2637 open_attr(fp, "uid"); 2638 print_user(fp, tok->tt.proc64.euid, raw); 2639 close_attr(fp); 2640 open_attr(fp, "gid"); 2641 print_group(fp, tok->tt.proc64.egid, raw); 2642 close_attr(fp); 2643 open_attr(fp, "ruid"); 2644 print_user(fp, tok->tt.proc64.ruid, raw); 2645 close_attr(fp); 2646 open_attr(fp, "rgid"); 2647 print_group(fp, tok->tt.proc64.rgid, raw); 2648 close_attr(fp); 2649 open_attr(fp, "pid"); 2650 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2651 close_attr(fp); 2652 open_attr(fp, "sid"); 2653 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2654 close_attr(fp); 2655 open_attr(fp, "tid"); 2656 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2657 print_ip_address(fp, tok->tt.proc64.tid.addr); 2658 close_attr(fp); 2659 close_tag(fp, tok->id); 2660 } else { 2661 print_delim(fp, del); 2662 print_user(fp, tok->tt.proc64.auid, raw); 2663 print_delim(fp, del); 2664 print_user(fp, tok->tt.proc64.euid, raw); 2665 print_delim(fp, del); 2666 print_group(fp, tok->tt.proc64.egid, raw); 2667 print_delim(fp, del); 2668 print_user(fp, tok->tt.proc64.ruid, raw); 2669 print_delim(fp, del); 2670 print_group(fp, tok->tt.proc64.rgid, raw); 2671 print_delim(fp, del); 2672 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2673 print_delim(fp, del); 2674 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2675 print_delim(fp, del); 2676 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2677 print_delim(fp, del); 2678 print_ip_address(fp, tok->tt.proc64.tid.addr); 2679 } 2680 } 2681 2682 /* 2683 * token ID 1 byte 2684 * audit ID 4 bytes 2685 * effective user ID 4 bytes 2686 * effective group ID 4 bytes 2687 * real user ID 4 bytes 2688 * real group ID 4 bytes 2689 * process ID 4 bytes 2690 * session ID 4 bytes 2691 * terminal ID 2692 * port ID 4 bytes 2693 * address type-len 4 bytes 2694 * machine address 16 bytes 2695 */ 2696 static int 2697 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2698 { 2699 int err = 0; 2700 2701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2702 if (err) 2703 return (-1); 2704 2705 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2706 if (err) 2707 return (-1); 2708 2709 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2710 if (err) 2711 return (-1); 2712 2713 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2714 if (err) 2715 return (-1); 2716 2717 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2718 if (err) 2719 return (-1); 2720 2721 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2722 if (err) 2723 return (-1); 2724 2725 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2726 if (err) 2727 return (-1); 2728 2729 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2730 err); 2731 if (err) 2732 return (-1); 2733 2734 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2735 err); 2736 if (err) 2737 return (-1); 2738 2739 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2740 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2741 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2742 if (err) 2743 return (-1); 2744 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2745 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2746 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2747 if (err) 2748 return (-1); 2749 } else 2750 return (-1); 2751 2752 return (0); 2753 } 2754 2755 static void 2756 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2757 __unused char sfrm, int xml) 2758 { 2759 2760 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2761 if (xml) { 2762 open_attr(fp, "audit-uid"); 2763 print_user(fp, tok->tt.proc32_ex.auid, raw); 2764 close_attr(fp); 2765 open_attr(fp, "uid"); 2766 print_user(fp, tok->tt.proc32_ex.euid, raw); 2767 close_attr(fp); 2768 open_attr(fp, "gid"); 2769 print_group(fp, tok->tt.proc32_ex.egid, raw); 2770 close_attr(fp); 2771 open_attr(fp, "ruid"); 2772 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2773 close_attr(fp); 2774 open_attr(fp, "rgid"); 2775 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2776 close_attr(fp); 2777 open_attr(fp, "pid"); 2778 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2779 close_attr(fp); 2780 open_attr(fp, "sid"); 2781 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2782 close_attr(fp); 2783 open_attr(fp, "tid"); 2784 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2785 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2786 tok->tt.proc32_ex.tid.addr); 2787 close_attr(fp); 2788 close_tag(fp, tok->id); 2789 } else { 2790 print_delim(fp, del); 2791 print_user(fp, tok->tt.proc32_ex.auid, raw); 2792 print_delim(fp, del); 2793 print_user(fp, tok->tt.proc32_ex.euid, raw); 2794 print_delim(fp, del); 2795 print_group(fp, tok->tt.proc32_ex.egid, raw); 2796 print_delim(fp, del); 2797 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2798 print_delim(fp, del); 2799 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2800 print_delim(fp, del); 2801 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2802 print_delim(fp, del); 2803 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2804 print_delim(fp, del); 2805 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2806 print_delim(fp, del); 2807 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2808 tok->tt.proc32_ex.tid.addr); 2809 } 2810 } 2811 2812 /* 2813 * token ID 1 byte 2814 * audit ID 4 bytes 2815 * effective user ID 4 bytes 2816 * effective group ID 4 bytes 2817 * real user ID 4 bytes 2818 * real group ID 4 bytes 2819 * process ID 4 bytes 2820 * session ID 4 bytes 2821 * terminal ID 2822 * port ID 8 bytes 2823 * address type-len 4 bytes 2824 * machine address 16 bytes 2825 */ 2826 static int 2827 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2828 { 2829 int err = 0; 2830 2831 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2832 if (err) 2833 return (-1); 2834 2835 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2836 if (err) 2837 return (-1); 2838 2839 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2840 if (err) 2841 return (-1); 2842 2843 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2844 if (err) 2845 return (-1); 2846 2847 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2848 if (err) 2849 return (-1); 2850 2851 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2852 if (err) 2853 return (-1); 2854 2855 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2856 if (err) 2857 return (-1); 2858 2859 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2860 err); 2861 if (err) 2862 return (-1); 2863 2864 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2865 err); 2866 if (err) 2867 return (-1); 2868 2869 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2870 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2871 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2872 if (err) 2873 return (-1); 2874 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2875 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2876 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2877 if (err) 2878 return (-1); 2879 } else 2880 return (-1); 2881 2882 return (0); 2883 } 2884 2885 static void 2886 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2887 __unused char sfrm, int xml) 2888 { 2889 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2890 if (xml) { 2891 open_attr(fp, "audit-uid"); 2892 print_user(fp, tok->tt.proc64_ex.auid, raw); 2893 close_attr(fp); 2894 open_attr(fp, "uid"); 2895 print_user(fp, tok->tt.proc64_ex.euid, raw); 2896 close_attr(fp); 2897 open_attr(fp, "gid"); 2898 print_group(fp, tok->tt.proc64_ex.egid, raw); 2899 close_attr(fp); 2900 open_attr(fp, "ruid"); 2901 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2902 close_attr(fp); 2903 open_attr(fp, "rgid"); 2904 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2905 close_attr(fp); 2906 open_attr(fp, "pid"); 2907 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2908 close_attr(fp); 2909 open_attr(fp, "sid"); 2910 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2911 close_attr(fp); 2912 open_attr(fp, "tid"); 2913 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2914 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2915 tok->tt.proc64_ex.tid.addr); 2916 close_attr(fp); 2917 close_tag(fp, tok->id); 2918 } else { 2919 print_delim(fp, del); 2920 print_user(fp, tok->tt.proc64_ex.auid, raw); 2921 print_delim(fp, del); 2922 print_user(fp, tok->tt.proc64_ex.euid, raw); 2923 print_delim(fp, del); 2924 print_group(fp, tok->tt.proc64_ex.egid, raw); 2925 print_delim(fp, del); 2926 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2927 print_delim(fp, del); 2928 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2929 print_delim(fp, del); 2930 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2931 print_delim(fp, del); 2932 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2933 print_delim(fp, del); 2934 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2935 print_delim(fp, del); 2936 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2937 tok->tt.proc64_ex.tid.addr); 2938 } 2939 } 2940 2941 /* 2942 * errno 1 byte 2943 * return value 4 bytes 2944 */ 2945 static int 2946 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2947 { 2948 int err = 0; 2949 2950 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2951 if (err) 2952 return (-1); 2953 2954 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2955 if (err) 2956 return (-1); 2957 2958 return (0); 2959 } 2960 2961 static void 2962 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2963 __unused char sfrm, int xml) 2964 { 2965 2966 print_tok_type(fp, tok->id, "return", raw, xml); 2967 if (xml) { 2968 open_attr(fp ,"errval"); 2969 print_retval(fp, tok->tt.ret32.status, raw); 2970 close_attr(fp); 2971 open_attr(fp, "retval"); 2972 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2973 close_attr(fp); 2974 close_tag(fp, tok->id); 2975 } else { 2976 print_delim(fp, del); 2977 print_retval(fp, tok->tt.ret32.status, raw); 2978 print_delim(fp, del); 2979 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2980 } 2981 } 2982 2983 static int 2984 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2985 { 2986 int err = 0; 2987 2988 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2989 if (err) 2990 return (-1); 2991 2992 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 2993 if (err) 2994 return (-1); 2995 2996 return (0); 2997 } 2998 2999 static void 3000 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3001 __unused char sfrm, int xml) 3002 { 3003 3004 print_tok_type(fp, tok->id, "return", raw, xml); 3005 if (xml) { 3006 open_attr(fp, "errval"); 3007 print_retval(fp, tok->tt.ret64.err, raw); 3008 close_attr(fp); 3009 open_attr(fp, "retval"); 3010 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3011 close_attr(fp); 3012 close_tag(fp, tok->id); 3013 } else { 3014 print_delim(fp, del); 3015 print_retval(fp, tok->tt.ret64.err, raw); 3016 print_delim(fp, del); 3017 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3018 } 3019 } 3020 3021 /* 3022 * seq 4 bytes 3023 */ 3024 static int 3025 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3026 { 3027 int err = 0; 3028 3029 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3030 if (err) 3031 return (-1); 3032 3033 return (0); 3034 } 3035 3036 static void 3037 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3038 __unused char sfrm, int xml) 3039 { 3040 3041 print_tok_type(fp, tok->id, "sequence", raw, xml); 3042 if (xml) { 3043 open_attr(fp, "seq-num"); 3044 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3045 close_attr(fp); 3046 close_tag(fp, tok->id); 3047 } else { 3048 print_delim(fp, del); 3049 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3050 } 3051 } 3052 3053 /* 3054 * socket family 2 bytes 3055 * local port 2 bytes 3056 * socket address 4 bytes 3057 */ 3058 static int 3059 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3060 { 3061 int err = 0; 3062 3063 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3064 err); 3065 if (err) 3066 return (-1); 3067 3068 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3069 sizeof(uint16_t), tok->len, err); 3070 if (err) 3071 return (-1); 3072 3073 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3074 sizeof(tok->tt.sockinet32.addr), tok->len, err); 3075 if (err) 3076 return (-1); 3077 3078 return (0); 3079 } 3080 3081 static void 3082 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3083 __unused char sfrm, int xml) 3084 { 3085 3086 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3087 if (xml) { 3088 open_attr(fp, "type"); 3089 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3090 close_attr(fp); 3091 open_attr(fp, "port"); 3092 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3093 close_attr(fp); 3094 open_attr(fp, "addr"); 3095 print_ip_address(fp, tok->tt.sockinet32.addr); 3096 close_attr(fp); 3097 close_tag(fp, tok->id); 3098 } else { 3099 print_delim(fp, del); 3100 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3101 print_delim(fp, del); 3102 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3103 print_delim(fp, del); 3104 print_ip_address(fp, tok->tt.sockinet32.addr); 3105 } 3106 } 3107 3108 /* 3109 * socket family 2 bytes 3110 * path 104 bytes 3111 */ 3112 static int 3113 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3114 { 3115 int err = 0; 3116 3117 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3118 if (err) 3119 return (-1); 3120 3121 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3122 err); 3123 if (err) 3124 return (-1); 3125 3126 return (0); 3127 } 3128 3129 static void 3130 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3131 __unused char sfrm, int xml) 3132 { 3133 3134 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3135 if (xml) { 3136 open_attr(fp, "type"); 3137 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3138 close_attr(fp); 3139 open_attr(fp, "port"); 3140 close_attr(fp); 3141 open_attr(fp, "addr"); 3142 print_string(fp, tok->tt.sockunix.path, 3143 strlen(tok->tt.sockunix.path)); 3144 close_attr(fp); 3145 close_tag(fp, tok->id); 3146 } else { 3147 print_delim(fp, del); 3148 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3149 print_delim(fp, del); 3150 print_string(fp, tok->tt.sockunix.path, 3151 strlen(tok->tt.sockunix.path)); 3152 } 3153 } 3154 3155 /* 3156 * socket type 2 bytes 3157 * local port 2 bytes 3158 * local address 4 bytes 3159 * remote port 2 bytes 3160 * remote address 4 bytes 3161 */ 3162 static int 3163 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3164 { 3165 int err = 0; 3166 3167 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3168 if (err) 3169 return (-1); 3170 3171 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3172 tok->len, err); 3173 if (err) 3174 return (-1); 3175 3176 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3177 sizeof(tok->tt.socket.l_addr), tok->len, err); 3178 if (err) 3179 return (-1); 3180 3181 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3182 tok->len, err); 3183 if (err) 3184 return (-1); 3185 3186 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3187 sizeof(tok->tt.socket.r_addr), tok->len, err); 3188 if (err) 3189 return (-1); 3190 3191 return (0); 3192 } 3193 3194 static void 3195 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3196 __unused char sfrm, int xml) 3197 { 3198 3199 print_tok_type(fp, tok->id, "socket", raw, xml); 3200 if (xml) { 3201 open_attr(fp, "sock_type"); 3202 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3203 close_attr(fp); 3204 open_attr(fp, "lport"); 3205 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3206 close_attr(fp); 3207 open_attr(fp, "laddr"); 3208 print_ip_address(fp, tok->tt.socket.l_addr); 3209 close_attr(fp); 3210 open_attr(fp, "fport"); 3211 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3212 close_attr(fp); 3213 open_attr(fp, "faddr"); 3214 print_ip_address(fp, tok->tt.socket.r_addr); 3215 close_attr(fp); 3216 close_tag(fp, tok->id); 3217 } else { 3218 print_delim(fp, del); 3219 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3220 print_delim(fp, del); 3221 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3222 print_delim(fp, del); 3223 print_ip_address(fp, tok->tt.socket.l_addr); 3224 print_delim(fp, del); 3225 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3226 print_delim(fp, del); 3227 print_ip_address(fp, tok->tt.socket.r_addr); 3228 } 3229 } 3230 3231 /* 3232 * audit ID 4 bytes 3233 * euid 4 bytes 3234 * egid 4 bytes 3235 * ruid 4 bytes 3236 * rgid 4 bytes 3237 * pid 4 bytes 3238 * sessid 4 bytes 3239 * terminal ID 3240 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3241 * machine id 4 bytes 3242 */ 3243 static int 3244 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3245 { 3246 int err = 0; 3247 3248 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3249 if (err) 3250 return (-1); 3251 3252 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3253 if (err) 3254 return (-1); 3255 3256 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3257 if (err) 3258 return (-1); 3259 3260 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3261 if (err) 3262 return (-1); 3263 3264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3265 if (err) 3266 return (-1); 3267 3268 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3269 if (err) 3270 return (-1); 3271 3272 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3273 if (err) 3274 return (-1); 3275 3276 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3277 if (err) 3278 return (-1); 3279 3280 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3281 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3282 if (err) 3283 return (-1); 3284 3285 return (0); 3286 } 3287 3288 static void 3289 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3290 __unused char sfrm, int xml) 3291 { 3292 3293 print_tok_type(fp, tok->id, "subject", raw, xml); 3294 if (xml) { 3295 open_attr(fp, "audit-uid"); 3296 print_user(fp, tok->tt.subj32.auid, raw); 3297 close_attr(fp); 3298 open_attr(fp, "uid"); 3299 print_user(fp, tok->tt.subj32.euid, raw); 3300 close_attr(fp); 3301 open_attr(fp, "gid"); 3302 print_group(fp, tok->tt.subj32.egid, raw); 3303 close_attr(fp); 3304 open_attr(fp, "ruid"); 3305 print_user(fp, tok->tt.subj32.ruid, raw); 3306 close_attr(fp); 3307 open_attr(fp, "rgid"); 3308 print_group(fp, tok->tt.subj32.rgid, raw); 3309 close_attr(fp); 3310 open_attr(fp,"pid"); 3311 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3312 close_attr(fp); 3313 open_attr(fp,"sid"); 3314 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3315 close_attr(fp); 3316 open_attr(fp,"tid"); 3317 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3318 print_ip_address(fp, tok->tt.subj32.tid.addr); 3319 close_attr(fp); 3320 close_tag(fp, tok->id); 3321 } else { 3322 print_delim(fp, del); 3323 print_user(fp, tok->tt.subj32.auid, raw); 3324 print_delim(fp, del); 3325 print_user(fp, tok->tt.subj32.euid, raw); 3326 print_delim(fp, del); 3327 print_group(fp, tok->tt.subj32.egid, raw); 3328 print_delim(fp, del); 3329 print_user(fp, tok->tt.subj32.ruid, raw); 3330 print_delim(fp, del); 3331 print_group(fp, tok->tt.subj32.rgid, raw); 3332 print_delim(fp, del); 3333 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3334 print_delim(fp, del); 3335 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3336 print_delim(fp, del); 3337 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3338 print_delim(fp, del); 3339 print_ip_address(fp, tok->tt.subj32.tid.addr); 3340 } 3341 } 3342 3343 /* 3344 * audit ID 4 bytes 3345 * euid 4 bytes 3346 * egid 4 bytes 3347 * ruid 4 bytes 3348 * rgid 4 bytes 3349 * pid 4 bytes 3350 * sessid 4 bytes 3351 * terminal ID 3352 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3353 * machine id 4 bytes 3354 */ 3355 static int 3356 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3357 { 3358 int err = 0; 3359 3360 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3361 if (err) 3362 return (-1); 3363 3364 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3365 if (err) 3366 return (-1); 3367 3368 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3369 if (err) 3370 return (-1); 3371 3372 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3373 if (err) 3374 return (-1); 3375 3376 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3377 if (err) 3378 return (-1); 3379 3380 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3381 if (err) 3382 return (-1); 3383 3384 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3385 if (err) 3386 return (-1); 3387 3388 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3389 if (err) 3390 return (-1); 3391 3392 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3393 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3394 if (err) 3395 return (-1); 3396 3397 return (0); 3398 } 3399 3400 static void 3401 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3402 __unused char sfrm, int xml) 3403 { 3404 3405 print_tok_type(fp, tok->id, "subject", raw, xml); 3406 if (xml) { 3407 open_attr(fp, "audit-uid"); 3408 print_user(fp, tok->tt.subj64.auid, raw); 3409 close_attr(fp); 3410 open_attr(fp, "uid"); 3411 print_user(fp, tok->tt.subj64.euid, raw); 3412 close_attr(fp); 3413 open_attr(fp, "gid"); 3414 print_group(fp, tok->tt.subj64.egid, raw); 3415 close_attr(fp); 3416 open_attr(fp, "ruid"); 3417 print_user(fp, tok->tt.subj64.ruid, raw); 3418 close_attr(fp); 3419 open_attr(fp, "rgid"); 3420 print_group(fp, tok->tt.subj64.rgid, raw); 3421 close_attr(fp); 3422 open_attr(fp, "pid"); 3423 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3424 close_attr(fp); 3425 open_attr(fp, "sid"); 3426 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3427 close_attr(fp); 3428 open_attr(fp, "tid"); 3429 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3430 print_ip_address(fp, tok->tt.subj64.tid.addr); 3431 close_attr(fp); 3432 close_tag(fp, tok->id); 3433 } else { 3434 print_delim(fp, del); 3435 print_user(fp, tok->tt.subj64.auid, raw); 3436 print_delim(fp, del); 3437 print_user(fp, tok->tt.subj64.euid, raw); 3438 print_delim(fp, del); 3439 print_group(fp, tok->tt.subj64.egid, raw); 3440 print_delim(fp, del); 3441 print_user(fp, tok->tt.subj64.ruid, raw); 3442 print_delim(fp, del); 3443 print_group(fp, tok->tt.subj64.rgid, raw); 3444 print_delim(fp, del); 3445 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3446 print_delim(fp, del); 3447 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3448 print_delim(fp, del); 3449 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3450 print_delim(fp, del); 3451 print_ip_address(fp, tok->tt.subj64.tid.addr); 3452 } 3453 } 3454 3455 /* 3456 * audit ID 4 bytes 3457 * euid 4 bytes 3458 * egid 4 bytes 3459 * ruid 4 bytes 3460 * rgid 4 bytes 3461 * pid 4 bytes 3462 * sessid 4 bytes 3463 * terminal ID 3464 * portid 4 bytes 3465 * type 4 bytes 3466 * machine id 16 bytes 3467 */ 3468 static int 3469 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3470 { 3471 int err = 0; 3472 3473 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3474 if (err) 3475 return (-1); 3476 3477 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3478 if (err) 3479 return (-1); 3480 3481 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3482 if (err) 3483 return (-1); 3484 3485 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3486 if (err) 3487 return (-1); 3488 3489 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3490 if (err) 3491 return (-1); 3492 3493 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3494 if (err) 3495 return (-1); 3496 3497 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3498 if (err) 3499 return (-1); 3500 3501 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3502 err); 3503 if (err) 3504 return (-1); 3505 3506 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3507 err); 3508 if (err) 3509 return (-1); 3510 3511 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3512 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3513 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3514 if (err) 3515 return (-1); 3516 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3517 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3518 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3519 if (err) 3520 return (-1); 3521 } else 3522 return (-1); 3523 3524 return (0); 3525 } 3526 3527 static void 3528 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3529 __unused char sfrm, int xml) 3530 { 3531 3532 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3533 if (xml) { 3534 open_attr(fp, "audit-uid"); 3535 print_user(fp, tok->tt.subj32_ex.auid, raw); 3536 close_attr(fp); 3537 open_attr(fp, "uid"); 3538 print_user(fp, tok->tt.subj32_ex.euid, raw); 3539 close_attr(fp); 3540 open_attr(fp, "gid"); 3541 print_group(fp, tok->tt.subj32_ex.egid, raw); 3542 close_attr(fp); 3543 open_attr(fp, "ruid"); 3544 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3545 close_attr(fp); 3546 open_attr(fp, "rgid"); 3547 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3548 close_attr(fp); 3549 open_attr(fp, "pid"); 3550 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3551 close_attr(fp); 3552 open_attr(fp, "sid"); 3553 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3554 close_attr(fp); 3555 open_attr(fp, "tid"); 3556 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3557 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3558 tok->tt.subj32_ex.tid.addr); 3559 close_attr(fp); 3560 close_tag(fp, tok->id); 3561 } else { 3562 print_delim(fp, del); 3563 print_user(fp, tok->tt.subj32_ex.auid, raw); 3564 print_delim(fp, del); 3565 print_user(fp, tok->tt.subj32_ex.euid, raw); 3566 print_delim(fp, del); 3567 print_group(fp, tok->tt.subj32_ex.egid, raw); 3568 print_delim(fp, del); 3569 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3570 print_delim(fp, del); 3571 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3572 print_delim(fp, del); 3573 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3574 print_delim(fp, del); 3575 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3576 print_delim(fp, del); 3577 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3578 print_delim(fp, del); 3579 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3580 tok->tt.subj32_ex.tid.addr); 3581 } 3582 } 3583 3584 /* 3585 * audit ID 4 bytes 3586 * euid 4 bytes 3587 * egid 4 bytes 3588 * ruid 4 bytes 3589 * rgid 4 bytes 3590 * pid 4 bytes 3591 * sessid 4 bytes 3592 * terminal ID 3593 * portid 8 bytes 3594 * type 4 bytes 3595 * machine id 16 bytes 3596 */ 3597 static int 3598 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3599 { 3600 int err = 0; 3601 3602 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3603 if (err) 3604 return (-1); 3605 3606 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3607 if (err) 3608 return (-1); 3609 3610 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3611 if (err) 3612 return (-1); 3613 3614 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3615 if (err) 3616 return (-1); 3617 3618 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3619 if (err) 3620 return (-1); 3621 3622 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3623 if (err) 3624 return (-1); 3625 3626 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3627 if (err) 3628 return (-1); 3629 3630 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3631 err); 3632 if (err) 3633 return (-1); 3634 3635 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3636 err); 3637 if (err) 3638 return (-1); 3639 3640 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3641 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3642 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3643 if (err) 3644 return (-1); 3645 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3646 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3647 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3648 if (err) 3649 return (-1); 3650 } else 3651 return (-1); 3652 3653 return (0); 3654 } 3655 3656 static void 3657 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3658 __unused char sfrm, int xml) 3659 { 3660 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3661 if (xml) { 3662 open_attr(fp, "audit-uid"); 3663 print_user(fp, tok->tt.subj64_ex.auid, raw); 3664 close_attr(fp); 3665 open_attr(fp, "uid"); 3666 print_user(fp, tok->tt.subj64_ex.euid, raw); 3667 close_attr(fp); 3668 open_attr(fp, "gid"); 3669 print_group(fp, tok->tt.subj64_ex.egid, raw); 3670 close_attr(fp); 3671 open_attr(fp, "ruid"); 3672 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3673 close_attr(fp); 3674 open_attr(fp, "rgid"); 3675 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3676 close_attr(fp); 3677 open_attr(fp, "pid"); 3678 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3679 close_attr(fp); 3680 open_attr(fp, "sid"); 3681 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3682 close_attr(fp); 3683 open_attr(fp, "tid"); 3684 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3685 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3686 tok->tt.subj64_ex.tid.addr); 3687 close_attr(fp); 3688 close_tag(fp, tok->id); 3689 } else { 3690 print_delim(fp, del); 3691 print_user(fp, tok->tt.subj64_ex.auid, raw); 3692 print_delim(fp, del); 3693 print_user(fp, tok->tt.subj64_ex.euid, raw); 3694 print_delim(fp, del); 3695 print_group(fp, tok->tt.subj64_ex.egid, raw); 3696 print_delim(fp, del); 3697 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3698 print_delim(fp, del); 3699 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3700 print_delim(fp, del); 3701 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3702 print_delim(fp, del); 3703 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3704 print_delim(fp, del); 3705 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3706 print_delim(fp, del); 3707 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3708 tok->tt.subj64_ex.tid.addr); 3709 } 3710 } 3711 3712 /* 3713 * size 2 bytes 3714 * data size bytes 3715 */ 3716 static int 3717 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3718 { 3719 int err = 0; 3720 3721 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3722 if (err) 3723 return (-1); 3724 3725 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3726 err); 3727 if (err) 3728 return (-1); 3729 3730 return (0); 3731 } 3732 3733 static void 3734 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3735 __unused char sfrm, int xml) 3736 { 3737 3738 print_tok_type(fp, tok->id, "text", raw, xml); 3739 if (xml) { 3740 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3741 close_tag(fp, tok->id); 3742 } else { 3743 print_delim(fp, del); 3744 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3745 } 3746 } 3747 3748 /* 3749 * socket type 2 bytes 3750 * local port 2 bytes 3751 * address type/length 4 bytes 3752 * local Internet address 4 bytes 3753 * remote port 4 bytes 3754 * address type/length 4 bytes 3755 * remote Internet address 4 bytes 3756 */ 3757 static int 3758 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3759 { 3760 int err = 0; 3761 3762 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3763 err); 3764 if (err) 3765 return (-1); 3766 3767 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3768 sizeof(uint16_t), tok->len, err); 3769 if (err) 3770 return (-1); 3771 3772 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 3773 err); 3774 if (err) 3775 return (-1); 3776 3777 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3778 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3779 if (err) 3780 return (-1); 3781 3782 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3783 sizeof(uint16_t), tok->len, err); 3784 if (err) 3785 return (-1); 3786 3787 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 3788 err); 3789 if (err) 3790 return (-1); 3791 3792 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3793 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3794 if (err) 3795 return (-1); 3796 3797 return (0); 3798 } 3799 3800 static void 3801 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3802 __unused char sfrm, int xml) 3803 { 3804 3805 print_tok_type(fp, tok->id, "socket", raw, xml); 3806 if (xml) { 3807 open_attr(fp, "sock_type"); 3808 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3809 close_attr(fp); 3810 open_attr(fp, "lport"); 3811 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3812 close_attr(fp); 3813 open_attr(fp, "laddr"); 3814 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3815 close_attr(fp); 3816 open_attr(fp, "faddr"); 3817 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3818 close_attr(fp); 3819 open_attr(fp, "fport"); 3820 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3821 close_attr(fp); 3822 close_tag(fp, tok->id); 3823 } else { 3824 print_delim(fp, del); 3825 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3826 print_delim(fp, del); 3827 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3828 print_delim(fp, del); 3829 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3830 print_delim(fp, del); 3831 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3832 print_delim(fp, del); 3833 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3834 } 3835 } 3836 3837 static int 3838 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3839 { 3840 int err = 0; 3841 int recoversize; 3842 3843 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3844 if (recoversize <= 0) 3845 return (-1); 3846 3847 tok->tt.invalid.length = recoversize; 3848 3849 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3850 err); 3851 if (err) 3852 return (-1); 3853 3854 return (0); 3855 } 3856 3857 static void 3858 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3859 __unused char sfrm, int xml) 3860 { 3861 3862 if (!xml) { 3863 print_tok_type(fp, tok->id, "unknown", raw, 0); 3864 print_delim(fp, del); 3865 print_mem(fp, (u_char*)tok->tt.invalid.data, 3866 tok->tt.invalid.length); 3867 } 3868 } 3869 3870 3871 /* 3872 * size 2 bytes; 3873 * zonename size bytes; 3874 */ 3875 static int 3876 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3877 { 3878 int err = 0; 3879 3880 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3881 if (err) 3882 return (-1); 3883 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3884 tok->len, err); 3885 if (err) 3886 return (-1); 3887 return (0); 3888 } 3889 3890 static void 3891 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3892 __unused char sfrm, int xml) 3893 { 3894 3895 print_tok_type(fp, tok->id, "zone", raw, xml); 3896 if (xml) { 3897 open_attr(fp, "name"); 3898 print_string(fp, tok->tt.zonename.zonename, 3899 tok->tt.zonename.len); 3900 close_attr(fp); 3901 close_tag(fp, tok->id); 3902 } else { 3903 print_delim(fp, del); 3904 print_string(fp, tok->tt.zonename.zonename, 3905 tok->tt.zonename.len); 3906 } 3907 } 3908 3909 /* 3910 * Reads the token beginning at buf into tok. 3911 */ 3912 int 3913 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3914 { 3915 3916 if (len <= 0) 3917 return (-1); 3918 3919 tok->len = 1; 3920 tok->data = buf; 3921 tok->id = *buf; 3922 3923 switch(tok->id) { 3924 case AUT_HEADER32: 3925 return (fetch_header32_tok(tok, buf, len)); 3926 3927 case AUT_HEADER32_EX: 3928 return (fetch_header32_ex_tok(tok, buf, len)); 3929 3930 case AUT_HEADER64: 3931 return (fetch_header64_tok(tok, buf, len)); 3932 3933 case AUT_HEADER64_EX: 3934 return (fetch_header64_ex_tok(tok, buf, len)); 3935 3936 case AUT_TRAILER: 3937 return (fetch_trailer_tok(tok, buf, len)); 3938 3939 case AUT_ARG32: 3940 return (fetch_arg32_tok(tok, buf, len)); 3941 3942 case AUT_ARG64: 3943 return (fetch_arg64_tok(tok, buf, len)); 3944 3945 case AUT_ATTR32: 3946 return (fetch_attr32_tok(tok, buf, len)); 3947 3948 case AUT_ATTR64: 3949 return (fetch_attr64_tok(tok, buf, len)); 3950 3951 case AUT_EXIT: 3952 return (fetch_exit_tok(tok, buf, len)); 3953 3954 case AUT_EXEC_ARGS: 3955 return (fetch_execarg_tok(tok, buf, len)); 3956 3957 case AUT_EXEC_ENV: 3958 return (fetch_execenv_tok(tok, buf, len)); 3959 3960 case AUT_OTHER_FILE32: 3961 return (fetch_file_tok(tok, buf, len)); 3962 3963 case AUT_NEWGROUPS: 3964 return (fetch_newgroups_tok(tok, buf, len)); 3965 3966 case AUT_IN_ADDR: 3967 return (fetch_inaddr_tok(tok, buf, len)); 3968 3969 case AUT_IN_ADDR_EX: 3970 return (fetch_inaddr_ex_tok(tok, buf, len)); 3971 3972 case AUT_IP: 3973 return (fetch_ip_tok(tok, buf, len)); 3974 3975 case AUT_IPC: 3976 return (fetch_ipc_tok(tok, buf, len)); 3977 3978 case AUT_IPC_PERM: 3979 return (fetch_ipcperm_tok(tok, buf, len)); 3980 3981 case AUT_IPORT: 3982 return (fetch_iport_tok(tok, buf, len)); 3983 3984 case AUT_OPAQUE: 3985 return (fetch_opaque_tok(tok, buf, len)); 3986 3987 case AUT_PATH: 3988 return (fetch_path_tok(tok, buf, len)); 3989 3990 case AUT_PROCESS32: 3991 return (fetch_process32_tok(tok, buf, len)); 3992 3993 case AUT_PROCESS32_EX: 3994 return (fetch_process32ex_tok(tok, buf, len)); 3995 3996 case AUT_PROCESS64: 3997 return (fetch_process64_tok(tok, buf, len)); 3998 3999 case AUT_PROCESS64_EX: 4000 return (fetch_process64ex_tok(tok, buf, len)); 4001 4002 case AUT_RETURN32: 4003 return (fetch_return32_tok(tok, buf, len)); 4004 4005 case AUT_RETURN64: 4006 return (fetch_return64_tok(tok, buf, len)); 4007 4008 case AUT_SEQ: 4009 return (fetch_seq_tok(tok, buf, len)); 4010 4011 case AUT_SOCKET: 4012 return (fetch_socket_tok(tok, buf, len)); 4013 4014 case AUT_SOCKINET32: 4015 return (fetch_sock_inet32_tok(tok, buf, len)); 4016 4017 case AUT_SOCKUNIX: 4018 return (fetch_sock_unix_tok(tok, buf, len)); 4019 4020 case AUT_SUBJECT32: 4021 return (fetch_subject32_tok(tok, buf, len)); 4022 4023 case AUT_SUBJECT32_EX: 4024 return (fetch_subject32ex_tok(tok, buf, len)); 4025 4026 case AUT_SUBJECT64: 4027 return (fetch_subject64_tok(tok, buf, len)); 4028 4029 case AUT_SUBJECT64_EX: 4030 return (fetch_subject64ex_tok(tok, buf, len)); 4031 4032 case AUT_TEXT: 4033 return (fetch_text_tok(tok, buf, len)); 4034 4035 case AUT_SOCKET_EX: 4036 return (fetch_socketex32_tok(tok, buf, len)); 4037 4038 case AUT_DATA: 4039 return (fetch_arb_tok(tok, buf, len)); 4040 4041 case AUT_ZONENAME: 4042 return (fetch_zonename_tok(tok, buf, len)); 4043 4044 default: 4045 return (fetch_invalid_tok(tok, buf, len)); 4046 } 4047 } 4048 4049 /* 4050 * 'prints' the token out to outfp. 4051 */ 4052 void 4053 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4054 { 4055 4056 switch(tok->id) { 4057 case AUT_HEADER32: 4058 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4059 return; 4060 4061 case AUT_HEADER32_EX: 4062 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4063 return; 4064 4065 case AUT_HEADER64: 4066 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4067 return; 4068 4069 case AUT_HEADER64_EX: 4070 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4071 return; 4072 4073 case AUT_TRAILER: 4074 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4075 return; 4076 4077 case AUT_ARG32: 4078 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4079 return; 4080 4081 case AUT_ARG64: 4082 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4083 return; 4084 4085 case AUT_DATA: 4086 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4087 return; 4088 4089 case AUT_ATTR32: 4090 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4091 return; 4092 4093 case AUT_ATTR64: 4094 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4095 return; 4096 4097 case AUT_EXIT: 4098 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4099 return; 4100 4101 case AUT_EXEC_ARGS: 4102 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4103 return; 4104 4105 case AUT_EXEC_ENV: 4106 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4107 return; 4108 4109 case AUT_OTHER_FILE32: 4110 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4111 return; 4112 4113 case AUT_NEWGROUPS: 4114 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4115 return; 4116 4117 case AUT_IN_ADDR: 4118 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4119 return; 4120 4121 case AUT_IN_ADDR_EX: 4122 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4123 return; 4124 4125 case AUT_IP: 4126 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4127 return; 4128 4129 case AUT_IPC: 4130 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4131 return; 4132 4133 case AUT_IPC_PERM: 4134 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4135 return; 4136 4137 case AUT_IPORT: 4138 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4139 return; 4140 4141 case AUT_OPAQUE: 4142 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4143 return; 4144 4145 case AUT_PATH: 4146 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4147 return; 4148 4149 case AUT_PROCESS32: 4150 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4151 return; 4152 4153 case AUT_PROCESS32_EX: 4154 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4155 return; 4156 4157 case AUT_PROCESS64: 4158 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4159 return; 4160 4161 case AUT_PROCESS64_EX: 4162 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4163 return; 4164 4165 case AUT_RETURN32: 4166 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4167 return; 4168 4169 case AUT_RETURN64: 4170 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4171 return; 4172 4173 case AUT_SEQ: 4174 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4175 return; 4176 4177 case AUT_SOCKET: 4178 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4179 return; 4180 4181 case AUT_SOCKINET32: 4182 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4183 return; 4184 4185 case AUT_SOCKUNIX: 4186 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4187 return; 4188 4189 case AUT_SUBJECT32: 4190 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4191 return; 4192 4193 case AUT_SUBJECT64: 4194 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4195 return; 4196 4197 case AUT_SUBJECT32_EX: 4198 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4199 return; 4200 4201 case AUT_SUBJECT64_EX: 4202 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4203 return; 4204 4205 case AUT_TEXT: 4206 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4207 return; 4208 4209 case AUT_SOCKET_EX: 4210 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4211 return; 4212 4213 case AUT_ZONENAME: 4214 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4215 return; 4216 4217 default: 4218 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4219 } 4220 } 4221 4222 /* 4223 * 'prints' the token out to outfp in XML format. 4224 */ 4225 void 4226 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4227 char sfrm) 4228 { 4229 4230 switch(tok->id) { 4231 case AUT_HEADER32: 4232 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4233 return; 4234 4235 case AUT_HEADER32_EX: 4236 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4237 return; 4238 4239 case AUT_HEADER64: 4240 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4241 return; 4242 4243 case AUT_HEADER64_EX: 4244 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4245 return; 4246 4247 case AUT_TRAILER: 4248 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4249 return; 4250 4251 case AUT_ARG32: 4252 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4253 return; 4254 4255 case AUT_ARG64: 4256 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4257 return; 4258 4259 case AUT_DATA: 4260 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4261 return; 4262 4263 case AUT_ATTR32: 4264 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4265 return; 4266 4267 case AUT_ATTR64: 4268 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4269 return; 4270 4271 case AUT_EXIT: 4272 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4273 return; 4274 4275 case AUT_EXEC_ARGS: 4276 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4277 return; 4278 4279 case AUT_EXEC_ENV: 4280 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4281 return; 4282 4283 case AUT_OTHER_FILE32: 4284 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4285 return; 4286 4287 case AUT_NEWGROUPS: 4288 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4289 return; 4290 4291 case AUT_IN_ADDR: 4292 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4293 return; 4294 4295 case AUT_IN_ADDR_EX: 4296 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4297 return; 4298 4299 case AUT_IP: 4300 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4301 return; 4302 4303 case AUT_IPC: 4304 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4305 return; 4306 4307 case AUT_IPC_PERM: 4308 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4309 return; 4310 4311 case AUT_IPORT: 4312 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4313 return; 4314 4315 case AUT_OPAQUE: 4316 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4317 return; 4318 4319 case AUT_PATH: 4320 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4321 return; 4322 4323 case AUT_PROCESS32: 4324 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4325 return; 4326 4327 case AUT_PROCESS32_EX: 4328 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4329 return; 4330 4331 case AUT_PROCESS64: 4332 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4333 return; 4334 4335 case AUT_PROCESS64_EX: 4336 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4337 return; 4338 4339 case AUT_RETURN32: 4340 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4341 return; 4342 4343 case AUT_RETURN64: 4344 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4345 return; 4346 4347 case AUT_SEQ: 4348 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4349 return; 4350 4351 case AUT_SOCKET: 4352 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4353 return; 4354 4355 case AUT_SOCKINET32: 4356 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4357 return; 4358 4359 case AUT_SOCKUNIX: 4360 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4361 return; 4362 4363 case AUT_SUBJECT32: 4364 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4365 return; 4366 4367 case AUT_SUBJECT64: 4368 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4369 return; 4370 4371 case AUT_SUBJECT32_EX: 4372 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4373 return; 4374 4375 case AUT_SUBJECT64_EX: 4376 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4377 return; 4378 4379 case AUT_TEXT: 4380 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4381 return; 4382 4383 case AUT_SOCKET_EX: 4384 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4385 return; 4386 4387 case AUT_ZONENAME: 4388 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4389 return; 4390 4391 default: 4392 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4393 } 4394 } 4395 4396 /* 4397 * Read a record from the file pointer, store data in buf memory for buf is 4398 * also allocated in this function and has to be free'd outside this call. 4399 * 4400 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4401 * complete audit record. 4402 * 4403 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4404 * state, because it will be partly offset into a record. We should rewind 4405 * or do something more intelligent. Particularly interesting is the case 4406 * where we perform a partial read of a record from a non-blockable file 4407 * descriptor. We should return the partial read and continue...? 4408 */ 4409 int 4410 au_read_rec(FILE *fp, u_char **buf) 4411 { 4412 u_char *bptr; 4413 u_int32_t recsize; 4414 u_int32_t bytestoread; 4415 u_char type; 4416 4417 u_int32_t sec, msec; 4418 u_int16_t filenamelen; 4419 4420 type = fgetc(fp); 4421 4422 switch (type) { 4423 case AUT_HEADER32: 4424 case AUT_HEADER32_EX: 4425 case AUT_HEADER64: 4426 case AUT_HEADER64_EX: 4427 /* read the record size from the token */ 4428 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4429 sizeof(u_int32_t)) { 4430 errno = EINVAL; 4431 return (-1); 4432 } 4433 recsize = be32toh(recsize); 4434 4435 /* Check for recsize sanity */ 4436 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4437 errno = EINVAL; 4438 return (-1); 4439 } 4440 4441 *buf = malloc(recsize * sizeof(u_char)); 4442 if (*buf == NULL) 4443 return (-1); 4444 bptr = *buf; 4445 memset(bptr, 0, recsize); 4446 4447 /* store the token contents already read, back to the buffer*/ 4448 *bptr = type; 4449 bptr++; 4450 be32enc(bptr, recsize); 4451 bptr += sizeof(u_int32_t); 4452 4453 /* now read remaining record bytes */ 4454 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4455 4456 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4457 free(*buf); 4458 errno = EINVAL; 4459 return (-1); 4460 } 4461 break; 4462 4463 case AUT_OTHER_FILE32: 4464 /* 4465 * The file token is variable-length, as it includes a 4466 * pathname. As a result, we have to read incrementally 4467 * until we know the total length, then allocate space and 4468 * read the rest. 4469 */ 4470 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4471 errno = EINVAL; 4472 return (-1); 4473 } 4474 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4475 errno = EINVAL; 4476 return (-1); 4477 } 4478 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4479 sizeof(filenamelen)) { 4480 errno = EINVAL; 4481 return (-1); 4482 } 4483 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4484 sizeof(filenamelen) + ntohs(filenamelen); 4485 *buf = malloc(recsize); 4486 if (*buf == NULL) 4487 return (-1); 4488 bptr = *buf; 4489 4490 bcopy(&type, bptr, sizeof(type)); 4491 bptr += sizeof(type); 4492 bcopy(&sec, bptr, sizeof(sec)); 4493 bptr += sizeof(sec); 4494 bcopy(&msec, bptr, sizeof(msec)); 4495 bptr += sizeof(msec); 4496 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4497 bptr += sizeof(filenamelen); 4498 4499 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4500 ntohs(filenamelen)) { 4501 free(buf); 4502 errno = EINVAL; 4503 return (-1); 4504 } 4505 break; 4506 4507 default: 4508 errno = EINVAL; 4509 return (-1); 4510 } 4511 4512 return (recsize); 4513 } 4514