1 /*- 2 * Copyright (c) 2004 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#55 $ 36 */ 37 38 #include <sys/types.h> 39 40 #include <config/config.h> 41 #ifdef HAVE_SYS_ENDIAN_H 42 #include <sys/endian.h> 43 #else /* !HAVE_SYS_ENDIAN_H */ 44 #ifdef HAVE_MACHINE_ENDIAN_H 45 #include <machine/endian.h> 46 #else /* !HAVE_MACHINE_ENDIAN_H */ 47 #ifdef HAVE_ENDIAN_H 48 #include <endian.h> 49 #else /* !HAVE_ENDIAN_H */ 50 #error "No supported endian.h" 51 #endif /* !HAVE_ENDIAN_H */ 52 #endif /* !HAVE_MACHINE_ENDIAN_H */ 53 #include <compat/endian.h> 54 #endif /* !HAVE_SYS_ENDIAN_H */ 55 #ifdef HAVE_FULL_QUEUE_H 56 #include <sys/queue.h> 57 #else /* !HAVE_FULL_QUEUE_H */ 58 #include <compat/queue.h> 59 #endif /* !HAVE_FULL_QUEUE_H */ 60 61 #include <sys/stat.h> 62 #include <sys/socket.h> 63 64 #include <bsm/libbsm.h> 65 66 #include <unistd.h> 67 #include <netinet/in.h> 68 #include <arpa/inet.h> 69 #include <errno.h> 70 #include <time.h> 71 #include <stdlib.h> 72 #include <stdio.h> 73 #include <string.h> 74 #include <pwd.h> 75 #include <grp.h> 76 77 #include <bsm/audit_internal.h> 78 79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81 (err) = 1; \ 82 } else { \ 83 memcpy((dest), (buf) + (bytesread), (size)); \ 84 bytesread += size; \ 85 } \ 86 } while (0) 87 88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90 (dest) = buf[(bytesread)]; \ 91 (bytesread) += sizeof(u_char); \ 92 } else \ 93 (err) = 1; \ 94 } while (0) 95 96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98 (dest) = be16dec((buf) + (bytesread)); \ 99 (bytesread) += sizeof(u_int16_t); \ 100 } else \ 101 (err) = 1; \ 102 } while (0) 103 104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106 (dest) = be32dec((buf) + (bytesread)); \ 107 (bytesread) += sizeof(u_int32_t); \ 108 } else \ 109 (err) = 1; \ 110 } while (0) 111 112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114 dest = be64dec((buf) + (bytesread)); \ 115 (bytesread) += sizeof(u_int64_t); \ 116 } else \ 117 (err) = 1; \ 118 } while (0) 119 120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (u_int32_t)(len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127 } while (0) 128 129 /* 130 * XML option. 131 */ 132 #define AU_PLAIN 0 133 #define AU_XML 1 134 135 /* 136 * Prints the delimiter string. 137 */ 138 static void 139 print_delim(FILE *fp, const char *del) 140 { 141 142 fprintf(fp, "%s", del); 143 } 144 145 /* 146 * Prints a single byte in the given format. 147 */ 148 static void 149 print_1_byte(FILE *fp, u_char val, const char *format) 150 { 151 152 fprintf(fp, format, val); 153 } 154 155 /* 156 * Print 2 bytes in the given format. 157 */ 158 static void 159 print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160 { 161 162 fprintf(fp, format, val); 163 } 164 165 /* 166 * Prints 4 bytes in the given format. 167 */ 168 static void 169 print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170 { 171 172 fprintf(fp, format, val); 173 } 174 175 /* 176 * Prints 8 bytes in the given format. 177 */ 178 static void 179 print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180 { 181 182 fprintf(fp, format, val); 183 } 184 185 /* 186 * Prints the given size of data bytes in hex. 187 */ 188 static void 189 print_mem(FILE *fp, u_char *data, size_t len) 190 { 191 u_int32_t i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%x", data[i]); 197 } 198 } 199 200 /* 201 * Prints the given data bytes as a string. 202 */ 203 static void 204 print_string(FILE *fp, const char *str, size_t len) 205 { 206 u_int32_t i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214 } 215 216 /* 217 * Prints the beggining of attribute. 218 */ 219 static void 220 open_attr(FILE *fp, const char *str) 221 { 222 223 fprintf(fp,"%s=\"", str); 224 } 225 226 /* 227 * Prints the end of attribute. 228 */ 229 static void 230 close_attr(FILE *fp) 231 { 232 233 fprintf(fp,"\" "); 234 } 235 236 /* 237 * Prints the end of tag. 238 */ 239 static void 240 close_tag(FILE *fp, u_char type) 241 { 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SUBJECT32: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT64: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT32_EX: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT64_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_TEXT: 385 fprintf(fp, "</text>"); 386 break; 387 388 case AUT_SOCKET_EX: 389 fprintf(fp, "/>"); 390 break; 391 392 case AUT_DATA: 393 fprintf(fp, "</arbitrary>"); 394 break; 395 396 case AUT_ZONENAME: 397 fprintf(fp, "/>"); 398 break; 399 } 400 } 401 402 /* 403 * Prints the token type in either the raw or the default form. 404 */ 405 static void 406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407 { 408 409 if (xml) { 410 switch(type) { 411 case AUT_HEADER32: 412 fprintf(fp, "<record "); 413 break; 414 415 case AUT_HEADER32_EX: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER64: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64_EX: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_TRAILER: 428 fprintf(fp, "</record>"); 429 break; 430 431 case AUT_ARG32: 432 fprintf(fp, "<argument "); 433 break; 434 435 case AUT_ARG64: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ATTR32: 440 fprintf(fp, "<attribute "); 441 break; 442 443 case AUT_ATTR64: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_EXIT: 448 fprintf(fp, "<exit "); 449 break; 450 451 case AUT_EXEC_ARGS: 452 fprintf(fp, "<exec_args>"); 453 break; 454 455 case AUT_EXEC_ENV: 456 fprintf(fp, "<exec_env>"); 457 break; 458 459 case AUT_OTHER_FILE32: 460 fprintf(fp, "<file "); 461 break; 462 463 case AUT_NEWGROUPS: 464 fprintf(fp, "<group>"); 465 break; 466 467 case AUT_IN_ADDR: 468 fprintf(fp, "<ip_address>"); 469 break; 470 471 case AUT_IN_ADDR_EX: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IP: 476 fprintf(fp, "<ip "); 477 break; 478 479 case AUT_IPC: 480 fprintf(fp, "<IPC"); 481 break; 482 483 case AUT_IPC_PERM: 484 fprintf(fp, "<IPC_perm "); 485 break; 486 487 case AUT_IPORT: 488 fprintf(fp, "<ip_port>"); 489 break; 490 491 case AUT_OPAQUE: 492 fprintf(fp, "<opaque>"); 493 break; 494 495 case AUT_PATH: 496 fprintf(fp, "<path>"); 497 break; 498 499 case AUT_PROCESS32: 500 fprintf(fp, "<process "); 501 break; 502 503 case AUT_PROCESS32_EX: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS64: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64_EX: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_RETURN32: 516 fprintf(fp, "<return "); 517 break; 518 519 case AUT_RETURN64: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_SEQ: 524 fprintf(fp, "<sequence "); 525 break; 526 527 case AUT_SOCKET: 528 fprintf(fp, "<socket "); 529 break; 530 531 case AUT_SOCKINET32: 532 fprintf(fp, "<old_socket"); 533 break; 534 535 case AUT_SOCKUNIX: 536 fprintf(fp, "<old_socket"); 537 break; 538 539 case AUT_SUBJECT32: 540 fprintf(fp, "<subject "); 541 break; 542 543 case AUT_SUBJECT64: 544 fprintf(fp, "<subject "); 545 break; 546 547 case AUT_SUBJECT32_EX: 548 fprintf(fp, "<subject "); 549 break; 550 551 case AUT_SUBJECT64_EX: 552 fprintf(fp, "<subject "); 553 break; 554 555 case AUT_TEXT: 556 fprintf(fp, "<text>"); 557 break; 558 559 case AUT_SOCKET_EX: 560 fprintf(fp, "<socket "); 561 break; 562 563 case AUT_DATA: 564 fprintf(fp, "<arbitrary "); 565 break; 566 567 case AUT_ZONENAME: 568 fprintf(fp, "<zone "); 569 break; 570 } 571 } else { 572 if (raw) 573 fprintf(fp, "%u", type); 574 else 575 fprintf(fp, "%s", tokname); 576 } 577 } 578 579 /* 580 * Prints a user value. 581 */ 582 static void 583 print_user(FILE *fp, u_int32_t usr, char raw) 584 { 585 struct passwd *pwent; 586 587 if (raw) 588 fprintf(fp, "%d", usr); 589 else { 590 pwent = getpwuid(usr); 591 if (pwent != NULL) 592 fprintf(fp, "%s", pwent->pw_name); 593 else 594 fprintf(fp, "%d", usr); 595 } 596 } 597 598 /* 599 * Prints a group value. 600 */ 601 static void 602 print_group(FILE *fp, u_int32_t grp, char raw) 603 { 604 struct group *grpent; 605 606 if (raw) 607 fprintf(fp, "%d", grp); 608 else { 609 grpent = getgrgid(grp); 610 if (grpent != NULL) 611 fprintf(fp, "%s", grpent->gr_name); 612 else 613 fprintf(fp, "%d", grp); 614 } 615 } 616 617 /* 618 * Prints the event from the header token in either the short, default or raw 619 * form. 620 */ 621 static void 622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623 { 624 char event_ent_name[AU_EVENT_NAME_MAX]; 625 char event_ent_desc[AU_EVENT_DESC_MAX]; 626 struct au_event_ent e, *ep; 627 628 bzero(&e, sizeof(e)); 629 bzero(event_ent_name, sizeof(event_ent_name)); 630 bzero(event_ent_desc, sizeof(event_ent_desc)); 631 e.ae_name = event_ent_name; 632 e.ae_desc = event_ent_desc; 633 634 ep = getauevnum_r(&e, ev); 635 if (ep == NULL) { 636 fprintf(fp, "%u", ev); 637 return; 638 } 639 640 if (raw) 641 fprintf(fp, "%u", ev); 642 else if (sfrm) 643 fprintf(fp, "%s", e.ae_name); 644 else 645 fprintf(fp, "%s", e.ae_desc); 646 } 647 648 649 /* 650 * Prints the event modifier from the header token in either the default or 651 * raw form. 652 */ 653 static void 654 print_evmod(FILE *fp, u_int16_t evmod, char raw) 655 { 656 if (raw) 657 fprintf(fp, "%u", evmod); 658 else 659 fprintf(fp, "%u", evmod); 660 } 661 662 /* 663 * Prints seconds in the ctime format. 664 */ 665 static void 666 print_sec32(FILE *fp, u_int32_t sec, char raw) 667 { 668 time_t timestamp; 669 char timestr[26]; 670 671 if (raw) 672 fprintf(fp, "%u", sec); 673 else { 674 timestamp = (time_t)sec; 675 ctime_r(×tamp, timestr); 676 timestr[24] = '\0'; /* No new line */ 677 fprintf(fp, "%s", timestr); 678 } 679 } 680 681 /* 682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683 * assume a 32-bit time_t, we simply truncate for now. 684 */ 685 static void 686 print_sec64(FILE *fp, u_int64_t sec, char raw) 687 { 688 time_t timestamp; 689 char timestr[26]; 690 691 if (raw) 692 fprintf(fp, "%u", (u_int32_t)sec); 693 else { 694 timestamp = (time_t)sec; 695 ctime_r(×tamp, timestr); 696 timestr[24] = '\0'; /* No new line */ 697 fprintf(fp, "%s", timestr); 698 } 699 } 700 701 /* 702 * Prints the excess milliseconds. 703 */ 704 static void 705 print_msec32(FILE *fp, u_int32_t msec, char raw) 706 { 707 if (raw) 708 fprintf(fp, "%u", msec); 709 else 710 fprintf(fp, " + %u msec", msec); 711 } 712 713 /* 714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715 * a 32-bit msec, we simply truncate for now. 716 */ 717 static void 718 print_msec64(FILE *fp, u_int64_t msec, char raw) 719 { 720 721 msec &= 0xffffffff; 722 if (raw) 723 fprintf(fp, "%u", (u_int32_t)msec); 724 else 725 fprintf(fp, " + %u msec", (u_int32_t)msec); 726 } 727 728 /* 729 * Prints a dotted form for the IP address. 730 */ 731 static void 732 print_ip_address(FILE *fp, u_int32_t ip) 733 { 734 struct in_addr ipaddr; 735 736 ipaddr.s_addr = ip; 737 fprintf(fp, "%s", inet_ntoa(ipaddr)); 738 } 739 740 /* 741 * Prints a string value for the given ip address. 742 */ 743 static void 744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745 { 746 struct in_addr ipv4; 747 struct in6_addr ipv6; 748 char dst[INET6_ADDRSTRLEN]; 749 750 switch (type) { 751 case AU_IPv4: 752 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754 INET6_ADDRSTRLEN)); 755 break; 756 757 case AU_IPv6: 758 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760 INET6_ADDRSTRLEN)); 761 break; 762 763 default: 764 fprintf(fp, "invalid"); 765 } 766 } 767 768 /* 769 * Prints return value as success or failure. 770 */ 771 static void 772 print_retval(FILE *fp, u_char status, char raw) 773 { 774 if (raw) 775 fprintf(fp, "%u", status); 776 else { 777 if (status == 0) 778 fprintf(fp, "success"); 779 else 780 fprintf(fp, "failure : %s", strerror(status)); 781 } 782 } 783 784 /* 785 * Prints the exit value. 786 */ 787 static void 788 print_errval(FILE *fp, u_int32_t val) 789 { 790 791 fprintf(fp, "Error %u", val); 792 } 793 794 /* 795 * Prints IPC type. 796 */ 797 static void 798 print_ipctype(FILE *fp, u_char type, char raw) 799 { 800 if (raw) 801 fprintf(fp, "%u", type); 802 else { 803 if (type == AT_IPC_MSG) 804 fprintf(fp, "Message IPC"); 805 else if (type == AT_IPC_SEM) 806 fprintf(fp, "Semaphore IPC"); 807 else if (type == AT_IPC_SHM) 808 fprintf(fp, "Shared Memory IPC"); 809 else 810 fprintf(fp, "%u", type); 811 } 812 } 813 814 /* 815 * Print XML header. 816 */ 817 void 818 au_print_xml_header(FILE *outfp) 819 { 820 821 fprintf(outfp, "<?xml version='1.0' ?>\n"); 822 fprintf(outfp, "<audit>\n"); 823 } 824 825 /* 826 * Print XML footer. 827 */ 828 void 829 au_print_xml_footer(FILE *outfp) 830 { 831 832 fprintf(outfp, "</audit>\n"); 833 } 834 835 /* 836 * record byte count 4 bytes 837 * version # 1 byte [2] 838 * event type 2 bytes 839 * event modifier 2 bytes 840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 842 */ 843 static int 844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 845 { 846 int err = 0; 847 848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 849 if (err) 850 return (-1); 851 852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 853 if (err) 854 return (-1); 855 856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 857 if (err) 858 return (-1); 859 860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 861 if (err) 862 return (-1); 863 864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 865 if (err) 866 return (-1); 867 868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 869 if (err) 870 return (-1); 871 872 return (0); 873 } 874 875 static void 876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 877 int xml) 878 { 879 880 print_tok_type(fp, tok->id, "header", raw, xml); 881 if (xml) { 882 open_attr(fp, "version"); 883 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 884 close_attr(fp); 885 open_attr(fp, "event"); 886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 887 close_attr(fp); 888 open_attr(fp, "modifier"); 889 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 890 close_attr(fp); 891 open_attr(fp, "time"); 892 print_sec32(fp, tok->tt.hdr32.s, raw); 893 close_attr(fp); 894 open_attr(fp, "msec"); 895 print_msec32(fp, tok->tt.hdr32.ms, 1); 896 close_attr(fp); 897 close_tag(fp, tok->id); 898 } else { 899 print_delim(fp, del); 900 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 901 print_delim(fp, del); 902 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 903 print_delim(fp, del); 904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905 print_delim(fp, del); 906 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 907 print_delim(fp, del); 908 print_sec32(fp, tok->tt.hdr32.s, raw); 909 print_delim(fp, del); 910 print_msec32(fp, tok->tt.hdr32.ms, raw); 911 } 912 } 913 914 /* 915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 916 * depending on the bit of the specifications found. The OpenSolaris source 917 * code uses a 4-byte address length, followed by some number of bytes of 918 * address data. This contrasts with the Solaris audit.log.5 man page, which 919 * specifies a 1-byte length field. We use the Solaris 10 definition so that 920 * we can parse audit trails from that system. 921 * 922 * record byte count 4 bytes 923 * version # 1 byte [2] 924 * event type 2 bytes 925 * event modifier 2 bytes 926 * address type/length 4 bytes 927 * [ Solaris man page: address type/length 1 byte] 928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 929 * seconds of time 4 bytes/8 bytes (32/64-bits) 930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 931 */ 932 static int 933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 934 { 935 int err = 0; 936 937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 938 if (err) 939 return (-1); 940 941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 942 if (err) 943 return (-1); 944 945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 946 if (err) 947 return (-1); 948 949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 950 if (err) 951 return (-1); 952 953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 954 if (err) 955 return (-1); 956 957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 958 switch (tok->tt.hdr32_ex.ad_type) { 959 case AU_IPv4: 960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 962 if (err) 963 return (-1); 964 break; 965 966 case AU_IPv6: 967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 969 break; 970 } 971 972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 973 if (err) 974 return (-1); 975 976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 977 if (err) 978 return (-1); 979 980 return (0); 981 } 982 983 static void 984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 985 char sfrm, int xml) 986 { 987 988 print_tok_type(fp, tok->id, "header_ex", raw, xml); 989 if (xml) { 990 open_attr(fp, "version"); 991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 992 close_attr(fp); 993 open_attr(fp, "event"); 994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 995 close_attr(fp); 996 open_attr(fp, "modifier"); 997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 998 close_attr(fp); 999 open_attr(fp, "host"); 1000 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1001 tok->tt.hdr32_ex.addr); 1002 close_attr(fp); 1003 open_attr(fp, "time"); 1004 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1005 close_attr(fp); 1006 open_attr(fp, "msec"); 1007 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1008 close_attr(fp); 1009 close_tag(fp, tok->id); 1010 } else { 1011 print_delim(fp, del); 1012 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1013 print_delim(fp, del); 1014 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1015 print_delim(fp, del); 1016 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1017 print_delim(fp, del); 1018 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1019 print_delim(fp, del); 1020 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1021 tok->tt.hdr32_ex.addr); 1022 print_delim(fp, del); 1023 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1024 print_delim(fp, del); 1025 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1026 } 1027 } 1028 1029 /* 1030 * record byte count 4 bytes 1031 * event type 2 bytes 1032 * event modifier 2 bytes 1033 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1034 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1035 * version # 1036 */ 1037 static int 1038 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1039 { 1040 int err = 0; 1041 1042 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1043 if (err) 1044 return (-1); 1045 1046 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1047 if (err) 1048 return (-1); 1049 1050 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1051 if (err) 1052 return (-1); 1053 1054 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1055 if (err) 1056 return (-1); 1057 1058 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1059 if (err) 1060 return (-1); 1061 1062 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1063 if (err) 1064 return (-1); 1065 1066 return (0); 1067 } 1068 1069 static void 1070 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1071 int xml) 1072 { 1073 1074 print_tok_type(fp, tok->id, "header", raw, xml); 1075 if (xml) { 1076 open_attr(fp, "version"); 1077 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1078 close_attr(fp); 1079 open_attr(fp, "event"); 1080 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1081 close_attr(fp); 1082 open_attr(fp, "modifier"); 1083 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1084 close_attr(fp); 1085 open_attr(fp, "time"); 1086 print_sec64(fp, tok->tt.hdr64.s, raw); 1087 close_attr(fp); 1088 open_attr(fp, "msec"); 1089 print_msec64(fp, tok->tt.hdr64.ms, raw); 1090 close_attr(fp); 1091 close_tag(fp, tok->id); 1092 } else { 1093 print_delim(fp, del); 1094 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1095 print_delim(fp, del); 1096 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1097 print_delim(fp, del); 1098 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1099 print_delim(fp, del); 1100 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1101 print_delim(fp, del); 1102 print_sec64(fp, tok->tt.hdr64.s, raw); 1103 print_delim(fp, del); 1104 print_msec64(fp, tok->tt.hdr64.ms, raw); 1105 } 1106 } 1107 1108 /* 1109 * record byte count 4 bytes 1110 * version # 1 byte [2] 1111 * event type 2 bytes 1112 * event modifier 2 bytes 1113 * address type/length 4 bytes 1114 * [ Solaris man page: address type/length 1 byte] 1115 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1116 * seconds of time 4 bytes/8 bytes (32/64-bits) 1117 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1118 * 1119 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1120 * accuracy of the BSM spec. 1121 */ 1122 static int 1123 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1124 { 1125 int err = 0; 1126 1127 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1128 if (err) 1129 return (-1); 1130 1131 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1132 if (err) 1133 return (-1); 1134 1135 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1136 if (err) 1137 return (-1); 1138 1139 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1140 if (err) 1141 return (-1); 1142 1143 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1144 if (err) 1145 return (-1); 1146 1147 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1148 switch (tok->tt.hdr64_ex.ad_type) { 1149 case AU_IPv4: 1150 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1151 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1152 if (err) 1153 return (-1); 1154 break; 1155 1156 case AU_IPv6: 1157 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1158 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1159 break; 1160 } 1161 1162 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1163 if (err) 1164 return (-1); 1165 1166 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1167 if (err) 1168 return (-1); 1169 1170 return (0); 1171 } 1172 1173 static void 1174 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1175 char sfrm, int xml) 1176 { 1177 1178 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1179 if (xml) { 1180 open_attr(fp, "version"); 1181 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1182 close_attr(fp); 1183 open_attr(fp, "event"); 1184 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1185 close_attr(fp); 1186 open_attr(fp, "modifier"); 1187 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1188 close_attr(fp); 1189 open_attr(fp, "host"); 1190 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1191 tok->tt.hdr64_ex.addr); 1192 close_attr(fp); 1193 open_attr(fp, "time"); 1194 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1195 close_attr(fp); 1196 open_attr(fp, "msec"); 1197 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1198 close_attr(fp); 1199 close_tag(fp, tok->id); 1200 } else { 1201 print_delim(fp, del); 1202 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1203 print_delim(fp, del); 1204 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1205 print_delim(fp, del); 1206 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1207 print_delim(fp, del); 1208 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1209 print_delim(fp, del); 1210 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1211 tok->tt.hdr64_ex.addr); 1212 print_delim(fp, del); 1213 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1214 print_delim(fp, del); 1215 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1216 } 1217 } 1218 1219 /* 1220 * trailer magic 2 bytes 1221 * record size 4 bytes 1222 */ 1223 static int 1224 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1225 { 1226 int err = 0; 1227 1228 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1229 if (err) 1230 return (-1); 1231 1232 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1233 if (err) 1234 return (-1); 1235 1236 return (0); 1237 } 1238 1239 static void 1240 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1241 __unused char sfrm, int xml) 1242 { 1243 1244 print_tok_type(fp, tok->id, "trailer", raw, xml); 1245 if (!xml) { 1246 print_delim(fp, del); 1247 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1248 } 1249 } 1250 1251 /* 1252 * argument # 1 byte 1253 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1254 * text length 2 bytes 1255 * text N bytes + 1 terminating NULL byte 1256 */ 1257 static int 1258 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1259 { 1260 int err = 0; 1261 1262 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1263 if (err) 1264 return (-1); 1265 1266 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1267 if (err) 1268 return (-1); 1269 1270 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1271 if (err) 1272 return (-1); 1273 1274 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1275 tok->len, err); 1276 if (err) 1277 return (-1); 1278 1279 return (0); 1280 } 1281 1282 static void 1283 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1284 __unused char sfrm, int xml) 1285 { 1286 1287 print_tok_type(fp, tok->id, "argument", raw, xml); 1288 if (xml) { 1289 open_attr(fp, "arg-num"); 1290 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1291 close_attr(fp); 1292 open_attr(fp, "value"); 1293 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1294 close_attr(fp); 1295 open_attr(fp, "desc"); 1296 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1297 close_attr(fp); 1298 close_tag(fp, tok->id); 1299 } else { 1300 print_delim(fp, del); 1301 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1302 print_delim(fp, del); 1303 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1304 print_delim(fp, del); 1305 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1306 } 1307 } 1308 1309 static int 1310 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1311 { 1312 int err = 0; 1313 1314 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1315 if (err) 1316 return (-1); 1317 1318 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1319 if (err) 1320 return (-1); 1321 1322 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1323 if (err) 1324 return (-1); 1325 1326 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1327 tok->len, err); 1328 if (err) 1329 return (-1); 1330 1331 return (0); 1332 } 1333 1334 static void 1335 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1336 __unused char sfrm, int xml) 1337 { 1338 1339 print_tok_type(fp, tok->id, "argument", raw, xml); 1340 if (xml) { 1341 open_attr(fp, "arg-num"); 1342 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1343 close_attr(fp); 1344 open_attr(fp, "value"); 1345 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1346 close_attr(fp); 1347 open_attr(fp, "desc"); 1348 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1349 close_attr(fp); 1350 close_tag(fp, tok->id); 1351 } else { 1352 print_delim(fp, del); 1353 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1354 print_delim(fp, del); 1355 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1356 print_delim(fp, del); 1357 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1358 } 1359 } 1360 1361 /* 1362 * how to print 1 byte 1363 * basic unit 1 byte 1364 * unit count 1 byte 1365 * data items (depends on basic unit) 1366 */ 1367 static int 1368 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1369 { 1370 int err = 0; 1371 int datasize; 1372 1373 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1374 if (err) 1375 return (-1); 1376 1377 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1378 if (err) 1379 return (-1); 1380 1381 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1382 if (err) 1383 return (-1); 1384 1385 /* 1386 * Determine the size of the basic unit. 1387 */ 1388 switch(tok->tt.arb.bu) { 1389 case AUR_BYTE: 1390 /* case AUR_CHAR: */ 1391 datasize = AUR_BYTE_SIZE; 1392 break; 1393 1394 case AUR_SHORT: 1395 datasize = AUR_SHORT_SIZE; 1396 break; 1397 1398 case AUR_INT32: 1399 /* case AUR_INT: */ 1400 datasize = AUR_INT32_SIZE; 1401 break; 1402 1403 case AUR_INT64: 1404 datasize = AUR_INT64_SIZE; 1405 break; 1406 1407 default: 1408 return (-1); 1409 } 1410 1411 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1412 tok->len, err); 1413 if (err) 1414 return (-1); 1415 1416 return (0); 1417 } 1418 1419 static void 1420 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1421 __unused char sfrm, int xml) 1422 { 1423 char *str; 1424 char *format; 1425 size_t size; 1426 int i; 1427 1428 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1429 if (!xml) 1430 print_delim(fp, del); 1431 1432 switch(tok->tt.arb.howtopr) { 1433 case AUP_BINARY: 1434 str = "binary"; 1435 format = " %c"; 1436 break; 1437 1438 case AUP_OCTAL: 1439 str = "octal"; 1440 format = " %o"; 1441 break; 1442 1443 case AUP_DECIMAL: 1444 str = "decimal"; 1445 format = " %d"; 1446 break; 1447 1448 case AUP_HEX: 1449 str = "hex"; 1450 format = " %x"; 1451 break; 1452 1453 case AUP_STRING: 1454 str = "string"; 1455 format = "%c"; 1456 break; 1457 1458 default: 1459 return; 1460 } 1461 1462 if (xml) { 1463 open_attr(fp, "print"); 1464 fprintf(fp, "%s",str); 1465 close_attr(fp); 1466 } else { 1467 print_string(fp, str, strlen(str)); 1468 print_delim(fp, del); 1469 } 1470 switch(tok->tt.arb.bu) { 1471 case AUR_BYTE: 1472 /* case AUR_CHAR: */ 1473 str = "byte"; 1474 size = AUR_BYTE_SIZE; 1475 if (xml) { 1476 open_attr(fp, "type"); 1477 fprintf(fp, "%zu", size); 1478 close_attr(fp); 1479 open_attr(fp, "count"); 1480 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1481 close_attr(fp); 1482 fprintf(fp, ">"); 1483 for (i = 0; i<tok->tt.arb.uc; i++) 1484 fprintf(fp, format, *(tok->tt.arb.data + 1485 (size * i))); 1486 close_tag(fp, tok->id); 1487 } else { 1488 print_string(fp, str, strlen(str)); 1489 print_delim(fp, del); 1490 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1491 print_delim(fp, del); 1492 for (i = 0; i<tok->tt.arb.uc; i++) 1493 fprintf(fp, format, *(tok->tt.arb.data + 1494 (size * i))); 1495 } 1496 break; 1497 1498 case AUR_SHORT: 1499 str = "short"; 1500 size = AUR_SHORT_SIZE; 1501 if (xml) { 1502 open_attr(fp, "type"); 1503 fprintf(fp, "%zu", size); 1504 close_attr(fp); 1505 open_attr(fp, "count"); 1506 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1507 close_attr(fp); 1508 fprintf(fp, ">"); 1509 for (i = 0; i < tok->tt.arb.uc; i++) 1510 fprintf(fp, format, 1511 *((u_int16_t *)(tok->tt.arb.data + 1512 (size * i)))); 1513 close_tag(fp, tok->id); 1514 } else { 1515 print_string(fp, str, strlen(str)); 1516 print_delim(fp, del); 1517 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1518 print_delim(fp, del); 1519 for (i = 0; i < tok->tt.arb.uc; i++) 1520 fprintf(fp, format, 1521 *((u_int16_t *)(tok->tt.arb.data + 1522 (size * i)))); 1523 } 1524 break; 1525 1526 case AUR_INT32: 1527 /* case AUR_INT: */ 1528 str = "int"; 1529 size = AUR_INT32_SIZE; 1530 if (xml) { 1531 open_attr(fp, "type"); 1532 fprintf(fp, "%zu", size); 1533 close_attr(fp); 1534 open_attr(fp, "count"); 1535 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1536 close_attr(fp); 1537 fprintf(fp, ">"); 1538 for (i = 0; i < tok->tt.arb.uc; i++) 1539 fprintf(fp, format, 1540 *((u_int32_t *)(tok->tt.arb.data + 1541 (size * i)))); 1542 close_tag(fp, tok->id); 1543 } else { 1544 print_string(fp, str, strlen(str)); 1545 print_delim(fp, del); 1546 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1547 print_delim(fp, del); 1548 for (i = 0; i < tok->tt.arb.uc; i++) 1549 fprintf(fp, format, 1550 *((u_int32_t *)(tok->tt.arb.data + 1551 (size * i)))); 1552 } 1553 break; 1554 1555 case AUR_INT64: 1556 str = "int64"; 1557 size = AUR_INT64_SIZE; 1558 if (xml) { 1559 open_attr(fp, "type"); 1560 fprintf(fp, "%zu", size); 1561 close_attr(fp); 1562 open_attr(fp, "count"); 1563 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1564 close_attr(fp); 1565 fprintf(fp, ">"); 1566 for (i = 0; i < tok->tt.arb.uc; i++) 1567 fprintf(fp, format, 1568 *((u_int64_t *)(tok->tt.arb.data + 1569 (size * i)))); 1570 close_tag(fp, tok->id); 1571 } else { 1572 print_string(fp, str, strlen(str)); 1573 print_delim(fp, del); 1574 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1575 print_delim(fp, del); 1576 for (i = 0; i < tok->tt.arb.uc; i++) 1577 fprintf(fp, format, 1578 *((u_int64_t *)(tok->tt.arb.data + 1579 (size * i)))); 1580 } 1581 break; 1582 1583 default: 1584 return; 1585 } 1586 } 1587 1588 /* 1589 * file access mode 4 bytes 1590 * owner user ID 4 bytes 1591 * owner group ID 4 bytes 1592 * file system ID 4 bytes 1593 * node ID 8 bytes 1594 * device 4 bytes/8 bytes (32-bit/64-bit) 1595 */ 1596 static int 1597 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1598 { 1599 int err = 0; 1600 1601 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1602 if (err) 1603 return (-1); 1604 1605 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1606 if (err) 1607 return (-1); 1608 1609 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1610 if (err) 1611 return (-1); 1612 1613 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1614 if (err) 1615 return (-1); 1616 1617 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1618 if (err) 1619 return (-1); 1620 1621 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1622 if (err) 1623 return (-1); 1624 1625 return (0); 1626 } 1627 1628 static void 1629 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1630 __unused char sfrm, int xml) 1631 { 1632 1633 print_tok_type(fp, tok->id, "attribute", raw, xml); 1634 if (xml) { 1635 open_attr(fp, "mode"); 1636 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1637 close_attr(fp); 1638 open_attr(fp, "uid"); 1639 print_user(fp, tok->tt.attr32.uid, raw); 1640 close_attr(fp); 1641 open_attr(fp, "gid"); 1642 print_group(fp, tok->tt.attr32.gid, raw); 1643 close_attr(fp); 1644 open_attr(fp, "fsid"); 1645 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1646 close_attr(fp); 1647 open_attr(fp, "nodeid"); 1648 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1649 close_attr(fp); 1650 open_attr(fp, "device"); 1651 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1652 close_attr(fp); 1653 close_tag(fp, tok->id); 1654 } else { 1655 print_delim(fp, del); 1656 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1657 print_delim(fp, del); 1658 print_user(fp, tok->tt.attr32.uid, raw); 1659 print_delim(fp, del); 1660 print_group(fp, tok->tt.attr32.gid, raw); 1661 print_delim(fp, del); 1662 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1663 print_delim(fp, del); 1664 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1665 print_delim(fp, del); 1666 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1667 } 1668 } 1669 1670 /* 1671 * file access mode 4 bytes 1672 * owner user ID 4 bytes 1673 * owner group ID 4 bytes 1674 * file system ID 4 bytes 1675 * node ID 8 bytes 1676 * device 4 bytes/8 bytes (32-bit/64-bit) 1677 */ 1678 static int 1679 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1680 { 1681 int err = 0; 1682 1683 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1684 if (err) 1685 return (-1); 1686 1687 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1688 if (err) 1689 return (-1); 1690 1691 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1692 if (err) 1693 return (-1); 1694 1695 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1696 if (err) 1697 return (-1); 1698 1699 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1700 if (err) 1701 return (-1); 1702 1703 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1704 if (err) 1705 return (-1); 1706 1707 return (0); 1708 } 1709 1710 static void 1711 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1712 __unused char sfrm, int xml) 1713 { 1714 1715 print_tok_type(fp, tok->id, "attribute", raw, xml); 1716 if (xml) { 1717 open_attr(fp, "mode"); 1718 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1719 close_attr(fp); 1720 open_attr(fp, "uid"); 1721 print_user(fp, tok->tt.attr64.uid, raw); 1722 close_attr(fp); 1723 open_attr(fp, "gid"); 1724 print_group(fp, tok->tt.attr64.gid, raw); 1725 close_attr(fp); 1726 open_attr(fp, "fsid"); 1727 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1728 close_attr(fp); 1729 open_attr(fp, "nodeid"); 1730 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1731 close_attr(fp); 1732 open_attr(fp, "device"); 1733 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1734 close_attr(fp); 1735 close_tag(fp, tok->id); 1736 } else { 1737 print_delim(fp, del); 1738 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1739 print_delim(fp, del); 1740 print_user(fp, tok->tt.attr64.uid, raw); 1741 print_delim(fp, del); 1742 print_group(fp, tok->tt.attr64.gid, raw); 1743 print_delim(fp, del); 1744 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1745 print_delim(fp, del); 1746 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1747 print_delim(fp, del); 1748 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1749 } 1750 } 1751 1752 /* 1753 * status 4 bytes 1754 * return value 4 bytes 1755 */ 1756 static int 1757 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1758 { 1759 int err = 0; 1760 1761 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1762 if (err) 1763 return (-1); 1764 1765 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1766 if (err) 1767 return (-1); 1768 1769 return (0); 1770 } 1771 1772 static void 1773 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1774 __unused char sfrm, int xml) 1775 { 1776 1777 print_tok_type(fp, tok->id, "exit", raw, xml); 1778 if (xml) { 1779 open_attr(fp, "errval"); 1780 print_errval(fp, tok->tt.exit.status); 1781 close_attr(fp); 1782 open_attr(fp, "retval"); 1783 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1784 close_attr(fp); 1785 close_tag(fp, tok->id); 1786 } else { 1787 print_delim(fp, del); 1788 print_errval(fp, tok->tt.exit.status); 1789 print_delim(fp, del); 1790 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1791 } 1792 } 1793 1794 /* 1795 * count 4 bytes 1796 * text count null-terminated string(s) 1797 */ 1798 static int 1799 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1800 { 1801 int err = 0; 1802 u_int32_t i; 1803 u_char *bptr; 1804 1805 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1806 if (err) 1807 return (-1); 1808 1809 for (i = 0; i < tok->tt.execarg.count; i++) { 1810 bptr = buf + tok->len; 1811 if (i < AUDIT_MAX_ARGS) 1812 tok->tt.execarg.text[i] = (char*)bptr; 1813 1814 /* Look for a null terminated string. */ 1815 while (bptr && (*bptr != '\0')) { 1816 if (++tok->len >= (u_int32_t)len) 1817 return (-1); 1818 bptr = buf + tok->len; 1819 } 1820 if (!bptr) 1821 return (-1); 1822 tok->len++; /* \0 character */ 1823 } 1824 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1825 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1826 1827 return (0); 1828 } 1829 1830 static void 1831 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1832 __unused char sfrm, int xml) 1833 { 1834 u_int32_t i; 1835 1836 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1837 for (i = 0; i < tok->tt.execarg.count; i++) { 1838 if (xml) { 1839 fprintf(fp, "<arg>"); 1840 print_string(fp, tok->tt.execarg.text[i], 1841 strlen(tok->tt.execarg.text[i])); 1842 fprintf(fp, "</arg>"); 1843 } else { 1844 print_delim(fp, del); 1845 print_string(fp, tok->tt.execarg.text[i], 1846 strlen(tok->tt.execarg.text[i])); 1847 } 1848 } 1849 if (xml) 1850 close_tag(fp, tok->id); 1851 } 1852 1853 /* 1854 * count 4 bytes 1855 * text count null-terminated string(s) 1856 */ 1857 static int 1858 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1859 { 1860 int err = 0; 1861 u_int32_t i; 1862 u_char *bptr; 1863 1864 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1865 if (err) 1866 return (-1); 1867 1868 for (i = 0; i < tok->tt.execenv.count; i++) { 1869 bptr = buf + tok->len; 1870 if (i < AUDIT_MAX_ENV) 1871 tok->tt.execenv.text[i] = (char*)bptr; 1872 1873 /* Look for a null terminated string. */ 1874 while (bptr && (*bptr != '\0')) { 1875 if (++tok->len >= (u_int32_t)len) 1876 return (-1); 1877 bptr = buf + tok->len; 1878 } 1879 if (!bptr) 1880 return (-1); 1881 tok->len++; /* \0 character */ 1882 } 1883 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1884 tok->tt.execenv.count = AUDIT_MAX_ENV; 1885 1886 return (0); 1887 } 1888 1889 static void 1890 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1891 __unused char sfrm, int xml) 1892 { 1893 u_int32_t i; 1894 1895 print_tok_type(fp, tok->id, "exec env", raw, xml); 1896 for (i = 0; i< tok->tt.execenv.count; i++) { 1897 if (xml) { 1898 fprintf(fp, "<env>"); 1899 print_string(fp, tok->tt.execenv.text[i], 1900 strlen(tok->tt.execenv.text[i])); 1901 fprintf(fp, "</env>"); 1902 } else { 1903 print_delim(fp, del); 1904 print_string(fp, tok->tt.execenv.text[i], 1905 strlen(tok->tt.execenv.text[i])); 1906 } 1907 } 1908 if (xml) 1909 close_tag(fp, tok->id); 1910 } 1911 1912 /* 1913 * seconds of time 4 bytes 1914 * milliseconds of time 4 bytes 1915 * file name len 2 bytes 1916 * file pathname N bytes + 1 terminating NULL byte 1917 */ 1918 static int 1919 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1920 { 1921 int err = 0; 1922 1923 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1924 if (err) 1925 return (-1); 1926 1927 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1928 if (err) 1929 return (-1); 1930 1931 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1932 if (err) 1933 return (-1); 1934 1935 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1936 err); 1937 if (err) 1938 return (-1); 1939 1940 return (0); 1941 } 1942 1943 static void 1944 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1945 __unused char sfrm, int xml) 1946 { 1947 1948 print_tok_type(fp, tok->id, "file", raw, xml); 1949 if (xml) { 1950 open_attr(fp, "time"); 1951 print_sec32(fp, tok->tt.file.s, raw); 1952 close_attr(fp); 1953 open_attr(fp, "msec"); 1954 print_msec32(fp, tok->tt.file.ms, raw); 1955 close_attr(fp); 1956 fprintf(fp, ">"); 1957 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1958 close_tag(fp, tok->id); 1959 } else { 1960 print_delim(fp, del); 1961 print_sec32(fp, tok->tt.file.s, raw); 1962 print_delim(fp, del); 1963 print_msec32(fp, tok->tt.file.ms, raw); 1964 print_delim(fp, del); 1965 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1966 } 1967 } 1968 1969 /* 1970 * number groups 2 bytes 1971 * group list count * 4 bytes 1972 */ 1973 static int 1974 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1975 { 1976 int i; 1977 int err = 0; 1978 1979 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1980 if (err) 1981 return (-1); 1982 1983 for (i = 0; i<tok->tt.grps.no; i++) { 1984 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1985 err); 1986 if (err) 1987 return (-1); 1988 } 1989 1990 return (0); 1991 } 1992 1993 static void 1994 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1995 __unused char sfrm, int xml) 1996 { 1997 int i; 1998 1999 print_tok_type(fp, tok->id, "group", raw, xml); 2000 for (i = 0; i < tok->tt.grps.no; i++) { 2001 if (xml) { 2002 fprintf(fp, "<gid>"); 2003 print_group(fp, tok->tt.grps.list[i], raw); 2004 fprintf(fp, "</gid>"); 2005 close_tag(fp, tok->id); 2006 } else { 2007 print_delim(fp, del); 2008 print_group(fp, tok->tt.grps.list[i], raw); 2009 } 2010 } 2011 } 2012 2013 /* 2014 * Internet addr 4 bytes 2015 */ 2016 static int 2017 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2018 { 2019 int err = 0; 2020 2021 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2022 tok->len, err); 2023 if (err) 2024 return (-1); 2025 2026 return (0); 2027 2028 } 2029 2030 static void 2031 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2032 __unused char sfrm, int xml) 2033 { 2034 2035 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2036 if (xml) { 2037 print_ip_address(fp, tok->tt.inaddr.addr); 2038 close_tag(fp, tok->id); 2039 } else { 2040 print_delim(fp, del); 2041 print_ip_address(fp, tok->tt.inaddr.addr); 2042 } 2043 } 2044 2045 /* 2046 * type 4 bytes 2047 * address 16 bytes 2048 */ 2049 static int 2050 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2051 { 2052 int err = 0; 2053 2054 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2055 if (err) 2056 return (-1); 2057 2058 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2059 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2060 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2061 if (err) 2062 return (-1); 2063 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2064 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2065 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2066 if (err) 2067 return (-1); 2068 } else 2069 return (-1); 2070 2071 return (0); 2072 } 2073 2074 static void 2075 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2076 __unused char sfrm, int xml) 2077 { 2078 2079 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2080 if (xml) { 2081 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2082 tok->tt.inaddr_ex.addr); 2083 close_tag(fp, tok->id); 2084 } else { 2085 print_delim(fp, del); 2086 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2087 tok->tt.inaddr_ex.addr); 2088 } 2089 } 2090 2091 /* 2092 * ip header 20 bytes 2093 */ 2094 static int 2095 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2096 { 2097 int err = 0; 2098 2099 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2100 if (err) 2101 return (-1); 2102 2103 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2104 if (err) 2105 return (-1); 2106 2107 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2108 tok->len, err); 2109 if (err) 2110 return (-1); 2111 2112 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2113 tok->len, err); 2114 if (err) 2115 return (-1); 2116 2117 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2118 tok->len, err); 2119 if (err) 2120 return (-1); 2121 2122 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2123 if (err) 2124 return (-1); 2125 2126 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2127 if (err) 2128 return (-1); 2129 2130 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2131 tok->len, err); 2132 if (err) 2133 return (-1); 2134 2135 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2136 tok->len, err); 2137 if (err) 2138 return (-1); 2139 2140 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2141 tok->len, err); 2142 if (err) 2143 return (-1); 2144 2145 return (0); 2146 } 2147 2148 static void 2149 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2150 __unused char sfrm, int xml) 2151 { 2152 2153 print_tok_type(fp, tok->id, "ip", raw, xml); 2154 if (xml) { 2155 open_attr(fp, "version"); 2156 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2157 sizeof(u_char)); 2158 close_attr(fp); 2159 open_attr(fp, "service_type"); 2160 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2161 close_attr(fp); 2162 open_attr(fp, "len"); 2163 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2164 close_attr(fp); 2165 open_attr(fp, "id"); 2166 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2167 close_attr(fp); 2168 open_attr(fp, "offset"); 2169 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2170 close_attr(fp); 2171 open_attr(fp, "time_to_live"); 2172 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2173 close_attr(fp); 2174 open_attr(fp, "protocol"); 2175 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2176 close_attr(fp); 2177 open_attr(fp, "cksum"); 2178 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2179 close_attr(fp); 2180 open_attr(fp, "src_addr"); 2181 print_ip_address(fp, tok->tt.ip.src); 2182 close_attr(fp); 2183 open_attr(fp, "dest_addr"); 2184 print_ip_address(fp, tok->tt.ip.dest); 2185 close_attr(fp); 2186 close_tag(fp, tok->id); 2187 } else { 2188 print_delim(fp, del); 2189 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2190 sizeof(u_char)); 2191 print_delim(fp, del); 2192 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2193 print_delim(fp, del); 2194 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2195 print_delim(fp, del); 2196 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2197 print_delim(fp, del); 2198 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2199 print_delim(fp, del); 2200 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2201 print_delim(fp, del); 2202 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2203 print_delim(fp, del); 2204 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2205 print_delim(fp, del); 2206 print_ip_address(fp, tok->tt.ip.src); 2207 print_delim(fp, del); 2208 print_ip_address(fp, tok->tt.ip.dest); 2209 } 2210 } 2211 2212 /* 2213 * object ID type 1 byte 2214 * Object ID 4 bytes 2215 */ 2216 static int 2217 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2218 { 2219 int err = 0; 2220 2221 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2222 if (err) 2223 return (-1); 2224 2225 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2226 if (err) 2227 return (-1); 2228 2229 return (0); 2230 } 2231 2232 static void 2233 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2234 __unused char sfrm, int xml) 2235 { 2236 2237 print_tok_type(fp, tok->id, "IPC", raw, xml); 2238 if (xml) { 2239 open_attr(fp, "ipc-type"); 2240 print_ipctype(fp, tok->tt.ipc.type, raw); 2241 close_attr(fp); 2242 open_attr(fp, "ipc-id"); 2243 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2244 close_attr(fp); 2245 close_tag(fp, tok->id); 2246 } else { 2247 print_delim(fp, del); 2248 print_ipctype(fp, tok->tt.ipc.type, raw); 2249 print_delim(fp, del); 2250 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2251 } 2252 } 2253 2254 /* 2255 * owner user id 4 bytes 2256 * owner group id 4 bytes 2257 * creator user id 4 bytes 2258 * creator group id 4 bytes 2259 * access mode 4 bytes 2260 * slot seq 4 bytes 2261 * key 4 bytes 2262 */ 2263 static int 2264 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2265 { 2266 int err = 0; 2267 2268 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2269 if (err) 2270 return (-1); 2271 2272 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2273 if (err) 2274 return (-1); 2275 2276 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2277 if (err) 2278 return (-1); 2279 2280 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2281 if (err) 2282 return (-1); 2283 2284 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2285 if (err) 2286 return (-1); 2287 2288 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2289 if (err) 2290 return (-1); 2291 2292 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2293 if (err) 2294 return (-1); 2295 2296 return (0); 2297 } 2298 2299 static void 2300 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2301 __unused char sfrm, int xml) 2302 { 2303 2304 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2305 if (xml) { 2306 open_attr(fp, "uid"); 2307 print_user(fp, tok->tt.ipcperm.uid, raw); 2308 close_attr(fp); 2309 open_attr(fp, "gid"); 2310 print_group(fp, tok->tt.ipcperm.gid, raw); 2311 close_attr(fp); 2312 open_attr(fp, "creator-uid"); 2313 print_user(fp, tok->tt.ipcperm.puid, raw); 2314 close_attr(fp); 2315 open_attr(fp, "creator-gid"); 2316 print_group(fp, tok->tt.ipcperm.pgid, raw); 2317 close_attr(fp); 2318 open_attr(fp, "mode"); 2319 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2320 close_attr(fp); 2321 open_attr(fp, "seq"); 2322 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2323 close_attr(fp); 2324 open_attr(fp, "key"); 2325 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2326 close_attr(fp); 2327 close_tag(fp, tok->id); 2328 } else { 2329 print_delim(fp, del); 2330 print_user(fp, tok->tt.ipcperm.uid, raw); 2331 print_delim(fp, del); 2332 print_group(fp, tok->tt.ipcperm.gid, raw); 2333 print_delim(fp, del); 2334 print_user(fp, tok->tt.ipcperm.puid, raw); 2335 print_delim(fp, del); 2336 print_group(fp, tok->tt.ipcperm.pgid, raw); 2337 print_delim(fp, del); 2338 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2339 print_delim(fp, del); 2340 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2341 print_delim(fp, del); 2342 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2343 } 2344 } 2345 2346 /* 2347 * port Ip address 2 bytes 2348 */ 2349 static int 2350 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2351 { 2352 int err = 0; 2353 2354 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2355 tok->len, err); 2356 if (err) 2357 return (-1); 2358 2359 return (0); 2360 } 2361 2362 static void 2363 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2364 __unused char sfrm, int xml) 2365 { 2366 2367 print_tok_type(fp, tok->id, "ip port", raw, xml); 2368 if (xml) { 2369 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2370 close_tag(fp, tok->id); 2371 } else { 2372 print_delim(fp, del); 2373 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2374 } 2375 } 2376 2377 /* 2378 * size 2 bytes 2379 * data size bytes 2380 */ 2381 static int 2382 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2383 { 2384 int err = 0; 2385 2386 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2387 if (err) 2388 return (-1); 2389 2390 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2391 tok->len, err); 2392 if (err) 2393 return (-1); 2394 2395 return (0); 2396 } 2397 2398 static void 2399 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2400 __unused char sfrm, int xml) 2401 { 2402 2403 print_tok_type(fp, tok->id, "opaque", raw, xml); 2404 if (xml) { 2405 print_mem(fp, (u_char*)tok->tt.opaque.data, 2406 tok->tt.opaque.size); 2407 close_tag(fp, tok->id); 2408 } else { 2409 print_delim(fp, del); 2410 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2411 print_delim(fp, del); 2412 print_mem(fp, (u_char*)tok->tt.opaque.data, 2413 tok->tt.opaque.size); 2414 } 2415 } 2416 2417 /* 2418 * size 2 bytes 2419 * data size bytes 2420 */ 2421 static int 2422 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2423 { 2424 int err = 0; 2425 2426 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2427 if (err) 2428 return (-1); 2429 2430 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2431 err); 2432 if (err) 2433 return (-1); 2434 2435 return (0); 2436 } 2437 2438 static void 2439 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2440 __unused char sfrm, int xml) 2441 { 2442 2443 print_tok_type(fp, tok->id, "path", raw, xml); 2444 if (xml) { 2445 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2446 close_tag(fp, tok->id); 2447 } else { 2448 print_delim(fp, del); 2449 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2450 } 2451 } 2452 2453 /* 2454 * token ID 1 byte 2455 * audit ID 4 bytes 2456 * euid 4 bytes 2457 * egid 4 bytes 2458 * ruid 4 bytes 2459 * rgid 4 bytes 2460 * pid 4 bytes 2461 * sessid 4 bytes 2462 * terminal ID 2463 * portid 4 bytes 2464 * machine id 4 bytes 2465 */ 2466 static int 2467 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2468 { 2469 int err = 0; 2470 2471 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2472 if (err) 2473 return (-1); 2474 2475 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2476 if (err) 2477 return (-1); 2478 2479 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2480 if (err) 2481 return (-1); 2482 2483 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2484 if (err) 2485 return (-1); 2486 2487 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2488 if (err) 2489 return (-1); 2490 2491 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2492 if (err) 2493 return (-1); 2494 2495 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2496 if (err) 2497 return (-1); 2498 2499 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2500 if (err) 2501 return (-1); 2502 2503 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2504 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2505 if (err) 2506 return (-1); 2507 2508 return (0); 2509 } 2510 2511 static void 2512 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2513 __unused char sfrm, int xml) 2514 { 2515 2516 print_tok_type(fp, tok->id, "process", raw, xml); 2517 if (xml) { 2518 open_attr(fp, "audit-uid"); 2519 print_user(fp, tok->tt.proc32.auid, raw); 2520 close_attr(fp); 2521 open_attr(fp, "uid"); 2522 print_user(fp, tok->tt.proc32.euid, raw); 2523 close_attr(fp); 2524 open_attr(fp, "gid"); 2525 print_group(fp, tok->tt.proc32.egid, raw); 2526 close_attr(fp); 2527 open_attr(fp, "ruid"); 2528 print_user(fp, tok->tt.proc32.ruid, raw); 2529 close_attr(fp); 2530 open_attr(fp, "rgid"); 2531 print_group(fp, tok->tt.proc32.rgid, raw); 2532 close_attr(fp); 2533 open_attr(fp, "pid"); 2534 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2535 close_attr(fp); 2536 open_attr(fp, "sid"); 2537 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2538 close_attr(fp); 2539 open_attr(fp, "tid"); 2540 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2541 print_ip_address(fp, tok->tt.proc32.tid.addr); 2542 close_attr(fp); 2543 close_tag(fp, tok->id); 2544 } else { 2545 print_delim(fp, del); 2546 print_user(fp, tok->tt.proc32.auid, raw); 2547 print_delim(fp, del); 2548 print_user(fp, tok->tt.proc32.euid, raw); 2549 print_delim(fp, del); 2550 print_group(fp, tok->tt.proc32.egid, raw); 2551 print_delim(fp, del); 2552 print_user(fp, tok->tt.proc32.ruid, raw); 2553 print_delim(fp, del); 2554 print_group(fp, tok->tt.proc32.rgid, raw); 2555 print_delim(fp, del); 2556 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2557 print_delim(fp, del); 2558 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2559 print_delim(fp, del); 2560 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2561 print_delim(fp, del); 2562 print_ip_address(fp, tok->tt.proc32.tid.addr); 2563 } 2564 } 2565 2566 /* 2567 * token ID 1 byte 2568 * audit ID 4 bytes 2569 * euid 4 bytes 2570 * egid 4 bytes 2571 * ruid 4 bytes 2572 * rgid 4 bytes 2573 * pid 4 bytes 2574 * sessid 4 bytes 2575 * terminal ID 2576 * portid 8 bytes 2577 * machine id 4 bytes 2578 */ 2579 static int 2580 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2581 { 2582 int err = 0; 2583 2584 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2585 if (err) 2586 return (-1); 2587 2588 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2589 if (err) 2590 return (-1); 2591 2592 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2593 if (err) 2594 return (-1); 2595 2596 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2597 if (err) 2598 return (-1); 2599 2600 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2601 if (err) 2602 return (-1); 2603 2604 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2605 if (err) 2606 return (-1); 2607 2608 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2609 if (err) 2610 return (-1); 2611 2612 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2613 if (err) 2614 return (-1); 2615 2616 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2617 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2618 if (err) 2619 return (-1); 2620 2621 return (0); 2622 } 2623 2624 static void 2625 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2626 __unused char sfrm, int xml) 2627 { 2628 print_tok_type(fp, tok->id, "process", raw, xml); 2629 if (xml) { 2630 open_attr(fp, "audit-uid"); 2631 print_user(fp, tok->tt.proc64.auid, raw); 2632 close_attr(fp); 2633 open_attr(fp, "uid"); 2634 print_user(fp, tok->tt.proc64.euid, raw); 2635 close_attr(fp); 2636 open_attr(fp, "gid"); 2637 print_group(fp, tok->tt.proc64.egid, raw); 2638 close_attr(fp); 2639 open_attr(fp, "ruid"); 2640 print_user(fp, tok->tt.proc64.ruid, raw); 2641 close_attr(fp); 2642 open_attr(fp, "rgid"); 2643 print_group(fp, tok->tt.proc64.rgid, raw); 2644 close_attr(fp); 2645 open_attr(fp, "pid"); 2646 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2647 close_attr(fp); 2648 open_attr(fp, "sid"); 2649 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2650 close_attr(fp); 2651 open_attr(fp, "tid"); 2652 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2653 print_ip_address(fp, tok->tt.proc64.tid.addr); 2654 close_attr(fp); 2655 close_tag(fp, tok->id); 2656 } else { 2657 print_delim(fp, del); 2658 print_user(fp, tok->tt.proc64.auid, raw); 2659 print_delim(fp, del); 2660 print_user(fp, tok->tt.proc64.euid, raw); 2661 print_delim(fp, del); 2662 print_group(fp, tok->tt.proc64.egid, raw); 2663 print_delim(fp, del); 2664 print_user(fp, tok->tt.proc64.ruid, raw); 2665 print_delim(fp, del); 2666 print_group(fp, tok->tt.proc64.rgid, raw); 2667 print_delim(fp, del); 2668 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2669 print_delim(fp, del); 2670 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2671 print_delim(fp, del); 2672 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2673 print_delim(fp, del); 2674 print_ip_address(fp, tok->tt.proc64.tid.addr); 2675 } 2676 } 2677 2678 /* 2679 * token ID 1 byte 2680 * audit ID 4 bytes 2681 * effective user ID 4 bytes 2682 * effective group ID 4 bytes 2683 * real user ID 4 bytes 2684 * real group ID 4 bytes 2685 * process ID 4 bytes 2686 * session ID 4 bytes 2687 * terminal ID 2688 * port ID 4 bytes 2689 * address type-len 4 bytes 2690 * machine address 16 bytes 2691 */ 2692 static int 2693 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2694 { 2695 int err = 0; 2696 2697 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2698 if (err) 2699 return (-1); 2700 2701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2702 if (err) 2703 return (-1); 2704 2705 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2706 if (err) 2707 return (-1); 2708 2709 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2710 if (err) 2711 return (-1); 2712 2713 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2714 if (err) 2715 return (-1); 2716 2717 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2718 if (err) 2719 return (-1); 2720 2721 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2722 if (err) 2723 return (-1); 2724 2725 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2726 err); 2727 if (err) 2728 return (-1); 2729 2730 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2731 err); 2732 if (err) 2733 return (-1); 2734 2735 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2736 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2737 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2738 if (err) 2739 return (-1); 2740 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2741 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2742 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2743 if (err) 2744 return (-1); 2745 } else 2746 return (-1); 2747 2748 return (0); 2749 } 2750 2751 static void 2752 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2753 __unused char sfrm, int xml) 2754 { 2755 2756 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2757 if (xml) { 2758 open_attr(fp, "audit-uid"); 2759 print_user(fp, tok->tt.proc32_ex.auid, raw); 2760 close_attr(fp); 2761 open_attr(fp, "uid"); 2762 print_user(fp, tok->tt.proc32_ex.euid, raw); 2763 close_attr(fp); 2764 open_attr(fp, "gid"); 2765 print_group(fp, tok->tt.proc32_ex.egid, raw); 2766 close_attr(fp); 2767 open_attr(fp, "ruid"); 2768 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2769 close_attr(fp); 2770 open_attr(fp, "rgid"); 2771 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2772 close_attr(fp); 2773 open_attr(fp, "pid"); 2774 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2775 close_attr(fp); 2776 open_attr(fp, "sid"); 2777 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2778 close_attr(fp); 2779 open_attr(fp, "tid"); 2780 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2781 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2782 tok->tt.proc32_ex.tid.addr); 2783 close_attr(fp); 2784 close_tag(fp, tok->id); 2785 } else { 2786 print_delim(fp, del); 2787 print_user(fp, tok->tt.proc32_ex.auid, raw); 2788 print_delim(fp, del); 2789 print_user(fp, tok->tt.proc32_ex.euid, raw); 2790 print_delim(fp, del); 2791 print_group(fp, tok->tt.proc32_ex.egid, raw); 2792 print_delim(fp, del); 2793 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2794 print_delim(fp, del); 2795 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2796 print_delim(fp, del); 2797 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2798 print_delim(fp, del); 2799 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2800 print_delim(fp, del); 2801 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2802 print_delim(fp, del); 2803 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2804 tok->tt.proc32_ex.tid.addr); 2805 } 2806 } 2807 2808 /* 2809 * token ID 1 byte 2810 * audit ID 4 bytes 2811 * effective user ID 4 bytes 2812 * effective group ID 4 bytes 2813 * real user ID 4 bytes 2814 * real group ID 4 bytes 2815 * process ID 4 bytes 2816 * session ID 4 bytes 2817 * terminal ID 2818 * port ID 8 bytes 2819 * address type-len 4 bytes 2820 * machine address 16 bytes 2821 */ 2822 static int 2823 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2824 { 2825 int err = 0; 2826 2827 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2828 if (err) 2829 return (-1); 2830 2831 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2832 if (err) 2833 return (-1); 2834 2835 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2836 if (err) 2837 return (-1); 2838 2839 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2840 if (err) 2841 return (-1); 2842 2843 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2844 if (err) 2845 return (-1); 2846 2847 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2848 if (err) 2849 return (-1); 2850 2851 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2852 if (err) 2853 return (-1); 2854 2855 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2856 err); 2857 if (err) 2858 return (-1); 2859 2860 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2861 err); 2862 if (err) 2863 return (-1); 2864 2865 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2866 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2867 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2868 if (err) 2869 return (-1); 2870 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2871 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2872 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2873 if (err) 2874 return (-1); 2875 } else 2876 return (-1); 2877 2878 return (0); 2879 } 2880 2881 static void 2882 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2883 __unused char sfrm, int xml) 2884 { 2885 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2886 if (xml) { 2887 open_attr(fp, "audit-uid"); 2888 print_user(fp, tok->tt.proc64_ex.auid, raw); 2889 close_attr(fp); 2890 open_attr(fp, "uid"); 2891 print_user(fp, tok->tt.proc64_ex.euid, raw); 2892 close_attr(fp); 2893 open_attr(fp, "gid"); 2894 print_group(fp, tok->tt.proc64_ex.egid, raw); 2895 close_attr(fp); 2896 open_attr(fp, "ruid"); 2897 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2898 close_attr(fp); 2899 open_attr(fp, "rgid"); 2900 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2901 close_attr(fp); 2902 open_attr(fp, "pid"); 2903 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2904 close_attr(fp); 2905 open_attr(fp, "sid"); 2906 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2907 close_attr(fp); 2908 open_attr(fp, "tid"); 2909 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2910 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2911 tok->tt.proc64_ex.tid.addr); 2912 close_attr(fp); 2913 close_tag(fp, tok->id); 2914 } else { 2915 print_delim(fp, del); 2916 print_user(fp, tok->tt.proc64_ex.auid, raw); 2917 print_delim(fp, del); 2918 print_user(fp, tok->tt.proc64_ex.euid, raw); 2919 print_delim(fp, del); 2920 print_group(fp, tok->tt.proc64_ex.egid, raw); 2921 print_delim(fp, del); 2922 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2923 print_delim(fp, del); 2924 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2925 print_delim(fp, del); 2926 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2927 print_delim(fp, del); 2928 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2929 print_delim(fp, del); 2930 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2931 print_delim(fp, del); 2932 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2933 tok->tt.proc64_ex.tid.addr); 2934 } 2935 } 2936 2937 /* 2938 * errno 1 byte 2939 * return value 4 bytes 2940 */ 2941 static int 2942 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2943 { 2944 int err = 0; 2945 2946 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2947 if (err) 2948 return (-1); 2949 2950 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2951 if (err) 2952 return (-1); 2953 2954 return (0); 2955 } 2956 2957 static void 2958 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2959 __unused char sfrm, int xml) 2960 { 2961 2962 print_tok_type(fp, tok->id, "return", raw, xml); 2963 if (xml) { 2964 open_attr(fp ,"errval"); 2965 print_retval(fp, tok->tt.ret32.status, raw); 2966 close_attr(fp); 2967 open_attr(fp, "retval"); 2968 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2969 close_attr(fp); 2970 close_tag(fp, tok->id); 2971 } else { 2972 print_delim(fp, del); 2973 print_retval(fp, tok->tt.ret32.status, raw); 2974 print_delim(fp, del); 2975 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2976 } 2977 } 2978 2979 static int 2980 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2981 { 2982 int err = 0; 2983 2984 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2985 if (err) 2986 return (-1); 2987 2988 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 2989 if (err) 2990 return (-1); 2991 2992 return (0); 2993 } 2994 2995 static void 2996 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2997 __unused char sfrm, int xml) 2998 { 2999 3000 print_tok_type(fp, tok->id, "return", raw, xml); 3001 if (xml) { 3002 open_attr(fp, "errval"); 3003 print_retval(fp, tok->tt.ret64.err, raw); 3004 close_attr(fp); 3005 open_attr(fp, "retval"); 3006 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3007 close_attr(fp); 3008 close_tag(fp, tok->id); 3009 } else { 3010 print_delim(fp, del); 3011 print_retval(fp, tok->tt.ret64.err, raw); 3012 print_delim(fp, del); 3013 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3014 } 3015 } 3016 3017 /* 3018 * seq 4 bytes 3019 */ 3020 static int 3021 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3022 { 3023 int err = 0; 3024 3025 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3026 if (err) 3027 return (-1); 3028 3029 return (0); 3030 } 3031 3032 static void 3033 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3034 __unused char sfrm, int xml) 3035 { 3036 3037 print_tok_type(fp, tok->id, "sequence", raw, xml); 3038 if (xml) { 3039 open_attr(fp, "seq-num"); 3040 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3041 close_attr(fp); 3042 close_tag(fp, tok->id); 3043 } else { 3044 print_delim(fp, del); 3045 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3046 } 3047 } 3048 3049 /* 3050 * socket family 2 bytes 3051 * local port 2 bytes 3052 * socket address 4 bytes 3053 */ 3054 static int 3055 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3056 { 3057 int err = 0; 3058 3059 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3060 err); 3061 if (err) 3062 return (-1); 3063 3064 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3065 sizeof(uint16_t), tok->len, err); 3066 if (err) 3067 return (-1); 3068 3069 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3070 sizeof(tok->tt.sockinet32.addr), tok->len, err); 3071 if (err) 3072 return (-1); 3073 3074 return (0); 3075 } 3076 3077 static void 3078 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3079 __unused char sfrm, int xml) 3080 { 3081 3082 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3083 if (xml) { 3084 open_attr(fp, "type"); 3085 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3086 close_attr(fp); 3087 open_attr(fp, "port"); 3088 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3089 close_attr(fp); 3090 open_attr(fp, "addr"); 3091 print_ip_address(fp, tok->tt.sockinet32.addr); 3092 close_attr(fp); 3093 close_tag(fp, tok->id); 3094 } else { 3095 print_delim(fp, del); 3096 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3097 print_delim(fp, del); 3098 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3099 print_delim(fp, del); 3100 print_ip_address(fp, tok->tt.sockinet32.addr); 3101 } 3102 } 3103 3104 /* 3105 * socket family 2 bytes 3106 * path 104 bytes 3107 */ 3108 static int 3109 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3110 { 3111 int err = 0; 3112 3113 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3114 if (err) 3115 return (-1); 3116 3117 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3118 err); 3119 if (err) 3120 return (-1); 3121 3122 return (0); 3123 } 3124 3125 static void 3126 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3127 __unused char sfrm, int xml) 3128 { 3129 3130 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3131 if (xml) { 3132 open_attr(fp, "type"); 3133 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3134 close_attr(fp); 3135 open_attr(fp, "port"); 3136 close_attr(fp); 3137 open_attr(fp, "addr"); 3138 print_string(fp, tok->tt.sockunix.path, 3139 strlen(tok->tt.sockunix.path)); 3140 close_attr(fp); 3141 close_tag(fp, tok->id); 3142 } else { 3143 print_delim(fp, del); 3144 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3145 print_delim(fp, del); 3146 print_string(fp, tok->tt.sockunix.path, 3147 strlen(tok->tt.sockunix.path)); 3148 } 3149 } 3150 3151 /* 3152 * socket type 2 bytes 3153 * local port 2 bytes 3154 * local address 4 bytes 3155 * remote port 2 bytes 3156 * remote address 4 bytes 3157 */ 3158 static int 3159 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3160 { 3161 int err = 0; 3162 3163 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3164 if (err) 3165 return (-1); 3166 3167 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3168 tok->len, err); 3169 if (err) 3170 return (-1); 3171 3172 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3173 sizeof(tok->tt.socket.l_addr), tok->len, err); 3174 if (err) 3175 return (-1); 3176 3177 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3178 tok->len, err); 3179 if (err) 3180 return (-1); 3181 3182 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3183 sizeof(tok->tt.socket.r_addr), tok->len, err); 3184 if (err) 3185 return (-1); 3186 3187 return (0); 3188 } 3189 3190 static void 3191 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3192 __unused char sfrm, int xml) 3193 { 3194 3195 print_tok_type(fp, tok->id, "socket", raw, xml); 3196 if (xml) { 3197 open_attr(fp, "sock_type"); 3198 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3199 close_attr(fp); 3200 open_attr(fp, "lport"); 3201 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3202 close_attr(fp); 3203 open_attr(fp, "laddr"); 3204 print_ip_address(fp, tok->tt.socket.l_addr); 3205 close_attr(fp); 3206 open_attr(fp, "fport"); 3207 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3208 close_attr(fp); 3209 open_attr(fp, "faddr"); 3210 print_ip_address(fp, tok->tt.socket.r_addr); 3211 close_attr(fp); 3212 close_tag(fp, tok->id); 3213 } else { 3214 print_delim(fp, del); 3215 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3216 print_delim(fp, del); 3217 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3218 print_delim(fp, del); 3219 print_ip_address(fp, tok->tt.socket.l_addr); 3220 print_delim(fp, del); 3221 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3222 print_delim(fp, del); 3223 print_ip_address(fp, tok->tt.socket.r_addr); 3224 } 3225 } 3226 3227 /* 3228 * audit ID 4 bytes 3229 * euid 4 bytes 3230 * egid 4 bytes 3231 * ruid 4 bytes 3232 * rgid 4 bytes 3233 * pid 4 bytes 3234 * sessid 4 bytes 3235 * terminal ID 3236 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3237 * machine id 4 bytes 3238 */ 3239 static int 3240 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3241 { 3242 int err = 0; 3243 3244 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3245 if (err) 3246 return (-1); 3247 3248 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3249 if (err) 3250 return (-1); 3251 3252 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3253 if (err) 3254 return (-1); 3255 3256 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3257 if (err) 3258 return (-1); 3259 3260 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3261 if (err) 3262 return (-1); 3263 3264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3265 if (err) 3266 return (-1); 3267 3268 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3269 if (err) 3270 return (-1); 3271 3272 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3273 if (err) 3274 return (-1); 3275 3276 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3277 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3278 if (err) 3279 return (-1); 3280 3281 return (0); 3282 } 3283 3284 static void 3285 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3286 __unused char sfrm, int xml) 3287 { 3288 3289 print_tok_type(fp, tok->id, "subject", raw, xml); 3290 if (xml) { 3291 open_attr(fp, "audit-uid"); 3292 print_user(fp, tok->tt.subj32.auid, raw); 3293 close_attr(fp); 3294 open_attr(fp, "uid"); 3295 print_user(fp, tok->tt.subj32.euid, raw); 3296 close_attr(fp); 3297 open_attr(fp, "gid"); 3298 print_group(fp, tok->tt.subj32.egid, raw); 3299 close_attr(fp); 3300 open_attr(fp, "ruid"); 3301 print_user(fp, tok->tt.subj32.ruid, raw); 3302 close_attr(fp); 3303 open_attr(fp, "rgid"); 3304 print_group(fp, tok->tt.subj32.rgid, raw); 3305 close_attr(fp); 3306 open_attr(fp,"pid"); 3307 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3308 close_attr(fp); 3309 open_attr(fp,"sid"); 3310 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3311 close_attr(fp); 3312 open_attr(fp,"tid"); 3313 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3314 print_ip_address(fp, tok->tt.subj32.tid.addr); 3315 close_attr(fp); 3316 close_tag(fp, tok->id); 3317 } else { 3318 print_delim(fp, del); 3319 print_user(fp, tok->tt.subj32.auid, raw); 3320 print_delim(fp, del); 3321 print_user(fp, tok->tt.subj32.euid, raw); 3322 print_delim(fp, del); 3323 print_group(fp, tok->tt.subj32.egid, raw); 3324 print_delim(fp, del); 3325 print_user(fp, tok->tt.subj32.ruid, raw); 3326 print_delim(fp, del); 3327 print_group(fp, tok->tt.subj32.rgid, raw); 3328 print_delim(fp, del); 3329 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3330 print_delim(fp, del); 3331 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3332 print_delim(fp, del); 3333 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3334 print_delim(fp, del); 3335 print_ip_address(fp, tok->tt.subj32.tid.addr); 3336 } 3337 } 3338 3339 /* 3340 * audit ID 4 bytes 3341 * euid 4 bytes 3342 * egid 4 bytes 3343 * ruid 4 bytes 3344 * rgid 4 bytes 3345 * pid 4 bytes 3346 * sessid 4 bytes 3347 * terminal ID 3348 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3349 * machine id 4 bytes 3350 */ 3351 static int 3352 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3353 { 3354 int err = 0; 3355 3356 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3357 if (err) 3358 return (-1); 3359 3360 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3361 if (err) 3362 return (-1); 3363 3364 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3365 if (err) 3366 return (-1); 3367 3368 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3369 if (err) 3370 return (-1); 3371 3372 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3373 if (err) 3374 return (-1); 3375 3376 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3377 if (err) 3378 return (-1); 3379 3380 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3381 if (err) 3382 return (-1); 3383 3384 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3385 if (err) 3386 return (-1); 3387 3388 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3389 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3390 if (err) 3391 return (-1); 3392 3393 return (0); 3394 } 3395 3396 static void 3397 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3398 __unused char sfrm, int xml) 3399 { 3400 3401 print_tok_type(fp, tok->id, "subject", raw, xml); 3402 if (xml) { 3403 open_attr(fp, "audit-uid"); 3404 print_user(fp, tok->tt.subj64.auid, raw); 3405 close_attr(fp); 3406 open_attr(fp, "uid"); 3407 print_user(fp, tok->tt.subj64.euid, raw); 3408 close_attr(fp); 3409 open_attr(fp, "gid"); 3410 print_group(fp, tok->tt.subj64.egid, raw); 3411 close_attr(fp); 3412 open_attr(fp, "ruid"); 3413 print_user(fp, tok->tt.subj64.ruid, raw); 3414 close_attr(fp); 3415 open_attr(fp, "rgid"); 3416 print_group(fp, tok->tt.subj64.rgid, raw); 3417 close_attr(fp); 3418 open_attr(fp, "pid"); 3419 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3420 close_attr(fp); 3421 open_attr(fp, "sid"); 3422 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3423 close_attr(fp); 3424 open_attr(fp, "tid"); 3425 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3426 print_ip_address(fp, tok->tt.subj64.tid.addr); 3427 close_attr(fp); 3428 close_tag(fp, tok->id); 3429 } else { 3430 print_delim(fp, del); 3431 print_user(fp, tok->tt.subj64.auid, raw); 3432 print_delim(fp, del); 3433 print_user(fp, tok->tt.subj64.euid, raw); 3434 print_delim(fp, del); 3435 print_group(fp, tok->tt.subj64.egid, raw); 3436 print_delim(fp, del); 3437 print_user(fp, tok->tt.subj64.ruid, raw); 3438 print_delim(fp, del); 3439 print_group(fp, tok->tt.subj64.rgid, raw); 3440 print_delim(fp, del); 3441 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3442 print_delim(fp, del); 3443 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3444 print_delim(fp, del); 3445 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3446 print_delim(fp, del); 3447 print_ip_address(fp, tok->tt.subj64.tid.addr); 3448 } 3449 } 3450 3451 /* 3452 * audit ID 4 bytes 3453 * euid 4 bytes 3454 * egid 4 bytes 3455 * ruid 4 bytes 3456 * rgid 4 bytes 3457 * pid 4 bytes 3458 * sessid 4 bytes 3459 * terminal ID 3460 * portid 4 bytes 3461 * type 4 bytes 3462 * machine id 16 bytes 3463 */ 3464 static int 3465 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3466 { 3467 int err = 0; 3468 3469 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3470 if (err) 3471 return (-1); 3472 3473 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3474 if (err) 3475 return (-1); 3476 3477 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3478 if (err) 3479 return (-1); 3480 3481 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3482 if (err) 3483 return (-1); 3484 3485 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3486 if (err) 3487 return (-1); 3488 3489 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3490 if (err) 3491 return (-1); 3492 3493 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3494 if (err) 3495 return (-1); 3496 3497 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3498 err); 3499 if (err) 3500 return (-1); 3501 3502 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3503 err); 3504 if (err) 3505 return (-1); 3506 3507 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3508 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3509 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3510 if (err) 3511 return (-1); 3512 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3513 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3514 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3515 if (err) 3516 return (-1); 3517 } else 3518 return (-1); 3519 3520 return (0); 3521 } 3522 3523 static void 3524 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3525 __unused char sfrm, int xml) 3526 { 3527 3528 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3529 if (xml) { 3530 open_attr(fp, "audit-uid"); 3531 print_user(fp, tok->tt.subj32_ex.auid, raw); 3532 close_attr(fp); 3533 open_attr(fp, "uid"); 3534 print_user(fp, tok->tt.subj32_ex.euid, raw); 3535 close_attr(fp); 3536 open_attr(fp, "gid"); 3537 print_group(fp, tok->tt.subj32_ex.egid, raw); 3538 close_attr(fp); 3539 open_attr(fp, "ruid"); 3540 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3541 close_attr(fp); 3542 open_attr(fp, "rgid"); 3543 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3544 close_attr(fp); 3545 open_attr(fp, "pid"); 3546 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3547 close_attr(fp); 3548 open_attr(fp, "sid"); 3549 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3550 close_attr(fp); 3551 open_attr(fp, "tid"); 3552 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3553 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3554 tok->tt.subj32_ex.tid.addr); 3555 close_attr(fp); 3556 close_tag(fp, tok->id); 3557 } else { 3558 print_delim(fp, del); 3559 print_user(fp, tok->tt.subj32_ex.auid, raw); 3560 print_delim(fp, del); 3561 print_user(fp, tok->tt.subj32_ex.euid, raw); 3562 print_delim(fp, del); 3563 print_group(fp, tok->tt.subj32_ex.egid, raw); 3564 print_delim(fp, del); 3565 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3566 print_delim(fp, del); 3567 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3568 print_delim(fp, del); 3569 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3570 print_delim(fp, del); 3571 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3572 print_delim(fp, del); 3573 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3574 print_delim(fp, del); 3575 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3576 tok->tt.subj32_ex.tid.addr); 3577 } 3578 } 3579 3580 /* 3581 * audit ID 4 bytes 3582 * euid 4 bytes 3583 * egid 4 bytes 3584 * ruid 4 bytes 3585 * rgid 4 bytes 3586 * pid 4 bytes 3587 * sessid 4 bytes 3588 * terminal ID 3589 * portid 8 bytes 3590 * type 4 bytes 3591 * machine id 16 bytes 3592 */ 3593 static int 3594 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3595 { 3596 int err = 0; 3597 3598 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3599 if (err) 3600 return (-1); 3601 3602 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3603 if (err) 3604 return (-1); 3605 3606 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3607 if (err) 3608 return (-1); 3609 3610 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3611 if (err) 3612 return (-1); 3613 3614 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3615 if (err) 3616 return (-1); 3617 3618 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3619 if (err) 3620 return (-1); 3621 3622 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3623 if (err) 3624 return (-1); 3625 3626 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3627 err); 3628 if (err) 3629 return (-1); 3630 3631 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3632 err); 3633 if (err) 3634 return (-1); 3635 3636 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3637 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3638 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3639 if (err) 3640 return (-1); 3641 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3642 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3643 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3644 if (err) 3645 return (-1); 3646 } else 3647 return (-1); 3648 3649 return (0); 3650 } 3651 3652 static void 3653 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3654 __unused char sfrm, int xml) 3655 { 3656 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3657 if (xml) { 3658 open_attr(fp, "audit-uid"); 3659 print_user(fp, tok->tt.subj64_ex.auid, raw); 3660 close_attr(fp); 3661 open_attr(fp, "uid"); 3662 print_user(fp, tok->tt.subj64_ex.euid, raw); 3663 close_attr(fp); 3664 open_attr(fp, "gid"); 3665 print_group(fp, tok->tt.subj64_ex.egid, raw); 3666 close_attr(fp); 3667 open_attr(fp, "ruid"); 3668 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3669 close_attr(fp); 3670 open_attr(fp, "rgid"); 3671 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3672 close_attr(fp); 3673 open_attr(fp, "pid"); 3674 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3675 close_attr(fp); 3676 open_attr(fp, "sid"); 3677 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3678 close_attr(fp); 3679 open_attr(fp, "tid"); 3680 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3681 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3682 tok->tt.subj64_ex.tid.addr); 3683 close_attr(fp); 3684 close_tag(fp, tok->id); 3685 } else { 3686 print_delim(fp, del); 3687 print_user(fp, tok->tt.subj64_ex.auid, raw); 3688 print_delim(fp, del); 3689 print_user(fp, tok->tt.subj64_ex.euid, raw); 3690 print_delim(fp, del); 3691 print_group(fp, tok->tt.subj64_ex.egid, raw); 3692 print_delim(fp, del); 3693 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3694 print_delim(fp, del); 3695 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3696 print_delim(fp, del); 3697 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3698 print_delim(fp, del); 3699 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3700 print_delim(fp, del); 3701 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3702 print_delim(fp, del); 3703 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3704 tok->tt.subj64_ex.tid.addr); 3705 } 3706 } 3707 3708 /* 3709 * size 2 bytes 3710 * data size bytes 3711 */ 3712 static int 3713 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3714 { 3715 int err = 0; 3716 3717 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3718 if (err) 3719 return (-1); 3720 3721 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3722 err); 3723 if (err) 3724 return (-1); 3725 3726 return (0); 3727 } 3728 3729 static void 3730 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3731 __unused char sfrm, int xml) 3732 { 3733 3734 print_tok_type(fp, tok->id, "text", raw, xml); 3735 if (xml) { 3736 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3737 close_tag(fp, tok->id); 3738 } else { 3739 print_delim(fp, del); 3740 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3741 } 3742 } 3743 3744 /* 3745 * socket type 2 bytes 3746 * local port 2 bytes 3747 * address type/length 4 bytes 3748 * local Internet address 4 bytes 3749 * remote port 4 bytes 3750 * address type/length 4 bytes 3751 * remote Internet address 4 bytes 3752 */ 3753 static int 3754 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3755 { 3756 int err = 0; 3757 3758 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3759 err); 3760 if (err) 3761 return (-1); 3762 3763 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3764 sizeof(uint16_t), tok->len, err); 3765 if (err) 3766 return (-1); 3767 3768 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 3769 err); 3770 if (err) 3771 return (-1); 3772 3773 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3774 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3775 if (err) 3776 return (-1); 3777 3778 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3779 sizeof(uint16_t), tok->len, err); 3780 if (err) 3781 return (-1); 3782 3783 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 3784 err); 3785 if (err) 3786 return (-1); 3787 3788 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3789 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3790 if (err) 3791 return (-1); 3792 3793 return (0); 3794 } 3795 3796 static void 3797 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3798 __unused char sfrm, int xml) 3799 { 3800 3801 print_tok_type(fp, tok->id, "socket", raw, xml); 3802 if (xml) { 3803 open_attr(fp, "sock_type"); 3804 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3805 close_attr(fp); 3806 open_attr(fp, "lport"); 3807 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3808 close_attr(fp); 3809 open_attr(fp, "laddr"); 3810 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3811 close_attr(fp); 3812 open_attr(fp, "faddr"); 3813 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3814 close_attr(fp); 3815 open_attr(fp, "fport"); 3816 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3817 close_attr(fp); 3818 close_tag(fp, tok->id); 3819 } else { 3820 print_delim(fp, del); 3821 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3822 print_delim(fp, del); 3823 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3824 print_delim(fp, del); 3825 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3826 print_delim(fp, del); 3827 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3828 print_delim(fp, del); 3829 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3830 } 3831 } 3832 3833 static int 3834 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3835 { 3836 int err = 0; 3837 int recoversize; 3838 3839 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3840 if (recoversize <= 0) 3841 return (-1); 3842 3843 tok->tt.invalid.length = recoversize; 3844 3845 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3846 err); 3847 if (err) 3848 return (-1); 3849 3850 return (0); 3851 } 3852 3853 static void 3854 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3855 __unused char sfrm, int xml) 3856 { 3857 3858 if (!xml) { 3859 print_tok_type(fp, tok->id, "unknown", raw, 0); 3860 print_delim(fp, del); 3861 print_mem(fp, (u_char*)tok->tt.invalid.data, 3862 tok->tt.invalid.length); 3863 } 3864 } 3865 3866 3867 /* 3868 * size 2 bytes; 3869 * zonename size bytes; 3870 */ 3871 static int 3872 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3873 { 3874 int err = 0; 3875 3876 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3877 if (err) 3878 return (-1); 3879 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3880 tok->len, err); 3881 if (err) 3882 return (-1); 3883 return (0); 3884 } 3885 3886 static void 3887 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3888 __unused char sfrm, int xml) 3889 { 3890 3891 print_tok_type(fp, tok->id, "zone", raw, xml); 3892 if (xml) { 3893 open_attr(fp, "name"); 3894 print_string(fp, tok->tt.zonename.zonename, 3895 tok->tt.zonename.len); 3896 close_attr(fp); 3897 close_tag(fp, tok->id); 3898 } else { 3899 print_delim(fp, del); 3900 print_string(fp, tok->tt.zonename.zonename, 3901 tok->tt.zonename.len); 3902 } 3903 } 3904 3905 /* 3906 * Reads the token beginning at buf into tok. 3907 */ 3908 int 3909 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3910 { 3911 3912 if (len <= 0) 3913 return (-1); 3914 3915 tok->len = 1; 3916 tok->data = buf; 3917 tok->id = *buf; 3918 3919 switch(tok->id) { 3920 case AUT_HEADER32: 3921 return (fetch_header32_tok(tok, buf, len)); 3922 3923 case AUT_HEADER32_EX: 3924 return (fetch_header32_ex_tok(tok, buf, len)); 3925 3926 case AUT_HEADER64: 3927 return (fetch_header64_tok(tok, buf, len)); 3928 3929 case AUT_HEADER64_EX: 3930 return (fetch_header64_ex_tok(tok, buf, len)); 3931 3932 case AUT_TRAILER: 3933 return (fetch_trailer_tok(tok, buf, len)); 3934 3935 case AUT_ARG32: 3936 return (fetch_arg32_tok(tok, buf, len)); 3937 3938 case AUT_ARG64: 3939 return (fetch_arg64_tok(tok, buf, len)); 3940 3941 case AUT_ATTR32: 3942 return (fetch_attr32_tok(tok, buf, len)); 3943 3944 case AUT_ATTR64: 3945 return (fetch_attr64_tok(tok, buf, len)); 3946 3947 case AUT_EXIT: 3948 return (fetch_exit_tok(tok, buf, len)); 3949 3950 case AUT_EXEC_ARGS: 3951 return (fetch_execarg_tok(tok, buf, len)); 3952 3953 case AUT_EXEC_ENV: 3954 return (fetch_execenv_tok(tok, buf, len)); 3955 3956 case AUT_OTHER_FILE32: 3957 return (fetch_file_tok(tok, buf, len)); 3958 3959 case AUT_NEWGROUPS: 3960 return (fetch_newgroups_tok(tok, buf, len)); 3961 3962 case AUT_IN_ADDR: 3963 return (fetch_inaddr_tok(tok, buf, len)); 3964 3965 case AUT_IN_ADDR_EX: 3966 return (fetch_inaddr_ex_tok(tok, buf, len)); 3967 3968 case AUT_IP: 3969 return (fetch_ip_tok(tok, buf, len)); 3970 3971 case AUT_IPC: 3972 return (fetch_ipc_tok(tok, buf, len)); 3973 3974 case AUT_IPC_PERM: 3975 return (fetch_ipcperm_tok(tok, buf, len)); 3976 3977 case AUT_IPORT: 3978 return (fetch_iport_tok(tok, buf, len)); 3979 3980 case AUT_OPAQUE: 3981 return (fetch_opaque_tok(tok, buf, len)); 3982 3983 case AUT_PATH: 3984 return (fetch_path_tok(tok, buf, len)); 3985 3986 case AUT_PROCESS32: 3987 return (fetch_process32_tok(tok, buf, len)); 3988 3989 case AUT_PROCESS32_EX: 3990 return (fetch_process32ex_tok(tok, buf, len)); 3991 3992 case AUT_PROCESS64: 3993 return (fetch_process64_tok(tok, buf, len)); 3994 3995 case AUT_PROCESS64_EX: 3996 return (fetch_process64ex_tok(tok, buf, len)); 3997 3998 case AUT_RETURN32: 3999 return (fetch_return32_tok(tok, buf, len)); 4000 4001 case AUT_RETURN64: 4002 return (fetch_return64_tok(tok, buf, len)); 4003 4004 case AUT_SEQ: 4005 return (fetch_seq_tok(tok, buf, len)); 4006 4007 case AUT_SOCKET: 4008 return (fetch_socket_tok(tok, buf, len)); 4009 4010 case AUT_SOCKINET32: 4011 return (fetch_sock_inet32_tok(tok, buf, len)); 4012 4013 case AUT_SOCKUNIX: 4014 return (fetch_sock_unix_tok(tok, buf, len)); 4015 4016 case AUT_SUBJECT32: 4017 return (fetch_subject32_tok(tok, buf, len)); 4018 4019 case AUT_SUBJECT32_EX: 4020 return (fetch_subject32ex_tok(tok, buf, len)); 4021 4022 case AUT_SUBJECT64: 4023 return (fetch_subject64_tok(tok, buf, len)); 4024 4025 case AUT_SUBJECT64_EX: 4026 return (fetch_subject64ex_tok(tok, buf, len)); 4027 4028 case AUT_TEXT: 4029 return (fetch_text_tok(tok, buf, len)); 4030 4031 case AUT_SOCKET_EX: 4032 return (fetch_socketex32_tok(tok, buf, len)); 4033 4034 case AUT_DATA: 4035 return (fetch_arb_tok(tok, buf, len)); 4036 4037 case AUT_ZONENAME: 4038 return (fetch_zonename_tok(tok, buf, len)); 4039 4040 default: 4041 return (fetch_invalid_tok(tok, buf, len)); 4042 } 4043 } 4044 4045 /* 4046 * 'prints' the token out to outfp. 4047 */ 4048 void 4049 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4050 { 4051 4052 switch(tok->id) { 4053 case AUT_HEADER32: 4054 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4055 return; 4056 4057 case AUT_HEADER32_EX: 4058 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4059 return; 4060 4061 case AUT_HEADER64: 4062 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4063 return; 4064 4065 case AUT_HEADER64_EX: 4066 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4067 return; 4068 4069 case AUT_TRAILER: 4070 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4071 return; 4072 4073 case AUT_ARG32: 4074 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4075 return; 4076 4077 case AUT_ARG64: 4078 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4079 return; 4080 4081 case AUT_DATA: 4082 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4083 return; 4084 4085 case AUT_ATTR32: 4086 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4087 return; 4088 4089 case AUT_ATTR64: 4090 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4091 return; 4092 4093 case AUT_EXIT: 4094 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4095 return; 4096 4097 case AUT_EXEC_ARGS: 4098 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4099 return; 4100 4101 case AUT_EXEC_ENV: 4102 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4103 return; 4104 4105 case AUT_OTHER_FILE32: 4106 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4107 return; 4108 4109 case AUT_NEWGROUPS: 4110 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4111 return; 4112 4113 case AUT_IN_ADDR: 4114 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4115 return; 4116 4117 case AUT_IN_ADDR_EX: 4118 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4119 return; 4120 4121 case AUT_IP: 4122 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4123 return; 4124 4125 case AUT_IPC: 4126 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4127 return; 4128 4129 case AUT_IPC_PERM: 4130 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4131 return; 4132 4133 case AUT_IPORT: 4134 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4135 return; 4136 4137 case AUT_OPAQUE: 4138 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4139 return; 4140 4141 case AUT_PATH: 4142 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4143 return; 4144 4145 case AUT_PROCESS32: 4146 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4147 return; 4148 4149 case AUT_PROCESS32_EX: 4150 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4151 return; 4152 4153 case AUT_PROCESS64: 4154 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4155 return; 4156 4157 case AUT_PROCESS64_EX: 4158 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4159 return; 4160 4161 case AUT_RETURN32: 4162 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4163 return; 4164 4165 case AUT_RETURN64: 4166 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4167 return; 4168 4169 case AUT_SEQ: 4170 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4171 return; 4172 4173 case AUT_SOCKET: 4174 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4175 return; 4176 4177 case AUT_SOCKINET32: 4178 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4179 return; 4180 4181 case AUT_SOCKUNIX: 4182 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4183 return; 4184 4185 case AUT_SUBJECT32: 4186 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4187 return; 4188 4189 case AUT_SUBJECT64: 4190 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4191 return; 4192 4193 case AUT_SUBJECT32_EX: 4194 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4195 return; 4196 4197 case AUT_SUBJECT64_EX: 4198 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4199 return; 4200 4201 case AUT_TEXT: 4202 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4203 return; 4204 4205 case AUT_SOCKET_EX: 4206 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4207 return; 4208 4209 case AUT_ZONENAME: 4210 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4211 return; 4212 4213 default: 4214 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4215 } 4216 } 4217 4218 /* 4219 * 'prints' the token out to outfp in XML format. 4220 */ 4221 void 4222 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4223 char sfrm) 4224 { 4225 4226 switch(tok->id) { 4227 case AUT_HEADER32: 4228 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4229 return; 4230 4231 case AUT_HEADER32_EX: 4232 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4233 return; 4234 4235 case AUT_HEADER64: 4236 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4237 return; 4238 4239 case AUT_HEADER64_EX: 4240 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4241 return; 4242 4243 case AUT_TRAILER: 4244 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4245 return; 4246 4247 case AUT_ARG32: 4248 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4249 return; 4250 4251 case AUT_ARG64: 4252 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4253 return; 4254 4255 case AUT_DATA: 4256 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4257 return; 4258 4259 case AUT_ATTR32: 4260 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4261 return; 4262 4263 case AUT_ATTR64: 4264 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4265 return; 4266 4267 case AUT_EXIT: 4268 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4269 return; 4270 4271 case AUT_EXEC_ARGS: 4272 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4273 return; 4274 4275 case AUT_EXEC_ENV: 4276 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4277 return; 4278 4279 case AUT_OTHER_FILE32: 4280 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4281 return; 4282 4283 case AUT_NEWGROUPS: 4284 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4285 return; 4286 4287 case AUT_IN_ADDR: 4288 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4289 return; 4290 4291 case AUT_IN_ADDR_EX: 4292 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4293 return; 4294 4295 case AUT_IP: 4296 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4297 return; 4298 4299 case AUT_IPC: 4300 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4301 return; 4302 4303 case AUT_IPC_PERM: 4304 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4305 return; 4306 4307 case AUT_IPORT: 4308 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4309 return; 4310 4311 case AUT_OPAQUE: 4312 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4313 return; 4314 4315 case AUT_PATH: 4316 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4317 return; 4318 4319 case AUT_PROCESS32: 4320 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4321 return; 4322 4323 case AUT_PROCESS32_EX: 4324 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4325 return; 4326 4327 case AUT_PROCESS64: 4328 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4329 return; 4330 4331 case AUT_PROCESS64_EX: 4332 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4333 return; 4334 4335 case AUT_RETURN32: 4336 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4337 return; 4338 4339 case AUT_RETURN64: 4340 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4341 return; 4342 4343 case AUT_SEQ: 4344 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4345 return; 4346 4347 case AUT_SOCKET: 4348 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4349 return; 4350 4351 case AUT_SOCKINET32: 4352 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4353 return; 4354 4355 case AUT_SOCKUNIX: 4356 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4357 return; 4358 4359 case AUT_SUBJECT32: 4360 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4361 return; 4362 4363 case AUT_SUBJECT64: 4364 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4365 return; 4366 4367 case AUT_SUBJECT32_EX: 4368 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4369 return; 4370 4371 case AUT_SUBJECT64_EX: 4372 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4373 return; 4374 4375 case AUT_TEXT: 4376 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4377 return; 4378 4379 case AUT_SOCKET_EX: 4380 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4381 return; 4382 4383 case AUT_ZONENAME: 4384 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4385 return; 4386 4387 default: 4388 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4389 } 4390 } 4391 4392 /* 4393 * Read a record from the file pointer, store data in buf memory for buf is 4394 * also allocated in this function and has to be free'd outside this call. 4395 * 4396 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4397 * complete audit record. 4398 * 4399 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4400 * state, because it will be partly offset into a record. We should rewind 4401 * or do something more intelligent. Particularly interesting is the case 4402 * where we perform a partial read of a record from a non-blockable file 4403 * descriptor. We should return the partial read and continue...? 4404 */ 4405 int 4406 au_read_rec(FILE *fp, u_char **buf) 4407 { 4408 u_char *bptr; 4409 u_int32_t recsize; 4410 u_int32_t bytestoread; 4411 u_char type; 4412 4413 u_int32_t sec, msec; 4414 u_int16_t filenamelen; 4415 4416 type = fgetc(fp); 4417 4418 switch (type) { 4419 case AUT_HEADER32: 4420 case AUT_HEADER32_EX: 4421 case AUT_HEADER64: 4422 case AUT_HEADER64_EX: 4423 /* read the record size from the token */ 4424 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4425 sizeof(u_int32_t)) { 4426 errno = EINVAL; 4427 return (-1); 4428 } 4429 recsize = be32toh(recsize); 4430 4431 /* Check for recsize sanity */ 4432 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4433 errno = EINVAL; 4434 return (-1); 4435 } 4436 4437 *buf = malloc(recsize * sizeof(u_char)); 4438 if (*buf == NULL) 4439 return (-1); 4440 bptr = *buf; 4441 memset(bptr, 0, recsize); 4442 4443 /* store the token contents already read, back to the buffer*/ 4444 *bptr = type; 4445 bptr++; 4446 be32enc(bptr, recsize); 4447 bptr += sizeof(u_int32_t); 4448 4449 /* now read remaining record bytes */ 4450 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4451 4452 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4453 free(*buf); 4454 errno = EINVAL; 4455 return (-1); 4456 } 4457 break; 4458 4459 case AUT_OTHER_FILE32: 4460 /* 4461 * The file token is variable-length, as it includes a 4462 * pathname. As a result, we have to read incrementally 4463 * until we know the total length, then allocate space and 4464 * read the rest. 4465 */ 4466 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4467 errno = EINVAL; 4468 return (-1); 4469 } 4470 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4471 errno = EINVAL; 4472 return (-1); 4473 } 4474 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4475 sizeof(filenamelen)) { 4476 errno = EINVAL; 4477 return (-1); 4478 } 4479 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4480 sizeof(filenamelen) + ntohs(filenamelen); 4481 *buf = malloc(recsize); 4482 if (*buf == NULL) 4483 return (-1); 4484 bptr = *buf; 4485 4486 bcopy(&type, bptr, sizeof(type)); 4487 bptr += sizeof(type); 4488 bcopy(&sec, bptr, sizeof(sec)); 4489 bptr += sizeof(sec); 4490 bcopy(&msec, bptr, sizeof(msec)); 4491 bptr += sizeof(msec); 4492 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4493 bptr += sizeof(filenamelen); 4494 4495 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4496 ntohs(filenamelen)) { 4497 free(buf); 4498 errno = EINVAL; 4499 return (-1); 4500 } 4501 break; 4502 4503 default: 4504 errno = EINVAL; 4505 return (-1); 4506 } 4507 4508 return (recsize); 4509 } 4510