1 /*- 2 * Copyright (c) 2004-2008 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#63 $ 36 */ 37 38 #include <sys/types.h> 39 40 #include <config/config.h> 41 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC) 42 #include <sys/endian.h> 43 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 44 #ifdef HAVE_MACHINE_ENDIAN_H 45 #include <machine/endian.h> 46 #else /* !HAVE_MACHINE_ENDIAN_H */ 47 #ifdef HAVE_ENDIAN_H 48 #include <endian.h> 49 #else /* !HAVE_ENDIAN_H */ 50 #error "No supported endian.h" 51 #endif /* !HAVE_ENDIAN_H */ 52 #endif /* !HAVE_MACHINE_ENDIAN_H */ 53 #include <compat/endian.h> 54 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 55 #ifdef HAVE_FULL_QUEUE_H 56 #include <sys/queue.h> 57 #else /* !HAVE_FULL_QUEUE_H */ 58 #include <compat/queue.h> 59 #endif /* !HAVE_FULL_QUEUE_H */ 60 61 #include <sys/stat.h> 62 #include <sys/socket.h> 63 64 #include <bsm/libbsm.h> 65 66 #include <unistd.h> 67 #include <netinet/in.h> 68 #include <arpa/inet.h> 69 #include <errno.h> 70 #include <time.h> 71 #include <stdlib.h> 72 #include <stdio.h> 73 #include <string.h> 74 #include <pwd.h> 75 #include <grp.h> 76 77 #include <bsm/audit_internal.h> 78 79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81 (err) = 1; \ 82 } else { \ 83 memcpy((dest), (buf) + (bytesread), (size)); \ 84 bytesread += size; \ 85 } \ 86 } while (0) 87 88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90 (dest) = buf[(bytesread)]; \ 91 (bytesread) += sizeof(u_char); \ 92 } else \ 93 (err) = 1; \ 94 } while (0) 95 96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98 (dest) = be16dec((buf) + (bytesread)); \ 99 (bytesread) += sizeof(u_int16_t); \ 100 } else \ 101 (err) = 1; \ 102 } while (0) 103 104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106 (dest) = be32dec((buf) + (bytesread)); \ 107 (bytesread) += sizeof(u_int32_t); \ 108 } else \ 109 (err) = 1; \ 110 } while (0) 111 112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114 dest = be64dec((buf) + (bytesread)); \ 115 (bytesread) += sizeof(u_int64_t); \ 116 } else \ 117 (err) = 1; \ 118 } while (0) 119 120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (u_int32_t)(len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127 } while (0) 128 129 /* 130 * XML option. 131 */ 132 #define AU_PLAIN 0 133 #define AU_XML 1 134 135 /* 136 * Prints the delimiter string. 137 */ 138 static void 139 print_delim(FILE *fp, const char *del) 140 { 141 142 fprintf(fp, "%s", del); 143 } 144 145 /* 146 * Prints a single byte in the given format. 147 */ 148 static void 149 print_1_byte(FILE *fp, u_char val, const char *format) 150 { 151 152 fprintf(fp, format, val); 153 } 154 155 /* 156 * Print 2 bytes in the given format. 157 */ 158 static void 159 print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160 { 161 162 fprintf(fp, format, val); 163 } 164 165 /* 166 * Prints 4 bytes in the given format. 167 */ 168 static void 169 print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170 { 171 172 fprintf(fp, format, val); 173 } 174 175 /* 176 * Prints 8 bytes in the given format. 177 */ 178 static void 179 print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180 { 181 182 fprintf(fp, format, val); 183 } 184 185 /* 186 * Prints the given size of data bytes in hex. 187 */ 188 static void 189 print_mem(FILE *fp, u_char *data, size_t len) 190 { 191 u_int32_t i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%02x", data[i]); 197 } 198 } 199 200 /* 201 * Prints the given data bytes as a string. 202 */ 203 static void 204 print_string(FILE *fp, const char *str, size_t len) 205 { 206 u_int32_t i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214 } 215 216 /* 217 * Prints the beggining of attribute. 218 */ 219 static void 220 open_attr(FILE *fp, const char *str) 221 { 222 223 fprintf(fp,"%s=\"", str); 224 } 225 226 /* 227 * Prints the end of attribute. 228 */ 229 static void 230 close_attr(FILE *fp) 231 { 232 233 fprintf(fp,"\" "); 234 } 235 236 /* 237 * Prints the end of tag. 238 */ 239 static void 240 close_tag(FILE *fp, u_char type) 241 { 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SOCKINET128: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT32: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT64: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT32_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_SUBJECT64_EX: 385 fprintf(fp, "/>"); 386 break; 387 388 case AUT_TEXT: 389 fprintf(fp, "</text>"); 390 break; 391 392 case AUT_SOCKET_EX: 393 fprintf(fp, "/>"); 394 break; 395 396 case AUT_DATA: 397 fprintf(fp, "</arbitrary>"); 398 break; 399 400 case AUT_ZONENAME: 401 fprintf(fp, "/>"); 402 break; 403 } 404 } 405 406 /* 407 * Prints the token type in either the raw or the default form. 408 */ 409 static void 410 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 411 { 412 413 if (xml) { 414 switch(type) { 415 case AUT_HEADER32: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER32_EX: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_HEADER64_EX: 428 fprintf(fp, "<record "); 429 break; 430 431 case AUT_TRAILER: 432 fprintf(fp, "</record>"); 433 break; 434 435 case AUT_ARG32: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ARG64: 440 fprintf(fp, "<argument "); 441 break; 442 443 case AUT_ATTR32: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_ATTR64: 448 fprintf(fp, "<attribute "); 449 break; 450 451 case AUT_EXIT: 452 fprintf(fp, "<exit "); 453 break; 454 455 case AUT_EXEC_ARGS: 456 fprintf(fp, "<exec_args>"); 457 break; 458 459 case AUT_EXEC_ENV: 460 fprintf(fp, "<exec_env>"); 461 break; 462 463 case AUT_OTHER_FILE32: 464 fprintf(fp, "<file "); 465 break; 466 467 case AUT_NEWGROUPS: 468 fprintf(fp, "<group>"); 469 break; 470 471 case AUT_IN_ADDR: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IN_ADDR_EX: 476 fprintf(fp, "<ip_address>"); 477 break; 478 479 case AUT_IP: 480 fprintf(fp, "<ip "); 481 break; 482 483 case AUT_IPC: 484 fprintf(fp, "<IPC"); 485 break; 486 487 case AUT_IPC_PERM: 488 fprintf(fp, "<IPC_perm "); 489 break; 490 491 case AUT_IPORT: 492 fprintf(fp, "<ip_port>"); 493 break; 494 495 case AUT_OPAQUE: 496 fprintf(fp, "<opaque>"); 497 break; 498 499 case AUT_PATH: 500 fprintf(fp, "<path>"); 501 break; 502 503 case AUT_PROCESS32: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS32_EX: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_PROCESS64_EX: 516 fprintf(fp, "<process "); 517 break; 518 519 case AUT_RETURN32: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_RETURN64: 524 fprintf(fp, "<return "); 525 break; 526 527 case AUT_SEQ: 528 fprintf(fp, "<sequence "); 529 break; 530 531 case AUT_SOCKET: 532 fprintf(fp, "<socket "); 533 break; 534 535 case AUT_SOCKINET32: 536 fprintf(fp, "<socket-inet "); 537 break; 538 539 case AUT_SOCKUNIX: 540 fprintf(fp, "<socket-unix "); 541 break; 542 543 case AUT_SOCKINET128: 544 fprintf(fp, "<socket-inet6 "); 545 546 case AUT_SUBJECT32: 547 fprintf(fp, "<subject "); 548 break; 549 550 case AUT_SUBJECT64: 551 fprintf(fp, "<subject "); 552 break; 553 554 case AUT_SUBJECT32_EX: 555 fprintf(fp, "<subject "); 556 break; 557 558 case AUT_SUBJECT64_EX: 559 fprintf(fp, "<subject "); 560 break; 561 562 case AUT_TEXT: 563 fprintf(fp, "<text>"); 564 break; 565 566 case AUT_SOCKET_EX: 567 fprintf(fp, "<socket "); 568 break; 569 570 case AUT_DATA: 571 fprintf(fp, "<arbitrary "); 572 break; 573 574 case AUT_ZONENAME: 575 fprintf(fp, "<zone "); 576 break; 577 } 578 } else { 579 if (raw) 580 fprintf(fp, "%u", type); 581 else 582 fprintf(fp, "%s", tokname); 583 } 584 } 585 586 /* 587 * Prints a user value. 588 */ 589 static void 590 print_user(FILE *fp, u_int32_t usr, char raw) 591 { 592 struct passwd *pwent; 593 594 if (raw) 595 fprintf(fp, "%d", usr); 596 else { 597 pwent = getpwuid(usr); 598 if (pwent != NULL) 599 fprintf(fp, "%s", pwent->pw_name); 600 else 601 fprintf(fp, "%d", usr); 602 } 603 } 604 605 /* 606 * Prints a group value. 607 */ 608 static void 609 print_group(FILE *fp, u_int32_t grp, char raw) 610 { 611 struct group *grpent; 612 613 if (raw) 614 fprintf(fp, "%d", grp); 615 else { 616 grpent = getgrgid(grp); 617 if (grpent != NULL) 618 fprintf(fp, "%s", grpent->gr_name); 619 else 620 fprintf(fp, "%d", grp); 621 } 622 } 623 624 /* 625 * Prints the event from the header token in either the short, default or raw 626 * form. 627 */ 628 static void 629 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 630 { 631 char event_ent_name[AU_EVENT_NAME_MAX]; 632 char event_ent_desc[AU_EVENT_DESC_MAX]; 633 struct au_event_ent e, *ep; 634 635 bzero(&e, sizeof(e)); 636 bzero(event_ent_name, sizeof(event_ent_name)); 637 bzero(event_ent_desc, sizeof(event_ent_desc)); 638 e.ae_name = event_ent_name; 639 e.ae_desc = event_ent_desc; 640 641 ep = getauevnum_r(&e, ev); 642 if (ep == NULL) { 643 fprintf(fp, "%u", ev); 644 return; 645 } 646 647 if (raw) 648 fprintf(fp, "%u", ev); 649 else if (sfrm) 650 fprintf(fp, "%s", e.ae_name); 651 else 652 fprintf(fp, "%s", e.ae_desc); 653 } 654 655 656 /* 657 * Prints the event modifier from the header token in either the default or 658 * raw form. 659 */ 660 static void 661 print_evmod(FILE *fp, u_int16_t evmod, char raw) 662 { 663 if (raw) 664 fprintf(fp, "%u", evmod); 665 else 666 fprintf(fp, "%u", evmod); 667 } 668 669 /* 670 * Prints seconds in the ctime format. 671 */ 672 static void 673 print_sec32(FILE *fp, u_int32_t sec, char raw) 674 { 675 time_t timestamp; 676 char timestr[26]; 677 678 if (raw) 679 fprintf(fp, "%u", sec); 680 else { 681 timestamp = (time_t)sec; 682 ctime_r(×tamp, timestr); 683 timestr[24] = '\0'; /* No new line */ 684 fprintf(fp, "%s", timestr); 685 } 686 } 687 688 /* 689 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 690 * assume a 32-bit time_t, we simply truncate for now. 691 */ 692 static void 693 print_sec64(FILE *fp, u_int64_t sec, char raw) 694 { 695 time_t timestamp; 696 char timestr[26]; 697 698 if (raw) 699 fprintf(fp, "%u", (u_int32_t)sec); 700 else { 701 timestamp = (time_t)sec; 702 ctime_r(×tamp, timestr); 703 timestr[24] = '\0'; /* No new line */ 704 fprintf(fp, "%s", timestr); 705 } 706 } 707 708 /* 709 * Prints the excess milliseconds. 710 */ 711 static void 712 print_msec32(FILE *fp, u_int32_t msec, char raw) 713 { 714 if (raw) 715 fprintf(fp, "%u", msec); 716 else 717 fprintf(fp, " + %u msec", msec); 718 } 719 720 /* 721 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 722 * a 32-bit msec, we simply truncate for now. 723 */ 724 static void 725 print_msec64(FILE *fp, u_int64_t msec, char raw) 726 { 727 728 msec &= 0xffffffff; 729 if (raw) 730 fprintf(fp, "%u", (u_int32_t)msec); 731 else 732 fprintf(fp, " + %u msec", (u_int32_t)msec); 733 } 734 735 /* 736 * Prints a dotted form for the IP address. 737 */ 738 static void 739 print_ip_address(FILE *fp, u_int32_t ip) 740 { 741 struct in_addr ipaddr; 742 743 ipaddr.s_addr = ip; 744 fprintf(fp, "%s", inet_ntoa(ipaddr)); 745 } 746 747 /* 748 * Prints a string value for the given ip address. 749 */ 750 static void 751 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 752 { 753 struct in_addr ipv4; 754 struct in6_addr ipv6; 755 char dst[INET6_ADDRSTRLEN]; 756 757 switch (type) { 758 case AU_IPv4: 759 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 760 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 761 INET6_ADDRSTRLEN)); 762 break; 763 764 case AU_IPv6: 765 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 766 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 767 INET6_ADDRSTRLEN)); 768 break; 769 770 default: 771 fprintf(fp, "invalid"); 772 } 773 } 774 775 /* 776 * Prints return value as success or failure. 777 */ 778 static void 779 print_retval(FILE *fp, u_char status, char raw) 780 { 781 int error; 782 783 if (raw) 784 fprintf(fp, "%u", status); 785 else { 786 /* 787 * Convert to a local error number and print the OS's version 788 * of the error string if possible. We may want to provide 789 * an au_strerror(3) in the future so that we can print 790 * strings for non-local errors. 791 */ 792 if (au_bsm_to_errno(status, &error) == 0) { 793 if (error == 0) 794 fprintf(fp, "success"); 795 else 796 fprintf(fp, "failure : %s", strerror(error)); 797 } else 798 fprintf(fp, "failure: Unknown error: %d", status); 799 } 800 } 801 802 /* 803 * Prints the exit value. 804 */ 805 static void 806 print_errval(FILE *fp, u_int32_t val) 807 { 808 809 fprintf(fp, "Error %u", val); 810 } 811 812 /* 813 * Prints IPC type. 814 */ 815 static void 816 print_ipctype(FILE *fp, u_char type, char raw) 817 { 818 if (raw) 819 fprintf(fp, "%u", type); 820 else { 821 if (type == AT_IPC_MSG) 822 fprintf(fp, "Message IPC"); 823 else if (type == AT_IPC_SEM) 824 fprintf(fp, "Semaphore IPC"); 825 else if (type == AT_IPC_SHM) 826 fprintf(fp, "Shared Memory IPC"); 827 else 828 fprintf(fp, "%u", type); 829 } 830 } 831 832 /* 833 * Print XML header. 834 */ 835 void 836 au_print_xml_header(FILE *outfp) 837 { 838 839 fprintf(outfp, "<?xml version='1.0' ?>\n"); 840 fprintf(outfp, "<audit>\n"); 841 } 842 843 /* 844 * Print XML footer. 845 */ 846 void 847 au_print_xml_footer(FILE *outfp) 848 { 849 850 fprintf(outfp, "</audit>\n"); 851 } 852 853 /* 854 * record byte count 4 bytes 855 * version # 1 byte [2] 856 * event type 2 bytes 857 * event modifier 2 bytes 858 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 859 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 860 */ 861 static int 862 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 863 { 864 int err = 0; 865 866 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 867 if (err) 868 return (-1); 869 870 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 871 if (err) 872 return (-1); 873 874 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 875 if (err) 876 return (-1); 877 878 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 879 if (err) 880 return (-1); 881 882 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 883 if (err) 884 return (-1); 885 886 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 887 if (err) 888 return (-1); 889 890 return (0); 891 } 892 893 static void 894 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 895 int xml) 896 { 897 898 print_tok_type(fp, tok->id, "header", raw, xml); 899 if (xml) { 900 open_attr(fp, "version"); 901 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 902 close_attr(fp); 903 open_attr(fp, "event"); 904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905 close_attr(fp); 906 open_attr(fp, "modifier"); 907 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 908 close_attr(fp); 909 open_attr(fp, "time"); 910 print_sec32(fp, tok->tt.hdr32.s, raw); 911 close_attr(fp); 912 open_attr(fp, "msec"); 913 print_msec32(fp, tok->tt.hdr32.ms, 1); 914 close_attr(fp); 915 close_tag(fp, tok->id); 916 } else { 917 print_delim(fp, del); 918 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 919 print_delim(fp, del); 920 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 921 print_delim(fp, del); 922 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 923 print_delim(fp, del); 924 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 925 print_delim(fp, del); 926 print_sec32(fp, tok->tt.hdr32.s, raw); 927 print_delim(fp, del); 928 print_msec32(fp, tok->tt.hdr32.ms, raw); 929 } 930 } 931 932 /* 933 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 934 * depending on the bit of the specifications found. The OpenSolaris source 935 * code uses a 4-byte address length, followed by some number of bytes of 936 * address data. This contrasts with the Solaris audit.log.5 man page, which 937 * specifies a 1-byte length field. We use the Solaris 10 definition so that 938 * we can parse audit trails from that system. 939 * 940 * record byte count 4 bytes 941 * version # 1 byte [2] 942 * event type 2 bytes 943 * event modifier 2 bytes 944 * address type/length 4 bytes 945 * [ Solaris man page: address type/length 1 byte] 946 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 947 * seconds of time 4 bytes/8 bytes (32/64-bits) 948 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 949 */ 950 static int 951 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 952 { 953 int err = 0; 954 955 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 956 if (err) 957 return (-1); 958 959 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 960 if (err) 961 return (-1); 962 963 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 964 if (err) 965 return (-1); 966 967 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 968 if (err) 969 return (-1); 970 971 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 972 if (err) 973 return (-1); 974 975 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 976 switch (tok->tt.hdr32_ex.ad_type) { 977 case AU_IPv4: 978 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 979 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 980 if (err) 981 return (-1); 982 break; 983 984 case AU_IPv6: 985 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 986 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 987 break; 988 } 989 990 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 991 if (err) 992 return (-1); 993 994 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 995 if (err) 996 return (-1); 997 998 return (0); 999 } 1000 1001 static void 1002 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1003 char sfrm, int xml) 1004 { 1005 1006 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1007 if (xml) { 1008 open_attr(fp, "version"); 1009 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1010 close_attr(fp); 1011 open_attr(fp, "event"); 1012 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1013 close_attr(fp); 1014 open_attr(fp, "modifier"); 1015 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1016 close_attr(fp); 1017 open_attr(fp, "host"); 1018 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1019 tok->tt.hdr32_ex.addr); 1020 close_attr(fp); 1021 open_attr(fp, "time"); 1022 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1023 close_attr(fp); 1024 open_attr(fp, "msec"); 1025 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1026 close_attr(fp); 1027 close_tag(fp, tok->id); 1028 } else { 1029 print_delim(fp, del); 1030 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1031 print_delim(fp, del); 1032 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1033 print_delim(fp, del); 1034 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1035 print_delim(fp, del); 1036 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1037 print_delim(fp, del); 1038 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1039 tok->tt.hdr32_ex.addr); 1040 print_delim(fp, del); 1041 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1042 print_delim(fp, del); 1043 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1044 } 1045 } 1046 1047 /* 1048 * record byte count 4 bytes 1049 * event type 2 bytes 1050 * event modifier 2 bytes 1051 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1052 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1053 * version # 1054 */ 1055 static int 1056 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1057 { 1058 int err = 0; 1059 1060 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1061 if (err) 1062 return (-1); 1063 1064 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1065 if (err) 1066 return (-1); 1067 1068 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1069 if (err) 1070 return (-1); 1071 1072 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1073 if (err) 1074 return (-1); 1075 1076 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1077 if (err) 1078 return (-1); 1079 1080 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1081 if (err) 1082 return (-1); 1083 1084 return (0); 1085 } 1086 1087 static void 1088 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1089 int xml) 1090 { 1091 1092 print_tok_type(fp, tok->id, "header", raw, xml); 1093 if (xml) { 1094 open_attr(fp, "version"); 1095 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1096 close_attr(fp); 1097 open_attr(fp, "event"); 1098 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1099 close_attr(fp); 1100 open_attr(fp, "modifier"); 1101 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1102 close_attr(fp); 1103 open_attr(fp, "time"); 1104 print_sec64(fp, tok->tt.hdr64.s, raw); 1105 close_attr(fp); 1106 open_attr(fp, "msec"); 1107 print_msec64(fp, tok->tt.hdr64.ms, raw); 1108 close_attr(fp); 1109 close_tag(fp, tok->id); 1110 } else { 1111 print_delim(fp, del); 1112 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1113 print_delim(fp, del); 1114 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1115 print_delim(fp, del); 1116 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1117 print_delim(fp, del); 1118 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1119 print_delim(fp, del); 1120 print_sec64(fp, tok->tt.hdr64.s, raw); 1121 print_delim(fp, del); 1122 print_msec64(fp, tok->tt.hdr64.ms, raw); 1123 } 1124 } 1125 1126 /* 1127 * record byte count 4 bytes 1128 * version # 1 byte [2] 1129 * event type 2 bytes 1130 * event modifier 2 bytes 1131 * address type/length 4 bytes 1132 * [ Solaris man page: address type/length 1 byte] 1133 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1134 * seconds of time 4 bytes/8 bytes (32/64-bits) 1135 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1136 * 1137 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1138 * accuracy of the BSM spec. 1139 */ 1140 static int 1141 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1142 { 1143 int err = 0; 1144 1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1146 if (err) 1147 return (-1); 1148 1149 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1150 if (err) 1151 return (-1); 1152 1153 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1154 if (err) 1155 return (-1); 1156 1157 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1158 if (err) 1159 return (-1); 1160 1161 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1162 if (err) 1163 return (-1); 1164 1165 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1166 switch (tok->tt.hdr64_ex.ad_type) { 1167 case AU_IPv4: 1168 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1169 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1170 if (err) 1171 return (-1); 1172 break; 1173 1174 case AU_IPv6: 1175 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1176 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1177 break; 1178 } 1179 1180 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1181 if (err) 1182 return (-1); 1183 1184 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1185 if (err) 1186 return (-1); 1187 1188 return (0); 1189 } 1190 1191 static void 1192 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1193 char sfrm, int xml) 1194 { 1195 1196 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1197 if (xml) { 1198 open_attr(fp, "version"); 1199 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1200 close_attr(fp); 1201 open_attr(fp, "event"); 1202 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1203 close_attr(fp); 1204 open_attr(fp, "modifier"); 1205 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1206 close_attr(fp); 1207 open_attr(fp, "host"); 1208 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1209 tok->tt.hdr64_ex.addr); 1210 close_attr(fp); 1211 open_attr(fp, "time"); 1212 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1213 close_attr(fp); 1214 open_attr(fp, "msec"); 1215 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1216 close_attr(fp); 1217 close_tag(fp, tok->id); 1218 } else { 1219 print_delim(fp, del); 1220 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1221 print_delim(fp, del); 1222 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1223 print_delim(fp, del); 1224 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1225 print_delim(fp, del); 1226 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1227 print_delim(fp, del); 1228 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1229 tok->tt.hdr64_ex.addr); 1230 print_delim(fp, del); 1231 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1232 print_delim(fp, del); 1233 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1234 } 1235 } 1236 1237 /* 1238 * trailer magic 2 bytes 1239 * record size 4 bytes 1240 */ 1241 static int 1242 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1243 { 1244 int err = 0; 1245 1246 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1247 if (err) 1248 return (-1); 1249 1250 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1251 if (err) 1252 return (-1); 1253 1254 return (0); 1255 } 1256 1257 static void 1258 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1259 __unused char sfrm, int xml) 1260 { 1261 1262 print_tok_type(fp, tok->id, "trailer", raw, xml); 1263 if (!xml) { 1264 print_delim(fp, del); 1265 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1266 } 1267 } 1268 1269 /* 1270 * argument # 1 byte 1271 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1272 * text length 2 bytes 1273 * text N bytes + 1 terminating NULL byte 1274 */ 1275 static int 1276 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1277 { 1278 int err = 0; 1279 1280 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1281 if (err) 1282 return (-1); 1283 1284 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1285 if (err) 1286 return (-1); 1287 1288 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1289 if (err) 1290 return (-1); 1291 1292 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1293 tok->len, err); 1294 if (err) 1295 return (-1); 1296 1297 return (0); 1298 } 1299 1300 static void 1301 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1302 __unused char sfrm, int xml) 1303 { 1304 1305 print_tok_type(fp, tok->id, "argument", raw, xml); 1306 if (xml) { 1307 open_attr(fp, "arg-num"); 1308 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1309 close_attr(fp); 1310 open_attr(fp, "value"); 1311 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1312 close_attr(fp); 1313 open_attr(fp, "desc"); 1314 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1315 close_attr(fp); 1316 close_tag(fp, tok->id); 1317 } else { 1318 print_delim(fp, del); 1319 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1320 print_delim(fp, del); 1321 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1322 print_delim(fp, del); 1323 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1324 } 1325 } 1326 1327 static int 1328 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1329 { 1330 int err = 0; 1331 1332 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1333 if (err) 1334 return (-1); 1335 1336 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1337 if (err) 1338 return (-1); 1339 1340 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1341 if (err) 1342 return (-1); 1343 1344 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1345 tok->len, err); 1346 if (err) 1347 return (-1); 1348 1349 return (0); 1350 } 1351 1352 static void 1353 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1354 __unused char sfrm, int xml) 1355 { 1356 1357 print_tok_type(fp, tok->id, "argument", raw, xml); 1358 if (xml) { 1359 open_attr(fp, "arg-num"); 1360 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1361 close_attr(fp); 1362 open_attr(fp, "value"); 1363 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1364 close_attr(fp); 1365 open_attr(fp, "desc"); 1366 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1367 close_attr(fp); 1368 close_tag(fp, tok->id); 1369 } else { 1370 print_delim(fp, del); 1371 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1372 print_delim(fp, del); 1373 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1374 print_delim(fp, del); 1375 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1376 } 1377 } 1378 1379 /* 1380 * how to print 1 byte 1381 * basic unit 1 byte 1382 * unit count 1 byte 1383 * data items (depends on basic unit) 1384 */ 1385 static int 1386 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1387 { 1388 int err = 0; 1389 int datasize; 1390 1391 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1392 if (err) 1393 return (-1); 1394 1395 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1396 if (err) 1397 return (-1); 1398 1399 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1400 if (err) 1401 return (-1); 1402 1403 /* 1404 * Determine the size of the basic unit. 1405 */ 1406 switch(tok->tt.arb.bu) { 1407 case AUR_BYTE: 1408 /* case AUR_CHAR: */ 1409 datasize = AUR_BYTE_SIZE; 1410 break; 1411 1412 case AUR_SHORT: 1413 datasize = AUR_SHORT_SIZE; 1414 break; 1415 1416 case AUR_INT32: 1417 /* case AUR_INT: */ 1418 datasize = AUR_INT32_SIZE; 1419 break; 1420 1421 case AUR_INT64: 1422 datasize = AUR_INT64_SIZE; 1423 break; 1424 1425 default: 1426 return (-1); 1427 } 1428 1429 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1430 tok->len, err); 1431 if (err) 1432 return (-1); 1433 1434 return (0); 1435 } 1436 1437 static void 1438 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1439 __unused char sfrm, int xml) 1440 { 1441 char *str; 1442 char *format; 1443 size_t size; 1444 int i; 1445 1446 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1447 if (!xml) 1448 print_delim(fp, del); 1449 1450 switch(tok->tt.arb.howtopr) { 1451 case AUP_BINARY: 1452 str = "binary"; 1453 format = " %c"; 1454 break; 1455 1456 case AUP_OCTAL: 1457 str = "octal"; 1458 format = " %o"; 1459 break; 1460 1461 case AUP_DECIMAL: 1462 str = "decimal"; 1463 format = " %d"; 1464 break; 1465 1466 case AUP_HEX: 1467 str = "hex"; 1468 format = " %x"; 1469 break; 1470 1471 case AUP_STRING: 1472 str = "string"; 1473 format = "%c"; 1474 break; 1475 1476 default: 1477 return; 1478 } 1479 1480 if (xml) { 1481 open_attr(fp, "print"); 1482 fprintf(fp, "%s",str); 1483 close_attr(fp); 1484 } else { 1485 print_string(fp, str, strlen(str)); 1486 print_delim(fp, del); 1487 } 1488 switch(tok->tt.arb.bu) { 1489 case AUR_BYTE: 1490 /* case AUR_CHAR: */ 1491 str = "byte"; 1492 size = AUR_BYTE_SIZE; 1493 if (xml) { 1494 open_attr(fp, "type"); 1495 fprintf(fp, "%zu", size); 1496 close_attr(fp); 1497 open_attr(fp, "count"); 1498 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1499 close_attr(fp); 1500 fprintf(fp, ">"); 1501 for (i = 0; i<tok->tt.arb.uc; i++) 1502 fprintf(fp, format, *(tok->tt.arb.data + 1503 (size * i))); 1504 close_tag(fp, tok->id); 1505 } else { 1506 print_string(fp, str, strlen(str)); 1507 print_delim(fp, del); 1508 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1509 print_delim(fp, del); 1510 for (i = 0; i<tok->tt.arb.uc; i++) 1511 fprintf(fp, format, *(tok->tt.arb.data + 1512 (size * i))); 1513 } 1514 break; 1515 1516 case AUR_SHORT: 1517 str = "short"; 1518 size = AUR_SHORT_SIZE; 1519 if (xml) { 1520 open_attr(fp, "type"); 1521 fprintf(fp, "%zu", size); 1522 close_attr(fp); 1523 open_attr(fp, "count"); 1524 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1525 close_attr(fp); 1526 fprintf(fp, ">"); 1527 for (i = 0; i < tok->tt.arb.uc; i++) 1528 fprintf(fp, format, 1529 *((u_int16_t *)(tok->tt.arb.data + 1530 (size * i)))); 1531 close_tag(fp, tok->id); 1532 } else { 1533 print_string(fp, str, strlen(str)); 1534 print_delim(fp, del); 1535 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1536 print_delim(fp, del); 1537 for (i = 0; i < tok->tt.arb.uc; i++) 1538 fprintf(fp, format, 1539 *((u_int16_t *)(tok->tt.arb.data + 1540 (size * i)))); 1541 } 1542 break; 1543 1544 case AUR_INT32: 1545 /* case AUR_INT: */ 1546 str = "int"; 1547 size = AUR_INT32_SIZE; 1548 if (xml) { 1549 open_attr(fp, "type"); 1550 fprintf(fp, "%zu", size); 1551 close_attr(fp); 1552 open_attr(fp, "count"); 1553 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1554 close_attr(fp); 1555 fprintf(fp, ">"); 1556 for (i = 0; i < tok->tt.arb.uc; i++) 1557 fprintf(fp, format, 1558 *((u_int32_t *)(tok->tt.arb.data + 1559 (size * i)))); 1560 close_tag(fp, tok->id); 1561 } else { 1562 print_string(fp, str, strlen(str)); 1563 print_delim(fp, del); 1564 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1565 print_delim(fp, del); 1566 for (i = 0; i < tok->tt.arb.uc; i++) 1567 fprintf(fp, format, 1568 *((u_int32_t *)(tok->tt.arb.data + 1569 (size * i)))); 1570 } 1571 break; 1572 1573 case AUR_INT64: 1574 str = "int64"; 1575 size = AUR_INT64_SIZE; 1576 if (xml) { 1577 open_attr(fp, "type"); 1578 fprintf(fp, "%zu", size); 1579 close_attr(fp); 1580 open_attr(fp, "count"); 1581 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1582 close_attr(fp); 1583 fprintf(fp, ">"); 1584 for (i = 0; i < tok->tt.arb.uc; i++) 1585 fprintf(fp, format, 1586 *((u_int64_t *)(tok->tt.arb.data + 1587 (size * i)))); 1588 close_tag(fp, tok->id); 1589 } else { 1590 print_string(fp, str, strlen(str)); 1591 print_delim(fp, del); 1592 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1593 print_delim(fp, del); 1594 for (i = 0; i < tok->tt.arb.uc; i++) 1595 fprintf(fp, format, 1596 *((u_int64_t *)(tok->tt.arb.data + 1597 (size * i)))); 1598 } 1599 break; 1600 1601 default: 1602 return; 1603 } 1604 } 1605 1606 /* 1607 * file access mode 4 bytes 1608 * owner user ID 4 bytes 1609 * owner group ID 4 bytes 1610 * file system ID 4 bytes 1611 * node ID 8 bytes 1612 * device 4 bytes/8 bytes (32-bit/64-bit) 1613 */ 1614 static int 1615 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1616 { 1617 int err = 0; 1618 1619 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1620 if (err) 1621 return (-1); 1622 1623 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1624 if (err) 1625 return (-1); 1626 1627 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1628 if (err) 1629 return (-1); 1630 1631 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1632 if (err) 1633 return (-1); 1634 1635 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1636 if (err) 1637 return (-1); 1638 1639 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1640 if (err) 1641 return (-1); 1642 1643 return (0); 1644 } 1645 1646 static void 1647 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1648 __unused char sfrm, int xml) 1649 { 1650 1651 print_tok_type(fp, tok->id, "attribute", raw, xml); 1652 if (xml) { 1653 open_attr(fp, "mode"); 1654 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1655 close_attr(fp); 1656 open_attr(fp, "uid"); 1657 print_user(fp, tok->tt.attr32.uid, raw); 1658 close_attr(fp); 1659 open_attr(fp, "gid"); 1660 print_group(fp, tok->tt.attr32.gid, raw); 1661 close_attr(fp); 1662 open_attr(fp, "fsid"); 1663 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1664 close_attr(fp); 1665 open_attr(fp, "nodeid"); 1666 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1667 close_attr(fp); 1668 open_attr(fp, "device"); 1669 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1670 close_attr(fp); 1671 close_tag(fp, tok->id); 1672 } else { 1673 print_delim(fp, del); 1674 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1675 print_delim(fp, del); 1676 print_user(fp, tok->tt.attr32.uid, raw); 1677 print_delim(fp, del); 1678 print_group(fp, tok->tt.attr32.gid, raw); 1679 print_delim(fp, del); 1680 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1681 print_delim(fp, del); 1682 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1683 print_delim(fp, del); 1684 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1685 } 1686 } 1687 1688 /* 1689 * file access mode 4 bytes 1690 * owner user ID 4 bytes 1691 * owner group ID 4 bytes 1692 * file system ID 4 bytes 1693 * node ID 8 bytes 1694 * device 4 bytes/8 bytes (32-bit/64-bit) 1695 */ 1696 static int 1697 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1698 { 1699 int err = 0; 1700 1701 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1702 if (err) 1703 return (-1); 1704 1705 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1706 if (err) 1707 return (-1); 1708 1709 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1710 if (err) 1711 return (-1); 1712 1713 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1714 if (err) 1715 return (-1); 1716 1717 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1718 if (err) 1719 return (-1); 1720 1721 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1722 if (err) 1723 return (-1); 1724 1725 return (0); 1726 } 1727 1728 static void 1729 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1730 __unused char sfrm, int xml) 1731 { 1732 1733 print_tok_type(fp, tok->id, "attribute", raw, xml); 1734 if (xml) { 1735 open_attr(fp, "mode"); 1736 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1737 close_attr(fp); 1738 open_attr(fp, "uid"); 1739 print_user(fp, tok->tt.attr64.uid, raw); 1740 close_attr(fp); 1741 open_attr(fp, "gid"); 1742 print_group(fp, tok->tt.attr64.gid, raw); 1743 close_attr(fp); 1744 open_attr(fp, "fsid"); 1745 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1746 close_attr(fp); 1747 open_attr(fp, "nodeid"); 1748 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1749 close_attr(fp); 1750 open_attr(fp, "device"); 1751 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1752 close_attr(fp); 1753 close_tag(fp, tok->id); 1754 } else { 1755 print_delim(fp, del); 1756 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1757 print_delim(fp, del); 1758 print_user(fp, tok->tt.attr64.uid, raw); 1759 print_delim(fp, del); 1760 print_group(fp, tok->tt.attr64.gid, raw); 1761 print_delim(fp, del); 1762 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1763 print_delim(fp, del); 1764 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1765 print_delim(fp, del); 1766 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1767 } 1768 } 1769 1770 /* 1771 * status 4 bytes 1772 * return value 4 bytes 1773 */ 1774 static int 1775 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1776 { 1777 int err = 0; 1778 1779 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1780 if (err) 1781 return (-1); 1782 1783 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1784 if (err) 1785 return (-1); 1786 1787 return (0); 1788 } 1789 1790 static void 1791 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1792 __unused char sfrm, int xml) 1793 { 1794 1795 print_tok_type(fp, tok->id, "exit", raw, xml); 1796 if (xml) { 1797 open_attr(fp, "errval"); 1798 print_errval(fp, tok->tt.exit.status); 1799 close_attr(fp); 1800 open_attr(fp, "retval"); 1801 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1802 close_attr(fp); 1803 close_tag(fp, tok->id); 1804 } else { 1805 print_delim(fp, del); 1806 print_errval(fp, tok->tt.exit.status); 1807 print_delim(fp, del); 1808 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1809 } 1810 } 1811 1812 /* 1813 * count 4 bytes 1814 * text count null-terminated string(s) 1815 */ 1816 static int 1817 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1818 { 1819 int err = 0; 1820 u_int32_t i; 1821 u_char *bptr; 1822 1823 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1824 if (err) 1825 return (-1); 1826 1827 for (i = 0; i < tok->tt.execarg.count; i++) { 1828 bptr = buf + tok->len; 1829 if (i < AUDIT_MAX_ARGS) 1830 tok->tt.execarg.text[i] = (char*)bptr; 1831 1832 /* Look for a null terminated string. */ 1833 while (bptr && (*bptr != '\0')) { 1834 if (++tok->len >= (u_int32_t)len) 1835 return (-1); 1836 bptr = buf + tok->len; 1837 } 1838 if (!bptr) 1839 return (-1); 1840 tok->len++; /* \0 character */ 1841 } 1842 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1843 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1844 1845 return (0); 1846 } 1847 1848 static void 1849 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1850 __unused char sfrm, int xml) 1851 { 1852 u_int32_t i; 1853 1854 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1855 for (i = 0; i < tok->tt.execarg.count; i++) { 1856 if (xml) { 1857 fprintf(fp, "<arg>"); 1858 print_string(fp, tok->tt.execarg.text[i], 1859 strlen(tok->tt.execarg.text[i])); 1860 fprintf(fp, "</arg>"); 1861 } else { 1862 print_delim(fp, del); 1863 print_string(fp, tok->tt.execarg.text[i], 1864 strlen(tok->tt.execarg.text[i])); 1865 } 1866 } 1867 if (xml) 1868 close_tag(fp, tok->id); 1869 } 1870 1871 /* 1872 * count 4 bytes 1873 * text count null-terminated string(s) 1874 */ 1875 static int 1876 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1877 { 1878 int err = 0; 1879 u_int32_t i; 1880 u_char *bptr; 1881 1882 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1883 if (err) 1884 return (-1); 1885 1886 for (i = 0; i < tok->tt.execenv.count; i++) { 1887 bptr = buf + tok->len; 1888 if (i < AUDIT_MAX_ENV) 1889 tok->tt.execenv.text[i] = (char*)bptr; 1890 1891 /* Look for a null terminated string. */ 1892 while (bptr && (*bptr != '\0')) { 1893 if (++tok->len >= (u_int32_t)len) 1894 return (-1); 1895 bptr = buf + tok->len; 1896 } 1897 if (!bptr) 1898 return (-1); 1899 tok->len++; /* \0 character */ 1900 } 1901 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1902 tok->tt.execenv.count = AUDIT_MAX_ENV; 1903 1904 return (0); 1905 } 1906 1907 static void 1908 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1909 __unused char sfrm, int xml) 1910 { 1911 u_int32_t i; 1912 1913 print_tok_type(fp, tok->id, "exec env", raw, xml); 1914 for (i = 0; i< tok->tt.execenv.count; i++) { 1915 if (xml) { 1916 fprintf(fp, "<env>"); 1917 print_string(fp, tok->tt.execenv.text[i], 1918 strlen(tok->tt.execenv.text[i])); 1919 fprintf(fp, "</env>"); 1920 } else { 1921 print_delim(fp, del); 1922 print_string(fp, tok->tt.execenv.text[i], 1923 strlen(tok->tt.execenv.text[i])); 1924 } 1925 } 1926 if (xml) 1927 close_tag(fp, tok->id); 1928 } 1929 1930 /* 1931 * seconds of time 4 bytes 1932 * milliseconds of time 4 bytes 1933 * file name len 2 bytes 1934 * file pathname N bytes + 1 terminating NULL byte 1935 */ 1936 static int 1937 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1938 { 1939 int err = 0; 1940 1941 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1942 if (err) 1943 return (-1); 1944 1945 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1946 if (err) 1947 return (-1); 1948 1949 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1950 if (err) 1951 return (-1); 1952 1953 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1954 err); 1955 if (err) 1956 return (-1); 1957 1958 return (0); 1959 } 1960 1961 static void 1962 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1963 __unused char sfrm, int xml) 1964 { 1965 1966 print_tok_type(fp, tok->id, "file", raw, xml); 1967 if (xml) { 1968 open_attr(fp, "time"); 1969 print_sec32(fp, tok->tt.file.s, raw); 1970 close_attr(fp); 1971 open_attr(fp, "msec"); 1972 print_msec32(fp, tok->tt.file.ms, raw); 1973 close_attr(fp); 1974 fprintf(fp, ">"); 1975 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1976 close_tag(fp, tok->id); 1977 } else { 1978 print_delim(fp, del); 1979 print_sec32(fp, tok->tt.file.s, raw); 1980 print_delim(fp, del); 1981 print_msec32(fp, tok->tt.file.ms, raw); 1982 print_delim(fp, del); 1983 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1984 } 1985 } 1986 1987 /* 1988 * number groups 2 bytes 1989 * group list count * 4 bytes 1990 */ 1991 static int 1992 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1993 { 1994 int i; 1995 int err = 0; 1996 1997 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1998 if (err) 1999 return (-1); 2000 2001 for (i = 0; i<tok->tt.grps.no; i++) { 2002 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2003 err); 2004 if (err) 2005 return (-1); 2006 } 2007 2008 return (0); 2009 } 2010 2011 static void 2012 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2013 __unused char sfrm, int xml) 2014 { 2015 int i; 2016 2017 print_tok_type(fp, tok->id, "group", raw, xml); 2018 for (i = 0; i < tok->tt.grps.no; i++) { 2019 if (xml) { 2020 fprintf(fp, "<gid>"); 2021 print_group(fp, tok->tt.grps.list[i], raw); 2022 fprintf(fp, "</gid>"); 2023 close_tag(fp, tok->id); 2024 } else { 2025 print_delim(fp, del); 2026 print_group(fp, tok->tt.grps.list[i], raw); 2027 } 2028 } 2029 } 2030 2031 /* 2032 * Internet addr 4 bytes 2033 */ 2034 static int 2035 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2036 { 2037 int err = 0; 2038 2039 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2040 tok->len, err); 2041 if (err) 2042 return (-1); 2043 2044 return (0); 2045 2046 } 2047 2048 static void 2049 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2050 __unused char sfrm, int xml) 2051 { 2052 2053 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2054 if (xml) { 2055 print_ip_address(fp, tok->tt.inaddr.addr); 2056 close_tag(fp, tok->id); 2057 } else { 2058 print_delim(fp, del); 2059 print_ip_address(fp, tok->tt.inaddr.addr); 2060 } 2061 } 2062 2063 /* 2064 * type 4 bytes 2065 * address 16 bytes 2066 */ 2067 static int 2068 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2069 { 2070 int err = 0; 2071 2072 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2073 if (err) 2074 return (-1); 2075 2076 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2077 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2078 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2079 if (err) 2080 return (-1); 2081 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2082 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2083 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2084 if (err) 2085 return (-1); 2086 } else 2087 return (-1); 2088 2089 return (0); 2090 } 2091 2092 static void 2093 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2094 __unused char sfrm, int xml) 2095 { 2096 2097 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2098 if (xml) { 2099 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2100 tok->tt.inaddr_ex.addr); 2101 close_tag(fp, tok->id); 2102 } else { 2103 print_delim(fp, del); 2104 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2105 tok->tt.inaddr_ex.addr); 2106 } 2107 } 2108 2109 /* 2110 * ip header 20 bytes 2111 */ 2112 static int 2113 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2114 { 2115 int err = 0; 2116 2117 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2118 if (err) 2119 return (-1); 2120 2121 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2122 if (err) 2123 return (-1); 2124 2125 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2126 tok->len, err); 2127 if (err) 2128 return (-1); 2129 2130 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2131 tok->len, err); 2132 if (err) 2133 return (-1); 2134 2135 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2136 tok->len, err); 2137 if (err) 2138 return (-1); 2139 2140 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2141 if (err) 2142 return (-1); 2143 2144 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2145 if (err) 2146 return (-1); 2147 2148 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2149 tok->len, err); 2150 if (err) 2151 return (-1); 2152 2153 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2154 tok->len, err); 2155 if (err) 2156 return (-1); 2157 2158 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2159 tok->len, err); 2160 if (err) 2161 return (-1); 2162 2163 return (0); 2164 } 2165 2166 static void 2167 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2168 __unused char sfrm, int xml) 2169 { 2170 2171 print_tok_type(fp, tok->id, "ip", raw, xml); 2172 if (xml) { 2173 open_attr(fp, "version"); 2174 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2175 sizeof(u_char)); 2176 close_attr(fp); 2177 open_attr(fp, "service_type"); 2178 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2179 close_attr(fp); 2180 open_attr(fp, "len"); 2181 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2182 close_attr(fp); 2183 open_attr(fp, "id"); 2184 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2185 close_attr(fp); 2186 open_attr(fp, "offset"); 2187 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2188 close_attr(fp); 2189 open_attr(fp, "time_to_live"); 2190 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2191 close_attr(fp); 2192 open_attr(fp, "protocol"); 2193 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2194 close_attr(fp); 2195 open_attr(fp, "cksum"); 2196 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2197 close_attr(fp); 2198 open_attr(fp, "src_addr"); 2199 print_ip_address(fp, tok->tt.ip.src); 2200 close_attr(fp); 2201 open_attr(fp, "dest_addr"); 2202 print_ip_address(fp, tok->tt.ip.dest); 2203 close_attr(fp); 2204 close_tag(fp, tok->id); 2205 } else { 2206 print_delim(fp, del); 2207 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2208 sizeof(u_char)); 2209 print_delim(fp, del); 2210 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2211 print_delim(fp, del); 2212 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2213 print_delim(fp, del); 2214 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2215 print_delim(fp, del); 2216 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2217 print_delim(fp, del); 2218 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2219 print_delim(fp, del); 2220 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2221 print_delim(fp, del); 2222 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2223 print_delim(fp, del); 2224 print_ip_address(fp, tok->tt.ip.src); 2225 print_delim(fp, del); 2226 print_ip_address(fp, tok->tt.ip.dest); 2227 } 2228 } 2229 2230 /* 2231 * object ID type 1 byte 2232 * Object ID 4 bytes 2233 */ 2234 static int 2235 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2236 { 2237 int err = 0; 2238 2239 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2240 if (err) 2241 return (-1); 2242 2243 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2244 if (err) 2245 return (-1); 2246 2247 return (0); 2248 } 2249 2250 static void 2251 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2252 __unused char sfrm, int xml) 2253 { 2254 2255 print_tok_type(fp, tok->id, "IPC", raw, xml); 2256 if (xml) { 2257 open_attr(fp, "ipc-type"); 2258 print_ipctype(fp, tok->tt.ipc.type, raw); 2259 close_attr(fp); 2260 open_attr(fp, "ipc-id"); 2261 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2262 close_attr(fp); 2263 close_tag(fp, tok->id); 2264 } else { 2265 print_delim(fp, del); 2266 print_ipctype(fp, tok->tt.ipc.type, raw); 2267 print_delim(fp, del); 2268 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2269 } 2270 } 2271 2272 /* 2273 * owner user id 4 bytes 2274 * owner group id 4 bytes 2275 * creator user id 4 bytes 2276 * creator group id 4 bytes 2277 * access mode 4 bytes 2278 * slot seq 4 bytes 2279 * key 4 bytes 2280 */ 2281 static int 2282 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2283 { 2284 int err = 0; 2285 2286 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2287 if (err) 2288 return (-1); 2289 2290 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2291 if (err) 2292 return (-1); 2293 2294 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2295 if (err) 2296 return (-1); 2297 2298 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2299 if (err) 2300 return (-1); 2301 2302 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2303 if (err) 2304 return (-1); 2305 2306 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2307 if (err) 2308 return (-1); 2309 2310 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2311 if (err) 2312 return (-1); 2313 2314 return (0); 2315 } 2316 2317 static void 2318 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2319 __unused char sfrm, int xml) 2320 { 2321 2322 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2323 if (xml) { 2324 open_attr(fp, "uid"); 2325 print_user(fp, tok->tt.ipcperm.uid, raw); 2326 close_attr(fp); 2327 open_attr(fp, "gid"); 2328 print_group(fp, tok->tt.ipcperm.gid, raw); 2329 close_attr(fp); 2330 open_attr(fp, "creator-uid"); 2331 print_user(fp, tok->tt.ipcperm.puid, raw); 2332 close_attr(fp); 2333 open_attr(fp, "creator-gid"); 2334 print_group(fp, tok->tt.ipcperm.pgid, raw); 2335 close_attr(fp); 2336 open_attr(fp, "mode"); 2337 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2338 close_attr(fp); 2339 open_attr(fp, "seq"); 2340 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2341 close_attr(fp); 2342 open_attr(fp, "key"); 2343 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2344 close_attr(fp); 2345 close_tag(fp, tok->id); 2346 } else { 2347 print_delim(fp, del); 2348 print_user(fp, tok->tt.ipcperm.uid, raw); 2349 print_delim(fp, del); 2350 print_group(fp, tok->tt.ipcperm.gid, raw); 2351 print_delim(fp, del); 2352 print_user(fp, tok->tt.ipcperm.puid, raw); 2353 print_delim(fp, del); 2354 print_group(fp, tok->tt.ipcperm.pgid, raw); 2355 print_delim(fp, del); 2356 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2357 print_delim(fp, del); 2358 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2359 print_delim(fp, del); 2360 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2361 } 2362 } 2363 2364 /* 2365 * port Ip address 2 bytes 2366 */ 2367 static int 2368 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2369 { 2370 int err = 0; 2371 2372 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2373 tok->len, err); 2374 if (err) 2375 return (-1); 2376 2377 return (0); 2378 } 2379 2380 static void 2381 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2382 __unused char sfrm, int xml) 2383 { 2384 2385 print_tok_type(fp, tok->id, "ip port", raw, xml); 2386 if (xml) { 2387 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2388 close_tag(fp, tok->id); 2389 } else { 2390 print_delim(fp, del); 2391 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2392 } 2393 } 2394 2395 /* 2396 * size 2 bytes 2397 * data size bytes 2398 */ 2399 static int 2400 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2401 { 2402 int err = 0; 2403 2404 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2405 if (err) 2406 return (-1); 2407 2408 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2409 tok->len, err); 2410 if (err) 2411 return (-1); 2412 2413 return (0); 2414 } 2415 2416 static void 2417 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2418 __unused char sfrm, int xml) 2419 { 2420 2421 print_tok_type(fp, tok->id, "opaque", raw, xml); 2422 if (xml) { 2423 print_mem(fp, (u_char*)tok->tt.opaque.data, 2424 tok->tt.opaque.size); 2425 close_tag(fp, tok->id); 2426 } else { 2427 print_delim(fp, del); 2428 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2429 print_delim(fp, del); 2430 print_mem(fp, (u_char*)tok->tt.opaque.data, 2431 tok->tt.opaque.size); 2432 } 2433 } 2434 2435 /* 2436 * size 2 bytes 2437 * data size bytes 2438 */ 2439 static int 2440 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2441 { 2442 int err = 0; 2443 2444 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2445 if (err) 2446 return (-1); 2447 2448 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2449 err); 2450 if (err) 2451 return (-1); 2452 2453 return (0); 2454 } 2455 2456 static void 2457 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2458 __unused char sfrm, int xml) 2459 { 2460 2461 print_tok_type(fp, tok->id, "path", raw, xml); 2462 if (xml) { 2463 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2464 close_tag(fp, tok->id); 2465 } else { 2466 print_delim(fp, del); 2467 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2468 } 2469 } 2470 2471 /* 2472 * token ID 1 byte 2473 * audit ID 4 bytes 2474 * euid 4 bytes 2475 * egid 4 bytes 2476 * ruid 4 bytes 2477 * rgid 4 bytes 2478 * pid 4 bytes 2479 * sessid 4 bytes 2480 * terminal ID 2481 * portid 4 bytes 2482 * machine id 4 bytes 2483 */ 2484 static int 2485 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2486 { 2487 int err = 0; 2488 2489 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2490 if (err) 2491 return (-1); 2492 2493 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2494 if (err) 2495 return (-1); 2496 2497 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2498 if (err) 2499 return (-1); 2500 2501 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2502 if (err) 2503 return (-1); 2504 2505 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2506 if (err) 2507 return (-1); 2508 2509 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2510 if (err) 2511 return (-1); 2512 2513 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2514 if (err) 2515 return (-1); 2516 2517 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2518 if (err) 2519 return (-1); 2520 2521 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2522 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2523 if (err) 2524 return (-1); 2525 2526 return (0); 2527 } 2528 2529 static void 2530 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2531 __unused char sfrm, int xml) 2532 { 2533 2534 print_tok_type(fp, tok->id, "process", raw, xml); 2535 if (xml) { 2536 open_attr(fp, "audit-uid"); 2537 print_user(fp, tok->tt.proc32.auid, raw); 2538 close_attr(fp); 2539 open_attr(fp, "uid"); 2540 print_user(fp, tok->tt.proc32.euid, raw); 2541 close_attr(fp); 2542 open_attr(fp, "gid"); 2543 print_group(fp, tok->tt.proc32.egid, raw); 2544 close_attr(fp); 2545 open_attr(fp, "ruid"); 2546 print_user(fp, tok->tt.proc32.ruid, raw); 2547 close_attr(fp); 2548 open_attr(fp, "rgid"); 2549 print_group(fp, tok->tt.proc32.rgid, raw); 2550 close_attr(fp); 2551 open_attr(fp, "pid"); 2552 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2553 close_attr(fp); 2554 open_attr(fp, "sid"); 2555 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2556 close_attr(fp); 2557 open_attr(fp, "tid"); 2558 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2559 print_ip_address(fp, tok->tt.proc32.tid.addr); 2560 close_attr(fp); 2561 close_tag(fp, tok->id); 2562 } else { 2563 print_delim(fp, del); 2564 print_user(fp, tok->tt.proc32.auid, raw); 2565 print_delim(fp, del); 2566 print_user(fp, tok->tt.proc32.euid, raw); 2567 print_delim(fp, del); 2568 print_group(fp, tok->tt.proc32.egid, raw); 2569 print_delim(fp, del); 2570 print_user(fp, tok->tt.proc32.ruid, raw); 2571 print_delim(fp, del); 2572 print_group(fp, tok->tt.proc32.rgid, raw); 2573 print_delim(fp, del); 2574 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2575 print_delim(fp, del); 2576 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2577 print_delim(fp, del); 2578 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2579 print_delim(fp, del); 2580 print_ip_address(fp, tok->tt.proc32.tid.addr); 2581 } 2582 } 2583 2584 /* 2585 * token ID 1 byte 2586 * audit ID 4 bytes 2587 * euid 4 bytes 2588 * egid 4 bytes 2589 * ruid 4 bytes 2590 * rgid 4 bytes 2591 * pid 4 bytes 2592 * sessid 4 bytes 2593 * terminal ID 2594 * portid 8 bytes 2595 * machine id 4 bytes 2596 */ 2597 static int 2598 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2599 { 2600 int err = 0; 2601 2602 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2603 if (err) 2604 return (-1); 2605 2606 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2607 if (err) 2608 return (-1); 2609 2610 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2611 if (err) 2612 return (-1); 2613 2614 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2615 if (err) 2616 return (-1); 2617 2618 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2619 if (err) 2620 return (-1); 2621 2622 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2623 if (err) 2624 return (-1); 2625 2626 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2627 if (err) 2628 return (-1); 2629 2630 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2631 if (err) 2632 return (-1); 2633 2634 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2635 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2636 if (err) 2637 return (-1); 2638 2639 return (0); 2640 } 2641 2642 static void 2643 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2644 __unused char sfrm, int xml) 2645 { 2646 print_tok_type(fp, tok->id, "process", raw, xml); 2647 if (xml) { 2648 open_attr(fp, "audit-uid"); 2649 print_user(fp, tok->tt.proc64.auid, raw); 2650 close_attr(fp); 2651 open_attr(fp, "uid"); 2652 print_user(fp, tok->tt.proc64.euid, raw); 2653 close_attr(fp); 2654 open_attr(fp, "gid"); 2655 print_group(fp, tok->tt.proc64.egid, raw); 2656 close_attr(fp); 2657 open_attr(fp, "ruid"); 2658 print_user(fp, tok->tt.proc64.ruid, raw); 2659 close_attr(fp); 2660 open_attr(fp, "rgid"); 2661 print_group(fp, tok->tt.proc64.rgid, raw); 2662 close_attr(fp); 2663 open_attr(fp, "pid"); 2664 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2665 close_attr(fp); 2666 open_attr(fp, "sid"); 2667 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2668 close_attr(fp); 2669 open_attr(fp, "tid"); 2670 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2671 print_ip_address(fp, tok->tt.proc64.tid.addr); 2672 close_attr(fp); 2673 close_tag(fp, tok->id); 2674 } else { 2675 print_delim(fp, del); 2676 print_user(fp, tok->tt.proc64.auid, raw); 2677 print_delim(fp, del); 2678 print_user(fp, tok->tt.proc64.euid, raw); 2679 print_delim(fp, del); 2680 print_group(fp, tok->tt.proc64.egid, raw); 2681 print_delim(fp, del); 2682 print_user(fp, tok->tt.proc64.ruid, raw); 2683 print_delim(fp, del); 2684 print_group(fp, tok->tt.proc64.rgid, raw); 2685 print_delim(fp, del); 2686 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2687 print_delim(fp, del); 2688 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2689 print_delim(fp, del); 2690 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2691 print_delim(fp, del); 2692 print_ip_address(fp, tok->tt.proc64.tid.addr); 2693 } 2694 } 2695 2696 /* 2697 * token ID 1 byte 2698 * audit ID 4 bytes 2699 * effective user ID 4 bytes 2700 * effective group ID 4 bytes 2701 * real user ID 4 bytes 2702 * real group ID 4 bytes 2703 * process ID 4 bytes 2704 * session ID 4 bytes 2705 * terminal ID 2706 * port ID 4 bytes 2707 * address type-len 4 bytes 2708 * machine address 16 bytes 2709 */ 2710 static int 2711 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2712 { 2713 int err = 0; 2714 2715 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2716 if (err) 2717 return (-1); 2718 2719 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2720 if (err) 2721 return (-1); 2722 2723 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2724 if (err) 2725 return (-1); 2726 2727 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2728 if (err) 2729 return (-1); 2730 2731 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2732 if (err) 2733 return (-1); 2734 2735 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2736 if (err) 2737 return (-1); 2738 2739 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2740 if (err) 2741 return (-1); 2742 2743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2744 err); 2745 if (err) 2746 return (-1); 2747 2748 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2749 err); 2750 if (err) 2751 return (-1); 2752 2753 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2754 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2755 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2756 if (err) 2757 return (-1); 2758 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2759 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2760 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2761 if (err) 2762 return (-1); 2763 } else 2764 return (-1); 2765 2766 return (0); 2767 } 2768 2769 static void 2770 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2771 __unused char sfrm, int xml) 2772 { 2773 2774 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2775 if (xml) { 2776 open_attr(fp, "audit-uid"); 2777 print_user(fp, tok->tt.proc32_ex.auid, raw); 2778 close_attr(fp); 2779 open_attr(fp, "uid"); 2780 print_user(fp, tok->tt.proc32_ex.euid, raw); 2781 close_attr(fp); 2782 open_attr(fp, "gid"); 2783 print_group(fp, tok->tt.proc32_ex.egid, raw); 2784 close_attr(fp); 2785 open_attr(fp, "ruid"); 2786 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2787 close_attr(fp); 2788 open_attr(fp, "rgid"); 2789 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2790 close_attr(fp); 2791 open_attr(fp, "pid"); 2792 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2793 close_attr(fp); 2794 open_attr(fp, "sid"); 2795 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2796 close_attr(fp); 2797 open_attr(fp, "tid"); 2798 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2799 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2800 tok->tt.proc32_ex.tid.addr); 2801 close_attr(fp); 2802 close_tag(fp, tok->id); 2803 } else { 2804 print_delim(fp, del); 2805 print_user(fp, tok->tt.proc32_ex.auid, raw); 2806 print_delim(fp, del); 2807 print_user(fp, tok->tt.proc32_ex.euid, raw); 2808 print_delim(fp, del); 2809 print_group(fp, tok->tt.proc32_ex.egid, raw); 2810 print_delim(fp, del); 2811 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2812 print_delim(fp, del); 2813 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2814 print_delim(fp, del); 2815 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2816 print_delim(fp, del); 2817 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2818 print_delim(fp, del); 2819 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2820 print_delim(fp, del); 2821 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2822 tok->tt.proc32_ex.tid.addr); 2823 } 2824 } 2825 2826 /* 2827 * token ID 1 byte 2828 * audit ID 4 bytes 2829 * effective user ID 4 bytes 2830 * effective group ID 4 bytes 2831 * real user ID 4 bytes 2832 * real group ID 4 bytes 2833 * process ID 4 bytes 2834 * session ID 4 bytes 2835 * terminal ID 2836 * port ID 8 bytes 2837 * address type-len 4 bytes 2838 * machine address 16 bytes 2839 */ 2840 static int 2841 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2842 { 2843 int err = 0; 2844 2845 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2846 if (err) 2847 return (-1); 2848 2849 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2850 if (err) 2851 return (-1); 2852 2853 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2854 if (err) 2855 return (-1); 2856 2857 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2858 if (err) 2859 return (-1); 2860 2861 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2862 if (err) 2863 return (-1); 2864 2865 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2866 if (err) 2867 return (-1); 2868 2869 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2870 if (err) 2871 return (-1); 2872 2873 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2874 err); 2875 if (err) 2876 return (-1); 2877 2878 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2879 err); 2880 if (err) 2881 return (-1); 2882 2883 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2884 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2885 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2886 if (err) 2887 return (-1); 2888 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2889 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2890 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2891 if (err) 2892 return (-1); 2893 } else 2894 return (-1); 2895 2896 return (0); 2897 } 2898 2899 static void 2900 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2901 __unused char sfrm, int xml) 2902 { 2903 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2904 if (xml) { 2905 open_attr(fp, "audit-uid"); 2906 print_user(fp, tok->tt.proc64_ex.auid, raw); 2907 close_attr(fp); 2908 open_attr(fp, "uid"); 2909 print_user(fp, tok->tt.proc64_ex.euid, raw); 2910 close_attr(fp); 2911 open_attr(fp, "gid"); 2912 print_group(fp, tok->tt.proc64_ex.egid, raw); 2913 close_attr(fp); 2914 open_attr(fp, "ruid"); 2915 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2916 close_attr(fp); 2917 open_attr(fp, "rgid"); 2918 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2919 close_attr(fp); 2920 open_attr(fp, "pid"); 2921 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2922 close_attr(fp); 2923 open_attr(fp, "sid"); 2924 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2925 close_attr(fp); 2926 open_attr(fp, "tid"); 2927 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2928 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2929 tok->tt.proc64_ex.tid.addr); 2930 close_attr(fp); 2931 close_tag(fp, tok->id); 2932 } else { 2933 print_delim(fp, del); 2934 print_user(fp, tok->tt.proc64_ex.auid, raw); 2935 print_delim(fp, del); 2936 print_user(fp, tok->tt.proc64_ex.euid, raw); 2937 print_delim(fp, del); 2938 print_group(fp, tok->tt.proc64_ex.egid, raw); 2939 print_delim(fp, del); 2940 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2941 print_delim(fp, del); 2942 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2943 print_delim(fp, del); 2944 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2945 print_delim(fp, del); 2946 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2947 print_delim(fp, del); 2948 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2949 print_delim(fp, del); 2950 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2951 tok->tt.proc64_ex.tid.addr); 2952 } 2953 } 2954 2955 /* 2956 * errno 1 byte 2957 * return value 4 bytes 2958 */ 2959 static int 2960 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2961 { 2962 int err = 0; 2963 2964 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2965 if (err) 2966 return (-1); 2967 2968 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2969 if (err) 2970 return (-1); 2971 2972 return (0); 2973 } 2974 2975 static void 2976 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2977 __unused char sfrm, int xml) 2978 { 2979 2980 print_tok_type(fp, tok->id, "return", raw, xml); 2981 if (xml) { 2982 open_attr(fp ,"errval"); 2983 print_retval(fp, tok->tt.ret32.status, raw); 2984 close_attr(fp); 2985 open_attr(fp, "retval"); 2986 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2987 close_attr(fp); 2988 close_tag(fp, tok->id); 2989 } else { 2990 print_delim(fp, del); 2991 print_retval(fp, tok->tt.ret32.status, raw); 2992 print_delim(fp, del); 2993 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2994 } 2995 } 2996 2997 static int 2998 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2999 { 3000 int err = 0; 3001 3002 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3003 if (err) 3004 return (-1); 3005 3006 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3007 if (err) 3008 return (-1); 3009 3010 return (0); 3011 } 3012 3013 static void 3014 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3015 __unused char sfrm, int xml) 3016 { 3017 3018 print_tok_type(fp, tok->id, "return", raw, xml); 3019 if (xml) { 3020 open_attr(fp, "errval"); 3021 print_retval(fp, tok->tt.ret64.err, raw); 3022 close_attr(fp); 3023 open_attr(fp, "retval"); 3024 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3025 close_attr(fp); 3026 close_tag(fp, tok->id); 3027 } else { 3028 print_delim(fp, del); 3029 print_retval(fp, tok->tt.ret64.err, raw); 3030 print_delim(fp, del); 3031 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3032 } 3033 } 3034 3035 /* 3036 * seq 4 bytes 3037 */ 3038 static int 3039 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3040 { 3041 int err = 0; 3042 3043 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3044 if (err) 3045 return (-1); 3046 3047 return (0); 3048 } 3049 3050 static void 3051 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3052 __unused char sfrm, int xml) 3053 { 3054 3055 print_tok_type(fp, tok->id, "sequence", raw, xml); 3056 if (xml) { 3057 open_attr(fp, "seq-num"); 3058 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3059 close_attr(fp); 3060 close_tag(fp, tok->id); 3061 } else { 3062 print_delim(fp, del); 3063 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3064 } 3065 } 3066 3067 /* 3068 * socket family 2 bytes 3069 * local port 2 bytes 3070 * socket address 4 bytes 3071 */ 3072 static int 3073 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3074 { 3075 int err = 0; 3076 3077 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3078 err); 3079 if (err) 3080 return (-1); 3081 3082 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3083 sizeof(uint16_t), tok->len, err); 3084 if (err) 3085 return (-1); 3086 3087 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3088 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3089 if (err) 3090 return (-1); 3091 3092 return (0); 3093 } 3094 3095 static void 3096 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3097 __unused char sfrm, int xml) 3098 { 3099 3100 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3101 if (xml) { 3102 open_attr(fp, "type"); 3103 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3104 close_attr(fp); 3105 open_attr(fp, "port"); 3106 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3107 close_attr(fp); 3108 open_attr(fp, "addr"); 3109 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3110 close_attr(fp); 3111 close_tag(fp, tok->id); 3112 } else { 3113 print_delim(fp, del); 3114 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3115 print_delim(fp, del); 3116 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3117 print_delim(fp, del); 3118 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3119 } 3120 } 3121 3122 /* 3123 * socket family 2 bytes 3124 * local port 2 bytes 3125 * socket address 16 bytes 3126 */ 3127 static int 3128 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3129 { 3130 int err = 0; 3131 3132 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3133 err); 3134 if (err) 3135 return (-1); 3136 3137 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3138 sizeof(uint16_t), tok->len, err); 3139 if (err) 3140 return (-1); 3141 3142 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3143 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3144 if (err) 3145 return (-1); 3146 3147 return (0); 3148 } 3149 3150 static void 3151 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3152 __unused char sfrm, int xml) 3153 { 3154 3155 print_tok_type(fp, tok->id, "socket-inet6", raw, xml); 3156 if (xml) { 3157 open_attr(fp, "type"); 3158 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3159 close_attr(fp); 3160 open_attr(fp, "port"); 3161 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3162 close_attr(fp); 3163 open_attr(fp, "addr"); 3164 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3165 close_attr(fp); 3166 close_tag(fp, tok->id); 3167 } else { 3168 print_delim(fp, del); 3169 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3170 print_delim(fp, del); 3171 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3172 print_delim(fp, del); 3173 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3174 } 3175 } 3176 3177 /* 3178 * socket family 2 bytes 3179 * path (up to) 104 bytes + NULL (NULL terminated string). 3180 */ 3181 static int 3182 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3183 { 3184 int err = 0; 3185 u_char *p; 3186 int slen; 3187 3188 3189 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3190 if (err) 3191 return (-1); 3192 3193 /* slen = strnlen((buf + tok->len), 104) + 1; */ 3194 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104); 3195 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1; 3196 3197 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err); 3198 if (err) 3199 return (-1); 3200 3201 return (0); 3202 } 3203 3204 static void 3205 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3206 __unused char sfrm, int xml) 3207 { 3208 3209 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3210 if (xml) { 3211 open_attr(fp, "type"); 3212 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3213 close_attr(fp); 3214 open_attr(fp, "port"); 3215 close_attr(fp); 3216 open_attr(fp, "addr"); 3217 print_string(fp, tok->tt.sockunix.path, 3218 strlen(tok->tt.sockunix.path)); 3219 close_attr(fp); 3220 close_tag(fp, tok->id); 3221 } else { 3222 print_delim(fp, del); 3223 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3224 print_delim(fp, del); 3225 print_string(fp, tok->tt.sockunix.path, 3226 strlen(tok->tt.sockunix.path)); 3227 } 3228 } 3229 3230 /* 3231 * socket type 2 bytes 3232 * local port 2 bytes 3233 * local address 4 bytes 3234 * remote port 2 bytes 3235 * remote address 4 bytes 3236 */ 3237 static int 3238 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3239 { 3240 int err = 0; 3241 3242 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3243 if (err) 3244 return (-1); 3245 3246 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3247 tok->len, err); 3248 if (err) 3249 return (-1); 3250 3251 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3252 sizeof(tok->tt.socket.l_addr), tok->len, err); 3253 if (err) 3254 return (-1); 3255 3256 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3257 tok->len, err); 3258 if (err) 3259 return (-1); 3260 3261 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3262 sizeof(tok->tt.socket.r_addr), tok->len, err); 3263 if (err) 3264 return (-1); 3265 3266 return (0); 3267 } 3268 3269 static void 3270 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3271 __unused char sfrm, int xml) 3272 { 3273 3274 print_tok_type(fp, tok->id, "socket", raw, xml); 3275 if (xml) { 3276 open_attr(fp, "sock_type"); 3277 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3278 close_attr(fp); 3279 open_attr(fp, "lport"); 3280 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3281 close_attr(fp); 3282 open_attr(fp, "laddr"); 3283 print_ip_address(fp, tok->tt.socket.l_addr); 3284 close_attr(fp); 3285 open_attr(fp, "fport"); 3286 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3287 close_attr(fp); 3288 open_attr(fp, "faddr"); 3289 print_ip_address(fp, tok->tt.socket.r_addr); 3290 close_attr(fp); 3291 close_tag(fp, tok->id); 3292 } else { 3293 print_delim(fp, del); 3294 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3295 print_delim(fp, del); 3296 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3297 print_delim(fp, del); 3298 print_ip_address(fp, tok->tt.socket.l_addr); 3299 print_delim(fp, del); 3300 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3301 print_delim(fp, del); 3302 print_ip_address(fp, tok->tt.socket.r_addr); 3303 } 3304 } 3305 3306 /* 3307 * audit ID 4 bytes 3308 * euid 4 bytes 3309 * egid 4 bytes 3310 * ruid 4 bytes 3311 * rgid 4 bytes 3312 * pid 4 bytes 3313 * sessid 4 bytes 3314 * terminal ID 3315 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3316 * machine id 4 bytes 3317 */ 3318 static int 3319 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3320 { 3321 int err = 0; 3322 3323 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3324 if (err) 3325 return (-1); 3326 3327 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3328 if (err) 3329 return (-1); 3330 3331 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3332 if (err) 3333 return (-1); 3334 3335 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3336 if (err) 3337 return (-1); 3338 3339 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3340 if (err) 3341 return (-1); 3342 3343 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3344 if (err) 3345 return (-1); 3346 3347 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3348 if (err) 3349 return (-1); 3350 3351 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3352 if (err) 3353 return (-1); 3354 3355 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3356 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3357 if (err) 3358 return (-1); 3359 3360 return (0); 3361 } 3362 3363 static void 3364 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3365 __unused char sfrm, int xml) 3366 { 3367 3368 print_tok_type(fp, tok->id, "subject", raw, xml); 3369 if (xml) { 3370 open_attr(fp, "audit-uid"); 3371 print_user(fp, tok->tt.subj32.auid, raw); 3372 close_attr(fp); 3373 open_attr(fp, "uid"); 3374 print_user(fp, tok->tt.subj32.euid, raw); 3375 close_attr(fp); 3376 open_attr(fp, "gid"); 3377 print_group(fp, tok->tt.subj32.egid, raw); 3378 close_attr(fp); 3379 open_attr(fp, "ruid"); 3380 print_user(fp, tok->tt.subj32.ruid, raw); 3381 close_attr(fp); 3382 open_attr(fp, "rgid"); 3383 print_group(fp, tok->tt.subj32.rgid, raw); 3384 close_attr(fp); 3385 open_attr(fp,"pid"); 3386 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3387 close_attr(fp); 3388 open_attr(fp,"sid"); 3389 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3390 close_attr(fp); 3391 open_attr(fp,"tid"); 3392 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3393 print_ip_address(fp, tok->tt.subj32.tid.addr); 3394 close_attr(fp); 3395 close_tag(fp, tok->id); 3396 } else { 3397 print_delim(fp, del); 3398 print_user(fp, tok->tt.subj32.auid, raw); 3399 print_delim(fp, del); 3400 print_user(fp, tok->tt.subj32.euid, raw); 3401 print_delim(fp, del); 3402 print_group(fp, tok->tt.subj32.egid, raw); 3403 print_delim(fp, del); 3404 print_user(fp, tok->tt.subj32.ruid, raw); 3405 print_delim(fp, del); 3406 print_group(fp, tok->tt.subj32.rgid, raw); 3407 print_delim(fp, del); 3408 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3409 print_delim(fp, del); 3410 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3411 print_delim(fp, del); 3412 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3413 print_delim(fp, del); 3414 print_ip_address(fp, tok->tt.subj32.tid.addr); 3415 } 3416 } 3417 3418 /* 3419 * audit ID 4 bytes 3420 * euid 4 bytes 3421 * egid 4 bytes 3422 * ruid 4 bytes 3423 * rgid 4 bytes 3424 * pid 4 bytes 3425 * sessid 4 bytes 3426 * terminal ID 3427 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3428 * machine id 4 bytes 3429 */ 3430 static int 3431 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3432 { 3433 int err = 0; 3434 3435 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3436 if (err) 3437 return (-1); 3438 3439 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3440 if (err) 3441 return (-1); 3442 3443 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3444 if (err) 3445 return (-1); 3446 3447 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3448 if (err) 3449 return (-1); 3450 3451 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3452 if (err) 3453 return (-1); 3454 3455 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3456 if (err) 3457 return (-1); 3458 3459 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3460 if (err) 3461 return (-1); 3462 3463 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3464 if (err) 3465 return (-1); 3466 3467 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3468 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3469 if (err) 3470 return (-1); 3471 3472 return (0); 3473 } 3474 3475 static void 3476 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3477 __unused char sfrm, int xml) 3478 { 3479 3480 print_tok_type(fp, tok->id, "subject", raw, xml); 3481 if (xml) { 3482 open_attr(fp, "audit-uid"); 3483 print_user(fp, tok->tt.subj64.auid, raw); 3484 close_attr(fp); 3485 open_attr(fp, "uid"); 3486 print_user(fp, tok->tt.subj64.euid, raw); 3487 close_attr(fp); 3488 open_attr(fp, "gid"); 3489 print_group(fp, tok->tt.subj64.egid, raw); 3490 close_attr(fp); 3491 open_attr(fp, "ruid"); 3492 print_user(fp, tok->tt.subj64.ruid, raw); 3493 close_attr(fp); 3494 open_attr(fp, "rgid"); 3495 print_group(fp, tok->tt.subj64.rgid, raw); 3496 close_attr(fp); 3497 open_attr(fp, "pid"); 3498 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3499 close_attr(fp); 3500 open_attr(fp, "sid"); 3501 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3502 close_attr(fp); 3503 open_attr(fp, "tid"); 3504 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3505 print_ip_address(fp, tok->tt.subj64.tid.addr); 3506 close_attr(fp); 3507 close_tag(fp, tok->id); 3508 } else { 3509 print_delim(fp, del); 3510 print_user(fp, tok->tt.subj64.auid, raw); 3511 print_delim(fp, del); 3512 print_user(fp, tok->tt.subj64.euid, raw); 3513 print_delim(fp, del); 3514 print_group(fp, tok->tt.subj64.egid, raw); 3515 print_delim(fp, del); 3516 print_user(fp, tok->tt.subj64.ruid, raw); 3517 print_delim(fp, del); 3518 print_group(fp, tok->tt.subj64.rgid, raw); 3519 print_delim(fp, del); 3520 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3521 print_delim(fp, del); 3522 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3523 print_delim(fp, del); 3524 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3525 print_delim(fp, del); 3526 print_ip_address(fp, tok->tt.subj64.tid.addr); 3527 } 3528 } 3529 3530 /* 3531 * audit ID 4 bytes 3532 * euid 4 bytes 3533 * egid 4 bytes 3534 * ruid 4 bytes 3535 * rgid 4 bytes 3536 * pid 4 bytes 3537 * sessid 4 bytes 3538 * terminal ID 3539 * portid 4 bytes 3540 * type 4 bytes 3541 * machine id 16 bytes 3542 */ 3543 static int 3544 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3545 { 3546 int err = 0; 3547 3548 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3549 if (err) 3550 return (-1); 3551 3552 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3553 if (err) 3554 return (-1); 3555 3556 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3557 if (err) 3558 return (-1); 3559 3560 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3561 if (err) 3562 return (-1); 3563 3564 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3565 if (err) 3566 return (-1); 3567 3568 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3569 if (err) 3570 return (-1); 3571 3572 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3573 if (err) 3574 return (-1); 3575 3576 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3577 err); 3578 if (err) 3579 return (-1); 3580 3581 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3582 err); 3583 if (err) 3584 return (-1); 3585 3586 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3587 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3588 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3589 if (err) 3590 return (-1); 3591 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3592 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3593 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3594 if (err) 3595 return (-1); 3596 } else 3597 return (-1); 3598 3599 return (0); 3600 } 3601 3602 static void 3603 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3604 __unused char sfrm, int xml) 3605 { 3606 3607 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3608 if (xml) { 3609 open_attr(fp, "audit-uid"); 3610 print_user(fp, tok->tt.subj32_ex.auid, raw); 3611 close_attr(fp); 3612 open_attr(fp, "uid"); 3613 print_user(fp, tok->tt.subj32_ex.euid, raw); 3614 close_attr(fp); 3615 open_attr(fp, "gid"); 3616 print_group(fp, tok->tt.subj32_ex.egid, raw); 3617 close_attr(fp); 3618 open_attr(fp, "ruid"); 3619 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3620 close_attr(fp); 3621 open_attr(fp, "rgid"); 3622 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3623 close_attr(fp); 3624 open_attr(fp, "pid"); 3625 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3626 close_attr(fp); 3627 open_attr(fp, "sid"); 3628 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3629 close_attr(fp); 3630 open_attr(fp, "tid"); 3631 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3632 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3633 tok->tt.subj32_ex.tid.addr); 3634 close_attr(fp); 3635 close_tag(fp, tok->id); 3636 } else { 3637 print_delim(fp, del); 3638 print_user(fp, tok->tt.subj32_ex.auid, raw); 3639 print_delim(fp, del); 3640 print_user(fp, tok->tt.subj32_ex.euid, raw); 3641 print_delim(fp, del); 3642 print_group(fp, tok->tt.subj32_ex.egid, raw); 3643 print_delim(fp, del); 3644 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3645 print_delim(fp, del); 3646 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3647 print_delim(fp, del); 3648 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3649 print_delim(fp, del); 3650 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3651 print_delim(fp, del); 3652 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3653 print_delim(fp, del); 3654 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3655 tok->tt.subj32_ex.tid.addr); 3656 } 3657 } 3658 3659 /* 3660 * audit ID 4 bytes 3661 * euid 4 bytes 3662 * egid 4 bytes 3663 * ruid 4 bytes 3664 * rgid 4 bytes 3665 * pid 4 bytes 3666 * sessid 4 bytes 3667 * terminal ID 3668 * portid 8 bytes 3669 * type 4 bytes 3670 * machine id 16 bytes 3671 */ 3672 static int 3673 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3674 { 3675 int err = 0; 3676 3677 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3678 if (err) 3679 return (-1); 3680 3681 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3682 if (err) 3683 return (-1); 3684 3685 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3686 if (err) 3687 return (-1); 3688 3689 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3690 if (err) 3691 return (-1); 3692 3693 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3694 if (err) 3695 return (-1); 3696 3697 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3698 if (err) 3699 return (-1); 3700 3701 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3702 if (err) 3703 return (-1); 3704 3705 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3706 err); 3707 if (err) 3708 return (-1); 3709 3710 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3711 err); 3712 if (err) 3713 return (-1); 3714 3715 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3716 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3717 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3718 if (err) 3719 return (-1); 3720 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3721 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3722 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3723 if (err) 3724 return (-1); 3725 } else 3726 return (-1); 3727 3728 return (0); 3729 } 3730 3731 static void 3732 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3733 __unused char sfrm, int xml) 3734 { 3735 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3736 if (xml) { 3737 open_attr(fp, "audit-uid"); 3738 print_user(fp, tok->tt.subj64_ex.auid, raw); 3739 close_attr(fp); 3740 open_attr(fp, "uid"); 3741 print_user(fp, tok->tt.subj64_ex.euid, raw); 3742 close_attr(fp); 3743 open_attr(fp, "gid"); 3744 print_group(fp, tok->tt.subj64_ex.egid, raw); 3745 close_attr(fp); 3746 open_attr(fp, "ruid"); 3747 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3748 close_attr(fp); 3749 open_attr(fp, "rgid"); 3750 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3751 close_attr(fp); 3752 open_attr(fp, "pid"); 3753 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3754 close_attr(fp); 3755 open_attr(fp, "sid"); 3756 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3757 close_attr(fp); 3758 open_attr(fp, "tid"); 3759 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3760 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3761 tok->tt.subj64_ex.tid.addr); 3762 close_attr(fp); 3763 close_tag(fp, tok->id); 3764 } else { 3765 print_delim(fp, del); 3766 print_user(fp, tok->tt.subj64_ex.auid, raw); 3767 print_delim(fp, del); 3768 print_user(fp, tok->tt.subj64_ex.euid, raw); 3769 print_delim(fp, del); 3770 print_group(fp, tok->tt.subj64_ex.egid, raw); 3771 print_delim(fp, del); 3772 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3773 print_delim(fp, del); 3774 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3775 print_delim(fp, del); 3776 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3777 print_delim(fp, del); 3778 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3779 print_delim(fp, del); 3780 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3781 print_delim(fp, del); 3782 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3783 tok->tt.subj64_ex.tid.addr); 3784 } 3785 } 3786 3787 /* 3788 * size 2 bytes 3789 * data size bytes 3790 */ 3791 static int 3792 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3793 { 3794 int err = 0; 3795 3796 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3797 if (err) 3798 return (-1); 3799 3800 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3801 err); 3802 if (err) 3803 return (-1); 3804 3805 return (0); 3806 } 3807 3808 static void 3809 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3810 __unused char sfrm, int xml) 3811 { 3812 3813 print_tok_type(fp, tok->id, "text", raw, xml); 3814 if (xml) { 3815 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3816 close_tag(fp, tok->id); 3817 } else { 3818 print_delim(fp, del); 3819 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3820 } 3821 } 3822 3823 /* 3824 * socket domain 2 bytes 3825 * socket type 2 bytes 3826 * address type 2 bytes 3827 * local port 2 bytes 3828 * local Internet address 4/16 bytes 3829 * remote port 2 bytes 3830 * remote Internet address 4/16 bytes 3831 */ 3832 static int 3833 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3834 { 3835 int err = 0; 3836 3837 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3838 err); 3839 if (err) 3840 return (-1); 3841 3842 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3843 err); 3844 if (err) 3845 return (-1); 3846 3847 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3848 err); 3849 if (err) 3850 return (-1); 3851 3852 if (tok->tt.socket_ex32.atype != AU_IPv4 && 3853 tok->tt.socket_ex32.atype != AU_IPv6) 3854 return (-1); 3855 3856 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3857 sizeof(uint16_t), tok->len, err); 3858 if (err) 3859 return (-1); 3860 3861 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3862 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3863 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3864 if (err) 3865 return (-1); 3866 } else { 3867 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3868 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3869 if (err) 3870 return (-1); 3871 } 3872 3873 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3874 sizeof(uint16_t), tok->len, err); 3875 if (err) 3876 return (-1); 3877 3878 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3879 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3880 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3881 if (err) 3882 return (-1); 3883 } else { 3884 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3885 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3886 if (err) 3887 return (-1); 3888 } 3889 3890 return (0); 3891 } 3892 3893 static void 3894 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3895 __unused char sfrm, int xml) 3896 { 3897 3898 /* 3899 * This print routine prints BSM constant space domains and socket 3900 * types rather than converting them. If we add string printers for 3901 * these constants in the future, we may want to call conversion 3902 * routines. 3903 */ 3904 print_tok_type(fp, tok->id, "socket", raw, xml); 3905 if (xml) { 3906 open_attr(fp, "sock_dom"); 3907 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3908 close_attr(fp); 3909 open_attr(fp, "sock_type"); 3910 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3911 close_attr(fp); 3912 open_attr(fp, "lport"); 3913 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3914 close_attr(fp); 3915 open_attr(fp, "laddr"); 3916 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3917 tok->tt.socket_ex32.l_addr); 3918 close_attr(fp); 3919 open_attr(fp, "faddr"); 3920 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3921 tok->tt.socket_ex32.r_addr); 3922 close_attr(fp); 3923 open_attr(fp, "fport"); 3924 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3925 close_attr(fp); 3926 close_tag(fp, tok->id); 3927 } else { 3928 print_delim(fp, del); 3929 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3930 print_delim(fp, del); 3931 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3932 print_delim(fp, del); 3933 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3934 print_delim(fp, del); 3935 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3936 tok->tt.socket_ex32.l_addr); 3937 print_delim(fp, del); 3938 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3939 print_delim(fp, del); 3940 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3941 tok->tt.socket_ex32.r_addr); 3942 } 3943 } 3944 3945 static int 3946 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3947 { 3948 int err = 0; 3949 int recoversize; 3950 3951 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3952 if (recoversize <= 0) 3953 return (-1); 3954 3955 tok->tt.invalid.length = recoversize; 3956 3957 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3958 err); 3959 if (err) 3960 return (-1); 3961 3962 return (0); 3963 } 3964 3965 static void 3966 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3967 __unused char sfrm, int xml) 3968 { 3969 3970 if (!xml) { 3971 print_tok_type(fp, tok->id, "unknown", raw, 0); 3972 print_delim(fp, del); 3973 print_mem(fp, (u_char*)tok->tt.invalid.data, 3974 tok->tt.invalid.length); 3975 } 3976 } 3977 3978 3979 /* 3980 * size 2 bytes; 3981 * zonename size bytes; 3982 */ 3983 static int 3984 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3985 { 3986 int err = 0; 3987 3988 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3989 if (err) 3990 return (-1); 3991 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3992 tok->len, err); 3993 if (err) 3994 return (-1); 3995 return (0); 3996 } 3997 3998 static void 3999 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 4000 __unused char sfrm, int xml) 4001 { 4002 4003 print_tok_type(fp, tok->id, "zone", raw, xml); 4004 if (xml) { 4005 open_attr(fp, "name"); 4006 print_string(fp, tok->tt.zonename.zonename, 4007 tok->tt.zonename.len); 4008 close_attr(fp); 4009 close_tag(fp, tok->id); 4010 } else { 4011 print_delim(fp, del); 4012 print_string(fp, tok->tt.zonename.zonename, 4013 tok->tt.zonename.len); 4014 } 4015 } 4016 4017 /* 4018 * Reads the token beginning at buf into tok. 4019 */ 4020 int 4021 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4022 { 4023 4024 if (len <= 0) 4025 return (-1); 4026 4027 tok->len = 1; 4028 tok->data = buf; 4029 tok->id = *buf; 4030 4031 switch(tok->id) { 4032 case AUT_HEADER32: 4033 return (fetch_header32_tok(tok, buf, len)); 4034 4035 case AUT_HEADER32_EX: 4036 return (fetch_header32_ex_tok(tok, buf, len)); 4037 4038 case AUT_HEADER64: 4039 return (fetch_header64_tok(tok, buf, len)); 4040 4041 case AUT_HEADER64_EX: 4042 return (fetch_header64_ex_tok(tok, buf, len)); 4043 4044 case AUT_TRAILER: 4045 return (fetch_trailer_tok(tok, buf, len)); 4046 4047 case AUT_ARG32: 4048 return (fetch_arg32_tok(tok, buf, len)); 4049 4050 case AUT_ARG64: 4051 return (fetch_arg64_tok(tok, buf, len)); 4052 4053 case AUT_ATTR32: 4054 return (fetch_attr32_tok(tok, buf, len)); 4055 4056 case AUT_ATTR64: 4057 return (fetch_attr64_tok(tok, buf, len)); 4058 4059 case AUT_EXIT: 4060 return (fetch_exit_tok(tok, buf, len)); 4061 4062 case AUT_EXEC_ARGS: 4063 return (fetch_execarg_tok(tok, buf, len)); 4064 4065 case AUT_EXEC_ENV: 4066 return (fetch_execenv_tok(tok, buf, len)); 4067 4068 case AUT_OTHER_FILE32: 4069 return (fetch_file_tok(tok, buf, len)); 4070 4071 case AUT_NEWGROUPS: 4072 return (fetch_newgroups_tok(tok, buf, len)); 4073 4074 case AUT_IN_ADDR: 4075 return (fetch_inaddr_tok(tok, buf, len)); 4076 4077 case AUT_IN_ADDR_EX: 4078 return (fetch_inaddr_ex_tok(tok, buf, len)); 4079 4080 case AUT_IP: 4081 return (fetch_ip_tok(tok, buf, len)); 4082 4083 case AUT_IPC: 4084 return (fetch_ipc_tok(tok, buf, len)); 4085 4086 case AUT_IPC_PERM: 4087 return (fetch_ipcperm_tok(tok, buf, len)); 4088 4089 case AUT_IPORT: 4090 return (fetch_iport_tok(tok, buf, len)); 4091 4092 case AUT_OPAQUE: 4093 return (fetch_opaque_tok(tok, buf, len)); 4094 4095 case AUT_PATH: 4096 return (fetch_path_tok(tok, buf, len)); 4097 4098 case AUT_PROCESS32: 4099 return (fetch_process32_tok(tok, buf, len)); 4100 4101 case AUT_PROCESS32_EX: 4102 return (fetch_process32ex_tok(tok, buf, len)); 4103 4104 case AUT_PROCESS64: 4105 return (fetch_process64_tok(tok, buf, len)); 4106 4107 case AUT_PROCESS64_EX: 4108 return (fetch_process64ex_tok(tok, buf, len)); 4109 4110 case AUT_RETURN32: 4111 return (fetch_return32_tok(tok, buf, len)); 4112 4113 case AUT_RETURN64: 4114 return (fetch_return64_tok(tok, buf, len)); 4115 4116 case AUT_SEQ: 4117 return (fetch_seq_tok(tok, buf, len)); 4118 4119 case AUT_SOCKET: 4120 return (fetch_socket_tok(tok, buf, len)); 4121 4122 case AUT_SOCKINET32: 4123 return (fetch_sock_inet32_tok(tok, buf, len)); 4124 4125 case AUT_SOCKUNIX: 4126 return (fetch_sock_unix_tok(tok, buf, len)); 4127 4128 case AUT_SOCKINET128: 4129 return (fetch_sock_inet128_tok(tok, buf, len)); 4130 4131 case AUT_SUBJECT32: 4132 return (fetch_subject32_tok(tok, buf, len)); 4133 4134 case AUT_SUBJECT32_EX: 4135 return (fetch_subject32ex_tok(tok, buf, len)); 4136 4137 case AUT_SUBJECT64: 4138 return (fetch_subject64_tok(tok, buf, len)); 4139 4140 case AUT_SUBJECT64_EX: 4141 return (fetch_subject64ex_tok(tok, buf, len)); 4142 4143 case AUT_TEXT: 4144 return (fetch_text_tok(tok, buf, len)); 4145 4146 case AUT_SOCKET_EX: 4147 return (fetch_socketex32_tok(tok, buf, len)); 4148 4149 case AUT_DATA: 4150 return (fetch_arb_tok(tok, buf, len)); 4151 4152 case AUT_ZONENAME: 4153 return (fetch_zonename_tok(tok, buf, len)); 4154 4155 default: 4156 return (fetch_invalid_tok(tok, buf, len)); 4157 } 4158 } 4159 4160 /* 4161 * 'prints' the token out to outfp. 4162 */ 4163 void 4164 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4165 { 4166 4167 switch(tok->id) { 4168 case AUT_HEADER32: 4169 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4170 return; 4171 4172 case AUT_HEADER32_EX: 4173 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4174 return; 4175 4176 case AUT_HEADER64: 4177 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4178 return; 4179 4180 case AUT_HEADER64_EX: 4181 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4182 return; 4183 4184 case AUT_TRAILER: 4185 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4186 return; 4187 4188 case AUT_ARG32: 4189 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4190 return; 4191 4192 case AUT_ARG64: 4193 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4194 return; 4195 4196 case AUT_DATA: 4197 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4198 return; 4199 4200 case AUT_ATTR32: 4201 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4202 return; 4203 4204 case AUT_ATTR64: 4205 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4206 return; 4207 4208 case AUT_EXIT: 4209 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4210 return; 4211 4212 case AUT_EXEC_ARGS: 4213 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4214 return; 4215 4216 case AUT_EXEC_ENV: 4217 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4218 return; 4219 4220 case AUT_OTHER_FILE32: 4221 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4222 return; 4223 4224 case AUT_NEWGROUPS: 4225 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4226 return; 4227 4228 case AUT_IN_ADDR: 4229 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4230 return; 4231 4232 case AUT_IN_ADDR_EX: 4233 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4234 return; 4235 4236 case AUT_IP: 4237 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4238 return; 4239 4240 case AUT_IPC: 4241 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4242 return; 4243 4244 case AUT_IPC_PERM: 4245 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4246 return; 4247 4248 case AUT_IPORT: 4249 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4250 return; 4251 4252 case AUT_OPAQUE: 4253 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4254 return; 4255 4256 case AUT_PATH: 4257 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4258 return; 4259 4260 case AUT_PROCESS32: 4261 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4262 return; 4263 4264 case AUT_PROCESS32_EX: 4265 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4266 return; 4267 4268 case AUT_PROCESS64: 4269 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4270 return; 4271 4272 case AUT_PROCESS64_EX: 4273 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4274 return; 4275 4276 case AUT_RETURN32: 4277 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4278 return; 4279 4280 case AUT_RETURN64: 4281 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4282 return; 4283 4284 case AUT_SEQ: 4285 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4286 return; 4287 4288 case AUT_SOCKET: 4289 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4290 return; 4291 4292 case AUT_SOCKINET32: 4293 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4294 return; 4295 4296 case AUT_SOCKUNIX: 4297 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4298 return; 4299 4300 case AUT_SOCKINET128: 4301 print_sock_inet128_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4302 return; 4303 4304 case AUT_SUBJECT32: 4305 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4306 return; 4307 4308 case AUT_SUBJECT64: 4309 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4310 return; 4311 4312 case AUT_SUBJECT32_EX: 4313 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4314 return; 4315 4316 case AUT_SUBJECT64_EX: 4317 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4318 return; 4319 4320 case AUT_TEXT: 4321 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4322 return; 4323 4324 case AUT_SOCKET_EX: 4325 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4326 return; 4327 4328 case AUT_ZONENAME: 4329 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4330 return; 4331 4332 default: 4333 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4334 } 4335 } 4336 4337 /* 4338 * 'prints' the token out to outfp in XML format. 4339 */ 4340 void 4341 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4342 char sfrm) 4343 { 4344 4345 switch(tok->id) { 4346 case AUT_HEADER32: 4347 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4348 return; 4349 4350 case AUT_HEADER32_EX: 4351 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4352 return; 4353 4354 case AUT_HEADER64: 4355 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4356 return; 4357 4358 case AUT_HEADER64_EX: 4359 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4360 return; 4361 4362 case AUT_TRAILER: 4363 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4364 return; 4365 4366 case AUT_ARG32: 4367 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4368 return; 4369 4370 case AUT_ARG64: 4371 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4372 return; 4373 4374 case AUT_DATA: 4375 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4376 return; 4377 4378 case AUT_ATTR32: 4379 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4380 return; 4381 4382 case AUT_ATTR64: 4383 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4384 return; 4385 4386 case AUT_EXIT: 4387 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4388 return; 4389 4390 case AUT_EXEC_ARGS: 4391 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4392 return; 4393 4394 case AUT_EXEC_ENV: 4395 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4396 return; 4397 4398 case AUT_OTHER_FILE32: 4399 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4400 return; 4401 4402 case AUT_NEWGROUPS: 4403 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4404 return; 4405 4406 case AUT_IN_ADDR: 4407 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4408 return; 4409 4410 case AUT_IN_ADDR_EX: 4411 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4412 return; 4413 4414 case AUT_IP: 4415 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4416 return; 4417 4418 case AUT_IPC: 4419 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4420 return; 4421 4422 case AUT_IPC_PERM: 4423 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4424 return; 4425 4426 case AUT_IPORT: 4427 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4428 return; 4429 4430 case AUT_OPAQUE: 4431 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4432 return; 4433 4434 case AUT_PATH: 4435 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4436 return; 4437 4438 case AUT_PROCESS32: 4439 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4440 return; 4441 4442 case AUT_PROCESS32_EX: 4443 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4444 return; 4445 4446 case AUT_PROCESS64: 4447 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4448 return; 4449 4450 case AUT_PROCESS64_EX: 4451 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4452 return; 4453 4454 case AUT_RETURN32: 4455 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4456 return; 4457 4458 case AUT_RETURN64: 4459 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4460 return; 4461 4462 case AUT_SEQ: 4463 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4464 return; 4465 4466 case AUT_SOCKET: 4467 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4468 return; 4469 4470 case AUT_SOCKINET32: 4471 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4472 return; 4473 4474 case AUT_SOCKUNIX: 4475 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4476 return; 4477 4478 case AUT_SUBJECT32: 4479 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4480 return; 4481 4482 case AUT_SUBJECT64: 4483 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4484 return; 4485 4486 case AUT_SUBJECT32_EX: 4487 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4488 return; 4489 4490 case AUT_SUBJECT64_EX: 4491 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4492 return; 4493 4494 case AUT_TEXT: 4495 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4496 return; 4497 4498 case AUT_SOCKET_EX: 4499 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4500 return; 4501 4502 case AUT_ZONENAME: 4503 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4504 return; 4505 4506 default: 4507 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4508 } 4509 } 4510 4511 /* 4512 * Read a record from the file pointer, store data in buf memory for buf is 4513 * also allocated in this function and has to be free'd outside this call. 4514 * 4515 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4516 * complete audit record. 4517 * 4518 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4519 * state, because it will be partly offset into a record. We should rewind 4520 * or do something more intelligent. Particularly interesting is the case 4521 * where we perform a partial read of a record from a non-blockable file 4522 * descriptor. We should return the partial read and continue...? 4523 */ 4524 int 4525 au_read_rec(FILE *fp, u_char **buf) 4526 { 4527 u_char *bptr; 4528 u_int32_t recsize; 4529 u_int32_t bytestoread; 4530 u_char type; 4531 4532 u_int32_t sec, msec; 4533 u_int16_t filenamelen; 4534 4535 type = fgetc(fp); 4536 4537 switch (type) { 4538 case AUT_HEADER32: 4539 case AUT_HEADER32_EX: 4540 case AUT_HEADER64: 4541 case AUT_HEADER64_EX: 4542 /* read the record size from the token */ 4543 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4544 sizeof(u_int32_t)) { 4545 errno = EINVAL; 4546 return (-1); 4547 } 4548 recsize = be32toh(recsize); 4549 4550 /* Check for recsize sanity */ 4551 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4552 errno = EINVAL; 4553 return (-1); 4554 } 4555 4556 *buf = malloc(recsize * sizeof(u_char)); 4557 if (*buf == NULL) 4558 return (-1); 4559 bptr = *buf; 4560 memset(bptr, 0, recsize); 4561 4562 /* store the token contents already read, back to the buffer*/ 4563 *bptr = type; 4564 bptr++; 4565 be32enc(bptr, recsize); 4566 bptr += sizeof(u_int32_t); 4567 4568 /* now read remaining record bytes */ 4569 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4570 4571 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4572 free(*buf); 4573 errno = EINVAL; 4574 return (-1); 4575 } 4576 break; 4577 4578 case AUT_OTHER_FILE32: 4579 /* 4580 * The file token is variable-length, as it includes a 4581 * pathname. As a result, we have to read incrementally 4582 * until we know the total length, then allocate space and 4583 * read the rest. 4584 */ 4585 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4586 errno = EINVAL; 4587 return (-1); 4588 } 4589 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4590 errno = EINVAL; 4591 return (-1); 4592 } 4593 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4594 sizeof(filenamelen)) { 4595 errno = EINVAL; 4596 return (-1); 4597 } 4598 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4599 sizeof(filenamelen) + ntohs(filenamelen); 4600 *buf = malloc(recsize); 4601 if (*buf == NULL) 4602 return (-1); 4603 bptr = *buf; 4604 4605 bcopy(&type, bptr, sizeof(type)); 4606 bptr += sizeof(type); 4607 bcopy(&sec, bptr, sizeof(sec)); 4608 bptr += sizeof(sec); 4609 bcopy(&msec, bptr, sizeof(msec)); 4610 bptr += sizeof(msec); 4611 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4612 bptr += sizeof(filenamelen); 4613 4614 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4615 ntohs(filenamelen)) { 4616 free(buf); 4617 errno = EINVAL; 4618 return (-1); 4619 } 4620 break; 4621 4622 default: 4623 errno = EINVAL; 4624 return (-1); 4625 } 4626 4627 return (recsize); 4628 } 4629