1 /* 2 * Copyright (c) 2004 Apple Computer, Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#48 $ 36 */ 37 38 #include <sys/types.h> 39 40 #include <config/config.h> 41 #ifdef HAVE_SYS_ENDIAN_H 42 #include <sys/endian.h> 43 #else /* !HAVE_SYS_ENDIAN_H */ 44 #ifdef HAVE_MACHINE_ENDIAN_H 45 #include <machine/endian.h> 46 #else /* !HAVE_MACHINE_ENDIAN_H */ 47 #ifdef HAVE_ENDIAN_H 48 #include <endian.h> 49 #else /* !HAVE_ENDIAN_H */ 50 #error "No supported endian.h" 51 #endif /* !HAVE_ENDIAN_H */ 52 #endif /* !HAVE_MACHINE_ENDIAN_H */ 53 #include <compat/endian.h> 54 #endif /* !HAVE_SYS_ENDIAN_H */ 55 #ifdef HAVE_FULL_QUEUE_H 56 #include <sys/queue.h> 57 #else /* !HAVE_FULL_QUEUE_H */ 58 #include <compat/queue.h> 59 #endif /* !HAVE_FULL_QUEUE_H */ 60 61 #include <sys/stat.h> 62 #include <sys/socket.h> 63 64 #include <bsm/libbsm.h> 65 66 #include <unistd.h> 67 #include <netinet/in.h> 68 #include <arpa/inet.h> 69 #include <errno.h> 70 #include <time.h> 71 #include <stdlib.h> 72 #include <stdio.h> 73 #include <string.h> 74 #include <pwd.h> 75 #include <grp.h> 76 77 #include <bsm/audit_internal.h> 78 79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if (bytesread + size > len) { \ 81 err = 1; \ 82 } else { \ 83 memcpy(dest, buf + bytesread, size); \ 84 bytesread += size; \ 85 } \ 86 } while (0) 87 88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if (bytesread + sizeof(u_char) <= len) { \ 90 dest = buf[bytesread]; \ 91 bytesread += sizeof(u_char); \ 92 } else \ 93 err = 1; \ 94 } while (0) 95 96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if (bytesread + sizeof(u_int16_t) <= len) { \ 98 dest = be16dec(buf + bytesread); \ 99 bytesread += sizeof(u_int16_t); \ 100 } else \ 101 err = 1; \ 102 } while (0) 103 104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if (bytesread + sizeof(u_int32_t) <= len) { \ 106 dest = be32dec(buf + bytesread); \ 107 bytesread += sizeof(u_int32_t); \ 108 } else \ 109 err = 1; \ 110 } while (0) 111 112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if (bytesread + sizeof(u_int64_t) <= len) { \ 114 dest = be64dec(buf + bytesread); \ 115 bytesread += sizeof(u_int64_t); \ 116 } else \ 117 err = 1; \ 118 } while (0) 119 120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127 } while (0) 128 129 /* 130 * XML option. 131 */ 132 #define AU_PLAIN 0 133 #define AU_XML 1 134 135 /* 136 * Prints the delimiter string. 137 */ 138 static void 139 print_delim(FILE *fp, const char *del) 140 { 141 142 fprintf(fp, "%s", del); 143 } 144 145 /* 146 * Prints a single byte in the given format. 147 */ 148 static void 149 print_1_byte(FILE *fp, u_char val, const char *format) 150 { 151 152 fprintf(fp, format, val); 153 } 154 155 /* 156 * Print 2 bytes in the given format. 157 */ 158 static void 159 print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160 { 161 162 fprintf(fp, format, val); 163 } 164 165 /* 166 * Prints 4 bytes in the given format. 167 */ 168 static void 169 print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170 { 171 172 fprintf(fp, format, val); 173 } 174 175 /* 176 * Prints 8 bytes in the given format. 177 */ 178 static void 179 print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180 { 181 182 fprintf(fp, format, val); 183 } 184 185 /* 186 * Prints the given size of data bytes in hex. 187 */ 188 static void 189 print_mem(FILE *fp, u_char *data, size_t len) 190 { 191 int i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%x", data[i]); 197 } 198 } 199 200 /* 201 * Prints the given data bytes as a string. 202 */ 203 static void 204 print_string(FILE *fp, const char *str, size_t len) 205 { 206 int i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214 } 215 216 /* 217 * Prints the beggining of attribute. 218 */ 219 static void 220 open_attr(FILE *fp, const char *str) 221 { 222 223 fprintf(fp,"%s=\"", str); 224 } 225 226 /* 227 * Prints the end of attribute. 228 */ 229 static void 230 close_attr(FILE *fp) 231 { 232 233 fprintf(fp,"\" "); 234 } 235 236 /* 237 * Prints the end of tag. 238 */ 239 static void 240 close_tag(FILE *fp, u_char type) 241 { 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SUBJECT32: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT64: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT32_EX: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT64_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_TEXT: 385 fprintf(fp, "</text>"); 386 break; 387 388 case AUT_SOCKET_EX: 389 fprintf(fp, "/>"); 390 break; 391 392 case AUT_DATA: 393 fprintf(fp, "</arbitrary>"); 394 break; 395 396 case AUT_ZONENAME: 397 fprintf(fp, "/>"); 398 break; 399 } 400 } 401 402 /* 403 * Prints the token type in either the raw or the default form. 404 */ 405 static void 406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407 { 408 409 if (xml) { 410 switch(type) { 411 case AUT_HEADER32: 412 fprintf(fp, "<record "); 413 break; 414 415 case AUT_HEADER32_EX: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER64: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64_EX: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_TRAILER: 428 fprintf(fp, "</record>"); 429 break; 430 431 case AUT_ARG32: 432 fprintf(fp, "<argument "); 433 break; 434 435 case AUT_ARG64: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ATTR32: 440 fprintf(fp, "<attribute "); 441 break; 442 443 case AUT_ATTR64: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_EXIT: 448 fprintf(fp, "<exit "); 449 break; 450 451 case AUT_EXEC_ARGS: 452 fprintf(fp, "<exec_args>"); 453 break; 454 455 case AUT_EXEC_ENV: 456 fprintf(fp, "<exec_env>"); 457 break; 458 459 case AUT_OTHER_FILE32: 460 fprintf(fp, "<file "); 461 break; 462 463 case AUT_NEWGROUPS: 464 fprintf(fp, "<group>"); 465 break; 466 467 case AUT_IN_ADDR: 468 fprintf(fp, "<ip_address>"); 469 break; 470 471 case AUT_IN_ADDR_EX: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IP: 476 fprintf(fp, "<ip "); 477 break; 478 479 case AUT_IPC: 480 fprintf(fp, "<IPC"); 481 break; 482 483 case AUT_IPC_PERM: 484 fprintf(fp, "<IPC_perm "); 485 break; 486 487 case AUT_IPORT: 488 fprintf(fp, "<ip_port>"); 489 break; 490 491 case AUT_OPAQUE: 492 fprintf(fp, "<opaque>"); 493 break; 494 495 case AUT_PATH: 496 fprintf(fp, "<path>"); 497 break; 498 499 case AUT_PROCESS32: 500 fprintf(fp, "<process "); 501 break; 502 503 case AUT_PROCESS32_EX: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS64: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64_EX: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_RETURN32: 516 fprintf(fp, "<return "); 517 break; 518 519 case AUT_RETURN64: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_SEQ: 524 fprintf(fp, "<sequence "); 525 break; 526 527 case AUT_SOCKET: 528 fprintf(fp, "<socket "); 529 break; 530 531 case AUT_SOCKINET32: 532 fprintf(fp, "<old_socket"); 533 break; 534 535 case AUT_SOCKUNIX: 536 fprintf(fp, "<old_socket"); 537 break; 538 539 case AUT_SUBJECT32: 540 fprintf(fp, "<subject "); 541 break; 542 543 case AUT_SUBJECT64: 544 fprintf(fp, "<subject "); 545 break; 546 547 case AUT_SUBJECT32_EX: 548 fprintf(fp, "<subject "); 549 break; 550 551 case AUT_SUBJECT64_EX: 552 fprintf(fp, "<subject "); 553 break; 554 555 case AUT_TEXT: 556 fprintf(fp, "<text>"); 557 break; 558 559 case AUT_SOCKET_EX: 560 fprintf(fp, "<socket "); 561 break; 562 563 case AUT_DATA: 564 fprintf(fp, "<arbitrary "); 565 break; 566 567 case AUT_ZONENAME: 568 fprintf(fp, "<zone "); 569 break; 570 } 571 } else { 572 if (raw) 573 fprintf(fp, "%u", type); 574 else 575 fprintf(fp, "%s", tokname); 576 } 577 } 578 579 /* 580 * Prints a user value. 581 */ 582 static void 583 print_user(FILE *fp, u_int32_t usr, char raw) 584 { 585 struct passwd *pwent; 586 587 if (raw) 588 fprintf(fp, "%d", usr); 589 else { 590 pwent = getpwuid(usr); 591 if (pwent != NULL) 592 fprintf(fp, "%s", pwent->pw_name); 593 else 594 fprintf(fp, "%d", usr); 595 } 596 } 597 598 /* 599 * Prints a group value. 600 */ 601 static void 602 print_group(FILE *fp, u_int32_t grp, char raw) 603 { 604 struct group *grpent; 605 606 if (raw) 607 fprintf(fp, "%d", grp); 608 else { 609 grpent = getgrgid(grp); 610 if (grpent != NULL) 611 fprintf(fp, "%s", grpent->gr_name); 612 else 613 fprintf(fp, "%d", grp); 614 } 615 } 616 617 /* 618 * Prints the event from the header token in either the short, default or raw 619 * form. 620 */ 621 static void 622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623 { 624 char event_ent_name[AU_EVENT_NAME_MAX]; 625 char event_ent_desc[AU_EVENT_DESC_MAX]; 626 struct au_event_ent e, *ep; 627 628 bzero(&e, sizeof(e)); 629 bzero(event_ent_name, sizeof(event_ent_name)); 630 bzero(event_ent_desc, sizeof(event_ent_desc)); 631 e.ae_name = event_ent_name; 632 e.ae_desc = event_ent_desc; 633 634 ep = getauevnum_r(&e, ev); 635 if (ep == NULL) { 636 fprintf(fp, "%u", ev); 637 return; 638 } 639 640 if (raw) 641 fprintf(fp, "%u", ev); 642 else if (sfrm) 643 fprintf(fp, "%s", e.ae_name); 644 else 645 fprintf(fp, "%s", e.ae_desc); 646 } 647 648 649 /* 650 * Prints the event modifier from the header token in either the default or 651 * raw form. 652 */ 653 static void 654 print_evmod(FILE *fp, u_int16_t evmod, char raw) 655 { 656 if (raw) 657 fprintf(fp, "%u", evmod); 658 else 659 fprintf(fp, "%u", evmod); 660 } 661 662 /* 663 * Prints seconds in the ctime format. 664 */ 665 static void 666 print_sec32(FILE *fp, u_int32_t sec, char raw) 667 { 668 time_t timestamp; 669 char timestr[26]; 670 671 if (raw) 672 fprintf(fp, "%u", sec); 673 else { 674 timestamp = (time_t)sec; 675 ctime_r(×tamp, timestr); 676 timestr[24] = '\0'; /* No new line */ 677 fprintf(fp, "%s", timestr); 678 } 679 } 680 681 /* 682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683 * assume a 32-bit time_t, we simply truncate for now. 684 */ 685 static void 686 print_sec64(FILE *fp, u_int64_t sec, char raw) 687 { 688 time_t timestamp; 689 char timestr[26]; 690 691 if (raw) 692 fprintf(fp, "%u", (u_int32_t)sec); 693 else { 694 timestamp = (time_t)sec; 695 ctime_r(×tamp, timestr); 696 timestr[24] = '\0'; /* No new line */ 697 fprintf(fp, "%s", timestr); 698 } 699 } 700 701 /* 702 * Prints the excess milliseconds. 703 */ 704 static void 705 print_msec32(FILE *fp, u_int32_t msec, char raw) 706 { 707 if (raw) 708 fprintf(fp, "%u", msec); 709 else 710 fprintf(fp, " + %u msec", msec); 711 } 712 713 /* 714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715 * a 32-bit msec, we simply truncate for now. 716 */ 717 static void 718 print_msec64(FILE *fp, u_int64_t msec, char raw) 719 { 720 721 msec &= 0xffffffff; 722 if (raw) 723 fprintf(fp, "%u", (u_int32_t)msec); 724 else 725 fprintf(fp, " + %u msec", (u_int32_t)msec); 726 } 727 728 /* 729 * Prints a dotted form for the IP address. 730 */ 731 static void 732 print_ip_address(FILE *fp, u_int32_t ip) 733 { 734 struct in_addr ipaddr; 735 736 ipaddr.s_addr = ip; 737 fprintf(fp, "%s", inet_ntoa(ipaddr)); 738 } 739 740 /* 741 * Prints a string value for the given ip address. 742 */ 743 static void 744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745 { 746 struct in_addr ipv4; 747 struct in6_addr ipv6; 748 char dst[INET6_ADDRSTRLEN]; 749 750 switch (type) { 751 case AU_IPv4: 752 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754 INET6_ADDRSTRLEN)); 755 break; 756 757 case AU_IPv6: 758 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760 INET6_ADDRSTRLEN)); 761 break; 762 763 default: 764 fprintf(fp, "invalid"); 765 } 766 } 767 768 /* 769 * Prints return value as success or failure. 770 */ 771 static void 772 print_retval(FILE *fp, u_char status, char raw) 773 { 774 if (raw) 775 fprintf(fp, "%u", status); 776 else { 777 if (status == 0) 778 fprintf(fp, "success"); 779 else 780 fprintf(fp, "failure : %s", strerror(status)); 781 } 782 } 783 784 /* 785 * Prints the exit value. 786 */ 787 static void 788 print_errval(FILE *fp, u_int32_t val) 789 { 790 791 fprintf(fp, "Error %u", val); 792 } 793 794 /* 795 * Prints IPC type. 796 */ 797 static void 798 print_ipctype(FILE *fp, u_char type, char raw) 799 { 800 if (raw) 801 fprintf(fp, "%u", type); 802 else { 803 if (type == AT_IPC_MSG) 804 fprintf(fp, "Message IPC"); 805 else if (type == AT_IPC_SEM) 806 fprintf(fp, "Semaphore IPC"); 807 else if (type == AT_IPC_SHM) 808 fprintf(fp, "Shared Memory IPC"); 809 else 810 fprintf(fp, "%u", type); 811 } 812 } 813 814 /* 815 * Print XML header. 816 */ 817 void 818 au_print_xml_header(FILE *outfp) 819 { 820 821 fprintf(outfp, "<?xml version='1.0' ?>\n"); 822 fprintf(outfp, "<audit>\n"); 823 } 824 825 /* 826 * Print XML footer. 827 */ 828 void 829 au_print_xml_footer(FILE *outfp) 830 { 831 832 fprintf(outfp, "</audit>\n"); 833 } 834 835 /* 836 * record byte count 4 bytes 837 * version # 1 byte [2] 838 * event type 2 bytes 839 * event modifier 2 bytes 840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 842 */ 843 static int 844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 845 { 846 int err = 0; 847 848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 849 if (err) 850 return (-1); 851 852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 853 if (err) 854 return (-1); 855 856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 857 if (err) 858 return (-1); 859 860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 861 if (err) 862 return (-1); 863 864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 865 if (err) 866 return (-1); 867 868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 869 if (err) 870 return (-1); 871 872 return (0); 873 } 874 875 static void 876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 877 int xml) 878 { 879 880 print_tok_type(fp, tok->id, "header", raw, xml); 881 if (xml) { 882 open_attr(fp, "version"); 883 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 884 close_attr(fp); 885 open_attr(fp, "event"); 886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 887 close_attr(fp); 888 open_attr(fp, "modifier"); 889 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 890 close_attr(fp); 891 open_attr(fp, "time"); 892 print_sec32(fp, tok->tt.hdr32.s, raw); 893 close_attr(fp); 894 open_attr(fp, "msec"); 895 print_msec32(fp, tok->tt.hdr32.ms, 1); 896 close_attr(fp); 897 close_tag(fp, tok->id); 898 } else { 899 print_delim(fp, del); 900 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 901 print_delim(fp, del); 902 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 903 print_delim(fp, del); 904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905 print_delim(fp, del); 906 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 907 print_delim(fp, del); 908 print_sec32(fp, tok->tt.hdr32.s, raw); 909 print_delim(fp, del); 910 print_msec32(fp, tok->tt.hdr32.ms, raw); 911 } 912 } 913 914 /* 915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 916 * depending on the bit of the specifications found. The OpenSolaris source 917 * code uses a 4-byte address length, followed by some number of bytes of 918 * address data. This contrasts with the Solaris audit.log.5 man page, which 919 * specifies a 1-byte length field. We use the Solaris 10 definition so that 920 * we can parse audit trails from that system. 921 * 922 * record byte count 4 bytes 923 * version # 1 byte [2] 924 * event type 2 bytes 925 * event modifier 2 bytes 926 * address type/length 4 bytes 927 * [ Solaris man page: address type/length 1 byte] 928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 929 * seconds of time 4 bytes/8 bytes (32/64-bits) 930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 931 */ 932 static int 933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 934 { 935 int err = 0; 936 937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 938 if (err) 939 return (-1); 940 941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 942 if (err) 943 return (-1); 944 945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 946 if (err) 947 return (-1); 948 949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 950 if (err) 951 return (-1); 952 953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 954 if (err) 955 return (-1); 956 957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 958 switch (tok->tt.hdr32_ex.ad_type) { 959 case AU_IPv4: 960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 962 if (err) 963 return (-1); 964 break; 965 966 case AU_IPv6: 967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 969 break; 970 } 971 972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 973 if (err) 974 return (-1); 975 976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 977 if (err) 978 return (-1); 979 980 return (0); 981 } 982 983 static void 984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 985 char sfrm, int xml) 986 { 987 988 print_tok_type(fp, tok->id, "header_ex", raw, xml); 989 if (xml) { 990 open_attr(fp, "version"); 991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 992 close_attr(fp); 993 open_attr(fp, "event"); 994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 995 close_attr(fp); 996 open_attr(fp, "modifier"); 997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 998 close_attr(fp); 999 /* 1000 * No attribute for additional types. 1001 * 1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1003 tok->tt.hdr32_ex.addr); 1004 */ 1005 open_attr(fp, "time"); 1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1007 close_attr(fp); 1008 open_attr(fp, "msec"); 1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1010 close_attr(fp); 1011 close_tag(fp, tok->id); 1012 } else { 1013 print_delim(fp, del); 1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1015 print_delim(fp, del); 1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1017 print_delim(fp, del); 1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1019 print_delim(fp, del); 1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1021 print_delim(fp, del); 1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1023 tok->tt.hdr32_ex.addr); 1024 print_delim(fp, del); 1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1026 print_delim(fp, del); 1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1028 } 1029 } 1030 1031 /* 1032 * record byte count 4 bytes 1033 * event type 2 bytes 1034 * event modifier 2 bytes 1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1037 * version # 1038 */ 1039 static int 1040 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1041 { 1042 int err = 0; 1043 1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1045 if (err) 1046 return (-1); 1047 1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1049 if (err) 1050 return (-1); 1051 1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1053 if (err) 1054 return (-1); 1055 1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1057 if (err) 1058 return (-1); 1059 1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1061 if (err) 1062 return (-1); 1063 1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1065 if (err) 1066 return (-1); 1067 1068 return (0); 1069 } 1070 1071 static void 1072 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1073 int xml) 1074 { 1075 1076 print_tok_type(fp, tok->id, "header", raw, xml); 1077 if (xml) { 1078 open_attr(fp, "version"); 1079 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1080 close_attr(fp); 1081 open_attr(fp, "event"); 1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1083 close_attr(fp); 1084 open_attr(fp, "modifier"); 1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1086 close_attr(fp); 1087 open_attr(fp, "time"); 1088 print_sec64(fp, tok->tt.hdr64.s, raw); 1089 close_attr(fp); 1090 open_attr(fp, "msec"); 1091 print_msec64(fp, tok->tt.hdr64.ms, raw); 1092 close_attr(fp); 1093 close_tag(fp, tok->id); 1094 } else { 1095 print_delim(fp, del); 1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1097 print_delim(fp, del); 1098 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1099 print_delim(fp, del); 1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1101 print_delim(fp, del); 1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1103 print_delim(fp, del); 1104 print_sec64(fp, tok->tt.hdr64.s, raw); 1105 print_delim(fp, del); 1106 print_msec64(fp, tok->tt.hdr64.ms, raw); 1107 } 1108 } 1109 1110 /* 1111 * record byte count 4 bytes 1112 * version # 1 byte [2] 1113 * event type 2 bytes 1114 * event modifier 2 bytes 1115 * address type/length 4 bytes 1116 * [ Solaris man page: address type/length 1 byte] 1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1118 * seconds of time 4 bytes/8 bytes (32/64-bits) 1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1120 * 1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1122 * accuracy of the BSM spec. 1123 */ 1124 static int 1125 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1126 { 1127 int err = 0; 1128 1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1130 if (err) 1131 return (-1); 1132 1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1134 if (err) 1135 return (-1); 1136 1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1138 if (err) 1139 return (-1); 1140 1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1142 if (err) 1143 return (-1); 1144 1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1146 if (err) 1147 return (-1); 1148 1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1150 switch (tok->tt.hdr64_ex.ad_type) { 1151 case AU_IPv4: 1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1154 if (err) 1155 return (-1); 1156 break; 1157 1158 case AU_IPv6: 1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1161 break; 1162 } 1163 1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1165 if (err) 1166 return (-1); 1167 1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1169 if (err) 1170 return (-1); 1171 1172 return (0); 1173 } 1174 1175 static void 1176 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1177 char sfrm, int xml) 1178 { 1179 1180 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1181 if (xml) { 1182 open_attr(fp, "version"); 1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1184 close_attr(fp); 1185 open_attr(fp, "event"); 1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1187 close_attr(fp); 1188 open_attr(fp, "modifier"); 1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1190 close_attr(fp); 1191 /* 1192 * No attribute for additional types. 1193 * 1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1195 tok->tt.hdr64_ex.addr); 1196 */ 1197 open_attr(fp, "time"); 1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1199 close_attr(fp); 1200 open_attr(fp, "msec"); 1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1202 close_attr(fp); 1203 close_tag(fp, tok->id); 1204 } else { 1205 print_delim(fp, del); 1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1207 print_delim(fp, del); 1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1209 print_delim(fp, del); 1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1211 print_delim(fp, del); 1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1213 print_delim(fp, del); 1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1215 tok->tt.hdr64_ex.addr); 1216 print_delim(fp, del); 1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1218 print_delim(fp, del); 1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1220 } 1221 } 1222 1223 /* 1224 * trailer magic 2 bytes 1225 * record size 4 bytes 1226 */ 1227 static int 1228 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1229 { 1230 int err = 0; 1231 1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1233 if (err) 1234 return (-1); 1235 1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1237 if (err) 1238 return (-1); 1239 1240 return (0); 1241 } 1242 1243 static void 1244 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1245 __unused char sfrm, int xml) 1246 { 1247 1248 print_tok_type(fp, tok->id, "trailer", raw, xml); 1249 if (!xml) { 1250 print_delim(fp, del); 1251 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1252 } 1253 } 1254 1255 /* 1256 * argument # 1 byte 1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1258 * text length 2 bytes 1259 * text N bytes + 1 terminating NULL byte 1260 */ 1261 static int 1262 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1263 { 1264 int err = 0; 1265 1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1267 if (err) 1268 return (-1); 1269 1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1271 if (err) 1272 return (-1); 1273 1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1275 if (err) 1276 return (-1); 1277 1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1279 tok->len, err); 1280 if (err) 1281 return (-1); 1282 1283 return (0); 1284 } 1285 1286 static void 1287 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1288 __unused char sfrm, int xml) 1289 { 1290 1291 print_tok_type(fp, tok->id, "argument", raw, xml); 1292 if (xml) { 1293 open_attr(fp, "arg-num"); 1294 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1295 close_attr(fp); 1296 open_attr(fp, "value"); 1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1298 close_attr(fp); 1299 open_attr(fp, "desc"); 1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1301 close_attr(fp); 1302 close_tag(fp, tok->id); 1303 } else { 1304 print_delim(fp, del); 1305 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1306 print_delim(fp, del); 1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1308 print_delim(fp, del); 1309 } 1310 } 1311 1312 static int 1313 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1314 { 1315 int err = 0; 1316 1317 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1318 if (err) 1319 return (-1); 1320 1321 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1322 if (err) 1323 return (-1); 1324 1325 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1326 if (err) 1327 return (-1); 1328 1329 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1330 tok->len, err); 1331 if (err) 1332 return (-1); 1333 1334 return (0); 1335 } 1336 1337 static void 1338 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1339 __unused char sfrm, int xml) 1340 { 1341 1342 print_tok_type(fp, tok->id, "argument", raw, xml); 1343 if (xml) { 1344 open_attr(fp, "arg-num"); 1345 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1346 close_attr(fp); 1347 open_attr(fp, "value"); 1348 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1349 close_attr(fp); 1350 open_attr(fp, "desc"); 1351 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1352 close_attr(fp); 1353 close_tag(fp, tok->id); 1354 } else { 1355 print_delim(fp, del); 1356 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1357 print_delim(fp, del); 1358 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1359 print_delim(fp, del); 1360 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1361 } 1362 } 1363 1364 /* 1365 * how to print 1 byte 1366 * basic unit 1 byte 1367 * unit count 1 byte 1368 * data items (depends on basic unit) 1369 */ 1370 static int 1371 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1372 { 1373 int err = 0; 1374 int datasize; 1375 1376 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1377 if (err) 1378 return (-1); 1379 1380 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1381 if (err) 1382 return (-1); 1383 1384 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1385 if (err) 1386 return (-1); 1387 1388 /* 1389 * Determine the size of the basic unit. 1390 */ 1391 switch(tok->tt.arb.bu) { 1392 case AUR_BYTE: 1393 /* case AUR_CHAR: */ 1394 datasize = AUR_BYTE_SIZE; 1395 break; 1396 1397 case AUR_SHORT: 1398 datasize = AUR_SHORT_SIZE; 1399 break; 1400 1401 case AUR_INT32: 1402 /* case AUR_INT: */ 1403 datasize = AUR_INT32_SIZE; 1404 break; 1405 1406 case AUR_INT64: 1407 datasize = AUR_INT64_SIZE; 1408 break; 1409 1410 default: 1411 return (-1); 1412 } 1413 1414 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1415 tok->len, err); 1416 if (err) 1417 return (-1); 1418 1419 return (0); 1420 } 1421 1422 static void 1423 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1424 __unused char sfrm, int xml) 1425 { 1426 char *str; 1427 char *format; 1428 size_t size; 1429 int i; 1430 1431 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1432 if (!xml) 1433 print_delim(fp, del); 1434 1435 switch(tok->tt.arb.howtopr) { 1436 case AUP_BINARY: 1437 str = "binary"; 1438 format = " %c"; 1439 break; 1440 1441 case AUP_OCTAL: 1442 str = "octal"; 1443 format = " %o"; 1444 break; 1445 1446 case AUP_DECIMAL: 1447 str = "decimal"; 1448 format = " %d"; 1449 break; 1450 1451 case AUP_HEX: 1452 str = "hex"; 1453 format = " %x"; 1454 break; 1455 1456 case AUP_STRING: 1457 str = "string"; 1458 format = "%c"; 1459 break; 1460 1461 default: 1462 return; 1463 } 1464 1465 if (xml) { 1466 open_attr(fp, "print"); 1467 fprintf(fp, "%s",str); 1468 close_attr(fp); 1469 } else { 1470 print_string(fp, str, strlen(str)); 1471 print_delim(fp, del); 1472 } 1473 switch(tok->tt.arb.bu) { 1474 case AUR_BYTE: 1475 /* case AUR_CHAR: */ 1476 str = "byte"; 1477 size = AUR_BYTE_SIZE; 1478 if (xml) { 1479 open_attr(fp, "type"); 1480 fprintf(fp, "%u", size); 1481 close_attr(fp); 1482 open_attr(fp, "count"); 1483 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1484 close_attr(fp); 1485 fprintf(fp, ">"); 1486 for (i = 0; i<tok->tt.arb.uc; i++) 1487 fprintf(fp, format, *(tok->tt.arb.data + 1488 (size * i))); 1489 close_tag(fp, tok->id); 1490 } else { 1491 print_string(fp, str, strlen(str)); 1492 print_delim(fp, del); 1493 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1494 print_delim(fp, del); 1495 for (i = 0; i<tok->tt.arb.uc; i++) 1496 fprintf(fp, format, *(tok->tt.arb.data + 1497 (size * i))); 1498 } 1499 break; 1500 1501 case AUR_SHORT: 1502 str = "short"; 1503 size = AUR_SHORT_SIZE; 1504 if (xml) { 1505 open_attr(fp, "type"); 1506 fprintf(fp, "%u", size); 1507 close_attr(fp); 1508 open_attr(fp, "count"); 1509 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1510 close_attr(fp); 1511 fprintf(fp, ">"); 1512 for (i = 0; i < tok->tt.arb.uc; i++) 1513 fprintf(fp, format, 1514 *((u_int16_t *)(tok->tt.arb.data + 1515 (size * i)))); 1516 close_tag(fp, tok->id); 1517 } else { 1518 print_string(fp, str, strlen(str)); 1519 print_delim(fp, del); 1520 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1521 print_delim(fp, del); 1522 for (i = 0; i < tok->tt.arb.uc; i++) 1523 fprintf(fp, format, 1524 *((u_int16_t *)(tok->tt.arb.data + 1525 (size * i)))); 1526 } 1527 break; 1528 1529 case AUR_INT32: 1530 /* case AUR_INT: */ 1531 str = "int"; 1532 size = AUR_INT32_SIZE; 1533 if (xml) { 1534 open_attr(fp, "type"); 1535 fprintf(fp, "%u", size); 1536 close_attr(fp); 1537 open_attr(fp, "count"); 1538 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1539 close_attr(fp); 1540 fprintf(fp, ">"); 1541 for (i = 0; i < tok->tt.arb.uc; i++) 1542 fprintf(fp, format, 1543 *((u_int32_t *)(tok->tt.arb.data + 1544 (size * i)))); 1545 close_tag(fp, tok->id); 1546 } else { 1547 print_string(fp, str, strlen(str)); 1548 print_delim(fp, del); 1549 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1550 print_delim(fp, del); 1551 for (i = 0; i < tok->tt.arb.uc; i++) 1552 fprintf(fp, format, 1553 *((u_int32_t *)(tok->tt.arb.data + 1554 (size * i)))); 1555 } 1556 break; 1557 1558 case AUR_INT64: 1559 str = "int64"; 1560 size = AUR_INT64_SIZE; 1561 if (xml) { 1562 open_attr(fp, "type"); 1563 fprintf(fp, "%u", size); 1564 close_attr(fp); 1565 open_attr(fp, "count"); 1566 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1567 close_attr(fp); 1568 fprintf(fp, ">"); 1569 for (i = 0; i < tok->tt.arb.uc; i++) 1570 fprintf(fp, format, 1571 *((u_int64_t *)(tok->tt.arb.data + 1572 (size * i)))); 1573 close_tag(fp, tok->id); 1574 } else { 1575 print_string(fp, str, strlen(str)); 1576 print_delim(fp, del); 1577 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1578 print_delim(fp, del); 1579 for (i = 0; i < tok->tt.arb.uc; i++) 1580 fprintf(fp, format, 1581 *((u_int64_t *)(tok->tt.arb.data + 1582 (size * i)))); 1583 } 1584 break; 1585 1586 default: 1587 return; 1588 } 1589 } 1590 1591 /* 1592 * file access mode 4 bytes 1593 * owner user ID 4 bytes 1594 * owner group ID 4 bytes 1595 * file system ID 4 bytes 1596 * node ID 8 bytes 1597 * device 4 bytes/8 bytes (32-bit/64-bit) 1598 */ 1599 static int 1600 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1601 { 1602 int err = 0; 1603 1604 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1605 if (err) 1606 return (-1); 1607 1608 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1609 if (err) 1610 return (-1); 1611 1612 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1613 if (err) 1614 return (-1); 1615 1616 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1617 if (err) 1618 return (-1); 1619 1620 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1621 if (err) 1622 return (-1); 1623 1624 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1625 if (err) 1626 return (-1); 1627 1628 return (0); 1629 } 1630 1631 static void 1632 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1633 __unused char sfrm, int xml) 1634 { 1635 1636 print_tok_type(fp, tok->id, "attribute", raw, xml); 1637 if (xml) { 1638 open_attr(fp, "mode"); 1639 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1640 close_attr(fp); 1641 open_attr(fp, "uid"); 1642 print_user(fp, tok->tt.attr32.uid, raw); 1643 close_attr(fp); 1644 open_attr(fp, "gid"); 1645 print_group(fp, tok->tt.attr32.gid, raw); 1646 close_attr(fp); 1647 open_attr(fp, "fsid"); 1648 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1649 close_attr(fp); 1650 open_attr(fp, "nodeid"); 1651 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1652 close_attr(fp); 1653 open_attr(fp, "device"); 1654 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1655 close_attr(fp); 1656 close_tag(fp, tok->id); 1657 } else { 1658 print_delim(fp, del); 1659 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1660 print_delim(fp, del); 1661 print_user(fp, tok->tt.attr32.uid, raw); 1662 print_delim(fp, del); 1663 print_group(fp, tok->tt.attr32.gid, raw); 1664 print_delim(fp, del); 1665 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1666 print_delim(fp, del); 1667 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1668 print_delim(fp, del); 1669 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1670 } 1671 } 1672 1673 /* 1674 * file access mode 4 bytes 1675 * owner user ID 4 bytes 1676 * owner group ID 4 bytes 1677 * file system ID 4 bytes 1678 * node ID 8 bytes 1679 * device 4 bytes/8 bytes (32-bit/64-bit) 1680 */ 1681 static int 1682 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1683 { 1684 int err = 0; 1685 1686 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1687 if (err) 1688 return (-1); 1689 1690 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1691 if (err) 1692 return (-1); 1693 1694 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1695 if (err) 1696 return (-1); 1697 1698 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1699 if (err) 1700 return (-1); 1701 1702 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1703 if (err) 1704 return (-1); 1705 1706 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1707 if (err) 1708 return (-1); 1709 1710 return (0); 1711 } 1712 1713 static void 1714 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1715 __unused char sfrm, int xml) 1716 { 1717 1718 print_tok_type(fp, tok->id, "attribute", raw, xml); 1719 if (xml) { 1720 open_attr(fp, "mode"); 1721 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1722 close_attr(fp); 1723 open_attr(fp, "uid"); 1724 print_user(fp, tok->tt.attr64.uid, raw); 1725 close_attr(fp); 1726 open_attr(fp, "gid"); 1727 print_group(fp, tok->tt.attr64.gid, raw); 1728 close_attr(fp); 1729 open_attr(fp, "fsid"); 1730 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1731 close_attr(fp); 1732 open_attr(fp, "nodeid"); 1733 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1734 close_attr(fp); 1735 open_attr(fp, "device"); 1736 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1737 close_attr(fp); 1738 close_tag(fp, tok->id); 1739 } else { 1740 print_delim(fp, del); 1741 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1742 print_delim(fp, del); 1743 print_user(fp, tok->tt.attr64.uid, raw); 1744 print_delim(fp, del); 1745 print_group(fp, tok->tt.attr64.gid, raw); 1746 print_delim(fp, del); 1747 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1748 print_delim(fp, del); 1749 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1750 print_delim(fp, del); 1751 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1752 } 1753 } 1754 1755 /* 1756 * status 4 bytes 1757 * return value 4 bytes 1758 */ 1759 static int 1760 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1761 { 1762 int err = 0; 1763 1764 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1765 if (err) 1766 return (-1); 1767 1768 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1769 if (err) 1770 return (-1); 1771 1772 return (0); 1773 } 1774 1775 static void 1776 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1777 __unused char sfrm, int xml) 1778 { 1779 1780 print_tok_type(fp, tok->id, "exit", raw, xml); 1781 if (xml) { 1782 open_attr(fp, "errval"); 1783 print_errval(fp, tok->tt.exit.status); 1784 close_attr(fp); 1785 open_attr(fp, "retval"); 1786 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1787 close_attr(fp); 1788 close_tag(fp, tok->id); 1789 } else { 1790 print_delim(fp, del); 1791 print_errval(fp, tok->tt.exit.status); 1792 print_delim(fp, del); 1793 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1794 } 1795 } 1796 1797 /* 1798 * count 4 bytes 1799 * text count null-terminated string(s) 1800 */ 1801 static int 1802 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1803 { 1804 int err = 0; 1805 int i; 1806 u_char *bptr; 1807 1808 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1809 if (err) 1810 return (-1); 1811 1812 for (i = 0; i < tok->tt.execarg.count; i++) { 1813 bptr = buf + tok->len; 1814 if (i < AUDIT_MAX_ARGS) 1815 tok->tt.execarg.text[i] = (char*)bptr; 1816 1817 /* Look for a null terminated string. */ 1818 while (bptr && (*bptr != '\0')) { 1819 if (++tok->len >=len) 1820 return (-1); 1821 bptr = buf + tok->len; 1822 } 1823 if (!bptr) 1824 return (-1); 1825 tok->len++; /* \0 character */ 1826 } 1827 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1828 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1829 1830 return (0); 1831 } 1832 1833 static void 1834 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1835 __unused char sfrm, int xml) 1836 { 1837 int i; 1838 1839 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1840 for (i = 0; i < tok->tt.execarg.count; i++) { 1841 if (xml) { 1842 fprintf(fp, "<arg>"); 1843 print_string(fp, tok->tt.execarg.text[i], 1844 strlen(tok->tt.execarg.text[i])); 1845 fprintf(fp, "</arg>"); 1846 } else { 1847 print_delim(fp, del); 1848 print_string(fp, tok->tt.execarg.text[i], 1849 strlen(tok->tt.execarg.text[i])); 1850 } 1851 } 1852 if (xml) 1853 close_tag(fp, tok->id); 1854 } 1855 1856 /* 1857 * count 4 bytes 1858 * text count null-terminated string(s) 1859 */ 1860 static int 1861 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1862 { 1863 int err = 0; 1864 int i; 1865 u_char *bptr; 1866 1867 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1868 if (err) 1869 return (-1); 1870 1871 for (i = 0; i < tok->tt.execenv.count; i++) { 1872 bptr = buf + tok->len; 1873 if (i < AUDIT_MAX_ENV) 1874 tok->tt.execenv.text[i] = (char*)bptr; 1875 1876 /* Look for a null terminated string. */ 1877 while (bptr && (*bptr != '\0')) { 1878 if (++tok->len >=len) 1879 return (-1); 1880 bptr = buf + tok->len; 1881 } 1882 if (!bptr) 1883 return (-1); 1884 tok->len++; /* \0 character */ 1885 } 1886 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1887 tok->tt.execenv.count = AUDIT_MAX_ENV; 1888 1889 return (0); 1890 } 1891 1892 static void 1893 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1894 __unused char sfrm, int xml) 1895 { 1896 int i; 1897 1898 print_tok_type(fp, tok->id, "exec env", raw, xml); 1899 for (i = 0; i< tok->tt.execenv.count; i++) { 1900 if (xml) { 1901 fprintf(fp, "<env>"); 1902 print_string(fp, tok->tt.execenv.text[i], 1903 strlen(tok->tt.execenv.text[i])); 1904 fprintf(fp, "</env>"); 1905 } else { 1906 print_delim(fp, del); 1907 print_string(fp, tok->tt.execenv.text[i], 1908 strlen(tok->tt.execenv.text[i])); 1909 } 1910 } 1911 if (xml) 1912 close_tag(fp, tok->id); 1913 } 1914 1915 /* 1916 * seconds of time 4 bytes 1917 * milliseconds of time 4 bytes 1918 * file name len 2 bytes 1919 * file pathname N bytes + 1 terminating NULL byte 1920 */ 1921 static int 1922 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1923 { 1924 int err = 0; 1925 1926 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1927 if (err) 1928 return (-1); 1929 1930 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1931 if (err) 1932 return (-1); 1933 1934 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1935 if (err) 1936 return (-1); 1937 1938 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1939 err); 1940 if (err) 1941 return (-1); 1942 1943 return (0); 1944 } 1945 1946 static void 1947 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1948 __unused char sfrm, int xml) 1949 { 1950 1951 print_tok_type(fp, tok->id, "file", raw, xml); 1952 if (xml) { 1953 open_attr(fp, "time"); 1954 print_sec32(fp, tok->tt.file.s, raw); 1955 close_attr(fp); 1956 open_attr(fp, "msec"); 1957 print_msec32(fp, tok->tt.file.ms, raw); 1958 close_attr(fp); 1959 fprintf(fp, ">"); 1960 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1961 close_tag(fp, tok->id); 1962 } else { 1963 print_delim(fp, del); 1964 print_sec32(fp, tok->tt.file.s, raw); 1965 print_delim(fp, del); 1966 print_msec32(fp, tok->tt.file.ms, raw); 1967 print_delim(fp, del); 1968 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1969 } 1970 } 1971 1972 /* 1973 * number groups 2 bytes 1974 * group list count * 4 bytes 1975 */ 1976 static int 1977 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1978 { 1979 int i; 1980 int err = 0; 1981 1982 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1983 if (err) 1984 return (-1); 1985 1986 for (i = 0; i<tok->tt.grps.no; i++) { 1987 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1988 err); 1989 if (err) 1990 return (-1); 1991 } 1992 1993 return (0); 1994 } 1995 1996 static void 1997 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1998 __unused char sfrm, int xml) 1999 { 2000 int i; 2001 2002 print_tok_type(fp, tok->id, "group", raw, xml); 2003 for (i = 0; i < tok->tt.grps.no; i++) { 2004 if (xml) { 2005 fprintf(fp, "<gid>"); 2006 print_group(fp, tok->tt.grps.list[i], raw); 2007 fprintf(fp, "</gid>"); 2008 close_tag(fp, tok->id); 2009 } else { 2010 print_delim(fp, del); 2011 print_group(fp, tok->tt.grps.list[i], raw); 2012 } 2013 } 2014 } 2015 2016 /* 2017 * Internet addr 4 bytes 2018 */ 2019 static int 2020 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2021 { 2022 int err = 0; 2023 2024 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2025 tok->len, err); 2026 if (err) 2027 return (-1); 2028 2029 return (0); 2030 2031 } 2032 2033 static void 2034 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2035 __unused char sfrm, int xml) 2036 { 2037 2038 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2039 if (xml) { 2040 print_ip_address(fp, tok->tt.inaddr.addr); 2041 close_tag(fp, tok->id); 2042 } else { 2043 print_delim(fp, del); 2044 print_ip_address(fp, tok->tt.inaddr.addr); 2045 } 2046 } 2047 2048 /* 2049 * type 4 bytes 2050 * address 16 bytes 2051 */ 2052 static int 2053 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2054 { 2055 int err = 0; 2056 2057 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2058 if (err) 2059 return (-1); 2060 2061 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2062 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2063 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2064 if (err) 2065 return (-1); 2066 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2067 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2068 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2069 if (err) 2070 return (-1); 2071 } else 2072 return (-1); 2073 2074 return (0); 2075 } 2076 2077 static void 2078 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2079 __unused char sfrm, int xml) 2080 { 2081 2082 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2083 if (xml) { 2084 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2085 tok->tt.inaddr_ex.addr); 2086 close_tag(fp, tok->id); 2087 } else { 2088 print_delim(fp, del); 2089 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2090 tok->tt.inaddr_ex.addr); 2091 } 2092 } 2093 2094 /* 2095 * ip header 20 bytes 2096 */ 2097 static int 2098 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2099 { 2100 int err = 0; 2101 2102 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2103 if (err) 2104 return (-1); 2105 2106 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2107 if (err) 2108 return (-1); 2109 2110 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2111 tok->len, err); 2112 if (err) 2113 return (-1); 2114 2115 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2116 tok->len, err); 2117 if (err) 2118 return (-1); 2119 2120 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2121 tok->len, err); 2122 if (err) 2123 return (-1); 2124 2125 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2126 if (err) 2127 return (-1); 2128 2129 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2130 if (err) 2131 return (-1); 2132 2133 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2134 tok->len, err); 2135 if (err) 2136 return (-1); 2137 2138 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2139 tok->len, err); 2140 if (err) 2141 return (-1); 2142 2143 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2144 tok->len, err); 2145 if (err) 2146 return (-1); 2147 2148 return (0); 2149 } 2150 2151 static void 2152 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2153 __unused char sfrm, int xml) 2154 { 2155 2156 print_tok_type(fp, tok->id, "ip", raw, xml); 2157 if (xml) { 2158 open_attr(fp, "version"); 2159 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2160 sizeof(u_char)); 2161 close_attr(fp); 2162 open_attr(fp, "service_type"); 2163 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2164 close_attr(fp); 2165 open_attr(fp, "len"); 2166 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2167 close_attr(fp); 2168 open_attr(fp, "id"); 2169 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2170 close_attr(fp); 2171 open_attr(fp, "offset"); 2172 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2173 close_attr(fp); 2174 open_attr(fp, "time_to_live"); 2175 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2176 close_attr(fp); 2177 open_attr(fp, "protocol"); 2178 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2179 close_attr(fp); 2180 open_attr(fp, "cksum"); 2181 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2182 close_attr(fp); 2183 open_attr(fp, "src_addr"); 2184 print_ip_address(fp, tok->tt.ip.src); 2185 close_attr(fp); 2186 open_attr(fp, "dest_addr"); 2187 print_ip_address(fp, tok->tt.ip.dest); 2188 close_attr(fp); 2189 close_tag(fp, tok->id); 2190 } else { 2191 print_delim(fp, del); 2192 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2193 sizeof(u_char)); 2194 print_delim(fp, del); 2195 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2196 print_delim(fp, del); 2197 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2198 print_delim(fp, del); 2199 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2200 print_delim(fp, del); 2201 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2202 print_delim(fp, del); 2203 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2204 print_delim(fp, del); 2205 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2206 print_delim(fp, del); 2207 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2208 print_delim(fp, del); 2209 print_ip_address(fp, tok->tt.ip.src); 2210 print_delim(fp, del); 2211 print_ip_address(fp, tok->tt.ip.dest); 2212 } 2213 } 2214 2215 /* 2216 * object ID type 1 byte 2217 * Object ID 4 bytes 2218 */ 2219 static int 2220 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2221 { 2222 int err = 0; 2223 2224 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2225 if (err) 2226 return (-1); 2227 2228 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2229 if (err) 2230 return (-1); 2231 2232 return (0); 2233 } 2234 2235 static void 2236 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2237 __unused char sfrm, int xml) 2238 { 2239 2240 print_tok_type(fp, tok->id, "IPC", raw, xml); 2241 if (xml) { 2242 open_attr(fp, "ipc-type"); 2243 print_ipctype(fp, tok->tt.ipc.type, raw); 2244 close_attr(fp); 2245 open_attr(fp, "ipc-id"); 2246 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2247 close_attr(fp); 2248 close_tag(fp, tok->id); 2249 } else { 2250 print_delim(fp, del); 2251 print_ipctype(fp, tok->tt.ipc.type, raw); 2252 print_delim(fp, del); 2253 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2254 } 2255 } 2256 2257 /* 2258 * owner user id 4 bytes 2259 * owner group id 4 bytes 2260 * creator user id 4 bytes 2261 * creator group id 4 bytes 2262 * access mode 4 bytes 2263 * slot seq 4 bytes 2264 * key 4 bytes 2265 */ 2266 static int 2267 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2268 { 2269 int err = 0; 2270 2271 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2272 if (err) 2273 return (-1); 2274 2275 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2276 if (err) 2277 return (-1); 2278 2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2280 if (err) 2281 return (-1); 2282 2283 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2284 if (err) 2285 return (-1); 2286 2287 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2288 if (err) 2289 return (-1); 2290 2291 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2292 if (err) 2293 return (-1); 2294 2295 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2296 if (err) 2297 return (-1); 2298 2299 return (0); 2300 } 2301 2302 static void 2303 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2304 __unused char sfrm, int xml) 2305 { 2306 2307 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2308 if (xml) { 2309 open_attr(fp, "uid"); 2310 print_user(fp, tok->tt.ipcperm.uid, raw); 2311 close_attr(fp); 2312 open_attr(fp, "gid"); 2313 print_group(fp, tok->tt.ipcperm.gid, raw); 2314 close_attr(fp); 2315 open_attr(fp, "creator-uid"); 2316 print_user(fp, tok->tt.ipcperm.puid, raw); 2317 close_attr(fp); 2318 open_attr(fp, "creator-gid"); 2319 print_group(fp, tok->tt.ipcperm.pgid, raw); 2320 close_attr(fp); 2321 open_attr(fp, "mode"); 2322 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2323 close_attr(fp); 2324 open_attr(fp, "seq"); 2325 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2326 close_attr(fp); 2327 open_attr(fp, "key"); 2328 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2329 close_attr(fp); 2330 close_tag(fp, tok->id); 2331 } else { 2332 print_delim(fp, del); 2333 print_user(fp, tok->tt.ipcperm.uid, raw); 2334 print_delim(fp, del); 2335 print_group(fp, tok->tt.ipcperm.gid, raw); 2336 print_delim(fp, del); 2337 print_user(fp, tok->tt.ipcperm.puid, raw); 2338 print_delim(fp, del); 2339 print_group(fp, tok->tt.ipcperm.pgid, raw); 2340 print_delim(fp, del); 2341 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2342 print_delim(fp, del); 2343 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2344 print_delim(fp, del); 2345 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2346 } 2347 } 2348 2349 /* 2350 * port Ip address 2 bytes 2351 */ 2352 static int 2353 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2354 { 2355 int err = 0; 2356 2357 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2358 tok->len, err); 2359 if (err) 2360 return (-1); 2361 2362 return (0); 2363 } 2364 2365 static void 2366 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2367 __unused char sfrm, int xml) 2368 { 2369 2370 print_tok_type(fp, tok->id, "ip port", raw, xml); 2371 if (xml) { 2372 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2373 close_tag(fp, tok->id); 2374 } else { 2375 print_delim(fp, del); 2376 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2377 } 2378 } 2379 2380 /* 2381 * size 2 bytes 2382 * data size bytes 2383 */ 2384 static int 2385 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2386 { 2387 int err = 0; 2388 2389 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2390 if (err) 2391 return (-1); 2392 2393 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2394 tok->len, err); 2395 if (err) 2396 return (-1); 2397 2398 return (0); 2399 } 2400 2401 static void 2402 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2403 __unused char sfrm, int xml) 2404 { 2405 2406 print_tok_type(fp, tok->id, "opaque", raw, xml); 2407 if (xml) { 2408 print_mem(fp, (u_char*)tok->tt.opaque.data, 2409 tok->tt.opaque.size); 2410 close_tag(fp, tok->id); 2411 } else { 2412 print_delim(fp, del); 2413 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2414 print_delim(fp, del); 2415 print_mem(fp, (u_char*)tok->tt.opaque.data, 2416 tok->tt.opaque.size); 2417 } 2418 } 2419 2420 /* 2421 * size 2 bytes 2422 * data size bytes 2423 */ 2424 static int 2425 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2426 { 2427 int err = 0; 2428 2429 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2430 if (err) 2431 return (-1); 2432 2433 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2434 err); 2435 if (err) 2436 return (-1); 2437 2438 return (0); 2439 } 2440 2441 static void 2442 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2443 __unused char sfrm, int xml) 2444 { 2445 2446 print_tok_type(fp, tok->id, "path", raw, xml); 2447 if (xml) { 2448 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2449 close_tag(fp, tok->id); 2450 } else { 2451 print_delim(fp, del); 2452 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2453 } 2454 } 2455 2456 /* 2457 * token ID 1 byte 2458 * audit ID 4 bytes 2459 * euid 4 bytes 2460 * egid 4 bytes 2461 * ruid 4 bytes 2462 * rgid 4 bytes 2463 * pid 4 bytes 2464 * sessid 4 bytes 2465 * terminal ID 2466 * portid 4 bytes 2467 * machine id 4 bytes 2468 */ 2469 static int 2470 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2471 { 2472 int err = 0; 2473 2474 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2475 if (err) 2476 return (-1); 2477 2478 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2479 if (err) 2480 return (-1); 2481 2482 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2483 if (err) 2484 return (-1); 2485 2486 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2487 if (err) 2488 return (-1); 2489 2490 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2491 if (err) 2492 return (-1); 2493 2494 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2495 if (err) 2496 return (-1); 2497 2498 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2499 if (err) 2500 return (-1); 2501 2502 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2503 if (err) 2504 return (-1); 2505 2506 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2507 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2508 if (err) 2509 return (-1); 2510 2511 return (0); 2512 } 2513 2514 static void 2515 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2516 __unused char sfrm, int xml) 2517 { 2518 2519 print_tok_type(fp, tok->id, "process", raw, xml); 2520 if (xml) { 2521 open_attr(fp, "audit-uid"); 2522 print_user(fp, tok->tt.proc32.auid, raw); 2523 close_attr(fp); 2524 open_attr(fp, "uid"); 2525 print_user(fp, tok->tt.proc32.euid, raw); 2526 close_attr(fp); 2527 open_attr(fp, "gid"); 2528 print_group(fp, tok->tt.proc32.egid, raw); 2529 close_attr(fp); 2530 open_attr(fp, "ruid"); 2531 print_user(fp, tok->tt.proc32.ruid, raw); 2532 close_attr(fp); 2533 open_attr(fp, "rgid"); 2534 print_group(fp, tok->tt.proc32.rgid, raw); 2535 close_attr(fp); 2536 open_attr(fp, "pid"); 2537 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2538 close_attr(fp); 2539 open_attr(fp, "sid"); 2540 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2541 close_attr(fp); 2542 open_attr(fp, "tid"); 2543 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2544 print_ip_address(fp, tok->tt.proc32.tid.addr); 2545 close_attr(fp); 2546 close_tag(fp, tok->id); 2547 } else { 2548 print_delim(fp, del); 2549 print_user(fp, tok->tt.proc32.auid, raw); 2550 print_delim(fp, del); 2551 print_user(fp, tok->tt.proc32.euid, raw); 2552 print_delim(fp, del); 2553 print_group(fp, tok->tt.proc32.egid, raw); 2554 print_delim(fp, del); 2555 print_user(fp, tok->tt.proc32.ruid, raw); 2556 print_delim(fp, del); 2557 print_group(fp, tok->tt.proc32.rgid, raw); 2558 print_delim(fp, del); 2559 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2560 print_delim(fp, del); 2561 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2562 print_delim(fp, del); 2563 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2564 print_delim(fp, del); 2565 print_ip_address(fp, tok->tt.proc32.tid.addr); 2566 } 2567 } 2568 2569 /* 2570 * token ID 1 byte 2571 * audit ID 4 bytes 2572 * euid 4 bytes 2573 * egid 4 bytes 2574 * ruid 4 bytes 2575 * rgid 4 bytes 2576 * pid 4 bytes 2577 * sessid 4 bytes 2578 * terminal ID 2579 * portid 8 bytes 2580 * machine id 4 bytes 2581 */ 2582 static int 2583 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2584 { 2585 int err = 0; 2586 2587 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2588 if (err) 2589 return (-1); 2590 2591 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2592 if (err) 2593 return (-1); 2594 2595 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2596 if (err) 2597 return (-1); 2598 2599 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2600 if (err) 2601 return (-1); 2602 2603 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2604 if (err) 2605 return (-1); 2606 2607 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2608 if (err) 2609 return (-1); 2610 2611 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2612 if (err) 2613 return (-1); 2614 2615 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2616 if (err) 2617 return (-1); 2618 2619 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2620 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2621 if (err) 2622 return (-1); 2623 2624 return (0); 2625 } 2626 2627 static void 2628 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2629 __unused char sfrm, int xml) 2630 { 2631 print_tok_type(fp, tok->id, "process", raw, xml); 2632 if (xml) { 2633 open_attr(fp, "audit-uid"); 2634 print_user(fp, tok->tt.proc64.auid, raw); 2635 close_attr(fp); 2636 open_attr(fp, "uid"); 2637 print_user(fp, tok->tt.proc64.euid, raw); 2638 close_attr(fp); 2639 open_attr(fp, "gid"); 2640 print_group(fp, tok->tt.proc64.egid, raw); 2641 close_attr(fp); 2642 open_attr(fp, "ruid"); 2643 print_user(fp, tok->tt.proc64.ruid, raw); 2644 close_attr(fp); 2645 open_attr(fp, "rgid"); 2646 print_group(fp, tok->tt.proc64.rgid, raw); 2647 close_attr(fp); 2648 open_attr(fp, "pid"); 2649 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2650 close_attr(fp); 2651 open_attr(fp, "sid"); 2652 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2653 close_attr(fp); 2654 open_attr(fp, "tid"); 2655 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2656 print_ip_address(fp, tok->tt.proc64.tid.addr); 2657 close_attr(fp); 2658 close_tag(fp, tok->id); 2659 } else { 2660 print_delim(fp, del); 2661 print_user(fp, tok->tt.proc64.auid, raw); 2662 print_delim(fp, del); 2663 print_user(fp, tok->tt.proc64.euid, raw); 2664 print_delim(fp, del); 2665 print_group(fp, tok->tt.proc64.egid, raw); 2666 print_delim(fp, del); 2667 print_user(fp, tok->tt.proc64.ruid, raw); 2668 print_delim(fp, del); 2669 print_group(fp, tok->tt.proc64.rgid, raw); 2670 print_delim(fp, del); 2671 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2672 print_delim(fp, del); 2673 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2674 print_delim(fp, del); 2675 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2676 print_delim(fp, del); 2677 print_ip_address(fp, tok->tt.proc64.tid.addr); 2678 } 2679 } 2680 2681 /* 2682 * token ID 1 byte 2683 * audit ID 4 bytes 2684 * effective user ID 4 bytes 2685 * effective group ID 4 bytes 2686 * real user ID 4 bytes 2687 * real group ID 4 bytes 2688 * process ID 4 bytes 2689 * session ID 4 bytes 2690 * terminal ID 2691 * port ID 4 bytes 2692 * address type-len 4 bytes 2693 * machine address 16 bytes 2694 */ 2695 static int 2696 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2697 { 2698 int err = 0; 2699 2700 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2701 if (err) 2702 return (-1); 2703 2704 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2705 if (err) 2706 return (-1); 2707 2708 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2709 if (err) 2710 return (-1); 2711 2712 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2713 if (err) 2714 return (-1); 2715 2716 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2717 if (err) 2718 return (-1); 2719 2720 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2721 if (err) 2722 return (-1); 2723 2724 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2725 if (err) 2726 return (-1); 2727 2728 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2729 err); 2730 if (err) 2731 return (-1); 2732 2733 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2734 err); 2735 if (err) 2736 return (-1); 2737 2738 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2739 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2740 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2741 if (err) 2742 return (-1); 2743 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2744 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2745 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2746 if (err) 2747 return (-1); 2748 } else 2749 return (-1); 2750 2751 return (0); 2752 } 2753 2754 static void 2755 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2756 __unused char sfrm, int xml) 2757 { 2758 2759 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2760 if (xml) { 2761 open_attr(fp, "audit-uid"); 2762 print_user(fp, tok->tt.proc32_ex.auid, raw); 2763 close_attr(fp); 2764 open_attr(fp, "uid"); 2765 print_user(fp, tok->tt.proc32_ex.euid, raw); 2766 close_attr(fp); 2767 open_attr(fp, "gid"); 2768 print_group(fp, tok->tt.proc32_ex.egid, raw); 2769 close_attr(fp); 2770 open_attr(fp, "ruid"); 2771 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2772 close_attr(fp); 2773 open_attr(fp, "rgid"); 2774 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2775 close_attr(fp); 2776 open_attr(fp, "pid"); 2777 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2778 close_attr(fp); 2779 open_attr(fp, "sid"); 2780 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2781 close_attr(fp); 2782 open_attr(fp, "tid"); 2783 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2784 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2785 tok->tt.proc32_ex.tid.addr); 2786 close_attr(fp); 2787 close_tag(fp, tok->id); 2788 } else { 2789 print_delim(fp, del); 2790 print_user(fp, tok->tt.proc32_ex.auid, raw); 2791 print_delim(fp, del); 2792 print_user(fp, tok->tt.proc32_ex.euid, raw); 2793 print_delim(fp, del); 2794 print_group(fp, tok->tt.proc32_ex.egid, raw); 2795 print_delim(fp, del); 2796 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2797 print_delim(fp, del); 2798 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2799 print_delim(fp, del); 2800 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2801 print_delim(fp, del); 2802 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2803 print_delim(fp, del); 2804 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2805 print_delim(fp, del); 2806 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2807 tok->tt.proc32_ex.tid.addr); 2808 } 2809 } 2810 2811 /* 2812 * token ID 1 byte 2813 * audit ID 4 bytes 2814 * effective user ID 4 bytes 2815 * effective group ID 4 bytes 2816 * real user ID 4 bytes 2817 * real group ID 4 bytes 2818 * process ID 4 bytes 2819 * session ID 4 bytes 2820 * terminal ID 2821 * port ID 8 bytes 2822 * address type-len 4 bytes 2823 * machine address 16 bytes 2824 */ 2825 static int 2826 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2827 { 2828 int err = 0; 2829 2830 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2831 if (err) 2832 return (-1); 2833 2834 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2835 if (err) 2836 return (-1); 2837 2838 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2839 if (err) 2840 return (-1); 2841 2842 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2843 if (err) 2844 return (-1); 2845 2846 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2847 if (err) 2848 return (-1); 2849 2850 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2851 if (err) 2852 return (-1); 2853 2854 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2855 if (err) 2856 return (-1); 2857 2858 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2859 err); 2860 if (err) 2861 return (-1); 2862 2863 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2864 err); 2865 if (err) 2866 return (-1); 2867 2868 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2869 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2870 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2871 if (err) 2872 return (-1); 2873 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2874 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2875 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2876 if (err) 2877 return (-1); 2878 } else 2879 return (-1); 2880 2881 return (0); 2882 } 2883 2884 static void 2885 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2886 __unused char sfrm, int xml) 2887 { 2888 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2889 if (xml) { 2890 open_attr(fp, "audit-uid"); 2891 print_user(fp, tok->tt.proc64_ex.auid, raw); 2892 close_attr(fp); 2893 open_attr(fp, "uid"); 2894 print_user(fp, tok->tt.proc64_ex.euid, raw); 2895 close_attr(fp); 2896 open_attr(fp, "gid"); 2897 print_group(fp, tok->tt.proc64_ex.egid, raw); 2898 close_attr(fp); 2899 open_attr(fp, "ruid"); 2900 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2901 close_attr(fp); 2902 open_attr(fp, "rgid"); 2903 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2904 close_attr(fp); 2905 open_attr(fp, "pid"); 2906 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2907 close_attr(fp); 2908 open_attr(fp, "sid"); 2909 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2910 close_attr(fp); 2911 open_attr(fp, "tid"); 2912 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2913 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2914 tok->tt.proc64_ex.tid.addr); 2915 close_attr(fp); 2916 close_tag(fp, tok->id); 2917 } else { 2918 print_delim(fp, del); 2919 print_user(fp, tok->tt.proc64_ex.auid, raw); 2920 print_delim(fp, del); 2921 print_user(fp, tok->tt.proc64_ex.euid, raw); 2922 print_delim(fp, del); 2923 print_group(fp, tok->tt.proc64_ex.egid, raw); 2924 print_delim(fp, del); 2925 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2926 print_delim(fp, del); 2927 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2928 print_delim(fp, del); 2929 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2930 print_delim(fp, del); 2931 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2932 print_delim(fp, del); 2933 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2934 print_delim(fp, del); 2935 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2936 tok->tt.proc64_ex.tid.addr); 2937 } 2938 } 2939 2940 /* 2941 * errno 1 byte 2942 * return value 4 bytes 2943 */ 2944 static int 2945 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2946 { 2947 int err = 0; 2948 2949 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2950 if (err) 2951 return (-1); 2952 2953 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2954 if (err) 2955 return (-1); 2956 2957 return (0); 2958 } 2959 2960 static void 2961 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2962 __unused char sfrm, int xml) 2963 { 2964 2965 print_tok_type(fp, tok->id, "return", raw, xml); 2966 if (xml) { 2967 open_attr(fp ,"errval"); 2968 print_retval(fp, tok->tt.ret32.status, raw); 2969 close_attr(fp); 2970 open_attr(fp, "retval"); 2971 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2972 close_attr(fp); 2973 close_tag(fp, tok->id); 2974 } else { 2975 print_delim(fp, del); 2976 print_retval(fp, tok->tt.ret32.status, raw); 2977 print_delim(fp, del); 2978 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2979 } 2980 } 2981 2982 static int 2983 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2984 { 2985 int err = 0; 2986 2987 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2988 if (err) 2989 return (-1); 2990 2991 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 2992 if (err) 2993 return (-1); 2994 2995 return (0); 2996 } 2997 2998 static void 2999 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3000 __unused char sfrm, int xml) 3001 { 3002 3003 print_tok_type(fp, tok->id, "return", raw, xml); 3004 if (xml) { 3005 open_attr(fp, "errval"); 3006 print_retval(fp, tok->tt.ret64.err, raw); 3007 close_attr(fp); 3008 open_attr(fp, "retval"); 3009 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3010 close_attr(fp); 3011 close_tag(fp, tok->id); 3012 } else { 3013 print_delim(fp, del); 3014 print_retval(fp, tok->tt.ret64.err, raw); 3015 print_delim(fp, del); 3016 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3017 } 3018 } 3019 3020 /* 3021 * seq 4 bytes 3022 */ 3023 static int 3024 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3025 { 3026 int err = 0; 3027 3028 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3029 if (err) 3030 return (-1); 3031 3032 return (0); 3033 } 3034 3035 static void 3036 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3037 __unused char sfrm, int xml) 3038 { 3039 3040 print_tok_type(fp, tok->id, "sequence", raw, xml); 3041 if (xml) { 3042 open_attr(fp, "seq-num"); 3043 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3044 close_attr(fp); 3045 close_tag(fp, tok->id); 3046 } else { 3047 print_delim(fp, del); 3048 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3049 } 3050 } 3051 3052 /* 3053 * socket family 2 bytes 3054 * local port 2 bytes 3055 * socket address 4 bytes 3056 */ 3057 static int 3058 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3059 { 3060 int err = 0; 3061 3062 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3063 err); 3064 if (err) 3065 return (-1); 3066 3067 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3068 sizeof(uint16_t), tok->len, err); 3069 if (err) 3070 return (-1); 3071 3072 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3073 sizeof(tok->tt.sockinet32.addr), tok->len, err); 3074 if (err) 3075 return (-1); 3076 3077 return (0); 3078 } 3079 3080 static void 3081 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3082 __unused char sfrm, int xml) 3083 { 3084 3085 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3086 if (xml) { 3087 open_attr(fp, "type"); 3088 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3089 close_attr(fp); 3090 open_attr(fp, "port"); 3091 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3092 close_attr(fp); 3093 open_attr(fp, "addr"); 3094 print_ip_address(fp, tok->tt.sockinet32.addr); 3095 close_attr(fp); 3096 close_tag(fp, tok->id); 3097 } else { 3098 print_delim(fp, del); 3099 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3100 print_delim(fp, del); 3101 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3102 print_delim(fp, del); 3103 print_ip_address(fp, tok->tt.sockinet32.addr); 3104 } 3105 } 3106 3107 /* 3108 * socket family 2 bytes 3109 * path 104 bytes 3110 */ 3111 static int 3112 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3113 { 3114 int err = 0; 3115 3116 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3117 if (err) 3118 return (-1); 3119 3120 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3121 err); 3122 if (err) 3123 return (-1); 3124 3125 return (0); 3126 } 3127 3128 static void 3129 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3130 __unused char sfrm, int xml) 3131 { 3132 3133 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3134 if (xml) { 3135 open_attr(fp, "type"); 3136 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3137 close_attr(fp); 3138 open_attr(fp, "port"); 3139 close_attr(fp); 3140 open_attr(fp, "addr"); 3141 print_string(fp, tok->tt.sockunix.path, 3142 strlen(tok->tt.sockunix.path)); 3143 close_attr(fp); 3144 close_tag(fp, tok->id); 3145 } else { 3146 print_delim(fp, del); 3147 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3148 print_delim(fp, del); 3149 print_string(fp, tok->tt.sockunix.path, 3150 strlen(tok->tt.sockunix.path)); 3151 } 3152 } 3153 3154 /* 3155 * socket type 2 bytes 3156 * local port 2 bytes 3157 * local address 4 bytes 3158 * remote port 2 bytes 3159 * remote address 4 bytes 3160 */ 3161 static int 3162 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3163 { 3164 int err = 0; 3165 3166 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3167 if (err) 3168 return (-1); 3169 3170 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3171 tok->len, err); 3172 if (err) 3173 return (-1); 3174 3175 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3176 sizeof(tok->tt.socket.l_addr), tok->len, err); 3177 if (err) 3178 return (-1); 3179 3180 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3181 tok->len, err); 3182 if (err) 3183 return (-1); 3184 3185 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3186 sizeof(tok->tt.socket.r_addr), tok->len, err); 3187 if (err) 3188 return (-1); 3189 3190 return (0); 3191 } 3192 3193 static void 3194 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3195 __unused char sfrm, int xml) 3196 { 3197 3198 print_tok_type(fp, tok->id, "socket", raw, xml); 3199 if (xml) { 3200 open_attr(fp, "sock_type"); 3201 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3202 close_attr(fp); 3203 open_attr(fp, "lport"); 3204 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3205 close_attr(fp); 3206 open_attr(fp, "laddr"); 3207 print_ip_address(fp, tok->tt.socket.l_addr); 3208 close_attr(fp); 3209 open_attr(fp, "fport"); 3210 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3211 close_attr(fp); 3212 open_attr(fp, "faddr"); 3213 print_ip_address(fp, tok->tt.socket.r_addr); 3214 close_attr(fp); 3215 close_tag(fp, tok->id); 3216 } else { 3217 print_delim(fp, del); 3218 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3219 print_delim(fp, del); 3220 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3221 print_delim(fp, del); 3222 print_ip_address(fp, tok->tt.socket.l_addr); 3223 print_delim(fp, del); 3224 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3225 print_delim(fp, del); 3226 print_ip_address(fp, tok->tt.socket.r_addr); 3227 } 3228 } 3229 3230 /* 3231 * audit ID 4 bytes 3232 * euid 4 bytes 3233 * egid 4 bytes 3234 * ruid 4 bytes 3235 * rgid 4 bytes 3236 * pid 4 bytes 3237 * sessid 4 bytes 3238 * terminal ID 3239 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3240 * machine id 4 bytes 3241 */ 3242 static int 3243 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3244 { 3245 int err = 0; 3246 3247 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3248 if (err) 3249 return (-1); 3250 3251 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3252 if (err) 3253 return (-1); 3254 3255 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3256 if (err) 3257 return (-1); 3258 3259 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3260 if (err) 3261 return (-1); 3262 3263 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3264 if (err) 3265 return (-1); 3266 3267 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3268 if (err) 3269 return (-1); 3270 3271 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3272 if (err) 3273 return (-1); 3274 3275 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3276 if (err) 3277 return (-1); 3278 3279 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3280 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3281 if (err) 3282 return (-1); 3283 3284 return (0); 3285 } 3286 3287 static void 3288 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3289 __unused char sfrm, int xml) 3290 { 3291 3292 print_tok_type(fp, tok->id, "subject", raw, xml); 3293 if (xml) { 3294 open_attr(fp, "audit-uid"); 3295 print_user(fp, tok->tt.subj32.auid, raw); 3296 close_attr(fp); 3297 open_attr(fp, "uid"); 3298 print_user(fp, tok->tt.subj32.euid, raw); 3299 close_attr(fp); 3300 open_attr(fp, "gid"); 3301 print_group(fp, tok->tt.subj32.egid, raw); 3302 close_attr(fp); 3303 open_attr(fp, "ruid"); 3304 print_user(fp, tok->tt.subj32.ruid, raw); 3305 close_attr(fp); 3306 open_attr(fp, "rgid"); 3307 print_group(fp, tok->tt.subj32.rgid, raw); 3308 close_attr(fp); 3309 open_attr(fp,"pid"); 3310 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3311 close_attr(fp); 3312 open_attr(fp,"sid"); 3313 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3314 close_attr(fp); 3315 open_attr(fp,"tid"); 3316 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3317 print_ip_address(fp, tok->tt.subj32.tid.addr); 3318 close_attr(fp); 3319 close_tag(fp, tok->id); 3320 } else { 3321 print_delim(fp, del); 3322 print_user(fp, tok->tt.subj32.auid, raw); 3323 print_delim(fp, del); 3324 print_user(fp, tok->tt.subj32.euid, raw); 3325 print_delim(fp, del); 3326 print_group(fp, tok->tt.subj32.egid, raw); 3327 print_delim(fp, del); 3328 print_user(fp, tok->tt.subj32.ruid, raw); 3329 print_delim(fp, del); 3330 print_group(fp, tok->tt.subj32.rgid, raw); 3331 print_delim(fp, del); 3332 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3333 print_delim(fp, del); 3334 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3335 print_delim(fp, del); 3336 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3337 print_delim(fp, del); 3338 print_ip_address(fp, tok->tt.subj32.tid.addr); 3339 } 3340 } 3341 3342 /* 3343 * audit ID 4 bytes 3344 * euid 4 bytes 3345 * egid 4 bytes 3346 * ruid 4 bytes 3347 * rgid 4 bytes 3348 * pid 4 bytes 3349 * sessid 4 bytes 3350 * terminal ID 3351 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3352 * machine id 4 bytes 3353 */ 3354 static int 3355 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3356 { 3357 int err = 0; 3358 3359 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3360 if (err) 3361 return (-1); 3362 3363 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3364 if (err) 3365 return (-1); 3366 3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3368 if (err) 3369 return (-1); 3370 3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3372 if (err) 3373 return (-1); 3374 3375 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3376 if (err) 3377 return (-1); 3378 3379 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3380 if (err) 3381 return (-1); 3382 3383 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3384 if (err) 3385 return (-1); 3386 3387 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3388 if (err) 3389 return (-1); 3390 3391 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3392 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3393 if (err) 3394 return (-1); 3395 3396 return (0); 3397 } 3398 3399 static void 3400 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3401 __unused char sfrm, int xml) 3402 { 3403 3404 print_tok_type(fp, tok->id, "subject", raw, xml); 3405 if (xml) { 3406 open_attr(fp, "audit-uid"); 3407 print_user(fp, tok->tt.subj64.auid, raw); 3408 close_attr(fp); 3409 open_attr(fp, "uid"); 3410 print_user(fp, tok->tt.subj64.euid, raw); 3411 close_attr(fp); 3412 open_attr(fp, "gid"); 3413 print_group(fp, tok->tt.subj64.egid, raw); 3414 close_attr(fp); 3415 open_attr(fp, "ruid"); 3416 print_user(fp, tok->tt.subj64.ruid, raw); 3417 close_attr(fp); 3418 open_attr(fp, "rgid"); 3419 print_group(fp, tok->tt.subj64.rgid, raw); 3420 close_attr(fp); 3421 open_attr(fp, "pid"); 3422 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3423 close_attr(fp); 3424 open_attr(fp, "sid"); 3425 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3426 close_attr(fp); 3427 open_attr(fp, "tid"); 3428 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3429 print_ip_address(fp, tok->tt.subj64.tid.addr); 3430 close_attr(fp); 3431 close_tag(fp, tok->id); 3432 } else { 3433 print_delim(fp, del); 3434 print_user(fp, tok->tt.subj64.auid, raw); 3435 print_delim(fp, del); 3436 print_user(fp, tok->tt.subj64.euid, raw); 3437 print_delim(fp, del); 3438 print_group(fp, tok->tt.subj64.egid, raw); 3439 print_delim(fp, del); 3440 print_user(fp, tok->tt.subj64.ruid, raw); 3441 print_delim(fp, del); 3442 print_group(fp, tok->tt.subj64.rgid, raw); 3443 print_delim(fp, del); 3444 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3445 print_delim(fp, del); 3446 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3447 print_delim(fp, del); 3448 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3449 print_delim(fp, del); 3450 print_ip_address(fp, tok->tt.subj64.tid.addr); 3451 } 3452 } 3453 3454 /* 3455 * audit ID 4 bytes 3456 * euid 4 bytes 3457 * egid 4 bytes 3458 * ruid 4 bytes 3459 * rgid 4 bytes 3460 * pid 4 bytes 3461 * sessid 4 bytes 3462 * terminal ID 3463 * portid 4 bytes 3464 * type 4 bytes 3465 * machine id 16 bytes 3466 */ 3467 static int 3468 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3469 { 3470 int err = 0; 3471 3472 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3473 if (err) 3474 return (-1); 3475 3476 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3477 if (err) 3478 return (-1); 3479 3480 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3481 if (err) 3482 return (-1); 3483 3484 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3485 if (err) 3486 return (-1); 3487 3488 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3489 if (err) 3490 return (-1); 3491 3492 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3493 if (err) 3494 return (-1); 3495 3496 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3497 if (err) 3498 return (-1); 3499 3500 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3501 err); 3502 if (err) 3503 return (-1); 3504 3505 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3506 err); 3507 if (err) 3508 return (-1); 3509 3510 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3511 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3512 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3513 if (err) 3514 return (-1); 3515 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3516 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3517 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3518 if (err) 3519 return (-1); 3520 } else 3521 return (-1); 3522 3523 return (0); 3524 } 3525 3526 static void 3527 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3528 __unused char sfrm, int xml) 3529 { 3530 3531 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3532 if (xml) { 3533 open_attr(fp, "audit-uid"); 3534 print_user(fp, tok->tt.subj32_ex.auid, raw); 3535 close_attr(fp); 3536 open_attr(fp, "uid"); 3537 print_user(fp, tok->tt.subj32_ex.euid, raw); 3538 close_attr(fp); 3539 open_attr(fp, "gid"); 3540 print_group(fp, tok->tt.subj32_ex.egid, raw); 3541 close_attr(fp); 3542 open_attr(fp, "ruid"); 3543 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3544 close_attr(fp); 3545 open_attr(fp, "rgid"); 3546 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3547 close_attr(fp); 3548 open_attr(fp, "pid"); 3549 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3550 close_attr(fp); 3551 open_attr(fp, "sid"); 3552 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3553 close_attr(fp); 3554 open_attr(fp, "tid"); 3555 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3556 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3557 tok->tt.subj32_ex.tid.addr); 3558 close_attr(fp); 3559 close_tag(fp, tok->id); 3560 } else { 3561 print_delim(fp, del); 3562 print_user(fp, tok->tt.subj32_ex.auid, raw); 3563 print_delim(fp, del); 3564 print_user(fp, tok->tt.subj32_ex.euid, raw); 3565 print_delim(fp, del); 3566 print_group(fp, tok->tt.subj32_ex.egid, raw); 3567 print_delim(fp, del); 3568 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3569 print_delim(fp, del); 3570 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3571 print_delim(fp, del); 3572 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3573 print_delim(fp, del); 3574 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3575 print_delim(fp, del); 3576 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3577 print_delim(fp, del); 3578 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3579 tok->tt.subj32_ex.tid.addr); 3580 } 3581 } 3582 3583 /* 3584 * audit ID 4 bytes 3585 * euid 4 bytes 3586 * egid 4 bytes 3587 * ruid 4 bytes 3588 * rgid 4 bytes 3589 * pid 4 bytes 3590 * sessid 4 bytes 3591 * terminal ID 3592 * portid 8 bytes 3593 * type 4 bytes 3594 * machine id 16 bytes 3595 */ 3596 static int 3597 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3598 { 3599 int err = 0; 3600 3601 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3602 if (err) 3603 return (-1); 3604 3605 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3606 if (err) 3607 return (-1); 3608 3609 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3610 if (err) 3611 return (-1); 3612 3613 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3614 if (err) 3615 return (-1); 3616 3617 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3618 if (err) 3619 return (-1); 3620 3621 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3622 if (err) 3623 return (-1); 3624 3625 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3626 if (err) 3627 return (-1); 3628 3629 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3630 err); 3631 if (err) 3632 return (-1); 3633 3634 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3635 err); 3636 if (err) 3637 return (-1); 3638 3639 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3640 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3641 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3642 if (err) 3643 return (-1); 3644 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3645 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3646 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3647 if (err) 3648 return (-1); 3649 } else 3650 return (-1); 3651 3652 return (0); 3653 } 3654 3655 static void 3656 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3657 __unused char sfrm, int xml) 3658 { 3659 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3660 if (xml) { 3661 open_attr(fp, "audit-uid"); 3662 print_user(fp, tok->tt.subj64_ex.auid, raw); 3663 close_attr(fp); 3664 open_attr(fp, "uid"); 3665 print_user(fp, tok->tt.subj64_ex.euid, raw); 3666 close_attr(fp); 3667 open_attr(fp, "gid"); 3668 print_group(fp, tok->tt.subj64_ex.egid, raw); 3669 close_attr(fp); 3670 open_attr(fp, "ruid"); 3671 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3672 close_attr(fp); 3673 open_attr(fp, "rgid"); 3674 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3675 close_attr(fp); 3676 open_attr(fp, "pid"); 3677 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3678 close_attr(fp); 3679 open_attr(fp, "sid"); 3680 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3681 close_attr(fp); 3682 open_attr(fp, "tid"); 3683 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3684 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3685 tok->tt.subj64_ex.tid.addr); 3686 close_attr(fp); 3687 close_tag(fp, tok->id); 3688 } else { 3689 print_delim(fp, del); 3690 print_user(fp, tok->tt.subj64_ex.auid, raw); 3691 print_delim(fp, del); 3692 print_user(fp, tok->tt.subj64_ex.euid, raw); 3693 print_delim(fp, del); 3694 print_group(fp, tok->tt.subj64_ex.egid, raw); 3695 print_delim(fp, del); 3696 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3697 print_delim(fp, del); 3698 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3699 print_delim(fp, del); 3700 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3701 print_delim(fp, del); 3702 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3703 print_delim(fp, del); 3704 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3705 print_delim(fp, del); 3706 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3707 tok->tt.subj64_ex.tid.addr); 3708 } 3709 } 3710 3711 /* 3712 * size 2 bytes 3713 * data size bytes 3714 */ 3715 static int 3716 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3717 { 3718 int err = 0; 3719 3720 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3721 if (err) 3722 return (-1); 3723 3724 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3725 err); 3726 if (err) 3727 return (-1); 3728 3729 return (0); 3730 } 3731 3732 static void 3733 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3734 __unused char sfrm, int xml) 3735 { 3736 3737 print_tok_type(fp, tok->id, "text", raw, xml); 3738 if (xml) { 3739 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3740 close_tag(fp, tok->id); 3741 } else { 3742 print_delim(fp, del); 3743 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3744 } 3745 } 3746 3747 /* 3748 * socket type 2 bytes 3749 * local port 2 bytes 3750 * address type/length 4 bytes 3751 * local Internet address 4 bytes 3752 * remote port 4 bytes 3753 * address type/length 4 bytes 3754 * remote Internet address 4 bytes 3755 */ 3756 static int 3757 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3758 { 3759 int err = 0; 3760 3761 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3762 err); 3763 if (err) 3764 return (-1); 3765 3766 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3767 sizeof(uint16_t), tok->len, err); 3768 if (err) 3769 return (-1); 3770 3771 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len, 3772 err); 3773 if (err) 3774 return (-1); 3775 3776 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3777 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3778 if (err) 3779 return (-1); 3780 3781 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3782 sizeof(uint16_t), tok->len, err); 3783 if (err) 3784 return (-1); 3785 3786 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len, 3787 err); 3788 if (err) 3789 return (-1); 3790 3791 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3792 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3793 if (err) 3794 return (-1); 3795 3796 return (0); 3797 } 3798 3799 static void 3800 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3801 __unused char sfrm, int xml) 3802 { 3803 3804 print_tok_type(fp, tok->id, "socket", raw, xml); 3805 if (xml) { 3806 open_attr(fp, "sock_type"); 3807 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3808 close_attr(fp); 3809 open_attr(fp, "lport"); 3810 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3811 close_attr(fp); 3812 open_attr(fp, "laddr"); 3813 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3814 close_attr(fp); 3815 open_attr(fp, "faddr"); 3816 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3817 close_attr(fp); 3818 open_attr(fp, "fport"); 3819 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3820 close_attr(fp); 3821 close_tag(fp, tok->id); 3822 } else { 3823 print_delim(fp, del); 3824 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3825 print_delim(fp, del); 3826 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3827 print_delim(fp, del); 3828 print_ip_address(fp, tok->tt.socket_ex32.l_addr); 3829 print_delim(fp, del); 3830 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3831 print_delim(fp, del); 3832 print_ip_address(fp, tok->tt.socket_ex32.r_addr); 3833 } 3834 } 3835 3836 static int 3837 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3838 { 3839 int err = 0; 3840 int recoversize; 3841 3842 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3843 if (recoversize <= 0) 3844 return (-1); 3845 3846 tok->tt.invalid.length = recoversize; 3847 3848 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3849 err); 3850 if (err) 3851 return (-1); 3852 3853 return (0); 3854 } 3855 3856 static void 3857 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3858 __unused char sfrm, int xml) 3859 { 3860 3861 if (!xml) { 3862 print_tok_type(fp, tok->id, "unknown", raw, 0); 3863 print_delim(fp, del); 3864 print_mem(fp, (u_char*)tok->tt.invalid.data, 3865 tok->tt.invalid.length); 3866 } 3867 } 3868 3869 3870 /* 3871 * size 2 bytes; 3872 * zonename size bytes; 3873 */ 3874 static int 3875 fetch_zonename_tok(tokenstr_t *tok, char *buf, int len) 3876 { 3877 int err = 0; 3878 3879 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3880 if (err) 3881 return (-1); 3882 SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3883 tok->len, err); 3884 if (err) 3885 return (-1); 3886 return (0); 3887 } 3888 3889 static void 3890 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3891 __unused char sfrm, int xml) 3892 { 3893 3894 print_tok_type(fp, tok->id, "zone", raw, xml); 3895 if (xml) { 3896 open_attr(fp, "name"); 3897 print_string(fp, tok->tt.zonename.zonename, 3898 tok->tt.zonename.len); 3899 close_attr(fp); 3900 close_tag(fp, tok->id); 3901 } else { 3902 print_delim(fp, del); 3903 print_string(fp, tok->tt.zonename.zonename, 3904 tok->tt.zonename.len); 3905 } 3906 } 3907 3908 /* 3909 * Reads the token beginning at buf into tok. 3910 */ 3911 int 3912 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3913 { 3914 3915 if (len <= 0) 3916 return (-1); 3917 3918 tok->len = 1; 3919 tok->data = buf; 3920 tok->id = *buf; 3921 3922 switch(tok->id) { 3923 case AUT_HEADER32: 3924 return (fetch_header32_tok(tok, buf, len)); 3925 3926 case AUT_HEADER32_EX: 3927 return (fetch_header32_ex_tok(tok, buf, len)); 3928 3929 case AUT_HEADER64: 3930 return (fetch_header64_tok(tok, buf, len)); 3931 3932 case AUT_HEADER64_EX: 3933 return (fetch_header64_ex_tok(tok, buf, len)); 3934 3935 case AUT_TRAILER: 3936 return (fetch_trailer_tok(tok, buf, len)); 3937 3938 case AUT_ARG32: 3939 return (fetch_arg32_tok(tok, buf, len)); 3940 3941 case AUT_ARG64: 3942 return (fetch_arg64_tok(tok, buf, len)); 3943 3944 case AUT_ATTR32: 3945 return (fetch_attr32_tok(tok, buf, len)); 3946 3947 case AUT_ATTR64: 3948 return (fetch_attr64_tok(tok, buf, len)); 3949 3950 case AUT_EXIT: 3951 return (fetch_exit_tok(tok, buf, len)); 3952 3953 case AUT_EXEC_ARGS: 3954 return (fetch_execarg_tok(tok, buf, len)); 3955 3956 case AUT_EXEC_ENV: 3957 return (fetch_execenv_tok(tok, buf, len)); 3958 3959 case AUT_OTHER_FILE32: 3960 return (fetch_file_tok(tok, buf, len)); 3961 3962 case AUT_NEWGROUPS: 3963 return (fetch_newgroups_tok(tok, buf, len)); 3964 3965 case AUT_IN_ADDR: 3966 return (fetch_inaddr_tok(tok, buf, len)); 3967 3968 case AUT_IN_ADDR_EX: 3969 return (fetch_inaddr_ex_tok(tok, buf, len)); 3970 3971 case AUT_IP: 3972 return (fetch_ip_tok(tok, buf, len)); 3973 3974 case AUT_IPC: 3975 return (fetch_ipc_tok(tok, buf, len)); 3976 3977 case AUT_IPC_PERM: 3978 return (fetch_ipcperm_tok(tok, buf, len)); 3979 3980 case AUT_IPORT: 3981 return (fetch_iport_tok(tok, buf, len)); 3982 3983 case AUT_OPAQUE: 3984 return (fetch_opaque_tok(tok, buf, len)); 3985 3986 case AUT_PATH: 3987 return (fetch_path_tok(tok, buf, len)); 3988 3989 case AUT_PROCESS32: 3990 return (fetch_process32_tok(tok, buf, len)); 3991 3992 case AUT_PROCESS32_EX: 3993 return (fetch_process32ex_tok(tok, buf, len)); 3994 3995 case AUT_PROCESS64: 3996 return (fetch_process64_tok(tok, buf, len)); 3997 3998 case AUT_PROCESS64_EX: 3999 return (fetch_process64ex_tok(tok, buf, len)); 4000 4001 case AUT_RETURN32: 4002 return (fetch_return32_tok(tok, buf, len)); 4003 4004 case AUT_RETURN64: 4005 return (fetch_return64_tok(tok, buf, len)); 4006 4007 case AUT_SEQ: 4008 return (fetch_seq_tok(tok, buf, len)); 4009 4010 case AUT_SOCKET: 4011 return (fetch_socket_tok(tok, buf, len)); 4012 4013 case AUT_SOCKINET32: 4014 return (fetch_sock_inet32_tok(tok, buf, len)); 4015 4016 case AUT_SOCKUNIX: 4017 return (fetch_sock_unix_tok(tok, buf, len)); 4018 4019 case AUT_SUBJECT32: 4020 return (fetch_subject32_tok(tok, buf, len)); 4021 4022 case AUT_SUBJECT32_EX: 4023 return (fetch_subject32ex_tok(tok, buf, len)); 4024 4025 case AUT_SUBJECT64: 4026 return (fetch_subject64_tok(tok, buf, len)); 4027 4028 case AUT_SUBJECT64_EX: 4029 return (fetch_subject64ex_tok(tok, buf, len)); 4030 4031 case AUT_TEXT: 4032 return (fetch_text_tok(tok, buf, len)); 4033 4034 case AUT_SOCKET_EX: 4035 return (fetch_socketex32_tok(tok, buf, len)); 4036 4037 case AUT_DATA: 4038 return (fetch_arb_tok(tok, buf, len)); 4039 4040 case AUT_ZONENAME: 4041 return (fetch_zonename_tok(tok, buf, len)); 4042 4043 default: 4044 return (fetch_invalid_tok(tok, buf, len)); 4045 } 4046 } 4047 4048 /* 4049 * 'prints' the token out to outfp. 4050 */ 4051 void 4052 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4053 { 4054 4055 switch(tok->id) { 4056 case AUT_HEADER32: 4057 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4058 return; 4059 4060 case AUT_HEADER32_EX: 4061 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4062 return; 4063 4064 case AUT_HEADER64: 4065 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4066 return; 4067 4068 case AUT_HEADER64_EX: 4069 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4070 return; 4071 4072 case AUT_TRAILER: 4073 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4074 return; 4075 4076 case AUT_ARG32: 4077 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4078 return; 4079 4080 case AUT_ARG64: 4081 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4082 return; 4083 4084 case AUT_DATA: 4085 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4086 return; 4087 4088 case AUT_ATTR32: 4089 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4090 return; 4091 4092 case AUT_ATTR64: 4093 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4094 return; 4095 4096 case AUT_EXIT: 4097 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4098 return; 4099 4100 case AUT_EXEC_ARGS: 4101 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4102 return; 4103 4104 case AUT_EXEC_ENV: 4105 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4106 return; 4107 4108 case AUT_OTHER_FILE32: 4109 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4110 return; 4111 4112 case AUT_NEWGROUPS: 4113 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4114 return; 4115 4116 case AUT_IN_ADDR: 4117 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4118 return; 4119 4120 case AUT_IN_ADDR_EX: 4121 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4122 return; 4123 4124 case AUT_IP: 4125 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4126 return; 4127 4128 case AUT_IPC: 4129 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4130 return; 4131 4132 case AUT_IPC_PERM: 4133 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4134 return; 4135 4136 case AUT_IPORT: 4137 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4138 return; 4139 4140 case AUT_OPAQUE: 4141 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4142 return; 4143 4144 case AUT_PATH: 4145 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4146 return; 4147 4148 case AUT_PROCESS32: 4149 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4150 return; 4151 4152 case AUT_PROCESS32_EX: 4153 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4154 return; 4155 4156 case AUT_PROCESS64: 4157 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4158 return; 4159 4160 case AUT_PROCESS64_EX: 4161 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4162 return; 4163 4164 case AUT_RETURN32: 4165 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4166 return; 4167 4168 case AUT_RETURN64: 4169 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4170 return; 4171 4172 case AUT_SEQ: 4173 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4174 return; 4175 4176 case AUT_SOCKET: 4177 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4178 return; 4179 4180 case AUT_SOCKINET32: 4181 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4182 return; 4183 4184 case AUT_SOCKUNIX: 4185 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4186 return; 4187 4188 case AUT_SUBJECT32: 4189 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4190 return; 4191 4192 case AUT_SUBJECT64: 4193 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4194 return; 4195 4196 case AUT_SUBJECT32_EX: 4197 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4198 return; 4199 4200 case AUT_SUBJECT64_EX: 4201 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4202 return; 4203 4204 case AUT_TEXT: 4205 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4206 return; 4207 4208 case AUT_SOCKET_EX: 4209 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4210 return; 4211 4212 case AUT_ZONENAME: 4213 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4214 return; 4215 4216 default: 4217 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4218 } 4219 } 4220 4221 /* 4222 * 'prints' the token out to outfp in XML format. 4223 */ 4224 void 4225 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4226 char sfrm) 4227 { 4228 4229 switch(tok->id) { 4230 case AUT_HEADER32: 4231 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4232 return; 4233 4234 case AUT_HEADER32_EX: 4235 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4236 return; 4237 4238 case AUT_HEADER64: 4239 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4240 return; 4241 4242 case AUT_HEADER64_EX: 4243 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4244 return; 4245 4246 case AUT_TRAILER: 4247 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4248 return; 4249 4250 case AUT_ARG32: 4251 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4252 return; 4253 4254 case AUT_ARG64: 4255 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4256 return; 4257 4258 case AUT_DATA: 4259 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4260 return; 4261 4262 case AUT_ATTR32: 4263 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4264 return; 4265 4266 case AUT_ATTR64: 4267 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4268 return; 4269 4270 case AUT_EXIT: 4271 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4272 return; 4273 4274 case AUT_EXEC_ARGS: 4275 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4276 return; 4277 4278 case AUT_EXEC_ENV: 4279 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4280 return; 4281 4282 case AUT_OTHER_FILE32: 4283 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4284 return; 4285 4286 case AUT_NEWGROUPS: 4287 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4288 return; 4289 4290 case AUT_IN_ADDR: 4291 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4292 return; 4293 4294 case AUT_IN_ADDR_EX: 4295 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4296 return; 4297 4298 case AUT_IP: 4299 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4300 return; 4301 4302 case AUT_IPC: 4303 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4304 return; 4305 4306 case AUT_IPC_PERM: 4307 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4308 return; 4309 4310 case AUT_IPORT: 4311 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4312 return; 4313 4314 case AUT_OPAQUE: 4315 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4316 return; 4317 4318 case AUT_PATH: 4319 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4320 return; 4321 4322 case AUT_PROCESS32: 4323 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4324 return; 4325 4326 case AUT_PROCESS32_EX: 4327 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4328 return; 4329 4330 case AUT_PROCESS64: 4331 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4332 return; 4333 4334 case AUT_PROCESS64_EX: 4335 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4336 return; 4337 4338 case AUT_RETURN32: 4339 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4340 return; 4341 4342 case AUT_RETURN64: 4343 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4344 return; 4345 4346 case AUT_SEQ: 4347 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4348 return; 4349 4350 case AUT_SOCKET: 4351 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4352 return; 4353 4354 case AUT_SOCKINET32: 4355 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4356 return; 4357 4358 case AUT_SOCKUNIX: 4359 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4360 return; 4361 4362 case AUT_SUBJECT32: 4363 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4364 return; 4365 4366 case AUT_SUBJECT64: 4367 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4368 return; 4369 4370 case AUT_SUBJECT32_EX: 4371 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4372 return; 4373 4374 case AUT_SUBJECT64_EX: 4375 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4376 return; 4377 4378 case AUT_TEXT: 4379 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4380 return; 4381 4382 case AUT_SOCKET_EX: 4383 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4384 return; 4385 4386 case AUT_ZONENAME: 4387 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4388 return; 4389 4390 default: 4391 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4392 } 4393 } 4394 4395 /* 4396 * Read a record from the file pointer, store data in buf memory for buf is 4397 * also allocated in this function and has to be free'd outside this call. 4398 * 4399 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4400 * complete audit record. 4401 * 4402 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4403 * state, because it will be partly offset into a record. We should rewind 4404 * or do something more intelligent. Particularly interesting is the case 4405 * where we perform a partial read of a record from a non-blockable file 4406 * descriptor. We should return the partial read and continue...? 4407 */ 4408 int 4409 au_read_rec(FILE *fp, u_char **buf) 4410 { 4411 u_char *bptr; 4412 u_int32_t recsize; 4413 u_int32_t bytestoread; 4414 u_char type; 4415 4416 u_int32_t sec, msec; 4417 u_int16_t filenamelen; 4418 4419 type = fgetc(fp); 4420 4421 switch (type) { 4422 case AUT_HEADER32: 4423 case AUT_HEADER32_EX: 4424 case AUT_HEADER64: 4425 case AUT_HEADER64_EX: 4426 /* read the record size from the token */ 4427 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4428 sizeof(u_int32_t)) { 4429 errno = EINVAL; 4430 return (-1); 4431 } 4432 recsize = be32toh(recsize); 4433 4434 /* Check for recsize sanity */ 4435 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4436 errno = EINVAL; 4437 return (-1); 4438 } 4439 4440 *buf = malloc(recsize * sizeof(u_char)); 4441 if (*buf == NULL) 4442 return (-1); 4443 bptr = *buf; 4444 memset(bptr, 0, recsize); 4445 4446 /* store the token contents already read, back to the buffer*/ 4447 *bptr = type; 4448 bptr++; 4449 be32enc(bptr, recsize); 4450 bptr += sizeof(u_int32_t); 4451 4452 /* now read remaining record bytes */ 4453 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4454 4455 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4456 free(*buf); 4457 errno = EINVAL; 4458 return (-1); 4459 } 4460 break; 4461 4462 case AUT_OTHER_FILE32: 4463 /* 4464 * The file token is variable-length, as it includes a 4465 * pathname. As a result, we have to read incrementally 4466 * until we know the total length, then allocate space and 4467 * read the rest. 4468 */ 4469 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4470 errno = EINVAL; 4471 return (-1); 4472 } 4473 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4474 errno = EINVAL; 4475 return (-1); 4476 } 4477 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4478 sizeof(filenamelen)) { 4479 errno = EINVAL; 4480 return (-1); 4481 } 4482 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4483 sizeof(filenamelen) + ntohs(filenamelen); 4484 *buf = malloc(recsize); 4485 if (*buf == NULL) 4486 return (-1); 4487 bptr = *buf; 4488 4489 bcopy(&type, bptr, sizeof(type)); 4490 bptr += sizeof(type); 4491 bcopy(&sec, bptr, sizeof(sec)); 4492 bptr += sizeof(sec); 4493 bcopy(&msec, bptr, sizeof(msec)); 4494 bptr += sizeof(msec); 4495 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4496 bptr += sizeof(filenamelen); 4497 4498 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4499 ntohs(filenamelen)) { 4500 free(buf); 4501 errno = EINVAL; 4502 return (-1); 4503 } 4504 break; 4505 4506 default: 4507 errno = EINVAL; 4508 return (-1); 4509 } 4510 4511 return (recsize); 4512 } 4513