1185573Srwatson/*- 2243750Srwatson * Copyright (c) 2004-2009 Apple Inc. 3155131Srwatson * Copyright (c) 2005 SPARTA, Inc. 4155131Srwatson * Copyright (c) 2006 Robert N. M. Watson 5168777Srwatson * Copyright (c) 2006 Martin Voros 6155131Srwatson * All rights reserved. 7155131Srwatson * 8155131Srwatson * This code was developed in part by Robert N. M. Watson, Senior Principal 9155131Srwatson * Scientist, SPARTA, Inc. 10155131Srwatson * 11155131Srwatson * Redistribution and use in source and binary forms, with or without 12155131Srwatson * modification, are permitted provided that the following conditions 13155131Srwatson * are met: 14155131Srwatson * 1. Redistributions of source code must retain the above copyright 15155131Srwatson * notice, this list of conditions and the following disclaimer. 16155131Srwatson * 2. Redistributions in binary form must reproduce the above copyright 17155131Srwatson * notice, this list of conditions and the following disclaimer in the 18155131Srwatson * documentation and/or other materials provided with the distribution. 19243750Srwatson * 3. Neither the name of Apple Inc. ("Apple") nor the names of 20155131Srwatson * its contributors may be used to endorse or promote products derived 21155131Srwatson * from this software without specific prior written permission. 22155131Srwatson * 23155131Srwatson * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24155131Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25155131Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26155131Srwatson * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27155131Srwatson * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28155131Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29155131Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30155131Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31155131Srwatson * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32155131Srwatson * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33155131Srwatson * POSSIBILITY OF SUCH DAMAGE. 34155131Srwatson */ 35155131Srwatson 36155131Srwatson#include <sys/types.h> 37156283Srwatson 38156283Srwatson#include <config/config.h> 39243750Srwatson 40243750Srwatson#ifdef USE_ENDIAN_H 41243750Srwatson#include <endian.h> 42243750Srwatson#endif 43243750Srwatson#ifdef USE_SYS_ENDIAN_H 44156283Srwatson#include <sys/endian.h> 45243750Srwatson#endif 46243750Srwatson#ifdef USE_MACHINE_ENDIAN_H 47156283Srwatson#include <machine/endian.h> 48243750Srwatson#endif 49243750Srwatson#ifdef USE_COMPAT_ENDIAN_H 50155131Srwatson#include <compat/endian.h> 51243750Srwatson#endif 52243750Srwatson#ifdef USE_COMPAT_ENDIAN_ENC_H 53243750Srwatson#include <compat/endian_enc.h> 54243750Srwatson#endif 55243750Srwatson 56156283Srwatson#ifdef HAVE_FULL_QUEUE_H 57156283Srwatson#include <sys/queue.h> 58156283Srwatson#else /* !HAVE_FULL_QUEUE_H */ 59156283Srwatson#include <compat/queue.h> 60156283Srwatson#endif /* !HAVE_FULL_QUEUE_H */ 61156283Srwatson 62155131Srwatson#include <sys/stat.h> 63155131Srwatson#include <sys/socket.h> 64155131Srwatson 65155131Srwatson#include <bsm/libbsm.h> 66155131Srwatson 67155131Srwatson#include <unistd.h> 68155131Srwatson#include <netinet/in.h> 69155131Srwatson#include <arpa/inet.h> 70155131Srwatson#include <errno.h> 71155131Srwatson#include <time.h> 72155131Srwatson#include <stdlib.h> 73155131Srwatson#include <stdio.h> 74155131Srwatson#include <string.h> 75155131Srwatson#include <pwd.h> 76155131Srwatson#include <grp.h> 77155131Srwatson 78243750Srwatson#ifdef HAVE_VIS 79243750Srwatson#include <vis.h> 80243750Srwatson#else 81243750Srwatson#include <compat/vis.h> 82243750Srwatson#endif 83243750Srwatson 84155131Srwatson#include <bsm/audit_internal.h> 85155131Srwatson 86155131Srwatson#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 87185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) { \ 88185573Srwatson (err) = 1; \ 89155131Srwatson } else { \ 90185573Srwatson memcpy((dest), (buf) + (bytesread), (size)); \ 91155131Srwatson bytesread += size; \ 92155131Srwatson } \ 93155131Srwatson} while (0) 94155131Srwatson 95155131Srwatson#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 96185573Srwatson if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 97185573Srwatson (dest) = buf[(bytesread)]; \ 98185573Srwatson (bytesread) += sizeof(u_char); \ 99155131Srwatson } else \ 100185573Srwatson (err) = 1; \ 101155131Srwatson} while (0) 102155131Srwatson 103155131Srwatson#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 104185573Srwatson if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 105185573Srwatson (dest) = be16dec((buf) + (bytesread)); \ 106185573Srwatson (bytesread) += sizeof(u_int16_t); \ 107155131Srwatson } else \ 108185573Srwatson (err) = 1; \ 109155131Srwatson} while (0) 110155131Srwatson 111155131Srwatson#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 112185573Srwatson if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 113185573Srwatson (dest) = be32dec((buf) + (bytesread)); \ 114185573Srwatson (bytesread) += sizeof(u_int32_t); \ 115155131Srwatson } else \ 116243750Srwatson (err) = 1; \ 117155131Srwatson} while (0) 118155131Srwatson 119155131Srwatson#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 120185573Srwatson if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 121185573Srwatson dest = be64dec((buf) + (bytesread)); \ 122185573Srwatson (bytesread) += sizeof(u_int64_t); \ 123155131Srwatson } else \ 124243750Srwatson (err) = 1; \ 125155131Srwatson} while (0) 126155131Srwatson 127155131Srwatson#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 128185573Srwatson if ((bytesread) + (size) > (u_int32_t)(len)) \ 129155131Srwatson (err) = 1; \ 130155131Srwatson else { \ 131155131Srwatson (ptr) = (buf) + (bytesread); \ 132155131Srwatson (bytesread) += (size); \ 133155131Srwatson } \ 134155131Srwatson} while (0) 135155131Srwatson 136155131Srwatson/* 137168777Srwatson * XML option. 138168777Srwatson */ 139168777Srwatson#define AU_PLAIN 0 140168777Srwatson#define AU_XML 1 141168777Srwatson 142168777Srwatson/* 143155131Srwatson * Prints the delimiter string. 144155131Srwatson */ 145155131Srwatsonstatic void 146155131Srwatsonprint_delim(FILE *fp, const char *del) 147155131Srwatson{ 148155131Srwatson 149155131Srwatson fprintf(fp, "%s", del); 150155131Srwatson} 151155131Srwatson 152155131Srwatson/* 153155131Srwatson * Prints a single byte in the given format. 154155131Srwatson */ 155155131Srwatsonstatic void 156155131Srwatsonprint_1_byte(FILE *fp, u_char val, const char *format) 157155131Srwatson{ 158155131Srwatson 159155131Srwatson fprintf(fp, format, val); 160155131Srwatson} 161155131Srwatson 162155131Srwatson/* 163155131Srwatson * Print 2 bytes in the given format. 164155131Srwatson */ 165155131Srwatsonstatic void 166155131Srwatsonprint_2_bytes(FILE *fp, u_int16_t val, const char *format) 167155131Srwatson{ 168155131Srwatson 169155131Srwatson fprintf(fp, format, val); 170155131Srwatson} 171155131Srwatson 172155131Srwatson/* 173155131Srwatson * Prints 4 bytes in the given format. 174155131Srwatson */ 175155131Srwatsonstatic void 176155131Srwatsonprint_4_bytes(FILE *fp, u_int32_t val, const char *format) 177155131Srwatson{ 178155131Srwatson 179155131Srwatson fprintf(fp, format, val); 180155131Srwatson} 181155131Srwatson 182155131Srwatson/* 183155131Srwatson * Prints 8 bytes in the given format. 184155131Srwatson */ 185155131Srwatsonstatic void 186155131Srwatsonprint_8_bytes(FILE *fp, u_int64_t val, const char *format) 187155131Srwatson{ 188155131Srwatson 189155131Srwatson fprintf(fp, format, val); 190155131Srwatson} 191155131Srwatson 192155131Srwatson/* 193155131Srwatson * Prints the given size of data bytes in hex. 194155131Srwatson */ 195155131Srwatsonstatic void 196155131Srwatsonprint_mem(FILE *fp, u_char *data, size_t len) 197155131Srwatson{ 198185573Srwatson u_int32_t i; 199155131Srwatson 200155131Srwatson if (len > 0) { 201155131Srwatson fprintf(fp, "0x"); 202155131Srwatson for (i = 0; i < len; i++) 203189279Srwatson fprintf(fp, "%02x", data[i]); 204155131Srwatson } 205155131Srwatson} 206155131Srwatson 207155131Srwatson/* 208155131Srwatson * Prints the given data bytes as a string. 209155131Srwatson */ 210155131Srwatsonstatic void 211168777Srwatsonprint_string(FILE *fp, const char *str, size_t len) 212155131Srwatson{ 213185573Srwatson u_int32_t i; 214155131Srwatson 215155131Srwatson if (len > 0) { 216155131Srwatson for (i = 0; i < len; i++) { 217155131Srwatson if (str[i] != '\0') 218155131Srwatson fprintf(fp, "%c", str[i]); 219155131Srwatson } 220155131Srwatson } 221155131Srwatson} 222155131Srwatson 223155131Srwatson/* 224243750Srwatson * Prints the given data bytes as an XML-sanitized string. 225243750Srwatson */ 226243750Srwatsonstatic void 227243750Srwatsonprint_xml_string(FILE *fp, const char *str, size_t len) 228243750Srwatson{ 229243750Srwatson u_int32_t i; 230243750Srwatson char visbuf[5]; 231243750Srwatson 232243750Srwatson if (len == 0) 233243750Srwatson return; 234243750Srwatson 235243750Srwatson for (i = 0; i < len; i++) { 236243750Srwatson switch (str[i]) { 237243750Srwatson case '\0': 238243750Srwatson return; 239243750Srwatson 240243750Srwatson case '&': 241243750Srwatson (void) fprintf(fp, "&"); 242243750Srwatson break; 243243750Srwatson 244243750Srwatson case '<': 245243750Srwatson (void) fprintf(fp, "<"); 246243750Srwatson break; 247243750Srwatson 248243750Srwatson case '>': 249243750Srwatson (void) fprintf(fp, ">"); 250243750Srwatson break; 251243750Srwatson 252243750Srwatson case '\"': 253243750Srwatson (void) fprintf(fp, """); 254243750Srwatson break; 255243750Srwatson 256243750Srwatson case '\'': 257243750Srwatson (void) fprintf(fp, "'"); 258243750Srwatson break; 259243750Srwatson 260243750Srwatson default: 261243750Srwatson (void) vis(visbuf, str[i], VIS_CSTYLE, 0); 262243750Srwatson (void) fprintf(fp, "%s", visbuf); 263243750Srwatson break; 264243750Srwatson } 265243750Srwatson } 266243750Srwatson} 267243750Srwatson 268243750Srwatson/* 269293161Sbrueffer * Prints the beginning of an attribute. 270168777Srwatson */ 271168777Srwatsonstatic void 272168777Srwatsonopen_attr(FILE *fp, const char *str) 273168777Srwatson{ 274168777Srwatson 275168777Srwatson fprintf(fp,"%s=\"", str); 276168777Srwatson} 277168777Srwatson 278168777Srwatson/* 279293161Sbrueffer * Prints the end of an attribute. 280168777Srwatson */ 281168777Srwatsonstatic void 282168777Srwatsonclose_attr(FILE *fp) 283168777Srwatson{ 284168777Srwatson 285168777Srwatson fprintf(fp,"\" "); 286168777Srwatson} 287168777Srwatson 288168777Srwatson/* 289293161Sbrueffer * Prints the end of a tag. 290168777Srwatson */ 291168777Srwatsonstatic void 292168777Srwatsonclose_tag(FILE *fp, u_char type) 293168777Srwatson{ 294168777Srwatson 295168777Srwatson switch(type) { 296168777Srwatson case AUT_HEADER32: 297168777Srwatson fprintf(fp, ">"); 298168777Srwatson break; 299168777Srwatson 300168777Srwatson case AUT_HEADER32_EX: 301168777Srwatson fprintf(fp, ">"); 302168777Srwatson break; 303168777Srwatson 304168777Srwatson case AUT_HEADER64: 305168777Srwatson fprintf(fp, ">"); 306168777Srwatson break; 307168777Srwatson 308168777Srwatson case AUT_HEADER64_EX: 309168777Srwatson fprintf(fp, ">"); 310168777Srwatson break; 311168777Srwatson 312168777Srwatson case AUT_ARG32: 313168777Srwatson fprintf(fp, "/>"); 314168777Srwatson break; 315168777Srwatson 316168777Srwatson case AUT_ARG64: 317168777Srwatson fprintf(fp, "/>"); 318168777Srwatson break; 319168777Srwatson 320168777Srwatson case AUT_ATTR32: 321168777Srwatson fprintf(fp, "/>"); 322168777Srwatson break; 323168777Srwatson 324168777Srwatson case AUT_ATTR64: 325168777Srwatson fprintf(fp, "/>"); 326168777Srwatson break; 327168777Srwatson 328168777Srwatson case AUT_EXIT: 329168777Srwatson fprintf(fp, "/>"); 330168777Srwatson break; 331168777Srwatson 332168777Srwatson case AUT_EXEC_ARGS: 333168777Srwatson fprintf(fp, "</exec_args>"); 334168777Srwatson break; 335168777Srwatson 336168777Srwatson case AUT_EXEC_ENV: 337168777Srwatson fprintf(fp, "</exec_env>"); 338168777Srwatson break; 339168777Srwatson 340168777Srwatson case AUT_OTHER_FILE32: 341168777Srwatson fprintf(fp, "</file>"); 342168777Srwatson break; 343168777Srwatson 344168777Srwatson case AUT_NEWGROUPS: 345168777Srwatson fprintf(fp, "</group>"); 346168777Srwatson break; 347168777Srwatson 348168777Srwatson case AUT_IN_ADDR: 349168777Srwatson fprintf(fp, "</ip_address>"); 350168777Srwatson break; 351168777Srwatson 352168777Srwatson case AUT_IN_ADDR_EX: 353168777Srwatson fprintf(fp, "</ip_address>"); 354168777Srwatson break; 355168777Srwatson 356168777Srwatson case AUT_IP: 357168777Srwatson fprintf(fp, "/>"); 358168777Srwatson break; 359168777Srwatson 360168777Srwatson case AUT_IPC: 361168777Srwatson fprintf(fp, "/>"); 362168777Srwatson break; 363168777Srwatson 364168777Srwatson case AUT_IPC_PERM: 365168777Srwatson fprintf(fp, "/>"); 366168777Srwatson break; 367168777Srwatson 368168777Srwatson case AUT_IPORT: 369168777Srwatson fprintf(fp, "</ip_port>"); 370168777Srwatson break; 371168777Srwatson 372168777Srwatson case AUT_OPAQUE: 373168777Srwatson fprintf(fp, "</opaque>"); 374168777Srwatson break; 375168777Srwatson 376168777Srwatson case AUT_PATH: 377168777Srwatson fprintf(fp, "</path>"); 378168777Srwatson break; 379168777Srwatson 380168777Srwatson case AUT_PROCESS32: 381168777Srwatson fprintf(fp, "/>"); 382168777Srwatson break; 383168777Srwatson 384168777Srwatson case AUT_PROCESS32_EX: 385168777Srwatson fprintf(fp, "/>"); 386168777Srwatson break; 387168777Srwatson 388168777Srwatson case AUT_PROCESS64: 389168777Srwatson fprintf(fp, "/>"); 390168777Srwatson break; 391168777Srwatson 392168777Srwatson case AUT_PROCESS64_EX: 393168777Srwatson fprintf(fp, "/>"); 394168777Srwatson break; 395168777Srwatson 396168777Srwatson case AUT_RETURN32: 397168777Srwatson fprintf(fp, "/>"); 398168777Srwatson break; 399168777Srwatson 400168777Srwatson case AUT_RETURN64: 401168777Srwatson fprintf(fp, "/>"); 402168777Srwatson break; 403168777Srwatson 404168777Srwatson case AUT_SEQ: 405168777Srwatson fprintf(fp, "/>"); 406168777Srwatson break; 407168777Srwatson 408168777Srwatson case AUT_SOCKET: 409168777Srwatson fprintf(fp, "/>"); 410168777Srwatson break; 411168777Srwatson 412168777Srwatson case AUT_SOCKINET32: 413168777Srwatson fprintf(fp, "/>"); 414168777Srwatson break; 415168777Srwatson 416168777Srwatson case AUT_SOCKUNIX: 417168777Srwatson fprintf(fp, "/>"); 418168777Srwatson break; 419168777Srwatson 420191273Srwatson case AUT_SOCKINET128: 421191273Srwatson fprintf(fp, "/>"); 422191273Srwatson break; 423191273Srwatson 424168777Srwatson case AUT_SUBJECT32: 425168777Srwatson fprintf(fp, "/>"); 426168777Srwatson break; 427168777Srwatson 428168777Srwatson case AUT_SUBJECT64: 429168777Srwatson fprintf(fp, "/>"); 430168777Srwatson break; 431168777Srwatson 432168777Srwatson case AUT_SUBJECT32_EX: 433168777Srwatson fprintf(fp, "/>"); 434168777Srwatson break; 435168777Srwatson 436168777Srwatson case AUT_SUBJECT64_EX: 437168777Srwatson fprintf(fp, "/>"); 438168777Srwatson break; 439168777Srwatson 440168777Srwatson case AUT_TEXT: 441168777Srwatson fprintf(fp, "</text>"); 442168777Srwatson break; 443168777Srwatson 444168777Srwatson case AUT_SOCKET_EX: 445168777Srwatson fprintf(fp, "/>"); 446168777Srwatson break; 447168777Srwatson 448168777Srwatson case AUT_DATA: 449168777Srwatson fprintf(fp, "</arbitrary>"); 450168777Srwatson break; 451168777Srwatson 452168777Srwatson case AUT_ZONENAME: 453168777Srwatson fprintf(fp, "/>"); 454168777Srwatson break; 455168777Srwatson } 456168777Srwatson} 457168777Srwatson 458168777Srwatson/* 459155131Srwatson * Prints the token type in either the raw or the default form. 460155131Srwatson */ 461155131Srwatsonstatic void 462243750Srwatsonprint_tok_type(FILE *fp, u_char type, const char *tokname, int oflags) 463155131Srwatson{ 464155131Srwatson 465243750Srwatson if (oflags & AU_OFLAG_XML) { 466168777Srwatson switch(type) { 467168777Srwatson case AUT_HEADER32: 468168777Srwatson fprintf(fp, "<record "); 469168777Srwatson break; 470168777Srwatson 471168777Srwatson case AUT_HEADER32_EX: 472168777Srwatson fprintf(fp, "<record "); 473168777Srwatson break; 474168777Srwatson 475168777Srwatson case AUT_HEADER64: 476168777Srwatson fprintf(fp, "<record "); 477168777Srwatson break; 478168777Srwatson 479168777Srwatson case AUT_HEADER64_EX: 480168777Srwatson fprintf(fp, "<record "); 481168777Srwatson break; 482168777Srwatson 483168777Srwatson case AUT_TRAILER: 484168777Srwatson fprintf(fp, "</record>"); 485168777Srwatson break; 486168777Srwatson 487168777Srwatson case AUT_ARG32: 488168777Srwatson fprintf(fp, "<argument "); 489168777Srwatson break; 490168777Srwatson 491168777Srwatson case AUT_ARG64: 492168777Srwatson fprintf(fp, "<argument "); 493168777Srwatson break; 494168777Srwatson 495168777Srwatson case AUT_ATTR32: 496168777Srwatson fprintf(fp, "<attribute "); 497168777Srwatson break; 498168777Srwatson 499168777Srwatson case AUT_ATTR64: 500168777Srwatson fprintf(fp, "<attribute "); 501168777Srwatson break; 502168777Srwatson 503168777Srwatson case AUT_EXIT: 504168777Srwatson fprintf(fp, "<exit "); 505168777Srwatson break; 506168777Srwatson 507168777Srwatson case AUT_EXEC_ARGS: 508168777Srwatson fprintf(fp, "<exec_args>"); 509168777Srwatson break; 510168777Srwatson 511168777Srwatson case AUT_EXEC_ENV: 512168777Srwatson fprintf(fp, "<exec_env>"); 513168777Srwatson break; 514168777Srwatson 515168777Srwatson case AUT_OTHER_FILE32: 516168777Srwatson fprintf(fp, "<file "); 517168777Srwatson break; 518168777Srwatson 519168777Srwatson case AUT_NEWGROUPS: 520168777Srwatson fprintf(fp, "<group>"); 521168777Srwatson break; 522168777Srwatson 523168777Srwatson case AUT_IN_ADDR: 524168777Srwatson fprintf(fp, "<ip_address>"); 525168777Srwatson break; 526168777Srwatson 527168777Srwatson case AUT_IN_ADDR_EX: 528168777Srwatson fprintf(fp, "<ip_address>"); 529168777Srwatson break; 530168777Srwatson 531168777Srwatson case AUT_IP: 532168777Srwatson fprintf(fp, "<ip "); 533168777Srwatson break; 534168777Srwatson 535168777Srwatson case AUT_IPC: 536168777Srwatson fprintf(fp, "<IPC"); 537168777Srwatson break; 538168777Srwatson 539168777Srwatson case AUT_IPC_PERM: 540168777Srwatson fprintf(fp, "<IPC_perm "); 541168777Srwatson break; 542168777Srwatson 543168777Srwatson case AUT_IPORT: 544168777Srwatson fprintf(fp, "<ip_port>"); 545168777Srwatson break; 546168777Srwatson 547168777Srwatson case AUT_OPAQUE: 548168777Srwatson fprintf(fp, "<opaque>"); 549168777Srwatson break; 550168777Srwatson 551168777Srwatson case AUT_PATH: 552168777Srwatson fprintf(fp, "<path>"); 553168777Srwatson break; 554168777Srwatson 555168777Srwatson case AUT_PROCESS32: 556168777Srwatson fprintf(fp, "<process "); 557168777Srwatson break; 558168777Srwatson 559168777Srwatson case AUT_PROCESS32_EX: 560168777Srwatson fprintf(fp, "<process "); 561168777Srwatson break; 562168777Srwatson 563168777Srwatson case AUT_PROCESS64: 564168777Srwatson fprintf(fp, "<process "); 565168777Srwatson break; 566168777Srwatson 567168777Srwatson case AUT_PROCESS64_EX: 568168777Srwatson fprintf(fp, "<process "); 569168777Srwatson break; 570168777Srwatson 571168777Srwatson case AUT_RETURN32: 572168777Srwatson fprintf(fp, "<return "); 573168777Srwatson break; 574168777Srwatson 575168777Srwatson case AUT_RETURN64: 576168777Srwatson fprintf(fp, "<return "); 577168777Srwatson break; 578168777Srwatson 579168777Srwatson case AUT_SEQ: 580168777Srwatson fprintf(fp, "<sequence "); 581168777Srwatson break; 582168777Srwatson 583168777Srwatson case AUT_SOCKET: 584168777Srwatson fprintf(fp, "<socket "); 585168777Srwatson break; 586168777Srwatson 587168777Srwatson case AUT_SOCKINET32: 588191273Srwatson fprintf(fp, "<socket-inet "); 589168777Srwatson break; 590168777Srwatson 591168777Srwatson case AUT_SOCKUNIX: 592191273Srwatson fprintf(fp, "<socket-unix "); 593168777Srwatson break; 594168777Srwatson 595191273Srwatson case AUT_SOCKINET128: 596191273Srwatson fprintf(fp, "<socket-inet6 "); 597293161Sbrueffer break; 598191273Srwatson 599168777Srwatson case AUT_SUBJECT32: 600168777Srwatson fprintf(fp, "<subject "); 601168777Srwatson break; 602168777Srwatson 603168777Srwatson case AUT_SUBJECT64: 604168777Srwatson fprintf(fp, "<subject "); 605168777Srwatson break; 606168777Srwatson 607168777Srwatson case AUT_SUBJECT32_EX: 608168777Srwatson fprintf(fp, "<subject "); 609168777Srwatson break; 610168777Srwatson 611168777Srwatson case AUT_SUBJECT64_EX: 612168777Srwatson fprintf(fp, "<subject "); 613168777Srwatson break; 614168777Srwatson 615168777Srwatson case AUT_TEXT: 616168777Srwatson fprintf(fp, "<text>"); 617168777Srwatson break; 618168777Srwatson 619168777Srwatson case AUT_SOCKET_EX: 620168777Srwatson fprintf(fp, "<socket "); 621168777Srwatson break; 622168777Srwatson 623168777Srwatson case AUT_DATA: 624168777Srwatson fprintf(fp, "<arbitrary "); 625168777Srwatson break; 626168777Srwatson 627168777Srwatson case AUT_ZONENAME: 628168777Srwatson fprintf(fp, "<zone "); 629168777Srwatson break; 630168777Srwatson } 631168777Srwatson } else { 632243750Srwatson if (oflags & AU_OFLAG_RAW) 633168777Srwatson fprintf(fp, "%u", type); 634168777Srwatson else 635168777Srwatson fprintf(fp, "%s", tokname); 636168777Srwatson } 637155131Srwatson} 638155131Srwatson 639155131Srwatson/* 640155131Srwatson * Prints a user value. 641155131Srwatson */ 642155131Srwatsonstatic void 643243750Srwatsonprint_user(FILE *fp, u_int32_t usr, int oflags) 644155131Srwatson{ 645155131Srwatson struct passwd *pwent; 646155131Srwatson 647243750Srwatson if (oflags & AU_OFLAG_RAW) 648155131Srwatson fprintf(fp, "%d", usr); 649155131Srwatson else { 650155131Srwatson pwent = getpwuid(usr); 651155131Srwatson if (pwent != NULL) 652155131Srwatson fprintf(fp, "%s", pwent->pw_name); 653155131Srwatson else 654155131Srwatson fprintf(fp, "%d", usr); 655155131Srwatson } 656155131Srwatson} 657155131Srwatson 658155131Srwatson/* 659155131Srwatson * Prints a group value. 660155131Srwatson */ 661155131Srwatsonstatic void 662243750Srwatsonprint_group(FILE *fp, u_int32_t grp, int oflags) 663155131Srwatson{ 664155131Srwatson struct group *grpent; 665155131Srwatson 666243750Srwatson if (oflags & AU_OFLAG_RAW) 667155131Srwatson fprintf(fp, "%d", grp); 668155131Srwatson else { 669155131Srwatson grpent = getgrgid(grp); 670155131Srwatson if (grpent != NULL) 671155131Srwatson fprintf(fp, "%s", grpent->gr_name); 672155131Srwatson else 673155131Srwatson fprintf(fp, "%d", grp); 674155131Srwatson } 675155131Srwatson} 676155131Srwatson 677155131Srwatson/* 678155131Srwatson * Prints the event from the header token in either the short, default or raw 679155131Srwatson * form. 680155131Srwatson */ 681155131Srwatsonstatic void 682243750Srwatsonprint_event(FILE *fp, u_int16_t ev, int oflags) 683155131Srwatson{ 684155131Srwatson char event_ent_name[AU_EVENT_NAME_MAX]; 685155131Srwatson char event_ent_desc[AU_EVENT_DESC_MAX]; 686155131Srwatson struct au_event_ent e, *ep; 687155131Srwatson 688155131Srwatson bzero(&e, sizeof(e)); 689155131Srwatson bzero(event_ent_name, sizeof(event_ent_name)); 690155131Srwatson bzero(event_ent_desc, sizeof(event_ent_desc)); 691155131Srwatson e.ae_name = event_ent_name; 692155131Srwatson e.ae_desc = event_ent_desc; 693155131Srwatson 694155131Srwatson ep = getauevnum_r(&e, ev); 695155131Srwatson if (ep == NULL) { 696155131Srwatson fprintf(fp, "%u", ev); 697155131Srwatson return; 698155131Srwatson } 699155131Srwatson 700243750Srwatson if (oflags & AU_OFLAG_RAW) 701155131Srwatson fprintf(fp, "%u", ev); 702243750Srwatson else if (oflags & AU_OFLAG_SHORT) 703155131Srwatson fprintf(fp, "%s", e.ae_name); 704155131Srwatson else 705155131Srwatson fprintf(fp, "%s", e.ae_desc); 706155131Srwatson} 707155131Srwatson 708155131Srwatson 709155131Srwatson/* 710155131Srwatson * Prints the event modifier from the header token in either the default or 711155131Srwatson * raw form. 712155131Srwatson */ 713155131Srwatsonstatic void 714243750Srwatsonprint_evmod(FILE *fp, u_int16_t evmod, int oflags) 715155131Srwatson{ 716243750Srwatson if (oflags & AU_OFLAG_RAW) 717155131Srwatson fprintf(fp, "%u", evmod); 718155131Srwatson else 719155131Srwatson fprintf(fp, "%u", evmod); 720155131Srwatson} 721155131Srwatson 722155131Srwatson/* 723155131Srwatson * Prints seconds in the ctime format. 724155131Srwatson */ 725155131Srwatsonstatic void 726243750Srwatsonprint_sec32(FILE *fp, u_int32_t sec, int oflags) 727155131Srwatson{ 728155131Srwatson time_t timestamp; 729155131Srwatson char timestr[26]; 730155131Srwatson 731243750Srwatson if (oflags & AU_OFLAG_RAW) 732155131Srwatson fprintf(fp, "%u", sec); 733155131Srwatson else { 734155131Srwatson timestamp = (time_t)sec; 735155131Srwatson ctime_r(×tamp, timestr); 736155131Srwatson timestr[24] = '\0'; /* No new line */ 737155131Srwatson fprintf(fp, "%s", timestr); 738155131Srwatson } 739155131Srwatson} 740155131Srwatson 741155131Srwatson/* 742155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 743155131Srwatson * assume a 32-bit time_t, we simply truncate for now. 744155131Srwatson */ 745155131Srwatsonstatic void 746243750Srwatsonprint_sec64(FILE *fp, u_int64_t sec, int oflags) 747155131Srwatson{ 748155131Srwatson time_t timestamp; 749155131Srwatson char timestr[26]; 750155131Srwatson 751243750Srwatson if (oflags & AU_OFLAG_RAW) 752155131Srwatson fprintf(fp, "%u", (u_int32_t)sec); 753155131Srwatson else { 754155131Srwatson timestamp = (time_t)sec; 755155131Srwatson ctime_r(×tamp, timestr); 756155131Srwatson timestr[24] = '\0'; /* No new line */ 757155131Srwatson fprintf(fp, "%s", timestr); 758155131Srwatson } 759155131Srwatson} 760155131Srwatson 761155131Srwatson/* 762155131Srwatson * Prints the excess milliseconds. 763155131Srwatson */ 764155131Srwatsonstatic void 765243750Srwatsonprint_msec32(FILE *fp, u_int32_t msec, int oflags) 766155131Srwatson{ 767243750Srwatson if (oflags & AU_OFLAG_RAW) 768155131Srwatson fprintf(fp, "%u", msec); 769155131Srwatson else 770155131Srwatson fprintf(fp, " + %u msec", msec); 771155131Srwatson} 772155131Srwatson 773155131Srwatson/* 774155131Srwatson * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 775155131Srwatson * a 32-bit msec, we simply truncate for now. 776155131Srwatson */ 777155131Srwatsonstatic void 778243750Srwatsonprint_msec64(FILE *fp, u_int64_t msec, int oflags) 779155131Srwatson{ 780155131Srwatson 781155131Srwatson msec &= 0xffffffff; 782243750Srwatson if (oflags & AU_OFLAG_RAW) 783155131Srwatson fprintf(fp, "%u", (u_int32_t)msec); 784155131Srwatson else 785155131Srwatson fprintf(fp, " + %u msec", (u_int32_t)msec); 786155131Srwatson} 787155131Srwatson 788155131Srwatson/* 789155131Srwatson * Prints a dotted form for the IP address. 790155131Srwatson */ 791155131Srwatsonstatic void 792155131Srwatsonprint_ip_address(FILE *fp, u_int32_t ip) 793155131Srwatson{ 794155131Srwatson struct in_addr ipaddr; 795155131Srwatson 796155131Srwatson ipaddr.s_addr = ip; 797155131Srwatson fprintf(fp, "%s", inet_ntoa(ipaddr)); 798155131Srwatson} 799155131Srwatson 800168777Srwatson/* 801155131Srwatson * Prints a string value for the given ip address. 802155131Srwatson */ 803155131Srwatsonstatic void 804155131Srwatsonprint_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 805155131Srwatson{ 806155131Srwatson struct in_addr ipv4; 807155131Srwatson struct in6_addr ipv6; 808155131Srwatson char dst[INET6_ADDRSTRLEN]; 809155131Srwatson 810155131Srwatson switch (type) { 811155131Srwatson case AU_IPv4: 812155131Srwatson ipv4.s_addr = (in_addr_t)(ipaddr[0]); 813155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 814155131Srwatson INET6_ADDRSTRLEN)); 815155131Srwatson break; 816155131Srwatson 817155131Srwatson case AU_IPv6: 818156283Srwatson bcopy(ipaddr, &ipv6, sizeof(ipv6)); 819155131Srwatson fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 820155131Srwatson INET6_ADDRSTRLEN)); 821155131Srwatson break; 822155131Srwatson 823155131Srwatson default: 824155131Srwatson fprintf(fp, "invalid"); 825155131Srwatson } 826155131Srwatson} 827155131Srwatson 828155131Srwatson/* 829155131Srwatson * Prints return value as success or failure. 830155131Srwatson */ 831155131Srwatsonstatic void 832243750Srwatsonprint_retval(FILE *fp, u_char status, int oflags) 833155131Srwatson{ 834186647Srwatson int error; 835186647Srwatson 836243750Srwatson if (oflags & AU_OFLAG_RAW) 837155131Srwatson fprintf(fp, "%u", status); 838155131Srwatson else { 839186647Srwatson /* 840186647Srwatson * Convert to a local error number and print the OS's version 841186647Srwatson * of the error string if possible. We may want to provide 842186647Srwatson * an au_strerror(3) in the future so that we can print 843186647Srwatson * strings for non-local errors. 844186647Srwatson */ 845186647Srwatson if (au_bsm_to_errno(status, &error) == 0) { 846186647Srwatson if (error == 0) 847186647Srwatson fprintf(fp, "success"); 848186647Srwatson else 849186647Srwatson fprintf(fp, "failure : %s", strerror(error)); 850186647Srwatson } else 851186647Srwatson fprintf(fp, "failure: Unknown error: %d", status); 852155131Srwatson } 853155131Srwatson} 854155131Srwatson 855155131Srwatson/* 856155131Srwatson * Prints the exit value. 857155131Srwatson */ 858155131Srwatsonstatic void 859155131Srwatsonprint_errval(FILE *fp, u_int32_t val) 860155131Srwatson{ 861155131Srwatson 862155131Srwatson fprintf(fp, "Error %u", val); 863155131Srwatson} 864155131Srwatson 865155131Srwatson/* 866155131Srwatson * Prints IPC type. 867155131Srwatson */ 868155131Srwatsonstatic void 869243750Srwatsonprint_ipctype(FILE *fp, u_char type, int oflags) 870155131Srwatson{ 871243750Srwatson if (oflags & AU_OFLAG_RAW) 872155131Srwatson fprintf(fp, "%u", type); 873155131Srwatson else { 874155131Srwatson if (type == AT_IPC_MSG) 875155131Srwatson fprintf(fp, "Message IPC"); 876155131Srwatson else if (type == AT_IPC_SEM) 877155131Srwatson fprintf(fp, "Semaphore IPC"); 878155131Srwatson else if (type == AT_IPC_SHM) 879155131Srwatson fprintf(fp, "Shared Memory IPC"); 880155131Srwatson else 881155131Srwatson fprintf(fp, "%u", type); 882155131Srwatson } 883155131Srwatson} 884155131Srwatson 885155131Srwatson/* 886168777Srwatson * Print XML header. 887168777Srwatson */ 888168777Srwatsonvoid 889168777Srwatsonau_print_xml_header(FILE *outfp) 890168777Srwatson{ 891243750Srwatson 892168777Srwatson fprintf(outfp, "<?xml version='1.0' ?>\n"); 893168777Srwatson fprintf(outfp, "<audit>\n"); 894168777Srwatson} 895168777Srwatson 896168777Srwatson/* 897168777Srwatson * Print XML footer. 898168777Srwatson */ 899168777Srwatsonvoid 900168777Srwatsonau_print_xml_footer(FILE *outfp) 901168777Srwatson{ 902243750Srwatson 903168777Srwatson fprintf(outfp, "</audit>\n"); 904168777Srwatson} 905168777Srwatson 906168777Srwatson/* 907155131Srwatson * record byte count 4 bytes 908155131Srwatson * version # 1 byte [2] 909155131Srwatson * event type 2 bytes 910155131Srwatson * event modifier 2 bytes 911155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 912155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 913155131Srwatson */ 914155131Srwatsonstatic int 915168777Srwatsonfetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 916155131Srwatson{ 917155131Srwatson int err = 0; 918155131Srwatson 919155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 920155131Srwatson if (err) 921155131Srwatson return (-1); 922155131Srwatson 923155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 924155131Srwatson if (err) 925155131Srwatson return (-1); 926155131Srwatson 927155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 928155131Srwatson if (err) 929155131Srwatson return (-1); 930155131Srwatson 931155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 932155131Srwatson if (err) 933155131Srwatson return (-1); 934155131Srwatson 935155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 936155131Srwatson if (err) 937155131Srwatson return (-1); 938155131Srwatson 939155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 940155131Srwatson if (err) 941155131Srwatson return (-1); 942155131Srwatson 943155131Srwatson return (0); 944155131Srwatson} 945155131Srwatson 946155131Srwatsonstatic void 947243750Srwatsonprint_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 948155131Srwatson{ 949155131Srwatson 950243750Srwatson print_tok_type(fp, tok->id, "header", oflags); 951267573Sbrueffer if (oflags & AU_OFLAG_XML) { 952168777Srwatson open_attr(fp, "version"); 953168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 954168777Srwatson close_attr(fp); 955168777Srwatson open_attr(fp, "event"); 956243750Srwatson print_event(fp, tok->tt.hdr32.e_type, oflags); 957168777Srwatson close_attr(fp); 958168777Srwatson open_attr(fp, "modifier"); 959243750Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 960168777Srwatson close_attr(fp); 961168777Srwatson open_attr(fp, "time"); 962243750Srwatson print_sec32(fp, tok->tt.hdr32.s, oflags); 963168777Srwatson close_attr(fp); 964168777Srwatson open_attr(fp, "msec"); 965243750Srwatson print_msec32(fp, tok->tt.hdr32.ms, oflags); 966168777Srwatson close_attr(fp); 967168777Srwatson close_tag(fp, tok->id); 968168777Srwatson } else { 969168777Srwatson print_delim(fp, del); 970168777Srwatson print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 971168777Srwatson print_delim(fp, del); 972168777Srwatson print_1_byte(fp, tok->tt.hdr32.version, "%u"); 973168777Srwatson print_delim(fp, del); 974243750Srwatson print_event(fp, tok->tt.hdr32.e_type, oflags); 975168777Srwatson print_delim(fp, del); 976243750Srwatson print_evmod(fp, tok->tt.hdr32.e_mod, oflags); 977168777Srwatson print_delim(fp, del); 978243750Srwatson print_sec32(fp, tok->tt.hdr32.s, oflags); 979168777Srwatson print_delim(fp, del); 980243750Srwatson print_msec32(fp, tok->tt.hdr32.ms, oflags); 981168777Srwatson } 982155131Srwatson} 983155131Srwatson 984155131Srwatson/* 985155131Srwatson * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 986155131Srwatson * depending on the bit of the specifications found. The OpenSolaris source 987155131Srwatson * code uses a 4-byte address length, followed by some number of bytes of 988155131Srwatson * address data. This contrasts with the Solaris audit.log.5 man page, which 989155131Srwatson * specifies a 1-byte length field. We use the Solaris 10 definition so that 990155131Srwatson * we can parse audit trails from that system. 991155131Srwatson * 992155131Srwatson * record byte count 4 bytes 993155131Srwatson * version # 1 byte [2] 994155131Srwatson * event type 2 bytes 995155131Srwatson * event modifier 2 bytes 996155131Srwatson * address type/length 4 bytes 997155131Srwatson * [ Solaris man page: address type/length 1 byte] 998155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 999155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1000155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1001155131Srwatson */ 1002155131Srwatsonstatic int 1003168777Srwatsonfetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1004155131Srwatson{ 1005155131Srwatson int err = 0; 1006155131Srwatson 1007155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 1008155131Srwatson if (err) 1009155131Srwatson return (-1); 1010155131Srwatson 1011155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 1012155131Srwatson if (err) 1013155131Srwatson return (-1); 1014155131Srwatson 1015155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 1016155131Srwatson if (err) 1017155131Srwatson return (-1); 1018155131Srwatson 1019155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 1020155131Srwatson if (err) 1021155131Srwatson return (-1); 1022155131Srwatson 1023155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 1024155131Srwatson if (err) 1025155131Srwatson return (-1); 1026155131Srwatson 1027155131Srwatson bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 1028155131Srwatson switch (tok->tt.hdr32_ex.ad_type) { 1029155131Srwatson case AU_IPv4: 1030155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 1031155131Srwatson sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 1032155131Srwatson if (err) 1033155131Srwatson return (-1); 1034155131Srwatson break; 1035155131Srwatson 1036155131Srwatson case AU_IPv6: 1037155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 1038155131Srwatson sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 1039155131Srwatson break; 1040155131Srwatson } 1041155131Srwatson 1042155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 1043155131Srwatson if (err) 1044155131Srwatson return (-1); 1045155131Srwatson 1046155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 1047155131Srwatson if (err) 1048155131Srwatson return (-1); 1049155131Srwatson 1050155131Srwatson return (0); 1051155131Srwatson} 1052155131Srwatson 1053155131Srwatsonstatic void 1054243750Srwatsonprint_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1055155131Srwatson{ 1056155131Srwatson 1057243750Srwatson print_tok_type(fp, tok->id, "header_ex", oflags); 1058243750Srwatson if (oflags & AU_OFLAG_RAW) { 1059168777Srwatson open_attr(fp, "version"); 1060168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1061168777Srwatson close_attr(fp); 1062168777Srwatson open_attr(fp, "event"); 1063243750Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1064168777Srwatson close_attr(fp); 1065168777Srwatson open_attr(fp, "modifier"); 1066243750Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1067168777Srwatson close_attr(fp); 1068185573Srwatson open_attr(fp, "host"); 1069168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1070168777Srwatson tok->tt.hdr32_ex.addr); 1071185573Srwatson close_attr(fp); 1072168777Srwatson open_attr(fp, "time"); 1073243750Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1074168777Srwatson close_attr(fp); 1075168777Srwatson open_attr(fp, "msec"); 1076243750Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1077168777Srwatson close_attr(fp); 1078168777Srwatson close_tag(fp, tok->id); 1079168777Srwatson } else { 1080168777Srwatson print_delim(fp, del); 1081168777Srwatson print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1082168777Srwatson print_delim(fp, del); 1083168777Srwatson print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1084168777Srwatson print_delim(fp, del); 1085243750Srwatson print_event(fp, tok->tt.hdr32_ex.e_type, oflags); 1086168777Srwatson print_delim(fp, del); 1087243750Srwatson print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags); 1088168777Srwatson print_delim(fp, del); 1089168777Srwatson print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1090168777Srwatson tok->tt.hdr32_ex.addr); 1091168777Srwatson print_delim(fp, del); 1092243750Srwatson print_sec32(fp, tok->tt.hdr32_ex.s, oflags); 1093168777Srwatson print_delim(fp, del); 1094243750Srwatson print_msec32(fp, tok->tt.hdr32_ex.ms, oflags); 1095168777Srwatson } 1096155131Srwatson} 1097155131Srwatson 1098155131Srwatson/* 1099155131Srwatson * record byte count 4 bytes 1100155131Srwatson * event type 2 bytes 1101155131Srwatson * event modifier 2 bytes 1102155131Srwatson * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1103155131Srwatson * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1104168777Srwatson * version # 1105155131Srwatson */ 1106155131Srwatsonstatic int 1107168777Srwatsonfetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1108155131Srwatson{ 1109155131Srwatson int err = 0; 1110155131Srwatson 1111155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1112155131Srwatson if (err) 1113155131Srwatson return (-1); 1114155131Srwatson 1115155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1116155131Srwatson if (err) 1117155131Srwatson return (-1); 1118155131Srwatson 1119155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1120155131Srwatson if (err) 1121155131Srwatson return (-1); 1122155131Srwatson 1123155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1124155131Srwatson if (err) 1125155131Srwatson return (-1); 1126155131Srwatson 1127155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1128155131Srwatson if (err) 1129155131Srwatson return (-1); 1130155131Srwatson 1131155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1132155131Srwatson if (err) 1133155131Srwatson return (-1); 1134155131Srwatson 1135155131Srwatson return (0); 1136155131Srwatson} 1137155131Srwatson 1138155131Srwatsonstatic void 1139243750Srwatsonprint_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1140155131Srwatson{ 1141243750Srwatson 1142243750Srwatson print_tok_type(fp, tok->id, "header", oflags); 1143243750Srwatson if (oflags & AU_OFLAG_XML) { 1144168777Srwatson open_attr(fp, "version"); 1145168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1146168777Srwatson close_attr(fp); 1147168777Srwatson open_attr(fp, "event"); 1148243750Srwatson print_event(fp, tok->tt.hdr64.e_type, oflags); 1149168777Srwatson close_attr(fp); 1150168777Srwatson open_attr(fp, "modifier"); 1151243750Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1152168777Srwatson close_attr(fp); 1153168777Srwatson open_attr(fp, "time"); 1154243750Srwatson print_sec64(fp, tok->tt.hdr64.s, oflags); 1155168777Srwatson close_attr(fp); 1156168777Srwatson open_attr(fp, "msec"); 1157243750Srwatson print_msec64(fp, tok->tt.hdr64.ms, oflags); 1158168777Srwatson close_attr(fp); 1159168777Srwatson close_tag(fp, tok->id); 1160168777Srwatson } else { 1161168777Srwatson print_delim(fp, del); 1162168777Srwatson print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1163168777Srwatson print_delim(fp, del); 1164168777Srwatson print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1165168777Srwatson print_delim(fp, del); 1166243750Srwatson print_event(fp, tok->tt.hdr64.e_type, oflags); 1167168777Srwatson print_delim(fp, del); 1168243750Srwatson print_evmod(fp, tok->tt.hdr64.e_mod, oflags); 1169168777Srwatson print_delim(fp, del); 1170243750Srwatson print_sec64(fp, tok->tt.hdr64.s, oflags); 1171168777Srwatson print_delim(fp, del); 1172243750Srwatson print_msec64(fp, tok->tt.hdr64.ms, oflags); 1173168777Srwatson } 1174168777Srwatson} 1175155131Srwatson 1176155131Srwatson/* 1177155131Srwatson * record byte count 4 bytes 1178155131Srwatson * version # 1 byte [2] 1179155131Srwatson * event type 2 bytes 1180155131Srwatson * event modifier 2 bytes 1181155131Srwatson * address type/length 4 bytes 1182155131Srwatson * [ Solaris man page: address type/length 1 byte] 1183155131Srwatson * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1184155131Srwatson * seconds of time 4 bytes/8 bytes (32/64-bits) 1185155131Srwatson * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1186155131Srwatson * 1187155131Srwatson * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1188155131Srwatson * accuracy of the BSM spec. 1189155131Srwatson */ 1190155131Srwatsonstatic int 1191168777Srwatsonfetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1192155131Srwatson{ 1193155131Srwatson int err = 0; 1194155131Srwatson 1195155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1196155131Srwatson if (err) 1197155131Srwatson return (-1); 1198155131Srwatson 1199155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1200155131Srwatson if (err) 1201155131Srwatson return (-1); 1202155131Srwatson 1203155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1204155131Srwatson if (err) 1205155131Srwatson return (-1); 1206155131Srwatson 1207155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1208155131Srwatson if (err) 1209155131Srwatson return (-1); 1210155131Srwatson 1211155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1212155131Srwatson if (err) 1213155131Srwatson return (-1); 1214155131Srwatson 1215155131Srwatson bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1216155131Srwatson switch (tok->tt.hdr64_ex.ad_type) { 1217155131Srwatson case AU_IPv4: 1218155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1219155131Srwatson sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1220155131Srwatson if (err) 1221155131Srwatson return (-1); 1222155131Srwatson break; 1223155131Srwatson 1224155131Srwatson case AU_IPv6: 1225155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1226155131Srwatson sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1227155131Srwatson break; 1228155131Srwatson } 1229155131Srwatson 1230155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1231155131Srwatson if (err) 1232155131Srwatson return (-1); 1233155131Srwatson 1234155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1235155131Srwatson if (err) 1236155131Srwatson return (-1); 1237155131Srwatson 1238155131Srwatson return (0); 1239155131Srwatson} 1240155131Srwatson 1241155131Srwatsonstatic void 1242243750Srwatsonprint_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1243155131Srwatson{ 1244155131Srwatson 1245243750Srwatson print_tok_type(fp, tok->id, "header_ex", oflags); 1246243750Srwatson if (oflags & AU_OFLAG_XML) { 1247168777Srwatson open_attr(fp, "version"); 1248168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1249168777Srwatson close_attr(fp); 1250168777Srwatson open_attr(fp, "event"); 1251243750Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1252168777Srwatson close_attr(fp); 1253168777Srwatson open_attr(fp, "modifier"); 1254243750Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1255168777Srwatson close_attr(fp); 1256185573Srwatson open_attr(fp, "host"); 1257168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1258168777Srwatson tok->tt.hdr64_ex.addr); 1259185573Srwatson close_attr(fp); 1260168777Srwatson open_attr(fp, "time"); 1261243750Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1262168777Srwatson close_attr(fp); 1263168777Srwatson open_attr(fp, "msec"); 1264243750Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1265168777Srwatson close_attr(fp); 1266168777Srwatson close_tag(fp, tok->id); 1267168777Srwatson } else { 1268168777Srwatson print_delim(fp, del); 1269168777Srwatson print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1270168777Srwatson print_delim(fp, del); 1271168777Srwatson print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1272168777Srwatson print_delim(fp, del); 1273243750Srwatson print_event(fp, tok->tt.hdr64_ex.e_type, oflags); 1274168777Srwatson print_delim(fp, del); 1275243750Srwatson print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags); 1276168777Srwatson print_delim(fp, del); 1277168777Srwatson print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1278168777Srwatson tok->tt.hdr64_ex.addr); 1279168777Srwatson print_delim(fp, del); 1280243750Srwatson print_sec64(fp, tok->tt.hdr64_ex.s, oflags); 1281168777Srwatson print_delim(fp, del); 1282243750Srwatson print_msec64(fp, tok->tt.hdr64_ex.ms, oflags); 1283168777Srwatson } 1284155131Srwatson} 1285155131Srwatson 1286155131Srwatson/* 1287155131Srwatson * trailer magic 2 bytes 1288155131Srwatson * record size 4 bytes 1289155131Srwatson */ 1290155131Srwatsonstatic int 1291168777Srwatsonfetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1292155131Srwatson{ 1293155131Srwatson int err = 0; 1294155131Srwatson 1295155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1296155131Srwatson if (err) 1297155131Srwatson return (-1); 1298155131Srwatson 1299155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1300155131Srwatson if (err) 1301155131Srwatson return (-1); 1302155131Srwatson 1303155131Srwatson return (0); 1304155131Srwatson} 1305155131Srwatson 1306155131Srwatsonstatic void 1307243750Srwatsonprint_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1308155131Srwatson{ 1309155131Srwatson 1310243750Srwatson print_tok_type(fp, tok->id, "trailer", oflags); 1311243750Srwatson if (!(oflags & AU_OFLAG_XML)) { 1312168777Srwatson print_delim(fp, del); 1313168777Srwatson print_4_bytes(fp, tok->tt.trail.count, "%u"); 1314168777Srwatson } 1315155131Srwatson} 1316155131Srwatson 1317155131Srwatson/* 1318155131Srwatson * argument # 1 byte 1319155131Srwatson * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1320155131Srwatson * text length 2 bytes 1321155131Srwatson * text N bytes + 1 terminating NULL byte 1322155131Srwatson */ 1323155131Srwatsonstatic int 1324168777Srwatsonfetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1325155131Srwatson{ 1326155131Srwatson int err = 0; 1327155131Srwatson 1328155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1329155131Srwatson if (err) 1330155131Srwatson return (-1); 1331155131Srwatson 1332155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1333155131Srwatson if (err) 1334155131Srwatson return (-1); 1335155131Srwatson 1336155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1337155131Srwatson if (err) 1338155131Srwatson return (-1); 1339155131Srwatson 1340168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1341168777Srwatson tok->len, err); 1342155131Srwatson if (err) 1343155131Srwatson return (-1); 1344155131Srwatson 1345155131Srwatson return (0); 1346155131Srwatson} 1347155131Srwatson 1348155131Srwatsonstatic void 1349243750Srwatsonprint_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1350155131Srwatson{ 1351155131Srwatson 1352243750Srwatson print_tok_type(fp, tok->id, "argument", oflags); 1353243750Srwatson if (oflags & AU_OFLAG_XML) { 1354168777Srwatson open_attr(fp, "arg-num"); 1355168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1356168777Srwatson close_attr(fp); 1357168777Srwatson open_attr(fp, "value"); 1358168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1359168777Srwatson close_attr(fp); 1360168777Srwatson open_attr(fp, "desc"); 1361168777Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1362168777Srwatson close_attr(fp); 1363168777Srwatson close_tag(fp, tok->id); 1364168777Srwatson } else { 1365168777Srwatson print_delim(fp, del); 1366168777Srwatson print_1_byte(fp, tok->tt.arg32.no, "%u"); 1367168777Srwatson print_delim(fp, del); 1368168777Srwatson print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1369168777Srwatson print_delim(fp, del); 1370171537Srwatson print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1371168777Srwatson } 1372155131Srwatson} 1373155131Srwatson 1374155131Srwatsonstatic int 1375168777Srwatsonfetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1376155131Srwatson{ 1377155131Srwatson int err = 0; 1378155131Srwatson 1379155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1380155131Srwatson if (err) 1381155131Srwatson return (-1); 1382155131Srwatson 1383155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1384155131Srwatson if (err) 1385155131Srwatson return (-1); 1386155131Srwatson 1387155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1388155131Srwatson if (err) 1389155131Srwatson return (-1); 1390155131Srwatson 1391168777Srwatson SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1392168777Srwatson tok->len, err); 1393155131Srwatson if (err) 1394155131Srwatson return (-1); 1395155131Srwatson 1396155131Srwatson return (0); 1397155131Srwatson} 1398155131Srwatson 1399155131Srwatsonstatic void 1400243750Srwatsonprint_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1401155131Srwatson{ 1402155131Srwatson 1403243750Srwatson print_tok_type(fp, tok->id, "argument", oflags); 1404243750Srwatson if (oflags & AU_OFLAG_XML) { 1405168777Srwatson open_attr(fp, "arg-num"); 1406168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1407168777Srwatson close_attr(fp); 1408168777Srwatson open_attr(fp, "value"); 1409168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1410168777Srwatson close_attr(fp); 1411168777Srwatson open_attr(fp, "desc"); 1412168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1413168777Srwatson close_attr(fp); 1414168777Srwatson close_tag(fp, tok->id); 1415168777Srwatson } else { 1416168777Srwatson print_delim(fp, del); 1417168777Srwatson print_1_byte(fp, tok->tt.arg64.no, "%u"); 1418168777Srwatson print_delim(fp, del); 1419168777Srwatson print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1420168777Srwatson print_delim(fp, del); 1421168777Srwatson print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1422168777Srwatson } 1423155131Srwatson} 1424155131Srwatson 1425155131Srwatson/* 1426155131Srwatson * how to print 1 byte 1427155131Srwatson * basic unit 1 byte 1428155131Srwatson * unit count 1 byte 1429155131Srwatson * data items (depends on basic unit) 1430155131Srwatson */ 1431155131Srwatsonstatic int 1432168777Srwatsonfetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1433155131Srwatson{ 1434155131Srwatson int err = 0; 1435155131Srwatson int datasize; 1436155131Srwatson 1437155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1438155131Srwatson if (err) 1439155131Srwatson return (-1); 1440155131Srwatson 1441155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1442155131Srwatson if (err) 1443155131Srwatson return (-1); 1444155131Srwatson 1445155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1446155131Srwatson if (err) 1447155131Srwatson return (-1); 1448155131Srwatson 1449155131Srwatson /* 1450155131Srwatson * Determine the size of the basic unit. 1451155131Srwatson */ 1452155131Srwatson switch(tok->tt.arb.bu) { 1453155131Srwatson case AUR_BYTE: 1454159248Srwatson /* case AUR_CHAR: */ 1455155131Srwatson datasize = AUR_BYTE_SIZE; 1456155131Srwatson break; 1457155131Srwatson 1458155131Srwatson case AUR_SHORT: 1459155131Srwatson datasize = AUR_SHORT_SIZE; 1460155131Srwatson break; 1461155131Srwatson 1462159248Srwatson case AUR_INT32: 1463159248Srwatson /* case AUR_INT: */ 1464159248Srwatson datasize = AUR_INT32_SIZE; 1465155131Srwatson break; 1466155131Srwatson 1467159248Srwatson case AUR_INT64: 1468159248Srwatson datasize = AUR_INT64_SIZE; 1469159248Srwatson break; 1470159248Srwatson 1471155131Srwatson default: 1472155131Srwatson return (-1); 1473155131Srwatson } 1474155131Srwatson 1475155131Srwatson SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1476155131Srwatson tok->len, err); 1477155131Srwatson if (err) 1478155131Srwatson return (-1); 1479155131Srwatson 1480155131Srwatson return (0); 1481155131Srwatson} 1482155131Srwatson 1483155131Srwatsonstatic void 1484243750Srwatsonprint_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1485155131Srwatson{ 1486155131Srwatson char *str; 1487155131Srwatson char *format; 1488155131Srwatson size_t size; 1489155131Srwatson int i; 1490155131Srwatson 1491243750Srwatson print_tok_type(fp, tok->id, "arbitrary", oflags); 1492243750Srwatson if (!(oflags & AU_OFLAG_XML)) 1493168777Srwatson print_delim(fp, del); 1494155131Srwatson 1495155131Srwatson switch(tok->tt.arb.howtopr) { 1496155131Srwatson case AUP_BINARY: 1497155131Srwatson str = "binary"; 1498155131Srwatson format = " %c"; 1499155131Srwatson break; 1500155131Srwatson 1501155131Srwatson case AUP_OCTAL: 1502155131Srwatson str = "octal"; 1503155131Srwatson format = " %o"; 1504155131Srwatson break; 1505155131Srwatson 1506155131Srwatson case AUP_DECIMAL: 1507155131Srwatson str = "decimal"; 1508155131Srwatson format = " %d"; 1509155131Srwatson break; 1510155131Srwatson 1511155131Srwatson case AUP_HEX: 1512155131Srwatson str = "hex"; 1513155131Srwatson format = " %x"; 1514155131Srwatson break; 1515155131Srwatson 1516155131Srwatson case AUP_STRING: 1517155131Srwatson str = "string"; 1518155131Srwatson format = "%c"; 1519155131Srwatson break; 1520155131Srwatson 1521155131Srwatson default: 1522155131Srwatson return; 1523155131Srwatson } 1524155131Srwatson 1525243750Srwatson if (oflags & AU_OFLAG_XML) { 1526168777Srwatson open_attr(fp, "print"); 1527168777Srwatson fprintf(fp, "%s",str); 1528168777Srwatson close_attr(fp); 1529168777Srwatson } else { 1530168777Srwatson print_string(fp, str, strlen(str)); 1531168777Srwatson print_delim(fp, del); 1532168777Srwatson } 1533155131Srwatson switch(tok->tt.arb.bu) { 1534155131Srwatson case AUR_BYTE: 1535159248Srwatson /* case AUR_CHAR: */ 1536155131Srwatson str = "byte"; 1537155131Srwatson size = AUR_BYTE_SIZE; 1538243750Srwatson if (oflags & AU_OFLAG_XML) { 1539168777Srwatson open_attr(fp, "type"); 1540185573Srwatson fprintf(fp, "%zu", size); 1541168777Srwatson close_attr(fp); 1542168777Srwatson open_attr(fp, "count"); 1543168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1544168777Srwatson close_attr(fp); 1545168777Srwatson fprintf(fp, ">"); 1546168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1547168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1548168777Srwatson (size * i))); 1549168777Srwatson close_tag(fp, tok->id); 1550168777Srwatson } else { 1551168777Srwatson print_string(fp, str, strlen(str)); 1552168777Srwatson print_delim(fp, del); 1553168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1554168777Srwatson print_delim(fp, del); 1555168777Srwatson for (i = 0; i<tok->tt.arb.uc; i++) 1556168777Srwatson fprintf(fp, format, *(tok->tt.arb.data + 1557168777Srwatson (size * i))); 1558168777Srwatson } 1559155131Srwatson break; 1560155131Srwatson 1561155131Srwatson case AUR_SHORT: 1562155131Srwatson str = "short"; 1563155131Srwatson size = AUR_SHORT_SIZE; 1564243750Srwatson if (oflags & AU_OFLAG_XML) { 1565168777Srwatson open_attr(fp, "type"); 1566185573Srwatson fprintf(fp, "%zu", size); 1567168777Srwatson close_attr(fp); 1568168777Srwatson open_attr(fp, "count"); 1569168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1570168777Srwatson close_attr(fp); 1571168777Srwatson fprintf(fp, ">"); 1572168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1573168777Srwatson fprintf(fp, format, 1574168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1575168777Srwatson (size * i)))); 1576168777Srwatson close_tag(fp, tok->id); 1577168777Srwatson } else { 1578168777Srwatson print_string(fp, str, strlen(str)); 1579168777Srwatson print_delim(fp, del); 1580168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1581168777Srwatson print_delim(fp, del); 1582168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1583168777Srwatson fprintf(fp, format, 1584168777Srwatson *((u_int16_t *)(tok->tt.arb.data + 1585168777Srwatson (size * i)))); 1586168777Srwatson } 1587155131Srwatson break; 1588155131Srwatson 1589159248Srwatson case AUR_INT32: 1590159248Srwatson /* case AUR_INT: */ 1591155131Srwatson str = "int"; 1592159248Srwatson size = AUR_INT32_SIZE; 1593243750Srwatson if (oflags & AU_OFLAG_XML) { 1594168777Srwatson open_attr(fp, "type"); 1595185573Srwatson fprintf(fp, "%zu", size); 1596168777Srwatson close_attr(fp); 1597168777Srwatson open_attr(fp, "count"); 1598168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1599168777Srwatson close_attr(fp); 1600168777Srwatson fprintf(fp, ">"); 1601168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1602168777Srwatson fprintf(fp, format, 1603168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1604168777Srwatson (size * i)))); 1605168777Srwatson close_tag(fp, tok->id); 1606168777Srwatson } else { 1607168777Srwatson print_string(fp, str, strlen(str)); 1608168777Srwatson print_delim(fp, del); 1609168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1610168777Srwatson print_delim(fp, del); 1611168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1612168777Srwatson fprintf(fp, format, 1613168777Srwatson *((u_int32_t *)(tok->tt.arb.data + 1614168777Srwatson (size * i)))); 1615168777Srwatson } 1616155131Srwatson break; 1617155131Srwatson 1618159248Srwatson case AUR_INT64: 1619159248Srwatson str = "int64"; 1620159248Srwatson size = AUR_INT64_SIZE; 1621243750Srwatson if (oflags & AU_OFLAG_XML) { 1622168777Srwatson open_attr(fp, "type"); 1623185573Srwatson fprintf(fp, "%zu", size); 1624168777Srwatson close_attr(fp); 1625168777Srwatson open_attr(fp, "count"); 1626168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1627168777Srwatson close_attr(fp); 1628168777Srwatson fprintf(fp, ">"); 1629168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1630168777Srwatson fprintf(fp, format, 1631168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1632168777Srwatson (size * i)))); 1633168777Srwatson close_tag(fp, tok->id); 1634168777Srwatson } else { 1635168777Srwatson print_string(fp, str, strlen(str)); 1636168777Srwatson print_delim(fp, del); 1637168777Srwatson print_1_byte(fp, tok->tt.arb.uc, "%u"); 1638168777Srwatson print_delim(fp, del); 1639168777Srwatson for (i = 0; i < tok->tt.arb.uc; i++) 1640168777Srwatson fprintf(fp, format, 1641168777Srwatson *((u_int64_t *)(tok->tt.arb.data + 1642168777Srwatson (size * i)))); 1643168777Srwatson } 1644159248Srwatson break; 1645159248Srwatson 1646155131Srwatson default: 1647155131Srwatson return; 1648155131Srwatson } 1649155131Srwatson} 1650155131Srwatson 1651155131Srwatson/* 1652155131Srwatson * file access mode 4 bytes 1653155131Srwatson * owner user ID 4 bytes 1654155131Srwatson * owner group ID 4 bytes 1655155131Srwatson * file system ID 4 bytes 1656155131Srwatson * node ID 8 bytes 1657155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1658155131Srwatson */ 1659155131Srwatsonstatic int 1660168777Srwatsonfetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1661155131Srwatson{ 1662155131Srwatson int err = 0; 1663155131Srwatson 1664155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1665155131Srwatson if (err) 1666155131Srwatson return (-1); 1667155131Srwatson 1668155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1669155131Srwatson if (err) 1670155131Srwatson return (-1); 1671155131Srwatson 1672155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1673155131Srwatson if (err) 1674155131Srwatson return (-1); 1675155131Srwatson 1676155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1677155131Srwatson if (err) 1678155131Srwatson return (-1); 1679155131Srwatson 1680155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1681155131Srwatson if (err) 1682155131Srwatson return (-1); 1683155131Srwatson 1684155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1685155131Srwatson if (err) 1686155131Srwatson return (-1); 1687155131Srwatson 1688155131Srwatson return (0); 1689155131Srwatson} 1690155131Srwatson 1691155131Srwatsonstatic void 1692243750Srwatsonprint_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1693155131Srwatson{ 1694155131Srwatson 1695243750Srwatson print_tok_type(fp, tok->id, "attribute", oflags); 1696243750Srwatson if (oflags & AU_OFLAG_XML) { 1697168777Srwatson open_attr(fp, "mode"); 1698168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1699168777Srwatson close_attr(fp); 1700168777Srwatson open_attr(fp, "uid"); 1701243750Srwatson print_user(fp, tok->tt.attr32.uid, oflags); 1702168777Srwatson close_attr(fp); 1703168777Srwatson open_attr(fp, "gid"); 1704243750Srwatson print_group(fp, tok->tt.attr32.gid, oflags); 1705168777Srwatson close_attr(fp); 1706168777Srwatson open_attr(fp, "fsid"); 1707168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1708168777Srwatson close_attr(fp); 1709168777Srwatson open_attr(fp, "nodeid"); 1710168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1711168777Srwatson close_attr(fp); 1712168777Srwatson open_attr(fp, "device"); 1713168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1714168777Srwatson close_attr(fp); 1715168777Srwatson close_tag(fp, tok->id); 1716168777Srwatson } else { 1717168777Srwatson print_delim(fp, del); 1718168777Srwatson print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1719168777Srwatson print_delim(fp, del); 1720243750Srwatson print_user(fp, tok->tt.attr32.uid, oflags); 1721168777Srwatson print_delim(fp, del); 1722243750Srwatson print_group(fp, tok->tt.attr32.gid, oflags); 1723168777Srwatson print_delim(fp, del); 1724168777Srwatson print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1725168777Srwatson print_delim(fp, del); 1726168777Srwatson print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1727168777Srwatson print_delim(fp, del); 1728168777Srwatson print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1729168777Srwatson } 1730155131Srwatson} 1731155131Srwatson 1732155131Srwatson/* 1733155131Srwatson * file access mode 4 bytes 1734155131Srwatson * owner user ID 4 bytes 1735155131Srwatson * owner group ID 4 bytes 1736155131Srwatson * file system ID 4 bytes 1737155131Srwatson * node ID 8 bytes 1738155131Srwatson * device 4 bytes/8 bytes (32-bit/64-bit) 1739155131Srwatson */ 1740155131Srwatsonstatic int 1741168777Srwatsonfetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1742155131Srwatson{ 1743155131Srwatson int err = 0; 1744155131Srwatson 1745155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1746155131Srwatson if (err) 1747155131Srwatson return (-1); 1748155131Srwatson 1749155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1750155131Srwatson if (err) 1751155131Srwatson return (-1); 1752155131Srwatson 1753155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1754155131Srwatson if (err) 1755155131Srwatson return (-1); 1756155131Srwatson 1757155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1758155131Srwatson if (err) 1759155131Srwatson return (-1); 1760155131Srwatson 1761155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1762155131Srwatson if (err) 1763155131Srwatson return (-1); 1764155131Srwatson 1765155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1766155131Srwatson if (err) 1767155131Srwatson return (-1); 1768155131Srwatson 1769155131Srwatson return (0); 1770155131Srwatson} 1771155131Srwatson 1772155131Srwatsonstatic void 1773243750Srwatsonprint_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1774155131Srwatson{ 1775155131Srwatson 1776243750Srwatson print_tok_type(fp, tok->id, "attribute", oflags); 1777243750Srwatson if (oflags & AU_OFLAG_XML) { 1778168777Srwatson open_attr(fp, "mode"); 1779168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1780168777Srwatson close_attr(fp); 1781168777Srwatson open_attr(fp, "uid"); 1782243750Srwatson print_user(fp, tok->tt.attr64.uid, oflags); 1783168777Srwatson close_attr(fp); 1784168777Srwatson open_attr(fp, "gid"); 1785243750Srwatson print_group(fp, tok->tt.attr64.gid, oflags); 1786168777Srwatson close_attr(fp); 1787168777Srwatson open_attr(fp, "fsid"); 1788168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1789168777Srwatson close_attr(fp); 1790168777Srwatson open_attr(fp, "nodeid"); 1791168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1792168777Srwatson close_attr(fp); 1793168777Srwatson open_attr(fp, "device"); 1794168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1795168777Srwatson close_attr(fp); 1796168777Srwatson close_tag(fp, tok->id); 1797168777Srwatson } else { 1798168777Srwatson print_delim(fp, del); 1799168777Srwatson print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1800168777Srwatson print_delim(fp, del); 1801243750Srwatson print_user(fp, tok->tt.attr64.uid, oflags); 1802168777Srwatson print_delim(fp, del); 1803243750Srwatson print_group(fp, tok->tt.attr64.gid, oflags); 1804168777Srwatson print_delim(fp, del); 1805168777Srwatson print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1806168777Srwatson print_delim(fp, del); 1807168777Srwatson print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1808168777Srwatson print_delim(fp, del); 1809168777Srwatson print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1810168777Srwatson } 1811155131Srwatson} 1812155131Srwatson 1813155131Srwatson/* 1814155131Srwatson * status 4 bytes 1815155131Srwatson * return value 4 bytes 1816155131Srwatson */ 1817155131Srwatsonstatic int 1818168777Srwatsonfetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1819155131Srwatson{ 1820155131Srwatson int err = 0; 1821155131Srwatson 1822155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1823155131Srwatson if (err) 1824155131Srwatson return (-1); 1825155131Srwatson 1826155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1827155131Srwatson if (err) 1828155131Srwatson return (-1); 1829155131Srwatson 1830155131Srwatson return (0); 1831155131Srwatson} 1832155131Srwatson 1833155131Srwatsonstatic void 1834243750Srwatsonprint_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1835155131Srwatson{ 1836155131Srwatson 1837243750Srwatson print_tok_type(fp, tok->id, "exit", oflags); 1838243750Srwatson if (oflags & AU_OFLAG_XML) { 1839168777Srwatson open_attr(fp, "errval"); 1840168777Srwatson print_errval(fp, tok->tt.exit.status); 1841168777Srwatson close_attr(fp); 1842168777Srwatson open_attr(fp, "retval"); 1843168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1844168777Srwatson close_attr(fp); 1845168777Srwatson close_tag(fp, tok->id); 1846168777Srwatson } else { 1847168777Srwatson print_delim(fp, del); 1848168777Srwatson print_errval(fp, tok->tt.exit.status); 1849168777Srwatson print_delim(fp, del); 1850168777Srwatson print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1851168777Srwatson } 1852155131Srwatson} 1853155131Srwatson 1854155131Srwatson/* 1855155131Srwatson * count 4 bytes 1856155131Srwatson * text count null-terminated string(s) 1857155131Srwatson */ 1858155131Srwatsonstatic int 1859168777Srwatsonfetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1860155131Srwatson{ 1861155131Srwatson int err = 0; 1862185573Srwatson u_int32_t i; 1863168777Srwatson u_char *bptr; 1864155131Srwatson 1865155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1866155131Srwatson if (err) 1867155131Srwatson return (-1); 1868155131Srwatson 1869155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1870155131Srwatson bptr = buf + tok->len; 1871162503Srwatson if (i < AUDIT_MAX_ARGS) 1872168777Srwatson tok->tt.execarg.text[i] = (char*)bptr; 1873155131Srwatson 1874155131Srwatson /* Look for a null terminated string. */ 1875155131Srwatson while (bptr && (*bptr != '\0')) { 1876185573Srwatson if (++tok->len >= (u_int32_t)len) 1877155131Srwatson return (-1); 1878155131Srwatson bptr = buf + tok->len; 1879155131Srwatson } 1880155131Srwatson if (!bptr) 1881155131Srwatson return (-1); 1882155131Srwatson tok->len++; /* \0 character */ 1883155131Srwatson } 1884162503Srwatson if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1885162503Srwatson tok->tt.execarg.count = AUDIT_MAX_ARGS; 1886155131Srwatson 1887155131Srwatson return (0); 1888155131Srwatson} 1889155131Srwatson 1890155131Srwatsonstatic void 1891243750Srwatsonprint_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1892155131Srwatson{ 1893185573Srwatson u_int32_t i; 1894155131Srwatson 1895243750Srwatson print_tok_type(fp, tok->id, "exec arg", oflags); 1896155131Srwatson for (i = 0; i < tok->tt.execarg.count; i++) { 1897243750Srwatson if (oflags & AU_OFLAG_XML) { 1898168777Srwatson fprintf(fp, "<arg>"); 1899243750Srwatson print_xml_string(fp, tok->tt.execarg.text[i], 1900168777Srwatson strlen(tok->tt.execarg.text[i])); 1901168777Srwatson fprintf(fp, "</arg>"); 1902168777Srwatson } else { 1903168777Srwatson print_delim(fp, del); 1904168777Srwatson print_string(fp, tok->tt.execarg.text[i], 1905168777Srwatson strlen(tok->tt.execarg.text[i])); 1906168777Srwatson } 1907155131Srwatson } 1908243750Srwatson if (oflags & AU_OFLAG_XML) 1909168777Srwatson close_tag(fp, tok->id); 1910155131Srwatson} 1911155131Srwatson 1912155131Srwatson/* 1913155131Srwatson * count 4 bytes 1914155131Srwatson * text count null-terminated string(s) 1915155131Srwatson */ 1916155131Srwatsonstatic int 1917168777Srwatsonfetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1918155131Srwatson{ 1919155131Srwatson int err = 0; 1920185573Srwatson u_int32_t i; 1921168777Srwatson u_char *bptr; 1922155131Srwatson 1923155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1924155131Srwatson if (err) 1925155131Srwatson return (-1); 1926155131Srwatson 1927162503Srwatson for (i = 0; i < tok->tt.execenv.count; i++) { 1928155131Srwatson bptr = buf + tok->len; 1929162503Srwatson if (i < AUDIT_MAX_ENV) 1930168777Srwatson tok->tt.execenv.text[i] = (char*)bptr; 1931155131Srwatson 1932155131Srwatson /* Look for a null terminated string. */ 1933155131Srwatson while (bptr && (*bptr != '\0')) { 1934185573Srwatson if (++tok->len >= (u_int32_t)len) 1935155131Srwatson return (-1); 1936155131Srwatson bptr = buf + tok->len; 1937155131Srwatson } 1938155131Srwatson if (!bptr) 1939155131Srwatson return (-1); 1940155131Srwatson tok->len++; /* \0 character */ 1941155131Srwatson } 1942162503Srwatson if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1943162503Srwatson tok->tt.execenv.count = AUDIT_MAX_ENV; 1944155131Srwatson 1945155131Srwatson return (0); 1946155131Srwatson} 1947155131Srwatson 1948155131Srwatsonstatic void 1949243750Srwatsonprint_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 1950155131Srwatson{ 1951185573Srwatson u_int32_t i; 1952155131Srwatson 1953243750Srwatson print_tok_type(fp, tok->id, "exec env", oflags); 1954155131Srwatson for (i = 0; i< tok->tt.execenv.count; i++) { 1955243750Srwatson if (oflags & AU_OFLAG_XML) { 1956168777Srwatson fprintf(fp, "<env>"); 1957243750Srwatson print_xml_string(fp, tok->tt.execenv.text[i], 1958168777Srwatson strlen(tok->tt.execenv.text[i])); 1959168777Srwatson fprintf(fp, "</env>"); 1960168777Srwatson } else { 1961168777Srwatson print_delim(fp, del); 1962168777Srwatson print_string(fp, tok->tt.execenv.text[i], 1963168777Srwatson strlen(tok->tt.execenv.text[i])); 1964168777Srwatson } 1965155131Srwatson } 1966243750Srwatson if (oflags & AU_OFLAG_XML) 1967168777Srwatson close_tag(fp, tok->id); 1968155131Srwatson} 1969155131Srwatson 1970155131Srwatson/* 1971155131Srwatson * seconds of time 4 bytes 1972155131Srwatson * milliseconds of time 4 bytes 1973155131Srwatson * file name len 2 bytes 1974155131Srwatson * file pathname N bytes + 1 terminating NULL byte 1975155131Srwatson */ 1976155131Srwatsonstatic int 1977168777Srwatsonfetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1978155131Srwatson{ 1979155131Srwatson int err = 0; 1980155131Srwatson 1981155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1982155131Srwatson if (err) 1983155131Srwatson return (-1); 1984155131Srwatson 1985155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1986155131Srwatson if (err) 1987155131Srwatson return (-1); 1988155131Srwatson 1989155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1990155131Srwatson if (err) 1991155131Srwatson return (-1); 1992155131Srwatson 1993168777Srwatson SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1994168777Srwatson err); 1995155131Srwatson if (err) 1996155131Srwatson return (-1); 1997155131Srwatson 1998155131Srwatson return (0); 1999155131Srwatson} 2000155131Srwatson 2001155131Srwatsonstatic void 2002243750Srwatsonprint_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2003155131Srwatson{ 2004155131Srwatson 2005243750Srwatson print_tok_type(fp, tok->id, "file", oflags); 2006243750Srwatson if (oflags & AU_OFLAG_XML) { 2007168777Srwatson open_attr(fp, "time"); 2008243750Srwatson print_sec32(fp, tok->tt.file.s, oflags); 2009168777Srwatson close_attr(fp); 2010168777Srwatson open_attr(fp, "msec"); 2011243750Srwatson print_msec32(fp, tok->tt.file.ms, oflags); 2012168777Srwatson close_attr(fp); 2013168777Srwatson fprintf(fp, ">"); 2014168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 2015168777Srwatson close_tag(fp, tok->id); 2016168777Srwatson } else { 2017168777Srwatson print_delim(fp, del); 2018243750Srwatson print_sec32(fp, tok->tt.file.s, oflags); 2019168777Srwatson print_delim(fp, del); 2020243750Srwatson print_msec32(fp, tok->tt.file.ms, oflags); 2021168777Srwatson print_delim(fp, del); 2022168777Srwatson print_string(fp, tok->tt.file.name, tok->tt.file.len); 2023168777Srwatson } 2024155131Srwatson} 2025155131Srwatson 2026155131Srwatson/* 2027155131Srwatson * number groups 2 bytes 2028155131Srwatson * group list count * 4 bytes 2029155131Srwatson */ 2030155131Srwatsonstatic int 2031168777Srwatsonfetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 2032155131Srwatson{ 2033155131Srwatson int i; 2034155131Srwatson int err = 0; 2035155131Srwatson 2036155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 2037155131Srwatson if (err) 2038155131Srwatson return (-1); 2039155131Srwatson 2040155131Srwatson for (i = 0; i<tok->tt.grps.no; i++) { 2041155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2042155131Srwatson err); 2043243750Srwatson if (err) 2044243750Srwatson return (-1); 2045155131Srwatson } 2046155131Srwatson 2047155131Srwatson return (0); 2048155131Srwatson} 2049155131Srwatson 2050155131Srwatsonstatic void 2051243750Srwatsonprint_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2052155131Srwatson{ 2053155131Srwatson int i; 2054155131Srwatson 2055243750Srwatson print_tok_type(fp, tok->id, "group", oflags); 2056155131Srwatson for (i = 0; i < tok->tt.grps.no; i++) { 2057243750Srwatson if (oflags & AU_OFLAG_XML) { 2058168777Srwatson fprintf(fp, "<gid>"); 2059243750Srwatson print_group(fp, tok->tt.grps.list[i], oflags); 2060168777Srwatson fprintf(fp, "</gid>"); 2061168777Srwatson close_tag(fp, tok->id); 2062168777Srwatson } else { 2063168777Srwatson print_delim(fp, del); 2064243750Srwatson print_group(fp, tok->tt.grps.list[i], oflags); 2065168777Srwatson } 2066155131Srwatson } 2067155131Srwatson} 2068155131Srwatson 2069155131Srwatson/* 2070155131Srwatson * Internet addr 4 bytes 2071155131Srwatson */ 2072155131Srwatsonstatic int 2073168777Srwatsonfetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2074155131Srwatson{ 2075155131Srwatson int err = 0; 2076155131Srwatson 2077159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2078159248Srwatson tok->len, err); 2079155131Srwatson if (err) 2080155131Srwatson return (-1); 2081155131Srwatson 2082155131Srwatson return (0); 2083155131Srwatson 2084155131Srwatson} 2085155131Srwatson 2086155131Srwatsonstatic void 2087243750Srwatsonprint_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2088155131Srwatson{ 2089155131Srwatson 2090243750Srwatson print_tok_type(fp, tok->id, "ip addr", oflags); 2091243750Srwatson if (oflags & AU_OFLAG_XML) { 2092168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2093168777Srwatson close_tag(fp, tok->id); 2094168777Srwatson } else { 2095168777Srwatson print_delim(fp, del); 2096168777Srwatson print_ip_address(fp, tok->tt.inaddr.addr); 2097168777Srwatson } 2098155131Srwatson} 2099155131Srwatson 2100155131Srwatson/* 2101243750Srwatson * type 4 bytes 2102155131Srwatson * address 16 bytes 2103155131Srwatson */ 2104155131Srwatsonstatic int 2105168777Srwatsonfetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2106155131Srwatson{ 2107155131Srwatson int err = 0; 2108155131Srwatson 2109155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2110155131Srwatson if (err) 2111155131Srwatson return (-1); 2112155131Srwatson 2113155131Srwatson if (tok->tt.inaddr_ex.type == AU_IPv4) { 2114155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2115155131Srwatson sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2116155131Srwatson if (err) 2117155131Srwatson return (-1); 2118155131Srwatson } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2119155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2120155131Srwatson sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2121155131Srwatson if (err) 2122155131Srwatson return (-1); 2123155131Srwatson } else 2124155131Srwatson return (-1); 2125155131Srwatson 2126155131Srwatson return (0); 2127155131Srwatson} 2128155131Srwatson 2129155131Srwatsonstatic void 2130243750Srwatsonprint_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2131155131Srwatson{ 2132155131Srwatson 2133243750Srwatson print_tok_type(fp, tok->id, "ip addr ex", oflags); 2134243750Srwatson if (oflags & AU_OFLAG_XML) { 2135168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2136168777Srwatson tok->tt.inaddr_ex.addr); 2137168777Srwatson close_tag(fp, tok->id); 2138168777Srwatson } else { 2139168777Srwatson print_delim(fp, del); 2140168777Srwatson print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2141168777Srwatson tok->tt.inaddr_ex.addr); 2142168777Srwatson } 2143155131Srwatson} 2144155131Srwatson 2145155131Srwatson/* 2146155131Srwatson * ip header 20 bytes 2147155131Srwatson */ 2148155131Srwatsonstatic int 2149168777Srwatsonfetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2150155131Srwatson{ 2151155131Srwatson int err = 0; 2152155131Srwatson 2153155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2154155131Srwatson if (err) 2155155131Srwatson return (-1); 2156155131Srwatson 2157155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2158155131Srwatson if (err) 2159155131Srwatson return (-1); 2160155131Srwatson 2161159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2162159248Srwatson tok->len, err); 2163155131Srwatson if (err) 2164155131Srwatson return (-1); 2165155131Srwatson 2166159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2167159248Srwatson tok->len, err); 2168155131Srwatson if (err) 2169155131Srwatson return (-1); 2170155131Srwatson 2171159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2172159248Srwatson tok->len, err); 2173155131Srwatson if (err) 2174155131Srwatson return (-1); 2175155131Srwatson 2176155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2177155131Srwatson if (err) 2178155131Srwatson return (-1); 2179155131Srwatson 2180155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2181155131Srwatson if (err) 2182155131Srwatson return (-1); 2183155131Srwatson 2184159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2185159248Srwatson tok->len, err); 2186155131Srwatson if (err) 2187155131Srwatson return (-1); 2188155131Srwatson 2189155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2190155131Srwatson tok->len, err); 2191155131Srwatson if (err) 2192155131Srwatson return (-1); 2193155131Srwatson 2194155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2195155131Srwatson tok->len, err); 2196155131Srwatson if (err) 2197155131Srwatson return (-1); 2198155131Srwatson 2199155131Srwatson return (0); 2200155131Srwatson} 2201155131Srwatson 2202155131Srwatsonstatic void 2203243750Srwatsonprint_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2204155131Srwatson{ 2205155131Srwatson 2206243750Srwatson print_tok_type(fp, tok->id, "ip", oflags); 2207243750Srwatson if (oflags & AU_OFLAG_XML) { 2208168777Srwatson open_attr(fp, "version"); 2209168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2210168777Srwatson sizeof(u_char)); 2211168777Srwatson close_attr(fp); 2212168777Srwatson open_attr(fp, "service_type"); 2213168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2214168777Srwatson close_attr(fp); 2215168777Srwatson open_attr(fp, "len"); 2216168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2217168777Srwatson close_attr(fp); 2218168777Srwatson open_attr(fp, "id"); 2219168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2220168777Srwatson close_attr(fp); 2221168777Srwatson open_attr(fp, "offset"); 2222168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2223168777Srwatson close_attr(fp); 2224168777Srwatson open_attr(fp, "time_to_live"); 2225168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2226168777Srwatson close_attr(fp); 2227168777Srwatson open_attr(fp, "protocol"); 2228168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2229168777Srwatson close_attr(fp); 2230168777Srwatson open_attr(fp, "cksum"); 2231168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2232168777Srwatson close_attr(fp); 2233168777Srwatson open_attr(fp, "src_addr"); 2234168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2235168777Srwatson close_attr(fp); 2236168777Srwatson open_attr(fp, "dest_addr"); 2237168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2238168777Srwatson close_attr(fp); 2239168777Srwatson close_tag(fp, tok->id); 2240168777Srwatson } else { 2241168777Srwatson print_delim(fp, del); 2242168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.version), 2243168777Srwatson sizeof(u_char)); 2244168777Srwatson print_delim(fp, del); 2245168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2246168777Srwatson print_delim(fp, del); 2247168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2248168777Srwatson print_delim(fp, del); 2249168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2250168777Srwatson print_delim(fp, del); 2251168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2252168777Srwatson print_delim(fp, del); 2253168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2254168777Srwatson print_delim(fp, del); 2255168777Srwatson print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2256168777Srwatson print_delim(fp, del); 2257168777Srwatson print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2258168777Srwatson print_delim(fp, del); 2259168777Srwatson print_ip_address(fp, tok->tt.ip.src); 2260168777Srwatson print_delim(fp, del); 2261168777Srwatson print_ip_address(fp, tok->tt.ip.dest); 2262168777Srwatson } 2263155131Srwatson} 2264155131Srwatson 2265155131Srwatson/* 2266155131Srwatson * object ID type 1 byte 2267155131Srwatson * Object ID 4 bytes 2268155131Srwatson */ 2269155131Srwatsonstatic int 2270168777Srwatsonfetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2271155131Srwatson{ 2272155131Srwatson int err = 0; 2273155131Srwatson 2274155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2275155131Srwatson if (err) 2276155131Srwatson return (-1); 2277155131Srwatson 2278155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2279155131Srwatson if (err) 2280155131Srwatson return (-1); 2281155131Srwatson 2282155131Srwatson return (0); 2283155131Srwatson} 2284155131Srwatson 2285155131Srwatsonstatic void 2286243750Srwatsonprint_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2287155131Srwatson{ 2288155131Srwatson 2289243750Srwatson print_tok_type(fp, tok->id, "IPC", oflags); 2290243750Srwatson if (oflags & AU_OFLAG_XML) { 2291168777Srwatson open_attr(fp, "ipc-type"); 2292243750Srwatson print_ipctype(fp, tok->tt.ipc.type, oflags); 2293168777Srwatson close_attr(fp); 2294168777Srwatson open_attr(fp, "ipc-id"); 2295168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2296168777Srwatson close_attr(fp); 2297168777Srwatson close_tag(fp, tok->id); 2298168777Srwatson } else { 2299168777Srwatson print_delim(fp, del); 2300243750Srwatson print_ipctype(fp, tok->tt.ipc.type, oflags); 2301168777Srwatson print_delim(fp, del); 2302168777Srwatson print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2303168777Srwatson } 2304155131Srwatson} 2305155131Srwatson 2306155131Srwatson/* 2307155131Srwatson * owner user id 4 bytes 2308155131Srwatson * owner group id 4 bytes 2309155131Srwatson * creator user id 4 bytes 2310155131Srwatson * creator group id 4 bytes 2311155131Srwatson * access mode 4 bytes 2312155131Srwatson * slot seq 4 bytes 2313155131Srwatson * key 4 bytes 2314155131Srwatson */ 2315155131Srwatsonstatic int 2316168777Srwatsonfetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2317155131Srwatson{ 2318155131Srwatson int err = 0; 2319155131Srwatson 2320155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2321155131Srwatson if (err) 2322155131Srwatson return (-1); 2323155131Srwatson 2324155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2325155131Srwatson if (err) 2326155131Srwatson return (-1); 2327155131Srwatson 2328155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2329155131Srwatson if (err) 2330155131Srwatson return (-1); 2331155131Srwatson 2332155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2333155131Srwatson if (err) 2334155131Srwatson return (-1); 2335155131Srwatson 2336155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2337155131Srwatson if (err) 2338155131Srwatson return (-1); 2339155131Srwatson 2340155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2341155131Srwatson if (err) 2342155131Srwatson return (-1); 2343155131Srwatson 2344155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2345155131Srwatson if (err) 2346155131Srwatson return (-1); 2347155131Srwatson 2348155131Srwatson return (0); 2349155131Srwatson} 2350155131Srwatson 2351155131Srwatsonstatic void 2352243750Srwatsonprint_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2353155131Srwatson{ 2354155131Srwatson 2355243750Srwatson print_tok_type(fp, tok->id, "IPC perm", oflags); 2356243750Srwatson if (oflags & AU_OFLAG_XML) { 2357168777Srwatson open_attr(fp, "uid"); 2358243750Srwatson print_user(fp, tok->tt.ipcperm.uid, oflags); 2359168777Srwatson close_attr(fp); 2360168777Srwatson open_attr(fp, "gid"); 2361243750Srwatson print_group(fp, tok->tt.ipcperm.gid, oflags); 2362168777Srwatson close_attr(fp); 2363168777Srwatson open_attr(fp, "creator-uid"); 2364243750Srwatson print_user(fp, tok->tt.ipcperm.puid, oflags); 2365168777Srwatson close_attr(fp); 2366168777Srwatson open_attr(fp, "creator-gid"); 2367243750Srwatson print_group(fp, tok->tt.ipcperm.pgid, oflags); 2368168777Srwatson close_attr(fp); 2369168777Srwatson open_attr(fp, "mode"); 2370168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2371168777Srwatson close_attr(fp); 2372168777Srwatson open_attr(fp, "seq"); 2373168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2374168777Srwatson close_attr(fp); 2375168777Srwatson open_attr(fp, "key"); 2376168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2377168777Srwatson close_attr(fp); 2378168777Srwatson close_tag(fp, tok->id); 2379168777Srwatson } else { 2380168777Srwatson print_delim(fp, del); 2381243750Srwatson print_user(fp, tok->tt.ipcperm.uid, oflags); 2382168777Srwatson print_delim(fp, del); 2383243750Srwatson print_group(fp, tok->tt.ipcperm.gid, oflags); 2384168777Srwatson print_delim(fp, del); 2385243750Srwatson print_user(fp, tok->tt.ipcperm.puid, oflags); 2386168777Srwatson print_delim(fp, del); 2387243750Srwatson print_group(fp, tok->tt.ipcperm.pgid, oflags); 2388168777Srwatson print_delim(fp, del); 2389168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2390168777Srwatson print_delim(fp, del); 2391168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2392168777Srwatson print_delim(fp, del); 2393168777Srwatson print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2394168777Srwatson } 2395155131Srwatson} 2396155131Srwatson 2397155131Srwatson/* 2398155131Srwatson * port Ip address 2 bytes 2399155131Srwatson */ 2400155131Srwatsonstatic int 2401168777Srwatsonfetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2402155131Srwatson{ 2403155131Srwatson int err = 0; 2404155131Srwatson 2405159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2406159248Srwatson tok->len, err); 2407155131Srwatson if (err) 2408155131Srwatson return (-1); 2409155131Srwatson 2410155131Srwatson return (0); 2411155131Srwatson} 2412155131Srwatson 2413155131Srwatsonstatic void 2414243750Srwatsonprint_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2415155131Srwatson{ 2416155131Srwatson 2417243750Srwatson print_tok_type(fp, tok->id, "ip port", oflags); 2418243750Srwatson if (oflags & AU_OFLAG_XML) { 2419168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2420168777Srwatson close_tag(fp, tok->id); 2421168777Srwatson } else { 2422168777Srwatson print_delim(fp, del); 2423168777Srwatson print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2424168777Srwatson } 2425155131Srwatson} 2426155131Srwatson 2427155131Srwatson/* 2428155131Srwatson * size 2 bytes 2429155131Srwatson * data size bytes 2430155131Srwatson */ 2431155131Srwatsonstatic int 2432168777Srwatsonfetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2433155131Srwatson{ 2434155131Srwatson int err = 0; 2435155131Srwatson 2436155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2437155131Srwatson if (err) 2438155131Srwatson return (-1); 2439155131Srwatson 2440168777Srwatson SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2441168777Srwatson tok->len, err); 2442155131Srwatson if (err) 2443155131Srwatson return (-1); 2444155131Srwatson 2445155131Srwatson return (0); 2446155131Srwatson} 2447155131Srwatson 2448155131Srwatsonstatic void 2449243750Srwatsonprint_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2450155131Srwatson{ 2451155131Srwatson 2452243750Srwatson print_tok_type(fp, tok->id, "opaque", oflags); 2453243750Srwatson if (oflags & AU_OFLAG_XML) { 2454168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2455168777Srwatson tok->tt.opaque.size); 2456168777Srwatson close_tag(fp, tok->id); 2457168777Srwatson } else { 2458168777Srwatson print_delim(fp, del); 2459168777Srwatson print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2460168777Srwatson print_delim(fp, del); 2461168777Srwatson print_mem(fp, (u_char*)tok->tt.opaque.data, 2462168777Srwatson tok->tt.opaque.size); 2463168777Srwatson } 2464155131Srwatson} 2465155131Srwatson 2466155131Srwatson/* 2467155131Srwatson * size 2 bytes 2468155131Srwatson * data size bytes 2469155131Srwatson */ 2470155131Srwatsonstatic int 2471168777Srwatsonfetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2472155131Srwatson{ 2473155131Srwatson int err = 0; 2474155131Srwatson 2475155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2476155131Srwatson if (err) 2477155131Srwatson return (-1); 2478155131Srwatson 2479168777Srwatson SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2480168777Srwatson err); 2481155131Srwatson if (err) 2482155131Srwatson return (-1); 2483155131Srwatson 2484155131Srwatson return (0); 2485155131Srwatson} 2486155131Srwatson 2487155131Srwatsonstatic void 2488243750Srwatsonprint_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2489155131Srwatson{ 2490155131Srwatson 2491243750Srwatson print_tok_type(fp, tok->id, "path", oflags); 2492243750Srwatson if (oflags & AU_OFLAG_XML) { 2493168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2494168777Srwatson close_tag(fp, tok->id); 2495168777Srwatson } else { 2496168777Srwatson print_delim(fp, del); 2497168777Srwatson print_string(fp, tok->tt.path.path, tok->tt.path.len); 2498168777Srwatson } 2499155131Srwatson} 2500155131Srwatson 2501155131Srwatson/* 2502155131Srwatson * token ID 1 byte 2503155131Srwatson * audit ID 4 bytes 2504155131Srwatson * euid 4 bytes 2505155131Srwatson * egid 4 bytes 2506155131Srwatson * ruid 4 bytes 2507155131Srwatson * rgid 4 bytes 2508155131Srwatson * pid 4 bytes 2509155131Srwatson * sessid 4 bytes 2510155131Srwatson * terminal ID 2511155131Srwatson * portid 4 bytes 2512155131Srwatson * machine id 4 bytes 2513155131Srwatson */ 2514155131Srwatsonstatic int 2515168777Srwatsonfetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2516155131Srwatson{ 2517155131Srwatson int err = 0; 2518155131Srwatson 2519155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2520155131Srwatson if (err) 2521155131Srwatson return (-1); 2522155131Srwatson 2523155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2524155131Srwatson if (err) 2525155131Srwatson return (-1); 2526155131Srwatson 2527155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2528155131Srwatson if (err) 2529155131Srwatson return (-1); 2530155131Srwatson 2531155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2532155131Srwatson if (err) 2533155131Srwatson return (-1); 2534155131Srwatson 2535155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2536155131Srwatson if (err) 2537155131Srwatson return (-1); 2538155131Srwatson 2539155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2540155131Srwatson if (err) 2541155131Srwatson return (-1); 2542155131Srwatson 2543155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2544155131Srwatson if (err) 2545155131Srwatson return (-1); 2546155131Srwatson 2547155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2548155131Srwatson if (err) 2549155131Srwatson return (-1); 2550155131Srwatson 2551159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2552159248Srwatson sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2553155131Srwatson if (err) 2554155131Srwatson return (-1); 2555155131Srwatson 2556155131Srwatson return (0); 2557155131Srwatson} 2558155131Srwatson 2559155131Srwatsonstatic void 2560243750Srwatsonprint_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2561155131Srwatson{ 2562155131Srwatson 2563243750Srwatson print_tok_type(fp, tok->id, "process", oflags); 2564243750Srwatson if (oflags & AU_OFLAG_XML) { 2565168777Srwatson open_attr(fp, "audit-uid"); 2566243750Srwatson print_user(fp, tok->tt.proc32.auid, oflags); 2567168777Srwatson close_attr(fp); 2568168777Srwatson open_attr(fp, "uid"); 2569243750Srwatson print_user(fp, tok->tt.proc32.euid, oflags); 2570168777Srwatson close_attr(fp); 2571168777Srwatson open_attr(fp, "gid"); 2572243750Srwatson print_group(fp, tok->tt.proc32.egid, oflags); 2573168777Srwatson close_attr(fp); 2574168777Srwatson open_attr(fp, "ruid"); 2575243750Srwatson print_user(fp, tok->tt.proc32.ruid, oflags); 2576168777Srwatson close_attr(fp); 2577168777Srwatson open_attr(fp, "rgid"); 2578243750Srwatson print_group(fp, tok->tt.proc32.rgid, oflags); 2579168777Srwatson close_attr(fp); 2580168777Srwatson open_attr(fp, "pid"); 2581168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2582168777Srwatson close_attr(fp); 2583168777Srwatson open_attr(fp, "sid"); 2584168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2585168777Srwatson close_attr(fp); 2586168777Srwatson open_attr(fp, "tid"); 2587168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2588168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2589168777Srwatson close_attr(fp); 2590168777Srwatson close_tag(fp, tok->id); 2591168777Srwatson } else { 2592168777Srwatson print_delim(fp, del); 2593243750Srwatson print_user(fp, tok->tt.proc32.auid, oflags); 2594168777Srwatson print_delim(fp, del); 2595243750Srwatson print_user(fp, tok->tt.proc32.euid, oflags); 2596168777Srwatson print_delim(fp, del); 2597243750Srwatson print_group(fp, tok->tt.proc32.egid, oflags); 2598168777Srwatson print_delim(fp, del); 2599243750Srwatson print_user(fp, tok->tt.proc32.ruid, oflags); 2600168777Srwatson print_delim(fp, del); 2601243750Srwatson print_group(fp, tok->tt.proc32.rgid, oflags); 2602168777Srwatson print_delim(fp, del); 2603168777Srwatson print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2604168777Srwatson print_delim(fp, del); 2605168777Srwatson print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2606168777Srwatson print_delim(fp, del); 2607168777Srwatson print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2608168777Srwatson print_delim(fp, del); 2609168777Srwatson print_ip_address(fp, tok->tt.proc32.tid.addr); 2610168777Srwatson } 2611155131Srwatson} 2612155131Srwatson 2613168777Srwatson/* 2614168777Srwatson * token ID 1 byte 2615168777Srwatson * audit ID 4 bytes 2616168777Srwatson * euid 4 bytes 2617168777Srwatson * egid 4 bytes 2618168777Srwatson * ruid 4 bytes 2619168777Srwatson * rgid 4 bytes 2620168777Srwatson * pid 4 bytes 2621168777Srwatson * sessid 4 bytes 2622168777Srwatson * terminal ID 2623168777Srwatson * portid 8 bytes 2624168777Srwatson * machine id 4 bytes 2625168777Srwatson */ 2626155131Srwatsonstatic int 2627168777Srwatsonfetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2628155131Srwatson{ 2629155131Srwatson int err = 0; 2630155131Srwatson 2631168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2632168777Srwatson if (err) 2633168777Srwatson return (-1); 2634168777Srwatson 2635168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2636168777Srwatson if (err) 2637168777Srwatson return (-1); 2638168777Srwatson 2639168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2640168777Srwatson if (err) 2641168777Srwatson return (-1); 2642168777Srwatson 2643168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2644168777Srwatson if (err) 2645168777Srwatson return (-1); 2646168777Srwatson 2647168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2648168777Srwatson if (err) 2649168777Srwatson return (-1); 2650168777Srwatson 2651168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2652168777Srwatson if (err) 2653168777Srwatson return (-1); 2654168777Srwatson 2655168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2656168777Srwatson if (err) 2657168777Srwatson return (-1); 2658168777Srwatson 2659168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2660168777Srwatson if (err) 2661168777Srwatson return (-1); 2662168777Srwatson 2663168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2664168777Srwatson sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2665168777Srwatson if (err) 2666168777Srwatson return (-1); 2667168777Srwatson 2668168777Srwatson return (0); 2669168777Srwatson} 2670168777Srwatson 2671168777Srwatsonstatic void 2672243750Srwatsonprint_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2673168777Srwatson{ 2674243750Srwatson print_tok_type(fp, tok->id, "process", oflags); 2675243750Srwatson if (oflags & AU_OFLAG_XML) { 2676168777Srwatson open_attr(fp, "audit-uid"); 2677243750Srwatson print_user(fp, tok->tt.proc64.auid, oflags); 2678168777Srwatson close_attr(fp); 2679168777Srwatson open_attr(fp, "uid"); 2680243750Srwatson print_user(fp, tok->tt.proc64.euid, oflags); 2681168777Srwatson close_attr(fp); 2682168777Srwatson open_attr(fp, "gid"); 2683243750Srwatson print_group(fp, tok->tt.proc64.egid, oflags); 2684168777Srwatson close_attr(fp); 2685168777Srwatson open_attr(fp, "ruid"); 2686243750Srwatson print_user(fp, tok->tt.proc64.ruid, oflags); 2687168777Srwatson close_attr(fp); 2688168777Srwatson open_attr(fp, "rgid"); 2689243750Srwatson print_group(fp, tok->tt.proc64.rgid, oflags); 2690168777Srwatson close_attr(fp); 2691168777Srwatson open_attr(fp, "pid"); 2692168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2693168777Srwatson close_attr(fp); 2694168777Srwatson open_attr(fp, "sid"); 2695168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2696168777Srwatson close_attr(fp); 2697168777Srwatson open_attr(fp, "tid"); 2698168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2699168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2700168777Srwatson close_attr(fp); 2701168777Srwatson close_tag(fp, tok->id); 2702168777Srwatson } else { 2703168777Srwatson print_delim(fp, del); 2704243750Srwatson print_user(fp, tok->tt.proc64.auid, oflags); 2705168777Srwatson print_delim(fp, del); 2706243750Srwatson print_user(fp, tok->tt.proc64.euid, oflags); 2707168777Srwatson print_delim(fp, del); 2708243750Srwatson print_group(fp, tok->tt.proc64.egid, oflags); 2709168777Srwatson print_delim(fp, del); 2710243750Srwatson print_user(fp, tok->tt.proc64.ruid, oflags); 2711168777Srwatson print_delim(fp, del); 2712243750Srwatson print_group(fp, tok->tt.proc64.rgid, oflags); 2713168777Srwatson print_delim(fp, del); 2714168777Srwatson print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2715168777Srwatson print_delim(fp, del); 2716168777Srwatson print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2717168777Srwatson print_delim(fp, del); 2718168777Srwatson print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2719168777Srwatson print_delim(fp, del); 2720168777Srwatson print_ip_address(fp, tok->tt.proc64.tid.addr); 2721168777Srwatson } 2722168777Srwatson} 2723168777Srwatson 2724168777Srwatson/* 2725168777Srwatson * token ID 1 byte 2726168777Srwatson * audit ID 4 bytes 2727168777Srwatson * effective user ID 4 bytes 2728168777Srwatson * effective group ID 4 bytes 2729168777Srwatson * real user ID 4 bytes 2730168777Srwatson * real group ID 4 bytes 2731168777Srwatson * process ID 4 bytes 2732168777Srwatson * session ID 4 bytes 2733168777Srwatson * terminal ID 2734168777Srwatson * port ID 4 bytes 2735168777Srwatson * address type-len 4 bytes 2736168777Srwatson * machine address 16 bytes 2737168777Srwatson */ 2738168777Srwatsonstatic int 2739168777Srwatsonfetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2740168777Srwatson{ 2741168777Srwatson int err = 0; 2742168777Srwatson 2743155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2744155131Srwatson if (err) 2745155131Srwatson return (-1); 2746155131Srwatson 2747155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2748155131Srwatson if (err) 2749155131Srwatson return (-1); 2750155131Srwatson 2751155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2752155131Srwatson if (err) 2753155131Srwatson return (-1); 2754155131Srwatson 2755155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2756155131Srwatson if (err) 2757155131Srwatson return (-1); 2758155131Srwatson 2759155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2760155131Srwatson if (err) 2761155131Srwatson return (-1); 2762155131Srwatson 2763155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2764155131Srwatson if (err) 2765155131Srwatson return (-1); 2766155131Srwatson 2767155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2768155131Srwatson if (err) 2769155131Srwatson return (-1); 2770155131Srwatson 2771155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2772155131Srwatson err); 2773155131Srwatson if (err) 2774155131Srwatson return (-1); 2775155131Srwatson 2776155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2777155131Srwatson err); 2778155131Srwatson if (err) 2779155131Srwatson return (-1); 2780155131Srwatson 2781155131Srwatson if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2782155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2783155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2784155131Srwatson if (err) 2785155131Srwatson return (-1); 2786155131Srwatson } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2787155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2788155131Srwatson sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2789155131Srwatson if (err) 2790155131Srwatson return (-1); 2791155131Srwatson } else 2792155131Srwatson return (-1); 2793155131Srwatson 2794155131Srwatson return (0); 2795155131Srwatson} 2796155131Srwatson 2797155131Srwatsonstatic void 2798243750Srwatsonprint_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2799155131Srwatson{ 2800155131Srwatson 2801243750Srwatson print_tok_type(fp, tok->id, "process_ex", oflags); 2802243750Srwatson if (oflags & AU_OFLAG_XML) { 2803168777Srwatson open_attr(fp, "audit-uid"); 2804243750Srwatson print_user(fp, tok->tt.proc32_ex.auid, oflags); 2805168777Srwatson close_attr(fp); 2806168777Srwatson open_attr(fp, "uid"); 2807243750Srwatson print_user(fp, tok->tt.proc32_ex.euid, oflags); 2808168777Srwatson close_attr(fp); 2809168777Srwatson open_attr(fp, "gid"); 2810243750Srwatson print_group(fp, tok->tt.proc32_ex.egid, oflags); 2811168777Srwatson close_attr(fp); 2812168777Srwatson open_attr(fp, "ruid"); 2813243750Srwatson print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2814168777Srwatson close_attr(fp); 2815168777Srwatson open_attr(fp, "rgid"); 2816243750Srwatson print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2817168777Srwatson close_attr(fp); 2818168777Srwatson open_attr(fp, "pid"); 2819168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2820168777Srwatson close_attr(fp); 2821168777Srwatson open_attr(fp, "sid"); 2822168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2823168777Srwatson close_attr(fp); 2824168777Srwatson open_attr(fp, "tid"); 2825168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2826168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2827168777Srwatson tok->tt.proc32_ex.tid.addr); 2828168777Srwatson close_attr(fp); 2829168777Srwatson close_tag(fp, tok->id); 2830168777Srwatson } else { 2831168777Srwatson print_delim(fp, del); 2832243750Srwatson print_user(fp, tok->tt.proc32_ex.auid, oflags); 2833168777Srwatson print_delim(fp, del); 2834243750Srwatson print_user(fp, tok->tt.proc32_ex.euid, oflags); 2835168777Srwatson print_delim(fp, del); 2836243750Srwatson print_group(fp, tok->tt.proc32_ex.egid, oflags); 2837168777Srwatson print_delim(fp, del); 2838243750Srwatson print_user(fp, tok->tt.proc32_ex.ruid, oflags); 2839168777Srwatson print_delim(fp, del); 2840243750Srwatson print_group(fp, tok->tt.proc32_ex.rgid, oflags); 2841168777Srwatson print_delim(fp, del); 2842168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2843168777Srwatson print_delim(fp, del); 2844168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2845168777Srwatson print_delim(fp, del); 2846168777Srwatson print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2847168777Srwatson print_delim(fp, del); 2848168777Srwatson print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2849168777Srwatson tok->tt.proc32_ex.tid.addr); 2850168777Srwatson } 2851155131Srwatson} 2852155131Srwatson 2853155131Srwatson/* 2854168777Srwatson * token ID 1 byte 2855168777Srwatson * audit ID 4 bytes 2856168777Srwatson * effective user ID 4 bytes 2857168777Srwatson * effective group ID 4 bytes 2858168777Srwatson * real user ID 4 bytes 2859168777Srwatson * real group ID 4 bytes 2860168777Srwatson * process ID 4 bytes 2861168777Srwatson * session ID 4 bytes 2862168777Srwatson * terminal ID 2863168777Srwatson * port ID 8 bytes 2864168777Srwatson * address type-len 4 bytes 2865168777Srwatson * machine address 16 bytes 2866168777Srwatson */ 2867168777Srwatsonstatic int 2868168777Srwatsonfetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2869168777Srwatson{ 2870168777Srwatson int err = 0; 2871168777Srwatson 2872168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2873168777Srwatson if (err) 2874168777Srwatson return (-1); 2875168777Srwatson 2876168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2877168777Srwatson if (err) 2878168777Srwatson return (-1); 2879168777Srwatson 2880168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2881168777Srwatson if (err) 2882168777Srwatson return (-1); 2883168777Srwatson 2884168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2885168777Srwatson if (err) 2886168777Srwatson return (-1); 2887168777Srwatson 2888168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2889168777Srwatson if (err) 2890168777Srwatson return (-1); 2891168777Srwatson 2892168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2893168777Srwatson if (err) 2894168777Srwatson return (-1); 2895168777Srwatson 2896168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2897168777Srwatson if (err) 2898168777Srwatson return (-1); 2899168777Srwatson 2900168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2901168777Srwatson err); 2902168777Srwatson if (err) 2903168777Srwatson return (-1); 2904168777Srwatson 2905168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2906168777Srwatson err); 2907168777Srwatson if (err) 2908168777Srwatson return (-1); 2909168777Srwatson 2910168777Srwatson if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2911168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2912168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2913168777Srwatson if (err) 2914168777Srwatson return (-1); 2915168777Srwatson } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2916168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2917168777Srwatson sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2918168777Srwatson if (err) 2919168777Srwatson return (-1); 2920168777Srwatson } else 2921168777Srwatson return (-1); 2922168777Srwatson 2923168777Srwatson return (0); 2924168777Srwatson} 2925168777Srwatson 2926168777Srwatsonstatic void 2927243750Srwatsonprint_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 2928168777Srwatson{ 2929243750Srwatson print_tok_type(fp, tok->id, "process_ex", oflags); 2930243750Srwatson if (oflags & AU_OFLAG_XML) { 2931168777Srwatson open_attr(fp, "audit-uid"); 2932243750Srwatson print_user(fp, tok->tt.proc64_ex.auid, oflags); 2933168777Srwatson close_attr(fp); 2934168777Srwatson open_attr(fp, "uid"); 2935243750Srwatson print_user(fp, tok->tt.proc64_ex.euid, oflags); 2936168777Srwatson close_attr(fp); 2937168777Srwatson open_attr(fp, "gid"); 2938243750Srwatson print_group(fp, tok->tt.proc64_ex.egid, oflags); 2939168777Srwatson close_attr(fp); 2940168777Srwatson open_attr(fp, "ruid"); 2941243750Srwatson print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2942168777Srwatson close_attr(fp); 2943168777Srwatson open_attr(fp, "rgid"); 2944243750Srwatson print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2945168777Srwatson close_attr(fp); 2946168777Srwatson open_attr(fp, "pid"); 2947168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2948168777Srwatson close_attr(fp); 2949168777Srwatson open_attr(fp, "sid"); 2950168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2951168777Srwatson close_attr(fp); 2952168777Srwatson open_attr(fp, "tid"); 2953168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2954168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2955168777Srwatson tok->tt.proc64_ex.tid.addr); 2956168777Srwatson close_attr(fp); 2957168777Srwatson close_tag(fp, tok->id); 2958168777Srwatson } else { 2959168777Srwatson print_delim(fp, del); 2960243750Srwatson print_user(fp, tok->tt.proc64_ex.auid, oflags); 2961168777Srwatson print_delim(fp, del); 2962243750Srwatson print_user(fp, tok->tt.proc64_ex.euid, oflags); 2963168777Srwatson print_delim(fp, del); 2964243750Srwatson print_group(fp, tok->tt.proc64_ex.egid, oflags); 2965168777Srwatson print_delim(fp, del); 2966243750Srwatson print_user(fp, tok->tt.proc64_ex.ruid, oflags); 2967168777Srwatson print_delim(fp, del); 2968243750Srwatson print_group(fp, tok->tt.proc64_ex.rgid, oflags); 2969168777Srwatson print_delim(fp, del); 2970168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2971168777Srwatson print_delim(fp, del); 2972168777Srwatson print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2973168777Srwatson print_delim(fp, del); 2974168777Srwatson print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2975168777Srwatson print_delim(fp, del); 2976168777Srwatson print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2977168777Srwatson tok->tt.proc64_ex.tid.addr); 2978168777Srwatson } 2979168777Srwatson} 2980168777Srwatson 2981168777Srwatson/* 2982155131Srwatson * errno 1 byte 2983155131Srwatson * return value 4 bytes 2984155131Srwatson */ 2985155131Srwatsonstatic int 2986168777Srwatsonfetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2987155131Srwatson{ 2988155131Srwatson int err = 0; 2989155131Srwatson 2990155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2991155131Srwatson if (err) 2992155131Srwatson return (-1); 2993155131Srwatson 2994155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2995155131Srwatson if (err) 2996155131Srwatson return (-1); 2997155131Srwatson 2998155131Srwatson return (0); 2999155131Srwatson} 3000155131Srwatson 3001155131Srwatsonstatic void 3002243750Srwatsonprint_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3003155131Srwatson{ 3004155131Srwatson 3005243750Srwatson print_tok_type(fp, tok->id, "return", oflags); 3006243750Srwatson if (oflags & AU_OFLAG_XML) { 3007168777Srwatson open_attr(fp ,"errval"); 3008243750Srwatson print_retval(fp, tok->tt.ret32.status, oflags); 3009168777Srwatson close_attr(fp); 3010168777Srwatson open_attr(fp, "retval"); 3011168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3012168777Srwatson close_attr(fp); 3013168777Srwatson close_tag(fp, tok->id); 3014168777Srwatson } else { 3015168777Srwatson print_delim(fp, del); 3016243750Srwatson print_retval(fp, tok->tt.ret32.status, oflags); 3017168777Srwatson print_delim(fp, del); 3018168777Srwatson print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 3019168777Srwatson } 3020155131Srwatson} 3021155131Srwatson 3022155131Srwatsonstatic int 3023168777Srwatsonfetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 3024155131Srwatson{ 3025155131Srwatson int err = 0; 3026155131Srwatson 3027155131Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3028155131Srwatson if (err) 3029155131Srwatson return (-1); 3030155131Srwatson 3031155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3032155131Srwatson if (err) 3033155131Srwatson return (-1); 3034155131Srwatson 3035155131Srwatson return (0); 3036155131Srwatson} 3037155131Srwatson 3038155131Srwatsonstatic void 3039243750Srwatsonprint_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3040155131Srwatson{ 3041155131Srwatson 3042243750Srwatson print_tok_type(fp, tok->id, "return", oflags); 3043243750Srwatson if (oflags & AU_OFLAG_XML) { 3044168777Srwatson open_attr(fp, "errval"); 3045243750Srwatson print_retval(fp, tok->tt.ret64.err, oflags); 3046168777Srwatson close_attr(fp); 3047168777Srwatson open_attr(fp, "retval"); 3048168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3049168777Srwatson close_attr(fp); 3050168777Srwatson close_tag(fp, tok->id); 3051168777Srwatson } else { 3052168777Srwatson print_delim(fp, del); 3053243750Srwatson print_retval(fp, tok->tt.ret64.err, oflags); 3054168777Srwatson print_delim(fp, del); 3055168777Srwatson print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3056168777Srwatson } 3057155131Srwatson} 3058155131Srwatson 3059155131Srwatson/* 3060155131Srwatson * seq 4 bytes 3061155131Srwatson */ 3062155131Srwatsonstatic int 3063168777Srwatsonfetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3064155131Srwatson{ 3065155131Srwatson int err = 0; 3066155131Srwatson 3067155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3068155131Srwatson if (err) 3069155131Srwatson return (-1); 3070155131Srwatson 3071155131Srwatson return (0); 3072155131Srwatson} 3073155131Srwatson 3074155131Srwatsonstatic void 3075243750Srwatsonprint_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3076155131Srwatson{ 3077155131Srwatson 3078243750Srwatson print_tok_type(fp, tok->id, "sequence", oflags); 3079243750Srwatson if (oflags & AU_OFLAG_XML) { 3080168777Srwatson open_attr(fp, "seq-num"); 3081168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3082168777Srwatson close_attr(fp); 3083168777Srwatson close_tag(fp, tok->id); 3084168777Srwatson } else { 3085168777Srwatson print_delim(fp, del); 3086168777Srwatson print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3087168777Srwatson } 3088155131Srwatson} 3089155131Srwatson 3090155131Srwatson/* 3091155131Srwatson * socket family 2 bytes 3092155131Srwatson * local port 2 bytes 3093155131Srwatson * socket address 4 bytes 3094155131Srwatson */ 3095155131Srwatsonstatic int 3096168777Srwatsonfetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3097155131Srwatson{ 3098155131Srwatson int err = 0; 3099155131Srwatson 3100191273Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3101155131Srwatson err); 3102155131Srwatson if (err) 3103155131Srwatson return (-1); 3104155131Srwatson 3105191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3106159248Srwatson sizeof(uint16_t), tok->len, err); 3107155131Srwatson if (err) 3108155131Srwatson return (-1); 3109155131Srwatson 3110191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3111191273Srwatson sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3112155131Srwatson if (err) 3113155131Srwatson return (-1); 3114155131Srwatson 3115155131Srwatson return (0); 3116155131Srwatson} 3117155131Srwatson 3118155131Srwatsonstatic void 3119243750Srwatsonprint_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3120155131Srwatson{ 3121155131Srwatson 3122243750Srwatson print_tok_type(fp, tok->id, "socket-inet", oflags); 3123243750Srwatson if (oflags & AU_OFLAG_XML) { 3124168777Srwatson open_attr(fp, "type"); 3125191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3126168777Srwatson close_attr(fp); 3127168777Srwatson open_attr(fp, "port"); 3128191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3129168777Srwatson close_attr(fp); 3130168777Srwatson open_attr(fp, "addr"); 3131191273Srwatson print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3132168777Srwatson close_attr(fp); 3133168777Srwatson close_tag(fp, tok->id); 3134168777Srwatson } else { 3135168777Srwatson print_delim(fp, del); 3136191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3137168777Srwatson print_delim(fp, del); 3138191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3139168777Srwatson print_delim(fp, del); 3140191273Srwatson print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3141168777Srwatson } 3142155131Srwatson} 3143155131Srwatson 3144155131Srwatson/* 3145191273Srwatson * socket family 2 bytes 3146191273Srwatson * local port 2 bytes 3147191273Srwatson * socket address 16 bytes 3148191273Srwatson */ 3149191273Srwatsonstatic int 3150191273Srwatsonfetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3151191273Srwatson{ 3152191273Srwatson int err = 0; 3153191273Srwatson 3154191273Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3155191273Srwatson err); 3156191273Srwatson if (err) 3157191273Srwatson return (-1); 3158191273Srwatson 3159191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3160191273Srwatson sizeof(uint16_t), tok->len, err); 3161191273Srwatson if (err) 3162191273Srwatson return (-1); 3163191273Srwatson 3164191273Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3165191273Srwatson sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3166191273Srwatson if (err) 3167191273Srwatson return (-1); 3168191273Srwatson 3169191273Srwatson return (0); 3170191273Srwatson} 3171191273Srwatson 3172191273Srwatsonstatic void 3173243750Srwatsonprint_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3174191273Srwatson{ 3175191273Srwatson 3176243750Srwatson print_tok_type(fp, tok->id, "socket-inet6", oflags); 3177243750Srwatson if (oflags & AU_OFLAG_XML) { 3178191273Srwatson open_attr(fp, "type"); 3179191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3180191273Srwatson close_attr(fp); 3181191273Srwatson open_attr(fp, "port"); 3182191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3183191273Srwatson close_attr(fp); 3184191273Srwatson open_attr(fp, "addr"); 3185191273Srwatson print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3186191273Srwatson close_attr(fp); 3187191273Srwatson close_tag(fp, tok->id); 3188191273Srwatson } else { 3189191273Srwatson print_delim(fp, del); 3190191273Srwatson print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3191191273Srwatson print_delim(fp, del); 3192191273Srwatson print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3193191273Srwatson print_delim(fp, del); 3194191273Srwatson print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3195191273Srwatson } 3196191273Srwatson} 3197191273Srwatson 3198191273Srwatson/* 3199155131Srwatson * socket family 2 bytes 3200195740Srwatson * path (up to) 104 bytes + NULL (NULL terminated string). 3201155131Srwatson */ 3202159248Srwatsonstatic int 3203168777Srwatsonfetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3204155131Srwatson{ 3205155131Srwatson int err = 0; 3206195740Srwatson u_char *p; 3207195740Srwatson int slen; 3208155131Srwatson 3209195740Srwatson 3210155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3211155131Srwatson if (err) 3212155131Srwatson return (-1); 3213155131Srwatson 3214195740Srwatson /* slen = strnlen((buf + tok->len), 104) + 1; */ 3215195740Srwatson p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104); 3216243750Srwatson slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1; 3217195740Srwatson 3218195740Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err); 3219155131Srwatson if (err) 3220155131Srwatson return (-1); 3221155131Srwatson 3222155131Srwatson return (0); 3223155131Srwatson} 3224155131Srwatson 3225155131Srwatsonstatic void 3226243750Srwatsonprint_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3227155131Srwatson{ 3228155131Srwatson 3229243750Srwatson print_tok_type(fp, tok->id, "socket-unix", oflags); 3230243750Srwatson if (oflags & AU_OFLAG_XML) { 3231168777Srwatson open_attr(fp, "type"); 3232168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3233168777Srwatson close_attr(fp); 3234168777Srwatson open_attr(fp, "port"); 3235168777Srwatson close_attr(fp); 3236168777Srwatson open_attr(fp, "addr"); 3237168777Srwatson print_string(fp, tok->tt.sockunix.path, 3238168777Srwatson strlen(tok->tt.sockunix.path)); 3239168777Srwatson close_attr(fp); 3240168777Srwatson close_tag(fp, tok->id); 3241168777Srwatson } else { 3242168777Srwatson print_delim(fp, del); 3243168777Srwatson print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3244168777Srwatson print_delim(fp, del); 3245168777Srwatson print_string(fp, tok->tt.sockunix.path, 3246168777Srwatson strlen(tok->tt.sockunix.path)); 3247168777Srwatson } 3248155131Srwatson} 3249155131Srwatson 3250155131Srwatson/* 3251155131Srwatson * socket type 2 bytes 3252155131Srwatson * local port 2 bytes 3253155131Srwatson * local address 4 bytes 3254155131Srwatson * remote port 2 bytes 3255155131Srwatson * remote address 4 bytes 3256155131Srwatson */ 3257159248Srwatsonstatic int 3258168777Srwatsonfetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3259155131Srwatson{ 3260155131Srwatson int err = 0; 3261155131Srwatson 3262155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3263155131Srwatson if (err) 3264155131Srwatson return (-1); 3265155131Srwatson 3266159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3267159248Srwatson tok->len, err); 3268155131Srwatson if (err) 3269155131Srwatson return (-1); 3270155131Srwatson 3271155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3272155131Srwatson sizeof(tok->tt.socket.l_addr), tok->len, err); 3273155131Srwatson if (err) 3274155131Srwatson return (-1); 3275155131Srwatson 3276159248Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3277159248Srwatson tok->len, err); 3278155131Srwatson if (err) 3279155131Srwatson return (-1); 3280155131Srwatson 3281155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3282155131Srwatson sizeof(tok->tt.socket.r_addr), tok->len, err); 3283155131Srwatson if (err) 3284155131Srwatson return (-1); 3285155131Srwatson 3286155131Srwatson return (0); 3287155131Srwatson} 3288155131Srwatson 3289155131Srwatsonstatic void 3290243750Srwatsonprint_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3291155131Srwatson{ 3292155131Srwatson 3293243750Srwatson print_tok_type(fp, tok->id, "socket", oflags); 3294243750Srwatson if (oflags & AU_OFLAG_XML) { 3295168777Srwatson open_attr(fp, "sock_type"); 3296168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3297168777Srwatson close_attr(fp); 3298168777Srwatson open_attr(fp, "lport"); 3299168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3300168777Srwatson close_attr(fp); 3301168777Srwatson open_attr(fp, "laddr"); 3302168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3303168777Srwatson close_attr(fp); 3304168777Srwatson open_attr(fp, "fport"); 3305168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3306168777Srwatson close_attr(fp); 3307168777Srwatson open_attr(fp, "faddr"); 3308168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3309168777Srwatson close_attr(fp); 3310168777Srwatson close_tag(fp, tok->id); 3311168777Srwatson } else { 3312168777Srwatson print_delim(fp, del); 3313168777Srwatson print_2_bytes(fp, tok->tt.socket.type, "%u"); 3314168777Srwatson print_delim(fp, del); 3315168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3316168777Srwatson print_delim(fp, del); 3317168777Srwatson print_ip_address(fp, tok->tt.socket.l_addr); 3318168777Srwatson print_delim(fp, del); 3319168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3320168777Srwatson print_delim(fp, del); 3321168777Srwatson print_ip_address(fp, tok->tt.socket.r_addr); 3322168777Srwatson } 3323155131Srwatson} 3324155131Srwatson 3325155131Srwatson/* 3326155131Srwatson * audit ID 4 bytes 3327155131Srwatson * euid 4 bytes 3328155131Srwatson * egid 4 bytes 3329155131Srwatson * ruid 4 bytes 3330155131Srwatson * rgid 4 bytes 3331155131Srwatson * pid 4 bytes 3332155131Srwatson * sessid 4 bytes 3333155131Srwatson * terminal ID 3334155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3335155131Srwatson * machine id 4 bytes 3336155131Srwatson */ 3337155131Srwatsonstatic int 3338168777Srwatsonfetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3339155131Srwatson{ 3340155131Srwatson int err = 0; 3341155131Srwatson 3342155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3343155131Srwatson if (err) 3344155131Srwatson return (-1); 3345155131Srwatson 3346155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3347155131Srwatson if (err) 3348155131Srwatson return (-1); 3349155131Srwatson 3350155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3351155131Srwatson if (err) 3352155131Srwatson return (-1); 3353155131Srwatson 3354155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3355155131Srwatson if (err) 3356155131Srwatson return (-1); 3357155131Srwatson 3358155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3359155131Srwatson if (err) 3360155131Srwatson return (-1); 3361155131Srwatson 3362155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3363155131Srwatson if (err) 3364155131Srwatson return (-1); 3365155131Srwatson 3366155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3367155131Srwatson if (err) 3368155131Srwatson return (-1); 3369155131Srwatson 3370155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3371155131Srwatson if (err) 3372155131Srwatson return (-1); 3373155131Srwatson 3374155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3375155131Srwatson sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3376155131Srwatson if (err) 3377155131Srwatson return (-1); 3378155131Srwatson 3379155131Srwatson return (0); 3380155131Srwatson} 3381155131Srwatson 3382155131Srwatsonstatic void 3383243750Srwatsonprint_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3384155131Srwatson{ 3385155131Srwatson 3386243750Srwatson print_tok_type(fp, tok->id, "subject", oflags); 3387243750Srwatson if (oflags & AU_OFLAG_XML) { 3388168777Srwatson open_attr(fp, "audit-uid"); 3389243750Srwatson print_user(fp, tok->tt.subj32.auid, oflags); 3390168777Srwatson close_attr(fp); 3391168777Srwatson open_attr(fp, "uid"); 3392243750Srwatson print_user(fp, tok->tt.subj32.euid, oflags); 3393168777Srwatson close_attr(fp); 3394168777Srwatson open_attr(fp, "gid"); 3395243750Srwatson print_group(fp, tok->tt.subj32.egid, oflags); 3396168777Srwatson close_attr(fp); 3397168777Srwatson open_attr(fp, "ruid"); 3398243750Srwatson print_user(fp, tok->tt.subj32.ruid, oflags); 3399168777Srwatson close_attr(fp); 3400168777Srwatson open_attr(fp, "rgid"); 3401243750Srwatson print_group(fp, tok->tt.subj32.rgid, oflags); 3402168777Srwatson close_attr(fp); 3403168777Srwatson open_attr(fp,"pid"); 3404168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3405168777Srwatson close_attr(fp); 3406168777Srwatson open_attr(fp,"sid"); 3407168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3408168777Srwatson close_attr(fp); 3409168777Srwatson open_attr(fp,"tid"); 3410168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3411168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3412168777Srwatson close_attr(fp); 3413168777Srwatson close_tag(fp, tok->id); 3414168777Srwatson } else { 3415168777Srwatson print_delim(fp, del); 3416243750Srwatson print_user(fp, tok->tt.subj32.auid, oflags); 3417168777Srwatson print_delim(fp, del); 3418243750Srwatson print_user(fp, tok->tt.subj32.euid, oflags); 3419168777Srwatson print_delim(fp, del); 3420243750Srwatson print_group(fp, tok->tt.subj32.egid, oflags); 3421168777Srwatson print_delim(fp, del); 3422243750Srwatson print_user(fp, tok->tt.subj32.ruid, oflags); 3423168777Srwatson print_delim(fp, del); 3424243750Srwatson print_group(fp, tok->tt.subj32.rgid, oflags); 3425168777Srwatson print_delim(fp, del); 3426168777Srwatson print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3427168777Srwatson print_delim(fp, del); 3428168777Srwatson print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3429168777Srwatson print_delim(fp, del); 3430168777Srwatson print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3431168777Srwatson print_delim(fp, del); 3432168777Srwatson print_ip_address(fp, tok->tt.subj32.tid.addr); 3433168777Srwatson } 3434155131Srwatson} 3435155131Srwatson 3436243750Srwatsonstatic void 3437243750Srwatsonprint_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3438243750Srwatson{ 3439243750Srwatson 3440243750Srwatson print_tok_type(fp, tok->id, "use of privilege", oflags); 3441243750Srwatson if (oflags & AU_OFLAG_XML) { 3442243750Srwatson open_attr(fp, "status"); 3443243750Srwatson if (tok->tt.priv.sorf) 3444243750Srwatson (void) fprintf(fp, "successful use of priv"); 3445243750Srwatson else 3446243750Srwatson (void) fprintf(fp, "failed use of priv"); 3447243750Srwatson close_attr(fp); 3448243750Srwatson open_attr(fp, "name"); 3449243750Srwatson print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3450243750Srwatson close_attr(fp); 3451243750Srwatson close_tag(fp, tok->id); 3452243750Srwatson } else { 3453243750Srwatson print_delim(fp, del); 3454243750Srwatson if (tok->tt.priv.sorf) 3455243750Srwatson (void) fprintf(fp, "successful use of priv"); 3456243750Srwatson else 3457243750Srwatson (void) fprintf(fp, "failed use of priv"); 3458243750Srwatson print_delim(fp, del); 3459243750Srwatson print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen); 3460243750Srwatson } 3461243750Srwatson} 3462243750Srwatson 3463155131Srwatson/* 3464243750Srwatson * status 1 byte 3465243750Srwatson * privstrlen 2 bytes 3466243750Srwatson * priv N bytes + 1 (\0 byte) 3467243750Srwatson */ 3468243750Srwatsonstatic int 3469243750Srwatsonfetch_priv_tok(tokenstr_t *tok, u_char *buf, int len) 3470243750Srwatson{ 3471243750Srwatson int err = 0; 3472243750Srwatson 3473243750Srwatson READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err); 3474243750Srwatson if (err) 3475243750Srwatson return (-1); 3476243750Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err); 3477243750Srwatson if (err) 3478243750Srwatson return (-1); 3479243750Srwatson SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen, 3480243750Srwatson tok->len, err); 3481243750Srwatson if (err) 3482243750Srwatson return (-1); 3483243750Srwatson return (0); 3484243750Srwatson} 3485243750Srwatson 3486243750Srwatson/* 3487243750Srwatson * privtstrlen 1 byte 3488243750Srwatson * privtstr N bytes + 1 3489243750Srwatson * privstrlen 1 byte 3490243750Srwatson * privstr N bytes + 1 3491243750Srwatson */ 3492243750Srwatsonstatic int 3493243750Srwatsonfetch_privset_tok(tokenstr_t *tok, u_char *buf, int len) 3494243750Srwatson{ 3495243750Srwatson int err = 0; 3496243750Srwatson 3497243750Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen, 3498243750Srwatson tok->len, err); 3499243750Srwatson if (err) 3500243750Srwatson return (-1); 3501243750Srwatson SET_PTR((char *)buf, len, tok->tt.privset.privtstr, 3502243750Srwatson tok->tt.privset.privtstrlen, tok->len, err); 3503243750Srwatson if (err) 3504243750Srwatson return (-1); 3505243750Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen, 3506243750Srwatson tok->len, err); 3507243750Srwatson if (err) 3508243750Srwatson return (-1); 3509243750Srwatson SET_PTR((char *)buf, len, tok->tt.privset.privstr, 3510243750Srwatson tok->tt.privset.privstrlen, tok->len, err); 3511243750Srwatson if (err) 3512243750Srwatson return (-1); 3513243750Srwatson return (0); 3514243750Srwatson} 3515243750Srwatson 3516243750Srwatsonstatic void 3517243750Srwatsonprint_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3518243750Srwatson{ 3519243750Srwatson 3520243750Srwatson print_tok_type(fp, tok->id, "privilege", oflags); 3521243750Srwatson if (oflags & AU_OFLAG_XML) { 3522243750Srwatson open_attr(fp, "type"); 3523243750Srwatson print_string(fp, tok->tt.privset.privtstr, 3524243750Srwatson tok->tt.privset.privtstrlen); 3525243750Srwatson close_attr(fp); 3526243750Srwatson open_attr(fp, "priv"); 3527243750Srwatson print_string(fp, tok->tt.privset.privstr, 3528243750Srwatson tok->tt.privset.privstrlen); 3529243750Srwatson close_attr(fp); 3530243750Srwatson } else { 3531243750Srwatson print_delim(fp, del); 3532243750Srwatson print_string(fp, tok->tt.privset.privtstr, 3533243750Srwatson tok->tt.privset.privtstrlen); 3534243750Srwatson print_delim(fp, del); 3535243750Srwatson print_string(fp, tok->tt.privset.privstr, 3536243750Srwatson tok->tt.privset.privstrlen); 3537243750Srwatson } 3538243750Srwatson} 3539243750Srwatson 3540243750Srwatson/* 3541155131Srwatson * audit ID 4 bytes 3542155131Srwatson * euid 4 bytes 3543155131Srwatson * egid 4 bytes 3544155131Srwatson * ruid 4 bytes 3545155131Srwatson * rgid 4 bytes 3546155131Srwatson * pid 4 bytes 3547155131Srwatson * sessid 4 bytes 3548155131Srwatson * terminal ID 3549155131Srwatson * portid 4 bytes/8 bytes (32-bit/64-bit value) 3550155131Srwatson * machine id 4 bytes 3551155131Srwatson */ 3552155131Srwatsonstatic int 3553168777Srwatsonfetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3554155131Srwatson{ 3555155131Srwatson int err = 0; 3556155131Srwatson 3557155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3558155131Srwatson if (err) 3559155131Srwatson return (-1); 3560155131Srwatson 3561155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3562155131Srwatson if (err) 3563155131Srwatson return (-1); 3564155131Srwatson 3565155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3566155131Srwatson if (err) 3567155131Srwatson return (-1); 3568155131Srwatson 3569155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3570155131Srwatson if (err) 3571155131Srwatson return (-1); 3572155131Srwatson 3573155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3574155131Srwatson if (err) 3575155131Srwatson return (-1); 3576155131Srwatson 3577155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3578155131Srwatson if (err) 3579155131Srwatson return (-1); 3580155131Srwatson 3581155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3582155131Srwatson if (err) 3583155131Srwatson return (-1); 3584155131Srwatson 3585155131Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3586155131Srwatson if (err) 3587155131Srwatson return (-1); 3588155131Srwatson 3589155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3590155131Srwatson sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3591155131Srwatson if (err) 3592155131Srwatson return (-1); 3593155131Srwatson 3594155131Srwatson return (0); 3595155131Srwatson} 3596155131Srwatson 3597155131Srwatsonstatic void 3598243750Srwatsonprint_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3599155131Srwatson{ 3600155131Srwatson 3601243750Srwatson print_tok_type(fp, tok->id, "subject", oflags); 3602243750Srwatson if (oflags & AU_OFLAG_XML) { 3603168777Srwatson open_attr(fp, "audit-uid"); 3604243750Srwatson print_user(fp, tok->tt.subj64.auid, oflags); 3605168777Srwatson close_attr(fp); 3606168777Srwatson open_attr(fp, "uid"); 3607243750Srwatson print_user(fp, tok->tt.subj64.euid, oflags); 3608168777Srwatson close_attr(fp); 3609168777Srwatson open_attr(fp, "gid"); 3610243750Srwatson print_group(fp, tok->tt.subj64.egid, oflags); 3611168777Srwatson close_attr(fp); 3612168777Srwatson open_attr(fp, "ruid"); 3613243750Srwatson print_user(fp, tok->tt.subj64.ruid, oflags); 3614168777Srwatson close_attr(fp); 3615168777Srwatson open_attr(fp, "rgid"); 3616243750Srwatson print_group(fp, tok->tt.subj64.rgid, oflags); 3617168777Srwatson close_attr(fp); 3618168777Srwatson open_attr(fp, "pid"); 3619168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3620168777Srwatson close_attr(fp); 3621168777Srwatson open_attr(fp, "sid"); 3622168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3623168777Srwatson close_attr(fp); 3624168777Srwatson open_attr(fp, "tid"); 3625168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3626168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3627168777Srwatson close_attr(fp); 3628168777Srwatson close_tag(fp, tok->id); 3629168777Srwatson } else { 3630168777Srwatson print_delim(fp, del); 3631243750Srwatson print_user(fp, tok->tt.subj64.auid, oflags); 3632168777Srwatson print_delim(fp, del); 3633243750Srwatson print_user(fp, tok->tt.subj64.euid, oflags); 3634168777Srwatson print_delim(fp, del); 3635243750Srwatson print_group(fp, tok->tt.subj64.egid, oflags); 3636168777Srwatson print_delim(fp, del); 3637243750Srwatson print_user(fp, tok->tt.subj64.ruid, oflags); 3638168777Srwatson print_delim(fp, del); 3639243750Srwatson print_group(fp, tok->tt.subj64.rgid, oflags); 3640168777Srwatson print_delim(fp, del); 3641168777Srwatson print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3642168777Srwatson print_delim(fp, del); 3643168777Srwatson print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3644168777Srwatson print_delim(fp, del); 3645168777Srwatson print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3646168777Srwatson print_delim(fp, del); 3647168777Srwatson print_ip_address(fp, tok->tt.subj64.tid.addr); 3648168777Srwatson } 3649155131Srwatson} 3650155131Srwatson 3651155131Srwatson/* 3652155131Srwatson * audit ID 4 bytes 3653155131Srwatson * euid 4 bytes 3654155131Srwatson * egid 4 bytes 3655155131Srwatson * ruid 4 bytes 3656155131Srwatson * rgid 4 bytes 3657155131Srwatson * pid 4 bytes 3658155131Srwatson * sessid 4 bytes 3659155131Srwatson * terminal ID 3660155131Srwatson * portid 4 bytes 3661155131Srwatson * type 4 bytes 3662155131Srwatson * machine id 16 bytes 3663155131Srwatson */ 3664155131Srwatsonstatic int 3665168777Srwatsonfetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3666155131Srwatson{ 3667155131Srwatson int err = 0; 3668155131Srwatson 3669155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3670155131Srwatson if (err) 3671155131Srwatson return (-1); 3672155131Srwatson 3673155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3674155131Srwatson if (err) 3675155131Srwatson return (-1); 3676155131Srwatson 3677155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3678155131Srwatson if (err) 3679155131Srwatson return (-1); 3680155131Srwatson 3681155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3682155131Srwatson if (err) 3683155131Srwatson return (-1); 3684155131Srwatson 3685155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3686155131Srwatson if (err) 3687155131Srwatson return (-1); 3688155131Srwatson 3689155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3690155131Srwatson if (err) 3691155131Srwatson return (-1); 3692155131Srwatson 3693155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3694155131Srwatson if (err) 3695155131Srwatson return (-1); 3696155131Srwatson 3697155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3698155131Srwatson err); 3699155131Srwatson if (err) 3700155131Srwatson return (-1); 3701155131Srwatson 3702155131Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3703155131Srwatson err); 3704155131Srwatson if (err) 3705155131Srwatson return (-1); 3706155131Srwatson 3707155131Srwatson if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3708155131Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3709155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3710155131Srwatson if (err) 3711155131Srwatson return (-1); 3712155131Srwatson } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3713155131Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3714155131Srwatson sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3715155131Srwatson if (err) 3716155131Srwatson return (-1); 3717155131Srwatson } else 3718155131Srwatson return (-1); 3719155131Srwatson 3720155131Srwatson return (0); 3721155131Srwatson} 3722155131Srwatson 3723155131Srwatsonstatic void 3724243750Srwatsonprint_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3725155131Srwatson{ 3726155131Srwatson 3727243750Srwatson print_tok_type(fp, tok->id, "subject_ex", oflags); 3728243750Srwatson if (oflags & AU_OFLAG_XML) { 3729168777Srwatson open_attr(fp, "audit-uid"); 3730243750Srwatson print_user(fp, tok->tt.subj32_ex.auid, oflags); 3731168777Srwatson close_attr(fp); 3732168777Srwatson open_attr(fp, "uid"); 3733243750Srwatson print_user(fp, tok->tt.subj32_ex.euid, oflags); 3734168777Srwatson close_attr(fp); 3735168777Srwatson open_attr(fp, "gid"); 3736243750Srwatson print_group(fp, tok->tt.subj32_ex.egid, oflags); 3737168777Srwatson close_attr(fp); 3738168777Srwatson open_attr(fp, "ruid"); 3739243750Srwatson print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3740168777Srwatson close_attr(fp); 3741168777Srwatson open_attr(fp, "rgid"); 3742243750Srwatson print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3743168777Srwatson close_attr(fp); 3744168777Srwatson open_attr(fp, "pid"); 3745168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3746168777Srwatson close_attr(fp); 3747168777Srwatson open_attr(fp, "sid"); 3748168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3749168777Srwatson close_attr(fp); 3750168777Srwatson open_attr(fp, "tid"); 3751168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3752168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3753168777Srwatson tok->tt.subj32_ex.tid.addr); 3754168777Srwatson close_attr(fp); 3755168777Srwatson close_tag(fp, tok->id); 3756168777Srwatson } else { 3757168777Srwatson print_delim(fp, del); 3758243750Srwatson print_user(fp, tok->tt.subj32_ex.auid, oflags); 3759168777Srwatson print_delim(fp, del); 3760243750Srwatson print_user(fp, tok->tt.subj32_ex.euid, oflags); 3761168777Srwatson print_delim(fp, del); 3762243750Srwatson print_group(fp, tok->tt.subj32_ex.egid, oflags); 3763168777Srwatson print_delim(fp, del); 3764243750Srwatson print_user(fp, tok->tt.subj32_ex.ruid, oflags); 3765168777Srwatson print_delim(fp, del); 3766243750Srwatson print_group(fp, tok->tt.subj32_ex.rgid, oflags); 3767168777Srwatson print_delim(fp, del); 3768168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3769168777Srwatson print_delim(fp, del); 3770168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3771168777Srwatson print_delim(fp, del); 3772168777Srwatson print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3773168777Srwatson print_delim(fp, del); 3774168777Srwatson print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3775168777Srwatson tok->tt.subj32_ex.tid.addr); 3776168777Srwatson } 3777155131Srwatson} 3778155131Srwatson 3779155131Srwatson/* 3780168777Srwatson * audit ID 4 bytes 3781168777Srwatson * euid 4 bytes 3782168777Srwatson * egid 4 bytes 3783168777Srwatson * ruid 4 bytes 3784168777Srwatson * rgid 4 bytes 3785168777Srwatson * pid 4 bytes 3786168777Srwatson * sessid 4 bytes 3787168777Srwatson * terminal ID 3788168777Srwatson * portid 8 bytes 3789168777Srwatson * type 4 bytes 3790168777Srwatson * machine id 16 bytes 3791168777Srwatson */ 3792168777Srwatsonstatic int 3793168777Srwatsonfetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3794168777Srwatson{ 3795168777Srwatson int err = 0; 3796168777Srwatson 3797168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3798168777Srwatson if (err) 3799168777Srwatson return (-1); 3800168777Srwatson 3801168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3802168777Srwatson if (err) 3803168777Srwatson return (-1); 3804168777Srwatson 3805168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3806168777Srwatson if (err) 3807168777Srwatson return (-1); 3808168777Srwatson 3809168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3810168777Srwatson if (err) 3811168777Srwatson return (-1); 3812168777Srwatson 3813168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3814168777Srwatson if (err) 3815168777Srwatson return (-1); 3816168777Srwatson 3817168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3818168777Srwatson if (err) 3819168777Srwatson return (-1); 3820168777Srwatson 3821168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3822168777Srwatson if (err) 3823168777Srwatson return (-1); 3824168777Srwatson 3825168777Srwatson READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3826168777Srwatson err); 3827168777Srwatson if (err) 3828168777Srwatson return (-1); 3829168777Srwatson 3830168777Srwatson READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3831168777Srwatson err); 3832168777Srwatson if (err) 3833168777Srwatson return (-1); 3834168777Srwatson 3835168777Srwatson if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3836168777Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3837168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3838168777Srwatson if (err) 3839168777Srwatson return (-1); 3840168777Srwatson } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3841168777Srwatson READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3842168777Srwatson sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3843168777Srwatson if (err) 3844168777Srwatson return (-1); 3845168777Srwatson } else 3846168777Srwatson return (-1); 3847168777Srwatson 3848168777Srwatson return (0); 3849168777Srwatson} 3850168777Srwatson 3851168777Srwatsonstatic void 3852243750Srwatsonprint_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3853168777Srwatson{ 3854243750Srwatson print_tok_type(fp, tok->id, "subject_ex", oflags); 3855243750Srwatson if (oflags & AU_OFLAG_XML) { 3856168777Srwatson open_attr(fp, "audit-uid"); 3857243750Srwatson print_user(fp, tok->tt.subj64_ex.auid, oflags); 3858168777Srwatson close_attr(fp); 3859168777Srwatson open_attr(fp, "uid"); 3860243750Srwatson print_user(fp, tok->tt.subj64_ex.euid, oflags); 3861168777Srwatson close_attr(fp); 3862168777Srwatson open_attr(fp, "gid"); 3863243750Srwatson print_group(fp, tok->tt.subj64_ex.egid, oflags); 3864168777Srwatson close_attr(fp); 3865168777Srwatson open_attr(fp, "ruid"); 3866243750Srwatson print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3867168777Srwatson close_attr(fp); 3868168777Srwatson open_attr(fp, "rgid"); 3869243750Srwatson print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3870168777Srwatson close_attr(fp); 3871168777Srwatson open_attr(fp, "pid"); 3872168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3873168777Srwatson close_attr(fp); 3874168777Srwatson open_attr(fp, "sid"); 3875168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3876168777Srwatson close_attr(fp); 3877168777Srwatson open_attr(fp, "tid"); 3878168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3879168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3880168777Srwatson tok->tt.subj64_ex.tid.addr); 3881168777Srwatson close_attr(fp); 3882168777Srwatson close_tag(fp, tok->id); 3883168777Srwatson } else { 3884168777Srwatson print_delim(fp, del); 3885243750Srwatson print_user(fp, tok->tt.subj64_ex.auid, oflags); 3886168777Srwatson print_delim(fp, del); 3887243750Srwatson print_user(fp, tok->tt.subj64_ex.euid, oflags); 3888168777Srwatson print_delim(fp, del); 3889243750Srwatson print_group(fp, tok->tt.subj64_ex.egid, oflags); 3890168777Srwatson print_delim(fp, del); 3891243750Srwatson print_user(fp, tok->tt.subj64_ex.ruid, oflags); 3892168777Srwatson print_delim(fp, del); 3893243750Srwatson print_group(fp, tok->tt.subj64_ex.rgid, oflags); 3894168777Srwatson print_delim(fp, del); 3895168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3896168777Srwatson print_delim(fp, del); 3897168777Srwatson print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3898168777Srwatson print_delim(fp, del); 3899168777Srwatson print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3900168777Srwatson print_delim(fp, del); 3901168777Srwatson print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3902168777Srwatson tok->tt.subj64_ex.tid.addr); 3903168777Srwatson } 3904168777Srwatson} 3905168777Srwatson 3906168777Srwatson/* 3907155131Srwatson * size 2 bytes 3908155131Srwatson * data size bytes 3909155131Srwatson */ 3910155131Srwatsonstatic int 3911168777Srwatsonfetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3912155131Srwatson{ 3913155131Srwatson int err = 0; 3914155131Srwatson 3915155131Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3916155131Srwatson if (err) 3917155131Srwatson return (-1); 3918155131Srwatson 3919168777Srwatson SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3920155131Srwatson err); 3921155131Srwatson if (err) 3922155131Srwatson return (-1); 3923155131Srwatson 3924155131Srwatson return (0); 3925155131Srwatson} 3926155131Srwatson 3927155131Srwatsonstatic void 3928243750Srwatsonprint_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 3929155131Srwatson{ 3930155131Srwatson 3931243750Srwatson print_tok_type(fp, tok->id, "text", oflags); 3932243750Srwatson if (oflags & AU_OFLAG_XML) { 3933168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3934168777Srwatson close_tag(fp, tok->id); 3935168777Srwatson } else { 3936168777Srwatson print_delim(fp, del); 3937168777Srwatson print_string(fp, tok->tt.text.text, tok->tt.text.len); 3938168777Srwatson } 3939155131Srwatson} 3940155131Srwatson 3941155131Srwatson/* 3942186647Srwatson * socket domain 2 bytes 3943155131Srwatson * socket type 2 bytes 3944186647Srwatson * address type 2 bytes 3945155131Srwatson * local port 2 bytes 3946186647Srwatson * local Internet address 4/16 bytes 3947186647Srwatson * remote port 2 bytes 3948186647Srwatson * remote Internet address 4/16 bytes 3949155131Srwatson */ 3950155131Srwatsonstatic int 3951168777Srwatsonfetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3952155131Srwatson{ 3953155131Srwatson int err = 0; 3954155131Srwatson 3955186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3956155131Srwatson err); 3957155131Srwatson if (err) 3958155131Srwatson return (-1); 3959155131Srwatson 3960186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3961186647Srwatson err); 3962155131Srwatson if (err) 3963155131Srwatson return (-1); 3964155131Srwatson 3965186647Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3966155131Srwatson err); 3967155131Srwatson if (err) 3968155131Srwatson return (-1); 3969155131Srwatson 3970186647Srwatson if (tok->tt.socket_ex32.atype != AU_IPv4 && 3971186647Srwatson tok->tt.socket_ex32.atype != AU_IPv6) 3972155131Srwatson return (-1); 3973155131Srwatson 3974186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3975159248Srwatson sizeof(uint16_t), tok->len, err); 3976155131Srwatson if (err) 3977155131Srwatson return (-1); 3978155131Srwatson 3979186647Srwatson if (tok->tt.socket_ex32.atype == AU_IPv4) { 3980186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3981186647Srwatson sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3982186647Srwatson if (err) 3983186647Srwatson return (-1); 3984186647Srwatson } else { 3985186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3986186647Srwatson sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3987186647Srwatson if (err) 3988186647Srwatson return (-1); 3989186647Srwatson } 3990155131Srwatson 3991186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3992186647Srwatson sizeof(uint16_t), tok->len, err); 3993155131Srwatson if (err) 3994155131Srwatson return (-1); 3995155131Srwatson 3996186647Srwatson if (tok->tt.socket_ex32.atype == AU_IPv4) { 3997186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3998186647Srwatson sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3999186647Srwatson if (err) 4000186647Srwatson return (-1); 4001186647Srwatson } else { 4002186647Srwatson READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 4003186647Srwatson sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 4004186647Srwatson if (err) 4005186647Srwatson return (-1); 4006186647Srwatson } 4007186647Srwatson 4008155131Srwatson return (0); 4009155131Srwatson} 4010155131Srwatson 4011155131Srwatsonstatic void 4012243750Srwatsonprint_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4013155131Srwatson{ 4014155131Srwatson 4015187214Srwatson /* 4016187214Srwatson * This print routine prints BSM constant space domains and socket 4017187214Srwatson * types rather than converting them. If we add string printers for 4018187214Srwatson * these constants in the future, we may want to call conversion 4019187214Srwatson * routines. 4020187214Srwatson */ 4021243750Srwatson print_tok_type(fp, tok->id, "socket", oflags); 4022243750Srwatson if (oflags & AU_OFLAG_XML) { 4023186647Srwatson open_attr(fp, "sock_dom"); 4024186647Srwatson print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4025186647Srwatson close_attr(fp); 4026168777Srwatson open_attr(fp, "sock_type"); 4027168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4028168777Srwatson close_attr(fp); 4029168777Srwatson open_attr(fp, "lport"); 4030168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4031168777Srwatson close_attr(fp); 4032168777Srwatson open_attr(fp, "laddr"); 4033186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4034186647Srwatson tok->tt.socket_ex32.l_addr); 4035168777Srwatson close_attr(fp); 4036168777Srwatson open_attr(fp, "faddr"); 4037186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4038186647Srwatson tok->tt.socket_ex32.r_addr); 4039168777Srwatson close_attr(fp); 4040168777Srwatson open_attr(fp, "fport"); 4041185573Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4042168777Srwatson close_attr(fp); 4043168777Srwatson close_tag(fp, tok->id); 4044168777Srwatson } else { 4045168777Srwatson print_delim(fp, del); 4046186647Srwatson print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 4047186647Srwatson print_delim(fp, del); 4048168777Srwatson print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 4049168777Srwatson print_delim(fp, del); 4050168777Srwatson print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 4051168777Srwatson print_delim(fp, del); 4052186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4053186647Srwatson tok->tt.socket_ex32.l_addr); 4054168777Srwatson print_delim(fp, del); 4055168777Srwatson print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 4056168777Srwatson print_delim(fp, del); 4057186647Srwatson print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 4058186647Srwatson tok->tt.socket_ex32.r_addr); 4059168777Srwatson } 4060155131Srwatson} 4061155131Srwatson 4062155131Srwatsonstatic int 4063168777Srwatsonfetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 4064155131Srwatson{ 4065155131Srwatson int err = 0; 4066155131Srwatson int recoversize; 4067155131Srwatson 4068161630Srwatson recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 4069155131Srwatson if (recoversize <= 0) 4070155131Srwatson return (-1); 4071155131Srwatson 4072155131Srwatson tok->tt.invalid.length = recoversize; 4073155131Srwatson 4074168777Srwatson SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 4075168777Srwatson err); 4076155131Srwatson if (err) 4077155131Srwatson return (-1); 4078155131Srwatson 4079155131Srwatson return (0); 4080155131Srwatson} 4081155131Srwatson 4082155131Srwatsonstatic void 4083243750Srwatsonprint_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4084155131Srwatson{ 4085155131Srwatson 4086243750Srwatson if (!(oflags & AU_OFLAG_XML)) { 4087243750Srwatson print_tok_type(fp, tok->id, "unknown", oflags); 4088168777Srwatson print_delim(fp, del); 4089168777Srwatson print_mem(fp, (u_char*)tok->tt.invalid.data, 4090168777Srwatson tok->tt.invalid.length); 4091168777Srwatson } 4092155131Srwatson} 4093155131Srwatson 4094155131Srwatson 4095155131Srwatson/* 4096168777Srwatson * size 2 bytes; 4097168777Srwatson * zonename size bytes; 4098168777Srwatson */ 4099168777Srwatsonstatic int 4100173143Srwatsonfetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 4101168777Srwatson{ 4102168777Srwatson int err = 0; 4103168777Srwatson 4104168777Srwatson READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 4105168777Srwatson if (err) 4106168777Srwatson return (-1); 4107173143Srwatson SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 4108168777Srwatson tok->len, err); 4109168777Srwatson if (err) 4110168777Srwatson return (-1); 4111168777Srwatson return (0); 4112168777Srwatson} 4113168777Srwatson 4114168777Srwatsonstatic void 4115243750Srwatsonprint_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags) 4116168777Srwatson{ 4117168777Srwatson 4118243750Srwatson print_tok_type(fp, tok->id, "zone", oflags); 4119243750Srwatson if (oflags & AU_OFLAG_XML) { 4120168777Srwatson open_attr(fp, "name"); 4121168777Srwatson print_string(fp, tok->tt.zonename.zonename, 4122168777Srwatson tok->tt.zonename.len); 4123168777Srwatson close_attr(fp); 4124168777Srwatson close_tag(fp, tok->id); 4125168777Srwatson } else { 4126168777Srwatson print_delim(fp, del); 4127168777Srwatson print_string(fp, tok->tt.zonename.zonename, 4128168777Srwatson tok->tt.zonename.len); 4129168777Srwatson } 4130168777Srwatson} 4131168777Srwatson 4132168777Srwatson/* 4133155131Srwatson * Reads the token beginning at buf into tok. 4134155131Srwatson */ 4135155131Srwatsonint 4136155131Srwatsonau_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4137155131Srwatson{ 4138155131Srwatson 4139155131Srwatson if (len <= 0) 4140155131Srwatson return (-1); 4141155131Srwatson 4142155131Srwatson tok->len = 1; 4143155131Srwatson tok->data = buf; 4144155131Srwatson tok->id = *buf; 4145155131Srwatson 4146155131Srwatson switch(tok->id) { 4147155131Srwatson case AUT_HEADER32: 4148155131Srwatson return (fetch_header32_tok(tok, buf, len)); 4149155131Srwatson 4150155131Srwatson case AUT_HEADER32_EX: 4151155131Srwatson return (fetch_header32_ex_tok(tok, buf, len)); 4152155131Srwatson 4153155131Srwatson case AUT_HEADER64: 4154155131Srwatson return (fetch_header64_tok(tok, buf, len)); 4155155131Srwatson 4156155131Srwatson case AUT_HEADER64_EX: 4157155131Srwatson return (fetch_header64_ex_tok(tok, buf, len)); 4158155131Srwatson 4159155131Srwatson case AUT_TRAILER: 4160155131Srwatson return (fetch_trailer_tok(tok, buf, len)); 4161155131Srwatson 4162155131Srwatson case AUT_ARG32: 4163155131Srwatson return (fetch_arg32_tok(tok, buf, len)); 4164155131Srwatson 4165155131Srwatson case AUT_ARG64: 4166155131Srwatson return (fetch_arg64_tok(tok, buf, len)); 4167155131Srwatson 4168155131Srwatson case AUT_ATTR32: 4169155131Srwatson return (fetch_attr32_tok(tok, buf, len)); 4170155131Srwatson 4171155131Srwatson case AUT_ATTR64: 4172155131Srwatson return (fetch_attr64_tok(tok, buf, len)); 4173155131Srwatson 4174155131Srwatson case AUT_EXIT: 4175155131Srwatson return (fetch_exit_tok(tok, buf, len)); 4176155131Srwatson 4177155131Srwatson case AUT_EXEC_ARGS: 4178155131Srwatson return (fetch_execarg_tok(tok, buf, len)); 4179155131Srwatson 4180155131Srwatson case AUT_EXEC_ENV: 4181155131Srwatson return (fetch_execenv_tok(tok, buf, len)); 4182155131Srwatson 4183155131Srwatson case AUT_OTHER_FILE32: 4184155131Srwatson return (fetch_file_tok(tok, buf, len)); 4185155131Srwatson 4186155131Srwatson case AUT_NEWGROUPS: 4187155131Srwatson return (fetch_newgroups_tok(tok, buf, len)); 4188155131Srwatson 4189155131Srwatson case AUT_IN_ADDR: 4190155131Srwatson return (fetch_inaddr_tok(tok, buf, len)); 4191155131Srwatson 4192155131Srwatson case AUT_IN_ADDR_EX: 4193155131Srwatson return (fetch_inaddr_ex_tok(tok, buf, len)); 4194155131Srwatson 4195155131Srwatson case AUT_IP: 4196155131Srwatson return (fetch_ip_tok(tok, buf, len)); 4197155131Srwatson 4198155131Srwatson case AUT_IPC: 4199155131Srwatson return (fetch_ipc_tok(tok, buf, len)); 4200155131Srwatson 4201155131Srwatson case AUT_IPC_PERM: 4202155131Srwatson return (fetch_ipcperm_tok(tok, buf, len)); 4203155131Srwatson 4204155131Srwatson case AUT_IPORT: 4205155131Srwatson return (fetch_iport_tok(tok, buf, len)); 4206155131Srwatson 4207155131Srwatson case AUT_OPAQUE: 4208155131Srwatson return (fetch_opaque_tok(tok, buf, len)); 4209155131Srwatson 4210155131Srwatson case AUT_PATH: 4211155131Srwatson return (fetch_path_tok(tok, buf, len)); 4212155131Srwatson 4213155131Srwatson case AUT_PROCESS32: 4214155131Srwatson return (fetch_process32_tok(tok, buf, len)); 4215155131Srwatson 4216155131Srwatson case AUT_PROCESS32_EX: 4217155131Srwatson return (fetch_process32ex_tok(tok, buf, len)); 4218155131Srwatson 4219168777Srwatson case AUT_PROCESS64: 4220168777Srwatson return (fetch_process64_tok(tok, buf, len)); 4221168777Srwatson 4222168777Srwatson case AUT_PROCESS64_EX: 4223168777Srwatson return (fetch_process64ex_tok(tok, buf, len)); 4224168777Srwatson 4225155131Srwatson case AUT_RETURN32: 4226155131Srwatson return (fetch_return32_tok(tok, buf, len)); 4227155131Srwatson 4228155131Srwatson case AUT_RETURN64: 4229155131Srwatson return (fetch_return64_tok(tok, buf, len)); 4230155131Srwatson 4231155131Srwatson case AUT_SEQ: 4232155131Srwatson return (fetch_seq_tok(tok, buf, len)); 4233155131Srwatson 4234155131Srwatson case AUT_SOCKET: 4235155131Srwatson return (fetch_socket_tok(tok, buf, len)); 4236155131Srwatson 4237155131Srwatson case AUT_SOCKINET32: 4238155131Srwatson return (fetch_sock_inet32_tok(tok, buf, len)); 4239155131Srwatson 4240155131Srwatson case AUT_SOCKUNIX: 4241155131Srwatson return (fetch_sock_unix_tok(tok, buf, len)); 4242155131Srwatson 4243191273Srwatson case AUT_SOCKINET128: 4244191273Srwatson return (fetch_sock_inet128_tok(tok, buf, len)); 4245191273Srwatson 4246155131Srwatson case AUT_SUBJECT32: 4247155131Srwatson return (fetch_subject32_tok(tok, buf, len)); 4248155131Srwatson 4249168777Srwatson case AUT_SUBJECT32_EX: 4250168777Srwatson return (fetch_subject32ex_tok(tok, buf, len)); 4251168777Srwatson 4252155131Srwatson case AUT_SUBJECT64: 4253155131Srwatson return (fetch_subject64_tok(tok, buf, len)); 4254155131Srwatson 4255168777Srwatson case AUT_SUBJECT64_EX: 4256168777Srwatson return (fetch_subject64ex_tok(tok, buf, len)); 4257155131Srwatson 4258155131Srwatson case AUT_TEXT: 4259155131Srwatson return (fetch_text_tok(tok, buf, len)); 4260155131Srwatson 4261155131Srwatson case AUT_SOCKET_EX: 4262155131Srwatson return (fetch_socketex32_tok(tok, buf, len)); 4263155131Srwatson 4264155131Srwatson case AUT_DATA: 4265155131Srwatson return (fetch_arb_tok(tok, buf, len)); 4266155131Srwatson 4267168777Srwatson case AUT_ZONENAME: 4268168777Srwatson return (fetch_zonename_tok(tok, buf, len)); 4269168777Srwatson 4270243750Srwatson case AUT_UPRIV: 4271243750Srwatson return (fetch_priv_tok(tok, buf, len)); 4272243750Srwatson 4273243750Srwatson case AUT_PRIV: 4274243750Srwatson return (fetch_privset_tok(tok, buf, len)); 4275243750Srwatson 4276155131Srwatson default: 4277155131Srwatson return (fetch_invalid_tok(tok, buf, len)); 4278155131Srwatson } 4279155131Srwatson} 4280155131Srwatson 4281155131Srwatsonvoid 4282243750Srwatsonau_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags) 4283155131Srwatson{ 4284155131Srwatson 4285155131Srwatson switch(tok->id) { 4286155131Srwatson case AUT_HEADER32: 4287243750Srwatson print_header32_tok(outfp, tok, del, oflags); 4288155131Srwatson return; 4289155131Srwatson 4290155131Srwatson case AUT_HEADER32_EX: 4291243750Srwatson print_header32_ex_tok(outfp, tok, del, oflags); 4292155131Srwatson return; 4293155131Srwatson 4294155131Srwatson case AUT_HEADER64: 4295243750Srwatson print_header64_tok(outfp, tok, del, oflags); 4296155131Srwatson return; 4297155131Srwatson 4298155131Srwatson case AUT_HEADER64_EX: 4299243750Srwatson print_header64_ex_tok(outfp, tok, del, oflags); 4300155131Srwatson return; 4301155131Srwatson 4302155131Srwatson case AUT_TRAILER: 4303243750Srwatson print_trailer_tok(outfp, tok, del, oflags); 4304155131Srwatson return; 4305155131Srwatson 4306155131Srwatson case AUT_ARG32: 4307243750Srwatson print_arg32_tok(outfp, tok, del, oflags); 4308155131Srwatson return; 4309155131Srwatson 4310155131Srwatson case AUT_ARG64: 4311243750Srwatson print_arg64_tok(outfp, tok, del, oflags); 4312155131Srwatson return; 4313155131Srwatson 4314155131Srwatson case AUT_DATA: 4315243750Srwatson print_arb_tok(outfp, tok, del, oflags); 4316155131Srwatson return; 4317155131Srwatson 4318155131Srwatson case AUT_ATTR32: 4319243750Srwatson print_attr32_tok(outfp, tok, del, oflags); 4320155131Srwatson return; 4321155131Srwatson 4322155131Srwatson case AUT_ATTR64: 4323243750Srwatson print_attr64_tok(outfp, tok, del, oflags); 4324155131Srwatson return; 4325155131Srwatson 4326155131Srwatson case AUT_EXIT: 4327243750Srwatson print_exit_tok(outfp, tok, del, oflags); 4328155131Srwatson return; 4329155131Srwatson 4330155131Srwatson case AUT_EXEC_ARGS: 4331243750Srwatson print_execarg_tok(outfp, tok, del, oflags); 4332155131Srwatson return; 4333155131Srwatson 4334155131Srwatson case AUT_EXEC_ENV: 4335243750Srwatson print_execenv_tok(outfp, tok, del, oflags); 4336155131Srwatson return; 4337155131Srwatson 4338155131Srwatson case AUT_OTHER_FILE32: 4339243750Srwatson print_file_tok(outfp, tok, del, oflags); 4340155131Srwatson return; 4341155131Srwatson 4342155131Srwatson case AUT_NEWGROUPS: 4343243750Srwatson print_newgroups_tok(outfp, tok, del, oflags); 4344155131Srwatson return; 4345155131Srwatson 4346155131Srwatson case AUT_IN_ADDR: 4347243750Srwatson print_inaddr_tok(outfp, tok, del, oflags); 4348155131Srwatson return; 4349155131Srwatson 4350155131Srwatson case AUT_IN_ADDR_EX: 4351243750Srwatson print_inaddr_ex_tok(outfp, tok, del, oflags); 4352155131Srwatson return; 4353155131Srwatson 4354155131Srwatson case AUT_IP: 4355243750Srwatson print_ip_tok(outfp, tok, del, oflags); 4356155131Srwatson return; 4357155131Srwatson 4358155131Srwatson case AUT_IPC: 4359243750Srwatson print_ipc_tok(outfp, tok, del, oflags); 4360155131Srwatson return; 4361155131Srwatson 4362155131Srwatson case AUT_IPC_PERM: 4363243750Srwatson print_ipcperm_tok(outfp, tok, del, oflags); 4364155131Srwatson return; 4365155131Srwatson 4366155131Srwatson case AUT_IPORT: 4367243750Srwatson print_iport_tok(outfp, tok, del, oflags); 4368155131Srwatson return; 4369155131Srwatson 4370155131Srwatson case AUT_OPAQUE: 4371243750Srwatson print_opaque_tok(outfp, tok, del, oflags); 4372155131Srwatson return; 4373155131Srwatson 4374155131Srwatson case AUT_PATH: 4375243750Srwatson print_path_tok(outfp, tok, del, oflags); 4376155131Srwatson return; 4377155131Srwatson 4378155131Srwatson case AUT_PROCESS32: 4379243750Srwatson print_process32_tok(outfp, tok, del, oflags); 4380155131Srwatson return; 4381155131Srwatson 4382155131Srwatson case AUT_PROCESS32_EX: 4383243750Srwatson print_process32ex_tok(outfp, tok, del, oflags); 4384155131Srwatson return; 4385155131Srwatson 4386168777Srwatson case AUT_PROCESS64: 4387243750Srwatson print_process64_tok(outfp, tok, del, oflags); 4388168777Srwatson return; 4389168777Srwatson 4390168777Srwatson case AUT_PROCESS64_EX: 4391243750Srwatson print_process64ex_tok(outfp, tok, del, oflags); 4392168777Srwatson return; 4393168777Srwatson 4394155131Srwatson case AUT_RETURN32: 4395243750Srwatson print_return32_tok(outfp, tok, del, oflags); 4396155131Srwatson return; 4397155131Srwatson 4398155131Srwatson case AUT_RETURN64: 4399243750Srwatson print_return64_tok(outfp, tok, del, oflags); 4400155131Srwatson return; 4401155131Srwatson 4402155131Srwatson case AUT_SEQ: 4403243750Srwatson print_seq_tok(outfp, tok, del, oflags); 4404155131Srwatson return; 4405155131Srwatson 4406155131Srwatson case AUT_SOCKET: 4407243750Srwatson print_socket_tok(outfp, tok, del, oflags); 4408155131Srwatson return; 4409155131Srwatson 4410155131Srwatson case AUT_SOCKINET32: 4411243750Srwatson print_sock_inet32_tok(outfp, tok, del, oflags); 4412155131Srwatson return; 4413155131Srwatson 4414155131Srwatson case AUT_SOCKUNIX: 4415243750Srwatson print_sock_unix_tok(outfp, tok, del, oflags); 4416155131Srwatson return; 4417155131Srwatson 4418191273Srwatson case AUT_SOCKINET128: 4419243750Srwatson print_sock_inet128_tok(outfp, tok, del, oflags); 4420191273Srwatson return; 4421191273Srwatson 4422155131Srwatson case AUT_SUBJECT32: 4423243750Srwatson print_subject32_tok(outfp, tok, del, oflags); 4424155131Srwatson return; 4425155131Srwatson 4426155131Srwatson case AUT_SUBJECT64: 4427243750Srwatson print_subject64_tok(outfp, tok, del, oflags); 4428155131Srwatson return; 4429155131Srwatson 4430155131Srwatson case AUT_SUBJECT32_EX: 4431243750Srwatson print_subject32ex_tok(outfp, tok, del, oflags); 4432155131Srwatson return; 4433155131Srwatson 4434168777Srwatson case AUT_SUBJECT64_EX: 4435243750Srwatson print_subject64ex_tok(outfp, tok, del, oflags); 4436168777Srwatson return; 4437168777Srwatson 4438155131Srwatson case AUT_TEXT: 4439243750Srwatson print_text_tok(outfp, tok, del, oflags); 4440155131Srwatson return; 4441155131Srwatson 4442155131Srwatson case AUT_SOCKET_EX: 4443243750Srwatson print_socketex32_tok(outfp, tok, del, oflags); 4444155131Srwatson return; 4445155131Srwatson 4446168777Srwatson case AUT_ZONENAME: 4447243750Srwatson print_zonename_tok(outfp, tok, del, oflags); 4448168777Srwatson return; 4449168777Srwatson 4450243750Srwatson case AUT_UPRIV: 4451243750Srwatson print_upriv_tok(outfp, tok, del, oflags); 4452243750Srwatson return; 4453243750Srwatson 4454243750Srwatson case AUT_PRIV: 4455243750Srwatson print_privset_tok(outfp, tok, del, oflags); 4456243750Srwatson return; 4457243750Srwatson 4458155131Srwatson default: 4459243750Srwatson print_invalid_tok(outfp, tok, del, oflags); 4460155131Srwatson } 4461155131Srwatson} 4462155131Srwatson 4463155131Srwatson/* 4464243750Srwatson * 'prints' the token out to outfp. 4465243750Srwatson */ 4466243750Srwatsonvoid 4467243750Srwatsonau_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4468243750Srwatson{ 4469243750Srwatson int oflags = AU_OFLAG_NONE; 4470243750Srwatson 4471243750Srwatson if (raw) 4472243750Srwatson oflags |= AU_OFLAG_RAW; 4473243750Srwatson if (sfrm) 4474243750Srwatson oflags |= AU_OFLAG_SHORT; 4475243750Srwatson 4476243750Srwatson au_print_flags_tok(outfp, tok, del, oflags); 4477243750Srwatson} 4478243750Srwatson 4479243750Srwatson/* 4480168777Srwatson * 'prints' the token out to outfp in XML format. 4481168777Srwatson */ 4482168777Srwatsonvoid 4483168777Srwatsonau_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4484168777Srwatson char sfrm) 4485168777Srwatson{ 4486243750Srwatson int oflags = AU_OFLAG_XML; 4487168777Srwatson 4488243750Srwatson if (raw) 4489243750Srwatson oflags |= AU_OFLAG_RAW; 4490243750Srwatson if (sfrm) 4491243750Srwatson oflags |= AU_OFLAG_SHORT; 4492168777Srwatson 4493243750Srwatson au_print_flags_tok(outfp, tok, del, oflags); 4494168777Srwatson} 4495168777Srwatson 4496168777Srwatson/* 4497155131Srwatson * Read a record from the file pointer, store data in buf memory for buf is 4498155131Srwatson * also allocated in this function and has to be free'd outside this call. 4499155131Srwatson * 4500155131Srwatson * au_read_rec() handles two possibilities: a stand-alone file token, or a 4501155131Srwatson * complete audit record. 4502155131Srwatson * 4503155131Srwatson * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4504155131Srwatson * state, because it will be partly offset into a record. We should rewind 4505155131Srwatson * or do something more intelligent. Particularly interesting is the case 4506155131Srwatson * where we perform a partial read of a record from a non-blockable file 4507155131Srwatson * descriptor. We should return the partial read and continue...? 4508155131Srwatson */ 4509155131Srwatsonint 4510155131Srwatsonau_read_rec(FILE *fp, u_char **buf) 4511155131Srwatson{ 4512155131Srwatson u_char *bptr; 4513155131Srwatson u_int32_t recsize; 4514155131Srwatson u_int32_t bytestoread; 4515155131Srwatson u_char type; 4516155131Srwatson 4517155131Srwatson u_int32_t sec, msec; 4518155131Srwatson u_int16_t filenamelen; 4519155131Srwatson 4520155131Srwatson type = fgetc(fp); 4521155131Srwatson 4522155131Srwatson switch (type) { 4523155131Srwatson case AUT_HEADER32: 4524155131Srwatson case AUT_HEADER32_EX: 4525155131Srwatson case AUT_HEADER64: 4526155131Srwatson case AUT_HEADER64_EX: 4527155131Srwatson /* read the record size from the token */ 4528155131Srwatson if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4529155131Srwatson sizeof(u_int32_t)) { 4530155131Srwatson errno = EINVAL; 4531155131Srwatson return (-1); 4532155131Srwatson } 4533155131Srwatson recsize = be32toh(recsize); 4534155131Srwatson 4535155131Srwatson /* Check for recsize sanity */ 4536155131Srwatson if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4537155131Srwatson errno = EINVAL; 4538155131Srwatson return (-1); 4539155131Srwatson } 4540155131Srwatson 4541243750Srwatson *buf = calloc(recsize, sizeof(u_char)); 4542155131Srwatson if (*buf == NULL) 4543155131Srwatson return (-1); 4544155131Srwatson bptr = *buf; 4545155131Srwatson 4546155131Srwatson /* store the token contents already read, back to the buffer*/ 4547155131Srwatson *bptr = type; 4548155131Srwatson bptr++; 4549155131Srwatson be32enc(bptr, recsize); 4550155131Srwatson bptr += sizeof(u_int32_t); 4551155131Srwatson 4552155131Srwatson /* now read remaining record bytes */ 4553155131Srwatson bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4554155131Srwatson 4555155131Srwatson if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4556155131Srwatson free(*buf); 4557155131Srwatson errno = EINVAL; 4558155131Srwatson return (-1); 4559155131Srwatson } 4560155131Srwatson break; 4561155131Srwatson 4562155131Srwatson case AUT_OTHER_FILE32: 4563155131Srwatson /* 4564155131Srwatson * The file token is variable-length, as it includes a 4565155131Srwatson * pathname. As a result, we have to read incrementally 4566155131Srwatson * until we know the total length, then allocate space and 4567155131Srwatson * read the rest. 4568155131Srwatson */ 4569155131Srwatson if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4570155131Srwatson errno = EINVAL; 4571155131Srwatson return (-1); 4572155131Srwatson } 4573155131Srwatson if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4574155131Srwatson errno = EINVAL; 4575155131Srwatson return (-1); 4576155131Srwatson } 4577155131Srwatson if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4578155131Srwatson sizeof(filenamelen)) { 4579155131Srwatson errno = EINVAL; 4580155131Srwatson return (-1); 4581155131Srwatson } 4582155131Srwatson recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4583155131Srwatson sizeof(filenamelen) + ntohs(filenamelen); 4584155131Srwatson *buf = malloc(recsize); 4585155131Srwatson if (*buf == NULL) 4586155131Srwatson return (-1); 4587155131Srwatson bptr = *buf; 4588155131Srwatson 4589155131Srwatson bcopy(&type, bptr, sizeof(type)); 4590155131Srwatson bptr += sizeof(type); 4591155131Srwatson bcopy(&sec, bptr, sizeof(sec)); 4592155131Srwatson bptr += sizeof(sec); 4593155131Srwatson bcopy(&msec, bptr, sizeof(msec)); 4594155131Srwatson bptr += sizeof(msec); 4595155131Srwatson bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4596155131Srwatson bptr += sizeof(filenamelen); 4597155131Srwatson 4598155131Srwatson if (fread(bptr, 1, ntohs(filenamelen), fp) < 4599155131Srwatson ntohs(filenamelen)) { 4600155131Srwatson free(buf); 4601155131Srwatson errno = EINVAL; 4602155131Srwatson return (-1); 4603155131Srwatson } 4604155131Srwatson break; 4605155131Srwatson 4606155131Srwatson default: 4607155131Srwatson errno = EINVAL; 4608155131Srwatson return (-1); 4609155131Srwatson } 4610155131Srwatson 4611155131Srwatson return (recsize); 4612155131Srwatson} 4613