bsm_io.c revision 186647
1/*- 2 * Copyright (c) 2004-2008 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#59 $ 36 */ 37 38#include <sys/types.h> 39 40#include <config/config.h> 41#if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC) 42#include <sys/endian.h> 43#else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 44#ifdef HAVE_MACHINE_ENDIAN_H 45#include <machine/endian.h> 46#else /* !HAVE_MACHINE_ENDIAN_H */ 47#ifdef HAVE_ENDIAN_H 48#include <endian.h> 49#else /* !HAVE_ENDIAN_H */ 50#error "No supported endian.h" 51#endif /* !HAVE_ENDIAN_H */ 52#endif /* !HAVE_MACHINE_ENDIAN_H */ 53#include <compat/endian.h> 54#endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 55#ifdef HAVE_FULL_QUEUE_H 56#include <sys/queue.h> 57#else /* !HAVE_FULL_QUEUE_H */ 58#include <compat/queue.h> 59#endif /* !HAVE_FULL_QUEUE_H */ 60 61#include <sys/stat.h> 62#include <sys/socket.h> 63 64#include <bsm/libbsm.h> 65 66#include <unistd.h> 67#include <netinet/in.h> 68#include <arpa/inet.h> 69#include <errno.h> 70#include <time.h> 71#include <stdlib.h> 72#include <stdio.h> 73#include <string.h> 74#include <pwd.h> 75#include <grp.h> 76 77#include <bsm/audit_internal.h> 78 79#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81 (err) = 1; \ 82 } else { \ 83 memcpy((dest), (buf) + (bytesread), (size)); \ 84 bytesread += size; \ 85 } \ 86} while (0) 87 88#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90 (dest) = buf[(bytesread)]; \ 91 (bytesread) += sizeof(u_char); \ 92 } else \ 93 (err) = 1; \ 94} while (0) 95 96#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98 (dest) = be16dec((buf) + (bytesread)); \ 99 (bytesread) += sizeof(u_int16_t); \ 100 } else \ 101 (err) = 1; \ 102} while (0) 103 104#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106 (dest) = be32dec((buf) + (bytesread)); \ 107 (bytesread) += sizeof(u_int32_t); \ 108 } else \ 109 (err) = 1; \ 110} while (0) 111 112#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114 dest = be64dec((buf) + (bytesread)); \ 115 (bytesread) += sizeof(u_int64_t); \ 116 } else \ 117 (err) = 1; \ 118} while (0) 119 120#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (u_int32_t)(len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127} while (0) 128 129/* 130 * XML option. 131 */ 132#define AU_PLAIN 0 133#define AU_XML 1 134 135/* 136 * Prints the delimiter string. 137 */ 138static void 139print_delim(FILE *fp, const char *del) 140{ 141 142 fprintf(fp, "%s", del); 143} 144 145/* 146 * Prints a single byte in the given format. 147 */ 148static void 149print_1_byte(FILE *fp, u_char val, const char *format) 150{ 151 152 fprintf(fp, format, val); 153} 154 155/* 156 * Print 2 bytes in the given format. 157 */ 158static void 159print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160{ 161 162 fprintf(fp, format, val); 163} 164 165/* 166 * Prints 4 bytes in the given format. 167 */ 168static void 169print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170{ 171 172 fprintf(fp, format, val); 173} 174 175/* 176 * Prints 8 bytes in the given format. 177 */ 178static void 179print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180{ 181 182 fprintf(fp, format, val); 183} 184 185/* 186 * Prints the given size of data bytes in hex. 187 */ 188static void 189print_mem(FILE *fp, u_char *data, size_t len) 190{ 191 u_int32_t i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%x", data[i]); 197 } 198} 199 200/* 201 * Prints the given data bytes as a string. 202 */ 203static void 204print_string(FILE *fp, const char *str, size_t len) 205{ 206 u_int32_t i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214} 215 216/* 217 * Prints the beggining of attribute. 218 */ 219static void 220open_attr(FILE *fp, const char *str) 221{ 222 223 fprintf(fp,"%s=\"", str); 224} 225 226/* 227 * Prints the end of attribute. 228 */ 229static void 230close_attr(FILE *fp) 231{ 232 233 fprintf(fp,"\" "); 234} 235 236/* 237 * Prints the end of tag. 238 */ 239static void 240close_tag(FILE *fp, u_char type) 241{ 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SUBJECT32: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT64: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT32_EX: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT64_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_TEXT: 385 fprintf(fp, "</text>"); 386 break; 387 388 case AUT_SOCKET_EX: 389 fprintf(fp, "/>"); 390 break; 391 392 case AUT_DATA: 393 fprintf(fp, "</arbitrary>"); 394 break; 395 396 case AUT_ZONENAME: 397 fprintf(fp, "/>"); 398 break; 399 } 400} 401 402/* 403 * Prints the token type in either the raw or the default form. 404 */ 405static void 406print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 407{ 408 409 if (xml) { 410 switch(type) { 411 case AUT_HEADER32: 412 fprintf(fp, "<record "); 413 break; 414 415 case AUT_HEADER32_EX: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER64: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64_EX: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_TRAILER: 428 fprintf(fp, "</record>"); 429 break; 430 431 case AUT_ARG32: 432 fprintf(fp, "<argument "); 433 break; 434 435 case AUT_ARG64: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ATTR32: 440 fprintf(fp, "<attribute "); 441 break; 442 443 case AUT_ATTR64: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_EXIT: 448 fprintf(fp, "<exit "); 449 break; 450 451 case AUT_EXEC_ARGS: 452 fprintf(fp, "<exec_args>"); 453 break; 454 455 case AUT_EXEC_ENV: 456 fprintf(fp, "<exec_env>"); 457 break; 458 459 case AUT_OTHER_FILE32: 460 fprintf(fp, "<file "); 461 break; 462 463 case AUT_NEWGROUPS: 464 fprintf(fp, "<group>"); 465 break; 466 467 case AUT_IN_ADDR: 468 fprintf(fp, "<ip_address>"); 469 break; 470 471 case AUT_IN_ADDR_EX: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IP: 476 fprintf(fp, "<ip "); 477 break; 478 479 case AUT_IPC: 480 fprintf(fp, "<IPC"); 481 break; 482 483 case AUT_IPC_PERM: 484 fprintf(fp, "<IPC_perm "); 485 break; 486 487 case AUT_IPORT: 488 fprintf(fp, "<ip_port>"); 489 break; 490 491 case AUT_OPAQUE: 492 fprintf(fp, "<opaque>"); 493 break; 494 495 case AUT_PATH: 496 fprintf(fp, "<path>"); 497 break; 498 499 case AUT_PROCESS32: 500 fprintf(fp, "<process "); 501 break; 502 503 case AUT_PROCESS32_EX: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS64: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64_EX: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_RETURN32: 516 fprintf(fp, "<return "); 517 break; 518 519 case AUT_RETURN64: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_SEQ: 524 fprintf(fp, "<sequence "); 525 break; 526 527 case AUT_SOCKET: 528 fprintf(fp, "<socket "); 529 break; 530 531 case AUT_SOCKINET32: 532 fprintf(fp, "<old_socket"); 533 break; 534 535 case AUT_SOCKUNIX: 536 fprintf(fp, "<old_socket"); 537 break; 538 539 case AUT_SUBJECT32: 540 fprintf(fp, "<subject "); 541 break; 542 543 case AUT_SUBJECT64: 544 fprintf(fp, "<subject "); 545 break; 546 547 case AUT_SUBJECT32_EX: 548 fprintf(fp, "<subject "); 549 break; 550 551 case AUT_SUBJECT64_EX: 552 fprintf(fp, "<subject "); 553 break; 554 555 case AUT_TEXT: 556 fprintf(fp, "<text>"); 557 break; 558 559 case AUT_SOCKET_EX: 560 fprintf(fp, "<socket "); 561 break; 562 563 case AUT_DATA: 564 fprintf(fp, "<arbitrary "); 565 break; 566 567 case AUT_ZONENAME: 568 fprintf(fp, "<zone "); 569 break; 570 } 571 } else { 572 if (raw) 573 fprintf(fp, "%u", type); 574 else 575 fprintf(fp, "%s", tokname); 576 } 577} 578 579/* 580 * Prints a user value. 581 */ 582static void 583print_user(FILE *fp, u_int32_t usr, char raw) 584{ 585 struct passwd *pwent; 586 587 if (raw) 588 fprintf(fp, "%d", usr); 589 else { 590 pwent = getpwuid(usr); 591 if (pwent != NULL) 592 fprintf(fp, "%s", pwent->pw_name); 593 else 594 fprintf(fp, "%d", usr); 595 } 596} 597 598/* 599 * Prints a group value. 600 */ 601static void 602print_group(FILE *fp, u_int32_t grp, char raw) 603{ 604 struct group *grpent; 605 606 if (raw) 607 fprintf(fp, "%d", grp); 608 else { 609 grpent = getgrgid(grp); 610 if (grpent != NULL) 611 fprintf(fp, "%s", grpent->gr_name); 612 else 613 fprintf(fp, "%d", grp); 614 } 615} 616 617/* 618 * Prints the event from the header token in either the short, default or raw 619 * form. 620 */ 621static void 622print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 623{ 624 char event_ent_name[AU_EVENT_NAME_MAX]; 625 char event_ent_desc[AU_EVENT_DESC_MAX]; 626 struct au_event_ent e, *ep; 627 628 bzero(&e, sizeof(e)); 629 bzero(event_ent_name, sizeof(event_ent_name)); 630 bzero(event_ent_desc, sizeof(event_ent_desc)); 631 e.ae_name = event_ent_name; 632 e.ae_desc = event_ent_desc; 633 634 ep = getauevnum_r(&e, ev); 635 if (ep == NULL) { 636 fprintf(fp, "%u", ev); 637 return; 638 } 639 640 if (raw) 641 fprintf(fp, "%u", ev); 642 else if (sfrm) 643 fprintf(fp, "%s", e.ae_name); 644 else 645 fprintf(fp, "%s", e.ae_desc); 646} 647 648 649/* 650 * Prints the event modifier from the header token in either the default or 651 * raw form. 652 */ 653static void 654print_evmod(FILE *fp, u_int16_t evmod, char raw) 655{ 656 if (raw) 657 fprintf(fp, "%u", evmod); 658 else 659 fprintf(fp, "%u", evmod); 660} 661 662/* 663 * Prints seconds in the ctime format. 664 */ 665static void 666print_sec32(FILE *fp, u_int32_t sec, char raw) 667{ 668 time_t timestamp; 669 char timestr[26]; 670 671 if (raw) 672 fprintf(fp, "%u", sec); 673 else { 674 timestamp = (time_t)sec; 675 ctime_r(×tamp, timestr); 676 timestr[24] = '\0'; /* No new line */ 677 fprintf(fp, "%s", timestr); 678 } 679} 680 681/* 682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 683 * assume a 32-bit time_t, we simply truncate for now. 684 */ 685static void 686print_sec64(FILE *fp, u_int64_t sec, char raw) 687{ 688 time_t timestamp; 689 char timestr[26]; 690 691 if (raw) 692 fprintf(fp, "%u", (u_int32_t)sec); 693 else { 694 timestamp = (time_t)sec; 695 ctime_r(×tamp, timestr); 696 timestr[24] = '\0'; /* No new line */ 697 fprintf(fp, "%s", timestr); 698 } 699} 700 701/* 702 * Prints the excess milliseconds. 703 */ 704static void 705print_msec32(FILE *fp, u_int32_t msec, char raw) 706{ 707 if (raw) 708 fprintf(fp, "%u", msec); 709 else 710 fprintf(fp, " + %u msec", msec); 711} 712 713/* 714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 715 * a 32-bit msec, we simply truncate for now. 716 */ 717static void 718print_msec64(FILE *fp, u_int64_t msec, char raw) 719{ 720 721 msec &= 0xffffffff; 722 if (raw) 723 fprintf(fp, "%u", (u_int32_t)msec); 724 else 725 fprintf(fp, " + %u msec", (u_int32_t)msec); 726} 727 728/* 729 * Prints a dotted form for the IP address. 730 */ 731static void 732print_ip_address(FILE *fp, u_int32_t ip) 733{ 734 struct in_addr ipaddr; 735 736 ipaddr.s_addr = ip; 737 fprintf(fp, "%s", inet_ntoa(ipaddr)); 738} 739 740/* 741 * Prints a string value for the given ip address. 742 */ 743static void 744print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 745{ 746 struct in_addr ipv4; 747 struct in6_addr ipv6; 748 char dst[INET6_ADDRSTRLEN]; 749 750 switch (type) { 751 case AU_IPv4: 752 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 754 INET6_ADDRSTRLEN)); 755 break; 756 757 case AU_IPv6: 758 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 760 INET6_ADDRSTRLEN)); 761 break; 762 763 default: 764 fprintf(fp, "invalid"); 765 } 766} 767 768/* 769 * Prints return value as success or failure. 770 */ 771static void 772print_retval(FILE *fp, u_char status, char raw) 773{ 774 int error; 775 776 if (raw) 777 fprintf(fp, "%u", status); 778 else { 779 /* 780 * Convert to a local error number and print the OS's version 781 * of the error string if possible. We may want to provide 782 * an au_strerror(3) in the future so that we can print 783 * strings for non-local errors. 784 */ 785 if (au_bsm_to_errno(status, &error) == 0) { 786 if (error == 0) 787 fprintf(fp, "success"); 788 else 789 fprintf(fp, "failure : %s", strerror(error)); 790 } else 791 fprintf(fp, "failure: Unknown error: %d", status); 792 } 793} 794 795/* 796 * Prints the exit value. 797 */ 798static void 799print_errval(FILE *fp, u_int32_t val) 800{ 801 802 fprintf(fp, "Error %u", val); 803} 804 805/* 806 * Prints IPC type. 807 */ 808static void 809print_ipctype(FILE *fp, u_char type, char raw) 810{ 811 if (raw) 812 fprintf(fp, "%u", type); 813 else { 814 if (type == AT_IPC_MSG) 815 fprintf(fp, "Message IPC"); 816 else if (type == AT_IPC_SEM) 817 fprintf(fp, "Semaphore IPC"); 818 else if (type == AT_IPC_SHM) 819 fprintf(fp, "Shared Memory IPC"); 820 else 821 fprintf(fp, "%u", type); 822 } 823} 824 825/* 826 * Print XML header. 827 */ 828void 829au_print_xml_header(FILE *outfp) 830{ 831 832 fprintf(outfp, "<?xml version='1.0' ?>\n"); 833 fprintf(outfp, "<audit>\n"); 834} 835 836/* 837 * Print XML footer. 838 */ 839void 840au_print_xml_footer(FILE *outfp) 841{ 842 843 fprintf(outfp, "</audit>\n"); 844} 845 846/* 847 * record byte count 4 bytes 848 * version # 1 byte [2] 849 * event type 2 bytes 850 * event modifier 2 bytes 851 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 852 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 853 */ 854static int 855fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 856{ 857 int err = 0; 858 859 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 860 if (err) 861 return (-1); 862 863 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 864 if (err) 865 return (-1); 866 867 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 868 if (err) 869 return (-1); 870 871 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 872 if (err) 873 return (-1); 874 875 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 876 if (err) 877 return (-1); 878 879 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 880 if (err) 881 return (-1); 882 883 return (0); 884} 885 886static void 887print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 888 int xml) 889{ 890 891 print_tok_type(fp, tok->id, "header", raw, xml); 892 if (xml) { 893 open_attr(fp, "version"); 894 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 895 close_attr(fp); 896 open_attr(fp, "event"); 897 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 898 close_attr(fp); 899 open_attr(fp, "modifier"); 900 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 901 close_attr(fp); 902 open_attr(fp, "time"); 903 print_sec32(fp, tok->tt.hdr32.s, raw); 904 close_attr(fp); 905 open_attr(fp, "msec"); 906 print_msec32(fp, tok->tt.hdr32.ms, 1); 907 close_attr(fp); 908 close_tag(fp, tok->id); 909 } else { 910 print_delim(fp, del); 911 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 912 print_delim(fp, del); 913 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 914 print_delim(fp, del); 915 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 916 print_delim(fp, del); 917 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 918 print_delim(fp, del); 919 print_sec32(fp, tok->tt.hdr32.s, raw); 920 print_delim(fp, del); 921 print_msec32(fp, tok->tt.hdr32.ms, raw); 922 } 923} 924 925/* 926 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 927 * depending on the bit of the specifications found. The OpenSolaris source 928 * code uses a 4-byte address length, followed by some number of bytes of 929 * address data. This contrasts with the Solaris audit.log.5 man page, which 930 * specifies a 1-byte length field. We use the Solaris 10 definition so that 931 * we can parse audit trails from that system. 932 * 933 * record byte count 4 bytes 934 * version # 1 byte [2] 935 * event type 2 bytes 936 * event modifier 2 bytes 937 * address type/length 4 bytes 938 * [ Solaris man page: address type/length 1 byte] 939 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 940 * seconds of time 4 bytes/8 bytes (32/64-bits) 941 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 942 */ 943static int 944fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 945{ 946 int err = 0; 947 948 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 949 if (err) 950 return (-1); 951 952 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 953 if (err) 954 return (-1); 955 956 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 957 if (err) 958 return (-1); 959 960 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 961 if (err) 962 return (-1); 963 964 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 965 if (err) 966 return (-1); 967 968 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 969 switch (tok->tt.hdr32_ex.ad_type) { 970 case AU_IPv4: 971 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 972 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 973 if (err) 974 return (-1); 975 break; 976 977 case AU_IPv6: 978 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 979 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 980 break; 981 } 982 983 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 984 if (err) 985 return (-1); 986 987 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 988 if (err) 989 return (-1); 990 991 return (0); 992} 993 994static void 995print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 996 char sfrm, int xml) 997{ 998 999 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1000 if (xml) { 1001 open_attr(fp, "version"); 1002 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1003 close_attr(fp); 1004 open_attr(fp, "event"); 1005 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1006 close_attr(fp); 1007 open_attr(fp, "modifier"); 1008 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1009 close_attr(fp); 1010 open_attr(fp, "host"); 1011 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1012 tok->tt.hdr32_ex.addr); 1013 close_attr(fp); 1014 open_attr(fp, "time"); 1015 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1016 close_attr(fp); 1017 open_attr(fp, "msec"); 1018 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1019 close_attr(fp); 1020 close_tag(fp, tok->id); 1021 } else { 1022 print_delim(fp, del); 1023 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1024 print_delim(fp, del); 1025 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1026 print_delim(fp, del); 1027 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1028 print_delim(fp, del); 1029 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1030 print_delim(fp, del); 1031 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1032 tok->tt.hdr32_ex.addr); 1033 print_delim(fp, del); 1034 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1035 print_delim(fp, del); 1036 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1037 } 1038} 1039 1040/* 1041 * record byte count 4 bytes 1042 * event type 2 bytes 1043 * event modifier 2 bytes 1044 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1045 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1046 * version # 1047 */ 1048static int 1049fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1050{ 1051 int err = 0; 1052 1053 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1054 if (err) 1055 return (-1); 1056 1057 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1058 if (err) 1059 return (-1); 1060 1061 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1062 if (err) 1063 return (-1); 1064 1065 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1066 if (err) 1067 return (-1); 1068 1069 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1070 if (err) 1071 return (-1); 1072 1073 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1074 if (err) 1075 return (-1); 1076 1077 return (0); 1078} 1079 1080static void 1081print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1082 int xml) 1083{ 1084 1085 print_tok_type(fp, tok->id, "header", raw, xml); 1086 if (xml) { 1087 open_attr(fp, "version"); 1088 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1089 close_attr(fp); 1090 open_attr(fp, "event"); 1091 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1092 close_attr(fp); 1093 open_attr(fp, "modifier"); 1094 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1095 close_attr(fp); 1096 open_attr(fp, "time"); 1097 print_sec64(fp, tok->tt.hdr64.s, raw); 1098 close_attr(fp); 1099 open_attr(fp, "msec"); 1100 print_msec64(fp, tok->tt.hdr64.ms, raw); 1101 close_attr(fp); 1102 close_tag(fp, tok->id); 1103 } else { 1104 print_delim(fp, del); 1105 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1106 print_delim(fp, del); 1107 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1108 print_delim(fp, del); 1109 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1110 print_delim(fp, del); 1111 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1112 print_delim(fp, del); 1113 print_sec64(fp, tok->tt.hdr64.s, raw); 1114 print_delim(fp, del); 1115 print_msec64(fp, tok->tt.hdr64.ms, raw); 1116 } 1117} 1118 1119/* 1120 * record byte count 4 bytes 1121 * version # 1 byte [2] 1122 * event type 2 bytes 1123 * event modifier 2 bytes 1124 * address type/length 4 bytes 1125 * [ Solaris man page: address type/length 1 byte] 1126 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1127 * seconds of time 4 bytes/8 bytes (32/64-bits) 1128 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1129 * 1130 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1131 * accuracy of the BSM spec. 1132 */ 1133static int 1134fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1135{ 1136 int err = 0; 1137 1138 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1139 if (err) 1140 return (-1); 1141 1142 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1143 if (err) 1144 return (-1); 1145 1146 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1147 if (err) 1148 return (-1); 1149 1150 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1151 if (err) 1152 return (-1); 1153 1154 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1155 if (err) 1156 return (-1); 1157 1158 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1159 switch (tok->tt.hdr64_ex.ad_type) { 1160 case AU_IPv4: 1161 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1162 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1163 if (err) 1164 return (-1); 1165 break; 1166 1167 case AU_IPv6: 1168 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1169 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1170 break; 1171 } 1172 1173 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1174 if (err) 1175 return (-1); 1176 1177 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1178 if (err) 1179 return (-1); 1180 1181 return (0); 1182} 1183 1184static void 1185print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1186 char sfrm, int xml) 1187{ 1188 1189 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1190 if (xml) { 1191 open_attr(fp, "version"); 1192 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1193 close_attr(fp); 1194 open_attr(fp, "event"); 1195 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1196 close_attr(fp); 1197 open_attr(fp, "modifier"); 1198 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1199 close_attr(fp); 1200 open_attr(fp, "host"); 1201 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1202 tok->tt.hdr64_ex.addr); 1203 close_attr(fp); 1204 open_attr(fp, "time"); 1205 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1206 close_attr(fp); 1207 open_attr(fp, "msec"); 1208 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1209 close_attr(fp); 1210 close_tag(fp, tok->id); 1211 } else { 1212 print_delim(fp, del); 1213 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1214 print_delim(fp, del); 1215 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1216 print_delim(fp, del); 1217 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1218 print_delim(fp, del); 1219 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1220 print_delim(fp, del); 1221 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1222 tok->tt.hdr64_ex.addr); 1223 print_delim(fp, del); 1224 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1225 print_delim(fp, del); 1226 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1227 } 1228} 1229 1230/* 1231 * trailer magic 2 bytes 1232 * record size 4 bytes 1233 */ 1234static int 1235fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1236{ 1237 int err = 0; 1238 1239 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1240 if (err) 1241 return (-1); 1242 1243 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1244 if (err) 1245 return (-1); 1246 1247 return (0); 1248} 1249 1250static void 1251print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1252 __unused char sfrm, int xml) 1253{ 1254 1255 print_tok_type(fp, tok->id, "trailer", raw, xml); 1256 if (!xml) { 1257 print_delim(fp, del); 1258 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1259 } 1260} 1261 1262/* 1263 * argument # 1 byte 1264 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1265 * text length 2 bytes 1266 * text N bytes + 1 terminating NULL byte 1267 */ 1268static int 1269fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1270{ 1271 int err = 0; 1272 1273 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1274 if (err) 1275 return (-1); 1276 1277 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1278 if (err) 1279 return (-1); 1280 1281 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1282 if (err) 1283 return (-1); 1284 1285 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1286 tok->len, err); 1287 if (err) 1288 return (-1); 1289 1290 return (0); 1291} 1292 1293static void 1294print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1295 __unused char sfrm, int xml) 1296{ 1297 1298 print_tok_type(fp, tok->id, "argument", raw, xml); 1299 if (xml) { 1300 open_attr(fp, "arg-num"); 1301 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1302 close_attr(fp); 1303 open_attr(fp, "value"); 1304 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1305 close_attr(fp); 1306 open_attr(fp, "desc"); 1307 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1308 close_attr(fp); 1309 close_tag(fp, tok->id); 1310 } else { 1311 print_delim(fp, del); 1312 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1313 print_delim(fp, del); 1314 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1315 print_delim(fp, del); 1316 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1317 } 1318} 1319 1320static int 1321fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1322{ 1323 int err = 0; 1324 1325 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1326 if (err) 1327 return (-1); 1328 1329 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1330 if (err) 1331 return (-1); 1332 1333 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1334 if (err) 1335 return (-1); 1336 1337 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1338 tok->len, err); 1339 if (err) 1340 return (-1); 1341 1342 return (0); 1343} 1344 1345static void 1346print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1347 __unused char sfrm, int xml) 1348{ 1349 1350 print_tok_type(fp, tok->id, "argument", raw, xml); 1351 if (xml) { 1352 open_attr(fp, "arg-num"); 1353 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1354 close_attr(fp); 1355 open_attr(fp, "value"); 1356 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1357 close_attr(fp); 1358 open_attr(fp, "desc"); 1359 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1360 close_attr(fp); 1361 close_tag(fp, tok->id); 1362 } else { 1363 print_delim(fp, del); 1364 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1365 print_delim(fp, del); 1366 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1367 print_delim(fp, del); 1368 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1369 } 1370} 1371 1372/* 1373 * how to print 1 byte 1374 * basic unit 1 byte 1375 * unit count 1 byte 1376 * data items (depends on basic unit) 1377 */ 1378static int 1379fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1380{ 1381 int err = 0; 1382 int datasize; 1383 1384 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1385 if (err) 1386 return (-1); 1387 1388 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1389 if (err) 1390 return (-1); 1391 1392 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1393 if (err) 1394 return (-1); 1395 1396 /* 1397 * Determine the size of the basic unit. 1398 */ 1399 switch(tok->tt.arb.bu) { 1400 case AUR_BYTE: 1401 /* case AUR_CHAR: */ 1402 datasize = AUR_BYTE_SIZE; 1403 break; 1404 1405 case AUR_SHORT: 1406 datasize = AUR_SHORT_SIZE; 1407 break; 1408 1409 case AUR_INT32: 1410 /* case AUR_INT: */ 1411 datasize = AUR_INT32_SIZE; 1412 break; 1413 1414 case AUR_INT64: 1415 datasize = AUR_INT64_SIZE; 1416 break; 1417 1418 default: 1419 return (-1); 1420 } 1421 1422 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1423 tok->len, err); 1424 if (err) 1425 return (-1); 1426 1427 return (0); 1428} 1429 1430static void 1431print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1432 __unused char sfrm, int xml) 1433{ 1434 char *str; 1435 char *format; 1436 size_t size; 1437 int i; 1438 1439 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1440 if (!xml) 1441 print_delim(fp, del); 1442 1443 switch(tok->tt.arb.howtopr) { 1444 case AUP_BINARY: 1445 str = "binary"; 1446 format = " %c"; 1447 break; 1448 1449 case AUP_OCTAL: 1450 str = "octal"; 1451 format = " %o"; 1452 break; 1453 1454 case AUP_DECIMAL: 1455 str = "decimal"; 1456 format = " %d"; 1457 break; 1458 1459 case AUP_HEX: 1460 str = "hex"; 1461 format = " %x"; 1462 break; 1463 1464 case AUP_STRING: 1465 str = "string"; 1466 format = "%c"; 1467 break; 1468 1469 default: 1470 return; 1471 } 1472 1473 if (xml) { 1474 open_attr(fp, "print"); 1475 fprintf(fp, "%s",str); 1476 close_attr(fp); 1477 } else { 1478 print_string(fp, str, strlen(str)); 1479 print_delim(fp, del); 1480 } 1481 switch(tok->tt.arb.bu) { 1482 case AUR_BYTE: 1483 /* case AUR_CHAR: */ 1484 str = "byte"; 1485 size = AUR_BYTE_SIZE; 1486 if (xml) { 1487 open_attr(fp, "type"); 1488 fprintf(fp, "%zu", size); 1489 close_attr(fp); 1490 open_attr(fp, "count"); 1491 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1492 close_attr(fp); 1493 fprintf(fp, ">"); 1494 for (i = 0; i<tok->tt.arb.uc; i++) 1495 fprintf(fp, format, *(tok->tt.arb.data + 1496 (size * i))); 1497 close_tag(fp, tok->id); 1498 } else { 1499 print_string(fp, str, strlen(str)); 1500 print_delim(fp, del); 1501 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1502 print_delim(fp, del); 1503 for (i = 0; i<tok->tt.arb.uc; i++) 1504 fprintf(fp, format, *(tok->tt.arb.data + 1505 (size * i))); 1506 } 1507 break; 1508 1509 case AUR_SHORT: 1510 str = "short"; 1511 size = AUR_SHORT_SIZE; 1512 if (xml) { 1513 open_attr(fp, "type"); 1514 fprintf(fp, "%zu", size); 1515 close_attr(fp); 1516 open_attr(fp, "count"); 1517 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1518 close_attr(fp); 1519 fprintf(fp, ">"); 1520 for (i = 0; i < tok->tt.arb.uc; i++) 1521 fprintf(fp, format, 1522 *((u_int16_t *)(tok->tt.arb.data + 1523 (size * i)))); 1524 close_tag(fp, tok->id); 1525 } else { 1526 print_string(fp, str, strlen(str)); 1527 print_delim(fp, del); 1528 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1529 print_delim(fp, del); 1530 for (i = 0; i < tok->tt.arb.uc; i++) 1531 fprintf(fp, format, 1532 *((u_int16_t *)(tok->tt.arb.data + 1533 (size * i)))); 1534 } 1535 break; 1536 1537 case AUR_INT32: 1538 /* case AUR_INT: */ 1539 str = "int"; 1540 size = AUR_INT32_SIZE; 1541 if (xml) { 1542 open_attr(fp, "type"); 1543 fprintf(fp, "%zu", size); 1544 close_attr(fp); 1545 open_attr(fp, "count"); 1546 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1547 close_attr(fp); 1548 fprintf(fp, ">"); 1549 for (i = 0; i < tok->tt.arb.uc; i++) 1550 fprintf(fp, format, 1551 *((u_int32_t *)(tok->tt.arb.data + 1552 (size * i)))); 1553 close_tag(fp, tok->id); 1554 } else { 1555 print_string(fp, str, strlen(str)); 1556 print_delim(fp, del); 1557 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1558 print_delim(fp, del); 1559 for (i = 0; i < tok->tt.arb.uc; i++) 1560 fprintf(fp, format, 1561 *((u_int32_t *)(tok->tt.arb.data + 1562 (size * i)))); 1563 } 1564 break; 1565 1566 case AUR_INT64: 1567 str = "int64"; 1568 size = AUR_INT64_SIZE; 1569 if (xml) { 1570 open_attr(fp, "type"); 1571 fprintf(fp, "%zu", size); 1572 close_attr(fp); 1573 open_attr(fp, "count"); 1574 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1575 close_attr(fp); 1576 fprintf(fp, ">"); 1577 for (i = 0; i < tok->tt.arb.uc; i++) 1578 fprintf(fp, format, 1579 *((u_int64_t *)(tok->tt.arb.data + 1580 (size * i)))); 1581 close_tag(fp, tok->id); 1582 } else { 1583 print_string(fp, str, strlen(str)); 1584 print_delim(fp, del); 1585 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1586 print_delim(fp, del); 1587 for (i = 0; i < tok->tt.arb.uc; i++) 1588 fprintf(fp, format, 1589 *((u_int64_t *)(tok->tt.arb.data + 1590 (size * i)))); 1591 } 1592 break; 1593 1594 default: 1595 return; 1596 } 1597} 1598 1599/* 1600 * file access mode 4 bytes 1601 * owner user ID 4 bytes 1602 * owner group ID 4 bytes 1603 * file system ID 4 bytes 1604 * node ID 8 bytes 1605 * device 4 bytes/8 bytes (32-bit/64-bit) 1606 */ 1607static int 1608fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1609{ 1610 int err = 0; 1611 1612 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1613 if (err) 1614 return (-1); 1615 1616 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1617 if (err) 1618 return (-1); 1619 1620 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1621 if (err) 1622 return (-1); 1623 1624 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1625 if (err) 1626 return (-1); 1627 1628 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1629 if (err) 1630 return (-1); 1631 1632 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1633 if (err) 1634 return (-1); 1635 1636 return (0); 1637} 1638 1639static void 1640print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1641 __unused char sfrm, int xml) 1642{ 1643 1644 print_tok_type(fp, tok->id, "attribute", raw, xml); 1645 if (xml) { 1646 open_attr(fp, "mode"); 1647 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1648 close_attr(fp); 1649 open_attr(fp, "uid"); 1650 print_user(fp, tok->tt.attr32.uid, raw); 1651 close_attr(fp); 1652 open_attr(fp, "gid"); 1653 print_group(fp, tok->tt.attr32.gid, raw); 1654 close_attr(fp); 1655 open_attr(fp, "fsid"); 1656 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1657 close_attr(fp); 1658 open_attr(fp, "nodeid"); 1659 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1660 close_attr(fp); 1661 open_attr(fp, "device"); 1662 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1663 close_attr(fp); 1664 close_tag(fp, tok->id); 1665 } else { 1666 print_delim(fp, del); 1667 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1668 print_delim(fp, del); 1669 print_user(fp, tok->tt.attr32.uid, raw); 1670 print_delim(fp, del); 1671 print_group(fp, tok->tt.attr32.gid, raw); 1672 print_delim(fp, del); 1673 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1674 print_delim(fp, del); 1675 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1676 print_delim(fp, del); 1677 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1678 } 1679} 1680 1681/* 1682 * file access mode 4 bytes 1683 * owner user ID 4 bytes 1684 * owner group ID 4 bytes 1685 * file system ID 4 bytes 1686 * node ID 8 bytes 1687 * device 4 bytes/8 bytes (32-bit/64-bit) 1688 */ 1689static int 1690fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1691{ 1692 int err = 0; 1693 1694 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1695 if (err) 1696 return (-1); 1697 1698 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1699 if (err) 1700 return (-1); 1701 1702 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1703 if (err) 1704 return (-1); 1705 1706 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1707 if (err) 1708 return (-1); 1709 1710 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1711 if (err) 1712 return (-1); 1713 1714 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1715 if (err) 1716 return (-1); 1717 1718 return (0); 1719} 1720 1721static void 1722print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1723 __unused char sfrm, int xml) 1724{ 1725 1726 print_tok_type(fp, tok->id, "attribute", raw, xml); 1727 if (xml) { 1728 open_attr(fp, "mode"); 1729 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1730 close_attr(fp); 1731 open_attr(fp, "uid"); 1732 print_user(fp, tok->tt.attr64.uid, raw); 1733 close_attr(fp); 1734 open_attr(fp, "gid"); 1735 print_group(fp, tok->tt.attr64.gid, raw); 1736 close_attr(fp); 1737 open_attr(fp, "fsid"); 1738 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1739 close_attr(fp); 1740 open_attr(fp, "nodeid"); 1741 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1742 close_attr(fp); 1743 open_attr(fp, "device"); 1744 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1745 close_attr(fp); 1746 close_tag(fp, tok->id); 1747 } else { 1748 print_delim(fp, del); 1749 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1750 print_delim(fp, del); 1751 print_user(fp, tok->tt.attr64.uid, raw); 1752 print_delim(fp, del); 1753 print_group(fp, tok->tt.attr64.gid, raw); 1754 print_delim(fp, del); 1755 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1756 print_delim(fp, del); 1757 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1758 print_delim(fp, del); 1759 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1760 } 1761} 1762 1763/* 1764 * status 4 bytes 1765 * return value 4 bytes 1766 */ 1767static int 1768fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1769{ 1770 int err = 0; 1771 1772 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1773 if (err) 1774 return (-1); 1775 1776 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1777 if (err) 1778 return (-1); 1779 1780 return (0); 1781} 1782 1783static void 1784print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1785 __unused char sfrm, int xml) 1786{ 1787 1788 print_tok_type(fp, tok->id, "exit", raw, xml); 1789 if (xml) { 1790 open_attr(fp, "errval"); 1791 print_errval(fp, tok->tt.exit.status); 1792 close_attr(fp); 1793 open_attr(fp, "retval"); 1794 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1795 close_attr(fp); 1796 close_tag(fp, tok->id); 1797 } else { 1798 print_delim(fp, del); 1799 print_errval(fp, tok->tt.exit.status); 1800 print_delim(fp, del); 1801 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1802 } 1803} 1804 1805/* 1806 * count 4 bytes 1807 * text count null-terminated string(s) 1808 */ 1809static int 1810fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1811{ 1812 int err = 0; 1813 u_int32_t i; 1814 u_char *bptr; 1815 1816 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1817 if (err) 1818 return (-1); 1819 1820 for (i = 0; i < tok->tt.execarg.count; i++) { 1821 bptr = buf + tok->len; 1822 if (i < AUDIT_MAX_ARGS) 1823 tok->tt.execarg.text[i] = (char*)bptr; 1824 1825 /* Look for a null terminated string. */ 1826 while (bptr && (*bptr != '\0')) { 1827 if (++tok->len >= (u_int32_t)len) 1828 return (-1); 1829 bptr = buf + tok->len; 1830 } 1831 if (!bptr) 1832 return (-1); 1833 tok->len++; /* \0 character */ 1834 } 1835 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1836 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1837 1838 return (0); 1839} 1840 1841static void 1842print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1843 __unused char sfrm, int xml) 1844{ 1845 u_int32_t i; 1846 1847 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1848 for (i = 0; i < tok->tt.execarg.count; i++) { 1849 if (xml) { 1850 fprintf(fp, "<arg>"); 1851 print_string(fp, tok->tt.execarg.text[i], 1852 strlen(tok->tt.execarg.text[i])); 1853 fprintf(fp, "</arg>"); 1854 } else { 1855 print_delim(fp, del); 1856 print_string(fp, tok->tt.execarg.text[i], 1857 strlen(tok->tt.execarg.text[i])); 1858 } 1859 } 1860 if (xml) 1861 close_tag(fp, tok->id); 1862} 1863 1864/* 1865 * count 4 bytes 1866 * text count null-terminated string(s) 1867 */ 1868static int 1869fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1870{ 1871 int err = 0; 1872 u_int32_t i; 1873 u_char *bptr; 1874 1875 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1876 if (err) 1877 return (-1); 1878 1879 for (i = 0; i < tok->tt.execenv.count; i++) { 1880 bptr = buf + tok->len; 1881 if (i < AUDIT_MAX_ENV) 1882 tok->tt.execenv.text[i] = (char*)bptr; 1883 1884 /* Look for a null terminated string. */ 1885 while (bptr && (*bptr != '\0')) { 1886 if (++tok->len >= (u_int32_t)len) 1887 return (-1); 1888 bptr = buf + tok->len; 1889 } 1890 if (!bptr) 1891 return (-1); 1892 tok->len++; /* \0 character */ 1893 } 1894 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1895 tok->tt.execenv.count = AUDIT_MAX_ENV; 1896 1897 return (0); 1898} 1899 1900static void 1901print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1902 __unused char sfrm, int xml) 1903{ 1904 u_int32_t i; 1905 1906 print_tok_type(fp, tok->id, "exec env", raw, xml); 1907 for (i = 0; i< tok->tt.execenv.count; i++) { 1908 if (xml) { 1909 fprintf(fp, "<env>"); 1910 print_string(fp, tok->tt.execenv.text[i], 1911 strlen(tok->tt.execenv.text[i])); 1912 fprintf(fp, "</env>"); 1913 } else { 1914 print_delim(fp, del); 1915 print_string(fp, tok->tt.execenv.text[i], 1916 strlen(tok->tt.execenv.text[i])); 1917 } 1918 } 1919 if (xml) 1920 close_tag(fp, tok->id); 1921} 1922 1923/* 1924 * seconds of time 4 bytes 1925 * milliseconds of time 4 bytes 1926 * file name len 2 bytes 1927 * file pathname N bytes + 1 terminating NULL byte 1928 */ 1929static int 1930fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1931{ 1932 int err = 0; 1933 1934 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1935 if (err) 1936 return (-1); 1937 1938 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1939 if (err) 1940 return (-1); 1941 1942 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1943 if (err) 1944 return (-1); 1945 1946 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1947 err); 1948 if (err) 1949 return (-1); 1950 1951 return (0); 1952} 1953 1954static void 1955print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1956 __unused char sfrm, int xml) 1957{ 1958 1959 print_tok_type(fp, tok->id, "file", raw, xml); 1960 if (xml) { 1961 open_attr(fp, "time"); 1962 print_sec32(fp, tok->tt.file.s, raw); 1963 close_attr(fp); 1964 open_attr(fp, "msec"); 1965 print_msec32(fp, tok->tt.file.ms, raw); 1966 close_attr(fp); 1967 fprintf(fp, ">"); 1968 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1969 close_tag(fp, tok->id); 1970 } else { 1971 print_delim(fp, del); 1972 print_sec32(fp, tok->tt.file.s, raw); 1973 print_delim(fp, del); 1974 print_msec32(fp, tok->tt.file.ms, raw); 1975 print_delim(fp, del); 1976 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1977 } 1978} 1979 1980/* 1981 * number groups 2 bytes 1982 * group list count * 4 bytes 1983 */ 1984static int 1985fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1986{ 1987 int i; 1988 int err = 0; 1989 1990 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1991 if (err) 1992 return (-1); 1993 1994 for (i = 0; i<tok->tt.grps.no; i++) { 1995 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 1996 err); 1997 if (err) 1998 return (-1); 1999 } 2000 2001 return (0); 2002} 2003 2004static void 2005print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2006 __unused char sfrm, int xml) 2007{ 2008 int i; 2009 2010 print_tok_type(fp, tok->id, "group", raw, xml); 2011 for (i = 0; i < tok->tt.grps.no; i++) { 2012 if (xml) { 2013 fprintf(fp, "<gid>"); 2014 print_group(fp, tok->tt.grps.list[i], raw); 2015 fprintf(fp, "</gid>"); 2016 close_tag(fp, tok->id); 2017 } else { 2018 print_delim(fp, del); 2019 print_group(fp, tok->tt.grps.list[i], raw); 2020 } 2021 } 2022} 2023 2024/* 2025 * Internet addr 4 bytes 2026 */ 2027static int 2028fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2029{ 2030 int err = 0; 2031 2032 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2033 tok->len, err); 2034 if (err) 2035 return (-1); 2036 2037 return (0); 2038 2039} 2040 2041static void 2042print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2043 __unused char sfrm, int xml) 2044{ 2045 2046 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2047 if (xml) { 2048 print_ip_address(fp, tok->tt.inaddr.addr); 2049 close_tag(fp, tok->id); 2050 } else { 2051 print_delim(fp, del); 2052 print_ip_address(fp, tok->tt.inaddr.addr); 2053 } 2054} 2055 2056/* 2057 * type 4 bytes 2058 * address 16 bytes 2059 */ 2060static int 2061fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2062{ 2063 int err = 0; 2064 2065 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2066 if (err) 2067 return (-1); 2068 2069 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2070 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2071 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2072 if (err) 2073 return (-1); 2074 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2075 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2076 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2077 if (err) 2078 return (-1); 2079 } else 2080 return (-1); 2081 2082 return (0); 2083} 2084 2085static void 2086print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2087 __unused char sfrm, int xml) 2088{ 2089 2090 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2091 if (xml) { 2092 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2093 tok->tt.inaddr_ex.addr); 2094 close_tag(fp, tok->id); 2095 } else { 2096 print_delim(fp, del); 2097 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2098 tok->tt.inaddr_ex.addr); 2099 } 2100} 2101 2102/* 2103 * ip header 20 bytes 2104 */ 2105static int 2106fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2107{ 2108 int err = 0; 2109 2110 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2111 if (err) 2112 return (-1); 2113 2114 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2115 if (err) 2116 return (-1); 2117 2118 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2119 tok->len, err); 2120 if (err) 2121 return (-1); 2122 2123 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2124 tok->len, err); 2125 if (err) 2126 return (-1); 2127 2128 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2129 tok->len, err); 2130 if (err) 2131 return (-1); 2132 2133 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2134 if (err) 2135 return (-1); 2136 2137 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2138 if (err) 2139 return (-1); 2140 2141 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2142 tok->len, err); 2143 if (err) 2144 return (-1); 2145 2146 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2147 tok->len, err); 2148 if (err) 2149 return (-1); 2150 2151 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2152 tok->len, err); 2153 if (err) 2154 return (-1); 2155 2156 return (0); 2157} 2158 2159static void 2160print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2161 __unused char sfrm, int xml) 2162{ 2163 2164 print_tok_type(fp, tok->id, "ip", raw, xml); 2165 if (xml) { 2166 open_attr(fp, "version"); 2167 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2168 sizeof(u_char)); 2169 close_attr(fp); 2170 open_attr(fp, "service_type"); 2171 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2172 close_attr(fp); 2173 open_attr(fp, "len"); 2174 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2175 close_attr(fp); 2176 open_attr(fp, "id"); 2177 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2178 close_attr(fp); 2179 open_attr(fp, "offset"); 2180 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2181 close_attr(fp); 2182 open_attr(fp, "time_to_live"); 2183 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2184 close_attr(fp); 2185 open_attr(fp, "protocol"); 2186 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2187 close_attr(fp); 2188 open_attr(fp, "cksum"); 2189 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2190 close_attr(fp); 2191 open_attr(fp, "src_addr"); 2192 print_ip_address(fp, tok->tt.ip.src); 2193 close_attr(fp); 2194 open_attr(fp, "dest_addr"); 2195 print_ip_address(fp, tok->tt.ip.dest); 2196 close_attr(fp); 2197 close_tag(fp, tok->id); 2198 } else { 2199 print_delim(fp, del); 2200 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2201 sizeof(u_char)); 2202 print_delim(fp, del); 2203 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2204 print_delim(fp, del); 2205 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2206 print_delim(fp, del); 2207 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2208 print_delim(fp, del); 2209 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2210 print_delim(fp, del); 2211 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2212 print_delim(fp, del); 2213 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2214 print_delim(fp, del); 2215 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2216 print_delim(fp, del); 2217 print_ip_address(fp, tok->tt.ip.src); 2218 print_delim(fp, del); 2219 print_ip_address(fp, tok->tt.ip.dest); 2220 } 2221} 2222 2223/* 2224 * object ID type 1 byte 2225 * Object ID 4 bytes 2226 */ 2227static int 2228fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2229{ 2230 int err = 0; 2231 2232 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2233 if (err) 2234 return (-1); 2235 2236 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2237 if (err) 2238 return (-1); 2239 2240 return (0); 2241} 2242 2243static void 2244print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2245 __unused char sfrm, int xml) 2246{ 2247 2248 print_tok_type(fp, tok->id, "IPC", raw, xml); 2249 if (xml) { 2250 open_attr(fp, "ipc-type"); 2251 print_ipctype(fp, tok->tt.ipc.type, raw); 2252 close_attr(fp); 2253 open_attr(fp, "ipc-id"); 2254 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2255 close_attr(fp); 2256 close_tag(fp, tok->id); 2257 } else { 2258 print_delim(fp, del); 2259 print_ipctype(fp, tok->tt.ipc.type, raw); 2260 print_delim(fp, del); 2261 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2262 } 2263} 2264 2265/* 2266 * owner user id 4 bytes 2267 * owner group id 4 bytes 2268 * creator user id 4 bytes 2269 * creator group id 4 bytes 2270 * access mode 4 bytes 2271 * slot seq 4 bytes 2272 * key 4 bytes 2273 */ 2274static int 2275fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2276{ 2277 int err = 0; 2278 2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2280 if (err) 2281 return (-1); 2282 2283 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2284 if (err) 2285 return (-1); 2286 2287 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2288 if (err) 2289 return (-1); 2290 2291 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2292 if (err) 2293 return (-1); 2294 2295 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2296 if (err) 2297 return (-1); 2298 2299 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2300 if (err) 2301 return (-1); 2302 2303 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2304 if (err) 2305 return (-1); 2306 2307 return (0); 2308} 2309 2310static void 2311print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2312 __unused char sfrm, int xml) 2313{ 2314 2315 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2316 if (xml) { 2317 open_attr(fp, "uid"); 2318 print_user(fp, tok->tt.ipcperm.uid, raw); 2319 close_attr(fp); 2320 open_attr(fp, "gid"); 2321 print_group(fp, tok->tt.ipcperm.gid, raw); 2322 close_attr(fp); 2323 open_attr(fp, "creator-uid"); 2324 print_user(fp, tok->tt.ipcperm.puid, raw); 2325 close_attr(fp); 2326 open_attr(fp, "creator-gid"); 2327 print_group(fp, tok->tt.ipcperm.pgid, raw); 2328 close_attr(fp); 2329 open_attr(fp, "mode"); 2330 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2331 close_attr(fp); 2332 open_attr(fp, "seq"); 2333 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2334 close_attr(fp); 2335 open_attr(fp, "key"); 2336 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2337 close_attr(fp); 2338 close_tag(fp, tok->id); 2339 } else { 2340 print_delim(fp, del); 2341 print_user(fp, tok->tt.ipcperm.uid, raw); 2342 print_delim(fp, del); 2343 print_group(fp, tok->tt.ipcperm.gid, raw); 2344 print_delim(fp, del); 2345 print_user(fp, tok->tt.ipcperm.puid, raw); 2346 print_delim(fp, del); 2347 print_group(fp, tok->tt.ipcperm.pgid, raw); 2348 print_delim(fp, del); 2349 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2350 print_delim(fp, del); 2351 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2352 print_delim(fp, del); 2353 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2354 } 2355} 2356 2357/* 2358 * port Ip address 2 bytes 2359 */ 2360static int 2361fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2362{ 2363 int err = 0; 2364 2365 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2366 tok->len, err); 2367 if (err) 2368 return (-1); 2369 2370 return (0); 2371} 2372 2373static void 2374print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2375 __unused char sfrm, int xml) 2376{ 2377 2378 print_tok_type(fp, tok->id, "ip port", raw, xml); 2379 if (xml) { 2380 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2381 close_tag(fp, tok->id); 2382 } else { 2383 print_delim(fp, del); 2384 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2385 } 2386} 2387 2388/* 2389 * size 2 bytes 2390 * data size bytes 2391 */ 2392static int 2393fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2394{ 2395 int err = 0; 2396 2397 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2398 if (err) 2399 return (-1); 2400 2401 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2402 tok->len, err); 2403 if (err) 2404 return (-1); 2405 2406 return (0); 2407} 2408 2409static void 2410print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2411 __unused char sfrm, int xml) 2412{ 2413 2414 print_tok_type(fp, tok->id, "opaque", raw, xml); 2415 if (xml) { 2416 print_mem(fp, (u_char*)tok->tt.opaque.data, 2417 tok->tt.opaque.size); 2418 close_tag(fp, tok->id); 2419 } else { 2420 print_delim(fp, del); 2421 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2422 print_delim(fp, del); 2423 print_mem(fp, (u_char*)tok->tt.opaque.data, 2424 tok->tt.opaque.size); 2425 } 2426} 2427 2428/* 2429 * size 2 bytes 2430 * data size bytes 2431 */ 2432static int 2433fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2434{ 2435 int err = 0; 2436 2437 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2438 if (err) 2439 return (-1); 2440 2441 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2442 err); 2443 if (err) 2444 return (-1); 2445 2446 return (0); 2447} 2448 2449static void 2450print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2451 __unused char sfrm, int xml) 2452{ 2453 2454 print_tok_type(fp, tok->id, "path", raw, xml); 2455 if (xml) { 2456 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2457 close_tag(fp, tok->id); 2458 } else { 2459 print_delim(fp, del); 2460 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2461 } 2462} 2463 2464/* 2465 * token ID 1 byte 2466 * audit ID 4 bytes 2467 * euid 4 bytes 2468 * egid 4 bytes 2469 * ruid 4 bytes 2470 * rgid 4 bytes 2471 * pid 4 bytes 2472 * sessid 4 bytes 2473 * terminal ID 2474 * portid 4 bytes 2475 * machine id 4 bytes 2476 */ 2477static int 2478fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2479{ 2480 int err = 0; 2481 2482 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2483 if (err) 2484 return (-1); 2485 2486 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2487 if (err) 2488 return (-1); 2489 2490 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2491 if (err) 2492 return (-1); 2493 2494 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2495 if (err) 2496 return (-1); 2497 2498 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2499 if (err) 2500 return (-1); 2501 2502 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2503 if (err) 2504 return (-1); 2505 2506 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2507 if (err) 2508 return (-1); 2509 2510 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2511 if (err) 2512 return (-1); 2513 2514 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2515 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2516 if (err) 2517 return (-1); 2518 2519 return (0); 2520} 2521 2522static void 2523print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2524 __unused char sfrm, int xml) 2525{ 2526 2527 print_tok_type(fp, tok->id, "process", raw, xml); 2528 if (xml) { 2529 open_attr(fp, "audit-uid"); 2530 print_user(fp, tok->tt.proc32.auid, raw); 2531 close_attr(fp); 2532 open_attr(fp, "uid"); 2533 print_user(fp, tok->tt.proc32.euid, raw); 2534 close_attr(fp); 2535 open_attr(fp, "gid"); 2536 print_group(fp, tok->tt.proc32.egid, raw); 2537 close_attr(fp); 2538 open_attr(fp, "ruid"); 2539 print_user(fp, tok->tt.proc32.ruid, raw); 2540 close_attr(fp); 2541 open_attr(fp, "rgid"); 2542 print_group(fp, tok->tt.proc32.rgid, raw); 2543 close_attr(fp); 2544 open_attr(fp, "pid"); 2545 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2546 close_attr(fp); 2547 open_attr(fp, "sid"); 2548 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2549 close_attr(fp); 2550 open_attr(fp, "tid"); 2551 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2552 print_ip_address(fp, tok->tt.proc32.tid.addr); 2553 close_attr(fp); 2554 close_tag(fp, tok->id); 2555 } else { 2556 print_delim(fp, del); 2557 print_user(fp, tok->tt.proc32.auid, raw); 2558 print_delim(fp, del); 2559 print_user(fp, tok->tt.proc32.euid, raw); 2560 print_delim(fp, del); 2561 print_group(fp, tok->tt.proc32.egid, raw); 2562 print_delim(fp, del); 2563 print_user(fp, tok->tt.proc32.ruid, raw); 2564 print_delim(fp, del); 2565 print_group(fp, tok->tt.proc32.rgid, raw); 2566 print_delim(fp, del); 2567 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2568 print_delim(fp, del); 2569 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2570 print_delim(fp, del); 2571 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2572 print_delim(fp, del); 2573 print_ip_address(fp, tok->tt.proc32.tid.addr); 2574 } 2575} 2576 2577/* 2578 * token ID 1 byte 2579 * audit ID 4 bytes 2580 * euid 4 bytes 2581 * egid 4 bytes 2582 * ruid 4 bytes 2583 * rgid 4 bytes 2584 * pid 4 bytes 2585 * sessid 4 bytes 2586 * terminal ID 2587 * portid 8 bytes 2588 * machine id 4 bytes 2589 */ 2590static int 2591fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2592{ 2593 int err = 0; 2594 2595 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2596 if (err) 2597 return (-1); 2598 2599 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2600 if (err) 2601 return (-1); 2602 2603 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2604 if (err) 2605 return (-1); 2606 2607 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2608 if (err) 2609 return (-1); 2610 2611 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2612 if (err) 2613 return (-1); 2614 2615 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2616 if (err) 2617 return (-1); 2618 2619 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2620 if (err) 2621 return (-1); 2622 2623 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2624 if (err) 2625 return (-1); 2626 2627 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2628 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2629 if (err) 2630 return (-1); 2631 2632 return (0); 2633} 2634 2635static void 2636print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2637 __unused char sfrm, int xml) 2638{ 2639 print_tok_type(fp, tok->id, "process", raw, xml); 2640 if (xml) { 2641 open_attr(fp, "audit-uid"); 2642 print_user(fp, tok->tt.proc64.auid, raw); 2643 close_attr(fp); 2644 open_attr(fp, "uid"); 2645 print_user(fp, tok->tt.proc64.euid, raw); 2646 close_attr(fp); 2647 open_attr(fp, "gid"); 2648 print_group(fp, tok->tt.proc64.egid, raw); 2649 close_attr(fp); 2650 open_attr(fp, "ruid"); 2651 print_user(fp, tok->tt.proc64.ruid, raw); 2652 close_attr(fp); 2653 open_attr(fp, "rgid"); 2654 print_group(fp, tok->tt.proc64.rgid, raw); 2655 close_attr(fp); 2656 open_attr(fp, "pid"); 2657 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2658 close_attr(fp); 2659 open_attr(fp, "sid"); 2660 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2661 close_attr(fp); 2662 open_attr(fp, "tid"); 2663 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2664 print_ip_address(fp, tok->tt.proc64.tid.addr); 2665 close_attr(fp); 2666 close_tag(fp, tok->id); 2667 } else { 2668 print_delim(fp, del); 2669 print_user(fp, tok->tt.proc64.auid, raw); 2670 print_delim(fp, del); 2671 print_user(fp, tok->tt.proc64.euid, raw); 2672 print_delim(fp, del); 2673 print_group(fp, tok->tt.proc64.egid, raw); 2674 print_delim(fp, del); 2675 print_user(fp, tok->tt.proc64.ruid, raw); 2676 print_delim(fp, del); 2677 print_group(fp, tok->tt.proc64.rgid, raw); 2678 print_delim(fp, del); 2679 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2680 print_delim(fp, del); 2681 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2682 print_delim(fp, del); 2683 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2684 print_delim(fp, del); 2685 print_ip_address(fp, tok->tt.proc64.tid.addr); 2686 } 2687} 2688 2689/* 2690 * token ID 1 byte 2691 * audit ID 4 bytes 2692 * effective user ID 4 bytes 2693 * effective group ID 4 bytes 2694 * real user ID 4 bytes 2695 * real group ID 4 bytes 2696 * process ID 4 bytes 2697 * session ID 4 bytes 2698 * terminal ID 2699 * port ID 4 bytes 2700 * address type-len 4 bytes 2701 * machine address 16 bytes 2702 */ 2703static int 2704fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2705{ 2706 int err = 0; 2707 2708 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2709 if (err) 2710 return (-1); 2711 2712 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2713 if (err) 2714 return (-1); 2715 2716 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2717 if (err) 2718 return (-1); 2719 2720 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2721 if (err) 2722 return (-1); 2723 2724 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2725 if (err) 2726 return (-1); 2727 2728 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2729 if (err) 2730 return (-1); 2731 2732 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2733 if (err) 2734 return (-1); 2735 2736 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2737 err); 2738 if (err) 2739 return (-1); 2740 2741 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2742 err); 2743 if (err) 2744 return (-1); 2745 2746 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2747 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2748 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2749 if (err) 2750 return (-1); 2751 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2752 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2753 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2754 if (err) 2755 return (-1); 2756 } else 2757 return (-1); 2758 2759 return (0); 2760} 2761 2762static void 2763print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2764 __unused char sfrm, int xml) 2765{ 2766 2767 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2768 if (xml) { 2769 open_attr(fp, "audit-uid"); 2770 print_user(fp, tok->tt.proc32_ex.auid, raw); 2771 close_attr(fp); 2772 open_attr(fp, "uid"); 2773 print_user(fp, tok->tt.proc32_ex.euid, raw); 2774 close_attr(fp); 2775 open_attr(fp, "gid"); 2776 print_group(fp, tok->tt.proc32_ex.egid, raw); 2777 close_attr(fp); 2778 open_attr(fp, "ruid"); 2779 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2780 close_attr(fp); 2781 open_attr(fp, "rgid"); 2782 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2783 close_attr(fp); 2784 open_attr(fp, "pid"); 2785 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2786 close_attr(fp); 2787 open_attr(fp, "sid"); 2788 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2789 close_attr(fp); 2790 open_attr(fp, "tid"); 2791 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2792 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2793 tok->tt.proc32_ex.tid.addr); 2794 close_attr(fp); 2795 close_tag(fp, tok->id); 2796 } else { 2797 print_delim(fp, del); 2798 print_user(fp, tok->tt.proc32_ex.auid, raw); 2799 print_delim(fp, del); 2800 print_user(fp, tok->tt.proc32_ex.euid, raw); 2801 print_delim(fp, del); 2802 print_group(fp, tok->tt.proc32_ex.egid, raw); 2803 print_delim(fp, del); 2804 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2805 print_delim(fp, del); 2806 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2807 print_delim(fp, del); 2808 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2809 print_delim(fp, del); 2810 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2811 print_delim(fp, del); 2812 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2813 print_delim(fp, del); 2814 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2815 tok->tt.proc32_ex.tid.addr); 2816 } 2817} 2818 2819/* 2820 * token ID 1 byte 2821 * audit ID 4 bytes 2822 * effective user ID 4 bytes 2823 * effective group ID 4 bytes 2824 * real user ID 4 bytes 2825 * real group ID 4 bytes 2826 * process ID 4 bytes 2827 * session ID 4 bytes 2828 * terminal ID 2829 * port ID 8 bytes 2830 * address type-len 4 bytes 2831 * machine address 16 bytes 2832 */ 2833static int 2834fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2835{ 2836 int err = 0; 2837 2838 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2839 if (err) 2840 return (-1); 2841 2842 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2843 if (err) 2844 return (-1); 2845 2846 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2847 if (err) 2848 return (-1); 2849 2850 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2851 if (err) 2852 return (-1); 2853 2854 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2855 if (err) 2856 return (-1); 2857 2858 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2859 if (err) 2860 return (-1); 2861 2862 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2863 if (err) 2864 return (-1); 2865 2866 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2867 err); 2868 if (err) 2869 return (-1); 2870 2871 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2872 err); 2873 if (err) 2874 return (-1); 2875 2876 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2877 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2878 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2879 if (err) 2880 return (-1); 2881 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2882 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2883 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2884 if (err) 2885 return (-1); 2886 } else 2887 return (-1); 2888 2889 return (0); 2890} 2891 2892static void 2893print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2894 __unused char sfrm, int xml) 2895{ 2896 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2897 if (xml) { 2898 open_attr(fp, "audit-uid"); 2899 print_user(fp, tok->tt.proc64_ex.auid, raw); 2900 close_attr(fp); 2901 open_attr(fp, "uid"); 2902 print_user(fp, tok->tt.proc64_ex.euid, raw); 2903 close_attr(fp); 2904 open_attr(fp, "gid"); 2905 print_group(fp, tok->tt.proc64_ex.egid, raw); 2906 close_attr(fp); 2907 open_attr(fp, "ruid"); 2908 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2909 close_attr(fp); 2910 open_attr(fp, "rgid"); 2911 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2912 close_attr(fp); 2913 open_attr(fp, "pid"); 2914 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2915 close_attr(fp); 2916 open_attr(fp, "sid"); 2917 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2918 close_attr(fp); 2919 open_attr(fp, "tid"); 2920 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2921 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2922 tok->tt.proc64_ex.tid.addr); 2923 close_attr(fp); 2924 close_tag(fp, tok->id); 2925 } else { 2926 print_delim(fp, del); 2927 print_user(fp, tok->tt.proc64_ex.auid, raw); 2928 print_delim(fp, del); 2929 print_user(fp, tok->tt.proc64_ex.euid, raw); 2930 print_delim(fp, del); 2931 print_group(fp, tok->tt.proc64_ex.egid, raw); 2932 print_delim(fp, del); 2933 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2934 print_delim(fp, del); 2935 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2936 print_delim(fp, del); 2937 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2938 print_delim(fp, del); 2939 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2940 print_delim(fp, del); 2941 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2942 print_delim(fp, del); 2943 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2944 tok->tt.proc64_ex.tid.addr); 2945 } 2946} 2947 2948/* 2949 * errno 1 byte 2950 * return value 4 bytes 2951 */ 2952static int 2953fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2954{ 2955 int err = 0; 2956 2957 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2958 if (err) 2959 return (-1); 2960 2961 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2962 if (err) 2963 return (-1); 2964 2965 return (0); 2966} 2967 2968static void 2969print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2970 __unused char sfrm, int xml) 2971{ 2972 2973 print_tok_type(fp, tok->id, "return", raw, xml); 2974 if (xml) { 2975 open_attr(fp ,"errval"); 2976 print_retval(fp, tok->tt.ret32.status, raw); 2977 close_attr(fp); 2978 open_attr(fp, "retval"); 2979 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2980 close_attr(fp); 2981 close_tag(fp, tok->id); 2982 } else { 2983 print_delim(fp, del); 2984 print_retval(fp, tok->tt.ret32.status, raw); 2985 print_delim(fp, del); 2986 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2987 } 2988} 2989 2990static int 2991fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2992{ 2993 int err = 0; 2994 2995 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 2996 if (err) 2997 return (-1); 2998 2999 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3000 if (err) 3001 return (-1); 3002 3003 return (0); 3004} 3005 3006static void 3007print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3008 __unused char sfrm, int xml) 3009{ 3010 3011 print_tok_type(fp, tok->id, "return", raw, xml); 3012 if (xml) { 3013 open_attr(fp, "errval"); 3014 print_retval(fp, tok->tt.ret64.err, raw); 3015 close_attr(fp); 3016 open_attr(fp, "retval"); 3017 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3018 close_attr(fp); 3019 close_tag(fp, tok->id); 3020 } else { 3021 print_delim(fp, del); 3022 print_retval(fp, tok->tt.ret64.err, raw); 3023 print_delim(fp, del); 3024 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3025 } 3026} 3027 3028/* 3029 * seq 4 bytes 3030 */ 3031static int 3032fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3033{ 3034 int err = 0; 3035 3036 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3037 if (err) 3038 return (-1); 3039 3040 return (0); 3041} 3042 3043static void 3044print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3045 __unused char sfrm, int xml) 3046{ 3047 3048 print_tok_type(fp, tok->id, "sequence", raw, xml); 3049 if (xml) { 3050 open_attr(fp, "seq-num"); 3051 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3052 close_attr(fp); 3053 close_tag(fp, tok->id); 3054 } else { 3055 print_delim(fp, del); 3056 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3057 } 3058} 3059 3060/* 3061 * socket family 2 bytes 3062 * local port 2 bytes 3063 * socket address 4 bytes 3064 */ 3065static int 3066fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3067{ 3068 int err = 0; 3069 3070 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len, 3071 err); 3072 if (err) 3073 return (-1); 3074 3075 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port, 3076 sizeof(uint16_t), tok->len, err); 3077 if (err) 3078 return (-1); 3079 3080 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr, 3081 sizeof(tok->tt.sockinet32.addr), tok->len, err); 3082 if (err) 3083 return (-1); 3084 3085 return (0); 3086} 3087 3088static void 3089print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3090 __unused char sfrm, int xml) 3091{ 3092 3093 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3094 if (xml) { 3095 open_attr(fp, "type"); 3096 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3097 close_attr(fp); 3098 open_attr(fp, "port"); 3099 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3100 close_attr(fp); 3101 open_attr(fp, "addr"); 3102 print_ip_address(fp, tok->tt.sockinet32.addr); 3103 close_attr(fp); 3104 close_tag(fp, tok->id); 3105 } else { 3106 print_delim(fp, del); 3107 print_2_bytes(fp, tok->tt.sockinet32.family, "%u"); 3108 print_delim(fp, del); 3109 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u"); 3110 print_delim(fp, del); 3111 print_ip_address(fp, tok->tt.sockinet32.addr); 3112 } 3113} 3114 3115/* 3116 * socket family 2 bytes 3117 * path 104 bytes 3118 */ 3119static int 3120fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3121{ 3122 int err = 0; 3123 3124 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3125 if (err) 3126 return (-1); 3127 3128 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3129 err); 3130 if (err) 3131 return (-1); 3132 3133 return (0); 3134} 3135 3136static void 3137print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3138 __unused char sfrm, int xml) 3139{ 3140 3141 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3142 if (xml) { 3143 open_attr(fp, "type"); 3144 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3145 close_attr(fp); 3146 open_attr(fp, "port"); 3147 close_attr(fp); 3148 open_attr(fp, "addr"); 3149 print_string(fp, tok->tt.sockunix.path, 3150 strlen(tok->tt.sockunix.path)); 3151 close_attr(fp); 3152 close_tag(fp, tok->id); 3153 } else { 3154 print_delim(fp, del); 3155 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3156 print_delim(fp, del); 3157 print_string(fp, tok->tt.sockunix.path, 3158 strlen(tok->tt.sockunix.path)); 3159 } 3160} 3161 3162/* 3163 * socket type 2 bytes 3164 * local port 2 bytes 3165 * local address 4 bytes 3166 * remote port 2 bytes 3167 * remote address 4 bytes 3168 */ 3169static int 3170fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3171{ 3172 int err = 0; 3173 3174 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3175 if (err) 3176 return (-1); 3177 3178 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3179 tok->len, err); 3180 if (err) 3181 return (-1); 3182 3183 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3184 sizeof(tok->tt.socket.l_addr), tok->len, err); 3185 if (err) 3186 return (-1); 3187 3188 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3189 tok->len, err); 3190 if (err) 3191 return (-1); 3192 3193 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3194 sizeof(tok->tt.socket.r_addr), tok->len, err); 3195 if (err) 3196 return (-1); 3197 3198 return (0); 3199} 3200 3201static void 3202print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3203 __unused char sfrm, int xml) 3204{ 3205 3206 print_tok_type(fp, tok->id, "socket", raw, xml); 3207 if (xml) { 3208 open_attr(fp, "sock_type"); 3209 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3210 close_attr(fp); 3211 open_attr(fp, "lport"); 3212 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3213 close_attr(fp); 3214 open_attr(fp, "laddr"); 3215 print_ip_address(fp, tok->tt.socket.l_addr); 3216 close_attr(fp); 3217 open_attr(fp, "fport"); 3218 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3219 close_attr(fp); 3220 open_attr(fp, "faddr"); 3221 print_ip_address(fp, tok->tt.socket.r_addr); 3222 close_attr(fp); 3223 close_tag(fp, tok->id); 3224 } else { 3225 print_delim(fp, del); 3226 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3227 print_delim(fp, del); 3228 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3229 print_delim(fp, del); 3230 print_ip_address(fp, tok->tt.socket.l_addr); 3231 print_delim(fp, del); 3232 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3233 print_delim(fp, del); 3234 print_ip_address(fp, tok->tt.socket.r_addr); 3235 } 3236} 3237 3238/* 3239 * audit ID 4 bytes 3240 * euid 4 bytes 3241 * egid 4 bytes 3242 * ruid 4 bytes 3243 * rgid 4 bytes 3244 * pid 4 bytes 3245 * sessid 4 bytes 3246 * terminal ID 3247 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3248 * machine id 4 bytes 3249 */ 3250static int 3251fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3252{ 3253 int err = 0; 3254 3255 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3256 if (err) 3257 return (-1); 3258 3259 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3260 if (err) 3261 return (-1); 3262 3263 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3264 if (err) 3265 return (-1); 3266 3267 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3268 if (err) 3269 return (-1); 3270 3271 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3272 if (err) 3273 return (-1); 3274 3275 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3276 if (err) 3277 return (-1); 3278 3279 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3280 if (err) 3281 return (-1); 3282 3283 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3284 if (err) 3285 return (-1); 3286 3287 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3288 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3289 if (err) 3290 return (-1); 3291 3292 return (0); 3293} 3294 3295static void 3296print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3297 __unused char sfrm, int xml) 3298{ 3299 3300 print_tok_type(fp, tok->id, "subject", raw, xml); 3301 if (xml) { 3302 open_attr(fp, "audit-uid"); 3303 print_user(fp, tok->tt.subj32.auid, raw); 3304 close_attr(fp); 3305 open_attr(fp, "uid"); 3306 print_user(fp, tok->tt.subj32.euid, raw); 3307 close_attr(fp); 3308 open_attr(fp, "gid"); 3309 print_group(fp, tok->tt.subj32.egid, raw); 3310 close_attr(fp); 3311 open_attr(fp, "ruid"); 3312 print_user(fp, tok->tt.subj32.ruid, raw); 3313 close_attr(fp); 3314 open_attr(fp, "rgid"); 3315 print_group(fp, tok->tt.subj32.rgid, raw); 3316 close_attr(fp); 3317 open_attr(fp,"pid"); 3318 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3319 close_attr(fp); 3320 open_attr(fp,"sid"); 3321 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3322 close_attr(fp); 3323 open_attr(fp,"tid"); 3324 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3325 print_ip_address(fp, tok->tt.subj32.tid.addr); 3326 close_attr(fp); 3327 close_tag(fp, tok->id); 3328 } else { 3329 print_delim(fp, del); 3330 print_user(fp, tok->tt.subj32.auid, raw); 3331 print_delim(fp, del); 3332 print_user(fp, tok->tt.subj32.euid, raw); 3333 print_delim(fp, del); 3334 print_group(fp, tok->tt.subj32.egid, raw); 3335 print_delim(fp, del); 3336 print_user(fp, tok->tt.subj32.ruid, raw); 3337 print_delim(fp, del); 3338 print_group(fp, tok->tt.subj32.rgid, raw); 3339 print_delim(fp, del); 3340 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3341 print_delim(fp, del); 3342 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3343 print_delim(fp, del); 3344 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3345 print_delim(fp, del); 3346 print_ip_address(fp, tok->tt.subj32.tid.addr); 3347 } 3348} 3349 3350/* 3351 * audit ID 4 bytes 3352 * euid 4 bytes 3353 * egid 4 bytes 3354 * ruid 4 bytes 3355 * rgid 4 bytes 3356 * pid 4 bytes 3357 * sessid 4 bytes 3358 * terminal ID 3359 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3360 * machine id 4 bytes 3361 */ 3362static int 3363fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3364{ 3365 int err = 0; 3366 3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3368 if (err) 3369 return (-1); 3370 3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3372 if (err) 3373 return (-1); 3374 3375 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3376 if (err) 3377 return (-1); 3378 3379 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3380 if (err) 3381 return (-1); 3382 3383 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3384 if (err) 3385 return (-1); 3386 3387 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3388 if (err) 3389 return (-1); 3390 3391 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3392 if (err) 3393 return (-1); 3394 3395 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3396 if (err) 3397 return (-1); 3398 3399 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3400 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3401 if (err) 3402 return (-1); 3403 3404 return (0); 3405} 3406 3407static void 3408print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3409 __unused char sfrm, int xml) 3410{ 3411 3412 print_tok_type(fp, tok->id, "subject", raw, xml); 3413 if (xml) { 3414 open_attr(fp, "audit-uid"); 3415 print_user(fp, tok->tt.subj64.auid, raw); 3416 close_attr(fp); 3417 open_attr(fp, "uid"); 3418 print_user(fp, tok->tt.subj64.euid, raw); 3419 close_attr(fp); 3420 open_attr(fp, "gid"); 3421 print_group(fp, tok->tt.subj64.egid, raw); 3422 close_attr(fp); 3423 open_attr(fp, "ruid"); 3424 print_user(fp, tok->tt.subj64.ruid, raw); 3425 close_attr(fp); 3426 open_attr(fp, "rgid"); 3427 print_group(fp, tok->tt.subj64.rgid, raw); 3428 close_attr(fp); 3429 open_attr(fp, "pid"); 3430 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3431 close_attr(fp); 3432 open_attr(fp, "sid"); 3433 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3434 close_attr(fp); 3435 open_attr(fp, "tid"); 3436 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3437 print_ip_address(fp, tok->tt.subj64.tid.addr); 3438 close_attr(fp); 3439 close_tag(fp, tok->id); 3440 } else { 3441 print_delim(fp, del); 3442 print_user(fp, tok->tt.subj64.auid, raw); 3443 print_delim(fp, del); 3444 print_user(fp, tok->tt.subj64.euid, raw); 3445 print_delim(fp, del); 3446 print_group(fp, tok->tt.subj64.egid, raw); 3447 print_delim(fp, del); 3448 print_user(fp, tok->tt.subj64.ruid, raw); 3449 print_delim(fp, del); 3450 print_group(fp, tok->tt.subj64.rgid, raw); 3451 print_delim(fp, del); 3452 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3453 print_delim(fp, del); 3454 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3455 print_delim(fp, del); 3456 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3457 print_delim(fp, del); 3458 print_ip_address(fp, tok->tt.subj64.tid.addr); 3459 } 3460} 3461 3462/* 3463 * audit ID 4 bytes 3464 * euid 4 bytes 3465 * egid 4 bytes 3466 * ruid 4 bytes 3467 * rgid 4 bytes 3468 * pid 4 bytes 3469 * sessid 4 bytes 3470 * terminal ID 3471 * portid 4 bytes 3472 * type 4 bytes 3473 * machine id 16 bytes 3474 */ 3475static int 3476fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3477{ 3478 int err = 0; 3479 3480 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3481 if (err) 3482 return (-1); 3483 3484 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3485 if (err) 3486 return (-1); 3487 3488 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3489 if (err) 3490 return (-1); 3491 3492 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3493 if (err) 3494 return (-1); 3495 3496 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3497 if (err) 3498 return (-1); 3499 3500 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3501 if (err) 3502 return (-1); 3503 3504 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3505 if (err) 3506 return (-1); 3507 3508 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3509 err); 3510 if (err) 3511 return (-1); 3512 3513 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3514 err); 3515 if (err) 3516 return (-1); 3517 3518 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3519 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3520 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3521 if (err) 3522 return (-1); 3523 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3524 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3525 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3526 if (err) 3527 return (-1); 3528 } else 3529 return (-1); 3530 3531 return (0); 3532} 3533 3534static void 3535print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3536 __unused char sfrm, int xml) 3537{ 3538 3539 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3540 if (xml) { 3541 open_attr(fp, "audit-uid"); 3542 print_user(fp, tok->tt.subj32_ex.auid, raw); 3543 close_attr(fp); 3544 open_attr(fp, "uid"); 3545 print_user(fp, tok->tt.subj32_ex.euid, raw); 3546 close_attr(fp); 3547 open_attr(fp, "gid"); 3548 print_group(fp, tok->tt.subj32_ex.egid, raw); 3549 close_attr(fp); 3550 open_attr(fp, "ruid"); 3551 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3552 close_attr(fp); 3553 open_attr(fp, "rgid"); 3554 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3555 close_attr(fp); 3556 open_attr(fp, "pid"); 3557 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3558 close_attr(fp); 3559 open_attr(fp, "sid"); 3560 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3561 close_attr(fp); 3562 open_attr(fp, "tid"); 3563 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3564 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3565 tok->tt.subj32_ex.tid.addr); 3566 close_attr(fp); 3567 close_tag(fp, tok->id); 3568 } else { 3569 print_delim(fp, del); 3570 print_user(fp, tok->tt.subj32_ex.auid, raw); 3571 print_delim(fp, del); 3572 print_user(fp, tok->tt.subj32_ex.euid, raw); 3573 print_delim(fp, del); 3574 print_group(fp, tok->tt.subj32_ex.egid, raw); 3575 print_delim(fp, del); 3576 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3577 print_delim(fp, del); 3578 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3579 print_delim(fp, del); 3580 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3581 print_delim(fp, del); 3582 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3583 print_delim(fp, del); 3584 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3585 print_delim(fp, del); 3586 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3587 tok->tt.subj32_ex.tid.addr); 3588 } 3589} 3590 3591/* 3592 * audit ID 4 bytes 3593 * euid 4 bytes 3594 * egid 4 bytes 3595 * ruid 4 bytes 3596 * rgid 4 bytes 3597 * pid 4 bytes 3598 * sessid 4 bytes 3599 * terminal ID 3600 * portid 8 bytes 3601 * type 4 bytes 3602 * machine id 16 bytes 3603 */ 3604static int 3605fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3606{ 3607 int err = 0; 3608 3609 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3610 if (err) 3611 return (-1); 3612 3613 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3614 if (err) 3615 return (-1); 3616 3617 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3618 if (err) 3619 return (-1); 3620 3621 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3622 if (err) 3623 return (-1); 3624 3625 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3626 if (err) 3627 return (-1); 3628 3629 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3630 if (err) 3631 return (-1); 3632 3633 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3634 if (err) 3635 return (-1); 3636 3637 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3638 err); 3639 if (err) 3640 return (-1); 3641 3642 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3643 err); 3644 if (err) 3645 return (-1); 3646 3647 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3648 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3649 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3650 if (err) 3651 return (-1); 3652 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3653 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3654 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3655 if (err) 3656 return (-1); 3657 } else 3658 return (-1); 3659 3660 return (0); 3661} 3662 3663static void 3664print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3665 __unused char sfrm, int xml) 3666{ 3667 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3668 if (xml) { 3669 open_attr(fp, "audit-uid"); 3670 print_user(fp, tok->tt.subj64_ex.auid, raw); 3671 close_attr(fp); 3672 open_attr(fp, "uid"); 3673 print_user(fp, tok->tt.subj64_ex.euid, raw); 3674 close_attr(fp); 3675 open_attr(fp, "gid"); 3676 print_group(fp, tok->tt.subj64_ex.egid, raw); 3677 close_attr(fp); 3678 open_attr(fp, "ruid"); 3679 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3680 close_attr(fp); 3681 open_attr(fp, "rgid"); 3682 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3683 close_attr(fp); 3684 open_attr(fp, "pid"); 3685 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3686 close_attr(fp); 3687 open_attr(fp, "sid"); 3688 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3689 close_attr(fp); 3690 open_attr(fp, "tid"); 3691 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3692 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3693 tok->tt.subj64_ex.tid.addr); 3694 close_attr(fp); 3695 close_tag(fp, tok->id); 3696 } else { 3697 print_delim(fp, del); 3698 print_user(fp, tok->tt.subj64_ex.auid, raw); 3699 print_delim(fp, del); 3700 print_user(fp, tok->tt.subj64_ex.euid, raw); 3701 print_delim(fp, del); 3702 print_group(fp, tok->tt.subj64_ex.egid, raw); 3703 print_delim(fp, del); 3704 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3705 print_delim(fp, del); 3706 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3707 print_delim(fp, del); 3708 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3709 print_delim(fp, del); 3710 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3711 print_delim(fp, del); 3712 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3713 print_delim(fp, del); 3714 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3715 tok->tt.subj64_ex.tid.addr); 3716 } 3717} 3718 3719/* 3720 * size 2 bytes 3721 * data size bytes 3722 */ 3723static int 3724fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3725{ 3726 int err = 0; 3727 3728 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3729 if (err) 3730 return (-1); 3731 3732 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3733 err); 3734 if (err) 3735 return (-1); 3736 3737 return (0); 3738} 3739 3740static void 3741print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3742 __unused char sfrm, int xml) 3743{ 3744 3745 print_tok_type(fp, tok->id, "text", raw, xml); 3746 if (xml) { 3747 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3748 close_tag(fp, tok->id); 3749 } else { 3750 print_delim(fp, del); 3751 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3752 } 3753} 3754 3755/* 3756 * socket domain 2 bytes 3757 * socket type 2 bytes 3758 * address type 2 bytes 3759 * local port 2 bytes 3760 * local Internet address 4/16 bytes 3761 * remote port 2 bytes 3762 * remote Internet address 4/16 bytes 3763 */ 3764static int 3765fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3766{ 3767 int err = 0; 3768 3769 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3770 err); 3771 if (err) 3772 return (-1); 3773 3774 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3775 err); 3776 if (err) 3777 return (-1); 3778 3779 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3780 err); 3781 if (err) 3782 return (-1); 3783 3784 if (tok->tt.socket_ex32.atype != AU_IPv4 && 3785 tok->tt.socket_ex32.atype != AU_IPv6) 3786 return (-1); 3787 3788 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3789 sizeof(uint16_t), tok->len, err); 3790 if (err) 3791 return (-1); 3792 3793 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3794 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3795 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3796 if (err) 3797 return (-1); 3798 } else { 3799 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3800 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3801 if (err) 3802 return (-1); 3803 } 3804 3805 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3806 sizeof(uint16_t), tok->len, err); 3807 if (err) 3808 return (-1); 3809 3810 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3811 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3812 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3813 if (err) 3814 return (-1); 3815 } else { 3816 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3817 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3818 if (err) 3819 return (-1); 3820 } 3821 3822 return (0); 3823} 3824 3825static void 3826print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3827 __unused char sfrm, int xml) 3828{ 3829 3830 print_tok_type(fp, tok->id, "socket", raw, xml); 3831 if (xml) { 3832 open_attr(fp, "sock_dom"); 3833 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3834 close_attr(fp); 3835 open_attr(fp, "sock_type"); 3836 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3837 close_attr(fp); 3838 open_attr(fp, "lport"); 3839 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3840 close_attr(fp); 3841 open_attr(fp, "laddr"); 3842 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3843 tok->tt.socket_ex32.l_addr); 3844 close_attr(fp); 3845 open_attr(fp, "faddr"); 3846 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3847 tok->tt.socket_ex32.r_addr); 3848 close_attr(fp); 3849 open_attr(fp, "fport"); 3850 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3851 close_attr(fp); 3852 close_tag(fp, tok->id); 3853 } else { 3854 print_delim(fp, del); 3855 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3856 print_delim(fp, del); 3857 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3858 print_delim(fp, del); 3859 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3860 print_delim(fp, del); 3861 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3862 tok->tt.socket_ex32.l_addr); 3863 print_delim(fp, del); 3864 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3865 print_delim(fp, del); 3866 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3867 tok->tt.socket_ex32.r_addr); 3868 } 3869} 3870 3871static int 3872fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3873{ 3874 int err = 0; 3875 int recoversize; 3876 3877 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3878 if (recoversize <= 0) 3879 return (-1); 3880 3881 tok->tt.invalid.length = recoversize; 3882 3883 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3884 err); 3885 if (err) 3886 return (-1); 3887 3888 return (0); 3889} 3890 3891static void 3892print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3893 __unused char sfrm, int xml) 3894{ 3895 3896 if (!xml) { 3897 print_tok_type(fp, tok->id, "unknown", raw, 0); 3898 print_delim(fp, del); 3899 print_mem(fp, (u_char*)tok->tt.invalid.data, 3900 tok->tt.invalid.length); 3901 } 3902} 3903 3904 3905/* 3906 * size 2 bytes; 3907 * zonename size bytes; 3908 */ 3909static int 3910fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3911{ 3912 int err = 0; 3913 3914 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3915 if (err) 3916 return (-1); 3917 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3918 tok->len, err); 3919 if (err) 3920 return (-1); 3921 return (0); 3922} 3923 3924static void 3925print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3926 __unused char sfrm, int xml) 3927{ 3928 3929 print_tok_type(fp, tok->id, "zone", raw, xml); 3930 if (xml) { 3931 open_attr(fp, "name"); 3932 print_string(fp, tok->tt.zonename.zonename, 3933 tok->tt.zonename.len); 3934 close_attr(fp); 3935 close_tag(fp, tok->id); 3936 } else { 3937 print_delim(fp, del); 3938 print_string(fp, tok->tt.zonename.zonename, 3939 tok->tt.zonename.len); 3940 } 3941} 3942 3943/* 3944 * Reads the token beginning at buf into tok. 3945 */ 3946int 3947au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 3948{ 3949 3950 if (len <= 0) 3951 return (-1); 3952 3953 tok->len = 1; 3954 tok->data = buf; 3955 tok->id = *buf; 3956 3957 switch(tok->id) { 3958 case AUT_HEADER32: 3959 return (fetch_header32_tok(tok, buf, len)); 3960 3961 case AUT_HEADER32_EX: 3962 return (fetch_header32_ex_tok(tok, buf, len)); 3963 3964 case AUT_HEADER64: 3965 return (fetch_header64_tok(tok, buf, len)); 3966 3967 case AUT_HEADER64_EX: 3968 return (fetch_header64_ex_tok(tok, buf, len)); 3969 3970 case AUT_TRAILER: 3971 return (fetch_trailer_tok(tok, buf, len)); 3972 3973 case AUT_ARG32: 3974 return (fetch_arg32_tok(tok, buf, len)); 3975 3976 case AUT_ARG64: 3977 return (fetch_arg64_tok(tok, buf, len)); 3978 3979 case AUT_ATTR32: 3980 return (fetch_attr32_tok(tok, buf, len)); 3981 3982 case AUT_ATTR64: 3983 return (fetch_attr64_tok(tok, buf, len)); 3984 3985 case AUT_EXIT: 3986 return (fetch_exit_tok(tok, buf, len)); 3987 3988 case AUT_EXEC_ARGS: 3989 return (fetch_execarg_tok(tok, buf, len)); 3990 3991 case AUT_EXEC_ENV: 3992 return (fetch_execenv_tok(tok, buf, len)); 3993 3994 case AUT_OTHER_FILE32: 3995 return (fetch_file_tok(tok, buf, len)); 3996 3997 case AUT_NEWGROUPS: 3998 return (fetch_newgroups_tok(tok, buf, len)); 3999 4000 case AUT_IN_ADDR: 4001 return (fetch_inaddr_tok(tok, buf, len)); 4002 4003 case AUT_IN_ADDR_EX: 4004 return (fetch_inaddr_ex_tok(tok, buf, len)); 4005 4006 case AUT_IP: 4007 return (fetch_ip_tok(tok, buf, len)); 4008 4009 case AUT_IPC: 4010 return (fetch_ipc_tok(tok, buf, len)); 4011 4012 case AUT_IPC_PERM: 4013 return (fetch_ipcperm_tok(tok, buf, len)); 4014 4015 case AUT_IPORT: 4016 return (fetch_iport_tok(tok, buf, len)); 4017 4018 case AUT_OPAQUE: 4019 return (fetch_opaque_tok(tok, buf, len)); 4020 4021 case AUT_PATH: 4022 return (fetch_path_tok(tok, buf, len)); 4023 4024 case AUT_PROCESS32: 4025 return (fetch_process32_tok(tok, buf, len)); 4026 4027 case AUT_PROCESS32_EX: 4028 return (fetch_process32ex_tok(tok, buf, len)); 4029 4030 case AUT_PROCESS64: 4031 return (fetch_process64_tok(tok, buf, len)); 4032 4033 case AUT_PROCESS64_EX: 4034 return (fetch_process64ex_tok(tok, buf, len)); 4035 4036 case AUT_RETURN32: 4037 return (fetch_return32_tok(tok, buf, len)); 4038 4039 case AUT_RETURN64: 4040 return (fetch_return64_tok(tok, buf, len)); 4041 4042 case AUT_SEQ: 4043 return (fetch_seq_tok(tok, buf, len)); 4044 4045 case AUT_SOCKET: 4046 return (fetch_socket_tok(tok, buf, len)); 4047 4048 case AUT_SOCKINET32: 4049 return (fetch_sock_inet32_tok(tok, buf, len)); 4050 4051 case AUT_SOCKUNIX: 4052 return (fetch_sock_unix_tok(tok, buf, len)); 4053 4054 case AUT_SUBJECT32: 4055 return (fetch_subject32_tok(tok, buf, len)); 4056 4057 case AUT_SUBJECT32_EX: 4058 return (fetch_subject32ex_tok(tok, buf, len)); 4059 4060 case AUT_SUBJECT64: 4061 return (fetch_subject64_tok(tok, buf, len)); 4062 4063 case AUT_SUBJECT64_EX: 4064 return (fetch_subject64ex_tok(tok, buf, len)); 4065 4066 case AUT_TEXT: 4067 return (fetch_text_tok(tok, buf, len)); 4068 4069 case AUT_SOCKET_EX: 4070 return (fetch_socketex32_tok(tok, buf, len)); 4071 4072 case AUT_DATA: 4073 return (fetch_arb_tok(tok, buf, len)); 4074 4075 case AUT_ZONENAME: 4076 return (fetch_zonename_tok(tok, buf, len)); 4077 4078 default: 4079 return (fetch_invalid_tok(tok, buf, len)); 4080 } 4081} 4082 4083/* 4084 * 'prints' the token out to outfp. 4085 */ 4086void 4087au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4088{ 4089 4090 switch(tok->id) { 4091 case AUT_HEADER32: 4092 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4093 return; 4094 4095 case AUT_HEADER32_EX: 4096 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4097 return; 4098 4099 case AUT_HEADER64: 4100 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4101 return; 4102 4103 case AUT_HEADER64_EX: 4104 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4105 return; 4106 4107 case AUT_TRAILER: 4108 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4109 return; 4110 4111 case AUT_ARG32: 4112 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4113 return; 4114 4115 case AUT_ARG64: 4116 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4117 return; 4118 4119 case AUT_DATA: 4120 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4121 return; 4122 4123 case AUT_ATTR32: 4124 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4125 return; 4126 4127 case AUT_ATTR64: 4128 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4129 return; 4130 4131 case AUT_EXIT: 4132 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4133 return; 4134 4135 case AUT_EXEC_ARGS: 4136 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4137 return; 4138 4139 case AUT_EXEC_ENV: 4140 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4141 return; 4142 4143 case AUT_OTHER_FILE32: 4144 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4145 return; 4146 4147 case AUT_NEWGROUPS: 4148 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4149 return; 4150 4151 case AUT_IN_ADDR: 4152 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4153 return; 4154 4155 case AUT_IN_ADDR_EX: 4156 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4157 return; 4158 4159 case AUT_IP: 4160 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4161 return; 4162 4163 case AUT_IPC: 4164 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4165 return; 4166 4167 case AUT_IPC_PERM: 4168 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4169 return; 4170 4171 case AUT_IPORT: 4172 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4173 return; 4174 4175 case AUT_OPAQUE: 4176 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4177 return; 4178 4179 case AUT_PATH: 4180 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4181 return; 4182 4183 case AUT_PROCESS32: 4184 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4185 return; 4186 4187 case AUT_PROCESS32_EX: 4188 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4189 return; 4190 4191 case AUT_PROCESS64: 4192 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4193 return; 4194 4195 case AUT_PROCESS64_EX: 4196 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4197 return; 4198 4199 case AUT_RETURN32: 4200 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4201 return; 4202 4203 case AUT_RETURN64: 4204 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4205 return; 4206 4207 case AUT_SEQ: 4208 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4209 return; 4210 4211 case AUT_SOCKET: 4212 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4213 return; 4214 4215 case AUT_SOCKINET32: 4216 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4217 return; 4218 4219 case AUT_SOCKUNIX: 4220 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4221 return; 4222 4223 case AUT_SUBJECT32: 4224 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4225 return; 4226 4227 case AUT_SUBJECT64: 4228 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4229 return; 4230 4231 case AUT_SUBJECT32_EX: 4232 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4233 return; 4234 4235 case AUT_SUBJECT64_EX: 4236 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4237 return; 4238 4239 case AUT_TEXT: 4240 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4241 return; 4242 4243 case AUT_SOCKET_EX: 4244 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4245 return; 4246 4247 case AUT_ZONENAME: 4248 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4249 return; 4250 4251 default: 4252 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4253 } 4254} 4255 4256/* 4257 * 'prints' the token out to outfp in XML format. 4258 */ 4259void 4260au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4261 char sfrm) 4262{ 4263 4264 switch(tok->id) { 4265 case AUT_HEADER32: 4266 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4267 return; 4268 4269 case AUT_HEADER32_EX: 4270 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4271 return; 4272 4273 case AUT_HEADER64: 4274 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4275 return; 4276 4277 case AUT_HEADER64_EX: 4278 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4279 return; 4280 4281 case AUT_TRAILER: 4282 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4283 return; 4284 4285 case AUT_ARG32: 4286 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4287 return; 4288 4289 case AUT_ARG64: 4290 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4291 return; 4292 4293 case AUT_DATA: 4294 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4295 return; 4296 4297 case AUT_ATTR32: 4298 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4299 return; 4300 4301 case AUT_ATTR64: 4302 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4303 return; 4304 4305 case AUT_EXIT: 4306 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4307 return; 4308 4309 case AUT_EXEC_ARGS: 4310 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4311 return; 4312 4313 case AUT_EXEC_ENV: 4314 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4315 return; 4316 4317 case AUT_OTHER_FILE32: 4318 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4319 return; 4320 4321 case AUT_NEWGROUPS: 4322 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4323 return; 4324 4325 case AUT_IN_ADDR: 4326 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4327 return; 4328 4329 case AUT_IN_ADDR_EX: 4330 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4331 return; 4332 4333 case AUT_IP: 4334 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4335 return; 4336 4337 case AUT_IPC: 4338 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4339 return; 4340 4341 case AUT_IPC_PERM: 4342 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4343 return; 4344 4345 case AUT_IPORT: 4346 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4347 return; 4348 4349 case AUT_OPAQUE: 4350 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4351 return; 4352 4353 case AUT_PATH: 4354 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4355 return; 4356 4357 case AUT_PROCESS32: 4358 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4359 return; 4360 4361 case AUT_PROCESS32_EX: 4362 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4363 return; 4364 4365 case AUT_PROCESS64: 4366 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4367 return; 4368 4369 case AUT_PROCESS64_EX: 4370 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4371 return; 4372 4373 case AUT_RETURN32: 4374 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4375 return; 4376 4377 case AUT_RETURN64: 4378 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4379 return; 4380 4381 case AUT_SEQ: 4382 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4383 return; 4384 4385 case AUT_SOCKET: 4386 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4387 return; 4388 4389 case AUT_SOCKINET32: 4390 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4391 return; 4392 4393 case AUT_SOCKUNIX: 4394 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4395 return; 4396 4397 case AUT_SUBJECT32: 4398 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4399 return; 4400 4401 case AUT_SUBJECT64: 4402 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4403 return; 4404 4405 case AUT_SUBJECT32_EX: 4406 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4407 return; 4408 4409 case AUT_SUBJECT64_EX: 4410 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4411 return; 4412 4413 case AUT_TEXT: 4414 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4415 return; 4416 4417 case AUT_SOCKET_EX: 4418 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4419 return; 4420 4421 case AUT_ZONENAME: 4422 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4423 return; 4424 4425 default: 4426 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4427 } 4428} 4429 4430/* 4431 * Read a record from the file pointer, store data in buf memory for buf is 4432 * also allocated in this function and has to be free'd outside this call. 4433 * 4434 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4435 * complete audit record. 4436 * 4437 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4438 * state, because it will be partly offset into a record. We should rewind 4439 * or do something more intelligent. Particularly interesting is the case 4440 * where we perform a partial read of a record from a non-blockable file 4441 * descriptor. We should return the partial read and continue...? 4442 */ 4443int 4444au_read_rec(FILE *fp, u_char **buf) 4445{ 4446 u_char *bptr; 4447 u_int32_t recsize; 4448 u_int32_t bytestoread; 4449 u_char type; 4450 4451 u_int32_t sec, msec; 4452 u_int16_t filenamelen; 4453 4454 type = fgetc(fp); 4455 4456 switch (type) { 4457 case AUT_HEADER32: 4458 case AUT_HEADER32_EX: 4459 case AUT_HEADER64: 4460 case AUT_HEADER64_EX: 4461 /* read the record size from the token */ 4462 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4463 sizeof(u_int32_t)) { 4464 errno = EINVAL; 4465 return (-1); 4466 } 4467 recsize = be32toh(recsize); 4468 4469 /* Check for recsize sanity */ 4470 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4471 errno = EINVAL; 4472 return (-1); 4473 } 4474 4475 *buf = malloc(recsize * sizeof(u_char)); 4476 if (*buf == NULL) 4477 return (-1); 4478 bptr = *buf; 4479 memset(bptr, 0, recsize); 4480 4481 /* store the token contents already read, back to the buffer*/ 4482 *bptr = type; 4483 bptr++; 4484 be32enc(bptr, recsize); 4485 bptr += sizeof(u_int32_t); 4486 4487 /* now read remaining record bytes */ 4488 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4489 4490 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4491 free(*buf); 4492 errno = EINVAL; 4493 return (-1); 4494 } 4495 break; 4496 4497 case AUT_OTHER_FILE32: 4498 /* 4499 * The file token is variable-length, as it includes a 4500 * pathname. As a result, we have to read incrementally 4501 * until we know the total length, then allocate space and 4502 * read the rest. 4503 */ 4504 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4505 errno = EINVAL; 4506 return (-1); 4507 } 4508 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4509 errno = EINVAL; 4510 return (-1); 4511 } 4512 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4513 sizeof(filenamelen)) { 4514 errno = EINVAL; 4515 return (-1); 4516 } 4517 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4518 sizeof(filenamelen) + ntohs(filenamelen); 4519 *buf = malloc(recsize); 4520 if (*buf == NULL) 4521 return (-1); 4522 bptr = *buf; 4523 4524 bcopy(&type, bptr, sizeof(type)); 4525 bptr += sizeof(type); 4526 bcopy(&sec, bptr, sizeof(sec)); 4527 bptr += sizeof(sec); 4528 bcopy(&msec, bptr, sizeof(msec)); 4529 bptr += sizeof(msec); 4530 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4531 bptr += sizeof(filenamelen); 4532 4533 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4534 ntohs(filenamelen)) { 4535 free(buf); 4536 errno = EINVAL; 4537 return (-1); 4538 } 4539 break; 4540 4541 default: 4542 errno = EINVAL; 4543 return (-1); 4544 } 4545 4546 return (recsize); 4547} 4548