bsm_io.c revision 191273
1/*- 2 * Copyright (c) 2004-2008 Apple Inc. 3 * Copyright (c) 2005 SPARTA, Inc. 4 * Copyright (c) 2006 Robert N. M. Watson 5 * Copyright (c) 2006 Martin Voros 6 * All rights reserved. 7 * 8 * This code was developed in part by Robert N. M. Watson, Senior Principal 9 * Scientist, SPARTA, Inc. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of 20 * its contributors may be used to endorse or promote products derived 21 * from this software without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR 27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING 32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 33 * POSSIBILITY OF SUCH DAMAGE. 34 * 35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#62 $ 36 */ 37 38#include <sys/types.h> 39 40#include <config/config.h> 41#if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC) 42#include <sys/endian.h> 43#else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 44#ifdef HAVE_MACHINE_ENDIAN_H 45#include <machine/endian.h> 46#else /* !HAVE_MACHINE_ENDIAN_H */ 47#ifdef HAVE_ENDIAN_H 48#include <endian.h> 49#else /* !HAVE_ENDIAN_H */ 50#error "No supported endian.h" 51#endif /* !HAVE_ENDIAN_H */ 52#endif /* !HAVE_MACHINE_ENDIAN_H */ 53#include <compat/endian.h> 54#endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */ 55#ifdef HAVE_FULL_QUEUE_H 56#include <sys/queue.h> 57#else /* !HAVE_FULL_QUEUE_H */ 58#include <compat/queue.h> 59#endif /* !HAVE_FULL_QUEUE_H */ 60 61#include <sys/stat.h> 62#include <sys/socket.h> 63 64#include <bsm/libbsm.h> 65 66#include <unistd.h> 67#include <netinet/in.h> 68#include <arpa/inet.h> 69#include <errno.h> 70#include <time.h> 71#include <stdlib.h> 72#include <stdio.h> 73#include <string.h> 74#include <pwd.h> 75#include <grp.h> 76 77#include <bsm/audit_internal.h> 78 79#define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \ 80 if ((bytesread) + (size) > (u_int32_t)(len)) { \ 81 (err) = 1; \ 82 } else { \ 83 memcpy((dest), (buf) + (bytesread), (size)); \ 84 bytesread += size; \ 85 } \ 86} while (0) 87 88#define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \ 89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \ 90 (dest) = buf[(bytesread)]; \ 91 (bytesread) += sizeof(u_char); \ 92 } else \ 93 (err) = 1; \ 94} while (0) 95 96#define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \ 97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \ 98 (dest) = be16dec((buf) + (bytesread)); \ 99 (bytesread) += sizeof(u_int16_t); \ 100 } else \ 101 (err) = 1; \ 102} while (0) 103 104#define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \ 105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \ 106 (dest) = be32dec((buf) + (bytesread)); \ 107 (bytesread) += sizeof(u_int32_t); \ 108 } else \ 109 (err) = 1; \ 110} while (0) 111 112#define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \ 113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \ 114 dest = be64dec((buf) + (bytesread)); \ 115 (bytesread) += sizeof(u_int64_t); \ 116 } else \ 117 (err) = 1; \ 118} while (0) 119 120#define SET_PTR(buf, len, ptr, size, bytesread, err) do { \ 121 if ((bytesread) + (size) > (u_int32_t)(len)) \ 122 (err) = 1; \ 123 else { \ 124 (ptr) = (buf) + (bytesread); \ 125 (bytesread) += (size); \ 126 } \ 127} while (0) 128 129/* 130 * XML option. 131 */ 132#define AU_PLAIN 0 133#define AU_XML 1 134 135/* 136 * Prints the delimiter string. 137 */ 138static void 139print_delim(FILE *fp, const char *del) 140{ 141 142 fprintf(fp, "%s", del); 143} 144 145/* 146 * Prints a single byte in the given format. 147 */ 148static void 149print_1_byte(FILE *fp, u_char val, const char *format) 150{ 151 152 fprintf(fp, format, val); 153} 154 155/* 156 * Print 2 bytes in the given format. 157 */ 158static void 159print_2_bytes(FILE *fp, u_int16_t val, const char *format) 160{ 161 162 fprintf(fp, format, val); 163} 164 165/* 166 * Prints 4 bytes in the given format. 167 */ 168static void 169print_4_bytes(FILE *fp, u_int32_t val, const char *format) 170{ 171 172 fprintf(fp, format, val); 173} 174 175/* 176 * Prints 8 bytes in the given format. 177 */ 178static void 179print_8_bytes(FILE *fp, u_int64_t val, const char *format) 180{ 181 182 fprintf(fp, format, val); 183} 184 185/* 186 * Prints the given size of data bytes in hex. 187 */ 188static void 189print_mem(FILE *fp, u_char *data, size_t len) 190{ 191 u_int32_t i; 192 193 if (len > 0) { 194 fprintf(fp, "0x"); 195 for (i = 0; i < len; i++) 196 fprintf(fp, "%02x", data[i]); 197 } 198} 199 200/* 201 * Prints the given data bytes as a string. 202 */ 203static void 204print_string(FILE *fp, const char *str, size_t len) 205{ 206 u_int32_t i; 207 208 if (len > 0) { 209 for (i = 0; i < len; i++) { 210 if (str[i] != '\0') 211 fprintf(fp, "%c", str[i]); 212 } 213 } 214} 215 216/* 217 * Prints the beggining of attribute. 218 */ 219static void 220open_attr(FILE *fp, const char *str) 221{ 222 223 fprintf(fp,"%s=\"", str); 224} 225 226/* 227 * Prints the end of attribute. 228 */ 229static void 230close_attr(FILE *fp) 231{ 232 233 fprintf(fp,"\" "); 234} 235 236/* 237 * Prints the end of tag. 238 */ 239static void 240close_tag(FILE *fp, u_char type) 241{ 242 243 switch(type) { 244 case AUT_HEADER32: 245 fprintf(fp, ">"); 246 break; 247 248 case AUT_HEADER32_EX: 249 fprintf(fp, ">"); 250 break; 251 252 case AUT_HEADER64: 253 fprintf(fp, ">"); 254 break; 255 256 case AUT_HEADER64_EX: 257 fprintf(fp, ">"); 258 break; 259 260 case AUT_ARG32: 261 fprintf(fp, "/>"); 262 break; 263 264 case AUT_ARG64: 265 fprintf(fp, "/>"); 266 break; 267 268 case AUT_ATTR32: 269 fprintf(fp, "/>"); 270 break; 271 272 case AUT_ATTR64: 273 fprintf(fp, "/>"); 274 break; 275 276 case AUT_EXIT: 277 fprintf(fp, "/>"); 278 break; 279 280 case AUT_EXEC_ARGS: 281 fprintf(fp, "</exec_args>"); 282 break; 283 284 case AUT_EXEC_ENV: 285 fprintf(fp, "</exec_env>"); 286 break; 287 288 case AUT_OTHER_FILE32: 289 fprintf(fp, "</file>"); 290 break; 291 292 case AUT_NEWGROUPS: 293 fprintf(fp, "</group>"); 294 break; 295 296 case AUT_IN_ADDR: 297 fprintf(fp, "</ip_address>"); 298 break; 299 300 case AUT_IN_ADDR_EX: 301 fprintf(fp, "</ip_address>"); 302 break; 303 304 case AUT_IP: 305 fprintf(fp, "/>"); 306 break; 307 308 case AUT_IPC: 309 fprintf(fp, "/>"); 310 break; 311 312 case AUT_IPC_PERM: 313 fprintf(fp, "/>"); 314 break; 315 316 case AUT_IPORT: 317 fprintf(fp, "</ip_port>"); 318 break; 319 320 case AUT_OPAQUE: 321 fprintf(fp, "</opaque>"); 322 break; 323 324 case AUT_PATH: 325 fprintf(fp, "</path>"); 326 break; 327 328 case AUT_PROCESS32: 329 fprintf(fp, "/>"); 330 break; 331 332 case AUT_PROCESS32_EX: 333 fprintf(fp, "/>"); 334 break; 335 336 case AUT_PROCESS64: 337 fprintf(fp, "/>"); 338 break; 339 340 case AUT_PROCESS64_EX: 341 fprintf(fp, "/>"); 342 break; 343 344 case AUT_RETURN32: 345 fprintf(fp, "/>"); 346 break; 347 348 case AUT_RETURN64: 349 fprintf(fp, "/>"); 350 break; 351 352 case AUT_SEQ: 353 fprintf(fp, "/>"); 354 break; 355 356 case AUT_SOCKET: 357 fprintf(fp, "/>"); 358 break; 359 360 case AUT_SOCKINET32: 361 fprintf(fp, "/>"); 362 break; 363 364 case AUT_SOCKUNIX: 365 fprintf(fp, "/>"); 366 break; 367 368 case AUT_SOCKINET128: 369 fprintf(fp, "/>"); 370 break; 371 372 case AUT_SUBJECT32: 373 fprintf(fp, "/>"); 374 break; 375 376 case AUT_SUBJECT64: 377 fprintf(fp, "/>"); 378 break; 379 380 case AUT_SUBJECT32_EX: 381 fprintf(fp, "/>"); 382 break; 383 384 case AUT_SUBJECT64_EX: 385 fprintf(fp, "/>"); 386 break; 387 388 case AUT_TEXT: 389 fprintf(fp, "</text>"); 390 break; 391 392 case AUT_SOCKET_EX: 393 fprintf(fp, "/>"); 394 break; 395 396 case AUT_DATA: 397 fprintf(fp, "</arbitrary>"); 398 break; 399 400 case AUT_ZONENAME: 401 fprintf(fp, "/>"); 402 break; 403 } 404} 405 406/* 407 * Prints the token type in either the raw or the default form. 408 */ 409static void 410print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml) 411{ 412 413 if (xml) { 414 switch(type) { 415 case AUT_HEADER32: 416 fprintf(fp, "<record "); 417 break; 418 419 case AUT_HEADER32_EX: 420 fprintf(fp, "<record "); 421 break; 422 423 case AUT_HEADER64: 424 fprintf(fp, "<record "); 425 break; 426 427 case AUT_HEADER64_EX: 428 fprintf(fp, "<record "); 429 break; 430 431 case AUT_TRAILER: 432 fprintf(fp, "</record>"); 433 break; 434 435 case AUT_ARG32: 436 fprintf(fp, "<argument "); 437 break; 438 439 case AUT_ARG64: 440 fprintf(fp, "<argument "); 441 break; 442 443 case AUT_ATTR32: 444 fprintf(fp, "<attribute "); 445 break; 446 447 case AUT_ATTR64: 448 fprintf(fp, "<attribute "); 449 break; 450 451 case AUT_EXIT: 452 fprintf(fp, "<exit "); 453 break; 454 455 case AUT_EXEC_ARGS: 456 fprintf(fp, "<exec_args>"); 457 break; 458 459 case AUT_EXEC_ENV: 460 fprintf(fp, "<exec_env>"); 461 break; 462 463 case AUT_OTHER_FILE32: 464 fprintf(fp, "<file "); 465 break; 466 467 case AUT_NEWGROUPS: 468 fprintf(fp, "<group>"); 469 break; 470 471 case AUT_IN_ADDR: 472 fprintf(fp, "<ip_address>"); 473 break; 474 475 case AUT_IN_ADDR_EX: 476 fprintf(fp, "<ip_address>"); 477 break; 478 479 case AUT_IP: 480 fprintf(fp, "<ip "); 481 break; 482 483 case AUT_IPC: 484 fprintf(fp, "<IPC"); 485 break; 486 487 case AUT_IPC_PERM: 488 fprintf(fp, "<IPC_perm "); 489 break; 490 491 case AUT_IPORT: 492 fprintf(fp, "<ip_port>"); 493 break; 494 495 case AUT_OPAQUE: 496 fprintf(fp, "<opaque>"); 497 break; 498 499 case AUT_PATH: 500 fprintf(fp, "<path>"); 501 break; 502 503 case AUT_PROCESS32: 504 fprintf(fp, "<process "); 505 break; 506 507 case AUT_PROCESS32_EX: 508 fprintf(fp, "<process "); 509 break; 510 511 case AUT_PROCESS64: 512 fprintf(fp, "<process "); 513 break; 514 515 case AUT_PROCESS64_EX: 516 fprintf(fp, "<process "); 517 break; 518 519 case AUT_RETURN32: 520 fprintf(fp, "<return "); 521 break; 522 523 case AUT_RETURN64: 524 fprintf(fp, "<return "); 525 break; 526 527 case AUT_SEQ: 528 fprintf(fp, "<sequence "); 529 break; 530 531 case AUT_SOCKET: 532 fprintf(fp, "<socket "); 533 break; 534 535 case AUT_SOCKINET32: 536 fprintf(fp, "<socket-inet "); 537 break; 538 539 case AUT_SOCKUNIX: 540 fprintf(fp, "<socket-unix "); 541 break; 542 543 case AUT_SOCKINET128: 544 fprintf(fp, "<socket-inet6 "); 545 546 case AUT_SUBJECT32: 547 fprintf(fp, "<subject "); 548 break; 549 550 case AUT_SUBJECT64: 551 fprintf(fp, "<subject "); 552 break; 553 554 case AUT_SUBJECT32_EX: 555 fprintf(fp, "<subject "); 556 break; 557 558 case AUT_SUBJECT64_EX: 559 fprintf(fp, "<subject "); 560 break; 561 562 case AUT_TEXT: 563 fprintf(fp, "<text>"); 564 break; 565 566 case AUT_SOCKET_EX: 567 fprintf(fp, "<socket "); 568 break; 569 570 case AUT_DATA: 571 fprintf(fp, "<arbitrary "); 572 break; 573 574 case AUT_ZONENAME: 575 fprintf(fp, "<zone "); 576 break; 577 } 578 } else { 579 if (raw) 580 fprintf(fp, "%u", type); 581 else 582 fprintf(fp, "%s", tokname); 583 } 584} 585 586/* 587 * Prints a user value. 588 */ 589static void 590print_user(FILE *fp, u_int32_t usr, char raw) 591{ 592 struct passwd *pwent; 593 594 if (raw) 595 fprintf(fp, "%d", usr); 596 else { 597 pwent = getpwuid(usr); 598 if (pwent != NULL) 599 fprintf(fp, "%s", pwent->pw_name); 600 else 601 fprintf(fp, "%d", usr); 602 } 603} 604 605/* 606 * Prints a group value. 607 */ 608static void 609print_group(FILE *fp, u_int32_t grp, char raw) 610{ 611 struct group *grpent; 612 613 if (raw) 614 fprintf(fp, "%d", grp); 615 else { 616 grpent = getgrgid(grp); 617 if (grpent != NULL) 618 fprintf(fp, "%s", grpent->gr_name); 619 else 620 fprintf(fp, "%d", grp); 621 } 622} 623 624/* 625 * Prints the event from the header token in either the short, default or raw 626 * form. 627 */ 628static void 629print_event(FILE *fp, u_int16_t ev, char raw, char sfrm) 630{ 631 char event_ent_name[AU_EVENT_NAME_MAX]; 632 char event_ent_desc[AU_EVENT_DESC_MAX]; 633 struct au_event_ent e, *ep; 634 635 bzero(&e, sizeof(e)); 636 bzero(event_ent_name, sizeof(event_ent_name)); 637 bzero(event_ent_desc, sizeof(event_ent_desc)); 638 e.ae_name = event_ent_name; 639 e.ae_desc = event_ent_desc; 640 641 ep = getauevnum_r(&e, ev); 642 if (ep == NULL) { 643 fprintf(fp, "%u", ev); 644 return; 645 } 646 647 if (raw) 648 fprintf(fp, "%u", ev); 649 else if (sfrm) 650 fprintf(fp, "%s", e.ae_name); 651 else 652 fprintf(fp, "%s", e.ae_desc); 653} 654 655 656/* 657 * Prints the event modifier from the header token in either the default or 658 * raw form. 659 */ 660static void 661print_evmod(FILE *fp, u_int16_t evmod, char raw) 662{ 663 if (raw) 664 fprintf(fp, "%u", evmod); 665 else 666 fprintf(fp, "%u", evmod); 667} 668 669/* 670 * Prints seconds in the ctime format. 671 */ 672static void 673print_sec32(FILE *fp, u_int32_t sec, char raw) 674{ 675 time_t timestamp; 676 char timestr[26]; 677 678 if (raw) 679 fprintf(fp, "%u", sec); 680 else { 681 timestamp = (time_t)sec; 682 ctime_r(×tamp, timestr); 683 timestr[24] = '\0'; /* No new line */ 684 fprintf(fp, "%s", timestr); 685 } 686} 687 688/* 689 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we 690 * assume a 32-bit time_t, we simply truncate for now. 691 */ 692static void 693print_sec64(FILE *fp, u_int64_t sec, char raw) 694{ 695 time_t timestamp; 696 char timestr[26]; 697 698 if (raw) 699 fprintf(fp, "%u", (u_int32_t)sec); 700 else { 701 timestamp = (time_t)sec; 702 ctime_r(×tamp, timestr); 703 timestr[24] = '\0'; /* No new line */ 704 fprintf(fp, "%s", timestr); 705 } 706} 707 708/* 709 * Prints the excess milliseconds. 710 */ 711static void 712print_msec32(FILE *fp, u_int32_t msec, char raw) 713{ 714 if (raw) 715 fprintf(fp, "%u", msec); 716 else 717 fprintf(fp, " + %u msec", msec); 718} 719 720/* 721 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume 722 * a 32-bit msec, we simply truncate for now. 723 */ 724static void 725print_msec64(FILE *fp, u_int64_t msec, char raw) 726{ 727 728 msec &= 0xffffffff; 729 if (raw) 730 fprintf(fp, "%u", (u_int32_t)msec); 731 else 732 fprintf(fp, " + %u msec", (u_int32_t)msec); 733} 734 735/* 736 * Prints a dotted form for the IP address. 737 */ 738static void 739print_ip_address(FILE *fp, u_int32_t ip) 740{ 741 struct in_addr ipaddr; 742 743 ipaddr.s_addr = ip; 744 fprintf(fp, "%s", inet_ntoa(ipaddr)); 745} 746 747/* 748 * Prints a string value for the given ip address. 749 */ 750static void 751print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr) 752{ 753 struct in_addr ipv4; 754 struct in6_addr ipv6; 755 char dst[INET6_ADDRSTRLEN]; 756 757 switch (type) { 758 case AU_IPv4: 759 ipv4.s_addr = (in_addr_t)(ipaddr[0]); 760 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst, 761 INET6_ADDRSTRLEN)); 762 break; 763 764 case AU_IPv6: 765 bcopy(ipaddr, &ipv6, sizeof(ipv6)); 766 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst, 767 INET6_ADDRSTRLEN)); 768 break; 769 770 default: 771 fprintf(fp, "invalid"); 772 } 773} 774 775/* 776 * Prints return value as success or failure. 777 */ 778static void 779print_retval(FILE *fp, u_char status, char raw) 780{ 781 int error; 782 783 if (raw) 784 fprintf(fp, "%u", status); 785 else { 786 /* 787 * Convert to a local error number and print the OS's version 788 * of the error string if possible. We may want to provide 789 * an au_strerror(3) in the future so that we can print 790 * strings for non-local errors. 791 */ 792 if (au_bsm_to_errno(status, &error) == 0) { 793 if (error == 0) 794 fprintf(fp, "success"); 795 else 796 fprintf(fp, "failure : %s", strerror(error)); 797 } else 798 fprintf(fp, "failure: Unknown error: %d", status); 799 } 800} 801 802/* 803 * Prints the exit value. 804 */ 805static void 806print_errval(FILE *fp, u_int32_t val) 807{ 808 809 fprintf(fp, "Error %u", val); 810} 811 812/* 813 * Prints IPC type. 814 */ 815static void 816print_ipctype(FILE *fp, u_char type, char raw) 817{ 818 if (raw) 819 fprintf(fp, "%u", type); 820 else { 821 if (type == AT_IPC_MSG) 822 fprintf(fp, "Message IPC"); 823 else if (type == AT_IPC_SEM) 824 fprintf(fp, "Semaphore IPC"); 825 else if (type == AT_IPC_SHM) 826 fprintf(fp, "Shared Memory IPC"); 827 else 828 fprintf(fp, "%u", type); 829 } 830} 831 832/* 833 * Print XML header. 834 */ 835void 836au_print_xml_header(FILE *outfp) 837{ 838 839 fprintf(outfp, "<?xml version='1.0' ?>\n"); 840 fprintf(outfp, "<audit>\n"); 841} 842 843/* 844 * Print XML footer. 845 */ 846void 847au_print_xml_footer(FILE *outfp) 848{ 849 850 fprintf(outfp, "</audit>\n"); 851} 852 853/* 854 * record byte count 4 bytes 855 * version # 1 byte [2] 856 * event type 2 bytes 857 * event modifier 2 bytes 858 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 859 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 860 */ 861static int 862fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len) 863{ 864 int err = 0; 865 866 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err); 867 if (err) 868 return (-1); 869 870 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err); 871 if (err) 872 return (-1); 873 874 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err); 875 if (err) 876 return (-1); 877 878 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err); 879 if (err) 880 return (-1); 881 882 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err); 883 if (err) 884 return (-1); 885 886 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err); 887 if (err) 888 return (-1); 889 890 return (0); 891} 892 893static void 894print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 895 int xml) 896{ 897 898 print_tok_type(fp, tok->id, "header", raw, xml); 899 if (xml) { 900 open_attr(fp, "version"); 901 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 902 close_attr(fp); 903 open_attr(fp, "event"); 904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 905 close_attr(fp); 906 open_attr(fp, "modifier"); 907 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 908 close_attr(fp); 909 open_attr(fp, "time"); 910 print_sec32(fp, tok->tt.hdr32.s, raw); 911 close_attr(fp); 912 open_attr(fp, "msec"); 913 print_msec32(fp, tok->tt.hdr32.ms, 1); 914 close_attr(fp); 915 close_tag(fp, tok->id); 916 } else { 917 print_delim(fp, del); 918 print_4_bytes(fp, tok->tt.hdr32.size, "%u"); 919 print_delim(fp, del); 920 print_1_byte(fp, tok->tt.hdr32.version, "%u"); 921 print_delim(fp, del); 922 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm); 923 print_delim(fp, del); 924 print_evmod(fp, tok->tt.hdr32.e_mod, raw); 925 print_delim(fp, del); 926 print_sec32(fp, tok->tt.hdr32.s, raw); 927 print_delim(fp, del); 928 print_msec32(fp, tok->tt.hdr32.ms, raw); 929 } 930} 931 932/* 933 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit 934 * depending on the bit of the specifications found. The OpenSolaris source 935 * code uses a 4-byte address length, followed by some number of bytes of 936 * address data. This contrasts with the Solaris audit.log.5 man page, which 937 * specifies a 1-byte length field. We use the Solaris 10 definition so that 938 * we can parse audit trails from that system. 939 * 940 * record byte count 4 bytes 941 * version # 1 byte [2] 942 * event type 2 bytes 943 * event modifier 2 bytes 944 * address type/length 4 bytes 945 * [ Solaris man page: address type/length 1 byte] 946 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 947 * seconds of time 4 bytes/8 bytes (32/64-bits) 948 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 949 */ 950static int 951fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len) 952{ 953 int err = 0; 954 955 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err); 956 if (err) 957 return (-1); 958 959 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err); 960 if (err) 961 return (-1); 962 963 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err); 964 if (err) 965 return (-1); 966 967 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err); 968 if (err) 969 return (-1); 970 971 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err); 972 if (err) 973 return (-1); 974 975 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr)); 976 switch (tok->tt.hdr32_ex.ad_type) { 977 case AU_IPv4: 978 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0], 979 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err); 980 if (err) 981 return (-1); 982 break; 983 984 case AU_IPv6: 985 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr, 986 sizeof(tok->tt.hdr32_ex.addr), tok->len, err); 987 break; 988 } 989 990 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err); 991 if (err) 992 return (-1); 993 994 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err); 995 if (err) 996 return (-1); 997 998 return (0); 999} 1000 1001static void 1002print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1003 char sfrm, int xml) 1004{ 1005 1006 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1007 if (xml) { 1008 open_attr(fp, "version"); 1009 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1010 close_attr(fp); 1011 open_attr(fp, "event"); 1012 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1013 close_attr(fp); 1014 open_attr(fp, "modifier"); 1015 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1016 close_attr(fp); 1017 open_attr(fp, "host"); 1018 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1019 tok->tt.hdr32_ex.addr); 1020 close_attr(fp); 1021 open_attr(fp, "time"); 1022 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1023 close_attr(fp); 1024 open_attr(fp, "msec"); 1025 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1026 close_attr(fp); 1027 close_tag(fp, tok->id); 1028 } else { 1029 print_delim(fp, del); 1030 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u"); 1031 print_delim(fp, del); 1032 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u"); 1033 print_delim(fp, del); 1034 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm); 1035 print_delim(fp, del); 1036 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw); 1037 print_delim(fp, del); 1038 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type, 1039 tok->tt.hdr32_ex.addr); 1040 print_delim(fp, del); 1041 print_sec32(fp, tok->tt.hdr32_ex.s, raw); 1042 print_delim(fp, del); 1043 print_msec32(fp, tok->tt.hdr32_ex.ms, raw); 1044 } 1045} 1046 1047/* 1048 * record byte count 4 bytes 1049 * event type 2 bytes 1050 * event modifier 2 bytes 1051 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1052 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value) 1053 * version # 1054 */ 1055static int 1056fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len) 1057{ 1058 int err = 0; 1059 1060 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err); 1061 if (err) 1062 return (-1); 1063 1064 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err); 1065 if (err) 1066 return (-1); 1067 1068 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err); 1069 if (err) 1070 return (-1); 1071 1072 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err); 1073 if (err) 1074 return (-1); 1075 1076 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err); 1077 if (err) 1078 return (-1); 1079 1080 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err); 1081 if (err) 1082 return (-1); 1083 1084 return (0); 1085} 1086 1087static void 1088print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm, 1089 int xml) 1090{ 1091 1092 print_tok_type(fp, tok->id, "header", raw, xml); 1093 if (xml) { 1094 open_attr(fp, "version"); 1095 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1096 close_attr(fp); 1097 open_attr(fp, "event"); 1098 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1099 close_attr(fp); 1100 open_attr(fp, "modifier"); 1101 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1102 close_attr(fp); 1103 open_attr(fp, "time"); 1104 print_sec64(fp, tok->tt.hdr64.s, raw); 1105 close_attr(fp); 1106 open_attr(fp, "msec"); 1107 print_msec64(fp, tok->tt.hdr64.ms, raw); 1108 close_attr(fp); 1109 close_tag(fp, tok->id); 1110 } else { 1111 print_delim(fp, del); 1112 print_4_bytes(fp, tok->tt.hdr64.size, "%u"); 1113 print_delim(fp, del); 1114 print_1_byte(fp, tok->tt.hdr64.version, "%u"); 1115 print_delim(fp, del); 1116 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm); 1117 print_delim(fp, del); 1118 print_evmod(fp, tok->tt.hdr64.e_mod, raw); 1119 print_delim(fp, del); 1120 print_sec64(fp, tok->tt.hdr64.s, raw); 1121 print_delim(fp, del); 1122 print_msec64(fp, tok->tt.hdr64.ms, raw); 1123 } 1124} 1125 1126/* 1127 * record byte count 4 bytes 1128 * version # 1 byte [2] 1129 * event type 2 bytes 1130 * event modifier 2 bytes 1131 * address type/length 4 bytes 1132 * [ Solaris man page: address type/length 1 byte] 1133 * machine address 4 bytes/16 bytes (IPv4/IPv6 address) 1134 * seconds of time 4 bytes/8 bytes (32/64-bits) 1135 * nanoseconds of time 4 bytes/8 bytes (32/64-bits) 1136 * 1137 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the 1138 * accuracy of the BSM spec. 1139 */ 1140static int 1141fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len) 1142{ 1143 int err = 0; 1144 1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err); 1146 if (err) 1147 return (-1); 1148 1149 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err); 1150 if (err) 1151 return (-1); 1152 1153 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err); 1154 if (err) 1155 return (-1); 1156 1157 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err); 1158 if (err) 1159 return (-1); 1160 1161 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err); 1162 if (err) 1163 return (-1); 1164 1165 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr)); 1166 switch (tok->tt.hdr64_ex.ad_type) { 1167 case AU_IPv4: 1168 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0], 1169 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err); 1170 if (err) 1171 return (-1); 1172 break; 1173 1174 case AU_IPv6: 1175 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr, 1176 sizeof(tok->tt.hdr64_ex.addr), tok->len, err); 1177 break; 1178 } 1179 1180 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err); 1181 if (err) 1182 return (-1); 1183 1184 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err); 1185 if (err) 1186 return (-1); 1187 1188 return (0); 1189} 1190 1191static void 1192print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1193 char sfrm, int xml) 1194{ 1195 1196 print_tok_type(fp, tok->id, "header_ex", raw, xml); 1197 if (xml) { 1198 open_attr(fp, "version"); 1199 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1200 close_attr(fp); 1201 open_attr(fp, "event"); 1202 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1203 close_attr(fp); 1204 open_attr(fp, "modifier"); 1205 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1206 close_attr(fp); 1207 open_attr(fp, "host"); 1208 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1209 tok->tt.hdr64_ex.addr); 1210 close_attr(fp); 1211 open_attr(fp, "time"); 1212 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1213 close_attr(fp); 1214 open_attr(fp, "msec"); 1215 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1216 close_attr(fp); 1217 close_tag(fp, tok->id); 1218 } else { 1219 print_delim(fp, del); 1220 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u"); 1221 print_delim(fp, del); 1222 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u"); 1223 print_delim(fp, del); 1224 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm); 1225 print_delim(fp, del); 1226 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw); 1227 print_delim(fp, del); 1228 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type, 1229 tok->tt.hdr64_ex.addr); 1230 print_delim(fp, del); 1231 print_sec64(fp, tok->tt.hdr64_ex.s, raw); 1232 print_delim(fp, del); 1233 print_msec64(fp, tok->tt.hdr64_ex.ms, raw); 1234 } 1235} 1236 1237/* 1238 * trailer magic 2 bytes 1239 * record size 4 bytes 1240 */ 1241static int 1242fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len) 1243{ 1244 int err = 0; 1245 1246 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err); 1247 if (err) 1248 return (-1); 1249 1250 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err); 1251 if (err) 1252 return (-1); 1253 1254 return (0); 1255} 1256 1257static void 1258print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1259 __unused char sfrm, int xml) 1260{ 1261 1262 print_tok_type(fp, tok->id, "trailer", raw, xml); 1263 if (!xml) { 1264 print_delim(fp, del); 1265 print_4_bytes(fp, tok->tt.trail.count, "%u"); 1266 } 1267} 1268 1269/* 1270 * argument # 1 byte 1271 * argument value 4 bytes/8 bytes (32-bit/64-bit value) 1272 * text length 2 bytes 1273 * text N bytes + 1 terminating NULL byte 1274 */ 1275static int 1276fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len) 1277{ 1278 int err = 0; 1279 1280 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err); 1281 if (err) 1282 return (-1); 1283 1284 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err); 1285 if (err) 1286 return (-1); 1287 1288 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err); 1289 if (err) 1290 return (-1); 1291 1292 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len, 1293 tok->len, err); 1294 if (err) 1295 return (-1); 1296 1297 return (0); 1298} 1299 1300static void 1301print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1302 __unused char sfrm, int xml) 1303{ 1304 1305 print_tok_type(fp, tok->id, "argument", raw, xml); 1306 if (xml) { 1307 open_attr(fp, "arg-num"); 1308 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1309 close_attr(fp); 1310 open_attr(fp, "value"); 1311 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1312 close_attr(fp); 1313 open_attr(fp, "desc"); 1314 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1315 close_attr(fp); 1316 close_tag(fp, tok->id); 1317 } else { 1318 print_delim(fp, del); 1319 print_1_byte(fp, tok->tt.arg32.no, "%u"); 1320 print_delim(fp, del); 1321 print_4_bytes(fp, tok->tt.arg32.val, "0x%x"); 1322 print_delim(fp, del); 1323 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len); 1324 } 1325} 1326 1327static int 1328fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len) 1329{ 1330 int err = 0; 1331 1332 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err); 1333 if (err) 1334 return (-1); 1335 1336 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err); 1337 if (err) 1338 return (-1); 1339 1340 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err); 1341 if (err) 1342 return (-1); 1343 1344 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len, 1345 tok->len, err); 1346 if (err) 1347 return (-1); 1348 1349 return (0); 1350} 1351 1352static void 1353print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1354 __unused char sfrm, int xml) 1355{ 1356 1357 print_tok_type(fp, tok->id, "argument", raw, xml); 1358 if (xml) { 1359 open_attr(fp, "arg-num"); 1360 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1361 close_attr(fp); 1362 open_attr(fp, "value"); 1363 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1364 close_attr(fp); 1365 open_attr(fp, "desc"); 1366 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1367 close_attr(fp); 1368 close_tag(fp, tok->id); 1369 } else { 1370 print_delim(fp, del); 1371 print_1_byte(fp, tok->tt.arg64.no, "%u"); 1372 print_delim(fp, del); 1373 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx"); 1374 print_delim(fp, del); 1375 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len); 1376 } 1377} 1378 1379/* 1380 * how to print 1 byte 1381 * basic unit 1 byte 1382 * unit count 1 byte 1383 * data items (depends on basic unit) 1384 */ 1385static int 1386fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len) 1387{ 1388 int err = 0; 1389 int datasize; 1390 1391 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err); 1392 if (err) 1393 return (-1); 1394 1395 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err); 1396 if (err) 1397 return (-1); 1398 1399 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err); 1400 if (err) 1401 return (-1); 1402 1403 /* 1404 * Determine the size of the basic unit. 1405 */ 1406 switch(tok->tt.arb.bu) { 1407 case AUR_BYTE: 1408 /* case AUR_CHAR: */ 1409 datasize = AUR_BYTE_SIZE; 1410 break; 1411 1412 case AUR_SHORT: 1413 datasize = AUR_SHORT_SIZE; 1414 break; 1415 1416 case AUR_INT32: 1417 /* case AUR_INT: */ 1418 datasize = AUR_INT32_SIZE; 1419 break; 1420 1421 case AUR_INT64: 1422 datasize = AUR_INT64_SIZE; 1423 break; 1424 1425 default: 1426 return (-1); 1427 } 1428 1429 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc, 1430 tok->len, err); 1431 if (err) 1432 return (-1); 1433 1434 return (0); 1435} 1436 1437static void 1438print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1439 __unused char sfrm, int xml) 1440{ 1441 char *str; 1442 char *format; 1443 size_t size; 1444 int i; 1445 1446 print_tok_type(fp, tok->id, "arbitrary", raw, xml); 1447 if (!xml) 1448 print_delim(fp, del); 1449 1450 switch(tok->tt.arb.howtopr) { 1451 case AUP_BINARY: 1452 str = "binary"; 1453 format = " %c"; 1454 break; 1455 1456 case AUP_OCTAL: 1457 str = "octal"; 1458 format = " %o"; 1459 break; 1460 1461 case AUP_DECIMAL: 1462 str = "decimal"; 1463 format = " %d"; 1464 break; 1465 1466 case AUP_HEX: 1467 str = "hex"; 1468 format = " %x"; 1469 break; 1470 1471 case AUP_STRING: 1472 str = "string"; 1473 format = "%c"; 1474 break; 1475 1476 default: 1477 return; 1478 } 1479 1480 if (xml) { 1481 open_attr(fp, "print"); 1482 fprintf(fp, "%s",str); 1483 close_attr(fp); 1484 } else { 1485 print_string(fp, str, strlen(str)); 1486 print_delim(fp, del); 1487 } 1488 switch(tok->tt.arb.bu) { 1489 case AUR_BYTE: 1490 /* case AUR_CHAR: */ 1491 str = "byte"; 1492 size = AUR_BYTE_SIZE; 1493 if (xml) { 1494 open_attr(fp, "type"); 1495 fprintf(fp, "%zu", size); 1496 close_attr(fp); 1497 open_attr(fp, "count"); 1498 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1499 close_attr(fp); 1500 fprintf(fp, ">"); 1501 for (i = 0; i<tok->tt.arb.uc; i++) 1502 fprintf(fp, format, *(tok->tt.arb.data + 1503 (size * i))); 1504 close_tag(fp, tok->id); 1505 } else { 1506 print_string(fp, str, strlen(str)); 1507 print_delim(fp, del); 1508 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1509 print_delim(fp, del); 1510 for (i = 0; i<tok->tt.arb.uc; i++) 1511 fprintf(fp, format, *(tok->tt.arb.data + 1512 (size * i))); 1513 } 1514 break; 1515 1516 case AUR_SHORT: 1517 str = "short"; 1518 size = AUR_SHORT_SIZE; 1519 if (xml) { 1520 open_attr(fp, "type"); 1521 fprintf(fp, "%zu", size); 1522 close_attr(fp); 1523 open_attr(fp, "count"); 1524 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1525 close_attr(fp); 1526 fprintf(fp, ">"); 1527 for (i = 0; i < tok->tt.arb.uc; i++) 1528 fprintf(fp, format, 1529 *((u_int16_t *)(tok->tt.arb.data + 1530 (size * i)))); 1531 close_tag(fp, tok->id); 1532 } else { 1533 print_string(fp, str, strlen(str)); 1534 print_delim(fp, del); 1535 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1536 print_delim(fp, del); 1537 for (i = 0; i < tok->tt.arb.uc; i++) 1538 fprintf(fp, format, 1539 *((u_int16_t *)(tok->tt.arb.data + 1540 (size * i)))); 1541 } 1542 break; 1543 1544 case AUR_INT32: 1545 /* case AUR_INT: */ 1546 str = "int"; 1547 size = AUR_INT32_SIZE; 1548 if (xml) { 1549 open_attr(fp, "type"); 1550 fprintf(fp, "%zu", size); 1551 close_attr(fp); 1552 open_attr(fp, "count"); 1553 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1554 close_attr(fp); 1555 fprintf(fp, ">"); 1556 for (i = 0; i < tok->tt.arb.uc; i++) 1557 fprintf(fp, format, 1558 *((u_int32_t *)(tok->tt.arb.data + 1559 (size * i)))); 1560 close_tag(fp, tok->id); 1561 } else { 1562 print_string(fp, str, strlen(str)); 1563 print_delim(fp, del); 1564 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1565 print_delim(fp, del); 1566 for (i = 0; i < tok->tt.arb.uc; i++) 1567 fprintf(fp, format, 1568 *((u_int32_t *)(tok->tt.arb.data + 1569 (size * i)))); 1570 } 1571 break; 1572 1573 case AUR_INT64: 1574 str = "int64"; 1575 size = AUR_INT64_SIZE; 1576 if (xml) { 1577 open_attr(fp, "type"); 1578 fprintf(fp, "%zu", size); 1579 close_attr(fp); 1580 open_attr(fp, "count"); 1581 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1582 close_attr(fp); 1583 fprintf(fp, ">"); 1584 for (i = 0; i < tok->tt.arb.uc; i++) 1585 fprintf(fp, format, 1586 *((u_int64_t *)(tok->tt.arb.data + 1587 (size * i)))); 1588 close_tag(fp, tok->id); 1589 } else { 1590 print_string(fp, str, strlen(str)); 1591 print_delim(fp, del); 1592 print_1_byte(fp, tok->tt.arb.uc, "%u"); 1593 print_delim(fp, del); 1594 for (i = 0; i < tok->tt.arb.uc; i++) 1595 fprintf(fp, format, 1596 *((u_int64_t *)(tok->tt.arb.data + 1597 (size * i)))); 1598 } 1599 break; 1600 1601 default: 1602 return; 1603 } 1604} 1605 1606/* 1607 * file access mode 4 bytes 1608 * owner user ID 4 bytes 1609 * owner group ID 4 bytes 1610 * file system ID 4 bytes 1611 * node ID 8 bytes 1612 * device 4 bytes/8 bytes (32-bit/64-bit) 1613 */ 1614static int 1615fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len) 1616{ 1617 int err = 0; 1618 1619 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err); 1620 if (err) 1621 return (-1); 1622 1623 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err); 1624 if (err) 1625 return (-1); 1626 1627 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err); 1628 if (err) 1629 return (-1); 1630 1631 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err); 1632 if (err) 1633 return (-1); 1634 1635 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err); 1636 if (err) 1637 return (-1); 1638 1639 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err); 1640 if (err) 1641 return (-1); 1642 1643 return (0); 1644} 1645 1646static void 1647print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1648 __unused char sfrm, int xml) 1649{ 1650 1651 print_tok_type(fp, tok->id, "attribute", raw, xml); 1652 if (xml) { 1653 open_attr(fp, "mode"); 1654 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1655 close_attr(fp); 1656 open_attr(fp, "uid"); 1657 print_user(fp, tok->tt.attr32.uid, raw); 1658 close_attr(fp); 1659 open_attr(fp, "gid"); 1660 print_group(fp, tok->tt.attr32.gid, raw); 1661 close_attr(fp); 1662 open_attr(fp, "fsid"); 1663 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1664 close_attr(fp); 1665 open_attr(fp, "nodeid"); 1666 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1667 close_attr(fp); 1668 open_attr(fp, "device"); 1669 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1670 close_attr(fp); 1671 close_tag(fp, tok->id); 1672 } else { 1673 print_delim(fp, del); 1674 print_4_bytes(fp, tok->tt.attr32.mode, "%o"); 1675 print_delim(fp, del); 1676 print_user(fp, tok->tt.attr32.uid, raw); 1677 print_delim(fp, del); 1678 print_group(fp, tok->tt.attr32.gid, raw); 1679 print_delim(fp, del); 1680 print_4_bytes(fp, tok->tt.attr32.fsid, "%u"); 1681 print_delim(fp, del); 1682 print_8_bytes(fp, tok->tt.attr32.nid, "%lld"); 1683 print_delim(fp, del); 1684 print_4_bytes(fp, tok->tt.attr32.dev, "%u"); 1685 } 1686} 1687 1688/* 1689 * file access mode 4 bytes 1690 * owner user ID 4 bytes 1691 * owner group ID 4 bytes 1692 * file system ID 4 bytes 1693 * node ID 8 bytes 1694 * device 4 bytes/8 bytes (32-bit/64-bit) 1695 */ 1696static int 1697fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len) 1698{ 1699 int err = 0; 1700 1701 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err); 1702 if (err) 1703 return (-1); 1704 1705 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err); 1706 if (err) 1707 return (-1); 1708 1709 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err); 1710 if (err) 1711 return (-1); 1712 1713 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err); 1714 if (err) 1715 return (-1); 1716 1717 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err); 1718 if (err) 1719 return (-1); 1720 1721 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err); 1722 if (err) 1723 return (-1); 1724 1725 return (0); 1726} 1727 1728static void 1729print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1730 __unused char sfrm, int xml) 1731{ 1732 1733 print_tok_type(fp, tok->id, "attribute", raw, xml); 1734 if (xml) { 1735 open_attr(fp, "mode"); 1736 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1737 close_attr(fp); 1738 open_attr(fp, "uid"); 1739 print_user(fp, tok->tt.attr64.uid, raw); 1740 close_attr(fp); 1741 open_attr(fp, "gid"); 1742 print_group(fp, tok->tt.attr64.gid, raw); 1743 close_attr(fp); 1744 open_attr(fp, "fsid"); 1745 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1746 close_attr(fp); 1747 open_attr(fp, "nodeid"); 1748 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1749 close_attr(fp); 1750 open_attr(fp, "device"); 1751 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1752 close_attr(fp); 1753 close_tag(fp, tok->id); 1754 } else { 1755 print_delim(fp, del); 1756 print_4_bytes(fp, tok->tt.attr64.mode, "%o"); 1757 print_delim(fp, del); 1758 print_user(fp, tok->tt.attr64.uid, raw); 1759 print_delim(fp, del); 1760 print_group(fp, tok->tt.attr64.gid, raw); 1761 print_delim(fp, del); 1762 print_4_bytes(fp, tok->tt.attr64.fsid, "%u"); 1763 print_delim(fp, del); 1764 print_8_bytes(fp, tok->tt.attr64.nid, "%lld"); 1765 print_delim(fp, del); 1766 print_8_bytes(fp, tok->tt.attr64.dev, "%llu"); 1767 } 1768} 1769 1770/* 1771 * status 4 bytes 1772 * return value 4 bytes 1773 */ 1774static int 1775fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len) 1776{ 1777 int err = 0; 1778 1779 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err); 1780 if (err) 1781 return (-1); 1782 1783 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err); 1784 if (err) 1785 return (-1); 1786 1787 return (0); 1788} 1789 1790static void 1791print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1792 __unused char sfrm, int xml) 1793{ 1794 1795 print_tok_type(fp, tok->id, "exit", raw, xml); 1796 if (xml) { 1797 open_attr(fp, "errval"); 1798 print_errval(fp, tok->tt.exit.status); 1799 close_attr(fp); 1800 open_attr(fp, "retval"); 1801 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1802 close_attr(fp); 1803 close_tag(fp, tok->id); 1804 } else { 1805 print_delim(fp, del); 1806 print_errval(fp, tok->tt.exit.status); 1807 print_delim(fp, del); 1808 print_4_bytes(fp, tok->tt.exit.ret, "%u"); 1809 } 1810} 1811 1812/* 1813 * count 4 bytes 1814 * text count null-terminated string(s) 1815 */ 1816static int 1817fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len) 1818{ 1819 int err = 0; 1820 u_int32_t i; 1821 u_char *bptr; 1822 1823 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err); 1824 if (err) 1825 return (-1); 1826 1827 for (i = 0; i < tok->tt.execarg.count; i++) { 1828 bptr = buf + tok->len; 1829 if (i < AUDIT_MAX_ARGS) 1830 tok->tt.execarg.text[i] = (char*)bptr; 1831 1832 /* Look for a null terminated string. */ 1833 while (bptr && (*bptr != '\0')) { 1834 if (++tok->len >= (u_int32_t)len) 1835 return (-1); 1836 bptr = buf + tok->len; 1837 } 1838 if (!bptr) 1839 return (-1); 1840 tok->len++; /* \0 character */ 1841 } 1842 if (tok->tt.execarg.count > AUDIT_MAX_ARGS) 1843 tok->tt.execarg.count = AUDIT_MAX_ARGS; 1844 1845 return (0); 1846} 1847 1848static void 1849print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1850 __unused char sfrm, int xml) 1851{ 1852 u_int32_t i; 1853 1854 print_tok_type(fp, tok->id, "exec arg", raw, xml); 1855 for (i = 0; i < tok->tt.execarg.count; i++) { 1856 if (xml) { 1857 fprintf(fp, "<arg>"); 1858 print_string(fp, tok->tt.execarg.text[i], 1859 strlen(tok->tt.execarg.text[i])); 1860 fprintf(fp, "</arg>"); 1861 } else { 1862 print_delim(fp, del); 1863 print_string(fp, tok->tt.execarg.text[i], 1864 strlen(tok->tt.execarg.text[i])); 1865 } 1866 } 1867 if (xml) 1868 close_tag(fp, tok->id); 1869} 1870 1871/* 1872 * count 4 bytes 1873 * text count null-terminated string(s) 1874 */ 1875static int 1876fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len) 1877{ 1878 int err = 0; 1879 u_int32_t i; 1880 u_char *bptr; 1881 1882 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err); 1883 if (err) 1884 return (-1); 1885 1886 for (i = 0; i < tok->tt.execenv.count; i++) { 1887 bptr = buf + tok->len; 1888 if (i < AUDIT_MAX_ENV) 1889 tok->tt.execenv.text[i] = (char*)bptr; 1890 1891 /* Look for a null terminated string. */ 1892 while (bptr && (*bptr != '\0')) { 1893 if (++tok->len >= (u_int32_t)len) 1894 return (-1); 1895 bptr = buf + tok->len; 1896 } 1897 if (!bptr) 1898 return (-1); 1899 tok->len++; /* \0 character */ 1900 } 1901 if (tok->tt.execenv.count > AUDIT_MAX_ENV) 1902 tok->tt.execenv.count = AUDIT_MAX_ENV; 1903 1904 return (0); 1905} 1906 1907static void 1908print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1909 __unused char sfrm, int xml) 1910{ 1911 u_int32_t i; 1912 1913 print_tok_type(fp, tok->id, "exec env", raw, xml); 1914 for (i = 0; i< tok->tt.execenv.count; i++) { 1915 if (xml) { 1916 fprintf(fp, "<env>"); 1917 print_string(fp, tok->tt.execenv.text[i], 1918 strlen(tok->tt.execenv.text[i])); 1919 fprintf(fp, "</env>"); 1920 } else { 1921 print_delim(fp, del); 1922 print_string(fp, tok->tt.execenv.text[i], 1923 strlen(tok->tt.execenv.text[i])); 1924 } 1925 } 1926 if (xml) 1927 close_tag(fp, tok->id); 1928} 1929 1930/* 1931 * seconds of time 4 bytes 1932 * milliseconds of time 4 bytes 1933 * file name len 2 bytes 1934 * file pathname N bytes + 1 terminating NULL byte 1935 */ 1936static int 1937fetch_file_tok(tokenstr_t *tok, u_char *buf, int len) 1938{ 1939 int err = 0; 1940 1941 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err); 1942 if (err) 1943 return (-1); 1944 1945 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err); 1946 if (err) 1947 return (-1); 1948 1949 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err); 1950 if (err) 1951 return (-1); 1952 1953 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, 1954 err); 1955 if (err) 1956 return (-1); 1957 1958 return (0); 1959} 1960 1961static void 1962print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 1963 __unused char sfrm, int xml) 1964{ 1965 1966 print_tok_type(fp, tok->id, "file", raw, xml); 1967 if (xml) { 1968 open_attr(fp, "time"); 1969 print_sec32(fp, tok->tt.file.s, raw); 1970 close_attr(fp); 1971 open_attr(fp, "msec"); 1972 print_msec32(fp, tok->tt.file.ms, raw); 1973 close_attr(fp); 1974 fprintf(fp, ">"); 1975 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1976 close_tag(fp, tok->id); 1977 } else { 1978 print_delim(fp, del); 1979 print_sec32(fp, tok->tt.file.s, raw); 1980 print_delim(fp, del); 1981 print_msec32(fp, tok->tt.file.ms, raw); 1982 print_delim(fp, del); 1983 print_string(fp, tok->tt.file.name, tok->tt.file.len); 1984 } 1985} 1986 1987/* 1988 * number groups 2 bytes 1989 * group list count * 4 bytes 1990 */ 1991static int 1992fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len) 1993{ 1994 int i; 1995 int err = 0; 1996 1997 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err); 1998 if (err) 1999 return (-1); 2000 2001 for (i = 0; i<tok->tt.grps.no; i++) { 2002 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len, 2003 err); 2004 if (err) 2005 return (-1); 2006 } 2007 2008 return (0); 2009} 2010 2011static void 2012print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2013 __unused char sfrm, int xml) 2014{ 2015 int i; 2016 2017 print_tok_type(fp, tok->id, "group", raw, xml); 2018 for (i = 0; i < tok->tt.grps.no; i++) { 2019 if (xml) { 2020 fprintf(fp, "<gid>"); 2021 print_group(fp, tok->tt.grps.list[i], raw); 2022 fprintf(fp, "</gid>"); 2023 close_tag(fp, tok->id); 2024 } else { 2025 print_delim(fp, del); 2026 print_group(fp, tok->tt.grps.list[i], raw); 2027 } 2028 } 2029} 2030 2031/* 2032 * Internet addr 4 bytes 2033 */ 2034static int 2035fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len) 2036{ 2037 int err = 0; 2038 2039 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t), 2040 tok->len, err); 2041 if (err) 2042 return (-1); 2043 2044 return (0); 2045 2046} 2047 2048static void 2049print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2050 __unused char sfrm, int xml) 2051{ 2052 2053 print_tok_type(fp, tok->id, "ip addr", raw, xml); 2054 if (xml) { 2055 print_ip_address(fp, tok->tt.inaddr.addr); 2056 close_tag(fp, tok->id); 2057 } else { 2058 print_delim(fp, del); 2059 print_ip_address(fp, tok->tt.inaddr.addr); 2060 } 2061} 2062 2063/* 2064 * type 4 bytes 2065 * address 16 bytes 2066 */ 2067static int 2068fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len) 2069{ 2070 int err = 0; 2071 2072 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err); 2073 if (err) 2074 return (-1); 2075 2076 if (tok->tt.inaddr_ex.type == AU_IPv4) { 2077 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0], 2078 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err); 2079 if (err) 2080 return (-1); 2081 } else if (tok->tt.inaddr_ex.type == AU_IPv6) { 2082 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr, 2083 sizeof(tok->tt.inaddr_ex.addr), tok->len, err); 2084 if (err) 2085 return (-1); 2086 } else 2087 return (-1); 2088 2089 return (0); 2090} 2091 2092static void 2093print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2094 __unused char sfrm, int xml) 2095{ 2096 2097 print_tok_type(fp, tok->id, "ip addr ex", raw, xml); 2098 if (xml) { 2099 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2100 tok->tt.inaddr_ex.addr); 2101 close_tag(fp, tok->id); 2102 } else { 2103 print_delim(fp, del); 2104 print_ip_ex_address(fp, tok->tt.inaddr_ex.type, 2105 tok->tt.inaddr_ex.addr); 2106 } 2107} 2108 2109/* 2110 * ip header 20 bytes 2111 */ 2112static int 2113fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len) 2114{ 2115 int err = 0; 2116 2117 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err); 2118 if (err) 2119 return (-1); 2120 2121 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err); 2122 if (err) 2123 return (-1); 2124 2125 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t), 2126 tok->len, err); 2127 if (err) 2128 return (-1); 2129 2130 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t), 2131 tok->len, err); 2132 if (err) 2133 return (-1); 2134 2135 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t), 2136 tok->len, err); 2137 if (err) 2138 return (-1); 2139 2140 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err); 2141 if (err) 2142 return (-1); 2143 2144 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err); 2145 if (err) 2146 return (-1); 2147 2148 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t), 2149 tok->len, err); 2150 if (err) 2151 return (-1); 2152 2153 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src), 2154 tok->len, err); 2155 if (err) 2156 return (-1); 2157 2158 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest), 2159 tok->len, err); 2160 if (err) 2161 return (-1); 2162 2163 return (0); 2164} 2165 2166static void 2167print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2168 __unused char sfrm, int xml) 2169{ 2170 2171 print_tok_type(fp, tok->id, "ip", raw, xml); 2172 if (xml) { 2173 open_attr(fp, "version"); 2174 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2175 sizeof(u_char)); 2176 close_attr(fp); 2177 open_attr(fp, "service_type"); 2178 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2179 close_attr(fp); 2180 open_attr(fp, "len"); 2181 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2182 close_attr(fp); 2183 open_attr(fp, "id"); 2184 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2185 close_attr(fp); 2186 open_attr(fp, "offset"); 2187 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2188 close_attr(fp); 2189 open_attr(fp, "time_to_live"); 2190 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2191 close_attr(fp); 2192 open_attr(fp, "protocol"); 2193 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2194 close_attr(fp); 2195 open_attr(fp, "cksum"); 2196 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2197 close_attr(fp); 2198 open_attr(fp, "src_addr"); 2199 print_ip_address(fp, tok->tt.ip.src); 2200 close_attr(fp); 2201 open_attr(fp, "dest_addr"); 2202 print_ip_address(fp, tok->tt.ip.dest); 2203 close_attr(fp); 2204 close_tag(fp, tok->id); 2205 } else { 2206 print_delim(fp, del); 2207 print_mem(fp, (u_char *)(&tok->tt.ip.version), 2208 sizeof(u_char)); 2209 print_delim(fp, del); 2210 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char)); 2211 print_delim(fp, del); 2212 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u"); 2213 print_delim(fp, del); 2214 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u"); 2215 print_delim(fp, del); 2216 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u"); 2217 print_delim(fp, del); 2218 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char)); 2219 print_delim(fp, del); 2220 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char)); 2221 print_delim(fp, del); 2222 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u"); 2223 print_delim(fp, del); 2224 print_ip_address(fp, tok->tt.ip.src); 2225 print_delim(fp, del); 2226 print_ip_address(fp, tok->tt.ip.dest); 2227 } 2228} 2229 2230/* 2231 * object ID type 1 byte 2232 * Object ID 4 bytes 2233 */ 2234static int 2235fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len) 2236{ 2237 int err = 0; 2238 2239 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err); 2240 if (err) 2241 return (-1); 2242 2243 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err); 2244 if (err) 2245 return (-1); 2246 2247 return (0); 2248} 2249 2250static void 2251print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2252 __unused char sfrm, int xml) 2253{ 2254 2255 print_tok_type(fp, tok->id, "IPC", raw, xml); 2256 if (xml) { 2257 open_attr(fp, "ipc-type"); 2258 print_ipctype(fp, tok->tt.ipc.type, raw); 2259 close_attr(fp); 2260 open_attr(fp, "ipc-id"); 2261 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2262 close_attr(fp); 2263 close_tag(fp, tok->id); 2264 } else { 2265 print_delim(fp, del); 2266 print_ipctype(fp, tok->tt.ipc.type, raw); 2267 print_delim(fp, del); 2268 print_4_bytes(fp, tok->tt.ipc.id, "%u"); 2269 } 2270} 2271 2272/* 2273 * owner user id 4 bytes 2274 * owner group id 4 bytes 2275 * creator user id 4 bytes 2276 * creator group id 4 bytes 2277 * access mode 4 bytes 2278 * slot seq 4 bytes 2279 * key 4 bytes 2280 */ 2281static int 2282fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len) 2283{ 2284 int err = 0; 2285 2286 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err); 2287 if (err) 2288 return (-1); 2289 2290 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err); 2291 if (err) 2292 return (-1); 2293 2294 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err); 2295 if (err) 2296 return (-1); 2297 2298 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err); 2299 if (err) 2300 return (-1); 2301 2302 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err); 2303 if (err) 2304 return (-1); 2305 2306 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err); 2307 if (err) 2308 return (-1); 2309 2310 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err); 2311 if (err) 2312 return (-1); 2313 2314 return (0); 2315} 2316 2317static void 2318print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2319 __unused char sfrm, int xml) 2320{ 2321 2322 print_tok_type(fp, tok->id, "IPC perm", raw, xml); 2323 if (xml) { 2324 open_attr(fp, "uid"); 2325 print_user(fp, tok->tt.ipcperm.uid, raw); 2326 close_attr(fp); 2327 open_attr(fp, "gid"); 2328 print_group(fp, tok->tt.ipcperm.gid, raw); 2329 close_attr(fp); 2330 open_attr(fp, "creator-uid"); 2331 print_user(fp, tok->tt.ipcperm.puid, raw); 2332 close_attr(fp); 2333 open_attr(fp, "creator-gid"); 2334 print_group(fp, tok->tt.ipcperm.pgid, raw); 2335 close_attr(fp); 2336 open_attr(fp, "mode"); 2337 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2338 close_attr(fp); 2339 open_attr(fp, "seq"); 2340 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2341 close_attr(fp); 2342 open_attr(fp, "key"); 2343 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2344 close_attr(fp); 2345 close_tag(fp, tok->id); 2346 } else { 2347 print_delim(fp, del); 2348 print_user(fp, tok->tt.ipcperm.uid, raw); 2349 print_delim(fp, del); 2350 print_group(fp, tok->tt.ipcperm.gid, raw); 2351 print_delim(fp, del); 2352 print_user(fp, tok->tt.ipcperm.puid, raw); 2353 print_delim(fp, del); 2354 print_group(fp, tok->tt.ipcperm.pgid, raw); 2355 print_delim(fp, del); 2356 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o"); 2357 print_delim(fp, del); 2358 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u"); 2359 print_delim(fp, del); 2360 print_4_bytes(fp, tok->tt.ipcperm.key, "%u"); 2361 } 2362} 2363 2364/* 2365 * port Ip address 2 bytes 2366 */ 2367static int 2368fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len) 2369{ 2370 int err = 0; 2371 2372 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t), 2373 tok->len, err); 2374 if (err) 2375 return (-1); 2376 2377 return (0); 2378} 2379 2380static void 2381print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2382 __unused char sfrm, int xml) 2383{ 2384 2385 print_tok_type(fp, tok->id, "ip port", raw, xml); 2386 if (xml) { 2387 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2388 close_tag(fp, tok->id); 2389 } else { 2390 print_delim(fp, del); 2391 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x"); 2392 } 2393} 2394 2395/* 2396 * size 2 bytes 2397 * data size bytes 2398 */ 2399static int 2400fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len) 2401{ 2402 int err = 0; 2403 2404 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err); 2405 if (err) 2406 return (-1); 2407 2408 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size, 2409 tok->len, err); 2410 if (err) 2411 return (-1); 2412 2413 return (0); 2414} 2415 2416static void 2417print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2418 __unused char sfrm, int xml) 2419{ 2420 2421 print_tok_type(fp, tok->id, "opaque", raw, xml); 2422 if (xml) { 2423 print_mem(fp, (u_char*)tok->tt.opaque.data, 2424 tok->tt.opaque.size); 2425 close_tag(fp, tok->id); 2426 } else { 2427 print_delim(fp, del); 2428 print_2_bytes(fp, tok->tt.opaque.size, "%u"); 2429 print_delim(fp, del); 2430 print_mem(fp, (u_char*)tok->tt.opaque.data, 2431 tok->tt.opaque.size); 2432 } 2433} 2434 2435/* 2436 * size 2 bytes 2437 * data size bytes 2438 */ 2439static int 2440fetch_path_tok(tokenstr_t *tok, u_char *buf, int len) 2441{ 2442 int err = 0; 2443 2444 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err); 2445 if (err) 2446 return (-1); 2447 2448 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, 2449 err); 2450 if (err) 2451 return (-1); 2452 2453 return (0); 2454} 2455 2456static void 2457print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2458 __unused char sfrm, int xml) 2459{ 2460 2461 print_tok_type(fp, tok->id, "path", raw, xml); 2462 if (xml) { 2463 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2464 close_tag(fp, tok->id); 2465 } else { 2466 print_delim(fp, del); 2467 print_string(fp, tok->tt.path.path, tok->tt.path.len); 2468 } 2469} 2470 2471/* 2472 * token ID 1 byte 2473 * audit ID 4 bytes 2474 * euid 4 bytes 2475 * egid 4 bytes 2476 * ruid 4 bytes 2477 * rgid 4 bytes 2478 * pid 4 bytes 2479 * sessid 4 bytes 2480 * terminal ID 2481 * portid 4 bytes 2482 * machine id 4 bytes 2483 */ 2484static int 2485fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len) 2486{ 2487 int err = 0; 2488 2489 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err); 2490 if (err) 2491 return (-1); 2492 2493 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err); 2494 if (err) 2495 return (-1); 2496 2497 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err); 2498 if (err) 2499 return (-1); 2500 2501 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err); 2502 if (err) 2503 return (-1); 2504 2505 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err); 2506 if (err) 2507 return (-1); 2508 2509 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err); 2510 if (err) 2511 return (-1); 2512 2513 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err); 2514 if (err) 2515 return (-1); 2516 2517 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err); 2518 if (err) 2519 return (-1); 2520 2521 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr, 2522 sizeof(tok->tt.proc32.tid.addr), tok->len, err); 2523 if (err) 2524 return (-1); 2525 2526 return (0); 2527} 2528 2529static void 2530print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2531 __unused char sfrm, int xml) 2532{ 2533 2534 print_tok_type(fp, tok->id, "process", raw, xml); 2535 if (xml) { 2536 open_attr(fp, "audit-uid"); 2537 print_user(fp, tok->tt.proc32.auid, raw); 2538 close_attr(fp); 2539 open_attr(fp, "uid"); 2540 print_user(fp, tok->tt.proc32.euid, raw); 2541 close_attr(fp); 2542 open_attr(fp, "gid"); 2543 print_group(fp, tok->tt.proc32.egid, raw); 2544 close_attr(fp); 2545 open_attr(fp, "ruid"); 2546 print_user(fp, tok->tt.proc32.ruid, raw); 2547 close_attr(fp); 2548 open_attr(fp, "rgid"); 2549 print_group(fp, tok->tt.proc32.rgid, raw); 2550 close_attr(fp); 2551 open_attr(fp, "pid"); 2552 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2553 close_attr(fp); 2554 open_attr(fp, "sid"); 2555 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2556 close_attr(fp); 2557 open_attr(fp, "tid"); 2558 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2559 print_ip_address(fp, tok->tt.proc32.tid.addr); 2560 close_attr(fp); 2561 close_tag(fp, tok->id); 2562 } else { 2563 print_delim(fp, del); 2564 print_user(fp, tok->tt.proc32.auid, raw); 2565 print_delim(fp, del); 2566 print_user(fp, tok->tt.proc32.euid, raw); 2567 print_delim(fp, del); 2568 print_group(fp, tok->tt.proc32.egid, raw); 2569 print_delim(fp, del); 2570 print_user(fp, tok->tt.proc32.ruid, raw); 2571 print_delim(fp, del); 2572 print_group(fp, tok->tt.proc32.rgid, raw); 2573 print_delim(fp, del); 2574 print_4_bytes(fp, tok->tt.proc32.pid, "%u"); 2575 print_delim(fp, del); 2576 print_4_bytes(fp, tok->tt.proc32.sid, "%u"); 2577 print_delim(fp, del); 2578 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u"); 2579 print_delim(fp, del); 2580 print_ip_address(fp, tok->tt.proc32.tid.addr); 2581 } 2582} 2583 2584/* 2585 * token ID 1 byte 2586 * audit ID 4 bytes 2587 * euid 4 bytes 2588 * egid 4 bytes 2589 * ruid 4 bytes 2590 * rgid 4 bytes 2591 * pid 4 bytes 2592 * sessid 4 bytes 2593 * terminal ID 2594 * portid 8 bytes 2595 * machine id 4 bytes 2596 */ 2597static int 2598fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len) 2599{ 2600 int err = 0; 2601 2602 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err); 2603 if (err) 2604 return (-1); 2605 2606 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err); 2607 if (err) 2608 return (-1); 2609 2610 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err); 2611 if (err) 2612 return (-1); 2613 2614 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err); 2615 if (err) 2616 return (-1); 2617 2618 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err); 2619 if (err) 2620 return (-1); 2621 2622 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err); 2623 if (err) 2624 return (-1); 2625 2626 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err); 2627 if (err) 2628 return (-1); 2629 2630 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err); 2631 if (err) 2632 return (-1); 2633 2634 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr, 2635 sizeof(tok->tt.proc64.tid.addr), tok->len, err); 2636 if (err) 2637 return (-1); 2638 2639 return (0); 2640} 2641 2642static void 2643print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2644 __unused char sfrm, int xml) 2645{ 2646 print_tok_type(fp, tok->id, "process", raw, xml); 2647 if (xml) { 2648 open_attr(fp, "audit-uid"); 2649 print_user(fp, tok->tt.proc64.auid, raw); 2650 close_attr(fp); 2651 open_attr(fp, "uid"); 2652 print_user(fp, tok->tt.proc64.euid, raw); 2653 close_attr(fp); 2654 open_attr(fp, "gid"); 2655 print_group(fp, tok->tt.proc64.egid, raw); 2656 close_attr(fp); 2657 open_attr(fp, "ruid"); 2658 print_user(fp, tok->tt.proc64.ruid, raw); 2659 close_attr(fp); 2660 open_attr(fp, "rgid"); 2661 print_group(fp, tok->tt.proc64.rgid, raw); 2662 close_attr(fp); 2663 open_attr(fp, "pid"); 2664 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2665 close_attr(fp); 2666 open_attr(fp, "sid"); 2667 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2668 close_attr(fp); 2669 open_attr(fp, "tid"); 2670 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2671 print_ip_address(fp, tok->tt.proc64.tid.addr); 2672 close_attr(fp); 2673 close_tag(fp, tok->id); 2674 } else { 2675 print_delim(fp, del); 2676 print_user(fp, tok->tt.proc64.auid, raw); 2677 print_delim(fp, del); 2678 print_user(fp, tok->tt.proc64.euid, raw); 2679 print_delim(fp, del); 2680 print_group(fp, tok->tt.proc64.egid, raw); 2681 print_delim(fp, del); 2682 print_user(fp, tok->tt.proc64.ruid, raw); 2683 print_delim(fp, del); 2684 print_group(fp, tok->tt.proc64.rgid, raw); 2685 print_delim(fp, del); 2686 print_4_bytes(fp, tok->tt.proc64.pid, "%u"); 2687 print_delim(fp, del); 2688 print_4_bytes(fp, tok->tt.proc64.sid, "%u"); 2689 print_delim(fp, del); 2690 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu"); 2691 print_delim(fp, del); 2692 print_ip_address(fp, tok->tt.proc64.tid.addr); 2693 } 2694} 2695 2696/* 2697 * token ID 1 byte 2698 * audit ID 4 bytes 2699 * effective user ID 4 bytes 2700 * effective group ID 4 bytes 2701 * real user ID 4 bytes 2702 * real group ID 4 bytes 2703 * process ID 4 bytes 2704 * session ID 4 bytes 2705 * terminal ID 2706 * port ID 4 bytes 2707 * address type-len 4 bytes 2708 * machine address 16 bytes 2709 */ 2710static int 2711fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len) 2712{ 2713 int err = 0; 2714 2715 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err); 2716 if (err) 2717 return (-1); 2718 2719 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err); 2720 if (err) 2721 return (-1); 2722 2723 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err); 2724 if (err) 2725 return (-1); 2726 2727 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err); 2728 if (err) 2729 return (-1); 2730 2731 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err); 2732 if (err) 2733 return (-1); 2734 2735 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err); 2736 if (err) 2737 return (-1); 2738 2739 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err); 2740 if (err) 2741 return (-1); 2742 2743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len, 2744 err); 2745 if (err) 2746 return (-1); 2747 2748 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len, 2749 err); 2750 if (err) 2751 return (-1); 2752 2753 if (tok->tt.proc32_ex.tid.type == AU_IPv4) { 2754 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0], 2755 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err); 2756 if (err) 2757 return (-1); 2758 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) { 2759 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr, 2760 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err); 2761 if (err) 2762 return (-1); 2763 } else 2764 return (-1); 2765 2766 return (0); 2767} 2768 2769static void 2770print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2771 __unused char sfrm, int xml) 2772{ 2773 2774 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2775 if (xml) { 2776 open_attr(fp, "audit-uid"); 2777 print_user(fp, tok->tt.proc32_ex.auid, raw); 2778 close_attr(fp); 2779 open_attr(fp, "uid"); 2780 print_user(fp, tok->tt.proc32_ex.euid, raw); 2781 close_attr(fp); 2782 open_attr(fp, "gid"); 2783 print_group(fp, tok->tt.proc32_ex.egid, raw); 2784 close_attr(fp); 2785 open_attr(fp, "ruid"); 2786 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2787 close_attr(fp); 2788 open_attr(fp, "rgid"); 2789 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2790 close_attr(fp); 2791 open_attr(fp, "pid"); 2792 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2793 close_attr(fp); 2794 open_attr(fp, "sid"); 2795 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2796 close_attr(fp); 2797 open_attr(fp, "tid"); 2798 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2799 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2800 tok->tt.proc32_ex.tid.addr); 2801 close_attr(fp); 2802 close_tag(fp, tok->id); 2803 } else { 2804 print_delim(fp, del); 2805 print_user(fp, tok->tt.proc32_ex.auid, raw); 2806 print_delim(fp, del); 2807 print_user(fp, tok->tt.proc32_ex.euid, raw); 2808 print_delim(fp, del); 2809 print_group(fp, tok->tt.proc32_ex.egid, raw); 2810 print_delim(fp, del); 2811 print_user(fp, tok->tt.proc32_ex.ruid, raw); 2812 print_delim(fp, del); 2813 print_group(fp, tok->tt.proc32_ex.rgid, raw); 2814 print_delim(fp, del); 2815 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u"); 2816 print_delim(fp, del); 2817 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u"); 2818 print_delim(fp, del); 2819 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u"); 2820 print_delim(fp, del); 2821 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type, 2822 tok->tt.proc32_ex.tid.addr); 2823 } 2824} 2825 2826/* 2827 * token ID 1 byte 2828 * audit ID 4 bytes 2829 * effective user ID 4 bytes 2830 * effective group ID 4 bytes 2831 * real user ID 4 bytes 2832 * real group ID 4 bytes 2833 * process ID 4 bytes 2834 * session ID 4 bytes 2835 * terminal ID 2836 * port ID 8 bytes 2837 * address type-len 4 bytes 2838 * machine address 16 bytes 2839 */ 2840static int 2841fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len) 2842{ 2843 int err = 0; 2844 2845 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err); 2846 if (err) 2847 return (-1); 2848 2849 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err); 2850 if (err) 2851 return (-1); 2852 2853 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err); 2854 if (err) 2855 return (-1); 2856 2857 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err); 2858 if (err) 2859 return (-1); 2860 2861 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err); 2862 if (err) 2863 return (-1); 2864 2865 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err); 2866 if (err) 2867 return (-1); 2868 2869 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err); 2870 if (err) 2871 return (-1); 2872 2873 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len, 2874 err); 2875 if (err) 2876 return (-1); 2877 2878 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len, 2879 err); 2880 if (err) 2881 return (-1); 2882 2883 if (tok->tt.proc64_ex.tid.type == AU_IPv4) { 2884 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0], 2885 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err); 2886 if (err) 2887 return (-1); 2888 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) { 2889 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr, 2890 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err); 2891 if (err) 2892 return (-1); 2893 } else 2894 return (-1); 2895 2896 return (0); 2897} 2898 2899static void 2900print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2901 __unused char sfrm, int xml) 2902{ 2903 print_tok_type(fp, tok->id, "process_ex", raw, xml); 2904 if (xml) { 2905 open_attr(fp, "audit-uid"); 2906 print_user(fp, tok->tt.proc64_ex.auid, raw); 2907 close_attr(fp); 2908 open_attr(fp, "uid"); 2909 print_user(fp, tok->tt.proc64_ex.euid, raw); 2910 close_attr(fp); 2911 open_attr(fp, "gid"); 2912 print_group(fp, tok->tt.proc64_ex.egid, raw); 2913 close_attr(fp); 2914 open_attr(fp, "ruid"); 2915 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2916 close_attr(fp); 2917 open_attr(fp, "rgid"); 2918 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2919 close_attr(fp); 2920 open_attr(fp, "pid"); 2921 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2922 close_attr(fp); 2923 open_attr(fp, "sid"); 2924 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2925 close_attr(fp); 2926 open_attr(fp, "tid"); 2927 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2928 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2929 tok->tt.proc64_ex.tid.addr); 2930 close_attr(fp); 2931 close_tag(fp, tok->id); 2932 } else { 2933 print_delim(fp, del); 2934 print_user(fp, tok->tt.proc64_ex.auid, raw); 2935 print_delim(fp, del); 2936 print_user(fp, tok->tt.proc64_ex.euid, raw); 2937 print_delim(fp, del); 2938 print_group(fp, tok->tt.proc64_ex.egid, raw); 2939 print_delim(fp, del); 2940 print_user(fp, tok->tt.proc64_ex.ruid, raw); 2941 print_delim(fp, del); 2942 print_group(fp, tok->tt.proc64_ex.rgid, raw); 2943 print_delim(fp, del); 2944 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u"); 2945 print_delim(fp, del); 2946 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u"); 2947 print_delim(fp, del); 2948 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu"); 2949 print_delim(fp, del); 2950 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type, 2951 tok->tt.proc64_ex.tid.addr); 2952 } 2953} 2954 2955/* 2956 * errno 1 byte 2957 * return value 4 bytes 2958 */ 2959static int 2960fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len) 2961{ 2962 int err = 0; 2963 2964 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err); 2965 if (err) 2966 return (-1); 2967 2968 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err); 2969 if (err) 2970 return (-1); 2971 2972 return (0); 2973} 2974 2975static void 2976print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 2977 __unused char sfrm, int xml) 2978{ 2979 2980 print_tok_type(fp, tok->id, "return", raw, xml); 2981 if (xml) { 2982 open_attr(fp ,"errval"); 2983 print_retval(fp, tok->tt.ret32.status, raw); 2984 close_attr(fp); 2985 open_attr(fp, "retval"); 2986 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2987 close_attr(fp); 2988 close_tag(fp, tok->id); 2989 } else { 2990 print_delim(fp, del); 2991 print_retval(fp, tok->tt.ret32.status, raw); 2992 print_delim(fp, del); 2993 print_4_bytes(fp, tok->tt.ret32.ret, "%u"); 2994 } 2995} 2996 2997static int 2998fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len) 2999{ 3000 int err = 0; 3001 3002 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err); 3003 if (err) 3004 return (-1); 3005 3006 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err); 3007 if (err) 3008 return (-1); 3009 3010 return (0); 3011} 3012 3013static void 3014print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3015 __unused char sfrm, int xml) 3016{ 3017 3018 print_tok_type(fp, tok->id, "return", raw, xml); 3019 if (xml) { 3020 open_attr(fp, "errval"); 3021 print_retval(fp, tok->tt.ret64.err, raw); 3022 close_attr(fp); 3023 open_attr(fp, "retval"); 3024 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3025 close_attr(fp); 3026 close_tag(fp, tok->id); 3027 } else { 3028 print_delim(fp, del); 3029 print_retval(fp, tok->tt.ret64.err, raw); 3030 print_delim(fp, del); 3031 print_8_bytes(fp, tok->tt.ret64.val, "%lld"); 3032 } 3033} 3034 3035/* 3036 * seq 4 bytes 3037 */ 3038static int 3039fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len) 3040{ 3041 int err = 0; 3042 3043 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err); 3044 if (err) 3045 return (-1); 3046 3047 return (0); 3048} 3049 3050static void 3051print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3052 __unused char sfrm, int xml) 3053{ 3054 3055 print_tok_type(fp, tok->id, "sequence", raw, xml); 3056 if (xml) { 3057 open_attr(fp, "seq-num"); 3058 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3059 close_attr(fp); 3060 close_tag(fp, tok->id); 3061 } else { 3062 print_delim(fp, del); 3063 print_4_bytes(fp, tok->tt.seq.seqno, "%u"); 3064 } 3065} 3066 3067/* 3068 * socket family 2 bytes 3069 * local port 2 bytes 3070 * socket address 4 bytes 3071 */ 3072static int 3073fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len) 3074{ 3075 int err = 0; 3076 3077 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3078 err); 3079 if (err) 3080 return (-1); 3081 3082 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3083 sizeof(uint16_t), tok->len, err); 3084 if (err) 3085 return (-1); 3086 3087 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3088 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err); 3089 if (err) 3090 return (-1); 3091 3092 return (0); 3093} 3094 3095static void 3096print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3097 __unused char sfrm, int xml) 3098{ 3099 3100 print_tok_type(fp, tok->id, "socket-inet", raw, xml); 3101 if (xml) { 3102 open_attr(fp, "type"); 3103 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3104 close_attr(fp); 3105 open_attr(fp, "port"); 3106 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3107 close_attr(fp); 3108 open_attr(fp, "addr"); 3109 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3110 close_attr(fp); 3111 close_tag(fp, tok->id); 3112 } else { 3113 print_delim(fp, del); 3114 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3115 print_delim(fp, del); 3116 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3117 print_delim(fp, del); 3118 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]); 3119 } 3120} 3121 3122/* 3123 * socket family 2 bytes 3124 * local port 2 bytes 3125 * socket address 16 bytes 3126 */ 3127static int 3128fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len) 3129{ 3130 int err = 0; 3131 3132 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len, 3133 err); 3134 if (err) 3135 return (-1); 3136 3137 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port, 3138 sizeof(uint16_t), tok->len, err); 3139 if (err) 3140 return (-1); 3141 3142 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr, 3143 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err); 3144 if (err) 3145 return (-1); 3146 3147 return (0); 3148} 3149 3150static void 3151print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3152 __unused char sfrm, int xml) 3153{ 3154 3155 print_tok_type(fp, tok->id, "socket-inet6", raw, xml); 3156 if (xml) { 3157 open_attr(fp, "type"); 3158 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3159 close_attr(fp); 3160 open_attr(fp, "port"); 3161 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3162 close_attr(fp); 3163 open_attr(fp, "addr"); 3164 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3165 close_attr(fp); 3166 close_tag(fp, tok->id); 3167 } else { 3168 print_delim(fp, del); 3169 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u"); 3170 print_delim(fp, del); 3171 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u"); 3172 print_delim(fp, del); 3173 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr); 3174 } 3175} 3176 3177/* 3178 * socket family 2 bytes 3179 * path 104 bytes 3180 */ 3181static int 3182fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len) 3183{ 3184 int err = 0; 3185 3186 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err); 3187 if (err) 3188 return (-1); 3189 3190 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len, 3191 err); 3192 if (err) 3193 return (-1); 3194 3195 return (0); 3196} 3197 3198static void 3199print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3200 __unused char sfrm, int xml) 3201{ 3202 3203 print_tok_type(fp, tok->id, "socket-unix", raw, xml); 3204 if (xml) { 3205 open_attr(fp, "type"); 3206 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3207 close_attr(fp); 3208 open_attr(fp, "port"); 3209 close_attr(fp); 3210 open_attr(fp, "addr"); 3211 print_string(fp, tok->tt.sockunix.path, 3212 strlen(tok->tt.sockunix.path)); 3213 close_attr(fp); 3214 close_tag(fp, tok->id); 3215 } else { 3216 print_delim(fp, del); 3217 print_2_bytes(fp, tok->tt.sockunix.family, "%u"); 3218 print_delim(fp, del); 3219 print_string(fp, tok->tt.sockunix.path, 3220 strlen(tok->tt.sockunix.path)); 3221 } 3222} 3223 3224/* 3225 * socket type 2 bytes 3226 * local port 2 bytes 3227 * local address 4 bytes 3228 * remote port 2 bytes 3229 * remote address 4 bytes 3230 */ 3231static int 3232fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len) 3233{ 3234 int err = 0; 3235 3236 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err); 3237 if (err) 3238 return (-1); 3239 3240 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t), 3241 tok->len, err); 3242 if (err) 3243 return (-1); 3244 3245 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3246 sizeof(tok->tt.socket.l_addr), tok->len, err); 3247 if (err) 3248 return (-1); 3249 3250 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t), 3251 tok->len, err); 3252 if (err) 3253 return (-1); 3254 3255 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr, 3256 sizeof(tok->tt.socket.r_addr), tok->len, err); 3257 if (err) 3258 return (-1); 3259 3260 return (0); 3261} 3262 3263static void 3264print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3265 __unused char sfrm, int xml) 3266{ 3267 3268 print_tok_type(fp, tok->id, "socket", raw, xml); 3269 if (xml) { 3270 open_attr(fp, "sock_type"); 3271 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3272 close_attr(fp); 3273 open_attr(fp, "lport"); 3274 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3275 close_attr(fp); 3276 open_attr(fp, "laddr"); 3277 print_ip_address(fp, tok->tt.socket.l_addr); 3278 close_attr(fp); 3279 open_attr(fp, "fport"); 3280 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3281 close_attr(fp); 3282 open_attr(fp, "faddr"); 3283 print_ip_address(fp, tok->tt.socket.r_addr); 3284 close_attr(fp); 3285 close_tag(fp, tok->id); 3286 } else { 3287 print_delim(fp, del); 3288 print_2_bytes(fp, tok->tt.socket.type, "%u"); 3289 print_delim(fp, del); 3290 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u"); 3291 print_delim(fp, del); 3292 print_ip_address(fp, tok->tt.socket.l_addr); 3293 print_delim(fp, del); 3294 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u"); 3295 print_delim(fp, del); 3296 print_ip_address(fp, tok->tt.socket.r_addr); 3297 } 3298} 3299 3300/* 3301 * audit ID 4 bytes 3302 * euid 4 bytes 3303 * egid 4 bytes 3304 * ruid 4 bytes 3305 * rgid 4 bytes 3306 * pid 4 bytes 3307 * sessid 4 bytes 3308 * terminal ID 3309 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3310 * machine id 4 bytes 3311 */ 3312static int 3313fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len) 3314{ 3315 int err = 0; 3316 3317 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err); 3318 if (err) 3319 return (-1); 3320 3321 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err); 3322 if (err) 3323 return (-1); 3324 3325 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err); 3326 if (err) 3327 return (-1); 3328 3329 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err); 3330 if (err) 3331 return (-1); 3332 3333 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err); 3334 if (err) 3335 return (-1); 3336 3337 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err); 3338 if (err) 3339 return (-1); 3340 3341 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err); 3342 if (err) 3343 return (-1); 3344 3345 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err); 3346 if (err) 3347 return (-1); 3348 3349 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr, 3350 sizeof(tok->tt.subj32.tid.addr), tok->len, err); 3351 if (err) 3352 return (-1); 3353 3354 return (0); 3355} 3356 3357static void 3358print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3359 __unused char sfrm, int xml) 3360{ 3361 3362 print_tok_type(fp, tok->id, "subject", raw, xml); 3363 if (xml) { 3364 open_attr(fp, "audit-uid"); 3365 print_user(fp, tok->tt.subj32.auid, raw); 3366 close_attr(fp); 3367 open_attr(fp, "uid"); 3368 print_user(fp, tok->tt.subj32.euid, raw); 3369 close_attr(fp); 3370 open_attr(fp, "gid"); 3371 print_group(fp, tok->tt.subj32.egid, raw); 3372 close_attr(fp); 3373 open_attr(fp, "ruid"); 3374 print_user(fp, tok->tt.subj32.ruid, raw); 3375 close_attr(fp); 3376 open_attr(fp, "rgid"); 3377 print_group(fp, tok->tt.subj32.rgid, raw); 3378 close_attr(fp); 3379 open_attr(fp,"pid"); 3380 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3381 close_attr(fp); 3382 open_attr(fp,"sid"); 3383 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3384 close_attr(fp); 3385 open_attr(fp,"tid"); 3386 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u "); 3387 print_ip_address(fp, tok->tt.subj32.tid.addr); 3388 close_attr(fp); 3389 close_tag(fp, tok->id); 3390 } else { 3391 print_delim(fp, del); 3392 print_user(fp, tok->tt.subj32.auid, raw); 3393 print_delim(fp, del); 3394 print_user(fp, tok->tt.subj32.euid, raw); 3395 print_delim(fp, del); 3396 print_group(fp, tok->tt.subj32.egid, raw); 3397 print_delim(fp, del); 3398 print_user(fp, tok->tt.subj32.ruid, raw); 3399 print_delim(fp, del); 3400 print_group(fp, tok->tt.subj32.rgid, raw); 3401 print_delim(fp, del); 3402 print_4_bytes(fp, tok->tt.subj32.pid, "%u"); 3403 print_delim(fp, del); 3404 print_4_bytes(fp, tok->tt.subj32.sid, "%u"); 3405 print_delim(fp, del); 3406 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u"); 3407 print_delim(fp, del); 3408 print_ip_address(fp, tok->tt.subj32.tid.addr); 3409 } 3410} 3411 3412/* 3413 * audit ID 4 bytes 3414 * euid 4 bytes 3415 * egid 4 bytes 3416 * ruid 4 bytes 3417 * rgid 4 bytes 3418 * pid 4 bytes 3419 * sessid 4 bytes 3420 * terminal ID 3421 * portid 4 bytes/8 bytes (32-bit/64-bit value) 3422 * machine id 4 bytes 3423 */ 3424static int 3425fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len) 3426{ 3427 int err = 0; 3428 3429 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err); 3430 if (err) 3431 return (-1); 3432 3433 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err); 3434 if (err) 3435 return (-1); 3436 3437 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err); 3438 if (err) 3439 return (-1); 3440 3441 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err); 3442 if (err) 3443 return (-1); 3444 3445 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err); 3446 if (err) 3447 return (-1); 3448 3449 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err); 3450 if (err) 3451 return (-1); 3452 3453 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err); 3454 if (err) 3455 return (-1); 3456 3457 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err); 3458 if (err) 3459 return (-1); 3460 3461 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr, 3462 sizeof(tok->tt.subj64.tid.addr), tok->len, err); 3463 if (err) 3464 return (-1); 3465 3466 return (0); 3467} 3468 3469static void 3470print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3471 __unused char sfrm, int xml) 3472{ 3473 3474 print_tok_type(fp, tok->id, "subject", raw, xml); 3475 if (xml) { 3476 open_attr(fp, "audit-uid"); 3477 print_user(fp, tok->tt.subj64.auid, raw); 3478 close_attr(fp); 3479 open_attr(fp, "uid"); 3480 print_user(fp, tok->tt.subj64.euid, raw); 3481 close_attr(fp); 3482 open_attr(fp, "gid"); 3483 print_group(fp, tok->tt.subj64.egid, raw); 3484 close_attr(fp); 3485 open_attr(fp, "ruid"); 3486 print_user(fp, tok->tt.subj64.ruid, raw); 3487 close_attr(fp); 3488 open_attr(fp, "rgid"); 3489 print_group(fp, tok->tt.subj64.rgid, raw); 3490 close_attr(fp); 3491 open_attr(fp, "pid"); 3492 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3493 close_attr(fp); 3494 open_attr(fp, "sid"); 3495 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3496 close_attr(fp); 3497 open_attr(fp, "tid"); 3498 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3499 print_ip_address(fp, tok->tt.subj64.tid.addr); 3500 close_attr(fp); 3501 close_tag(fp, tok->id); 3502 } else { 3503 print_delim(fp, del); 3504 print_user(fp, tok->tt.subj64.auid, raw); 3505 print_delim(fp, del); 3506 print_user(fp, tok->tt.subj64.euid, raw); 3507 print_delim(fp, del); 3508 print_group(fp, tok->tt.subj64.egid, raw); 3509 print_delim(fp, del); 3510 print_user(fp, tok->tt.subj64.ruid, raw); 3511 print_delim(fp, del); 3512 print_group(fp, tok->tt.subj64.rgid, raw); 3513 print_delim(fp, del); 3514 print_4_bytes(fp, tok->tt.subj64.pid, "%u"); 3515 print_delim(fp, del); 3516 print_4_bytes(fp, tok->tt.subj64.sid, "%u"); 3517 print_delim(fp, del); 3518 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu"); 3519 print_delim(fp, del); 3520 print_ip_address(fp, tok->tt.subj64.tid.addr); 3521 } 3522} 3523 3524/* 3525 * audit ID 4 bytes 3526 * euid 4 bytes 3527 * egid 4 bytes 3528 * ruid 4 bytes 3529 * rgid 4 bytes 3530 * pid 4 bytes 3531 * sessid 4 bytes 3532 * terminal ID 3533 * portid 4 bytes 3534 * type 4 bytes 3535 * machine id 16 bytes 3536 */ 3537static int 3538fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len) 3539{ 3540 int err = 0; 3541 3542 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err); 3543 if (err) 3544 return (-1); 3545 3546 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err); 3547 if (err) 3548 return (-1); 3549 3550 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err); 3551 if (err) 3552 return (-1); 3553 3554 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err); 3555 if (err) 3556 return (-1); 3557 3558 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err); 3559 if (err) 3560 return (-1); 3561 3562 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err); 3563 if (err) 3564 return (-1); 3565 3566 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err); 3567 if (err) 3568 return (-1); 3569 3570 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len, 3571 err); 3572 if (err) 3573 return (-1); 3574 3575 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len, 3576 err); 3577 if (err) 3578 return (-1); 3579 3580 if (tok->tt.subj32_ex.tid.type == AU_IPv4) { 3581 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0], 3582 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err); 3583 if (err) 3584 return (-1); 3585 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) { 3586 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr, 3587 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err); 3588 if (err) 3589 return (-1); 3590 } else 3591 return (-1); 3592 3593 return (0); 3594} 3595 3596static void 3597print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3598 __unused char sfrm, int xml) 3599{ 3600 3601 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3602 if (xml) { 3603 open_attr(fp, "audit-uid"); 3604 print_user(fp, tok->tt.subj32_ex.auid, raw); 3605 close_attr(fp); 3606 open_attr(fp, "uid"); 3607 print_user(fp, tok->tt.subj32_ex.euid, raw); 3608 close_attr(fp); 3609 open_attr(fp, "gid"); 3610 print_group(fp, tok->tt.subj32_ex.egid, raw); 3611 close_attr(fp); 3612 open_attr(fp, "ruid"); 3613 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3614 close_attr(fp); 3615 open_attr(fp, "rgid"); 3616 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3617 close_attr(fp); 3618 open_attr(fp, "pid"); 3619 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3620 close_attr(fp); 3621 open_attr(fp, "sid"); 3622 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3623 close_attr(fp); 3624 open_attr(fp, "tid"); 3625 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3626 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3627 tok->tt.subj32_ex.tid.addr); 3628 close_attr(fp); 3629 close_tag(fp, tok->id); 3630 } else { 3631 print_delim(fp, del); 3632 print_user(fp, tok->tt.subj32_ex.auid, raw); 3633 print_delim(fp, del); 3634 print_user(fp, tok->tt.subj32_ex.euid, raw); 3635 print_delim(fp, del); 3636 print_group(fp, tok->tt.subj32_ex.egid, raw); 3637 print_delim(fp, del); 3638 print_user(fp, tok->tt.subj32_ex.ruid, raw); 3639 print_delim(fp, del); 3640 print_group(fp, tok->tt.subj32_ex.rgid, raw); 3641 print_delim(fp, del); 3642 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u"); 3643 print_delim(fp, del); 3644 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u"); 3645 print_delim(fp, del); 3646 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u"); 3647 print_delim(fp, del); 3648 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type, 3649 tok->tt.subj32_ex.tid.addr); 3650 } 3651} 3652 3653/* 3654 * audit ID 4 bytes 3655 * euid 4 bytes 3656 * egid 4 bytes 3657 * ruid 4 bytes 3658 * rgid 4 bytes 3659 * pid 4 bytes 3660 * sessid 4 bytes 3661 * terminal ID 3662 * portid 8 bytes 3663 * type 4 bytes 3664 * machine id 16 bytes 3665 */ 3666static int 3667fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len) 3668{ 3669 int err = 0; 3670 3671 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err); 3672 if (err) 3673 return (-1); 3674 3675 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err); 3676 if (err) 3677 return (-1); 3678 3679 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err); 3680 if (err) 3681 return (-1); 3682 3683 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err); 3684 if (err) 3685 return (-1); 3686 3687 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err); 3688 if (err) 3689 return (-1); 3690 3691 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err); 3692 if (err) 3693 return (-1); 3694 3695 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err); 3696 if (err) 3697 return (-1); 3698 3699 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len, 3700 err); 3701 if (err) 3702 return (-1); 3703 3704 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len, 3705 err); 3706 if (err) 3707 return (-1); 3708 3709 if (tok->tt.subj64_ex.tid.type == AU_IPv4) { 3710 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0], 3711 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err); 3712 if (err) 3713 return (-1); 3714 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) { 3715 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr, 3716 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err); 3717 if (err) 3718 return (-1); 3719 } else 3720 return (-1); 3721 3722 return (0); 3723} 3724 3725static void 3726print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3727 __unused char sfrm, int xml) 3728{ 3729 print_tok_type(fp, tok->id, "subject_ex", raw, xml); 3730 if (xml) { 3731 open_attr(fp, "audit-uid"); 3732 print_user(fp, tok->tt.subj64_ex.auid, raw); 3733 close_attr(fp); 3734 open_attr(fp, "uid"); 3735 print_user(fp, tok->tt.subj64_ex.euid, raw); 3736 close_attr(fp); 3737 open_attr(fp, "gid"); 3738 print_group(fp, tok->tt.subj64_ex.egid, raw); 3739 close_attr(fp); 3740 open_attr(fp, "ruid"); 3741 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3742 close_attr(fp); 3743 open_attr(fp, "rgid"); 3744 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3745 close_attr(fp); 3746 open_attr(fp, "pid"); 3747 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3748 close_attr(fp); 3749 open_attr(fp, "sid"); 3750 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3751 close_attr(fp); 3752 open_attr(fp, "tid"); 3753 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3754 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3755 tok->tt.subj64_ex.tid.addr); 3756 close_attr(fp); 3757 close_tag(fp, tok->id); 3758 } else { 3759 print_delim(fp, del); 3760 print_user(fp, tok->tt.subj64_ex.auid, raw); 3761 print_delim(fp, del); 3762 print_user(fp, tok->tt.subj64_ex.euid, raw); 3763 print_delim(fp, del); 3764 print_group(fp, tok->tt.subj64_ex.egid, raw); 3765 print_delim(fp, del); 3766 print_user(fp, tok->tt.subj64_ex.ruid, raw); 3767 print_delim(fp, del); 3768 print_group(fp, tok->tt.subj64_ex.rgid, raw); 3769 print_delim(fp, del); 3770 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u"); 3771 print_delim(fp, del); 3772 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u"); 3773 print_delim(fp, del); 3774 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu"); 3775 print_delim(fp, del); 3776 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type, 3777 tok->tt.subj64_ex.tid.addr); 3778 } 3779} 3780 3781/* 3782 * size 2 bytes 3783 * data size bytes 3784 */ 3785static int 3786fetch_text_tok(tokenstr_t *tok, u_char *buf, int len) 3787{ 3788 int err = 0; 3789 3790 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err); 3791 if (err) 3792 return (-1); 3793 3794 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len, 3795 err); 3796 if (err) 3797 return (-1); 3798 3799 return (0); 3800} 3801 3802static void 3803print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3804 __unused char sfrm, int xml) 3805{ 3806 3807 print_tok_type(fp, tok->id, "text", raw, xml); 3808 if (xml) { 3809 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3810 close_tag(fp, tok->id); 3811 } else { 3812 print_delim(fp, del); 3813 print_string(fp, tok->tt.text.text, tok->tt.text.len); 3814 } 3815} 3816 3817/* 3818 * socket domain 2 bytes 3819 * socket type 2 bytes 3820 * address type 2 bytes 3821 * local port 2 bytes 3822 * local Internet address 4/16 bytes 3823 * remote port 2 bytes 3824 * remote Internet address 4/16 bytes 3825 */ 3826static int 3827fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len) 3828{ 3829 int err = 0; 3830 3831 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len, 3832 err); 3833 if (err) 3834 return (-1); 3835 3836 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len, 3837 err); 3838 if (err) 3839 return (-1); 3840 3841 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len, 3842 err); 3843 if (err) 3844 return (-1); 3845 3846 if (tok->tt.socket_ex32.atype != AU_IPv4 && 3847 tok->tt.socket_ex32.atype != AU_IPv6) 3848 return (-1); 3849 3850 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port, 3851 sizeof(uint16_t), tok->len, err); 3852 if (err) 3853 return (-1); 3854 3855 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3856 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3857 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err); 3858 if (err) 3859 return (-1); 3860 } else { 3861 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr, 3862 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err); 3863 if (err) 3864 return (-1); 3865 } 3866 3867 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port, 3868 sizeof(uint16_t), tok->len, err); 3869 if (err) 3870 return (-1); 3871 3872 if (tok->tt.socket_ex32.atype == AU_IPv4) { 3873 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3874 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err); 3875 if (err) 3876 return (-1); 3877 } else { 3878 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr, 3879 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err); 3880 if (err) 3881 return (-1); 3882 } 3883 3884 return (0); 3885} 3886 3887static void 3888print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3889 __unused char sfrm, int xml) 3890{ 3891 3892 /* 3893 * This print routine prints BSM constant space domains and socket 3894 * types rather than converting them. If we add string printers for 3895 * these constants in the future, we may want to call conversion 3896 * routines. 3897 */ 3898 print_tok_type(fp, tok->id, "socket", raw, xml); 3899 if (xml) { 3900 open_attr(fp, "sock_dom"); 3901 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3902 close_attr(fp); 3903 open_attr(fp, "sock_type"); 3904 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3905 close_attr(fp); 3906 open_attr(fp, "lport"); 3907 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3908 close_attr(fp); 3909 open_attr(fp, "laddr"); 3910 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3911 tok->tt.socket_ex32.l_addr); 3912 close_attr(fp); 3913 open_attr(fp, "faddr"); 3914 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3915 tok->tt.socket_ex32.r_addr); 3916 close_attr(fp); 3917 open_attr(fp, "fport"); 3918 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3919 close_attr(fp); 3920 close_tag(fp, tok->id); 3921 } else { 3922 print_delim(fp, del); 3923 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x"); 3924 print_delim(fp, del); 3925 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x"); 3926 print_delim(fp, del); 3927 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x"); 3928 print_delim(fp, del); 3929 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3930 tok->tt.socket_ex32.l_addr); 3931 print_delim(fp, del); 3932 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x"); 3933 print_delim(fp, del); 3934 print_ip_ex_address(fp, tok->tt.socket_ex32.atype, 3935 tok->tt.socket_ex32.r_addr); 3936 } 3937} 3938 3939static int 3940fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len) 3941{ 3942 int err = 0; 3943 int recoversize; 3944 3945 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE); 3946 if (recoversize <= 0) 3947 return (-1); 3948 3949 tok->tt.invalid.length = recoversize; 3950 3951 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len, 3952 err); 3953 if (err) 3954 return (-1); 3955 3956 return (0); 3957} 3958 3959static void 3960print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3961 __unused char sfrm, int xml) 3962{ 3963 3964 if (!xml) { 3965 print_tok_type(fp, tok->id, "unknown", raw, 0); 3966 print_delim(fp, del); 3967 print_mem(fp, (u_char*)tok->tt.invalid.data, 3968 tok->tt.invalid.length); 3969 } 3970} 3971 3972 3973/* 3974 * size 2 bytes; 3975 * zonename size bytes; 3976 */ 3977static int 3978fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len) 3979{ 3980 int err = 0; 3981 3982 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err); 3983 if (err) 3984 return (-1); 3985 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len, 3986 tok->len, err); 3987 if (err) 3988 return (-1); 3989 return (0); 3990} 3991 3992static void 3993print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, 3994 __unused char sfrm, int xml) 3995{ 3996 3997 print_tok_type(fp, tok->id, "zone", raw, xml); 3998 if (xml) { 3999 open_attr(fp, "name"); 4000 print_string(fp, tok->tt.zonename.zonename, 4001 tok->tt.zonename.len); 4002 close_attr(fp); 4003 close_tag(fp, tok->id); 4004 } else { 4005 print_delim(fp, del); 4006 print_string(fp, tok->tt.zonename.zonename, 4007 tok->tt.zonename.len); 4008 } 4009} 4010 4011/* 4012 * Reads the token beginning at buf into tok. 4013 */ 4014int 4015au_fetch_tok(tokenstr_t *tok, u_char *buf, int len) 4016{ 4017 4018 if (len <= 0) 4019 return (-1); 4020 4021 tok->len = 1; 4022 tok->data = buf; 4023 tok->id = *buf; 4024 4025 switch(tok->id) { 4026 case AUT_HEADER32: 4027 return (fetch_header32_tok(tok, buf, len)); 4028 4029 case AUT_HEADER32_EX: 4030 return (fetch_header32_ex_tok(tok, buf, len)); 4031 4032 case AUT_HEADER64: 4033 return (fetch_header64_tok(tok, buf, len)); 4034 4035 case AUT_HEADER64_EX: 4036 return (fetch_header64_ex_tok(tok, buf, len)); 4037 4038 case AUT_TRAILER: 4039 return (fetch_trailer_tok(tok, buf, len)); 4040 4041 case AUT_ARG32: 4042 return (fetch_arg32_tok(tok, buf, len)); 4043 4044 case AUT_ARG64: 4045 return (fetch_arg64_tok(tok, buf, len)); 4046 4047 case AUT_ATTR32: 4048 return (fetch_attr32_tok(tok, buf, len)); 4049 4050 case AUT_ATTR64: 4051 return (fetch_attr64_tok(tok, buf, len)); 4052 4053 case AUT_EXIT: 4054 return (fetch_exit_tok(tok, buf, len)); 4055 4056 case AUT_EXEC_ARGS: 4057 return (fetch_execarg_tok(tok, buf, len)); 4058 4059 case AUT_EXEC_ENV: 4060 return (fetch_execenv_tok(tok, buf, len)); 4061 4062 case AUT_OTHER_FILE32: 4063 return (fetch_file_tok(tok, buf, len)); 4064 4065 case AUT_NEWGROUPS: 4066 return (fetch_newgroups_tok(tok, buf, len)); 4067 4068 case AUT_IN_ADDR: 4069 return (fetch_inaddr_tok(tok, buf, len)); 4070 4071 case AUT_IN_ADDR_EX: 4072 return (fetch_inaddr_ex_tok(tok, buf, len)); 4073 4074 case AUT_IP: 4075 return (fetch_ip_tok(tok, buf, len)); 4076 4077 case AUT_IPC: 4078 return (fetch_ipc_tok(tok, buf, len)); 4079 4080 case AUT_IPC_PERM: 4081 return (fetch_ipcperm_tok(tok, buf, len)); 4082 4083 case AUT_IPORT: 4084 return (fetch_iport_tok(tok, buf, len)); 4085 4086 case AUT_OPAQUE: 4087 return (fetch_opaque_tok(tok, buf, len)); 4088 4089 case AUT_PATH: 4090 return (fetch_path_tok(tok, buf, len)); 4091 4092 case AUT_PROCESS32: 4093 return (fetch_process32_tok(tok, buf, len)); 4094 4095 case AUT_PROCESS32_EX: 4096 return (fetch_process32ex_tok(tok, buf, len)); 4097 4098 case AUT_PROCESS64: 4099 return (fetch_process64_tok(tok, buf, len)); 4100 4101 case AUT_PROCESS64_EX: 4102 return (fetch_process64ex_tok(tok, buf, len)); 4103 4104 case AUT_RETURN32: 4105 return (fetch_return32_tok(tok, buf, len)); 4106 4107 case AUT_RETURN64: 4108 return (fetch_return64_tok(tok, buf, len)); 4109 4110 case AUT_SEQ: 4111 return (fetch_seq_tok(tok, buf, len)); 4112 4113 case AUT_SOCKET: 4114 return (fetch_socket_tok(tok, buf, len)); 4115 4116 case AUT_SOCKINET32: 4117 return (fetch_sock_inet32_tok(tok, buf, len)); 4118 4119 case AUT_SOCKUNIX: 4120 return (fetch_sock_unix_tok(tok, buf, len)); 4121 4122 case AUT_SOCKINET128: 4123 return (fetch_sock_inet128_tok(tok, buf, len)); 4124 4125 case AUT_SUBJECT32: 4126 return (fetch_subject32_tok(tok, buf, len)); 4127 4128 case AUT_SUBJECT32_EX: 4129 return (fetch_subject32ex_tok(tok, buf, len)); 4130 4131 case AUT_SUBJECT64: 4132 return (fetch_subject64_tok(tok, buf, len)); 4133 4134 case AUT_SUBJECT64_EX: 4135 return (fetch_subject64ex_tok(tok, buf, len)); 4136 4137 case AUT_TEXT: 4138 return (fetch_text_tok(tok, buf, len)); 4139 4140 case AUT_SOCKET_EX: 4141 return (fetch_socketex32_tok(tok, buf, len)); 4142 4143 case AUT_DATA: 4144 return (fetch_arb_tok(tok, buf, len)); 4145 4146 case AUT_ZONENAME: 4147 return (fetch_zonename_tok(tok, buf, len)); 4148 4149 default: 4150 return (fetch_invalid_tok(tok, buf, len)); 4151 } 4152} 4153 4154/* 4155 * 'prints' the token out to outfp. 4156 */ 4157void 4158au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm) 4159{ 4160 4161 switch(tok->id) { 4162 case AUT_HEADER32: 4163 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4164 return; 4165 4166 case AUT_HEADER32_EX: 4167 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4168 return; 4169 4170 case AUT_HEADER64: 4171 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4172 return; 4173 4174 case AUT_HEADER64_EX: 4175 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4176 return; 4177 4178 case AUT_TRAILER: 4179 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4180 return; 4181 4182 case AUT_ARG32: 4183 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4184 return; 4185 4186 case AUT_ARG64: 4187 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4188 return; 4189 4190 case AUT_DATA: 4191 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4192 return; 4193 4194 case AUT_ATTR32: 4195 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4196 return; 4197 4198 case AUT_ATTR64: 4199 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4200 return; 4201 4202 case AUT_EXIT: 4203 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4204 return; 4205 4206 case AUT_EXEC_ARGS: 4207 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4208 return; 4209 4210 case AUT_EXEC_ENV: 4211 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4212 return; 4213 4214 case AUT_OTHER_FILE32: 4215 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4216 return; 4217 4218 case AUT_NEWGROUPS: 4219 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4220 return; 4221 4222 case AUT_IN_ADDR: 4223 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4224 return; 4225 4226 case AUT_IN_ADDR_EX: 4227 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4228 return; 4229 4230 case AUT_IP: 4231 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4232 return; 4233 4234 case AUT_IPC: 4235 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4236 return; 4237 4238 case AUT_IPC_PERM: 4239 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4240 return; 4241 4242 case AUT_IPORT: 4243 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4244 return; 4245 4246 case AUT_OPAQUE: 4247 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4248 return; 4249 4250 case AUT_PATH: 4251 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4252 return; 4253 4254 case AUT_PROCESS32: 4255 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4256 return; 4257 4258 case AUT_PROCESS32_EX: 4259 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4260 return; 4261 4262 case AUT_PROCESS64: 4263 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4264 return; 4265 4266 case AUT_PROCESS64_EX: 4267 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4268 return; 4269 4270 case AUT_RETURN32: 4271 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4272 return; 4273 4274 case AUT_RETURN64: 4275 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4276 return; 4277 4278 case AUT_SEQ: 4279 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4280 return; 4281 4282 case AUT_SOCKET: 4283 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4284 return; 4285 4286 case AUT_SOCKINET32: 4287 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4288 return; 4289 4290 case AUT_SOCKUNIX: 4291 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4292 return; 4293 4294 case AUT_SOCKINET128: 4295 print_sock_inet128_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4296 return; 4297 4298 case AUT_SUBJECT32: 4299 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4300 return; 4301 4302 case AUT_SUBJECT64: 4303 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4304 return; 4305 4306 case AUT_SUBJECT32_EX: 4307 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4308 return; 4309 4310 case AUT_SUBJECT64_EX: 4311 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4312 return; 4313 4314 case AUT_TEXT: 4315 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4316 return; 4317 4318 case AUT_SOCKET_EX: 4319 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4320 return; 4321 4322 case AUT_ZONENAME: 4323 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4324 return; 4325 4326 default: 4327 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN); 4328 } 4329} 4330 4331/* 4332 * 'prints' the token out to outfp in XML format. 4333 */ 4334void 4335au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw, 4336 char sfrm) 4337{ 4338 4339 switch(tok->id) { 4340 case AUT_HEADER32: 4341 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4342 return; 4343 4344 case AUT_HEADER32_EX: 4345 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4346 return; 4347 4348 case AUT_HEADER64: 4349 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4350 return; 4351 4352 case AUT_HEADER64_EX: 4353 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4354 return; 4355 4356 case AUT_TRAILER: 4357 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML); 4358 return; 4359 4360 case AUT_ARG32: 4361 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4362 return; 4363 4364 case AUT_ARG64: 4365 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4366 return; 4367 4368 case AUT_DATA: 4369 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML); 4370 return; 4371 4372 case AUT_ATTR32: 4373 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4374 return; 4375 4376 case AUT_ATTR64: 4377 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4378 return; 4379 4380 case AUT_EXIT: 4381 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML); 4382 return; 4383 4384 case AUT_EXEC_ARGS: 4385 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML); 4386 return; 4387 4388 case AUT_EXEC_ENV: 4389 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML); 4390 return; 4391 4392 case AUT_OTHER_FILE32: 4393 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML); 4394 return; 4395 4396 case AUT_NEWGROUPS: 4397 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML); 4398 return; 4399 4400 case AUT_IN_ADDR: 4401 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML); 4402 return; 4403 4404 case AUT_IN_ADDR_EX: 4405 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4406 return; 4407 4408 case AUT_IP: 4409 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML); 4410 return; 4411 4412 case AUT_IPC: 4413 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML); 4414 return; 4415 4416 case AUT_IPC_PERM: 4417 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML); 4418 return; 4419 4420 case AUT_IPORT: 4421 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML); 4422 return; 4423 4424 case AUT_OPAQUE: 4425 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML); 4426 return; 4427 4428 case AUT_PATH: 4429 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML); 4430 return; 4431 4432 case AUT_PROCESS32: 4433 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4434 return; 4435 4436 case AUT_PROCESS32_EX: 4437 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4438 return; 4439 4440 case AUT_PROCESS64: 4441 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4442 return; 4443 4444 case AUT_PROCESS64_EX: 4445 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4446 return; 4447 4448 case AUT_RETURN32: 4449 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4450 return; 4451 4452 case AUT_RETURN64: 4453 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4454 return; 4455 4456 case AUT_SEQ: 4457 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML); 4458 return; 4459 4460 case AUT_SOCKET: 4461 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML); 4462 return; 4463 4464 case AUT_SOCKINET32: 4465 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4466 return; 4467 4468 case AUT_SOCKUNIX: 4469 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML); 4470 return; 4471 4472 case AUT_SUBJECT32: 4473 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4474 return; 4475 4476 case AUT_SUBJECT64: 4477 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML); 4478 return; 4479 4480 case AUT_SUBJECT32_EX: 4481 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4482 return; 4483 4484 case AUT_SUBJECT64_EX: 4485 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML); 4486 return; 4487 4488 case AUT_TEXT: 4489 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML); 4490 return; 4491 4492 case AUT_SOCKET_EX: 4493 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML); 4494 return; 4495 4496 case AUT_ZONENAME: 4497 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML); 4498 return; 4499 4500 default: 4501 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML); 4502 } 4503} 4504 4505/* 4506 * Read a record from the file pointer, store data in buf memory for buf is 4507 * also allocated in this function and has to be free'd outside this call. 4508 * 4509 * au_read_rec() handles two possibilities: a stand-alone file token, or a 4510 * complete audit record. 4511 * 4512 * XXXRW: Note that if we hit an error, we leave the stream in an unusable 4513 * state, because it will be partly offset into a record. We should rewind 4514 * or do something more intelligent. Particularly interesting is the case 4515 * where we perform a partial read of a record from a non-blockable file 4516 * descriptor. We should return the partial read and continue...? 4517 */ 4518int 4519au_read_rec(FILE *fp, u_char **buf) 4520{ 4521 u_char *bptr; 4522 u_int32_t recsize; 4523 u_int32_t bytestoread; 4524 u_char type; 4525 4526 u_int32_t sec, msec; 4527 u_int16_t filenamelen; 4528 4529 type = fgetc(fp); 4530 4531 switch (type) { 4532 case AUT_HEADER32: 4533 case AUT_HEADER32_EX: 4534 case AUT_HEADER64: 4535 case AUT_HEADER64_EX: 4536 /* read the record size from the token */ 4537 if (fread(&recsize, 1, sizeof(u_int32_t), fp) < 4538 sizeof(u_int32_t)) { 4539 errno = EINVAL; 4540 return (-1); 4541 } 4542 recsize = be32toh(recsize); 4543 4544 /* Check for recsize sanity */ 4545 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) { 4546 errno = EINVAL; 4547 return (-1); 4548 } 4549 4550 *buf = malloc(recsize * sizeof(u_char)); 4551 if (*buf == NULL) 4552 return (-1); 4553 bptr = *buf; 4554 memset(bptr, 0, recsize); 4555 4556 /* store the token contents already read, back to the buffer*/ 4557 *bptr = type; 4558 bptr++; 4559 be32enc(bptr, recsize); 4560 bptr += sizeof(u_int32_t); 4561 4562 /* now read remaining record bytes */ 4563 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char)); 4564 4565 if (fread(bptr, 1, bytestoread, fp) < bytestoread) { 4566 free(*buf); 4567 errno = EINVAL; 4568 return (-1); 4569 } 4570 break; 4571 4572 case AUT_OTHER_FILE32: 4573 /* 4574 * The file token is variable-length, as it includes a 4575 * pathname. As a result, we have to read incrementally 4576 * until we know the total length, then allocate space and 4577 * read the rest. 4578 */ 4579 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) { 4580 errno = EINVAL; 4581 return (-1); 4582 } 4583 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) { 4584 errno = EINVAL; 4585 return (-1); 4586 } 4587 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) < 4588 sizeof(filenamelen)) { 4589 errno = EINVAL; 4590 return (-1); 4591 } 4592 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) + 4593 sizeof(filenamelen) + ntohs(filenamelen); 4594 *buf = malloc(recsize); 4595 if (*buf == NULL) 4596 return (-1); 4597 bptr = *buf; 4598 4599 bcopy(&type, bptr, sizeof(type)); 4600 bptr += sizeof(type); 4601 bcopy(&sec, bptr, sizeof(sec)); 4602 bptr += sizeof(sec); 4603 bcopy(&msec, bptr, sizeof(msec)); 4604 bptr += sizeof(msec); 4605 bcopy(&filenamelen, bptr, sizeof(filenamelen)); 4606 bptr += sizeof(filenamelen); 4607 4608 if (fread(bptr, 1, ntohs(filenamelen), fp) < 4609 ntohs(filenamelen)) { 4610 free(buf); 4611 errno = EINVAL; 4612 return (-1); 4613 } 4614 break; 4615 4616 default: 4617 errno = EINVAL; 4618 return (-1); 4619 } 4620 4621 return (recsize); 4622} 4623