Date: Sun, 29 Jan 2006 16:35:43 GMT From: Robert Watson <rwatson@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 90627 for review Message-ID: <200601291635.k0TGZhqr071889@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=90627 Change 90627 by rwatson@rwatson_peppercorn on 2006/01/29 16:35:27 Integrate TrustedBSD OpenBSM code into TrustedBSD audit3 branch: - License cleanup - $P4$ - README update - auditreduce bug fixing and cleanup - praudit cleanup - Audit events update, cleanup, preference for Solaris definitions over Darwin Affected files ... .. //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/LICENSE#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/README#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/Makefile#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.h#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/Makefile#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.1#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/praudit/praudit.c#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/Makefile#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit.h#6 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_internal.h#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_kevents.h#13 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_record.h#4 integrate .. 
//depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/audit_uevents.h#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/bsm/libbsm.h#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/compat/endian.h#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_class#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_control#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_event#8 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_user#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/etc/audit_warn#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/Makefile#4 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_class.3#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_control.3#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_event.3#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_free_token.3#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_io.3#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_mask.3#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_token.3#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/au_user.3#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_audit.c#6 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_class.c#7 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_control.c#6 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_event.c#6 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_flags.c#7 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_io.c#8 integrate .. 
//depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_mask.c#6 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_notify.c#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_token.c#8 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_user.c#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/bsm_wrappers.c#5 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/libbsm/libbsm.3#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/Makefile#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit.2#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit.log.5#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_class.5#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_control.5#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_event.5#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_user.5#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/audit_warn.5#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/auditctl.2#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/auditon.2#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/event_code.5#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/getaudit.2#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/getauid.2#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/setaudit.2#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/man/setauid.2#2 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/tools/Makefile#3 integrate .. //depot/projects/trustedbsd/audit3/contrib/openbsm/tools/audump.c#4 integrate Differences ... ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#3 (text+ko) ==== 
@@ -61,4 +61,6 @@ or static memory is returned for non-_r() versions of API calls. _free() calls dropped as a result, and source code compatibility with OpenSolaris improved significantly. +- Annotate BSM events with origin OS and compatibility information. +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/CHANGELOG#3 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/LICENSE#3 (text+ko) ==== 
@@ -1,41 +1,14 @@ -OpenBSM is covered by a number of copyrights, with two variants of the BSD -license depending on origination. The TrustedBSD Project would appreciate -the contribution of fixes and enhancements under identical of substantially -similar licenses. +OpenBSM is covered by a number of copyrights, with licenses being either two +or three clause BSD licenses. Individual file headers should be consulted +for specific copyrights on specific components. The TrustedBSD Project would +appreciate the contribution of fixes and enhancements under identical or +substantially similar licenses: - * Copyright (c) 2004 Apple Computer, Inc. + * Copyright (c) <year> <copyright holder> * All rights reserved. * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of - * its contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. + * <any additional comments or credits> * - * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR - * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRING LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING - * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - - * Copyright (c) 2005 SPARTA, Inc. - * All rights reserved. - * - * This code was developed in part by Robert N. M. Watson, Senior Principal - * Scientist, SPARTA, Inc. - * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -56,3 +29,5 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. + +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/LICENSE#3 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile#2 (text+ko) ==== @@ -1,5 +1,5 @@ # -# +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/Makefile#2 $ # SUBDIR= bsm \ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/README#5 (text+ko) ==== @@ -77,3 +77,10 @@ Information on OpenBSM may be found on the OpenBSM home page: + http://www.OpenBSM.org/ + +Information on TrustedBSD may be found on the TrustedBSD home page: + + http://www.TrustedBSD.org/ + +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/README#5 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#3 (text+ko) ==== 
@@ -6,3 +6,5 @@ test that things work properly with respect to endianness of the local platform. - Document contents of libbsm "public" data structures in libbsm man pages. + +$P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/TODO#3 $ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/VERSION#2 (text+ko) ==== @@ -1,1 +1,1 @@ -1.0-PRERELEASE +OPENBSM_1_0_ALPHA_1 ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile#2 (text+ko) ==== @@ -1,5 +1,5 @@ # -# +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/Makefile#2 $ # SUBDIR= auditreduce \ ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/Makefile#2 (text+ko) ==== @@ -1,5 +1,5 @@ # -# $FreeBSD$ +# $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/Makefile#2 $ # CFLAGS+= -I- -I ../.. -I ../../libbsm -L ../../libbsm -I. ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#2 (text+ko) ==== @@ -1,4 +1,5 @@ -.\" Copyright (c) 2004, Apple Computer, Inc. All rights reserved. +.\" Copyright (c) 2004 Apple Computer, Inc. +.\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -24,6 +25,8 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" +.\" $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.1#2 $ +.\" .Dd Jan 24, 2004 .Dt AUDITREDUCE 1 .Os ==== //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#4 (text+ko) ==== @@ -1,5 +1,6 @@ /* - * Copyright (c) 2004, Apple Computer, Inc. All rights reserved. + * Copyright (c) 2004 Apple Computer, Inc. + * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -24,11 +25,13 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. + * + * $P4: //depot/projects/trustedbsd/audit3/contrib/openbsm/bin/auditreduce/auditreduce.c#4 $ */ /* * Tool used to merge and select audit records from audit trail files - */ + */ /* * XXX Currently we do not support merging of records from multiple 
@@ -50,33 +53,32 @@ #include "auditreduce.h" +extern char *optarg; +extern int optind, optopt, opterr,optreset; -extern char *optarg; -extern int optind, optopt, opterr,optreset; +static au_mask_t maskp; /* Class. */ +static time_t p_atime; /* Created after this time. */ +static time_t p_btime; /* Created before this time. */ +static uint16_t p_evtype; /* Event that we are searching for. */ +static int p_auid; /* Audit id. */ +static int p_euid; /* Effective user id. */ +static int p_egid; /* Effective group id. */ +static int p_rgid; /* Real group id. */ +static int p_ruid; /* Real user id. */ +static int p_subid; /* Subject id. */ -static au_mask_t maskp; /* Used while selecting based on class */ -static time_t p_atime;/* select records created after this time */ -static time_t p_btime;/* select records created before this time */ -static uint16_t p_evtype; /* The event that we are searching for */ -static int p_auid; /* audit id */ -static int p_euid; /* effective user id */ -static int p_egid; /* effective group id */ -static int p_rgid; /* real group id */ -static int p_ruid; /* real user id */ -static int p_subid; /* subject id */ - -/* Following are the objects (-o option) that we can select upon */ -static char *p_fileobj = NULL; -static char *p_msgqobj = NULL; -static char *p_pidobj = NULL; -static char *p_semobj = NULL; -static char *p_shmobj = NULL; -static char *p_sockobj = NULL; +/* + * Following are the objects (-o option) that we can select upon. + */ +static char *p_fileobj = NULL; +static char *p_msgqobj = NULL; +static char *p_pidobj = NULL; +static char *p_semobj = NULL; +static char *p_shmobj = NULL; +static char *p_sockobj = NULL; - static uint32_t opttochk = 0; - static void usage(const char *msg) { 
@@ -105,179 +107,177 @@ } /* - * Check if the given auid matches the selection criteria + * Check if the given auid matches the selection criteria. */ -static int select_auid(int au) +static int +select_auid(int au) { - /* check if we want to select on auid */ - if(ISOPTSET(opttochk, OPT_u)) { - if(au != p_auid) { - return 0; - } + + /* Check if we want to select on auid. */ + if (ISOPTSET(opttochk, OPT_u)) { + if (au != p_auid) + return (0); } - return 1; + return (1); } /* - * Check if the given euid matches the selection criteria + * Check if the given euid matches the selection criteria. */ -static int select_euid(int euser) +static int +select_euid(int euser) { - /* check if we want to select on euid */ - if(ISOPTSET(opttochk, OPT_e)) { - if(euser != p_euid) { - return 0; - } + + /* Check if we want to select on euid. */ + if (ISOPTSET(opttochk, OPT_e)) { + if (euser != p_euid) + return (0); } - return 1; + return (1); } /* - * Check if the given egid matches the selection criteria + * Check if the given egid matches the selection criteria. */ -static int select_egid(int egrp) +static int +select_egid(int egrp) { - /* check if we want to select on egid */ - if(ISOPTSET(opttochk, OPT_f)) { - if(egrp != p_egid) { - return 0; - } + + /* Check if we want to select on egid. */ + if (ISOPTSET(opttochk, OPT_f)) { + if (egrp != p_egid) + return (0); } - return 1; + return (1); } /* - * Check if the given rgid matches the selection criteria + * Check if the given rgid matches the selection criteria. */ -static int select_rgid(int grp) +static int +select_rgid(int grp) { - /* check if we want to select on rgid */ - if(ISOPTSET(opttochk, OPT_g)) { - if(grp != p_rgid) { - return 0; - } + + /* Check if we want to select on rgid. */ + if (ISOPTSET(opttochk, OPT_g)) { + if (grp != p_rgid) + return (0); } - return 1; + return (1); } /* - * Check if the given ruid matches the selection criteria + * Check if the given ruid matches the selection criteria. 
*/ -static int select_ruid(int user) +static int +select_ruid(int user) { - /* check if we want to select on rgid */ - if(ISOPTSET(opttochk, OPT_r)) { - if(user != p_ruid) { - return 0; - } + + /* Check if we want to select on rgid. */ + if (ISOPTSET(opttochk, OPT_r)) { + if (user != p_ruid) + return (0); } - return 1; + return (1); } /* - * Check if the given subject id (pid) matches the selection criteria + * Check if the given subject id (pid) matches the selection criteria. */ -static int select_subid(int subid) +static int +select_subid(int subid) { - /* check if we want to select on subject uid */ - if(ISOPTSET(opttochk, OPT_j)) { - if(subid != p_subid) { - return 0; - } + + /* Check if we want to select on subject uid. */ + if (ISOPTSET(opttochk, OPT_j)) { + if (subid != p_subid) + return (0); } - return 1; + return (1); } /* - * Check if object's pid maches the given pid + * Check if object's pid maches the given pid. */ -static int select_pidobj(uint32_t pid) +static int +select_pidobj(uint32_t pid) { - if(ISOPTSET(opttochk, OPT_op)) { - if(pid != strtol(p_pidobj, (char **)NULL, 10)) { - return 0; - } + + if (ISOPTSET(opttochk, OPT_op)) { + if (pid != strtol(p_pidobj, (char **)NULL, 10)) + return (0); } - return 1; + return (1); } /* - * Check if the given ipc object with the given type matches the - * selection criteria + * Check if the given ipc object with the given type matches the selection + * criteria. 
*/ -static int select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) +static int +select_ipcobj(u_char type, uint32_t id, uint32_t *optchkd) { - if(type == AT_IPC_MSG) { + + if (type == AT_IPC_MSG) { SETOPT((*optchkd), OPT_om); - if(ISOPTSET(opttochk, OPT_om)) { - if(id != strtol(p_msgqobj, (char **)NULL, 10)) { - return 0; - } + if (ISOPTSET(opttochk, OPT_om)) { + if (id != strtol(p_msgqobj, (char **)NULL, 10)) + return (0); } - return 1; - } - else if(type == AT_IPC_SEM) { + return (1); + } else if (type == AT_IPC_SEM) { SETOPT((*optchkd), OPT_ose); - if(ISOPTSET(opttochk, OPT_ose)) { - if(id != strtol(p_semobj, (char **)NULL, 10)) { - return 0; - } + if (ISOPTSET(opttochk, OPT_ose)) { + if (id != strtol(p_semobj, (char **)NULL, 10)) + return (0); } - return 1; - } - else if (type == AT_IPC_SHM) { + return (1); + } else if (type == AT_IPC_SHM) { SETOPT((*optchkd), OPT_osh); - if(ISOPTSET(opttochk, OPT_osh)) { - if(id != strtol(p_shmobj, (char **)NULL, 10)) { - return 0; - } + if (ISOPTSET(opttochk, OPT_osh)) { + if (id != strtol(p_shmobj, (char **)NULL, 10)) + return (0); } - return 1; + return (1); } - /* unknown type -- filter if *any* ipc filtering is required */ - if(ISOPTSET(opttochk, OPT_om) - || ISOPTSET(opttochk, OPT_ose) - || ISOPTSET(opttochk, OPT_osh)) { - return 0; - } + /* Unknown type -- filter if *any* ipc filtering is required. */ + if (ISOPTSET(opttochk, OPT_om) || ISOPTSET(opttochk, OPT_ose) + || ISOPTSET(opttochk, OPT_osh)) + return (0); - return 1; + return (1); } /* - * Check if the file name matches selection criteria + * Check if the file name matches selection criteria. */ -static int select_filepath(char *path, uint32_t *optchkd) +static int +select_filepath(char *path, uint32_t *optchkd) { char *loc; SETOPT((*optchkd), OPT_of); - if(ISOPTSET(opttochk, OPT_of)) { - if(p_fileobj[0] == '~') { - /* object should not be in path */ + if (ISOPTSET(opttochk, OPT_of)) { + if (p_fileobj[0] == '~') { + /* Object should not be in path. 
*/ loc = strstr(path, p_fileobj + 1); - if((loc != NULL) && (loc == path)) { - return 0; - } - } - else { - /* object should be in path */ + if ((loc != NULL) && (loc == path)) + return (0); + } else { + /* Object should be in path. */ loc = strstr(path, p_fileobj); - if((loc == NULL) || (loc != path)) { - return 0; - } + if ((loc == NULL) || (loc != path)) + return (0); } } - return 1; + return (1); } - - /* - * Returns 1 if the following pass the selection rules: + * Returns 1 if the following pass the selection rules: * * before-time, * after time, 
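Review bot: The object-id filters in select_pidobj() and select_ipcobj() still call `strtol(p_pidobj, (char **)NULL, 10)` (likewise for p_msgqobj, p_semobj and p_shmobj) on every token with no end-pointer or range check, so a non-numeric `-o` value parses as 0 and the filter silently matches id 0 instead of being rejected. The comparison is also between a `uint32_t` and a `long`, so negative or out-of-range input is treated differently depending on the width of `long`. For a tool that decides which audit records a reviewer sees, a mistyped filter should fail loudly: parse the value once where it is stored, call usage() when `end == val || *end != '\0' || errno == ERANGE`, and compare against a saved `uint32_t`. parse_object_type(), which stores the raw string, is in a later hunk, so the exact placement of that check is to be confirmed there.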
@@ -285,44 +285,46 @@ * class, * event */ -static int select_hdr32(tokenstr_t tok, uint32_t *optchkd) +static int +select_hdr32(tokenstr_t tok, uint32_t *optchkd) { + SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m)); - /* The A option overrides a,b and d */ - if(!ISOPTSET(opttochk, OPT_A)) { - if(ISOPTSET(opttochk, OPT_a)) { + /* The A option overrides a, b and d. */ + if (!ISOPTSET(opttochk, OPT_A)) { + if (ISOPTSET(opttochk, OPT_a)) { if (difftime((time_t)tok.tt.hdr32.s, p_atime) < 0) { - /* record was created before p_atime */ - return 0; + /* Record was created before p_atime. */ + return (0); } } - if(ISOPTSET(opttochk, OPT_b)) { + if (ISOPTSET(opttochk, OPT_b)) { if (difftime(p_btime, (time_t)tok.tt.hdr32.s) < 0) { - /* record was created after p_btime */ - return 0; + /* Record was created after p_btime. */ + return (0); } } } - if(ISOPTSET(opttochk, OPT_c)) { + if (ISOPTSET(opttochk, OPT_c)) { + /* + * Check if the classes represented by the event matches + * given class. + */ + if (au_preselect(tok.tt.hdr32.e_type, &maskp, AU_PRS_BOTH, + AU_PRS_USECACHE) != 1) + return (0); + } - /* check if the classes represented by the event matches given class */ - if(au_preselect(tok.tt.hdr32.e_type, &maskp, - AU_PRS_BOTH, AU_PRS_USECACHE) != 1) { - return 0; - } - } - - /* check if event matches */ - if(ISOPTSET(opttochk, OPT_m)) { - if(tok.tt.hdr32.e_type != p_evtype) { - return 0; - } + /* Check if event matches. */ + if (ISOPTSET(opttochk, OPT_m)) { + if (tok.tt.hdr32.e_type != p_evtype) + return (0); } - return 1; + return (1); } /* 
@@ -334,31 +336,25 @@ * ruid, * process id */ -static int select_proc32(tokenstr_t tok, uint32_t *optchkd) +static int +select_proc32(tokenstr_t tok, uint32_t *optchkd) { + SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_op)); - if( !select_auid(tok.tt.proc32.auid)) { - return 0; - } - if( !select_euid(tok.tt.proc32.euid)) { - return 0; - } - if( !select_egid(tok.tt.proc32.egid)) { - return 0; - } - if( !select_rgid(tok.tt.proc32.rgid)) { - return 0; - } - if( !select_ruid(tok.tt.proc32.ruid)) { - return 0; - } - - if( !select_pidobj(tok.tt.proc32.pid)) { - return 0; - } - - return 1; + if (!select_auid(tok.tt.proc32.auid)) + return (0); + if (!select_euid(tok.tt.proc32.euid)) + return (0); + if (!select_egid(tok.tt.proc32.egid)) + return (0); + if (!select_rgid(tok.tt.proc32.rgid)) + return (0); + if (!select_ruid(tok.tt.proc32.ruid)) + return (0); + if (!select_pidobj(tok.tt.proc32.pid)) + return (0); + return (1); } /* 
@@ -370,169 +366,159 @@ * ruid, * subject id */ -static int select_subj32(tokenstr_t tok, uint32_t *optchkd) +static int +select_subj32(tokenstr_t tok, uint32_t *optchkd) { + SETOPT((*optchkd), (OPT_u | OPT_e | OPT_f | OPT_g | OPT_r | OPT_j)); - if( !select_auid(tok.tt.subj32.auid)) { - return 0; - } - if( !select_euid(tok.tt.subj32.euid)) { - return 0; - } - if( !select_egid(tok.tt.subj32.egid)) { - return 0; - } - if( !select_rgid(tok.tt.subj32.rgid)) { - return 0; - } - if( !select_ruid(tok.tt.subj32.ruid)) { - return 0; - } - if( !select_subid(tok.tt.subj32.pid)) { - return 0; - } - return 1; + if (!select_auid(tok.tt.subj32.auid)) + return (0); + if (!select_euid(tok.tt.subj32.euid)) + return (0); + if (!select_egid(tok.tt.subj32.egid)) + return (0); + if (!select_rgid(tok.tt.subj32.rgid)) + return (0); + if (!select_ruid(tok.tt.subj32.ruid)) + return (0); + if (!select_subid(tok.tt.subj32.pid)) + return (0); + return (1); } /* - * Read each record from the audit trail. - * Check if it is selected after passing through each of the options + * Read each record from the audit trail. Check if it is selected after + * passing through each of the options */ -static int select_records(FILE *fp) +static int +select_records(FILE *fp) { u_char *buf; tokenstr_t tok; int reclen; - int bytesread; + int bytesread; int selected; uint32_t optchkd; int err = 0; - - while((reclen = au_read_rec(fp, &buf)) != -1) { - + while ((reclen = au_read_rec(fp, &buf)) != -1) { optchkd = 0; bytesread = 0; selected = 1; - while ((selected == 1) && (bytesread < reclen)) { - - if(-1 == au_fetch_tok(&tok, buf + bytesread, reclen - bytesread)) { - /* is this an incomplete record ? */ + if (-1 == au_fetch_tok(&tok, buf + bytesread, + reclen - bytesread)) { + /* Is this an incomplete record? */ err = 1; break; } - /* For each token type we have have different selection criteria */ + /* + * For each token type we have have different + * selection criteria. 
+ */ switch(tok.id) { - case AU_HEADER_32_TOKEN : - selected = select_hdr32(tok, &optchkd); - break; + case AU_HEADER_32_TOKEN: + selected = select_hdr32(tok, + &optchkd); + break; - case AU_PROCESS_32_TOKEN : - selected = select_proc32(tok, &optchkd); - break; + case AU_PROCESS_32_TOKEN: + selected = select_proc32(tok, + &optchkd); + break; - case AU_SUBJECT_32_TOKEN : - selected = select_subj32(tok, &optchkd); - break; + case AU_SUBJECT_32_TOKEN: + selected = select_subj32(tok, + &optchkd); + break; - case AU_IPC_TOKEN : - selected = select_ipcobj(tok.tt.ipc.type, tok.tt.ipc.id, &optchkd); - break; + case AU_IPC_TOKEN: + selected = select_ipcobj( + tok.tt.ipc.type, tok.tt.ipc.id, + &optchkd); + break; - case AU_FILE_TOKEN : - selected = select_filepath(tok.tt.file.name, &optchkd); - break; + case AU_FILE_TOKEN: + selected = select_filepath( + tok.tt.file.name, &optchkd); + break; - case AU_PATH_TOKEN : - selected = select_filepath(tok.tt.path.path, &optchkd); - break; + case AU_PATH_TOKEN: + selected = select_filepath( + tok.tt.path.path, &optchkd); + break; - /* - * The following tokens dont have any relevant attributes - * that we can select upon - */ - case AU_TRAILER_TOKEN : - case AU_ARG32_TOKEN : - case AU_ATTR32_TOKEN : - case AU_EXIT_TOKEN : - case AU_NEWGROUPS_TOKEN : - case AU_IN_ADDR_TOKEN : - case AU_IP_TOKEN : - case AU_IPCPERM_TOKEN : - case AU_IPORT_TOKEN : - case AU_OPAQUE_TOKEN : - case AU_RETURN_32_TOKEN : - case AU_SEQ_TOKEN : - case AU_TEXT_TOKEN : - case AU_ARB_TOKEN : - case AU_SOCK_TOKEN : - default: - break; + /* + * The following tokens dont have any relevant + * attributes that we can select upon. 
+ */ + case AU_TRAILER_TOKEN: + case AU_ARG32_TOKEN: + case AU_ATTR32_TOKEN: + case AU_EXIT_TOKEN: + case AU_NEWGROUPS_TOKEN: + case AU_IN_ADDR_TOKEN: + case AU_IP_TOKEN: + case AU_IPCPERM_TOKEN: + case AU_IPORT_TOKEN: + case AU_OPAQUE_TOKEN: + case AU_RETURN_32_TOKEN: + case AU_SEQ_TOKEN: + case AU_TEXT_TOKEN: + case AU_ARB_TOKEN: + case AU_SOCK_TOKEN: + default: + break; } - bytesread += tok.len; } - - if((selected == 1) && (!err)) { - - /* check if all the options were matched */ - if(!(opttochk & ~optchkd)) { - /* XXX write this record to the output file */ - + if ((selected == 1) && (!err)) { + /* Check if all the options were matched. */ + if (!(opttochk & ~optchkd)) { + /* XXX Write this record to the output file. */ /* default to stdout */ fwrite(buf, 1, reclen, stdout); } } - free(buf); } - - return 0; + return (0); } - /* - * The -o option has the form object_type=object_value - * Identify the object components + * The -o option has the form object_type=object_value. Identify the object + * components. */ -void parse_object_type(char *name, char *val) +void +parse_object_type(char *name, char *val) { - if(val == NULL) + if (val == NULL) return; - if(!strcmp(name, FILEOBJ)) { + if (!strcmp(name, FILEOBJ)) { p_fileobj = val; SETOPT(opttochk, OPT_of); - } - else if( !strcmp(name, MSGQIDOBJ)) { + } else if (!strcmp(name, MSGQIDOBJ)) { p_msgqobj = val; SETOPT(opttochk, OPT_om); - } - else if( !strcmp(name, PIDOBJ)) { + } else if (!strcmp(name, PIDOBJ)) { p_pidobj = val; SETOPT(opttochk, OPT_op); - } - else if( !strcmp(name, SEMIDOBJ)) { + } else if (!strcmp(name, SEMIDOBJ)) { p_semobj = val; SETOPT(opttochk, OPT_ose); - } - else if( !strcmp(name, SHMIDOBJ)) { + } else if (!strcmp(name, SHMIDOBJ)) { p_shmobj = val; SETOPT(opttochk, OPT_osh); - } - else if( !strcmp(name, SOCKOBJ)) { + } else if (!strcmp(name, SOCKOBJ)) { p_sockobj = val; SETOPT(opttochk, OPT_oso); - } - else { + } else usage("unknown value for -o"); - } } - int main(int argc, char **argv) { 
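Review bot: In select_records(), `err` is initialised once at its declaration and set to 1 when au_fetch_tok() fails, but unlike `optchkd`, `bytesread` and `selected` it is never cleared at the top of the outer loop, so after the first malformed token every later record fails the `(selected == 1) && (!err)` test and is dropped while the function still returns 0. On an audit trail with one truncated or corrupted record, this silently hides everything that follows it. Either reset it per record with `err = 0;` next to `optchkd = 0;`, or stop and return a non-zero status so the caller can report the damaged trail. The same loop advances with `bytesread += tok.len;` and ignores the result of `fwrite(buf, 1, reclen, stdout)`; whether au_fetch_tok() can succeed with a zero `tok.len` is not visible here, but a guard for that case and a check of the write would make a stalled or incomplete reduction detectable.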
@@ -540,11 +526,12 @@ struct passwd *pw; struct tm tm; au_event_t *n; - FILE *fp; + FILE *fp; int i; char *objval, *converr; char ch; char timestr[128]; + char *fname; converr = NULL; @@ -553,28 +540,33 @@ case 'A': SETOPT(opttochk, OPT_A); break; + case 'a': if (ISOPTSET(opttochk, OPT_a)) { usage("d is exclusive with a and b"); } SETOPT(opttochk, OPT_a); strptime(optarg, "%Y%m%d%H%M%S", &tm); - strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", &tm); - //fprintf(stderr, "Time converted = %s\n", timestr); + strftime(timestr, sizeof(timestr), "%Y%m%d%H%M%S", + &tm); + /* fprintf(stderr, "Time converted = %s\n", timestr); */ p_atime = mktime(&tm); >>> TRUNCATED FOR MAIL (1000 lines) <<<