2 * Copyright (c) 2004-2008 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#63 $
38 #include <sys/types.h>
40 #include <config/config.h>
41 #if defined(HAVE_SYS_ENDIAN_H) && defined(HAVE_BE32ENC)
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H || !HAVE_BE32ENC */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
62 #include <sys/socket.h>
64 #include <bsm/libbsm.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
77 #include <bsm/audit_internal.h>
79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if ((bytesread) + (size) > (u_int32_t)(len)) { \
83 memcpy((dest), (buf) + (bytesread), (size)); \
88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
90 (dest) = buf[(bytesread)]; \
91 (bytesread) += sizeof(u_char); \
96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
98 (dest) = be16dec((buf) + (bytesread)); \
99 (bytesread) += sizeof(u_int16_t); \
104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
106 (dest) = be32dec((buf) + (bytesread)); \
107 (bytesread) += sizeof(u_int32_t); \
112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
114 dest = be64dec((buf) + (bytesread)); \
115 (bytesread) += sizeof(u_int64_t); \
120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (u_int32_t)(len)) \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
136 * Prints the delimiter string.
139 print_delim(FILE *fp, const char *del)
142 fprintf(fp, "%s", del);
146 * Prints a single byte in the given format.
149 print_1_byte(FILE *fp, u_char val, const char *format)
152 fprintf(fp, format, val);
156 * Print 2 bytes in the given format.
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
162 fprintf(fp, format, val);
166 * Prints 4 bytes in the given format.
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
172 fprintf(fp, format, val);
176 * Prints 8 bytes in the given format.
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
182 fprintf(fp, format, val);
186 * Prints the given size of data bytes in hex.
189 print_mem(FILE *fp, u_char *data, size_t len)
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%02x", data[i]);
201 * Prints the given data bytes as a string.
204 print_string(FILE *fp, const char *str, size_t len)
209 for (i = 0; i < len; i++) {
211 fprintf(fp, "%c", str[i]);
217 * Prints the beggining of attribute.
220 open_attr(FILE *fp, const char *str)
223 fprintf(fp,"%s=\"", str);
227 * Prints the end of attribute.
237 * Prints the end of tag.
240 close_tag(FILE *fp, u_char type)
248 case AUT_HEADER32_EX:
256 case AUT_HEADER64_EX:
281 fprintf(fp, "</exec_args>");
285 fprintf(fp, "</exec_env>");
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
293 fprintf(fp, "</group>");
297 fprintf(fp, "</ip_address>");
301 fprintf(fp, "</ip_address>");
317 fprintf(fp, "</ip_port>");
321 fprintf(fp, "</opaque>");
325 fprintf(fp, "</path>");
332 case AUT_PROCESS32_EX:
340 case AUT_PROCESS64_EX:
368 case AUT_SOCKINET128:
380 case AUT_SUBJECT32_EX:
384 case AUT_SUBJECT64_EX:
389 fprintf(fp, "</text>");
397 fprintf(fp, "</arbitrary>");
407 * Prints the token type in either the raw or the default form.
410 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
416 fprintf(fp, "<record ");
419 case AUT_HEADER32_EX:
420 fprintf(fp, "<record ");
424 fprintf(fp, "<record ");
427 case AUT_HEADER64_EX:
428 fprintf(fp, "<record ");
432 fprintf(fp, "</record>");
436 fprintf(fp, "<argument ");
440 fprintf(fp, "<argument ");
444 fprintf(fp, "<attribute ");
448 fprintf(fp, "<attribute ");
452 fprintf(fp, "<exit ");
456 fprintf(fp, "<exec_args>");
460 fprintf(fp, "<exec_env>");
463 case AUT_OTHER_FILE32:
464 fprintf(fp, "<file ");
468 fprintf(fp, "<group>");
472 fprintf(fp, "<ip_address>");
476 fprintf(fp, "<ip_address>");
488 fprintf(fp, "<IPC_perm ");
492 fprintf(fp, "<ip_port>");
496 fprintf(fp, "<opaque>");
500 fprintf(fp, "<path>");
504 fprintf(fp, "<process ");
507 case AUT_PROCESS32_EX:
508 fprintf(fp, "<process ");
512 fprintf(fp, "<process ");
515 case AUT_PROCESS64_EX:
516 fprintf(fp, "<process ");
520 fprintf(fp, "<return ");
524 fprintf(fp, "<return ");
528 fprintf(fp, "<sequence ");
532 fprintf(fp, "<socket ");
536 fprintf(fp, "<socket-inet ");
540 fprintf(fp, "<socket-unix ");
543 case AUT_SOCKINET128:
544 fprintf(fp, "<socket-inet6 ");
547 fprintf(fp, "<subject ");
551 fprintf(fp, "<subject ");
554 case AUT_SUBJECT32_EX:
555 fprintf(fp, "<subject ");
558 case AUT_SUBJECT64_EX:
559 fprintf(fp, "<subject ");
563 fprintf(fp, "<text>");
567 fprintf(fp, "<socket ");
571 fprintf(fp, "<arbitrary ");
575 fprintf(fp, "<zone ");
580 fprintf(fp, "%u", type);
582 fprintf(fp, "%s", tokname);
587 * Prints a user value.
590 print_user(FILE *fp, u_int32_t usr, char raw)
592 struct passwd *pwent;
595 fprintf(fp, "%d", usr);
597 pwent = getpwuid(usr);
599 fprintf(fp, "%s", pwent->pw_name);
601 fprintf(fp, "%d", usr);
606 * Prints a group value.
609 print_group(FILE *fp, u_int32_t grp, char raw)
611 struct group *grpent;
614 fprintf(fp, "%d", grp);
616 grpent = getgrgid(grp);
618 fprintf(fp, "%s", grpent->gr_name);
620 fprintf(fp, "%d", grp);
625 * Prints the event from the header token in either the short, default or raw
629 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
631 char event_ent_name[AU_EVENT_NAME_MAX];
632 char event_ent_desc[AU_EVENT_DESC_MAX];
633 struct au_event_ent e, *ep;
635 bzero(&e, sizeof(e));
636 bzero(event_ent_name, sizeof(event_ent_name));
637 bzero(event_ent_desc, sizeof(event_ent_desc));
638 e.ae_name = event_ent_name;
639 e.ae_desc = event_ent_desc;
641 ep = getauevnum_r(&e, ev);
643 fprintf(fp, "%u", ev);
648 fprintf(fp, "%u", ev);
650 fprintf(fp, "%s", e.ae_name);
652 fprintf(fp, "%s", e.ae_desc);
657 * Prints the event modifier from the header token in either the default or
661 print_evmod(FILE *fp, u_int16_t evmod, char raw)
664 fprintf(fp, "%u", evmod);
666 fprintf(fp, "%u", evmod);
670 * Prints seconds in the ctime format.
673 print_sec32(FILE *fp, u_int32_t sec, char raw)
679 fprintf(fp, "%u", sec);
681 timestamp = (time_t)sec;
682 ctime_r(×tamp, timestr);
683 timestr[24] = '\0'; /* No new line */
684 fprintf(fp, "%s", timestr);
689 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
690 * assume a 32-bit time_t, we simply truncate for now.
693 print_sec64(FILE *fp, u_int64_t sec, char raw)
699 fprintf(fp, "%u", (u_int32_t)sec);
701 timestamp = (time_t)sec;
702 ctime_r(×tamp, timestr);
703 timestr[24] = '\0'; /* No new line */
704 fprintf(fp, "%s", timestr);
709 * Prints the excess milliseconds.
712 print_msec32(FILE *fp, u_int32_t msec, char raw)
715 fprintf(fp, "%u", msec);
717 fprintf(fp, " + %u msec", msec);
721 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
722 * a 32-bit msec, we simply truncate for now.
725 print_msec64(FILE *fp, u_int64_t msec, char raw)
730 fprintf(fp, "%u", (u_int32_t)msec);
732 fprintf(fp, " + %u msec", (u_int32_t)msec);
736 * Prints a dotted form for the IP address.
739 print_ip_address(FILE *fp, u_int32_t ip)
741 struct in_addr ipaddr;
744 fprintf(fp, "%s", inet_ntoa(ipaddr));
748 * Prints a string value for the given ip address.
751 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
754 struct in6_addr ipv6;
755 char dst[INET6_ADDRSTRLEN];
759 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
760 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
765 bcopy(ipaddr, &ipv6, sizeof(ipv6));
766 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
771 fprintf(fp, "invalid");
776 * Prints return value as success or failure.
779 print_retval(FILE *fp, u_char status, char raw)
784 fprintf(fp, "%u", status);
787 * Convert to a local error number and print the OS's version
788 * of the error string if possible. We may want to provide
789 * an au_strerror(3) in the future so that we can print
790 * strings for non-local errors.
792 if (au_bsm_to_errno(status, &error) == 0) {
794 fprintf(fp, "success");
796 fprintf(fp, "failure : %s", strerror(error));
798 fprintf(fp, "failure: Unknown error: %d", status);
803 * Prints the exit value.
806 print_errval(FILE *fp, u_int32_t val)
809 fprintf(fp, "Error %u", val);
816 print_ipctype(FILE *fp, u_char type, char raw)
819 fprintf(fp, "%u", type);
821 if (type == AT_IPC_MSG)
822 fprintf(fp, "Message IPC");
823 else if (type == AT_IPC_SEM)
824 fprintf(fp, "Semaphore IPC");
825 else if (type == AT_IPC_SHM)
826 fprintf(fp, "Shared Memory IPC");
828 fprintf(fp, "%u", type);
836 au_print_xml_header(FILE *outfp)
839 fprintf(outfp, "<?xml version='1.0' ?>\n");
840 fprintf(outfp, "<audit>\n");
847 au_print_xml_footer(FILE *outfp)
850 fprintf(outfp, "</audit>\n");
854 * record byte count 4 bytes
855 * version # 1 byte [2]
857 * event modifier 2 bytes
858 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
859 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
862 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
866 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
870 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
874 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
878 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
882 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
886 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
894 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
898 print_tok_type(fp, tok->id, "header", raw, xml);
900 open_attr(fp, "version");
901 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 open_attr(fp, "event");
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
906 open_attr(fp, "modifier");
907 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
909 open_attr(fp, "time");
910 print_sec32(fp, tok->tt.hdr32.s, raw);
912 open_attr(fp, "msec");
913 print_msec32(fp, tok->tt.hdr32.ms, 1);
915 close_tag(fp, tok->id);
917 print_delim(fp, del);
918 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
919 print_delim(fp, del);
920 print_1_byte(fp, tok->tt.hdr32.version, "%u");
921 print_delim(fp, del);
922 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
923 print_delim(fp, del);
924 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
925 print_delim(fp, del);
926 print_sec32(fp, tok->tt.hdr32.s, raw);
927 print_delim(fp, del);
928 print_msec32(fp, tok->tt.hdr32.ms, raw);
933 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
934 * depending on the bit of the specifications found. The OpenSolaris source
935 * code uses a 4-byte address length, followed by some number of bytes of
936 * address data. This contrasts with the Solaris audit.log.5 man page, which
937 * specifies a 1-byte length field. We use the Solaris 10 definition so that
938 * we can parse audit trails from that system.
940 * record byte count 4 bytes
941 * version # 1 byte [2]
943 * event modifier 2 bytes
944 * address type/length 4 bytes
945 * [ Solaris man page: address type/length 1 byte]
946 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
947 * seconds of time 4 bytes/8 bytes (32/64-bits)
948 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
951 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
955 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
959 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
963 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
967 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
971 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
975 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
976 switch (tok->tt.hdr32_ex.ad_type) {
978 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
979 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
985 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
986 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
990 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
994 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
1002 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1006 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1008 open_attr(fp, "version");
1009 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1011 open_attr(fp, "event");
1012 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1014 open_attr(fp, "modifier");
1015 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1017 open_attr(fp, "host");
1018 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1019 tok->tt.hdr32_ex.addr);
1021 open_attr(fp, "time");
1022 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1024 open_attr(fp, "msec");
1025 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1027 close_tag(fp, tok->id);
1029 print_delim(fp, del);
1030 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1031 print_delim(fp, del);
1032 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1033 print_delim(fp, del);
1034 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1035 print_delim(fp, del);
1036 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1037 print_delim(fp, del);
1038 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1039 tok->tt.hdr32_ex.addr);
1040 print_delim(fp, del);
1041 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1042 print_delim(fp, del);
1043 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1048 * record byte count 4 bytes
1049 * event type 2 bytes
1050 * event modifier 2 bytes
1051 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1052 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1056 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1060 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1064 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1068 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1072 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1076 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1080 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1088 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1092 print_tok_type(fp, tok->id, "header", raw, xml);
1094 open_attr(fp, "version");
1095 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1097 open_attr(fp, "event");
1098 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1100 open_attr(fp, "modifier");
1101 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 open_attr(fp, "time");
1104 print_sec64(fp, tok->tt.hdr64.s, raw);
1106 open_attr(fp, "msec");
1107 print_msec64(fp, tok->tt.hdr64.ms, raw);
1109 close_tag(fp, tok->id);
1111 print_delim(fp, del);
1112 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1113 print_delim(fp, del);
1114 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1115 print_delim(fp, del);
1116 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1117 print_delim(fp, del);
1118 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1119 print_delim(fp, del);
1120 print_sec64(fp, tok->tt.hdr64.s, raw);
1121 print_delim(fp, del);
1122 print_msec64(fp, tok->tt.hdr64.ms, raw);
1127 * record byte count 4 bytes
1128 * version # 1 byte [2]
1129 * event type 2 bytes
1130 * event modifier 2 bytes
1131 * address type/length 4 bytes
1132 * [ Solaris man page: address type/length 1 byte]
1133 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1134 * seconds of time 4 bytes/8 bytes (32/64-bits)
1135 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1137 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1138 * accuracy of the BSM spec.
1141 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1149 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1153 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1157 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1161 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1165 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1166 switch (tok->tt.hdr64_ex.ad_type) {
1168 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1169 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1175 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1176 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1180 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1184 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1192 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1196 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1198 open_attr(fp, "version");
1199 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1201 open_attr(fp, "event");
1202 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1204 open_attr(fp, "modifier");
1205 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1207 open_attr(fp, "host");
1208 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1209 tok->tt.hdr64_ex.addr);
1211 open_attr(fp, "time");
1212 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1214 open_attr(fp, "msec");
1215 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1217 close_tag(fp, tok->id);
1219 print_delim(fp, del);
1220 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1221 print_delim(fp, del);
1222 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1223 print_delim(fp, del);
1224 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1225 print_delim(fp, del);
1226 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1227 print_delim(fp, del);
1228 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1229 tok->tt.hdr64_ex.addr);
1230 print_delim(fp, del);
1231 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1232 print_delim(fp, del);
1233 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1238 * trailer magic 2 bytes
1239 * record size 4 bytes
1242 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1246 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1250 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1258 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1259 __unused char sfrm, int xml)
1262 print_tok_type(fp, tok->id, "trailer", raw, xml);
1264 print_delim(fp, del);
1265 print_4_bytes(fp, tok->tt.trail.count, "%u");
1271 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1272 * text length 2 bytes
1273 * text N bytes + 1 terminating NULL byte
1276 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1280 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1284 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1288 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1292 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1301 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1302 __unused char sfrm, int xml)
1305 print_tok_type(fp, tok->id, "argument", raw, xml);
1307 open_attr(fp, "arg-num");
1308 print_1_byte(fp, tok->tt.arg32.no, "%u");
1310 open_attr(fp, "value");
1311 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1313 open_attr(fp, "desc");
1314 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1316 close_tag(fp, tok->id);
1318 print_delim(fp, del);
1319 print_1_byte(fp, tok->tt.arg32.no, "%u");
1320 print_delim(fp, del);
1321 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1322 print_delim(fp, del);
1323 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1328 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1332 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1336 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1340 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1344 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1353 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1354 __unused char sfrm, int xml)
1357 print_tok_type(fp, tok->id, "argument", raw, xml);
1359 open_attr(fp, "arg-num");
1360 print_1_byte(fp, tok->tt.arg64.no, "%u");
1362 open_attr(fp, "value");
1363 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1365 open_attr(fp, "desc");
1366 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1368 close_tag(fp, tok->id);
1370 print_delim(fp, del);
1371 print_1_byte(fp, tok->tt.arg64.no, "%u");
1372 print_delim(fp, del);
1373 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1374 print_delim(fp, del);
1375 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1380 * how to print 1 byte
1383 * data items (depends on basic unit)
1386 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1391 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1395 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1399 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1404 * Determine the size of the basic unit.
1406 switch(tok->tt.arb.bu) {
1408 /* case AUR_CHAR: */
1409 datasize = AUR_BYTE_SIZE;
1413 datasize = AUR_SHORT_SIZE;
1418 datasize = AUR_INT32_SIZE;
1422 datasize = AUR_INT64_SIZE;
1429 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1438 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1439 __unused char sfrm, int xml)
1446 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1448 print_delim(fp, del);
1450 switch(tok->tt.arb.howtopr) {
1481 open_attr(fp, "print");
1482 fprintf(fp, "%s",str);
1485 print_string(fp, str, strlen(str));
1486 print_delim(fp, del);
1488 switch(tok->tt.arb.bu) {
1490 /* case AUR_CHAR: */
1492 size = AUR_BYTE_SIZE;
1494 open_attr(fp, "type");
1495 fprintf(fp, "%zu", size);
1497 open_attr(fp, "count");
1498 print_1_byte(fp, tok->tt.arb.uc, "%u");
1501 for (i = 0; i<tok->tt.arb.uc; i++)
1502 fprintf(fp, format, *(tok->tt.arb.data +
1504 close_tag(fp, tok->id);
1506 print_string(fp, str, strlen(str));
1507 print_delim(fp, del);
1508 print_1_byte(fp, tok->tt.arb.uc, "%u");
1509 print_delim(fp, del);
1510 for (i = 0; i<tok->tt.arb.uc; i++)
1511 fprintf(fp, format, *(tok->tt.arb.data +
1518 size = AUR_SHORT_SIZE;
1520 open_attr(fp, "type");
1521 fprintf(fp, "%zu", size);
1523 open_attr(fp, "count");
1524 print_1_byte(fp, tok->tt.arb.uc, "%u");
1527 for (i = 0; i < tok->tt.arb.uc; i++)
1529 *((u_int16_t *)(tok->tt.arb.data +
1531 close_tag(fp, tok->id);
1533 print_string(fp, str, strlen(str));
1534 print_delim(fp, del);
1535 print_1_byte(fp, tok->tt.arb.uc, "%u");
1536 print_delim(fp, del);
1537 for (i = 0; i < tok->tt.arb.uc; i++)
1539 *((u_int16_t *)(tok->tt.arb.data +
1547 size = AUR_INT32_SIZE;
1549 open_attr(fp, "type");
1550 fprintf(fp, "%zu", size);
1552 open_attr(fp, "count");
1553 print_1_byte(fp, tok->tt.arb.uc, "%u");
1556 for (i = 0; i < tok->tt.arb.uc; i++)
1558 *((u_int32_t *)(tok->tt.arb.data +
1560 close_tag(fp, tok->id);
1562 print_string(fp, str, strlen(str));
1563 print_delim(fp, del);
1564 print_1_byte(fp, tok->tt.arb.uc, "%u");
1565 print_delim(fp, del);
1566 for (i = 0; i < tok->tt.arb.uc; i++)
1568 *((u_int32_t *)(tok->tt.arb.data +
1575 size = AUR_INT64_SIZE;
1577 open_attr(fp, "type");
1578 fprintf(fp, "%zu", size);
1580 open_attr(fp, "count");
1581 print_1_byte(fp, tok->tt.arb.uc, "%u");
1584 for (i = 0; i < tok->tt.arb.uc; i++)
1586 *((u_int64_t *)(tok->tt.arb.data +
1588 close_tag(fp, tok->id);
1590 print_string(fp, str, strlen(str));
1591 print_delim(fp, del);
1592 print_1_byte(fp, tok->tt.arb.uc, "%u");
1593 print_delim(fp, del);
1594 for (i = 0; i < tok->tt.arb.uc; i++)
1596 *((u_int64_t *)(tok->tt.arb.data +
1607 * file access mode 4 bytes
1608 * owner user ID 4 bytes
1609 * owner group ID 4 bytes
1610 * file system ID 4 bytes
1612 * device 4 bytes/8 bytes (32-bit/64-bit)
1615 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1619 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1623 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1627 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1631 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1635 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1639 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1647 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1648 __unused char sfrm, int xml)
1651 print_tok_type(fp, tok->id, "attribute", raw, xml);
1653 open_attr(fp, "mode");
1654 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1656 open_attr(fp, "uid");
1657 print_user(fp, tok->tt.attr32.uid, raw);
1659 open_attr(fp, "gid");
1660 print_group(fp, tok->tt.attr32.gid, raw);
1662 open_attr(fp, "fsid");
1663 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1665 open_attr(fp, "nodeid");
1666 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1668 open_attr(fp, "device");
1669 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1671 close_tag(fp, tok->id);
1673 print_delim(fp, del);
1674 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1675 print_delim(fp, del);
1676 print_user(fp, tok->tt.attr32.uid, raw);
1677 print_delim(fp, del);
1678 print_group(fp, tok->tt.attr32.gid, raw);
1679 print_delim(fp, del);
1680 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1681 print_delim(fp, del);
1682 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1683 print_delim(fp, del);
1684 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1689 * file access mode 4 bytes
1690 * owner user ID 4 bytes
1691 * owner group ID 4 bytes
1692 * file system ID 4 bytes
1694 * device 4 bytes/8 bytes (32-bit/64-bit)
1697 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1701 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1705 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1709 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1713 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1717 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1721 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1729 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1730 __unused char sfrm, int xml)
1733 print_tok_type(fp, tok->id, "attribute", raw, xml);
1735 open_attr(fp, "mode");
1736 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1738 open_attr(fp, "uid");
1739 print_user(fp, tok->tt.attr64.uid, raw);
1741 open_attr(fp, "gid");
1742 print_group(fp, tok->tt.attr64.gid, raw);
1744 open_attr(fp, "fsid");
1745 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1747 open_attr(fp, "nodeid");
1748 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1750 open_attr(fp, "device");
1751 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1753 close_tag(fp, tok->id);
1755 print_delim(fp, del);
1756 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1757 print_delim(fp, del);
1758 print_user(fp, tok->tt.attr64.uid, raw);
1759 print_delim(fp, del);
1760 print_group(fp, tok->tt.attr64.gid, raw);
1761 print_delim(fp, del);
1762 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1763 print_delim(fp, del);
1764 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1765 print_delim(fp, del);
1766 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1772 * return value 4 bytes
1775 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1779 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1783 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1791 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1792 __unused char sfrm, int xml)
1795 print_tok_type(fp, tok->id, "exit", raw, xml);
1797 open_attr(fp, "errval");
1798 print_errval(fp, tok->tt.exit.status);
1800 open_attr(fp, "retval");
1801 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1803 close_tag(fp, tok->id);
1805 print_delim(fp, del);
1806 print_errval(fp, tok->tt.exit.status);
1807 print_delim(fp, del);
1808 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1814 * text count null-terminated string(s)
1817 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1823 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1827 for (i = 0; i < tok->tt.execarg.count; i++) {
1828 bptr = buf + tok->len;
1829 if (i < AUDIT_MAX_ARGS)
1830 tok->tt.execarg.text[i] = (char*)bptr;
1832 /* Look for a null terminated string. */
1833 while (bptr && (*bptr != '\0')) {
1834 if (++tok->len >= (u_int32_t)len)
1836 bptr = buf + tok->len;
1840 tok->len++; /* \0 character */
1842 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1843 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1849 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1850 __unused char sfrm, int xml)
1854 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1855 for (i = 0; i < tok->tt.execarg.count; i++) {
1857 fprintf(fp, "<arg>");
1858 print_string(fp, tok->tt.execarg.text[i],
1859 strlen(tok->tt.execarg.text[i]));
1860 fprintf(fp, "</arg>");
1862 print_delim(fp, del);
1863 print_string(fp, tok->tt.execarg.text[i],
1864 strlen(tok->tt.execarg.text[i]));
1868 close_tag(fp, tok->id);
1873 * text count null-terminated string(s)
1876 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1882 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1886 for (i = 0; i < tok->tt.execenv.count; i++) {
1887 bptr = buf + tok->len;
1888 if (i < AUDIT_MAX_ENV)
1889 tok->tt.execenv.text[i] = (char*)bptr;
1891 /* Look for a null terminated string. */
1892 while (bptr && (*bptr != '\0')) {
1893 if (++tok->len >= (u_int32_t)len)
1895 bptr = buf + tok->len;
1899 tok->len++; /* \0 character */
1901 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1902 tok->tt.execenv.count = AUDIT_MAX_ENV;
1908 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1909 __unused char sfrm, int xml)
1913 print_tok_type(fp, tok->id, "exec env", raw, xml);
1914 for (i = 0; i< tok->tt.execenv.count; i++) {
1916 fprintf(fp, "<env>");
1917 print_string(fp, tok->tt.execenv.text[i],
1918 strlen(tok->tt.execenv.text[i]));
1919 fprintf(fp, "</env>");
1921 print_delim(fp, del);
1922 print_string(fp, tok->tt.execenv.text[i],
1923 strlen(tok->tt.execenv.text[i]));
1927 close_tag(fp, tok->id);
1931 * seconds of time 4 bytes
1932 * milliseconds of time 4 bytes
1933 * file name len 2 bytes
1934 * file pathname N bytes + 1 terminating NULL byte
1937 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1941 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1945 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1949 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1953 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1962 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1963 __unused char sfrm, int xml)
1966 print_tok_type(fp, tok->id, "file", raw, xml);
1968 open_attr(fp, "time");
1969 print_sec32(fp, tok->tt.file.s, raw);
1971 open_attr(fp, "msec");
1972 print_msec32(fp, tok->tt.file.ms, raw);
1975 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1976 close_tag(fp, tok->id);
1978 print_delim(fp, del);
1979 print_sec32(fp, tok->tt.file.s, raw);
1980 print_delim(fp, del);
1981 print_msec32(fp, tok->tt.file.ms, raw);
1982 print_delim(fp, del);
1983 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1988 * number groups 2 bytes
1989 * group list count * 4 bytes
1992 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1997 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
2001 for (i = 0; i<tok->tt.grps.no; i++) {
2002 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2012 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2013 __unused char sfrm, int xml)
2017 print_tok_type(fp, tok->id, "group", raw, xml);
2018 for (i = 0; i < tok->tt.grps.no; i++) {
2020 fprintf(fp, "<gid>");
2021 print_group(fp, tok->tt.grps.list[i], raw);
2022 fprintf(fp, "</gid>");
2023 close_tag(fp, tok->id);
2025 print_delim(fp, del);
2026 print_group(fp, tok->tt.grps.list[i], raw);
2032 * Internet addr 4 bytes
2035 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2039 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2049 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2050 __unused char sfrm, int xml)
2053 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2055 print_ip_address(fp, tok->tt.inaddr.addr);
2056 close_tag(fp, tok->id);
2058 print_delim(fp, del);
2059 print_ip_address(fp, tok->tt.inaddr.addr);
2068 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2072 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2076 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2077 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2078 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2081 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2082 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2083 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2093 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2094 __unused char sfrm, int xml)
2097 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2099 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2100 tok->tt.inaddr_ex.addr);
2101 close_tag(fp, tok->id);
2103 print_delim(fp, del);
2104 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2105 tok->tt.inaddr_ex.addr);
2110 * ip header 20 bytes
2113 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2117 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2121 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2125 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2130 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2135 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2140 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2144 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2148 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2153 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2158 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2167 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2168 __unused char sfrm, int xml)
2171 print_tok_type(fp, tok->id, "ip", raw, xml);
2173 open_attr(fp, "version");
2174 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2177 open_attr(fp, "service_type");
2178 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2180 open_attr(fp, "len");
2181 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2183 open_attr(fp, "id");
2184 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2186 open_attr(fp, "offset");
2187 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2189 open_attr(fp, "time_to_live");
2190 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2192 open_attr(fp, "protocol");
2193 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2195 open_attr(fp, "cksum");
2196 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2198 open_attr(fp, "src_addr");
2199 print_ip_address(fp, tok->tt.ip.src);
2201 open_attr(fp, "dest_addr");
2202 print_ip_address(fp, tok->tt.ip.dest);
2204 close_tag(fp, tok->id);
2206 print_delim(fp, del);
2207 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2209 print_delim(fp, del);
2210 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2211 print_delim(fp, del);
2212 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2213 print_delim(fp, del);
2214 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2215 print_delim(fp, del);
2216 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2217 print_delim(fp, del);
2218 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2219 print_delim(fp, del);
2220 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2221 print_delim(fp, del);
2222 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2223 print_delim(fp, del);
2224 print_ip_address(fp, tok->tt.ip.src);
2225 print_delim(fp, del);
2226 print_ip_address(fp, tok->tt.ip.dest);
2231 * object ID type 1 byte
2235 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2239 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2243 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2251 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2252 __unused char sfrm, int xml)
2255 print_tok_type(fp, tok->id, "IPC", raw, xml);
2257 open_attr(fp, "ipc-type");
2258 print_ipctype(fp, tok->tt.ipc.type, raw);
2260 open_attr(fp, "ipc-id");
2261 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2263 close_tag(fp, tok->id);
2265 print_delim(fp, del);
2266 print_ipctype(fp, tok->tt.ipc.type, raw);
2267 print_delim(fp, del);
2268 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2273 * owner user id 4 bytes
2274 * owner group id 4 bytes
2275 * creator user id 4 bytes
2276 * creator group id 4 bytes
2277 * access mode 4 bytes
2282 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2286 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2290 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2294 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2298 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2302 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2306 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2310 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2318 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2319 __unused char sfrm, int xml)
2322 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2324 open_attr(fp, "uid");
2325 print_user(fp, tok->tt.ipcperm.uid, raw);
2327 open_attr(fp, "gid");
2328 print_group(fp, tok->tt.ipcperm.gid, raw);
2330 open_attr(fp, "creator-uid");
2331 print_user(fp, tok->tt.ipcperm.puid, raw);
2333 open_attr(fp, "creator-gid");
2334 print_group(fp, tok->tt.ipcperm.pgid, raw);
2336 open_attr(fp, "mode");
2337 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2339 open_attr(fp, "seq");
2340 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2342 open_attr(fp, "key");
2343 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2345 close_tag(fp, tok->id);
2347 print_delim(fp, del);
2348 print_user(fp, tok->tt.ipcperm.uid, raw);
2349 print_delim(fp, del);
2350 print_group(fp, tok->tt.ipcperm.gid, raw);
2351 print_delim(fp, del);
2352 print_user(fp, tok->tt.ipcperm.puid, raw);
2353 print_delim(fp, del);
2354 print_group(fp, tok->tt.ipcperm.pgid, raw);
2355 print_delim(fp, del);
2356 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2357 print_delim(fp, del);
2358 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2359 print_delim(fp, del);
2360 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2365 * port Ip address 2 bytes
2368 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2372 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2381 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2382 __unused char sfrm, int xml)
2385 print_tok_type(fp, tok->id, "ip port", raw, xml);
2387 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2388 close_tag(fp, tok->id);
2390 print_delim(fp, del);
2391 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2400 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2404 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2408 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2417 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2418 __unused char sfrm, int xml)
2421 print_tok_type(fp, tok->id, "opaque", raw, xml);
2423 print_mem(fp, (u_char*)tok->tt.opaque.data,
2424 tok->tt.opaque.size);
2425 close_tag(fp, tok->id);
2427 print_delim(fp, del);
2428 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2429 print_delim(fp, del);
2430 print_mem(fp, (u_char*)tok->tt.opaque.data,
2431 tok->tt.opaque.size);
2440 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2444 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2448 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2457 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2458 __unused char sfrm, int xml)
2461 print_tok_type(fp, tok->id, "path", raw, xml);
2463 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2464 close_tag(fp, tok->id);
2466 print_delim(fp, del);
2467 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2482 * machine id 4 bytes
2485 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2489 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2493 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2497 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2501 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2505 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2509 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2513 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2517 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2521 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2522 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2530 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2531 __unused char sfrm, int xml)
2534 print_tok_type(fp, tok->id, "process", raw, xml);
2536 open_attr(fp, "audit-uid");
2537 print_user(fp, tok->tt.proc32.auid, raw);
2539 open_attr(fp, "uid");
2540 print_user(fp, tok->tt.proc32.euid, raw);
2542 open_attr(fp, "gid");
2543 print_group(fp, tok->tt.proc32.egid, raw);
2545 open_attr(fp, "ruid");
2546 print_user(fp, tok->tt.proc32.ruid, raw);
2548 open_attr(fp, "rgid");
2549 print_group(fp, tok->tt.proc32.rgid, raw);
2551 open_attr(fp, "pid");
2552 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2554 open_attr(fp, "sid");
2555 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2557 open_attr(fp, "tid");
2558 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2559 print_ip_address(fp, tok->tt.proc32.tid.addr);
2561 close_tag(fp, tok->id);
2563 print_delim(fp, del);
2564 print_user(fp, tok->tt.proc32.auid, raw);
2565 print_delim(fp, del);
2566 print_user(fp, tok->tt.proc32.euid, raw);
2567 print_delim(fp, del);
2568 print_group(fp, tok->tt.proc32.egid, raw);
2569 print_delim(fp, del);
2570 print_user(fp, tok->tt.proc32.ruid, raw);
2571 print_delim(fp, del);
2572 print_group(fp, tok->tt.proc32.rgid, raw);
2573 print_delim(fp, del);
2574 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2575 print_delim(fp, del);
2576 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2577 print_delim(fp, del);
2578 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2579 print_delim(fp, del);
2580 print_ip_address(fp, tok->tt.proc32.tid.addr);
2595 * machine id 4 bytes
2598 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2602 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2606 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2610 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2614 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2618 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2622 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2626 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2630 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2634 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2635 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2643 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2644 __unused char sfrm, int xml)
2646 print_tok_type(fp, tok->id, "process", raw, xml);
2648 open_attr(fp, "audit-uid");
2649 print_user(fp, tok->tt.proc64.auid, raw);
2651 open_attr(fp, "uid");
2652 print_user(fp, tok->tt.proc64.euid, raw);
2654 open_attr(fp, "gid");
2655 print_group(fp, tok->tt.proc64.egid, raw);
2657 open_attr(fp, "ruid");
2658 print_user(fp, tok->tt.proc64.ruid, raw);
2660 open_attr(fp, "rgid");
2661 print_group(fp, tok->tt.proc64.rgid, raw);
2663 open_attr(fp, "pid");
2664 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2666 open_attr(fp, "sid");
2667 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2669 open_attr(fp, "tid");
2670 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2671 print_ip_address(fp, tok->tt.proc64.tid.addr);
2673 close_tag(fp, tok->id);
2675 print_delim(fp, del);
2676 print_user(fp, tok->tt.proc64.auid, raw);
2677 print_delim(fp, del);
2678 print_user(fp, tok->tt.proc64.euid, raw);
2679 print_delim(fp, del);
2680 print_group(fp, tok->tt.proc64.egid, raw);
2681 print_delim(fp, del);
2682 print_user(fp, tok->tt.proc64.ruid, raw);
2683 print_delim(fp, del);
2684 print_group(fp, tok->tt.proc64.rgid, raw);
2685 print_delim(fp, del);
2686 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2687 print_delim(fp, del);
2688 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2689 print_delim(fp, del);
2690 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2691 print_delim(fp, del);
2692 print_ip_address(fp, tok->tt.proc64.tid.addr);
2699 * effective user ID 4 bytes
2700 * effective group ID 4 bytes
2701 * real user ID 4 bytes
2702 * real group ID 4 bytes
2703 * process ID 4 bytes
2704 * session ID 4 bytes
2707 * address type-len 4 bytes
2708 * machine address 16 bytes
2711 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2715 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2719 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2723 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2727 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2731 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2735 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2739 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2748 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2753 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2754 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2755 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2758 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2759 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2760 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2770 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2771 __unused char sfrm, int xml)
2774 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2776 open_attr(fp, "audit-uid");
2777 print_user(fp, tok->tt.proc32_ex.auid, raw);
2779 open_attr(fp, "uid");
2780 print_user(fp, tok->tt.proc32_ex.euid, raw);
2782 open_attr(fp, "gid");
2783 print_group(fp, tok->tt.proc32_ex.egid, raw);
2785 open_attr(fp, "ruid");
2786 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2788 open_attr(fp, "rgid");
2789 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2791 open_attr(fp, "pid");
2792 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2794 open_attr(fp, "sid");
2795 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2797 open_attr(fp, "tid");
2798 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2799 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2800 tok->tt.proc32_ex.tid.addr);
2802 close_tag(fp, tok->id);
2804 print_delim(fp, del);
2805 print_user(fp, tok->tt.proc32_ex.auid, raw);
2806 print_delim(fp, del);
2807 print_user(fp, tok->tt.proc32_ex.euid, raw);
2808 print_delim(fp, del);
2809 print_group(fp, tok->tt.proc32_ex.egid, raw);
2810 print_delim(fp, del);
2811 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2812 print_delim(fp, del);
2813 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2814 print_delim(fp, del);
2815 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2816 print_delim(fp, del);
2817 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2818 print_delim(fp, del);
2819 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2820 print_delim(fp, del);
2821 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2822 tok->tt.proc32_ex.tid.addr);
2829 * effective user ID 4 bytes
2830 * effective group ID 4 bytes
2831 * real user ID 4 bytes
2832 * real group ID 4 bytes
2833 * process ID 4 bytes
2834 * session ID 4 bytes
2837 * address type-len 4 bytes
2838 * machine address 16 bytes
2841 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2845 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2849 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2853 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2857 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2861 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2865 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2869 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2873 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2878 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2883 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2884 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2885 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2888 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2889 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2890 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2900 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2901 __unused char sfrm, int xml)
2903 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2905 open_attr(fp, "audit-uid");
2906 print_user(fp, tok->tt.proc64_ex.auid, raw);
2908 open_attr(fp, "uid");
2909 print_user(fp, tok->tt.proc64_ex.euid, raw);
2911 open_attr(fp, "gid");
2912 print_group(fp, tok->tt.proc64_ex.egid, raw);
2914 open_attr(fp, "ruid");
2915 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2917 open_attr(fp, "rgid");
2918 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2920 open_attr(fp, "pid");
2921 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2923 open_attr(fp, "sid");
2924 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2926 open_attr(fp, "tid");
2927 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2928 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2929 tok->tt.proc64_ex.tid.addr);
2931 close_tag(fp, tok->id);
2933 print_delim(fp, del);
2934 print_user(fp, tok->tt.proc64_ex.auid, raw);
2935 print_delim(fp, del);
2936 print_user(fp, tok->tt.proc64_ex.euid, raw);
2937 print_delim(fp, del);
2938 print_group(fp, tok->tt.proc64_ex.egid, raw);
2939 print_delim(fp, del);
2940 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2941 print_delim(fp, del);
2942 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2943 print_delim(fp, del);
2944 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2945 print_delim(fp, del);
2946 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2947 print_delim(fp, del);
2948 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2949 print_delim(fp, del);
2950 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2951 tok->tt.proc64_ex.tid.addr);
2957 * return value 4 bytes
2960 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2964 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2968 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2976 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2977 __unused char sfrm, int xml)
2980 print_tok_type(fp, tok->id, "return", raw, xml);
2982 open_attr(fp ,"errval");
2983 print_retval(fp, tok->tt.ret32.status, raw);
2985 open_attr(fp, "retval");
2986 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2988 close_tag(fp, tok->id);
2990 print_delim(fp, del);
2991 print_retval(fp, tok->tt.ret32.status, raw);
2992 print_delim(fp, del);
2993 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2998 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
3002 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3006 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3014 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3015 __unused char sfrm, int xml)
3018 print_tok_type(fp, tok->id, "return", raw, xml);
3020 open_attr(fp, "errval");
3021 print_retval(fp, tok->tt.ret64.err, raw);
3023 open_attr(fp, "retval");
3024 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3026 close_tag(fp, tok->id);
3028 print_delim(fp, del);
3029 print_retval(fp, tok->tt.ret64.err, raw);
3030 print_delim(fp, del);
3031 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3039 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3043 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3051 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3052 __unused char sfrm, int xml)
3055 print_tok_type(fp, tok->id, "sequence", raw, xml);
3057 open_attr(fp, "seq-num");
3058 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3060 close_tag(fp, tok->id);
3062 print_delim(fp, del);
3063 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3068 * socket family 2 bytes
3069 * local port 2 bytes
3070 * socket address 4 bytes
3073 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3077 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3082 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3083 sizeof(uint16_t), tok->len, err);
3087 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3088 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3096 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3097 __unused char sfrm, int xml)
3100 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3102 open_attr(fp, "type");
3103 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3105 open_attr(fp, "port");
3106 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3108 open_attr(fp, "addr");
3109 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3111 close_tag(fp, tok->id);
3113 print_delim(fp, del);
3114 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3115 print_delim(fp, del);
3116 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3117 print_delim(fp, del);
3118 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3123 * socket family 2 bytes
3124 * local port 2 bytes
3125 * socket address 16 bytes
3128 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3132 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3137 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3138 sizeof(uint16_t), tok->len, err);
3142 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3143 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3151 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3152 __unused char sfrm, int xml)
3155 print_tok_type(fp, tok->id, "socket-inet6", raw, xml);
3157 open_attr(fp, "type");
3158 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3160 open_attr(fp, "port");
3161 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3163 open_attr(fp, "addr");
3164 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3166 close_tag(fp, tok->id);
3168 print_delim(fp, del);
3169 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3170 print_delim(fp, del);
3171 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3172 print_delim(fp, del);
3173 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3178 * socket family 2 bytes
3179 * path (up to) 104 bytes + NULL (NULL terminated string).
3182 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3189 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3193 /* slen = strnlen((buf + tok->len), 104) + 1; */
3194 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3195 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1;
3197 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3205 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3206 __unused char sfrm, int xml)
3209 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3211 open_attr(fp, "type");
3212 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3214 open_attr(fp, "port");
3216 open_attr(fp, "addr");
3217 print_string(fp, tok->tt.sockunix.path,
3218 strlen(tok->tt.sockunix.path));
3220 close_tag(fp, tok->id);
3222 print_delim(fp, del);
3223 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3224 print_delim(fp, del);
3225 print_string(fp, tok->tt.sockunix.path,
3226 strlen(tok->tt.sockunix.path));
3231 * socket type 2 bytes
3232 * local port 2 bytes
3233 * local address 4 bytes
3234 * remote port 2 bytes
3235 * remote address 4 bytes
3238 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3242 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3246 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3251 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3252 sizeof(tok->tt.socket.l_addr), tok->len, err);
3256 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3261 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3262 sizeof(tok->tt.socket.r_addr), tok->len, err);
3270 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3271 __unused char sfrm, int xml)
3274 print_tok_type(fp, tok->id, "socket", raw, xml);
3276 open_attr(fp, "sock_type");
3277 print_2_bytes(fp, tok->tt.socket.type, "%u");
3279 open_attr(fp, "lport");
3280 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3282 open_attr(fp, "laddr");
3283 print_ip_address(fp, tok->tt.socket.l_addr);
3285 open_attr(fp, "fport");
3286 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3288 open_attr(fp, "faddr");
3289 print_ip_address(fp, tok->tt.socket.r_addr);
3291 close_tag(fp, tok->id);
3293 print_delim(fp, del);
3294 print_2_bytes(fp, tok->tt.socket.type, "%u");
3295 print_delim(fp, del);
3296 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3297 print_delim(fp, del);
3298 print_ip_address(fp, tok->tt.socket.l_addr);
3299 print_delim(fp, del);
3300 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3301 print_delim(fp, del);
3302 print_ip_address(fp, tok->tt.socket.r_addr);
3315 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3316 * machine id 4 bytes
3319 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3323 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3327 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3331 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3335 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3339 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3343 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3347 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3351 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3355 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3356 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3364 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3365 __unused char sfrm, int xml)
3368 print_tok_type(fp, tok->id, "subject", raw, xml);
3370 open_attr(fp, "audit-uid");
3371 print_user(fp, tok->tt.subj32.auid, raw);
3373 open_attr(fp, "uid");
3374 print_user(fp, tok->tt.subj32.euid, raw);
3376 open_attr(fp, "gid");
3377 print_group(fp, tok->tt.subj32.egid, raw);
3379 open_attr(fp, "ruid");
3380 print_user(fp, tok->tt.subj32.ruid, raw);
3382 open_attr(fp, "rgid");
3383 print_group(fp, tok->tt.subj32.rgid, raw);
3385 open_attr(fp,"pid");
3386 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3388 open_attr(fp,"sid");
3389 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3391 open_attr(fp,"tid");
3392 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3393 print_ip_address(fp, tok->tt.subj32.tid.addr);
3395 close_tag(fp, tok->id);
3397 print_delim(fp, del);
3398 print_user(fp, tok->tt.subj32.auid, raw);
3399 print_delim(fp, del);
3400 print_user(fp, tok->tt.subj32.euid, raw);
3401 print_delim(fp, del);
3402 print_group(fp, tok->tt.subj32.egid, raw);
3403 print_delim(fp, del);
3404 print_user(fp, tok->tt.subj32.ruid, raw);
3405 print_delim(fp, del);
3406 print_group(fp, tok->tt.subj32.rgid, raw);
3407 print_delim(fp, del);
3408 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3409 print_delim(fp, del);
3410 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3411 print_delim(fp, del);
3412 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3413 print_delim(fp, del);
3414 print_ip_address(fp, tok->tt.subj32.tid.addr);
3427 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3428 * machine id 4 bytes
3431 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3435 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3439 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3443 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3447 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3451 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3455 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3459 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3463 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3467 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3468 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3476 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3477 __unused char sfrm, int xml)
3480 print_tok_type(fp, tok->id, "subject", raw, xml);
3482 open_attr(fp, "audit-uid");
3483 print_user(fp, tok->tt.subj64.auid, raw);
3485 open_attr(fp, "uid");
3486 print_user(fp, tok->tt.subj64.euid, raw);
3488 open_attr(fp, "gid");
3489 print_group(fp, tok->tt.subj64.egid, raw);
3491 open_attr(fp, "ruid");
3492 print_user(fp, tok->tt.subj64.ruid, raw);
3494 open_attr(fp, "rgid");
3495 print_group(fp, tok->tt.subj64.rgid, raw);
3497 open_attr(fp, "pid");
3498 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3500 open_attr(fp, "sid");
3501 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3503 open_attr(fp, "tid");
3504 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3505 print_ip_address(fp, tok->tt.subj64.tid.addr);
3507 close_tag(fp, tok->id);
3509 print_delim(fp, del);
3510 print_user(fp, tok->tt.subj64.auid, raw);
3511 print_delim(fp, del);
3512 print_user(fp, tok->tt.subj64.euid, raw);
3513 print_delim(fp, del);
3514 print_group(fp, tok->tt.subj64.egid, raw);
3515 print_delim(fp, del);
3516 print_user(fp, tok->tt.subj64.ruid, raw);
3517 print_delim(fp, del);
3518 print_group(fp, tok->tt.subj64.rgid, raw);
3519 print_delim(fp, del);
3520 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3521 print_delim(fp, del);
3522 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3523 print_delim(fp, del);
3524 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3525 print_delim(fp, del);
3526 print_ip_address(fp, tok->tt.subj64.tid.addr);
3541 * machine id 16 bytes
3544 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3548 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3552 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3556 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3560 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3564 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3568 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3572 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3576 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3581 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3586 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3587 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3588 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3591 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3592 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3593 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3603 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3604 __unused char sfrm, int xml)
3607 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3609 open_attr(fp, "audit-uid");
3610 print_user(fp, tok->tt.subj32_ex.auid, raw);
3612 open_attr(fp, "uid");
3613 print_user(fp, tok->tt.subj32_ex.euid, raw);
3615 open_attr(fp, "gid");
3616 print_group(fp, tok->tt.subj32_ex.egid, raw);
3618 open_attr(fp, "ruid");
3619 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3621 open_attr(fp, "rgid");
3622 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3624 open_attr(fp, "pid");
3625 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3627 open_attr(fp, "sid");
3628 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3630 open_attr(fp, "tid");
3631 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3632 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3633 tok->tt.subj32_ex.tid.addr);
3635 close_tag(fp, tok->id);
3637 print_delim(fp, del);
3638 print_user(fp, tok->tt.subj32_ex.auid, raw);
3639 print_delim(fp, del);
3640 print_user(fp, tok->tt.subj32_ex.euid, raw);
3641 print_delim(fp, del);
3642 print_group(fp, tok->tt.subj32_ex.egid, raw);
3643 print_delim(fp, del);
3644 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3645 print_delim(fp, del);
3646 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3647 print_delim(fp, del);
3648 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3649 print_delim(fp, del);
3650 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3651 print_delim(fp, del);
3652 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3653 print_delim(fp, del);
3654 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3655 tok->tt.subj32_ex.tid.addr);
3670 * machine id 16 bytes
3673 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3677 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3681 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3685 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3689 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3693 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3697 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3701 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3705 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3710 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3715 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3716 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3717 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3720 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3721 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3722 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3732 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3733 __unused char sfrm, int xml)
3735 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3737 open_attr(fp, "audit-uid");
3738 print_user(fp, tok->tt.subj64_ex.auid, raw);
3740 open_attr(fp, "uid");
3741 print_user(fp, tok->tt.subj64_ex.euid, raw);
3743 open_attr(fp, "gid");
3744 print_group(fp, tok->tt.subj64_ex.egid, raw);
3746 open_attr(fp, "ruid");
3747 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3749 open_attr(fp, "rgid");
3750 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3752 open_attr(fp, "pid");
3753 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3755 open_attr(fp, "sid");
3756 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3758 open_attr(fp, "tid");
3759 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3760 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3761 tok->tt.subj64_ex.tid.addr);
3763 close_tag(fp, tok->id);
3765 print_delim(fp, del);
3766 print_user(fp, tok->tt.subj64_ex.auid, raw);
3767 print_delim(fp, del);
3768 print_user(fp, tok->tt.subj64_ex.euid, raw);
3769 print_delim(fp, del);
3770 print_group(fp, tok->tt.subj64_ex.egid, raw);
3771 print_delim(fp, del);
3772 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3773 print_delim(fp, del);
3774 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3775 print_delim(fp, del);
3776 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3777 print_delim(fp, del);
3778 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3779 print_delim(fp, del);
3780 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3781 print_delim(fp, del);
3782 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3783 tok->tt.subj64_ex.tid.addr);
3792 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3796 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3800 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3809 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3810 __unused char sfrm, int xml)
3813 print_tok_type(fp, tok->id, "text", raw, xml);
3815 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3816 close_tag(fp, tok->id);
3818 print_delim(fp, del);
3819 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3824 * socket domain 2 bytes
3825 * socket type 2 bytes
3826 * address type 2 bytes
3827 * local port 2 bytes
3828 * local Internet address 4/16 bytes
3829 * remote port 2 bytes
3830 * remote Internet address 4/16 bytes
3833 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3837 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3842 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3847 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3852 if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3853 tok->tt.socket_ex32.atype != AU_IPv6)
3856 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3857 sizeof(uint16_t), tok->len, err);
3861 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3862 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3863 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3867 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3868 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3873 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3874 sizeof(uint16_t), tok->len, err);
3878 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3879 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3880 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
3884 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3885 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3894 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3895 __unused char sfrm, int xml)
3899 * This print routine prints BSM constant space domains and socket
3900 * types rather than converting them. If we add string printers for
3901 * these constants in the future, we may want to call conversion
3904 print_tok_type(fp, tok->id, "socket", raw, xml);
3906 open_attr(fp, "sock_dom");
3907 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
3909 open_attr(fp, "sock_type");
3910 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3912 open_attr(fp, "lport");
3913 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3915 open_attr(fp, "laddr");
3916 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3917 tok->tt.socket_ex32.l_addr);
3919 open_attr(fp, "faddr");
3920 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3921 tok->tt.socket_ex32.r_addr);
3923 open_attr(fp, "fport");
3924 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3926 close_tag(fp, tok->id);
3928 print_delim(fp, del);
3929 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
3930 print_delim(fp, del);
3931 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3932 print_delim(fp, del);
3933 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3934 print_delim(fp, del);
3935 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3936 tok->tt.socket_ex32.l_addr);
3937 print_delim(fp, del);
3938 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3939 print_delim(fp, del);
3940 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
3941 tok->tt.socket_ex32.r_addr);
3946 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3951 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3952 if (recoversize <= 0)
3955 tok->tt.invalid.length = recoversize;
3957 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3966 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3967 __unused char sfrm, int xml)
3971 print_tok_type(fp, tok->id, "unknown", raw, 0);
3972 print_delim(fp, del);
3973 print_mem(fp, (u_char*)tok->tt.invalid.data,
3974 tok->tt.invalid.length);
3981 * zonename size bytes;
3984 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
3988 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3991 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3999 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
4000 __unused char sfrm, int xml)
4003 print_tok_type(fp, tok->id, "zone", raw, xml);
4005 open_attr(fp, "name");
4006 print_string(fp, tok->tt.zonename.zonename,
4007 tok->tt.zonename.len);
4009 close_tag(fp, tok->id);
4011 print_delim(fp, del);
4012 print_string(fp, tok->tt.zonename.zonename,
4013 tok->tt.zonename.len);
4018 * Reads the token beginning at buf into tok.
4021 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4033 return (fetch_header32_tok(tok, buf, len));
4035 case AUT_HEADER32_EX:
4036 return (fetch_header32_ex_tok(tok, buf, len));
4039 return (fetch_header64_tok(tok, buf, len));
4041 case AUT_HEADER64_EX:
4042 return (fetch_header64_ex_tok(tok, buf, len));
4045 return (fetch_trailer_tok(tok, buf, len));
4048 return (fetch_arg32_tok(tok, buf, len));
4051 return (fetch_arg64_tok(tok, buf, len));
4054 return (fetch_attr32_tok(tok, buf, len));
4057 return (fetch_attr64_tok(tok, buf, len));
4060 return (fetch_exit_tok(tok, buf, len));
4063 return (fetch_execarg_tok(tok, buf, len));
4066 return (fetch_execenv_tok(tok, buf, len));
4068 case AUT_OTHER_FILE32:
4069 return (fetch_file_tok(tok, buf, len));
4072 return (fetch_newgroups_tok(tok, buf, len));
4075 return (fetch_inaddr_tok(tok, buf, len));
4077 case AUT_IN_ADDR_EX:
4078 return (fetch_inaddr_ex_tok(tok, buf, len));
4081 return (fetch_ip_tok(tok, buf, len));
4084 return (fetch_ipc_tok(tok, buf, len));
4087 return (fetch_ipcperm_tok(tok, buf, len));
4090 return (fetch_iport_tok(tok, buf, len));
4093 return (fetch_opaque_tok(tok, buf, len));
4096 return (fetch_path_tok(tok, buf, len));
4099 return (fetch_process32_tok(tok, buf, len));
4101 case AUT_PROCESS32_EX:
4102 return (fetch_process32ex_tok(tok, buf, len));
4105 return (fetch_process64_tok(tok, buf, len));
4107 case AUT_PROCESS64_EX:
4108 return (fetch_process64ex_tok(tok, buf, len));
4111 return (fetch_return32_tok(tok, buf, len));
4114 return (fetch_return64_tok(tok, buf, len));
4117 return (fetch_seq_tok(tok, buf, len));
4120 return (fetch_socket_tok(tok, buf, len));
4122 case AUT_SOCKINET32:
4123 return (fetch_sock_inet32_tok(tok, buf, len));
4126 return (fetch_sock_unix_tok(tok, buf, len));
4128 case AUT_SOCKINET128:
4129 return (fetch_sock_inet128_tok(tok, buf, len));
4132 return (fetch_subject32_tok(tok, buf, len));
4134 case AUT_SUBJECT32_EX:
4135 return (fetch_subject32ex_tok(tok, buf, len));
4138 return (fetch_subject64_tok(tok, buf, len));
4140 case AUT_SUBJECT64_EX:
4141 return (fetch_subject64ex_tok(tok, buf, len));
4144 return (fetch_text_tok(tok, buf, len));
4147 return (fetch_socketex32_tok(tok, buf, len));
4150 return (fetch_arb_tok(tok, buf, len));
4153 return (fetch_zonename_tok(tok, buf, len));
4156 return (fetch_invalid_tok(tok, buf, len));
4161 * 'prints' the token out to outfp.
4164 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4169 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4172 case AUT_HEADER32_EX:
4173 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4177 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4180 case AUT_HEADER64_EX:
4181 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4185 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4189 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4193 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4197 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4201 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4205 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4209 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4213 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4217 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4220 case AUT_OTHER_FILE32:
4221 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4225 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4229 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4232 case AUT_IN_ADDR_EX:
4233 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4237 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4241 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4245 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4249 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4253 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4257 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4261 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4264 case AUT_PROCESS32_EX:
4265 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4269 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4272 case AUT_PROCESS64_EX:
4273 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4277 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4281 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4285 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4289 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4292 case AUT_SOCKINET32:
4293 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4297 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4300 case AUT_SOCKINET128:
4301 print_sock_inet128_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4305 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4309 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4312 case AUT_SUBJECT32_EX:
4313 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4316 case AUT_SUBJECT64_EX:
4317 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4321 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4325 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4329 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4333 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4338 * 'prints' the token out to outfp in XML format.
4341 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4347 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4350 case AUT_HEADER32_EX:
4351 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4355 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4358 case AUT_HEADER64_EX:
4359 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4363 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4367 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4371 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4375 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4379 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4383 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4387 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4391 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4395 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4398 case AUT_OTHER_FILE32:
4399 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4403 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4407 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4410 case AUT_IN_ADDR_EX:
4411 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4415 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4419 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4423 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4427 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4431 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4435 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4439 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4442 case AUT_PROCESS32_EX:
4443 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4447 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4450 case AUT_PROCESS64_EX:
4451 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4455 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4459 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4463 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4467 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4470 case AUT_SOCKINET32:
4471 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4475 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4479 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4483 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4486 case AUT_SUBJECT32_EX:
4487 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4490 case AUT_SUBJECT64_EX:
4491 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4495 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4499 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4503 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4507 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4512 * Read a record from the file pointer, store data in buf memory for buf is
4513 * also allocated in this function and has to be free'd outside this call.
4515 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4516 * complete audit record.
4518 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4519 * state, because it will be partly offset into a record. We should rewind
4520 * or do something more intelligent. Particularly interesting is the case
4521 * where we perform a partial read of a record from a non-blockable file
4522 * descriptor. We should return the partial read and continue...?
4525 au_read_rec(FILE *fp, u_char **buf)
4529 u_int32_t bytestoread;
4532 u_int32_t sec, msec;
4533 u_int16_t filenamelen;
4539 case AUT_HEADER32_EX:
4541 case AUT_HEADER64_EX:
4542 /* read the record size from the token */
4543 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4544 sizeof(u_int32_t)) {
4548 recsize = be32toh(recsize);
4550 /* Check for recsize sanity */
4551 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4556 *buf = malloc(recsize * sizeof(u_char));
4560 memset(bptr, 0, recsize);
4562 /* store the token contents already read, back to the buffer*/
4565 be32enc(bptr, recsize);
4566 bptr += sizeof(u_int32_t);
4568 /* now read remaining record bytes */
4569 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4571 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4578 case AUT_OTHER_FILE32:
4580 * The file token is variable-length, as it includes a
4581 * pathname. As a result, we have to read incrementally
4582 * until we know the total length, then allocate space and
4585 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4589 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4593 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4594 sizeof(filenamelen)) {
4598 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4599 sizeof(filenamelen) + ntohs(filenamelen);
4600 *buf = malloc(recsize);
4605 bcopy(&type, bptr, sizeof(type));
4606 bptr += sizeof(type);
4607 bcopy(&sec, bptr, sizeof(sec));
4608 bptr += sizeof(sec);
4609 bcopy(&msec, bptr, sizeof(msec));
4610 bptr += sizeof(msec);
4611 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4612 bptr += sizeof(filenamelen);
4614 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4615 ntohs(filenamelen)) {