2 * Copyright (c) 2004 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#55 $
38 #include <sys/types.h>
40 #include <config/config.h>
41 #ifdef HAVE_SYS_ENDIAN_H
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
62 #include <sys/socket.h>
64 #include <bsm/libbsm.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
77 #include <bsm/audit_internal.h>
79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if ((bytesread) + (size) > (u_int32_t)(len)) { \
83 memcpy((dest), (buf) + (bytesread), (size)); \
88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
90 (dest) = buf[(bytesread)]; \
91 (bytesread) += sizeof(u_char); \
96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
98 (dest) = be16dec((buf) + (bytesread)); \
99 (bytesread) += sizeof(u_int16_t); \
104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
106 (dest) = be32dec((buf) + (bytesread)); \
107 (bytesread) += sizeof(u_int32_t); \
112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
114 dest = be64dec((buf) + (bytesread)); \
115 (bytesread) += sizeof(u_int64_t); \
120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (u_int32_t)(len)) \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
136 * Prints the delimiter string.
139 print_delim(FILE *fp, const char *del)
142 fprintf(fp, "%s", del);
146 * Prints a single byte in the given format.
149 print_1_byte(FILE *fp, u_char val, const char *format)
152 fprintf(fp, format, val);
156 * Print 2 bytes in the given format.
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
162 fprintf(fp, format, val);
166 * Prints 4 bytes in the given format.
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
172 fprintf(fp, format, val);
176 * Prints 8 bytes in the given format.
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
182 fprintf(fp, format, val);
186 * Prints the given size of data bytes in hex.
189 print_mem(FILE *fp, u_char *data, size_t len)
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%x", data[i]);
201 * Prints the given data bytes as a string.
204 print_string(FILE *fp, const char *str, size_t len)
209 for (i = 0; i < len; i++) {
211 fprintf(fp, "%c", str[i]);
217 * Prints the beggining of attribute.
220 open_attr(FILE *fp, const char *str)
223 fprintf(fp,"%s=\"", str);
227 * Prints the end of attribute.
237 * Prints the end of tag.
240 close_tag(FILE *fp, u_char type)
248 case AUT_HEADER32_EX:
256 case AUT_HEADER64_EX:
281 fprintf(fp, "</exec_args>");
285 fprintf(fp, "</exec_env>");
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
293 fprintf(fp, "</group>");
297 fprintf(fp, "</ip_address>");
301 fprintf(fp, "</ip_address>");
317 fprintf(fp, "</ip_port>");
321 fprintf(fp, "</opaque>");
325 fprintf(fp, "</path>");
332 case AUT_PROCESS32_EX:
340 case AUT_PROCESS64_EX:
376 case AUT_SUBJECT32_EX:
380 case AUT_SUBJECT64_EX:
385 fprintf(fp, "</text>");
393 fprintf(fp, "</arbitrary>");
403 * Prints the token type in either the raw or the default form.
406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
412 fprintf(fp, "<record ");
415 case AUT_HEADER32_EX:
416 fprintf(fp, "<record ");
420 fprintf(fp, "<record ");
423 case AUT_HEADER64_EX:
424 fprintf(fp, "<record ");
428 fprintf(fp, "</record>");
432 fprintf(fp, "<argument ");
436 fprintf(fp, "<argument ");
440 fprintf(fp, "<attribute ");
444 fprintf(fp, "<attribute ");
448 fprintf(fp, "<exit ");
452 fprintf(fp, "<exec_args>");
456 fprintf(fp, "<exec_env>");
459 case AUT_OTHER_FILE32:
460 fprintf(fp, "<file ");
464 fprintf(fp, "<group>");
468 fprintf(fp, "<ip_address>");
472 fprintf(fp, "<ip_address>");
484 fprintf(fp, "<IPC_perm ");
488 fprintf(fp, "<ip_port>");
492 fprintf(fp, "<opaque>");
496 fprintf(fp, "<path>");
500 fprintf(fp, "<process ");
503 case AUT_PROCESS32_EX:
504 fprintf(fp, "<process ");
508 fprintf(fp, "<process ");
511 case AUT_PROCESS64_EX:
512 fprintf(fp, "<process ");
516 fprintf(fp, "<return ");
520 fprintf(fp, "<return ");
524 fprintf(fp, "<sequence ");
528 fprintf(fp, "<socket ");
532 fprintf(fp, "<old_socket");
536 fprintf(fp, "<old_socket");
540 fprintf(fp, "<subject ");
544 fprintf(fp, "<subject ");
547 case AUT_SUBJECT32_EX:
548 fprintf(fp, "<subject ");
551 case AUT_SUBJECT64_EX:
552 fprintf(fp, "<subject ");
556 fprintf(fp, "<text>");
560 fprintf(fp, "<socket ");
564 fprintf(fp, "<arbitrary ");
568 fprintf(fp, "<zone ");
573 fprintf(fp, "%u", type);
575 fprintf(fp, "%s", tokname);
580 * Prints a user value.
583 print_user(FILE *fp, u_int32_t usr, char raw)
585 struct passwd *pwent;
588 fprintf(fp, "%d", usr);
590 pwent = getpwuid(usr);
592 fprintf(fp, "%s", pwent->pw_name);
594 fprintf(fp, "%d", usr);
599 * Prints a group value.
602 print_group(FILE *fp, u_int32_t grp, char raw)
604 struct group *grpent;
607 fprintf(fp, "%d", grp);
609 grpent = getgrgid(grp);
611 fprintf(fp, "%s", grpent->gr_name);
613 fprintf(fp, "%d", grp);
618 * Prints the event from the header token in either the short, default or raw
622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
624 char event_ent_name[AU_EVENT_NAME_MAX];
625 char event_ent_desc[AU_EVENT_DESC_MAX];
626 struct au_event_ent e, *ep;
628 bzero(&e, sizeof(e));
629 bzero(event_ent_name, sizeof(event_ent_name));
630 bzero(event_ent_desc, sizeof(event_ent_desc));
631 e.ae_name = event_ent_name;
632 e.ae_desc = event_ent_desc;
634 ep = getauevnum_r(&e, ev);
636 fprintf(fp, "%u", ev);
641 fprintf(fp, "%u", ev);
643 fprintf(fp, "%s", e.ae_name);
645 fprintf(fp, "%s", e.ae_desc);
650 * Prints the event modifier from the header token in either the default or
654 print_evmod(FILE *fp, u_int16_t evmod, char raw)
657 fprintf(fp, "%u", evmod);
659 fprintf(fp, "%u", evmod);
663 * Prints seconds in the ctime format.
666 print_sec32(FILE *fp, u_int32_t sec, char raw)
672 fprintf(fp, "%u", sec);
674 timestamp = (time_t)sec;
675 ctime_r(×tamp, timestr);
676 timestr[24] = '\0'; /* No new line */
677 fprintf(fp, "%s", timestr);
682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683 * assume a 32-bit time_t, we simply truncate for now.
686 print_sec64(FILE *fp, u_int64_t sec, char raw)
692 fprintf(fp, "%u", (u_int32_t)sec);
694 timestamp = (time_t)sec;
695 ctime_r(×tamp, timestr);
696 timestr[24] = '\0'; /* No new line */
697 fprintf(fp, "%s", timestr);
702 * Prints the excess milliseconds.
705 print_msec32(FILE *fp, u_int32_t msec, char raw)
708 fprintf(fp, "%u", msec);
710 fprintf(fp, " + %u msec", msec);
714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715 * a 32-bit msec, we simply truncate for now.
718 print_msec64(FILE *fp, u_int64_t msec, char raw)
723 fprintf(fp, "%u", (u_int32_t)msec);
725 fprintf(fp, " + %u msec", (u_int32_t)msec);
729 * Prints a dotted form for the IP address.
732 print_ip_address(FILE *fp, u_int32_t ip)
734 struct in_addr ipaddr;
737 fprintf(fp, "%s", inet_ntoa(ipaddr));
741 * Prints a string value for the given ip address.
744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
747 struct in6_addr ipv6;
748 char dst[INET6_ADDRSTRLEN];
752 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
758 bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
764 fprintf(fp, "invalid");
769 * Prints return value as success or failure.
772 print_retval(FILE *fp, u_char status, char raw)
775 fprintf(fp, "%u", status);
778 fprintf(fp, "success");
780 fprintf(fp, "failure : %s", strerror(status));
785 * Prints the exit value.
788 print_errval(FILE *fp, u_int32_t val)
791 fprintf(fp, "Error %u", val);
798 print_ipctype(FILE *fp, u_char type, char raw)
801 fprintf(fp, "%u", type);
803 if (type == AT_IPC_MSG)
804 fprintf(fp, "Message IPC");
805 else if (type == AT_IPC_SEM)
806 fprintf(fp, "Semaphore IPC");
807 else if (type == AT_IPC_SHM)
808 fprintf(fp, "Shared Memory IPC");
810 fprintf(fp, "%u", type);
818 au_print_xml_header(FILE *outfp)
821 fprintf(outfp, "<?xml version='1.0' ?>\n");
822 fprintf(outfp, "<audit>\n");
829 au_print_xml_footer(FILE *outfp)
832 fprintf(outfp, "</audit>\n");
836 * record byte count 4 bytes
837 * version # 1 byte [2]
839 * event modifier 2 bytes
840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
880 print_tok_type(fp, tok->id, "header", raw, xml);
882 open_attr(fp, "version");
883 print_1_byte(fp, tok->tt.hdr32.version, "%u");
885 open_attr(fp, "event");
886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
888 open_attr(fp, "modifier");
889 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
891 open_attr(fp, "time");
892 print_sec32(fp, tok->tt.hdr32.s, raw);
894 open_attr(fp, "msec");
895 print_msec32(fp, tok->tt.hdr32.ms, 1);
897 close_tag(fp, tok->id);
899 print_delim(fp, del);
900 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 print_delim(fp, del);
902 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 print_delim(fp, del);
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 print_delim(fp, del);
906 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 print_delim(fp, del);
908 print_sec32(fp, tok->tt.hdr32.s, raw);
909 print_delim(fp, del);
910 print_msec32(fp, tok->tt.hdr32.ms, raw);
915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916 * depending on the bit of the specifications found. The OpenSolaris source
917 * code uses a 4-byte address length, followed by some number of bytes of
918 * address data. This contrasts with the Solaris audit.log.5 man page, which
919 * specifies a 1-byte length field. We use the Solaris 10 definition so that
920 * we can parse audit trails from that system.
922 * record byte count 4 bytes
923 * version # 1 byte [2]
925 * event modifier 2 bytes
926 * address type/length 4 bytes
927 * [ Solaris man page: address type/length 1 byte]
928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
929 * seconds of time 4 bytes/8 bytes (32/64-bits)
930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 switch (tok->tt.hdr32_ex.ad_type) {
960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
988 print_tok_type(fp, tok->id, "header_ex", raw, xml);
990 open_attr(fp, "version");
991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
993 open_attr(fp, "event");
994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
996 open_attr(fp, "modifier");
997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
999 open_attr(fp, "host");
1000 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1001 tok->tt.hdr32_ex.addr);
1003 open_attr(fp, "time");
1004 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1006 open_attr(fp, "msec");
1007 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1009 close_tag(fp, tok->id);
1011 print_delim(fp, del);
1012 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1013 print_delim(fp, del);
1014 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1015 print_delim(fp, del);
1016 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1017 print_delim(fp, del);
1018 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1019 print_delim(fp, del);
1020 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1021 tok->tt.hdr32_ex.addr);
1022 print_delim(fp, del);
1023 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1024 print_delim(fp, del);
1025 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1030 * record byte count 4 bytes
1031 * event type 2 bytes
1032 * event modifier 2 bytes
1033 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1034 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1038 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1042 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1046 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1050 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1054 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1058 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1062 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1070 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1074 print_tok_type(fp, tok->id, "header", raw, xml);
1076 open_attr(fp, "version");
1077 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1079 open_attr(fp, "event");
1080 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1082 open_attr(fp, "modifier");
1083 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1085 open_attr(fp, "time");
1086 print_sec64(fp, tok->tt.hdr64.s, raw);
1088 open_attr(fp, "msec");
1089 print_msec64(fp, tok->tt.hdr64.ms, raw);
1091 close_tag(fp, tok->id);
1093 print_delim(fp, del);
1094 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1095 print_delim(fp, del);
1096 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1097 print_delim(fp, del);
1098 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1099 print_delim(fp, del);
1100 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1101 print_delim(fp, del);
1102 print_sec64(fp, tok->tt.hdr64.s, raw);
1103 print_delim(fp, del);
1104 print_msec64(fp, tok->tt.hdr64.ms, raw);
1109 * record byte count 4 bytes
1110 * version # 1 byte [2]
1111 * event type 2 bytes
1112 * event modifier 2 bytes
1113 * address type/length 4 bytes
1114 * [ Solaris man page: address type/length 1 byte]
1115 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1116 * seconds of time 4 bytes/8 bytes (32/64-bits)
1117 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1119 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1120 * accuracy of the BSM spec.
1123 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1127 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1131 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1135 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1139 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1143 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1147 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1148 switch (tok->tt.hdr64_ex.ad_type) {
1150 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1151 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1157 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1158 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1162 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1166 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1174 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1178 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1180 open_attr(fp, "version");
1181 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1183 open_attr(fp, "event");
1184 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1186 open_attr(fp, "modifier");
1187 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1189 open_attr(fp, "host");
1190 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1191 tok->tt.hdr64_ex.addr);
1193 open_attr(fp, "time");
1194 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1196 open_attr(fp, "msec");
1197 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1199 close_tag(fp, tok->id);
1201 print_delim(fp, del);
1202 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1203 print_delim(fp, del);
1204 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1205 print_delim(fp, del);
1206 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1207 print_delim(fp, del);
1208 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1209 print_delim(fp, del);
1210 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1211 tok->tt.hdr64_ex.addr);
1212 print_delim(fp, del);
1213 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1214 print_delim(fp, del);
1215 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1220 * trailer magic 2 bytes
1221 * record size 4 bytes
1224 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1228 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1232 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1240 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1241 __unused char sfrm, int xml)
1244 print_tok_type(fp, tok->id, "trailer", raw, xml);
1246 print_delim(fp, del);
1247 print_4_bytes(fp, tok->tt.trail.count, "%u");
1253 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1254 * text length 2 bytes
1255 * text N bytes + 1 terminating NULL byte
1258 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1262 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1266 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1270 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1274 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1283 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1284 __unused char sfrm, int xml)
1287 print_tok_type(fp, tok->id, "argument", raw, xml);
1289 open_attr(fp, "arg-num");
1290 print_1_byte(fp, tok->tt.arg32.no, "%u");
1292 open_attr(fp, "value");
1293 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1295 open_attr(fp, "desc");
1296 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1298 close_tag(fp, tok->id);
1300 print_delim(fp, del);
1301 print_1_byte(fp, tok->tt.arg32.no, "%u");
1302 print_delim(fp, del);
1303 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1304 print_delim(fp, del);
1305 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1310 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1314 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1318 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1322 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1326 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1335 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1336 __unused char sfrm, int xml)
1339 print_tok_type(fp, tok->id, "argument", raw, xml);
1341 open_attr(fp, "arg-num");
1342 print_1_byte(fp, tok->tt.arg64.no, "%u");
1344 open_attr(fp, "value");
1345 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1347 open_attr(fp, "desc");
1348 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1350 close_tag(fp, tok->id);
1352 print_delim(fp, del);
1353 print_1_byte(fp, tok->tt.arg64.no, "%u");
1354 print_delim(fp, del);
1355 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1356 print_delim(fp, del);
1357 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1362 * how to print 1 byte
1365 * data items (depends on basic unit)
1368 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1373 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1377 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1381 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1386 * Determine the size of the basic unit.
1388 switch(tok->tt.arb.bu) {
1390 /* case AUR_CHAR: */
1391 datasize = AUR_BYTE_SIZE;
1395 datasize = AUR_SHORT_SIZE;
1400 datasize = AUR_INT32_SIZE;
1404 datasize = AUR_INT64_SIZE;
1411 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1420 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1421 __unused char sfrm, int xml)
1428 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1430 print_delim(fp, del);
1432 switch(tok->tt.arb.howtopr) {
1463 open_attr(fp, "print");
1464 fprintf(fp, "%s",str);
1467 print_string(fp, str, strlen(str));
1468 print_delim(fp, del);
1470 switch(tok->tt.arb.bu) {
1472 /* case AUR_CHAR: */
1474 size = AUR_BYTE_SIZE;
1476 open_attr(fp, "type");
1477 fprintf(fp, "%zu", size);
1479 open_attr(fp, "count");
1480 print_1_byte(fp, tok->tt.arb.uc, "%u");
1483 for (i = 0; i<tok->tt.arb.uc; i++)
1484 fprintf(fp, format, *(tok->tt.arb.data +
1486 close_tag(fp, tok->id);
1488 print_string(fp, str, strlen(str));
1489 print_delim(fp, del);
1490 print_1_byte(fp, tok->tt.arb.uc, "%u");
1491 print_delim(fp, del);
1492 for (i = 0; i<tok->tt.arb.uc; i++)
1493 fprintf(fp, format, *(tok->tt.arb.data +
1500 size = AUR_SHORT_SIZE;
1502 open_attr(fp, "type");
1503 fprintf(fp, "%zu", size);
1505 open_attr(fp, "count");
1506 print_1_byte(fp, tok->tt.arb.uc, "%u");
1509 for (i = 0; i < tok->tt.arb.uc; i++)
1511 *((u_int16_t *)(tok->tt.arb.data +
1513 close_tag(fp, tok->id);
1515 print_string(fp, str, strlen(str));
1516 print_delim(fp, del);
1517 print_1_byte(fp, tok->tt.arb.uc, "%u");
1518 print_delim(fp, del);
1519 for (i = 0; i < tok->tt.arb.uc; i++)
1521 *((u_int16_t *)(tok->tt.arb.data +
1529 size = AUR_INT32_SIZE;
1531 open_attr(fp, "type");
1532 fprintf(fp, "%zu", size);
1534 open_attr(fp, "count");
1535 print_1_byte(fp, tok->tt.arb.uc, "%u");
1538 for (i = 0; i < tok->tt.arb.uc; i++)
1540 *((u_int32_t *)(tok->tt.arb.data +
1542 close_tag(fp, tok->id);
1544 print_string(fp, str, strlen(str));
1545 print_delim(fp, del);
1546 print_1_byte(fp, tok->tt.arb.uc, "%u");
1547 print_delim(fp, del);
1548 for (i = 0; i < tok->tt.arb.uc; i++)
1550 *((u_int32_t *)(tok->tt.arb.data +
1557 size = AUR_INT64_SIZE;
1559 open_attr(fp, "type");
1560 fprintf(fp, "%zu", size);
1562 open_attr(fp, "count");
1563 print_1_byte(fp, tok->tt.arb.uc, "%u");
1566 for (i = 0; i < tok->tt.arb.uc; i++)
1568 *((u_int64_t *)(tok->tt.arb.data +
1570 close_tag(fp, tok->id);
1572 print_string(fp, str, strlen(str));
1573 print_delim(fp, del);
1574 print_1_byte(fp, tok->tt.arb.uc, "%u");
1575 print_delim(fp, del);
1576 for (i = 0; i < tok->tt.arb.uc; i++)
1578 *((u_int64_t *)(tok->tt.arb.data +
1589 * file access mode 4 bytes
1590 * owner user ID 4 bytes
1591 * owner group ID 4 bytes
1592 * file system ID 4 bytes
1594 * device 4 bytes/8 bytes (32-bit/64-bit)
1597 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1601 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1605 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1609 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1613 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1617 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1621 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1629 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1630 __unused char sfrm, int xml)
1633 print_tok_type(fp, tok->id, "attribute", raw, xml);
1635 open_attr(fp, "mode");
1636 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1638 open_attr(fp, "uid");
1639 print_user(fp, tok->tt.attr32.uid, raw);
1641 open_attr(fp, "gid");
1642 print_group(fp, tok->tt.attr32.gid, raw);
1644 open_attr(fp, "fsid");
1645 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1647 open_attr(fp, "nodeid");
1648 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1650 open_attr(fp, "device");
1651 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1653 close_tag(fp, tok->id);
1655 print_delim(fp, del);
1656 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1657 print_delim(fp, del);
1658 print_user(fp, tok->tt.attr32.uid, raw);
1659 print_delim(fp, del);
1660 print_group(fp, tok->tt.attr32.gid, raw);
1661 print_delim(fp, del);
1662 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1663 print_delim(fp, del);
1664 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1665 print_delim(fp, del);
1666 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1671 * file access mode 4 bytes
1672 * owner user ID 4 bytes
1673 * owner group ID 4 bytes
1674 * file system ID 4 bytes
1676 * device 4 bytes/8 bytes (32-bit/64-bit)
1679 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1683 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1687 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1691 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1695 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1699 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1703 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1711 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1712 __unused char sfrm, int xml)
1715 print_tok_type(fp, tok->id, "attribute", raw, xml);
1717 open_attr(fp, "mode");
1718 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1720 open_attr(fp, "uid");
1721 print_user(fp, tok->tt.attr64.uid, raw);
1723 open_attr(fp, "gid");
1724 print_group(fp, tok->tt.attr64.gid, raw);
1726 open_attr(fp, "fsid");
1727 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1729 open_attr(fp, "nodeid");
1730 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1732 open_attr(fp, "device");
1733 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1735 close_tag(fp, tok->id);
1737 print_delim(fp, del);
1738 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1739 print_delim(fp, del);
1740 print_user(fp, tok->tt.attr64.uid, raw);
1741 print_delim(fp, del);
1742 print_group(fp, tok->tt.attr64.gid, raw);
1743 print_delim(fp, del);
1744 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1745 print_delim(fp, del);
1746 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1747 print_delim(fp, del);
1748 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1754 * return value 4 bytes
1757 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1761 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1765 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1773 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1774 __unused char sfrm, int xml)
1777 print_tok_type(fp, tok->id, "exit", raw, xml);
1779 open_attr(fp, "errval");
1780 print_errval(fp, tok->tt.exit.status);
1782 open_attr(fp, "retval");
1783 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1785 close_tag(fp, tok->id);
1787 print_delim(fp, del);
1788 print_errval(fp, tok->tt.exit.status);
1789 print_delim(fp, del);
1790 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1796 * text count null-terminated string(s)
1799 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1805 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1809 for (i = 0; i < tok->tt.execarg.count; i++) {
1810 bptr = buf + tok->len;
1811 if (i < AUDIT_MAX_ARGS)
1812 tok->tt.execarg.text[i] = (char*)bptr;
1814 /* Look for a null terminated string. */
1815 while (bptr && (*bptr != '\0')) {
1816 if (++tok->len >= (u_int32_t)len)
1818 bptr = buf + tok->len;
1822 tok->len++; /* \0 character */
1824 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1825 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1831 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1832 __unused char sfrm, int xml)
1836 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1837 for (i = 0; i < tok->tt.execarg.count; i++) {
1839 fprintf(fp, "<arg>");
1840 print_string(fp, tok->tt.execarg.text[i],
1841 strlen(tok->tt.execarg.text[i]));
1842 fprintf(fp, "</arg>");
1844 print_delim(fp, del);
1845 print_string(fp, tok->tt.execarg.text[i],
1846 strlen(tok->tt.execarg.text[i]));
1850 close_tag(fp, tok->id);
1855 * text count null-terminated string(s)
1858 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1864 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1868 for (i = 0; i < tok->tt.execenv.count; i++) {
1869 bptr = buf + tok->len;
1870 if (i < AUDIT_MAX_ENV)
1871 tok->tt.execenv.text[i] = (char*)bptr;
1873 /* Look for a null terminated string. */
1874 while (bptr && (*bptr != '\0')) {
1875 if (++tok->len >= (u_int32_t)len)
1877 bptr = buf + tok->len;
1881 tok->len++; /* \0 character */
1883 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1884 tok->tt.execenv.count = AUDIT_MAX_ENV;
1890 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1891 __unused char sfrm, int xml)
1895 print_tok_type(fp, tok->id, "exec env", raw, xml);
1896 for (i = 0; i< tok->tt.execenv.count; i++) {
1898 fprintf(fp, "<env>");
1899 print_string(fp, tok->tt.execenv.text[i],
1900 strlen(tok->tt.execenv.text[i]));
1901 fprintf(fp, "</env>");
1903 print_delim(fp, del);
1904 print_string(fp, tok->tt.execenv.text[i],
1905 strlen(tok->tt.execenv.text[i]));
1909 close_tag(fp, tok->id);
1913 * seconds of time 4 bytes
1914 * milliseconds of time 4 bytes
1915 * file name len 2 bytes
1916 * file pathname N bytes + 1 terminating NULL byte
1919 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1923 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1927 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1931 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1935 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1944 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1945 __unused char sfrm, int xml)
1948 print_tok_type(fp, tok->id, "file", raw, xml);
1950 open_attr(fp, "time");
1951 print_sec32(fp, tok->tt.file.s, raw);
1953 open_attr(fp, "msec");
1954 print_msec32(fp, tok->tt.file.ms, raw);
1957 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1958 close_tag(fp, tok->id);
1960 print_delim(fp, del);
1961 print_sec32(fp, tok->tt.file.s, raw);
1962 print_delim(fp, del);
1963 print_msec32(fp, tok->tt.file.ms, raw);
1964 print_delim(fp, del);
1965 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1970 * number groups 2 bytes
1971 * group list count * 4 bytes
1974 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1979 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1983 for (i = 0; i<tok->tt.grps.no; i++) {
1984 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1994 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1995 __unused char sfrm, int xml)
1999 print_tok_type(fp, tok->id, "group", raw, xml);
2000 for (i = 0; i < tok->tt.grps.no; i++) {
2002 fprintf(fp, "<gid>");
2003 print_group(fp, tok->tt.grps.list[i], raw);
2004 fprintf(fp, "</gid>");
2005 close_tag(fp, tok->id);
2007 print_delim(fp, del);
2008 print_group(fp, tok->tt.grps.list[i], raw);
2014 * Internet addr 4 bytes
2017 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2021 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2031 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2032 __unused char sfrm, int xml)
2035 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2037 print_ip_address(fp, tok->tt.inaddr.addr);
2038 close_tag(fp, tok->id);
2040 print_delim(fp, del);
2041 print_ip_address(fp, tok->tt.inaddr.addr);
2050 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2054 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2058 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2059 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2060 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2063 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2064 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2065 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2075 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2076 __unused char sfrm, int xml)
2079 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2081 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2082 tok->tt.inaddr_ex.addr);
2083 close_tag(fp, tok->id);
2085 print_delim(fp, del);
2086 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2087 tok->tt.inaddr_ex.addr);
2092 * ip header 20 bytes
2095 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2099 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2103 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2107 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2112 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2117 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2122 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2126 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2130 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2135 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2140 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2149 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2150 __unused char sfrm, int xml)
2153 print_tok_type(fp, tok->id, "ip", raw, xml);
2155 open_attr(fp, "version");
2156 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2159 open_attr(fp, "service_type");
2160 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2162 open_attr(fp, "len");
2163 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2165 open_attr(fp, "id");
2166 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2168 open_attr(fp, "offset");
2169 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2171 open_attr(fp, "time_to_live");
2172 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2174 open_attr(fp, "protocol");
2175 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2177 open_attr(fp, "cksum");
2178 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2180 open_attr(fp, "src_addr");
2181 print_ip_address(fp, tok->tt.ip.src);
2183 open_attr(fp, "dest_addr");
2184 print_ip_address(fp, tok->tt.ip.dest);
2186 close_tag(fp, tok->id);
2188 print_delim(fp, del);
2189 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2191 print_delim(fp, del);
2192 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2193 print_delim(fp, del);
2194 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2195 print_delim(fp, del);
2196 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2197 print_delim(fp, del);
2198 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2199 print_delim(fp, del);
2200 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2201 print_delim(fp, del);
2202 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2203 print_delim(fp, del);
2204 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2205 print_delim(fp, del);
2206 print_ip_address(fp, tok->tt.ip.src);
2207 print_delim(fp, del);
2208 print_ip_address(fp, tok->tt.ip.dest);
2213 * object ID type 1 byte
2217 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2221 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2225 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2233 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2234 __unused char sfrm, int xml)
2237 print_tok_type(fp, tok->id, "IPC", raw, xml);
2239 open_attr(fp, "ipc-type");
2240 print_ipctype(fp, tok->tt.ipc.type, raw);
2242 open_attr(fp, "ipc-id");
2243 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2245 close_tag(fp, tok->id);
2247 print_delim(fp, del);
2248 print_ipctype(fp, tok->tt.ipc.type, raw);
2249 print_delim(fp, del);
2250 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2255 * owner user id 4 bytes
2256 * owner group id 4 bytes
2257 * creator user id 4 bytes
2258 * creator group id 4 bytes
2259 * access mode 4 bytes
2264 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2268 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2272 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2276 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2280 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2284 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2288 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2292 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2300 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2301 __unused char sfrm, int xml)
2304 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2306 open_attr(fp, "uid");
2307 print_user(fp, tok->tt.ipcperm.uid, raw);
2309 open_attr(fp, "gid");
2310 print_group(fp, tok->tt.ipcperm.gid, raw);
2312 open_attr(fp, "creator-uid");
2313 print_user(fp, tok->tt.ipcperm.puid, raw);
2315 open_attr(fp, "creator-gid");
2316 print_group(fp, tok->tt.ipcperm.pgid, raw);
2318 open_attr(fp, "mode");
2319 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2321 open_attr(fp, "seq");
2322 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2324 open_attr(fp, "key");
2325 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2327 close_tag(fp, tok->id);
2329 print_delim(fp, del);
2330 print_user(fp, tok->tt.ipcperm.uid, raw);
2331 print_delim(fp, del);
2332 print_group(fp, tok->tt.ipcperm.gid, raw);
2333 print_delim(fp, del);
2334 print_user(fp, tok->tt.ipcperm.puid, raw);
2335 print_delim(fp, del);
2336 print_group(fp, tok->tt.ipcperm.pgid, raw);
2337 print_delim(fp, del);
2338 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2339 print_delim(fp, del);
2340 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2341 print_delim(fp, del);
2342 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2347 * port Ip address 2 bytes
2350 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2354 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2363 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2364 __unused char sfrm, int xml)
2367 print_tok_type(fp, tok->id, "ip port", raw, xml);
2369 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2370 close_tag(fp, tok->id);
2372 print_delim(fp, del);
2373 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2382 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2386 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2390 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2399 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2400 __unused char sfrm, int xml)
2403 print_tok_type(fp, tok->id, "opaque", raw, xml);
2405 print_mem(fp, (u_char*)tok->tt.opaque.data,
2406 tok->tt.opaque.size);
2407 close_tag(fp, tok->id);
2409 print_delim(fp, del);
2410 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2411 print_delim(fp, del);
2412 print_mem(fp, (u_char*)tok->tt.opaque.data,
2413 tok->tt.opaque.size);
2422 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2426 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2430 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2439 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2440 __unused char sfrm, int xml)
2443 print_tok_type(fp, tok->id, "path", raw, xml);
2445 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2446 close_tag(fp, tok->id);
2448 print_delim(fp, del);
2449 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2464 * machine id 4 bytes
2467 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2471 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2475 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2479 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2483 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2487 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2491 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2495 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2499 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2503 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2504 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2512 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2513 __unused char sfrm, int xml)
2516 print_tok_type(fp, tok->id, "process", raw, xml);
2518 open_attr(fp, "audit-uid");
2519 print_user(fp, tok->tt.proc32.auid, raw);
2521 open_attr(fp, "uid");
2522 print_user(fp, tok->tt.proc32.euid, raw);
2524 open_attr(fp, "gid");
2525 print_group(fp, tok->tt.proc32.egid, raw);
2527 open_attr(fp, "ruid");
2528 print_user(fp, tok->tt.proc32.ruid, raw);
2530 open_attr(fp, "rgid");
2531 print_group(fp, tok->tt.proc32.rgid, raw);
2533 open_attr(fp, "pid");
2534 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2536 open_attr(fp, "sid");
2537 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2539 open_attr(fp, "tid");
2540 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2541 print_ip_address(fp, tok->tt.proc32.tid.addr);
2543 close_tag(fp, tok->id);
2545 print_delim(fp, del);
2546 print_user(fp, tok->tt.proc32.auid, raw);
2547 print_delim(fp, del);
2548 print_user(fp, tok->tt.proc32.euid, raw);
2549 print_delim(fp, del);
2550 print_group(fp, tok->tt.proc32.egid, raw);
2551 print_delim(fp, del);
2552 print_user(fp, tok->tt.proc32.ruid, raw);
2553 print_delim(fp, del);
2554 print_group(fp, tok->tt.proc32.rgid, raw);
2555 print_delim(fp, del);
2556 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2557 print_delim(fp, del);
2558 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2559 print_delim(fp, del);
2560 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2561 print_delim(fp, del);
2562 print_ip_address(fp, tok->tt.proc32.tid.addr);
2577 * machine id 4 bytes
2580 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2584 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2588 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2592 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2596 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2600 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2604 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2608 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2612 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2616 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2617 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2625 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2626 __unused char sfrm, int xml)
2628 print_tok_type(fp, tok->id, "process", raw, xml);
2630 open_attr(fp, "audit-uid");
2631 print_user(fp, tok->tt.proc64.auid, raw);
2633 open_attr(fp, "uid");
2634 print_user(fp, tok->tt.proc64.euid, raw);
2636 open_attr(fp, "gid");
2637 print_group(fp, tok->tt.proc64.egid, raw);
2639 open_attr(fp, "ruid");
2640 print_user(fp, tok->tt.proc64.ruid, raw);
2642 open_attr(fp, "rgid");
2643 print_group(fp, tok->tt.proc64.rgid, raw);
2645 open_attr(fp, "pid");
2646 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2648 open_attr(fp, "sid");
2649 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2651 open_attr(fp, "tid");
2652 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2653 print_ip_address(fp, tok->tt.proc64.tid.addr);
2655 close_tag(fp, tok->id);
2657 print_delim(fp, del);
2658 print_user(fp, tok->tt.proc64.auid, raw);
2659 print_delim(fp, del);
2660 print_user(fp, tok->tt.proc64.euid, raw);
2661 print_delim(fp, del);
2662 print_group(fp, tok->tt.proc64.egid, raw);
2663 print_delim(fp, del);
2664 print_user(fp, tok->tt.proc64.ruid, raw);
2665 print_delim(fp, del);
2666 print_group(fp, tok->tt.proc64.rgid, raw);
2667 print_delim(fp, del);
2668 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2669 print_delim(fp, del);
2670 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2671 print_delim(fp, del);
2672 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2673 print_delim(fp, del);
2674 print_ip_address(fp, tok->tt.proc64.tid.addr);
2681 * effective user ID 4 bytes
2682 * effective group ID 4 bytes
2683 * real user ID 4 bytes
2684 * real group ID 4 bytes
2685 * process ID 4 bytes
2686 * session ID 4 bytes
2689 * address type-len 4 bytes
2690 * machine address 16 bytes
2693 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2697 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2705 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2709 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2713 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2717 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2721 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2725 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2730 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2735 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2736 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2737 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2740 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2741 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2742 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2752 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2753 __unused char sfrm, int xml)
2756 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2758 open_attr(fp, "audit-uid");
2759 print_user(fp, tok->tt.proc32_ex.auid, raw);
2761 open_attr(fp, "uid");
2762 print_user(fp, tok->tt.proc32_ex.euid, raw);
2764 open_attr(fp, "gid");
2765 print_group(fp, tok->tt.proc32_ex.egid, raw);
2767 open_attr(fp, "ruid");
2768 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2770 open_attr(fp, "rgid");
2771 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2773 open_attr(fp, "pid");
2774 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2776 open_attr(fp, "sid");
2777 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2779 open_attr(fp, "tid");
2780 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2781 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2782 tok->tt.proc32_ex.tid.addr);
2784 close_tag(fp, tok->id);
2786 print_delim(fp, del);
2787 print_user(fp, tok->tt.proc32_ex.auid, raw);
2788 print_delim(fp, del);
2789 print_user(fp, tok->tt.proc32_ex.euid, raw);
2790 print_delim(fp, del);
2791 print_group(fp, tok->tt.proc32_ex.egid, raw);
2792 print_delim(fp, del);
2793 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2794 print_delim(fp, del);
2795 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2796 print_delim(fp, del);
2797 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2798 print_delim(fp, del);
2799 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2800 print_delim(fp, del);
2801 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2802 print_delim(fp, del);
2803 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2804 tok->tt.proc32_ex.tid.addr);
2811 * effective user ID 4 bytes
2812 * effective group ID 4 bytes
2813 * real user ID 4 bytes
2814 * real group ID 4 bytes
2815 * process ID 4 bytes
2816 * session ID 4 bytes
2819 * address type-len 4 bytes
2820 * machine address 16 bytes
2823 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2827 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2831 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2835 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2839 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2843 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2847 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2851 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2855 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2860 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2865 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2866 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2867 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2870 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2871 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2872 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2882 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2883 __unused char sfrm, int xml)
2885 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2887 open_attr(fp, "audit-uid");
2888 print_user(fp, tok->tt.proc64_ex.auid, raw);
2890 open_attr(fp, "uid");
2891 print_user(fp, tok->tt.proc64_ex.euid, raw);
2893 open_attr(fp, "gid");
2894 print_group(fp, tok->tt.proc64_ex.egid, raw);
2896 open_attr(fp, "ruid");
2897 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2899 open_attr(fp, "rgid");
2900 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2902 open_attr(fp, "pid");
2903 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2905 open_attr(fp, "sid");
2906 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2908 open_attr(fp, "tid");
2909 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2910 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2911 tok->tt.proc64_ex.tid.addr);
2913 close_tag(fp, tok->id);
2915 print_delim(fp, del);
2916 print_user(fp, tok->tt.proc64_ex.auid, raw);
2917 print_delim(fp, del);
2918 print_user(fp, tok->tt.proc64_ex.euid, raw);
2919 print_delim(fp, del);
2920 print_group(fp, tok->tt.proc64_ex.egid, raw);
2921 print_delim(fp, del);
2922 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2923 print_delim(fp, del);
2924 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2925 print_delim(fp, del);
2926 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2927 print_delim(fp, del);
2928 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2929 print_delim(fp, del);
2930 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2931 print_delim(fp, del);
2932 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2933 tok->tt.proc64_ex.tid.addr);
2939 * return value 4 bytes
2942 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2946 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2950 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2958 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2959 __unused char sfrm, int xml)
2962 print_tok_type(fp, tok->id, "return", raw, xml);
2964 open_attr(fp ,"errval");
2965 print_retval(fp, tok->tt.ret32.status, raw);
2967 open_attr(fp, "retval");
2968 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2970 close_tag(fp, tok->id);
2972 print_delim(fp, del);
2973 print_retval(fp, tok->tt.ret32.status, raw);
2974 print_delim(fp, del);
2975 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2980 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2984 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2988 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
2996 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2997 __unused char sfrm, int xml)
3000 print_tok_type(fp, tok->id, "return", raw, xml);
3002 open_attr(fp, "errval");
3003 print_retval(fp, tok->tt.ret64.err, raw);
3005 open_attr(fp, "retval");
3006 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3008 close_tag(fp, tok->id);
3010 print_delim(fp, del);
3011 print_retval(fp, tok->tt.ret64.err, raw);
3012 print_delim(fp, del);
3013 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3021 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3025 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3033 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3034 __unused char sfrm, int xml)
3037 print_tok_type(fp, tok->id, "sequence", raw, xml);
3039 open_attr(fp, "seq-num");
3040 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3042 close_tag(fp, tok->id);
3044 print_delim(fp, del);
3045 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3050 * socket family 2 bytes
3051 * local port 2 bytes
3052 * socket address 4 bytes
3055 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3059 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3064 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3065 sizeof(uint16_t), tok->len, err);
3069 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3070 sizeof(tok->tt.sockinet32.addr), tok->len, err);
3078 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3079 __unused char sfrm, int xml)
3082 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3084 open_attr(fp, "type");
3085 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3087 open_attr(fp, "port");
3088 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3090 open_attr(fp, "addr");
3091 print_ip_address(fp, tok->tt.sockinet32.addr);
3093 close_tag(fp, tok->id);
3095 print_delim(fp, del);
3096 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3097 print_delim(fp, del);
3098 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3099 print_delim(fp, del);
3100 print_ip_address(fp, tok->tt.sockinet32.addr);
3105 * socket family 2 bytes
3109 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3113 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3117 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3126 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3127 __unused char sfrm, int xml)
3130 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3132 open_attr(fp, "type");
3133 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3135 open_attr(fp, "port");
3137 open_attr(fp, "addr");
3138 print_string(fp, tok->tt.sockunix.path,
3139 strlen(tok->tt.sockunix.path));
3141 close_tag(fp, tok->id);
3143 print_delim(fp, del);
3144 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3145 print_delim(fp, del);
3146 print_string(fp, tok->tt.sockunix.path,
3147 strlen(tok->tt.sockunix.path));
3152 * socket type 2 bytes
3153 * local port 2 bytes
3154 * local address 4 bytes
3155 * remote port 2 bytes
3156 * remote address 4 bytes
3159 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3163 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3167 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3172 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3173 sizeof(tok->tt.socket.l_addr), tok->len, err);
3177 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3182 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3183 sizeof(tok->tt.socket.r_addr), tok->len, err);
3191 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3192 __unused char sfrm, int xml)
3195 print_tok_type(fp, tok->id, "socket", raw, xml);
3197 open_attr(fp, "sock_type");
3198 print_2_bytes(fp, tok->tt.socket.type, "%u");
3200 open_attr(fp, "lport");
3201 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3203 open_attr(fp, "laddr");
3204 print_ip_address(fp, tok->tt.socket.l_addr);
3206 open_attr(fp, "fport");
3207 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3209 open_attr(fp, "faddr");
3210 print_ip_address(fp, tok->tt.socket.r_addr);
3212 close_tag(fp, tok->id);
3214 print_delim(fp, del);
3215 print_2_bytes(fp, tok->tt.socket.type, "%u");
3216 print_delim(fp, del);
3217 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3218 print_delim(fp, del);
3219 print_ip_address(fp, tok->tt.socket.l_addr);
3220 print_delim(fp, del);
3221 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3222 print_delim(fp, del);
3223 print_ip_address(fp, tok->tt.socket.r_addr);
3236 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3237 * machine id 4 bytes
3240 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3244 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3248 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3252 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3256 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3260 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3268 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3272 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3276 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3277 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3285 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3286 __unused char sfrm, int xml)
3289 print_tok_type(fp, tok->id, "subject", raw, xml);
3291 open_attr(fp, "audit-uid");
3292 print_user(fp, tok->tt.subj32.auid, raw);
3294 open_attr(fp, "uid");
3295 print_user(fp, tok->tt.subj32.euid, raw);
3297 open_attr(fp, "gid");
3298 print_group(fp, tok->tt.subj32.egid, raw);
3300 open_attr(fp, "ruid");
3301 print_user(fp, tok->tt.subj32.ruid, raw);
3303 open_attr(fp, "rgid");
3304 print_group(fp, tok->tt.subj32.rgid, raw);
3306 open_attr(fp,"pid");
3307 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3309 open_attr(fp,"sid");
3310 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3312 open_attr(fp,"tid");
3313 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3314 print_ip_address(fp, tok->tt.subj32.tid.addr);
3316 close_tag(fp, tok->id);
3318 print_delim(fp, del);
3319 print_user(fp, tok->tt.subj32.auid, raw);
3320 print_delim(fp, del);
3321 print_user(fp, tok->tt.subj32.euid, raw);
3322 print_delim(fp, del);
3323 print_group(fp, tok->tt.subj32.egid, raw);
3324 print_delim(fp, del);
3325 print_user(fp, tok->tt.subj32.ruid, raw);
3326 print_delim(fp, del);
3327 print_group(fp, tok->tt.subj32.rgid, raw);
3328 print_delim(fp, del);
3329 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3330 print_delim(fp, del);
3331 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3332 print_delim(fp, del);
3333 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3334 print_delim(fp, del);
3335 print_ip_address(fp, tok->tt.subj32.tid.addr);
3348 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3349 * machine id 4 bytes
3352 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3356 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3360 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3364 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3368 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3372 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3376 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3380 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3384 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3388 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3389 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3397 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3398 __unused char sfrm, int xml)
3401 print_tok_type(fp, tok->id, "subject", raw, xml);
3403 open_attr(fp, "audit-uid");
3404 print_user(fp, tok->tt.subj64.auid, raw);
3406 open_attr(fp, "uid");
3407 print_user(fp, tok->tt.subj64.euid, raw);
3409 open_attr(fp, "gid");
3410 print_group(fp, tok->tt.subj64.egid, raw);
3412 open_attr(fp, "ruid");
3413 print_user(fp, tok->tt.subj64.ruid, raw);
3415 open_attr(fp, "rgid");
3416 print_group(fp, tok->tt.subj64.rgid, raw);
3418 open_attr(fp, "pid");
3419 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3421 open_attr(fp, "sid");
3422 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3424 open_attr(fp, "tid");
3425 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3426 print_ip_address(fp, tok->tt.subj64.tid.addr);
3428 close_tag(fp, tok->id);
3430 print_delim(fp, del);
3431 print_user(fp, tok->tt.subj64.auid, raw);
3432 print_delim(fp, del);
3433 print_user(fp, tok->tt.subj64.euid, raw);
3434 print_delim(fp, del);
3435 print_group(fp, tok->tt.subj64.egid, raw);
3436 print_delim(fp, del);
3437 print_user(fp, tok->tt.subj64.ruid, raw);
3438 print_delim(fp, del);
3439 print_group(fp, tok->tt.subj64.rgid, raw);
3440 print_delim(fp, del);
3441 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3442 print_delim(fp, del);
3443 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3444 print_delim(fp, del);
3445 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3446 print_delim(fp, del);
3447 print_ip_address(fp, tok->tt.subj64.tid.addr);
3462 * machine id 16 bytes
3465 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3469 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3473 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3477 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3481 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3485 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3489 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3493 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3497 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3502 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3507 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3508 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3509 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3512 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3513 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3514 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3524 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3525 __unused char sfrm, int xml)
3528 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3530 open_attr(fp, "audit-uid");
3531 print_user(fp, tok->tt.subj32_ex.auid, raw);
3533 open_attr(fp, "uid");
3534 print_user(fp, tok->tt.subj32_ex.euid, raw);
3536 open_attr(fp, "gid");
3537 print_group(fp, tok->tt.subj32_ex.egid, raw);
3539 open_attr(fp, "ruid");
3540 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3542 open_attr(fp, "rgid");
3543 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3545 open_attr(fp, "pid");
3546 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3548 open_attr(fp, "sid");
3549 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3551 open_attr(fp, "tid");
3552 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3553 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3554 tok->tt.subj32_ex.tid.addr);
3556 close_tag(fp, tok->id);
3558 print_delim(fp, del);
3559 print_user(fp, tok->tt.subj32_ex.auid, raw);
3560 print_delim(fp, del);
3561 print_user(fp, tok->tt.subj32_ex.euid, raw);
3562 print_delim(fp, del);
3563 print_group(fp, tok->tt.subj32_ex.egid, raw);
3564 print_delim(fp, del);
3565 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3566 print_delim(fp, del);
3567 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3568 print_delim(fp, del);
3569 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3570 print_delim(fp, del);
3571 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3572 print_delim(fp, del);
3573 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3574 print_delim(fp, del);
3575 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3576 tok->tt.subj32_ex.tid.addr);
3591 * machine id 16 bytes
3594 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3598 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3602 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3606 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3610 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3614 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3618 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3622 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3626 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3631 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3636 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3637 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3638 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3641 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3642 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3643 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3653 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3654 __unused char sfrm, int xml)
3656 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3658 open_attr(fp, "audit-uid");
3659 print_user(fp, tok->tt.subj64_ex.auid, raw);
3661 open_attr(fp, "uid");
3662 print_user(fp, tok->tt.subj64_ex.euid, raw);
3664 open_attr(fp, "gid");
3665 print_group(fp, tok->tt.subj64_ex.egid, raw);
3667 open_attr(fp, "ruid");
3668 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3670 open_attr(fp, "rgid");
3671 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3673 open_attr(fp, "pid");
3674 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3676 open_attr(fp, "sid");
3677 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3679 open_attr(fp, "tid");
3680 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3681 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3682 tok->tt.subj64_ex.tid.addr);
3684 close_tag(fp, tok->id);
3686 print_delim(fp, del);
3687 print_user(fp, tok->tt.subj64_ex.auid, raw);
3688 print_delim(fp, del);
3689 print_user(fp, tok->tt.subj64_ex.euid, raw);
3690 print_delim(fp, del);
3691 print_group(fp, tok->tt.subj64_ex.egid, raw);
3692 print_delim(fp, del);
3693 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3694 print_delim(fp, del);
3695 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3696 print_delim(fp, del);
3697 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3698 print_delim(fp, del);
3699 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3700 print_delim(fp, del);
3701 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3702 print_delim(fp, del);
3703 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3704 tok->tt.subj64_ex.tid.addr);
3713 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3717 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3721 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3730 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3731 __unused char sfrm, int xml)
3734 print_tok_type(fp, tok->id, "text", raw, xml);
3736 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3737 close_tag(fp, tok->id);
3739 print_delim(fp, del);
3740 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3745 * socket type 2 bytes
3746 * local port 2 bytes
3747 * address type/length 4 bytes
3748 * local Internet address 4 bytes
3749 * remote port 4 bytes
3750 * address type/length 4 bytes
3751 * remote Internet address 4 bytes
3754 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3758 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3763 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3764 sizeof(uint16_t), tok->len, err);
3768 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3773 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3774 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3778 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3779 sizeof(uint16_t), tok->len, err);
3783 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3788 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3789 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3797 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3798 __unused char sfrm, int xml)
3801 print_tok_type(fp, tok->id, "socket", raw, xml);
3803 open_attr(fp, "sock_type");
3804 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3806 open_attr(fp, "lport");
3807 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3809 open_attr(fp, "laddr");
3810 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3812 open_attr(fp, "faddr");
3813 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3815 open_attr(fp, "fport");
3816 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3818 close_tag(fp, tok->id);
3820 print_delim(fp, del);
3821 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3822 print_delim(fp, del);
3823 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3824 print_delim(fp, del);
3825 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3826 print_delim(fp, del);
3827 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3828 print_delim(fp, del);
3829 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3834 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3839 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3840 if (recoversize <= 0)
3843 tok->tt.invalid.length = recoversize;
3845 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3854 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3855 __unused char sfrm, int xml)
3859 print_tok_type(fp, tok->id, "unknown", raw, 0);
3860 print_delim(fp, del);
3861 print_mem(fp, (u_char*)tok->tt.invalid.data,
3862 tok->tt.invalid.length);
3869 * zonename size bytes;
3872 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
3876 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3879 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3887 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3888 __unused char sfrm, int xml)
3891 print_tok_type(fp, tok->id, "zone", raw, xml);
3893 open_attr(fp, "name");
3894 print_string(fp, tok->tt.zonename.zonename,
3895 tok->tt.zonename.len);
3897 close_tag(fp, tok->id);
3899 print_delim(fp, del);
3900 print_string(fp, tok->tt.zonename.zonename,
3901 tok->tt.zonename.len);
3906 * Reads the token beginning at buf into tok.
3909 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3921 return (fetch_header32_tok(tok, buf, len));
3923 case AUT_HEADER32_EX:
3924 return (fetch_header32_ex_tok(tok, buf, len));
3927 return (fetch_header64_tok(tok, buf, len));
3929 case AUT_HEADER64_EX:
3930 return (fetch_header64_ex_tok(tok, buf, len));
3933 return (fetch_trailer_tok(tok, buf, len));
3936 return (fetch_arg32_tok(tok, buf, len));
3939 return (fetch_arg64_tok(tok, buf, len));
3942 return (fetch_attr32_tok(tok, buf, len));
3945 return (fetch_attr64_tok(tok, buf, len));
3948 return (fetch_exit_tok(tok, buf, len));
3951 return (fetch_execarg_tok(tok, buf, len));
3954 return (fetch_execenv_tok(tok, buf, len));
3956 case AUT_OTHER_FILE32:
3957 return (fetch_file_tok(tok, buf, len));
3960 return (fetch_newgroups_tok(tok, buf, len));
3963 return (fetch_inaddr_tok(tok, buf, len));
3965 case AUT_IN_ADDR_EX:
3966 return (fetch_inaddr_ex_tok(tok, buf, len));
3969 return (fetch_ip_tok(tok, buf, len));
3972 return (fetch_ipc_tok(tok, buf, len));
3975 return (fetch_ipcperm_tok(tok, buf, len));
3978 return (fetch_iport_tok(tok, buf, len));
3981 return (fetch_opaque_tok(tok, buf, len));
3984 return (fetch_path_tok(tok, buf, len));
3987 return (fetch_process32_tok(tok, buf, len));
3989 case AUT_PROCESS32_EX:
3990 return (fetch_process32ex_tok(tok, buf, len));
3993 return (fetch_process64_tok(tok, buf, len));
3995 case AUT_PROCESS64_EX:
3996 return (fetch_process64ex_tok(tok, buf, len));
3999 return (fetch_return32_tok(tok, buf, len));
4002 return (fetch_return64_tok(tok, buf, len));
4005 return (fetch_seq_tok(tok, buf, len));
4008 return (fetch_socket_tok(tok, buf, len));
4010 case AUT_SOCKINET32:
4011 return (fetch_sock_inet32_tok(tok, buf, len));
4014 return (fetch_sock_unix_tok(tok, buf, len));
4017 return (fetch_subject32_tok(tok, buf, len));
4019 case AUT_SUBJECT32_EX:
4020 return (fetch_subject32ex_tok(tok, buf, len));
4023 return (fetch_subject64_tok(tok, buf, len));
4025 case AUT_SUBJECT64_EX:
4026 return (fetch_subject64ex_tok(tok, buf, len));
4029 return (fetch_text_tok(tok, buf, len));
4032 return (fetch_socketex32_tok(tok, buf, len));
4035 return (fetch_arb_tok(tok, buf, len));
4038 return (fetch_zonename_tok(tok, buf, len));
4041 return (fetch_invalid_tok(tok, buf, len));
4046 * 'prints' the token out to outfp.
4049 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4054 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4057 case AUT_HEADER32_EX:
4058 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4062 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4065 case AUT_HEADER64_EX:
4066 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4070 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4074 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4078 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4082 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4086 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4090 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4094 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4098 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4102 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4105 case AUT_OTHER_FILE32:
4106 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4110 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4114 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4117 case AUT_IN_ADDR_EX:
4118 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4122 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4126 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4130 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4134 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4138 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4142 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4146 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4149 case AUT_PROCESS32_EX:
4150 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4154 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4157 case AUT_PROCESS64_EX:
4158 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4162 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4166 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4170 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4174 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4177 case AUT_SOCKINET32:
4178 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4182 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4186 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4190 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4193 case AUT_SUBJECT32_EX:
4194 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4197 case AUT_SUBJECT64_EX:
4198 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4202 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4206 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4210 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4214 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4219 * 'prints' the token out to outfp in XML format.
4222 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4228 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4231 case AUT_HEADER32_EX:
4232 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4236 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4239 case AUT_HEADER64_EX:
4240 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4244 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4248 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4252 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4256 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4260 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4264 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4268 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4272 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4276 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4279 case AUT_OTHER_FILE32:
4280 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4284 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4288 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4291 case AUT_IN_ADDR_EX:
4292 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4296 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4300 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4304 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4308 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4312 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4316 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4320 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4323 case AUT_PROCESS32_EX:
4324 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4328 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4331 case AUT_PROCESS64_EX:
4332 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4336 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4340 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4344 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4348 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4351 case AUT_SOCKINET32:
4352 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4356 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4360 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4364 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4367 case AUT_SUBJECT32_EX:
4368 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4371 case AUT_SUBJECT64_EX:
4372 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4376 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4380 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4384 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4388 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4393 * Read a record from the file pointer, store data in buf memory for buf is
4394 * also allocated in this function and has to be free'd outside this call.
4396 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4397 * complete audit record.
4399 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4400 * state, because it will be partly offset into a record. We should rewind
4401 * or do something more intelligent. Particularly interesting is the case
4402 * where we perform a partial read of a record from a non-blockable file
4403 * descriptor. We should return the partial read and continue...?
4406 au_read_rec(FILE *fp, u_char **buf)
4410 u_int32_t bytestoread;
4413 u_int32_t sec, msec;
4414 u_int16_t filenamelen;
4420 case AUT_HEADER32_EX:
4422 case AUT_HEADER64_EX:
4423 /* read the record size from the token */
4424 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4425 sizeof(u_int32_t)) {
4429 recsize = be32toh(recsize);
4431 /* Check for recsize sanity */
4432 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4437 *buf = malloc(recsize * sizeof(u_char));
4441 memset(bptr, 0, recsize);
4443 /* store the token contents already read, back to the buffer*/
4446 be32enc(bptr, recsize);
4447 bptr += sizeof(u_int32_t);
4449 /* now read remaining record bytes */
4450 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4452 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4459 case AUT_OTHER_FILE32:
4461 * The file token is variable-length, as it includes a
4462 * pathname. As a result, we have to read incrementally
4463 * until we know the total length, then allocate space and
4466 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4470 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4474 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4475 sizeof(filenamelen)) {
4479 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4480 sizeof(filenamelen) + ntohs(filenamelen);
4481 *buf = malloc(recsize);
4486 bcopy(&type, bptr, sizeof(type));
4487 bptr += sizeof(type);
4488 bcopy(&sec, bptr, sizeof(sec));
4489 bptr += sizeof(sec);
4490 bcopy(&msec, bptr, sizeof(msec));
4491 bptr += sizeof(msec);
4492 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4493 bptr += sizeof(filenamelen);
4495 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4496 ntohs(filenamelen)) {