2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
7 * This code was developed in part by Robert N. M. Watson, Senior Principal
8 * Scientist, SPARTA, Inc.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
19 * its contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
22 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
26 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
30 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
31 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
32 * POSSIBILITY OF SUCH DAMAGE.
34 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
37 #include <sys/types.h>
39 #include <config/config.h>
40 #ifdef HAVE_SYS_ENDIAN_H
41 #include <sys/endian.h>
42 #else /* !HAVE_SYS_ENDIAN_H */
43 #ifdef HAVE_MACHINE_ENDIAN_H
44 #include <machine/endian.h>
45 #else /* !HAVE_MACHINE_ENDIAN_H */
48 #else /* !HAVE_ENDIAN_H */
49 #error "No supported endian.h"
50 #endif /* !HAVE_ENDIAN_H */
51 #endif /* !HAVE_MACHINE_ENDIAN_H */
52 #include <compat/endian.h>
53 #endif /* !HAVE_SYS_ENDIAN_H */
54 #ifdef HAVE_FULL_QUEUE_H
55 #include <sys/queue.h>
56 #else /* !HAVE_FULL_QUEUE_H */
57 #include <compat/queue.h>
58 #endif /* !HAVE_FULL_QUEUE_H */
61 #include <sys/socket.h>
63 #include <bsm/libbsm.h>
66 #include <netinet/in.h>
67 #include <arpa/inet.h>
76 #include <bsm/audit_internal.h>
78 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
79 if (bytesread + size > len) { \
82 memcpy(dest, buf + bytesread, size); \
87 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
88 if (bytesread + sizeof(u_char) <= len) { \
89 dest = buf[bytesread]; \
90 bytesread += sizeof(u_char); \
95 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
96 if (bytesread + sizeof(u_int16_t) <= len) { \
97 dest = be16dec(buf + bytesread); \
98 bytesread += sizeof(u_int16_t); \
103 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
104 if (bytesread + sizeof(u_int32_t) <= len) { \
105 dest = be32dec(buf + bytesread); \
106 bytesread += sizeof(u_int32_t); \
111 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
112 if (bytesread + sizeof(u_int64_t) <= len) { \
113 dest = be64dec(buf + bytesread); \
114 bytesread += sizeof(u_int64_t); \
119 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
120 if ((bytesread) + (size) > (len)) \
123 (ptr) = (buf) + (bytesread); \
124 (bytesread) += (size); \
129 * Prints the delimiter string.
132 print_delim(FILE *fp, const char *del)
135 fprintf(fp, "%s", del);
139 * Prints a single byte in the given format.
142 print_1_byte(FILE *fp, u_char val, const char *format)
145 fprintf(fp, format, val);
149 * Print 2 bytes in the given format.
152 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
155 fprintf(fp, format, val);
159 * Prints 4 bytes in the given format.
162 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
165 fprintf(fp, format, val);
169 * Prints 8 bytes in the given format.
172 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
175 fprintf(fp, format, val);
179 * Prints the given size of data bytes in hex.
182 print_mem(FILE *fp, u_char *data, size_t len)
188 for (i = 0; i < len; i++)
189 fprintf(fp, "%x", data[i]);
194 * Prints the given data bytes as a string.
197 print_string(FILE *fp, u_char *str, size_t len)
202 for (i = 0; i < len; i++) {
204 fprintf(fp, "%c", str[i]);
210 * Prints the token type in either the raw or the default form.
213 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
217 fprintf(fp, "%u", type);
219 fprintf(fp, "%s", tokname);
223 * Prints a user value.
226 print_user(FILE *fp, u_int32_t usr, char raw)
228 struct passwd *pwent;
231 fprintf(fp, "%d", usr);
233 pwent = getpwuid(usr);
235 fprintf(fp, "%s", pwent->pw_name);
237 fprintf(fp, "%d", usr);
242 * Prints a group value.
245 print_group(FILE *fp, u_int32_t grp, char raw)
247 struct group *grpent;
250 fprintf(fp, "%d", grp);
252 grpent = getgrgid(grp);
254 fprintf(fp, "%s", grpent->gr_name);
256 fprintf(fp, "%d", grp);
261 * Prints the event from the header token in either the short, default or raw
265 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
267 char event_ent_name[AU_EVENT_NAME_MAX];
268 char event_ent_desc[AU_EVENT_DESC_MAX];
269 struct au_event_ent e, *ep;
271 bzero(&e, sizeof(e));
272 bzero(event_ent_name, sizeof(event_ent_name));
273 bzero(event_ent_desc, sizeof(event_ent_desc));
274 e.ae_name = event_ent_name;
275 e.ae_desc = event_ent_desc;
277 ep = getauevnum_r(&e, ev);
279 fprintf(fp, "%u", ev);
284 fprintf(fp, "%u", ev);
286 fprintf(fp, "%s", e.ae_name);
288 fprintf(fp, "%s", e.ae_desc);
293 * Prints the event modifier from the header token in either the default or
297 print_evmod(FILE *fp, u_int16_t evmod, char raw)
300 fprintf(fp, "%u", evmod);
302 fprintf(fp, "%u", evmod);
306 * Prints seconds in the ctime format.
309 print_sec32(FILE *fp, u_int32_t sec, char raw)
315 fprintf(fp, "%u", sec);
317 timestamp = (time_t)sec;
318 ctime_r(×tamp, timestr);
319 timestr[24] = '\0'; /* No new line */
320 fprintf(fp, "%s", timestr);
325 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
326 * assume a 32-bit time_t, we simply truncate for now.
329 print_sec64(FILE *fp, u_int64_t sec, char raw)
335 fprintf(fp, "%u", (u_int32_t)sec);
337 timestamp = (time_t)sec;
338 ctime_r(×tamp, timestr);
339 timestr[24] = '\0'; /* No new line */
340 fprintf(fp, "%s", timestr);
345 * Prints the excess milliseconds.
348 print_msec32(FILE *fp, u_int32_t msec, char raw)
351 fprintf(fp, "%u", msec);
353 fprintf(fp, " + %u msec", msec);
357 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
358 * a 32-bit msec, we simply truncate for now.
361 print_msec64(FILE *fp, u_int64_t msec, char raw)
366 fprintf(fp, "%u", (u_int32_t)msec);
368 fprintf(fp, " + %u msec", (u_int32_t)msec);
372 * Prints a dotted form for the IP address.
375 print_ip_address(FILE *fp, u_int32_t ip)
377 struct in_addr ipaddr;
380 fprintf(fp, "%s", inet_ntoa(ipaddr));
384 * Prints a string value for the given ip address.
387 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
390 struct in6_addr ipv6;
391 char dst[INET6_ADDRSTRLEN];
395 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
396 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
401 bcopy(ipaddr, &ipv6, sizeof(ipv6));
402 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
407 fprintf(fp, "invalid");
412 * Prints return value as success or failure.
415 print_retval(FILE *fp, u_char status, char raw)
418 fprintf(fp, "%u", status);
421 fprintf(fp, "success");
423 fprintf(fp, "failure : %s", strerror(status));
428 * Prints the exit value.
431 print_errval(FILE *fp, u_int32_t val)
434 fprintf(fp, "Error %u", val);
441 print_ipctype(FILE *fp, u_char type, char raw)
444 fprintf(fp, "%u", type);
446 if (type == AT_IPC_MSG)
447 fprintf(fp, "Message IPC");
448 else if (type == AT_IPC_SEM)
449 fprintf(fp, "Semaphore IPC");
450 else if (type == AT_IPC_SHM)
451 fprintf(fp, "Shared Memory IPC");
453 fprintf(fp, "%u", type);
458 * record byte count 4 bytes
459 * version # 1 byte [2]
461 * event modifier 2 bytes
462 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
463 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
466 fetch_header32_tok(tokenstr_t *tok, char *buf, int len)
470 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
474 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
478 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
482 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
486 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
490 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
498 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
501 print_tok_type(fp, tok->id, "header", raw);
502 print_delim(fp, del);
503 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
504 print_delim(fp, del);
505 print_1_byte(fp, tok->tt.hdr32.version, "%u");
506 print_delim(fp, del);
507 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
508 print_delim(fp, del);
509 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
510 print_delim(fp, del);
511 print_sec32(fp, tok->tt.hdr32.s, raw);
512 print_delim(fp, del);
513 print_msec32(fp, tok->tt.hdr32.ms, raw);
517 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
518 * depending on the bit of the specifications found. The OpenSolaris source
519 * code uses a 4-byte address length, followed by some number of bytes of
520 * address data. This contrasts with the Solaris audit.log.5 man page, which
521 * specifies a 1-byte length field. We use the Solaris 10 definition so that
522 * we can parse audit trails from that system.
524 * record byte count 4 bytes
525 * version # 1 byte [2]
527 * event modifier 2 bytes
528 * address type/length 4 bytes
529 * [ Solaris man page: address type/length 1 byte]
530 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
531 * seconds of time 4 bytes/8 bytes (32/64-bits)
532 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
535 fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
539 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
543 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
547 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
551 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
555 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
559 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
560 switch (tok->tt.hdr32_ex.ad_type) {
562 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
563 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
569 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
570 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
574 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
578 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
586 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
590 print_tok_type(fp, tok->id, "header_ex", raw);
591 print_delim(fp, del);
592 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
593 print_delim(fp, del);
594 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
595 print_delim(fp, del);
596 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
597 print_delim(fp, del);
598 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
599 print_delim(fp, del);
600 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
601 tok->tt.hdr32_ex.addr);
602 print_delim(fp, del);
603 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
604 print_delim(fp, del);
605 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
609 * record byte count 4 bytes
611 * event modifier 2 bytes
612 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
613 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
617 fetch_header64_tok(tokenstr_t *tok, char *buf, int len)
621 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
625 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
629 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
633 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
637 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
641 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
649 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
652 print_tok_type(fp, tok->id, "header", raw);
653 print_delim(fp, del);
654 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
655 print_delim(fp, del);
656 print_1_byte(fp, tok->tt.hdr64.version, "%u");
657 print_delim(fp, del);
658 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
659 print_delim(fp, del);
660 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
661 print_delim(fp, del);
662 print_sec64(fp, tok->tt.hdr64.s, raw);
663 print_delim(fp, del);
664 print_msec64(fp, tok->tt.hdr64.ms, raw);
667 * record byte count 4 bytes
668 * version # 1 byte [2]
670 * event modifier 2 bytes
671 * address type/length 4 bytes
672 * [ Solaris man page: address type/length 1 byte]
673 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
674 * seconds of time 4 bytes/8 bytes (32/64-bits)
675 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
677 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
678 * accuracy of the BSM spec.
681 fetch_header64_ex_tok(tokenstr_t *tok, char *buf, int len)
685 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
689 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
693 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
697 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
701 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
705 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
706 switch (tok->tt.hdr64_ex.ad_type) {
708 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
709 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
715 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
716 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
720 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
724 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
732 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
735 print_tok_type(fp, tok->id, "header_ex", raw);
736 print_delim(fp, del);
737 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
738 print_delim(fp, del);
739 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
740 print_delim(fp, del);
741 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
742 print_delim(fp, del);
743 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
744 print_delim(fp, del);
745 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
746 tok->tt.hdr64_ex.addr);
747 print_delim(fp, del);
748 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
749 print_delim(fp, del);
750 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
754 * trailer magic 2 bytes
755 * record size 4 bytes
758 fetch_trailer_tok(tokenstr_t *tok, char *buf, int len)
762 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
766 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
774 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
778 print_tok_type(fp, tok->id, "trailer", raw);
779 print_delim(fp, del);
780 print_4_bytes(fp, tok->tt.trail.count, "%u");
785 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
786 * text length 2 bytes
787 * text N bytes + 1 terminating NULL byte
790 fetch_arg32_tok(tokenstr_t *tok, char *buf, int len)
794 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
798 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
802 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
806 SET_PTR(buf, len, tok->tt.arg32.text, tok->tt.arg32.len, tok->len,
815 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
819 print_tok_type(fp, tok->id, "argument", raw);
820 print_delim(fp, del);
821 print_1_byte(fp, tok->tt.arg32.no, "%u");
822 print_delim(fp, del);
823 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
824 print_delim(fp, del);
825 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
829 fetch_arg64_tok(tokenstr_t *tok, char *buf, int len)
833 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
837 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
841 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
845 SET_PTR(buf, len, tok->tt.arg64.text, tok->tt.arg64.len, tok->len,
854 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
858 print_tok_type(fp, tok->id, "argument", raw);
859 print_delim(fp, del);
860 print_1_byte(fp, tok->tt.arg64.no, "%u");
861 print_delim(fp, del);
862 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
863 print_delim(fp, del);
864 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
868 * how to print 1 byte
871 * data items (depends on basic unit)
874 fetch_arb_tok(tokenstr_t *tok, char *buf, int len)
879 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
883 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
887 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
892 * Determine the size of the basic unit.
894 switch(tok->tt.arb.bu) {
897 datasize = AUR_BYTE_SIZE;
901 datasize = AUR_SHORT_SIZE;
906 datasize = AUR_INT32_SIZE;
910 datasize = AUR_INT64_SIZE;
917 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
926 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
934 print_tok_type(fp, tok->id, "arbitrary", raw);
935 print_delim(fp, del);
937 switch(tok->tt.arb.howtopr) {
967 print_string(fp, str, strlen(str));
968 print_delim(fp, del);
969 switch(tok->tt.arb.bu) {
973 size = AUR_BYTE_SIZE;
974 print_string(fp, str, strlen(str));
975 print_delim(fp, del);
976 print_1_byte(fp, tok->tt.arb.uc, "%u");
977 print_delim(fp, del);
978 for (i = 0; i<tok->tt.arb.uc; i++)
979 fprintf(fp, format, *(tok->tt.arb.data + (size * i)));
984 size = AUR_SHORT_SIZE;
985 print_string(fp, str, strlen(str));
986 print_delim(fp, del);
987 print_1_byte(fp, tok->tt.arb.uc, "%u");
988 print_delim(fp, del);
989 for (i = 0; i < tok->tt.arb.uc; i++)
990 fprintf(fp, format, *((u_int16_t *)(tok->tt.arb.data +
997 size = AUR_INT32_SIZE;
998 print_string(fp, str, strlen(str));
999 print_delim(fp, del);
1000 print_1_byte(fp, tok->tt.arb.uc, "%u");
1001 print_delim(fp, del);
1002 for (i = 0; i < tok->tt.arb.uc; i++)
1003 fprintf(fp, format, *((u_int32_t *)(tok->tt.arb.data +
1009 size = AUR_INT64_SIZE;
1010 print_string(fp, str, strlen(str));
1011 print_delim(fp, del);
1012 print_1_byte(fp, tok->tt.arb.uc, "%u");
1013 print_delim(fp, del);
1014 for (i = 0; i < tok->tt.arb.uc; i++)
1015 fprintf(fp, format, *((u_int64_t *)(tok->tt.arb.data +
1025 * file access mode 4 bytes
1026 * owner user ID 4 bytes
1027 * owner group ID 4 bytes
1028 * file system ID 4 bytes
1030 * device 4 bytes/8 bytes (32-bit/64-bit)
1033 fetch_attr32_tok(tokenstr_t *tok, char *buf, int len)
1037 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1041 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1045 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1049 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1053 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1057 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1065 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1069 print_tok_type(fp, tok->id, "attribute", raw);
1070 print_delim(fp, del);
1071 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1072 print_delim(fp, del);
1073 print_user(fp, tok->tt.attr32.uid, raw);
1074 print_delim(fp, del);
1075 print_group(fp, tok->tt.attr32.gid, raw);
1076 print_delim(fp, del);
1077 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1078 print_delim(fp, del);
1079 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1080 print_delim(fp, del);
1081 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1085 * file access mode 4 bytes
1086 * owner user ID 4 bytes
1087 * owner group ID 4 bytes
1088 * file system ID 4 bytes
1090 * device 4 bytes/8 bytes (32-bit/64-bit)
1093 fetch_attr64_tok(tokenstr_t *tok, char *buf, int len)
1097 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1101 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1105 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1109 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1113 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1117 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1125 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1129 print_tok_type(fp, tok->id, "attribute", raw);
1130 print_delim(fp, del);
1131 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1132 print_delim(fp, del);
1133 print_user(fp, tok->tt.attr64.uid, raw);
1134 print_delim(fp, del);
1135 print_group(fp, tok->tt.attr64.gid, raw);
1136 print_delim(fp, del);
1137 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1138 print_delim(fp, del);
1139 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1140 print_delim(fp, del);
1141 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1146 * return value 4 bytes
1149 fetch_exit_tok(tokenstr_t *tok, char *buf, int len)
1153 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1157 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1165 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1169 print_tok_type(fp, tok->id, "exit", raw);
1170 print_delim(fp, del);
1171 print_errval(fp, tok->tt.exit.status);
1172 print_delim(fp, del);
1173 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1178 * text count null-terminated string(s)
1181 fetch_execarg_tok(tokenstr_t *tok, char *buf, int len)
1187 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1191 for (i = 0; i < tok->tt.execarg.count; i++) {
1192 bptr = buf + tok->len;
1193 if (i < AUDIT_MAX_ARGS)
1194 tok->tt.execarg.text[i] = bptr;
1196 /* Look for a null terminated string. */
1197 while (bptr && (*bptr != '\0')) {
1198 if (++tok->len >=len)
1200 bptr = buf + tok->len;
1204 tok->len++; /* \0 character */
1206 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1207 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1213 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1218 print_tok_type(fp, tok->id, "exec arg", raw);
1219 for (i = 0; i < tok->tt.execarg.count; i++) {
1220 print_delim(fp, del);
1221 print_string(fp, tok->tt.execarg.text[i],
1222 strlen(tok->tt.execarg.text[i]));
1228 * text count null-terminated string(s)
1231 fetch_execenv_tok(tokenstr_t *tok, char *buf, int len)
1237 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1241 for (i = 0; i < tok->tt.execenv.count; i++) {
1242 bptr = buf + tok->len;
1243 if (i < AUDIT_MAX_ENV)
1244 tok->tt.execenv.text[i] = bptr;
1246 /* Look for a null terminated string. */
1247 while (bptr && (*bptr != '\0')) {
1248 if (++tok->len >=len)
1250 bptr = buf + tok->len;
1254 tok->len++; /* \0 character */
1256 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1257 tok->tt.execenv.count = AUDIT_MAX_ENV;
1263 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1268 print_tok_type(fp, tok->id, "exec env", raw);
1269 for (i = 0; i< tok->tt.execenv.count; i++) {
1270 print_delim(fp, del);
1271 print_string(fp, tok->tt.execenv.text[i],
1272 strlen(tok->tt.execenv.text[i]));
1277 * seconds of time 4 bytes
1278 * milliseconds of time 4 bytes
1279 * file name len 2 bytes
1280 * file pathname N bytes + 1 terminating NULL byte
1283 fetch_file_tok(tokenstr_t *tok, char *buf, int len)
1287 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1291 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1295 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1299 SET_PTR(buf, len, tok->tt.file.name, tok->tt.file.len, tok->len, err);
1307 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1311 print_tok_type(fp, tok->id, "file", raw);
1312 print_delim(fp, del);
1313 print_sec32(fp, tok->tt.file.s, raw);
1314 print_delim(fp, del);
1315 print_msec32(fp, tok->tt.file.ms, raw);
1316 print_delim(fp, del);
1317 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1321 * number groups 2 bytes
1322 * group list count * 4 bytes
1325 fetch_newgroups_tok(tokenstr_t *tok, char *buf, int len)
1330 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1334 for (i = 0; i<tok->tt.grps.no; i++) {
1335 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1345 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1350 print_tok_type(fp, tok->id, "group", raw);
1351 for (i = 0; i < tok->tt.grps.no; i++) {
1352 print_delim(fp, del);
1353 print_group(fp, tok->tt.grps.list[i], raw);
1358 * Internet addr 4 bytes
1361 fetch_inaddr_tok(tokenstr_t *tok, char *buf, int len)
1365 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
1375 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1379 print_tok_type(fp, tok->id, "ip addr", raw);
1380 print_delim(fp, del);
1381 print_ip_address(fp, tok->tt.inaddr.addr);
1389 fetch_inaddr_ex_tok(tokenstr_t *tok, char *buf, int len)
1393 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
1397 if (tok->tt.inaddr_ex.type == AU_IPv4) {
1398 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
1399 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
1402 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
1403 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
1404 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
1414 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1418 print_tok_type(fp, tok->id, "ip addr ex", raw);
1419 print_delim(fp, del);
1420 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
1421 tok->tt.inaddr_ex.addr);
1425 * ip header 20 bytes
1428 fetch_ip_tok(tokenstr_t *tok, char *buf, int len)
1432 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
1436 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
1440 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
1445 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
1450 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
1455 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
1459 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
1463 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
1468 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
1473 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
1482 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1486 print_tok_type(fp, tok->id, "ip", raw);
1487 print_delim(fp, del);
1488 print_mem(fp, (u_char *)(&tok->tt.ip.version), sizeof(u_char));
1489 print_delim(fp, del);
1490 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
1491 print_delim(fp, del);
1492 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
1493 print_delim(fp, del);
1494 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
1495 print_delim(fp, del);
1496 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
1497 print_delim(fp, del);
1498 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
1499 print_delim(fp, del);
1500 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
1501 print_delim(fp, del);
1502 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
1503 print_delim(fp, del);
1504 print_ip_address(fp, tok->tt.ip.src);
1505 print_delim(fp, del);
1506 print_ip_address(fp, tok->tt.ip.dest);
1510 * object ID type 1 byte
1514 fetch_ipc_tok(tokenstr_t *tok, char *buf, int len)
1518 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
1522 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
1530 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1534 print_tok_type(fp, tok->id, "IPC", raw);
1535 print_delim(fp, del);
1536 print_ipctype(fp, tok->tt.ipc.type, raw);
1537 print_delim(fp, del);
1538 print_4_bytes(fp, tok->tt.ipc.id, "%u");
1542 * owner user id 4 bytes
1543 * owner group id 4 bytes
1544 * creator user id 4 bytes
1545 * creator group id 4 bytes
1546 * access mode 4 bytes
1551 fetch_ipcperm_tok(tokenstr_t *tok, char *buf, int len)
1555 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
1559 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
1563 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
1567 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
1571 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
1575 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
1579 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
1587 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1591 print_tok_type(fp, tok->id, "IPC perm", raw);
1592 print_delim(fp, del);
1593 print_user(fp, tok->tt.ipcperm.uid, raw);
1594 print_delim(fp, del);
1595 print_group(fp, tok->tt.ipcperm.gid, raw);
1596 print_delim(fp, del);
1597 print_user(fp, tok->tt.ipcperm.puid, raw);
1598 print_delim(fp, del);
1599 print_group(fp, tok->tt.ipcperm.pgid, raw);
1600 print_delim(fp, del);
1601 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
1602 print_delim(fp, del);
1603 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
1604 print_delim(fp, del);
1605 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
1609 * port Ip address 2 bytes
1612 fetch_iport_tok(tokenstr_t *tok, char *buf, int len)
1616 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
1625 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1629 print_tok_type(fp, tok->id, "ip port", raw);
1630 print_delim(fp, del);
1631 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
1639 fetch_opaque_tok(tokenstr_t *tok, char *buf, int len)
1643 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
1647 SET_PTR(buf, len, tok->tt.opaque.data, tok->tt.opaque.size, tok->len,
1656 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1660 print_tok_type(fp, tok->id, "opaque", raw);
1661 print_delim(fp, del);
1662 print_2_bytes(fp, tok->tt.opaque.size, "%u");
1663 print_delim(fp, del);
1664 print_mem(fp, tok->tt.opaque.data, tok->tt.opaque.size);
1672 fetch_path_tok(tokenstr_t *tok, char *buf, int len)
1676 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
1680 SET_PTR(buf, len, tok->tt.path.path, tok->tt.path.len, tok->len, err);
1688 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1692 print_tok_type(fp, tok->id, "path", raw);
1693 print_delim(fp, del);
1694 print_string(fp, tok->tt.path.path, tok->tt.path.len);
1708 * machine id 4 bytes
1711 fetch_process32_tok(tokenstr_t *tok, char *buf, int len)
1715 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
1719 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
1723 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
1727 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
1731 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
1735 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
1739 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
1743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
1747 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
1748 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
1756 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1760 print_tok_type(fp, tok->id, "process", raw);
1761 print_delim(fp, del);
1762 print_user(fp, tok->tt.proc32.auid, raw);
1763 print_delim(fp, del);
1764 print_user(fp, tok->tt.proc32.euid, raw);
1765 print_delim(fp, del);
1766 print_group(fp, tok->tt.proc32.egid, raw);
1767 print_delim(fp, del);
1768 print_user(fp, tok->tt.proc32.ruid, raw);
1769 print_delim(fp, del);
1770 print_group(fp, tok->tt.proc32.rgid, raw);
1771 print_delim(fp, del);
1772 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
1773 print_delim(fp, del);
1774 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
1775 print_delim(fp, del);
1776 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
1777 print_delim(fp, del);
1778 print_ip_address(fp, tok->tt.proc32.tid.addr);
1782 fetch_process32ex_tok(tokenstr_t *tok, char *buf, int len)
1786 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
1790 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
1794 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
1798 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
1802 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
1806 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
1810 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
1814 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
1819 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
1824 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
1825 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
1826 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
1829 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
1830 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
1831 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
1841 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1845 print_tok_type(fp, tok->id, "process_ex", raw);
1846 print_delim(fp, del);
1847 print_user(fp, tok->tt.proc32_ex.auid, raw);
1848 print_delim(fp, del);
1849 print_user(fp, tok->tt.proc32_ex.euid, raw);
1850 print_delim(fp, del);
1851 print_group(fp, tok->tt.proc32_ex.egid, raw);
1852 print_delim(fp, del);
1853 print_user(fp, tok->tt.proc32_ex.ruid, raw);
1854 print_delim(fp, del);
1855 print_group(fp, tok->tt.proc32_ex.rgid, raw);
1856 print_delim(fp, del);
1857 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
1858 print_delim(fp, del);
1859 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
1860 print_delim(fp, del);
1861 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
1862 print_delim(fp, del);
1863 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
1864 tok->tt.proc32_ex.tid.addr);
1869 * return value 4 bytes
1872 fetch_return32_tok(tokenstr_t *tok, char *buf, int len)
1876 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
1880 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
1888 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1892 print_tok_type(fp, tok->id, "return", raw);
1893 print_delim(fp, del);
1894 print_retval(fp, tok->tt.ret32.status, raw);
1895 print_delim(fp, del);
1896 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
1900 fetch_return64_tok(tokenstr_t *tok, char *buf, int len)
1904 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
1908 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
1916 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1920 print_tok_type(fp, tok->id, "return", raw);
1921 print_delim(fp, del);
1922 print_retval(fp, tok->tt.ret64.err, raw);
1923 print_delim(fp, del);
1924 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
1931 fetch_seq_tok(tokenstr_t *tok, char *buf, int len)
1935 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
1943 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1947 print_tok_type(fp, tok->id, "sequence", raw);
1948 print_delim(fp, del);
1949 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
1953 * socket family 2 bytes
1954 * local port 2 bytes
1955 * socket address 4 bytes
1958 fetch_sock_inet32_tok(tokenstr_t *tok, char *buf, int len)
1962 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
1967 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
1968 sizeof(uint16_t), tok->len, err);
1972 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
1973 sizeof(tok->tt.sockinet32.addr), tok->len, err);
1981 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1985 print_tok_type(fp, tok->id, "socket-inet", raw);
1986 print_delim(fp, del);
1987 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
1988 print_delim(fp, del);
1989 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
1990 print_delim(fp, del);
1991 print_ip_address(fp, tok->tt.sockinet32.addr);
1995 * socket family 2 bytes
1999 fetch_sock_unix_tok(tokenstr_t *tok, char *buf, int len)
2003 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
2007 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
2016 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2020 print_tok_type(fp, tok->id, "socket-unix", raw);
2021 print_delim(fp, del);
2022 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
2023 print_delim(fp, del);
2024 print_string(fp, tok->tt.sockunix.path,
2025 strlen(tok->tt.sockunix.path));
2029 * socket type 2 bytes
2030 * local port 2 bytes
2031 * local address 4 bytes
2032 * remote port 2 bytes
2033 * remote address 4 bytes
2036 fetch_socket_tok(tokenstr_t *tok, char *buf, int len)
2040 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
2044 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
2049 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
2050 sizeof(tok->tt.socket.l_addr), tok->len, err);
2054 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
2059 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
2060 sizeof(tok->tt.socket.r_addr), tok->len, err);
2068 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2072 print_tok_type(fp, tok->id, "socket", raw);
2073 print_delim(fp, del);
2074 print_2_bytes(fp, tok->tt.socket.type, "%u");
2075 print_delim(fp, del);
2076 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
2077 print_delim(fp, del);
2078 print_ip_address(fp, tok->tt.socket.l_addr);
2079 print_delim(fp, del);
2080 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
2081 print_delim(fp, del);
2082 print_ip_address(fp, tok->tt.socket.r_addr);
2094 * portid 4 bytes/8 bytes (32-bit/64-bit value)
2095 * machine id 4 bytes
2098 fetch_subject32_tok(tokenstr_t *tok, char *buf, int len)
2102 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
2106 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
2110 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
2114 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
2118 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
2122 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
2126 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
2130 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
2134 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
2135 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
2143 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2147 print_tok_type(fp, tok->id, "subject", raw);
2148 print_delim(fp, del);
2149 print_user(fp, tok->tt.subj32.auid, raw);
2150 print_delim(fp, del);
2151 print_user(fp, tok->tt.subj32.euid, raw);
2152 print_delim(fp, del);
2153 print_group(fp, tok->tt.subj32.egid, raw);
2154 print_delim(fp, del);
2155 print_user(fp, tok->tt.subj32.ruid, raw);
2156 print_delim(fp, del);
2157 print_group(fp, tok->tt.subj32.rgid, raw);
2158 print_delim(fp, del);
2159 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
2160 print_delim(fp, del);
2161 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
2162 print_delim(fp, del);
2163 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
2164 print_delim(fp, del);
2165 print_ip_address(fp, tok->tt.subj32.tid.addr);
2177 * portid 4 bytes/8 bytes (32-bit/64-bit value)
2178 * machine id 4 bytes
2181 fetch_subject64_tok(tokenstr_t *tok, char *buf, int len)
2185 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
2189 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
2193 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
2197 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
2201 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
2205 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
2209 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
2213 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
2217 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
2218 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
2226 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2230 print_tok_type(fp, tok->id, "subject", raw);
2231 print_delim(fp, del);
2232 print_user(fp, tok->tt.subj64.auid, raw);
2233 print_delim(fp, del);
2234 print_user(fp, tok->tt.subj64.euid, raw);
2235 print_delim(fp, del);
2236 print_group(fp, tok->tt.subj64.egid, raw);
2237 print_delim(fp, del);
2238 print_user(fp, tok->tt.subj64.ruid, raw);
2239 print_delim(fp, del);
2240 print_group(fp, tok->tt.subj64.rgid, raw);
2241 print_delim(fp, del);
2242 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
2243 print_delim(fp, del);
2244 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
2245 print_delim(fp, del);
2246 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
2247 print_delim(fp, del);
2248 print_ip_address(fp, tok->tt.subj64.tid.addr);
2262 * machine id 16 bytes
2265 fetch_subject32ex_tok(tokenstr_t *tok, char *buf, int len)
2269 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
2273 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
2277 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
2281 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
2285 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
2289 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
2293 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
2297 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
2302 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
2307 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
2308 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
2309 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
2312 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
2313 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
2314 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
2324 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2328 print_tok_type(fp, tok->id, "subject_ex", raw);
2329 print_delim(fp, del);
2330 print_user(fp, tok->tt.subj32_ex.auid, raw);
2331 print_delim(fp, del);
2332 print_user(fp, tok->tt.subj32_ex.euid, raw);
2333 print_delim(fp, del);
2334 print_group(fp, tok->tt.subj32_ex.egid, raw);
2335 print_delim(fp, del);
2336 print_user(fp, tok->tt.subj32_ex.ruid, raw);
2337 print_delim(fp, del);
2338 print_group(fp, tok->tt.subj32_ex.rgid, raw);
2339 print_delim(fp, del);
2340 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
2341 print_delim(fp, del);
2342 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
2343 print_delim(fp, del);
2344 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
2345 print_delim(fp, del);
2346 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
2347 tok->tt.subj32_ex.tid.addr);
2355 fetch_text_tok(tokenstr_t *tok, char *buf, int len)
2359 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
2363 SET_PTR(buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
2372 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2376 print_tok_type(fp, tok->id, "text", raw);
2377 print_delim(fp, del);
2378 print_string(fp, tok->tt.text.text, tok->tt.text.len);
2382 * socket type 2 bytes
2383 * local port 2 bytes
2384 * address type/length 4 bytes
2385 * local Internet address 4 bytes
2386 * remote port 4 bytes
2387 * address type/length 4 bytes
2388 * remote Internet address 4 bytes
2391 fetch_socketex32_tok(tokenstr_t *tok, char *buf, int len)
2395 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
2400 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
2401 sizeof(uint16_t), tok->len, err);
2405 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
2410 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
2411 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
2415 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
2416 sizeof(uint16_t), tok->len, err);
2420 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
2425 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
2426 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
2434 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2438 print_tok_type(fp, tok->id, "socket", raw);
2439 print_delim(fp, del);
2440 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
2441 print_delim(fp, del);
2442 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
2443 print_delim(fp, del);
2444 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
2445 print_delim(fp, del);
2446 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
2447 print_delim(fp, del);
2448 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
2452 fetch_invalid_tok(tokenstr_t *tok, char *buf, int len)
2457 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
2458 if (recoversize <= 0)
2461 tok->tt.invalid.length = recoversize;
2463 SET_PTR(buf, len, tok->tt.invalid.data, recoversize, tok->len, err);
2471 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2475 print_tok_type(fp, tok->id, "unknown", raw);
2476 print_delim(fp, del);
2477 print_mem(fp, tok->tt.invalid.data, tok->tt.invalid.length);
2482 * Reads the token beginning at buf into tok.
2485 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
2497 return (fetch_header32_tok(tok, buf, len));
2499 case AUT_HEADER32_EX:
2500 return (fetch_header32_ex_tok(tok, buf, len));
2503 return (fetch_header64_tok(tok, buf, len));
2505 case AUT_HEADER64_EX:
2506 return (fetch_header64_ex_tok(tok, buf, len));
2509 return (fetch_trailer_tok(tok, buf, len));
2512 return (fetch_arg32_tok(tok, buf, len));
2515 return (fetch_arg64_tok(tok, buf, len));
2518 return (fetch_attr32_tok(tok, buf, len));
2521 return (fetch_attr64_tok(tok, buf, len));
2524 return (fetch_exit_tok(tok, buf, len));
2527 return (fetch_execarg_tok(tok, buf, len));
2530 return (fetch_execenv_tok(tok, buf, len));
2532 case AUT_OTHER_FILE32:
2533 return (fetch_file_tok(tok, buf, len));
2536 return (fetch_newgroups_tok(tok, buf, len));
2539 return (fetch_inaddr_tok(tok, buf, len));
2541 case AUT_IN_ADDR_EX:
2542 return (fetch_inaddr_ex_tok(tok, buf, len));
2545 return (fetch_ip_tok(tok, buf, len));
2548 return (fetch_ipc_tok(tok, buf, len));
2551 return (fetch_ipcperm_tok(tok, buf, len));
2554 return (fetch_iport_tok(tok, buf, len));
2557 return (fetch_opaque_tok(tok, buf, len));
2560 return (fetch_path_tok(tok, buf, len));
2563 return (fetch_process32_tok(tok, buf, len));
2565 case AUT_PROCESS32_EX:
2566 return (fetch_process32ex_tok(tok, buf, len));
2569 return (fetch_return32_tok(tok, buf, len));
2572 return (fetch_return64_tok(tok, buf, len));
2575 return (fetch_seq_tok(tok, buf, len));
2578 return (fetch_socket_tok(tok, buf, len));
2580 case AUT_SOCKINET32:
2581 return (fetch_sock_inet32_tok(tok, buf, len));
2584 return (fetch_sock_unix_tok(tok, buf, len));
2587 return (fetch_subject32_tok(tok, buf, len));
2590 return (fetch_subject64_tok(tok, buf, len));
2592 case AUT_SUBJECT32_EX:
2593 return (fetch_subject32ex_tok(tok, buf, len));
2596 return (fetch_text_tok(tok, buf, len));
2599 return (fetch_socketex32_tok(tok, buf, len));
2602 return (fetch_arb_tok(tok, buf, len));
2605 return (fetch_invalid_tok(tok, buf, len));
2610 * 'prints' the token out to outfp
2613 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
2618 print_header32_tok(outfp, tok, del, raw, sfrm);
2621 case AUT_HEADER32_EX:
2622 print_header32_ex_tok(outfp, tok, del, raw, sfrm);
2626 print_header64_tok(outfp, tok, del, raw, sfrm);
2629 case AUT_HEADER64_EX:
2630 print_header64_ex_tok(outfp, tok, del, raw, sfrm);
2634 print_trailer_tok(outfp, tok, del, raw, sfrm);
2638 print_arg32_tok(outfp, tok, del, raw, sfrm);
2642 print_arg64_tok(outfp, tok, del, raw, sfrm);
2646 print_arb_tok(outfp, tok, del, raw, sfrm);
2650 print_attr32_tok(outfp, tok, del, raw, sfrm);
2654 print_attr64_tok(outfp, tok, del, raw, sfrm);
2658 print_exit_tok(outfp, tok, del, raw, sfrm);
2662 print_execarg_tok(outfp, tok, del, raw, sfrm);
2666 print_execenv_tok(outfp, tok, del, raw, sfrm);
2669 case AUT_OTHER_FILE32:
2670 print_file_tok(outfp, tok, del, raw, sfrm);
2674 print_newgroups_tok(outfp, tok, del, raw, sfrm);
2678 print_inaddr_tok(outfp, tok, del, raw, sfrm);
2681 case AUT_IN_ADDR_EX:
2682 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm);
2686 print_ip_tok(outfp, tok, del, raw, sfrm);
2690 print_ipc_tok(outfp, tok, del, raw, sfrm);
2694 print_ipcperm_tok(outfp, tok, del, raw, sfrm);
2698 print_iport_tok(outfp, tok, del, raw, sfrm);
2702 print_opaque_tok(outfp, tok, del, raw, sfrm);
2706 print_path_tok(outfp, tok, del, raw, sfrm);
2710 print_process32_tok(outfp, tok, del, raw, sfrm);
2713 case AUT_PROCESS32_EX:
2714 print_process32ex_tok(outfp, tok, del, raw, sfrm);
2718 print_return32_tok(outfp, tok, del, raw, sfrm);
2722 print_return64_tok(outfp, tok, del, raw, sfrm);
2726 print_seq_tok(outfp, tok, del, raw, sfrm);
2730 print_socket_tok(outfp, tok, del, raw, sfrm);
2733 case AUT_SOCKINET32:
2734 print_sock_inet32_tok(outfp, tok, del, raw, sfrm);
2738 print_sock_unix_tok(outfp, tok, del, raw, sfrm);
2742 print_subject32_tok(outfp, tok, del, raw, sfrm);
2746 print_subject64_tok(outfp, tok, del, raw, sfrm);
2749 case AUT_SUBJECT32_EX:
2750 print_subject32ex_tok(outfp, tok, del, raw, sfrm);
2754 print_text_tok(outfp, tok, del, raw, sfrm);
2758 print_socketex32_tok(outfp, tok, del, raw, sfrm);
2762 print_invalid_tok(outfp, tok, del, raw, sfrm);
2767 * Read a record from the file pointer, store data in buf memory for buf is
2768 * also allocated in this function and has to be free'd outside this call.
2770 * au_read_rec() handles two possibilities: a stand-alone file token, or a
2771 * complete audit record.
2773 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
2774 * state, because it will be partly offset into a record. We should rewind
2775 * or do something more intelligent. Particularly interesting is the case
2776 * where we perform a partial read of a record from a non-blockable file
2777 * descriptor. We should return the partial read and continue...?
2780 au_read_rec(FILE *fp, u_char **buf)
2784 u_int32_t bytestoread;
2787 u_int32_t sec, msec;
2788 u_int16_t filenamelen;
2794 case AUT_HEADER32_EX:
2796 case AUT_HEADER64_EX:
2797 /* read the record size from the token */
2798 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
2799 sizeof(u_int32_t)) {
2803 recsize = be32toh(recsize);
2805 /* Check for recsize sanity */
2806 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
2811 *buf = malloc(recsize * sizeof(u_char));
2815 memset(bptr, 0, recsize);
2817 /* store the token contents already read, back to the buffer*/
2820 be32enc(bptr, recsize);
2821 bptr += sizeof(u_int32_t);
2823 /* now read remaining record bytes */
2824 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
2826 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
2833 case AUT_OTHER_FILE32:
2835 * The file token is variable-length, as it includes a
2836 * pathname. As a result, we have to read incrementally
2837 * until we know the total length, then allocate space and
2840 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
2844 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
2848 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
2849 sizeof(filenamelen)) {
2853 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
2854 sizeof(filenamelen) + ntohs(filenamelen);
2855 *buf = malloc(recsize);
2860 bcopy(&type, bptr, sizeof(type));
2861 bptr += sizeof(type);
2862 bcopy(&sec, bptr, sizeof(sec));
2863 bptr += sizeof(sec);
2864 bcopy(&msec, bptr, sizeof(msec));
2865 bptr += sizeof(msec);
2866 bcopy(&filenamelen, bptr, sizeof(filenamelen));
2867 bptr += sizeof(filenamelen);
2869 if (fread(bptr, 1, ntohs(filenamelen), fp) <
2870 ntohs(filenamelen)) {