2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#48 $
38 #include <sys/types.h>
40 #include <config/config.h>
41 #ifdef HAVE_SYS_ENDIAN_H
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
62 #include <sys/socket.h>
64 #include <bsm/libbsm.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
77 #include <bsm/audit_internal.h>
79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if (bytesread + size > len) { \
83 memcpy(dest, buf + bytesread, size); \
88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if (bytesread + sizeof(u_char) <= len) { \
90 dest = buf[bytesread]; \
91 bytesread += sizeof(u_char); \
96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if (bytesread + sizeof(u_int16_t) <= len) { \
98 dest = be16dec(buf + bytesread); \
99 bytesread += sizeof(u_int16_t); \
104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if (bytesread + sizeof(u_int32_t) <= len) { \
106 dest = be32dec(buf + bytesread); \
107 bytesread += sizeof(u_int32_t); \
112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if (bytesread + sizeof(u_int64_t) <= len) { \
114 dest = be64dec(buf + bytesread); \
115 bytesread += sizeof(u_int64_t); \
120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (len)) \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
136 * Prints the delimiter string.
139 print_delim(FILE *fp, const char *del)
142 fprintf(fp, "%s", del);
146 * Prints a single byte in the given format.
149 print_1_byte(FILE *fp, u_char val, const char *format)
152 fprintf(fp, format, val);
156 * Print 2 bytes in the given format.
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
162 fprintf(fp, format, val);
166 * Prints 4 bytes in the given format.
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
172 fprintf(fp, format, val);
176 * Prints 8 bytes in the given format.
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
182 fprintf(fp, format, val);
186 * Prints the given size of data bytes in hex.
189 print_mem(FILE *fp, u_char *data, size_t len)
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%x", data[i]);
201 * Prints the given data bytes as a string.
204 print_string(FILE *fp, const char *str, size_t len)
209 for (i = 0; i < len; i++) {
211 fprintf(fp, "%c", str[i]);
217 * Prints the beggining of attribute.
220 open_attr(FILE *fp, const char *str)
223 fprintf(fp,"%s=\"", str);
227 * Prints the end of attribute.
237 * Prints the end of tag.
240 close_tag(FILE *fp, u_char type)
248 case AUT_HEADER32_EX:
256 case AUT_HEADER64_EX:
281 fprintf(fp, "</exec_args>");
285 fprintf(fp, "</exec_env>");
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
293 fprintf(fp, "</group>");
297 fprintf(fp, "</ip_address>");
301 fprintf(fp, "</ip_address>");
317 fprintf(fp, "</ip_port>");
321 fprintf(fp, "</opaque>");
325 fprintf(fp, "</path>");
332 case AUT_PROCESS32_EX:
340 case AUT_PROCESS64_EX:
376 case AUT_SUBJECT32_EX:
380 case AUT_SUBJECT64_EX:
385 fprintf(fp, "</text>");
393 fprintf(fp, "</arbitrary>");
403 * Prints the token type in either the raw or the default form.
406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
412 fprintf(fp, "<record ");
415 case AUT_HEADER32_EX:
416 fprintf(fp, "<record ");
420 fprintf(fp, "<record ");
423 case AUT_HEADER64_EX:
424 fprintf(fp, "<record ");
428 fprintf(fp, "</record>");
432 fprintf(fp, "<argument ");
436 fprintf(fp, "<argument ");
440 fprintf(fp, "<attribute ");
444 fprintf(fp, "<attribute ");
448 fprintf(fp, "<exit ");
452 fprintf(fp, "<exec_args>");
456 fprintf(fp, "<exec_env>");
459 case AUT_OTHER_FILE32:
460 fprintf(fp, "<file ");
464 fprintf(fp, "<group>");
468 fprintf(fp, "<ip_address>");
472 fprintf(fp, "<ip_address>");
484 fprintf(fp, "<IPC_perm ");
488 fprintf(fp, "<ip_port>");
492 fprintf(fp, "<opaque>");
496 fprintf(fp, "<path>");
500 fprintf(fp, "<process ");
503 case AUT_PROCESS32_EX:
504 fprintf(fp, "<process ");
508 fprintf(fp, "<process ");
511 case AUT_PROCESS64_EX:
512 fprintf(fp, "<process ");
516 fprintf(fp, "<return ");
520 fprintf(fp, "<return ");
524 fprintf(fp, "<sequence ");
528 fprintf(fp, "<socket ");
532 fprintf(fp, "<old_socket");
536 fprintf(fp, "<old_socket");
540 fprintf(fp, "<subject ");
544 fprintf(fp, "<subject ");
547 case AUT_SUBJECT32_EX:
548 fprintf(fp, "<subject ");
551 case AUT_SUBJECT64_EX:
552 fprintf(fp, "<subject ");
556 fprintf(fp, "<text>");
560 fprintf(fp, "<socket ");
564 fprintf(fp, "<arbitrary ");
568 fprintf(fp, "<zone ");
573 fprintf(fp, "%u", type);
575 fprintf(fp, "%s", tokname);
580 * Prints a user value.
583 print_user(FILE *fp, u_int32_t usr, char raw)
585 struct passwd *pwent;
588 fprintf(fp, "%d", usr);
590 pwent = getpwuid(usr);
592 fprintf(fp, "%s", pwent->pw_name);
594 fprintf(fp, "%d", usr);
599 * Prints a group value.
602 print_group(FILE *fp, u_int32_t grp, char raw)
604 struct group *grpent;
607 fprintf(fp, "%d", grp);
609 grpent = getgrgid(grp);
611 fprintf(fp, "%s", grpent->gr_name);
613 fprintf(fp, "%d", grp);
618 * Prints the event from the header token in either the short, default or raw
622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
624 char event_ent_name[AU_EVENT_NAME_MAX];
625 char event_ent_desc[AU_EVENT_DESC_MAX];
626 struct au_event_ent e, *ep;
628 bzero(&e, sizeof(e));
629 bzero(event_ent_name, sizeof(event_ent_name));
630 bzero(event_ent_desc, sizeof(event_ent_desc));
631 e.ae_name = event_ent_name;
632 e.ae_desc = event_ent_desc;
634 ep = getauevnum_r(&e, ev);
636 fprintf(fp, "%u", ev);
641 fprintf(fp, "%u", ev);
643 fprintf(fp, "%s", e.ae_name);
645 fprintf(fp, "%s", e.ae_desc);
650 * Prints the event modifier from the header token in either the default or
654 print_evmod(FILE *fp, u_int16_t evmod, char raw)
657 fprintf(fp, "%u", evmod);
659 fprintf(fp, "%u", evmod);
663 * Prints seconds in the ctime format.
666 print_sec32(FILE *fp, u_int32_t sec, char raw)
672 fprintf(fp, "%u", sec);
674 timestamp = (time_t)sec;
675 ctime_r(×tamp, timestr);
676 timestr[24] = '\0'; /* No new line */
677 fprintf(fp, "%s", timestr);
682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683 * assume a 32-bit time_t, we simply truncate for now.
686 print_sec64(FILE *fp, u_int64_t sec, char raw)
692 fprintf(fp, "%u", (u_int32_t)sec);
694 timestamp = (time_t)sec;
695 ctime_r(×tamp, timestr);
696 timestr[24] = '\0'; /* No new line */
697 fprintf(fp, "%s", timestr);
702 * Prints the excess milliseconds.
705 print_msec32(FILE *fp, u_int32_t msec, char raw)
708 fprintf(fp, "%u", msec);
710 fprintf(fp, " + %u msec", msec);
714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715 * a 32-bit msec, we simply truncate for now.
718 print_msec64(FILE *fp, u_int64_t msec, char raw)
723 fprintf(fp, "%u", (u_int32_t)msec);
725 fprintf(fp, " + %u msec", (u_int32_t)msec);
729 * Prints a dotted form for the IP address.
732 print_ip_address(FILE *fp, u_int32_t ip)
734 struct in_addr ipaddr;
737 fprintf(fp, "%s", inet_ntoa(ipaddr));
741 * Prints a string value for the given ip address.
744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
747 struct in6_addr ipv6;
748 char dst[INET6_ADDRSTRLEN];
752 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
758 bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
764 fprintf(fp, "invalid");
769 * Prints return value as success or failure.
772 print_retval(FILE *fp, u_char status, char raw)
775 fprintf(fp, "%u", status);
778 fprintf(fp, "success");
780 fprintf(fp, "failure : %s", strerror(status));
785 * Prints the exit value.
788 print_errval(FILE *fp, u_int32_t val)
791 fprintf(fp, "Error %u", val);
798 print_ipctype(FILE *fp, u_char type, char raw)
801 fprintf(fp, "%u", type);
803 if (type == AT_IPC_MSG)
804 fprintf(fp, "Message IPC");
805 else if (type == AT_IPC_SEM)
806 fprintf(fp, "Semaphore IPC");
807 else if (type == AT_IPC_SHM)
808 fprintf(fp, "Shared Memory IPC");
810 fprintf(fp, "%u", type);
818 au_print_xml_header(FILE *outfp)
821 fprintf(outfp, "<?xml version='1.0' ?>\n");
822 fprintf(outfp, "<audit>\n");
829 au_print_xml_footer(FILE *outfp)
832 fprintf(outfp, "</audit>\n");
836 * record byte count 4 bytes
837 * version # 1 byte [2]
839 * event modifier 2 bytes
840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
880 print_tok_type(fp, tok->id, "header", raw, xml);
882 open_attr(fp, "version");
883 print_1_byte(fp, tok->tt.hdr32.version, "%u");
885 open_attr(fp, "event");
886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
888 open_attr(fp, "modifier");
889 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
891 open_attr(fp, "time");
892 print_sec32(fp, tok->tt.hdr32.s, raw);
894 open_attr(fp, "msec");
895 print_msec32(fp, tok->tt.hdr32.ms, 1);
897 close_tag(fp, tok->id);
899 print_delim(fp, del);
900 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 print_delim(fp, del);
902 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 print_delim(fp, del);
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 print_delim(fp, del);
906 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 print_delim(fp, del);
908 print_sec32(fp, tok->tt.hdr32.s, raw);
909 print_delim(fp, del);
910 print_msec32(fp, tok->tt.hdr32.ms, raw);
915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916 * depending on the bit of the specifications found. The OpenSolaris source
917 * code uses a 4-byte address length, followed by some number of bytes of
918 * address data. This contrasts with the Solaris audit.log.5 man page, which
919 * specifies a 1-byte length field. We use the Solaris 10 definition so that
920 * we can parse audit trails from that system.
922 * record byte count 4 bytes
923 * version # 1 byte [2]
925 * event modifier 2 bytes
926 * address type/length 4 bytes
927 * [ Solaris man page: address type/length 1 byte]
928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
929 * seconds of time 4 bytes/8 bytes (32/64-bits)
930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 switch (tok->tt.hdr32_ex.ad_type) {
960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
988 print_tok_type(fp, tok->id, "header_ex", raw, xml);
990 open_attr(fp, "version");
991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
993 open_attr(fp, "event");
994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
996 open_attr(fp, "modifier");
997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1000 * No attribute for additional types.
1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1003 tok->tt.hdr32_ex.addr);
1005 open_attr(fp, "time");
1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1008 open_attr(fp, "msec");
1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1011 close_tag(fp, tok->id);
1013 print_delim(fp, del);
1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1015 print_delim(fp, del);
1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1017 print_delim(fp, del);
1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1019 print_delim(fp, del);
1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1021 print_delim(fp, del);
1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1023 tok->tt.hdr32_ex.addr);
1024 print_delim(fp, del);
1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1026 print_delim(fp, del);
1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1032 * record byte count 4 bytes
1033 * event type 2 bytes
1034 * event modifier 2 bytes
1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1040 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1072 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1076 print_tok_type(fp, tok->id, "header", raw, xml);
1078 open_attr(fp, "version");
1079 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1081 open_attr(fp, "event");
1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1084 open_attr(fp, "modifier");
1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1087 open_attr(fp, "time");
1088 print_sec64(fp, tok->tt.hdr64.s, raw);
1090 open_attr(fp, "msec");
1091 print_msec64(fp, tok->tt.hdr64.ms, raw);
1093 close_tag(fp, tok->id);
1095 print_delim(fp, del);
1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1097 print_delim(fp, del);
1098 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1099 print_delim(fp, del);
1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1101 print_delim(fp, del);
1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 print_delim(fp, del);
1104 print_sec64(fp, tok->tt.hdr64.s, raw);
1105 print_delim(fp, del);
1106 print_msec64(fp, tok->tt.hdr64.ms, raw);
1111 * record byte count 4 bytes
1112 * version # 1 byte [2]
1113 * event type 2 bytes
1114 * event modifier 2 bytes
1115 * address type/length 4 bytes
1116 * [ Solaris man page: address type/length 1 byte]
1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1118 * seconds of time 4 bytes/8 bytes (32/64-bits)
1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1122 * accuracy of the BSM spec.
1125 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1150 switch (tok->tt.hdr64_ex.ad_type) {
1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1176 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1180 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1182 open_attr(fp, "version");
1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1185 open_attr(fp, "event");
1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1188 open_attr(fp, "modifier");
1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1192 * No attribute for additional types.
1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1195 tok->tt.hdr64_ex.addr);
1197 open_attr(fp, "time");
1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1200 open_attr(fp, "msec");
1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1203 close_tag(fp, tok->id);
1205 print_delim(fp, del);
1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1207 print_delim(fp, del);
1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1209 print_delim(fp, del);
1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1211 print_delim(fp, del);
1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1213 print_delim(fp, del);
1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1215 tok->tt.hdr64_ex.addr);
1216 print_delim(fp, del);
1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1218 print_delim(fp, del);
1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1224 * trailer magic 2 bytes
1225 * record size 4 bytes
1228 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1244 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1245 __unused char sfrm, int xml)
1248 print_tok_type(fp, tok->id, "trailer", raw, xml);
1250 print_delim(fp, del);
1251 print_4_bytes(fp, tok->tt.trail.count, "%u");
1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1258 * text length 2 bytes
1259 * text N bytes + 1 terminating NULL byte
1262 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1287 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1288 __unused char sfrm, int xml)
1291 print_tok_type(fp, tok->id, "argument", raw, xml);
1293 open_attr(fp, "arg-num");
1294 print_1_byte(fp, tok->tt.arg32.no, "%u");
1296 open_attr(fp, "value");
1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1299 open_attr(fp, "desc");
1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1302 close_tag(fp, tok->id);
1304 print_delim(fp, del);
1305 print_1_byte(fp, tok->tt.arg32.no, "%u");
1306 print_delim(fp, del);
1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1308 print_delim(fp, del);
1313 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1317 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1321 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1325 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1329 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1338 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1339 __unused char sfrm, int xml)
1342 print_tok_type(fp, tok->id, "argument", raw, xml);
1344 open_attr(fp, "arg-num");
1345 print_1_byte(fp, tok->tt.arg64.no, "%u");
1347 open_attr(fp, "value");
1348 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1350 open_attr(fp, "desc");
1351 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1353 close_tag(fp, tok->id);
1355 print_delim(fp, del);
1356 print_1_byte(fp, tok->tt.arg64.no, "%u");
1357 print_delim(fp, del);
1358 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1359 print_delim(fp, del);
1360 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1365 * how to print 1 byte
1368 * data items (depends on basic unit)
1371 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1376 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1380 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1384 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1389 * Determine the size of the basic unit.
1391 switch(tok->tt.arb.bu) {
1393 /* case AUR_CHAR: */
1394 datasize = AUR_BYTE_SIZE;
1398 datasize = AUR_SHORT_SIZE;
1403 datasize = AUR_INT32_SIZE;
1407 datasize = AUR_INT64_SIZE;
1414 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1423 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1424 __unused char sfrm, int xml)
1431 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1433 print_delim(fp, del);
1435 switch(tok->tt.arb.howtopr) {
1466 open_attr(fp, "print");
1467 fprintf(fp, "%s",str);
1470 print_string(fp, str, strlen(str));
1471 print_delim(fp, del);
1473 switch(tok->tt.arb.bu) {
1475 /* case AUR_CHAR: */
1477 size = AUR_BYTE_SIZE;
1479 open_attr(fp, "type");
1480 fprintf(fp, "%u", size);
1482 open_attr(fp, "count");
1483 print_1_byte(fp, tok->tt.arb.uc, "%u");
1486 for (i = 0; i<tok->tt.arb.uc; i++)
1487 fprintf(fp, format, *(tok->tt.arb.data +
1489 close_tag(fp, tok->id);
1491 print_string(fp, str, strlen(str));
1492 print_delim(fp, del);
1493 print_1_byte(fp, tok->tt.arb.uc, "%u");
1494 print_delim(fp, del);
1495 for (i = 0; i<tok->tt.arb.uc; i++)
1496 fprintf(fp, format, *(tok->tt.arb.data +
1503 size = AUR_SHORT_SIZE;
1505 open_attr(fp, "type");
1506 fprintf(fp, "%u", size);
1508 open_attr(fp, "count");
1509 print_1_byte(fp, tok->tt.arb.uc, "%u");
1512 for (i = 0; i < tok->tt.arb.uc; i++)
1514 *((u_int16_t *)(tok->tt.arb.data +
1516 close_tag(fp, tok->id);
1518 print_string(fp, str, strlen(str));
1519 print_delim(fp, del);
1520 print_1_byte(fp, tok->tt.arb.uc, "%u");
1521 print_delim(fp, del);
1522 for (i = 0; i < tok->tt.arb.uc; i++)
1524 *((u_int16_t *)(tok->tt.arb.data +
1532 size = AUR_INT32_SIZE;
1534 open_attr(fp, "type");
1535 fprintf(fp, "%u", size);
1537 open_attr(fp, "count");
1538 print_1_byte(fp, tok->tt.arb.uc, "%u");
1541 for (i = 0; i < tok->tt.arb.uc; i++)
1543 *((u_int32_t *)(tok->tt.arb.data +
1545 close_tag(fp, tok->id);
1547 print_string(fp, str, strlen(str));
1548 print_delim(fp, del);
1549 print_1_byte(fp, tok->tt.arb.uc, "%u");
1550 print_delim(fp, del);
1551 for (i = 0; i < tok->tt.arb.uc; i++)
1553 *((u_int32_t *)(tok->tt.arb.data +
1560 size = AUR_INT64_SIZE;
1562 open_attr(fp, "type");
1563 fprintf(fp, "%u", size);
1565 open_attr(fp, "count");
1566 print_1_byte(fp, tok->tt.arb.uc, "%u");
1569 for (i = 0; i < tok->tt.arb.uc; i++)
1571 *((u_int64_t *)(tok->tt.arb.data +
1573 close_tag(fp, tok->id);
1575 print_string(fp, str, strlen(str));
1576 print_delim(fp, del);
1577 print_1_byte(fp, tok->tt.arb.uc, "%u");
1578 print_delim(fp, del);
1579 for (i = 0; i < tok->tt.arb.uc; i++)
1581 *((u_int64_t *)(tok->tt.arb.data +
1592 * file access mode 4 bytes
1593 * owner user ID 4 bytes
1594 * owner group ID 4 bytes
1595 * file system ID 4 bytes
1597 * device 4 bytes/8 bytes (32-bit/64-bit)
1600 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1604 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1608 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1612 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1616 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1620 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1624 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1632 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1633 __unused char sfrm, int xml)
1636 print_tok_type(fp, tok->id, "attribute", raw, xml);
1638 open_attr(fp, "mode");
1639 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1641 open_attr(fp, "uid");
1642 print_user(fp, tok->tt.attr32.uid, raw);
1644 open_attr(fp, "gid");
1645 print_group(fp, tok->tt.attr32.gid, raw);
1647 open_attr(fp, "fsid");
1648 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1650 open_attr(fp, "nodeid");
1651 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1653 open_attr(fp, "device");
1654 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1656 close_tag(fp, tok->id);
1658 print_delim(fp, del);
1659 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1660 print_delim(fp, del);
1661 print_user(fp, tok->tt.attr32.uid, raw);
1662 print_delim(fp, del);
1663 print_group(fp, tok->tt.attr32.gid, raw);
1664 print_delim(fp, del);
1665 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1666 print_delim(fp, del);
1667 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1668 print_delim(fp, del);
1669 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1674 * file access mode 4 bytes
1675 * owner user ID 4 bytes
1676 * owner group ID 4 bytes
1677 * file system ID 4 bytes
1679 * device 4 bytes/8 bytes (32-bit/64-bit)
1682 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1686 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1690 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1694 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1698 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1702 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1706 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1714 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1715 __unused char sfrm, int xml)
1718 print_tok_type(fp, tok->id, "attribute", raw, xml);
1720 open_attr(fp, "mode");
1721 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1723 open_attr(fp, "uid");
1724 print_user(fp, tok->tt.attr64.uid, raw);
1726 open_attr(fp, "gid");
1727 print_group(fp, tok->tt.attr64.gid, raw);
1729 open_attr(fp, "fsid");
1730 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1732 open_attr(fp, "nodeid");
1733 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1735 open_attr(fp, "device");
1736 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1738 close_tag(fp, tok->id);
1740 print_delim(fp, del);
1741 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1742 print_delim(fp, del);
1743 print_user(fp, tok->tt.attr64.uid, raw);
1744 print_delim(fp, del);
1745 print_group(fp, tok->tt.attr64.gid, raw);
1746 print_delim(fp, del);
1747 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1748 print_delim(fp, del);
1749 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1750 print_delim(fp, del);
1751 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1757 * return value 4 bytes
1760 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1764 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1768 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1776 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1777 __unused char sfrm, int xml)
1780 print_tok_type(fp, tok->id, "exit", raw, xml);
1782 open_attr(fp, "errval");
1783 print_errval(fp, tok->tt.exit.status);
1785 open_attr(fp, "retval");
1786 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1788 close_tag(fp, tok->id);
1790 print_delim(fp, del);
1791 print_errval(fp, tok->tt.exit.status);
1792 print_delim(fp, del);
1793 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1799 * text count null-terminated string(s)
1802 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1808 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1812 for (i = 0; i < tok->tt.execarg.count; i++) {
1813 bptr = buf + tok->len;
1814 if (i < AUDIT_MAX_ARGS)
1815 tok->tt.execarg.text[i] = (char*)bptr;
1817 /* Look for a null terminated string. */
1818 while (bptr && (*bptr != '\0')) {
1819 if (++tok->len >=len)
1821 bptr = buf + tok->len;
1825 tok->len++; /* \0 character */
1827 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1828 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1834 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1835 __unused char sfrm, int xml)
1839 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1840 for (i = 0; i < tok->tt.execarg.count; i++) {
1842 fprintf(fp, "<arg>");
1843 print_string(fp, tok->tt.execarg.text[i],
1844 strlen(tok->tt.execarg.text[i]));
1845 fprintf(fp, "</arg>");
1847 print_delim(fp, del);
1848 print_string(fp, tok->tt.execarg.text[i],
1849 strlen(tok->tt.execarg.text[i]));
1853 close_tag(fp, tok->id);
1858 * text count null-terminated string(s)
1861 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1867 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1871 for (i = 0; i < tok->tt.execenv.count; i++) {
1872 bptr = buf + tok->len;
1873 if (i < AUDIT_MAX_ENV)
1874 tok->tt.execenv.text[i] = (char*)bptr;
1876 /* Look for a null terminated string. */
1877 while (bptr && (*bptr != '\0')) {
1878 if (++tok->len >=len)
1880 bptr = buf + tok->len;
1884 tok->len++; /* \0 character */
1886 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1887 tok->tt.execenv.count = AUDIT_MAX_ENV;
1893 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1894 __unused char sfrm, int xml)
1898 print_tok_type(fp, tok->id, "exec env", raw, xml);
1899 for (i = 0; i< tok->tt.execenv.count; i++) {
1901 fprintf(fp, "<env>");
1902 print_string(fp, tok->tt.execenv.text[i],
1903 strlen(tok->tt.execenv.text[i]));
1904 fprintf(fp, "</env>");
1906 print_delim(fp, del);
1907 print_string(fp, tok->tt.execenv.text[i],
1908 strlen(tok->tt.execenv.text[i]));
1912 close_tag(fp, tok->id);
1916 * seconds of time 4 bytes
1917 * milliseconds of time 4 bytes
1918 * file name len 2 bytes
1919 * file pathname N bytes + 1 terminating NULL byte
1922 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1926 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1930 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1934 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1938 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1947 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1948 __unused char sfrm, int xml)
1951 print_tok_type(fp, tok->id, "file", raw, xml);
1953 open_attr(fp, "time");
1954 print_sec32(fp, tok->tt.file.s, raw);
1956 open_attr(fp, "msec");
1957 print_msec32(fp, tok->tt.file.ms, raw);
1960 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1961 close_tag(fp, tok->id);
1963 print_delim(fp, del);
1964 print_sec32(fp, tok->tt.file.s, raw);
1965 print_delim(fp, del);
1966 print_msec32(fp, tok->tt.file.ms, raw);
1967 print_delim(fp, del);
1968 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1973 * number groups 2 bytes
1974 * group list count * 4 bytes
1977 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1982 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1986 for (i = 0; i<tok->tt.grps.no; i++) {
1987 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1997 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1998 __unused char sfrm, int xml)
2002 print_tok_type(fp, tok->id, "group", raw, xml);
2003 for (i = 0; i < tok->tt.grps.no; i++) {
2005 fprintf(fp, "<gid>");
2006 print_group(fp, tok->tt.grps.list[i], raw);
2007 fprintf(fp, "</gid>");
2008 close_tag(fp, tok->id);
2010 print_delim(fp, del);
2011 print_group(fp, tok->tt.grps.list[i], raw);
2017 * Internet addr 4 bytes
2020 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2024 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2034 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2035 __unused char sfrm, int xml)
2038 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2040 print_ip_address(fp, tok->tt.inaddr.addr);
2041 close_tag(fp, tok->id);
2043 print_delim(fp, del);
2044 print_ip_address(fp, tok->tt.inaddr.addr);
2053 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2057 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2061 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2062 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2063 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2066 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2067 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2068 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2078 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2079 __unused char sfrm, int xml)
2082 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2084 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2085 tok->tt.inaddr_ex.addr);
2086 close_tag(fp, tok->id);
2088 print_delim(fp, del);
2089 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2090 tok->tt.inaddr_ex.addr);
2095 * ip header 20 bytes
2098 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2102 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2106 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2110 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2115 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2120 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2125 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2129 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2133 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2138 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2143 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2152 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2153 __unused char sfrm, int xml)
2156 print_tok_type(fp, tok->id, "ip", raw, xml);
2158 open_attr(fp, "version");
2159 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2162 open_attr(fp, "service_type");
2163 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2165 open_attr(fp, "len");
2166 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2168 open_attr(fp, "id");
2169 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2171 open_attr(fp, "offset");
2172 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2174 open_attr(fp, "time_to_live");
2175 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2177 open_attr(fp, "protocol");
2178 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2180 open_attr(fp, "cksum");
2181 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2183 open_attr(fp, "src_addr");
2184 print_ip_address(fp, tok->tt.ip.src);
2186 open_attr(fp, "dest_addr");
2187 print_ip_address(fp, tok->tt.ip.dest);
2189 close_tag(fp, tok->id);
2191 print_delim(fp, del);
2192 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2194 print_delim(fp, del);
2195 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2196 print_delim(fp, del);
2197 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2198 print_delim(fp, del);
2199 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2200 print_delim(fp, del);
2201 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2202 print_delim(fp, del);
2203 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2204 print_delim(fp, del);
2205 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2206 print_delim(fp, del);
2207 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2208 print_delim(fp, del);
2209 print_ip_address(fp, tok->tt.ip.src);
2210 print_delim(fp, del);
2211 print_ip_address(fp, tok->tt.ip.dest);
2216 * object ID type 1 byte
2220 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2224 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2228 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2236 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2237 __unused char sfrm, int xml)
2240 print_tok_type(fp, tok->id, "IPC", raw, xml);
2242 open_attr(fp, "ipc-type");
2243 print_ipctype(fp, tok->tt.ipc.type, raw);
2245 open_attr(fp, "ipc-id");
2246 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2248 close_tag(fp, tok->id);
2250 print_delim(fp, del);
2251 print_ipctype(fp, tok->tt.ipc.type, raw);
2252 print_delim(fp, del);
2253 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2258 * owner user id 4 bytes
2259 * owner group id 4 bytes
2260 * creator user id 4 bytes
2261 * creator group id 4 bytes
2262 * access mode 4 bytes
2267 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2271 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2275 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2283 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2287 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2291 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2295 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2303 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2304 __unused char sfrm, int xml)
2307 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2309 open_attr(fp, "uid");
2310 print_user(fp, tok->tt.ipcperm.uid, raw);
2312 open_attr(fp, "gid");
2313 print_group(fp, tok->tt.ipcperm.gid, raw);
2315 open_attr(fp, "creator-uid");
2316 print_user(fp, tok->tt.ipcperm.puid, raw);
2318 open_attr(fp, "creator-gid");
2319 print_group(fp, tok->tt.ipcperm.pgid, raw);
2321 open_attr(fp, "mode");
2322 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2324 open_attr(fp, "seq");
2325 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2327 open_attr(fp, "key");
2328 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2330 close_tag(fp, tok->id);
2332 print_delim(fp, del);
2333 print_user(fp, tok->tt.ipcperm.uid, raw);
2334 print_delim(fp, del);
2335 print_group(fp, tok->tt.ipcperm.gid, raw);
2336 print_delim(fp, del);
2337 print_user(fp, tok->tt.ipcperm.puid, raw);
2338 print_delim(fp, del);
2339 print_group(fp, tok->tt.ipcperm.pgid, raw);
2340 print_delim(fp, del);
2341 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2342 print_delim(fp, del);
2343 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2344 print_delim(fp, del);
2345 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2350 * port Ip address 2 bytes
2353 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2357 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2366 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2367 __unused char sfrm, int xml)
2370 print_tok_type(fp, tok->id, "ip port", raw, xml);
2372 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2373 close_tag(fp, tok->id);
2375 print_delim(fp, del);
2376 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2385 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2389 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2393 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2402 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2403 __unused char sfrm, int xml)
2406 print_tok_type(fp, tok->id, "opaque", raw, xml);
2408 print_mem(fp, (u_char*)tok->tt.opaque.data,
2409 tok->tt.opaque.size);
2410 close_tag(fp, tok->id);
2412 print_delim(fp, del);
2413 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2414 print_delim(fp, del);
2415 print_mem(fp, (u_char*)tok->tt.opaque.data,
2416 tok->tt.opaque.size);
2425 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2429 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2433 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2442 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2443 __unused char sfrm, int xml)
2446 print_tok_type(fp, tok->id, "path", raw, xml);
2448 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2449 close_tag(fp, tok->id);
2451 print_delim(fp, del);
2452 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2467 * machine id 4 bytes
2470 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2474 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2478 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2482 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2486 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2490 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2494 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2498 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2502 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2506 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2507 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2515 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2516 __unused char sfrm, int xml)
2519 print_tok_type(fp, tok->id, "process", raw, xml);
2521 open_attr(fp, "audit-uid");
2522 print_user(fp, tok->tt.proc32.auid, raw);
2524 open_attr(fp, "uid");
2525 print_user(fp, tok->tt.proc32.euid, raw);
2527 open_attr(fp, "gid");
2528 print_group(fp, tok->tt.proc32.egid, raw);
2530 open_attr(fp, "ruid");
2531 print_user(fp, tok->tt.proc32.ruid, raw);
2533 open_attr(fp, "rgid");
2534 print_group(fp, tok->tt.proc32.rgid, raw);
2536 open_attr(fp, "pid");
2537 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2539 open_attr(fp, "sid");
2540 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2542 open_attr(fp, "tid");
2543 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2544 print_ip_address(fp, tok->tt.proc32.tid.addr);
2546 close_tag(fp, tok->id);
2548 print_delim(fp, del);
2549 print_user(fp, tok->tt.proc32.auid, raw);
2550 print_delim(fp, del);
2551 print_user(fp, tok->tt.proc32.euid, raw);
2552 print_delim(fp, del);
2553 print_group(fp, tok->tt.proc32.egid, raw);
2554 print_delim(fp, del);
2555 print_user(fp, tok->tt.proc32.ruid, raw);
2556 print_delim(fp, del);
2557 print_group(fp, tok->tt.proc32.rgid, raw);
2558 print_delim(fp, del);
2559 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2560 print_delim(fp, del);
2561 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2562 print_delim(fp, del);
2563 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2564 print_delim(fp, del);
2565 print_ip_address(fp, tok->tt.proc32.tid.addr);
2580 * machine id 4 bytes
2583 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2587 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2591 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2595 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2599 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2603 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2607 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2611 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2615 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2619 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2620 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2628 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2629 __unused char sfrm, int xml)
2631 print_tok_type(fp, tok->id, "process", raw, xml);
2633 open_attr(fp, "audit-uid");
2634 print_user(fp, tok->tt.proc64.auid, raw);
2636 open_attr(fp, "uid");
2637 print_user(fp, tok->tt.proc64.euid, raw);
2639 open_attr(fp, "gid");
2640 print_group(fp, tok->tt.proc64.egid, raw);
2642 open_attr(fp, "ruid");
2643 print_user(fp, tok->tt.proc64.ruid, raw);
2645 open_attr(fp, "rgid");
2646 print_group(fp, tok->tt.proc64.rgid, raw);
2648 open_attr(fp, "pid");
2649 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2651 open_attr(fp, "sid");
2652 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2654 open_attr(fp, "tid");
2655 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2656 print_ip_address(fp, tok->tt.proc64.tid.addr);
2658 close_tag(fp, tok->id);
2660 print_delim(fp, del);
2661 print_user(fp, tok->tt.proc64.auid, raw);
2662 print_delim(fp, del);
2663 print_user(fp, tok->tt.proc64.euid, raw);
2664 print_delim(fp, del);
2665 print_group(fp, tok->tt.proc64.egid, raw);
2666 print_delim(fp, del);
2667 print_user(fp, tok->tt.proc64.ruid, raw);
2668 print_delim(fp, del);
2669 print_group(fp, tok->tt.proc64.rgid, raw);
2670 print_delim(fp, del);
2671 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2672 print_delim(fp, del);
2673 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2674 print_delim(fp, del);
2675 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2676 print_delim(fp, del);
2677 print_ip_address(fp, tok->tt.proc64.tid.addr);
2684 * effective user ID 4 bytes
2685 * effective group ID 4 bytes
2686 * real user ID 4 bytes
2687 * real group ID 4 bytes
2688 * process ID 4 bytes
2689 * session ID 4 bytes
2692 * address type-len 4 bytes
2693 * machine address 16 bytes
2696 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2700 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2704 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2708 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2712 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2716 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2720 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2724 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2728 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2733 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2738 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2739 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2740 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2743 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2744 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2745 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2755 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2756 __unused char sfrm, int xml)
2759 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2761 open_attr(fp, "audit-uid");
2762 print_user(fp, tok->tt.proc32_ex.auid, raw);
2764 open_attr(fp, "uid");
2765 print_user(fp, tok->tt.proc32_ex.euid, raw);
2767 open_attr(fp, "gid");
2768 print_group(fp, tok->tt.proc32_ex.egid, raw);
2770 open_attr(fp, "ruid");
2771 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2773 open_attr(fp, "rgid");
2774 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2776 open_attr(fp, "pid");
2777 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2779 open_attr(fp, "sid");
2780 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2782 open_attr(fp, "tid");
2783 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2784 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2785 tok->tt.proc32_ex.tid.addr);
2787 close_tag(fp, tok->id);
2789 print_delim(fp, del);
2790 print_user(fp, tok->tt.proc32_ex.auid, raw);
2791 print_delim(fp, del);
2792 print_user(fp, tok->tt.proc32_ex.euid, raw);
2793 print_delim(fp, del);
2794 print_group(fp, tok->tt.proc32_ex.egid, raw);
2795 print_delim(fp, del);
2796 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2797 print_delim(fp, del);
2798 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2799 print_delim(fp, del);
2800 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2801 print_delim(fp, del);
2802 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2803 print_delim(fp, del);
2804 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2805 print_delim(fp, del);
2806 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2807 tok->tt.proc32_ex.tid.addr);
2814 * effective user ID 4 bytes
2815 * effective group ID 4 bytes
2816 * real user ID 4 bytes
2817 * real group ID 4 bytes
2818 * process ID 4 bytes
2819 * session ID 4 bytes
2822 * address type-len 4 bytes
2823 * machine address 16 bytes
2826 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2830 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2834 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2838 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2842 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2846 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2850 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2854 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2858 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2863 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2868 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2869 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2870 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2873 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2874 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2875 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2885 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2886 __unused char sfrm, int xml)
2888 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2890 open_attr(fp, "audit-uid");
2891 print_user(fp, tok->tt.proc64_ex.auid, raw);
2893 open_attr(fp, "uid");
2894 print_user(fp, tok->tt.proc64_ex.euid, raw);
2896 open_attr(fp, "gid");
2897 print_group(fp, tok->tt.proc64_ex.egid, raw);
2899 open_attr(fp, "ruid");
2900 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2902 open_attr(fp, "rgid");
2903 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2905 open_attr(fp, "pid");
2906 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2908 open_attr(fp, "sid");
2909 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2911 open_attr(fp, "tid");
2912 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2913 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2914 tok->tt.proc64_ex.tid.addr);
2916 close_tag(fp, tok->id);
2918 print_delim(fp, del);
2919 print_user(fp, tok->tt.proc64_ex.auid, raw);
2920 print_delim(fp, del);
2921 print_user(fp, tok->tt.proc64_ex.euid, raw);
2922 print_delim(fp, del);
2923 print_group(fp, tok->tt.proc64_ex.egid, raw);
2924 print_delim(fp, del);
2925 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2926 print_delim(fp, del);
2927 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2928 print_delim(fp, del);
2929 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2930 print_delim(fp, del);
2931 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2932 print_delim(fp, del);
2933 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2934 print_delim(fp, del);
2935 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2936 tok->tt.proc64_ex.tid.addr);
2942 * return value 4 bytes
2945 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2949 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2953 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2961 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2962 __unused char sfrm, int xml)
2965 print_tok_type(fp, tok->id, "return", raw, xml);
2967 open_attr(fp ,"errval");
2968 print_retval(fp, tok->tt.ret32.status, raw);
2970 open_attr(fp, "retval");
2971 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2973 close_tag(fp, tok->id);
2975 print_delim(fp, del);
2976 print_retval(fp, tok->tt.ret32.status, raw);
2977 print_delim(fp, del);
2978 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2983 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2987 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2991 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
2999 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3000 __unused char sfrm, int xml)
3003 print_tok_type(fp, tok->id, "return", raw, xml);
3005 open_attr(fp, "errval");
3006 print_retval(fp, tok->tt.ret64.err, raw);
3008 open_attr(fp, "retval");
3009 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3011 close_tag(fp, tok->id);
3013 print_delim(fp, del);
3014 print_retval(fp, tok->tt.ret64.err, raw);
3015 print_delim(fp, del);
3016 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3024 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3028 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3036 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3037 __unused char sfrm, int xml)
3040 print_tok_type(fp, tok->id, "sequence", raw, xml);
3042 open_attr(fp, "seq-num");
3043 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3045 close_tag(fp, tok->id);
3047 print_delim(fp, del);
3048 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3053 * socket family 2 bytes
3054 * local port 2 bytes
3055 * socket address 4 bytes
3058 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3062 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3067 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3068 sizeof(uint16_t), tok->len, err);
3072 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3073 sizeof(tok->tt.sockinet32.addr), tok->len, err);
3081 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3082 __unused char sfrm, int xml)
3085 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3087 open_attr(fp, "type");
3088 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3090 open_attr(fp, "port");
3091 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3093 open_attr(fp, "addr");
3094 print_ip_address(fp, tok->tt.sockinet32.addr);
3096 close_tag(fp, tok->id);
3098 print_delim(fp, del);
3099 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3100 print_delim(fp, del);
3101 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3102 print_delim(fp, del);
3103 print_ip_address(fp, tok->tt.sockinet32.addr);
3108 * socket family 2 bytes
3112 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3116 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3120 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3129 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3130 __unused char sfrm, int xml)
3133 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3135 open_attr(fp, "type");
3136 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3138 open_attr(fp, "port");
3140 open_attr(fp, "addr");
3141 print_string(fp, tok->tt.sockunix.path,
3142 strlen(tok->tt.sockunix.path));
3144 close_tag(fp, tok->id);
3146 print_delim(fp, del);
3147 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3148 print_delim(fp, del);
3149 print_string(fp, tok->tt.sockunix.path,
3150 strlen(tok->tt.sockunix.path));
3155 * socket type 2 bytes
3156 * local port 2 bytes
3157 * local address 4 bytes
3158 * remote port 2 bytes
3159 * remote address 4 bytes
3162 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3166 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3170 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3175 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3176 sizeof(tok->tt.socket.l_addr), tok->len, err);
3180 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3185 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3186 sizeof(tok->tt.socket.r_addr), tok->len, err);
3194 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3195 __unused char sfrm, int xml)
3198 print_tok_type(fp, tok->id, "socket", raw, xml);
3200 open_attr(fp, "sock_type");
3201 print_2_bytes(fp, tok->tt.socket.type, "%u");
3203 open_attr(fp, "lport");
3204 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3206 open_attr(fp, "laddr");
3207 print_ip_address(fp, tok->tt.socket.l_addr);
3209 open_attr(fp, "fport");
3210 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3212 open_attr(fp, "faddr");
3213 print_ip_address(fp, tok->tt.socket.r_addr);
3215 close_tag(fp, tok->id);
3217 print_delim(fp, del);
3218 print_2_bytes(fp, tok->tt.socket.type, "%u");
3219 print_delim(fp, del);
3220 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3221 print_delim(fp, del);
3222 print_ip_address(fp, tok->tt.socket.l_addr);
3223 print_delim(fp, del);
3224 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3225 print_delim(fp, del);
3226 print_ip_address(fp, tok->tt.socket.r_addr);
3239 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3240 * machine id 4 bytes
3243 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3247 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3251 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3255 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3259 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3263 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3267 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3271 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3275 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3279 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3280 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3288 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3289 __unused char sfrm, int xml)
3292 print_tok_type(fp, tok->id, "subject", raw, xml);
3294 open_attr(fp, "audit-uid");
3295 print_user(fp, tok->tt.subj32.auid, raw);
3297 open_attr(fp, "uid");
3298 print_user(fp, tok->tt.subj32.euid, raw);
3300 open_attr(fp, "gid");
3301 print_group(fp, tok->tt.subj32.egid, raw);
3303 open_attr(fp, "ruid");
3304 print_user(fp, tok->tt.subj32.ruid, raw);
3306 open_attr(fp, "rgid");
3307 print_group(fp, tok->tt.subj32.rgid, raw);
3309 open_attr(fp,"pid");
3310 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3312 open_attr(fp,"sid");
3313 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3315 open_attr(fp,"tid");
3316 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3317 print_ip_address(fp, tok->tt.subj32.tid.addr);
3319 close_tag(fp, tok->id);
3321 print_delim(fp, del);
3322 print_user(fp, tok->tt.subj32.auid, raw);
3323 print_delim(fp, del);
3324 print_user(fp, tok->tt.subj32.euid, raw);
3325 print_delim(fp, del);
3326 print_group(fp, tok->tt.subj32.egid, raw);
3327 print_delim(fp, del);
3328 print_user(fp, tok->tt.subj32.ruid, raw);
3329 print_delim(fp, del);
3330 print_group(fp, tok->tt.subj32.rgid, raw);
3331 print_delim(fp, del);
3332 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3333 print_delim(fp, del);
3334 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3335 print_delim(fp, del);
3336 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3337 print_delim(fp, del);
3338 print_ip_address(fp, tok->tt.subj32.tid.addr);
3351 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3352 * machine id 4 bytes
3355 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3359 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3363 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3375 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3379 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3383 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3387 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3391 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3392 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3400 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3401 __unused char sfrm, int xml)
3404 print_tok_type(fp, tok->id, "subject", raw, xml);
3406 open_attr(fp, "audit-uid");
3407 print_user(fp, tok->tt.subj64.auid, raw);
3409 open_attr(fp, "uid");
3410 print_user(fp, tok->tt.subj64.euid, raw);
3412 open_attr(fp, "gid");
3413 print_group(fp, tok->tt.subj64.egid, raw);
3415 open_attr(fp, "ruid");
3416 print_user(fp, tok->tt.subj64.ruid, raw);
3418 open_attr(fp, "rgid");
3419 print_group(fp, tok->tt.subj64.rgid, raw);
3421 open_attr(fp, "pid");
3422 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3424 open_attr(fp, "sid");
3425 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3427 open_attr(fp, "tid");
3428 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3429 print_ip_address(fp, tok->tt.subj64.tid.addr);
3431 close_tag(fp, tok->id);
3433 print_delim(fp, del);
3434 print_user(fp, tok->tt.subj64.auid, raw);
3435 print_delim(fp, del);
3436 print_user(fp, tok->tt.subj64.euid, raw);
3437 print_delim(fp, del);
3438 print_group(fp, tok->tt.subj64.egid, raw);
3439 print_delim(fp, del);
3440 print_user(fp, tok->tt.subj64.ruid, raw);
3441 print_delim(fp, del);
3442 print_group(fp, tok->tt.subj64.rgid, raw);
3443 print_delim(fp, del);
3444 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3445 print_delim(fp, del);
3446 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3447 print_delim(fp, del);
3448 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3449 print_delim(fp, del);
3450 print_ip_address(fp, tok->tt.subj64.tid.addr);
3465 * machine id 16 bytes
3468 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3472 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3476 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3480 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3484 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3488 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3492 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3496 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3500 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3505 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3510 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3511 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3512 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3515 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3516 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3517 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3527 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3528 __unused char sfrm, int xml)
3531 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3533 open_attr(fp, "audit-uid");
3534 print_user(fp, tok->tt.subj32_ex.auid, raw);
3536 open_attr(fp, "uid");
3537 print_user(fp, tok->tt.subj32_ex.euid, raw);
3539 open_attr(fp, "gid");
3540 print_group(fp, tok->tt.subj32_ex.egid, raw);
3542 open_attr(fp, "ruid");
3543 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3545 open_attr(fp, "rgid");
3546 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3548 open_attr(fp, "pid");
3549 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3551 open_attr(fp, "sid");
3552 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3554 open_attr(fp, "tid");
3555 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3556 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3557 tok->tt.subj32_ex.tid.addr);
3559 close_tag(fp, tok->id);
3561 print_delim(fp, del);
3562 print_user(fp, tok->tt.subj32_ex.auid, raw);
3563 print_delim(fp, del);
3564 print_user(fp, tok->tt.subj32_ex.euid, raw);
3565 print_delim(fp, del);
3566 print_group(fp, tok->tt.subj32_ex.egid, raw);
3567 print_delim(fp, del);
3568 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3569 print_delim(fp, del);
3570 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3571 print_delim(fp, del);
3572 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3573 print_delim(fp, del);
3574 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3575 print_delim(fp, del);
3576 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3577 print_delim(fp, del);
3578 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3579 tok->tt.subj32_ex.tid.addr);
3594 * machine id 16 bytes
3597 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3601 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3605 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3609 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3613 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3617 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3621 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3625 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3629 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3634 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3639 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3640 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3641 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3644 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3645 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3646 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3656 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3657 __unused char sfrm, int xml)
3659 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3661 open_attr(fp, "audit-uid");
3662 print_user(fp, tok->tt.subj64_ex.auid, raw);
3664 open_attr(fp, "uid");
3665 print_user(fp, tok->tt.subj64_ex.euid, raw);
3667 open_attr(fp, "gid");
3668 print_group(fp, tok->tt.subj64_ex.egid, raw);
3670 open_attr(fp, "ruid");
3671 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3673 open_attr(fp, "rgid");
3674 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3676 open_attr(fp, "pid");
3677 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3679 open_attr(fp, "sid");
3680 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3682 open_attr(fp, "tid");
3683 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3684 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3685 tok->tt.subj64_ex.tid.addr);
3687 close_tag(fp, tok->id);
3689 print_delim(fp, del);
3690 print_user(fp, tok->tt.subj64_ex.auid, raw);
3691 print_delim(fp, del);
3692 print_user(fp, tok->tt.subj64_ex.euid, raw);
3693 print_delim(fp, del);
3694 print_group(fp, tok->tt.subj64_ex.egid, raw);
3695 print_delim(fp, del);
3696 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3697 print_delim(fp, del);
3698 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3699 print_delim(fp, del);
3700 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3701 print_delim(fp, del);
3702 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3703 print_delim(fp, del);
3704 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3705 print_delim(fp, del);
3706 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3707 tok->tt.subj64_ex.tid.addr);
3716 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3720 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3724 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3733 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3734 __unused char sfrm, int xml)
3737 print_tok_type(fp, tok->id, "text", raw, xml);
3739 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3740 close_tag(fp, tok->id);
3742 print_delim(fp, del);
3743 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3748 * socket type 2 bytes
3749 * local port 2 bytes
3750 * address type/length 4 bytes
3751 * local Internet address 4 bytes
3752 * remote port 4 bytes
3753 * address type/length 4 bytes
3754 * remote Internet address 4 bytes
3757 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3761 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3766 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3767 sizeof(uint16_t), tok->len, err);
3771 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3776 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3777 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3781 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3782 sizeof(uint16_t), tok->len, err);
3786 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3791 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3792 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3800 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3801 __unused char sfrm, int xml)
3804 print_tok_type(fp, tok->id, "socket", raw, xml);
3806 open_attr(fp, "sock_type");
3807 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3809 open_attr(fp, "lport");
3810 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3812 open_attr(fp, "laddr");
3813 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3815 open_attr(fp, "faddr");
3816 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3818 open_attr(fp, "fport");
3819 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3821 close_tag(fp, tok->id);
3823 print_delim(fp, del);
3824 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3825 print_delim(fp, del);
3826 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3827 print_delim(fp, del);
3828 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3829 print_delim(fp, del);
3830 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3831 print_delim(fp, del);
3832 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3837 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3842 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3843 if (recoversize <= 0)
3846 tok->tt.invalid.length = recoversize;
3848 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3857 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3858 __unused char sfrm, int xml)
3862 print_tok_type(fp, tok->id, "unknown", raw, 0);
3863 print_delim(fp, del);
3864 print_mem(fp, (u_char*)tok->tt.invalid.data,
3865 tok->tt.invalid.length);
3872 * zonename size bytes;
3875 fetch_zonename_tok(tokenstr_t *tok, char *buf, int len)
3879 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3882 SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3890 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3891 __unused char sfrm, int xml)
3894 print_tok_type(fp, tok->id, "zone", raw, xml);
3896 open_attr(fp, "name");
3897 print_string(fp, tok->tt.zonename.zonename,
3898 tok->tt.zonename.len);
3900 close_tag(fp, tok->id);
3902 print_delim(fp, del);
3903 print_string(fp, tok->tt.zonename.zonename,
3904 tok->tt.zonename.len);
3909 * Reads the token beginning at buf into tok.
3912 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3924 return (fetch_header32_tok(tok, buf, len));
3926 case AUT_HEADER32_EX:
3927 return (fetch_header32_ex_tok(tok, buf, len));
3930 return (fetch_header64_tok(tok, buf, len));
3932 case AUT_HEADER64_EX:
3933 return (fetch_header64_ex_tok(tok, buf, len));
3936 return (fetch_trailer_tok(tok, buf, len));
3939 return (fetch_arg32_tok(tok, buf, len));
3942 return (fetch_arg64_tok(tok, buf, len));
3945 return (fetch_attr32_tok(tok, buf, len));
3948 return (fetch_attr64_tok(tok, buf, len));
3951 return (fetch_exit_tok(tok, buf, len));
3954 return (fetch_execarg_tok(tok, buf, len));
3957 return (fetch_execenv_tok(tok, buf, len));
3959 case AUT_OTHER_FILE32:
3960 return (fetch_file_tok(tok, buf, len));
3963 return (fetch_newgroups_tok(tok, buf, len));
3966 return (fetch_inaddr_tok(tok, buf, len));
3968 case AUT_IN_ADDR_EX:
3969 return (fetch_inaddr_ex_tok(tok, buf, len));
3972 return (fetch_ip_tok(tok, buf, len));
3975 return (fetch_ipc_tok(tok, buf, len));
3978 return (fetch_ipcperm_tok(tok, buf, len));
3981 return (fetch_iport_tok(tok, buf, len));
3984 return (fetch_opaque_tok(tok, buf, len));
3987 return (fetch_path_tok(tok, buf, len));
3990 return (fetch_process32_tok(tok, buf, len));
3992 case AUT_PROCESS32_EX:
3993 return (fetch_process32ex_tok(tok, buf, len));
3996 return (fetch_process64_tok(tok, buf, len));
3998 case AUT_PROCESS64_EX:
3999 return (fetch_process64ex_tok(tok, buf, len));
4002 return (fetch_return32_tok(tok, buf, len));
4005 return (fetch_return64_tok(tok, buf, len));
4008 return (fetch_seq_tok(tok, buf, len));
4011 return (fetch_socket_tok(tok, buf, len));
4013 case AUT_SOCKINET32:
4014 return (fetch_sock_inet32_tok(tok, buf, len));
4017 return (fetch_sock_unix_tok(tok, buf, len));
4020 return (fetch_subject32_tok(tok, buf, len));
4022 case AUT_SUBJECT32_EX:
4023 return (fetch_subject32ex_tok(tok, buf, len));
4026 return (fetch_subject64_tok(tok, buf, len));
4028 case AUT_SUBJECT64_EX:
4029 return (fetch_subject64ex_tok(tok, buf, len));
4032 return (fetch_text_tok(tok, buf, len));
4035 return (fetch_socketex32_tok(tok, buf, len));
4038 return (fetch_arb_tok(tok, buf, len));
4041 return (fetch_zonename_tok(tok, buf, len));
4044 return (fetch_invalid_tok(tok, buf, len));
4049 * 'prints' the token out to outfp.
4052 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4057 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4060 case AUT_HEADER32_EX:
4061 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4065 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4068 case AUT_HEADER64_EX:
4069 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4073 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4077 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4081 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4085 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4089 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4093 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4097 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4101 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4105 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4108 case AUT_OTHER_FILE32:
4109 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4113 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4117 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4120 case AUT_IN_ADDR_EX:
4121 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4125 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4129 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4133 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4137 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4141 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4145 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4149 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4152 case AUT_PROCESS32_EX:
4153 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4157 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4160 case AUT_PROCESS64_EX:
4161 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4165 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4169 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4173 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4177 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4180 case AUT_SOCKINET32:
4181 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4185 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4189 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4193 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4196 case AUT_SUBJECT32_EX:
4197 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4200 case AUT_SUBJECT64_EX:
4201 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4205 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4209 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4213 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4217 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4222 * 'prints' the token out to outfp in XML format.
4225 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4231 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4234 case AUT_HEADER32_EX:
4235 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4239 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4242 case AUT_HEADER64_EX:
4243 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4247 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4251 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4255 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4259 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4263 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4267 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4271 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4275 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4279 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4282 case AUT_OTHER_FILE32:
4283 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4287 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4291 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4294 case AUT_IN_ADDR_EX:
4295 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4299 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4303 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4307 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4311 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4315 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4319 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4323 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4326 case AUT_PROCESS32_EX:
4327 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4331 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4334 case AUT_PROCESS64_EX:
4335 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4339 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4343 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4347 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4351 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4354 case AUT_SOCKINET32:
4355 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4359 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4363 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4367 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4370 case AUT_SUBJECT32_EX:
4371 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4374 case AUT_SUBJECT64_EX:
4375 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4379 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4383 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4387 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4391 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4396 * Read a record from the file pointer, store data in buf memory for buf is
4397 * also allocated in this function and has to be free'd outside this call.
4399 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4400 * complete audit record.
4402 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4403 * state, because it will be partly offset into a record. We should rewind
4404 * or do something more intelligent. Particularly interesting is the case
4405 * where we perform a partial read of a record from a non-blockable file
4406 * descriptor. We should return the partial read and continue...?
4409 au_read_rec(FILE *fp, u_char **buf)
4413 u_int32_t bytestoread;
4416 u_int32_t sec, msec;
4417 u_int16_t filenamelen;
4423 case AUT_HEADER32_EX:
4425 case AUT_HEADER64_EX:
4426 /* read the record size from the token */
4427 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4428 sizeof(u_int32_t)) {
4432 recsize = be32toh(recsize);
4434 /* Check for recsize sanity */
4435 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4440 *buf = malloc(recsize * sizeof(u_char));
4444 memset(bptr, 0, recsize);
4446 /* store the token contents already read, back to the buffer*/
4449 be32enc(bptr, recsize);
4450 bptr += sizeof(u_int32_t);
4452 /* now read remaining record bytes */
4453 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4455 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4462 case AUT_OTHER_FILE32:
4464 * The file token is variable-length, as it includes a
4465 * pathname. As a result, we have to read incrementally
4466 * until we know the total length, then allocate space and
4469 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4473 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4477 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4478 sizeof(filenamelen)) {
4482 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4483 sizeof(filenamelen) + ntohs(filenamelen);
4484 *buf = malloc(recsize);
4489 bcopy(&type, bptr, sizeof(type));
4490 bptr += sizeof(type);
4491 bcopy(&sec, bptr, sizeof(sec));
4492 bptr += sizeof(sec);
4493 bcopy(&msec, bptr, sizeof(msec));
4494 bptr += sizeof(msec);
4495 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4496 bptr += sizeof(filenamelen);
4498 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4499 ntohs(filenamelen)) {