2 * Copyright (c) 2004 Apple Computer, Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Computer, Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#49 $
38 #include <sys/types.h>
40 #include <config/config.h>
41 #ifdef HAVE_SYS_ENDIAN_H
42 #include <sys/endian.h>
43 #else /* !HAVE_SYS_ENDIAN_H */
44 #ifdef HAVE_MACHINE_ENDIAN_H
45 #include <machine/endian.h>
46 #else /* !HAVE_MACHINE_ENDIAN_H */
49 #else /* !HAVE_ENDIAN_H */
50 #error "No supported endian.h"
51 #endif /* !HAVE_ENDIAN_H */
52 #endif /* !HAVE_MACHINE_ENDIAN_H */
53 #include <compat/endian.h>
54 #endif /* !HAVE_SYS_ENDIAN_H */
55 #ifdef HAVE_FULL_QUEUE_H
56 #include <sys/queue.h>
57 #else /* !HAVE_FULL_QUEUE_H */
58 #include <compat/queue.h>
59 #endif /* !HAVE_FULL_QUEUE_H */
62 #include <sys/socket.h>
64 #include <bsm/libbsm.h>
67 #include <netinet/in.h>
68 #include <arpa/inet.h>
77 #include <bsm/audit_internal.h>
79 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
80 if (bytesread + size > len) { \
83 memcpy(dest, buf + bytesread, size); \
88 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
89 if (bytesread + sizeof(u_char) <= len) { \
90 dest = buf[bytesread]; \
91 bytesread += sizeof(u_char); \
96 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
97 if (bytesread + sizeof(u_int16_t) <= len) { \
98 dest = be16dec(buf + bytesread); \
99 bytesread += sizeof(u_int16_t); \
104 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
105 if (bytesread + sizeof(u_int32_t) <= len) { \
106 dest = be32dec(buf + bytesread); \
107 bytesread += sizeof(u_int32_t); \
112 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
113 if (bytesread + sizeof(u_int64_t) <= len) { \
114 dest = be64dec(buf + bytesread); \
115 bytesread += sizeof(u_int64_t); \
120 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
121 if ((bytesread) + (size) > (len)) \
124 (ptr) = (buf) + (bytesread); \
125 (bytesread) += (size); \
136 * Prints the delimiter string.
139 print_delim(FILE *fp, const char *del)
142 fprintf(fp, "%s", del);
146 * Prints a single byte in the given format.
149 print_1_byte(FILE *fp, u_char val, const char *format)
152 fprintf(fp, format, val);
156 * Print 2 bytes in the given format.
159 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
162 fprintf(fp, format, val);
166 * Prints 4 bytes in the given format.
169 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
172 fprintf(fp, format, val);
176 * Prints 8 bytes in the given format.
179 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
182 fprintf(fp, format, val);
186 * Prints the given size of data bytes in hex.
189 print_mem(FILE *fp, u_char *data, size_t len)
195 for (i = 0; i < len; i++)
196 fprintf(fp, "%x", data[i]);
201 * Prints the given data bytes as a string.
204 print_string(FILE *fp, const char *str, size_t len)
209 for (i = 0; i < len; i++) {
211 fprintf(fp, "%c", str[i]);
217 * Prints the beggining of attribute.
220 open_attr(FILE *fp, const char *str)
223 fprintf(fp,"%s=\"", str);
227 * Prints the end of attribute.
237 * Prints the end of tag.
240 close_tag(FILE *fp, u_char type)
248 case AUT_HEADER32_EX:
256 case AUT_HEADER64_EX:
281 fprintf(fp, "</exec_args>");
285 fprintf(fp, "</exec_env>");
288 case AUT_OTHER_FILE32:
289 fprintf(fp, "</file>");
293 fprintf(fp, "</group>");
297 fprintf(fp, "</ip_address>");
301 fprintf(fp, "</ip_address>");
317 fprintf(fp, "</ip_port>");
321 fprintf(fp, "</opaque>");
325 fprintf(fp, "</path>");
332 case AUT_PROCESS32_EX:
340 case AUT_PROCESS64_EX:
376 case AUT_SUBJECT32_EX:
380 case AUT_SUBJECT64_EX:
385 fprintf(fp, "</text>");
393 fprintf(fp, "</arbitrary>");
403 * Prints the token type in either the raw or the default form.
406 print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
412 fprintf(fp, "<record ");
415 case AUT_HEADER32_EX:
416 fprintf(fp, "<record ");
420 fprintf(fp, "<record ");
423 case AUT_HEADER64_EX:
424 fprintf(fp, "<record ");
428 fprintf(fp, "</record>");
432 fprintf(fp, "<argument ");
436 fprintf(fp, "<argument ");
440 fprintf(fp, "<attribute ");
444 fprintf(fp, "<attribute ");
448 fprintf(fp, "<exit ");
452 fprintf(fp, "<exec_args>");
456 fprintf(fp, "<exec_env>");
459 case AUT_OTHER_FILE32:
460 fprintf(fp, "<file ");
464 fprintf(fp, "<group>");
468 fprintf(fp, "<ip_address>");
472 fprintf(fp, "<ip_address>");
484 fprintf(fp, "<IPC_perm ");
488 fprintf(fp, "<ip_port>");
492 fprintf(fp, "<opaque>");
496 fprintf(fp, "<path>");
500 fprintf(fp, "<process ");
503 case AUT_PROCESS32_EX:
504 fprintf(fp, "<process ");
508 fprintf(fp, "<process ");
511 case AUT_PROCESS64_EX:
512 fprintf(fp, "<process ");
516 fprintf(fp, "<return ");
520 fprintf(fp, "<return ");
524 fprintf(fp, "<sequence ");
528 fprintf(fp, "<socket ");
532 fprintf(fp, "<old_socket");
536 fprintf(fp, "<old_socket");
540 fprintf(fp, "<subject ");
544 fprintf(fp, "<subject ");
547 case AUT_SUBJECT32_EX:
548 fprintf(fp, "<subject ");
551 case AUT_SUBJECT64_EX:
552 fprintf(fp, "<subject ");
556 fprintf(fp, "<text>");
560 fprintf(fp, "<socket ");
564 fprintf(fp, "<arbitrary ");
568 fprintf(fp, "<zone ");
573 fprintf(fp, "%u", type);
575 fprintf(fp, "%s", tokname);
580 * Prints a user value.
583 print_user(FILE *fp, u_int32_t usr, char raw)
585 struct passwd *pwent;
588 fprintf(fp, "%d", usr);
590 pwent = getpwuid(usr);
592 fprintf(fp, "%s", pwent->pw_name);
594 fprintf(fp, "%d", usr);
599 * Prints a group value.
602 print_group(FILE *fp, u_int32_t grp, char raw)
604 struct group *grpent;
607 fprintf(fp, "%d", grp);
609 grpent = getgrgid(grp);
611 fprintf(fp, "%s", grpent->gr_name);
613 fprintf(fp, "%d", grp);
618 * Prints the event from the header token in either the short, default or raw
622 print_event(FILE *fp, u_int16_t ev, char raw, char sfrm)
624 char event_ent_name[AU_EVENT_NAME_MAX];
625 char event_ent_desc[AU_EVENT_DESC_MAX];
626 struct au_event_ent e, *ep;
628 bzero(&e, sizeof(e));
629 bzero(event_ent_name, sizeof(event_ent_name));
630 bzero(event_ent_desc, sizeof(event_ent_desc));
631 e.ae_name = event_ent_name;
632 e.ae_desc = event_ent_desc;
634 ep = getauevnum_r(&e, ev);
636 fprintf(fp, "%u", ev);
641 fprintf(fp, "%u", ev);
643 fprintf(fp, "%s", e.ae_name);
645 fprintf(fp, "%s", e.ae_desc);
650 * Prints the event modifier from the header token in either the default or
654 print_evmod(FILE *fp, u_int16_t evmod, char raw)
657 fprintf(fp, "%u", evmod);
659 fprintf(fp, "%u", evmod);
663 * Prints seconds in the ctime format.
666 print_sec32(FILE *fp, u_int32_t sec, char raw)
672 fprintf(fp, "%u", sec);
674 timestamp = (time_t)sec;
675 ctime_r(×tamp, timestr);
676 timestr[24] = '\0'; /* No new line */
677 fprintf(fp, "%s", timestr);
682 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
683 * assume a 32-bit time_t, we simply truncate for now.
686 print_sec64(FILE *fp, u_int64_t sec, char raw)
692 fprintf(fp, "%u", (u_int32_t)sec);
694 timestamp = (time_t)sec;
695 ctime_r(×tamp, timestr);
696 timestr[24] = '\0'; /* No new line */
697 fprintf(fp, "%s", timestr);
702 * Prints the excess milliseconds.
705 print_msec32(FILE *fp, u_int32_t msec, char raw)
708 fprintf(fp, "%u", msec);
710 fprintf(fp, " + %u msec", msec);
714 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
715 * a 32-bit msec, we simply truncate for now.
718 print_msec64(FILE *fp, u_int64_t msec, char raw)
723 fprintf(fp, "%u", (u_int32_t)msec);
725 fprintf(fp, " + %u msec", (u_int32_t)msec);
729 * Prints a dotted form for the IP address.
732 print_ip_address(FILE *fp, u_int32_t ip)
734 struct in_addr ipaddr;
737 fprintf(fp, "%s", inet_ntoa(ipaddr));
741 * Prints a string value for the given ip address.
744 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
747 struct in6_addr ipv6;
748 char dst[INET6_ADDRSTRLEN];
752 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
753 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
758 bcopy(ipaddr, &ipv6, sizeof(ipv6));
759 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
764 fprintf(fp, "invalid");
769 * Prints return value as success or failure.
772 print_retval(FILE *fp, u_char status, char raw)
775 fprintf(fp, "%u", status);
778 fprintf(fp, "success");
780 fprintf(fp, "failure : %s", strerror(status));
785 * Prints the exit value.
788 print_errval(FILE *fp, u_int32_t val)
791 fprintf(fp, "Error %u", val);
798 print_ipctype(FILE *fp, u_char type, char raw)
801 fprintf(fp, "%u", type);
803 if (type == AT_IPC_MSG)
804 fprintf(fp, "Message IPC");
805 else if (type == AT_IPC_SEM)
806 fprintf(fp, "Semaphore IPC");
807 else if (type == AT_IPC_SHM)
808 fprintf(fp, "Shared Memory IPC");
810 fprintf(fp, "%u", type);
818 au_print_xml_header(FILE *outfp)
821 fprintf(outfp, "<?xml version='1.0' ?>\n");
822 fprintf(outfp, "<audit>\n");
829 au_print_xml_footer(FILE *outfp)
832 fprintf(outfp, "</audit>\n");
836 * record byte count 4 bytes
837 * version # 1 byte [2]
839 * event modifier 2 bytes
840 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
841 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
844 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
848 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
852 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
856 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
860 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
864 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
868 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
876 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
880 print_tok_type(fp, tok->id, "header", raw, xml);
882 open_attr(fp, "version");
883 print_1_byte(fp, tok->tt.hdr32.version, "%u");
885 open_attr(fp, "event");
886 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
888 open_attr(fp, "modifier");
889 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
891 open_attr(fp, "time");
892 print_sec32(fp, tok->tt.hdr32.s, raw);
894 open_attr(fp, "msec");
895 print_msec32(fp, tok->tt.hdr32.ms, 1);
897 close_tag(fp, tok->id);
899 print_delim(fp, del);
900 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
901 print_delim(fp, del);
902 print_1_byte(fp, tok->tt.hdr32.version, "%u");
903 print_delim(fp, del);
904 print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
905 print_delim(fp, del);
906 print_evmod(fp, tok->tt.hdr32.e_mod, raw);
907 print_delim(fp, del);
908 print_sec32(fp, tok->tt.hdr32.s, raw);
909 print_delim(fp, del);
910 print_msec32(fp, tok->tt.hdr32.ms, raw);
915 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
916 * depending on the bit of the specifications found. The OpenSolaris source
917 * code uses a 4-byte address length, followed by some number of bytes of
918 * address data. This contrasts with the Solaris audit.log.5 man page, which
919 * specifies a 1-byte length field. We use the Solaris 10 definition so that
920 * we can parse audit trails from that system.
922 * record byte count 4 bytes
923 * version # 1 byte [2]
925 * event modifier 2 bytes
926 * address type/length 4 bytes
927 * [ Solaris man page: address type/length 1 byte]
928 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
929 * seconds of time 4 bytes/8 bytes (32/64-bits)
930 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
933 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
937 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
941 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
945 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
949 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
953 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
957 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
958 switch (tok->tt.hdr32_ex.ad_type) {
960 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
961 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
967 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
968 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
972 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
976 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
984 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
988 print_tok_type(fp, tok->id, "header_ex", raw, xml);
990 open_attr(fp, "version");
991 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
993 open_attr(fp, "event");
994 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
996 open_attr(fp, "modifier");
997 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1000 * No attribute for additional types.
1002 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1003 tok->tt.hdr32_ex.addr);
1005 open_attr(fp, "time");
1006 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1008 open_attr(fp, "msec");
1009 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1011 close_tag(fp, tok->id);
1013 print_delim(fp, del);
1014 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1015 print_delim(fp, del);
1016 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1017 print_delim(fp, del);
1018 print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
1019 print_delim(fp, del);
1020 print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
1021 print_delim(fp, del);
1022 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1023 tok->tt.hdr32_ex.addr);
1024 print_delim(fp, del);
1025 print_sec32(fp, tok->tt.hdr32_ex.s, raw);
1026 print_delim(fp, del);
1027 print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
1032 * record byte count 4 bytes
1033 * event type 2 bytes
1034 * event modifier 2 bytes
1035 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1036 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1040 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1044 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1048 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1052 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1056 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1060 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1064 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1072 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
1076 print_tok_type(fp, tok->id, "header", raw, xml);
1078 open_attr(fp, "version");
1079 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1081 open_attr(fp, "event");
1082 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1084 open_attr(fp, "modifier");
1085 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1087 open_attr(fp, "time");
1088 print_sec64(fp, tok->tt.hdr64.s, raw);
1090 open_attr(fp, "msec");
1091 print_msec64(fp, tok->tt.hdr64.ms, raw);
1093 close_tag(fp, tok->id);
1095 print_delim(fp, del);
1096 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1097 print_delim(fp, del);
1098 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1099 print_delim(fp, del);
1100 print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
1101 print_delim(fp, del);
1102 print_evmod(fp, tok->tt.hdr64.e_mod, raw);
1103 print_delim(fp, del);
1104 print_sec64(fp, tok->tt.hdr64.s, raw);
1105 print_delim(fp, del);
1106 print_msec64(fp, tok->tt.hdr64.ms, raw);
1111 * record byte count 4 bytes
1112 * version # 1 byte [2]
1113 * event type 2 bytes
1114 * event modifier 2 bytes
1115 * address type/length 4 bytes
1116 * [ Solaris man page: address type/length 1 byte]
1117 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1118 * seconds of time 4 bytes/8 bytes (32/64-bits)
1119 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1121 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1122 * accuracy of the BSM spec.
1125 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1129 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1133 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1137 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1141 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1145 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1149 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1150 switch (tok->tt.hdr64_ex.ad_type) {
1152 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1153 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1159 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1160 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1164 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1168 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1176 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1180 print_tok_type(fp, tok->id, "header_ex", raw, xml);
1182 open_attr(fp, "version");
1183 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1185 open_attr(fp, "event");
1186 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1188 open_attr(fp, "modifier");
1189 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1192 * No attribute for additional types.
1194 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1195 tok->tt.hdr64_ex.addr);
1197 open_attr(fp, "time");
1198 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1200 open_attr(fp, "msec");
1201 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1203 close_tag(fp, tok->id);
1205 print_delim(fp, del);
1206 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1207 print_delim(fp, del);
1208 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1209 print_delim(fp, del);
1210 print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
1211 print_delim(fp, del);
1212 print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
1213 print_delim(fp, del);
1214 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1215 tok->tt.hdr64_ex.addr);
1216 print_delim(fp, del);
1217 print_sec64(fp, tok->tt.hdr64_ex.s, raw);
1218 print_delim(fp, del);
1219 print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
1224 * trailer magic 2 bytes
1225 * record size 4 bytes
1228 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1232 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1236 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1244 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1245 __unused char sfrm, int xml)
1248 print_tok_type(fp, tok->id, "trailer", raw, xml);
1250 print_delim(fp, del);
1251 print_4_bytes(fp, tok->tt.trail.count, "%u");
1257 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1258 * text length 2 bytes
1259 * text N bytes + 1 terminating NULL byte
1262 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1266 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1270 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1274 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1278 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1287 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1288 __unused char sfrm, int xml)
1291 print_tok_type(fp, tok->id, "argument", raw, xml);
1293 open_attr(fp, "arg-num");
1294 print_1_byte(fp, tok->tt.arg32.no, "%u");
1296 open_attr(fp, "value");
1297 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1299 open_attr(fp, "desc");
1300 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1302 close_tag(fp, tok->id);
1304 print_delim(fp, del);
1305 print_1_byte(fp, tok->tt.arg32.no, "%u");
1306 print_delim(fp, del);
1307 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1308 print_delim(fp, del);
1309 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1314 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1318 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1322 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1326 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1330 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1339 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1340 __unused char sfrm, int xml)
1343 print_tok_type(fp, tok->id, "argument", raw, xml);
1345 open_attr(fp, "arg-num");
1346 print_1_byte(fp, tok->tt.arg64.no, "%u");
1348 open_attr(fp, "value");
1349 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1351 open_attr(fp, "desc");
1352 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1354 close_tag(fp, tok->id);
1356 print_delim(fp, del);
1357 print_1_byte(fp, tok->tt.arg64.no, "%u");
1358 print_delim(fp, del);
1359 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1360 print_delim(fp, del);
1361 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1366 * how to print 1 byte
1369 * data items (depends on basic unit)
1372 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1377 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1381 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1385 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1390 * Determine the size of the basic unit.
1392 switch(tok->tt.arb.bu) {
1394 /* case AUR_CHAR: */
1395 datasize = AUR_BYTE_SIZE;
1399 datasize = AUR_SHORT_SIZE;
1404 datasize = AUR_INT32_SIZE;
1408 datasize = AUR_INT64_SIZE;
1415 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1424 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1425 __unused char sfrm, int xml)
1432 print_tok_type(fp, tok->id, "arbitrary", raw, xml);
1434 print_delim(fp, del);
1436 switch(tok->tt.arb.howtopr) {
1467 open_attr(fp, "print");
1468 fprintf(fp, "%s",str);
1471 print_string(fp, str, strlen(str));
1472 print_delim(fp, del);
1474 switch(tok->tt.arb.bu) {
1476 /* case AUR_CHAR: */
1478 size = AUR_BYTE_SIZE;
1480 open_attr(fp, "type");
1481 fprintf(fp, "%u", size);
1483 open_attr(fp, "count");
1484 print_1_byte(fp, tok->tt.arb.uc, "%u");
1487 for (i = 0; i<tok->tt.arb.uc; i++)
1488 fprintf(fp, format, *(tok->tt.arb.data +
1490 close_tag(fp, tok->id);
1492 print_string(fp, str, strlen(str));
1493 print_delim(fp, del);
1494 print_1_byte(fp, tok->tt.arb.uc, "%u");
1495 print_delim(fp, del);
1496 for (i = 0; i<tok->tt.arb.uc; i++)
1497 fprintf(fp, format, *(tok->tt.arb.data +
1504 size = AUR_SHORT_SIZE;
1506 open_attr(fp, "type");
1507 fprintf(fp, "%u", size);
1509 open_attr(fp, "count");
1510 print_1_byte(fp, tok->tt.arb.uc, "%u");
1513 for (i = 0; i < tok->tt.arb.uc; i++)
1515 *((u_int16_t *)(tok->tt.arb.data +
1517 close_tag(fp, tok->id);
1519 print_string(fp, str, strlen(str));
1520 print_delim(fp, del);
1521 print_1_byte(fp, tok->tt.arb.uc, "%u");
1522 print_delim(fp, del);
1523 for (i = 0; i < tok->tt.arb.uc; i++)
1525 *((u_int16_t *)(tok->tt.arb.data +
1533 size = AUR_INT32_SIZE;
1535 open_attr(fp, "type");
1536 fprintf(fp, "%u", size);
1538 open_attr(fp, "count");
1539 print_1_byte(fp, tok->tt.arb.uc, "%u");
1542 for (i = 0; i < tok->tt.arb.uc; i++)
1544 *((u_int32_t *)(tok->tt.arb.data +
1546 close_tag(fp, tok->id);
1548 print_string(fp, str, strlen(str));
1549 print_delim(fp, del);
1550 print_1_byte(fp, tok->tt.arb.uc, "%u");
1551 print_delim(fp, del);
1552 for (i = 0; i < tok->tt.arb.uc; i++)
1554 *((u_int32_t *)(tok->tt.arb.data +
1561 size = AUR_INT64_SIZE;
1563 open_attr(fp, "type");
1564 fprintf(fp, "%u", size);
1566 open_attr(fp, "count");
1567 print_1_byte(fp, tok->tt.arb.uc, "%u");
1570 for (i = 0; i < tok->tt.arb.uc; i++)
1572 *((u_int64_t *)(tok->tt.arb.data +
1574 close_tag(fp, tok->id);
1576 print_string(fp, str, strlen(str));
1577 print_delim(fp, del);
1578 print_1_byte(fp, tok->tt.arb.uc, "%u");
1579 print_delim(fp, del);
1580 for (i = 0; i < tok->tt.arb.uc; i++)
1582 *((u_int64_t *)(tok->tt.arb.data +
1593 * file access mode 4 bytes
1594 * owner user ID 4 bytes
1595 * owner group ID 4 bytes
1596 * file system ID 4 bytes
1598 * device 4 bytes/8 bytes (32-bit/64-bit)
1601 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1605 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1609 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1613 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1617 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1621 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1625 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1633 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1634 __unused char sfrm, int xml)
1637 print_tok_type(fp, tok->id, "attribute", raw, xml);
1639 open_attr(fp, "mode");
1640 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1642 open_attr(fp, "uid");
1643 print_user(fp, tok->tt.attr32.uid, raw);
1645 open_attr(fp, "gid");
1646 print_group(fp, tok->tt.attr32.gid, raw);
1648 open_attr(fp, "fsid");
1649 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1651 open_attr(fp, "nodeid");
1652 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1654 open_attr(fp, "device");
1655 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1657 close_tag(fp, tok->id);
1659 print_delim(fp, del);
1660 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1661 print_delim(fp, del);
1662 print_user(fp, tok->tt.attr32.uid, raw);
1663 print_delim(fp, del);
1664 print_group(fp, tok->tt.attr32.gid, raw);
1665 print_delim(fp, del);
1666 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1667 print_delim(fp, del);
1668 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1669 print_delim(fp, del);
1670 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1675 * file access mode 4 bytes
1676 * owner user ID 4 bytes
1677 * owner group ID 4 bytes
1678 * file system ID 4 bytes
1680 * device 4 bytes/8 bytes (32-bit/64-bit)
1683 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1687 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1691 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1695 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1699 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1703 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1707 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1715 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1716 __unused char sfrm, int xml)
1719 print_tok_type(fp, tok->id, "attribute", raw, xml);
1721 open_attr(fp, "mode");
1722 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1724 open_attr(fp, "uid");
1725 print_user(fp, tok->tt.attr64.uid, raw);
1727 open_attr(fp, "gid");
1728 print_group(fp, tok->tt.attr64.gid, raw);
1730 open_attr(fp, "fsid");
1731 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1733 open_attr(fp, "nodeid");
1734 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1736 open_attr(fp, "device");
1737 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1739 close_tag(fp, tok->id);
1741 print_delim(fp, del);
1742 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1743 print_delim(fp, del);
1744 print_user(fp, tok->tt.attr64.uid, raw);
1745 print_delim(fp, del);
1746 print_group(fp, tok->tt.attr64.gid, raw);
1747 print_delim(fp, del);
1748 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1749 print_delim(fp, del);
1750 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1751 print_delim(fp, del);
1752 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1758 * return value 4 bytes
1761 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1765 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1769 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1777 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1778 __unused char sfrm, int xml)
1781 print_tok_type(fp, tok->id, "exit", raw, xml);
1783 open_attr(fp, "errval");
1784 print_errval(fp, tok->tt.exit.status);
1786 open_attr(fp, "retval");
1787 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1789 close_tag(fp, tok->id);
1791 print_delim(fp, del);
1792 print_errval(fp, tok->tt.exit.status);
1793 print_delim(fp, del);
1794 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1800 * text count null-terminated string(s)
1803 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1809 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1813 for (i = 0; i < tok->tt.execarg.count; i++) {
1814 bptr = buf + tok->len;
1815 if (i < AUDIT_MAX_ARGS)
1816 tok->tt.execarg.text[i] = (char*)bptr;
1818 /* Look for a null terminated string. */
1819 while (bptr && (*bptr != '\0')) {
1820 if (++tok->len >=len)
1822 bptr = buf + tok->len;
1826 tok->len++; /* \0 character */
1828 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1829 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1835 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1836 __unused char sfrm, int xml)
1840 print_tok_type(fp, tok->id, "exec arg", raw, xml);
1841 for (i = 0; i < tok->tt.execarg.count; i++) {
1843 fprintf(fp, "<arg>");
1844 print_string(fp, tok->tt.execarg.text[i],
1845 strlen(tok->tt.execarg.text[i]));
1846 fprintf(fp, "</arg>");
1848 print_delim(fp, del);
1849 print_string(fp, tok->tt.execarg.text[i],
1850 strlen(tok->tt.execarg.text[i]));
1854 close_tag(fp, tok->id);
1859 * text count null-terminated string(s)
1862 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1868 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1872 for (i = 0; i < tok->tt.execenv.count; i++) {
1873 bptr = buf + tok->len;
1874 if (i < AUDIT_MAX_ENV)
1875 tok->tt.execenv.text[i] = (char*)bptr;
1877 /* Look for a null terminated string. */
1878 while (bptr && (*bptr != '\0')) {
1879 if (++tok->len >=len)
1881 bptr = buf + tok->len;
1885 tok->len++; /* \0 character */
1887 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1888 tok->tt.execenv.count = AUDIT_MAX_ENV;
1894 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1895 __unused char sfrm, int xml)
1899 print_tok_type(fp, tok->id, "exec env", raw, xml);
1900 for (i = 0; i< tok->tt.execenv.count; i++) {
1902 fprintf(fp, "<env>");
1903 print_string(fp, tok->tt.execenv.text[i],
1904 strlen(tok->tt.execenv.text[i]));
1905 fprintf(fp, "</env>");
1907 print_delim(fp, del);
1908 print_string(fp, tok->tt.execenv.text[i],
1909 strlen(tok->tt.execenv.text[i]));
1913 close_tag(fp, tok->id);
1917 * seconds of time 4 bytes
1918 * milliseconds of time 4 bytes
1919 * file name len 2 bytes
1920 * file pathname N bytes + 1 terminating NULL byte
1923 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1927 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1931 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1935 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1939 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
1948 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1949 __unused char sfrm, int xml)
1952 print_tok_type(fp, tok->id, "file", raw, xml);
1954 open_attr(fp, "time");
1955 print_sec32(fp, tok->tt.file.s, raw);
1957 open_attr(fp, "msec");
1958 print_msec32(fp, tok->tt.file.ms, raw);
1961 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1962 close_tag(fp, tok->id);
1964 print_delim(fp, del);
1965 print_sec32(fp, tok->tt.file.s, raw);
1966 print_delim(fp, del);
1967 print_msec32(fp, tok->tt.file.ms, raw);
1968 print_delim(fp, del);
1969 print_string(fp, tok->tt.file.name, tok->tt.file.len);
1974 * number groups 2 bytes
1975 * group list count * 4 bytes
1978 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
1983 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
1987 for (i = 0; i<tok->tt.grps.no; i++) {
1988 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
1998 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
1999 __unused char sfrm, int xml)
2003 print_tok_type(fp, tok->id, "group", raw, xml);
2004 for (i = 0; i < tok->tt.grps.no; i++) {
2006 fprintf(fp, "<gid>");
2007 print_group(fp, tok->tt.grps.list[i], raw);
2008 fprintf(fp, "</gid>");
2009 close_tag(fp, tok->id);
2011 print_delim(fp, del);
2012 print_group(fp, tok->tt.grps.list[i], raw);
2018 * Internet addr 4 bytes
2021 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2025 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2035 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2036 __unused char sfrm, int xml)
2039 print_tok_type(fp, tok->id, "ip addr", raw, xml);
2041 print_ip_address(fp, tok->tt.inaddr.addr);
2042 close_tag(fp, tok->id);
2044 print_delim(fp, del);
2045 print_ip_address(fp, tok->tt.inaddr.addr);
2054 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2058 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2062 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2063 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2064 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2067 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2068 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2069 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2079 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2080 __unused char sfrm, int xml)
2083 print_tok_type(fp, tok->id, "ip addr ex", raw, xml);
2085 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2086 tok->tt.inaddr_ex.addr);
2087 close_tag(fp, tok->id);
2089 print_delim(fp, del);
2090 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2091 tok->tt.inaddr_ex.addr);
2096 * ip header 20 bytes
2099 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2103 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2107 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2111 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2116 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2121 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2126 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2130 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2134 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2139 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2144 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2153 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2154 __unused char sfrm, int xml)
2157 print_tok_type(fp, tok->id, "ip", raw, xml);
2159 open_attr(fp, "version");
2160 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2163 open_attr(fp, "service_type");
2164 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2166 open_attr(fp, "len");
2167 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2169 open_attr(fp, "id");
2170 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2172 open_attr(fp, "offset");
2173 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2175 open_attr(fp, "time_to_live");
2176 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2178 open_attr(fp, "protocol");
2179 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2181 open_attr(fp, "cksum");
2182 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2184 open_attr(fp, "src_addr");
2185 print_ip_address(fp, tok->tt.ip.src);
2187 open_attr(fp, "dest_addr");
2188 print_ip_address(fp, tok->tt.ip.dest);
2190 close_tag(fp, tok->id);
2192 print_delim(fp, del);
2193 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2195 print_delim(fp, del);
2196 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2197 print_delim(fp, del);
2198 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2199 print_delim(fp, del);
2200 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2201 print_delim(fp, del);
2202 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2203 print_delim(fp, del);
2204 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2205 print_delim(fp, del);
2206 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2207 print_delim(fp, del);
2208 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2209 print_delim(fp, del);
2210 print_ip_address(fp, tok->tt.ip.src);
2211 print_delim(fp, del);
2212 print_ip_address(fp, tok->tt.ip.dest);
2217 * object ID type 1 byte
2221 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2225 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2229 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2237 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2238 __unused char sfrm, int xml)
2241 print_tok_type(fp, tok->id, "IPC", raw, xml);
2243 open_attr(fp, "ipc-type");
2244 print_ipctype(fp, tok->tt.ipc.type, raw);
2246 open_attr(fp, "ipc-id");
2247 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2249 close_tag(fp, tok->id);
2251 print_delim(fp, del);
2252 print_ipctype(fp, tok->tt.ipc.type, raw);
2253 print_delim(fp, del);
2254 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2259 * owner user id 4 bytes
2260 * owner group id 4 bytes
2261 * creator user id 4 bytes
2262 * creator group id 4 bytes
2263 * access mode 4 bytes
2268 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2272 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2276 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2280 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2284 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2288 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2292 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2296 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2304 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2305 __unused char sfrm, int xml)
2308 print_tok_type(fp, tok->id, "IPC perm", raw, xml);
2310 open_attr(fp, "uid");
2311 print_user(fp, tok->tt.ipcperm.uid, raw);
2313 open_attr(fp, "gid");
2314 print_group(fp, tok->tt.ipcperm.gid, raw);
2316 open_attr(fp, "creator-uid");
2317 print_user(fp, tok->tt.ipcperm.puid, raw);
2319 open_attr(fp, "creator-gid");
2320 print_group(fp, tok->tt.ipcperm.pgid, raw);
2322 open_attr(fp, "mode");
2323 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2325 open_attr(fp, "seq");
2326 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2328 open_attr(fp, "key");
2329 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2331 close_tag(fp, tok->id);
2333 print_delim(fp, del);
2334 print_user(fp, tok->tt.ipcperm.uid, raw);
2335 print_delim(fp, del);
2336 print_group(fp, tok->tt.ipcperm.gid, raw);
2337 print_delim(fp, del);
2338 print_user(fp, tok->tt.ipcperm.puid, raw);
2339 print_delim(fp, del);
2340 print_group(fp, tok->tt.ipcperm.pgid, raw);
2341 print_delim(fp, del);
2342 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2343 print_delim(fp, del);
2344 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2345 print_delim(fp, del);
2346 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2351 * port Ip address 2 bytes
2354 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2358 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2367 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2368 __unused char sfrm, int xml)
2371 print_tok_type(fp, tok->id, "ip port", raw, xml);
2373 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2374 close_tag(fp, tok->id);
2376 print_delim(fp, del);
2377 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2386 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2390 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2394 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2403 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2404 __unused char sfrm, int xml)
2407 print_tok_type(fp, tok->id, "opaque", raw, xml);
2409 print_mem(fp, (u_char*)tok->tt.opaque.data,
2410 tok->tt.opaque.size);
2411 close_tag(fp, tok->id);
2413 print_delim(fp, del);
2414 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2415 print_delim(fp, del);
2416 print_mem(fp, (u_char*)tok->tt.opaque.data,
2417 tok->tt.opaque.size);
2426 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2430 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2434 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2443 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2444 __unused char sfrm, int xml)
2447 print_tok_type(fp, tok->id, "path", raw, xml);
2449 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2450 close_tag(fp, tok->id);
2452 print_delim(fp, del);
2453 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2468 * machine id 4 bytes
2471 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2475 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2479 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2483 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2487 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2491 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2495 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2499 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2503 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2507 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2508 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2516 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2517 __unused char sfrm, int xml)
2520 print_tok_type(fp, tok->id, "process", raw, xml);
2522 open_attr(fp, "audit-uid");
2523 print_user(fp, tok->tt.proc32.auid, raw);
2525 open_attr(fp, "uid");
2526 print_user(fp, tok->tt.proc32.euid, raw);
2528 open_attr(fp, "gid");
2529 print_group(fp, tok->tt.proc32.egid, raw);
2531 open_attr(fp, "ruid");
2532 print_user(fp, tok->tt.proc32.ruid, raw);
2534 open_attr(fp, "rgid");
2535 print_group(fp, tok->tt.proc32.rgid, raw);
2537 open_attr(fp, "pid");
2538 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2540 open_attr(fp, "sid");
2541 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2543 open_attr(fp, "tid");
2544 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2545 print_ip_address(fp, tok->tt.proc32.tid.addr);
2547 close_tag(fp, tok->id);
2549 print_delim(fp, del);
2550 print_user(fp, tok->tt.proc32.auid, raw);
2551 print_delim(fp, del);
2552 print_user(fp, tok->tt.proc32.euid, raw);
2553 print_delim(fp, del);
2554 print_group(fp, tok->tt.proc32.egid, raw);
2555 print_delim(fp, del);
2556 print_user(fp, tok->tt.proc32.ruid, raw);
2557 print_delim(fp, del);
2558 print_group(fp, tok->tt.proc32.rgid, raw);
2559 print_delim(fp, del);
2560 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2561 print_delim(fp, del);
2562 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2563 print_delim(fp, del);
2564 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2565 print_delim(fp, del);
2566 print_ip_address(fp, tok->tt.proc32.tid.addr);
2581 * machine id 4 bytes
2584 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2588 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2592 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2596 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2600 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2604 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2608 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2612 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2616 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2620 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2621 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2629 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2630 __unused char sfrm, int xml)
2632 print_tok_type(fp, tok->id, "process", raw, xml);
2634 open_attr(fp, "audit-uid");
2635 print_user(fp, tok->tt.proc64.auid, raw);
2637 open_attr(fp, "uid");
2638 print_user(fp, tok->tt.proc64.euid, raw);
2640 open_attr(fp, "gid");
2641 print_group(fp, tok->tt.proc64.egid, raw);
2643 open_attr(fp, "ruid");
2644 print_user(fp, tok->tt.proc64.ruid, raw);
2646 open_attr(fp, "rgid");
2647 print_group(fp, tok->tt.proc64.rgid, raw);
2649 open_attr(fp, "pid");
2650 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2652 open_attr(fp, "sid");
2653 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2655 open_attr(fp, "tid");
2656 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2657 print_ip_address(fp, tok->tt.proc64.tid.addr);
2659 close_tag(fp, tok->id);
2661 print_delim(fp, del);
2662 print_user(fp, tok->tt.proc64.auid, raw);
2663 print_delim(fp, del);
2664 print_user(fp, tok->tt.proc64.euid, raw);
2665 print_delim(fp, del);
2666 print_group(fp, tok->tt.proc64.egid, raw);
2667 print_delim(fp, del);
2668 print_user(fp, tok->tt.proc64.ruid, raw);
2669 print_delim(fp, del);
2670 print_group(fp, tok->tt.proc64.rgid, raw);
2671 print_delim(fp, del);
2672 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2673 print_delim(fp, del);
2674 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2675 print_delim(fp, del);
2676 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2677 print_delim(fp, del);
2678 print_ip_address(fp, tok->tt.proc64.tid.addr);
2685 * effective user ID 4 bytes
2686 * effective group ID 4 bytes
2687 * real user ID 4 bytes
2688 * real group ID 4 bytes
2689 * process ID 4 bytes
2690 * session ID 4 bytes
2693 * address type-len 4 bytes
2694 * machine address 16 bytes
2697 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2701 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2705 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2709 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2713 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2717 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2721 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2725 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2729 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2734 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2739 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2740 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2741 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2744 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2745 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2746 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2756 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2757 __unused char sfrm, int xml)
2760 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2762 open_attr(fp, "audit-uid");
2763 print_user(fp, tok->tt.proc32_ex.auid, raw);
2765 open_attr(fp, "uid");
2766 print_user(fp, tok->tt.proc32_ex.euid, raw);
2768 open_attr(fp, "gid");
2769 print_group(fp, tok->tt.proc32_ex.egid, raw);
2771 open_attr(fp, "ruid");
2772 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2774 open_attr(fp, "rgid");
2775 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2777 open_attr(fp, "pid");
2778 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2780 open_attr(fp, "sid");
2781 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2783 open_attr(fp, "tid");
2784 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2785 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2786 tok->tt.proc32_ex.tid.addr);
2788 close_tag(fp, tok->id);
2790 print_delim(fp, del);
2791 print_user(fp, tok->tt.proc32_ex.auid, raw);
2792 print_delim(fp, del);
2793 print_user(fp, tok->tt.proc32_ex.euid, raw);
2794 print_delim(fp, del);
2795 print_group(fp, tok->tt.proc32_ex.egid, raw);
2796 print_delim(fp, del);
2797 print_user(fp, tok->tt.proc32_ex.ruid, raw);
2798 print_delim(fp, del);
2799 print_group(fp, tok->tt.proc32_ex.rgid, raw);
2800 print_delim(fp, del);
2801 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2802 print_delim(fp, del);
2803 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2804 print_delim(fp, del);
2805 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2806 print_delim(fp, del);
2807 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2808 tok->tt.proc32_ex.tid.addr);
2815 * effective user ID 4 bytes
2816 * effective group ID 4 bytes
2817 * real user ID 4 bytes
2818 * real group ID 4 bytes
2819 * process ID 4 bytes
2820 * session ID 4 bytes
2823 * address type-len 4 bytes
2824 * machine address 16 bytes
2827 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2831 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2835 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2839 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2843 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2847 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2851 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2855 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2859 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2864 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2869 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2870 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2871 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2874 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2875 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2876 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2886 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2887 __unused char sfrm, int xml)
2889 print_tok_type(fp, tok->id, "process_ex", raw, xml);
2891 open_attr(fp, "audit-uid");
2892 print_user(fp, tok->tt.proc64_ex.auid, raw);
2894 open_attr(fp, "uid");
2895 print_user(fp, tok->tt.proc64_ex.euid, raw);
2897 open_attr(fp, "gid");
2898 print_group(fp, tok->tt.proc64_ex.egid, raw);
2900 open_attr(fp, "ruid");
2901 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2903 open_attr(fp, "rgid");
2904 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2906 open_attr(fp, "pid");
2907 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2909 open_attr(fp, "sid");
2910 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2912 open_attr(fp, "tid");
2913 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2914 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2915 tok->tt.proc64_ex.tid.addr);
2917 close_tag(fp, tok->id);
2919 print_delim(fp, del);
2920 print_user(fp, tok->tt.proc64_ex.auid, raw);
2921 print_delim(fp, del);
2922 print_user(fp, tok->tt.proc64_ex.euid, raw);
2923 print_delim(fp, del);
2924 print_group(fp, tok->tt.proc64_ex.egid, raw);
2925 print_delim(fp, del);
2926 print_user(fp, tok->tt.proc64_ex.ruid, raw);
2927 print_delim(fp, del);
2928 print_group(fp, tok->tt.proc64_ex.rgid, raw);
2929 print_delim(fp, del);
2930 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2931 print_delim(fp, del);
2932 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2933 print_delim(fp, del);
2934 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2935 print_delim(fp, del);
2936 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2937 tok->tt.proc64_ex.tid.addr);
2943 * return value 4 bytes
2946 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2950 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2954 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
2962 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
2963 __unused char sfrm, int xml)
2966 print_tok_type(fp, tok->id, "return", raw, xml);
2968 open_attr(fp ,"errval");
2969 print_retval(fp, tok->tt.ret32.status, raw);
2971 open_attr(fp, "retval");
2972 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2974 close_tag(fp, tok->id);
2976 print_delim(fp, del);
2977 print_retval(fp, tok->tt.ret32.status, raw);
2978 print_delim(fp, del);
2979 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
2984 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
2988 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
2992 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3000 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3001 __unused char sfrm, int xml)
3004 print_tok_type(fp, tok->id, "return", raw, xml);
3006 open_attr(fp, "errval");
3007 print_retval(fp, tok->tt.ret64.err, raw);
3009 open_attr(fp, "retval");
3010 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3012 close_tag(fp, tok->id);
3014 print_delim(fp, del);
3015 print_retval(fp, tok->tt.ret64.err, raw);
3016 print_delim(fp, del);
3017 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3025 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3029 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3037 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3038 __unused char sfrm, int xml)
3041 print_tok_type(fp, tok->id, "sequence", raw, xml);
3043 open_attr(fp, "seq-num");
3044 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3046 close_tag(fp, tok->id);
3048 print_delim(fp, del);
3049 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3054 * socket family 2 bytes
3055 * local port 2 bytes
3056 * socket address 4 bytes
3059 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3063 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet32.family, tok->len,
3068 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.port,
3069 sizeof(uint16_t), tok->len, err);
3073 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet32.addr,
3074 sizeof(tok->tt.sockinet32.addr), tok->len, err);
3082 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3083 __unused char sfrm, int xml)
3086 print_tok_type(fp, tok->id, "socket-inet", raw, xml);
3088 open_attr(fp, "type");
3089 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3091 open_attr(fp, "port");
3092 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3094 open_attr(fp, "addr");
3095 print_ip_address(fp, tok->tt.sockinet32.addr);
3097 close_tag(fp, tok->id);
3099 print_delim(fp, del);
3100 print_2_bytes(fp, tok->tt.sockinet32.family, "%u");
3101 print_delim(fp, del);
3102 print_2_bytes(fp, ntohs(tok->tt.sockinet32.port), "%u");
3103 print_delim(fp, del);
3104 print_ip_address(fp, tok->tt.sockinet32.addr);
3109 * socket family 2 bytes
3113 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3117 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3121 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, 104, tok->len,
3130 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3131 __unused char sfrm, int xml)
3134 print_tok_type(fp, tok->id, "socket-unix", raw, xml);
3136 open_attr(fp, "type");
3137 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3139 open_attr(fp, "port");
3141 open_attr(fp, "addr");
3142 print_string(fp, tok->tt.sockunix.path,
3143 strlen(tok->tt.sockunix.path));
3145 close_tag(fp, tok->id);
3147 print_delim(fp, del);
3148 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3149 print_delim(fp, del);
3150 print_string(fp, tok->tt.sockunix.path,
3151 strlen(tok->tt.sockunix.path));
3156 * socket type 2 bytes
3157 * local port 2 bytes
3158 * local address 4 bytes
3159 * remote port 2 bytes
3160 * remote address 4 bytes
3163 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3167 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3171 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3176 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3177 sizeof(tok->tt.socket.l_addr), tok->len, err);
3181 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3186 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3187 sizeof(tok->tt.socket.r_addr), tok->len, err);
3195 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3196 __unused char sfrm, int xml)
3199 print_tok_type(fp, tok->id, "socket", raw, xml);
3201 open_attr(fp, "sock_type");
3202 print_2_bytes(fp, tok->tt.socket.type, "%u");
3204 open_attr(fp, "lport");
3205 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3207 open_attr(fp, "laddr");
3208 print_ip_address(fp, tok->tt.socket.l_addr);
3210 open_attr(fp, "fport");
3211 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3213 open_attr(fp, "faddr");
3214 print_ip_address(fp, tok->tt.socket.r_addr);
3216 close_tag(fp, tok->id);
3218 print_delim(fp, del);
3219 print_2_bytes(fp, tok->tt.socket.type, "%u");
3220 print_delim(fp, del);
3221 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3222 print_delim(fp, del);
3223 print_ip_address(fp, tok->tt.socket.l_addr);
3224 print_delim(fp, del);
3225 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3226 print_delim(fp, del);
3227 print_ip_address(fp, tok->tt.socket.r_addr);
3240 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3241 * machine id 4 bytes
3244 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3248 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3252 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3256 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3260 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3264 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3268 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3272 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3276 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3280 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3281 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3289 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3290 __unused char sfrm, int xml)
3293 print_tok_type(fp, tok->id, "subject", raw, xml);
3295 open_attr(fp, "audit-uid");
3296 print_user(fp, tok->tt.subj32.auid, raw);
3298 open_attr(fp, "uid");
3299 print_user(fp, tok->tt.subj32.euid, raw);
3301 open_attr(fp, "gid");
3302 print_group(fp, tok->tt.subj32.egid, raw);
3304 open_attr(fp, "ruid");
3305 print_user(fp, tok->tt.subj32.ruid, raw);
3307 open_attr(fp, "rgid");
3308 print_group(fp, tok->tt.subj32.rgid, raw);
3310 open_attr(fp,"pid");
3311 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3313 open_attr(fp,"sid");
3314 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3316 open_attr(fp,"tid");
3317 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3318 print_ip_address(fp, tok->tt.subj32.tid.addr);
3320 close_tag(fp, tok->id);
3322 print_delim(fp, del);
3323 print_user(fp, tok->tt.subj32.auid, raw);
3324 print_delim(fp, del);
3325 print_user(fp, tok->tt.subj32.euid, raw);
3326 print_delim(fp, del);
3327 print_group(fp, tok->tt.subj32.egid, raw);
3328 print_delim(fp, del);
3329 print_user(fp, tok->tt.subj32.ruid, raw);
3330 print_delim(fp, del);
3331 print_group(fp, tok->tt.subj32.rgid, raw);
3332 print_delim(fp, del);
3333 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3334 print_delim(fp, del);
3335 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3336 print_delim(fp, del);
3337 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3338 print_delim(fp, del);
3339 print_ip_address(fp, tok->tt.subj32.tid.addr);
3352 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3353 * machine id 4 bytes
3356 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3360 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3364 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3368 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3372 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3376 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3380 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3384 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3388 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3392 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3393 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3401 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3402 __unused char sfrm, int xml)
3405 print_tok_type(fp, tok->id, "subject", raw, xml);
3407 open_attr(fp, "audit-uid");
3408 print_user(fp, tok->tt.subj64.auid, raw);
3410 open_attr(fp, "uid");
3411 print_user(fp, tok->tt.subj64.euid, raw);
3413 open_attr(fp, "gid");
3414 print_group(fp, tok->tt.subj64.egid, raw);
3416 open_attr(fp, "ruid");
3417 print_user(fp, tok->tt.subj64.ruid, raw);
3419 open_attr(fp, "rgid");
3420 print_group(fp, tok->tt.subj64.rgid, raw);
3422 open_attr(fp, "pid");
3423 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3425 open_attr(fp, "sid");
3426 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3428 open_attr(fp, "tid");
3429 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3430 print_ip_address(fp, tok->tt.subj64.tid.addr);
3432 close_tag(fp, tok->id);
3434 print_delim(fp, del);
3435 print_user(fp, tok->tt.subj64.auid, raw);
3436 print_delim(fp, del);
3437 print_user(fp, tok->tt.subj64.euid, raw);
3438 print_delim(fp, del);
3439 print_group(fp, tok->tt.subj64.egid, raw);
3440 print_delim(fp, del);
3441 print_user(fp, tok->tt.subj64.ruid, raw);
3442 print_delim(fp, del);
3443 print_group(fp, tok->tt.subj64.rgid, raw);
3444 print_delim(fp, del);
3445 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3446 print_delim(fp, del);
3447 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3448 print_delim(fp, del);
3449 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3450 print_delim(fp, del);
3451 print_ip_address(fp, tok->tt.subj64.tid.addr);
3466 * machine id 16 bytes
3469 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3473 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3477 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3481 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3485 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3489 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3493 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3497 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3501 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3506 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3511 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3512 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3513 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3516 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3517 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3518 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3528 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3529 __unused char sfrm, int xml)
3532 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3534 open_attr(fp, "audit-uid");
3535 print_user(fp, tok->tt.subj32_ex.auid, raw);
3537 open_attr(fp, "uid");
3538 print_user(fp, tok->tt.subj32_ex.euid, raw);
3540 open_attr(fp, "gid");
3541 print_group(fp, tok->tt.subj32_ex.egid, raw);
3543 open_attr(fp, "ruid");
3544 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3546 open_attr(fp, "rgid");
3547 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3549 open_attr(fp, "pid");
3550 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3552 open_attr(fp, "sid");
3553 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3555 open_attr(fp, "tid");
3556 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3557 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3558 tok->tt.subj32_ex.tid.addr);
3560 close_tag(fp, tok->id);
3562 print_delim(fp, del);
3563 print_user(fp, tok->tt.subj32_ex.auid, raw);
3564 print_delim(fp, del);
3565 print_user(fp, tok->tt.subj32_ex.euid, raw);
3566 print_delim(fp, del);
3567 print_group(fp, tok->tt.subj32_ex.egid, raw);
3568 print_delim(fp, del);
3569 print_user(fp, tok->tt.subj32_ex.ruid, raw);
3570 print_delim(fp, del);
3571 print_group(fp, tok->tt.subj32_ex.rgid, raw);
3572 print_delim(fp, del);
3573 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3574 print_delim(fp, del);
3575 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3576 print_delim(fp, del);
3577 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3578 print_delim(fp, del);
3579 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3580 tok->tt.subj32_ex.tid.addr);
3595 * machine id 16 bytes
3598 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3602 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3606 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3610 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3614 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3618 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3622 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3626 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3630 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3635 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3640 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3641 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3642 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3645 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3646 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3647 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3657 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3658 __unused char sfrm, int xml)
3660 print_tok_type(fp, tok->id, "subject_ex", raw, xml);
3662 open_attr(fp, "audit-uid");
3663 print_user(fp, tok->tt.subj64_ex.auid, raw);
3665 open_attr(fp, "uid");
3666 print_user(fp, tok->tt.subj64_ex.euid, raw);
3668 open_attr(fp, "gid");
3669 print_group(fp, tok->tt.subj64_ex.egid, raw);
3671 open_attr(fp, "ruid");
3672 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3674 open_attr(fp, "rgid");
3675 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3677 open_attr(fp, "pid");
3678 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3680 open_attr(fp, "sid");
3681 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3683 open_attr(fp, "tid");
3684 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3685 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3686 tok->tt.subj64_ex.tid.addr);
3688 close_tag(fp, tok->id);
3690 print_delim(fp, del);
3691 print_user(fp, tok->tt.subj64_ex.auid, raw);
3692 print_delim(fp, del);
3693 print_user(fp, tok->tt.subj64_ex.euid, raw);
3694 print_delim(fp, del);
3695 print_group(fp, tok->tt.subj64_ex.egid, raw);
3696 print_delim(fp, del);
3697 print_user(fp, tok->tt.subj64_ex.ruid, raw);
3698 print_delim(fp, del);
3699 print_group(fp, tok->tt.subj64_ex.rgid, raw);
3700 print_delim(fp, del);
3701 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3702 print_delim(fp, del);
3703 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3704 print_delim(fp, del);
3705 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3706 print_delim(fp, del);
3707 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3708 tok->tt.subj64_ex.tid.addr);
3717 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3721 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3725 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3734 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3735 __unused char sfrm, int xml)
3738 print_tok_type(fp, tok->id, "text", raw, xml);
3740 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3741 close_tag(fp, tok->id);
3743 print_delim(fp, del);
3744 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3749 * socket type 2 bytes
3750 * local port 2 bytes
3751 * address type/length 4 bytes
3752 * local Internet address 4 bytes
3753 * remote port 4 bytes
3754 * address type/length 4 bytes
3755 * remote Internet address 4 bytes
3758 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3762 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3767 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3768 sizeof(uint16_t), tok->len, err);
3772 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.l_ad_type, tok->len,
3777 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3778 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3782 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3783 sizeof(uint16_t), tok->len, err);
3787 READ_TOKEN_U_INT32(buf, len, tok->tt.socket_ex32.r_ad_type, tok->len,
3792 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3793 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
3801 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3802 __unused char sfrm, int xml)
3805 print_tok_type(fp, tok->id, "socket", raw, xml);
3807 open_attr(fp, "sock_type");
3808 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3810 open_attr(fp, "lport");
3811 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3813 open_attr(fp, "laddr");
3814 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3816 open_attr(fp, "faddr");
3817 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3819 open_attr(fp, "fport");
3820 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3822 close_tag(fp, tok->id);
3824 print_delim(fp, del);
3825 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
3826 print_delim(fp, del);
3827 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
3828 print_delim(fp, del);
3829 print_ip_address(fp, tok->tt.socket_ex32.l_addr);
3830 print_delim(fp, del);
3831 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
3832 print_delim(fp, del);
3833 print_ip_address(fp, tok->tt.socket_ex32.r_addr);
3838 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
3843 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
3844 if (recoversize <= 0)
3847 tok->tt.invalid.length = recoversize;
3849 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
3858 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3859 __unused char sfrm, int xml)
3863 print_tok_type(fp, tok->id, "unknown", raw, 0);
3864 print_delim(fp, del);
3865 print_mem(fp, (u_char*)tok->tt.invalid.data,
3866 tok->tt.invalid.length);
3873 * zonename size bytes;
3876 fetch_zonename_tok(tokenstr_t *tok, char *buf, int len)
3880 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
3883 SET_PTR(buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
3891 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
3892 __unused char sfrm, int xml)
3895 print_tok_type(fp, tok->id, "zone", raw, xml);
3897 open_attr(fp, "name");
3898 print_string(fp, tok->tt.zonename.zonename,
3899 tok->tt.zonename.len);
3901 close_tag(fp, tok->id);
3903 print_delim(fp, del);
3904 print_string(fp, tok->tt.zonename.zonename,
3905 tok->tt.zonename.len);
3910 * Reads the token beginning at buf into tok.
3913 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
3925 return (fetch_header32_tok(tok, buf, len));
3927 case AUT_HEADER32_EX:
3928 return (fetch_header32_ex_tok(tok, buf, len));
3931 return (fetch_header64_tok(tok, buf, len));
3933 case AUT_HEADER64_EX:
3934 return (fetch_header64_ex_tok(tok, buf, len));
3937 return (fetch_trailer_tok(tok, buf, len));
3940 return (fetch_arg32_tok(tok, buf, len));
3943 return (fetch_arg64_tok(tok, buf, len));
3946 return (fetch_attr32_tok(tok, buf, len));
3949 return (fetch_attr64_tok(tok, buf, len));
3952 return (fetch_exit_tok(tok, buf, len));
3955 return (fetch_execarg_tok(tok, buf, len));
3958 return (fetch_execenv_tok(tok, buf, len));
3960 case AUT_OTHER_FILE32:
3961 return (fetch_file_tok(tok, buf, len));
3964 return (fetch_newgroups_tok(tok, buf, len));
3967 return (fetch_inaddr_tok(tok, buf, len));
3969 case AUT_IN_ADDR_EX:
3970 return (fetch_inaddr_ex_tok(tok, buf, len));
3973 return (fetch_ip_tok(tok, buf, len));
3976 return (fetch_ipc_tok(tok, buf, len));
3979 return (fetch_ipcperm_tok(tok, buf, len));
3982 return (fetch_iport_tok(tok, buf, len));
3985 return (fetch_opaque_tok(tok, buf, len));
3988 return (fetch_path_tok(tok, buf, len));
3991 return (fetch_process32_tok(tok, buf, len));
3993 case AUT_PROCESS32_EX:
3994 return (fetch_process32ex_tok(tok, buf, len));
3997 return (fetch_process64_tok(tok, buf, len));
3999 case AUT_PROCESS64_EX:
4000 return (fetch_process64ex_tok(tok, buf, len));
4003 return (fetch_return32_tok(tok, buf, len));
4006 return (fetch_return64_tok(tok, buf, len));
4009 return (fetch_seq_tok(tok, buf, len));
4012 return (fetch_socket_tok(tok, buf, len));
4014 case AUT_SOCKINET32:
4015 return (fetch_sock_inet32_tok(tok, buf, len));
4018 return (fetch_sock_unix_tok(tok, buf, len));
4021 return (fetch_subject32_tok(tok, buf, len));
4023 case AUT_SUBJECT32_EX:
4024 return (fetch_subject32ex_tok(tok, buf, len));
4027 return (fetch_subject64_tok(tok, buf, len));
4029 case AUT_SUBJECT64_EX:
4030 return (fetch_subject64ex_tok(tok, buf, len));
4033 return (fetch_text_tok(tok, buf, len));
4036 return (fetch_socketex32_tok(tok, buf, len));
4039 return (fetch_arb_tok(tok, buf, len));
4042 return (fetch_zonename_tok(tok, buf, len));
4045 return (fetch_invalid_tok(tok, buf, len));
4050 * 'prints' the token out to outfp.
4053 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4058 print_header32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4061 case AUT_HEADER32_EX:
4062 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4066 print_header64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4069 case AUT_HEADER64_EX:
4070 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4074 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4078 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4082 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4086 print_arb_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4090 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4094 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4098 print_exit_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4102 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4106 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4109 case AUT_OTHER_FILE32:
4110 print_file_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4114 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4118 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4121 case AUT_IN_ADDR_EX:
4122 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4126 print_ip_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4130 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4134 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4138 print_iport_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4142 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4146 print_path_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4150 print_process32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4153 case AUT_PROCESS32_EX:
4154 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4158 print_process64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4161 case AUT_PROCESS64_EX:
4162 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4166 print_return32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4170 print_return64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4174 print_seq_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4178 print_socket_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4181 case AUT_SOCKINET32:
4182 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4186 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4190 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4194 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4197 case AUT_SUBJECT32_EX:
4198 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4201 case AUT_SUBJECT64_EX:
4202 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4206 print_text_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4210 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4214 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4218 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_PLAIN);
4223 * 'prints' the token out to outfp in XML format.
4226 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4232 print_header32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4235 case AUT_HEADER32_EX:
4236 print_header32_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4240 print_header64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4243 case AUT_HEADER64_EX:
4244 print_header64_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4248 print_trailer_tok(outfp, tok, del, raw, sfrm, AU_XML);
4252 print_arg32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4256 print_arg64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4260 print_arb_tok(outfp, tok, del, raw, sfrm, AU_XML);
4264 print_attr32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4268 print_attr64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4272 print_exit_tok(outfp, tok, del, raw, sfrm, AU_XML);
4276 print_execarg_tok(outfp, tok, del, raw, sfrm, AU_XML);
4280 print_execenv_tok(outfp, tok, del, raw, sfrm, AU_XML);
4283 case AUT_OTHER_FILE32:
4284 print_file_tok(outfp, tok, del, raw, sfrm, AU_XML);
4288 print_newgroups_tok(outfp, tok, del, raw, sfrm, AU_XML);
4292 print_inaddr_tok(outfp, tok, del, raw, sfrm, AU_XML);
4295 case AUT_IN_ADDR_EX:
4296 print_inaddr_ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4300 print_ip_tok(outfp, tok, del, raw, sfrm, AU_XML);
4304 print_ipc_tok(outfp, tok, del, raw, sfrm, AU_XML);
4308 print_ipcperm_tok(outfp, tok, del, raw, sfrm, AU_XML);
4312 print_iport_tok(outfp, tok, del, raw, sfrm, AU_XML);
4316 print_opaque_tok(outfp, tok, del, raw, sfrm, AU_XML);
4320 print_path_tok(outfp, tok, del, raw, sfrm, AU_XML);
4324 print_process32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4327 case AUT_PROCESS32_EX:
4328 print_process32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4332 print_process64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4335 case AUT_PROCESS64_EX:
4336 print_process64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4340 print_return32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4344 print_return64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4348 print_seq_tok(outfp, tok, del, raw, sfrm, AU_XML);
4352 print_socket_tok(outfp, tok, del, raw, sfrm, AU_XML);
4355 case AUT_SOCKINET32:
4356 print_sock_inet32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4360 print_sock_unix_tok(outfp, tok, del, raw, sfrm, AU_XML);
4364 print_subject32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4368 print_subject64_tok(outfp, tok, del, raw, sfrm, AU_XML);
4371 case AUT_SUBJECT32_EX:
4372 print_subject32ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4375 case AUT_SUBJECT64_EX:
4376 print_subject64ex_tok(outfp, tok, del, raw, sfrm, AU_XML);
4380 print_text_tok(outfp, tok, del, raw, sfrm, AU_XML);
4384 print_socketex32_tok(outfp, tok, del, raw, sfrm, AU_XML);
4388 print_zonename_tok(outfp, tok, del, raw, sfrm, AU_XML);
4392 print_invalid_tok(outfp, tok, del, raw, sfrm, AU_XML);
4397 * Read a record from the file pointer, store data in buf memory for buf is
4398 * also allocated in this function and has to be free'd outside this call.
4400 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4401 * complete audit record.
4403 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4404 * state, because it will be partly offset into a record. We should rewind
4405 * or do something more intelligent. Particularly interesting is the case
4406 * where we perform a partial read of a record from a non-blockable file
4407 * descriptor. We should return the partial read and continue...?
4410 au_read_rec(FILE *fp, u_char **buf)
4414 u_int32_t bytestoread;
4417 u_int32_t sec, msec;
4418 u_int16_t filenamelen;
4424 case AUT_HEADER32_EX:
4426 case AUT_HEADER64_EX:
4427 /* read the record size from the token */
4428 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4429 sizeof(u_int32_t)) {
4433 recsize = be32toh(recsize);
4435 /* Check for recsize sanity */
4436 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4441 *buf = malloc(recsize * sizeof(u_char));
4445 memset(bptr, 0, recsize);
4447 /* store the token contents already read, back to the buffer*/
4450 be32enc(bptr, recsize);
4451 bptr += sizeof(u_int32_t);
4453 /* now read remaining record bytes */
4454 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4456 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4463 case AUT_OTHER_FILE32:
4465 * The file token is variable-length, as it includes a
4466 * pathname. As a result, we have to read incrementally
4467 * until we know the total length, then allocate space and
4470 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4474 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4478 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4479 sizeof(filenamelen)) {
4483 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4484 sizeof(filenamelen) + ntohs(filenamelen);
4485 *buf = malloc(recsize);
4490 bcopy(&type, bptr, sizeof(type));
4491 bptr += sizeof(type);
4492 bcopy(&sec, bptr, sizeof(sec));
4493 bptr += sizeof(sec);
4494 bcopy(&msec, bptr, sizeof(msec));
4495 bptr += sizeof(msec);
4496 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4497 bptr += sizeof(filenamelen);
4499 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4500 ntohs(filenamelen)) {