2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
36 #include <sys/types.h>
38 #include <config/config.h>
43 #ifdef USE_SYS_ENDIAN_H
44 #include <sys/endian.h>
46 #ifdef USE_MACHINE_ENDIAN_H
47 #include <machine/endian.h>
49 #ifdef USE_COMPAT_ENDIAN_H
50 #include <compat/endian.h>
52 #ifdef USE_COMPAT_ENDIAN_ENC_H
53 #include <compat/endian_enc.h>
56 #ifdef HAVE_FULL_QUEUE_H
57 #include <sys/queue.h>
58 #else /* !HAVE_FULL_QUEUE_H */
59 #include <compat/queue.h>
60 #endif /* !HAVE_FULL_QUEUE_H */
63 #include <sys/socket.h>
65 #include <bsm/libbsm.h>
68 #include <netinet/in.h>
69 #include <arpa/inet.h>
81 #include <compat/vis.h>
84 #include <bsm/audit_internal.h>
86 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
87 if ((bytesread) + (size) > (u_int32_t)(len)) { \
90 memcpy((dest), (buf) + (bytesread), (size)); \
95 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
96 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
97 (dest) = buf[(bytesread)]; \
98 (bytesread) += sizeof(u_char); \
103 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
104 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
105 (dest) = be16dec((buf) + (bytesread)); \
106 (bytesread) += sizeof(u_int16_t); \
111 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
112 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
113 (dest) = be32dec((buf) + (bytesread)); \
114 (bytesread) += sizeof(u_int32_t); \
119 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
120 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
121 dest = be64dec((buf) + (bytesread)); \
122 (bytesread) += sizeof(u_int64_t); \
127 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
128 if ((bytesread) + (size) > (u_int32_t)(len)) \
131 (ptr) = (buf) + (bytesread); \
132 (bytesread) += (size); \
143 * Prints the delimiter string.
146 print_delim(FILE *fp, const char *del)
149 fprintf(fp, "%s", del);
153 * Prints a single byte in the given format.
156 print_1_byte(FILE *fp, u_char val, const char *format)
159 fprintf(fp, format, val);
163 * Print 2 bytes in the given format.
166 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
169 fprintf(fp, format, val);
173 * Prints 4 bytes in the given format.
176 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
179 fprintf(fp, format, val);
183 * Prints 8 bytes in the given format.
186 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
189 fprintf(fp, format, val);
193 * Prints the given size of data bytes in hex.
196 print_mem(FILE *fp, u_char *data, size_t len)
202 for (i = 0; i < len; i++)
203 fprintf(fp, "%02x", data[i]);
208 * Prints the given data bytes as a string.
211 print_string(FILE *fp, const char *str, size_t len)
216 for (i = 0; i < len; i++) {
218 fprintf(fp, "%c", str[i]);
224 * Prints the given data bytes as an XML-sanitized string.
227 print_xml_string(FILE *fp, const char *str, size_t len)
235 for (i = 0; i < len; i++) {
241 (void) fprintf(fp, "&");
245 (void) fprintf(fp, "<");
249 (void) fprintf(fp, ">");
253 (void) fprintf(fp, """);
257 (void) fprintf(fp, "'");
261 (void) vis(visbuf, str[i], VIS_CSTYLE, 0);
262 (void) fprintf(fp, "%s", visbuf);
269 * Prints the beginning of an attribute.
272 open_attr(FILE *fp, const char *str)
275 fprintf(fp,"%s=\"", str);
279 * Prints the end of an attribute.
289 * Prints the end of a tag.
292 close_tag(FILE *fp, u_char type)
300 case AUT_HEADER32_EX:
308 case AUT_HEADER64_EX:
333 fprintf(fp, "</exec_args>");
337 fprintf(fp, "</exec_env>");
340 case AUT_OTHER_FILE32:
341 fprintf(fp, "</file>");
345 fprintf(fp, "</group>");
349 fprintf(fp, "</ip_address>");
353 fprintf(fp, "</ip_address>");
369 fprintf(fp, "</ip_port>");
373 fprintf(fp, "</opaque>");
377 fprintf(fp, "</path>");
384 case AUT_PROCESS32_EX:
392 case AUT_PROCESS64_EX:
420 case AUT_SOCKINET128:
432 case AUT_SUBJECT32_EX:
436 case AUT_SUBJECT64_EX:
441 fprintf(fp, "</text>");
449 fprintf(fp, "</arbitrary>");
459 * Prints the token type in either the raw or the default form.
462 print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags)
465 if (oflags & AU_OFLAG_XML) {
468 fprintf(fp, "<record ");
471 case AUT_HEADER32_EX:
472 fprintf(fp, "<record ");
476 fprintf(fp, "<record ");
479 case AUT_HEADER64_EX:
480 fprintf(fp, "<record ");
484 fprintf(fp, "</record>");
488 fprintf(fp, "<argument ");
492 fprintf(fp, "<argument ");
496 fprintf(fp, "<attribute ");
500 fprintf(fp, "<attribute ");
504 fprintf(fp, "<exit ");
508 fprintf(fp, "<exec_args>");
512 fprintf(fp, "<exec_env>");
515 case AUT_OTHER_FILE32:
516 fprintf(fp, "<file ");
520 fprintf(fp, "<group>");
524 fprintf(fp, "<ip_address>");
528 fprintf(fp, "<ip_address>");
540 fprintf(fp, "<IPC_perm ");
544 fprintf(fp, "<ip_port>");
548 fprintf(fp, "<opaque>");
552 fprintf(fp, "<path>");
556 fprintf(fp, "<process ");
559 case AUT_PROCESS32_EX:
560 fprintf(fp, "<process ");
564 fprintf(fp, "<process ");
567 case AUT_PROCESS64_EX:
568 fprintf(fp, "<process ");
572 fprintf(fp, "<return ");
576 fprintf(fp, "<return ");
580 fprintf(fp, "<sequence ");
584 fprintf(fp, "<socket ");
588 fprintf(fp, "<socket-inet ");
592 fprintf(fp, "<socket-unix ");
595 case AUT_SOCKINET128:
596 fprintf(fp, "<socket-inet6 ");
600 fprintf(fp, "<subject ");
604 fprintf(fp, "<subject ");
607 case AUT_SUBJECT32_EX:
608 fprintf(fp, "<subject ");
611 case AUT_SUBJECT64_EX:
612 fprintf(fp, "<subject ");
616 fprintf(fp, "<text>");
620 fprintf(fp, "<socket ");
624 fprintf(fp, "<arbitrary ");
628 fprintf(fp, "<zone ");
632 if (oflags & AU_OFLAG_RAW)
633 fprintf(fp, "%u", type);
635 fprintf(fp, "%s", tokname);
640 * Prints a user value.
643 print_user(FILE *fp, u_int32_t usr, int oflags)
645 struct passwd *pwent;
647 if (oflags & AU_OFLAG_RAW)
648 fprintf(fp, "%d", usr);
650 pwent = getpwuid(usr);
652 fprintf(fp, "%s", pwent->pw_name);
654 fprintf(fp, "%d", usr);
659 * Prints a group value.
662 print_group(FILE *fp, u_int32_t grp, int oflags)
664 struct group *grpent;
666 if (oflags & AU_OFLAG_RAW)
667 fprintf(fp, "%d", grp);
669 grpent = getgrgid(grp);
671 fprintf(fp, "%s", grpent->gr_name);
673 fprintf(fp, "%d", grp);
678 * Prints the event from the header token in either the short, default or raw
682 print_event(FILE *fp, u_int16_t ev, int oflags)
684 char event_ent_name[AU_EVENT_NAME_MAX];
685 char event_ent_desc[AU_EVENT_DESC_MAX];
686 struct au_event_ent e, *ep;
688 bzero(&e, sizeof(e));
689 bzero(event_ent_name, sizeof(event_ent_name));
690 bzero(event_ent_desc, sizeof(event_ent_desc));
691 e.ae_name = event_ent_name;
692 e.ae_desc = event_ent_desc;
694 ep = getauevnum_r(&e, ev);
696 fprintf(fp, "%u", ev);
700 if (oflags & AU_OFLAG_RAW)
701 fprintf(fp, "%u", ev);
702 else if (oflags & AU_OFLAG_SHORT)
703 fprintf(fp, "%s", e.ae_name);
705 fprintf(fp, "%s", e.ae_desc);
710 * Prints the event modifier from the header token in either the default or
714 print_evmod(FILE *fp, u_int16_t evmod, int oflags)
716 if (oflags & AU_OFLAG_RAW)
717 fprintf(fp, "%u", evmod);
719 fprintf(fp, "%u", evmod);
723 * Prints seconds in the ctime format.
726 print_sec32(FILE *fp, u_int32_t sec, int oflags)
731 if (oflags & AU_OFLAG_RAW)
732 fprintf(fp, "%u", sec);
734 timestamp = (time_t)sec;
735 ctime_r(×tamp, timestr);
736 timestr[24] = '\0'; /* No new line */
737 fprintf(fp, "%s", timestr);
742 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
743 * assume a 32-bit time_t, we simply truncate for now.
746 print_sec64(FILE *fp, u_int64_t sec, int oflags)
751 if (oflags & AU_OFLAG_RAW)
752 fprintf(fp, "%u", (u_int32_t)sec);
754 timestamp = (time_t)sec;
755 ctime_r(×tamp, timestr);
756 timestr[24] = '\0'; /* No new line */
757 fprintf(fp, "%s", timestr);
762 * Prints the excess milliseconds.
765 print_msec32(FILE *fp, u_int32_t msec, int oflags)
767 if (oflags & AU_OFLAG_RAW)
768 fprintf(fp, "%u", msec);
770 fprintf(fp, " + %u msec", msec);
774 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
775 * a 32-bit msec, we simply truncate for now.
778 print_msec64(FILE *fp, u_int64_t msec, int oflags)
782 if (oflags & AU_OFLAG_RAW)
783 fprintf(fp, "%u", (u_int32_t)msec);
785 fprintf(fp, " + %u msec", (u_int32_t)msec);
789 * Prints a dotted form for the IP address.
792 print_ip_address(FILE *fp, u_int32_t ip)
794 struct in_addr ipaddr;
797 fprintf(fp, "%s", inet_ntoa(ipaddr));
801 * Prints a string value for the given ip address.
804 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
807 struct in6_addr ipv6;
808 char dst[INET6_ADDRSTRLEN];
812 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
813 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
818 bcopy(ipaddr, &ipv6, sizeof(ipv6));
819 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
824 fprintf(fp, "invalid");
829 * Prints return value as success or failure.
832 print_retval(FILE *fp, u_char status, int oflags)
836 if (oflags & AU_OFLAG_RAW)
837 fprintf(fp, "%u", status);
840 * Convert to a local error number and print the OS's version
841 * of the error string if possible. We may want to provide
842 * an au_strerror(3) in the future so that we can print
843 * strings for non-local errors.
845 if (au_bsm_to_errno(status, &error) == 0) {
847 fprintf(fp, "success");
849 fprintf(fp, "failure : %s", strerror(error));
851 fprintf(fp, "failure: Unknown error: %d", status);
856 * Prints the exit value.
859 print_errval(FILE *fp, u_int32_t val)
862 fprintf(fp, "Error %u", val);
869 print_ipctype(FILE *fp, u_char type, int oflags)
871 if (oflags & AU_OFLAG_RAW)
872 fprintf(fp, "%u", type);
874 if (type == AT_IPC_MSG)
875 fprintf(fp, "Message IPC");
876 else if (type == AT_IPC_SEM)
877 fprintf(fp, "Semaphore IPC");
878 else if (type == AT_IPC_SHM)
879 fprintf(fp, "Shared Memory IPC");
881 fprintf(fp, "%u", type);
889 au_print_xml_header(FILE *outfp)
892 fprintf(outfp, "<?xml version='1.0' ?>\n");
893 fprintf(outfp, "<audit>\n");
900 au_print_xml_footer(FILE *outfp)
903 fprintf(outfp, "</audit>\n");
907 * record byte count 4 bytes
908 * version # 1 byte [2]
910 * event modifier 2 bytes
911 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
912 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
915 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
919 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
923 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
927 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
931 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
935 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
939 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
947 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
950 print_tok_type(fp, tok->id, "header", oflags);
951 if (oflags & AU_OFLAG_XML) {
952 open_attr(fp, "version");
953 print_1_byte(fp, tok->tt.hdr32.version, "%u");
955 open_attr(fp, "event");
956 print_event(fp, tok->tt.hdr32.e_type, oflags);
958 open_attr(fp, "modifier");
959 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
961 open_attr(fp, "time");
962 print_sec32(fp, tok->tt.hdr32.s, oflags);
964 open_attr(fp, "msec");
965 print_msec32(fp, tok->tt.hdr32.ms, oflags);
967 close_tag(fp, tok->id);
969 print_delim(fp, del);
970 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
971 print_delim(fp, del);
972 print_1_byte(fp, tok->tt.hdr32.version, "%u");
973 print_delim(fp, del);
974 print_event(fp, tok->tt.hdr32.e_type, oflags);
975 print_delim(fp, del);
976 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
977 print_delim(fp, del);
978 print_sec32(fp, tok->tt.hdr32.s, oflags);
979 print_delim(fp, del);
980 print_msec32(fp, tok->tt.hdr32.ms, oflags);
985 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
986 * depending on the bit of the specifications found. The OpenSolaris source
987 * code uses a 4-byte address length, followed by some number of bytes of
988 * address data. This contrasts with the Solaris audit.log.5 man page, which
989 * specifies a 1-byte length field. We use the Solaris 10 definition so that
990 * we can parse audit trails from that system.
992 * record byte count 4 bytes
993 * version # 1 byte [2]
995 * event modifier 2 bytes
996 * address type/length 4 bytes
997 * [ Solaris man page: address type/length 1 byte]
998 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
999 * seconds of time 4 bytes/8 bytes (32/64-bits)
1000 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1003 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1007 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
1011 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
1015 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
1019 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
1023 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
1027 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
1028 switch (tok->tt.hdr32_ex.ad_type) {
1030 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
1031 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
1037 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
1038 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
1042 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
1046 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
1054 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1057 print_tok_type(fp, tok->id, "header_ex", oflags);
1058 if (oflags & AU_OFLAG_RAW) {
1059 open_attr(fp, "version");
1060 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1062 open_attr(fp, "event");
1063 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1065 open_attr(fp, "modifier");
1066 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1068 open_attr(fp, "host");
1069 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1070 tok->tt.hdr32_ex.addr);
1072 open_attr(fp, "time");
1073 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1075 open_attr(fp, "msec");
1076 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1078 close_tag(fp, tok->id);
1080 print_delim(fp, del);
1081 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1082 print_delim(fp, del);
1083 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1084 print_delim(fp, del);
1085 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1086 print_delim(fp, del);
1087 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1088 print_delim(fp, del);
1089 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1090 tok->tt.hdr32_ex.addr);
1091 print_delim(fp, del);
1092 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1093 print_delim(fp, del);
1094 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1099 * record byte count 4 bytes
1100 * event type 2 bytes
1101 * event modifier 2 bytes
1102 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1103 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1107 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1111 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1115 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1119 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1123 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1127 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1131 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1139 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1142 print_tok_type(fp, tok->id, "header", oflags);
1143 if (oflags & AU_OFLAG_XML) {
1144 open_attr(fp, "version");
1145 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1147 open_attr(fp, "event");
1148 print_event(fp, tok->tt.hdr64.e_type, oflags);
1150 open_attr(fp, "modifier");
1151 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1153 open_attr(fp, "time");
1154 print_sec64(fp, tok->tt.hdr64.s, oflags);
1156 open_attr(fp, "msec");
1157 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1159 close_tag(fp, tok->id);
1161 print_delim(fp, del);
1162 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1163 print_delim(fp, del);
1164 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1165 print_delim(fp, del);
1166 print_event(fp, tok->tt.hdr64.e_type, oflags);
1167 print_delim(fp, del);
1168 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1169 print_delim(fp, del);
1170 print_sec64(fp, tok->tt.hdr64.s, oflags);
1171 print_delim(fp, del);
1172 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1177 * record byte count 4 bytes
1178 * version # 1 byte [2]
1179 * event type 2 bytes
1180 * event modifier 2 bytes
1181 * address type/length 4 bytes
1182 * [ Solaris man page: address type/length 1 byte]
1183 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1184 * seconds of time 4 bytes/8 bytes (32/64-bits)
1185 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1187 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1188 * accuracy of the BSM spec.
1191 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1195 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1199 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1203 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1207 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1211 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1215 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1216 switch (tok->tt.hdr64_ex.ad_type) {
1218 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1219 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1225 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1226 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1230 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1234 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1242 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1245 print_tok_type(fp, tok->id, "header_ex", oflags);
1246 if (oflags & AU_OFLAG_XML) {
1247 open_attr(fp, "version");
1248 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1250 open_attr(fp, "event");
1251 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1253 open_attr(fp, "modifier");
1254 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1256 open_attr(fp, "host");
1257 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1258 tok->tt.hdr64_ex.addr);
1260 open_attr(fp, "time");
1261 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1263 open_attr(fp, "msec");
1264 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1266 close_tag(fp, tok->id);
1268 print_delim(fp, del);
1269 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1270 print_delim(fp, del);
1271 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1272 print_delim(fp, del);
1273 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1274 print_delim(fp, del);
1275 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1276 print_delim(fp, del);
1277 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1278 tok->tt.hdr64_ex.addr);
1279 print_delim(fp, del);
1280 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1281 print_delim(fp, del);
1282 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1287 * trailer magic 2 bytes
1288 * record size 4 bytes
1291 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1295 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1299 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1307 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1310 print_tok_type(fp, tok->id, "trailer", oflags);
1311 if (!(oflags & AU_OFLAG_XML)) {
1312 print_delim(fp, del);
1313 print_4_bytes(fp, tok->tt.trail.count, "%u");
1319 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1320 * text length 2 bytes
1321 * text N bytes + 1 terminating NULL byte
1324 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1328 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1332 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1336 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1340 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1349 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1352 print_tok_type(fp, tok->id, "argument", oflags);
1353 if (oflags & AU_OFLAG_XML) {
1354 open_attr(fp, "arg-num");
1355 print_1_byte(fp, tok->tt.arg32.no, "%u");
1357 open_attr(fp, "value");
1358 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1360 open_attr(fp, "desc");
1361 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1363 close_tag(fp, tok->id);
1365 print_delim(fp, del);
1366 print_1_byte(fp, tok->tt.arg32.no, "%u");
1367 print_delim(fp, del);
1368 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1369 print_delim(fp, del);
1370 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1375 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1379 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1383 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1387 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1391 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1400 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1403 print_tok_type(fp, tok->id, "argument", oflags);
1404 if (oflags & AU_OFLAG_XML) {
1405 open_attr(fp, "arg-num");
1406 print_1_byte(fp, tok->tt.arg64.no, "%u");
1408 open_attr(fp, "value");
1409 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1411 open_attr(fp, "desc");
1412 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1414 close_tag(fp, tok->id);
1416 print_delim(fp, del);
1417 print_1_byte(fp, tok->tt.arg64.no, "%u");
1418 print_delim(fp, del);
1419 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1420 print_delim(fp, del);
1421 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1426 * how to print 1 byte
1429 * data items (depends on basic unit)
1432 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1437 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1441 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1445 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1450 * Determine the size of the basic unit.
1452 switch(tok->tt.arb.bu) {
1454 /* case AUR_CHAR: */
1455 datasize = AUR_BYTE_SIZE;
1459 datasize = AUR_SHORT_SIZE;
1464 datasize = AUR_INT32_SIZE;
1468 datasize = AUR_INT64_SIZE;
1475 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1484 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1491 print_tok_type(fp, tok->id, "arbitrary", oflags);
1492 if (!(oflags & AU_OFLAG_XML))
1493 print_delim(fp, del);
1495 switch(tok->tt.arb.howtopr) {
1525 if (oflags & AU_OFLAG_XML) {
1526 open_attr(fp, "print");
1527 fprintf(fp, "%s",str);
1530 print_string(fp, str, strlen(str));
1531 print_delim(fp, del);
1533 switch(tok->tt.arb.bu) {
1535 /* case AUR_CHAR: */
1537 size = AUR_BYTE_SIZE;
1538 if (oflags & AU_OFLAG_XML) {
1539 open_attr(fp, "type");
1540 fprintf(fp, "%zu", size);
1542 open_attr(fp, "count");
1543 print_1_byte(fp, tok->tt.arb.uc, "%u");
1546 for (i = 0; i<tok->tt.arb.uc; i++)
1547 fprintf(fp, format, *(tok->tt.arb.data +
1549 close_tag(fp, tok->id);
1551 print_string(fp, str, strlen(str));
1552 print_delim(fp, del);
1553 print_1_byte(fp, tok->tt.arb.uc, "%u");
1554 print_delim(fp, del);
1555 for (i = 0; i<tok->tt.arb.uc; i++)
1556 fprintf(fp, format, *(tok->tt.arb.data +
1563 size = AUR_SHORT_SIZE;
1564 if (oflags & AU_OFLAG_XML) {
1565 open_attr(fp, "type");
1566 fprintf(fp, "%zu", size);
1568 open_attr(fp, "count");
1569 print_1_byte(fp, tok->tt.arb.uc, "%u");
1572 for (i = 0; i < tok->tt.arb.uc; i++)
1574 *((u_int16_t *)(tok->tt.arb.data +
1576 close_tag(fp, tok->id);
1578 print_string(fp, str, strlen(str));
1579 print_delim(fp, del);
1580 print_1_byte(fp, tok->tt.arb.uc, "%u");
1581 print_delim(fp, del);
1582 for (i = 0; i < tok->tt.arb.uc; i++)
1584 *((u_int16_t *)(tok->tt.arb.data +
1592 size = AUR_INT32_SIZE;
1593 if (oflags & AU_OFLAG_XML) {
1594 open_attr(fp, "type");
1595 fprintf(fp, "%zu", size);
1597 open_attr(fp, "count");
1598 print_1_byte(fp, tok->tt.arb.uc, "%u");
1601 for (i = 0; i < tok->tt.arb.uc; i++)
1603 *((u_int32_t *)(tok->tt.arb.data +
1605 close_tag(fp, tok->id);
1607 print_string(fp, str, strlen(str));
1608 print_delim(fp, del);
1609 print_1_byte(fp, tok->tt.arb.uc, "%u");
1610 print_delim(fp, del);
1611 for (i = 0; i < tok->tt.arb.uc; i++)
1613 *((u_int32_t *)(tok->tt.arb.data +
1620 size = AUR_INT64_SIZE;
1621 if (oflags & AU_OFLAG_XML) {
1622 open_attr(fp, "type");
1623 fprintf(fp, "%zu", size);
1625 open_attr(fp, "count");
1626 print_1_byte(fp, tok->tt.arb.uc, "%u");
1629 for (i = 0; i < tok->tt.arb.uc; i++)
1631 *((u_int64_t *)(tok->tt.arb.data +
1633 close_tag(fp, tok->id);
1635 print_string(fp, str, strlen(str));
1636 print_delim(fp, del);
1637 print_1_byte(fp, tok->tt.arb.uc, "%u");
1638 print_delim(fp, del);
1639 for (i = 0; i < tok->tt.arb.uc; i++)
1641 *((u_int64_t *)(tok->tt.arb.data +
1652 * file access mode 4 bytes
1653 * owner user ID 4 bytes
1654 * owner group ID 4 bytes
1655 * file system ID 4 bytes
1657 * device 4 bytes/8 bytes (32-bit/64-bit)
1660 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1664 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1668 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1672 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1676 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1680 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1684 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1692 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1695 print_tok_type(fp, tok->id, "attribute", oflags);
1696 if (oflags & AU_OFLAG_XML) {
1697 open_attr(fp, "mode");
1698 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1700 open_attr(fp, "uid");
1701 print_user(fp, tok->tt.attr32.uid, oflags);
1703 open_attr(fp, "gid");
1704 print_group(fp, tok->tt.attr32.gid, oflags);
1706 open_attr(fp, "fsid");
1707 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1709 open_attr(fp, "nodeid");
1710 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1712 open_attr(fp, "device");
1713 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1715 close_tag(fp, tok->id);
1717 print_delim(fp, del);
1718 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1719 print_delim(fp, del);
1720 print_user(fp, tok->tt.attr32.uid, oflags);
1721 print_delim(fp, del);
1722 print_group(fp, tok->tt.attr32.gid, oflags);
1723 print_delim(fp, del);
1724 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1725 print_delim(fp, del);
1726 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1727 print_delim(fp, del);
1728 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1733 * file access mode 4 bytes
1734 * owner user ID 4 bytes
1735 * owner group ID 4 bytes
1736 * file system ID 4 bytes
1738 * device 4 bytes/8 bytes (32-bit/64-bit)
1741 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1745 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1749 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1753 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1757 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1761 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1765 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1773 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1776 print_tok_type(fp, tok->id, "attribute", oflags);
1777 if (oflags & AU_OFLAG_XML) {
1778 open_attr(fp, "mode");
1779 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1781 open_attr(fp, "uid");
1782 print_user(fp, tok->tt.attr64.uid, oflags);
1784 open_attr(fp, "gid");
1785 print_group(fp, tok->tt.attr64.gid, oflags);
1787 open_attr(fp, "fsid");
1788 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1790 open_attr(fp, "nodeid");
1791 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1793 open_attr(fp, "device");
1794 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1796 close_tag(fp, tok->id);
1798 print_delim(fp, del);
1799 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1800 print_delim(fp, del);
1801 print_user(fp, tok->tt.attr64.uid, oflags);
1802 print_delim(fp, del);
1803 print_group(fp, tok->tt.attr64.gid, oflags);
1804 print_delim(fp, del);
1805 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1806 print_delim(fp, del);
1807 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1808 print_delim(fp, del);
1809 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1815 * return value 4 bytes
1818 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1822 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1826 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1834 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1837 print_tok_type(fp, tok->id, "exit", oflags);
1838 if (oflags & AU_OFLAG_XML) {
1839 open_attr(fp, "errval");
1840 print_errval(fp, tok->tt.exit.status);
1842 open_attr(fp, "retval");
1843 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1845 close_tag(fp, tok->id);
1847 print_delim(fp, del);
1848 print_errval(fp, tok->tt.exit.status);
1849 print_delim(fp, del);
1850 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1856 * text count null-terminated string(s)
1859 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1865 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1869 for (i = 0; i < tok->tt.execarg.count; i++) {
1870 bptr = buf + tok->len;
1871 if (i < AUDIT_MAX_ARGS)
1872 tok->tt.execarg.text[i] = (char*)bptr;
1874 /* Look for a null terminated string. */
1875 while (bptr && (*bptr != '\0')) {
1876 if (++tok->len >= (u_int32_t)len)
1878 bptr = buf + tok->len;
1882 tok->len++; /* \0 character */
1884 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1885 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1891 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1895 print_tok_type(fp, tok->id, "exec arg", oflags);
1896 for (i = 0; i < tok->tt.execarg.count; i++) {
1897 if (oflags & AU_OFLAG_XML) {
1898 fprintf(fp, "<arg>");
1899 print_xml_string(fp, tok->tt.execarg.text[i],
1900 strlen(tok->tt.execarg.text[i]));
1901 fprintf(fp, "</arg>");
1903 print_delim(fp, del);
1904 print_string(fp, tok->tt.execarg.text[i],
1905 strlen(tok->tt.execarg.text[i]));
1908 if (oflags & AU_OFLAG_XML)
1909 close_tag(fp, tok->id);
1914 * text count null-terminated string(s)
1917 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1923 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1927 for (i = 0; i < tok->tt.execenv.count; i++) {
1928 bptr = buf + tok->len;
1929 if (i < AUDIT_MAX_ENV)
1930 tok->tt.execenv.text[i] = (char*)bptr;
1932 /* Look for a null terminated string. */
1933 while (bptr && (*bptr != '\0')) {
1934 if (++tok->len >= (u_int32_t)len)
1936 bptr = buf + tok->len;
1940 tok->len++; /* \0 character */
1942 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1943 tok->tt.execenv.count = AUDIT_MAX_ENV;
1949 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1953 print_tok_type(fp, tok->id, "exec env", oflags);
1954 for (i = 0; i< tok->tt.execenv.count; i++) {
1955 if (oflags & AU_OFLAG_XML) {
1956 fprintf(fp, "<env>");
1957 print_xml_string(fp, tok->tt.execenv.text[i],
1958 strlen(tok->tt.execenv.text[i]));
1959 fprintf(fp, "</env>");
1961 print_delim(fp, del);
1962 print_string(fp, tok->tt.execenv.text[i],
1963 strlen(tok->tt.execenv.text[i]));
1966 if (oflags & AU_OFLAG_XML)
1967 close_tag(fp, tok->id);
1971 * seconds of time 4 bytes
1972 * milliseconds of time 4 bytes
1973 * file name len 2 bytes
1974 * file pathname N bytes + 1 terminating NULL byte
1977 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1981 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1985 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1989 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1993 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
2002 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2005 print_tok_type(fp, tok->id, "file", oflags);
2006 if (oflags & AU_OFLAG_XML) {
2007 open_attr(fp, "time");
2008 print_sec32(fp, tok->tt.file.s, oflags);
2010 open_attr(fp, "msec");
2011 print_msec32(fp, tok->tt.file.ms, oflags);
2014 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2015 close_tag(fp, tok->id);
2017 print_delim(fp, del);
2018 print_sec32(fp, tok->tt.file.s, oflags);
2019 print_delim(fp, del);
2020 print_msec32(fp, tok->tt.file.ms, oflags);
2021 print_delim(fp, del);
2022 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2027 * number groups 2 bytes
2028 * group list count * 4 bytes
2031 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
2036 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
2040 for (i = 0; i<tok->tt.grps.no; i++) {
2041 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2051 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2055 print_tok_type(fp, tok->id, "group", oflags);
2056 for (i = 0; i < tok->tt.grps.no; i++) {
2057 if (oflags & AU_OFLAG_XML) {
2058 fprintf(fp, "<gid>");
2059 print_group(fp, tok->tt.grps.list[i], oflags);
2060 fprintf(fp, "</gid>");
2061 close_tag(fp, tok->id);
2063 print_delim(fp, del);
2064 print_group(fp, tok->tt.grps.list[i], oflags);
2070 * Internet addr 4 bytes
2073 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2077 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2087 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2090 print_tok_type(fp, tok->id, "ip addr", oflags);
2091 if (oflags & AU_OFLAG_XML) {
2092 print_ip_address(fp, tok->tt.inaddr.addr);
2093 close_tag(fp, tok->id);
2095 print_delim(fp, del);
2096 print_ip_address(fp, tok->tt.inaddr.addr);
2105 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2109 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2113 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2114 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2115 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2118 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2119 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2120 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2130 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2133 print_tok_type(fp, tok->id, "ip addr ex", oflags);
2134 if (oflags & AU_OFLAG_XML) {
2135 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2136 tok->tt.inaddr_ex.addr);
2137 close_tag(fp, tok->id);
2139 print_delim(fp, del);
2140 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2141 tok->tt.inaddr_ex.addr);
2146 * ip header 20 bytes
2149 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2153 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2157 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2161 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2166 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2171 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2176 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2180 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2184 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2189 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2194 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2203 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2206 print_tok_type(fp, tok->id, "ip", oflags);
2207 if (oflags & AU_OFLAG_XML) {
2208 open_attr(fp, "version");
2209 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2212 open_attr(fp, "service_type");
2213 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2215 open_attr(fp, "len");
2216 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2218 open_attr(fp, "id");
2219 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2221 open_attr(fp, "offset");
2222 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2224 open_attr(fp, "time_to_live");
2225 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2227 open_attr(fp, "protocol");
2228 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2230 open_attr(fp, "cksum");
2231 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2233 open_attr(fp, "src_addr");
2234 print_ip_address(fp, tok->tt.ip.src);
2236 open_attr(fp, "dest_addr");
2237 print_ip_address(fp, tok->tt.ip.dest);
2239 close_tag(fp, tok->id);
2241 print_delim(fp, del);
2242 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2244 print_delim(fp, del);
2245 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2246 print_delim(fp, del);
2247 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2248 print_delim(fp, del);
2249 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2250 print_delim(fp, del);
2251 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2252 print_delim(fp, del);
2253 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2254 print_delim(fp, del);
2255 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2256 print_delim(fp, del);
2257 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2258 print_delim(fp, del);
2259 print_ip_address(fp, tok->tt.ip.src);
2260 print_delim(fp, del);
2261 print_ip_address(fp, tok->tt.ip.dest);
2266 * object ID type 1 byte
2270 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2274 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2278 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2286 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2289 print_tok_type(fp, tok->id, "IPC", oflags);
2290 if (oflags & AU_OFLAG_XML) {
2291 open_attr(fp, "ipc-type");
2292 print_ipctype(fp, tok->tt.ipc.type, oflags);
2294 open_attr(fp, "ipc-id");
2295 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2297 close_tag(fp, tok->id);
2299 print_delim(fp, del);
2300 print_ipctype(fp, tok->tt.ipc.type, oflags);
2301 print_delim(fp, del);
2302 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2307 * owner user id 4 bytes
2308 * owner group id 4 bytes
2309 * creator user id 4 bytes
2310 * creator group id 4 bytes
2311 * access mode 4 bytes
2316 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2320 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2324 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2328 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2332 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2336 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2340 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2344 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2352 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2355 print_tok_type(fp, tok->id, "IPC perm", oflags);
2356 if (oflags & AU_OFLAG_XML) {
2357 open_attr(fp, "uid");
2358 print_user(fp, tok->tt.ipcperm.uid, oflags);
2360 open_attr(fp, "gid");
2361 print_group(fp, tok->tt.ipcperm.gid, oflags);
2363 open_attr(fp, "creator-uid");
2364 print_user(fp, tok->tt.ipcperm.puid, oflags);
2366 open_attr(fp, "creator-gid");
2367 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2369 open_attr(fp, "mode");
2370 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2372 open_attr(fp, "seq");
2373 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2375 open_attr(fp, "key");
2376 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2378 close_tag(fp, tok->id);
2380 print_delim(fp, del);
2381 print_user(fp, tok->tt.ipcperm.uid, oflags);
2382 print_delim(fp, del);
2383 print_group(fp, tok->tt.ipcperm.gid, oflags);
2384 print_delim(fp, del);
2385 print_user(fp, tok->tt.ipcperm.puid, oflags);
2386 print_delim(fp, del);
2387 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2388 print_delim(fp, del);
2389 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2390 print_delim(fp, del);
2391 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2392 print_delim(fp, del);
2393 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2398 * port Ip address 2 bytes
2401 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2405 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2414 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2417 print_tok_type(fp, tok->id, "ip port", oflags);
2418 if (oflags & AU_OFLAG_XML) {
2419 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2420 close_tag(fp, tok->id);
2422 print_delim(fp, del);
2423 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2432 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2436 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2440 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2449 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2452 print_tok_type(fp, tok->id, "opaque", oflags);
2453 if (oflags & AU_OFLAG_XML) {
2454 print_mem(fp, (u_char*)tok->tt.opaque.data,
2455 tok->tt.opaque.size);
2456 close_tag(fp, tok->id);
2458 print_delim(fp, del);
2459 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2460 print_delim(fp, del);
2461 print_mem(fp, (u_char*)tok->tt.opaque.data,
2462 tok->tt.opaque.size);
2471 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2475 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2479 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2488 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2491 print_tok_type(fp, tok->id, "path", oflags);
2492 if (oflags & AU_OFLAG_XML) {
2493 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2494 close_tag(fp, tok->id);
2496 print_delim(fp, del);
2497 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2512 * machine id 4 bytes
2515 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2519 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2523 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2527 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2531 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2535 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2539 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2543 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2547 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2551 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2552 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2560 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2563 print_tok_type(fp, tok->id, "process", oflags);
2564 if (oflags & AU_OFLAG_XML) {
2565 open_attr(fp, "audit-uid");
2566 print_user(fp, tok->tt.proc32.auid, oflags);
2568 open_attr(fp, "uid");
2569 print_user(fp, tok->tt.proc32.euid, oflags);
2571 open_attr(fp, "gid");
2572 print_group(fp, tok->tt.proc32.egid, oflags);
2574 open_attr(fp, "ruid");
2575 print_user(fp, tok->tt.proc32.ruid, oflags);
2577 open_attr(fp, "rgid");
2578 print_group(fp, tok->tt.proc32.rgid, oflags);
2580 open_attr(fp, "pid");
2581 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2583 open_attr(fp, "sid");
2584 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2586 open_attr(fp, "tid");
2587 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2588 print_ip_address(fp, tok->tt.proc32.tid.addr);
2590 close_tag(fp, tok->id);
2592 print_delim(fp, del);
2593 print_user(fp, tok->tt.proc32.auid, oflags);
2594 print_delim(fp, del);
2595 print_user(fp, tok->tt.proc32.euid, oflags);
2596 print_delim(fp, del);
2597 print_group(fp, tok->tt.proc32.egid, oflags);
2598 print_delim(fp, del);
2599 print_user(fp, tok->tt.proc32.ruid, oflags);
2600 print_delim(fp, del);
2601 print_group(fp, tok->tt.proc32.rgid, oflags);
2602 print_delim(fp, del);
2603 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2604 print_delim(fp, del);
2605 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2606 print_delim(fp, del);
2607 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2608 print_delim(fp, del);
2609 print_ip_address(fp, tok->tt.proc32.tid.addr);
2624 * machine id 4 bytes
2627 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2631 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2635 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2639 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2643 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2647 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2651 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2655 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2659 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2663 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2664 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2672 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2674 print_tok_type(fp, tok->id, "process", oflags);
2675 if (oflags & AU_OFLAG_XML) {
2676 open_attr(fp, "audit-uid");
2677 print_user(fp, tok->tt.proc64.auid, oflags);
2679 open_attr(fp, "uid");
2680 print_user(fp, tok->tt.proc64.euid, oflags);
2682 open_attr(fp, "gid");
2683 print_group(fp, tok->tt.proc64.egid, oflags);
2685 open_attr(fp, "ruid");
2686 print_user(fp, tok->tt.proc64.ruid, oflags);
2688 open_attr(fp, "rgid");
2689 print_group(fp, tok->tt.proc64.rgid, oflags);
2691 open_attr(fp, "pid");
2692 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2694 open_attr(fp, "sid");
2695 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2697 open_attr(fp, "tid");
2698 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2699 print_ip_address(fp, tok->tt.proc64.tid.addr);
2701 close_tag(fp, tok->id);
2703 print_delim(fp, del);
2704 print_user(fp, tok->tt.proc64.auid, oflags);
2705 print_delim(fp, del);
2706 print_user(fp, tok->tt.proc64.euid, oflags);
2707 print_delim(fp, del);
2708 print_group(fp, tok->tt.proc64.egid, oflags);
2709 print_delim(fp, del);
2710 print_user(fp, tok->tt.proc64.ruid, oflags);
2711 print_delim(fp, del);
2712 print_group(fp, tok->tt.proc64.rgid, oflags);
2713 print_delim(fp, del);
2714 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2715 print_delim(fp, del);
2716 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2717 print_delim(fp, del);
2718 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2719 print_delim(fp, del);
2720 print_ip_address(fp, tok->tt.proc64.tid.addr);
2727 * effective user ID 4 bytes
2728 * effective group ID 4 bytes
2729 * real user ID 4 bytes
2730 * real group ID 4 bytes
2731 * process ID 4 bytes
2732 * session ID 4 bytes
2735 * address type-len 4 bytes
2736 * machine address 16 bytes
2739 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2743 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2747 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2751 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2755 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2759 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2763 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2767 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2771 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2776 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2781 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2782 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2783 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2786 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2787 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2788 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2798 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2801 print_tok_type(fp, tok->id, "process_ex", oflags);
2802 if (oflags & AU_OFLAG_XML) {
2803 open_attr(fp, "audit-uid");
2804 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2806 open_attr(fp, "uid");
2807 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2809 open_attr(fp, "gid");
2810 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2812 open_attr(fp, "ruid");
2813 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2815 open_attr(fp, "rgid");
2816 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2818 open_attr(fp, "pid");
2819 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2821 open_attr(fp, "sid");
2822 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2824 open_attr(fp, "tid");
2825 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2826 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2827 tok->tt.proc32_ex.tid.addr);
2829 close_tag(fp, tok->id);
2831 print_delim(fp, del);
2832 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2833 print_delim(fp, del);
2834 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2835 print_delim(fp, del);
2836 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2837 print_delim(fp, del);
2838 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2839 print_delim(fp, del);
2840 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2841 print_delim(fp, del);
2842 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2843 print_delim(fp, del);
2844 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2845 print_delim(fp, del);
2846 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2847 print_delim(fp, del);
2848 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2849 tok->tt.proc32_ex.tid.addr);
2856 * effective user ID 4 bytes
2857 * effective group ID 4 bytes
2858 * real user ID 4 bytes
2859 * real group ID 4 bytes
2860 * process ID 4 bytes
2861 * session ID 4 bytes
2864 * address type-len 4 bytes
2865 * machine address 16 bytes
2868 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2872 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2876 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2880 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2884 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2888 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2892 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2896 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2900 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2905 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2910 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2911 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2912 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2915 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2916 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2917 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2927 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2929 print_tok_type(fp, tok->id, "process_ex", oflags);
2930 if (oflags & AU_OFLAG_XML) {
2931 open_attr(fp, "audit-uid");
2932 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2934 open_attr(fp, "uid");
2935 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2937 open_attr(fp, "gid");
2938 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2940 open_attr(fp, "ruid");
2941 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2943 open_attr(fp, "rgid");
2944 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2946 open_attr(fp, "pid");
2947 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2949 open_attr(fp, "sid");
2950 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2952 open_attr(fp, "tid");
2953 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2954 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2955 tok->tt.proc64_ex.tid.addr);
2957 close_tag(fp, tok->id);
2959 print_delim(fp, del);
2960 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2961 print_delim(fp, del);
2962 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2963 print_delim(fp, del);
2964 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2965 print_delim(fp, del);
2966 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2967 print_delim(fp, del);
2968 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2969 print_delim(fp, del);
2970 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2971 print_delim(fp, del);
2972 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2973 print_delim(fp, del);
2974 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2975 print_delim(fp, del);
2976 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2977 tok->tt.proc64_ex.tid.addr);
2983 * return value 4 bytes
2986 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2990 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2994 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
3002 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3005 print_tok_type(fp, tok->id, "return", oflags);
3006 if (oflags & AU_OFLAG_XML) {
3007 open_attr(fp ,"errval");
3008 print_retval(fp, tok->tt.ret32.status, oflags);
3010 open_attr(fp, "retval");
3011 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3013 close_tag(fp, tok->id);
3015 print_delim(fp, del);
3016 print_retval(fp, tok->tt.ret32.status, oflags);
3017 print_delim(fp, del);
3018 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3023 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
3027 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3031 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3039 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3042 print_tok_type(fp, tok->id, "return", oflags);
3043 if (oflags & AU_OFLAG_XML) {
3044 open_attr(fp, "errval");
3045 print_retval(fp, tok->tt.ret64.err, oflags);
3047 open_attr(fp, "retval");
3048 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3050 close_tag(fp, tok->id);
3052 print_delim(fp, del);
3053 print_retval(fp, tok->tt.ret64.err, oflags);
3054 print_delim(fp, del);
3055 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3063 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3067 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3075 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3078 print_tok_type(fp, tok->id, "sequence", oflags);
3079 if (oflags & AU_OFLAG_XML) {
3080 open_attr(fp, "seq-num");
3081 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3083 close_tag(fp, tok->id);
3085 print_delim(fp, del);
3086 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3091 * socket family 2 bytes
3092 * local port 2 bytes
3093 * socket address 4 bytes
3096 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3100 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3105 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3106 sizeof(uint16_t), tok->len, err);
3110 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3111 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3119 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3122 print_tok_type(fp, tok->id, "socket-inet", oflags);
3123 if (oflags & AU_OFLAG_XML) {
3124 open_attr(fp, "type");
3125 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3127 open_attr(fp, "port");
3128 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3130 open_attr(fp, "addr");
3131 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3133 close_tag(fp, tok->id);
3135 print_delim(fp, del);
3136 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3137 print_delim(fp, del);
3138 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3139 print_delim(fp, del);
3140 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3145 * socket family 2 bytes
3146 * local port 2 bytes
3147 * socket address 16 bytes
3150 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3154 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3159 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3160 sizeof(uint16_t), tok->len, err);
3164 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3165 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3173 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3176 print_tok_type(fp, tok->id, "socket-inet6", oflags);
3177 if (oflags & AU_OFLAG_XML) {
3178 open_attr(fp, "type");
3179 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3181 open_attr(fp, "port");
3182 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3184 open_attr(fp, "addr");
3185 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3187 close_tag(fp, tok->id);
3189 print_delim(fp, del);
3190 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3191 print_delim(fp, del);
3192 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3193 print_delim(fp, del);
3194 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3199 * socket family 2 bytes
3200 * path (up to) 104 bytes + NULL (NULL terminated string).
3203 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3210 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3214 /* slen = strnlen((buf + tok->len), 104) + 1; */
3215 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3216 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1;
3218 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3226 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3229 print_tok_type(fp, tok->id, "socket-unix", oflags);
3230 if (oflags & AU_OFLAG_XML) {
3231 open_attr(fp, "type");
3232 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3234 open_attr(fp, "port");
3236 open_attr(fp, "addr");
3237 print_string(fp, tok->tt.sockunix.path,
3238 strlen(tok->tt.sockunix.path));
3240 close_tag(fp, tok->id);
3242 print_delim(fp, del);
3243 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3244 print_delim(fp, del);
3245 print_string(fp, tok->tt.sockunix.path,
3246 strlen(tok->tt.sockunix.path));
3251 * socket type 2 bytes
3252 * local port 2 bytes
3253 * local address 4 bytes
3254 * remote port 2 bytes
3255 * remote address 4 bytes
3258 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3262 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3266 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3271 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3272 sizeof(tok->tt.socket.l_addr), tok->len, err);
3276 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3281 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3282 sizeof(tok->tt.socket.r_addr), tok->len, err);
3290 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3293 print_tok_type(fp, tok->id, "socket", oflags);
3294 if (oflags & AU_OFLAG_XML) {
3295 open_attr(fp, "sock_type");
3296 print_2_bytes(fp, tok->tt.socket.type, "%u");
3298 open_attr(fp, "lport");
3299 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3301 open_attr(fp, "laddr");
3302 print_ip_address(fp, tok->tt.socket.l_addr);
3304 open_attr(fp, "fport");
3305 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3307 open_attr(fp, "faddr");
3308 print_ip_address(fp, tok->tt.socket.r_addr);
3310 close_tag(fp, tok->id);
3312 print_delim(fp, del);
3313 print_2_bytes(fp, tok->tt.socket.type, "%u");
3314 print_delim(fp, del);
3315 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3316 print_delim(fp, del);
3317 print_ip_address(fp, tok->tt.socket.l_addr);
3318 print_delim(fp, del);
3319 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3320 print_delim(fp, del);
3321 print_ip_address(fp, tok->tt.socket.r_addr);
3334 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3335 * machine id 4 bytes
3338 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3342 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3346 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3350 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3354 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3358 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3362 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3366 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3370 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3374 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3375 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3383 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3386 print_tok_type(fp, tok->id, "subject", oflags);
3387 if (oflags & AU_OFLAG_XML) {
3388 open_attr(fp, "audit-uid");
3389 print_user(fp, tok->tt.subj32.auid, oflags);
3391 open_attr(fp, "uid");
3392 print_user(fp, tok->tt.subj32.euid, oflags);
3394 open_attr(fp, "gid");
3395 print_group(fp, tok->tt.subj32.egid, oflags);
3397 open_attr(fp, "ruid");
3398 print_user(fp, tok->tt.subj32.ruid, oflags);
3400 open_attr(fp, "rgid");
3401 print_group(fp, tok->tt.subj32.rgid, oflags);
3403 open_attr(fp,"pid");
3404 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3406 open_attr(fp,"sid");
3407 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3409 open_attr(fp,"tid");
3410 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3411 print_ip_address(fp, tok->tt.subj32.tid.addr);
3413 close_tag(fp, tok->id);
3415 print_delim(fp, del);
3416 print_user(fp, tok->tt.subj32.auid, oflags);
3417 print_delim(fp, del);
3418 print_user(fp, tok->tt.subj32.euid, oflags);
3419 print_delim(fp, del);
3420 print_group(fp, tok->tt.subj32.egid, oflags);
3421 print_delim(fp, del);
3422 print_user(fp, tok->tt.subj32.ruid, oflags);
3423 print_delim(fp, del);
3424 print_group(fp, tok->tt.subj32.rgid, oflags);
3425 print_delim(fp, del);
3426 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3427 print_delim(fp, del);
3428 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3429 print_delim(fp, del);
3430 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3431 print_delim(fp, del);
3432 print_ip_address(fp, tok->tt.subj32.tid.addr);
3437 print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3440 print_tok_type(fp, tok->id, "use of privilege", oflags);
3441 if (oflags & AU_OFLAG_XML) {
3442 open_attr(fp, "status");
3443 if (tok->tt.priv.sorf)
3444 (void) fprintf(fp, "successful use of priv");
3446 (void) fprintf(fp, "failed use of priv");
3448 open_attr(fp, "name");
3449 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3451 close_tag(fp, tok->id);
3453 print_delim(fp, del);
3454 if (tok->tt.priv.sorf)
3455 (void) fprintf(fp, "successful use of priv");
3457 (void) fprintf(fp, "failed use of priv");
3458 print_delim(fp, del);
3459 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3465 * privstrlen 2 bytes
3466 * priv N bytes + 1 (\0 byte)
3469 fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
3473 READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
3476 READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
3479 SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
3487 * privtstrlen 1 byte
3488 * privtstr N bytes + 1
3490 * privstr N bytes + 1
3493 fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
3497 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
3501 SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
3502 tok->tt.privset.privtstrlen, tok->len, err);
3505 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
3509 SET_PTR((char *)buf, len, tok->tt.privset.privstr,
3510 tok->tt.privset.privstrlen, tok->len, err);
3517 print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3520 print_tok_type(fp, tok->id, "privilege", oflags);
3521 if (oflags & AU_OFLAG_XML) {
3522 open_attr(fp, "type");
3523 print_string(fp, tok->tt.privset.privtstr,
3524 tok->tt.privset.privtstrlen);
3526 open_attr(fp, "priv");
3527 print_string(fp, tok->tt.privset.privstr,
3528 tok->tt.privset.privstrlen);
3531 print_delim(fp, del);
3532 print_string(fp, tok->tt.privset.privtstr,
3533 tok->tt.privset.privtstrlen);
3534 print_delim(fp, del);
3535 print_string(fp, tok->tt.privset.privstr,
3536 tok->tt.privset.privstrlen);
3549 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3550 * machine id 4 bytes
3553 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3557 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3561 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3565 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3569 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3573 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3577 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3581 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3585 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3589 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3590 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3598 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3601 print_tok_type(fp, tok->id, "subject", oflags);
3602 if (oflags & AU_OFLAG_XML) {
3603 open_attr(fp, "audit-uid");
3604 print_user(fp, tok->tt.subj64.auid, oflags);
3606 open_attr(fp, "uid");
3607 print_user(fp, tok->tt.subj64.euid, oflags);
3609 open_attr(fp, "gid");
3610 print_group(fp, tok->tt.subj64.egid, oflags);
3612 open_attr(fp, "ruid");
3613 print_user(fp, tok->tt.subj64.ruid, oflags);
3615 open_attr(fp, "rgid");
3616 print_group(fp, tok->tt.subj64.rgid, oflags);
3618 open_attr(fp, "pid");
3619 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3621 open_attr(fp, "sid");
3622 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3624 open_attr(fp, "tid");
3625 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3626 print_ip_address(fp, tok->tt.subj64.tid.addr);
3628 close_tag(fp, tok->id);
3630 print_delim(fp, del);
3631 print_user(fp, tok->tt.subj64.auid, oflags);
3632 print_delim(fp, del);
3633 print_user(fp, tok->tt.subj64.euid, oflags);
3634 print_delim(fp, del);
3635 print_group(fp, tok->tt.subj64.egid, oflags);
3636 print_delim(fp, del);
3637 print_user(fp, tok->tt.subj64.ruid, oflags);
3638 print_delim(fp, del);
3639 print_group(fp, tok->tt.subj64.rgid, oflags);
3640 print_delim(fp, del);
3641 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3642 print_delim(fp, del);
3643 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3644 print_delim(fp, del);
3645 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3646 print_delim(fp, del);
3647 print_ip_address(fp, tok->tt.subj64.tid.addr);
3662 * machine id 16 bytes
3665 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3669 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3673 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3677 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3681 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3685 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3689 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3693 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3697 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3702 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3707 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3708 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3709 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3712 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3713 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3714 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3724 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3727 print_tok_type(fp, tok->id, "subject_ex", oflags);
3728 if (oflags & AU_OFLAG_XML) {
3729 open_attr(fp, "audit-uid");
3730 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3732 open_attr(fp, "uid");
3733 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3735 open_attr(fp, "gid");
3736 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3738 open_attr(fp, "ruid");
3739 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3741 open_attr(fp, "rgid");
3742 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3744 open_attr(fp, "pid");
3745 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3747 open_attr(fp, "sid");
3748 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3750 open_attr(fp, "tid");
3751 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3752 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3753 tok->tt.subj32_ex.tid.addr);
3755 close_tag(fp, tok->id);
3757 print_delim(fp, del);
3758 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3759 print_delim(fp, del);
3760 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3761 print_delim(fp, del);
3762 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3763 print_delim(fp, del);
3764 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3765 print_delim(fp, del);
3766 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3767 print_delim(fp, del);
3768 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3769 print_delim(fp, del);
3770 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3771 print_delim(fp, del);
3772 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3773 print_delim(fp, del);
3774 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3775 tok->tt.subj32_ex.tid.addr);
3790 * machine id 16 bytes
3793 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3797 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3801 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3805 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3809 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3813 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3817 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3821 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3825 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3830 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3835 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3836 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3837 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3840 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3841 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3842 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3852 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3854 print_tok_type(fp, tok->id, "subject_ex", oflags);
3855 if (oflags & AU_OFLAG_XML) {
3856 open_attr(fp, "audit-uid");
3857 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3859 open_attr(fp, "uid");
3860 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3862 open_attr(fp, "gid");
3863 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3865 open_attr(fp, "ruid");
3866 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3868 open_attr(fp, "rgid");
3869 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3871 open_attr(fp, "pid");
3872 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3874 open_attr(fp, "sid");
3875 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3877 open_attr(fp, "tid");
3878 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3879 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3880 tok->tt.subj64_ex.tid.addr);
3882 close_tag(fp, tok->id);
3884 print_delim(fp, del);
3885 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3886 print_delim(fp, del);
3887 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3888 print_delim(fp, del);
3889 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3890 print_delim(fp, del);
3891 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3892 print_delim(fp, del);
3893 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3894 print_delim(fp, del);
3895 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3896 print_delim(fp, del);
3897 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3898 print_delim(fp, del);
3899 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3900 print_delim(fp, del);
3901 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3902 tok->tt.subj64_ex.tid.addr);
3911 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3915 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3919 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3928 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3931 print_tok_type(fp, tok->id, "text", oflags);
3932 if (oflags & AU_OFLAG_XML) {
3933 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3934 close_tag(fp, tok->id);
3936 print_delim(fp, del);
3937 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3942 * socket domain 2 bytes
3943 * socket type 2 bytes
3944 * address type 2 bytes
3945 * local port 2 bytes
3946 * local Internet address 4/16 bytes
3947 * remote port 2 bytes
3948 * remote Internet address 4/16 bytes
3951 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3955 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3960 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3965 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3970 if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3971 tok->tt.socket_ex32.atype != AU_IPv6)
3974 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3975 sizeof(uint16_t), tok->len, err);
3979 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3980 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3981 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3985 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3986 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3991 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3992 sizeof(uint16_t), tok->len, err);
3996 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3997 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3998 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
4002 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
4003 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
4012 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4016 * This print routine prints BSM constant space domains and socket
4017 * types rather than converting them. If we add string printers for
4018 * these constants in the future, we may want to call conversion
4021 print_tok_type(fp, tok->id, "socket", oflags);
4022 if (oflags & AU_OFLAG_XML) {
4023 open_attr(fp, "sock_dom");
4024 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4026 open_attr(fp, "sock_type");
4027 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4029 open_attr(fp, "lport");
4030 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4032 open_attr(fp, "laddr");
4033 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4034 tok->tt.socket_ex32.l_addr);
4036 open_attr(fp, "faddr");
4037 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4038 tok->tt.socket_ex32.r_addr);
4040 open_attr(fp, "fport");
4041 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4043 close_tag(fp, tok->id);
4045 print_delim(fp, del);
4046 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4047 print_delim(fp, del);
4048 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4049 print_delim(fp, del);
4050 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4051 print_delim(fp, del);
4052 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4053 tok->tt.socket_ex32.l_addr);
4054 print_delim(fp, del);
4055 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4056 print_delim(fp, del);
4057 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4058 tok->tt.socket_ex32.r_addr);
4063 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
4068 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
4069 if (recoversize <= 0)
4072 tok->tt.invalid.length = recoversize;
4074 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
4083 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4086 if (!(oflags & AU_OFLAG_XML)) {
4087 print_tok_type(fp, tok->id, "unknown", oflags);
4088 print_delim(fp, del);
4089 print_mem(fp, (u_char*)tok->tt.invalid.data,
4090 tok->tt.invalid.length);
4097 * zonename size bytes;
4100 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
4104 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
4107 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
4115 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4118 print_tok_type(fp, tok->id, "zone", oflags);
4119 if (oflags & AU_OFLAG_XML) {
4120 open_attr(fp, "name");
4121 print_string(fp, tok->tt.zonename.zonename,
4122 tok->tt.zonename.len);
4124 close_tag(fp, tok->id);
4126 print_delim(fp, del);
4127 print_string(fp, tok->tt.zonename.zonename,
4128 tok->tt.zonename.len);
4133 * Reads the token beginning at buf into tok.
4136 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4148 return (fetch_header32_tok(tok, buf, len));
4150 case AUT_HEADER32_EX:
4151 return (fetch_header32_ex_tok(tok, buf, len));
4154 return (fetch_header64_tok(tok, buf, len));
4156 case AUT_HEADER64_EX:
4157 return (fetch_header64_ex_tok(tok, buf, len));
4160 return (fetch_trailer_tok(tok, buf, len));
4163 return (fetch_arg32_tok(tok, buf, len));
4166 return (fetch_arg64_tok(tok, buf, len));
4169 return (fetch_attr32_tok(tok, buf, len));
4172 return (fetch_attr64_tok(tok, buf, len));
4175 return (fetch_exit_tok(tok, buf, len));
4178 return (fetch_execarg_tok(tok, buf, len));
4181 return (fetch_execenv_tok(tok, buf, len));
4183 case AUT_OTHER_FILE32:
4184 return (fetch_file_tok(tok, buf, len));
4187 return (fetch_newgroups_tok(tok, buf, len));
4190 return (fetch_inaddr_tok(tok, buf, len));
4192 case AUT_IN_ADDR_EX:
4193 return (fetch_inaddr_ex_tok(tok, buf, len));
4196 return (fetch_ip_tok(tok, buf, len));
4199 return (fetch_ipc_tok(tok, buf, len));
4202 return (fetch_ipcperm_tok(tok, buf, len));
4205 return (fetch_iport_tok(tok, buf, len));
4208 return (fetch_opaque_tok(tok, buf, len));
4211 return (fetch_path_tok(tok, buf, len));
4214 return (fetch_process32_tok(tok, buf, len));
4216 case AUT_PROCESS32_EX:
4217 return (fetch_process32ex_tok(tok, buf, len));
4220 return (fetch_process64_tok(tok, buf, len));
4222 case AUT_PROCESS64_EX:
4223 return (fetch_process64ex_tok(tok, buf, len));
4226 return (fetch_return32_tok(tok, buf, len));
4229 return (fetch_return64_tok(tok, buf, len));
4232 return (fetch_seq_tok(tok, buf, len));
4235 return (fetch_socket_tok(tok, buf, len));
4237 case AUT_SOCKINET32:
4238 return (fetch_sock_inet32_tok(tok, buf, len));
4241 return (fetch_sock_unix_tok(tok, buf, len));
4243 case AUT_SOCKINET128:
4244 return (fetch_sock_inet128_tok(tok, buf, len));
4247 return (fetch_subject32_tok(tok, buf, len));
4249 case AUT_SUBJECT32_EX:
4250 return (fetch_subject32ex_tok(tok, buf, len));
4253 return (fetch_subject64_tok(tok, buf, len));
4255 case AUT_SUBJECT64_EX:
4256 return (fetch_subject64ex_tok(tok, buf, len));
4259 return (fetch_text_tok(tok, buf, len));
4262 return (fetch_socketex32_tok(tok, buf, len));
4265 return (fetch_arb_tok(tok, buf, len));
4268 return (fetch_zonename_tok(tok, buf, len));
4271 return (fetch_priv_tok(tok, buf, len));
4274 return (fetch_privset_tok(tok, buf, len));
4277 return (fetch_invalid_tok(tok, buf, len));
4282 au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags)
4287 print_header32_tok(outfp, tok, del, oflags);
4290 case AUT_HEADER32_EX:
4291 print_header32_ex_tok(outfp, tok, del, oflags);
4295 print_header64_tok(outfp, tok, del, oflags);
4298 case AUT_HEADER64_EX:
4299 print_header64_ex_tok(outfp, tok, del, oflags);
4303 print_trailer_tok(outfp, tok, del, oflags);
4307 print_arg32_tok(outfp, tok, del, oflags);
4311 print_arg64_tok(outfp, tok, del, oflags);
4315 print_arb_tok(outfp, tok, del, oflags);
4319 print_attr32_tok(outfp, tok, del, oflags);
4323 print_attr64_tok(outfp, tok, del, oflags);
4327 print_exit_tok(outfp, tok, del, oflags);
4331 print_execarg_tok(outfp, tok, del, oflags);
4335 print_execenv_tok(outfp, tok, del, oflags);
4338 case AUT_OTHER_FILE32:
4339 print_file_tok(outfp, tok, del, oflags);
4343 print_newgroups_tok(outfp, tok, del, oflags);
4347 print_inaddr_tok(outfp, tok, del, oflags);
4350 case AUT_IN_ADDR_EX:
4351 print_inaddr_ex_tok(outfp, tok, del, oflags);
4355 print_ip_tok(outfp, tok, del, oflags);
4359 print_ipc_tok(outfp, tok, del, oflags);
4363 print_ipcperm_tok(outfp, tok, del, oflags);
4367 print_iport_tok(outfp, tok, del, oflags);
4371 print_opaque_tok(outfp, tok, del, oflags);
4375 print_path_tok(outfp, tok, del, oflags);
4379 print_process32_tok(outfp, tok, del, oflags);
4382 case AUT_PROCESS32_EX:
4383 print_process32ex_tok(outfp, tok, del, oflags);
4387 print_process64_tok(outfp, tok, del, oflags);
4390 case AUT_PROCESS64_EX:
4391 print_process64ex_tok(outfp, tok, del, oflags);
4395 print_return32_tok(outfp, tok, del, oflags);
4399 print_return64_tok(outfp, tok, del, oflags);
4403 print_seq_tok(outfp, tok, del, oflags);
4407 print_socket_tok(outfp, tok, del, oflags);
4410 case AUT_SOCKINET32:
4411 print_sock_inet32_tok(outfp, tok, del, oflags);
4415 print_sock_unix_tok(outfp, tok, del, oflags);
4418 case AUT_SOCKINET128:
4419 print_sock_inet128_tok(outfp, tok, del, oflags);
4423 print_subject32_tok(outfp, tok, del, oflags);
4427 print_subject64_tok(outfp, tok, del, oflags);
4430 case AUT_SUBJECT32_EX:
4431 print_subject32ex_tok(outfp, tok, del, oflags);
4434 case AUT_SUBJECT64_EX:
4435 print_subject64ex_tok(outfp, tok, del, oflags);
4439 print_text_tok(outfp, tok, del, oflags);
4443 print_socketex32_tok(outfp, tok, del, oflags);
4447 print_zonename_tok(outfp, tok, del, oflags);
4451 print_upriv_tok(outfp, tok, del, oflags);
4455 print_privset_tok(outfp, tok, del, oflags);
4459 print_invalid_tok(outfp, tok, del, oflags);
4464 * 'prints' the token out to outfp.
4467 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4469 int oflags = AU_OFLAG_NONE;
4472 oflags |= AU_OFLAG_RAW;
4474 oflags |= AU_OFLAG_SHORT;
4476 au_print_flags_tok(outfp, tok, del, oflags);
4480 * 'prints' the token out to outfp in XML format.
4483 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4486 int oflags = AU_OFLAG_XML;
4489 oflags |= AU_OFLAG_RAW;
4491 oflags |= AU_OFLAG_SHORT;
4493 au_print_flags_tok(outfp, tok, del, oflags);
4497 * Read a record from the file pointer, store data in buf memory for buf is
4498 * also allocated in this function and has to be free'd outside this call.
4500 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4501 * complete audit record.
4503 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4504 * state, because it will be partly offset into a record. We should rewind
4505 * or do something more intelligent. Particularly interesting is the case
4506 * where we perform a partial read of a record from a non-blockable file
4507 * descriptor. We should return the partial read and continue...?
4510 au_read_rec(FILE *fp, u_char **buf)
4514 u_int32_t bytestoread;
4517 u_int32_t sec, msec;
4518 u_int16_t filenamelen;
4524 case AUT_HEADER32_EX:
4526 case AUT_HEADER64_EX:
4527 /* read the record size from the token */
4528 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4529 sizeof(u_int32_t)) {
4533 recsize = be32toh(recsize);
4535 /* Check for recsize sanity */
4536 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4541 *buf = calloc(recsize, sizeof(u_char));
4546 /* store the token contents already read, back to the buffer*/
4549 be32enc(bptr, recsize);
4550 bptr += sizeof(u_int32_t);
4552 /* now read remaining record bytes */
4553 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4555 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4562 case AUT_OTHER_FILE32:
4564 * The file token is variable-length, as it includes a
4565 * pathname. As a result, we have to read incrementally
4566 * until we know the total length, then allocate space and
4569 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4573 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4577 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4578 sizeof(filenamelen)) {
4582 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4583 sizeof(filenamelen) + ntohs(filenamelen);
4584 *buf = malloc(recsize);
4589 bcopy(&type, bptr, sizeof(type));
4590 bptr += sizeof(type);
4591 bcopy(&sec, bptr, sizeof(sec));
4592 bptr += sizeof(sec);
4593 bcopy(&msec, bptr, sizeof(msec));
4594 bptr += sizeof(msec);
4595 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4596 bptr += sizeof(filenamelen);
4598 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4599 ntohs(filenamelen)) {