2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2005 SPARTA, Inc.
4 * Copyright (c) 2006 Robert N. M. Watson
5 * Copyright (c) 2006 Martin Voros
8 * This code was developed in part by Robert N. M. Watson, Senior Principal
9 * Scientist, SPARTA, Inc.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
20 * its contributors may be used to endorse or promote products derived
21 * from this software without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
27 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
31 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
32 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33 * POSSIBILITY OF SUCH DAMAGE.
35 * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#75 $
38 #include <sys/types.h>
40 #include <config/config.h>
45 #ifdef USE_SYS_ENDIAN_H
46 #include <sys/endian.h>
48 #ifdef USE_MACHINE_ENDIAN_H
49 #include <machine/endian.h>
51 #ifdef USE_COMPAT_ENDIAN_H
52 #include <compat/endian.h>
54 #ifdef USE_COMPAT_ENDIAN_ENC_H
55 #include <compat/endian_enc.h>
58 #ifdef HAVE_FULL_QUEUE_H
59 #include <sys/queue.h>
60 #else /* !HAVE_FULL_QUEUE_H */
61 #include <compat/queue.h>
62 #endif /* !HAVE_FULL_QUEUE_H */
65 #include <sys/socket.h>
67 #include <bsm/libbsm.h>
70 #include <netinet/in.h>
71 #include <arpa/inet.h>
83 #include <compat/vis.h>
86 #include <bsm/audit_internal.h>
88 #define READ_TOKEN_BYTES(buf, len, dest, size, bytesread, err) do { \
89 if ((bytesread) + (size) > (u_int32_t)(len)) { \
92 memcpy((dest), (buf) + (bytesread), (size)); \
97 #define READ_TOKEN_U_CHAR(buf, len, dest, bytesread, err) do { \
98 if ((bytesread) + sizeof(u_char) <= (u_int32_t)(len)) { \
99 (dest) = buf[(bytesread)]; \
100 (bytesread) += sizeof(u_char); \
105 #define READ_TOKEN_U_INT16(buf, len, dest, bytesread, err) do { \
106 if ((bytesread) + sizeof(u_int16_t) <= (u_int32_t)(len)) { \
107 (dest) = be16dec((buf) + (bytesread)); \
108 (bytesread) += sizeof(u_int16_t); \
113 #define READ_TOKEN_U_INT32(buf, len, dest, bytesread, err) do { \
114 if ((bytesread) + sizeof(u_int32_t) <= (u_int32_t)(len)) { \
115 (dest) = be32dec((buf) + (bytesread)); \
116 (bytesread) += sizeof(u_int32_t); \
121 #define READ_TOKEN_U_INT64(buf, len, dest, bytesread, err) do { \
122 if ((bytesread) + sizeof(u_int64_t) <= (u_int32_t)(len)) { \
123 dest = be64dec((buf) + (bytesread)); \
124 (bytesread) += sizeof(u_int64_t); \
129 #define SET_PTR(buf, len, ptr, size, bytesread, err) do { \
130 if ((bytesread) + (size) > (u_int32_t)(len)) \
133 (ptr) = (buf) + (bytesread); \
134 (bytesread) += (size); \
145 * Prints the delimiter string.
148 print_delim(FILE *fp, const char *del)
151 fprintf(fp, "%s", del);
155 * Prints a single byte in the given format.
158 print_1_byte(FILE *fp, u_char val, const char *format)
161 fprintf(fp, format, val);
165 * Print 2 bytes in the given format.
168 print_2_bytes(FILE *fp, u_int16_t val, const char *format)
171 fprintf(fp, format, val);
175 * Prints 4 bytes in the given format.
178 print_4_bytes(FILE *fp, u_int32_t val, const char *format)
181 fprintf(fp, format, val);
185 * Prints 8 bytes in the given format.
188 print_8_bytes(FILE *fp, u_int64_t val, const char *format)
191 fprintf(fp, format, val);
195 * Prints the given size of data bytes in hex.
198 print_mem(FILE *fp, u_char *data, size_t len)
204 for (i = 0; i < len; i++)
205 fprintf(fp, "%02x", data[i]);
210 * Prints the given data bytes as a string.
213 print_string(FILE *fp, const char *str, size_t len)
218 for (i = 0; i < len; i++) {
220 fprintf(fp, "%c", str[i]);
226 * Prints the given data bytes as an XML-sanitized string.
229 print_xml_string(FILE *fp, const char *str, size_t len)
237 for (i = 0; i < len; i++) {
243 (void) fprintf(fp, "&");
247 (void) fprintf(fp, "<");
251 (void) fprintf(fp, ">");
255 (void) fprintf(fp, """);
259 (void) fprintf(fp, "'");
263 (void) vis(visbuf, str[i], VIS_CSTYLE, 0);
264 (void) fprintf(fp, "%s", visbuf);
271 * Prints the beggining of attribute.
274 open_attr(FILE *fp, const char *str)
277 fprintf(fp,"%s=\"", str);
281 * Prints the end of attribute.
291 * Prints the end of tag.
294 close_tag(FILE *fp, u_char type)
302 case AUT_HEADER32_EX:
310 case AUT_HEADER64_EX:
335 fprintf(fp, "</exec_args>");
339 fprintf(fp, "</exec_env>");
342 case AUT_OTHER_FILE32:
343 fprintf(fp, "</file>");
347 fprintf(fp, "</group>");
351 fprintf(fp, "</ip_address>");
355 fprintf(fp, "</ip_address>");
371 fprintf(fp, "</ip_port>");
375 fprintf(fp, "</opaque>");
379 fprintf(fp, "</path>");
386 case AUT_PROCESS32_EX:
394 case AUT_PROCESS64_EX:
422 case AUT_SOCKINET128:
434 case AUT_SUBJECT32_EX:
438 case AUT_SUBJECT64_EX:
443 fprintf(fp, "</text>");
451 fprintf(fp, "</arbitrary>");
461 * Prints the token type in either the raw or the default form.
464 print_tok_type(FILE *fp, u_char type, const char *tokname, int oflags)
467 if (oflags & AU_OFLAG_XML) {
470 fprintf(fp, "<record ");
473 case AUT_HEADER32_EX:
474 fprintf(fp, "<record ");
478 fprintf(fp, "<record ");
481 case AUT_HEADER64_EX:
482 fprintf(fp, "<record ");
486 fprintf(fp, "</record>");
490 fprintf(fp, "<argument ");
494 fprintf(fp, "<argument ");
498 fprintf(fp, "<attribute ");
502 fprintf(fp, "<attribute ");
506 fprintf(fp, "<exit ");
510 fprintf(fp, "<exec_args>");
514 fprintf(fp, "<exec_env>");
517 case AUT_OTHER_FILE32:
518 fprintf(fp, "<file ");
522 fprintf(fp, "<group>");
526 fprintf(fp, "<ip_address>");
530 fprintf(fp, "<ip_address>");
542 fprintf(fp, "<IPC_perm ");
546 fprintf(fp, "<ip_port>");
550 fprintf(fp, "<opaque>");
554 fprintf(fp, "<path>");
558 fprintf(fp, "<process ");
561 case AUT_PROCESS32_EX:
562 fprintf(fp, "<process ");
566 fprintf(fp, "<process ");
569 case AUT_PROCESS64_EX:
570 fprintf(fp, "<process ");
574 fprintf(fp, "<return ");
578 fprintf(fp, "<return ");
582 fprintf(fp, "<sequence ");
586 fprintf(fp, "<socket ");
590 fprintf(fp, "<socket-inet ");
594 fprintf(fp, "<socket-unix ");
597 case AUT_SOCKINET128:
598 fprintf(fp, "<socket-inet6 ");
601 fprintf(fp, "<subject ");
605 fprintf(fp, "<subject ");
608 case AUT_SUBJECT32_EX:
609 fprintf(fp, "<subject ");
612 case AUT_SUBJECT64_EX:
613 fprintf(fp, "<subject ");
617 fprintf(fp, "<text>");
621 fprintf(fp, "<socket ");
625 fprintf(fp, "<arbitrary ");
629 fprintf(fp, "<zone ");
633 if (oflags & AU_OFLAG_RAW)
634 fprintf(fp, "%u", type);
636 fprintf(fp, "%s", tokname);
641 * Prints a user value.
644 print_user(FILE *fp, u_int32_t usr, int oflags)
646 struct passwd *pwent;
648 if (oflags & AU_OFLAG_RAW)
649 fprintf(fp, "%d", usr);
651 pwent = getpwuid(usr);
653 fprintf(fp, "%s", pwent->pw_name);
655 fprintf(fp, "%d", usr);
660 * Prints a group value.
663 print_group(FILE *fp, u_int32_t grp, int oflags)
665 struct group *grpent;
667 if (oflags & AU_OFLAG_RAW)
668 fprintf(fp, "%d", grp);
670 grpent = getgrgid(grp);
672 fprintf(fp, "%s", grpent->gr_name);
674 fprintf(fp, "%d", grp);
679 * Prints the event from the header token in either the short, default or raw
683 print_event(FILE *fp, u_int16_t ev, int oflags)
685 char event_ent_name[AU_EVENT_NAME_MAX];
686 char event_ent_desc[AU_EVENT_DESC_MAX];
687 struct au_event_ent e, *ep;
689 bzero(&e, sizeof(e));
690 bzero(event_ent_name, sizeof(event_ent_name));
691 bzero(event_ent_desc, sizeof(event_ent_desc));
692 e.ae_name = event_ent_name;
693 e.ae_desc = event_ent_desc;
695 ep = getauevnum_r(&e, ev);
697 fprintf(fp, "%u", ev);
701 if (oflags & AU_OFLAG_RAW)
702 fprintf(fp, "%u", ev);
703 else if (oflags & AU_OFLAG_SHORT)
704 fprintf(fp, "%s", e.ae_name);
706 fprintf(fp, "%s", e.ae_desc);
711 * Prints the event modifier from the header token in either the default or
715 print_evmod(FILE *fp, u_int16_t evmod, int oflags)
717 if (oflags & AU_OFLAG_RAW)
718 fprintf(fp, "%u", evmod);
720 fprintf(fp, "%u", evmod);
724 * Prints seconds in the ctime format.
727 print_sec32(FILE *fp, u_int32_t sec, int oflags)
732 if (oflags & AU_OFLAG_RAW)
733 fprintf(fp, "%u", sec);
735 timestamp = (time_t)sec;
736 ctime_r(×tamp, timestr);
737 timestr[24] = '\0'; /* No new line */
738 fprintf(fp, "%s", timestr);
743 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we
744 * assume a 32-bit time_t, we simply truncate for now.
747 print_sec64(FILE *fp, u_int64_t sec, int oflags)
752 if (oflags & AU_OFLAG_RAW)
753 fprintf(fp, "%u", (u_int32_t)sec);
755 timestamp = (time_t)sec;
756 ctime_r(×tamp, timestr);
757 timestr[24] = '\0'; /* No new line */
758 fprintf(fp, "%s", timestr);
763 * Prints the excess milliseconds.
766 print_msec32(FILE *fp, u_int32_t msec, int oflags)
768 if (oflags & AU_OFLAG_RAW)
769 fprintf(fp, "%u", msec);
771 fprintf(fp, " + %u msec", msec);
775 * XXXRW: 64-bit token streams make use of 64-bit time stamps; since we assume
776 * a 32-bit msec, we simply truncate for now.
779 print_msec64(FILE *fp, u_int64_t msec, int oflags)
783 if (oflags & AU_OFLAG_RAW)
784 fprintf(fp, "%u", (u_int32_t)msec);
786 fprintf(fp, " + %u msec", (u_int32_t)msec);
790 * Prints a dotted form for the IP address.
793 print_ip_address(FILE *fp, u_int32_t ip)
795 struct in_addr ipaddr;
798 fprintf(fp, "%s", inet_ntoa(ipaddr));
802 * Prints a string value for the given ip address.
805 print_ip_ex_address(FILE *fp, u_int32_t type, u_int32_t *ipaddr)
808 struct in6_addr ipv6;
809 char dst[INET6_ADDRSTRLEN];
813 ipv4.s_addr = (in_addr_t)(ipaddr[0]);
814 fprintf(fp, "%s", inet_ntop(AF_INET, &ipv4, dst,
819 bcopy(ipaddr, &ipv6, sizeof(ipv6));
820 fprintf(fp, "%s", inet_ntop(AF_INET6, &ipv6, dst,
825 fprintf(fp, "invalid");
830 * Prints return value as success or failure.
833 print_retval(FILE *fp, u_char status, int oflags)
837 if (oflags & AU_OFLAG_RAW)
838 fprintf(fp, "%u", status);
841 * Convert to a local error number and print the OS's version
842 * of the error string if possible. We may want to provide
843 * an au_strerror(3) in the future so that we can print
844 * strings for non-local errors.
846 if (au_bsm_to_errno(status, &error) == 0) {
848 fprintf(fp, "success");
850 fprintf(fp, "failure : %s", strerror(error));
852 fprintf(fp, "failure: Unknown error: %d", status);
857 * Prints the exit value.
860 print_errval(FILE *fp, u_int32_t val)
863 fprintf(fp, "Error %u", val);
870 print_ipctype(FILE *fp, u_char type, int oflags)
872 if (oflags & AU_OFLAG_RAW)
873 fprintf(fp, "%u", type);
875 if (type == AT_IPC_MSG)
876 fprintf(fp, "Message IPC");
877 else if (type == AT_IPC_SEM)
878 fprintf(fp, "Semaphore IPC");
879 else if (type == AT_IPC_SHM)
880 fprintf(fp, "Shared Memory IPC");
882 fprintf(fp, "%u", type);
890 au_print_xml_header(FILE *outfp)
893 fprintf(outfp, "<?xml version='1.0' ?>\n");
894 fprintf(outfp, "<audit>\n");
901 au_print_xml_footer(FILE *outfp)
904 fprintf(outfp, "</audit>\n");
908 * record byte count 4 bytes
909 * version # 1 byte [2]
911 * event modifier 2 bytes
912 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
913 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
916 fetch_header32_tok(tokenstr_t *tok, u_char *buf, int len)
920 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.size, tok->len, err);
924 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32.version, tok->len, err);
928 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_type, tok->len, err);
932 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32.e_mod, tok->len, err);
936 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.s, tok->len, err);
940 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32.ms, tok->len, err);
948 print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
951 print_tok_type(fp, tok->id, "header", oflags);
952 if (oflags & AU_OFLAG_XML) {
953 open_attr(fp, "version");
954 print_1_byte(fp, tok->tt.hdr32.version, "%u");
956 open_attr(fp, "event");
957 print_event(fp, tok->tt.hdr32.e_type, oflags);
959 open_attr(fp, "modifier");
960 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
962 open_attr(fp, "time");
963 print_sec32(fp, tok->tt.hdr32.s, oflags);
965 open_attr(fp, "msec");
966 print_msec32(fp, tok->tt.hdr32.ms, oflags);
968 close_tag(fp, tok->id);
970 print_delim(fp, del);
971 print_4_bytes(fp, tok->tt.hdr32.size, "%u");
972 print_delim(fp, del);
973 print_1_byte(fp, tok->tt.hdr32.version, "%u");
974 print_delim(fp, del);
975 print_event(fp, tok->tt.hdr32.e_type, oflags);
976 print_delim(fp, del);
977 print_evmod(fp, tok->tt.hdr32.e_mod, oflags);
978 print_delim(fp, del);
979 print_sec32(fp, tok->tt.hdr32.s, oflags);
980 print_delim(fp, del);
981 print_msec32(fp, tok->tt.hdr32.ms, oflags);
986 * The Solaris specifications for AUE_HEADER32_EX seem to differ a bit
987 * depending on the bit of the specifications found. The OpenSolaris source
988 * code uses a 4-byte address length, followed by some number of bytes of
989 * address data. This contrasts with the Solaris audit.log.5 man page, which
990 * specifies a 1-byte length field. We use the Solaris 10 definition so that
991 * we can parse audit trails from that system.
993 * record byte count 4 bytes
994 * version # 1 byte [2]
996 * event modifier 2 bytes
997 * address type/length 4 bytes
998 * [ Solaris man page: address type/length 1 byte]
999 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1000 * seconds of time 4 bytes/8 bytes (32/64-bits)
1001 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1004 fetch_header32_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1008 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
1012 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
1016 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
1020 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
1024 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
1028 bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
1029 switch (tok->tt.hdr32_ex.ad_type) {
1031 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr32_ex.addr[0],
1032 sizeof(tok->tt.hdr32_ex.addr[0]), tok->len, err);
1038 READ_TOKEN_BYTES(buf, len, tok->tt.hdr32_ex.addr,
1039 sizeof(tok->tt.hdr32_ex.addr), tok->len, err);
1043 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
1047 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
1055 print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1058 print_tok_type(fp, tok->id, "header_ex", oflags);
1059 if (oflags & AU_OFLAG_RAW) {
1060 open_attr(fp, "version");
1061 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1063 open_attr(fp, "event");
1064 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1066 open_attr(fp, "modifier");
1067 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1069 open_attr(fp, "host");
1070 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1071 tok->tt.hdr32_ex.addr);
1073 open_attr(fp, "time");
1074 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1076 open_attr(fp, "msec");
1077 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1079 close_tag(fp, tok->id);
1081 print_delim(fp, del);
1082 print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
1083 print_delim(fp, del);
1084 print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
1085 print_delim(fp, del);
1086 print_event(fp, tok->tt.hdr32_ex.e_type, oflags);
1087 print_delim(fp, del);
1088 print_evmod(fp, tok->tt.hdr32_ex.e_mod, oflags);
1089 print_delim(fp, del);
1090 print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
1091 tok->tt.hdr32_ex.addr);
1092 print_delim(fp, del);
1093 print_sec32(fp, tok->tt.hdr32_ex.s, oflags);
1094 print_delim(fp, del);
1095 print_msec32(fp, tok->tt.hdr32_ex.ms, oflags);
1100 * record byte count 4 bytes
1101 * event type 2 bytes
1102 * event modifier 2 bytes
1103 * seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1104 * milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
1108 fetch_header64_tok(tokenstr_t *tok, u_char *buf, int len)
1112 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64.size, tok->len, err);
1116 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64.version, tok->len, err);
1120 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_type, tok->len, err);
1124 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64.e_mod, tok->len, err);
1128 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.s, tok->len, err);
1132 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64.ms, tok->len, err);
1140 print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1143 print_tok_type(fp, tok->id, "header", oflags);
1144 if (oflags & AU_OFLAG_XML) {
1145 open_attr(fp, "version");
1146 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1148 open_attr(fp, "event");
1149 print_event(fp, tok->tt.hdr64.e_type, oflags);
1151 open_attr(fp, "modifier");
1152 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1154 open_attr(fp, "time");
1155 print_sec64(fp, tok->tt.hdr64.s, oflags);
1157 open_attr(fp, "msec");
1158 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1160 close_tag(fp, tok->id);
1162 print_delim(fp, del);
1163 print_4_bytes(fp, tok->tt.hdr64.size, "%u");
1164 print_delim(fp, del);
1165 print_1_byte(fp, tok->tt.hdr64.version, "%u");
1166 print_delim(fp, del);
1167 print_event(fp, tok->tt.hdr64.e_type, oflags);
1168 print_delim(fp, del);
1169 print_evmod(fp, tok->tt.hdr64.e_mod, oflags);
1170 print_delim(fp, del);
1171 print_sec64(fp, tok->tt.hdr64.s, oflags);
1172 print_delim(fp, del);
1173 print_msec64(fp, tok->tt.hdr64.ms, oflags);
1178 * record byte count 4 bytes
1179 * version # 1 byte [2]
1180 * event type 2 bytes
1181 * event modifier 2 bytes
1182 * address type/length 4 bytes
1183 * [ Solaris man page: address type/length 1 byte]
1184 * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
1185 * seconds of time 4 bytes/8 bytes (32/64-bits)
1186 * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
1188 * XXXAUDIT: See comment by fetch_header32_ex_tok() for details on the
1189 * accuracy of the BSM spec.
1192 fetch_header64_ex_tok(tokenstr_t *tok, u_char *buf, int len)
1196 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.size, tok->len, err);
1200 READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr64_ex.version, tok->len, err);
1204 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_type, tok->len, err);
1208 READ_TOKEN_U_INT16(buf, len, tok->tt.hdr64_ex.e_mod, tok->len, err);
1212 READ_TOKEN_U_INT32(buf, len, tok->tt.hdr64_ex.ad_type, tok->len, err);
1216 bzero(tok->tt.hdr64_ex.addr, sizeof(tok->tt.hdr64_ex.addr));
1217 switch (tok->tt.hdr64_ex.ad_type) {
1219 READ_TOKEN_BYTES(buf, len, &tok->tt.hdr64_ex.addr[0],
1220 sizeof(tok->tt.hdr64_ex.addr[0]), tok->len, err);
1226 READ_TOKEN_BYTES(buf, len, tok->tt.hdr64_ex.addr,
1227 sizeof(tok->tt.hdr64_ex.addr), tok->len, err);
1231 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.s, tok->len, err);
1235 READ_TOKEN_U_INT64(buf, len, tok->tt.hdr64_ex.ms, tok->len, err);
1243 print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1246 print_tok_type(fp, tok->id, "header_ex", oflags);
1247 if (oflags & AU_OFLAG_XML) {
1248 open_attr(fp, "version");
1249 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1251 open_attr(fp, "event");
1252 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1254 open_attr(fp, "modifier");
1255 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1257 open_attr(fp, "host");
1258 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1259 tok->tt.hdr64_ex.addr);
1261 open_attr(fp, "time");
1262 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1264 open_attr(fp, "msec");
1265 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1267 close_tag(fp, tok->id);
1269 print_delim(fp, del);
1270 print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
1271 print_delim(fp, del);
1272 print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
1273 print_delim(fp, del);
1274 print_event(fp, tok->tt.hdr64_ex.e_type, oflags);
1275 print_delim(fp, del);
1276 print_evmod(fp, tok->tt.hdr64_ex.e_mod, oflags);
1277 print_delim(fp, del);
1278 print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
1279 tok->tt.hdr64_ex.addr);
1280 print_delim(fp, del);
1281 print_sec64(fp, tok->tt.hdr64_ex.s, oflags);
1282 print_delim(fp, del);
1283 print_msec64(fp, tok->tt.hdr64_ex.ms, oflags);
1288 * trailer magic 2 bytes
1289 * record size 4 bytes
1292 fetch_trailer_tok(tokenstr_t *tok, u_char *buf, int len)
1296 READ_TOKEN_U_INT16(buf, len, tok->tt.trail.magic, tok->len, err);
1300 READ_TOKEN_U_INT32(buf, len, tok->tt.trail.count, tok->len, err);
1308 print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1311 print_tok_type(fp, tok->id, "trailer", oflags);
1312 if (!(oflags & AU_OFLAG_XML)) {
1313 print_delim(fp, del);
1314 print_4_bytes(fp, tok->tt.trail.count, "%u");
1320 * argument value 4 bytes/8 bytes (32-bit/64-bit value)
1321 * text length 2 bytes
1322 * text N bytes + 1 terminating NULL byte
1325 fetch_arg32_tok(tokenstr_t *tok, u_char *buf, int len)
1329 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg32.no, tok->len, err);
1333 READ_TOKEN_U_INT32(buf, len, tok->tt.arg32.val, tok->len, err);
1337 READ_TOKEN_U_INT16(buf, len, tok->tt.arg32.len, tok->len, err);
1341 SET_PTR((char*)buf, len, tok->tt.arg32.text, tok->tt.arg32.len,
1350 print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1353 print_tok_type(fp, tok->id, "argument", oflags);
1354 if (oflags & AU_OFLAG_XML) {
1355 open_attr(fp, "arg-num");
1356 print_1_byte(fp, tok->tt.arg32.no, "%u");
1358 open_attr(fp, "value");
1359 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1361 open_attr(fp, "desc");
1362 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1364 close_tag(fp, tok->id);
1366 print_delim(fp, del);
1367 print_1_byte(fp, tok->tt.arg32.no, "%u");
1368 print_delim(fp, del);
1369 print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
1370 print_delim(fp, del);
1371 print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
1376 fetch_arg64_tok(tokenstr_t *tok, u_char *buf, int len)
1380 READ_TOKEN_U_CHAR(buf, len, tok->tt.arg64.no, tok->len, err);
1384 READ_TOKEN_U_INT64(buf, len, tok->tt.arg64.val, tok->len, err);
1388 READ_TOKEN_U_INT16(buf, len, tok->tt.arg64.len, tok->len, err);
1392 SET_PTR((char*)buf, len, tok->tt.arg64.text, tok->tt.arg64.len,
1401 print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1404 print_tok_type(fp, tok->id, "argument", oflags);
1405 if (oflags & AU_OFLAG_XML) {
1406 open_attr(fp, "arg-num");
1407 print_1_byte(fp, tok->tt.arg64.no, "%u");
1409 open_attr(fp, "value");
1410 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1412 open_attr(fp, "desc");
1413 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1415 close_tag(fp, tok->id);
1417 print_delim(fp, del);
1418 print_1_byte(fp, tok->tt.arg64.no, "%u");
1419 print_delim(fp, del);
1420 print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
1421 print_delim(fp, del);
1422 print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
1427 * how to print 1 byte
1430 * data items (depends on basic unit)
1433 fetch_arb_tok(tokenstr_t *tok, u_char *buf, int len)
1438 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.howtopr, tok->len, err);
1442 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.bu, tok->len, err);
1446 READ_TOKEN_U_CHAR(buf, len, tok->tt.arb.uc, tok->len, err);
1451 * Determine the size of the basic unit.
1453 switch(tok->tt.arb.bu) {
1455 /* case AUR_CHAR: */
1456 datasize = AUR_BYTE_SIZE;
1460 datasize = AUR_SHORT_SIZE;
1465 datasize = AUR_INT32_SIZE;
1469 datasize = AUR_INT64_SIZE;
1476 SET_PTR(buf, len, tok->tt.arb.data, datasize * tok->tt.arb.uc,
1485 print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1492 print_tok_type(fp, tok->id, "arbitrary", oflags);
1493 if (!(oflags & AU_OFLAG_XML))
1494 print_delim(fp, del);
1496 switch(tok->tt.arb.howtopr) {
1526 if (oflags & AU_OFLAG_XML) {
1527 open_attr(fp, "print");
1528 fprintf(fp, "%s",str);
1531 print_string(fp, str, strlen(str));
1532 print_delim(fp, del);
1534 switch(tok->tt.arb.bu) {
1536 /* case AUR_CHAR: */
1538 size = AUR_BYTE_SIZE;
1539 if (oflags & AU_OFLAG_XML) {
1540 open_attr(fp, "type");
1541 fprintf(fp, "%zu", size);
1543 open_attr(fp, "count");
1544 print_1_byte(fp, tok->tt.arb.uc, "%u");
1547 for (i = 0; i<tok->tt.arb.uc; i++)
1548 fprintf(fp, format, *(tok->tt.arb.data +
1550 close_tag(fp, tok->id);
1552 print_string(fp, str, strlen(str));
1553 print_delim(fp, del);
1554 print_1_byte(fp, tok->tt.arb.uc, "%u");
1555 print_delim(fp, del);
1556 for (i = 0; i<tok->tt.arb.uc; i++)
1557 fprintf(fp, format, *(tok->tt.arb.data +
1564 size = AUR_SHORT_SIZE;
1565 if (oflags & AU_OFLAG_XML) {
1566 open_attr(fp, "type");
1567 fprintf(fp, "%zu", size);
1569 open_attr(fp, "count");
1570 print_1_byte(fp, tok->tt.arb.uc, "%u");
1573 for (i = 0; i < tok->tt.arb.uc; i++)
1575 *((u_int16_t *)(tok->tt.arb.data +
1577 close_tag(fp, tok->id);
1579 print_string(fp, str, strlen(str));
1580 print_delim(fp, del);
1581 print_1_byte(fp, tok->tt.arb.uc, "%u");
1582 print_delim(fp, del);
1583 for (i = 0; i < tok->tt.arb.uc; i++)
1585 *((u_int16_t *)(tok->tt.arb.data +
1593 size = AUR_INT32_SIZE;
1594 if (oflags & AU_OFLAG_XML) {
1595 open_attr(fp, "type");
1596 fprintf(fp, "%zu", size);
1598 open_attr(fp, "count");
1599 print_1_byte(fp, tok->tt.arb.uc, "%u");
1602 for (i = 0; i < tok->tt.arb.uc; i++)
1604 *((u_int32_t *)(tok->tt.arb.data +
1606 close_tag(fp, tok->id);
1608 print_string(fp, str, strlen(str));
1609 print_delim(fp, del);
1610 print_1_byte(fp, tok->tt.arb.uc, "%u");
1611 print_delim(fp, del);
1612 for (i = 0; i < tok->tt.arb.uc; i++)
1614 *((u_int32_t *)(tok->tt.arb.data +
1621 size = AUR_INT64_SIZE;
1622 if (oflags & AU_OFLAG_XML) {
1623 open_attr(fp, "type");
1624 fprintf(fp, "%zu", size);
1626 open_attr(fp, "count");
1627 print_1_byte(fp, tok->tt.arb.uc, "%u");
1630 for (i = 0; i < tok->tt.arb.uc; i++)
1632 *((u_int64_t *)(tok->tt.arb.data +
1634 close_tag(fp, tok->id);
1636 print_string(fp, str, strlen(str));
1637 print_delim(fp, del);
1638 print_1_byte(fp, tok->tt.arb.uc, "%u");
1639 print_delim(fp, del);
1640 for (i = 0; i < tok->tt.arb.uc; i++)
1642 *((u_int64_t *)(tok->tt.arb.data +
1653 * file access mode 4 bytes
1654 * owner user ID 4 bytes
1655 * owner group ID 4 bytes
1656 * file system ID 4 bytes
1658 * device 4 bytes/8 bytes (32-bit/64-bit)
1661 fetch_attr32_tok(tokenstr_t *tok, u_char *buf, int len)
1665 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.mode, tok->len, err);
1669 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.uid, tok->len, err);
1673 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.gid, tok->len, err);
1677 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.fsid, tok->len, err);
1681 READ_TOKEN_U_INT64(buf, len, tok->tt.attr32.nid, tok->len, err);
1685 READ_TOKEN_U_INT32(buf, len, tok->tt.attr32.dev, tok->len, err);
1693 print_attr32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1696 print_tok_type(fp, tok->id, "attribute", oflags);
1697 if (oflags & AU_OFLAG_XML) {
1698 open_attr(fp, "mode");
1699 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1701 open_attr(fp, "uid");
1702 print_user(fp, tok->tt.attr32.uid, oflags);
1704 open_attr(fp, "gid");
1705 print_group(fp, tok->tt.attr32.gid, oflags);
1707 open_attr(fp, "fsid");
1708 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1710 open_attr(fp, "nodeid");
1711 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1713 open_attr(fp, "device");
1714 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1716 close_tag(fp, tok->id);
1718 print_delim(fp, del);
1719 print_4_bytes(fp, tok->tt.attr32.mode, "%o");
1720 print_delim(fp, del);
1721 print_user(fp, tok->tt.attr32.uid, oflags);
1722 print_delim(fp, del);
1723 print_group(fp, tok->tt.attr32.gid, oflags);
1724 print_delim(fp, del);
1725 print_4_bytes(fp, tok->tt.attr32.fsid, "%u");
1726 print_delim(fp, del);
1727 print_8_bytes(fp, tok->tt.attr32.nid, "%lld");
1728 print_delim(fp, del);
1729 print_4_bytes(fp, tok->tt.attr32.dev, "%u");
1734 * file access mode 4 bytes
1735 * owner user ID 4 bytes
1736 * owner group ID 4 bytes
1737 * file system ID 4 bytes
1739 * device 4 bytes/8 bytes (32-bit/64-bit)
1742 fetch_attr64_tok(tokenstr_t *tok, u_char *buf, int len)
1746 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.mode, tok->len, err);
1750 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.uid, tok->len, err);
1754 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.gid, tok->len, err);
1758 READ_TOKEN_U_INT32(buf, len, tok->tt.attr64.fsid, tok->len, err);
1762 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.nid, tok->len, err);
1766 READ_TOKEN_U_INT64(buf, len, tok->tt.attr64.dev, tok->len, err);
1774 print_attr64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1777 print_tok_type(fp, tok->id, "attribute", oflags);
1778 if (oflags & AU_OFLAG_XML) {
1779 open_attr(fp, "mode");
1780 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1782 open_attr(fp, "uid");
1783 print_user(fp, tok->tt.attr64.uid, oflags);
1785 open_attr(fp, "gid");
1786 print_group(fp, tok->tt.attr64.gid, oflags);
1788 open_attr(fp, "fsid");
1789 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1791 open_attr(fp, "nodeid");
1792 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1794 open_attr(fp, "device");
1795 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1797 close_tag(fp, tok->id);
1799 print_delim(fp, del);
1800 print_4_bytes(fp, tok->tt.attr64.mode, "%o");
1801 print_delim(fp, del);
1802 print_user(fp, tok->tt.attr64.uid, oflags);
1803 print_delim(fp, del);
1804 print_group(fp, tok->tt.attr64.gid, oflags);
1805 print_delim(fp, del);
1806 print_4_bytes(fp, tok->tt.attr64.fsid, "%u");
1807 print_delim(fp, del);
1808 print_8_bytes(fp, tok->tt.attr64.nid, "%lld");
1809 print_delim(fp, del);
1810 print_8_bytes(fp, tok->tt.attr64.dev, "%llu");
1816 * return value 4 bytes
1819 fetch_exit_tok(tokenstr_t *tok, u_char *buf, int len)
1823 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.status, tok->len, err);
1827 READ_TOKEN_U_INT32(buf, len, tok->tt.exit.ret, tok->len, err);
1835 print_exit_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1838 print_tok_type(fp, tok->id, "exit", oflags);
1839 if (oflags & AU_OFLAG_XML) {
1840 open_attr(fp, "errval");
1841 print_errval(fp, tok->tt.exit.status);
1843 open_attr(fp, "retval");
1844 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1846 close_tag(fp, tok->id);
1848 print_delim(fp, del);
1849 print_errval(fp, tok->tt.exit.status);
1850 print_delim(fp, del);
1851 print_4_bytes(fp, tok->tt.exit.ret, "%u");
1857 * text count null-terminated string(s)
1860 fetch_execarg_tok(tokenstr_t *tok, u_char *buf, int len)
1866 READ_TOKEN_U_INT32(buf, len, tok->tt.execarg.count, tok->len, err);
1870 for (i = 0; i < tok->tt.execarg.count; i++) {
1871 bptr = buf + tok->len;
1872 if (i < AUDIT_MAX_ARGS)
1873 tok->tt.execarg.text[i] = (char*)bptr;
1875 /* Look for a null terminated string. */
1876 while (bptr && (*bptr != '\0')) {
1877 if (++tok->len >= (u_int32_t)len)
1879 bptr = buf + tok->len;
1883 tok->len++; /* \0 character */
1885 if (tok->tt.execarg.count > AUDIT_MAX_ARGS)
1886 tok->tt.execarg.count = AUDIT_MAX_ARGS;
1892 print_execarg_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1896 print_tok_type(fp, tok->id, "exec arg", oflags);
1897 for (i = 0; i < tok->tt.execarg.count; i++) {
1898 if (oflags & AU_OFLAG_XML) {
1899 fprintf(fp, "<arg>");
1900 print_xml_string(fp, tok->tt.execarg.text[i],
1901 strlen(tok->tt.execarg.text[i]));
1902 fprintf(fp, "</arg>");
1904 print_delim(fp, del);
1905 print_string(fp, tok->tt.execarg.text[i],
1906 strlen(tok->tt.execarg.text[i]));
1909 if (oflags & AU_OFLAG_XML)
1910 close_tag(fp, tok->id);
1915 * text count null-terminated string(s)
1918 fetch_execenv_tok(tokenstr_t *tok, u_char *buf, int len)
1924 READ_TOKEN_U_INT32(buf, len, tok->tt.execenv.count, tok->len, err);
1928 for (i = 0; i < tok->tt.execenv.count; i++) {
1929 bptr = buf + tok->len;
1930 if (i < AUDIT_MAX_ENV)
1931 tok->tt.execenv.text[i] = (char*)bptr;
1933 /* Look for a null terminated string. */
1934 while (bptr && (*bptr != '\0')) {
1935 if (++tok->len >= (u_int32_t)len)
1937 bptr = buf + tok->len;
1941 tok->len++; /* \0 character */
1943 if (tok->tt.execenv.count > AUDIT_MAX_ENV)
1944 tok->tt.execenv.count = AUDIT_MAX_ENV;
1950 print_execenv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
1954 print_tok_type(fp, tok->id, "exec env", oflags);
1955 for (i = 0; i< tok->tt.execenv.count; i++) {
1956 if (oflags & AU_OFLAG_XML) {
1957 fprintf(fp, "<env>");
1958 print_xml_string(fp, tok->tt.execenv.text[i],
1959 strlen(tok->tt.execenv.text[i]));
1960 fprintf(fp, "</env>");
1962 print_delim(fp, del);
1963 print_string(fp, tok->tt.execenv.text[i],
1964 strlen(tok->tt.execenv.text[i]));
1967 if (oflags & AU_OFLAG_XML)
1968 close_tag(fp, tok->id);
1972 * seconds of time 4 bytes
1973 * milliseconds of time 4 bytes
1974 * file name len 2 bytes
1975 * file pathname N bytes + 1 terminating NULL byte
1978 fetch_file_tok(tokenstr_t *tok, u_char *buf, int len)
1982 READ_TOKEN_U_INT32(buf, len, tok->tt.file.s, tok->len, err);
1986 READ_TOKEN_U_INT32(buf, len, tok->tt.file.ms, tok->len, err);
1990 READ_TOKEN_U_INT16(buf, len, tok->tt.file.len, tok->len, err);
1994 SET_PTR((char*)buf, len, tok->tt.file.name, tok->tt.file.len, tok->len,
2003 print_file_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2006 print_tok_type(fp, tok->id, "file", oflags);
2007 if (oflags & AU_OFLAG_XML) {
2008 open_attr(fp, "time");
2009 print_sec32(fp, tok->tt.file.s, oflags);
2011 open_attr(fp, "msec");
2012 print_msec32(fp, tok->tt.file.ms, oflags);
2015 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2016 close_tag(fp, tok->id);
2018 print_delim(fp, del);
2019 print_sec32(fp, tok->tt.file.s, oflags);
2020 print_delim(fp, del);
2021 print_msec32(fp, tok->tt.file.ms, oflags);
2022 print_delim(fp, del);
2023 print_string(fp, tok->tt.file.name, tok->tt.file.len);
2028 * number groups 2 bytes
2029 * group list count * 4 bytes
2032 fetch_newgroups_tok(tokenstr_t *tok, u_char *buf, int len)
2037 READ_TOKEN_U_INT16(buf, len, tok->tt.grps.no, tok->len, err);
2041 for (i = 0; i<tok->tt.grps.no; i++) {
2042 READ_TOKEN_U_INT32(buf, len, tok->tt.grps.list[i], tok->len,
2052 print_newgroups_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2056 print_tok_type(fp, tok->id, "group", oflags);
2057 for (i = 0; i < tok->tt.grps.no; i++) {
2058 if (oflags & AU_OFLAG_XML) {
2059 fprintf(fp, "<gid>");
2060 print_group(fp, tok->tt.grps.list[i], oflags);
2061 fprintf(fp, "</gid>");
2062 close_tag(fp, tok->id);
2064 print_delim(fp, del);
2065 print_group(fp, tok->tt.grps.list[i], oflags);
2071 * Internet addr 4 bytes
2074 fetch_inaddr_tok(tokenstr_t *tok, u_char *buf, int len)
2078 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr.addr, sizeof(uint32_t),
2088 print_inaddr_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2091 print_tok_type(fp, tok->id, "ip addr", oflags);
2092 if (oflags & AU_OFLAG_XML) {
2093 print_ip_address(fp, tok->tt.inaddr.addr);
2094 close_tag(fp, tok->id);
2096 print_delim(fp, del);
2097 print_ip_address(fp, tok->tt.inaddr.addr);
2106 fetch_inaddr_ex_tok(tokenstr_t *tok, u_char *buf, int len)
2110 READ_TOKEN_U_INT32(buf, len, tok->tt.inaddr_ex.type, tok->len, err);
2114 if (tok->tt.inaddr_ex.type == AU_IPv4) {
2115 READ_TOKEN_BYTES(buf, len, &tok->tt.inaddr_ex.addr[0],
2116 sizeof(tok->tt.inaddr_ex.addr[0]), tok->len, err);
2119 } else if (tok->tt.inaddr_ex.type == AU_IPv6) {
2120 READ_TOKEN_BYTES(buf, len, tok->tt.inaddr_ex.addr,
2121 sizeof(tok->tt.inaddr_ex.addr), tok->len, err);
2131 print_inaddr_ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2134 print_tok_type(fp, tok->id, "ip addr ex", oflags);
2135 if (oflags & AU_OFLAG_XML) {
2136 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2137 tok->tt.inaddr_ex.addr);
2138 close_tag(fp, tok->id);
2140 print_delim(fp, del);
2141 print_ip_ex_address(fp, tok->tt.inaddr_ex.type,
2142 tok->tt.inaddr_ex.addr);
2147 * ip header 20 bytes
2150 fetch_ip_tok(tokenstr_t *tok, u_char *buf, int len)
2154 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.version, tok->len, err);
2158 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.tos, tok->len, err);
2162 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.len, sizeof(uint16_t),
2167 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.id, sizeof(uint16_t),
2172 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.offset, sizeof(uint16_t),
2177 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.ttl, tok->len, err);
2181 READ_TOKEN_U_CHAR(buf, len, tok->tt.ip.prot, tok->len, err);
2185 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.chksm, sizeof(uint16_t),
2190 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.src, sizeof(tok->tt.ip.src),
2195 READ_TOKEN_BYTES(buf, len, &tok->tt.ip.dest, sizeof(tok->tt.ip.dest),
2204 print_ip_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2207 print_tok_type(fp, tok->id, "ip", oflags);
2208 if (oflags & AU_OFLAG_XML) {
2209 open_attr(fp, "version");
2210 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2213 open_attr(fp, "service_type");
2214 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2216 open_attr(fp, "len");
2217 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2219 open_attr(fp, "id");
2220 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2222 open_attr(fp, "offset");
2223 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2225 open_attr(fp, "time_to_live");
2226 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2228 open_attr(fp, "protocol");
2229 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2231 open_attr(fp, "cksum");
2232 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2234 open_attr(fp, "src_addr");
2235 print_ip_address(fp, tok->tt.ip.src);
2237 open_attr(fp, "dest_addr");
2238 print_ip_address(fp, tok->tt.ip.dest);
2240 close_tag(fp, tok->id);
2242 print_delim(fp, del);
2243 print_mem(fp, (u_char *)(&tok->tt.ip.version),
2245 print_delim(fp, del);
2246 print_mem(fp, (u_char *)(&tok->tt.ip.tos), sizeof(u_char));
2247 print_delim(fp, del);
2248 print_2_bytes(fp, ntohs(tok->tt.ip.len), "%u");
2249 print_delim(fp, del);
2250 print_2_bytes(fp, ntohs(tok->tt.ip.id), "%u");
2251 print_delim(fp, del);
2252 print_2_bytes(fp, ntohs(tok->tt.ip.offset), "%u");
2253 print_delim(fp, del);
2254 print_mem(fp, (u_char *)(&tok->tt.ip.ttl), sizeof(u_char));
2255 print_delim(fp, del);
2256 print_mem(fp, (u_char *)(&tok->tt.ip.prot), sizeof(u_char));
2257 print_delim(fp, del);
2258 print_2_bytes(fp, ntohs(tok->tt.ip.chksm), "%u");
2259 print_delim(fp, del);
2260 print_ip_address(fp, tok->tt.ip.src);
2261 print_delim(fp, del);
2262 print_ip_address(fp, tok->tt.ip.dest);
2267 * object ID type 1 byte
2271 fetch_ipc_tok(tokenstr_t *tok, u_char *buf, int len)
2275 READ_TOKEN_U_CHAR(buf, len, tok->tt.ipc.type, tok->len, err);
2279 READ_TOKEN_U_INT32(buf, len, tok->tt.ipc.id, tok->len, err);
2287 print_ipc_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2290 print_tok_type(fp, tok->id, "IPC", oflags);
2291 if (oflags & AU_OFLAG_XML) {
2292 open_attr(fp, "ipc-type");
2293 print_ipctype(fp, tok->tt.ipc.type, oflags);
2295 open_attr(fp, "ipc-id");
2296 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2298 close_tag(fp, tok->id);
2300 print_delim(fp, del);
2301 print_ipctype(fp, tok->tt.ipc.type, oflags);
2302 print_delim(fp, del);
2303 print_4_bytes(fp, tok->tt.ipc.id, "%u");
2308 * owner user id 4 bytes
2309 * owner group id 4 bytes
2310 * creator user id 4 bytes
2311 * creator group id 4 bytes
2312 * access mode 4 bytes
2317 fetch_ipcperm_tok(tokenstr_t *tok, u_char *buf, int len)
2321 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.uid, tok->len, err);
2325 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.gid, tok->len, err);
2329 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.puid, tok->len, err);
2333 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.pgid, tok->len, err);
2337 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.mode, tok->len, err);
2341 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.seq, tok->len, err);
2345 READ_TOKEN_U_INT32(buf, len, tok->tt.ipcperm.key, tok->len, err);
2353 print_ipcperm_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2356 print_tok_type(fp, tok->id, "IPC perm", oflags);
2357 if (oflags & AU_OFLAG_XML) {
2358 open_attr(fp, "uid");
2359 print_user(fp, tok->tt.ipcperm.uid, oflags);
2361 open_attr(fp, "gid");
2362 print_group(fp, tok->tt.ipcperm.gid, oflags);
2364 open_attr(fp, "creator-uid");
2365 print_user(fp, tok->tt.ipcperm.puid, oflags);
2367 open_attr(fp, "creator-gid");
2368 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2370 open_attr(fp, "mode");
2371 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2373 open_attr(fp, "seq");
2374 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2376 open_attr(fp, "key");
2377 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2379 close_tag(fp, tok->id);
2381 print_delim(fp, del);
2382 print_user(fp, tok->tt.ipcperm.uid, oflags);
2383 print_delim(fp, del);
2384 print_group(fp, tok->tt.ipcperm.gid, oflags);
2385 print_delim(fp, del);
2386 print_user(fp, tok->tt.ipcperm.puid, oflags);
2387 print_delim(fp, del);
2388 print_group(fp, tok->tt.ipcperm.pgid, oflags);
2389 print_delim(fp, del);
2390 print_4_bytes(fp, tok->tt.ipcperm.mode, "%o");
2391 print_delim(fp, del);
2392 print_4_bytes(fp, tok->tt.ipcperm.seq, "%u");
2393 print_delim(fp, del);
2394 print_4_bytes(fp, tok->tt.ipcperm.key, "%u");
2399 * port Ip address 2 bytes
2402 fetch_iport_tok(tokenstr_t *tok, u_char *buf, int len)
2406 READ_TOKEN_BYTES(buf, len, &tok->tt.iport.port, sizeof(uint16_t),
2415 print_iport_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2418 print_tok_type(fp, tok->id, "ip port", oflags);
2419 if (oflags & AU_OFLAG_XML) {
2420 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2421 close_tag(fp, tok->id);
2423 print_delim(fp, del);
2424 print_2_bytes(fp, ntohs(tok->tt.iport.port), "%#x");
2433 fetch_opaque_tok(tokenstr_t *tok, u_char *buf, int len)
2437 READ_TOKEN_U_INT16(buf, len, tok->tt.opaque.size, tok->len, err);
2441 SET_PTR((char*)buf, len, tok->tt.opaque.data, tok->tt.opaque.size,
2450 print_opaque_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2453 print_tok_type(fp, tok->id, "opaque", oflags);
2454 if (oflags & AU_OFLAG_XML) {
2455 print_mem(fp, (u_char*)tok->tt.opaque.data,
2456 tok->tt.opaque.size);
2457 close_tag(fp, tok->id);
2459 print_delim(fp, del);
2460 print_2_bytes(fp, tok->tt.opaque.size, "%u");
2461 print_delim(fp, del);
2462 print_mem(fp, (u_char*)tok->tt.opaque.data,
2463 tok->tt.opaque.size);
2472 fetch_path_tok(tokenstr_t *tok, u_char *buf, int len)
2476 READ_TOKEN_U_INT16(buf, len, tok->tt.path.len, tok->len, err);
2480 SET_PTR((char*)buf, len, tok->tt.path.path, tok->tt.path.len, tok->len,
2489 print_path_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2492 print_tok_type(fp, tok->id, "path", oflags);
2493 if (oflags & AU_OFLAG_XML) {
2494 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2495 close_tag(fp, tok->id);
2497 print_delim(fp, del);
2498 print_string(fp, tok->tt.path.path, tok->tt.path.len);
2513 * machine id 4 bytes
2516 fetch_process32_tok(tokenstr_t *tok, u_char *buf, int len)
2520 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.auid, tok->len, err);
2524 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.euid, tok->len, err);
2528 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.egid, tok->len, err);
2532 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.ruid, tok->len, err);
2536 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.rgid, tok->len, err);
2540 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.pid, tok->len, err);
2544 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.sid, tok->len, err);
2548 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32.tid.port, tok->len, err);
2552 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32.tid.addr,
2553 sizeof(tok->tt.proc32.tid.addr), tok->len, err);
2561 print_process32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2564 print_tok_type(fp, tok->id, "process", oflags);
2565 if (oflags & AU_OFLAG_XML) {
2566 open_attr(fp, "audit-uid");
2567 print_user(fp, tok->tt.proc32.auid, oflags);
2569 open_attr(fp, "uid");
2570 print_user(fp, tok->tt.proc32.euid, oflags);
2572 open_attr(fp, "gid");
2573 print_group(fp, tok->tt.proc32.egid, oflags);
2575 open_attr(fp, "ruid");
2576 print_user(fp, tok->tt.proc32.ruid, oflags);
2578 open_attr(fp, "rgid");
2579 print_group(fp, tok->tt.proc32.rgid, oflags);
2581 open_attr(fp, "pid");
2582 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2584 open_attr(fp, "sid");
2585 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2587 open_attr(fp, "tid");
2588 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2589 print_ip_address(fp, tok->tt.proc32.tid.addr);
2591 close_tag(fp, tok->id);
2593 print_delim(fp, del);
2594 print_user(fp, tok->tt.proc32.auid, oflags);
2595 print_delim(fp, del);
2596 print_user(fp, tok->tt.proc32.euid, oflags);
2597 print_delim(fp, del);
2598 print_group(fp, tok->tt.proc32.egid, oflags);
2599 print_delim(fp, del);
2600 print_user(fp, tok->tt.proc32.ruid, oflags);
2601 print_delim(fp, del);
2602 print_group(fp, tok->tt.proc32.rgid, oflags);
2603 print_delim(fp, del);
2604 print_4_bytes(fp, tok->tt.proc32.pid, "%u");
2605 print_delim(fp, del);
2606 print_4_bytes(fp, tok->tt.proc32.sid, "%u");
2607 print_delim(fp, del);
2608 print_4_bytes(fp, tok->tt.proc32.tid.port, "%u");
2609 print_delim(fp, del);
2610 print_ip_address(fp, tok->tt.proc32.tid.addr);
2625 * machine id 4 bytes
2628 fetch_process64_tok(tokenstr_t *tok, u_char *buf, int len)
2632 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.auid, tok->len, err);
2636 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.euid, tok->len, err);
2640 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.egid, tok->len, err);
2644 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.ruid, tok->len, err);
2648 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.rgid, tok->len, err);
2652 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.pid, tok->len, err);
2656 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64.sid, tok->len, err);
2660 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64.tid.port, tok->len, err);
2664 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64.tid.addr,
2665 sizeof(tok->tt.proc64.tid.addr), tok->len, err);
2673 print_process64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2675 print_tok_type(fp, tok->id, "process", oflags);
2676 if (oflags & AU_OFLAG_XML) {
2677 open_attr(fp, "audit-uid");
2678 print_user(fp, tok->tt.proc64.auid, oflags);
2680 open_attr(fp, "uid");
2681 print_user(fp, tok->tt.proc64.euid, oflags);
2683 open_attr(fp, "gid");
2684 print_group(fp, tok->tt.proc64.egid, oflags);
2686 open_attr(fp, "ruid");
2687 print_user(fp, tok->tt.proc64.ruid, oflags);
2689 open_attr(fp, "rgid");
2690 print_group(fp, tok->tt.proc64.rgid, oflags);
2692 open_attr(fp, "pid");
2693 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2695 open_attr(fp, "sid");
2696 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2698 open_attr(fp, "tid");
2699 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2700 print_ip_address(fp, tok->tt.proc64.tid.addr);
2702 close_tag(fp, tok->id);
2704 print_delim(fp, del);
2705 print_user(fp, tok->tt.proc64.auid, oflags);
2706 print_delim(fp, del);
2707 print_user(fp, tok->tt.proc64.euid, oflags);
2708 print_delim(fp, del);
2709 print_group(fp, tok->tt.proc64.egid, oflags);
2710 print_delim(fp, del);
2711 print_user(fp, tok->tt.proc64.ruid, oflags);
2712 print_delim(fp, del);
2713 print_group(fp, tok->tt.proc64.rgid, oflags);
2714 print_delim(fp, del);
2715 print_4_bytes(fp, tok->tt.proc64.pid, "%u");
2716 print_delim(fp, del);
2717 print_4_bytes(fp, tok->tt.proc64.sid, "%u");
2718 print_delim(fp, del);
2719 print_8_bytes(fp, tok->tt.proc64.tid.port, "%llu");
2720 print_delim(fp, del);
2721 print_ip_address(fp, tok->tt.proc64.tid.addr);
2728 * effective user ID 4 bytes
2729 * effective group ID 4 bytes
2730 * real user ID 4 bytes
2731 * real group ID 4 bytes
2732 * process ID 4 bytes
2733 * session ID 4 bytes
2736 * address type-len 4 bytes
2737 * machine address 16 bytes
2740 fetch_process32ex_tok(tokenstr_t *tok, u_char *buf, int len)
2744 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.auid, tok->len, err);
2748 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.euid, tok->len, err);
2752 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.egid, tok->len, err);
2756 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.ruid, tok->len, err);
2760 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.rgid, tok->len, err);
2764 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.pid, tok->len, err);
2768 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.sid, tok->len, err);
2772 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.port, tok->len,
2777 READ_TOKEN_U_INT32(buf, len, tok->tt.proc32_ex.tid.type, tok->len,
2782 if (tok->tt.proc32_ex.tid.type == AU_IPv4) {
2783 READ_TOKEN_BYTES(buf, len, &tok->tt.proc32_ex.tid.addr[0],
2784 sizeof(tok->tt.proc32_ex.tid.addr[0]), tok->len, err);
2787 } else if (tok->tt.proc32_ex.tid.type == AU_IPv6) {
2788 READ_TOKEN_BYTES(buf, len, tok->tt.proc32_ex.tid.addr,
2789 sizeof(tok->tt.proc32_ex.tid.addr), tok->len, err);
2799 print_process32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2802 print_tok_type(fp, tok->id, "process_ex", oflags);
2803 if (oflags & AU_OFLAG_XML) {
2804 open_attr(fp, "audit-uid");
2805 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2807 open_attr(fp, "uid");
2808 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2810 open_attr(fp, "gid");
2811 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2813 open_attr(fp, "ruid");
2814 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2816 open_attr(fp, "rgid");
2817 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2819 open_attr(fp, "pid");
2820 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2822 open_attr(fp, "sid");
2823 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2825 open_attr(fp, "tid");
2826 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2827 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2828 tok->tt.proc32_ex.tid.addr);
2830 close_tag(fp, tok->id);
2832 print_delim(fp, del);
2833 print_user(fp, tok->tt.proc32_ex.auid, oflags);
2834 print_delim(fp, del);
2835 print_user(fp, tok->tt.proc32_ex.euid, oflags);
2836 print_delim(fp, del);
2837 print_group(fp, tok->tt.proc32_ex.egid, oflags);
2838 print_delim(fp, del);
2839 print_user(fp, tok->tt.proc32_ex.ruid, oflags);
2840 print_delim(fp, del);
2841 print_group(fp, tok->tt.proc32_ex.rgid, oflags);
2842 print_delim(fp, del);
2843 print_4_bytes(fp, tok->tt.proc32_ex.pid, "%u");
2844 print_delim(fp, del);
2845 print_4_bytes(fp, tok->tt.proc32_ex.sid, "%u");
2846 print_delim(fp, del);
2847 print_4_bytes(fp, tok->tt.proc32_ex.tid.port, "%u");
2848 print_delim(fp, del);
2849 print_ip_ex_address(fp, tok->tt.proc32_ex.tid.type,
2850 tok->tt.proc32_ex.tid.addr);
2857 * effective user ID 4 bytes
2858 * effective group ID 4 bytes
2859 * real user ID 4 bytes
2860 * real group ID 4 bytes
2861 * process ID 4 bytes
2862 * session ID 4 bytes
2865 * address type-len 4 bytes
2866 * machine address 16 bytes
2869 fetch_process64ex_tok(tokenstr_t *tok, u_char *buf, int len)
2873 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.auid, tok->len, err);
2877 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.euid, tok->len, err);
2881 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.egid, tok->len, err);
2885 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.ruid, tok->len, err);
2889 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.rgid, tok->len, err);
2893 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.pid, tok->len, err);
2897 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.sid, tok->len, err);
2901 READ_TOKEN_U_INT64(buf, len, tok->tt.proc64_ex.tid.port, tok->len,
2906 READ_TOKEN_U_INT32(buf, len, tok->tt.proc64_ex.tid.type, tok->len,
2911 if (tok->tt.proc64_ex.tid.type == AU_IPv4) {
2912 READ_TOKEN_BYTES(buf, len, &tok->tt.proc64_ex.tid.addr[0],
2913 sizeof(tok->tt.proc64_ex.tid.addr[0]), tok->len, err);
2916 } else if (tok->tt.proc64_ex.tid.type == AU_IPv6) {
2917 READ_TOKEN_BYTES(buf, len, tok->tt.proc64_ex.tid.addr,
2918 sizeof(tok->tt.proc64_ex.tid.addr), tok->len, err);
2928 print_process64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
2930 print_tok_type(fp, tok->id, "process_ex", oflags);
2931 if (oflags & AU_OFLAG_XML) {
2932 open_attr(fp, "audit-uid");
2933 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2935 open_attr(fp, "uid");
2936 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2938 open_attr(fp, "gid");
2939 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2941 open_attr(fp, "ruid");
2942 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2944 open_attr(fp, "rgid");
2945 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2947 open_attr(fp, "pid");
2948 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2950 open_attr(fp, "sid");
2951 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2953 open_attr(fp, "tid");
2954 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2955 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2956 tok->tt.proc64_ex.tid.addr);
2958 close_tag(fp, tok->id);
2960 print_delim(fp, del);
2961 print_user(fp, tok->tt.proc64_ex.auid, oflags);
2962 print_delim(fp, del);
2963 print_user(fp, tok->tt.proc64_ex.euid, oflags);
2964 print_delim(fp, del);
2965 print_group(fp, tok->tt.proc64_ex.egid, oflags);
2966 print_delim(fp, del);
2967 print_user(fp, tok->tt.proc64_ex.ruid, oflags);
2968 print_delim(fp, del);
2969 print_group(fp, tok->tt.proc64_ex.rgid, oflags);
2970 print_delim(fp, del);
2971 print_4_bytes(fp, tok->tt.proc64_ex.pid, "%u");
2972 print_delim(fp, del);
2973 print_4_bytes(fp, tok->tt.proc64_ex.sid, "%u");
2974 print_delim(fp, del);
2975 print_8_bytes(fp, tok->tt.proc64_ex.tid.port, "%llu");
2976 print_delim(fp, del);
2977 print_ip_ex_address(fp, tok->tt.proc64_ex.tid.type,
2978 tok->tt.proc64_ex.tid.addr);
2984 * return value 4 bytes
2987 fetch_return32_tok(tokenstr_t *tok, u_char *buf, int len)
2991 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret32.status, tok->len, err);
2995 READ_TOKEN_U_INT32(buf, len, tok->tt.ret32.ret, tok->len, err);
3003 print_return32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3006 print_tok_type(fp, tok->id, "return", oflags);
3007 if (oflags & AU_OFLAG_XML) {
3008 open_attr(fp ,"errval");
3009 print_retval(fp, tok->tt.ret32.status, oflags);
3011 open_attr(fp, "retval");
3012 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3014 close_tag(fp, tok->id);
3016 print_delim(fp, del);
3017 print_retval(fp, tok->tt.ret32.status, oflags);
3018 print_delim(fp, del);
3019 print_4_bytes(fp, tok->tt.ret32.ret, "%u");
3024 fetch_return64_tok(tokenstr_t *tok, u_char *buf, int len)
3028 READ_TOKEN_U_CHAR(buf, len, tok->tt.ret64.err, tok->len, err);
3032 READ_TOKEN_U_INT64(buf, len, tok->tt.ret64.val, tok->len, err);
3040 print_return64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3043 print_tok_type(fp, tok->id, "return", oflags);
3044 if (oflags & AU_OFLAG_XML) {
3045 open_attr(fp, "errval");
3046 print_retval(fp, tok->tt.ret64.err, oflags);
3048 open_attr(fp, "retval");
3049 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3051 close_tag(fp, tok->id);
3053 print_delim(fp, del);
3054 print_retval(fp, tok->tt.ret64.err, oflags);
3055 print_delim(fp, del);
3056 print_8_bytes(fp, tok->tt.ret64.val, "%lld");
3064 fetch_seq_tok(tokenstr_t *tok, u_char *buf, int len)
3068 READ_TOKEN_U_INT32(buf, len, tok->tt.seq.seqno, tok->len, err);
3076 print_seq_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3079 print_tok_type(fp, tok->id, "sequence", oflags);
3080 if (oflags & AU_OFLAG_XML) {
3081 open_attr(fp, "seq-num");
3082 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3084 close_tag(fp, tok->id);
3086 print_delim(fp, del);
3087 print_4_bytes(fp, tok->tt.seq.seqno, "%u");
3092 * socket family 2 bytes
3093 * local port 2 bytes
3094 * socket address 4 bytes
3097 fetch_sock_inet32_tok(tokenstr_t *tok, u_char *buf, int len)
3101 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3106 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3107 sizeof(uint16_t), tok->len, err);
3111 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3112 sizeof(tok->tt.sockinet_ex32.addr[0]), tok->len, err);
3120 print_sock_inet32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3123 print_tok_type(fp, tok->id, "socket-inet", oflags);
3124 if (oflags & AU_OFLAG_XML) {
3125 open_attr(fp, "type");
3126 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3128 open_attr(fp, "port");
3129 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3131 open_attr(fp, "addr");
3132 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3134 close_tag(fp, tok->id);
3136 print_delim(fp, del);
3137 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3138 print_delim(fp, del);
3139 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3140 print_delim(fp, del);
3141 print_ip_address(fp, tok->tt.sockinet_ex32.addr[0]);
3146 * socket family 2 bytes
3147 * local port 2 bytes
3148 * socket address 16 bytes
3151 fetch_sock_inet128_tok(tokenstr_t *tok, u_char *buf, int len)
3155 READ_TOKEN_U_INT16(buf, len, tok->tt.sockinet_ex32.family, tok->len,
3160 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.port,
3161 sizeof(uint16_t), tok->len, err);
3165 READ_TOKEN_BYTES(buf, len, &tok->tt.sockinet_ex32.addr,
3166 sizeof(tok->tt.sockinet_ex32.addr), tok->len, err);
3174 print_sock_inet128_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3177 print_tok_type(fp, tok->id, "socket-inet6", oflags);
3178 if (oflags & AU_OFLAG_XML) {
3179 open_attr(fp, "type");
3180 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3182 open_attr(fp, "port");
3183 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3185 open_attr(fp, "addr");
3186 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3188 close_tag(fp, tok->id);
3190 print_delim(fp, del);
3191 print_2_bytes(fp, tok->tt.sockinet_ex32.family, "%u");
3192 print_delim(fp, del);
3193 print_2_bytes(fp, ntohs(tok->tt.sockinet_ex32.port), "%u");
3194 print_delim(fp, del);
3195 print_ip_ex_address(fp, AU_IPv6, tok->tt.sockinet_ex32.addr);
3200 * socket family 2 bytes
3201 * path (up to) 104 bytes + NULL (NULL terminated string).
3204 fetch_sock_unix_tok(tokenstr_t *tok, u_char *buf, int len)
3211 READ_TOKEN_U_INT16(buf, len, tok->tt.sockunix.family, tok->len, err);
3215 /* slen = strnlen((buf + tok->len), 104) + 1; */
3216 p = (u_char *)memchr((const void *)(buf + tok->len), '\0', 104);
3217 slen = (p ? (int)(p - (buf + tok->len)) : 104) + 1;
3219 READ_TOKEN_BYTES(buf, len, tok->tt.sockunix.path, slen, tok->len, err);
3227 print_sock_unix_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3230 print_tok_type(fp, tok->id, "socket-unix", oflags);
3231 if (oflags & AU_OFLAG_XML) {
3232 open_attr(fp, "type");
3233 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3235 open_attr(fp, "port");
3237 open_attr(fp, "addr");
3238 print_string(fp, tok->tt.sockunix.path,
3239 strlen(tok->tt.sockunix.path));
3241 close_tag(fp, tok->id);
3243 print_delim(fp, del);
3244 print_2_bytes(fp, tok->tt.sockunix.family, "%u");
3245 print_delim(fp, del);
3246 print_string(fp, tok->tt.sockunix.path,
3247 strlen(tok->tt.sockunix.path));
3252 * socket type 2 bytes
3253 * local port 2 bytes
3254 * local address 4 bytes
3255 * remote port 2 bytes
3256 * remote address 4 bytes
3259 fetch_socket_tok(tokenstr_t *tok, u_char *buf, int len)
3263 READ_TOKEN_U_INT16(buf, len, tok->tt.socket.type, tok->len, err);
3267 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_port, sizeof(uint16_t),
3272 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3273 sizeof(tok->tt.socket.l_addr), tok->len, err);
3277 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.r_port, sizeof(uint16_t),
3282 READ_TOKEN_BYTES(buf, len, &tok->tt.socket.l_addr,
3283 sizeof(tok->tt.socket.r_addr), tok->len, err);
3291 print_socket_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3294 print_tok_type(fp, tok->id, "socket", oflags);
3295 if (oflags & AU_OFLAG_XML) {
3296 open_attr(fp, "sock_type");
3297 print_2_bytes(fp, tok->tt.socket.type, "%u");
3299 open_attr(fp, "lport");
3300 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3302 open_attr(fp, "laddr");
3303 print_ip_address(fp, tok->tt.socket.l_addr);
3305 open_attr(fp, "fport");
3306 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3308 open_attr(fp, "faddr");
3309 print_ip_address(fp, tok->tt.socket.r_addr);
3311 close_tag(fp, tok->id);
3313 print_delim(fp, del);
3314 print_2_bytes(fp, tok->tt.socket.type, "%u");
3315 print_delim(fp, del);
3316 print_2_bytes(fp, ntohs(tok->tt.socket.l_port), "%u");
3317 print_delim(fp, del);
3318 print_ip_address(fp, tok->tt.socket.l_addr);
3319 print_delim(fp, del);
3320 print_2_bytes(fp, ntohs(tok->tt.socket.r_port), "%u");
3321 print_delim(fp, del);
3322 print_ip_address(fp, tok->tt.socket.r_addr);
3335 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3336 * machine id 4 bytes
3339 fetch_subject32_tok(tokenstr_t *tok, u_char *buf, int len)
3343 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.auid, tok->len, err);
3347 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.euid, tok->len, err);
3351 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.egid, tok->len, err);
3355 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.ruid, tok->len, err);
3359 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.rgid, tok->len, err);
3363 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.pid, tok->len, err);
3367 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.sid, tok->len, err);
3371 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32.tid.port, tok->len, err);
3375 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32.tid.addr,
3376 sizeof(tok->tt.subj32.tid.addr), tok->len, err);
3384 print_subject32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3387 print_tok_type(fp, tok->id, "subject", oflags);
3388 if (oflags & AU_OFLAG_XML) {
3389 open_attr(fp, "audit-uid");
3390 print_user(fp, tok->tt.subj32.auid, oflags);
3392 open_attr(fp, "uid");
3393 print_user(fp, tok->tt.subj32.euid, oflags);
3395 open_attr(fp, "gid");
3396 print_group(fp, tok->tt.subj32.egid, oflags);
3398 open_attr(fp, "ruid");
3399 print_user(fp, tok->tt.subj32.ruid, oflags);
3401 open_attr(fp, "rgid");
3402 print_group(fp, tok->tt.subj32.rgid, oflags);
3404 open_attr(fp,"pid");
3405 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3407 open_attr(fp,"sid");
3408 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3410 open_attr(fp,"tid");
3411 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u ");
3412 print_ip_address(fp, tok->tt.subj32.tid.addr);
3414 close_tag(fp, tok->id);
3416 print_delim(fp, del);
3417 print_user(fp, tok->tt.subj32.auid, oflags);
3418 print_delim(fp, del);
3419 print_user(fp, tok->tt.subj32.euid, oflags);
3420 print_delim(fp, del);
3421 print_group(fp, tok->tt.subj32.egid, oflags);
3422 print_delim(fp, del);
3423 print_user(fp, tok->tt.subj32.ruid, oflags);
3424 print_delim(fp, del);
3425 print_group(fp, tok->tt.subj32.rgid, oflags);
3426 print_delim(fp, del);
3427 print_4_bytes(fp, tok->tt.subj32.pid, "%u");
3428 print_delim(fp, del);
3429 print_4_bytes(fp, tok->tt.subj32.sid, "%u");
3430 print_delim(fp, del);
3431 print_4_bytes(fp, tok->tt.subj32.tid.port, "%u");
3432 print_delim(fp, del);
3433 print_ip_address(fp, tok->tt.subj32.tid.addr);
3438 print_upriv_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3441 print_tok_type(fp, tok->id, "use of privilege", oflags);
3442 if (oflags & AU_OFLAG_XML) {
3443 open_attr(fp, "status");
3444 if (tok->tt.priv.sorf)
3445 (void) fprintf(fp, "successful use of priv");
3447 (void) fprintf(fp, "failed use of priv");
3449 open_attr(fp, "name");
3450 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3452 close_tag(fp, tok->id);
3454 print_delim(fp, del);
3455 if (tok->tt.priv.sorf)
3456 (void) fprintf(fp, "successful use of priv");
3458 (void) fprintf(fp, "failed use of priv");
3459 print_delim(fp, del);
3460 print_string(fp, tok->tt.priv.priv, tok->tt.priv.privstrlen);
3466 * privstrlen 2 bytes
3467 * priv N bytes + 1 (\0 byte)
3470 fetch_priv_tok(tokenstr_t *tok, u_char *buf, int len)
3474 READ_TOKEN_U_CHAR(buf, len, tok->tt.priv.sorf, tok->len, err);
3477 READ_TOKEN_U_INT16(buf, len, tok->tt.priv.privstrlen, tok->len, err);
3480 SET_PTR((char *)buf, len, tok->tt.priv.priv, tok->tt.priv.privstrlen,
3488 * privtstrlen 1 byte
3489 * privtstr N bytes + 1
3491 * privstr N bytes + 1
3494 fetch_privset_tok(tokenstr_t *tok, u_char *buf, int len)
3498 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privtstrlen,
3502 SET_PTR((char *)buf, len, tok->tt.privset.privtstr,
3503 tok->tt.privset.privtstrlen, tok->len, err);
3506 READ_TOKEN_U_INT16(buf, len, tok->tt.privset.privstrlen,
3510 SET_PTR((char *)buf, len, tok->tt.privset.privstr,
3511 tok->tt.privset.privstrlen, tok->len, err);
3518 print_privset_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3521 print_tok_type(fp, tok->id, "privilege", oflags);
3522 if (oflags & AU_OFLAG_XML) {
3523 open_attr(fp, "type");
3524 print_string(fp, tok->tt.privset.privtstr,
3525 tok->tt.privset.privtstrlen);
3527 open_attr(fp, "priv");
3528 print_string(fp, tok->tt.privset.privstr,
3529 tok->tt.privset.privstrlen);
3532 print_delim(fp, del);
3533 print_string(fp, tok->tt.privset.privtstr,
3534 tok->tt.privset.privtstrlen);
3535 print_delim(fp, del);
3536 print_string(fp, tok->tt.privset.privstr,
3537 tok->tt.privset.privstrlen);
3550 * portid 4 bytes/8 bytes (32-bit/64-bit value)
3551 * machine id 4 bytes
3554 fetch_subject64_tok(tokenstr_t *tok, u_char *buf, int len)
3558 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.auid, tok->len, err);
3562 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.euid, tok->len, err);
3566 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.egid, tok->len, err);
3570 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.ruid, tok->len, err);
3574 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.rgid, tok->len, err);
3578 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.pid, tok->len, err);
3582 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64.sid, tok->len, err);
3586 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64.tid.port, tok->len, err);
3590 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64.tid.addr,
3591 sizeof(tok->tt.subj64.tid.addr), tok->len, err);
3599 print_subject64_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3602 print_tok_type(fp, tok->id, "subject", oflags);
3603 if (oflags & AU_OFLAG_XML) {
3604 open_attr(fp, "audit-uid");
3605 print_user(fp, tok->tt.subj64.auid, oflags);
3607 open_attr(fp, "uid");
3608 print_user(fp, tok->tt.subj64.euid, oflags);
3610 open_attr(fp, "gid");
3611 print_group(fp, tok->tt.subj64.egid, oflags);
3613 open_attr(fp, "ruid");
3614 print_user(fp, tok->tt.subj64.ruid, oflags);
3616 open_attr(fp, "rgid");
3617 print_group(fp, tok->tt.subj64.rgid, oflags);
3619 open_attr(fp, "pid");
3620 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3622 open_attr(fp, "sid");
3623 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3625 open_attr(fp, "tid");
3626 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3627 print_ip_address(fp, tok->tt.subj64.tid.addr);
3629 close_tag(fp, tok->id);
3631 print_delim(fp, del);
3632 print_user(fp, tok->tt.subj64.auid, oflags);
3633 print_delim(fp, del);
3634 print_user(fp, tok->tt.subj64.euid, oflags);
3635 print_delim(fp, del);
3636 print_group(fp, tok->tt.subj64.egid, oflags);
3637 print_delim(fp, del);
3638 print_user(fp, tok->tt.subj64.ruid, oflags);
3639 print_delim(fp, del);
3640 print_group(fp, tok->tt.subj64.rgid, oflags);
3641 print_delim(fp, del);
3642 print_4_bytes(fp, tok->tt.subj64.pid, "%u");
3643 print_delim(fp, del);
3644 print_4_bytes(fp, tok->tt.subj64.sid, "%u");
3645 print_delim(fp, del);
3646 print_8_bytes(fp, tok->tt.subj64.tid.port, "%llu");
3647 print_delim(fp, del);
3648 print_ip_address(fp, tok->tt.subj64.tid.addr);
3663 * machine id 16 bytes
3666 fetch_subject32ex_tok(tokenstr_t *tok, u_char *buf, int len)
3670 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.auid, tok->len, err);
3674 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.euid, tok->len, err);
3678 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.egid, tok->len, err);
3682 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.ruid, tok->len, err);
3686 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.rgid, tok->len, err);
3690 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.pid, tok->len, err);
3694 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.sid, tok->len, err);
3698 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.port, tok->len,
3703 READ_TOKEN_U_INT32(buf, len, tok->tt.subj32_ex.tid.type, tok->len,
3708 if (tok->tt.subj32_ex.tid.type == AU_IPv4) {
3709 READ_TOKEN_BYTES(buf, len, &tok->tt.subj32_ex.tid.addr[0],
3710 sizeof(tok->tt.subj32_ex.tid.addr[0]), tok->len, err);
3713 } else if (tok->tt.subj32_ex.tid.type == AU_IPv6) {
3714 READ_TOKEN_BYTES(buf, len, tok->tt.subj32_ex.tid.addr,
3715 sizeof(tok->tt.subj32_ex.tid.addr), tok->len, err);
3725 print_subject32ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3728 print_tok_type(fp, tok->id, "subject_ex", oflags);
3729 if (oflags & AU_OFLAG_XML) {
3730 open_attr(fp, "audit-uid");
3731 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3733 open_attr(fp, "uid");
3734 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3736 open_attr(fp, "gid");
3737 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3739 open_attr(fp, "ruid");
3740 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3742 open_attr(fp, "rgid");
3743 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3745 open_attr(fp, "pid");
3746 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3748 open_attr(fp, "sid");
3749 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3751 open_attr(fp, "tid");
3752 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3753 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3754 tok->tt.subj32_ex.tid.addr);
3756 close_tag(fp, tok->id);
3758 print_delim(fp, del);
3759 print_user(fp, tok->tt.subj32_ex.auid, oflags);
3760 print_delim(fp, del);
3761 print_user(fp, tok->tt.subj32_ex.euid, oflags);
3762 print_delim(fp, del);
3763 print_group(fp, tok->tt.subj32_ex.egid, oflags);
3764 print_delim(fp, del);
3765 print_user(fp, tok->tt.subj32_ex.ruid, oflags);
3766 print_delim(fp, del);
3767 print_group(fp, tok->tt.subj32_ex.rgid, oflags);
3768 print_delim(fp, del);
3769 print_4_bytes(fp, tok->tt.subj32_ex.pid, "%u");
3770 print_delim(fp, del);
3771 print_4_bytes(fp, tok->tt.subj32_ex.sid, "%u");
3772 print_delim(fp, del);
3773 print_4_bytes(fp, tok->tt.subj32_ex.tid.port, "%u");
3774 print_delim(fp, del);
3775 print_ip_ex_address(fp, tok->tt.subj32_ex.tid.type,
3776 tok->tt.subj32_ex.tid.addr);
3791 * machine id 16 bytes
3794 fetch_subject64ex_tok(tokenstr_t *tok, u_char *buf, int len)
3798 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.auid, tok->len, err);
3802 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.euid, tok->len, err);
3806 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.egid, tok->len, err);
3810 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.ruid, tok->len, err);
3814 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.rgid, tok->len, err);
3818 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.pid, tok->len, err);
3822 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.sid, tok->len, err);
3826 READ_TOKEN_U_INT64(buf, len, tok->tt.subj64_ex.tid.port, tok->len,
3831 READ_TOKEN_U_INT32(buf, len, tok->tt.subj64_ex.tid.type, tok->len,
3836 if (tok->tt.subj64_ex.tid.type == AU_IPv4) {
3837 READ_TOKEN_BYTES(buf, len, &tok->tt.subj64_ex.tid.addr[0],
3838 sizeof(tok->tt.subj64_ex.tid.addr[0]), tok->len, err);
3841 } else if (tok->tt.subj64_ex.tid.type == AU_IPv6) {
3842 READ_TOKEN_BYTES(buf, len, tok->tt.subj64_ex.tid.addr,
3843 sizeof(tok->tt.subj64_ex.tid.addr), tok->len, err);
3853 print_subject64ex_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3855 print_tok_type(fp, tok->id, "subject_ex", oflags);
3856 if (oflags & AU_OFLAG_XML) {
3857 open_attr(fp, "audit-uid");
3858 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3860 open_attr(fp, "uid");
3861 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3863 open_attr(fp, "gid");
3864 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3866 open_attr(fp, "ruid");
3867 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3869 open_attr(fp, "rgid");
3870 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3872 open_attr(fp, "pid");
3873 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3875 open_attr(fp, "sid");
3876 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3878 open_attr(fp, "tid");
3879 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3880 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3881 tok->tt.subj64_ex.tid.addr);
3883 close_tag(fp, tok->id);
3885 print_delim(fp, del);
3886 print_user(fp, tok->tt.subj64_ex.auid, oflags);
3887 print_delim(fp, del);
3888 print_user(fp, tok->tt.subj64_ex.euid, oflags);
3889 print_delim(fp, del);
3890 print_group(fp, tok->tt.subj64_ex.egid, oflags);
3891 print_delim(fp, del);
3892 print_user(fp, tok->tt.subj64_ex.ruid, oflags);
3893 print_delim(fp, del);
3894 print_group(fp, tok->tt.subj64_ex.rgid, oflags);
3895 print_delim(fp, del);
3896 print_4_bytes(fp, tok->tt.subj64_ex.pid, "%u");
3897 print_delim(fp, del);
3898 print_4_bytes(fp, tok->tt.subj64_ex.sid, "%u");
3899 print_delim(fp, del);
3900 print_8_bytes(fp, tok->tt.subj64_ex.tid.port, "%llu");
3901 print_delim(fp, del);
3902 print_ip_ex_address(fp, tok->tt.subj64_ex.tid.type,
3903 tok->tt.subj64_ex.tid.addr);
3912 fetch_text_tok(tokenstr_t *tok, u_char *buf, int len)
3916 READ_TOKEN_U_INT16(buf, len, tok->tt.text.len, tok->len, err);
3920 SET_PTR((char*)buf, len, tok->tt.text.text, tok->tt.text.len, tok->len,
3929 print_text_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
3932 print_tok_type(fp, tok->id, "text", oflags);
3933 if (oflags & AU_OFLAG_XML) {
3934 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3935 close_tag(fp, tok->id);
3937 print_delim(fp, del);
3938 print_string(fp, tok->tt.text.text, tok->tt.text.len);
3943 * socket domain 2 bytes
3944 * socket type 2 bytes
3945 * address type 2 bytes
3946 * local port 2 bytes
3947 * local Internet address 4/16 bytes
3948 * remote port 2 bytes
3949 * remote Internet address 4/16 bytes
3952 fetch_socketex32_tok(tokenstr_t *tok, u_char *buf, int len)
3956 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.domain, tok->len,
3961 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.type, tok->len,
3966 READ_TOKEN_U_INT16(buf, len, tok->tt.socket_ex32.atype, tok->len,
3971 if (tok->tt.socket_ex32.atype != AU_IPv4 &&
3972 tok->tt.socket_ex32.atype != AU_IPv6)
3975 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_port,
3976 sizeof(uint16_t), tok->len, err);
3980 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3981 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3982 sizeof(tok->tt.socket_ex32.l_addr[0]), tok->len, err);
3986 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.l_addr,
3987 sizeof(tok->tt.socket_ex32.l_addr), tok->len, err);
3992 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_port,
3993 sizeof(uint16_t), tok->len, err);
3997 if (tok->tt.socket_ex32.atype == AU_IPv4) {
3998 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
3999 sizeof(tok->tt.socket_ex32.r_addr[0]), tok->len, err);
4003 READ_TOKEN_BYTES(buf, len, &tok->tt.socket_ex32.r_addr,
4004 sizeof(tok->tt.socket_ex32.r_addr), tok->len, err);
4013 print_socketex32_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4017 * This print routine prints BSM constant space domains and socket
4018 * types rather than converting them. If we add string printers for
4019 * these constants in the future, we may want to call conversion
4022 print_tok_type(fp, tok->id, "socket", oflags);
4023 if (oflags & AU_OFLAG_XML) {
4024 open_attr(fp, "sock_dom");
4025 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4027 open_attr(fp, "sock_type");
4028 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4030 open_attr(fp, "lport");
4031 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4033 open_attr(fp, "laddr");
4034 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4035 tok->tt.socket_ex32.l_addr);
4037 open_attr(fp, "faddr");
4038 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4039 tok->tt.socket_ex32.r_addr);
4041 open_attr(fp, "fport");
4042 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4044 close_tag(fp, tok->id);
4046 print_delim(fp, del);
4047 print_2_bytes(fp, tok->tt.socket_ex32.domain, "%#x");
4048 print_delim(fp, del);
4049 print_2_bytes(fp, tok->tt.socket_ex32.type, "%#x");
4050 print_delim(fp, del);
4051 print_2_bytes(fp, ntohs(tok->tt.socket_ex32.l_port), "%#x");
4052 print_delim(fp, del);
4053 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4054 tok->tt.socket_ex32.l_addr);
4055 print_delim(fp, del);
4056 print_4_bytes(fp, ntohs(tok->tt.socket_ex32.r_port), "%#x");
4057 print_delim(fp, del);
4058 print_ip_ex_address(fp, tok->tt.socket_ex32.atype,
4059 tok->tt.socket_ex32.r_addr);
4064 fetch_invalid_tok(tokenstr_t *tok, u_char *buf, int len)
4069 recoversize = len - (tok->len + AUDIT_TRAILER_SIZE);
4070 if (recoversize <= 0)
4073 tok->tt.invalid.length = recoversize;
4075 SET_PTR((char*)buf, len, tok->tt.invalid.data, recoversize, tok->len,
4084 print_invalid_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4087 if (!(oflags & AU_OFLAG_XML)) {
4088 print_tok_type(fp, tok->id, "unknown", oflags);
4089 print_delim(fp, del);
4090 print_mem(fp, (u_char*)tok->tt.invalid.data,
4091 tok->tt.invalid.length);
4098 * zonename size bytes;
4101 fetch_zonename_tok(tokenstr_t *tok, u_char *buf, int len)
4105 READ_TOKEN_U_INT16(buf, len, tok->tt.zonename.len, tok->len, err);
4108 SET_PTR((char *)buf, len, tok->tt.zonename.zonename, tok->tt.zonename.len,
4116 print_zonename_tok(FILE *fp, tokenstr_t *tok, char *del, int oflags)
4119 print_tok_type(fp, tok->id, "zone", oflags);
4120 if (oflags & AU_OFLAG_XML) {
4121 open_attr(fp, "name");
4122 print_string(fp, tok->tt.zonename.zonename,
4123 tok->tt.zonename.len);
4125 close_tag(fp, tok->id);
4127 print_delim(fp, del);
4128 print_string(fp, tok->tt.zonename.zonename,
4129 tok->tt.zonename.len);
4134 * Reads the token beginning at buf into tok.
4137 au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
4149 return (fetch_header32_tok(tok, buf, len));
4151 case AUT_HEADER32_EX:
4152 return (fetch_header32_ex_tok(tok, buf, len));
4155 return (fetch_header64_tok(tok, buf, len));
4157 case AUT_HEADER64_EX:
4158 return (fetch_header64_ex_tok(tok, buf, len));
4161 return (fetch_trailer_tok(tok, buf, len));
4164 return (fetch_arg32_tok(tok, buf, len));
4167 return (fetch_arg64_tok(tok, buf, len));
4170 return (fetch_attr32_tok(tok, buf, len));
4173 return (fetch_attr64_tok(tok, buf, len));
4176 return (fetch_exit_tok(tok, buf, len));
4179 return (fetch_execarg_tok(tok, buf, len));
4182 return (fetch_execenv_tok(tok, buf, len));
4184 case AUT_OTHER_FILE32:
4185 return (fetch_file_tok(tok, buf, len));
4188 return (fetch_newgroups_tok(tok, buf, len));
4191 return (fetch_inaddr_tok(tok, buf, len));
4193 case AUT_IN_ADDR_EX:
4194 return (fetch_inaddr_ex_tok(tok, buf, len));
4197 return (fetch_ip_tok(tok, buf, len));
4200 return (fetch_ipc_tok(tok, buf, len));
4203 return (fetch_ipcperm_tok(tok, buf, len));
4206 return (fetch_iport_tok(tok, buf, len));
4209 return (fetch_opaque_tok(tok, buf, len));
4212 return (fetch_path_tok(tok, buf, len));
4215 return (fetch_process32_tok(tok, buf, len));
4217 case AUT_PROCESS32_EX:
4218 return (fetch_process32ex_tok(tok, buf, len));
4221 return (fetch_process64_tok(tok, buf, len));
4223 case AUT_PROCESS64_EX:
4224 return (fetch_process64ex_tok(tok, buf, len));
4227 return (fetch_return32_tok(tok, buf, len));
4230 return (fetch_return64_tok(tok, buf, len));
4233 return (fetch_seq_tok(tok, buf, len));
4236 return (fetch_socket_tok(tok, buf, len));
4238 case AUT_SOCKINET32:
4239 return (fetch_sock_inet32_tok(tok, buf, len));
4242 return (fetch_sock_unix_tok(tok, buf, len));
4244 case AUT_SOCKINET128:
4245 return (fetch_sock_inet128_tok(tok, buf, len));
4248 return (fetch_subject32_tok(tok, buf, len));
4250 case AUT_SUBJECT32_EX:
4251 return (fetch_subject32ex_tok(tok, buf, len));
4254 return (fetch_subject64_tok(tok, buf, len));
4256 case AUT_SUBJECT64_EX:
4257 return (fetch_subject64ex_tok(tok, buf, len));
4260 return (fetch_text_tok(tok, buf, len));
4263 return (fetch_socketex32_tok(tok, buf, len));
4266 return (fetch_arb_tok(tok, buf, len));
4269 return (fetch_zonename_tok(tok, buf, len));
4272 return (fetch_priv_tok(tok, buf, len));
4275 return (fetch_privset_tok(tok, buf, len));
4278 return (fetch_invalid_tok(tok, buf, len));
4283 au_print_flags_tok(FILE *outfp, tokenstr_t *tok, char *del, int oflags)
4288 print_header32_tok(outfp, tok, del, oflags);
4291 case AUT_HEADER32_EX:
4292 print_header32_ex_tok(outfp, tok, del, oflags);
4296 print_header64_tok(outfp, tok, del, oflags);
4299 case AUT_HEADER64_EX:
4300 print_header64_ex_tok(outfp, tok, del, oflags);
4304 print_trailer_tok(outfp, tok, del, oflags);
4308 print_arg32_tok(outfp, tok, del, oflags);
4312 print_arg64_tok(outfp, tok, del, oflags);
4316 print_arb_tok(outfp, tok, del, oflags);
4320 print_attr32_tok(outfp, tok, del, oflags);
4324 print_attr64_tok(outfp, tok, del, oflags);
4328 print_exit_tok(outfp, tok, del, oflags);
4332 print_execarg_tok(outfp, tok, del, oflags);
4336 print_execenv_tok(outfp, tok, del, oflags);
4339 case AUT_OTHER_FILE32:
4340 print_file_tok(outfp, tok, del, oflags);
4344 print_newgroups_tok(outfp, tok, del, oflags);
4348 print_inaddr_tok(outfp, tok, del, oflags);
4351 case AUT_IN_ADDR_EX:
4352 print_inaddr_ex_tok(outfp, tok, del, oflags);
4356 print_ip_tok(outfp, tok, del, oflags);
4360 print_ipc_tok(outfp, tok, del, oflags);
4364 print_ipcperm_tok(outfp, tok, del, oflags);
4368 print_iport_tok(outfp, tok, del, oflags);
4372 print_opaque_tok(outfp, tok, del, oflags);
4376 print_path_tok(outfp, tok, del, oflags);
4380 print_process32_tok(outfp, tok, del, oflags);
4383 case AUT_PROCESS32_EX:
4384 print_process32ex_tok(outfp, tok, del, oflags);
4388 print_process64_tok(outfp, tok, del, oflags);
4391 case AUT_PROCESS64_EX:
4392 print_process64ex_tok(outfp, tok, del, oflags);
4396 print_return32_tok(outfp, tok, del, oflags);
4400 print_return64_tok(outfp, tok, del, oflags);
4404 print_seq_tok(outfp, tok, del, oflags);
4408 print_socket_tok(outfp, tok, del, oflags);
4411 case AUT_SOCKINET32:
4412 print_sock_inet32_tok(outfp, tok, del, oflags);
4416 print_sock_unix_tok(outfp, tok, del, oflags);
4419 case AUT_SOCKINET128:
4420 print_sock_inet128_tok(outfp, tok, del, oflags);
4424 print_subject32_tok(outfp, tok, del, oflags);
4428 print_subject64_tok(outfp, tok, del, oflags);
4431 case AUT_SUBJECT32_EX:
4432 print_subject32ex_tok(outfp, tok, del, oflags);
4435 case AUT_SUBJECT64_EX:
4436 print_subject64ex_tok(outfp, tok, del, oflags);
4440 print_text_tok(outfp, tok, del, oflags);
4444 print_socketex32_tok(outfp, tok, del, oflags);
4448 print_zonename_tok(outfp, tok, del, oflags);
4452 print_upriv_tok(outfp, tok, del, oflags);
4456 print_privset_tok(outfp, tok, del, oflags);
4460 print_invalid_tok(outfp, tok, del, oflags);
4465 * 'prints' the token out to outfp.
4468 au_print_tok(FILE *outfp, tokenstr_t *tok, char *del, char raw, char sfrm)
4470 int oflags = AU_OFLAG_NONE;
4473 oflags |= AU_OFLAG_RAW;
4475 oflags |= AU_OFLAG_SHORT;
4477 au_print_flags_tok(outfp, tok, del, oflags);
4481 * 'prints' the token out to outfp in XML format.
4484 au_print_tok_xml(FILE *outfp, tokenstr_t *tok, char *del, char raw,
4487 int oflags = AU_OFLAG_XML;
4490 oflags |= AU_OFLAG_RAW;
4492 oflags |= AU_OFLAG_SHORT;
4494 au_print_flags_tok(outfp, tok, del, oflags);
4498 * Read a record from the file pointer, store data in buf memory for buf is
4499 * also allocated in this function and has to be free'd outside this call.
4501 * au_read_rec() handles two possibilities: a stand-alone file token, or a
4502 * complete audit record.
4504 * XXXRW: Note that if we hit an error, we leave the stream in an unusable
4505 * state, because it will be partly offset into a record. We should rewind
4506 * or do something more intelligent. Particularly interesting is the case
4507 * where we perform a partial read of a record from a non-blockable file
4508 * descriptor. We should return the partial read and continue...?
4511 au_read_rec(FILE *fp, u_char **buf)
4515 u_int32_t bytestoread;
4518 u_int32_t sec, msec;
4519 u_int16_t filenamelen;
4525 case AUT_HEADER32_EX:
4527 case AUT_HEADER64_EX:
4528 /* read the record size from the token */
4529 if (fread(&recsize, 1, sizeof(u_int32_t), fp) <
4530 sizeof(u_int32_t)) {
4534 recsize = be32toh(recsize);
4536 /* Check for recsize sanity */
4537 if (recsize < (sizeof(u_int32_t) + sizeof(u_char))) {
4542 *buf = calloc(recsize, sizeof(u_char));
4547 /* store the token contents already read, back to the buffer*/
4550 be32enc(bptr, recsize);
4551 bptr += sizeof(u_int32_t);
4553 /* now read remaining record bytes */
4554 bytestoread = recsize - (sizeof(u_int32_t) + sizeof(u_char));
4556 if (fread(bptr, 1, bytestoread, fp) < bytestoread) {
4563 case AUT_OTHER_FILE32:
4565 * The file token is variable-length, as it includes a
4566 * pathname. As a result, we have to read incrementally
4567 * until we know the total length, then allocate space and
4570 if (fread(&sec, 1, sizeof(sec), fp) < sizeof(sec)) {
4574 if (fread(&msec, 1, sizeof(msec), fp) < sizeof(msec)) {
4578 if (fread(&filenamelen, 1, sizeof(filenamelen), fp) <
4579 sizeof(filenamelen)) {
4583 recsize = sizeof(type) + sizeof(sec) + sizeof(msec) +
4584 sizeof(filenamelen) + ntohs(filenamelen);
4585 *buf = malloc(recsize);
4590 bcopy(&type, bptr, sizeof(type));
4591 bptr += sizeof(type);
4592 bcopy(&sec, bptr, sizeof(sec));
4593 bptr += sizeof(sec);
4594 bcopy(&msec, bptr, sizeof(msec));
4595 bptr += sizeof(msec);
4596 bcopy(&filenamelen, bptr, sizeof(filenamelen));
4597 bptr += sizeof(filenamelen);
4599 if (fread(bptr, 1, ntohs(filenamelen), fp) <
4600 ntohs(filenamelen)) {