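/*
 * Print the per-user summary: one line per list entry as "<hits>  <user>",
 * or a placeholder line when the list is empty.
 *
 * Entries whose text starts with a digit or '-' are treated as numeric
 * uids and resolved through aulookup_uid() into a local buffer; any other
 * entry is printed as-is. All names go through safe_print_string()
 * (defined elsewhere) rather than a bare printf.
 *
 * sptr is the summary list; slist_first()/slist_next() walk it from the
 * start, so the list cursor is left at the end on return.
 */
static void do_user_summary_output(slist *sptr)
{
	const snode *sn;

	if (sptr->cnt == 0) {
		printf("<no events of interest were found>\n\n");
		return;
	}

	slist_first(sptr);
	for (sn = slist_get_cur(sptr); sn != NULL; sn = slist_next(sptr)) {
		// The hit count is common to both branches
		printf("%u  ", sn->hits);

		// Cast to unsigned char: isdigit() on a negative plain char
		// (high-bit byte with signed char) is undefined behaviour.
		if (sn->str[0] == '-' || isdigit((unsigned char)sn->str[0])) {
			char name[64];
			// No endptr/errno check: the prefix test above already
			// limits this to numeric-looking entries.
			long uid = strtol(sn->str, NULL, 10);

			safe_print_string(aulookup_uid(uid, name,
				sizeof(name)), 1);
		} else {
			safe_print_string(sn->str, 1);
		}
	}
}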
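/*
 * Return the CGI query string for the current request.
 *
 * GET: a freshly allocated copy of QUERY_STRING that the caller must
 *      free(); NULL when QUERY_STRING is unset (or strdup() fails).
 * POST: whatever read_query_string() (defined elsewhere) returns;
 *      ownership follows that function's contract.
 * Otherwise: the unknown method is echoed to stdout through
 *      safe_print_string() instead of a raw printf (presumably it
 *      escapes; its definition is not visible here) and NULL is returned.
 * NULL is also returned when REQUEST_METHOD itself is unset.
 */
char *
get_query_string(void)
{
	char *request_method = getenv("REQUEST_METHOD");

	if (request_method == NULL)
		return NULL;

	if (strcmp(request_method, "GET") == 0) {
		char *query_string = getenv("QUERY_STRING");

		// Copy: getenv() storage must not be retained or modified.
		// strdup() yields NULL on allocation failure, which callers
		// already have to handle as "no query string".
		return query_string ? strdup(query_string) : NULL;
	}

	if (strcmp(request_method, "POST") == 0)
		return read_query_string();

	printf("Unknown method: ");
	safe_print_string(request_method);
	printf("\n");
	return NULL;
}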
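/*
 * Print "NAME=VALUE\n" for the environment variable NAME.
 *
 * The value is emitted through safe_print_string() (defined elsewhere)
 * rather than a raw printf so environment contents are not written out
 * verbatim. getenv() returns NULL for an unset variable; an empty string
 * is substituted so safe_print_string() never receives NULL (its NULL
 * handling is not visible here).
 *
 * name is the variable to look up; it is only read.
 */
void
safe_printenv( char *name )
{
	char *val = getenv( name );

	printf("%s=", name );
	safe_print_string( val ? val : "" );
	printf("\n");
}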
/*
 * Print the per-file summary: one line per list entry as "<hits>  <name>",
 * or a placeholder line when the list is empty.
 *
 * sptr is the summary list; slist_first()/slist_next() walk it from the
 * start, so the list cursor is left at the end on return. Names are
 * emitted via safe_print_string() (defined elsewhere), not a bare printf.
 */
static void do_file_summary_output(slist *sptr)
{
	const snode *entry;

	if (!sptr->cnt) {
		printf("<no events of interest were found>\n\n");
		return;
	}

	slist_first(sptr);
	for (entry = slist_get_cur(sptr); entry; entry = slist_next(sptr)) {
		printf("%u  ", entry->hits);
		safe_print_string(entry->str, 1);
	}
}
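/*
 * Print one line of a per-event (detailed) report for the event in l.
 *
 * Which columns are printed depends on the global report_type (see the
 * per-case comments); every line ends with the event serial number.
 * For every report type except RPT_AVC the line is prefixed with a
 * running line number (global line_item) and the event time; RPT_AVC
 * emits one such prefixed line per AVC record of the event.
 *
 * Subject fields that may be missing from an event (exe, comm, terminal,
 * hostname, acct) are printed as "?" so a NULL never reaches a %s
 * conversion. Uids are resolved through aulookup_uid() into the local
 * name buffer. Free-form strings go through safe_print_string()
 * (defined elsewhere) rather than printf so record contents are not
 * written to the report verbatim.
 *
 * l: the event to print. It is read-only except in the RPT_TTY case,
 *    which truncates l->head->message in place (pre-existing behaviour;
 *    note that the record text is modified).
 */
void print_per_event_item(llist *l)
{
	char buf[128];
	char name[64];
	char date[32];
	struct tm *tv;

	// The beginning is common to all reports
	tv = localtime(&l->e.sec);
	if (tv)
		strftime(date, sizeof(date), "%x %T", tv);
	else
		strcpy(date, "?");
	// RPT_AVC prints its own prefix once per AVC record below
	if (report_type != RPT_AVC) {
		line_item++;
		printf("%u. %s ", line_item, date);
	}

	switch (report_type)
	{
		case RPT_AVC:
			alist_find_avc(l->s.avc);
			do {
				anode *an = l->s.avc->cur;
				// No current AVC node: nothing to print
				if (an == NULL)
					break;
				line_item++;
				printf("%u. %s ", line_item, date);
				// command subject syscall action obj res event
				safe_print_string(l->s.comm ? l->s.comm : "?", 0);
				printf(" %s %s %s %s %s %s %lu\n",
					an->scontext,
					aulookup_syscall(l, buf, sizeof(buf)),
					an->avc_class, an->avc_perm,
					an->tcontext, aulookup_result(an->avc_result),
					l->e.serial);
			} while (alist_next_avc(l->s.avc));
			break;
		case RPT_CONFIG:
			// FIXME:who, action, what, outcome, event
			// NOW: type auid success event
			printf("%s %s %s %lu\n",
				audit_msg_type_to_name(l->head->type),
				aulookup_uid(l->s.loginuid, name, sizeof(name)),
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_AUTH:
			// who, addr, terminal, exe, success, event
			// Special note...uid is used here because that is
			// the way that the message works. This is because
			// on failed logins, loginuid is not set.
			safe_print_string(l->s.acct ? l->s.acct :
				aulookup_uid(l->s.uid, name, sizeof(name)), 0);
			// "?" fallbacks: these fields are optional in the event
			printf(" %s %s %s %s %lu\n",
				l->s.hostname ? l->s.hostname : "?",
				l->s.terminal ? l->s.terminal : "?",
				l->s.exe ? l->s.exe : "?",
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_LOGIN:
			// who, addr, terminal, exe, success, event
			// Special note...loginuid can be used here for
			// successful logins. loginuid is not set on failed
			// logins so acct is used in that situation.
			safe_print_string(((l->s.success == S_FAILED) &&
				l->s.acct) ? l->s.acct :
				aulookup_uid(l->s.loginuid,
						name, sizeof(name)), 0);
			printf(" %s %s %s %s %lu\n",
				l->s.hostname ? l->s.hostname : "?",
				l->s.terminal ? l->s.terminal : "?",
				l->s.exe ? l->s.exe : "?",
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_ACCT_MOD:
			// who, addr, terminal, exe, success, event
			safe_print_string(
				aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %s %s %s %s %s %lu\n",
				l->s.hostname ? l->s.hostname : "?",
				l->s.terminal ? l->s.terminal : "?",
				l->s.exe ? l->s.exe : "?",
				l->s.acct ? l->s.acct : "?",
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_EVENT:	// report_detail == D_DETAILED
			//        event, type, who, success
			printf("%lu %s ",
				l->e.serial,
				audit_msg_type_to_name(l->head->type));
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %s\n",	aulookup_success(l->s.success));
			break;
		case RPT_FILE:	// report_detail == D_DETAILED
			// file, syscall, success, exe, who, event
			{
			slist *s = l->s.filename;
			slist_first(s);
			// Skip PARENT entries so the file itself is reported,
			// unless it is the only entry in the list
			if (s->cnt > 1) {
				char *key = s->cur ? s->cur->key : NULL;
				while (key && strcmp(key, "PARENT") == 0) {
					slist_next(s);
					key = s->cur ? s->cur->key : NULL;
				}
			}
			safe_print_string(s->cur ? s->cur->str : "", 0);
			printf(" %s %s ",
				aulookup_syscall(l,buf,sizeof(buf)),
				aulookup_success(l->s.success));
			safe_print_string(l->s.exe ? l->s.exe : "?", 0);
			putchar(' ');
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			}
			break;
		case RPT_HOST:	// report_detail == D_DETAILED
			// host, syscall, who, event
			printf("%s %s ",
				l->s.hostname ? l->s.hostname : "?",
				aulookup_syscall(l,buf,sizeof(buf)));
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_PID:	// report_detail == D_DETAILED
			// pid, exe, syscall, who, event
			printf("%u ", l->s.pid);
			safe_print_string(l->s.exe ? l->s.exe : "?", 0);
			printf(" %s ", aulookup_syscall(l,buf,sizeof(buf)));
			safe_print_string(aulookup_uid(l->s.loginuid, name,
				sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_SYSCALL:	// report_detail == D_DETAILED
			// syscall, pid, comm, who, event
			printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)),
				l->s.pid);
			safe_print_string(l->s.comm ? l->s.comm : "?", 0);
			putchar(' ');
			safe_print_string(aulookup_uid(l->s.loginuid, name,
				sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_TERM:	// report_detail == D_DETAILED
			// terminal, host, exe, who, event
			printf("%s %s ",
				l->s.terminal ? l->s.terminal : "?",
				l->s.hostname ? l->s.hostname : "?");
			safe_print_string(l->s.exe ? l->s.exe : "?", 0);
			putchar(' ');
			safe_print_string(aulookup_uid(l->s.loginuid, name,
				sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_USER:	// report_detail == D_DETAILED
			// who, terminal, host, exe, event
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %s %s ",
				l->s.terminal ? l->s.terminal : "?",
				l->s.hostname ? l->s.hostname : "?");
			safe_print_string(l->s.exe ? l->s.exe : "?", 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_EXE:	// report_detail == D_DETAILED
			// exe, terminal, host, who, event
			safe_print_string(l->s.exe ? l->s.exe : "?", 0);
			printf(" %s %s ",
				l->s.terminal ? l->s.terminal : "?",
				l->s.hostname ? l->s.hostname : "?");
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_COMM:	// report_detail == D_DETAILED
			// comm, terminal, host, who, event
			safe_print_string(l->s.comm ? l->s.comm : "?", 0);
			printf(" %s %s ",
				l->s.terminal ? l->s.terminal : "?",
				l->s.hostname ? l->s.hostname : "?");
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_ANOMALY:	// report_detail == D_DETAILED
			// type exe term host auid event
			printf("%s ", audit_msg_type_to_name(l->head->type));
			// Prefer exe; fall back to comm, then "?"
			safe_print_string(l->s.exe ? l->s.exe :
					l->s.comm ? l->s.comm: "?", 0);
			printf(" %s %s ",
				l->s.terminal ? l->s.terminal : "?",
				l->s.hostname ? l->s.hostname : "?");
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_RESPONSE:	// report_detail == D_DETAILED
			// type success event
			printf("%s %s %lu\n",
				audit_msg_type_to_name(l->head->type),
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_MAC:
			// auid type success event
			printf("%s %s %s %lu\n",
				aulookup_uid(l->s.loginuid, name, sizeof(name)),
				audit_msg_type_to_name(l->head->type),
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_INTEG:
			// type success event
			printf("%s %s %lu\n",
				audit_msg_type_to_name(l->head->type),
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_VIRT:
			// type success event
			printf("%s %s %lu\n",
				audit_msg_type_to_name(l->head->type),
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_CRYPTO:
			// auid type success event
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %s %s %lu\n",
				audit_msg_type_to_name(l->head->type),
				aulookup_success(l->s.success),
				l->e.serial);
			break;
		case RPT_KEY:	// report_detail == D_DETAILED
			// key, success, exe, who, event
			slist_first(l->s.key);
			// Guard the cursor like RPT_FILE does: an empty key
			// list must not dereference a NULL cur
			printf("%s %s ",
				l->s.key->cur ? l->s.key->cur->str : "?",
				aulookup_success(l->s.success));
			safe_print_string(l->s.exe ? l->s.exe : "?", 0);
			putchar(' ');
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_TTY: {
			// Locate the data= payload of the raw record. The
			// record text is cut in place at the last space, so
			// l->head->message is shortened as a side effect.
			char *ch, *ptr = strstr(l->head->message, "data=");
			if (!ptr)
				break;
			ptr += 5;	// skip "data="
			ch = strrchr(ptr, ' ');
			if (ch)
				*ch = 0;
			// event who term sess data
			printf("%lu ", l->e.serial);
			safe_print_string(aulookup_uid(l->s.loginuid, name,
					sizeof(name)), 0);
			printf(" %s %u ",
				l->s.terminal ? l->s.terminal : "?",
				l->s.session_id);
			safe_print_string(l->s.comm ? l->s.comm: "?", 0);
			putchar(' ');
			print_tty_data(ptr);
			printf("\n");
			}
			break;
		default:
			break;
	}
}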
/*
 * Print one audit record (n) of event e in interpreted form: the record
 * header (node=, type=, msg=audit(<time>.<milli>:<serial>)) followed by
 * each name=value field, with every value handed to interpret() for
 * lookup/translation.
 *
 * Side effects: resets the file-scope machine and cur_syscall, and copies
 * n->a0/n->a1 into the file-scope a0/a1 for AUDIT_SYSCALL records (the
 * interpretation helpers presumably read them). The record text
 * n->message is tokenised IN PLACE (separators are overwritten with
 * NUL), so the record is not reusable afterwards.
 *
 * Returns early, printing only a partial line, when the timestamp
 * parentheses cannot be found.
 */
static void output_interpreted_record(const lnode *n, const event *e)
{
	char *ptr, *str = n->message;
	int found, comma = 0;
	int num = n->type;
	struct tm *btm;
	char tmp[32];

	// Reset these because each record could be different
	machine = -1;
	cur_syscall = -1;

	/* Check and see if we start with a node
 	 * If we do, and there is a space in the line
 	 * move the pointer to the first character past
 	 * the space
  	 */
	if (e->node) {
		if ((ptr=strchr(str, ' ')) != NULL) {
			str = ptr+1;
		}
	}

	// First locate time stamp.
	ptr = strchr(str, '(');
	if (ptr == NULL) {
		fprintf(stderr, "can't find time stamp\n");
		return;
	}

	*ptr++ = 0;	/* move to the start of the timestamp */

	// print everything up to it.
	// Known types get a symbolic name; anything else (or a negative
	// type) is echoed as the raw prefix via printf("%s(", str).
	if (num >= 0) {
		const char	* bptr;
		bptr = audit_msg_type_to_name(num);
		if (bptr) {
			if (e->node)
				printf("node=%s ", e->node);
			printf("type=%s msg=audit(", bptr);
			goto no_print;
		}
	} 
	if (e->node)
		printf("node=%s ", e->node);
	printf("%s(", str);
no_print:

	// The event's own time replaces the raw timestamp text between
	// the parentheses; ')' is overwritten so str starts after it.
	str = strchr(ptr, ')');
	if(str == NULL)
		return;
	*str++ = 0;
	btm = localtime(&e->sec);
	if (btm)
		strftime(tmp, sizeof(tmp), "%x %T", btm);
	else
		strcpy(tmp, "?");
	printf("%s", tmp);
	printf(".%03u:%lu) ", e->milli, e->serial);

	// Syscall argument registers are kept for the field interpreters
	if (n->type == AUDIT_SYSCALL) { 
		a0 = n->a0;
		a1 = n->a1;
	}

	// for each item.
	ausearch_load_interpretations(n);
	found = 0;
	while (str && *str && (ptr = strchr(str, '='))) {
		char *name, *val;
		comma = 0;
		found = 1;

		// look back to last space - this is name
		// NOTE(review): when the loop stops on a space, name still
		// points at that space rather than the first letter of the
		// field name; interpret() presumably tolerates this - confirm.
		name = ptr;
		while (*name != ' ' && name > str)
			--name;
		*ptr++ = 0;

		// print everything up to the '='
		printf("%s=", str);

		// Some user messages have msg='uid=500   in this case
		// skip the msg= piece since the real stuff is the uid=
		if (strcmp(name, "msg") == 0) {
			str = ptr;
			continue;
		}

		// In the above case, after msg= we need to trim the ' from uid
		if (*name == '\'')
			name++;

		// get string after = to the next space or end - this is value
		// Quoted values run to the matching quote, which is kept as
		// part of the value; str is moved past it.
		if (*ptr == '\'' || *ptr == '"') {
			str = strchr(ptr+1, *ptr);
			if (str) {
				str++;
				if (*str)
					*str++ = 0;
			}
		} else {
			// Unquoted: a comma before the next space may be a
			// field separator or part of a MAC label; ask
			// auparse_interp_adjust_type() which one this is.
			str = strchr(ptr, ',');
			val = strchr(ptr, ' ');
			if (str && val && (str < val)) {
			// Value side  has commas and another field exists
			// Known: LABEL_LEVEL_CHANGE banners=none,none
			// Known: ROLL_ASSIGN new-role=r,r
			// Known: any MAC LABEL can potentially have commas
				int ftype = auparse_interp_adjust_type(n->type,
								name, val);
				if (ftype == AUPARSE_TYPE_MAC_LABEL) {
					str = val;
					*str++ = 0;
				} else {
					*str++ = 0;
					comma = 1;
				}
			} else if (str && (val == NULL)) {
			// Goes all the way to the end. Done parsing
			// Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7
				int ftype = auparse_interp_adjust_type(n->type,
								name, ptr);
				if (ftype == AUPARSE_TYPE_MAC_LABEL)
					str = NULL;
				else {
					*str++ = 0;
					comma = 1;
				}
			} else if (val) {
			// There is another field, point to next (normal path)
				str = val;
				*str++ = 0;
			}
		}
		// val points to begin & str 1 past end
		val = ptr;
		
		// print interpreted string
		// comma tells interpret() the value was cut at a ','
		interpret(name, val, comma, n->type);
	}
	ausearch_free_interpretations();

	// If nothing found, just print out as is
	// (ptr is NULL only when the loop exited because no '=' was left)
	if (!found && ptr == NULL && str)
		safe_print_string(str, 1);

	// If last field had comma, output the rest
	else if (comma)
		safe_print_string(str, 1);
	printf("\n");
}