static void do_summary_total(llist *l)
{
// add events
sd.events++;
// add config changes
if (list_find_msg(l, AUDIT_CONFIG_CHANGE))
sd.changes++;
if (list_find_msg(l, AUDIT_DAEMON_CONFIG))
sd.changes++;
if (list_find_msg(l, AUDIT_USYS_CONFIG))
sd.changes++;
list_first(l);
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL))
sd.changes++;
// add acct changes
if (list_find_msg(l, AUDIT_USER_CHAUTHTOK))
sd.acct_changes++;
if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP))
sd.acct_changes++;
if (list_find_msg(l, AUDIT_CHGRP_ID))
sd.acct_changes++;
list_first(l);
if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE))
sd.acct_changes++;
// Crypto
list_first(l);
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG))
sd.crypto++;
if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG))
sd.crypto++;
// add logins
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
if (l->s.success == S_SUCCESS)
sd.good_logins++;
else if (l->s.success == S_FAILED)
sd.bad_logins++;
}
// add use of auth
if (list_find_msg(l, AUDIT_USER_AUTH)) {
if (l->s.success == S_SUCCESS)
sd.good_auth++;
else if (l->s.success == S_FAILED)
sd.bad_auth++;
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failures
if (l->s.success == S_FAILED)
sd.bad_auth++;
} else if (list_find_msg(l, AUDIT_GRP_AUTH)) {
if (l->s.success == S_SUCCESS)
sd.good_auth++;
else if (l->s.success == S_FAILED)
sd.bad_auth++;
}
// add users
if (l->s.loginuid != -2) {
char tmp[32];
snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
slist_add_if_uniq(&sd.users, tmp);
}
// add terminals
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
// add hosts
if (l->s.hostname)
slist_add_if_uniq(&sd.hosts, l->s.hostname);
// add execs
if (l->s.exe)
slist_add_if_uniq(&sd.exes, l->s.exe);
// add files
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str)
slist_add_if_uniq(&sd.files, sn->str);
sn=slist_next(sptr);
}
}
// add avcs
if (list_find_msg(l, AUDIT_AVC))
sd.avcs++;
else if (list_find_msg(l, AUDIT_USER_AVC))
sd.avcs++;
// MAC
list_first(l);
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL))
sd.mac++;
if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG))
sd.mac++;
// add failed syscalls
if (l->s.success == S_FAILED && l->s.syscall > 0)
sd.failed_syscalls++;
// add pids
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
}
// add anomalies
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG))
sd.anomalies++;
if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG))
sd.anomalies++;
// add response to anomalies
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP))
sd.responses++;
// add keys
if (l->s.key) {
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str && strcmp(sn->str, "(null)")) {
slist_add_if_uniq(&sd.keys, sn->str);
}
sn=slist_next(sptr);
}
}
}
int main(void)
{
snode n, *node;
int rc, i = 0;
slist_create(&s);
// This first test checks to see if list is
// created in a numeric order
slist_add_if_uniq(&s, "test1");
slist_add_if_uniq(&s, "test2");
slist_first(&s);
slist_add_if_uniq(&s, "test3");
puts("should be 3");
rc = print_list();
if (s.cnt != 3 || rc !=3) {
puts("test count is wrong");
return 1;
}
n.str = strdup("test4");
n.key = NULL;
n.hits = 1;
slist_append(&s, &n);
puts("should add a #4");
rc = print_list();
if (s.cnt != 4 || rc != 4) {
puts("test count is wrong");
return 1;
}
slist_add_if_uniq(&s, "test2");
puts("should be same");
rc = print_list();
if (s.cnt != 4 || rc != 4) {
puts("test count is wrong");
return 1;
}
slist_clear(&s);
puts("should be empty");
rc = print_list();
if (s.cnt != 0 || rc != 0) {
puts("test count is wrong");
return 1;
}
puts("starting sort test");
// Now test to see if the sort function works
// Fill the list exactly backwards
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test2");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test2");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test1");
slist_sort_by_hits(&s);
slist_first(&s);
do {
node = slist_get_cur(&s);
if (node->hits != (4-i)) {
printf("Sort test failed - i:%d != hits:%u\n", i, node->hits);
return 1;
}
i++;
} while ((node = slist_next(&s)));
puts("sort test passes");
slist_clear(&s);
return 0;
}
static int per_event_summary(llist *l)
{
int rc = 0;
switch (report_type)
{
case RPT_SUMMARY:
do_summary_total(l);
rc = 1;
break;
case RPT_AVC:
if (list_find_msg(l, AUDIT_AVC)) {
if (alist_find_avc(l->s.avc)) {
do {
slist_add_if_uniq(&sd.avc_objs,
l->s.avc->cur->tcontext);
} while (alist_next_avc(l->s.avc));
}
} else {
if (list_find_msg(l, AUDIT_USER_AVC)) {
if (alist_find_avc(l->s.avc)) {
do {
slist_add_if_uniq(
&sd.avc_objs,
l->s.avc->cur->tcontext);
} while (alist_next_avc(
l->s.avc));
}
}
}
break;
case RPT_MAC:
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_MAP_DEL)) {
ilist_add_if_uniq(&sd.mac_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG)) {
ilist_add_if_uniq(&sd.mac_list,
l->head->type, 0);
}
}
break;
case RPT_CONFIG:
UNIMPLEMENTED;
break;
case RPT_AUTH:
if (list_find_msg(l, AUDIT_USER_AUTH)) {
if (l->s.loginuid == -2 && l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(l->s.loginuid,
name,
sizeof(name))
);
}
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failures
if (l->s.success == S_FAILED) {
if (l->s.loginuid == -2 &&
l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(
l->s.loginuid,
name,
sizeof(name))
);
}
}
}
break;
case RPT_LOGIN:
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
if (l->s.loginuid == -2 && l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(l->s.loginuid,
name,
sizeof(name))
);
}
}
break;
case RPT_ACCT_MOD:
UNIMPLEMENTED;
break;
case RPT_EVENT: /* We will borrow the pid list */
if (l->head->type != -1) {
ilist_add_if_uniq(&sd.pids, l->head->type, 0);
}
break;
case RPT_FILE:
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str)
slist_add_if_uniq(&sd.files,
sn->str);
sn=slist_next(sptr);
}
}
break;
case RPT_HOST:
if (l->s.hostname)
slist_add_if_uniq(&sd.hosts, l->s.hostname);
break;
case RPT_PID:
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
}
break;
case RPT_SYSCALL:
if (l->s.syscall > 0) {
ilist_add_if_uniq(&sd.sys_list,
l->s.syscall, l->s.arch);
}
break;
case RPT_TERM:
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
break;
case RPT_USER:
if (l->s.loginuid != -2) {
char tmp[32];
snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
slist_add_if_uniq(&sd.users, tmp);
}
break;
case RPT_EXE:
if (l->s.exe)
slist_add_if_uniq(&sd.exes, l->s.exe);
break;
case RPT_ANOMALY:
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
AUDIT_LAST_ANOM_MSG)) {
ilist_add_if_uniq(&sd.anom_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG)) {
ilist_add_if_uniq(&sd.anom_list,
l->head->type, 0);
}
}
break;
case RPT_RESPONSE:
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
AUDIT_LAST_ANOM_RESP)) {
ilist_add_if_uniq(&sd.resp_list,
l->head->type, 0);
}
break;
case RPT_CRYPTO:
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG)) {
ilist_add_if_uniq(&sd.crypto_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG)) {
ilist_add_if_uniq(&sd.crypto_list,
l->head->type, 0);
}
}
break;
case RPT_KEY:
if (l->s.key) {
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str &&
strcmp(sn->str, "(null)"))
slist_add_if_uniq(&sd.keys,
sn->str);
sn=slist_next(sptr);
}
}
break;
case RPT_TTY:
UNIMPLEMENTED;
break;
default:
break;
}
return rc;
}
