static void do_user_summary_output(slist *sptr)
{
const snode *sn;
if (sptr->cnt == 0) {
printf("<no events of interest were found>\n\n");
return;
}
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
long uid;
char name[64];
if (sn->str[0] == '-' || isdigit(sn->str[0])) {
uid = strtol(sn->str, NULL, 10);
printf("%u ", sn->hits);
safe_print_string(aulookup_uid(uid, name,
sizeof(name)), 1);
} else {
printf("%u ", sn->hits);
safe_print_string(sn->str, 1);
}
sn=slist_next(sptr);
}
}
int print_list(void)
{
int cnt = 0;
slist_first(&s);
do {
snode *cur = slist_get_cur(&s);
if (cur) {
cnt++;
printf("%s\n", cur->str);
}
} while (slist_next(&s));
return cnt;
}
static void do_string_summary_output(slist *sptr)
{
const snode *sn;
if (sptr->cnt == 0) {
printf("<no events of interest were found>\n\n");
return;
}
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
printf("%u %s\n", sn->hits, sn->str);
sn=slist_next(sptr);
}
}
/*
* This function performs that matching of search params with the record.
* It returns 1 on a match, and 0 if no match.
*/
int scan(llist *l)
{
// Are we within time range?
if (start_time == 0 || l->e.sec >= start_time) {
if (end_time == 0 || l->e.sec <= end_time) {
// OK - do the heavier checking
int rc = extract_search_items(l);
if (rc == 0) {
if (event_node_list) {
const snode *sn;
int found=0;
slist *sptr = event_node_list;
if (l->e.node == NULL)
return 0;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn && !found) {
if (sn->str && (!strcmp(sn->str, l->e.node)))
found++;
else
sn=slist_next(sptr);
}
if (!found)
return 0;
}
if (classify_success(l) && classify_conf(l))
return 1;
return 0;
}
}
}
return 0;
}
int main(void)
{
snode n, *node;
int rc, i = 0;
slist_create(&s);
// This first test checks to see if list is
// created in a numeric order
slist_add_if_uniq(&s, "test1");
slist_add_if_uniq(&s, "test2");
slist_first(&s);
slist_add_if_uniq(&s, "test3");
puts("should be 3");
rc = print_list();
if (s.cnt != 3 || rc !=3) {
puts("test count is wrong");
return 1;
}
n.str = strdup("test4");
n.key = NULL;
n.hits = 1;
slist_append(&s, &n);
puts("should add a #4");
rc = print_list();
if (s.cnt != 4 || rc != 4) {
puts("test count is wrong");
return 1;
}
slist_add_if_uniq(&s, "test2");
puts("should be same");
rc = print_list();
if (s.cnt != 4 || rc != 4) {
puts("test count is wrong");
return 1;
}
slist_clear(&s);
puts("should be empty");
rc = print_list();
if (s.cnt != 0 || rc != 0) {
puts("test count is wrong");
return 1;
}
puts("starting sort test");
// Now test to see if the sort function works
// Fill the list exactly backwards
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test2");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test2");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test1");
slist_sort_by_hits(&s);
slist_first(&s);
do {
node = slist_get_cur(&s);
if (node->hits != (4-i)) {
printf("Sort test failed - i:%d != hits:%u\n", i, node->hits);
return 1;
}
i++;
} while ((node = slist_next(&s)));
puts("sort test passes");
slist_clear(&s);
return 0;
}
static void do_summary_total(llist *l)
{
// add events
sd.events++;
// add config changes
if (list_find_msg(l, AUDIT_CONFIG_CHANGE))
sd.changes++;
if (list_find_msg(l, AUDIT_DAEMON_CONFIG))
sd.changes++;
if (list_find_msg(l, AUDIT_USYS_CONFIG))
sd.changes++;
list_first(l);
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL))
sd.changes++;
// add acct changes
if (list_find_msg(l, AUDIT_USER_CHAUTHTOK))
sd.acct_changes++;
if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP))
sd.acct_changes++;
if (list_find_msg(l, AUDIT_CHGRP_ID))
sd.acct_changes++;
list_first(l);
if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE))
sd.acct_changes++;
// Crypto
list_first(l);
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG))
sd.crypto++;
if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG))
sd.crypto++;
// add logins
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
if (l->s.success == S_SUCCESS)
sd.good_logins++;
else if (l->s.success == S_FAILED)
sd.bad_logins++;
}
// add use of auth
if (list_find_msg(l, AUDIT_USER_AUTH)) {
if (l->s.success == S_SUCCESS)
sd.good_auth++;
else if (l->s.success == S_FAILED)
sd.bad_auth++;
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failures
if (l->s.success == S_FAILED)
sd.bad_auth++;
} else if (list_find_msg(l, AUDIT_GRP_AUTH)) {
if (l->s.success == S_SUCCESS)
sd.good_auth++;
else if (l->s.success == S_FAILED)
sd.bad_auth++;
}
// add users
if (l->s.loginuid != -2) {
char tmp[32];
snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
slist_add_if_uniq(&sd.users, tmp);
}
// add terminals
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
// add hosts
if (l->s.hostname)
slist_add_if_uniq(&sd.hosts, l->s.hostname);
// add execs
if (l->s.exe)
slist_add_if_uniq(&sd.exes, l->s.exe);
// add files
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str)
slist_add_if_uniq(&sd.files, sn->str);
sn=slist_next(sptr);
}
}
// add avcs
if (list_find_msg(l, AUDIT_AVC))
sd.avcs++;
else if (list_find_msg(l, AUDIT_USER_AVC))
sd.avcs++;
// MAC
list_first(l);
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL))
sd.mac++;
if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG))
sd.mac++;
// add failed syscalls
if (l->s.success == S_FAILED && l->s.syscall > 0)
sd.failed_syscalls++;
// add pids
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
}
// add anomalies
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG))
sd.anomalies++;
if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG))
sd.anomalies++;
// add response to anomalies
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP))
sd.responses++;
// add keys
if (l->s.key) {
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str && strcmp(sn->str, "(null)")) {
slist_add_if_uniq(&sd.keys, sn->str);
}
sn=slist_next(sptr);
}
}
}
static int per_event_summary(llist *l)
{
int rc = 0;
switch (report_type)
{
case RPT_SUMMARY:
do_summary_total(l);
rc = 1;
break;
case RPT_AVC:
if (list_find_msg(l, AUDIT_AVC)) {
if (alist_find_avc(l->s.avc)) {
do {
slist_add_if_uniq(&sd.avc_objs,
l->s.avc->cur->tcontext);
} while (alist_next_avc(l->s.avc));
}
} else {
if (list_find_msg(l, AUDIT_USER_AVC)) {
if (alist_find_avc(l->s.avc)) {
do {
slist_add_if_uniq(
&sd.avc_objs,
l->s.avc->cur->tcontext);
} while (alist_next_avc(
l->s.avc));
}
}
}
break;
case RPT_MAC:
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_MAP_DEL)) {
ilist_add_if_uniq(&sd.mac_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG)) {
ilist_add_if_uniq(&sd.mac_list,
l->head->type, 0);
}
}
break;
case RPT_CONFIG:
UNIMPLEMENTED;
break;
case RPT_AUTH:
if (list_find_msg(l, AUDIT_USER_AUTH)) {
if (l->s.loginuid == -2 && l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(l->s.loginuid,
name,
sizeof(name))
);
}
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failures
if (l->s.success == S_FAILED) {
if (l->s.loginuid == -2 &&
l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(
l->s.loginuid,
name,
sizeof(name))
);
}
}
}
break;
case RPT_LOGIN:
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
if (l->s.loginuid == -2 && l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(l->s.loginuid,
name,
sizeof(name))
);
}
}
break;
case RPT_ACCT_MOD:
UNIMPLEMENTED;
break;
case RPT_EVENT: /* We will borrow the pid list */
if (l->head->type != -1) {
ilist_add_if_uniq(&sd.pids, l->head->type, 0);
}
break;
case RPT_FILE:
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str)
slist_add_if_uniq(&sd.files,
sn->str);
sn=slist_next(sptr);
}
}
break;
case RPT_HOST:
if (l->s.hostname)
slist_add_if_uniq(&sd.hosts, l->s.hostname);
break;
case RPT_PID:
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
}
break;
case RPT_SYSCALL:
if (l->s.syscall > 0) {
ilist_add_if_uniq(&sd.sys_list,
l->s.syscall, l->s.arch);
}
break;
case RPT_TERM:
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
break;
case RPT_USER:
if (l->s.loginuid != -2) {
char tmp[32];
snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
slist_add_if_uniq(&sd.users, tmp);
}
break;
case RPT_EXE:
if (l->s.exe)
slist_add_if_uniq(&sd.exes, l->s.exe);
break;
case RPT_ANOMALY:
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
AUDIT_LAST_ANOM_MSG)) {
ilist_add_if_uniq(&sd.anom_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG)) {
ilist_add_if_uniq(&sd.anom_list,
l->head->type, 0);
}
}
break;
case RPT_RESPONSE:
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
AUDIT_LAST_ANOM_RESP)) {
ilist_add_if_uniq(&sd.resp_list,
l->head->type, 0);
}
break;
case RPT_CRYPTO:
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG)) {
ilist_add_if_uniq(&sd.crypto_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG)) {
ilist_add_if_uniq(&sd.crypto_list,
l->head->type, 0);
}
}
break;
case RPT_KEY:
if (l->s.key) {
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str &&
strcmp(sn->str, "(null)"))
slist_add_if_uniq(&sd.keys,
sn->str);
sn=slist_next(sptr);
}
}
break;
case RPT_TTY:
UNIMPLEMENTED;
break;
default:
break;
}
return rc;
}
int match(llist *l)
{
// Are we within time range?
if (start_time == 0 || l->e.sec >= start_time) {
if (end_time == 0 || l->e.sec <= end_time) {
if (event_id == -1 || event_id == l->e.serial) {
// OK - do the heavier checking
if (extract_search_items(l)) {
return 0;
}
// perform additional tests for the field
if (event_node_list) {
const snode *sn;
int found=0;
slist *sptr = event_node_list;
if (l->e.node == NULL)
return 0;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn && !found) {
if (sn->str && (!strcmp(sn->str, l->e.node)))
found++;
else
sn=slist_next(sptr);
}
if (!found)
return 0;
}
if (user_match(l) == 0)
return 0;
if (group_match(l) == 0)
return 0;
if ((event_ppid != -1) &&
(event_ppid != l->s.ppid))
return 0;
if ((event_pid != -1) &&
(event_pid != l->s.pid))
return 0;
if (event_machine != -1 &&
(event_machine !=
audit_elf_to_machine(l->s.arch)))
return 0;
if ((event_syscall != -1) &&
(event_syscall != l->s.syscall))
return 0;
if ((event_session_id != -2) &&
(event_session_id != l->s.session_id))
return 0;
if (event_exit_is_set) {
if (l->s.exit_is_set == 0)
return 0;
if (event_exit != l->s.exit)
return 0;
}
if ((event_success != S_UNSET) &&
(event_success != l->s.success))
return 0;
// event_type requires looking at each item
if (event_type != NULL) {
int found = 0;
const lnode *n;
list_first(l);
n = list_get_cur(l);
do {
int_node *in;
ilist_first(event_type);
in = ilist_get_cur(event_type);
do {
if (in->num == n->type){
found = 1;
break;
}
} while((in =
ilist_next(event_type)));
if (found)
break;
} while ((n = list_next(l)));
if (!found)
return 0;
}
// Done all the easy compares, now do the
// string searches.
if (event_filename) {
int found = 0;
if (l->s.filename == NULL && l->s.cwd == NULL)
return 0;
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
do {
if (sn->str == NULL)
return 0;
if (strmatch(
event_filename,
sn->str)) {
found = 1;
break;
}
} while ((sn=slist_next(sptr)));
if (!found && l->s.cwd == NULL)
return 0;
}
if (l->s.cwd && !found) {
/* Check cwd, too */
if (strmatch(event_filename,
l->s.cwd) == 0)
return 0;
}
}
if (event_hostname) {
if (l->s.hostname == NULL)
return 0;
if (strmatch(event_hostname,
l->s.hostname) == 0)
return 0;
}
if (event_terminal) {
if (l->s.terminal == NULL)
return 0;
if (strmatch(event_terminal,
l->s.terminal) == 0)
return 0;
}
if (event_exe) {
if (l->s.exe == NULL)
return 0;
if (strmatch(event_exe,
l->s.exe) == 0)
return 0;
}
if (event_comm) {
if (l->s.comm == NULL)
return 0;
if (strmatch(event_comm,
l->s.comm) == 0)
return 0;
}
if (event_key) {
if (l->s.key == NULL)
return 0;
else {
int found = 0;
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
do {
if (sn->str == NULL)
return 0;
if (strmatch(
event_key,
sn->str)) {
found = 1;
break;
}
} while ((sn=slist_next(sptr)));
if (!found)
return 0;
}
}
if (event_vmname) {
if (l->s.vmname == NULL)
return 0;
if (strmatch(event_vmname,
l->s.vmname) == 0)
return 0;
}
if (event_uuid) {
if (l->s.uuid == NULL)
return 0;
if (strmatch(event_uuid,
l->s.uuid) == 0)
return 0;
}
if (context_match(l) == 0)
return 0;
return 1;
}
}
}
return 0;
}
