Ejemplo n.º 1
/*
 * Open a new login session from the audit event the parser is positioned on.
 *
 * Reads the pid, the second "auid" field and the second "ses" field from the
 * event. If any of the three is missing or equals -1 the event is dropped
 * (and reported on stderr only when debug is set). An already-open session
 * with the same session id is closed out as GONE and reported before the new
 * one is created. When reporting is limited to one uid (cuid != -1), events
 * for other auids are skipped after that close-out step.
 *
 * The auparse calls move the parser's field cursor, so their order matters.
 */
static void create_new_session(auparse_state_t *au)
{
	int pid = -1, auid = -1, ses = -1;
	lnode *open_node;

	// pid: first match from the current cursor position
	if (auparse_find_field(au, "pid") != NULL)
		pid = auparse_get_field_int(au);

	// auid: land on the first occurrence, step past it, then search
	// again so that the second occurrence is the one that is read
	auparse_find_field(au, "auid");
	auparse_next_field(au);
	if (auparse_find_field(au, "auid") != NULL)
		auid = auparse_get_field_int(au);

	// ses: same two-step search, the second occurrence is wanted
	auparse_find_field(au, "ses");
	auparse_next_field(au);
	if (auparse_find_field(au, "ses") != NULL)
		ses = auparse_get_field_int(au);

	// All three values are required; -1 means "not found" and is also
	// what an unset value parses to, so such records are rejected here
	if (pid == -1 || auid == -1 || ses == -1) {
		if (debug) {
			fprintf(stderr, "Bad login for event: %lu\n",
					auparse_get_serial(au));
		}
		return;
	}

	// Sessions are looked up by session id only (auid and pid are not
	// part of the key). A hit means the previous session with this id
	// never saw its end record, so it is closed out before reuse.
	open_node = list_find_session(&l, ses);
	if (open_node != NULL) {
		open_node->status = GONE;
		open_node->end = auparse_get_time(au);
		report_session(open_node);
		list_delete_cur(&l);
	}

	// Honour the single-uid filter: do not track sessions of other users
	if (cuid != -1 && auid != cuid) {
		if (debug) {
			fprintf(stderr,
			    "login reporting limited to %d for event: %lu\n",
				cuid, auparse_get_serial(au));
		}
		return;
	}

	list_create_session(&l, auid, pid, ses, auparse_get_serial(au));
}
Ejemplo n.º 2
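/*
 * Handle a system boot event: close out every session still in the list,
 * then start a fresh list holding a single "reboot" record.
 *
 * Pass 1 marks every entry that has a name as CRASH. Pass 2 marks every
 * remaining entry (status != CRASH) as DOWN. Both passes stamp the entry
 * with this event's serial and time and report it. The list is then cleared
 * and re-created, and a record with auid/pid/ses 0 is added for the boot.
 */
static void process_bootup(auparse_state_t *au)
{
	lnode *cur;
	// time_t rather than int: auparse_get_time() returns time_t, and an
	// int local would truncate the boot timestamp where time_t is wider
	time_t start;

	// See if we have unclosed boot up and make into CRASH record
	list_first(&l);
	cur = list_get_cur(&l);
	while (cur) {
		if (cur->name) {
			cur->user_end_proof = auparse_get_serial(au);
			cur->status = CRASH;
			cur->end = auparse_get_time(au);
			report_session(cur);
		}
		cur = list_next(&l);
	}

	// Logout and process anyone still left in the machine
	list_first(&l);
	cur = list_get_cur(&l);
	while (cur) {
		if (cur->status != CRASH) {
			cur->user_end_proof = auparse_get_serial(au);
			cur->status = DOWN;
			cur->end = auparse_get_time(au);
			report_session(cur);
		}
		cur = list_next(&l);
	}

	// Since this is a boot message, all old entries should be gone
	list_clear(&l);
	list_create(&l);

	// make reboot record - user:reboot, tty:system boot, host: kernel
	start = auparse_get_time(au);
	list_create_session(&l, 0, 0, 0, auparse_get_serial(au));
	cur = list_get_cur(&l);
	// NOTE(review): list_create_session is not visible here; if it can
	// fail (e.g. on allocation) the list has no current node, so do not
	// dereference it
	if (cur == NULL)
		return;
	cur->start = start;
	// strdup may return NULL under memory pressure; pass 1 above keys on
	// a non-NULL name, so a failed copy leaves this record unnamed
	cur->name = strdup("reboot");
	cur->term = strdup("system boot");
	if (kernel)
		cur->host = strdup(kernel);
	cur->result = 0;
}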
Ejemplo n.º 3
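/*
 * Handle a system boot event: close out every session still in the list,
 * then start a fresh list holding a single "reboot" record whose host field
 * is the running kernel release as reported by uname().
 *
 * Pass 1 marks every entry that has a name as CRASH. Pass 2 marks every
 * remaining entry (status != CRASH) as DOWN. Both passes stamp the entry
 * with this event's serial and time and report it.
 */
static void process_bootup(auparse_state_t *au)
{
    lnode *cur;
    // time_t rather than int: auparse_get_time() returns time_t, and an
    // int local would truncate the boot timestamp where time_t is wider
    time_t start;
    struct utsname ubuf;

    // See if we have unclosed boot up and make into CRASH record
    list_first(&l);
    cur = list_get_cur(&l);
    while (cur) {
        if (cur->name) {
            cur->user_end_proof = auparse_get_serial(au);
            cur->status = CRASH;
            cur->end = auparse_get_time(au);
            report_session(cur);
        }
        cur = list_next(&l);
    }

    // Logout and process anyone still left in the machine
    list_first(&l);
    cur = list_get_cur(&l);
    while (cur) {
        if (cur->status != CRASH) {
            cur->user_end_proof = auparse_get_serial(au);
            cur->status = DOWN;
            cur->end = auparse_get_time(au);
            report_session(cur);
        }
        cur = list_next(&l);
    }
    list_clear(&l);
    list_create(&l);

    // make reboot record - user:reboot, tty:system boot, host: uname -r
    // If uname() fails the buffer contents are indeterminate; use an empty
    // release string so the report never copies uninitialized stack bytes
    if (uname(&ubuf) != 0)
        ubuf.release[0] = '\0';
    start = auparse_get_time(au);
    list_create_session(&l, 0, 0, 0, auparse_get_serial(au));
    cur = list_get_cur(&l);
    // NOTE(review): list_create_session is not visible here; if it can
    // fail (e.g. on allocation) the list has no current node, so do not
    // dereference it
    if (cur == NULL)
        return;
    cur->start = start;
    // strdup may return NULL under memory pressure; pass 1 above keys on
    // a non-NULL name, so a failed copy leaves this record unnamed
    cur->name = strdup("reboot");
    cur->term = strdup("system boot");
    cur->host = strdup(ubuf.release);
    cur->result = 0;
}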