static const char *print_success(const char *val)
{
int res;
if (isdigit(*val)) {
errno = 0;
res = strtoul(val, NULL, 10);
if (errno) {
char *out;
asprintf(&out, "conversion error(%s)", val);
return out;
}
return strdup(aulookup_success(res));
} else
return strdup(val);
}
void print_per_event_item(llist *l)
{
char buf[128];
char name[64];
char date[32];
struct tm *tv;
// The beginning is common to all reports
tv = localtime(&l->e.sec);
if (tv)
strftime(date, sizeof(date), "%x %T", tv);
else
strcpy(date, "?");
if (report_type != RPT_AVC) {
line_item++;
printf("%u. %s ", line_item, date);
}
switch (report_type)
{
case RPT_AVC:
alist_find_avc(l->s.avc);
do {
anode *an = l->s.avc->cur;
line_item++;
printf("%u. %s ", line_item, date);
// command subject syscall action obj res event
safe_print_string(l->s.comm ? l->s.comm : "?", 0);
printf(" %s %s %s %s %s %s %lu\n",
an->scontext,
aulookup_syscall(l, buf,sizeof(buf)),
an->avc_class, an->avc_perm,
an->tcontext, aulookup_result(an->avc_result),
l->e.serial);
//printf("items:%d\n", l->s.avc->cnt);
} while (alist_next_avc(l->s.avc));
break;
case RPT_CONFIG:
// FIXME:who, action, what, outcome, event
// NOW: type auid success event
printf("%s %s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_uid(l->s.loginuid, name, sizeof(name)),
aulookup_success(l->s.success), l->e.serial);
break;
case RPT_AUTH:
// who, addr, terminal, exe, success, event
// Special note...uid is used here because that is
// the way that the message works. This is because
// on failed logins, loginuid is not set.
safe_print_string(l->s.acct ? l->s.acct :
aulookup_uid(l->s.uid, name, sizeof(name)), 0);
printf(" %s %s %s %s %lu\n",
l->s.hostname, l->s.terminal,
l->s.exe, aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_LOGIN:
// who, addr, terminal, exe, success, event
// Special note...loginuid can be used here for
// successful logins. loginuid is not set on failed
// logins so acct is used in that situation.
safe_print_string(((l->s.success == S_FAILED) &&
l->s.acct) ? l->s.acct :
aulookup_uid(l->s.loginuid,
name, sizeof(name)), 0);
printf(" %s %s %s %s %lu\n",
l->s.hostname, l->s.terminal,
l->s.exe, aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_ACCT_MOD:
// who, addr, terminal, exe, success, event
safe_print_string(
aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %s %s %s %s %lu\n",
l->s.hostname ? l->s.hostname : "?",
l->s.terminal ? l->s.terminal : "?",
l->s.exe ? l->s.exe : "?",
l->s.acct ? l->s.acct : "?",
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_EVENT: // report_detail == D_DETAILED
// event, type, who, success
printf("%lu %s ",
l->e.serial,
audit_msg_type_to_name(l->head->type));
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s\n", aulookup_success(l->s.success));
break;
case RPT_FILE: // report_detail == D_DETAILED
// file, syscall, success, exe, who, event
{
slist *s = l->s.filename;
slist_first(s);
if (s->cnt > 1) {
char *key = s->cur ? s->cur->key : NULL;
while (key && strcmp(key, "PARENT") == 0) {
slist_next(s);
key = s->cur ? s->cur->key : NULL;
}
}
safe_print_string(s->cur ? s->cur->str : "", 0);
printf(" %s %s ",
aulookup_syscall(l,buf,sizeof(buf)),
aulookup_success(l->s.success));
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
}
break;
case RPT_HOST: // report_detail == D_DETAILED
// host, syscall, who, event
printf("%s %s ",
l->s.hostname,
aulookup_syscall(l,buf,sizeof(buf)));
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_PID: // report_detail == D_DETAILED
// pid, exe, syscall, who, event
printf("%u ", l->s.pid);
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
printf(" %s ", aulookup_syscall(l,buf,sizeof(buf)));
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_SYSCALL: // report_detail == D_DETAILED
// syscall, pid, comm, who, event
printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)),
l->s.pid);
safe_print_string(l->s.comm ? l->s.comm : "?", 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_TERM: // report_detail == D_DETAILED
// terminal, host, exe, who, event
printf("%s %s ",
l->s.terminal, l->s.hostname);
safe_print_string(l->s.exe, 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_USER: // report_detail == D_DETAILED
// who, terminal, host, exe, event
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_EXE: // report_detail == D_DETAILED
// exe, terminal, host, who, event
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_COMM: // report_detail == D_DETAILED
// comm, terminal, host, who, event
safe_print_string(l->s.comm ? l->s.comm : "?", 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_ANOMALY: // report_detail == D_DETAILED
// type exe term host auid event
printf("%s ", audit_msg_type_to_name(l->head->type));
safe_print_string(l->s.exe ? l->s.exe :
l->s.comm ? l->s.comm: "?", 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_RESPONSE: // report_detail == D_DETAILED
// type success event
printf("%s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_MAC:
// auid type success event
printf("%s %s %s %lu\n",
aulookup_uid(l->s.loginuid, name, sizeof(name)),
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_INTEG:
// type success event
printf("%s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_VIRT:
// type success event
printf("%s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_CRYPTO:
// auid type success event
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_KEY: // report_detail == D_DETAILED
// key, success, exe, who, event
slist_first(l->s.key);
printf("%s %s ", l->s.key->cur->str,
aulookup_success(l->s.success));
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_TTY: {
char *ch, *ptr = strstr(l->head->message, "data=");
if (!ptr)
break;
ptr += 5;
ch = strrchr(ptr, ' ');
if (ch)
*ch = 0;
// event who term sess data
printf("%lu ", l->e.serial);
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %u ",
l->s.terminal ? l->s.terminal : "?",
l->s.session_id);
safe_print_string(l->s.comm ? l->s.comm: "?", 0);
putchar(' ');
print_tty_data(ptr);
printf("\n");
}
break;
default:
break;
}
}
