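/* This function shows how to iterate through the fields of a record
 * and print its name and raw value and interpreted value.
 *
 * Prints a record header (type, field count, source line/file), the event
 * timestamp, then one "field: name=raw (interpreted)" line per field.
 * Returns early with a message when no timestamp is available.
 *
 * au  parser positioned on the record to dump
 */
static void dump_fields_of_record(auparse_state_t *au)
{
	int type = auparse_get_type(au);
	const char *type_name = audit_msg_type_to_name(type);
	const char *file = auparse_get_filename(au);

	/* the type-name lookup yields NULL for a type it does not know;
	 * passing NULL to %s is undefined behaviour, so substitute "?" */
	printf("record type %d(%s) has %d fields\n", type,
	       type_name ? type_name : "?", auparse_get_num_fields(au));
	printf("line=%d file=%s\n", auparse_get_line_number(au),
	       file ? file : "stdin");

	const au_event_t *e = auparse_get_timestamp(au);
	if (e == NULL) {
		printf("Error getting timestamp - aborting\n");
		return;
	}
	/* Note that e->sec can be treated as time_t data if you want
	 * something a little more readable */
	printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec,
	       e->milli, e->serial, e->host ? e->host : "?");

	auparse_first_field(au);
	do {
		/* name/value/interpretation may each come back NULL (e.g.
		 * when a field cannot be interpreted); never hand NULL to %s */
		const char *name = auparse_get_field_name(au);
		const char *raw = auparse_get_field_str(au);
		const char *interp = auparse_interpret_field(au);

		printf("field: %s=%s (%s)\n", name ? name : "?",
		       raw ? raw : "?", interp ? interp : "?");
	} while (auparse_next_field(au) > 0);
	printf("\n");
}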
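/* Emit an EXEC_OBJ line for the current record.
 *
 * Walks every field of the record once, picking up the type, node, argc
 * and argument fields, and writes one space-separated NERSCAUD line via
 * s_write().  The session id and pid come from the module-level
 * ses_holder/pid_holder filled in by an earlier record of the event.
 *
 * _au         parser positioned on the record to emit
 * event_cnt   running event counter (read only)
 * num_records number of records in the event
 * record_cnt  index of this record within the event
 */
static void process_execv_obj(auparse_state_t *_au, int *event_cnt,
			      int num_records, int record_cnt)
{
	/* raw values default to the literal "NULL" (node to "localhost") so
	 * the output line always has every column */
	char *type = "NULL", *t_type = NULL;	/* t_* are encoded copies owned here */
	char *node = "localhost", *t_node = NULL;
	char *argc = "NULL";
	char *arg = "NULL";
	int num_fields = auparse_get_num_fields(_au) - 1;

	/* test error condition: a record with no fields */
	if (num_fields == -1)
		return;
	const au_event_t *e = auparse_get_timestamp(_au);
	if (e == NULL)
		return;
	if (auparse_first_field(_au) == 0)
		return;

	for (int n = 0; n <= num_fields; n++) {
		char *field_name = (char *)auparse_get_field_name_wrap(_au);

		/* encoded fields free() any earlier copy first, so a repeated
		 * field name cannot leak the previous allocation */
		if (strcmp(field_name, F_TYPE) == 0) {
			type = (char *)auparse_interpret_field_wrap(_au);
			free(t_type);
			t_type = encode_string(type, strlen(type));
		} else if (strcmp(field_name, F_NODE) == 0) {
			node = (char *)auparse_interpret_field_wrap(_au);
			free(t_node);
			t_node = encode_string(node, strlen(node));
		} else if (strcmp(field_name, F_ARGC) == 0) {
			argc = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_ARG) == 0) {
			/* NOTE(review): unlike a0-a2 in GENERIC_OBJ this value is
			 * written unencoded; an argument containing whitespace or a
			 * newline breaks the one-line, space-separated layout the
			 * consumer parses.  Left as-is to keep the output format. */
			arg = (char *)auparse_interpret_field_wrap(_au);
		}
		auparse_next_field(_au);
	}

	memset(msgbuf, 0, sizeof(msgbuf));
	/* an encoded copy is still NULL when its field was absent; fall back
	 * to the raw default so %s never receives a null pointer */
	snprintf(msgbuf, sizeof(msgbuf) - 1,
		 "NERSCAUD %i:%i:%i EXEC_OBJ %s %u.%u %s %s %s %s %s\n",
		 *event_cnt, num_records, record_cnt,
		 t_type ? t_type : type, (unsigned)e->sec, e->milli,
		 t_node ? t_node : node, ses_holder, pid_holder, argc, arg);
	s_write(msgbuf);
	free(t_type);
	free(t_node);
}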
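/* Emit a GENERIC_OBJ line for the current record.
 *
 * Walks every field once, collecting the identity, process and result
 * fields, encodes the free-form ones (type, node, comm, exe, a0-a2, exit)
 * with encode_string() and writes one space-separated NERSCAUD line via
 * s_write().  The session id and pid are also copied into the module-level
 * ses_holder/pid_holder so later records of the same event can refer to
 * them.
 *
 * _au         parser positioned on the record to emit
 * event_cnt   running event counter (read only)
 * num_records number of records in the event
 * record_cnt  index of this record within the event
 */
static void process_generic_obj(auparse_state_t *_au, int *event_cnt,
				int num_records, int record_cnt)
{
	/* raw values default to the literal "NULL" (node to "localhost") so
	 * the output line always has every column; t_* are encoded copies
	 * owned by this function */
	char *type = "NULL", *t_type = NULL;
	char *node = "localhost", *t_node = NULL;
	char *ses = "NULL";
	char *auid = "NULL";
	char *egid = "NULL";
	char *euid = "NULL";
	char *fsgid = "NULL";
	char *fsuid = "NULL";
	char *gid = "NULL";
	char *suid = "NULL";
	char *sgid = "NULL";
	char *uid = "NULL";
	char *comm = "NULL", *t_comm = NULL;
	char *exe = "NULL", *t_exe = NULL;
	char *a0 = "NULL", *t_a0 = NULL;
	char *a1 = "NULL", *t_a1 = NULL;
	char *a2 = "NULL", *t_a2 = NULL;
	char *pid = "NULL";
	char *ppid = "NULL";
	char *success = "NULL";
	char *xit = "NULL", *t_xit = NULL;
	char *tty = "NULL";
	char *key = "NULL";
	int num_fields = auparse_get_num_fields(_au) - 1;

	/* test error condition: a record with no fields */
	if (num_fields == -1)
		return;
	const au_event_t *e = auparse_get_timestamp(_au);
	if (e == NULL)
		return;
	if (auparse_first_field(_au) == 0)
		return;

	for (int n = 0; n <= num_fields; n++) {
		char *field_name = (char *)auparse_get_field_name_wrap(_au);

		/* encoded fields free() any earlier copy first, so a repeated
		 * field name cannot leak the previous allocation */
		if (strcmp(field_name, F_TYPE) == 0) {
			type = (char *)auparse_interpret_field_wrap(_au);
			free(t_type);
			t_type = encode_string(type, strlen(type));
		} else if (strcmp(field_name, F_NODE) == 0) {
			node = (char *)auparse_interpret_field_wrap(_au);
			free(t_node);
			t_node = encode_string(node, strlen(node));
		} else if (strcmp(field_name, F_SES) == 0) {
			ses = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_EGID) == 0) {
			egid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_AUID) == 0) {
			auid = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_EUID) == 0) {
			euid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_FSGID) == 0) {
			fsgid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_FSUID) == 0) {
			fsuid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_GID) == 0) {
			gid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_SUID) == 0) {
			suid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_SGID) == 0) {
			sgid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_UID) == 0) {
			uid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_COMM) == 0) {
			comm = (char *)auparse_interpret_field_wrap(_au);
			free(t_comm);
			t_comm = encode_string(comm, strlen(comm));
		} else if (strcmp(field_name, F_A0) == 0) {
			a0 = (char *)auparse_get_field_str_wrap(_au);
			free(t_a0);
			t_a0 = encode_string(a0, strlen(a0));
		} else if (strcmp(field_name, F_A1) == 0) {
			a1 = (char *)auparse_get_field_str_wrap(_au);
			free(t_a1);
			t_a1 = encode_string(a1, strlen(a1));
		} else if (strcmp(field_name, F_A2) == 0) {
			a2 = (char *)auparse_get_field_str_wrap(_au);
			free(t_a2);
			t_a2 = encode_string(a2, strlen(a2));
		} else if (strcmp(field_name, F_PID) == 0) {
			pid = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_PPID) == 0) {
			ppid = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_SUCCESS) == 0) {
			success = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_EXIT) == 0) {
			xit = (char *)auparse_interpret_field_wrap(_au);
			free(t_xit);
			t_xit = encode_string(xit, strlen(xit));
		} else if (strcmp(field_name, F_TTY) == 0) {
			tty = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_EXE) == 0) {
			exe = (char *)auparse_interpret_field_wrap(_au);
			free(t_exe);
			t_exe = encode_string(exe, strlen(exe));
		} else if (strcmp(field_name, F_KEY) == 0) {
			key = (char *)auparse_interpret_field_wrap(_au);
		}
		auparse_next_field(_au);
	}

	memset(msgbuf, 0, sizeof(msgbuf));
	/* an encoded copy is still NULL when its field was absent; fall back
	 * to the raw default so %s never receives a null pointer */
	snprintf(msgbuf, sizeof(msgbuf) - 1,
		 "NERSCAUD %i:%i:%i GENERIC_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n",
		 *event_cnt, num_records, record_cnt,
		 t_type ? t_type : type, (unsigned)e->sec, e->milli,
		 t_node ? t_node : node, ses, auid, key,
		 t_comm ? t_comm : comm, t_exe ? t_exe : exe,
		 t_a0 ? t_a0 : a0, t_a1 ? t_a1 : a1, t_a2 ? t_a2 : a2,
		 uid, gid, euid, egid, fsuid, fsgid, suid, sgid, pid, ppid,
		 tty, success, t_xit ? t_xit : xit);
	s_write(msgbuf);

	/* snprintf() always NUL-terminates; strncpy() would leave the holder
	 * unterminated when the value fills the whole buffer, and the holders
	 * are later printed with %s */
	snprintf(ses_holder, holder_size, "%s", ses);
	snprintf(pid_holder, holder_size, "%s", pid);

	free(t_node);
	free(t_type);
	free(t_comm);
	free(t_a0);
	free(t_a1);
	free(t_a2);
	free(t_xit);
	free(t_exe);
}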
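/* Emit a USER_OBJ line for the current record.
 *
 * Walks every field once, collecting the identity and result fields,
 * encodes the free-form ones (type, node, exit, exe) with encode_string()
 * and writes one space-separated NERSCAUD line via s_write().  The session
 * id and pid are also copied into the module-level ses_holder/pid_holder so
 * later records of the same event can refer to them.
 *
 * _au         parser positioned on the record to emit
 * event_cnt   running event counter (read only)
 * num_records number of records in the event
 * record_cnt  index of this record within the event
 */
static void process_user_obj(auparse_state_t *_au, int *event_cnt,
			     int num_records, int record_cnt)
{
	/* raw values default to the literal "NULL" (node to "localhost") so
	 * the output line always has every column; t_* are encoded copies
	 * owned by this function */
	char *type = "NULL", *t_type = NULL;
	char *node = "localhost", *t_node = NULL;
	char *ses = "NULL";
	char *egid = "NULL";
	char *auid = "NULL";
	char *euid = "NULL";
	char *fsgid = "NULL";
	char *fsuid = "NULL";
	char *gid = "NULL";
	char *suid = "NULL";
	char *sgid = "NULL";
	char *uid = "NULL";
	char *pid = "NULL";
	char *success = "NULL";
	char *xit = "NULL", *t_xit = NULL;
	char *term = "NULL";
	char *exe = "NULL", *t_exe = NULL;
	int num_fields = auparse_get_num_fields(_au) - 1;

	/* test error condition: a record with no fields */
	if (num_fields == -1)
		return;
	const au_event_t *e = auparse_get_timestamp(_au);
	if (e == NULL)
		return;
	if (auparse_first_field(_au) == 0)
		return;

	for (int n = 0; n <= num_fields; n++) {
		char *field_name = (char *)auparse_get_field_name_wrap(_au);

		/* encoded fields free() any earlier copy first, so a repeated
		 * field name cannot leak the previous allocation */
		if (strcmp(field_name, F_TYPE) == 0) {
			type = (char *)auparse_interpret_field_wrap(_au);
			free(t_type);
			t_type = encode_string(type, strlen(type));
		} else if (strcmp(field_name, F_NODE) == 0) {
			node = (char *)auparse_interpret_field_wrap(_au);
			free(t_node);
			t_node = encode_string(node, strlen(node));
		} else if (strcmp(field_name, F_SES) == 0) {
			ses = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_EGID) == 0) {
			egid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_AUID) == 0) {
			auid = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_EUID) == 0) {
			euid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_FSGID) == 0) {
			fsgid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_FSUID) == 0) {
			fsuid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_GID) == 0) {
			gid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_SUID) == 0) {
			suid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_SGID) == 0) {
			sgid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_UID) == 0) {
			uid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_PID) == 0) {
			pid = (char *)auparse_get_field_str_wrap(_au);
		} else if (strcmp(field_name, F_SUCCESS) == 0) {
			success = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_EXIT) == 0) {
			xit = (char *)auparse_interpret_field_wrap(_au);
			free(t_xit);
			t_xit = encode_string(xit, strlen(xit));
		} else if (strcmp(field_name, F_TERM) == 0) {
			term = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_EXE) == 0) {
			exe = (char *)auparse_interpret_field_wrap(_au);
			free(t_exe);
			t_exe = encode_string(exe, strlen(exe));
		}
		auparse_next_field(_au);
	}

	/* snprintf() always NUL-terminates; strncpy() would leave the holder
	 * unterminated when the value fills the whole buffer, and the holders
	 * are later printed with %s */
	snprintf(ses_holder, holder_size, "%s", ses);
	snprintf(pid_holder, holder_size, "%s", pid);

	memset(msgbuf, 0, sizeof(msgbuf));
	/* an encoded copy is still NULL when its field was absent; fall back
	 * to the raw default so %s never receives a null pointer */
	snprintf(msgbuf, sizeof(msgbuf) - 1,
		 "NERSCAUD %i:%i:%i USER_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n",
		 *event_cnt, num_records, record_cnt,
		 t_type ? t_type : type, (unsigned)e->sec, e->milli,
		 t_node ? t_node : node, ses, auid, egid, euid, fsgid, fsuid,
		 gid, suid, sgid, uid, pid, success, t_xit ? t_xit : xit,
		 term, t_exe ? t_exe : exe);
	s_write(msgbuf);

	free(t_node);
	free(t_type);
	free(t_xit);
	free(t_exe);
}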
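/* Emit a PLACE_OBJ line for the current record (CWD/PATH-style records).
 *
 * Walks every field once, collecting the location fields, encodes the
 * free-form ones (type, node, cwd, name, mode) with encode_string() and
 * writes one space-separated NERSCAUD line via s_write().  The session id
 * and pid come from the module-level ses_holder/pid_holder filled in by an
 * earlier record of the event.
 *
 * _au         parser positioned on the record to emit
 * event_cnt   running event counter (read only)
 * num_records number of records in the event
 * record_cnt  index of this record within the event
 */
static void process_place_obj(auparse_state_t *_au, int *event_cnt,
			      int num_records, int record_cnt)
{
	/* raw values default to the literal "NULL" (node to "localhost") so
	 * the output line always has every column; t_* are encoded copies
	 * owned by this function */
	char *type = "NULL", *t_type = NULL;
	char *node = "localhost", *t_node = NULL;
	char *cwd = "NULL", *t_cwd = NULL;
	char *path_name = "NULL", *t_path_name = NULL;
	char *inode = "NULL";
	char *mode = "NULL", *t_mode = NULL;
	char *ouid = "NULL";
	char *ogid = "NULL";
	int num_fields = auparse_get_num_fields(_au) - 1;

	/* test error condition: a record with no fields */
	if (num_fields == -1)
		return;
	const au_event_t *e = auparse_get_timestamp(_au);
	if (e == NULL)
		return;
	if (auparse_first_field(_au) == 0)
		return;

	for (int n = 0; n <= num_fields; n++) {
		char *field_name = (char *)auparse_get_field_name_wrap(_au);

		/* encoded fields free() any earlier copy first, so a repeated
		 * field name cannot leak the previous allocation */
		if (strcmp(field_name, F_TYPE) == 0) {
			type = (char *)auparse_interpret_field_wrap(_au);
			free(t_type);
			t_type = encode_string(type, strlen(type));
		} else if (strcmp(field_name, F_NODE) == 0) {
			node = (char *)auparse_interpret_field_wrap(_au);
			free(t_node);
			t_node = encode_string(node, strlen(node));
		} else if (strcmp(field_name, F_CWD) == 0) {
			cwd = (char *)auparse_interpret_field_wrap(_au);
			free(t_cwd);
			t_cwd = encode_string(cwd, strlen(cwd));
		} else if (strcmp(field_name, F_NAME) == 0) {
			path_name = (char *)auparse_interpret_field_wrap(_au);
			free(t_path_name);
			t_path_name = encode_string(path_name, strlen(path_name));
		} else if (strcmp(field_name, F_INODE) == 0) {
			inode = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_MODE) == 0) {
			mode = (char *)auparse_interpret_field_wrap(_au);
			free(t_mode);
			t_mode = encode_string(mode, strlen(mode));
		} else if (strcmp(field_name, F_OUID) == 0) {
			ouid = (char *)auparse_interpret_field_wrap(_au);
		} else if (strcmp(field_name, F_OGID) == 0) {
			ogid = (char *)auparse_interpret_field_wrap(_au);
		}
		auparse_next_field(_au);
	}

	memset(msgbuf, 0, sizeof(msgbuf));
	/* an encoded copy is still NULL when its field was absent; fall back
	 * to the raw default so %s never receives a null pointer */
	snprintf(msgbuf, sizeof(msgbuf) - 1,
		 "NERSCAUD %i:%i:%i PLACE_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s\n",
		 *event_cnt, num_records, record_cnt,
		 t_type ? t_type : type, (unsigned)e->sec, e->milli,
		 t_node ? t_node : node, ses_holder, pid_holder,
		 t_cwd ? t_cwd : cwd, t_path_name ? t_path_name : path_name,
		 inode, t_mode ? t_mode : mode, ouid, ogid);
	s_write(msgbuf);

	free(t_type);
	free(t_node);
	free(t_cwd);
	free(t_path_name);
	free(t_mode);
}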
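/*
 * auparse_callback - callback routine to be executed once a complete event
 * is composed.
 *
 * Only AUPARSE_CB_EVENT_READY is handled.  For each record of the event it
 * either re-emits the raw record (flags & F_CHECK) or prints a summary line
 * and, with F_VERBOSE, every field with its raw and interpreted value run
 * through print_escape().  user_data points at the caller's event counter,
 * which is incremented once per event that has a first record and a
 * timestamp.
 */
void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type,
		      void *user_data)
{
	int *event_cnt = (int *)user_data;

	if (cb_event_type != AUPARSE_CB_EVENT_READY)
		return;
	if (auparse_first_record(au) <= 0)
		return;	/* If no first record, then no event ! */

	if (!(flags & F_CHECK))
		printf("event=%d records=%d\n", *event_cnt,
		       auparse_get_num_records(au));

	do {
		const au_event_t *e = auparse_get_timestamp(au);
		if (e == NULL)
			return;	/* If no timestamp, then no event */

		/* the type-name lookup yields NULL for a type it does not know;
		 * passing NULL to %s is undefined behaviour */
		const char *tname = auparse_get_type_name(au);
		if (tname == NULL)
			tname = "?";

		if (flags & F_CHECK) {
			/* If checking, we just emit the raw record again */
			if (e->host != NULL)
				printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):",
				       e->host, tname, (unsigned)e->sec,
				       e->milli, e->serial);
			else
				printf("type=%s msg=audit(%u.%3.3u:%lu):",
				       tname, (unsigned)e->sec, e->milli,
				       e->serial);
			auparse_first_field(au);	/* Move to first field */
			do {
				const char *fname = auparse_get_field_name(au);
				/* We ignore the node and type fields (already printed)
				 * and any field without a name, which strcmp() cannot
				 * take; continue jumps to the loop condition */
				if (fname == NULL || strcmp(fname, "type") == 0 ||
				    strcmp(fname, "node") == 0)
					continue;
				const char *fv = auparse_get_field_str(au);
				printf(" %s=%s", fname, fv ? fv : "?");
			} while (auparse_next_field(au) > 0);
			printf("\n");
			continue;
		}

		printf("fields=%d\t", auparse_get_num_fields(au));
		printf("type=%d (%s) ", auparse_get_type(au), tname);
		printf("event_tid=%u.%3.3u:%lu ", (unsigned)e->sec, e->milli,
		       e->serial);
		if (flags & F_VERBOSE) {
			auparse_first_field(au);	/* Move to first field */
			do {
				const char *fname = auparse_get_field_name(au);
				/* print_escape() takes a non-const buffer; the casts
				 * mirror the original handling of the const results */
				char *fv = (char *)auparse_get_field_str(au);
				char *ifv = (char *)auparse_interpret_field(au);

				printf("%s=", fname ? fname : "?");
				print_escape(stdout, fv, "=()");
				printf(" (");
				print_escape(stdout, ifv, "=()");
				printf(") ");
			} while (auparse_next_field(au) > 0);
		}
		printf("\n");
	} while (auparse_next_record(au) > 0);
	(*event_cnt)++;
}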