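/*
 * print_per_event_item - print one line of a detailed (non-summary)
 * report for the event held in l.
 *
 * Every line starts with a running item number and the event time in the
 * local time zone; the remaining columns depend on the global report_type
 * (the column order is noted at the top of each case).  Record fields that
 * can be absent are printed as "?" so that every line keeps its column
 * layout and printf() is never handed a NULL for "%s" (undefined
 * behaviour; the ACCT_MOD/USER/EXE/COMM cases already did this and the
 * other cases now follow the same convention).
 *
 * Globals: reads report_type; increments line_item once per line printed.
 * Side effect: for RPT_TTY the record text in l->head->message is cut in
 * place at the last space following "data=".
 */
void print_per_event_item(llist *l)
{
	char buf[128];
	char name[64];
	char date[32];
	struct tm *tv;

	/* Prefix common to all report types: the event timestamp.  If
	 * localtime() fails, or strftime() returns 0 (date would then be
	 * indeterminate), print "?" instead. */
	tv = localtime(&l->e.sec);
	if (tv == NULL || strftime(date, sizeof(date), "%x %T", tv) == 0)
		strcpy(date, "?");

	/* One event may carry several AVC records and each gets its own
	 * numbered line, so the AVC case does its own numbering below. */
	if (report_type != RPT_AVC) {
		line_item++;
		printf("%u. %s ", line_item, date);
	}

	switch (report_type) {
	case RPT_AVC:
		/* command subject syscall action obj res event */
		if (l->s.avc == NULL || !alist_find_avc(l->s.avc))
			break;	/* nothing to print: no AVC record found */
		do {
			anode *an = l->s.avc->cur;
			if (an == NULL)
				break;
			line_item++;
			printf("%u. %s ", line_item, date);
			safe_print_string(l->s.comm ? l->s.comm : "?", 0);
			printf(" %s %s %s %s %s %s %lu\n",
				an->scontext ? an->scontext : "?",
				aulookup_syscall(l, buf, sizeof(buf)),
				an->avc_class ? an->avc_class : "?",
				an->avc_perm ? an->avc_perm : "?",
				an->tcontext ? an->tcontext : "?",
				aulookup_result(an->avc_result),
				l->e.serial);
		} while (alist_next_avc(l->s.avc));
		break;
	case RPT_CONFIG:
		/* FIXME: who, action, what, outcome, event
		 * NOW:   type auid success event */
		printf("%s %s %s %lu\n",
			audit_msg_type_to_name(l->head->type),
			aulookup_uid(l->s.loginuid, name, sizeof(name)),
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_AUTH:
		/* who addr terminal exe success event
		 * uid (not loginuid) is used here: on a failed login the
		 * loginuid is not set, and acct names the account tried. */
		safe_print_string(l->s.acct ? l->s.acct :
			aulookup_uid(l->s.uid, name, sizeof(name)), 0);
		printf(" %s %s %s %s %lu\n",
			l->s.hostname ? l->s.hostname : "?",
			l->s.terminal ? l->s.terminal : "?",
			l->s.exe ? l->s.exe : "?",
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_LOGIN:
		/* who addr terminal exe success event
		 * loginuid is valid for successful logins; on a failed
		 * login it is not set, so acct is used in that case. */
		safe_print_string(((l->s.success == S_FAILED) && l->s.acct) ?
			l->s.acct :
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %s %s %s %s %lu\n",
			l->s.hostname ? l->s.hostname : "?",
			l->s.terminal ? l->s.terminal : "?",
			l->s.exe ? l->s.exe : "?",
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_ACCT_MOD:
		/* who addr terminal exe success event */
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %s %s %s %s %s %lu\n",
			l->s.hostname ? l->s.hostname : "?",
			l->s.terminal ? l->s.terminal : "?",
			l->s.exe ? l->s.exe : "?",
			l->s.acct ? l->s.acct : "?",
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_EVENT:	/* report_detail == D_DETAILED */
		/* event type who success */
		printf("%lu %s ", l->e.serial,
			audit_msg_type_to_name(l->head->type));
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %s\n", aulookup_success(l->s.success));
		break;
	case RPT_FILE: {	/* report_detail == D_DETAILED */
		/* file syscall success exe who event */
		slist *s = l->s.filename;
		char *fname = "";

		if (s) {
			slist_first(s);
			/* With several names recorded, skip the PARENT
			 * entries so the object itself is reported rather
			 * than its directory. */
			if (s->cnt > 1) {
				while (s->cur && s->cur->key &&
				       strcmp(s->cur->key, "PARENT") == 0)
					slist_next(s);
			}
			if (s->cur && s->cur->str)
				fname = s->cur->str;
		}
		safe_print_string(fname, 0);
		printf(" %s %s ", aulookup_syscall(l, buf, sizeof(buf)),
			aulookup_success(l->s.success));
		safe_print_string(l->s.exe ? l->s.exe : "?", 0);
		putchar(' ');
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		}
		break;
	case RPT_HOST:	/* report_detail == D_DETAILED */
		/* host syscall who event */
		printf("%s %s ", l->s.hostname ? l->s.hostname : "?",
			aulookup_syscall(l, buf, sizeof(buf)));
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_PID:	/* report_detail == D_DETAILED */
		/* pid exe syscall who event */
		printf("%u ", l->s.pid);
		safe_print_string(l->s.exe ? l->s.exe : "?", 0);
		printf(" %s ", aulookup_syscall(l, buf, sizeof(buf)));
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_SYSCALL:	/* report_detail == D_DETAILED */
		/* syscall pid comm who event */
		printf("%s %u ", aulookup_syscall(l, buf, sizeof(buf)),
			l->s.pid);
		safe_print_string(l->s.comm ? l->s.comm : "?", 0);
		putchar(' ');
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_TERM:	/* report_detail == D_DETAILED */
		/* terminal host exe who event */
		printf("%s %s ", l->s.terminal ? l->s.terminal : "?",
			l->s.hostname ? l->s.hostname : "?");
		safe_print_string(l->s.exe ? l->s.exe : "?", 0);
		putchar(' ');
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_USER:	/* report_detail == D_DETAILED */
		/* who terminal host exe event */
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %s %s ", l->s.terminal ? l->s.terminal : "?",
			l->s.hostname ? l->s.hostname : "?");
		safe_print_string(l->s.exe ? l->s.exe : "?", 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_EXE:	/* report_detail == D_DETAILED */
		/* exe terminal host who event */
		safe_print_string(l->s.exe ? l->s.exe : "?", 0);
		printf(" %s %s ", l->s.terminal ? l->s.terminal : "?",
			l->s.hostname ? l->s.hostname : "?");
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_COMM:	/* report_detail == D_DETAILED */
		/* comm terminal host who event */
		safe_print_string(l->s.comm ? l->s.comm : "?", 0);
		printf(" %s %s ", l->s.terminal ? l->s.terminal : "?",
			l->s.hostname ? l->s.hostname : "?");
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_ANOMALY:	/* report_detail == D_DETAILED */
		/* type exe term host auid event
		 * exe is preferred; comm stands in when exe is missing. */
		printf("%s ", audit_msg_type_to_name(l->head->type));
		safe_print_string(l->s.exe ? l->s.exe :
			l->s.comm ? l->s.comm : "?", 0);
		printf(" %s %s ", l->s.terminal ? l->s.terminal : "?",
			l->s.hostname ? l->s.hostname : "?");
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		break;
	case RPT_RESPONSE:	/* report_detail == D_DETAILED */
		/* type success event */
		printf("%s %s %lu\n",
			audit_msg_type_to_name(l->head->type),
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_MAC:
		/* auid type success event */
		printf("%s %s %s %lu\n",
			aulookup_uid(l->s.loginuid, name, sizeof(name)),
			audit_msg_type_to_name(l->head->type),
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_INTEG:
		/* type success event */
		printf("%s %s %lu\n",
			audit_msg_type_to_name(l->head->type),
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_VIRT:
		/* type success event */
		printf("%s %s %lu\n",
			audit_msg_type_to_name(l->head->type),
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_CRYPTO:
		/* auid type success event */
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %s %s %lu\n",
			audit_msg_type_to_name(l->head->type),
			aulookup_success(l->s.success),
			l->e.serial);
		break;
	case RPT_KEY: {	/* report_detail == D_DETAILED */
		/* key success exe who event */
		char *key = NULL;

		if (l->s.key) {
			slist_first(l->s.key);
			if (l->s.key->cur)
				key = l->s.key->cur->str;
		}
		printf("%s %s ", key ? key : "?",
			aulookup_success(l->s.success));
		safe_print_string(l->s.exe ? l->s.exe : "?", 0);
		putchar(' ');
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %lu\n", l->e.serial);
		}
		break;
	case RPT_TTY: {
		/* event who term sess data */
		char *ch, *ptr = l->head->message ?
			strstr(l->head->message, "data=") : NULL;

		if (!ptr) {
			/* The line prefix has already been printed, so
			 * terminate the line instead of letting the next
			 * record be appended to it. */
			putchar('\n');
			break;
		}
		ptr += 5;	/* step past "data=" */
		/* Cut the record at the last space after the data so only
		 * the data field is printed; this modifies the message
		 * text in place. */
		ch = strrchr(ptr, ' ');
		if (ch)
			*ch = 0;
		printf("%lu ", l->e.serial);
		safe_print_string(
			aulookup_uid(l->s.loginuid, name, sizeof(name)), 0);
		printf(" %s %u ", l->s.terminal ? l->s.terminal : "?",
			l->s.session_id);
		safe_print_string(l->s.comm ? l->s.comm : "?", 0);
		putchar(' ');
		print_tty_data(ptr);
		printf("\n");
		}
		break;
	default:
		break;
	}
}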
/*
 * Add the user an auth/login record refers to into sd.users.
 *
 * When loginuid is the -2 sentinel (loginuid not set on the record) and
 * an account name is present, the account name is used; otherwise the
 * loginuid is resolved to a name and that is used.
 */
static void summary_note_user(llist *l)
{
	char name[64];

	if (l->s.loginuid == -2 && l->s.acct != NULL) {
		slist_add_if_uniq(&sd.users, l->s.acct);
		return;
	}
	slist_add_if_uniq(&sd.users,
			  aulookup_uid(l->s.loginuid, name, sizeof(name)));
}

/*
 * Add the target context of every AVC record in l into sd.avc_objs.
 * Nothing is added when the event holds no AVC record.
 */
static void summary_note_avc_objs(llist *l)
{
	if (!alist_find_avc(l->s.avc))
		return;
	do {
		slist_add_if_uniq(&sd.avc_objs, l->s.avc->cur->tcontext);
	} while (alist_next_avc(l->s.avc));
}

/*
 * per_event_summary - fold one event into the summary tables held in sd
 * for the current report_type.
 *
 * Returns 1 for RPT_SUMMARY (the event was handed to do_summary_total),
 * 0 for every other report type.
 */
static int per_event_summary(llist *l)
{
	switch (report_type) {
	case RPT_SUMMARY:
		do_summary_total(l);
		return 1;
	case RPT_AVC:
		/* Kernel and user-space AVC records are tallied alike. */
		if (list_find_msg(l, AUDIT_AVC) ||
		    list_find_msg(l, AUDIT_USER_AVC))
			summary_note_avc_objs(l);
		break;
	case RPT_MAC:
		if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
					AUDIT_MAC_MAP_DEL) ||
		    list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
					AUDIT_LAST_USER_LSPP_MSG))
			ilist_add_if_uniq(&sd.mac_list, l->head->type, 0);
		break;
	case RPT_CONFIG:
	case RPT_ACCT_MOD:
	case RPT_TTY:
		UNIMPLEMENTED;
		break;
	case RPT_AUTH:
		if (list_find_msg(l, AUDIT_USER_AUTH))
			summary_note_user(l);
		else if (list_find_msg(l, AUDIT_USER_ACCT) &&
			 l->s.success == S_FAILED)
			summary_note_user(l);	/* only failures are counted */
		break;
	case RPT_LOGIN:
		if (list_find_msg(l, AUDIT_USER_LOGIN))
			summary_note_user(l);
		break;
	case RPT_EVENT:
		/* The pid list is borrowed to collect distinct record types. */
		if (l->head->type != -1)
			ilist_add_if_uniq(&sd.pids, l->head->type, 0);
		break;
	case RPT_FILE:
		if (l->s.filename) {
			slist *fl = l->s.filename;
			const snode *fn;

			slist_first(fl);
			for (fn = slist_get_cur(fl); fn; fn = slist_next(fl)) {
				if (fn->str)
					slist_add_if_uniq(&sd.files, fn->str);
			}
		}
		break;
	case RPT_HOST:
		if (l->s.hostname)
			slist_add_if_uniq(&sd.hosts, l->s.hostname);
		break;
	case RPT_PID:
		if (l->s.pid != -1)
			ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
		break;
	case RPT_SYSCALL:
		if (l->s.syscall > 0)
			ilist_add_if_uniq(&sd.sys_list, l->s.syscall,
					  l->s.arch);
		break;
	case RPT_TERM:
		if (l->s.terminal)
			slist_add_if_uniq(&sd.terms, l->s.terminal);
		break;
	case RPT_USER:
		/* Users are keyed by the numeric loginuid here. */
		if (l->s.loginuid != -2) {
			char tmp[32];

			snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
			slist_add_if_uniq(&sd.users, tmp);
		}
		break;
	case RPT_EXE:
		if (l->s.exe)
			slist_add_if_uniq(&sd.exes, l->s.exe);
		break;
	case RPT_ANOMALY:
		if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
					AUDIT_LAST_ANOM_MSG) ||
		    list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
					AUDIT_LAST_KERN_ANOM_MSG))
			ilist_add_if_uniq(&sd.anom_list, l->head->type, 0);
		break;
	case RPT_RESPONSE:
		if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
					AUDIT_LAST_ANOM_RESP))
			ilist_add_if_uniq(&sd.resp_list, l->head->type, 0);
		break;
	case RPT_CRYPTO:
		if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
					AUDIT_LAST_KERN_CRYPTO_MSG) ||
		    list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
					AUDIT_LAST_CRYPTO_MSG))
			ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0);
		break;
	case RPT_KEY:
		if (l->s.key) {
			slist *kl = l->s.key;
			const snode *kn;

			slist_first(kl);
			for (kn = slist_get_cur(kl); kn; kn = slist_next(kl)) {
				/* A literal "(null)" key is not a real key. */
				if (kn->str && strcmp(kn->str, "(null)"))
					slist_add_if_uniq(&sd.keys, kn->str);
			}
		}
		break;
	default:
		break;
	}
	return 0;
}