/* This function shows how to iterate through the fields of a record * and print its name and raw value and interpretted value. */ static void dump_fields_of_record(auparse_state_t *au) { printf("record type %d(%s) has %d fields\n", auparse_get_type(au), audit_msg_type_to_name(auparse_get_type(au)), auparse_get_num_fields(au)); printf("line=%d file=%s\n", auparse_get_line_number(au), auparse_get_filename(au) ? auparse_get_filename(au) : "stdin"); const au_event_t *e = auparse_get_timestamp(au); if (e == NULL) { printf("Error getting timestamp - aborting\n"); return; } /* Note that e->sec can be treated as time_t data if you want * something a little more readable */ printf("event time: %u.%u:%lu, host=%s\n", (unsigned)e->sec, e->milli, e->serial, e->host ? e->host : "?"); auparse_first_field(au); do { printf("field: %s=%s (%s)\n", auparse_get_field_name(au), auparse_get_field_str(au), auparse_interpret_field(au)); } while (auparse_next_field(au) > 0); printf("\n"); }
static void auparse_callback(auparse_state_t *_au, auparse_cb_event_t cb_event_type, void *user_data) { int *event_cnt = (int *)user_data; int num_records = auparse_get_num_records(_au); int record_cnt; if (cb_event_type == AUPARSE_CB_EVENT_READY) { if (auparse_first_record(_au) <= 0) { return; } record_cnt = 1; do { int audtype = return_audtype(auparse_get_type(_au)); switch(audtype) { case PLACE_OBJ: // au, event number:total rec in event:this num in event process_place_obj(_au, event_cnt, num_records, record_cnt); break; case USER_OBJ: process_user_obj(_au, event_cnt, num_records, record_cnt); break; case SYSCALL_OBJ: process_syscall_obj(_au, event_cnt, num_records, record_cnt); break; case SOCK_OBJ: process_sock_obj(_au, event_cnt, num_records, record_cnt); break; case EXECVE_OBJ: process_execv_obj(_au, event_cnt, num_records, record_cnt); break; case GENERIC_OBJ: process_generic_obj(_au, event_cnt, num_records, record_cnt); break; } const au_event_t *e = auparse_get_timestamp(_au); if (e == NULL) { return; } record_cnt++; } while(auparse_next_record(_au) > 0); // end of do (*event_cnt)++; } // end cb_event_type == AUPARSE_CB_EVENT_READY }
static void process_execv_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt) { char* type = "NULL"; char* t_type = NULL; char* node = "localhost"; char* t_node = NULL; char* argc = "NULL"; char* arg = "NULL"; int num_fields = auparse_get_num_fields(_au) - 1; int n; /* test error condition */ if ( num_fields == -1 ) return; const au_event_t *e = auparse_get_timestamp(_au); if (e == NULL) return; if ( auparse_first_field(_au) == 0 ) return; for ( n = 0 ; n <= num_fields; n++ ) { char* field_name = (char*)auparse_get_field_name_wrap(_au); if ( strcmp(field_name,F_TYPE) == 0 ) { type = (char*)auparse_interpret_field_wrap(_au); t_type = encode_string(type, strlen(type)); } if ( strcmp(field_name, F_NODE) == 0 ) { node = (char*)auparse_interpret_field_wrap(_au); t_node = encode_string(node, strlen(node)); } if ( strcmp(field_name, F_ARGC) == 0 ) argc = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_ARG) == 0 ) arg = (char*)auparse_interpret_field_wrap(_au); auparse_next_field(_au); } bzero(msgbuf, sizeof(msgbuf)); snprintf(msgbuf, sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i EXEC_OBJ %s %u.%u %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses_holder, pid_holder, argc, arg); s_write(msgbuf); free(t_type); free(t_node); return; }
static void process_generic_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt) { char* type = "NULL"; char* t_type = NULL; char* node = "localhost"; char* t_node = NULL; char* ses = "NULL"; char* auid = "NULL"; char* egid = "NULL"; char* euid = "NULL"; char* fsgid = "NULL"; char* fsuid = "NULL"; char* gid = "NULL"; char* suid = "NULL"; char* sgid = "NULL"; char* uid = "NULL"; char* comm = "NULL"; char* t_comm = NULL; char* exe = "NULL"; char* t_exe = NULL; char* a0 = "NULL"; char* t_a0 = NULL; char* a1 = "NULL"; char* t_a1 = NULL; char* a2 = "NULL"; char* t_a2 = NULL; char* pid = "NULL"; char* ppid = "NULL"; char* success = "NULL"; char* xit = "NULL"; char* t_xit = NULL; char* tty = "NULL"; char* key = "NULL"; int num_fields = auparse_get_num_fields(_au) - 1; int n; /* test error condition */ if ( num_fields == -1 ) return; const au_event_t *e = auparse_get_timestamp(_au); if (e == NULL) return; if ( auparse_first_field(_au) == 0 ) return; for ( n = 0 ; n <= num_fields; n++ ) { char* field_name = (char*)auparse_get_field_name_wrap(_au); if ( strcmp(field_name,F_TYPE) == 0 ) { type = (char*)auparse_interpret_field_wrap(_au); t_type = encode_string(type, strlen(type)); } if ( strcmp(field_name, F_NODE) == 0 ) { node = (char*)auparse_interpret_field_wrap(_au); t_node = encode_string(node, strlen(node)); } if ( strcmp(field_name, F_SES) == 0 ) ses = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_EGID) == 0 ) egid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_AUID) == 0 ) auid = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_EUID) == 0 ) euid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_FSGID) == 0 ) fsgid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_FSUID) == 0 ) fsuid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_GID) == 0 ) gid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_SUID) == 0 ) suid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_SGID) == 0 ) sgid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_UID) == 0 ) uid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_COMM) == 0 ) { comm = (char*)auparse_interpret_field_wrap(_au); t_comm = encode_string( comm, strlen(comm)); } if ( strcmp(field_name, F_A0) == 0 ) { a0 = (char*)auparse_get_field_str_wrap(_au); t_a0 = encode_string( a0, strlen(a0)); } if ( strcmp(field_name, F_A1) == 0 ) { a1 = (char*)auparse_get_field_str_wrap(_au); t_a1 = encode_string( a1, strlen(a1)); } if ( strcmp(field_name, F_A2) == 0 ) { a2 = (char*)auparse_get_field_str_wrap(_au); t_a2 = encode_string( a2, strlen(a2)); } if ( strcmp(field_name, F_PID) == 0 ) pid = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_PPID) == 0 ) ppid = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_SUCCESS) == 0 ) success = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_EXIT) == 0 ) { xit = (char*)auparse_interpret_field_wrap(_au); t_xit = encode_string( xit, strlen(xit)); } if ( strcmp(field_name, F_TTY) == 0 ) tty = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_EXE) == 0 ) { exe = (char*)auparse_interpret_field_wrap(_au); t_exe = encode_string( exe, strlen(exe)); } if ( strcmp(field_name, F_KEY) == 0 ) key = (char*)auparse_interpret_field_wrap(_au); auparse_next_field(_au); } bzero(msgbuf, sizeof(msgbuf)); snprintf(msgbuf, sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i GENERIC_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses, auid, key, t_comm, t_exe, t_a0, t_a1, t_a2, uid, gid, euid, egid, fsuid, fsgid, suid, sgid, pid, ppid, tty, success, t_xit); s_write(msgbuf); strncpy(ses_holder,ses,holder_size); strncpy(pid_holder,pid,holder_size); free(t_node); free(t_type); free(t_comm); free(t_a0); free(t_a1); free(t_a2); free(t_xit); free(t_exe); return; }
static void process_user_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt) { char* type = "NULL"; char* t_type = NULL; char* node = "localhost"; char* t_node = NULL; char* ses = "NULL"; char* egid = "NULL"; char* auid = "NULL"; char* euid = "NULL"; char* fsgid = "NULL"; char* fsuid = "NULL"; char* gid = "NULL"; char* suid = "NULL"; char* sgid = "NULL"; char* uid = "NULL"; char* pid = "NULL"; char* success = "NULL"; char* xit = "NULL"; char* t_xit = NULL; char* term = "NULL"; char* exe = "NULL"; char* t_exe = NULL; int num_fields = auparse_get_num_fields(_au) - 1; int n; /* test error condition */ if ( num_fields == -1 ) return; const au_event_t *e = auparse_get_timestamp(_au); if (e == NULL) return; if ( auparse_first_field(_au) == 0 ) return; for ( n = 0 ; n <= num_fields; n++ ) { char* field_name = (char*)auparse_get_field_name_wrap(_au); if ( strcmp(field_name,F_TYPE) == 0 ) { type = (char*)auparse_interpret_field_wrap(_au); t_type = encode_string( type, strlen(type)); } if ( strcmp(field_name, F_NODE) == 0 ) { node = (char*)auparse_interpret_field_wrap(_au); t_node = encode_string( node, strlen(node)); } if ( strcmp(field_name, F_SES) == 0 ) ses = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_EGID) == 0 ) egid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_AUID) == 0 ) auid = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_EUID) == 0 ) euid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_FSGID) == 0 ) fsgid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_FSUID) == 0 ) fsuid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_GID) == 0 ) gid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_SUID) == 0 ) suid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_SGID) == 0 ) sgid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_UID) == 0 ) uid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_PID) == 0 ) pid = (char*)auparse_get_field_str_wrap(_au); if ( strcmp(field_name, F_SUCCESS) == 0 ) success = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_EXIT) == 0 ) { xit = (char*)auparse_interpret_field_wrap(_au); t_xit = encode_string( xit, strlen(xit)); } if ( strcmp(field_name, F_TERM) == 0 ) term = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_EXE) == 0 ) { exe = (char*)auparse_interpret_field_wrap(_au); t_exe = encode_string( exe, strlen(exe)); } auparse_next_field(_au); } strncpy(ses_holder,ses,holder_size); strncpy(pid_holder,pid,holder_size); bzero(msgbuf, sizeof(msgbuf)); snprintf(msgbuf, sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i USER_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses, auid, egid, euid, fsgid, fsuid, gid, suid, sgid, uid, pid, success, t_xit, term, t_exe); s_write(msgbuf); free(t_node); free(t_type); free(t_xit); free(t_exe); return; }
static void process_place_obj(auparse_state_t *_au, int *event_cnt, int num_records, int record_cnt) { char* type = "NULL"; char* t_type = NULL; char* node = "localhost"; char* t_node = NULL; char* cwd = "NULL"; char* t_cwd = NULL; char* path_name = "NULL"; char* t_path_name = NULL; char* inode = "NULL"; char* mode = "NULL"; char* t_mode = NULL; char* ouid = "NULL"; char* ogid = "NULL"; int num_fields = auparse_get_num_fields(_au) - 1; int n; /* test error condition */ if ( num_fields == -1 ) return; const au_event_t *e = auparse_get_timestamp(_au); if (e == NULL) return; if ( auparse_first_field(_au) == 0 ) return; for ( n = 0 ; n <= num_fields; n++ ) { char* field_name = (char*)auparse_get_field_name_wrap(_au); if ( strcmp(field_name, F_TYPE) == 0 ) { type = (char*)auparse_interpret_field_wrap(_au); t_type = encode_string( type, strlen(type)); } if ( strcmp(field_name, F_NODE) == 0 ) { node = (char*)auparse_interpret_field_wrap(_au); t_node = encode_string( node, strlen(node)); } if ( strcmp(field_name, F_CWD) == 0 ) { cwd = (char*)auparse_interpret_field_wrap(_au); t_cwd = encode_string( cwd, strlen(cwd)); } if ( strcmp(field_name, F_NAME) == 0 ) { path_name = (char*)auparse_interpret_field_wrap(_au); t_path_name = encode_string( path_name, strlen(path_name)); } if ( strcmp(field_name, F_INODE) == 0 ) inode = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_MODE) == 0 ) { mode = (char*)auparse_interpret_field_wrap(_au); t_mode = encode_string( mode, strlen(mode)); } if ( strcmp(field_name, F_OUID) == 0 ) ouid = (char*)auparse_interpret_field_wrap(_au); if ( strcmp(field_name, F_OGID) == 0 ) ogid = (char*)auparse_interpret_field_wrap(_au); auparse_next_field(_au); } bzero(msgbuf, sizeof(msgbuf)); snprintf(msgbuf,sizeof(msgbuf) - 1, "NERSCAUD %i:%i:%i PLACE_OBJ %s %u.%u %s %s %s %s %s %s %s %s %s\n", *event_cnt, num_records, record_cnt, t_type, (unsigned)e->sec, e->milli, t_node, ses_holder, pid_holder, t_cwd, t_path_name, inode, t_mode, ouid, ogid); s_write(msgbuf); free(t_type); free(t_node); free(t_cwd); free(t_path_name); free(t_mode); return; }
/* * auparse library callback that's called when an event is ready */ void push_event(auparse_state_t * au, auparse_cb_event_t cb_event_type, void *user_data) { int rc; BerElement *ber; int qualifier; char timestamp[26]; char linkValue[ZOS_REMOTE_LINK_VALUE_SIZE]; char logString[ZOS_REMOTE_LOGSTRING_SIZE]; unsigned long linkValue_tmp; if (cb_event_type != AUPARSE_CB_EVENT_READY) return; const au_event_t *e = auparse_get_timestamp(au); if (e == NULL) return; /* * we have an event. Each record will result in a different 'Item' * (refer ASN.1 definition in zos-remote-ldap.h) */ /* * Create a new BER element to encode the request */ ber = ber_alloc_t(LBER_USE_DER); if (ber == NULL) { log_err("Error allocating memory for BER element"); goto fatal; } /* * Collect some information to fill in every item */ const char *node = auparse_get_node(au); const char *orig_type = auparse_find_field(au, "type"); /* roll back event to get 'success' */ auparse_first_record(au); const char *success = auparse_find_field(au, "success"); /* roll back event to get 'res' */ auparse_first_record(au); const char *res = auparse_find_field(au, "res"); /* check if this event is a success or failure one */ if (success) { if (strncmp(success, "0", 1) == 0 || strncmp(success, "no", 2) == 0) qualifier = ZOS_REMOTE_QUALIF_FAIL; else qualifier = ZOS_REMOTE_QUALIF_SUCCESS; } else if (res) { if (strncmp(res, "0", 1) == 0 || strncmp(res, "failed", 6) == 0) qualifier = ZOS_REMOTE_QUALIF_FAIL; else qualifier = ZOS_REMOTE_QUALIF_SUCCESS; } else qualifier = ZOS_REMOTE_QUALIF_INFO; /* get timestamp text */ ctime_r(&e->sec, timestamp); timestamp[24] = '\0'; /* strip \n' */ /* prepare linkValue which will be used for every item */ linkValue_tmp = htonl(e->serial); /* padronize to use network * byte order */ memset(&linkValue, 0, ZOS_REMOTE_LINK_VALUE_SIZE); memcpy(&linkValue, &linkValue_tmp, sizeof(unsigned long)); /* * Prepare the logString with some meaningful text * We assume the first record type found is the * 'originating' audit record */ sprintf(logString, "Linux (%s): type: %s", node, orig_type); /* * Start writing to BER element. * There's only one field (version) out of the item sequence. * Also open item sequence */ rc = ber_printf(ber, "{i{", ICTX_REQUESTVER); if (rc < 0) goto skip_event; /* * Roll back to first record and iterate through all records */ auparse_first_record(au); do { const char *type = auparse_find_field(au, "type"); if (type == NULL) goto skip_event; log_debug("got record: %s", auparse_get_record_text(au)); /* * First field is item Version, same as global version */ rc = ber_printf(ber, "{i", ICTX_REQUESTVER); /* * Second field is the itemTag * use our internal event counter, increasing it */ rc |= ber_printf(ber, "i", conf.counter++); /* * Third field is the linkValue * using ber_put_ostring since it is not null-terminated */ rc |= ber_put_ostring(ber, linkValue, ZOS_REMOTE_LINK_VALUE_SIZE, LBER_OCTETSTRING); /* * Fourth field is the violation * Don't have anything better yet to put here */ rc |= ber_printf(ber, "b", 0); /* * Fifth field is the event. * FIXME: this might be the place to switch on the * audit record type and map to a more meaningful * SMF type 83, subtype 4 event here */ rc |= ber_printf(ber, "i", ZOS_REMOTE_EVENT_AUTHORIZATION); /* * Sixth field is the qualifier. We map 'success' or * 'res' to this field */ rc |= ber_printf(ber, "i", qualifier); /* * Seventh field is the Class * always use '@LINUX' for this version * max size ZOS_REMOTE_CLASS_SIZE */ rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s", "@LINUX"); /* * Eighth field is the resource * use the record type (name) as the resource * max size ZOS_REMOTE_RESOURCE_SIZE */ rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s", type); /* * Nineth field is the LogString * we try to put something meaningful here * we also start the relocations sequence */ rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s{", logString); /* * Now we start adding the relocations. * Let's add the timestamp as the first one * so it's out of the field loop */ rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_TIMESTAMP); rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s}", timestamp); /* * Check that encoding is going OK until now */ if (rc < 0) goto skip_event; /* * Now go to first field, * and iterate through all fields */ auparse_first_field(au); do { /* * we set a maximum of 1024 chars for * relocation data (field=value pairs) * Hopefuly this wont overflow too often */ char data[1024]; const char *name = auparse_get_field_name(au); const char *value = auparse_interpret_field(au); if (name == NULL || value == NULL) goto skip_event; /* * First reloc field is the Relocation type * We use 'OTHER' here since we don't have * anything better */ rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_OTHER); /* * Second field is the relocation data * We use a 'name=value' pair here * Use up to 1023 chars (one char left for '\0') */ snprintf(data, 1023, "%s=%s", name, value); rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s}", data); /* * Check encoding status */ if (rc < 0) goto skip_event; } while (auparse_next_field(au) > 0); /* * After adding all relocations we are done with * this item - finalize relocs and item */ rc |= ber_printf(ber, "}}"); /* * Check if we are doing well with encoding */ if (rc < 0) goto skip_event; } while (auparse_next_record(au) > 0); /* * We have all items in - finalize item sequence & request */ rc |= ber_printf(ber, "}}"); /* * Check if everything went alright with encoding */ if (rc < 0) goto skip_event; /* * finally, enqueue request and let the other * thread process it */ log_debug("Encoding done, enqueuing event"); enqueue(ber); return; skip_event: log_warn("Warning - error encoding request, skipping event"); ber_free(ber, 1); /* free it since we're not enqueuing it */ return; fatal: log_err("Error - Fatal error while encoding request. Aborting"); stop = 1; }
/* * auparse_callback - callback routine to be executed once a complete event is composed */ void auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type, void *user_data) { int *event_cnt = (int *) user_data; if (cb_event_type == AUPARSE_CB_EVENT_READY) { if (auparse_first_record(au) <= 0) return; /* If no first record, then no event ! */ if (!(flags & F_CHECK)) printf("event=%d records=%d\n", *event_cnt, auparse_get_num_records(au)); do { const au_event_t *e = auparse_get_timestamp(au); if (e == NULL) return; /* If no timestamp, then no event */ /* If checking, we just emit the raw record again */ if (flags & F_CHECK) { if (e->host != NULL) printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):", e->host, auparse_get_type_name(au), (unsigned) e->sec, e->milli, e->serial); else printf("type=%s msg=audit(%u.%3.3u:%lu):", auparse_get_type_name(au), (unsigned) e->sec, e->milli, e->serial); auparse_first_field(au); /* Move to first field */ do { const char *fname = auparse_get_field_name(au); /* We ignore the node and type fields */ if (strcmp(fname, "type") == 0 || strcmp(fname, "node") == 0) continue; printf(" %s=%s", fname, auparse_get_field_str(au)); } while (auparse_next_field(au) > 0); printf("\n"); continue; } printf("fields=%d\t", auparse_get_num_fields(au)); printf("type=%d (%s) ", auparse_get_type(au), auparse_get_type_name(au)); printf("event_tid=%u.%3.3u:%lu ", (unsigned) e->sec, e->milli, e->serial); if (flags & F_VERBOSE) { char *fv, *ifv = NULL; auparse_first_field(au); /* Move to first field */ do { fv = (char *) auparse_get_field_str(au); ifv = (char *) auparse_interpret_field(au); printf("%s=", auparse_get_field_name(au)); print_escape(stdout, fv, "=()"); printf(" ("); print_escape(stdout, ifv, "=()"); printf(") "); } while (auparse_next_field(au) > 0); } printf("\n"); } while (auparse_next_record(au) > 0); (*event_cnt)++; } }