コード例 #1
0
ファイル: aulast.c プロジェクト: Distrotech/libaudit
static void process_bootup(auparse_state_t *au)
{
	lnode *cur;
	int start;

	// See if we have unclosed boot up and make into CRASH record
	list_first(&l);
	cur = list_get_cur(&l);
	while (cur) {
		if (cur->name) {
			cur->user_end_proof = auparse_get_serial(au);
			cur->status = CRASH;
			cur->end = auparse_get_time(au);
			report_session(cur);
		}
		cur = list_next(&l);
	}

	// Logout and process anyone still left in the machine
	list_first(&l);
	cur = list_get_cur(&l);
	while (cur) {
		if (cur->status != CRASH) {
			cur->user_end_proof = auparse_get_serial(au);
			cur->status = DOWN;
			cur->end = auparse_get_time(au);
			report_session(cur);
		}
		cur = list_next(&l);
	}

	// Since this is a boot message, all old entries should be gone
	list_clear(&l);
	list_create(&l);

	// make reboot record - user:reboot, tty:system boot, host: kernel 
	start = auparse_get_time(au);
	list_create_session(&l, 0, 0, 0, auparse_get_serial(au));
	cur = list_get_cur(&l);
	cur->start = start;
	cur->name = strdup("reboot");
	cur->term = strdup("system boot");
	if (kernel)
		cur->host = strdup(kernel);
	cur->result = 0;
}
コード例 #2
0
ファイル: aulast.c プロジェクト: pexip/os-audit
static void process_bootup(auparse_state_t *au)
{
    lnode *cur;
    int start;
    struct utsname ubuf;

    // See if we have unclosed boot up and make into CRASH record
    list_first(&l);
    cur = list_get_cur(&l);
    while(cur) {
        if (cur->name) {
            cur->user_end_proof = auparse_get_serial(au);
            cur->status = CRASH;
            cur->end = auparse_get_time(au);
            report_session(cur);
        }
        cur = list_next(&l);
    }

    // Logout and process anyone still left in the machine
    list_first(&l);
    cur = list_get_cur(&l);
    while(cur) {
        if (cur->status != CRASH) {
            cur->user_end_proof = auparse_get_serial(au);
            cur->status = DOWN;
            cur->end = auparse_get_time(au);
            report_session(cur);
        }
        cur = list_next(&l);
    }
    list_clear(&l);
    list_create(&l);

    // make reboot record - user:reboot, tty:system boot, host: uname -r
    uname(&ubuf);
    start = auparse_get_time(au);
    list_create_session(&l, 0, 0, 0, auparse_get_serial(au));
    cur = list_get_cur(&l);
    cur->start = start;
    cur->name = strdup("reboot");
    cur->term = strdup("system boot");
    cur->host = strdup(ubuf.release);
    cur->result = 0;
}
コード例 #3
0
ファイル: aulast.c プロジェクト: Distrotech/libaudit
static void create_new_session(auparse_state_t *au)
{
	const char *tpid, *tses, *tauid;
	int pid = -1, auid = -1, ses = -1;
	lnode *cur;

	// Get pid
	tpid = auparse_find_field(au, "pid");
	if (tpid)
		pid = auparse_get_field_int(au);

	// Get second auid field
	auparse_find_field(au, "auid");
	auparse_next_field(au);
	tauid = auparse_find_field(au, "auid");
	if (tauid)
		auid = auparse_get_field_int(au);

	// Get second ses field
	auparse_find_field(au, "ses"); 
	auparse_next_field(au);
	tses = auparse_find_field(au, "ses");
	if (tses)
		ses = auparse_get_field_int(au);

	// Check that they are valid
	if (pid == -1 || auid ==-1 || ses == -1) {
		if (debug)
			fprintf(stderr, "Bad login for event: %lu\n",
					auparse_get_serial(au));
		return;
	}

	// See if this session is already open
	//cur = list_find_auid(&l, auid, pid, ses);
	cur = list_find_session(&l, ses);
	if (cur) {
		// This means we have an open session close it out
		cur->status = GONE;
		cur->end = auparse_get_time(au);
		report_session(cur);
		list_delete_cur(&l);
	}

	// If this is supposed to be limited to a specific
	// uid and we don't have that record, skip creating it
	if (cuid != -1 && cuid != auid) {
		if (debug)
			fprintf(stderr,
			    "login reporting limited to %d for event: %lu\n",
				cuid, auparse_get_serial(au));
		return;
	}

	list_create_session(&l, auid, pid, ses, auparse_get_serial(au));
}
コード例 #4
0
ファイル: aulast.c プロジェクト: Distrotech/libaudit
static void update_session_logout(auparse_state_t *au)
{
	const char *tses, *tauid, *tpid;
	int pid = -1, auid = -1, ses = -1;
	lnode *cur;

	// Get pid field
	tpid = auparse_find_field(au, "pid");
	if (tpid)
		pid = auparse_get_field_int(au);

	// Get auid field
	tauid = auparse_find_field(au, "auid");
	if (tauid)
		auid = auparse_get_field_int(au);

	// Get ses field
	tses = auparse_find_field(au, "ses");
	if (tses)
		ses = auparse_get_field_int(au);

	// Check that they are valid
	if (pid == -1 || auid ==-1 || ses == -1) {
		if (debug)
			fprintf(stderr, "Bad user logout for event: %lu\n",
					auparse_get_serial(au));
		return;
	}

	// See if this session is already open
	cur = list_find_auid(&l, auid, pid, ses);
	if (cur) {
		// if time never got updated, this must be a cron or su 
		// session...so we will just delete it.
		if (cur->start) {
			// This means we have an open session close it out
			time_t end = auparse_get_time(au);
			list_update_logout(&l, end, auparse_get_serial(au));
			report_session(cur);
		} else if (debug)
			fprintf(stderr, "start time error for event: %lu\n",
					auparse_get_serial(au));
		list_delete_cur(&l);
	}
}
コード例 #5
0
ファイル: aulast.c プロジェクト: Distrotech/libaudit
static void process_shutdown(auparse_state_t *au)
{
	lnode *cur;

	// Find reboot record
	list_first(&l);
	cur = list_get_cur(&l);
	while (cur) {
		if (cur->name) {
			// Found it - close it out and display it
			time_t end = auparse_get_time(au);
			list_update_logout(&l, end, auparse_get_serial(au));
			report_session(cur);
			list_delete_cur(&l);
			return;
		}
		cur = list_next(&l);
	}
}
コード例 #6
0
ファイル: aulast.c プロジェクト: Distrotech/libaudit
int main(int argc, char *argv[])
{
	int i, use_stdin = 0;
	char *user = NULL, *file = NULL;
	struct passwd *p;
        auparse_state_t *au;

	setlocale (LC_ALL, "");
	for (i=1; i<argc; i++) {
		if (argv[i][0] != '-') {
			//take input and lookup as if it were a user name
			//if that fails assume its a tty
			if (user == NULL) {
				p = getpwnam(argv[i]);
				if (p) {
					cuid = p->pw_uid;
					user = argv[i];
					continue;
				}
			}
			if (cterm == NULL) {
				cterm = argv[i];
			} else {
				usage();
				return 1;
			}
		} else {
			if (strcmp(argv[i], "-f") == 0) {
				if (use_stdin == 0) {
					i++;
					file = argv[i];
				} else {
					fprintf(stderr,"stdin already given\n");
					return 1;
				}
			} else if (strcmp(argv[i], "--bad") == 0) {
				bad = 1;
			} else if (strcmp(argv[i], "--proof") == 0) {
				proof = 1;
			} else if (strcmp(argv[i], "--extract") == 0) {
				f = fopen("aulast.log", "wt");
			} else if (strcmp(argv[i], "--stdin") == 0) {
				if (file == NULL)
					use_stdin = 1;
				else {
					fprintf(stderr, "file already given\n");
					return 1;
				}
			} else if (strcmp(argv[i], "--debug") == 0) {
				debug = 1;
			} else {
				usage();
				return 1;
			}
		}
	}
	list_create(&l);

	// Search for successful user logins
	if (file)
		au = auparse_init(AUSOURCE_FILE, file);
	else if (use_stdin)
		au = auparse_init(AUSOURCE_FILE_POINTER, stdin);
	else {
		if (getuid()) {
			fprintf(stderr, "You probably need to be root for this to work\n");
		}
		au = auparse_init(AUSOURCE_LOGS, NULL);
	}
	if (au == NULL) {
		fprintf(stderr, "Error - %s\n", strerror(errno));
		goto error_exit_1;
	}

	// The theory: iterate though events
	// 1) when LOGIN is found, create a new session node
	// 2) if that session number exists, close out the old one
	// 3) when USER_LOGIN is found, update session node
	// 4) When USER_END is found update session node and close it out
	// 5) When BOOT record found make new record and check for previous
	// 6) If previous boot found, set status to crash and logout everyone
	// 7) When SHUTDOWN found, close out reboot record

	while (auparse_next_event(au) > 0) {
		// We will take advantage of the fact that all events
		// of interest are one record long
		int type = auparse_get_type(au);
		if (type < 0)
			continue;
		switch (type)
		{
			case AUDIT_LOGIN:
				create_new_session(au);
				extract_record(au);
				break;
			case AUDIT_USER_LOGIN:
				update_session_login(au);
				extract_record(au);
				break;
			case AUDIT_USER_END:
				update_session_logout(au);
				extract_record(au);
				break;
			case AUDIT_SYSTEM_BOOT:
				process_bootup(au);
				extract_record(au);
				break;
			case AUDIT_SYSTEM_SHUTDOWN:
				process_shutdown(au);
				extract_record(au);
				break;
			case AUDIT_DAEMON_START:
				process_kernel(au);
				extract_record(au);
				break;
		}
	}
	auparse_destroy(au);

	// Now output the leftovers
	list_first(&l);
	do {
		lnode *cur = list_get_cur(&l);
		report_session(cur);
	} while (list_next(&l));

	free(kernel);
	list_clear(&l);
	if (f)
		fclose(f);
	return 0;

error_exit_1:
	list_clear(&l);
	if (f)
		fclose(f);
	return 1;
}
コード例 #7
0
ファイル: aulast.c プロジェクト: Distrotech/libaudit
static void update_session_login(auparse_state_t *au)
{
	const char *tpid, *tses, *tuid, *tacct=NULL, *host, *term, *tres;
	int pid = -1, uid = -1, ses = -1, result = -1;
	time_t start;
	lnode *cur;

	// Get pid
	tpid = auparse_find_field(au, "pid");
	if (tpid)
		pid = auparse_get_field_int(au);

	// Get ses field
	tses = auparse_find_field(au, "ses");
	if (tses)
		ses = auparse_get_field_int(au);

	// Get second uid field - we should be positioned past the first one
	// gdm sends uid, everything else sends id, we try acct as last resort
	tuid = auparse_find_field(au, "uid");
	if (tuid)
		uid = auparse_get_field_int(au);
	else {
		auparse_first_record(au);
		tuid = auparse_find_field(au, "id");
		if (tuid)
			uid = auparse_get_field_int(au);
		else {
			auparse_first_record(au);
			tuid = auparse_find_field(au, "acct");
			if (tuid) {
				const char *tacct = auparse_interpret_field(au);
				struct passwd *pw = getpwnam (tacct);
				if (pw != NULL)
					uid = pw->pw_uid;
			} else
				auparse_first_record(au);
		}
	}

	start = auparse_get_time(au);

	host = auparse_find_field(au, "hostname");
	if (host && strcmp(host, "?") == 0)
		host = auparse_find_field(au, "addr");

	term = auparse_find_field(au, "terminal");
	if (term == NULL)
		term = "?";
	tres = auparse_find_field(au, "res");
	if (tres)
		tres = auparse_interpret_field(au);
	if (tres) {
		if (strcmp(tres, "success") == 0)
			result = 0;
		else
			result = 1;
	}
	// We only get tacct when its a bad login
	if (result == 1) {
		auparse_first_record(au);
		tacct = auparse_find_field(au, "acct");
		if (tacct)
			tacct = auparse_interpret_field(au);
	} else {
		// Check that they are valid
		if (pid == -1 || uid ==-1 || ses == -1) { 
			if (debug)
				fprintf(stderr,
					"Bad user login for event: %lu\n",
					auparse_get_serial(au));
			return;
		}
	}

	// See if this session is already open
	if (result == 0)
		cur = list_find_auid(&l, uid, pid, ses);
	else
		cur = NULL;
	if (cur) {
		// If we are limited to a specific terminal and
		// we find out the session is not associated with
		// the terminal of interest, delete the current node
		if (cterm && strstr(term, cterm) == NULL) {
			list_delete_cur(&l);
			if (debug)
				fprintf(stderr,
				"User login limited to %s for event: %lu\n",
					cterm, auparse_get_serial(au));
			return;
		}

		// This means we have an open session - update it
		list_update_start(&l, start, host, term, result,
				auparse_get_serial(au));

		// If the results were failed, we can close it out
		/* FIXME: result cannot be true. This is dead code.
		if (result) {
			report_session(cur);
			list_delete_cur(&l);
		} */
	} else if (bad == 1 && result == 1) {
		// If it were a bad login and we are wanting bad logins
		// create the record and report it.
		lnode n;

		n.auid = uid;
		n.start = start;
		n.end = start;
		n.name = tacct;
		n.host = host;
		n.term = term;
		n.result = result;
		n.status = LOG_OUT;
		n.loginuid_proof = auparse_get_serial(au);
		report_session(&n); 
	}
}