static void do_user_summary_output(slist *sptr) { const snode *sn; if (sptr->cnt == 0) { printf("<no events of interest were found>\n\n"); return; } slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { long uid; char name[64]; if (sn->str[0] == '-' || isdigit(sn->str[0])) { uid = strtol(sn->str, NULL, 10); printf("%u ", sn->hits); safe_print_string(aulookup_uid(uid, name, sizeof(name)), 1); } else { printf("%u ", sn->hits); safe_print_string(sn->str, 1); } sn=slist_next(sptr); } }
char * get_query_string() { char *request_method, *query_string; request_method = getenv("REQUEST_METHOD"); if( request_method == 0 ) return( 0 ); else if( strcmp(request_method,"GET") == 0 ) { query_string = getenv("QUERY_STRING"); if( query_string == 0 ) return( 0 ); else return( strdup(query_string) ); } else if( strcmp(request_method,"POST") == 0 ) { return( read_query_string() ); } else { printf("Unknown method: "); safe_print_string( request_method ); printf("\n"); return( 0 ); } }
void safe_printenv( char *name ) { char *val ; char *safe_val ; printf("%s=",name ); val = getenv( name ); safe_print_string( val ); printf("\n"); }
static void do_file_summary_output(slist *sptr) { const snode *sn; if (sptr->cnt == 0) { printf("<no events of interest were found>\n\n"); return; } slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { printf("%u ", sn->hits); safe_print_string(sn->str, 1); sn=slist_next(sptr); } }
void print_per_event_item(llist *l) { char buf[128]; char name[64]; char date[32]; struct tm *tv; // The beginning is common to all reports tv = localtime(&l->e.sec); if (tv) strftime(date, sizeof(date), "%x %T", tv); else strcpy(date, "?"); if (report_type != RPT_AVC) { line_item++; printf("%u. %s ", line_item, date); } switch (report_type) { case RPT_AVC: alist_find_avc(l->s.avc); do { anode *an = l->s.avc->cur; line_item++; printf("%u. %s ", line_item, date); // command subject syscall action obj res event safe_print_string(l->s.comm ? l->s.comm : "?", 0); printf(" %s %s %s %s %s %s %lu\n", an->scontext, aulookup_syscall(l, buf,sizeof(buf)), an->avc_class, an->avc_perm, an->tcontext, aulookup_result(an->avc_result), l->e.serial); //printf("items:%d\n", l->s.avc->cnt); } while (alist_next_avc(l->s.avc)); break; case RPT_CONFIG: // FIXME:who, action, what, outcome, event // NOW: type auid success event printf("%s %s %s %lu\n", audit_msg_type_to_name(l->head->type), aulookup_uid(l->s.loginuid, name, sizeof(name)), aulookup_success(l->s.success), l->e.serial); break; case RPT_AUTH: // who, addr, terminal, exe, success, event // Special note...uid is used here because that is // the way that the message works. This is because // on failed logins, loginuid is not set. safe_print_string(l->s.acct ? l->s.acct : aulookup_uid(l->s.uid, name, sizeof(name)), 0); printf(" %s %s %s %s %lu\n", l->s.hostname, l->s.terminal, l->s.exe, aulookup_success(l->s.success), l->e.serial); break; case RPT_LOGIN: // who, addr, terminal, exe, success, event // Special note...loginuid can be used here for // successful logins. loginuid is not set on failed // logins so acct is used in that situation. safe_print_string(((l->s.success == S_FAILED) && l->s.acct) ? l->s.acct : aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %s %s %s %s %lu\n", l->s.hostname, l->s.terminal, l->s.exe, aulookup_success(l->s.success), l->e.serial); break; case RPT_ACCT_MOD: // who, addr, terminal, exe, success, event safe_print_string( aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %s %s %s %s %s %lu\n", l->s.hostname ? l->s.hostname : "?", l->s.terminal ? l->s.terminal : "?", l->s.exe ? l->s.exe : "?", l->s.acct ? l->s.acct : "?", aulookup_success(l->s.success), l->e.serial); break; case RPT_EVENT: // report_detail == D_DETAILED // event, type, who, success printf("%lu %s ", l->e.serial, audit_msg_type_to_name(l->head->type)); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %s\n", aulookup_success(l->s.success)); break; case RPT_FILE: // report_detail == D_DETAILED // file, syscall, success, exe, who, event { slist *s = l->s.filename; slist_first(s); if (s->cnt > 1) { char *key = s->cur ? s->cur->key : NULL; while (key && strcmp(key, "PARENT") == 0) { slist_next(s); key = s->cur ? s->cur->key : NULL; } } safe_print_string(s->cur ? s->cur->str : "", 0); printf(" %s %s ", aulookup_syscall(l,buf,sizeof(buf)), aulookup_success(l->s.success)); safe_print_string(l->s.exe ? l->s.exe : "?", 0); putchar(' '); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); } break; case RPT_HOST: // report_detail == D_DETAILED // host, syscall, who, event printf("%s %s ", l->s.hostname, aulookup_syscall(l,buf,sizeof(buf))); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_PID: // report_detail == D_DETAILED // pid, exe, syscall, who, event printf("%u ", l->s.pid); safe_print_string(l->s.exe ? l->s.exe : "?", 0); printf(" %s ", aulookup_syscall(l,buf,sizeof(buf))); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_SYSCALL: // report_detail == D_DETAILED // syscall, pid, comm, who, event printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)), l->s.pid); safe_print_string(l->s.comm ? l->s.comm : "?", 0); putchar(' '); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_TERM: // report_detail == D_DETAILED // terminal, host, exe, who, event printf("%s %s ", l->s.terminal, l->s.hostname); safe_print_string(l->s.exe, 0); putchar(' '); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_USER: // report_detail == D_DETAILED // who, terminal, host, exe, event safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %s %s ", l->s.terminal ? l->s.terminal : "?", l->s.hostname ? l->s.hostname : "?"); safe_print_string(l->s.exe ? l->s.exe : "?", 0); printf(" %lu\n", l->e.serial); break; case RPT_EXE: // report_detail == D_DETAILED // exe, terminal, host, who, event safe_print_string(l->s.exe ? l->s.exe : "?", 0); printf(" %s %s ", l->s.terminal ? l->s.terminal : "?", l->s.hostname ? l->s.hostname : "?"); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_COMM: // report_detail == D_DETAILED // comm, terminal, host, who, event safe_print_string(l->s.comm ? l->s.comm : "?", 0); printf(" %s %s ", l->s.terminal ? l->s.terminal : "?", l->s.hostname ? l->s.hostname : "?"); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_ANOMALY: // report_detail == D_DETAILED // type exe term host auid event printf("%s ", audit_msg_type_to_name(l->head->type)); safe_print_string(l->s.exe ? l->s.exe : l->s.comm ? l->s.comm: "?", 0); printf(" %s %s ", l->s.terminal ? l->s.terminal : "?", l->s.hostname ? l->s.hostname : "?"); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_RESPONSE: // report_detail == D_DETAILED // type success event printf("%s %s %lu\n", audit_msg_type_to_name(l->head->type), aulookup_success(l->s.success), l->e.serial); break; case RPT_MAC: // auid type success event printf("%s %s %s %lu\n", aulookup_uid(l->s.loginuid, name, sizeof(name)), audit_msg_type_to_name(l->head->type), aulookup_success(l->s.success), l->e.serial); break; case RPT_INTEG: // type success event printf("%s %s %lu\n", audit_msg_type_to_name(l->head->type), aulookup_success(l->s.success), l->e.serial); break; case RPT_VIRT: // type success event printf("%s %s %lu\n", audit_msg_type_to_name(l->head->type), aulookup_success(l->s.success), l->e.serial); break; case RPT_CRYPTO: // auid type success event safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %s %s %lu\n", audit_msg_type_to_name(l->head->type), aulookup_success(l->s.success), l->e.serial); break; case RPT_KEY: // report_detail == D_DETAILED // key, success, exe, who, event slist_first(l->s.key); printf("%s %s ", l->s.key->cur->str, aulookup_success(l->s.success)); safe_print_string(l->s.exe ? l->s.exe : "?", 0); putchar(' '); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %lu\n", l->e.serial); break; case RPT_TTY: { char *ch, *ptr = strstr(l->head->message, "data="); if (!ptr) break; ptr += 5; ch = strrchr(ptr, ' '); if (ch) *ch = 0; // event who term sess data printf("%lu ", l->e.serial); safe_print_string(aulookup_uid(l->s.loginuid, name, sizeof(name)), 0); printf(" %s %u ", l->s.terminal ? l->s.terminal : "?", l->s.session_id); safe_print_string(l->s.comm ? l->s.comm: "?", 0); putchar(' '); print_tty_data(ptr); printf("\n"); } break; default: break; } }
/* * This function will cycle through a single record and lookup each field's * value that it finds. */ static void output_interpreted_record(const lnode *n, const event *e) { char *ptr, *str = n->message; int found, comma = 0; int num = n->type; struct tm *btm; char tmp[32]; // Reset these because each record could be different machine = -1; cur_syscall = -1; /* Check and see if we start with a node * If we do, and there is a space in the line * move the pointer to the first character past * the space */ if (e->node) { if ((ptr=strchr(str, ' ')) != NULL) { str = ptr+1; } } // First locate time stamp. ptr = strchr(str, '('); if (ptr == NULL) { fprintf(stderr, "can't find time stamp\n"); return; } *ptr++ = 0; /* move to the start of the timestamp */ // print everything up to it. if (num >= 0) { const char * bptr; bptr = audit_msg_type_to_name(num); if (bptr) { if (e->node) printf("node=%s ", e->node); printf("type=%s msg=audit(", bptr); goto no_print; } } if (e->node) printf("node=%s ", e->node); printf("%s(", str); no_print: str = strchr(ptr, ')'); if(str == NULL) return; *str++ = 0; btm = localtime(&e->sec); if (btm) strftime(tmp, sizeof(tmp), "%x %T", btm); else strcpy(tmp, "?"); printf("%s", tmp); printf(".%03u:%lu) ", e->milli, e->serial); if (n->type == AUDIT_SYSCALL) { a0 = n->a0; a1 = n->a1; } // for each item. ausearch_load_interpretations(n); found = 0; while (str && *str && (ptr = strchr(str, '='))) { char *name, *val; comma = 0; found = 1; // look back to last space - this is name name = ptr; while (*name != ' ' && name > str) --name; *ptr++ = 0; // print everything up to the '=' printf("%s=", str); // Some user messages have msg='uid=500 in this case // skip the msg= piece since the real stuff is the uid= if (strcmp(name, "msg") == 0) { str = ptr; continue; } // In the above case, after msg= we need to trim the ' from uid if (*name == '\'') name++; // get string after = to the next space or end - this is value if (*ptr == '\'' || *ptr == '"') { str = strchr(ptr+1, *ptr); if (str) { str++; if (*str) *str++ = 0; } } else { str = strchr(ptr, ','); val = strchr(ptr, ' '); if (str && val && (str < val)) { // Value side has commas and another field exists // Known: LABEL_LEVEL_CHANGE banners=none,none // Known: ROLL_ASSIGN new-role=r,r // Known: any MAC LABEL can potentially have commas int ftype = auparse_interp_adjust_type(n->type, name, val); if (ftype == AUPARSE_TYPE_MAC_LABEL) { str = val; *str++ = 0; } else { *str++ = 0; comma = 1; } } else if (str && (val == NULL)) { // Goes all the way to the end. Done parsing // Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7 int ftype = auparse_interp_adjust_type(n->type, name, ptr); if (ftype == AUPARSE_TYPE_MAC_LABEL) str = NULL; else { *str++ = 0; comma = 1; } } else if (val) { // There is another field, point to next (normal path) str = val; *str++ = 0; } } // val points to begin & str 1 past end val = ptr; // print interpreted string interpret(name, val, comma, n->type); } ausearch_free_interpretations(); // If nothing found, just print out as is if (!found && ptr == NULL && str) safe_print_string(str, 1); // If last field had comma, output the rest else if (comma) safe_print_string(str, 1); printf("\n"); }