static void do_user_summary_output(slist *sptr)
{
const snode *sn;
if (sptr->cnt == 0) {
printf("<no events of interest were found>\n\n");
return;
}
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
long uid;
char name[64];
if (sn->str[0] == '-' || isdigit(sn->str[0])) {
uid = strtol(sn->str, NULL, 10);
printf("%u ", sn->hits);
safe_print_string(aulookup_uid(uid, name,
sizeof(name)), 1);
} else {
printf("%u ", sn->hits);
safe_print_string(sn->str, 1);
}
sn=slist_next(sptr);
}
}
int print_list(void)
{
int cnt = 0;
slist_first(&s);
do {
snode *cur = slist_get_cur(&s);
if (cur) {
cnt++;
printf("%s\n", cur->str);
}
} while (slist_next(&s));
return cnt;
}
static void do_string_summary_output(slist *sptr)
{
const snode *sn;
if (sptr->cnt == 0) {
printf("<no events of interest were found>\n\n");
return;
}
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
printf("%u %s\n", sn->hits, sn->str);
sn=slist_next(sptr);
}
}
/*
* This function performs that matching of search params with the record.
* It returns 1 on a match, and 0 if no match.
*/
int scan(llist *l)
{
// Are we within time range?
if (start_time == 0 || l->e.sec >= start_time) {
if (end_time == 0 || l->e.sec <= end_time) {
// OK - do the heavier checking
int rc = extract_search_items(l);
if (rc == 0) {
if (event_node_list) {
const snode *sn;
int found=0;
slist *sptr = event_node_list;
if (l->e.node == NULL)
return 0;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn && !found) {
if (sn->str && (!strcmp(sn->str, l->e.node)))
found++;
else
sn=slist_next(sptr);
}
if (!found)
return 0;
}
if (classify_success(l) && classify_conf(l))
return 1;
return 0;
}
}
}
return 0;
}
void rcps_solver_solve(struct rcps_solver *s, struct rcps_problem *p) {
int i, j, k;
struct rcps_genome *genome;
struct rcps_phenotype *pheno;
/* init the random number generator */
srand(time(NULL));
/* fix the indices */
for (i = 0; i < p->job_count; i++) {
p->jobs[i]->index = i;
}
for (i = 0; i < p->resource_count; i++) {
p->resources[i]->index = i;
}
/* fix the predeccessors */
for (i = 0; i < p->job_count; i++) {
free(p->jobs[i]->predeccessors);
p->jobs[i]->predeccessor_count = 0;
}
for (i = 0; i < p->job_count; i++) {
for (j = 0; j < p->jobs[i]->successor_count; j++) {
rcps_job_predeccessor_add(p->jobs[i]->successors[j],
p->jobs[i], p->jobs[i]->successor_types[j]);
}
}
/* do other precalculations */
/* modes and alternatives */
p->genome_modes = 0;
p->genome_alternatives = 0;
for (i = 0; i < p->job_count; i++) {
struct rcps_job *job = p->jobs[i];
// do the modes
if (job->mode_count > 1) {
p->genome_modes++;
p->modes_max = (int*) realloc(p->modes_max, p->genome_modes*sizeof(int));
p->modes_max[p->genome_modes-1] = job->mode_count;
job->genome_position = p->genome_modes-1;
}
else {
job->genome_position = -1;
}
job->res_start = -1;
job->res_mode = -1;
for (j = 0; j < job->mode_count; j++) {
struct rcps_mode *mode = job->modes[j];
for (k = 0; k < mode->request_count; k++) {
struct rcps_request *request = mode->requests[k];
request->res_alternative = -1;
// do the alternatives
if (request->alternative_count > 1) {
p->genome_alternatives++;
p->alternatives_max = (int*) realloc(p->alternatives_max,
p->genome_alternatives*sizeof(int));
p->alternatives_max[p->genome_alternatives-1] =
request->alternative_count;
request->genome_position = p->genome_alternatives-1;
}
else {
request->genome_position = -1;
}
}
}
}
/* hash of predecessor relations */
free(s->predecessor_hash);
s->predecessor_hash = (char*)malloc(sizeof(char)*p->job_count*p->job_count);
for (i = 0; i < p->job_count*p->job_count; i++) {
s->predecessor_hash[i] = -1;
}
/* initialize the population */
s->population = new_population(s, p);
/* here we run the algorithm */
#ifdef HAVE_PTHREAD
if (s->jobs <= 1) {
s->reproductions = run_alg(s, p);
}
else {
s->reproductions = 0;
pthread_t *threads = (pthread_t*)malloc(sizeof(pthread_t) * s->jobs);
struct thread_arg args;
args.s = s;
args.p = p;
int i;
for (i = 0; i < s->jobs; i++) {
int result = pthread_create(&threads[i], NULL, threadfunc, &args);
assert(result == 0);
}
// XXX join them all!
for (i = 0; i < s->jobs; i++) {
int result = pthread_join(threads[i], NULL);
assert(result == 0);
}
}
#else
s->reproductions = run_alg(s, p);
#endif
// struct rcps_fitness fit = ((struct rcps_individual*)slist_node_getdata(slist_first(
// s->population->individuals)))->fitness;
// printf("cycles: \t%i\nfitness:\t[%d, %d]\n", tcount, fit.group, fit.weight);
// transfer the results to the problem structure
genome = &((struct rcps_individual*)slist_node_getdata(
slist_first(s->population->individuals)))->genome;
// XXX we could save us this decoding step if we would keep the best ones
// from before, not really worth it
// save a warning if the schedule is not valid
pheno = decode(s, p, genome);
if (pheno->overuse_count) {
s->warnings = 1;
}
else {
s->warnings = 0;
}
for (i = 0; i < p->job_count; i++) {
struct rcps_job *job;
struct rcps_mode *mode;
job = p->jobs[i];
job->res_start = pheno->job_start[job->index];
job->res_mode =
job->genome_position == -1
? 0
: genome->modes[job->genome_position];
mode = job->modes[job->res_mode];
for (j = 0; j < mode->request_count; j++) {
struct rcps_request *request;
request = mode->requests[j];
request->res_alternative =
request->genome_position == -1
? 0
: genome->alternatives[request->genome_position];
}
}
}
int run_alg(struct rcps_solver *s, struct rcps_problem *p) {
/* run the algorithm */
int end = 0;
int count = 0;
int tcount = 0;
int lcount = 0;
struct rcps_fitness last_fitness;
int last_overuse = 1;
int breakoff_count = 0;
int desperate = 0;
last_fitness.group = FITNESS_MAX_GROUP;
last_fitness.weight = 0;
fflush(stderr);
// make this configurable
breakoff_count = 100000 / s->jobs;
#ifdef HAVE_PTHREAD
// XXX look at error code
pthread_mutex_lock(&s->lock);
#endif
do {
// breed
int i,j;
int son_overuse, daughter_overuse, best_overuse;
struct rcps_individual *father;
struct rcps_individual *mother;
struct rcps_individual *son;
struct rcps_individual *daughter;
struct rcps_phenotype *pheno;
struct rcps_fitness f1, f2;
f1.group = FITNESS_MAX_GROUP;
f1.weight = 0;
f2 = f1;
son = (struct rcps_individual*)malloc(sizeof(struct rcps_individual));
son->genome.schedule = (int*)malloc(sizeof(int) * p->job_count);
son->genome.modes = (int*)malloc(p->genome_modes * sizeof(int));
son->genome.alternatives = (int*)malloc(p->genome_alternatives * sizeof(int));
daughter = (struct rcps_individual*)malloc(sizeof(struct rcps_individual));
daughter->genome.schedule = (int*)malloc(sizeof(int) * p->job_count);
daughter->genome.modes = (int*)malloc(p->genome_modes * sizeof(int));
daughter->genome.alternatives = (int*)malloc(p->genome_alternatives * sizeof(int));
// select father and mother
// XXX we want a configurable bias towards better individuals here
i = irand(s->population->size - 1);
j = 1 + irand(s->population->size - 1);
j = (i + j) % s->population->size;
father = (struct rcps_individual*)slist_node_getdata(
slist_at(s->population->individuals, i));
mother = (struct rcps_individual*)slist_node_getdata(
slist_at(s->population->individuals, j));
// crossover
sched_crossover2(s, p,
father->genome.schedule, mother->genome.schedule,
son->genome.schedule, daughter->genome.schedule);
crossover2(father->genome.modes, mother->genome.modes,
son->genome.modes, daughter->genome.modes, p->genome_modes);
crossover2(father->genome.alternatives, mother->genome.alternatives,
son->genome.alternatives, daughter->genome.alternatives,
p->genome_alternatives);
#ifdef HAVE_PTHREAD
// XXX look at error code
pthread_mutex_unlock(&s->lock);
#endif
// mutate
sched_mutation(s, p, son->genome.schedule, s->mut_sched);
sched_mutation(s, p, daughter->genome.schedule, s->mut_sched);
mutation(son->genome.modes, p->modes_max,
p->genome_modes, s->mut_mode);
mutation(daughter->genome.modes, p->modes_max,
p->genome_modes, s->mut_mode);
mutation(son->genome.alternatives, p->alternatives_max,
p->genome_alternatives, s->mut_alt);
mutation(daughter->genome.alternatives, p->alternatives_max,
p->genome_alternatives, s->mut_mode);
// add to population
pheno = decode(s, p, &son->genome);
son->fitness = fitness(p, &son->genome, pheno);
son_overuse = pheno->overuse_count;
pheno = decode(s, p, &daughter->genome);
daughter->fitness = fitness(p, &daughter->genome, pheno);
daughter_overuse = pheno->overuse_count;
#ifdef HAVE_PTHREAD
// XXX look at error code
pthread_mutex_lock(&s->lock);
#endif
add_individual(son, s->population);
add_individual(daughter, s->population);
// check if we have a better individual, if yes reset count
f1 = ((struct rcps_individual*)slist_node_getdata(slist_first(
s->population->individuals)))->fitness;
// get the best overuse count
best_overuse = son_overuse < daughter_overuse ?
son_overuse : daughter_overuse;
// check if we want to stop
if (rcps_fitness_cmp(&f1, &last_fitness) < 0) {
last_fitness = f1;
last_overuse = best_overuse;
count = 0;
}
count++;
tcount++;
if (count >= breakoff_count) {
if ((last_overuse > 0) && (!desperate)) {
// we are going into desperate mode
desperate = 1;
breakoff_count *= 10;
// XXX threading problem: do not do this because is affects
// other threads too! intead us desperate accordingly above
/* s->population->size *= 5;
s->mut_sched += 1000;
s->mut_mode += 1000;
s->mut_alt += 1000;*/
}
else {
end = 1;
}
}
// XXX if we use multiple threads, communicate to the others as well!
if (s->progress_callback) {
if (tcount >= (lcount + s->cb_steps)) {
end |= s->progress_callback(tcount, last_fitness, s->cb_arg);
lcount = tcount;
}
}
} while (!end);
#ifdef HAVE_PTHREAD
// XXX look at error code
pthread_mutex_unlock(&s->lock);
#endif
return tcount;
}
void print_per_event_item(llist *l)
{
char buf[128];
char name[64];
char date[32];
struct tm *tv;
// The beginning is common to all reports
tv = localtime(&l->e.sec);
if (tv)
strftime(date, sizeof(date), "%x %T", tv);
else
strcpy(date, "?");
if (report_type != RPT_AVC) {
line_item++;
printf("%u. %s ", line_item, date);
}
switch (report_type)
{
case RPT_AVC:
alist_find_avc(l->s.avc);
do {
anode *an = l->s.avc->cur;
line_item++;
printf("%u. %s ", line_item, date);
// command subject syscall action obj res event
safe_print_string(l->s.comm ? l->s.comm : "?", 0);
printf(" %s %s %s %s %s %s %lu\n",
an->scontext,
aulookup_syscall(l, buf,sizeof(buf)),
an->avc_class, an->avc_perm,
an->tcontext, aulookup_result(an->avc_result),
l->e.serial);
//printf("items:%d\n", l->s.avc->cnt);
} while (alist_next_avc(l->s.avc));
break;
case RPT_CONFIG:
// FIXME:who, action, what, outcome, event
// NOW: type auid success event
printf("%s %s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_uid(l->s.loginuid, name, sizeof(name)),
aulookup_success(l->s.success), l->e.serial);
break;
case RPT_AUTH:
// who, addr, terminal, exe, success, event
// Special note...uid is used here because that is
// the way that the message works. This is because
// on failed logins, loginuid is not set.
safe_print_string(l->s.acct ? l->s.acct :
aulookup_uid(l->s.uid, name, sizeof(name)), 0);
printf(" %s %s %s %s %lu\n",
l->s.hostname, l->s.terminal,
l->s.exe, aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_LOGIN:
// who, addr, terminal, exe, success, event
// Special note...loginuid can be used here for
// successful logins. loginuid is not set on failed
// logins so acct is used in that situation.
safe_print_string(((l->s.success == S_FAILED) &&
l->s.acct) ? l->s.acct :
aulookup_uid(l->s.loginuid,
name, sizeof(name)), 0);
printf(" %s %s %s %s %lu\n",
l->s.hostname, l->s.terminal,
l->s.exe, aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_ACCT_MOD:
// who, addr, terminal, exe, success, event
safe_print_string(
aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %s %s %s %s %lu\n",
l->s.hostname ? l->s.hostname : "?",
l->s.terminal ? l->s.terminal : "?",
l->s.exe ? l->s.exe : "?",
l->s.acct ? l->s.acct : "?",
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_EVENT: // report_detail == D_DETAILED
// event, type, who, success
printf("%lu %s ",
l->e.serial,
audit_msg_type_to_name(l->head->type));
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s\n", aulookup_success(l->s.success));
break;
case RPT_FILE: // report_detail == D_DETAILED
// file, syscall, success, exe, who, event
{
slist *s = l->s.filename;
slist_first(s);
if (s->cnt > 1) {
char *key = s->cur ? s->cur->key : NULL;
while (key && strcmp(key, "PARENT") == 0) {
slist_next(s);
key = s->cur ? s->cur->key : NULL;
}
}
safe_print_string(s->cur ? s->cur->str : "", 0);
printf(" %s %s ",
aulookup_syscall(l,buf,sizeof(buf)),
aulookup_success(l->s.success));
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
}
break;
case RPT_HOST: // report_detail == D_DETAILED
// host, syscall, who, event
printf("%s %s ",
l->s.hostname,
aulookup_syscall(l,buf,sizeof(buf)));
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_PID: // report_detail == D_DETAILED
// pid, exe, syscall, who, event
printf("%u ", l->s.pid);
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
printf(" %s ", aulookup_syscall(l,buf,sizeof(buf)));
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_SYSCALL: // report_detail == D_DETAILED
// syscall, pid, comm, who, event
printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)),
l->s.pid);
safe_print_string(l->s.comm ? l->s.comm : "?", 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_TERM: // report_detail == D_DETAILED
// terminal, host, exe, who, event
printf("%s %s ",
l->s.terminal, l->s.hostname);
safe_print_string(l->s.exe, 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_USER: // report_detail == D_DETAILED
// who, terminal, host, exe, event
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_EXE: // report_detail == D_DETAILED
// exe, terminal, host, who, event
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_COMM: // report_detail == D_DETAILED
// comm, terminal, host, who, event
safe_print_string(l->s.comm ? l->s.comm : "?", 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_ANOMALY: // report_detail == D_DETAILED
// type exe term host auid event
printf("%s ", audit_msg_type_to_name(l->head->type));
safe_print_string(l->s.exe ? l->s.exe :
l->s.comm ? l->s.comm: "?", 0);
printf(" %s %s ",
l->s.terminal ? l->s.terminal : "?",
l->s.hostname ? l->s.hostname : "?");
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_RESPONSE: // report_detail == D_DETAILED
// type success event
printf("%s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_MAC:
// auid type success event
printf("%s %s %s %lu\n",
aulookup_uid(l->s.loginuid, name, sizeof(name)),
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_INTEG:
// type success event
printf("%s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_VIRT:
// type success event
printf("%s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_CRYPTO:
// auid type success event
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %s %lu\n",
audit_msg_type_to_name(l->head->type),
aulookup_success(l->s.success),
l->e.serial);
break;
case RPT_KEY: // report_detail == D_DETAILED
// key, success, exe, who, event
slist_first(l->s.key);
printf("%s %s ", l->s.key->cur->str,
aulookup_success(l->s.success));
safe_print_string(l->s.exe ? l->s.exe : "?", 0);
putchar(' ');
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %lu\n", l->e.serial);
break;
case RPT_TTY: {
char *ch, *ptr = strstr(l->head->message, "data=");
if (!ptr)
break;
ptr += 5;
ch = strrchr(ptr, ' ');
if (ch)
*ch = 0;
// event who term sess data
printf("%lu ", l->e.serial);
safe_print_string(aulookup_uid(l->s.loginuid, name,
sizeof(name)), 0);
printf(" %s %u ",
l->s.terminal ? l->s.terminal : "?",
l->s.session_id);
safe_print_string(l->s.comm ? l->s.comm: "?", 0);
putchar(' ');
print_tty_data(ptr);
printf("\n");
}
break;
default:
break;
}
}
int main(void)
{
snode n, *node;
int rc, i = 0;
slist_create(&s);
// This first test checks to see if list is
// created in a numeric order
slist_add_if_uniq(&s, "test1");
slist_add_if_uniq(&s, "test2");
slist_first(&s);
slist_add_if_uniq(&s, "test3");
puts("should be 3");
rc = print_list();
if (s.cnt != 3 || rc !=3) {
puts("test count is wrong");
return 1;
}
n.str = strdup("test4");
n.key = NULL;
n.hits = 1;
slist_append(&s, &n);
puts("should add a #4");
rc = print_list();
if (s.cnt != 4 || rc != 4) {
puts("test count is wrong");
return 1;
}
slist_add_if_uniq(&s, "test2");
puts("should be same");
rc = print_list();
if (s.cnt != 4 || rc != 4) {
puts("test count is wrong");
return 1;
}
slist_clear(&s);
puts("should be empty");
rc = print_list();
if (s.cnt != 0 || rc != 0) {
puts("test count is wrong");
return 1;
}
puts("starting sort test");
// Now test to see if the sort function works
// Fill the list exactly backwards
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test3");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test2");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test2");
slist_add_if_uniq(&s, "test4");
slist_add_if_uniq(&s, "test1");
slist_sort_by_hits(&s);
slist_first(&s);
do {
node = slist_get_cur(&s);
if (node->hits != (4-i)) {
printf("Sort test failed - i:%d != hits:%u\n", i, node->hits);
return 1;
}
i++;
} while ((node = slist_next(&s)));
puts("sort test passes");
slist_clear(&s);
return 0;
}
static void do_summary_total(llist *l)
{
// add events
sd.events++;
// add config changes
if (list_find_msg(l, AUDIT_CONFIG_CHANGE))
sd.changes++;
if (list_find_msg(l, AUDIT_DAEMON_CONFIG))
sd.changes++;
if (list_find_msg(l, AUDIT_USYS_CONFIG))
sd.changes++;
list_first(l);
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL))
sd.changes++;
// add acct changes
if (list_find_msg(l, AUDIT_USER_CHAUTHTOK))
sd.acct_changes++;
if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP))
sd.acct_changes++;
if (list_find_msg(l, AUDIT_CHGRP_ID))
sd.acct_changes++;
list_first(l);
if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE))
sd.acct_changes++;
// Crypto
list_first(l);
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG))
sd.crypto++;
if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG))
sd.crypto++;
// add logins
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
if (l->s.success == S_SUCCESS)
sd.good_logins++;
else if (l->s.success == S_FAILED)
sd.bad_logins++;
}
// add use of auth
if (list_find_msg(l, AUDIT_USER_AUTH)) {
if (l->s.success == S_SUCCESS)
sd.good_auth++;
else if (l->s.success == S_FAILED)
sd.bad_auth++;
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failures
if (l->s.success == S_FAILED)
sd.bad_auth++;
} else if (list_find_msg(l, AUDIT_GRP_AUTH)) {
if (l->s.success == S_SUCCESS)
sd.good_auth++;
else if (l->s.success == S_FAILED)
sd.bad_auth++;
}
// add users
if (l->s.loginuid != -2) {
char tmp[32];
snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
slist_add_if_uniq(&sd.users, tmp);
}
// add terminals
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
// add hosts
if (l->s.hostname)
slist_add_if_uniq(&sd.hosts, l->s.hostname);
// add execs
if (l->s.exe)
slist_add_if_uniq(&sd.exes, l->s.exe);
// add files
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str)
slist_add_if_uniq(&sd.files, sn->str);
sn=slist_next(sptr);
}
}
// add avcs
if (list_find_msg(l, AUDIT_AVC))
sd.avcs++;
else if (list_find_msg(l, AUDIT_USER_AVC))
sd.avcs++;
// MAC
list_first(l);
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL))
sd.mac++;
if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG))
sd.mac++;
// add failed syscalls
if (l->s.success == S_FAILED && l->s.syscall > 0)
sd.failed_syscalls++;
// add pids
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
}
// add anomalies
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG))
sd.anomalies++;
if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG))
sd.anomalies++;
// add response to anomalies
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP))
sd.responses++;
// add keys
if (l->s.key) {
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str && strcmp(sn->str, "(null)")) {
slist_add_if_uniq(&sd.keys, sn->str);
}
sn=slist_next(sptr);
}
}
}
static int per_event_detailed(llist *l)
{
int rc = 0;
switch (report_type)
{
case RPT_AVC:
if (list_find_msg(l, AUDIT_AVC)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg(l, AUDIT_USER_AVC)) {
print_per_event_item(l);
rc = 1;
}
break;
case RPT_MAC:
if (report_detail == D_DETAILED) {
if (list_find_msg_range(l,
AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL)) {
print_per_event_item(l);
rc = 1;
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG)) {
print_per_event_item(l);
rc = 1;
}
}
}
break;
case RPT_CONFIG:
if (list_find_msg(l, AUDIT_CONFIG_CHANGE)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg(l, AUDIT_DAEMON_CONFIG)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg(l, AUDIT_USYS_CONFIG)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg_range(l,
AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_UNLBL_STCDEL)) {
print_per_event_item(l);
rc = 1;
}
break;
case RPT_AUTH:
if (list_find_msg(l, AUDIT_USER_AUTH)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failed acct
if (l->s.success == S_FAILED) {
print_per_event_item(l);
rc = 1;
}
}
break;
case RPT_LOGIN:
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
print_per_event_item(l);
rc = 1;
}
break;
case RPT_ACCT_MOD:
if (list_find_msg(l, AUDIT_USER_CHAUTHTOK)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg_range(l,
AUDIT_ADD_USER, AUDIT_DEL_GROUP)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg(l, AUDIT_CHGRP_ID)) {
print_per_event_item(l);
rc = 1;
} else if (list_find_msg_range(l,
AUDIT_ROLE_ASSIGN,
AUDIT_ROLE_REMOVE)) {
print_per_event_item(l);
rc = 1;
}
break;
case RPT_EVENT:
list_first(l);
if (report_detail == D_DETAILED) {
print_per_event_item(l);
rc = 1;
} else { // specific event report
UNIMPLEMENTED;
}
break;
case RPT_FILE:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.filename) {
print_per_event_item(l);
rc = 1;
}
} else { // specific file report
UNIMPLEMENTED;
}
break;
case RPT_HOST:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.hostname) {
print_per_event_item(l);
rc = 1;
}
} else { // specific host report
UNIMPLEMENTED;
}
break;
case RPT_PID:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.pid >= 0) {
print_per_event_item(l);
rc = 1;
}
} else { // specific pid report
UNIMPLEMENTED;
}
break;
case RPT_SYSCALL:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.syscall) {
print_per_event_item(l);
rc = 1;
}
} else { // specific syscall report
UNIMPLEMENTED;
}
break;
case RPT_TERM:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.terminal) {
print_per_event_item(l);
rc = 1;
}
} else { // specific terminal report
UNIMPLEMENTED;
}
break;
case RPT_USER:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.uid != -1) {
print_per_event_item(l);
rc = 1;
}
} else { // specific user report
UNIMPLEMENTED;
}
break;
case RPT_EXE:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.exe) {
print_per_event_item(l);
rc = 1;
}
} else { // specific exe report
UNIMPLEMENTED;
}
break;
case RPT_ANOMALY:
if (report_detail == D_DETAILED) {
if (list_find_msg_range(l,
AUDIT_FIRST_ANOM_MSG,
AUDIT_LAST_ANOM_MSG)) {
print_per_event_item(l);
rc = 1;
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG)) {
print_per_event_item(l);
rc = 1;
}
}
} else { // FIXME: specific anom report
UNIMPLEMENTED;
}
break;
case RPT_RESPONSE:
if (report_detail == D_DETAILED) {
if (list_find_msg_range(l,
AUDIT_FIRST_ANOM_RESP,
AUDIT_LAST_ANOM_RESP)) {
print_per_event_item(l);
rc = 1;
}
} else { // FIXME: specific resp report
UNIMPLEMENTED;
}
break;
case RPT_CRYPTO:
if (report_detail == D_DETAILED) {
if (list_find_msg_range(l,
AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG)) {
print_per_event_item(l);
rc = 1;
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG)) {
print_per_event_item(l);
rc = 1;
}
}
} else { // FIXME: specific crypto report
UNIMPLEMENTED;
}
break;
case RPT_KEY:
list_first(l);
if (report_detail == D_DETAILED) {
if (l->s.key) {
slist_first(l->s.key);
if (strcmp(l->s.key->cur->str,
"(null)")) {
print_per_event_item(l);
rc = 1;
}
}
} else { // specific key report
UNIMPLEMENTED;
}
break;
case RPT_TTY:
if (l->head->type == AUDIT_TTY) {
print_per_event_item(l);
rc = 1;
}
break;
default:
break;
}
return rc;
}
static int per_event_summary(llist *l)
{
int rc = 0;
switch (report_type)
{
case RPT_SUMMARY:
do_summary_total(l);
rc = 1;
break;
case RPT_AVC:
if (list_find_msg(l, AUDIT_AVC)) {
if (alist_find_avc(l->s.avc)) {
do {
slist_add_if_uniq(&sd.avc_objs,
l->s.avc->cur->tcontext);
} while (alist_next_avc(l->s.avc));
}
} else {
if (list_find_msg(l, AUDIT_USER_AVC)) {
if (alist_find_avc(l->s.avc)) {
do {
slist_add_if_uniq(
&sd.avc_objs,
l->s.avc->cur->tcontext);
} while (alist_next_avc(
l->s.avc));
}
}
}
break;
case RPT_MAC:
if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
AUDIT_MAC_MAP_DEL)) {
ilist_add_if_uniq(&sd.mac_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_USER_LSPP_MSG,
AUDIT_LAST_USER_LSPP_MSG)) {
ilist_add_if_uniq(&sd.mac_list,
l->head->type, 0);
}
}
break;
case RPT_CONFIG:
UNIMPLEMENTED;
break;
case RPT_AUTH:
if (list_find_msg(l, AUDIT_USER_AUTH)) {
if (l->s.loginuid == -2 && l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(l->s.loginuid,
name,
sizeof(name))
);
}
} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
// Only count the failures
if (l->s.success == S_FAILED) {
if (l->s.loginuid == -2 &&
l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(
l->s.loginuid,
name,
sizeof(name))
);
}
}
}
break;
case RPT_LOGIN:
if (list_find_msg(l, AUDIT_USER_LOGIN)) {
if (l->s.loginuid == -2 && l->s.acct != NULL)
slist_add_if_uniq(&sd.users, l->s.acct);
else {
char name[64];
slist_add_if_uniq(&sd.users,
aulookup_uid(l->s.loginuid,
name,
sizeof(name))
);
}
}
break;
case RPT_ACCT_MOD:
UNIMPLEMENTED;
break;
case RPT_EVENT: /* We will borrow the pid list */
if (l->head->type != -1) {
ilist_add_if_uniq(&sd.pids, l->head->type, 0);
}
break;
case RPT_FILE:
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str)
slist_add_if_uniq(&sd.files,
sn->str);
sn=slist_next(sptr);
}
}
break;
case RPT_HOST:
if (l->s.hostname)
slist_add_if_uniq(&sd.hosts, l->s.hostname);
break;
case RPT_PID:
if (l->s.pid != -1) {
ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
}
break;
case RPT_SYSCALL:
if (l->s.syscall > 0) {
ilist_add_if_uniq(&sd.sys_list,
l->s.syscall, l->s.arch);
}
break;
case RPT_TERM:
if (l->s.terminal)
slist_add_if_uniq(&sd.terms, l->s.terminal);
break;
case RPT_USER:
if (l->s.loginuid != -2) {
char tmp[32];
snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
slist_add_if_uniq(&sd.users, tmp);
}
break;
case RPT_EXE:
if (l->s.exe)
slist_add_if_uniq(&sd.exes, l->s.exe);
break;
case RPT_ANOMALY:
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
AUDIT_LAST_ANOM_MSG)) {
ilist_add_if_uniq(&sd.anom_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_KERN_ANOM_MSG,
AUDIT_LAST_KERN_ANOM_MSG)) {
ilist_add_if_uniq(&sd.anom_list,
l->head->type, 0);
}
}
break;
case RPT_RESPONSE:
if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
AUDIT_LAST_ANOM_RESP)) {
ilist_add_if_uniq(&sd.resp_list,
l->head->type, 0);
}
break;
case RPT_CRYPTO:
if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
AUDIT_LAST_KERN_CRYPTO_MSG)) {
ilist_add_if_uniq(&sd.crypto_list,
l->head->type, 0);
} else {
if (list_find_msg_range(l,
AUDIT_FIRST_CRYPTO_MSG,
AUDIT_LAST_CRYPTO_MSG)) {
ilist_add_if_uniq(&sd.crypto_list,
l->head->type, 0);
}
}
break;
case RPT_KEY:
if (l->s.key) {
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn) {
if (sn->str &&
strcmp(sn->str, "(null)"))
slist_add_if_uniq(&sd.keys,
sn->str);
sn=slist_next(sptr);
}
}
break;
case RPT_TTY:
UNIMPLEMENTED;
break;
default:
break;
}
return rc;
}
int match(llist *l)
{
// Are we within time range?
if (start_time == 0 || l->e.sec >= start_time) {
if (end_time == 0 || l->e.sec <= end_time) {
if (event_id == -1 || event_id == l->e.serial) {
// OK - do the heavier checking
if (extract_search_items(l)) {
return 0;
}
// perform additional tests for the field
if (event_node_list) {
const snode *sn;
int found=0;
slist *sptr = event_node_list;
if (l->e.node == NULL)
return 0;
slist_first(sptr);
sn=slist_get_cur(sptr);
while (sn && !found) {
if (sn->str && (!strcmp(sn->str, l->e.node)))
found++;
else
sn=slist_next(sptr);
}
if (!found)
return 0;
}
if (user_match(l) == 0)
return 0;
if (group_match(l) == 0)
return 0;
if ((event_ppid != -1) &&
(event_ppid != l->s.ppid))
return 0;
if ((event_pid != -1) &&
(event_pid != l->s.pid))
return 0;
if (event_machine != -1 &&
(event_machine !=
audit_elf_to_machine(l->s.arch)))
return 0;
if ((event_syscall != -1) &&
(event_syscall != l->s.syscall))
return 0;
if ((event_session_id != -2) &&
(event_session_id != l->s.session_id))
return 0;
if (event_exit_is_set) {
if (l->s.exit_is_set == 0)
return 0;
if (event_exit != l->s.exit)
return 0;
}
if ((event_success != S_UNSET) &&
(event_success != l->s.success))
return 0;
// event_type requires looking at each item
if (event_type != NULL) {
int found = 0;
const lnode *n;
list_first(l);
n = list_get_cur(l);
do {
int_node *in;
ilist_first(event_type);
in = ilist_get_cur(event_type);
do {
if (in->num == n->type){
found = 1;
break;
}
} while((in =
ilist_next(event_type)));
if (found)
break;
} while ((n = list_next(l)));
if (!found)
return 0;
}
// Done all the easy compares, now do the
// string searches.
if (event_filename) {
int found = 0;
if (l->s.filename == NULL && l->s.cwd == NULL)
return 0;
if (l->s.filename) {
const snode *sn;
slist *sptr = l->s.filename;
slist_first(sptr);
sn=slist_get_cur(sptr);
do {
if (sn->str == NULL)
return 0;
if (strmatch(
event_filename,
sn->str)) {
found = 1;
break;
}
} while ((sn=slist_next(sptr)));
if (!found && l->s.cwd == NULL)
return 0;
}
if (l->s.cwd && !found) {
/* Check cwd, too */
if (strmatch(event_filename,
l->s.cwd) == 0)
return 0;
}
}
if (event_hostname) {
if (l->s.hostname == NULL)
return 0;
if (strmatch(event_hostname,
l->s.hostname) == 0)
return 0;
}
if (event_terminal) {
if (l->s.terminal == NULL)
return 0;
if (strmatch(event_terminal,
l->s.terminal) == 0)
return 0;
}
if (event_exe) {
if (l->s.exe == NULL)
return 0;
if (strmatch(event_exe,
l->s.exe) == 0)
return 0;
}
if (event_comm) {
if (l->s.comm == NULL)
return 0;
if (strmatch(event_comm,
l->s.comm) == 0)
return 0;
}
if (event_key) {
if (l->s.key == NULL)
return 0;
else {
int found = 0;
const snode *sn;
slist *sptr = l->s.key;
slist_first(sptr);
sn=slist_get_cur(sptr);
do {
if (sn->str == NULL)
return 0;
if (strmatch(
event_key,
sn->str)) {
found = 1;
break;
}
} while ((sn=slist_next(sptr)));
if (!found)
return 0;
}
}
if (event_vmname) {
if (l->s.vmname == NULL)
return 0;
if (strmatch(event_vmname,
l->s.vmname) == 0)
return 0;
}
if (event_uuid) {
if (l->s.uuid == NULL)
return 0;
if (strmatch(event_uuid,
l->s.uuid) == 0)
return 0;
}
if (context_match(l) == 0)
return 0;
return 1;
}
}
}
return 0;
}