static void do_user_summary_output(slist *sptr) { const snode *sn; if (sptr->cnt == 0) { printf("<no events of interest were found>\n\n"); return; } slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { long uid; char name[64]; if (sn->str[0] == '-' || isdigit(sn->str[0])) { uid = strtol(sn->str, NULL, 10); printf("%u ", sn->hits); safe_print_string(aulookup_uid(uid, name, sizeof(name)), 1); } else { printf("%u ", sn->hits); safe_print_string(sn->str, 1); } sn=slist_next(sptr); } }
int print_list(void) { int cnt = 0; slist_first(&s); do { snode *cur = slist_get_cur(&s); if (cur) { cnt++; printf("%s\n", cur->str); } } while (slist_next(&s)); return cnt; }
static void do_string_summary_output(slist *sptr) { const snode *sn; if (sptr->cnt == 0) { printf("<no events of interest were found>\n\n"); return; } slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { printf("%u %s\n", sn->hits, sn->str); sn=slist_next(sptr); } }
/* * This function performs that matching of search params with the record. * It returns 1 on a match, and 0 if no match. */ int scan(llist *l) { // Are we within time range? if (start_time == 0 || l->e.sec >= start_time) { if (end_time == 0 || l->e.sec <= end_time) { // OK - do the heavier checking int rc = extract_search_items(l); if (rc == 0) { if (event_node_list) { const snode *sn; int found=0; slist *sptr = event_node_list; if (l->e.node == NULL) return 0; slist_first(sptr); sn=slist_get_cur(sptr); while (sn && !found) { if (sn->str && (!strcmp(sn->str, l->e.node))) found++; else sn=slist_next(sptr); } if (!found) return 0; } if (classify_success(l) && classify_conf(l)) return 1; return 0; } } } return 0; }
int main(void) { snode n, *node; int rc, i = 0; slist_create(&s); // This first test checks to see if list is // created in a numeric order slist_add_if_uniq(&s, "test1"); slist_add_if_uniq(&s, "test2"); slist_first(&s); slist_add_if_uniq(&s, "test3"); puts("should be 3"); rc = print_list(); if (s.cnt != 3 || rc !=3) { puts("test count is wrong"); return 1; } n.str = strdup("test4"); n.key = NULL; n.hits = 1; slist_append(&s, &n); puts("should add a #4"); rc = print_list(); if (s.cnt != 4 || rc != 4) { puts("test count is wrong"); return 1; } slist_add_if_uniq(&s, "test2"); puts("should be same"); rc = print_list(); if (s.cnt != 4 || rc != 4) { puts("test count is wrong"); return 1; } slist_clear(&s); puts("should be empty"); rc = print_list(); if (s.cnt != 0 || rc != 0) { puts("test count is wrong"); return 1; } puts("starting sort test"); // Now test to see if the sort function works // Fill the list exactly backwards slist_add_if_uniq(&s, "test3"); slist_add_if_uniq(&s, "test3"); slist_add_if_uniq(&s, "test4"); slist_add_if_uniq(&s, "test3"); slist_add_if_uniq(&s, "test4"); slist_add_if_uniq(&s, "test2"); slist_add_if_uniq(&s, "test4"); slist_add_if_uniq(&s, "test2"); slist_add_if_uniq(&s, "test4"); slist_add_if_uniq(&s, "test1"); slist_sort_by_hits(&s); slist_first(&s); do { node = slist_get_cur(&s); if (node->hits != (4-i)) { printf("Sort test failed - i:%d != hits:%u\n", i, node->hits); return 1; } i++; } while ((node = slist_next(&s))); puts("sort test passes"); slist_clear(&s); return 0; }
static void do_summary_total(llist *l) { // add events sd.events++; // add config changes if (list_find_msg(l, AUDIT_CONFIG_CHANGE)) sd.changes++; if (list_find_msg(l, AUDIT_DAEMON_CONFIG)) sd.changes++; if (list_find_msg(l, AUDIT_USYS_CONFIG)) sd.changes++; list_first(l); if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD, AUDIT_MAC_UNLBL_STCDEL)) sd.changes++; // add acct changes if (list_find_msg(l, AUDIT_USER_CHAUTHTOK)) sd.acct_changes++; if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP)) sd.acct_changes++; if (list_find_msg(l, AUDIT_CHGRP_ID)) sd.acct_changes++; list_first(l); if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE)) sd.acct_changes++; // Crypto list_first(l); if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG, AUDIT_LAST_KERN_CRYPTO_MSG)) sd.crypto++; if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG, AUDIT_LAST_CRYPTO_MSG)) sd.crypto++; // add logins if (list_find_msg(l, AUDIT_USER_LOGIN)) { if (l->s.success == S_SUCCESS) sd.good_logins++; else if (l->s.success == S_FAILED) sd.bad_logins++; } // add use of auth if (list_find_msg(l, AUDIT_USER_AUTH)) { if (l->s.success == S_SUCCESS) sd.good_auth++; else if (l->s.success == S_FAILED) sd.bad_auth++; } else if (list_find_msg(l, AUDIT_USER_ACCT)) { // Only count the failures if (l->s.success == S_FAILED) sd.bad_auth++; } else if (list_find_msg(l, AUDIT_GRP_AUTH)) { if (l->s.success == S_SUCCESS) sd.good_auth++; else if (l->s.success == S_FAILED) sd.bad_auth++; } // add users if (l->s.loginuid != -2) { char tmp[32]; snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid); slist_add_if_uniq(&sd.users, tmp); } // add terminals if (l->s.terminal) slist_add_if_uniq(&sd.terms, l->s.terminal); // add hosts if (l->s.hostname) slist_add_if_uniq(&sd.hosts, l->s.hostname); // add execs if (l->s.exe) slist_add_if_uniq(&sd.exes, l->s.exe); // add files if (l->s.filename) { const snode *sn; slist *sptr = l->s.filename; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str) slist_add_if_uniq(&sd.files, sn->str); sn=slist_next(sptr); } } // add avcs if (list_find_msg(l, AUDIT_AVC)) sd.avcs++; else if (list_find_msg(l, AUDIT_USER_AVC)) sd.avcs++; // MAC list_first(l); if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD, AUDIT_MAC_UNLBL_STCDEL)) sd.mac++; if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG, AUDIT_LAST_USER_LSPP_MSG)) sd.mac++; // add failed syscalls if (l->s.success == S_FAILED && l->s.syscall > 0) sd.failed_syscalls++; // add pids if (l->s.pid != -1) { ilist_add_if_uniq(&sd.pids, l->s.pid, 0); } // add anomalies if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG)) sd.anomalies++; if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG, AUDIT_LAST_KERN_ANOM_MSG)) sd.anomalies++; // add response to anomalies if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP)) sd.responses++; // add keys if (l->s.key) { const snode *sn; slist *sptr = l->s.key; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str && strcmp(sn->str, "(null)")) { slist_add_if_uniq(&sd.keys, sn->str); } sn=slist_next(sptr); } } }
static int per_event_summary(llist *l) { int rc = 0; switch (report_type) { case RPT_SUMMARY: do_summary_total(l); rc = 1; break; case RPT_AVC: if (list_find_msg(l, AUDIT_AVC)) { if (alist_find_avc(l->s.avc)) { do { slist_add_if_uniq(&sd.avc_objs, l->s.avc->cur->tcontext); } while (alist_next_avc(l->s.avc)); } } else { if (list_find_msg(l, AUDIT_USER_AVC)) { if (alist_find_avc(l->s.avc)) { do { slist_add_if_uniq( &sd.avc_objs, l->s.avc->cur->tcontext); } while (alist_next_avc( l->s.avc)); } } } break; case RPT_MAC: if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD, AUDIT_MAC_MAP_DEL)) { ilist_add_if_uniq(&sd.mac_list, l->head->type, 0); } else { if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG, AUDIT_LAST_USER_LSPP_MSG)) { ilist_add_if_uniq(&sd.mac_list, l->head->type, 0); } } break; case RPT_CONFIG: UNIMPLEMENTED; break; case RPT_AUTH: if (list_find_msg(l, AUDIT_USER_AUTH)) { if (l->s.loginuid == -2 && l->s.acct != NULL) slist_add_if_uniq(&sd.users, l->s.acct); else { char name[64]; slist_add_if_uniq(&sd.users, aulookup_uid(l->s.loginuid, name, sizeof(name)) ); } } else if (list_find_msg(l, AUDIT_USER_ACCT)) { // Only count the failures if (l->s.success == S_FAILED) { if (l->s.loginuid == -2 && l->s.acct != NULL) slist_add_if_uniq(&sd.users, l->s.acct); else { char name[64]; slist_add_if_uniq(&sd.users, aulookup_uid( l->s.loginuid, name, sizeof(name)) ); } } } break; case RPT_LOGIN: if (list_find_msg(l, AUDIT_USER_LOGIN)) { if (l->s.loginuid == -2 && l->s.acct != NULL) slist_add_if_uniq(&sd.users, l->s.acct); else { char name[64]; slist_add_if_uniq(&sd.users, aulookup_uid(l->s.loginuid, name, sizeof(name)) ); } } break; case RPT_ACCT_MOD: UNIMPLEMENTED; break; case RPT_EVENT: /* We will borrow the pid list */ if (l->head->type != -1) { ilist_add_if_uniq(&sd.pids, l->head->type, 0); } break; case RPT_FILE: if (l->s.filename) { const snode *sn; slist *sptr = l->s.filename; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str) slist_add_if_uniq(&sd.files, sn->str); sn=slist_next(sptr); } } break; case RPT_HOST: if (l->s.hostname) slist_add_if_uniq(&sd.hosts, l->s.hostname); break; case RPT_PID: if (l->s.pid != -1) { ilist_add_if_uniq(&sd.pids, l->s.pid, 0); } break; case RPT_SYSCALL: if (l->s.syscall > 0) { ilist_add_if_uniq(&sd.sys_list, l->s.syscall, l->s.arch); } break; case RPT_TERM: if (l->s.terminal) slist_add_if_uniq(&sd.terms, l->s.terminal); break; case RPT_USER: if (l->s.loginuid != -2) { char tmp[32]; snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid); slist_add_if_uniq(&sd.users, tmp); } break; case RPT_EXE: if (l->s.exe) slist_add_if_uniq(&sd.exes, l->s.exe); break; case RPT_ANOMALY: if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG)) { ilist_add_if_uniq(&sd.anom_list, l->head->type, 0); } else { if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG, AUDIT_LAST_KERN_ANOM_MSG)) { ilist_add_if_uniq(&sd.anom_list, l->head->type, 0); } } break; case RPT_RESPONSE: if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP)) { ilist_add_if_uniq(&sd.resp_list, l->head->type, 0); } break; case RPT_CRYPTO: if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG, AUDIT_LAST_KERN_CRYPTO_MSG)) { ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0); } else { if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG, AUDIT_LAST_CRYPTO_MSG)) { ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0); } } break; case RPT_KEY: if (l->s.key) { const snode *sn; slist *sptr = l->s.key; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str && strcmp(sn->str, "(null)")) slist_add_if_uniq(&sd.keys, sn->str); sn=slist_next(sptr); } } break; case RPT_TTY: UNIMPLEMENTED; break; default: break; } return rc; }
int match(llist *l) { // Are we within time range? if (start_time == 0 || l->e.sec >= start_time) { if (end_time == 0 || l->e.sec <= end_time) { if (event_id == -1 || event_id == l->e.serial) { // OK - do the heavier checking if (extract_search_items(l)) { return 0; } // perform additional tests for the field if (event_node_list) { const snode *sn; int found=0; slist *sptr = event_node_list; if (l->e.node == NULL) return 0; slist_first(sptr); sn=slist_get_cur(sptr); while (sn && !found) { if (sn->str && (!strcmp(sn->str, l->e.node))) found++; else sn=slist_next(sptr); } if (!found) return 0; } if (user_match(l) == 0) return 0; if (group_match(l) == 0) return 0; if ((event_ppid != -1) && (event_ppid != l->s.ppid)) return 0; if ((event_pid != -1) && (event_pid != l->s.pid)) return 0; if (event_machine != -1 && (event_machine != audit_elf_to_machine(l->s.arch))) return 0; if ((event_syscall != -1) && (event_syscall != l->s.syscall)) return 0; if ((event_session_id != -2) && (event_session_id != l->s.session_id)) return 0; if (event_exit_is_set) { if (l->s.exit_is_set == 0) return 0; if (event_exit != l->s.exit) return 0; } if ((event_success != S_UNSET) && (event_success != l->s.success)) return 0; // event_type requires looking at each item if (event_type != NULL) { int found = 0; const lnode *n; list_first(l); n = list_get_cur(l); do { int_node *in; ilist_first(event_type); in = ilist_get_cur(event_type); do { if (in->num == n->type){ found = 1; break; } } while((in = ilist_next(event_type))); if (found) break; } while ((n = list_next(l))); if (!found) return 0; } // Done all the easy compares, now do the // string searches. if (event_filename) { int found = 0; if (l->s.filename == NULL && l->s.cwd == NULL) return 0; if (l->s.filename) { const snode *sn; slist *sptr = l->s.filename; slist_first(sptr); sn=slist_get_cur(sptr); do { if (sn->str == NULL) return 0; if (strmatch( event_filename, sn->str)) { found = 1; break; } } while ((sn=slist_next(sptr))); if (!found && l->s.cwd == NULL) return 0; } if (l->s.cwd && !found) { /* Check cwd, too */ if (strmatch(event_filename, l->s.cwd) == 0) return 0; } } if (event_hostname) { if (l->s.hostname == NULL) return 0; if (strmatch(event_hostname, l->s.hostname) == 0) return 0; } if (event_terminal) { if (l->s.terminal == NULL) return 0; if (strmatch(event_terminal, l->s.terminal) == 0) return 0; } if (event_exe) { if (l->s.exe == NULL) return 0; if (strmatch(event_exe, l->s.exe) == 0) return 0; } if (event_comm) { if (l->s.comm == NULL) return 0; if (strmatch(event_comm, l->s.comm) == 0) return 0; } if (event_key) { if (l->s.key == NULL) return 0; else { int found = 0; const snode *sn; slist *sptr = l->s.key; slist_first(sptr); sn=slist_get_cur(sptr); do { if (sn->str == NULL) return 0; if (strmatch( event_key, sn->str)) { found = 1; break; } } while ((sn=slist_next(sptr))); if (!found) return 0; } } if (event_vmname) { if (l->s.vmname == NULL) return 0; if (strmatch(event_vmname, l->s.vmname) == 0) return 0; } if (event_uuid) { if (l->s.uuid == NULL) return 0; if (strmatch(event_uuid, l->s.uuid) == 0) return 0; } if (context_match(l) == 0) return 0; return 1; } } } return 0; }