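/*
 * Summary helper: record the account behind an AUDIT_USER_AUTH,
 * AUDIT_USER_ACCT or AUDIT_USER_LOGIN event in sd.users.
 *
 * When the event carries no loginuid (-2 here is treated as "unset")
 * but names an account, the account string is recorded; otherwise the
 * loginuid is resolved to a name with aulookup_uid().
 */
static void summary_add_account(llist *l)
{
	if (l->s.loginuid == -2 && l->s.acct != NULL) {
		slist_add_if_uniq(&sd.users, l->s.acct);
	} else {
		char name[64];
		slist_add_if_uniq(&sd.users,
			aulookup_uid(l->s.loginuid, name, sizeof(name)));
	}
}

/*
 * Summary helper: add every non-NULL string of the slist 'src' to the
 * summary list 'dst'.  When skip_null_literal is non-zero a string
 * that is exactly "(null)" is ignored as well (the key report does
 * this, the file report does not).
 */
static void summary_add_strings(slist *src, slist *dst, int skip_null_literal)
{
	slist_first(src);
	for (const snode *sn = slist_get_cur(src); sn; sn = slist_next(src)) {
		if (sn->str == NULL)
			continue;
		if (skip_null_literal && strcmp(sn->str, "(null)") == 0)
			continue;
		slist_add_if_uniq(dst, sn->str);
	}
}

/*
 * Summary pass for one event.
 *
 * Depending on the global report_type, the attributes of the event in
 * 'l' that matter for that report are folded into the global summary
 * lists in 'sd'.  Returns 1 only when the event was handed to
 * do_summary_total() (RPT_SUMMARY); every other report type returns 0.
 */
static int per_event_summary(llist *l)
{
	int rc = 0;

	switch (report_type) {
	case RPT_SUMMARY:
		do_summary_total(l);
		rc = 1;
		break;
	case RPT_AVC:
		/* kernel and user-space AVCs are summarised identically */
		if (list_find_msg(l, AUDIT_AVC) ||
		    list_find_msg(l, AUDIT_USER_AVC)) {
			if (alist_find_avc(l->s.avc)) {
				do {
					slist_add_if_uniq(&sd.avc_objs,
						l->s.avc->cur->tcontext);
				} while (alist_next_avc(l->s.avc));
			}
		}
		break;
	case RPT_MAC:
		/* NOTE(review): this range ends at AUDIT_MAC_MAP_DEL while
		 * the detailed and total passes end theirs at
		 * AUDIT_MAC_UNLBL_STCDEL - confirm which is intended. */
		if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
					AUDIT_MAC_MAP_DEL) ||
		    list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
					AUDIT_LAST_USER_LSPP_MSG))
			ilist_add_if_uniq(&sd.mac_list, l->head->type, 0);
		break;
	case RPT_CONFIG:
		UNIMPLEMENTED;
		break;
	case RPT_AUTH:
		if (list_find_msg(l, AUDIT_USER_AUTH)) {
			summary_add_account(l);
		} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
			/* only failed account checks are counted */
			if (l->s.success == S_FAILED)
				summary_add_account(l);
		}
		break;
	case RPT_LOGIN:
		if (list_find_msg(l, AUDIT_USER_LOGIN))
			summary_add_account(l);
		break;
	case RPT_ACCT_MOD:
		UNIMPLEMENTED;
		break;
	case RPT_EVENT:
		/* the event report borrows the pid list to count types */
		if (l->head->type != -1)
			ilist_add_if_uniq(&sd.pids, l->head->type, 0);
		break;
	case RPT_FILE:
		if (l->s.filename)
			summary_add_strings(l->s.filename, &sd.files, 0);
		break;
	case RPT_HOST:
		if (l->s.hostname)
			slist_add_if_uniq(&sd.hosts, l->s.hostname);
		break;
	case RPT_PID:
		if (l->s.pid != -1)
			ilist_add_if_uniq(&sd.pids, l->s.pid, 0);
		break;
	case RPT_SYSCALL:
		/* the syscall number is keyed together with the arch */
		if (l->s.syscall > 0)
			ilist_add_if_uniq(&sd.sys_list, l->s.syscall,
					  l->s.arch);
		break;
	case RPT_TERM:
		if (l->s.terminal)
			slist_add_if_uniq(&sd.terms, l->s.terminal);
		break;
	case RPT_USER:
		/* NOTE(review): -2 is the "unset" sentinel here, whereas
		 * do_summary_total() tests loginuid against -1 - confirm
		 * which value the parser really uses for "no loginuid". */
		if (l->s.loginuid != -2) {
			char tmp[32];
			snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid);
			slist_add_if_uniq(&sd.users, tmp);
		}
		break;
	case RPT_EXE:
		if (l->s.exe)
			slist_add_if_uniq(&sd.exes, l->s.exe);
		break;
	case RPT_ANOMALY:
		if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
					AUDIT_LAST_ANOM_MSG) ||
		    list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
					AUDIT_LAST_KERN_ANOM_MSG))
			ilist_add_if_uniq(&sd.anom_list, l->head->type, 0);
		break;
	case RPT_RESPONSE:
		if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
					AUDIT_LAST_ANOM_RESP))
			ilist_add_if_uniq(&sd.resp_list, l->head->type, 0);
		break;
	case RPT_CRYPTO:
		if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
					AUDIT_LAST_KERN_CRYPTO_MSG) ||
		    list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
					AUDIT_LAST_CRYPTO_MSG))
			ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0);
		break;
	case RPT_KEY:
		/* a literal "(null)" key is not a real key and is skipped */
		if (l->s.key)
			summary_add_strings(l->s.key, &sd.keys, 1);
		break;
	case RPT_TTY:
		UNIMPLEMENTED;
		break;
	default:
		break;
	}
	return rc;
}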
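/*
 * Detailed pass for one event.
 *
 * Decides whether the event in 'l' belongs in the report selected by
 * the globals report_type and report_detail; if it does, the event is
 * printed with print_per_event_item().  Returns 1 when the event was
 * printed, 0 otherwise.  The "specific" variants (report_detail other
 * than D_DETAILED) of several reports are still UNIMPLEMENTED and print
 * nothing.
 *
 * The decision is collected in 'matched' and the print is issued once
 * at the end; nothing touches 'l' between the search and the print, so
 * the cursor position seen by print_per_event_item() is unchanged.
 */
static int per_event_detailed(llist *l)
{
	int matched = 0;

	switch (report_type) {
	case RPT_AVC:
		matched = list_find_msg(l, AUDIT_AVC) ||
			  list_find_msg(l, AUDIT_USER_AVC);
		break;
	case RPT_MAC:
		if (report_detail == D_DETAILED)
			matched = list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
						      AUDIT_MAC_UNLBL_STCDEL) ||
				  list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
						      AUDIT_LAST_USER_LSPP_MSG);
		break;
	case RPT_CONFIG:
		matched = list_find_msg(l, AUDIT_CONFIG_CHANGE) ||
			  list_find_msg(l, AUDIT_DAEMON_CONFIG) ||
			  list_find_msg(l, AUDIT_USYS_CONFIG) ||
			  list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
					      AUDIT_MAC_UNLBL_STCDEL);
		break;
	case RPT_AUTH:
		if (list_find_msg(l, AUDIT_USER_AUTH))
			matched = 1;
		else if (list_find_msg(l, AUDIT_USER_ACCT))
			/* only failed account checks are reported */
			matched = (l->s.success == S_FAILED) ? 1 : 0;
		break;
	case RPT_LOGIN:
		matched = list_find_msg(l, AUDIT_USER_LOGIN) ? 1 : 0;
		break;
	case RPT_ACCT_MOD:
		matched = list_find_msg(l, AUDIT_USER_CHAUTHTOK) ||
			  list_find_msg_range(l, AUDIT_ADD_USER,
					      AUDIT_DEL_GROUP) ||
			  list_find_msg(l, AUDIT_CHGRP_ID) ||
			  list_find_msg_range(l, AUDIT_ROLE_ASSIGN,
					      AUDIT_ROLE_REMOVE);
		break;
	case RPT_EVENT:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = 1;
		} else {
			/* specific event report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_FILE:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = l->s.filename ? 1 : 0;
		} else {
			/* specific file report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_HOST:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = l->s.hostname ? 1 : 0;
		} else {
			/* specific host report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_PID:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = (l->s.pid >= 0) ? 1 : 0;
		} else {
			/* specific pid report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_SYSCALL:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = l->s.syscall ? 1 : 0;
		} else {
			/* specific syscall report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_TERM:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = l->s.terminal ? 1 : 0;
		} else {
			/* specific terminal report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_USER:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = (l->s.uid != -1) ? 1 : 0;
		} else {
			/* specific user report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_EXE:
		list_first(l);
		if (report_detail == D_DETAILED) {
			matched = l->s.exe ? 1 : 0;
		} else {
			/* specific exe report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_ANOMALY:
		if (report_detail == D_DETAILED) {
			matched = list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG,
						      AUDIT_LAST_ANOM_MSG) ||
				  list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
						      AUDIT_LAST_KERN_ANOM_MSG);
		} else {
			/* FIXME: specific anom report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_RESPONSE:
		if (report_detail == D_DETAILED) {
			matched = list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
						      AUDIT_LAST_ANOM_RESP) ? 1 : 0;
		} else {
			/* FIXME: specific resp report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_CRYPTO:
		if (report_detail == D_DETAILED) {
			matched = list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
						      AUDIT_LAST_KERN_CRYPTO_MSG) ||
				  list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
						      AUDIT_LAST_CRYPTO_MSG);
		} else {
			/* FIXME: specific crypto report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_KEY:
		list_first(l);
		if (report_detail == D_DETAILED) {
			if (l->s.key) {
				const snode *first;

				slist_first(l->s.key);
				first = l->s.key->cur;
				/* guard an empty list and a NULL string the
				 * same way the summary pass does; a literal
				 * "(null)" key is not reported */
				if (first && first->str &&
				    strcmp(first->str, "(null)") != 0)
					matched = 1;
			}
		} else {
			/* specific key report */
			UNIMPLEMENTED;
		}
		break;
	case RPT_TTY:
		matched = (l->head->type == AUDIT_TTY) ? 1 : 0;
		break;
	default:
		break;
	}

	if (matched)
		print_per_event_item(l);
	return matched ? 1 : 0;
}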
/*
 * Fold one event into the global 'sd' totals used by the summary
 * report: the event count, configuration and account changes, crypto
 * events, login and authentication outcomes, AVCs, MAC events, failed
 * syscalls, anomalies and responses, plus the unique-value lists
 * (users, terminals, hosts, executables, files, pids, keys).
 *
 * The searches are issued in a fixed order and list_first() rewinds
 * the event cursor in front of some of the range searches; that order
 * is part of the behaviour and must be kept.
 */
static void do_summary_total(llist *l)
{
	sd.events++;

	/* configuration changes */
	if (list_find_msg(l, AUDIT_CONFIG_CHANGE))
		sd.changes++;
	if (list_find_msg(l, AUDIT_DAEMON_CONFIG))
		sd.changes++;
	if (list_find_msg(l, AUDIT_USYS_CONFIG))
		sd.changes++;
	list_first(l);
	if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
				AUDIT_MAC_UNLBL_STCDEL))
		sd.changes++;

	/* account changes */
	if (list_find_msg(l, AUDIT_USER_CHAUTHTOK))
		sd.acct_changes++;
	if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP))
		sd.acct_changes++;
	if (list_find_msg(l, AUDIT_CHGRP_ID))
		sd.acct_changes++;
	list_first(l);
	if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE))
		sd.acct_changes++;

	/* crypto events, kernel first then user space */
	list_first(l);
	if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
				AUDIT_LAST_KERN_CRYPTO_MSG))
		sd.crypto++;
	if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG,
				AUDIT_LAST_CRYPTO_MSG))
		sd.crypto++;

	/* logins, split by outcome */
	if (list_find_msg(l, AUDIT_USER_LOGIN)) {
		switch (l->s.success) {
		case S_SUCCESS:
			sd.good_logins++;
			break;
		case S_FAILED:
			sd.bad_logins++;
			break;
		default:
			break;
		}
	}

	/* authentication: user auth, account checks (failures only),
	 * group auth - first match wins */
	if (list_find_msg(l, AUDIT_USER_AUTH)) {
		switch (l->s.success) {
		case S_SUCCESS:
			sd.good_auth++;
			break;
		case S_FAILED:
			sd.bad_auth++;
			break;
		default:
			break;
		}
	} else if (list_find_msg(l, AUDIT_USER_ACCT)) {
		if (l->s.success == S_FAILED)
			sd.bad_auth++;
	} else if (list_find_msg(l, AUDIT_GRP_AUTH)) {
		switch (l->s.success) {
		case S_SUCCESS:
			sd.good_auth++;
			break;
		case S_FAILED:
			sd.bad_auth++;
			break;
		default:
			break;
		}
	}

	/* unique users, keyed by the numeric loginuid
	 * NOTE(review): -1 is the sentinel here, but per_event_summary()
	 * treats -2 as "unset" - confirm which value the parser uses. */
	if (l->s.loginuid != -1) {
		char uidstr[32];
		snprintf(uidstr, sizeof(uidstr), "%d", l->s.loginuid);
		slist_add_if_uniq(&sd.users, uidstr);
	}

	/* unique terminals, hosts and executables */
	if (l->s.terminal)
		slist_add_if_uniq(&sd.terms, l->s.terminal);
	if (l->s.hostname)
		slist_add_if_uniq(&sd.hosts, l->s.hostname);
	if (l->s.exe)
		slist_add_if_uniq(&sd.exes, l->s.exe);

	/* unique files: every non-NULL name of the event's file list */
	if (l->s.filename) {
		slist *names = l->s.filename;
		slist_first(names);
		for (const snode *node = slist_get_cur(names); node;
		     node = slist_next(names)) {
			if (node->str)
				slist_add_if_uniq(&sd.files, node->str);
		}
	}

	/* AVCs, kernel or user space */
	if (list_find_msg(l, AUDIT_AVC))
		sd.avcs++;
	else if (list_find_msg(l, AUDIT_USER_AVC))
		sd.avcs++;

	/* MAC events */
	list_first(l);
	if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD,
				AUDIT_MAC_UNLBL_STCDEL))
		sd.mac++;
	if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG,
				AUDIT_LAST_USER_LSPP_MSG))
		sd.mac++;

	/* failed syscalls */
	if (l->s.success == S_FAILED && l->s.syscall > 0)
		sd.failed_syscalls++;

	/* unique pids */
	if (l->s.pid != -1)
		ilist_add_if_uniq(&sd.pids, l->s.pid, 0);

	/* anomalies and responses to them */
	if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG))
		sd.anomalies++;
	if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG,
				AUDIT_LAST_KERN_ANOM_MSG))
		sd.anomalies++;
	if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP,
				AUDIT_LAST_ANOM_RESP))
		sd.responses++;

	/* unique keys; a literal "(null)" key is not a real key */
	if (l->s.key) {
		slist *keys = l->s.key;
		slist_first(keys);
		for (const snode *node = slist_get_cur(keys); node;
		     node = slist_next(keys)) {
			if (node->str && strcmp(node->str, "(null)") != 0)
				slist_add_if_uniq(&sd.keys, node->str);
		}
	}
}