// Returns < 0 on error, 0 no data, > 0 success int ausearch_next_event(auparse_state_t *au) { int rc; if (au->expr == NULL) { errno = EINVAL; return -1; } if (au->expr->started == 0) { if ((rc = auparse_first_record(au)) <= 0) return rc; au->expr->started = 1; } else { if ((rc = auparse_next_event(au)) <= 0) return rc; } do { do { if ((rc = ausearch_compare(au)) > 0) { ausearch_reposition_cursors(au); return 1; } else if (rc < 0) return rc; } while ((rc = auparse_next_record(au)) > 0); if (rc < 0) return rc; } while ((rc = auparse_next_event(au)) > 0); if (rc < 0) return rc; return 0; }
static void auparse_callback(auparse_state_t *_au, auparse_cb_event_t cb_event_type, void *user_data) { int *event_cnt = (int *)user_data; int num_records = auparse_get_num_records(_au); int record_cnt; if (cb_event_type == AUPARSE_CB_EVENT_READY) { if (auparse_first_record(_au) <= 0) { return; } record_cnt = 1; do { int audtype = return_audtype(auparse_get_type(_au)); switch(audtype) { case PLACE_OBJ: // au, event number:total rec in event:this num in event process_place_obj(_au, event_cnt, num_records, record_cnt); break; case USER_OBJ: process_user_obj(_au, event_cnt, num_records, record_cnt); break; case SYSCALL_OBJ: process_syscall_obj(_au, event_cnt, num_records, record_cnt); break; case SOCK_OBJ: process_sock_obj(_au, event_cnt, num_records, record_cnt); break; case EXECVE_OBJ: process_execv_obj(_au, event_cnt, num_records, record_cnt); break; case GENERIC_OBJ: process_generic_obj(_au, event_cnt, num_records, record_cnt); break; } const au_event_t *e = auparse_get_timestamp(_au); if (e == NULL) { return; } record_cnt++; } while(auparse_next_record(_au) > 0); // end of do (*event_cnt)++; } // end cb_event_type == AUPARSE_CB_EVENT_READY }
/* This function shows how to dump a whole event by iterating over records */ static void dump_whole_event(auparse_state_t *au) { auparse_first_record(au); do { printf("%s\n", auparse_get_record_text(au)); } while (auparse_next_record(au) > 0); printf("\n"); }
void auparse_dump_records(auparse_state_t *auparse, FILE *fp) { auparse_first_record(auparse); if (!fp) fp = stdout; fprintf(fp, "%s\n", auparse_get_record_text(auparse)); while (auparse_next_record(auparse)) { fprintf(fp, "%s\n", auparse_get_record_text(auparse)); } }
int auparse_exhaustive_find_field(auparse_state_t *auparse, const char *field) { const char *status; auparse_first_record(auparse); auparse_first_field(auparse); status = auparse_find_field(auparse, field); while (!status && auparse_next_record(auparse)) { status = auparse_find_field(auparse, field); } return (status ? 1 : 0); }
/* * auparse library callback that's called when an event is ready */ void push_event(auparse_state_t * au, auparse_cb_event_t cb_event_type, void *user_data) { int rc; BerElement *ber; int qualifier; char timestamp[26]; char linkValue[ZOS_REMOTE_LINK_VALUE_SIZE]; char logString[ZOS_REMOTE_LOGSTRING_SIZE]; unsigned long linkValue_tmp; if (cb_event_type != AUPARSE_CB_EVENT_READY) return; const au_event_t *e = auparse_get_timestamp(au); if (e == NULL) return; /* * we have an event. Each record will result in a different 'Item' * (refer ASN.1 definition in zos-remote-ldap.h) */ /* * Create a new BER element to encode the request */ ber = ber_alloc_t(LBER_USE_DER); if (ber == NULL) { log_err("Error allocating memory for BER element"); goto fatal; } /* * Collect some information to fill in every item */ const char *node = auparse_get_node(au); const char *orig_type = auparse_find_field(au, "type"); /* roll back event to get 'success' */ auparse_first_record(au); const char *success = auparse_find_field(au, "success"); /* roll back event to get 'res' */ auparse_first_record(au); const char *res = auparse_find_field(au, "res"); /* check if this event is a success or failure one */ if (success) { if (strncmp(success, "0", 1) == 0 || strncmp(success, "no", 2) == 0) qualifier = ZOS_REMOTE_QUALIF_FAIL; else qualifier = ZOS_REMOTE_QUALIF_SUCCESS; } else if (res) { if (strncmp(res, "0", 1) == 0 || strncmp(res, "failed", 6) == 0) qualifier = ZOS_REMOTE_QUALIF_FAIL; else qualifier = ZOS_REMOTE_QUALIF_SUCCESS; } else qualifier = ZOS_REMOTE_QUALIF_INFO; /* get timestamp text */ ctime_r(&e->sec, timestamp); timestamp[24] = '\0'; /* strip \n' */ /* prepare linkValue which will be used for every item */ linkValue_tmp = htonl(e->serial); /* padronize to use network * byte order */ memset(&linkValue, 0, ZOS_REMOTE_LINK_VALUE_SIZE); memcpy(&linkValue, &linkValue_tmp, sizeof(unsigned long)); /* * Prepare the logString with some meaningful text * We assume the first record type found is the * 'originating' audit record */ sprintf(logString, "Linux (%s): type: %s", node, orig_type); /* * Start writing to BER element. * There's only one field (version) out of the item sequence. * Also open item sequence */ rc = ber_printf(ber, "{i{", ICTX_REQUESTVER); if (rc < 0) goto skip_event; /* * Roll back to first record and iterate through all records */ auparse_first_record(au); do { const char *type = auparse_find_field(au, "type"); if (type == NULL) goto skip_event; log_debug("got record: %s", auparse_get_record_text(au)); /* * First field is item Version, same as global version */ rc = ber_printf(ber, "{i", ICTX_REQUESTVER); /* * Second field is the itemTag * use our internal event counter, increasing it */ rc |= ber_printf(ber, "i", conf.counter++); /* * Third field is the linkValue * using ber_put_ostring since it is not null-terminated */ rc |= ber_put_ostring(ber, linkValue, ZOS_REMOTE_LINK_VALUE_SIZE, LBER_OCTETSTRING); /* * Fourth field is the violation * Don't have anything better yet to put here */ rc |= ber_printf(ber, "b", 0); /* * Fifth field is the event. * FIXME: this might be the place to switch on the * audit record type and map to a more meaningful * SMF type 83, subtype 4 event here */ rc |= ber_printf(ber, "i", ZOS_REMOTE_EVENT_AUTHORIZATION); /* * Sixth field is the qualifier. We map 'success' or * 'res' to this field */ rc |= ber_printf(ber, "i", qualifier); /* * Seventh field is the Class * always use '@LINUX' for this version * max size ZOS_REMOTE_CLASS_SIZE */ rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s", "@LINUX"); /* * Eighth field is the resource * use the record type (name) as the resource * max size ZOS_REMOTE_RESOURCE_SIZE */ rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s", type); /* * Nineth field is the LogString * we try to put something meaningful here * we also start the relocations sequence */ rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s{", logString); /* * Now we start adding the relocations. * Let's add the timestamp as the first one * so it's out of the field loop */ rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_TIMESTAMP); rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s}", timestamp); /* * Check that encoding is going OK until now */ if (rc < 0) goto skip_event; /* * Now go to first field, * and iterate through all fields */ auparse_first_field(au); do { /* * we set a maximum of 1024 chars for * relocation data (field=value pairs) * Hopefuly this wont overflow too often */ char data[1024]; const char *name = auparse_get_field_name(au); const char *value = auparse_interpret_field(au); if (name == NULL || value == NULL) goto skip_event; /* * First reloc field is the Relocation type * We use 'OTHER' here since we don't have * anything better */ rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_OTHER); /* * Second field is the relocation data * We use a 'name=value' pair here * Use up to 1023 chars (one char left for '\0') */ snprintf(data, 1023, "%s=%s", name, value); rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG); rc |= ber_printf(ber, "s}", data); /* * Check encoding status */ if (rc < 0) goto skip_event; } while (auparse_next_field(au) > 0); /* * After adding all relocations we are done with * this item - finalize relocs and item */ rc |= ber_printf(ber, "}}"); /* * Check if we are doing well with encoding */ if (rc < 0) goto skip_event; } while (auparse_next_record(au) > 0); /* * We have all items in - finalize item sequence & request */ rc |= ber_printf(ber, "}}"); /* * Check if everything went alright with encoding */ if (rc < 0) goto skip_event; /* * finally, enqueue request and let the other * thread process it */ log_debug("Encoding done, enqueuing event"); enqueue(ber); return; skip_event: log_warn("Warning - error encoding request, skipping event"); ber_free(ber, 1); /* free it since we're not enqueuing it */ return; fatal: log_err("Error - Fatal error while encoding request. Aborting"); stop = 1; }
/* * auparse_callback - callback routine to be executed once a complete event is composed */ void auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type, void *user_data) { int *event_cnt = (int *) user_data; if (cb_event_type == AUPARSE_CB_EVENT_READY) { if (auparse_first_record(au) <= 0) return; /* If no first record, then no event ! */ if (!(flags & F_CHECK)) printf("event=%d records=%d\n", *event_cnt, auparse_get_num_records(au)); do { const au_event_t *e = auparse_get_timestamp(au); if (e == NULL) return; /* If no timestamp, then no event */ /* If checking, we just emit the raw record again */ if (flags & F_CHECK) { if (e->host != NULL) printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):", e->host, auparse_get_type_name(au), (unsigned) e->sec, e->milli, e->serial); else printf("type=%s msg=audit(%u.%3.3u:%lu):", auparse_get_type_name(au), (unsigned) e->sec, e->milli, e->serial); auparse_first_field(au); /* Move to first field */ do { const char *fname = auparse_get_field_name(au); /* We ignore the node and type fields */ if (strcmp(fname, "type") == 0 || strcmp(fname, "node") == 0) continue; printf(" %s=%s", fname, auparse_get_field_str(au)); } while (auparse_next_field(au) > 0); printf("\n"); continue; } printf("fields=%d\t", auparse_get_num_fields(au)); printf("type=%d (%s) ", auparse_get_type(au), auparse_get_type_name(au)); printf("event_tid=%u.%3.3u:%lu ", (unsigned) e->sec, e->milli, e->serial); if (flags & F_VERBOSE) { char *fv, *ifv = NULL; auparse_first_field(au); /* Move to first field */ do { fv = (char *) auparse_get_field_str(au); ifv = (char *) auparse_interpret_field(au); printf("%s=", auparse_get_field_name(au)); print_escape(stdout, fv, "=()"); printf(" ("); print_escape(stdout, ifv, "=()"); printf(") "); } while (auparse_next_field(au) > 0); } printf("\n"); } while (auparse_next_record(au) > 0); (*event_cnt)++; } }