// Returns < 0 on error, 0 no data, > 0 success
int ausearch_next_event(auparse_state_t *au)
{
int rc;
if (au->expr == NULL) {
errno = EINVAL;
return -1;
}
if (au->expr->started == 0) {
if ((rc = auparse_first_record(au)) <= 0)
return rc;
au->expr->started = 1;
} else {
if ((rc = auparse_next_event(au)) <= 0)
return rc;
}
do {
do {
if ((rc = ausearch_compare(au)) > 0) {
ausearch_reposition_cursors(au);
return 1;
} else if (rc < 0)
return rc;
} while ((rc = auparse_next_record(au)) > 0);
if (rc < 0)
return rc;
} while ((rc = auparse_next_event(au)) > 0);
if (rc < 0)
return rc;
return 0;
}
static void auparse_callback(auparse_state_t *_au, auparse_cb_event_t cb_event_type, void *user_data)
{
int *event_cnt = (int *)user_data;
int num_records = auparse_get_num_records(_au);
int record_cnt;
if (cb_event_type == AUPARSE_CB_EVENT_READY) {
if (auparse_first_record(_au) <= 0) {
return;
}
record_cnt = 1;
do {
int audtype = return_audtype(auparse_get_type(_au));
switch(audtype) {
case PLACE_OBJ:
// au, event number:total rec in event:this num in event
process_place_obj(_au, event_cnt, num_records, record_cnt);
break;
case USER_OBJ:
process_user_obj(_au, event_cnt, num_records, record_cnt);
break;
case SYSCALL_OBJ:
process_syscall_obj(_au, event_cnt, num_records, record_cnt);
break;
case SOCK_OBJ:
process_sock_obj(_au, event_cnt, num_records, record_cnt);
break;
case EXECVE_OBJ:
process_execv_obj(_au, event_cnt, num_records, record_cnt);
break;
case GENERIC_OBJ:
process_generic_obj(_au, event_cnt, num_records, record_cnt);
break;
}
const au_event_t *e = auparse_get_timestamp(_au);
if (e == NULL) {
return;
}
record_cnt++;
} while(auparse_next_record(_au) > 0); // end of do
(*event_cnt)++;
} // end cb_event_type == AUPARSE_CB_EVENT_READY
}
/* This function shows how to dump a whole event by iterating over records */
static void dump_whole_event(auparse_state_t *au)
{
auparse_first_record(au);
do {
printf("%s\n", auparse_get_record_text(au));
} while (auparse_next_record(au) > 0);
printf("\n");
}
void auparse_dump_records(auparse_state_t *auparse, FILE *fp) {
auparse_first_record(auparse);
if (!fp) fp = stdout;
fprintf(fp, "%s\n", auparse_get_record_text(auparse));
while (auparse_next_record(auparse)) {
fprintf(fp, "%s\n", auparse_get_record_text(auparse));
}
}
int auparse_exhaustive_find_field(auparse_state_t *auparse, const char *field) {
const char *status;
auparse_first_record(auparse);
auparse_first_field(auparse);
status = auparse_find_field(auparse, field);
while (!status && auparse_next_record(auparse)) {
status = auparse_find_field(auparse, field);
}
return (status ? 1 : 0);
}
/*
* auparse library callback that's called when an event is ready
*/
void
push_event(auparse_state_t * au, auparse_cb_event_t cb_event_type,
void *user_data)
{
int rc;
BerElement *ber;
int qualifier;
char timestamp[26];
char linkValue[ZOS_REMOTE_LINK_VALUE_SIZE];
char logString[ZOS_REMOTE_LOGSTRING_SIZE];
unsigned long linkValue_tmp;
if (cb_event_type != AUPARSE_CB_EVENT_READY)
return;
const au_event_t *e = auparse_get_timestamp(au);
if (e == NULL)
return;
/*
* we have an event. Each record will result in a different 'Item'
* (refer ASN.1 definition in zos-remote-ldap.h)
*/
/*
* Create a new BER element to encode the request
*/
ber = ber_alloc_t(LBER_USE_DER);
if (ber == NULL) {
log_err("Error allocating memory for BER element");
goto fatal;
}
/*
* Collect some information to fill in every item
*/
const char *node = auparse_get_node(au);
const char *orig_type = auparse_find_field(au, "type");
/* roll back event to get 'success' */
auparse_first_record(au);
const char *success = auparse_find_field(au, "success");
/* roll back event to get 'res' */
auparse_first_record(au);
const char *res = auparse_find_field(au, "res");
/* check if this event is a success or failure one */
if (success) {
if (strncmp(success, "0", 1) == 0 ||
strncmp(success, "no", 2) == 0)
qualifier = ZOS_REMOTE_QUALIF_FAIL;
else
qualifier = ZOS_REMOTE_QUALIF_SUCCESS;
} else if (res) {
if (strncmp(res, "0", 1) == 0
|| strncmp(res, "failed", 6) == 0)
qualifier = ZOS_REMOTE_QUALIF_FAIL;
else
qualifier = ZOS_REMOTE_QUALIF_SUCCESS;
} else
qualifier = ZOS_REMOTE_QUALIF_INFO;
/* get timestamp text */
ctime_r(&e->sec, timestamp);
timestamp[24] = '\0'; /* strip \n' */
/* prepare linkValue which will be used for every item */
linkValue_tmp = htonl(e->serial); /* padronize to use network
* byte order
*/
memset(&linkValue, 0, ZOS_REMOTE_LINK_VALUE_SIZE);
memcpy(&linkValue, &linkValue_tmp, sizeof(unsigned long));
/*
* Prepare the logString with some meaningful text
* We assume the first record type found is the
* 'originating' audit record
*/
sprintf(logString, "Linux (%s): type: %s", node, orig_type);
/*
* Start writing to BER element.
* There's only one field (version) out of the item sequence.
* Also open item sequence
*/
rc = ber_printf(ber, "{i{", ICTX_REQUESTVER);
if (rc < 0)
goto skip_event;
/*
* Roll back to first record and iterate through all records
*/
auparse_first_record(au);
do {
const char *type = auparse_find_field(au, "type");
if (type == NULL)
goto skip_event;
log_debug("got record: %s", auparse_get_record_text(au));
/*
* First field is item Version, same as global version
*/
rc = ber_printf(ber, "{i", ICTX_REQUESTVER);
/*
* Second field is the itemTag
* use our internal event counter, increasing it
*/
rc |= ber_printf(ber, "i", conf.counter++);
/*
* Third field is the linkValue
* using ber_put_ostring since it is not null-terminated
*/
rc |= ber_put_ostring(ber, linkValue,
ZOS_REMOTE_LINK_VALUE_SIZE,
LBER_OCTETSTRING);
/*
* Fourth field is the violation
* Don't have anything better yet to put here
*/
rc |= ber_printf(ber, "b", 0);
/*
* Fifth field is the event.
* FIXME: this might be the place to switch on the
* audit record type and map to a more meaningful
* SMF type 83, subtype 4 event here
*/
rc |= ber_printf(ber, "i", ZOS_REMOTE_EVENT_AUTHORIZATION);
/*
* Sixth field is the qualifier. We map 'success' or
* 'res' to this field
*/
rc |= ber_printf(ber, "i", qualifier);
/*
* Seventh field is the Class
* always use '@LINUX' for this version
* max size ZOS_REMOTE_CLASS_SIZE
*/
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s", "@LINUX");
/*
* Eighth field is the resource
* use the record type (name) as the resource
* max size ZOS_REMOTE_RESOURCE_SIZE
*/
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s", type);
/*
* Nineth field is the LogString
* we try to put something meaningful here
* we also start the relocations sequence
*/
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s{", logString);
/*
* Now we start adding the relocations.
* Let's add the timestamp as the first one
* so it's out of the field loop
*/
rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_TIMESTAMP);
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s}", timestamp);
/*
* Check that encoding is going OK until now
*/
if (rc < 0)
goto skip_event;
/*
* Now go to first field,
* and iterate through all fields
*/
auparse_first_field(au);
do {
/*
* we set a maximum of 1024 chars for
* relocation data (field=value pairs)
* Hopefuly this wont overflow too often
*/
char data[1024];
const char *name = auparse_get_field_name(au);
const char *value = auparse_interpret_field(au);
if (name == NULL || value == NULL)
goto skip_event;
/*
* First reloc field is the Relocation type
* We use 'OTHER' here since we don't have
* anything better
*/
rc |= ber_printf(ber, "{i", ZOS_REMOTE_RELOC_OTHER);
/*
* Second field is the relocation data
* We use a 'name=value' pair here
* Use up to 1023 chars (one char left for '\0')
*/
snprintf(data, 1023, "%s=%s", name, value);
rc |= ber_printf(ber, "t", ASN1_IA5STRING_TAG);
rc |= ber_printf(ber, "s}", data);
/*
* Check encoding status
*/
if (rc < 0)
goto skip_event;
} while (auparse_next_field(au) > 0);
/*
* After adding all relocations we are done with
* this item - finalize relocs and item
*/
rc |= ber_printf(ber, "}}");
/*
* Check if we are doing well with encoding
*/
if (rc < 0)
goto skip_event;
} while (auparse_next_record(au) > 0);
/*
* We have all items in - finalize item sequence & request
*/
rc |= ber_printf(ber, "}}");
/*
* Check if everything went alright with encoding
*/
if (rc < 0)
goto skip_event;
/*
* finally, enqueue request and let the other
* thread process it
*/
log_debug("Encoding done, enqueuing event");
enqueue(ber);
return;
skip_event:
log_warn("Warning - error encoding request, skipping event");
ber_free(ber, 1); /* free it since we're not enqueuing it */
return;
fatal:
log_err("Error - Fatal error while encoding request. Aborting");
stop = 1;
}
/*
* auparse_callback - callback routine to be executed once a complete event is composed
*/
void
auparse_callback(auparse_state_t * au, auparse_cb_event_t cb_event_type,
void *user_data)
{
int *event_cnt = (int *) user_data;
if (cb_event_type == AUPARSE_CB_EVENT_READY) {
if (auparse_first_record(au) <= 0)
return; /* If no first record, then no event ! */
if (!(flags & F_CHECK))
printf("event=%d records=%d\n", *event_cnt,
auparse_get_num_records(au));
do {
const au_event_t *e = auparse_get_timestamp(au);
if (e == NULL)
return; /* If no timestamp, then no event */
/* If checking, we just emit the raw record again
*/
if (flags & F_CHECK) {
if (e->host != NULL)
printf("node=%s type=%s msg=audit(%u.%3.3u:%lu):",
e->host, auparse_get_type_name(au),
(unsigned) e->sec, e->milli, e->serial);
else
printf("type=%s msg=audit(%u.%3.3u:%lu):",
auparse_get_type_name(au),
(unsigned) e->sec, e->milli, e->serial);
auparse_first_field(au); /* Move to first field */
do {
const char *fname = auparse_get_field_name(au);
/* We ignore the node and type fields */
if (strcmp(fname, "type") == 0
|| strcmp(fname, "node") == 0)
continue;
printf(" %s=%s", fname, auparse_get_field_str(au));
} while (auparse_next_field(au) > 0);
printf("\n");
continue;
}
printf("fields=%d\t", auparse_get_num_fields(au));
printf("type=%d (%s) ", auparse_get_type(au),
auparse_get_type_name(au));
printf("event_tid=%u.%3.3u:%lu ",
(unsigned) e->sec, e->milli, e->serial);
if (flags & F_VERBOSE) {
char *fv, *ifv = NULL;
auparse_first_field(au); /* Move to first field */
do {
fv = (char *) auparse_get_field_str(au);
ifv = (char *) auparse_interpret_field(au);
printf("%s=", auparse_get_field_name(au));
print_escape(stdout, fv, "=()");
printf(" (");
print_escape(stdout, ifv, "=()");
printf(") ");
}
while (auparse_next_field(au) > 0);
}
printf("\n");
}
while (auparse_next_record(au) > 0);
(*event_cnt)++;
}
}
