int main(void) { int i = 0; ilist e; int_node *node; ilist_create(&e); ilist_add_if_uniq(&e, 6, 0); ilist_add_if_uniq(&e, 5, 0); ilist_add_if_uniq(&e, 7, 0); ilist_add_if_uniq(&e, 1, 0); ilist_add_if_uniq(&e, 8, 0); ilist_add_if_uniq(&e, 2, 0); ilist_add_if_uniq(&e, 9, 0); ilist_add_if_uniq(&e, 0, 0); ilist_add_if_uniq(&e, 4, 0); ilist_add_if_uniq(&e, 3, 0); ilist_first(&e); do { node = ilist_get_cur(&e); if (i != node->num) { printf("Test failed - i:%d != num:%d\n", i, node->num); return 1; } i++; } while ((node = ilist_next(&e))); ilist_clear(&e); printf("ilist test passed\n"); return 0; }
int main(void) { int i = 0; ilist e; int_node *node; ilist_create(&e); // This first test checks to see if list is // created in a numeric order ilist_add_if_uniq(&e, 6, 0); ilist_add_if_uniq(&e, 5, 0); ilist_add_if_uniq(&e, 7, 0); ilist_add_if_uniq(&e, 1, 0); ilist_add_if_uniq(&e, 8, 0); ilist_add_if_uniq(&e, 2, 0); ilist_add_if_uniq(&e, 9, 0); ilist_add_if_uniq(&e, 0, 0); ilist_add_if_uniq(&e, 4, 0); ilist_add_if_uniq(&e, 3, 0); ilist_first(&e); do { node = ilist_get_cur(&e); if (i != node->num) { printf("Test failed - i:%d != num:%d\n", i, node->num); return 1; } i++; } while ((node = ilist_next(&e))); ilist_clear(&e); puts("starting sort test"); // Now test to see if the sort function works // Fill the list exactly backwards ilist_add_if_uniq(&e, 3, 0); ilist_add_if_uniq(&e, 3, 0); ilist_add_if_uniq(&e, 4, 0); ilist_add_if_uniq(&e, 3, 0); ilist_add_if_uniq(&e, 4, 0); ilist_add_if_uniq(&e, 2, 0); ilist_add_if_uniq(&e, 4, 0); ilist_add_if_uniq(&e, 2, 0); ilist_add_if_uniq(&e, 4, 0); ilist_add_if_uniq(&e, 1, 0); ilist_sort_by_hits(&e); i = 0; ilist_first(&e); do { node = ilist_get_cur(&e); if (node->hits != (4-i)) { printf("Sort test failed - i:%d != ihits:%d\n", i, node->hits); return 1; } i++; } while ((node = ilist_next(&e))); ilist_clear(&e); printf("ilist tests passed\n"); return 0; }
static int per_event_summary(llist *l) { int rc = 0; switch (report_type) { case RPT_SUMMARY: do_summary_total(l); rc = 1; break; case RPT_AVC: if (list_find_msg(l, AUDIT_AVC)) { if (alist_find_avc(l->s.avc)) { do { slist_add_if_uniq(&sd.avc_objs, l->s.avc->cur->tcontext); } while (alist_next_avc(l->s.avc)); } } else { if (list_find_msg(l, AUDIT_USER_AVC)) { if (alist_find_avc(l->s.avc)) { do { slist_add_if_uniq( &sd.avc_objs, l->s.avc->cur->tcontext); } while (alist_next_avc( l->s.avc)); } } } break; case RPT_MAC: if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD, AUDIT_MAC_MAP_DEL)) { ilist_add_if_uniq(&sd.mac_list, l->head->type, 0); } else { if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG, AUDIT_LAST_USER_LSPP_MSG)) { ilist_add_if_uniq(&sd.mac_list, l->head->type, 0); } } break; case RPT_CONFIG: UNIMPLEMENTED; break; case RPT_AUTH: if (list_find_msg(l, AUDIT_USER_AUTH)) { if (l->s.loginuid == -2 && l->s.acct != NULL) slist_add_if_uniq(&sd.users, l->s.acct); else { char name[64]; slist_add_if_uniq(&sd.users, aulookup_uid(l->s.loginuid, name, sizeof(name)) ); } } else if (list_find_msg(l, AUDIT_USER_ACCT)) { // Only count the failures if (l->s.success == S_FAILED) { if (l->s.loginuid == -2 && l->s.acct != NULL) slist_add_if_uniq(&sd.users, l->s.acct); else { char name[64]; slist_add_if_uniq(&sd.users, aulookup_uid( l->s.loginuid, name, sizeof(name)) ); } } } break; case RPT_LOGIN: if (list_find_msg(l, AUDIT_USER_LOGIN)) { if (l->s.loginuid == -2 && l->s.acct != NULL) slist_add_if_uniq(&sd.users, l->s.acct); else { char name[64]; slist_add_if_uniq(&sd.users, aulookup_uid(l->s.loginuid, name, sizeof(name)) ); } } break; case RPT_ACCT_MOD: UNIMPLEMENTED; break; case RPT_EVENT: /* We will borrow the pid list */ if (l->head->type != -1) { ilist_add_if_uniq(&sd.pids, l->head->type, 0); } break; case RPT_FILE: if (l->s.filename) { const snode *sn; slist *sptr = l->s.filename; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str) slist_add_if_uniq(&sd.files, sn->str); sn=slist_next(sptr); } } break; case RPT_HOST: if (l->s.hostname) slist_add_if_uniq(&sd.hosts, l->s.hostname); break; case RPT_PID: if (l->s.pid != -1) { ilist_add_if_uniq(&sd.pids, l->s.pid, 0); } break; case RPT_SYSCALL: if (l->s.syscall > 0) { ilist_add_if_uniq(&sd.sys_list, l->s.syscall, l->s.arch); } break; case RPT_TERM: if (l->s.terminal) slist_add_if_uniq(&sd.terms, l->s.terminal); break; case RPT_USER: if (l->s.loginuid != -2) { char tmp[32]; snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid); slist_add_if_uniq(&sd.users, tmp); } break; case RPT_EXE: if (l->s.exe) slist_add_if_uniq(&sd.exes, l->s.exe); break; case RPT_ANOMALY: if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG)) { ilist_add_if_uniq(&sd.anom_list, l->head->type, 0); } else { if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG, AUDIT_LAST_KERN_ANOM_MSG)) { ilist_add_if_uniq(&sd.anom_list, l->head->type, 0); } } break; case RPT_RESPONSE: if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP)) { ilist_add_if_uniq(&sd.resp_list, l->head->type, 0); } break; case RPT_CRYPTO: if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG, AUDIT_LAST_KERN_CRYPTO_MSG)) { ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0); } else { if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG, AUDIT_LAST_CRYPTO_MSG)) { ilist_add_if_uniq(&sd.crypto_list, l->head->type, 0); } } break; case RPT_KEY: if (l->s.key) { const snode *sn; slist *sptr = l->s.key; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str && strcmp(sn->str, "(null)")) slist_add_if_uniq(&sd.keys, sn->str); sn=slist_next(sptr); } } break; case RPT_TTY: UNIMPLEMENTED; break; default: break; } return rc; }
static void do_summary_total(llist *l) { // add events sd.events++; // add config changes if (list_find_msg(l, AUDIT_CONFIG_CHANGE)) sd.changes++; if (list_find_msg(l, AUDIT_DAEMON_CONFIG)) sd.changes++; if (list_find_msg(l, AUDIT_USYS_CONFIG)) sd.changes++; list_first(l); if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD, AUDIT_MAC_UNLBL_STCDEL)) sd.changes++; // add acct changes if (list_find_msg(l, AUDIT_USER_CHAUTHTOK)) sd.acct_changes++; if (list_find_msg_range(l, AUDIT_ADD_USER, AUDIT_DEL_GROUP)) sd.acct_changes++; if (list_find_msg(l, AUDIT_CHGRP_ID)) sd.acct_changes++; list_first(l); if (list_find_msg_range(l, AUDIT_ROLE_ASSIGN, AUDIT_ROLE_REMOVE)) sd.acct_changes++; // Crypto list_first(l); if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG, AUDIT_LAST_KERN_CRYPTO_MSG)) sd.crypto++; if (list_find_msg_range(l, AUDIT_FIRST_CRYPTO_MSG, AUDIT_LAST_CRYPTO_MSG)) sd.crypto++; // add logins if (list_find_msg(l, AUDIT_USER_LOGIN)) { if (l->s.success == S_SUCCESS) sd.good_logins++; else if (l->s.success == S_FAILED) sd.bad_logins++; } // add use of auth if (list_find_msg(l, AUDIT_USER_AUTH)) { if (l->s.success == S_SUCCESS) sd.good_auth++; else if (l->s.success == S_FAILED) sd.bad_auth++; } else if (list_find_msg(l, AUDIT_USER_ACCT)) { // Only count the failures if (l->s.success == S_FAILED) sd.bad_auth++; } else if (list_find_msg(l, AUDIT_GRP_AUTH)) { if (l->s.success == S_SUCCESS) sd.good_auth++; else if (l->s.success == S_FAILED) sd.bad_auth++; } // add users if (l->s.loginuid != -2) { char tmp[32]; snprintf(tmp, sizeof(tmp), "%d", l->s.loginuid); slist_add_if_uniq(&sd.users, tmp); } // add terminals if (l->s.terminal) slist_add_if_uniq(&sd.terms, l->s.terminal); // add hosts if (l->s.hostname) slist_add_if_uniq(&sd.hosts, l->s.hostname); // add execs if (l->s.exe) slist_add_if_uniq(&sd.exes, l->s.exe); // add files if (l->s.filename) { const snode *sn; slist *sptr = l->s.filename; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str) slist_add_if_uniq(&sd.files, sn->str); sn=slist_next(sptr); } } // add avcs if (list_find_msg(l, AUDIT_AVC)) sd.avcs++; else if (list_find_msg(l, AUDIT_USER_AVC)) sd.avcs++; // MAC list_first(l); if (list_find_msg_range(l, AUDIT_MAC_POLICY_LOAD, AUDIT_MAC_UNLBL_STCDEL)) sd.mac++; if (list_find_msg_range(l, AUDIT_FIRST_USER_LSPP_MSG, AUDIT_LAST_USER_LSPP_MSG)) sd.mac++; // add failed syscalls if (l->s.success == S_FAILED && l->s.syscall > 0) sd.failed_syscalls++; // add pids if (l->s.pid != -1) { ilist_add_if_uniq(&sd.pids, l->s.pid, 0); } // add anomalies if (list_find_msg_range(l, AUDIT_FIRST_ANOM_MSG, AUDIT_LAST_ANOM_MSG)) sd.anomalies++; if (list_find_msg_range(l, AUDIT_FIRST_KERN_ANOM_MSG, AUDIT_LAST_KERN_ANOM_MSG)) sd.anomalies++; // add response to anomalies if (list_find_msg_range(l, AUDIT_FIRST_ANOM_RESP, AUDIT_LAST_ANOM_RESP)) sd.responses++; // add keys if (l->s.key) { const snode *sn; slist *sptr = l->s.key; slist_first(sptr); sn=slist_get_cur(sptr); while (sn) { if (sn->str && strcmp(sn->str, "(null)")) { slist_add_if_uniq(&sd.keys, sn->str); } sn=slist_next(sptr); } } }
static int watched_accounts_parser(struct nv_pair *nv, int line, prelude_conf_t *config) { char *str = (char *)nv->value; do { char *ptr = strchr(str, '-'); if (ptr) { char *user1, *user2; int start, end, i; user1 = str; *ptr = 0; user2 = ptr+1; if (string_is_numeric(user1)) { start = strtoul(user1, NULL, 10); } else { struct passwd *pw; pw = getpwnam(user1); if (pw == NULL) { syslog(LOG_ERR, "user %s is invalid - line %d, skipping", user1, line); continue; } start = pw->pw_uid; } i = strlen(user2); if (i>0 && user2[i-1] == ',') user2[i-1] = 0; if (string_is_numeric(user2)) { end = strtoul(user2, NULL, 10); } else { struct passwd *pw; pw = getpwnam(user2); if (pw == NULL) { syslog(LOG_ERR, "user %s is invalid - line %d, skipping", user2, line); continue; } end = pw->pw_uid; } if (start >= end) { syslog(LOG_ERR, "%s is larger or equal to %s, please fix, skipping", user1, user2); continue; } for (i=start; i<=end; i++) { ilist_add_if_uniq( &config->watched_accounts, i); } } else { int acct; if (string_is_numeric(str)) acct = strtoul(str, NULL, 10); else { struct passwd *pw; pw = getpwnam(str); if (pw == NULL) { syslog(LOG_ERR, "user %s is invalid - line %d, skipping", str, line); continue; } acct = pw->pw_uid; } ilist_add_if_uniq(&config->watched_accounts, acct); } str = strtok(NULL, ", "); } while(str); return 0; }