author | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
committer | Ashlee Young <ashlee@wildernessvoice.com> | 2015-11-29 08:22:13 -0800 |
commit | df5afa4fcd9725380f94ca6476248d4cc24f889a (patch) | |
tree | 65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/auparse | |
parent | 76f6bf922552c00546e6e85ca471eab28f56986c (diff) |
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084
Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/auparse')
68 files changed, 12689 insertions, 0 deletions
diff --git a/framework/src/audit/auparse/Makefile.am b/framework/src/audit/auparse/Makefile.am
new file mode 100644
index 00000000..4b864d7c
--- /dev/null
+++ b/framework/src/audit/auparse/Makefile.am
@@ -0,0 +1,491 @@
+# Makefile.am --
+# Copyright 2006-08,2011-15 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Authors:
+# Steve Grubb <sgrubb@redhat.com>
+#
+
+SUBDIRS = test
+CLEANFILES = $(BUILT_SOURCES)
+CONFIG_CLEAN_FILES = *.loT *.rej *.orig
+AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG}
+AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/src -I${top_srcdir}/lib
+LIBS =
+
+pkgconfigdir = $(libdir)/pkgconfig
+pkgconfig_DATA = auparse.pc
+DISTCLEANFILES = $(pkgconfig_DATA)
+
+lib_LTLIBRARIES = libauparse.la
+include_HEADERS = auparse.h auparse-defs.h
+libauparse_la_SOURCES = nvpair.c interpret.c nvlist.c ellist.c \
+ auparse.c auditd-config.c message.c data_buf.c strsplit.c \
+ auparse-defs.h auparse-idata.h data_buf.h \
+ nvlist.h auparse.h ellist.h \
+ internal.h nvpair.h rnode.h interpret.h \
+ private.h expression.c expression.h tty_named_keys.h
+nodist_libauparse_la_SOURCES = $(BUILT_SOURCES)
+
+libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la
+libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h
+libauparse_la_LDFLAGS = -Wl,-z,relro
+
+message.c:
+ cp ${top_srcdir}/lib/message.c .
+
+strsplit.c:
+ cp ${top_srcdir}/lib/strsplit.c .
+
+BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
+ epoll_ctls.h famtabs.h fcntl-cmdtabs.h \
+ flagtabs.h icmptypetabs.h ipctabs.h ipccmdtabs.h\
+ ioctlreqtabs.h ipoptnametabs.h ip6optnametabs.h \
+ mmaptabs.h mounttabs.h nfprototabs.h open-flagtabs.h \
+ persontabs.h prctl_opttabs.h pktoptnametabs.h \
+ prottabs.h ptracetabs.h \
+ rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
+ seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
+ socktabs.h sockleveltabs.h socktypetabs.h \
+ tcpoptnametabs.h typetabs.h umounttabs.h
+noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
+ gen_clone-flagtabs_h \
+ gen_epoll_ctls_h gen_famtabs_h \
+ gen_fcntl-cmdtabs_h gen_flagtabs_h gen_ioctlreqtabs_h \
+ gen_icmptypetabs_h gen_ipctabs_h gen_ipccmdtabs_h\
+ gen_ipoptnametabs_h gen_ip6optnametabs_h gen_nfprototabs_h \
+ gen_mmaptabs_h gen_mounttabs_h \
+ gen_open-flagtabs_h gen_persontabs_h \
+ gen_prctl_opttabs_h gen_pktoptnametabs_h gen_prottabs_h \
+ gen_recvtabs_h gen_rlimit_h gen_ptracetabs_h \
+ gen_schedtabs_h gen_seccomptabs_h \
+ gen_seektabs_h gen_shm_modetabs_h gen_signals_h \
+ gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \
+ gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
+ gen_umounttabs_h
+
+gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
+gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"'
+$(gen_accesstabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_accesstabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_accesstabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_accesstabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+accesstabs.h: gen_accesstabs_h Makefile
+ ./gen_accesstabs_h --i2s-transtab access > $@
+
+gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
+gen_captabs_h_CFLAGS = '-DTABLE_H="captab.h"'
+$(gen_captabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_captabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_captabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_captabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+captabs.h: gen_captabs_h Makefile
+ ./gen_captabs_h --i2s cap > $@
+
+gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
+gen_clock_h_CFLAGS = '-DTABLE_H="clocktab.h"'
+$(gen_clock_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_clock_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_clock_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_clock_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+clocktabs.h: gen_clock_h Makefile
+ ./gen_clock_h --i2s clock > $@
+
+gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ clone-flagtab.h
+gen_clone_flagtabs_h_CFLAGS = '-DTABLE_H="clone-flagtab.h"'
+$(gen_clone_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_clone_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_clone_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_clone-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+clone-flagtabs.h: gen_clone-flagtabs_h Makefile
+ ./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
+
+gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
+gen_epoll_ctls_h_CFLAGS = '-DTABLE_H="epoll_ctl.h"'
+$(gen_epoll_ctls_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_epoll_ctls_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_epoll_ctls_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_epoll_ctls_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+epoll_ctls.h: gen_epoll_ctls_h Makefile
+ ./gen_epoll_ctls_h --i2s epoll_ctl > $@
+
+gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
+gen_famtabs_h_CFLAGS = '-DTABLE_H="famtab.h"'
+$(gen_famtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_famtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_famtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_famtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+famtabs.h: gen_famtabs_h Makefile
+ ./gen_famtabs_h --i2s fam > $@
+
+gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
+# ../auparse/ is used to avoid using ../lib/flagtab.h
+gen_flagtabs_h_CFLAGS = '-DTABLE_H="../auparse/flagtab.h"'
+$(gen_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+flagtabs.h: gen_flagtabs_h Makefile
+ ./gen_flagtabs_h --i2s-transtab flag > $@
+
+gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ fcntl-cmdtab.h
+gen_fcntl_cmdtabs_h_CFLAGS = '-DTABLE_H="fcntl-cmdtab.h"'
+$(gen_fcntl_cmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_fcntl_cmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_fcntl_cmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
+ ./gen_fcntl-cmdtabs_h --i2s fcntl > $@
+
+gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
+gen_icmptypetabs_h_CFLAGS = '-DTABLE_H="icmptypetab.h"'
+$(gen_icmptypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_icmptypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_icmptypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_icmptypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+icmptypetabs.h: gen_icmptypetabs_h Makefile
+ ./gen_icmptypetabs_h --i2s icmptype > $@
+
+gen_ioctlreqtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ioctlreqtab.h
+gen_ioctlreqtabs_h_CFLAGS = '-DTABLE_H="ioctlreqtab.h"'
+$(gen_ioctlreqtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ioctlreqtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ioctlreqtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ioctlreqtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ioctlreqtabs.h: gen_ioctlreqtabs_h Makefile
+ ./gen_ioctlreqtabs_h --i2s ioctlreq > $@
+
+gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
+gen_ipctabs_h_CFLAGS = '-DTABLE_H="ipctab.h"'
+$(gen_ipctabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ipctabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ipctabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ipctabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ipctabs.h: gen_ipctabs_h Makefile
+ ./gen_ipctabs_h --i2s ipc > $@
+
+gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
+gen_ipccmdtabs_h_CFLAGS = '-DTABLE_H="ipccmdtab.h"'
+$(gen_ipccmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ipccmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ipccmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ipccmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ipccmdtabs.h: gen_ipccmdtabs_h Makefile
+ ./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
+
+gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
+gen_ipoptnametabs_h_CFLAGS = '-DTABLE_H="ipoptnametab.h"'
+$(gen_ipoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ipoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ipoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ipoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ipoptnametabs.h: gen_ipoptnametabs_h Makefile
+ ./gen_ipoptnametabs_h --i2s ipoptname > $@
+
+gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
+gen_ip6optnametabs_h_CFLAGS = '-DTABLE_H="ip6optnametab.h"'
+$(gen_ip6optnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ip6optnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ip6optnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ip6optnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ip6optnametabs.h: gen_ip6optnametabs_h Makefile
+ ./gen_ip6optnametabs_h --i2s ip6optname > $@
+
+gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
+gen_mmaptabs_h_CFLAGS = '-DTABLE_H="mmaptab.h"'
+$(gen_mmaptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_mmaptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_mmaptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_mmaptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+mmaptabs.h: gen_mmaptabs_h Makefile
+ ./gen_mmaptabs_h --i2s-transtab mmap > $@
+
+gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
+gen_mounttabs_h_CFLAGS = '-DTABLE_H="mounttab.h"'
+$(gen_mounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_mounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_mounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_mounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+mounttabs.h: gen_mounttabs_h Makefile
+ ./gen_mounttabs_h --i2s-transtab mount > $@
+
+gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
+gen_nfprototabs_h_CFLAGS = '-DTABLE_H="nfprototab.h"'
+$(gen_nfprototabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_nfprototabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_nfprototabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_nfprototabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+nfprototabs.h: gen_nfprototabs_h Makefile
+ ./gen_nfprototabs_h --i2s nfproto > $@
+
+gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
+ open-flagtab.h
+gen_open_flagtabs_h_CFLAGS = '-DTABLE_H="open-flagtab.h"'
+$(gen_open_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_open_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_open_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_open-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+open-flagtabs.h: gen_open-flagtabs_h Makefile
+ ./gen_open-flagtabs_h --i2s-transtab open_flag > $@
+
+gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
+gen_persontabs_h_CFLAGS = '-DTABLE_H="persontab.h"'
+$(gen_persontabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_persontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_persontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_persontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+persontabs.h: gen_persontabs_h Makefile
+ ./gen_persontabs_h --i2s person > $@
+
+gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
+gen_ptracetabs_h_CFLAGS = '-DTABLE_H="ptracetab.h"'
+$(gen_ptracetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_ptracetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_ptracetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_ptracetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+ptracetabs.h: gen_ptracetabs_h Makefile
+ ./gen_ptracetabs_h --i2s ptrace > $@
+
+gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
+gen_prctl_opttabs_h_CFLAGS = '-DTABLE_H="prctl-opt-tab.h"'
+$(gen_prctl_opttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_prctl_opttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_prctl_opttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_prctl_opttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+prctl_opttabs.h: gen_prctl_opttabs_h Makefile
+ ./gen_prctl_opttabs_h --i2s prctl_opt > $@
+
+gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
+gen_pktoptnametabs_h_CFLAGS = '-DTABLE_H="pktoptnametab.h"'
+$(gen_pktoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_pktoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_pktoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_pktoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+pktoptnametabs.h: gen_pktoptnametabs_h Makefile
+ ./gen_pktoptnametabs_h --i2s pktoptname > $@
+
+gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
+gen_prottabs_h_CFLAGS = '-DTABLE_H="prottab.h"'
+$(gen_prottabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_prottabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_prottabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_prottabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+prottabs.h: gen_prottabs_h Makefile
+ ./gen_prottabs_h --i2s-transtab prot > $@
+
+gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
+gen_recvtabs_h_CFLAGS = '-DTABLE_H="recvtab.h"'
+$(gen_recvtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_recvtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_recvtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_recvtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+recvtabs.h: gen_recvtabs_h Makefile
+ ./gen_recvtabs_h --i2s-transtab recv > $@
+
+gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
+gen_rlimit_h_CFLAGS = '-DTABLE_H="rlimittab.h"'
+$(gen_rlimit_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_rlimit_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_rlimit_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_rlimit_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+rlimittabs.h: gen_rlimit_h Makefile
+ ./gen_rlimit_h --i2s rlimit > $@
+
+gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
+gen_schedtabs_h_CFLAGS = '-DTABLE_H="schedtab.h"'
+$(gen_schedtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_schedtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_schedtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_schedtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+schedtabs.h: gen_schedtabs_h Makefile
+ ./gen_schedtabs_h --i2s sched > $@
+
+gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
+gen_seccomptabs_h_CFLAGS = '-DTABLE_H="seccomptab.h"'
+$(gen_seccomptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_seccomptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_seccomptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_seccomptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+seccomptabs.h: gen_seccomptabs_h Makefile
+ ./gen_seccomptabs_h --i2s seccomp > $@
+
+gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
+gen_seektabs_h_CFLAGS = '-DTABLE_H="seektab.h"'
+$(gen_seektabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_seektabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_seektabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_seektabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+seektabs.h: gen_seektabs_h Makefile
+ ./gen_seektabs_h --i2s seek > $@
+
+gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
+gen_shm_modetabs_h_CFLAGS = '-DTABLE_H="shm_modetab.h"'
+$(gen_shm_modetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_shm_modetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_shm_modetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_shm_modetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+shm_modetabs.h: gen_shm_modetabs_h Makefile
+ ./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
+
+gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
+gen_signals_h_CFLAGS = '-DTABLE_H="signaltab.h"'
+$(gen_signals_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_signals_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_signals_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_signals_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+signaltabs.h: gen_signals_h Makefile
+ ./gen_signals_h --i2s signal > $@
+
+gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
+gen_sockleveltabs_h_CFLAGS = '-DTABLE_H="sockleveltab.h"'
+$(gen_sockleveltabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_sockleveltabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_sockleveltabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_sockleveltabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+sockleveltabs.h: gen_sockleveltabs_h Makefile
+ ./gen_sockleveltabs_h --i2s socklevel > $@
+
+gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
+gen_sockoptnametabs_h_CFLAGS = '-DTABLE_H="sockoptnametab.h"'
+$(gen_sockoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_sockoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_sockoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_sockoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+sockoptnametabs.h: gen_sockoptnametabs_h Makefile
+ ./gen_sockoptnametabs_h --i2s sockoptname > $@
+
+gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
+gen_socktabs_h_CFLAGS = '-DTABLE_H="socktab.h"'
+$(gen_socktabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_socktabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_socktabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_socktabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+socktabs.h: gen_socktabs_h Makefile
+ ./gen_socktabs_h --i2s sock > $@
+
+gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
+gen_socktypetabs_h_CFLAGS = '-DTABLE_H="socktypetab.h"'
+$(gen_socktypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_socktypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_socktypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_socktypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+socktypetabs.h: gen_socktypetabs_h Makefile
+ ./gen_socktypetabs_h --i2s sock_type > $@
+
+gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
+gen_tcpoptnametabs_h_CFLAGS = '-DTABLE_H="tcpoptnametab.h"'
+$(gen_tcpoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_tcpoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_tcpoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_tcpoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
+ ./gen_tcpoptnametabs_h --i2s tcpoptname > $@
+
+gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
+gen_typetabs_h_CFLAGS = '-DTABLE_H="typetab.h"'
+$(gen_typetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_typetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_typetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_typetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+typetabs.h: gen_typetabs_h Makefile
+ ./gen_typetabs_h --s2i type > $@
+
+gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
+gen_umounttabs_h_CFLAGS = '-DTABLE_H="umounttab.h"'
+$(gen_umounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
+$(gen_umounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
+$(gen_umounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
+gen_umounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
+umounttabs.h: gen_umounttabs_h Makefile
+ ./gen_umounttabs_h --i2s-transtab umount > $@
+
diff --git a/framework/src/audit/auparse/accesstab.h b/framework/src/audit/auparse/accesstab.h
new file mode 100644
index 00000000..439c26d0
--- /dev/null
+++ b/framework/src/audit/auparse/accesstab.h
@@ -0,0 +1,27 @@
+/* accesstab.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+
+_S(0x1U, "X_OK" )
+_S(0x2U, "W_OK" )
+_S(0x4U, "R_OK" )
+
diff --git a/framework/src/audit/auparse/auditd-config.c b/framework/src/audit/auparse/auditd-config.c
new file mode 100644
index 00000000..5964538f
--- /dev/null
+++ b/framework/src/audit/auparse/auditd-config.c
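Review bot: The `message.c:` and `strsplit.c:` rules near the top of the hunk copy `${top_srcdir}/lib/message.c` and `${top_srcdir}/lib/strsplit.c` into the build directory but declare no prerequisite, so once a copy exists it is never refreshed when the library original changes, and neither copy is listed in `CLEANFILES` (which only names `$(BUILT_SOURCES)`). Give each rule its source as a prerequisite and write the target explicitly, e.g. `message.c: ${top_srcdir}/lib/message.c` followed by `cp $< $@`, likewise for `strsplit.c`, and add both names to `CLEANFILES`. Separately, every generated-header rule writes `> $@` directly, so a generator that fails part-way leaves a truncated but newer header that the next build treats as up to date unless the generated Makefile sets `.DELETE_ON_ERROR:`; writing to `$@.tmp` and renaming on success would close that gap. On the hardening side, `libauparse_la_LDFLAGS = -Wl,-z,relro` yields only partial RELRO; whether `-z,now` was left out deliberately is not visible from this file.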
@@ -0,0 +1,445 @@
+/* auditd-config.c --
+ * Copyright 2007,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ *
+ */
+
+#include "config.h"
+#include "internal.h"
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <libgen.h>
+#include <dirent.h>
+#include <ctype.h>
+
+/* Local prototypes */
+struct _pair
+{
+ const char *name;
+ const char *value;
+};
+
+struct kw_pair
+{
+ const char *name;
+ int (*parser)(const char *, int, struct daemon_conf *);
+};
+
+struct nv_list
+{
+ const char *name;
+ int option;
+};
+
+static char *get_line(FILE *f, char *buf, unsigned size, int *lineno,
+ const char *file);
+static int nv_split(char *buf, struct _pair *nv);
+static const struct kw_pair *kw_lookup(const char *val);
+static int log_file_parser(const char *val, int line,
+ struct daemon_conf *config);
+static int num_logs_parser(const char *val, int line,
+ struct daemon_conf *config);
+static int log_format_parser(const char *val, int line,
+ struct daemon_conf *config);
+
+static const struct kw_pair keywords[] =
+{
+ {"log_file", log_file_parser },
+ {"log_format", log_format_parser },
+ {"num_logs", num_logs_parser },
+ { NULL, NULL }
+};
+
+static const struct nv_list log_formats[] =
+{
+ {"raw", LF_RAW },
+ {"nolog", LF_NOLOG },
+ { NULL, 0 }
+};
+
+
+/*
+ * Set everything to its default value
+*/
+void clear_config(struct daemon_conf *config)
+{
+ config->qos = QOS_NON_BLOCKING;
+ config->sender_uid = 0;
+ config->sender_pid = 0;
+ config->sender_ctx = NULL;
+ config->log_file = strdup("/var/log/audit/audit.log");
+ config->log_format = LF_RAW;
+ config->log_group = 0;
+ config->priority_boost = 3;
+ config->flush = FT_NONE;
+ config->freq = 0;
+ config->num_logs = 0L;
+ config->dispatcher = NULL;
+ config->node_name_format = N_NONE;
+ config->node_name = NULL;
+ config->max_log_size = 0L;
+ config->max_log_size_action = SZ_IGNORE;
+ config->space_left = 0L;
+ config->space_left_action = FA_IGNORE;
+ config->space_left_exe = NULL;
+ config->action_mail_acct = strdup("root");
+ config->admin_space_left= 0L;
+ config->admin_space_left_action = FA_IGNORE;
+ config->admin_space_left_exe = NULL;
+ config->disk_full_action = FA_IGNORE;
+ config->disk_full_exe = NULL;
+ config->disk_error_action = FA_SYSLOG;
+ config->disk_error_exe = NULL;
+}
+
+int load_config(struct daemon_conf *config, log_test_t lt)
+{
+ int fd, rc, lineno = 1;
+ struct stat st;
+ FILE *f;
+ char buf[160];
+
+ clear_config(config);
+ lt = lt;
+
+ /* open the file */
+ rc = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW);
+ if (rc < 0) {
+ if (errno != ENOENT) {
+ audit_msg(LOG_ERR, "Error opening config file (%s)",
+ strerror(errno));
+ return 1;
+ }
+ audit_msg(LOG_WARNING,
+ "Config file %s doesn't exist, skipping", CONFIG_FILE);
+ return 0;
+ }
+ fd = rc;
+
+ /* check the file's permissions: owned by root, not world writable,
+ * not symlink.
+ */
+ if (fstat(fd, &st) < 0) {
+ audit_msg(LOG_ERR, "Error fstat'ing config file (%s)",
+ strerror(errno));
+ close(fd);
+ return 1;
+ }
+ if (st.st_uid != 0) {
+ audit_msg(LOG_ERR, "Error - %s isn't owned by root",
+ CONFIG_FILE);
+ close(fd);
+ return 1;
+ }
+ if (!S_ISREG(st.st_mode)) {
+ audit_msg(LOG_ERR, "Error - %s is not a regular file",
+ CONFIG_FILE);
+ close(fd);
+ return 1;
+ }
+
+ /* it's ok, read line by line */
+ f = fdopen(fd, "rm");
+ if (f == NULL) {
+ audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
+ strerror(errno));
+ close(fd);
+ return 1;
+ }
+
+ while (get_line(f, buf, sizeof(buf), &lineno, CONFIG_FILE)) {
+ // convert line into name-value pair
+ const struct kw_pair *kw;
+ struct _pair nv;
+ rc = nv_split(buf, &nv);
+ switch (rc) {
+ case 0: // fine
+ break;
+ case 1: // not the right number of tokens.
+ audit_msg(LOG_ERR,
+ "Wrong number of arguments for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ case 2: // no '=' sign
+ audit_msg(LOG_ERR,
+ "Missing equal sign for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ default: // something else went wrong...
+ audit_msg(LOG_ERR,
+ "Unknown error for line %d in %s",
+ lineno, CONFIG_FILE);
+ break;
+ }
+ if (nv.name == NULL) {
+ lineno++;
+ continue;
+ }
+ if (nv.value == NULL) {
+ fclose(f);
+ audit_msg(LOG_ERR,
+ "Not processing any more lines in %s",
+ CONFIG_FILE);
+ return 1;
+ }
+
+ /* identify keyword or error */
+ kw = kw_lookup(nv.name);
+ if (kw->name) {
+ /* dispatch to keyword's local parser */
+ rc = kw->parser(nv.value, lineno, config);
+ if (rc != 0) {
+ fclose(f);
+ return 1; // local parser puts message out
+ }
+ }
+
+ lineno++;
+ }
+
+ fclose(f);
+ return 0;
+}
+
+static char *get_line(FILE *f, char *buf, unsigned size, int *lineno,
+ const char *file)
+{
+ int too_long = 0;
+
+ while (fgets_unlocked(buf, size, f)) {
+ /* remove newline */
+ char *ptr = strchr(buf, 0x0a);
+ if (ptr) {
+ if (!too_long) {
+ *ptr = 0;
+ return buf;
+ }
+ // Reset and start with the next line
+ too_long = 0;
+ *lineno = *lineno + 1;
+ } else {
+ // If a line is too long skip it.
+ // Only output 1 warning
+ if (!too_long)
+ audit_msg(LOG_ERR,
+ "Skipping line %d in %s: too long",
+ *lineno, file);
+ too_long = 1;
+ }
+ }
+ return NULL;
+}
+
+static int nv_split(char *buf, struct _pair *nv)
+{
+ /* Get the name part */
+ char *ptr;
+
+ nv->name = NULL;
+ nv->value = NULL;
+ ptr = audit_strsplit(buf);
+ if (ptr == NULL)
+ return 0; /* If there's nothing, go to next line */
+ if (ptr[0] == '#')
+ return 0; /* If there's a comment, go to next line */
+ nv->name = ptr;
+
+ /* Check for a '=' */
+ ptr = audit_strsplit(NULL);
+ if (ptr == NULL)
+ return 1;
+ if (strcmp(ptr, "=") != 0)
+ return 2;
+
+ /* get the value */
+ ptr = audit_strsplit(NULL);
+ if (ptr == NULL)
+ return 1;
+ nv->value = ptr;
+
+ /* Make sure there's nothing else */
+ ptr = audit_strsplit(NULL);
+ if (ptr) {
+ /* Allow one option, but check that there's not 2 */
+ ptr = audit_strsplit(NULL);
+ if (ptr)
+ return 1;
+ }
+
+ /* Everything is OK */
+ return 0;
+}
+
+static const struct kw_pair *kw_lookup(const char *val)
+{
+ int i = 0;
+ while (keywords[i].name != NULL) {
+ if (strcasecmp(keywords[i].name, val) == 0)
+ break;
+ i++;
+ }
+ return &keywords[i];
+}
+
+static int log_file_parser(const char *val, int line,struct daemon_conf *config)
+{
+ char *dir = NULL, *tdir, *base;
+ DIR *d;
+ int fd, mode;
+ struct stat buf;
+
+ /* split name into dir and basename. */
+ tdir = strdup(val);
+ if (tdir)
+ dir = dirname(tdir);
+ if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
+ audit_msg(LOG_ERR,
+ "The directory name: %s is too short - line %d",
+ dir, line);
+ free((void *)tdir);
+ return 1;
+ }
+
+ base = basename((char *)val);
+ if (base == 0 || strlen(base) == 0) {
+ audit_msg(LOG_ERR, "The file name: %s is too short - line %d",
+ base, line);
+ free((void *)tdir);
+ return 1;
+ }
+
+ /* verify the directory path exists */
+ d = opendir(dir);
+ if (d == NULL) {
+ audit_msg(LOG_ERR, "Could not open dir %s (%s)", dir,
+ strerror(errno));
+ free((void *)tdir);
+ return 1;
+ }
+ free((void *)tdir);
+ closedir(d);
+
+ /* if the file exists, see that its regular, owned by root,
+ * and not world anything */
+ mode = O_RDONLY;
+
+ fd = open(val, mode);
+ if (fd < 0) {
+ audit_msg(LOG_ERR, "Unable to open %s (%s)", val,
+ strerror(errno));
+ return 1;
+ }
+ if (fstat(fd, &buf) < 0) {
+ audit_msg(LOG_ERR, "Unable to stat %s (%s)",
+ val, strerror(errno));
+ close(fd);
+ return 1;
+ }
+ close(fd);
+ if (!S_ISREG(buf.st_mode)) {
+ audit_msg(LOG_ERR, "%s is not a regular file", val);
+ return 1;
+ }
+ if (buf.st_uid != 0) {
+ audit_msg(LOG_ERR, "%s is not owned by root", val);
+ return 1;
+ }
+ if ( (buf.st_mode & (S_IXUSR|S_IWGRP|S_IXGRP|S_IRWXO)) ) {
+ audit_msg(LOG_ERR, "%s permissions should be 0600 or 0640",
+ val);
+ return 1;
+ }
+ if ( !(buf.st_mode & S_IWUSR) ) {
+ audit_msg(LOG_ERR, "audit log is not writable by owner");
+ return 1;
+ }
+
+ free((void *)config->log_file);
+ config->log_file = strdup(val);
+ if (config->log_file == NULL)
+ return 1;
+
return 0; +} + +static int num_logs_parser(const char *val, int line, + struct daemon_conf *config) +{ + const char *ptr = val; + unsigned long i; + + /* check that all chars are numbers */ + for (i=0; ptr[i]; i++) { + if (!isdigit(ptr[i])) { + audit_msg(LOG_ERR, + "Value %s should only be numbers - line %d", + val, line); + return 1; + } + } + + /* convert to unsigned long */ + errno = 0; + i = strtoul(val, NULL, 10); + if (errno) { + audit_msg(LOG_ERR, + "Error converting string to a number (%s) - line %d", + strerror(errno), line); + return 1; + } + if (i > 99) { + audit_msg(LOG_ERR, "num_logs must be 99 or less"); + return 1; + } + config->num_logs = i; + return 0; +} + +static int log_format_parser(const char *val, int line, + struct daemon_conf *config) +{ + int i; + + for (i=0; log_formats[i].name != NULL; i++) { + if (strcasecmp(val, log_formats[i].name) == 0) { + config->log_format = log_formats[i].option; + return 0; + } + } + audit_msg(LOG_ERR, "Option %s not found - line %d", val, line); + return 1; +} + +void free_config(struct daemon_conf *config) +{ + free((void*)config->sender_ctx); + free((void*)config->log_file); + free((void*)config->dispatcher); + free((void *)config->node_name); + free((void *)config->action_mail_acct); + free((void *)config->space_left_exe); + free((void *)config->admin_space_left_exe); + free((void *)config->disk_full_exe); + free((void *)config->disk_error_exe); +} + diff --git a/framework/src/audit/auparse/auparse-defs.h b/framework/src/audit/auparse/auparse-defs.h new file mode 100644 index 00000000..fd7ed85d --- /dev/null +++ b/framework/src/audit/auparse/auparse-defs.h 
@@ -0,0 +1,98 @@
+/* auparse-defs.h --
+ * Copyright 2006-07,09,2011-12,2014-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#ifndef AUPARSE_DEFS_HEADER
+#define AUPARSE_DEFS_HEADER
+
+#include <time.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+/* Library type definitions */
+
+/* This tells the library where the data source is located */
+typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_FILE_ARRAY,
+ AUSOURCE_BUFFER, AUSOURCE_BUFFER_ARRAY,
+ AUSOURCE_DESCRIPTOR, AUSOURCE_FILE_POINTER, AUSOURCE_FEED } ausource_t;
+
+/* This used to define the types of searches that can be done. It is not used
+ any more. */
+typedef enum {
+ AUSEARCH_UNSET,
+ AUSEARCH_EXISTS,
+ AUSEARCH_EQUAL, AUSEARCH_NOT_EQUAL,
+ AUSEARCH_TIME_LT, AUSEARCH_TIME_LE, AUSEARCH_TIME_GE, AUSEARCH_TIME_GT,
+ AUSEARCH_TIME_EQ,
+ AUSEARCH_INTERPRETED = 0x40000000
+} ausearch_op_t;
+
+/* This determines where to position the cursor when a search completes */
+typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
+ AUSEARCH_STOP_FIELD } austop_t;
+
+/* This defines how search rule pieces are treated to decide when
+ * to stop a search */
+typedef enum { AUSEARCH_RULE_CLEAR, AUSEARCH_RULE_OR,
+ AUSEARCH_RULE_AND, AUSEARCH_RULE_REGEX } ausearch_rule_t;
+
+
+typedef struct
+{
+ time_t sec; // Event seconds
+ unsigned int milli; // millisecond of the timestamp
+ unsigned long serial; // Serial number of the event
+ const char *host; // Machine's name
+} au_event_t;
+
+
+/* This indicates why the user supplied callback was invoked */
+typedef enum {AUPARSE_CB_EVENT_READY} auparse_cb_event_t;
+
+/* This determines the type of field at current cursor location
+ * ONLY APPEND - DO NOT DELETE or it will break ABI */
+typedef enum { AUPARSE_TYPE_UNCLASSIFIED, AUPARSE_TYPE_UID, AUPARSE_TYPE_GID,
+ AUPARSE_TYPE_SYSCALL, AUPARSE_TYPE_ARCH, AUPARSE_TYPE_EXIT,
+ AUPARSE_TYPE_ESCAPED, AUPARSE_TYPE_PERM, AUPARSE_TYPE_MODE,
+ AUPARSE_TYPE_SOCKADDR, AUPARSE_TYPE_FLAGS, AUPARSE_TYPE_PROMISC,
+ AUPARSE_TYPE_CAPABILITY, AUPARSE_TYPE_SUCCESS, AUPARSE_TYPE_A0,
+ AUPARSE_TYPE_A1, AUPARSE_TYPE_A2, AUPARSE_TYPE_A3, AUPARSE_TYPE_SIGNAL,
+ AUPARSE_TYPE_LIST, AUPARSE_TYPE_TTY_DATA,
+ AUPARSE_TYPE_SESSION, AUPARSE_TYPE_CAP_BITMAP, AUPARSE_TYPE_NFPROTO,
+ AUPARSE_TYPE_ICMPTYPE, AUPARSE_TYPE_PROTOCOL,
+ AUPARSE_TYPE_ADDR, AUPARSE_TYPE_PERSONALITY,
+ AUPARSE_TYPE_SECCOMP, AUPARSE_TYPE_OFLAG,
+ AUPARSE_TYPE_MMAP, AUPARSE_TYPE_MODE_SHORT, AUPARSE_TYPE_MAC_LABEL,
+ AUPARSE_TYPE_PROCTITLE } auparse_type_t;
+
+/* This type determines what escaping if any gets applied to interpreted fields */
+typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL,
+ AUPARSE_ESC_SHELL_QUOTE } auparse_esc_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/framework/src/audit/auparse/auparse-idata.h b/framework/src/audit/auparse/auparse-idata.h
new file mode 100644
index 00000000..d1995538
--- /dev/null
+++ b/framework/src/audit/auparse/auparse-idata.h
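Review bot: The `host` member of `au_event_t` is declared `const char *` and commented only as "Machine's name", yet the parser in auparse.c fills it from `strdup()` and releases it with `free((char *)event.host)`, so the `const` hides heap ownership from readers of this public header. Suggest `// Machine's name; may be NULL when the record carries no node=, heap-allocated by the parser and released with the event`. The NULL case is worth stating because both `events_are_equal()` and `auparse_node_compare()` branch on it, and external callers that build an `au_event_t` for the compare functions need to know that a missing host is represented by NULL rather than an empty string. The remaining enum comments are fine as they stand.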
@@ -0,0 +1,49 @@
+/*
+* idata.h - Header file for ausearch-lookup.c
+* Copyright (c) 2013 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef IDATA_HEADER
+#define IDATA_HEADER
+
+#include "config.h"
+#include "dso.h"
+#include "auparse-defs.h"
+
+typedef struct _idata {
+ unsigned int machine; // The machine type for the event
+ int syscall; // The syscall for the event
+ unsigned long long a0; // arg 0 to the syscall
+ unsigned long long a1; // arg 1 to the syscall
+ const char *name; // name of field being interpretted
+ const char *val; // value of field being interpretted
+} idata;
+
+int auparse_interp_adjust_type(int rtype, const char *name, const char *val);
+const char *auparse_do_interpretation(int type, const idata *id);
+int set_escape_mode(auparse_esc_t mode);
+
+hidden_proto(auparse_interp_adjust_type)
+hidden_proto(auparse_do_interpretation)
+hidden_proto(set_escape_mode)
+
+#endif
+
diff --git a/framework/src/audit/auparse/auparse.c b/framework/src/audit/auparse/auparse.c
new file mode 100644
index 00000000..cd3f1180
--- /dev/null
+++ b/framework/src/audit/auparse/auparse.c
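Review bot: The banner comment names a different file and consumer (`idata.h - Header file for ausearch-lookup.c`) than the file being added, auparse-idata.h, whose declarations (`auparse_interp_adjust_type`, `auparse_do_interpretation`, `set_escape_mode`) appear to belong to the auparse interpretation path; it reads as a stale copy and should be `* auparse-idata.h - Interpretation data (idata) and helpers shared by auparse and its field interpreter`. The two struct-member comments misspell `interpretted` (should be `interpreted`). `set_escape_mode()` carries no comment although it is the only one of the three whose result is thrown away by its public wrapper (`auparse_set_escape_mode()` in auparse.c ignores the int), so a one-line comment saying that it takes one of the `auparse_esc_t` values from auparse-defs.h and what a non-zero return means would document a contract the caller currently does not honour.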
@@ -0,0 +1,1377 @@ +/* auparse.c -- + * Copyright 2006-08,2012-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#include "config.h" +#include "expression.h" +#include "internal.h" +#include "auparse.h" +#include "interpret.h" +#include "auparse-idata.h" +#include <errno.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <stdio_ext.h> + +static int debug = 0; + +/* like strchr except string is delimited by length, not null byte */ +static char *strnchr(const char *s, int c, size_t n) +{ + char *p_char; + const char *p_end = s + n; + + for (p_char = (char *)s; p_char < p_end && *p_char != c; p_char++); + if (p_char == p_end) return NULL; + return p_char; +} + +static int setup_log_file_array(auparse_state_t *au) +{ + struct daemon_conf config; + char *filename, **tmp; + int len, num = 0, i = 0; + + /* Load config so we know where logs are */ + set_aumessage_mode(MSG_STDERR, DBG_NO); + load_config(&config, TEST_SEARCH); + + /* for each file */ + len = strlen(config.log_file) + 16; + filename = malloc(len); + if (!filename) { + fprintf(stderr, "No memory\n"); + free_config(&config); + return 1; + } + /* Find oldest log file */ + 
snprintf(filename, len, "%s", config.log_file); + do { + if (access(filename, R_OK) != 0) + break; + num++; + snprintf(filename, len, "%s.%d", config.log_file, num); + } while (1); + + if (num == 0) { + fprintf(stderr, "No log file\n"); + free_config(&config); + free(filename); + return 1; + } + num--; + tmp = malloc((num+2)*sizeof(char *)); + + /* Got it, now process logs from last to first */ + if (num > 0) + snprintf(filename, len, "%s.%d", config.log_file, num); + else + snprintf(filename, len, "%s", config.log_file); + do { + tmp[i++] = strdup(filename); + + /* Get next log file */ + num--; + if (num > 0) + snprintf(filename, len, "%s.%d", config.log_file, num); + else if (num == 0) + snprintf(filename, len, "%s", config.log_file); + else + break; + } while (1); + free_config(&config); + free(filename); + + // Terminate the list + tmp[i] = NULL; + au->source_list = tmp; + return 0; +} + +/* General functions that affect operation of the library */ +auparse_state_t *auparse_init(ausource_t source, const void *b) +{ + char **tmp, **bb = (char **)b, *buf = (char *)b; + int n, i; + size_t size, len; + + auparse_state_t *au = malloc(sizeof(auparse_state_t)); + if (au == NULL) { + errno = ENOMEM; + return NULL; + } + + au->in = NULL; + au->source_list = NULL; + databuf_init(&au->databuf, 0, 0); + au->callback = NULL; + au->callback_user_data = NULL; + au->callback_user_data_destroy = NULL; + switch (source) + { + case AUSOURCE_LOGS: + if (geteuid()) { + errno = EPERM; + goto bad_exit; + } + setup_log_file_array(au); + break; + case AUSOURCE_FILE: + if (access(b, R_OK)) + goto bad_exit; + tmp = malloc(2*sizeof(char *)); + tmp[0] = strdup(b); + tmp[1] = NULL; + au->source_list = tmp; + break; + case AUSOURCE_FILE_ARRAY: + n = 0; + while (bb[n]) { + if (access(bb[n], R_OK)) + goto bad_exit; + n++; + } + tmp = malloc((n+1)*sizeof(char *)); + for (i=0; i<n; i++) + tmp[i] = strdup(bb[i]); + tmp[n] = NULL; + au->source_list = tmp; + break; + case AUSOURCE_BUFFER: + buf = 
buf; + len = strlen(buf); + if (databuf_init(&au->databuf, len, + DATABUF_FLAG_PRESERVE_HEAD) < 0) + goto bad_exit; + if (databuf_append(&au->databuf, buf, len) < 0) + goto bad_exit; + break; + case AUSOURCE_BUFFER_ARRAY: + size = 0; + for (n = 0; (buf = bb[n]); n++) { + len = strlen(bb[n]); + if (bb[n][len-1] != '\n') { + size += len + 1; + } else { + size += len; + } + } + if (databuf_init(&au->databuf, size, + DATABUF_FLAG_PRESERVE_HEAD) < 0) + goto bad_exit; + for (n = 0; (buf = bb[n]); n++) { + len = strlen(buf); + if (databuf_append(&au->databuf, buf, len) < 0) + goto bad_exit; + } + break; + case AUSOURCE_DESCRIPTOR: + n = (long)b; + au->in = fdopen(n, "rm"); + break; + case AUSOURCE_FILE_POINTER: + au->in = (FILE *)b; + break; + case AUSOURCE_FEED: + if (databuf_init(&au->databuf, 0, 0) < 0) goto bad_exit; + break; + default: + errno = EINVAL; + goto bad_exit; + break; + } + au->source = source; + au->list_idx = 0; + au->line_number = 0; + au->next_buf = NULL; + au->off = 0; + au->cur_buf = NULL; + au->line_pushed = 0; + aup_list_create(&au->le); + au->parse_state = EVENT_EMPTY; + au->expr = NULL; + au->find_field = NULL; + au->search_where = AUSEARCH_STOP_EVENT; + + return au; +bad_exit: + databuf_free(&au->databuf); + free(au); + return NULL; +} + + +void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback, + void *user_data, user_destroy user_destroy_func) +{ + if (au == NULL) { + errno = EINVAL; + return; + } + + if (au->callback_user_data_destroy) { + (*au->callback_user_data_destroy)(au->callback_user_data); + au->callback_user_data = NULL; + } + + au->callback = callback; + au->callback_user_data = user_data; + au->callback_user_data_destroy = user_destroy_func; +} + +static void consume_feed(auparse_state_t *au, int flush) +{ + while (auparse_next_event(au) > 0) { + if (au->callback) { + (*au->callback)(au, AUPARSE_CB_EVENT_READY, + au->callback_user_data); + } + } + if (flush) { + // FIXME: might need a call here to force 
auparse_next_event() + // to consume any partial data not fully consumed. + if (au->parse_state == EVENT_ACCUMULATING) { + // Emit the event, set event cursors to initial position + aup_list_first(&au->le); + aup_list_first_field(&au->le); + au->parse_state = EVENT_EMITTED; + if (au->callback) { + (*au->callback)(au, AUPARSE_CB_EVENT_READY, + au->callback_user_data); + } + } + } +} + +int auparse_feed(auparse_state_t *au, const char *data, size_t data_len) +{ + if (databuf_append(&au->databuf, data, data_len) < 0) + return -1; + consume_feed(au, 0); + return 0; +} + +int auparse_flush_feed(auparse_state_t *au) +{ + consume_feed(au, 1); + return 0; +} + +// If there is data in the state machine, return 1 +// Otherwise return 0 to indicate its empty +int auparse_feed_has_data(const auparse_state_t *au) +{ + if (au->parse_state == EVENT_ACCUMULATING) + return 1; + return 0; +} + +void auparse_set_escape_mode(auparse_esc_t mode) +{ + set_escape_mode(mode); +} + +int auparse_reset(auparse_state_t *au) +{ + if (au == NULL) { + errno = EINVAL; + return -1; + } + + aup_list_clear(&au->le); + au->parse_state = EVENT_EMPTY; + switch (au->source) + { + case AUSOURCE_LOGS: + case AUSOURCE_FILE: + case AUSOURCE_FILE_ARRAY: + if (au->in) { + fclose(au->in); + au->in = NULL; + } + /* Fall through */ + case AUSOURCE_DESCRIPTOR: + case AUSOURCE_FILE_POINTER: + if (au->in) + rewind(au->in); + /* Fall through */ + case AUSOURCE_BUFFER: + case AUSOURCE_BUFFER_ARRAY: + au->list_idx = 0; + au->line_number = 0; + au->off = 0; + databuf_reset(&au->databuf); + break; + default: + return -1; + } + return 0; +} + + +/* Add EXPR to AU, using HOW to select the combining operator. + On success, return 0. + On error, free EXPR set errno and return -1. + NOTE: EXPR is freed on error! 
*/ +static int add_expr(auparse_state_t *au, struct expr *expr, ausearch_rule_t how) +{ + if (au->expr == NULL) + au->expr = expr; + else if (how == AUSEARCH_RULE_CLEAR) { + expr_free(au->expr); + au->expr = expr; + } else { + struct expr *e; + + e = expr_create_binary(how == AUSEARCH_RULE_OR ? EO_OR : EO_AND, + au->expr, expr); + if (e == NULL) { + int err; + + err = errno; + expr_free(expr); + errno = err; + return -1; + } + au->expr = e; + } + return 0; +} + +static int ausearch_add_item_internal(auparse_state_t *au, const char *field, + const char *op, const char *value, ausearch_rule_t how, unsigned op_eq, + unsigned op_ne) +{ + struct expr *expr; + + // Make sure there's a field + if (field == NULL) + goto err_out; + + // Make sure how is within range + if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND) + goto err_out; + + // All pre-checks are done, build a rule + if (strcmp(op, "exists") == 0) + expr = expr_create_field_exists(field); + else { + unsigned t_op; + + if (strcmp(op, "=") == 0) + t_op = op_eq; + else if (strcmp(op, "!=") == 0) + t_op = op_ne; + else + goto err_out; + if (value == NULL) + goto err_out; + expr = expr_create_comparison(field, t_op, value); + } + if (expr == NULL) + return -1; + if (add_expr(au, expr, how) != 0) + return -1; /* expr is freed by add_expr() */ + return 0; + +err_out: + errno = EINVAL; + return -1; +} + +int ausearch_add_item(auparse_state_t *au, const char *field, const char *op, + const char *value, ausearch_rule_t how) +{ + return ausearch_add_item_internal(au, field, op, value, how, EO_RAW_EQ, + EO_RAW_NE); +} + +int ausearch_add_interpreted_item(auparse_state_t *au, const char *field, + const char *op, const char *value, ausearch_rule_t how) +{ + return ausearch_add_item_internal(au, field, op, value, how, + EO_INTERPRETED_EQ, EO_INTERPRETED_NE); +} + +int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op, + time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how) +{ + static const 
struct { + unsigned value; + const char name[3]; + } ts_tab[] = { + {EO_VALUE_LT, "<"}, + {EO_VALUE_LE, "<="}, + {EO_VALUE_GE, ">="}, + {EO_VALUE_GT, ">"}, + {EO_VALUE_EQ, "="}, + }; + + struct expr *expr; + size_t i; + unsigned t_op; + + for (i = 0; i < sizeof(ts_tab) / sizeof(*ts_tab); i++) { + if (strcmp(ts_tab[i].name, op) == 0) + goto found_op; + } + goto err_out; +found_op: + t_op = ts_tab[i].value; + + if (milli >= 1000) + goto err_out; + + // Make sure how is within range + if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND) + goto err_out; + + // All pre-checks are done, build a rule + expr = expr_create_timestamp_comparison_ex(t_op, sec, milli, serial); + if (expr == NULL) + return -1; + if (add_expr(au, expr, how) != 0) + return -1; /* expr is freed by add_expr() */ + return 0; + +err_out: + errno = EINVAL; + return -1; +} + +int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec, + unsigned milli, ausearch_rule_t how) +{ + return ausearch_add_timestamp_item_ex(au, op, sec, milli, 0, how); +} + +int ausearch_add_expression(auparse_state_t *au, const char *expression, + char **error, ausearch_rule_t how) +{ + struct expr *expr; + + if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND) + goto err_einval; + + expr = expr_parse(expression, error); + if (expr == NULL) { + errno = EINVAL; + return -1; + } + + if (add_expr(au, expr, how) != 0) + goto err; /* expr is freed by add_expr() */ + return 0; + +err_einval: + errno = EINVAL; +err: + *error = NULL; + return -1; +} + +int ausearch_add_regex(auparse_state_t *au, const char *regexp) +{ + struct expr *expr; + + // Make sure there's an expression + if (regexp == NULL) + goto err_out; + + expr = expr_create_regexp_expression(regexp); + if (expr == NULL) + return -1; + if (add_expr(au, expr, AUSEARCH_RULE_AND) != 0) + return -1; /* expr is freed by add_expr() */ + return 0; + +err_out: + errno = EINVAL; + return -1; +} + +int ausearch_set_stop(auparse_state_t *au, austop_t 
where) +{ + if (where < AUSEARCH_STOP_EVENT || where > AUSEARCH_STOP_FIELD) { + errno = EINVAL; + return -1; + } + + au->search_where = where; + return 0; +} + +void ausearch_clear(auparse_state_t *au) +{ + if (au->expr != NULL) { + expr_free(au->expr); + au->expr = NULL; + } + au->search_where = AUSEARCH_STOP_EVENT; +} + +void auparse_destroy(auparse_state_t *au) +{ + aulookup_destroy_uid_list(); + aulookup_destroy_gid_list(); + if (au == NULL) + return; + + if (au->source_list) { + int n = 0; + while (au->source_list[n]) + free(au->source_list[n++]); + free(au->source_list); + au->source_list = NULL; + } + + au->next_buf = NULL; + free(au->cur_buf); + au->cur_buf = NULL; + aup_list_clear(&au->le); + au->parse_state = EVENT_EMPTY; + free(au->find_field); + au->find_field = NULL; + ausearch_clear(au); + databuf_free(&au->databuf); + if (au->callback_user_data_destroy) { + (*au->callback_user_data_destroy)(au->callback_user_data); + au->callback_user_data = NULL; + } + if (au->in) { + fclose(au->in); + au->in = NULL; + } + free(au); +} + +/* alloc a new buffer, cur_buf which contains a null terminated line + * without a newline (note, this implies the line may be empty (strlen == 0)) if + * successfully read a blank line (e.g. containing only a single newline). + * cur_buf will have been newly allocated with malloc. + * + * Note: cur_buf will be freed the next time this routine is called if + * cur_buf is not NULL, callers who retain a reference to the cur_buf + * pointer will need to set cur_buf to NULL to cause the previous cur_buf + * allocation to persist. 
+ * + * Returns: + * 1 if successful (errno == 0) + * 0 if non-blocking input unavailable (errno == 0) + * -1 if error (errno contains non-zero error code) + * -2 if EOF (errno == 0) + */ + +static int readline_file(auparse_state_t *au) +{ + ssize_t rc; + char *p_last_char; + size_t n = 0; + + if (au->cur_buf != NULL) { + free(au->cur_buf); + au->cur_buf = NULL; + } + if (au->in == NULL) { + errno = EBADF; + return -1; + } + if ((rc = getline(&au->cur_buf, &n, au->in)) <= 0) { + // Note: getline always malloc's if lineptr==NULL or n==0, + // on failure malloc'ed memory is left uninitialized, + // caller must free it. + free(au->cur_buf); + au->cur_buf = NULL; + + // Note: feof() does not set errno + if (feof(au->in)) { + // return EOF condition + errno = 0; + return -2; + } + // return error condition, error code in errno + return -1; + } + p_last_char = au->cur_buf + (rc-1); + if (*p_last_char == '\n') { /* nuke newline */ + *p_last_char = 0; + } + // return success + errno = 0; + return 1; +} + + +/* malloc & copy a line into cur_buf from the internal buffer, + * next_buf. cur_buf will contain a null terminated line without a + * newline (note, this implies the line may be empty (strlen == 0)) if + * successfully read a blank line (e.g. containing only a single + * newline). + * + * Note: cur_buf will be freed the next time this routine is called if + * cur_buf is not NULL, callers who retain a reference to the cur_buf + * pointer will need to set cur_buf to NULL to cause the previous cur_buf + * allocation to persist. 
+ * + * Returns: + * 1 if successful (errno == 0) + * 0 if non-blocking input unavailable (errno == 0) + * -1 if error (errno contains non-zero error code) + * -2 if EOF (errno == 0) + */ + +static int readline_buf(auparse_state_t *au) +{ + char *p_newline=NULL; + size_t line_len; + + if (au->cur_buf != NULL) { + free(au->cur_buf); + au->cur_buf = NULL; + } + + //if (debug) databuf_print(&au->databuf, 1, "readline_buf"); + if (au->databuf.len == 0) { + // return EOF condition + errno = 0; + return -2; + } + + if ((p_newline = strnchr(databuf_beg(&au->databuf), '\n', + au->databuf.len)) != NULL) { + line_len = p_newline - databuf_beg(&au->databuf); + + /* dup the line */ + au->cur_buf = malloc(line_len+1); // +1 for null terminator + if (au->cur_buf == NULL) + return -1; // return error condition, errno set + strncpy(au->cur_buf, databuf_beg(&au->databuf), line_len); + au->cur_buf[line_len] = 0; + + if (databuf_advance(&au->databuf, line_len+1) < 0) + return -1; + // return success + errno = 0; + return 1; + + } else { + // return no data available + errno = 0; + return 0; + } +} + +static int str2event(char *s, au_event_t *e) +{ + char *ptr; + + errno = 0; + ptr = strchr(s+10, ':'); + if (ptr) { + e->serial = strtoul(ptr+1, NULL, 10); + *ptr = 0; + if (errno) + return -1; + } else + e->serial = 0; + ptr = strchr(s, '.'); + if (ptr) { + e->milli = strtoul(ptr+1, NULL, 10); + *ptr = 0; + if (errno) + return -1; + } else + e->milli = 0; + e->sec = strtoul(s, NULL, 10); + if (errno) + return -1; + return 0; +} + +/* Returns 0 on success and 1 on error */ +static int extract_timestamp(const char *b, au_event_t *e) +{ + char *ptr, *tmp; + int rc = 1; + + e->host = NULL; + if (*b == 'n') + tmp = strndupa(b, 340); + else + tmp = strndupa(b, 80); + ptr = audit_strsplit(tmp); + if (ptr) { + // Optionally grab the node - may or may not be included + if (*ptr == 'n') { + e->host = strdup(ptr+5); + (void)audit_strsplit(NULL); // Bump along to the next one + } + // at this point 
we have type= + ptr = audit_strsplit(NULL); + if (ptr) { + if (*(ptr+9) == '(') + ptr+=9; + else + ptr = strchr(ptr, '('); + if (ptr) { + // now we should be pointed at the timestamp + char *eptr; + ptr++; + eptr = strchr(ptr, ')'); + if (eptr) + *eptr = 0; + + if (str2event(ptr, e) == 0) + rc = 0; +// else { +// audit_msg(LOG_ERROR, +// "Error extracting time stamp (%s)\n", +// ptr); +// } + } + // else we have a bad line + } + // else we have a bad line + } + // else we have a bad line + return rc; +} + +static int inline events_are_equal(au_event_t *e1, au_event_t *e2) +{ + // Check time & serial first since its most likely way + // to spot 2 different events + if (!(e1->serial == e2->serial && e1->milli == e2->milli && + e1->sec == e2->sec)) + return 0; + // Hmm...same so far, check if both have a host, only a string + // compare can tell if they are the same. Otherwise, if only one + // of them have a host, they are definitely not the same. Its + // a boundary on daemon config. + if (e1->host && e2->host) { + if (strcmp(e1->host, e2->host)) + return 0; + } else if (e1->host || e2->host) + return 0; + return 1; +} + +/* This function will figure out how to get the next line of input. + * storing it cur_buf. cur_buf will be NULL terminated but will not + * contain a trailing newline. This implies a successful read + * (result == 1) may result in a zero length cur_buf if a blank line + * was read. + * + * cur_buf will have been allocated with malloc. The next time this + * routine is called if cur_buf is non-NULL cur_buf will be freed, + * thus if the caller wishes to retain a reference to malloc'ed + * cur_buf data it should copy the cur_buf pointer and set cur_buf to + * NULL. 
+ * + * Returns: + * 1 if successful (errno == 0) + * 0 if non-blocking input unavailable (errno == 0) + * -1 if error (errno contains non-zero error code) + * -2 if EOF (errno == 0) + */ + +static int retrieve_next_line(auparse_state_t *au) +{ + int rc; + + // If line was pushed back for re-reading return that + if (au->line_pushed) { + // Starting new event, clear previous event data, + // previous line is returned again for new parsing + au->line_pushed = 0; + au->line_number++; + return 1; + } + + switch (au->source) + { + case AUSOURCE_DESCRIPTOR: + case AUSOURCE_FILE_POINTER: + rc = readline_file(au); + if (rc > 0) au->line_number++; + return rc; + case AUSOURCE_LOGS: + case AUSOURCE_FILE: + case AUSOURCE_FILE_ARRAY: + // if the first time through, open file + if (au->list_idx == 0 && au->in == NULL && + au->source_list != NULL) { + if (au->source_list[au->list_idx] == NULL) { + errno = 0; + return -2; + } + au->line_number = 0; + au->in = fopen(au->source_list[au->list_idx], + "rm"); + if (au->in == NULL) + return -1; + __fsetlocking(au->in, FSETLOCKING_BYCALLER); + } + + // loop reading lines from a file + while (au->in) { + if ((rc = readline_file(au)) == -2) { + // end of file, open next file, + // try readline again + fclose(au->in); + au->in = NULL; + au->list_idx++; + au->line_number = 0; + if (au->source_list[au->list_idx]) { + au->in = fopen( + au->source_list[au->list_idx], + "rm"); + if (au->in == NULL) + return -1; + __fsetlocking(au->in, + FSETLOCKING_BYCALLER); + } + } else { + if (rc > 0) + au->line_number++; + return rc; + } + } + return -2; // return EOF + case AUSOURCE_BUFFER: + case AUSOURCE_BUFFER_ARRAY: + rc = readline_buf(au); + if (rc > 0) + au->line_number++; + return rc; + case AUSOURCE_FEED: + rc = readline_buf(au); + // No such thing as EOF for feed, translate EOF + // to data not available + if (rc == -2) + return 0; + else + if (rc > 0) + au->line_number++; + return rc; + default: + return -1; + } + return -1; /* should never 
reach here */ +} + +static void push_line(auparse_state_t *au) +{ + au->line_number--; + au->line_pushed = 1; +} + +/******* +* Functions that traverse events. +********/ +static int ausearch_reposition_cursors(auparse_state_t *au) +{ + int rc = 0; + + switch (au->search_where) + { + case AUSEARCH_STOP_EVENT: + aup_list_first(&au->le); + aup_list_first_field(&au->le); + break; + case AUSEARCH_STOP_RECORD: + aup_list_first_field(&au->le); + break; + case AUSEARCH_STOP_FIELD: + // do nothing - this is the normal stopping point + break; + default: + rc = -1; + break; + } + return rc; +} + +/* This is called during search once per each record. It walks the list + * of nvpairs and decides if a field matches. */ +static int ausearch_compare(auparse_state_t *au) +{ + rnode *r; + + r = aup_list_get_cur(&au->le); + if (r) + return expr_eval(au, r, au->expr); + + return 0; +} + +// Returns < 0 on error, 0 no data, > 0 success +int ausearch_next_event(auparse_state_t *au) +{ + int rc; + + if (au->expr == NULL) { + errno = EINVAL; + return -1; + } + if ((rc = auparse_first_record(au)) <= 0) + return rc; + do { + do { + if ((rc = ausearch_compare(au)) > 0) { + ausearch_reposition_cursors(au); + return 1; + } else if (rc < 0) + return rc; + } while ((rc = auparse_next_record(au)) > 0); + if (rc < 0) + return rc; + } while ((rc = auparse_next_event(au)) > 0); + if (rc < 0) + return rc; + + return 0; +} + +// Brute force go to next event. 
Returns < 0 on error, 0 no data, > 0 success +int auparse_next_event(auparse_state_t *au) +{ + int rc; + au_event_t event; + + if (au->parse_state == EVENT_EMITTED) { + // If the last call resulted in emitting event data then + // clear previous event data in preparation to accumulate + // new event data + aup_list_clear(&au->le); + au->parse_state = EVENT_EMPTY; + } + + // accumulate new event data + while (1) { + rc = retrieve_next_line(au); + if (debug) printf("next_line(%d) '%s'\n", rc, au->cur_buf); + if (rc == 0) return 0; // No data now + if (rc == -2) { + // We're at EOF, did we read any data previously? + // If so return data available, else return no data + // available + if (au->parse_state == EVENT_ACCUMULATING) { + if (debug) printf("EOF, EVENT_EMITTED\n"); + au->parse_state = EVENT_EMITTED; + return 1; // data is available + } + return 0; + } + if (rc > 0) { // Input available + rnode *r; + if (extract_timestamp(au->cur_buf, &event)) { + if (debug) + printf("Malformed line:%s\n", + au->cur_buf); + continue; + } + if (au->parse_state == EVENT_EMPTY) { + // First record in new event, initialize event + if (debug) + printf( + "First record in new event, initialize event\n"); + aup_list_set_event(&au->le, &event); + aup_list_append(&au->le, au->cur_buf, + au->list_idx, au->line_number); + au->parse_state = EVENT_ACCUMULATING; + au->cur_buf = NULL; + } else if (events_are_equal(&au->le.e, &event)) { + // Accumulate data into existing event + if (debug) + printf( + "Accumulate data into existing event\n"); + aup_list_append(&au->le, au->cur_buf, + au->list_idx, au->line_number); + au->parse_state = EVENT_ACCUMULATING; + au->cur_buf = NULL; + } else { + // New event, save input for next invocation + if (debug) + printf( + "New event, save current input for next invocation, EVENT_EMITTED\n"); + push_line(au); + // Emit the event, set event cursors to + // initial position + aup_list_first(&au->le); + aup_list_first_field(&au->le); + au->parse_state = 
EVENT_EMITTED; + free((char *)event.host); + return 1; // data is available + } + free((char *)event.host); + // Check to see if the event can be emitted due to EOE + // or something we know is a single record event. At + // this point, new record should be pointed at 'cur' + if ((r = aup_list_get_cur(&au->le)) == NULL) + continue; + if ( r->type == AUDIT_EOE || + r->type < AUDIT_FIRST_EVENT || + r->type >= AUDIT_FIRST_ANOM_MSG) { + // Emit the event, set event cursors to + // initial position + aup_list_first(&au->le); + aup_list_first_field(&au->le); + au->parse_state = EVENT_EMITTED; + return 1; // data is available + } + } else { // Read error + return -1; + } + } +} + +/* Accessors to event data */ +const au_event_t *auparse_get_timestamp(auparse_state_t *au) +{ + if (au && au->le.e.sec != 0) + return &au->le.e; + else + return NULL; +} + + +time_t auparse_get_time(auparse_state_t *au) +{ + if (au) + return au->le.e.sec; + else + return 0; +} + + +unsigned int auparse_get_milli(auparse_state_t *au) +{ + if (au) + return au->le.e.milli; + else + return 0; +} + + +unsigned long auparse_get_serial(auparse_state_t *au) +{ + if (au) + return au->le.e.serial; + else + return 0; +} + + +// Gets the machine node name +const char *auparse_get_node(auparse_state_t *au) +{ + if (au && au->le.e.host != NULL) + return strdup(au->le.e.host); + else + return NULL; +} + + +int auparse_node_compare(au_event_t *e1, au_event_t *e2) +{ + // If both have a host, only a string compare can tell if they + // are the same. Otherwise, if only one of them have a host, they + // are definitely not the same. Its a boundary on daemon config. 
+ if (e1->host && e2->host) + return strcmp(e1->host, e2->host); + else if (e1->host) + return 1; + else if (e2->host) + return -1; + + return 0; +} + + +int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2) +{ + if (e1->sec > e2->sec) + return 1; + if (e1->sec < e2->sec) + return -1; + + if (e1->milli > e2->milli) + return 1; + if (e1->milli < e2->milli) + return -1; + + if (e1->serial > e2->serial) + return 1; + if (e1->serial < e2->serial) + return -1; + + return 0; +} + +unsigned int auparse_get_num_records(auparse_state_t *au) +{ + return aup_list_get_cnt(&au->le); +} + + +/* Functions that traverse records in the same event */ +int auparse_first_record(auparse_state_t *au) +{ + int rc; + + if (aup_list_get_cnt(&au->le) == 0) { + rc = auparse_next_event(au); + if (rc <= 0) + return rc; + } + aup_list_first(&au->le); + aup_list_first_field(&au->le); + + return 1; +} + + +int auparse_next_record(auparse_state_t *au) +{ + if (aup_list_get_cnt(&au->le) == 0) { + int rc = auparse_first_record(au); + if (rc <= 0) + return rc; + } + if (aup_list_next(&au->le)) + return 1; + else + return 0; +} + + +int auparse_goto_record_num(auparse_state_t *au, unsigned int num) +{ + /* Check if a request is out of range */ + if (num >= aup_list_get_cnt(&au->le)) + return 0; + + if (aup_list_goto_rec(&au->le, num) != NULL) + return 1; + else + return 0; +} + + +/* Accessors to record data */ +int auparse_get_type(auparse_state_t *au) +{ + rnode *r = aup_list_get_cur(&au->le); + if (r) + return r->type; + else + return 0; +} + + +const char *auparse_get_type_name(auparse_state_t *au) +{ + rnode *r = aup_list_get_cur(&au->le); + if (r) + return audit_msg_type_to_name(r->type); + else + return NULL; +} + + +unsigned int auparse_get_line_number(auparse_state_t *au) +{ + rnode *r = aup_list_get_cur(&au->le); + if (r) + return r->line_number; + else + return 0; +} + + +const char *auparse_get_filename(auparse_state_t *au) +{ + switch (au->source) + { + case AUSOURCE_FILE: + case 
AUSOURCE_FILE_ARRAY: + break; + default: + return NULL; + } + + rnode *r = aup_list_get_cur(&au->le); + if (r) { + if (r->list_idx < 0) return NULL; + return au->source_list[r->list_idx]; + } else { + return NULL; + } +} + + +int auparse_first_field(auparse_state_t *au) +{ + return aup_list_first_field(&au->le); +} + + +int auparse_next_field(auparse_state_t *au) +{ + rnode *r = aup_list_get_cur(&au->le); + if (r) { + if (nvlist_next(&r->nv)) + return 1; + else + return 0; + } + return 0; +} + + +unsigned int auparse_get_num_fields(auparse_state_t *au) +{ + rnode *r = aup_list_get_cur(&au->le); + if (r) + return nvlist_get_cnt(&r->nv); + else + return 0; +} + +const char *auparse_get_record_text(auparse_state_t *au) +{ + rnode *r = aup_list_get_cur(&au->le); + if (r) + return r->record; + else + return NULL; +} + + +/* scan from current location to end of event */ +const char *auparse_find_field(auparse_state_t *au, const char *name) +{ + free(au->find_field); + au->find_field = strdup(name); + + if (au->le.e.sec) { + const char *cur_name; + rnode *r; + + // look at current record before moving + r = aup_list_get_cur(&au->le); + if (r == NULL) + return NULL; + cur_name = nvlist_get_cur_name(&r->nv); + if (cur_name && strcmp(cur_name, name) == 0) + return nvlist_get_cur_val(&r->nv); + + return auparse_find_field_next(au); + } + return NULL; +} + +/* Increment 1 location and then scan for next field */ +const char *auparse_find_field_next(auparse_state_t *au) +{ + if (au->find_field == NULL) { + errno = EINVAL; + return NULL; + } + if (au->le.e.sec) { + int moved = 0; + + rnode *r = aup_list_get_cur(&au->le); + while (r) { // For each record in the event... 
+ if (!moved) { + nvlist_next(&r->nv); + moved=1; + } + if (nvlist_find_name(&r->nv, au->find_field)) + return nvlist_get_cur_val(&r->nv); + r = aup_list_next(&au->le); + if (r) + aup_list_first_field(&au->le); + } + } + return NULL; +} + + +/* Accessors to field data */ +const char *auparse_get_field_name(auparse_state_t *au) +{ + if (au->le.e.sec) { + rnode *r = aup_list_get_cur(&au->le); + if (r) + return nvlist_get_cur_name(&r->nv); + } + return NULL; +} + + +const char *auparse_get_field_str(auparse_state_t *au) +{ + if (au->le.e.sec) { + rnode *r = aup_list_get_cur(&au->le); + if (r) + return nvlist_get_cur_val(&r->nv); + } + return NULL; +} + +int auparse_get_field_type(auparse_state_t *au) +{ + if (au->le.e.sec) { + rnode *r = aup_list_get_cur(&au->le); + if (r) + return nvlist_get_cur_type(r); + } + return AUPARSE_TYPE_UNCLASSIFIED; +} + +int auparse_get_field_int(auparse_state_t *au) +{ + const char *v = auparse_get_field_str(au); + if (v) { + int val; + + errno = 0; + val = strtol(v, NULL, 10); + if (errno == 0) + return val; + } else + errno = ENODATA; + return -1; +} + +const char *auparse_interpret_field(auparse_state_t *au) +{ + if (au->le.e.sec) { + rnode *r = aup_list_get_cur(&au->le); + if (r) + return nvlist_interp_cur_val(r); + } + return NULL; +} + diff --git a/framework/src/audit/auparse/auparse.h b/framework/src/audit/auparse/auparse.h new file mode 100644 index 00000000..78504ffe --- /dev/null +++ b/framework/src/audit/auparse/auparse.h 
@@ -0,0 +1,112 @@ +/* auparse.h -- + * Copyright 2006-08,2012,2014,2015 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#ifndef AUPARSE_HEADER +#define AUPARSE_HEADER + +#include "auparse-defs.h" + +#ifdef __cplusplus +extern "C" { +#endif + + +/* Library type definitions */ + +/* opaque data type used for maintaining library state */ +typedef struct opaque auparse_state_t; + +typedef void (*user_destroy)(void *user_data); +typedef void (*auparse_callback_ptr)(auparse_state_t *au, + auparse_cb_event_t cb_event_type, void *user_data); + +/* General functions that affect operation of the library */ +auparse_state_t *auparse_init(ausource_t source, const void *b); +int auparse_feed(auparse_state_t *au, const char *data, size_t data_len); +int auparse_flush_feed(auparse_state_t *au); +int auparse_feed_has_data(const auparse_state_t *au); +void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback, + void *user_data, user_destroy user_destroy_func); +void auparse_set_escape_mode(auparse_esc_t mode); +int auparse_reset(auparse_state_t *au); +void auparse_destroy(auparse_state_t *au); + +/* Functions that are part of the search interface */ 
+int ausearch_add_expression(auparse_state_t *au, const char *expression, + char **error, ausearch_rule_t how); +int ausearch_add_item(auparse_state_t *au, const char *field, const char *op, + const char *value, ausearch_rule_t how); +int ausearch_add_interpreted_item(auparse_state_t *au, const char *field, + const char *op, const char *value, ausearch_rule_t how); +int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec, + unsigned milli, ausearch_rule_t how); +int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op, + time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how); +int ausearch_add_regex(auparse_state_t *au, const char *expr); +int ausearch_set_stop(auparse_state_t *au, austop_t where); +void ausearch_clear(auparse_state_t *au); + +/* Functions that traverse events */ +int ausearch_next_event(auparse_state_t *au); +int auparse_next_event(auparse_state_t *au); + +/* Accessors to event data */ +const au_event_t *auparse_get_timestamp(auparse_state_t *au); +time_t auparse_get_time(auparse_state_t *au); +unsigned int auparse_get_milli(auparse_state_t *au); +unsigned long auparse_get_serial(auparse_state_t *au); +const char *auparse_get_node(auparse_state_t *au); +int auparse_node_compare(au_event_t *e1, au_event_t *e2); +int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2); +unsigned int auparse_get_num_records(auparse_state_t *au); + +/* Functions that traverse records in the same event */ +int auparse_first_record(auparse_state_t *au); +int auparse_next_record(auparse_state_t *au); +int auparse_goto_record_num(auparse_state_t *au, unsigned int num); + +/* Accessors to record data */ +int auparse_get_type(auparse_state_t *au); +const char *auparse_get_type_name(auparse_state_t *au); +unsigned int auparse_get_line_number(auparse_state_t *au); +const char *auparse_get_filename(auparse_state_t *au); +int auparse_first_field(auparse_state_t *au); +int auparse_next_field(auparse_state_t *au); +unsigned 
int auparse_get_num_fields(auparse_state_t *au); +const char *auparse_get_record_text(auparse_state_t *au); +const char *auparse_find_field(auparse_state_t *au, const char *name); +const char *auparse_find_field_next(auparse_state_t *au); + +/* Accessors to field data */ +const char *auparse_get_field_name(auparse_state_t *au); +const char *auparse_get_field_str(auparse_state_t *au); +int auparse_get_field_type(auparse_state_t *au); +int auparse_get_field_int(auparse_state_t *au); +const char *auparse_interpret_field(auparse_state_t *au); + + +#ifdef __cplusplus +} +#endif + +#endif + diff --git a/framework/src/audit/auparse/auparse.pc.in b/framework/src/audit/auparse/auparse.pc.in new file mode 100644 index 00000000..581287e8 --- /dev/null +++ b/framework/src/audit/auparse/auparse.pc.in @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: libauparse +Description: Library for apps that want to parse and interpret audit logs +Version: @VERSION@ +Libs: -L${libdir} -lauparse +Libs.private: -laudit +Cflags: -I${includedir} diff --git a/framework/src/audit/auparse/captab.h b/framework/src/audit/auparse/captab.h new file mode 100644 index 00000000..409fdb4e --- /dev/null +++ b/framework/src/audit/auparse/captab.h 
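Review bot: The prototype `const char *auparse_get_node(auparse_state_t *au);` reads like the other `const char *` accessors declared in this hunk, which hand back borrowed pointers, but the implementation this commit adds in auparse.c returns `strdup(au->le.e.host)`; a caller that treats the result like `auparse_get_field_str` leaks one allocation per event, and one that knows to free it has to cast away the `const`. If the copy is intentional the header should say so, e.g. `/* Returns a malloc()ed copy of the node name, or NULL; the caller must free() it. */` above the declaration; if not, returning `au->le.e.host` directly would match the rest of the accessor family. Either way the contract is only visible by reading the .c file today.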
@@ -0,0 +1,62 @@ +/* captab.h -- + * Copyright 2007,2008,2012-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/capability.h + */ + + +_S(0, "chown" ) +_S(1, "dac_override" ) +_S(2, "dac_read_search" ) +_S(3, "fowner" ) +_S(4, "fsetid" ) +_S(5, "kill" ) +_S(6, "setgid" ) +_S(7, "setuid" ) +_S(8, "setpcap" ) +_S(9, "linux_immutable" ) +_S(10, "net_bind_service" ) +_S(11, "net_broadcast" ) +_S(12, "net_admin" ) +_S(13, "net_raw" ) +_S(14, "ipc_lock" ) +_S(15, "ipc_owner" ) +_S(16, "sys_module" ) +_S(17, "sys_rawio" ) +_S(18, "sys_chroot" ) +_S(19, "sys_ptrace" ) +_S(20, "sys_pacct" ) +_S(21, "sys_admin" ) +_S(22, "sys_boot" ) +_S(23, "sys_nice" ) +_S(24, "sys_resource" ) +_S(25, "sys_time" ) +_S(26, "sys_tty_config" ) +_S(27, "mknod" ) +_S(28, "lease" ) +_S(29, "audit_write" ) +_S(30, "audit_control" ) +_S(31, "setfcap" ) +_S(32, "mac_override" ) +_S(33, "mac_admin" ) +_S(34, "syslog" ) +_S(35, "wake_alarm" ) +_S(36, "block_suspend" ) +_S(37, "audit_read" ) diff --git a/framework/src/audit/auparse/clocktab.h b/framework/src/audit/auparse/clocktab.h new file mode 100644 index 00000000..bcb396fe --- /dev/null 
+++ b/framework/src/audit/auparse/clocktab.h @@ -0,0 +1,36 @@ +/* clocktab.h -- + * Copyright 2012,2014 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/time.h + */ + +_S(0, "CLOCK_REALTIME" ) +_S(1, "CLOCK_MONOTONIC" ) +_S(2, "CLOCK_PROCESS_CPUTIME_ID" ) +_S(3, "CLOCK_THREAD_CPUTIME_ID" ) +_S(4, "CLOCK_MONOTONIC_RAW" ) +_S(5, "CLOCK_REALTIME_COARSE" ) +_S(6, "CLOCK_MONOTONIC_COARSE" ) +_S(7, "CLOCK_BOOTTIME" ) +_S(8, "CLOCK_REALTIME_ALARM" ) +_S(9, "CLOCK_BOOTTIME_ALARM" ) +_S(10, "CLOCK_SGI_CYCLE" ) +_S(11, "CLOCK_TAI" ) + diff --git a/framework/src/audit/auparse/clone-flagtab.h b/framework/src/audit/auparse/clone-flagtab.h new file mode 100644 index 00000000..503e84bc --- /dev/null +++ b/framework/src/audit/auparse/clone-flagtab.h 
@@ -0,0 +1,47 @@ +/* clone-flagtab.h -- + * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/sched.h + */ + +_S(0x00000100, "CLONE_VM" ) +_S(0x00000200, "CLONE_FS" ) +_S(0x00000400, "CLONE_FILES" ) +_S(0x00000800, "CLONE_SIGHAND" ) +_S(0x00002000, "CLONE_PTRACE" ) +_S(0x00004000, "CLONE_VFORK" ) +_S(0x00008000, "CLONE_PARENT" ) +_S(0x00010000, "CLONE_THREAD" ) +_S(0x00020000, "CLONE_NEWNS" ) +_S(0x00040000, "CLONE_SYSVSEM" ) +_S(0x00080000, "CLONE_SETTLS" ) +_S(0x00100000, "CLONE_PARENT_SETTID" ) +_S(0x00200000, "CLONE_CHILD_CLEARTID" ) +_S(0x00400000, "CLONE_DETACHED" ) +_S(0x00800000, "CLONE_UNTRACED" ) +_S(0x01000000, "CLONE_CHILD_SETTID" ) +_S(0x02000000, "CLONE_STOPPED" ) +_S(0x04000000, "CLONE_NEWUTS" ) +_S(0x08000000, "CLONE_NEWIPC" ) +_S(0x10000000, "CLONE_NEWUSER" ) +_S(0x20000000, "CLONE_NEWPID" ) +_S(0x40000000, "CLONE_NEWNET" ) +_S(0x80000000, "CLONE_IO" ) + diff --git a/framework/src/audit/auparse/data_buf.c b/framework/src/audit/auparse/data_buf.c new file mode 100644 index 00000000..43b5999e --- /dev/null +++ b/framework/src/audit/auparse/data_buf.c 
@@ -0,0 +1,394 @@ +/* data_buf.c -- + * Copyright 2007,2011 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * John Dennis <jdennis@redhat.com> + */ + +/* + * gcc -DTEST -g data_buf.c -o data_buf + * gcc -DTEST -g data_buf.c -o data_buf && valgrind --leak-check=yes ./data_buf + */ + +/*****************************************************************************/ +/******************************** Documentation ******************************/ +/*****************************************************************************/ + +/*****************************************************************************/ +/******************************* Include Files *******************************/ +/*****************************************************************************/ + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <assert.h> +#include <stdarg.h> +#include <errno.h> +#include "data_buf.h" + +/*****************************************************************************/ +/****************************** Internal Defines *****************************/ +/*****************************************************************************/ + +#ifndef MIN +#define MIN(a,b) 
(((a)<=(b))?(a):(b)) +#endif + +#ifndef MAX +#define MAX(a,b) (((a)>=(b))?(a):(b)) +#endif + +//#define DEBUG 1 + +#ifdef DEBUG +#define DATABUF_VALIDATE(db) \ +{ \ + if (db->alloc_ptr == NULL || db->alloc_size == 0) { \ + assert(db->alloc_ptr == NULL); \ + assert(db->alloc_size == 0); \ + assert(db->len == 0); \ + } else { \ + assert(db->offset <= db->alloc_size); \ + assert(db->len <= db->alloc_size); \ + assert(db->offset+db->len <= db->alloc_size); \ + } \ +} +#else +#define DATABUF_VALIDATE(db) +#endif + +/*****************************************************************************/ +/************************** Internal Type Definitions ************************/ +/*****************************************************************************/ + +/*****************************************************************************/ +/********************** External Function Declarations *********************/ +/*****************************************************************************/ + +/*****************************************************************************/ +/********************** Internal Function Declarations *********************/ +/*****************************************************************************/ + +static int databuf_shift_data_to_beginning(DataBuf *db); +static int databuf_strcat(DataBuf *db, const char *str); + +/*****************************************************************************/ +/************************* External Global Variables ***********************/ +/*****************************************************************************/ + +/*****************************************************************************/ +/************************* Internal Global Variables ***********************/ +/*****************************************************************************/ + +#ifdef DEBUG +static int debug = 0; +#endif + +/*****************************************************************************/ 
+/**************************** Inline Functions *****************************/ +/*****************************************************************************/ +static inline char *databuf_end(DataBuf *db) +{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset+db->len;} + +static inline char *databuf_alloc_end(DataBuf *db) +{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->alloc_size;} + +static inline int databuf_tail_size(DataBuf *db) +{return db->alloc_size - (db->offset+db->len);} + +static inline int databuf_tail_available(DataBuf *db, size_t append_len) +{return append_len <= databuf_tail_size(db);} + +static inline size_t databuf_free_size(DataBuf *db) +{return db->alloc_size-db->len;} + +/*****************************************************************************/ +/*************************** Internal Functions ****************************/ +/*****************************************************************************/ + +static int databuf_shift_data_to_beginning(DataBuf *db) +{ + DATABUF_VALIDATE(db); + if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) return -1; + if (databuf_beg(db) == NULL) return 1; + if (db->offset) { + memmove(db->alloc_ptr, databuf_beg(db), db->len); + db->offset = 0; + } + DATABUF_VALIDATE(db); + return 1; +} + +/*****************************************************************************/ +/**************************** Exported Functions ***************************/ +/*****************************************************************************/ + +void databuf_print(DataBuf *db, int print_data, char *fmt, ...) +{ + va_list ap; + va_start(ap, fmt); + if (fmt) { + vprintf(fmt, ap); + } + printf("%salloc_size=%zu alloc_ptr=%p offset=%zu beg=%p len=%zu max_len=%zu flags=[", + fmt?" 
":"", db->alloc_size, db->alloc_ptr, db->offset, databuf_beg(db), db->len, db->max_len); + + if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) printf("PRESERVE_HEAD "); + if (db->flags & DATABUF_FLAG_STRING) printf("STRING "); + printf("]"); + + if (print_data) { + printf(" ["); + fwrite(databuf_beg(db), 1, db->len, stdout); + printf("]"); + } + printf("\n"); + va_end(ap); +} + +int databuf_init(DataBuf *db, size_t size, unsigned flags) +{ + db->alloc_ptr = NULL; + db->alloc_size = 0; + db->offset = 0; + db->len = 0; + db->max_len = 0; + db->flags = flags; + + if (size) { + if ((db->alloc_ptr = malloc(size))) { + db->alloc_size = size; + return 1; + } else { + return -1; + } + } + + // For strings intialize with initial NULL terminator + if (flags & DATABUF_FLAG_STRING) databuf_strcat(db, ""); + + return 1; +} + +void databuf_free(DataBuf *db) +{ + DATABUF_VALIDATE(db); + + if (db->alloc_ptr != NULL) { + free(db->alloc_ptr); + } + + db->alloc_ptr = NULL; + db->alloc_size = 0; + db->offset = 0; + db->len = 0; + db->max_len = 0; + + DATABUF_VALIDATE(db); +} + +int databuf_append(DataBuf *db, const char *src, size_t src_size) +{ + size_t new_size; + + DATABUF_VALIDATE(db); + + if (src == NULL || src_size == 0) return 0; + + new_size = db->len+src_size; + +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_append() size=%zd", src_size); +#endif + if ((new_size > db->alloc_size) || + ((db->flags & DATABUF_FLAG_PRESERVE_HEAD) && !databuf_tail_available(db, src_size))) { + /* not enough room, we must realloc */ + void *new_alloc; + + databuf_shift_data_to_beginning(db); + if ((new_alloc = realloc(db->alloc_ptr, new_size))) { + db->alloc_ptr = new_alloc; + db->alloc_size = new_size; + } else { + return -1; /* realloc failed */ + } + } else { + /* we can fit within current allocation, but can we append? 
*/ + if (!databuf_tail_available(db, src_size)) { + /* we can't append in place, must create room at tail by shifting + data forward to the beginning of the allocation block */ + databuf_shift_data_to_beginning(db); + } + } +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_append() about to memmove()"); +#endif + /* pointers all set up and room availble, move the data and update */ + memmove(databuf_end(db), src, src_size); + db->len = new_size; + db->max_len = MAX(db->max_len, new_size); +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_append() conclusion"); +#endif + DATABUF_VALIDATE(db); + return 1; +} + +static int databuf_strcat(DataBuf *db, const char *str) +{ + size_t str_len; + + DATABUF_VALIDATE(db); + + if (str == NULL) return 0; + + // +1 so the data append also copies the NULL terminator + str_len = strlen(str) + 1; + + // If there is a NULL terminator exclude it so the subsequent + // data append produces a proper string concatenation + if (db->len > 0) { + char *last_char = databuf_end(db) - 1; + if (*last_char == 0) { + db->len--; // backup over NULL terminator + } + } + + // Copy string and NULL terminator + databuf_append(db, str, str_len); + + DATABUF_VALIDATE(db); + return 1; +} + +int databuf_advance(DataBuf *db, size_t advance) +{ + size_t actual_advance; + DATABUF_VALIDATE(db); + +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_advance() enter, advance=%zd", advance); +#endif + actual_advance = MIN(advance, db->len); + db->offset += actual_advance; + db->len -= actual_advance; + +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_advance() leave, actual_advance=%zd", actual_advance); +#endif + DATABUF_VALIDATE(db); + if (advance == actual_advance) { + return 1; + } else { + errno = ESPIPE; // Illegal seek + return -1; + } +} + +int databuf_reset(DataBuf *db) +{ +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_reset() entry"); +#endif + if (!(db->flags & DATABUF_FLAG_PRESERVE_HEAD)) return -1; + db->offset = 
0; + db->len = MIN(db->alloc_size, db->max_len); +#ifdef DEBUG + if (debug) databuf_print(db, 1, "databuf_reset() exit"); +#endif + return 1; +} + +/*****************************************************************************/ +/******************************* Test Program ******************************/ +/*****************************************************************************/ + +#ifdef TEST +static char *make_data(size_t size, const char *fill) { + int n=0; + char *data = malloc(size); + + if (data == NULL) { + fprintf(stderr, "ERROR: make_data malloc failed\n"); + exit(1); + } + + n += snprintf(data, size, "%d", size); + while (n < size) { + n += snprintf(data+n, size-n, "%s", fill); + } + return data; +} + +int main(int argc, char **argv) +{ + size_t size = 0; + DataBuf buf; + char *data; + + assert(databuf_init(&buf, size, DATABUF_FLAG_STRING)); + databuf_print(&buf, 1, "after init size=%d", size); + +#if 1 + data = "a"; + assert(databuf_strcat(&buf, data)); + databuf_print(&buf, 1, "after strcat(%s)", data); + + data = "bb"; + assert(databuf_strcat(&buf, data)); + databuf_print(&buf, 1, "after strcat(%s)", data); + + data = "ccc"; + assert(databuf_strcat(&buf, data)); + databuf_print(&buf, 1, "after strcat(%s)", data); + +#endif + + databuf_free(&buf); + +#if 0 + assert(databuf_init(&buf, size, 0)); + databuf_print(&buf, 1, "after init size=%d", size); + + size = 8; + data = make_data(size, "a"); + assert(databuf_append(&buf, data, size)); + databuf_print(&buf, 1, "after append size=%d", size); + assert(databuf_append(&buf, data, size)); + free(data); + databuf_print(&buf, 1, "after append size=%d", size); + + assert(databuf_advance(&buf, 4)); + databuf_print(&buf, 1, "after databuf_advance(%d", 4); + + size = 5; + data = make_data(size, "b"); + assert(databuf_append(&buf, data, size)); + free(data); + databuf_print(&buf, 1, "after append size=%d", size); + size = 7; + data = make_data(size, "c"); + assert(databuf_append(&buf, data, size)); + 
free(data); + databuf_print(&buf, 1, "after append size=%d", size); + + databuf_free(&buf); +#endif + exit(0); +} +#endif diff --git a/framework/src/audit/auparse/data_buf.h b/framework/src/audit/auparse/data_buf.h new file mode 100644 index 00000000..66323fb7 --- /dev/null +++ b/framework/src/audit/auparse/data_buf.h 
@@ -0,0 +1,80 @@ +/* data_buf.h -- + * Copyright 2007 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * John Dennis <jdennis@redhat.com> + */ + +#ifndef DATA_BUF_HEADER +#define DATA_BUF_HEADER + +/*****************************************************************************/ +/******************************* Include Files *******************************/ +/*****************************************************************************/ +#include "config.h" +#include "private.h" + +/*****************************************************************************/ +/*********************************** Defines *********************************/ +/*****************************************************************************/ + +#define DATABUF_FLAG_PRESERVE_HEAD (1 << 0) +#define DATABUF_FLAG_STRING (2 << 0) + + +/*****************************************************************************/ +/******************************* Type Definitions ****************************/ +/*****************************************************************************/ + +typedef struct Databuf { + unsigned flags; + size_t alloc_size; + char *alloc_ptr; + size_t offset; + size_t len; + size_t max_len; +} DataBuf; + 
+/*****************************************************************************/ +/************************* External Global Variables ***********************/ +/*****************************************************************************/ + +/*****************************************************************************/ +/***************************** Inline Functions ****************************/ +/*****************************************************************************/ + +static inline char *databuf_beg(DataBuf *db) +{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset;} + +/*****************************************************************************/ +/**************************** Exported Functions ***************************/ +/*****************************************************************************/ + +void databuf_print(DataBuf *db, int print_data, char *fmt, ...) hidden +#ifdef __GNUC__ + __attribute__ ((format (printf, 3, 4))); +#else + ; +#endif +int databuf_init(DataBuf *db, size_t size, unsigned flags) hidden; +void databuf_free(DataBuf *db) hidden; +int databuf_append(DataBuf *db, const char *src, size_t src_size) hidden; +int databuf_advance(DataBuf *db, size_t advance) hidden; +int databuf_reset(DataBuf *db) hidden; + +#endif diff --git a/framework/src/audit/auparse/ellist.c b/framework/src/audit/auparse/ellist.c new file mode 100644 index 00000000..e5b60264 --- /dev/null +++ b/framework/src/audit/auparse/ellist.c 
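Review bot: `#define DATABUF_FLAG_STRING (2 << 0)` evaluates to 2 but breaks the one-bit-per-flag pattern set by `DATABUF_FLAG_PRESERVE_HEAD (1 << 0)` on the line above and reads as if the shift amount were the varying part; `#define DATABUF_FLAG_STRING (1 << 1)` is the same value written the conventional way. Neither flag is documented, and their effect is only discoverable from data_buf.c in this same commit: PRESERVE_HEAD makes databuf_shift_data_to_beginning refuse to move consumed bytes so databuf_reset can rewind to them, and STRING makes databuf_init keep the buffer NUL-terminated. A one-line comment next to each define stating that would save the next reader the trip.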
@@ -0,0 +1,428 @@ +/* +* ellist.c - Minimal linked list library +* Copyright (c) 2006-08,2014 Red Hat Inc., Durham, North Carolina. +* All Rights Reserved. +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public +* License as published by the Free Software Foundation; either +* version 2.1 of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this library; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Authors: +* Steve Grubb <sgrubb@redhat.com> +*/ + +#include <stdlib.h> +#include <string.h> +#include <stdio.h> +#include <errno.h> +#include <libaudit.h> +#include "ellist.h" +#include "interpret.h" + +static const char key_sep[2] = { AUDIT_KEY_SEPARATOR, 0 }; + +void aup_list_create(event_list_t *l) +{ + l->head = NULL; + l->cur = NULL; + l->cnt = 0; + l->e.milli = 0L; + l->e.sec = 0L; + l->e.serial = 0L; + l->e.host = NULL; +} + +static void aup_list_last(event_list_t *l) +{ + register rnode* window; + + if (l->head == NULL) + return; + + window = l->head; + while (window->next) + window = window->next; + l->cur = window; +} + +rnode *aup_list_next(event_list_t *l) +{ + if (l->cur) + l->cur = l->cur->next; + return l->cur; +} + +/* + * * This function does encoding of "untrusted" names just like the kernel + * */ +static char *_audit_c2x(char *final, const char *buf, unsigned int size) +{ + unsigned int i; + char *ptr = final; + const char *hex = "0123456789ABCDEF"; + + for (i=0; i<size; i++) { + *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */ + *ptr++ = hex[buf[i] & 0x0F]; /* 
Lower nibble */ + } + *ptr = 0; + return final; +} + +static char *escape(const char *tmp) +{ + char *name; + const unsigned char *p = (unsigned char *)tmp; + while (*p) { + if (*p == '"' || *p < 0x21 || *p > 0x7e) { + int len = strlen(tmp); + name = malloc((2*len)+1); + return _audit_c2x(name, tmp, len); + } + p++; + } + if (asprintf(&name, "\"%s\"", tmp) < 0) + name = NULL; + return name; +} + +/* This funtion does the heavy duty work of splitting a record into + * its little tiny pieces */ +static int parse_up_record(rnode* r) +{ + char *ptr, *buf, *saved=NULL; + int offset = 0; + + buf = strdup(r->record); + ptr = audit_strsplit_r(buf, &saved); + if (ptr == NULL) { + free(buf); + return -1; + } + + do { // If there's an '=' sign, its a keeper + nvnode n; + char *val = strchr(ptr, '='); + if (val) { + int len; + + // If name is 'msg=audit' throw it away + if (*ptr == 'm' && strncmp(ptr, "msg=", 4) == 0) { + if (ptr[4] == 'a') + continue; + + // If name is 'msg='' chop off and see + // if there is still a = in the string. 
+ else if (ptr[4] == '\'') { + ptr += 5; + val = strchr(ptr, '='); + if (val == NULL) + continue; + } + } + + // Split the string + *val = 0; + val++; + + // Remove beginning cruft of name + if (*ptr == '(') + ptr++; + n.name = strdup(ptr); + n.val = strdup(val); + // Remove trailing punctuation + len = strlen(n.val); + if (len && n.val[len-1] == ':') { + n.val[len-1] = 0; + len--; + } + if (len && n.val[len-1] == ',') { + n.val[len-1] = 0; + len--; + } + if (len && n.val[len-1] == '\'') { + n.val[len-1] = 0; + len--; + } + if (len && n.val[len-1] == ')') { + if (strcmp(n.val, "(none)") && + strcmp(n.val, "(null)")) { + n.val[len-1] = 0; + len--; + } + } + // Make virtual keys or just store it + if (strcmp(n.name, "key") == 0 && *n.val != '(') { + if (*n.val == '"') + nvlist_append(&r->nv, &n); + else { + char *key, *ptr, *saved2; + + key = (char *)au_unescape(n.val); + if (key == NULL) { + // Malformed key - save as is + nvlist_append(&r->nv, &n); + continue; + } + ptr = strtok_r(key, key_sep, &saved2); + free(n.name); + free(n.val); + while (ptr) { + n.name = strdup("key"); + n.val = escape(ptr); + nvlist_append(&r->nv, &n); + ptr = strtok_r(NULL, + key_sep, &saved2); + } + free(key); + } + continue; + } else + nvlist_append(&r->nv, &n); + + // Do some info gathering for use later + if (r->nv.cnt == 1 && strcmp(n.name, "node") == 0) + offset = 1; // if node, some positions changes + else if (r->nv.cnt == (1 + offset) && + strcmp(n.name, "type") == 0) { + r->type = audit_name_to_msg_type(n.val); + } else if (r->nv.cnt == (2 + offset) && + strcmp(n.name, "arch")== 0){ + unsigned int ival; + errno = 0; + ival = strtoul(n.val, NULL, 16); + if (errno) + r->machine = -2; + else + r->machine = audit_elf_to_machine(ival); + } else if (r->nv.cnt == (3 + offset) && + strcmp(n.name, "syscall") == 0){ + errno = 0; + r->syscall = strtoul(n.val, NULL, 10); + if (errno) + r->syscall = -1; + } else if (r->nv.cnt == (6 + offset) && + strcmp(n.name, "a0") == 0){ + errno = 0; + 
r->a0 = strtoull(n.val, NULL, 16); + if (errno) + r->a0 = -1LL; + } else if (r->nv.cnt == (7 + offset) && + strcmp(n.name, "a1") == 0){ + errno = 0; + r->a1 = strtoull(n.val, NULL, 16); + if (errno) + r->a1 = -1LL; + } + } else if (r->type == AUDIT_AVC || r->type == AUDIT_USER_AVC) { + // We special case these 2 fields because selinux + // avc messages do not label these fields. + n.name = NULL; + if (nvlist_get_cnt(&r->nv) == (1 + offset)) { + // skip over 'avc:' + if (strncmp(ptr, "avc", 3) == 0) + continue; + n.name = strdup("seresult"); + } else if (nvlist_get_cnt(&r->nv) == (2 + offset)) { + // skip over open brace + if (*ptr == '{') { + int total = 0, len; + char tmpctx[256], *to; + tmpctx[0] = 0; + to = tmpctx; + ptr = audit_strsplit_r(NULL, &saved); + while (ptr && *ptr != '}') { + len = strlen(ptr); + if ((len+1) >= (256-total)) { + free(buf); + return -1; + } + if (tmpctx[0]) { + to = stpcpy(to, ","); + total++; + } + to = stpcpy(to, ptr); + total += len; + ptr = audit_strsplit_r(NULL, + &saved); + } + n.name = strdup("seperms"); + n.val = strdup(tmpctx); + nvlist_append(&r->nv, &n); + continue; + } + } else + continue; + n.val = strdup(ptr); + nvlist_append(&r->nv, &n); + } + // FIXME: There should be an else here to catch ancillary data + } while((ptr = audit_strsplit_r(NULL, &saved))); + + free(buf); + r->nv.cur = r->nv.head; // reset to beginning + return 0; +} + +int aup_list_append(event_list_t *l, char *record, int list_idx, + unsigned int line_number) +{ + rnode* r; + + if (record == NULL) + return -1; + + // First step is build rnode + r = malloc(sizeof(rnode)); + if (r == NULL) + return -1; + + r->record = record; + r->type = 0; + r->a0 = 0LL; + r->a1 = 0LL; + r->machine = -1; + r->syscall = -1; + r->item = l->cnt; + r->list_idx = list_idx; + r->line_number = line_number; + r->next = NULL; + nvlist_create(&r->nv); + + // if we are at top, fix this up + if (l->head == NULL) + l->head = r; + else { // Otherwise add pointer to newnode + 
aup_list_last(l); + l->cur->next = r; + } + + // make newnode current + l->cur = r; + l->cnt++; + + // Then parse the record up into nvlist + return parse_up_record(r); +} + +void aup_list_clear(event_list_t* l) +{ + rnode* nextnode; + register rnode* current; + + if (l == NULL) + return; + + current = l->head; + while (current) { + nextnode=current->next; + nvlist_clear(¤t->nv); + free(current->record); + free(current); + current=nextnode; + } + l->head = NULL; + l->cur = NULL; + l->cnt = 0; + l->e.milli = 0L; + l->e.sec = 0L; + l->e.serial = 0L; + free((char *)l->e.host); + l->e.host = NULL; +} + +/*int aup_list_get_event(event_list_t* l, au_event_t *e) +{ + if (l == NULL || e == NULL) + return 0; + + e->sec = l->e.sec; + e->milli = l->e.milli; + e->serial = l->e.serial; + if (l->e.host) + e->host = strdup(l->e.host); + else + e->host = NULL; + return 1; +} */ + +int aup_list_set_event(event_list_t* l, au_event_t *e) +{ + if (l == NULL || e == NULL) + return 0; + + l->e.sec = e->sec; + l->e.milli = e->milli; + l->e.serial = e->serial; + l->e.host = e->host; // Take custody of the memory + e->host = NULL; + return 1; +} + +rnode *aup_list_find_rec(event_list_t *l, int i) +{ + register rnode* window; + + window = l->head; /* start at the beginning */ + while (window) { + if (window->type == i) { + l->cur = window; + return window; + } else + window = window->next; + } + return NULL; +} + +rnode *aup_list_goto_rec(event_list_t *l, int i) +{ + register rnode* window; + + window = l->head; /* start at the beginning */ + while (window) { + if (window->item == i) { + l->cur = window; + return window; + } else + window = window->next; + } + return NULL; +} + +rnode *aup_list_find_rec_range(event_list_t *l, int low, int high) +{ + register rnode* window; + + if (high <= low) + return NULL; + + window = l->head; /* Start at the beginning */ + while (window) { + if (window->type >= low && window->type <= high) { + l->cur = window; + return window; + } else + window = 
window->next; + } + return NULL; +} + +int aup_list_first_field(event_list_t *l) +{ + if (l->cur) { + nvlist_first(&l->cur->nv); + return 1; + } else + return 0; +} + diff --git a/framework/src/audit/auparse/ellist.h b/framework/src/audit/auparse/ellist.h new file mode 100644 index 00000000..2b43a68d --- /dev/null +++ b/framework/src/audit/auparse/ellist.h 
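Review bot: In `parse_up_record` the results of `buf = strdup(r->record)`, `n.name = strdup(ptr)` and `n.val = strdup(val)` are used without a NULL check — `audit_strsplit_r(buf, &saved)` and `len = strlen(n.val)` dereference them on the next lines — and `escape()` passes an unchecked `malloc((2*len)+1)` straight into `_audit_c2x`, which writes through it. In `escape()` the fix is one line before the call, `if (name == NULL) return NULL;`; in `parse_up_record`, check both `strdup` results, free whichever succeeded plus `buf`, and return -1, mirroring the existing `free(buf); return -1;` path taken when the first `audit_strsplit_r` returns NULL. In the key-splitting loop `n.val = escape(ptr)` is likewise appended via `nvlist_append(&r->nv, &n)` without checking for the NULL that `escape()` returns when `asprintf` fails. Separately, `aup_list_append` links the new node and increments `l->cnt` before calling `parse_up_record`, so a -1 from the parser leaves a partially parsed record in the list; whether callers rely on that is not visible in this hunk.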
@@ -0,0 +1,66 @@ +/* +* ellist.h - Header file for ellist.c +* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina. +* All Rights Reserved. +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public +* License as published by the Free Software Foundation; either +* version 2.1 of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this library; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Authors: +* Steve Grubb <sgrubb@redhat.com> +*/ + +#ifndef ELLIST_HEADER +#define ELLIST_HEADER + +#include "config.h" +#include "private.h" +#include "auparse-defs.h" +#include <sys/types.h> +#include "nvlist.h" + +/* This is the linked list head. Only data elements that are 1 per + * event goes here. 
*/ +typedef struct { + rnode *head; // List head + rnode *cur; // Pointer to current node + unsigned int cnt; // How many items in this list + + // Data we add as 1 per event + au_event_t e; // event - time & serial number +} event_list_t; + +void aup_list_create(event_list_t *l) hidden; +void aup_list_clear(event_list_t* l) hidden; +static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l->cnt; } +static inline void aup_list_first(event_list_t *l) { l->cur = l->head; } +static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; } +rnode *aup_list_next(event_list_t *l) hidden; +int aup_list_append(event_list_t *l, char *record, int list_idx, unsigned int line_number) hidden; +//int aup_list_get_event(event_list_t* l, au_event_t *e) hidden; +int aup_list_set_event(event_list_t* l, au_event_t *e) hidden; + +/* Given a message type, find the matching node */ +rnode *aup_list_find_rec(event_list_t *l, int i) hidden; + +/* Seek to a specific record number */ +rnode *aup_list_goto_rec(event_list_t *l, int i) hidden; + +/* Given two message types, find the first matching node */ +rnode *aup_list_find_rec_range(event_list_t *l, int low, int high) hidden; + +int aup_list_first_field(event_list_t *l) hidden; + +#endif + diff --git a/framework/src/audit/auparse/epoll_ctl.h b/framework/src/audit/auparse/epoll_ctl.h new file mode 100644 index 00000000..3d58a2bf --- /dev/null +++ b/framework/src/audit/auparse/epoll_ctl.h 
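Review bot: The header does not record the two ownership transfers the implementation performs: `aup_list_append` stores `record` directly (`r->record = record`) and `aup_list_clear` later frees it, and `aup_list_set_event` takes `e->host` and sets `e->host = NULL` in the caller's struct. A caller reading only this header can easily double-free or leak either pointer. Suggest `/* Takes ownership of RECORD; it is freed by aup_list_clear() */` above the `aup_list_append` prototype and `/* Takes custody of E->host and sets E->host to NULL */` above `aup_list_set_event`. The commented-out `//int aup_list_get_event` prototype mirrors a commented-out definition in ellist.c and could be dropped rather than kept as dead code.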
@@ -0,0 +1,27 @@
+/* epoll_ctl.h --
+ * Copyright 2008,2012,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/eventpoll.h
+ */
+
+_S(1, "EPOLL_CTL_ADD" )
+_S(2, "EPOLL_CTL_DEL" )
+_S(3, "EPOLL_CTL_MOD" )
+
diff --git a/framework/src/audit/auparse/expression.c b/framework/src/audit/auparse/expression.c
new file mode 100644
index 00000000..6bed45ba
--- /dev/null
+++ b/framework/src/audit/auparse/expression.c
@@ -0,0 +1,1111 @@ +/* +* expression.c - Expression parsing and handling +* Copyright (C) 2008,2014 Red Hat Inc., Durham, North Carolina. +* All Rights Reserved. +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public +* License as published by the Free Software Foundation; either +* version 2.1 of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this library; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Authors: +* Miloslav Trmač <mitr@redhat.com> +* Steve Grubb <sgrubb@redhat.com> extended timestamp +*/ + +#include <assert.h> +#include <errno.h> +#include <limits.h> +#include <stdlib.h> +#include <string.h> + +#include "expression.h" + + /* Utilities */ + +/* Free EXPR and all its subexpressions. 
*/ +void +expr_free(struct expr *expr) +{ + switch (expr->op) { + case EO_NOT: + expr_free(expr->v.sub[0]); + break; + + case EO_AND: case EO_OR: + expr_free(expr->v.sub[0]); + expr_free(expr->v.sub[1]); + break; + + case EO_RAW_EQ: case EO_RAW_NE: case EO_INTERPRETED_EQ: + case EO_INTERPRETED_NE: case EO_VALUE_EQ: case EO_VALUE_NE: + case EO_VALUE_LT: case EO_VALUE_LE: case EO_VALUE_GT: case EO_VALUE_GE: + if (expr->virtual_field == 0) + free(expr->v.p.field.name); + if (expr->precomputed_value == 0) + free(expr->v.p.value.string); + break; + + case EO_FIELD_EXISTS: + assert(expr->virtual_field == 0); + free(expr->v.p.field.name); + break; + + case EO_REGEXP_MATCHES: + regfree(expr->v.regexp); + free(expr->v.regexp); + break; + + default: + abort(); + } + free(expr); +} + + /* Expression parsing. */ + +/* The formal grammar: + + start: or-expression + + or-expression: and-expression + or-expression: or-expression || and-expression + + and-expression: primary-expression + and-expression: and-expression && primary-expression + + primary-expression: ! primary-expression + primary-expression: ( or-expression ) + primary-expression: comparison-expression + + comparison-expression: field op value + comparison-expression: field-escape "regexp" regexp-value + field: string + field: field-escape string + value: string + regexp-value: string + regexp-value: regexp */ + +/* Token types */ +enum token_type { + /* EO_* */ + T_LEFT_PAREN = NUM_EO_VALUES, T_RIGHT_PAREN, T_STRING, T_REGEXP, + T_FIELD_ESCAPE, T_UNKNOWN, T_EOF +}; + +/* Expression parsing status */ +struct parsing { + char **error; /* Error message destination. */ + enum token_type token; + const char *token_start; /* Original "src" value */ + int token_len; /* int because it must be usable in %.*s */ + char *token_value; /* Non-NULL only for T_STRING, until used */ + const char *src; /* Expression source, after the current token */ +}; + +static struct expr *parse_or(struct parsing *p); + +/* Allocate SIZE bytes. 
+ On error, return NULL and try to set *P->ERROR. */ +static void * +parser_malloc(struct parsing *p, size_t size) +{ + void *res; + + res = malloc(size); + if (res != NULL || size == 0) + return res; + *p->error = strdup("Out of memory"); + return NULL; +} + +/* Reallocate PTR to SIZE bytes. + On error, free(PTR), return NULL and try to set *P->ERROR. + NOTE: realloc() does not free(PTR), this function does. */ +static void * +parser_realloc(struct parsing *p, void *ptr, size_t size) +{ + void *res; + + res = realloc(ptr, size); + if (res != NULL || size == 0) + return res; + free(ptr); + *p->error = strdup("Out of memory"); + return NULL; +} + +/* Discard P->token_value, if any, and parse the next token in P->src. + On success, return 0. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + -1. */ +static int +lex(struct parsing *p) +{ + free(p->token_value); + p->token_value = NULL; + while (*p->src == ' ' || *p->src == '\t' || *p->src == '\n') + p->src++; + p->token_start = p->src; + switch (*p->src) { + case '\0': + p->token = T_EOF; + break; + + case '!': + p->src++; + if (*p->src == '=' && p->src[1] == '=') { + p->src += 2; + p->token = EO_VALUE_NE; + break; + } + p->token = EO_NOT; + break; + + case '"': case '/': { + char *buf, delimiter; + size_t dest, buf_size; + + delimiter = *p->src; + buf_size = 8; + buf = parser_malloc(p, buf_size); + if (buf == NULL) + return -1; + p->src++; + dest = 0; + while (*p->src != delimiter) { + if (*p->src == '\0') { + *p->error = strdup("Terminating delimiter " + "missing"); + free(buf); + return -1; + } + if (*p->src == '\\') { + p->src++; + if (*p->src != '\\' && *p->src != delimiter) { + if (asprintf(p->error, "Unknown escape " + "sequence ``\\%c''", + *p->src) < 0) + *p->error = NULL; + free(buf); + return -1; + } + } + /* +1: make sure there is space for the terminating + NUL. 
*/ + if (dest + 1 >= buf_size) { + if (buf_size > SIZE_MAX / 2) { + *p->error = strdup("Delimited string " + "too long"); + free(buf); + return -1; + } + buf_size *= 2; + buf = parser_realloc(p, buf, buf_size); + if (buf == NULL) { + *p->error = strdup("Out of memory"); + return -1; + } + } + buf[dest] = *p->src; + dest++; + p->src++; + } + p->src++; + buf[dest] = '\0'; + p->token_value = parser_realloc(p, buf, dest + 1); + if (p->token_value == NULL) + return -1; + p->token = delimiter == '/' ? T_REGEXP : T_STRING; + break; + } + + case '&': + p->src++; + if (*p->src == '&') { + p->src++; + p->token = EO_AND; + break; + } + p->token = T_UNKNOWN; + break; + + case '(': + p->src++; + p->token = T_LEFT_PAREN; + break; + + case ')': + p->src++; + p->token = T_RIGHT_PAREN; + break; + + case '<': + p->src++; + if (*p->src == '=') { + p->src++; + p->token = EO_VALUE_LE; + break; + } + p->token = EO_VALUE_LT; + break; + + case '=': + p->src++; + if (*p->src == '=') { + p->src++; + p->token = EO_VALUE_EQ; + break; + } + p->token = T_UNKNOWN; + break; + + case '>': + p->src++; + if (*p->src == '=') { + p->src++; + p->token = EO_VALUE_GE; + break; + } + p->token = EO_VALUE_GT; + break; + + case '\\': + p->src++; + p->token = T_FIELD_ESCAPE; + break; + + case '|': + p->src++; + if (*p->src == '|') { + p->src++; + p->token = EO_OR; + break; + } + p->token = T_UNKNOWN; + break; + + case 'i': + if (p->src[1] == '=') { + p->src += 2; + p->token = EO_INTERPRETED_EQ; + break; + } else if (p->src[1] == '!' && p->src[2] == '=') { + p->src += 3; + p->token = EO_INTERPRETED_NE; + break; + } + goto unquoted_string; + + case 'r': + if (p->src[1] == '=') { + p->src += 2; + p->token = EO_RAW_EQ; + break; + } else if (p->src[1] == '!' 
&& p->src[2] == '=') { + p->src += 3; + p->token = EO_RAW_NE; + break; + } + goto unquoted_string; + + default: + /* This assumes ASCII */ + assert ('Z' == 'A' + 25 && 'z' == 'a' + 25); +#define IS_UNQUOTED_STRING_CHAR(C) \ + (((C) >= 'a' && (C) <= 'z') \ + || ((C) >= 'A' && (C) <= 'Z') \ + || ((C) >= '0' && (C) <= '9') \ + || (C) == '_') + if (IS_UNQUOTED_STRING_CHAR(*p->src)) { + size_t len; + + unquoted_string: + do + p->src++; + while (IS_UNQUOTED_STRING_CHAR(*p->src)); + len = p->src - p->token_start; + p->token_value = parser_malloc(p, len + 1); + if (p->token_value == NULL) + return -1; + memcpy(p->token_value, p->token_start, len); + p->token_value[len] = '\0'; + p->token = T_STRING; + break; + } + p->src++; + p->token = T_UNKNOWN; + break; + } + if (p->src - p->token_start > INT_MAX) { + *p->error = strdup("Token too long"); + return -1; + } + p->token_len = p->src - p->token_start; + return 0; +} + +/* Parse an escaped field NAME to DEST. + Return 0 on success, -1 if NAME is unknown. */ +static int +parse_escaped_field_name(enum field_id *dest, const char *name) +{ + if (strcmp(name, "timestamp") == 0) + *dest = EF_TIMESTAMP; + else if (strcmp(name, "record_type") == 0) + *dest = EF_RECORD_TYPE; + else if (strcmp(name, "timestamp_ex") == 0) + *dest = EF_TIMESTAMP_EX; + else + return -1; + return 0; +} + +/* Parse a \timestamp field value in P->token_value to DEST. + On success, return 0. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + -1. */ +static int +parse_timestamp_value(struct expr *dest, struct parsing *p) +{ + intmax_t sec; + + assert(p->token == T_STRING); + /* FIXME: other formats? 
*/ + if (sscanf(p->token_value, "ts:%jd.%u:%u", &sec, + &dest->v.p.value.timestamp_ex.milli, + &dest->v.p.value.timestamp_ex.serial) != 3) { + if (sscanf(p->token_value, "ts:%jd.%u", &sec, + &dest->v.p.value.timestamp.milli) != 2) { + if (asprintf(p->error, "Invalid timestamp value `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + return -1; + } + } + /* FIXME: validate milli */ + dest->v.p.value.timestamp.sec = sec; + if (dest->v.p.value.timestamp.sec != sec) { + if (asprintf(p->error, "Timestamp overflow in `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + return -1; + } + dest->precomputed_value = 1; + return 0; +} + +/* Parse a \record_type field value in P->token_value to DEST. + On success, return 0. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + -1. */ +static int +parse_record_type_value(struct expr *dest, struct parsing *p) +{ + int type; + + assert(p->token == T_STRING); + type = audit_name_to_msg_type(p->token_value); + if (type < 0) { + if (asprintf(p->error, "Invalid record type `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + return -1; + } + dest->v.p.value.int_value = type; + dest->precomputed_value = 1; + return 0; +} + +/* Parse a virtual field value in P->token_value to DEST. + On success, return 0. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + NULL. */ +static int +parse_virtual_field_value(struct expr *dest, struct parsing *p) +{ + switch (dest->v.p.field.id) { + case EF_TIMESTAMP: + return parse_timestamp_value(dest, p); + + case EF_RECORD_TYPE: + return parse_record_type_value(dest, p); + + case EF_TIMESTAMP_EX: + return parse_timestamp_value(dest, p); + + default: + abort(); + } +} + +/* Parse a \regexp comparison-expression string in *P, with \regexp parsed. + Use or free EXPR. + On success, return the parsed comparison-expression. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + NULL. 
*/ +static struct expr * +parse_comparison_regexp(struct parsing *p, struct expr *res) +{ + int err; + + if (lex(p) != 0) + goto err_res; + if (p->token != T_STRING && p->token != T_REGEXP) { + if (asprintf(p->error, "Regexp expected, got `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + goto err_res; + } + res->v.regexp = parser_malloc(p, sizeof(*res->v.regexp)); + if (res->v.regexp == NULL) + goto err_res; + err = regcomp(res->v.regexp, p->token_value, REG_EXTENDED | REG_NOSUB); + if (err != 0) { + size_t err_size; + char *err_msg; + + err_size = regerror(err, res->v.regexp, NULL, 0); + err_msg = parser_malloc(p, err_size); + if (err_msg == NULL) + goto err_res_regexp; + regerror(err, res->v.regexp, err_msg, err_size); + if (asprintf(p->error, "Invalid regexp: %s", err_msg) < 0) + *p->error = NULL; + free(err_msg); + goto err_res_regexp; + } + res->op = EO_REGEXP_MATCHES; + if (lex(p) != 0) { + expr_free(res); + return NULL; + } + return res; + +err_res_regexp: + free(res->v.regexp); +err_res: + free(res); + return NULL; +} + +/* Parse a comparison-expression string in *P. + On success, return the parsed comparison-expression. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + NULL. 
*/ +static struct expr * +parse_comparison(struct parsing *p) +{ + struct expr *res; + + res = parser_malloc(p, sizeof(*res)); + if (res == NULL) + return NULL; + if (p->token == T_FIELD_ESCAPE) { + if (lex(p) != 0) + goto err_res; + if (p->token != T_STRING) { + *p->error = strdup("Field name expected after field " + "escape"); + goto err_res; + } + if (strcmp(p->token_value, "regexp") == 0) + return parse_comparison_regexp(p, res); + res->virtual_field = 1; + if (parse_escaped_field_name(&res->v.p.field.id, p->token_value) + != 0) { + if (asprintf(p->error, + "Unknown escaped field name `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + goto err_res; + } + } else { + assert(p->token == T_STRING); + res->virtual_field = 0; + res->v.p.field.name = p->token_value; + p->token_value = NULL; + } + if (lex(p) != 0) + goto err_field; + switch (p->token) { + case EO_RAW_EQ: case EO_RAW_NE: case EO_INTERPRETED_EQ: + case EO_INTERPRETED_NE: + res->op = p->token; + if (lex(p) != 0) + goto err_field; + if (p->token != T_STRING) { + if (asprintf(p->error, "Value expected, got `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + goto err_field; + } + res->precomputed_value = 0; + res->v.p.value.string = p->token_value; + p->token_value = NULL; + if (lex(p) != 0) { + expr_free(res); + return NULL; + } + break; + + case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE: + case EO_VALUE_GT: case EO_VALUE_GE: + res->op = p->token; + if (lex(p) != 0) + goto err_field; + if (p->token != T_STRING) { + if (asprintf(p->error, "Value expected, got `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + goto err_field; + } + if (res->virtual_field == 0) { + if (asprintf(p->error, "Field `%s' does not support " + "value comparison", + res->v.p.field.name) < 0) + *p->error = NULL; + goto err_field; + } else { + if (parse_virtual_field_value(res, p) != 0) + goto err_field; + } + if (lex(p) != 0) { + expr_free(res); + return NULL; + 
} + break; + + default: + if (asprintf(p->error, "Operator expected, got `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + goto err_field; + } + return res; + +err_field: + if (res->virtual_field == 0) + free(res->v.p.field.name); +err_res: + free(res); + return NULL; +} + +/* Parse a primary-expression string in *P. + On success, return the parsed primary-expression. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + NULL. */ +static struct expr * +parse_primary(struct parsing *p) +{ + struct expr *e; + + switch (p->token) { + case EO_NOT: { + struct expr *res; + + if (lex(p) != 0) + return NULL; + e = parse_primary(p); + if (e == NULL) + return NULL; + res = parser_malloc(p, sizeof(*res)); + if (res == NULL) + goto err_e; + res->op = EO_NOT; + res->v.sub[0] = e; + return res; + } + + case T_LEFT_PAREN: { + if (lex(p) != 0) + return NULL; + e = parse_or(p); + if (e == NULL) + return NULL; + if (p->token != T_RIGHT_PAREN) { + if (asprintf(p->error, + "Right paren expected, got `%.*s'", + p->token_len, p->token_start) < 0) + *p->error = NULL; + goto err_e; + } + if (lex(p) != 0) + goto err_e; + return e; + } + + case T_FIELD_ESCAPE: case T_STRING: + return parse_comparison(p); + + default: + if (asprintf(p->error, "Unexpected token `%.*s'", p->token_len, + p->token_start) < 0) + *p->error = NULL; + return NULL; + } +err_e: + expr_free(e); + return NULL; +} + +/* Parse an and-expression string in *P. + On success, return the parsed and-expression. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + NULL. 
*/ +static struct expr * +parse_and(struct parsing *p) +{ + struct expr *res; + + res = parse_primary(p); + if (res == NULL) + return NULL; + while (p->token == EO_AND) { + struct expr *e2, *e; + + if (lex(p) != 0) + goto err_res; + e2 = parse_primary(p); + if (e2 == NULL) + goto err_res; + e = parser_malloc(p, sizeof(*e)); + if (e == NULL) { + expr_free(e2); + goto err_res; + } + e->op = EO_AND; + e->v.sub[0] = res; + e->v.sub[1] = e2; + res = e; + } + return res; + +err_res: + expr_free(res); + return NULL; +} + +/* Parse an or-expression string in *P. + On success, return the parsed or-expression. + On error, set *P->ERROR to an error string (for free()) or NULL, and return + NULL. */ +static struct expr * +parse_or(struct parsing *p) +{ + struct expr *res; + + res = parse_and(p); + if (res == NULL) + return NULL; + while (p->token == EO_OR) { + struct expr *e2, *e; + + if (lex(p) != 0) + goto err_res; + e2 = parse_and(p); + if (e2 == NULL) + goto err_res; + e = parser_malloc(p, sizeof(*e)); + if (e == NULL) { + expr_free(e2); + goto err_res; + } + e->op = EO_OR; + e->v.sub[0] = res; + e->v.sub[1] = e2; + res = e; + } + return res; + +err_res: + expr_free(res); + return NULL; +} + +/* Parse STRING. + On success, return the parsed expression tree. + On error, set *ERROR to an error string (for free()) or NULL, and return + NULL. 
(*ERROR == NULL is allowed to handle out-of-memory errors) */ +struct expr * +expr_parse(const char *string, char **error) +{ + struct parsing p; + struct expr *res; + + p.error = error; + p.token_value = NULL; + p.src = string; + if (lex(&p) != 0) + goto err; + if (p.token == T_EOF) { + *error = strdup("Empty expression"); + goto err; + } + res = parse_or(&p); + if (res != NULL && p.token != T_EOF) { + expr_free(res); + if (asprintf(error, "Unexpected trailing token `%.*s'", + p.token_len, p.token_start) < 0) + *error = NULL; + goto err; + } + free(p.token_value); + return res; + +err: + free(p.token_value); + return NULL; +} + + /* Manual expression creation */ + +/* Create a comparison-expression for FIELD, OP and VALUE. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr * +expr_create_comparison(const char *field, unsigned op, const char *value) +{ + struct expr *res; + + res = malloc(sizeof(*res)); + if (res == NULL) + goto err; + assert(op == EO_RAW_EQ || op == EO_RAW_NE || op == EO_INTERPRETED_EQ + || op == EO_INTERPRETED_NE); + res->op = op; + res->virtual_field = 0; + res->precomputed_value = 0; + res->v.p.field.name = strdup(field); + if (res->v.p.field.name == NULL) + goto err_res; + res->v.p.value.string = strdup(value); + if (res->v.p.value.string == NULL) + goto err_field; + return res; + +err_field: + free(res->v.p.field.name); +err_res: + free(res); +err: + return NULL; +} + +/* Create an extended timestamp comparison-expression for with OP, SEC, + MILLI, and SERIAL. + On success, return the created expression. + On error, set errno and return NULL. 
*/ +struct expr * +expr_create_timestamp_comparison_ex(unsigned op, time_t sec, unsigned milli, + unsigned serial) +{ + struct expr *res; + + res = malloc(sizeof(*res)); + if (res == NULL) + return NULL; + assert(op == EO_VALUE_EQ || op == EO_VALUE_NE || op == EO_VALUE_LT + || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE); + res->op = op; + res->virtual_field = 1; + res->v.p.field.id = EF_TIMESTAMP_EX; + res->precomputed_value = 1; + res->v.p.value.timestamp_ex.sec = sec; + assert(milli < 1000); + res->v.p.value.timestamp_ex.milli = milli; + res->v.p.value.timestamp_ex.serial = serial; + return res; +} + +/* Create a timestamp comparison-expression for with OP, SEC, MILLI. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr * +expr_create_timestamp_comparison(unsigned op, time_t sec, unsigned milli) +{ + return expr_create_timestamp_comparison_ex(op, sec, milli, 0); +} + +/* Create an EO_FIELD_EXISTS-expression for FIELD. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr * +expr_create_field_exists(const char *field) +{ + struct expr *res; + + res = malloc(sizeof(*res)); + if (res == NULL) + goto err; + res->op = EO_FIELD_EXISTS; + res->virtual_field = 0; + res->v.p.field.name = strdup(field); + if (res->v.p.field.name == NULL) + goto err_res; + return res; + +err_res: + free(res); +err: + return NULL; +} + +/* Create a \regexp expression for regexp comparison. + On success, return the created expression. + On error, set errno and return NULL. 
*/ +struct expr * +expr_create_regexp_expression(const char *regexp) +{ + struct expr *res; + + res = malloc(sizeof(*res)); + if (res == NULL) + goto err; + res->v.regexp = malloc(sizeof(*res->v.regexp)); + if (res->v.regexp == NULL) + goto err_res; + if (regcomp(res->v.regexp, regexp, REG_EXTENDED | REG_NOSUB) != 0) { + errno = EINVAL; + goto err_res_regexp; + } + res->op = EO_REGEXP_MATCHES; + return res; + +err_res_regexp: + free(res->v.regexp); +err_res: + free(res); +err: + return NULL; +} + +/* Create a binary expresion for OP and subexpressions E1 and E2. + On success, return the created expresion. + On error, set errno and return NULL. */ +struct expr * +expr_create_binary(unsigned op, struct expr *e1, struct expr *e2) +{ + struct expr *res; + + res = malloc(sizeof(*res)); + if (res == NULL) + return NULL; + assert(op == EO_AND || op ==EO_OR); + res->op = op; + res->v.sub[0] = e1; + res->v.sub[1] = e2; + return res; +} + + /* Expression evaluation */ + +/* Return the "raw" value of the field in EXPR for RECORD in AU->le. Set + *FREE_IT to 1 if the return value should free()'d. + Return NULL on error. */ +static char * +eval_raw_value(auparse_state_t *au, rnode *record, const struct expr *expr, + int *free_it) +{ + if (expr->virtual_field == 0) { + nvlist_first(&record->nv); + if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0) + return NULL; + *free_it = 0; + return (char *)nvlist_get_cur_val(&record->nv); + } + switch (expr->v.p.field.id) { + case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX: + return NULL; + + default: + abort(); + } +} + +/* Return the "interpreted" value of the field in EXPR for RECORD in AU->le. + Set *FREE_IT to 1 if the return value should free()'d. + Return NULL on *error. 
*/ +static char * +eval_interpreted_value(auparse_state_t *au, rnode *record, + const struct expr *expr, int *free_it) +{ + if (expr->virtual_field == 0) { + const char *res; + + nvlist_first(&record->nv); + if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0) + return NULL; + *free_it = 0; + res = nvlist_interp_cur_val(record); + if (res == NULL) + res = nvlist_get_cur_val(&record->nv); + return (char *)res; + } + switch (expr->v.p.field.id) { + case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX: + return NULL; + + default: + abort(); + } +} + +/* Return -1, 0, 1 depending on comparing the field in EXPR with RECORD in AU. + Set *ERROR to 0 if OK, non-zero otherwise. */ +static int +compare_values(auparse_state_t *au, rnode *record, const struct expr *expr, + int *error) +{ + int res; + if (expr->virtual_field == 0) { + *error = 1; + return 0; + } + switch (expr->v.p.field.id) { + case EF_TIMESTAMP: + if (au->le.e.sec < expr->v.p.value.timestamp.sec) + res = -1; + else if (au->le.e.sec > expr->v.p.value.timestamp.sec) + res = 1; + else if (au->le.e.milli < expr->v.p.value.timestamp.milli) + res = -1; + else if (au->le.e.milli > expr->v.p.value.timestamp.milli) + res = 1; + else + res = 0; + break; + + case EF_RECORD_TYPE: + if (record->type < expr->v.p.value.int_value) + res = -1; + else if (record->type > expr->v.p.value.int_value) + res = 1; + else + res = 0; + break; + + case EF_TIMESTAMP_EX: + if (au->le.e.sec < expr->v.p.value.timestamp.sec) + res = -1; + else if (au->le.e.sec > expr->v.p.value.timestamp.sec) + res = 1; + else if (au->le.e.milli < expr->v.p.value.timestamp.milli) + res = -1; + else if (au->le.e.milli > expr->v.p.value.timestamp.milli) + res = 1; + else if (au->le.e.serial < expr->v.p.value.timestamp_ex.serial) + res = -1; + else if (au->le.e.serial > expr->v.p.value.timestamp_ex.serial) + res = 1; + else + res = 0; + break; + + default: + abort(); + } + *error = 0; + return res; +} + +/* Evaluate EXPR on RECORD in AU->le. 
+ Return 1 if EXPR is true, 0 if it false or if it fails. + (No error reporting facility is provided; an invalid term is considered to + be false; e.g. !invalid is true.) */ +int +expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr) +{ + switch (expr->op) { + case EO_NOT: + return !expr_eval(au, record, expr->v.sub[0]); + + case EO_AND: + return (expr_eval(au, record, expr->v.sub[0]) + && expr_eval(au, record, expr->v.sub[1])); + + case EO_OR: + return (expr_eval(au, record, expr->v.sub[0]) + || expr_eval(au, record, expr->v.sub[1])); + + case EO_RAW_EQ: case EO_RAW_NE: { + int free_it, ne; + char *value; + + value = eval_raw_value(au, record, expr, &free_it); + if (value == NULL) + return 0; + assert(expr->precomputed_value == 0); + ne = strcmp(expr->v.p.value.string, value); + if (free_it != 0) + free(value); + return expr->op == EO_RAW_EQ ? ne == 0 : ne != 0; + } + + case EO_INTERPRETED_EQ: case EO_INTERPRETED_NE: { + int free_it, ne; + char *value; + + value = eval_interpreted_value(au, record, expr, &free_it); + if (value == NULL) + return 0; + assert(expr->precomputed_value == 0); + ne = strcmp(expr->v.p.value.string, value); + if (free_it != 0) + free(value); + return expr->op == EO_INTERPRETED_EQ ? 
ne == 0 : ne != 0; + } + + case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE: + case EO_VALUE_GT: case EO_VALUE_GE: { + int err, cmp; + + cmp = compare_values(au, record, expr, &err); + if (err != 0) + return 0; + switch (expr->op) { + case EO_VALUE_EQ: + return cmp == 0; + + case EO_VALUE_NE: + return cmp != 0; + + case EO_VALUE_LT: + return cmp < 0; + + case EO_VALUE_LE: + return cmp <= 0; + + case EO_VALUE_GT: + return cmp > 0; + + case EO_VALUE_GE: + return cmp >= 0; + + default: + abort(); + } + } + + case EO_FIELD_EXISTS: + assert(expr->virtual_field == 0); + nvlist_first(&record->nv); + return nvlist_find_name(&record->nv, expr->v.p.field.name) != 0; + + case EO_REGEXP_MATCHES: + return regexec(expr->v.regexp, record->record, 0, NULL, 0) == 0; + + default: + abort(); + } +} diff --git a/framework/src/audit/auparse/expression.h b/framework/src/audit/auparse/expression.h new file mode 100644 index 00000000..b4af66f0 --- /dev/null +++ b/framework/src/audit/auparse/expression.h 
@@ -0,0 +1,133 @@ +/* +* expression.h - Expression parsing and handling +* Copyright (C) 2008,2014 Red Hat Inc., Durham, North Carolina. +* All Rights Reserved. +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public +* License as published by the Free Software Foundation; either +* version 2.1 of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this library; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Authors: +* Miloslav Trmač <mitr@redhat.com> +* Steve Grubb <sgrubb@redhat.com> extended timestamp +*/ + +#ifndef EXPRESSION_H__ +#define EXPRESSION_H__ + +#include <regex.h> +#include <sys/types.h> + +#include "internal.h" + +enum { + EO_NOT, /* Uses v.sub[0] */ + EO_AND, EO_OR, /* Uses v.sub[0] and v.sub[1] */ + /* All of the following use v.p */ + EO_RAW_EQ, EO_RAW_NE, EO_INTERPRETED_EQ, EO_INTERPRETED_NE, + EO_VALUE_EQ, EO_VALUE_NE, EO_VALUE_LT, EO_VALUE_LE, EO_VALUE_GT, + EO_VALUE_GE, + /* Uses v.p.field. Cannot be specified by an expression. */ + EO_FIELD_EXISTS, + EO_REGEXP_MATCHES, /* Uses v.regexp */ + NUM_EO_VALUES, +}; + +enum field_id { + EF_TIMESTAMP, EF_RECORD_TYPE, EF_TIMESTAMP_EX +}; + +struct expr { + unsigned op : 8; /* EO_* */ + unsigned virtual_field : 1; + /* Can be non-zero only if virtual_field != 0 */ + unsigned precomputed_value : 1; + union { + struct expr *sub[2]; + struct { + union { + char *name; + enum field_id id; /* If virtual_field != 0 */ + } field; + union { + char *string; + /* A member from the following is selected + implicitly by field.id. 
*/ + struct { + time_t sec; + unsigned int milli; + } timestamp; /* EF_TIMESTAMP */ + struct { + time_t sec; + unsigned milli; + unsigned serial; + } timestamp_ex; /* EF_TIMESTAMP_EX */ + int int_value; /* EF_RECORD_TYPE */ + } value; + } p; + regex_t *regexp; + } v; +}; + +/* Free EXPR and all its subexpressions. */ +void expr_free(struct expr *expr) hidden; + +/* Parse STRING. + On success, return the parsed expression tree. + On error, set *ERROR to an error string (for free()) or NULL, and return + NULL. (*ERROR == NULL is allowed to handle out-of-memory errors) */ +struct expr *expr_parse(const char *string, char **error) hidden; + +/* Create a comparison-expression for FIELD, OP and VALUE. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr *expr_create_comparison(const char *field, unsigned op, + const char *value) hidden; + +/* Create a timestamp comparison-expression for with OP, SEC, MILLI. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr *expr_create_timestamp_comparison(unsigned op, time_t sec, + unsigned milli) hidden; + +/* Create an extended timestamp comparison-expression for with OP, SEC, + MILLI, and SERIAL. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr *expr_create_timestamp_comparison_ex(unsigned op, time_t sec, + unsigned milli, unsigned serial) hidden; + +/* Create an EO_FIELD_EXISTS-expression for FIELD. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr *expr_create_field_exists(const char *field) hidden; + +/* Create a \regexp expression for regexp comparison. + On success, return the created expression. + On error, set errno and return NULL. */ +struct expr *expr_create_regexp_expression(const char *regexp) hidden; + +/* Create a binary expresion for OP and subexpressions E1 and E2. + On success, return the created expresion. 
+ On error, set errno and return NULL. */ +struct expr *expr_create_binary(unsigned op, struct expr *e1, struct expr *e2) + hidden; + +/* Evaluate EXPR on RECORD in AU->le. + Return 1 if EXPR is true, 0 if it false or if it fails. + (No error reporting facility is provided; an invalid term is considered to + be false; e.g. !invalid is true.) */ +int expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr) + hidden; + +#endif diff --git a/framework/src/audit/auparse/famtab.h b/framework/src/audit/auparse/famtab.h new file mode 100644 index 00000000..31d63079 --- /dev/null +++ b/framework/src/audit/auparse/famtab.h 
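Review bot: The `timestamp` and `timestamp_ex` members of the `value` union agree on their first two fields only by coincidence of layout, and the header does not say that anything depends on it; compare_values in this commit's expression.c reads `v.p.value.timestamp.sec` and `.milli` for EF_TIMESTAMP_EX and then `v.p.value.timestamp_ex.serial`, so the two structs must stay prefix-compatible. A reader retyping or reordering `timestamp_ex.sec`/`milli` would silently break extended-timestamp searches with no compiler diagnostic. I would add above the `timestamp_ex` struct: `/* sec and milli must stay layout-identical to timestamp: compare_values reads value.timestamp for EF_TIMESTAMP_EX too. */`, or change the evaluator to read `timestamp_ex` consistently so the coupling disappears.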
@@ -0,0 +1,62 @@
+/* famtab.h --
+ * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/socket.h
+ */
+
+_S(AF_LOCAL, "local" )
+_S(AF_INET, "inet" )
+_S(AF_AX25, "ax25" )
+_S(AF_IPX, "ipx" )
+_S(AF_APPLETALK, "appletalk" )
+_S(AF_NETROM, "netrom" )
+_S(AF_BRIDGE, "bridge" )
+_S(AF_ATMPVC, "atmpvc" )
+_S(AF_X25, "x25" )
+_S(AF_INET6, "inet6" )
+_S(AF_ROSE, "rose" )
+_S(AF_DECnet, "decnet" )
+_S(AF_NETBEUI, "netbeui" )
+_S(AF_SECURITY, "security" )
+_S(AF_KEY, "key" )
+_S(AF_NETLINK, "netlink" )
+_S(AF_PACKET, "packet" )
+_S(AF_ASH, "ash" )
+_S(AF_ECONET, "econet" )
+_S(AF_ATMSVC, "atmsvc" )
+_S(AF_RDS, "rds" )
+_S(AF_SNA, "sna" )
+_S(AF_IRDA, "irda" )
+_S(AF_PPPOX, "pppox" )
+_S(AF_WANPIPE, "wanpipe" )
+_S(AF_LLC, "llc" )
+_S(AF_CAN, "can" )
+_S(AF_TIPC, "tipc" )
+_S(AF_BLUETOOTH, "bluetooth" )
+_S(AF_IUCV, "iucv" )
+_S(AF_RXRPC, "rxrpc" )
+_S(AF_ISDN, "isdn" )
+_S(AF_PHONET, "phonet" )
+_S(AF_IEEE802154, "ieee802154" )
+_S(37, "caif" )
+_S(38, "alg" )
+_S(39, "nfc" )
+_S(40, "vsock" )
+
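Review bot: The last four rows, `_S(37, "caif" )` through `_S(40, "vsock" )`, use bare numbers while every other row names its AF_* macro, and nothing records why; presumably the build's <linux/socket.h> may not define AF_CAIF, AF_ALG, AF_NFC and AF_VSOCK yet. Without a note, a later cleanup is likely to "fix" them into macros that fail to compile on older headers, or to miss that the numbers are what this table treats as authoritative. I would put `/* Numeric on purpose: older <linux/socket.h> lacks these AF_* names. */` above `_S(37, "caif" )`.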
diff --git a/framework/src/audit/auparse/fcntl-cmdtab.h b/framework/src/audit/auparse/fcntl-cmdtab.h new file mode 100644
index 00000000..7e20f92b
--- /dev/null
+++ b/framework/src/audit/auparse/fcntl-cmdtab.h
@@ -0,0 +1,52 @@
+/* fcntl-cmdtab.h --
+ * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/fcntl.h <17
+ * include/uapi/linux/fcntl.h >= 1024
+ */
+
+_S(0, "F_DUPFD" )
+_S(1, "F_GETFD" )
+_S(2, "F_SETFD" )
+_S(3, "F_GETFL" )
+_S(4, "F_SETFL" )
+_S(5, "F_GETLK" )
+_S(6, "F_SETLK" )
+_S(7, "F_SETLKW" )
+_S(8, "F_SETOWN" )
+_S(9, "F_GETOWN" )
+_S(10, "F_SETSIG" )
+_S(11, "F_GETSIG" )
+_S(12, "F_GETLK64" )
+_S(13, "F_SETLK64" )
+_S(14, "F_SETLKW64" )
+_S(15, "F_SETOWN_EX" )
+_S(16, "F_GETOWN_EX" )
+_S(17, "F_GETOWNER_UIDS" )
+_S(1024, "F_SETLEASE" )
+_S(1025, "F_GETLEASE" )
+_S(1026, "F_NOTIFY" )
+_S(1029, "F_CANCELLK" )
+_S(1030, "F_DUPFD_CLOEXEC" )
+_S(1031, "F_SETPIPE_SZ" )
+_S(1032, "F_GETPIPE_SZ" )
+_S(1033, "F_ADD_SEALS" )
+_S(1034, "F_GET_SEALS" )
+
diff --git a/framework/src/audit/auparse/flagtab.h b/framework/src/audit/auparse/flagtab.h new file mode 100644
index 00000000..7e1146d6
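Review bot: The location comment `include/uapi/asm-generic/fcntl.h <17` contradicts the table itself, which ends the asm-generic range with `_S(17, "F_GETOWNER_UIDS" )`; it should read `<= 17` (or `< 1024`) so the next maintainer files new commands in the right bucket. A second point worth recording in the same comment: the F_GETLK/F_SETLK/F_SETLKW and the *64 numbers are, I believe, architecture-specific in the kernel (several arches define their own), so this table is only exact for the ABI it was transcribed from, and interpreted output for records from another arch may name the wrong command.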
--- /dev/null
+++ b/framework/src/audit/auparse/flagtab.h
@@ -0,0 +1,33 @@
+/* flagtab.h --
+ * Copyright 2007,2012 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: these are only for the RHEL4 kernel
+ */
+
+_S(0x0001, "follow" )
+_S(0x0002, "directory" )
+_S(0x0004, "continue" )
+_S(0x0010, "parent" )
+_S(0x0020, "noalt" )
+_S(0x0040, "atomic" )
+_S(0x0100, "open" )
+_S(0x0200, "create" )
+_S(0x0400, "access" )
+
diff --git a/framework/src/audit/auparse/icmptypetab.h b/framework/src/audit/auparse/icmptypetab.h new file mode 100644
index 00000000..a9ee3eef
--- /dev/null
+++ b/framework/src/audit/auparse/icmptypetab.h
@@ -0,0 +1,37 @@
+/* icmptypetab.h --
+ * Copyright 2011-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/icmp.h
+ */
+
+_S(0, "echo-reply" )
+_S(3, "destination-unreachable" )
+_S(4, "source-quench" )
+_S(5, "redirect" )
+_S(8, "echo" )
+_S(11, "time-exceeded" )
+_S(12, "parameter-problem" )
+_S(13, "timestamp-request" )
+_S(14, "timestamp-reply" )
+_S(15, "info-request" )
+_S(16, "info-reply" )
+_S(17, "address-mask-request" )
+_S(18, "address-mask-reply" )
+
diff --git a/framework/src/audit/auparse/internal.h b/framework/src/audit/auparse/internal.h new file mode 100644
index 00000000..56c0bf9f
--- /dev/null
+++ b/framework/src/audit/auparse/internal.h
@@ -0,0 +1,86 @@ +/* internal.h -- + * Copyright 2006-07,2013-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ +#ifndef AUPARSE_INTERNAL_HEADER +#define AUPARSE_INTERNAL_HEADER + +#include "auparse-defs.h" +#include "ellist.h" +#include "auditd-config.h" +#include "data_buf.h" +#include "dso.h" +#include <stdio.h> + +#ifdef __cplusplus +extern "C" { +#endif + +/* This is what state the parser is in */ +typedef enum { EVENT_EMPTY, EVENT_ACCUMULATING, EVENT_EMITTED } auparser_state_t; + +/* This is the name/value pair used by search tables */ +struct nv_pair { + int value; + const char *name; +}; + +struct opaque +{ + ausource_t source; // Source type + char **source_list; // Array of buffers, or array of + // file names + int list_idx; // The index into the source list + FILE *in; // If source is file, this is the fd + unsigned int line_number; // line number of current file, zero + // if invalid + char *next_buf; // The current buffer being broken down + unsigned int off; // The current offset into next_buf + char *cur_buf; // The current buffer being parsed + int line_pushed; // True if retrieve_next_line() + // returns same input + event_list_t le; // 
Linked list of record in same event + struct expr *expr; // Search expression or NULL + char *find_field; // Used to store field name when + // searching + austop_t search_where; // Where to put the cursors on a match + auparser_state_t parse_state; // parsing state + DataBuf databuf; // input data + + // function to call to notify user of parsing changes + void (*callback)(struct opaque *au, auparse_cb_event_t cb_event_type, void *user_data); + + void *callback_user_data; // user data supplied to callback + + // function to call when user_data is destroyed + void (*callback_user_data_destroy)(void *user_data); +}; + +// auditd-config.c +void clear_config(struct daemon_conf *config) hidden; +int load_config(struct daemon_conf *config, log_test_t lt) hidden; +void free_config(struct daemon_conf *config) hidden; + +#ifdef __cplusplus +} +#endif + +#endif + diff --git a/framework/src/audit/auparse/interpret.c b/framework/src/audit/auparse/interpret.c new file mode 100644 index 00000000..e8f82f92 --- /dev/null +++ b/framework/src/audit/auparse/interpret.c 
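Review bot: The member comment `FILE *in; // If source is file, this is the fd` misdescribes the field: it is a stdio stream, not a descriptor, and a reader who takes the comment literally will try to pass it to read()/close() instead of fileno()/fclose(). I would write `FILE *in; // If source is a file, the stdio stream being read`. In the same struct, `// Linked list of record in same event` should read `records`, and `event_list_t le` is the list that expr_eval's callers consult through au->le per the expression.h comment in this commit. struct opaque spans both physical lines of this hunk.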
@@ -0,0 +1,2651 @@ +/* +* interpret.c - Lookup values to something more readable +* Copyright (c) 2007-09,2011-15 Red Hat Inc., Durham, North Carolina. +* All Rights Reserved. +* +* This library is free software; you can redistribute it and/or +* modify it under the terms of the GNU Lesser General Public +* License as published by the Free Software Foundation; either +* version 2.1 of the License, or (at your option) any later version. +* +* This library is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +* Lesser General Public License for more details. +* +* You should have received a copy of the GNU Lesser General Public +* License along with this library; if not, write to the Free Software +* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +* +* Authors: +* Steve Grubb <sgrubb@redhat.com> +*/ + +#include "config.h" +#include "nvlist.h" +#include "nvpair.h" +#include "libaudit.h" +#include "internal.h" +#include "interpret.h" +#include "auparse-idata.h" +#include <stddef.h> +#include <stdio.h> +#include <stdlib.h> +#include <fcntl.h> +#include <ctype.h> +#include <errno.h> +#include <string.h> +#include <pwd.h> +#include <grp.h> +#include <sys/stat.h> +#include <linux/net.h> +#include <netdb.h> +#include <sys/un.h> +#include <linux/ax25.h> +#include <linux/atm.h> +#include <linux/x25.h> +#include <linux/if.h> // FIXME: remove when ipx.h is fixed +#include <linux/ipx.h> +#include <linux/capability.h> +#include <sys/personality.h> +#include <sys/prctl.h> +#include <sched.h> +#include "auparse-defs.h" +#include "gen_tables.h" + +#if !HAVE_DECL_ADDR_NO_RANDOMIZE +# define ADDR_NO_RANDOMIZE 0x0040000 +#endif + +/* This is from asm/ipc.h. Copying it for now as some platforms + * have broken headers. 
*/ +#define SEMOP 1 +#define SEMGET 2 +#define SEMCTL 3 +#define SEMTIMEDOP 4 +#define MSGSND 11 +#define MSGRCV 12 +#define MSGGET 13 +#define MSGCTL 14 +#define SHMAT 21 +#define SHMDT 22 +#define SHMGET 23 +#define SHMCTL 24 +#define DIPC 25 + +#include "captabs.h" +#include "clone-flagtabs.h" +#include "epoll_ctls.h" +#include "famtabs.h" +#include "fcntl-cmdtabs.h" +#include "flagtabs.h" +#include "ipctabs.h" +#include "ipccmdtabs.h" +#include "mmaptabs.h" +#include "mounttabs.h" +#include "open-flagtabs.h" +#include "persontabs.h" +#include "prottabs.h" +#include "ptracetabs.h" +#include "recvtabs.h" +#include "rlimittabs.h" +#include "seektabs.h" +#include "socktabs.h" +#include "socktypetabs.h" +#include "signaltabs.h" +#include "clocktabs.h" +#include "typetabs.h" +#include "nfprototabs.h" +#include "icmptypetabs.h" +#include "seccomptabs.h" +#include "accesstabs.h" +#include "prctl_opttabs.h" +#include "schedtabs.h" +#include "shm_modetabs.h" +#include "sockoptnametabs.h" +#include "sockleveltabs.h" +#include "ipoptnametabs.h" +#include "ip6optnametabs.h" +#include "tcpoptnametabs.h" +#include "pktoptnametabs.h" +#include "umounttabs.h" +#include "ioctlreqtabs.h" + +typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t; +typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t; + +static const char *print_signals(const char *val, unsigned int base); +static auparse_esc_t escape_mode = AUPARSE_ESC_TTY; + +/* + * This function will take a pointer to a 2 byte Ascii character buffer and + * return the actual hex value. 
+ */ +static unsigned char x2c(const unsigned char *buf) +{ + static const char AsciiArray[17] = "0123456789ABCDEF"; + char *ptr; + unsigned char total=0; + + ptr = strchr(AsciiArray, (char)toupper(buf[0])); + if (ptr) + total = (unsigned char)(((ptr-AsciiArray) & 0x0F)<<4); + ptr = strchr(AsciiArray, (char)toupper(buf[1])); + if (ptr) + total += (unsigned char)((ptr-AsciiArray) & 0x0F); + + return total; +} + +// Check if any characters need tty escaping. Returns how many found. +static unsigned int need_tty_escape(const unsigned char *s, unsigned int len) +{ + unsigned int i = 0, cnt = 0; + while (i < len) { + if (s[i] < 32) + cnt++; + i++; + } + return cnt; +} + +// TTY escaping s string into dest. +static void tty_escape(const char *s, char *dest, unsigned int len) +{ + unsigned int i = 0, j = 0; + while (i < len) { + if ((unsigned char)s[i] < 32) { + dest[j++] = ('\\'); + dest[j++] = ('0' + ((s[i] & 0300) >> 6)); + dest[j++] = ('0' + ((s[i] & 0070) >> 3)); + dest[j++] = ('0' + (s[i] & 0007)); + } else + dest[j++] = s[i]; + i++; + } +} + +static const char sh_set[] = "\"'`$\\"; +static unsigned int need_shell_escape(const char *s, unsigned int len) +{ + unsigned int i = 0, cnt = 0; + while (i < len) { + if (s[i] < 32) + cnt++; + else if (strchr(sh_set, s[i])) + cnt++; + i++; + } + return cnt; +} + +static void shell_escape(const char *s, char *dest, unsigned int len) +{ + unsigned int i = 0, j = 0; + while (i < len) { + if ((unsigned char)s[i] < 32) { + dest[j++] = ('\\'); + dest[j++] = ('0' + ((s[i] & 0300) >> 6)); + dest[j++] = ('0' + ((s[i] & 0070) >> 3)); + dest[j++] = ('0' + (s[i] & 0007)); + } else if (strchr(sh_set, s[i])) { + dest[j++] = ('\\'); + dest[j++] = s[i]; + } else + dest[j++] = s[i]; + i++; + } +} + +static const char quote_set[] = ";'\"`#$&*?[]<>{}\\"; +static unsigned int need_shell_quote_escape(const unsigned char *s, unsigned int len) +{ + unsigned int i = 0, cnt = 0; + while (i < len) { + if (s[i] < 32) + cnt++; + else if 
(strchr(quote_set, s[i])) + cnt++; + i++; + } + return cnt; +} + +static void shell_quote_escape(const char *s, char *dest, unsigned int len) +{ + unsigned int i = 0, j = 0; + while (i < len) { + if ((unsigned char)s[i] < 32) { + dest[j++] = ('\\'); + dest[j++] = ('0' + ((s[i] & 0300) >> 6)); + dest[j++] = ('0' + ((s[i] & 0070) >> 3)); + dest[j++] = ('0' + (s[i] & 0007)); + } else if (strchr(quote_set, s[i])) { + dest[j++] = ('\\'); + dest[j++] = s[i]; + } else + dest[j++] = s[i]; + i++; + } +} + +/* This should return the count of what needs escaping */ +static unsigned int need_escaping(const char *s, unsigned int len) +{ + switch (escape_mode) + { + case AUPARSE_ESC_RAW: + break; + case AUPARSE_ESC_TTY: + return need_tty_escape(s, len); + case AUPARSE_ESC_SHELL: + return need_shell_escape(s, len); + case AUPARSE_ESC_SHELL_QUOTE: + return need_shell_quote_escape(s, len);; + } + return 0; +} + +static void escape(const char *s, char *dest, unsigned int len) +{ + switch (escape_mode) + { + case AUPARSE_ESC_RAW: + return; + case AUPARSE_ESC_TTY: + return tty_escape(s, dest, len); + case AUPARSE_ESC_SHELL: + return shell_escape(s, dest, len); + case AUPARSE_ESC_SHELL_QUOTE: + return shell_quote_escape(s, dest, len); + } +} + +int set_escape_mode(auparse_esc_t mode) +{ + if (mode < 0 || mode > AUPARSE_ESC_SHELL_QUOTE) + return 1; + escape_mode = mode; + return 0; +} +hidden_def(set_escape_mode) + +static int is_hex_string(const char *str) +{ + while (*str) { + if (!isxdigit(*str)) + return 0; + str++; + } + return 1; +} + +/* returns a freshly malloc'ed and converted buffer */ +char *au_unescape(char *buf) +{ + int len, i; + char saved, *str, *ptr = buf; + + /* Find the end of the name */ + if (*ptr == '(') { + ptr = strchr(ptr, ')'); + if (ptr == NULL) + return NULL; + else + ptr++; + } else { + while (isxdigit(*ptr)) + ptr++; + } + saved = *ptr; + *ptr = 0; + str = strdup(buf); + *ptr = saved; + + /* See if its '(null)' from the kernel */ + if (*buf == '(') + return 
str; + + /* We can get away with this since the buffer is 2 times + * bigger than what we are putting there. + */ + len = strlen(str); + if (len < 2) { + free(str); + return NULL; + } + ptr = str; + for (i=0; i<len; i+=2) { + *ptr = x2c((unsigned char *)&str[i]); + ptr++; + } + *ptr = 0; + return str; +} + +static const char *success[3]= { "unset", "no", "yes" }; +static const char *aulookup_success(int s) +{ + switch (s) + { + default: + return success[0]; + break; + case S_FAILED: + return success[1]; + break; + case S_SUCCESS: + return success[2]; + break; + } +} + +static nvpair uid_nvl; +static int uid_list_created=0; +static const char *aulookup_uid(uid_t uid, char *buf, size_t size) +{ + char *name = NULL; + int rc; + + if (uid == -1) { + snprintf(buf, size, "unset"); + return buf; + } + + // Check the cache first + if (uid_list_created == 0) { + nvpair_create(&uid_nvl); + nvpair_clear(&uid_nvl); + uid_list_created = 1; + } + rc = nvpair_find_val(&uid_nvl, uid); + if (rc) { + name = uid_nvl.cur->name; + } else { + // Add it to cache + struct passwd *pw; + pw = getpwuid(uid); + if (pw) { + nvpnode nv; + nv.name = strdup(pw->pw_name); + nv.val = uid; + nvpair_append(&uid_nvl, &nv); + name = uid_nvl.cur->name; + } + } + if (name != NULL) + snprintf(buf, size, "%s", name); + else + snprintf(buf, size, "unknown(%d)", uid); + return buf; +} + +void aulookup_destroy_uid_list(void) +{ + if (uid_list_created == 0) + return; + + nvpair_clear(&uid_nvl); + uid_list_created = 0; +} + +static nvpair gid_nvl; +static int gid_list_created=0; +static const char *aulookup_gid(gid_t gid, char *buf, size_t size) +{ + char *name = NULL; + int rc; + + if (gid == -1) { + snprintf(buf, size, "unset"); + return buf; + } + + // Check the cache first + if (gid_list_created == 0) { + nvpair_create(&gid_nvl); + nvpair_clear(&gid_nvl); + gid_list_created = 1; + } + rc = nvpair_find_val(&gid_nvl, gid); + if (rc) { + name = gid_nvl.cur->name; + } else { + // Add it to cache + struct group 
*gr; + gr = getgrgid(gid); + if (gr) { + nvpnode nv; + nv.name = strdup(gr->gr_name); + nv.val = gid; + nvpair_append(&gid_nvl, &nv); + name = gid_nvl.cur->name; + } + } + if (name != NULL) + snprintf(buf, size, "%s", name); + else + snprintf(buf, size, "unknown(%d)", gid); + return buf; +} + +void aulookup_destroy_gid_list(void) +{ + if (gid_list_created == 0) + return; + + nvpair_clear(&gid_nvl); + gid_list_created = 0; +} + +static const char *print_uid(const char *val, unsigned int base) +{ + int uid; + char name[64]; + + errno = 0; + uid = strtoul(val, NULL, base); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + return strdup(aulookup_uid(uid, name, sizeof(name))); +} + +static const char *print_gid(const char *val, unsigned int base) +{ + int gid; + char name[64]; + + errno = 0; + gid = strtoul(val, NULL, base); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + return strdup(aulookup_gid(gid, name, sizeof(name))); +} + +static const char *print_arch(const char *val, unsigned int machine) +{ + const char *ptr; + char *out; + + if (machine > MACH_AARCH64) { + unsigned int ival; + + errno = 0; + ival = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s) ", val) < 0) + out = NULL; + return out; + } + machine = audit_elf_to_machine(ival); + } + if ((int)machine < 0) { + if (asprintf(&out, "unknown elf type(%s)", val) < 0) + out = NULL; + return out; + } + ptr = audit_machine_to_name(machine); + if (ptr) + return strdup(ptr); + else { + if (asprintf(&out, "unknown machine type(%d)", machine) < 0) + out = NULL; + return out; + } +} + +static const char *print_ipccall(const char *val, unsigned int base) +{ + int a0; + char *out; + const char *func = NULL; + + errno = 0; + a0 = strtol(val, NULL, base); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + 
return out; + } + func = ipc_i2s(a0); + if (func) + return strdup(func); + else { + if (asprintf(&out, "unknown ipccall(%s)", val) < 0) + out = NULL; + return out; + } +} + +static const char *print_socketcall(const char *val, unsigned int base) +{ + int a0; + char *out; + const char *func = NULL; + + errno = 0; + a0 = strtol(val, NULL, base); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + func = sock_i2s(a0); + if (func) + return strdup(func); + else { + if (asprintf(&out, "unknown socketcall(%s)", val) < 0) + out = NULL; + return out; + } +} + +static const char *print_syscall(const idata *id) +{ + const char *sys; + char *out; + int machine = id->machine, syscall = id->syscall; + unsigned long long a0 = id->a0; + + if (machine < 0) + machine = audit_detect_machine(); + if (machine < 0) { + out = strdup(id->val); + return out; + } + sys = audit_syscall_to_name(syscall, machine); + if (sys) { + const char *func = NULL; + if (strcmp(sys, "socketcall") == 0) { + if ((int)a0 == a0) + func = sock_i2s(a0); + } else if (strcmp(sys, "ipc") == 0) + if ((int)a0 == a0) + func = ipc_i2s(a0); + if (func) { + if (asprintf(&out, "%s(%s)", sys, func) < 0) + out = NULL; + } else + return strdup(sys); + } else { + if (asprintf(&out, "unknown syscall(%d)", syscall) < 0) + out = NULL; + } + + return out; +} + +static const char *print_exit(const char *val) +{ + long long ival; + char *out; + + errno = 0; + ival = strtoll(val, NULL, 10); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + if (ival < 0) { + if (asprintf(&out, "%lld(%s)", ival, strerror(-ival)) < 0) + out = NULL; + return out; + } + return strdup(val); +} + +static const char *print_escaped(const char *val) +{ + const char *out; + + if (*val == '"') { + char *term; + val++; + term = strchr(val, '"'); + if (term == NULL) + return strdup(" "); + *term = 0; + out = strdup(val); + *term = '"'; + 
return out;
+// FIXME: working here...was trying to detect (null) and handle that
+// differently. The other 2 should have " around the file names.
+/* } else if (*val == '(') {
+ char *term;
+ val++;
+ term = strchr(val, ' ');
+ if (term == NULL)
+ return;
+ *term = 0;
+ printf("%s ", val); */
+ } else if (val[0] == '0' && val[1] == '0')
+ out = au_unescape((char *)&val[2]); // Abstract name af_unix
+ else
+ out = au_unescape((char *)val);
+ if (out)
+ return out;
+ return strdup(val); // Something is wrong with string, just send as is
+}
+
+static const char *print_proctitle(const char *val)
+{
+ char *out = (char *)print_escaped(val);
+ if (*val != '"') {
+ size_t len = strlen(val) / 2;
+ const char *end = out + len;
+ char *ptr = out;
+ while ((ptr = rawmemchr(ptr, '\0'))) {
+ if (ptr >= end)
+ break;
+ *ptr = ' ';
+ ptr++;
+ }
+ }
+ return out;
+}
+
+static const char *print_perm(const char *val)
+{
+ int ival, printed=0;
+ char buf[32];
+
+ errno = 0;
+ ival = strtol(val, NULL, 10);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ buf[0] = 0;
+
+ /* The kernel treats nothing (0x00) as everything (0x0F) */
+ if (ival == 0)
+ ival = 0x0F;
+ if (ival & AUDIT_PERM_READ) {
+ strcat(buf, "read");
+ printed = 1;
+ }
+ if (ival & AUDIT_PERM_WRITE) {
+ if (printed)
+ strcat(buf, ",write");
+ else
+ strcat(buf, "write");
+ printed = 1;
+ }
+ if (ival & AUDIT_PERM_EXEC) {
+ if (printed)
+ strcat(buf, ",exec");
+ else
+ strcat(buf, "exec");
+ printed = 1;
+ }
+ if (ival & AUDIT_PERM_ATTR) {
+ if (printed)
+ strcat(buf, ",attr");
+ else
+ strcat(buf, "attr");
+ }
+ return strdup(buf);
+}
+
+static const char *print_mode(const char *val, unsigned int base)
+{
+ unsigned int ival;
+ char *out, buf[48];
+ const char *name;
+
+ errno = 0;
+ ival = strtoul(val, NULL, base);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ // detect the file type
+ name
= audit_ftype_to_name(ival & S_IFMT);
+ if (name != NULL)
+ strcpy(buf, name);
+ else {
+ unsigned first_ifmt_bit;
+
+ // The lowest-valued "1" bit in S_IFMT
+ first_ifmt_bit = S_IFMT & ~(S_IFMT - 1);
+ sprintf(buf, "%03o", (ival & S_IFMT) / first_ifmt_bit);
+ }
+
+ // check on special bits
+ if (S_ISUID & ival)
+ strcat(buf, ",suid");
+ if (S_ISGID & ival)
+ strcat(buf, ",sgid");
+ if (S_ISVTX & ival)
+ strcat(buf, ",sticky");
+
+ // and the read, write, execute flags in octal
+ if (asprintf(&out, "%s,%03o", buf,
+ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_mode_short_int(unsigned int ival)
+{
+ char *out, buf[48];
+
+ // check on special bits
+ buf[0] = 0;
+ if (S_ISUID & ival)
+ strcat(buf, "suid");
+ if (S_ISGID & ival) {
+ if (buf[0])
+ strcat(buf, ",");
+ strcat(buf, "sgid");
+ }
+ if (S_ISVTX & ival) {
+ if (buf[0])
+ strcat(buf, ",");
+ strcat(buf, "sticky");
+ }
+
+ // and the read, write, execute flags in octal
+ if (buf[0] == 0) {
+ if (asprintf(&out, "0%03o",
+ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
+ out = NULL;
+ } else
+ if (asprintf(&out, "%s,0%03o", buf,
+ (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_mode_short(const char *val, int base)
+{
+ unsigned int ival;
+ char *out;
+
+ errno = 0;
+ ival = strtoul(val, NULL, base);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ return print_mode_short_int(ival);
+}
+
+static const char *print_socket_domain(const char *val)
+{
+ int i;
+ char *out;
+ const char *str;
+
+ errno = 0;
+ i = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ str = fam_i2s(i);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown family(0x%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(str);
+}
+
+static const char *print_socket_type(const char *val)
+{
+ unsigned int type;
+ char *out;
+ const char *str;
+
+ errno = 0;
+ type = 0xFF & strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ str = sock_type_i2s(type);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown type(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(str);
+}
+
+static const char *print_socket_proto(const char *val)
+{
+ unsigned int proto;
+ char *out;
+ struct protoent *p;
+
+ errno = 0;
+ proto = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ p = getprotobynumber(proto);
+ if (p == NULL) {
+ if (asprintf(&out, "unknown proto(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(p->p_name);
+}
+
+static const char *print_sockaddr(const char *val)
+{
+ int slen, rc = 0;
+ const struct sockaddr *saddr;
+ char name[NI_MAXHOST], serv[NI_MAXSERV];
+ const char *host;
+ char *out = NULL;
+ const char *str;
+
+ slen = strlen(val)/2;
+ host = au_unescape((char *)val);
+ if (host == NULL) {
+ if (asprintf(&out, "malformed host(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ saddr = (struct sockaddr *)host;
+
+
+ str = fam_i2s(saddr->sa_family);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown family(%d)", saddr->sa_family) < 0)
+ out = NULL;
+ free((char *)host);
+ return out;
+ }
+
+ // Now print address for some families
+ switch (saddr->sa_family) {
+ case AF_LOCAL:
+ {
+ const struct sockaddr_un *un =
+ (struct sockaddr_un *)saddr;
+ if (un->sun_path[0])
+ rc = asprintf(&out, "%s %s", str,
+ un->sun_path);
+ else // abstract name
+ rc = asprintf(&out, "%s %.108s", str,
+ &un->sun_path[1]);
+ }
+ break;
+ case AF_INET:
+ if (slen < sizeof(struct sockaddr_in)) {
+ rc = asprintf(&out, "%s sockaddr len too short",
+ str);
+ break;
+ }
+ slen = sizeof(struct sockaddr_in);
+ if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
+ NI_MAXSERV, NI_NUMERICHOST |
+ NI_NUMERICSERV) == 0 ) {
+
rc = asprintf(&out, "%s host:%s serv:%s", str,
+ name, serv);
+ } else
+ rc = asprintf(&out, "%s (error resolving addr)",
+ str);
+ break;
+ case AF_AX25:
+ {
+ const struct sockaddr_ax25 *x =
+ (struct sockaddr_ax25 *)saddr;
+ rc = asprintf(&out, "%s call:%c%c%c%c%c%c%c",
+ str,
+ x->sax25_call.ax25_call[0],
+ x->sax25_call.ax25_call[1],
+ x->sax25_call.ax25_call[2],
+ x->sax25_call.ax25_call[3],
+ x->sax25_call.ax25_call[4],
+ x->sax25_call.ax25_call[5],
+ x->sax25_call.ax25_call[6]);
+ }
+ break;
+ case AF_IPX:
+ {
+ const struct sockaddr_ipx *ip =
+ (struct sockaddr_ipx *)saddr;
+ rc = asprintf(&out, "%s port:%d net:%u", str,
+ ip->sipx_port, ip->sipx_network);
+ }
+ break;
+ case AF_ATMPVC:
+ {
+ const struct sockaddr_atmpvc* at =
+ (struct sockaddr_atmpvc *)saddr;
+ rc = asprintf(&out, "%s int:%d", str,
+ at->sap_addr.itf);
+ }
+ break;
+ case AF_X25:
+ {
+ const struct sockaddr_x25* x =
+ (struct sockaddr_x25 *)saddr;
+ rc = asprintf(&out, "%s addr:%.15s", str,
+ x->sx25_addr.x25_addr);
+ }
+ break;
+ case AF_INET6:
+ if (slen < sizeof(struct sockaddr_in6)) {
+ rc = asprintf(&out,
+ "%s sockaddr6 len too short",
+ str);
+ break;
+ }
+ slen = sizeof(struct sockaddr_in6);
+ if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
+ NI_MAXSERV, NI_NUMERICHOST |
+ NI_NUMERICSERV) == 0 ) {
+ rc = asprintf(&out, "%s host:%s serv:%s", str,
+ name, serv);
+ } else
+ rc = asprintf(&out, "%s (error resolving addr)",
+ str);
+ break;
+ case AF_NETLINK:
+ {
+ const struct sockaddr_nl *n =
+ (struct sockaddr_nl *)saddr;
+ rc = asprintf(&out, "%s pid:%u", str,
+ n->nl_pid);
+ }
+ break;
+ }
+ if (rc < 0)
+ out = NULL;
+ free((char *)host);
+ return out;
+}
+
+/* This is only used in the RHEL4 kernel */
+static const char *print_flags(const char *val)
+{
+ int flags, cnt = 0;
+ size_t i;
+ char *out, buf[80];
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ if (flags == 0) {
+ if (asprintf(&out, "none") < 0) + out = NULL; + return out; + } + buf[0] = 0; + for (i=0; i<FLAG_NUM_ENTRIES; i++) { + if (flag_table[i].value & flags) { + if (!cnt) { + strcat(buf, + flag_strings + flag_table[i].offset); + cnt++; + } else { + strcat(buf, ","); + strcat(buf, + flag_strings + flag_table[i].offset); + } + } + } + if (buf[0] == 0) + snprintf(buf, sizeof(buf), "0x%s", val); + return strdup(buf); +} + +static const char *print_promiscuous(const char *val) +{ + int ival; + + errno = 0; + ival = strtol(val, NULL, 10); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + if (ival == 0) + return strdup("no"); + else + return strdup("yes"); +} + +static const char *print_capabilities(const char *val, int base) +{ + int cap; + char *out; + const char *s; + + errno = 0; + cap = strtoul(val, NULL, base); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = cap_i2s(cap); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown capability(%s%s)", + base == 16 ? 
"0x" : "", val) < 0) + out = NULL; + return out; +} + +static const char *print_cap_bitmap(const char *val) +{ +#define MASK(x) (1U << (x)) + unsigned long long temp; + __u32 caps[2]; + int i, found=0; + char *p, buf[600]; // 17 per cap * 33 + + errno = 0; + temp = strtoull(val, NULL, 16); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + caps[0] = temp & 0x00000000FFFFFFFFLL; + caps[1] = (temp & 0xFFFFFFFF00000000LL) >> 32; + p = buf; + for (i=0; i <= CAP_LAST_CAP; i++) { + if (MASK(i%32) & caps[i/32]) { + const char *s; + if (found) + p = stpcpy(p, ","); + s = cap_i2s(i); + if (s != NULL) + p = stpcpy(p, s); + found = 1; + } + } + if (found == 0) + return strdup("none"); + return strdup(buf); +} + +static const char *print_success(const char *val) +{ + int res; + + if (isdigit(*val)) { + errno = 0; + res = strtoul(val, NULL, 10); + if (errno) { + char *out; + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + return strdup(aulookup_success(res)); + } else + return strdup(val); +} + +static const char *print_open_flags(const char *val) +{ + size_t i; + unsigned int flags; + int cnt = 0; + char *out, buf[178]; + + errno = 0; + flags = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + buf[0] = 0; + if ((flags & O_ACCMODE) == 0) { + // Handle O_RDONLY specially + strcat(buf, "O_RDONLY"); + cnt++; + } + for (i=0; i<OPEN_FLAG_NUM_ENTRIES; i++) { + if (open_flag_table[i].value & flags) { + if (!cnt) { + strcat(buf, + open_flag_strings + open_flag_table[i].offset); + cnt++; + } else { + strcat(buf, "|"); + strcat(buf, + open_flag_strings + open_flag_table[i].offset); + } + } + } + if (buf[0] == 0) + snprintf(buf, sizeof(buf), "0x%s", val); + return strdup(buf); +} + +static const char *print_clone_flags(const char *val) +{ + unsigned int flags, i, clone_sig; + int cnt = 0; + char *out, 
buf[362]; // added 10 for signal name
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ buf[0] = 0;
+ for (i=0; i<CLONE_FLAG_NUM_ENTRIES; i++) {
+ if (clone_flag_table[i].value & flags) {
+ if (!cnt) {
+ strcat(buf,
+ clone_flag_strings + clone_flag_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ clone_flag_strings + clone_flag_table[i].offset);
+ }
+ }
+ }
+ clone_sig = flags & 0xFF;
+ if (clone_sig && (clone_sig < 32)) {
+ const char *s = signal_i2s(clone_sig);
+ if (s != NULL) {
+ if (buf[0] != 0)
+ strcat(buf, "|");
+ strcat(buf, s);
+ }
+ }
+
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%x", flags);
+ return strdup(buf);
+}
+
+static const char *print_fcntl_cmd(const char *val)
+{
+ char *out;
+ const char *s;
+ int cmd;
+
+ errno = 0;
+ cmd = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = fcntl_i2s(cmd);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown fcntl command(%d)", cmd) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_epoll_ctl(const char *val)
+{
+ char *out;
+ const char *s;
+ int cmd;
+
+ errno = 0;
+ cmd = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = epoll_ctl_i2s(cmd);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown epoll_ctl operation (%d)", cmd) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_clock_id(const char *val)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ else if (i < 7) {
+ const char *s = clock_i2s(i);
+ if (s != NULL)
+ return strdup(s);
+ }
+ if (asprintf(&out, "unknown clk_id (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_prot(const char *val, unsigned int is_mmap)
+{
+ unsigned int prot, i;
+ int cnt = 0, limit;
+ char buf[144];
+ char *out;
+
+ errno = 0;
+ prot = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ if ((prot & 0x07) == 0) {
+ // Handle PROT_NONE specially
+ strcat(buf, "PROT_NONE");
+ return strdup(buf);
+ }
+ if (is_mmap)
+ limit = 4;
+ else
+ limit = 3;
+ for (i=0; i<limit; i++) {
+ if (prot_table[i].value & prot) {
+ if (!cnt) {
+ strcat(buf,
+ prot_strings + prot_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ prot_strings + prot_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_mmap(const char *val)
+{
+ unsigned int maps, i;
+ int cnt = 0;
+ char buf[176];
+ char *out;
+
+ errno = 0;
+ maps = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ if ((maps & 0x0F) == 0) {
+ // Handle MAP_FILE specially
+ strcat(buf, "MAP_FILE");
+ cnt++;
+ }
+ for (i=0; i<MMAP_NUM_ENTRIES; i++) {
+ if (mmap_table[i].value & maps) {
+ if (!cnt) {
+ strcat(buf,
+ mmap_strings + mmap_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ mmap_strings + mmap_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_personality(const char *val)
+{
+ int pers, pers2;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ pers = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ pers2 = pers & ~ADDR_NO_RANDOMIZE;
+ s = person_i2s(pers2);
+ if (s != NULL) {
+ if (pers & ADDR_NO_RANDOMIZE) {
+ if (asprintf(&out, "%s|~ADDR_NO_RANDOMIZE", s) < 0)
+ out = NULL;
+ return out;
+ } else
+ return
strdup(s);
+ }
+ if (asprintf(&out, "unknown personality (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_ptrace(const char *val)
+{
+ int trace;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ trace = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = ptrace_i2s(trace);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown ptrace (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_prctl_opt(const char *val)
+{
+ int opt;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ opt = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = prctl_opt_i2s(opt);
+ if (s != NULL)
+ return strdup(s);
+ if (asprintf(&out, "unknown prctl option (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_mount(const char *val)
+{
+ unsigned int mounts, i;
+ int cnt = 0;
+ char buf[334];
+ char *out;
+
+ errno = 0;
+ mounts = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<MOUNT_NUM_ENTRIES; i++) {
+ if (mount_table[i].value & mounts) {
+ if (!cnt) {
+ strcat(buf,
+ mount_strings + mount_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ mount_strings + mount_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_rlimit(const char *val)
+{
+ int i;
+ char *out;
+
+ errno = 0;
+ i = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ else if (i < 17) {
+ const char *s = rlimit_i2s(i);
+ if (s != NULL)
+ return strdup(s);
+ }
+ if (asprintf(&out, "unknown rlimit (0x%s)", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_recv(const char
*val)
+{
+ unsigned int rec, i;
+ int cnt = 0;
+ char buf[234];
+ char *out;
+
+ errno = 0;
+ rec = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<RECV_NUM_ENTRIES; i++) {
+ if (recv_table[i].value & rec) {
+ if (!cnt) {
+ strcat(buf,
+ recv_strings + recv_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ recv_strings + recv_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_access(const char *val)
+{
+ unsigned long mode;
+ char buf[16];
+ unsigned int i, cnt = 0;
+
+ errno = 0;
+ mode = strtoul(val, NULL, 16);
+ if (errno) {
+ char *out;
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ if ((mode & 0xF) == 0)
+ return strdup("F_OK");
+ buf[0] = 0;
+ for (i=0; i<3; i++) {
+ if (access_table[i].value & mode) {
+ if (!cnt) {
+ strcat(buf,
+ access_strings + access_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ access_strings + access_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static char *print_dirfd(const char *val)
+{
+ char *out;
+
+ if (strcmp(val, "-100") == 0) {
+ if (asprintf(&out, "AT_FDCWD") < 0)
+ out = NULL;
+ } else {
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ }
+ return out;
+}
+
+#ifndef SCHED_RESET_ON_FORK
+#define SCHED_RESET_ON_FORK 0x40000000
+#endif
+static const char *print_sched(const char *val)
+{
+ unsigned int pol;
+ char *out;
+ const char *s;
+
+ errno = 0;
+ pol = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ s = sched_i2s(pol & 0x0F);
+ if (s != NULL) {
+ char buf[48];
+
+ strcpy(buf, s);
+ if (pol & SCHED_RESET_ON_FORK )
+ strcat(buf, "|SCHED_RESET_ON_FORK");
+ return strdup(buf);
+ } + if (asprintf(&out, "unknown scheduler policy (0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_sock_opt_level(const char *val) +{ + int lvl; + char *out; + + errno = 0; + lvl = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + if (lvl == SOL_SOCKET) + return strdup("SOL_SOCKET"); + else { + struct protoent *p = getprotobynumber(lvl); + if (p == NULL) { + const char *s = socklevel_i2s(lvl); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown sockopt level (0x%s)", val) < 0) + out = NULL; + } else + return strdup(p->p_name); + } + + return out; +} + +static const char *print_sock_opt_name(const char *val, int machine) +{ + int opt; + char *out; + const char *s; + + errno = 0; + opt = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + // PPC's tables are different + if ((machine == MACH_PPC64 || machine == MACH_PPC) && + opt >= 16 && opt <= 21) + opt+=100; + + s = sockoptname_i2s(opt); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown sockopt name (0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_ip_opt_name(const char *val) +{ + int opt; + char *out; + const char *s; + + errno = 0; + opt = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = ipoptname_i2s(opt); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown ipopt name (0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_ip6_opt_name(const char *val) +{ + int opt; + char *out; + const char *s; + + errno = 0; + opt = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = ip6optname_i2s(opt); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown ip6opt name 
(0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_tcp_opt_name(const char *val) +{ + int opt; + char *out; + const char *s; + + errno = 0; + opt = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = tcpoptname_i2s(opt); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown tcpopt name (0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_udp_opt_name(const char *val) +{ + int opt; + char *out; + + errno = 0; + opt = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + if (opt == 1) + out = strdup("UDP_CORK"); + else if (opt == 100) + out = strdup("UDP_ENCAP"); + else if (asprintf(&out, "unknown udpopt name (0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_pkt_opt_name(const char *val) +{ + int opt; + char *out; + const char *s; + + errno = 0; + opt = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = pktoptname_i2s(opt); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown pktopt name (0x%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_shmflags(const char *val) +{ + unsigned int flags, partial, i; + int cnt = 0; + char *out, buf[32]; + + errno = 0; + flags = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + partial = flags & 00003000; + buf[0] = 0; + for (i=0; i<IPCCMD_NUM_ENTRIES; i++) { + if (ipccmd_table[i].value & partial) { + if (!cnt) { + strcat(buf, + ipccmd_strings + ipccmd_table[i].offset); + cnt++; + } else { + strcat(buf, "|"); + strcat(buf, + ipccmd_strings + ipccmd_table[i].offset); + } + } + } + + partial = flags & 00014000; + for (i=0; i<SHM_MODE_NUM_ENTRIES; i++) { + if (shm_mode_table[i].value & 
partial) {
+ if (!cnt) {
+ strcat(buf,
+ shm_mode_strings + shm_mode_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ shm_mode_strings + shm_mode_table[i].offset);
+ }
+ }
+ }
+
+ partial = flags & 000777;
+ const char *tmode = print_mode_short_int(partial);
+ if (tmode) {
+ if (buf[0] != 0)
+ strcat(buf, "|");
+ strcat(buf, tmode);
+ free((void *)tmode);
+ }
+
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%x", flags);
+ return strdup(buf);
+}
+
+static const char *print_seek(const char *val)
+{
+ unsigned int whence;
+ char *out;
+ const char *str;
+
+ errno = 0;
+ whence = 0xFF & strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ str = seek_i2s(whence);
+ if (str == NULL) {
+ if (asprintf(&out, "unknown whence(%s)", val) < 0)
+ out = NULL;
+ return out;
+ } else
+ return strdup(str);
+}
+
+static const char *print_umount(const char *val)
+{
+ unsigned int flags, i;
+ int cnt = 0;
+ char buf[64];
+ char *out;
+
+ errno = 0;
+ flags = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+ buf[0] = 0;
+ for (i=0; i<UMOUNT_NUM_ENTRIES; i++) {
+ if (umount_table[i].value & flags) {
+ if (!cnt) {
+ strcat(buf,
+ umount_strings + umount_table[i].offset);
+ cnt++;
+ } else {
+ strcat(buf, "|");
+ strcat(buf,
+ umount_strings + umount_table[i].offset);
+ }
+ }
+ }
+ if (buf[0] == 0)
+ snprintf(buf, sizeof(buf), "0x%s", val);
+ return strdup(buf);
+}
+
+static const char *print_ioctl_req(const char *val)
+{
+ int req;
+ char *out;
+ const char *r;
+
+ errno = 0;
+ req = strtoul(val, NULL, 16);
+ if (errno) {
+ if (asprintf(&out, "conversion error(%s)", val) < 0)
+ out = NULL;
+ return out;
+ }
+
+ r = ioctlreq_i2s(req);
+ if (r != NULL)
+ return strdup(r);
+ if (asprintf(&out, "0x%s", val) < 0)
+ out = NULL;
+ return out;
+}
+
+static const char *print_a0(const char *val, const idata *id)
+{
+
char *out;
+ int machine = id->machine, syscall = id->syscall;
+ const char *sys = audit_syscall_to_name(syscall, machine);
+ if (sys) {
+ if (*sys == 'r') {
+ if (strcmp(sys, "rt_sigaction") == 0)
+ return print_signals(val, 16);
+ else if (strcmp(sys, "renameat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "readlinkat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'c') {
+ if (strcmp(sys, "clone") == 0)
+ return print_clone_flags(val);
+ else if (strcmp(sys, "clock_settime") == 0)
+ return print_clock_id(val);
+ } else if (*sys == 'p') {
+ if (strcmp(sys, "personality") == 0)
+ return print_personality(val);
+ else if (strcmp(sys, "ptrace") == 0)
+ return print_ptrace(val);
+ else if (strcmp(sys, "prctl") == 0)
+ return print_prctl_opt(val);
+ } else if (*sys == 'm') {
+ if (strcmp(sys, "mkdirat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "mknodat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'f') {
+ if (strcmp(sys, "fchownat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "futimesat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "fchmodat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "faccessat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "futimensat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'u') {
+ if (strcmp(sys, "unshare") == 0)
+ return print_clone_flags(val);
+ else if (strcmp(sys, "unlinkat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "utimensat") == 0)
+ return print_dirfd(val);
+ } else if (strcmp(sys+1, "etrlimit") == 0)
+ return print_rlimit(val);
+ else if (*sys == 's') {
+ if (strcmp(sys, "setuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setreuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setresuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setfsuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys,
"setregid") == 0) + return print_gid(val, 16); + else if (strcmp(sys, "setresgid") == 0) + return print_gid(val, 16); + else if (strcmp(sys, "socket") == 0) + return print_socket_domain(val); + else if (strcmp(sys, "setfsgid") == 0) + return print_gid(val, 16); + else if (strcmp(sys, "socketcall") == 0) + return print_socketcall(val, 16); + } + else if (strcmp(sys, "linkat") == 0) + return print_dirfd(val); + else if (strcmp(sys, "newfstatat") == 0) + return print_dirfd(val); + else if (strcmp(sys, "openat") == 0) + return print_dirfd(val); + else if (strcmp(sys, "ipccall") == 0) + return print_ipccall(val, 16); + } + if (asprintf(&out, "0x%s", val) < 0) + out = NULL; + return out; +} + +static const char *print_a1(const char *val, const idata *id) +{ + char *out; + int machine = id->machine, syscall = id->syscall; + const char *sys = audit_syscall_to_name(syscall, machine); + if (sys) { + if (*sys == 'f') { + if (strcmp(sys, "fchmod") == 0) + return print_mode_short(val, 16); + else if (strncmp(sys, "fcntl", 5) == 0) + return print_fcntl_cmd(val); + } else if (*sys == 'c') { + if (strcmp(sys, "chmod") == 0) + return print_mode_short(val, 16); + else if (strstr(sys, "chown")) + return print_uid(val, 16); + else if (strcmp(sys, "creat") == 0) + return print_mode_short(val, 16); + } + if (strcmp(sys+1, "etsockopt") == 0) + return print_sock_opt_level(val); + else if (*sys == 's') { + if (strcmp(sys, "setreuid") == 0) + return print_uid(val, 16); + else if (strcmp(sys, "setresuid") == 0) + return print_uid(val, 16); + else if (strcmp(sys, "setregid") == 0) + return print_gid(val, 16); + else if (strcmp(sys, "setresgid") == 0) + return print_gid(val, 16); + else if (strcmp(sys, "socket") == 0) + return print_socket_type(val); + else if (strcmp(sys, "setns") == 0) + return print_clone_flags(val); + else if (strcmp(sys, "sched_setscheduler") == 0) + return print_sched(val); + } else if (*sys == 'm') { + if (strcmp(sys, "mkdir") == 0) + return print_mode_short(val, 16); + 
else if (strcmp(sys, "mknod") == 0) + return print_mode(val, 16); + else if (strcmp(sys, "mq_open") == 0) + return print_open_flags(val); + } + else if (strcmp(sys, "open") == 0) + return print_open_flags(val); + else if (strcmp(sys, "access") == 0) + return print_access(val); + else if (strcmp(sys, "epoll_ctl") == 0) + return print_epoll_ctl(val); + else if (strcmp(sys, "kill") == 0) + return print_signals(val, 16); + else if (strcmp(sys, "prctl") == 0) { + if (id->a0 == PR_CAPBSET_READ || + id->a0 == PR_CAPBSET_DROP) + return print_capabilities(val, 16); + else if (id->a0 == PR_SET_PDEATHSIG) + return print_signals(val, 16); + } + else if (strcmp(sys, "tkill") == 0) + return print_signals(val, 16); + else if (strcmp(sys, "umount2") == 0) + return print_umount(val); + else if (strcmp(sys, "ioctl") == 0) + return print_ioctl_req(val); + } + if (asprintf(&out, "0x%s", val) < 0) + out = NULL; + return out; +} + +static const char *print_a2(const char *val, const idata *id) +{ + char *out; + int machine = id->machine, syscall = id->syscall; + const char *sys = audit_syscall_to_name(syscall, machine); + if (sys) { + if (strncmp(sys, "fcntl", 5) == 0) { + int ival; + + errno = 0; + ival = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", + val) < 0) + out = NULL; + return out; + } + switch (id->a1) + { + case F_SETOWN: + return print_uid(val, 16); + case F_SETFD: + if (ival == FD_CLOEXEC) + return strdup("FD_CLOEXEC"); + /* Fall thru okay. 
*/
+ case F_SETFL:
+ case F_SETLEASE:
+ case F_GETLEASE:
+ case F_NOTIFY:
+ break;
+ }
+ } else if (strcmp(sys+1, "etsockopt") == 0) {
+ if (id->a1 == IPPROTO_IP)
+ return print_ip_opt_name(val);
+ else if (id->a1 == SOL_SOCKET)
+ return print_sock_opt_name(val, machine);
+ else if (id->a1 == IPPROTO_TCP)
+ return print_tcp_opt_name(val);
+ else if (id->a1 == IPPROTO_UDP)
+ return print_udp_opt_name(val);
+ else if (id->a1 == IPPROTO_IPV6)
+ return print_ip6_opt_name(val);
+ else if (id->a1 == SOL_PACKET)
+ return print_pkt_opt_name(val);
+ else
+ goto normal;
+ } else if (*sys == 'o') {
+ if (strcmp(sys, "openat") == 0)
+ return print_open_flags(val);
+ if ((strcmp(sys, "open") == 0) && (id->a1 & O_CREAT))
+ return print_mode_short(val, 16);
+ } else if (*sys == 'f') {
+ if (strcmp(sys, "fchmodat") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "faccessat") == 0)
+ return print_access(val);
+ } else if (*sys == 's') {
+ if (strcmp(sys, "setresuid") == 0)
+ return print_uid(val, 16);
+ else if (strcmp(sys, "setresgid") == 0)
+ return print_gid(val, 16);
+ else if (strcmp(sys, "socket") == 0)
+ return print_socket_proto(val);
+ else if (strcmp(sys, "sendmsg") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "shmget") == 0)
+ return print_shmflags(val);
+ } else if (*sys == 'm') {
+ if (strcmp(sys, "mmap") == 0)
+ return print_prot(val, 1);
+ else if (strcmp(sys, "mkdirat") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "mknodat") == 0)
+ return print_mode_short(val, 16);
+ else if (strcmp(sys, "mprotect") == 0)
+ return print_prot(val, 0);
+ else if ((strcmp(sys, "mq_open") == 0) &&
+ (id->a1 & O_CREAT))
+ return print_mode_short(val, 16);
+ } else if (*sys == 'r') {
+ if (strcmp(sys, "recvmsg") == 0)
+ return print_recv(val);
+ else if (strcmp(sys, "readlinkat") == 0)
+ return print_dirfd(val);
+ } else if (*sys == 'l') {
+ if (strcmp(sys, "linkat") == 0)
+ return print_dirfd(val);
+ else if (strcmp(sys, "lseek") == 0)
+
return print_seek(val); + } + else if (strstr(sys, "chown")) + return print_gid(val, 16); + else if (strcmp(sys, "tgkill") == 0) + return print_signals(val, 16); + } +normal: + if (asprintf(&out, "0x%s", val) < 0) + out = NULL; + return out; +} + +static const char *print_a3(const char *val, const idata *id) +{ + char *out; + int machine = id->machine, syscall = id->syscall; + const char *sys = audit_syscall_to_name(syscall, machine); + if (sys) { + if (*sys == 'm') { + if (strcmp(sys, "mmap") == 0) + return print_mmap(val); + else if (strcmp(sys, "mount") == 0) + return print_mount(val); + } else if (*sys == 'r') { + if (strcmp(sys, "recv") == 0) + return print_recv(val); + else if (strcmp(sys, "recvfrom") == 0) + return print_recv(val); + else if (strcmp(sys, "recvmmsg") == 0) + return print_recv(val); + } else if (*sys == 's') { + if (strcmp(sys, "send") == 0) + return print_recv(val); + else if (strcmp(sys, "sendto") == 0) + return print_recv(val); + else if (strcmp(sys, "sendmmsg") == 0) + return print_recv(val); + } + } + if (asprintf(&out, "0x%s", val) < 0) + out = NULL; + return out; +} + +static const char *print_signals(const char *val, unsigned int base) +{ + int i; + char *out; + + errno = 0; + i = strtoul(val, NULL, base); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + else if (i < 32) { + const char *s = signal_i2s(i); + if (s != NULL) + return strdup(s); + } + if (asprintf(&out, "unknown signal (%s%s)", + base == 16 ? 
"0x" : "", val) < 0) + out = NULL; + return out; +} + +static const char *print_nfproto(const char *val) +{ + int proto; + char *out; + const char *s; + + errno = 0; + proto = strtoul(val, NULL, 10); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = nfproto_i2s(proto); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown netfilter protocol (%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_icmptype(const char *val) +{ + int icmptype; + char *out; + const char *s; + + errno = 0; + icmptype = strtoul(val, NULL, 10); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + + s = icmptype_i2s(icmptype); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown icmp type (%s)", val) < 0) + out = NULL; + return out; +} + +static const char *print_protocol(const char *val) +{ + int i; + char *out; + + errno = 0; + i = strtoul(val, NULL, 10); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + } else { + struct protoent *p = getprotobynumber(i); + if (p) + out = strdup(p->p_name); + else + out = strdup("undefined protocol"); + } + return out; +} + +static const char *print_addr(const char *val) +{ + char *out = strdup(val); + return out; +} + +static const char *print_list(const char *val) +{ + int i; + char *out; + + errno = 0; + i = strtoul(val, NULL, 10); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + } else + out = strdup(audit_flag_to_name(i)); + return out; +} + +struct string_buf { + char *buf; /* NULL if was ever out of memory */ + size_t allocated; + size_t pos; +}; + +/* Append c to buf. 
*/ +static void append_char(struct string_buf *buf, char c) +{ + if (buf->buf == NULL) + return; + if (buf->pos == buf->allocated) { + char *p; + + buf->allocated *= 2; + p = realloc(buf->buf, buf->allocated); + if (p == NULL) { + free(buf->buf); + buf->buf = NULL; + return; + } + buf->buf = p; + } + buf->buf[buf->pos] = c; + buf->pos++; +} + +/* Represent c as a character within a quoted string, and append it to buf. */ +static void tty_append_printable_char(struct string_buf *buf, unsigned char c) +{ + if (c < 0x20 || c > 0x7E) { + append_char(buf, '\\'); + append_char(buf, '0' + ((c >> 6) & 07)); + append_char(buf, '0' + ((c >> 3) & 07)); + append_char(buf, '0' + (c & 07)); + } else { + if (c == '\\' || c == '"') + append_char(buf, '\\'); + append_char(buf, c); + } +} + +/* Search for a name of a sequence of TTY bytes. + If found, return the name and advance *INPUT. Return NULL otherwise. */ +static const char *tty_find_named_key(unsigned char **input, size_t input_len) +{ + /* NUL-terminated list of (sequence, NUL, name, NUL) entries. 
+ First match wins, even if a longer match were possible later */ + static const unsigned char named_keys[] = +#define E(SEQ, NAME) SEQ "\0" NAME "\0" +#include "tty_named_keys.h" +#undef E + "\0"; + + unsigned char *src; + const unsigned char *nk; + + src = *input; + if (*src >= ' ' && (*src < 0x7F || *src >= 0xA0)) + return NULL; /* Fast path */ + nk = named_keys; + do { + const unsigned char *p; + size_t nk_len; + + p = strchr(nk, '\0'); + nk_len = p - nk; + if (nk_len <= input_len && memcmp(src, nk, nk_len) == 0) { + *input += nk_len; + return p + 1; + } + nk = strchr(p + 1, '\0') + 1; + } while (*nk != '\0'); + return NULL; +} + +static const char *print_tty_data(const char *raw_data) +{ + struct string_buf buf; + int in_printable; + unsigned char *data, *data_pos, *data_end; + + if (!is_hex_string(raw_data)) + return strdup(raw_data); + data = au_unescape((char *)raw_data); + if (data == NULL) + return NULL; + data_end = data + strlen(raw_data) / 2; + + buf.allocated = 10; + buf.buf = malloc(buf.allocated); /* NULL handled in append_char() */ + buf.pos = 0; + in_printable = 0; + data_pos = data; + while (data_pos < data_end) { + /* FIXME: Unicode */ + const char *desc; + + desc = tty_find_named_key(&data_pos, data_end - data_pos); + if (desc != NULL) { + if (in_printable != 0) { + append_char(&buf, '"'); + in_printable = 0; + } + if (buf.pos != 0) + append_char(&buf, ','); + append_char(&buf, '<'); + while (*desc != '\0') { + append_char(&buf, *desc); + desc++; + } + append_char(&buf, '>'); + } else { + if (in_printable == 0) { + if (buf.pos != 0) + append_char(&buf, ','); + append_char(&buf, '"'); + in_printable = 1; + } + tty_append_printable_char(&buf, *data_pos); + data_pos++; + } + } + if (in_printable != 0) + append_char(&buf, '"'); + append_char(&buf, '\0'); + free(data); + return buf.buf; +} + +static const char *print_session(const char *val) +{ + if (strcmp(val, "4294967295") == 0) + return strdup("unset"); + else + return strdup(val); +} + +#define 
SECCOMP_RET_ACTION 0x7fff0000U +static const char *print_seccomp_code(const char *val) +{ + unsigned long code; + char *out; + const char *s; + + errno = 0; + code = strtoul(val, NULL, 16); + if (errno) { + if (asprintf(&out, "conversion error(%s)", val) < 0) + out = NULL; + return out; + } + s = seccomp_i2s(code & SECCOMP_RET_ACTION); + if (s != NULL) + return strdup(s); + if (asprintf(&out, "unknown seccomp code (%s)", val) < 0) + out = NULL; + return out; +} + +int lookup_type(const char *name) +{ + int i; + + if (type_s2i(name, &i) != 0) + return i; + return AUPARSE_TYPE_UNCLASSIFIED; +} + +const char *interpret(const rnode *r) +{ + const nvlist *nv = &r->nv; + int type; + idata id; + nvnode *n; + const char *out; + + id.machine = r->machine; + id.syscall = r->syscall; + id.a0 = r->a0; + id.a1 = r->a1; + id.name = nvlist_get_cur_name(nv); + id.val = nvlist_get_cur_val(nv); + type = auparse_interp_adjust_type(r->type, id.name, id.val); + + out = auparse_do_interpretation(type, &id); + n = nvlist_get_cur(nv); + n->interp_val = (char *)out; + + return out; +} + +/* + * rtype: the record type + * name: the current field name + * value: the current field value + * Returns: field's internal type is returned + */ +int auparse_interp_adjust_type(int rtype, const char *name, const char *val) +{ + int type; + + /* This set of statements overrides or corrects the detection. + * In almost all cases its a double use of a field. 
*/ + if (rtype == AUDIT_EXECVE && *name == 'a' && strcmp(name, "argc") && + !strstr(name, "_len")) + type = AUPARSE_TYPE_ESCAPED; + else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0) + type = AUPARSE_TYPE_UNCLASSIFIED; + else if (rtype == AUDIT_USER_TTY && strcmp(name, "msg") == 0) + type = AUPARSE_TYPE_ESCAPED; + else if (rtype == AUDIT_NETFILTER_PKT && strcmp(name, "saddr") == 0) + type = AUPARSE_TYPE_ADDR; + else if (strcmp(name, "acct") == 0) { + if (val[0] == '"') + type = AUPARSE_TYPE_ESCAPED; + else if (is_hex_string(val)) + type = AUPARSE_TYPE_ESCAPED; + else + type = AUPARSE_TYPE_UNCLASSIFIED; + } else if (rtype == AUDIT_PATH && *name =='f' && + strcmp(name, "flags") == 0) + type = AUPARSE_TYPE_FLAGS; + else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0) + type = AUPARSE_TYPE_MODE_SHORT; + else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0) + type = AUPARSE_TYPE_UNCLASSIFIED; + else if ((strcmp(name, "id") == 0) && + (rtype == AUDIT_ADD_GROUP || rtype == AUDIT_GRP_MGMT || + rtype == AUDIT_DEL_GROUP)) + type = AUPARSE_TYPE_GID; + else + type = lookup_type(name); + + return type; +} +hidden_def(auparse_interp_adjust_type) + +const char *auparse_do_interpretation(int type, const idata *id) +{ + const char *out; + switch(type) { + case AUPARSE_TYPE_UID: + out = print_uid(id->val, 10); + break; + case AUPARSE_TYPE_GID: + out = print_gid(id->val, 10); + break; + case AUPARSE_TYPE_SYSCALL: + out = print_syscall(id); + break; + case AUPARSE_TYPE_ARCH: + out = print_arch(id->val, id->machine); + break; + case AUPARSE_TYPE_EXIT: + out = print_exit(id->val); + break; + case AUPARSE_TYPE_ESCAPED: + out = print_escaped(id->val); + break; + case AUPARSE_TYPE_PERM: + out = print_perm(id->val); + break; + case AUPARSE_TYPE_MODE: + out = print_mode(id->val,8); + break; + case AUPARSE_TYPE_MODE_SHORT: + out = print_mode_short(id->val,8); + break; + case AUPARSE_TYPE_SOCKADDR: + out = print_sockaddr(id->val); + break; + case 
AUPARSE_TYPE_FLAGS: + out = print_flags(id->val); + break; + case AUPARSE_TYPE_PROMISC: + out = print_promiscuous(id->val); + break; + case AUPARSE_TYPE_CAPABILITY: + out = print_capabilities(id->val, 10); + break; + case AUPARSE_TYPE_SUCCESS: + out = print_success(id->val); + break; + case AUPARSE_TYPE_A0: + out = print_a0(id->val, id); + break; + case AUPARSE_TYPE_A1: + out = print_a1(id->val, id); + break; + case AUPARSE_TYPE_A2: + out = print_a2(id->val, id); + break; + case AUPARSE_TYPE_A3: + out = print_a3(id->val, id); + break; + case AUPARSE_TYPE_SIGNAL: + out = print_signals(id->val, 10); + break; + case AUPARSE_TYPE_LIST: + out = print_list(id->val); + break; + case AUPARSE_TYPE_TTY_DATA: + out = print_tty_data(id->val); + break; + case AUPARSE_TYPE_SESSION: + out = print_session(id->val); + break; + case AUPARSE_TYPE_CAP_BITMAP: + out = print_cap_bitmap(id->val); + break; + case AUPARSE_TYPE_NFPROTO: + out = print_nfproto(id->val); + break; + case AUPARSE_TYPE_ICMPTYPE: + out = print_icmptype(id->val); + break; + case AUPARSE_TYPE_PROTOCOL: + out = print_protocol(id->val); + break; + case AUPARSE_TYPE_ADDR: + out = print_addr(id->val); + break; + case AUPARSE_TYPE_PERSONALITY: + out = print_personality(id->val); + break; + case AUPARSE_TYPE_SECCOMP: + out = print_seccomp_code(id->val); + break; + case AUPARSE_TYPE_OFLAG: + out = print_open_flags(id->val); + break; + case AUPARSE_TYPE_MMAP: + out = print_mmap(id->val); + break; + case AUPARSE_TYPE_PROCTITLE: + out = print_proctitle(id->val); + break; + case AUPARSE_TYPE_MAC_LABEL: + case AUPARSE_TYPE_UNCLASSIFIED: + default: + out = strdup(id->val); + break; + } + + if (escape_mode != AUPARSE_ESC_RAW) { + unsigned int len = strlen(out); + unsigned int cnt = need_escaping(out, len); + if (cnt) { + char *dest = malloc(len + 1 + (3*cnt)); + if (dest) + escape(out, dest, len); + free((void *)out); + out = dest; + } + } + return out; +} +hidden_def(auparse_do_interpretation) + 
diff --git a/framework/src/audit/auparse/interpret.h b/framework/src/audit/auparse/interpret.h new file mode 100644 index 00000000..e546452e --- /dev/null +++ b/framework/src/audit/auparse/interpret.h @@ -0,0 +1,54 @@ +/* interpret.h -- + * Copyright 2007,08 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#ifndef INTERPRET_HEADER +#define INTERPRET_HEADER + +#include "config.h" +#include "private.h" +#include "rnode.h" +#include <time.h> + +#ifdef __cplusplus +extern "C" { +#endif + + +int lookup_type(const char *name); +const char *interpret(const rnode *r); +void aulookup_destroy_uid_list(void); +void aulookup_destroy_gid_list(void); +char *au_unescape(char *buf); + +/* Make these hidden to prevent conflicts */ +hidden_proto(lookup_type); +hidden_proto(interpret); +hidden_proto(aulookup_destroy_uid_list); +hidden_proto(aulookup_destroy_gid_list); +hidden_proto(au_unescape); + +#ifdef __cplusplus +} +#endif + +#endif + diff --git a/framework/src/audit/auparse/ioctlreqtab.h b/framework/src/audit/auparse/ioctlreqtab.h new file mode 100644 index 00000000..a3301e3e --- /dev/null +++ b/framework/src/audit/auparse/ioctlreqtab.h 
@@ -0,0 +1,54 @@ +/* ioctlreqtab.h -- + * Copyright 2014 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +_S(0x4B3A, "KDSETMODE" ) +_S(0x4B3B, "KDGETMODE" ) +_S(0x5309, "CDROMEJECT" ) +_S(0x530F, "CDROMEJECT_SW" ) +_S(0x5311, "CDROM_GET_UPC" ) +_S(0x5316, "CDROMSEEK" ) +_S(0x5401, "TCGETS" ) +_S(0x5402, "TCSETS" ) +_S(0x5403, "TCSETSW" ) +_S(0x5404, "TCSETSF" ) +_S(0x5409, "TCSBRK" ) +_S(0x540B, "TCFLSH" ) +_S(0x540E, "TIOCSCTTY" ) +_S(0x540F, "TIOCGPGRP" ) +_S(0x5410, "TIOCSPGRP" ) +_S(0x5413, "TIOCGWINSZ" ) +_S(0x5414, "TIOCSWINSZ" ) +_S(0x541B, "TIOCINQ" ) +_S(0x5421, "FIONBIO" ) +_S(0x8901, "FIOSETOWN" ) +_S(0x8903, "FIOGETOWN" ) +_S(0x8910, "SIOCGIFNAME" ) +_S(0x8927, "SIOCGIFHWADDR" ) +_S(0x8933, "SIOCGIFINDEX" ) +_S(0x89a2, "SIOCBRADDIF" ) +_S(0x40045431, "TIOCSPTLCK" ) // Need a better fix for these +_S(0x80045430, "TIOCGPTN" ) +_S(0x80045431, "TIOCSPTLCK" ) +_S(0xC01C64A3, "DRM_IOCTL_MODE_CURSOR" ) +_S(0xC01864B0, "DRM_IOCTL_MODE_PAGE_FLIP" ) +_S(0xC01864B1, "DRM_IOCTL_MODE_DIRTYFB" ) + diff --git a/framework/src/audit/auparse/ip6optnametab.h b/framework/src/audit/auparse/ip6optnametab.h new file mode 100644 index 00000000..16452af0 --- /dev/null 
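Review bot: The comment `// Need a better fix for these` on the `0x40045431` entry does not say what is wrong, and the reader is left with two codes (`0x40045431` and `0x80045431`) that both map to `TIOCSPTLCK` with no explanation. If I recall the uapi ioctl encoding correctly, the difference is that some architectures (powerpc, sparc, mips) use different `_IOC_READ`/`_IOC_WRITE` direction bits, so the same `_IOW('T', 0x31, int)` request yields `0x8004...` there instead of the generic `0x4004...`, and this table has no architecture key to distinguish the encodings. I would replace the comment with `/* 0x8004xxxx: TIOCSPTLCK/TIOCGPTN as encoded on arches whose _IOC direction bits differ (ppc, sparc, mips); there is no arch key, so collisions with other arches' numbers are possible */`. Separately, `0x89a2` is the only lowercase hex literal in the table; if the generated lookup sorts numerically this is cosmetic, but it should match the uppercase style of the other entries.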
+++ b/framework/src/audit/auparse/ip6optnametab.h 
@@ -0,0 +1,87 @@ +/* ip6optnametab.h -- + * Copyright 2013-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/in6.h + * include/uapi/linux/netfilter_ipv6/ip6_tables.h + */ + +_S(1, "IPV6_ADDRFORM") +_S(2, "IPV6_2292PKTINFO") +_S(3, "IPV6_2292HOPOPTS") +_S(4, "IPV6_2292DSTOPTS") +_S(5, "IPV6_2292RTHDR") +_S(6, "IPV6_2292PKTOPTIONS") +_S(7, "IPV6_CHECKSUM") +_S(8, "IPV6_2292HOPLIMIT") +_S(9, "IPV6_NEXTHOP") +_S(10, "IPV6_AUTHHDR") +_S(11, "IPV6_FLOWINFO") +_S(16, "IPV6_UNICAST_HOPS") +_S(17, "IPV6_MULTICAST_IF") +_S(18, "IPV6_MULTICAST_HOPS") +_S(19, "IPV6_MULTICAST_LOOP") +_S(20, "IPV6_ADD_MEMBERSHIP") +_S(21, "IPV6_DROP_MEMBERSHIP") +_S(22, "IPV6_ROUTER_ALERT") +_S(23, "IPV6_MTU_DISCOVER") +_S(24, "IPV6_MTU") +_S(25, "IPV6_RECVERR") +_S(26, "IPV6_V6ONLY") +_S(27, "IPV6_JOIN_ANYCAST") +_S(28, "IPV6_LEAVE_ANYCAST") +_S(32, "IPV6_FLOWLABEL_MGR") +_S(33, "IPV6_FLOWINFO_SEND") +_S(34, "IPV6_IPSEC_POLICY") +_S(35, "IPV6_XFRM_POLICY") +_S(42, "MCAST_JOIN_GROUP") +_S(43, "MCAST_BLOCK_SOURCE") +_S(44, "MCAST_UNBLOCK_SOURCE") +_S(45, "MCAST_LEAVE_GROUP") +_S(46, "MCAST_JOIN_SOURCE_GROUP") +_S(47, "MCAST_LEAVE_SOURCE_GROUP") +_S(48, 
"MCAST_MSFILTER") +_S(49, "IPV6_RECVPKTINFO") +_S(50, "IPV6_PKTINFO") +_S(51, "IPV6_RECVHOPLIMIT") +_S(52, "IPV6_HOPLIMIT") +_S(53, "IPV6_RECVHOPOPTS") +_S(54, "IPV6_HOPOPTS") +_S(55, "IPV6_RTHDRDSTOPTS") +_S(56, "IPV6_RECVRTHDR") +_S(57, "IPV6_RTHDR") +_S(58, "IPV6_RECVDSTOPTS") +_S(59, "IPV6_DSTOPTS") +_S(60, "IPV6_RECVPATHMTU") +_S(61, "IPV6_PATHMTU") +_S(62, "IPV6_DONTFRAG") +_S(63, "IPV6_USE_MIN_MTU") +_S(64, "IP6T_SO_SET_REPLACE") +_S(65, "IP6T_SO_SET_ADD_COUNTERS") +_S(66, "IPV6_RECVTCLASS") +_S(67, "IPV6_TCLASS") +_S(68, "IP6T_SO_GET_REVISION_MATCH") +_S(69, "IP6T_SO_GET_REVISION_TARGET") +_S(72, "IPV6_ADDR_PREFERENCES") +_S(73, "IPV6_MINHOPCOUNT") +_S(74, "IPV6_ORIGDSTADDR") +_S(75, "IPV6_TRANSPARENT") +_S(76, "IPV6_UNICAST_IF") +_S(80, "IP6T_SO_ORIGINAL_DST") + diff --git a/framework/src/audit/auparse/ipccmdtab.h b/framework/src/audit/auparse/ipccmdtab.h new file mode 100644 index 00000000..97c6bc30 --- /dev/null +++ b/framework/src/audit/auparse/ipccmdtab.h 
@@ -0,0 +1,28 @@ +/* ipccmdtab.h -- + * Copyright 2013 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/ipc.h + */ + + +_S(00001000, "IPC_CREAT" ) +_S(00002000, "IPC_EXCL" ) +_S(00004000, "IPC_NOWAIT" ) + diff --git a/framework/src/audit/auparse/ipctab.h b/framework/src/audit/auparse/ipctab.h new file mode 100644 index 00000000..c30eb20c --- /dev/null +++ b/framework/src/audit/auparse/ipctab.h 
@@ -0,0 +1,37 @@ +/* ipctab.h -- + * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/ipc.h + */ + + +_S(SEMOP, "semop" ) +_S(SEMGET, "semget" ) +_S(SEMCTL, "semctl" ) +_S(4, "semtimedop" ) +_S(MSGSND, "msgsnd" ) +_S(MSGRCV, "msgrcv" ) +_S(MSGGET, "msgget" ) +_S(MSGCTL, "msgctl" ) +_S(SHMAT, "shmat" ) +_S(SHMDT, "shmdt" ) +_S(SHMGET, "shmget" ) +_S(SHMCTL, "shmctl" ) + diff --git a/framework/src/audit/auparse/ipoptnametab.h b/framework/src/audit/auparse/ipoptnametab.h new file mode 100644 index 00000000..38a9fb80 --- /dev/null +++ b/framework/src/audit/auparse/ipoptnametab.h 
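Review bot: The entry `_S(4, "semtimedop" )` is the only one in the table written as a bare number while every neighbour uses the `SEM*`/`MSG*`/`SHM*` macro, and nothing says why. Presumably `SEMTIMEDOP` is not exported by the userland header the other macros come from, which is worth stating so the next maintainer does not "fix" it back to a macro that fails to compile; I would write `_S(4, "semtimedop" ) /* SEMTIMEDOP: value from uapi/linux/ipc.h, not in the libc header */`.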
@@ -0,0 +1,70 @@ +/* ipoptnametab.h -- + * Copyright 2013,2015 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/in.h + * include/uapi/linux/netfilter_ipv4/ip_tables.h + */ + + +_S(1, "IP_TOS") +_S(2, "IP_TTL") +_S(3, "IP_HDRINCL") +_S(4, "IP_OPTIONS") +_S(5, "IP_ROUTER_ALERT") +_S(6, "IP_RECVOPTS") +_S(7, "IP_RETOPTS") +_S(8, "IP_PKTINFO") +_S(9, "IP_PKTOPTIONS") +_S(10, "IP_MTU_DISCOVER") +_S(11, "IP_RECVERR") +_S(12, "IP_RECVTTL") +_S(14, "IP_MTU") +_S(15, "IP_FREEBIND") +_S(16, "IP_IPSEC_POLICY") +_S(17, "IP_XFRM_POLICY") +_S(18, "IP_PASSSEC") +_S(19, "IP_TRANSPARENT") +_S(20, "IP_ORIGDSTADDR") +_S(21, "IP_MINTTL") +_S(22, "IP_NODEFRAG") +_S(23, "IP_CHECKSUM") +_S(32, "IP_MULTICAST_IF") +_S(33, "IP_MULTICAST_TTL") +_S(34, "IP_MULTICAST_LOOP") +_S(35, "IP_ADD_MEMBERSHIP") +_S(36, "IP_DROP_MEMBERSHIP") +_S(37, "IP_UNBLOCK_SOURCE") +_S(38, "IP_BLOCK_SOURCE") +_S(39, "IP_ADD_SOURCE_MEMBERSHIP") +_S(40, "IP_DROP_SOURCE_MEMBERSHIP") +_S(41, "IP_MSFILTER") +_S(42, "MCAST_JOIN_GROUP") +_S(43, "MCAST_BLOCK_SOURCE") +_S(44, "MCAST_UNBLOCK_SOURCE") +_S(45, "MCAST_LEAVE_GROUP") +_S(46, "MCAST_JOIN_SOURCE_GROUP") +_S(47, 
"MCAST_LEAVE_SOURCE_GROUP") +_S(48, "MCAST_MSFILTER") +_S(49, "IP_MULTICAST_ALL") +_S(50, "IP_UNICAST_IF") +_S(64, "IPT_SO_SET_REPLACE") +_S(65, "IPT_SO_SET_ADD_COUNTERS") +_S(66, "IPT_SO_GET_REVISION_TARGET") + diff --git a/framework/src/audit/auparse/message.c b/framework/src/audit/auparse/message.c new file mode 100644 index 00000000..45b33c0f --- /dev/null +++ b/framework/src/audit/auparse/message.c 
@@ -0,0 +1,58 @@ +/* message.c -- + * Copyright 2004, 2005 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + */ + +#include "config.h" +#include <stdio.h> +#include <stdarg.h> +#include "libaudit.h" +#include "private.h" + +/* The message mode refers to where informational messages go + 0 - stderr, 1 - syslog, 2 - quiet. The default is quiet. */ +static message_t message_mode = MSG_QUIET; +static debug_message_t debug_message = DBG_NO; + +void set_aumessage_mode(message_t mode, debug_message_t debug) +{ + message_mode = mode; + debug_message = debug; +} + +void audit_msg(int priority, const char *fmt, ...) +{ + va_list ap; + + if (message_mode == MSG_QUIET) + return; + + if (priority == LOG_DEBUG && debug_message == DBG_NO) + return; + + va_start(ap, fmt); + if (message_mode == MSG_SYSLOG) + vsyslog(priority, fmt, ap); + else { + vfprintf(stderr, fmt, ap); + fputc('\n', stderr); + } + va_end( ap ); +} diff --git a/framework/src/audit/auparse/mmaptab.h b/framework/src/audit/auparse/mmaptab.h new file mode 100644 index 00000000..9bd5ef5a --- /dev/null +++ b/framework/src/audit/auparse/mmaptab.h 
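Review bot: `audit_msg` forwards the caller's `fmt` straight to `vsyslog` and `vfprintf`, so the function should be declared with `__attribute__((format(printf, 2, 3)))` to let the compiler check every call site's format/argument agreement; the declaration lives in a header outside this hunk, so the attribute belongs there. The file also calls `vsyslog` and uses `LOG_DEBUG` without including `<syslog.h>` itself, relying on `libaudit.h` or `private.h` to pull it in; an explicit `#include <syslog.h>` would make that dependency visible. Minor style: `va_end( ap );` has spacing that no other call in the file uses.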
@@ -0,0 +1,40 @@ +/* mmaptab.h -- + * Copyright 2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/asm-generic/mman.h >0x100 + * include/uapi/asm-generic/mman-common.h < 0x100 + * NOTE: If this is updated, also update interpret.c:print_mmap() + */ + +_S(0x00001, "MAP_SHARED" ) +_S(0x00002, "MAP_PRIVATE" ) +_S(0x00010, "MAP_FIXED" ) +_S(0x00020, "MAP_ANONYMOUS" ) +_S(0x00040, "MAP_32BIT" ) +_S(0x00100, "MAP_GROWSDOWN" ) +_S(0x00800, "MAP_DENYWRITE" ) +_S(0x01000, "MAP_EXECUTABLE" ) +_S(0x02000, "MAP_LOCKED" ) +_S(0x04000, "MAP_NORESERVE" ) +_S(0x08000, "MAP_POPULATE" ) +_S(0x10000, "MAP_NONBLOCK" ) +_S(0x20000, "MAP_STACK" ) +_S(0x40000, "MAP_HUGETLB" ) + diff --git a/framework/src/audit/auparse/mounttab.h b/framework/src/audit/auparse/mounttab.h new file mode 100644 index 00000000..ce98a998 --- /dev/null +++ b/framework/src/audit/auparse/mounttab.h 
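Review bot: The table holds the asm-generic `MAP_*` values, but the consumer is called as `print_mmap(id->val)` with no machine argument (visible in the interpret.c hunk of this commit), so flags from records produced on architectures with different encodings will be decoded with the generic names. I believe MIPS, Alpha and PA-RISC use different values for several of these (for example `MAP_ANONYMOUS`), and `MAP_32BIT` (0x40) is x86-specific. The header comment should state the limitation, e.g. `* NOTE: asm-generic values only; arch-specific MAP_* encodings (MIPS, Alpha, PA-RISC) are not distinguished because print_mmap() gets no machine`, so a reader of an interpreted log from such a machine knows the names may be wrong.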
@@ -0,0 +1,53 @@ +/* mounttab.h -- + * Copyright 2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/fs.h + * NOTE: When updating this table, update interpret.c:print_mount() + */ + +_S(MS_RDONLY, "MS_RDONLY") +_S(MS_NOSUID, "MS_NOSUID") +_S(MS_NODEV, "MS_NODEV" ) +_S(MS_NOEXEC, "MS_NOEXEC") +_S(MS_SYNCHRONOUS, "MS_SYNCHRONOUS") +_S(MS_REMOUNT, "MS_REMOUNT") +_S(MS_MANDLOCK, "MS_MANDLOCK") +_S(MS_DIRSYNC, "MS_DIRSYNC") +_S(MS_NOATIME, "MS_NOATIME") +_S(MS_NODIRATIME, "MS_NODIRATIME") +_S(MS_BIND, "MS_BIND") +_S(MS_MOVE, "MS_MOVE") +_S(MS_REC, "MS_REC") +_S(MS_SILENT, "MS_SILENT") +_S(MS_POSIXACL, "MS_POSIXACL") +_S(MS_UNBINDABLE, "MS_UNBINDABLE") +_S(MS_PRIVATE, "MS_PRIVATE") +_S(MS_SLAVE, "MS_SLAVE") +_S(MS_SHARED, "MS_SHARED") +_S(MS_RELATIME, "MS_RELATIME") +_S(MS_KERNMOUNT, "MS_KERNMOUNT") +_S(MS_I_VERSION, "MS_I_VERSION") +_S((1<<24), "MS_STRICTATIME") +_S((1<<27), "MS_SNAP_STABLE") +_S((1<<28), "MS_NOSEC") +_S((1<<29), "MS_BORN") +_S(MS_ACTIVE, "MS_ACTIVE") +_S(MS_NOUSER, "MS_NOUSER") + 
diff --git a/framework/src/audit/auparse/nfprototab.h b/framework/src/audit/auparse/nfprototab.h new file mode 100644 index 00000000..eab43370 --- /dev/null +++ b/framework/src/audit/auparse/nfprototab.h @@ -0,0 +1,31 @@ +/* nfprototab.h -- + * Copyright 2011-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/netfilter.h + */ + +_S(0, "unspecified" ) +_S(1, "inet" ) +_S(2, "ipv4" ) +_S(3, "arp" ) +_S(7, "bridge" ) +_S(10, "ipv6" ) +_S(12, "decnet" ) + diff --git a/framework/src/audit/auparse/nvlist.c b/framework/src/audit/auparse/nvlist.c new file mode 100644 index 00000000..66e7ff8c --- /dev/null +++ b/framework/src/audit/auparse/nvlist.c 
@@ -0,0 +1,137 @@
+/*
+* nvlist.c - Minimal linked list library for name-value pairs
+* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#include "config.h"
+#include <stdlib.h>
+#include <string.h>
+#include "nvlist.h"
+#include "interpret.h"
+#include "auparse-idata.h"
+
+
+void nvlist_create(nvlist *l)
+{
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
+
+static void nvlist_last(nvlist *l)
+{
+ register nvnode* window;
+
+ if (l->head == NULL)
+ return;
+
+ window = l->head;
+ while (window->next)
+ window = window->next;
+ l->cur = window;
+}
+
+nvnode *nvlist_next(nvlist *l)
+{
+ if (l->cur)
+ l->cur = l->cur->next;
+ return l->cur;
+}
+
+void nvlist_append(nvlist *l, nvnode *node)
+{
+ nvnode* newnode = malloc(sizeof(nvnode));
+
+ newnode->name = node->name;
+ newnode->val = node->val;
+ newnode->interp_val = NULL;
+ newnode->item = l->cnt;
+ newnode->next = NULL;
+
+ // if we are at top, fix this up
+ if (l->head == NULL)
+ l->head = newnode;
+ else { // Otherwise add pointer to newnode
+ if (l->cnt == (l->cur->item+1)) {
+ l->cur->next = newnode;
+ }
+ else {
+ nvlist_last(l);
+ l->cur->next = newnode;
+ }
+ }
+
+ // make newnode current
+
l->cur = newnode;
+ l->cnt++;
+}
+
+/*
+ * This function will start at current index and scan for a name
+ */
+int nvlist_find_name(nvlist *l, const char *name)
+{
+ register nvnode* window = l->cur;
+
+ while (window) {
+ if (strcmp(window->name, name) == 0) {
+ l->cur = window;
+ return 1;
+ }
+ else
+ window = window->next;
+ }
+ return 0;
+}
+
+extern int interp_adjust_type(int rtype, const char *name, const char *val);
+int nvlist_get_cur_type(const rnode *r)
+{
+ const nvlist *l = &r->nv;
+ return auparse_interp_adjust_type(r->type, l->cur->name, l->cur->val);
+}
+
+const char *nvlist_interp_cur_val(const rnode *r)
+{
+ const nvlist *l = &r->nv;
+ if (l->cur->interp_val)
+ return l->cur->interp_val;
+ return interpret(r);
+}
+
+void nvlist_clear(nvlist* l)
+{
+ nvnode* nextnode;
+ register nvnode* current;
+
+ current = l->head;
+ while (current) {
+ nextnode=current->next;
+ free(current->name);
+ free(current->val);
+ free(current->interp_val);
+ free(current);
+ current=nextnode;
+ }
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
diff --git a/framework/src/audit/auparse/nvlist.h b/framework/src/audit/auparse/nvlist.h
new file mode 100644
index 00000000..2924ddc6
--- /dev/null
+++ b/framework/src/audit/auparse/nvlist.h
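Review bot: `nvlist_append` writes through `newnode` immediately after `malloc(sizeof(nvnode))` without checking for NULL, so an allocation failure becomes a NULL dereference instead of a reported error; `nvpair_append` in nvpair.c has the same unchecked malloc. In the `else` branch `l->cur->item` is dereferenced whenever `l->head` is set, but `nvlist_next` leaves `l->cur` NULL once it walks off the end of the list, so an append after a completed iteration would crash unless every caller resets the cursor first (callers are outside this hunk). A minimal guard is `if (newnode == NULL) return;` after the malloc and `if (l->cur && l->cnt == (l->cur->item+1)) {` for the fast-path test, with the existing `else` branch falling back to `nvlist_last()`. `nvlist_get_cur_type` and `nvlist_interp_cur_val` likewise dereference `l->cur` unchecked while the inline getters in nvlist.h test it first, and the `extern int interp_adjust_type(...)` declaration above `nvlist_get_cur_type` is unused since the call is to `auparse_interp_adjust_type`.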
@@ -0,0 +1,51 @@
+/*
+* nvlist.h - Header file for nvlist.c
+* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef NVLIST_HEADER
+#define NVLIST_HEADER
+
+#include "config.h"
+#include "private.h"
+#include <sys/types.h>
+#include "rnode.h"
+#include "ellist.h"
+
+
+void nvlist_create(nvlist *l) hidden;
+void nvlist_clear(nvlist* l) hidden;
+static inline unsigned int nvlist_get_cnt(nvlist *l) { return l->cnt; }
+static inline void nvlist_first(nvlist *l) { l->cur = l->head; }
+static inline nvnode *nvlist_get_cur(const nvlist *l) { return l->cur; }
+nvnode *nvlist_next(nvlist *l) hidden;
+static inline const char *nvlist_get_cur_name(const nvlist *l) {if (l->cur) return l->cur->name; else return NULL;}
+static inline const char *nvlist_get_cur_val(const nvlist *l) {if (l->cur) return l->cur->val; else return NULL;}
+static inline const char *nvlist_get_cur_val_interp(const nvlist *l) {if (l->cur) return l->cur->interp_val; else return NULL;}
+int nvlist_get_cur_type(const rnode *r) hidden;
+const char *nvlist_interp_cur_val(const rnode *r) hidden;
+void nvlist_append(nvlist *l, nvnode *node) hidden;
+
+/* Given a numeric index, find that record.
*/
+int nvlist_find_name(nvlist *l, const char *name) hidden;
+
+#endif
+
diff --git a/framework/src/audit/auparse/nvpair.c b/framework/src/audit/auparse/nvpair.c
new file mode 100644
index 00000000..467d1546
--- /dev/null
+++ b/framework/src/audit/auparse/nvpair.c
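Review bot: The comment above `nvlist_find_name` (`/* Given a numeric index, find that record. */`) describes a different function: this one takes a name, not an index, and nvlist.c scans forward from the current node rather than from the head. Suggest replacing it with `/* Scan forward from the current node for a node named 'name'; on a match make it current and return 1, otherwise return 0 and leave the cursor where it was. */`.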
@@ -0,0 +1,89 @@
+/*
+* nvpair.c - Minimal linked list library for name-value pairs
+* Copyright (c) 2007-08 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#include "config.h"
+#include <stdlib.h>
+#include "nvpair.h"
+
+
+void nvpair_create(nvpair *l)
+{
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
+
+void nvpair_append(nvpair *l, nvpnode *node)
+{
+ nvpnode* newnode = malloc(sizeof(nvpnode));
+
+ newnode->name = node->name;
+ newnode->val = node->val;
+ newnode->next = NULL;
+
+ // if we are at top, fix this up
+ if (l->head == NULL)
+ l->head = newnode;
+ else { // Otherwise add pointer to newnode
+ while (l->cur->next)
+ l->cur = l->cur->next;
+ l->cur->next = newnode;
+ }
+
+ // make newnode current
+ l->cur = newnode;
+ l->cnt++;
+}
+
+int nvpair_find_val(nvpair *l, long val)
+{
+ register nvpnode* window = l->head;
+
+ while (window) {
+ if (window->val == val) {
+ l->cur = window;
+ return 1;
+ }
+ else
+ window = window->next;
+ }
+ return 0;
+}
+
+void nvpair_clear(nvpair *l)
+{
+ nvpnode* nextnode;
+ register nvpnode* current;
+
+ current = l->head;
+ while (current) {
+ nextnode=current->next;
+ free(current->name);
+ free(current);
+ current=nextnode;
+
}
+ l->head = NULL;
+ l->cur = NULL;
+ l->cnt = 0;
+}
+
diff --git a/framework/src/audit/auparse/nvpair.h b/framework/src/audit/auparse/nvpair.h
new file mode 100644
index 00000000..2ea7f635
--- /dev/null
+++ b/framework/src/audit/auparse/nvpair.h
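Review bot: The ownership contract of `nvpair_append` is not stated anywhere in the hunk: the new node keeps the `node->name` pointer rather than copying the string, and `nvpair_clear` later calls `free(current->name)`, so callers must hand over a heap-allocated name they no longer own. A comment on `nvpair_append` such as `/* Takes ownership of node->name; it is freed by nvpair_clear() */` would make that explicit. Separately, the append walks `l->cur` to the tail on every call, so a sequence of appends after `nvpair_first` or `nvpair_find_val` has moved the cursor back toward the head is quadratic; whether the lists ever get long enough for that to matter I cannot tell from here.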
@@ -0,0 +1,56 @@
+/*
+* nvpair.h - Header file for nvpair.c
+* Copyright (c) 2007-08 Red Hat Inc., Durham, North Carolina.
+* All Rights Reserved.
+*
+* This library is free software; you can redistribute it and/or
+* modify it under the terms of the GNU Lesser General Public
+* License as published by the Free Software Foundation; either
+* version 2.1 of the License, or (at your option) any later version.
+*
+* This library is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this library; if not, write to the Free Software
+* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*
+* Authors:
+* Steve Grubb <sgrubb@redhat.com>
+*/
+
+#ifndef NVPAIR_HEADER
+#define NVPAIR_HEADER
+
+#include "config.h"
+#include "private.h"
+#include <sys/types.h>
+
+/* This is the node of the linked list. Any data elements that are
+ * per item goes here. */
+typedef struct _nvpnode{
+ char *name; // The name string
+ long val; // The value field
+ struct _nvpnode* next; // Next nvpair node pointer
+} nvpnode;
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+ nvpnode *head; // List head
+ nvpnode *cur; // Pointer to current node
+ unsigned int cnt; // How many items in this list
+} nvpair;
+
+void nvpair_create(nvpair *l) hidden;
+static inline void nvpair_first(nvpair *l) { l->cur = l->head; }
+static inline nvpnode *nvpair_get_cur(nvpair *l) { return l->cur; }
+void nvpair_append(nvpair *l, nvpnode *node) hidden;
+void nvpair_clear(nvpair *l) hidden;
+int nvpair_find_val(nvpair *l, long val) hidden;
+
+
+#endif
+
diff --git a/framework/src/audit/auparse/open-flagtab.h b/framework/src/audit/auparse/open-flagtab.h
new file mode 100644
index 00000000..42bc9950
--- /dev/null
+++ b/framework/src/audit/auparse/open-flagtab.h
@@ -0,0 +1,44 @@
+/* open-flagtab.h --
+ * Copyright 2007,2012-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/fcntl.h
+ * NOTE: When updating this table, update interpret.c:print_open_flags()
+ */
+
+// Handled in the code: _S(00, "O_RDONLY" )
+_S(01, "O_WRONLY" )
+_S(02, "O_RDWR" )
+_S(0100, "O_CREAT")
+_S(0200, "O_EXCL" )
+_S(0400, "O_NOCTTY" )
+_S(01000, "O_TRUNC" )
+_S(02000, "O_APPEND" )
+_S(04000, "O_NONBLOCK" )
+_S(010000, "O_DSYNC" )
+_S(020000, "O_ASYNC" )
+_S(040000, "O_DIRECT" )
+_S(0200000, "O_DIRECTORY" )
+_S(0400000, "O_NOFOLLOW" )
+_S(01000000, "O_NOATIME" )
+_S(02000000, "O_CLOEXEC")
+_S(04000000, "__O_SYNC")
+_S(010000000, "O_PATH")
+_S(020000000, "__O_TMPFILE")
+
diff --git a/framework/src/audit/auparse/persontab.h b/framework/src/audit/auparse/persontab.h
new file mode 100644
index 00000000..a1957653
--- /dev/null
+++ b/framework/src/audit/auparse/persontab.h
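Review bot: The octal values in this table are those of asm-generic/fcntl.h, as the Location line says, but they are not universal: as far as I recall, architectures such as alpha and sparc assign different numbers to some of these flags (O_DIRECT, O_DIRECTORY and O_NOFOLLOW among them), so a record produced on such a machine would be labelled with the wrong flag names if interpret.c:print_open_flags() applies this table regardless of the record's machine type. If that is the case, a comment stating that the table is only valid for the generic layout, e.g. `// Values are the asm-generic ones; some architectures differ`, would at least make the limitation visible to the next maintainer.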
@@ -0,0 +1,45 @@ +/* persontab.h -- + * Copyright 2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/personality.h + */ + +_S(0x0000, "PER_LINUX") +_S(0x0000 | ADDR_LIMIT_32BIT, "PER_LINUX_32BIT") +_S(0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO, "PER_SVR4") +_S(0x0002 | STICKY_TIMEOUTS | SHORT_INODE, "PER_SVR3") +_S(0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS | SHORT_INODE, "PER_SCOSVR3") +_S(0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS, "PER_OSR5") +_S(0x0004 | STICKY_TIMEOUTS | SHORT_INODE, "PER_WYSEV386") +_S(0x0005 | STICKY_TIMEOUTS, "PER_ISCR4") +_S(0x0006, "PER_BSD") +_S(0x0006 | STICKY_TIMEOUTS, "PER_SUNOS") +_S(0x0007 | STICKY_TIMEOUTS | SHORT_INODE, "PER_XENIX") +_S(0x0008, "PER_LINUX32") +_S(0x0008 | ADDR_LIMIT_3GB, "PER_LINUX32_3GB") +_S(0x0009 | STICKY_TIMEOUTS, "PER_IRIX32") +_S(0x000a | STICKY_TIMEOUTS, "PER_IRIXN32") +_S(0x000b | STICKY_TIMEOUTS, "PER_IRIX64") +_S(0x000c, "PER_RISCOS") +_S(0x000d | STICKY_TIMEOUTS, "PER_SOLARIS") +_S(0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO, "PER_UW7") +_S(0x000f, "PER_OSF4") +_S(0x0010, "PER_HPUX") + 
diff --git a/framework/src/audit/auparse/pktoptnametab.h b/framework/src/audit/auparse/pktoptnametab.h new file mode 100644 index 00000000..d532a59d --- /dev/null +++ b/framework/src/audit/auparse/pktoptnametab.h @@ -0,0 +1,43 @@ +/* pktoptnametab.h -- + * Copyright 2013-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/if_packet.h + */ + +_S(1, "PACKET_ADD_MEMBERSHIP") +_S(2, "PACKET_DROP_MEMBERSHIP") +_S(3, "PACKET_RECV_OUTPUT") +_S(5, "PACKET_RX_RING") +_S(6, "PACKET_STATISTICS") +_S(7, "PACKET_COPY_THRESH") +_S(8, "PACKET_AUXDATA") +_S(9, "PACKET_ORIGDEV") +_S(10, "PACKET_VERSION") +_S(11, "PACKET_HDRLEN") +_S(12, "PACKET_RESERVE") +_S(13, "PACKET_TX_RING") +_S(14, "PACKET_LOSS") +_S(15, "PACKET_VNET_HDR") +_S(16, "PACKET_TX_TIMESTAMP") +_S(17, "PACKET_TIMESTAMP") +_S(18, "PACKET_FANOUT") +_S(19, "PACKET_TX_HAS_OFF") +_S(20, "PACKET_QDISC_BYPASS") + diff --git a/framework/src/audit/auparse/prctl-opt-tab.h b/framework/src/audit/auparse/prctl-opt-tab.h new file mode 100644 index 00000000..0285a88d --- /dev/null +++ b/framework/src/audit/auparse/prctl-opt-tab.h 
@@ -0,0 +1,68 @@ +/* prctl-opt-tab.h -- + * Copyright 2013-15 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/prctl.h + */ + +_S(1, "PR_SET_PDEATHSIG") +_S(2, "PR_GET_PDEATHSIG") +_S(3, "PR_GET_DUMPABLE") +_S(4, "PR_SET_DUMPABLE") +_S(5, "PR_GET_UNALIGN") +_S(6, "PR_SET_UNALIGN") +_S(7, "PR_GET_KEEPCAPS") +_S(8, "PR_SET_KEEPCAPS") +_S(9, "PR_GET_FPEMU") +_S(10, "PR_SET_FPEMU") +_S(11, "PR_GET_FPEXC") +_S(12, "PR_SET_FPEXC") +_S(13, "PR_GET_TIMING") +_S(14, "PR_SET_TIMING") +_S(15, "PR_SET_NAME") +_S(16, "PR_GET_NAME") +_S(19, "PR_GET_ENDIAN") +_S(20, "PR_SET_ENDIAN") +_S(21, "PR_GET_SECCOMP") +_S(22, "PR_SET_SECCOMP") +_S(23, "PR_CAPBSET_READ") +_S(24, "PR_CAPBSET_DROP") +_S(25, "PR_GET_TSC") +_S(26, "PR_SET_TSC") +_S(27, "PR_GET_SECUREBITS") +_S(28, "PR_SET_SECUREBITS") +_S(29, "PR_SET_TIMERSLACK") +_S(30, "PR_GET_TIMERSLACK") +_S(31, "PR_TASK_PERF_EVENTS_DISABLE") +_S(32, "PR_TASK_PERF_EVENTS_ENABLE") +_S(33, "PR_MCE_KILL") +_S(34, "PR_MCE_KILL_GET") +_S(35, "PR_SET_MM") +_S(36, "PR_SET_CHILD_SUBREAPER") +_S(37, "PR_GET_CHILD_SUBREAPER") +_S(38, "PR_SET_NO_NEW_PRIVS") +_S(39, "PR_GET_NO_NEW_PRIVS") +_S(40, "PR_GET_TID_ADDRESS") 
+_S(41, "PR_SET_THP_DISABLE")
+_S(42, "PR_GET_THP_DISABLE")
+_S(43, "PR_MPX_ENABLE_MANAGEMENT")
+_S(44, "PR_MPX_DISABLE_MANAGEMENT")
+_S(45, "PR_SET_FP_MODE")
+_S(46, "PR_GET_FP_MODE")
+
diff --git a/framework/src/audit/auparse/private.h b/framework/src/audit/auparse/private.h
new file mode 100644
index 00000000..c0a0da9c
--- /dev/null
+++ b/framework/src/audit/auparse/private.h
@@ -0,0 +1,54 @@
+/* private.h --
+ * Copyright 2007,2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+#ifndef _PRIVATE_H_
+#define _PRIVATE_H_
+
+#include "auparse.h"
+#include "libaudit.h"
+#include "dso.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Internal syslog messaging */
+#define audit_msg auparse_msg
+#define set_aumessage_mode set_aup_message_mode
+void auparse_msg(int priority, const char *fmt, ...) hidden
+#ifdef __GNUC__
+ __attribute__ ((format (printf, 2, 3)));
+#else
+ ;
+#endif
+void set_aumessage_mode(message_t mode, debug_message_t debug) hidden;
+
+char *audit_strsplit_r(char *s, char **savedpp);
+char *audit_strsplit(char *s);
+hidden_proto(audit_strsplit_r)
+hidden_proto(audit_strsplit)
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/framework/src/audit/auparse/prottab.h b/framework/src/audit/auparse/prottab.h new file mode 100644 index 00000000..e0edeb84 --- /dev/null +++ b/framework/src/audit/auparse/prottab.h @@ -0,0 +1,28 @@ +/* prottab.h -- + * Copyright 2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/asm-generic/mman-common.h + */ + +_S(1, "PROT_READ" ) +_S(2, "PROT_WRITE" ) +_S(4, "PROT_EXEC" ) +_S(8, "PROT_SEM" ) + diff --git a/framework/src/audit/auparse/ptracetab.h b/framework/src/audit/auparse/ptracetab.h new file mode 100644 index 00000000..11698ab7 --- /dev/null +++ b/framework/src/audit/auparse/ptracetab.h 
@@ -0,0 +1,55 @@ +/* ptracetab.h -- + * Copyright 2012-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/ptrace.h + */ + +_S(0, "PTRACE_TRACEME" ) +_S(1, "PTRACE_PEEKTEXT" ) +_S(2, "PTRACE_PEEKDATA" ) +_S(3, "PTRACE_PEEKUSER" ) +_S(4, "PTRACE_POKETEXT" ) +_S(5, "PTRACE_POKEDATA" ) +_S(6, "PTRACE_POKEUSER" ) +_S(7, "PTRACE_CONT" ) +_S(8, "PTRACE_KILL" ) +_S(9, "PTRACE_SINGLESTEP" ) +_S(12, "PTRACE_GETREGS" ) +_S(13, "PTRACE_SETREGS" ) +_S(14, "PTRACE_GETFPREGS" ) +_S(15, "PTRACE_SETFPREGS" ) +_S(16, "PTRACE_ATTACH" ) +_S(17, "PTRACE_DETACH" ) +_S(18, "PTRACE_GETFPXREGS" ) +_S(19, "PTRACE_SETFPXREGS" ) +_S(24, "PTRACE_SYSCALL" ) +_S(0x4200, "PTRACE_SETOPTIONS" ) +_S(0x4201, "PTRACE_GETEVENTMSG" ) +_S(0x4202, "PTRACE_GETSIGINFO" ) +_S(0x4203, "PTRACE_SETSIGINFO" ) +_S(0x4204, "PTRACE_GETREGSET" ) +_S(0x4205, "PTRACE_SETREGSET" ) +_S(0x4206, "PTRACE_SEIZE" ) +_S(0x4207, "PTRACE_INTERRUPT" ) +_S(0x4208, "PTRACE_LISTEN" ) +_S(0x4209, "PTRACE_PEEKSIGINFO" ) +_S(0x420a, "PTRACE_GETSIGMASK" ) +_S(0x420b, "PTRACE_SETSIGMASK" ) + 
diff --git a/framework/src/audit/auparse/recvtab.h b/framework/src/audit/auparse/recvtab.h new file mode 100644 index 00000000..af201ab9 --- /dev/null +++ b/framework/src/audit/auparse/recvtab.h @@ -0,0 +1,46 @@ +/* recvtab.h -- + * Copyright 2012-14 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/linux/socket.h + * NOTE: If any update are made, update buffer size in interpret.c:print_recv() + */ + +_S(0x00000001, "MSG_OOB") +_S(0x00000002, "MSG_PEEK") +_S(0x00000004, "MSG_DONTROUTE") +_S(0x00000008, "MSG_CTRUNC") +_S(0x00000010, "MSG_PROXY") +_S(0x00000020, "MSG_TRUNC") +_S(0x00000040, "MSG_DONTWAIT") +_S(0x00000080, "MSG_EOR") +_S(0x00000100, "MSG_WAITALL") +_S(0x00000200, "MSG_FIN") +_S(0x00000400, "MSG_SYN") +_S(0x00000800, "MSG_CONFIRM") +_S(0x00001000, "MSG_RST") +_S(0x00002000, "MSG_ERRQUEUE") +_S(0x00004000, "MSG_NOSIGNAL") +_S(0x00008000, "MSG_MORE") +_S(0x00010000, "MSG_WAITFORONE") +_S(0x00020000, "MSG_SENDPAGE_NOTLAST") +_S(0x20000000, "MSG_FASTOPEN") +_S(0x40000000, "MSG_CMSG_CLOEXEC") +_S(0x80000000, "MSG_CMSG_COMPAT") + 
diff --git a/framework/src/audit/auparse/rlimittab.h b/framework/src/audit/auparse/rlimittab.h new file mode 100644 index 00000000..3efd22f0 --- /dev/null +++ b/framework/src/audit/auparse/rlimittab.h @@ -0,0 +1,40 @@ +/* rlimittab.h -- + * Copyright 2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/asm-generic/resource.h + */ + + _S(0, "RLIMIT_CPU") + _S(1, "RLIMIT_FSIZE") + _S(2, "RLIMIT_DATA") + _S(3, "RLIMIT_STACK") + _S(4, "RLIMIT_CORE") + _S(5, "RLIMIT_RSS") + _S(6, "RLIMIT_NPROC") + _S(7, "RLIMIT_NOFILE") + _S(8, "RLIMIT_MEMLOCK") + _S(9, "RLIMIT_AS") + _S(10,"RLIMIT_LOCKS") + _S(11,"RLIMIT_SIGPENDING") + _S(12,"RLIMIT_MSGQUEUE") + _S(13,"RLIMIT_NICE") + _S(14,"RLIMIT_RTPRIO") + _S(15,"RLIMIT_RTTIME") + diff --git a/framework/src/audit/auparse/rnode.h b/framework/src/audit/auparse/rnode.h new file mode 100644 index 00000000..2c871c95 --- /dev/null +++ b/framework/src/audit/auparse/rnode.h 
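Review bot: Every entry in this table is indented by one leading space, and the last six (`_S(10,"RLIMIT_LOCKS")` onward) drop the space after the comma, unlike the other *tab.h files in this commit, which start entries at column 0 with a space after the comma. This is cosmetic, but since these tables are kept in sync with the kernel headers by hand, a uniform layout keeps diffs against the kernel list readable; e.g. `_S(10, "RLIMIT_LOCKS")`.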
@@ -0,0 +1,63 @@
+
+/* rnode.h --
+ * Copyright 2007 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+#ifndef RNODE_HEADER
+#define RNODE_HEADER
+
+/* This is the node of the linked list. Any data elements that are
+ * per item goes here. */
+typedef struct _nvnode{
+ char *name; // The name string
+ char *val; // The value field
+ char *interp_val; // The value field interpretted
+ unsigned int item; // Which item of the same event
+ struct _nvnode* next; // Next nvpair node pointer
+} nvnode;
+
+/* This is the linked list head. Only data elements that are 1 per
+ * event goes here. */
+typedef struct {
+ nvnode *head; // List head
+ nvnode *cur; // Pointer to current node
+ unsigned int cnt; // How many items in this list
+} nvlist;
+
+
+/* This is the node of the linked list. Any data elements that are per
+ * * item goes here.
*/
+typedef struct _rnode{
+ char *record; // The whole unparsed record
+ int type; // record type (KERNEL, USER, LOGIN, etc)
+ int machine; // The machine type for the event
+ int syscall; // The syscall for the event
+ unsigned long long a0; // arg 0 to the syscall
+ unsigned long long a1; // arg 1 to the syscall
+ nvlist nv; // name-value linked list of parsed elements
+ unsigned int item; // Which item of the same event
+ int list_idx; // The index into the source list, points to where record was found
+ unsigned int line_number; // The line number where record was found
+ struct _rnode* next; // Next record node pointer
+} rnode;
+
+#endif
+
diff --git a/framework/src/audit/auparse/schedtab.h b/framework/src/audit/auparse/schedtab.h
new file mode 100644
index 00000000..90e0e7d5
--- /dev/null
+++ b/framework/src/audit/auparse/schedtab.h
@@ -0,0 +1,31 @@
+/* schedtab.h --
+ * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/sched.h
+ */
+
+
+_S(0, "SCHED_OTHER" )
+_S(1, "SCHED_FIFO" )
+_S(2, "SCHED_RR" )
+_S(3, "SCHED_BATCH" )
+_S(5, "SCHED_IDLE" )
+_S(6, "SCHED_DEADLINE")
+
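Review bot: The comment above `typedef struct _rnode` is a copy of the nvnode comment ("per item goes here", with a stray `* *` on its second line) and does not describe a record node at all. Suggest `/* One parsed record of an event: the raw text, its header fields (type, machine, syscall, a0, a1), the name-value list of its parsed elements, and where in the source it was found. */`, which only restates what the per-field comments already say.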
diff --git a/framework/src/audit/auparse/seccomptab.h b/framework/src/audit/auparse/seccomptab.h new file mode 100644 index 00000000..3fd5aff9 --- /dev/null +++ b/framework/src/audit/auparse/seccomptab.h @@ -0,0 +1,30 @@ +/* seccomptab.h -- + * Copyright 2012-13 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/seccomp.h + */ + + +_S(0x00000000U, "kill" ) +_S(0x00030000U, "trap" ) +_S(0x00050000U, "errno" ) +_S(0x7ff00000U, "trace" ) +_S(0x7fff0000U, "allow" ) + diff --git a/framework/src/audit/auparse/seektab.h b/framework/src/audit/auparse/seektab.h new file mode 100644 index 00000000..118d5fc6 --- /dev/null +++ b/framework/src/audit/auparse/seektab.h 
@@ -0,0 +1,29 @@ +/* seektab.h -- + * Copyright 2013 Red Hat Inc., Durham, North Carolina. + * All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Authors: + * Steve Grubb <sgrubb@redhat.com> + * Location: include/uapi/linux/fs.h + */ + +_S(0, "SEEK_SET") +_S(1, "SEEK_CUR") +_S(2, "SEEK_END") +_S(3, "SEEK_DATA") +_S(4, "SEEK_HOLE") + diff --git a/framework/src/audit/auparse/shm_modetab.h b/framework/src/audit/auparse/shm_modetab.h new file mode 100644 index 00000000..10b5b108 --- /dev/null +++ b/framework/src/audit/auparse/shm_modetab.h 
@@ -0,0 +1,29 @@
+/* shm_mode.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/shm.h
+ */
+
+
+_S(00001000, "SHM_DEST" )
+_S(00002000, "SHM_LOCKED" )
+_S(00004000, "SHM_HUGETLB" )
+_S(00010000, "SHM_NORESERVE" )
+
diff --git a/framework/src/audit/auparse/signaltab.h b/framework/src/audit/auparse/signaltab.h
new file mode 100644
index 00000000..173ad9f2
--- /dev/null
+++ b/framework/src/audit/auparse/signaltab.h
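Review bot: The header comment names the file `shm_mode.h` while the file added is `shm_modetab.h`; the first line should read `/* shm_modetab.h --` so it matches the other tables. The four keys are single octal mode bits rather than enumerated values, so this table presumably has to be consulted as a bit mask (several flags can be set at once) instead of by exact match like seektab.h; a one-line comment above the entries stating that, e.g. `/* bit flags: test each entry against the mode, do not match the whole value */`, would save the next reader a trip to the lookup code, which is outside this hunk.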
@@ -0,0 +1,56 @@
+/* signaltab.h --
+ * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/asm-generic/signal.h
+ */
+
+_S(0, "SIG0" )
+_S(1, "SIGHUP" )
+_S(2, "SIGINT" )
+_S(3, "SIGQUIT" )
+_S(4, "SIGILL" )
+_S(5, "SIGTRAP" )
+_S(6, "SIGABRT" )
+_S(7, "SIGBUS" )
+_S(8, "SIGFPE" )
+_S(9, "SIGKILL" )
+_S(10, "SIGUSR1" )
+_S(11, "SIGSEGV" )
+_S(12, "SIGUSR2" )
+_S(13, "SIGPIPE" )
+_S(14, "SIGALRM" )
+_S(15, "SIGTERM" )
+_S(16, "SIGSTKFLT" )
+_S(17, "SIGCHLD" )
+_S(18, "SIGCONT" )
+_S(19, "SIGSTOP" )
+_S(20, "SIGTSTP" )
+_S(21, "SIGTTIN" )
+_S(22, "SIGTTOU" )
+_S(23, "SIGURG" )
+_S(24, "SIGXCPU" )
+_S(25, "SIGXFSZ" )
+_S(26, "SIGVTALRM" )
+_S(27, "SIGPROF" )
+_S(28, "SIGWINCH" )
+_S(29, "SIGIO" )
+_S(30, "IGPWR" )
+_S(31, "SIGSYS" )
+
diff --git a/framework/src/audit/auparse/sockleveltab.h b/framework/src/audit/auparse/sockleveltab.h
new file mode 100644
index 00000000..bf376ade
--- /dev/null
+++ b/framework/src/audit/auparse/sockleveltab.h
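Review bot: `_S(30, "IGPWR" )` drops the leading S: signal 30 is SIGPWR in asm-generic/signal.h, so any interpreted `sig=30` field (and anything keyed on the name) comes out misspelled; change it to `_S(30, "SIGPWR" )`. Nothing above 31 is listed, so SIGRTMIN and the real-time range will not interpret; that is fine if the lookup outside this hunk falls back to printing the number, but a short comment such as `/* standard signals only; real-time signals are left numeric */` would make that deliberate rather than an omission.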
@@ -0,0 +1,56 @@
+/* sockleveltab.h --
+ * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/socket.h
+ */
+
+
+_S(0, "SOL_IP")
+_S(6, "SOL_TCP")
+_S(17, "SOL_UDP")
+_S(41, "SOL_IPV6")
+_S(58, "SOL_ICMPV6")
+_S(132, "SOL_SCTP")
+_S(136, "SOL_UDPLITE")
+_S(255, "SOL_RAW")
+_S(256, "SOL_IPX")
+_S(257, "SOL_AX25")
+_S(258, "SOL_ATALK")
+_S(259, "SOL_NETROM")
+_S(260, "SOL_ROSE")
+_S(261, "SOL_DECNET")
+_S(263, "SOL_PACKET")
+_S(264, "SOL_ATM")
+_S(265, "SOL_AAL")
+_S(266, "SOL_IRDA")
+_S(267, "SOL_NETBEUI")
+_S(268, "SOL_LLC")
+_S(269, "SOL_DCCP")
+_S(270, "SOL_NETLINK")
+_S(271, "SOL_TIPC")
+_S(272, "SOL_RXRPC")
+_S(273, "SOL_PPPOL2TP")
+_S(274, "SOL_BLUETOOTH")
+_S(275, "SOL_PNPIPE")
+_S(276, "SOL_RDS")
+_S(277, "SOL_IUCV")
+_S(278, "SOL_CAIF")
+_S(279, "SOL_ALG")
+_S(280, "SOL_NFC")
diff --git a/framework/src/audit/auparse/sockoptnametab.h b/framework/src/audit/auparse/sockoptnametab.h
new file mode 100644
index 00000000..85c6692d
--- /dev/null
+++ b/framework/src/audit/auparse/sockoptnametab.h
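Review bot: SOL_SOCKET is absent from the table, which is consistent with the stated source (include/linux/socket.h does not define it; it lives in asm-generic/socket.h as 1), but it is the level most setsockopt calls use, so unless the lookup outside this hunk special-cases it, a level value of 1 is rendered as a bare number while every protocol level gets a name. If the omission is deliberate because the caller handles SOL_SOCKET before consulting the table, a comment above the entries saying so, e.g. `/* SOL_SOCKET (asm-generic: 1) is handled by the caller, not listed here */`, would stop the next maintainer from "fixing" it.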
@@ -0,0 +1,84 @@
+/* sockoptnametab.h --
+ * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * File: include/uapi/asm-generic/socket.h
+ */
+
+
+_S(1, "SO_DEBUG")
+_S(2, "SO_REUSEADDR")
+_S(3, "SO_TYPE")
+_S(4, "SO_ERROR")
+_S(5, "SO_DONTROUTE")
+_S(6, "SO_BROADCAST")
+_S(7, "SO_SNDBUF")
+_S(8, "SO_RCVBUF")
+_S(9, "SO_KEEPALIVE")
+_S(10, "SO_OOBINLINE")
+_S(11, "SO_NO_CHECK")
+_S(12, "SO_PRIORITY")
+_S(13, "SO_LINGER")
+_S(14, "SO_BSDCOMPAT")
+_S(15, "SO_REUSEPORT")
+_S(16, "SO_PASSCRED")
+_S(17, "SO_PEERCRED")
+_S(18, "SO_RCVLOWAT")
+_S(19, "SO_SNDLOWAT")
+_S(20, "SO_RCVTIMEO")
+_S(21, "SO_SNDTIMEO")
+_S(22, "SO_SECURITY_AUTHENTICATION")
+_S(23, "SO_SECURITY_ENCRYPTION_TRANSPORT")
+_S(24, "SO_SECURITY_ENCRYPTION_NETWORK")
+_S(25, "SO_BINDTODEVICE")
+_S(26, "SO_ATTACH_FILTER")
+_S(27, "SO_DETACH_FILTER")
+_S(28, "SO_PEERNAME")
+_S(29, "SO_TIMESTAMP")
+_S(30, "SO_ACCEPTCONN")
+_S(31, "SO_PEERSEC")
+_S(32, "SO_SNDBUFFORCE")
+_S(33, "SO_RCVBUFFORCE")
+_S(34, "SO_PASSSEC")
+_S(35, "SO_TIMESTAMPNS")
+_S(36, "SO_MARK")
+_S(37, "SO_TIMESTAMPING")
+_S(38, "SO_PROTOCOL")
+_S(39, "SO_DOMAIN")
+_S(40, "SO_RXQ_OVFL")
+_S(41, "SO_WIFI_STATUS")
+_S(42, "SO_PEEK_OFF")
+_S(43, "SO_NOFCS")
+_S(44, "SO_LOCK_FILTER")
+_S(45, "SO_SELECT_ERR_QUEUE")
+_S(46, "SO_BUSY_POLL")
+_S(47, "SO_MAX_PACING_RATE")
+_S(48, "SO_BPF_EXTENSIONS")
+_S(49, "SO_INCOMING_CPU")
+_S(50, "SO_ATTACH_BPF")
+
+// PPC has these different
+_S(116, "SO_RCVLOWAT")
+_S(117, "SO_SNDLOWAT")
+_S(118, "SO_RCVTIMEO")
+_S(119, "SO_SNDTIMEO")
+_S(120, "SO_PASSCRED")
+_S(121, "SO_PEERCRED")
+
+
diff --git a/framework/src/audit/auparse/socktab.h b/framework/src/audit/auparse/socktab.h
new file mode 100644
index 00000000..8907b4b3
--- /dev/null
+++ b/framework/src/audit/auparse/socktab.h
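Review bot: The `// PPC has these different` block adds keys 116–121 unconditionally, so on every architecture an option number in that range is rendered with a legitimate SO_* name even where no such option exists, and the header comment names only asm-generic/socket.h as the source, so a reader cannot tell which PPC header these six numbers were taken from. If the intent is to interpret logs produced on another host (which would justify not wrapping the block in an arch check), say so: `// PPC has these different; kept unconditionally so logs from PPC hosts interpret elsewhere (source: <PPC-HEADER-PATH>)`, with the path filled in. Minor: this table says `File:` where the sibling tables in this commit say `Location:`; aligning the wording keeps the headers greppable.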
@@ -0,0 +1,44 @@
+/* socktab.h --
+ * Copyright 2007,2011-13 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/net.h
+ */
+
+_S(SYS_SOCKET, "socket" )
+_S(SYS_BIND, "bind" )
+_S(SYS_CONNECT, "connect" )
+_S(SYS_LISTEN, "listen" )
+_S(SYS_ACCEPT, "accept" )
+_S(SYS_GETSOCKNAME, "getsockname" )
+_S(SYS_GETPEERNAME, "getpeername" )
+_S(SYS_SOCKETPAIR, "socketpair" )
+_S(SYS_SEND, "send" )
+_S(SYS_RECV, "recv" )
+_S(SYS_SENDTO, "sendto" )
+_S(SYS_RECVFROM, "recvfrom" )
+_S(SYS_SHUTDOWN, "shutdown" )
+_S(SYS_SETSOCKOPT, "setsockopt" )
+_S(SYS_GETSOCKOPT, "getsockopt" )
+_S(SYS_SENDMSG, "sendmsg" )
+_S(SYS_RECVMSG, "recvmsg" )
+_S(SYS_ACCEPT4, "accept4" )
+_S(19, "recvmmsg" )
+_S(20, "sendmmsg" )
+
diff --git a/framework/src/audit/auparse/socktypetab.h b/framework/src/audit/auparse/socktypetab.h
new file mode 100644
index 00000000..ec00ecfa
--- /dev/null
+++ b/framework/src/audit/auparse/socktypetab.h
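Review bot: The last two entries, `_S(19, "recvmmsg" )` and `_S(20, "sendmmsg" )`, use bare literals while the other eighteen use the SYS_* macros from linux/net.h, and nothing explains the switch; presumably the build host's header predates SYS_RECVMMSG/SYS_SENDMMSG, but that is an inference. A comment on the line before them, `/* SYS_RECVMMSG/SYS_SENDMMSG are missing from older linux/net.h; values hard-coded */`, records the reason, and if the macros are in fact available the literals should become `_S(SYS_RECVMMSG, "recvmmsg" )` and `_S(SYS_SENDMMSG, "sendmmsg" )` so a future renumbering cannot silently diverge.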
@@ -0,0 +1,31 @@
+/* socktypetab.h --
+ * Copyright 2012 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/net.h
+ */
+
+_S(1, "SOCK_STREAM")
+_S(2, "SOCK_DGRAM")
+_S(3, "SOCK_RAW")
+_S(4, "SOCK_RDM")
+_S(5, "SOCK_SEQPACKET")
+_S(6, "SOCK_DCCP")
+_S(10, "SOCK_PACKET")
+
diff --git a/framework/src/audit/auparse/tcpoptnametab.h b/framework/src/audit/auparse/tcpoptnametab.h
new file mode 100644
index 00000000..64e1cbe0
--- /dev/null
+++ b/framework/src/audit/auparse/tcpoptnametab.h
@@ -0,0 +1,49 @@
+/* tcpoptnametab.h --
+ * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/uapi/linux/tcp.h
+ */
+
+_S(1, "TCP_NODELAY")
+_S(2, "TCP_MAXSEG")
+_S(3, "TCP_CORK")
+_S(4, "TCP_KEEPIDLE")
+_S(5, "TCP_KEEPINTVL")
+_S(6, "TCP_KEEPCNT")
+_S(7, "TCP_SYNCNT")
+_S(8, "TCP_LINGER2")
+_S(9, "TCP_DEFER_ACCEPT")
+_S(10, "TCP_WINDOW_CLAMP")
+_S(11, "TCP_INFO")
+_S(12, "TCP_QUICKACK")
+_S(13, "TCP_CONGESTION")
+_S(14, "TCP_MD5SIG")
+_S(15, "TCP_COOKIE_TRANSACTIONS")
+_S(16, "TCP_THIN_LINEAR_TIMEOUTS")
+_S(17, "TCP_THIN_DUPACK")
+_S(18, "TCP_USER_TIMEOUT")
+_S(19, "TCP_REPAIR")
+_S(20, "TCP_REPAIR_QUEUE")
+_S(21, "TCP_QUEUE_SEQ")
+_S(22, "TCP_REPAIR_OPTIONS")
+_S(23, "TCP_FASTOPEN")
+_S(24, "TCP_TIMESTAMP")
+_S(25, "TCP_NOTSENT_LOWAT")
+
diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am
new file mode 100644
index 00000000..19793508
--- /dev/null
+++ b/framework/src/audit/auparse/test/Makefile.am
@@ -0,0 +1,91 @@
+# Makefile.am --
+# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina.
+# All Rights Reserved.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# Authors:
+# Steve Grubb <sgrubb@redhat.com>
+#
+
+CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
+AUTOMAKE_OPTIONS = no-dependencies
+check_PROGRAMS = auparse_test
+dist_check_SCRIPTS = auparse_test.py
+EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log
+
+AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
+
+auparse_test_SOURCES = auparse_test.c
+auparse_test_LDFLAGS = -static
+auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
+ ${top_builddir}/lib/libaudit.la
+
+drop_srcdir = sed 's,$(srcdir)/test,test,'
+
+check: auparse_test
+ test "$(top_srcdir)" = "$(top_builddir)" || \
+ cp $(top_srcdir)/auparse/test/test*.log .
+ LC_ALL=C \
+ ./auparse_test > auparse_test.cur
+ diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
+if HAVE_PYTHON
+ cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
+ | $(drop_srcdir) > auparse_test.cur
+ diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
+endif
+ echo -e "===================\nAuparse Test Passes\n==================="
+
+diffcheck: auparse_test
+ ./auparse_test > auparse_test.cur
+ diff -u $(srcdir)/auparse_test.ref auparse_test.cur
+
+memcheck: auparse_test
+ valgrind --leak-check=yes --show-reachable=yes ./auparse_test
+
+pycheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py
+endif
+
+pydiffcheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
+ srcdir=$(srcdir) $(srcdir)/auparse_test.py \
+ | $(drop_srcdir) > auparse_test.cur
+ diff $(srcdir)/auparse_test.ref auparse_test.cur
+endif
+
+pymemcheck: auparse_test.py
+if HAVE_PYTHON
+ PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
+ LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py
+
+${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c
+ cd ${top_builddir}/bindings/python && make
+endif
+
+clean-generic:
+ $(RM) *.cur
+if HAVE_PYTHON
+ $(RM) ${top_builddir}/bindings/swig/python/_audit.so
+endif
+ test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log
diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c
new file mode 100644
index 00000000..a6477d41
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.c
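Review bot: The recipe for `${top_builddir}/bindings/python/build/*/auparse.so` invokes a literal `make`, which does not inherit the parent's jobserver, `-n` or command-line variable overrides; it should be `cd ${top_builddir}/bindings/python && $(MAKE)`. In the same file, `pydiffcheck` diffs the Python output against `$(srcdir)/auparse_test.ref` while the `check` target compares the same pipeline against `auparse_test.ref.py`, so one of the two is presumably the wrong reference and `pydiffcheck` should read `diff -u $(srcdir)/auparse_test.ref.py auparse_test.cur`. The `echo -e` at the end of `check` is a bashism that a POSIX `sh` prints literally; `printf '===================\nAuparse Test Passes\n===================\n'` behaves the same everywhere. Also, `check`, `diffcheck`, `memcheck`, `pycheck`, `pydiffcheck` and `pymemcheck` are command targets and could carry a `.PHONY:` declaration so a stray file of that name cannot short-circuit them.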
@@ -0,0 +1,469 @@ +#include <stdio.h> +#include <stdlib.h> +#include <unistd.h> +#include <string.h> +#include <locale.h> +#include <errno.h> +#include <libaudit.h> +#include <auparse.h> + + +static const char *buf[] = { + "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n" + "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n", + + "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n", + + NULL +}; + + +static void walk_test(auparse_state_t *au) +{ + int event_cnt = 1, record_cnt; + + do { + if (auparse_first_record(au) <= 0) { + printf("Error getting first record (%s)\n", + strerror(errno)); + exit(1); + } + printf("event %d has %d records\n", event_cnt, + auparse_get_num_records(au)); + record_cnt = 1; + do { + printf(" record %d of type %d(%s) has %d fields\n", + record_cnt, + auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + printf(" line=%d file=%s\n", + auparse_get_line_number(au), + auparse_get_filename(au) ? + auparse_get_filename(au) : "None"); + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + printf("Error getting timestamp - aborting\n"); + exit(1); + } + printf(" event time: %u.%u:%lu, host=%s\n", + (unsigned)e->sec, + e->milli, e->serial, e->host ? 
e->host : "?"); + auparse_first_field(au); + do { + printf(" %s=%s (%s)\n", + auparse_get_field_name(au), + auparse_get_field_str(au), + auparse_interpret_field(au)); + } while (auparse_next_field(au) > 0); + printf("\n"); + record_cnt++; + } while(auparse_next_record(au) > 0); + event_cnt++; + } while (auparse_next_event(au) > 0); +} + +void light_test(auparse_state_t *au) +{ + int record_cnt; + + do { + if (auparse_first_record(au) <= 0) { + puts("Error getting first record"); + exit(1); + } + printf("event has %d records\n", auparse_get_num_records(au)); + record_cnt = 1; + do { + printf(" record %d of type %d(%s) has %d fields\n", + record_cnt, + auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + printf(" line=%d file=%s\n", + auparse_get_line_number(au), + auparse_get_filename(au) ? + auparse_get_filename(au) : "None"); + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + printf("Error getting timestamp - aborting\n"); + exit(1); + } + printf(" event time: %u.%u:%lu, host=%s\n", + (unsigned)e->sec, + e->milli, e->serial, + e->host ? 
e->host : "?"); + printf("\n"); + record_cnt++; + } while(auparse_next_record(au) > 0); + + } while (auparse_next_event(au) > 0); +} + +void simple_search(ausource_t source, austop_t where) +{ + auparse_state_t *au; + const char *val; + + if (source == AUSOURCE_FILE) { + au = auparse_init(AUSOURCE_FILE, "./test.log"); + val = "4294967295"; + } else { + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + val = "848"; + } + if (au == NULL) { + printf("auparse_init error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_set_stop(au, where)){ + printf("ausearch_set_stop error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) <= 0) + printf("Error searching for auid - %s\n", strerror(errno)); + else + printf("Found %s = %s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + auparse_destroy(au); +} + +void compound_search(ausearch_rule_t how) +{ + auparse_state_t *au; + + au = auparse_init(AUSOURCE_FILE, "./test.log"); + if (au == NULL) { + printf("auparse_init error - %s\n", strerror(errno)); + exit(1); + } + if (how == AUSEARCH_RULE_AND) { + if (ausearch_add_item(au, "uid", "=", "0", + AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item 1 error - %s\n", + strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "pid", "=", "13015", how)){ + printf("ausearch_add_item 2 error - %s\n", + strerror(errno)); + exit(1); + } + if (ausearch_add_item(au, "type", "=", "USER_START", how)){ + printf("ausearch_add_item 3 error - %s\n", + strerror(errno)); + exit(1); + } + } else { + if (ausearch_add_item(au, "auid", "=", "42", + AUSEARCH_RULE_CLEAR)){ + printf("ausearch_add_item 4 error - %s\n", + strerror(errno)); + exit(1); + } + // should stop on this one + if (ausearch_add_item(au, "auid", "=", "0", how)){ + printf("ausearch_add_item 5 error - %s\n", + strerror(errno)); + exit(1); + } + if 
(ausearch_add_item(au, "auid", "=", "500", how)){ + printf("ausearch_add_item 6 error - %s\n", + strerror(errno)); + exit(1); + } + } + if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){ + printf("ausearch_set_stop error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) <= 0) + printf("Error searching for auid - %s\n", strerror(errno)); + else + printf("Found %s = %s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + auparse_destroy(au); +} + +void regex_search(const char *expr) +{ + auparse_state_t *au; + int rc; + + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("auparse_init error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_add_regex(au, expr)){ + printf("ausearch_add_regex error - %s\n", strerror(errno)); + exit(1); + } + if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){ + printf("ausearch_set_stop error - %s\n", strerror(errno)); + exit(1); + } + rc = ausearch_next_event(au); + if (rc < 0) + printf("Error searching for %s - %s\n", expr, strerror(errno)); + else if (rc == 0) + printf("Not found\n"); + else + printf("Found %s = %s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + auparse_destroy(au); +} + +static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data) +{ + int *event_cnt = (int *)user_data; + int record_cnt; + + if (cb_event_type == AUPARSE_CB_EVENT_READY) { + if (auparse_first_record(au) <= 0) { + printf("can't get first record\n"); + return; + } + printf("event %d has %d records\n", *event_cnt, + auparse_get_num_records(au)); + record_cnt = 1; + do { + printf(" record %d of type %d(%s) has %d fields\n", + record_cnt, + auparse_get_type(au), + audit_msg_type_to_name(auparse_get_type(au)), + auparse_get_num_fields(au)); + printf(" line=%d file=%s\n", + auparse_get_line_number(au), + auparse_get_filename(au) ? 
+ auparse_get_filename(au) : "None"); + const au_event_t *e = auparse_get_timestamp(au); + if (e == NULL) { + return; + } + printf(" event time: %u.%u:%lu, host=%s\n", + (unsigned)e->sec, + e->milli, e->serial, + e->host ? e->host : "?"); + auparse_first_field(au); + do { + printf(" %s=%s (%s)\n", + auparse_get_field_name(au), + auparse_get_field_str(au), + auparse_interpret_field(au)); + } while (auparse_next_field(au) > 0); + printf("\n"); + record_cnt++; + } while(auparse_next_record(au) > 0); + (*event_cnt)++; + } +} + +int main(void) +{ + //char *files[4] = { "test.log", "test2.log", "test3.log", NULL }; + char *files[3] = { "test.log", "test2.log", NULL }; + setlocale (LC_ALL, ""); + auparse_state_t *au; + + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + + printf("Starting Test 1, iterate...\n"); + while (auparse_next_event(au) > 0) { + if (auparse_find_field(au, "auid")) { + printf("%s=%s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + printf("interp auid=%s\n", auparse_interpret_field(au)); + } else + printf("Error iterating to auid\n"); + } + auparse_reset(au); + while (auparse_next_event(au) > 0) { + if (auparse_find_field(au, "auid")) { + do { + printf("%s=%s\n", auparse_get_field_name(au), + auparse_get_field_str(au)); + printf("interp auid=%s\n", auparse_interpret_field(au)); + } while (auparse_find_field_next(au)); + } else + printf("Error iterating to auid\n"); + } + printf("Test 1 Done\n\n"); + + /* Reset, now lets go to beginning and walk the list manually */ + printf("Starting Test 2, walk events, records, and fields...\n"); + auparse_reset(au); + walk_test(au); + auparse_destroy(au); + printf("Test 2 Done\n\n"); + + /* Reset, now lets go to beginning and walk the list manually */ + printf("Starting Test 3, walk events, records of 1 buffer...\n"); + au = auparse_init(AUSOURCE_BUFFER, buf[1]); + if (au == NULL) { + printf("Error - %s\n", 
strerror(errno)); + return 1; + } + light_test(au); + auparse_destroy(au); + printf("Test 3 Done\n\n"); + + printf("Starting Test 4, walk events, records of 1 file...\n"); + au = auparse_init(AUSOURCE_FILE, "./test.log"); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + walk_test(au); + auparse_destroy(au); + printf("Test 4 Done\n\n"); + + printf("Starting Test 5, walk events, records of 2 files...\n"); + au = auparse_init(AUSOURCE_FILE_ARRAY, files); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + walk_test(au); + auparse_destroy(au); + printf("Test 5 Done\n\n"); + + printf("Starting Test 6, search...\n"); + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){ + printf("Error - %s", strerror(errno)); + return 1; + } + if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){ + printf("Error - %s", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) != 0) { + printf("Error search found something it shouldn't have\n"); + } + puts("auid = 500 not found...which is correct"); + ausearch_clear(au); + auparse_destroy(au); + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){ + printf("Error - %s", strerror(errno)); + return 1; + } + if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){ + printf("Error - %s", strerror(errno)); + exit(1); + } + if (ausearch_next_event(au) <= 0) { + printf("Error searching for existence of auid\n"); + } + puts("auid exists...which is correct"); + puts("Testing BUFFER_ARRAY, stop on field"); + simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD); + puts("Testing BUFFER_ARRAY, stop on record"); + simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD); + puts("Testing BUFFER_ARRAY, stop on event"); + simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT); + 
puts("Testing test.log, stop on field"); + simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD); + puts("Testing test.log, stop on record"); + simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD); + puts("Testing test.log, stop on event"); + simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT); + auparse_destroy(au); + printf("Test 6 Done\n\n"); + + printf("Starting Test 7, compound search...\n"); + au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf); + if (au == NULL) { + printf("Error - %s\n", strerror(errno)); + return 1; + } + compound_search(AUSEARCH_RULE_AND); + compound_search(AUSEARCH_RULE_OR); + auparse_destroy(au); + printf("Test 7 Done\n\n"); + + printf("Starting Test 8, regex search...\n"); + puts("Doing regex match..."); + regex_search("1143146623"); + puts("Doing regex wildcard search..."); + regex_search("11431466.*146"); + printf("Test 8 Done\n\n"); + + /* Note: this should match Test 2 exactly */ + printf("Starting Test 9, buffer feed...\n"); + { + int event_cnt = 1; + size_t len, chunk_len = 3; + const char **cur_buf, *p_beg, *p_end, *p_chunk_beg, + *p_chunk_end; + + au = auparse_init(AUSOURCE_FEED, 0); + auparse_add_callback(au, auparse_callback, &event_cnt, NULL); + for (cur_buf = buf, p_beg = *cur_buf; *cur_buf; + cur_buf++, p_beg = *cur_buf) { + len = strlen(p_beg); + p_end = p_beg + len; + p_chunk_beg = p_beg; + while (p_chunk_beg < p_end) { + p_chunk_end = p_chunk_beg + chunk_len; + if (p_chunk_end > p_end) + p_chunk_end = p_end; + + //fwrite(p_chunk_beg, 1, + // p_chunk_end-p_chunk_beg, stdout); + auparse_feed(au, p_chunk_beg, + p_chunk_end-p_chunk_beg); + p_chunk_beg = p_chunk_end; + } + } + + auparse_flush_feed(au); + auparse_destroy(au); + } + printf("Test 9 Done\n\n"); + + /* Note: this should match Test 4 exactly */ + printf("Starting Test 10, file feed...\n"); + { + int *event_cnt = malloc(sizeof(int)); + size_t len; + char filename[] = "./test.log"; + char buf[4]; + FILE *fp; + + *event_cnt = 1; + au = auparse_init(AUSOURCE_FEED, 0); + 
auparse_add_callback(au, auparse_callback, event_cnt, free); + if ((fp = fopen(filename, "r")) == NULL) { + fprintf(stderr, "could not open '%s', %s\n", + filename, strerror(errno)); + return 1; + } + while ((len = fread(buf, 1, sizeof(buf), fp))) { + auparse_feed(au, buf, len); + } + + fclose(fp); + auparse_flush_feed(au); + auparse_destroy(au); + } + printf("Test 10 Done\n\n"); + + puts("Finished non-admin tests\n"); + + return 0; +} + diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py new file mode 100755 index 00000000..9d9a5c4d --- /dev/null +++ b/framework/src/audit/auparse/test/auparse_test.py 
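Review bot: The second `auparse_init(AUSOURCE_BUFFER_ARRAY, buf)` in Test 6, issued right after `ausearch_clear(au); auparse_destroy(au);`, is passed straight to `ausearch_add_item` without the NULL check every other init in `main` gets, and the two `auparse_init(AUSOURCE_FEED, 0)` calls in Tests 9 and 10 are likewise handed to `auparse_add_callback` unchecked; each wants the same guard the rest of the file uses, `if (au == NULL) { printf("Error - %s\n", strerror(errno)); return 1; }`. In Test 10 the local `char buf[4]` shadows the file-scope `buf` record array, which is legal but easy to misread next to the `auparse_feed(au, buf, len)` call, and the `fopen` failure path returns without `auparse_destroy(au)` or freeing the callback's `event_cnt`; renaming the local to `chunk` and destroying `au` before `return 1` tidies both. Minor consistency point: `walk_test` and `auparse_callback` are `static` while `light_test`, `simple_search`, `compound_search` and `regex_search` are not, though nothing outside this translation unit uses them.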
@@ -0,0 +1,262 @@ +#!/usr/bin/env python + +import os +srcdir = os.getenv('srcdir') + +buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n", +"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n", +] +files = [srcdir + "/test.log", srcdir + "/test2.log"] + +import sys +import time +load_path = '../../bindings/python/build/lib.linux-i686-2.4' +if False: + sys.path.insert(0, load_path) + +import auparse +import audit + +def none_to_null(s): + 'used so output matches C version' + if s is None: + return '(null)' + else: + return s + +def walk_test(au): + event_cnt = 1 + + au.reset() + while True: + if not au.first_record(): + print "Error getting first record" + sys.exit(1) + + print "event %d has %d records" % (event_cnt, au.get_num_records()) + + record_cnt = 1 + while True: + print " record %d of type %d(%s) has %d fields" % \ + (record_cnt, + au.get_type(), audit.audit_msg_type_to_name(au.get_type()), + au.get_num_fields()) + print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) + event = au.get_timestamp() + if event is None: + print "Error getting timestamp - aborting" + sys.exit(1) + + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) + au.first_field() + while True: + print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) + if not au.next_field(): break + print + record_cnt += 1 + if not au.next_record(): break + event_cnt += 1 + if not au.parse_next_event(): break + + +def light_test(au): + 
while True: + if not au.first_record(): + print "Error getting first record" + sys.exit(1) + + print "event has %d records" % (au.get_num_records()) + + record_cnt = 1 + while True: + print " record %d of type %d(%s) has %d fields" % \ + (record_cnt, + au.get_type(), audit.audit_msg_type_to_name(au.get_type()), + au.get_num_fields()) + print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) + event = au.get_timestamp() + if event is None: + print "Error getting timestamp - aborting" + sys.exit(1) + + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) + print + record_cnt += 1 + if not au.next_record(): break + if not au.parse_next_event(): break + +def simple_search(au, source, where): + + if source == auparse.AUSOURCE_FILE: + au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); + val = "4294967295" + else: + au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) + val = "848" + + au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR) + au.search_set_stop(where) + if not au.search_next_event(): + print "Error searching for auid" + else: + print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) + +def compound_search(au, how): + au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); + if how == auparse.AUSEARCH_RULE_AND: + au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR) + au.search_add_item("pid", "=", "13015", how) + au.search_add_item("type", "=", "USER_START", how) + else: + au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR) + # should stop on this one + au.search_add_item("auid", "=", "0", how) + au.search_add_item("auid", "=", "500", how) + + au.search_set_stop(auparse.AUSEARCH_STOP_FIELD) + if not au.search_next_event(): + print "Error searching for auid" + else: + print "Found %s = %s" % (au.get_field_name(), au.get_field_str()) + +def feed_callback(au, cb_event_type, event_cnt): + if cb_event_type == 
auparse.AUPARSE_CB_EVENT_READY: + if not au.first_record(): + print "Error getting first record" + sys.exit(1) + + print "event %d has %d records" % (event_cnt[0], au.get_num_records()) + + record_cnt = 1 + while True: + print " record %d of type %d(%s) has %d fields" % \ + (record_cnt, + au.get_type(), audit.audit_msg_type_to_name(au.get_type()), + au.get_num_fields()) + print " line=%d file=%s" % (au.get_line_number(), au.get_filename()) + event = au.get_timestamp() + if event is None: + print "Error getting timestamp - aborting" + sys.exit(1) + + print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host)) + au.first_field() + while True: + print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field()) + if not au.next_field(): break + print + record_cnt += 1 + if not au.next_record(): break + event_cnt[0] += 1 + +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) + +print "Starting Test 1, iterate..." +while au.parse_next_event(): + if au.find_field("auid"): + print "%s=%s" % (au.get_field_name(), au.get_field_str()) + print "interp auid=%s" % (au.interpret_field()) + else: + print "Error iterating to auid" +print "Test 1 Done\n" + +# Reset, now lets go to beginning and walk the list manually */ +print "Starting Test 2, walk events, records, and fields..." +au.reset() +walk_test(au) +print "Test 2 Done\n" + +# Reset, now lets go to beginning and walk the list manually */ +print "Starting Test 3, walk events, records of 1 buffer..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1]) +light_test(au); +print "Test 3 Done\n" + +print "Starting Test 4, walk events, records of 1 file..." +au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log"); +walk_test(au); +print "Test 4 Done\n" + +print "Starting Test 5, walk events, records of 2 files..." 
+au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files); +walk_test(au); +print "Test 5 Done\n" + +print "Starting Test 6, search..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR) +au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) +if au.search_next_event(): + print "Error search found something it shouldn't have" +else: + print "auid = 500 not found...which is correct" +au.search_clear() +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR) +au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR) +au.search_set_stop(auparse.AUSEARCH_STOP_EVENT) +if not au.search_next_event(): + print "Error searching for existence of auid" +print "auid exists...which is correct" +print "Testing BUFFER_ARRAY, stop on field" +simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD) +print "Testing BUFFER_ARRAY, stop on record" +simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD) +print "Testing BUFFER_ARRAY, stop on event" +simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT) +print "Testing test.log, stop on field" +simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD) +print "Testing test.log, stop on record" +simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD) +print "Testing test.log, stop on event" +simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT) +print "Test 6 Done\n" + +print "Starting Test 7, compound search..." +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +compound_search(au, auparse.AUSEARCH_RULE_AND) +compound_search(au, auparse.AUSEARCH_RULE_OR) +print "Test 7 Done\n" + +print "Starting Test 8, regex search..." 
+au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +print "Doing regex match...\n" +au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf) +print "Test 8 Done\n" + +# Note: this should match Test 2 exactly +# Note: this should match Test 2 exactly +print "Starting Test 9, buffer feed..." +au = auparse.AuParser(auparse.AUSOURCE_FEED); +event_cnt = 1 +au.add_callback(feed_callback, [event_cnt]) +chunk_len = 3 +for s in buf: + s_len = len(s) + beg = 0 + while beg < s_len: + end = min(s_len, beg + chunk_len) + data = s[beg:end] + beg += chunk_len + au.feed(data) +au.flush_feed() +print "Test 9 Done\n" + +# Note: this should match Test 4 exactly +print "Starting Test 10, file feed..." +au = auparse.AuParser(auparse.AUSOURCE_FEED); +event_cnt = 1 +au.add_callback(feed_callback, [event_cnt]) +f = open(srcdir + "/test.log"); +while True: + data = f.read(4) + if not data: break + au.feed(data) +au.flush_feed() +print "Test 10 Done\n" + +print "Finished non-admin tests\n" + +au = None +sys.exit(0) + diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref new file mode 100644 index 00000000..6cc399bd --- /dev/null +++ b/framework/src/audit/auparse/test/auparse_test.ref 
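Review bot: Test 8 in auparse_test.py never exercises a regex search: after `print "Doing regex match...\n"` it only re-creates the AuParser and prints `Test 8 Done`, so the binding's regex path (the C test calls `regex_search("1143146623")` and `regex_search("11431466.*146")` in auparse_test.c) is not covered while the reference output still passes. Add the two regex searches through the binding's regex-search method (the wrapper for auparse_add_regex; its Python name is not visible in this hunk), print the found field as simple_search does, and update auparse_test.ref.py accordingly. Separately, `srcdir = os.getenv('srcdir')` is None when the script is run outside `make check`, so `files = [srcdir + "/test.log", srcdir + "/test2.log"]` raises a TypeError before any test runs; `srcdir = os.getenv('srcdir', '.')` keeps a standalone run working. The handle opened in Test 10 via `f = open(srcdir + "/test.log")` is never closed (use `with open(...) as f:`), and the `load_path` / `if False:` stanza near the top is dead code that should be removed.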
@@ -0,0 +1,803 @@ +Starting Test 1, iterate... +auid=4294967295 +interp auid=unset +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +auid=4294967295 +interp auid=unset +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +Test 1 Done + +Starting Test 2, walk events, records, and fields... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=? + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=? + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 2 Done + +Starting Test 3, walk events, records of 1 buffer... +event has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=1 file=None + event time: 1143146623.879:146, host=? + +Test 3 Done + +Starting Test 4, walk events, records of 1 file... 
+event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=./test.log + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=./test.log + event time: 1170021493.977:293, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=./test.log + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=./test.log + event time: 1170021493.977:293, host=? 
+ type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=./test.log + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=./test.log + event time: 1170021601.342:295, host=? + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=./test.log + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=./test.log + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=./test.log + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=./test.log + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 4 Done + +Starting Test 5, walk events, records of 2 files... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test.log + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test.log + event time: 1170021493.977:293, host=? 
+ type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test.log + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test.log + event time: 1170021493.977:293, host=? + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test.log + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test.log + event time: 1170021601.342:295, host=? 
+ type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test.log + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test.log + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test.log + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test.log + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 8 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test2.log + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read (read) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test2.log + event time: 1170021493.977:293, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test2.log + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test2.log + event time: 1170021493.977:293, host=? 
+ type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 9 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test2.log + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 10 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test2.log + event time: 1170021601.342:295, host=? + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 11 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test2.log + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 12 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test2.log + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 13 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test2.log + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 14 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test2.log + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 5 Done + +Starting Test 6, search... +auid = 500 not found...which is correct +auid exists...which is correct +Testing BUFFER_ARRAY, stop on field +Found auid = 848 +Testing BUFFER_ARRAY, stop on record +Found type = SYSCALL +Testing BUFFER_ARRAY, stop on event +Found type = SYSCALL +Testing test.log, stop on field +Found auid = 4294967295 +Testing test.log, stop on record +Found type = SYSCALL +Testing test.log, stop on event +Found type = AVC +Test 6 Done + +Starting Test 7, compound search... +Found type = USER_START +Found auid = 0 +Test 7 Done + +Starting Test 8, regex search... +Doing regex match... +Found type = LOGIN +Doing regex wildcard search... +Found type = USER_LOGIN +Test 8 Done + +Starting Test 9, buffer feed... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=? 
+ type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=? + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=? + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 9 Done + +Starting Test 10, file feed... +event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=None + event time: 1170021493.977:293, host=? + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=None + event time: 1170021493.977:293, host=? 
+ type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=None + event time: 1170021493.977:293, host=? + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=None + event time: 1170021493.977:293, host=? + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=None + event time: 1170021601.340:294, host=? + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=None + event time: 1170021601.342:295, host=? 
+ type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=None + event time: 1170021601.343:296, host=? + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=None + event time: 1170021601.344:297, host=? + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=None + event time: 1170021601.364:298, host=? + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=None + event time: 1170021601.366:299, host=? + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 10 Done + +Finished non-admin tests + 
diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py
new file mode 100644
index 00000000..d25e0645
--- /dev/null
+++ b/framework/src/audit/auparse/test/auparse_test.ref.py
@@ -0,0 +1,793 @@ +Starting Test 1, iterate... +auid=4294967295 +interp auid=unset +auid=848 +interp auid=unknown(848) +auid=848 +interp auid=unknown(848) +Test 1 Done + +Starting Test 2, walk events, records, and fields... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=(null) + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=(null) + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 2 Done + +Starting Test 3, walk events, records of 1 buffer... +event has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=1 file=None + event time: 1143146623.879:146, host=(null) + +Test 3 Done + +Starting Test 4, walk events, records of 1 file... 
+event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test.log + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test.log + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test.log + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test.log + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 
(system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test.log + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test.log + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test.log + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test.log + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test.log + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test.log + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 4 Done + +Starting Test 5, walk events, records of 2 files... 
+event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test.log + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test.log + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test.log + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test.log + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 
(system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test.log + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test.log + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test.log + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test.log + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test.log + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test.log + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 8 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=test2.log + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read (read) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=test2.log + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 
(unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=test2.log + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=test2.log + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + +event 9 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=test2.log + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 10 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=test2.log + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 11 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=test2.log + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 12 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=test2.log + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 13 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=test2.log + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 14 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=test2.log + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 5 Done + +Starting Test 6, search... 
+auid = 500 not found...which is correct +auid exists...which is correct +Testing BUFFER_ARRAY, stop on field +Found auid = 848 +Testing BUFFER_ARRAY, stop on record +Found type = SYSCALL +Testing BUFFER_ARRAY, stop on event +Found type = SYSCALL +Testing test.log, stop on field +Found auid = 4294967295 +Testing test.log, stop on record +Found type = SYSCALL +Testing test.log, stop on event +Found type = AVC +Test 6 Done + +Starting Test 7, compound search... +Found type = USER_START +Found auid = 0 +Test 7 Done + +Starting Test 8, regex search... +Doing regex match... + +Test 8 Done + +Starting Test 9, buffer feed... +event 1 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=1 file=None + event time: 1143146623.787:142, host=(null) + type=LOGIN (LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=4294967295 (unset) + auid=848 (unknown(848)) + +event 2 has 1 records + record 1 of type 1300(SYSCALL) has 24 fields + line=2 file=None + event time: 1143146623.875:143, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=188 (setxattr) + success=yes (yes) + exit=0 (0) + a0=7fffffa9a9f0 (0x7fffffa9a9f0) + a1=3958d11333 (0x3958d11333) + a2=5131f0 (0x5131f0) + a3=20 (0x20) + items=1 (1) + pid=2027 (2027) + auid=848 (unknown(848)) + uid=0 (root) + gid=0 (root) + euid=0 (root) + suid=0 (root) + fsuid=0 (root) + egid=0 (root) + sgid=0 (root) + fsgid=0 (root) + tty=tty3 (tty3) + comm="login" (login) + exe="/bin/login" (/bin/login) + subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255) + +event 3 has 1 records + record 1 of type 1112(USER_LOGIN) has 10 fields + line=3 file=None + event time: 1143146623.879:146, host=(null) + type=USER_LOGIN (USER_LOGIN) + pid=2027 (2027) + uid=0 (root) + auid=848 (unknown(848)) + uid=848 (unknown(848)) + exe="/bin/login" (/bin/login) + hostname=? (?) + addr=? (?) + terminal=tty3 (tty3) + res=success (success) + +Test 9 Done + +Starting Test 10, file feed... 
+event 1 has 4 records + record 1 of type 1400(AVC) has 11 fields + line=1 file=None + event time: 1170021493.977:293, host=(null) + type=AVC (AVC) + seresult=denied (denied) + seperms=read,write (read,write) + pid=13010 (13010) + comm="pickup" (pickup) + name="maildrop" (maildrop) + dev=hda7 (hda7) + ino=14911367 (14911367) + scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0) + tclass=dir (dir) + + record 2 of type 1300(SYSCALL) has 26 fields + line=2 file=None + event time: 1170021493.977:293, host=(null) + type=SYSCALL (SYSCALL) + arch=c000003e (x86_64) + syscall=2 (open) + success=no (no) + exit=-13 (-13(Permission denied)) + a0=5555665d91b0 (0x5555665d91b0) + a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY) + a2=5555665d91b8 (0x5555665d91b8) + a3=0 (0x0) + items=1 (1) + ppid=2013 (2013) + pid=13010 (13010) + auid=4294967295 (unset) + uid=890 (unknown(890)) + gid=890 (unknown(890)) + euid=890 (unknown(890)) + suid=890 (unknown(890)) + fsuid=890 (unknown(890)) + egid=890 (unknown(890)) + sgid=890 (unknown(890)) + fsgid=890 (unknown(890)) + tty=(none) ((none)) + comm="pickup" (pickup) + exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup) + subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0) + key=(null) ((null)) + + record 3 of type 1307(CWD) has 2 fields + line=3 file=None + event time: 1170021493.977:293, host=(null) + type=CWD (CWD) + cwd="/var/spool/postfix" (/var/spool/postfix) + + record 4 of type 1302(PATH) has 10 fields + line=4 file=None + event time: 1170021493.977:293, host=(null) + type=PATH (PATH) + item=0 (0) + name="maildrop" (maildrop) + inode=14911367 (14911367) + dev=03:07 (03:07) + mode=040730 (dir,730) + ouid=890 (unknown(890)) + ogid=891 (unknown(891)) + rdev=00:00 (00:00) + obj=system_u:object_r:postfix_spool_maildrop_t:s0 
(system_u:object_r:postfix_spool_maildrop_t:s0) + +event 2 has 1 records + record 1 of type 1101(USER_ACCT) has 11 fields + line=5 file=None + event time: 1170021601.340:294, host=(null) + type=USER_ACCT (USER_ACCT) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 3 has 1 records + record 1 of type 1103(CRED_ACQ) has 11 fields + line=6 file=None + event time: 1170021601.342:295, host=(null) + type=CRED_ACQ (CRED_ACQ) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 4 has 1 records + record 1 of type 1006(LOGIN) has 5 fields + line=7 file=None + event time: 1170021601.343:296, host=(null) + type=LOGIN (LOGIN) + pid=13015 (13015) + uid=0 (root) + auid=4294967295 (unset) + auid=0 (root) + +event 5 has 1 records + record 1 of type 1105(USER_START) has 11 fields + line=8 file=None + event time: 1170021601.344:297, host=(null) + type=USER_START (USER_START) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) 
+ terminal=cron (cron) + res=success (success) + +event 6 has 1 records + record 1 of type 1104(CRED_DISP) has 11 fields + line=9 file=None + event time: 1170021601.364:298, host=(null) + type=CRED_DISP (CRED_DISP) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +event 7 has 1 records + record 1 of type 1106(USER_END) has 11 fields + line=10 file=None + event time: 1170021601.366:299, host=(null) + type=USER_END (USER_END) + pid=13015 (13015) + uid=0 (root) + auid=0 (root) + subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023) + acct=root (root) + exe="/usr/sbin/crond" (/usr/sbin/crond) + hostname=? (?) + addr=? (?) + terminal=cron (cron) + res=success (success) + +Test 10 Done + +Finished non-admin tests + diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log new file mode 100644 index 00000000..e0ffabf5 --- /dev/null +++ b/framework/src/audit/auparse/test/test.log 
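Review bot: The expected output in this reference pins the interpreted identity columns — `uid=0 (root)`, `auid=848 (unknown(848))`, `uid=890 (unknown(890))`, `ogid=891 (unknown(891))` — so the comparison only holds on a host whose passwd/group database has no entries for uid 848, uid 890 and gid 891; a build machine that happens to define them will print a name there and fail the test for reasons unrelated to the parser. Either choose ids that cannot resolve or have the test driver normalise the parenthesised interpretation before diffing against this file, and state that dependency in a comment at the top of the driver. Separately, the C-side reference earlier in this commit prints `host=?` where this file prints `host=(null)`; if `(null)` is a libc's rendering of a NULL pointer passed through `%s` rather than output auparse itself produces, that line is also libc-specific — worth confirming against the Python test driver.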
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
+type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
+type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
+type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
+type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log
new file mode 100644
index 00000000..588f1e04
--- /dev/null
+++ b/framework/src/audit/auparse/test/test2.log
@@ -0,0 +1,10 @@
+type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
+type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
+type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
+type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
+type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
+type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
+type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
+type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/tty_named_keys.h b/framework/src/audit/auparse/tty_named_keys.h
new file mode 100644
index 00000000..e71ae11e
--- /dev/null
+++ b/framework/src/audit/auparse/tty_named_keys.h
@@ -0,0 +1,409 @@
+/* tty_named_keys.h --
+ * Copyright 2008 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Miloslav Trmač <mitr@redhat.com>
+ */
+
+/* Longest sequences should go first, but these are comparatively common. */
+E("\x01", "^A")
+E("\x02", "^B")
+E("\x03", "^C") // Or "cancel" (3 terms)
+E("\x04", "^D")
+E("\x05", "^E")
+E("\x06", "^F")
+E("\x07", "^G")
+E("\x08", "backspace")
+E("\t", "tab")
+E("\n", "nl")
+E("\x0B", "^K")
+E("\x0C", "^L")
+E("\r", "ret")
+E("\x0E", "^N")
+E("\x0F", "^O")
+E("\x10", "^P")
+E("\x11", "^Q")
+E("\x12", "^R")
+E("\x13", "^S")
+E("\x14", "^T")
+E("\x15", "^U")
+E("\x16", "^V")
+E("\x17", "^W")
+E("\x18", "^X")
+E("\x19", "^Y")
+E("\x1A", "^Z") // Or "suspend" (9 terms)
+/* \x1B handled only after all other escape sequences */
+E("\x7F", "backspace") // 59 terms; alternative: "delete" (11 terms)
+
+// Based on terminal descriptions in ncrses-base-5.6-20.20080927.fc10.
+// Conflicts are marked by comments. Ordering: longest sequences first, then
+// lexicographically.
+E("\x1B[11;2~", "F13")
+E("\x1B[11;3~", "F49")
+E("\x1B[11;4~", "F61")
+E("\x1B[11;5~", "F25")
+E("\x1B[11;6~", "F37")
+E("\x1B[12;2~", "F14")
+E("\x1B[12;3~", "F50")
+E("\x1B[12;4~", "F62")
+E("\x1B[12;5~", "F26")
+E("\x1B[12;6~", "F38")
+E("\x1B[13;2~", "F15")
+E("\x1B[13;3~", "F51")
+E("\x1B[13;4~", "F63")
+E("\x1B[13;5~", "F27")
+E("\x1B[13;6~", "F39")
+E("\x1B[14;2~", "F16")
+E("\x1B[14;3~", "F52")
+E("\x1B[14;5~", "F28")
+E("\x1B[14;6~", "F40")
+E("\x1B[15;2~", "F17")
+E("\x1B[15;3~", "F53")
+E("\x1B[15;5~", "F29")
+E("\x1B[15;6~", "F41")
+E("\x1B[17;2~", "F18")
+E("\x1B[17;3~", "F54")
+E("\x1B[17;5~", "F30")
+E("\x1B[17;6~", "F42")
+E("\x1B[18;2~", "F19")
+E("\x1B[18;3~", "F55")
+E("\x1B[18;5~", "F31")
+E("\x1B[18;6~", "F43")
+E("\x1B[19;2~", "F20")
+E("\x1B[19;3~", "F56")
+E("\x1B[19;5~", "F32")
+E("\x1B[19;6~", "F44")
+E("\x1B[20;2~", "F21")
+E("\x1B[20;3~", "F57")
+E("\x1B[20;5~", "F33")
+E("\x1B[20;6~", "F45")
+E("\x1B[21;2~", "F22")
+E("\x1B[21;3~", "F58")
+E("\x1B[21;5~", "F34")
+E("\x1B[21;6~", "F46")
+E("\x1B[23;2~", "F23")
+E("\x1B[23;3~", "F59")
+E("\x1B[23;5~", "F35")
+E("\x1B[23;6~", "F47")
+E("\x1B[24;2~", "F24")
+E("\x1B[24;3~", "F60")
+E("\x1B[24;5~", "F36")
+E("\x1B[24;6~", "F48")
+E("\x1B""O1;2A", "scroll-backward")
+E("\x1B""O1;2B", "scroll-forward")
+E("\x1B""O1;2C", "shift-right")
+E("\x1B""O1;2D", "shift-left")
+E("\x1B[192z", "F11")
+E("\x1B[193z", "resume") // 3 terms; alternative "F12" (1 term)
+E("\x1B[194z", "options") // 3 terms; alternative "F13" (1 term)
+E("\x1B[195z", "undo") // 4 terms; alternative "F14" (1 term)
+E("\x1B[196z", "help") // 1 term; alternative "F15" (1 term)
+E("\x1B[197z", "copy")
+E("\x1B[198z", "F17")
+E("\x1B[199z", "F18")
+E("\x1B[1;2A", "scroll-backward")
+E("\x1B[1;2B", "scroll-forward")
+E("\x1B[1;2C", "shift-right")
+E("\x1B[1;2D", "shift-left")
+E("\x1B[1;2F", "shift-end")
+E("\x1B[1;2H", "shift-home")
+E("\x1B[200z", "find") // 1 term; alternative "F19" (1 term)
+E("\x1B[201z", "F20")
+E("\x1B[208z", "F31")
+E("\x1B[209z", "F32")
+E("\x1B[210z", "F33")
+E("\x1B[211z", "F34")
+E("\x1B[212z", "F35")
+E("\x1B[213z", "F36")
+E("\x1B[214z", "home")
+E("\x1B[215z", "F38")
+E("\x1B[216z", "page-up")
+E("\x1B[217z", "F40")
+E("\x1B[218z", "B2")
+E("\x1B[219z", "F42")
+E("\x1B[220z", "end")
+E("\x1B[221z", "F44")
+E("\x1B[222z", "page-down") // 4 terms; alternative "F45" (1 term)
+E("\x1B[224z", "F1")
+E("\x1B[225z", "F2")
+E("\x1B[226z", "F3")
+E("\x1B[227z", "F4")
+E("\x1B[228z", "F5")
+E("\x1B[229z", "F6")
+E("\x1B[230z", "F7")
+E("\x1B[231z", "F8")
+E("\x1B[232z", "F9")
+E("\x1B[233z", "F10")
+E("\x1B[234z", "F11") // 3 terms; alternative "F46" (1 term)
+E("\x1B[235z", "F12") // 3 terms; alternative "F47" (1 term)
+E("\x1B[2;2~", "shift-insert")
+E("\x1B[2;5~", "shift-insert")
+E("\x1B[3;2~", "shift-del")
+E("\x1B[3;5~", "shift-del")
+E("\x1B[5;2~", "shift-previous")
+E("\x1B[5;5~", "shift-previous")
+E("\x1B[6;2~", "shift-next")
+E("\x1B[6;5~", "shift-next")
+E("\x1B[11^", "F23")
+E("\x1B[11~", "F1")
+E("\x1B[12^", "F24")
+E("\x1B[12~", "F2")
+E("\x1B[13^", "F25")
+E("\x1B[13~", "F3")
+E("\x1B[14^", "F26")
+E("\x1B[14~", "F4")
+E("\x1B[15^", "F27")
+E("\x1B[15~", "F5")
+E("\x1B[17^", "F28")
+E("\x1B[17~", "F6")
+E("\x1B[18^", "F29")
+E("\x1B[18~", "F7")
+E("\x1B[19^", "F30")
+E("\x1B[19~", "F8")
+E("\x1B[20^", "F31")
+E("\x1B[20~", "F9")
+E("\x1B[21^", "F32")
+E("\x1B[21~", "F10") // 85 terms; alternative "F0" (9 terms)
+E("\x1B[23$", "F21")
+E("\x1B[23@", "F43")
+E("\x1B[23^", "F33")
+E("\x1B[23~", "F11")
+E("\x1B[24$", "F22")
+E("\x1B[24@", "F44")
+E("\x1B[24^", "F34")
+E("\x1B[24~", "F12")
+E("\x1B[25^", "F35")
+E("\x1B[25~", "F13")
+E("\x1B[26^", "F36")
+E("\x1B[26~", "F14")
+E("\x1B[28^", "F37")
+E("\x1B[28~", "F15") // 42 terms; alternative "help" (8 terms)
+E("\x1B[29^", "F38")
+E("\x1B[29~", "F16") // 42 terms; alternative "redo" (4 terms)
+E("\x1B[30~", "insert-line")
+E("\x1B[31^", "F39")
+E("\x1B[31~", "F17") // 46 terms; alternative "delete-line" (1 term)
+E("\x1B[32^", "F40")
+E("\x1B[32~", "F18")
+E("\x1B[33^", "F41")
+E("\x1B[33~", "F19")
+E("\x1B[34^", "F42")
+E("\x1B[34~", "F20")
+E("\x1B""O2A", "scroll-backward")
+E("\x1B""O2B", "scroll-forward")
+E("\x1B""O2C", "shift-right")
+E("\x1B""O2D", "shift-left")
+E("\x1B""O2P", "F13")
+E("\x1B""O2Q", "F14")
+E("\x1B""O2R", "F15")
+E("\x1B""O2S", "F16")
+E("\x1B""O3P", "F49")
+E("\x1B""O3Q", "F50")
+E("\x1B""O3R", "F51")
+E("\x1B""O3S", "F52")
+E("\x1B""O4P", "F61")
+E("\x1B""O4Q", "F62")
+E("\x1B""O4R", "F63")
+E("\x1B""O5C", "shift-right")
+E("\x1B""O5D", "shift-left")
+E("\x1B""O5F", "shift-end")
+E("\x1B""O5H", "shift-home")
+E("\x1B""O5P", "F25")
+E("\x1B""O5Q", "F26")
+E("\x1B""O5R", "F27")
+E("\x1B""O5S", "F28")
+E("\x1B""O6P", "F37")
+E("\x1B""O6Q", "F38")
+E("\x1B""O6R", "F39")
+E("\x1B""O6S", "F40")
+E("\x1B[1~", "home") // 30 terms; alternative "find" (42 terms, but "home" is used in Linux)
+E("\x1B[2$", "shift-insert")
+E("\x1B[2z", "insert")
+E("\x1B[2~", "insert")
+E("\x1B[3$", "shift-del")
+E("\x1B[3z", "delete")
+E("\x1B[3~", "delete")
+E("\x1B[4~", "end") // 30 terms; alternative "select" (42 terms, but "end" is used in Linux)
+E("\x1B[5$", "shift-previous")
+E("\x1B[5~", "page-up") // 86 terms; alternative "A3" (4 terms)
+E("\x1B[6$", "shift-next")
+E("\x1B[6~", "page-down") // 86 terms; alternative "C3" (4 terms)
+E("\x1B[7$", "shift-home")
+E("\x1B[7~", "home") // 17 terms; alternative "A1" (4 terms)
+E("\x1B[8$", "shift-end")
+E("\x1B[8^", "delete-eol")
+E("\x1B[8~", "end") // 17 terms; alternatives "C1" (4 terms), "delete-eol" (1 term)
+E("\x1B[>M", "mouse")
+E("\x1B[[A", "F1")
+E("\x1B[[B", "F2")
+E("\x1B[[C", "F3")
+E("\x1B[[D", "F4")
+E("\x1B[[E", "F5")
+E("\x9B""11~", "F1")
+E("\x9B""12~", "F2")
+E("\x9B""13~", "F3")
+E("\x9B""14~", "F4")
+E("\x9B""15~", "F5")
+E("\x9B""17~", "F6")
+E("\x9B""18~", "F7")
+E("\x9B""19~", "F8")
+E("\x9B""20~", "F9")
+E("\x9B""21~", "F10")
+E("\x9B""23~", "F11")
+E("\x9B""24~", "F12")
+E("\x9B""25~", "F13")
+E("\x9B""26~", "F14")
+E("\x9B""28~", "F15")
+E("\x9B""29~", "F16")
+E("\x9B""31~", "F17")
+E("\x9B""32~", "F18")
+E("\x9B""33~", "F19")
+E("\x9B""34~", "F20")
+E("\x1B""2$", "shift-insert")
+E("\x1B""OA", "up")
+E("\x1B""OB", "down")
+E("\x1B""OC", "right")
+E("\x1B""OD", "left")
+E("\x1B""OE", "B2") // 16 terms; alternative "begin" (5 terms)
+E("\x1B""OF", "end")
+E("\x1B""OH", "home")
+E("\x1B""OM", "send")
+E("\x1B""OP", "F1")
+E("\x1B""OQ", "F2")
+E("\x1B""OR", "F3")
+E("\x1B""OS", "F4")
+E("\x1B""OT", "F5")
+E("\x1B""OU", "F6")
+E("\x1B""OV", "F7")
+E("\x1B""OW", "F8")
+E("\x1B""OX", "F9")
+E("\x1B""OY", "F10")
+E("\x1B""OZ", "F11")
+E("\x1B""O[", "F12")
+E("\x1B""Ol", "F8")
+E("\x1B""On", "C3")
+E("\x1B""Op", "C1")
+E("\x1B""Oq", "C1") // 17 terms; alternatives "A1" (5 terms), "F0" (1 term)
+E("\x1B""Or", "B2")
+E("\x1B""Os", "C3") // 17 terms; alternative "A3" (7 terms)
+E("\x1B""Ot", "F5")
+E("\x1B""Ou", "B2") // 21 terms; alternative "F6" (4 terms), "begin" (4 terms)
+E("\x1B""Ov", "F7")
+E("\x1B""Ow", "A1") // 17 terms; alternative "F9" (4 terms)
+E("\x1B""Ox", "F10")
+E("\x1B""Oy", "A3") // 17 terms; alternative "F0" (5 terms)
+E("\x1B[9", "delete")
+E("\x1B[@", "F41") // 4 terms; alternative "insert" (3 terms)
+E("\x1B[A", "up")
+E("\x1B[B", "down")
+E("\x1B[C", "right")
+E("\x1B[D", "left")
+E("\x1B[E", "B2") // 9 terms; alternative "begin" (1 term)
+E("\x1B[F", "end") // 5 terms; alternative "lower-left" (3 terms)
+E("\x1B[G", "B2") // 9 terms; alternative "page-down" (4 terms)
+E("\x1B[H", "home")
+E("\x1B[I", "page-up")
+E("\x1B[L", "insert")
+E("\x1B[M", "mouse") // 83 terms; alternative "F1" (4 terms)
+E("\x1B[N", "F2")
+E("\x1B[O", "F3")
+E("\x1B[P", "F4")
+E("\x1B[Q", "F5")
+E("\x1B[R", "F6")
+E("\x1B[S", "F7")
+E("\x1B[T", "F8")
+E("\x1B[U", "F9") // 4 terms; alternative "page-down" (3 terms)
+E("\x1B[V", "F10") // 4 terms; alternative "page-dup" (3 terms)
+E("\x1B[W", "F11")
+E("\x1B[X", "F12")
+E("\x1B[Y", "F13") // 4 terms; alternative "end" (3 terms)
+E("\x1B[Z", "back-tab") // 59 terms; alternative "F14" (4 terms)
+E("\x1B[[", "F42")
+E("\x1B[\\", "F43")
+E("\x1B[]", "F44")
+E("\x1B[^", "F45")
+E("\x1B[_", "F46")
+E("\x1B[`", "F47")
+E("\x1B[a", "F15")
+E("\x1B[b", "F16")
+E("\x1B[c", "shift-right") // 15 terms; alternative "F17" (4 terms)
+E("\x1B[d", "shift-left") // 15 terms; alternative "F18" (4 terms)
+E("\x1B[e", "F19")
+E("\x1B[f", "F20")
+E("\x1B[g", "F21")
+E("\x1B[h", "F22")
+E("\x1B[i", "F23")
+E("\x1B[j", "F24")
+E("\x1B[k", "F25")
+E("\x1B[l", "F26")
+E("\x1B[m", "F27")
+E("\x1B[n", "F28")
+E("\x1B[o", "F29")
+E("\x1B[p", "F30")
+E("\x1B[q", "F31")
+E("\x1B[r", "F32")
+E("\x1B[s", "F33")
+E("\x1B[t", "F34")
+E("\x1B[u", "F35")
+E("\x1B[v", "F36")
+E("\x1B[w", "F37")
+E("\x1B[x", "F38")
+E("\x1B[y", "F39")
+E("\x1B[z", "F40")
+E("\x1B[{", "F48")
+E("\x9B""1~", "home")
+E("\x9B""2~", "insert")
+E("\x9B""3~", "delete")
+E("\x9B""4~", "end")
+E("\x9B""5~", "page-up")
+E("\x9B""6~", "page-down")
+E("\x1B""A", "up")
+E("\x1B""B", "down")
+E("\x1B""C", "right")
+E("\x1B""D", "left")
+E("\x1B""F", "end")
+E("\x1B""J", "clear")
+E("\x1B""P", "delete")
+E("\x1B""Q", "insert")
+E("\x1B""S", "page-down")
+E("\x1B""T", "page-up")
+E("\x1B""h", "home")
+E("\x1B""p", "F1")
+E("\x1B""q", "F2")
+E("\x1B""r", "F3")
+E("\x1B""s", "F4")
+E("\x1B""t", "F5")
+E("\x1B""u", "F6")
+E("\x1B""v", "F7")
+E("\x1B""w", "F8")
+E("\x1B\x09", "back-tab")
+E("\x8F""A", "up")
+E("\x8F""B", "down")
+E("\x8F""C", "right")
+E("\x8F""D", "left")
+E("\x8F""E", "begin")
+E("\x8F""M", "send")
+E("\x8F""q", "C1")
+E("\x8F""s", "C3")
+E("\x8F""u", "A3")
+E("\x8F""w", "A1")
+E("\x8F""y", "B2")
+E("\x9B""M", "mouse")
+E("\x9B""Z", "back-tab")
+
+E("\x1B", "esc")
diff --git a/framework/src/audit/auparse/typetab.h b/framework/src/audit/auparse/typetab.h
new file mode 100644
index 00000000..7ff53c31
--- /dev/null
+++ b/framework/src/audit/auparse/typetab.h
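Review bot: The header never states the contract this file imposes on its includer: every row is an expansion of an `E(sequence, name)` macro that the including translation unit must define first, and the file deliberately has no include guard because it is meant to be expanded in place. A one-line comment after the license block would make that explicit, e.g. `/* X-macro table: the includer defines E(seq, name) before including this file; it is not self-contained. */`. The ordering comment also has a typo, `ncrses-base-5.6-20.20080927.fc10` for `ncurses-base-…`. Since the final single-byte entry `E("\x1B", "esc")` sits 350 rows away from the comment that explains why it must come last, a short pointer next to it, such as `// single ESC: must stay last, see note near \x1A above`, would spare a reader the search. This table presumably only renders TTY audit data for display; I cannot tell from the hunk how the consumer matches sequences, so the longest-first requirement is inferred from the file's own comments.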
@@ -0,0 +1,127 @@
+/* typetab.h --
+ * Copyright 2007-09,2011-12,2014 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ */
+
+
+_S(AUPARSE_TYPE_UID, "auid" )
+_S(AUPARSE_TYPE_UID, "uid" )
+_S(AUPARSE_TYPE_UID, "euid" )
+_S(AUPARSE_TYPE_UID, "suid" )
+_S(AUPARSE_TYPE_UID, "fsuid" )
+_S(AUPARSE_TYPE_UID, "ouid" )
+_S(AUPARSE_TYPE_UID, "oauid" )
+_S(AUPARSE_TYPE_UID, "iuid" )
+_S(AUPARSE_TYPE_UID, "id" )
+_S(AUPARSE_TYPE_UID, "inode_uid" )
+_S(AUPARSE_TYPE_UID, "sauid" )
+_S(AUPARSE_TYPE_UID, "obj_uid" )
+_S(AUPARSE_TYPE_GID, "obj_gid" )
+_S(AUPARSE_TYPE_GID, "gid" )
+_S(AUPARSE_TYPE_GID, "egid" )
+_S(AUPARSE_TYPE_GID, "sgid" )
+_S(AUPARSE_TYPE_GID, "fsgid" )
+_S(AUPARSE_TYPE_GID, "ogid" )
+_S(AUPARSE_TYPE_GID, "igid" )
+_S(AUPARSE_TYPE_GID, "inode_gid" )
+_S(AUPARSE_TYPE_GID, "new_gid" )
+_S(AUPARSE_TYPE_SYSCALL, "syscall" )
+_S(AUPARSE_TYPE_ARCH, "arch" )
+_S(AUPARSE_TYPE_EXIT, "exit" )
+_S(AUPARSE_TYPE_ESCAPED, "path" )
+_S(AUPARSE_TYPE_ESCAPED, "comm" )
+_S(AUPARSE_TYPE_ESCAPED, "exe" )
+_S(AUPARSE_TYPE_ESCAPED, "file" )
+_S(AUPARSE_TYPE_ESCAPED, "name" )
+_S(AUPARSE_TYPE_ESCAPED, "watch" )
+_S(AUPARSE_TYPE_ESCAPED, "cwd" )
+_S(AUPARSE_TYPE_ESCAPED, "cmd" )
+_S(AUPARSE_TYPE_ESCAPED, "acct" )
+_S(AUPARSE_TYPE_ESCAPED, "dir" )
+_S(AUPARSE_TYPE_ESCAPED, "key" )
+_S(AUPARSE_TYPE_ESCAPED, "vm" )
+_S(AUPARSE_TYPE_ESCAPED, "old-disk" )
+_S(AUPARSE_TYPE_ESCAPED, "new-disk" )
+_S(AUPARSE_TYPE_ESCAPED, "old-fs" )
+_S(AUPARSE_TYPE_ESCAPED, "new-fs" )
+_S(AUPARSE_TYPE_ESCAPED, "device" )
+_S(AUPARSE_TYPE_ESCAPED, "cgroup" )
+_S(AUPARSE_TYPE_PERM, "perm" )
+_S(AUPARSE_TYPE_PERM, "perm_mask" )
+_S(AUPARSE_TYPE_MODE, "mode" )
+_S(AUPARSE_TYPE_SOCKADDR, "saddr" )
+//_S(AUPARSE_TYPE_FLAGS, "flags" )
+_S(AUPARSE_TYPE_PROMISC, "prom" )
+_S(AUPARSE_TYPE_PROMISC, "old_prom" )
+_S(AUPARSE_TYPE_CAPABILITY, "capability" )
+_S(AUPARSE_TYPE_SUCCESS, "res" )
+_S(AUPARSE_TYPE_SUCCESS, "result" )
+_S(AUPARSE_TYPE_A0, "a0" )
+_S(AUPARSE_TYPE_A1, "a1" )
+_S(AUPARSE_TYPE_A2, "a2" )
+_S(AUPARSE_TYPE_A3, "a3" )
+_S(AUPARSE_TYPE_SIGNAL, "sig" )
+_S(AUPARSE_TYPE_LIST, "list" )
+_S(AUPARSE_TYPE_TTY_DATA, "data" )
+_S(AUPARSE_TYPE_SESSION, "ses" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "fi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "fe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "new_pp" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "new_pi" )
+_S(AUPARSE_TYPE_CAP_BITMAP, "new_pe" )
+_S(AUPARSE_TYPE_NFPROTO, "family" )
+_S(AUPARSE_TYPE_ICMPTYPE, "icmptype" )
+_S(AUPARSE_TYPE_PROTOCOL, "proto" )
+_S(AUPARSE_TYPE_ADDR, "addr" )
+#ifdef WITH_APPARMOR
+_S(AUPARSE_TYPE_ESCAPED, "apparmor" )
+_S(AUPARSE_TYPE_ESCAPED, "operation" )
+_S(AUPARSE_TYPE_ESCAPED, "denied_mask" )
+_S(AUPARSE_TYPE_ESCAPED, "info" )
+_S(AUPARSE_TYPE_ESCAPED, "profile" )
+_S(AUPARSE_TYPE_ESCAPED, "requested_mask")
+#endif
+_S(AUPARSE_TYPE_PERSONALITY, "per" )
+_S(AUPARSE_TYPE_SECCOMP, "code" )
+_S(AUPARSE_TYPE_ESCAPED, "old-rng" )
+_S(AUPARSE_TYPE_ESCAPED, "new-rng" )
+_S(AUPARSE_TYPE_OFLAG, "oflag" )
+_S(AUPARSE_TYPE_ESCAPED, "ocomm" )
+_S(AUPARSE_TYPE_MMAP, "flags" )
+_S(AUPARSE_TYPE_SIGNAL, "sigev_signo" )
+_S(AUPARSE_TYPE_MAC_LABEL, "subj" )
+_S(AUPARSE_TYPE_MAC_LABEL, "obj" )
+_S(AUPARSE_TYPE_MAC_LABEL, "scontext" )
+_S(AUPARSE_TYPE_MAC_LABEL, "tcontext" )
+_S(AUPARSE_TYPE_MAC_LABEL, "vm-ctx" )
+_S(AUPARSE_TYPE_MAC_LABEL, "img-ctx" )
+_S(AUPARSE_TYPE_PROCTITLE, "proctitle" )
+_S(AUPARSE_TYPE_ESCAPED, "grp" )
+_S(AUPARSE_TYPE_ESCAPED, "new_group" )
+
diff --git a/framework/src/audit/auparse/umounttab.h b/framework/src/audit/auparse/umounttab.h
new file mode 100644
index 00000000..a673efb1
--- /dev/null
+++ b/framework/src/audit/auparse/umounttab.h
@@ -0,0 +1,30 @@
+/* umounttab.h --
+ * Copyright 2013 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Steve Grubb <sgrubb@redhat.com>
+ * Location: include/linux/fs.h
+ */
+
+
+_S(0x00000001, "MNT_FORCE" )
+_S(0x00000002, "MNT_DETACH" )
+_S(0x00000004, "MNT_EXPIRE" )
+_S(0x00000008, "UMOUNT_NOFOLLOW" )
+_S(0x80000001, "UMOUNT_UNUSED" )
+ |
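Review bot: The commented-out row `//_S(AUPARSE_TYPE_FLAGS, "flags" )` is dead code sitting a few dozen rows above a live mapping of the very same field name, `_S(AUPARSE_TYPE_MMAP, "flags" )`, so a reader cannot tell whether the FLAGS interpretation was dropped on purpose or merely parked. Either delete the line or replace it with a comment that records the decision, e.g. `/* "flags" is interpreted as AUPARSE_TYPE_MMAP further down; AUPARSE_TYPE_FLAGS is intentionally not used for it. */`. Whether a later row wins over an earlier one for a duplicate name depends on how the generated lookup is built, which this header does not show, so the comment should say which row is authoritative once that is confirmed. The same X-macro convention applies to the other `_S` tables in this commit; a short note at the top of this file saying that the includer must define `_S(type, name)` before including it would help the next person who opens it without the generator in front of them.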
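Review bot: The last row, `_S(0x80000001, "UMOUNT_UNUSED" )`, does not look like a single flag bit: the header it cites, include/linux/fs.h, defines UMOUNT_UNUSED as the lone high bit 0x80000000, and the value here additionally carries the MNT_FORCE bit 0x00000001. If the interpreter that consumes this table compares flag values bit-wise, a plain 0x80000000 would never be named and a bare MNT_FORCE could match two rows; if it compares whole values, 0x80000001 would never occur at all. Worth checking against the kernel header before this table is relied on; presumably the intended row is `_S(0x80000000, "UMOUNT_UNUSED" )`. The `_S` macro and the lookup that uses it are defined outside this hunk, so which comparison applies cannot be confirmed from here.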