Diffstat (limited to 'framework/src/audit/auparse')
-rw-r--r--framework/src/audit/auparse/Makefile.am491
-rw-r--r--framework/src/audit/auparse/accesstab.h27
-rw-r--r--framework/src/audit/auparse/auditd-config.c445
-rw-r--r--framework/src/audit/auparse/auparse-defs.h98
-rw-r--r--framework/src/audit/auparse/auparse-idata.h49
-rw-r--r--framework/src/audit/auparse/auparse.c1377
-rw-r--r--framework/src/audit/auparse/auparse.h112
-rw-r--r--framework/src/audit/auparse/auparse.pc.in11
-rw-r--r--framework/src/audit/auparse/captab.h62
-rw-r--r--framework/src/audit/auparse/clocktab.h36
-rw-r--r--framework/src/audit/auparse/clone-flagtab.h47
-rw-r--r--framework/src/audit/auparse/data_buf.c394
-rw-r--r--framework/src/audit/auparse/data_buf.h80
-rw-r--r--framework/src/audit/auparse/ellist.c428
-rw-r--r--framework/src/audit/auparse/ellist.h66
-rw-r--r--framework/src/audit/auparse/epoll_ctl.h27
-rw-r--r--framework/src/audit/auparse/expression.c1111
-rw-r--r--framework/src/audit/auparse/expression.h133
-rw-r--r--framework/src/audit/auparse/famtab.h62
-rw-r--r--framework/src/audit/auparse/fcntl-cmdtab.h52
-rw-r--r--framework/src/audit/auparse/flagtab.h33
-rw-r--r--framework/src/audit/auparse/icmptypetab.h37
-rw-r--r--framework/src/audit/auparse/internal.h86
-rw-r--r--framework/src/audit/auparse/interpret.c2651
-rw-r--r--framework/src/audit/auparse/interpret.h54
-rw-r--r--framework/src/audit/auparse/ioctlreqtab.h54
-rw-r--r--framework/src/audit/auparse/ip6optnametab.h87
-rw-r--r--framework/src/audit/auparse/ipccmdtab.h28
-rw-r--r--framework/src/audit/auparse/ipctab.h37
-rw-r--r--framework/src/audit/auparse/ipoptnametab.h70
-rw-r--r--framework/src/audit/auparse/message.c58
-rw-r--r--framework/src/audit/auparse/mmaptab.h40
-rw-r--r--framework/src/audit/auparse/mounttab.h53
-rw-r--r--framework/src/audit/auparse/nfprototab.h31
-rw-r--r--framework/src/audit/auparse/nvlist.c137
-rw-r--r--framework/src/audit/auparse/nvlist.h51
-rw-r--r--framework/src/audit/auparse/nvpair.c89
-rw-r--r--framework/src/audit/auparse/nvpair.h56
-rw-r--r--framework/src/audit/auparse/open-flagtab.h44
-rw-r--r--framework/src/audit/auparse/persontab.h45
-rw-r--r--framework/src/audit/auparse/pktoptnametab.h43
-rw-r--r--framework/src/audit/auparse/prctl-opt-tab.h68
-rw-r--r--framework/src/audit/auparse/private.h54
-rw-r--r--framework/src/audit/auparse/prottab.h28
-rw-r--r--framework/src/audit/auparse/ptracetab.h55
-rw-r--r--framework/src/audit/auparse/recvtab.h46
-rw-r--r--framework/src/audit/auparse/rlimittab.h40
-rw-r--r--framework/src/audit/auparse/rnode.h63
-rw-r--r--framework/src/audit/auparse/schedtab.h31
-rw-r--r--framework/src/audit/auparse/seccomptab.h30
-rw-r--r--framework/src/audit/auparse/seektab.h29
-rw-r--r--framework/src/audit/auparse/shm_modetab.h29
-rw-r--r--framework/src/audit/auparse/signaltab.h56
-rw-r--r--framework/src/audit/auparse/sockleveltab.h56
-rw-r--r--framework/src/audit/auparse/sockoptnametab.h84
-rw-r--r--framework/src/audit/auparse/socktab.h44
-rw-r--r--framework/src/audit/auparse/socktypetab.h31
-rw-r--r--framework/src/audit/auparse/tcpoptnametab.h49
-rw-r--r--framework/src/audit/auparse/test/Makefile.am91
-rw-r--r--framework/src/audit/auparse/test/auparse_test.c469
-rwxr-xr-xframework/src/audit/auparse/test/auparse_test.py262
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref803
-rw-r--r--framework/src/audit/auparse/test/auparse_test.ref.py793
-rw-r--r--framework/src/audit/auparse/test/test.log10
-rw-r--r--framework/src/audit/auparse/test/test2.log10
-rw-r--r--framework/src/audit/auparse/tty_named_keys.h409
-rw-r--r--framework/src/audit/auparse/typetab.h127
-rw-r--r--framework/src/audit/auparse/umounttab.h30
68 files changed, 0 insertions, 12689 deletions
diff --git a/framework/src/audit/auparse/Makefile.am b/framework/src/audit/auparse/Makefile.am
deleted file mode 100644
index 4b864d7c..00000000
--- a/framework/src/audit/auparse/Makefile.am
+++ /dev/null
@@ -1,491 +0,0 @@
-# Makefile.am --
-# Copyright 2006-08,2011-15 Red Hat Inc., Durham, North Carolina.
-# All Rights Reserved.
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-# Authors:
-# Steve Grubb <sgrubb@redhat.com>
-#
-
-SUBDIRS = test
-CLEANFILES = $(BUILT_SOURCES)
-CONFIG_CLEAN_FILES = *.loT *.rej *.orig
-AM_CFLAGS = -fPIC -DPIC -D_GNU_SOURCE -g ${DEBUG}
-AM_CPPFLAGS = -I. -I${top_srcdir} -I${top_srcdir}/src -I${top_srcdir}/lib
-LIBS =
-
-pkgconfigdir = $(libdir)/pkgconfig
-pkgconfig_DATA = auparse.pc
-DISTCLEANFILES = $(pkgconfig_DATA)
-
-lib_LTLIBRARIES = libauparse.la
-include_HEADERS = auparse.h auparse-defs.h
-libauparse_la_SOURCES = nvpair.c interpret.c nvlist.c ellist.c \
- auparse.c auditd-config.c message.c data_buf.c strsplit.c \
- auparse-defs.h auparse-idata.h data_buf.h \
- nvlist.h auparse.h ellist.h \
- internal.h nvpair.h rnode.h interpret.h \
- private.h expression.c expression.h tty_named_keys.h
-nodist_libauparse_la_SOURCES = $(BUILT_SOURCES)
-
-libauparse_la_LIBADD = ${top_builddir}/lib/libaudit.la
-libauparse_la_DEPENDENCIES = $(libauparse_la_SOURCES) ${top_builddir}/config.h
-libauparse_la_LDFLAGS = -Wl,-z,relro
-
-message.c:
- cp ${top_srcdir}/lib/message.c .
-
-strsplit.c:
- cp ${top_srcdir}/lib/strsplit.c .
-
-BUILT_SOURCES = accesstabs.h captabs.h clocktabs.h clone-flagtabs.h \
- epoll_ctls.h famtabs.h fcntl-cmdtabs.h \
- flagtabs.h icmptypetabs.h ipctabs.h ipccmdtabs.h\
- ioctlreqtabs.h ipoptnametabs.h ip6optnametabs.h \
- mmaptabs.h mounttabs.h nfprototabs.h open-flagtabs.h \
- persontabs.h prctl_opttabs.h pktoptnametabs.h \
- prottabs.h ptracetabs.h \
- rlimittabs.h recvtabs.h schedtabs.h seccomptabs.h \
- seektabs.h shm_modetabs.h signaltabs.h sockoptnametabs.h \
- socktabs.h sockleveltabs.h socktypetabs.h \
- tcpoptnametabs.h typetabs.h umounttabs.h
-noinst_PROGRAMS = gen_accesstabs_h gen_captabs_h gen_clock_h \
- gen_clone-flagtabs_h \
- gen_epoll_ctls_h gen_famtabs_h \
- gen_fcntl-cmdtabs_h gen_flagtabs_h gen_ioctlreqtabs_h \
- gen_icmptypetabs_h gen_ipctabs_h gen_ipccmdtabs_h\
- gen_ipoptnametabs_h gen_ip6optnametabs_h gen_nfprototabs_h \
- gen_mmaptabs_h gen_mounttabs_h \
- gen_open-flagtabs_h gen_persontabs_h \
- gen_prctl_opttabs_h gen_pktoptnametabs_h gen_prottabs_h \
- gen_recvtabs_h gen_rlimit_h gen_ptracetabs_h \
- gen_schedtabs_h gen_seccomptabs_h \
- gen_seektabs_h gen_shm_modetabs_h gen_signals_h \
- gen_sockoptnametabs_h gen_socktabs_h gen_sockleveltabs_h \
- gen_socktypetabs_h gen_tcpoptnametabs_h gen_typetabs_h \
- gen_umounttabs_h
-
-gen_accesstabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h accesstab.h
-gen_accesstabs_h_CFLAGS = '-DTABLE_H="accesstab.h"'
-$(gen_accesstabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_accesstabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_accesstabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_accesstabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_accesstabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_accesstabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-accesstabs.h: gen_accesstabs_h Makefile
- ./gen_accesstabs_h --i2s-transtab access > $@
-
-gen_captabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h captab.h
-gen_captabs_h_CFLAGS = '-DTABLE_H="captab.h"'
-$(gen_captabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_captabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_captabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_captabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_captabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_captabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-captabs.h: gen_captabs_h Makefile
- ./gen_captabs_h --i2s cap > $@
-
-gen_clock_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h clocktab.h
-gen_clock_h_CFLAGS = '-DTABLE_H="clocktab.h"'
-$(gen_clock_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_clock_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_clock_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_clock_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_clock_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_clock_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-clocktabs.h: gen_clock_h Makefile
- ./gen_clock_h --i2s clock > $@
-
-gen_clone_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
- clone-flagtab.h
-gen_clone_flagtabs_h_CFLAGS = '-DTABLE_H="clone-flagtab.h"'
-$(gen_clone_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_clone_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_clone_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_clone-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_clone-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_clone-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-clone-flagtabs.h: gen_clone-flagtabs_h Makefile
- ./gen_clone-flagtabs_h --i2s-transtab clone_flag > $@
-
-gen_epoll_ctls_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h epoll_ctl.h
-gen_epoll_ctls_h_CFLAGS = '-DTABLE_H="epoll_ctl.h"'
-$(gen_epoll_ctls_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_epoll_ctls_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_epoll_ctls_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_epoll_ctls_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_epoll_ctls_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_epoll_ctls_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-epoll_ctls.h: gen_epoll_ctls_h Makefile
- ./gen_epoll_ctls_h --i2s epoll_ctl > $@
-
-gen_famtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h famtab.h
-gen_famtabs_h_CFLAGS = '-DTABLE_H="famtab.h"'
-$(gen_famtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_famtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_famtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_famtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_famtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_famtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-famtabs.h: gen_famtabs_h Makefile
- ./gen_famtabs_h --i2s fam > $@
-
-gen_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h flagtab.h
-# ../auparse/ is used to avoid using ../lib/flagtab.h
-gen_flagtabs_h_CFLAGS = '-DTABLE_H="../auparse/flagtab.h"'
-$(gen_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-flagtabs.h: gen_flagtabs_h Makefile
- ./gen_flagtabs_h --i2s-transtab flag > $@
-
-gen_fcntl_cmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
- fcntl-cmdtab.h
-gen_fcntl_cmdtabs_h_CFLAGS = '-DTABLE_H="fcntl-cmdtab.h"'
-$(gen_fcntl_cmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_fcntl_cmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_fcntl_cmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_fcntl-cmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-fcntl-cmdtabs.h: gen_fcntl-cmdtabs_h Makefile
- ./gen_fcntl-cmdtabs_h --i2s fcntl > $@
-
-gen_icmptypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h icmptypetab.h
-gen_icmptypetabs_h_CFLAGS = '-DTABLE_H="icmptypetab.h"'
-$(gen_icmptypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_icmptypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_icmptypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_icmptypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_icmptypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_icmptypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-icmptypetabs.h: gen_icmptypetabs_h Makefile
- ./gen_icmptypetabs_h --i2s icmptype > $@
-
-gen_ioctlreqtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ioctlreqtab.h
-gen_ioctlreqtabs_h_CFLAGS = '-DTABLE_H="ioctlreqtab.h"'
-$(gen_ioctlreqtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_ioctlreqtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_ioctlreqtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_ioctlreqtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_ioctlreqtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_ioctlreqtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-ioctlreqtabs.h: gen_ioctlreqtabs_h Makefile
- ./gen_ioctlreqtabs_h --i2s ioctlreq > $@
-
-gen_ipctabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipctab.h
-gen_ipctabs_h_CFLAGS = '-DTABLE_H="ipctab.h"'
-$(gen_ipctabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_ipctabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_ipctabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_ipctabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_ipctabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_ipctabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-ipctabs.h: gen_ipctabs_h Makefile
- ./gen_ipctabs_h --i2s ipc > $@
-
-gen_ipccmdtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipccmdtab.h
-gen_ipccmdtabs_h_CFLAGS = '-DTABLE_H="ipccmdtab.h"'
-$(gen_ipccmdtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_ipccmdtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_ipccmdtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_ipccmdtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_ipccmdtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_ipccmdtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-ipccmdtabs.h: gen_ipccmdtabs_h Makefile
- ./gen_ipccmdtabs_h --i2s-transtab ipccmd > $@
-
-gen_ipoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ipoptnametab.h
-gen_ipoptnametabs_h_CFLAGS = '-DTABLE_H="ipoptnametab.h"'
-$(gen_ipoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_ipoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_ipoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_ipoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_ipoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_ipoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-ipoptnametabs.h: gen_ipoptnametabs_h Makefile
- ./gen_ipoptnametabs_h --i2s ipoptname > $@
-
-gen_ip6optnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ip6optnametab.h
-gen_ip6optnametabs_h_CFLAGS = '-DTABLE_H="ip6optnametab.h"'
-$(gen_ip6optnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_ip6optnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_ip6optnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_ip6optnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_ip6optnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_ip6optnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-ip6optnametabs.h: gen_ip6optnametabs_h Makefile
- ./gen_ip6optnametabs_h --i2s ip6optname > $@
-
-gen_mmaptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mmaptab.h
-gen_mmaptabs_h_CFLAGS = '-DTABLE_H="mmaptab.h"'
-$(gen_mmaptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_mmaptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_mmaptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_mmaptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_mmaptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_mmaptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-mmaptabs.h: gen_mmaptabs_h Makefile
- ./gen_mmaptabs_h --i2s-transtab mmap > $@
-
-gen_mounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h mounttab.h
-gen_mounttabs_h_CFLAGS = '-DTABLE_H="mounttab.h"'
-$(gen_mounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_mounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_mounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_mounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_mounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_mounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-mounttabs.h: gen_mounttabs_h Makefile
- ./gen_mounttabs_h --i2s-transtab mount > $@
-
-gen_nfprototabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h nfprototab.h
-gen_nfprototabs_h_CFLAGS = '-DTABLE_H="nfprototab.h"'
-$(gen_nfprototabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_nfprototabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_nfprototabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_nfprototabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_nfprototabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_nfprototabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-nfprototabs.h: gen_nfprototabs_h Makefile
- ./gen_nfprototabs_h --i2s nfproto > $@
-
-gen_open_flagtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h \
- open-flagtab.h
-gen_open_flagtabs_h_CFLAGS = '-DTABLE_H="open-flagtab.h"'
-$(gen_open_flagtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_open_flagtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_open_flagtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_open-flagtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_open-flagtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_open-flagtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-open-flagtabs.h: gen_open-flagtabs_h Makefile
- ./gen_open-flagtabs_h --i2s-transtab open_flag > $@
-
-gen_persontabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h persontab.h
-gen_persontabs_h_CFLAGS = '-DTABLE_H="persontab.h"'
-$(gen_persontabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_persontabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_persontabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_persontabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_persontabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_persontabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-persontabs.h: gen_persontabs_h Makefile
- ./gen_persontabs_h --i2s person > $@
-
-gen_ptracetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h ptracetab.h
-gen_ptracetabs_h_CFLAGS = '-DTABLE_H="ptracetab.h"'
-$(gen_ptracetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_ptracetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_ptracetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_ptracetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_ptracetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_ptracetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-ptracetabs.h: gen_ptracetabs_h Makefile
- ./gen_ptracetabs_h --i2s ptrace > $@
-
-gen_prctl_opttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prctl-opt-tab.h
-gen_prctl_opttabs_h_CFLAGS = '-DTABLE_H="prctl-opt-tab.h"'
-$(gen_prctl_opttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_prctl_opttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_prctl_opttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_prctl_opttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_prctl_opttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_prctl_opttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-prctl_opttabs.h: gen_prctl_opttabs_h Makefile
- ./gen_prctl_opttabs_h --i2s prctl_opt > $@
-
-gen_pktoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h pktoptnametab.h
-gen_pktoptnametabs_h_CFLAGS = '-DTABLE_H="pktoptnametab.h"'
-$(gen_pktoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_pktoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_pktoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_pktoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_pktoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_pktoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-pktoptnametabs.h: gen_pktoptnametabs_h Makefile
- ./gen_pktoptnametabs_h --i2s pktoptname > $@
-
-gen_prottabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h prottab.h
-gen_prottabs_h_CFLAGS = '-DTABLE_H="prottab.h"'
-$(gen_prottabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_prottabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_prottabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_prottabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_prottabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_prottabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-prottabs.h: gen_prottabs_h Makefile
- ./gen_prottabs_h --i2s-transtab prot > $@
-
-gen_recvtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h recvtab.h
-gen_recvtabs_h_CFLAGS = '-DTABLE_H="recvtab.h"'
-$(gen_recvtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_recvtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_recvtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_recvtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_recvtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_recvtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-recvtabs.h: gen_recvtabs_h Makefile
- ./gen_recvtabs_h --i2s-transtab recv > $@
-
-gen_rlimit_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h rlimittab.h
-gen_rlimit_h_CFLAGS = '-DTABLE_H="rlimittab.h"'
-$(gen_rlimit_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_rlimit_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_rlimit_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_rlimit_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_rlimit_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_rlimit_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-rlimittabs.h: gen_rlimit_h Makefile
- ./gen_rlimit_h --i2s rlimit > $@
-
-gen_schedtabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h schedtab.h
-gen_schedtabs_h_CFLAGS = '-DTABLE_H="schedtab.h"'
-$(gen_schedtabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_schedtabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_schedtabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_schedtabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_schedtabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_schedtabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-schedtabs.h: gen_schedtabs_h Makefile
- ./gen_schedtabs_h --i2s sched > $@
-
-gen_seccomptabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seccomptab.h
-gen_seccomptabs_h_CFLAGS = '-DTABLE_H="seccomptab.h"'
-$(gen_seccomptabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_seccomptabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_seccomptabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_seccomptabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_seccomptabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_seccomptabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-seccomptabs.h: gen_seccomptabs_h Makefile
- ./gen_seccomptabs_h --i2s seccomp > $@
-
-gen_seektabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h seektab.h
-gen_seektabs_h_CFLAGS = '-DTABLE_H="seektab.h"'
-$(gen_seektabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_seektabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_seektabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_seektabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_seektabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_seektabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-seektabs.h: gen_seektabs_h Makefile
- ./gen_seektabs_h --i2s seek > $@
-
-gen_shm_modetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h shm_modetab.h
-gen_shm_modetabs_h_CFLAGS = '-DTABLE_H="shm_modetab.h"'
-$(gen_shm_modetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_shm_modetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_shm_modetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_shm_modetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_shm_modetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_shm_modetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-shm_modetabs.h: gen_shm_modetabs_h Makefile
- ./gen_shm_modetabs_h --i2s-transtab shm_mode > $@
-
-gen_signals_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h signaltab.h
-gen_signals_h_CFLAGS = '-DTABLE_H="signaltab.h"'
-$(gen_signals_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_signals_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_signals_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_signals_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_signals_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_signals_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-signaltabs.h: gen_signals_h Makefile
- ./gen_signals_h --i2s signal > $@
-
-gen_sockleveltabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockleveltab.h
-gen_sockleveltabs_h_CFLAGS = '-DTABLE_H="sockleveltab.h"'
-$(gen_sockleveltabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_sockleveltabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_sockleveltabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_sockleveltabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_sockleveltabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_sockleveltabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-sockleveltabs.h: gen_sockleveltabs_h Makefile
- ./gen_sockleveltabs_h --i2s socklevel > $@
-
-gen_sockoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h sockoptnametab.h
-gen_sockoptnametabs_h_CFLAGS = '-DTABLE_H="sockoptnametab.h"'
-$(gen_sockoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_sockoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_sockoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_sockoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_sockoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_sockoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-sockoptnametabs.h: gen_sockoptnametabs_h Makefile
- ./gen_sockoptnametabs_h --i2s sockoptname > $@
-
-gen_socktabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktab.h
-gen_socktabs_h_CFLAGS = '-DTABLE_H="socktab.h"'
-$(gen_socktabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_socktabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_socktabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_socktabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_socktabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_socktabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-socktabs.h: gen_socktabs_h Makefile
- ./gen_socktabs_h --i2s sock > $@
-
-gen_socktypetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h socktypetab.h
-gen_socktypetabs_h_CFLAGS = '-DTABLE_H="socktypetab.h"'
-$(gen_socktypetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_socktypetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_socktypetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_socktypetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_socktypetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_socktypetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-socktypetabs.h: gen_socktypetabs_h Makefile
- ./gen_socktypetabs_h --i2s sock_type > $@
-
-gen_tcpoptnametabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h tcpoptnametab.h
-gen_tcpoptnametabs_h_CFLAGS = '-DTABLE_H="tcpoptnametab.h"'
-$(gen_tcpoptnametabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_tcpoptnametabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_tcpoptnametabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_tcpoptnametabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_tcpoptnametabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_tcpoptnametabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-tcpoptnametabs.h: gen_tcpoptnametabs_h Makefile
- ./gen_tcpoptnametabs_h --i2s tcpoptname > $@
-
-gen_typetabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h typetab.h
-gen_typetabs_h_CFLAGS = '-DTABLE_H="typetab.h"'
-$(gen_typetabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_typetabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_typetabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_typetabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_typetabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_typetabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-typetabs.h: gen_typetabs_h Makefile
- ./gen_typetabs_h --s2i type > $@
-
-gen_umounttabs_h_SOURCES = ../lib/gen_tables.c ../lib/gen_tables.h umounttab.h
-gen_umounttabs_h_CFLAGS = '-DTABLE_H="umounttab.h"'
-$(gen_umounttabs_h_OBJECTS): CC=$(CC_FOR_BUILD)
-$(gen_umounttabs_h_OBJECTS): CFLAGS=$(CFLAGS_FOR_BUILD)
-$(gen_umounttabs_h_OBJECTS): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-gen_umounttabs_h$(BUILD_EXEEXT): CC=$(CC_FOR_BUILD)
-gen_umounttabs_h$(BUILD_EXEEXT): CFLAGS=$(CFLAGS_FOR_BUILD)
-gen_umounttabs_h$(BUILD_EXEEXT): CPPFLAGS=$(CPPFLAGS_FOR_BUILD)
-umounttabs.h: gen_umounttabs_h Makefile
- ./gen_umounttabs_h --i2s-transtab umount > $@
-
diff --git a/framework/src/audit/auparse/accesstab.h b/framework/src/audit/auparse/accesstab.h
deleted file mode 100644
index 439c26d0..00000000
--- a/framework/src/audit/auparse/accesstab.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* accesstab.h --
- * Copyright 2013 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-
-_S(0x1U, "X_OK" )
-_S(0x2U, "W_OK" )
-_S(0x4U, "R_OK" )
-
diff --git a/framework/src/audit/auparse/auditd-config.c b/framework/src/audit/auparse/auditd-config.c
deleted file mode 100644
index 5964538f..00000000
--- a/framework/src/audit/auparse/auditd-config.c
+++ /dev/null
@@ -1,445 +0,0 @@
-/* auditd-config.c --
- * Copyright 2007,2014 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- *
- */
-
-#include "config.h"
-#include "internal.h"
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/stat.h>
-#include <unistd.h>
-#include <fcntl.h>
-#include <libgen.h>
-#include <dirent.h>
-#include <ctype.h>
-
-/* Local prototypes */
-struct _pair
-{
- const char *name;
- const char *value;
-};
-
-struct kw_pair
-{
- const char *name;
- int (*parser)(const char *, int, struct daemon_conf *);
-};
-
-struct nv_list
-{
- const char *name;
- int option;
-};
-
-static char *get_line(FILE *f, char *buf, unsigned size, int *lineno,
- const char *file);
-static int nv_split(char *buf, struct _pair *nv);
-static const struct kw_pair *kw_lookup(const char *val);
-static int log_file_parser(const char *val, int line,
- struct daemon_conf *config);
-static int num_logs_parser(const char *val, int line,
- struct daemon_conf *config);
-static int log_format_parser(const char *val, int line,
- struct daemon_conf *config);
-
-static const struct kw_pair keywords[] =
-{
- {"log_file", log_file_parser },
- {"log_format", log_format_parser },
- {"num_logs", num_logs_parser },
- { NULL, NULL }
-};
-
-static const struct nv_list log_formats[] =
-{
- {"raw", LF_RAW },
- {"nolog", LF_NOLOG },
- { NULL, 0 }
-};
-
-
-/*
- * Set everything to its default value
-*/
-void clear_config(struct daemon_conf *config)
-{
- config->qos = QOS_NON_BLOCKING;
- config->sender_uid = 0;
- config->sender_pid = 0;
- config->sender_ctx = NULL;
- config->log_file = strdup("/var/log/audit/audit.log");
- config->log_format = LF_RAW;
- config->log_group = 0;
- config->priority_boost = 3;
- config->flush = FT_NONE;
- config->freq = 0;
- config->num_logs = 0L;
- config->dispatcher = NULL;
- config->node_name_format = N_NONE;
- config->node_name = NULL;
- config->max_log_size = 0L;
- config->max_log_size_action = SZ_IGNORE;
- config->space_left = 0L;
- config->space_left_action = FA_IGNORE;
- config->space_left_exe = NULL;
- config->action_mail_acct = strdup("root");
- config->admin_space_left= 0L;
- config->admin_space_left_action = FA_IGNORE;
- config->admin_space_left_exe = NULL;
- config->disk_full_action = FA_IGNORE;
- config->disk_full_exe = NULL;
- config->disk_error_action = FA_SYSLOG;
- config->disk_error_exe = NULL;
-}
-
-int load_config(struct daemon_conf *config, log_test_t lt)
-{
- int fd, rc, lineno = 1;
- struct stat st;
- FILE *f;
- char buf[160];
-
- clear_config(config);
- lt = lt;
-
- /* open the file */
- rc = open(CONFIG_FILE, O_RDONLY|O_NOFOLLOW);
- if (rc < 0) {
- if (errno != ENOENT) {
- audit_msg(LOG_ERR, "Error opening config file (%s)",
- strerror(errno));
- return 1;
- }
- audit_msg(LOG_WARNING,
- "Config file %s doesn't exist, skipping", CONFIG_FILE);
- return 0;
- }
- fd = rc;
-
- /* check the file's permissions: owned by root, not world writable,
- * not symlink.
- */
- if (fstat(fd, &st) < 0) {
- audit_msg(LOG_ERR, "Error fstat'ing config file (%s)",
- strerror(errno));
- close(fd);
- return 1;
- }
- if (st.st_uid != 0) {
- audit_msg(LOG_ERR, "Error - %s isn't owned by root",
- CONFIG_FILE);
- close(fd);
- return 1;
- }
- if (!S_ISREG(st.st_mode)) {
- audit_msg(LOG_ERR, "Error - %s is not a regular file",
- CONFIG_FILE);
- close(fd);
- return 1;
- }
-
- /* it's ok, read line by line */
- f = fdopen(fd, "rm");
- if (f == NULL) {
- audit_msg(LOG_ERR, "Error - fdopen failed (%s)",
- strerror(errno));
- close(fd);
- return 1;
- }
-
- while (get_line(f, buf, sizeof(buf), &lineno, CONFIG_FILE)) {
- // convert line into name-value pair
- const struct kw_pair *kw;
- struct _pair nv;
- rc = nv_split(buf, &nv);
- switch (rc) {
- case 0: // fine
- break;
- case 1: // not the right number of tokens.
- audit_msg(LOG_ERR,
- "Wrong number of arguments for line %d in %s",
- lineno, CONFIG_FILE);
- break;
- case 2: // no '=' sign
- audit_msg(LOG_ERR,
- "Missing equal sign for line %d in %s",
- lineno, CONFIG_FILE);
- break;
- default: // something else went wrong...
- audit_msg(LOG_ERR,
- "Unknown error for line %d in %s",
- lineno, CONFIG_FILE);
- break;
- }
- if (nv.name == NULL) {
- lineno++;
- continue;
- }
- if (nv.value == NULL) {
- fclose(f);
- audit_msg(LOG_ERR,
- "Not processing any more lines in %s",
- CONFIG_FILE);
- return 1;
- }
-
- /* identify keyword or error */
- kw = kw_lookup(nv.name);
- if (kw->name) {
- /* dispatch to keyword's local parser */
- rc = kw->parser(nv.value, lineno, config);
- if (rc != 0) {
- fclose(f);
- return 1; // local parser puts message out
- }
- }
-
- lineno++;
- }
-
- fclose(f);
- return 0;
-}
-
-static char *get_line(FILE *f, char *buf, unsigned size, int *lineno,
- const char *file)
-{
- int too_long = 0;
-
- while (fgets_unlocked(buf, size, f)) {
- /* remove newline */
- char *ptr = strchr(buf, 0x0a);
- if (ptr) {
- if (!too_long) {
- *ptr = 0;
- return buf;
- }
- // Reset and start with the next line
- too_long = 0;
- *lineno = *lineno + 1;
- } else {
- // If a line is too long skip it.
- // Only output 1 warning
- if (!too_long)
- audit_msg(LOG_ERR,
- "Skipping line %d in %s: too long",
- *lineno, file);
- too_long = 1;
- }
- }
- return NULL;
-}
-
-static int nv_split(char *buf, struct _pair *nv)
-{
- /* Get the name part */
- char *ptr;
-
- nv->name = NULL;
- nv->value = NULL;
- ptr = audit_strsplit(buf);
- if (ptr == NULL)
- return 0; /* If there's nothing, go to next line */
- if (ptr[0] == '#')
- return 0; /* If there's a comment, go to next line */
- nv->name = ptr;
-
- /* Check for a '=' */
- ptr = audit_strsplit(NULL);
- if (ptr == NULL)
- return 1;
- if (strcmp(ptr, "=") != 0)
- return 2;
-
- /* get the value */
- ptr = audit_strsplit(NULL);
- if (ptr == NULL)
- return 1;
- nv->value = ptr;
-
- /* Make sure there's nothing else */
- ptr = audit_strsplit(NULL);
- if (ptr) {
- /* Allow one option, but check that there's not 2 */
- ptr = audit_strsplit(NULL);
- if (ptr)
- return 1;
- }
-
- /* Everything is OK */
- return 0;
-}
-
-static const struct kw_pair *kw_lookup(const char *val)
-{
- int i = 0;
- while (keywords[i].name != NULL) {
- if (strcasecmp(keywords[i].name, val) == 0)
- break;
- i++;
- }
- return &keywords[i];
-}
-
-static int log_file_parser(const char *val, int line,struct daemon_conf *config)
-{
- char *dir = NULL, *tdir, *base;
- DIR *d;
- int fd, mode;
- struct stat buf;
-
- /* split name into dir and basename. */
- tdir = strdup(val);
- if (tdir)
- dir = dirname(tdir);
- if (dir == NULL || strlen(dir) < 4) { // '/var' is shortest dirname
- audit_msg(LOG_ERR,
- "The directory name: %s is too short - line %d",
- dir, line);
- free((void *)tdir);
- return 1;
- }
-
- base = basename((char *)val);
- if (base == 0 || strlen(base) == 0) {
- audit_msg(LOG_ERR, "The file name: %s is too short - line %d",
- base, line);
- free((void *)tdir);
- return 1;
- }
-
- /* verify the directory path exists */
- d = opendir(dir);
- if (d == NULL) {
- audit_msg(LOG_ERR, "Could not open dir %s (%s)", dir,
- strerror(errno));
- free((void *)tdir);
- return 1;
- }
- free((void *)tdir);
- closedir(d);
-
- /* if the file exists, see that its regular, owned by root,
- * and not world anything */
- mode = O_RDONLY;
-
- fd = open(val, mode);
- if (fd < 0) {
- audit_msg(LOG_ERR, "Unable to open %s (%s)", val,
- strerror(errno));
- return 1;
- }
- if (fstat(fd, &buf) < 0) {
- audit_msg(LOG_ERR, "Unable to stat %s (%s)",
- val, strerror(errno));
- close(fd);
- return 1;
- }
- close(fd);
- if (!S_ISREG(buf.st_mode)) {
- audit_msg(LOG_ERR, "%s is not a regular file", val);
- return 1;
- }
- if (buf.st_uid != 0) {
- audit_msg(LOG_ERR, "%s is not owned by root", val);
- return 1;
- }
- if ( (buf.st_mode & (S_IXUSR|S_IWGRP|S_IXGRP|S_IRWXO)) ) {
- audit_msg(LOG_ERR, "%s permissions should be 0600 or 0640",
- val);
- return 1;
- }
- if ( !(buf.st_mode & S_IWUSR) ) {
- audit_msg(LOG_ERR, "audit log is not writable by owner");
- return 1;
- }
-
- free((void *)config->log_file);
- config->log_file = strdup(val);
- if (config->log_file == NULL)
- return 1;
- return 0;
-}
-
-static int num_logs_parser(const char *val, int line,
- struct daemon_conf *config)
-{
- const char *ptr = val;
- unsigned long i;
-
- /* check that all chars are numbers */
- for (i=0; ptr[i]; i++) {
- if (!isdigit(ptr[i])) {
- audit_msg(LOG_ERR,
- "Value %s should only be numbers - line %d",
- val, line);
- return 1;
- }
- }
-
- /* convert to unsigned long */
- errno = 0;
- i = strtoul(val, NULL, 10);
- if (errno) {
- audit_msg(LOG_ERR,
- "Error converting string to a number (%s) - line %d",
- strerror(errno), line);
- return 1;
- }
- if (i > 99) {
- audit_msg(LOG_ERR, "num_logs must be 99 or less");
- return 1;
- }
- config->num_logs = i;
- return 0;
-}
-
-static int log_format_parser(const char *val, int line,
- struct daemon_conf *config)
-{
- int i;
-
- for (i=0; log_formats[i].name != NULL; i++) {
- if (strcasecmp(val, log_formats[i].name) == 0) {
- config->log_format = log_formats[i].option;
- return 0;
- }
- }
- audit_msg(LOG_ERR, "Option %s not found - line %d", val, line);
- return 1;
-}
-
-void free_config(struct daemon_conf *config)
-{
- free((void*)config->sender_ctx);
- free((void*)config->log_file);
- free((void*)config->dispatcher);
- free((void *)config->node_name);
- free((void *)config->action_mail_acct);
- free((void *)config->space_left_exe);
- free((void *)config->admin_space_left_exe);
- free((void *)config->disk_full_exe);
- free((void *)config->disk_error_exe);
-}
-
diff --git a/framework/src/audit/auparse/auparse-defs.h b/framework/src/audit/auparse/auparse-defs.h
deleted file mode 100644
index fd7ed85d..00000000
--- a/framework/src/audit/auparse/auparse-defs.h
+++ /dev/null
@@ -1,98 +0,0 @@
-/* auparse-defs.h --
- * Copyright 2006-07,09,2011-12,2014-15 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-#ifndef AUPARSE_DEFS_HEADER
-#define AUPARSE_DEFS_HEADER
-
-#include <time.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-/* Library type definitions */
-
-/* This tells the library where the data source is located */
-typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_FILE_ARRAY,
- AUSOURCE_BUFFER, AUSOURCE_BUFFER_ARRAY,
- AUSOURCE_DESCRIPTOR, AUSOURCE_FILE_POINTER, AUSOURCE_FEED } ausource_t;
-
-/* This used to define the types of searches that can be done. It is not used
- any more. */
-typedef enum {
- AUSEARCH_UNSET,
- AUSEARCH_EXISTS,
- AUSEARCH_EQUAL, AUSEARCH_NOT_EQUAL,
- AUSEARCH_TIME_LT, AUSEARCH_TIME_LE, AUSEARCH_TIME_GE, AUSEARCH_TIME_GT,
- AUSEARCH_TIME_EQ,
- AUSEARCH_INTERPRETED = 0x40000000
-} ausearch_op_t;
-
-/* This determines where to position the cursor when a search completes */
-typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
- AUSEARCH_STOP_FIELD } austop_t;
-
-/* This defines how search rule pieces are treated to decide when
- * to stop a search */
-typedef enum { AUSEARCH_RULE_CLEAR, AUSEARCH_RULE_OR,
- AUSEARCH_RULE_AND, AUSEARCH_RULE_REGEX } ausearch_rule_t;
-
-
-typedef struct
-{
- time_t sec; // Event seconds
- unsigned int milli; // millisecond of the timestamp
- unsigned long serial; // Serial number of the event
- const char *host; // Machine's name
-} au_event_t;
-
-
-/* This indicates why the user supplied callback was invoked */
-typedef enum {AUPARSE_CB_EVENT_READY} auparse_cb_event_t;
-
-/* This determines the type of field at current cursor location
- * ONLY APPEND - DO NOT DELETE or it will break ABI */
-typedef enum { AUPARSE_TYPE_UNCLASSIFIED, AUPARSE_TYPE_UID, AUPARSE_TYPE_GID,
- AUPARSE_TYPE_SYSCALL, AUPARSE_TYPE_ARCH, AUPARSE_TYPE_EXIT,
- AUPARSE_TYPE_ESCAPED, AUPARSE_TYPE_PERM, AUPARSE_TYPE_MODE,
- AUPARSE_TYPE_SOCKADDR, AUPARSE_TYPE_FLAGS, AUPARSE_TYPE_PROMISC,
- AUPARSE_TYPE_CAPABILITY, AUPARSE_TYPE_SUCCESS, AUPARSE_TYPE_A0,
- AUPARSE_TYPE_A1, AUPARSE_TYPE_A2, AUPARSE_TYPE_A3, AUPARSE_TYPE_SIGNAL,
- AUPARSE_TYPE_LIST, AUPARSE_TYPE_TTY_DATA,
- AUPARSE_TYPE_SESSION, AUPARSE_TYPE_CAP_BITMAP, AUPARSE_TYPE_NFPROTO,
- AUPARSE_TYPE_ICMPTYPE, AUPARSE_TYPE_PROTOCOL,
- AUPARSE_TYPE_ADDR, AUPARSE_TYPE_PERSONALITY,
- AUPARSE_TYPE_SECCOMP, AUPARSE_TYPE_OFLAG,
- AUPARSE_TYPE_MMAP, AUPARSE_TYPE_MODE_SHORT, AUPARSE_TYPE_MAC_LABEL,
- AUPARSE_TYPE_PROCTITLE } auparse_type_t;
-
-/* This type determines what escaping if any gets applied to interpreted fields */
-typedef enum { AUPARSE_ESC_RAW, AUPARSE_ESC_TTY, AUPARSE_ESC_SHELL,
- AUPARSE_ESC_SHELL_QUOTE } auparse_esc_t;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
diff --git a/framework/src/audit/auparse/auparse-idata.h b/framework/src/audit/auparse/auparse-idata.h
deleted file mode 100644
index d1995538..00000000
--- a/framework/src/audit/auparse/auparse-idata.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
-* idata.h - Header file for ausearch-lookup.c
-* Copyright (c) 2013 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#ifndef IDATA_HEADER
-#define IDATA_HEADER
-
-#include "config.h"
-#include "dso.h"
-#include "auparse-defs.h"
-
-typedef struct _idata {
- unsigned int machine; // The machine type for the event
- int syscall; // The syscall for the event
- unsigned long long a0; // arg 0 to the syscall
- unsigned long long a1; // arg 1 to the syscall
- const char *name; // name of field being interpretted
- const char *val; // value of field being interpretted
-} idata;
-
-int auparse_interp_adjust_type(int rtype, const char *name, const char *val);
-const char *auparse_do_interpretation(int type, const idata *id);
-int set_escape_mode(auparse_esc_t mode);
-
-hidden_proto(auparse_interp_adjust_type)
-hidden_proto(auparse_do_interpretation)
-hidden_proto(set_escape_mode)
-
-#endif
-
diff --git a/framework/src/audit/auparse/auparse.c b/framework/src/audit/auparse/auparse.c
deleted file mode 100644
index cd3f1180..00000000
--- a/framework/src/audit/auparse/auparse.c
+++ /dev/null
@@ -1,1377 +0,0 @@
-/* auparse.c --
- * Copyright 2006-08,2012-15 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-#include "config.h"
-#include "expression.h"
-#include "internal.h"
-#include "auparse.h"
-#include "interpret.h"
-#include "auparse-idata.h"
-#include <errno.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdio_ext.h>
-
-static int debug = 0;
-
-/* like strchr except string is delimited by length, not null byte */
-static char *strnchr(const char *s, int c, size_t n)
-{
- char *p_char;
- const char *p_end = s + n;
-
- for (p_char = (char *)s; p_char < p_end && *p_char != c; p_char++);
- if (p_char == p_end) return NULL;
- return p_char;
-}
-
-static int setup_log_file_array(auparse_state_t *au)
-{
- struct daemon_conf config;
- char *filename, **tmp;
- int len, num = 0, i = 0;
-
- /* Load config so we know where logs are */
- set_aumessage_mode(MSG_STDERR, DBG_NO);
- load_config(&config, TEST_SEARCH);
-
- /* for each file */
- len = strlen(config.log_file) + 16;
- filename = malloc(len);
- if (!filename) {
- fprintf(stderr, "No memory\n");
- free_config(&config);
- return 1;
- }
- /* Find oldest log file */
- snprintf(filename, len, "%s", config.log_file);
- do {
- if (access(filename, R_OK) != 0)
- break;
- num++;
- snprintf(filename, len, "%s.%d", config.log_file, num);
- } while (1);
-
- if (num == 0) {
- fprintf(stderr, "No log file\n");
- free_config(&config);
- free(filename);
- return 1;
- }
- num--;
- tmp = malloc((num+2)*sizeof(char *));
-
- /* Got it, now process logs from last to first */
- if (num > 0)
- snprintf(filename, len, "%s.%d", config.log_file, num);
- else
- snprintf(filename, len, "%s", config.log_file);
- do {
- tmp[i++] = strdup(filename);
-
- /* Get next log file */
- num--;
- if (num > 0)
- snprintf(filename, len, "%s.%d", config.log_file, num);
- else if (num == 0)
- snprintf(filename, len, "%s", config.log_file);
- else
- break;
- } while (1);
- free_config(&config);
- free(filename);
-
- // Terminate the list
- tmp[i] = NULL;
- au->source_list = tmp;
- return 0;
-}
-
-/* General functions that affect operation of the library */
-auparse_state_t *auparse_init(ausource_t source, const void *b)
-{
- char **tmp, **bb = (char **)b, *buf = (char *)b;
- int n, i;
- size_t size, len;
-
- auparse_state_t *au = malloc(sizeof(auparse_state_t));
- if (au == NULL) {
- errno = ENOMEM;
- return NULL;
- }
-
- au->in = NULL;
- au->source_list = NULL;
- databuf_init(&au->databuf, 0, 0);
- au->callback = NULL;
- au->callback_user_data = NULL;
- au->callback_user_data_destroy = NULL;
- switch (source)
- {
- case AUSOURCE_LOGS:
- if (geteuid()) {
- errno = EPERM;
- goto bad_exit;
- }
- setup_log_file_array(au);
- break;
- case AUSOURCE_FILE:
- if (access(b, R_OK))
- goto bad_exit;
- tmp = malloc(2*sizeof(char *));
- tmp[0] = strdup(b);
- tmp[1] = NULL;
- au->source_list = tmp;
- break;
- case AUSOURCE_FILE_ARRAY:
- n = 0;
- while (bb[n]) {
- if (access(bb[n], R_OK))
- goto bad_exit;
- n++;
- }
- tmp = malloc((n+1)*sizeof(char *));
- for (i=0; i<n; i++)
- tmp[i] = strdup(bb[i]);
- tmp[n] = NULL;
- au->source_list = tmp;
- break;
- case AUSOURCE_BUFFER:
- buf = buf;
- len = strlen(buf);
- if (databuf_init(&au->databuf, len,
- DATABUF_FLAG_PRESERVE_HEAD) < 0)
- goto bad_exit;
- if (databuf_append(&au->databuf, buf, len) < 0)
- goto bad_exit;
- break;
- case AUSOURCE_BUFFER_ARRAY:
- size = 0;
- for (n = 0; (buf = bb[n]); n++) {
- len = strlen(bb[n]);
- if (bb[n][len-1] != '\n') {
- size += len + 1;
- } else {
- size += len;
- }
- }
- if (databuf_init(&au->databuf, size,
- DATABUF_FLAG_PRESERVE_HEAD) < 0)
- goto bad_exit;
- for (n = 0; (buf = bb[n]); n++) {
- len = strlen(buf);
- if (databuf_append(&au->databuf, buf, len) < 0)
- goto bad_exit;
- }
- break;
- case AUSOURCE_DESCRIPTOR:
- n = (long)b;
- au->in = fdopen(n, "rm");
- break;
- case AUSOURCE_FILE_POINTER:
- au->in = (FILE *)b;
- break;
- case AUSOURCE_FEED:
- if (databuf_init(&au->databuf, 0, 0) < 0) goto bad_exit;
- break;
- default:
- errno = EINVAL;
- goto bad_exit;
- break;
- }
- au->source = source;
- au->list_idx = 0;
- au->line_number = 0;
- au->next_buf = NULL;
- au->off = 0;
- au->cur_buf = NULL;
- au->line_pushed = 0;
- aup_list_create(&au->le);
- au->parse_state = EVENT_EMPTY;
- au->expr = NULL;
- au->find_field = NULL;
- au->search_where = AUSEARCH_STOP_EVENT;
-
- return au;
-bad_exit:
- databuf_free(&au->databuf);
- free(au);
- return NULL;
-}
-
-
-void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
- void *user_data, user_destroy user_destroy_func)
-{
- if (au == NULL) {
- errno = EINVAL;
- return;
- }
-
- if (au->callback_user_data_destroy) {
- (*au->callback_user_data_destroy)(au->callback_user_data);
- au->callback_user_data = NULL;
- }
-
- au->callback = callback;
- au->callback_user_data = user_data;
- au->callback_user_data_destroy = user_destroy_func;
-}
-
-static void consume_feed(auparse_state_t *au, int flush)
-{
- while (auparse_next_event(au) > 0) {
- if (au->callback) {
- (*au->callback)(au, AUPARSE_CB_EVENT_READY,
- au->callback_user_data);
- }
- }
- if (flush) {
- // FIXME: might need a call here to force auparse_next_event()
- // to consume any partial data not fully consumed.
- if (au->parse_state == EVENT_ACCUMULATING) {
- // Emit the event, set event cursors to initial position
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
- au->parse_state = EVENT_EMITTED;
- if (au->callback) {
- (*au->callback)(au, AUPARSE_CB_EVENT_READY,
- au->callback_user_data);
- }
- }
- }
-}
-
-int auparse_feed(auparse_state_t *au, const char *data, size_t data_len)
-{
- if (databuf_append(&au->databuf, data, data_len) < 0)
- return -1;
- consume_feed(au, 0);
- return 0;
-}
-
-int auparse_flush_feed(auparse_state_t *au)
-{
- consume_feed(au, 1);
- return 0;
-}
-
-// If there is data in the state machine, return 1
-// Otherwise return 0 to indicate its empty
-int auparse_feed_has_data(const auparse_state_t *au)
-{
- if (au->parse_state == EVENT_ACCUMULATING)
- return 1;
- return 0;
-}
-
-void auparse_set_escape_mode(auparse_esc_t mode)
-{
- set_escape_mode(mode);
-}
-
-int auparse_reset(auparse_state_t *au)
-{
- if (au == NULL) {
- errno = EINVAL;
- return -1;
- }
-
- aup_list_clear(&au->le);
- au->parse_state = EVENT_EMPTY;
- switch (au->source)
- {
- case AUSOURCE_LOGS:
- case AUSOURCE_FILE:
- case AUSOURCE_FILE_ARRAY:
- if (au->in) {
- fclose(au->in);
- au->in = NULL;
- }
- /* Fall through */
- case AUSOURCE_DESCRIPTOR:
- case AUSOURCE_FILE_POINTER:
- if (au->in)
- rewind(au->in);
- /* Fall through */
- case AUSOURCE_BUFFER:
- case AUSOURCE_BUFFER_ARRAY:
- au->list_idx = 0;
- au->line_number = 0;
- au->off = 0;
- databuf_reset(&au->databuf);
- break;
- default:
- return -1;
- }
- return 0;
-}
-
-
-/* Add EXPR to AU, using HOW to select the combining operator.
- On success, return 0.
- On error, free EXPR set errno and return -1.
- NOTE: EXPR is freed on error! */
-static int add_expr(auparse_state_t *au, struct expr *expr, ausearch_rule_t how)
-{
- if (au->expr == NULL)
- au->expr = expr;
- else if (how == AUSEARCH_RULE_CLEAR) {
- expr_free(au->expr);
- au->expr = expr;
- } else {
- struct expr *e;
-
- e = expr_create_binary(how == AUSEARCH_RULE_OR ? EO_OR : EO_AND,
- au->expr, expr);
- if (e == NULL) {
- int err;
-
- err = errno;
- expr_free(expr);
- errno = err;
- return -1;
- }
- au->expr = e;
- }
- return 0;
-}
-
-static int ausearch_add_item_internal(auparse_state_t *au, const char *field,
- const char *op, const char *value, ausearch_rule_t how, unsigned op_eq,
- unsigned op_ne)
-{
- struct expr *expr;
-
- // Make sure there's a field
- if (field == NULL)
- goto err_out;
-
- // Make sure how is within range
- if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND)
- goto err_out;
-
- // All pre-checks are done, build a rule
- if (strcmp(op, "exists") == 0)
- expr = expr_create_field_exists(field);
- else {
- unsigned t_op;
-
- if (strcmp(op, "=") == 0)
- t_op = op_eq;
- else if (strcmp(op, "!=") == 0)
- t_op = op_ne;
- else
- goto err_out;
- if (value == NULL)
- goto err_out;
- expr = expr_create_comparison(field, t_op, value);
- }
- if (expr == NULL)
- return -1;
- if (add_expr(au, expr, how) != 0)
- return -1; /* expr is freed by add_expr() */
- return 0;
-
-err_out:
- errno = EINVAL;
- return -1;
-}
-
-int ausearch_add_item(auparse_state_t *au, const char *field, const char *op,
- const char *value, ausearch_rule_t how)
-{
- return ausearch_add_item_internal(au, field, op, value, how, EO_RAW_EQ,
- EO_RAW_NE);
-}
-
-int ausearch_add_interpreted_item(auparse_state_t *au, const char *field,
- const char *op, const char *value, ausearch_rule_t how)
-{
- return ausearch_add_item_internal(au, field, op, value, how,
- EO_INTERPRETED_EQ, EO_INTERPRETED_NE);
-}
-
-int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op,
- time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how)
-{
- static const struct {
- unsigned value;
- const char name[3];
- } ts_tab[] = {
- {EO_VALUE_LT, "<"},
- {EO_VALUE_LE, "<="},
- {EO_VALUE_GE, ">="},
- {EO_VALUE_GT, ">"},
- {EO_VALUE_EQ, "="},
- };
-
- struct expr *expr;
- size_t i;
- unsigned t_op;
-
- for (i = 0; i < sizeof(ts_tab) / sizeof(*ts_tab); i++) {
- if (strcmp(ts_tab[i].name, op) == 0)
- goto found_op;
- }
- goto err_out;
-found_op:
- t_op = ts_tab[i].value;
-
- if (milli >= 1000)
- goto err_out;
-
- // Make sure how is within range
- if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND)
- goto err_out;
-
- // All pre-checks are done, build a rule
- expr = expr_create_timestamp_comparison_ex(t_op, sec, milli, serial);
- if (expr == NULL)
- return -1;
- if (add_expr(au, expr, how) != 0)
- return -1; /* expr is freed by add_expr() */
- return 0;
-
-err_out:
- errno = EINVAL;
- return -1;
-}
-
-int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec,
- unsigned milli, ausearch_rule_t how)
-{
- return ausearch_add_timestamp_item_ex(au, op, sec, milli, 0, how);
-}
-
-int ausearch_add_expression(auparse_state_t *au, const char *expression,
- char **error, ausearch_rule_t how)
-{
- struct expr *expr;
-
- if (how < AUSEARCH_RULE_CLEAR || how > AUSEARCH_RULE_AND)
- goto err_einval;
-
- expr = expr_parse(expression, error);
- if (expr == NULL) {
- errno = EINVAL;
- return -1;
- }
-
- if (add_expr(au, expr, how) != 0)
- goto err; /* expr is freed by add_expr() */
- return 0;
-
-err_einval:
- errno = EINVAL;
-err:
- *error = NULL;
- return -1;
-}
-
-int ausearch_add_regex(auparse_state_t *au, const char *regexp)
-{
- struct expr *expr;
-
- // Make sure there's an expression
- if (regexp == NULL)
- goto err_out;
-
- expr = expr_create_regexp_expression(regexp);
- if (expr == NULL)
- return -1;
- if (add_expr(au, expr, AUSEARCH_RULE_AND) != 0)
- return -1; /* expr is freed by add_expr() */
- return 0;
-
-err_out:
- errno = EINVAL;
- return -1;
-}
-
-int ausearch_set_stop(auparse_state_t *au, austop_t where)
-{
- if (where < AUSEARCH_STOP_EVENT || where > AUSEARCH_STOP_FIELD) {
- errno = EINVAL;
- return -1;
- }
-
- au->search_where = where;
- return 0;
-}
-
-void ausearch_clear(auparse_state_t *au)
-{
- if (au->expr != NULL) {
- expr_free(au->expr);
- au->expr = NULL;
- }
- au->search_where = AUSEARCH_STOP_EVENT;
-}
-
-void auparse_destroy(auparse_state_t *au)
-{
- aulookup_destroy_uid_list();
- aulookup_destroy_gid_list();
- if (au == NULL)
- return;
-
- if (au->source_list) {
- int n = 0;
- while (au->source_list[n])
- free(au->source_list[n++]);
- free(au->source_list);
- au->source_list = NULL;
- }
-
- au->next_buf = NULL;
- free(au->cur_buf);
- au->cur_buf = NULL;
- aup_list_clear(&au->le);
- au->parse_state = EVENT_EMPTY;
- free(au->find_field);
- au->find_field = NULL;
- ausearch_clear(au);
- databuf_free(&au->databuf);
- if (au->callback_user_data_destroy) {
- (*au->callback_user_data_destroy)(au->callback_user_data);
- au->callback_user_data = NULL;
- }
- if (au->in) {
- fclose(au->in);
- au->in = NULL;
- }
- free(au);
-}
-
-/* alloc a new buffer, cur_buf which contains a null terminated line
- * without a newline (note, this implies the line may be empty (strlen == 0)) if
- * successfully read a blank line (e.g. containing only a single newline).
- * cur_buf will have been newly allocated with malloc.
- *
- * Note: cur_buf will be freed the next time this routine is called if
- * cur_buf is not NULL, callers who retain a reference to the cur_buf
- * pointer will need to set cur_buf to NULL to cause the previous cur_buf
- * allocation to persist.
- *
- * Returns:
- * 1 if successful (errno == 0)
- * 0 if non-blocking input unavailable (errno == 0)
- * -1 if error (errno contains non-zero error code)
- * -2 if EOF (errno == 0)
- */
-
-static int readline_file(auparse_state_t *au)
-{
- ssize_t rc;
- char *p_last_char;
- size_t n = 0;
-
- if (au->cur_buf != NULL) {
- free(au->cur_buf);
- au->cur_buf = NULL;
- }
- if (au->in == NULL) {
- errno = EBADF;
- return -1;
- }
- if ((rc = getline(&au->cur_buf, &n, au->in)) <= 0) {
- // Note: getline always malloc's if lineptr==NULL or n==0,
- // on failure malloc'ed memory is left uninitialized,
- // caller must free it.
- free(au->cur_buf);
- au->cur_buf = NULL;
-
- // Note: feof() does not set errno
- if (feof(au->in)) {
- // return EOF condition
- errno = 0;
- return -2;
- }
- // return error condition, error code in errno
- return -1;
- }
- p_last_char = au->cur_buf + (rc-1);
- if (*p_last_char == '\n') { /* nuke newline */
- *p_last_char = 0;
- }
- // return success
- errno = 0;
- return 1;
-}
-
-
-/* malloc & copy a line into cur_buf from the internal buffer,
- * next_buf. cur_buf will contain a null terminated line without a
- * newline (note, this implies the line may be empty (strlen == 0)) if
- * successfully read a blank line (e.g. containing only a single
- * newline).
- *
- * Note: cur_buf will be freed the next time this routine is called if
- * cur_buf is not NULL, callers who retain a reference to the cur_buf
- * pointer will need to set cur_buf to NULL to cause the previous cur_buf
- * allocation to persist.
- *
- * Returns:
- * 1 if successful (errno == 0)
- * 0 if non-blocking input unavailable (errno == 0)
- * -1 if error (errno contains non-zero error code)
- * -2 if EOF (errno == 0)
- */
-
-static int readline_buf(auparse_state_t *au)
-{
- char *p_newline=NULL;
- size_t line_len;
-
- if (au->cur_buf != NULL) {
- free(au->cur_buf);
- au->cur_buf = NULL;
- }
-
- //if (debug) databuf_print(&au->databuf, 1, "readline_buf");
- if (au->databuf.len == 0) {
- // return EOF condition
- errno = 0;
- return -2;
- }
-
- if ((p_newline = strnchr(databuf_beg(&au->databuf), '\n',
- au->databuf.len)) != NULL) {
- line_len = p_newline - databuf_beg(&au->databuf);
-
- /* dup the line */
- au->cur_buf = malloc(line_len+1); // +1 for null terminator
- if (au->cur_buf == NULL)
- return -1; // return error condition, errno set
- strncpy(au->cur_buf, databuf_beg(&au->databuf), line_len);
- au->cur_buf[line_len] = 0;
-
- if (databuf_advance(&au->databuf, line_len+1) < 0)
- return -1;
- // return success
- errno = 0;
- return 1;
-
- } else {
- // return no data available
- errno = 0;
- return 0;
- }
-}
-
-static int str2event(char *s, au_event_t *e)
-{
- char *ptr;
-
- errno = 0;
- ptr = strchr(s+10, ':');
- if (ptr) {
- e->serial = strtoul(ptr+1, NULL, 10);
- *ptr = 0;
- if (errno)
- return -1;
- } else
- e->serial = 0;
- ptr = strchr(s, '.');
- if (ptr) {
- e->milli = strtoul(ptr+1, NULL, 10);
- *ptr = 0;
- if (errno)
- return -1;
- } else
- e->milli = 0;
- e->sec = strtoul(s, NULL, 10);
- if (errno)
- return -1;
- return 0;
-}
-
-/* Returns 0 on success and 1 on error */
-static int extract_timestamp(const char *b, au_event_t *e)
-{
- char *ptr, *tmp;
- int rc = 1;
-
- e->host = NULL;
- if (*b == 'n')
- tmp = strndupa(b, 340);
- else
- tmp = strndupa(b, 80);
- ptr = audit_strsplit(tmp);
- if (ptr) {
- // Optionally grab the node - may or may not be included
- if (*ptr == 'n') {
- e->host = strdup(ptr+5);
- (void)audit_strsplit(NULL); // Bump along to the next one
- }
- // at this point we have type=
- ptr = audit_strsplit(NULL);
- if (ptr) {
- if (*(ptr+9) == '(')
- ptr+=9;
- else
- ptr = strchr(ptr, '(');
- if (ptr) {
- // now we should be pointed at the timestamp
- char *eptr;
- ptr++;
- eptr = strchr(ptr, ')');
- if (eptr)
- *eptr = 0;
-
- if (str2event(ptr, e) == 0)
- rc = 0;
-// else {
-// audit_msg(LOG_ERROR,
-// "Error extracting time stamp (%s)\n",
-// ptr);
-// }
- }
- // else we have a bad line
- }
- // else we have a bad line
- }
- // else we have a bad line
- return rc;
-}
-
-static int inline events_are_equal(au_event_t *e1, au_event_t *e2)
-{
- // Check time & serial first since its most likely way
- // to spot 2 different events
- if (!(e1->serial == e2->serial && e1->milli == e2->milli &&
- e1->sec == e2->sec))
- return 0;
- // Hmm...same so far, check if both have a host, only a string
- // compare can tell if they are the same. Otherwise, if only one
- // of them have a host, they are definitely not the same. Its
- // a boundary on daemon config.
- if (e1->host && e2->host) {
- if (strcmp(e1->host, e2->host))
- return 0;
- } else if (e1->host || e2->host)
- return 0;
- return 1;
-}
-
-/* This function will figure out how to get the next line of input.
- * storing it cur_buf. cur_buf will be NULL terminated but will not
- * contain a trailing newline. This implies a successful read
- * (result == 1) may result in a zero length cur_buf if a blank line
- * was read.
- *
- * cur_buf will have been allocated with malloc. The next time this
- * routine is called if cur_buf is non-NULL cur_buf will be freed,
- * thus if the caller wishes to retain a reference to malloc'ed
- * cur_buf data it should copy the cur_buf pointer and set cur_buf to
- * NULL.
- *
- * Returns:
- * 1 if successful (errno == 0)
- * 0 if non-blocking input unavailable (errno == 0)
- * -1 if error (errno contains non-zero error code)
- * -2 if EOF (errno == 0)
- */
-
-static int retrieve_next_line(auparse_state_t *au)
-{
- int rc;
-
- // If line was pushed back for re-reading return that
- if (au->line_pushed) {
- // Starting new event, clear previous event data,
- // previous line is returned again for new parsing
- au->line_pushed = 0;
- au->line_number++;
- return 1;
- }
-
- switch (au->source)
- {
- case AUSOURCE_DESCRIPTOR:
- case AUSOURCE_FILE_POINTER:
- rc = readline_file(au);
- if (rc > 0) au->line_number++;
- return rc;
- case AUSOURCE_LOGS:
- case AUSOURCE_FILE:
- case AUSOURCE_FILE_ARRAY:
- // if the first time through, open file
- if (au->list_idx == 0 && au->in == NULL &&
- au->source_list != NULL) {
- if (au->source_list[au->list_idx] == NULL) {
- errno = 0;
- return -2;
- }
- au->line_number = 0;
- au->in = fopen(au->source_list[au->list_idx],
- "rm");
- if (au->in == NULL)
- return -1;
- __fsetlocking(au->in, FSETLOCKING_BYCALLER);
- }
-
- // loop reading lines from a file
- while (au->in) {
- if ((rc = readline_file(au)) == -2) {
- // end of file, open next file,
- // try readline again
- fclose(au->in);
- au->in = NULL;
- au->list_idx++;
- au->line_number = 0;
- if (au->source_list[au->list_idx]) {
- au->in = fopen(
- au->source_list[au->list_idx],
- "rm");
- if (au->in == NULL)
- return -1;
- __fsetlocking(au->in,
- FSETLOCKING_BYCALLER);
- }
- } else {
- if (rc > 0)
- au->line_number++;
- return rc;
- }
- }
- return -2; // return EOF
- case AUSOURCE_BUFFER:
- case AUSOURCE_BUFFER_ARRAY:
- rc = readline_buf(au);
- if (rc > 0)
- au->line_number++;
- return rc;
- case AUSOURCE_FEED:
- rc = readline_buf(au);
- // No such thing as EOF for feed, translate EOF
- // to data not available
- if (rc == -2)
- return 0;
- else
- if (rc > 0)
- au->line_number++;
- return rc;
- default:
- return -1;
- }
- return -1; /* should never reach here */
-}
-
-static void push_line(auparse_state_t *au)
-{
- au->line_number--;
- au->line_pushed = 1;
-}
-
-/*******
-* Functions that traverse events.
-********/
-static int ausearch_reposition_cursors(auparse_state_t *au)
-{
- int rc = 0;
-
- switch (au->search_where)
- {
- case AUSEARCH_STOP_EVENT:
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
- break;
- case AUSEARCH_STOP_RECORD:
- aup_list_first_field(&au->le);
- break;
- case AUSEARCH_STOP_FIELD:
- // do nothing - this is the normal stopping point
- break;
- default:
- rc = -1;
- break;
- }
- return rc;
-}
-
-/* This is called during search once per each record. It walks the list
- * of nvpairs and decides if a field matches. */
-static int ausearch_compare(auparse_state_t *au)
-{
- rnode *r;
-
- r = aup_list_get_cur(&au->le);
- if (r)
- return expr_eval(au, r, au->expr);
-
- return 0;
-}
-
-// Returns < 0 on error, 0 no data, > 0 success
-int ausearch_next_event(auparse_state_t *au)
-{
- int rc;
-
- if (au->expr == NULL) {
- errno = EINVAL;
- return -1;
- }
- if ((rc = auparse_first_record(au)) <= 0)
- return rc;
- do {
- do {
- if ((rc = ausearch_compare(au)) > 0) {
- ausearch_reposition_cursors(au);
- return 1;
- } else if (rc < 0)
- return rc;
- } while ((rc = auparse_next_record(au)) > 0);
- if (rc < 0)
- return rc;
- } while ((rc = auparse_next_event(au)) > 0);
- if (rc < 0)
- return rc;
-
- return 0;
-}
-
-// Brute force go to next event. Returns < 0 on error, 0 no data, > 0 success
-int auparse_next_event(auparse_state_t *au)
-{
- int rc;
- au_event_t event;
-
- if (au->parse_state == EVENT_EMITTED) {
- // If the last call resulted in emitting event data then
- // clear previous event data in preparation to accumulate
- // new event data
- aup_list_clear(&au->le);
- au->parse_state = EVENT_EMPTY;
- }
-
- // accumulate new event data
- while (1) {
- rc = retrieve_next_line(au);
- if (debug) printf("next_line(%d) '%s'\n", rc, au->cur_buf);
- if (rc == 0) return 0; // No data now
- if (rc == -2) {
- // We're at EOF, did we read any data previously?
- // If so return data available, else return no data
- // available
- if (au->parse_state == EVENT_ACCUMULATING) {
- if (debug) printf("EOF, EVENT_EMITTED\n");
- au->parse_state = EVENT_EMITTED;
- return 1; // data is available
- }
- return 0;
- }
- if (rc > 0) { // Input available
- rnode *r;
- if (extract_timestamp(au->cur_buf, &event)) {
- if (debug)
- printf("Malformed line:%s\n",
- au->cur_buf);
- continue;
- }
- if (au->parse_state == EVENT_EMPTY) {
- // First record in new event, initialize event
- if (debug)
- printf(
- "First record in new event, initialize event\n");
- aup_list_set_event(&au->le, &event);
- aup_list_append(&au->le, au->cur_buf,
- au->list_idx, au->line_number);
- au->parse_state = EVENT_ACCUMULATING;
- au->cur_buf = NULL;
- } else if (events_are_equal(&au->le.e, &event)) {
- // Accumulate data into existing event
- if (debug)
- printf(
- "Accumulate data into existing event\n");
- aup_list_append(&au->le, au->cur_buf,
- au->list_idx, au->line_number);
- au->parse_state = EVENT_ACCUMULATING;
- au->cur_buf = NULL;
- } else {
- // New event, save input for next invocation
- if (debug)
- printf(
- "New event, save current input for next invocation, EVENT_EMITTED\n");
- push_line(au);
- // Emit the event, set event cursors to
- // initial position
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
- au->parse_state = EVENT_EMITTED;
- free((char *)event.host);
- return 1; // data is available
- }
- free((char *)event.host);
- // Check to see if the event can be emitted due to EOE
- // or something we know is a single record event. At
- // this point, new record should be pointed at 'cur'
- if ((r = aup_list_get_cur(&au->le)) == NULL)
- continue;
- if ( r->type == AUDIT_EOE ||
- r->type < AUDIT_FIRST_EVENT ||
- r->type >= AUDIT_FIRST_ANOM_MSG) {
- // Emit the event, set event cursors to
- // initial position
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
- au->parse_state = EVENT_EMITTED;
- return 1; // data is available
- }
- } else { // Read error
- return -1;
- }
- }
-}
-
-/* Accessors to event data */
-const au_event_t *auparse_get_timestamp(auparse_state_t *au)
-{
- if (au && au->le.e.sec != 0)
- return &au->le.e;
- else
- return NULL;
-}
-
-
-time_t auparse_get_time(auparse_state_t *au)
-{
- if (au)
- return au->le.e.sec;
- else
- return 0;
-}
-
-
-unsigned int auparse_get_milli(auparse_state_t *au)
-{
- if (au)
- return au->le.e.milli;
- else
- return 0;
-}
-
-
-unsigned long auparse_get_serial(auparse_state_t *au)
-{
- if (au)
- return au->le.e.serial;
- else
- return 0;
-}
-
-
-// Gets the machine node name
-const char *auparse_get_node(auparse_state_t *au)
-{
- if (au && au->le.e.host != NULL)
- return strdup(au->le.e.host);
- else
- return NULL;
-}
-
-
-int auparse_node_compare(au_event_t *e1, au_event_t *e2)
-{
- // If both have a host, only a string compare can tell if they
- // are the same. Otherwise, if only one of them have a host, they
- // are definitely not the same. Its a boundary on daemon config.
- if (e1->host && e2->host)
- return strcmp(e1->host, e2->host);
- else if (e1->host)
- return 1;
- else if (e2->host)
- return -1;
-
- return 0;
-}
-
-
-int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2)
-{
- if (e1->sec > e2->sec)
- return 1;
- if (e1->sec < e2->sec)
- return -1;
-
- if (e1->milli > e2->milli)
- return 1;
- if (e1->milli < e2->milli)
- return -1;
-
- if (e1->serial > e2->serial)
- return 1;
- if (e1->serial < e2->serial)
- return -1;
-
- return 0;
-}
-
-unsigned int auparse_get_num_records(auparse_state_t *au)
-{
- return aup_list_get_cnt(&au->le);
-}
-
-
-/* Functions that traverse records in the same event */
-int auparse_first_record(auparse_state_t *au)
-{
- int rc;
-
- if (aup_list_get_cnt(&au->le) == 0) {
- rc = auparse_next_event(au);
- if (rc <= 0)
- return rc;
- }
- aup_list_first(&au->le);
- aup_list_first_field(&au->le);
-
- return 1;
-}
-
-
-int auparse_next_record(auparse_state_t *au)
-{
- if (aup_list_get_cnt(&au->le) == 0) {
- int rc = auparse_first_record(au);
- if (rc <= 0)
- return rc;
- }
- if (aup_list_next(&au->le))
- return 1;
- else
- return 0;
-}
-
-
-int auparse_goto_record_num(auparse_state_t *au, unsigned int num)
-{
- /* Check if a request is out of range */
- if (num >= aup_list_get_cnt(&au->le))
- return 0;
-
- if (aup_list_goto_rec(&au->le, num) != NULL)
- return 1;
- else
- return 0;
-}
-
-
-/* Accessors to record data */
-int auparse_get_type(auparse_state_t *au)
-{
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return r->type;
- else
- return 0;
-}
-
-
-const char *auparse_get_type_name(auparse_state_t *au)
-{
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return audit_msg_type_to_name(r->type);
- else
- return NULL;
-}
-
-
-unsigned int auparse_get_line_number(auparse_state_t *au)
-{
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return r->line_number;
- else
- return 0;
-}
-
-
-const char *auparse_get_filename(auparse_state_t *au)
-{
- switch (au->source)
- {
- case AUSOURCE_FILE:
- case AUSOURCE_FILE_ARRAY:
- break;
- default:
- return NULL;
- }
-
- rnode *r = aup_list_get_cur(&au->le);
- if (r) {
- if (r->list_idx < 0) return NULL;
- return au->source_list[r->list_idx];
- } else {
- return NULL;
- }
-}
-
-
-int auparse_first_field(auparse_state_t *au)
-{
- return aup_list_first_field(&au->le);
-}
-
-
-int auparse_next_field(auparse_state_t *au)
-{
- rnode *r = aup_list_get_cur(&au->le);
- if (r) {
- if (nvlist_next(&r->nv))
- return 1;
- else
- return 0;
- }
- return 0;
-}
-
-
-unsigned int auparse_get_num_fields(auparse_state_t *au)
-{
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return nvlist_get_cnt(&r->nv);
- else
- return 0;
-}
-
-const char *auparse_get_record_text(auparse_state_t *au)
-{
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return r->record;
- else
- return NULL;
-}
-
-
-/* scan from current location to end of event */
-const char *auparse_find_field(auparse_state_t *au, const char *name)
-{
- free(au->find_field);
- au->find_field = strdup(name);
-
- if (au->le.e.sec) {
- const char *cur_name;
- rnode *r;
-
- // look at current record before moving
- r = aup_list_get_cur(&au->le);
- if (r == NULL)
- return NULL;
- cur_name = nvlist_get_cur_name(&r->nv);
- if (cur_name && strcmp(cur_name, name) == 0)
- return nvlist_get_cur_val(&r->nv);
-
- return auparse_find_field_next(au);
- }
- return NULL;
-}
-
-/* Increment 1 location and then scan for next field */
-const char *auparse_find_field_next(auparse_state_t *au)
-{
- if (au->find_field == NULL) {
- errno = EINVAL;
- return NULL;
- }
- if (au->le.e.sec) {
- int moved = 0;
-
- rnode *r = aup_list_get_cur(&au->le);
- while (r) { // For each record in the event...
- if (!moved) {
- nvlist_next(&r->nv);
- moved=1;
- }
- if (nvlist_find_name(&r->nv, au->find_field))
- return nvlist_get_cur_val(&r->nv);
- r = aup_list_next(&au->le);
- if (r)
- aup_list_first_field(&au->le);
- }
- }
- return NULL;
-}
-
-
-/* Accessors to field data */
-const char *auparse_get_field_name(auparse_state_t *au)
-{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return nvlist_get_cur_name(&r->nv);
- }
- return NULL;
-}
-
-
-const char *auparse_get_field_str(auparse_state_t *au)
-{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return nvlist_get_cur_val(&r->nv);
- }
- return NULL;
-}
-
-int auparse_get_field_type(auparse_state_t *au)
-{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return nvlist_get_cur_type(r);
- }
- return AUPARSE_TYPE_UNCLASSIFIED;
-}
-
-int auparse_get_field_int(auparse_state_t *au)
-{
- const char *v = auparse_get_field_str(au);
- if (v) {
- int val;
-
- errno = 0;
- val = strtol(v, NULL, 10);
- if (errno == 0)
- return val;
- } else
- errno = ENODATA;
- return -1;
-}
-
-const char *auparse_interpret_field(auparse_state_t *au)
-{
- if (au->le.e.sec) {
- rnode *r = aup_list_get_cur(&au->le);
- if (r)
- return nvlist_interp_cur_val(r);
- }
- return NULL;
-}
-
diff --git a/framework/src/audit/auparse/auparse.h b/framework/src/audit/auparse/auparse.h
deleted file mode 100644
index 78504ffe..00000000
--- a/framework/src/audit/auparse/auparse.h
+++ /dev/null
@@ -1,112 +0,0 @@
-/* auparse.h --
- * Copyright 2006-08,2012,2014,2015 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-#ifndef AUPARSE_HEADER
-#define AUPARSE_HEADER
-
-#include "auparse-defs.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-/* Library type definitions */
-
-/* opaque data type used for maintaining library state */
-typedef struct opaque auparse_state_t;
-
-typedef void (*user_destroy)(void *user_data);
-typedef void (*auparse_callback_ptr)(auparse_state_t *au,
- auparse_cb_event_t cb_event_type, void *user_data);
-
-/* General functions that affect operation of the library */
-auparse_state_t *auparse_init(ausource_t source, const void *b);
-int auparse_feed(auparse_state_t *au, const char *data, size_t data_len);
-int auparse_flush_feed(auparse_state_t *au);
-int auparse_feed_has_data(const auparse_state_t *au);
-void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
- void *user_data, user_destroy user_destroy_func);
-void auparse_set_escape_mode(auparse_esc_t mode);
-int auparse_reset(auparse_state_t *au);
-void auparse_destroy(auparse_state_t *au);
-
-/* Functions that are part of the search interface */
-int ausearch_add_expression(auparse_state_t *au, const char *expression,
- char **error, ausearch_rule_t how);
-int ausearch_add_item(auparse_state_t *au, const char *field, const char *op,
- const char *value, ausearch_rule_t how);
-int ausearch_add_interpreted_item(auparse_state_t *au, const char *field,
- const char *op, const char *value, ausearch_rule_t how);
-int ausearch_add_timestamp_item(auparse_state_t *au, const char *op, time_t sec,
- unsigned milli, ausearch_rule_t how);
-int ausearch_add_timestamp_item_ex(auparse_state_t *au, const char *op,
- time_t sec, unsigned milli, unsigned serial, ausearch_rule_t how);
-int ausearch_add_regex(auparse_state_t *au, const char *expr);
-int ausearch_set_stop(auparse_state_t *au, austop_t where);
-void ausearch_clear(auparse_state_t *au);
-
-/* Functions that traverse events */
-int ausearch_next_event(auparse_state_t *au);
-int auparse_next_event(auparse_state_t *au);
-
-/* Accessors to event data */
-const au_event_t *auparse_get_timestamp(auparse_state_t *au);
-time_t auparse_get_time(auparse_state_t *au);
-unsigned int auparse_get_milli(auparse_state_t *au);
-unsigned long auparse_get_serial(auparse_state_t *au);
-const char *auparse_get_node(auparse_state_t *au);
-int auparse_node_compare(au_event_t *e1, au_event_t *e2);
-int auparse_timestamp_compare(au_event_t *e1, au_event_t *e2);
-unsigned int auparse_get_num_records(auparse_state_t *au);
-
-/* Functions that traverse records in the same event */
-int auparse_first_record(auparse_state_t *au);
-int auparse_next_record(auparse_state_t *au);
-int auparse_goto_record_num(auparse_state_t *au, unsigned int num);
-
-/* Accessors to record data */
-int auparse_get_type(auparse_state_t *au);
-const char *auparse_get_type_name(auparse_state_t *au);
-unsigned int auparse_get_line_number(auparse_state_t *au);
-const char *auparse_get_filename(auparse_state_t *au);
-int auparse_first_field(auparse_state_t *au);
-int auparse_next_field(auparse_state_t *au);
-unsigned int auparse_get_num_fields(auparse_state_t *au);
-const char *auparse_get_record_text(auparse_state_t *au);
-const char *auparse_find_field(auparse_state_t *au, const char *name);
-const char *auparse_find_field_next(auparse_state_t *au);
-
-/* Accessors to field data */
-const char *auparse_get_field_name(auparse_state_t *au);
-const char *auparse_get_field_str(auparse_state_t *au);
-int auparse_get_field_type(auparse_state_t *au);
-int auparse_get_field_int(auparse_state_t *au);
-const char *auparse_interpret_field(auparse_state_t *au);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
diff --git a/framework/src/audit/auparse/auparse.pc.in b/framework/src/audit/auparse/auparse.pc.in
deleted file mode 100644
index 581287e8..00000000
--- a/framework/src/audit/auparse/auparse.pc.in
+++ /dev/null
@@ -1,11 +0,0 @@
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-libdir=@libdir@
-includedir=@includedir@
-
-Name: libauparse
-Description: Library for apps that want to parse and interpret audit logs
-Version: @VERSION@
-Libs: -L${libdir} -lauparse
-Libs.private: -laudit
-Cflags: -I${includedir}
diff --git a/framework/src/audit/auparse/captab.h b/framework/src/audit/auparse/captab.h
deleted file mode 100644
index 409fdb4e..00000000
--- a/framework/src/audit/auparse/captab.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* captab.h --
- * Copyright 2007,2008,2012-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/capability.h
- */
-
-
-_S(0, "chown" )
-_S(1, "dac_override" )
-_S(2, "dac_read_search" )
-_S(3, "fowner" )
-_S(4, "fsetid" )
-_S(5, "kill" )
-_S(6, "setgid" )
-_S(7, "setuid" )
-_S(8, "setpcap" )
-_S(9, "linux_immutable" )
-_S(10, "net_bind_service" )
-_S(11, "net_broadcast" )
-_S(12, "net_admin" )
-_S(13, "net_raw" )
-_S(14, "ipc_lock" )
-_S(15, "ipc_owner" )
-_S(16, "sys_module" )
-_S(17, "sys_rawio" )
-_S(18, "sys_chroot" )
-_S(19, "sys_ptrace" )
-_S(20, "sys_pacct" )
-_S(21, "sys_admin" )
-_S(22, "sys_boot" )
-_S(23, "sys_nice" )
-_S(24, "sys_resource" )
-_S(25, "sys_time" )
-_S(26, "sys_tty_config" )
-_S(27, "mknod" )
-_S(28, "lease" )
-_S(29, "audit_write" )
-_S(30, "audit_control" )
-_S(31, "setfcap" )
-_S(32, "mac_override" )
-_S(33, "mac_admin" )
-_S(34, "syslog" )
-_S(35, "wake_alarm" )
-_S(36, "block_suspend" )
-_S(37, "audit_read" )
diff --git a/framework/src/audit/auparse/clocktab.h b/framework/src/audit/auparse/clocktab.h
deleted file mode 100644
index bcb396fe..00000000
--- a/framework/src/audit/auparse/clocktab.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/* clocktab.h --
- * Copyright 2012,2014 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/time.h
- */
-
-_S(0, "CLOCK_REALTIME" )
-_S(1, "CLOCK_MONOTONIC" )
-_S(2, "CLOCK_PROCESS_CPUTIME_ID" )
-_S(3, "CLOCK_THREAD_CPUTIME_ID" )
-_S(4, "CLOCK_MONOTONIC_RAW" )
-_S(5, "CLOCK_REALTIME_COARSE" )
-_S(6, "CLOCK_MONOTONIC_COARSE" )
-_S(7, "CLOCK_BOOTTIME" )
-_S(8, "CLOCK_REALTIME_ALARM" )
-_S(9, "CLOCK_BOOTTIME_ALARM" )
-_S(10, "CLOCK_SGI_CYCLE" )
-_S(11, "CLOCK_TAI" )
-
diff --git a/framework/src/audit/auparse/clone-flagtab.h b/framework/src/audit/auparse/clone-flagtab.h
deleted file mode 100644
index 503e84bc..00000000
--- a/framework/src/audit/auparse/clone-flagtab.h
+++ /dev/null
@@ -1,47 +0,0 @@
-/* clone-flagtab.h --
- * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/sched.h
- */
-
-_S(0x00000100, "CLONE_VM" )
-_S(0x00000200, "CLONE_FS" )
-_S(0x00000400, "CLONE_FILES" )
-_S(0x00000800, "CLONE_SIGHAND" )
-_S(0x00002000, "CLONE_PTRACE" )
-_S(0x00004000, "CLONE_VFORK" )
-_S(0x00008000, "CLONE_PARENT" )
-_S(0x00010000, "CLONE_THREAD" )
-_S(0x00020000, "CLONE_NEWNS" )
-_S(0x00040000, "CLONE_SYSVSEM" )
-_S(0x00080000, "CLONE_SETTLS" )
-_S(0x00100000, "CLONE_PARENT_SETTID" )
-_S(0x00200000, "CLONE_CHILD_CLEARTID" )
-_S(0x00400000, "CLONE_DETACHED" )
-_S(0x00800000, "CLONE_UNTRACED" )
-_S(0x01000000, "CLONE_CHILD_SETTID" )
-_S(0x02000000, "CLONE_STOPPED" )
-_S(0x04000000, "CLONE_NEWUTS" )
-_S(0x08000000, "CLONE_NEWIPC" )
-_S(0x10000000, "CLONE_NEWUSER" )
-_S(0x20000000, "CLONE_NEWPID" )
-_S(0x40000000, "CLONE_NEWNET" )
-_S(0x80000000, "CLONE_IO" )
-
diff --git a/framework/src/audit/auparse/data_buf.c b/framework/src/audit/auparse/data_buf.c
deleted file mode 100644
index 43b5999e..00000000
--- a/framework/src/audit/auparse/data_buf.c
+++ /dev/null
@@ -1,394 +0,0 @@
-/* data_buf.c --
- * Copyright 2007,2011 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * John Dennis <jdennis@redhat.com>
- */
-
-/*
- * gcc -DTEST -g data_buf.c -o data_buf
- * gcc -DTEST -g data_buf.c -o data_buf && valgrind --leak-check=yes ./data_buf
- */
-
-/*****************************************************************************/
-/******************************** Documentation ******************************/
-/*****************************************************************************/
-
-/*****************************************************************************/
-/******************************* Include Files *******************************/
-/*****************************************************************************/
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <assert.h>
-#include <stdarg.h>
-#include <errno.h>
-#include "data_buf.h"
-
-/*****************************************************************************/
-/****************************** Internal Defines *****************************/
-/*****************************************************************************/
-
-#ifndef MIN
-#define MIN(a,b) (((a)<=(b))?(a):(b))
-#endif
-
-#ifndef MAX
-#define MAX(a,b) (((a)>=(b))?(a):(b))
-#endif
-
-//#define DEBUG 1
-
-#ifdef DEBUG
-#define DATABUF_VALIDATE(db) \
-{ \
- if (db->alloc_ptr == NULL || db->alloc_size == 0) { \
- assert(db->alloc_ptr == NULL); \
- assert(db->alloc_size == 0); \
- assert(db->len == 0); \
- } else { \
- assert(db->offset <= db->alloc_size); \
- assert(db->len <= db->alloc_size); \
- assert(db->offset+db->len <= db->alloc_size); \
- } \
-}
-#else
-#define DATABUF_VALIDATE(db)
-#endif
-
-/*****************************************************************************/
-/************************** Internal Type Definitions ************************/
-/*****************************************************************************/
-
-/*****************************************************************************/
-/********************** External Function Declarations *********************/
-/*****************************************************************************/
-
-/*****************************************************************************/
-/********************** Internal Function Declarations *********************/
-/*****************************************************************************/
-
-static int databuf_shift_data_to_beginning(DataBuf *db);
-static int databuf_strcat(DataBuf *db, const char *str);
-
-/*****************************************************************************/
-/************************* External Global Variables ***********************/
-/*****************************************************************************/
-
-/*****************************************************************************/
-/************************* Internal Global Variables ***********************/
-/*****************************************************************************/
-
-#ifdef DEBUG
-static int debug = 0;
-#endif
-
-/*****************************************************************************/
-/**************************** Inline Functions *****************************/
-/*****************************************************************************/
-static inline char *databuf_end(DataBuf *db)
-{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset+db->len;}
-
-static inline char *databuf_alloc_end(DataBuf *db)
-{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->alloc_size;}
-
-static inline int databuf_tail_size(DataBuf *db)
-{return db->alloc_size - (db->offset+db->len);}
-
-static inline int databuf_tail_available(DataBuf *db, size_t append_len)
-{return append_len <= databuf_tail_size(db);}
-
-static inline size_t databuf_free_size(DataBuf *db)
-{return db->alloc_size-db->len;}
-
-/*****************************************************************************/
-/*************************** Internal Functions ****************************/
-/*****************************************************************************/
-
-static int databuf_shift_data_to_beginning(DataBuf *db)
-{
- DATABUF_VALIDATE(db);
- if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) return -1;
- if (databuf_beg(db) == NULL) return 1;
- if (db->offset) {
- memmove(db->alloc_ptr, databuf_beg(db), db->len);
- db->offset = 0;
- }
- DATABUF_VALIDATE(db);
- return 1;
-}
-
-/*****************************************************************************/
-/**************************** Exported Functions ***************************/
-/*****************************************************************************/
-
-void databuf_print(DataBuf *db, int print_data, char *fmt, ...)
-{
- va_list ap;
- va_start(ap, fmt);
- if (fmt) {
- vprintf(fmt, ap);
- }
- printf("%salloc_size=%zu alloc_ptr=%p offset=%zu beg=%p len=%zu max_len=%zu flags=[",
- fmt?" ":"", db->alloc_size, db->alloc_ptr, db->offset, databuf_beg(db), db->len, db->max_len);
-
- if (db->flags & DATABUF_FLAG_PRESERVE_HEAD) printf("PRESERVE_HEAD ");
- if (db->flags & DATABUF_FLAG_STRING) printf("STRING ");
- printf("]");
-
- if (print_data) {
- printf(" [");
- fwrite(databuf_beg(db), 1, db->len, stdout);
- printf("]");
- }
- printf("\n");
- va_end(ap);
-}
-
-int databuf_init(DataBuf *db, size_t size, unsigned flags)
-{
- db->alloc_ptr = NULL;
- db->alloc_size = 0;
- db->offset = 0;
- db->len = 0;
- db->max_len = 0;
- db->flags = flags;
-
- if (size) {
- if ((db->alloc_ptr = malloc(size))) {
- db->alloc_size = size;
- return 1;
- } else {
- return -1;
- }
- }
-
- // For strings intialize with initial NULL terminator
- if (flags & DATABUF_FLAG_STRING) databuf_strcat(db, "");
-
- return 1;
-}
-
-void databuf_free(DataBuf *db)
-{
- DATABUF_VALIDATE(db);
-
- if (db->alloc_ptr != NULL) {
- free(db->alloc_ptr);
- }
-
- db->alloc_ptr = NULL;
- db->alloc_size = 0;
- db->offset = 0;
- db->len = 0;
- db->max_len = 0;
-
- DATABUF_VALIDATE(db);
-}
-
-int databuf_append(DataBuf *db, const char *src, size_t src_size)
-{
- size_t new_size;
-
- DATABUF_VALIDATE(db);
-
- if (src == NULL || src_size == 0) return 0;
-
- new_size = db->len+src_size;
-
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_append() size=%zd", src_size);
-#endif
- if ((new_size > db->alloc_size) ||
- ((db->flags & DATABUF_FLAG_PRESERVE_HEAD) && !databuf_tail_available(db, src_size))) {
- /* not enough room, we must realloc */
- void *new_alloc;
-
- databuf_shift_data_to_beginning(db);
- if ((new_alloc = realloc(db->alloc_ptr, new_size))) {
- db->alloc_ptr = new_alloc;
- db->alloc_size = new_size;
- } else {
- return -1; /* realloc failed */
- }
- } else {
- /* we can fit within current allocation, but can we append? */
- if (!databuf_tail_available(db, src_size)) {
- /* we can't append in place, must create room at tail by shifting
- data forward to the beginning of the allocation block */
- databuf_shift_data_to_beginning(db);
- }
- }
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_append() about to memmove()");
-#endif
- /* pointers all set up and room availble, move the data and update */
- memmove(databuf_end(db), src, src_size);
- db->len = new_size;
- db->max_len = MAX(db->max_len, new_size);
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_append() conclusion");
-#endif
- DATABUF_VALIDATE(db);
- return 1;
-}
-
-static int databuf_strcat(DataBuf *db, const char *str)
-{
- size_t str_len;
-
- DATABUF_VALIDATE(db);
-
- if (str == NULL) return 0;
-
- // +1 so the data append also copies the NULL terminator
- str_len = strlen(str) + 1;
-
- // If there is a NULL terminator exclude it so the subsequent
- // data append produces a proper string concatenation
- if (db->len > 0) {
- char *last_char = databuf_end(db) - 1;
- if (*last_char == 0) {
- db->len--; // backup over NULL terminator
- }
- }
-
- // Copy string and NULL terminator
- databuf_append(db, str, str_len);
-
- DATABUF_VALIDATE(db);
- return 1;
-}
-
-int databuf_advance(DataBuf *db, size_t advance)
-{
- size_t actual_advance;
- DATABUF_VALIDATE(db);
-
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_advance() enter, advance=%zd", advance);
-#endif
- actual_advance = MIN(advance, db->len);
- db->offset += actual_advance;
- db->len -= actual_advance;
-
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_advance() leave, actual_advance=%zd", actual_advance);
-#endif
- DATABUF_VALIDATE(db);
- if (advance == actual_advance) {
- return 1;
- } else {
- errno = ESPIPE; // Illegal seek
- return -1;
- }
-}
-
-int databuf_reset(DataBuf *db)
-{
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_reset() entry");
-#endif
- if (!(db->flags & DATABUF_FLAG_PRESERVE_HEAD)) return -1;
- db->offset = 0;
- db->len = MIN(db->alloc_size, db->max_len);
-#ifdef DEBUG
- if (debug) databuf_print(db, 1, "databuf_reset() exit");
-#endif
- return 1;
-}
-
-/*****************************************************************************/
-/******************************* Test Program ******************************/
-/*****************************************************************************/
-
-#ifdef TEST
-static char *make_data(size_t size, const char *fill) {
- int n=0;
- char *data = malloc(size);
-
- if (data == NULL) {
- fprintf(stderr, "ERROR: make_data malloc failed\n");
- exit(1);
- }
-
- n += snprintf(data, size, "%d", size);
- while (n < size) {
- n += snprintf(data+n, size-n, "%s", fill);
- }
- return data;
-}
-
-int main(int argc, char **argv)
-{
- size_t size = 0;
- DataBuf buf;
- char *data;
-
- assert(databuf_init(&buf, size, DATABUF_FLAG_STRING));
- databuf_print(&buf, 1, "after init size=%d", size);
-
-#if 1
- data = "a";
- assert(databuf_strcat(&buf, data));
- databuf_print(&buf, 1, "after strcat(%s)", data);
-
- data = "bb";
- assert(databuf_strcat(&buf, data));
- databuf_print(&buf, 1, "after strcat(%s)", data);
-
- data = "ccc";
- assert(databuf_strcat(&buf, data));
- databuf_print(&buf, 1, "after strcat(%s)", data);
-
-#endif
-
- databuf_free(&buf);
-
-#if 0
- assert(databuf_init(&buf, size, 0));
- databuf_print(&buf, 1, "after init size=%d", size);
-
- size = 8;
- data = make_data(size, "a");
- assert(databuf_append(&buf, data, size));
- databuf_print(&buf, 1, "after append size=%d", size);
- assert(databuf_append(&buf, data, size));
- free(data);
- databuf_print(&buf, 1, "after append size=%d", size);
-
- assert(databuf_advance(&buf, 4));
- databuf_print(&buf, 1, "after databuf_advance(%d", 4);
-
- size = 5;
- data = make_data(size, "b");
- assert(databuf_append(&buf, data, size));
- free(data);
- databuf_print(&buf, 1, "after append size=%d", size);
- size = 7;
- data = make_data(size, "c");
- assert(databuf_append(&buf, data, size));
- free(data);
- databuf_print(&buf, 1, "after append size=%d", size);
-
- databuf_free(&buf);
-#endif
- exit(0);
-}
-#endif
diff --git a/framework/src/audit/auparse/data_buf.h b/framework/src/audit/auparse/data_buf.h
deleted file mode 100644
index 66323fb7..00000000
--- a/framework/src/audit/auparse/data_buf.h
+++ /dev/null
@@ -1,80 +0,0 @@
-/* data_buf.h --
- * Copyright 2007 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * John Dennis <jdennis@redhat.com>
- */
-
-#ifndef DATA_BUF_HEADER
-#define DATA_BUF_HEADER
-
-/*****************************************************************************/
-/******************************* Include Files *******************************/
-/*****************************************************************************/
-#include "config.h"
-#include "private.h"
-
-/*****************************************************************************/
-/*********************************** Defines *********************************/
-/*****************************************************************************/
-
-#define DATABUF_FLAG_PRESERVE_HEAD (1 << 0)
-#define DATABUF_FLAG_STRING (2 << 0)
-
-
-/*****************************************************************************/
-/******************************* Type Definitions ****************************/
-/*****************************************************************************/
-
-typedef struct Databuf {
- unsigned flags;
- size_t alloc_size;
- char *alloc_ptr;
- size_t offset;
- size_t len;
- size_t max_len;
-} DataBuf;
-
-/*****************************************************************************/
-/************************* External Global Variables ***********************/
-/*****************************************************************************/
-
-/*****************************************************************************/
-/***************************** Inline Functions ****************************/
-/*****************************************************************************/
-
-static inline char *databuf_beg(DataBuf *db)
-{return (db->alloc_ptr == NULL) ? NULL : db->alloc_ptr+db->offset;}
-
-/*****************************************************************************/
-/**************************** Exported Functions ***************************/
-/*****************************************************************************/
-
-void databuf_print(DataBuf *db, int print_data, char *fmt, ...) hidden
-#ifdef __GNUC__
- __attribute__ ((format (printf, 3, 4)));
-#else
- ;
-#endif
-int databuf_init(DataBuf *db, size_t size, unsigned flags) hidden;
-void databuf_free(DataBuf *db) hidden;
-int databuf_append(DataBuf *db, const char *src, size_t src_size) hidden;
-int databuf_advance(DataBuf *db, size_t advance) hidden;
-int databuf_reset(DataBuf *db) hidden;
-
-#endif
diff --git a/framework/src/audit/auparse/ellist.c b/framework/src/audit/auparse/ellist.c
deleted file mode 100644
index e5b60264..00000000
--- a/framework/src/audit/auparse/ellist.c
+++ /dev/null
@@ -1,428 +0,0 @@
-/*
-* ellist.c - Minimal linked list library
-* Copyright (c) 2006-08,2014 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#include <errno.h>
-#include <libaudit.h>
-#include "ellist.h"
-#include "interpret.h"
-
-static const char key_sep[2] = { AUDIT_KEY_SEPARATOR, 0 };
-
-void aup_list_create(event_list_t *l)
-{
- l->head = NULL;
- l->cur = NULL;
- l->cnt = 0;
- l->e.milli = 0L;
- l->e.sec = 0L;
- l->e.serial = 0L;
- l->e.host = NULL;
-}
-
-static void aup_list_last(event_list_t *l)
-{
- register rnode* window;
-
- if (l->head == NULL)
- return;
-
- window = l->head;
- while (window->next)
- window = window->next;
- l->cur = window;
-}
-
-rnode *aup_list_next(event_list_t *l)
-{
- if (l->cur)
- l->cur = l->cur->next;
- return l->cur;
-}
-
-/*
- * * This function does encoding of "untrusted" names just like the kernel
- * */
-static char *_audit_c2x(char *final, const char *buf, unsigned int size)
-{
- unsigned int i;
- char *ptr = final;
- const char *hex = "0123456789ABCDEF";
-
- for (i=0; i<size; i++) {
- *ptr++ = hex[(buf[i] & 0xF0)>>4]; /* Upper nibble */
- *ptr++ = hex[buf[i] & 0x0F]; /* Lower nibble */
- }
- *ptr = 0;
- return final;
-}
-
-static char *escape(const char *tmp)
-{
- char *name;
- const unsigned char *p = (unsigned char *)tmp;
- while (*p) {
- if (*p == '"' || *p < 0x21 || *p > 0x7e) {
- int len = strlen(tmp);
- name = malloc((2*len)+1);
- return _audit_c2x(name, tmp, len);
- }
- p++;
- }
- if (asprintf(&name, "\"%s\"", tmp) < 0)
- name = NULL;
- return name;
-}
-
-/* This funtion does the heavy duty work of splitting a record into
- * its little tiny pieces */
-static int parse_up_record(rnode* r)
-{
- char *ptr, *buf, *saved=NULL;
- int offset = 0;
-
- buf = strdup(r->record);
- ptr = audit_strsplit_r(buf, &saved);
- if (ptr == NULL) {
- free(buf);
- return -1;
- }
-
- do { // If there's an '=' sign, its a keeper
- nvnode n;
- char *val = strchr(ptr, '=');
- if (val) {
- int len;
-
- // If name is 'msg=audit' throw it away
- if (*ptr == 'm' && strncmp(ptr, "msg=", 4) == 0) {
- if (ptr[4] == 'a')
- continue;
-
- // If name is 'msg='' chop off and see
- // if there is still a = in the string.
- else if (ptr[4] == '\'') {
- ptr += 5;
- val = strchr(ptr, '=');
- if (val == NULL)
- continue;
- }
- }
-
- // Split the string
- *val = 0;
- val++;
-
- // Remove beginning cruft of name
- if (*ptr == '(')
- ptr++;
- n.name = strdup(ptr);
- n.val = strdup(val);
- // Remove trailing punctuation
- len = strlen(n.val);
- if (len && n.val[len-1] == ':') {
- n.val[len-1] = 0;
- len--;
- }
- if (len && n.val[len-1] == ',') {
- n.val[len-1] = 0;
- len--;
- }
- if (len && n.val[len-1] == '\'') {
- n.val[len-1] = 0;
- len--;
- }
- if (len && n.val[len-1] == ')') {
- if (strcmp(n.val, "(none)") &&
- strcmp(n.val, "(null)")) {
- n.val[len-1] = 0;
- len--;
- }
- }
- // Make virtual keys or just store it
- if (strcmp(n.name, "key") == 0 && *n.val != '(') {
- if (*n.val == '"')
- nvlist_append(&r->nv, &n);
- else {
- char *key, *ptr, *saved2;
-
- key = (char *)au_unescape(n.val);
- if (key == NULL) {
- // Malformed key - save as is
- nvlist_append(&r->nv, &n);
- continue;
- }
- ptr = strtok_r(key, key_sep, &saved2);
- free(n.name);
- free(n.val);
- while (ptr) {
- n.name = strdup("key");
- n.val = escape(ptr);
- nvlist_append(&r->nv, &n);
- ptr = strtok_r(NULL,
- key_sep, &saved2);
- }
- free(key);
- }
- continue;
- } else
- nvlist_append(&r->nv, &n);
-
- // Do some info gathering for use later
- if (r->nv.cnt == 1 && strcmp(n.name, "node") == 0)
- offset = 1; // if node, some positions changes
- else if (r->nv.cnt == (1 + offset) &&
- strcmp(n.name, "type") == 0) {
- r->type = audit_name_to_msg_type(n.val);
- } else if (r->nv.cnt == (2 + offset) &&
- strcmp(n.name, "arch")== 0){
- unsigned int ival;
- errno = 0;
- ival = strtoul(n.val, NULL, 16);
- if (errno)
- r->machine = -2;
- else
- r->machine = audit_elf_to_machine(ival);
- } else if (r->nv.cnt == (3 + offset) &&
- strcmp(n.name, "syscall") == 0){
- errno = 0;
- r->syscall = strtoul(n.val, NULL, 10);
- if (errno)
- r->syscall = -1;
- } else if (r->nv.cnt == (6 + offset) &&
- strcmp(n.name, "a0") == 0){
- errno = 0;
- r->a0 = strtoull(n.val, NULL, 16);
- if (errno)
- r->a0 = -1LL;
- } else if (r->nv.cnt == (7 + offset) &&
- strcmp(n.name, "a1") == 0){
- errno = 0;
- r->a1 = strtoull(n.val, NULL, 16);
- if (errno)
- r->a1 = -1LL;
- }
- } else if (r->type == AUDIT_AVC || r->type == AUDIT_USER_AVC) {
- // We special case these 2 fields because selinux
- // avc messages do not label these fields.
- n.name = NULL;
- if (nvlist_get_cnt(&r->nv) == (1 + offset)) {
- // skip over 'avc:'
- if (strncmp(ptr, "avc", 3) == 0)
- continue;
- n.name = strdup("seresult");
- } else if (nvlist_get_cnt(&r->nv) == (2 + offset)) {
- // skip over open brace
- if (*ptr == '{') {
- int total = 0, len;
- char tmpctx[256], *to;
- tmpctx[0] = 0;
- to = tmpctx;
- ptr = audit_strsplit_r(NULL, &saved);
- while (ptr && *ptr != '}') {
- len = strlen(ptr);
- if ((len+1) >= (256-total)) {
- free(buf);
- return -1;
- }
- if (tmpctx[0]) {
- to = stpcpy(to, ",");
- total++;
- }
- to = stpcpy(to, ptr);
- total += len;
- ptr = audit_strsplit_r(NULL,
- &saved);
- }
- n.name = strdup("seperms");
- n.val = strdup(tmpctx);
- nvlist_append(&r->nv, &n);
- continue;
- }
- } else
- continue;
- n.val = strdup(ptr);
- nvlist_append(&r->nv, &n);
- }
- // FIXME: There should be an else here to catch ancillary data
- } while((ptr = audit_strsplit_r(NULL, &saved)));
-
- free(buf);
- r->nv.cur = r->nv.head; // reset to beginning
- return 0;
-}
-
-int aup_list_append(event_list_t *l, char *record, int list_idx,
- unsigned int line_number)
-{
- rnode* r;
-
- if (record == NULL)
- return -1;
-
- // First step is build rnode
- r = malloc(sizeof(rnode));
- if (r == NULL)
- return -1;
-
- r->record = record;
- r->type = 0;
- r->a0 = 0LL;
- r->a1 = 0LL;
- r->machine = -1;
- r->syscall = -1;
- r->item = l->cnt;
- r->list_idx = list_idx;
- r->line_number = line_number;
- r->next = NULL;
- nvlist_create(&r->nv);
-
- // if we are at top, fix this up
- if (l->head == NULL)
- l->head = r;
- else { // Otherwise add pointer to newnode
- aup_list_last(l);
- l->cur->next = r;
- }
-
- // make newnode current
- l->cur = r;
- l->cnt++;
-
- // Then parse the record up into nvlist
- return parse_up_record(r);
-}
-
-void aup_list_clear(event_list_t* l)
-{
- rnode* nextnode;
- register rnode* current;
-
- if (l == NULL)
- return;
-
- current = l->head;
- while (current) {
- nextnode=current->next;
- nvlist_clear(&current->nv);
- free(current->record);
- free(current);
- current=nextnode;
- }
- l->head = NULL;
- l->cur = NULL;
- l->cnt = 0;
- l->e.milli = 0L;
- l->e.sec = 0L;
- l->e.serial = 0L;
- free((char *)l->e.host);
- l->e.host = NULL;
-}
-
-/*int aup_list_get_event(event_list_t* l, au_event_t *e)
-{
- if (l == NULL || e == NULL)
- return 0;
-
- e->sec = l->e.sec;
- e->milli = l->e.milli;
- e->serial = l->e.serial;
- if (l->e.host)
- e->host = strdup(l->e.host);
- else
- e->host = NULL;
- return 1;
-} */
-
-int aup_list_set_event(event_list_t* l, au_event_t *e)
-{
- if (l == NULL || e == NULL)
- return 0;
-
- l->e.sec = e->sec;
- l->e.milli = e->milli;
- l->e.serial = e->serial;
- l->e.host = e->host; // Take custody of the memory
- e->host = NULL;
- return 1;
-}
-
-rnode *aup_list_find_rec(event_list_t *l, int i)
-{
- register rnode* window;
-
- window = l->head; /* start at the beginning */
- while (window) {
- if (window->type == i) {
- l->cur = window;
- return window;
- } else
- window = window->next;
- }
- return NULL;
-}
-
-rnode *aup_list_goto_rec(event_list_t *l, int i)
-{
- register rnode* window;
-
- window = l->head; /* start at the beginning */
- while (window) {
- if (window->item == i) {
- l->cur = window;
- return window;
- } else
- window = window->next;
- }
- return NULL;
-}
-
-rnode *aup_list_find_rec_range(event_list_t *l, int low, int high)
-{
- register rnode* window;
-
- if (high <= low)
- return NULL;
-
- window = l->head; /* Start at the beginning */
- while (window) {
- if (window->type >= low && window->type <= high) {
- l->cur = window;
- return window;
- } else
- window = window->next;
- }
- return NULL;
-}
-
-int aup_list_first_field(event_list_t *l)
-{
- if (l->cur) {
- nvlist_first(&l->cur->nv);
- return 1;
- } else
- return 0;
-}
-
diff --git a/framework/src/audit/auparse/ellist.h b/framework/src/audit/auparse/ellist.h
deleted file mode 100644
index 2b43a68d..00000000
--- a/framework/src/audit/auparse/ellist.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
-* ellist.h - Header file for ellist.c
-* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#ifndef ELLIST_HEADER
-#define ELLIST_HEADER
-
-#include "config.h"
-#include "private.h"
-#include "auparse-defs.h"
-#include <sys/types.h>
-#include "nvlist.h"
-
-/* This is the linked list head. Only data elements that are 1 per
- * event goes here. */
-typedef struct {
- rnode *head; // List head
- rnode *cur; // Pointer to current node
- unsigned int cnt; // How many items in this list
-
- // Data we add as 1 per event
- au_event_t e; // event - time & serial number
-} event_list_t;
-
-void aup_list_create(event_list_t *l) hidden;
-void aup_list_clear(event_list_t* l) hidden;
-static inline unsigned int aup_list_get_cnt(event_list_t *l) { return l->cnt; }
-static inline void aup_list_first(event_list_t *l) { l->cur = l->head; }
-static inline rnode *aup_list_get_cur(event_list_t *l) { return l->cur; }
-rnode *aup_list_next(event_list_t *l) hidden;
-int aup_list_append(event_list_t *l, char *record, int list_idx, unsigned int line_number) hidden;
-//int aup_list_get_event(event_list_t* l, au_event_t *e) hidden;
-int aup_list_set_event(event_list_t* l, au_event_t *e) hidden;
-
-/* Given a message type, find the matching node */
-rnode *aup_list_find_rec(event_list_t *l, int i) hidden;
-
-/* Seek to a specific record number */
-rnode *aup_list_goto_rec(event_list_t *l, int i) hidden;
-
-/* Given two message types, find the first matching node */
-rnode *aup_list_find_rec_range(event_list_t *l, int low, int high) hidden;
-
-int aup_list_first_field(event_list_t *l) hidden;
-
-#endif
-
diff --git a/framework/src/audit/auparse/epoll_ctl.h b/framework/src/audit/auparse/epoll_ctl.h
deleted file mode 100644
index 3d58a2bf..00000000
--- a/framework/src/audit/auparse/epoll_ctl.h
+++ /dev/null
@@ -1,27 +0,0 @@
-/* epoll_ctl.h --
- * Copyright 2008,2012,2014 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/eventpoll.h
- */
-
-_S(1, "EPOLL_CTL_ADD" )
-_S(2, "EPOLL_CTL_DEL" )
-_S(3, "EPOLL_CTL_MOD" )
-
diff --git a/framework/src/audit/auparse/expression.c b/framework/src/audit/auparse/expression.c
deleted file mode 100644
index 6bed45ba..00000000
--- a/framework/src/audit/auparse/expression.c
+++ /dev/null
@@ -1,1111 +0,0 @@
-/*
-* expression.c - Expression parsing and handling
-* Copyright (C) 2008,2014 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Miloslav Trmač <mitr@redhat.com>
-* Steve Grubb <sgrubb@redhat.com> extended timestamp
-*/
-
-#include <assert.h>
-#include <errno.h>
-#include <limits.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "expression.h"
-
- /* Utilities */
-
-/* Free EXPR and all its subexpressions. */
-void
-expr_free(struct expr *expr)
-{
- switch (expr->op) {
- case EO_NOT:
- expr_free(expr->v.sub[0]);
- break;
-
- case EO_AND: case EO_OR:
- expr_free(expr->v.sub[0]);
- expr_free(expr->v.sub[1]);
- break;
-
- case EO_RAW_EQ: case EO_RAW_NE: case EO_INTERPRETED_EQ:
- case EO_INTERPRETED_NE: case EO_VALUE_EQ: case EO_VALUE_NE:
- case EO_VALUE_LT: case EO_VALUE_LE: case EO_VALUE_GT: case EO_VALUE_GE:
- if (expr->virtual_field == 0)
- free(expr->v.p.field.name);
- if (expr->precomputed_value == 0)
- free(expr->v.p.value.string);
- break;
-
- case EO_FIELD_EXISTS:
- assert(expr->virtual_field == 0);
- free(expr->v.p.field.name);
- break;
-
- case EO_REGEXP_MATCHES:
- regfree(expr->v.regexp);
- free(expr->v.regexp);
- break;
-
- default:
- abort();
- }
- free(expr);
-}
-
- /* Expression parsing. */
-
-/* The formal grammar:
-
- start: or-expression
-
- or-expression: and-expression
- or-expression: or-expression || and-expression
-
- and-expression: primary-expression
- and-expression: and-expression && primary-expression
-
- primary-expression: ! primary-expression
- primary-expression: ( or-expression )
- primary-expression: comparison-expression
-
- comparison-expression: field op value
- comparison-expression: field-escape "regexp" regexp-value
- field: string
- field: field-escape string
- value: string
- regexp-value: string
- regexp-value: regexp */
-
-/* Token types */
-enum token_type {
- /* EO_* */
- T_LEFT_PAREN = NUM_EO_VALUES, T_RIGHT_PAREN, T_STRING, T_REGEXP,
- T_FIELD_ESCAPE, T_UNKNOWN, T_EOF
-};
-
-/* Expression parsing status */
-struct parsing {
- char **error; /* Error message destination. */
- enum token_type token;
- const char *token_start; /* Original "src" value */
- int token_len; /* int because it must be usable in %.*s */
- char *token_value; /* Non-NULL only for T_STRING, until used */
- const char *src; /* Expression source, after the current token */
-};
-
-static struct expr *parse_or(struct parsing *p);
-
-/* Allocate SIZE bytes.
- On error, return NULL and try to set *P->ERROR. */
-static void *
-parser_malloc(struct parsing *p, size_t size)
-{
- void *res;
-
- res = malloc(size);
- if (res != NULL || size == 0)
- return res;
- *p->error = strdup("Out of memory");
- return NULL;
-}
-
-/* Reallocate PTR to SIZE bytes.
- On error, free(PTR), return NULL and try to set *P->ERROR.
- NOTE: realloc() does not free(PTR), this function does. */
-static void *
-parser_realloc(struct parsing *p, void *ptr, size_t size)
-{
- void *res;
-
- res = realloc(ptr, size);
- if (res != NULL || size == 0)
- return res;
- free(ptr);
- *p->error = strdup("Out of memory");
- return NULL;
-}
-
-/* Discard P->token_value, if any, and parse the next token in P->src.
- On success, return 0.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- -1. */
-static int
-lex(struct parsing *p)
-{
- free(p->token_value);
- p->token_value = NULL;
- while (*p->src == ' ' || *p->src == '\t' || *p->src == '\n')
- p->src++;
- p->token_start = p->src;
- switch (*p->src) {
- case '\0':
- p->token = T_EOF;
- break;
-
- case '!':
- p->src++;
- if (*p->src == '=' && p->src[1] == '=') {
- p->src += 2;
- p->token = EO_VALUE_NE;
- break;
- }
- p->token = EO_NOT;
- break;
-
- case '"': case '/': {
- char *buf, delimiter;
- size_t dest, buf_size;
-
- delimiter = *p->src;
- buf_size = 8;
- buf = parser_malloc(p, buf_size);
- if (buf == NULL)
- return -1;
- p->src++;
- dest = 0;
- while (*p->src != delimiter) {
- if (*p->src == '\0') {
- *p->error = strdup("Terminating delimiter "
- "missing");
- free(buf);
- return -1;
- }
- if (*p->src == '\\') {
- p->src++;
- if (*p->src != '\\' && *p->src != delimiter) {
- if (asprintf(p->error, "Unknown escape "
- "sequence ``\\%c''",
- *p->src) < 0)
- *p->error = NULL;
- free(buf);
- return -1;
- }
- }
- /* +1: make sure there is space for the terminating
- NUL. */
- if (dest + 1 >= buf_size) {
- if (buf_size > SIZE_MAX / 2) {
- *p->error = strdup("Delimited string "
- "too long");
- free(buf);
- return -1;
- }
- buf_size *= 2;
- buf = parser_realloc(p, buf, buf_size);
- if (buf == NULL) {
- *p->error = strdup("Out of memory");
- return -1;
- }
- }
- buf[dest] = *p->src;
- dest++;
- p->src++;
- }
- p->src++;
- buf[dest] = '\0';
- p->token_value = parser_realloc(p, buf, dest + 1);
- if (p->token_value == NULL)
- return -1;
- p->token = delimiter == '/' ? T_REGEXP : T_STRING;
- break;
- }
-
- case '&':
- p->src++;
- if (*p->src == '&') {
- p->src++;
- p->token = EO_AND;
- break;
- }
- p->token = T_UNKNOWN;
- break;
-
- case '(':
- p->src++;
- p->token = T_LEFT_PAREN;
- break;
-
- case ')':
- p->src++;
- p->token = T_RIGHT_PAREN;
- break;
-
- case '<':
- p->src++;
- if (*p->src == '=') {
- p->src++;
- p->token = EO_VALUE_LE;
- break;
- }
- p->token = EO_VALUE_LT;
- break;
-
- case '=':
- p->src++;
- if (*p->src == '=') {
- p->src++;
- p->token = EO_VALUE_EQ;
- break;
- }
- p->token = T_UNKNOWN;
- break;
-
- case '>':
- p->src++;
- if (*p->src == '=') {
- p->src++;
- p->token = EO_VALUE_GE;
- break;
- }
- p->token = EO_VALUE_GT;
- break;
-
- case '\\':
- p->src++;
- p->token = T_FIELD_ESCAPE;
- break;
-
- case '|':
- p->src++;
- if (*p->src == '|') {
- p->src++;
- p->token = EO_OR;
- break;
- }
- p->token = T_UNKNOWN;
- break;
-
- case 'i':
- if (p->src[1] == '=') {
- p->src += 2;
- p->token = EO_INTERPRETED_EQ;
- break;
- } else if (p->src[1] == '!' && p->src[2] == '=') {
- p->src += 3;
- p->token = EO_INTERPRETED_NE;
- break;
- }
- goto unquoted_string;
-
- case 'r':
- if (p->src[1] == '=') {
- p->src += 2;
- p->token = EO_RAW_EQ;
- break;
- } else if (p->src[1] == '!' && p->src[2] == '=') {
- p->src += 3;
- p->token = EO_RAW_NE;
- break;
- }
- goto unquoted_string;
-
- default:
- /* This assumes ASCII */
- assert ('Z' == 'A' + 25 && 'z' == 'a' + 25);
-#define IS_UNQUOTED_STRING_CHAR(C) \
- (((C) >= 'a' && (C) <= 'z') \
- || ((C) >= 'A' && (C) <= 'Z') \
- || ((C) >= '0' && (C) <= '9') \
- || (C) == '_')
- if (IS_UNQUOTED_STRING_CHAR(*p->src)) {
- size_t len;
-
- unquoted_string:
- do
- p->src++;
- while (IS_UNQUOTED_STRING_CHAR(*p->src));
- len = p->src - p->token_start;
- p->token_value = parser_malloc(p, len + 1);
- if (p->token_value == NULL)
- return -1;
- memcpy(p->token_value, p->token_start, len);
- p->token_value[len] = '\0';
- p->token = T_STRING;
- break;
- }
- p->src++;
- p->token = T_UNKNOWN;
- break;
- }
- if (p->src - p->token_start > INT_MAX) {
- *p->error = strdup("Token too long");
- return -1;
- }
- p->token_len = p->src - p->token_start;
- return 0;
-}
-
-/* Parse an escaped field NAME to DEST.
- Return 0 on success, -1 if NAME is unknown. */
-static int
-parse_escaped_field_name(enum field_id *dest, const char *name)
-{
- if (strcmp(name, "timestamp") == 0)
- *dest = EF_TIMESTAMP;
- else if (strcmp(name, "record_type") == 0)
- *dest = EF_RECORD_TYPE;
- else if (strcmp(name, "timestamp_ex") == 0)
- *dest = EF_TIMESTAMP_EX;
- else
- return -1;
- return 0;
-}
-
-/* Parse a \timestamp field value in P->token_value to DEST.
- On success, return 0.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- -1. */
-static int
-parse_timestamp_value(struct expr *dest, struct parsing *p)
-{
- intmax_t sec;
-
- assert(p->token == T_STRING);
- /* FIXME: other formats? */
- if (sscanf(p->token_value, "ts:%jd.%u:%u", &sec,
- &dest->v.p.value.timestamp_ex.milli,
- &dest->v.p.value.timestamp_ex.serial) != 3) {
- if (sscanf(p->token_value, "ts:%jd.%u", &sec,
- &dest->v.p.value.timestamp.milli) != 2) {
- if (asprintf(p->error, "Invalid timestamp value `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- return -1;
- }
- }
- /* FIXME: validate milli */
- dest->v.p.value.timestamp.sec = sec;
- if (dest->v.p.value.timestamp.sec != sec) {
- if (asprintf(p->error, "Timestamp overflow in `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- return -1;
- }
- dest->precomputed_value = 1;
- return 0;
-}
-
-/* Parse a \record_type field value in P->token_value to DEST.
- On success, return 0.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- -1. */
-static int
-parse_record_type_value(struct expr *dest, struct parsing *p)
-{
- int type;
-
- assert(p->token == T_STRING);
- type = audit_name_to_msg_type(p->token_value);
- if (type < 0) {
- if (asprintf(p->error, "Invalid record type `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- return -1;
- }
- dest->v.p.value.int_value = type;
- dest->precomputed_value = 1;
- return 0;
-}
-
-/* Parse a virtual field value in P->token_value to DEST.
- On success, return 0.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- NULL. */
-static int
-parse_virtual_field_value(struct expr *dest, struct parsing *p)
-{
- switch (dest->v.p.field.id) {
- case EF_TIMESTAMP:
- return parse_timestamp_value(dest, p);
-
- case EF_RECORD_TYPE:
- return parse_record_type_value(dest, p);
-
- case EF_TIMESTAMP_EX:
- return parse_timestamp_value(dest, p);
-
- default:
- abort();
- }
-}
-
-/* Parse a \regexp comparison-expression string in *P, with \regexp parsed.
- Use or free EXPR.
- On success, return the parsed comparison-expression.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- NULL. */
-static struct expr *
-parse_comparison_regexp(struct parsing *p, struct expr *res)
-{
- int err;
-
- if (lex(p) != 0)
- goto err_res;
- if (p->token != T_STRING && p->token != T_REGEXP) {
- if (asprintf(p->error, "Regexp expected, got `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- goto err_res;
- }
- res->v.regexp = parser_malloc(p, sizeof(*res->v.regexp));
- if (res->v.regexp == NULL)
- goto err_res;
- err = regcomp(res->v.regexp, p->token_value, REG_EXTENDED | REG_NOSUB);
- if (err != 0) {
- size_t err_size;
- char *err_msg;
-
- err_size = regerror(err, res->v.regexp, NULL, 0);
- err_msg = parser_malloc(p, err_size);
- if (err_msg == NULL)
- goto err_res_regexp;
- regerror(err, res->v.regexp, err_msg, err_size);
- if (asprintf(p->error, "Invalid regexp: %s", err_msg) < 0)
- *p->error = NULL;
- free(err_msg);
- goto err_res_regexp;
- }
- res->op = EO_REGEXP_MATCHES;
- if (lex(p) != 0) {
- expr_free(res);
- return NULL;
- }
- return res;
-
-err_res_regexp:
- free(res->v.regexp);
-err_res:
- free(res);
- return NULL;
-}
-
-/* Parse a comparison-expression string in *P.
- On success, return the parsed comparison-expression.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- NULL. */
-static struct expr *
-parse_comparison(struct parsing *p)
-{
- struct expr *res;
-
- res = parser_malloc(p, sizeof(*res));
- if (res == NULL)
- return NULL;
- if (p->token == T_FIELD_ESCAPE) {
- if (lex(p) != 0)
- goto err_res;
- if (p->token != T_STRING) {
- *p->error = strdup("Field name expected after field "
- "escape");
- goto err_res;
- }
- if (strcmp(p->token_value, "regexp") == 0)
- return parse_comparison_regexp(p, res);
- res->virtual_field = 1;
- if (parse_escaped_field_name(&res->v.p.field.id, p->token_value)
- != 0) {
- if (asprintf(p->error,
- "Unknown escaped field name `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- goto err_res;
- }
- } else {
- assert(p->token == T_STRING);
- res->virtual_field = 0;
- res->v.p.field.name = p->token_value;
- p->token_value = NULL;
- }
- if (lex(p) != 0)
- goto err_field;
- switch (p->token) {
- case EO_RAW_EQ: case EO_RAW_NE: case EO_INTERPRETED_EQ:
- case EO_INTERPRETED_NE:
- res->op = p->token;
- if (lex(p) != 0)
- goto err_field;
- if (p->token != T_STRING) {
- if (asprintf(p->error, "Value expected, got `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- goto err_field;
- }
- res->precomputed_value = 0;
- res->v.p.value.string = p->token_value;
- p->token_value = NULL;
- if (lex(p) != 0) {
- expr_free(res);
- return NULL;
- }
- break;
-
- case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE:
- case EO_VALUE_GT: case EO_VALUE_GE:
- res->op = p->token;
- if (lex(p) != 0)
- goto err_field;
- if (p->token != T_STRING) {
- if (asprintf(p->error, "Value expected, got `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- goto err_field;
- }
- if (res->virtual_field == 0) {
- if (asprintf(p->error, "Field `%s' does not support "
- "value comparison",
- res->v.p.field.name) < 0)
- *p->error = NULL;
- goto err_field;
- } else {
- if (parse_virtual_field_value(res, p) != 0)
- goto err_field;
- }
- if (lex(p) != 0) {
- expr_free(res);
- return NULL;
- }
- break;
-
- default:
- if (asprintf(p->error, "Operator expected, got `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- goto err_field;
- }
- return res;
-
-err_field:
- if (res->virtual_field == 0)
- free(res->v.p.field.name);
-err_res:
- free(res);
- return NULL;
-}
-
-/* Parse a primary-expression string in *P.
- On success, return the parsed primary-expression.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- NULL. */
-static struct expr *
-parse_primary(struct parsing *p)
-{
- struct expr *e;
-
- switch (p->token) {
- case EO_NOT: {
- struct expr *res;
-
- if (lex(p) != 0)
- return NULL;
- e = parse_primary(p);
- if (e == NULL)
- return NULL;
- res = parser_malloc(p, sizeof(*res));
- if (res == NULL)
- goto err_e;
- res->op = EO_NOT;
- res->v.sub[0] = e;
- return res;
- }
-
- case T_LEFT_PAREN: {
- if (lex(p) != 0)
- return NULL;
- e = parse_or(p);
- if (e == NULL)
- return NULL;
- if (p->token != T_RIGHT_PAREN) {
- if (asprintf(p->error,
- "Right paren expected, got `%.*s'",
- p->token_len, p->token_start) < 0)
- *p->error = NULL;
- goto err_e;
- }
- if (lex(p) != 0)
- goto err_e;
- return e;
- }
-
- case T_FIELD_ESCAPE: case T_STRING:
- return parse_comparison(p);
-
- default:
- if (asprintf(p->error, "Unexpected token `%.*s'", p->token_len,
- p->token_start) < 0)
- *p->error = NULL;
- return NULL;
- }
-err_e:
- expr_free(e);
- return NULL;
-}
-
-/* Parse an and-expression string in *P.
- On success, return the parsed and-expression.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- NULL. */
-static struct expr *
-parse_and(struct parsing *p)
-{
- struct expr *res;
-
- res = parse_primary(p);
- if (res == NULL)
- return NULL;
- while (p->token == EO_AND) {
- struct expr *e2, *e;
-
- if (lex(p) != 0)
- goto err_res;
- e2 = parse_primary(p);
- if (e2 == NULL)
- goto err_res;
- e = parser_malloc(p, sizeof(*e));
- if (e == NULL) {
- expr_free(e2);
- goto err_res;
- }
- e->op = EO_AND;
- e->v.sub[0] = res;
- e->v.sub[1] = e2;
- res = e;
- }
- return res;
-
-err_res:
- expr_free(res);
- return NULL;
-}
-
-/* Parse an or-expression string in *P.
- On success, return the parsed or-expression.
- On error, set *P->ERROR to an error string (for free()) or NULL, and return
- NULL. */
-static struct expr *
-parse_or(struct parsing *p)
-{
- struct expr *res;
-
- res = parse_and(p);
- if (res == NULL)
- return NULL;
- while (p->token == EO_OR) {
- struct expr *e2, *e;
-
- if (lex(p) != 0)
- goto err_res;
- e2 = parse_and(p);
- if (e2 == NULL)
- goto err_res;
- e = parser_malloc(p, sizeof(*e));
- if (e == NULL) {
- expr_free(e2);
- goto err_res;
- }
- e->op = EO_OR;
- e->v.sub[0] = res;
- e->v.sub[1] = e2;
- res = e;
- }
- return res;
-
-err_res:
- expr_free(res);
- return NULL;
-}
-
-/* Parse STRING.
- On success, return the parsed expression tree.
- On error, set *ERROR to an error string (for free()) or NULL, and return
- NULL. (*ERROR == NULL is allowed to handle out-of-memory errors) */
-struct expr *
-expr_parse(const char *string, char **error)
-{
- struct parsing p;
- struct expr *res;
-
- p.error = error;
- p.token_value = NULL;
- p.src = string;
- if (lex(&p) != 0)
- goto err;
- if (p.token == T_EOF) {
- *error = strdup("Empty expression");
- goto err;
- }
- res = parse_or(&p);
- if (res != NULL && p.token != T_EOF) {
- expr_free(res);
- if (asprintf(error, "Unexpected trailing token `%.*s'",
- p.token_len, p.token_start) < 0)
- *error = NULL;
- goto err;
- }
- free(p.token_value);
- return res;
-
-err:
- free(p.token_value);
- return NULL;
-}
-
- /* Manual expression creation */
-
-/* Create a comparison-expression for FIELD, OP and VALUE.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *
-expr_create_comparison(const char *field, unsigned op, const char *value)
-{
- struct expr *res;
-
- res = malloc(sizeof(*res));
- if (res == NULL)
- goto err;
- assert(op == EO_RAW_EQ || op == EO_RAW_NE || op == EO_INTERPRETED_EQ
- || op == EO_INTERPRETED_NE);
- res->op = op;
- res->virtual_field = 0;
- res->precomputed_value = 0;
- res->v.p.field.name = strdup(field);
- if (res->v.p.field.name == NULL)
- goto err_res;
- res->v.p.value.string = strdup(value);
- if (res->v.p.value.string == NULL)
- goto err_field;
- return res;
-
-err_field:
- free(res->v.p.field.name);
-err_res:
- free(res);
-err:
- return NULL;
-}
-
-/* Create an extended timestamp comparison-expression for with OP, SEC,
- MILLI, and SERIAL.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *
-expr_create_timestamp_comparison_ex(unsigned op, time_t sec, unsigned milli,
- unsigned serial)
-{
- struct expr *res;
-
- res = malloc(sizeof(*res));
- if (res == NULL)
- return NULL;
- assert(op == EO_VALUE_EQ || op == EO_VALUE_NE || op == EO_VALUE_LT
- || op == EO_VALUE_LE || op == EO_VALUE_GT || op == EO_VALUE_GE);
- res->op = op;
- res->virtual_field = 1;
- res->v.p.field.id = EF_TIMESTAMP_EX;
- res->precomputed_value = 1;
- res->v.p.value.timestamp_ex.sec = sec;
- assert(milli < 1000);
- res->v.p.value.timestamp_ex.milli = milli;
- res->v.p.value.timestamp_ex.serial = serial;
- return res;
-}
-
-/* Create a timestamp comparison-expression for with OP, SEC, MILLI.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *
-expr_create_timestamp_comparison(unsigned op, time_t sec, unsigned milli)
-{
- return expr_create_timestamp_comparison_ex(op, sec, milli, 0);
-}
-
-/* Create an EO_FIELD_EXISTS-expression for FIELD.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *
-expr_create_field_exists(const char *field)
-{
- struct expr *res;
-
- res = malloc(sizeof(*res));
- if (res == NULL)
- goto err;
- res->op = EO_FIELD_EXISTS;
- res->virtual_field = 0;
- res->v.p.field.name = strdup(field);
- if (res->v.p.field.name == NULL)
- goto err_res;
- return res;
-
-err_res:
- free(res);
-err:
- return NULL;
-}
-
-/* Create a \regexp expression for regexp comparison.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *
-expr_create_regexp_expression(const char *regexp)
-{
- struct expr *res;
-
- res = malloc(sizeof(*res));
- if (res == NULL)
- goto err;
- res->v.regexp = malloc(sizeof(*res->v.regexp));
- if (res->v.regexp == NULL)
- goto err_res;
- if (regcomp(res->v.regexp, regexp, REG_EXTENDED | REG_NOSUB) != 0) {
- errno = EINVAL;
- goto err_res_regexp;
- }
- res->op = EO_REGEXP_MATCHES;
- return res;
-
-err_res_regexp:
- free(res->v.regexp);
-err_res:
- free(res);
-err:
- return NULL;
-}
-
-/* Create a binary expresion for OP and subexpressions E1 and E2.
- On success, return the created expresion.
- On error, set errno and return NULL. */
-struct expr *
-expr_create_binary(unsigned op, struct expr *e1, struct expr *e2)
-{
- struct expr *res;
-
- res = malloc(sizeof(*res));
- if (res == NULL)
- return NULL;
- assert(op == EO_AND || op ==EO_OR);
- res->op = op;
- res->v.sub[0] = e1;
- res->v.sub[1] = e2;
- return res;
-}
-
- /* Expression evaluation */
-
-/* Return the "raw" value of the field in EXPR for RECORD in AU->le. Set
- *FREE_IT to 1 if the return value should free()'d.
- Return NULL on error. */
-static char *
-eval_raw_value(auparse_state_t *au, rnode *record, const struct expr *expr,
- int *free_it)
-{
- if (expr->virtual_field == 0) {
- nvlist_first(&record->nv);
- if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0)
- return NULL;
- *free_it = 0;
- return (char *)nvlist_get_cur_val(&record->nv);
- }
- switch (expr->v.p.field.id) {
- case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX:
- return NULL;
-
- default:
- abort();
- }
-}
-
-/* Return the "interpreted" value of the field in EXPR for RECORD in AU->le.
- Set *FREE_IT to 1 if the return value should free()'d.
- Return NULL on *error. */
-static char *
-eval_interpreted_value(auparse_state_t *au, rnode *record,
- const struct expr *expr, int *free_it)
-{
- if (expr->virtual_field == 0) {
- const char *res;
-
- nvlist_first(&record->nv);
- if (nvlist_find_name(&record->nv, expr->v.p.field.name) == 0)
- return NULL;
- *free_it = 0;
- res = nvlist_interp_cur_val(record);
- if (res == NULL)
- res = nvlist_get_cur_val(&record->nv);
- return (char *)res;
- }
- switch (expr->v.p.field.id) {
- case EF_TIMESTAMP: case EF_RECORD_TYPE: case EF_TIMESTAMP_EX:
- return NULL;
-
- default:
- abort();
- }
-}
-
-/* Return -1, 0, 1 depending on comparing the field in EXPR with RECORD in AU.
- Set *ERROR to 0 if OK, non-zero otherwise. */
-static int
-compare_values(auparse_state_t *au, rnode *record, const struct expr *expr,
- int *error)
-{
- int res;
- if (expr->virtual_field == 0) {
- *error = 1;
- return 0;
- }
- switch (expr->v.p.field.id) {
- case EF_TIMESTAMP:
- if (au->le.e.sec < expr->v.p.value.timestamp.sec)
- res = -1;
- else if (au->le.e.sec > expr->v.p.value.timestamp.sec)
- res = 1;
- else if (au->le.e.milli < expr->v.p.value.timestamp.milli)
- res = -1;
- else if (au->le.e.milli > expr->v.p.value.timestamp.milli)
- res = 1;
- else
- res = 0;
- break;
-
- case EF_RECORD_TYPE:
- if (record->type < expr->v.p.value.int_value)
- res = -1;
- else if (record->type > expr->v.p.value.int_value)
- res = 1;
- else
- res = 0;
- break;
-
- case EF_TIMESTAMP_EX:
- if (au->le.e.sec < expr->v.p.value.timestamp.sec)
- res = -1;
- else if (au->le.e.sec > expr->v.p.value.timestamp.sec)
- res = 1;
- else if (au->le.e.milli < expr->v.p.value.timestamp.milli)
- res = -1;
- else if (au->le.e.milli > expr->v.p.value.timestamp.milli)
- res = 1;
- else if (au->le.e.serial < expr->v.p.value.timestamp_ex.serial)
- res = -1;
- else if (au->le.e.serial > expr->v.p.value.timestamp_ex.serial)
- res = 1;
- else
- res = 0;
- break;
-
- default:
- abort();
- }
- *error = 0;
- return res;
-}
-
-/* Evaluate EXPR on RECORD in AU->le.
- Return 1 if EXPR is true, 0 if it false or if it fails.
- (No error reporting facility is provided; an invalid term is considered to
- be false; e.g. !invalid is true.) */
-int
-expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr)
-{
- switch (expr->op) {
- case EO_NOT:
- return !expr_eval(au, record, expr->v.sub[0]);
-
- case EO_AND:
- return (expr_eval(au, record, expr->v.sub[0])
- && expr_eval(au, record, expr->v.sub[1]));
-
- case EO_OR:
- return (expr_eval(au, record, expr->v.sub[0])
- || expr_eval(au, record, expr->v.sub[1]));
-
- case EO_RAW_EQ: case EO_RAW_NE: {
- int free_it, ne;
- char *value;
-
- value = eval_raw_value(au, record, expr, &free_it);
- if (value == NULL)
- return 0;
- assert(expr->precomputed_value == 0);
- ne = strcmp(expr->v.p.value.string, value);
- if (free_it != 0)
- free(value);
- return expr->op == EO_RAW_EQ ? ne == 0 : ne != 0;
- }
-
- case EO_INTERPRETED_EQ: case EO_INTERPRETED_NE: {
- int free_it, ne;
- char *value;
-
- value = eval_interpreted_value(au, record, expr, &free_it);
- if (value == NULL)
- return 0;
- assert(expr->precomputed_value == 0);
- ne = strcmp(expr->v.p.value.string, value);
- if (free_it != 0)
- free(value);
- return expr->op == EO_INTERPRETED_EQ ? ne == 0 : ne != 0;
- }
-
- case EO_VALUE_EQ: case EO_VALUE_NE: case EO_VALUE_LT: case EO_VALUE_LE:
- case EO_VALUE_GT: case EO_VALUE_GE: {
- int err, cmp;
-
- cmp = compare_values(au, record, expr, &err);
- if (err != 0)
- return 0;
- switch (expr->op) {
- case EO_VALUE_EQ:
- return cmp == 0;
-
- case EO_VALUE_NE:
- return cmp != 0;
-
- case EO_VALUE_LT:
- return cmp < 0;
-
- case EO_VALUE_LE:
- return cmp <= 0;
-
- case EO_VALUE_GT:
- return cmp > 0;
-
- case EO_VALUE_GE:
- return cmp >= 0;
-
- default:
- abort();
- }
- }
-
- case EO_FIELD_EXISTS:
- assert(expr->virtual_field == 0);
- nvlist_first(&record->nv);
- return nvlist_find_name(&record->nv, expr->v.p.field.name) != 0;
-
- case EO_REGEXP_MATCHES:
- return regexec(expr->v.regexp, record->record, 0, NULL, 0) == 0;
-
- default:
- abort();
- }
-}
diff --git a/framework/src/audit/auparse/expression.h b/framework/src/audit/auparse/expression.h
deleted file mode 100644
index b4af66f0..00000000
--- a/framework/src/audit/auparse/expression.h
+++ /dev/null
@@ -1,133 +0,0 @@
-/*
-* expression.h - Expression parsing and handling
-* Copyright (C) 2008,2014 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Miloslav Trmač <mitr@redhat.com>
-* Steve Grubb <sgrubb@redhat.com> extended timestamp
-*/
-
-#ifndef EXPRESSION_H__
-#define EXPRESSION_H__
-
-#include <regex.h>
-#include <sys/types.h>
-
-#include "internal.h"
-
-enum {
- EO_NOT, /* Uses v.sub[0] */
- EO_AND, EO_OR, /* Uses v.sub[0] and v.sub[1] */
- /* All of the following use v.p */
- EO_RAW_EQ, EO_RAW_NE, EO_INTERPRETED_EQ, EO_INTERPRETED_NE,
- EO_VALUE_EQ, EO_VALUE_NE, EO_VALUE_LT, EO_VALUE_LE, EO_VALUE_GT,
- EO_VALUE_GE,
- /* Uses v.p.field. Cannot be specified by an expression. */
- EO_FIELD_EXISTS,
- EO_REGEXP_MATCHES, /* Uses v.regexp */
- NUM_EO_VALUES,
-};
-
-enum field_id {
- EF_TIMESTAMP, EF_RECORD_TYPE, EF_TIMESTAMP_EX
-};
-
-struct expr {
- unsigned op : 8; /* EO_* */
- unsigned virtual_field : 1;
- /* Can be non-zero only if virtual_field != 0 */
- unsigned precomputed_value : 1;
- union {
- struct expr *sub[2];
- struct {
- union {
- char *name;
- enum field_id id; /* If virtual_field != 0 */
- } field;
- union {
- char *string;
- /* A member from the following is selected
- implicitly by field.id. */
- struct {
- time_t sec;
- unsigned int milli;
- } timestamp; /* EF_TIMESTAMP */
- struct {
- time_t sec;
- unsigned milli;
- unsigned serial;
- } timestamp_ex; /* EF_TIMESTAMP_EX */
- int int_value; /* EF_RECORD_TYPE */
- } value;
- } p;
- regex_t *regexp;
- } v;
-};
-
-/* Free EXPR and all its subexpressions. */
-void expr_free(struct expr *expr) hidden;
-
-/* Parse STRING.
- On success, return the parsed expression tree.
- On error, set *ERROR to an error string (for free()) or NULL, and return
- NULL. (*ERROR == NULL is allowed to handle out-of-memory errors) */
-struct expr *expr_parse(const char *string, char **error) hidden;
-
-/* Create a comparison-expression for FIELD, OP and VALUE.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *expr_create_comparison(const char *field, unsigned op,
- const char *value) hidden;
-
-/* Create a timestamp comparison-expression for with OP, SEC, MILLI.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *expr_create_timestamp_comparison(unsigned op, time_t sec,
- unsigned milli) hidden;
-
-/* Create an extended timestamp comparison-expression for with OP, SEC,
- MILLI, and SERIAL.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *expr_create_timestamp_comparison_ex(unsigned op, time_t sec,
- unsigned milli, unsigned serial) hidden;
-
-/* Create an EO_FIELD_EXISTS-expression for FIELD.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *expr_create_field_exists(const char *field) hidden;
-
-/* Create a \regexp expression for regexp comparison.
- On success, return the created expression.
- On error, set errno and return NULL. */
-struct expr *expr_create_regexp_expression(const char *regexp) hidden;
-
-/* Create a binary expresion for OP and subexpressions E1 and E2.
- On success, return the created expresion.
- On error, set errno and return NULL. */
-struct expr *expr_create_binary(unsigned op, struct expr *e1, struct expr *e2)
- hidden;
-
-/* Evaluate EXPR on RECORD in AU->le.
- Return 1 if EXPR is true, 0 if it false or if it fails.
- (No error reporting facility is provided; an invalid term is considered to
- be false; e.g. !invalid is true.) */
-int expr_eval(auparse_state_t *au, rnode *record, const struct expr *expr)
- hidden;
-
-#endif
diff --git a/framework/src/audit/auparse/famtab.h b/framework/src/audit/auparse/famtab.h
deleted file mode 100644
index 31d63079..00000000
--- a/framework/src/audit/auparse/famtab.h
+++ /dev/null
@@ -1,62 +0,0 @@
-/* famtab.h --
- * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/linux/socket.h
- */
-
-_S(AF_LOCAL, "local" )
-_S(AF_INET, "inet" )
-_S(AF_AX25, "ax25" )
-_S(AF_IPX, "ipx" )
-_S(AF_APPLETALK, "appletalk" )
-_S(AF_NETROM, "netrom" )
-_S(AF_BRIDGE, "bridge" )
-_S(AF_ATMPVC, "atmpvc" )
-_S(AF_X25, "x25" )
-_S(AF_INET6, "inet6" )
-_S(AF_ROSE, "rose" )
-_S(AF_DECnet, "decnet" )
-_S(AF_NETBEUI, "netbeui" )
-_S(AF_SECURITY, "security" )
-_S(AF_KEY, "key" )
-_S(AF_NETLINK, "netlink" )
-_S(AF_PACKET, "packet" )
-_S(AF_ASH, "ash" )
-_S(AF_ECONET, "econet" )
-_S(AF_ATMSVC, "atmsvc" )
-_S(AF_RDS, "rds" )
-_S(AF_SNA, "sna" )
-_S(AF_IRDA, "irda" )
-_S(AF_PPPOX, "pppox" )
-_S(AF_WANPIPE, "wanpipe" )
-_S(AF_LLC, "llc" )
-_S(AF_CAN, "can" )
-_S(AF_TIPC, "tipc" )
-_S(AF_BLUETOOTH, "bluetooth" )
-_S(AF_IUCV, "iucv" )
-_S(AF_RXRPC, "rxrpc" )
-_S(AF_ISDN, "isdn" )
-_S(AF_PHONET, "phonet" )
-_S(AF_IEEE802154, "ieee802154" )
-_S(37, "caif" )
-_S(38, "alg" )
-_S(39, "nfc" )
-_S(40, "vsock" )
-
diff --git a/framework/src/audit/auparse/fcntl-cmdtab.h b/framework/src/audit/auparse/fcntl-cmdtab.h
deleted file mode 100644
index 7e20f92b..00000000
--- a/framework/src/audit/auparse/fcntl-cmdtab.h
+++ /dev/null
@@ -1,52 +0,0 @@
-/* fcntl-cmdtab.h --
- * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/asm-generic/fcntl.h <17
- * include/uapi/linux/fcntl.h >= 1024
- */
-
-_S(0, "F_DUPFD" )
-_S(1, "F_GETFD" )
-_S(2, "F_SETFD" )
-_S(3, "F_GETFL" )
-_S(4, "F_SETFL" )
-_S(5, "F_GETLK" )
-_S(6, "F_SETLK" )
-_S(7, "F_SETLKW" )
-_S(8, "F_SETOWN" )
-_S(9, "F_GETOWN" )
-_S(10, "F_SETSIG" )
-_S(11, "F_GETSIG" )
-_S(12, "F_GETLK64" )
-_S(13, "F_SETLK64" )
-_S(14, "F_SETLKW64" )
-_S(15, "F_SETOWN_EX" )
-_S(16, "F_GETOWN_EX" )
-_S(17, "F_GETOWNER_UIDS" )
-_S(1024, "F_SETLEASE" )
-_S(1025, "F_GETLEASE" )
-_S(1026, "F_NOTIFY" )
-_S(1029, "F_CANCELLK" )
-_S(1030, "F_DUPFD_CLOEXEC" )
-_S(1031, "F_SETPIPE_SZ" )
-_S(1032, "F_GETPIPE_SZ" )
-_S(1033, "F_ADD_SEALS" )
-_S(1034, "F_GET_SEALS" )
-
diff --git a/framework/src/audit/auparse/flagtab.h b/framework/src/audit/auparse/flagtab.h
deleted file mode 100644
index 7e1146d6..00000000
--- a/framework/src/audit/auparse/flagtab.h
+++ /dev/null
@@ -1,33 +0,0 @@
-/* flagtab.h --
- * Copyright 2007,2012 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: these are only for the RHEL4 kernel
- */
-
-_S(0x0001, "follow" )
-_S(0x0002, "directory" )
-_S(0x0004, "continue" )
-_S(0x0010, "parent" )
-_S(0x0020, "noalt" )
-_S(0x0040, "atomic" )
-_S(0x0100, "open" )
-_S(0x0200, "create" )
-_S(0x0400, "access" )
-
diff --git a/framework/src/audit/auparse/icmptypetab.h b/framework/src/audit/auparse/icmptypetab.h
deleted file mode 100644
index a9ee3eef..00000000
--- a/framework/src/audit/auparse/icmptypetab.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/* icmptypetab.h --
- * Copyright 2011-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/icmp.h
- */
-
-_S(0, "echo-reply" )
-_S(3, "destination-unreachable" )
-_S(4, "source-quench" )
-_S(5, "redirect" )
-_S(8, "echo" )
-_S(11, "time-exceeded" )
-_S(12, "parameter-problem" )
-_S(13, "timestamp-request" )
-_S(14, "timestamp-reply" )
-_S(15, "info-request" )
-_S(16, "info-reply" )
-_S(17, "address-mask-request" )
-_S(18, "address-mask-reply" )
-
diff --git a/framework/src/audit/auparse/internal.h b/framework/src/audit/auparse/internal.h
deleted file mode 100644
index 56c0bf9f..00000000
--- a/framework/src/audit/auparse/internal.h
+++ /dev/null
@@ -1,86 +0,0 @@
-/* internal.h --
- * Copyright 2006-07,2013-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-#ifndef AUPARSE_INTERNAL_HEADER
-#define AUPARSE_INTERNAL_HEADER
-
-#include "auparse-defs.h"
-#include "ellist.h"
-#include "auditd-config.h"
-#include "data_buf.h"
-#include "dso.h"
-#include <stdio.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* This is what state the parser is in */
-typedef enum { EVENT_EMPTY, EVENT_ACCUMULATING, EVENT_EMITTED } auparser_state_t;
-
-/* This is the name/value pair used by search tables */
-struct nv_pair {
- int value;
- const char *name;
-};
-
-struct opaque
-{
- ausource_t source; // Source type
- char **source_list; // Array of buffers, or array of
- // file names
- int list_idx; // The index into the source list
- FILE *in; // If source is file, this is the fd
- unsigned int line_number; // line number of current file, zero
- // if invalid
- char *next_buf; // The current buffer being broken down
- unsigned int off; // The current offset into next_buf
- char *cur_buf; // The current buffer being parsed
- int line_pushed; // True if retrieve_next_line()
- // returns same input
- event_list_t le; // Linked list of record in same event
- struct expr *expr; // Search expression or NULL
- char *find_field; // Used to store field name when
- // searching
- austop_t search_where; // Where to put the cursors on a match
- auparser_state_t parse_state; // parsing state
- DataBuf databuf; // input data
-
- // function to call to notify user of parsing changes
- void (*callback)(struct opaque *au, auparse_cb_event_t cb_event_type, void *user_data);
-
- void *callback_user_data; // user data supplied to callback
-
- // function to call when user_data is destroyed
- void (*callback_user_data_destroy)(void *user_data);
-};
-
-// auditd-config.c
-void clear_config(struct daemon_conf *config) hidden;
-int load_config(struct daemon_conf *config, log_test_t lt) hidden;
-void free_config(struct daemon_conf *config) hidden;
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
diff --git a/framework/src/audit/auparse/interpret.c b/framework/src/audit/auparse/interpret.c
deleted file mode 100644
index e8f82f92..00000000
--- a/framework/src/audit/auparse/interpret.c
+++ /dev/null
@@ -1,2651 +0,0 @@
-/*
-* interpret.c - Lookup values to something more readable
-* Copyright (c) 2007-09,2011-15 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#include "config.h"
-#include "nvlist.h"
-#include "nvpair.h"
-#include "libaudit.h"
-#include "internal.h"
-#include "interpret.h"
-#include "auparse-idata.h"
-#include <stddef.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <fcntl.h>
-#include <ctype.h>
-#include <errno.h>
-#include <string.h>
-#include <pwd.h>
-#include <grp.h>
-#include <sys/stat.h>
-#include <linux/net.h>
-#include <netdb.h>
-#include <sys/un.h>
-#include <linux/ax25.h>
-#include <linux/atm.h>
-#include <linux/x25.h>
-#include <linux/if.h> // FIXME: remove when ipx.h is fixed
-#include <linux/ipx.h>
-#include <linux/capability.h>
-#include <sys/personality.h>
-#include <sys/prctl.h>
-#include <sched.h>
-#include "auparse-defs.h"
-#include "gen_tables.h"
-
-#if !HAVE_DECL_ADDR_NO_RANDOMIZE
-# define ADDR_NO_RANDOMIZE 0x0040000
-#endif
-
-/* This is from asm/ipc.h. Copying it for now as some platforms
- * have broken headers. */
-#define SEMOP 1
-#define SEMGET 2
-#define SEMCTL 3
-#define SEMTIMEDOP 4
-#define MSGSND 11
-#define MSGRCV 12
-#define MSGGET 13
-#define MSGCTL 14
-#define SHMAT 21
-#define SHMDT 22
-#define SHMGET 23
-#define SHMCTL 24
-#define DIPC 25
-
-#include "captabs.h"
-#include "clone-flagtabs.h"
-#include "epoll_ctls.h"
-#include "famtabs.h"
-#include "fcntl-cmdtabs.h"
-#include "flagtabs.h"
-#include "ipctabs.h"
-#include "ipccmdtabs.h"
-#include "mmaptabs.h"
-#include "mounttabs.h"
-#include "open-flagtabs.h"
-#include "persontabs.h"
-#include "prottabs.h"
-#include "ptracetabs.h"
-#include "recvtabs.h"
-#include "rlimittabs.h"
-#include "seektabs.h"
-#include "socktabs.h"
-#include "socktypetabs.h"
-#include "signaltabs.h"
-#include "clocktabs.h"
-#include "typetabs.h"
-#include "nfprototabs.h"
-#include "icmptypetabs.h"
-#include "seccomptabs.h"
-#include "accesstabs.h"
-#include "prctl_opttabs.h"
-#include "schedtabs.h"
-#include "shm_modetabs.h"
-#include "sockoptnametabs.h"
-#include "sockleveltabs.h"
-#include "ipoptnametabs.h"
-#include "ip6optnametabs.h"
-#include "tcpoptnametabs.h"
-#include "pktoptnametabs.h"
-#include "umounttabs.h"
-#include "ioctlreqtabs.h"
-
-typedef enum { AVC_UNSET, AVC_DENIED, AVC_GRANTED } avc_t;
-typedef enum { S_UNSET=-1, S_FAILED, S_SUCCESS } success_t;
-
-static const char *print_signals(const char *val, unsigned int base);
-static auparse_esc_t escape_mode = AUPARSE_ESC_TTY;
-
-/*
- * This function will take a pointer to a 2 byte Ascii character buffer and
- * return the actual hex value.
- */
-static unsigned char x2c(const unsigned char *buf)
-{
- static const char AsciiArray[17] = "0123456789ABCDEF";
- char *ptr;
- unsigned char total=0;
-
- ptr = strchr(AsciiArray, (char)toupper(buf[0]));
- if (ptr)
- total = (unsigned char)(((ptr-AsciiArray) & 0x0F)<<4);
- ptr = strchr(AsciiArray, (char)toupper(buf[1]));
- if (ptr)
- total += (unsigned char)((ptr-AsciiArray) & 0x0F);
-
- return total;
-}
-
-// Check if any characters need tty escaping. Returns how many found.
-static unsigned int need_tty_escape(const unsigned char *s, unsigned int len)
-{
- unsigned int i = 0, cnt = 0;
- while (i < len) {
- if (s[i] < 32)
- cnt++;
- i++;
- }
- return cnt;
-}
-
-// TTY escaping s string into dest.
-static void tty_escape(const char *s, char *dest, unsigned int len)
-{
- unsigned int i = 0, j = 0;
- while (i < len) {
- if ((unsigned char)s[i] < 32) {
- dest[j++] = ('\\');
- dest[j++] = ('0' + ((s[i] & 0300) >> 6));
- dest[j++] = ('0' + ((s[i] & 0070) >> 3));
- dest[j++] = ('0' + (s[i] & 0007));
- } else
- dest[j++] = s[i];
- i++;
- }
-}
-
-static const char sh_set[] = "\"'`$\\";
-static unsigned int need_shell_escape(const char *s, unsigned int len)
-{
- unsigned int i = 0, cnt = 0;
- while (i < len) {
- if (s[i] < 32)
- cnt++;
- else if (strchr(sh_set, s[i]))
- cnt++;
- i++;
- }
- return cnt;
-}
-
-static void shell_escape(const char *s, char *dest, unsigned int len)
-{
- unsigned int i = 0, j = 0;
- while (i < len) {
- if ((unsigned char)s[i] < 32) {
- dest[j++] = ('\\');
- dest[j++] = ('0' + ((s[i] & 0300) >> 6));
- dest[j++] = ('0' + ((s[i] & 0070) >> 3));
- dest[j++] = ('0' + (s[i] & 0007));
- } else if (strchr(sh_set, s[i])) {
- dest[j++] = ('\\');
- dest[j++] = s[i];
- } else
- dest[j++] = s[i];
- i++;
- }
-}
-
-static const char quote_set[] = ";'\"`#$&*?[]<>{}\\";
-static unsigned int need_shell_quote_escape(const unsigned char *s, unsigned int len)
-{
- unsigned int i = 0, cnt = 0;
- while (i < len) {
- if (s[i] < 32)
- cnt++;
- else if (strchr(quote_set, s[i]))
- cnt++;
- i++;
- }
- return cnt;
-}
-
-static void shell_quote_escape(const char *s, char *dest, unsigned int len)
-{
- unsigned int i = 0, j = 0;
- while (i < len) {
- if ((unsigned char)s[i] < 32) {
- dest[j++] = ('\\');
- dest[j++] = ('0' + ((s[i] & 0300) >> 6));
- dest[j++] = ('0' + ((s[i] & 0070) >> 3));
- dest[j++] = ('0' + (s[i] & 0007));
- } else if (strchr(quote_set, s[i])) {
- dest[j++] = ('\\');
- dest[j++] = s[i];
- } else
- dest[j++] = s[i];
- i++;
- }
-}
-
-/* This should return the count of what needs escaping */
-static unsigned int need_escaping(const char *s, unsigned int len)
-{
- switch (escape_mode)
- {
- case AUPARSE_ESC_RAW:
- break;
- case AUPARSE_ESC_TTY:
- return need_tty_escape(s, len);
- case AUPARSE_ESC_SHELL:
- return need_shell_escape(s, len);
- case AUPARSE_ESC_SHELL_QUOTE:
- return need_shell_quote_escape(s, len);;
- }
- return 0;
-}
-
-static void escape(const char *s, char *dest, unsigned int len)
-{
- switch (escape_mode)
- {
- case AUPARSE_ESC_RAW:
- return;
- case AUPARSE_ESC_TTY:
- return tty_escape(s, dest, len);
- case AUPARSE_ESC_SHELL:
- return shell_escape(s, dest, len);
- case AUPARSE_ESC_SHELL_QUOTE:
- return shell_quote_escape(s, dest, len);
- }
-}
-
-int set_escape_mode(auparse_esc_t mode)
-{
- if (mode < 0 || mode > AUPARSE_ESC_SHELL_QUOTE)
- return 1;
- escape_mode = mode;
- return 0;
-}
-hidden_def(set_escape_mode)
-
-static int is_hex_string(const char *str)
-{
- while (*str) {
- if (!isxdigit(*str))
- return 0;
- str++;
- }
- return 1;
-}
-
-/* returns a freshly malloc'ed and converted buffer */
-char *au_unescape(char *buf)
-{
- int len, i;
- char saved, *str, *ptr = buf;
-
- /* Find the end of the name */
- if (*ptr == '(') {
- ptr = strchr(ptr, ')');
- if (ptr == NULL)
- return NULL;
- else
- ptr++;
- } else {
- while (isxdigit(*ptr))
- ptr++;
- }
- saved = *ptr;
- *ptr = 0;
- str = strdup(buf);
- *ptr = saved;
-
- /* See if its '(null)' from the kernel */
- if (*buf == '(')
- return str;
-
- /* We can get away with this since the buffer is 2 times
- * bigger than what we are putting there.
- */
- len = strlen(str);
- if (len < 2) {
- free(str);
- return NULL;
- }
- ptr = str;
- for (i=0; i<len; i+=2) {
- *ptr = x2c((unsigned char *)&str[i]);
- ptr++;
- }
- *ptr = 0;
- return str;
-}
-
-static const char *success[3]= { "unset", "no", "yes" };
-static const char *aulookup_success(int s)
-{
- switch (s)
- {
- default:
- return success[0];
- break;
- case S_FAILED:
- return success[1];
- break;
- case S_SUCCESS:
- return success[2];
- break;
- }
-}
-
-static nvpair uid_nvl;
-static int uid_list_created=0;
-static const char *aulookup_uid(uid_t uid, char *buf, size_t size)
-{
- char *name = NULL;
- int rc;
-
- if (uid == -1) {
- snprintf(buf, size, "unset");
- return buf;
- }
-
- // Check the cache first
- if (uid_list_created == 0) {
- nvpair_create(&uid_nvl);
- nvpair_clear(&uid_nvl);
- uid_list_created = 1;
- }
- rc = nvpair_find_val(&uid_nvl, uid);
- if (rc) {
- name = uid_nvl.cur->name;
- } else {
- // Add it to cache
- struct passwd *pw;
- pw = getpwuid(uid);
- if (pw) {
- nvpnode nv;
- nv.name = strdup(pw->pw_name);
- nv.val = uid;
- nvpair_append(&uid_nvl, &nv);
- name = uid_nvl.cur->name;
- }
- }
- if (name != NULL)
- snprintf(buf, size, "%s", name);
- else
- snprintf(buf, size, "unknown(%d)", uid);
- return buf;
-}
-
-void aulookup_destroy_uid_list(void)
-{
- if (uid_list_created == 0)
- return;
-
- nvpair_clear(&uid_nvl);
- uid_list_created = 0;
-}
-
-static nvpair gid_nvl;
-static int gid_list_created=0;
-static const char *aulookup_gid(gid_t gid, char *buf, size_t size)
-{
- char *name = NULL;
- int rc;
-
- if (gid == -1) {
- snprintf(buf, size, "unset");
- return buf;
- }
-
- // Check the cache first
- if (gid_list_created == 0) {
- nvpair_create(&gid_nvl);
- nvpair_clear(&gid_nvl);
- gid_list_created = 1;
- }
- rc = nvpair_find_val(&gid_nvl, gid);
- if (rc) {
- name = gid_nvl.cur->name;
- } else {
- // Add it to cache
- struct group *gr;
- gr = getgrgid(gid);
- if (gr) {
- nvpnode nv;
- nv.name = strdup(gr->gr_name);
- nv.val = gid;
- nvpair_append(&gid_nvl, &nv);
- name = gid_nvl.cur->name;
- }
- }
- if (name != NULL)
- snprintf(buf, size, "%s", name);
- else
- snprintf(buf, size, "unknown(%d)", gid);
- return buf;
-}
-
-void aulookup_destroy_gid_list(void)
-{
- if (gid_list_created == 0)
- return;
-
- nvpair_clear(&gid_nvl);
- gid_list_created = 0;
-}
-
-static const char *print_uid(const char *val, unsigned int base)
-{
- int uid;
- char name[64];
-
- errno = 0;
- uid = strtoul(val, NULL, base);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- return strdup(aulookup_uid(uid, name, sizeof(name)));
-}
-
-static const char *print_gid(const char *val, unsigned int base)
-{
- int gid;
- char name[64];
-
- errno = 0;
- gid = strtoul(val, NULL, base);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- return strdup(aulookup_gid(gid, name, sizeof(name)));
-}
-
-static const char *print_arch(const char *val, unsigned int machine)
-{
- const char *ptr;
- char *out;
-
- if (machine > MACH_AARCH64) {
- unsigned int ival;
-
- errno = 0;
- ival = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s) ", val) < 0)
- out = NULL;
- return out;
- }
- machine = audit_elf_to_machine(ival);
- }
- if ((int)machine < 0) {
- if (asprintf(&out, "unknown elf type(%s)", val) < 0)
- out = NULL;
- return out;
- }
- ptr = audit_machine_to_name(machine);
- if (ptr)
- return strdup(ptr);
- else {
- if (asprintf(&out, "unknown machine type(%d)", machine) < 0)
- out = NULL;
- return out;
- }
-}
-
-static const char *print_ipccall(const char *val, unsigned int base)
-{
- int a0;
- char *out;
- const char *func = NULL;
-
- errno = 0;
- a0 = strtol(val, NULL, base);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- func = ipc_i2s(a0);
- if (func)
- return strdup(func);
- else {
- if (asprintf(&out, "unknown ipccall(%s)", val) < 0)
- out = NULL;
- return out;
- }
-}
-
-static const char *print_socketcall(const char *val, unsigned int base)
-{
- int a0;
- char *out;
- const char *func = NULL;
-
- errno = 0;
- a0 = strtol(val, NULL, base);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- func = sock_i2s(a0);
- if (func)
- return strdup(func);
- else {
- if (asprintf(&out, "unknown socketcall(%s)", val) < 0)
- out = NULL;
- return out;
- }
-}
-
-static const char *print_syscall(const idata *id)
-{
- const char *sys;
- char *out;
- int machine = id->machine, syscall = id->syscall;
- unsigned long long a0 = id->a0;
-
- if (machine < 0)
- machine = audit_detect_machine();
- if (machine < 0) {
- out = strdup(id->val);
- return out;
- }
- sys = audit_syscall_to_name(syscall, machine);
- if (sys) {
- const char *func = NULL;
- if (strcmp(sys, "socketcall") == 0) {
- if ((int)a0 == a0)
- func = sock_i2s(a0);
- } else if (strcmp(sys, "ipc") == 0)
- if ((int)a0 == a0)
- func = ipc_i2s(a0);
- if (func) {
- if (asprintf(&out, "%s(%s)", sys, func) < 0)
- out = NULL;
- } else
- return strdup(sys);
- } else {
- if (asprintf(&out, "unknown syscall(%d)", syscall) < 0)
- out = NULL;
- }
-
- return out;
-}
-
-static const char *print_exit(const char *val)
-{
- long long ival;
- char *out;
-
- errno = 0;
- ival = strtoll(val, NULL, 10);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- if (ival < 0) {
- if (asprintf(&out, "%lld(%s)", ival, strerror(-ival)) < 0)
- out = NULL;
- return out;
- }
- return strdup(val);
-}
-
-static const char *print_escaped(const char *val)
-{
- const char *out;
-
- if (*val == '"') {
- char *term;
- val++;
- term = strchr(val, '"');
- if (term == NULL)
- return strdup(" ");
- *term = 0;
- out = strdup(val);
- *term = '"';
- return out;
-// FIXME: working here...was trying to detect (null) and handle that
-// differently. The other 2 should have " around the file names.
-/* } else if (*val == '(') {
- char *term;
- val++;
- term = strchr(val, ' ');
- if (term == NULL)
- return;
- *term = 0;
- printf("%s ", val); */
- } else if (val[0] == '0' && val[1] == '0')
- out = au_unescape((char *)&val[2]); // Abstract name af_unix
- else
- out = au_unescape((char *)val);
- if (out)
- return out;
- return strdup(val); // Something is wrong with string, just send as is
-}
-
-static const char *print_proctitle(const char *val)
-{
- char *out = (char *)print_escaped(val);
- if (*val != '"') {
- size_t len = strlen(val) / 2;
- const char *end = out + len;
- char *ptr = out;
- while ((ptr = rawmemchr(ptr, '\0'))) {
- if (ptr >= end)
- break;
- *ptr = ' ';
- ptr++;
- }
- }
- return out;
-}
-
-static const char *print_perm(const char *val)
-{
- int ival, printed=0;
- char buf[32];
-
- errno = 0;
- ival = strtol(val, NULL, 10);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- buf[0] = 0;
-
- /* The kernel treats nothing (0x00) as everything (0x0F) */
- if (ival == 0)
- ival = 0x0F;
- if (ival & AUDIT_PERM_READ) {
- strcat(buf, "read");
- printed = 1;
- }
- if (ival & AUDIT_PERM_WRITE) {
- if (printed)
- strcat(buf, ",write");
- else
- strcat(buf, "write");
- printed = 1;
- }
- if (ival & AUDIT_PERM_EXEC) {
- if (printed)
- strcat(buf, ",exec");
- else
- strcat(buf, "exec");
- printed = 1;
- }
- if (ival & AUDIT_PERM_ATTR) {
- if (printed)
- strcat(buf, ",attr");
- else
- strcat(buf, "attr");
- }
- return strdup(buf);
-}
-
-static const char *print_mode(const char *val, unsigned int base)
-{
- unsigned int ival;
- char *out, buf[48];
- const char *name;
-
- errno = 0;
- ival = strtoul(val, NULL, base);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- // detect the file type
- name = audit_ftype_to_name(ival & S_IFMT);
- if (name != NULL)
- strcpy(buf, name);
- else {
- unsigned first_ifmt_bit;
-
- // The lowest-valued "1" bit in S_IFMT
- first_ifmt_bit = S_IFMT & ~(S_IFMT - 1);
- sprintf(buf, "%03o", (ival & S_IFMT) / first_ifmt_bit);
- }
-
- // check on special bits
- if (S_ISUID & ival)
- strcat(buf, ",suid");
- if (S_ISGID & ival)
- strcat(buf, ",sgid");
- if (S_ISVTX & ival)
- strcat(buf, ",sticky");
-
- // and the read, write, execute flags in octal
- if (asprintf(&out, "%s,%03o", buf,
- (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_mode_short_int(unsigned int ival)
-{
- char *out, buf[48];
-
- // check on special bits
- buf[0] = 0;
- if (S_ISUID & ival)
- strcat(buf, "suid");
- if (S_ISGID & ival) {
- if (buf[0])
- strcat(buf, ",");
- strcat(buf, "sgid");
- }
- if (S_ISVTX & ival) {
- if (buf[0])
- strcat(buf, ",");
- strcat(buf, "sticky");
- }
-
- // and the read, write, execute flags in octal
- if (buf[0] == 0) {
- if (asprintf(&out, "0%03o",
- (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
- out = NULL;
- } else
- if (asprintf(&out, "%s,0%03o", buf,
- (S_IRWXU|S_IRWXG|S_IRWXO) & ival) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_mode_short(const char *val, int base)
-{
- unsigned int ival;
- char *out;
-
- errno = 0;
- ival = strtoul(val, NULL, base);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- return print_mode_short_int(ival);
-}
-
-static const char *print_socket_domain(const char *val)
-{
- int i;
- char *out;
- const char *str;
-
- errno = 0;
- i = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- str = fam_i2s(i);
- if (str == NULL) {
- if (asprintf(&out, "unknown family(0x%s)", val) < 0)
- out = NULL;
- return out;
- } else
- return strdup(str);
-}
-
-static const char *print_socket_type(const char *val)
-{
- unsigned int type;
- char *out;
- const char *str;
-
- errno = 0;
- type = 0xFF & strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- str = sock_type_i2s(type);
- if (str == NULL) {
- if (asprintf(&out, "unknown type(%s)", val) < 0)
- out = NULL;
- return out;
- } else
- return strdup(str);
-}
-
-static const char *print_socket_proto(const char *val)
-{
- unsigned int proto;
- char *out;
- struct protoent *p;
-
- errno = 0;
- proto = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- p = getprotobynumber(proto);
- if (p == NULL) {
- if (asprintf(&out, "unknown proto(%s)", val) < 0)
- out = NULL;
- return out;
- } else
- return strdup(p->p_name);
-}
-
-static const char *print_sockaddr(const char *val)
-{
- int slen, rc = 0;
- const struct sockaddr *saddr;
- char name[NI_MAXHOST], serv[NI_MAXSERV];
- const char *host;
- char *out = NULL;
- const char *str;
-
- slen = strlen(val)/2;
- host = au_unescape((char *)val);
- if (host == NULL) {
- if (asprintf(&out, "malformed host(%s)", val) < 0)
- out = NULL;
- return out;
- }
- saddr = (struct sockaddr *)host;
-
-
- str = fam_i2s(saddr->sa_family);
- if (str == NULL) {
- if (asprintf(&out, "unknown family(%d)", saddr->sa_family) < 0)
- out = NULL;
- free((char *)host);
- return out;
- }
-
- // Now print address for some families
- switch (saddr->sa_family) {
- case AF_LOCAL:
- {
- const struct sockaddr_un *un =
- (struct sockaddr_un *)saddr;
- if (un->sun_path[0])
- rc = asprintf(&out, "%s %s", str,
- un->sun_path);
- else // abstract name
- rc = asprintf(&out, "%s %.108s", str,
- &un->sun_path[1]);
- }
- break;
- case AF_INET:
- if (slen < sizeof(struct sockaddr_in)) {
- rc = asprintf(&out, "%s sockaddr len too short",
- str);
- break;
- }
- slen = sizeof(struct sockaddr_in);
- if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
- NI_MAXSERV, NI_NUMERICHOST |
- NI_NUMERICSERV) == 0 ) {
- rc = asprintf(&out, "%s host:%s serv:%s", str,
- name, serv);
- } else
- rc = asprintf(&out, "%s (error resolving addr)",
- str);
- break;
- case AF_AX25:
- {
- const struct sockaddr_ax25 *x =
- (struct sockaddr_ax25 *)saddr;
- rc = asprintf(&out, "%s call:%c%c%c%c%c%c%c",
- str,
- x->sax25_call.ax25_call[0],
- x->sax25_call.ax25_call[1],
- x->sax25_call.ax25_call[2],
- x->sax25_call.ax25_call[3],
- x->sax25_call.ax25_call[4],
- x->sax25_call.ax25_call[5],
- x->sax25_call.ax25_call[6]);
- }
- break;
- case AF_IPX:
- {
- const struct sockaddr_ipx *ip =
- (struct sockaddr_ipx *)saddr;
- rc = asprintf(&out, "%s port:%d net:%u", str,
- ip->sipx_port, ip->sipx_network);
- }
- break;
- case AF_ATMPVC:
- {
- const struct sockaddr_atmpvc* at =
- (struct sockaddr_atmpvc *)saddr;
- rc = asprintf(&out, "%s int:%d", str,
- at->sap_addr.itf);
- }
- break;
- case AF_X25:
- {
- const struct sockaddr_x25* x =
- (struct sockaddr_x25 *)saddr;
- rc = asprintf(&out, "%s addr:%.15s", str,
- x->sx25_addr.x25_addr);
- }
- break;
- case AF_INET6:
- if (slen < sizeof(struct sockaddr_in6)) {
- rc = asprintf(&out,
- "%s sockaddr6 len too short",
- str);
- break;
- }
- slen = sizeof(struct sockaddr_in6);
- if (getnameinfo(saddr, slen, name, NI_MAXHOST, serv,
- NI_MAXSERV, NI_NUMERICHOST |
- NI_NUMERICSERV) == 0 ) {
- rc = asprintf(&out, "%s host:%s serv:%s", str,
- name, serv);
- } else
- rc = asprintf(&out, "%s (error resolving addr)",
- str);
- break;
- case AF_NETLINK:
- {
- const struct sockaddr_nl *n =
- (struct sockaddr_nl *)saddr;
- rc = asprintf(&out, "%s pid:%u", str,
- n->nl_pid);
- }
- break;
- }
- if (rc < 0)
- out = NULL;
- free((char *)host);
- return out;
-}
-
-/* This is only used in the RHEL4 kernel */
-static const char *print_flags(const char *val)
-{
- int flags, cnt = 0;
- size_t i;
- char *out, buf[80];
-
- errno = 0;
- flags = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- if (flags == 0) {
- if (asprintf(&out, "none") < 0)
- out = NULL;
- return out;
- }
- buf[0] = 0;
- for (i=0; i<FLAG_NUM_ENTRIES; i++) {
- if (flag_table[i].value & flags) {
- if (!cnt) {
- strcat(buf,
- flag_strings + flag_table[i].offset);
- cnt++;
- } else {
- strcat(buf, ",");
- strcat(buf,
- flag_strings + flag_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_promiscuous(const char *val)
-{
- int ival;
-
- errno = 0;
- ival = strtol(val, NULL, 10);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- if (ival == 0)
- return strdup("no");
- else
- return strdup("yes");
-}
-
-static const char *print_capabilities(const char *val, int base)
-{
- int cap;
- char *out;
- const char *s;
-
- errno = 0;
- cap = strtoul(val, NULL, base);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = cap_i2s(cap);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown capability(%s%s)",
- base == 16 ? "0x" : "", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_cap_bitmap(const char *val)
-{
-#define MASK(x) (1U << (x))
- unsigned long long temp;
- __u32 caps[2];
- int i, found=0;
- char *p, buf[600]; // 17 per cap * 33
-
- errno = 0;
- temp = strtoull(val, NULL, 16);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- caps[0] = temp & 0x00000000FFFFFFFFLL;
- caps[1] = (temp & 0xFFFFFFFF00000000LL) >> 32;
- p = buf;
- for (i=0; i <= CAP_LAST_CAP; i++) {
- if (MASK(i%32) & caps[i/32]) {
- const char *s;
- if (found)
- p = stpcpy(p, ",");
- s = cap_i2s(i);
- if (s != NULL)
- p = stpcpy(p, s);
- found = 1;
- }
- }
- if (found == 0)
- return strdup("none");
- return strdup(buf);
-}
-
-static const char *print_success(const char *val)
-{
- int res;
-
- if (isdigit(*val)) {
- errno = 0;
- res = strtoul(val, NULL, 10);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- return strdup(aulookup_success(res));
- } else
- return strdup(val);
-}
-
-static const char *print_open_flags(const char *val)
-{
- size_t i;
- unsigned int flags;
- int cnt = 0;
- char *out, buf[178];
-
- errno = 0;
- flags = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- buf[0] = 0;
- if ((flags & O_ACCMODE) == 0) {
- // Handle O_RDONLY specially
- strcat(buf, "O_RDONLY");
- cnt++;
- }
- for (i=0; i<OPEN_FLAG_NUM_ENTRIES; i++) {
- if (open_flag_table[i].value & flags) {
- if (!cnt) {
- strcat(buf,
- open_flag_strings + open_flag_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- open_flag_strings + open_flag_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_clone_flags(const char *val)
-{
- unsigned int flags, i, clone_sig;
- int cnt = 0;
- char *out, buf[362]; // added 10 for signal name
-
- errno = 0;
- flags = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- buf[0] = 0;
- for (i=0; i<CLONE_FLAG_NUM_ENTRIES; i++) {
- if (clone_flag_table[i].value & flags) {
- if (!cnt) {
- strcat(buf,
- clone_flag_strings + clone_flag_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- clone_flag_strings + clone_flag_table[i].offset);
- }
- }
- }
- clone_sig = flags & 0xFF;
- if (clone_sig && (clone_sig < 32)) {
- const char *s = signal_i2s(clone_sig);
- if (s != NULL) {
- if (buf[0] != 0)
- strcat(buf, "|");
- strcat(buf, s);
- }
- }
-
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%x", flags);
- return strdup(buf);
-}
-
-static const char *print_fcntl_cmd(const char *val)
-{
- char *out;
- const char *s;
- int cmd;
-
- errno = 0;
- cmd = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = fcntl_i2s(cmd);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown fcntl command(%d)", cmd) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_epoll_ctl(const char *val)
-{
- char *out;
- const char *s;
- int cmd;
-
- errno = 0;
- cmd = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = epoll_ctl_i2s(cmd);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown epoll_ctl operation (%d)", cmd) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_clock_id(const char *val)
-{
- int i;
- char *out;
-
- errno = 0;
- i = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- else if (i < 7) {
- const char *s = clock_i2s(i);
- if (s != NULL)
- return strdup(s);
- }
- if (asprintf(&out, "unknown clk_id (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_prot(const char *val, unsigned int is_mmap)
-{
- unsigned int prot, i;
- int cnt = 0, limit;
- char buf[144];
- char *out;
-
- errno = 0;
- prot = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- buf[0] = 0;
- if ((prot & 0x07) == 0) {
- // Handle PROT_NONE specially
- strcat(buf, "PROT_NONE");
- return strdup(buf);
- }
- if (is_mmap)
- limit = 4;
- else
- limit = 3;
- for (i=0; i<limit; i++) {
- if (prot_table[i].value & prot) {
- if (!cnt) {
- strcat(buf,
- prot_strings + prot_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- prot_strings + prot_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_mmap(const char *val)
-{
- unsigned int maps, i;
- int cnt = 0;
- char buf[176];
- char *out;
-
- errno = 0;
- maps = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- buf[0] = 0;
- if ((maps & 0x0F) == 0) {
- // Handle MAP_FILE specially
- strcat(buf, "MAP_FILE");
- cnt++;
- }
- for (i=0; i<MMAP_NUM_ENTRIES; i++) {
- if (mmap_table[i].value & maps) {
- if (!cnt) {
- strcat(buf,
- mmap_strings + mmap_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- mmap_strings + mmap_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_personality(const char *val)
-{
- int pers, pers2;
- char *out;
- const char *s;
-
- errno = 0;
- pers = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- pers2 = pers & ~ADDR_NO_RANDOMIZE;
- s = person_i2s(pers2);
- if (s != NULL) {
- if (pers & ADDR_NO_RANDOMIZE) {
- if (asprintf(&out, "%s|~ADDR_NO_RANDOMIZE", s) < 0)
- out = NULL;
- return out;
- } else
- return strdup(s);
- }
- if (asprintf(&out, "unknown personality (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_ptrace(const char *val)
-{
- int trace;
- char *out;
- const char *s;
-
- errno = 0;
- trace = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = ptrace_i2s(trace);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown ptrace (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_prctl_opt(const char *val)
-{
- int opt;
- char *out;
- const char *s;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = prctl_opt_i2s(opt);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown prctl option (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_mount(const char *val)
-{
- unsigned int mounts, i;
- int cnt = 0;
- char buf[334];
- char *out;
-
- errno = 0;
- mounts = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- buf[0] = 0;
- for (i=0; i<MOUNT_NUM_ENTRIES; i++) {
- if (mount_table[i].value & mounts) {
- if (!cnt) {
- strcat(buf,
- mount_strings + mount_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- mount_strings + mount_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_rlimit(const char *val)
-{
- int i;
- char *out;
-
- errno = 0;
- i = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- else if (i < 17) {
- const char *s = rlimit_i2s(i);
- if (s != NULL)
- return strdup(s);
- }
- if (asprintf(&out, "unknown rlimit (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_recv(const char *val)
-{
- unsigned int rec, i;
- int cnt = 0;
- char buf[234];
- char *out;
-
- errno = 0;
- rec = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- buf[0] = 0;
- for (i=0; i<RECV_NUM_ENTRIES; i++) {
- if (recv_table[i].value & rec) {
- if (!cnt) {
- strcat(buf,
- recv_strings + recv_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- recv_strings + recv_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_access(const char *val)
-{
- unsigned long mode;
- char buf[16];
- unsigned int i, cnt = 0;
-
- errno = 0;
- mode = strtoul(val, NULL, 16);
- if (errno) {
- char *out;
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- if ((mode & 0xF) == 0)
- return strdup("F_OK");
- buf[0] = 0;
- for (i=0; i<3; i++) {
- if (access_table[i].value & mode) {
- if (!cnt) {
- strcat(buf,
- access_strings + access_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- access_strings + access_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static char *print_dirfd(const char *val)
-{
- char *out;
-
- if (strcmp(val, "-100") == 0) {
- if (asprintf(&out, "AT_FDCWD") < 0)
- out = NULL;
- } else {
- if (asprintf(&out, "0x%s", val) < 0)
- out = NULL;
- }
- return out;
-}
-
-#ifndef SCHED_RESET_ON_FORK
-#define SCHED_RESET_ON_FORK 0x40000000
-#endif
-static const char *print_sched(const char *val)
-{
- unsigned int pol;
- char *out;
- const char *s;
-
- errno = 0;
- pol = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = sched_i2s(pol & 0x0F);
- if (s != NULL) {
- char buf[48];
-
- strcpy(buf, s);
- if (pol & SCHED_RESET_ON_FORK )
- strcat(buf, "|SCHED_RESET_ON_FORK");
- return strdup(buf);
- }
- if (asprintf(&out, "unknown scheduler policy (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_sock_opt_level(const char *val)
-{
- int lvl;
- char *out;
-
- errno = 0;
- lvl = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- if (lvl == SOL_SOCKET)
- return strdup("SOL_SOCKET");
- else {
- struct protoent *p = getprotobynumber(lvl);
- if (p == NULL) {
- const char *s = socklevel_i2s(lvl);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown sockopt level (0x%s)", val) < 0)
- out = NULL;
- } else
- return strdup(p->p_name);
- }
-
- return out;
-}
-
-static const char *print_sock_opt_name(const char *val, int machine)
-{
- int opt;
- char *out;
- const char *s;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- // PPC's tables are different
- if ((machine == MACH_PPC64 || machine == MACH_PPC) &&
- opt >= 16 && opt <= 21)
- opt+=100;
-
- s = sockoptname_i2s(opt);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown sockopt name (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_ip_opt_name(const char *val)
-{
- int opt;
- char *out;
- const char *s;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = ipoptname_i2s(opt);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown ipopt name (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_ip6_opt_name(const char *val)
-{
- int opt;
- char *out;
- const char *s;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = ip6optname_i2s(opt);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown ip6opt name (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_tcp_opt_name(const char *val)
-{
- int opt;
- char *out;
- const char *s;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = tcpoptname_i2s(opt);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown tcpopt name (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_udp_opt_name(const char *val)
-{
- int opt;
- char *out;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- if (opt == 1)
- out = strdup("UDP_CORK");
- else if (opt == 100)
- out = strdup("UDP_ENCAP");
- else if (asprintf(&out, "unknown udpopt name (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_pkt_opt_name(const char *val)
-{
- int opt;
- char *out;
- const char *s;
-
- errno = 0;
- opt = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = pktoptname_i2s(opt);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown pktopt name (0x%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_shmflags(const char *val)
-{
- unsigned int flags, partial, i;
- int cnt = 0;
- char *out, buf[32];
-
- errno = 0;
- flags = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- partial = flags & 00003000;
- buf[0] = 0;
- for (i=0; i<IPCCMD_NUM_ENTRIES; i++) {
- if (ipccmd_table[i].value & partial) {
- if (!cnt) {
- strcat(buf,
- ipccmd_strings + ipccmd_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- ipccmd_strings + ipccmd_table[i].offset);
- }
- }
- }
-
- partial = flags & 00014000;
- for (i=0; i<SHM_MODE_NUM_ENTRIES; i++) {
- if (shm_mode_table[i].value & partial) {
- if (!cnt) {
- strcat(buf,
- shm_mode_strings + shm_mode_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- shm_mode_strings + shm_mode_table[i].offset);
- }
- }
- }
-
- partial = flags & 000777;
- const char *tmode = print_mode_short_int(partial);
- if (tmode) {
- if (buf[0] != 0)
- strcat(buf, "|");
- strcat(buf, tmode);
- free((void *)tmode);
- }
-
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%x", flags);
- return strdup(buf);
-}
-
-static const char *print_seek(const char *val)
-{
- unsigned int whence;
- char *out;
- const char *str;
-
- errno = 0;
- whence = 0xFF & strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- str = seek_i2s(whence);
- if (str == NULL) {
- if (asprintf(&out, "unknown whence(%s)", val) < 0)
- out = NULL;
- return out;
- } else
- return strdup(str);
-}
-
-static const char *print_umount(const char *val)
-{
- unsigned int flags, i;
- int cnt = 0;
- char buf[64];
- char *out;
-
- errno = 0;
- flags = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- buf[0] = 0;
- for (i=0; i<UMOUNT_NUM_ENTRIES; i++) {
- if (umount_table[i].value & flags) {
- if (!cnt) {
- strcat(buf,
- umount_strings + umount_table[i].offset);
- cnt++;
- } else {
- strcat(buf, "|");
- strcat(buf,
- umount_strings + umount_table[i].offset);
- }
- }
- }
- if (buf[0] == 0)
- snprintf(buf, sizeof(buf), "0x%s", val);
- return strdup(buf);
-}
-
-static const char *print_ioctl_req(const char *val)
-{
- int req;
- char *out;
- const char *r;
-
- errno = 0;
- req = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- r = ioctlreq_i2s(req);
- if (r != NULL)
- return strdup(r);
- if (asprintf(&out, "0x%s", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_a0(const char *val, const idata *id)
-{
- char *out;
- int machine = id->machine, syscall = id->syscall;
- const char *sys = audit_syscall_to_name(syscall, machine);
- if (sys) {
- if (*sys == 'r') {
- if (strcmp(sys, "rt_sigaction") == 0)
- return print_signals(val, 16);
- else if (strcmp(sys, "renameat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "readlinkat") == 0)
- return print_dirfd(val);
- } else if (*sys == 'c') {
- if (strcmp(sys, "clone") == 0)
- return print_clone_flags(val);
- else if (strcmp(sys, "clock_settime") == 0)
- return print_clock_id(val);
- } else if (*sys == 'p') {
- if (strcmp(sys, "personality") == 0)
- return print_personality(val);
- else if (strcmp(sys, "ptrace") == 0)
- return print_ptrace(val);
- else if (strcmp(sys, "prctl") == 0)
- return print_prctl_opt(val);
- } else if (*sys == 'm') {
- if (strcmp(sys, "mkdirat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "mknodat") == 0)
- return print_dirfd(val);
- } else if (*sys == 'f') {
- if (strcmp(sys, "fchownat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "futimesat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "fchmodat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "faccessat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "futimensat") == 0)
- return print_dirfd(val);
- } else if (*sys == 'u') {
- if (strcmp(sys, "unshare") == 0)
- return print_clone_flags(val);
- else if (strcmp(sys, "unlinkat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "utimensat") == 0)
- return print_dirfd(val);
- } else if (strcmp(sys+1, "etrlimit") == 0)
- return print_rlimit(val);
- else if (*sys == 's') {
- if (strcmp(sys, "setuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setreuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setresuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setfsuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setgid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "setregid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "setresgid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "socket") == 0)
- return print_socket_domain(val);
- else if (strcmp(sys, "setfsgid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "socketcall") == 0)
- return print_socketcall(val, 16);
- }
- else if (strcmp(sys, "linkat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "newfstatat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "openat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "ipccall") == 0)
- return print_ipccall(val, 16);
- }
- if (asprintf(&out, "0x%s", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_a1(const char *val, const idata *id)
-{
- char *out;
- int machine = id->machine, syscall = id->syscall;
- const char *sys = audit_syscall_to_name(syscall, machine);
- if (sys) {
- if (*sys == 'f') {
- if (strcmp(sys, "fchmod") == 0)
- return print_mode_short(val, 16);
- else if (strncmp(sys, "fcntl", 5) == 0)
- return print_fcntl_cmd(val);
- } else if (*sys == 'c') {
- if (strcmp(sys, "chmod") == 0)
- return print_mode_short(val, 16);
- else if (strstr(sys, "chown"))
- return print_uid(val, 16);
- else if (strcmp(sys, "creat") == 0)
- return print_mode_short(val, 16);
- }
- if (strcmp(sys+1, "etsockopt") == 0)
- return print_sock_opt_level(val);
- else if (*sys == 's') {
- if (strcmp(sys, "setreuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setresuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setregid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "setresgid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "socket") == 0)
- return print_socket_type(val);
- else if (strcmp(sys, "setns") == 0)
- return print_clone_flags(val);
- else if (strcmp(sys, "sched_setscheduler") == 0)
- return print_sched(val);
- } else if (*sys == 'm') {
- if (strcmp(sys, "mkdir") == 0)
- return print_mode_short(val, 16);
- else if (strcmp(sys, "mknod") == 0)
- return print_mode(val, 16);
- else if (strcmp(sys, "mq_open") == 0)
- return print_open_flags(val);
- }
- else if (strcmp(sys, "open") == 0)
- return print_open_flags(val);
- else if (strcmp(sys, "access") == 0)
- return print_access(val);
- else if (strcmp(sys, "epoll_ctl") == 0)
- return print_epoll_ctl(val);
- else if (strcmp(sys, "kill") == 0)
- return print_signals(val, 16);
- else if (strcmp(sys, "prctl") == 0) {
- if (id->a0 == PR_CAPBSET_READ ||
- id->a0 == PR_CAPBSET_DROP)
- return print_capabilities(val, 16);
- else if (id->a0 == PR_SET_PDEATHSIG)
- return print_signals(val, 16);
- }
- else if (strcmp(sys, "tkill") == 0)
- return print_signals(val, 16);
- else if (strcmp(sys, "umount2") == 0)
- return print_umount(val);
- else if (strcmp(sys, "ioctl") == 0)
- return print_ioctl_req(val);
- }
- if (asprintf(&out, "0x%s", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_a2(const char *val, const idata *id)
-{
- char *out;
- int machine = id->machine, syscall = id->syscall;
- const char *sys = audit_syscall_to_name(syscall, machine);
- if (sys) {
- if (strncmp(sys, "fcntl", 5) == 0) {
- int ival;
-
- errno = 0;
- ival = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)",
- val) < 0)
- out = NULL;
- return out;
- }
- switch (id->a1)
- {
- case F_SETOWN:
- return print_uid(val, 16);
- case F_SETFD:
- if (ival == FD_CLOEXEC)
- return strdup("FD_CLOEXEC");
- /* Fall thru okay. */
- case F_SETFL:
- case F_SETLEASE:
- case F_GETLEASE:
- case F_NOTIFY:
- break;
- }
- } else if (strcmp(sys+1, "etsockopt") == 0) {
- if (id->a1 == IPPROTO_IP)
- return print_ip_opt_name(val);
- else if (id->a1 == SOL_SOCKET)
- return print_sock_opt_name(val, machine);
- else if (id->a1 == IPPROTO_TCP)
- return print_tcp_opt_name(val);
- else if (id->a1 == IPPROTO_UDP)
- return print_udp_opt_name(val);
- else if (id->a1 == IPPROTO_IPV6)
- return print_ip6_opt_name(val);
- else if (id->a1 == SOL_PACKET)
- return print_pkt_opt_name(val);
- else
- goto normal;
- } else if (*sys == 'o') {
- if (strcmp(sys, "openat") == 0)
- return print_open_flags(val);
- if ((strcmp(sys, "open") == 0) && (id->a1 & O_CREAT))
- return print_mode_short(val, 16);
- } else if (*sys == 'f') {
- if (strcmp(sys, "fchmodat") == 0)
- return print_mode_short(val, 16);
- else if (strcmp(sys, "faccessat") == 0)
- return print_access(val);
- } else if (*sys == 's') {
- if (strcmp(sys, "setresuid") == 0)
- return print_uid(val, 16);
- else if (strcmp(sys, "setresgid") == 0)
- return print_gid(val, 16);
- else if (strcmp(sys, "socket") == 0)
- return print_socket_proto(val);
- else if (strcmp(sys, "sendmsg") == 0)
- return print_recv(val);
- else if (strcmp(sys, "shmget") == 0)
- return print_shmflags(val);
- } else if (*sys == 'm') {
- if (strcmp(sys, "mmap") == 0)
- return print_prot(val, 1);
- else if (strcmp(sys, "mkdirat") == 0)
- return print_mode_short(val, 16);
- else if (strcmp(sys, "mknodat") == 0)
- return print_mode_short(val, 16);
- else if (strcmp(sys, "mprotect") == 0)
- return print_prot(val, 0);
- else if ((strcmp(sys, "mq_open") == 0) &&
- (id->a1 & O_CREAT))
- return print_mode_short(val, 16);
- } else if (*sys == 'r') {
- if (strcmp(sys, "recvmsg") == 0)
- return print_recv(val);
- else if (strcmp(sys, "readlinkat") == 0)
- return print_dirfd(val);
- } else if (*sys == 'l') {
- if (strcmp(sys, "linkat") == 0)
- return print_dirfd(val);
- else if (strcmp(sys, "lseek") == 0)
- return print_seek(val);
- }
- else if (strstr(sys, "chown"))
- return print_gid(val, 16);
- else if (strcmp(sys, "tgkill") == 0)
- return print_signals(val, 16);
- }
-normal:
- if (asprintf(&out, "0x%s", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_a3(const char *val, const idata *id)
-{
- char *out;
- int machine = id->machine, syscall = id->syscall;
- const char *sys = audit_syscall_to_name(syscall, machine);
- if (sys) {
- if (*sys == 'm') {
- if (strcmp(sys, "mmap") == 0)
- return print_mmap(val);
- else if (strcmp(sys, "mount") == 0)
- return print_mount(val);
- } else if (*sys == 'r') {
- if (strcmp(sys, "recv") == 0)
- return print_recv(val);
- else if (strcmp(sys, "recvfrom") == 0)
- return print_recv(val);
- else if (strcmp(sys, "recvmmsg") == 0)
- return print_recv(val);
- } else if (*sys == 's') {
- if (strcmp(sys, "send") == 0)
- return print_recv(val);
- else if (strcmp(sys, "sendto") == 0)
- return print_recv(val);
- else if (strcmp(sys, "sendmmsg") == 0)
- return print_recv(val);
- }
- }
- if (asprintf(&out, "0x%s", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_signals(const char *val, unsigned int base)
-{
- int i;
- char *out;
-
- errno = 0;
- i = strtoul(val, NULL, base);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- else if (i < 32) {
- const char *s = signal_i2s(i);
- if (s != NULL)
- return strdup(s);
- }
- if (asprintf(&out, "unknown signal (%s%s)",
- base == 16 ? "0x" : "", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_nfproto(const char *val)
-{
- int proto;
- char *out;
- const char *s;
-
- errno = 0;
- proto = strtoul(val, NULL, 10);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = nfproto_i2s(proto);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown netfilter protocol (%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_icmptype(const char *val)
-{
- int icmptype;
- char *out;
- const char *s;
-
- errno = 0;
- icmptype = strtoul(val, NULL, 10);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
-
- s = icmptype_i2s(icmptype);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown icmp type (%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-static const char *print_protocol(const char *val)
-{
- int i;
- char *out;
-
- errno = 0;
- i = strtoul(val, NULL, 10);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- } else {
- struct protoent *p = getprotobynumber(i);
- if (p)
- out = strdup(p->p_name);
- else
- out = strdup("undefined protocol");
- }
- return out;
-}
-
-static const char *print_addr(const char *val)
-{
- char *out = strdup(val);
- return out;
-}
-
-static const char *print_list(const char *val)
-{
- int i;
- char *out;
-
- errno = 0;
- i = strtoul(val, NULL, 10);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- } else
- out = strdup(audit_flag_to_name(i));
- return out;
-}
-
-struct string_buf {
- char *buf; /* NULL if was ever out of memory */
- size_t allocated;
- size_t pos;
-};
-
-/* Append c to buf. */
-static void append_char(struct string_buf *buf, char c)
-{
- if (buf->buf == NULL)
- return;
- if (buf->pos == buf->allocated) {
- char *p;
-
- buf->allocated *= 2;
- p = realloc(buf->buf, buf->allocated);
- if (p == NULL) {
- free(buf->buf);
- buf->buf = NULL;
- return;
- }
- buf->buf = p;
- }
- buf->buf[buf->pos] = c;
- buf->pos++;
-}
-
-/* Represent c as a character within a quoted string, and append it to buf. */
-static void tty_append_printable_char(struct string_buf *buf, unsigned char c)
-{
- if (c < 0x20 || c > 0x7E) {
- append_char(buf, '\\');
- append_char(buf, '0' + ((c >> 6) & 07));
- append_char(buf, '0' + ((c >> 3) & 07));
- append_char(buf, '0' + (c & 07));
- } else {
- if (c == '\\' || c == '"')
- append_char(buf, '\\');
- append_char(buf, c);
- }
-}
-
-/* Search for a name of a sequence of TTY bytes.
- If found, return the name and advance *INPUT. Return NULL otherwise. */
-static const char *tty_find_named_key(unsigned char **input, size_t input_len)
-{
- /* NUL-terminated list of (sequence, NUL, name, NUL) entries.
- First match wins, even if a longer match were possible later */
- static const unsigned char named_keys[] =
-#define E(SEQ, NAME) SEQ "\0" NAME "\0"
-#include "tty_named_keys.h"
-#undef E
- "\0";
-
- unsigned char *src;
- const unsigned char *nk;
-
- src = *input;
- if (*src >= ' ' && (*src < 0x7F || *src >= 0xA0))
- return NULL; /* Fast path */
- nk = named_keys;
- do {
- const unsigned char *p;
- size_t nk_len;
-
- p = strchr(nk, '\0');
- nk_len = p - nk;
- if (nk_len <= input_len && memcmp(src, nk, nk_len) == 0) {
- *input += nk_len;
- return p + 1;
- }
- nk = strchr(p + 1, '\0') + 1;
- } while (*nk != '\0');
- return NULL;
-}
-
-static const char *print_tty_data(const char *raw_data)
-{
- struct string_buf buf;
- int in_printable;
- unsigned char *data, *data_pos, *data_end;
-
- if (!is_hex_string(raw_data))
- return strdup(raw_data);
- data = au_unescape((char *)raw_data);
- if (data == NULL)
- return NULL;
- data_end = data + strlen(raw_data) / 2;
-
- buf.allocated = 10;
- buf.buf = malloc(buf.allocated); /* NULL handled in append_char() */
- buf.pos = 0;
- in_printable = 0;
- data_pos = data;
- while (data_pos < data_end) {
- /* FIXME: Unicode */
- const char *desc;
-
- desc = tty_find_named_key(&data_pos, data_end - data_pos);
- if (desc != NULL) {
- if (in_printable != 0) {
- append_char(&buf, '"');
- in_printable = 0;
- }
- if (buf.pos != 0)
- append_char(&buf, ',');
- append_char(&buf, '<');
- while (*desc != '\0') {
- append_char(&buf, *desc);
- desc++;
- }
- append_char(&buf, '>');
- } else {
- if (in_printable == 0) {
- if (buf.pos != 0)
- append_char(&buf, ',');
- append_char(&buf, '"');
- in_printable = 1;
- }
- tty_append_printable_char(&buf, *data_pos);
- data_pos++;
- }
- }
- if (in_printable != 0)
- append_char(&buf, '"');
- append_char(&buf, '\0');
- free(data);
- return buf.buf;
-}
-
-static const char *print_session(const char *val)
-{
- if (strcmp(val, "4294967295") == 0)
- return strdup("unset");
- else
- return strdup(val);
-}
-
-#define SECCOMP_RET_ACTION 0x7fff0000U
-static const char *print_seccomp_code(const char *val)
-{
- unsigned long code;
- char *out;
- const char *s;
-
- errno = 0;
- code = strtoul(val, NULL, 16);
- if (errno) {
- if (asprintf(&out, "conversion error(%s)", val) < 0)
- out = NULL;
- return out;
- }
- s = seccomp_i2s(code & SECCOMP_RET_ACTION);
- if (s != NULL)
- return strdup(s);
- if (asprintf(&out, "unknown seccomp code (%s)", val) < 0)
- out = NULL;
- return out;
-}
-
-int lookup_type(const char *name)
-{
- int i;
-
- if (type_s2i(name, &i) != 0)
- return i;
- return AUPARSE_TYPE_UNCLASSIFIED;
-}
-
-const char *interpret(const rnode *r)
-{
- const nvlist *nv = &r->nv;
- int type;
- idata id;
- nvnode *n;
- const char *out;
-
- id.machine = r->machine;
- id.syscall = r->syscall;
- id.a0 = r->a0;
- id.a1 = r->a1;
- id.name = nvlist_get_cur_name(nv);
- id.val = nvlist_get_cur_val(nv);
- type = auparse_interp_adjust_type(r->type, id.name, id.val);
-
- out = auparse_do_interpretation(type, &id);
- n = nvlist_get_cur(nv);
- n->interp_val = (char *)out;
-
- return out;
-}
-
-/*
- * rtype: the record type
- * name: the current field name
- * value: the current field value
- * Returns: field's internal type is returned
- */
-int auparse_interp_adjust_type(int rtype, const char *name, const char *val)
-{
- int type;
-
- /* This set of statements overrides or corrects the detection.
- * In almost all cases its a double use of a field. */
- if (rtype == AUDIT_EXECVE && *name == 'a' && strcmp(name, "argc") &&
- !strstr(name, "_len"))
- type = AUPARSE_TYPE_ESCAPED;
- else if (rtype == AUDIT_AVC && strcmp(name, "saddr") == 0)
- type = AUPARSE_TYPE_UNCLASSIFIED;
- else if (rtype == AUDIT_USER_TTY && strcmp(name, "msg") == 0)
- type = AUPARSE_TYPE_ESCAPED;
- else if (rtype == AUDIT_NETFILTER_PKT && strcmp(name, "saddr") == 0)
- type = AUPARSE_TYPE_ADDR;
- else if (strcmp(name, "acct") == 0) {
- if (val[0] == '"')
- type = AUPARSE_TYPE_ESCAPED;
- else if (is_hex_string(val))
- type = AUPARSE_TYPE_ESCAPED;
- else
- type = AUPARSE_TYPE_UNCLASSIFIED;
- } else if (rtype == AUDIT_PATH && *name =='f' &&
- strcmp(name, "flags") == 0)
- type = AUPARSE_TYPE_FLAGS;
- else if (rtype == AUDIT_MQ_OPEN && strcmp(name, "mode") == 0)
- type = AUPARSE_TYPE_MODE_SHORT;
- else if (rtype == AUDIT_CRYPTO_KEY_USER && strcmp(name, "fp") == 0)
- type = AUPARSE_TYPE_UNCLASSIFIED;
- else if ((strcmp(name, "id") == 0) &&
- (rtype == AUDIT_ADD_GROUP || rtype == AUDIT_GRP_MGMT ||
- rtype == AUDIT_DEL_GROUP))
- type = AUPARSE_TYPE_GID;
- else
- type = lookup_type(name);
-
- return type;
-}
-hidden_def(auparse_interp_adjust_type)
-
-const char *auparse_do_interpretation(int type, const idata *id)
-{
- const char *out;
- switch(type) {
- case AUPARSE_TYPE_UID:
- out = print_uid(id->val, 10);
- break;
- case AUPARSE_TYPE_GID:
- out = print_gid(id->val, 10);
- break;
- case AUPARSE_TYPE_SYSCALL:
- out = print_syscall(id);
- break;
- case AUPARSE_TYPE_ARCH:
- out = print_arch(id->val, id->machine);
- break;
- case AUPARSE_TYPE_EXIT:
- out = print_exit(id->val);
- break;
- case AUPARSE_TYPE_ESCAPED:
- out = print_escaped(id->val);
- break;
- case AUPARSE_TYPE_PERM:
- out = print_perm(id->val);
- break;
- case AUPARSE_TYPE_MODE:
- out = print_mode(id->val,8);
- break;
- case AUPARSE_TYPE_MODE_SHORT:
- out = print_mode_short(id->val,8);
- break;
- case AUPARSE_TYPE_SOCKADDR:
- out = print_sockaddr(id->val);
- break;
- case AUPARSE_TYPE_FLAGS:
- out = print_flags(id->val);
- break;
- case AUPARSE_TYPE_PROMISC:
- out = print_promiscuous(id->val);
- break;
- case AUPARSE_TYPE_CAPABILITY:
- out = print_capabilities(id->val, 10);
- break;
- case AUPARSE_TYPE_SUCCESS:
- out = print_success(id->val);
- break;
- case AUPARSE_TYPE_A0:
- out = print_a0(id->val, id);
- break;
- case AUPARSE_TYPE_A1:
- out = print_a1(id->val, id);
- break;
- case AUPARSE_TYPE_A2:
- out = print_a2(id->val, id);
- break;
- case AUPARSE_TYPE_A3:
- out = print_a3(id->val, id);
- break;
- case AUPARSE_TYPE_SIGNAL:
- out = print_signals(id->val, 10);
- break;
- case AUPARSE_TYPE_LIST:
- out = print_list(id->val);
- break;
- case AUPARSE_TYPE_TTY_DATA:
- out = print_tty_data(id->val);
- break;
- case AUPARSE_TYPE_SESSION:
- out = print_session(id->val);
- break;
- case AUPARSE_TYPE_CAP_BITMAP:
- out = print_cap_bitmap(id->val);
- break;
- case AUPARSE_TYPE_NFPROTO:
- out = print_nfproto(id->val);
- break;
- case AUPARSE_TYPE_ICMPTYPE:
- out = print_icmptype(id->val);
- break;
- case AUPARSE_TYPE_PROTOCOL:
- out = print_protocol(id->val);
- break;
- case AUPARSE_TYPE_ADDR:
- out = print_addr(id->val);
- break;
- case AUPARSE_TYPE_PERSONALITY:
- out = print_personality(id->val);
- break;
- case AUPARSE_TYPE_SECCOMP:
- out = print_seccomp_code(id->val);
- break;
- case AUPARSE_TYPE_OFLAG:
- out = print_open_flags(id->val);
- break;
- case AUPARSE_TYPE_MMAP:
- out = print_mmap(id->val);
- break;
- case AUPARSE_TYPE_PROCTITLE:
- out = print_proctitle(id->val);
- break;
- case AUPARSE_TYPE_MAC_LABEL:
- case AUPARSE_TYPE_UNCLASSIFIED:
- default:
- out = strdup(id->val);
- break;
- }
-
- if (escape_mode != AUPARSE_ESC_RAW) {
- unsigned int len = strlen(out);
- unsigned int cnt = need_escaping(out, len);
- if (cnt) {
- char *dest = malloc(len + 1 + (3*cnt));
- if (dest)
- escape(out, dest, len);
- free((void *)out);
- out = dest;
- }
- }
- return out;
-}
-hidden_def(auparse_do_interpretation)
-
diff --git a/framework/src/audit/auparse/interpret.h b/framework/src/audit/auparse/interpret.h
deleted file mode 100644
index e546452e..00000000
--- a/framework/src/audit/auparse/interpret.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* interpret.h --
- * Copyright 2007,08 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-#ifndef INTERPRET_HEADER
-#define INTERPRET_HEADER
-
-#include "config.h"
-#include "private.h"
-#include "rnode.h"
-#include <time.h>
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-
-int lookup_type(const char *name);
-const char *interpret(const rnode *r);
-void aulookup_destroy_uid_list(void);
-void aulookup_destroy_gid_list(void);
-char *au_unescape(char *buf);
-
-/* Make these hidden to prevent conflicts */
-hidden_proto(lookup_type);
-hidden_proto(interpret);
-hidden_proto(aulookup_destroy_uid_list);
-hidden_proto(aulookup_destroy_gid_list);
-hidden_proto(au_unescape);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
diff --git a/framework/src/audit/auparse/ioctlreqtab.h b/framework/src/audit/auparse/ioctlreqtab.h
deleted file mode 100644
index a3301e3e..00000000
--- a/framework/src/audit/auparse/ioctlreqtab.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* ioctlreqtab.h --
- * Copyright 2014 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-_S(0x4B3A, "KDSETMODE" )
-_S(0x4B3B, "KDGETMODE" )
-_S(0x5309, "CDROMEJECT" )
-_S(0x530F, "CDROMEJECT_SW" )
-_S(0x5311, "CDROM_GET_UPC" )
-_S(0x5316, "CDROMSEEK" )
-_S(0x5401, "TCGETS" )
-_S(0x5402, "TCSETS" )
-_S(0x5403, "TCSETSW" )
-_S(0x5404, "TCSETSF" )
-_S(0x5409, "TCSBRK" )
-_S(0x540B, "TCFLSH" )
-_S(0x540E, "TIOCSCTTY" )
-_S(0x540F, "TIOCGPGRP" )
-_S(0x5410, "TIOCSPGRP" )
-_S(0x5413, "TIOCGWINSZ" )
-_S(0x5414, "TIOCSWINSZ" )
-_S(0x541B, "TIOCINQ" )
-_S(0x5421, "FIONBIO" )
-_S(0x8901, "FIOSETOWN" )
-_S(0x8903, "FIOGETOWN" )
-_S(0x8910, "SIOCGIFNAME" )
-_S(0x8927, "SIOCGIFHWADDR" )
-_S(0x8933, "SIOCGIFINDEX" )
-_S(0x89a2, "SIOCBRADDIF" )
-_S(0x40045431, "TIOCSPTLCK" ) // Need a better fix for these
-_S(0x80045430, "TIOCGPTN" )
-_S(0x80045431, "TIOCSPTLCK" )
-_S(0xC01C64A3, "DRM_IOCTL_MODE_CURSOR" )
-_S(0xC01864B0, "DRM_IOCTL_MODE_PAGE_FLIP" )
-_S(0xC01864B1, "DRM_IOCTL_MODE_DIRTYFB" )
-
diff --git a/framework/src/audit/auparse/ip6optnametab.h b/framework/src/audit/auparse/ip6optnametab.h
deleted file mode 100644
index 16452af0..00000000
--- a/framework/src/audit/auparse/ip6optnametab.h
+++ /dev/null
@@ -1,87 +0,0 @@
-/* ip6optnametab.h --
- * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/in6.h
- * include/uapi/linux/netfilter_ipv6/ip6_tables.h
- */
-
-_S(1, "IPV6_ADDRFORM")
-_S(2, "IPV6_2292PKTINFO")
-_S(3, "IPV6_2292HOPOPTS")
-_S(4, "IPV6_2292DSTOPTS")
-_S(5, "IPV6_2292RTHDR")
-_S(6, "IPV6_2292PKTOPTIONS")
-_S(7, "IPV6_CHECKSUM")
-_S(8, "IPV6_2292HOPLIMIT")
-_S(9, "IPV6_NEXTHOP")
-_S(10, "IPV6_AUTHHDR")
-_S(11, "IPV6_FLOWINFO")
-_S(16, "IPV6_UNICAST_HOPS")
-_S(17, "IPV6_MULTICAST_IF")
-_S(18, "IPV6_MULTICAST_HOPS")
-_S(19, "IPV6_MULTICAST_LOOP")
-_S(20, "IPV6_ADD_MEMBERSHIP")
-_S(21, "IPV6_DROP_MEMBERSHIP")
-_S(22, "IPV6_ROUTER_ALERT")
-_S(23, "IPV6_MTU_DISCOVER")
-_S(24, "IPV6_MTU")
-_S(25, "IPV6_RECVERR")
-_S(26, "IPV6_V6ONLY")
-_S(27, "IPV6_JOIN_ANYCAST")
-_S(28, "IPV6_LEAVE_ANYCAST")
-_S(32, "IPV6_FLOWLABEL_MGR")
-_S(33, "IPV6_FLOWINFO_SEND")
-_S(34, "IPV6_IPSEC_POLICY")
-_S(35, "IPV6_XFRM_POLICY")
-_S(42, "MCAST_JOIN_GROUP")
-_S(43, "MCAST_BLOCK_SOURCE")
-_S(44, "MCAST_UNBLOCK_SOURCE")
-_S(45, "MCAST_LEAVE_GROUP")
-_S(46, "MCAST_JOIN_SOURCE_GROUP")
-_S(47, "MCAST_LEAVE_SOURCE_GROUP")
-_S(48, "MCAST_MSFILTER")
-_S(49, "IPV6_RECVPKTINFO")
-_S(50, "IPV6_PKTINFO")
-_S(51, "IPV6_RECVHOPLIMIT")
-_S(52, "IPV6_HOPLIMIT")
-_S(53, "IPV6_RECVHOPOPTS")
-_S(54, "IPV6_HOPOPTS")
-_S(55, "IPV6_RTHDRDSTOPTS")
-_S(56, "IPV6_RECVRTHDR")
-_S(57, "IPV6_RTHDR")
-_S(58, "IPV6_RECVDSTOPTS")
-_S(59, "IPV6_DSTOPTS")
-_S(60, "IPV6_RECVPATHMTU")
-_S(61, "IPV6_PATHMTU")
-_S(62, "IPV6_DONTFRAG")
-_S(63, "IPV6_USE_MIN_MTU")
-_S(64, "IP6T_SO_SET_REPLACE")
-_S(65, "IP6T_SO_SET_ADD_COUNTERS")
-_S(66, "IPV6_RECVTCLASS")
-_S(67, "IPV6_TCLASS")
-_S(68, "IP6T_SO_GET_REVISION_MATCH")
-_S(69, "IP6T_SO_GET_REVISION_TARGET")
-_S(72, "IPV6_ADDR_PREFERENCES")
-_S(73, "IPV6_MINHOPCOUNT")
-_S(74, "IPV6_ORIGDSTADDR")
-_S(75, "IPV6_TRANSPARENT")
-_S(76, "IPV6_UNICAST_IF")
-_S(80, "IP6T_SO_ORIGINAL_DST")
-
diff --git a/framework/src/audit/auparse/ipccmdtab.h b/framework/src/audit/auparse/ipccmdtab.h
deleted file mode 100644
index 97c6bc30..00000000
--- a/framework/src/audit/auparse/ipccmdtab.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* ipccmdtab.h --
- * Copyright 2013 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/ipc.h
- */
-
-
-_S(00001000, "IPC_CREAT" )
-_S(00002000, "IPC_EXCL" )
-_S(00004000, "IPC_NOWAIT" )
-
diff --git a/framework/src/audit/auparse/ipctab.h b/framework/src/audit/auparse/ipctab.h
deleted file mode 100644
index c30eb20c..00000000
--- a/framework/src/audit/auparse/ipctab.h
+++ /dev/null
@@ -1,37 +0,0 @@
-/* ipctab.h --
- * Copyright 2007,2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/ipc.h
- */
-
-
-_S(SEMOP, "semop" )
-_S(SEMGET, "semget" )
-_S(SEMCTL, "semctl" )
-_S(4, "semtimedop" )
-_S(MSGSND, "msgsnd" )
-_S(MSGRCV, "msgrcv" )
-_S(MSGGET, "msgget" )
-_S(MSGCTL, "msgctl" )
-_S(SHMAT, "shmat" )
-_S(SHMDT, "shmdt" )
-_S(SHMGET, "shmget" )
-_S(SHMCTL, "shmctl" )
-
diff --git a/framework/src/audit/auparse/ipoptnametab.h b/framework/src/audit/auparse/ipoptnametab.h
deleted file mode 100644
index 38a9fb80..00000000
--- a/framework/src/audit/auparse/ipoptnametab.h
+++ /dev/null
@@ -1,70 +0,0 @@
-/* ipoptnametab.h --
- * Copyright 2013,2015 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/in.h
- * include/uapi/linux/netfilter_ipv4/ip_tables.h
- */
-
-
-_S(1, "IP_TOS")
-_S(2, "IP_TTL")
-_S(3, "IP_HDRINCL")
-_S(4, "IP_OPTIONS")
-_S(5, "IP_ROUTER_ALERT")
-_S(6, "IP_RECVOPTS")
-_S(7, "IP_RETOPTS")
-_S(8, "IP_PKTINFO")
-_S(9, "IP_PKTOPTIONS")
-_S(10, "IP_MTU_DISCOVER")
-_S(11, "IP_RECVERR")
-_S(12, "IP_RECVTTL")
-_S(14, "IP_MTU")
-_S(15, "IP_FREEBIND")
-_S(16, "IP_IPSEC_POLICY")
-_S(17, "IP_XFRM_POLICY")
-_S(18, "IP_PASSSEC")
-_S(19, "IP_TRANSPARENT")
-_S(20, "IP_ORIGDSTADDR")
-_S(21, "IP_MINTTL")
-_S(22, "IP_NODEFRAG")
-_S(23, "IP_CHECKSUM")
-_S(32, "IP_MULTICAST_IF")
-_S(33, "IP_MULTICAST_TTL")
-_S(34, "IP_MULTICAST_LOOP")
-_S(35, "IP_ADD_MEMBERSHIP")
-_S(36, "IP_DROP_MEMBERSHIP")
-_S(37, "IP_UNBLOCK_SOURCE")
-_S(38, "IP_BLOCK_SOURCE")
-_S(39, "IP_ADD_SOURCE_MEMBERSHIP")
-_S(40, "IP_DROP_SOURCE_MEMBERSHIP")
-_S(41, "IP_MSFILTER")
-_S(42, "MCAST_JOIN_GROUP")
-_S(43, "MCAST_BLOCK_SOURCE")
-_S(44, "MCAST_UNBLOCK_SOURCE")
-_S(45, "MCAST_LEAVE_GROUP")
-_S(46, "MCAST_JOIN_SOURCE_GROUP")
-_S(47, "MCAST_LEAVE_SOURCE_GROUP")
-_S(48, "MCAST_MSFILTER")
-_S(49, "IP_MULTICAST_ALL")
-_S(50, "IP_UNICAST_IF")
-_S(64, "IPT_SO_SET_REPLACE")
-_S(65, "IPT_SO_SET_ADD_COUNTERS")
-_S(66, "IPT_SO_GET_REVISION_TARGET")
-
diff --git a/framework/src/audit/auparse/message.c b/framework/src/audit/auparse/message.c
deleted file mode 100644
index 45b33c0f..00000000
--- a/framework/src/audit/auparse/message.c
+++ /dev/null
@@ -1,58 +0,0 @@
-/* message.c --
- * Copyright 2004, 2005 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-#include "config.h"
-#include <stdio.h>
-#include <stdarg.h>
-#include "libaudit.h"
-#include "private.h"
-
-/* The message mode refers to where informational messages go
- 0 - stderr, 1 - syslog, 2 - quiet. The default is quiet. */
-static message_t message_mode = MSG_QUIET;
-static debug_message_t debug_message = DBG_NO;
-
-void set_aumessage_mode(message_t mode, debug_message_t debug)
-{
- message_mode = mode;
- debug_message = debug;
-}
-
-void audit_msg(int priority, const char *fmt, ...)
-{
- va_list ap;
-
- if (message_mode == MSG_QUIET)
- return;
-
- if (priority == LOG_DEBUG && debug_message == DBG_NO)
- return;
-
- va_start(ap, fmt);
- if (message_mode == MSG_SYSLOG)
- vsyslog(priority, fmt, ap);
- else {
- vfprintf(stderr, fmt, ap);
- fputc('\n', stderr);
- }
- va_end( ap );
-}
diff --git a/framework/src/audit/auparse/mmaptab.h b/framework/src/audit/auparse/mmaptab.h
deleted file mode 100644
index 9bd5ef5a..00000000
--- a/framework/src/audit/auparse/mmaptab.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/* mmaptab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/asm-generic/mman.h >0x100
- * include/uapi/asm-generic/mman-common.h < 0x100
- * NOTE: If this is updated, also update interpret.c:print_mmap()
- */
-
-_S(0x00001, "MAP_SHARED" )
-_S(0x00002, "MAP_PRIVATE" )
-_S(0x00010, "MAP_FIXED" )
-_S(0x00020, "MAP_ANONYMOUS" )
-_S(0x00040, "MAP_32BIT" )
-_S(0x00100, "MAP_GROWSDOWN" )
-_S(0x00800, "MAP_DENYWRITE" )
-_S(0x01000, "MAP_EXECUTABLE" )
-_S(0x02000, "MAP_LOCKED" )
-_S(0x04000, "MAP_NORESERVE" )
-_S(0x08000, "MAP_POPULATE" )
-_S(0x10000, "MAP_NONBLOCK" )
-_S(0x20000, "MAP_STACK" )
-_S(0x40000, "MAP_HUGETLB" )
-
diff --git a/framework/src/audit/auparse/mounttab.h b/framework/src/audit/auparse/mounttab.h
deleted file mode 100644
index ce98a998..00000000
--- a/framework/src/audit/auparse/mounttab.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/* mounttab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/fs.h
- * NOTE: When updating this table, update interpret.c:print_mount()
- */
-
-_S(MS_RDONLY, "MS_RDONLY")
-_S(MS_NOSUID, "MS_NOSUID")
-_S(MS_NODEV, "MS_NODEV" )
-_S(MS_NOEXEC, "MS_NOEXEC")
-_S(MS_SYNCHRONOUS, "MS_SYNCHRONOUS")
-_S(MS_REMOUNT, "MS_REMOUNT")
-_S(MS_MANDLOCK, "MS_MANDLOCK")
-_S(MS_DIRSYNC, "MS_DIRSYNC")
-_S(MS_NOATIME, "MS_NOATIME")
-_S(MS_NODIRATIME, "MS_NODIRATIME")
-_S(MS_BIND, "MS_BIND")
-_S(MS_MOVE, "MS_MOVE")
-_S(MS_REC, "MS_REC")
-_S(MS_SILENT, "MS_SILENT")
-_S(MS_POSIXACL, "MS_POSIXACL")
-_S(MS_UNBINDABLE, "MS_UNBINDABLE")
-_S(MS_PRIVATE, "MS_PRIVATE")
-_S(MS_SLAVE, "MS_SLAVE")
-_S(MS_SHARED, "MS_SHARED")
-_S(MS_RELATIME, "MS_RELATIME")
-_S(MS_KERNMOUNT, "MS_KERNMOUNT")
-_S(MS_I_VERSION, "MS_I_VERSION")
-_S((1<<24), "MS_STRICTATIME")
-_S((1<<27), "MS_SNAP_STABLE")
-_S((1<<28), "MS_NOSEC")
-_S((1<<29), "MS_BORN")
-_S(MS_ACTIVE, "MS_ACTIVE")
-_S(MS_NOUSER, "MS_NOUSER")
-
diff --git a/framework/src/audit/auparse/nfprototab.h b/framework/src/audit/auparse/nfprototab.h
deleted file mode 100644
index eab43370..00000000
--- a/framework/src/audit/auparse/nfprototab.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* nfprototab.h --
- * Copyright 2011-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/netfilter.h
- */
-
-_S(0, "unspecified" )
-_S(1, "inet" )
-_S(2, "ipv4" )
-_S(3, "arp" )
-_S(7, "bridge" )
-_S(10, "ipv6" )
-_S(12, "decnet" )
-
diff --git a/framework/src/audit/auparse/nvlist.c b/framework/src/audit/auparse/nvlist.c
deleted file mode 100644
index 66e7ff8c..00000000
--- a/framework/src/audit/auparse/nvlist.c
+++ /dev/null
@@ -1,137 +0,0 @@
-/*
-* nvlist.c - Minimal linked list library for name-value pairs
-* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#include "config.h"
-#include <stdlib.h>
-#include <string.h>
-#include "nvlist.h"
-#include "interpret.h"
-#include "auparse-idata.h"
-
-
-void nvlist_create(nvlist *l)
-{
- l->head = NULL;
- l->cur = NULL;
- l->cnt = 0;
-}
-
-static void nvlist_last(nvlist *l)
-{
- register nvnode* window;
-
- if (l->head == NULL)
- return;
-
- window = l->head;
- while (window->next)
- window = window->next;
- l->cur = window;
-}
-
-nvnode *nvlist_next(nvlist *l)
-{
- if (l->cur)
- l->cur = l->cur->next;
- return l->cur;
-}
-
-void nvlist_append(nvlist *l, nvnode *node)
-{
- nvnode* newnode = malloc(sizeof(nvnode));
-
- newnode->name = node->name;
- newnode->val = node->val;
- newnode->interp_val = NULL;
- newnode->item = l->cnt;
- newnode->next = NULL;
-
- // if we are at top, fix this up
- if (l->head == NULL)
- l->head = newnode;
- else { // Otherwise add pointer to newnode
- if (l->cnt == (l->cur->item+1)) {
- l->cur->next = newnode;
- }
- else {
- nvlist_last(l);
- l->cur->next = newnode;
- }
- }
-
- // make newnode current
- l->cur = newnode;
- l->cnt++;
-}
-
-/*
- * This function will start at current index and scan for a name
- */
-int nvlist_find_name(nvlist *l, const char *name)
-{
- register nvnode* window = l->cur;
-
- while (window) {
- if (strcmp(window->name, name) == 0) {
- l->cur = window;
- return 1;
- }
- else
- window = window->next;
- }
- return 0;
-}
-
-extern int interp_adjust_type(int rtype, const char *name, const char *val);
-int nvlist_get_cur_type(const rnode *r)
-{
- const nvlist *l = &r->nv;
- return auparse_interp_adjust_type(r->type, l->cur->name, l->cur->val);
-}
-
-const char *nvlist_interp_cur_val(const rnode *r)
-{
- const nvlist *l = &r->nv;
- if (l->cur->interp_val)
- return l->cur->interp_val;
- return interpret(r);
-}
-
-void nvlist_clear(nvlist* l)
-{
- nvnode* nextnode;
- register nvnode* current;
-
- current = l->head;
- while (current) {
- nextnode=current->next;
- free(current->name);
- free(current->val);
- free(current->interp_val);
- free(current);
- current=nextnode;
- }
- l->head = NULL;
- l->cur = NULL;
- l->cnt = 0;
-}
diff --git a/framework/src/audit/auparse/nvlist.h b/framework/src/audit/auparse/nvlist.h
deleted file mode 100644
index 2924ddc6..00000000
--- a/framework/src/audit/auparse/nvlist.h
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
-* nvlist.h - Header file for nvlist.c
-* Copyright (c) 2006-07 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#ifndef NVLIST_HEADER
-#define NVLIST_HEADER
-
-#include "config.h"
-#include "private.h"
-#include <sys/types.h>
-#include "rnode.h"
-#include "ellist.h"
-
-
-void nvlist_create(nvlist *l) hidden;
-void nvlist_clear(nvlist* l) hidden;
-static inline unsigned int nvlist_get_cnt(nvlist *l) { return l->cnt; }
-static inline void nvlist_first(nvlist *l) { l->cur = l->head; }
-static inline nvnode *nvlist_get_cur(const nvlist *l) { return l->cur; }
-nvnode *nvlist_next(nvlist *l) hidden;
-static inline const char *nvlist_get_cur_name(const nvlist *l) {if (l->cur) return l->cur->name; else return NULL;}
-static inline const char *nvlist_get_cur_val(const nvlist *l) {if (l->cur) return l->cur->val; else return NULL;}
-static inline const char *nvlist_get_cur_val_interp(const nvlist *l) {if (l->cur) return l->cur->interp_val; else return NULL;}
-int nvlist_get_cur_type(const rnode *r) hidden;
-const char *nvlist_interp_cur_val(const rnode *r) hidden;
-void nvlist_append(nvlist *l, nvnode *node) hidden;
-
-/* Given a numeric index, find that record. */
-int nvlist_find_name(nvlist *l, const char *name) hidden;
-
-#endif
-
diff --git a/framework/src/audit/auparse/nvpair.c b/framework/src/audit/auparse/nvpair.c
deleted file mode 100644
index 467d1546..00000000
--- a/framework/src/audit/auparse/nvpair.c
+++ /dev/null
@@ -1,89 +0,0 @@
-/*
-* nvpair.c - Minimal linked list library for name-value pairs
-* Copyright (c) 2007-08 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#include "config.h"
-#include <stdlib.h>
-#include "nvpair.h"
-
-
-void nvpair_create(nvpair *l)
-{
- l->head = NULL;
- l->cur = NULL;
- l->cnt = 0;
-}
-
-void nvpair_append(nvpair *l, nvpnode *node)
-{
- nvpnode* newnode = malloc(sizeof(nvpnode));
-
- newnode->name = node->name;
- newnode->val = node->val;
- newnode->next = NULL;
-
- // if we are at top, fix this up
- if (l->head == NULL)
- l->head = newnode;
- else { // Otherwise add pointer to newnode
- while (l->cur->next)
- l->cur = l->cur->next;
- l->cur->next = newnode;
- }
-
- // make newnode current
- l->cur = newnode;
- l->cnt++;
-}
-
-int nvpair_find_val(nvpair *l, long val)
-{
- register nvpnode* window = l->head;
-
- while (window) {
- if (window->val == val) {
- l->cur = window;
- return 1;
- }
- else
- window = window->next;
- }
- return 0;
-}
-
-void nvpair_clear(nvpair *l)
-{
- nvpnode* nextnode;
- register nvpnode* current;
-
- current = l->head;
- while (current) {
- nextnode=current->next;
- free(current->name);
- free(current);
- current=nextnode;
- }
- l->head = NULL;
- l->cur = NULL;
- l->cnt = 0;
-}
-
diff --git a/framework/src/audit/auparse/nvpair.h b/framework/src/audit/auparse/nvpair.h
deleted file mode 100644
index 2ea7f635..00000000
--- a/framework/src/audit/auparse/nvpair.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
-* nvpair.h - Header file for nvpair.c
-* Copyright (c) 2007-08 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This library is free software; you can redistribute it and/or
-* modify it under the terms of the GNU Lesser General Public
-* License as published by the Free Software Foundation; either
-* version 2.1 of the License, or (at your option) any later version.
-*
-* This library is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this library; if not, write to the Free Software
-* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#ifndef NVPAIR_HEADER
-#define NVPAIR_HEADER
-
-#include "config.h"
-#include "private.h"
-#include <sys/types.h>
-
-/* This is the node of the linked list. Any data elements that are
- * per item goes here. */
-typedef struct _nvpnode{
- char *name; // The name string
- long val; // The value field
- struct _nvpnode* next; // Next nvpair node pointer
-} nvpnode;
-
-/* This is the linked list head. Only data elements that are 1 per
- * event goes here. */
-typedef struct {
- nvpnode *head; // List head
- nvpnode *cur; // Pointer to current node
- unsigned int cnt; // How many items in this list
-} nvpair;
-
-void nvpair_create(nvpair *l) hidden;
-static inline void nvpair_first(nvpair *l) { l->cur = l->head; }
-static inline nvpnode *nvpair_get_cur(nvpair *l) { return l->cur; }
-void nvpair_append(nvpair *l, nvpnode *node) hidden;
-void nvpair_clear(nvpair *l) hidden;
-int nvpair_find_val(nvpair *l, long val) hidden;
-
-
-#endif
-
diff --git a/framework/src/audit/auparse/open-flagtab.h b/framework/src/audit/auparse/open-flagtab.h
deleted file mode 100644
index 42bc9950..00000000
--- a/framework/src/audit/auparse/open-flagtab.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* open-flagtab.h --
- * Copyright 2007,2012-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/asm-generic/fcntl.h
- * NOTE: When updating this table, update interpret.c:print_open_flags()
- */
-
-// Handled in the code: _S(00, "O_RDONLY" )
-_S(01, "O_WRONLY" )
-_S(02, "O_RDWR" )
-_S(0100, "O_CREAT")
-_S(0200, "O_EXCL" )
-_S(0400, "O_NOCTTY" )
-_S(01000, "O_TRUNC" )
-_S(02000, "O_APPEND" )
-_S(04000, "O_NONBLOCK" )
-_S(010000, "O_DSYNC" )
-_S(020000, "O_ASYNC" )
-_S(040000, "O_DIRECT" )
-_S(0200000, "O_DIRECTORY" )
-_S(0400000, "O_NOFOLLOW" )
-_S(01000000, "O_NOATIME" )
-_S(02000000, "O_CLOEXEC")
-_S(04000000, "__O_SYNC")
-_S(010000000, "O_PATH")
-_S(020000000, "__O_TMPFILE")
-
diff --git a/framework/src/audit/auparse/persontab.h b/framework/src/audit/auparse/persontab.h
deleted file mode 100644
index a1957653..00000000
--- a/framework/src/audit/auparse/persontab.h
+++ /dev/null
@@ -1,45 +0,0 @@
-/* persontab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/personality.h
- */
-
-_S(0x0000, "PER_LINUX")
-_S(0x0000 | ADDR_LIMIT_32BIT, "PER_LINUX_32BIT")
-_S(0x0001 | STICKY_TIMEOUTS | MMAP_PAGE_ZERO, "PER_SVR4")
-_S(0x0002 | STICKY_TIMEOUTS | SHORT_INODE, "PER_SVR3")
-_S(0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS | SHORT_INODE, "PER_SCOSVR3")
-_S(0x0003 | STICKY_TIMEOUTS | WHOLE_SECONDS, "PER_OSR5")
-_S(0x0004 | STICKY_TIMEOUTS | SHORT_INODE, "PER_WYSEV386")
-_S(0x0005 | STICKY_TIMEOUTS, "PER_ISCR4")
-_S(0x0006, "PER_BSD")
-_S(0x0006 | STICKY_TIMEOUTS, "PER_SUNOS")
-_S(0x0007 | STICKY_TIMEOUTS | SHORT_INODE, "PER_XENIX")
-_S(0x0008, "PER_LINUX32")
-_S(0x0008 | ADDR_LIMIT_3GB, "PER_LINUX32_3GB")
-_S(0x0009 | STICKY_TIMEOUTS, "PER_IRIX32")
-_S(0x000a | STICKY_TIMEOUTS, "PER_IRIXN32")
-_S(0x000b | STICKY_TIMEOUTS, "PER_IRIX64")
-_S(0x000c, "PER_RISCOS")
-_S(0x000d | STICKY_TIMEOUTS, "PER_SOLARIS")
-_S(0x000e | STICKY_TIMEOUTS | MMAP_PAGE_ZERO, "PER_UW7")
-_S(0x000f, "PER_OSF4")
-_S(0x0010, "PER_HPUX")
-
diff --git a/framework/src/audit/auparse/pktoptnametab.h b/framework/src/audit/auparse/pktoptnametab.h
deleted file mode 100644
index d532a59d..00000000
--- a/framework/src/audit/auparse/pktoptnametab.h
+++ /dev/null
@@ -1,43 +0,0 @@
-/* pktoptnametab.h --
- * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/if_packet.h
- */
-
-_S(1, "PACKET_ADD_MEMBERSHIP")
-_S(2, "PACKET_DROP_MEMBERSHIP")
-_S(3, "PACKET_RECV_OUTPUT")
-_S(5, "PACKET_RX_RING")
-_S(6, "PACKET_STATISTICS")
-_S(7, "PACKET_COPY_THRESH")
-_S(8, "PACKET_AUXDATA")
-_S(9, "PACKET_ORIGDEV")
-_S(10, "PACKET_VERSION")
-_S(11, "PACKET_HDRLEN")
-_S(12, "PACKET_RESERVE")
-_S(13, "PACKET_TX_RING")
-_S(14, "PACKET_LOSS")
-_S(15, "PACKET_VNET_HDR")
-_S(16, "PACKET_TX_TIMESTAMP")
-_S(17, "PACKET_TIMESTAMP")
-_S(18, "PACKET_FANOUT")
-_S(19, "PACKET_TX_HAS_OFF")
-_S(20, "PACKET_QDISC_BYPASS")
-
diff --git a/framework/src/audit/auparse/prctl-opt-tab.h b/framework/src/audit/auparse/prctl-opt-tab.h
deleted file mode 100644
index 0285a88d..00000000
--- a/framework/src/audit/auparse/prctl-opt-tab.h
+++ /dev/null
@@ -1,68 +0,0 @@
-/* prctl-opt-tab.h --
- * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/prctl.h
- */
-
-_S(1, "PR_SET_PDEATHSIG")
-_S(2, "PR_GET_PDEATHSIG")
-_S(3, "PR_GET_DUMPABLE")
-_S(4, "PR_SET_DUMPABLE")
-_S(5, "PR_GET_UNALIGN")
-_S(6, "PR_SET_UNALIGN")
-_S(7, "PR_GET_KEEPCAPS")
-_S(8, "PR_SET_KEEPCAPS")
-_S(9, "PR_GET_FPEMU")
-_S(10, "PR_SET_FPEMU")
-_S(11, "PR_GET_FPEXC")
-_S(12, "PR_SET_FPEXC")
-_S(13, "PR_GET_TIMING")
-_S(14, "PR_SET_TIMING")
-_S(15, "PR_SET_NAME")
-_S(16, "PR_GET_NAME")
-_S(19, "PR_GET_ENDIAN")
-_S(20, "PR_SET_ENDIAN")
-_S(21, "PR_GET_SECCOMP")
-_S(22, "PR_SET_SECCOMP")
-_S(23, "PR_CAPBSET_READ")
-_S(24, "PR_CAPBSET_DROP")
-_S(25, "PR_GET_TSC")
-_S(26, "PR_SET_TSC")
-_S(27, "PR_GET_SECUREBITS")
-_S(28, "PR_SET_SECUREBITS")
-_S(29, "PR_SET_TIMERSLACK")
-_S(30, "PR_GET_TIMERSLACK")
-_S(31, "PR_TASK_PERF_EVENTS_DISABLE")
-_S(32, "PR_TASK_PERF_EVENTS_ENABLE")
-_S(33, "PR_MCE_KILL")
-_S(34, "PR_MCE_KILL_GET")
-_S(35, "PR_SET_MM")
-_S(36, "PR_SET_CHILD_SUBREAPER")
-_S(37, "PR_GET_CHILD_SUBREAPER")
-_S(38, "PR_SET_NO_NEW_PRIVS")
-_S(39, "PR_GET_NO_NEW_PRIVS")
-_S(40, "PR_GET_TID_ADDRESS")
-_S(41, "PR_SET_THP_DISABLE")
-_S(42, "PR_GET_THP_DISABLE")
-_S(43, "PR_MPX_ENABLE_MANAGEMENT")
-_S(44, "PR_MPX_DISABLE_MANAGEMENT")
-_S(45, "PR_SET_FP_MODE")
-_S(46, "PR_GET_FP_MODE")
-
diff --git a/framework/src/audit/auparse/private.h b/framework/src/audit/auparse/private.h
deleted file mode 100644
index c0a0da9c..00000000
--- a/framework/src/audit/auparse/private.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/* private.h --
- * Copyright 2007,2013 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-#ifndef _PRIVATE_H_
-#define _PRIVATE_H_
-
-#include "auparse.h"
-#include "libaudit.h"
-#include "dso.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/* Internal syslog messaging */
-#define audit_msg auparse_msg
-#define set_aumessage_mode set_aup_message_mode
-void auparse_msg(int priority, const char *fmt, ...) hidden
-#ifdef __GNUC__
- __attribute__ ((format (printf, 2, 3)));
-#else
- ;
-#endif
-void set_aumessage_mode(message_t mode, debug_message_t debug) hidden;
-
-char *audit_strsplit_r(char *s, char **savedpp);
-char *audit_strsplit(char *s);
-hidden_proto(audit_strsplit_r)
-hidden_proto(audit_strsplit)
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
diff --git a/framework/src/audit/auparse/prottab.h b/framework/src/audit/auparse/prottab.h
deleted file mode 100644
index e0edeb84..00000000
--- a/framework/src/audit/auparse/prottab.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/* prottab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/asm-generic/mman-common.h
- */
-
-_S(1, "PROT_READ" )
-_S(2, "PROT_WRITE" )
-_S(4, "PROT_EXEC" )
-_S(8, "PROT_SEM" )
-
diff --git a/framework/src/audit/auparse/ptracetab.h b/framework/src/audit/auparse/ptracetab.h
deleted file mode 100644
index 11698ab7..00000000
--- a/framework/src/audit/auparse/ptracetab.h
+++ /dev/null
@@ -1,55 +0,0 @@
-/* ptracetab.h --
- * Copyright 2012-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/ptrace.h
- */
-
-_S(0, "PTRACE_TRACEME" )
-_S(1, "PTRACE_PEEKTEXT" )
-_S(2, "PTRACE_PEEKDATA" )
-_S(3, "PTRACE_PEEKUSER" )
-_S(4, "PTRACE_POKETEXT" )
-_S(5, "PTRACE_POKEDATA" )
-_S(6, "PTRACE_POKEUSER" )
-_S(7, "PTRACE_CONT" )
-_S(8, "PTRACE_KILL" )
-_S(9, "PTRACE_SINGLESTEP" )
-_S(12, "PTRACE_GETREGS" )
-_S(13, "PTRACE_SETREGS" )
-_S(14, "PTRACE_GETFPREGS" )
-_S(15, "PTRACE_SETFPREGS" )
-_S(16, "PTRACE_ATTACH" )
-_S(17, "PTRACE_DETACH" )
-_S(18, "PTRACE_GETFPXREGS" )
-_S(19, "PTRACE_SETFPXREGS" )
-_S(24, "PTRACE_SYSCALL" )
-_S(0x4200, "PTRACE_SETOPTIONS" )
-_S(0x4201, "PTRACE_GETEVENTMSG" )
-_S(0x4202, "PTRACE_GETSIGINFO" )
-_S(0x4203, "PTRACE_SETSIGINFO" )
-_S(0x4204, "PTRACE_GETREGSET" )
-_S(0x4205, "PTRACE_SETREGSET" )
-_S(0x4206, "PTRACE_SEIZE" )
-_S(0x4207, "PTRACE_INTERRUPT" )
-_S(0x4208, "PTRACE_LISTEN" )
-_S(0x4209, "PTRACE_PEEKSIGINFO" )
-_S(0x420a, "PTRACE_GETSIGMASK" )
-_S(0x420b, "PTRACE_SETSIGMASK" )
-
diff --git a/framework/src/audit/auparse/recvtab.h b/framework/src/audit/auparse/recvtab.h
deleted file mode 100644
index af201ab9..00000000
--- a/framework/src/audit/auparse/recvtab.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/* recvtab.h --
- * Copyright 2012-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/linux/socket.h
- * NOTE: If any update are made, update buffer size in interpret.c:print_recv()
- */
-
-_S(0x00000001, "MSG_OOB")
-_S(0x00000002, "MSG_PEEK")
-_S(0x00000004, "MSG_DONTROUTE")
-_S(0x00000008, "MSG_CTRUNC")
-_S(0x00000010, "MSG_PROXY")
-_S(0x00000020, "MSG_TRUNC")
-_S(0x00000040, "MSG_DONTWAIT")
-_S(0x00000080, "MSG_EOR")
-_S(0x00000100, "MSG_WAITALL")
-_S(0x00000200, "MSG_FIN")
-_S(0x00000400, "MSG_SYN")
-_S(0x00000800, "MSG_CONFIRM")
-_S(0x00001000, "MSG_RST")
-_S(0x00002000, "MSG_ERRQUEUE")
-_S(0x00004000, "MSG_NOSIGNAL")
-_S(0x00008000, "MSG_MORE")
-_S(0x00010000, "MSG_WAITFORONE")
-_S(0x00020000, "MSG_SENDPAGE_NOTLAST")
-_S(0x20000000, "MSG_FASTOPEN")
-_S(0x40000000, "MSG_CMSG_CLOEXEC")
-_S(0x80000000, "MSG_CMSG_COMPAT")
-
diff --git a/framework/src/audit/auparse/rlimittab.h b/framework/src/audit/auparse/rlimittab.h
deleted file mode 100644
index 3efd22f0..00000000
--- a/framework/src/audit/auparse/rlimittab.h
+++ /dev/null
@@ -1,40 +0,0 @@
-/* rlimittab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/asm-generic/resource.h
- */
-
- _S(0, "RLIMIT_CPU")
- _S(1, "RLIMIT_FSIZE")
- _S(2, "RLIMIT_DATA")
- _S(3, "RLIMIT_STACK")
- _S(4, "RLIMIT_CORE")
- _S(5, "RLIMIT_RSS")
- _S(6, "RLIMIT_NPROC")
- _S(7, "RLIMIT_NOFILE")
- _S(8, "RLIMIT_MEMLOCK")
- _S(9, "RLIMIT_AS")
- _S(10,"RLIMIT_LOCKS")
- _S(11,"RLIMIT_SIGPENDING")
- _S(12,"RLIMIT_MSGQUEUE")
- _S(13,"RLIMIT_NICE")
- _S(14,"RLIMIT_RTPRIO")
- _S(15,"RLIMIT_RTTIME")
-
diff --git a/framework/src/audit/auparse/rnode.h b/framework/src/audit/auparse/rnode.h
deleted file mode 100644
index 2c871c95..00000000
--- a/framework/src/audit/auparse/rnode.h
+++ /dev/null
@@ -1,63 +0,0 @@
-
-/* rnode.h --
- * Copyright 2007 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-#ifndef RNODE_HEADER
-#define RNODE_HEADER
-
-/* This is the node of the linked list. Any data elements that are
- * per item goes here. */
-typedef struct _nvnode{
- char *name; // The name string
- char *val; // The value field
- char *interp_val; // The value field interpretted
- unsigned int item; // Which item of the same event
- struct _nvnode* next; // Next nvpair node pointer
-} nvnode;
-
-/* This is the linked list head. Only data elements that are 1 per
- * event goes here. */
-typedef struct {
- nvnode *head; // List head
- nvnode *cur; // Pointer to current node
- unsigned int cnt; // How many items in this list
-} nvlist;
-
-
-/* This is the node of the linked list. Any data elements that are per
- * * item goes here. */
-typedef struct _rnode{
- char *record; // The whole unparsed record
- int type; // record type (KERNEL, USER, LOGIN, etc)
- int machine; // The machine type for the event
- int syscall; // The syscall for the event
- unsigned long long a0; // arg 0 to the syscall
- unsigned long long a1; // arg 1 to the syscall
- nvlist nv; // name-value linked list of parsed elements
- unsigned int item; // Which item of the same event
- int list_idx; // The index into the source list, points to where record was found
- unsigned int line_number; // The line number where record was found
- struct _rnode* next; // Next record node pointer
-} rnode;
-
-#endif
-
diff --git a/framework/src/audit/auparse/schedtab.h b/framework/src/audit/auparse/schedtab.h
deleted file mode 100644
index 90e0e7d5..00000000
--- a/framework/src/audit/auparse/schedtab.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* schedtab.h --
- * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/sched.h
- */
-
-
-_S(0, "SCHED_OTHER" )
-_S(1, "SCHED_FIFO" )
-_S(2, "SCHED_RR" )
-_S(3, "SCHED_BATCH" )
-_S(5, "SCHED_IDLE" )
-_S(6, "SCHED_DEADLINE")
-
diff --git a/framework/src/audit/auparse/seccomptab.h b/framework/src/audit/auparse/seccomptab.h
deleted file mode 100644
index 3fd5aff9..00000000
--- a/framework/src/audit/auparse/seccomptab.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* seccomptab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/seccomp.h
- */
-
-
-_S(0x00000000U, "kill" )
-_S(0x00030000U, "trap" )
-_S(0x00050000U, "errno" )
-_S(0x7ff00000U, "trace" )
-_S(0x7fff0000U, "allow" )
-
diff --git a/framework/src/audit/auparse/seektab.h b/framework/src/audit/auparse/seektab.h
deleted file mode 100644
index 118d5fc6..00000000
--- a/framework/src/audit/auparse/seektab.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* seektab.h --
- * Copyright 2013 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/fs.h
- */
-
-_S(0, "SEEK_SET")
-_S(1, "SEEK_CUR")
-_S(2, "SEEK_END")
-_S(3, "SEEK_DATA")
-_S(4, "SEEK_HOLE")
-
diff --git a/framework/src/audit/auparse/shm_modetab.h b/framework/src/audit/auparse/shm_modetab.h
deleted file mode 100644
index 10b5b108..00000000
--- a/framework/src/audit/auparse/shm_modetab.h
+++ /dev/null
@@ -1,29 +0,0 @@
-/* shm_mode.h --
- * Copyright 2013 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/linux/shm.h
- */
-
-
-_S(00001000, "SHM_DEST" )
-_S(00002000, "SHM_LOCKED" )
-_S(00004000, "SHM_HUGETLB" )
-_S(00010000, "SHM_NORESERVE" )
-
diff --git a/framework/src/audit/auparse/signaltab.h b/framework/src/audit/auparse/signaltab.h
deleted file mode 100644
index 173ad9f2..00000000
--- a/framework/src/audit/auparse/signaltab.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* signaltab.h --
- * Copyright 2012-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/asm-generic/signal.h
- */
-
-_S(0, "SIG0" )
-_S(1, "SIGHUP" )
-_S(2, "SIGINT" )
-_S(3, "SIGQUIT" )
-_S(4, "SIGILL" )
-_S(5, "SIGTRAP" )
-_S(6, "SIGABRT" )
-_S(7, "SIGBUS" )
-_S(8, "SIGFPE" )
-_S(9, "SIGKILL" )
-_S(10, "SIGUSR1" )
-_S(11, "SIGSEGV" )
-_S(12, "SIGUSR2" )
-_S(13, "SIGPIPE" )
-_S(14, "SIGALRM" )
-_S(15, "SIGTERM" )
-_S(16, "SIGSTKFLT" )
-_S(17, "SIGCHLD" )
-_S(18, "SIGCONT" )
-_S(19, "SIGSTOP" )
-_S(20, "SIGTSTP" )
-_S(21, "SIGTTIN" )
-_S(22, "SIGTTOU" )
-_S(23, "SIGURG" )
-_S(24, "SIGXCPU" )
-_S(25, "SIGXFSZ" )
-_S(26, "SIGVTALRM" )
-_S(27, "SIGPROF" )
-_S(28, "SIGWINCH" )
-_S(29, "SIGIO" )
-_S(30, "IGPWR" )
-_S(31, "SIGSYS" )
-
diff --git a/framework/src/audit/auparse/sockleveltab.h b/framework/src/audit/auparse/sockleveltab.h
deleted file mode 100644
index bf376ade..00000000
--- a/framework/src/audit/auparse/sockleveltab.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/* sockleveltab.h --
- * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/linux/socket.h
- */
-
-
-_S(0, "SOL_IP")
-_S(6, "SOL_TCP")
-_S(17, "SOL_UDP")
-_S(41, "SOL_IPV6")
-_S(58, "SOL_ICMPV6")
-_S(132, "SOL_SCTP")
-_S(136, "SOL_UDPLITE")
-_S(255, "SOL_RAW")
-_S(256, "SOL_IPX")
-_S(257, "SOL_AX25")
-_S(258, "SOL_ATALK")
-_S(259, "SOL_NETROM")
-_S(260, "SOL_ROSE")
-_S(261, "SOL_DECNET")
-_S(263, "SOL_PACKET")
-_S(264, "SOL_ATM")
-_S(265, "SOL_AAL")
-_S(266, "SOL_IRDA")
-_S(267, "SOL_NETBEUI")
-_S(268, "SOL_LLC")
-_S(269, "SOL_DCCP")
-_S(270, "SOL_NETLINK")
-_S(271, "SOL_TIPC")
-_S(272, "SOL_RXRPC")
-_S(273, "SOL_PPPOL2TP")
-_S(274, "SOL_BLUETOOTH")
-_S(275, "SOL_PNPIPE")
-_S(276, "SOL_RDS")
-_S(277, "SOL_IUCV")
-_S(278, "SOL_CAIF")
-_S(279, "SOL_ALG")
-_S(280, "SOL_NFC")
diff --git a/framework/src/audit/auparse/sockoptnametab.h b/framework/src/audit/auparse/sockoptnametab.h
deleted file mode 100644
index 85c6692d..00000000
--- a/framework/src/audit/auparse/sockoptnametab.h
+++ /dev/null
@@ -1,84 +0,0 @@
-/* sockoptnametab.h --
- * Copyright 2013-15 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * File: include/uapi/asm-generic/socket.h
- */
-
-
-_S(1, "SO_DEBUG")
-_S(2, "SO_REUSEADDR")
-_S(3, "SO_TYPE")
-_S(4, "SO_ERROR")
-_S(5, "SO_DONTROUTE")
-_S(6, "SO_BROADCAST")
-_S(7, "SO_SNDBUF")
-_S(8, "SO_RCVBUF")
-_S(9, "SO_KEEPALIVE")
-_S(10, "SO_OOBINLINE")
-_S(11, "SO_NO_CHECK")
-_S(12, "SO_PRIORITY")
-_S(13, "SO_LINGER")
-_S(14, "SO_BSDCOMPAT")
-_S(15, "SO_REUSEPORT")
-_S(16, "SO_PASSCRED")
-_S(17, "SO_PEERCRED")
-_S(18, "SO_RCVLOWAT")
-_S(19, "SO_SNDLOWAT")
-_S(20, "SO_RCVTIMEO")
-_S(21, "SO_SNDTIMEO")
-_S(22, "SO_SECURITY_AUTHENTICATION")
-_S(23, "SO_SECURITY_ENCRYPTION_TRANSPORT")
-_S(24, "SO_SECURITY_ENCRYPTION_NETWORK")
-_S(25, "SO_BINDTODEVICE")
-_S(26, "SO_ATTACH_FILTER")
-_S(27, "SO_DETACH_FILTER")
-_S(28, "SO_PEERNAME")
-_S(29, "SO_TIMESTAMP")
-_S(30, "SO_ACCEPTCONN")
-_S(31, "SO_PEERSEC")
-_S(32, "SO_SNDBUFFORCE")
-_S(33, "SO_RCVBUFFORCE")
-_S(34, "SO_PASSSEC")
-_S(35, "SO_TIMESTAMPNS")
-_S(36, "SO_MARK")
-_S(37, "SO_TIMESTAMPING")
-_S(38, "SO_PROTOCOL")
-_S(39, "SO_DOMAIN")
-_S(40, "SO_RXQ_OVFL")
-_S(41, "SO_WIFI_STATUS")
-_S(42, "SO_PEEK_OFF")
-_S(43, "SO_NOFCS")
-_S(44, "SO_LOCK_FILTER")
-_S(45, "SO_SELECT_ERR_QUEUE")
-_S(46, "SO_BUSY_POLL")
-_S(47, "SO_MAX_PACING_RATE")
-_S(48, "SO_BPF_EXTENSIONS")
-_S(49, "SO_INCOMING_CPU")
-_S(50, "SO_ATTACH_BPF")
-
-// PPC has these different
-_S(116, "SO_RCVLOWAT")
-_S(117, "SO_SNDLOWAT")
-_S(118, "SO_RCVTIMEO")
-_S(119, "SO_SNDTIMEO")
-_S(120, "SO_PASSCRED")
-_S(121, "SO_PEERCRED")
-
-
diff --git a/framework/src/audit/auparse/socktab.h b/framework/src/audit/auparse/socktab.h
deleted file mode 100644
index 8907b4b3..00000000
--- a/framework/src/audit/auparse/socktab.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* socktab.h --
- * Copyright 2007,2011-13 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/net.h
- */
-
-_S(SYS_SOCKET, "socket" )
-_S(SYS_BIND, "bind" )
-_S(SYS_CONNECT, "connect" )
-_S(SYS_LISTEN, "listen" )
-_S(SYS_ACCEPT, "accept" )
-_S(SYS_GETSOCKNAME, "getsockname" )
-_S(SYS_GETPEERNAME, "getpeername" )
-_S(SYS_SOCKETPAIR, "socketpair" )
-_S(SYS_SEND, "send" )
-_S(SYS_RECV, "recv" )
-_S(SYS_SENDTO, "sendto" )
-_S(SYS_RECVFROM, "recvfrom" )
-_S(SYS_SHUTDOWN, "shutdown" )
-_S(SYS_SETSOCKOPT, "setsockopt" )
-_S(SYS_GETSOCKOPT, "getsockopt" )
-_S(SYS_SENDMSG, "sendmsg" )
-_S(SYS_RECVMSG, "recvmsg" )
-_S(SYS_ACCEPT4, "accept4" )
-_S(19, "recvmmsg" )
-_S(20, "sendmmsg" )
-
diff --git a/framework/src/audit/auparse/socktypetab.h b/framework/src/audit/auparse/socktypetab.h
deleted file mode 100644
index ec00ecfa..00000000
--- a/framework/src/audit/auparse/socktypetab.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/* socktypetab.h --
- * Copyright 2012 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/linux/net.h
- */
-
-_S(1, "SOCK_STREAM")
-_S(2, "SOCK_DGRAM")
-_S(3, "SOCK_RAW")
-_S(4, "SOCK_RDM")
-_S(5, "SOCK_SEQPACKET")
-_S(6, "SOCK_DCCP")
-_S(10, "SOCK_PACKET")
-
diff --git a/framework/src/audit/auparse/tcpoptnametab.h b/framework/src/audit/auparse/tcpoptnametab.h
deleted file mode 100644
index 64e1cbe0..00000000
--- a/framework/src/audit/auparse/tcpoptnametab.h
+++ /dev/null
@@ -1,49 +0,0 @@
-/* tcpoptnametab.h --
- * Copyright 2013-14 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/uapi/linux/tcp.h
- */
-
-_S(1, "TCP_NODELAY")
-_S(2, "TCP_MAXSEG")
-_S(3, "TCP_CORK")
-_S(4, "TCP_KEEPIDLE")
-_S(5, "TCP_KEEPINTVL")
-_S(6, "TCP_KEEPCNT")
-_S(7, "TCP_SYNCNT")
-_S(8, "TCP_LINGER2")
-_S(9, "TCP_DEFER_ACCEPT")
-_S(10, "TCP_WINDOW_CLAMP")
-_S(11, "TCP_INFO")
-_S(12, "TCP_QUICKACK")
-_S(13, "TCP_CONGESTION")
-_S(14, "TCP_MD5SIG")
-_S(15, "TCP_COOKIE_TRANSACTIONS")
-_S(16, "TCP_THIN_LINEAR_TIMEOUTS")
-_S(17, "TCP_THIN_DUPACK")
-_S(18, "TCP_USER_TIMEOUT")
-_S(19, "TCP_REPAIR")
-_S(20, "TCP_REPAIR_QUEUE")
-_S(21, "TCP_QUEUE_SEQ")
-_S(22, "TCP_REPAIR_OPTIONS")
-_S(23, "TCP_FASTOPEN")
-_S(24, "TCP_TIMESTAMP")
-_S(25, "TCP_NOTSENT_LOWAT")
-
diff --git a/framework/src/audit/auparse/test/Makefile.am b/framework/src/audit/auparse/test/Makefile.am
deleted file mode 100644
index 19793508..00000000
--- a/framework/src/audit/auparse/test/Makefile.am
+++ /dev/null
@@ -1,91 +0,0 @@
-# Makefile.am --
-# Copyright 2006-08,2014-15 Red Hat Inc., Durham, North Carolina.
-# All Rights Reserved.
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
-#
-# Authors:
-# Steve Grubb <sgrubb@redhat.com>
-#
-
-CONFIG_CLEAN_FILES = *.loT *.rej *.orig *.cur
-AUTOMAKE_OPTIONS = no-dependencies
-check_PROGRAMS = auparse_test
-dist_check_SCRIPTS = auparse_test.py
-EXTRA_DIST = auparse_test.ref auparse_test.ref.py test.log test2.log
-
-AM_CPPFLAGS = -I${top_srcdir}/auparse -I${top_srcdir}/lib
-
-auparse_test_SOURCES = auparse_test.c
-auparse_test_LDFLAGS = -static
-auparse_test_LDADD = ${top_builddir}/auparse/libauparse.la \
- ${top_builddir}/lib/libaudit.la
-
-drop_srcdir = sed 's,$(srcdir)/test,test,'
-
-check: auparse_test
- test "$(top_srcdir)" = "$(top_builddir)" || \
- cp $(top_srcdir)/auparse/test/test*.log .
- LC_ALL=C \
- ./auparse_test > auparse_test.cur
- diff -u $(top_srcdir)/auparse/test/auparse_test.ref auparse_test.cur
-if HAVE_PYTHON
- cp ${top_builddir}/bindings/swig/python/.libs/_audit.so ${top_builddir}/bindings/swig/python
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
- srcdir=$(srcdir) $(srcdir)/auparse_test.py \
- | $(drop_srcdir) > auparse_test.cur
- diff -u $(top_srcdir)/auparse/test/auparse_test.ref.py auparse_test.cur
-endif
- echo -e "===================\nAuparse Test Passes\n==================="
-
-diffcheck: auparse_test
- ./auparse_test > auparse_test.cur
- diff -u $(srcdir)/auparse_test.ref auparse_test.cur
-
-memcheck: auparse_test
- valgrind --leak-check=yes --show-reachable=yes ./auparse_test
-
-pycheck: auparse_test.py
-if HAVE_PYTHON
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
- srcdir=$(srcdir) $(srcdir)/auparse_test.py
-endif
-
-pydiffcheck: auparse_test.py
-if HAVE_PYTHON
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs \
- srcdir=$(srcdir) $(srcdir)/auparse_test.py \
- | $(drop_srcdir) > auparse_test.cur
- diff $(srcdir)/auparse_test.ref auparse_test.cur
-endif
-
-pymemcheck: auparse_test.py
-if HAVE_PYTHON
- PYTHONPATH=${top_builddir}/bindings/python/python2/.libs/:${top_builddir}/bindings/swig/python:${top_builddir}/bindings/swig/python/.libs \
- LD_LIBRARY_PATH=${top_builddir}/auparse/.libs srcdir=$(srcdir) valgrind --leak-check=yes --show-reachable=yes python $(srcdir)/auparse_test.py
-
-${top_builddir}/bindings/python/build/*/auparse.so: ${top_srcdir}/bindings/python/auparse_python.c
- cd ${top_builddir}/bindings/python && make
-endif
-
-clean-generic:
- $(RM) *.cur
-if HAVE_PYTHON
- $(RM) ${top_builddir}/bindings/swig/python/_audit.so
-endif
- test "$(top_srcdir)" = "$(top_builddir)" || $(RM) test*.log
diff --git a/framework/src/audit/auparse/test/auparse_test.c b/framework/src/audit/auparse/test/auparse_test.c
deleted file mode 100644
index a6477d41..00000000
--- a/framework/src/audit/auparse/test/auparse_test.c
+++ /dev/null
@@ -1,469 +0,0 @@
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <string.h>
-#include <locale.h>
-#include <errno.h>
-#include <libaudit.h>
-#include <auparse.h>
-
-
-static const char *buf[] = {
- "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n"
- "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
-
- "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
-
- NULL
-};
-
-
-static void walk_test(auparse_state_t *au)
-{
- int event_cnt = 1, record_cnt;
-
- do {
- if (auparse_first_record(au) <= 0) {
- printf("Error getting first record (%s)\n",
- strerror(errno));
- exit(1);
- }
- printf("event %d has %d records\n", event_cnt,
- auparse_get_num_records(au));
- record_cnt = 1;
- do {
- printf(" record %d of type %d(%s) has %d fields\n",
- record_cnt,
- auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
- printf(" line=%d file=%s\n",
- auparse_get_line_number(au),
- auparse_get_filename(au) ?
- auparse_get_filename(au) : "None");
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- printf("Error getting timestamp - aborting\n");
- exit(1);
- }
- printf(" event time: %u.%u:%lu, host=%s\n",
- (unsigned)e->sec,
- e->milli, e->serial, e->host ? e->host : "?");
- auparse_first_field(au);
- do {
- printf(" %s=%s (%s)\n",
- auparse_get_field_name(au),
- auparse_get_field_str(au),
- auparse_interpret_field(au));
- } while (auparse_next_field(au) > 0);
- printf("\n");
- record_cnt++;
- } while(auparse_next_record(au) > 0);
- event_cnt++;
- } while (auparse_next_event(au) > 0);
-}
-
-void light_test(auparse_state_t *au)
-{
- int record_cnt;
-
- do {
- if (auparse_first_record(au) <= 0) {
- puts("Error getting first record");
- exit(1);
- }
- printf("event has %d records\n", auparse_get_num_records(au));
- record_cnt = 1;
- do {
- printf(" record %d of type %d(%s) has %d fields\n",
- record_cnt,
- auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
- printf(" line=%d file=%s\n",
- auparse_get_line_number(au),
- auparse_get_filename(au) ?
- auparse_get_filename(au) : "None");
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- printf("Error getting timestamp - aborting\n");
- exit(1);
- }
- printf(" event time: %u.%u:%lu, host=%s\n",
- (unsigned)e->sec,
- e->milli, e->serial,
- e->host ? e->host : "?");
- printf("\n");
- record_cnt++;
- } while(auparse_next_record(au) > 0);
-
- } while (auparse_next_event(au) > 0);
-}
-
-void simple_search(ausource_t source, austop_t where)
-{
- auparse_state_t *au;
- const char *val;
-
- if (source == AUSOURCE_FILE) {
- au = auparse_init(AUSOURCE_FILE, "./test.log");
- val = "4294967295";
- } else {
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- val = "848";
- }
- if (au == NULL) {
- printf("auparse_init error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){
- printf("ausearch_add_item error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_set_stop(au, where)){
- printf("ausearch_set_stop error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) <= 0)
- printf("Error searching for auid - %s\n", strerror(errno));
- else
- printf("Found %s = %s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- auparse_destroy(au);
-}
-
-void compound_search(ausearch_rule_t how)
-{
- auparse_state_t *au;
-
- au = auparse_init(AUSOURCE_FILE, "./test.log");
- if (au == NULL) {
- printf("auparse_init error - %s\n", strerror(errno));
- exit(1);
- }
- if (how == AUSEARCH_RULE_AND) {
- if (ausearch_add_item(au, "uid", "=", "0",
- AUSEARCH_RULE_CLEAR)){
- printf("ausearch_add_item 1 error - %s\n",
- strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "pid", "=", "13015", how)){
- printf("ausearch_add_item 2 error - %s\n",
- strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "type", "=", "USER_START", how)){
- printf("ausearch_add_item 3 error - %s\n",
- strerror(errno));
- exit(1);
- }
- } else {
- if (ausearch_add_item(au, "auid", "=", "42",
- AUSEARCH_RULE_CLEAR)){
- printf("ausearch_add_item 4 error - %s\n",
- strerror(errno));
- exit(1);
- }
- // should stop on this one
- if (ausearch_add_item(au, "auid", "=", "0", how)){
- printf("ausearch_add_item 5 error - %s\n",
- strerror(errno));
- exit(1);
- }
- if (ausearch_add_item(au, "auid", "=", "500", how)){
- printf("ausearch_add_item 6 error - %s\n",
- strerror(errno));
- exit(1);
- }
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){
- printf("ausearch_set_stop error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) <= 0)
- printf("Error searching for auid - %s\n", strerror(errno));
- else
- printf("Found %s = %s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- auparse_destroy(au);
-}
-
-void regex_search(const char *expr)
-{
- auparse_state_t *au;
- int rc;
-
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("auparse_init error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_add_regex(au, expr)){
- printf("ausearch_add_regex error - %s\n", strerror(errno));
- exit(1);
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){
- printf("ausearch_set_stop error - %s\n", strerror(errno));
- exit(1);
- }
- rc = ausearch_next_event(au);
- if (rc < 0)
- printf("Error searching for %s - %s\n", expr, strerror(errno));
- else if (rc == 0)
- printf("Not found\n");
- else
- printf("Found %s = %s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- auparse_destroy(au);
-}
-
-static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data)
-{
- int *event_cnt = (int *)user_data;
- int record_cnt;
-
- if (cb_event_type == AUPARSE_CB_EVENT_READY) {
- if (auparse_first_record(au) <= 0) {
- printf("can't get first record\n");
- return;
- }
- printf("event %d has %d records\n", *event_cnt,
- auparse_get_num_records(au));
- record_cnt = 1;
- do {
- printf(" record %d of type %d(%s) has %d fields\n",
- record_cnt,
- auparse_get_type(au),
- audit_msg_type_to_name(auparse_get_type(au)),
- auparse_get_num_fields(au));
- printf(" line=%d file=%s\n",
- auparse_get_line_number(au),
- auparse_get_filename(au) ?
- auparse_get_filename(au) : "None");
- const au_event_t *e = auparse_get_timestamp(au);
- if (e == NULL) {
- return;
- }
- printf(" event time: %u.%u:%lu, host=%s\n",
- (unsigned)e->sec,
- e->milli, e->serial,
- e->host ? e->host : "?");
- auparse_first_field(au);
- do {
- printf(" %s=%s (%s)\n",
- auparse_get_field_name(au),
- auparse_get_field_str(au),
- auparse_interpret_field(au));
- } while (auparse_next_field(au) > 0);
- printf("\n");
- record_cnt++;
- } while(auparse_next_record(au) > 0);
- (*event_cnt)++;
- }
-}
-
-int main(void)
-{
- //char *files[4] = { "test.log", "test2.log", "test3.log", NULL };
- char *files[3] = { "test.log", "test2.log", NULL };
- setlocale (LC_ALL, "");
- auparse_state_t *au;
-
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
-
- printf("Starting Test 1, iterate...\n");
- while (auparse_next_event(au) > 0) {
- if (auparse_find_field(au, "auid")) {
- printf("%s=%s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- printf("interp auid=%s\n", auparse_interpret_field(au));
- } else
- printf("Error iterating to auid\n");
- }
- auparse_reset(au);
- while (auparse_next_event(au) > 0) {
- if (auparse_find_field(au, "auid")) {
- do {
- printf("%s=%s\n", auparse_get_field_name(au),
- auparse_get_field_str(au));
- printf("interp auid=%s\n", auparse_interpret_field(au));
- } while (auparse_find_field_next(au));
- } else
- printf("Error iterating to auid\n");
- }
- printf("Test 1 Done\n\n");
-
- /* Reset, now lets go to beginning and walk the list manually */
- printf("Starting Test 2, walk events, records, and fields...\n");
- auparse_reset(au);
- walk_test(au);
- auparse_destroy(au);
- printf("Test 2 Done\n\n");
-
- /* Reset, now lets go to beginning and walk the list manually */
- printf("Starting Test 3, walk events, records of 1 buffer...\n");
- au = auparse_init(AUSOURCE_BUFFER, buf[1]);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- light_test(au);
- auparse_destroy(au);
- printf("Test 3 Done\n\n");
-
- printf("Starting Test 4, walk events, records of 1 file...\n");
- au = auparse_init(AUSOURCE_FILE, "./test.log");
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- walk_test(au);
- auparse_destroy(au);
- printf("Test 4 Done\n\n");
-
- printf("Starting Test 5, walk events, records of 2 files...\n");
- au = auparse_init(AUSOURCE_FILE_ARRAY, files);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- walk_test(au);
- auparse_destroy(au);
- printf("Test 5 Done\n\n");
-
- printf("Starting Test 6, search...\n");
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){
- printf("Error - %s", strerror(errno));
- return 1;
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
- printf("Error - %s", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) != 0) {
- printf("Error search found something it shouldn't have\n");
- }
- puts("auid = 500 not found...which is correct");
- ausearch_clear(au);
- auparse_destroy(au);
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){
- printf("Error - %s", strerror(errno));
- return 1;
- }
- if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
- printf("Error - %s", strerror(errno));
- exit(1);
- }
- if (ausearch_next_event(au) <= 0) {
- printf("Error searching for existence of auid\n");
- }
- puts("auid exists...which is correct");
- puts("Testing BUFFER_ARRAY, stop on field");
- simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD);
- puts("Testing BUFFER_ARRAY, stop on record");
- simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD);
- puts("Testing BUFFER_ARRAY, stop on event");
- simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT);
- puts("Testing test.log, stop on field");
- simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD);
- puts("Testing test.log, stop on record");
- simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD);
- puts("Testing test.log, stop on event");
- simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT);
- auparse_destroy(au);
- printf("Test 6 Done\n\n");
-
- printf("Starting Test 7, compound search...\n");
- au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
- if (au == NULL) {
- printf("Error - %s\n", strerror(errno));
- return 1;
- }
- compound_search(AUSEARCH_RULE_AND);
- compound_search(AUSEARCH_RULE_OR);
- auparse_destroy(au);
- printf("Test 7 Done\n\n");
-
- printf("Starting Test 8, regex search...\n");
- puts("Doing regex match...");
- regex_search("1143146623");
- puts("Doing regex wildcard search...");
- regex_search("11431466.*146");
- printf("Test 8 Done\n\n");
-
- /* Note: this should match Test 2 exactly */
- printf("Starting Test 9, buffer feed...\n");
- {
- int event_cnt = 1;
- size_t len, chunk_len = 3;
- const char **cur_buf, *p_beg, *p_end, *p_chunk_beg,
- *p_chunk_end;
-
- au = auparse_init(AUSOURCE_FEED, 0);
- auparse_add_callback(au, auparse_callback, &event_cnt, NULL);
- for (cur_buf = buf, p_beg = *cur_buf; *cur_buf;
- cur_buf++, p_beg = *cur_buf) {
- len = strlen(p_beg);
- p_end = p_beg + len;
- p_chunk_beg = p_beg;
- while (p_chunk_beg < p_end) {
- p_chunk_end = p_chunk_beg + chunk_len;
- if (p_chunk_end > p_end)
- p_chunk_end = p_end;
-
- //fwrite(p_chunk_beg, 1,
- // p_chunk_end-p_chunk_beg, stdout);
- auparse_feed(au, p_chunk_beg,
- p_chunk_end-p_chunk_beg);
- p_chunk_beg = p_chunk_end;
- }
- }
-
- auparse_flush_feed(au);
- auparse_destroy(au);
- }
- printf("Test 9 Done\n\n");
-
- /* Note: this should match Test 4 exactly */
- printf("Starting Test 10, file feed...\n");
- {
- int *event_cnt = malloc(sizeof(int));
- size_t len;
- char filename[] = "./test.log";
- char buf[4];
- FILE *fp;
-
- *event_cnt = 1;
- au = auparse_init(AUSOURCE_FEED, 0);
- auparse_add_callback(au, auparse_callback, event_cnt, free);
- if ((fp = fopen(filename, "r")) == NULL) {
- fprintf(stderr, "could not open '%s', %s\n",
- filename, strerror(errno));
- return 1;
- }
- while ((len = fread(buf, 1, sizeof(buf), fp))) {
- auparse_feed(au, buf, len);
- }
-
- fclose(fp);
- auparse_flush_feed(au);
- auparse_destroy(au);
- }
- printf("Test 10 Done\n\n");
-
- puts("Finished non-admin tests\n");
-
- return 0;
-}
-
diff --git a/framework/src/audit/auparse/test/auparse_test.py b/framework/src/audit/auparse/test/auparse_test.py
deleted file mode 100755
index 9d9a5c4d..00000000
--- a/framework/src/audit/auparse/test/auparse_test.py
+++ /dev/null
@@ -1,262 +0,0 @@
-#!/usr/bin/env python
-
-import os
-srcdir = os.getenv('srcdir')
-
-buf = ["type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\ntype=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
-"type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
-]
-files = [srcdir + "/test.log", srcdir + "/test2.log"]
-
-import sys
-import time
-load_path = '../../bindings/python/build/lib.linux-i686-2.4'
-if False:
- sys.path.insert(0, load_path)
-
-import auparse
-import audit
-
-def none_to_null(s):
- 'used so output matches C version'
- if s is None:
- return '(null)'
- else:
- return s
-
-def walk_test(au):
- event_cnt = 1
-
- au.reset()
- while True:
- if not au.first_record():
- print "Error getting first record"
- sys.exit(1)
-
- print "event %d has %d records" % (event_cnt, au.get_num_records())
-
- record_cnt = 1
- while True:
- print " record %d of type %d(%s) has %d fields" % \
- (record_cnt,
- au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
- au.get_num_fields())
- print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
- event = au.get_timestamp()
- if event is None:
- print "Error getting timestamp - aborting"
- sys.exit(1)
-
- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
- au.first_field()
- while True:
- print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
- if not au.next_field(): break
- print
- record_cnt += 1
- if not au.next_record(): break
- event_cnt += 1
- if not au.parse_next_event(): break
-
-
-def light_test(au):
- while True:
- if not au.first_record():
- print "Error getting first record"
- sys.exit(1)
-
- print "event has %d records" % (au.get_num_records())
-
- record_cnt = 1
- while True:
- print " record %d of type %d(%s) has %d fields" % \
- (record_cnt,
- au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
- au.get_num_fields())
- print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
- event = au.get_timestamp()
- if event is None:
- print "Error getting timestamp - aborting"
- sys.exit(1)
-
- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
- print
- record_cnt += 1
- if not au.next_record(): break
- if not au.parse_next_event(): break
-
-def simple_search(au, source, where):
-
- if source == auparse.AUSOURCE_FILE:
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- val = "4294967295"
- else:
- au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
- val = "848"
-
- au.search_add_item("auid", "=", val, auparse.AUSEARCH_RULE_CLEAR)
- au.search_set_stop(where)
- if not au.search_next_event():
- print "Error searching for auid"
- else:
- print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-
-def compound_search(au, how):
- au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
- if how == auparse.AUSEARCH_RULE_AND:
- au.search_add_item("uid", "=", "0", auparse.AUSEARCH_RULE_CLEAR)
- au.search_add_item("pid", "=", "13015", how)
- au.search_add_item("type", "=", "USER_START", how)
- else:
- au.search_add_item("auid", "=", "42", auparse.AUSEARCH_RULE_CLEAR)
- # should stop on this one
- au.search_add_item("auid", "=", "0", how)
- au.search_add_item("auid", "=", "500", how)
-
- au.search_set_stop(auparse.AUSEARCH_STOP_FIELD)
- if not au.search_next_event():
- print "Error searching for auid"
- else:
- print "Found %s = %s" % (au.get_field_name(), au.get_field_str())
-
-def feed_callback(au, cb_event_type, event_cnt):
- if cb_event_type == auparse.AUPARSE_CB_EVENT_READY:
- if not au.first_record():
- print "Error getting first record"
- sys.exit(1)
-
- print "event %d has %d records" % (event_cnt[0], au.get_num_records())
-
- record_cnt = 1
- while True:
- print " record %d of type %d(%s) has %d fields" % \
- (record_cnt,
- au.get_type(), audit.audit_msg_type_to_name(au.get_type()),
- au.get_num_fields())
- print " line=%d file=%s" % (au.get_line_number(), au.get_filename())
- event = au.get_timestamp()
- if event is None:
- print "Error getting timestamp - aborting"
- sys.exit(1)
-
- print " event time: %d.%d:%d, host=%s" % (event.sec, event.milli, event.serial, none_to_null(event.host))
- au.first_field()
- while True:
- print " %s=%s (%s)" % (au.get_field_name(), au.get_field_str(), au.interpret_field())
- if not au.next_field(): break
- print
- record_cnt += 1
- if not au.next_record(): break
- event_cnt[0] += 1
-
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-
-print "Starting Test 1, iterate..."
-while au.parse_next_event():
- if au.find_field("auid"):
- print "%s=%s" % (au.get_field_name(), au.get_field_str())
- print "interp auid=%s" % (au.interpret_field())
- else:
- print "Error iterating to auid"
-print "Test 1 Done\n"
-
-# Reset, now lets go to beginning and walk the list manually */
-print "Starting Test 2, walk events, records, and fields..."
-au.reset()
-walk_test(au)
-print "Test 2 Done\n"
-
-# Reset, now lets go to beginning and walk the list manually */
-print "Starting Test 3, walk events, records of 1 buffer..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER, buf[1])
-light_test(au);
-print "Test 3 Done\n"
-
-print "Starting Test 4, walk events, records of 1 file..."
-au = auparse.AuParser(auparse.AUSOURCE_FILE, srcdir + "/test.log");
-walk_test(au);
-print "Test 4 Done\n"
-
-print "Starting Test 5, walk events, records of 2 files..."
-au = auparse.AuParser(auparse.AUSOURCE_FILE_ARRAY, files);
-walk_test(au);
-print "Test 5 Done\n"
-
-print "Starting Test 6, search..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-au.search_add_item("auid", "=", "500", auparse.AUSEARCH_RULE_CLEAR)
-au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
-if au.search_next_event():
- print "Error search found something it shouldn't have"
-else:
- print "auid = 500 not found...which is correct"
-au.search_clear()
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-#au.search_add_item("auid", "exists", None, auparse.AUSEARCH_RULE_CLEAR)
-au.search_add_item("auid", "exists", "", auparse.AUSEARCH_RULE_CLEAR)
-au.search_set_stop(auparse.AUSEARCH_STOP_EVENT)
-if not au.search_next_event():
- print "Error searching for existence of auid"
-print "auid exists...which is correct"
-print "Testing BUFFER_ARRAY, stop on field"
-simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_FIELD)
-print "Testing BUFFER_ARRAY, stop on record"
-simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_RECORD)
-print "Testing BUFFER_ARRAY, stop on event"
-simple_search(au, auparse.AUSOURCE_BUFFER_ARRAY, auparse.AUSEARCH_STOP_EVENT)
-print "Testing test.log, stop on field"
-simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_FIELD)
-print "Testing test.log, stop on record"
-simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_RECORD)
-print "Testing test.log, stop on event"
-simple_search(au, auparse.AUSOURCE_FILE, auparse.AUSEARCH_STOP_EVENT)
-print "Test 6 Done\n"
-
-print "Starting Test 7, compound search..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-compound_search(au, auparse.AUSEARCH_RULE_AND)
-compound_search(au, auparse.AUSEARCH_RULE_OR)
-print "Test 7 Done\n"
-
-print "Starting Test 8, regex search..."
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-print "Doing regex match...\n"
-au = auparse.AuParser(auparse.AUSOURCE_BUFFER_ARRAY, buf)
-print "Test 8 Done\n"
-
-# Note: this should match Test 2 exactly
-# Note: this should match Test 2 exactly
-print "Starting Test 9, buffer feed..."
-au = auparse.AuParser(auparse.AUSOURCE_FEED);
-event_cnt = 1
-au.add_callback(feed_callback, [event_cnt])
-chunk_len = 3
-for s in buf:
- s_len = len(s)
- beg = 0
- while beg < s_len:
- end = min(s_len, beg + chunk_len)
- data = s[beg:end]
- beg += chunk_len
- au.feed(data)
-au.flush_feed()
-print "Test 9 Done\n"
-
-# Note: this should match Test 4 exactly
-print "Starting Test 10, file feed..."
-au = auparse.AuParser(auparse.AUSOURCE_FEED);
-event_cnt = 1
-au.add_callback(feed_callback, [event_cnt])
-f = open(srcdir + "/test.log");
-while True:
- data = f.read(4)
- if not data: break
- au.feed(data)
-au.flush_feed()
-print "Test 10 Done\n"
-
-print "Finished non-admin tests\n"
-
-au = None
-sys.exit(0)
-
diff --git a/framework/src/audit/auparse/test/auparse_test.ref b/framework/src/audit/auparse/test/auparse_test.ref
deleted file mode 100644
index 6cc399bd..00000000
--- a/framework/src/audit/auparse/test/auparse_test.ref
+++ /dev/null
@@ -1,803 +0,0 @@
-Starting Test 1, iterate...
-auid=4294967295
-interp auid=unset
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-auid=4294967295
-interp auid=unset
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-Test 1 Done
-
-Starting Test 2, walk events, records, and fields...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=?
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=?
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 2 Done
-
-Starting Test 3, walk events, records of 1 buffer...
-event has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=1 file=None
- event time: 1143146623.879:146, host=?
-
-Test 3 Done
-
-Starting Test 4, walk events, records of 1 file...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=./test.log
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=./test.log
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=./test.log
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=./test.log
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=./test.log
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=./test.log
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=./test.log
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=./test.log
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=./test.log
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=./test.log
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 4 Done
-
-Starting Test 5, walk events, records of 2 files...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test.log
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test.log
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test.log
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test.log
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test.log
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test.log
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test.log
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test.log
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test.log
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test.log
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 8 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test2.log
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read (read)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test2.log
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test2.log
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test2.log
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 9 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test2.log
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 10 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test2.log
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 11 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test2.log
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 12 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test2.log
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 13 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test2.log
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 14 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test2.log
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 5 Done
-
-Starting Test 6, search...
-auid = 500 not found...which is correct
-auid exists...which is correct
-Testing BUFFER_ARRAY, stop on field
-Found auid = 848
-Testing BUFFER_ARRAY, stop on record
-Found type = SYSCALL
-Testing BUFFER_ARRAY, stop on event
-Found type = SYSCALL
-Testing test.log, stop on field
-Found auid = 4294967295
-Testing test.log, stop on record
-Found type = SYSCALL
-Testing test.log, stop on event
-Found type = AVC
-Test 6 Done
-
-Starting Test 7, compound search...
-Found type = USER_START
-Found auid = 0
-Test 7 Done
-
-Starting Test 8, regex search...
-Doing regex match...
-Found type = LOGIN
-Doing regex wildcard search...
-Found type = USER_LOGIN
-Test 8 Done
-
-Starting Test 9, buffer feed...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=?
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=?
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 9 Done
-
-Starting Test 10, file feed...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=None
- event time: 1170021493.977:293, host=?
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=None
- event time: 1170021493.977:293, host=?
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=None
- event time: 1170021493.977:293, host=?
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=None
- event time: 1170021493.977:293, host=?
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=None
- event time: 1170021601.340:294, host=?
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=None
- event time: 1170021601.342:295, host=?
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=None
- event time: 1170021601.343:296, host=?
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=None
- event time: 1170021601.344:297, host=?
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=None
- event time: 1170021601.364:298, host=?
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=None
- event time: 1170021601.366:299, host=?
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 10 Done
-
-Finished non-admin tests
-
diff --git a/framework/src/audit/auparse/test/auparse_test.ref.py b/framework/src/audit/auparse/test/auparse_test.ref.py
deleted file mode 100644
index d25e0645..00000000
--- a/framework/src/audit/auparse/test/auparse_test.ref.py
+++ /dev/null
@@ -1,793 +0,0 @@
-Starting Test 1, iterate...
-auid=4294967295
-interp auid=unset
-auid=848
-interp auid=unknown(848)
-auid=848
-interp auid=unknown(848)
-Test 1 Done
-
-Starting Test 2, walk events, records, and fields...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=(null)
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=(null)
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 2 Done
-
-Starting Test 3, walk events, records of 1 buffer...
-event has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=1 file=None
- event time: 1143146623.879:146, host=(null)
-
-Test 3 Done
-
-Starting Test 4, walk events, records of 1 file...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test.log
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test.log
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test.log
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test.log
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test.log
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test.log
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 4 Done
-
-Starting Test 5, walk events, records of 2 files...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test.log
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test.log
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test.log
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test.log
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test.log
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test.log
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test.log
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 8 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read (read)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=test2.log
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 9 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=test2.log
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 10 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=test2.log
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 11 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=test2.log
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 12 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=test2.log
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 13 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=test2.log
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 14 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=test2.log
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 5 Done
-
-Starting Test 6, search...
-auid = 500 not found...which is correct
-auid exists...which is correct
-Testing BUFFER_ARRAY, stop on field
-Found auid = 848
-Testing BUFFER_ARRAY, stop on record
-Found type = SYSCALL
-Testing BUFFER_ARRAY, stop on event
-Found type = SYSCALL
-Testing test.log, stop on field
-Found auid = 4294967295
-Testing test.log, stop on record
-Found type = SYSCALL
-Testing test.log, stop on event
-Found type = AVC
-Test 6 Done
-
-Starting Test 7, compound search...
-Found type = USER_START
-Found auid = 0
-Test 7 Done
-
-Starting Test 8, regex search...
-Doing regex match...
-
-Test 8 Done
-
-Starting Test 9, buffer feed...
-event 1 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=1 file=None
- event time: 1143146623.787:142, host=(null)
- type=LOGIN (LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=848 (unknown(848))
-
-event 2 has 1 records
- record 1 of type 1300(SYSCALL) has 24 fields
- line=2 file=None
- event time: 1143146623.875:143, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=188 (setxattr)
- success=yes (yes)
- exit=0 (0)
- a0=7fffffa9a9f0 (0x7fffffa9a9f0)
- a1=3958d11333 (0x3958d11333)
- a2=5131f0 (0x5131f0)
- a3=20 (0x20)
- items=1 (1)
- pid=2027 (2027)
- auid=848 (unknown(848))
- uid=0 (root)
- gid=0 (root)
- euid=0 (root)
- suid=0 (root)
- fsuid=0 (root)
- egid=0 (root)
- sgid=0 (root)
- fsgid=0 (root)
- tty=tty3 (tty3)
- comm="login" (login)
- exe="/bin/login" (/bin/login)
- subj=system_u:system_r:local_login_t:s0-s0:c0.c255 (system_u:system_r:local_login_t:s0-s0:c0.c255)
-
-event 3 has 1 records
- record 1 of type 1112(USER_LOGIN) has 10 fields
- line=3 file=None
- event time: 1143146623.879:146, host=(null)
- type=USER_LOGIN (USER_LOGIN)
- pid=2027 (2027)
- uid=0 (root)
- auid=848 (unknown(848))
- uid=848 (unknown(848))
- exe="/bin/login" (/bin/login)
- hostname=? (?)
- addr=? (?)
- terminal=tty3 (tty3)
- res=success (success)
-
-Test 9 Done
-
-Starting Test 10, file feed...
-event 1 has 4 records
- record 1 of type 1400(AVC) has 11 fields
- line=1 file=None
- event time: 1170021493.977:293, host=(null)
- type=AVC (AVC)
- seresult=denied (denied)
- seperms=read,write (read,write)
- pid=13010 (13010)
- comm="pickup" (pickup)
- name="maildrop" (maildrop)
- dev=hda7 (hda7)
- ino=14911367 (14911367)
- scontext=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
- tclass=dir (dir)
-
- record 2 of type 1300(SYSCALL) has 26 fields
- line=2 file=None
- event time: 1170021493.977:293, host=(null)
- type=SYSCALL (SYSCALL)
- arch=c000003e (x86_64)
- syscall=2 (open)
- success=no (no)
- exit=-13 (-13(Permission denied))
- a0=5555665d91b0 (0x5555665d91b0)
- a1=10800 (O_RDONLY|O_NONBLOCK|O_DIRECTORY)
- a2=5555665d91b8 (0x5555665d91b8)
- a3=0 (0x0)
- items=1 (1)
- ppid=2013 (2013)
- pid=13010 (13010)
- auid=4294967295 (unset)
- uid=890 (unknown(890))
- gid=890 (unknown(890))
- euid=890 (unknown(890))
- suid=890 (unknown(890))
- fsuid=890 (unknown(890))
- egid=890 (unknown(890))
- sgid=890 (unknown(890))
- fsgid=890 (unknown(890))
- tty=(none) ((none))
- comm="pickup" (pickup)
- exe="/usr/libexec/postfix/pickup" (/usr/libexec/postfix/pickup)
- subj=system_u:system_r:postfix_pickup_t:s0 (system_u:system_r:postfix_pickup_t:s0)
- key=(null) ((null))
-
- record 3 of type 1307(CWD) has 2 fields
- line=3 file=None
- event time: 1170021493.977:293, host=(null)
- type=CWD (CWD)
- cwd="/var/spool/postfix" (/var/spool/postfix)
-
- record 4 of type 1302(PATH) has 10 fields
- line=4 file=None
- event time: 1170021493.977:293, host=(null)
- type=PATH (PATH)
- item=0 (0)
- name="maildrop" (maildrop)
- inode=14911367 (14911367)
- dev=03:07 (03:07)
- mode=040730 (dir,730)
- ouid=890 (unknown(890))
- ogid=891 (unknown(891))
- rdev=00:00 (00:00)
- obj=system_u:object_r:postfix_spool_maildrop_t:s0 (system_u:object_r:postfix_spool_maildrop_t:s0)
-
-event 2 has 1 records
- record 1 of type 1101(USER_ACCT) has 11 fields
- line=5 file=None
- event time: 1170021601.340:294, host=(null)
- type=USER_ACCT (USER_ACCT)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 3 has 1 records
- record 1 of type 1103(CRED_ACQ) has 11 fields
- line=6 file=None
- event time: 1170021601.342:295, host=(null)
- type=CRED_ACQ (CRED_ACQ)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 4 has 1 records
- record 1 of type 1006(LOGIN) has 5 fields
- line=7 file=None
- event time: 1170021601.343:296, host=(null)
- type=LOGIN (LOGIN)
- pid=13015 (13015)
- uid=0 (root)
- auid=4294967295 (unset)
- auid=0 (root)
-
-event 5 has 1 records
- record 1 of type 1105(USER_START) has 11 fields
- line=8 file=None
- event time: 1170021601.344:297, host=(null)
- type=USER_START (USER_START)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 6 has 1 records
- record 1 of type 1104(CRED_DISP) has 11 fields
- line=9 file=None
- event time: 1170021601.364:298, host=(null)
- type=CRED_DISP (CRED_DISP)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-event 7 has 1 records
- record 1 of type 1106(USER_END) has 11 fields
- line=10 file=None
- event time: 1170021601.366:299, host=(null)
- type=USER_END (USER_END)
- pid=13015 (13015)
- uid=0 (root)
- auid=0 (root)
- subj=system_u:system_r:crond_t:s0-s0:c0.c1023 (system_u:system_r:crond_t:s0-s0:c0.c1023)
- acct=root (root)
- exe="/usr/sbin/crond" (/usr/sbin/crond)
- hostname=? (?)
- addr=? (?)
- terminal=cron (cron)
- res=success (success)
-
-Test 10 Done
-
-Finished non-admin tests
-
diff --git a/framework/src/audit/auparse/test/test.log b/framework/src/audit/auparse/test/test.log
deleted file mode 100644
index e0ffabf5..00000000
--- a/framework/src/audit/auparse/test/test.log
+++ /dev/null
@@ -1,10 +0,0 @@
-type=AVC msg=audit(1170021493.977:293): avc: denied { read write } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
-type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
-type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
-type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
-type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
-type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/test/test2.log b/framework/src/audit/auparse/test/test2.log
deleted file mode 100644
index 588f1e04..00000000
--- a/framework/src/audit/auparse/test/test2.log
+++ /dev/null
@@ -1,10 +0,0 @@
-type=AVC msg=audit(1170021493.977:293): avc: denied { read } for pid=13010 comm="pickup" name="maildrop" dev=hda7 ino=14911367 scontext=system_u:system_r:postfix_pickup_t:s0 tcontext=system_u:object_r:postfix_spool_maildrop_t:s0 tclass=dir
-type=SYSCALL msg=audit(1170021493.977:293): arch=c000003e syscall=2 success=no exit=-13 a0=5555665d91b0 a1=10800 a2=5555665d91b8 a3=0 items=1 ppid=2013 pid=13010 auid=4294967295 uid=890 gid=890 euid=890 suid=890 fsuid=890 egid=890 sgid=890 fsgid=890 tty=(none) comm="pickup" exe="/usr/libexec/postfix/pickup" subj=system_u:system_r:postfix_pickup_t:s0 key=(null)
-type=CWD msg=audit(1170021493.977:293): cwd="/var/spool/postfix"
-type=PATH msg=audit(1170021493.977:293): item=0 name="maildrop" inode=14911367 dev=03:07 mode=040730 ouid=890 ogid=891 rdev=00:00 obj=system_u:object_r:postfix_spool_maildrop_t:s0
-type=USER_ACCT msg=audit(1170021601.340:294): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=CRED_ACQ msg=audit(1170021601.342:295): user pid=13015 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-type=LOGIN msg=audit(1170021601.343:296): login pid=13015 uid=0 old auid=4294967295 new auid=0
-type=USER_START msg=audit(1170021601.344:297): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=CRED_DISP msg=audit(1170021601.364:298): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
-type=USER_END msg=audit(1170021601.366:299): user pid=13015 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct=root : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
diff --git a/framework/src/audit/auparse/tty_named_keys.h b/framework/src/audit/auparse/tty_named_keys.h
deleted file mode 100644
index e71ae11e..00000000
--- a/framework/src/audit/auparse/tty_named_keys.h
+++ /dev/null
@@ -1,409 +0,0 @@
-/* tty_named_keys.h --
- * Copyright 2008 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Miloslav Trmač <mitr@redhat.com>
- */
-
-/* Longest sequences should go first, but these are comparatively common. */
-E("\x01", "^A")
-E("\x02", "^B")
-E("\x03", "^C") // Or "cancel" (3 terms)
-E("\x04", "^D")
-E("\x05", "^E")
-E("\x06", "^F")
-E("\x07", "^G")
-E("\x08", "backspace")
-E("\t", "tab")
-E("\n", "nl")
-E("\x0B", "^K")
-E("\x0C", "^L")
-E("\r", "ret")
-E("\x0E", "^N")
-E("\x0F", "^O")
-E("\x10", "^P")
-E("\x11", "^Q")
-E("\x12", "^R")
-E("\x13", "^S")
-E("\x14", "^T")
-E("\x15", "^U")
-E("\x16", "^V")
-E("\x17", "^W")
-E("\x18", "^X")
-E("\x19", "^Y")
-E("\x1A", "^Z") // Or "suspend" (9 terms)
-/* \x1B handled only after all other escape sequences */
-E("\x7F", "backspace") // 59 terms; alternative: "delete" (11 terms)
-
-// Based on terminal descriptions in ncrses-base-5.6-20.20080927.fc10.
-// Conflicts are marked by comments. Ordering: longest sequences first, then
-// lexicographically.
-E("\x1B[11;2~", "F13")
-E("\x1B[11;3~", "F49")
-E("\x1B[11;4~", "F61")
-E("\x1B[11;5~", "F25")
-E("\x1B[11;6~", "F37")
-E("\x1B[12;2~", "F14")
-E("\x1B[12;3~", "F50")
-E("\x1B[12;4~", "F62")
-E("\x1B[12;5~", "F26")
-E("\x1B[12;6~", "F38")
-E("\x1B[13;2~", "F15")
-E("\x1B[13;3~", "F51")
-E("\x1B[13;4~", "F63")
-E("\x1B[13;5~", "F27")
-E("\x1B[13;6~", "F39")
-E("\x1B[14;2~", "F16")
-E("\x1B[14;3~", "F52")
-E("\x1B[14;5~", "F28")
-E("\x1B[14;6~", "F40")
-E("\x1B[15;2~", "F17")
-E("\x1B[15;3~", "F53")
-E("\x1B[15;5~", "F29")
-E("\x1B[15;6~", "F41")
-E("\x1B[17;2~", "F18")
-E("\x1B[17;3~", "F54")
-E("\x1B[17;5~", "F30")
-E("\x1B[17;6~", "F42")
-E("\x1B[18;2~", "F19")
-E("\x1B[18;3~", "F55")
-E("\x1B[18;5~", "F31")
-E("\x1B[18;6~", "F43")
-E("\x1B[19;2~", "F20")
-E("\x1B[19;3~", "F56")
-E("\x1B[19;5~", "F32")
-E("\x1B[19;6~", "F44")
-E("\x1B[20;2~", "F21")
-E("\x1B[20;3~", "F57")
-E("\x1B[20;5~", "F33")
-E("\x1B[20;6~", "F45")
-E("\x1B[21;2~", "F22")
-E("\x1B[21;3~", "F58")
-E("\x1B[21;5~", "F34")
-E("\x1B[21;6~", "F46")
-E("\x1B[23;2~", "F23")
-E("\x1B[23;3~", "F59")
-E("\x1B[23;5~", "F35")
-E("\x1B[23;6~", "F47")
-E("\x1B[24;2~", "F24")
-E("\x1B[24;3~", "F60")
-E("\x1B[24;5~", "F36")
-E("\x1B[24;6~", "F48")
-E("\x1B""O1;2A", "scroll-backward")
-E("\x1B""O1;2B", "scroll-forward")
-E("\x1B""O1;2C", "shift-right")
-E("\x1B""O1;2D", "shift-left")
-E("\x1B[192z", "F11")
-E("\x1B[193z", "resume") // 3 terms; alternative "F12" (1 term)
-E("\x1B[194z", "options") // 3 terms; alternative "F13" (1 term)
-E("\x1B[195z", "undo") // 4 terms; alternative "F14" (1 term)
-E("\x1B[196z", "help") // 1 term; alternative "F15" (1 term)
-E("\x1B[197z", "copy")
-E("\x1B[198z", "F17")
-E("\x1B[199z", "F18")
-E("\x1B[1;2A", "scroll-backward")
-E("\x1B[1;2B", "scroll-forward")
-E("\x1B[1;2C", "shift-right")
-E("\x1B[1;2D", "shift-left")
-E("\x1B[1;2F", "shift-end")
-E("\x1B[1;2H", "shift-home")
-E("\x1B[200z", "find") // 1 term; alternative "F19" (1 term)
-E("\x1B[201z", "F20")
-E("\x1B[208z", "F31")
-E("\x1B[209z", "F32")
-E("\x1B[210z", "F33")
-E("\x1B[211z", "F34")
-E("\x1B[212z", "F35")
-E("\x1B[213z", "F36")
-E("\x1B[214z", "home")
-E("\x1B[215z", "F38")
-E("\x1B[216z", "page-up")
-E("\x1B[217z", "F40")
-E("\x1B[218z", "B2")
-E("\x1B[219z", "F42")
-E("\x1B[220z", "end")
-E("\x1B[221z", "F44")
-E("\x1B[222z", "page-down") // 4 terms; alternative "F45" (1 term)
-E("\x1B[224z", "F1")
-E("\x1B[225z", "F2")
-E("\x1B[226z", "F3")
-E("\x1B[227z", "F4")
-E("\x1B[228z", "F5")
-E("\x1B[229z", "F6")
-E("\x1B[230z", "F7")
-E("\x1B[231z", "F8")
-E("\x1B[232z", "F9")
-E("\x1B[233z", "F10")
-E("\x1B[234z", "F11") // 3 terms; alternative "F46" (1 term)
-E("\x1B[235z", "F12") // 3 terms; alternative "F47" (1 term)
-E("\x1B[2;2~", "shift-insert")
-E("\x1B[2;5~", "shift-insert")
-E("\x1B[3;2~", "shift-del")
-E("\x1B[3;5~", "shift-del")
-E("\x1B[5;2~", "shift-previous")
-E("\x1B[5;5~", "shift-previous")
-E("\x1B[6;2~", "shift-next")
-E("\x1B[6;5~", "shift-next")
-E("\x1B[11^", "F23")
-E("\x1B[11~", "F1")
-E("\x1B[12^", "F24")
-E("\x1B[12~", "F2")
-E("\x1B[13^", "F25")
-E("\x1B[13~", "F3")
-E("\x1B[14^", "F26")
-E("\x1B[14~", "F4")
-E("\x1B[15^", "F27")
-E("\x1B[15~", "F5")
-E("\x1B[17^", "F28")
-E("\x1B[17~", "F6")
-E("\x1B[18^", "F29")
-E("\x1B[18~", "F7")
-E("\x1B[19^", "F30")
-E("\x1B[19~", "F8")
-E("\x1B[20^", "F31")
-E("\x1B[20~", "F9")
-E("\x1B[21^", "F32")
-E("\x1B[21~", "F10") // 85 terms; alternative "F0" (9 terms)
-E("\x1B[23$", "F21")
-E("\x1B[23@", "F43")
-E("\x1B[23^", "F33")
-E("\x1B[23~", "F11")
-E("\x1B[24$", "F22")
-E("\x1B[24@", "F44")
-E("\x1B[24^", "F34")
-E("\x1B[24~", "F12")
-E("\x1B[25^", "F35")
-E("\x1B[25~", "F13")
-E("\x1B[26^", "F36")
-E("\x1B[26~", "F14")
-E("\x1B[28^", "F37")
-E("\x1B[28~", "F15") // 42 terms; alternative "help" (8 terms)
-E("\x1B[29^", "F38")
-E("\x1B[29~", "F16") // 42 terms; alternative "redo" (4 terms)
-E("\x1B[30~", "insert-line")
-E("\x1B[31^", "F39")
-E("\x1B[31~", "F17") // 46 terms; alternative "delete-line" (1 term)
-E("\x1B[32^", "F40")
-E("\x1B[32~", "F18")
-E("\x1B[33^", "F41")
-E("\x1B[33~", "F19")
-E("\x1B[34^", "F42")
-E("\x1B[34~", "F20")
-E("\x1B""O2A", "scroll-backward")
-E("\x1B""O2B", "scroll-forward")
-E("\x1B""O2C", "shift-right")
-E("\x1B""O2D", "shift-left")
-E("\x1B""O2P", "F13")
-E("\x1B""O2Q", "F14")
-E("\x1B""O2R", "F15")
-E("\x1B""O2S", "F16")
-E("\x1B""O3P", "F49")
-E("\x1B""O3Q", "F50")
-E("\x1B""O3R", "F51")
-E("\x1B""O3S", "F52")
-E("\x1B""O4P", "F61")
-E("\x1B""O4Q", "F62")
-E("\x1B""O4R", "F63")
-E("\x1B""O5C", "shift-right")
-E("\x1B""O5D", "shift-left")
-E("\x1B""O5F", "shift-end")
-E("\x1B""O5H", "shift-home")
-E("\x1B""O5P", "F25")
-E("\x1B""O5Q", "F26")
-E("\x1B""O5R", "F27")
-E("\x1B""O5S", "F28")
-E("\x1B""O6P", "F37")
-E("\x1B""O6Q", "F38")
-E("\x1B""O6R", "F39")
-E("\x1B""O6S", "F40")
-E("\x1B[1~", "home") // 30 terms; alternative "find" (42 terms, but "home" is used in Linux)
-E("\x1B[2$", "shift-insert")
-E("\x1B[2z", "insert")
-E("\x1B[2~", "insert")
-E("\x1B[3$", "shift-del")
-E("\x1B[3z", "delete")
-E("\x1B[3~", "delete")
-E("\x1B[4~", "end") // 30 terms; alternative "select" (42 terms, but "end" is used in Linux)
-E("\x1B[5$", "shift-previous")
-E("\x1B[5~", "page-up") // 86 terms; alternative "A3" (4 terms)
-E("\x1B[6$", "shift-next")
-E("\x1B[6~", "page-down") // 86 terms; alternative "C3" (4 terms)
-E("\x1B[7$", "shift-home")
-E("\x1B[7~", "home") // 17 terms; alternative "A1" (4 terms)
-E("\x1B[8$", "shift-end")
-E("\x1B[8^", "delete-eol")
-E("\x1B[8~", "end") // 17 terms; alternatives "C1" (4 terms), "delete-eol" (1 term)
-E("\x1B[>M", "mouse")
-E("\x1B[[A", "F1")
-E("\x1B[[B", "F2")
-E("\x1B[[C", "F3")
-E("\x1B[[D", "F4")
-E("\x1B[[E", "F5")
-E("\x9B""11~", "F1")
-E("\x9B""12~", "F2")
-E("\x9B""13~", "F3")
-E("\x9B""14~", "F4")
-E("\x9B""15~", "F5")
-E("\x9B""17~", "F6")
-E("\x9B""18~", "F7")
-E("\x9B""19~", "F8")
-E("\x9B""20~", "F9")
-E("\x9B""21~", "F10")
-E("\x9B""23~", "F11")
-E("\x9B""24~", "F12")
-E("\x9B""25~", "F13")
-E("\x9B""26~", "F14")
-E("\x9B""28~", "F15")
-E("\x9B""29~", "F16")
-E("\x9B""31~", "F17")
-E("\x9B""32~", "F18")
-E("\x9B""33~", "F19")
-E("\x9B""34~", "F20")
-E("\x1B""2$", "shift-insert")
-E("\x1B""OA", "up")
-E("\x1B""OB", "down")
-E("\x1B""OC", "right")
-E("\x1B""OD", "left")
-E("\x1B""OE", "B2") // 16 terms; alternative "begin" (5 terms)
-E("\x1B""OF", "end")
-E("\x1B""OH", "home")
-E("\x1B""OM", "send")
-E("\x1B""OP", "F1")
-E("\x1B""OQ", "F2")
-E("\x1B""OR", "F3")
-E("\x1B""OS", "F4")
-E("\x1B""OT", "F5")
-E("\x1B""OU", "F6")
-E("\x1B""OV", "F7")
-E("\x1B""OW", "F8")
-E("\x1B""OX", "F9")
-E("\x1B""OY", "F10")
-E("\x1B""OZ", "F11")
-E("\x1B""O[", "F12")
-E("\x1B""Ol", "F8")
-E("\x1B""On", "C3")
-E("\x1B""Op", "C1")
-E("\x1B""Oq", "C1") // 17 terms; alternatives "A1" (5 terms), "F0" (1 term)
-E("\x1B""Or", "B2")
-E("\x1B""Os", "C3") // 17 terms; alternative "A3" (7 terms)
-E("\x1B""Ot", "F5")
-E("\x1B""Ou", "B2") // 21 terms; alternative "F6" (4 terms), "begin" (4 terms)
-E("\x1B""Ov", "F7")
-E("\x1B""Ow", "A1") // 17 terms; alternative "F9" (4 terms)
-E("\x1B""Ox", "F10")
-E("\x1B""Oy", "A3") // 17 terms; alternative "F0" (5 terms)
-E("\x1B[9", "delete")
-E("\x1B[@", "F41") // 4 terms; alternative "insert" (3 terms)
-E("\x1B[A", "up")
-E("\x1B[B", "down")
-E("\x1B[C", "right")
-E("\x1B[D", "left")
-E("\x1B[E", "B2") // 9 terms; alternative "begin" (1 term)
-E("\x1B[F", "end") // 5 terms; alternative "lower-left" (3 terms)
-E("\x1B[G", "B2") // 9 terms; alternative "page-down" (4 terms)
-E("\x1B[H", "home")
-E("\x1B[I", "page-up")
-E("\x1B[L", "insert")
-E("\x1B[M", "mouse") // 83 terms; alternative "F1" (4 terms)
-E("\x1B[N", "F2")
-E("\x1B[O", "F3")
-E("\x1B[P", "F4")
-E("\x1B[Q", "F5")
-E("\x1B[R", "F6")
-E("\x1B[S", "F7")
-E("\x1B[T", "F8")
-E("\x1B[U", "F9") // 4 terms; alternative "page-down" (3 terms)
-E("\x1B[V", "F10") // 4 terms; alternative "page-dup" (3 terms)
-E("\x1B[W", "F11")
-E("\x1B[X", "F12")
-E("\x1B[Y", "F13") // 4 terms; alternative "end" (3 terms)
-E("\x1B[Z", "back-tab") // 59 terms; alternative "F14" (4 terms)
-E("\x1B[[", "F42")
-E("\x1B[\\", "F43")
-E("\x1B[]", "F44")
-E("\x1B[^", "F45")
-E("\x1B[_", "F46")
-E("\x1B[`", "F47")
-E("\x1B[a", "F15")
-E("\x1B[b", "F16")
-E("\x1B[c", "shift-right") // 15 terms; alternative "F17" (4 terms)
-E("\x1B[d", "shift-left") // 15 terms; alternative "F18" (4 terms)
-E("\x1B[e", "F19")
-E("\x1B[f", "F20")
-E("\x1B[g", "F21")
-E("\x1B[h", "F22")
-E("\x1B[i", "F23")
-E("\x1B[j", "F24")
-E("\x1B[k", "F25")
-E("\x1B[l", "F26")
-E("\x1B[m", "F27")
-E("\x1B[n", "F28")
-E("\x1B[o", "F29")
-E("\x1B[p", "F30")
-E("\x1B[q", "F31")
-E("\x1B[r", "F32")
-E("\x1B[s", "F33")
-E("\x1B[t", "F34")
-E("\x1B[u", "F35")
-E("\x1B[v", "F36")
-E("\x1B[w", "F37")
-E("\x1B[x", "F38")
-E("\x1B[y", "F39")
-E("\x1B[z", "F40")
-E("\x1B[{", "F48")
-E("\x9B""1~", "home")
-E("\x9B""2~", "insert")
-E("\x9B""3~", "delete")
-E("\x9B""4~", "end")
-E("\x9B""5~", "page-up")
-E("\x9B""6~", "page-down")
-E("\x1B""A", "up")
-E("\x1B""B", "down")
-E("\x1B""C", "right")
-E("\x1B""D", "left")
-E("\x1B""F", "end")
-E("\x1B""J", "clear")
-E("\x1B""P", "delete")
-E("\x1B""Q", "insert")
-E("\x1B""S", "page-down")
-E("\x1B""T", "page-up")
-E("\x1B""h", "home")
-E("\x1B""p", "F1")
-E("\x1B""q", "F2")
-E("\x1B""r", "F3")
-E("\x1B""s", "F4")
-E("\x1B""t", "F5")
-E("\x1B""u", "F6")
-E("\x1B""v", "F7")
-E("\x1B""w", "F8")
-E("\x1B\x09", "back-tab")
-E("\x8F""A", "up")
-E("\x8F""B", "down")
-E("\x8F""C", "right")
-E("\x8F""D", "left")
-E("\x8F""E", "begin")
-E("\x8F""M", "send")
-E("\x8F""q", "C1")
-E("\x8F""s", "C3")
-E("\x8F""u", "A3")
-E("\x8F""w", "A1")
-E("\x8F""y", "B2")
-E("\x9B""M", "mouse")
-E("\x9B""Z", "back-tab")
-
-E("\x1B", "esc")
diff --git a/framework/src/audit/auparse/typetab.h b/framework/src/audit/auparse/typetab.h
deleted file mode 100644
index 7ff53c31..00000000
--- a/framework/src/audit/auparse/typetab.h
+++ /dev/null
@@ -1,127 +0,0 @@
-/* typetab.h --
- * Copyright 2007-09,2011-12,2014 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- */
-
-
-_S(AUPARSE_TYPE_UID, "auid" )
-_S(AUPARSE_TYPE_UID, "uid" )
-_S(AUPARSE_TYPE_UID, "euid" )
-_S(AUPARSE_TYPE_UID, "suid" )
-_S(AUPARSE_TYPE_UID, "fsuid" )
-_S(AUPARSE_TYPE_UID, "ouid" )
-_S(AUPARSE_TYPE_UID, "oauid" )
-_S(AUPARSE_TYPE_UID, "iuid" )
-_S(AUPARSE_TYPE_UID, "id" )
-_S(AUPARSE_TYPE_UID, "inode_uid" )
-_S(AUPARSE_TYPE_UID, "sauid" )
-_S(AUPARSE_TYPE_UID, "obj_uid" )
-_S(AUPARSE_TYPE_GID, "obj_gid" )
-_S(AUPARSE_TYPE_GID, "gid" )
-_S(AUPARSE_TYPE_GID, "egid" )
-_S(AUPARSE_TYPE_GID, "sgid" )
-_S(AUPARSE_TYPE_GID, "fsgid" )
-_S(AUPARSE_TYPE_GID, "ogid" )
-_S(AUPARSE_TYPE_GID, "igid" )
-_S(AUPARSE_TYPE_GID, "inode_gid" )
-_S(AUPARSE_TYPE_GID, "new_gid" )
-_S(AUPARSE_TYPE_SYSCALL, "syscall" )
-_S(AUPARSE_TYPE_ARCH, "arch" )
-_S(AUPARSE_TYPE_EXIT, "exit" )
-_S(AUPARSE_TYPE_ESCAPED, "path" )
-_S(AUPARSE_TYPE_ESCAPED, "comm" )
-_S(AUPARSE_TYPE_ESCAPED, "exe" )
-_S(AUPARSE_TYPE_ESCAPED, "file" )
-_S(AUPARSE_TYPE_ESCAPED, "name" )
-_S(AUPARSE_TYPE_ESCAPED, "watch" )
-_S(AUPARSE_TYPE_ESCAPED, "cwd" )
-_S(AUPARSE_TYPE_ESCAPED, "cmd" )
-_S(AUPARSE_TYPE_ESCAPED, "acct" )
-_S(AUPARSE_TYPE_ESCAPED, "dir" )
-_S(AUPARSE_TYPE_ESCAPED, "key" )
-_S(AUPARSE_TYPE_ESCAPED, "vm" )
-_S(AUPARSE_TYPE_ESCAPED, "old-disk" )
-_S(AUPARSE_TYPE_ESCAPED, "new-disk" )
-_S(AUPARSE_TYPE_ESCAPED, "old-fs" )
-_S(AUPARSE_TYPE_ESCAPED, "new-fs" )
-_S(AUPARSE_TYPE_ESCAPED, "device" )
-_S(AUPARSE_TYPE_ESCAPED, "cgroup" )
-_S(AUPARSE_TYPE_PERM, "perm" )
-_S(AUPARSE_TYPE_PERM, "perm_mask" )
-_S(AUPARSE_TYPE_MODE, "mode" )
-_S(AUPARSE_TYPE_SOCKADDR, "saddr" )
-//_S(AUPARSE_TYPE_FLAGS, "flags" )
-_S(AUPARSE_TYPE_PROMISC, "prom" )
-_S(AUPARSE_TYPE_PROMISC, "old_prom" )
-_S(AUPARSE_TYPE_CAPABILITY, "capability" )
-_S(AUPARSE_TYPE_SUCCESS, "res" )
-_S(AUPARSE_TYPE_SUCCESS, "result" )
-_S(AUPARSE_TYPE_A0, "a0" )
-_S(AUPARSE_TYPE_A1, "a1" )
-_S(AUPARSE_TYPE_A2, "a2" )
-_S(AUPARSE_TYPE_A3, "a3" )
-_S(AUPARSE_TYPE_SIGNAL, "sig" )
-_S(AUPARSE_TYPE_LIST, "list" )
-_S(AUPARSE_TYPE_TTY_DATA, "data" )
-_S(AUPARSE_TYPE_SESSION, "ses" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pi" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pe" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "cap_pp" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fi" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "cap_fp" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "fp" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "fi" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "fe" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "old_pp" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "old_pi" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "old_pe" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "new_pp" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "new_pi" )
-_S(AUPARSE_TYPE_CAP_BITMAP, "new_pe" )
-_S(AUPARSE_TYPE_NFPROTO, "family" )
-_S(AUPARSE_TYPE_ICMPTYPE, "icmptype" )
-_S(AUPARSE_TYPE_PROTOCOL, "proto" )
-_S(AUPARSE_TYPE_ADDR, "addr" )
-#ifdef WITH_APPARMOR
-_S(AUPARSE_TYPE_ESCAPED, "apparmor" )
-_S(AUPARSE_TYPE_ESCAPED, "operation" )
-_S(AUPARSE_TYPE_ESCAPED, "denied_mask" )
-_S(AUPARSE_TYPE_ESCAPED, "info" )
-_S(AUPARSE_TYPE_ESCAPED, "profile" )
-_S(AUPARSE_TYPE_ESCAPED, "requested_mask")
-#endif
-_S(AUPARSE_TYPE_PERSONALITY, "per" )
-_S(AUPARSE_TYPE_SECCOMP, "code" )
-_S(AUPARSE_TYPE_ESCAPED, "old-rng" )
-_S(AUPARSE_TYPE_ESCAPED, "new-rng" )
-_S(AUPARSE_TYPE_OFLAG, "oflag" )
-_S(AUPARSE_TYPE_ESCAPED, "ocomm" )
-_S(AUPARSE_TYPE_MMAP, "flags" )
-_S(AUPARSE_TYPE_SIGNAL, "sigev_signo" )
-_S(AUPARSE_TYPE_MAC_LABEL, "subj" )
-_S(AUPARSE_TYPE_MAC_LABEL, "obj" )
-_S(AUPARSE_TYPE_MAC_LABEL, "scontext" )
-_S(AUPARSE_TYPE_MAC_LABEL, "tcontext" )
-_S(AUPARSE_TYPE_MAC_LABEL, "vm-ctx" )
-_S(AUPARSE_TYPE_MAC_LABEL, "img-ctx" )
-_S(AUPARSE_TYPE_PROCTITLE, "proctitle" )
-_S(AUPARSE_TYPE_ESCAPED, "grp" )
-_S(AUPARSE_TYPE_ESCAPED, "new_group" )
-
diff --git a/framework/src/audit/auparse/umounttab.h b/framework/src/audit/auparse/umounttab.h
deleted file mode 100644
index a673efb1..00000000
--- a/framework/src/audit/auparse/umounttab.h
+++ /dev/null
@@ -1,30 +0,0 @@
-/* umounttab.h --
- * Copyright 2013 Red Hat Inc., Durham, North Carolina.
- * All Rights Reserved.
- *
- * This library is free software; you can redistribute it and/or
- * modify it under the terms of the GNU Lesser General Public
- * License as published by the Free Software Foundation; either
- * version 2.1 of the License, or (at your option) any later version.
- *
- * This library is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this library; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
- *
- * Authors:
- * Steve Grubb <sgrubb@redhat.com>
- * Location: include/linux/fs.h
- */
-
-
-_S(0x00000001, "MNT_FORCE" )
-_S(0x00000002, "MNT_DETACH" )
-_S(0x00000004, "MNT_EXPIRE" )
-_S(0x00000008, "UMOUNT_NOFOLLOW" )
-_S(0x80000001, "UMOUNT_UNUSED" )
-