diff options
Diffstat (limited to 'framework/src/audit/bindings/python/auparse_python.c')
| -rw-r--r-- | framework/src/audit/bindings/python/auparse_python.c | 1776 |
1 files changed, 0 insertions, 1776 deletions
diff --git a/framework/src/audit/bindings/python/auparse_python.c b/framework/src/audit/bindings/python/auparse_python.c deleted file mode 100644 index af19194c..00000000 --- a/framework/src/audit/bindings/python/auparse_python.c +++ /dev/null @@ -1,1776 +0,0 @@ -#include <Python.h> -#include "structmember.h" - -#include <errno.h> -#include <time.h> -#include "auparse.h" - -/* -auparse functions explicitly not exported in this binding and why: - -auparse_destroy: because this is handled by python object management -auparse_get_time: because AuEvent provides this as an attribute -auparse_get_milli: because AuEvent provides this as an attribute -auparse_get_serial: because AuEvent provides this as an attribute -auparse_get_node: because AuEvent provides this as an attribute -auparse_timestamp_compare: because AuEvent calls this via the cmp operator - -*/ - -#if PY_MAJOR_VERSION > 2 -#define IS_PY3K -#define MODINITERROR return NULL -#define PYNUM_FROMLONG PyLong_FromLong -#define PYSTR_CHECK PyUnicode_Check -#define PYSTR_FROMSTRING PyUnicode_FromString -#define PYSTR_ASSTRING PyUnicode_AsUTF8 -#define PYFILE_ASFILE(f) fdopen(PyObject_AsFileDescriptor(f), "r") -int PyFile_Check(PyObject *f) { - PyObject *io, *base; - if (!(io = PyImport_ImportModule("io"))) { - return 0; - } else { - if (!(base = PyObject_GetAttrString(io, "TextIOBase"))) { - return 0; - } else { - return PyObject_IsInstance(f, base); - } - } -} -#else -#define MODINITERROR return -#define PYNUM_FROMLONG PyInt_FromLong -#define PYSTR_CHECK PyString_Check -#define PYSTR_FROMSTRING PyString_FromString -#define PYSTR_ASSTRING PyString_AsString -#define PYFILE_ASFILE(f) PyFile_AsFile(f) -#endif - -static int debug = 0; -static PyObject *NoParserError = NULL; - -/*=========================================================================== - * AuEvent - *===========================================================================*/ - -typedef struct { - PyObject_HEAD - PyObject *sec; - PyObject *milli; - PyObject *serial; - PyObject *host; - au_event_t event; -} AuEvent; - -static void -AuEvent_dealloc(AuEvent* self) -{ - Py_XDECREF(self->sec); - Py_XDECREF(self->milli); - Py_XDECREF(self->serial); - Py_XDECREF(self->host); - Py_TYPE(self)->tp_free((PyObject*)self); -} - -static int -AuEvent_compare(PyObject *obj1, PyObject *obj2) -{ - AuEvent *au_event1 = (AuEvent *) obj1; - AuEvent *au_event2 = (AuEvent *) obj2; - - return auparse_timestamp_compare(&au_event1->event, &au_event2->event); -} - -static PyObject * -AuEvent_get_sec(AuEvent *self, void *closure) -{ - if (self->sec == NULL) { - if ((self->sec = PYNUM_FROMLONG(self->event.sec)) == NULL) return NULL; - } - Py_INCREF(self->sec); - return self->sec; -} - -static PyObject * -AuEvent_get_milli(AuEvent *self, void *closure) -{ - if (self->milli == NULL) { - if ((self->milli = PYNUM_FROMLONG(self->event.milli)) == NULL) return NULL; - } - Py_INCREF(self->milli); - return self->milli; -} - -static PyObject * -AuEvent_get_serial(AuEvent *self, void *closure) -{ - if (self->serial == NULL) { - if ((self->serial = PYNUM_FROMLONG(self->event.serial)) == NULL) return NULL; - } - Py_INCREF(self->serial); - return self->serial; -} - -static PyObject * -AuEvent_get_host(AuEvent *self, void *closure) -{ - if (self->event.host == NULL) { - Py_RETURN_NONE; - } else { - if (self->host == NULL) { - if ((self->host = PYSTR_FROMSTRING(self->event.host)) == NULL) return NULL; - } - Py_INCREF(self->host); - return self->host; - } -} - -static PyGetSetDef AuEvent_getseters[] = { - {"sec", (getter)AuEvent_get_sec, (setter)NULL, "Event seconds", NULL}, - {"milli", (getter)AuEvent_get_milli, (setter)NULL, "millisecond of the timestamp", NULL}, - {"serial", (getter)AuEvent_get_serial, (setter)NULL, "Serial number of the event", NULL}, - {"host", (getter)AuEvent_get_host, (setter)NULL, "Machine's name", NULL}, - {NULL} /* Sentinel */ -}; - -static PyMemberDef AuEvent_members[] = { - {NULL} /* Sentinel */ -}; - -static char * -fmt_event(time_t seconds, unsigned int milli, unsigned long serial, const char *host) -{ - static char buf1[200], buf2[200]; - char fmt[] = "%a %b %d %H:%M:%S.%%ld %Y serial=%%ld host=%%s"; - struct tm *tmp; - - tmp = localtime(&seconds); - if (tmp == NULL) { - sprintf(buf2, "localtime error"); - return buf2; - } - - if (strftime(buf1, sizeof(buf1), fmt, tmp) == 0) { - sprintf(buf2, "strftime returned 0"); - return buf2; - } - - snprintf(buf2, sizeof(buf2), buf1, milli, serial, host, sizeof(buf2)); - return buf2; -} - -static PyObject * -AuEvent_str(PyObject * obj) -{ - AuEvent *event = (AuEvent *) obj; - return PYSTR_FROMSTRING(fmt_event(event->event.sec, event->event.milli, event->event.serial, event->event.host)); -} - - -static PyMethodDef AuEvent_methods[] = { - {NULL} /* Sentinel */ -}; - -PyDoc_STRVAR(AuEvent_doc, -"An internal object which encapsulates the timestamp, serial number\n\ -and host information of an audit event. The object cannot be\n\ -instantiated from python code, rather it is returned from the\n\ -audit parsing API."); - -static PyTypeObject AuEventType = { - PyVarObject_HEAD_INIT(NULL, 0) - "auparse.AuEvent", /*tp_name*/ - sizeof(AuEvent), /*tp_basicsize*/ - 0, /*tp_itemsize*/ - (destructor)AuEvent_dealloc, /*tp_dealloc*/ - 0, /*tp_print*/ - 0, /*tp_getattr*/ - 0, /*tp_setattr*/ - AuEvent_compare, /*tp_compare*/ - 0, /*tp_repr*/ - 0, /*tp_as_number*/ - 0, /*tp_as_sequence*/ - 0, /*tp_as_mapping*/ - 0, /*tp_hash */ - 0, /*tp_call*/ - AuEvent_str, /*tp_str*/ - 0, /*tp_getattro*/ - 0, /*tp_setattro*/ - 0, /*tp_as_buffer*/ - Py_TPFLAGS_DEFAULT, /*tp_flags*/ - AuEvent_doc, /* tp_doc */ - 0, /* tp_traverse */ - 0, /* tp_clear */ - 0, /* tp_richcompare */ - 0, /* tp_weaklistoffset */ - 0, /* tp_iter */ - 0, /* tp_iternext */ - AuEvent_methods, /* tp_methods */ - AuEvent_members, /* tp_members */ - AuEvent_getseters, /* tp_getset */ - 0, /* tp_base */ - 0, /* tp_dict */ - 0, /* tp_descr_get */ - 0, /* tp_descr_set */ - 0, /* tp_dictoffset */ - 0, /* tp_init */ - 0, /* tp_alloc */ - 0, /* tp_new */ -}; - -static PyObject * -AuEvent_new_from_struct(au_event_t const *event_ptr) -{ - AuEvent *self; - - self = (AuEvent *)AuEventType.tp_alloc(&AuEventType, 0); - if (self != NULL) { - self->event = *event_ptr; - } - - return (PyObject *)self; -} - -/*=========================================================================== - * AuParser - *===========================================================================*/ - -#define PARSER_CHECK \ - if (self->au == NULL) { \ - PyErr_SetString(NoParserError, "object has no parser associated with it"); \ - return NULL; \ - } - -typedef struct { - PyObject_HEAD - auparse_state_t *au; -} AuParser; - -typedef struct { - AuParser *py_AuParser; - PyObject *func; - PyObject *user_data; -} CallbackData; - -void callback_data_destroy(void *user_data) -{ - CallbackData *cb = (CallbackData *)user_data; - - if (debug) printf("<< callback_data_destroy\n"); - if (cb) { - Py_DECREF(cb->func); - Py_XDECREF(cb->user_data); - PyMem_Del(cb); - } -} - -static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data) -{ - CallbackData *cb = (CallbackData *)user_data; - PyObject *arglist; - PyObject *result; - - arglist = Py_BuildValue("OiO", cb->py_AuParser, cb_event_type, cb->user_data); - result = PyEval_CallObject(cb->func, arglist); - Py_DECREF(arglist); - Py_XDECREF(result); -} - -static void -AuParser_dealloc(AuParser* self) -{ - if (debug) printf("<< AuParser_dealloc: self=%p au=%p\n", self, self->au); - if (self->au != NULL) { - auparse_destroy(self->au); - } - Py_TYPE(self)->tp_free((PyObject*)self); -} - -static PyObject * -AuParser_new(PyTypeObject *type, PyObject *args, PyObject *kwds) -{ - AuParser *self; - - self = (AuParser *)type->tp_alloc(type, 0); - if (self != NULL) { - self->au = NULL; - } - return (PyObject *)self; -} - -/******************************** - * auparse_init - ********************************/ -static int -AuParser_init(AuParser *self, PyObject *args, PyObject *kwds) -{ - static char *kwlist[] = {"source_type", "source", NULL}; - int source_type = -1; - PyObject *source=Py_None; - - if (self->au != NULL) { - auparse_destroy(self->au); - self->au = NULL; - } - - if (! PyArg_ParseTupleAndKeywords(args, kwds, "|iO", kwlist, &source_type, &source)) return -1; - - switch (source_type) { - case AUSOURCE_LOGS: { - if (source != Py_None) { - PyErr_SetString(PyExc_ValueError, "source must be None or not passed as a parameter when source_type is AUSOURCE_LOGS"); - return -1; - } - if ((self->au = auparse_init(source_type, NULL)) == NULL) { - PyErr_SetFromErrno(PyExc_IOError); - return -1; - } - } break; - case AUSOURCE_FILE: { - char *filename = NULL; - - if (!PYSTR_CHECK(source)) { - PyErr_SetString(PyExc_ValueError, "source must be a string when source_type is AUSOURCE_FILE"); - return -1; - } - if ((filename = PYSTR_ASSTRING(source)) == NULL) return -1; - if ((self->au = auparse_init(source_type, filename)) == NULL) { - PyErr_SetFromErrnoWithFilename(PyExc_IOError, filename); - return -1; - } - } break; - case AUSOURCE_FILE_ARRAY: { - int i, n; - PyObject *item = NULL; - char **files = NULL; - - if (PySequence_Check(source)) { - n = PySequence_Size(source); - if ((files = PyMem_New(char *, n+1)) == NULL) { - PyErr_NoMemory(); - return -1; - } - for (i = 0; i < n; i++) { - item = PySequence_GetItem(source, i); - if ((files[i] = PYSTR_ASSTRING(item)) == NULL) { - PyErr_SetString(PyExc_ValueError, "members of source sequence must be a string when source_type is AUSOURCE_FILE_ARRAY"); - Py_DECREF(item); - PyMem_Del(files); - return -1; - } else { - Py_DECREF(item); - } - } - files[i] = NULL; - } else { - PyErr_SetString(PyExc_ValueError, "source must be a sequence when source_type is AUSOURCE_FILE_ARRAY"); - return -1; - } - - if ((self->au = auparse_init(source_type, files)) == NULL) { - PyErr_SetFromErrno(PyExc_IOError); - PyMem_Del(files); - return -1; - } - PyMem_Del(files); - } break; - case AUSOURCE_BUFFER: { - char *buf; - if ((buf = PYSTR_ASSTRING(source)) == NULL) return -1; - if ((self->au = auparse_init(source_type, buf)) == NULL) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return -1; - } - } break; - case AUSOURCE_BUFFER_ARRAY: { - int i, n; - PyObject *item = NULL; - char **buffers = NULL; - - if (PySequence_Check(source)) { - n = PySequence_Size(source); - if ((buffers = PyMem_New(char *, n+1)) == NULL) { - PyErr_NoMemory(); - return -1; - } - for (i = 0; i < n; i++) { - item = PySequence_GetItem(source, i); - if ((buffers[i] = PYSTR_ASSTRING(item)) == NULL) { - PyErr_SetString(PyExc_ValueError, "members of source sequence must be a string when source_type is AUSOURCE_BUFFER_ARRAY"); - Py_DECREF(item); - PyMem_Del(buffers); - return -1; - } else { - Py_DECREF(item); - } - } - buffers[i] = NULL; - } else { - PyErr_SetString(PyExc_ValueError, "source must be a sequence when source_type is AUSOURCE_FILE_ARRAY"); - return -1; - } - - if ((self->au = auparse_init(source_type, buffers)) == NULL) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - PyMem_Del(buffers); - return -1; - } - PyMem_Del(buffers); - } break; - case AUSOURCE_DESCRIPTOR: { - int fd; - fd = PyObject_AsFileDescriptor(source); - if (fd < 0) { - PyErr_SetString(PyExc_ValueError, "source must be resolvable to a file descriptor when source_type is AUSOURCE_DESCRIPTOR"); - return -1; - } - } break; - case AUSOURCE_FILE_POINTER: { - FILE* fp; - - if (!PyFile_Check(source)) { - PyErr_SetString(PyExc_ValueError, "source must be a file object when source_type is AUSOURCE_FILE_POINTER"); - return -1; - } - if ((fp = PYFILE_ASFILE(source)) == NULL) { - PyErr_SetString(PyExc_TypeError, "source must be open file when source_type is AUSOURCE_FILE_POINTER"); - return -1; - } - if ((self->au = auparse_init(source_type, fp)) == NULL) { - //char *filename = PYSTR_ASSTRING(PyFile_Name(source)); - char *filename = "TODO"; - PyErr_SetFromErrnoWithFilename(PyExc_IOError, filename); - return -1; - } - } break; - case AUSOURCE_FEED: { - if (source != Py_None) { - PyErr_SetString(PyExc_ValueError, "source must be None when source_type is AUSOURCE_FEED"); - return -1; - } - if ((self->au = auparse_init(source_type, NULL)) == NULL) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return -1; - } - } break; - default: { - PyErr_SetString(PyExc_ValueError, "Invalid source type"); - return -1; - } break; - } - - if (debug) printf(">> AuParser_init: self=%p au=%p\n", self, self->au); - return 0; -} - -/******************************** - * auparse_feed - ********************************/ -PyDoc_STRVAR(feed_doc, -"feed(data) supplies new data for the parser to consume.\n\ -\n\ -AuParser() must have been called with a source type of AUSOURCE_FEED.\n\ -The parser consumes as much data as it can invoking a user supplied\n\ -callback specified with add_callback() with a cb_event_type of\n\ -AUPARSE_CB_EVENT_READY each time the parser recognizes a complete event\n\ -in the data stream. Data not fully parsed will persist and be prepended\n\ -to the next feed data. After all data has been feed to the parser flush_feed()\n\ -should be called to signal the end of input data and flush any pending\n\ -parse data through the parsing system.\n\ -\n\ -Returns None.\n\ -Raises exception (EnvironmentError) on error\n\ -"); -static PyObject * -AuParser_feed(AuParser *self, PyObject *args) -{ - char *data; - int data_len; - int result; - - if (!PyArg_ParseTuple(args, "s#:feed", &data, &data_len)) return NULL; - PARSER_CHECK; - result = auparse_feed(self->au, data, data_len); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_flush_feed - ********************************/ -PyDoc_STRVAR(flush_feed_doc, -"flush_feed() flush any unconsumed feed data through parser\n\ -\n\ -flush_feed() should be called to signal the end of feed input data\n\ -and flush any pending parse data through the parsing system.\n\ -\n\ -Returns None.\n\ -Raises exception (EnvironmentError) on error\n\ -"); -static PyObject * -AuParser_flush_feed(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_flush_feed(self->au); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_add_callback - ********************************/ -PyDoc_STRVAR(add_callback_doc, -"add_callback(callback, user_data) add a callback handler for notifications.\n\ -\n\ -auparse_add_callback adds a callback function to the parse state which\n\ -is invoked to notify the application of parsing events.\n\ -\n\ -The signature of the callback is:\n\ -\n\ -callback(au, cb_event_type,user_data)\n\ -\n\ -When the callback is invoked it is passed:\n\ -au: the AuParser object\n\ -cb_event_type: enumerated value indicating the reason why the callback was invoked\n\ -user_data: user supplied private data\n\ -\n\ -The cb_event_type argument indicates why the callback was invoked.\n\ -It's possible values are:\n\ -\n\ -AUPARSE_CB_EVENT_READY\n\ -A complete event has been parsed and is ready to be examined.\n\ -This is logically equivalent to the parse state immediately following\n\ -auparse_next_event()\n\ -\n\ -Returns None.\n\ -Raises exception (EnvironmentError) on error\n\ -"); -static PyObject * -AuParser_add_callback(AuParser *self, PyObject *args) -{ - PyObject *func; - PyObject *user_data; - - if (!PyArg_ParseTuple(args, "O|O:add_callback", &func, &user_data)) return NULL; - if (!PyFunction_Check(func)) { - PyErr_SetString(PyExc_ValueError, "callback must be a function"); - return NULL; - } - PARSER_CHECK; - - { - CallbackData *cb; - - cb = PyMem_New(CallbackData, 1); - if (cb == NULL) - return PyErr_NoMemory(); - cb->py_AuParser = self; - cb->func = func; - cb->user_data = user_data; - Py_INCREF(cb->func); - Py_XINCREF(cb->user_data); - auparse_add_callback(self->au, auparse_callback, cb, callback_data_destroy); -} - - Py_RETURN_NONE; -} - -/******************************** - * auparse_set_escape_mode - ********************************/ -PyDoc_STRVAR(set_escape_mode_doc, -"set_escape_mode() Set audit parser escaping\n\ -\n\ -This function sets the character escaping applied to value fields in the audit record.\n\ -Returns None.\n\ -"); -static PyObject * -AuParser_set_escape_mode(PyObject *args) -{ - int mode; - - if (!PyArg_ParseTuple(args, "i", &mode)) return NULL; - auparse_set_escape_mode(mode); - - return NULL; -} - -/******************************** - * auparse_reset - ********************************/ -PyDoc_STRVAR(reset_doc, -"reset() Reset audit parser instance\n\ -\n\ -reset resets all internal cursors to the beginning.\n\ -It closes files and descriptors.\n\ -\n\ -Returns None.\n\ -Raises exception (EnvironmentError) on error\n\ -"); -static PyObject * -AuParser_reset(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_reset(self->au); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * ausearch_add_expression - ********************************/ -PyDoc_STRVAR(search_add_expression_doc, -"search_add_expression(expression, how) Build up search expression\n\ -\n\ -\n\ -ausearch_add_item adds an expression to the current audit search\n\ -expression. The search conditions can then be used to scan logs,\n\ -files, or buffers for something of interest. The expression parameter\n\ -contains an expression, as specified in ausearch-expression(5).\n\ -\n\ -The how parameter determines how this search expression will affect the\n\ -existing search expression, if one is already defined. The possible\n\ -values are:\n\ -\n\ -AUSEARCH_RULE_CLEAR:\n\ -Clear the current search expression, if any, and use only this search\n\ -expression.\n\ -\n\ -AUSEARCH_RULE_OR:\n\ -\n\ -If a search expression E is already configured, replace it by\n\ -(E || this_search_expression).\n\ -\n\ -AUSEARCH_RULE_AND:\n\ -If a search expression E is already configured, replace it by\n\ -(E && this_search_expression).\n\ -\n\ -No Return value, raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_search_add_expression(AuParser *self, PyObject *args) -{ - const char *expression; - char *error; - int how; - int result; - - if (!PyArg_ParseTuple(args, "si", &expression, &how)) return NULL; - PARSER_CHECK; - - result = ausearch_add_expression(self->au, expression, &error, how); - if (result == 0) Py_RETURN_NONE; - if (error == NULL) - PyErr_SetFromErrno(PyExc_EnvironmentError); - else { - PyErr_SetString(PyExc_EnvironmentError, error); - free(error); - } - return NULL; -} - -/******************************** - * ausearch_add_item - ********************************/ -PyDoc_STRVAR(search_add_item_doc, -"search_add_item(field, op, value, how) Build up search rule\n\ -\n\ -\n\ -search_add_item() adds one search condition to the current audit search\n\ -expression. The search conditions can then be used to scan logs, files, or\n\ -buffers for something of interest. The field value is the field name\n\ -that the value will be checked for. The op variable describes what\n\ -kind of check is to be done. Legal op values are:\n\ -\n\ -'exists':\n\ -Just check that a field name exists\n\ -\n\ -'=':\n\ -locate the field name and check that the value associated with it\n\ -is equal to the value given in this rule.\n\ -\n\ -'!=':\n\ -locate the field name and check that the value associated with\n\ -it is NOT equal to the value given in this rule.\n\ -\n\ -The value parameter is compared to the uninterpreted field value.\n\ -\n\ -The how parameter determines how this search expression will affect the\n\ -existing search expression, if one is already defined. The possible\n\ -values are:\n\ -\n\ -AUSEARCH_RULE_CLEAR:\n\ -Clear the current search expression, if any, and use only this search\n\ -expression.\n\ -\n\ -AUSEARCH_RULE_OR:\n\ -\n\ -If a search expression E is already configured, replace it by\n\ -(E || this_search_expression).\n\ -\n\ -AUSEARCH_RULE_AND:\n\ -If a search expression E is already configured, replace it by\n\ -(E && this_search_expression).\n\ -\n\ -No Return value, raises exception (EnvironmentError) on error.\n\ -"); - -static PyObject * -AuParser_search_add_item(AuParser *self, PyObject *args) -{ - const char *field; - const char *op; - const char *value; - int how; - int result; - - if (!PyArg_ParseTuple(args, "sssi", &field, &op, &value, &how)) return NULL; - PARSER_CHECK; - - result = ausearch_add_item(self->au, field, op, value, how); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * ausearch_add_interpreted_item - ********************************/ -PyDoc_STRVAR(search_add_interpreted_item_doc, -"search_add_interpreted_item(field, op, value, how) Build up search rule\n\ -\n\ -\n\ -search_add_interpreted_item() adds one search condition to the current audit\n\ -search expression. The search conditions can then be used to scan logs,\n\ -files, or buffers for something of interest. The field value is the field\n\ -name that the value will be checked for. The op variable describes what\n\ -kind of check is to be done. Legal op values are:\n\ -\n\ -'exists':\n\ -Just check that a field name exists\n\ -\n\ -'=':\n\ -locate the field name and check that the value associated with it\n\ -is equal to the value given in this rule.\n\ -\n\ -'!=':\n\ -locate the field name and check that the value associated with\n\ -it is NOT equal to the value given in this rule.\n\ -\n\ -The value parameter is compared to the interpreted field value (the value\n\ -that would be returned by AuParser.interpret_field).\n\ -\n\ -The how parameter determines how this search expression will affect the\n\ -existing search expression, if one is already defined. The possible\n\ -values are:\n\ -\n\ -AUSEARCH_RULE_CLEAR:\n\ -Clear the current search expression, if any, and use only this search\n\ -expression.\n\ -\n\ -AUSEARCH_RULE_OR:\n\ -\n\ -If a search expression E is already configured, replace it by\n\ -(E || this_search_expression).\n\ -\n\ -AUSEARCH_RULE_AND:\n\ -If a search expression E is already configured, replace it by\n\ -(E && this_search_expression).\n\ -\n\ -No Return value, raises exception (EnvironmentError) on error.\n\ -"); - -static PyObject * -AuParser_search_add_interpreted_item(AuParser *self, PyObject *args) -{ - const char *field; - const char *op; - const char *value; - int how; - int result; - - if (!PyArg_ParseTuple(args, "sssi", &field, &op, &value, &how)) return NULL; - PARSER_CHECK; - - result = ausearch_add_interpreted_item(self->au, field, op, value, how); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * ausearch_add_timestamp_item - ********************************/ -PyDoc_STRVAR(search_add_timestamp_item_doc, -"search_add_timestamp_item(op, sec, milli, how) Build up search rule\n\ -\n\ -\n\ -search_add_timestamp_item adds an event time condition to the current audit\n\ -search expression. The search conditions can then be used to scan logs,\n\ -files, or buffers for something of interest. The op parameter specifies the\n\ -desired comparison. Legal op values are \"<\", \"<=\", \">=\", \">\" and\n\ -\"=\". The left operand of the comparison operator is the timestamp of the\n\ -examined event, the right operand is specified by the sec and milli\n\ -parameters.\n\ -\n\ -The how parameter determines how this search expression will affect the\n\ -existing search expression, if one is already defined. The possible\n\ -values are:\n\ -\n\ -AUSEARCH_RULE_CLEAR:\n\ -Clear the current search expression, if any, and use only this search\n\ -expression.\n\ -\n\ -AUSEARCH_RULE_OR:\n\ -\n\ -If a search expression E is already configured, replace it by\n\ -(E || this_search_expression).\n\ -\n\ -AUSEARCH_RULE_AND:\n\ -If a search expression E is already configured, replace it by\n\ -(E && this_search_expression).\n\ -\n\ -No Return value, raises exception (EnvironmentError) on error.\n\ -"); - -static PyObject * -AuParser_search_add_timestamp_item(AuParser *self, PyObject *args) -{ - const char *op; - PY_LONG_LONG sec; - int milli; - int how; - int result; - - /* There's no completely portable way to handle time_t values from Python; - note that time_t might even be a floating-point type! PY_LONG_LONG - is at least enough not to worry about year 2038. - - milli is int because Python's 'I' format does no overflow checking. - Negative milli values will wrap to values > 1000 and - ausearch_add_timestamp_item will reject them. */ - if (!PyArg_ParseTuple(args, "sLii", &op, &sec, &milli, &how)) - return NULL; - PARSER_CHECK; - - result = ausearch_add_timestamp_item(self->au, op, sec, (unsigned)milli, - how); - if (result == 0) - Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * ausearch_add_timestamp_item_ex - ********************************/ -PyDoc_STRVAR(search_add_timestamp_item_ex_doc, -"search_add_timestamp_item_ex(op, sec, milli, serial, how) Build up search rule\n\ -search_add_timestamp_item_ex adds an event time condition to the current audit\n\ -search expression. Its similar to search_add_timestamp_item except it adds\n\ -the event serial number.\n\ -"); - -static PyObject * -AuParser_search_add_timestamp_item_ex(AuParser *self, PyObject *args) -{ - const char *op; - PY_LONG_LONG sec; - int milli; - int serial; - int how; - int result; - - /* There's no completely portable way to handle time_t values from Python; - note that time_t might even be a floating-point type! PY_LONG_LONG - is at least enough not to worry about year 2038. - - milli is int because Python's 'I' format does no overflow checking. - Negative milli values will wrap to values > 1000 and - ausearch_add_timestamp_item will reject them. */ - if (!PyArg_ParseTuple(args, "sLiiii", &op, &sec, &milli, &serial, &how)) - return NULL; - PARSER_CHECK; - - result = ausearch_add_timestamp_item_ex(self->au, op, sec, (unsigned)milli, - (unsigned)serial, how); - if (result == 0) - Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * ausearch_add_regex - ********************************/ -PyDoc_STRVAR(search_add_regex_doc, -"search_add_regex(regexp) Add a regular expression to the search criteria.\n\ -\n\ -No Return value, raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_search_add_regex(AuParser *self, PyObject *args) -{ - const char* regexp; - int result; - - if (!PyArg_ParseTuple(args, "s", ®exp)) return NULL; - PARSER_CHECK; - result = ausearch_add_regex(self->au, regexp); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * ausearch_set_stop - ********************************/ -PyDoc_STRVAR(search_set_stop_doc, -"search_set_stop(where) Set where cursor is positioned on search match.\n\ -\n\ -search_set_stop() determines where the internal cursor will stop when\n\ -a search condition is met. The possible values are:\n\ -\n\ -AUSEARCH_STOP_EVENT:\n\ -This one repositions the cursors to the first field of the first\n\ -record of the event con- taining the items searched for.\n\ -\n\ -AUSEARCH_STOP_RECORD:\n\ -This one repositions the cursors to the first field of the record\n\ -containing the items searched for.\n\ -\n\ -AUSEARCH_STOP_FIELD:\n\ -This one simply stops on the current field when the evaluation of the\n\ -rules becomes true.\n\ -\n\ -No Return value, raises exception (ValueError) on error.\n\ -"); -static PyObject * -AuParser_search_set_stop(AuParser *self, PyObject *args) -{ - int where; - int result; - - if (!PyArg_ParseTuple(args, "i", &where)) return NULL; - PARSER_CHECK; - result = ausearch_set_stop(self->au, where); - if (result == 0) Py_RETURN_NONE; - PyErr_SetFromErrno(PyExc_ValueError); - return NULL; -} - -/******************************** - * ausearch_clear - ********************************/ -PyDoc_STRVAR(search_clear_doc, -"search_clear() Clear search parameters.\n\ -\n\ -ausearch_clear clears any search parameters stored in the parser\n\ -instance and frees memory associated with it.\n\ -\n\ -No Return value.\n\ -"); -static PyObject * -AuParser_search_clear(AuParser *self) -{ - PARSER_CHECK; - ausearch_clear(self->au); - Py_RETURN_NONE; -} - -/******************************** - * ausearch_next_event - ********************************/ -PyDoc_STRVAR(search_next_event_doc, -"search_next_event() Find the next event that meets search criteria.\n\ -\n\ -search_next_event() will scan the input source and evaluate whether\n\ -any record in an event contains the data being searched\n\ -for. Evaluation is done at the record level.\n\ -\n\ -Returns True if a match was found\n\ -Returns False if a match was not found.\n\ -\n\ -Raises exception (EnvironmentError) on error\n\ -"); -static PyObject * -AuParser_search_next_event(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = ausearch_next_event(self->au); - if (result > 0) Py_RETURN_TRUE; - if (result == 0) Py_RETURN_FALSE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_next_event - ********************************/ -PyDoc_STRVAR(parse_next_event_doc, -"parse_next_event() Advance the parser to the next event.\n\ -\n\ -parse_next_event() will position the cursors at the first field of the first\n\ -record of the next event in a file or buffer. It does not skip events\n\ -or honor any search criteria that may be stored.\n\ -\n\ -Returns True if parser advances to next event.\n\ -Returns False if there are no more events to parse\n\ -\n\ -Raises exception (EnvironmentError) on error\n\ -"); -static PyObject * -AuParser_parse_next_event(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_next_event(self->au); - if (result > 0) Py_RETURN_TRUE; - if (result == 0) Py_RETURN_FALSE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_get_timestamp - ********************************/ -PyDoc_STRVAR(get_timestamp_doc, -"get_timestamp() Return current event's timestamp.\n\ -\n\ -Returns the current event's timestamp info as an AuEvent object.\n\ -No Return value, raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_get_timestamp(AuParser *self) -{ - const au_event_t *event_ptr; - PyObject *py_event; - - PARSER_CHECK; - event_ptr = auparse_get_timestamp(self->au); - - if (event_ptr == NULL) { - if (errno) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; - } else { - Py_RETURN_NONE; - } - } - py_event = AuEvent_new_from_struct(event_ptr); - Py_INCREF(py_event); /* FIXME: should we be bumping the ref count? */ - return py_event; -} - -/******************************** - * auparse_get_num_records - ********************************/ -PyDoc_STRVAR(get_num_records_doc, -"get_num_records() Get the number of records.\n\ -\n\ -Returns the number of records in the current event.\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_get_num_records(AuParser *self) -{ - int num_records; - - PARSER_CHECK; - num_records = auparse_get_num_records(self->au); - if (num_records == 0) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; - } - return Py_BuildValue("i", num_records); -} - -/******************************** - * auparse_first_record - ********************************/ -PyDoc_STRVAR(first_record_doc, -"first_record() Reposition record cursor.\n\ -\n\ -first_record() repositions the internal cursors of the parsing library\n\ -to point to the first record in the current event.\n\ -\n\ -Return True for success, False if there is no event data.\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_first_record(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_first_record(self->au); - if (result > 0) Py_RETURN_TRUE; - if (result == 0) Py_RETURN_FALSE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_next_record - ********************************/ -PyDoc_STRVAR(next_record_doc, -"next_record() Advance record cursor.\n\ -\n\ -next_record() will move the internal library cursors to point to the\n\ -next record of the current event.\n\ -\n\ -Returns True on success, False if no more records in current event\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_next_record(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_next_record(self->au); - - if (result > 0) Py_RETURN_TRUE; - if (result == 0) Py_RETURN_FALSE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_goto_record_num - ********************************/ -PyDoc_STRVAR(goto_record_num_doc, -"goto_record_num() Move record cursor to specific position.\n\ -\n\ -goto_record_num() will move the internal library cursors to point\n\ -to a specific physical record number. Records within the same event are\n\ -numbered starting from 0. This is generally not needed but there are\n\ -some cases where one may want precise control over the exact record\n\ -being looked at.\n\ -\n\ -Returns True on success, False if no more records in current event\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_goto_record_num(AuParser *self, PyObject *args) -{ - int result; - unsigned int num; - - if (!PyArg_ParseTuple(args, "i", &num)) return NULL; - PARSER_CHECK; - result = auparse_goto_record_num(self->au, num); - - if (result > 0) Py_RETURN_TRUE; - if (result == 0) Py_RETURN_FALSE; - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; -} - -/******************************** - * auparse_get_type - ********************************/ -PyDoc_STRVAR(get_type_doc, -"get_type() Get record’s type.\n\ -\n\ -get_type() will return the integer value for the current record of the\n\ -current event.\n\ -\n\ -Returns record type.\n\ -Raises exception (LookupError) on error.\n\ -"); -static PyObject * -AuParser_get_type(AuParser *self) -{ - int value; - - PARSER_CHECK; - value = auparse_get_type(self->au); - - if (value == 0) { - PyErr_SetString(PyExc_LookupError, "Not found"); - return NULL; - } - return Py_BuildValue("i", value); -} - -/******************************** - * auparse_get_type_name - ********************************/ -PyDoc_STRVAR(get_type_name_doc, -"get_type_name() Get current record’s type name.\n\ -\n\ -get_type_name() allows access to the current record type name in the\n\ -current event.\n\ -\n\ -Returns None if the record type name is unavailable.\n\ -"); -static PyObject * -AuParser_get_type_name(AuParser *self) -{ - const char *name = NULL; - - PARSER_CHECK; - name = auparse_get_type_name(self->au); - return Py_BuildValue("s", name); -} - -/******************************** - * auparse_get_line_number - ********************************/ -PyDoc_STRVAR(get_line_number_doc, -"auparse_get_line_number() get line number where record was found\n\ -\n\ -get_line_number will return the source input line number for\n\ -the current record of the current event. Line numbers start at 1. If\n\ -the source input type is AUSOURCE_FILE_ARRAY the line numbering will\n\ -reset back to 1 each time a new life in the file array is opened.\n\ -"); -static PyObject * -AuParser_get_line_number(AuParser *self) -{ - unsigned int value; - - PARSER_CHECK; - value = auparse_get_line_number(self->au); - return Py_BuildValue("I", value); -} - -/******************************** - * auparse_get_filename - ********************************/ -PyDoc_STRVAR(get_filename_doc, -"auparse_get_filename() get the filename where record was found\n\ -get_filename() will return the name of the source file where the\n\ -record was found if the source type is AUSOURCE_FILE or\n\ -AUSOURCE_FILE_ARRAY. For other source types the return value will be\n\ -None.\n\ -"); -static PyObject * -AuParser_get_filename(AuParser *self) -{ - const char *value; - - PARSER_CHECK; - value = auparse_get_filename(self->au); - - if (value == NULL) Py_RETURN_NONE; - return Py_BuildValue("s", value); -} - -/******************************** - * auparse_first_field - ********************************/ -PyDoc_STRVAR(first_field_doc, -"first_field() Reposition field cursor.\n\ -\n\ -Returns True on success, False if there is no event data\n\ -"); -static PyObject * -AuParser_first_field(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_first_field(self->au); - - if (result == 0) Py_RETURN_FALSE; - Py_RETURN_TRUE; -} - -/******************************** - * auparse_next_field - ********************************/ -PyDoc_STRVAR(next_field_doc, -"next_field() Advance the field cursor.\n\ -\n\ -next_field() moves the library’s internal cursor to point to the next\n\ -field in the current record of the current event.\n\ -\n\ -Returns True on success, False if there is no more fields exist\n\ -"); -static PyObject * -AuParser_next_field(AuParser *self) -{ - int result; - - PARSER_CHECK; - result = auparse_next_field(self->au); - - if (result == 0) Py_RETURN_FALSE; - Py_RETURN_TRUE; -} - -/******************************** - * auparse_get_num_fields - ********************************/ -PyDoc_STRVAR(get_num_fields_doc, -"get_num_fields() Get the number of fields.\n\ -\n\ -Returns the number of fields in the current event.\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_get_num_fields(AuParser *self) -{ - int num_fields; - - PARSER_CHECK; - num_fields = auparse_get_num_fields(self->au); - if (num_fields == 0) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; - } - return Py_BuildValue("i", num_fields); -} - -/******************************** - * auparse_get_record_text - ********************************/ -PyDoc_STRVAR(get_record_text_doc, -"get_record_text() Return unparsed record data\n\ -\n\ -get_record_text() returns the full unparsed record.\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_get_record_text(AuParser *self) -{ - const char *text; - - PARSER_CHECK; - text = auparse_get_record_text(self->au); - - if (text == NULL) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; - } - return Py_BuildValue("s", text); -} - -/******************************** - * auparse_find_field - ********************************/ -PyDoc_STRVAR(find_field_doc, -"find_field(name) Search for field name.\n\ -\n\ -find_field() will scan all records in an event to find the first\n\ -occurance of the field name passed to it. Searching begins from the\n\ -cursor’s current position. The field name is stored for subsequent\n\ -searching.\n\ -\n\ -Returns value associated with field or None if not found.\n\ -"); -static PyObject * -AuParser_find_field(AuParser *self, PyObject *args) -{ - char *name = NULL; - const char *value; - - if (!PyArg_ParseTuple(args, "s:find_field", &name)) return NULL; - PARSER_CHECK; - if ((value =auparse_find_field(self->au, name)) == NULL) { - if (errno) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; - } else { - Py_RETURN_NONE; - } - } - return Py_BuildValue("s", value); -} - -const char *auparse_find_field_next(auparse_state_t *au); -/******************************** - * auparse_find_field_next - ********************************/ -PyDoc_STRVAR(find_field_next_doc, -"find_field_next() Get next occurrance of field name\n\ -\n\ -find_field_next() returns the value associated next occurrance of field name.\n\ -Returns value associated with field or None if there is no next field.\n\ -Raises exception (EnvironmentError) on error.\n\ -"); -static PyObject * -AuParser_find_field_next(AuParser *self) -{ - const char *value; - - PARSER_CHECK; - if ((value = auparse_find_field_next(self->au)) == NULL) { - if (errno) { - PyErr_SetFromErrno(PyExc_EnvironmentError); - return NULL; - } else { - Py_RETURN_NONE; - } - } - return Py_BuildValue("s", value); -} - -/******************************** - * auparse_get_field_name - ********************************/ -PyDoc_STRVAR(get_field_name_doc, -"get_field_name() Get current field’s name.\n\ -\n\ -get_field_name() allows access to the current field name of the\n\ -current record in the current event.\n\ -\n\ -Returns None if the field value is unavailable.\n\ -"); -static PyObject * -AuParser_get_field_name(AuParser *self) -{ - const char *name = NULL; - - PARSER_CHECK; - name = auparse_get_field_name(self->au); - return Py_BuildValue("s", name); -} - -/******************************** - * auparse_get_field_str - ********************************/ -PyDoc_STRVAR(get_field_str_doc, -"get_field_str() get current field’s value\n\ -\n\ -get_field_str() allows access to the value in the current field of the\n\ -current record in the current event.\n\ -\n\ -Returns None if the field value is unavailable.\n\ -"); -static PyObject * -AuParser_get_field_str(AuParser *self) -{ - const char *value = NULL; - - PARSER_CHECK; - value = auparse_get_field_str(self->au); - return Py_BuildValue("s", value); -} - -/******************************** - * auparse_get_field_type - ********************************/ -PyDoc_STRVAR(get_field_type_doc, -"get_field_type() Get current field’s data type value.\n\ -\n\ -get_field_type() returns a value from the auparse_type_t enum that\n\ -describes the kind of data in the current field of the current record\n\ -in the current event.\n\ -\n\ -Returns AUPARSE_TYPE_UNCLASSIFIED if the field’s data type has no\n\ -known description or is an integer. Otherwise it returns another enum.\n\ -Fields with the type AUPARSE_TYPE_ESCAPED must be interpretted to access\n\ -their value since those field’s raw value is encoded.\n\ -"); -static PyObject * -AuParser_get_field_type(AuParser *self) -{ - int value; - - PARSER_CHECK; - value = auparse_get_field_type(self->au); - return Py_BuildValue("i", value); -} - -/******************************** - * auparse_get_field_int - ********************************/ -PyDoc_STRVAR(get_field_int_doc, -"get_field_int() Get current field’s value as an integer.\n\ -\n\ -get_field_int() allows access to the value as an int of the current\n\ -field of the current record in the current event.\n\ -\n\ -Returns None if the field value is unavailable.\n\ -"); -static PyObject * -AuParser_get_field_int(AuParser *self) -{ - int value; - - PARSER_CHECK; - value = auparse_get_field_int(self->au); - if (errno == 0) return Py_BuildValue("i", value); - Py_RETURN_NONE; -} - -// FIXME: can't tell if interpret is succesful, always returns some string in somewhat arbitrary format. -PyDoc_STRVAR(interpret_field_doc, -"interpret_field() Return an interpretation of the current field as a string that has the chosen character escaping applied.\n\ -\n\ -If the field cannot be interpreted the field is returned unmodified.\n\ -Returns None if the field value is unavailable.\n\ -"); -static PyObject * -AuParser_interpret_field(AuParser *self) -{ - const char *value = NULL; - - PARSER_CHECK; - value = auparse_interpret_field(self->au); - return Py_BuildValue("s", value); -} - -static -PyGetSetDef AuParser_getseters[] = { - {NULL} /* Sentinel */ -}; - -static -PyMemberDef AuParser_members[] = { - {NULL} /* Sentinel */ -}; - -static PyMethodDef AuParser_methods[] = { - {"feed", (PyCFunction)AuParser_feed, METH_VARARGS, feed_doc}, - {"flush_feed", (PyCFunction)AuParser_flush_feed, METH_NOARGS, flush_feed_doc}, - {"add_callback", (PyCFunction)AuParser_add_callback, METH_VARARGS, add_callback_doc}, - {"set_escape_mode", (PyCFunction)AuParser_set_escape_mode, METH_VARARGS, set_escape_mode_doc}, - {"reset", (PyCFunction)AuParser_reset, METH_NOARGS, reset_doc}, - {"search_add_expression", (PyCFunction)AuParser_search_add_expression, METH_VARARGS, search_add_expression_doc}, - {"search_add_item", (PyCFunction)AuParser_search_add_item, METH_VARARGS, search_add_item_doc}, - {"search_add_interpreted_item", (PyCFunction)AuParser_search_add_interpreted_item, METH_VARARGS, search_add_interpreted_item_doc}, - {"search_add_timestamp_item", (PyCFunction)AuParser_search_add_timestamp_item, METH_VARARGS, search_add_timestamp_item_doc}, - {"search_add_timestamp_item_ex", (PyCFunction)AuParser_search_add_timestamp_item_ex, METH_VARARGS, search_add_timestamp_item_ex_doc}, - {"search_add_regex", (PyCFunction)AuParser_search_add_regex, METH_VARARGS, search_add_regex_doc}, - {"search_set_stop", (PyCFunction)AuParser_search_set_stop, METH_VARARGS, search_set_stop_doc}, - {"search_clear", (PyCFunction)AuParser_search_clear, METH_NOARGS, search_clear_doc}, - {"search_next_event", (PyCFunction)AuParser_search_next_event, METH_NOARGS, search_next_event_doc}, - {"parse_next_event", (PyCFunction)AuParser_parse_next_event, METH_NOARGS, parse_next_event_doc}, - {"get_timestamp", (PyCFunction)AuParser_get_timestamp, METH_NOARGS, get_timestamp_doc}, - {"get_num_records", (PyCFunction)AuParser_get_num_records, METH_NOARGS, get_num_records_doc}, - {"first_record", (PyCFunction)AuParser_first_record, METH_NOARGS, first_record_doc}, - {"next_record", (PyCFunction)AuParser_next_record, METH_NOARGS, next_record_doc}, - {"goto_record_num", (PyCFunction)AuParser_goto_record_num, METH_VARARGS, goto_record_num_doc}, - {"get_type", (PyCFunction)AuParser_get_type, METH_NOARGS, get_type_doc}, - {"get_type_name", (PyCFunction)AuParser_get_type_name, METH_NOARGS, get_type_name_doc}, - {"get_line_number", (PyCFunction)AuParser_get_line_number, METH_NOARGS, get_line_number_doc}, - {"get_filename", (PyCFunction)AuParser_get_filename, METH_NOARGS, get_filename_doc}, - {"first_field", (PyCFunction)AuParser_first_field, METH_NOARGS, first_field_doc}, - {"next_field", (PyCFunction)AuParser_next_field, METH_NOARGS, next_field_doc}, - {"get_num_fields", (PyCFunction)AuParser_get_num_fields, METH_NOARGS, get_num_fields_doc}, - {"get_record_text", (PyCFunction)AuParser_get_record_text, METH_NOARGS, get_record_text_doc}, - {"find_field_next", (PyCFunction)AuParser_find_field_next, METH_NOARGS, find_field_next_doc}, - {"find_field", (PyCFunction)AuParser_find_field, METH_VARARGS, find_field_doc}, - {"get_field_name", (PyCFunction)AuParser_get_field_name, METH_NOARGS, get_field_name_doc}, - {"get_field_str", (PyCFunction)AuParser_get_field_str, METH_NOARGS, get_field_str_doc}, - {"get_field_type", (PyCFunction)AuParser_get_field_type, METH_NOARGS, get_field_type_doc}, - {"get_field_int", (PyCFunction)AuParser_get_field_int, METH_NOARGS, get_field_int_doc}, - {"interpret_field", (PyCFunction)AuParser_interpret_field, METH_NOARGS, interpret_field_doc}, - {NULL, NULL} /* Sentinel */ -}; - -PyDoc_STRVAR(AuParser_doc, -"AuParser(source_type, source)\n\ -\n\ -Construct a new audit parser object and bind it to input data.\n\ -source_type: one of the AUSOURCE_* constants.\n\ -source: the input data, dependent on the source_type as follows:\n\ -\n\ -AUSOURCE_LOGS: None (system log files will be parsed)\n\ -AUSOURCE_FILE: string containing file path name\n\ -AUSOURCE_FILE_ARRAY: list or tuple of strings each containing a file path name\n\ -AUSOURCE_BUFFER: string containing audit data to parse\n\ -AUSOURCE_BUFFER_ARRAY: list or tuple of strings each containing audit data to parse\n\ -AUSOURCE_DESCRIPTOR: integer file descriptor (e.g. fileno)\n\ -AUSOURCE_FILE_POINTER: file object (e.g. types.FileType)\n\ -AUSOURCE_FEED: None (data supplied via feed()\n\ -"); - -static PyTypeObject AuParserType = { - PyVarObject_HEAD_INIT(NULL, 0) - "auparse.AuParser", /*tp_name*/ - sizeof(AuParser), /*tp_basicsize*/ - 0, /*tp_itemsize*/ - (destructor)AuParser_dealloc, /*tp_dealloc*/ - 0, /*tp_print*/ - 0, /*tp_getattr*/ - 0, /*tp_setattr*/ - 0, /*tp_compare*/ - 0, /*tp_repr*/ - 0, /*tp_as_number*/ - 0, /*tp_as_sequence*/ - 0, /*tp_as_mapping*/ - 0, /*tp_hash */ - 0, /*tp_call*/ - 0, /*tp_str*/ - 0, /*tp_getattro*/ - 0, /*tp_setattro*/ - 0, /*tp_as_buffer*/ - Py_TPFLAGS_DEFAULT, /*tp_flags*/ - AuParser_doc, /* tp_doc */ - 0, /* tp_traverse */ - 0, /* tp_clear */ - 0, /* tp_richcompare */ - 0, /* tp_weaklistoffset */ - 0, /* tp_iter */ - 0, /* tp_iternext */ - AuParser_methods, /* tp_methods */ - AuParser_members, /* tp_members */ - AuParser_getseters, /* tp_getset */ - 0, /* tp_base */ - 0, /* tp_dict */ - 0, /* tp_descr_get */ - 0, /* tp_descr_set */ - 0, /* tp_dictoffset */ - (initproc)AuParser_init, /* tp_init */ - 0, /* tp_alloc */ - AuParser_new, /* tp_new */ -}; - - - -/*=========================================================================== - * Module - *===========================================================================*/ - -PyDoc_STRVAR(auparse_doc, -"Parsing library for audit messages.\n\ -\n\ -The module defines the following exceptions:\n\ -\n\ -NoParser: Raised if the underlying C code parser is not bound to the AuParser object.\n\ -"); - -static PyMethodDef module_methods[] = { - {NULL} /* Sentinel */ -}; - -#ifdef IS_PY3K -static struct PyModuleDef auparse_def = { - PyModuleDef_HEAD_INIT, - "auparse", - NULL, - -1, - module_methods, - NULL, - NULL, - NULL, - NULL -}; - -PyMODINIT_FUNC -PyInit_auparse(void) -#else -PyMODINIT_FUNC -initauparse(void) -#endif -{ - PyObject* m; - - if (PyType_Ready(&AuEventType) < 0) MODINITERROR; - if (PyType_Ready(&AuParserType) < 0) MODINITERROR; - -#ifdef IS_PY3K - m = PyModule_Create(&auparse_def); -#else - m = Py_InitModule3("auparse", module_methods, auparse_doc); -#endif - - if (m == NULL) - MODINITERROR; - - Py_INCREF(&AuParserType); - PyModule_AddObject(m, "AuParser", (PyObject *)&AuParserType); - - Py_INCREF(&AuEventType); - PyModule_AddObject(m, "AuEvent", (PyObject *)&AuEventType); - - /* exceptions */ - NoParserError = PyErr_NewException("auparse.NoParser", NULL, NULL); - Py_INCREF(NoParserError); - PyModule_AddObject(m, "NoParser", NoParserError); - - /* ausource_t */ - PyModule_AddIntConstant(m, "AUSOURCE_LOGS", AUSOURCE_LOGS); - PyModule_AddIntConstant(m, "AUSOURCE_FILE", AUSOURCE_FILE); - PyModule_AddIntConstant(m, "AUSOURCE_FILE_ARRAY", AUSOURCE_FILE_ARRAY); - PyModule_AddIntConstant(m, "AUSOURCE_BUFFER", AUSOURCE_BUFFER); - PyModule_AddIntConstant(m, "AUSOURCE_BUFFER_ARRAY", AUSOURCE_BUFFER_ARRAY); - PyModule_AddIntConstant(m, "AUSOURCE_DESCRIPTOR", AUSOURCE_DESCRIPTOR); - PyModule_AddIntConstant(m, "AUSOURCE_FILE_POINTER", AUSOURCE_FILE_POINTER); - PyModule_AddIntConstant(m, "AUSOURCE_FEED", AUSOURCE_FEED); - - /* ausearch_op_t */ - PyModule_AddIntConstant(m, "AUSEARCH_UNSET", AUSEARCH_UNSET); - PyModule_AddIntConstant(m, "AUSEARCH_EXISTS", AUSEARCH_EXISTS); - PyModule_AddIntConstant(m, "AUSEARCH_EQUAL", AUSEARCH_EQUAL); - PyModule_AddIntConstant(m, "AUSEARCH_NOT_EQUAL", AUSEARCH_NOT_EQUAL); - PyModule_AddIntConstant(m, "AUSEARCH_TIME_LT", AUSEARCH_TIME_LT); - PyModule_AddIntConstant(m, "AUSEARCH_TIME_LE", AUSEARCH_TIME_LE); - PyModule_AddIntConstant(m, "AUSEARCH_TIME_GE", AUSEARCH_TIME_GE); - PyModule_AddIntConstant(m, "AUSEARCH_TIME_GT", AUSEARCH_TIME_GT); - PyModule_AddIntConstant(m, "AUSEARCH_TIME_EQ", AUSEARCH_TIME_EQ); - PyModule_AddIntConstant(m, "AUSEARCH_INTERPRETED", 0x40000000); - - /* austop_t */ - PyModule_AddIntConstant(m, "AUSEARCH_STOP_EVENT", AUSEARCH_STOP_EVENT); - PyModule_AddIntConstant(m, "AUSEARCH_STOP_RECORD", AUSEARCH_STOP_RECORD); - PyModule_AddIntConstant(m, "AUSEARCH_STOP_FIELD", AUSEARCH_STOP_FIELD); - - /* ausearch_rule_t */ - PyModule_AddIntConstant(m, "AUSEARCH_RULE_CLEAR", AUSEARCH_RULE_CLEAR); - PyModule_AddIntConstant(m, "AUSEARCH_RULE_OR", AUSEARCH_RULE_OR); - PyModule_AddIntConstant(m, "AUSEARCH_RULE_AND", AUSEARCH_RULE_AND); - PyModule_AddIntConstant(m, "AUSEARCH_RULE_REGEX", AUSEARCH_RULE_REGEX); - - /* auparse_cb_event_t */ - PyModule_AddIntConstant(m, "AUPARSE_CB_EVENT_READY", AUPARSE_CB_EVENT_READY); - /* auparse_type_t */ - PyModule_AddIntConstant(m, "AUPARSE_TYPE_UNCLASSIFIED", AUPARSE_TYPE_UNCLASSIFIED); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_UID", AUPARSE_TYPE_UID); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_GID", AUPARSE_TYPE_GID); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_SYSCALL", AUPARSE_TYPE_SYSCALL); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_ARCH", AUPARSE_TYPE_ARCH); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_EXIT", AUPARSE_TYPE_EXIT); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_ESCAPED", AUPARSE_TYPE_ESCAPED); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_PERM", AUPARSE_TYPE_PERM); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_MODE", AUPARSE_TYPE_MODE); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_SOCKADDR", AUPARSE_TYPE_SOCKADDR); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_FLAGS", AUPARSE_TYPE_FLAGS); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_PROMISC", AUPARSE_TYPE_PROMISC); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_CAPABILITY", AUPARSE_TYPE_CAPABILITY); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_SUCCESS", AUPARSE_TYPE_SUCCESS); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_A0", AUPARSE_TYPE_A0); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_A1", AUPARSE_TYPE_A1); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_A2", AUPARSE_TYPE_A2); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_SIGNAL", AUPARSE_TYPE_SIGNAL); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_LIST", AUPARSE_TYPE_LIST); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_TTY_DATA", AUPARSE_TYPE_TTY_DATA); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_SESSION", AUPARSE_TYPE_SESSION); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_CAP_BITMAP", AUPARSE_TYPE_CAP_BITMAP); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_NFPROTO", AUPARSE_TYPE_NFPROTO); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_ICMPTYPE", AUPARSE_TYPE_ICMPTYPE); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_PROTOCOL", AUPARSE_TYPE_PROTOCOL); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_ADDR", AUPARSE_TYPE_ADDR); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_PERSONALITY", AUPARSE_TYPE_PERSONALITY); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_SECCOMP", AUPARSE_TYPE_SECCOMP); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_OFLAG", AUPARSE_TYPE_OFLAG); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_MMAP", AUPARSE_TYPE_MMAP); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_MODE_SHORT", AUPARSE_TYPE_MODE_SHORT); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_MAC_LABEL", AUPARSE_TYPE_MAC_LABEL); - PyModule_AddIntConstant(m, "AUPARSE_TYPE_PROCTITLE", AUPARSE_TYPE_PROCTITLE); - - /* Escape types */ - PyModule_AddIntConstant(m, "AUPARSE_ESC_RAW", AUPARSE_ESC_RAW); - PyModule_AddIntConstant(m, "AUPARSE_ESC_TTY", AUPARSE_ESC_TTY); - PyModule_AddIntConstant(m, "AUPARSE_ESC_SHELL", AUPARSE_ESC_SHELL); - PyModule_AddIntConstant(m, "AUPARSE_ESC_SHELL_QUOTE", AUPARSE_ESC_SHELL_QUOTE); - -#ifdef IS_PY3K - return m; -#endif -} |