diff options
Diffstat (limited to 'framework/src/audit/src/aureport-output.c')
-rw-r--r-- | framework/src/audit/src/aureport-output.c | 1023 |
1 files changed, 1023 insertions, 0 deletions
diff --git a/framework/src/audit/src/aureport-output.c b/framework/src/audit/src/aureport-output.c new file mode 100644 index 00000000..9125d5ff --- /dev/null +++ b/framework/src/audit/src/aureport-output.c @@ -0,0 +1,1023 @@ +/* +* aureport-output.c - Print the report +* Copyright (c) 2005-06,2008,2014 Red Hat Inc., Durham, North Carolina. +* All Rights Reserved. +* +* This software may be freely redistributed and/or modified under the +* terms of the GNU General Public License as published by the Free +* Software Foundation; either version 2, or (at your option) any +* later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; see the file COPYING. If not, write to the +* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +* +* Authors: +* Steve Grubb <sgrubb@redhat.com> +*/ + +#include "config.h" +#include <stdio.h> +#include <string.h> +#include <ctype.h> +#include "aureport-scan.h" +#include "aureport-options.h" +#include "ausearch-lookup.h" + +/* Locale functions */ +static void print_title_summary(void); +static void print_title_detailed(void); +static void do_summary_output(void); +static void do_file_summary_output(slist *sptr); +static void do_string_summary_output(slist *sptr); +static void do_user_summary_output(slist *sptr); +static void do_int_summary_output(ilist *sptr); +static void do_syscall_summary_output(ilist *sptr); +static void do_type_summary_output(ilist *sptr); + +/* Local Data */ +unsigned int line_item; + + +void print_title(void) +{ + line_item = 0U; + printf("\n"); + switch (report_detail) + { + case D_SUM: + print_title_summary(); + break; + case D_DETAILED: + print_title_detailed(); + break; + case D_SPECIFIC: + default: + break; + } +} + +static void print_title_summary(void) +{ + if (event_failed == F_FAILED) printf("Failed "); + if (event_failed == F_SUCCESS) printf("Success "); + switch (report_type) + { + case RPT_SUMMARY: + printf("Summary Report\n"); + printf("======================\n"); + break; + case RPT_AVC: + printf("Avc Object Summary Report\n"); + printf("=================================\n"); + printf("total obj\n"); + printf("=================================\n"); + break; + case RPT_MAC: + printf("MAC Summary Report\n"); + printf("==================\n"); + printf("total type\n"); + printf("==================\n"); + break; + case RPT_INTEG: + printf("Integrity Summary Report\n"); + printf("========================\n"); + printf("total type\n"); + printf("========================\n"); + break; + case RPT_VIRT: + printf("Virtualization Summary Report\n"); + printf("=============================\n"); + printf("total type\n"); + printf("=============================\n"); + break; + case RPT_CONFIG: + printf("Config Change Summary Report\n"); + printf("============================\n"); + printf("total type\n"); + printf("============================\n"); + break; + case RPT_AUTH: + printf("Authentication Summary Report\n"); + printf("=============================\n"); + printf("total acct\n"); + printf("=============================\n"); + break; + case RPT_LOGIN: + printf("Login Summary Report\n"); + printf("============================\n"); + printf("total auid\n"); + printf("============================\n"); + break; + case RPT_ACCT_MOD: + printf("Acct Modification Summary Report\n"); + printf("================================\n"); + printf("total type\n"); + printf("================================\n"); + break; + case RPT_TIME: + UNIMPLEMENTED; + break; + case RPT_EVENT: + printf("Event Summary Report\n"); + printf("======================\n"); + printf("total type\n"); + printf("======================\n"); + break; + case RPT_FILE: + printf("File Summary Report\n"); + printf("===========================\n"); + printf("total file\n"); + printf("===========================\n"); + break; + case RPT_HOST: + printf("Host Summary Report\n"); + printf("===========================\n"); + printf("total host\n"); + printf("===========================\n"); + break; + case RPT_PID: + printf("Pid Summary Report\n"); + printf("==========================\n"); + printf("total pid\n"); + printf("==========================\n"); + break; + case RPT_SYSCALL: + printf("Syscall Summary Report\n"); + printf("==========================\n"); + printf("total syscall\n"); + printf("==========================\n"); + break; + case RPT_TERM: + printf("Terminal Summary Report\n"); + printf("===============================\n"); + printf("total terminal\n"); + printf("===============================\n"); + break; + case RPT_USER: + printf("User Summary Report\n"); + printf("===========================\n"); + printf("total auid\n"); + printf("===========================\n"); + break; + case RPT_EXE: + printf("Executable Summary Report\n"); + printf("=================================\n"); + printf("total file\n"); + printf("=================================\n"); + break; + case RPT_COMM: + printf("Command Summary Report\n"); + printf("=================================\n"); + printf("total command\n"); + printf("=================================\n"); + break; + case RPT_ANOMALY: + printf("Anomaly Summary Report\n"); + printf("======================\n"); + printf("total type\n"); + printf("======================\n"); + break; + case RPT_RESPONSE: + printf("Anomaly Response Summary Report\n"); + printf("===============================\n"); + printf("total type\n"); + printf("===============================\n"); + break; + case RPT_CRYPTO: + printf("Crypto Summary Report\n"); + printf("=====================\n"); + printf("total type\n"); + printf("=====================\n"); + break; + case RPT_KEY: + printf("Key Summary Report\n"); + printf("===========================\n"); + printf("total key\n"); + printf("===========================\n"); + break; + case RPT_TTY: + UNIMPLEMENTED; + break; + default: + break; + } +} + +static void print_title_detailed(void) +{ + switch (report_type) + { + case RPT_AVC: + printf("AVC Report\n"); + printf( + "========================================================\n"); + printf( + "# date time comm subj syscall class permission obj event\n"); + printf( + "========================================================\n"); + break; + case RPT_CONFIG: + printf("Config Change Report\n"); + printf("===================================\n"); + printf("# date time type auid success event\n"); + printf("===================================\n"); + break; + case RPT_AUTH: + printf("Authentication Report\n"); + printf( + "============================================\n"); + printf( + "# date time acct host term exe success event\n"); + printf( + "============================================\n"); + break; + case RPT_LOGIN: + printf("Login Report\n"); + printf( + "============================================\n"); + printf( + "# date time auid host term exe success event\n"); + printf( + "============================================\n"); + break; + case RPT_ACCT_MOD: + printf("Account Modifications Report\n"); + printf( + "=================================================\n"); + printf( + "# date time auid addr term exe acct success event\n"); + printf( + "=================================================\n"); + break; + case RPT_TIME: + printf("Log Time Range Report\n"); + printf("=====================\n"); + break; + case RPT_EVENT: + if (report_detail == D_DETAILED) { + printf("Event Report\n"); + printf("===================================\n"); + printf("# date time event type auid success\n"); + printf("===================================\n"); + } else { + printf("Specific Event Report\n"); + printf("=====================\n"); + } + break; + case RPT_FILE: + if (report_detail == D_DETAILED) { + printf("File Report\n"); + printf( + "===============================================\n"); + printf( + "# date time file syscall success exe auid event\n"); + printf( + "===============================================\n"); + } else { + printf("Specific File Report\n"); + printf("====================\n"); + } + break; + case RPT_HOST: + if (report_detail == D_DETAILED) { + printf("Host Report\n"); + printf("===================================\n"); + printf("# date time host syscall auid event\n"); + printf("===================================\n"); + } else { + printf("Specific Host Report\n"); + printf("====================\n"); + } + break; + case RPT_PID: + if (report_detail == D_DETAILED) { + printf("Process ID Report\n"); + printf( + "======================================\n"); + printf( + "# date time pid exe syscall auid event\n"); + printf( + "======================================\n"); + } else { + printf("Specific Process ID Report\n"); + printf("==========================\n"); + } + break; + case RPT_SYSCALL: + if (report_detail == D_DETAILED) { + printf("Syscall Report\n"); + printf( + "=======================================\n"); + printf( + "# date time syscall pid comm auid event\n"); + printf( + "=======================================\n"); + } else { + printf("Specific Syscall Report\n"); + printf("=======================\n"); + } + break; + case RPT_TERM: + if (report_detail == D_DETAILED) { + printf("Terminal Report\n"); + printf( + "====================================\n"); + printf( + "# date time term host exe auid event\n"); + printf( + "====================================\n"); + } else { + printf("Specific Terminal Report\n"); + printf("========================\n"); + } + break; + case RPT_USER: + if (report_detail == D_DETAILED) { + printf("User ID Report\n"); + printf( + "====================================\n"); + printf( + "# date time auid term host exe event\n"); + printf( + "====================================\n"); + } else { + printf("Specific User ID Report\n"); + printf("=======================\n"); + } + break; + case RPT_EXE: + if (report_detail == D_DETAILED) { + printf("Executable Report\n"); + printf( + "====================================\n"); + printf( + "# date time exe term host auid event\n"); + printf( + "====================================\n"); + } else { + printf("Specific Executable Report\n"); + printf("==========================\n"); + } + break; + case RPT_COMM: + if (report_detail == D_DETAILED) { + printf("Command Report\n"); + printf( + "====================================\n"); + printf( + "# date time comm term host auid event\n"); + printf( + "=====================================\n"); + } else { + printf("Specific command Report\n"); + printf("=======================\n"); + } + break; + case RPT_ANOMALY: + if (report_detail == D_DETAILED) { + printf("Anomaly Report\n"); + printf( + "=========================================\n"); + printf( + "# date time type exe term host auid event\n"); + printf( + "=========================================\n"); + } else { + printf("Specific Anomaly Report\n"); + printf("=======================\n"); + } + break; + case RPT_RESPONSE: + if (report_detail == D_DETAILED) { + printf("Response to Anomaly Report\n"); + printf("==============================\n"); + printf("# date time type success event\n"); + printf("==============================\n"); + } else { + printf("Specific Response to Anomaly Report\n"); + printf("===================================\n"); + } + break; + case RPT_MAC: + if (report_detail == D_DETAILED) { + printf("MAC Report\n"); + printf("===================================\n"); + printf("# date time auid type success event\n"); + printf("===================================\n"); + } else { + printf("Specific Mandatory Access Control (MAC) Report\n"); + printf("===================================\n"); + } + break; + case RPT_INTEG: + if (report_detail == D_DETAILED) { + printf("Integrity Report\n"); + printf("==============================\n"); + printf("# date time type success event\n"); + printf("==============================\n"); + } else { + printf("Specific Integrity Report\n"); + printf("==============================\n"); + } + break; + case RPT_VIRT: + if (report_detail == D_DETAILED) { + printf("Virtualization Report\n"); + printf("==============================\n"); + printf("# date time type success event\n"); + printf("==============================\n"); + } else { + printf("Specific Virtualization Report\n"); + printf("==============================\n"); + } + break; + case RPT_CRYPTO: + if (report_detail == D_DETAILED) { + printf("Crypto Report\n"); + printf("===================================\n"); + printf("# date time auid type success event\n"); + printf("===================================\n"); + } else { + printf("Specific Crypto Report\n"); + printf("===================================\n"); + } + break; + case RPT_KEY: + if (report_detail == D_DETAILED) { + printf("Key Report\n"); + printf( + "===============================================\n"); + printf( + "# date time key success exe auid event\n"); + printf( + "===============================================\n"); + } else { + printf("Specific Key Report\n"); + printf("====================\n"); + } + break; + case RPT_TTY: + if (report_detail == D_DETAILED) { + printf("TTY Report\n"); + printf( + "===============================================\n"); + printf( + "# date time event auid term sess comm data\n"); + printf( + "===============================================\n"); + } else { + printf("Specific TTY Report\n"); + printf("====================\n"); + } + break; + default: + break; + } +} + +void print_per_event_item(llist *l) +{ + char buf[128]; + char name[64]; + char date[32]; + struct tm *tv; + + // The beginning is common to all reports + tv = localtime(&l->e.sec); + strftime(date, sizeof(date), "%x %T", tv); + if (report_type != RPT_AVC) { + line_item++; + printf("%u. %s ", line_item, date); + } + + switch (report_type) + { + case RPT_AVC: + alist_find_avc(l->s.avc); + do { + anode *an = l->s.avc->cur; + line_item++; + printf("%u. %s ", line_item, date); + // command subject syscall action obj res event + safe_print_string(l->s.comm ? l->s.comm : "?", 0); + printf(" %s %s %s %s %s %s %lu\n", + an->scontext, + aulookup_syscall(l, buf,sizeof(buf)), + an->avc_class, an->avc_perm, + an->tcontext, aulookup_result(an->avc_result), + l->e.serial); +//printf("items:%d\n", l->s.avc->cnt); + } while (alist_next_avc(l->s.avc)); + break; + case RPT_CONFIG: + // FIXME:who, action, what, outcome, event + // NOW: type auid success event + printf("%s %s %s %lu\n", + audit_msg_type_to_name(l->head->type), + aulookup_uid(l->s.loginuid, name, sizeof(name)), + aulookup_success(l->s.success), l->e.serial); + break; + case RPT_AUTH: + // who, addr, terminal, exe, success, event + // Special note...uid is used here because that is + // the way that the message works. This is because + // on failed logins, loginuid is not set. + safe_print_string(l->s.acct ? l->s.acct : + aulookup_uid(l->s.uid, name, sizeof(name)), 0); + printf(" %s %s %s %s %lu\n", + l->s.hostname, l->s.terminal, + l->s.exe, aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_LOGIN: + // who, addr, terminal, exe, success, event + // Special note...uid is used here because that is + // the way that the message works. This is because + // on failed logins, loginuid is not set. + safe_print_string(((l->s.success == S_FAILED) && + l->s.acct) ? l->s.acct : + aulookup_uid(l->s.uid, name, sizeof(name)), 0); + printf(" %s %s %s %s %lu\n", + l->s.hostname, l->s.terminal, + l->s.exe, aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_ACCT_MOD: + // who, addr, terminal, exe, success, event + safe_print_string( + aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %s %s %s %s %s %lu\n", + l->s.hostname ? l->s.hostname : "?", + l->s.terminal ? l->s.terminal : "?", + l->s.exe ? l->s.exe : "?", + l->s.acct ? l->s.acct : "?", + aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_EVENT: // report_detail == D_DETAILED + // event, type, who, success + printf("%lu %s ", + l->e.serial, + audit_msg_type_to_name(l->head->type)); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %s\n", aulookup_success(l->s.success)); + break; + case RPT_FILE: // report_detail == D_DETAILED + // file, syscall, success, exe, who, event + slist_first(l->s.filename); + safe_print_string(l->s.filename->cur->str,0); + printf(" %s %s ", + aulookup_syscall(l,buf,sizeof(buf)), + aulookup_success(l->s.success)); + safe_print_string(l->s.exe ? l->s.exe : "?", 0); + putchar(' '); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_HOST: // report_detail == D_DETAILED + // host, syscall, who, event + printf("%s %s ", + l->s.hostname, + aulookup_syscall(l,buf,sizeof(buf))); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_PID: // report_detail == D_DETAILED + // pid, exe, syscall, who, event + printf("%u ", l->s.pid); + safe_print_string(l->s.exe ? l->s.exe : "?", 0); + printf(" %s ", aulookup_syscall(l,buf,sizeof(buf))); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_SYSCALL: // report_detail == D_DETAILED + // syscall, pid, comm, who, event + printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)), + l->s.pid); + safe_print_string(l->s.comm ? l->s.comm : "?", 0); + putchar(' '); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_TERM: // report_detail == D_DETAILED + // terminal, host, exe, who, event + printf("%s %s ", + l->s.terminal, l->s.hostname); + safe_print_string(l->s.exe, 0); + putchar(' '); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_USER: // report_detail == D_DETAILED + // who, terminal, host, exe, event + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %s %s ", + l->s.terminal ? l->s.terminal : "?", + l->s.hostname ? l->s.hostname : "?"); + safe_print_string(l->s.exe ? l->s.exe : "?", 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_EXE: // report_detail == D_DETAILED + // exe, terminal, host, who, event + safe_print_string(l->s.exe ? l->s.exe : "?", 0); + printf(" %s %s ", + l->s.terminal ? l->s.terminal : "?", + l->s.hostname ? l->s.hostname : "?"); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_COMM: // report_detail == D_DETAILED + // comm, terminal, host, who, event + safe_print_string(l->s.comm ? l->s.comm : "?", 0); + printf(" %s %s ", + l->s.terminal ? l->s.terminal : "?", + l->s.hostname ? l->s.hostname : "?"); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_ANOMALY: // report_detail == D_DETAILED + // type exe term host auid event + printf("%s ", audit_msg_type_to_name(l->head->type)); + safe_print_string(l->s.exe ? l->s.exe : + l->s.comm ? l->s.comm: "?", 0); + printf(" %s %s ", + l->s.terminal ? l->s.terminal : "?", + l->s.hostname ? l->s.hostname : "?"); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_RESPONSE: // report_detail == D_DETAILED + // type success event + printf("%s %s %lu\n", + audit_msg_type_to_name(l->head->type), + aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_MAC: + // auid type success event + printf("%s %s %s %lu\n", + aulookup_uid(l->s.loginuid, name, sizeof(name)), + audit_msg_type_to_name(l->head->type), + aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_INTEG: + // type success event + printf("%s %s %lu\n", + audit_msg_type_to_name(l->head->type), + aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_VIRT: + // type success event + printf("%s %s %lu\n", + audit_msg_type_to_name(l->head->type), + aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_CRYPTO: + // auid type success event + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %s %s %lu\n", + audit_msg_type_to_name(l->head->type), + aulookup_success(l->s.success), + l->e.serial); + break; + case RPT_KEY: // report_detail == D_DETAILED + // key, success, exe, who, event + slist_first(l->s.key); + printf("%s %s ", l->s.key->cur->str, + aulookup_success(l->s.success)); + safe_print_string(l->s.exe ? l->s.exe : "?", 0); + putchar(' '); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %lu\n", l->e.serial); + break; + case RPT_TTY: { + char *ch, *ptr = strstr(l->head->message, "data="); + if (!ptr) + break; + ptr += 5; + ch = strrchr(ptr, ' '); + if (ch) + *ch = 0; + // event who term sess data + printf("%lu ", l->e.serial); + safe_print_string(aulookup_uid(l->s.loginuid, name, + sizeof(name)), 0); + printf(" %s %u ", + l->s.terminal ? l->s.terminal : "?", + l->s.session_id); + safe_print_string(l->s.comm ? l->s.comm: "?", 0); + putchar(' '); + print_tty_data(ptr); + printf("\n"); + } + break; + default: + break; + } +} + +void print_wrap_up(void) +{ + if (report_detail != D_SUM) + return; + + switch (report_type) + { + case RPT_SUMMARY: + do_summary_output(); + break; + case RPT_AVC: + slist_sort_by_hits(&sd.avc_objs); + do_string_summary_output(&sd.avc_objs); + break; + case RPT_CONFIG: /* We will borrow the pid list */ + ilist_sort_by_hits(&sd.pids); + do_type_summary_output(&sd.pids); + break; + case RPT_AUTH: + slist_sort_by_hits(&sd.users); + do_user_summary_output(&sd.users); + break; + case RPT_LOGIN: + slist_sort_by_hits(&sd.users); + do_user_summary_output(&sd.users); + break; + case RPT_ACCT_MOD: /* We will borrow the pid list */ + ilist_sort_by_hits(&sd.pids); + do_type_summary_output(&sd.pids); + break; + case RPT_EVENT: /* We will borrow the pid list */ + ilist_sort_by_hits(&sd.pids); + do_type_summary_output(&sd.pids); + break; + case RPT_FILE: + slist_sort_by_hits(&sd.files); + do_file_summary_output(&sd.files); + break; + case RPT_HOST: + slist_sort_by_hits(&sd.hosts); + do_string_summary_output(&sd.hosts); + break; + case RPT_PID: + ilist_sort_by_hits(&sd.pids); + do_int_summary_output(&sd.pids); + break; + case RPT_SYSCALL: + ilist_sort_by_hits(&sd.sys_list); + do_syscall_summary_output(&sd.sys_list); + break; + case RPT_TERM: + slist_sort_by_hits(&sd.terms); + do_string_summary_output(&sd.terms); + break; + case RPT_USER: + slist_sort_by_hits(&sd.users); + do_user_summary_output(&sd.users); + break; + case RPT_EXE: + slist_sort_by_hits(&sd.exes); + do_file_summary_output(&sd.exes); + break; + case RPT_COMM: + slist_sort_by_hits(&sd.comms); + do_file_summary_output(&sd.comms); + break; + case RPT_ANOMALY: + ilist_sort_by_hits(&sd.anom_list); + do_type_summary_output(&sd.anom_list); + break; + case RPT_RESPONSE: + ilist_sort_by_hits(&sd.resp_list); + do_type_summary_output(&sd.resp_list); + break; + case RPT_MAC: + ilist_sort_by_hits(&sd.mac_list); + do_type_summary_output(&sd.mac_list); + break; + case RPT_INTEG: + ilist_sort_by_hits(&sd.integ_list); + do_type_summary_output(&sd.integ_list); + break; + case RPT_VIRT: + ilist_sort_by_hits(&sd.virt_list); + do_type_summary_output(&sd.virt_list); + break; + case RPT_CRYPTO: + ilist_sort_by_hits(&sd.crypto_list); + do_type_summary_output(&sd.crypto_list); + break; + case RPT_KEY: + slist_sort_by_hits(&sd.keys); + do_file_summary_output(&sd.keys); + break; + default: + break; + } +} + +static void do_summary_output(void) +{ + extern event very_first_event; + extern event very_last_event; + + printf("Range of time in logs: "); + { + struct tm *btm; + char tmp[48]; + + btm = localtime(&very_first_event.sec); + strftime(tmp, sizeof(tmp), "%x %T", btm); + printf("%s.%03d - ", tmp, very_first_event.milli); + btm = localtime(&very_last_event.sec); + strftime(tmp, sizeof(tmp), "%x %T", btm); + printf("%s.%03d\n", tmp, very_last_event.milli); + } + printf("Selected time for report: "); + { + struct tm *btm; + char tmp[48]; + + if (start_time) + btm = localtime(&start_time); + else + btm = localtime(&very_first_event.sec); + strftime(tmp, sizeof(tmp), "%x %T", btm); + printf("%s - ", tmp); + if (end_time) + btm = localtime(&end_time); + else + btm = localtime(&very_last_event.sec); + strftime(tmp, sizeof(tmp), "%x %T", btm); + if (end_time) + printf("%s\n", tmp); + else + printf("%s.%03d\n", tmp, very_last_event.milli); + } + printf("Number of changes in configuration: %lu\n", sd.changes); + printf("Number of changes to accounts, groups, or roles: %lu\n", + sd.acct_changes); + printf("Number of logins: %lu\n", sd.good_logins); + printf("Number of failed logins: %lu\n", sd.bad_logins); + printf("Number of authentications: %lu\n", sd.good_auth); + printf("Number of failed authentications: %lu\n", sd.bad_auth); + printf("Number of users: %u\n", sd.users.cnt); + printf("Number of terminals: %u\n", sd.terms.cnt); + printf("Number of host names: %u\n", sd.hosts.cnt); + printf("Number of executables: %u\n", sd.exes.cnt); + printf("Number of commands: %u\n", sd.comms.cnt); + printf("Number of files: %u\n", sd.files.cnt); + printf("Number of AVC's: %lu\n", sd.avcs); + printf("Number of MAC events: %lu\n", sd.mac); + printf("Number of failed syscalls: %lu\n", sd.failed_syscalls); + printf("Number of anomaly events: %lu\n", sd.anomalies); + printf("Number of responses to anomaly events: %lu\n", sd.responses); + printf("Number of crypto events: %lu\n", sd.crypto); + printf("Number of integrity events: %lu\n", sd.integ); + printf("Number of virt events: %lu\n", sd.virt); + printf("Number of keys: %u\n", sd.keys.cnt); + printf("Number of process IDs: %u\n", sd.pids.cnt); + printf("Number of events: %lu\n", sd.events); + printf("\n"); +} + +static void do_file_summary_output(slist *sptr) +{ + const snode *sn; + + if (sptr->cnt == 0) { + printf("<no events of interest were found>\n\n"); + return; + } + slist_first(sptr); + sn=slist_get_cur(sptr); + while (sn) { + printf("%u ", sn->hits); + safe_print_string(sn->str, 1); + sn=slist_next(sptr); + } +} + +static void do_string_summary_output(slist *sptr) +{ + const snode *sn; + + if (sptr->cnt == 0) { + printf("<no events of interest were found>\n\n"); + return; + } + slist_first(sptr); + sn=slist_get_cur(sptr); + while (sn) { + printf("%u %s\n", sn->hits, sn->str); + sn=slist_next(sptr); + } +} + +static void do_user_summary_output(slist *sptr) +{ + const snode *sn; + + if (sptr->cnt == 0) { + printf("<no events of interest were found>\n\n"); + return; + } + slist_first(sptr); + sn=slist_get_cur(sptr); + while (sn) { + long uid; + char name[64]; + + if (sn->str[0] == '-' || isdigit(sn->str[0])) { + uid = strtol(sn->str, NULL, 10); + printf("%u ", sn->hits); + safe_print_string(aulookup_uid(uid, name, + sizeof(name)), 1); + } else { + printf("%u ", sn->hits); + safe_print_string(sn->str, 1); + } + sn=slist_next(sptr); + } +} + +static void do_int_summary_output(ilist *sptr) +{ + const int_node *in; + + if (sptr->cnt == 0) { + printf("<no events of interest were found>\n\n"); + return; + } + ilist_first(sptr); + in=ilist_get_cur(sptr); + while (in) { + printf("%u %d\n", in->hits, in->num); + in=ilist_next(sptr); + } +} + +static void do_syscall_summary_output(ilist *sptr) +{ + const int_node *in; + + if (sptr->cnt == 0) { + printf("<no events of interest were found>\n\n"); + return; + } + ilist_first(sptr); + in=ilist_get_cur(sptr); + while (in) { + const char *sys = NULL; + int machine = audit_elf_to_machine(in->aux1); + if (machine >= 0) + sys = audit_syscall_to_name(in->num, machine); + if (sys) + printf("%u %s\n", in->hits, sys); + else + printf("%u %d\n", in->hits, in->num); + in=ilist_next(sptr); + } +} + +static void do_type_summary_output(ilist *sptr) +{ + const int_node *in; + + if (sptr->cnt == 0) { + printf("<no events of interest were found>\n\n"); + return; + } + ilist_first(sptr); + in=ilist_get_cur(sptr); + while (in) { + const char *name = audit_msg_type_to_name(in->num); + if (report_format == RPT_DEFAULT) + printf("%u %d\n", in->hits, in->num); + else + printf("%u %s\n", in->hits, name); + in=ilist_next(sptr); + } +} + |