Diffstat (limited to 'framework/src/audit/src/aureport-output.c')
-rw-r--r--framework/src/audit/src/aureport-output.c1023
1 files changed, 0 insertions, 1023 deletions
diff --git a/framework/src/audit/src/aureport-output.c b/framework/src/audit/src/aureport-output.c
deleted file mode 100644
index 9125d5ff..00000000
--- a/framework/src/audit/src/aureport-output.c
+++ /dev/null
@@ -1,1023 +0,0 @@
-/*
-* aureport-output.c - Print the report
-* Copyright (c) 2005-06,2008,2014 Red Hat Inc., Durham, North Carolina.
-* All Rights Reserved.
-*
-* This software may be freely redistributed and/or modified under the
-* terms of the GNU General Public License as published by the Free
-* Software Foundation; either version 2, or (at your option) any
-* later version.
-*
-* This program is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-* GNU General Public License for more details.
-*
-* You should have received a copy of the GNU General Public License
-* along with this program; see the file COPYING. If not, write to the
-* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
-*
-* Authors:
-* Steve Grubb <sgrubb@redhat.com>
-*/
-
-#include "config.h"
-#include <stdio.h>
-#include <string.h>
-#include <ctype.h>
-#include "aureport-scan.h"
-#include "aureport-options.h"
-#include "ausearch-lookup.h"
-
-/* Locale functions */
-static void print_title_summary(void);
-static void print_title_detailed(void);
-static void do_summary_output(void);
-static void do_file_summary_output(slist *sptr);
-static void do_string_summary_output(slist *sptr);
-static void do_user_summary_output(slist *sptr);
-static void do_int_summary_output(ilist *sptr);
-static void do_syscall_summary_output(ilist *sptr);
-static void do_type_summary_output(ilist *sptr);
-
-/* Local Data */
-unsigned int line_item;
-
-
-void print_title(void)
-{
- line_item = 0U;
- printf("\n");
- switch (report_detail)
- {
- case D_SUM:
- print_title_summary();
- break;
- case D_DETAILED:
- print_title_detailed();
- break;
- case D_SPECIFIC:
- default:
- break;
- }
-}
-
-static void print_title_summary(void)
-{
- if (event_failed == F_FAILED) printf("Failed ");
- if (event_failed == F_SUCCESS) printf("Success ");
- switch (report_type)
- {
- case RPT_SUMMARY:
- printf("Summary Report\n");
- printf("======================\n");
- break;
- case RPT_AVC:
- printf("Avc Object Summary Report\n");
- printf("=================================\n");
- printf("total obj\n");
- printf("=================================\n");
- break;
- case RPT_MAC:
- printf("MAC Summary Report\n");
- printf("==================\n");
- printf("total type\n");
- printf("==================\n");
- break;
- case RPT_INTEG:
- printf("Integrity Summary Report\n");
- printf("========================\n");
- printf("total type\n");
- printf("========================\n");
- break;
- case RPT_VIRT:
- printf("Virtualization Summary Report\n");
- printf("=============================\n");
- printf("total type\n");
- printf("=============================\n");
- break;
- case RPT_CONFIG:
- printf("Config Change Summary Report\n");
- printf("============================\n");
- printf("total type\n");
- printf("============================\n");
- break;
- case RPT_AUTH:
- printf("Authentication Summary Report\n");
- printf("=============================\n");
- printf("total acct\n");
- printf("=============================\n");
- break;
- case RPT_LOGIN:
- printf("Login Summary Report\n");
- printf("============================\n");
- printf("total auid\n");
- printf("============================\n");
- break;
- case RPT_ACCT_MOD:
- printf("Acct Modification Summary Report\n");
- printf("================================\n");
- printf("total type\n");
- printf("================================\n");
- break;
- case RPT_TIME:
- UNIMPLEMENTED;
- break;
- case RPT_EVENT:
- printf("Event Summary Report\n");
- printf("======================\n");
- printf("total type\n");
- printf("======================\n");
- break;
- case RPT_FILE:
- printf("File Summary Report\n");
- printf("===========================\n");
- printf("total file\n");
- printf("===========================\n");
- break;
- case RPT_HOST:
- printf("Host Summary Report\n");
- printf("===========================\n");
- printf("total host\n");
- printf("===========================\n");
- break;
- case RPT_PID:
- printf("Pid Summary Report\n");
- printf("==========================\n");
- printf("total pid\n");
- printf("==========================\n");
- break;
- case RPT_SYSCALL:
- printf("Syscall Summary Report\n");
- printf("==========================\n");
- printf("total syscall\n");
- printf("==========================\n");
- break;
- case RPT_TERM:
- printf("Terminal Summary Report\n");
- printf("===============================\n");
- printf("total terminal\n");
- printf("===============================\n");
- break;
- case RPT_USER:
- printf("User Summary Report\n");
- printf("===========================\n");
- printf("total auid\n");
- printf("===========================\n");
- break;
- case RPT_EXE:
- printf("Executable Summary Report\n");
- printf("=================================\n");
- printf("total file\n");
- printf("=================================\n");
- break;
- case RPT_COMM:
- printf("Command Summary Report\n");
- printf("=================================\n");
- printf("total command\n");
- printf("=================================\n");
- break;
- case RPT_ANOMALY:
- printf("Anomaly Summary Report\n");
- printf("======================\n");
- printf("total type\n");
- printf("======================\n");
- break;
- case RPT_RESPONSE:
- printf("Anomaly Response Summary Report\n");
- printf("===============================\n");
- printf("total type\n");
- printf("===============================\n");
- break;
- case RPT_CRYPTO:
- printf("Crypto Summary Report\n");
- printf("=====================\n");
- printf("total type\n");
- printf("=====================\n");
- break;
- case RPT_KEY:
- printf("Key Summary Report\n");
- printf("===========================\n");
- printf("total key\n");
- printf("===========================\n");
- break;
- case RPT_TTY:
- UNIMPLEMENTED;
- break;
- default:
- break;
- }
-}
-
-static void print_title_detailed(void)
-{
- switch (report_type)
- {
- case RPT_AVC:
- printf("AVC Report\n");
- printf(
- "========================================================\n");
- printf(
- "# date time comm subj syscall class permission obj event\n");
- printf(
- "========================================================\n");
- break;
- case RPT_CONFIG:
- printf("Config Change Report\n");
- printf("===================================\n");
- printf("# date time type auid success event\n");
- printf("===================================\n");
- break;
- case RPT_AUTH:
- printf("Authentication Report\n");
- printf(
- "============================================\n");
- printf(
- "# date time acct host term exe success event\n");
- printf(
- "============================================\n");
- break;
- case RPT_LOGIN:
- printf("Login Report\n");
- printf(
- "============================================\n");
- printf(
- "# date time auid host term exe success event\n");
- printf(
- "============================================\n");
- break;
- case RPT_ACCT_MOD:
- printf("Account Modifications Report\n");
- printf(
- "=================================================\n");
- printf(
- "# date time auid addr term exe acct success event\n");
- printf(
- "=================================================\n");
- break;
- case RPT_TIME:
- printf("Log Time Range Report\n");
- printf("=====================\n");
- break;
- case RPT_EVENT:
- if (report_detail == D_DETAILED) {
- printf("Event Report\n");
- printf("===================================\n");
- printf("# date time event type auid success\n");
- printf("===================================\n");
- } else {
- printf("Specific Event Report\n");
- printf("=====================\n");
- }
- break;
- case RPT_FILE:
- if (report_detail == D_DETAILED) {
- printf("File Report\n");
- printf(
- "===============================================\n");
- printf(
- "# date time file syscall success exe auid event\n");
- printf(
- "===============================================\n");
- } else {
- printf("Specific File Report\n");
- printf("====================\n");
- }
- break;
- case RPT_HOST:
- if (report_detail == D_DETAILED) {
- printf("Host Report\n");
- printf("===================================\n");
- printf("# date time host syscall auid event\n");
- printf("===================================\n");
- } else {
- printf("Specific Host Report\n");
- printf("====================\n");
- }
- break;
- case RPT_PID:
- if (report_detail == D_DETAILED) {
- printf("Process ID Report\n");
- printf(
- "======================================\n");
- printf(
- "# date time pid exe syscall auid event\n");
- printf(
- "======================================\n");
- } else {
- printf("Specific Process ID Report\n");
- printf("==========================\n");
- }
- break;
- case RPT_SYSCALL:
- if (report_detail == D_DETAILED) {
- printf("Syscall Report\n");
- printf(
- "=======================================\n");
- printf(
- "# date time syscall pid comm auid event\n");
- printf(
- "=======================================\n");
- } else {
- printf("Specific Syscall Report\n");
- printf("=======================\n");
- }
- break;
- case RPT_TERM:
- if (report_detail == D_DETAILED) {
- printf("Terminal Report\n");
- printf(
- "====================================\n");
- printf(
- "# date time term host exe auid event\n");
- printf(
- "====================================\n");
- } else {
- printf("Specific Terminal Report\n");
- printf("========================\n");
- }
- break;
- case RPT_USER:
- if (report_detail == D_DETAILED) {
- printf("User ID Report\n");
- printf(
- "====================================\n");
- printf(
- "# date time auid term host exe event\n");
- printf(
- "====================================\n");
- } else {
- printf("Specific User ID Report\n");
- printf("=======================\n");
- }
- break;
- case RPT_EXE:
- if (report_detail == D_DETAILED) {
- printf("Executable Report\n");
- printf(
- "====================================\n");
- printf(
- "# date time exe term host auid event\n");
- printf(
- "====================================\n");
- } else {
- printf("Specific Executable Report\n");
- printf("==========================\n");
- }
- break;
- case RPT_COMM:
- if (report_detail == D_DETAILED) {
- printf("Command Report\n");
- printf(
- "====================================\n");
- printf(
- "# date time comm term host auid event\n");
- printf(
- "=====================================\n");
- } else {
- printf("Specific command Report\n");
- printf("=======================\n");
- }
- break;
- case RPT_ANOMALY:
- if (report_detail == D_DETAILED) {
- printf("Anomaly Report\n");
- printf(
- "=========================================\n");
- printf(
- "# date time type exe term host auid event\n");
- printf(
- "=========================================\n");
- } else {
- printf("Specific Anomaly Report\n");
- printf("=======================\n");
- }
- break;
- case RPT_RESPONSE:
- if (report_detail == D_DETAILED) {
- printf("Response to Anomaly Report\n");
- printf("==============================\n");
- printf("# date time type success event\n");
- printf("==============================\n");
- } else {
- printf("Specific Response to Anomaly Report\n");
- printf("===================================\n");
- }
- break;
- case RPT_MAC:
- if (report_detail == D_DETAILED) {
- printf("MAC Report\n");
- printf("===================================\n");
- printf("# date time auid type success event\n");
- printf("===================================\n");
- } else {
- printf("Specific Mandatory Access Control (MAC) Report\n");
- printf("===================================\n");
- }
- break;
- case RPT_INTEG:
- if (report_detail == D_DETAILED) {
- printf("Integrity Report\n");
- printf("==============================\n");
- printf("# date time type success event\n");
- printf("==============================\n");
- } else {
- printf("Specific Integrity Report\n");
- printf("==============================\n");
- }
- break;
- case RPT_VIRT:
- if (report_detail == D_DETAILED) {
- printf("Virtualization Report\n");
- printf("==============================\n");
- printf("# date time type success event\n");
- printf("==============================\n");
- } else {
- printf("Specific Virtualization Report\n");
- printf("==============================\n");
- }
- break;
- case RPT_CRYPTO:
- if (report_detail == D_DETAILED) {
- printf("Crypto Report\n");
- printf("===================================\n");
- printf("# date time auid type success event\n");
- printf("===================================\n");
- } else {
- printf("Specific Crypto Report\n");
- printf("===================================\n");
- }
- break;
- case RPT_KEY:
- if (report_detail == D_DETAILED) {
- printf("Key Report\n");
- printf(
- "===============================================\n");
- printf(
- "# date time key success exe auid event\n");
- printf(
- "===============================================\n");
- } else {
- printf("Specific Key Report\n");
- printf("====================\n");
- }
- break;
- case RPT_TTY:
- if (report_detail == D_DETAILED) {
- printf("TTY Report\n");
- printf(
- "===============================================\n");
- printf(
- "# date time event auid term sess comm data\n");
- printf(
- "===============================================\n");
- } else {
- printf("Specific TTY Report\n");
- printf("====================\n");
- }
- break;
- default:
- break;
- }
-}
-
-void print_per_event_item(llist *l)
-{
- char buf[128];
- char name[64];
- char date[32];
- struct tm *tv;
-
- // The beginning is common to all reports
- tv = localtime(&l->e.sec);
- strftime(date, sizeof(date), "%x %T", tv);
- if (report_type != RPT_AVC) {
- line_item++;
- printf("%u. %s ", line_item, date);
- }
-
- switch (report_type)
- {
- case RPT_AVC:
- alist_find_avc(l->s.avc);
- do {
- anode *an = l->s.avc->cur;
- line_item++;
- printf("%u. %s ", line_item, date);
- // command subject syscall action obj res event
- safe_print_string(l->s.comm ? l->s.comm : "?", 0);
- printf(" %s %s %s %s %s %s %lu\n",
- an->scontext,
- aulookup_syscall(l, buf,sizeof(buf)),
- an->avc_class, an->avc_perm,
- an->tcontext, aulookup_result(an->avc_result),
- l->e.serial);
-//printf("items:%d\n", l->s.avc->cnt);
- } while (alist_next_avc(l->s.avc));
- break;
- case RPT_CONFIG:
- // FIXME:who, action, what, outcome, event
- // NOW: type auid success event
- printf("%s %s %s %lu\n",
- audit_msg_type_to_name(l->head->type),
- aulookup_uid(l->s.loginuid, name, sizeof(name)),
- aulookup_success(l->s.success), l->e.serial);
- break;
- case RPT_AUTH:
- // who, addr, terminal, exe, success, event
- // Special note...uid is used here because that is
- // the way that the message works. This is because
- // on failed logins, loginuid is not set.
- safe_print_string(l->s.acct ? l->s.acct :
- aulookup_uid(l->s.uid, name, sizeof(name)), 0);
- printf(" %s %s %s %s %lu\n",
- l->s.hostname, l->s.terminal,
- l->s.exe, aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_LOGIN:
- // who, addr, terminal, exe, success, event
- // Special note...uid is used here because that is
- // the way that the message works. This is because
- // on failed logins, loginuid is not set.
- safe_print_string(((l->s.success == S_FAILED) &&
- l->s.acct) ? l->s.acct :
- aulookup_uid(l->s.uid, name, sizeof(name)), 0);
- printf(" %s %s %s %s %lu\n",
- l->s.hostname, l->s.terminal,
- l->s.exe, aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_ACCT_MOD:
- // who, addr, terminal, exe, success, event
- safe_print_string(
- aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %s %s %s %s %s %lu\n",
- l->s.hostname ? l->s.hostname : "?",
- l->s.terminal ? l->s.terminal : "?",
- l->s.exe ? l->s.exe : "?",
- l->s.acct ? l->s.acct : "?",
- aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_EVENT: // report_detail == D_DETAILED
- // event, type, who, success
- printf("%lu %s ",
- l->e.serial,
- audit_msg_type_to_name(l->head->type));
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %s\n", aulookup_success(l->s.success));
- break;
- case RPT_FILE: // report_detail == D_DETAILED
- // file, syscall, success, exe, who, event
- slist_first(l->s.filename);
- safe_print_string(l->s.filename->cur->str,0);
- printf(" %s %s ",
- aulookup_syscall(l,buf,sizeof(buf)),
- aulookup_success(l->s.success));
- safe_print_string(l->s.exe ? l->s.exe : "?", 0);
- putchar(' ');
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_HOST: // report_detail == D_DETAILED
- // host, syscall, who, event
- printf("%s %s ",
- l->s.hostname,
- aulookup_syscall(l,buf,sizeof(buf)));
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_PID: // report_detail == D_DETAILED
- // pid, exe, syscall, who, event
- printf("%u ", l->s.pid);
- safe_print_string(l->s.exe ? l->s.exe : "?", 0);
- printf(" %s ", aulookup_syscall(l,buf,sizeof(buf)));
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_SYSCALL: // report_detail == D_DETAILED
- // syscall, pid, comm, who, event
- printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)),
- l->s.pid);
- safe_print_string(l->s.comm ? l->s.comm : "?", 0);
- putchar(' ');
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_TERM: // report_detail == D_DETAILED
- // terminal, host, exe, who, event
- printf("%s %s ",
- l->s.terminal, l->s.hostname);
- safe_print_string(l->s.exe, 0);
- putchar(' ');
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_USER: // report_detail == D_DETAILED
- // who, terminal, host, exe, event
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %s %s ",
- l->s.terminal ? l->s.terminal : "?",
- l->s.hostname ? l->s.hostname : "?");
- safe_print_string(l->s.exe ? l->s.exe : "?", 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_EXE: // report_detail == D_DETAILED
- // exe, terminal, host, who, event
- safe_print_string(l->s.exe ? l->s.exe : "?", 0);
- printf(" %s %s ",
- l->s.terminal ? l->s.terminal : "?",
- l->s.hostname ? l->s.hostname : "?");
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_COMM: // report_detail == D_DETAILED
- // comm, terminal, host, who, event
- safe_print_string(l->s.comm ? l->s.comm : "?", 0);
- printf(" %s %s ",
- l->s.terminal ? l->s.terminal : "?",
- l->s.hostname ? l->s.hostname : "?");
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_ANOMALY: // report_detail == D_DETAILED
- // type exe term host auid event
- printf("%s ", audit_msg_type_to_name(l->head->type));
- safe_print_string(l->s.exe ? l->s.exe :
- l->s.comm ? l->s.comm: "?", 0);
- printf(" %s %s ",
- l->s.terminal ? l->s.terminal : "?",
- l->s.hostname ? l->s.hostname : "?");
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_RESPONSE: // report_detail == D_DETAILED
- // type success event
- printf("%s %s %lu\n",
- audit_msg_type_to_name(l->head->type),
- aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_MAC:
- // auid type success event
- printf("%s %s %s %lu\n",
- aulookup_uid(l->s.loginuid, name, sizeof(name)),
- audit_msg_type_to_name(l->head->type),
- aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_INTEG:
- // type success event
- printf("%s %s %lu\n",
- audit_msg_type_to_name(l->head->type),
- aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_VIRT:
- // type success event
- printf("%s %s %lu\n",
- audit_msg_type_to_name(l->head->type),
- aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_CRYPTO:
- // auid type success event
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %s %s %lu\n",
- audit_msg_type_to_name(l->head->type),
- aulookup_success(l->s.success),
- l->e.serial);
- break;
- case RPT_KEY: // report_detail == D_DETAILED
- // key, success, exe, who, event
- slist_first(l->s.key);
- printf("%s %s ", l->s.key->cur->str,
- aulookup_success(l->s.success));
- safe_print_string(l->s.exe ? l->s.exe : "?", 0);
- putchar(' ');
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %lu\n", l->e.serial);
- break;
- case RPT_TTY: {
- char *ch, *ptr = strstr(l->head->message, "data=");
- if (!ptr)
- break;
- ptr += 5;
- ch = strrchr(ptr, ' ');
- if (ch)
- *ch = 0;
- // event who term sess data
- printf("%lu ", l->e.serial);
- safe_print_string(aulookup_uid(l->s.loginuid, name,
- sizeof(name)), 0);
- printf(" %s %u ",
- l->s.terminal ? l->s.terminal : "?",
- l->s.session_id);
- safe_print_string(l->s.comm ? l->s.comm: "?", 0);
- putchar(' ');
- print_tty_data(ptr);
- printf("\n");
- }
- break;
- default:
- break;
- }
-}
-
-void print_wrap_up(void)
-{
- if (report_detail != D_SUM)
- return;
-
- switch (report_type)
- {
- case RPT_SUMMARY:
- do_summary_output();
- break;
- case RPT_AVC:
- slist_sort_by_hits(&sd.avc_objs);
- do_string_summary_output(&sd.avc_objs);
- break;
- case RPT_CONFIG: /* We will borrow the pid list */
- ilist_sort_by_hits(&sd.pids);
- do_type_summary_output(&sd.pids);
- break;
- case RPT_AUTH:
- slist_sort_by_hits(&sd.users);
- do_user_summary_output(&sd.users);
- break;
- case RPT_LOGIN:
- slist_sort_by_hits(&sd.users);
- do_user_summary_output(&sd.users);
- break;
- case RPT_ACCT_MOD: /* We will borrow the pid list */
- ilist_sort_by_hits(&sd.pids);
- do_type_summary_output(&sd.pids);
- break;
- case RPT_EVENT: /* We will borrow the pid list */
- ilist_sort_by_hits(&sd.pids);
- do_type_summary_output(&sd.pids);
- break;
- case RPT_FILE:
- slist_sort_by_hits(&sd.files);
- do_file_summary_output(&sd.files);
- break;
- case RPT_HOST:
- slist_sort_by_hits(&sd.hosts);
- do_string_summary_output(&sd.hosts);
- break;
- case RPT_PID:
- ilist_sort_by_hits(&sd.pids);
- do_int_summary_output(&sd.pids);
- break;
- case RPT_SYSCALL:
- ilist_sort_by_hits(&sd.sys_list);
- do_syscall_summary_output(&sd.sys_list);
- break;
- case RPT_TERM:
- slist_sort_by_hits(&sd.terms);
- do_string_summary_output(&sd.terms);
- break;
- case RPT_USER:
- slist_sort_by_hits(&sd.users);
- do_user_summary_output(&sd.users);
- break;
- case RPT_EXE:
- slist_sort_by_hits(&sd.exes);
- do_file_summary_output(&sd.exes);
- break;
- case RPT_COMM:
- slist_sort_by_hits(&sd.comms);
- do_file_summary_output(&sd.comms);
- break;
- case RPT_ANOMALY:
- ilist_sort_by_hits(&sd.anom_list);
- do_type_summary_output(&sd.anom_list);
- break;
- case RPT_RESPONSE:
- ilist_sort_by_hits(&sd.resp_list);
- do_type_summary_output(&sd.resp_list);
- break;
- case RPT_MAC:
- ilist_sort_by_hits(&sd.mac_list);
- do_type_summary_output(&sd.mac_list);
- break;
- case RPT_INTEG:
- ilist_sort_by_hits(&sd.integ_list);
- do_type_summary_output(&sd.integ_list);
- break;
- case RPT_VIRT:
- ilist_sort_by_hits(&sd.virt_list);
- do_type_summary_output(&sd.virt_list);
- break;
- case RPT_CRYPTO:
- ilist_sort_by_hits(&sd.crypto_list);
- do_type_summary_output(&sd.crypto_list);
- break;
- case RPT_KEY:
- slist_sort_by_hits(&sd.keys);
- do_file_summary_output(&sd.keys);
- break;
- default:
- break;
- }
-}
-
-static void do_summary_output(void)
-{
- extern event very_first_event;
- extern event very_last_event;
-
- printf("Range of time in logs: ");
- {
- struct tm *btm;
- char tmp[48];
-
- btm = localtime(&very_first_event.sec);
- strftime(tmp, sizeof(tmp), "%x %T", btm);
- printf("%s.%03d - ", tmp, very_first_event.milli);
- btm = localtime(&very_last_event.sec);
- strftime(tmp, sizeof(tmp), "%x %T", btm);
- printf("%s.%03d\n", tmp, very_last_event.milli);
- }
- printf("Selected time for report: ");
- {
- struct tm *btm;
- char tmp[48];
-
- if (start_time)
- btm = localtime(&start_time);
- else
- btm = localtime(&very_first_event.sec);
- strftime(tmp, sizeof(tmp), "%x %T", btm);
- printf("%s - ", tmp);
- if (end_time)
- btm = localtime(&end_time);
- else
- btm = localtime(&very_last_event.sec);
- strftime(tmp, sizeof(tmp), "%x %T", btm);
- if (end_time)
- printf("%s\n", tmp);
- else
- printf("%s.%03d\n", tmp, very_last_event.milli);
- }
- printf("Number of changes in configuration: %lu\n", sd.changes);
- printf("Number of changes to accounts, groups, or roles: %lu\n",
- sd.acct_changes);
- printf("Number of logins: %lu\n", sd.good_logins);
- printf("Number of failed logins: %lu\n", sd.bad_logins);
- printf("Number of authentications: %lu\n", sd.good_auth);
- printf("Number of failed authentications: %lu\n", sd.bad_auth);
- printf("Number of users: %u\n", sd.users.cnt);
- printf("Number of terminals: %u\n", sd.terms.cnt);
- printf("Number of host names: %u\n", sd.hosts.cnt);
- printf("Number of executables: %u\n", sd.exes.cnt);
- printf("Number of commands: %u\n", sd.comms.cnt);
- printf("Number of files: %u\n", sd.files.cnt);
- printf("Number of AVC's: %lu\n", sd.avcs);
- printf("Number of MAC events: %lu\n", sd.mac);
- printf("Number of failed syscalls: %lu\n", sd.failed_syscalls);
- printf("Number of anomaly events: %lu\n", sd.anomalies);
- printf("Number of responses to anomaly events: %lu\n", sd.responses);
- printf("Number of crypto events: %lu\n", sd.crypto);
- printf("Number of integrity events: %lu\n", sd.integ);
- printf("Number of virt events: %lu\n", sd.virt);
- printf("Number of keys: %u\n", sd.keys.cnt);
- printf("Number of process IDs: %u\n", sd.pids.cnt);
- printf("Number of events: %lu\n", sd.events);
- printf("\n");
-}
-
-static void do_file_summary_output(slist *sptr)
-{
- const snode *sn;
-
- if (sptr->cnt == 0) {
- printf("<no events of interest were found>\n\n");
- return;
- }
- slist_first(sptr);
- sn=slist_get_cur(sptr);
- while (sn) {
- printf("%u ", sn->hits);
- safe_print_string(sn->str, 1);
- sn=slist_next(sptr);
- }
-}
-
-static void do_string_summary_output(slist *sptr)
-{
- const snode *sn;
-
- if (sptr->cnt == 0) {
- printf("<no events of interest were found>\n\n");
- return;
- }
- slist_first(sptr);
- sn=slist_get_cur(sptr);
- while (sn) {
- printf("%u %s\n", sn->hits, sn->str);
- sn=slist_next(sptr);
- }
-}
-
-static void do_user_summary_output(slist *sptr)
-{
- const snode *sn;
-
- if (sptr->cnt == 0) {
- printf("<no events of interest were found>\n\n");
- return;
- }
- slist_first(sptr);
- sn=slist_get_cur(sptr);
- while (sn) {
- long uid;
- char name[64];
-
- if (sn->str[0] == '-' || isdigit(sn->str[0])) {
- uid = strtol(sn->str, NULL, 10);
- printf("%u ", sn->hits);
- safe_print_string(aulookup_uid(uid, name,
- sizeof(name)), 1);
- } else {
- printf("%u ", sn->hits);
- safe_print_string(sn->str, 1);
- }
- sn=slist_next(sptr);
- }
-}
-
-static void do_int_summary_output(ilist *sptr)
-{
- const int_node *in;
-
- if (sptr->cnt == 0) {
- printf("<no events of interest were found>\n\n");
- return;
- }
- ilist_first(sptr);
- in=ilist_get_cur(sptr);
- while (in) {
- printf("%u %d\n", in->hits, in->num);
- in=ilist_next(sptr);
- }
-}
-
-static void do_syscall_summary_output(ilist *sptr)
-{
- const int_node *in;
-
- if (sptr->cnt == 0) {
- printf("<no events of interest were found>\n\n");
- return;
- }
- ilist_first(sptr);
- in=ilist_get_cur(sptr);
- while (in) {
- const char *sys = NULL;
- int machine = audit_elf_to_machine(in->aux1);
- if (machine >= 0)
- sys = audit_syscall_to_name(in->num, machine);
- if (sys)
- printf("%u %s\n", in->hits, sys);
- else
- printf("%u %d\n", in->hits, in->num);
- in=ilist_next(sptr);
- }
-}
-
-static void do_type_summary_output(ilist *sptr)
-{
- const int_node *in;
-
- if (sptr->cnt == 0) {
- printf("<no events of interest were found>\n\n");
- return;
- }
- ilist_first(sptr);
- in=ilist_get_cur(sptr);
- while (in) {
- const char *name = audit_msg_type_to_name(in->num);
- if (report_format == RPT_DEFAULT)
- printf("%u %d\n", in->hits, in->num);
- else
- printf("%u %s\n", in->hits, name);
- in=ilist_next(sptr);
- }
-}
-