diff options
Diffstat (limited to 'framework/src/audit/src/aureport-output.c')
-rw-r--r-- | framework/src/audit/src/aureport-output.c | 1023 |
1 files changed, 0 insertions, 1023 deletions
diff --git a/framework/src/audit/src/aureport-output.c b/framework/src/audit/src/aureport-output.c deleted file mode 100644 index 9125d5ff..00000000 --- a/framework/src/audit/src/aureport-output.c +++ /dev/null @@ -1,1023 +0,0 @@ -/* -* aureport-output.c - Print the report -* Copyright (c) 2005-06,2008,2014 Red Hat Inc., Durham, North Carolina. -* All Rights Reserved. -* -* This software may be freely redistributed and/or modified under the -* terms of the GNU General Public License as published by the Free -* Software Foundation; either version 2, or (at your option) any -* later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; see the file COPYING. If not, write to the -* Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Authors: -* Steve Grubb <sgrubb@redhat.com> -*/ - -#include "config.h" -#include <stdio.h> -#include <string.h> -#include <ctype.h> -#include "aureport-scan.h" -#include "aureport-options.h" -#include "ausearch-lookup.h" - -/* Locale functions */ -static void print_title_summary(void); -static void print_title_detailed(void); -static void do_summary_output(void); -static void do_file_summary_output(slist *sptr); -static void do_string_summary_output(slist *sptr); -static void do_user_summary_output(slist *sptr); -static void do_int_summary_output(ilist *sptr); -static void do_syscall_summary_output(ilist *sptr); -static void do_type_summary_output(ilist *sptr); - -/* Local Data */ -unsigned int line_item; - - -void print_title(void) -{ - line_item = 0U; - printf("\n"); - switch (report_detail) - { - case D_SUM: - print_title_summary(); - break; - case D_DETAILED: - print_title_detailed(); - break; - case D_SPECIFIC: - default: - break; - } -} - -static void print_title_summary(void) -{ - if (event_failed == F_FAILED) printf("Failed "); - if (event_failed == F_SUCCESS) printf("Success "); - switch (report_type) - { - case RPT_SUMMARY: - printf("Summary Report\n"); - printf("======================\n"); - break; - case RPT_AVC: - printf("Avc Object Summary Report\n"); - printf("=================================\n"); - printf("total obj\n"); - printf("=================================\n"); - break; - case RPT_MAC: - printf("MAC Summary Report\n"); - printf("==================\n"); - printf("total type\n"); - printf("==================\n"); - break; - case RPT_INTEG: - printf("Integrity Summary Report\n"); - printf("========================\n"); - printf("total type\n"); - printf("========================\n"); - break; - case RPT_VIRT: - printf("Virtualization Summary Report\n"); - printf("=============================\n"); - printf("total type\n"); - printf("=============================\n"); - break; - case RPT_CONFIG: - printf("Config Change Summary Report\n"); - printf("============================\n"); - printf("total type\n"); - printf("============================\n"); - break; - case RPT_AUTH: - printf("Authentication Summary Report\n"); - printf("=============================\n"); - printf("total acct\n"); - printf("=============================\n"); - break; - case RPT_LOGIN: - printf("Login Summary Report\n"); - printf("============================\n"); - printf("total auid\n"); - printf("============================\n"); - break; - case RPT_ACCT_MOD: - printf("Acct Modification Summary Report\n"); - printf("================================\n"); - printf("total type\n"); - printf("================================\n"); - break; - case RPT_TIME: - UNIMPLEMENTED; - break; - case RPT_EVENT: - printf("Event Summary Report\n"); - printf("======================\n"); - printf("total type\n"); - printf("======================\n"); - break; - case RPT_FILE: - printf("File Summary Report\n"); - printf("===========================\n"); - printf("total file\n"); - printf("===========================\n"); - break; - case RPT_HOST: - printf("Host Summary Report\n"); - printf("===========================\n"); - printf("total host\n"); - printf("===========================\n"); - break; - case RPT_PID: - printf("Pid Summary Report\n"); - printf("==========================\n"); - printf("total pid\n"); - printf("==========================\n"); - break; - case RPT_SYSCALL: - printf("Syscall Summary Report\n"); - printf("==========================\n"); - printf("total syscall\n"); - printf("==========================\n"); - break; - case RPT_TERM: - printf("Terminal Summary Report\n"); - printf("===============================\n"); - printf("total terminal\n"); - printf("===============================\n"); - break; - case RPT_USER: - printf("User Summary Report\n"); - printf("===========================\n"); - printf("total auid\n"); - printf("===========================\n"); - break; - case RPT_EXE: - printf("Executable Summary Report\n"); - printf("=================================\n"); - printf("total file\n"); - printf("=================================\n"); - break; - case RPT_COMM: - printf("Command Summary Report\n"); - printf("=================================\n"); - printf("total command\n"); - printf("=================================\n"); - break; - case RPT_ANOMALY: - printf("Anomaly Summary Report\n"); - printf("======================\n"); - printf("total type\n"); - printf("======================\n"); - break; - case RPT_RESPONSE: - printf("Anomaly Response Summary Report\n"); - printf("===============================\n"); - printf("total type\n"); - printf("===============================\n"); - break; - case RPT_CRYPTO: - printf("Crypto Summary Report\n"); - printf("=====================\n"); - printf("total type\n"); - printf("=====================\n"); - break; - case RPT_KEY: - printf("Key Summary Report\n"); - printf("===========================\n"); - printf("total key\n"); - printf("===========================\n"); - break; - case RPT_TTY: - UNIMPLEMENTED; - break; - default: - break; - } -} - -static void print_title_detailed(void) -{ - switch (report_type) - { - case RPT_AVC: - printf("AVC Report\n"); - printf( - "========================================================\n"); - printf( - "# date time comm subj syscall class permission obj event\n"); - printf( - "========================================================\n"); - break; - case RPT_CONFIG: - printf("Config Change Report\n"); - printf("===================================\n"); - printf("# date time type auid success event\n"); - printf("===================================\n"); - break; - case RPT_AUTH: - printf("Authentication Report\n"); - printf( - "============================================\n"); - printf( - "# date time acct host term exe success event\n"); - printf( - "============================================\n"); - break; - case RPT_LOGIN: - printf("Login Report\n"); - printf( - "============================================\n"); - printf( - "# date time auid host term exe success event\n"); - printf( - "============================================\n"); - break; - case RPT_ACCT_MOD: - printf("Account Modifications Report\n"); - printf( - "=================================================\n"); - printf( - "# date time auid addr term exe acct success event\n"); - printf( - "=================================================\n"); - break; - case RPT_TIME: - printf("Log Time Range Report\n"); - printf("=====================\n"); - break; - case RPT_EVENT: - if (report_detail == D_DETAILED) { - printf("Event Report\n"); - printf("===================================\n"); - printf("# date time event type auid success\n"); - printf("===================================\n"); - } else { - printf("Specific Event Report\n"); - printf("=====================\n"); - } - break; - case RPT_FILE: - if (report_detail == D_DETAILED) { - printf("File Report\n"); - printf( - "===============================================\n"); - printf( - "# date time file syscall success exe auid event\n"); - printf( - "===============================================\n"); - } else { - printf("Specific File Report\n"); - printf("====================\n"); - } - break; - case RPT_HOST: - if (report_detail == D_DETAILED) { - printf("Host Report\n"); - printf("===================================\n"); - printf("# date time host syscall auid event\n"); - printf("===================================\n"); - } else { - printf("Specific Host Report\n"); - printf("====================\n"); - } - break; - case RPT_PID: - if (report_detail == D_DETAILED) { - printf("Process ID Report\n"); - printf( - "======================================\n"); - printf( - "# date time pid exe syscall auid event\n"); - printf( - "======================================\n"); - } else { - printf("Specific Process ID Report\n"); - printf("==========================\n"); - } - break; - case RPT_SYSCALL: - if (report_detail == D_DETAILED) { - printf("Syscall Report\n"); - printf( - "=======================================\n"); - printf( - "# date time syscall pid comm auid event\n"); - printf( - "=======================================\n"); - } else { - printf("Specific Syscall Report\n"); - printf("=======================\n"); - } - break; - case RPT_TERM: - if (report_detail == D_DETAILED) { - printf("Terminal Report\n"); - printf( - "====================================\n"); - printf( - "# date time term host exe auid event\n"); - printf( - "====================================\n"); - } else { - printf("Specific Terminal Report\n"); - printf("========================\n"); - } - break; - case RPT_USER: - if (report_detail == D_DETAILED) { - printf("User ID Report\n"); - printf( - "====================================\n"); - printf( - "# date time auid term host exe event\n"); - printf( - "====================================\n"); - } else { - printf("Specific User ID Report\n"); - printf("=======================\n"); - } - break; - case RPT_EXE: - if (report_detail == D_DETAILED) { - printf("Executable Report\n"); - printf( - "====================================\n"); - printf( - "# date time exe term host auid event\n"); - printf( - "====================================\n"); - } else { - printf("Specific Executable Report\n"); - printf("==========================\n"); - } - break; - case RPT_COMM: - if (report_detail == D_DETAILED) { - printf("Command Report\n"); - printf( - "====================================\n"); - printf( - "# date time comm term host auid event\n"); - printf( - "=====================================\n"); - } else { - printf("Specific command Report\n"); - printf("=======================\n"); - } - break; - case RPT_ANOMALY: - if (report_detail == D_DETAILED) { - printf("Anomaly Report\n"); - printf( - "=========================================\n"); - printf( - "# date time type exe term host auid event\n"); - printf( - "=========================================\n"); - } else { - printf("Specific Anomaly Report\n"); - printf("=======================\n"); - } - break; - case RPT_RESPONSE: - if (report_detail == D_DETAILED) { - printf("Response to Anomaly Report\n"); - printf("==============================\n"); - printf("# date time type success event\n"); - printf("==============================\n"); - } else { - printf("Specific Response to Anomaly Report\n"); - printf("===================================\n"); - } - break; - case RPT_MAC: - if (report_detail == D_DETAILED) { - printf("MAC Report\n"); - printf("===================================\n"); - printf("# date time auid type success event\n"); - printf("===================================\n"); - } else { - printf("Specific Mandatory Access Control (MAC) Report\n"); - printf("===================================\n"); - } - break; - case RPT_INTEG: - if (report_detail == D_DETAILED) { - printf("Integrity Report\n"); - printf("==============================\n"); - printf("# date time type success event\n"); - printf("==============================\n"); - } else { - printf("Specific Integrity Report\n"); - printf("==============================\n"); - } - break; - case RPT_VIRT: - if (report_detail == D_DETAILED) { - printf("Virtualization Report\n"); - printf("==============================\n"); - printf("# date time type success event\n"); - printf("==============================\n"); - } else { - printf("Specific Virtualization Report\n"); - printf("==============================\n"); - } - break; - case RPT_CRYPTO: - if (report_detail == D_DETAILED) { - printf("Crypto Report\n"); - printf("===================================\n"); - printf("# date time auid type success event\n"); - printf("===================================\n"); - } else { - printf("Specific Crypto Report\n"); - printf("===================================\n"); - } - break; - case RPT_KEY: - if (report_detail == D_DETAILED) { - printf("Key Report\n"); - printf( - "===============================================\n"); - printf( - "# date time key success exe auid event\n"); - printf( - "===============================================\n"); - } else { - printf("Specific Key Report\n"); - printf("====================\n"); - } - break; - case RPT_TTY: - if (report_detail == D_DETAILED) { - printf("TTY Report\n"); - printf( - "===============================================\n"); - printf( - "# date time event auid term sess comm data\n"); - printf( - "===============================================\n"); - } else { - printf("Specific TTY Report\n"); - printf("====================\n"); - } - break; - default: - break; - } -} - -void print_per_event_item(llist *l) -{ - char buf[128]; - char name[64]; - char date[32]; - struct tm *tv; - - // The beginning is common to all reports - tv = localtime(&l->e.sec); - strftime(date, sizeof(date), "%x %T", tv); - if (report_type != RPT_AVC) { - line_item++; - printf("%u. %s ", line_item, date); - } - - switch (report_type) - { - case RPT_AVC: - alist_find_avc(l->s.avc); - do { - anode *an = l->s.avc->cur; - line_item++; - printf("%u. %s ", line_item, date); - // command subject syscall action obj res event - safe_print_string(l->s.comm ? l->s.comm : "?", 0); - printf(" %s %s %s %s %s %s %lu\n", - an->scontext, - aulookup_syscall(l, buf,sizeof(buf)), - an->avc_class, an->avc_perm, - an->tcontext, aulookup_result(an->avc_result), - l->e.serial); -//printf("items:%d\n", l->s.avc->cnt); - } while (alist_next_avc(l->s.avc)); - break; - case RPT_CONFIG: - // FIXME:who, action, what, outcome, event - // NOW: type auid success event - printf("%s %s %s %lu\n", - audit_msg_type_to_name(l->head->type), - aulookup_uid(l->s.loginuid, name, sizeof(name)), - aulookup_success(l->s.success), l->e.serial); - break; - case RPT_AUTH: - // who, addr, terminal, exe, success, event - // Special note...uid is used here because that is - // the way that the message works. This is because - // on failed logins, loginuid is not set. - safe_print_string(l->s.acct ? l->s.acct : - aulookup_uid(l->s.uid, name, sizeof(name)), 0); - printf(" %s %s %s %s %lu\n", - l->s.hostname, l->s.terminal, - l->s.exe, aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_LOGIN: - // who, addr, terminal, exe, success, event - // Special note...uid is used here because that is - // the way that the message works. This is because - // on failed logins, loginuid is not set. - safe_print_string(((l->s.success == S_FAILED) && - l->s.acct) ? l->s.acct : - aulookup_uid(l->s.uid, name, sizeof(name)), 0); - printf(" %s %s %s %s %lu\n", - l->s.hostname, l->s.terminal, - l->s.exe, aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_ACCT_MOD: - // who, addr, terminal, exe, success, event - safe_print_string( - aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %s %s %s %s %s %lu\n", - l->s.hostname ? l->s.hostname : "?", - l->s.terminal ? l->s.terminal : "?", - l->s.exe ? l->s.exe : "?", - l->s.acct ? l->s.acct : "?", - aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_EVENT: // report_detail == D_DETAILED - // event, type, who, success - printf("%lu %s ", - l->e.serial, - audit_msg_type_to_name(l->head->type)); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %s\n", aulookup_success(l->s.success)); - break; - case RPT_FILE: // report_detail == D_DETAILED - // file, syscall, success, exe, who, event - slist_first(l->s.filename); - safe_print_string(l->s.filename->cur->str,0); - printf(" %s %s ", - aulookup_syscall(l,buf,sizeof(buf)), - aulookup_success(l->s.success)); - safe_print_string(l->s.exe ? l->s.exe : "?", 0); - putchar(' '); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_HOST: // report_detail == D_DETAILED - // host, syscall, who, event - printf("%s %s ", - l->s.hostname, - aulookup_syscall(l,buf,sizeof(buf))); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_PID: // report_detail == D_DETAILED - // pid, exe, syscall, who, event - printf("%u ", l->s.pid); - safe_print_string(l->s.exe ? l->s.exe : "?", 0); - printf(" %s ", aulookup_syscall(l,buf,sizeof(buf))); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_SYSCALL: // report_detail == D_DETAILED - // syscall, pid, comm, who, event - printf("%s %u ", aulookup_syscall(l,buf,sizeof(buf)), - l->s.pid); - safe_print_string(l->s.comm ? l->s.comm : "?", 0); - putchar(' '); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_TERM: // report_detail == D_DETAILED - // terminal, host, exe, who, event - printf("%s %s ", - l->s.terminal, l->s.hostname); - safe_print_string(l->s.exe, 0); - putchar(' '); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_USER: // report_detail == D_DETAILED - // who, terminal, host, exe, event - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %s %s ", - l->s.terminal ? l->s.terminal : "?", - l->s.hostname ? l->s.hostname : "?"); - safe_print_string(l->s.exe ? l->s.exe : "?", 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_EXE: // report_detail == D_DETAILED - // exe, terminal, host, who, event - safe_print_string(l->s.exe ? l->s.exe : "?", 0); - printf(" %s %s ", - l->s.terminal ? l->s.terminal : "?", - l->s.hostname ? l->s.hostname : "?"); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_COMM: // report_detail == D_DETAILED - // comm, terminal, host, who, event - safe_print_string(l->s.comm ? l->s.comm : "?", 0); - printf(" %s %s ", - l->s.terminal ? l->s.terminal : "?", - l->s.hostname ? l->s.hostname : "?"); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_ANOMALY: // report_detail == D_DETAILED - // type exe term host auid event - printf("%s ", audit_msg_type_to_name(l->head->type)); - safe_print_string(l->s.exe ? l->s.exe : - l->s.comm ? l->s.comm: "?", 0); - printf(" %s %s ", - l->s.terminal ? l->s.terminal : "?", - l->s.hostname ? l->s.hostname : "?"); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_RESPONSE: // report_detail == D_DETAILED - // type success event - printf("%s %s %lu\n", - audit_msg_type_to_name(l->head->type), - aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_MAC: - // auid type success event - printf("%s %s %s %lu\n", - aulookup_uid(l->s.loginuid, name, sizeof(name)), - audit_msg_type_to_name(l->head->type), - aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_INTEG: - // type success event - printf("%s %s %lu\n", - audit_msg_type_to_name(l->head->type), - aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_VIRT: - // type success event - printf("%s %s %lu\n", - audit_msg_type_to_name(l->head->type), - aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_CRYPTO: - // auid type success event - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %s %s %lu\n", - audit_msg_type_to_name(l->head->type), - aulookup_success(l->s.success), - l->e.serial); - break; - case RPT_KEY: // report_detail == D_DETAILED - // key, success, exe, who, event - slist_first(l->s.key); - printf("%s %s ", l->s.key->cur->str, - aulookup_success(l->s.success)); - safe_print_string(l->s.exe ? l->s.exe : "?", 0); - putchar(' '); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %lu\n", l->e.serial); - break; - case RPT_TTY: { - char *ch, *ptr = strstr(l->head->message, "data="); - if (!ptr) - break; - ptr += 5; - ch = strrchr(ptr, ' '); - if (ch) - *ch = 0; - // event who term sess data - printf("%lu ", l->e.serial); - safe_print_string(aulookup_uid(l->s.loginuid, name, - sizeof(name)), 0); - printf(" %s %u ", - l->s.terminal ? l->s.terminal : "?", - l->s.session_id); - safe_print_string(l->s.comm ? l->s.comm: "?", 0); - putchar(' '); - print_tty_data(ptr); - printf("\n"); - } - break; - default: - break; - } -} - -void print_wrap_up(void) -{ - if (report_detail != D_SUM) - return; - - switch (report_type) - { - case RPT_SUMMARY: - do_summary_output(); - break; - case RPT_AVC: - slist_sort_by_hits(&sd.avc_objs); - do_string_summary_output(&sd.avc_objs); - break; - case RPT_CONFIG: /* We will borrow the pid list */ - ilist_sort_by_hits(&sd.pids); - do_type_summary_output(&sd.pids); - break; - case RPT_AUTH: - slist_sort_by_hits(&sd.users); - do_user_summary_output(&sd.users); - break; - case RPT_LOGIN: - slist_sort_by_hits(&sd.users); - do_user_summary_output(&sd.users); - break; - case RPT_ACCT_MOD: /* We will borrow the pid list */ - ilist_sort_by_hits(&sd.pids); - do_type_summary_output(&sd.pids); - break; - case RPT_EVENT: /* We will borrow the pid list */ - ilist_sort_by_hits(&sd.pids); - do_type_summary_output(&sd.pids); - break; - case RPT_FILE: - slist_sort_by_hits(&sd.files); - do_file_summary_output(&sd.files); - break; - case RPT_HOST: - slist_sort_by_hits(&sd.hosts); - do_string_summary_output(&sd.hosts); - break; - case RPT_PID: - ilist_sort_by_hits(&sd.pids); - do_int_summary_output(&sd.pids); - break; - case RPT_SYSCALL: - ilist_sort_by_hits(&sd.sys_list); - do_syscall_summary_output(&sd.sys_list); - break; - case RPT_TERM: - slist_sort_by_hits(&sd.terms); - do_string_summary_output(&sd.terms); - break; - case RPT_USER: - slist_sort_by_hits(&sd.users); - do_user_summary_output(&sd.users); - break; - case RPT_EXE: - slist_sort_by_hits(&sd.exes); - do_file_summary_output(&sd.exes); - break; - case RPT_COMM: - slist_sort_by_hits(&sd.comms); - do_file_summary_output(&sd.comms); - break; - case RPT_ANOMALY: - ilist_sort_by_hits(&sd.anom_list); - do_type_summary_output(&sd.anom_list); - break; - case RPT_RESPONSE: - ilist_sort_by_hits(&sd.resp_list); - do_type_summary_output(&sd.resp_list); - break; - case RPT_MAC: - ilist_sort_by_hits(&sd.mac_list); - do_type_summary_output(&sd.mac_list); - break; - case RPT_INTEG: - ilist_sort_by_hits(&sd.integ_list); - do_type_summary_output(&sd.integ_list); - break; - case RPT_VIRT: - ilist_sort_by_hits(&sd.virt_list); - do_type_summary_output(&sd.virt_list); - break; - case RPT_CRYPTO: - ilist_sort_by_hits(&sd.crypto_list); - do_type_summary_output(&sd.crypto_list); - break; - case RPT_KEY: - slist_sort_by_hits(&sd.keys); - do_file_summary_output(&sd.keys); - break; - default: - break; - } -} - -static void do_summary_output(void) -{ - extern event very_first_event; - extern event very_last_event; - - printf("Range of time in logs: "); - { - struct tm *btm; - char tmp[48]; - - btm = localtime(&very_first_event.sec); - strftime(tmp, sizeof(tmp), "%x %T", btm); - printf("%s.%03d - ", tmp, very_first_event.milli); - btm = localtime(&very_last_event.sec); - strftime(tmp, sizeof(tmp), "%x %T", btm); - printf("%s.%03d\n", tmp, very_last_event.milli); - } - printf("Selected time for report: "); - { - struct tm *btm; - char tmp[48]; - - if (start_time) - btm = localtime(&start_time); - else - btm = localtime(&very_first_event.sec); - strftime(tmp, sizeof(tmp), "%x %T", btm); - printf("%s - ", tmp); - if (end_time) - btm = localtime(&end_time); - else - btm = localtime(&very_last_event.sec); - strftime(tmp, sizeof(tmp), "%x %T", btm); - if (end_time) - printf("%s\n", tmp); - else - printf("%s.%03d\n", tmp, very_last_event.milli); - } - printf("Number of changes in configuration: %lu\n", sd.changes); - printf("Number of changes to accounts, groups, or roles: %lu\n", - sd.acct_changes); - printf("Number of logins: %lu\n", sd.good_logins); - printf("Number of failed logins: %lu\n", sd.bad_logins); - printf("Number of authentications: %lu\n", sd.good_auth); - printf("Number of failed authentications: %lu\n", sd.bad_auth); - printf("Number of users: %u\n", sd.users.cnt); - printf("Number of terminals: %u\n", sd.terms.cnt); - printf("Number of host names: %u\n", sd.hosts.cnt); - printf("Number of executables: %u\n", sd.exes.cnt); - printf("Number of commands: %u\n", sd.comms.cnt); - printf("Number of files: %u\n", sd.files.cnt); - printf("Number of AVC's: %lu\n", sd.avcs); - printf("Number of MAC events: %lu\n", sd.mac); - printf("Number of failed syscalls: %lu\n", sd.failed_syscalls); - printf("Number of anomaly events: %lu\n", sd.anomalies); - printf("Number of responses to anomaly events: %lu\n", sd.responses); - printf("Number of crypto events: %lu\n", sd.crypto); - printf("Number of integrity events: %lu\n", sd.integ); - printf("Number of virt events: %lu\n", sd.virt); - printf("Number of keys: %u\n", sd.keys.cnt); - printf("Number of process IDs: %u\n", sd.pids.cnt); - printf("Number of events: %lu\n", sd.events); - printf("\n"); -} - -static void do_file_summary_output(slist *sptr) -{ - const snode *sn; - - if (sptr->cnt == 0) { - printf("<no events of interest were found>\n\n"); - return; - } - slist_first(sptr); - sn=slist_get_cur(sptr); - while (sn) { - printf("%u ", sn->hits); - safe_print_string(sn->str, 1); - sn=slist_next(sptr); - } -} - -static void do_string_summary_output(slist *sptr) -{ - const snode *sn; - - if (sptr->cnt == 0) { - printf("<no events of interest were found>\n\n"); - return; - } - slist_first(sptr); - sn=slist_get_cur(sptr); - while (sn) { - printf("%u %s\n", sn->hits, sn->str); - sn=slist_next(sptr); - } -} - -static void do_user_summary_output(slist *sptr) -{ - const snode *sn; - - if (sptr->cnt == 0) { - printf("<no events of interest were found>\n\n"); - return; - } - slist_first(sptr); - sn=slist_get_cur(sptr); - while (sn) { - long uid; - char name[64]; - - if (sn->str[0] == '-' || isdigit(sn->str[0])) { - uid = strtol(sn->str, NULL, 10); - printf("%u ", sn->hits); - safe_print_string(aulookup_uid(uid, name, - sizeof(name)), 1); - } else { - printf("%u ", sn->hits); - safe_print_string(sn->str, 1); - } - sn=slist_next(sptr); - } -} - -static void do_int_summary_output(ilist *sptr) -{ - const int_node *in; - - if (sptr->cnt == 0) { - printf("<no events of interest were found>\n\n"); - return; - } - ilist_first(sptr); - in=ilist_get_cur(sptr); - while (in) { - printf("%u %d\n", in->hits, in->num); - in=ilist_next(sptr); - } -} - -static void do_syscall_summary_output(ilist *sptr) -{ - const int_node *in; - - if (sptr->cnt == 0) { - printf("<no events of interest were found>\n\n"); - return; - } - ilist_first(sptr); - in=ilist_get_cur(sptr); - while (in) { - const char *sys = NULL; - int machine = audit_elf_to_machine(in->aux1); - if (machine >= 0) - sys = audit_syscall_to_name(in->num, machine); - if (sys) - printf("%u %s\n", in->hits, sys); - else - printf("%u %d\n", in->hits, in->num); - in=ilist_next(sptr); - } -} - -static void do_type_summary_output(ilist *sptr) -{ - const int_node *in; - - if (sptr->cnt == 0) { - printf("<no events of interest were found>\n\n"); - return; - } - ilist_first(sptr); - in=ilist_get_cur(sptr); - while (in) { - const char *name = audit_msg_type_to_name(in->num); - if (report_format == RPT_DEFAULT) - printf("%u %d\n", in->hits, in->num); - else - printf("%u %s\n", in->hits, name); - in=ilist_next(sptr); - } -} - |