diff options
Diffstat (limited to 'framework/src/audit/src/ausearch-options.c')
-rw-r--r-- | framework/src/audit/src/ausearch-options.c | 1175 |
1 files changed, 0 insertions, 1175 deletions
diff --git a/framework/src/audit/src/ausearch-options.c b/framework/src/audit/src/ausearch-options.c deleted file mode 100644 index 50469723..00000000 --- a/framework/src/audit/src/ausearch-options.c +++ /dev/null @@ -1,1175 +0,0 @@ -/* ausearch-options.c - parse commandline options and configure ausearch - * Copyright 2005-08,2010-11,2014 Red Hat Inc., Durham, North Carolina. - * Copyright (c) 2011 IBM Corp. - * All Rights Reserved. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - * - * Authors: - * Debora Velarde <dvelarde@us.ibm.com> - * Steve Grubb <sgrubb@redhat.com> - * Marcelo Henrique Cerri <mhcerri@br.ibm.com> - */ - -#include "config.h" -#include <string.h> -#include <ctype.h> -#include <stdlib.h> -#include <stdio.h> -#include <errno.h> -#include <pwd.h> -#include <grp.h> -#include "ausearch-options.h" -#include "ausearch-time.h" -#include "ausearch-int.h" -#include "libaudit.h" - - -/* Global vars that will be accessed by the main program */ -char *user_file = NULL; -int force_logs = 0; - -/* Global vars that will be accessed by the match model */ -unsigned int event_id = -1; -gid_t event_gid = -1, event_egid = -1; -ilist *event_type = NULL; -pid_t event_pid = -1, event_ppid = -1; -success_t event_success = S_UNSET; -int event_exact_match = 0; -uid_t event_uid = -1, event_euid = -1, event_loginuid = -2; -int event_syscall = -1, event_machine = -1; -int event_ua = 0, event_ga = 0, event_se = 0; -int just_one = 0; -uint32_t event_session_id = -2; -long long event_exit = 0; -int event_exit_is_set = 0; -int line_buffered = 0; -int event_debug = 0; -int checkpt_timeonly = 0; -const char *event_key = NULL; -const char *event_filename = NULL; -const char *event_exe = NULL; -const char *event_comm = NULL; -const char *event_hostname = NULL; -const char *event_terminal = NULL; -const char *event_subject = NULL; -const char *event_object = NULL; -const char *event_uuid = NULL; -const char *event_vmname = NULL; -const char *checkpt_filename = NULL; /* checkpoint filename if present */ -report_t report_format = RPT_DEFAULT; -ilist *event_type; - -slist *event_node_list = NULL; - -struct nv_pair { - int value; - const char *name; -}; - - -enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP, -S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS, -S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, -S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT, -S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT, -S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH }; - -static struct nv_pair optiontab[] = { - { S_EVENT, "-a" }, - { S_ARCH, "--arch" }, - { S_EVENT, "--event" }, - { S_COMM, "-c" }, - { S_COMM, "--comm" }, - { S_CHECKPOINT, "--checkpoint" }, - { S_DEBUG, "--debug" }, - { S_EXIT, "-e" }, - { S_EXIT, "--exit" }, - { S_FILENAME, "-f" }, - { S_FILENAME, "--file" }, - { S_ALL_GID, "-ga" }, - { S_ALL_GID, "--gid-all" }, - { S_EFF_GID, "-ge" }, - { S_EFF_GID, "--gid-effective" }, - { S_GID, "-gi" }, - { S_GID, "--gid" }, - { S_HELP, "-h" }, - { S_HELP, "--help" }, - { S_HOSTNAME, "-hn" }, - { S_HOSTNAME, "--host" }, - { S_INTERP, "-i" }, - { S_INTERP, "--interpret" }, - { S_INFILE, "-if" }, - { S_INFILE, "--input" }, - { S_IN_LOGS, "--input-logs" }, - { S_JUST_ONE, "--just-one" }, - { S_KEY, "-k" }, - { S_KEY, "--key" }, - { S_LINEBUFFERED, "-l" }, - { S_LINEBUFFERED, "--line-buffered" }, - { S_MESSAGE_TYPE, "-m" }, - { S_MESSAGE_TYPE, "--message" }, - { S_NODE, "-n" }, - { S_NODE, "--node" }, - { S_OBJECT, "-o" }, - { S_OBJECT, "--object" }, - { S_PID, "-p" }, - { S_PID, "--pid" }, - { S_PPID, "-pp" }, - { S_PPID, "--ppid" }, - { S_RAW, "-r" }, - { S_RAW, "--raw" }, - { S_SYSCALL, "-sc" }, - { S_SYSCALL, "--syscall" }, - { S_CONTEXT, "-se" }, - { S_CONTEXT, "--context" }, - { S_SESSION, "--session" }, - { S_SUBJECT, "-su" }, - { S_SUBJECT, "--subject" }, - { S_OSUCCESS, "-sv" }, - { S_OSUCCESS, "--success" }, - { S_TIME_END, "-te"}, - { S_TIME_END, "--end"}, - { S_TIME_START, "-ts" }, - { S_TIME_START, "--start" }, - { S_TERMINAL, "-tm" }, - { S_TERMINAL, "--terminal" }, - { S_ALL_UID, "-ua" }, - { S_ALL_UID, "--uid-all" }, - { S_EFF_UID, "-ue" }, - { S_EFF_UID, "--uid-effective" }, - { S_UID, "-ui" }, - { S_UID, "--uid" }, - { S_UUID, "-uu" }, - { S_UUID, "--uuid" }, - { S_LOGINID, "-ul" }, - { S_LOGINID, "--loginuid" }, - { S_VERSION, "-v" }, - { S_VERSION, "--version" }, - { S_VMNAME, "-vm" }, - { S_VMNAME, "--vm-name" }, - { S_EXACT_MATCH, "-w" }, - { S_EXACT_MATCH, "--word" }, - { S_EXECUTABLE, "-x" }, - { S_EXECUTABLE, "--executable" } -}; -#define OPTION_NAMES (sizeof(optiontab)/sizeof(optiontab[0])) - - -static int audit_lookup_option(const char *name) -{ - int i; - - for (i = 0; i < OPTION_NAMES; i++) - if (!strcmp(optiontab[i].name, name)) - return optiontab[i].value; - return -1; -} - -static void usage(void) -{ - printf("usage: ausearch [options]\n" - "\t-a,--event <Audit event id>\tsearch based on audit event id\n" - "\t--arch <CPU>\t\t\tsearch based on the CPU architecture\n" - "\t-c,--comm <Comm name>\t\tsearch based on command line name\n" - "\t--checkpoint <checkpoint file>\tsearch from last complete event\n" - "\t--debug\t\t\tWrite malformed events that are skipped to stderr\n" - "\t-e,--exit <Exit code or errno>\tsearch based on syscall exit code\n" - "\t-f,--file <File name>\t\tsearch based on file name\n" - "\t-ga,--gid-all <all Group id>\tsearch based on All group ids\n" - "\t-ge,--gid-effective <effective Group id> search based on Effective\n\t\t\t\t\tgroup id\n" - "\t-gi,--gid <Group Id>\t\tsearch based on group id\n" - "\t-h,--help\t\t\thelp\n" - "\t-hn,--host <Host Name>\t\tsearch based on remote host name\n" - "\t-i,--interpret\t\t\tInterpret results to be human readable\n" - "\t-if,--input <Input File name>\tuse this file instead of current logs\n" - "\t--input-logs\t\t\tUse the logs even if stdin is a pipe\n" - "\t--just-one\t\t\tEmit just one event\n" - "\t-k,--key <key string>\t\tsearch based on key field\n" - "\t-l, --line-buffered\t\tFlush output on every line\n" - "\t-m,--message <Message type>\tsearch based on message type\n" - "\t-n,--node <Node name>\t\tsearch based on machine's name\n" - "\t-o,--object <SE Linux Object context> search based on context of object\n" - "\t-p,--pid <Process id>\t\tsearch based on process id\n" - "\t-pp,--ppid <Parent Process id>\tsearch based on parent process id\n" - "\t-r,--raw\t\t\toutput is completely unformatted\n" - "\t-sc,--syscall <SysCall name>\tsearch based on syscall name or number\n" - "\t-se,--context <SE Linux context> search based on either subject or\n\t\t\t\t\t object\n" - "\t--session <login session id>\tsearch based on login session id\n" - "\t-su,--subject <SE Linux context> search based on context of the Subject\n" - "\t-sv,--success <Success Value>\tsearch based on syscall or event\n\t\t\t\t\tsuccess value\n" - "\t-te,--end [end date] [end time]\tending date & time for search\n" - "\t-ts,--start [start date] [start time]\tstarting data & time for search\n" - "\t-tm,--terminal <TerMinal>\tsearch based on terminal\n" - "\t-ua,--uid-all <all User id>\tsearch based on All user id's\n" - "\t-ue,--uid-effective <effective User id> search based on Effective\n\t\t\t\t\tuser id\n" - "\t-ui,--uid <User Id>\t\tsearch based on user id\n" - "\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n" - "\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n" - "\t\t\t\t\tmachine with the given UUID.\n" - "\t-v,--version\t\t\tversion\n" - "\t-vm,--vm-name <guest name>\tsearch for events related to the virtual\n" - "\t\t\t\t\tmachine with the name.\n" - "\t-w,--word\t\t\tstring matches are whole word\n" - "\t-x,--executable <executable name> search based on executable name\n" - ); -} - -static int convert_str_to_msg(const char *optarg) -{ - int tmp, retval = 0; - - if (isdigit(optarg[0])) { - errno = 0; - tmp = strtoul(optarg, NULL, 10); - if (errno) { - fprintf(stderr, - "Numeric message type conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - tmp = audit_name_to_msg_type(optarg); - if (tmp < 0) - retval = -1; - } - if (retval == 0) { - if (event_type == NULL) { - event_type = malloc(sizeof(ilist)); - if (event_type == NULL) - return -1; - ilist_create(event_type); - } - ilist_append(event_type, tmp, 1, 0); - } - return retval; -} - -static int parse_msg(const char *optarg) -{ - int retval = 0; - char *saved; - - if (strchr(optarg, ',')) { - char *ptr, *tmp = strdup(optarg); - if (tmp == NULL) - return -1; - ptr = strtok_r(tmp, ",", &saved); - while (ptr) { - retval = convert_str_to_msg(ptr); - if (retval != 0) - break; - ptr = strtok_r(NULL, ",", &saved); - } - free(tmp); - return retval; - } - - return convert_str_to_msg(optarg); -} - -/* - * This function examines the commandline parameters and sets various - * search options. It returns a 0 on success and < 0 on failure - */ -int check_params(int count, char *vars[]) -{ - int c = 1; - int retval = 0; - const char *optarg; - - if (count < 2) { - usage(); - return -1; - } - while (c < count && retval == 0) { - // Go ahead and point to the next argument - if (c+1 < count) { - if (vars[c+1][0] != '-') - optarg = vars[c+1]; - else - optarg = NULL; - } else - optarg = NULL; - - switch (audit_lookup_option(vars[c])) { - case S_EVENT: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_id = strtoul(optarg, NULL, 10); - if (errno) { - fprintf(stderr, - "Illegal value for audit event ID"); - retval = -1; - } - c++; - } else { - fprintf(stderr, - "Audit event id must be a numeric value, was %s\n", - optarg); - retval = -1; - } - break; - case S_COMM: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } else { - event_comm = strdup(optarg); - if (event_comm == NULL) - retval = -1; - c++; - } - break; - case S_FILENAME: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_filename = strdup(optarg); - if (event_filename == NULL) - retval = -1; - c++; - } - break; - case S_KEY: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_key = strdup(optarg); - if (event_key == NULL) - retval = -1; - c++; - } - break; - case S_ALL_GID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_gid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric group ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - struct group *gr ; - - gr = getgrnam(optarg) ; - if (gr == NULL) { - fprintf(stderr, - "Group ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_gid = gr->gr_gid; - } - event_egid = event_gid; - event_ga = 1; - c++; - break; - case S_EFF_GID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_egid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric group ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - struct group *gr ; - - gr = getgrnam(optarg) ; - if (gr == NULL) { - fprintf(stderr, - "Effective group ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_egid = gr->gr_gid; - } - c++; - break; - case S_GID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_gid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric group ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - struct group *gr ; - - gr = getgrnam(optarg) ; - if (gr == NULL) { - fprintf(stderr, - "Group ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_gid = gr->gr_gid; - } - c++; - break; - case S_HELP: - usage(); - exit(0); - break; - case S_HOSTNAME: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_hostname = strdup(optarg); - if (event_hostname == NULL) - retval = -1; - c++; - } - break; - case S_INTERP: - if (report_format == RPT_DEFAULT) - report_format = RPT_INTERP; - else { - fprintf(stderr, - "Conflicting output format %s\n", - vars[c]); - retval = -1; - } - if (optarg) { - fprintf(stderr, - "Argument is NOT required for %s\n", - vars[c]); - retval = -1; - } - break; - case S_INFILE: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - user_file = strdup(optarg); - if (user_file == NULL) - retval = -1; - c++; - } - break; - case S_MESSAGE_TYPE: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - if (strcasecmp(optarg, "ALL") != 0) { - retval = parse_msg(optarg); - } - c++; - } - if (retval < 0) { - int i; - fprintf(stderr, - "Valid message types are: ALL "); - for (i=AUDIT_USER;i<=AUDIT_LAST_VIRT_MSG;i++){ - const char *name; - if (i == AUDIT_WATCH_INS) // Skip a few - i = AUDIT_FIRST_USER_MSG; - name = audit_msg_type_to_name(i); - if (name) - fprintf(stderr, "%s ", name); - } - fprintf(stderr, "\n"); - } - break; - case S_OBJECT: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } else { - event_object = strdup(optarg); - if (event_object == NULL) - retval = -1; - c++; - } - break; - case S_PPID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_ppid = strtol(optarg,NULL,10); - if (errno) - retval = -1; - c++; - } else { - fprintf(stderr, - "Parent process id must be a numeric value, was %s\n", - optarg); - retval = -1; - } - break; - case S_PID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_pid = strtol(optarg,NULL,10); - if (errno) - retval = -1; - c++; - } else { - fprintf(stderr, - "Process id must be a numeric value, was %s\n", - optarg); - retval = -1; - } - break; - case S_RAW: - if (report_format == RPT_DEFAULT) - report_format = RPT_RAW; - else { - fprintf(stderr, - "Conflicting output format --raw\n"); - retval = -1; - } - if (optarg) { - fprintf(stderr, - "Argument is NOT required for --raw\n"); - retval = -1; - } - break; - case S_NODE: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - snode sn; - c++; - - if (!event_node_list) { - event_node_list = malloc(sizeof (slist)); - if (!event_node_list) { - retval = -1; - break; - } - slist_create(event_node_list); - } - - sn.str = strdup(optarg); - sn.key = NULL; - sn.hits=0; - slist_append(event_node_list, &sn); - } - break; - case S_SYSCALL: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_syscall = (int)strtoul(optarg, NULL, 10); - if (errno) { - fprintf(stderr, - "Syscall numeric conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - if (event_machine == -1) { - int machine; - machine = audit_detect_machine(); - if (machine < 0) { - fprintf(stderr, - "Error detecting machine type"); - retval = -1; - break; - } - event_machine = machine; - } - event_syscall = audit_name_to_syscall(optarg, - event_machine); - if (event_syscall == -1) { - fprintf(stderr, - "Syscall %s not found\n", - optarg); - retval = -1; - } - } - c++; - break; - case S_CONTEXT: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } else { - event_subject = strdup(optarg); - if (event_subject == NULL) - retval = -1; - event_object = strdup(optarg); - if (event_object == NULL) - retval = -1; - event_se = 1; - c++; - } - break; - case S_SUBJECT: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } else { - event_subject = strdup(optarg); - if (event_subject == NULL) - retval = -1; - c++; - } - break; - case S_OSUCCESS: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if ( (strstr(optarg, "yes")!=NULL) || - (strstr(optarg, "no")!=NULL) ) { - if (strcmp(optarg, "yes") == 0) - event_success = S_SUCCESS; - else - event_success = S_FAILED; - } else { - fprintf(stderr, - "Success must be 'yes' or 'no'.\n"); - retval = -1; - } - c++; - break; - case S_SESSION: - if (!optarg) { - if ((c+1 < count) && vars[c+1]) - optarg = vars[c+1]; - else { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - } - { - size_t len = strlen(optarg); - if (isdigit(optarg[0])) { - errno = 0; - event_session_id = strtoul(optarg,NULL,10); - if (errno) - retval = -1; - c++; - } else if (len >= 2 && *(optarg)=='-' && - (isdigit(optarg[1]))) { - errno = 0; - event_session_id = strtoul(optarg, NULL, 0); - if (errno) { - retval = -1; - fprintf(stderr, "Error converting %s\n", - optarg); - } - c++; - } else { - fprintf(stderr, - "Session id must be a numeric value, was %s\n", - optarg); - retval = -1; - } - } - break; - case S_EXIT: - if (!optarg) { - if ((c+1 < count) && vars[c+1]) - optarg = vars[c+1]; - else { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - } - { - size_t len = strlen(optarg); - if (isdigit(optarg[0])) { - errno = 0; - event_exit = strtoll(optarg, NULL, 0); - if (errno) { - retval = -1; - fprintf(stderr, "Error converting %s\n", - optarg); - } - } else if (len >= 2 && *(optarg)=='-' && - (isdigit(optarg[1]))) { - errno = 0; - event_exit = strtoll(optarg, NULL, 0); - if (errno) { - retval = -1; - fprintf(stderr, "Error converting %s\n", - optarg); - } - } else { - event_exit = audit_name_to_errno(optarg); - if (event_exit == 0) { - retval = -1; - fprintf(stderr, - "Unknown errno, was %s\n", - optarg); - } - } - c++; - if (retval != -1) - event_exit_is_set = 1; - } - break; - case S_TIME_END: - if (optarg) { - if ( (c+2 < count) && vars[c+2] && - (vars[c+2][0] != '-') ) { - /* Have both date and time - check order*/ - if (strchr(optarg, ':')) { - if (ausearch_time_end(vars[c+2], - optarg) != 0) - retval = -1; - } else { - if (ausearch_time_end(optarg, - vars[c+2]) != 0) - retval = -1; - } - c++; - } else { - // Check against recognized words - int t = lookup_time(optarg); - if (t >= 0) { - if (ausearch_time_end(optarg, - NULL) != 0) - retval = -1; - } else if ( (strchr(optarg, ':')) == NULL) { - /* Only have date */ - if (ausearch_time_end(optarg, - NULL) != 0) - retval = -1; - } else { - /* Only have time */ - if (ausearch_time_end(NULL, - optarg) != 0) - retval = -1; - } - } - c++; - break; - } - fprintf(stderr, - "%s requires either date and/or time\n", - vars[c]); - retval = -1; - break; - case S_TIME_START: - if (optarg) { - if ( (c+2 < count) && vars[c+2] && - (vars[c+2][0] != '-') ) { - /* Have both date and time - check order */ - if (strchr(optarg, ':')) { - if (ausearch_time_start( - vars[c+2], optarg) != 0) - retval = -1; - } else { - if (ausearch_time_start(optarg, - vars[c+2]) != 0) - retval = -1; - } - c++; - } else { - // Check against recognized words - int t = lookup_time(optarg); - if (t >= 0) { - if (ausearch_time_start(optarg, - "00:00:00") != 0) - retval = -1; - } else if (strcmp(optarg, - "checkpoint") == 0) { - // Only use the timestamp from within - // the checkpoint file - checkpt_timeonly++; - } else if (strchr(optarg, ':') == NULL){ - /* Only have date */ - if (ausearch_time_start(optarg, - "00:00:00") != 0) - retval = -1; - } else { - /* Only have time */ - if (ausearch_time_start(NULL, - optarg) != 0) - retval = -1; - } - } - c++; - break; - } - fprintf(stderr, - "%s requires either date and/or time\n", - vars[c]); - retval = -1; - break; - case S_TERMINAL: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_terminal = strdup(optarg); - if (event_terminal == NULL) - retval = -1; - c++; - } - break; - case S_UID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_uid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric user ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - struct passwd *pw; - - pw = getpwnam(optarg); - if (pw == NULL) { - fprintf(stderr, - "Effective user ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_uid = pw->pw_uid; - } - c++; - break; - case S_EFF_UID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_euid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric user ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - struct passwd *pw ; - - pw = getpwnam(optarg) ; - if (pw == NULL) { - fprintf(stderr, - "User ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_euid = pw->pw_uid; - } - c++; - break; - case S_ALL_UID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (isdigit(optarg[0])) { - errno = 0; - event_uid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric user ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else { - struct passwd *pw ; - - pw = getpwnam(optarg) ; - if (pw == NULL) { - fprintf(stderr, - "User ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_uid = pw->pw_uid; - } - event_ua = 1; - event_euid = event_uid; - event_loginuid = event_uid; - c++; - break; - case S_LOGINID: - if (!optarg) { - if ((c+1 < count) && vars[c+1]) - optarg = vars[c+1]; - else { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - } - { - size_t len = strlen(optarg); - if (isdigit(optarg[0])) { - errno = 0; - event_loginuid = strtoul(optarg,NULL,10); - if (errno) { - fprintf(stderr, - "Numeric user ID conversion error (%s) for %s\n", - strerror(errno), optarg); - retval = -1; - } - } else if (len >= 2 && *(optarg)=='-' && - (isdigit(optarg[1]))) { - errno = 0; - event_loginuid = strtol(optarg, NULL, 0); - if (errno) { - retval = -1; - fprintf(stderr, "Error converting %s\n", - optarg); - } - } else { - struct passwd *pw ; - - pw = getpwnam(optarg) ; - if (pw == NULL) { - fprintf(stderr, - "Login user ID is non-numeric and unknown (%s)\n", - optarg); - retval = -1; - break; - } - event_loginuid = pw->pw_uid; - } - } - c++; - break; - case S_UUID: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_uuid = strdup(optarg); - if (event_uuid == NULL) { - retval = -1; - } - c++; - } - break; - case S_VMNAME: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_vmname= strdup(optarg); - if (event_vmname == NULL) { - retval = -1; - } - c++; - } - break; - case S_VERSION: - printf("ausearch version %s\n", VERSION); - exit(0); - break; - case S_EXACT_MATCH: - event_exact_match=1; - break; - case S_IN_LOGS: - force_logs = 1; - break; - case S_JUST_ONE: - just_one = 1; - break; - case S_EXECUTABLE: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - event_exe = strdup(optarg); - if (event_exe == NULL) - retval = -1; - c++; - } - break; - case S_LINEBUFFERED: - line_buffered = 1; - break; - case S_DEBUG: - event_debug = 1; - break; - case S_CHECKPOINT: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - } else { - checkpt_filename = strdup(optarg); - if (checkpt_filename == NULL) - retval = -1; - c++; - } - break; - case S_ARCH: - if (!optarg) { - fprintf(stderr, - "Argument is required for %s\n", - vars[c]); - retval = -1; - break; - } - if (event_machine != -1) { - if (event_syscall != -1) - fprintf(stderr, - "Arch needs to be defined before the syscall\n"); - else - fprintf(stderr, - "Arch is already defined\n"); - retval = -1; - break; - } else { - int machine = audit_determine_machine(optarg); - if (machine < 0) { - fprintf(stderr, "Unknown arch %s\n", - optarg); - retval = -1; - } - event_machine = machine; - } - c++; - break; - default: - fprintf(stderr, "%s is an unsupported option\n", - vars[c]); - retval = -1; - break; - } - c++; - } - - return retval; -} - |