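/*
 * aureport-output.c - Print the report
 * Copyright (c) 2005-06,2008,2014 Red Hat Inc., Durham, North Carolina.
 * All Rights Reserved.
 *
 * This software may be freely redistributed and/or modified under the
 * terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 2, or (at your option) any
 * later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; see the file COPYING. If not, write to the
 * Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 * Authors:
 *   Steve Grubb
 */

#include "config.h"
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "aureport-scan.h"
#include "aureport-options.h"
#include "ausearch-lookup.h"

/* Local functions */
static void print_banner(const char *title, const char *rule,
			 const char *columns);
static void print_field(const char *s);
static void print_msg_type(int type);
static void format_time(time_t when, char *out, size_t len);
static const char *first_string(slist *sptr);
static void print_slist_hits(slist *sptr);
static void print_title_summary(void);
static void print_title_detailed(void);
static void do_summary_output(void);
static void do_file_summary_output(slist *sptr);
static void do_string_summary_output(slist *sptr);
static void do_user_summary_output(slist *sptr);
static void do_int_summary_output(ilist *sptr);
static void do_syscall_summary_output(ilist *sptr);
static void do_type_summary_output(ilist *sptr);

/* Local Data */
unsigned int line_item;	/* running row number, reset by print_title() */

/*
 * Print a report banner: the title and a rule line, then - when columns
 * is not NULL - the column header followed by the rule line again.
 */
static void print_banner(const char *title, const char *rule,
			 const char *columns)
{
	printf("%s\n", title);
	printf("%s\n", rule);
	if (columns) {
		printf("%s\n", columns);
		printf("%s\n", rule);
	}
}

/*
 * Print one string field taken from an audit record, without a newline.
 *
 * Record fields (acct, comm, exe, hostname, terminal, file names, keys,
 * SELinux contexts) come from the log and must not be trusted, so every
 * one of them goes through safe_print_string(), the routine this file
 * already used for part of them, instead of a raw "%s".
 * NOTE(review): safe_print_string() is defined elsewhere; presumably it
 * escapes non-printable bytes - confirm against its definition.
 * A NULL field is printed as "?", the placeholder this file already used,
 * because passing NULL to "%s" is undefined behavior.
 */
static void print_field(const char *s)
{
	safe_print_string(s ? s : "?", 0);
}

/*
 * Print the name of an audit message type, falling back to the number
 * when audit_msg_type_to_name() has no name for it (NULL must never
 * reach "%s").
 */
static void print_msg_type(int type)
{
	const char *tname = audit_msg_type_to_name(type);

	if (tname)
		printf("%s", tname);
	else
		printf("%d", type);
}

/*
 * Format a timestamp as "%x %T" in local time into out. localtime() can
 * fail and strftime() can return 0 leaving the buffer unspecified; in
 * both cases out is set to "?" so callers always get a valid string.
 */
static void format_time(time_t when, char *out, size_t len)
{
	const struct tm *tv = localtime(&when);

	if (tv == NULL || strftime(out, len, "%x %T", tv) == 0)
		snprintf(out, len, "?");
}

/*
 * Rewind a string list and return the string of its first node, or NULL
 * when the list pointer is NULL or the list has no current node.
 */
static const char *first_string(slist *sptr)
{
	const snode *sn;

	if (sptr == NULL)
		return NULL;
	slist_first(sptr);
	sn = slist_get_cur(sptr);
	return sn ? sn->str : NULL;
}

/*
 * Reset the row counter and print the heading that matches the selected
 * report_detail level. D_SPECIFIC reports get only the blank line.
 */
void print_title(void)
{
	line_item = 0U;
	printf("\n");
	switch (report_detail)
	{
		case D_SUM:
			print_title_summary();
			break;
		case D_DETAILED:
			print_title_detailed();
			break;
		case D_SPECIFIC:
		default:
			break;
	}
}

/*
 * Print the heading of a summary report, prefixed with "Failed " or
 * "Success " when the report is restricted by event_failed.
 */
static void print_title_summary(void)
{
	if (event_failed == F_FAILED)
		printf("Failed ");
	if (event_failed == F_SUCCESS)
		printf("Success ");

	switch (report_type)
	{
		case RPT_SUMMARY:
			print_banner("Summary Report",
				"======================", NULL);
			break;
		case RPT_AVC:
			print_banner("Avc Object Summary Report",
				"=================================",
				"total obj");
			break;
		case RPT_MAC:
			print_banner("MAC Summary Report",
				"==================",
				"total type");
			break;
		case RPT_INTEG:
			print_banner("Integrity Summary Report",
				"========================",
				"total type");
			break;
		case RPT_VIRT:
			print_banner("Virtualization Summary Report",
				"=============================",
				"total type");
			break;
		case RPT_CONFIG:
			print_banner("Config Change Summary Report",
				"============================",
				"total type");
			break;
		case RPT_AUTH:
			print_banner("Authentication Summary Report",
				"=============================",
				"total acct");
			break;
		case RPT_LOGIN:
			print_banner("Login Summary Report",
				"============================",
				"total auid");
			break;
		case RPT_ACCT_MOD:
			print_banner("Acct Modification Summary Report",
				"================================",
				"total type");
			break;
		case RPT_TIME:
			UNIMPLEMENTED;
			break;
		case RPT_EVENT:
			print_banner("Event Summary Report",
				"======================",
				"total type");
			break;
		case RPT_FILE:
			print_banner("File Summary Report",
				"===========================",
				"total file");
			break;
		case RPT_HOST:
			print_banner("Host Summary Report",
				"===========================",
				"total host");
			break;
		case RPT_PID:
			print_banner("Pid Summary Report",
				"==========================",
				"total pid");
			break;
		case RPT_SYSCALL:
			print_banner("Syscall Summary Report",
				"==========================",
				"total syscall");
			break;
		case RPT_TERM:
			print_banner("Terminal Summary Report",
				"===============================",
				"total terminal");
			break;
		case RPT_USER:
			print_banner("User Summary Report",
				"===========================",
				"total auid");
			break;
		case RPT_EXE:
			print_banner("Executable Summary Report",
				"=================================",
				"total file");
			break;
		case RPT_COMM:
			print_banner("Command Summary Report",
				"=================================",
				"total command");
			break;
		case RPT_ANOMALY:
			print_banner("Anomaly Summary Report",
				"======================",
				"total type");
			break;
		case RPT_RESPONSE:
			print_banner("Anomaly Response Summary Report",
				"===============================",
				"total type");
			break;
		case RPT_CRYPTO:
			print_banner("Crypto Summary Report",
				"=====================",
				"total type");
			break;
		case RPT_KEY:
			print_banner("Key Summary Report",
				"===========================",
				"total key");
			break;
		case RPT_TTY:
			UNIMPLEMENTED;
			break;
		default:
			break;
	}
}

/*
 * Print the heading and column names of a per-event report.
 *
 * print_title() calls this only for D_DETAILED, so the "Specific ..."
 * branches below are not reached from this file; they are kept as they
 * were.
 */
static void print_title_detailed(void)
{
	switch (report_type)
	{
		case RPT_AVC:
			print_banner("AVC Report",
		"========================================================",
		"# date time comm subj syscall class permission obj event");
			break;
		case RPT_CONFIG:
			print_banner("Config Change Report",
				"===================================",
				"# date time type auid success event");
			break;
		case RPT_AUTH:
			print_banner("Authentication Report",
				"============================================",
				"# date time acct host term exe success event");
			break;
		case RPT_LOGIN:
			print_banner("Login Report",
				"============================================",
				"# date time auid host term exe success event");
			break;
		case RPT_ACCT_MOD:
			print_banner("Account Modifications Report",
			"=================================================",
			"# date time auid addr term exe acct success event");
			break;
		case RPT_TIME:
			print_banner("Log Time Range Report",
				"=====================", NULL);
			break;
		case RPT_EVENT:
			if (report_detail == D_DETAILED)
				print_banner("Event Report",
					"===================================",
					"# date time event type auid success");
			else
				print_banner("Specific Event Report",
					"=====================", NULL);
			break;
		case RPT_FILE:
			if (report_detail == D_DETAILED)
				print_banner("File Report",
			"===============================================",
			"# date time file syscall success exe auid event");
			else
				print_banner("Specific File Report",
					"====================", NULL);
			break;
		case RPT_HOST:
			if (report_detail == D_DETAILED)
				print_banner("Host Report",
					"===================================",
					"# date time host syscall auid event");
			else
				print_banner("Specific Host Report",
					"====================", NULL);
			break;
		case RPT_PID:
			if (report_detail == D_DETAILED)
				print_banner("Process ID Report",
					"======================================",
					"# date time pid exe syscall auid event");
			else
				print_banner("Specific Process ID Report",
					"==========================", NULL);
			break;
		case RPT_SYSCALL:
			if (report_detail == D_DETAILED)
				print_banner("Syscall Report",
					"=======================================",
					"# date time syscall pid comm auid event");
			else
				print_banner("Specific Syscall Report",
					"=======================", NULL);
			break;
		case RPT_TERM:
			if (report_detail == D_DETAILED)
				print_banner("Terminal Report",
					"====================================",
					"# date time term host exe auid event");
			else
				print_banner("Specific Terminal Report",
					"========================", NULL);
			break;
		case RPT_USER:
			if (report_detail == D_DETAILED)
				print_banner("User ID Report",
					"====================================",
					"# date time auid term host exe event");
			else
				print_banner("Specific User ID Report",
					"=======================", NULL);
			break;
		case RPT_EXE:
			if (report_detail == D_DETAILED)
				print_banner("Executable Report",
					"====================================",
					"# date time exe term host auid event");
			else
				print_banner("Specific Executable Report",
					"==========================", NULL);
			break;
		case RPT_COMM:
			if (report_detail == D_DETAILED) {
				// The two rule lines differ in length here,
				// so they are printed as they always were
				// rather than through print_banner().
				printf("Command Report\n");
				printf(
				  "====================================\n");
				printf(
				  "# date time comm term host auid event\n");
				printf(
				  "=====================================\n");
			} else
				print_banner("Specific command Report",
					"=======================", NULL);
			break;
		case RPT_ANOMALY:
			if (report_detail == D_DETAILED)
				print_banner("Anomaly Report",
				"=========================================",
				"# date time type exe term host auid event");
			else
				print_banner("Specific Anomaly Report",
					"=======================", NULL);
			break;
		case RPT_RESPONSE:
			if (report_detail == D_DETAILED)
				print_banner("Response to Anomaly Report",
					"==============================",
					"# date time type success event");
			else
				print_banner(
					"Specific Response to Anomaly Report",
					"===================================",
					NULL);
			break;
		case RPT_MAC:
			if (report_detail == D_DETAILED)
				print_banner("MAC Report",
					"===================================",
					"# date time auid type success event");
			else
				print_banner(
			"Specific Mandatory Access Control (MAC) Report",
					"===================================",
					NULL);
			break;
		case RPT_INTEG:
			if (report_detail == D_DETAILED)
				print_banner("Integrity Report",
					"==============================",
					"# date time type success event");
			else
				print_banner("Specific Integrity Report",
					"==============================",
					NULL);
			break;
		case RPT_VIRT:
			if (report_detail == D_DETAILED)
				print_banner("Virtualization Report",
					"==============================",
					"# date time type success event");
			else
				print_banner("Specific Virtualization Report",
					"==============================",
					NULL);
			break;
		case RPT_CRYPTO:
			if (report_detail == D_DETAILED)
				print_banner("Crypto Report",
					"===================================",
					"# date time auid type success event");
			else
				print_banner("Specific Crypto Report",
					"===================================",
					NULL);
			break;
		case RPT_KEY:
			if (report_detail == D_DETAILED)
				print_banner("Key Report",
			"===============================================",
			"# date time key success exe auid event");
			else
				print_banner("Specific Key Report",
					"====================", NULL);
			break;
		case RPT_TTY:
			if (report_detail == D_DETAILED)
				print_banner("TTY Report",
			"===============================================",
			"# date time event auid term sess comm data");
			else
				print_banner("Specific TTY Report",
					"====================", NULL);
			break;
		default:
			break;
	}
}

/*
 * Print one row of a detailed report for the event held in l.
 *
 * Every row starts with the row number and the local event time. AVC
 * events print one row per AVC node, so that prefix is printed inside
 * the AVC loop instead. All strings that originate from the audit record
 * go through print_field(); lookup results produced by this program
 * (syscall name, success/result text) are printed directly.
 */
void print_per_event_item(llist *l)
{
	char buf[128];
	char name[64];
	char date[32];

	// The beginning is common to all reports
	format_time(l->e.sec, date, sizeof(date));
	if (report_type != RPT_AVC) {
		line_item++;
		printf("%u. %s ", line_item, date);
	}

	switch (report_type)
	{
		case RPT_AVC:
			if (l->s.avc == NULL)
				break;
			alist_find_avc(l->s.avc);
			do {
				anode *an = l->s.avc->cur;

				if (an == NULL)
					break;	// no current node to print
				line_item++;
				printf("%u. %s ", line_item, date);
				// command subject syscall action obj res event
				print_field(l->s.comm);
				putchar(' ');
				print_field(an->scontext);
				printf(" %s ",
					aulookup_syscall(l, buf, sizeof(buf)));
				print_field(an->avc_class);
				putchar(' ');
				print_field(an->avc_perm);
				putchar(' ');
				print_field(an->tcontext);
				printf(" %s %lu\n",
					aulookup_result(an->avc_result),
					l->e.serial);
			} while (alist_next_avc(l->s.avc));
			break;
		case RPT_CONFIG:
			// FIXME:who, action, what, outcome, event
			// NOW: type auid success event
			print_msg_type(l->head->type);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %s %lu\n",
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_AUTH:
			// who, addr, terminal, exe, success, event
			// Special note...uid is used here because that is
			// the way that the message works. This is because
			// on failed logins, loginuid is not set.
			print_field(l->s.acct ? l->s.acct :
				aulookup_uid(l->s.uid, name, sizeof(name)));
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.exe);
			printf(" %s %lu\n",
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_LOGIN:
			// who, addr, terminal, exe, success, event
			// Special note...uid is used here because that is
			// the way that the message works. This is because
			// on failed logins, loginuid is not set.
			print_field(((l->s.success == S_FAILED) && l->s.acct) ?
				l->s.acct :
				aulookup_uid(l->s.uid, name, sizeof(name)));
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.exe);
			printf(" %s %lu\n",
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_ACCT_MOD:
			// who, addr, terminal, exe, success, event
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.exe);
			putchar(' ');
			print_field(l->s.acct);
			printf(" %s %lu\n",
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_EVENT:	// report_detail == D_DETAILED
			// event, type, who, success
			printf("%lu ", l->e.serial);
			print_msg_type(l->head->type);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %s\n", aulookup_success(l->s.success));
			break;
		case RPT_FILE:	// report_detail == D_DETAILED
			// file, syscall, success, exe, who, event
			print_field(first_string(l->s.filename));
			printf(" %s %s ",
				aulookup_syscall(l, buf, sizeof(buf)),
				aulookup_success(l->s.success));
			print_field(l->s.exe);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_HOST:	// report_detail == D_DETAILED
			// host, syscall, who, event
			print_field(l->s.hostname);
			printf(" %s ", aulookup_syscall(l, buf, sizeof(buf)));
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_PID:	// report_detail == D_DETAILED
			// pid, exe, syscall, who, event
			printf("%u ", l->s.pid);
			print_field(l->s.exe);
			printf(" %s ", aulookup_syscall(l, buf, sizeof(buf)));
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_SYSCALL:	// report_detail == D_DETAILED
			// syscall, pid, comm, who, event
			printf("%s %u ",
				aulookup_syscall(l, buf, sizeof(buf)),
				l->s.pid);
			print_field(l->s.comm);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_TERM:	// report_detail == D_DETAILED
			// terminal, host, exe, who, event
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(l->s.exe);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_USER:	// report_detail == D_DETAILED
			// who, terminal, host, exe, event
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(l->s.exe);
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_EXE:	// report_detail == D_DETAILED
			// exe, terminal, host, who, event
			print_field(l->s.exe);
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_COMM:	// report_detail == D_DETAILED
			// comm, terminal, host, who, event
			print_field(l->s.comm);
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_ANOMALY:	// report_detail == D_DETAILED
			// type exe term host auid event
			print_msg_type(l->head->type);
			putchar(' ');
			// exe when known, else comm; print_field maps a
			// missing value to "?"
			print_field(l->s.exe ? l->s.exe : l->s.comm);
			putchar(' ');
			print_field(l->s.terminal);
			putchar(' ');
			print_field(l->s.hostname);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_RESPONSE:	// report_detail == D_DETAILED
		case RPT_INTEG:
		case RPT_VIRT:
			// type success event
			print_msg_type(l->head->type);
			printf(" %s %lu\n",
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_MAC:
		case RPT_CRYPTO:
			// auid type success event
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			putchar(' ');
			print_msg_type(l->head->type);
			printf(" %s %lu\n",
				aulookup_success(l->s.success), l->e.serial);
			break;
		case RPT_KEY:	// report_detail == D_DETAILED
			// key, success, exe, who, event
			print_field(first_string(l->s.key));
			printf(" %s ", aulookup_success(l->s.success));
			print_field(l->s.exe);
			putchar(' ');
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			printf(" %lu\n", l->e.serial);
			break;
		case RPT_TTY: {
			char *ch, *ptr = strstr(l->head->message, "data=");

			if (!ptr) {
				// Close the "N. date " prefix printed above
				// so the next row starts on its own line.
				printf("\n");
				break;
			}
			ptr += 5;	// skip past "data="
			// NOTE: this cuts the stored message in place at
			// its last space, so later readers of
			// l->head->message see the shortened text.
			ch = strrchr(ptr, ' ');
			if (ch)
				*ch = 0;
			// event who term sess data
			printf("%lu ", l->e.serial);
			print_field(aulookup_uid(l->s.loginuid, name,
					sizeof(name)));
			putchar(' ');
			print_field(l->s.terminal);
			printf(" %u ", l->s.session_id);
			print_field(l->s.comm);
			putchar(' ');
			print_tty_data(ptr);
			printf("\n");
			}
			break;
		default:
			break;
	}
}

/*
 * Print the body of a summary report (D_SUM only): sort the list that
 * backs the selected report by hit count and print it.
 */
void print_wrap_up(void)
{
	if (report_detail != D_SUM)
		return;

	switch (report_type)
	{
		case RPT_SUMMARY:
			do_summary_output();
			break;
		case RPT_AVC:
			slist_sort_by_hits(&sd.avc_objs);
			do_string_summary_output(&sd.avc_objs);
			break;
		case RPT_CONFIG:
		case RPT_ACCT_MOD:
		case RPT_EVENT:
			/* We will borrow the pid list */
			ilist_sort_by_hits(&sd.pids);
			do_type_summary_output(&sd.pids);
			break;
		case RPT_AUTH:
		case RPT_LOGIN:
		case RPT_USER:
			slist_sort_by_hits(&sd.users);
			do_user_summary_output(&sd.users);
			break;
		case RPT_FILE:
			slist_sort_by_hits(&sd.files);
			do_file_summary_output(&sd.files);
			break;
		case RPT_HOST:
			slist_sort_by_hits(&sd.hosts);
			do_string_summary_output(&sd.hosts);
			break;
		case RPT_PID:
			ilist_sort_by_hits(&sd.pids);
			do_int_summary_output(&sd.pids);
			break;
		case RPT_SYSCALL:
			ilist_sort_by_hits(&sd.sys_list);
			do_syscall_summary_output(&sd.sys_list);
			break;
		case RPT_TERM:
			slist_sort_by_hits(&sd.terms);
			do_string_summary_output(&sd.terms);
			break;
		case RPT_EXE:
			slist_sort_by_hits(&sd.exes);
			do_file_summary_output(&sd.exes);
			break;
		case RPT_COMM:
			slist_sort_by_hits(&sd.comms);
			do_file_summary_output(&sd.comms);
			break;
		case RPT_ANOMALY:
			ilist_sort_by_hits(&sd.anom_list);
			do_type_summary_output(&sd.anom_list);
			break;
		case RPT_RESPONSE:
			ilist_sort_by_hits(&sd.resp_list);
			do_type_summary_output(&sd.resp_list);
			break;
		case RPT_MAC:
			ilist_sort_by_hits(&sd.mac_list);
			do_type_summary_output(&sd.mac_list);
			break;
		case RPT_INTEG:
			ilist_sort_by_hits(&sd.integ_list);
			do_type_summary_output(&sd.integ_list);
			break;
		case RPT_VIRT:
			ilist_sort_by_hits(&sd.virt_list);
			do_type_summary_output(&sd.virt_list);
			break;
		case RPT_CRYPTO:
			ilist_sort_by_hits(&sd.crypto_list);
			do_type_summary_output(&sd.crypto_list);
			break;
		case RPT_KEY:
			slist_sort_by_hits(&sd.keys);
			do_file_summary_output(&sd.keys);
			break;
		default:
			break;
	}
}

/*
 * Print the overall summary: the time range found in the logs, the time
 * range selected for the report, and the counters collected in sd.
 */
static void do_summary_output(void)
{
	extern event very_first_event;
	extern event very_last_event;
	char tmp[48];

	printf("Range of time in logs: ");
	format_time(very_first_event.sec, tmp, sizeof(tmp));
	printf("%s.%03d - ", tmp, very_first_event.milli);
	format_time(very_last_event.sec, tmp, sizeof(tmp));
	printf("%s.%03d\n", tmp, very_last_event.milli);

	// A zero start_time/end_time means no bound was selected, so the
	// first/last event seen is used instead.
	printf("Selected time for report: ");
	format_time(start_time ? start_time : very_first_event.sec,
			tmp, sizeof(tmp));
	printf("%s - ", tmp);
	format_time(end_time ? end_time : very_last_event.sec,
			tmp, sizeof(tmp));
	if (end_time)
		printf("%s\n", tmp);
	else
		printf("%s.%03d\n", tmp, very_last_event.milli);

	printf("Number of changes in configuration: %lu\n", sd.changes);
	printf("Number of changes to accounts, groups, or roles: %lu\n",
			sd.acct_changes);
	printf("Number of logins: %lu\n", sd.good_logins);
	printf("Number of failed logins: %lu\n", sd.bad_logins);
	printf("Number of authentications: %lu\n", sd.good_auth);
	printf("Number of failed authentications: %lu\n", sd.bad_auth);
	printf("Number of users: %u\n", sd.users.cnt);
	printf("Number of terminals: %u\n", sd.terms.cnt);
	printf("Number of host names: %u\n", sd.hosts.cnt);
	printf("Number of executables: %u\n", sd.exes.cnt);
	printf("Number of commands: %u\n", sd.comms.cnt);
	printf("Number of files: %u\n", sd.files.cnt);
	printf("Number of AVC's: %lu\n", sd.avcs);
	printf("Number of MAC events: %lu\n", sd.mac);
	printf("Number of failed syscalls: %lu\n", sd.failed_syscalls);
	printf("Number of anomaly events: %lu\n", sd.anomalies);
	printf("Number of responses to anomaly events: %lu\n", sd.responses);
	printf("Number of crypto events: %lu\n", sd.crypto);
	printf("Number of integrity events: %lu\n", sd.integ);
	printf("Number of virt events: %lu\n", sd.virt);
	printf("Number of keys: %u\n", sd.keys.cnt);
	printf("Number of process IDs: %u\n", sd.pids.cnt);
	printf("Number of events: %lu\n", sd.events);
	printf("\n");
}

/*
 * Print "<hits> <string>" for every node of a string list, one per line.
 * The string comes from the audit log, so it is printed through
 * safe_print_string() (flag 1: the call also ends the line, as the
 * original file-summary code relied on). An empty list prints "\n\n".
 */
static void print_slist_hits(slist *sptr)
{
	const snode *sn;

	if (sptr->cnt == 0) {
		printf("\n\n");
		return;
	}
	slist_first(sptr);
	for (sn = slist_get_cur(sptr); sn; sn = slist_next(sptr)) {
		printf("%u ", sn->hits);
		safe_print_string(sn->str ? sn->str : "?", 1);
	}
}

/* Print the hit counts of a list of file, executable, command or key names. */
static void do_file_summary_output(slist *sptr)
{
	print_slist_hits(sptr);
}

/*
 * Print the hit counts of a list of AVC objects, host names or terminals.
 * These strings are log-derived as well, so they take the same sanitized
 * path as do_file_summary_output() instead of a raw "%s".
 */
static void do_string_summary_output(slist *sptr)
{
	print_slist_hits(sptr);
}

/*
 * Print the hit counts of a list of users. An entry that starts with a
 * digit or '-' is taken to be a numeric uid and is translated with
 * aulookup_uid(); anything else is printed as the account name it is.
 */
static void do_user_summary_output(slist *sptr)
{
	const snode *sn;

	if (sptr->cnt == 0) {
		printf("\n\n");
		return;
	}
	slist_first(sptr);
	for (sn = slist_get_cur(sptr); sn; sn = slist_next(sptr)) {
		char name[64];

		printf("%u ", sn->hits);
		// isdigit() needs an unsigned char value; a plain char
		// with the high bit set would be undefined behavior.
		if (sn->str[0] == '-' || isdigit((unsigned char)sn->str[0])) {
			long uid = strtol(sn->str, NULL, 10);

			safe_print_string(
				aulookup_uid(uid, name, sizeof(name)), 1);
		} else
			safe_print_string(sn->str, 1);
	}
}

/* Print "<hits> <number>" for every node of an integer list. */
static void do_int_summary_output(ilist *sptr)
{
	const int_node *in;

	if (sptr->cnt == 0) {
		printf("\n\n");
		return;
	}
	ilist_first(sptr);
	for (in = ilist_get_cur(sptr); in; in = ilist_next(sptr))
		printf("%u %d\n", in->hits, in->num);
}

/*
 * Print the hit counts of a syscall list. The syscall number is turned
 * into a name using the machine derived from in->aux1; when either
 * lookup fails the raw number is printed.
 */
static void do_syscall_summary_output(ilist *sptr)
{
	const int_node *in;

	if (sptr->cnt == 0) {
		printf("\n\n");
		return;
	}
	ilist_first(sptr);
	for (in = ilist_get_cur(sptr); in; in = ilist_next(sptr)) {
		const char *sys = NULL;
		int machine = audit_elf_to_machine(in->aux1);

		if (machine >= 0)
			sys = audit_syscall_to_name(in->num, machine);
		if (sys)
			printf("%u %s\n", in->hits, sys);
		else
			printf("%u %d\n", in->hits, in->num);
	}
}

/*
 * Print the hit counts of a message-type list: the raw type number in
 * the default report format, the type name otherwise. A type without a
 * known name is printed as its number rather than passing NULL to "%s".
 */
static void do_type_summary_output(ilist *sptr)
{
	const int_node *in;

	if (sptr->cnt == 0) {
		printf("\n\n");
		return;
	}
	ilist_first(sptr);
	for (in = ilist_get_cur(sptr); in; in = ilist_next(sptr)) {
		if (report_format == RPT_DEFAULT)
			printf("%u %d\n", in->hits, in->num);
		else {
			printf("%u ", in->hits);
			print_msg_type(in->num);
			putchar('\n');
		}
	}
}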