1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
|
/*
* ausearch.c - main file for ausearch utility
* Copyright 2005-08,2010,2013,2014 Red Hat Inc., Durham, North Carolina.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*
* Authors:
* Steve Grubb <sgrubb@redhat.com>
*/
#include "config.h"
#include <stdio.h>
#include <stdio_ext.h>
#include <string.h>
#include <stdlib.h>
#include <getopt.h>
#include <unistd.h>
#include <ctype.h>
#include <time.h>
#include <errno.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <locale.h>
#include <signal.h>
#include "libaudit.h"
#include "auditd-config.h"
#include "ausearch-options.h"
#include "ausearch-lol.h"
#include "ausearch-lookup.h"
#include "auparse.h"
#include "ausearch-checkpt.h"
static FILE *log_fd = NULL;
static lol lo;
static int found = 0;
static int input_is_pipe = 0;
static int timeout_interval = 3; /* timeout in seconds */
static int files_to_process = 0; /* number of log files yet to process when reading multiple */
static int process_logs(void);
static int process_log_fd(void);
static int process_stdin(void);
static int process_file(char *filename);
static int get_record(llist **);
extern const char *checkpt_filename; /* checkpoint file name */
extern int checkpt_timeonly; /* use timestamp from within checkpoint file */
static int have_chkpt_data = 0; /* have checkpt need to compare wit */
extern char *user_file;
extern int force_logs;
extern int match(llist *l);
extern void output_record(llist *l);
static int userfile_is_dir = 0;
static int is_pipe(int fd)
{
struct stat st;
int pipe_mode=0;
if (fstat(fd, &st) == 0) {
if (S_ISFIFO(st.st_mode))
pipe_mode = 1;
}
return pipe_mode;
}
int main(int argc, char *argv[])
{
struct rlimit limit;
int rc;
struct stat sb;
/* Check params and build regexpr */
setlocale (LC_ALL, "");
if (check_params(argc, argv))
return 1;
/* Raise the rlimits in case we're being started from a shell
* with restrictions. Not a fatal error. */
limit.rlim_cur = RLIM_INFINITY;
limit.rlim_max = RLIM_INFINITY;
setrlimit(RLIMIT_FSIZE, &limit);
setrlimit(RLIMIT_CPU, &limit);
set_aumessage_mode(MSG_STDERR, DBG_NO);
(void) umask( umask( 077 ) | 027 );
/* Load the checkpoint file if requested */
if (checkpt_filename) {
rc = load_ChkPt(checkpt_filename);
/*
* If < -1, then some load/parse error
* If == -1 then no file present (OK)
* If == 0, then checkpoint has data
*/
if (rc < -1) {
(void)free((void *)checkpt_filename);
free_ChkPtMemory();
return 10; /* bad checkpoint status file */
} else if (rc == -1) {
/*
* No file, so no checking required. This just means
* we have never checkpointed before and this is the
* first time.
*/
have_chkpt_data = 0;
} else {
/* We will need to check */
have_chkpt_data++;
}
}
lol_create(&lo);
if (user_file) {
if (stat(user_file, &sb) == -1) {
perror("stat");
return 1;
}
switch (sb.st_mode & S_IFMT) {
case S_IFDIR:
userfile_is_dir = 1;
rc = process_logs();
break;
case S_IFREG:
default:
rc = process_file(user_file);
break;
}
} else if (force_logs)
rc = process_logs();
else if (is_pipe(0))
rc = process_stdin();
else
rc = process_logs();
/* Generate a checkpoint if required */
if (checkpt_filename) {
/* Providing we found something and haven't failed */
if (!checkpt_failure && found)
save_ChkPt(checkpt_filename);
free_ChkPtMemory();
free((void *)checkpt_filename);
/*
* A checkpoint failure at this point means either
* - we failed in attempting to create the checkpouint file
* and so we will return 11
* - we had a corrupted checkpoint file and so we will return 12
*/
if (checkpt_failure) {
rc = ((checkpt_failure & CP_CORRUPTED) ==
CP_CORRUPTED) ? 12 : 11;
}
}
lol_clear(&lo);
ilist_clear(event_type);
free(event_type);
free(user_file);
free((char *)event_key);
auparse_destroy(NULL);
if (rc)
return rc;
if (!found) {
if (report_format != RPT_RAW)
fprintf(stderr, "<no matches>\n");
return 1;
}
return 0;
}
static int process_logs(void)
{
struct daemon_conf config;
char *filename;
int len, num = 0;
int found_chkpt_file = -1;
int ret;
if (user_file && userfile_is_dir) {
char dirname[MAXPATHLEN];
clear_config (&config);
strcpy(dirname, user_file);
if (dirname[strlen(dirname)-1] != '/')
strcat(dirname, "/");
strcat (dirname, "audit.log");
free((void *)config.log_file);
config.log_file=strdup(dirname);
fprintf(stderr, "NOTE - using logs in %s\n", config.log_file);
}
else {
/* Load config so we know where logs are */
if (load_config(&config, TEST_SEARCH)) {
fprintf(stderr,
"NOTE - using built-in logs: %s\n",
config.log_file);
}
}
/* for each file */
len = strlen(config.log_file) + 16;
filename = malloc(len);
if (!filename) {
fprintf(stderr, "No memory\n");
free_config(&config);
return 1;
}
/* Find oldest log file */
snprintf(filename, len, "%s", config.log_file);
do {
if (access(filename, R_OK) != 0)
break;
/*
* If we have prior checkpoint data, we ignore files till we
* find the file we last checkpointed from
*/
if (checkpt_filename && have_chkpt_data) {
struct stat sbuf;
if (stat(filename, &sbuf)) {
fprintf(stderr, "Error stat'ing %s (%s)\n",
filename, strerror(errno));
free(filename);
free_config(&config);
return 1;
}
/*
* Have we accessed the checkpointed file?
* If so, stop checking further files.
*/
if ( (sbuf.st_dev == chkpt_input_dev) &&
(sbuf.st_ino == chkpt_input_ino) ) {
/*
* If we are ignoing all but time, then we
* don't stop checking more files and just
* let this loop go to completion and hence
* we will find the 'oldest' file.
*/
if (!checkpt_timeonly) {
found_chkpt_file = num++;
break;
}
}
}
num++;
snprintf(filename, len, "%s.%d", config.log_file, num);
} while (1);
/* If a checkpoint is loaded but can't find it's file, and we
* are not only just checking the timestamp from the checkpoint file,
* we need to error */
if (checkpt_filename && have_chkpt_data && found_chkpt_file == -1
&& !checkpt_timeonly) {
free(filename);
free_config(&config);
return 10;
}
num--;
/* We note how many files we need to process */
files_to_process = num;
/* Got it, now process logs from last to first */
if (num > 0)
snprintf(filename, len, "%s.%d", config.log_file, num);
else
snprintf(filename, len, "%s", config.log_file);
do {
if ((ret = process_file(filename))) {
free(filename);
free_config(&config);
return ret;
}
if (just_one && found)
break;
files_to_process--; /* one less file to process */
/* Get next log file */
num--;
if (num > 0)
snprintf(filename, len, "%s.%d", config.log_file, num);
else if (num == 0)
snprintf(filename, len, "%s", config.log_file);
else
break;
} while (1);
/*
* If performing a checkpoint, set the checkpointed
* file details - ie remember the last file processed
*/
ret = 0;
if (checkpt_filename)
ret = set_ChkPtFileDetails(filename);
free(filename);
free_config(&config);
return ret;
}
/*
* Decide if we should start outputing events given we loaded a checkpoint.
*
* The previous checkpoint will have recorded the last event outputted,
* if there was one. If nothing is to be output, either the audit.log file
* is empty, all the events in it were incomplete, or ???
*
* We can return
* 0 no output
* 1 can output
* 2 can output but not this event
* 3 we have found an event whose time is > MAX_EVENT_DELTA_SECS secs
* past our checkpoint time, which means this particulare event is
* complete. This should not happen, for we should have found our
* checkpoint event before ANY other completed event.
*
*/
static int chkpt_output_decision(event * e)
{
static int can_output = 0;
/* Short cut. Once we made the decision, it's made for good */
if (can_output)
return 1;
/* If there was no checkpoint file, we turn on output */
if (have_chkpt_data == 0) {
can_output = 1;
return 1; /* can output on this event */
}
/*
* If the previous checkpoint had no recorded output, then
* we assume everything was partial so we turn on output
*/
if (chkpt_input_levent.sec == 0) {
can_output = 1;
return 1; /* can output on this event */
}
/*
* If we are ignoring all but event time from within the checkpoint
* file, then we output if the current event's time is greater than
* or equal to the checkpoint time.
*/
if (checkpt_timeonly) {
if ( (chkpt_input_levent.sec < e->sec) ||
( (chkpt_input_levent.sec == e->sec) &&
(chkpt_input_levent.milli <= e->milli) ) ) {
can_output = 1;
return 1; /* can output on this event */
}
}
if (chkpt_input_levent.sec == e->sec &&
chkpt_input_levent.milli == e->milli &&
chkpt_input_levent.serial == e->serial &&
chkpt_input_levent.type == e->type ) {
/* So far a match, so now check the nodes */
if (chkpt_input_levent.node == NULL && e->node == NULL) {
can_output = 1;
return 2; /* output after this event */
}
if (chkpt_input_levent.node && e->node &&
(strcmp(chkpt_input_levent.node, e->node) == 0) ) {
can_output = 1;
return 2; /* output after this event */
}
/*
* The nodes are different. Drop through to further checks.
*/
}
/*
* If the event we are looking at is more than MAX_EVENT_DELTA_SECS
* seconds past our checkpoint event, then by definition we should
* have had a complete event (ie a complete event is one where at
* least MAX_EVENT_DELTA_SECS seconds have passed since it's last
* output record).
* This means there is a problem, for the recorded checkpoint event was
* the last complete event in the file when we last processed it.
* Normally we see this if the checkpoint is very old and the system
* has used the same inode again in an audit log file.
*/
if ( (chkpt_input_levent.sec < e->sec) &&
((e->sec - chkpt_input_levent.sec) > MAX_EVENT_DELTA_SECS) ) {
/* fprintf(stderr, "%s %lu.%03u:%lu vs %s %lu.%03u:%lu\n",
chkpt_input_levent.host ? chkpt_input_levent.host : "-",
chkpt_input_levent.sec, chkpt_input_levent.milli,
chkpt_input_levent.serial,
e->host, e->sec, e->milli, e->serial); */
return 3;
}
return 0;
}
static int process_log_fd(void)
{
llist *entries; // entries in a record
int ret;
int do_output = 1;
/* For each record in file */
do {
ret = get_record(&entries);
if ((ret != 0)||(entries->cnt == 0)) {
break;
}
/*
* We flush all events on the last log file being processed.
* Thus incomplete events are 'carried forward' to be
* completed from the rest of it's records we expect to find
* in the next file we are about to process.
*/
if (match(entries)) {
/*
* If we are checkpointing, decide if we output
* this event
*/
if (checkpt_filename)
do_output = chkpt_output_decision(&entries->e);
if (do_output == 1) {
found = 1;
output_record(entries);
/* Remember this event if checkpointing */
if (checkpt_filename) {
if (set_ChkPtLastEvent(&entries->e)) {
list_clear(entries);
free(entries);
fclose(log_fd);
return 4; /* no memory */
}
}
} else if (do_output == 3) {
fprintf(stderr,
"Corrupted checkpoint file. Inode match, but newer complete event (%lu.%03u:%lu) found before loaded checkpoint %lu.%03u:%lu\n",
entries->e.sec, entries->e.milli,
entries->e.serial,
chkpt_input_levent.sec,
chkpt_input_levent.milli,
chkpt_input_levent.serial);
checkpt_failure |= CP_CORRUPTED;
list_clear(entries);
free(entries);
fclose(log_fd);
return 10;
}
if (just_one) {
list_clear(entries);
free(entries);
break;
}
if (line_buffered)
fflush(stdout);
}
list_clear(entries);
free(entries);
} while (ret == 0);
fclose(log_fd);
return 0;
}
static void alarm_handler(int signal)
{
/* will interrupt current syscall */
}
static int process_stdin(void)
{
log_fd = stdin;
input_is_pipe=1;
if (signal(SIGALRM, alarm_handler) == SIG_ERR ||
siginterrupt(SIGALRM, 1) == -1)
return -1;
return process_log_fd();
}
static int process_file(char *filename)
{
log_fd = fopen(filename, "rm");
if (log_fd == NULL) {
fprintf(stderr, "Error opening %s (%s)\n", filename,
strerror(errno));
return 1;
}
__fsetlocking(log_fd, FSETLOCKING_BYCALLER);
return process_log_fd();
}
/*
* This function returns a malloc'd buffer of the next record in the audit
* logs. It returns 0 on success, 1 on eof, -1 on error.
*/
static int get_record(llist **l)
{
char *rc;
char *buff = NULL;
int rcount = 0, timer_running = 0;
/*
* If we have any events ready to print ie have all records that
* make up the event, we just return. If not, we read more lines
* from the files until we get a complete event or finish reading
* input
*/
*l = get_ready_event(&lo);
if (*l)
return 0;
while (1) {
rcount++;
if (!buff) {
buff = malloc(MAX_AUDIT_MESSAGE_LENGTH);
if (!buff)
return -1;
}
if (input_is_pipe && rcount > 1) {
timer_running = 1;
alarm(timeout_interval);
}
rc = fgets_unlocked(buff, MAX_AUDIT_MESSAGE_LENGTH,
log_fd);
if (timer_running) {
/* timer may have fired but thats ok */
timer_running = 0;
alarm(0);
}
if (rc) {
if (lol_add_record(&lo, buff)) {
*l = get_ready_event(&lo);
if (*l)
break;
}
} else {
free(buff);
/*
* If we get an EINTR error or we are at EOF, we check
* to see if we have any events to print and return
* appropriately. If we are the last file being
* processed, we mark all incomplete events as
* complete so they will be printed.
*/
if ((ferror_unlocked(log_fd) &&
errno == EINTR) || feof_unlocked(log_fd)) {
/*
* Only mark all events as L_COMPLETE if we are
* the last file being processed.
* We DO NOT do this if we are checkpointing.
*/
if (files_to_process == 0) {
if (!checkpt_filename)
terminate_all_events(&lo);
}
*l = get_ready_event(&lo);
if (*l)
return 0;
else
return 1;
} else
return -1; /* all other errors are terminal */
}
}
free(buff);
return 0;
}
|
