PERFORCE change 143419 for review
Christian S.J. Peron
csjp at FreeBSD.org
Fri Jun 13 14:11:29 UTC 2008
http://perforce.freebsd.org/chv.cgi?CH=143419
Change 143419 by csjp at ibm01 on 2008/06/13 14:10:46
- Change -m so users can select audit records based on one or more
audit events. This is accomplished by using the -m option more than
once.
- Update the man page to reflect the new behavior
- Update the HISTORY file informing users that this functionality has
been added.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/HISTORY#66 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#16 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#23 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/HISTORY#66 (text+ko) ====
@@ -1,3 +1,5 @@
+- Modify the -m option so users can select more then one audit event.
+
OpenBSM 1.1 alpha 1
- Add option to auditreduce(1) which allows users to invert sense of
@@ -316,4 +318,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#65 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#66 $
==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#16 (text+ko) ====
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#15 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#16 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@@ -94,7 +94,8 @@
.It Fl j Ar id
Select records having a subject token with matching ID.
.It Fl m Ar event
-Select records with the given event name or number.
+Select records with the given event name or number. This option can
+be used more then once to select records of multiple event types.
See
.Xr audit_event 5
for a description of audit event names and numbers.
==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#23 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#22 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#23 $
*/
/*
@@ -72,7 +72,6 @@
static au_mask_t maskp; /* Class. */
static time_t p_atime; /* Created after this time. */
static time_t p_btime; /* Created before this time. */
-static uint16_t p_evtype; /* Event that we are searching for. */
static int p_auid; /* Audit id. */
static int p_euid; /* Effective user id. */
static int p_egid; /* Effective group id. */
@@ -81,6 +80,13 @@
static int p_subid; /* Subject id. */
/*
+ * Maintain a dynamically sized array of events for -m
+ */
+static uint16_t *p_evec; /* Event type list */
+static int p_evec_used; /* Number of events used */
+static int p_evec_alloc; /* Number of events allocated */
+
+/*
* Following are the objects (-o option) that we can select upon.
*/
static char *p_fileobj = NULL;
@@ -346,6 +352,8 @@
static int
select_hdr32(tokenstr_t tok, uint32_t *optchkd)
{
+ uint16_t *ev;
+ int match;
SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m | OPT_v));
@@ -378,7 +386,11 @@
/* Check if event matches. */
if (ISOPTSET(opttochk, OPT_m)) {
- if (tok.tt.hdr32.e_type != p_evtype)
+ match = 0;
+ for (ev = p_evec; ev < &p_evec[p_evec_used]; ev++)
+ if (tok.tt.hdr32.e_type == *ev)
+ match = 1;
+ if (match == 0)
return (0);
}
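Review bot: The new event-match loop in select_hdr32 keeps scanning p_evec after a match and leaves the `for` and `if` bodies unbraced, which makes a later edit to this audit filter easy to get wrong. Stopping at the first hit states the intent directly: `if (tok.tt.hdr32.e_type == *ev) { match = 1; break; }`. A one-line comment such as `/* Record is selected if its event equals any -m value. */` would also make the OR semantics explicit. select_hdr32 begins and ends outside this hunk.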
@@ -615,6 +627,7 @@
int ch;
char timestr[128];
char *fname;
+ uint16_t *etp;
converr = NULL;
@@ -715,13 +728,26 @@
break;
case 'm':
- p_evtype = strtol(optarg, (char **)NULL, 10);
- if (p_evtype == 0) {
+ if (p_evec == NULL) {
+ p_evec_alloc = 32;
+ p_evec = malloc(sizeof(*etp) * p_evec_alloc);
+ if (p_evec == NULL)
+ err(1, "malloc");
+ } else if (p_evec_alloc == p_evec_used) {
+ p_evec_alloc <<= 1;
+ p_evec = realloc(p_evec,
+ sizeof(*p_evec) * p_evec_alloc);
+ if (p_evec == NULL)
+ err(1, "realloc");
+ }
+ etp = &p_evec[p_evec_used++];
+ *etp = strtol(optarg, (char **)NULL, 10);
+ if (*etp == 0) {
/* Could be the string representation. */
n = getauevnonam(optarg);
if (n == NULL)
usage("Incorrect event name");
- p_evtype = *n;
+ *etp = *n;
}
SETOPT(opttochk, OPT_m);
break;
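Review bot: The value from `strtol(optarg, (char **)NULL, 10)` is stored straight into a `uint16_t` slot with no end-pointer or range check, so `-m 65537` silently selects event 1 and `-m 12abc` selects event 12. In an audit-reduction tool a mistyped filter like that quietly returns the wrong records instead of an error. Parse into a `long` with an end pointer, reject anything outside 1..UINT16_MAX, and fall back to `getauevnonam()` only when the argument is not numeric, as sketched below; this needs two new locals (`long ev`, `char *endp`) and `errno.h`. The slot is also claimed with `p_evec_used++` before the value is validated, which is harmless only if `usage()` never returns. The enclosing function starts and ends outside the hunk.

```c
case 'm':
	/* … unchanged: p_evec initial allocation and doubling … */
	errno = 0;
	ev = strtol(optarg, &endp, 10);
	if (endp != optarg && *endp == '\0') {
		/* Purely numeric: must fit an event number exactly. */
		if (errno == ERANGE || ev <= 0 || ev > UINT16_MAX)
			usage("Incorrect event number");
		p_evec[p_evec_used++] = (uint16_t)ev;
	} else {
		/* Could be the string representation. */
		n = getauevnonam(optarg);
		if (n == NULL)
			usage("Incorrect event name");
		p_evec[p_evec_used++] = *n;
	}
	/* … unchanged: SETOPT(opttochk, OPT_m) and break … */
```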