PERFORCE change 85498 for review
Robert Watson
rwatson at FreeBSD.org
Tue Oct 18 14:10:41 GMT 2005
http://perforce.freebsd.org/chv.cgi?CH=85498
Change 85498 by rwatson at rwatson_fledge on 2005/10/18 14:10:23
Teach OpenBSM about AUT_HEADER32_EX, which is required to parse
Solaris 10 audit trails.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#2 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#16 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#2 (text+ko) ====
@@ -332,6 +332,29 @@
} au_header32_t;
+/*
+ * record byte count 4 bytes
+ * version # 1 byte [2]
+ * event type 2 bytes
+ * event modifier 2 bytes
+ * address type/length 1 byte
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time 4 bytes/8 bytes (32/64-bits)
+ * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+ */
+typedef struct {
+
+ u_int32_t size;
+ u_char version;
+ u_int16_t e_type;
+ u_int16_t e_mod;
+ u_char ad_type;
+ u_int32_t addr[4];
+ u_int32_t s;
+ u_int32_t ms;
+
+} au_header32_ex_t;
+
typedef struct {
u_int32_t size;
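Review bot: The layout comment added above `au_header32_ex_t` does not match the struct it documents. It lists the time fields as "4 bytes/8 bytes (32/64-bits)" and names the second one "nanoseconds", while the struct fixes both at `u_int32_t` and calls the field `ms`. A reader cannot tell which unit `ms` carries. I would narrow the comment to the 32-bit form (`* seconds of time 4 bytes`, `* nanoseconds of time 4 bytes`) and annotate the field, e.g. `u_int32_t ms; /* sub-second part; layout comment calls it nanoseconds */`. The blank lines just inside the braces also differ from the `typedef struct {` that follows in the context lines.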
@@ -740,6 +763,7 @@
au_file_t file;
au_groups_t grps;
au_header32_t hdr32;
+ au_header32_ex_t hdr32_ex;
au_header64_t hdr64;
au_inaddr_t inaddr;
au_inaddr_ex_t inaddr_ex;
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#16 (text+ko) ====
@@ -490,8 +490,106 @@
/*
* record byte count 4 bytes
+ * version # 1 byte [2]
* event type 2 bytes
* event modifier 2 bytes
+ * address type/length 1 byte
+ * machine address 4 bytes/16 bytes (IPv4/IPv6 address)
+ * seconds of time 4 bytes/8 bytes (32/64-bits)
+ * nanoseconds of time 4 bytes/8 bytes (32/64-bits)
+ */
+static int
+fetch_header32_ex_tok(tokenstr_t *tok, char *buf, int len)
+{
+ int err = 0;
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.size, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.version, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT16(buf, len, tok->tt.hdr32_ex.e_mod, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_CHAR(buf, len, tok->tt.hdr32_ex.ad_type, tok->len, err);
+ if (err)
+ return (-1);
+
+ bzero(tok->tt.hdr32_ex.addr, sizeof(tok->tt.hdr32_ex.addr));
+ switch (tok->tt.hdr32_ex.ad_type) {
+ case AF_INET:
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.addr[0],
+ tok->len, err);
+ if (err)
+ return (-1);
+ break;
+
+ case AF_INET6:
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.addr[0],
+ tok->len, err);
+ if (err)
+ return (-1);
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.addr[1],
+ tok->len, err);
+ if (err)
+ return (-1);
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.addr[2],
+ tok->len, err);
+ if (err)
+ return (-1);
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.addr[3],
+ tok->len, err);
+ if (err)
+ return (-1);
+ break;
+ }
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.s, tok->len, err);
+ if (err)
+ return (-1);
+
+ READ_TOKEN_U_INT32(buf, len, tok->tt.hdr32_ex.ms, tok->len, err);
+ if (err)
+ return (-1);
+
+ return (0);
+}
+
+static void
+print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ char sfrm)
+{
+
+ print_tok_type(fp, tok->id, "header_ex", raw);
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+}
+
+/*
+ * record byte count 4 bytes
+ * event type 2 bytes
+ * event modifier 2 bytes
* seconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* milliseconds of time 4 bytes/8 bytes (32-bit/64-bit value)
* version #
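Review bot: The `switch (tok->tt.hdr32_ex.ad_type)` in `fetch_header32_ex_tok` has no `default:` case. A record whose address-type byte is neither `AF_INET` nor `AF_INET6` therefore consumes no address bytes, and the function goes on to read `s` and `ms` from whatever bytes follow, returning 0 with a misparsed header. Audit trails can be truncated, damaged, or produced on another host, so the token should be rejected instead: add `default: return (-1);` after the `AF_INET6` case. The layout comment calls this field "address type/length", so it is also worth confirming against a real Solaris 10 trail that the stored values are the socket-family constants compared here and not a length code.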
@@ -2211,7 +2309,8 @@
/*
* Reads the token beginning at buf into tok.
*/
-int au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
+int
+au_fetch_tok(tokenstr_t *tok, u_char *buf, int len)
{
if (len <= 0)
@@ -2225,6 +2324,9 @@
case AUT_HEADER32:
return (fetch_header32_tok(tok, buf, len));
+ case AUT_HEADER32_EX:
+ return (fetch_header32_ex_tok(tok, buf, len));
+
case AUT_HEADER64:
return (fetch_header64_tok(tok, buf, len));
@@ -2340,6 +2442,9 @@
case AUT_HEADER32:
return (print_header32_tok(outfp, tok, del, raw, sfrm));
+ case AUT_HEADER32_EX:
+ return (print_header32_ex_tok(outfp, tok, del, raw, sfrm));
+
case AUT_HEADER64:
return (print_header64_tok(outfp, tok, del, raw, sfrm));