PERFORCE change 109311 for review
Robert Watson
rwatson at FreeBSD.org
Sun Nov 5 23:31:01 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109311
Change 109311 by rwatson at rwatson_fledge on 2006/11/05 23:30:33
Support for printing BSM records as XML in praudit.
Reviewed by: Martin Voros <martin_voros at yahoo dot com>
Affected files ...
.. //depot/projects/trustedbsd/openbsm/HISTORY#43 edit
.. //depot/projects/trustedbsd/openbsm/README#21 edit
.. //depot/projects/trustedbsd/openbsm/TODO#9 edit
.. //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 edit
.. //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#11 edit
.. //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#31 edit
.. //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#42 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/HISTORY#43 (text+ko) ====
@@ -3,6 +3,7 @@
- compat/clock_gettime.h now provides a compatibility implementation of
clock_gettime(), which fixes building on Mac OS X.
- Countless man page fixes.
+- praudit XML support via "praudit -x".
OpenBSM 1.0 alpha 12
@@ -270,4 +271,4 @@
to support reloading of kernel event table.
- Allow comments in /etc/security configuration files.
-$P4: //depot/projects/trustedbsd/openbsm/HISTORY#42 $
+$P4: //depot/projects/trustedbsd/openbsm/HISTORY#43 $
==== //depot/projects/trustedbsd/openbsm/README#21 (text+ko) ====
@@ -77,6 +77,7 @@
Pawel Worach
Martin Englund
Ruslan Ermilov
+ Martin Voros
In addition, Coverity, Inc.'s Prevent(tm) static analysis tool and Gimpel
Software's FlexeLint tool were used to identify a number of bugs in the
@@ -98,4 +99,4 @@
http://www.TrustedBSD.org/
-$P4: //depot/projects/trustedbsd/openbsm/README#20 $
+$P4: //depot/projects/trustedbsd/openbsm/README#21 $
==== //depot/projects/trustedbsd/openbsm/TODO#9 (text+ko) ====
@@ -1,4 +1,3 @@
-- Teach praudit how to general XML format BSM streams.
- Teach libbsm about any additional 64-bit token types that are present
in more recent Solaris versions.
- Build a regression test suite for libbsm that generates each token
@@ -20,4 +19,4 @@
- Put hostname in trail file name.
- Document audit_warn event arguments.
-$P4: //depot/projects/trustedbsd/openbsm/TODO#8 $
+$P4: //depot/projects/trustedbsd/openbsm/TODO#9 $
==== //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 (text+ko) ====
@@ -25,9 +25,9 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.1#12 $
.\"
-.Dd October 3, 2006
+.Dd November 5, 2006
.Dt PRAUDIT 1
.Os
.Sh NAME
@@ -35,7 +35,7 @@
.Nd "print the contents of audit trail files"
.Sh SYNOPSIS
.Nm
-.Op Fl lp
+.Op Fl lpx
.Op Fl r | s
.Op Fl d Ar del
.Op Ar
@@ -77,6 +77,8 @@
record and event type are displayed.
This option is exclusive from
.Fl r .
+.It Fl x
+Print audit records in the XML output format.
.El
.Pp
If the raw or short forms are not specified, the default is to print the tokens
==== //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#11 (text+ko) ====
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2004 Apple Computer, Inc.
+ * Copyright (c) 2006 Martin Voros
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -26,7 +27,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#10 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/praudit/praudit.c#11 $
*/
/*
@@ -34,7 +35,7 @@
*/
/*
- * praudit [-lp] [-r | -s] [-d del] [file ...]
+ * praudit [-lpx] [-r | -s] [-d del] [file ...]
*/
#include <bsm/libbsm.h>
@@ -51,12 +52,14 @@
static int raw = 0;
static int shortfrm = 0;
static int partial = 0;
+static int xml = 0;
static void
usage(void)
{
- fprintf(stderr, "usage: praudit [-lp] [-r | -s] [-d del] [file ...]\n");
+ fprintf(stderr, "usage: praudit [-lpx] [-r | -s] [-d del] "
+ "[file ...]\n");
exit(1);
}
@@ -88,11 +91,17 @@
if (-1 == au_fetch_tok(&tok, buf + bytesread,
reclen - bytesread))
break;
- au_print_tok(stdout, &tok, del, raw, shortfrm);
+ if (xml)
+ au_print_tok_xml(stdout, &tok, del, raw,
+ shortfrm);
+ else
+ au_print_tok(stdout, &tok, del, raw,
+ shortfrm);
bytesread += tok.len;
- if (oneline)
- printf("%s", del);
- else
+ if (oneline) {
+ if (!xml)
+ printf("%s", del);
+ } else
printf("\n");
}
free(buf);
@@ -109,7 +118,7 @@
int i;
FILE *fp;
- while ((ch = getopt(argc, argv, "d:lprs")) != -1) {
+ while ((ch = getopt(argc, argv, "d:lprsx")) != -1) {
switch(ch) {
case 'd':
del = optarg;
@@ -135,12 +144,19 @@
shortfrm = 1;
break;
+ case 'x':
+ xml = 1;
+ break;
+
case '?':
default:
usage();
}
}
+ if (xml)
+ au_print_xml_header(stdout);
+
/* For each of the files passed as arguments dump the contents. */
if (optind == argc) {
print_tokens(stdin);
@@ -153,5 +169,9 @@
if (fp != NULL)
fclose(fp);
}
+
+ if (xml)
+ au_print_xml_footer(stdout);
+
return (1);
}
==== //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#31 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#30 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bsm/libbsm.h#31 $
*/
#ifndef _LIBBSM_H_
@@ -771,6 +771,14 @@
//XXX The following interface has different prototype from BSM
void au_print_tok(FILE *outfp, tokenstr_t *tok,
char *del, char raw, char sfrm);
+void au_print_tok_xml(FILE *outfp, tokenstr_t *tok,
+ char *del, char raw, char sfrm);
+
+/*
+ * Functions relating to XML output.
+ */
+void au_print_xml_header(FILE *outfp);
+void au_print_xml_footer(FILE *outfp);
__END_DECLS
/*
==== //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#42 (text+ko) ====
@@ -2,6 +2,7 @@
* Copyright (c) 2004 Apple Computer, Inc.
* Copyright (c) 2005 SPARTA, Inc.
* Copyright (c) 2006 Robert N. M. Watson
+ * Copyright (c) 2006 Martin Voros
* All rights reserved.
*
* This code was developed in part by Robert N. M. Watson, Senior Principal
@@ -31,7 +32,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#41 $
+ * $P4: //depot/projects/trustedbsd/openbsm/libbsm/bsm_io.c#42 $
*/
#include <sys/types.h>
@@ -126,6 +127,12 @@
} while (0)
/*
+ * XML option.
+ */
+#define AU_PLAIN 0
+#define AU_XML 1
+
+/*
* Prints the delimiter string.
*/
static void
@@ -207,16 +214,334 @@
}
/*
+ * Prints the beggining of attribute.
+ */
+static void
+open_attr(FILE *fp, u_char *str)
+{
+
+ fprintf(fp,"%s=\"", str);
+}
+
+/*
+ * Prints the end of attribute.
+ */
+static void
+close_attr(FILE *fp)
+{
+
+ fprintf(fp,"\" ");
+}
+
+/*
+ * Prints the end of tag.
+ */
+static void
+close_tag(FILE *fp, u_char type)
+{
+
+ switch(type) {
+ case AUT_HEADER32:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER32_EX:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER64:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_HEADER64_EX:
+ fprintf(fp, ">");
+ break;
+
+ case AUT_ARG32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ARG64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ATTR32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_ATTR64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_EXIT:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_EXEC_ARGS:
+ fprintf(fp, "</exec_args>");
+ break;
+
+ case AUT_EXEC_ENV:
+ fprintf(fp, "</exec_env>");
+ break;
+
+ case AUT_OTHER_FILE32:
+ fprintf(fp, "</file>");
+ break;
+
+ case AUT_NEWGROUPS:
+ fprintf(fp, "</group>");
+ break;
+
+ case AUT_IN_ADDR:
+ fprintf(fp, "</ip_address>");
+ break;
+
+ case AUT_IN_ADDR_EX:
+ fprintf(fp, "</ip_address>");
+ break;
+
+ case AUT_IP:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPC:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPC_PERM:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_IPORT:
+ fprintf(fp, "</ip_port>");
+ break;
+
+ case AUT_OPAQUE:
+ fprintf(fp, "</opaque>");
+ break;
+
+ case AUT_PATH:
+ fprintf(fp, "</path>");
+ break;
+
+ case AUT_PROCESS32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_PROCESS32_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_RETURN32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_RETURN64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SEQ:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKET:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKINET32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SOCKUNIX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT32:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT64:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_SUBJECT32_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_TEXT:
+ fprintf(fp, "</text>");
+ break;
+
+ case AUT_SOCKET_EX:
+ fprintf(fp, "/>");
+ break;
+
+ case AUT_DATA:
+ fprintf(fp, "</arbitrary>");
+ break;
+ }
+}
+
+/*
* Prints the token type in either the raw or the default form.
*/
static void
-print_tok_type(FILE *fp, u_char type, const char *tokname, char raw)
+print_tok_type(FILE *fp, u_char type, const char *tokname, char raw, int xml)
{
- if (raw)
- fprintf(fp, "%u", type);
- else
- fprintf(fp, "%s", tokname);
+ if (xml) {
+ switch(type) {
+ case AUT_HEADER32:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER32_EX:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER64:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_HEADER64_EX:
+ fprintf(fp, "<record ");
+ break;
+
+ case AUT_TRAILER:
+ fprintf(fp, "</record>");
+ break;
+
+ case AUT_ARG32:
+ fprintf(fp, "<argument ");
+ break;
+
+ case AUT_ARG64:
+ fprintf(fp, "<argument ");
+ break;
+
+ case AUT_ATTR32:
+ fprintf(fp, "<attribute ");
+ break;
+
+ case AUT_ATTR64:
+ fprintf(fp, "<attribute ");
+ break;
+
+ case AUT_EXIT:
+ fprintf(fp, "<exit ");
+ break;
+
+ case AUT_EXEC_ARGS:
+ fprintf(fp, "<exec_args>");
+ break;
+
+ case AUT_EXEC_ENV:
+ fprintf(fp, "<exec_env>");
+ break;
+
+ case AUT_OTHER_FILE32:
+ fprintf(fp, "<file ");
+ break;
+
+ case AUT_NEWGROUPS:
+ fprintf(fp, "<group>");
+ break;
+
+ case AUT_IN_ADDR:
+ fprintf(fp, "<ip_address>");
+ break;
+
+ case AUT_IN_ADDR_EX:
+ fprintf(fp, "<ip_address>");
+ break;
+
+ case AUT_IP:
+ fprintf(fp, "<ip ");
+ break;
+
+ case AUT_IPC:
+ fprintf(fp, "<IPC");
+ break;
+
+ case AUT_IPC_PERM:
+ fprintf(fp, "<IPC_perm ");
+ break;
+
+ case AUT_IPORT:
+ fprintf(fp, "<ip_port>");
+ break;
+
+ case AUT_OPAQUE:
+ fprintf(fp, "<opaque>");
+ break;
+
+ case AUT_PATH:
+ fprintf(fp, "<path>");
+ break;
+
+ case AUT_PROCESS32:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_PROCESS32_EX:
+ fprintf(fp, "<process ");
+ break;
+
+ case AUT_RETURN32:
+ fprintf(fp, "<return ");
+ break;
+
+ case AUT_RETURN64:
+ fprintf(fp, "<return ");
+ break;
+
+ case AUT_SEQ:
+ fprintf(fp, "<sequence ");
+ break;
+
+ case AUT_SOCKET:
+ fprintf(fp, "<socket ");
+ break;
+
+ case AUT_SOCKINET32:
+ fprintf(fp, "<old_socket");
+ break;
+
+ case AUT_SOCKUNIX:
+ fprintf(fp, "<old_socket");
+ break;
+
+ case AUT_SUBJECT32:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT64:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_SUBJECT32_EX:
+ fprintf(fp, "<subject ");
+ break;
+
+ case AUT_TEXT:
+ fprintf(fp, "<text>");
+ break;
+
+ case AUT_SOCKET_EX:
+ fprintf(fp, "<socket ");
+ break;
+
+ case AUT_DATA:
+ fprintf(fp, "<arbitrary ");
+ break;
+ }
+ } else {
+ if (raw)
+ fprintf(fp, "%u", type);
+ else
+ fprintf(fp, "%s", tokname);
+ }
}
/*
@@ -455,6 +780,27 @@
}
/*
+ * Print XML header.
+ */
+void
+au_print_xml_header(FILE *outfp)
+{
+
+ fprintf(outfp, "<?xml version='1.0' ?>\n");
+ fprintf(outfp, "<audit>\n");
+}
+
+/*
+ * Print XML footer.
+ */
+void
+au_print_xml_footer(FILE *outfp)
+{
+
+ fprintf(outfp, "</audit>\n");
+}
+
+/*
* record byte count 4 bytes
* version # 1 byte [2]
* event type 2 bytes
@@ -495,22 +841,42 @@
}
static void
-print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
+ int xml)
{
- print_tok_type(fp, tok->id, "header", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr32.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr32.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr32.e_mod, raw);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.hdr32.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.hdr32.ms, raw);
+ print_tok_type(fp, tok->id, "header", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ close_attr(fp);
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.hdr32.ms, 1);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32.e_mod, raw);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32.ms, raw);
+ }
}
/*
@@ -584,25 +950,50 @@
static void
print_header32_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- char sfrm)
+ char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "header_ex", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
- tok->tt.hdr32_ex.addr);
- print_delim(fp, del);
- print_sec32(fp, tok->tt.hdr32_ex.s, raw);
- print_delim(fp, del);
- print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ print_tok_type(fp, tok->id, "header_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ close_attr(fp);
+ /*
+ * No attribute for additional types.
+ *
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ */
+ open_attr(fp, "time");
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr32_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr32_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr32_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr32_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr32_ex.ad_type,
+ tok->tt.hdr32_ex.addr);
+ print_delim(fp, del);
+ print_sec32(fp, tok->tt.hdr32_ex.s, raw);
+ print_delim(fp, del);
+ print_msec32(fp, tok->tt.hdr32_ex.ms, raw);
+ }
}
/*
@@ -646,23 +1037,44 @@
}
static void
-print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm,
+ int xml)
{
+
+ print_tok_type(fp, tok->id, "header", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ close_attr(fp);
+ open_attr(fp, "time");
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64.e_mod, raw);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64.ms, raw);
+ }
+}
- print_tok_type(fp, tok->id, "header", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr64.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr64.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr64.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr64.e_mod, raw);
- print_delim(fp, del);
- print_sec64(fp, tok->tt.hdr64.s, raw);
- print_delim(fp, del);
- print_msec64(fp, tok->tt.hdr64.ms, raw);
-}
/*
* record byte count 4 bytes
* version # 1 byte [2]
@@ -729,25 +1141,51 @@
}
static void
-print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw, char sfrm)
+print_header64_ex_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
+ char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "header_ex", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
- print_delim(fp, del);
- print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
- print_delim(fp, del);
- print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
- print_delim(fp, del);
- print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
- tok->tt.hdr64_ex.addr);
- print_delim(fp, del);
- print_sec64(fp, tok->tt.hdr64_ex.s, raw);
- print_delim(fp, del);
- print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ print_tok_type(fp, tok->id, "header_ex", raw, xml);
+ if (xml) {
+ open_attr(fp, "version");
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ close_attr(fp);
+ open_attr(fp, "event");
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ close_attr(fp);
+ open_attr(fp, "modifier");
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ close_attr(fp);
+ /*
+ * No attribute for additional types.
+ *
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ */
+ open_attr(fp, "time");
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ close_attr(fp);
+ open_attr(fp, "msec");
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.hdr64_ex.size, "%u");
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.hdr64_ex.version, "%u");
+ print_delim(fp, del);
+ print_event(fp, tok->tt.hdr64_ex.e_type, raw, sfrm);
+ print_delim(fp, del);
+ print_evmod(fp, tok->tt.hdr64_ex.e_mod, raw);
+ print_delim(fp, del);
+ print_ip_ex_address(fp, tok->tt.hdr64_ex.ad_type,
+ tok->tt.hdr64_ex.addr);
+ print_delim(fp, del);
+ print_sec64(fp, tok->tt.hdr64_ex.s, raw);
+ print_delim(fp, del);
+ print_msec64(fp, tok->tt.hdr64_ex.ms, raw);
+ }
}
/*
@@ -772,12 +1210,14 @@
static void
print_trailer_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "trailer", raw);
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.trail.count, "%u");
+ print_tok_type(fp, tok->id, "trailer", raw, xml);
+ if (!xml) {
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.trail.count, "%u");
+ }
}
/*
@@ -813,16 +1253,28 @@
static void
print_arg32_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "argument", raw);
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arg32.no, "%u");
- print_delim(fp, del);
- print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
- print_delim(fp, del);
- print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+ print_tok_type(fp, tok->id, "argument", raw, xml);
+ if (xml) {
+ open_attr(fp, "arg-num");
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ close_attr(fp);
+ open_attr(fp, "value");
+ print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
+ close_attr(fp);
+ open_attr(fp, "desc");
+ print_string(fp, tok->tt.arg32.text, tok->tt.arg32.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg32.no, "%u");
+ print_delim(fp, del);
+ print_4_bytes(fp, tok->tt.arg32.val, "0x%x");
+ print_delim(fp, del);
+ }
}
static int
@@ -852,16 +1304,29 @@
static void
print_arg64_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
- print_tok_type(fp, tok->id, "argument", raw);
- print_delim(fp, del);
- print_1_byte(fp, tok->tt.arg64.no, "%u");
- print_delim(fp, del);
- print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
- print_delim(fp, del);
- print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ print_tok_type(fp, tok->id, "argument", raw, xml);
+ if (xml) {
+ open_attr(fp, "arg-num");
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ close_attr(fp);
+ open_attr(fp, "value");
+ print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
+ close_attr(fp);
+ open_attr(fp, "desc");
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ close_attr(fp);
+ close_tag(fp, tok->id);
+ } else {
+ print_delim(fp, del);
+ print_1_byte(fp, tok->tt.arg64.no, "%u");
+ print_delim(fp, del);
+ print_8_bytes(fp, tok->tt.arg64.val, "0x%llx");
+ print_delim(fp, del);
+ print_string(fp, tok->tt.arg64.text, tok->tt.arg64.len);
+ }
}
/*
@@ -924,15 +1389,16 @@
static void
print_arb_tok(FILE *fp, tokenstr_t *tok, char *del, char raw,
- __unused char sfrm)
+ __unused char sfrm, int xml)
{
char *str;
char *format;
size_t size;
int i;
- print_tok_type(fp, tok->id, "arbitrary", raw);
- print_delim(fp, del);
+ print_tok_type(fp, tok->id, "arbitrary", raw, xml);
+ if (!xml)
+ print_delim(fp, del);
switch(tok->tt.arb.howtopr) {
case AUP_BINARY:
@@ -964,56 +1430,125 @@
>>> TRUNCATED FOR MAIL (1000 lines) <<<
More information about the trustedbsd-cvs
mailing list