PERFORCE change 106603 for review
Christian S.J. Peron
csjp at FreeBSD.org
Sun Sep 24 08:37:50 PDT 2006
http://perforce.freebsd.org/chv.cgi?CH=106603
Change 106603 by csjp at csjp_xor on 2006/09/24 15:36:33
Add support for regular expression based pathname matching. This should be
functionally equivalent to how the Solaris auditreduce handles things.
Affected files ...
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#17 edit
.. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 edit
Differences ...
==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 (text+ko) ====
@@ -25,7 +25,7 @@
.\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#11 $
+.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#12 $
.\"
.Dd January 24, 2004
.Dt AUDITREDUCE 1
@@ -105,12 +105,17 @@
.It Fl o Ar object=value
.Bl -tag -width Ds
.It Nm file
-Select records containing the given path name.
-file="/usr" matches paths
-starting with
-.Pa usr .
-file="~/usr" matches paths not starting with
-.Pa usr .
+Select records containing path tokens, where the pathname matches
+one of the comma delimited extended regular expression contained in
+given specification.
+Regular expressions which are prefixed with a tilde (~) are excluded
+from the search results.
+These extended regular expressions are processed from left to right,
+and a path will either be selected or deslected based on the first match.
+.Pp
+Since commas are used to delimit the regular expressions, a backslash (\\)
+character should be used to escape the comma if it's a part of the search
+pattern.
.It Nm msgqid
Select records containing the given message queue id.
.It Nm pid
@@ -141,6 +146,25 @@
file, or via standard output to the
.Xr praudit 1
command.
+.Pp
+Select all records containing a path token where the pathname contains
+.Pa /etc/master.passwd
+.Pp
+.Nm
+-ofile="/etc/master.passwd" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+device:
+.Pp
+.Nm
+-ofile="/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
+.Pp
+Select all records containing path tokens, where the pathname is a TTY
+except for
+.Pa /dev/ttyp2
+.Pp
+.Nm
+-ofile="~/dev/ttyp2,/dev/tty[a-zA-Z][0-9]+" /var/audit/20031016184719.20031017122634
.Sh SEE ALSO
.Xr praudit 1 ,
.Xr audit_control 5 ,
==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#17 (text+ko) ====
@@ -26,7 +26,7 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#16 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#17 $
*/
/*
@@ -40,6 +40,7 @@
* XXX the records present within the file and between the files themselves
*/
+#include <sys/queue.h>
#include <bsm/libbsm.h>
#include <err.h>
@@ -51,9 +52,14 @@
#include <string.h>
#include <time.h>
#include <unistd.h>
+#include <regex.h>
+#include <errno.h>
#include "auditreduce.h"
+static TAILQ_HEAD(tailhead, re_entry) re_head =
+ TAILQ_HEAD_INITIALIZER(re_head);
+
extern char *optarg;
extern int optind, optopt, opterr,optreset;
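Review bot: The new `#include <regex.h>` and `#include <errno.h>` are appended after `<unistd.h>` instead of being sorted into the file's alphabetical include order, and the new auditreduce.h content in this change uses `regex_t` and `TAILQ_ENTRY` without, as far as the header hunk shows, including `<regex.h>` or `<sys/queue.h>` itself, so the header only compiles when auditreduce.c has already pulled both in ahead of `#include "auditreduce.h"`. I would add both includes to auditreduce.h so it is self-contained, or at least put a comment above the `"auditreduce.h"` include stating the ordering requirement, and move the two new system includes into sorted position.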
@@ -81,6 +87,53 @@
static uint32_t opttochk = 0;
static void
+parse_regexp(char *re_string)
+{
+ char *orig, *copy, re_error[64];
+ struct re_entry *rep;
+ int error, nstrs, i, len;
+
+ copy = strdup(re_string);
+ orig = copy;
+ len = strlen(copy);
+ for (nstrs = 0, i = 0; i < len; i++) {
+ if (copy[i] == ',' && i > 0) {
+ if (copy[i - 1] == '\\')
+ strcpy(©[i - 1], ©[i]);
+ else {
+ nstrs++;
+ copy[i] = '\0';
+ }
+ }
+ }
+ TAILQ_INIT(&re_head);
+ for (i = 0; i < nstrs + 1; i++) {
+ rep = calloc(1, sizeof(*rep));
+ if (rep == NULL) {
+ (void) fprintf(stderr, "calloc: %s\n",
+ strerror(errno));
+ exit(1);
+ }
+ if (*copy == '~') {
+ copy++;
+ rep->re_negate = 1;
+ }
+ rep->re_pattern = strdup(copy);
+ error = regcomp(&rep->re_regexp, rep->re_pattern,
+ REG_EXTENDED | REG_NOSUB);
+ if (error != 0) {
+ regerror(error, &rep->re_regexp, re_error, 64);
+ (void) fprintf(stderr, "regcomp: %s\n", re_error);
+ exit(1);
+ }
+ TAILQ_INSERT_TAIL(&re_head, rep, re_glue);
+ len = strlen(copy);
+ copy += len + 1;
+ }
+ free(orig);
+}
+
+static void
usage(const char *msg)
{
fprintf(stderr, "%s\n", msg);
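Review bot: The escape handling at `strcpy(©[i - 1], ©[i])` (which reads as extraction-mangled `&copy[i - 1], &copy[i]`) copies between overlapping regions, which strcpy does not define, and after the shift the loop advances past the character that just moved into `copy[i]`, so an escaped comma directly followed by a delimiter (`a\,,b`) yields the single pattern `a,,b` instead of `a,` and `b`. Both `strdup` calls are also unchecked, so a NULL result reaches `strlen`/`regcomp`. The rewrite below uses memmove with a length/index adjustment and checks the first strdup; I would also pass `sizeof(re_error)` instead of the literal 64 to regerror and include `rep->re_pattern` in the regcomp error message so the user can tell which of several patterns failed. Note too that a second `-o file=` option runs `TAILQ_INIT` again and leaks the earlier compiled entries, which may be acceptable for a one-shot tool but is worth a comment.
```c
	copy = strdup(re_string);
	if (copy == NULL) {
		(void) fprintf(stderr, "strdup: %s\n", strerror(errno));
		exit(1);
	}
	orig = copy;
	len = strlen(copy);
	for (nstrs = 0, i = 0; i < len; i++) {
		if (copy[i] != ',' || i == 0)
			continue;
		if (copy[i - 1] == '\\') {
			/* Escaped: drop the backslash, keep the comma literal. */
			memmove(&copy[i - 1], &copy[i], len - i + 1);
			len--;
			i--;	/* next iteration examines the char after the comma */
		} else {
			nstrs++;
			copy[i] = '\0';
		}
	}
	/* … unchanged: per-pattern calloc/regcomp loop … */
```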
@@ -258,23 +311,20 @@
static int
select_filepath(char *path, uint32_t *optchkd)
{
- char *loc;
+ struct re_entry *rep;
+ int match;
SETOPT((*optchkd), OPT_of);
+ match = 1;
if (ISOPTSET(opttochk, OPT_of)) {
- if (p_fileobj[0] == '~') {
- /* Object should not be in path. */
- loc = strstr(path, p_fileobj + 1);
- if ((loc != NULL) && (loc == path))
- return (0);
- } else {
- /* Object should be in path. */
- loc = strstr(path, p_fileobj);
- if ((loc == NULL) || (loc != path))
- return (0);
+ match = 0;
+ TAILQ_FOREACH(rep, &re_head, re_glue) {
+ if (regexec(&rep->re_regexp, path, 0, NULL,
+ 0) != REG_NOMATCH)
+ return (!rep->re_negate);
}
}
- return (1);
+ return (match);
}
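Review bot: `regexec(...) != REG_NOMATCH` treats any regexec failure other than no-match (for example REG_ESPACE) as a match, so an error on a negated pattern silently drops the record and on a positive pattern selects it; comparing against success, `if (regexec(&rep->re_regexp, path, 0, NULL, 0) == 0)`, keeps errors from being mistaken for matches. Also, with `match = 0` set before the loop, a record whose path matches no pattern is now rejected, so a specification consisting only of tilde patterns such as `-ofile="~/dev/ttyp2"` selects nothing, whereas the replaced strstr code returned 1 for non-matching paths in the `~` case; if that is intended the man page should say so, otherwise the fall-through should return 1 when every entry is negated. Since `match` is only ever returned as 0 after the loop, it could be dropped in favour of a plain `return (0)` inside the `if`. The regexec call is unanchored, unlike the previous `loc == path` prefix comparison, which is presumably the intended Solaris-compatible behaviour but does change what `-ofile=/usr` selects.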
/*
@@ -525,6 +575,7 @@
if (!strcmp(name, FILEOBJ)) {
p_fileobj = val;
+ parse_regexp(val);
SETOPT(opttochk, OPT_of);
} else if (!strcmp(name, MSGQIDOBJ)) {
p_msgqobj = val;
==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 (text+ko) ====
@@ -26,13 +26,20 @@
* IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*
- * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#4 $
+ * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.h#5 $
*/
#ifndef _AUDITREDUCE_H_
#define _AUDITREDUCE_H_
+struct re_entry {
+ char *re_pattern;
+ int re_negate;
+ regex_t re_regexp;
+ TAILQ_ENTRY(re_entry) re_glue;
+};
+
#define OPT_a 0x00000001
#define OPT_b 0x00000002
#define OPT_c 0x00000004