#ifndef lint
static char *sccsid = "@(#)audit_tool.c 4.4 ULTRIX 4/11/91";
#endif lint
/************************************************************************
 *									*
 *			Copyright (c) 1989, 1990, 1991 by		*
 *		Digital Equipment Corporation, Maynard, MA		*
 *			All rights reserved.				*
 *									*
 *   This software is furnished under a license and may be used and	*
 *   copied  only  in accordance with the terms of such license and	*
 *   with the  inclusion  of  the  above  copyright  notice.   This	*
 *   software  or  any  other copies thereof may not be provided or	*
 *   otherwise made available to any other person.  No title to and	*
 *   ownership of the software is hereby transferred.			*
 *									*
 *   The information in this software is subject to change without	*
 *   notice  and should not be construed as a commitment by Digital	*
 *   Equipment Corporation.						*
 *									*
 *   Digital assumes no responsibility for the use  or  reliability	*
 *   of its software on equipment which is not supplied by Digital.	*
 *									*
 ************************************************************************/
/*
 * Modification history:
 *
 * 07 Jul 89 - scott
 *	created file
 *
 * 09 Aug 90 - scott
 *	change prompt
 *	add -w option
 *	improve syscall integer param formatting
 */
/* Audit Reduction Tool
 *   link with /sys/`machine`/BINARY/syscalls.o -laud
 *   optional: -Ddebug1 to get block maps and proc lists
 *   optional: -DPRIV to include priv information
 *   optional: -DPRIVDB -lprivdb to use privdb library
 */
/* to handle new token in audit.h:
 *   1) update audit_fields struct
 *   2) update init_audit_fields()
 *   3) update appropriate output_*() routine
 *   4) update parse_rec()
 */
#include <sys/types.h>
#include <sys/time.h>
#include <sys/file.h>
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/audit.h>
#include <sys/cpudata.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <strings.h>
#include <syscall.h>
#include <stdio.h>
#include <errno.h>
#ifdef mips
#include <varargs.h>
#endif mips
#include <pwd.h>
#include <grp.h>
#include <sys/mount.h>
#include <fs/nfs/nfs_clnt.h>
#include <fs/nfs/vfs.h>

/* Privilege set carried in an audit record; only compiled with -DPRIV. */
#ifdef PRIV
typedef u_long priv_mask_t;
typedef struct priv_set_t {
	priv_mask_t mask[2];
} priv_set_t;
#endif PRIV

#define HOST_LEN	32
#define MAX_RULE_SIZ	4096
#define MAX_SPECIAL	263	/* upper bound of the pseudo syscall numbers below */
#define MIN_SPECIAL	260	/* first pseudo syscall number (SYS_SHMGET) */
/* event_status bits; see the -e option: set when the ":succeed" / ":fail"
 * field of "-e event[:succeed:fail]" is given as 0 */
#define NO_F		0x01
#define NO_S		0x02
#define NUM_SYSCALLS	257	/* based on # entries in syscalls.c */
#define NRULESETS	32	/* number of rule sets pointed to by rules[] */
/* N_TRUSTED_EVENTS and AUD_NPARAM are not defined here; presumably they
 * come from <sys/audit.h> */
#define N_SELECT	(NUM_SYSCALLS+N_TRUSTED_EVENTS)
#define N_SELECT2	8	/* max values accepted per selection option */
/* Rule i lives in set i/NRULESETS, slot i%NRULESETS.  Neither argument is
 * parenthesized, so pass a plain identifier or literal for i. */
#define RULE(i,x)	rules[i/NRULESETS]->x[i%NRULESETS]
#define RULES_IN_SET	32
#define STR_LEN		1024
#define STR_LEN2	32
#define TIME_LEN	13	/* room for yymmddhhmmss plus terminator */
#define MEM_ELMNT	32
#define MEM_NELMNT	1000
#define MEM_NBLKS	100
/* bits of the global "flag", set from the control options in main() */
#define FLAG_BINARY	0x01	/* -b */
#define FLAG_DISPLAY	0x02	/* -D */
#define FLAG_FOLLOW	0x04	/* -f */
#define FLAG_OVERRIDE	0x08	/* -o */
#define FLAG_REPORT	0x10	/* -R */
#define FLAG_BRIEF	0x20	/* -B */
#define FLAG_SORT	0x40	/* -S */
#define FLAG_LOCALID	0x80	/* -w */

/* forward declarations (K&R style, no parameter lists) */
char *aud_mem_op();
struct a_proc *aud_mem_proc();
char *fetch_matching_rec();
char *fetch_rec();
char *gethost_l();
char *itoa();
int sig_int1();

/* special events: names for the pseudo syscall numbers MIN_SPECIAL.. */
char *special_event[] = {
	"shmget",
	"shmdt",
	"shmctl",
	"shmat",
	"logout"
};
#define SYS_SHMGET	MIN_SPECIAL
#define SYS_SHMDT	MIN_SPECIAL+1
#define SYS_SHMCTL	MIN_SPECIAL+2
#define SYS_SHMAT	MIN_SPECIAL+3
/* NOTE: a leading underscore plus capital is reserved for the implementation */
#define _LOGOUT		special_event[4]

/* audit record fields.
 * Each variable-length token class is a fixed array of AUD_NPARAM entries
 * plus a *_indx count of how many are filled in; parse_rec() is the
 * writer (see the "new token" checklist above). */
struct audit_fields {
	long auid;
	short device;
	int error;
	int event;
	short flag;
	int hostid;
	unsigned long ipaddr;
	short n_cpu;
	short pid;
	short ppid;
	int result;
	struct timeval timeval;
	struct timezone timezone;
	short uid;
	short ruid;
#ifdef PRIV
	priv_set_t privstr;
#endif PRIV
	/* second set of identity fields, presumably for records that
	 * describe two principals; verify against parse_rec() */
	long auid2;
	int hostid2;
	unsigned long ipaddr2;
	short device2;
	short pid2;
	short ppid2;
	short uid2;
	short ruid2;
	short login_proc;
	/* string parameters: pointer and length per entry */
	char *charparam[AUD_NPARAM];
	int charp_indx;
	int charlen[AUD_NPARAM];
	int intparam[AUD_NPARAM];
	int intp_indx;
	short shortparam[AUD_NPARAM];
	int shortp_indx;
	char *int_array[AUD_NPARAM];
	int int_array_indx;
	int int_array_len[AUD_NPARAM];
	int descrip[AUD_NPARAM];
	int descrip_indx;
	long gnode_id[AUD_NPARAM];
	int gp_id_indx;
	ushort gnode_dev[AUD_NPARAM];
	int gp_dev_indx;
	char *socketaddr[AUD_NPARAM];
	int socket_indx;
	int socketlen[AUD_NPARAM];
	char *msgaddr[AUD_NPARAM];
	int msg_indx;
	int msglen[AUD_NPARAM];
	char *accessaddr[AUD_NPARAM];
	int access_indx;
	int accesslen[AUD_NPARAM];
	ushort ipc_uid[AUD_NPARAM];
	int ipc_uid_indx;
	ushort ipc_gid[AUD_NPARAM];
	int ipc_gid_indx;
	ushort ipc_mode[AUD_NPARAM];
	int ipc_mode_indx;
	char *login[AUD_NPARAM];
	int login_indx;
	int login_len[AUD_NPARAM];
	char *login2[AUD_NPARAM];
	int login2_indx;
	int login2_len[AUD_NPARAM];
	char *homedir[AUD_NPARAM];
	int homedir_indx;
	int homedir_len[AUD_NPARAM];
	char *shell[AUD_NPARAM];
	int shell_indx;
	int shell_len[AUD_NPARAM];
	char *service[AUD_NPARAM];
	int service_indx;
	int service_len[AUD_NPARAM];
	char *devname[AUD_NPARAM];
	int devname_indx;
	int devname_len[AUD_NPARAM];
	/* X server audit tokens */
	int atom_id[AUD_NPARAM];
	int atom_id_indx;
	struct aud_client_info x_client[AUD_NPARAM];
	int x_client_indx;
	int client_id[AUD_NPARAM];
	int client_id_indx;
	int property[AUD_NPARAM];
	int property_indx;
	unsigned int res_class[AUD_NPARAM];
	int res_class_indx;
	unsigned int res_type[AUD_NPARAM];
	int res_type_indx;
	int res_id[AUD_NPARAM];
	int res_id_indx;
};

/* audit record fields on which post-selection enabled.
 * Filled from the command line in main(); each *_indx counts the values
 * supplied for that option (at most N_SELECT2, or N_SELECT for events). */
struct selectn {
	long auid[N_SELECT2];		/* -a */
	int auid_indx;
	char charparam[N_SELECT2][STR_LEN];	/* -s */
	int charparam_indx;
	short dev[N_SELECT2];		/* -x */
	int dev_indx;
	int error[N_SELECT2];		/* -E */
	int error_indx;
	/* -e: event name copied with bcopy() of at most STR_LEN2 bytes;
	 * relies on init_selectn() having zeroed the array for termination */
	char event[N_SELECT][STR_LEN];
	int event_indx;
	char event_status[N_SELECT];	/* NO_S / NO_F bits per event */
	long gnode[N_SELECT2];		/* -g */
	int gnode_indx;
	int gnode_dev[N_SELECT2];	/* -G, stored as makedev(major,minor) */
	int gnode_dev_indx;
	/* -h / -I.  NOTE(review): -h bcopy()s hp->h_length bytes into one
	 * slot without checking it against sizeof(unsigned long), and -I
	 * stores into ipaddr[ipaddr_indx] without advancing ipaddr_indx, so
	 * a later -h/-I overwrites that value. */
	unsigned long ipaddr[N_SELECT2];
	int ipaddr_indx;
	char logfile[MAXPATHLEN];
	short n_cpu;
	short pid[N_SELECT2];		/* -p */
	int pid_indx;
	short ppid[N_SELECT2];		/* -P */
	int ppid_indx;
	short ruid[N_SELECT2];		/* -r */
	int ruid_indx;
	/* -d / -D: filled with strncpy(..., STR_LEN), so an argument of
	 * STR_LEN or more bytes leaves no NUL terminator */
	char rulesfil[STR_LEN];
	char time_end[TIME_LEN];	/* -T, yymmdd[hh[mm[ss]]] */
	char time_start[TIME_LEN];	/* -t, same format */
	short uid[N_SELECT2];		/* -u */
	int uid_indx;
	char username[N_SELECT2][STR_LEN];	/* -U */
	int username_indx;
#ifdef PRIV
	int priv;			/* -V */
#endif PRIV
} selectn;

int flag = 0;	/* see FLAG_* def's above
*/char close_buf[MAXPATHLEN]; /* last closed file */int sort_flag = 0; /* sort status of data file *//* deselection ruleset, and ruleset ptrs */struct ruleset { char *host[RULES_IN_SET]; long auid[RULES_IN_SET]; short ruid[RULES_IN_SET]; char *event[RULES_IN_SET]; char *param[RULES_IN_SET]; int oprtn[RULES_IN_SET];} ruleset;struct ruleset *rules[NRULESETS];int ruleno = 0; /* # rules in ruleset file *//* process state information */struct a_proc { ushort access_gp_dev[_NFILE]; long access_gp_id[_NFILE]; int access_gp_indx; long auid; unsigned long ipaddr; short pid; short ruid; short login_proc; char *cwd; char *root; char *username; char *fd_nm[_NFILE]; struct a_proc *a_proc_next; struct a_proc *a_proc_prev;};#define A_PROC_HDR_SIZ (sizeof(short)*(2+_NFILE) + sizeof(int) + sizeof(long)*(2+_NFILE))#define ALIGN(to,from,type) \ to = (struct type *)((int)from + (4-((int)from & 0x03))%4);/* reduction tool */main ( argc, argv )int argc;char *argv[];{ int interactive = 0; /* interactive initialization mode */ struct hostent *hp; /* hostentry pointer */ int i, j; if ( argc < 2 ) { printf ( "Audit reduction tool usage: [options] logfile\n" ); printf ( "\nselection options:\n" ); printf ( " -a audit_id -e event[:succeed:fail]\n" ); printf ( " -E error# or error_string -g gnode_id\n" ); printf ( " -G gnode's device-major#,minor# -h hostname or ip_address\n" ); printf ( " -p pid -P ppid\n" ); printf ( " -r real_uid -s string_parameter\n" ); printf ( " -t start_time -T end_time format: yymmdd[hh[mm[ss]]]\n" ); printf ( " -u uid -U username\n" ); printf ( " -x device-major#,minor#\n" );#ifdef PRIV printf ( " -V: select records with privilege used\n" );#endif PRIV printf ( "\ncontrol options:\n" ); printf ( " -b: output in binary format\n" ); printf ( " -B: output in abbreviated format\n" ); printf ( " -d file: use specified deselection rules file (-D to print ruleset)\n" ); printf ( " -f: keep reading auditlog (like tail -f)\n" ); printf ( " -i: interactive selection mode\n" ); 
printf ( " -o: override switching logfile due to change_auditlog records\n" ); printf ( " -R: generate reports by audit_id\n" ); printf ( " -S: sort audit records by time (for SMP only)\n" ); printf ( " -w: map ruid, group #'s to names using passwd, group tables\n" ); exit(0); } /* sig hndlr to trigger interact() on ^C */ signal ( SIGINT, sig_int1 ); /* initializations for post-selection */ init_selectn ( &selectn ); /* process command line */ for ( i = 1; i < argc; i++ ) { /* select on audit record fields */ if ( argv[i][0] == '-' ) switch ( argv[i][1] ) { case 'a': if ( selectn.auid_indx < N_SELECT2 && ++i < argc ) selectn.auid[selectn.auid_indx++] = atoi(argv[i]); break; case 'B': flag |= FLAG_BRIEF; break; case 'b': flag |= FLAG_BINARY; break; case 'D': flag |= FLAG_DISPLAY; /* fall through to 'd' */ case 'd': if ( ++i < argc ) strncpy (selectn.rulesfil, argv[i], STR_LEN); break; case 'e': if ( selectn.event_indx < N_SELECT && ++i < argc ) { for ( j = 0; argv[i][j] && argv[i][j] != ':' && j < STR_LEN2; j++ ); bcopy ( argv[i], selectn.event[selectn.event_indx], j ); selectn.event_status[selectn.event_indx] = 0x0; if ( argv[i][j] == ':' && argv[i][j+1] == '0' ) selectn.event_status[selectn.event_indx] += NO_S; if ( argv[i][j] && argv[i][j+2] == ':' && argv[i][j+3] == '0' ) selectn.event_status[selectn.event_indx] += NO_F; selectn.event_indx++; } break; case 'E': if ( selectn.error_indx < N_SELECT2 && ++i < argc ) selectn.error[selectn.error_indx++] = atoi(argv[i]); break; case 'f': flag |= FLAG_FOLLOW; break; case 'g': if ( selectn.gnode_indx < N_SELECT2 && ++i < argc ) selectn.gnode[selectn.gnode_indx++] = atoi(argv[i]); break; case 'G': if ( selectn.gnode_dev_indx < N_SELECT2 && ++i < argc ) { for ( j = 0; argv[i][j] && argv[i][j] != ','; j++ ); if ( argv[i][j] == ',' ) selectn.gnode_dev[selectn.gnode_dev_indx++] = makedev ( atoi(argv[i]), atoi(argv[i]+j+1) ); } break; case 'h': if ( selectn.ipaddr_indx < N_SELECT2 && ++i < argc ) { if ( hp = 
gethostbyname(argv[i]) ) bcopy ( hp->h_addr, &selectn.ipaddr[selectn.ipaddr_indx++], hp->h_length ); else if ( (j = inet_addr(argv[i])) != -1 ) selectn.ipaddr[selectn.ipaddr_indx++] = j; else write ( 1, "bad host/address\n", 17 ); } break; case 'i': interactive = 1; break; case 'I': if ( selectn.ipaddr_indx < N_SELECT2 && ++i < argc ) selectn.ipaddr[selectn.ipaddr_indx] = inet_addr(argv[i]); break; case 'o': flag |= FLAG_OVERRIDE; break;