audit_tool.c

            case 'p':   if ( selectn.pid_indx < N_SELECT2 && ++i < argc )                            selectn.pid[selectn.pid_indx++] = atoi(argv[i]);                                                                        break;            case 'P':   if ( selectn.ppid_indx < N_SELECT2 && ++i < argc )                            selectn.ppid[selectn.ppid_indx++] = atoi(argv[i]);                                                                        break;            case 'r':   if ( selectn.ruid_indx < N_SELECT2 && ++i < argc )                            selectn.ruid[selectn.ruid_indx++] = atoi(argv[i]);                                                                        break;            case 'R':   flag |= FLAG_REPORT;                            break;            case 's':   if ( selectn.charparam_indx < N_SELECT2 && ++i < argc )                            strncpy (selectn.charparam[selectn.charparam_indx++], argv[i], STR_LEN);                                                                        break;            case 'S':   flag |= FLAG_SORT;                              break;            case 't':   if ( ++i < argc ) strncpy (selectn.time_start, argv[i], TIME_LEN);                                                                        break;            case 'T':   if ( ++i < argc ) strncpy (selectn.time_end, argv[i], TIME_LEN);                                                                        break;            case 'u':   if ( selectn.uid_indx < N_SELECT2 && ++i < argc )                            selectn.uid[selectn.uid_indx++] = atoi(argv[i]);                                                                        break;            case 'U':   if ( selectn.username_indx < N_SELECT2 && ++i < argc )                            strncpy (selectn.username[selectn.username_indx++], argv[i], STR_LEN);                                                                        break;#ifdef PRIV            case 'v':   selectn.priv = 1;                               
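/* tail of main()'s option switch -- the head of main() is on the preceding lines and is kept as is */
                                                                        break;
#endif PRIV
            case 'w':   flag |= FLAG_LOCALID;
                        break;
            case 'x':   if ( selectn.dev_indx < N_SELECT2 && ++i < argc ) {
                            for ( j = 0; argv[i][j] && argv[i][j] != ','; j++ );
                            if ( argv[i][j] == ',' )
                                selectn.dev[selectn.dev_indx++] =
                                makedev ( atoi(argv[i]), atoi(argv[i]+j+1) );
                        }
                        break;
            default:    fprintf ( stderr, "audit_tool: unknown option: %c ignored\n", argv[i][1] );
                        break;
        }
        /* set initial log file */
        else if ( argv[i][0] != '-' )
            strncpy ( selectn.logfile, argv[i], MAXPATHLEN );
    }
    /* check for log file on command line */
    if ( selectn.logfile[0] == '\0' ) {
        printf ( "Usage: %s [ option ... ] auditlog_file\n", argv[0] );
        exit(1);
    }
    /* interactive mode */
    if ( interactive ) interact ( &selectn, &flag );
    /* build deselection ruleset */
    if ( *(selectn.rulesfil) ) ruleno = build_ruleset ( selectn.rulesfil, flag&FLAG_DISPLAY );
    fflush ( stdout );
    /* process audit log */
    audit_reduce ( &selectn, &flag );
    exit(0);
}

/*
 * write_full - write exactly len bytes of buf to fd, retrying on short writes.
 *
 * write(2) may write fewer bytes than asked; a silently truncated audit
 * record is exactly what a reduction tool must not produce.
 * Returns 0 when every byte was written, -1 on error or when no progress
 * is made (errno is left as write(2) set it, so the caller can perror()).
 */
static int write_full ( int fd, const char *buf, int len )
{
    while ( len > 0 ) {
        int n = write ( fd, buf, len );
        if ( n <= 0 ) return -1;    /* error, or no progress: never spin */
        buf += n;
        len -= n;
    }
    return 0;
}

/*
 * audit_reduce - fetch every audit record matching the selection criteria
 * and output it.
 *
 * selectn: selection criteria (log file name and the pid/uid/... filters)
 * flag_p:  misc option bits; FLAG_BINARY writes the raw record, otherwise
 *          the record is formatted by output_rec_fmt(); FLAG_REPORT sends
 *          each record to "report.<auid>" in the current directory instead
 *          of stdout; FLAG_BRIEF suppresses the final counts.
 *
 * The input descriptor is handed to fetch_matching_rec() by address, which
 * presumably opens and tracks it -- it is not closed here.
 * Returns 0 (callers never used the value; the old K&R definition returned
 * implicit int and fell off the end).
 */
int audit_reduce ( struct selectn *selectn, int *flag_p )
{
    struct audit_fields audit_fields;
    /* mutable buffer: "report." + sign and up to 11 digits + NUL.  The old
     * code pointed at a string literal and wrote into it, which is undefined */
    static char output_file[] = "report.xxxxxxxxxxxx";
    char buf_ptr[AUD_BUF_SIZ*2];
    char *rec_ptr;          /* ptr to audit data                        */
    int rec_len;            /* length of audit rec                      */
    int cnt_p = 0;          /* records examined                         */
    int cnt = 0;            /* records output                           */
    int fd_i = 0;           /* input fd, managed by fetch_matching_rec  */
    int fd_o;               /* output fd for the current record         */
    int report_open;        /* fd_o was opened here and must be closed  */
    int warned = 0;         /* report-file open failure already shown   */
    int i;

    for ( cnt = 0; (rec_ptr = fetch_matching_rec ( &audit_fields, selectn,
    &cnt_p, *flag_p, &rec_len, &fd_i )) != (char *)-1; cnt++ ) {
        fflush ( stdout );  fflush ( stderr );
        fd_o = 1;
        report_open = 0;
        /* set file descriptor to tty or output_file */
        if ( *flag_p & FLAG_REPORT ) {
            strcpy ( &output_file[7], itoa(audit_fields.auid) );
            /* NOTE(review): the name is predictable and the file is created in
             * the cwd, so run the report from a directory only the auditor can
             * write to; O_EXCL/O_NOFOLLOW would tighten this but are not
             * available in this code base's era of open(2). */
            fd_o = open ( output_file, O_CREAT|O_RDWR|O_APPEND, 0600 );
            if ( fd_o == -1 ) {
                /* fall back to stdout as before, but say so once */
                if ( !warned ) { perror ( output_file ); warned = 1; }
                fd_o = 1;
            }
            else report_open = 1;
        }
        if ( (*flag_p&FLAG_BINARY) == 0 ) {
            i = output_rec_fmt ( buf_ptr, audit_fields, *flag_p );
            if ( write_full ( fd_o, buf_ptr, i ) == -1 ) perror ( "write" );
        }
        else if ( write_full ( fd_o, rec_ptr, rec_len ) == -1 ) perror ( "write" );
        close_buf[0] = '\0';
        /* only close what we opened: after an open failure fd_o is stdout,
         * and the old code closed it */
        if ( report_open ) close ( fd_o );
        fflush ( stdout );  fflush ( stderr );
        if ( cnt_p%1000 == 0 ) fprintf ( stderr, "(%d records processed...)\n\n", cnt_p );
    }
    if ( (*flag_p&(FLAG_BINARY|FLAG_BRIEF)) == 0 ) {
        printf ( "%d records output\n", cnt );
        printf ( "%d records processed\n", cnt_p );
    }
    return 0;
}

/*
 * bad_cpu - validate a record's cpu number before it indexes a MAXCPU-sized
 * table.  A corrupt (or tampered) log record would otherwise read and write
 * outside the table on the stack.
 * Returns 1 after reporting on stderr if cpu is out of range, else 0.
 */
static int bad_cpu ( int cpu, int recno )
{
    if ( cpu >= 0 && cpu < MAXCPU ) return 0;
    fprintf ( stderr, "record %d: cpu number %d out of range, sort aborted\n", recno, cpu );
    return 1;
}

/*
 * audit_sort - sort the records of an SMP audit log by time, rewriting
 * logfile in place.
 *
 * The log is assumed to be in time order within each cpu's records (the
 * merge below relies on it).  Pass 1 locates the first record of every cpu;
 * pass 2 repeatedly takes the cpu whose pending record has the earliest
 * <tv_sec, tv_usec>, copies that record to "<logfile>.sort" and advances
 * the cpu to its next record.  If the copy ends up the same size as the
 * original it is renamed over logfile and fetch_hdr(..., 2) updates the
 * hdr file (mode 1 is the "already sorted" check).
 *
 * logfile: path of the audit log; "<logfile>.sort" must fit in MAXPATHLEN
 * Returns 0 when the log is sorted (or already was), -1 on any failure.
 * On failure a partial "<logfile>.sort" may be left behind.
 */
int audit_sort ( char *logfile )
{
    struct audit_fields af;     /* fields of parsed record      */
    struct selectn selectn;     /* selection criteria           */
    struct {
        int pos;                /* posn of pending record; -1: cpu exhausted */
        struct timeval tv;      /* timestamp of that record     */
    } sort[MAXCPU];
    char *rec_ptr;              /* ptr to audit data            */
    int rec_len;                /* length of record             */
    char sortfile[MAXPATHLEN];  /* tmp file to hold sorted data */
    struct stat logstat;        /* stat struct for logfile      */
    struct stat sortstat;       /* stat struct for sortfile     */
    int cnt = 0;                /* # records processed          */
    int opos = 0;               /* posn in input file           */
    int fd = 0;                 /* input fd, managed by fetch_matching_rec */
    int fd_o;                   /* output file descriptor       */
    int skip = 0;               /* throw-away record counter for pass 2 */
    int len;                    /* strlen(logfile)              */
    int i, j;
#define ABS(x) ((x) > 0 ? (x) : -(x))

    /* "<logfile>.sort" and selectn.logfile must both fit, terminator included;
     * the old copy loops wrote one byte past sortfile on a long name and could
     * leave selectn.logfile unterminated */
    len = strlen ( logfile );
    if ( len + (int)sizeof ".sort" > MAXPATHLEN ) {
        fprintf ( stderr, "%s: name too long to sort\n", logfile );
        return -1;
    }
    init_selectn ( &selectn );
    strncpy ( selectn.logfile, logfile, MAXPATHLEN );  /* terminated: len checked above */
    for ( i = 0; i < MAXCPU; i++ ) sort[i].pos = -1;
    /* check if logfile previously sorted */
    if ( fetch_hdr ( logfile, selectn.time_start, 1 ) ) {
        printf ( "%s already sorted.\n", logfile );
        return 0;
    }
    /* pass 1 - find first record per cpu */
    printf ( "sorting %s... (pass 1)\n", logfile );
    for ( ;; ) {
        if ( fetch_matching_rec ( &af, &selectn, &cnt, FLAG_OVERRIDE,
        &rec_len, &fd ) == (char *)-1 ) break;
        if ( bad_cpu ( af.n_cpu, cnt ) ) return -1;
        if ( sort[af.n_cpu].pos == -1 ) {
            /* tell()/L_SET are this code base's spellings of
             * lseek(fd, 0, SEEK_CUR) and SEEK_SET */
            opos = tell(fd);
            sort[af.n_cpu].pos = opos-rec_len;
            sort[af.n_cpu].tv = af.timeval;
        }
        if ( cnt%1000 == 0 ) printf ( "(pass 1: %d records processed...)\n", cnt );
    }
    printf ( "pass 1 complete: %d records sorted\n", cnt );
    /* open sortfile */
    strcpy ( sortfile, logfile );
    strcat ( sortfile, ".sort" );
    /* NOTE(review): the temp name is predictable; O_EXCL would refuse a
     * pre-existing file or symlink at that path, at the cost of manual
     * cleanup after an aborted run */
    if ( (fd_o = open ( sortfile, O_RDWR|O_CREAT|O_TRUNC, 0600 )) < 0 ) {
        printf ( "failed to open %s\n", sortfile );
        return -1;
    }
    /* pass 2 - build sorted logfile */
    printf ( "sorting... (pass 2)\n" );
    for ( cnt = 0;; cnt++ ) {
        /* j = cpu whose pending record is earliest (seconds, then microseconds) */
        for ( i = 0, j = -1; i < MAXCPU; i++ ) {
            if ( sort[i].pos == -1 ) continue;
            if ( j == -1 ) j = i;
            else if ( ABS(sort[i].tv.tv_sec) < ABS(sort[j].tv.tv_sec) )
                j = i;
            else if ( ( ABS(sort[i].tv.tv_sec) == ABS(sort[j].tv.tv_sec) )
            && ( ABS(sort[i].tv.tv_usec) < ABS(sort[j].tv.tv_usec) ) )
                j = i;
        }
        if ( j == -1 ) break;
        if ( lseek ( fd, sort[j].pos, L_SET ) == -1 ) {
            /* continuing after a failed seek would copy the wrong record */
            perror ( "lseek" );
            goto fail;
        }
        rec_ptr = fetch_rec ( &fd, &rec_len, &af, 0, 0 );
        /* assumes fetch_rec reports failure like fetch_matching_rec does -- TODO confirm */
        if ( rec_ptr == (char *)-1 || rec_ptr == (char *)0 ) {
            fprintf ( stderr, "pass 2: cannot re-read record at %d\n", sort[j].pos );
            goto fail;
        }
        if ( write_full ( fd_o, rec_ptr, rec_len ) == -1 ) {
            perror ( sortfile );
            goto fail;
        }
        parse_rec ( rec_ptr, rec_len, &af );
        /* advance this cpu to its next record, or retire it */
        selectn.n_cpu = af.n_cpu;
        if ( fetch_matching_rec ( &af, &selectn, &skip, FLAG_OVERRIDE,
        &rec_len, &fd ) != (char *)-1 ) {
            if ( bad_cpu ( af.n_cpu, cnt ) ) goto fail;
            opos = tell(fd);
            sort[af.n_cpu].pos = opos-rec_len;
            sort[af.n_cpu].tv = af.timeval;
        }
        else sort[selectn.n_cpu].pos = -1;
        if ( cnt && (cnt%1000 == 0) ) printf ( "(pass 2: %d records processed...)\n", cnt );
    }
    printf ( "pass 2 complete: %d records sorted\n", cnt );
    close ( fd_o );     /* the old code never closed it */
    /* check filesizes, rename sortfile, update hdr file */
    if ( stat ( logfile, &logstat ) == -1 || stat ( sortfile, &sortstat ) == -1 )
        perror ( "stat" );      /* unchecked before: compared garbage sizes */
    else if ( logstat.st_size != sortstat.st_size )
        printf ( "sort failed; %s and %s not same size\n", logfile, sortfile );
    else if ( rename ( sortfile, logfile ) == -1 )
        perror ( "rename from sortfile to logfile" );
    else {
        fetch_hdr ( logfile, selectn.time_start, 2 );
        sort_flag = 1;
        return 0;
    }
    return -1;
fail:
    close ( fd_o );
    return -1;
}

/*
 * aud_mem_op - get, free or map memory for reduction state processing.
 *
 * A small first-fit allocator on top of sbrk(2): memory is carved into up
 * to MEM_NBLKS blocks of MEM_NELMNT elements of MEM_ELMNT bytes, each block
 * preceded by a per-element '0' (free) / '1' (in use) map.  Nothing is ever
 * handed back to sbrk.
 *
 * fetch_siz:  > 0 -> return a pointer to fetch_siz bytes (rounded up to
 *             whole elements), or NULL when no block has room.
 * free_ptr,
 * free_siz:   with fetch_siz == 0, mark the elements covering
 *             [free_ptr, free_ptr+free_siz) free again; returns NULL.
 * debug:      with neither of the above, draw every block's map on stderr.
 * Returns the fetched memory, or NULL in every other case (including a
 * negative size, which the old code treated as a one-element request).
 */
char *aud_mem_op ( int fetch_siz, char *free_ptr, int free_siz, int debug )
{
    struct block {
        char blk_map[MEM_NELMNT];               /* '0' = free, '1' = in use */
        char blk_mem[MEM_ELMNT*MEM_NELMNT];     /* the elements themselves  */
    };
    static struct block *blk_ptr[MEM_NBLKS];    /* blocks obtained so far   */
    static int blk_ptr_used = -1;               /* index of the last one    */
    char *cp;
    char *mem;
    int n_elmnt;
    int i, j, k;

    /* a negative size is nonsense for either a fetch or a free */
    if ( fetch_siz < 0 || free_siz < 0 ) return((char *)0);

    /* fetch memory */
    if ( fetch_siz ) {
        n_elmnt = (fetch_siz-1)/MEM_ELMNT + 1;  /* round up to whole elements */
        /* larger than a block can never be satisfied: don't grow the heap for it */
        if ( n_elmnt > MEM_NELMNT ) return((char *)0);
        /* check each blk_ptr */
        for ( i = 0; i < MEM_NBLKS; i++ ) {
            if ( i > blk_ptr_used ) {
                /* no block here yet: grow the break; the extra sizeof(int) is
                 * slack for ALIGN to round cp up, the same idiom aud_mem_proc
                 * uses.  The old code then overwrote blk_ptr[i] with a manual
                 * rounding that cast the pointer to int (truncates on 64-bit);
                 * ALIGN is assumed to round up identically -- TODO confirm */
                if ( (cp = (char *)sbrk ( sizeof(int)+sizeof(struct block) )) == (char *)-1 )
                    return((char *)0);
                ALIGN ( blk_ptr[i], cp, block );
                blk_ptr_used++;
                for ( j = 0; j < MEM_NELMNT; j++ )
                    blk_ptr[i]->blk_map[j] = '0';
            }
            /* first fit: n_elmnt contiguous free elements in this block */
            for ( j = 0; j <= MEM_NELMNT-n_elmnt; j++ ) {
                for ( k = 0; k < n_elmnt; k++ )
                    if ( blk_ptr[i]->blk_map[j+k] != '0' ) break;
                if ( k < n_elmnt ) continue;
                for ( k = 0; k < n_elmnt; k++ )
                    blk_ptr[i]->blk_map[j+k] = '1';
                return ( &blk_ptr[i]->blk_mem[j*MEM_ELMNT] );
            }
        }
        return((char *)0);
    }
    /* free memory */
    if ( free_siz && free_ptr ) {
        for ( i = 0; i <= blk_ptr_used; i++ ) {
            mem = blk_ptr[i]->blk_mem;
            /* the range may end exactly at the block's end (one past its last
             * byte); the old "<= last byte" test leaked such allocations */
            if ( free_ptr >= mem && free_ptr+free_siz <= mem+MEM_ELMNT*MEM_NELMNT ) {
                k = (free_ptr - mem) / MEM_ELMNT;
                for ( j = 0; j <= (free_siz-1)/MEM_ELMNT; j++ )
                    blk_ptr[i]->blk_map[j+k] = '0';
                return((char *)0);
            }
        }
        return ((char *)0);
    }
    /* debug: draw blk_map's */
    if ( debug ) {
        for ( i = 0; i <= blk_ptr_used; i++ ) {
            fprintf ( stderr, "block %.03d:  ", i );
            for ( j = 0; j < MEM_NELMNT; j++ ) {
                fprintf ( stderr, "%c", blk_ptr[i]->blk_map[j] );
                if ( (j+1)%10 == 0 ) fprintf ( stderr, "  " );
                if ( (j+1)%40 == 0 ) fprintf ( stderr, "\n            " );
            }
            fprintf ( stderr, "\n" );
        }
        fprintf ( stderr, "\n" );
    }
    return((char *)0);  /* the old code fell off the end here */
}

/* get/free/provide a_proc struct for reduction state processing */
struct a_proc *aud_mem_proc ( oprtn, rel_ptr, pid, hostp, fd )
int oprtn;              /* 0: release a_proc struct; 1: get new struct  */
                        /* 2: get addr for <pid,hostp>                  */
                        /* 3: debug; 4: dump state on fd                */
struct a_proc *rel_ptr; /* free referenced a_proc                       */
short pid;
int hostp;
int fd;
{
    static struct a_proc *free_list = (struct a_proc *)0;
    static struct a_proc *used_list = (struct a_proc *)0;
    struct a_proc *ptr, *ptr2;
    char *cp;
    int i, j, k;
    /* return ptr to a_proc structure */
    if ( oprtn == 1 ) {
        /* get a_proc structure; use free_list and dbly-linked used_list */
        if ( free_list ) {
            ptr = free_list;
            free_list = free_list->a_proc_next;
        }
        else {
            if ( (cp = (char *)sbrk(sizeof(int)+sizeof (struct a_proc))) == (char *)-1 )
                return ((struct a_proc *)-1);
            ALIGN ( ptr, cp, a_proc );
        }
        if ( used_list == (struct a_proc *)0 ) used_list = ptr;
        ptr->a_proc_next = used_list;
        ptr->a_proc_prev = ptr;
        ptr->a_proc_prev = ptr->a_proc_next->a_proc_prev;
        ptr->a_proc_next->a_proc_prev = ptr;
        ptr->a_proc_prev->a_proc_next = ptr;
        /* update proc_tbl and a_proc structure */
        ptr->auid = -1;
        ptr->pid = pid;
        ptr->ruid = -1;
        ptr->login_proc = 0;
        ptr->ipaddr = hostp;
        ptr->cwd = (char *)0;
        ptr->root = (char *)0;
        ptr->username = (char *)0;
        for ( i = 0; i < _NFILE; i++ ) ptr->fd_nm[i] = (char *)0;
        ptr->access_gp_indx = 0;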
 return ( ptr );    }    /* find a_proc struct for this <pid,hostp> */    if ( oprtn == 2 ) {        if ( used_list == (struct a_proc *)0 ) return ( (struct a_proc *)-1 );        ptr = used_list;        do {            ptr = ptr->a_proc_prev;            if ( ptr->pid == pid && ptr->ipaddr == hostp ) return ( ptr );        } while ( ptr != used_list );        return ( (struct a_proc *)-1 );    }    /* release a_proc struct */    if ( oprtn == 0 && rel_ptr ) {        if ( rel_ptr->pid == pid && rel_ptr->ipaddr == hostp ) {            rel_ptr->a_proc_next->a_proc_prev = rel_ptr->a_proc_prev;            rel_ptr->a_proc_prev->a_proc_next = rel_ptr->a_proc_next;            used_list = rel_ptr->a_proc_next;            if ( used_list == rel_ptr ) used_list = (struct a_proc *)0;            rel_ptr->a_proc_next = free_list;            free_list = rel_ptr;
