audit_tool.c


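            return ( (struct a_proc *)0 );
        }
        else return ( (struct a_proc *)-1 );
    }
    /* debug */
    if ( oprtn == 3 ) {
        fprintf ( stderr, "used_list:  " );
        if ( used_list )
            for ( i = 0, ptr = ptr2 = used_list; ptr != ptr2 || i == 0; ptr = ptr->a_proc_next, i++ ) {
                fprintf ( stderr, "0x%x  ", ptr );
                if ( (i+1)%5 == 0 ) fprintf ( stderr, "\n            " );
            }
        fprintf ( stderr, "\n" );
        fprintf ( stderr, "free_list:  " );
        for ( i = 0, ptr = free_list; ptr; ptr = ptr->a_proc_next, i++ ) {
            fprintf ( stderr, "0x%x  ", ptr );
            if ( (i+1)%5 == 0 ) fprintf ( stderr, "\n            " );
        }
        fprintf ( stderr, "\n" );
    }
#define DUMPIT(obj,indx) \
    for ( indx = 0; obj && obj[indx]; indx++ ); \
    write ( fd, &indx, sizeof(int) ); \
    write ( fd, obj, indx );
    /* dump rvalues and ptrs in a_proc structures to fd */
    if ( oprtn == 4 && used_list )
        for ( i = 0, ptr = ptr2 = used_list; ptr != ptr2 || i == 0; ptr = ptr->a_proc_next, i++ ) {
            write ( fd, ptr, A_PROC_HDR_SIZ );
            DUMPIT ( ptr->cwd, j );
            DUMPIT ( ptr->root, j );
            DUMPIT ( ptr->username, j );
            for ( j = 0; j < _NFILE; j++ ) {
                DUMPIT ( ptr->fd_nm[j], k );
            }
        }
}

/*
 * build deselection ruleset from rulesfile; return # rules built.
 *
 * Each non-comment line holds: hostname audit_id ruid event param [oprtn].
 * audit_id and ruid may be "*" (stored as -1); event may be a "quoted"
 * string; oprtn is a run of 'r'/'w' letters (stored as r=0, w=1, rw=2,
 * absent=-1).  Rule text is copied into memory obtained with sbrk(), so
 * it lives for the rest of the process.
 *
 * rulesfile: pathname of the rules file (opened read-only).
 * display:   when non-zero, echo each parsed rule to stderr.
 * Returns the number of rules stored (0 if the file cannot be opened, or
 * the count built so far when a ruleset cannot be allocated).
 */
int
build_ruleset ( rulesfile, display )
char *rulesfile;    /* pathname of rulesfile */
int display;        /* display rulesets      */
{
    char buf[2][MAX_RULE_SIZ];      /* switch-buffering for rule input  */
    int buf_sw = 1;                 /* switch indicating current buffer */
    char conv_buf[16];              /* buffer to atoi()                 */
    char param_buf[MAX_RULE_SIZ];   /* must hold param before sbrk      */
    char event_buf[STR_LEN2];       /* must hold event before sbrk      */
    char hostname_buf[HOST_LEN];    /* must hold hostname before sbrk   */
    int ruleno = 0;                 /* count of rules built             */
    int start;
    int end;
    int fd;
    int i, j, k;
    char *cp;

    /* open rulesfile */
    if ( (fd = open ( rulesfile, 0 )) == -1 ) {
        fprintf ( stderr, "build_ruleset: could not open %s\n", rulesfile );
        return(0);
    }

    /* read in rules */
    start = end = 0;
    end = read ( fd, buf[buf_sw], sizeof buf[0] );
    do {
        /* alternate buffers; no rule may occupy >2 buffers */
        for ( j = start; j < end && buf[buf_sw][j] != '\n'; j++ );
        if ( j == end ) {
            /* EOF or read error: nothing more to parse */
            if ( (end = read ( fd, buf[buf_sw^1], sizeof buf[0] )) <= 0 ) break;
        }

        /* allow comment lines; stop at the end of the buffer, never scan past it */
        if ( buf[buf_sw][start] == '#' ) {
            for ( j = start; j < sizeof buf[0] && buf[buf_sw][j] != '\n'; j++ );
            start = j+1;
            continue;
        }

        /* allocate rules struct */
        if ( ruleno%RULES_IN_SET == 0 ) {
            if ( (cp = (char *)sbrk (sizeof(int)+sizeof(struct ruleset) )) == (char *)-1 ) {
                fprintf ( stderr, "sbrk failed on ruleset %d\n", ruleno/RULES_IN_SET );
                close(fd);      /* descriptor was leaked on this path */
                return ( ruleno );
            }
            ALIGN ( rules[ruleno/RULES_IN_SET], cp, ruleset );
        }

        /* read hostname */
        for ( j = start; buf[buf_sw][j] == '\t' || buf[buf_sw][j] == ' ' ||
        buf[buf_sw][j] == '\n'; j++ );
        for ( k = 0; buf[buf_sw][j] != '\t' && buf[buf_sw][j] != ' ' &&
        buf[buf_sw][j] != '\n' && k < sizeof hostname_buf-1; j++, k++ ) {
            if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
            hostname_buf[k] = buf[buf_sw][j];
        }
        hostname_buf[k] = '\0';
        if ( (RULE(ruleno,host) = (caddr_t)sbrk(k+1)) == (caddr_t)-1 ) {
            fprintf ( stderr, "sbrk failed on ruleset %d, rule %d\n",
            ruleno/RULES_IN_SET, ruleno%RULES_IN_SET );
            continue;
        }
        bcopy ( hostname_buf, RULE(ruleno,host), k+1 );
        for ( start = j; buf[buf_sw][start] != '\t' && buf[buf_sw][start] != ' ';
        start++ );

        /* read audit_id */
        for ( j = start; buf[buf_sw][j] == '\t' || buf[buf_sw][j] == ' '; j++ );
        if ( buf[buf_sw][j] == '\n' ) {
            fprintf ( stderr, "bad rule at line #%d in %s\n", ruleno+1, rulesfile );
            continue;
        }
        if ( buf[buf_sw][j] == '*' )
            RULE(ruleno,auid) = -1;
        else {
            for ( k = 0; buf[buf_sw][j] != '\t' && buf[buf_sw][j] != ' ' &&
            buf[buf_sw][j] != '\n' && k < sizeof conv_buf-1; j++, k++ ) {
                if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
                conv_buf[k] = buf[buf_sw][j];
            }
            conv_buf[k] = '\0';
            RULE(ruleno,auid) = atoi(conv_buf);
        }
        for ( start = j; buf[buf_sw][start] != '\t' && buf[buf_sw][start] != ' ';
        start++ );

        /* read real uid */
        for ( j = start; buf[buf_sw][j] == '\t' || buf[buf_sw][j] == ' '; j++ );
        if ( buf[buf_sw][j] == '\n' ) {
            fprintf ( stderr, "bad rule at line #%d in %s\n", ruleno+1, rulesfile );
            continue;
        }
        if ( buf[buf_sw][j] == '*' )
            RULE(ruleno,ruid) = -1;
        else {
            for ( k = 0; buf[buf_sw][j] != '\t' && buf[buf_sw][j] != ' ' &&
            buf[buf_sw][j] != '\n' && k < sizeof conv_buf-1; j++, k++ ) {
                if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
                conv_buf[k] = buf[buf_sw][j];
            }
            conv_buf[k] = '\0';
            RULE(ruleno,ruid) = atoi(conv_buf);
        }
        for ( start = j; buf[buf_sw][start] != '\t' && buf[buf_sw][start] != ' ';
        start++ );

        /* read event */
        for ( j = start; buf[buf_sw][j] == '\t' || buf[buf_sw][j] == ' '; j++ );
        if ( buf[buf_sw][j] == '\n' ) {
            fprintf ( stderr, "bad rule at line #%d in %s\n", ruleno+1, rulesfile );
            continue;
        }
        if ( buf[buf_sw][j] == '"' ) {
            /* bound k: an unterminated or over-long quoted event must not overrun event_buf */
            for ( j++, k = 0; buf[buf_sw][j] != '"' && k < sizeof event_buf-1; j++, k++ ) {
                if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
                event_buf[k] = buf[buf_sw][j];
            }
        }
        else for ( k = 0; buf[buf_sw][j] != '\t' && buf[buf_sw][j] != ' ' &&
        buf[buf_sw][j] != '\n' && k < sizeof event_buf-1; j++, k++ ) {
            if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
            event_buf[k] = buf[buf_sw][j];
        }
        event_buf[k] = '\0';
        if ( (RULE(ruleno,event) = (caddr_t)sbrk(k+1)) == (caddr_t)-1 ) {
            fprintf ( stderr, "sbrk failed on ruleset %d, rule %d\n",
            ruleno/RULES_IN_SET, ruleno%RULES_IN_SET );
            continue;
        }
        bcopy ( event_buf, RULE(ruleno,event), k+1 );
        for ( start = j; buf[buf_sw][start] != '\t' && buf[buf_sw][start] != ' ';
        start++ );

        /* read param string */
        for ( j = start; buf[buf_sw][j] == '\t' || buf[buf_sw][j] == ' '; j++ );
        if ( buf[buf_sw][j] == '\n' ) {
            fprintf ( stderr, "bad rule at line #%d in %s\n", ruleno+1, rulesfile );
            continue;
        }
        for ( k = 0; buf[buf_sw][j] != '\t' && buf[buf_sw][j] != ' ' &&
        buf[buf_sw][j] != '\n' && k < sizeof param_buf-1; j++, k++ ) {
            if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
            param_buf[k] = buf[buf_sw][j];
        }
        param_buf[k] = '\0';
        if ( (RULE(ruleno,param) = (caddr_t)sbrk(k+1)) == (caddr_t)-1 ) {
            fprintf ( stderr, "sbrk failed on ruleset %d, rule %d\n",
            ruleno/RULES_IN_SET, ruleno%RULES_IN_SET );
            continue;
        }
        bcopy ( param_buf, RULE(ruleno,param), k+1 );
        /*
         * NOTE(review): this terminator scan stops only at '\t' or ' ', not at
         * '\n', so a rule with no oprtn field runs into the next line — confirm
         * whether the oprtn field is mandatory in the rules file format.
         */
        for ( start = j; buf[buf_sw][start] != '\t' && buf[buf_sw][start] != ' ';
        start++ );

        /* read operation: count 'r' (+1) and 'w' (+2), then shift down by one */
        for ( j = start; buf[buf_sw][j] == '\t' || buf[buf_sw][j] == ' '; j++ );
        RULE(ruleno,oprtn) = -1;
        if ( buf[buf_sw][j] != '\n' ) {
            RULE(ruleno,oprtn) = 0;
            for ( k = 0; buf[buf_sw][j] != '\t' && buf[buf_sw][j] != ' ' &&
            buf[buf_sw][j] != '\n'; j++, k++ ) {
                if ( j == sizeof buf[0] ) buf_sw ^= 1, j = 0;
                if ( buf[buf_sw][j] == 'r' ) RULE(ruleno,oprtn) += 1;
                if ( buf[buf_sw][j] == 'w' ) RULE(ruleno,oprtn) += 2;
            }
            for ( ; buf[buf_sw][j] != '\n'; j++ );
            start = j+1;
            RULE(ruleno,oprtn)--;
        }

        /* max # rules hit */
        if ( ++ruleno == RULES_IN_SET * NRULESETS ) {
            fprintf ( stderr, "Maximum # rules (%d) reached.\n", ruleno );
            break;
        }
    } while ( start < end );
    close(fd);

    /* display rulesets */
    if ( display ) fprintf ( stderr, "    hostname audit_id ruid event string oprtn(r/w)\n" );
    for ( i = 0; (i < ruleno) && display; i++ ) {
        fprintf ( stderr, "r%d: ", i );
        fprintf ( stderr, "%s ", RULE(i,host) );
        if ( RULE(i,auid) == -1 )
            fprintf ( stderr, "* " );
        else fprintf ( stderr, "%-6d ", RULE(i,auid) );
        if ( RULE(i,ruid) == -1 )
            fprintf ( stderr, "* " );
        else fprintf ( stderr, "%-6d ", RULE(i,ruid) );
        fprintf ( stderr, "%s ", RULE(i,event) );
        fprintf ( stderr, "%s ", RULE(i,param) );
        if ( RULE(i,oprtn) == -1 )
            fprintf ( stderr, "*\n" );
        else fprintf ( stderr, "%d\n", RULE(i,oprtn) );
    }
    fprintf ( stderr, "\n\n" );
    return ( ruleno );
}

/*
 * process change audit log directive.
 *
 * Closes the current log, recompresses the previous log if compress()
 * expanded it, writes a ".hdr" companion for the current log (sort flag,
 * two timestamps, next log name), creates the next log's ".hdr" with the
 * process-table dump from aud_mem_proc(4, ...), then switches *fd_p to the
 * next log (or -1 when the record says the data went to a remote host, or
 * when no readable file is found).
 *
 * fd_p:    in/out, descriptor of the open audit log.
 * logfile: in/out, current log name; overwritten with the next log name
 *          (truncated to MAXPATHLEN-5 so ".hdr"/".Z" still fit).
 * time_l:  seconds component of the record timestamp.
 * af:      the change-log audit record; charparam[1]/charlen[1] carry the
 *          next log name.
 * Returns 0 (value unused by callers).
 */
int
change_log ( fd_p, logfile, time_l, af )
int *fd_p;                  /* ptr to audit log descriptor      */
char *logfile;              /* current auditlog file            */
long time_l;                /* seconds component of timestamp   */
struct audit_fields *af;    /* audit record fields              */
{
    struct stat sbuf;
    char logfilehdr[MAXPATHLEN];
    int i, j;
    int ok;

    /* close fd; compress previously compressed files */
    close(*fd_p);
    compress ( 1, (char *)0 );

    /* dump sort status, timestamp and next logname into current logfile hdr */
    for ( i = 0; logfile[i]; i++ );
    if ( i > MAXPATHLEN-5 ) i = MAXPATHLEN-5;       /* keep room for ".hdr\0" in logfilehdr */
    bcopy ( logfile, logfilehdr, i );
    if ( i >= 2 && strncmp ( &logfilehdr[i-2], ".Z", 2 ) == 0 ) i -= 2;
    bcopy ( ".hdr\0", &logfilehdr[i], 5 );
    if ( (j = open ( logfilehdr, O_CREAT|O_WRONLY, 0600 )) != -1 ) {
        /* the header layout is fixed-size; a short write leaves it unusable, so say so */
        ok = write ( j, &sort_flag, sizeof(sort_flag) ) == (int)sizeof(sort_flag);
        ok = write ( j, &time_l, sizeof(time_l) ) == (int)sizeof(time_l) && ok;
        ok = write ( j, &af->timeval.tv_sec, sizeof(time_l) ) == (int)sizeof(time_l) && ok;
        ok = write ( j, af->charparam[1], af->charlen[1] ) == af->charlen[1] && ok;
        if ( !ok ) fprintf ( stderr, "** Audit log change: short write on %s **\n\n", logfilehdr );
        close(j);
    }
    sort_flag = 0;

    /* dump info in next log's logfile hdr */
    i = af->charlen[1] < MAXPATHLEN-5 ? af->charlen[1] : MAXPATHLEN-5;
    bcopy ( af->charparam[1], logfile, i );
    logfile[i] = '\0';
    bcopy ( af->charparam[1], logfilehdr, i );
    if ( i >= 2 && strncmp ( &logfilehdr[i-2], ".Z", 2 ) == 0 ) i -= 2;
    bcopy ( ".hdr\0", &logfilehdr[i], 5 );
    if ( (j = open ( logfilehdr, O_CREAT|O_WRONLY|O_EXCL, 0600 )) != -1 ) {
        /* skip the fixed header area written above; the dump follows it */
        lseek ( j, (sizeof time_l)*2+(sizeof sort_flag)+MAXPATHLEN, L_SET );
        aud_mem_proc ( 4, (struct a_proc *)0, 0, 0, j );
        close(j);
    }

    /* audit data transferred to another host */
    /* NOTE(review): assumes charparam[0] holds at least 24 bytes — confirm against charlen[0] */
    if ( strncmp ( &af->charparam[0][20], "host", 4 ) == 0 ) {
        fprintf ( stderr, "** Audit log change: data sent to remote host %s **\n\n", logfile );
        *fd_p = -1;
    }
    /* open new file; uncompress files ending in .Z */
    else if ( stat ( logfile, &sbuf ) == 0 ) {
        if ( (*fd_p = open ( logfile, 0 )) == -1 )
            fprintf ( stderr, "** Audit log change: failed to open %s **\n\n", logfile );
    }
    /* else try logfile.Z */
    else {
        bcopy ( ".Z\0", &logfile[i], 3 );
        fprintf ( stderr, "** Audit log change: trying %s **\n\n", logfile );
        if ( stat ( logfile, &sbuf ) == 0 ) {
            compress ( 0, logfile );
            if ( (*fd_p = open ( logfile, 0 )) == -1 )
                fprintf ( stderr, "** Audit log change: failed to open %s **\n\n", logfile );
        }
        else *fd_p = -1;
    }
    return 0;
}

/*
 * shell_safe_name: return 1 when s may be embedded in the command line that
 * compress() hands to system(), else 0.  Only [A-Za-z0-9./_-] is accepted and
 * a leading '-' is refused (it would be read as an option).  The name comes
 * out of the audit stream via change_log(), so it is not trusted input.
 */
static int
shell_safe_name ( s )
char *s;
{
    int i;
    char c;

    if ( s == (char *)0 || s[0] == '\0' || s[0] == '-' ) return 0;
    for ( i = 0; s[i]; i++ ) {
        c = s[i];
        if ( (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
             (c >= '0' && c <= '9') ||
             c == '.' || c == '/' || c == '_' || c == '-' )
            continue;
        return 0;
    }
    return 1;
}

/*
 * compress/uncompress filnam.
 *
 * op 0: if filnam ends in ".Z", run "uncompress filnam"; on success strip
 *       the ".Z" from filnam in place and remember the name so op 1 can
 *       recompress it.  Names with shell metacharacters are refused.
 * op 1: recompress the name remembered by the last successful op 0, if any
 *       (filnam is ignored and may be NULL).
 * Returns 0 (value unused by callers).
 */
int
compress ( op, filnam )
int op;         /* 1: compress; 0: uncompress */
char *filnam;   /* file to uncompress         */
{
    static char oldlog[MAXPATHLEN];
    static char cmd1[MAXPATHLEN+9] = "compress ";
    static char cmd2[MAXPATHLEN+11] = "uncompress ";
    static int uncompressed = 0;    /* 1 while oldlog is expanded and awaits op 1 */
    int i;

    switch ( op ) {
    case 0: /* uncompress filnam, if ending in .Z */
        for ( i = 0; filnam[i]; i++ );
        /* too short to end in ".Z", or too long for the MAXPATHLEN tail of cmd2 */
        if ( i < 2 || i >= MAXPATHLEN ) break;
        if ( (filnam[i-2] == '.') && (filnam[i-1] == 'Z') ) {
            if ( !shell_safe_name ( filnam ) ) {
                fprintf ( stderr, "refusing to uncompress %s: unsafe characters in name\n", filnam );
                break;
            }
            bcopy ( filnam, &cmd2[11], i+1 );
            if ( system ( cmd2 ) ) fprintf ( stderr, "failed on: %s\n", cmd2 );
            else {
                fprintf ( stderr, "** Uncompressed %s **\n\n", filnam );
                filnam[i-2] = '\0';
                bcopy ( filnam, oldlog, i-1 );
                uncompressed = 1;
            }
        }
        break;
    case 1: /* compress previously compressed filnam */
        if ( uncompressed == 1 ) {
            for ( i = 0; oldlog[i]; i++ );
            bcopy ( oldlog, &cmd1[9], i+1 );
            if ( system ( cmd1 ) ) fprintf ( stderr, "failed on: %s\n", cmd1 );
            else fprintf ( stderr, "** Compressed %s **\n\n", oldlog );
            uncompressed = 0;
        }
        break;
    default:
        break;
    }
    return 0;
}

/* check audit_fields against deselection rules; return match */
int deselect ( af, ruleno )
struct audit_fields *af;    /* audit fields struct */
int ruleno;                 /* # deselection rules */
{
    extern char *syscallnames[];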
