2 * Copyright (c) 2004-2009 Apple Inc.
3 * Copyright (c) 2006 Martin Voros
4 * Copyright (c) 2016 Robert N. M. Watson
7 * Portions of this software were developed by BAE Systems, the University of
8 * Cambridge Computer Laboratory, and Memorial University under DARPA/AFRL
9 * contract FA8650-15-C-7558 ("CADETS"), as part of the DARPA Transparent
10 * Computing (TC) research program.
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
15 * 1. Redistributions of source code must retain the above copyright
16 * notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 * notice, this list of conditions and the following disclaimer in the
19 * documentation and/or other materials provided with the distribution.
20 * 3. Neither the name of Apple Inc. ("Apple") nor the names of
21 * its contributors may be used to endorse or promote products derived
22 * from this software without specific prior written permission.
24 * THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND
25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27 * ARE DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR
28 * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
32 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
33 * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
34 * POSSIBILITY OF SUCH DAMAGE.
38 * Tool used to parse audit records conforming to the BSM structure.
42 * praudit [-lnpx] [-r | -s] [-d del] [file ...]
45 #include <config/config.h>
47 #include <bsm/libbsm.h>
50 #include <sys/capsicum.h>
63 extern int optind, optopt, opterr,optreset;
/*
 * Command-line state shared between main() and print_tokens().  As far as
 * this excerpt shows, these are written only during option parsing in
 * main() and read afterwards.
 */
65 static char *del = ","; /* Default field delimiter; the -d option supplies another (see usage). */
66 static int oneline = 0; /* Presumably set by -l; not referenced anywhere in the visible excerpt. */
67 static int partial = 0; /* Presumably set by -p; see the tail -f handling at the top of print_tokens(). */
68 static int oflags = AU_OFLAG_NONE; /* AU_OFLAG_* bits handed to au_print_flags_tok(); main() rejects -r together with -s. */
74 fprintf(stderr, "usage: praudit [-lnpx] [-r | -s] [-d del] "
80 * Token printing for each token type.
83 print_tokens(FILE *fp)
/*
 * Read audit records from fp and print every token of every record to
 * stdout, using the file-scope delimiter `del` and output flags `oflags`.
 * Only part of the body survives in this excerpt; the callers in main()
 * treat a return value of -1 as failure, so that is the error convention
 * assumed here.
 */
90 /* Allow tail -f | praudit to work. */
93 /* Record must begin with a header token. */
/*
 * NOTE(review): this resynchronisation loop exits only when the header
 * token byte is seen.  How `type` is read is not visible here; confirm the
 * behaviour at end-of-file (keep waiting for input vs. return) is the one
 * intended for the tail -f use case.
 */
96 } while(type != AUT_HEADER32);
/*
 * au_read_rec() produces one whole record in buf and returns its length,
 * or -1.  Tokens are walked only within that record (bytesread < reclen),
 * so parsing is bounded by what au_read_rec() returned, provided the
 * length argument to au_fetch_tok() (elided here) is the remaining
 * reclen - bytesread — verify.  Where buf is released is not visible in
 * this excerpt.
 */
100 while ((reclen = au_read_rec(fp, &buf)) != -1) {
102 while (bytesread < reclen) {
103 /* Is this an incomplete record? */
104 if (-1 == au_fetch_tok(&tok, buf + bytesread,
107 au_print_flags_tok(stdout, &tok, del, oflags);
108 bytesread += tok.len; /* NOTE(review): progress relies on au_fetch_tok() setting tok.len > 0 for every token it accepts; a zero-length token would stall this inner loop — confirm in libbsm. */
110 if (!(oflags & AU_OFLAG_XML)) /* Non-XML output presumably terminates the record here; the statement body is elided. */
124 main(int argc, char **argv)
128 #ifdef HAVE_CAP_ENTER
134 while ((ch = getopt(argc, argv, "d:lnprsx")) != -1) {
145 oflags |= AU_OFLAG_NORESOLVE;
153 if (oflags & AU_OFLAG_SHORT)
154 usage(); /* Exclusive from shortfrm. */
155 oflags |= AU_OFLAG_RAW;
159 if (oflags & AU_OFLAG_RAW)
160 usage(); /* Exclusive from raw. */
161 oflags |= AU_OFLAG_SHORT;
165 oflags |= AU_OFLAG_XML;
174 #ifdef HAVE_CAP_ENTER
176 * Prime group, password, and audit-event files to be opened before we
177 * enter capability mode.
180 (void)setgroupent(1);
186 if (oflags & AU_OFLAG_XML)
187 au_print_xml_header(stdout);
189 /* For each of the files passed as arguments dump the contents. */
190 if (optind == argc) {
191 #ifdef HAVE_CAP_ENTER
192 retval = cap_enter();
193 if (retval != 0 && errno != ENOSYS)
194 err(EXIT_FAILURE, "cap_enter");
199 for (i = optind; i < argc; i++) {
200 fp = fopen(argv[i], "r");
207 * If operating with sandboxing, create a sandbox process for
208 * each trail file we operate on. This avoids the need to do
209 * fancy things with file descriptors, etc, when iterating on
210 * a list of arguments.
212 #ifdef HAVE_CAP_ENTER
216 retval = cap_enter();
217 if (retval != 0 && errno != ENOSYS)
218 err(EXIT_FAILURE, "cap_enter");
219 if (print_tokens(fp) == -1)
224 /* Parent. Await child termination. */
225 while ((pid = waitpid(childpid, NULL, 0)) != childpid);
227 if (print_tokens(fp) == -1)
233 if (oflags & AU_OFLAG_XML)
234 au_print_xml_footer(stdout);