* Auparse using Buffer.......
@ 2008-01-18 14:42 kunal chandarana
2008-01-18 14:55 ` John Dennis
0 siblings, 1 reply; 2+ messages in thread
From: kunal chandarana @ 2008-01-18 14:42 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 6874 bytes --]
#include<stdio.h>
#include<unistd.h>
#include<auparse.h>
#include<stdlib.h>
#include "libaudit.h"
#include<unistd.h>
#include<fcntl.h>
#include<time.h>
int main(void)
{
char *data;
int i=0;
data="type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156 uid=0
auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023msg='op=PAM:accounting
acct=root exe=\"/usr/sbin/gdm-binary\" (hostname=?,
addr=?, terminal=:0 res=success)'\0";
auparse_state_t *au = auparse_init(AUSOURCE_BUFFER,data);
if (au == NULL)
{ printf("hi eroror \n");
exit(1);
}
//ADDING RULES
if (!ausearch_add_item(au, "a0", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "a1", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "a2", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "a3", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "a4", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "acct", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "addr", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "arch", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "audit_backlog_limit", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "audit_enabled", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "audit_failure", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "auid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "comm", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "cwd", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "dev", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "egid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "euid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "exe", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "exit", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "file", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "flags", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "format", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "fsgid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "fsuid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "gid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "hostname", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "id", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "inode", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "inode_gid", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "inode_uid", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "item", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "items", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "list", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "mode", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "msg", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "nargs", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "name", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "obj", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "ogid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "old", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "old_prom", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "op", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "ouid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "parent", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "path", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "perm", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "perm_mask", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "pid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "prom", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "qbytes", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "range", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "rdev", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "res", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "result", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "role", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "saddr", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "sauid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "scontext", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "seuser", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "sgid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "spid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "subj", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "success", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "suid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "syscall", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "tclass", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "tcontext", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "terminal", "!=", "NULL",
AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "tty", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "type", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "uid", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "user", "!=", "NULL", AUSEARCH_RULE_OR))
{}
if (!ausearch_add_item(au, "ver", "!=", "NULL", AUSEARCH_RULE_OR)) {}
if (!ausearch_add_item(au, "watch", "!=", "NULL", AUSEARCH_RULE_OR))
{}
auparse_next_event(au);
if (auparse_find_field(au, "auid")) {
printf("auid=%s\n", auparse_get_field_str(au));
}
if (auparse_find_field(au, "hostname")) {
printf("hostname=%s\n", auparse_get_field_str(au));
}
auparse_destroy(au);
return 0;
}
Same code tried with file pointer is working properly that is
auparse_init(AUSOURCE_FILE_POINTER, <<File Pointer>>).
But when tried with buffer is neither giving output nor error.
auparse_init(AUSOURCE_BUFFER, <<buffer address>>).
[-- Attachment #1.2: Type: text/html, Size: 13070 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: Auparse using Buffer.......
2008-01-18 14:42 Auparse using Buffer kunal chandarana
@ 2008-01-18 14:55 ` John Dennis
0 siblings, 0 replies; 2+ messages in thread
From: John Dennis @ 2008-01-18 14:55 UTC (permalink / raw)
To: kunal chandarana; +Cc: linux-audit
kunal chandarana wrote:
> data="type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156
uid=0 auid=4294967295 subj=system_u:system_r:xdm_t:s0-s0:c0.c1023
msg='op=PAM:accounting acct=root exe=\"/usr/sbin/gdm-binary\"
(hostname=?, addr=?, terminal=:0 res=success)'\0";
There is no EOR (End of Record) character in your data (e.g. newline),
therefore the record is not terminated and the input is incomplete.
The EOR is *not* implicit at EOB (End of Buffer) because buffers can be
concatenated fragments.
--
John Dennis <jdennis@redhat.com>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2008-01-18 14:55 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-01-18 14:42 Auparse using Buffer kunal chandarana
2008-01-18 14:55 ` John Dennis
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox