Date: Fri, 13 Jun 2008 14:11:28 GMT From: "Christian S.J. Peron" <csjp@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 143419 for review Message-ID: <200806131411.m5DEBS3B064851@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=143419 Change 143419 by csjp@ibm01 on 2008/06/13 14:10:46 - Change -m so users can select audit records based on one or more audit events. This is accomplished by using the -m option more then once. - Update the man page to reflect the new behavior - Update the HISTORY file informing users that this functionality has be added. Affected files ... .. //depot/projects/trustedbsd/openbsm/HISTORY#66 edit .. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#16 edit .. //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#23 edit Differences ... ==== //depot/projects/trustedbsd/openbsm/HISTORY#66 (text+ko) ==== @@ -1,3 +1,5 @@ +- Modify the -m option so users can select more then one audit event. + OpenBSM 1.1 alpha 1 - Add option to auditreduce(1) which allows users to invert sense of @@ -316,4 +318,4 @@ to support reloading of kernel event table. - Allow comments in /etc/security configuration files. -$P4: //depot/projects/trustedbsd/openbsm/HISTORY#65 $ +$P4: //depot/projects/trustedbsd/openbsm/HISTORY#66 $ ==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#16 (text+ko) ==== @@ -25,7 +25,7 @@ .\" IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#15 $ +.\" $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.1#16 $ .\" .Dd January 24, 2004 .Dt AUDITREDUCE 1 @@ -94,7 +94,8 @@ .It Fl j Ar id Select records having a subject token with matching ID. .It Fl m Ar event -Select records with the given event name or number. +Select records with the given event name or number. This option can +be used more then once to select records of multiple event types. See .Xr audit_event 5 for a description of audit event names and numbers. ==== //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#23 (text+ko) ==== 
@@ -26,7 +26,7 @@ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * - * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#22 $ + * $P4: //depot/projects/trustedbsd/openbsm/bin/auditreduce/auditreduce.c#23 $ */ /* @@ -72,7 +72,6 @@ static au_mask_t maskp; /* Class. */ static time_t p_atime; /* Created after this time. */ static time_t p_btime; /* Created before this time. */ -static uint16_t p_evtype; /* Event that we are searching for. */ static int p_auid; /* Audit id. */ static int p_euid; /* Effective user id. */ static int p_egid; /* Effective group id. */ @@ -81,6 +80,13 @@ static int p_subid; /* Subject id. */ /* + * Maintain a dynamically sized array of events for -m + */ +static uint16_t *p_evec; /* Event type list */ +static int p_evec_used; /* Number of events used */ +static int p_evec_alloc; /* Number of events allocated */ + +/* * Following are the objects (-o option) that we can select upon. */ static char *p_fileobj = NULL; @@ -346,6 +352,8 @@ static int select_hdr32(tokenstr_t tok, uint32_t *optchkd) { + uint16_t *ev; + int match; SETOPT((*optchkd), (OPT_A | OPT_a | OPT_b | OPT_c | OPT_m | OPT_v)); @@ -378,7 +386,11 @@ /* Check if event matches. */ if (ISOPTSET(opttochk, OPT_m)) { - if (tok.tt.hdr32.e_type != p_evtype) + match = 0; + for (ev = p_evec; ev < &p_evec[p_evec_used]; ev++) + if (tok.tt.hdr32.e_type == *ev) + match = 1; + if (match == 0) return (0); } @@ -615,6 +627,7 @@ int ch; char timestr[128]; char *fname; + uint16_t *etp; converr = NULL; 
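Review bot: In the `@@ -378,7 +386,11 @@` hunk, the event scan keeps walking the vector after it has found a match, and it nests an unbraced `if` inside an unbraced `for`, which is easy to break on a later edit. Bracing it and leaving on the first hit reads more clearly: `if (tok.tt.hdr32.e_type == *ev) { match = 1; break; }`. The bound `&p_evec[p_evec_used]` is only valid because OPT_m is set after the option parser has allocated the vector, so a short comment such as `/* p_evec is non-NULL whenever OPT_m is set. */` above the loop would record that invariant. The body of select_hdr32 continues outside the hunk.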
@@ -715,13 +728,26 @@ break; case 'm': - p_evtype = strtol(optarg, (char **)NULL, 10); - if (p_evtype == 0) { + if (p_evec == NULL) { + p_evec_alloc = 32; + p_evec = malloc(sizeof(*etp) * p_evec_alloc); + if (p_evec == NULL) + err(1, "malloc"); + } else if (p_evec_alloc == p_evec_used) { + p_evec_alloc <<= 1; + p_evec = realloc(p_evec, + sizeof(*p_evec) * p_evec_alloc); + if (p_evec == NULL) + err(1, "realloc"); + } + etp = &p_evec[p_evec_used++]; + *etp = strtol(optarg, (char **)NULL, 10); + if (*etp == 0) { /* Could be the string representation. */ n = getauevnonam(optarg); if (n == NULL) usage("Incorrect event name"); - p_evtype = *n; + *etp = *n; } SETOPT(opttochk, OPT_m); break;
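Review bot: The `*etp = strtol(optarg, (char **)NULL, 10);` line stores a `long` straight into a `uint16_t` slot with no end-pointer or range check. As a result `-m 65537` is silently truncated to event 1 and `-m 12abc` is accepted as event 12. For an audit-selection tool, that means a mistyped filter returns records for a different event instead of failing. Parsing into a `long` first (with `long ev; char *end;` declared next to `etp`) lets the numeric path reject trailing characters and out-of-range values, while the name lookup stays as the fallback. The slot is also claimed before validation and `realloc` overwrites `p_evec` directly; both are harmless only if `err()` and `usage()` exit, and the definition of `usage()` is not visible in this hunk. The enclosing switch starts and ends outside the hunk.

```c
		case 'm':
			/* … unchanged: allocate or grow p_evec … */
			etp = &p_evec[p_evec_used++];
			ev = strtol(optarg, &end, 10);
			if (end != optarg && *end == '\0' && ev != 0) {
				/* Fully numeric: must fit the 16-bit event type. */
				if (ev < 0 || ev > UINT16_MAX)
					usage("Incorrect event number");
				*etp = (uint16_t)ev;
			} else {
				/* Could be the string representation. */
				n = getauevnonam(optarg);
				if (n == NULL)
					usage("Incorrect event name");
				*etp = *n;
			}
```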