Auparse using Buffer.......

kunal chandarana chandarana.kunal at gmail.com
Fri Jan 18 14:42:22 UTC 2008 

#include<stdio.h>
#include<unistd.h>
#include<auparse.h>
#include<stdlib.h>
#include "libaudit.h"
#include<unistd.h>
#include<fcntl.h>
#include<time.h>
int main(void)
{


    char *data;
    int i=0;

    data="type=USER_ACCT msg=audit(1200638450.722:15): user pid=2156 uid=0
auid=4294967295
subj=system_u:system_r:xdm_t:s0-s0:c0.c1023msg='op=PAM:accounting
acct=root exe=\"/usr/sbin/gdm-binary\" (hostname=?,
addr=?, terminal=:0 res=success)'\0";


    auparse_state_t *au = auparse_init(AUSOURCE_BUFFER,data);
    if (au == NULL)
    {    printf("hi eroror \n");
        exit(1);
    }


    //ADDING RULES

    if (!ausearch_add_item(au, "a0", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "a1", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "a2", "!=", "NULL", AUSEARCH_RULE_OR))     {}
    if (!ausearch_add_item(au, "a3", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "a4", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "acct", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "addr", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "arch", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "audit_backlog_limit", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "audit_enabled", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "audit_failure", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "auid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "comm", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "cwd", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "dev", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "egid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "euid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "exe", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "exit", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "file", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "flags", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "format", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "fsgid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "fsuid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "gid", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "hostname", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "id", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "inode", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "inode_gid", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "inode_uid", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "item", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "items", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "list", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "mode", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "msg", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "nargs", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "name", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "obj", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "ogid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "old", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "old_prom", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "op", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "ouid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "parent", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "path", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "perm", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "perm_mask", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "pid", "!=", "NULL", AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "prom", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "qbytes", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "range", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "rdev", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "res", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "result", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "role", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "saddr", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "sauid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "scontext", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "seuser", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "sgid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "spid", "!=", "NULL", AUSEARCH_RULE_OR))
{}
    if (!ausearch_add_item(au, "subj", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "success", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "suid", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "syscall", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "tclass", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "tcontext", "!=", "NULL",
AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "terminal", "!=", "NULL",
AUSEARCH_RULE_OR))    {}

    if (!ausearch_add_item(au, "tty", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "type", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "uid", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "user", "!=", "NULL", AUSEARCH_RULE_OR))
{}

    if (!ausearch_add_item(au, "ver", "!=", "NULL", AUSEARCH_RULE_OR))    {}
    if (!ausearch_add_item(au, "watch", "!=", "NULL", AUSEARCH_RULE_OR))
{}


    auparse_next_event(au);


    if (auparse_find_field(au, "auid")) {
    printf("auid=%s\n", auparse_get_field_str(au));
    }
    if (auparse_find_field(au, "hostname")) {
    printf("hostname=%s\n", auparse_get_field_str(au));
    }


    auparse_destroy(au);
    return 0;
}


Same code tried with file pointer is working properly that is
auparse_init(AUSOURCE_FILE_POINTER, <<File Pointer>>).

But when tried with buffer is neither giving output nor error.
auparse_init(AUSOURCE_BUFFER, <<buffer address>>).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20080118/2484e90f/attachment.htm>

More information about the Linux-audit mailing list