/*
 * Static test corpus: audit records that all share the timestamp base
 * 1143146623 (a LOGIN, a SYSCALL and a USER_LOGIN record). It is the
 * AUSOURCE_BUFFER_ARRAY input for most tests below, and buf[1] on its own
 * is the AUSOURCE_BUFFER input of Test 3. The USER_LOGIN line carries a
 * quoted msg='...' payload with a nested exe="..." inside it, so the
 * field splitter's quote handling is exercised by this corpus.
 * NOTE(review): this listing omits the line between 13 and 15 and whatever
 * follows line 15, so the array's full contents are not visible here.
 */
11 static const char *buf[] = {
12 "type=LOGIN msg=audit(1143146623.787:142): login pid=2027 uid=0 old auid=4294967295 new auid=848\n"
13 "type=SYSCALL msg=audit(1143146623.875:143): arch=c000003e syscall=188 success=yes exit=0 a0=7fffffa9a9f0 a1=3958d11333 a2=5131f0 a3=20 items=1 pid=2027 auid=848 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty3 comm=\"login\" exe=\"/bin/login\" subj=system_u:system_r:local_login_t:s0-s0:c0.c255\n",
15 "type=USER_LOGIN msg=audit(1143146623.879:146): user pid=2027 uid=0 auid=848 msg=\'uid=848: exe=\"/bin/login\" (hostname=?, addr=?, terminal=tty3 res=success)\'\n",
/*
 * walk_test - print every event, record and field reachable from au.
 *
 * @au: parser state positioned at the first event; it is advanced to the
 *      end with auparse_next_event(), so it is consumed by this call.
 *
 * Three nested do/while loops (closed at lines 58, 61 and 63) walk the
 * fields of each record of each event. The matching `do {` lines, the
 * returns after the "Error getting first record" / "Error getting
 * timestamp" messages, and the updates of event_cnt/record_cnt are not
 * in this listing. No return value; output goes to stdout.
 */
21 static void walk_test(auparse_state_t *au)
23 int event_cnt = 1, record_cnt;
26 if (auparse_first_record(au) <= 0) {
27 printf("Error getting first record (%s)\n",
31 printf("event %d has %d records\n", event_cnt,
32 auparse_get_num_records(au));
35 printf(" record %d of type %d(%s) has %d fields\n",
38 audit_msg_type_to_name(auparse_get_type(au)),
39 auparse_get_num_fields(au));
// The filename (here) and host (below) are guarded against NULL before
// being passed to %s, but the field name/value/interpretation printed at
// lines 55-57 are not. If those accessors can return NULL on error the
// printf is undefined behaviour — confirm against the auparse API.
40 printf(" line=%d file=%s\n",
41 auparse_get_line_number(au),
42 auparse_get_filename(au) ?
43 auparse_get_filename(au) : "None");
44 const au_event_t *e = auparse_get_timestamp(au);
46 printf("Error getting timestamp - aborting\n");
// "%u.%u:%lu" expects the first argument (line 50, not shown) and milli
// to be unsigned and serial to be unsigned long — TODO confirm against
// the au_event_t definition, since a mismatch is undefined behaviour.
49 printf(" event time: %u.%u:%lu, host=%s\n",
51 e->milli, e->serial, e->host ? e->host : "?");
52 auparse_first_field(au);
54 printf(" %s=%s (%s)\n",
55 auparse_get_field_name(au),
56 auparse_get_field_str(au),
57 auparse_interpret_field(au));
58 } while (auparse_next_field(au) > 0);
61 } while(auparse_next_record(au) > 0);
63 } while (auparse_next_event(au) > 0);
/*
 * light_test - print every event and record reachable from au, without
 * descending into fields (the record-level subset of walk_test()).
 *
 * @au: parser state positioned at the first event; consumed by the walk.
 *
 * Two nested do/while loops (closed at lines 98 and 100); their `do {`
 * lines, the returns after the error messages, and the record counter
 * printed at line 78 are not in this listing. No return value.
 * NOTE(review): unlike walk_test() this helper is not `static` although
 * it is only used inside this file — consider making the two consistent.
 */
66 void light_test(auparse_state_t *au)
71 if (auparse_first_record(au) <= 0) {
72 puts("Error getting first record");
75 printf("event has %d records\n", auparse_get_num_records(au));
78 printf(" record %d of type %d(%s) has %d fields\n",
81 audit_msg_type_to_name(auparse_get_type(au)),
82 auparse_get_num_fields(au));
// Same NULL guard on the filename as in walk_test().
83 printf(" line=%d file=%s\n",
84 auparse_get_line_number(au),
85 auparse_get_filename(au) ?
86 auparse_get_filename(au) : "None");
87 const au_event_t *e = auparse_get_timestamp(au);
89 printf("Error getting timestamp - aborting\n");
// Format assumes unsigned/unsigned/unsigned long for the three numeric
// fields (lines 93-94 not shown) — TODO confirm against au_event_t.
92 printf(" event time: %u.%u:%lu, host=%s\n",
95 e->host ? e->host : "?");
98 } while(auparse_next_record(au) > 0);
100 } while (auparse_next_event(au) > 0);
/*
 * simple_search - search one source for auid == val and report the hit.
 *
 * @source: AUSOURCE_FILE reads ./test.log; any other value parses the
 *          static buf array.
 * @where:  handed to ausearch_set_stop() to choose whether the cursor
 *          stops on the matching field, record or event.
 *
 * `au` and `val` are declared in lines 104-107, which this listing omits,
 * as are the returns/cleanup after each error message. Each failure is
 * reported with strerror(errno); whether every ausearch_* call actually
 * sets errno is not visible here — confirm against the API.
 */
103 void simple_search(ausource_t source, austop_t where)
108 if (source == AUSOURCE_FILE) {
109 au = auparse_init(AUSOURCE_FILE, "./test.log");
112 au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
116 printf("auparse_init error - %s\n", strerror(errno));
119 if (ausearch_add_item(au, "auid", "=", val, AUSEARCH_RULE_CLEAR)){
120 printf("ausearch_add_item error - %s\n", strerror(errno));
123 if (ausearch_set_stop(au, where)){
124 printf("ausearch_set_stop error - %s\n", strerror(errno));
// A result of 0 means "no match" (see the Test 6 check in main(), which
// treats 0 as the expected not-found outcome), yet it is reported here as
// an error. regex_search() below separates error / not found / found;
// the same three-way check would make this report accurate.
127 if (ausearch_next_event(au) <= 0)
128 printf("Error searching for auid - %s\n", strerror(errno));
130 printf("Found %s = %s\n", auparse_get_field_name(au),
131 auparse_get_field_str(au));
/*
 * compound_search - build a multi-term search over ./test.log and report
 * the first matching field.
 *
 * @how: AUSEARCH_RULE_AND selects the uid=0 / pid=13015 / type=USER_START
 *       conjunction; any other value builds a list of three auid terms
 *       (42, 0, 500) joined by @how. In both branches the first term is
 *       added with AUSEARCH_RULE_CLEAR so earlier search state is dropped.
 *
 * Stops on the matching field. The `au` declaration (lines 136-138), the
 * else/closing braces and the returns after each error message are not in
 * this listing. No return value.
 */
135 void compound_search(ausearch_rule_t how)
139 au = auparse_init(AUSOURCE_FILE, "./test.log");
141 printf("auparse_init error - %s\n", strerror(errno));
144 if (how == AUSEARCH_RULE_AND) {
145 if (ausearch_add_item(au, "uid", "=", "0",
146 AUSEARCH_RULE_CLEAR)){
147 printf("ausearch_add_item 1 error - %s\n",
// Inside this branch `how` is known to be AUSEARCH_RULE_AND.
151 if (ausearch_add_item(au, "pid", "=", "13015", how)){
152 printf("ausearch_add_item 2 error - %s\n",
156 if (ausearch_add_item(au, "type", "=", "USER_START", how)){
157 printf("ausearch_add_item 3 error - %s\n",
162 if (ausearch_add_item(au, "auid", "=", "42",
163 AUSEARCH_RULE_CLEAR)){
164 printf("ausearch_add_item 4 error - %s\n",
168 // should stop on this one
169 if (ausearch_add_item(au, "auid", "=", "0", how)){
170 printf("ausearch_add_item 5 error - %s\n",
174 if (ausearch_add_item(au, "auid", "=", "500", how)){
175 printf("ausearch_add_item 6 error - %s\n",
180 if (ausearch_set_stop(au, AUSEARCH_STOP_FIELD)){
181 printf("ausearch_set_stop error - %s\n", strerror(errno));
// As in simple_search(), a 0 ("not found") result is reported as an
// error; regex_search() shows the three-way check that avoids this.
184 if (ausearch_next_event(au) <= 0)
185 printf("Error searching for auid - %s\n", strerror(errno));
187 printf("Found %s = %s\n", auparse_get_field_name(au),
188 auparse_get_field_str(au));
/*
 * regex_search - search the static buf array with a regular expression
 * and report error / not found / found separately.
 *
 * @expr: pattern passed unchanged to ausearch_add_regex(); the only
 *        callers in this file (Test 8 in main()) pass string literals.
 *
 * Stops on the matching record. The `au`/`rc` declarations (lines
 * 193-196), the `if (rc < 0)` / `else if` / `else` lines around 211-215
 * and the returns after error messages are not in this listing, so the
 * exact rc thresholds are inferred from the three messages, not seen.
 */
192 void regex_search(const char *expr)
197 au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
199 printf("auparse_init error - %s\n", strerror(errno));
202 if (ausearch_add_regex(au, expr)){
203 printf("ausearch_add_regex error - %s\n", strerror(errno));
206 if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)){
207 printf("ausearch_set_stop error - %s\n", strerror(errno));
// rc is kept so that failure, no match and a hit get distinct messages;
// the other two search helpers in this file collapse the first two.
210 rc = ausearch_next_event(au);
212 printf("Error searching for %s - %s\n", expr, strerror(errno));
214 printf("Not found\n");
216 printf("Found %s = %s\n", auparse_get_field_name(au),
217 auparse_get_field_str(au));
/*
 * auparse_callback - feed-mode callback that prints one complete event.
 *
 * Registered with auparse_add_callback() by Tests 9 and 10 in main(), which
 * pass a pointer to an int event counter as user_data (a stack int in
 * Test 9, a malloc'd int with free() as its destructor in Test 10).
 *
 * @au:            parser state positioned on the event that became ready.
 * @cb_event_type: only AUPARSE_CB_EVENT_READY is handled; other values
 *                 fall through and do nothing visible here.
 * @user_data:     int * event counter, printed at line 231 (its increment
 *                 is not in this listing).
 *
 * The record/field walk mirrors walk_test(); the `do {` lines, the return
 * after "can't get first record", and lines 245-247 following the
 * timestamp lookup are not shown. The event loop is driven by the caller,
 * so there is no outer auparse_next_event() loop here. No return value.
 */
221 static void auparse_callback(auparse_state_t *au, auparse_cb_event_t cb_event_type, void *user_data)
// The cast is redundant in C (void * converts implicitly); harmless.
223 int *event_cnt = (int *)user_data;
226 if (cb_event_type == AUPARSE_CB_EVENT_READY) {
227 if (auparse_first_record(au) <= 0) {
228 printf("can't get first record\n");
231 printf("event %d has %d records\n", *event_cnt,
232 auparse_get_num_records(au));
235 printf(" record %d of type %d(%s) has %d fields\n",
237 auparse_get_type(au),
238 audit_msg_type_to_name(auparse_get_type(au)),
239 auparse_get_num_fields(au));
240 printf(" line=%d file=%s\n",
241 auparse_get_line_number(au),
242 auparse_get_filename(au) ?
243 auparse_get_filename(au) : "None");
244 const au_event_t *e = auparse_get_timestamp(au);
// NOTE(review): walk_test() checks the timestamp for NULL before use;
// the lines between 244 and 248 are elided here, so confirm the same
// guard exists before e is dereferenced below.
248 printf(" event time: %u.%u:%lu, host=%s\n",
251 e->host ? e->host : "?");
252 auparse_first_field(au);
// As in walk_test(), the three %s arguments are not NULL-guarded.
254 printf(" %s=%s (%s)\n",
255 auparse_get_field_name(au),
256 auparse_get_field_str(au),
257 auparse_interpret_field(au));
258 } while (auparse_next_field(au) > 0);
261 } while(auparse_next_record(au) > 0);
268 //char *files[4] = { "test.log", "test2.log", "test3.log", NULL };
269 char *files[3] = { "test.log", "test2.log", NULL };
270 setlocale (LC_ALL, "");
273 au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
275 printf("Error - %s\n", strerror(errno));
279 printf("Starting Test 1, iterate...\n");
280 while (auparse_next_event(au) > 0) {
281 if (auparse_find_field(au, "auid")) {
282 printf("%s=%s\n", auparse_get_field_name(au),
283 auparse_get_field_str(au));
284 printf("interp auid=%s\n", auparse_interpret_field(au));
286 printf("Error iterating to auid\n");
289 while (auparse_next_event(au) > 0) {
290 if (auparse_find_field(au, "auid")) {
292 printf("%s=%s\n", auparse_get_field_name(au),
293 auparse_get_field_str(au));
294 printf("interp auid=%s\n", auparse_interpret_field(au));
295 } while (auparse_find_field_next(au));
297 printf("Error iterating to auid\n");
299 printf("Test 1 Done\n\n");
301 /* Reset, now lets go to beginning and walk the list manually */
302 printf("Starting Test 2, walk events, records, and fields...\n");
306 printf("Test 2 Done\n\n");
308 /* Reset, now lets go to beginning and walk the list manually */
309 printf("Starting Test 3, walk events, records of 1 buffer...\n");
310 au = auparse_init(AUSOURCE_BUFFER, buf[1]);
312 printf("Error - %s\n", strerror(errno));
317 printf("Test 3 Done\n\n");
319 printf("Starting Test 4, walk events, records of 1 file...\n");
320 au = auparse_init(AUSOURCE_FILE, "./test.log");
322 printf("Error - %s\n", strerror(errno));
327 printf("Test 4 Done\n\n");
329 printf("Starting Test 5, walk events, records of 2 files...\n");
330 au = auparse_init(AUSOURCE_FILE_ARRAY, files);
332 printf("Error - %s\n", strerror(errno));
337 printf("Test 5 Done\n\n");
339 printf("Starting Test 6, search...\n");
340 au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
342 printf("Error - %s\n", strerror(errno));
345 if (ausearch_add_item(au, "auid", "=", "500", AUSEARCH_RULE_CLEAR)){
346 printf("Error - %s", strerror(errno));
349 if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
350 printf("Error - %s", strerror(errno));
353 if (ausearch_next_event(au) != 0) {
354 printf("Error search found something it shouldn't have\n");
356 puts("auid = 500 not found...which is correct");
359 au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
360 if (ausearch_add_item(au,"auid", "exists", NULL, AUSEARCH_RULE_CLEAR)){
361 printf("Error - %s", strerror(errno));
364 if (ausearch_set_stop(au, AUSEARCH_STOP_EVENT)){
365 printf("Error - %s", strerror(errno));
368 if (ausearch_next_event(au) <= 0) {
369 printf("Error searching for existence of auid\n");
371 puts("auid exists...which is correct");
372 puts("Testing BUFFER_ARRAY, stop on field");
373 simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_FIELD);
374 puts("Testing BUFFER_ARRAY, stop on record");
375 simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_RECORD);
376 puts("Testing BUFFER_ARRAY, stop on event");
377 simple_search(AUSOURCE_BUFFER_ARRAY, AUSEARCH_STOP_EVENT);
378 puts("Testing test.log, stop on field");
379 simple_search(AUSOURCE_FILE, AUSEARCH_STOP_FIELD);
380 puts("Testing test.log, stop on record");
381 simple_search(AUSOURCE_FILE, AUSEARCH_STOP_RECORD);
382 puts("Testing test.log, stop on event");
383 simple_search(AUSOURCE_FILE, AUSEARCH_STOP_EVENT);
385 printf("Test 6 Done\n\n");
387 printf("Starting Test 7, compound search...\n");
388 au = auparse_init(AUSOURCE_BUFFER_ARRAY, buf);
390 printf("Error - %s\n", strerror(errno));
393 compound_search(AUSEARCH_RULE_AND);
394 compound_search(AUSEARCH_RULE_OR);
396 printf("Test 7 Done\n\n");
398 printf("Starting Test 8, regex search...\n");
399 puts("Doing regex match...");
400 regex_search("1143146623");
401 puts("Doing regex wildcard search...");
402 regex_search("11431466.*146");
403 printf("Test 8 Done\n\n");
405 /* Note: this should match Test 2 exactly */
406 printf("Starting Test 9, buffer feed...\n");
409 size_t len, chunk_len = 3;
410 const char **cur_buf, *p_beg, *p_end, *p_chunk_beg,
413 au = auparse_init(AUSOURCE_FEED, 0);
414 auparse_add_callback(au, auparse_callback, &event_cnt, NULL);
415 for (cur_buf = buf, p_beg = *cur_buf; *cur_buf;
416 cur_buf++, p_beg = *cur_buf) {
420 while (p_chunk_beg < p_end) {
421 p_chunk_end = p_chunk_beg + chunk_len;
422 if (p_chunk_end > p_end)
425 //fwrite(p_chunk_beg, 1,
426 // p_chunk_end-p_chunk_beg, stdout);
427 auparse_feed(au, p_chunk_beg,
428 p_chunk_end-p_chunk_beg);
429 p_chunk_beg = p_chunk_end;
433 auparse_flush_feed(au);
436 printf("Test 9 Done\n\n");
438 /* Note: this should match Test 4 exactly */
439 printf("Starting Test 10, file feed...\n");
441 int *event_cnt = malloc(sizeof(int));
443 char filename[] = "./test.log";
448 au = auparse_init(AUSOURCE_FEED, 0);
449 auparse_add_callback(au, auparse_callback, event_cnt, free);
450 if ((fp = fopen(filename, "r")) == NULL) {
451 fprintf(stderr, "could not open '%s', %s\n",
452 filename, strerror(errno));
455 while ((len = fread(buf, 1, sizeof(buf), fp))) {
456 auparse_feed(au, buf, len);
460 auparse_flush_feed(au);
463 printf("Test 10 Done\n\n");
465 puts("Finished non-admin tests\n");