1 /* aureport-options.c - parse commandline options and configure aureport
2 * Copyright 2005-08,2010-11,2014 Red Hat Inc., Durham, North Carolina.
3 * Copyright (c) 2011 IBM Corp.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
21 * Steve Grubb <sgrubb@redhat.com>
22 * Marcelo Henrique Cerri <mhcerri@br.ibm.com>
34 #include "aureport-options.h"
35 #include "ausearch-time.h"
/* Global vars that will be accessed by the main program */
/* Input file named with -if/--input (strdup'd in check_params);
 * NULL means no input file was requested on the command line. */
char *user_file = NULL;
/* These are for compatibility with parser */
/* Filter fields shared with the ausearch event parser. -1 is the "unset"
 * sentinel; for the unsigned uid_t/gid_t fields it converts to the type's
 * maximum value. event_loginuid and event_session_id use -2 instead; the
 * reason for the different marker is not visible in this file. */
unsigned int event_id = -1;
uid_t event_uid = -1, event_loginuid = -2, event_euid = -1;
gid_t event_gid = -1, event_egid = -1;
/* Lazily allocated by check_params on the first --node; NULL until then. */
slist *event_node_list = NULL;
/* String filters. check_params stores the non-NULL placeholder `dummy`
 * into these for reports that need the field (see below); NULL = unused. */
const char *event_key = NULL;
const char *event_filename = NULL;
const char *event_exe = NULL;
const char *event_comm = NULL;
const char *event_hostname = NULL;
const char *event_terminal = NULL;
const char *event_subject = NULL;
const char *event_object = NULL;
const char *event_uuid = NULL;
const char *event_vmname = NULL;
/* 0 is a legitimate exit value, so a separate flag records whether an
 * exit filter was supplied; nothing in this excerpt sets either one. */
long long event_exit = 0;
int event_exit_is_set = 0;
int event_ppid = -1, event_session_id = -2;
int event_debug = 0, event_machine = -1;
/* These are used by aureport */
/* Placeholder assigned to the event_* string filters by check_params
 * (e.g. event_hostname for --login). Presumably it tells the shared parser
 * to extract that field without matching a particular value — confirm
 * against the parser before relying on it. */
const char *dummy = "dummy";
/* Report selection; RPT_UNSET/D_UNSET mean "not chosen yet" and are
 * what set_report()/set_detail() test before accepting a value. */
report_type_t report_type = RPT_UNSET;
report_det_t report_detail = D_UNSET;
report_t report_format = RPT_DEFAULT;
/* Event outcome / config-action filters; the defaults include everything. */
failed_t event_failed = F_BOTH;
conf_act_t event_conf_act = C_NEITHER;
success_t event_success = S_SUCCESS;
/*
 * Option ids. Each row of optiontab maps a command-line spelling to one
 * of these; audit_lookup_option() returns it and check_params() switches
 * on it. The numeric values are never exposed to the user.
 */
enum { R_INFILE, R_TIME_END, R_TIME_START, R_VERSION, R_SUMMARY, R_LOG_TIMES,
	R_CONFIGS, R_LOGINS, R_USERS, R_TERMINALS, R_HOSTS, R_EXES, R_FILES,
	R_AVCS, R_SYSCALLS, R_PIDS, R_EVENTS, R_ACCT_MODS,
	R_INTERPRET, R_HELP, R_ANOMALY, R_RESPONSE, R_SUMMARY_DET, R_CRYPTO,
	R_MAC, R_FAILED, R_SUCCESS, R_ADD, R_DEL, R_AUTH, R_NODE, R_IN_LOGS,
	R_KEYS, R_TTY, R_NO_CONFIG, R_COMM, R_VIRT, R_INTEG };
/*
 * Command-line spellings accepted by aureport, mapped to option ids.
 * Lookup (audit_lookup_option) is an exact, case-sensitive strcmp, so
 * every alias — short or long — needs its own row. Only part of the
 * table is visible in this excerpt; several spellings listed in usage()
 * (e.g. -a/--avc, -au/--auth, -k/--key, -p/--pid, --tty, --virt) are
 * not shown here.
 */
static struct nv_pair optiontab[] = {
	{ R_CONFIGS, "--config" },
	{ R_CRYPTO, "--crypto" },
	{ R_DEL, "--delete" },
	{ R_EVENTS, "--event" },
	{ R_FILES, "--file" },
	{ R_FAILED, "--failed" },
	{ R_HOSTS, "--host" },
	{ R_HELP, "--help" },
	{ R_INTERPRET, "-i" },
	{ R_INTERPRET, "--interpret" },
	{ R_INFILE, "--input" },
	{ R_IN_LOGS, "--input-logs" },
	{ R_INTEG, "--integrity" },
	{ R_LOGINS, "--login" },
	{ R_ACCT_MODS, "-m" },
	{ R_ACCT_MODS, "--mods" },
	{ R_NODE, "--node" },
	{ R_NO_CONFIG, "-nc" },
	{ R_NO_CONFIG, "--no-config" },
	{ R_ANOMALY, "--anomaly" },
	{ R_RESPONSE, "-r" },
	{ R_RESPONSE, "--response" },
	{ R_SYSCALLS, "-s" },
	{ R_SYSCALLS, "--syscall" },
	{ R_SUCCESS, "--success" },
	{ R_SUMMARY_DET, "--summary" },
	{ R_LOG_TIMES, "-t" },
	{ R_LOG_TIMES, "--log" },
	{ R_TIME_END, "-te"},
	{ R_TIME_END, "--end"},
	/* "-tm" shares the -t prefix with -t/-te/-ts; the exact-match lookup
	 * keeps them distinct, but the spelling is awkward (see usage()). */
	{ R_TERMINALS, "-tm"}, // don't like this
	{ R_TERMINALS, "--terminal"}, // don't like this
	{ R_TIME_START, "-ts" },
	{ R_TIME_START, "--start" },
	{ R_USERS, "--user" },
	{ R_VERSION, "--version" },
	{ R_EXES, "--executable" },
/* Row count of optiontab. Safe only because optiontab is a real array in
 * this translation unit, not a pointer parameter. */
#define OPTION_NAMES (sizeof(optiontab)/sizeof(optiontab[0]))
/*
 * Map a command-line spelling to its option id.
 * Linear, exact (strcmp) scan of optiontab; returns the value of the first
 * matching row. The not-found return path is outside this excerpt —
 * check_params treats anything it does not switch on as an unsupported
 * option.
 */
static int audit_lookup_option(const char *name)
	for (i = 0; i < OPTION_NAMES; i++)
		if (!strcmp(optiontab[i].name, name))
			return optiontab[i].value;
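/*
 * Print the command-line help to stdout (one printf, one constant format
 * string). The capitalised letters in some descriptions (aNomaly,
 * TerMinal, eXecutable) are mnemonics for the short option spelling.
 */
static void usage(void)
{
	printf("usage: aureport [options]\n"
	"\t-a,--avc\t\t\tAvc report\n"
	"\t-au,--auth\t\t\tAuthentication report\n"
	"\t--comm\t\t\t\tCommands run report\n"
	"\t-c,--config\t\t\tConfig change report\n"
	"\t-cr,--crypto\t\t\tCrypto report\n"
	"\t-e,--event\t\t\tEvent report\n"
	"\t-f,--file\t\t\tFile name report\n"
	"\t--failed\t\t\tonly failed events in report\n"
	"\t-h,--host\t\t\tRemote Host name report\n"
	"\t--help\t\t\t\thelp\n"
	"\t-i,--interpret\t\t\tInterpretive mode\n"
	"\t-if,--input <Input File name>\tuse this file as input\n"
	"\t--input-logs\t\t\tUse the logs even if stdin is a pipe\n"
	"\t--integrity\t\t\tIntegrity event report\n"
	"\t-l,--login\t\t\tLogin report\n"
	"\t-k,--key\t\t\tKey report\n"
	"\t-m,--mods\t\t\tModification to accounts report\n"
	"\t-ma,--mac\t\t\tMandatory Access Control (MAC) report\n"
	"\t-n,--anomaly\t\t\taNomaly report\n"
	"\t-nc,--no-config\t\t\tDon't include config events\n"
	"\t--node <node name>\t\tOnly events from a specific node\n"
	"\t-p,--pid\t\t\tPid report\n"
	"\t-r,--response\t\t\tResponse to anomaly report\n"
	"\t-s,--syscall\t\t\tSyscall report\n"
	"\t--success\t\t\tonly success events in report\n"
	"\t--summary\t\t\tsorted totals for main object in report\n"
	"\t-t,--log\t\t\tLog time range report\n"
	"\t-te,--end [end date] [end time]\tending date & time for reports\n"
	"\t-tm,--terminal\t\t\tTerMinal name report\n"
	/* "data" -> "date": typo in the user-visible help text. */
	"\t-ts,--start [start date] [start time]\tstarting date & time for reports\n"
	"\t--tty\t\t\t\tReport about tty keystrokes\n"
	"\t-u,--user\t\t\tUser name report\n"
	"\t-v,--version\t\t\tVersion\n"
	"\t--virt\t\t\t\tVirtualization report\n"
	"\t-x,--executable\t\t\teXecutable name report\n"
	"\tIf no report is given, the summary report will be displayed\n"
	);
}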
/*
 * Record the requested report type. Only the first report option is
 * accepted; a second one is rejected with the error below (the else
 * branch is only partly visible here). check_params branches on a
 * non-zero return.
 */
static int set_report(report_type_t r)
	if (report_type == RPT_UNSET) {
		/* NOTE(review): no trailing '\n' on this stderr message. */
		fprintf(stderr, "Error - only one report can be specified");
/*
 * Record the report detail level. The first value set wins; a later
 * D_SUM request is handled by the else-if branch (body not in this
 * excerpt). Called after every successful set_report() in check_params.
 */
static int set_detail(report_det_t d)
	if (report_detail == D_UNSET) {
	} else if (d == D_SUM) {
230 * This function examines the commandline parameters and sets various
231 * search options. It returns a 0 on success and < 0 on failure
/*
 * Parse the aureport command line.
 *   count, vars : argc/argv as handed to main (vars[count] is NULL for a
 *                 real argv).
 * Walks the arguments, resolves each spelling through
 * audit_lookup_option(), and sets the file-scope report/filter globals.
 * Returns 0 on success, < 0 on failure; the exact failure paths are
 * outside this excerpt. Every message printed here uses a constant
 * format string, so user-supplied text only ever travels through "%s".
 */
int check_params(int count, char *vars[])
	while (c < count && retval == 0) {
		// Go ahead and point to the next argument
		/* NOTE(review): the "c+1 < count" guard that must precede this
		 * read is not visible in this excerpt. Without it, the last
		 * argument would read vars[count], which is NULL for main()'s
		 * argv — confirm the guard is present. A following token that
		 * does not start with '-' is treated as this option's value. */
		if (vars[c+1][0] != '-')
		/* Unknown spellings fall through to the "unsupported option"
		 * message at the end of the switch. */
		switch (audit_lookup_option(vars[c])) {
			/* Value-taking options error out when no value follows. */
			"Argument is required for %s\n",
			/* -if/--input: copy the path; allocation failure is
			 * checked (handling on the next, omitted lines). */
			user_file = strdup(optarg);
			if (user_file == NULL)
			/* Each report option: claim the report type (a second
			 * report is rejected by set_report), then mark the
			 * fields the parser must collect with `dummy`. */
			if (set_report(RPT_TIME))
			set_detail(D_DETAILED);
			if (set_report(RPT_AVC))
			set_detail(D_DETAILED);
			event_subject = dummy;
			event_object = dummy;
			if (set_report(RPT_AUTH))
			set_detail(D_DETAILED);
			event_hostname = dummy;
			event_terminal = dummy;
			if (set_report(RPT_MAC))
			set_detail(D_DETAILED);
			if (set_report(RPT_INTEG))
			set_detail(D_DETAILED);
			if (set_report(RPT_VIRT))
			set_detail(D_DETAILED);
			if (set_report(RPT_CONFIG))
			set_detail(D_DETAILED);
			if (set_report(RPT_CRYPTO))
			set_detail(D_DETAILED);
			if (set_report(RPT_LOGIN))
			set_detail(D_DETAILED);
			event_hostname = dummy;
			event_terminal = dummy;
			if (set_report(RPT_ACCT_MOD))
			set_detail(D_DETAILED);
			event_hostname = dummy;
			event_terminal = dummy;
			if (set_report(RPT_EVENT))
			set_detail(D_DETAILED);
			/* Dead code: remnants of a per-event-id filter
			 * (event_id is never set in this excerpt). */
			// set_detail(D_SPECIFIC);
			// if (isdigit(optarg[0])) {
			// event_id = strtoul(optarg,
			// "Illegal value for audit event ID");
			// "Audit event id must be a numeric value, was %s\n",
			if (set_report(RPT_FILE))
			set_detail(D_DETAILED);
			event_filename = dummy;
			if (set_report(RPT_HOST))
			set_detail(D_DETAILED);
			event_hostname = dummy;
			/* -i/--interpret takes no value; a following
			 * non-option token is an error. */
			report_format = RPT_INTERP;
			"Argument is NOT required for %s\n",
			if (set_report(RPT_PID))
			set_detail(D_DETAILED);
			if (set_report(RPT_SYSCALL))
			set_detail(D_DETAILED);
			if (set_report(RPT_TERM))
			set_detail(D_DETAILED);
			event_terminal = dummy;
			event_hostname = dummy;
			if (set_report(RPT_USER))
			set_detail(D_DETAILED);
			event_terminal = dummy;
			event_hostname = dummy;
			if (set_report(RPT_EXE))
			set_detail(D_DETAILED);
			event_terminal = dummy;
			event_hostname = dummy;
			if (set_report(RPT_COMM))
			set_detail(D_DETAILED);
			event_terminal = dummy;
			event_hostname = dummy;
			if (set_report(RPT_ANOMALY))
			set_detail(D_DETAILED);
			event_terminal = dummy;
			event_hostname = dummy;
			if (set_report(RPT_RESPONSE))
			set_detail(D_DETAILED);
			if (set_report(RPT_KEY))
			set_detail(D_DETAILED);
			if (set_report(RPT_TTY))
			set_detail(D_DETAILED);
			/* --tty: session id is forced to 1 rather than the -2
			 * "unset" marker; what the parser does with that is not
			 * visible here. */
			event_session_id = 1;
			event_terminal = dummy;
			/* -te/--end: look ahead for a second token. The lookahead
			 * is bounds-checked (c+2 < count) and NULL-checked before
			 * vars[c+2] is dereferenced. */
			if ( (c+2 < count) && vars[c+2] &&
				(vars[c+2][0] != '-') ) {
				/* Have both date and time - check order*/
				/* A ':' marks the time token; ausearch_time_end()
				 * takes the date first, so swap when the time came
				 * first on the command line. */
				if (strchr(optarg, ':')) {
					if (ausearch_time_end(vars[c+2],
					if (ausearch_time_end(optarg,
			// Check against recognized words
			/* Single token: a keyword (lookup_time in ausearch-time),
			 * a bare date (no ':'), or a bare time (date passed as
			 * NULL). */
			int t = lookup_time(optarg);
				if (ausearch_time_end(optarg,
			} else if ( (strchr(optarg, ':')) == NULL) {
				if (ausearch_time_end(optarg,
				if (ausearch_time_end(NULL,
			"%s requires either date and/or time\n",
			/* -ts/--start: same token handling as -te above. */
			if ( (c+2 < count) && vars[c+2] &&
				(vars[c+2][0] != '-') ) {
				/* Have both date and time - check order */
				if (strchr(optarg, ':')) {
					if (ausearch_time_start(
						vars[c+2], optarg) != 0)
					if (ausearch_time_start(optarg,
			// Check against recognized words
			int t = lookup_time(optarg);
				if (ausearch_time_start(optarg,
			} else if ( strchr(optarg, ':') == NULL) {
				if (ausearch_time_start(optarg,
				if (ausearch_time_start(NULL,
			"%s requires either date and/or time\n",
			/* --node: requires a value; the list is created on first
			 * use and malloc failure is checked. */
			"Argument is required for %s\n",
			if (!event_node_list) {
				event_node_list = malloc(sizeof (slist));
				if (!event_node_list) {
				slist_create(event_node_list);
			/* NOTE(review): a NULL check on this strdup() is not
			 * visible in this excerpt; confirm one exists before the
			 * append, otherwise a NULL str lands in the list. */
			sn.str = strdup(optarg);
			slist_append(event_node_list, &sn);
			/* Outcome and config-action filters (default: both). */
			event_failed = F_FAILED;
			event_failed = F_SUCCESS;
			event_conf_act = C_ADD;
			event_conf_act = C_DEL;
			/* VERSION is a build-time macro (presumably from the
			 * generated config header). */
			printf("aureport version %s\n", VERSION);
			/* Unrecognised spelling: the offending argument is only
			 * ever substituted via %s, never used as a format. */
			fprintf(stderr, "%s is an unsupported option\n",
	/* No report option given: fall back to the summary report, which
	 * needs file, host and terminal fields collected. */
	if (report_type == RPT_UNSET) {
		if (set_report(RPT_SUMMARY))
		event_filename = dummy;
		event_hostname = dummy;
		event_terminal = dummy;