* [PATCH] multiple nodes patch
@ 2009-06-05 21:52 LC Bruzenak
  2009-06-06 12:27 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: LC Bruzenak @ 2009-06-05 21:52 UTC (permalink / raw)
  To: Linux Audit

Steve,

This seems to work fine with multiple nodes allowed.

Signed-off-by: Lenny Bruzenak <lenny@magitekltd.com>

diff -up ./docs/aureport.8.orig ./docs/aureport.8
--- ./docs/aureport.8.orig	2009-06-05 16:15:58.000000000 -0500
+++ ./docs/aureport.8	2009-06-05 16:16:31.000000000 -0500
@@ -55,7 +55,7 @@ Report about account modifications
 Report about Mandatory Access Control (MAC) events
 .TP
 .BR \-\-node \ \fInode-name\fP
-Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes.
+Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes. Multiple nodes are allowed.
 .TP
 .BR \-p ,\  \-\-pid
 Report about processes
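Review bot: "Multiple nodes are allowed." in the \-\-node entry does not say how they are given; state that the option may be repeated, one node name per \-\-node, and that an event is selected when its node matches any of the names listed, so the reader does not guess at a comma-separated form like the one \-m uses.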
diff -up ./docs/ausearch.8.orig ./docs/ausearch.8
--- ./docs/ausearch.8.orig	2009-06-05 16:14:29.000000000 -0500
+++ ./docs/ausearch.8	2009-06-05 16:40:51.000000000 -0500
@@ -5,7 +5,7 @@ ausearch \- a tool to query audit daemon
 .B ausearch
 .RI [ options ]
 .SH DESCRIPTION
-\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given.
+\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given. An exception is the \fB\-n\fP option; multiple nodes are allowed in a search which will return any matching node.
 
 It should also be noted that each syscall excursion from user space into the kernel and back into user space has one event ID that is unique. Any auditable event that is triggered during this trip share this ID so that they may be correlated.
 
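Review bot: the added sentence "multiple nodes are allowed in a search which will return any matching node" is ambiguous about what is being returned; "the \fB\-n\fP option may be given more than once, and an event matches if it came from any of the listed nodes" says the same thing without suggesting that nodes rather than events are returned. Since this whole line is being rewritten anyway, the pre-existing "query the audit daemon logs based for events based on" reads as a typo and could be tidied in the same edit.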
@@ -64,7 +64,7 @@ Flush output on every line. Most useful 
 Search for an event matching the given \fImessage type\fP. You may also enter a \fIcomma separated list of message types\fP. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list.
 .TP
 .BR \-n ,\  \-\-node \ \fInode-name\fP
-Search for events originating from \fInode name\fP string.
+Search for events originating from \fInode name\fP string. Multiple nodes are allowed, and if any nodes match, the event is matched.
 .TP
 .BR \-o ,\  \-\-object \ \fISE-Linux-context-string\fP
 Search for event with \fItcontext\fP (object) matching the string.
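Review bot: the new text for \-n says "if any nodes match, the event is matched" but not how a match is decided; the code in ausearch-match.c compares with strmatch() while aureport-scan.c uses strcasecmp(), so it would help the user to say here whether the node name is compared exactly, as a substring, or case-insensitively, and to keep the two tools consistent with whatever is documented.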
diff -up ./src/aureport-options.c.orig ./src/aureport-options.c
--- ./src/aureport-options.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/aureport-options.c	2009-06-05 16:06:23.000000000 -0500
@@ -40,7 +40,9 @@ int force_logs = 0;
 
 /* These are for compatibility with parser */
 unsigned int event_id = -1;
-const char *event_node = NULL;
+int event_nodename_count=0;
+const char **event_node_array=NULL;
+
 const char *event_key = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
@@ -573,10 +575,20 @@ int check_params(int count, char *vars[]
 					vars[c]);
 				retval = -1;
 			} else {
-				event_node = strdup(optarg);
-				if (event_node == NULL)
-					retval = -1;
 				c++;
+				event_nodename_count++;
+
+				event_node_array = 
+				  realloc (event_node_array, sizeof (char *) * event_nodename_count);
+				if (event_node_array== NULL) {
+					retval = -1;
+					break;
+				}
+				event_node_array[event_nodename_count-1] = strdup(optarg);
+				if (event_node_array[event_nodename_count-1] == NULL) {
+					retval = -1;
+					break;
+				}
 			}
 			break;
 		case R_SUMMARY_DET:
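Review bot: `event_node_array = realloc (event_node_array, ...)` overwrites the only pointer to the existing array when realloc fails, so the node names already collected leak; assign the result to a temporary and store it only on success. `event_nodename_count++` also happens before the allocation succeeds, so on failure the count no longer agrees with the array (the scan code only copes because it tests `event_node_array` as well as the count). Keeping the NULL check on strdup, as the removed `event_node == NULL` test did, is good. Minor style: `realloc (` and `event_node_array== NULL` do not follow the spacing used in the surrounding code.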
diff -up ./src/aureport-scan.c.orig ./src/aureport-scan.c
--- ./src/aureport-scan.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/aureport-scan.c	2009-06-05 16:21:10.000000000 -0500
@@ -193,18 +193,24 @@ int classify_conf(const llist *l)
  */
 int scan(llist *l)
 {
+	int i, found=0;
+
 	// Are we within time range?
 	if (start_time == 0 || l->e.sec >= start_time) {
 		if (end_time == 0 || l->e.sec <= end_time) {
 			// OK - do the heavier checking
 			int rc = extract_search_items(l);
 			if (rc == 0) {
-                                if (event_node) {
-                                        if (l->e.node == NULL)
-                                                return 0;
-                                        if (strcasecmp(event_node, l->e.node))
-                                                return 0;
-                                }
+				if (event_nodename_count && event_node_array) {
+					if (l->e.node == NULL)
+						return 0;
+					for (i=0; i < event_nodename_count && !found; i++) {
+						if (!strcasecmp(event_node_array[i], l->e.node))
+						found++;
+				  	}
+				  	if (!found)
+				  		return 0;
+				}
 				if (classify_success(l) && classify_conf(l))
 					return 1;
 				return 0;
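Review bot: `found++;` is indented at the same level as the `if` that guards it, and the three lines that follow (`}`, `if (!found)`, `return 0;`) mix tabs and spaces, so the block reads as though `found++` were unconditional; braces around the single-statement `if` body or consistent tab indentation would make the intent obvious. The loop logic itself is fine. Note that this hunk keeps `strcasecmp`, so aureport matches node names case-insensitively while the ausearch hunk in this same patch goes through `strmatch()`; a comment saying the difference is deliberate, or making both use the same comparison, would save the next reader from wondering.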
diff -up ./src/ausearch-common.h.orig ./src/ausearch-common.h
--- ./src/ausearch-common.h.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-common.h	2009-06-05 16:03:23.000000000 -0500
@@ -31,7 +31,8 @@ extern gid_t event_gid, event_egid;
 extern pid_t event_pid;
 extern int event_exact_match;
 extern uid_t event_uid, event_euid, event_loginuid;
-extern const char *event_node;
+extern int event_nodename_count;
+extern const char **event_node_array;
 extern const char *event_comm;
 extern const char *event_filename;
 extern const char *event_hostname;
diff -up ./src/ausearch-match.c.orig ./src/ausearch-match.c
--- ./src/ausearch-match.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-match.c	2009-06-05 16:22:28.000000000 -0500
@@ -43,6 +43,7 @@ static int context_match(llist *l);
 #include <stdio.h>
 int match(llist *l)
 {
+	int i, found=0;
 	// Are we within time range?
 	if (start_time == 0 || l->e.sec >= start_time) {
 		if (end_time == 0 || l->e.sec <= end_time) {
@@ -53,12 +54,14 @@ int match(llist *l)
 				}
 
 				// perform additional tests for the field
-				if (event_node) {
+				if (event_nodename_count && event_node_array) {
 					if (l->e.node == NULL)
+				  		return 0;
+					for (i=0; i < event_nodename_count && !found; i++)
+				  		if (strmatch(event_node_array[i], l->e.node))
+				  			found++;
+					if (!found)
 						return 0;
-					if (strmatch(event_node, 
-						l->e.node) == 0)
-						return 0; 
 				}
 				if (user_match(l) == 0)
 					return 0;
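Review bot: the two-line `for` body (`if (strmatch(...))` / `found++;`) has no braces and is indented with a tab-and-space mix that differs from the rest of `match()`; brace it and use tabs only. Behaviour-wise the hunk correctly keeps `strmatch()` for the comparison, so `-n` retains the same match semantics as the other string fields in this file; the aureport counterpart uses `strcasecmp`, so the two tools will still disagree on case.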
diff -up ./src/ausearch-options.c.orig ./src/ausearch-options.c
--- ./src/ausearch-options.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-options.c	2009-06-05 16:05:18.000000000 -0500
@@ -53,7 +53,6 @@ int event_session_id = -1;
 int event_exit = 0, event_exit_is_set = 0;
 int line_buffered = 0;
 const char *event_key = NULL;
-const char *event_node = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
 const char *event_comm = NULL;
@@ -63,6 +62,9 @@ const char *event_subject = NULL;
 const char *event_object = NULL;
 report_t report_format = RPT_DEFAULT;
 
+int event_nodename_count=0;
+const char **event_node_array=NULL;
+
 struct nv_pair {
     int        value;
     const char *name;
@@ -591,10 +593,19 @@ int check_params(int count, char *vars[]
 					vars[c]);
 				retval = -1;
 			} else {
-				event_node = strdup(optarg);
-				if (event_node == NULL)
-					retval = -1;
 				c++;
+				event_nodename_count++;
+
+				event_node_array = realloc (event_node_array, sizeof (char *) * event_nodename_count);
+				if (event_node_array== NULL) {
+					retval = -1;
+					break;
+				}
+				event_node_array[event_nodename_count-1] = strdup(optarg);
+				if (event_node_array[event_nodename_count-1] == NULL) {
+					retval = -1;
+					break;
+				}
 			}
 			break;
 		case S_SYSCALL:
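Review bot: this `else` branch is a copy of the one added to aureport-options.c (`event_nodename_count++`, `realloc`, `strdup` and the same error handling), with the same realloc-on-failure leak, since the old pointer is replaced by NULL before anything can free it. Moving the "append one node name" step into a single helper shared by both option parsers would give one place to fix that and would avoid keeping two array implementations in sync.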

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

* Re: [PATCH] multiple nodes patch
  2009-06-05 21:52 [PATCH] multiple nodes patch LC Bruzenak
@ 2009-06-06 12:27 ` Steve Grubb
  2009-06-08 16:27   ` LC Bruzenak
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2009-06-06 12:27 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit

On Friday 05 June 2009 05:52:52 pm LC Bruzenak wrote:
> This seems to work fine with multiple nodes allowed.
>
> Signed-off-by: Lenny Bruzenak <lenny@magitekltd.com>

Lenny, thanks for the patch. Ideally, I would like to have seen this use the 
string linked list code that's already in ausearch so that we don't have 2 
implementations of the same thing. The API for it is in ausearch-string.h and 
it's already linked in.

-Steve

* Re: [PATCH] multiple nodes patch
  2009-06-06 12:27 ` Steve Grubb
@ 2009-06-08 16:27   ` LC Bruzenak
  2009-06-08 18:09     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: LC Bruzenak @ 2009-06-08 16:27 UTC (permalink / raw)
  To: Steve Grubb; +Cc: Linux Audit

On Sat, 2009-06-06 at 08:27 -0400, Steve Grubb wrote:
> On Friday 05 June 2009 05:52:52 pm LC Bruzenak wrote:
> > This seems to work fine with multiple nodes allowed.
> >
> > Signed-off-by: Lenny Bruzenak <lenny@magitekltd.com>
> 
> Lenny, thanks for the patch. Ideally, I would like to have seen this use the 
> string linked list code that's already in ausearch so that we don't have 2 
> implementations of the same thing. The API for it is in ausearch-string.h and 
> it's already linked in.
> 
> -Steve

OK, let's try this one.

Thanks,
LCB.

Signed-off-by: Lenny Bruzenak <lenny@magitekltd.com>

diff -up ./docs/aureport.8.orig ./docs/aureport.8
--- ./docs/aureport.8.orig	2009-06-05 16:15:58.000000000 -0500
+++ ./docs/aureport.8	2009-06-05 16:16:31.000000000 -0500
@@ -55,7 +55,7 @@ Report about account modifications
 Report about Mandatory Access Control (MAC) events
 .TP
 .BR \-\-node \ \fInode-name\fP
-Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes.
+Only select events originating from \fInode name\fP string for processing in the reports. The default is to include all nodes. Multiple nodes are allowed.
 .TP
 .BR \-p ,\  \-\-pid
 Report about processes
diff -up ./docs/ausearch.8.orig ./docs/ausearch.8
--- ./docs/ausearch.8.orig	2009-06-05 16:14:29.000000000 -0500
+++ ./docs/ausearch.8	2009-06-05 16:40:51.000000000 -0500
@@ -5,7 +5,7 @@ ausearch \- a tool to query audit daemon
 .B ausearch
 .RI [ options ]
 .SH DESCRIPTION
-\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given.
+\fBausearch\fP is a tool that can query the audit daemon logs based for events based on different search criteria. The ausearch utility can also take input from stdin as long as the input is the raw log data. Each commandline option given forms an "and" statement. For example, searching with \fB\-m\fP and \fB\-ui\fP means return events that have both the requested type and match the user id given. An exception is the \fB\-n\fP option; multiple nodes are allowed in a search which will return any matching node.
 
 It should also be noted that each syscall excursion from user space into the kernel and back into user space has one event ID that is unique. Any auditable event that is triggered during this trip share this ID so that they may be correlated.
 
@@ -64,7 +64,7 @@ Flush output on every line. Most useful 
 Search for an event matching the given \fImessage type\fP. You may also enter a \fIcomma separated list of message types\fP. There is an \fBALL\fP message type that doesn't exist in the actual logs. It allows you to get all messages in the system. The list of valid messages types is long. The program will display the list whenever no message type is passed with this parameter. The message type can be either text or numeric. If you enter a list, there can be only commas and no spaces separating the list.
 .TP
 .BR \-n ,\  \-\-node \ \fInode-name\fP
-Search for events originating from \fInode name\fP string.
+Search for events originating from \fInode name\fP string. Multiple nodes are allowed, and if any nodes match, the event is matched.
 .TP
 .BR \-o ,\  \-\-object \ \fISE-Linux-context-string\fP
 Search for event with \fItcontext\fP (object) matching the string.
diff -up ./src/aureport-options.c.orig ./src/aureport-options.c
--- ./src/aureport-options.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/aureport-options.c	2009-06-08 11:06:50.000000000 -0500
@@ -40,7 +40,7 @@ int force_logs = 0;
 
 /* These are for compatibility with parser */
 unsigned int event_id = -1;
-const char *event_node = NULL;
+const slist *event_node_list = NULL;
 const char *event_key = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
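Review bot: `const slist *event_node_list` declares the list as pointer-to-const, yet the parser below calls `slist_create(event_node_list)` and `slist_append(event_node_list, &sn)` on it, which presumably take a non-const `slist *` since they build the list, and aureport-scan.c copies it into a plain `slist *sptr`; each of those discards the qualifier. Drop the `const` here, in ausearch-options.c and in the matching declaration in ausearch-common.h so the type reflects how the list is actually used and the compiler stops warning.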
@@ -573,10 +573,22 @@ int check_params(int count, char *vars[]
 					vars[c]);
 				retval = -1;
 			} else {
-				event_node = strdup(optarg);
-				if (event_node == NULL)
-					retval = -1;
+				snode sn;
 				c++;
+
+				if (!event_node_list) {
+					event_node_list = malloc(sizeof (slist));
+					if (!event_node_list) {
+						retval = -1;
+						break;
+					}
+					slist_create(event_node_list);
+				}
+				
+				sn.str = strdup(optarg);
+				sn.key = NULL;
+				sn.hits=0;
+				slist_append(event_node_list, &sn);
 			}
 			break;
 		case R_SUMMARY_DET:
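Review bot: `sn.str = strdup(optarg);` is passed to `slist_append` without a NULL check, whereas the removed code set `retval = -1` when strdup failed; keep that check, because a NULL `str` is later skipped by the `sn->str &&` test in the scan loop, so a failed allocation would quietly become a missing node filter instead of an error. The `malloc(sizeof (slist))` for the list head is never freed, which is acceptable for a one-shot command but deserves a comment. Minor: `sn.hits=0;` spacing and the trailing whitespace on the blank line after the closing `}` differ from the surrounding style.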
diff -up ./src/aureport-scan.c.orig ./src/aureport-scan.c
--- ./src/aureport-scan.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/aureport-scan.c	2009-06-08 11:16:07.000000000 -0500
@@ -199,12 +199,26 @@ int scan(llist *l)
 			// OK - do the heavier checking
 			int rc = extract_search_items(l);
 			if (rc == 0) {
-                                if (event_node) {
-                                        if (l->e.node == NULL)
-                                                return 0;
-                                        if (strcasecmp(event_node, l->e.node))
-                                                return 0;
-                                }
+				if (event_node_list) {
+					const snode *sn;
+					int found=0;
+					slist *sptr = event_node_list;
+
+					if (l->e.node == NULL)
+						return 0;
+
+					slist_first(sptr);
+					sn=slist_get_cur(sptr);
+					while (sn && !found) {
+						if (sn->str && (!strcmp(sn->str, l->e.node)))
+							found++;
+						else
+							sn=slist_next(sptr);
+					}
+					
+				  	if (!found)
+				  		return 0;
+				}
 				if (classify_success(l) && classify_conf(l))
 					return 1;
 				return 0;
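Review bot: the comparison changes from `strcasecmp(event_node, l->e.node)` in the removed lines to `strcmp(sn->str, l->e.node)` in the new loop, so `--node` in aureport becomes case-sensitive; that is a behaviour change the patch description does not mention and should either be reverted to `strcasecmp` or stated in aureport.8. The loop itself is correct (it advances only when the current entry does not match and stops on the first hit), but `slist *sptr = event_node_list;` discards the `const` from the global's declaration, which is another reason to make the global non-const. The tab/space mix on the `if (!found)` / `return 0;` lines should match the rest of the function.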
diff -up ./src/ausearch-common.h.orig ./src/ausearch-common.h
--- ./src/ausearch-common.h.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-common.h	2009-06-08 11:12:09.000000000 -0500
@@ -24,6 +24,8 @@
 #ifndef AUREPORT_COMMON_H
 #define AUREPORT_COMMON_H
 
+#include "ausearch-string.h"
+
 /* Global variables that describe what search is to be performed */
 extern time_t start_time, end_time;
 extern unsigned int event_id;
@@ -31,7 +33,7 @@ extern gid_t event_gid, event_egid;
 extern pid_t event_pid;
 extern int event_exact_match;
 extern uid_t event_uid, event_euid, event_loginuid;
-extern const char *event_node;
+const slist *event_node_list;
 extern const char *event_comm;
 extern const char *event_filename;
 extern const char *event_hostname;
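Review bot: `const slist *event_node_list;` is missing `extern`, unlike every other declaration in this header, so every translation unit that includes ausearch-common.h gets its own tentative definition of the variable; depending on how the toolchain treats common symbols this either silently merges with the definitions in aureport-options.c and ausearch-options.c or fails at link time with a multiple-definition error. It should read `extern slist *event_node_list;`, without `const` as well, since the list is modified through this pointer.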
diff -up ./src/ausearch-match.c.orig ./src/ausearch-match.c
--- ./src/ausearch-match.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-match.c	2009-06-08 11:23:11.000000000 -0500
@@ -53,12 +53,24 @@ int match(llist *l)
 				}
 
 				// perform additional tests for the field
-				if (event_node) {
+				if (event_node_list) {
+					const snode *sn;
+					int found=0;
+					slist *sptr = event_node_list;
+
 					if (l->e.node == NULL)
+				  		return 0;
+
+					slist_first(sptr);
+					sn=slist_get_cur(sptr);
+					while (sn && !found) {
+						if (sn->str &&  (!strcmp(sn->str, l->e.node)))
+							found++;
+						else
+							sn=slist_next(sptr);
+					}
+					if (!found)
 						return 0;
-					if (strmatch(event_node, 
-						l->e.node) == 0)
-						return 0; 
 				}
 				if (user_match(l) == 0)
 					return 0;
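Review bot: the removed lines compared with `strmatch(event_node, l->e.node)` but the new loop uses `strcmp(sn->str, l->e.node)`, so `-n` no longer goes through the helper that the other string fields in this file use; if `strmatch()` implements the tool's exact-versus-substring matching, node matching now silently behaves differently from the other options. Either call `strmatch(sn->str, l->e.node)` inside the loop or document the intended semantics in ausearch.8. Also tidy the double space in `sn->str &&  (` and the space-indented `return 0;` after `if (l->e.node == NULL)`.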
diff -up ./src/ausearch-options.c.orig ./src/ausearch-options.c
--- ./src/ausearch-options.c.orig	2009-02-24 15:11:36.000000000 -0600
+++ ./src/ausearch-options.c	2009-06-08 11:08:20.000000000 -0500
@@ -53,7 +53,6 @@ int event_session_id = -1;
 int event_exit = 0, event_exit_is_set = 0;
 int line_buffered = 0;
 const char *event_key = NULL;
-const char *event_node = NULL;
 const char *event_filename = NULL;
 const char *event_exe = NULL;
 const char *event_comm = NULL;
@@ -63,6 +62,8 @@ const char *event_subject = NULL;
 const char *event_object = NULL;
 report_t report_format = RPT_DEFAULT;
 
+const slist *event_node_list = NULL;
+
 struct nv_pair {
     int        value;
     const char *name;
@@ -591,10 +592,22 @@ int check_params(int count, char *vars[]
 					vars[c]);
 				retval = -1;
 			} else {
-				event_node = strdup(optarg);
-				if (event_node == NULL)
-					retval = -1;
+				snode sn;
 				c++;
+
+				if (!event_node_list) {
+					event_node_list = malloc(sizeof (slist));
+					if (!event_node_list) {
+						retval = -1;
+						break;
+					}
+					slist_create(event_node_list);
+				}
+				
+				sn.str = strdup(optarg);
+				sn.key = NULL;
+				sn.hits=0;
+				slist_append(event_node_list, &sn);
 			}
 			break;
 		case S_SYSCALL:
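Review bot: this `else` branch is identical to the one added to aureport-options.c (lazy `malloc` of the `slist`, `slist_create`, unchecked `strdup`, `slist_append`); now that the list type is shared through ausearch-common.h, a small helper in one common file (for example an `add_node_name(const char *)` taking the option value) would remove the duplication that the first version of the patch was asked to avoid, and give a single place for the strdup NULL check.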

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com

* Re: [PATCH] multiple nodes patch
  2009-06-08 16:27   ` LC Bruzenak
@ 2009-06-08 18:09     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2009-06-08 18:09 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: Linux Audit

On Monday 08 June 2009 12:27:16 pm LC Bruzenak wrote:
> On Sat, 2009-06-06 at 08:27 -0400, Steve Grubb wrote:
> > On Friday 05 June 2009 05:52:52 pm LC Bruzenak wrote:
> > > This seems to work fine with multiple nodes allowed.
> > >
> > > Signed-off-by: Lenny Bruzenak <lenny@magitekltd.com>
> >
> > Lenny, thanks for the patch. Ideally, I would like to have seen this use
> > the string linked list code that's already in ausearch so that we don't
> > have 2 implementations of the same thing. The API for it is in
> > ausearch-string.h and it's already linked in.
> >
> > -Steve
>
> OK, let's try this one.
>
> Thanks,
> LCB.
>
> Signed-off-by: Lenny Bruzenak <lenny@magitekltd.com>

Thanks for the rework. I'll add it to the next release.

-Steve
