usr/src/cmd/auditreduce/proc.c

root/usr/src/cmd/auditreduce/proc.c
/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

/*
 * Main processor for auditreduce.
 * Mproc() is the entry point for this module. It is the only visible
 * function in this module.
 */

#include <sys/types.h>
#include <locale.h>
#include <bsm/libbsm.h>
#include <bsm/audit.h>
#include "auditr.h"

extern int      write_header();
extern int      token_processing();

static void     asort();
static audit_pcb_t *aget();
static int      get_file();
static int      write_recs();
static int      get_recs();
static int      check_rec();
static void     check_order();
static int      check_header();
static int      get_record();

static char     empty_file_token[] = {
#ifdef _LP64
                AUT_OTHER_FILE64, /* token id */
                0, 0, 0, 0, 0, 0, 0, 0, /* seconds of time */
                0, 0, 0, 0, 0, 0, 0, 0, /* microseconds of time */
#else
                AUT_OTHER_FILE32, /* token id */
                0, 0, 0, 0, /* seconds of time */
                0, 0, 0, 0, /* microseconds of time */
#endif
                0, 0, /* length of path name */
};


/*
 * .func        mproc - main processor.
 * .desc        Mproc controls a single process's actions.
 *      First one record is retreived from each pcb. As they are retreived
 *      they are placed into a linked list sorted with oldest first. Then
 *      the first one from the list is written out and another record
 *      read in to replace it. The new record is placed into the list.
 *      This continues until the list is empty.
 * .call        ret = mproc(pcbr).
 * .arg pcbr    - ptr to pcb for this process.
 * .ret 0       - no errors in processing.
 * .ret -1      - errors in processing (message already printed).
 */
int
mproc(pcbr)
register audit_pcb_t *pcbr;
{
        int     i, ret, junk;
        int     nrecs = 0;              /* number of records read from stream */
        int     nprecs = 0;             /* number of records put to stream */
        register audit_pcb_t *pcb;
        audit_pcb_t *aget();
        void    asort();

#if AUDIT_PROC_TRACE
        (void) fprintf(stderr, "mproc: count %d lo %d hi %d\n",
            pcbr->pcb_count, pcbr->pcb_lo, pcbr->pcb_hi);
#endif

        /*
         * First load up a record from each input group.
         */
        for (i = pcbr->pcb_lo; i <= pcbr->pcb_hi; i++) {
                pcb = &(pcbr->pcb_below[i]); /* get next PCB */
                while (pcb->pcb_time < 0) { /* while no active record ... */
                        if ((ret = get_file(pcb)) == -1)
                                break;          /*  no files - finished PCB */
                        if (ret == -2)
                                return (-1);    /* quit processing - failed */
                        if (get_recs(pcb, &nrecs) == 0)
                                asort(pcb);     /* got a rec - put in list */
                }
        }
        /*
         * Now process all of the records.
         */
        while ((pcb = aget()) != NULL) {        /* get oldest record */
                if (write_recs(pcbr, pcb, &nprecs))
                        return (-1);
                while (pcb->pcb_time < 0) {     /* while we don't have a rec */
                        if (pcb->pcb_fpr == NULL) {     /* no active file ... */
                                if ((ret = get_file(pcb)) == -1)
                                        break;  /* no files - finished pcb */
                                else if (ret == -2)
                                        return (-1);    /* quit - failed */
                        }
                        if (get_recs(pcb, &nrecs) == 0)
                                asort(pcb);             /* put record in list */
                }
        }
        /*
         * For root: write outfile header if no records were encountered.
         * For non-root: write trailer to pipe and close pipe.
         */
        if (pcbr->pcb_flags & PF_ROOT) {
                if (nprecs == 0) {
                        if (write_header())     /* write header if no records */
                                return (-1);
                }
        } else {
                pcb = &(pcbr->pcb_below[0]);    /* any old PCB will do */
                pcb->pcb_rec = empty_file_token;
                if (write_recs(pcbr, pcb, &junk))
                        return (-1);
                if (fclose(pcbr->pcb_fpw) == EOF) {
                        if (!f_quiet)
                                (void) fprintf(stderr,
                                    gettext("%s couldn't close pipe.\n"), ar);
                }
        }
        /*
         * For root process tell how many records were written.
         */
        if (f_verbose && (pcbr->pcb_flags & PF_ROOT)) {
                (void) fprintf(stderr,
                    gettext("%s %d record(s) total were written out.\n"),
                        ar, nprecs);
        }
        return (0);
}


/*
 * Head of linked-list of pcbs - sorted by time - oldest first.
 */
static audit_pcb_t              *pcbls = NULL;

/*
 * .func        asort - audit sort.
 * .desc        Place a pcb in the list sorted by time - oldest first.
 * .call        asort(pcb);
 * .arg pcb     - ptr to pcb to install in list.
 * .ret void.
 */
static void
asort(pcb)
register audit_pcb_t *pcb;
{
        register audit_pcb_t *pcbc, *pcbp;
        extern audit_pcb_t *pcbls;      /* ptr to start of list */

        pcb->pcb_next = NULL;
        if (pcbls == NULL) {
                pcbls = pcb;            /* empty list */
                return;
        }
        pcbc = pcbls;                   /* current pcb */
        pcbp = pcbls;                   /* previous pcb */
        while (pcbc != NULL) {
                if (pcb->pcb_time < pcbc->pcb_time) {
                        if (pcbp == pcbc) {
                                pcb->pcb_next = pcbls;  /* new -> 1st in list */
                                pcbls = pcb;
                                return;
                        }
                        pcbp->pcb_next = pcb;
                        pcb->pcb_next = pcbc;           /* new in the inside */
                        return;
                }
                pcbp = pcbc;
                pcbc = pcbc->pcb_next;
        }
        pcbp->pcb_next = pcb;                           /* new -> last */
}


/*
 * .func        aget - audit get.
 * .desc        Get the first pcb from the list. Pcb is removed from list, too.
 * .call        pcb = aget().
 * .arg none.
 * .ret pcb     - ptr to pcb that was the first.
 */
static audit_pcb_t *
aget()
{
        audit_pcb_t *pcbret;
        extern audit_pcb_t *pcbls;      /* ptr to start of list */

        if (pcbls == NULL)
                return (pcbls);         /* empty list */
        pcbret = pcbls;
        pcbls = pcbls->pcb_next;        /* 2nd becomes 1st */
        return (pcbret);
}


/*
 * .func        get_file - get a new file.
 * .desc        Get the next file from the pcb's list. Check the header to see
 *      if the file really is an audit file. If there are no more then
 *      quit. If a file open (fopen) fails because the system file table
 *      is full or the process file table is full then quit processing
 *      altogether.
 * .call        ret = get_file(pcb).
 * .arg pcb     - pcb holding the fcb's (files).
 * .ret 0       - new file opened for processing.
 * .ret -1      - no more files - pcb finished.
 * .ret -2      - fatal error - quit processing.
 */
static int
get_file(pcb)
register audit_pcb_t *pcb;
{
        FILE *fp;
        audit_fcb_t *fcb;

        /*
         * Process file list until a good one if found or empty.
         */
        while (pcb->pcb_fpr == NULL) {
                if ((fcb = pcb->pcb_first) == NULL) {
                        pcb->pcb_time = -1;
                        return (-1);    /* pcb is all done */
                } else {
                /*
                 * If we are reading from files then open the next one.
                 */
                        if (!f_stdin) {
                                if ((fp = fopen(fcb->fcb_file, "r")) == NULL) {
                                        if (!f_quiet) {
                                                (void) sprintf(errbuf, gettext(
                                                "%s couldn't open:\n  %s"),
                                                ar, fcb->fcb_file);
                                                perror(errbuf);
                                        }
                                        /*
                                         * See if file space is depleted.
                                         * If it is then we quit.
                                         */
                                        if (errno == ENFILE || errno == EMFILE)
                                        {
                                                return (-2);
                                        }
                                        pcb->pcb_first = fcb->fcb_next;
                                        continue;       /* try another file */
                                }
                        } else {
                                /*
                                 * Read from standard input.
                                 */
                                fp = stdin;
                        }
                        /*
                         * Check header of audit file.
                         */
                        if (check_header(fp, fcb->fcb_name)) {
                                if (!f_quiet) {
                                        (void) fprintf(stderr,
                                            "%s %s:\n  %s.\n",
                                            ar, error_str, fcb->fcb_file);
                                }
                                if (fclose(fp) == EOF) {
                                        if (!f_quiet) {
                                                (void) fprintf(stderr, gettext(
                                                "%s couldn't close %s.\n"),
                                                ar, fcb->fcb_file);
                                        }
                                }
                                pcb->pcb_first = fcb->fcb_next;
                                continue;               /* try another file */
                        }
                        /*
                         * Found a good audit file.
                         * Initalize pcb for processing.
                         */
                        pcb->pcb_first = fcb->fcb_next;
                        pcb->pcb_cur = fcb;
                        pcb->pcb_fpr = fp;
                        pcb->pcb_nrecs = 0;
                        pcb->pcb_nprecs = 0;
                        pcb->pcb_otime = -1;
                }
        }
        return (0);
}


/*
 * .func        write_recs - write records.
 * .desc        Write record from a buffer to output stream. Keep an eye out
 *      for the first and last records of the root's output stream.
 * .call        ret = write_recs(pcbr, pcb, nprecs).
 * .arg pcbr    - ptr to node pcb.
 * .arg pcb             - ptr to pcb holding the stream.
 * .arg nprecs  - ptr to the number of put records. Updated here.
 * .ret 0       - no errors detected.
 * .ret -1      - error in writing. Quit processing.
 */
static int
write_recs(pcbr, pcb, nprecs)
register audit_pcb_t *pcbr, *pcb;
int     *nprecs;
{
        adr_t adr;
        char    id;
        int32_t size;

        adrm_start(&adr, pcb->pcb_rec);
        (void) adrm_char(&adr, &id, 1);
        (void) adrm_int32(&adr, &size, 1);

        /*
         * Scan for first record to be written to outfile.
         * When we find it then write the header and
         * save the time for the outfile name.
         */
        if ((*nprecs)++ == 0) {
                if (pcbr->pcb_flags & PF_ROOT) {
                        f_start = pcb->pcb_time;        /* save start time */
                        if (write_header())
                                return (-1);
                }
        }
        f_end = pcb->pcb_time;                  /* find last record's time */
        pcb->pcb_time = -1;                     /* disable just written rec */

        if ((fwrite(pcb->pcb_rec, sizeof (char), size, pcbr->pcb_fpw)) !=
                        size) {
                if (pcbr->pcb_flags & PF_ROOT) {
                        (void) sprintf(errbuf, gettext(
                                "%s write failed to %s"),
                                ar, f_outfile ? f_outfile : gettext("stdout"));
                        perror(errbuf);
                } else {
                        perror(gettext("auditreduce: write failed to pipe"));
                }
                return (-1);
        }
        free(pcb->pcb_rec);
        return (0);
}

/*
 * .func get_recs - get records.
 * .desc Get records from a stream until one passing the current selection
 *      criteria is found or the stream is emptied.
 * .call        ret = get_recs(pcb, nr).
 * .arg pcb     - ptr to pcb that holds this stream.
 * .arg nr      - ptr to number of records read. Updated by this routine.
 * .ret 0       - got a record.
 * .ret -1      - stream is finished.
 */
static int
get_recs(pcb, nr)
register audit_pcb_t *pcb;
int     *nr;
{
        adr_t adr;
        time_t secs;
        int     tmp;
        int     ret, ret2;
        int     nrecs = 0;      /* count how many records read this call */
        int     getrec = TRUE;
        int     alldone = FALSE;
        char    header_type;
        short   e;
        char    *str;
#if AUDIT_FILE
        static void     get_trace();
#endif

        while (getrec) {
                ret = get_record(pcb->pcb_fpr, &pcb->pcb_rec,
                        pcb->pcb_cur->fcb_name);
                if (ret > 0) {
                        adrm_start(&adr, pcb->pcb_rec);

                        /* get token id */
                        (void) adrm_char(&adr, (char *)&header_type, 1);
                        /* skip over byte count */
                        (void) adrm_int32(&adr, (int32_t *)&tmp, 1);
                        /* skip over version # */
                        (void) adrm_char(&adr, (char *)&tmp, 1);
                        /* skip over event id */
                        (void) adrm_short(&adr, (short *)&e, 1);
                        /* skip over event id modifier */
                        (void) adrm_short(&adr, (short *)&tmp, 1);

                        if (header_type == AUT_HEADER32) {
                            int32_t s, m;

                            /* get seconds */
                            (void) adrm_int32(&adr, (int32_t *)&s, 1);
                            /* get microseconds */
                            (void) adrm_int32(&adr, (int32_t *)&m, 1);
                            secs = (time_t)s;
                        } else if (header_type == AUT_HEADER32_EX) {
                            int32_t s, m;
                            int32_t t, junk[4]; /* at_type + at_addr[4] */

                            /* skip type and ip address field */
                            (void) adrm_int32(&adr, (int32_t *)&t, 1);
                            (void) adrm_int32(&adr, (int32_t *)&junk[0], t/4);

                            /* get seconds */
                            (void) adrm_int32(&adr, (int32_t *)&s, 1);
                            /* get microseconds */
                            (void) adrm_int32(&adr, (int32_t *)&m, 1);
                            secs = (time_t)s;
                        } else if (header_type == AUT_HEADER64) {
                            int64_t s, m;

                            /* get seconds */
                            (void) adrm_int64(&adr, (int64_t *)&s, 1);
                            /* get microseconds */
                            (void) adrm_int64(&adr, (int64_t *)&m, 1);
#if ((!defined(_LP64)) || defined(_SYSCALL32))
                            if (s < (time_t)INT32_MIN ||
                                s > (time_t)INT32_MAX)
                                        secs = 0;
                            else
                                        secs = (time_t)s;
#else
                            secs = (time_t)s;
#endif
                        } else if (header_type == AUT_HEADER64_EX) {
                            int64_t s, m;
                            int32_t t, junk[4];

                            /* skip type and ip address field */
                            (void) adrm_int32(&adr, (int32_t *)&t, 1);
                            (void) adrm_int32(&adr, (int32_t *)&junk[0], t/4);

                            /* get seconds */
                            (void) adrm_int64(&adr, (int64_t *)&s, 1);
                            /* get microseconds */
                            (void) adrm_int64(&adr, (int64_t *)&m, 1);
#if ((!defined(_LP64)) || defined(_SYSCALL32))
                            if (s < (time_t)INT32_MIN ||
                                s > (time_t)INT32_MAX)
                                        secs = 0;
                            else
                                        secs = (time_t)s;
#else
                            secs = (time_t)s;
#endif
                        }
                }

#if AUDIT_REC
                (void) fprintf(stderr, "get_recs: %d ret %d recno %d\n",
                        pcb->pcb_procno, ret, pcb->pcb_nrecs + 1);
#endif
                /*
                 * See if entire file is after the time window specified.
                 * Must be check here because the start time of the file name
                 * may be after the first record(s).
                 */
                if (pcb->pcb_nrecs == 0 && (pcb->pcb_flags & PF_USEFILE)) {
                        /*
                         * If the first record read failed then use the time
                         * that was in the filename to judge.
                         */
                        if (ret > 0)
                                (pcb->pcb_cur)->fcb_start = secs;
                        if (!f_all && (m_before <= (pcb->pcb_cur)->fcb_start)) {
                                (void) fclose(pcb->pcb_fpr); /* ignore file */
                                pcb->pcb_fpr = NULL;
                                pcb->pcb_time = -1;
                                return (-1);
                        } else {
                                /* Give belated announcement of file opening. */
                                if (f_verbose) {
                                        (void) fprintf(stderr,
                                                gettext("%s opened:\n  %s.\n"),
                                                ar, (pcb->pcb_cur)->fcb_file);
                                }
                        }
                }
                /* Succesful acquisition of a record.  */
                if (ret > 0) {
                        pcb->pcb_time = secs;   /* time of record */
                        pcb->pcb_nrecs++;       /* # of read recs from stream */
                        nrecs++;                /* # of recs read this call */
                        /* Only check record if at bottom of process tree. */
                        if (pcb->pcb_flags & PF_USEFILE) {
                                check_order(pcb); /* check time sequence */
                                if ((ret2 = check_rec(pcb)) == 0) {
                                        pcb->pcb_nprecs++;
                                        getrec = FALSE;
                                } else if (ret2 == -2) {
                                        /* error */
                                        getrec = FALSE; /* get no more recs */
                                        alldone = TRUE; /* quit this file */
                                        free(pcb->pcb_rec);
                                } else {
                                        /* -1: record not interesting */
                                        free(pcb->pcb_rec);
                                }
                        } else {
                                pcb->pcb_nprecs++;
                                getrec = FALSE;
                        }
                } else {
                        /* Error with record read or all done with stream. */
                        getrec = FALSE;
                        alldone = TRUE;
                }
        }
        if (alldone == TRUE) {
#if AUDIT_FILE
                get_trace(pcb);
#endif
                /* Error in record read. Display messages. */
                if (ret < 0 || ret2 == -2) {
                        pcb->pcb_nrecs++;       /* # of read records */
                        if (!f_quiet) {
                                if (pcb->pcb_flags & PF_USEFILE) {
                                        /* Ignore if this is not_terminated. */
                                        if (!strstr((pcb->pcb_cur)->fcb_file,
                                                        "not_terminated")) {
(void) fprintf(stderr, gettext("%s read error in %s at record %d.\n"), ar,
        (pcb->pcb_cur)->fcb_file, pcb->pcb_nrecs);
                                        }
                                } else {
(void) fprintf(stderr, gettext("%s read error in pipe at record %d.\n"), ar,
        pcb->pcb_nrecs);
                                }
                        }
                } else {
                        /*
                         * Only mark infile for deleting if we have succesfully
                         * processed all of it.
                         */
                        if (pcb->pcb_flags & PF_USEFILE)
                                (pcb->pcb_cur)->fcb_flags |= FF_DELETE;
                }
                if (fclose(pcb->pcb_fpr) == EOF) {
                        if (!f_quiet) {
                                if (pcb->pcb_flags & PF_USEFILE) {
                                        str = (pcb->pcb_cur)->fcb_file;
                                } else {
                                        str = "pipe";
                                }
                                (void) fprintf(stderr,
                                        gettext("%s couldn't close %s.\n"),
                                        ar, str);
                        }
                }
                pcb->pcb_fpr = NULL;
                pcb->pcb_time = -1;
                *nr += nrecs;
                return (-1);
        }
        *nr += nrecs;
        return (0);
}


#if AUDIT_FILE
/*
 * .func get_trace - get trace.
 * .desc If we are tracing file action (AUDIT_FILE is on) then print out
 *      a message when the file is closed regarding how many records
 *      were handled.
 * .call        get_trace(pcb).
 * .arg pcb     - ptr to pcb holding file/pipe.
 * .ret void.
 */
static void
get_trace(pcb)
audit_pcb_t *pcb;
{
        /*
         * For file give filename, too.
         */
        if (pcb->pcb_flags & PF_USEFILE) {
        (void) fprintf(stderr, "%s closed %s: %d records read recs: \
                %d record written.\n", ar, (pcb->pcb_cur)->fcb_file,
                pcb->pcb_nrecs, pcb->pcb_nprecs);
        } else {
                (void) fprintf(stderr, "%s closed pipe: %d records read: \
                        %d records written .\n", ar, pcb->pcb_nrecs,
                        pcb->pcb_nprecs);
        }
}

#endif

/*
 * .func        check_rec - check a record.
 * .desc        Check a record against the user's selection criteria.
 * .call        ret = check_rec(pcb).
 * .arg pcb     - ptr to pcb holding the record.
 * .ret 0       - record accepted.
 * .ret -1      - record rejected - continue processing file.
 * .ret -2      - record rejected - quit processing file.
 */
static int
check_rec(pcb)
register audit_pcb_t *pcb;
{
        adr_t adr;
        struct timeval tv;
        uint_t  bytes;
        au_emod_t id_modifier;
        char    version;
        au_event_t event_type;
        char    tokenid;
        int     rc;      /* return code */

        adrm_start(&adr, pcb->pcb_rec);
        (void) adrm_char(&adr, &tokenid, 1);

        /*
         * checkflags will be my data structure for determining if
         * a record has met ALL the selection criteria.  Once
         * checkflags == flags, we have seen all we need to of the
         * record, and can go to the next one.  If when we finish
         * processing the record we still have stuff to see,
         * checkflags != flags, and thus we should return a -1
         * from this function meaning reject this record.
         */

        checkflags = 0;

        /* must be header token -- sanity check */
        if (tokenid != AUT_HEADER32 && tokenid != AUT_HEADER64 &&
            tokenid != AUT_HEADER32_EX && tokenid != AUT_HEADER64_EX) {
#if AUDIT_REC
                (void) fprintf(stderr,
                    "check_rec: %d recno %d no header %d found\n",
                    pcb->pcb_procno, pcb->pcb_nrecs, tokenid);
#endif
                return (-2);
        }

        /*
         * The header token is:
         *      attribute id:           char
         *      byte count:             int
         *      version #:              char
         *      event ID:               short
         *      ID modifier:            short
         *      seconds (date):         int
         *      time (microsecs):       int
         */
        (void) adrm_u_int32(&adr, (uint32_t *)&bytes, 1);
        (void) adrm_char(&adr, &version, 1);
        (void) adrm_u_short(&adr, &event_type, 1);

        /*
         * Used by s5_IPC_token to set the ipc_type so
         * s5_IPC_perm_token can test.
         */
        ipc_type = (char)0;

        if (flags & M_TYPE) {
                checkflags |= M_TYPE;
                if (m_type != event_type)
                        return (-1);
        }
        if (flags & M_CLASS) {
                au_event_ent_t *ev = NULL;

                checkflags |= M_CLASS;
                if (cacheauevent(&ev, event_type) <= 0) {
                    (void) fprintf(stderr, gettext(
                        "Warning: invalid event no %d in audit trail."),
                        event_type);
                    return (-1);
                }
                global_class = ev->ae_class;
                if (!(flags & M_SORF) && !(mask.am_success & global_class))
                        return (-1);
        }

        (void) adrm_u_short(&adr, &id_modifier, 1);

        /*
         * Check record against time criteria.
         * If the 'A' option was used then no time checking is done.
         * The 'a' parameter is inclusive and the 'b' exclusive.
         */
        if (tokenid == AUT_HEADER32) {
            int32_t secs, msecs;
            (void) adrm_int32(&adr, (int32_t *)&secs, 1);
            (void) adrm_int32(&adr, (int32_t *)&msecs, 1);
            tv.tv_sec = (time_t)secs;
            tv.tv_usec = (suseconds_t)msecs;
        } else if (tokenid == AUT_HEADER32_EX) {
            int32_t secs, msecs;
            int32_t t, junk[5]; /* at_type + at_addr[4] */
            /* skip type and ip address field */
            (void) adrm_int32(&adr, (int32_t *)&t, 1);
            (void) adrm_int32(&adr, (int32_t *)&junk[0], t/4);
            /* get time */
            (void) adrm_int32(&adr, (int32_t *)&secs, 1);
            (void) adrm_int32(&adr, (int32_t *)&msecs, 1);
            tv.tv_sec = (time_t)secs;
            tv.tv_usec = (suseconds_t)msecs;
        } else if (tokenid == AUT_HEADER64) {
            int64_t secs, msecs;
            (void) adrm_int64(&adr, (int64_t *)&secs, 1);
            (void) adrm_int64(&adr, (int64_t *)&msecs, 1);
#if ((!defined(_LP64)) || defined(_SYSCALL32))
            if (secs < (time_t)INT32_MIN ||
                secs > (time_t)INT32_MAX)
                        tv.tv_sec = 0;
            else
                        tv.tv_sec = (time_t)secs;
            if (msecs < (suseconds_t)INT32_MIN ||
                msecs > (suseconds_t)INT32_MAX)
                        tv.tv_usec = 0;
            else
                        tv.tv_usec = (suseconds_t)msecs;
#else
            tv.tv_sec = (time_t)secs;
            tv.tv_usec = (suseconds_t)msecs;
#endif
        } else if (tokenid == AUT_HEADER64_EX) {
            int64_t secs, msecs;
            int32_t t, junk[4]; /* at_type + at_addr[4] */
            /* skip type and ip address field */
            (void) adrm_int32(&adr, (int32_t *)&t, 1);
            (void) adrm_int32(&adr, (int32_t *)&junk[0], t/4);
            /* get time */
            (void) adrm_int64(&adr, (int64_t *)&secs, 1);
            (void) adrm_int64(&adr, (int64_t *)&msecs, 1);
#if ((!defined(_LP64)) || defined(_SYSCALL32))
            if (secs < (time_t)INT32_MIN ||
                secs > (time_t)INT32_MAX)
                        tv.tv_sec = 0;
            else
                        tv.tv_sec = (time_t)secs;
            if (msecs < (suseconds_t)INT32_MIN ||
                msecs > (suseconds_t)INT32_MAX)
                        tv.tv_usec = 0;
            else
                        tv.tv_usec = (suseconds_t)msecs;
#else
            tv.tv_sec = (time_t)secs;
            tv.tv_usec = (suseconds_t)msecs;
#endif
        }
        pcb->pcb_otime = pcb->pcb_time;
        if (!f_all) {
                if (m_after > tv.tv_sec)
                        return (-1);
                if (m_before <= tv.tv_sec)
                        return (-1);
        }

        /* if no selection flags were passed, select everything */
        if (!flags)
                return (0);

        /*
         * If all information can be found in header,
         * there is no need to continue processing the tokens.
         */
        if (flags == checkflags)
                return (0);

        /*
         * Process tokens until we hit the end of the record
         */
        while ((uint_t)(adr.adr_now - adr.adr_stream) < bytes) {
                adrm_char(&adr, &tokenid, 1);
                rc = token_processing(&adr, tokenid);

                /* Any Problems? */
                if (rc == -2) {
                        (void) fprintf(stderr,
                            gettext("auditreduce: bad token %u, terminating "
                            "file %s\n"), tokenid, (pcb->pcb_cur)->fcb_file);
                        return (-2);
                }

                /* Are we finished? */
                if (flags == checkflags)
                        return (0);
        }

        /*
         * So, we haven't seen all that we need to see.  Reject record.
         */

        return (-1);
}


/*
 * .func check_order - Check temporal sequence.
 * .call check_order(pcb).
 * .arg  pcb - ptr to audit_pcb_t.
 * .desc        Check to see if the records are out of temporal sequence, ie,
 *      a record has a time stamp older than its predecessor.
 *      Also check to see if the current record is within the bounds of
 *      the file itself.
 *      This routine prints a diagnostic message, unless the QUIET
 *      option was selected.
 * .call        check_order(pcb).
 * .arg pcb     - ptr to pcb holding the records.
 * .ret void.
 */
static void
check_order(pcb)
register audit_pcb_t *pcb;
{
        char    cptr1[28], cptr2[28];   /* for error reporting */

        /*
         * If the record-past is not the oldest then say so.
         */
        if (pcb->pcb_otime > pcb->pcb_time) {
                if (!f_quiet) {
                        (void) memcpy((void *)cptr1,
                                (void *)ctime(&pcb->pcb_otime), 26);
                        cptr1[24] = ' ';
                        (void) memcpy((void *)cptr2,
                                (void *)ctime(&pcb->pcb_time), 26);
                        cptr2[24] = ' ';
                        (void) fprintf(stderr,
        gettext("%s %s had records out of order: %s was followed by %s.\n"),
                                ar, (pcb->pcb_cur)->fcb_file, cptr1, cptr2);
                }
        }
}


/*
 * .func        check_header.
 * .desc        Read in and check the header for an audit file.
 *      The header must read-in properly and have the magic #.
 * .call        err = check_header(fp).
 * .arg fp      - file stream.
 * .ret 0       no problems.
 * .ret -1      problems.
 */
static int
check_header(fp, fn)
FILE *fp;
char    *fn;
{
        char    id;
        char    *fname;
        short   pathlength;
        adr_t   adr;
        adrf_t  adrf;

        adrf_start(&adrf, &adr, fp);

        if (adrf_char(&adrf, &id, 1)) {
                (void) sprintf(errbuf, gettext("%s is empty"), fn);
                error_str = errbuf;
                return (-1);
        }
        if (!(id == AUT_OTHER_FILE32 || id == AUT_OTHER_FILE64)) {
                (void) sprintf(errbuf, gettext("%s not an audit file "), fn);
                error_str = errbuf;
                return (-1);
        }

        if (id == AUT_OTHER_FILE32) {
            int32_t secs, msecs;
            (void) adrf_int32(&adrf, (int32_t *)&secs, 1);
            (void) adrf_int32(&adrf, (int32_t *)&msecs, 1);
        } else {
            int64_t secs, msecs;
            (void) adrf_int64(&adrf, (int64_t *)&secs, 1);
            (void) adrf_int64(&adrf, (int64_t *)&msecs, 1);
#if ((!defined(_LP64)) || defined(_SYSCALL32))
            if (secs < (time_t)INT32_MIN ||
                secs > (time_t)INT32_MAX) {
                    error_str = gettext("bad time stamp in file header");
                    return (-1);
            }
            if (msecs < (suseconds_t)INT32_MIN ||
                msecs > (suseconds_t)INT32_MAX) {
                    error_str = gettext("bad time stamp in file header");
                    return (-1);
            }
#endif
        }

        if (adrf_short(&adrf, &pathlength, 1)) {
                error_str = gettext("incomplete file header");
                return (-1);
        }

        if (pathlength != 0) {
                fname = (char *)a_calloc(1, (size_t)pathlength);
                if ((fread(fname, sizeof (char), pathlength, fp)) !=
                                pathlength) {
                        (void) sprintf(errbuf,
                                gettext("error in header/filename read in %s"),
                                fn);
                        error_str = errbuf;
                        return (-1);
                }
                free(fname);
        }
        return (0);
}


/*
 * .func        get_record - get a single record.
 * .desc        Read a single record from stream fp. If the record to be read
 *      is larger than the buffer given to hold it (as determined by
 *      cur_size) then free that buffer and allocate a new and bigger
 *      one, making sure to store its size.
 * .call        ret = get_record(fp, buf, cur_size, flags).
 * .arg fp      - stream to read from.
 * .arg buf     - ptr to ptr to buffer to place record in.
 * .arg cur_size- ptr to the size of the buffer that *buf points to.
 * .arg flags   - flags from fcb (to get FF_NOTTERM).
 * .ret +number - number of chars in the record.
 * .ret 0       - trailer seen - file done.
 * .ret -1      - read error (error_str know what type).
 */
static int
get_record(fp, buf, fn)
FILE *fp;
char    **buf;
char    *fn;
{
        adr_t   adr;
        adrf_t  adrf;
        int     leadin;
        char    id;
        int     lsize;
        short   ssize;

        /*
         * Get the token type. It will be either a header or a file
         * token.
         */
        (void) adrf_start(&adrf, &adr, fp);
        if (adrf_char(&adrf, &id, 1)) {
                (void) sprintf(errbuf, gettext(
                        "record expected but not found in %s"),
                        fn);
                error_str = errbuf;
                return (-1);
        }
        switch (id) {
        case AUT_HEADER32:
        case AUT_HEADER32_EX:
        case AUT_HEADER64:
        case AUT_HEADER64_EX:
                /*
                 * The header token is:
                 *      attribute id:           char
                 *      byte count:             int
                 *      version #:              char
                 *      event ID:               short
                 *      ID modifier:            short
                 *      IP address type         int     (_EX only)
                 *      IP address              1/4*int (_EX only)
                 *      seconds (date):         long
                 *      time (microsecs):       long
                 */
                leadin = sizeof (int32_t) + sizeof (char);
                (void) adrf_int32(&adrf, &lsize, 1);
                *buf = (char *)a_calloc(1, (size_t)(lsize + leadin));
                adr_start(&adr, *buf);
                adr_char(&adr, &id, 1);
                adr_int32(&adr, (int32_t *)&lsize, 1);
                if (fread(*buf + leadin, sizeof (char), lsize - leadin, fp) !=
                        lsize - leadin) {
                        (void) sprintf(errbuf,
                                gettext("header token read failure in %s"), fn);
                        error_str = errbuf;
                        return (-1);
                }
                return (lsize + leadin);
        case AUT_OTHER_FILE32: {
                int32_t secs, msecs;
                leadin =  2 * sizeof (int32_t) +
                                sizeof (short) + sizeof (char);
                (void) adrf_int32(&adrf, (int32_t *)&secs, 1);
                (void) adrf_int32(&adrf, (int32_t *)&msecs, 1);
                (void) adrf_short(&adrf, &ssize, 1);
                *buf = (char *)a_calloc(1, (size_t)(ssize + leadin));
                adr_start(&adr, *buf);
                adr_char(&adr, &id, 1);
                adr_int32(&adr, (int32_t *)&secs, 1);
                adr_int32(&adr, (int32_t *)&msecs, 1);
                adr_short(&adr, &ssize, 1);
                if (fread(*buf + leadin, sizeof (char), ssize, fp) != ssize) {
                        error_str = gettext("file token read failure");
                        return (-1);
                }
                return (0);             /* done! */
        }
        case AUT_OTHER_FILE64: {
                int64_t secs, msecs;
                leadin =  2 * sizeof (int64_t) +
                                sizeof (short) + sizeof (char);
                (void) adrf_int64(&adrf, (int64_t *)&secs, 1);
                (void) adrf_int64(&adrf, (int64_t *)&msecs, 1);
                (void) adrf_short(&adrf, &ssize, 1);
                *buf = (char *)a_calloc(1, (size_t)(ssize + leadin));
                adr_start(&adr, *buf);
                adr_char(&adr, &id, 1);
                adr_int64(&adr, (int64_t *)&secs, 1);
                adr_int64(&adr, (int64_t *)&msecs, 1);
                adr_short(&adr, &ssize, 1);
                if (fread(*buf + leadin, sizeof (char), ssize, fp) != ssize) {
                        error_str = gettext("file token read failure");
                        return (-1);
                }
                return (0);             /* done! */
        }
        default:
                break;
        }
        error_str = gettext("record begins without proper token");
        return (-1);
}
Illumos
