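#include <auparse.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * NOTE(review): the original listed five #include lines whose header names
 * were lost in extraction. The four above cover every name used below
 * (auparse_*/ausearch_* from auparse.h, fprintf/printf, free, strcmp);
 * restore the fifth from the upstream source if it is actually needed.
 */

/*
 * Search an audit log file with one or two ausearch expressions and print
 * the serial number of every matching event, one per line.
 *
 * Arguments (argv[1..4], all required):
 *   logfile  audit log to parse (opened as AUSOURCE_FILE)
 *   expr1    first ausearch expression, always applied
 *   op       "&&" combines expr2 with AND; any other token combines with OR
 *   expr2    second expression; the empty string "" disables it
 *
 * Exit status: 0 on success, 1 on missing parameters, 2 on an expression
 * error, 3 when the parser cannot be initialised, 4 when event iteration
 * reports an error.
 *
 * The placeholder names in the usage line were reconstructed from the
 * argument handling below (the original text lost them in extraction).
 */
int main(int argc, char *argv[])
{
    int rc = 0;
    auparse_state_t *au = NULL;
    char *error = NULL;
    const char *log = NULL;
    const char *expr1 = NULL;
    const char *expr2 = NULL;
    /* Initialised so the value is defined even when expr2 is absent. */
    ausearch_rule_t op = AUSEARCH_RULE_OR;
    int next;

    if (argc < 5) {
        fprintf(stderr, "Missing parameters!\n");
        fprintf(stderr, "\nUsage: %s <logfile> <expr1> <AND | OR> <expr2>\n", argv[0]);
        return 1;
    }

    log = argv[1];
    expr1 = argv[2];
    /* An empty fourth argument means "no second expression". */
    if (strcmp(argv[4], "") != 0) {
        expr2 = argv[4];
        /* Only the literal "&&" selects AND; anything else (including a typo)
         * silently selects OR, matching the original behaviour. */
        op = (strcmp(argv[3], "&&") == 0) ? AUSEARCH_RULE_AND : AUSEARCH_RULE_OR;
    }

    /* auparse_init returns NULL on failure (e.g. unreadable log file);
     * dereferencing it in ausearch_add_expression would crash. */
    au = auparse_init(AUSOURCE_FILE, log);
    if (au == NULL) {
        fprintf(stderr, "Cannot initialise the audit parser for %s\n", log);
        return 3;
    }

    /* The first expression replaces any existing criteria. */
    if (ausearch_add_expression(au, expr1, &error, AUSEARCH_RULE_CLEAR)) {
        fprintf(stderr, "Criteria error: %s\n", error);
        free(error);
        rc = 2;
        goto out;
    }
    /* The optional second expression is combined with the first by op. */
    if (expr2 != NULL && ausearch_add_expression(au, expr2, &error, op)) {
        fprintf(stderr, "Criteria error: %s\n", error);
        free(error);
        rc = 2;
        goto out;
    }

    /* ausearch_next_event returns >0 on a match, 0 at end of input and
     * a negative value on error; the original loop treated the error case
     * like end of input. */
    while ((next = ausearch_next_event(au)) > 0) {
        printf("%lu\n", auparse_get_serial(au));
    }
    if (next < 0) {
        fprintf(stderr, "Error while searching events\n");
        rc = 4;
    }

out:
    /* Release the parser on every exit path, not only on success. */
    auparse_destroy(au);
    return rc;
}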