
##########################################################################
# $Id: audit,v 1.2 2005/06/07 18:43:32 bjorn Exp $
##########################################################################
# $Log: audit,v $
# Revision 1.2  2005/06/07 18:43:32  bjorn
# Limiting number of unmatched statement
#
# Revision 1.1  2005/05/04 15:56:13  bjorn
# Audit (for selinux) submitted by Ron Kuris
#
##########################################################################
########################################################
# selinux audit log summaries
#
# This was written and is maintained by:
#    Ron Kuris <swcafe@gmail.com>
#
# Please send all comments, suggestions, bug reports,
#    etc, to logwatch-devel@logwatch.org
########################################################
use strict;
use warnings;
use Logwatch ':all';

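# Summarise SELinux AVC messages read from STDIN: tally "denied" and
# "granted" decisions per (source, target, class) and echo a bounded number
# of lines that are not AVC messages so nothing is dropped unnoticed.
my (%denials, %grants);
my @OtherList;
my $othercount = 0;
my $Debug  = ($ENV{'LOGWATCH_DEBUG'} || 0);
my $Detail = ($ENV{'LOGWATCH_DETAIL_LEVEL'} || 0);

# Only this many unmatched lines are echoed verbatim into the report; the
# full count is still printed so a flood of unknown messages stays visible
# without bloating the output.
my $MaxUnmatched = 10;

# No sense in running if selinux doesn't even exist on this system.  Older
# kernels mount selinuxfs at /selinux, newer ones at /sys/fs/selinux; checking
# only the old path would make the filter exit early and silently drop the
# AVC messages from the report on current systems.
exit(0) unless -d '/selinux' or -d '/sys/fs/selinux';

print STDERR "\n\nDEBUG: Inside audit filter\n\n" if ( $Debug >= 5 );

# A security context is user:role:type[:level].  At detail levels 0-4 only
# the leading (user) field of each context is kept, which collapses the
# summary; at 5 and above the whole context is kept.  $ctx_head is the
# captured part, $ctx_tail the uncaptured remainder.
my ($ctx_head, $ctx_tail) = $Detail > 4
    ? ('\S+',   '')
    : ('[^:]+', ':[^:]+:\S+');

# One pattern covers both verdicts.  The literal braces around the permission
# list are escaped because modern perls warn about or reject an unescaped '{'
# in a pattern.
my $avc_re = qr/
    avc:\s*(?<verdict>denied|granted)\s*\{\s*(?<perms>[^}]+)\}
    .*scontext=(?<src>$ctx_head)$ctx_tail
    \s*tcontext=(?<tgt>$ctx_head)$ctx_tail
    \s*tclass=(?<class>\S+)
/x;

# Dispatch on the verdict instead of keeping two copies of the match code.
my %tally_of = (denied => \%denials, granted => \%grants);

while (my $line = <STDIN>) {
    chomp $line;
    if ($line =~ $avc_re) {
        # The permission list (e.g. "read ") is only shown at detail > 9.
        my $what = $Detail > 9 ? "$+{perms}$+{class}" : $+{class};
        $tally_of{ $+{verdict} }{"$+{src} $+{tgt} ($what)"}++;
    } else {
        $othercount++;
        $line =~ s/^\s*//;
        push @OtherList, $line if $othercount <= $MaxUnmatched;
    }
}

# Print one sorted "key: N times" section; prints nothing for an empty tally.
#   $title  - section heading, e.g. "Denials"
#   $tally  - hashref of summary key => occurrence count
sub print_section {
    my ($title, $tally) = @_;
    return unless keys %$tally;
    print "\n\n*** $title ***\n";
    for my $key (sort keys %$tally) {
        print " $key: " . $tally->{$key} . " times\n";
    }
    return;
}

print_section('Denials', \%denials);
print_section('Grants',  \%grants);

if (@OtherList) {
    print "\n**Unmatched Entries** ";
    if ($othercount > $MaxUnmatched) {
        print "(Only first $MaxUnmatched out of $othercount are printed)";
    }
    print "\n ";
    print join("\n ", @OtherList);
}
exit(0);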
