Refactor audit log file processing for ausearch/report

Introduced shared audit log helpers to capture first record timestamps,
list rotated logs, and free associated resources, enabling timestamp-driven
log selection across tools.

Updated aureport to leverage the new log enumeration routines, selecting
the correct starting log based on --start time while simplifying filename
traversal.

Refactored ausearch so checkpoint handling occurs before log enumeration;
when no checkpoint is used, it now mirrors aureport’s timestamp-based
log selection for cleaner, non-duplicated logic.

Author: stevegrubb

src/aureport.c

@@ -171,9 +171,10 @@ int main(int argc, char *argv[])
 
 static int process_logs(void)
 {
+	struct audit_log_info *logs = NULL;
 	char *filename;
 	size_t len;
-	int num = 0;
+	size_t log_cnt = 0;
 
 	if (user_file && userfile_is_dir) {
 		char dirname[MAXPATHLEN+1];
@@ -189,32 +190,38 @@ static int process_logs(void)
 		fprintf(stderr, "NOTE - using logs in %s\n", config.log_file);
 	}
 
-	/* for each file */
 	len = strlen(config.log_file) + 16;
 	filename = malloc(len);
 	if (!filename) {
 		fprintf(stderr, "No memory\n");
 		free_config(&config);
 		return 1;
 	}
-	/* Find oldest log file */
-	snprintf(filename, len, "%s", config.log_file);
-	do {
-		if (access(filename, R_OK) != 0)
-			break;
-// FIXME: do a time check and put them on linked list for later
-		num++;
-		snprintf(filename, len, "%s.%d", config.log_file, num);
-	} while (1);
-	num--;
-	/*
-	 * We note how many files we need to process
-	 */
-	files_to_process = num;
+
+	/* Count the logs */
+	if (audit_log_list(config.log_file, &logs, &log_cnt)) {
+		fprintf(stderr, "No memory\n");
+		free(filename);
+		free_config(&config);
+		return 1;
+	}
+
+	if (log_cnt == 0) {
+		snprintf(filename, len, "%s", config.log_file);
+		int ret = process_file(filename);
+		free(filename);
+		free_config(&config);
+		return ret;
+	}
+
+	/* Locate the starting file that is in range */
+	files_to_process = audit_log_find_start(logs, log_cnt, start_time);
+	audit_log_free(logs, log_cnt);
 
 	/* Got it, now process logs from last to first */
-	if (num > 0)
-		snprintf(filename, len, "%s.%d", config.log_file, num);
+	if (files_to_process > 0)
+		snprintf(filename, len, "%s.%d", config.log_file,
+			 files_to_process);
 	else
 		snprintf(filename, len, "%s", config.log_file);
 	do {
@@ -225,15 +232,17 @@ static int process_logs(void)
 			return ret;
 		}
 
+		if (files_to_process == 0)
+			break;
+
 		/* Get next log file */
-		files_to_process--;     /* one less file to process */
-		num--;
-		if (num > 0)
-			snprintf(filename, len, "%s.%d", config.log_file, num);
-		else if (num == 0)
-			snprintf(filename, len, "%s", config.log_file);
+		files_to_process--;
+		if (files_to_process > 0)
+			snprintf(filename, len, "%s.%d",
+				 config.log_file, files_to_process);
 		else
-			break;
+			snprintf(filename, len, "%s",
+				 config.log_file);
 	} while (1);
 	free(filename);
 	free_config(&config);

src/ausearch-parse.c

@@ -34,6 +34,7 @@
 #include <netdb.h>
 #include <limits.h>	/* PATH_MAX */
 #include <ctype.h>
+#include <unistd.h>
 #include "libaudit.h"
 #include "ausearch-options.h"
 #include "ausearch-lookup.h"
@@ -2830,3 +2831,133 @@ static int parse_kernel(lnode *n, search_items *s)
 	return 0;
 }
 
+//////// These are used by ausearch / aureport ///////////////
+
+/* read_first_ts - get timestamp of the first record in a log file
+ * @file: path to the log file
+ * @sec: returned seconds component
+ * @milli: returned milliseconds component
+ *
+ * Returns 0 on success and -1 on failure.
+ */
+static int read_first_ts(const char *file, time_t *sec, unsigned int *milli)
+{
+	FILE *fp;
+	char buf[MAX_AUDIT_MESSAGE_LENGTH];
+	char *p, *e;
+
+	*sec = 0;
+	*milli = 0;
+
+	fp = fopen(file, "rm");
+	if (fp == NULL)
+		return -1;
+	if (fgets_unlocked(buf, sizeof(buf), fp) == NULL) {
+		fclose(fp);
+		return -1;
+	}
+	fclose(fp);
+
+	p = strstr(buf, "audit(");
+	if (p == NULL)
+		return -1;
+	p += 6;
+	*sec = strtoll(p, &e, 10);
+	if (*e == '.')
+		*milli = strtoul(e + 1, &e, 10);
+
+	return 0;
+}
+
+/* audit_log_list - collect audit logs and their first timestamps
+ * @basefile: base audit log file
+ * @logs: returned array of log information
+ * @log_cnt: number of entries in @logs
+ *
+ * Returns 0 on success and -1 on failure.
+ */
+int audit_log_list(const char *basefile, struct audit_log_info **logs,
+                        size_t *log_cnt)
+{
+	char *filename;
+	size_t len;
+	int num = 0;
+	struct audit_log_info *list = NULL;
+
+	len = strlen(basefile) + 16;
+	filename = malloc(len);
+	if (filename == NULL)
+		return -1;
+
+	snprintf(filename, len, "%s", basefile);
+	do {
+		struct audit_log_info *tmp;
+		time_t sec;
+		unsigned int milli;
+
+		if (access(filename, R_OK) != 0)
+			break;
+		if (read_first_ts(filename, &sec, &milli))
+			sec = 0;
+		tmp = realloc(list, (num + 1) * sizeof(*list));
+		if (tmp == NULL) {
+			free(filename);
+			audit_log_free(list, num);
+			return -1;
+		}
+		list = tmp;
+		list[num].name = strdup(filename);
+		if (list[num].name == NULL) {
+			free(filename);
+			audit_log_free(list, num);
+			return -1;
+		}
+		list[num].sec = sec;
+		list[num].milli = milli;
+		num++;
+		snprintf(filename, len, "%s.%d", basefile, num);
+	} while (1);
+
+	free(filename);
+	*logs = list;
+	*log_cnt = num;
+	return 0;
+}
+
+/* audit_log_find_start - choose oldest log that may contain @start
+ * @logs: array of log information
+ * @log_cnt: number of logs
+ * @start: requested start time
+ *
+ * Returns index of the log to begin processing from.
+ */
+unsigned audit_log_find_start(const struct audit_log_info *logs,
+			      size_t log_cnt, time_t start)
+{
+	size_t start_idx = log_cnt ? log_cnt - 1 : 0;
+
+	if (start) {
+		ssize_t i;
+		for (i = log_cnt - 1; i >= 0; i--) {
+			if (logs[i].sec > start) {
+				if ((size_t)i < log_cnt - 1)
+					start_idx = i + 1;
+				break;
+			}
+		}
+	}
+	return start_idx;
+}
+
+/* audit_log_free - release memory held by audit_log_list */
+void audit_log_free(struct audit_log_info *logs, size_t log_cnt)
+{
+	size_t i;
+
+	if (logs == NULL)
+		return;
+	for (i = 0; i < log_cnt; i++)
+		free(logs[i].name);
+	free(logs);
+}
+

src/ausearch-parse.h

@@ -31,5 +31,17 @@
 int extract_search_items(llist *l);
 void lookup_uid_destroy_list(void);
 
+struct audit_log_info {
+	char *name;
+	time_t sec;
+	unsigned int milli;
+};
+
+int audit_log_list(const char *basefile, struct audit_log_info **logs,
+		   size_t *log_cnt);
+unsigned audit_log_find_start(const struct audit_log_info *logs,
+			      size_t log_cnt, time_t start);
+void audit_log_free(struct audit_log_info *logs, size_t log_cnt);
+
 #endif