#!/bin/bash
# =============================================================================
# (c) Copyright Hewlett-Packard Development Company, L.P., 2005
# Written by Aron Griffis <aron@hp.com>
#
#   This program is free software: you can redistribute it and/or modify
#   it under the terms of version 2 the GNU General Public License as
#   published by the Free Software Foundation.
#   
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#   
#   You should have received a copy of the GNU General Public License
#   along with this program.  If not, see <http://www.gnu.org/licenses/>.
# =============================================================================
#
# PURPOSE:
# Verify ausearch finds requested records

source testcase.bash || exit 2

# some of these require sed -r, and all are compatible with it
collapse_interior_whitespace='s/[[:blank:]]+/ /g'
remove_trailing_whitespace='s/[[:blank:]]*$//'
remove_msg_space='s/(msg=audit[^)]*\)) :/\1:/'
remove_daemon_commas='/^type=DAEMON_START/s/,[[:blank:]]+/ /g'
[[ $* == *-i* ]] && remove_quotes='s/"//g' || remove_quotes=''

echo "# augrok --ausearch -if auditlog.sample $*" >&2
augrok_output=$(augrok --ausearch -if auditlog.sample "$@" \
    | sed -r "
	$collapse_interior_whitespace
	$remove_daemon_commas
	$remove_quotes" \
    | tee /dev/stderr \
    | sort)

if [[ -z $augrok_output ]]; then
    exit_error "augrok couldn't find anything"
fi

echo
echo "# ausearch -if auditlog.sample $*" >&2
ausearch_output=$(ausearch -if auditlog.sample "$@" \
    | sed -r "
	$collapse_interior_whitespace
	$remove_trailing_whitespace
	$remove_msg_space
	$remove_daemon_commas
	$remove_quotes" \
    | tee /dev/stderr \
    | sort)

echo
if [[ "$augrok_output" == "$ausearch_output" ]]; then
    exit_pass "output matches"
else
    echo "diff augrok_output ausearch_output"
    diff -u <(sed 's/[[:blank:]]/\n/g' <<<"$augrok_output") \
	    <(sed 's/[[:blank:]]/\n/g' <<<"$ausearch_output")
    echo
    exit_fail "discrepancies found"
fi
