[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

API design for library to be used by testcases and ausearch



Some of us at IBM have been discussing the possibility of having an API 
which can be used by testcases and tools, such as ausearch, to get 
information form the audit subsystem.
I'm attaching our proposal for what the API structures would look like as 
well as prototypes for functions that testcases and ausearch would need in 
order to get the data they need.

Note the structures are based on the current audit records and will need 
to be updated as record types and fields are modified.

Please look them over and send us any feedback.

Thanks,
debbie

The following was designed by Loulwa Salem, Michael Thompson, and myself 
with some feedback from Tim Chavez.

typdef struct records_t
    {
	record_t record;
	records_t * next_record;	
    } records;


typdef struct record_t
    {
	recordtype kind;     //what kind of audit_record record it is
	record_data data;
	record * next;	
    } record;

union record_data_t
    {
	syscall_t syscall;
	ipc_t ipc;
	fs_watch_t fs_watch;
	fs_inode_t fs_inode;
	cwd_t cwd;
	path_t path;
	config_change_t config_change;
	daemon_end_t daemon_end;
	user_t user;
	user_chauthtok_t user_chauthtok;
	user_auth_t user_auth;
	user_acct_t user_acct;
	user_start_t user_start;
	user_end_t user_end;
	cred_acq_t cred_acq;
	cred_disp_t cred_disp;
	cred_refr_t cred_refr;
	login_t longin;
    } record_data;


typedef struct syscall_t {
	time_t time;
	serial_t serial;
	arch_t arch;
	syscall_num_t syscall_num;   //note used syscall_num rather than syscall at some point they could add syscall_name
	success_t success;
	exit_t exit;
	a_t a0;
	a_t a1;
	a_t a2;
	a_t a3;
	items_t items;
	id_t pid;
	id_t auid;
	id_t uid;
	id_t gid;
	id_t euid;
	id_t suid;
	id_t fsuid;
	id_t egid;
	id_t sgid;
	id_t fsgid;
	comm_t comm;
	exe_t exe;
}

typedef struct fs_watch {
	time_t time;
	serial_t serial;
	inode_t watch_inode;	
	watch_t watch;
	filterkey_t filterkey;
	perm_t perm;
	perm_mask_t perm_mask;
}

typedef struct fs_inode {
	time_t time;
	serial_t serial;
	inode_t inode;	
	id_t inode_uid;    	
	id_t inode_gid;		
	dev_t inode_dev;	
	rdev_t inode_rdev	
}


typedef struct cwd {
	time_t time;
	serial_t serial;
	cwd_t cwd;	
}


typedef struct path {
	time_t time;
	serial_t serial;
	name_t name;
	flags_t flags;
	inode_t inode;
	dev_t dev;
	mode_t mode;
	id_t ouid;
	id_t ogid;
	rdev_t rdev;	
}


typedef struct config_change {
	time_t time;
	serial_t serial;
	id_t auid;
	text_t text;    //"removed watch"
	audit_enabled_t audit_enabled;
	old_t old;
}


typedef struct daemon_start {
	time_t time;
	serial_t serial;
	version_t version;
	format_t format;
	id_t auid;
	id_t auditd_pid;
	text_t text;    //"auditd start"
}


typedef struct daemon_end {
	time_t time;
	serial_t serial;
	id_t auid;
	id_t sending_pid;
	id_t auditd_pid;
	text_t text;    //"auditd normal halt"
}



typedef struct ipc {
	time_t time;
	serial_t serial;
	qbytes_t qbytes;
	id_t iuid;
	id_t igid;
	mode_t mode;	
}

typdef struct login {
	time_t time;
	serial_t serial;
	msg_t msg;  //message needs to be parsed to figure out the following
	id_t pid;
	id_t uid;
	id_t old_auid;
	id_t new_auid;
}


typedef struct user {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;
	text_t text;	//"user"
}



typdef struct user_chauthtok {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
        res_t res;		//records using 'res' should be changed to use 'result'
	result_t result;   
	op_t op;
	acct_t acct;
}
	
Note: user_auth, user_acct, user_start, user_end, cred_acq, cred_disp, cred_refr have the same tydef, but the message parsed differs slightly.

typdef struct user_auth {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}

typdef struct user_acct {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}

typdef struct user_start {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}

typdef struct user_end {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}


typdef struct cred_acq {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}

typdef struct cred_disp {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}

typdef struct cred_refr {
	time_t time;
	serial_t serial;
	id_t pid;
	id_t uid;
	id_t auid;
	msg_t msg;  //message needs to be parsed to figure out the following
	user_t user;
	exe_t exe;
	hostname_t hostname;
	addr_t addr;
	terminal_t terminal;
	result_t result;
}

	


/* The following struct is the generic record struct which does not have a record type */
/* It is used by get_by_fields(). */


typedef struct generic_field_data_t {
	a_t a0;
	a_t a1;
	a_t a2;
	a_t a3;
	acct_t acct;
	addr_t addr;
	arch_t arch;
	comm_t comm;
	cwd_t cwd;	
	dev_t dev;
	dev_t inode_dev;	
	audit_enabled_t audit_enabled;
	exe_t exe;
	exit_t exit;
	filterkey_t filterkey;
	flags_t flags;
	format_t format;
	hostname_t hostname;
	id_t auditd_pid;
	id_t auid;
	id_t egid;
	id_t euid;
	id_t fsgid;
	id_t fsuid;
	id_t gid;
	id_t igid;
	id_t inode_gid;	
	id_t inode_uid; 
	id_t iuid;
	id_t new_auid;
	id_t ogid;
	id_t ouid;
	id_t old_auid;
	id_t ouid;
	id_t pid;
	id_t sending_pid;
	id_t sgid;
	id_t suid;
	id_t uid;
	inode_t inode;
	inode_t watch_inode;	
	items_t items;
	mode_t mode;
	msg_t msg;
	name_t name;
	old_t old;
	op_t op;
	perm_mask_t perm_mask;
	perm_t perm;
	qbytes_t qbytes;
	rdev_t inode_rdev;
	rdev_t rdev;	
	result_t res;
	result_t result;
	serial_t serial;
	success_t success;
	syscall_num_t syscall_num;   //note used syscall_num rather than syscall at some point they could add syscall_name
	terminal_t terminal;
	text_t text;    // example "removed watch"
	time_t time;
	type_t type;
	user_t user;
	version_t version;
	watch_t watch;
} generic_field_data
struct record * get_records(time_t start, time_t end){
// start and end time can be specified
// If zero is passed in for start time, then start searching at beginning of log
// If zero is passed in for the end time, then search until the end of the log

// returns pointer to link list of all records within start and end time (which are themselves a link list)
// if no records were found during specified start and end time, returns NULL
}


struct record * get_matching_records(struct record * matching_criteria, time_t start, time_t end){
// matching_criteria is passed into function
// matching_criteria is a pointer to a linked list of record pieces we are looking for
// start and end time can be specified
// If zero is passed in for start time, then start searching at beginning of log
// If zero is passed in for the end time, then search until the end of the log

// returns pointer to link list of all matching records (which are themselves a link list)
// if no matching record is found, returns NULL
}

struct record * get_records_by_fields(struct generic_field_data * fields_to_match, time_t start, time_t end){
// fields_to_match is passed into the function
// fields_to_match is a pointer to one structure with all the fields we want to match filled in and the rest initialized
// start and end time can be specified
// If zero is passed in for start time, then start searching at beginning of log
// If zero is passed in for the end time, then search until the end of the log

// returns pointer to link list of all matching records (which are themselves a link list)
// if no matching record is found, returns NULL
}

record_data * initialize_record_data(record_data * matching_criteria){
//initializes all fields in generic field data type
}

generic_field_data * initialize_generic_field_data(generic_field_data * fields_to_match){
//initializes all fields in generic field data type
}

Attachment: api.sxi
Description: Binary data


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]