Audit Parsing Library Requirements

Klaus Weidner klaus at atsec.com
Fri Mar 10 19:02:09 UTC 2006


On Fri, Mar 10, 2006 at 12:05:27PM -0500, Steve Grubb wrote:
> This would allow the following kind of programming:
> 
>         if (!auparse_init(AUSOURCE_LOGS, NULL))
>         if (!ausearch_set_param("auid", "=", "500", AUSEARCH_STOP_RECORD))
>         while (ausearch_next_event()) {
>                 if (auparse_find_field("auid"))

With this kind of interface, the library will need to keep state
internally, which seems to make it impossible to have multiple scanners
active from the same application. An example of that would be a GUI
application for examining audit logs, which may very well want to have
multiple search windows open at once.

How about an extra parameter to make the state management explicit,
similar to the stdio.h opaque FILE* type, to allow fully reentrant
operation?

Something like this:

        auparse_state_t *au;
        if (!(au = auparse_init(AUSOURCE_LOGS, NULL)))
        if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_RECORD))
        while (ausearch_next_event(au)) {
                if (auparse_find_field(au, "auid"))

-Klaus
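The explicit-handle design in the sketch above, as an added example that is neither Klaus's code nor the real auparse library: a minimal C mock over a constructed in-memory log that uses the sketch's function names but assumes only the "=" operator, no stop-on-record flag, and a records array in place of AUSOURCE_LOGS. Because every cursor and filter lives in its own auparse_state_t, two scanners can be interleaved over the same log without clobbering each other.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample log for this mock: one record per entry, key=value fields. */
const char *const sample_log[] = {
    "type=SYSCALL auid=500 uid=500 syscall=open",
    "type=SYSCALL auid=0 uid=0 syscall=execve",
    "type=SYSCALL auid=500 uid=0 syscall=setuid", NULL };

/* Opaque per-scanner state: cursor and filter live in the handle rather than
 * in globals, so two scanners over the same log never interfere. */
typedef struct auparse_state {
    const char *const *records;
    size_t next;              /* index of the next record to examine */
    const char *cur;          /* record matched by the last next_event, or NULL */
    const char *key, *value;  /* search filter; NULL key matches every record */
} auparse_state_t;

auparse_state_t *auparse_init(const char *const *records) {
    auparse_state_t *au = calloc(1, sizeof *au);
    if (au) au->records = records;
    return au;
}
/* Assumed simplification: only "=" is modelled and there is no stop flag. */
void ausearch_set_param(auparse_state_t *au, const char *key, const char *value) { au->key = key; au->value = value; }
/* 1 if rec carries "key=" with value want (any value when want is NULL).
 * A field boundary must precede key, so "uid" does not match inside "auid=". */
static int has_field(const char *rec, const char *key, const char *want) {
    size_t klen = strlen(key);
    for (const char *p = rec; klen && (p = strstr(p, key)) != NULL; p += klen) {
        if ((p != rec && p[-1] != ' ') || p[klen] != '=') continue;
        const char *v = p + klen + 1;
        size_t vlen = strcspn(v, " ");
        return !want || (strlen(want) == vlen && memcmp(v, want, vlen) == 0);
    }
    return 0;
}
/* Advance this scanner to its next matching record: 1 if found, 0 at end. */
int ausearch_next_event(auparse_state_t *au) {
    for (au->cur = NULL; au->records[au->next] != NULL; au->next++) {
        const char *rec = au->records[au->next];
        if (au->key && !has_field(rec, au->key, au->value)) continue;
        au->cur = rec; au->next++;
        return 1;
    }
    return 0;
}
/* 1 if this scanner's current record has the named field. */
int auparse_find_field(auparse_state_t *au, const char *key) { return au->cur != NULL && has_field(au->cur, key, NULL); }
```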