Audit Parsing Library Requirements

Steve Grubb sgrubb at redhat.com
Mon Mar 13 21:23:42 UTC 2006


On Monday 13 March 2006 14:57, Robert Wenner wrote:
> On Monday 13 March 2006 13:33, Steve Grubb wrote:
> > An audit event is all records that have the same host, timestamp, and
> > serial number.
>
> What happens if two events happen on the same time stamp?

Nothing bad happens. They are still unique because of serial numbers which are 
atomically incremented in the kernel.

> What is the time granularity?

Millisecond

> Why do we need a serial number?

To separate events with the same time stamp.

> > Information in the fields
> > are held by a name/value pair that contains an '=' between them. Each
> > field is separated from one another by a space or comma.
>
> What happens if the data contains a space, comma, or equals sign?

If it contains a character that has a delimiter, it is encoded with ascii hex.

> Is quoting allowed? How is it done?

I assume you mean escaping. When a field that is under user control is 
recorded, it is checked by the audit_log_untrustedstring function. That 
function escapes it if needed.

> > All functions return 1 on success and 0 on failure unless
> > otherwise noted.
>
> How can an application query reasons for failure?

errno

> Is errno set?

Yes.

> > You access the
> > fields through functions that either return a pointer to an immutable,
> > zero-terminated array of ASCII characters or integral values.
>
> How can you keep the data immutable?
> Everybody can cast away the const.

I suppose you are right. But it won't be an application that is part of the 
cert.

> Is this a concern here? Can this introduce problems?

To me, no. Just because they mess up their copy of the data doesn't mean they 
messed up the data source.

> > typedef struct
> > {
> >         time_t sec;             // Event seconds
> >         unsigned int milli;     // millisecond of the timestamp
> >         unsigned long serial;   // Serial number of the event
> >         const char *host;       // Machine's name
> > } event_t;
> >
> > event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time
> > stamp of current record
> > time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds
> > of current record
> > time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds
> > time of current record
>
> What is the difference between get_timestamp and get_time and get_milli?

What they return.

> > int auparse_first_record(auparse_state_t *au) - set iterator to first
> > record in current event
> >
> > int auparse_next_record(auparse_state_t *au) - traverse to next record
> > in event. This allows access to the event type
>
> Is there something like a has_more_records or will next_record just fail
> if there is none?

Fail if there is none.

> > const char *auparse_interpret_field(auparse_state_t *au) - interpret
> > the current field
>
> What does interpreting mean here?

uid=0 becomes uid=root

> >         if (!ausearch_set_param(au, "auid", "=", "500",
> > AUSEARCH_STOP_EVENT)) exit(1);
>
> Is there a special reason to pass in the comparison operator as a char*
> rather than a typedef'd int?

Ease of use from other languages.

-Steve
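As an added example (not code from this thread or from auparse itself), a small Python parser that does what the answers above describe: split each record into name=value fields delimited by space or comma, decode values that were hex-escaped because they held a delimiter, and group records into events keyed by host, timestamp and serial. The set of field names treated as hex-escapable untrusted strings and the sample records are assumptions constructed for this example.

```python
import re

# Record header: optional node=, type=, then msg=audit(SECONDS.MILLI:SERIAL):
HEADER_RE = re.compile(
    r"^(?:node=(\S+)\s+)?type=(\S+)\s+msg=audit\((\d+)\.(\d{3}):(\d+)\):\s*(.*)$")
# Fields are name=value pairs separated by space or comma; values may be "quoted".
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s,]*)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Fields whose values are written via audit_log_untrustedstring (assumed subset).
UNTRUSTED = {"comm", "exe", "name", "cwd", "proctitle"}

# Constructed sample: two records share serial 42; serial 43 has the same
# timestamp but is a distinct event because of its serial number.
SAMPLE = """\
node=host1 type=SYSCALL msg=audit(1142284500.123:42): syscall=59 success=yes exit=0 uid=0 auid=500 comm=783D79 exe="/bin/bash"
node=host1 type=PATH msg=audit(1142284500.123:42): item=0 name=2F746D702F6D792066696C65 inode=1234
node=host1 type=SYSCALL msg=audit(1142284500.123:43): syscall=2 success=no exit=-13 uid=500 auid=500 comm="cat" exe="/bin/cat"
"""

def decode_value(name, raw):
    """Untrusted strings arrive "quoted" when clean and as bare upper-case hex
    when they contained a delimiter or unprintable byte. Hex is only decoded
    for known untrusted fields, so inode=1234 is never misread as bytes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if name in UNTRUSTED and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_record(line):
    """Return ((host, sec, milli, serial), {field: value}) for one record."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    host, rtype, sec, milli, serial, body = m.groups()
    fields = {"type": rtype}
    for name, raw in FIELD_RE.findall(body):
        fields[name] = decode_value(name, raw)
    return (host, int(sec), int(milli), int(serial)), fields

def group_events(lines):
    """Map each (host, sec, milli, serial) key to its records, in arrival order."""
    events = {}
    for line in lines:
        if line.strip():
            key, fields = parse_record(line)
            events.setdefault(key, []).append(fields)
    return events

if __name__ == "__main__":
    for key, records in group_events(SAMPLE.splitlines()).items():
        print(key, [r["type"] for r in records])
```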