Audit Parsing Library Requirements
Steve Grubb
sgrubb at redhat.com
Mon Mar 13 21:23:42 UTC 2006
On Monday 13 March 2006 14:57, Robert Wenner wrote:
> On Monday 13 March 2006 13:33, Steve Grubb wrote:
> > An audit event is all records that have the same host, timestamp, and
> > serial number.
>
> What happens if two events happen on the same time stamp?
Nothing bad happens. They are still unique because of the serial numbers, which are
atomically incremented in the kernel.
> What is the time granularity?
Millisecond
> Why do we need a serial number?
To separate events with the same time stamp.
> > Information in the fields
> > are held by a name/value pair that contains an '=' between them. Each
> > field is separated from one another by a space or comma.
>
> What happens if the data contains a space, comma, or equals sign?
If it contains a character that is a delimiter, it is encoded with ASCII hex.
> Is quoting allowed? How is it done?
I assume you mean escaping. When a field that is under user control is
recorded, it is checked by the audit_log_untrustedstring function. That
function escapes it if needed.
> > All functions return 1 on success and 0 on failure unless
> > otherwise noted.
>
> How can an application query reasons for failure?
errno
> Is errno set?
Yes.
> > You access the
> > fields through functions that either return a pointer to an immutable,
> > zero-terminated array of ASCII characters or integral values.
>
> How can you keep the data immutable?
> Everybody can cast away the const.
I suppose you are right. But it won't be an application that is part of the
cert.
> Is this a concern here? Can this introduce problems?
To me, no. Just because they mess up their copy of the data doesn't mean they
messed up the data source.
> > typedef struct
> > {
> >     time_t sec;            // Event seconds
> >     unsigned int milli;    // millisecond of the timestamp
> >     unsigned long serial;  // Serial number of the event
> >     const char *host;      // Machine's name
> > } event_t;
> >
> > event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time
> > stamp of current record
> > time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds
> > of current record
> > time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds
> > time of current record
>
> What is the difference between get_timestamp and get_time and get_milli?
What they return.
> > int auparse_first_record(auparse_state_t *au) - set iterator to first
> > record in current event
> >
> > int auparse_next_record(auparse_state_t *au) - traverse to next record
> > in event. This allows access to the event type
>
> Is there something like a has_more_records or will next_record just fail
> if there is none?
Fail if there is none.
> > const char *auparse_interpret_field(auparse_state_t *au) - interpret
> > the current field
>
> What does interpreting mean here?
uid=0 becomes uid=root
> > if (!ausearch_set_param(au, "auid", "=", "500",
> > AUSEARCH_STOP_EVENT)) exit(1);
>
> Is there a special reason to pass in the comparison operator as a char*
> rather than a typedef'd int?
Ease of use from other languages.
-Steve
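The two format rules argued over in the thread, event identity as (host, timestamp, serial) and hex encoding of untrusted field values that contain a delimiter, together with the "uid=0 becomes uid=root" interpretation, can be exercised with a small stand-alone parser. The following is an added example written for this page; it is not code from auparse, libaudit or the audit project. The sample log lines are constructed, the `UNTRUSTED_FIELDS` set and the `UID_NAMES` table are assumptions standing in for the real field list and the passwd database, and `log_untrustedstring` is an approximation of the kernel behaviour the thread attributes to `audit_log_untrustedstring` (quote the value when it is safe, otherwise emit the whole value as ASCII hex). The `node=` field is used as the `host` member of the thread's `event_t`.

```python
"""Audit record parser modelled on the event/record/field design in the thread.
Added example for this page, not auparse code."""
import re
from collections import OrderedDict

# Assumption: fields whose values are under user control and are therefore
# emitted either double-quoted or hex-encoded. The real list is longer.
UNTRUSTED_FIELDS = {"comm", "exe", "name", "cwd", "acct", "a0", "a1"}

# Constructed stand-in for the passwd database so the example runs offline.
UID_NAMES = {0: "root", 500: "robert"}

# Any of these inside a value would collide with the record's own delimiters.
DELIMITERS = set(' ,="\'')

FIELD_RE = re.compile(r"""([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|'[^']*'|[^\s,]+)""")
STAMP_RE = re.compile(r"audit\((\d+)\.(\d{3}):(\d+)\)")

# Constructed sample: records 1-2 share timestamp and serial 301 (one event);
# records 3-4 share the same millisecond but carry serial 302 (second event);
# record 5 has no node= and a later timestamp. comm/exe/a0 in the second event
# contain a space, so the producer hex-encoded them ("my prog",
# "/home/robert/my prog").
SAMPLE = """\
node=host1 type=SYSCALL msg=audit(1142284822.123:301): arch=c000003e syscall=59 success=yes auid=500 uid=0 comm="id" exe="/usr/bin/id"
node=host1 type=PATH msg=audit(1142284822.123:301): item=0 name="/usr/bin/id" inode=1234
node=host1 type=SYSCALL msg=audit(1142284822.123:302): arch=c000003e syscall=59 success=yes auid=500 uid=500 comm=6D792070726F67 exe=2F686F6D652F726F626572742F6D792070726F67
node=host1 type=EXECVE msg=audit(1142284822.123:302): argc=2 a0=6D792070726F67 a1="-v"
type=USER_LOGIN msg=audit(1142284823.001:303): pid=999 uid=0 auid=500 res=success
"""


def log_untrustedstring(value: str) -> str:
    """Producer side (approximation): quote a safe value, otherwise hex-encode
    the whole value so no delimiter or control character reaches the log."""
    if any(c in DELIMITERS or ord(c) < 0x20 or ord(c) > 0x7E for c in value):
        return value.encode("utf-8").hex().upper()
    return f'"{value}"'


def decode_untrusted(value: str) -> str:
    """Consumer side: strip quotes from a quoted value; an even-length run of
    hex digits is the encoded form and is turned back into the original text."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value  # neither form, e.g. "(null)"; leave untouched


def parse_record(line: str) -> dict:
    """Split one record into name=value fields (space- or comma-separated) and
    pull the (sec, milli, serial) triple out of the msg=audit(...) stamp."""
    fields = OrderedDict()
    for name, raw in FIELD_RE.findall(line):
        fields[name] = decode_untrusted(raw) if name in UNTRUSTED_FIELDS else raw
    m = STAMP_RE.search(line)
    if m is None:
        raise ValueError(f"record has no audit(sec.milli:serial) stamp: {line!r}")
    sec, milli, serial = (int(x) for x in m.groups())
    return {"host": fields.get("node", ""), "sec": sec, "milli": milli,
            "serial": serial, "fields": fields}


def group_events(text: str) -> "OrderedDict[tuple, list]":
    """An event is every record with the same (host, sec, milli, serial).
    Records in the same millisecond stay distinct through the serial number."""
    events = OrderedDict()
    for line in text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events.setdefault((rec["host"], rec["sec"], rec["milli"], rec["serial"]), []).append(rec)
    return events


def interpret_field(name: str, value: str) -> str:
    """Interpretation in the thread's sense: uid=0 becomes uid=root."""
    if name in ("uid", "auid", "euid") and value.isdigit():
        return UID_NAMES.get(int(value), value)
    return value


if __name__ == "__main__":
    for (host, sec, milli, serial), recs in group_events(SAMPLE).items():
        print(f"event {host or '-'} {sec}.{milli:03d}:{serial} ({len(recs)} records)")
        for rec in recs:
            shown = ", ".join(f"{k}={interpret_field(k, v)}" for k, v in rec["fields"].items()
                              if k not in ("node", "msg"))
            print(f"  {shown}")
```

Running the block groups the five sample records into three events and shows the second event's `comm` and `exe` restored to `my prog` and `/home/robert/my prog`. The decoder only attempts hex decoding on fields it knows to be untrusted; a numeric field such as `inode=1234` is never decoded, which is why the consumer has to carry that field list rather than guess from the value's shape.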