Changes to Audit record format

Hi,
As per the talk we had Monday on the call, here are some of the formatting issues we would like to see resolved for consistency and sanity of the parsers we have to write...

Basically .. here is what I am proposing we change in the formatting ..
Unnecessary stray symbols (",", ":", "(", ")", etc., surrounded by spaces on both sides) are a bit inconsistent and problematic (we deal with them currently, but it would be nice to get rid of them and thus the use of all the exception code to handle them). All two-word fields should have an "_" between the words rather than a space (since we use the space as a delimiter, which makes the most sense, we end up with lonely words that need to be ignored currently). Using "_" would make life easier instead.

I am breaking this by audit type and grouping those types that share the same format together ...

1- DAEMON_START
	Remove "," between fields, leave spaces only
	Change "auditd pid=" to "auditd_pid="

2- DAEMON_END
	Remove "," between fields, leave spaces only
	Change "sending auid=" to "sending_auid=" or just "auid="
	Change "auditd pid=" to "auditd_pid="

3- CONFIG_CHANGE
   type=CONFIG_CHANGE ... audit_enabled=1 old=1 by auid=0
	Is there a reason we have the "by" word in there?

   type=CONFIG_CHANGE ... auid=0 add rule to list=2 res=1
This is how I am understanding this.. the message is "add rule to list=2". However, the fact that we have "list=2" makes it sound like the message is "add rule to" and a field is "list=2". Can we change that to something like (auid=0 add rule to list 2 res=1) or (auid=0 add rule to list_2 res=1)?

4- USER_CHAUTHTOK
   type=USER_CHAUTHTOK ... user pid=13827 uid=0 auid=0 msg='op=changing name acct=laf_c exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1 res=success)'
	Remove "," between fields, leave spaces only
	Change "user pid=" to "user_pid="
What happened to msg='SomeString? For example, it might be gpasswd, or passwd, or some PAM msg, etc. Our cases were checking for that string, so what happened to it? In some cases it still prints, but not in others; is there a reason for that?

   type=USER_CHAUTHTOK ... user pid=12862 uid=0 auid=0 msg='password aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2, inact=-2: exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 res=success)'
	Please remove all those "," and just leave spaces
	Remove "-" before "acct="
	Note that msg='SomeString is shown, unlike in the previous example.

5- USER_ACCT, USER_START, USER_END, USER_AUTH, USER_LOGIN
	Change "user pid=" to "user_pid="
	Remove the lonely ":" after "acct=" field
	Remove "," and just leave spaces
	Again, some of these have a "msg=" field with no value.

6- CRED_DISP, CRED_ACQ, CRED_REFR
	Change "user pid=" to "user_pid="
	Remove the lonely ":" after "acct=" field

7- USYS_CONFIG
	Change "user pid=" to "user_pid="
	Remove "," and just leave spaces

These are the records I see right now. At the moment I am not seeing any watch records so I don't know if those have formatting issues... I'll add to this list as I find more.

Thanks,
- Loulwa
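As an added illustration (not part of the original mail or of the audit project's code), the following Python parser shows the problem the proposals above address: it tokenizes records in the space-delimited key=value syntax, parses the nested msg='...' body, and reports every stray token ("user", "by", ":", "(", ")") that belongs to no field. The two sample records are constructed, modelled on the USER_CHAUTHTOK lines quoted above, with the timestamp header omitted; the proposed-format sample applies the changes the mail asks for.

```python
import re
from typing import Dict, List, Tuple

# One match per token: a key=value field (quoted or bare value), a delimiter
# run, or a stray token, i.e. a word or punctuation run that belongs to no
# field and is exactly what the mail asks to remove ("user", "by", "(", ":").
TOKEN = re.compile(
    r"(?P<key>[A-Za-z_][A-Za-z0-9_-]*)=(?P<val>'[^']*'|\"[^\"]*\"|[^\s,:()]*)"
    r"|(?P<sep>[\s,]+)"
    r"|(?P<stray>\w+|[^\s,\w]+)"
)
FIRST_FIELD = re.compile(r"\b[A-Za-z_][A-Za-z0-9_-]*=")


def parse_record(line: str, prefix: str = "") -> Tuple[Dict[str, str], List[str]]:
    """Return (fields, strays) for one record; strays are the tokens a parser
    must special-case today. A single-quoted msg='...' body is parsed
    recursively under 'msg.'; free text before its first inner field (the
    program/PAM message the mail wants kept) is stored as 'msg.text'."""
    fields: Dict[str, str] = {}
    strays: List[str] = []
    for m in TOKEN.finditer(line):
        if m.group("sep"):
            continue
        if m.group("stray") is not None:
            strays.append(m.group("stray"))
            continue
        key, val = prefix + m.group("key"), m.group("val")
        if val.startswith("'"):  # nested msg='...' body
            inner = val[1:-1]
            cut = FIRST_FIELD.search(inner)
            head, tail = (inner[:cut.start()], inner[cut.start():]) if cut else (inner, "")
            if head.strip():
                fields[key + ".text"] = head.strip()
            sub_fields, sub_strays = parse_record(tail, key + ".")
            fields.update(sub_fields)
            strays.extend(sub_strays)
        else:
            fields[key] = val.strip('"')  # an empty value ("msg=") is kept as ""
    return fields, strays


# Constructed samples modelled on the records quoted in the mail (not real
# audit output); the leading timestamp header is omitted.
CURRENT = ("type=USER_CHAUTHTOK user pid=12862 uid=0 auid=0 msg='password aging data "
           "updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2, inact=-2: "
           "exe=\"/usr/bin/passwd\" (hostname=?, addr=?, terminal=pts/1 res=success)'")
PROPOSED = ("type=USER_CHAUTHTOK user_pid=12862 uid=0 auid=0 msg='password aging data "
            "updated acct=laf_a uid=500 min=-2 max=60 warn=-2 inact=-2 "
            "exe=\"/usr/bin/passwd\" hostname=? addr=? terminal=pts/1 res=success'")
```

`parse_record(CURRENT)` yields the strays `['user', ':', '(', ')']` and a bare `pid` field, while `parse_record(PROPOSED)` yields no strays and a `user_pid` field, which is the difference the proposed changes make for a parser.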

