Changes to Audit record format

John D. Ramsdell ramsdell at mitre.org
Wed Mar 15 19:38:27 UTC 2006


Loulwa Salem <loulwas at us.ibm.com> writes:

> 	All two-word fields should have an "_" between the words
> rather than a space (since we use the space as a delimiter, which makes
> the most sense, we end up with lonely words that need to be ignored
> currently). Using "_" would make life easier instead.

I'm confused.  Are you talking about ausearch output, or about the
names that will be returned by the parsing library's functions?  If
it's the ausearch output, records of type SOCKADDR fail to meet your
parsing requirements.  It's as if colon becomes the name/value pair
separator.

John

----
type=SOCKETCALL msg=audit(03/15/2006 11:24:10.541:1858) : nargs=3 a0=3 a1=bfaecee4 a2=10
type=SOCKADDR msg=audit(03/15/2006 11:24:10.541:1858) : saddr=inet host:0.0.0.0 serv:9999
type=SYSCALL msg=audit(03/15/2006 11:24:10.541:1858) : arch=i386 syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bfaeada0 a2=bfaecee4 a3=bfaecfc4 items=0 pid=20786 auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 comm=broadcast exe=/home/ramsdell/scm/polgen/src/daemon-example/broadcast subj=user_u:system_r:unconfined_t:s0-s0:c0.c255

> 
> I am breaking this by audit type and grouping those types that share
> the same format together ...
> 
> 1- DAEMON_START
> 	Remove "," between fields, leave spaces only
> 	Change "auditd pid=" to "auditd_pid="
> 
> 2- DAEMON_END
> 	Remove "," between fields, leave spaces only
> 	Change "sending auid=" to "sending_auid=" or just "auid="
> 	Change "auditd pid=" to "auditd_pid="
> 
> 3- CONFIG_CHANGE
>     type=CONFIG_CHANGE ... audit_enabled=1 old=1 by auid=0
> 	Is there a reason we have the "by" word in there?
> 
>     type=CONFIG_CHANGE ... auid=0 add rule to list=2 res=1
> 	This is how I am understanding this: the message is "add rule
> to list=2". however the fact that we have "list=2" makes it sound like
> the message is "add rule to" and a field is "list=2".
> 	Can we change that to something like (auid=0 add rule to list
> 2 res=1) or (auid=0 add rule to list_2 res=1)?
> 
> 4- USER_CHAUTHTOK
>     type=USER_CHAUTHTOK ... user pid=13827 uid=0 auid=0
> msg='op=changing name acct=laf_c exe="/usr/sbin/usermod" (hostname=?,
> addr=?, terminal=pts/1 res=success)'
> 	Remove "," between fields, leave spaces only
> 	Change "user pid=" to "user_pid="
> 	What happened to msg='SomeString. For example, it might be
> gpasswd, or passwd, or some PAM msg, etc. Our cases were checking
> for that string, so what happened to it? In some cases it still
> prints, but not others; is there a reason for that?
> 
>     type=USER_CHAUTHTOK ... user pid=12862 uid=0 auid=0 msg='password
> aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2,
> inact=-2: exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1
> res=success)'
> 	Please remove all those "," and just leave spaces
> 	Remove "-" before "acct="
> 	Note that msg='SomeString is shown, unlike previous example.
> 
> 5- USER_ACCT, USER_START, USER_END, USER_AUTH, USER_LOGIN
> 	Change "user pid=" to "user_pid="
> 	Remove the lonely ":" after "acct=" field
> 	Remove "," and just leave spaces
> 	Again, some of these have a "msg=" field with no value.
> 
> 6- CRED_DISP, CRED_ACQ, CRED_REFR
> 	Change "user pid=" to "user_pid="
> 	Remove the lonely ":" after "acct=" field
> 
> 7- USYS_CONFIG
> 	Change "user pid=" to "user_pid="
> 	Remove "," and just leave spaces
> 
> These are the records I see right now. At the moment I am not seeing
> any watch records so I don't know if those have formatting
> issues... I'll add to this list as I find more.
> 
> Thanks,
> - Loulwa
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
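The two complaints in this exchange (two-word field names that leave a "lonely word" after splitting on spaces, and the SOCKADDR record whose sub-fields use a colon rather than "=") are easiest to see by running a name=value splitter over the records quoted above. The parser below is an added example written for this page; it is not code from the audit project or from either poster. It keeps quoted and parenthesised values together, descends into the quoted msg='...' sub-record (treating commas and parentheses as separators), handles SOCKADDR's host:/serv: sub-fields, and returns every token it cannot place as a leftover. The sample records are constructed: the three from John's ausearch output with the e-mail line wrapping undone, plus one USER_CHAUTHTOK record modelled on the one Loulwa quotes (the elided part of her record is filled with an assumed event stamp).

```python
"""Parser for ausearch -i style audit records as discussed in this thread.
Added example; not code from the audit project or from either poster.

A record is a run of name=value fields separated by spaces, with two quirks:
  * msg='...' wraps a quoted sub-record whose fields may be separated by
    commas and grouped in parentheses (USER_CHAUTHTOK, USER_ACCT, ...);
  * a SOCKADDR record's saddr value is followed by name:value sub-fields
    (host:, serv:) rather than name=value ones.
Anything that is not name=value comes back as a leftover (a "lonely word")."""
from typing import Dict, List, Optional, Tuple

Fields = Dict[str, str]
Parsed = Tuple[Fields, List[str]]

# Constructed samples: the thread's three records with line wrapping undone,
# plus a USER_CHAUTHTOK record modelled on the quoted one (event stamp assumed).
SAMPLE_RECORDS = [
    "type=SOCKETCALL msg=audit(03/15/2006 11:24:10.541:1858) : nargs=3 a0=3 a1=bfaecee4 a2=10",
    "type=SOCKADDR msg=audit(03/15/2006 11:24:10.541:1858) : saddr=inet host:0.0.0.0 serv:9999",
    "type=SYSCALL msg=audit(03/15/2006 11:24:10.541:1858) : arch=i386 syscall=socketcall(bind) "
    "success=yes exit=0 a0=2 a1=bfaeada0 a2=bfaecee4 a3=bfaecfc4 items=0 pid=20786 auid=ramsdell "
    "uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 "
    "comm=broadcast exe=/home/ramsdell/scm/polgen/src/daemon-example/broadcast "
    "subj=user_u:system_r:unconfined_t:s0-s0:c0.c255",
    "type=USER_CHAUTHTOK msg=audit(03/15/2006 11:24:10.541:1859) : user pid=13827 uid=0 auid=0 "
    "msg='op=changing name acct=laf_c exe=\"/usr/sbin/usermod\" "
    "(hostname=?, addr=?, terminal=pts/1 res=success)'",
]


def tokenize(text: str) -> List[str]:
    """Split on whitespace, but keep quoted strings and parenthesised groups
    such as msg=audit(03/15/2006 11:24:10.541:1858) together as one token."""
    toks: List[str] = []
    cur: List[str] = []
    quote: Optional[str] = None
    depth = 0
    for ch in text:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            cur.append(ch)
        elif ch == ")":
            depth = max(depth - 1, 0)
            cur.append(ch)
        elif ch.isspace() and depth == 0:
            if cur:
                toks.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        toks.append("".join(cur))
    return toks


def split_pairs(tokens: List[str], sep: str = "=") -> Parsed:
    """Sort tokens into name<sep>value pairs and leftovers (lonely words)."""
    fields: Fields = {}
    leftovers: List[str] = []
    for tok in tokens:
        name, found, value = tok.partition(sep)
        if not found or not name.replace("_", "").replace("-", "").isalnum():
            leftovers.append(tok)
            continue
        if name == "msg" and value.startswith("audit("):
            name = "event"  # the event stamp; keep it apart from a later msg='...'
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # exe="/usr/sbin/usermod" -> /usr/sbin/usermod
        fields[name] = value
    return fields, leftovers


def parse_msg(value: str) -> Parsed:
    """Parse the quoted msg='...' sub-record: commas are separators and the
    parentheses are only grouping, so both are turned into whitespace."""
    inner = value[1:-1] if len(value) >= 2 and value[0] == value[-1] == "'" else value
    for ch in ",()":
        inner = inner.replace(ch, " ")
    return split_pairs(tokenize(inner))


def parse_record(line: str) -> dict:
    """Parse one record into top-level fields, the msg='...' sub-record (if
    any), SOCKADDR sub-fields (if any) and the tokens that fit nowhere."""
    fields, leftovers = split_pairs(tokenize(line))
    rec: dict = {"fields": fields, "msg": None, "saddr": None}
    if fields.get("msg", "").startswith("'"):
        rec["msg"] = parse_msg(fields["msg"])
    if fields.get("type") == "SOCKADDR":
        # saddr=inet host:0.0.0.0 serv:9999 -- sub-fields use ':' instead of '='
        sub, leftovers = split_pairs(leftovers, sep=":")
        rec["saddr"] = {"family": fields.get("saddr", ""), **sub}
    rec["leftovers"] = leftovers
    return rec


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(rec["fields"]["type"], "leftovers:", rec["leftovers"],
              "msg leftovers:", rec["msg"][1] if rec["msg"] else None)
```

Run stand-alone, it prints the leftovers per record: the bare ":" after the event stamp in every record, "user" from "user pid=" in the USER_CHAUTHTOK record, and "name" from "op=changing name" inside its msg='...' sub-record, while the SOCKADDR host:/serv: pair is only recoverable because the parser special-cases that record type. Values are returned as strings exactly as written (apart from stripped double quotes); the event stamp is stored under "event" so that the second msg= field of a user-space record does not overwrite it.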
