Dispatcher - single line output (perl)

Leigh Purdie intersect at gmail.com
Thu May 25 00:22:08 UTC 2006


On 5/24/06, Steve Grubb <sgrubb at redhat.com> wrote:
> On Tuesday 23 May 2006 21:26, Leigh Purdie wrote:
> > Note the 228387 four from the top, and also after the 228390's.
> >
> > Is this something that should be considered a bug?
> > <snip>
> It might be, but it's not likely to get fixed soon (bigger fish to fry...). I'd
> work around it for now.

No worries. Easy done, at the expense of a bit of memory, and by
sacrificing near-real-time for 'within a few seconds of generation
time'.

> > Just spaces? How about inverted-commas, embedded newlines (or
> > Carriage-Returns), or other non-displaying characters that may be
> > valid on linux (or other) filesystems?
>
> This is the function that does it:
>
> http://sosdg.org/~coywolf/lxr/source/kernel/audit.c#L819
>
> if (*p == '"' || *p < 0x21 || *p > 0x7f)

Thanks. :)

> > Also, anyone have any thoughts on how to translate "eventid 11" to a
> > more human-readable "execve" in perl without writing my own C Header
> > translator?
>
> Are you meaning how to translate the raw time stamp/serial number? If so, I'd
> point to the ausearch source code. I don't program in perl so I may not be
> the best source of info. The long term plan is to have an audit event parsing
> library so that external apps do not have to have secret audit format
> knowledge. The audit parsing library could probably be turned into a perl
> module as could libaudit. If you wanted to send a patch for that, I'd be
> happy to integrate it. (Right now we only have python bindings.)

Nah, timestamps are fine. I was thinking of 'syscall=11'.
I can translate the value of '11' to 'execve' manually by grepping
through /usr/include/asm/unistd.h. However, it's a little harder
programmatically - particularly when:
* The system call numbers are subject to change (though, rarely), and
* The numbers might be slightly different for different architectures, and
* The header file might include things like:
   #define __NR_mq_notify          (__NR_mq_open+4)
... which makes a quick 'hack' in perl to scan in unistd.h, not worthwhile.

So, to rephrase my question slightly - is there a programmatic way to
turn syscall=5 into syscall=execve that anyone can suggest?

WRT perl, I'm language agnostic. If there's better support for audit
in python, I'll switch the code over. (Perl has, historically, been
more likely to be installed on server systems that are likely to be
running audit though).

Regards,

Leigh.
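A header scraper in the spirit of the question above, added here as an example and not part of the post or of the audit project: it reads the __NR_ defines of one architecture's unistd.h, resolves relative forms such as (__NR_mq_open+4) instead of giving up on them, and rewrites the syscall= field of an audit record. The header snippet and the record are constructed for the example.

```python
import re
# Constructed sample modeled on the i386 asm/unistd.h of the time (not a real
# file): plain literals plus the relative form the post complains about.
SAMPLE_UNISTD_H = """\
#define __NR_open                 5
#define __NR_execve              11
#define __NR_mq_open            277
#define __NR_mq_unlink          (__NR_mq_open+1)
#define __NR_mq_notify          (__NR_mq_open+4)
#define NR_syscalls 317
"""
# Constructed SYSCALL record in the audit(sec.ms:serial) style the post shows.
SAMPLE_RECORD = 'type=SYSCALL msg=audit(1148516528.000:228387): arch=40000003 syscall=11 exit=0'
DEFINE_RE = re.compile(r'^\s*#\s*define\s+__NR_(\w+)\s+(.+?)\s*$')
REF_RE = re.compile(r'__NR_(\w+)')
TERM_RE = re.compile(r'[+-]?(?:0[xX][0-9a-fA-F]+|\d+)')

def parse_unistd(text):
    """Map syscall name -> number from the __NR_* defines of one unistd.h.
    A right-hand side may be a literal or a sum/difference of other __NR_*
    names and literals, e.g. (__NR_mq_open+4); anything else is rejected."""
    raw = {m.group(1): m.group(2)
           for m in map(DEFINE_RE.match, text.splitlines()) if m}
    table = {}

    def resolve(name, chain=()):
        if name in table:
            return table[name]
        if name in chain:
            raise ValueError("cyclic definition of __NR_%s" % name)
        rhs = raw[name]  # KeyError here: RHS references an undefined __NR_ name
        expr = REF_RE.sub(lambda m: str(resolve(m.group(1), chain + (name,))), rhs)
        expr = expr.replace('(', '').replace(')', '').replace(' ', '')
        terms = TERM_RE.findall(expr)
        if ''.join(terms) != expr:  # leftover text means an unsupported macro
            raise ValueError("unsupported expression for __NR_%s: %s" % (name, rhs))
        table[name] = sum(int(t, 0) for t in terms)
        return table[name]

    for name in raw:
        resolve(name)
    return table

SYSCALL_FIELD = re.compile(r'\bsyscall=(\d+)\b')

def translate_syscall_field(record, table):
    """Rewrite syscall=<n> to syscall=<name>; unknown numbers are left as-is."""
    by_number = {num: name for name, num in table.items()}
    return SYSCALL_FIELD.sub(
        lambda m: 'syscall=' + by_number.get(int(m.group(1)), m.group(1)), record)
```

The table is per architecture, so build it from the header that matches the record's arch= field rather than the local machine's. Later audit-userspace releases ship ausyscall(8) and libauparse, which do this lookup without scraping headers.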
