[RFC] New ausearch output option & audit viewing in Spacewalk
Steve Grubb
sgrubb at redhat.com
Mon Jun 8 18:06:16 UTC 2009
On Monday 08 June 2009 01:43:52 pm John Dennis wrote:
> [Steve may want to correct and/or comment about my statements on the
> parsing logic which is in ausearch.]
>
> The idea is interesting but I think this is the wrong implementation
> approach, there should only be one library which knows how to read audit
> data, namely libauparse. The code you've added is duplicating some of
> the logic in libauparse.
Actually, if you look at the test cases in the auparse library, you will see
that it basically does the same thing. The core code from the test cases is
this:
#include <stdio.h>
#include <stdlib.h>
#include <auparse.h>

int main(void)
{
    /* AUSOURCE_LOGS reads the audit log(s) configured in auditd.conf */
    auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL);
    if (au == NULL) {
        perror("auparse_init");
        exit(1);
    }
    do {        /* for each event */
        if (auparse_first_record(au) <= 0)
            exit(1);
        do {    /* for each record of the event */
            const au_event_t *e = auparse_get_timestamp(au);
            if (e == NULL)
                exit(1);
            printf(" event time: %u.%u:%lu, host=%s\n",
                   (unsigned)e->sec,
                   e->milli, e->serial, e->host ? e->host : "?");
            auparse_first_field(au);
            do {    /* for each field: raw name, raw value, interpreted value */
                printf(" %s=%s (%s)\n",
                       auparse_get_field_name(au),
                       auparse_get_field_str(au),
                       auparse_interpret_field(au));
            } while (auparse_next_field(au) > 0);
            printf("\n");
        } while (auparse_next_record(au) > 0);
    } while (auparse_next_event(au) > 0);
    auparse_destroy(au);
    return 0;
}
One could easily make a single purpose program in probably less than 30 lines
of code that reproduces the same output as patching ausearch. The auparse
library still can't reconnect interlaced records, but you could init the app
with AUSOURCE_DESCRIPTOR as the data source (for stdin) and pipe the output of
ausearch --raw into the single purpose reformatter.
> If the audit format ever changes (or you have a
> parsing bug) then this code will break. The fact ausearch has logic in
> it to parse audit data is historical, at the time ausearch was written
> libauparse did not exist yet. I believe Steve has said that ausearch
> needs to be rewritten to layer on top of libauparse.
This is very true. Some day it will be layered on top of auparse.
-Steve
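The stdin reformatter sketched above, as an added example for this page (not code from auparse, ausearch or the patch under discussion). Because it has to run without libauparse, it re-implements the minimal parse of the raw record header (`node=`, `type=`, `msg=audit(sec.milli:serial):`, then name=value fields) that the reply says a real tool should leave to auparse_init(AUSOURCE_DESCRIPTOR, &fd); what it demonstrates is the event/record/field walk from the test program and the one point the reply flags, joining records of the same stamp even when another event's records arrive between them. It prints no interpreted column, since uid and syscall lookups are exactly what libauparse adds. The sample records, the host name web1 and the serials are constructed for the example.

```python
"""Stand-in for the single-purpose reformatter described in the reply above.

Added example for this page, not code from auparse or the audit project.
It reads `ausearch --raw` style records (one per line), groups records that
share an audit(sec.milli:serial) stamp into one event, and prints each event
in the event/record/field layout of the auparse test program.  The header
parsing is a minimal pure-Python re-implementation written only so the
example runs without libauparse; a real tool should hand stdin to
auparse_init(AUSOURCE_DESCRIPTOR, &fd) instead, as the reply recommends.
"""
import re
import sys

# Record header: optional "node=host " (audisp remote logging), then
# "type=TYPE msg=audit(SEC.MILLI:SERIAL): rest-of-fields"
_HEAD = re.compile(
    r'^(?:node=(?P<host>\S+) )?type=(?P<type>\S+) '
    r'msg=audit\((?P<sec>\d+)\.(?P<milli>\d{3}):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
# name=value pairs; a value is bare, or quoted with " or ' (USER_* msg='...' has spaces)
_FIELD = re.compile(r'''(\S+?)=('[^']*'|"[^"]*"|\S*)''')


def parse_record(line):
    """One raw line -> dict with stamp parts and ordered (name, value) fields,
    or None for the '----' separators and blank lines ausearch may emit."""
    m = _HEAD.match(line.strip())
    if m is None:
        return None
    fields = [("type", m.group("type"))]
    fields += _FIELD.findall(m.group("rest"))
    return {
        "host": m.group("host"),
        "sec": int(m.group("sec")),
        "milli": int(m.group("milli")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def group_events(lines):
    """Return a list of events, each a list of records, in order of first
    appearance.  Records with the same stamp are joined into one event even
    when another event's records arrive between them (interlaced records)."""
    events = {}                      # dict keeps insertion order (Python 3.7+)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        key = (rec["sec"], rec["milli"], rec["serial"])
        events.setdefault(key, []).append(rec)
    return list(events.values())


def format_event(records):
    """Render one event the way the auparse walk prints it: a timestamp line,
    then name=value per field, blank line after each record.  No interpreted
    column: uid->name and syscall->name lookups are what libauparse adds."""
    first = records[0]
    out = ["event time: %d.%03d:%d, host=%s" % (
        first["sec"], first["milli"], first["serial"], first["host"] or "?")]
    for rec in records:
        for name, value in rec["fields"]:
            out.append("  %s=%s" % (name, value))
        out.append("")
    return "\n".join(out)


def reformat(lines):
    """Whole pipeline: raw lines in, reformatted text out."""
    return "\n".join(format_event(ev) for ev in group_events(lines))


# Constructed sample (not real log data): a failed read of /etc/shadow
# (serial 100) with a PAM failure (serial 101) arriving between its records.
SAMPLE = """\
type=SYSCALL msg=audit(1244484000.123:100): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234 a1=0 items=1 pid=1001 auid=500 uid=500 comm="cat" exe="/bin/cat" key="shadow-read"
node=web1 type=USER_AUTH msg=audit(1244484000.400:101): pid=1002 uid=0 auid=500 ses=1 msg='op=PAM:authentication acct="root" exe="/bin/su" terminal=pts/0 res=failed'
type=CWD msg=audit(1244484000.123:100):  cwd="/home/alice"
type=PATH msg=audit(1244484000.123:100): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100000 ouid=0 ogid=0
----
"""

if __name__ == "__main__":
    # Usage: ausearch --raw | python3 reformat.py   (no stdin: uses SAMPLE)
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print(reformat(src))
```

Run it with `ausearch --raw | python3 reformat.py`. The grouping key is the full (sec, milli, serial) stamp rather than the serial alone, because serials restart when auditd restarts and a stamp is what ausearch itself uses to delimit an event.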