Proposed additions to ausearch

Burn Alting burn at swtf.dyndns.org
Sun May 5 08:21:57 UTC 2013


All,
 
I have completed all the items listed below against ausearch. That is
 
        - it can now checkpoint itself, in that, successive invocations
        will only display new events
        
        - a new option will print out more parser friendly output for
        interpreted mode
        
        - a new option will also print out some values both in its
        original as well as interpreted form
 
Whilst doing this, I fixed some very minor bugs or annoyances.

        - when ausearch processes events, incomplete events are
        considered as complete (and hence printed) when ausearch
        encounters an EOF on input. Now, ausearch will carry over
        incomplete events, providing the opportunity to complete them,
        unless it's the last file ausearch is processing
        
        - ausearch -i now identifies ANY quoted values on input and
        considers these values of type T_ESCAPED and hence will be
        processed via the print_escaped() routine. It was noticed keys
        such as ocomm, dev and op could have quoted values as per
                ... opid=717 oauid=42 ouid=0 oses=1
                obj=system_u:system_r:xdm_t:s0-s0:c0.c1023
                ocomm="gdm-session-wor"
                ... avc:  denied  { read } for  pid=21340
                comm="unix_chkpwd" name="libaudit.so.1.0.0" dev="dm-1"
                ino=394483
                scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
                tcontext=system_u:object_r:default_t:s0 tclass=file
                ... auid=4294967295 ses=4294967295
                subj=system_u:system_r:init_t:s0 op="add rule"
                key="time-change" list=4 res=1
        The change identifies ANY value with double quotes around the
        value and offers their interpretation via the print_escaped()
        routine. The alternative is to add the above three keys to the
        typetab[] array.
        
        - when processing flag values in interpretive mode, a trailing
        space was always printed whether the flags key value pair was
        the last pair on the event record or not.
 
Should I submit this as one patch or multiple? I have a single patch
file (including mods to ausearch.8) but if required, I may be able to
present each new feature as its own patch and/or the bugs as a group.

The patch(es) would be against audit-2.3.

Regards
Burn
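As an added illustration of the checkpoint feature and of the "carry incomplete events over to the next file" fix described above (this is example code written for this page, not ausearch's own implementation): records are grouped into events by their msg=audit(time:serial) stamp, an event that straddles audit.log.1 and audit.log is held in a pending table until its remaining records arrive, and the last complete event printed is written to a checkpoint file so a later run prints only newer events. The completion rule (an event is complete once a record with a later stamp has been seen, or at EOF of the last file) and the checkpoint contents (last event stamp plus device and inode of the last file read) are simplifications chosen for the example; the log lines are constructed, not real audit output.

```python
"""Added example, not ausearch's own code: group raw audit records into
events, carry an incomplete event across a file boundary, and checkpoint
the last complete event so that a later run prints only newer events.
The completion rule and checkpoint contents are simplifications."""
import json
import os
import re
import tempfile

MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")


def event_key(record):
    """(secs, millis, serial): identifies the event a record belongs to."""
    m = MSG_RE.search(record)
    if not m:
        raise ValueError("no msg=audit(...) stamp in record: %r" % record)
    return tuple(int(x) for x in m.groups())


def read_events(lines, pending, last_file):
    """Yield (key, records) for events known to be complete, in order.
    `pending` (key -> records) is shared across files, so an event whose
    records straddle audit.log.1/audit.log is printed whole.  Simplified
    rule: an event is complete once a record with a later key arrives; at
    EOF of the last file everything still pending is flushed."""
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        key = event_key(line)
        pending.setdefault(key, []).append(line)
        for k in sorted(pending):
            if k < key:
                yield k, pending.pop(k)
    if last_file:
        for k in sorted(pending):
            yield k, pending.pop(k)


def load_checkpoint(path):
    try:
        with open(path) as f:
            return tuple(json.load(f)["last_event"])
    except (OSError, ValueError, KeyError):
        return None  # first run or unreadable checkpoint: print everything


def save_checkpoint(path, key, filename):
    st = os.stat(filename)
    state = {"last_event": list(key), "dev": st.st_dev, "ino": st.st_ino}
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)  # atomic: a crash cannot leave a truncated checkpoint


def search(files, checkpoint):
    """Return new complete events across `files` (oldest first) as a list of
    (key, records), skipping everything at or before the checkpointed event."""
    last = load_checkpoint(checkpoint)
    pending, out = {}, []
    for i, name in enumerate(files):
        with open(name) as f:
            for key, recs in read_events(f, pending, i == len(files) - 1):
                if last is None or key > last:
                    out.append((key, recs))
    if out:
        save_checkpoint(checkpoint, out[-1][0], files[-1])
    return out


def demo(workdir=None):
    """Three runs over constructed records (not real logs); returns, per run,
    the (serial, record count) of each event that would be printed."""
    workdir = workdir or tempfile.mkdtemp()
    old = os.path.join(workdir, "audit.log.1")  # rotated, older file
    new = os.path.join(workdir, "audit.log")    # current file
    ckpt = os.path.join(workdir, "ausearch.ckpt")
    with open(old, "w") as f:  # event 101 starts here and ends in audit.log
        f.write('type=SYSCALL msg=audit(1367726517.123:100): syscall=59 success=yes comm="bash"\n'
                'type=EXECVE msg=audit(1367726517.123:100): argc=1 a0="ls"\n'
                'type=SYSCALL msg=audit(1367726520.456:101): syscall=2 success=no exit=-13 comm="cat"\n')
    with open(new, "w") as f:
        f.write('type=PATH msg=audit(1367726520.456:101): item=0 name="/etc/shadow" inode=394483\n'
                'type=SYSCALL msg=audit(1367726530.789:102): syscall=59 success=yes comm="id"\n')

    def summary(events):
        return [(k[2], len(r)) for k, r in events]

    run1 = summary(search([old, new], ckpt))
    run2 = summary(search([old, new], ckpt))  # same files again: nothing new
    with open(new, "a") as f:
        f.write('type=USER_LOGIN msg=audit(1367726600.001:103): pid=1 uid=0 res=success\n')
    run3 = summary(search([old, new], ckpt))  # only the appended event
    return run1, run2, run3


if __name__ == "__main__":
    print(demo())
```

The first run prints events 100, 101 and 102, with 101 assembled from records in two files; the second run prints nothing; after a new event is appended, the third run prints only 103. Note the trade-off the mail points out: an event that is still incomplete at EOF of the last file is flushed anyway, so records for it that arrive later are never printed.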

On Sat, 2013-04-20 at 22:22 +1000, Burn Alting wrote:
> I want to add a number of features to ausearch and would like the list
> to make comment on my proposals before implementing same.
> 
> #1
> Have ausearch only output whole events (all supplemental records of an
> event must be present in the audit.log files to be output) and maintain
> state to know the last whole event displayed.
> 
> The use case is for when one periodically processes the audit log files
> and the last log file opened does not necessarily hold whole events for
> the last few events in the file.
> 
> One could possibly achieve this using the --start/--end arguments to
> ausearch but it would be challenging to work out the appropriate
> start/end times on a high log throughput system.
> 
> My plan is to maintain state recording the last whole event displayed
> along with details of the file it resided in (eg inode, etc).
> 
> #2
> Add a 'parser friendly' option to ausearch's -i output such that it is
> more friendly for parsing. As we know, the -i argument causes output in
> the form of
>   - a "header" comprising
>     - the node if present as a key value pair
>     - the event type as a key value pair
>     - the message date/time and serial
>   - a colon
>   - a series of key value pairs
> 
> The new option would have output that
>   - surrounds all values with double quotes
>   - escape embedded double quote and backslash characters in the value
> with the backslash character '\'
>   - translate embedded newlines or carriage returns into '\n' and '\r'
> respectively
>   - translate all non-printing characters into escaped octal values or
> some other recommended text based format.
> 
> #3
> Add an option to include the original value as well as the interpreted
> value when interpretation (-i) is requested. This would be for specified
> keys or key types.
> 
> One use case would be for user or group names to include the original
> uid/gids. This is to aid de-conflicting inadvertent user or group
> attribution across an enterprise environment.
> 
> The option would have arguments that identify what key values will have
> both original and interpreted values.
> 
> Regards
> Burn Alting
> 
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
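As an added example of proposals #2 and #3 above, together with the "any double-quoted value is an escaped string" change from the reply (this is code written for this page, not ausearch's own): each raw record is split into its header and its key=value pairs, hex-encoded values of known string keys are decoded, every value is re-emitted double-quoted with embedded quote and backslash escaped, newline and carriage return as \n and \r, and other non-printing bytes as three-digit octal escapes; uid/gid keys named in a `dual` set are printed as name(original). The uid/gid tables, the subset of string keys, the name(original) layout and the sample records are assumptions made for the example.

```python
"""Added example, not ausearch's own code: render raw audit records in a
parser-friendly form of the kind proposed for -i (all values double-quoted,
embedded quote/backslash escaped, newline/CR as \n/\r, other non-printing
bytes as \ooo), treat any double-quoted raw value as an escaped string,
and optionally print uid/gid fields as name(original)."""
import re

# Constructed lookup tables standing in for pwd/grp; 4294967295 is the
# kernel's "unset" sentinel, which ausearch -i prints as "unset".
USERS = {0: "root", 1000: "alice"}
GROUPS = {0: "root", 1000: "alice"}
UNSET = 4294967295
UID_KEYS = {"uid", "auid", "euid", "suid", "fsuid", "ouid", "oauid"}
GID_KEYS = {"gid", "egid", "sgid", "fsgid", "ogid"}
# Keys whose raw value the kernel hex-encodes when it holds special bytes
# (a hand-picked subset of ausearch's typetab, assumed for this example).
ESCAPED_KEYS = {"comm", "exe", "cwd", "name", "proctitle", "key", "ocomm",
                "dev", "op", "acct", "hostname", "terminal"}

HEADER_RE = re.compile(r"^(?:node=(\S+) )?type=(\S+) msg=audit\(([^)]+)\):\s*(.*)$")
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def decode_raw(raw):
    """A double-quoted raw value is taken verbatim (the point of the change
    in the mail); an upper-case hex string is the kernel's encoding of a
    string containing bytes it will not emit literally."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("latin-1")
    return raw


def escape(value):
    """Quote a value so a reader can split the record on spaces and strip the
    quotes without ever meeting a bare '"' or a raw control byte."""
    out = []
    for ch in value:
        if ch in '\\"':
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif not 0x20 <= ord(ch) < 0x7F:
            out.append("\\%03o" % ord(ch))
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def interpret(key, value, dual):
    """Map numeric uid/gid keys to names; keys listed in `dual` keep the
    original number as name(number) so cross-host attribution stays checkable."""
    if key not in UID_KEYS and key not in GID_KEYS:
        return value
    try:
        n = int(value)
    except ValueError:
        return value
    table = USERS if key in UID_KEYS else GROUPS
    name = "unset" if n == UNSET else table.get(n, "unknown")
    return "%s(%s)" % (name, value) if key in dual else name


def format_record(line, dual=frozenset()):
    """One raw record in, one parser-friendly line out (no trailing space)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    node, rtype, stamp, rest = m.groups()
    header = ["node=" + escape(node)] if node else []
    header += ["type=" + escape(rtype), "msg=" + escape("audit(" + stamp + ")")]
    pairs = []
    for key, raw in PAIR_RE.findall(rest):
        value = decode_raw(raw) if key in ESCAPED_KEYS or raw.startswith('"') else raw
        pairs.append(key + "=" + escape(interpret(key, value, dual)))
    return " ".join(header) + " : " + " ".join(pairs)


# Constructed records (not real logs); the proctitle is hex for: echo NUL " \ LF
SAMPLE = [
    'type=SYSCALL msg=audit(1367726517.123:100): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=4294967295 uid=1000 gid=1000 comm="bash" key=(null)',
    'type=PROCTITLE msg=audit(1367726517.123:100): proctitle=6563686F00225C0A',
    'type=CONFIG_CHANGE msg=audit(1367726600.001:205): auid=4294967295 ses=4294967295 '
    'subj=system_u:system_r:init_t:s0 op="add rule" key="time-change" list=4 res=1',
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(format_record(rec, dual={"uid", "auid"}))
```

Two points worth noting from running it: `arch=c000003e` is left alone even though it looks like hex, because hex decoding is still driven by the key type table and only the quote test is key-independent; and `op="add rule"` survives as one field with an embedded space, which a naive split on whitespace of the raw record would have broken.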
