Proposed additions to ausearch
Burn Alting
burn at swtf.dyndns.org
Sun May 5 08:21:57 UTC 2013
All,
I have completed all the items listed below against ausearch. That is
- it can now checkpoint itself, in that, successive invocations
will only display new events
- a new option will print out more parser friendly output for
interpreted mode
- a new option will also print out some values both in it's
original as well as interpreted form
Whilst doing this, I fixed some very minor bugs or annoyances.
- when ausearch processes events, incomplete events are
considered as complete (and hence printed) when ausearch
encounters an EOF on input. Now, ausearch will carry over
incomplete events, providing the opportunity to complete them,
unless it's the last file ausearch is processing
- ausearch -i now identifies ANY quoted values on input and
considers these values of type T_ESCAPED and hence will be
processed via the print_escaped() routine. It was noticed keys
such as ocomm, dev and op could have quoted values as per
... opid=717 oauid=42 ouid=0 oses=1
obj=system_u:system_r:xdm_t:s0-s0:c0.c1023
ocomm="gdm-session-wor"
... avc: denied { read } for pid=21340
comm="unix_chkpwd" name="libaudit.so.1.0.0" dev="dm-1"
ino=394483
scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:default_t:s0 tclass=file
... auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 op="add rule"
key="time-change" list=4 res=1
The change identifies ANY value with double quotes around the
value and offers their interpretation via the print_escaped()
routine. The alternative is to add the above three keys to the
typetab[] array.
- when processing flag values in interpretive mode, a trailing
space was always printed whether the flags key value pair was
the last pair on the event record or not.
Should I submit this as one patch or multiple? I have a single patch
file (including mods to ausearch.8) but if required, I may be able to
present each new feature as it's own patch and/or the bugs as a group.
The patch(es) would be against audit-2.3.
Regards
Burn
On Sat, 2013-04-20 at 22:22 +1000, Burn Alting wrote:
> I want to add a number of features to ausearch and would like the list
> to make comment on my proposals before implementing same.
>
> #1
> Have ausearch only output whole events (all supplemental records of an
> event must be present in the audit.log files to be output) and maintain
> state to know the last whole event displayed.
>
> The use case is for when one periodically processes the audit log files
> and the last log file opened does not necessarily hold whole events for
> the last few events in the file.
>
> One could possibly achieve this using the --start/--end arguments to
> ausearch but it would be challenging to work out the appropriate
> start/end times on a high log throughput system.
>
> My plan is to maintain state recording the last whole event displayed
> along with details of the file it resided in (eg inode, etc).
>
> #2
> Add a 'parser friendly' option to ausearch's -i output such that it is
> more friendly for parsing. As we know, the -i argument causes output in
> the form of
> - a "header" comprising
> - the node if present as a key value pair
> - the event type as a key value pair
> - the message date/time and serial
> - a colon
> - a series of key value pairs
>
> The new option would have output that
> - surrounds all values with double quotes
> - escape embedded double quote and backslash characters in the value
> with the backslash character '\'
> - translate embedded newlines or carriage returns into '\n' and '\r'
> respectively
> - translate all non-printing characters into escaped octal values or
> some other recommended text based format.
>
> #3
> Add an option to include the original value as well as the interpreted
> value when interpretation (-i) is requested. This would be for specified
> keys or, key types.
>
> One use case would be for user or group names to include the original
> uid/gids. This is to aid de-conflicting inadvertent user or group
> attribution across an enterprise environment.
>
> The option would have arguments that identify what key values will have
> both original and interpreted values.
>
> Regards
> Burn Alting
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list