Audit Parsing Library Requirements

John D. Ramsdell ramsdell at mitre.org
Tue Mar 7 20:13:40 UTC 2006


Steve Grubb <sgrubb at redhat.com> writes:

> Are there any issues that need to be taken into account for Python
> compatibility?

When information flows only from the audit search program to a Python
program, one can connect the two via a pipe, and transmit an XML
document.  The following DTD captures the structure Steve described,
and the C code needed to generate data in this format is trivial.

    <!ELEMENT au (seq)*>
    <!ELEMENT seq (tab)+>
    <!ELEMENT tab (ent)+>
    <!ELEMENT ent EMPTY>
    <!ATTLIST ent
              key CDATA #REQUIRED
              val CDATA #REQUIRED>

For Python programs that dynamically link in the audit parsing
library, one would like to use a C interface that maps well to
the Python/C API described at:

http://docs.python.org/api/api.html

I haven't used this API in a while, as I've been embedding Lua into my
C applications when I want to extend a C program with internal
scripting.  I'll read the API carefully, and get back to you with any
issues I discover.

If we want to be scripting language neutral, we should use SWIG.

http://www.swig.org

Once again, I haven't used this in a long time, but I'll take a look
at it.  I know functions in the libsemanage interface are made
available to multiple languages via SWIG.  We could ask Tresys for
advice.

John

I end with output from the tool I currently use to reformat ausearch
output. 

<?xml version="1.0"?>
<!DOCTYPE au [
  <!ELEMENT au (seq)*>
  <!ELEMENT seq (tab)+>
  <!ELEMENT tab (ent)+>
  <!ELEMENT ent EMPTY>
  <!ATTLIST ent
            key CDATA #REQUIRED
            val CDATA #IMPLIED>
]>
<au>
<seq>
<tab>
<ent key="type" val="PATH"/>
<ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/>
<ent key=":"/>
<ent key="item" val="1"/>
<ent key="name" val="(null)"/>
<ent key="inode" val="17284616"/>
<ent key="dev" val="08:01"/>
<ent key="mode" val="file,755"/>
<ent key="ouid" val="root"/>
<ent key="ogid" val="root"/>
<ent key="rdev" val="00:00"/>
<ent key="obj" val="system_u:object_r:ld_so_t:s0"/>
</tab>
<tab>
<ent key="type" val="PATH"/>
<ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/>
<ent key=":"/>
<ent key="item" val="0"/>
<ent key="name" val="/bin/ls"/>
<ent key="inode" val="6678183"/>
<ent key="dev" val="08:01"/>
<ent key="mode" val="file,755"/>
<ent key="ouid" val="root"/>
<ent key="ogid" val="root"/>
<ent key="rdev" val="00:00"/>
<ent key="obj" val="system_u:object_r:ls_exec_t:s0"/>
</tab>
<tab>
<ent key="type" val="CWD"/>
<ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/>
<ent key=":"/>
<ent key="cwd" val="/home/bsniffen"/>
</tab>
<tab>
<ent key="type" val="SYSCALL"/>
<ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/>
<ent key=":"/>
<ent key="arch" val="i386"/>
<ent key="syscall" val="execve"/>
<ent key="success" val="yes"/>
<ent key="exit" val="0"/>
<ent key="a0" val="bfa05bd1"/>
<ent key="a1" val="bfa04408"/>
<ent key="a2" val="bfa04414"/>
<ent key="a3" val="bfa04408"/>
<ent key="items" val="2"/>
<ent key="pid" val="2202"/>
<ent key="auid" val="bsniffen"/>
<ent key="uid" val="root"/>
<ent key="gid" val="root"/>
<ent key="euid" val="root"/>
<ent key="suid" val="root"/>
<ent key="fsuid" val="root"/>
<ent key="egid" val="root"/>
<ent key="sgid" val="root"/>
<ent key="fsgid" val="root"/>
<ent key="tty" val="pts0"/>
<ent key="comm" val="ls"/>
<ent key="exe" val="/bin/ls"/>
<ent key="subj" val="user_u:system_r:unconfined_t:s0-s0:c0.c255"/>
</tab>
</seq>
</au>
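A Python consumer for the pipe-and-XML design described above, added here as an example; it is not part of the original post or of any audit tool. It assumes the appended DTD (val is #IMPLIED, so the ":" separator entry carries no value), constructs its own trimmed sample document, and regroups records into events by the serial number in the msg field.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the <au>/<seq>/<tab>/<ent> layout from the post:
# one event (serial 18) with a CWD record and a trimmed SYSCALL record.
SAMPLE_XML = """<au><seq>
<tab><ent key="type" val="CWD"/><ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/>
<ent key=":"/><ent key="cwd" val="/home/bsniffen"/></tab>
<tab><ent key="type" val="SYSCALL"/><ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/>
<ent key=":"/><ent key="syscall" val="execve"/><ent key="auid" val="bsniffen"/>
<ent key="uid" val="root"/><ent key="exe" val="/bin/ls"/></tab>
</seq></au>"""

# msg looks like audit(03/07/2006 12:18:03.698:18); the last colon splits
# the timestamp from the event serial that ties the records together.
MSG_RE = re.compile(r"audit\((.*):(\d+)\)")

def parse_au(xml_text):
    """Return a list of events, each a list of record dicts (one per <tab>).
    An <ent> without val (e.g. the ":" separator, #IMPLIED) is skipped."""
    events = []
    for seq in ET.fromstring(xml_text).findall("seq"):
        records = []
        for tab in seq.findall("tab"):
            rec = {}
            for ent in tab.findall("ent"):
                if ent.get("val") is not None:
                    rec[ent.get("key")] = ent.get("val")
            records.append(rec)
        events.append(records)
    return events

def event_serial(records):
    """Serial shared by every record of one event; None if the records
    disagree, which means <tab>s were grouped into the wrong <seq>."""
    serials = set()
    for rec in records:
        m = MSG_RE.match(rec.get("msg", ""))
        serials.add(int(m.group(2)) if m else None)
    return serials.pop() if len(serials) == 1 else None

def syscall_summary(records):
    """Fields a reviewer reads first from the SYSCALL record of an event:
    login user (auid), effective user (uid), binary (exe), call."""
    for rec in records:
        if rec.get("type") == "SYSCALL":
            return {k: rec.get(k) for k in ("auid", "uid", "exe", "syscall")}
    return None
```

Feeding the full ausearch-derived document from the post through parse_au yields one event of four records (two PATH, CWD, SYSCALL), all carrying serial 18.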

More information about the Linux-audit mailing list