Audit Parsing Library Requirements
Klaus Weidner
klaus at atsec.com
Wed Mar 8 02:10:02 UTC 2006
On Tue, Mar 07, 2006 at 03:23:41PM -0700, Debora Velarde wrote:
> Below are the structures that we (Loulwa Salem, Mike Thompson, Tim Chavez
> and I) had envisioned for the new API.
> Basically we imagine a list of lists. Below that are some function
> prototypes needed in the API.
[...]
> typedef struct syscall {
>     arch_t arch;
>     syscall_num_t syscall_num;
>     success_t success;
>     exit_t exit;
>     a_t a0;
>     a_t a1;
I think using C structures for each type of entry is a maintenance
nightmare, and you'd need to recompile code using them each time a
definition changes even if you don't care about any of the added fields.
Wouldn't it be much easier to conceptually treat the audit records as
hashes (collections of tag/value pairs), where the tags are strings and
the values are either also strings (for a very low-level interface), or
explicitly typed objects such as integers, strings, lists, etc.?
Something like this:
log = audit_log_open(file);
while ( (record = audit_get_record(log)) != NULL) {
    if (audit_record_match(record, "type", "syscall")) {
        /* get a typed object */
        item_t item = audit_record_get(record, "a0");
        if (item->type == T_INT) foo += item->intval;
        /* assume that a type is numeric, lib will
         * throw an error if that's not correct */
        int num = audit_record_get_int(record, "syscall_num");
        /* if you don't care about the type, get a string */
        char *success = audit_record_get_string(record, "success");
    } else {
        /* loop over all entries */
        iter = audit_item_iter(record);
        item_t item;
        while ( (item = audit_next_item(iter)) != NULL) {
            /* ... */
        }
    }
}
An iterator-based approach should be easy to use from Python as well.
If you worry about the efficiency or type-safety of string-based hash
references, abstract that out so that it's optimizable later. Something
like:
tag_t syscall_num = audit_get_tag("syscall");
for (...)
    n = audit_record_get(record, syscall_num);
(This approach is somewhat inspired by Lisp-style SEXP lists using
interned symbols and type-tagged data. Hey, it worked for 40 years, why
invent something new?)
-Klaus
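One way to put the tag/value idea into code, as an added example that is not part of this thread or of any audit library: a small C parser that turns one Linux audit record line (key=value pairs, some values quoted) into a list of string pairs, plus the string, typed and match accessors the post sketches. The type names, function names, fixed buffer sizes and the sample line are assumptions made for this example.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_ITEMS 32
typedef struct { char key[32]; char val[128]; } item_t;   /* one tag/value pair, as strings */
typedef struct { int n; item_t items[MAX_ITEMS]; } record_t;
/* Parse one "key=value key=value ..." audit line into rec. A quoted value keeps only its
 * inner text; an unquoted one runs to the next space. Returns the pair count, or -1 on
 * a token without '=' or an unterminated quote. (Layout and names are assumed here.) */
int audit_parse_record(const char *line, record_t *rec) {
    const char *p = line; rec->n = 0;
    while (*p && rec->n < MAX_ITEMS) {
        while (*p == ' ' || *p == '\n') p++;
        if (!*p) break;
        const char *eq = strchr(p, '=');
        if (!eq || memchr(p, ' ', (size_t)(eq - p))) return -1;
        item_t *it = &rec->items[rec->n];
        size_t klen = (size_t)(eq - p);
        if (klen >= sizeof it->key) klen = sizeof it->key - 1;   /* truncate, never overflow */
        memcpy(it->key, p, klen); it->key[klen] = '\0';
        p = eq + 1;
        const char *end;
        if (*p == '"') { p++; end = strchr(p, '"'); if (!end) return -1; }
        else { end = p; while (*end && *end != ' ' && *end != '\n') end++; }
        size_t vlen = (size_t)(end - p);
        if (vlen >= sizeof it->val) vlen = sizeof it->val - 1;
        memcpy(it->val, p, vlen); it->val[vlen] = '\0';
        p = (*end == '"') ? end + 1 : end;
        rec->n++;
    }
    return rec->n;
}
/* String lookup by tag; NULL if the record has no such tag. */
const char *audit_record_get_string(const record_t *rec, const char *key) {
    for (int i = 0; i < rec->n; i++)
        if (strcmp(rec->items[i].key, key) == 0) return rec->items[i].val;
    return NULL;
}
/* Typed lookup: 0 on success, -1 if the tag is missing, -2 if the value is not an
 * integer in the given base (arch= is hex; syscall=, exit=, pid= are decimal). */
int audit_record_get_int(const record_t *rec, const char *key, int base, long *out) {
    const char *s = audit_record_get_string(rec, key);
    char *end; if (!s) return -1;
    *out = strtol(s, &end, base);
    return (*s && *end == '\0') ? 0 : -2;
}
/* Tag/value equality test for record filtering, e.g. on type=SYSCALL. */
int audit_record_match(const record_t *rec, const char *key, const char *val) {
    const char *s = audit_record_get_string(rec, key);
    return s != NULL && strcmp(s, val) == 0;
}
```

A caller that only wants the string view never touches the typed accessor, and a new field in the kernel's record format shows up as one more pair without any struct change or recompile.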