Audit Parsing Library Requirements

Klaus Weidner klaus at atsec.com
Wed Mar 8 02:10:02 UTC 2006


On Tue, Mar 07, 2006 at 03:23:41PM -0700, Debora Velarde wrote:
> Below is what we (Loulwa Salem, Mike Thompson, Tim Chavez 
> and I) had envisioned the structures for the new API to look like. 
> Basically we imagine a list of lists.  Below that are some function 
> prototypes needed in the API. 
[...]
> typedef struct syscall {
>         arch_t arch;
>         syscall_num_t syscall_num;
>         success_t success;
>         exit_t exit;
>         a_t a0;
>         a_t a1;

I think using C structures for each type of entry is a maintenance
nightmare, and you'd need to recompile code using them each time a
definition changes even if you don't care about any of the added fields.

Wouldn't it be much easier to conceptually treat the audit records as
hashes (collections of tag/value pairs), where the tags are strings and
the values are either also strings (for a very low-level interface), or
explicitly typed objects such as integers, strings, lists, etc.?

Something like this:

	log = audit_log_open(file);

	while ( (record = audit_get_record(log)) != NULL) {
		if (audit_record_match(record, "type", "syscall")) {
			/* get a typed object */
			item_t *item = audit_record_get(record, "a0");
			if (item->type == T_INT) foo += item->intval;

			/* assume that the value is numeric; the lib will
			 * throw an error if that's not correct */
			int num = audit_record_get_int(record, "syscall_num");

			/* if you don't care about the type, get a string */
			char *success = audit_record_get_string(record, "success");
		} else {
			/* loop over all entries */

			iter = audit_item_iter(record);
			item_t *item;
			while ( (item = audit_next_item(iter)) != NULL) {
				/* ... */
			}
		}
	}

An iterator-based approach should be easy to use from Python as well.

If you worry about the efficiency or type-safety of string-based hash
references, abstract that out so that it's optimizable later. Something
like:

	tag_t syscall_num = audit_get_tag("syscall");

	for (...)
		n = audit_record_get(record, syscall_num);

(This approach is somewhat inspired by Lisp-style SEXP lists using
interned symbols and type-tagged data. Hey, it worked for 40 years, why
invent something new?)

-Klaus
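The record-as-hash design and the interned-tag refinement from the message above, carried through as one added example. This is not Klaus's code and not the API of any real libaudit or auparse; every type and function name (`audit_record_parse`, `audit_get_tag`, `audit_record_get_int`, `audit_item_iter`, `audit_next_item`, and so on) is an assumption chosen to follow his sketch, and the two sample log lines are constructed, not captured from a system.

```c
/* Added example, not Klaus's code nor any real libaudit/auparse API: tag/value
 * records with interned tags, typed values, checked getters and an iterator. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ITEMS 32
#define MAX_TAGS  64
#define STR_LEN   64                     /* bound for tag names and values */

typedef enum { T_STRING, T_INT } item_type_t;
typedef const char *tag_t;               /* interned tag: compare with == */
typedef struct { tag_t tag; item_type_t type; char strval[STR_LEN]; long intval; } item_t;
typedef struct { int count; item_t items[MAX_ITEMS]; } record_t;
typedef struct { const record_t *rec; int pos; } iter_t;

/* Tag interning: one stable pointer per distinct name, so a lookup is a
 * pointer comparison instead of a strcmp against every item. */
static char tag_table[MAX_TAGS][STR_LEN];
static int tag_count;

tag_t audit_get_tag(const char *name)
{
    for (int i = 0; i < tag_count; i++)
        if (strcmp(tag_table[i], name) == 0) return tag_table[i];
    if (tag_count == MAX_TAGS || strlen(name) >= STR_LEN) return NULL;
    return strcpy(tag_table[tag_count++], name);
}

/* Parse one "key=value key=value ..." line; double-quoted values may hold
 * spaces. Plain decimal values become T_INT; everything else (including hex
 * fields such as arch= and a0=) stays T_STRING. Returns item count, or -1. */
int audit_record_parse(const char *line, record_t *rec)
{
    const char *p = line;
    rec->count = 0;
    while (*(p += strspn(p, " \n")) != '\0') {
        size_t klen = strcspn(p, "= \n");
        if (p[klen] != '=' || klen == 0 || klen >= STR_LEN || rec->count == MAX_ITEMS)
            return -1;
        const char *v = p + klen + 1, *end;
        if (*v == '"') end = strchr(++v, '"');           /* quoted value */
        else end = v + strcspn(v, " \n");
        if (end == NULL || end - v >= STR_LEN) return -1;
        item_t *it = &rec->items[rec->count++];
        char key[STR_LEN];
        memcpy(key, p, klen), key[klen] = '\0';
        memcpy(it->strval, v, end - v), it->strval[end - v] = '\0';
        if ((it->tag = audit_get_tag(key)) == NULL) return -1;
        char *endp;
        errno = 0;                                       /* strtol reports overflow in errno */
        it->intval = strtol(it->strval, &endp, 10);      /* only meaningful when T_INT */
        it->type = (end > v && *endp == '\0' && errno == 0) ? T_INT : T_STRING;
        p = *end == '"' ? end + 1 : end;
    }
    return rec->count;
}

/* Typed object lookup; NULL when the record has no such tag. */
item_t *audit_record_get(record_t *rec, const char *tag)
{
    tag_t t = audit_get_tag(tag);
    for (int i = 0; i < rec->count; i++)
        if (rec->items[i].tag == t) return &rec->items[i];
    return NULL;
}

/* Numeric getter: fails with -1 (no silent 0) when the field is missing or not
 * numeric, the "throw an error" case in the sketch. */
int audit_record_get_int(record_t *rec, const char *tag, long *out)
{
    item_t *it = audit_record_get(rec, tag);
    if (it == NULL || it->type != T_INT) return -1;
    *out = it->intval;
    return 0;
}

const char *audit_record_get_string(record_t *rec, const char *tag)
{ item_t *it = audit_record_get(rec, tag); return it ? it->strval : NULL; }

int audit_record_match(record_t *rec, const char *tag, const char *val)
{ const char *s = audit_record_get_string(rec, tag); return s && strcmp(s, val) == 0; }

iter_t audit_item_iter(const record_t *rec) { iter_t i = { rec, 0 }; return i; }
const item_t *audit_next_item(iter_t *i)
{ return i->pos < i->rec->count ? &i->rec->items[i->pos++] : NULL; }

/* Constructed sample lines, not captured from a real system. */
static const char *sample_log[] = {
    "type=SYSCALL msg=audit(1141766200.123:45): arch=c000003e syscall=59 "
    "success=yes exit=0 a0=7ffd1234 comm=\"ls\"",
    "type=CWD msg=audit(1141766200.123:45): cwd=\"/tmp/some dir\"",
};
```

A caller follows the sketch's loop: `audit_record_parse` one line into a `record_t`, test `audit_record_match(&rec, "type", "SYSCALL")`, then either read fields with `audit_record_get_int` (which refuses a non-numeric field such as `arch=` instead of returning 0) or walk every pair with `audit_item_iter`/`audit_next_item`. Because `audit_get_tag` returns one pointer per name, a hot loop can intern the tag once and compare pointers, which is the optimization the message says the string-based interface should leave room for.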