Audit Parsing Library Requirements

Klaus Weidner klaus at atsec.com
Wed Mar 8 02:36:14 UTC 2006


On Tue, Mar 07, 2006 at 08:10:02PM -0600, Klaus Weidner wrote:
> An iterator-based approach should be easy to use from Python as well.

This would be especially nice if you export the typed objects from the
audit log as python objects of the correct type, then something like
this should work:

	import auditlog

	log = auditlog.open(file)

	for record in log:
		if record.type == auditlog.SYSCALL:
			# typed accessors for a record type the binding knows about
			print record.isodate,
			print "call %d, arg0=%d\n" % \
			      (record.syscall_num, record.a0)
		else:
			# generic tag/value dictionary for everything else
			d = record.dict()
			for tag in d:
				print tag, d[tag]

Similarly for other high-level languages that support dynamic typing.

In general, I think that the interface should have the following
properties:

- code that expects certain fields to be present will continue to work
  when new fields get added (and will ignore them)

- if expected fields are absent, you get a (trappable) error

- if code loops over all fields and handles each item in a type-safe way,
  it'll support new fields automatically with no code change when they
  are added

-Klaus
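The three properties listed in the message, shown in working Python 3 code. This is an added example, not code from the original message or from the audit project: the `Record`, `parse`, `safe_get`, `describe` and `summarize` names are assumptions, the sample records are constructed, and the line layout follows the key=value format of the Linux audit daemon's audit.log.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in audit.log's key=value layout (not from any real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1141785374.123:456): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1234 a1=0 ppid=1 pid=2345 auid=500 uid=0 comm="cat" exe="/bin/cat"
type=PATH msg=audit(1141785374.123:456): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100600 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1141785380.000:457): pid=2400 uid=0 auid=500 msg='op=login acct="klaus" res=success' newfield=42
"""

# Converters for the fields this example knows about; anything else stays a str,
# so a field added later is still carried through untouched (property 1).
_HEX = lambda v: int(v, 16)
FIELD_TYPES = {
    "syscall": int, "exit": int, "pid": int, "ppid": int, "auid": int, "uid": int,
    "item": int, "inode": int, "ouid": int, "ogid": int,
    "a0": _HEX, "a1": _HEX, "a2": _HEX, "a3": _HEX,
    "success": lambda v: v == "yes",
}

_HEAD = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
_FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class MissingField(AttributeError):
    """Trappable error for a field the record does not carry (property 2)."""


class Record:
    """One audit record: typed attribute access plus a generic field dictionary."""

    def __init__(self, line):
        m = _HEAD.match(line)
        if m is None:
            raise ValueError("not an audit record: %r" % line)
        self.type = m.group(1)
        self.serial = int(m.group(4))
        self._when = _EPOCH + timedelta(seconds=int(m.group(2)),
                                        milliseconds=int(m.group(3)))
        self._fields = {}
        for key, raw in _FIELD.findall(m.group(5)):
            self._fields[key] = FIELD_TYPES.get(key, str)(raw.strip("\"'"))

    @property
    def isodate(self):
        return self._when.isoformat(timespec="milliseconds")

    def __getattr__(self, name):
        # Only reached when normal attribute lookup fails, i.e. for field names.
        if name.startswith("_"):
            raise AttributeError(name)
        try:
            return self._fields[name]
        except KeyError:
            raise MissingField("%s record has no field %r" % (self.type, name)) from None

    def dict(self):
        """Copy of all fields, typed, including ones this code never heard of."""
        return dict(self._fields)


def parse(lines):
    """Iterator over records; blank lines are skipped."""
    for line in lines:
        line = line.strip()
        if line:
            yield Record(line)


def safe_get(record, name, default=None):
    """Trap the missing-field error instead of letting it abort the caller."""
    try:
        return getattr(record, name)
    except MissingField:
        return default


def describe(record):
    """Type-driven walk over every field; new fields need no code change (property 3)."""
    out = []
    for tag, value in record.dict().items():
        if isinstance(value, bool):          # bool is an int subclass: test it first
            out.append("%s=%s" % (tag, "yes" if value else "no"))
        elif isinstance(value, int):
            out.append("%s=%d" % (tag, value))
        else:
            out.append("%s=%r" % (tag, value))
    return out


def summarize(text):
    """Walk the log the way the sketch above does and collect what each branch saw."""
    calls, other = [], []
    for record in parse(text.splitlines()):
        if record.type == "SYSCALL":
            calls.append((record.isodate, record.syscall, record.a0))
        else:
            other.append((record.type, describe(record)))
    return calls, other


if __name__ == "__main__":
    for part in summarize(SAMPLE_LOG):
        print(part)
```

Because `MissingField` subclasses `AttributeError`, `hasattr(record, "syscall")` works as a cheap presence check, while code that forgot to check gets an exception naming the record type and field rather than silently reading a wrong value. The `newfield=42` token in the constructed USER_LOGIN line is the "field added later" case: the SYSCALL branch never sees it, and the generic branch formats it without any change to the code.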
