Audit Parsing Library Requirements
Debora Velarde
dvelarde at us.ibm.com
Fri Mar 10 22:45:01 UTC 2006
A couple questions about how I would access all the info in a record such
as:
type=USER_ACCT msg=audit(1127329315.111:55495): user pid=23769 uid=0
auid=4294967295 msg='PAM accounting: user=laf_a exe="/usr/sbin/sshd"
(hostname=system.ibm.com, addr=127.0.0.1, terminal=ssh result=Success)'
1. In this case would auparse_get_host(auparse_state_t *au) retrieve the
hostname of this record?
2. Will the user have to extract the values of 'user' and 'exe' from the
entire value of 'msg' themselves? Or can the API return the values for
those individually?
linux-audit-bounces at redhat.com wrote on 03/10/2006 01:33:12 PM:
> On Friday 10 March 2006 12:05, Steve Grubb wrote:
> > so this is another round of updates with more details fleshed out.
>
> OK. I think the last round of comments was helpful. I added some language to
> define the concept of multiple hosts in one log. This is the final draft
> unless there is an omission.
>
> -Steve
>
>
>
> Audit Event Parsing Library Specifications
> ==========================================
>
> Definitions
> -----------
> An audit event is all records that have the same host, timestamp, and
> serial number. Each event on a host has a unique timestamp and serial
> number. An event is composed of multiple records which have information about
> different aspects of an audit event. Each record is denoted by a type which
> indicates what fields will follow. Information in the fields is held by a
> name/value pair that contains an '=' between them. Each field is separated
> from one another by a space or comma.
>
>
> Ground Rules
> ------------
> All functions that begin with ausearch are related to searching for a subset
> of events based on certain criteria. All functions that begin with auparse
> are used to access events, records, and fields sequentially and without
> regard to any search options that may be in effect. All functions return 1
> on success and 0 on failure unless otherwise noted. Where the return type is
> a char pointer, NULL will indicate failure. The data structures would be
> hidden from the external application. Access to fields is a name/value style.
> You access the fields through functions that either return a pointer to an
> immutable, zero-terminated array of ASCII characters or integral values. Every
> function (except auparse_init) takes a parameter, au, which is the internal
> state information for the current query.
>
>
> Functions
> ---------
> auparse_state_t - is an opaque data type used for maintaining library state.
>
> typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_BUFFER } ausource_t;
>
> auparse_state_t *auparse_init(ausource_t source, const void *b) - allow init
> of library. Set data source: logs, file, buffer. The pointer 'b' is used to
> set the file name or pass the buff when those types are given.
>
> typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
> AUSEARCH_STOP_FIELD } austop_t;
>
> int ausearch_set_param(auparse_state_t *au, const char *field, const char *op,
> const char *value, austop_t where) - set search
> options. The field would be the left hand side of the audit name/value pairs.
> The op would be how to match: =,!=,>,<. The value would be the right hand
> side of the audit field name/value pairs. The where parameter tells the
> search library where to place the internal cursor when a match is found. It
> could be on first field of first record, first field of record containing the
> match, or the field that matches.
>
> int ausearch_next_event(auparse_state_t *au) - traverse to the next event that
> yields a match based on the given search criteria.
>
> int auparse_next_event(auparse_state_t *au) - traverse to next event. This
> allows access to time and serial number.
>
> typedef struct
> {
>     time_t sec;             // Event seconds
>     unsigned int milli;     // millisecond of the timestamp
>     unsigned long serial;   // Serial number of the event
>     const char *host;       // Machine's name
> } event_t;
>
> event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time stamp of
> current record
> time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds of
> current record
> time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds time of
> current record
> unsigned long auparse_get_serial(auparse_state_t *au) - retrieve serial number
> of current record
> const char *auparse_get_host(auparse_state_t *au) - retrieve host name
> of current record
>
> int auparse_first_record(auparse_state_t *au) - set iterator to first record
> in current event
>
> int auparse_next_record(auparse_state_t *au) - traverse to next record in
> event. This allows access to the event type
>
> int auparse_get_type(auparse_state_t *au) - retrieve type of current record
>
> int auparse_first_field(auparse_state_t *au) - set field pointer to first in
> current record
>
> int auparse_next_field(auparse_state_t *au) - traverse the fields in a record
>
> const char *auparse_find_field(auparse_state_t *au, const char *name) - find a
> given field in an event or record. Name is the left hand side of the name/value
> pair. Returns pointer to the value as ASCII text.
>
> const char *auparse_find_field_next(auparse_state_t *au) - find the next
> occurrence of that field in the same record. Returns pointer to the value as
> ASCII text.
>
> const char *auparse_get_field_str(auparse_state_t *au) - return current field
> value as a string
>
> int auparse_get_field_int(auparse_state_t *au) - return current field value
> as an int
>
> const char *auparse_interpret_field(auparse_state_t *au) - interpret the
> current field
>
> int auparse_destroy(auparse_state_t *au) - free all data structures and close
> file descriptors
>
>
> Code Example
> ------------
> #include <stdio.h>
> #include <stdlib.h>
> #include "auparse.h"   /* header name assumed; the draft does not name it */
>
> int main(void)
> {
>     /* Read events from the system audit logs */
>     auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL);
>     if (au == NULL)
>         exit(1);
>
>     /* Only visit events containing a field auid with the value 500; on a
>      * match, leave the cursor at the start of the matching event */
>     if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT)) {
>         auparse_destroy(au);
>         exit(1);
>     }
>
>     while (ausearch_next_event(au)) {
>         if (auparse_find_field(au, "auid")) {
>             printf("auid=%s\n", auparse_interpret_field(au));
>         }
>     }
>     auparse_destroy(au);   /* release library state and file descriptors */
>     return 0;
> }
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
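As an added example (not code from the original post or from the audit library), a small parser for the record format the draft's Definitions section describes, run over the record quoted at the top of this message: it splits out the event key (seconds, milliseconds, serial), the record type and the name/value fields, and descends into the quoted msg='...' payload so that nested fields such as user and exe can be looked up by name.

```python
import re

# Record quoted in the original message, used here as the sample input.
SAMPLE = ("type=USER_ACCT msg=audit(1127329315.111:55495): user pid=23769 uid=0 "
          "auid=4294967295 msg='PAM accounting: user=laf_a exe=\"/usr/sbin/sshd\" "
          "(hostname=system.ibm.com, addr=127.0.0.1, terminal=ssh result=Success)'")

# name=value where value is 'single quoted', "double quoted", or a bare token
# ended by a space, a comma or a closing parenthesis.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^\s,)]*)""")
# The event key: audit(seconds.milliseconds:serial)
TS_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")


def parse_fields(text):
    """Map field names to values; a quoted value that itself holds name=value
    pairs (the msg='...' payload) is parsed recursively into a nested dict."""
    fields = {}
    for name, value in FIELD_RE.findall(text):
        if value[:1] in ("'", '"'):
            inner = value[1:-1]
            nested = parse_fields(inner) if "=" in inner else {}
            value = nested or inner
        fields[name] = value
    return fields


def parse_record(line):
    """Split one record into the event key (sec, milli, serial) and fields."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("record has no audit(sec.milli:serial) timestamp")
    fields = parse_fields(line[:m.start()])   # type=... and an empty msg= prefix
    fields.pop("msg", None)                   # the audit(...) token is the event key
    fields.update(parse_fields(line[m.end():]))
    return {"sec": int(m.group(1)), "milli": int(m.group(2)),
            "serial": int(m.group(3)), "fields": fields}


def find_field(fields, name):
    """Return the value of name, looking at the top level first, then inside
    any nested payload such as msg='...'; None if the field is absent."""
    if name in fields and not isinstance(fields[name], dict):
        return fields[name]
    for value in fields.values():
        if isinstance(value, dict):
            found = find_field(value, name)
            if found is not None:
                return found
    return None
```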