Audit Parsing Library Requirements
Michael C Thompson
mcthomps at us.ibm.com
Mon Mar 13 14:35:27 UTC 2006
linux-audit-bounces at redhat.com wrote on 03/10/2006 03:33:12 PM:
> On Friday 10 March 2006 12:05, Steve Grubb wrote:
> > so this is another round of updates with more details fleshed out.
>
> OK. I think the last round of comments was helpful. I added some
language to
> define the concept of multiple hosts in one log. This is the final draft
> unless there is an omission.
>
> -Steve
>
>
>
> Audit Event Parsing Library Specifications
> ==========================================
>
> Definitions
> -----------
> An audit event is all records that have the same host, timestamp, and
> serial number. Each event on a host has a unique timestamp and serial
> number. An event is composed of multiple records which have information
about
> different aspects of an audit event. Each record is denoted by a type
which
> indicates what fields will follow. Information in the fields are held by
a
> name/value pair that contains an '=' between them. Each field is
separated
> from one another by a space or comma.
I know this is not likely to change, but is there a reason why we don't
have a common delimiter? I understand that going through the code and
modifying this would be a large undertaking, and I'm not even saying I
will do it (although I believe Loulwa was consider doing at one point, but
don't hold me to that). Removing inconstancies in the records, such as
using '_' in place of spaces in field names and removing these commas,
would seem like a good thing to do, but before anyone does that work, will
making that change be acceptable from a code point of view? (Discount any
work which might be needed to update parsing code from ausearch etc,
although there would be a fair amount to change I imagine).
>
>
> Ground Rules
> ------------
> All functions that begin with ausearch are related to searching for a
subset
> of events based on certain criteria. All functions that begin with
auparse
> are used to access events, records, and fields sequentially and without
> regard to any search options that may be in effect. All functions return
1
> on success and 0 on failure unless otherwise noted. Where the return
type is
> a char pointer, NULL will indicate failure. The data structures would be
Typo: The data structures [would -> will] be
> hidden from the external application. Access to fields is a name/value
style.
> You access the fields through functions that either return a pointer to
an
> immutable, zero-terminated array of ASCII characters or integral values.
Every
> function (except auparse_init) takes a parameter, au, which is the
internal
> state information for the current query.
Although it is clear from the code example (and I am sure this is not
going to be the final version of the document, it would probably be nice
to mention that auparse will, when not using auparse_next_event, will be
parsing the record that was found (and is current being pointed to) by
ausearch_* functions, for example. Your comment in the above, "without
regard to any search options that may be in effect", is somewhat
befuddling on this point. A clear statement such as "auparse_* functions
will parse the current event found either through ausearch_* functions or
auparse_* functions." I am not a writer though, so don't use my suggestion
verbatim.
>
>
> Functions
> ---------
> auparse_state_t - is an opaque data type used for maintaining library
state.
>
> typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_BUFFER }
ausource_t;
>
> auparse_state_t *auparse_init(ausource_t source, const void *b) - allow
init
> of library. Set data source: logs, file, buffer. The pointer 'b' is used
to
> set the file name or pass the buff when those types are given.
>
> typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
> AUSEARCH_STOP_FIELD } austop_t;
>
> int ausearch_set_param(auparse_state_t *au, const char *field, constchar
*op,
> const char *value, austop_t where) - set search
> options. The field would be the left hand side of the audit name/value
pairs.
> The op would be how to match: =,!=,>,<. The value would be the right
hand
> side of the audit field name/value pairs. The where parameter tells the
> search library where to place the internal cursor when a match is found.
It
> could be on first field of first record, first field of record
containing the
> match, or the field that matches.
>
> int ausearch_next_event(auparse_state_t *au) - traverse to the next
event that
> yields a match based on the given search criteria.
>
> int auparse_next_event(auparse_state_t *au) - traverse to next event.
This
> allows access to time and serial number.
>
> typedef struct
> {
> time_t sec; // Event seconds
> unsigned int milli; // millisecond of the timestamp
> unsigned long serial; // Serial number of the event
> const char *host; // Machine's name
> } event_t;
>
> event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time stamp
of
> current record
> time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds
of
> current record
> time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds
time of
> current record
> unsigned long auparse_get_serial(auparse_state_t *au) - retrieve serial
number
> of current record
> const char *auparse_get_host(auparse_state_t *au) - retrieve host name
> of current record
>
> int auparse_first_record(auparse_state_t *au) - set iterator to first
record
> in current event
>
> int auparse_next_record(auparse_state_t *au) - traverse to next record
in
> event. This allows access to the event type
>
> int auparse_get_type(auparse_state_t *au) - retrieve type of current
record
>
> int auparse_first_field(auparse_state_t *au) - set field pointer to
first in
> current record
>
> int auparse_next_field(auparse_state_t *au) - traverse the fields in a
record
>
> const char *auparse_find_field(auparse_state_t *au, const char *name) -
find a
> given field in a event or record. Name is the left hand side of the
name/value
> pair. Returns pointer to the value as ascii text.
>
> const char *auparse_find_field_next(auparse_state_t *au) - find the next
> occurance of that field in the same record. Returns pointer to the value
as
> ascii text.
>
> const char *auparse_get_field_str(auparse_state_t *au) - return current
field
> value as a string
>
> int auparse_get_field_int(auparse_state_t *au) - return current field
value
> as an int
>
> const char *auparse_interpret_field(auparse_state_t *au) - interpret the
> current field
>
> int auparse_destroy(auparse_state_t *au) - free all data structures and
close
> file descriptors
>
>
> Code Example
> ------------
> int main(void)
> {
> auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL);
> if (au == NULL)
> exit(1);
>
> if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT))
> exit(1);
>
> while (ausearch_next_event(au)) {
> if (auparse_find_field(au, "auid")) {
> printf("auid=%s\n", auparse_interpret_field(au));
> }
> }
> return 0;
> }
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20060313/0b724e44/attachment.htm>
More information about the Linux-audit
mailing list