Audit Parsing Library Requirements
Kevin Carr
kcarr at tresys.com
Mon Mar 13 16:14:51 UTC 2006
I apologize for jumping into this thread so late, it has been real busy
around Tresys lately :) I think everything looks good but I have a question
about how you imagine regular expression matching to work. For example if I
want to match the "exe" field in avc messages with at regular expression,
what will be the best way given this API?
Does it become something like:
ausearch_set_param("exe", "regex", "/sbin(/.*)")
Kevin Carr
Tresys Technology
410.290.1411 x137
> On Friday 10 March 2006 12:05, Steve Grubb wrote:
> > so this is another round of updates with more details fleshed out.
>
> OK. I think the last round of comments was helpful. I added some language
> to
> define the concept of multiple hosts in one log. This is the final draft
> unless there is an omission.
>
> -Steve
>
>
>
> Audit Event Parsing Library Specifications
> ==========================================
>
> Definitions
> -----------
> An audit event is all records that have the same host, timestamp, and
> serial number. Each event on a host has a unique timestamp and serial
> number. An event is composed of multiple records which have information
> about
> different aspects of an audit event. Each record is denoted by a type
> which
> indicates what fields will follow. Information in the fields are held by a
> name/value pair that contains an '=' between them. Each field is separated
> from one another by a space or comma.
>
>
> Ground Rules
> ------------
> All functions that begin with ausearch are related to searching for a
> subset
> of events based on certain criteria. All functions that begin with auparse
> are used to access events, records, and fields sequentially and without
> regard to any search options that may be in effect. All functions return 1
> on success and 0 on failure unless otherwise noted. Where the return type
> is
> a char pointer, NULL will indicate failure. The data structures would be
> hidden from the external application. Access to fields is a name/value
> style.
> You access the fields through functions that either return a pointer to an
> immutable, zero-terminated array of ASCII characters or integral values.
> Every
> function (except auparse_init) takes a parameter, au, which is the
> internal
> state information for the current query.
>
>
> Functions
> ---------
> auparse_state_t - is an opaque data type used for maintaining library
> state.
>
> typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_BUFFER } ausource_t;
>
> auparse_state_t *auparse_init(ausource_t source, const void *b) - allow
> init
> of library. Set data source: logs, file, buffer. The pointer 'b' is used
> to
> set the file name or pass the buff when those types are given.
>
> typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD,
> AUSEARCH_STOP_FIELD } austop_t;
>
> int ausearch_set_param(auparse_state_t *au, const char *field, const char
> *op,
> const char *value, austop_t where) - set search
> options. The field would be the left hand side of the audit name/value
> pairs.
> The op would be how to match: =,!=,>,<. The value would be the right hand
> side of the audit field name/value pairs. The where parameter tells the
> search library where to place the internal cursor when a match is found.
> It
> could be on first field of first record, first field of record containing
> the
> match, or the field that matches.
>
> int ausearch_next_event(auparse_state_t *au) - traverse to the next event
> that
> yields a match based on the given search criteria.
>
> int auparse_next_event(auparse_state_t *au) - traverse to next event. This
> allows access to time and serial number.
>
> typedef struct
> {
> time_t sec; // Event seconds
> unsigned int milli; // millisecond of the timestamp
> unsigned long serial; // Serial number of the event
> const char *host; // Machine's name
> } event_t;
>
> event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time stamp
> of
> current record
> time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds of
> current record
> time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds time
> of
> current record
> unsigned long auparse_get_serial(auparse_state_t *au) - retrieve serial
> number
> of current record
> const char *auparse_get_host(auparse_state_t *au) - retrieve host name
> of current record
>
> int auparse_first_record(auparse_state_t *au) - set iterator to first
> record
> in current event
>
> int auparse_next_record(auparse_state_t *au) - traverse to next record in
> event. This allows access to the event type
>
> int auparse_get_type(auparse_state_t *au) - retrieve type of current
> record
>
> int auparse_first_field(auparse_state_t *au) - set field pointer to first
> in
> current record
>
> int auparse_next_field(auparse_state_t *au) - traverse the fields in a
> record
>
> const char *auparse_find_field(auparse_state_t *au, const char *name) -
> find a
> given field in a event or record. Name is the left hand side of the
> name/value
> pair. Returns pointer to the value as ascii text.
>
> const char *auparse_find_field_next(auparse_state_t *au) - find the next
> occurance of that field in the same record. Returns pointer to the value
> as
> ascii text.
>
> const char *auparse_get_field_str(auparse_state_t *au) - return current
> field
> value as a string
>
> int auparse_get_field_int(auparse_state_t *au) - return current field
> value
> as an int
>
> const char *auparse_interpret_field(auparse_state_t *au) - interpret the
> current field
>
> int auparse_destroy(auparse_state_t *au) - free all data structures and
> close
> file descriptors
>
>
> Code Example
> ------------
> int main(void)
> {
> auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL);
> if (au == NULL)
> exit(1);
>
> if (!ausearch_set_param(au, "auid", "=", "500",
> AUSEARCH_STOP_EVENT))
> exit(1);
>
> while (ausearch_next_event(au)) {
> if (auparse_find_field(au, "auid")) {
> printf("auid=%s\n", auparse_interpret_field(au));
> }
> }
> return 0;
> }
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list