Audit Parsing Library Requirements

John D. Ramsdell ramsdell at mitre.org
Mon Mar 13 16:42:09 UTC 2006


Steve Grubb <sgrubb at redhat.com> writes:

> Each record is denoted by a type which indicates what fields will
> follow. Information in the fields are held by a name/value pair that
> contains an '=' between them. Each field is separated from one
> another by a space or comma.

Please do not separate fields with commas.  The length of each line is
way too long as it is.  Furthermore, when ausearch interprets numeric
entities into text, there is a simple, lex-based program that can
format the output into XML with the following DTD:

<!ELEMENT au (seq)*>
<!ELEMENT seq (tab)+>
<!ELEMENT tab (ent)+>
<!ELEMENT ent EMPTY>
<!ATTLIST ent
          key CDATA #REQUIRED
          val CDATA #IMPLIED>

The output can then be consumed with another, very simple Python
program: 

--------------------- consume.py -------------------------
import sys, xml.sax, xml.sax.handler

def main():
    if len(sys.argv) != 2:
        print("Usage: " + sys.argv[0] + " FILE")
    else:
        xml.sax.parse(sys.argv[1], AuditHandler())

class AuditHandler(xml.sax.handler.ContentHandler):
    # seq collects the tables of the current <seq>; tab collects the
    # key/value pairs of the current <tab>.
    seq = None
    tab = None

    def startElement(self, name, attrs):
        if name == 'seq':
            self.seq = []
        elif name == 'tab':
            self.tab = {}
        elif name == 'ent' and "key" in attrs and "val" in attrs:
            # An <ent> without a val is dropped; a repeated key overwrites.
            self.tab[attrs.getValue("key")] = attrs.getValue("val")

    def endElement(self, name):
        if name == 'tab':
            self.seq.append(self.tab)
        elif name == 'seq':
            consume(self.seq)

def consume(seq):
    print('seq', len(seq))   # Do something interesting here

if __name__ == "__main__":
    main()
--------------------- consume.py -------------------------

I see value in having a way to consume ausearch output without having
access to audit development libraries.  If I want to write a one off
audit analysis tool, the combination of the XML formatter and a simple
Python script would greatly shorten the time required to write the
analysis tool.  Having that tool is allowing me to analyze audit data
right now.

The program that converts ausearch output into XML is called auxml,
and is in the CVS repository of the polgen project on SourceForge, in
the pkg/auxml directory of the polgen module.  The package includes a
manual page.

John
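As an added example (not the auxml program or anything from the polgen project), the script below converts a constructed sample of interpreted ausearch output into XML of the au/seq/tab/ent shape given by the DTD above, checks that nesting, and reads it back into the seq-of-tab structure consume.py builds. It assumes that a seq corresponds to one event (a `----`-separated block) and a tab to one record line; the sample values are made up.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the style of interpreted ausearch output (hypothetical
# values): "----" separates events; each record is one line of name=value fields.
SAMPLE = """\
----
type=SYSCALL msg=audit(03/13/2006 11:42:09.123:456) : arch=x86_64 syscall=open success=yes exit=3 comm=cat exe=/bin/cat
type=PATH msg=audit(03/13/2006 11:42:09.123:456) : item=0 name=/etc/passwd
----
type=USER_LOGIN msg=audit(03/13/2006 11:45:00.000:457) : pid=1234 uid=root auid=alice msg='op=login acct=alice res=failed'
"""

# A value is the audit(...) stamp, a quoted string (which may itself contain
# '=' and spaces, so it must be taken whole) or a bare token.
FIELD = re.compile(r"""(\w+)=(audit\([^)]*\)|'[^']*'|"[^"]*"|\S+)""")

def parse_record(line):
    """One record as a dict; last value wins for a repeated name (e.g. two msg= fields)."""
    return {k: v.strip("'\"") for k, v in FIELD.findall(line)}

def to_xml(text):
    """XML in the au/seq/tab/ent DTD shape: seq per event (assumed), tab per record, ent per field."""
    au = ET.Element("au")
    for block in re.split(r"^----[ \t]*$", text, flags=re.MULTILINE):
        lines = [l for l in block.splitlines() if l.strip()]
        if not lines:
            continue
        seq = ET.SubElement(au, "seq")
        for line in lines:
            tab = ET.SubElement(seq, "tab")
            for key, val in parse_record(line).items():
                ET.SubElement(tab, "ent", key=key, val=val)
    return ET.tostring(au, encoding="unicode")

def conforms(xml_text):
    """Check the nesting the DTD requires; ElementTree does not validate."""
    au = ET.fromstring(xml_text)
    return au.tag == "au" and all(
        s.tag == "seq" and len(s) > 0 and all(
            t.tag == "tab" and len(t) > 0 and all(
                e.tag == "ent" and "key" in e.attrib and len(e) == 0 for e in t)
            for t in s)
        for s in au)

def consume(xml_text):
    """Rebuild the per-event list of dicts that consume.py's handler builds."""
    return [[{e.get("key"): e.get("val") for e in tab} for tab in seq]
            for seq in ET.fromstring(xml_text)]
```

Note that a dict keeps only the last of the two msg= values many record types carry, so an analysis that needs the audit(...) stamp should read it before the second msg= overwrites it.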