Audit Parsing Library Requirements
Steve Grubb
sgrubb at redhat.com
Mon Mar 13 16:44:53 UTC 2006
On Monday 13 March 2006 11:14, Kevin Carr wrote:
> I have a question about how you imagine regular expression matching to
> work. For example, if I want to match the "exe" field in avc messages with
> a regular expression, what will be the best way given this API?
That's a good question. Right now, ausearch has 2 kinds of matching, substring
and whole string. Which match to use is governed by the -w parameter to
ausearch, the default being substring.
> Does it become something like:
> ausearch_set_param("exe", "regex", "/sbin(/.*)")
I think we need to add another operator to correctly represent ausearch's
capabilities:
ausearch_set_param("exe", "~", "/sbin");
For example, the above would do substring matches. Any exe field that
has /sbin would match. So both /sbin/fdisk and /usr/sbin/nstat would match.
ausearch_set_param("exe", "=", "/sbin");
Would likely draw no matches since a directory isn't an executable.
I have stayed away from regex matching because performance will be bad.
However, I think we can throw that in at this point and just warn people that
it's likely to be slow.
I'll update the spec to include a section about operators & matching and
repost it to this thread.
-Steve
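The operator semantics discussed in this message, as an added illustration rather than code from the audit library or from Steve's spec: "~" is a substring match, "=" is a whole-string match, and a third operator handles a POSIX extended regex. The operator name "regex" is Kevin's suggested spelling and is assumed here, not something the library defines; the struct, function names and the sample exe values are likewise constructed for this example. The regex is compiled once when the parameter is set and only executed per record, which is the usual way to keep the cost of the slow operator down.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Operators from the thread: "~" substring, "=" whole string.
 * "regex" is the spelling Kevin proposed; it is an assumption here,
 * not an operator the audit library defines. */
enum match_op { OP_SUBSTR, OP_EXACT, OP_REGEX, OP_INVALID };

static enum match_op parse_op(const char *op)
{
    if (strcmp(op, "~") == 0) return OP_SUBSTR;
    if (strcmp(op, "=") == 0) return OP_EXACT;
    if (strcmp(op, "regex") == 0) return OP_REGEX;
    return OP_INVALID;
}

/* One search parameter. A regex is compiled once here, so the per-record
 * cost is a regexec() call rather than regcomp() plus regexec(). */
struct field_param {
    enum match_op op;
    const char *pattern;
    regex_t re;
    bool re_ok;
};

/* Returns 0 on success, -1 on an unknown operator or a pattern that
 * does not compile as a POSIX extended regex. */
int field_param_init(struct field_param *p, const char *op, const char *pattern)
{
    memset(p, 0, sizeof *p);
    p->op = parse_op(op);
    p->pattern = pattern;
    if (p->op == OP_INVALID)
        return -1;
    if (p->op == OP_REGEX) {
        if (regcomp(&p->re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        p->re_ok = true;
    }
    return 0;
}

void field_param_free(struct field_param *p)
{
    if (p->re_ok) {
        regfree(&p->re);
        p->re_ok = false;
    }
}

/* Apply a compiled parameter to one field value. */
bool field_param_match(const struct field_param *p, const char *value)
{
    switch (p->op) {
    case OP_SUBSTR: return strstr(value, p->pattern) != NULL;
    case OP_EXACT:  return strcmp(value, p->pattern) == 0;
    case OP_REGEX:  return p->re_ok && regexec(&p->re, value, 0, NULL, 0) == 0;
    default:        return false;
    }
}

/* One-shot helper, e.g. match_field("~", "/sbin", "/usr/sbin/nstat").
 * Returns false for an invalid operator or pattern. */
bool match_field(const char *op, const char *pattern, const char *value)
{
    struct field_param p;
    if (field_param_init(&p, op, pattern) != 0)
        return false;
    bool hit = field_param_match(&p, value);
    field_param_free(&p);
    return hit;
}

int main(void)
{
    /* Constructed exe values, following the examples in the thread. */
    const char *exes[] = { "/sbin/fdisk", "/usr/sbin/nstat", "/bin/ls" };
    const char *params[][2] = {
        { "~", "/sbin" }, { "=", "/sbin" }, { "regex", "^/sbin(/.*)?$" }
    };
    for (size_t i = 0; i < 3; i++) {
        struct field_param p;
        if (field_param_init(&p, params[i][0], params[i][1]) != 0)
            continue;
        for (size_t j = 0; j < 3; j++)
            printf("exe %s %s  %-16s -> %s\n", params[i][0], params[i][1],
                   exes[j], field_param_match(&p, exes[j]) ? "match" : "no match");
        field_param_free(&p);
    }
    return 0;
}
```

Run as written, the substring parameter matches /sbin/fdisk and /usr/sbin/nstat, the whole-string parameter "/sbin" matches nothing, and the anchored regex matches only /sbin/fdisk.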