Audit Parsing Library Requirements

Robert Wenner robert.wenner at atsec.com
Mon Mar 13 19:57:36 UTC 2006


Hi,

I joined the discussion a little late, so please bear with me for asking 
obvious things.

On Monday 13 March 2006 13:33, Steve Grubb wrote:
> An audit event is all records that have the same host, timestamp, and
> serial number. 

What happens if two events happen on the same time stamp?
What is the time granularity?
Even a millisecond can be a long time for a computer.

Why do we need a serial number?

> Information in the fields 
> is held by a name/value pair that contains an '=' between them. Each
> field is separated from one another by a space or comma.

What happens if the data contains a space, comma, or equals sign?
Is quoting allowed? How is it done? 

> All functions return 1 on success and 0 on failure unless
> otherwise noted. 

How can an application query reasons for failure?
Is errno set?

> You access the
> fields through functions that either return a pointer to an immutable,
> zero-terminated array of ASCII characters or integral values. 

How can you keep the data immutable?
Everybody can cast away the const.
Is this a concern here? Can this introduce problems?

> typedef struct
> {
>         time_t sec;             // Event seconds
>         unsigned int milli;     // millisecond of the timestamp
>         unsigned long serial;   // Serial number of the event
>         const char *host;       // Machine's name
> } event_t;
>
> event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time
> stamp of current record
> time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds
> of current record
> time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds
> time of current record

What is the difference between get_timestamp and get_time and get_milli?

> int auparse_first_record(auparse_state_t *au) - set iterator to first
> record in current event
>
> int auparse_next_record(auparse_state_t *au) - traverse to next record
> in event. This allows access to the event type

Is there something like a has_more_records or will next_record just fail 
if there is none?
(In that case it would be especially important to be able to distinguish 
between failure and "end of records".)
(Same for iterating the fields in a record.)

> const char *auparse_interpret_field(auparse_state_t *au) - interpret
> the current field

What does interpreting mean here?

>         if (!ausearch_set_param(au, "auid", "=", "500",
> AUSEARCH_STOP_EVENT)) exit(1);

Is there a special reason to pass in the comparison operator as a char* 
rather than a typedef'd int?

Robert
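As an added illustration (not code from the audit library or from either message above), here is a small Python parser for the record format described in the quoted text: fields are name=value pairs separated by spaces or commas, quoted values may themselves contain those separators or '=', records with the same host, timestamp and serial are grouped into one event, and a malformed line raises an exception rather than returning 0, so a caller can tell a failure from end of input. The optional `node=` host prefix, the `type=... msg=audit(sec.milli:serial):` header and the sample lines are constructed assumptions.

```python
import re

# Constructed sample records (not from the original message). The first two
# share host/timestamp/serial and form one event; the third is a second event
# whose quoted values contain spaces, a comma and an '=' sign.
SAMPLE_LOG = """\
node=host1 type=SYSCALL msg=audit(1142277456.123:456): arch=c000003e syscall=2 success=yes auid=500 exe="/bin/ls"
node=host1 type=PATH msg=audit(1142277456.123:456): item=0 name="/etc/passwd" inode=1234
node=host1 type=USER_LOGIN msg=audit(1142277456.123:457): pid=999 auid=500 msg='op=login acct="my user, a=b" res=success'
"""
BAD_LINE = "this line is not an audit record"  # constructed malformed input

# Record header: optional node=host, the record type, then audit(sec.milli:serial):
HEADER = re.compile(r'^(?:node=(\S+)\s+)?type=(\w+)\s+msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
# One name=value field: the value is a "..." string, a '...' string, or a run of
# characters containing neither of the two separators (space, comma).
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|[^\s,]+)''')


def parse_fields(text):
    """Return {name: value} for one record's field text, quotes stripped."""
    return {k: (v[1:-1] if v[0] in "\"'" else v) for k, v in FIELD.findall(text)}


def parse_record(line):
    """Parse one record into ((host, sec, milli, serial), type, fields).
    A malformed line raises ValueError instead of returning a sentinel,
    so failure is distinguishable from running out of records."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    host, rtype, sec, milli, serial, rest = m.groups()
    key = (host or "localhost", int(sec), int(milli), int(serial))
    return key, rtype, parse_fields(rest)


def group_events(lines):
    """Yield (key, [(type, fields), ...]) with one item per event, i.e. per
    distinct host/timestamp/serial. The generator simply ends at end of input."""
    current_key, records = None, []
    for line in lines:
        if not line.strip():
            continue
        key, rtype, fields = parse_record(line)
        if records and key != current_key:
            yield current_key, records
            records = []
        current_key = key
        records.append((rtype, fields))
    if records:
        yield current_key, records
```

Nested values such as the `msg='...'` string can be fed back through `parse_fields` to get at the inner name=value pairs.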