Audit Parsing Library Requirements

John D. Ramsdell ramsdell at mitre.org
Wed Mar 15 14:50:38 UTC 2006


I'd like to suggest a convention for representing name/value pairs
made available through the parsing library.  As stated before, I'd
like to be sure that the strings returned as the name and as the value
of a field contain 7-bit ASCII characters excluding zero.  The
question is what happens if a value represents binary data.  Such a
value might appear in the log if the initial sequence of the second
argument of a write system call is recorded.

I suggest that in the string returned as the name or value of a field,
we let the alphanumeric characters, space, and the following graphic
characters stand for themselves: !#%^*(_)~+=~[]'|;:{},.<>/?$@`.  The
characters that can be represented as a single character escape in a C
string would be represented the same way in a value, and the remaining
characters would be represented as a backslash, followed by the letter
'x', followed by two hexadecimal digits.  With this specification, a
value could be wrapped in double quotes, and become a C string
constant.  Note with this specification, characters such as '\t' and
'\n' would appear quoted, and programs can make use of this fact.

John

Steve Grubb <sgrubb at redhat.com> writes:

> On Friday 10 March 2006 16:33, Steve Grubb wrote:
> > OK. I think the last round of comments was helpful.
> 
> 
> Audit Event Parsing Library Specifications
> ==========================================


...
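
The convention proposed in the message above, as an added example (not code from the post or from the audit project): a C encoder that turns arbitrary bytes into a field string of non-zero 7-bit ASCII. The name field_encode and the sample buffer are assumptions; the self-representing set is taken literally from the message, so characters it does not list (such as & and -) fall through to the \xHH form.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Graphic characters the message lists as standing for themselves. */
static const char SELF[] = "!#%^*(_)~+=[]'|;:{},.<>/?$@`";
/* Single-character C escapes: raw byte, and the letter written after '\'. */
static const char ESC_RAW[] = "\a\b\f\n\r\t\v\\\"";
static const char ESC_SYM[] = "abfnrtv\\\"";

/* Encode len bytes of src into dst (capacity cap, NUL included).
 * Returns the encoded length, or -1 if dst is too small. */
int field_encode(const unsigned char *src, size_t len, char *dst, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    if (cap == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        const char *p;
        if (o + 5 > cap) return -1;   /* worst case: "\xHH" plus NUL */
        if (c != 0 && c < 0x80 && (isalnum(c) || c == ' ' || strchr(SELF, c))) {
            dst[o++] = (char)c;       /* stands for itself */
        } else if (c != 0 && (p = memchr(ESC_RAW, c, sizeof ESC_RAW - 1))) {
            dst[o++] = '\\';          /* \t, \n, \\, \" and friends */
            dst[o++] = ESC_SYM[p - ESC_RAW];
        } else {
            dst[o++] = '\\';          /* everything else, including NUL */
            dst[o++] = 'x';
            dst[o++] = hex[c >> 4];
            dst[o++] = hex[c & 0xf];
        }
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample: start of a write(2) buffer holding binary data. */
    const unsigned char buf[] = { 'i', 'd', '=', '7', '\t', 0x00, 0xff, '"', '\n' };
    char out[64];
    if (field_encode(buf, sizeof buf, out, sizeof out) >= 0)
        printf("\"%s\"\n", out);
    return 0;
}
```

A decoder for this form should read exactly two hex digits after \x; a C compiler treats every following hex digit as part of the same escape, so an encoded byte followed by a literal hex digit does not round-trip through a compiler unchanged.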



