Audit Parsing Library Requirements

Steve Grubb sgrubb at redhat.com
Wed Mar 15 14:59:54 UTC 2006


On Wednesday 15 March 2006 09:50, John D. Ramsdell wrote:
> As stated before, I'd like to be sure that the strings returned as the name
> and as the value of a field contain 7-bit ASCII characters excluding
> zero.  

The name will be 7-bit ASCII, however, I cannot guarantee what the value will 
be. It comes from the kernel. If someone in another country uses their native 
language to name files and it shows up in the audit record, what should we 
do? This subject has come up before and I believe we have to make an effort 
to support them. I don't believe CC requires this, our users do.

> The question is what happens if a value represents binary data.  Such a
> value might appear in the log if the initial sequence of the second
> argument of a write system call is recorded.

I believe 0 still terminates the string.

> I suggest that in the string returned as the name or value of a field,
> we let the alphanumeric characters, space, and the following graphic
> characters stand for themselves: !#%^*(_)~+=~[]'|;:{},.<>/?$@`.  The
> characters that can be represented as a single character escape in a C
> string would be represented the same way in a value, and the remaining
> characters would be represented as a backslash, followed by the letter
> 'x', followed by two hexadecimal digits.  With this specification, a
> value could be wrapped in double quotes, and become a C string
> constant.  Note with this specification, characters such as '\t' and
> '\n' would appear quoted, and programs can make use of this fact.

I think the raw values should be available. The escaping could be a library 
function just as interpret is a library function.

-Steve
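
The escaping scheme proposed in the quoted text, written as a separate function over the raw value, as the reply suggests. This is an added example, not code from the audit library or from either poster; the name `escape_value`, its signature and the sample input are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Graphic characters that stand for themselves, copied from the list in the
 * quoted proposal. '&' and '-' are not in that list, so they become \xHH. */
static const char SELF[] = "!#%^*(_)~+=[]'|;:{},.<>/?$@`";

/* Hypothetical helper: escape len raw bytes of src into dst (cap bytes,
 * terminator included). Returns escaped length, or (size_t)-1 if dst is
 * too small. Length is explicit so embedded zero bytes are handled. */
size_t escape_value(const unsigned char *src, size_t len, char *dst, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    static const char ctl[] = "\a\b\f\n\r\t\v\\\"";   /* bytes with a ...   */
    static const char sym[] = "abfnrtv\\\"";          /* ... one-char escape */
    size_t o = 0;
    if (cap == 0)
        return (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        const char *p;
        char buf[4];
        size_t n;
        if (c != 0 && c < 0x80 && (isalnum(c) || c == ' ' || strchr(SELF, c))) {
            buf[0] = (char)c; n = 1;
        } else if (c != 0 && (p = strchr(ctl, c)) != NULL) {
            buf[0] = '\\'; buf[1] = sym[p - ctl]; n = 2;
        } else {                      /* everything else, 8-bit and NUL too */
            buf[0] = '\\'; buf[1] = 'x';
            buf[2] = hex[c >> 4]; buf[3] = hex[c & 15]; n = 4;
        }
        if (o + n >= cap)             /* keep room for the terminator */
            return (size_t)-1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

int main(void)
{
    const unsigned char raw[] = "caf\xc3\xa9 \"x\"\n";  /* constructed sample */
    char out[64];
    if (escape_value(raw, sizeof raw - 1, out, sizeof out) != (size_t)-1)
        puts(out);
    return 0;
}
```

A C compiler reads a `\x` escape as running through every following hexadecimal digit, so output such as `\xc3a` pasted between double quotes in C source needs the literal split after the escape.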



