Changes to Audit record format

Loulwa Salem loulwas at us.ibm.com
Wed Mar 15 19:14:38 UTC 2006


Hi,
As per the talk we had Monday on the call, here are some of the 
formatting issues we would like to see resolved for consistency and 
sanity of the parsers we have to write...

Basically .. here is what I am proposing we change in the formatting ..
	Unnecessary stray symbols (,:() ..etc surrounded by spaces on both 
sides) are a bit inconsistent and problematic (we deal with them 
currently, but would be nice to get rid of them and thus the use of all 
the exception code to handle them).
	All two-word fields should have an "_" between the words rather than a 
space (since we use the space as a delimiter, which makes the most sense, 
we end up with lonely words that need to be ignored currently). Using 
"_" would make life easier instead.

I am breaking this by audit type and grouping those types that share the 
same format together ...

1- DAEMON_START
	Remove "," between fields, leave spaces only
	Change "auditd pid=" to "auditd_pid="

2- DAEMON_END
	Remove "," between fields, leave spaces only
	Change "sending auid=" to "sending_auid=" or just "auid="
	Change "auditd pid=" to "auditd_pid="

3- CONFIG_CHANGE
    type=CONFIG_CHANGE ... audit_enabled=1 old=1 by auid=0
	Is there a reason we have the "by" word in there?

    type=CONFIG_CHANGE ... auid=0 add rule to list=2 res=1
	this is how I am understanding this.. the message is "add rule to 
list=2". however the fact that we have "list=2" makes it sound like the 
message is "add rule to" and a field is "list=2".
	Can we change that to something like (auid=0 add rule to list 2 res=1) 
or (auid=0 add rule to list_2 res=1)?

4- USER_CHAUTHTOK
    type=USER_CHAUTHTOK ... user pid=13827 uid=0 auid=0 msg='op=changing 
name acct=laf_c exe="/usr/sbin/usermod" (hostname=?, addr=?, 
terminal=pts/1 res=success)'
	Remove "," between fields, leave spaces only
	Change "user pid=" to "user_pid="
	What happened to msg='SomeString. For example, it might be gpasswd, or 
passwd, or some PAM msg .. etc. our cases were checking for that string, 
so what happened to it? In some cases it still prints, but not others; 
is there a reason for that?

    type=USER_CHAUTHTOK ... user pid=12862 uid=0 auid=0 msg='password 
aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2, 
inact=-2: exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1 
res=success)'
	Please remove all those "," and just leave spaces
	Remove "-" before "acct="
	Note that msg='SomeString is shown, unlike previous example.

5- USER_ACCT, USER_START, USER_END, USER_AUTH, USER_LOGIN
	Change "user pid=" to "user_pid="
	Remove the lonely ":" after "acct=" field
	Remove "," and just leave spaces
	Again, some of these have a "msg=" field with no value.

6- CRED_DISP, CRED_ACQ, CRED_REFR
	Change "user pid=" to "user_pid="
	Remove the lonely ":" after "acct=" field

7- USYS_CONFIG
	Change "user pid=" to "user_pid="
	Remove "," and just leave spaces

These are the records I see right now. At the moment I am not seeing any 
watch records so I don't know if those have formatting issues... I'll 
add to this list as I find more.

Thanks,
- Loulwa
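The parser-side view of the formatting problems listed above, as an added example that is not part of Loulwa's message or of the audit tooling: a small Python parser that normalises the two-word field names to "_", drops the stray punctuation, and reports the bare words it had to ignore. The sample records are constructed, modelled on the ones quoted in the message, with made-up audit(TIME:SERIAL) headers.

```python
import re
import shlex

# Two-word field names quoted in the message; normalised to "_" before
# tokenising so "user pid=13827" parses as user_pid=13827.
TWO_WORD_FIELDS = ("auditd pid", "user pid", "sending auid")
# Stand-alone punctuation the message calls "stray symbols".
STRAY_TOKENS = {",", ":", "-", "(", ")", ";"}
HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")

# Constructed sample records modelled on the ones quoted in the message.
SAMPLES = [
    "type=USER_CHAUTHTOK msg=audit(1142450000.123:45): user pid=13827 uid=0 "
    "auid=0 msg='op=changing name acct=laf_c exe=\"/usr/sbin/usermod\" "
    "(hostname=?, addr=?, terminal=pts/1 res=success)'",
    "type=USER_CHAUTHTOK msg=audit(1142450000.456:46): user pid=12862 uid=0 "
    "auid=0 msg='password aging data updated - acct=laf_a, uid=500, min=-2, "
    "max=60, warn=-2, inact=-2: exe=\"/usr/bin/passwd\" (hostname=?, addr=?, "
    "terminal=pts/1 res=success)'",
    "type=CONFIG_CHANGE msg=audit(1142450001.789:47): auid=0 add rule to list=2 res=1",
]


def parse_record(line):
    """Return (fields, stray_words): key -> value pairs, with a quoted
    msg='...' sub-record that carries its own key=value pairs nested under
    "msg", plus the bare words (e.g. "by", "add rule to") that were ignored."""
    fields, stray = {}, []
    m = HEADER.search(line)
    if m:  # the audit(TIME:SERIAL): header is not a plain key=value field
        fields["time"], fields["serial"] = m.group(1), m.group(2)
        line = line[:m.start()] + line[m.end():]
    for name in TWO_WORD_FIELDS:
        line = line.replace(name + "=", name.replace(" ", "_") + "=")
    for tok in shlex.split(line):  # honours the '...' and "..." quoting
        tok = tok.strip("(),:;")   # punctuation glued onto a token
        if not tok or tok in STRAY_TOKENS:
            continue
        if "=" not in tok:
            stray.append(tok)      # lonely word: keep it visible, not silently lost
            continue
        key, value = tok.split("=", 1)
        if key == "msg" and "=" in value:
            sub_fields, sub_stray = parse_record(value)
            fields["msg"] = sub_fields
            stray.extend(sub_stray)
        else:
            fields[key] = value
    return fields, stray
```

Running parse_record over SAMPLES shows that each "lonely" word in the stray list is exactly the exception-code case the message asks to eliminate.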
