ASCII representations of audit events

John D. Ramsdell ramsdell at mitre.org
Fri Mar 24 11:24:42 UTC 2006


ramsdell at mitre.org (John D. Ramsdell) writes:

> Binary data can occur in logs for unexpected reasons.  For example, a
> log file can become corrupted, or something that is not a log file can
> accidentally be used as one.  

It occurred to me it's much easier to put binary data into a log
file.  Just open a file with a UTF-8 name while logging the open
system call.  Catting that log file in putty is likely to put it into
a bad mode.

Anyway, let me use this opportunity to include a version of emit.h in
which the most embarrassing grammatical errors have been corrected.

John

#if !defined EMIT_H
#define EMIT_H

/* The emitters generate tab separated values when the flag is
   non-zero, otherwise name-value pairs are separated by an equal
   sign. */

void set_tsv_mode(int flag);

/* Emit an event start marker, the string "---\n". */

void emit_start_event(void);

/* Emit an end of record marker, a newline character. */

void emit_record_end(void);

/* Emit the field separator, a tab character when in TSV mode,
   otherwise a space character. */

void emit_field_separator(void);

/* Emit the name-value pair separator, a tab character when in TSV
   mode, otherwise an equal sign character. */

void emit_name_value_separator(void);

/* Emit a name or a value.  In TSV mode, the output is quoted using
   the C string literal syntax.  Letters, digits, and space characters
   are emitted unmodified.  Characters that can be represented with
   character escapes, such as the tab and newline characters, are
   printed using a character escape, with the exception of apostrophe
   and question mark, which are emitted unmodified.  Also emitted
   unmodified are the graphics characters: !#%^&*(_)-+=~[]|;:{},.<>/.
   The remaining characters are output using three digit octal numeric
   escapes.

   In non-TSV mode, a name or a value is emitted unmodified if it
   contains only characters that are emitted unmodified in TSV mode,
   and does not contain an equal sign or a space character.  Otherwise,
   it is emitted as in TSV mode surrounded by double quotes.

   A name or value emitted in TSV mode is designed to be scripting
   language friendly.  For example in Python, if the variable item
   contains a value, and it has a back slash, one obtains the string
   it represents with the expression eval('"' + item + '"', {}, {}). */

void emit_item(const char *bytes);

#endif
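The quoting rules above are what keep terminal control bytes and raw UTF-8 (the PuTTY problem mentioned earlier) out of the log. As an added example, not John's emit.c, here is a C encoder that applies those rules to a caller-supplied buffer; the names encode_item() and encodes_to() are my own, chosen so the result can be checked rather than printed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Bytes with a C character escape, and the letter after the backslash. */
static const char esc_from[] = "\a\b\f\n\r\t\v\\\"";
static const char esc_to[]   = "abfnrtv\\\"";
/* Graphics characters emitted unmodified; apostrophe and '?' join them. */
static const char graphics[] = "!#%^&*(_)-+=~[]|;:{},.<>/'?";
static int is_unmodified(unsigned char c)
{
    if (c == '\0' || c >= 0x80) return 0;  /* strchr() would match the NUL */
    return isalnum(c) || c == ' ' || strchr(graphics, c) != NULL;
}
/* Write the TSV-mode encoding of one byte into out; return its length. */
static int encode_byte(unsigned char c, char *out, size_t outsz)
{
    const char *e = c ? strchr(esc_from, c) : NULL;
    if (e != NULL)
        return snprintf(out, outsz, "\\%c", esc_to[e - esc_from]);
    if (is_unmodified(c))
        return snprintf(out, outsz, "%c", c);
    return snprintf(out, outsz, "\\%03o", c);  /* ESC -> \033, 0xC3 -> \303 */
}

/* Encode bytes as emit_item() would; return the length, or -1 if it does
   not fit in out.  Non-TSV mode adds the double quotes only when needed. */
int encode_item(const char *bytes, int tsv_mode, char *out, size_t outsz)
{
    const unsigned char *p = (const unsigned char *)bytes;
    size_t len = 0; int quote = 0;
    if (outsz < 3) return -1;
    if (!tsv_mode)
        for (; *p; p++)
            if (!is_unmodified(*p) || *p == '=' || *p == ' ') quote = 1;
    if (quote) out[len++] = '"';
    for (p = (const unsigned char *)bytes; *p; p++) {
        int n = encode_byte(*p, out + len, outsz - len);
        if (n < 0 || (size_t)n >= outsz - len) return -1;
        len += (size_t)n;
    }
    if (quote) out[len++] = '"';
    if (len >= outsz) return -1;
    out[len] = '\0';
    return (int)len;
}
int encodes_to(const char *bytes, int tsv_mode, const char *want) /* exact match? */
{
    char buf[128];
    return encode_item(bytes, tsv_mode, buf, sizeof buf) >= 0 && strcmp(buf, want) == 0;
}
```

The constructed inputs in the checks include an ANSI escape prefix and a UTF-8 "é", both of which come out as octal escapes that a terminal will never interpret.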

More information about the Linux-audit mailing list