Audit Parsing Library Requirements

John D. Ramsdell ramsdell at mitre.org
Fri Mar 24 12:16:39 UTC 2006


Steve Grubb <sgrubb at redhat.com> writes:

> I just updated the audit library parsing spec to include all this
> information.  I don't mention what records they are in. Instead it
> lists what all the field definitions are.

Steve,

This is very helpful information.  I expect I will be acquiring field
values using auparse_interpret_field, not auparse_get_field_str, so I
would really like to see the field definitions augmented with a
description of their results when the field is interpreted.  When
there is a difference, perhaps you could describe it within say
parentheses.

I'd like to engage you in a thought experiment.  Suppose the task is
to generate strace-like output from an audit log.  To make the
experiment concrete, let's suppose each event is given to you as a
sequence of Python dictionaries, and each dictionary contains the
content of a single audit record.  As near as I can tell, here are the
beginnings of an algorithm that can do the job.

Let seq be a sequence of dictionaries representing an audit event.

1. If the sequence contains no dictionary that maps "type" to
   "SYSCALL", process the next event.

2. Set n to be the index in seq of the dictionary that maps "type" to
   "SYSCALL".

3. If seq[n]["syscall"] contains a parenthesis, goto step 10.

4. Print seq[n]["syscall"]

5. Let i be seq[n]["items"] or zero if seq[n]["items"] is not defined.
 
6. For j from 0 to i-1, print the "name" field from the dictionary
   that maps "type" to "PATH", and "item" to j.

7. For j from i+1 by 1, while seq[n]["a" + str(j)] is defined, print
   seq[n]["a" + str(j)].

8. Print seq[n]["exit"].

9. Process the next event.

10. If seq[n]["syscall"] does not match "socketcall([^)]+)", goto 16.

11. Print the capture that results from matching "socketcall([^)]+)".

12. If there is a dictionary that maps "type" to "SOCKADDR", print
    saddr as the first argument to the system call, otherwise use
    the dictionary that maps "type" to "SOCKETCALL", to print the
    first argument.

13. Print the remaining arguments using the dictionary that maps
    "type" to "SOCKETCALL".

14. Print seq[n]["exit"].

15. Process the next event.

16. I haven't figured out how to handle the ipc system call.

Is this algorithm correct?  Perhaps the audit-parse.txt document
should contain a description of the correct algorithm.

John

> You can find it here:
> http://people.redhat.com/sgrubb/audit/audit-parse.txt
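The numbered steps above, transcribed into Python as an added example (this is not code from the post or from the audit library). The events are constructed, the parentheses in the socketcall pattern are assumed to be matched literally, and step 7 is read as taking the remaining register arguments from a<items> onward.

```python
import re

# Constructed sample events (not from a real audit log): an event is a list of
# dicts, one per audit record, holding that record's interpreted fields.
OPEN_EVENT = [
    {"type": "SYSCALL", "syscall": "open", "items": "1", "exit": "3",
     "a0": "bffff8e0", "a1": "O_RDONLY", "a2": "0", "a3": "0"},
    {"type": "PATH", "item": "0", "name": "/etc/passwd"}]
CONNECT_EVENT = [
    {"type": "SYSCALL", "syscall": "socketcall(connect)", "exit": "0", "a0": "3"},
    {"type": "SOCKETCALL", "nargs": "3", "a0": "3", "a1": "bffff9d0", "a2": "16"},
    {"type": "SOCKADDR", "saddr": "inet host:127.0.0.1 serv:80"}]

SOCKETCALL_RE = re.compile(r"socketcall\(([^)]+)\)")  # parentheses matched literally


def find_record(seq, rtype, **fields):
    # First dict in seq whose "type" is rtype and whose fields equal `fields`, else None.
    for rec in seq:
        if rec.get("type") == rtype and all(rec.get(k) == v for k, v in fields.items()):
            return rec
    return None


def numbered_args(rec, start):
    # rec["a<start>"], rec["a<start+1>"], ... for as long as the fields are defined.
    args = []
    while "a%d" % (start + len(args)) in rec:
        args.append(rec["a%d" % (start + len(args))])
    return args


def format_event(seq):
    # Render one event strace-style; None where the post's algorithm skips it.
    sc = find_record(seq, "SYSCALL")                 # steps 1-2
    if sc is None:
        return None
    name = sc["syscall"]
    if "(" not in name:                              # steps 4-8: ordinary system call
        items = int(sc.get("items", 0))              # step 5
        paths = [find_record(seq, "PATH", item=str(j)) for j in range(items)]  # step 6
        args = ['"%s"' % p["name"] if p else "?" for p in paths]
        args += numbered_args(sc, items)             # step 7: remaining register args
    else:
        m = SOCKETCALL_RE.match(name)                # step 10
        if m is None:
            return None                              # step 16: ipc() not handled
        name = m.group(1)                            # step 11
        call = find_record(seq, "SOCKETCALL") or {}
        addr = find_record(seq, "SOCKADDR")          # step 12
        args = [addr["saddr"] if addr else call.get("a0", "?")]
        args += numbered_args(call, 1)               # step 13
    return "%s(%s) = %s" % (name, ", ".join(args), sc["exit"])  # steps 8 / 14
```

Running it over the two constructed events shows where the transcription follows the steps literally, for example that step 13 still prints the SOCKETCALL pointer after the SOCKADDR text, which is the kind of detail a spec description of the algorithm would need to settle.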