[RFC] New ausearch output option & audit viewing in Spacewalk

John Dennis jdennis at redhat.com
Mon Jun 8 17:43:52 UTC 2009


Joshua Roys wrote:
> Hello all.
> 
> As part of developing an audit viewing "plugin"[1] to Spacewalk[2], I
> wrote a small program to use libauparse to output (easily)
> machine-parsable audit logs.  I think this functionality would be nice
> to have in ausearch, and as such, wrote a patch for it.
> 
> As well as reviewing this patch, I would like your feedback concerning
> the Spacewalk audit plugin.  Any questions or constructive criticism are
> welcome.

[Steve may want to correct and/or comment about my statements on the
parsing logic which is in ausearch.]

The idea is interesting, but I think this is the wrong implementation
approach; there should only be one library which knows how to read audit
data, namely libauparse. The code you've added is duplicating some of
the logic in libauparse. If the audit format ever changes (or you have a
parsing bug) then this code will break. The fact that ausearch has logic in
it to parse audit data is historical: at the time ausearch was written,
libauparse did not exist yet. I believe Steve has said that ausearch
needs to be rewritten to layer on top of libauparse.

I'm glad to see the use of "interpret" on the value; this is often
valuable, but not always. It's critical for strings. But how about
things like uids? You probably want both the uid number and the name it
maps to, so perhaps it needs to output both the raw and interpreted values
separated by delimiters, or make it an option. I'd rather see a blank
line to delimit events rather than "----".

Also, it appears as though you're outputting records and not events (an
event is the union of all records with the same ID
(node,seconds,milli,serial)). I think the output should be coalesced
into events.

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
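To make concrete what "coalescing records into events keyed by (node,seconds,milli,serial)" and printing raw and interpreted values side by side looks like, here is an added Python example; it is not code from the thread, the patch or the audit project. It hand-parses a few constructed records only so that it runs stand-alone; as the reply above argues, a real tool would let libauparse do the parsing, event grouping and field interpretation, and the uid-to-name table below is an assumed stand-in for that.

```python
import re

# Constructed sample records (not from the thread). Records of the two
# events are interleaved, as they can be in a real audit.log.
SAMPLE_LOG = """\
node=host1 type=SYSCALL msg=audit(1244480000.123:456): syscall=2 success=yes exit=3 uid=0 auid=500 comm="cat"
node=host1 type=SYSCALL msg=audit(1244480000.124:457): syscall=2 success=no exit=-13 uid=500 auid=500 comm="vi"
node=host1 type=PATH msg=audit(1244480000.123:456): item=0 name="/etc/shadow" inode=1234
node=host1 type=PATH msg=audit(1244480000.124:457): item=0 name="/etc/shadow" inode=1234
"""
HEADER = re.compile(r'^(?:node=(\S+) )?type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed uid->name table; a real tool would take the interpreted value
# from libauparse (auparse_interpret_field) instead of a hand-built map.
UID_NAMES = {0: "root", 500: "jroys"}

def parse_record(line):
    """Split one raw record into its event ID, record type and fields."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    node, rtype, secs, milli, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return (node, int(secs), int(milli), int(serial)), rtype, fields

def coalesce_events(text):
    """Group records by event ID (node, seconds, milli, serial), first-seen order."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            eid, rtype, fields = parse_record(line)
            events.setdefault(eid, []).append((rtype, fields))
    return events

def interpret(key, value):
    """Return (raw, interpreted); only uid/auid are mapped in this example."""
    if key in ("uid", "auid") and value.isdigit():
        return value, UID_NAMES.get(int(value), "unknown")
    return value, value

def format_events(events):
    """Emit key=raw|interpreted lines per record; a blank line separates events."""
    out = []
    for (node, secs, milli, serial), records in events.items():
        out.append("event=%s:%d.%03d:%d" % (node, secs, milli, serial))
        for rtype, fields in records:
            out.append("type=" + rtype)
            out.extend("%s=%s|%s" % ((k,) + interpret(k, v)) for k, v in fields.items())
        out.append("")
    return "\n".join(out)
```

Running `print(format_events(coalesce_events(SAMPLE_LOG)))` shows the two SYSCALL/PATH pairs regrouped under their own event IDs even though they were interleaved in the input.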
