audit_ftype_to_name?

Steve Grubb sgrubb at redhat.com
Tue Oct 22 21:26:12 UTC 2013


On Tuesday, October 22, 2013 09:58:05 PM Stephen Quinney wrote:
> On Tue, Oct 22, 2013 at 01:59:32PM -0400, Steve Grubb wrote:
> > On Friday, October 18, 2013 12:47:23 PM Stephen Quinney wrote:
> > > I can't see any definition of the ftype_i2s function which is called
> > > by audit_ftype_to_name so maybe this hasn't been implemented yet?
> > 
> > Yes, it has been. However, it's over in lib/libaudit.
> 
> I suspect I'm a little confused here, is libaudit provided separately
> from the main audit code?

No, it's all there.

> % tar zxf Downloads/audit-2.3.2.tar.gz
> % grep -ri ftype_i2s audit-2.3.2/
> audit-2.3.2/lib/lookup_table.c:   return ftype_i2s(ftype);
> 
> So, I don't see the function definition, just the call.

The lookup tables are performance critical. So, what happens is at compile 
time a program builds a b-tree and functions to access them based on the 
current name/value entries. It would be hard to maintain by hand. So, you'd 
need to compile the code to see the definition.


> > It seems to work fine on my system:
> > 
> > #!/usr/bin/env python
> > import sys
> > import audit
> > 
> > name = audit.audit_ftype_to_name(0140000)
> > print '%s\n' % (name,),
> > sys.exit(0)
> 
> So, I was trying to use it to translate the value returned by the
> get_field_type function in auparse, should that work?

The field type is sort of an internal classification scheme. It is available to 
help decide if you want the raw text or interpreted representation of the 
field.

For example, you may be processing text and checking for the type to be 
AUPARSE_TYPE_ESCAPED in which case you need to call auparse_interpret_field 
rather than use the raw text. This is the whole purpose for allowing internal 
state information out of the parser.

The audit_ftype_to_name() function is also sort of an internal function not 
meant for outside callers. What it does is lookup the _file_ type. Not exactly 
what you are looking for.

There is no lookup table to go from the numeric internal representation to a 
text value of the internal representation. It's always been considered internal 
state that no one should be using beyond needing to know when they must ask 
for an interpretation of an encoded field.

-Steve
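
Added example, not part of the original message and not the audit project's generated code: a sketch of the kind of value-to-name lookup a build step can emit for file types, using a sorted array with binary search rather than whatever structure the audit build actually produces. The names `ftype_lookup` and `ftype_table_ok`, the name strings and the sample value 4 are assumptions made for illustration; the point is that the table is keyed on file-type values such as 0140000, so a small parser field-type number finds no entry.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed string pool: every name in one array, addressed by offset.
 * The names are illustrative, not copied from the audit sources. */
static const char ftype_strings[] =
    "block\0" "character\0" "dir\0" "fifo\0" "file\0" "link\0" "socket";
/* File-type values in ascending order (octal, as in the thread). */
static const int ftype_values[] = {
    0010000, 0020000, 0040000, 0060000, 0100000, 0120000, 0140000
};
/* Offset of each value's name in ftype_strings, same order as above:
 * fifo, character, dir, block, file, link, socket. */
static const unsigned ftype_offsets[] = { 20, 6, 16, 0, 25, 30, 35 };
#define FTYPE_COUNT (sizeof ftype_values / sizeof ftype_values[0])

/* Binary search; returns the name on an exact match, NULL otherwise. */
const char *ftype_lookup(int v) {
    size_t lo = 0, hi = FTYPE_COUNT;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (ftype_values[mid] == v)
            return ftype_strings + ftype_offsets[mid];
        if (ftype_values[mid] < v) lo = mid + 1; else hi = mid;
    }
    return NULL;
}

/* Invariants a generator would guarantee: values strictly ascending and
 * every offset pointing at the start of a non-empty string in the pool. */
int ftype_table_ok(void) {
    for (size_t i = 0; i < FTYPE_COUNT; i++) {
        unsigned off = ftype_offsets[i];
        if (i > 0 && ftype_values[i - 1] >= ftype_values[i]) return 0;
        if (off >= sizeof ftype_strings || !ftype_strings[off]) return 0;
        if (off > 0 && ftype_strings[off - 1] != '\0') return 0;
    }
    return 1;
}

int main(void) {
    int samples[] = { 0140000, 0100000, 4 }; /* 4: constructed non-file-type value */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *n = ftype_lookup(samples[i]);
        printf("%#o -> %s\n", (unsigned)samples[i], n ? n : "(no file type)");
    }
    return ftype_table_ok() ? 0 : 1;
}
```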



