Refactoring src/ausearch-report.c:output_interpreted_node()
Burn Alting
burn at swtf.dyndns.org
Tue Oct 7 09:31:30 UTC 2014
All,
This patch prevents ausearch from parsing an event's "header" of node,
type, time and serial twice. That is
[node=<node>] type=<type> msg=audit(<epochsecs>.<msecs>:<serial>)
It does this by passing the llist->e value to output_interpreted_node()
as this structure holds the already parsed event "header" information.
The code does not change the ausearch -i output.
Rgds
On Thu, 2014-10-02 at 19:29 +1000, Burn Alting wrote:
> Thanks Steve,
>
> Patch to follow this weekend.
>
> Rgds
>
> On Wed, 2014-10-01 at 18:28 -0400, Steve Grubb wrote:
> > On Thursday, October 02, 2014 07:52:47 AM Burn Alting wrote:
> > > On Wed, 2014-10-01 at 17:19 -0400, Steve Grubb wrote:
> > > > On Thursday, October 02, 2014 07:08:13 AM Burn Alting wrote:
> > > > > On Wed, 2014-10-01 at 14:54 -0400, Steve Grubb wrote:
> > > > > > > I am uncertain what effect of accepting this additional format would
> > > > > > > have when adding rules to the running audit system - i.e.
> > > > > > > audit_name_to_msg_type() is called by autrace/auditctl when parsing
> > > > > > > rules (ie the msgtype field name).
> > > > > >
> > > > > > I think ausearch-report.c might be the place that needs updating.
> > > > >
> > > > > So, could we modify output_interpreted_node() to no longer re-parse the
> > > > >
> > > > > [node=<node>] type=<type> msg=audit(<epochsecs>.<msecs>:<serial>)
> > > > >
> > > > > header and pass both the lnode and llist->e which has this data already
> > > > > as the code
> > > > >
> > > > > if (num == -1) {
> > > > >
> > > > > // see if we are older and wiser now.
> > > > > bptr = strchr(str, '[');
> > > > > if (bptr && bptr < ptr) {
> > > > >
> > > > > char *eptr;
> > > > > bptr++;
> > > > > eptr = strchr(bptr, ']');
> > > > > if (eptr) {
> > > > >
> > > > > *eptr = 0;
> > > > > errno = 0;
> > > > > num = strtoul(bptr, NULL, 10);
> > > > > *eptr = ']';
> > > > > if (errno)
> > > > >
> > > > > num = -1;
> > > > >
> > > > > }
> > > > >
> > > > > }
> > > > >
> > > > > }
> > > > >
> > > > > which parses for
> > > > >
> > > > > type=.*[n].*
> > > > >
> > > > > is no longer needed as we don't have that format any more?
> > > >
> > > > That is a very loose check for UNKNOWN[####]. If you see a performance
> > > > improvement by refactoring this function, please send a patch. The output
> > > > needs to be identical to the old way.
> > > >
> > > > Thanks,
> > > > -Steve
> > >
> > > I can provide a patch to refactor this part of the code, but I want to
> > > confirm there is no longer a need to parse for
> > >
> > > type=some_text '[' integer_type ']' some_other_text
> >
> > While this may have been implied by the code, the fact is that [ ] would only
> > be in type fields when its unknown[####].
> >
> >
> > > given my refactoring will rely upon the parsing already done by
> > > lib/lookup_table.c:audit_name_to_msg_type(). Remember this routine only
> > > parses for
> > > Given
> > > type=<type_value>
> > > then
> > > <type_value>
> > > is parsed for
> > > - a known string
> > > - a long integer number, n, found in the specific string
> > > "UNKNOWN[n]"
> > > - a long integer number, n, found in the specific string
> > > "n"
> >
> > These 3 formats are all that it can ever be. So, I think you have a correct
> > understanding.
> >
> > -Steve
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
-------------- next part --------------
A non-text attachment was scrubbed...
Name: audit-2.4_ausearch_refactor_01.patch
Type: text/x-patch
Size: 4026 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20141007/d3ba9992/attachment.bin>
More information about the Linux-audit
mailing list