Audit format utility

Burn Alting burn at swtf.dyndns.org
Sun Sep 28 04:52:53 UTC 2014


Steve,

Had a play around with it. I am not sure about its value in its
current form. Rather than specifying the keys to print, it would be
better to print everything in the event and only 'override' the standard
formatting if there is an 'snode' for a key.

Further, it has a couple of immediate issues given it's using
libauparse.

-  it is "lossy" in that it won't parse poorly formed audit events (see
the op key value pair below)
        [burn at swtf auformat]$ cat add_user.txt
        node=swtf.swtf.dyndns.org type=ADD_USER msg=audit(1411871714.393:47872): user pid=13455 uid=0 auid=500 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding home directory id=502 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/2 res=success'
        [burn at swtf auformat]$ ./auformat "%node %date %time %milli %serial: type=%TYPE msg=%msg op=%op auid=%auid pid=%pid  path=%path exe=%exe subj=%subj hostname=%hostname terminal=%terminal res=%res\n" add_user.txt
        swtf.swtf.dyndns.org 09/28/2014 12:35:14 393 47872: type=ADD_USER msg= op=adding auid=500 pid=13455  path= exe="/usr/sbin/useradd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 hostname=? terminal=pts/2 res=success
        [burn at swtf auformat]$
        
We lose the strings
    - 'user' before the pid key
    - op='adding home directory' becomes op='adding'
This is particularly important for incorrectly formatted application
level audit sent via auditd.

- 'rewinding' the event's cursor for each possible key, the call to
auparse_first_record() in print_item(), is probably not what one would
want - but then again, auformat is just a mock up at the moment.

- one loses the parsing 'fix-up' that ausearch does in
src/ausearch-report.c:output_interpreted_node()

- to build a complete event, having addressed the 'rewinding' issue,
would make the format look very messy - you would need to include every
possible key to print all key/values. 

- one should add event separation so that further tools could process
the data more easily.

At the moment, the only tool I'm aware of that 'correctly' parses a log
file is ausearch. Perhaps we would be better served by adding another
output option to ausearch to print events in a much more parse-able
format (e.g. XML, JSON).

I am happy to work on this (either extending ausearch or working on
auformat).

Rgds


On Fri, 2014-09-26 at 10:24 -0500, LC Bruzenak wrote:
> On 09/25/2014 10:05 PM, Steve Grubb wrote:
> > But this proposal is purely about output and not searching.
> I get it now; thanks Steve!
> 
> LCB
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
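As an added illustration, not code from the mail or from the audit project, here is a small Python parser that keeps the two things the mail says the libauparse-based auformat loses: bare words such as 'user' and unquoted values containing spaces such as op=adding home directory. It assumes (my heuristic, not documented auditd behaviour) that inside the application-supplied msg='...' body an unquoted value runs up to the next key= token; the function names are mine, and the sample is the ADD_USER record from the mail joined onto one line. The result is a dict ready for json.dumps, i.e. the parse-able output the mail asks for.

```python
import re

# Constructed sample: the ADD_USER record quoted in the mail above, joined onto one line.
ADD_USER = (
    "node=swtf.swtf.dyndns.org type=ADD_USER msg=audit(1411871714.393:47872): "
    "user pid=13455 uid=0 auid=500 ses=11 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=adding home directory id=502 exe=\"/usr/sbin/useradd\" "
    "hostname=? addr=? terminal=pts/2 res=success'"
)
KEY_RE = re.compile(r"^([A-Za-z_][\w-]*)=")


def parse_fields(text, greedy):
    """Return (key, value) pairs; words with no '=' are kept as ('_bare', word), not dropped.
    greedy=True (assumed heuristic) lets an unquoted value absorb following bare words up to
    the next key=, which recovers malformed application text such as op=adding home directory."""
    tokens, pairs, i = text.split(), [], 0
    while i < len(tokens):
        m = KEY_RE.match(tokens[i])
        if not m:                                   # e.g. the stray "user" before pid=
            pairs.append(("_bare", tokens[i]))
            i += 1
            continue
        key, rest, i = m.group(1), tokens[i][m.end():], i + 1
        if rest[:1] in ("'", '"'):                  # quoted: join tokens until the quote closes
            parts = [rest]
            while not (len(" ".join(parts)) > 1 and parts[-1].endswith(rest[0])) and i < len(tokens):
                parts.append(tokens[i])
                i += 1
            value = " ".join(parts)[1:-1]
        else:
            parts = [rest]
            while greedy and i < len(tokens) and not KEY_RE.match(tokens[i]):
                parts.append(tokens[i])
                i += 1
            value = " ".join(parts)
        pairs.append((key, value))
    return pairs


def parse_record(line):
    """JSON-ready dict: auditd header fields verbatim, timestamp/serial split out of
    msg=audit(ts:serial):, bare words under '_bare', and the msg='...' body as a nested dict."""
    record = {}
    for key, value in parse_fields(line, greedy=False):
        if key == "msg" and value.startswith("audit("):   # the auditd-written header
            ts, serial = value[6:].split(")")[0].split(":")
            record["timestamp"], record["serial"] = float(ts), int(serial)
        elif key == "msg":                                 # the application-supplied body
            record["msg"] = dict(parse_fields(value, greedy=True))
        elif key == "_bare":
            record.setdefault("_bare", []).append(value)
        else:
            record[key] = value
    return record
```

Feeding parse_record(ADD_USER) to json.dumps gives one JSON object per record with op="adding home directory" and "user" preserved under "_bare".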
