Use case not covered by the audit library?

Gulland, Scott A scott.gulland at hpe.com
Tue Jan 5 21:59:25 UTC 2016


> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb at redhat.com]
> Sent: Thursday, December 17, 2015 6:51 PM

> > > My problem is I don't know what the proper set of "keys" are and the
> > > values they should contain.  If my assumptions are correct, is there
> > > any documentation on the key-value pairs and how to format the
> > > contents of the message parameter?  Based on what I've seen in the
> > > audit log file, I would add "acct=<user>" to the contents of the
> > > message to reflect the particular authenticated user who issued the REST
> API call.
> > Well, Steve has published these as a starting point.  I'm sure he'll
> > chime in when he sees your message.
> >
> >         http://people.redhat.com/sgrubb/audit/audit-events.txt
> >         http://people.redhat.com/sgrubb/audit/audit-parse.txt
> 
> Thanks for pointing these out, Richard.
> 
> The basic guidance for AUDIT_USYS_CONFIG is to record old and new values.
> Typically old values are prefixed with 'old-' and new values are the name of
> the field with no prefix.
> 
> Any field whose value the user could influence has to be handled in such a
> way as to not allow them to trick the parser if they are malicious. For the
> most part, we hex encode those fields and then write some code to label the
> fields as encoded so that interpretation can be done later.
> 
> Since your field names may not be official names in the audit system, you
> may have to filter illegal characters the user sent during event construction
> and fill in spaces with an underscore or dash.

Thanks for the feedback and information.  It has been very helpful.  I've done
some testing using the "val" and "old-val" field names with data values encoded
by audit_encode_nv_string(...).  However, when I try to display the event with
"ausearch --interpret ..." neither field's data is decoded back into ASCII text.  So
I plan on using the "op", "data" and "euid" fields.  Only the data field needs to
be encoded, and ausearch does decode this field correctly.  My message text
would look like:

    "op=<op text> data=<encoded data> euid=<uid>"

When I was using ausearch I expected to be able to find events by uid using
either the "-ua" or "-ue" option that would match the euid field's value, but no
matching events were found.  Is this expected behavior?  The "-I" option did
correctly convert the euid into the user name.

Scott G.
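The encoding rule discussed above (hex-encode any user-influenced value so it cannot smuggle extra name=value pairs into the record), worked through as an added example. This is not code from the thread or from libaudit: it re-implements the rule that libaudit's audit_encode_nv_string() applies (quoted when safe, uppercase hex otherwise) in Python so the "trick the parser" case can be shown end to end. The field regex, the sanitize_token() helper and its allowed character set, the build_message_unsafe() counterpart and the HOSTILE sample value are all constructed here for illustration.

```python
"""Added example (not from the thread or from libaudit): models the
value-encoding convention for user-space audit messages so the injection
an unencoded value allows can be seen next to the encoded form."""
import re


def value_needs_encoding(value: bytes) -> bool:
    """Rule libaudit uses: hex-encode if the value contains a double quote,
    any byte below 0x21 (space, control characters) or 0x7F and above."""
    return any(b == 0x22 or b < 0x21 or b >= 0x7F for b in value)


def encode_nv(name: str, value: bytes) -> str:
    """name=value in the two shapes audit_encode_nv_string() produces:
    a double-quoted string when the value is safe, uppercase hex otherwise."""
    if value_needs_encoding(value):
        return f"{name}={value.hex().upper()}"
    return f'{name}="{value.decode("ascii")}"'


def sanitize_token(text: str) -> str:
    """Filter a caller-supplied token such as the op text: anything outside
    [A-Za-z0-9_.:-] becomes an underscore (the substitution the reply suggests
    for spaces; the exact allowed set is an assumption made here)."""
    return re.sub(r"[^A-Za-z0-9_.:-]", "_", text) or "unknown"


def build_message(op: str, data: bytes, euid: int) -> str:
    """Message text in the 'op=... data=... euid=...' layout from the thread.
    Only data is user-influenced, so only data goes through the encoder."""
    return f"op={sanitize_token(op)} {encode_nv('data', data)} euid={int(euid)}"


def build_message_unsafe(op: str, data: bytes, euid: int) -> str:
    """Same layout with data merely quoted; constructed here to show what the
    encoder prevents (this is not a libaudit API)."""
    return f'op={op} data="{data.decode("latin-1")}" euid={int(euid)}'


# A simple name=value tokenizer of the kind a hostile value can confuse:
# a quoted token or a run of non-space characters after the '='.
FIELD_RE = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_fields(msg: str) -> dict:
    """Split message text into name -> raw token (later names overwrite)."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(msg)}


def interpret_data(raw: str) -> bytes:
    """Recover the original bytes of the data field: a quoted token is taken
    literally, anything else is hex (what ausearch --interpret does for it)."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].encode("ascii")
    return bytes.fromhex(raw)


# Constructed sample: a REST request value chosen to smuggle extra fields.
HOSTILE = b'foo" res=success acct="root'

if __name__ == "__main__":
    good = build_message("rest_query", HOSTILE, 1000)
    bad = build_message_unsafe("rest_query", HOSTILE, 1000)
    print("encoded:", good, "->", sorted(parse_fields(good)))
    print("unsafe :", bad, "->", sorted(parse_fields(bad)))
    print("decoded:", interpret_data(parse_fields(good)["data"]))
```

The string build_message() returns is the message text you would hand to libaudit (for example as the message argument of audit_log_user_message()); the kernel and auditd add the uid=/auid=/ses= header fields around it. In the unsafe form the tokenizer sees res=success and acct="root" as real fields, while the encoded form yields only op, data and euid and the original bytes come back intact from interpret_data().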
