Questions about the standard (Google Summer of Code Project)

Mateusz Piotrowski 0mp at FreeBSD.org
Wed Jul 13 11:23:29 UTC 2016 

Hi,

I participate in Google Summer of Code and my project involves converting Linux Audit logs to BSM logs.

As I was writing a parser and converter I stumbled upon a couple of things I do not understand and I cannot find in the documentation:

1. Where are all the elements like auditd start, user, etc. listed? I cannot find any document which specifies what can occurs between the colon (separating the type and the msg=audit(…) from the fields) and the record’s fields. 

2. Why are there two spaces between the colon and the first field in records of type=CWD and a field cwd=“/root”? Here’s an example: 

        type=CWD msg=audit(1464013682.961:409):  cwd="/root”

3. According to Red Hat’s documentation[1]:

 > Each record consists of several name=value pairs separated by a white space or a comma.
 
 a) Is a white space always a space? Can be any white space like the tab character?
 b) Why do some records are separated by a comma and a whitespace? Example:

            type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success

 I’ve posted the question on Unix & Linux SE: [3].

4. Is it possible that there are duplicate fields in a record? Something like (which doesn’t make much sense obviously):

        type=CWD msg=audit(1464013682.961:409):  cwd="/root” cwd=“/usr”

 I’ve already asked a similar question on Unix & Linux SE: [4].

5. Is there a document which answers my questions? That would be cool!


Thanks a lot for help!

Cheers!

Matuesz Piotrowski

[GSoC project’s wiki]: https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools <https://wiki.freebsd.org/SummerOfCode2016/NonBSMtoBSMConversionTools>
[1]: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Understanding_Audit_Log_Files.html <https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Understanding_Audit_Log_Files.html>
[3]: http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records <http://unix.stackexchange.com/questions/293975/undocumented-format-of-linux-audit-log-records>
[4]: http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique <http://unix.stackexchange.com/questions/293809/can-i-be-sure-that-the-name-of-a-linux-audit-records-field-is-unique>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20160713/a7fc49e1/attachment.htm>

More information about the Linux-audit mailing list