[PATCH] audit: add Paul Moore to the MAINTAINERS entry
by Paul Moore
After a long stint maintaining the audit tree, Eric asked me to step
in and handle the day-to-day management of the audit tree. We should
also update the linux-audit mailing list entry to better reflect
current usage.
Signed-off-by: Paul Moore <pmoore(a)redhat.com>
---
MAINTAINERS | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/MAINTAINERS b/MAINTAINERS
index c2066f4..86c24fd 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -1689,10 +1689,11 @@ S: Supported
F: drivers/scsi/esas2r
AUDIT SUBSYSTEM
+M: Paul Moore <paul(a)paul-moore.com>
M: Eric Paris <eparis(a)redhat.com>
-L: linux-audit(a)redhat.com (subscribers-only)
+L: linux-audit(a)redhat.com (moderated for non-subscribers)
W: http://people.redhat.com/sgrubb/audit/
-T: git git://git.infradead.org/users/eparis/audit.git
+T: git git://git.infradead.org/users/pcmoore/audit
S: Maintained
F: include/linux/audit.h
F: include/uapi/linux/audit.h
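Review bot: the address on the new M: line (paul@paul-moore.com, shown here with the archive's "(a)" obfuscation) is not the one on the Signed-off-by line (pmoore@redhat.com); since MAINTAINERS is what get_maintainer.pl and patch submitters go by, either confirm in the commit message that audit patches should go to the personal address or make the two agree. The new T: line also drops the ".git" suffix that the old one carried; fine if that is how the new tree is published, but worth checking the URL actually resolves before this lands.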
10 years, 2 months
[GIT PULL] Audit changes for 3.18
by Eric Paris
So this change across a whole bunch of arches really solves one basic
problem. We want to audit when seccomp is killing a process. seccomp
hooks in before the audit syscall entry code. audit_syscall_entry took
as an argument the arch of the given syscall. Since the arch is part of
what makes a syscall number meaningful, it's an important part of the
record, but it isn't available when seccomp shoots the syscall...
For most arches we have a better way to get the arch (syscall_get_arch).
So the solution was twofold: implement syscall_get_arch() everywhere
there is audit which didn't have it, and use syscall_get_arch() in the
seccomp audit code. Having syscall_get_arch() everywhere meant the arch
argument was a useless flag on the stack and we could get rid of it for
the typical syscall entry.
This of course results in a couple of merge issues. Pretty easy: x86_64
appears to have removed the assembly we were editing and did it in C
code in arch/x86/kernel/ptrace.c::do_audit_syscall_entry(). The arm
conflict is also obvious.
The other changes inside the audit system aren't grand: fixed some
records that had invalid spaces, better locking around the task comm
field, removing some dead functions and structs, making some things
static. Really minor stuff.
The following changes since commit 19583ca584d6f574384e17fe7613dfaeadcdc4a6:
Linux 3.16 (2014-08-03 15:25:02 -0700)
are available in the git repository at:
git://git.infradead.org/users/eparis/audit.git master
for you to fetch changes up to 2991dd2b0117e864f394c826af6df144206ce0db:
audit: rename audit_log_remove_rule to disambiguate for trees (2014-10-10 15:30:25 -0400)
----------------------------------------------------------------
AKASHI Takahiro (1):
arm64: audit: Add audit hook in syscall_trace_enter/exit()
Burn Alting (1):
audit: invalid op= values for rules
Eric Paris (11):
audit: drop unused struct audit_rule definition
SH: define syscall_get_arch() for superh
UM: implement syscall_get_arch()
Alpha: define syscall_get_arch()
ARCH: AUDIT: implement syscall_get_arch for all arches
ARCH: AUDIT: audit_syscall_entry() should not require the arch
audit: fix build error when asm/syscall.h does not exist
sparc: simplify syscall_get_arch()
sparc: implement is_32bit_task
audit: arm64: Remove the audit arch argument to audit_syscall_entry
audit: WARN if audit_rule_change called illegally
Fabian Frederick (1):
kernel/audit.c: use ARRAY_SIZE instead of sizeof/sizeof[0]
Guenter Roeck (1):
next: openrisc: Fix build
Richard Guy Briggs (15):
syscall.h: fix doc text for syscall_get_arch()
audit: __audit_syscall_entry: ignore arch arg and call syscall_get_arch() directly
audit: add arch field to seccomp event log
audit: x86: drop arch from __audit_syscall_entry() interface
audit: reduce scope of audit_net_id
audit: reduce scope of audit_log_fcaps
audit: use atomic_t to simplify audit_serial()
audit: use union for audit_field values since they are mutually exclusive
audit: set nlmsg_len for multicast messages.
audit: correct AUDIT_GET_FEATURE return message type
audit: remove open_arg() function that is never used
audit: get comm using lock to avoid race in string printing
audit: put rule existence check in canonical order
audit: cull redundancy in audit_rule_change
audit: rename audit_log_remove_rule to disambiguate for trees
Stephen Rothwell (1):
sparc: properly conditionalize use of TIF_32BIT
arch/alpha/include/asm/syscall.h | 11 +++++++
arch/alpha/kernel/ptrace.c | 2 +-
arch/arm/kernel/ptrace.c | 4 +--
arch/arm64/kernel/ptrace.c | 7 +++++
arch/ia64/include/asm/syscall.h | 6 ++++
arch/ia64/kernel/ptrace.c | 2 +-
arch/microblaze/include/asm/syscall.h | 5 +++
arch/microblaze/kernel/ptrace.c | 3 +-
arch/mips/include/asm/syscall.h | 2 +-
arch/mips/kernel/ptrace.c | 4 +--
arch/openrisc/include/asm/syscall.h | 5 +++
arch/openrisc/include/uapi/asm/elf.h | 3 +-
arch/openrisc/kernel/ptrace.c | 3 +-
arch/parisc/include/asm/syscall.h | 11 +++++++
arch/parisc/kernel/ptrace.c | 9 ++----
arch/powerpc/include/asm/syscall.h | 6 ++++
arch/powerpc/kernel/ptrace.c | 7 ++---
arch/s390/kernel/ptrace.c | 4 +--
arch/sh/include/asm/syscall_32.h | 10 ++++++
arch/sh/include/asm/syscall_64.h | 14 +++++++++
arch/sh/kernel/ptrace_32.c | 14 +--------
arch/sh/kernel/ptrace_64.c | 17 +---------
arch/sparc/include/asm/syscall.h | 7 +++++
arch/sparc/include/asm/thread_info_32.h | 2 ++
arch/sparc/include/asm/thread_info_64.h | 2 ++
arch/sparc/kernel/ptrace_64.c | 9 ++----
arch/um/kernel/ptrace.c | 3 +-
arch/x86/ia32/ia32entry.S | 12 +++----
arch/x86/kernel/entry_32.S | 11 +++----
arch/x86/kernel/entry_64.S | 11 +++----
arch/x86/kernel/ptrace.c | 8 ++---
arch/x86/um/asm/ptrace.h | 4 ---
arch/x86/um/asm/syscall.h | 15 +++++++++
arch/xtensa/kernel/ptrace.c | 2 +-
include/asm-generic/syscall.h | 2 +-
include/linux/audit.h | 25 +++++++++------
include/uapi/linux/audit.h | 14 +--------
include/uapi/linux/elf-em.h | 1 +
kernel/audit.c | 30 ++++++------------
kernel/audit.h | 1 -
kernel/audit_tree.c | 6 ++--
kernel/audit_watch.c | 4 +--
kernel/auditfilter.c | 56 +++++++++++++++++++--------------
kernel/auditsc.c | 28 ++++++-----------
44 files changed, 214 insertions(+), 188 deletions(-)
create mode 100644 arch/alpha/include/asm/syscall.h
create mode 100644 arch/x86/um/asm/syscall.h
10 years, 2 months
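The pull request above is about why a SECCOMP record without an arch= field cannot be interpreted reliably. As an added example (not code from the kernel or the audit tree), the Python below decodes the AUDIT_ARCH_* encoding that arch= carries (EM_* machine number in the low 16 bits, plus 64-bit and little-endian flag bits) and shows on constructed records that the same syscall number names different calls on different ABIs. The three records, the EM table and the cut-down syscall tables are constructed for illustration; the numeric constants themselves are the real ones.

```python
import re

# Real flag bits from include/uapi/linux/audit.h and a subset of the EM_*
# machine numbers from include/uapi/linux/elf-em.h.
AUDIT_ARCH_64BIT_FLAG = 0x80000000
AUDIT_ARCH_LE_FLAG = 0x40000000
EM_NAMES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}

# Real syscall numbers for two calls on four ABIs, enough to show that the
# number alone does not identify the call; a full table comes from each
# arch's unistd.h.
SYSCALL_NAMES = {
    "x86_64":  {1: "write", 60: "exit"},
    "i386":    {1: "exit", 4: "write"},
    "arm":     {1: "exit", 4: "write"},
    "aarch64": {64: "write", 93: "exit"},
}

# Constructed SECCOMP records: two with the arch= field this pull adds, one
# in the older layout without it. Other field values are made up.
SECCOMP_X86_64 = ('type=SECCOMP msg=audit(1412345678.100:11): auid=1000 uid=1000 gid=1000 '
                  'ses=2 pid=4242 comm="sandbox" exe="/usr/bin/sandbox" sig=31 '
                  'arch=c000003e syscall=1 compat=0 ip=0x7f1e2c3d4e5f code=0x0')
SECCOMP_I386 = ('type=SECCOMP msg=audit(1412345678.101:12): auid=1000 uid=1000 gid=1000 '
                'ses=2 pid=4243 comm="sandbox32" exe="/usr/bin/sandbox32" sig=31 '
                'arch=40000003 syscall=1 compat=1 ip=0xf7e1a2b3 code=0x0')
SECCOMP_NOARCH = ('type=SECCOMP msg=audit(1412345678.102:13): auid=1000 uid=1000 gid=1000 '
                  'ses=2 pid=4244 comm="sandbox" exe="/usr/bin/sandbox" sig=31 '
                  'syscall=1 compat=0 ip=0x7f1e2c3d4e5f code=0x0')

FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_record(line):
    """key=value fields of one raw audit record."""
    return dict(FIELD_RE.findall(line))


def decode_arch(value):
    """arch=<hex> -> (machine, is_64bit, little_endian), per the AUDIT_ARCH_* encoding."""
    arch = int(value, 16)
    machine = EM_NAMES.get(arch & 0xFFFF, "unknown")
    return machine, bool(arch & AUDIT_ARCH_64BIT_FLAG), bool(arch & AUDIT_ARCH_LE_FLAG)


def seccomp_syscall(line):
    """Name the syscall a SECCOMP record reports; 'ambiguous' when arch= is missing."""
    rec = parse_record(line)
    if rec.get("type") != "SECCOMP" or "syscall" not in rec:
        return "not-a-seccomp-record"
    if "arch" not in rec:
        # Without the arch the number cannot be mapped: syscall=1 is write
        # on x86_64 but exit on i386 and arm.
        return "ambiguous"
    machine, _, _ = decode_arch(rec["arch"])
    return SYSCALL_NAMES.get(machine, {}).get(int(rec["syscall"]), "unknown")


if __name__ == "__main__":
    for rec in (SECCOMP_X86_64, SECCOMP_I386, SECCOMP_NOARCH):
        print(seccomp_syscall(rec))
```

The compat= field in the records is not a substitute: it only says whether the 32-bit entry path was taken, while arch= identifies the ABI outright and is what a detection rule keyed on syscall names should consult.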
[PATCH V5 00/13] namespaces: log namespaces per task
by Richard Guy Briggs
The purpose is to track namespace instances in use by logged processes from the
perspective of init_*_ns by assigning each a per-kernel, per-boot serial
number.
1/13 defines a function to generate them and assigns them.
Use a serial number per namespace (unique across one boot of one kernel)
instead of the inode number (which is claimed to have had the right to change
reserved and is not necessarily unique if there is more than one proc fs). It
could be argued that the inode numbers have now become a defacto interface and
can't change now, but I'm proposing this approach to see if this helps address
some of the objections to the earlier patchset.
2/13 adds access functions to get to the serial numbers in a similar way to
inode access for namespace proc operations.
3/13 exposes proc's ns entries structure which lists a number of useful
operations per namespace type for other subsystems to use.
4/13 provides an example of usage for audit_log_task_info() which is used by
syscall audits, among others. audit_log_task() and audit_common_recv_message()
would be other potential use cases.
Proposed output format:
This differs slightly from Aristeu's patch because of the label conflict with
"pid=" due to including it in existing records rather than it being a separate
record. It has now returned to being a separate record. The serial numbers
are printed in hex.
type=NS_INFO msg=audit(1408577535.306:82): netns=8 utsns=2 ipcns=1 pidns=4 userns=3 mntns=5
5/13 change audit startup from __initcall to subsys_initcall to get it started
earlier to be able to receive initial namespace log messages.
6/13 tracks the creation and deletion of namespaces, listing the type of
namespace instance, related namespace id if there is one and the newly minted
serial number.
Proposed output format for initial namespace creation:
type=AUDIT_NS_INIT_UTS msg=audit(1408577534.868:5): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_utsns=0 utsns=2 res=1
type=AUDIT_NS_INIT_USER msg=audit(1408577534.868:6): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_userns=0 userns=3 res=1
type=AUDIT_NS_INIT_PID msg=audit(1408577534.868:7): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_pidns=0 pidns=4 res=1
type=AUDIT_NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
type=AUDIT_NS_INIT_IPC msg=audit(1408577534.868:9): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_ipcns=0 ipcns=1 res=1
type=AUDIT_NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
And a CLONE action would result in:
type=type=AUDIT_NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
type=type=AUDIT_NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
While deleting a namespace would result in:
type=type=AUDIT_NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
7/13 accepts a PID from userspace and requests logging an AUDIT_NS_INFO record
type (CAP_AUDIT_CONTROL required).
8/13 is a macro for CLONE_NEW_* flags.
9/13 adds auditing on creation of namespace(s) in fork.
10/13 adds auditing a change of namespace on setns.
11/13 attaches a AUDIT_NS_INFO record to AUDIT_VIRT_CONTROL records
(CAP_AUDIT_WRITE required).
12/13 implements, as suggested by Serge Hallyn, making these serial numbers
available in /proc/self/ns/{ipc,mnt,net,pid,user,uts}_snum. I chose "snum"
instead of "seq" for consistency with inum and there are a number of other uses
of "seq" in the namespace code.
13/13 Document proc's ns entries structure in Documentation/filesystems/proc.txt
v4 -> v5:
Clean up prototypes for dependencies on CONFIG_NAMESPACES.
Add AUDIT_NS_INFO record type to AUDIT_VIRT_CONTROL record.
Log AUDIT_NS_INFO with PID.
Move /proc/<pid>/ns_* patches to end of patchset to deprecate them.
Log on changing ns (setns).
Log on creating new namespaces when forking.
Added a macro for CLONE_NEW*.
v3 -> v4:
Separate out the NS_INFO message from the SYSCALL message.
Moved audit_log_namespace_info() out of audit_log_task_info().
Use a separate message type per namespace type for each of INIT/DEL.
Make ns= easier to search across NS_INFO and NS_INIT/DEL_XXX msg types.
Add /proc/<pid>/ns/ documentation.
Fix dynamic initial ns logging.
v2 -> v3:
Use atomic64_t in ns_serial to simplify it.
Avoid function duplication in proc, keying on dentry.
Squash down audit patch to avoid rcu sleep issues.
Add tracking for creation and deletion of namespace instances.
v1 -> v2:
Avoid rollover by switching from an int to a long long.
Change rollover behaviour from simply avoiding zero to raising a BUG.
Expose serial numbers in /proc/<pid>/ns/*_snum.
Expose ns_entries and use it in audit.
Notes:
As for CAP_AUDIT_READ, a patchset has been accepted upstream to check
capabilities of userspace processes that try to join netlink broadcast groups.
This set does not try to solve the non-init namespace audit messages and
auditd problem yet. That will come later, likely with additional auditd
instances running in another namespace with a limited ability to influence the
master auditd. I echo Eric B's idea that messages destined for different
namespaces would have to be tailored for that namespace with references that
make sense (such as the right pid number reported to that pid namespace, and
not leaking info about parents or peers).
Questions:
Is there a way to link serial numbers of namespaces involved in migration of a
container to another kernel? It sounds like what is needed is a part of a
management application that is able to pull the audit records from constituent
hosts to build an audit trail of a container.
What additional events should list this information?
Does this present any problematic information leaks? Only CAP_AUDIT_CONTROL
(and now CAP_AUDIT_READ) in init_user_ns can get to this information in
the init namespace at the moment from audit. *However*, the addition of the
proc/<pid>/ns/*_snum does make it available to other processes now.
Richard Guy Briggs (13):
namespaces: assign each namespace instance a serial number
namespaces: expose namespace instance serial number in
proc_ns_operations
namespaces: expose ns_entries
audit: log namespace serial numbers
audit: initialize at subsystem time rather than device time
audit: log creation and deletion of namespace instances
audit: dump namespace IDs for pid on receipt of AUDIT_NS_INFO
sched: add a macro to ref all CLONE_NEW* flags
fork: audit on creation of new namespace(s)
audit: log on switching namespace (setns)
audit: emit AUDIT_NS_INFO record with AUDIT_VIRT_CONTROL record
namespaces: expose ns instance serial numbers in proc
Documentation: add a section for /proc/<pid>/ns/
Documentation/filesystems/proc.txt | 16 ++++
fs/mount.h | 1 +
fs/namespace.c | 20 +++++
fs/proc/namespaces.c | 35 +++++++--
include/linux/audit.h | 20 +++++
include/linux/ipc_namespace.h | 1 +
include/linux/nsproxy.h | 10 +++
include/linux/pid_namespace.h | 1 +
include/linux/proc_ns.h | 2 +
include/linux/user_namespace.h | 1 +
include/linux/utsname.h | 1 +
include/net/net_namespace.h | 1 +
include/uapi/linux/audit.h | 21 +++++
include/uapi/linux/sched.h | 6 ++
init/version.c | 1 +
ipc/msgutil.c | 1 +
ipc/namespace.c | 20 +++++
kernel/audit.c | 143 +++++++++++++++++++++++++++++++++++-
kernel/auditsc.c | 2 +
kernel/fork.c | 3 +
kernel/nsproxy.c | 22 ++++++
kernel/pid.c | 1 +
kernel/pid_namespace.c | 19 +++++
kernel/user.c | 1 +
kernel/user_namespace.c | 20 +++++
kernel/utsname.c | 21 +++++
net/core/net_namespace.c | 27 +++++++-
security/integrity/ima/ima_api.c | 2 +
28 files changed, 408 insertions(+), 11 deletions(-)
10 years, 2 months
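The cover letter's NS_INIT_*/NS_DEL_* records carry enough to rebuild which namespace was cloned from which and by whom, which is the forensic question a container audit trail needs answered. As an added example (not code from the patchset or the audit project), the Python below consumes records in the proposed format, with serials in hex as the letter states, and answers three questions: the ancestry of a namespace back to the initial one, whether it is still live, and which still-live namespaces a given task created. The sample records are constructed to mirror the letter's examples; they are not kernel output.

```python
import re

FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
NS_TYPES = ("uts", "user", "pid", "mnt", "ipc", "net")

# Constructed records in the proposed format: serial numbers in hex, one
# NS_INIT_*/NS_DEL_* record per namespace instance, old_<type>ns naming the
# namespace the new one was cloned from (0 for the initial namespaces).
SAMPLE_LOG = """\
type=NS_INIT_NET msg=audit(1408577533.500:10): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_netns=0 netns=7 res=1
type=NS_INIT_MNT msg=audit(1408577534.868:8): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel old_mntns=0 mntns=5 res=1
type=NS_INIT_NET msg=audit(1408577535.306:81): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_netns=7 netns=8 res=1
type=NS_INIT_MNT msg=audit(1408577535.307:83): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 old_mntns=5 mntns=9 res=1
type=NS_DEL_MNT msg=audit(1408577552.221:85): pid=481 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 mntns=9 res=1
"""


def parse_record(line):
    """key=value fields of one raw audit record."""
    return dict(FIELD_RE.findall(line))


class NamespaceTracker:
    """Rebuilds namespace lineage from NS_INIT_* and NS_DEL_* records."""

    def __init__(self):
        self.parent = {}    # (nstype, serial) -> serial it was cloned from, 0 for none
        self.creator = {}   # (nstype, serial) -> pid that created it
        self.live = set()   # (nstype, serial) not yet seen in an NS_DEL_* record

    def feed(self, line):
        rec = parse_record(line)
        rtype = rec.get("type", "")
        if rtype.startswith("AUDIT_"):   # the cover letter prints the enum name
            rtype = rtype[len("AUDIT_"):]
        if not (rtype.startswith("NS_INIT_") or rtype.startswith("NS_DEL_")):
            return
        action, nstype = rtype.split("_", 2)[1:]   # NS_INIT_NET -> ("INIT", "NET")
        nstype = nstype.lower()
        if nstype not in NS_TYPES:
            return
        key = (nstype, int(rec[nstype + "ns"], 16))
        if action == "INIT":
            self.parent[key] = int(rec["old_" + nstype + "ns"], 16)
            self.creator[key] = int(rec["pid"])
            self.live.add(key)
        else:
            self.live.discard(key)

    def ancestry(self, nstype, serial):
        """Serials from this namespace back to the initial one; 0 terminates the chain."""
        chain = [serial]
        while serial != 0 and (nstype, serial) in self.parent:
            serial = self.parent[(nstype, serial)]
            chain.append(serial)
        return chain

    def is_live(self, nstype, serial):
        return (nstype, serial) in self.live

    def created_by(self, pid):
        """Namespaces a task created that have not been logged as deleted."""
        return sorted(k for k, p in self.creator.items() if p == pid and k in self.live)


def load(text):
    tracker = NamespaceTracker()
    for line in text.splitlines():
        if line.strip():
            tracker.feed(line)
    return tracker


if __name__ == "__main__":
    t = load(SAMPLE_LOG)
    print(t.ancestry("net", 8), t.is_live("mnt", 9), t.created_by(481))
```

A tracker like this only sees what the kernel it runs against logs, so it cannot follow the serial across a container migration, which is the open question the letter raises.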
Definitive guide for audit message types
by William Roberts
For audit log records, the type field can be something like 1400 for
an AVC event. I know on the desktop it formats these all to the pretty
names IIRC, however I am on Android and we're not quite as advanced
yet. Is there a definitive guide for each number and what they correspond
to besides cracking open the header files?
Thanks.
--
Respectfully,
William C Roberts
10 years, 2 months
[PATCH 0/7] audit fsnotify cleanups for watches and trees
by Richard Guy Briggs
This is a collection of patches to clean up some issues discovered while
implementing audit by exe path.
They compile and have been lightly tested.
I'd be interested in feedback about approaches or details or grossly
misunderstanding some fundamental concepts.
Thanks!
Richard Guy Briggs (7):
audit: put rule existence check in canonical order
audit: cull redundancy in audit_rule_change
audit: eliminate string copy for new tree rules
audit: optimize add to parent skipping needless search and consuming
parent ref
audit: remove redundant watch refcount
audit: remove extra audit_get_parent()
audit: rename audit_log_remove_rule to disambiguate for trees
kernel/audit_tree.c | 13 +++++++------
kernel/audit_watch.c | 29 ++++++++++++++++-------------
kernel/auditfilter.c | 34 +++++++++++-----------------------
3 files changed, 34 insertions(+), 42 deletions(-)
10 years, 2 months
Refactoring src/ausearch-report.c:output_interpreted_node()
by Burn Alting
Steve,
In lib/lookup_table.c:audit_name_to_msg_type(), the event type value is
parsed and converted to an integer as per,
Given
type=<type_value>
then
<type_value>
is parsed for
- a known string
- a long integer number, n, found in the specific string
"UNKNOWN[n]"
- a long integer number, n, found in the specific string
"n"
In src/ausearch-report.c:output_interpreted_node() it additionally
parses for a <type_value> of
- a long integer number, n, found in the string "[^\[]*[n].*"
i.e.
type=something[n]something_else
Is there any reason against adding this additional parsing into
lib/lookup_table.c:audit_name_to_msg_type()?
If we can, then output_interpreted_node() can be re-factored so we are
not parsing the same data twice for every event.
I am uncertain what effect accepting this additional format would
have when adding rules to the running audit system - i.e.
audit_name_to_msg_type() is called by autrace/auditctl when parsing
rules (i.e. the msgtype field name).
Regards
Burn
10 years, 2 months
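To make the forms Burn lists concrete, here is an added Python model of the lookup (not the audit-userspace code itself): the three forms audit_name_to_msg_type() accepts, plus the bracketed form output_interpreted_node() additionally accepts. The name table is a handful of real AUDIT_* numbers rather than the full table. The strict flag is the caveat in the last paragraph: a caller parsing rules for auditctl can refuse the bracketed form while a log reader accepts it.

```python
import re

# A few real record-type numbers from include/uapi/linux/audit.h; the full
# name table in audit-userspace is much longer.
MSG_TYPES = {
    "LOGIN": 1006,
    "USER_AUTH": 1100,
    "SYSCALL": 1300,
    "PATH": 1302,
    "EOE": 1320,
    "SECCOMP": 1326,
    "AVC": 1400,
}

_UNKNOWN_RE = re.compile(r"^UNKNOWN\[(\d+)\]$")
_NUMERIC_RE = re.compile(r"^\d+$")
# The extra form output_interpreted_node() parses: anything without a '['
# up to the first '[', a number in brackets, then anything at all.
_BRACKETED_RE = re.compile(r"^[^\[]*\[(\d+)\].*$")


def name_to_msg_type(value, strict=False):
    """Numeric record type for a type= value, or -1 if it cannot be parsed.

    strict=True is the rule-parsing behaviour: only a known name, UNKNOWN[n]
    or a bare number is accepted, never the loose something[n]something form.
    """
    if value in MSG_TYPES:
        return MSG_TYPES[value]
    m = _UNKNOWN_RE.match(value)
    if m:
        return int(m.group(1))
    if _NUMERIC_RE.match(value):
        return int(value)
    if not strict:
        m = _BRACKETED_RE.match(value)
        if m:
            return int(m.group(1))
    return -1


def record_type(line, strict=False):
    """Pull the type= value off a raw record and resolve it once."""
    m = re.match(r"type=(\S+)", line)
    return name_to_msg_type(m.group(1), strict) if m else -1


if __name__ == "__main__":
    for v in ("AVC", "UNKNOWN[1337]", "1326", "SECCOMP[1326]x", "bogus"):
        print(v, name_to_msg_type(v), name_to_msg_type(v, strict=True))
```

Resolving the value once at parse time, as the last function does, is the refactoring Burn is after: the interpreted-output path then reuses the number instead of re-parsing the string.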
[PATCH] netlink: have netlink per-protocol bind function return an error code.
by Richard Guy Briggs
Have the netlink per-protocol optional bind function return an int error code
rather than void to signal a failure.
This will enable netlink protocols to perform extra checks including
capabilities and permissions verifications when updating memberships in
multicast groups.
In netlink_bind() and netlink_setsockopt() the call to the per-protocol bind
function was moved above the multicast group update to prevent any access to
the multicast socket groups before checking with the per-protocol bind
function. This will enable the per-protocol bind function to be used to check
permissions which could be denied before making them available, and to avoid
the messy job of undoing the addition should the per-protocol bind function
fail.
The netfilter subsystem seems to be the only one currently using the
per-protocol bind function.
Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
---
In particular, the audit subsystem (NETLINK_AUDIT protocol) could benefit by
being able to check specific capabilities for each multicast group before
granting membership to the requesting socket. Currently, all NETLINK_AUDIT
sockets must have the capability CAP_NET_ADMIN. No other capabilities are
required to join a multicast group. This capability is too broad allowing
access to this socket by many applications that must not have access to this
information. It is proposed to add capability CAP_AUDIT_READ to allow this
access while dropping the excessively broad capability CAP_NET_ADMIN.
There has also been some interest expressed by IETF ForCES folk.
---
include/linux/netlink.h | 2 +-
net/netfilter/nfnetlink.c | 3 ++-
net/netlink/af_netlink.c | 30 +++++++++++++++++-------------
net/netlink/af_netlink.h | 4 ++--
4 files changed, 22 insertions(+), 17 deletions(-)
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index 7a6c396..4402653 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -45,7 +45,7 @@ struct netlink_kernel_cfg {
unsigned int flags;
void (*input)(struct sk_buff *skb);
struct mutex *cb_mutex;
- void (*bind)(int group);
+ int (*bind)(int group);
bool (*compare)(struct net *net, struct sock *sk);
};
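Review bot: the new int return on bind needs its contract written down, ideally a kerneldoc comment on struct netlink_kernel_cfg stating that bind returns 0 to admit the socket to the group and a negative errno to refuse it, and that it is now called before the membership is recorded. Nothing in the header tells a protocol author that a non-zero return is a hard refusal rather than advisory.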
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 75619f9..10a4cf5 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -392,7 +392,7 @@ static void nfnetlink_rcv(struct sk_buff *skb)
}
#ifdef CONFIG_MODULES
-static void nfnetlink_bind(int group)
+static int nfnetlink_bind(int group)
{
const struct nfnetlink_subsystem *ss;
int type = nfnl_group2type[group];
@@ -403,6 +403,7 @@ static void nfnetlink_bind(int group)
if (!ss) {
request_module("nfnetlink-subsys-%d", type);
}
+ return 0;
}
#endif
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index bca50b9..4224dc5 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1198,7 +1198,7 @@ static int netlink_create(struct net *net, struct socket *sock, int protocol,
struct module *module = NULL;
struct mutex *cb_mutex;
struct netlink_sock *nlk;
- void (*bind)(int group);
+ int (*bind)(int group);
int err = 0;
sock->state = SS_UNCONNECTED;
@@ -1441,6 +1441,17 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
if (!nladdr->nl_groups && (nlk->groups == NULL || !(u32)nlk->groups[0]))
return 0;
+ if (nlk->netlink_bind && nladdr->nl_groups) {
+ int i;
+
+ for (i = 0; i < nlk->ngroups; i++)
+ if (test_bit(i, (long unsigned int *)&nladdr->nl_groups)) {
+ err = nlk->netlink_bind(i);
+ if (err)
+ return err;
+ }
+ }
+
netlink_table_grab();
netlink_update_subscriptions(sk, nlk->subscriptions +
hweight32(nladdr->nl_groups) -
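Review bot: the loop passes the 0-based bit index to nlk->netlink_bind(i), while the netlink_setsockopt hunk below passes val, which the existing `val - 1 >= nlk->ngroups` check shows is the 1-based group number. A protocol doing per-group capability checks would therefore see group N as N when joined via setsockopt but as N-1 when joined via bind(); pass i + 1 here (or adjust the other path) so both callers agree before any protocol starts relying on the number. Separately, `test_bit(i, (long unsigned int *)&nladdr->nl_groups)` reads a 32-bit field through an unsigned long pointer and the loop runs to nlk->ngroups, so for a table with more than 32 groups it tests bits beyond nl_groups; copy nl_groups into a local unsigned long and bound the loop at 32, or use for_each_set_bit on that local.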
@@ -1449,15 +1460,6 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
netlink_update_listeners(sk);
netlink_table_ungrab();
- if (nlk->netlink_bind && nlk->groups[0]) {
- int i;
-
- for (i=0; i<nlk->ngroups; i++) {
- if (test_bit(i, nlk->groups))
- nlk->netlink_bind(i);
- }
- }
-
return 0;
}
@@ -2095,14 +2097,16 @@ static int netlink_setsockopt(struct socket *sock, int level, int optname,
return err;
if (!val || val - 1 >= nlk->ngroups)
return -EINVAL;
+ if (nlk->netlink_bind) {
+ err = nlk->netlink_bind(val);
+ if (err)
+ return err;
+ }
netlink_table_grab();
netlink_update_socket_mc(nlk, val,
optname == NETLINK_ADD_MEMBERSHIP);
netlink_table_ungrab();
- if (nlk->netlink_bind)
- nlk->netlink_bind(val);
-
err = 0;
break;
}
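Review bot: the bind callback now runs for NETLINK_DROP_MEMBERSHIP as well, since this path is shared and only netlink_update_socket_mc distinguishes the two via `optname == NETLINK_ADD_MEMBERSHIP`. Once protocols use the callback to deny groups (the CAP_AUDIT_READ plan in the description), a socket whose capability was later dropped could be prevented from leaving a group it already holds, and the error from a refused drop would surface for an operation that should not be able to fail. Guard the call with `optname == NETLINK_ADD_MEMBERSHIP`, and if a protocol needs to learn about leaves, give it a separate unbind hook.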
diff --git a/net/netlink/af_netlink.h b/net/netlink/af_netlink.h
index acbd774..0edb8d5 100644
--- a/net/netlink/af_netlink.h
+++ b/net/netlink/af_netlink.h
@@ -37,7 +37,7 @@ struct netlink_sock {
struct mutex *cb_mutex;
struct mutex cb_def_mutex;
void (*netlink_rcv)(struct sk_buff *skb);
- void (*netlink_bind)(int group);
+ int (*netlink_bind)(int group);
struct module *module;
#ifdef CONFIG_NETLINK_MMAP
struct mutex pg_vec_lock;
@@ -73,7 +73,7 @@ struct netlink_table {
unsigned int groups;
struct mutex *cb_mutex;
struct module *module;
- void (*bind)(int group);
+ int (*bind)(int group);
bool (*compare)(struct net *net, struct sock *sock);
int registered;
};
--
1.7.1
10 years, 2 months
Audit message format change history.
by Kangkook Jee
Hi, all
I’m trying to build a generic audit client that works across a wide range of Linux distributions from very old ones (e.g., CentOS 5.x) to relatively recent distributions (e.g., Ubuntu 13.x or 14.x).
In the course of developing it, I found out the audit message format differs from distribution to distribution. For instance, earlier kernel versions do not emit EOE messages to signify the end of a system call logging.
Could anyone give me a pointer that I can track message format history? If you don’t have any single location or documentation for it, a piece of advice regarding how I can track it by myself in an efficient way also would be very helpful.
Thanks a lot for your help in advance!
Regards, Kangkook
10 years, 2 months
Audit format utility
by Steve Grubb
Hello,
I have been doing some thinking about allowing user defined formats to be
declared as a parameter to ausearch. Before I commit to that, I thought it
might be interesting to create a "mockup". I have placed a utility here:
http://people.redhat.com/sgrubb/files/auformat.tar.gz
Just untar it and run make.
$ ./auformat
Usage: auformat <format-string> [path-to-log] --fill
What this means is that you can give it a path to a file. If you don't do that,
it will read from stdin. Then it will output the fields that you specify. To
specify fields start with a % and then put the name as seen in logs. A couple examples:
%auid %pid %path %exe
This will dump the raw value. But suppose you wanted the interpreted values?
Tell it to interpret by giving uppercase:
%AUID %SYSCALL %RES %PATH
Not all events have all fields. By default it will emit a message to stderr
about this. But, you can give it --fill which will print "(none)" in that case.
So, a use might be:
# ausearch --start today -m login --raw | ~sgrubb/test/auformat/auformat "%time %AUID %ses %RES\n"
The app also has 4 virtual field names: date, time, milli, serial. These
relate to the event timestamp which you couldn't specify any other way.
In any event, I am putting this out to see what people think.
-Steve
10 years, 2 months
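Steve's tarball is not reproduced here; as an added example that is not his code, the Python below re-implements the format-string idea he describes so the behaviour can be tried on a record without the tarball: %name emits the raw value, %NAME the interpreted one, the four virtual fields date/time/milli/serial come from the msg=audit(...) stamp, and --fill becomes a fill flag that prints "(none)" for absent fields instead of reporting them. The LOGIN record, the user table and the syscall table are constructed stand-ins for what ausearch -i would resolve from the system.

```python
import re
from datetime import datetime, timezone

FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\)")
TOKEN_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_-]*)")

# Constructed interpretation tables: ausearch -i reads the passwd database
# and the arch's syscall table; these are stand-ins for the example.
USERS = {0: "root", 1000: "alice", 4294967295: "unset"}
SYSCALLS = {1: "write", 2: "open", 59: "execve"}

# Constructed LOGIN record in the raw (ausearch --raw) layout.
SAMPLE_LOGIN = ('type=LOGIN msg=audit(1412345678.123:77): pid=1234 uid=0 '
                'subj=system_u:system_r:sshd_t:s0 old-auid=4294967295 auid=1000 '
                'old-ses=4294967295 ses=3 res=1')


def parse_record(line):
    """Fields of one raw record plus the virtual fields date/time/milli/serial."""
    rec = dict(FIELD_RE.findall(line))
    m = MSG_RE.search(line)
    if m:
        secs, milli, serial = m.groups()
        stamp = datetime.fromtimestamp(int(secs), tz=timezone.utc)
        rec["date"] = stamp.strftime("%Y-%m-%d")
        rec["time"] = stamp.strftime("%H:%M:%S")
        rec["milli"] = milli
        rec["serial"] = serial
    return rec


def interpret(name, value):
    """Interpreted form of a field, what an uppercase %NAME asks for."""
    if name.endswith("uid"):
        return USERS.get(int(value), value)
    if name == "syscall":
        return SYSCALLS.get(int(value), value)
    if name == "res":
        return "success" if value == "1" else "failed"
    if name == "success":
        return "success" if value == "yes" else "failed"
    return value.strip('"')


def format_record(fmt, line, fill=False):
    """Expand %field / %FIELD tokens against one record.

    Returns (text, missing): missing lists fields the record lacks, which the
    original tool reports on stderr; with fill=True they print as "(none)".
    """
    rec = parse_record(line)
    missing = []

    def expand(m):
        token = m.group(1)
        name = token.lower()
        if name not in rec:
            missing.append(name)
            return "(none)" if fill else ""
        return interpret(name, rec[name]) if token.isupper() else rec[name]

    # Shell users pass "\n" literally, as in Steve's ausearch pipeline.
    fmt = fmt.replace("\\n", "\n").replace("\\t", "\t")
    return TOKEN_RE.sub(expand, fmt), missing


if __name__ == "__main__":
    text, missing = format_record("%time %AUID %ses %RES\\n", SAMPLE_LOGIN)
    print(text, end="")
    print(format_record("%date %serial %path", SAMPLE_LOGIN, fill=True)[0])
```

The one design choice worth noting is that field names are case-folded before lookup, so %RES and %res both resolve to the same field and only the spelling decides whether it is interpreted; a formatter that keyed the table on the literal token would silently report every uppercase field as missing.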