Hello,
On Thursday, August 15, 2024 2:12:41 PM EDT nupurdeora(a)gmail.com wrote:
 OK, thanks, I'll try the multithreading. I have one more thing that I want
 to achieve using handle_event.
 
 I want to print the logs with different severity based on TYPE and
 permissive set to 1 or 0. So my sample code is like below. When I use the
 API "auparse_find_field", does it move the pointer to the field value
 permanently?
Yes.
 Do I need to reset the pointer before I pass the "au" to the next
 function?
It depends on the function. Some automatically rewind and some don't. I
suppose it doesn't hurt to reset the internal cursor. A couple of points below:
 static void handle_event(auparse_state_t *au,
                          auparse_cb_event_t cb_event_type, void *user_data)
 {
     int type, num = 0;
 
     if (cb_event_type != AUPARSE_CB_EVENT_READY)
         return;
I should probably get rid of this ^^^ in examples. There is only one state 
for cb_event_type and it is always that state.
     while (auparse_goto_record_num(au, num) > 0) {
         type = auparse_get_type(au);
         const char *perm = auparse_find_field(au, "permissive");
I'd move this ^^^ into the case for AUDIT_USER_AVC so that it doesn't look 
for it in non-avc records. Also, that function will cross record boundaries 
while looking for it. It stops at the end of the event if it can't find it.
 
         switch (type) {
             case AUDIT_AVC:
             case AUDIT_USER_AVC:
                 if (perm) {
                     if (strncmp(perm, "0", 1) == 0) {
could be:          if (*perm == '0')
                         dump_avc_critical_record(au);
                     }
                     else if (strncmp(perm, "1", 1) == 0) {
                         dump_avc_info_record(au);
                     }
                 }
                 else {
                     dump_avc_info_record(au);
                 }
                 break;
             default:
                 dump_whole_record(au);
                 break;
         }
         num++;
     }
 }
 _______________________________________________
 Linux-audit mailing list -- linux-audit(a)lists.linux-audit.osci.io
 To unsubscribe send an email to linux-audit-leave(a)lists.linux-audit.osci.io
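An added illustration of the cursor behaviour discussed in the reply (not code from the thread or from libauparse): a small Python model of the auparse cursor in which find_field scans forward across record boundaries and stops at the end of the event, run over a constructed two-record event. It contrasts looking up "permissive" before the type switch, as in the posted handler, with looking it up only inside the AVC case and rewinding afterwards; the dump_* calls are modelled as acting on whatever record the cursor is on, which is an assumption about the poster's helpers.

```python
import re

# Constructed sample event (not from the thread): two records of one audit
# event (serial 4242), SYSCALL first so a forward field search from the
# non-AVC record walks into the AVC record that follows it.
SAMPLE_EVENT = [
    'type=SYSCALL msg=audit(1723745561.123:4242): arch=c000003e syscall=257 success=no exit=-13 comm="nginx"',
    'type=AVC msg=audit(1723745561.123:4242): avc:  denied  { read } for  pid=1234 comm="nginx" tclass=file permissive=0',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

class EventCursor:
    """Minimal model of the auparse cursor: a record index plus a field index."""
    def __init__(self, lines):
        self.recs = [[(k, v.strip('"')) for k, v in FIELD_RE.findall(l)] for l in lines]
        self.rec = self.fld = 0

    def goto_record(self, n):          # stands in for auparse_goto_record_num(au, n) > 0
        if n >= len(self.recs):
            return False
        self.rec, self.fld = n, 0
        return True

    def get_type(self):                # stands in for auparse_get_type(au), as the type= text
        return self.recs[self.rec][0][1]

    def find_field(self, name):
        """Semantics of auparse_find_field as described in the reply: scan forward
        from the cursor, cross record boundaries, stop at the end of the event,
        and leave the cursor on the match."""
        for r in range(self.rec, len(self.recs)):
            for f in range(self.fld if r == self.rec else 0, len(self.recs[r])):
                if self.recs[r][f][0] == name:
                    self.rec, self.fld = r, f
                    return self.recs[r][f][1]
        return None

def dispatch(lines, find_before_switch):
    """Return (record type under the cursor, severity) for each loop iteration."""
    cur, out, num = EventCursor(lines), [], 0
    while cur.goto_record(num):
        typ = cur.get_type()
        perm = cur.find_field("permissive") if find_before_switch else None
        if typ in ("AVC", "USER_AVC"):
            if not find_before_switch:
                perm = cur.find_field("permissive")
                if cur.rec != num:       # the search crossed into a later record
                    perm = None
                cur.goto_record(num)     # rewind before handing the record on
            sev = "critical" if perm == "0" else "info"
        else:
            sev = "whole"
        out.append((cur.get_type(), sev))   # dump_* sees the record under the cursor
        num += 1
    return out
```

With the lookup before the switch, the SYSCALL iteration ends with the cursor on the AVC record, so the SYSCALL record is never dumped and the AVC record is dumped twice; with the lookup confined to the AVC case and a rewind, each record is handled once.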