All two-word fields should have an "_" between the words
rather than a space (since we use the space as a delimiter, which makes
the most sense, we end up with lonely words that need to be ignored
currently). Using "_" would make life easier instead.
I'm confused. Are you talking about ausearch output, or about the
names that will be returned by the parsing library's functions? If
it's the ausearch output, records of type SOCKADDR fail to meet your
parsing requirements. It's as if colon becomes the name/value pair
separator.
John
----
type=SOCKETCALL msg=audit(03/15/2006 11:24:10.541:1858) : nargs=3 a0=3 a1=bfaecee4 a2=10
type=SOCKADDR msg=audit(03/15/2006 11:24:10.541:1858) : saddr=inet host:0.0.0.0 serv:9999
type=SYSCALL msg=audit(03/15/2006 11:24:10.541:1858) : arch=i386 syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bfaeada0 a2=bfaecee4 a3=bfaecfc4 items=0 pid=20786 auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 comm=broadcast exe=/home/ramsdell/scm/polgen/src/daemon-example/broadcast subj=user_u:system_r:unconfined_t:s0-s0:c0.c255
I am breaking this down by audit type and grouping those types that share
the same format together ...
1- DAEMON_START
Remove "," between fields, leave spaces only
Change "auditd pid=" to "auditd_pid="
2- DAEMON_END
Remove "," between fields, leave spaces only
Change "sending auid=" to "sending_auid=" or just "auid="
Change "auditd pid=" to "auditd_pid="
3- CONFIG_CHANGE
type=CONFIG_CHANGE ... audit_enabled=1 old=1 by auid=0
Is there a reason we have the "by" word in there?
type=CONFIG_CHANGE ... auid=0 add rule to list=2 res=1
This is how I am understanding this: the message is "add rule
to list=2". However, the fact that we have "list=2" makes it sound like
the message is "add rule to" and a field is "list=2".
Can we change that to something like (auid=0 add rule to list
2 res=1) or (auid=0 add rule to list_2 res=1)?
4- USER_CHAUTHTOK
type=USER_CHAUTHTOK ... user pid=13827 uid=0 auid=0
msg='op=changing name acct=laf_c exe="/usr/sbin/usermod" (hostname=?,
addr=?, terminal=pts/1 res=success)'
Remove "," between fields, leave spaces only
Change "user pid=" to "user_pid="
What happened to msg='SomeString? For example, it might be
gpasswd, or passwd, or some PAM msg, etc. Our cases were checking
for that string, so what happened to it? In some cases it still
prints, but not others; is there a reason for that?
type=USER_CHAUTHTOK ... user pid=12862 uid=0 auid=0 msg='password
aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2,
inact=-2: exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1
res=success)'
Please remove all those "," and just leave spaces
Remove "-" before "acct="
Note that msg='SomeString is shown, unlike previous example.
5- USER_ACCT, USER_START, USER_END, USER_AUTH, USER_LOGIN
Change "user pid=" to "user_pid="
Remove the lonely ":" after "acct=" field
Remove "," and just leave spaces
Again, some of these have a "msg=" field with no value.
6- CRED_DISP, CRED_ACQ, CRED_REFR
Change "user pid=" to "user_pid="
Remove the lonely ":" after "acct=" field
7- USYS_CONFIG
Change "user pid=" to "user_pid="
Remove "," and just leave spaces
These are the records I see right now. At the moment I am not seeing
any watch records so I don't know if those have formatting
issues... I'll add to this list as I find more.
Thanks,
- Loulwa
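The record format argued about in both messages above (space-delimited name=value fields, the nested msg='...' sub-record with commas and stray words inside it, two-word names such as "user pid=", and John's SOCKADDR case where the body carries host:... and serv:... colon pairs) as an added example: a tolerant parser written for this page, not code from the thread or from the audit userspace project. It assumes the "type=T msg=audit(EVENT) : BODY" header shape of the quoted ausearch output, rejoins the two-word names using the underscored forms proposed in the thread (user_pid, auditd_pid, sending_auid) until the output itself changes, and treats SOCKADDR's colon pairs as fields. The sample records are constructed from the lines quoted in the thread; the CONFIG_CHANGE and USER_CHAUTHTOK timestamps are invented because the thread elides them.

```python
import re
from dataclasses import dataclass, field

# Added example (assumption): header shape of ausearch -i output as quoted in the thread.
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<event>[^)]*)\) : (?P<body>.*)$")
# One token is a run of non-blank text in which a quoted span ('...' or "...")
# counts as part of the token, so msg='a=1 b=2' and exe="/bin/x" stay whole.
TOKEN_RE = re.compile(r"""(?:[^\s'"]+|'[^']*'|"[^"]*")+""")

# Two-word names from the records quoted in the thread, joined with "_" as
# the thread proposes (assumption: this is the parser's workaround, not the
# daemon's output format).
TWO_WORD_FIELDS = {
    ("auditd", "pid"): "auditd_pid",
    ("user", "pid"): "user_pid",
    ("sending", "auid"): "sending_auid",
}
# Record types whose body carries name:value pairs (saddr=inet host:... serv:...).
COLON_PAIR_TYPES = {"SOCKADDR"}


@dataclass
class Parsed:
    fields: dict = field(default_factory=dict)
    strays: list = field(default_factory=list)   # words with no name=value form
    notes: list = field(default_factory=list)    # punctuation the parser had to drop


def _clean(token, notes):
    """Drop the ',' ':' '(' ')' separators the thread asks to have removed."""
    cleaned = token.rstrip(",")
    if cleaned.startswith("("):
        cleaned = cleaned[1:]
    if cleaned.endswith(")") and "(" not in cleaned:   # keep socketcall(bind) intact
        cleaned = cleaned[:-1]
    if cleaned.endswith(":"):                           # e.g. "inact=-2:" or "acct=:"
        cleaned = cleaned[:-1]
    if cleaned != token:
        notes.append(f"dropped punctuation from {token!r}")
    return cleaned


def parse_body(text, rtype=None):
    """Parse a space-delimited body; a quoted msg='...' value is parsed recursively."""
    out = Parsed()
    pending = None   # a lonely word that may be the first half of a two-word name
    for raw in TOKEN_RE.findall(text):
        token = _clean(raw, out.notes)
        if not token:
            continue
        if "=" in token:
            key, _, val = token.partition("=")
            if pending is not None:
                if (pending, key) in TWO_WORD_FIELDS:
                    key = TWO_WORD_FIELDS[(pending, key)]
                else:
                    out.strays.append(pending)      # "by", "add", "rule", "to", ...
                pending = None
            if len(val) >= 2 and val[0] == val[-1] == "'":
                inner = parse_body(val[1:-1])       # the msg='...' sub-record
                out.fields[key] = inner.fields
                out.strays.extend(inner.strays)
                out.notes.extend(inner.notes)
            else:
                out.fields[key] = val.strip('"')
        elif rtype in COLON_PAIR_TYPES and ":" in token:
            if pending is not None:
                out.strays.append(pending)
                pending = None
            key, _, val = token.partition(":")      # host:0.0.0.0 -> host=0.0.0.0
            out.fields[key] = val
        else:
            if pending is not None:
                out.strays.append(pending)
            pending = token
    if pending is not None:
        out.strays.append(pending)
    return out


def parse_record(line):
    """Parse one full ausearch -i record line into fields, strays and notes."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError(f"not an ausearch record: {line!r}")
    parsed = parse_body(m["body"], rtype=m["type"])
    parsed.fields = {"type": m["type"], "event": m["event"], **parsed.fields}
    return parsed


# Constructed sample records modelled on the lines quoted in the thread.
SAMPLE_RECORDS = [
    "type=SOCKADDR msg=audit(03/15/2006 11:24:10.541:1858) : saddr=inet host:0.0.0.0 serv:9999",
    "type=SYSCALL msg=audit(03/15/2006 11:24:10.541:1858) : arch=i386 syscall=socketcall(bind) "
    "success=yes exit=0 a0=2 a1=bfaeada0 a2=bfaecee4 a3=bfaecfc4 items=0 pid=20786 "
    "auid=ramsdell uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root "
    "fsgid=root tty=pts1 comm=broadcast exe=/home/ramsdell/scm/polgen/src/daemon-example/broadcast "
    "subj=user_u:system_r:unconfined_t:s0-s0:c0.c255",
    "type=CONFIG_CHANGE msg=audit(03/15/2006 11:25:00.000:1859) : auid=0 add rule to list=2 res=1",
    "type=USER_CHAUTHTOK msg=audit(03/15/2006 11:26:00.000:1860) : user pid=12862 uid=0 auid=0 "
    "msg='password aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2, "
    "inact=-2: exe=\"/usr/bin/passwd\" (hostname=?, addr=?, terminal=pts/1 res=success)'",
]

if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        p = parse_record(line)
        print(p.fields["type"], "strays:", p.strays, "fields:", p.fields)
```

Running it over the samples shows the thread's complaints directly: "add rule to" in CONFIG_CHANGE and "password aging data updated -" inside the USER_CHAUTHTOK msg come out as stray words, "user pid=" only survives because the parser rejoins it, and the SOCKADDR body yields host/serv only because that record type is special-cased; parse_body on the same text without the type reports both colon pairs as strays, which is the failure John describes.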
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit