On Tuesday 23 May 2006 21:26, Leigh Purdie wrote:
> > Right, but they are not interlaced. You can protect against this just to be safe.
> Actually, they are. Hang on, and I'll give you a bigger example
> <snip>
> Note the 228387 four from the top, and also after the 228390's.
> Is this something that should be considered a bug? If so (and it's
> likely to be fixed in RHEL4 in the near future), then I'll be able to
> greatly simplify the dispatcher code.
It might be, but it's not likely to get fixed soon (bigger fish to fry...). I'd
work around it for now.
> However, it's probably something that others would appreciate.
> The protocol may not need to change explicitly, two separate paths in
> auditd may be viable - ie:
> dispatcher = /path/to/something-that-receives-a-raw-feed or
> asciidispatcher = /path/to/something-that-receives-nullterminated-ascii-to-stdin
> .. if 'asciidispatcher' is active, auditd does a little extra work to
> push the line out in a 'nicer' format.
The way I had expected this to work is for people to use the audit parsing
library. I haven't been able to dedicate any time to it for a while, but as
kernel work winds down, I think I'll have more time for it.
> > Also...please note that if the file name has a space in it, you get an ascii
> > hex representation of the file name.
> No worries - easy to cope with. Thanks for the hint.
> Just spaces? How about inverted-commas, embedded newlines (or
> Carriage-Returns), or other non-displaying characters that may be
> valid on linux (or other) filesystems?
This is the function that does it:
http://sosdg.org/~coywolf/lxr/source/kernel/audit.c#L819
if (*p == '"' || *p < 0x21 || *p > 0x7f)
> Also, anyone have any thoughts on how to translate "eventid 11" to a
> more human-readable "execve" in perl without writing my own C Header
> translator?
Are you meaning how to translate the raw time stamp/serial number ? If so, I'd
point to the ausearch source code. I don't program in perl so I may not be
the best source of info. The long term plan is to have an audit event parsing
library so that external apps do not have to have secret audit format
knowledge. The audit parsing library could probably be turned into a perl
module as could libaudit. If you wanted to send a patch for that, I'd be
happy to integrate it. (Right now we only have python bindings.)
-Steve
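An added example, not code from this thread or from the linux-audit project: a small Python consumer that re-implements the per-byte test quoted from audit.c above (producer side), decodes quoted and hex-encoded values back to bytes (consumer side), and regroups records by the serial number in the msg=audit(...) stamp so the interleaving Leigh describes is undone on the receiving end. The set of fields treated as escaped strings, the field regex, and the sample records are constructed for this example; the kernel of that era also hex-encoded the entire value once any single byte matched, which is what needs_hex() mirrors.

```python
"""Decoding auditd-style field values and regrouping interleaved records.

Added example, not code from the linux-audit project. It re-implements the
quoting rule from the quoted kernel line and the consumer-side inverse.
"""
import binascii
import re
from collections import OrderedDict

# Fields this example treats as escaped "untrusted strings". This set is an
# assumption for the example; the thread only says file names are handled so.
UNTRUSTED_FIELDS = {"name", "comm"}

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def needs_hex(raw: bytes) -> bool:
    """The per-byte test from the quoted kernel line:
        if (*p == '"' || *p < 0x21 || *p > 0x7f)
    i.e. a double quote, anything at or below space (controls, space, newline,
    CR), or anything outside 7-bit ASCII. One such byte anywhere means the
    whole value is emitted as hex, not just that byte."""
    return any(b == 0x22 or b < 0x21 or b > 0x7F for b in raw)


def audit_escape(raw: bytes) -> str:
    """Producer side: quoted if clean, otherwise upper-case hex of every byte."""
    if needs_hex(raw):
        return binascii.hexlify(raw).decode("ascii").upper()
    return '"' + raw.decode("ascii") + '"'


def audit_unescape(value: str) -> bytes:
    """Consumer side. Quoted values are taken literally; an unquoted value of
    even length made only of hex digits is the hex form. The two shapes do not
    collide for untrusted strings: a clean name that happens to look like hex
    (e.g. deadbeef) would have been emitted quoted."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1].encode("ascii")
    if value and len(value) % 2 == 0 and all(c in "0123456789ABCDEFabcdef" for c in value):
        return binascii.unhexlify(value)
    return value.encode("ascii")  # bare token such as (null)


def parse_record(line: str):
    """Split one record into (serial, {field: value}). Untrusted fields are
    decoded to bytes; everything else is left as the text that was logged."""
    m = MSG_RE.search(line)
    if not m:
        raise ValueError("no msg=audit(...) stamp: %r" % line)
    serial = int(m.group(2))
    fields = {"timestamp": m.group(1)}
    for key, value in FIELD_RE.findall(line):
        if key == "msg":
            continue  # already consumed by MSG_RE
        fields[key] = audit_unescape(value) if key in UNTRUSTED_FIELDS else value
    return serial, fields


def group_by_serial(lines):
    """Regroup records by serial so an event whose records arrived interleaved
    with another event's is reassembled, preserving arrival order within each
    event. Returns an ordered dict keyed by serial, in order of first sight."""
    events = OrderedDict()
    for line in lines:
        serial, fields = parse_record(line)
        events.setdefault(serial, []).append(fields)
    return events


# Constructed sample (not taken from the thread): two events whose PATH records
# arrive interleaved, with one file name ("/tmp/my file") containing a space.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1148394000.101:228387): arch=40000003 syscall=11 success=yes exit=0 comm="ls"',
    'type=SYSCALL msg=audit(1148394000.102:228390): arch=40000003 syscall=5 success=yes exit=3 comm="cat"',
    'type=PATH msg=audit(1148394000.101:228387): item=0 name="/bin/ls" inode=1234',
    'type=PATH msg=audit(1148394000.102:228390): item=0 name=2F746D702F6D792066696C65 inode=5678',
    'type=PATH msg=audit(1148394000.101:228387): item=1 name=(null) inode=0',
]

if __name__ == "__main__":
    for serial, records in group_by_serial(SAMPLE_LINES).items():
        print(serial, [r.get("name", r.get("comm")) for r in records])
```

Two points worth keeping in mind when using this shape in a real dispatcher: apply audit_unescape() only to fields known to carry untrusted strings, since a numeric field such as inode=1234 would otherwise be misread as hex, and treat the serial as the grouping key rather than assuming records of one event are adjacent, which is exactly the interleaving shown in the thread.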