Hi,
I joined the discussion a little late, so please bear with me for asking
obvious things.
On Monday 13 March 2006 13:33, Steve Grubb wrote:
> An audit event is all records that have the same host, timestamp, and
> serial number.
What happens if two events happen on the same time stamp?
What is the time granularity?
Even a millisecond can be a long time for a computer.
Why do we need a serial number?
> Information in the fields is held by a name/value pair that contains an
> '=' between them. Each field is separated from one another by a space or
> comma.
What happens if the data contains a space, comma, or equals sign?
Is quoting allowed? How is it done?
> All functions return 1 on success and 0 on failure unless
> otherwise noted.
How can an application query reasons for failure?
Is errno set?
> You access the fields through functions that either return a pointer to
> an immutable, zero-terminated array of ASCII characters or integral
> values.
How can you keep the data immutable?
Everybody can cast away the const.
Is this a concern here? Can this introduce problems?
> typedef struct
> {
>         time_t sec;             // Event seconds
>         unsigned int milli;     // millisecond of the timestamp
>         unsigned long serial;   // Serial number of the event
>         const char *host;       // Machine's name
> } event_t;
>
> event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time
> stamp of current record
> time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds
> of current record
> time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds
> time of current record
What is the difference between get_timestamp and get_time and get_milli?
> int auparse_first_record(auparse_state_t *au) - set iterator to first
> record in current event
> int auparse_next_record(auparse_state_t *au) - traverse to next record
> in event. This allows access to the event type
Is there something like a has_more_records or will next_record just fail
if there is none?
(In that case it would be especially important to be able to distinguish
between failure and "end of records".)
(Same for iterating the fields in a record.)
> const char *auparse_interpret_field(auparse_state_t *au) - interpret
> the current field
What does interpreting mean here?
> if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT))
>         exit(1);
Is there a special reason to pass in the comparison operator as a char*
rather than a typedef'd int?
Robert
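The record format and event key discussed in the thread above, as an added worked example that is not part of the original messages and is not libaudit/auparse code: it parses constructed audit log lines into name/value fields, keeps the raw field text apart from an interpreted value (the get-vs-interpret split Robert asks about), and groups records into events on (host, sec, milli, serial), with two events that share one millisecond and differ only in serial number. It assumes the kernel's logging convention, which the thread does not state, that a value is either double-quoted or, when it would contain a space, a double quote or a control character, written as hex digits without quotes. The sample lines, the host name and the set of hex-encodable field names are assumptions made for the example.

```python
"""Parse Linux audit records into events.

Added example for the auparse thread; not libaudit/auparse code. Assumes the
kernel's log format: every record starts with "type=T msg=audit(SEC.MILLI:SERIAL):",
fields are name=value separated by spaces, and a value is either double-quoted
or hex-encoded when it would contain a space, a double quote or a control char.
"""
import re
from collections import OrderedDict

# Record header: the (sec, milli, serial) triple is the event key.
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<milli>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')

# One field. A quoted value may contain spaces, commas and '='; a bare value
# stops at the next space or comma.
FIELD_RE = re.compile(
    r'(?P<name>[A-Za-z0-9_-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s,]*))')

# Fields the kernel may emit hex-encoded. Illustrative subset, assumed for
# this example; a real consumer needs a per-field table because a
# name-agnostic heuristic would also "decode" values like arch=c000003e.
HEX_FIELDS = {'comm', 'exe', 'cwd', 'name', 'key', 'proctitle'}


def interpret(name, raw, was_quoted):
    """Return the field as a consumer wants to see it.

    Quoted text is returned verbatim. A bare, even-length run of hex digits in
    a hex-encodable field (or an EXECVE argument a0, a1, ...) is decoded, with
    NUL separators shown as spaces. Anything else ("500", "(null)", "08:01")
    is returned unchanged.
    """
    if was_quoted:
        return raw
    hexable = name in HEX_FIELDS or re.fullmatch(r'a\d+', name) is not None
    if hexable and raw and len(raw) % 2 == 0 and re.fullmatch(r'[0-9A-Fa-f]+', raw):
        return bytes.fromhex(raw).replace(b'\x00', b' ').decode('utf-8', 'replace')
    return raw


def parse_record(line, host='localhost'):
    """Return ((host, sec, milli, serial), record) for one log line.

    record['raw'] holds field text exactly as logged (quotes included);
    record['interp'] holds the interpreted form.
    """
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError('not an audit record: %r' % line)
    raw, interp = OrderedDict(), OrderedDict()
    for f in FIELD_RE.finditer(m.group('body')):
        name = f.group('name')
        was_quoted = f.group('quoted') is not None
        value = f.group('quoted') if was_quoted else f.group('bare')
        raw[name] = '"%s"' % value if was_quoted else value
        interp[name] = interpret(name, value, was_quoted)
    key = (host, int(m.group('sec')), int(m.group('milli')), int(m.group('serial')))
    return key, {'type': m.group('type'), 'raw': raw, 'interp': interp}


def group_events(lines, host='localhost'):
    """Group records into events keyed by (host, sec, milli, serial), in the
    order each event is first seen. Same timestamp, different serial: two
    events, which is what the serial number is for."""
    events = OrderedDict()
    for line in lines:
        line = line.strip()
        if line:
            key, rec = parse_record(line, host)
            events.setdefault(key, []).append(rec)
    return events


# Constructed sample log (not captured from a real system): two events that
# share one millisecond and differ only in serial, with quoted values and two
# hex-encoded ones ("echo hello world", "/tmp/file with spaces").
SAMPLE = """\
type=SYSCALL msg=audit(1142256800.123:1001): arch=c000003e syscall=59 success=yes exit=0 auid=500 uid=500 pid=4242 comm="sh" exe="/bin/sh" key="exec"
type=EXECVE msg=audit(1142256800.123:1001): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64
type=CWD msg=audit(1142256800.123:1001): cwd="/home/robert"
type=PATH msg=audit(1142256800.123:1001): item=0 name="/bin/sh" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1142256800.123:1002): arch=c000003e syscall=2 success=no exit=-13 auid=500 uid=500 pid=4243 comm="cat" exe="/bin/cat" key=(null)
type=PATH msg=audit(1142256800.123:1002): item=0 name=2F746D702F66696C65207769746820737061636573 inode=5678 dev=08:01 mode=0100600 ouid=0 ogid=0 rdev=00:00
"""


def demo():
    events = group_events(SAMPLE.splitlines())
    for key, records in events.items():
        print('event %s: %d records %s' % (key, len(records), [r['type'] for r in records]))
    return events


if __name__ == '__main__':
    demo()
```

Run it and the first event (serial 1001) comes out with four records and the second (serial 1002) with two, although both carry the timestamp 1142256800.123; the EXECVE argument a2 and the second PATH name are only readable through the interpreted view, while the raw view keeps the logged text for searching.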