On Thu, 15 May 2014 09:20:47 -0700
lists_todd(a)mac.com wrote:
>> Out of curiosity, why don't you use auparse to write your BSM
>> reformatter?
> (1) I hadn’t run across the code repository until after you had
> mentioned it (I’ve only been actively looking at Linux auditing for a
> few weeks), and (2) I am still very much in the learning phase,
> trying to figure out what is in the data, what type of configuration
> I would like, etc.
> I will take a look at auparse soon. I am particularly interested in
> performance. My first parsing effort is *way* too slow. I use C++
> regex a lot, and that seems to be a problem.
In general, I wouldn't think you need to use regex all the time. Auparse
organizes things into events, records, and fields, with accessor functions at
each level. It's really easy to walk through events in a couple of lines of
code and ask for translations without having to figure out how to
decode or where it comes from. Auparse will also add metadata in the
near future so that you can see how each field belongs to time,
location, subject, object, action, or result.
> If anyone is interested in seeing Linux audit data (along with BSM)
> on a Mac, I posted a blog entry along with a little video:
> Analyzing Linux Audit Data
> http://www.toddheberlein.com/blog/2014/5/13/analyzing-linux-audit-data
>> We will likely be needing to make changes soon and it would
>> insulate you from those kinds of issues.
> Can I ask what type of changes and what is motivating the changes?
Typically evolving Common Criteria requirements or other security
needs. The main point is really that you can whip together a translator
in an afternoon without having to be concerned with the lowest level
details.
-Steve