Hello,
On Wednesday, July 13, 2016 1:23:29 PM EDT Mateusz Piotrowski wrote:
> I participate in Google Summer of Code and my project involves converting
> Linux Audit logs to BSM logs.
> As I was writing a parser and converter I stumbled upon a couple of things I
> do not understand and I cannot find in the documentation:
The linux audit system has a library, libauparse, that encapsulates all the
quirks of the audit system so that writing applications like a translator is
easy. I would recommend using that as a starting point so that you don't have
to recreate it from scratch.
> 1. Where are all the elements like auditd start, user, etc. listed? I cannot
> find any document which specifies what can occur between the colon
> (separating the type and the msg=audit(…) from the fields) and the record’s
> fields.
There really is none, Libauparse takes care of all of this so that you don't
have to. If you are wanting to do translation, you can feed the logs into
auparse and then just format the event the way you want.
That said, there is a big change coming soon which might make your project
easier. I'm planning to create a field classification extension to auparse that
will allow you to say, "give me the subject of this event", "give me the
action being performed", "give me the object", "give me the results". This
would probably make translators of all kinds easier to write.
> 2. Why are there two spaces between the colon and the first field in records
> of type=CWD and a field cwd="/root"? Here’s an example:
> type=CWD msg=audit(1464013682.961:409):  cwd="/root"
Human error? We use strtok_r to parse and it doesn't care.
> 3. According to Red Hat’s documentation[1]:
> > Each record consists of several name=value pairs separated by a white
> > space or a comma.
> a) Is a white space always a space?
Yes.
> Can be any white space like the tab character?
No.
> b) Why are some records separated by a comma and a whitespace? Example:
> type=DAEMON_START msg=audit(1363713609.192:5426): auditd start,
> ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=500 pid=4979
> subj=unconfined_u:system_r:auditd_t:s0 res=success
A long time ago the records were meant to be both human readable (don't laugh)
and machine consumable. Over time these have been converted to name=value pairs.
Even the one you mention above has been fixed.
> I’ve posted the question on Unix & Linux SE: [3].
> 4. Is it possible that there are duplicate fields in a record?
Sometimes. I've tried to fix those when it happens. The problem is that not
everyone runs their audit code by this mail list so that we can check it to
see that it's well formed. What I am planning to do is write an audit event
validation suite that checks that events are well formed and that expected
events are being written when they are supposed to and in the order that they
are supposed to. Cleaning up these events is high on my TODO list.
> Something like (which doesn’t make much sense obviously):
> type=CWD msg=audit(1464013682.961:409): cwd="/root" cwd="/usr"
Something like this will not happen, it's more likely around auid and uid. The
reason being that the kernel adds some things automatically because it's a
trusted source of information. User space can write contradictory information.
For example if a daemon is working on behalf of a user but its auid has not
been set for the user, then you might see this.
> I’ve already asked a similar question on Unix & Linux SE: [4].
This mail list is where you will get the best answers.
> 5. Is there a document which answers my questions? That would be cool!
https://github.com/linux-audit/audit-documentation/wiki
-Steve
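As an added illustration (not code from this thread, and not libauparse, which is the recommended way to do this in practice), here is a small Python parser for the raw record format discussed above. It handles the `type=... msg=audit(ts:serial):` header, the extra space after the colon in CWD records, a legacy free-text preamble such as "auditd start," before the first name=value pair, quoted values, and duplicate field names (kept in order and reported rather than silently overwritten); separators are spaces only, so a tab is rejected. Sample records are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Header: type=TYPE msg=audit(SECONDS.MILLIS:SERIAL): BODY   (the extra space after ':' is tolerated)
HEADER_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): ?(?P<body>.*)$')
# One name=value pair; the value is double-quoted, single-quoted, or a bare run of non-space characters
FIELD_RE = re.compile(r'(?P<name>[A-Za-z0-9_-]+)=(?:"(?P<dq>[^"]*)"|\'(?P<sq>[^\']*)\'|(?P<bare>\S*))')

@dataclass
class AuditRecord:
    rec_type: str
    timestamp: str
    serial: int
    preamble: Optional[str]                               # e.g. "auditd start" in old DAEMON_START records
    fields: Dict[str, List[str]] = field(default_factory=dict)  # name -> values in the order seen
    duplicates: Set[str] = field(default_factory=set)     # names that occurred more than once

def parse_record(line: str) -> AuditRecord:
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    body = m.group("body").lstrip(" ")
    preamble = None
    # Legacy free text ends at the first comma, and that text contains no '=' sign
    comma = body.find(",")
    if comma != -1 and "=" not in body[:comma]:
        preamble, body = body[:comma].strip(), body[comma + 1:].lstrip(" ")
    rec = AuditRecord(m.group("type"), m.group("ts"), int(m.group("serial")), preamble)
    pos = 0
    while pos < len(body):
        fm = FIELD_RE.match(body, pos)
        if not fm:
            raise ValueError(f"unparseable text at offset {pos}: {body[pos:]!r}")
        name = fm.group("name")
        value = next(v for v in (fm.group("dq"), fm.group("sq"), fm.group("bare")) if v is not None)
        if name in rec.fields:
            rec.duplicates.add(name)          # record it; a translator must decide which copy wins
        rec.fields.setdefault(name, []).append(value)
        pos = fm.end()
        while pos < len(body) and body[pos] == " ":   # fields are separated by spaces only, never tabs
            pos += 1
    return rec

if __name__ == "__main__":
    print(parse_record('type=CWD msg=audit(1464013682.961:409):  cwd="/root"'))
```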