Re: Proposed additions to ausearch
All,
I have completed all the items listed below against ausearch. That is
- it can now checkpoint itself, in that, successive invocations
will only display new events
- a new option will print out more parser friendly output for
interpreted mode
- a new option will also print out some values both in it's
original as well as interpreted form
Whilst doing this, I fixed some very minor bugs or annoyances.
- when ausearch processes events, incomplete events are
considered as complete (and hence printed) when ausearch
encounters an EOF on input. Now, ausearch will carry over
incomplete events, providing the opportunity to complete them,
unless it's the last file ausearch is processing
- ausearch -i now identifies ANY quoted values on input and
considers these values of type T_ESCAPED and hence will be
processed via the print_escaped() routine. It was noticed keys
such as ocomm, dev and op could have quoted values as per
... opid=717 oauid=42 ouid=0 oses=1
obj=system_u:system_r:xdm_t:s0-s0:c0.c1023
ocomm="gdm-session-wor"
... avc: denied { read } for pid=21340
comm="unix_chkpwd" name="libaudit.so.1.0.0"
dev="dm-1"
ino=394483
scontext=system_u:system_r:chkpwd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:default_t:s0 tclass=file
... auid=4294967295 ses=4294967295
subj=system_u:system_r:init_t:s0 op="add rule"
key="time-change" list=4 res=1
The change identifies ANY value with double quotes around the
value and offers their interpretation via the print_escaped()
routine. The alternative is to add the above three keys to the
typetab[] array.
- when processing flag values in interpretive mode, a trailing
space was always printed whether the flags key value pair was
the last pair on the event record or not.
Should I submit this as one patch or multiple? I have a single patch
file (including mods to ausearch.8) but if required, I may be able to
present each new feature as it's own patch and/or the bugs as a group.
The patch(es) would be against audit-2.3.
Regards
Burn
On Sat, 2013-04-20 at 22:22 +1000, Burn Alting wrote:
I want to add a number of features to ausearch and would like the
list
to make comment on my proposals before implementing same.
#1
Have ausearch only output whole events (all supplemental records of an
event must be present in the audit.log files to be output) and maintain
state to know the last whole event displayed.
The use case is for when one periodically processes the audit log files
and the last log file opened does not necessarily hold whole events for
the last few events in the file.
One could possibly achieve this using the --start/--end arguments to
ausearch but it would be challenging to work out the appropriate
start/end times on a high log throughput system.
My plan is to maintain state recording the last whole event displayed
along with details of the file it resided in (eg inode, etc).
#2
Add a 'parser friendly' option to ausearch's -i output such that it is
more friendly for parsing. As we know, the -i argument causes output in
the form of
- a "header" comprising
- the node if present as a key value pair
- the event type as a key value pair
- the message date/time and serial
- a colon
- a series of key value pairs
The new option would have output that
- surrounds all values with double quotes
- escape embedded double quote and backslash characters in the value
with the backslash character '\'
- translate embedded newlines or carriage returns into '\n' and '\r'
respectively
- translate all non-printing characters into escaped octal values or
some other recommended text based format.
#3
Add an option to include the original value as well as the interpreted
value when interpretation (-i) is requested. This would be for specified
keys or, key types.
One use case would be for user or group names to include the original
uid/gids. This is to aid de-conflicting inadvertent user or group
attribution across an enterprise environment.
The option would have arguments that identify what key values will have
both original and interpreted values.
Regards
Burn Alting
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit