Re: Audit Parsing Library Requirements

On Tue, Mar 07, 2006 at 03:23:41PM -0700, Debora Velarde wrote: [...] I think using C structures for each type of entry is a maintenance nightmare, and you'd need to recompile code using them each time a definition changes even if you don't care about any of the added fields. Wouldn't it be much easier to conceptually treat the audit records as hashes (collections of tag/value pairs), where the tags are strings and the values are either also strings (for a very low-level interface), or explicitly typed objects such as integers, strings, lists, etc.? Something like this: log = audit_log_open(file); while ( (record = audit_get_record(log)) != NULL) { if audit_record_match(record, "type", "syscall") { /* get a typed object */ item_t item = audit_record_get(record, "a0"); if (item->type == T_INT) foo+=item->intval; /* assume that a type is numeric, lib will * throw an errow if that's not correct */ int num = audit_record_get_int(record, "syscall_num"); /* if you don't care about the type, get a string */ char *success = audit_record_get_string(record, "success"); } else { /* loop over all entries */ iter = audit_item_iter(record); item_t item; while ( (item = audit_next_item(iter) != NULL) { /* ... */ } } } An iterator-based approach should be easy to use from Python as well. If you worry about the efficiency or type-safety of string-based hash references, abstract that out so that it's optimizable later. Something like: tag_t syscall_num = audit_get_tag("syscall"); for (...) n = audit_record_get(record, syscall_num); (This approach is somewhat inspired by Lisp-style SEXP lists using interned symbols and type-tagged data. Hey, it worked for 40 years, why invent something new?) -Klaus