Steve Grubb <sgrubb(a)redhat.com> writes:
> I just updated the audit library parsing spec to include all this
> information. I don't mention what records they are in. Instead it
> lists what all the field definitions are.
Steve,
This is very helpful information. I expect I will be acquiring field
values using auparse_interpret_field, not auparse_get_field_str, so I
would really like to see the field definitions augmented with a
description of their results when the field is interpreted. When
there is a difference, perhaps you could describe it within say
parentheses.
I'd like to engage you in a thought experiment. Suppose the task is
to generate strace-like output from an audit log. To make the
experiment concrete, let's suppose each event is given to you as a
sequence of Python dictionaries, and each dictionary contains the
content of a single audit record. As near as I can tell, here is the
beginnings of an algorithm that can do the job.
Let seq be a sequence of dictionaries representing an audit event.
1. If the sequence contains no dictionary that maps "type" to
"SYSCALL", process the next event.
2. Set n to be the index in seq of the dictionary that maps "type" to
"SYSCALL".
3. If seq[n]["syscall"] contains a parenthesis, goto step 10.
4. Print seq[n]["syscall"]
5. Let i be seq[n]["items"] or zero if seq[n]["items"] is not
defined.
6. For j from 0 to i-1, print the "name" field from the dictionary
that maps "type" to "PATH", and "item" to j.
7. For j from i+1 by 1, while seq[n]["a" + str(j)] is defined, print
seq[n]["a" + str(j)].
8. Print seq[n]["exit"].
9. Process the next event.
10. If seq[n]["syscall"] does not match "socketcall([^)]+)", goto 16.
11. Print the capture that results from matching "socketcall([^)]+)".
12. If there is a dictionary that maps "type" to "SOCKADDR", print
saddr as the first argument to the system call, otherwise use
the dictionary that maps "type" to "SOCKETCALL", to print the
first argument.
13. Print the remaining arguments using the dictionary that maps
"type" to "SOCKETCALL".
14. Print seq[n]["exit"].
15. Process the next event.
16. I haven't figured out how to handle the ipc system call.
Is this algorithm correct? Perhaps the audit-parse.txt document
should contain a description of the correct algorithm.
John
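The sixteen steps above, turned into runnable Python as an added example (this code is not part of John's post or of the audit library). It assumes each record is a dict of interpreted string values, as `auparse_interpret_field` would return them, and that the ipc syscall is interpreted as `ipc(...)`; the sample events are constructed, not taken from a real log. Step 7 is followed as written (the `a` fields are read starting at index `i+1`), and the regex of steps 10 and 11 is written with escaped parentheses so that the capture is just the socket call name.

```python
import re
from typing import Dict, Iterator, List, Optional

# One audit record is a dict of interpreted field values; an event is the
# sequence of records that share one event id.
Record = Dict[str, str]
Event = List[Record]

# Steps 10/11: the interpreted syscall field reads "socketcall(connect)";
# the literal parentheses are escaped so group 1 captures only the name.
SOCKETCALL_RE = re.compile(r"socketcall\(([^)]+)\)")


def find_record(seq: Event, rtype: str, **match: str) -> Optional[Record]:
    """Return the first record whose "type" is rtype and whose other
    fields equal the given match values (e.g. item="0")."""
    for rec in seq:
        if rec.get("type") == rtype and all(rec.get(k) == v for k, v in match.items()):
            return rec
    return None


def numbered_fields(rec: Record, start: int) -> Iterator[str]:
    """Yield rec["a<j>"] for j = start, start+1, ... while the key exists
    (the loops of steps 7 and 13)."""
    j = start
    while "a%d" % j in rec:
        yield rec["a%d" % j]
        j += 1


def format_event(seq: Event) -> Optional[str]:
    """Render one event as an strace-like line, or None if it has no SYSCALL record."""
    sc = find_record(seq, "SYSCALL")
    if sc is None:                       # step 1
        return None
    name = sc["syscall"]                 # step 2
    exit_ = sc.get("exit", "?")

    if "(" not in name:                  # steps 3-9: an ordinary syscall
        items = int(sc.get("items", "0"))            # step 5
        args: List[str] = []
        for j in range(items):                       # step 6
            path = find_record(seq, "PATH", item=str(j))
            args.append(path["name"] if path else "?")
        args.extend(numbered_fields(sc, items + 1))  # step 7, index as written
        return "%s(%s) = %s" % (name, ", ".join(args), exit_)

    m = SOCKETCALL_RE.search(name)
    if m is None:                        # step 16: ipc is left undecoded
        return "%s(<not decoded>) = %s" % (name, exit_)

    call = m.group(1)                    # step 11
    sockcall = find_record(seq, "SOCKETCALL") or {}
    saddr = find_record(seq, "SOCKADDR")
    first = saddr["saddr"] if saddr else sockcall.get("a0", "?")  # step 12
    args = [first] + list(numbered_fields(sockcall, 1))           # step 13
    return "%s(%s) = %s" % (call, ", ".join(args), exit_)


def format_log(events: List[Event]) -> List[str]:
    """Apply format_event to every event, skipping those without a SYSCALL record."""
    lines = []
    for ev in events:
        line = format_event(ev)
        if line is not None:
            lines.append(line)
    return lines


# Constructed sample events with interpreted field values (not real log data).
SAMPLE_EVENTS: List[Event] = [
    [   # open("/etc/passwd", O_RDONLY) returning fd 3
        {"type": "SYSCALL", "syscall": "open", "items": "1",
         "a0": "0x7ffd2a10", "a1": "O_RDONLY", "a2": "0", "exit": "3"},
        {"type": "CWD", "cwd": "/root"},
        {"type": "PATH", "item": "0", "name": "/etc/passwd"},
    ],
    [   # socketcall(connect) with a SOCKADDR record present
        {"type": "SYSCALL", "syscall": "socketcall(connect)", "items": "0",
         "a0": "3", "a1": "0x7ffd1b00", "exit": "0"},
        {"type": "SOCKETCALL", "nargs": "3",
         "a0": "4", "a1": "0x7ffd1c00", "a2": "16"},
        {"type": "SOCKADDR", "saddr": "inet host:127.0.0.1 serv:80"},
    ],
    [   # an event with no SYSCALL record is skipped (step 1)
        {"type": "USER_LOGIN", "acct": "root", "res": "success"},
    ],
    [   # ipc is not decoded by the algorithm (step 16)
        {"type": "SYSCALL", "syscall": "ipc(msgget)", "items": "0",
         "a0": "0x1", "exit": "32768"},
    ],
]

if __name__ == "__main__":
    for line in format_log(SAMPLE_EVENTS):
        print(line)
```

Running it on a real event stream (one list of interpreted records per event id) and comparing the lines against the strace output of the same program is the quickest way to answer the question the post asks: the open example above, for instance, shows which argument positions the step 7 index leaves out.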