All,
I need some advice.
    audit_log_user_message(_audit_fd, AUDIT_USER_DEVICE, message.c_str(),
                           /*hostname=*/nullptr, /*addr=*/nullptr, /*tty=*/nullptr, result);
As a result, one sees audit events such as
type=USER_DEVICE msg=audit(1580255002.606:352190): pid=3115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op="changed-authorization-state-for" device="/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.3" target="allow" device_rule=626C6F636B20696420303738313A353539312073657269616C2022344335333030303132323034313231303533313322206E616D652022556C7472612055534220332E30222068617368202279536D433045594970734A575666474436414854774577712F624974344631466A78785856306C3552356B3D2220706172656E742D6861736820226B763376322B726E713951765949332F48624A314556397664756A5A30615643512F43474259496B4542303D22207669612D706F72742022312D312E332220776974682D696E746572666163652030383A30363A3530 exe="/usr/sbin/usbguard-daemon" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
where device_rule started as
block id 0781:5591 serial "4C530001220412105313" name "Ultra USB 3.0" hash "ySmC0EYIpsJWVfGD6AHTwEwq/bIt4F1FjxxXV0l5R5k=" parent-hash "kv3v2+rnq9QvYI3/HbJ1EV9vdujZ0aVCQ/CGBYIkEB0=" via-port "1-1.3" with-interface 08:06:50
or
type=USER_DEVICE msg=audit(1580255002.605:352187): pid=3115 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op="discovered-device" device="/devices/pci0000:00/0000:00:1d.0/usb2/2-1" device_rule=616C6C6F7720696420383038373A303032342073657269616C202222206E616D65202222206861736820225A78377630464D51456A53634B534146454E41696F624573314F47505042305957522B79584443564530343D2220706172656E742D68617368202257484254784E61456F4D474E534E6333314B70464E53416546463448624C4D51675342714F526C433653383D22207669612D706F72742022322D312220776974682D696E746572666163652030393A30303A3030 exe="/usr/sbin/usbguard-daemon" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
where device_rule started as
allow id 8087:0024 serial "" name "" hash "Zx7v0FMQEjScKSAFENAiobEs1OGPPB0YWR+yXDCVE04=" parent-hash "WHBTxNaEoMGNSNc31KpFNSAeFF4HbLMQgSBqORlC6S8=" via-port "2-1" with-interface 09:00:00
I have a number of questions:
- What is the best recommendation I can make in a bug report I'd like to raise so that the auparse library can reliably interpret all their keys' values?
- Should I also request they actually provide hostname and addr values to audit_log_user_message()?
- If one wants them to identify the user who participates in the activity, what is the best recommendation to make in terms of keys in the message?
Thanks in advance
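An added example, not code from the post, from usbguard or from the audit userspace: a small Python parser that splits the USER_DEVICE records quoted above into key/value fields and undoes the hex encoding that libaudit applies (upper-case hex, no quotes) to values containing a space or a double quote, which is why device_rule appears as hex. The EVENTS list is copied from the two records in the post. The rule "decode a bare, even-length, upper-case hex value only if the bytes are printable ASCII and contain a space or quote" is my own heuristic: without the key-to-type knowledge the post asks for, a parser cannot otherwise tell an encoded string from a pid or auid that happens to consist of hex digits.

```python
import re

# The two USER_DEVICE records copied from the post above.
EVENTS = [
    'type=USER_DEVICE msg=audit(1580255002.606:352190): pid=3115 uid=0 auid=4294967295 ses=4294967295 '
    'subj=system_u:system_r:unconfined_service_t:s0 msg=\'op="changed-authorization-state-for" '
    'device="/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.3" target="allow" '
    'device_rule=626C6F636B20696420303738313A353539312073657269616C2022344335333030303132323034313231303533313322206E616D652022556C7472612055534220332E30222068617368202279536D433045594970734A575666474436414854774577712F624974344631466A78785856306C3552356B3D2220706172656E742D6861736820226B763376322B726E713951765949332F48624A314556397664756A5A30615643512F43474259496B4542303D22207669612D706F72742022312D312E332220776974682D696E746572666163652030383A30363A3530 '
    'exe="/usr/sbin/usbguard-daemon" hostname=? addr=? terminal=? res=success\'UID="root" AUID="unset"',
    'type=USER_DEVICE msg=audit(1580255002.605:352187): pid=3115 uid=0 auid=4294967295 ses=4294967295 '
    'subj=system_u:system_r:unconfined_service_t:s0 msg=\'op="discovered-device" '
    'device="/devices/pci0000:00/0000:00:1d.0/usb2/2-1" '
    'device_rule=616C6C6F7720696420383038373A303032342073657269616C202222206E616D65202222206861736820225A78377630464D51456A53634B534146454E41696F624573314F47505042305957522B79584443564530343D2220706172656E742D68617368202257484254784E61456F4D474E534E6333314B70464E53416546463448624C4D51675342714F526C433653383D22207669612D706F72742022322D312220776974682D696E746572666163652030393A30303A3030 '
    'exe="/usr/sbin/usbguard-daemon" hostname=? addr=? terminal=? res=success\'UID="root" AUID="unset"',
]

# Record header: type and the audit(timestamp:serial) stamp.
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*")

# One key=value token; the value is 'single-quoted' (the msg body),
# "double-quoted", or bare (no quotes; this is where hex-encoded values live).
TOKEN = re.compile(
    r"\s*(?P<key>[A-Za-z_][A-Za-z0-9_-]*)="
    r"(?:'(?P<squoted>[^']*)'"
    r'|"(?P<dquoted>[^"]*)"'
    r"|(?P<bare>\S*))"
)

UPPER_HEX = re.compile(r"^[0-9A-F]+$")


def decode_encoded_value(value: str) -> str:
    """Undo libaudit's hex encoding of a field value.

    libaudit emits a value as "value" when it is plain, and as bare upper-case
    hex when it contains a space, a double quote or a non-printable byte.
    Heuristic (assumption, not auparse's logic): treat a bare, even-length,
    upper-case hex string as encoded only if it decodes to printable ASCII
    that contains a space or a double quote; anything else is left alone, so
    pid=3115 (0x31 0x15) or auid=4294967295 are not mangled.
    """
    if len(value) < 4 or len(value) % 2 or not UPPER_HEX.match(value):
        return value
    raw = bytes.fromhex(value)
    if all(0x20 <= b < 0x7F for b in raw) and any(b in b' "' for b in raw):
        return raw.decode("ascii")
    return value


def parse_kv(text: str) -> dict:
    """Parse a run of key=value tokens, decoding bare hex-encoded values."""
    text = text.strip()
    fields = {}
    pos = 0
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unparsable input at offset {pos}: {text[pos:pos + 20]!r}")
        pos = m.end()
        if m.group("squoted") is not None:
            fields[m.group("key")] = m.group("squoted")
        elif m.group("dquoted") is not None:
            fields[m.group("key")] = m.group("dquoted")
        else:
            fields[m.group("key")] = decode_encoded_value(m.group("bare"))
    return fields


def parse_event(line: str) -> dict:
    """Parse one USER_* audit record into a flat dict.

    The outer fields (pid, uid, auid, ses, subj, and the UID=/AUID= trailer
    added by an interpreting ausearch) and the fields inside msg='...' are
    merged; they do not collide for these records.
    """
    line = line.strip()
    h = HEADER.match(line)
    if not h:
        raise ValueError("not an audit record: " + line[:40])
    fields = {"type": h["type"], "timestamp": h["ts"], "serial": h["serial"]}
    outer = parse_kv(line[h.end():])
    body = outer.pop("msg", None)  # the single-quoted message body
    fields.update(outer)
    if body is not None:
        fields.update(parse_kv(body))
    return fields


if __name__ == "__main__":
    for ev in map(parse_event, EVENTS):
        print(ev["serial"], ev["op"], ev["device"])
        print("   ", ev["device_rule"])
```

Running it prints the two device_rule strings exactly as they appear in the post before encoding. The heuristic is deliberately narrow (it will not decode a value whose original contained non-ASCII or control bytes); a parser that knows which keys carry encoded strings, which is what the bug report should ask for, does not need to guess at all.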