On Monday 13 March 2006 14:57, Robert Wenner wrote:
On Monday 13 March 2006 13:33, Steve Grubb wrote:
> An audit event is all records that have the same host, timestamp, and
> serial number.
What happens if two events happen on the same time stamp?
Nothing bad happens. They are still unique because of serial numbers, which are
atomically incremented in the kernel.
What is the time granularity?
Millisecond
Why do we need a serial number?
To separate events with the same time stamp.
> Information in the fields
> is held by a name/value pair that contains an '=' between them. Each
> field is separated from one another by a space or comma.
What happens if the data contains a space, comma, or equals sign?
If it contains a character that is a delimiter, it is encoded with ASCII hex.
Is quoting allowed? How is it done?
I assume you mean escaping. When a field that is under user control is
recorded, it is checked by the audit_log_untrustedstring function. That
function escapes it if needed.
> All functions return 1 on success and 0 on failure unless
> otherwise noted.
How can an application query reasons for failure?
errno
Is errno set?
Yes.
> You access the
> fields through functions that either return a pointer to an immutable,
> zero-terminated array of ASCII characters or integral values.
How can you keep the data immutable?
Everybody can cast away the const.
I suppose you are right. But it won't be an application that is part of the
cert.
Is this a concern here? Can this introduce problems?
To me, no. Just because they mess up their copy of the data doesn't mean they
messed up the data source.
> typedef struct
> {
> time_t sec; // Event seconds
> unsigned int milli; // millisecond of the timestamp
> unsigned long serial; // Serial number of the event
> const char *host; // Machine's name
> } event_t;
>
> event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time
> stamp of current record
> time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds
> of current record
> time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds
> time of current record
What is the difference between get_timestamp and get_time and get_milli?
What they return.
> int auparse_first_record(auparse_state_t *au) - set iterator to first
> record in current event
>
> int auparse_next_record(auparse_state_t *au) - traverse to next record
> in event. This allows access to the event type
Is there something like a has_more_records or will next_record just fail
if there is none?
Fail if there is none.
> const char *auparse_interpret_field(auparse_state_t *au) - interpret
> the current field
What does interpreting mean here?
uid=0 becomes uid=root
> if (!ausearch_set_param(au, "auid", "=", "500",
> AUSEARCH_STOP_EVENT)) exit(1);
Is there a special reason to pass in the comparison operator as a char*
rather than a typedef'd int?
Ease of use from other languages.
-Steve
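The record format and event model discussed in this thread, as an added example that is not part of the original mail thread or of the audit project's own code: a small Python parser run over constructed sample records. It groups records into events by (host, timestamp, serial), so two events stamped in the same millisecond stay separate; it undoes the hex encoding that audit_log_untrustedstring applies to user-controlled fields that contain a delimiter; it stands in a lookup for auparse_interpret_field (uid=0 becomes root); and it mirrors the first/next record iteration in which stepping past the last record simply fails rather than offering a has_more_records call. The sample log lines, the UNTRUSTED_FIELDS set, the UID_NAMES table and every function and class name are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample records (not captured from a real system). Events 456 and
# 457 share the millisecond timestamp 1142270268.123 and are told apart only by
# serial; the PATH record's name is hex-encoded because it contains a space.
SAMPLE_LOG = """\
node=host1 type=SYSCALL msg=audit(1142270268.123:456): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=0 comm="cat" exe="/bin/cat"
node=host1 type=CWD msg=audit(1142270268.123:456):  cwd="/home/bob"
node=host1 type=PATH msg=audit(1142270268.123:456): item=0 name=2F746D702F6120622E747874 inode=1234 mode=0100644
node=host1 type=USER_LOGIN msg=audit(1142270268.123:457): pid=2001 uid=0 auid=500 msg='op=login acct="bob" res=success'
type=SYSCALL msg=audit(1142270269.001:458): arch=c000003e syscall=59 success=no exit=-13 auid=500 uid=500 comm="id" exe="/usr/bin/id"
"""

# Assumed set of fields whose values are under user control and pass through
# audit_log_untrustedstring(): a clean value arrives double-quoted, a value
# holding a delimiter, quote or control character arrives as unquoted hex.
UNTRUSTED_FIELDS = {"name", "comm", "exe", "cwd", "acct", "key", "proctitle"}

# Assumed stand-in for the passwd lookup auparse_interpret_field() would do.
UID_NAMES = {0: "root", 500: "bob"}

HEADER_RE = re.compile(r"msg=audit\((\d+)\.(\d{3}):(\d+)\):\s*")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S*)""")


def parse_record(line):
    """Split one raw audit line into its event identity and name=value fields."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError("no audit(sec.milli:serial) header in %r" % line)
    sec, milli, serial = int(m.group(1)), int(m.group(2)), int(m.group(3))
    # Everything before and after the header is plain name=value pairs.
    fields = OrderedDict(FIELD_RE.findall(line[:m.start()] + " " + line[m.end():]))
    host = fields.pop("node", None)   # present only when the daemon tags the host
    return {"type": fields.pop("type"), "host": host, "sec": sec,
            "milli": milli, "serial": serial, "fields": fields}


def event_key(rec):
    """An audit event is every record sharing host, timestamp and serial number."""
    return (rec["host"], rec["sec"], rec["milli"], rec["serial"])


def group_events(lines):
    """Collect records into events, preserving the order they were seen."""
    events = OrderedDict()
    for line in lines:
        if line.strip():
            rec = parse_record(line)
            events.setdefault(event_key(rec), []).append(rec)
    return events


def decode_untrusted(name, raw):
    """Undo the quoting or hex encoding applied to a user-controlled field."""
    if name not in UNTRUSTED_FIELDS:
        return raw
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw and len(raw) % 2 == 0 and all(c in "0123456789ABCDEFabcdef" for c in raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def interpret_field(name, raw):
    """Turn a raw value into its human meaning, e.g. uid=0 becomes root."""
    value = decode_untrusted(name, raw)
    if name in ("uid", "auid", "euid", "gid") and value.isdigit():
        return UID_NAMES.get(int(value), "unknown(%s)" % value)
    return value


class EventCursor:
    """Record iterator in the style of auparse: next_record() fails at the end."""

    def __init__(self, records):
        self._records, self._idx = records, 0

    def first_record(self):
        self._idx = 0
        return len(self._records) > 0

    def next_record(self):
        if self._idx + 1 >= len(self._records):
            return False          # no has_more_records(): stepping past the end fails
        self._idx += 1
        return True

    def current(self):
        return self._records[self._idx]


def summarize(log_text):
    """Walk every event with the cursor and report identity, record types, auid, paths."""
    out = []
    for key, recs in group_events(log_text.splitlines()).items():
        cur, types = EventCursor(recs), []
        ok = cur.first_record()
        while ok:
            types.append(cur.current()["type"])
            ok = cur.next_record()
        auid = next((r["fields"]["auid"] for r in recs if "auid" in r["fields"]), None)
        paths = [interpret_field("name", r["fields"]["name"]) for r in recs if r["type"] == "PATH"]
        out.append({"key": key, "types": types,
                    "auid": interpret_field("auid", auid) if auid else None, "paths": paths})
    return out


if __name__ == "__main__":
    for ev in summarize(SAMPLE_LOG):
        print(ev)
```

The decoder is keyed on the field name rather than on the value's shape, because an unquoted run of hex digits is ambiguous on its own: `a0=7fff...` is a syscall argument, not an encoded string. Deciding by field type is also why a library in the style of auparse can offer interpret-field without guessing.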