Hi,
As per the talk we had Monday on the call, here are some of the
formatting issues we would like to see resolved for consistency and
sanity of the parsers we have to write...
Basically... here is what I am proposing we change in the formatting...
Unnecessary stray symbols (,:() ..etc surrounded by spaces on both
sides) are a bit inconsistent and problematic (we deal with them
currently, but would be nice to get rid of them and thus the use of all
the exception code to handle them).
All two word fields should have an "_" between the words rather than a
space (since we use the space as a delimiter which makes the most sense,
we end up with lonely words that need to be ignored currently). Using
"_" would make life easier instead.
I am breaking this by audit type and grouping those types that share the
same format together ...
1- DAEMON_START
Remove "," between fields, leave spaces only
Change "auditd pid=" to "auditd_pid="
2- DAEMON_END
Remove "," between fields, leave spaces only
Change "sending auid=" to "sending_auid=" or just "auid="
Change "auditd pid=" to "auditd_pid="
3- CONFIG_CHANGE
type=CONFIG_CHANGE ... audit_enabled=1 old=1 by auid=0
Is there a reason we have the "by" word in there?
type=CONFIG_CHANGE ... auid=0 add rule to list=2 res=1
This is how I am understanding this... the message is "add rule to
list=2". However, the fact that we have "list=2" makes it sound like the
message is "add rule to" and a field is "list=2".
Can we change that to something like (auid=0 add rule to list 2 res=1)
or (auid=0 add rule to list_2 res=1)?
4- USER_CHAUTHTOK
type=USER_CHAUTHTOK ... user pid=13827 uid=0 auid=0 msg='op=changing
name acct=laf_c exe="/usr/sbin/usermod" (hostname=?, addr=?,
terminal=pts/1 res=success)'
Remove "," between fields, leave spaces only
Change "user pid=" to "user_pid="
What happened to msg='SomeString'? For example, it might be gpasswd, or
passwd, or some PAM msg, etc. Our cases were checking for that string,
so what happened to it? In some cases it still prints, but not others;
is there a reason for that?
type=USER_CHAUTHTOK ... user pid=12862 uid=0 auid=0 msg='password
aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2,
inact=-2: exe="/usr/bin/passwd" (hostname=?, addr=?, terminal=pts/1
res=success)'
Please remove all those "," and just leave spaces
Remove "-" before "acct="
Note that msg='SomeString is shown, unlike previous example.
5- USER_ACCT, USER_START, USER_END, USER_AUTH, USER_LOGIN
Change "user pid=" to "user_pid="
Remove the lonely ":" after "acct=" field
Remove "," and just leave spaces
Again, some of these have a "msg=" field with no value.
6- CRED_DISP, CRED_ACQ, CRED_REFR
Change "user pid=" to "user_pid="
Remove the lonely ":" after "acct=" field
7- USYS_CONFIG
Change "user pid=" to "user_pid="
Remove "," and just leave spaces
These are the records I see right now. At the moment I am not seeing any
watch records so I don't know if those have formatting issues... I'll
add to this list as I find more.
Thanks,
- Loulwa
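The parsing problem described in the mail (space-delimited key=value records with "lonely words" such as "by", "user" and "add rule to" left over, and stray commas, colons and parentheses around values) can be made concrete with a small parser. The following is an added example written for this page, not code from the audit project or from the mail's author. It tokenizes a record into fields and leftover words, parses the quoted msg='...' payload recursively, and applies the renames the mail proposes so the before/after difference in leftover words can be checked. The sample records are constructed from the ones quoted in the mail; they omit the msg=audit(timestamp:serial) stamp that precedes the fields in real records, and the helper names (parse_record, normalize_record, lonely_words, compare) are this example's own.

```python
import re

# One key=value token. The value is a 'single-quoted' payload (which may
# contain spaces), a "double-quoted" string, or a run of non-space characters.
_FIELD_RE = re.compile(r"""(?P<key>[A-Za-z0-9_]+)=(?P<value>'[^']*'|"[^"]*"|\S*)""")
_WORD_RE = re.compile(r"\S+")
_STRAY_CHARS = ",:()"   # the stray symbols the mail wants removed

# Two-word field names the mail proposes to join with "_".
_RENAMES = [
    ("auditd pid=", "auditd_pid="),
    ("sending auid=", "sending_auid="),
    ("user pid=", "user_pid="),
]


def _clean(raw):
    """Strip stray punctuation and surrounding double quotes from a value."""
    return raw.strip(_STRAY_CHARS).strip('"')


def parse_record(record):
    """Parse one record into (fields, strays).

    fields: dict key -> value. A quoted msg='...' payload is kept verbatim
            under "msg_text" and parsed recursively into "msg_fields".
    strays: tokens that were not key=value pairs, i.e. the "lonely words"
            a space-delimited parser has to special-case ("by", "user", ...).
    """
    fields, strays = {}, []
    pos, end = 0, len(record)
    while pos < end:
        ch = record[pos]
        if ch.isspace() or ch in _STRAY_CHARS:   # delimiters and lone symbols
            pos += 1
            continue
        m = _FIELD_RE.match(record, pos)
        if m:
            key, raw = m.group("key"), m.group("value")
            pos = m.end()
            if len(raw) >= 2 and raw[0] == raw[-1] == "'":
                inner = raw[1:-1]
                inner_fields, inner_strays = parse_record(inner)
                fields[key + "_text"] = inner
                fields[key + "_fields"] = inner_fields
                strays.extend(inner_strays)
            else:
                fields.setdefault(key, _clean(raw))   # first occurrence wins
            continue
        m = _WORD_RE.match(record, pos)
        pos = m.end()
        word = _clean(m.group(0))
        if word:
            strays.append(word)
    return fields, strays


def normalize_record(record):
    """Apply the mail's proposals: underscore the known two-word field names
    and drop stray commas, colons and parentheses between fields. Characters
    inside "double-quoted" values are left alone so paths survive intact."""
    for old, new in _RENAMES:
        record = record.replace(old, new)
    out, in_dq = [], False
    for ch in record:
        if ch == '"':
            in_dq = not in_dq
        if in_dq or ch not in _STRAY_CHARS:
            out.append(ch)
    return re.sub(r" +", " ", "".join(out)).strip()


def lonely_words(record):
    """Tokens a space-delimited parser cannot attribute to any field."""
    return parse_record(record)[1]


def compare(record):
    """Return (strays_before, strays_after) for a record and its normalized form."""
    return lonely_words(record), lonely_words(normalize_record(record))


# Constructed samples modelled on the records quoted in the mail (pids and
# account names are illustrative); the msg=audit(...) stamp is omitted.
SAMPLES = {
    "config_by": "type=CONFIG_CHANGE audit_enabled=1 old=1 by auid=0",
    "config_rule": "type=CONFIG_CHANGE auid=0 add rule to list=2 res=1",
    "chauthtok": ("type=USER_CHAUTHTOK user pid=13827 uid=0 auid=0 "
                  "msg='op=changing name acct=laf_c exe=\"/usr/sbin/usermod\" "
                  "(hostname=?, addr=?, terminal=pts/1 res=success)'"),
    "aging": ("type=USER_CHAUTHTOK user pid=12862 uid=0 auid=0 msg='password "
              "aging data updated - acct=laf_a, uid=500, min=-2, max=60, warn=-2, "
              "inact=-2: exe=\"/usr/bin/passwd\" (hostname=?, addr=?, "
              "terminal=pts/1 res=success)'"),
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        before, after = compare(rec)
        print(f"{name:12s} lonely words before={before} after={after}")
```

Running it shows that the proposed renames remove the stray "user" from the USER_CHAUTHTOK records, while free-text payloads such as "changing name" and "password aging data updated -" still leave words the parser must discard, which is the general two-word-field point the mail makes. The nested msg payload is parsed into its own dict, so the inner uid=500 does not overwrite the outer uid=0.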