Steve Grubb <sgrubb(a)redhat.com&gt; writes: One aspect of such a library is to define the structure of events as seen by consumers of the information. From reading the manual page, and observing output, I conclude ausearch produces a sequence of events. Each event is a sequence of tables, one table is specified on one line of output. A table is a sequence of key-value pairs, and sometimes the value is missing. If this description accurately reflects the structure of the output of ausearch, a simple callback-based programming interface is suggested. For example, a consumer of the information could define a structure of type struct audit_event_callback, and then pass a pointer to it to the provider of audit data, in the following example, the gimme function. typedef struct audit_event_callback { void (*end_event)(void); /* Note the end of an event. */ void (*end_table)(void); /* Note the end of a table in an event. */ /* Note one entry in a table in an event--a key-value pair. */ /* The value may be NULL. */ void (*entry)(const char *key, const char *value); } *audit_event_callback_t; int gimme(audit_event_callback_t a_callback/* other input */) { /* ...*/ return 0; } With this kind of interface, if an audit event consumer passed the pointer aec as its callback to the gimme function for data ausearch would output as: ---- type=SYSCALL syscall=umount2 type=PATH name=/media/LEXAR_MEDIA the following calls would be produced. aec->entry("type", "SYSCALL"); aec->entry("syscall", "umount2"); aec->end_table(); aec->entry("type", "PATH"); aec->entry("name", "/media/LEXAR_MEDIA"); aec->end_table(); aec->end_event(); On another topic, I would like to see the library interface commit to providing only US-ASCII strings. This way, issues of character sets can be avoided. John

Steve Grubb <sgrubb(a)redhat.com&gt; writes: When information flows only from the audit search program to a Python program, one can connect the two via a pipe, and transmit an XML document. The following DTD captures the structure Steve described, and the C code needed to generate data in this format is trivial. <!ELEMENT au (seq)*> <!ELEMENT seq (tab)+> <!ELEMENT tab (ent)+> <!ELEMENT ent EMPTY> <!ATTLIST ent key CDATA #REQUIRED val CDATA #REQUIRED> For Python programs that dynamically link in the audit parsing library, one would like to use a C interface that maps well to the Python/C API described at: http://docs.python.org/api/api.html I haven't used this API in a while, as I've been embedding Lua into my C applications when I want to extend a C program with internal scripting. I'll read the API carefully, and get back to you with any issues I discover. If we want to be scripting language neutral, we should use SWIG. http://www.swig.org Once again, I haven't used this in a long time, but I'll take a look at it. I know functions in the libsemanage interface are made available to multiple languages via SWIG. We could ask Tresys for advice. John I end with output from the tool I currently use to reformat ausearch output. <?xml version="1.0"?> <!DOCTYPE au [ <!ELEMENT au (seq)*> <!ELEMENT seq (tab)+> <!ELEMENT tab (ent)+> <!ELEMENT ent EMPTY> <!ATTLIST ent key CDATA #REQUIRED val CDATA #IMPLIED> ]> <au> <seq> <tab> <ent key="type" val="PATH"/> <ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/> <ent key=":"/> <ent key="item" val="1"/> <ent key="name" val="(null)"/> <ent key="inode" val="17284616"/> <ent key="dev" val="08:01"/> <ent key="mode" val="file,755"/> <ent key="ouid" val="root"/> <ent key="ogid" val="root"/> <ent key="rdev" val="00:00"/> <ent key="obj" val="system_u:object_r:ld_so_t:s0"/> </tab> <tab> <ent key="type" val="PATH"/> <ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/> <ent key=":"/> <ent key="item" val="0"/> <ent key="name" val="/bin/ls"/> <ent key="inode" val="6678183"/> <ent key="dev" val="08:01"/> <ent key="mode" val="file,755"/> <ent key="ouid" val="root"/> <ent key="ogid" val="root"/> <ent key="rdev" val="00:00"/> <ent key="obj" val="system_u:object_r:ls_exec_t:s0"/> </tab> <tab> <ent key="type" val="CWD"/> <ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/> <ent key=":"/> <ent key="cwd" val="/home/bsniffen"/> </tab> <tab> <ent key="type" val="SYSCALL"/> <ent key="msg" val="audit(03/07/2006 12:18:03.698:18)"/> <ent key=":"/> <ent key="arch" val="i386"/> <ent key="syscall" val="execve"/> <ent key="success" val="yes"/> <ent key="exit" val="0"/> <ent key="a0" val="bfa05bd1"/> <ent key="a1" val="bfa04408"/> <ent key="a2" val="bfa04414"/> <ent key="a3" val="bfa04408"/> <ent key="items" val="2"/> <ent key="pid" val="2202"/> <ent key="auid" val="bsniffen"/> <ent key="uid" val="root"/> <ent key="gid" val="root"/> <ent key="euid" val="root"/> <ent key="suid" val="root"/> <ent key="fsuid" val="root"/> <ent key="egid" val="root"/> <ent key="sgid" val="root"/> <ent key="fsgid" val="root"/> <ent key="tty" val="pts0"/> <ent key="comm" val="ls"/> <ent key="exe" val="/bin/ls"/> <ent key="subj" val="user_u:system_r:unconfined_t:s0-s0:c0.c255"/> </tab> </seq> </au>

Below are the structures that we (Loulwa Salem, Mike Thompson, Tim Chavez and I) had envisioned the structures for the new API to look like. Basically we imagine a list of lists. Below that are some function prototypes needed in the API. I'm new to Python so I will study the Python/C API link posted. typedef struct records { time_t time; serial_t serial; record_t record; records_t * next_record; } records_t; typedef struct record { recordtype kind; //what kind of audit_record record it is record_data data; record * next; } record_t; union record_data { syscall_t syscall; ipc_t ipc; fs_watch_t fs_watch; fs_inode_t fs_inode; cwd_t cwd; path_t path; config_change_t config_change; daemon_end_t daemon_end; user_t user; user_chauthtok_t user_chauthtok; user_auth_t user_auth; user_acct_t user_acct; user_start_t user_start; user_end_t user_end; cred_acq_t cred_acq; cred_disp_t cred_disp; cred_refr_t cred_refr; login_t longin; } record_data_t; typedef struct syscall { arch_t arch; syscall_num_t syscall_num; //note used syscall_num rather than syscall at some point they could add syscall_name success_t success; exit_t exit; a_t a0; a_t a1; a_t a2; a_t a3; items_t items; id_t pid; id_t auid; id_t uid; id_t gid; id_t euid; id_t suid; id_t fsuid; id_t egid; id_t sgid; id_t fsgid; comm_t comm; exe_t exe; } syscall_t; typedef struct fs_watch { inode_t watch_inode; watch_t watch; filterkey_t filterkey; perm_t perm; perm_mask_t perm_mask; } fs_watch_t; typedef struct fs_inode { inode_t inode; id_t inode_uid; id_t inode_gid; dev_t inode_dev; rdev_t inode_rdev } fs_inode_t; typedef struct cwd { cwd_t cwd; } cwd_t; typedef struct path { name_t name; flags_t flags; inode_t inode; dev_t dev; mode_t mode; id_t ouid; id_t ogid; rdev_t rdev; } path_t; typedef struct config_change { time_t time; id_t auid; text_t text; //"removed watch" audit_enabled_t audit_enabled; old_t old; } config_change_t; typedef struct daemon_start { version_t version; format_t format; id_t auid; id_t auditd_pid; text_t text; //"auditd start" } daemon_start_t; typedef struct daemon_end { id_t auid; id_t sending_pid; id_t auditd_pid; text_t text; //"auditd normal halt" } daemon_end_t; typedef struct ipc { qbytes_t qbytes; id_t iuid; id_t igid; mode_t mode; } ipc_t; typedef struct login { msg_t msg; //message needs to be parsed to figure out the following id_t pid; id_t uid; id_t old_auid; id_t new_auid; } login_t; typedef struct user { id_t pid; id_t uid; id_t auid; msg_t msg; text_t text; //"user" } user_t; typedef struct user_chauthtok { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; res_t res; //records using 'res' should be changed to use 'result' result_t result; op_t op; acct_t acct; } user_chauthtok_t; Note: user_auth, user_acct, user_start, user_end, cred_acq, cred_disp, cred_refr have the same tydef, but the message parsed differs slightly. typedef struct user_auth { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } user_auth_t; typedef struct user_acct { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } user_acct_t; typedef struct user_start { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } user_start_t; typedef struct user_end { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } user_end_t; typedef struct cred_acq { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } cred_acq_t; typedef struct cred_disp { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } cred_disp_t; typedef struct cred_refr { id_t pid; id_t uid; id_t auid; msg_t msg; //message needs to be parsed to figure out the following user_t user; exe_t exe; hostname_t hostname; addr_t addr; terminal_t terminal; result_t result; } cred_refr_t; /* The following struct is the generic record struct which does not have a record type */ /* It is used by get_by_fields(). */ typedef struct generic_field_data { a_t a0; a_t a1; a_t a2; a_t a3; acct_t acct; addr_t addr; arch_t arch; comm_t comm; cwd_t cwd; dev_t dev; dev_t inode_dev; audit_enabled_t audit_enabled; exe_t exe; exit_t exit; filterkey_t filterkey; flags_t flags; format_t format; hostname_t hostname; id_t auditd_pid; id_t auid; id_t egid; id_t euid; id_t fsgid; id_t fsuid; id_t gid; id_t igid; id_t inode_gid; id_t inode_uid; id_t iuid; id_t new_auid; id_t ogid; id_t ouid; id_t old_auid; id_t ouid; id_t pid; id_t sending_pid; id_t sgid; id_t suid; id_t uid; inode_t inode; inode_t watch_inode; items_t items; mode_t mode; msg_t msg; name_t name; old_t old; op_t op; perm_mask_t perm_mask; perm_t perm; qbytes_t qbytes; rdev_t inode_rdev; rdev_t rdev; result_t res; result_t result; serial_t serial; success_t success; syscall_num_t syscall_num; //note used syscall_num rather than syscall at some point they could add syscall_name terminal_t terminal; text_t text; // example "removed watch" time_t time; type_t type; user_t user; version_t version; watch_t watch; } generic_field_data_t; Some function prototypes: struct record * get_records(time_t start, time_t end){ // start and end time can be specified // If zero is passed in for start time, then start searching at beginning of log // If zero is passed in for the end time, then search until the end of the log // returns pointer to link list of all records within start and end time (which are themselves a link list) // if no records were found during specified start and end time, returns NULL } struct record * get_matching_records(struct record * matching_criteria, time_t start, time_t end){ // matching_criteria is passed into function // matching_criteria is a pointer to a linked list of record pieces we are looking for // start and end time can be specified // If zero is passed in for start time, then start searching at beginning of log // If zero is passed in for the end time, then search until the end of the log // returns pointer to link list of all matching records (which are themselves a link list) // if no matching record is found, returns NULL } struct record * get_records_by_fields(struct generic_field_data * fields_to_match, time_t start, time_t end){ // fields_to_match is passed into the function // fields_to_match is a pointer to one structure with all the fields we want to match filled in and the rest initialized // start and end time can be specified // If zero is passed in for start time, then start searching at beginning of log // If zero is passed in for the end time, then search until the end of the log // returns pointer to link list of all matching records (which are themselves a link list) // if no matching record is found, returns NULL } record_data * initialize_record_data(record_data * matching_criteria){ //initializes all fields in generic field data type } generic_field_data * initialize_generic_field_data(generic_field_data * fields_to_match){ //initializes all fields in generic field data type }

On Tue, Mar 07, 2006 at 08:10:02PM -0600, Klaus Weidner wrote: This would be especially nice if you export the typed objects from the audit log as python objects of the correct type, then something like this should work: import auditlog log = auditlog.open(file) for record in log: if record.type == auditlog.SYSCALL: print record.isodate, print "call %d, arg0=%d\n" % (record.syscall_num, record.a0) else: d = record.dict() for tag in d: print tag, d[tag] Similarily for other high-level languages that support dynamic typing. In general, I think that the interface should have the following properties: - code that expects certain fields to be present will continue to work when new fields get added (and will ignore them) - if expected fields are absent, you get a (trappable) error - if code loops over all fields and handles each item in a type-safe way, it'll support new fields automatically with no code change when they are added -Klaus

On Wednesday 08 March 2006 07:11, John D. Ramsdell wrote: That is why I countered with an iterator interface. Ausearch iterates through the records and would be easy to adapt it and aureport to such a library interface. I have also been thinking about key/value pair as the representation for exactly the same reason Klaus mentioned. It should be extensible and a minimal amount of maintenance. Key/value interface should allow Python to access anything in case it does not understand "C" structures. I'll take a hack at proposing an API and send it in a little while. -Steve

On Wednesday 08 March 2006 10:39, Steve Grubb wrote: OK, here's what I have: The audit library parser could have the following functions: auparse_init - allow init of library. Set data source: logs, file, buffer. ausearch_set_param - set search options ausearch_next_event - traverse to the next event that yields a match based on search criteria. auparse_next_event - traverse to next event. This allows access to time and serial number. auparse_get_time - retrieve time stamp of current record auparse_get_serial - retrieve serial number of current record auparse_first_record - set iterator to first record in current event auparse_next_record - traverse to next record in event. This allows access to the event type auparse_get_type - retrieve type of current record auparse_first_field - set field pointer to first in current record auparse_next_field - traverse the fields in a record auparse_find_field() - find a given field in a event or record auparse_find_field_next() - find the next occurance of that field in the same record auparse_get_field_str - return current field value as a string auparse_get_field_int - return current field value as an int auparse_interpret_field - interpret the current field as a string auparse_destroy - free all data structures and close file descriptors This would allow the following kind of programming: auparse_init ausearch_set_param while ausearch_next_event if auparse_find_field auparse_interpret_field print out ... auparse_destroy This is essentially how ausearch works. The data structures would be hidden from the external application. Access to fields is a name/value style. You access the fields through functions that either return str pointer or ints. Would something like this meet everyone's needs? -Steve

On Thursday 09 March 2006 11:48, Michael C Thompson wrote: Oh...how about any? We could limit it to that and it would be faster...or it could be more. Do we need to search on all field or just have access to all fields? -Steve

On Thursday 09 March 2006 14:13, Michael C Thompson wrote: Yes. Please give an example to make sure I understand you. -Steve

If I want to match on two params (say syscall name and group id) would I call ausearch_set_param twice or pass ausearch_set_param all my parameters in one call? Can you post how you imagine the call to look like? linux-audit-bounces(a)redhat.com wrote on 03/09/2006 08:06:47 AM: buffer. based on and access to same Access to that

linux-audit-bounces(a)redhat.com wrote on 03/09/2006 11:08:05 AM: I parameters Since you are eventually going after Python support, it would be awesome if (in Pyhton) you could supply a list of pairs, since making multiple calls is not very friendly.

Steve Grubb <sgrubb(a)redhat.com&gt; wrote on 03/09/2006 12:55:59 PM: Yes, I did not mean that it was unacceptable in terms of the language's syntax and semantics, but tedious from a coder's viewpoint. However, I have no suggestion for an alternative that would be better, so I guess tedious works :)

linux-audit-bounces(a)redhat.com wrote on 03/09/2006 02:24:15 PM: awesome Such was my suggestion. Sorry if I failed to make that clear. Mike

Not sure if ausearch supports this now, but I'm thinking of two use cases: 1. If I want to find all records where the auid is NOT 500 2. If I want to find all records where the gid is greater than 500. Could we then do: ausearch_set_param("auid", "!=", "500"); ausearch_set_param("gid", ">", "500"); Steve Grubb <sgrubb(a)redhat.com&gt; wrote on 03/09/2006 09:08:05 AM: I parameters

I would also vote that we use the field names like they are passed in auditctl, as opposed to the options passed into ausearch. So we would use ausearch_set_param("uid", "!=", "500"); rather than ausearch_set_param("ui", "!=500"); Steve Grubb <sgrubb(a)redhat.com&gt; wrote on 03/09/2006 11:00:05 AM: cases:

Looks good to me. I only have simple editorial comments. Steve Grubb <sgrubb(a)redhat.com&gt; writes: type is a char pointer, NULL ... the fields through functions that either return a pointer to an immutable, zero-terminated array of ASCII characters or integral values. John

On Friday 10 March 2006 14:02, Klaus Weidner wrote: Good point. I'll update the spec. I'll wait a little while longer in case there are other comments before posting an updated spec. My goal is to finalize the spec today and start implementation next week. -Steve

On Friday 10 March 2006 14:25, LC Bruzenak wrote: We'll make that later in the project. I would need to spend some time going over every single message. Amazingly, you can write a parser without knowing what all is there since it all follows a well defined pattern. -Steve

On Friday 10 March 2006 14:42, LC Bruzenak wrote: It would be stored internally for reference. Think strtok. Sort of...there are multiple fields with the same name in various records that make up an event. The idea is that you can pass the name one time and then its stored internally until another call replaces it. This is true. An example is uid. I think there are some places where the kernel inserts uid and userspace inserts uid to the same event. -Steve

On Fri, 2006-03-10 at 13:53 -0600, Klaus Weidner wrote: Yes, and the audit scanner(s) would have to handle/accommodate this also. In this scheme is there a distinction between name/value pairs supplied by the kernel vice those added by userspace or audit-aware applications? LCB. -- LC Bruzenak lenny(a)bruzenak.com

On Friday 10 March 2006 15:38, Steve Grubb wrote: Actually, this is bad example since I don't think it happens for this message. There's only 1 or 2 messages that do this and I don't remember what they are other than user space. But we do favor the uid later in the message under the current scheme. -Steve

On Monday 13 March 2006 09:57, Loulwa Salem wrote: That would actually slow down parsing since I would now have to do lots of exception processing. It has to be high performance and adding spaces just makes that harder to achieve. The are separators for different kinds of information. Don't worry about any of these details. auparse library should make it such that you don't worry about the underlying details. -Steve

On Friday 10 March 2006 14:25, LC Bruzenak wrote: I just updated the audit library parsing spec to include all this information. I don't mention what records they are in. Instead it lists what all the field definitions are. You can find it here: http://people.redhat.com/sgrubb/audit/audit-parse.txt If anyone sees something missing from the list or changes, please let me know. -Steve

On Friday 10 March 2006 12:05, Steve Grubb wrote: OK. I think the last round of comments was helpful. I added some language to define the concept of multiple hosts in one log. This is the final draft unless there is an omission. -Steve Audit Event Parsing Library Specifications ========================================== Definitions ----------- An audit event is all records that have the same host, timestamp, and serial number. Each event on a host has a unique timestamp and serial number. An event is composed of multiple records which have information about different aspects of an audit event. Each record is denoted by a type which indicates what fields will follow. Information in the fields are held by a name/value pair that contains an '=' between them. Each field is separated from one another by a space or comma. Ground Rules ------------ All functions that begin with ausearch are related to searching for a subset of events based on certain criteria. All functions that begin with auparse are used to access events, records, and fields sequentially and without regard to any search options that may be in effect. All functions return 1 on success and 0 on failure unless otherwise noted. Where the return type is a char pointer, NULL will indicate failure. The data structures would be hidden from the external application. Access to fields is a name/value style. You access the fields through functions that either return a pointer to an immutable, zero-terminated array of ASCII characters or integral values. Every function (except auparse_init) takes a parameter, au, which is the internal state information for the current query. Functions --------- auparse_state_t - is an opaque data type used for maintaining library state. typedef enum { AUSOURCE_LOGS, AUSOURCE_FILE, AUSOURCE_BUFFER } ausource_t; auparse_state_t *auparse_init(ausource_t source, const void *b) - allow init of library. Set data source: logs, file, buffer. The pointer 'b' is used to set the file name or pass the buff when those types are given. typedef enum { AUSEARCH_STOP_EVENT, AUSEARCH_STOP_RECORD, AUSEARCH_STOP_FIELD } austop_t; int ausearch_set_param(auparse_state_t *au, const char *field, const char *op, const char *value, austop_t where) - set search options. The field would be the left hand side of the audit name/value pairs. The op would be how to match: =,!=,>,<. The value would be the right hand side of the audit field name/value pairs. The where parameter tells the search library where to place the internal cursor when a match is found. It could be on first field of first record, first field of record containing the match, or the field that matches. int ausearch_next_event(auparse_state_t *au) - traverse to the next event that yields a match based on the given search criteria. int auparse_next_event(auparse_state_t *au) - traverse to next event. This allows access to time and serial number. typedef struct { time_t sec; // Event seconds unsigned int milli; // millisecond of the timestamp unsigned long serial; // Serial number of the event const char *host; // Machine's name } event_t; event_t auparse_get_timestamp(auparse_state_t *au) - retrieve time stamp of current record time_t auparse_get_time(auparse_state_t *au) - retrieve time in seconds of current record time_t auparse_get_milli(auparse_state_t *au) - retrieve milliseconds time of current record unsigned long auparse_get_serial(auparse_state_t *au) - retrieve serial number of current record const char *auparse_get_host(auparse_state_t *au) - retrieve host name of current record int auparse_first_record(auparse_state_t *au) - set iterator to first record in current event int auparse_next_record(auparse_state_t *au) - traverse to next record in event. This allows access to the event type int auparse_get_type(auparse_state_t *au) - retrieve type of current record int auparse_first_field(auparse_state_t *au) - set field pointer to first in current record int auparse_next_field(auparse_state_t *au) - traverse the fields in a record const char *auparse_find_field(auparse_state_t *au, const char *name) - find a given field in a event or record. Name is the left hand side of the name/value pair. Returns pointer to the value as ascii text. const char *auparse_find_field_next(auparse_state_t *au) - find the next occurance of that field in the same record. Returns pointer to the value as ascii text. const char *auparse_get_field_str(auparse_state_t *au) - return current field value as a string int auparse_get_field_int(auparse_state_t *au) - return current field value as an int const char *auparse_interpret_field(auparse_state_t *au) - interpret the current field int auparse_destroy(auparse_state_t *au) - free all data structures and close file descriptors Code Example ------------ int main(void) { auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL); if (au == NULL) exit(1); if (!ausearch_set_param(au, "auid", "=", "500", AUSEARCH_STOP_EVENT)) exit(1); while (ausearch_next_event(au)) { if (auparse_find_field(au, "auid")) { printf("auid=%s\n", auparse_interpret_field(au)); } } return 0; }

On Friday 10 March 2006 17:45, Debora Velarde wrote: It would retrieve the name of the machine that the audit message came from. In this format, it would default to the rough equivalent of "uname -n". The record format will change to accommodate a host field. This is needed so that a data center can have a central logger that stores everything. No. look at the example code. You would do if (auparse_find_field(au, "user") { const char *str = auparse_get_field_str(au); do-whatever(str); } Yes. -Steve

On Friday 10 March 2006 17:45, Debora Velarde wrote: Since this is introducing the notion of multiple machines potentially sharing the same log...would it be more clear to change the name to prevent confusion? Its currently host, but would could make it: server, node, machine, etc. -Steve

On Monday 13 March 2006 12:45, Michael C Thompson wrote: I think so. My answer is still true. I was just wondering if the name is going to cause other people to mistunderstand its meaning. -Steve

On Monday 13 March 2006 09:35, Michael C Thompson wrote: Personally, I think its a bad idea since it makes the text "darker". Spaces make it lighter and more pleasing to the eye. Its too later to make these kind of changes. I would like to fix inconsistencies, but I don't consider '_' to be an inconsistency. I would be hesitant to make any other changes besides normalizing records. Its unnecessary and unwanted. But this is not true. OK, you put in a search for uid=500. ausearch will find events that have a match. You should call ausearch functions to walk these events. So, for example, the cursor goes to event 150 on first call, then event 200 next call. If you auparse, then it will go to the next event which could be 201. This is all common database techniques. One is based off an index and the other is sequential access -Steve

I apologize for jumping into this thread so late, it has been real busy around Tresys lately :) I think everything looks good but I have a question about how you imagine regular expression matching to work. For example if I want to match the "exe" field in avc messages with at regular expression, what will be the best way given this API? Does it become something like: ausearch_set_param("exe", "regex", "/sbin(/.*)") Kevin Carr Tresys Technology 410.290.1411 x137

Steve Grubb <sgrubb(a)redhat.com&gt; writes: Please do not separate fields with commas. The length of each line is way too long as it is. Furthermore, when ausearch interprets numeric entities into text, there is a simple, lex-based program can format the output into XML with the following DTD: <!ELEMENT au (seq)*> <!ELEMENT seq (tab)+> <!ELEMENT tab (ent)+> <!ELEMENT ent EMPTY> <!ATTLIST ent key CDATA #REQUIRED val CDATA #IMPLIED> The output can then be consumed with another, very simple Python program: --------------------- consume.py ------------------------- import sys, xml.sax, xml.sax.handler def main(): if len(sys.argv) != 2: print "Usage: " + sys.argv[0] + " FILE" else: xml.sax.parse(sys.argv[1], AuditHandler()) class AuditHandler(xml.sax.handler.ContentHandler): seq = None tab = None def startElement(self, name, attrs): if name == 'seq': self.seq = [] elif name == 'tab': self.tab = {} elif name == 'ent' and attrs.has_key("key") and attrs.has_key("val"): self.tab[attrs.getValue("key")] = attrs.getValue("val") def endElement(self, name): if name == 'tab': self.seq.append(self.tab) elif name == 'seq': consume(self.seq) def consume(seq): print 'seq', len(seq) # Do something interesting here if __name__ == "__main__": main() --------------------- consume.py ------------------------- I see value in having a way to consume ausearch output without having access to audit development libraries. If I want to write a one off audit analysis tool, the combination of the XML formatter and a simple Python script would greatly shorten the time required to write the analysis tool. Having that tool is allowing me to analyze audit data right now. The program that converts ausearch output into XML is called auxml, and is in the CVS repository of the polgen project on SourceForge, in the pkg/auxml directory of the polgen module. The package includes a manual page. John

If I have a bunch of collected log files from around the network in my sysadmins home directory, I want to view all these files together and maybe with different filters (this is the seaudit GUI). Can we make auparse_init() support multiple files specified manually? Example: char ** files = { "/home/admin/log1", "/home/admin/log2", NULL }; ausearch_init(AUSOURCE_FILES, files) I am a bit confused about the capabilities provided above. Can I make an array of these auparse_state_t objects and maintain several different search "views" on the library iterating over each view independently? This would seem ideal. Kevin Carr Tresys Technology 410.290.1411 x137

It seems that the naming is a bit confusing then. Should it be ausearch_state_t instead of auparse_state_t, as it is setting information related to the search. It also makes sense because ausearch_set_param() should be setting information on a ausearch_state_t. This seems more inline with the Ground Rules we specified. Kevin Carr Tresys Technology 410.290.1411 x137

On Monday 13 March 2006 12:00, Kevin Carr wrote: I wonder if we should have AUSOURCE_FILE_ARRAY and AUSOURCE_BUFFER_ARRAY to indicate the pointer being passed is a NULL terminated array of filenames or buffer addresses. -Steve

Hi, I joined the discussion a little late, so please bear with me for asking obvious things. On Monday 13 March 2006 13:33, Steve Grubb wrote: What happens if two events happen on the same time stamp? What is the time granularity? Even a millisecond can be a long time for a computer. Why do we need a serial number? What happens if the data contains a space, comma, or equals sign? Is quoting allowed? How is it done? How can an application query reasons for failure? Is errno set? How can you keep the data immutable? Everybody can cast away the const. Is this a concern here? Can this introduce problems? What is the difference between get_timestamp and get_time and get_milli? Is there something like a has_more_records or will next_record just fail if there is none? (In that case it would be especially important to be able to distinguish between failure and "end of records".) (Same for iterating the fields in a record.) What does interpreting mean here? Is there a special reason to pass in the comparison operator as a char* rather than a typedef'd int? Robert

Another item that came up here at Tresys is the ability to do log monitoring. After our initial parse/search routine, we would like to be able to check every so often to see if new messages have been generated and then display the messages if they match our search criteria. How do you imagine this fitting in to the API? Can we work this in somehow? Kevin Carr Tresys Technology 410.340.3092

On Monday 13 March 2006 17:51, Kevin Carr wrote: As an aside...this is not the recommended thing to do since every access of the audit logs are an auditable event. If you have to do real-time monitoring, I would suggest using the audit event dispatcher interface. That gets all audit events in realtime. The parsing specs we are defining right now also take a buffer as an input source so that they can be used to examine events passed via the event dispatcher. This sounds like a 100% fit for the audit event interface. -Steve

On Wednesday 15 March 2006 09:50, John D. Ramsdell wrote: The name will be 7-bit ASCII, however, I cannot guarantee what the value will be. It comes from the kernel. If someone in another country uses their native language to name files and it shows up in the audit record, what should we do? This subject has come up before and I believe we have to make an effort to support them. I don't believe CC requires this, our user's do. I believe 0 still terminates the string. I think the raw values should be available. The escaping could be a library function just as interpret is a library function. -Steve

On Wednesday 15 March 2006 10:20, John D. Ramsdell wrote: It doesn't. -Steve

Steve, I decided to write a simple program against the interface defined by the Audit Event Parsing Library Specifications, but found a function missing from the specification. I could find no way to get the name associated with the current field. Let me suggest the addition of a function with the following prototype. const char *auparse_get_field_name(auparse_state_t *au) - return current field name as a string With this addition, I'm guessing I can translate a log into a textual form similar to what is produced by ausearch, but with quoting, by using a program with a main routine something like the following. int main(int argc, char **argv) { auparse_state_t *au = auparse_init(AUSOURCE_LOGS, NULL); while (auparse_next_event(au)) { if (auparse_first_record(au)) { printf("---\n"); do { /* for each record in this event */ if (auparse_first_field(au)) { int not_first = 0; do { /* for each field in this record */ if (not_first) putchar(' '); else not_first = 1; const char *name = auparse_get_field_name(au); const char *value = auparse_interpret_field(au); if (!name || !value) { fprintf(stderr, "Internal error\n"); return 1; } putitem(name); putchar('='); putitem(value); /* Putitem quotes an item as needed. */ } while (auparse_next_field(au)); } putchar('\n'); } while (auparse_next_record(au)); } } return 0; } John Steve Grubb <sgrubb(a)redhat.com&gt; writes:

Steve, On a machine running Rawhide, I'm studying the output produced by ausearch for the socketcall system call. I noticed that a socketcall(bind) and socketcall(connect) event contain a record of type=SOCKADDR, but I cannot see one for a system call event associated with socketcall(accept). Recording the sockaddr of an accepted socket is important for cross platform information flow analysis. John $ uname -a Linux drawlight.mitre.org 2.6.15-1.2032.2.3_FC5.lspp.12smp #1 SMP Fri Mar 10 15\:44:23 EST 2006 i686 i686 i386 GNU/Linux