From: Klaus Heinrich Kiwi
Subject: should I lose audit data if I only care about the record's fields?
Date: Tue, 13 Nov 2007 18:30:45 -0500
Message-ID: <1194996645.26025.28.camel@klausk.br.ibm.com>
Reply-To: klausk@br.ibm.com
To: "sgrubb@redhat.com", "Linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

Hi,

when I started building my dispatcher plug-in, I assumed that I'd only need the field values in each record to have all the data I needed. My plug-in for remote logging aimed at consolidating the audit data in another server, so I probably need all the audit data I can get from the Audit subsystem, possibly in a format that is compatible with the target system (thus using the record fields for mapping).

Giving another look at some audit records, I saw that this approach was probably not sufficient to describe the audited operation as a whole.

Example record:

type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user to shadow group acct=klausk exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1 res=success)'

using walk_test() from the test routine (python):

---
event 1 has 1 records
record 1 of type 1108(USER_CHAUTHTOK) has 12 fields
line=1 file=None
event time: 1194995431.57:58485, host=None
type=USER_CHAUTHTOK (USER_CHAUTHTOK)
pid=30759 (30759)
uid=0 (root)
auid=0 (root)
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 (root:system_r:unconfined_t:s0-s0:c0.c1023)
op=adding (adding)
acct=klausk (klausk)
exe="/usr/sbin/usermod" (/usr/sbin/usermod)
hostname=? (?)
addr=? (?)
terminal=pts/1 (pts/1)
res=success (success)
---

'op=adding' - adding what? No information about what's going on here.

_side note_: I just noticed that the original record is saying 'adding user to shadow group' when in fact I was adding the user to the 'nobody' group, plus others, with 'usermod -G' - I'll check that again later.

Another example is the LOGIN record. Original record:

type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old auid=4294967295 new auid=0

---walk_test()----
event 1 has 1 records
record 1 of type 1006(LOGIN) has 5 fields
line=1 file=None
event time: 1193547601.367:36782, host=None
type=LOGIN (LOGIN)
pid=11698 (11698)
uid=0 (root)
auid=4294967295 (unset)
auid=0 (root)
---

Two auid fields? Which is old and which is new? OK, maybe not the brightest example, but IMO still valid.

There are probably more examples besides those two. Maybe auparse is aimed at just helping us when we need to extract data, but it is well-settled that someone will need the whole record to actually know what's going on - please tell me if that is the case.

Thoughts?

Klaus
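One way a forwarding plug-in can keep what the field walk above drops, as an added example (editor's code, not auparse and not anything from the mailing list): a small Python tokenizer that keeps the raw line and an ordered field list, so the two auid fields of the LOGIN record stay distinct as 'old auid'/'new auid' and the complete msg='...' payload is kept beside the truncated op=adding. The field names follow the two records quoted in the message; the qualifier handling for 'old '/'new ' is an assumption about that record layout, not documented auparse behaviour.

```python
import re

# Constructed sample input: the two records quoted in the message above.
USER_CHAUTHTOK = (
    "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 uid=0 auid=0 "
    "subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=adding user to shadow group "
    "acct=klausk exe=\"/usr/sbin/usermod\" (hostname=?, addr=?, terminal=pts/1 res=success)'"
)
LOGIN = ("type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 "
         "old auid=4294967295 new auid=0")

# The audit(...) header carries timestamp and serial and is split off first.
HEADER = re.compile(r"msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\):")
# One key=value token; an 'old '/'new ' qualifier is folded into the key so the
# two auid fields of a LOGIN record stay distinct instead of colliding (assumed layout).
TOKEN = re.compile(r"\b(?P<prefix>(?:old|new) )?(?P<key>[A-Za-z_][\w-]*)="
                   r"(?P<val>'[^']*'|\"[^\"]*\"|[^\s,()]+)")

def parse_fields(text):
    """Tokenize key=value pairs in order; duplicate keys are kept, not merged."""
    fields = []
    for m in TOKEN.finditer(text):
        key = (m.group("prefix") or "") + m.group("key")
        val = m.group("val")
        quoted = val[0] in "'\""
        if quoted:
            val = val[1:-1]
        fields.append((key, val))
        if key == "msg" and quoted:
            # Walk the nested msg='...' payload of user-space records as well;
            # the full payload text was appended above, so 'op=adding user to
            # shadow group' survives even though op= alone yields 'adding'.
            fields.extend(parse_fields(val))
    return fields

def parse_event(record):
    """Keep the raw line beside the extracted fields so forwarding loses nothing."""
    hdr = HEADER.search(record)
    if hdr is None:
        raise ValueError("not an audit record: %r" % record)
    body = record[:hdr.start()] + record[hdr.end():]
    return {"raw": record, "time": hdr.group("time"),
            "serial": int(hdr.group("serial")), "fields": parse_fields(body)}

def field(event, key):
    """First value for a (possibly qualified) key such as 'old auid', else None."""
    return next((v for k, v in event["fields"] if k == key), None)
```

Running parse_event(LOGIN) yields keys type, pid, uid, old auid, new auid; parse_event(USER_CHAUTHTOK) keeps the full msg text next to op=adding and the untouched raw line.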