From: Steve Grubb
Subject: Re: Use case not covered by the audit library?
Date: Mon, 11 Jan 2016 16:12:12 -0500
Message-ID: <14106614.VpUO6lg5qc@x2>
References: <8445926.khRdTJspS3@x2>
To: "Gulland, Scott A"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Wednesday, January 06, 2016 08:27:31 PM Gulland, Scott A wrote:
> > What I would suggest in a case like this is to create a small utility that
> > generates the exact report that you want. The auparse library makes that
> > super easy. I can dig up the skeleton code for something like this if you
> > want.
>
> Thanks Steve! I'd appreciate the skeleton code. At some point we'll
> probably want to create a custom report capability. It sounds like
> ausearch really only handles the fields written by the kernel.

Sorry for the delay, I needed to get the 2.5 package out the door.

There is some example code in the audit package and here:
https://fedorahosted.org/audit/browser/trunk/contrib/plugin/audisp-example.c

If you wanted to read from a file, then you change the code to

    /* open the saved log instead of reading events from stdin */
    f = fopen("./test.log", "r");
    if (f == NULL) {
        printf("Can't open log\n");
        return 1;
    }

but keep the AUSOURCE_FEED. Then in the loop

    /* Now the event loop */
    if (!stop && !hup && retval > 0) {
        /* hand one raw audit record at a time to auparse */
        if (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, f)) {
            auparse_feed(au, tmp,
                         strnlen(tmp, MAX_AUDIT_MESSAGE_LENGTH));
        }
    } else if (retval == 0)
        auparse_flush_feed(au);   /* no more data: deliver the last event */
    if (feof(f))
        break;

Then you put the report in the callback function. You can switch between the
types as shown in the handle_event function. If you want it to run off of logs,
then you would need to structure things a bit differently. The aulastlog program
shows a good example of that:
https://fedorahosted.org/audit/browser/trunk/tools/aulastlog/aulastlog.c

Hope this helps...

-Steve
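Added example, not code from the message above or from the audit project: a self-contained C stand-in for the feed-and-callback structure Steve describes (feed one record line at a time, get a callback when an event is complete, flush at end of input, and dispatch on record type inside the callback the way handle_event does). It does not link libauparse; a minimal parser for "type=T msg=audit(ts:serial): ..." lines plays the role of auparse_feed()/auparse_flush_feed() so the report logic compiles without audit-libs. The sample log lines, serials and account name are constructed, and the names feed_line, flush_feed, report_cb and run_report are hypothetical.

```c
/* Stand-in for the auparse feed loop: records sharing a serial form one
 * event; a serial change (or a flush) delivers the completed event to a
 * callback, which builds a custom report. Not libauparse. */
#include <stdio.h>
#include <string.h>

#define MAX_LINE 256
#define MAX_RECS 8

struct record { char type[32]; char body[MAX_LINE]; };
struct event  { char serial[32]; int nrecs; struct record recs[MAX_RECS]; };
typedef void (*event_cb)(const struct event *ev, void *user_data);

struct feeder {               /* plays the role of auparse_state_t */
    struct event cur;
    int have_event;
    event_cb cb;
    void *user_data;
};

/* Parse "type=T msg=audit(ts:serial): body"; returns 0 if not a record. */
static int parse_record(const char *line, char *serial, struct record *rec)
{
    const char *t = strstr(line, "type="), *m = strstr(line, "msg=audit(");
    if (!t || !m) return 0;
    t += 5;
    size_t n = strcspn(t, " ");
    if (n >= sizeof rec->type) return 0;
    memcpy(rec->type, t, n); rec->type[n] = '\0';
    const char *colon = strchr(m, ':');
    const char *paren = colon ? strchr(colon, ')') : NULL;
    if (!colon || !paren) return 0;
    size_t sn = (size_t)(paren - colon - 1);
    if (sn >= 32) return 0;
    memcpy(serial, colon + 1, sn); serial[sn] = '\0';
    const char *body = paren + 1;          /* skip "): " before the fields */
    if (*body == ':') body++;
    while (*body == ' ') body++;
    snprintf(rec->body, sizeof rec->body, "%s", body);
    return 1;
}

static void deliver(struct feeder *fd)     /* event ready -> callback */
{
    if (fd->have_event && fd->cb) fd->cb(&fd->cur, fd->user_data);
    fd->have_event = 0;
    fd->cur.nrecs = 0;
}

static void feed_line(struct feeder *fd, const char *line) /* ~auparse_feed */
{
    char serial[32]; struct record rec;
    if (!parse_record(line, serial, &rec)) return;
    if (fd->have_event && strcmp(serial, fd->cur.serial) != 0) deliver(fd);
    if (!fd->have_event) {
        snprintf(fd->cur.serial, sizeof fd->cur.serial, "%s", serial);
        fd->cur.nrecs = 0; fd->have_event = 1;
    }
    if (fd->cur.nrecs < MAX_RECS) fd->cur.recs[fd->cur.nrecs++] = rec;
}

static void flush_feed(struct feeder *fd) { deliver(fd); } /* ~auparse_flush_feed */

struct report { int events; int syscalls; int logins; char last_acct[64]; };

/* Pull the value of key= out of a record body (quoted or bare value). */
static int get_field(const char *body, const char *key, char *out, size_t outsz)
{
    char pat[40]; snprintf(pat, sizeof pat, "%s=", key);
    const char *p = strstr(body, pat);
    if (!p) return 0;
    p += strlen(pat);
    size_t n;
    if (*p == '"') { p++; n = strcspn(p, "\""); } else n = strcspn(p, " ");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n); out[n] = '\0';
    return 1;
}

/* The report callback: switch on record type like handle_event() does. */
static void report_cb(const struct event *ev, void *user_data)
{
    struct report *r = user_data;
    r->events++;
    for (int i = 0; i < ev->nrecs; i++) {
        const struct record *rec = &ev->recs[i];
        if (strcmp(rec->type, "SYSCALL") == 0) r->syscalls++;
        else if (strcmp(rec->type, "USER_LOGIN") == 0) {
            r->logins++;
            get_field(rec->body, "acct", r->last_acct, sizeof r->last_acct);
        }
    }
}

/* Drive the feeder over newline-separated records; returns event count. */
int run_report(const char *log, struct report *r)
{
    struct feeder fd = { .cb = report_cb, .user_data = r };
    char line[MAX_LINE];
    memset(r, 0, sizeof *r);
    for (const char *p = log; *p; ) {
        size_t n = strcspn(p, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, p, n); line[n] = '\0';
        feed_line(&fd, line);
        p += n; if (*p == '\n') p++;
    }
    flush_feed(&fd);                       /* EOF: deliver the last event */
    return r->events;
}

/* Constructed sample log: event 101 (SYSCALL+PATH) and event 102 (USER_LOGIN). */
const char SAMPLE_LOG[] =
 "type=SYSCALL msg=audit(1452200000.123:101): arch=c000003e syscall=2 success=yes exit=3 comm=\"cat\"\n"
 "type=PATH msg=audit(1452200000.123:101): item=0 name=\"/etc/hosts\"\n"
 "type=USER_LOGIN msg=audit(1452200005.456:102): pid=1234 uid=0 acct=\"alice\" exe=\"/usr/sbin/sshd\" res=success\n";

int main(void)
{
    struct report r;
    int n = run_report(SAMPLE_LOG, &r);
    printf("events=%d syscalls=%d logins=%d last_acct=%s\n",
           n, r.syscalls, r.logins, r.last_acct);
    return 0;
}
```

To turn this into the real thing, replace the feeder with auparse_init(AUSOURCE_FEED, NULL), register report_cb through auparse_add_callback, and call auparse_feed()/auparse_flush_feed() from the fgets loop shown in the message; the per-type dispatch in the callback stays the same.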