From: Steve Grubb <sgrubb@redhat.com>
To: Leigh Purdie <intersect@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Dispatcher - single line output (perl)
Date: Wed, 24 May 2006 08:41:52 -0400
Message-ID: <200605240841.52299.sgrubb@redhat.com>
In-Reply-To: <1ba978500605231826j7012310ehdd2bcc3d2ceee239@mail.gmail.com>
On Tuesday 23 May 2006 21:26, Leigh Purdie wrote:
> > Right, but they are not interlaced. You can protect against this just to
> > be safe.
>
> Actually, they are. Hang on, and I'll give you a bigger example
<snip>
> Note the 228387 four from the top, and also after the 228390's.
>
> Is this something that should be considered a bug? If so (and it's
> likely to be fixed in RHEL4 in the near future), then I'll be able to
> greatly simplify the dispatcher code.
It might be, but it's not likely to get fixed soon (bigger fish to fry...). I'd
work around it for now.
> However, it's probably something that others would appreciate.
> The protocol may not need to change explicitly, two separate paths in
> auditd may be viable - ie:
> dispatcher = /path/to/something-that-receives-a-raw-feed or
> asciidispatcher =
> /path/to/something-that-receives-nullterminated-ascii-to-stdin
>
> .. if 'asciidispatcher' is active, auditd does a little extra work to
> push the line out in a 'nicer' format.
The way I had expected this to work is for people to use the audit parsing
library. I haven't been able to dedicate any time to it for a while, but as
kernel work winds down, I think I'll have more time for it.
> > Also...please note that if the file name has a space
> > in it, you get an ascii hex representation of the file name.
>
> No worries - easy to cope with. Thanks for the hint.
>
> Just spaces? How about inverted-commas, embedded newlines (or
> Carriage-Returns), or other non-displaying characters that may be
> valid on linux (or other) filesystems?
This is the function that does it:
http://sosdg.org/~coywolf/lxr/source/kernel/audit.c#L819
if (*p == '"' || *p < 0x21 || *p > 0x7f)
> Also, anyone have any thoughts on how to translate "eventid 11" to a
> more human-readable "execve" in perl without writing my own C Header
> translator?
Are you meaning how to translate the raw time stamp/serial number? If so, I'd
point to the ausearch source code. I don't program in perl so I may not be
the best source of info. The long term plan is to have an audit event parsing
library so that external apps do not have to have secret audit format
knowledge. The audit parsing library could probably be turned into a perl
module as could libaudit. If you wanted to send a patch for that, I'd be
happy to integrate it. (Right now we only have python bindings.)
-Steve
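The kernel test quoted above, together with the interleaving discussed earlier in the thread, as an added Python example that is neither part of this message nor the audit project's own code: it encodes and decodes name= values the way the quoted condition implies, and regroups records by timestamp and serial number so a dispatcher can reassemble an event whose records arrive out of order. The sample lines are constructed, and the helper names (needs_hex, event_paths, etc.) are this example's own.

```python
import re

# Mirrors the kernel test quoted in the thread (audit.c): a byte is
# "untrusted" if it is a double quote, below 0x21 (space and controls) or
# above 0x7f (non-ASCII). Any such byte makes the whole name hex-encoded.
def needs_hex(name: bytes) -> bool:
    return any(b == 0x22 or b < 0x21 or b > 0x7f for b in name)

def encode_audit_string(name: bytes) -> str:
    """Render a name as auditd prints it: quoted, or upper-case hex."""
    return name.hex().upper() if needs_hex(name) else '"%s"' % name.decode("ascii")

def decode_audit_string(token: str) -> bytes:
    """Inverse of the above; bare tokens such as (null) are returned verbatim."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1].encode("ascii")
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", token):
        return bytes.fromhex(token)
    return token.encode("ascii")

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")

def field(body: str, key: str):
    """Return the raw token for key=... in a record body, or None."""
    m = re.search(r"(?:^| )%s=(\S+)" % re.escape(key), body)
    return m.group(1) if m else None

def group_by_serial(lines):
    """Reassemble interleaved records into events keyed by (timestamp, serial)."""
    events = {}
    for line in lines:
        m = RECORD_RE.match(line)
        if m:
            rtype, ts, serial, body = m.groups()
            events.setdefault((ts, int(serial)), []).append((rtype, body))
    return events

def event_paths(lines):
    """Map each event key to the decoded name= values of its PATH records."""
    return {key: [decode_audit_string(field(body, "name"))
                  for rtype, body in recs if rtype == "PATH" and field(body, "name")]
            for key, recs in group_by_serial(lines).items()}

# Constructed sample, not real audit output: two events whose records interleave.
SAMPLE = [
    "type=SYSCALL msg=audit(1148481960.123:228387): arch=c000003e syscall=59 success=yes",
    "type=SYSCALL msg=audit(1148481960.125:228390): arch=c000003e syscall=2 success=yes",
    'type=PATH msg=audit(1148481960.125:228390): item=0 name="/etc/passwd"',
    "type=PATH msg=audit(1148481960.123:228387): item=0 name=2F746D702F6D792066696C65",
]
```

Grouping on the (timestamp, serial) pair rather than the serial alone avoids merging records if the serial counter ever wraps or restarts.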