From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Dispatcher - single line output (perl)
Date: Thu, 25 May 2006 08:30:02 -0400
Message-ID: <200605250830.03031.sgrubb@redhat.com>
References: <1ba978500605220535h537ec28cp6fbddd86e2779228@mail.gmail.com> <200605240841.52299.sgrubb@redhat.com> <1ba978500605241722h6c58f05by30556fdcc01abdb8@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-Reply-To: <1ba978500605241722h6c58f05by30556fdcc01abdb8@mail.gmail.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Leigh Purdie
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 24 May 2006 20:22, Leigh Purdie wrote:
> So, to rephrase my question slightly - is there a programmatic way to
> turn syscall=5 into syscall=execve that anyone can suggest?

OK, then libaudit has that function, audit_syscall_to_name(). There are
several factors that have to be considered to correctly interpret a syscall
name.

> WRT perl, I'm language agnostic. If there's better support for audit
> in python, I'll switch the code over.

Yes, there is better support for python right now. We've also written a
dispatcher used for real-time SE Linux event analysis using python. It grabs
the events as a dictionary and passes them on for analysis. I should be
releasing audit-1.2.3 today which improves python support a little bit more.

-Steve
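
Added example, not part of the original message and not code from libaudit or the audit package: a Python sketch of one factor that has to be considered when turning a syscall number into a name, the architecture in the record's arch field. The sample records, the function names and the tiny syscall tables are constructed for illustration.

```python
import re

# Audit "arch" values: ELF machine number OR'd with the 64-bit
# (0x80000000) and little-endian (0x40000000) flags.
ARCH_NAMES = {0x40000003: "i386", 0xC000003E: "x86_64"}

# Tiny excerpts of the per-architecture syscall tables (illustration only;
# libaudit carries the complete tables).
SYSCALLS = {
    "i386": {5: "open", 11: "execve"},
    "x86_64": {2: "open", 5: "fstat", 11: "munmap", 59: "execve"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, not captured from a real system.
SAMPLE_I386 = ('type=SYSCALL msg=audit(1148560202.031:415): arch=40000003 '
               'syscall=11 success=yes exit=0 pid=2311 comm="ls" exe="/bin/ls"')
SAMPLE_X86_64 = SAMPLE_I386.replace("arch=40000003", "arch=c000003e")

def parse_record(line):
    """Split one audit record into a dict of field name -> string value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def interpret_syscall(event):
    """Return the syscall name for a SYSCALL event, or None if unresolved."""
    if event.get("type") != "SYSCALL":
        return None
    try:
        arch = int(event["arch"], 16)    # arch is logged as bare hex
        number = int(event["syscall"])   # syscall is logged as decimal
    except (KeyError, ValueError):
        return None
    table = SYSCALLS.get(ARCH_NAMES.get(arch), {})
    return table.get(number)

def annotate(line):
    """Rewrite syscall=<number> as syscall=<name> when the name is known."""
    name = interpret_syscall(parse_record(line))
    if name is None:
        return line  # unknown arch or number: leave the record untouched
    return re.sub(r'\bsyscall=\d+', "syscall=" + name, line, count=1)

if __name__ == "__main__":
    print(annotate(SAMPLE_I386))    # same number, i386 table
    print(annotate(SAMPLE_X86_64))  # same number, x86_64 table
```

The same syscall number resolves to different names in the two sample records, so a translator that ignores arch mislabels events from 32-bit processes on a 64-bit host.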