From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: How to read audit log?
Date: Tue, 25 Sep 2007 11:02:31 -0400
Message-ID: <200709251102.32720.sgrubb@redhat.com>
References: <1190730861.3569.18.camel@finch.boston.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Wieprecht, Karen M."
List-Id: linux-audit@redhat.com

On Tuesday 25 September 2007 10:50:13 Wieprecht, Karen M. wrote:
>> Your best bet might be to use the auparse library, or ausearch which
>> knows how to interpret the audit log format for you and can present the
>> information in a human-friendly format.

It doesn't actually present the information in a human-friendly format.
Auparse is a library that can be used to write programs that present data in
human-friendly output. But someone has to write the code. Basically, it saves
you from having to know the details of the audit log's file format and
presents the programmer with a smart iterator that can walk the input source.

> I would really like to see a sample of what the auparse output looks
> like. I have a Perl script that sucks the output of ausearch into a
> key-value hash table from which I have other code that determines how to
> print this in a human-friendly format, but I'm wondering if auparse
> can replace that or if all it does for me is to get the information into
> the key-value hash table so I can decide how I want to format the output.

Yes. It would let you write an app that is more efficient than using perl on
ausearch output.

> ... Anyone have a sample of what they have done with any particular
> record type and what auparse does with it on the output end?
For example, I decided to write a lastlog replacement that works off the audit
logs. The main code loop looks something like this:

#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <auparse.h>

/* The linked list `l` and the list_* helpers are the author's own code and
 * are not part of the mail; the declarations below are assumed so that the
 * loop reads as a complete unit. */
typedef struct llist llist;
extern llist l;
extern void list_first(llist *list);
extern int  list_find_uid(llist *list, uid_t uid);
extern void list_update_login(llist *list, time_t sec);
extern void list_update_host(llist *list, const char *host);
extern void list_update_term(llist *list, const char *term);

int main(void)
{
    auparse_state_t *au;

    /* Open the system audit logs (AUSOURCE_LOGS) for iteration */
    au = auparse_init(AUSOURCE_LOGS, NULL);
    if (au == NULL) {
        printf("Error - %s\n", strerror(errno));
        goto error_exit_1;
    }

    /* Search for successful user logins: type == USER_LOGIN AND res == success */
    if (ausearch_add_item(au, "type", "=", "USER_LOGIN", AUSEARCH_RULE_CLEAR)) {
        printf("ausearch_add_item error - %s\n", strerror(errno));
        goto error_exit_2;
    }
    if (ausearch_add_item(au, "res", "=", "success", AUSEARCH_RULE_AND)) {
        printf("ausearch_add_item error - %s\n", strerror(errno));
        goto error_exit_2;
    }
    /* Leave the cursor on the matching record rather than the event start */
    if (ausearch_set_stop(au, AUSEARCH_STOP_RECORD)) {
        printf("ausearch_set_stop error - %s\n", strerror(errno));
        goto error_exit_2;
    }

    /* Now scan the logs and append events */
    while (ausearch_next_event(au) > 0) {
        const au_event_t *e = auparse_get_timestamp(au);

        if (auparse_find_field(au, "auid")) {
            uid_t u = auparse_get_field_int(au);
            list_first(&l);
            if (list_find_uid(&l, u)) {
                const char *str;
                list_update_login(&l, e->sec);
                /* find_field scans forward from the current field, so these
                 * pick up hostname and terminal later in the same record */
                str = auparse_find_field(au, "hostname");
                if (str)
                    list_update_host(&l, str);
                str = auparse_find_field(au, "terminal");
                if (str)
                    list_update_term(&l, str);
            }
        }
        /* Step past this event so the next search does not re-match it */
        auparse_next_event(au);
    }
    auparse_destroy(au);
    return 0;

error_exit_2:
    auparse_destroy(au);
error_exit_1:
    return 1;
}

At this point the program walks its linked list and outputs the data in
lastlog format. I was planning to write this program up in a tutorial at some
point so that people can see how easy auparse makes writing apps for audit
logs.

-Steve
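Added example, not part of Steve's mail or of the audit project: the same
last-login loop in Python, working on raw audit records rather than through
libauparse so it runs anywhere. It shows the parts of the log format that
auparse hides (the type=/msg=audit(sec.msec:serial) header that identifies an
event, key=value fields, and the single-quoted nested record that user-space
daemons put inside a USER_LOGIN), applies the same type=USER_LOGIN AND
res=success filter, and folds the matches into a per-auid last-login table,
skipping records whose auid is unset (4294967295). The sample records, field
values and helper names are constructed for the example. Real auparse also
joins multi-record events, walks rotated log files and interprets numeric
fields, none of which this parser does.

```python
"""
Added example (not code from the mail or from the audit project): a minimal
parser for raw audit records, a search filter in the spirit of
ausearch_add_item(), and the lastlog-style fold the mail's C loop performs.
The sample records below are constructed for the example.
"""
import re
from typing import Dict, Iterable, Iterator, Tuple

# Every record starts with type=<TYPE> msg=audit(<sec>.<msec>:<serial>):
# Records sharing one (sec, msec, serial) triple make up a single event,
# which is how auparse groups them for auparse_next_event().
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# key=value, key="quoted value" or key='nested record'. The single-quoted form
# is how user-space daemons (sshd, login) embed their own fields in a USER_*
# record; they are flattened into the record here, as auparse presents them.
_FIELD = re.compile(
    r"""(?P<key>[A-Za-z0-9_\-]+)=(?:'(?P<single>[^']*)'|"(?P<double>[^"]*)"|(?P<bare>\S*))"""
)

AUID_UNSET = 4294967295  # (uid_t)-1: no login session attached to the process

# Constructed sample log: two logins for auid 500, one for 501, one failure,
# one success with no auid attached, and an unrelated SYSCALL record.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1190730861.300:101): user pid=2345 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=finch.boston.redhat.com addr=10.0.0.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1190731000.120:102): user pid=2399 uid=0 auid=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=SYSCALL msg=audit(1190731200.555:103): arch=40000003 syscall=5 success=yes exit=3 a0=bfa1 a1=0 a2=0 a3=0 items=1 pid=2400 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=USER_LOGIN msg=audit(1190731300.001:104): user pid=2500 uid=0 auid=501 msg='op=login id=501 exe="/bin/login" hostname=? addr=? terminal=tty1 res=success'
type=USER_LOGIN msg=audit(1190731350.000:105): user pid=2550 uid=0 auid=4294967295 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=10.0.0.9 addr=10.0.0.9 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1190731400.002:106): user pid=2600 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=ws1.example.org addr=10.0.0.8 terminal=ssh res=success'
"""


def parse_fields(body: str) -> Dict[str, str]:
    """Split k=v / k="v" / k='nested' text into a dict, flattening nesting."""
    fields: Dict[str, str] = {}
    for m in _FIELD.finditer(body):
        if m.group("single") is not None:
            fields.update(parse_fields(m.group("single")))
        elif m.group("double") is not None:
            fields[m.group("key")] = m.group("double")
        else:
            fields[m.group("key")] = m.group("bare")
    return fields


def parse_record(line: str) -> Dict[str, str]:
    """Parse one raw audit line; raise ValueError for anything else."""
    m = _HEADER.match(line.strip())
    if m is None:
        raise ValueError(f"not an audit record: {line!r}")
    rec = parse_fields(m.group("body"))
    # Header values win over any same-named field in the body.
    rec.update({k: m.group(k) for k in ("type", "sec", "msec", "serial")})
    return rec


def search(lines: Iterable[str], **criteria: str) -> Iterator[Dict[str, str]]:
    """Yield records whose fields equal every criterion (ANDed together),
    like chaining ausearch_add_item(au, key, "=", value, AUSEARCH_RULE_AND)."""
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if all(rec.get(k) == v for k, v in criteria.items()):
            yield rec


def lastlog(lines: Iterable[str]) -> Dict[int, Tuple[int, str, str]]:
    """Latest successful login per auid as (epoch seconds, hostname, terminal).
    Records with no session auid are skipped: they cannot be credited to a user."""
    latest: Dict[int, Tuple[int, str, str]] = {}
    for rec in search(lines, type="USER_LOGIN", res="success"):
        auid = int(rec.get("auid", AUID_UNSET))
        if auid == AUID_UNSET:
            continue
        when = int(rec["sec"])
        if auid not in latest or when > latest[auid][0]:
            latest[auid] = (when, rec.get("hostname", "?"), rec.get("terminal", "?"))
    return latest


if __name__ == "__main__":
    for auid, (when, host, term) in sorted(lastlog(SAMPLE_LOG.splitlines()).items()):
        print(f"{auid:<8}{term:<10}{host:<28}{when}")
```

Run against a real /var/log/audit/audit.log the same functions work line by
line, but note that ausearch/auparse also match on the interpreted form of
fields (for example auid=500 as a user name); this parser compares raw text
only, so criteria must be given in the on-disk form.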