From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: should I lose audit data if I only care about the record's fields?
Date: Wed, 14 Nov 2007 10:37:07 -0500
Message-ID: <200711141037.08301.sgrubb@redhat.com>
References: <1194996645.26025.28.camel@klausk.br.ibm.com>
In-Reply-To: <1194996645.26025.28.camel@klausk.br.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: klausk@br.ibm.com
Cc: "Linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Tuesday 13 November 2007 18:30:45 Klaus Heinrich Kiwi wrote:
> Example record:
> type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759
> uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023
> msg='op=adding user to shadow group acct=klausk
> exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1
> res=success)'
>
> using walk_test() from the test routine (python):
> ---
> op=adding (adding)
> ---
> 'op=adding' - adding what? No information about what's going on here.

This is an audit record that should probably be fixed in the application's
source code.

> _side note_: just noticed that the original record is telling 'adding
> user to shadow group' when in fact I was adding the user to the 'nobody'
> group, plus others, with 'usermod -G' - I'll check that again later.

Yeah, might be a bug. shadow-utils is horrible for auditing since it has so
many exit points that need to be audited. In my opinion, all the apps in it
need restructuring for the logging/auditing.

> Another example is the LOGIN record:
> original record:
> type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old
> auid=4294967295 new auid=0
>
> ---walk_test()----
> event 1 has 1 records
> record 1 of type 1006(LOGIN) has 5 fields
> line=1 file=None
> event time: 1193547601.367:36782, host=None
> type=LOGIN (LOGIN)
> pid=11698 (11698)
> uid=0 (root)
> auid=4294967295 (unset)
> auid=0 (root)
> ---
> two auid fields? Which is old and which is new? OK, maybe not the
> brightest example, but IMO still valid.

Yep, that is implicit in the ordering.

> Maybe auparse is aimed to just help us when we need to extract data, but
> it is well-settled that someone will need the whole record to actually
> know what's going on - please tell me if that is the case.

You can access the whole record with auparse_get_record_text().

> Thoughts?

There is also a section of code that is not written. There are plans to
access the "in-between" data as an ancillary field. I believe there are
FIXME's in the code where this should be. Unfortunately, I can't get to it
for a little while.

-Steve
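As an added example (not auparse's code, and not from either poster), the Python below shows the three points the thread turns on: the free text between key=value fields ("user to shadow group") is lost by a fields-only view, duplicate keys such as the two auid= fields of a LOGIN record survive only if you keep fields as an ordered list rather than a dict, and the raw record text should be retained alongside the parsed view. It only understands the simple key=value grammar of the two records quoted above (constructed here verbatim from the thread); the names `tokenize`, `fields`, `free_text`, `interpret` and `summarize` are this example's own, and `AUID_UNSET` is the (unsigned)-1 sentinel that auparse renders as "unset".

```python
import re
from typing import Dict, List, Tuple

# The two records quoted in this thread (constructed here as test input).
USER_CHAUTHTOK = (
    "type=USER_CHAUTHTOK msg=audit(1194995431.057:58485): user pid=30759 "
    "uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 "
    "msg='op=adding user to shadow group acct=klausk "
    'exe="/usr/sbin/usermod" (hostname=?, addr=?, terminal=pts/1 res=success)\''
)
LOGIN = (
    "type=LOGIN msg=audit(1193547601.367:36782): login pid=11698 uid=0 old "
    "auid=4294967295 new auid=0"
)

# A field is key=value; the value is single-quoted, double-quoted, or bare.
# Bare values stop at whitespace or a comma so "(hostname=?, addr=?" splits cleanly.
_FIELD = re.compile(r"""(?P<key>[A-Za-z_][A-Za-z0-9_\-]*)=(?P<val>'[^']*'|"[^"]*"|[^\s,]+)""")

AUID_UNSET = 4294967295  # (unsigned)-1: no login uid set; auparse shows it as "unset"

Token = Tuple[str, str, str]  # (kind, key, value); kind is "field" or "text"


def tokenize(record: str) -> List[Token]:
    """Split one audit record into fields and the free text between them.

    The result is an ordered list, so duplicate keys keep their order and
    the in-between text (which a fields-only view drops) is kept as "text"
    tokens. This is a deliberately small tokenizer, not a full parser.
    """
    tokens: List[Token] = []
    pos = 0
    for m in _FIELD.finditer(record):
        gap = record[pos:m.start()].strip(" \t(),")
        if gap:
            tokens.append(("text", "", gap))
        pos = m.end()
        key, val = m.group("key"), m.group("val")
        if len(val) >= 2 and val[0] in "'\"" and val[-1] == val[0]:
            val = val[1:-1]
            if key == "msg":
                # User-space records nest a second key=value payload in msg='...'.
                tokens.extend(tokenize(val))
                continue
        elif val.startswith("audit("):
            val = val.rstrip(":")   # "audit(ts:serial):" -> "audit(ts:serial)"
        else:
            val = val.rstrip(")")   # "res=success)" -> "success"
        tokens.append(("field", key, val))
    tail = record[pos:].strip(" \t(),")
    if tail:
        tokens.append(("text", "", tail))
    return tokens


def fields(tokens: List[Token]) -> List[Tuple[str, str]]:
    """Ordered (key, value) pairs; duplicates such as old/new auid are kept."""
    return [(k, v) for kind, k, v in tokens if kind == "field"]


def free_text(tokens: List[Token]) -> List[str]:
    """The 'in-between' text that is not part of any key=value field."""
    return [v for kind, _, v in tokens if kind == "text"]


def interpret(key: str, value: str) -> str:
    """Interpreted value for the one case the thread shows (auid unset)."""
    if key == "auid" and value.isdigit() and int(value) == AUID_UNSET:
        return "unset"
    return value


def summarize(record: str) -> Dict[str, object]:
    """Keep the raw record next to the parsed views, as auparse_get_record_text() allows."""
    tokens = tokenize(record)
    return {
        "raw": record,                 # whole record, nothing lost
        "fields": fields(tokens),      # ordered, duplicates preserved
        "text": free_text(tokens),     # the ancillary text between fields
        "by_key": dict(fields(tokens)),  # convenient, but a later auid= overwrites an earlier one
    }


if __name__ == "__main__":
    for rec in (USER_CHAUTHTOK, LOGIN):
        s = summarize(rec)
        print("raw:", s["raw"])
        for k, v in s["fields"]:
            print(f"  {k}={v} ({interpret(k, v)})")
        print("  free text:", s["text"])
        print("  fields hidden by the dict view:", len(s["fields"]) - len(s["by_key"]))
```

For the LOGIN record the dict view reports auid=0 only, while the ordered list yields auid=4294967295 followed by auid=0, which is exactly the "implicit in the ordering" point; for the USER_CHAUTHTOK record the free text "user to shadow group" is what op=adding alone does not tell you.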