public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: [RFC] New ausearch output option & audit viewing in Spacewalk
Date: Mon, 8 Jun 2009 14:06:16 -0400
Message-ID: <200906081406.31030.sgrubb@redhat.com>
In-Reply-To: <4A2D4DD8.6060809@redhat.com>

On Monday 08 June 2009 01:43:52 pm John Dennis wrote:
> [Steve may want to correct and/or comment about my statements on the
> parsing logic which is in ausearch.]
>
> The idea is interesting but I think this is the wrong implementation
> approach, there should only be one library which knows how to read audit
> data, namely libauparse. The code you've added is duplicating some of
> the logic in libauparse. 

Actually, if you look at the test cases in the auparse library, you will see 
that it basically does the same thing. The core code from the test cases is 
this:

  #include <stdio.h>
  #include <stdlib.h>
  #include <auparse.h>

  /* au is an auparse_state_t * already set up by auparse_init() (assumed). */
  do {
          if (auparse_first_record(au) <= 0)
                  exit(1);
          do {
                  /* header of the event this record belongs to */
                  const au_event_t *e = auparse_get_timestamp(au);
                  if (e == NULL)
                          exit(1);
                  printf("    event time: %u.%u:%lu, host=%s\n",
                          (unsigned)e->sec,
                          e->milli, e->serial, e->host ? e->host : "?");
                  auparse_first_field(au);
                  do {
                          /* raw name=value, then its interpreted form */
                          printf("        %s=%s (%s)\n",
                                          auparse_get_field_name(au),
                                          auparse_get_field_str(au),
                                          auparse_interpret_field(au));
                  } while (auparse_next_field(au) > 0);
                  printf("\n");
          } while (auparse_next_record(au) > 0);
  } while (auparse_next_event(au) > 0);


One could easily make a single purpose program in probably less than 30 lines 
of code that reproduces the same output as patching ausearch. The auparse 
library still can't reconnect interlaced records, but you could init the app 
with AUSOURCE_DESCRIPTOR as the data source (for stdin) and pipe the output of 
ausearch --raw into the single purpose reformatter.
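As an added illustration (not code from the thread or from the audit project), the following script is a stand-in for the single purpose reformatter described above. It is written in Python rather than against libauparse so that it runs anywhere: it reads raw audit records such as `ausearch --raw` produces from stdin, reassembles the records that share one `audit(sec.milli:serial)` header into an event even when records of different events are interleaved, and prints them in the same shape as the auparse test-case loop. It does not interpret field values (the `auparse_interpret_field` column is omitted), and the sample records at the bottom are constructed, not taken from a real log. The regular expression and the field tokenizer are this example's own assumptions about the raw line layout.

```python
"""Reformat raw audit records (ausearch --raw) into per-event output.

Added example; it duplicates a small part of what libauparse does and
exists only to show the raw record layout and event reassembly.
"""
import re
import shlex
import sys
from collections import OrderedDict

# Fixed prefix of a raw record: optional "node=host ", then
# "type=NAME msg=audit(SEC.MILLI:SERIAL):" followed by the field list.
HEADER_RE = re.compile(
    r'^(?:node=(?P<host>\S+)\s+)?'
    r'type=(?P<type>\S+)\s+'
    r'msg=audit\((?P<sec>\d+)\.(?P<milli>\d+):(?P<serial>\d+)\):\s*'
    r'(?P<rest>.*)$'
)


def parse_record(line):
    """Parse one raw record into (event_key, host, record_type, fields).

    Returns None for lines that are not audit records, e.g. blank lines
    or the '----' separators ausearch prints between events.
    """
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    key = (int(m.group('sec')), int(m.group('milli')), int(m.group('serial')))
    rest = m.group('rest')
    try:
        # shlex keeps "quoted" values and the msg='...' payload of USER_*
        # records (which contains spaces) together as one token each.
        tokens = shlex.split(rest, posix=True)
    except ValueError:
        # Truncated or unbalanced quoting: fall back to a plain split so
        # a damaged record still shows up instead of being dropped.
        tokens = rest.split()
    fields = []
    for tok in tokens:
        name, sep, value = tok.partition('=')
        if sep:
            fields.append((name, value))
    return key, m.group('host'), m.group('type'), fields


def group_events(lines):
    """Collect records into events keyed by the audit(...) header.

    Records of one event may be interleaved with records of others in the
    log; keying on (sec, milli, serial) reassembles them regardless of
    arrival order, and the OrderedDict keeps first-seen event order.
    """
    events = OrderedDict()
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        key, host, rtype, fields = parsed
        ev = events.setdefault(key, {'host': host, 'records': []})
        if ev['host'] is None:
            ev['host'] = host
        ev['records'].append((rtype, fields))
    return events


def format_events(events):
    """Render events in the layout the auparse test loop prints."""
    out = []
    for (sec, milli, serial), ev in events.items():
        host = ev['host'] if ev['host'] else '?'
        out.append('    event time: %d.%d:%d, host=%s' % (sec, milli, serial, host))
        for rtype, fields in ev['records']:
            out.append('        type=%s' % rtype)  # type is the record's first field
            for name, value in fields:
                out.append('        %s=%s' % (name, value))
            out.append('')
    return '\n'.join(out)


# Constructed sample: event 1234 has three records interleaved with a
# USER_LOGIN record of event 1235 and an ausearch '----' separator.
SAMPLE = """\
node=ws1 type=SYSCALL msg=audit(1244483155.321:1234): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key="access-log"
type=USER_LOGIN msg=audit(1244483160.005:1235): pid=2200 uid=0 msg='op=login id=500 exe="/usr/sbin/sshd" res=success'
node=ws1 type=CWD msg=audit(1244483155.321:1234):  cwd="/var/log"
----
node=ws1 type=PATH msg=audit(1244483155.321:1234): item=0 name="/var/log/audit/audit.log" mode=0100600
"""


def main():
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    print(format_events(group_events(source)))


if __name__ == '__main__':
    main()
```

Run it as `ausearch --raw | python3 reformat.py`; with no piped input it formats the constructed sample. Grouping by the `(sec, milli, serial)` key is what reconnects interleaved records, which is the part Steve notes libauparse did not do at the time.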


> If the audit format ever changes (or you have a 
> parsing bug) then this code will break. The fact ausearch has logic in
> it to parse audit data is historical, at the time ausearch was written
> libauparse did not exist yet. I believe Steve has said that ausearch
> needs to be rewritten to layer on top of libauparse.

This is very true. Some day it will be layered on top of auparse.

-Steve

Thread overview:
2009-06-08 16:46 [RFC] New ausearch output option & audit viewing in Spacewalk Joshua Roys
2009-06-08 17:12 ` John Dennis
2009-06-08 17:17   ` Joshua Roys
2009-06-08 17:28 ` Steve Grubb
2009-06-08 17:35 ` Miloslav Trmac
2009-06-08 17:43 ` John Dennis
2009-06-08 18:06   ` Steve Grubb [this message]
